Play interactive tour

Edit tour

Analysis Report CL-Eye-Driver-5.3.0.0341-Emuline.exe

Overview

General Information

Sample Name:	CL-Eye-Driver-5.3.0.0341-Emuline.exe
Analysis ID:	343519
MD5:	64112c1df0d80d195d006da9c15bf710
SHA1:	f0bfbc32171ecfb03614470b9c06ef34c07e66b0
SHA256:	29cbd9d9bc6571d15d6a2b29dd2532fe6c7fb81d255778deb40f64dc79502bf5
Most interesting Screenshot:

Detection

Score:	7
Range:	0 - 100
Whitelisted:	false
Confidence:	20%

Compliance

Score:	32
Range:	0 - 100

Signatures

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to communicate with device drivers

Contains functionality to delete services

Contains functionality to dynamically determine API calls

Contains functionality to read device registry values (via SetupAPI)

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

DLL planting / hijacking vulnerabilities found

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops certificate files (DER)

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains strange resources

Queries device information via Setup API

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Sample may be VM or Sandbox-aware, try analysis on a native machine

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Startup

System is w10x64

CL-Eye-Driver-5.3.0.0341-Emuline.exe (PID: 5288 cmdline: 'C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe' MD5: 64112C1DF0D80D195D006DA9C15BF710)

CertMgr.exe (PID: 5388 cmdline: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\CertMgr.exe -add C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\CodeLabs.cer -c -s -r localMachine TrustedPublisher MD5: 1444BCFEFF029BB1E9B1CA3B896CD143)

conhost.exe (PID: 1488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

wdreg.exe (PID: 1240 cmdline: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe -inf PS3EyeCamera.inf -silent -compat install MD5: D0047E39B0DFD11EC2A50E2A45C2D9BE)

conhost.exe (PID: 5848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Cryptography:

Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\CertMgr.exe	Code function: 1_2_00E87E7F HeapSetInformation,LoadStringW,LoadStringW,LoadStringW,LoadStringA,LoadStringW,LoadStringW,LoadStringW,CryptUIDlgCertMgr,CryptMsgClose,CertCloseStore,	1_2_00E87E7F
Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\CertMgr.exe	Code function: 1_2_00E82BFA CryptDecodeObject,printf,	1_2_00E82BFA
Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\CertMgr.exe	Code function: 1_2_00E817F3 GetModuleHandleA,CryptInitOIDFunctionSet,CryptInstallOIDFunctionAddress,	1_2_00E817F3
Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\CertMgr.exe	Code function: 1_2_00E82FF4 CryptDecodeObject,printf,printf,printf,	1_2_00E82FF4
Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\CertMgr.exe	Code function: 1_2_00E882C8 CryptDecodeObject,CryptDecodeObject,CryptDecodeObject,	1_2_00E882C8
Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\CertMgr.exe	Code function: 1_2_00E822DB CryptStringToBinaryA,CryptStringToBinaryA,GetLastError,CryptStringToBinaryA,GetLastError,	1_2_00E822DB
Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\CertMgr.exe	Code function: 1_2_00E881D0 printf,CryptMsgGetParam,CryptMsgGetParam,CryptMsgGetParam,	1_2_00E881D0
Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\CertMgr.exe	Code function: 1_2_00E85CD6 printf,CertGetCertificateContextProperty,CertGetCertificateContextProperty,CertGetCertificateContextProperty,CryptAcquireContextA,CryptHashPublicKeyInfo,CryptReleaseContext,CertGetCertificateContextProperty,CertGetCertificateContextProperty,printf,printf,printf,CertGetPublicKeyLength,printf,printf,printf,	1_2_00E85CD6
Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\CertMgr.exe	Code function: 1_2_00E881A9 CryptFindOIDInfo,	1_2_00E881A9
Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\CertMgr.exe	Code function: 1_2_00E832A1 CryptGetOIDFunctionAddress,wprintf,CryptFreeOIDFunctionAddress,	1_2_00E832A1
Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\CertMgr.exe	Code function: 1_2_00E82390 CryptStringToBinaryW,CryptStringToBinaryW,GetLastError,CryptStringToBinaryW,GetLastError,	1_2_00E82390
Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\CertMgr.exe	Code function: 1_2_00E82B61 CryptDecodeObject,printf,	1_2_00E82B61
Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\CertMgr.exe	Code function: 1_2_00E88163 CryptFindOIDInfo,	1_2_00E88163
Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\CertMgr.exe	Code function: 1_2_00E83C7E CryptSIPRetrieveSubjectGuid,CryptSIPLoad,memset,CertOpenStore,CryptMsgOpenToDecode,CertCloseStore,CryptMsgUpdate,CertCloseStore,CryptMsgClose,	1_2_00E83C7E
Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\CertMgr.exe	Code function: 1_2_00E83272 CryptFindOIDInfo,	1_2_00E83272
Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\CertMgr.exe	Code function: 1_2_00E8644E CryptMsgGetParam,printf,printf,printf,CryptMsgGetAndVerifySigner,CertFreeCertificateContext,	1_2_00E8644E
Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\CertMgr.exe	Code function: 1_2_00E81A5B strtok,strtok,strtok,SetLastError,CryptEncodeObject,CryptEncodeObject,CryptEncodeObject,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertSetCertificateContextProperty,CertSetCertificateContextProperty,CertSetCertificateContextProperty,CertEnumCertificatesInStore,CertFreeCertificateContext,	1_2_00E81A5B

Privilege Escalation:

Source: C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe	DLL: USP10.dll	Jump to behavior
Source: C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe	DLL: VERSION.dll	Jump to behavior
Source: C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe	DLL: SHFOLDER.DLL	Jump to behavior
Source: C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe	DLL: RichEd20.DLL	Jump to behavior
Source: C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe	DLL: msls31.dll	Jump to behavior

Compliance:

DLL planting / hijacking vulnerabilities found

Show sources

Source: C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe	DLL: USP10.dll	Jump to behavior
Source: C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe	DLL: VERSION.dll	Jump to behavior
Source: C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe	DLL: SHFOLDER.DLL	Jump to behavior
Source: C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe	DLL: RichEd20.DLL	Jump to behavior
Source: C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe	DLL: msls31.dll	Jump to behavior

Uses 32bit PE files

Show sources

Source: CL-Eye-Driver-5.3.0.0341-Emuline.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Found installer window with terms and condition text

Show sources

Source: C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe

Window detected: < &BackI &AgreeCancelCode Laboratories Inc. Code Laboratories Inc.License AgreementPlease review the license terms before installing CL-Eye Driver.Press Page Down to see the rest of the agreement.CL-EYE PLATFORM END USER LICENSE AGREEMENTUpdated: February 16th 2010 v1.1BY USING THIS SOFTWARE YOU ARE CONSENTING TO BE BOUND BY AND ARE BECOMING A PARTY TO THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THIS AGREEMENT DO NOT USE THIS SOFTWARE AND ERASE ANY COPIES WHICH YOU HAVE OBTAINED.REDISTRIBUTION NOT PERMITTED GRANTCode Laboratories Inc. (CodeLabs) hereby grants you a non-exclusive license to use its accompanying software product (Software).Except as specified in section SDK REDISTRIBUTION you may not: Permit other individuals to use the Software; Modify translate reverse engineer de-compile disassemble (except to the extent applicable laws specifically prohibit such restriction) create derivative works based on the Software; Copy the Software (except for back-up purposes); Rent lease transfer or otherwise transfer rights to the Software or Remove any proprietary notices or labels on the Software.This license does not grant you any right to any enhancement or updates.TITLETitle ownership rights and intellectual property rights in and to the Software shall remain with CodeLabs. The Software copyright laws of the United States and international copyright treaties protect the Software. Title ownership rights and intellectual property rights in and to the content accessed through the Software is the property of the applicable content owner and may be protected by applicable copyright or other law. This License gives you no rights to such content.DISCLAIMER OF WARRANTYThe Software is provided on an AS IS basis without warranty of any kind including without limitation the warranties of merchantability fitness for a particular purpose and non-infringement. The entire risk as to the quality and performance of the Software is borne by you. Should the Software prove defective you and not CodeLabs assume the entire cost of any service and repair. You must determine that the Software sufficiently meets your requirements. This disclaimer of warranty constitutes an essential part of the agreement.SOME STATES DO NOT ALLOW EXCLUSIONS OF AN IMPLIED WARRANTY SO THIS DISCLAIMER MAY NOT APPLY TO YOU AND YOU MAY HAVE OTHER LEGAL RIGHTS THAT VARY FROM STATE TO STATE OR BY JURISDICTION.LIMITATION OF LIABILITYUNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY TORT CONTRACT OR OTHERWISE SHALL CODELABS BE LIABLE TO YOU OR ANY OTHER PERSON FOR ANY INDIRECT SPECIAL INCIDENTAL OR CONSEQUENTIAL DAMAGES OF ANY CHARACTER INCLUDING WITHOUT LIMITATION DAMAGES FOR LOSS OF GOODWILL WORK STOPPAGE COMPUTER FAILURE OR MALFUNCTION OR ANY AND ALL OTHER COMMERCIAL DAMAGES OR LOSSES. IN NO EVENT SHALL (THE CODE LABS) BE LIABLE FOR ANY DAMAGES IN EXCESS OF CODELABS LIST PRICE FOR A LICENSE TO THE SOFTWARE EVEN IF CODELABS SHALL HAVE BEEN INFORMED OF THE POSSIBILITY OF SUCH DAMAG

PE / OLE file has a valid certificate

Show sources

Source: CL-Eye-Driver-5.3.0.0341-Emuline.exe

Static PE information: certificate valid

Binary contains paths to debug symbols

Show sources

Source:	Binary string: CertMgr.pdb source: CL-Eye-Driver-5.3.0.0341-Emuline.exe, 00000000.00000002.591171693.00000000027A8000.00000004.00000001.sdmp, CertMgr.exe, nsb97C2.tmp.0.dr
Source:	Binary string: WdfCoInstaller01009.pdbE3 source: CL-Eye-Driver-5.3.0.0341-Emuline.exe, 00000000.00000002.591171693.00000000027A8000.00000004.00000001.sdmp, nsb97C2.tmp.0.dr
Source:	Binary string: sfxcab.pdb source: CL-Eye-Driver-5.3.0.0341-Emuline.exe, 00000000.00000002.591171693.00000000027A8000.00000004.00000001.sdmp, SETC07A.tmp.3.dr
Source:	Binary string: WdfCoInstaller01009.pdb source: CL-Eye-Driver-5.3.0.0341-Emuline.exe, 00000000.00000002.591171693.00000000027A8000.00000004.00000001.sdmp, nsb97C2.tmp.0.dr
Source:	Binary string: C:\cygwin\home\adid\src\wd\wd.1021\samples\wdreg\WIN32\wdreg.pdb source: CL-Eye-Driver-5.3.0.0341-Emuline.exe, 00000000.00000002.591112002.0000000002799000.00000004.00000001.sdmp, nsb97C2.tmp.0.dr
Source:	Binary string: WinUsbCoinstaller2.pdb source: CL-Eye-Driver-5.3.0.0341-Emuline.exe, 00000000.00000002.591171693.00000000027A8000.00000004.00000001.sdmp, SETC07A.tmp.3.dr
Source:	Binary string: C:\cygwin\home\adid\src\wd\wd.1021\samples\wdreg\WIN32\wdreg.pdb D` source: CL-Eye-Driver-5.3.0.0341-Emuline.exe, 00000000.00000002.591112002.0000000002799000.00000004.00000001.sdmp, nsb97C2.tmp.0.dr
Source:	Binary string: WinUsbCoinstaller2.pdbH source: CL-Eye-Driver-5.3.0.0341-Emuline.exe, 00000000.00000002.591171693.00000000027A8000.00000004.00000001.sdmp, SETC07A.tmp.3.dr

Spreading:

Source: C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe	Code function: 0_2_00405E61 FindFirstFileA,FindClose,	0_2_00405E61
Source: C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe	Code function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	0_2_0040548B
Source: C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe	Code function: 0_2_0040263E FindFirstFileA,	0_2_0040263E

Software Vulnerabilities:

Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe	Code function: 4x nop then movzx eax, byte ptr [rbx]	3_2_0000000140006040
Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe	Code function: 4x nop then movzx eax, byte ptr [rsi+rcx]	3_2_0000000140006160
Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe	Code function: 4x nop then movzx eax, byte ptr [rbp+00h]	3_2_0000000140006260
Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe	Code function: 4x nop then xor eax, eax	3_2_00000001400092A0

Networking:

Source: nsb97C2.tmp.0.dr	String found in binary or memory: http://codelaboratories.com
Source: nsb97C2.tmp.0.dr	String found in binary or memory: http://codelaboratories.com/eye
Source: CL-Eye-Driver-5.3.0.0341-Emuline.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: CL-Eye-Driver-5.3.0.0341-Emuline.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: wdreg.exe.0.dr	String found in binary or memory: http://www.jungo.com
Source: wdreg.exe	String found in binary or memory: http://www.jungo.comCommand

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Source: C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe

Code function: 0_2_00405042 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405042

Source: CL-Eye-Driver-5.3.0.0341-Emuline.exe, 00000000.00000002.588762038.00000000006CA000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe	File created: C:\Users\user\AppData\Local\Temp\{c4cc54bd-c62e-4545-a2f2-41b896ea201d}\SETC00A.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe	File created: C:\Program Files (x86)\Code Laboratories\CL-Eye Driver\Driver\ps3eyecamera.cat	Jump to dropped file
Source: C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe	File created: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\CodeLabs.cer	Jump to dropped file

System Summary:

Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe

Code function: 3_2_00000001400092A0: CreateFileA,DeviceIoControl,CloseHandle,

3_2_00000001400092A0

Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe

Code function: 3_2_00000001400086D0 OpenServiceA,GetLastError,DeleteService,GetLastError,ControlService,GetLastError,CloseServiceHandle,CloseServiceHandle,Sleep,OpenServiceA,

3_2_00000001400086D0

Source: C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe

Code function: 0_2_0040323C EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

0_2_0040323C

Source: C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe

File created: C:\Windows\system32\CLEyeDevices.dll

Jump to behavior

Source: C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe	Code function: 0_2_00404853	0_2_00404853
Source: C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe	Code function: 0_2_00406131	0_2_00406131
Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\CertMgr.exe	Code function: 1_2_00E857BD	1_2_00E857BD
Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe	Code function: 3_2_0000000140013884	3_2_0000000140013884
Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe	Code function: 3_2_00000001400164E4	3_2_00000001400164E4
Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe	Code function: 3_2_0000000140016D5C	3_2_0000000140016D5C
Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe	Code function: 3_2_00000001400121A8	3_2_00000001400121A8
Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe	Code function: 3_2_0000000140012DC4	3_2_0000000140012DC4
Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe	Code function: 3_2_0000000140015DEC	3_2_0000000140015DEC
Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe	Code function: 3_2_000000014000B290	3_2_000000014000B290
Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe	Code function: 3_2_00000001400132A0	3_2_00000001400132A0
Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe	Code function: 3_2_0000000140012AE4	3_2_0000000140012AE4
Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe	Code function: 3_2_00000001400176EC	3_2_00000001400176EC
Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe	Code function: 3_2_0000000140003B20	3_2_0000000140003B20
Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe	Code function: 3_2_000000014000BB34	3_2_000000014000BB34
Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe	Code function: 3_2_000000014000CF44	3_2_000000014000CF44
Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe	Code function: 3_2_000000014000C74C	3_2_000000014000C74C

Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe	Code function: String function: 00000001400066E0 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe	Code function: String function: 0000000140009150 appears 63 times

Source: SETC00C.tmp.3.dr	Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, 1639755 bytes, 2 files
Source: SETC07A.tmp.3.dr	Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, 256987 bytes, 4 files
Source: SETC07A.tmp.3.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows

Source: CL-Eye-Driver-5.3.0.0341-Emuline.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: CL-Eye-Driver-5.3.0.0341-Emuline.exe, 00000000.00000002.587943185.000000000043C000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameCL-Eye-Driver-5.3.0.0341.exed" vs CL-Eye-Driver-5.3.0.0341-Emuline.exe
Source: CL-Eye-Driver-5.3.0.0341-Emuline.exe, 00000000.00000002.591171693.00000000027A8000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamewdreg.exeb! vs CL-Eye-Driver-5.3.0.0341-Emuline.exe
Source: CL-Eye-Driver-5.3.0.0341-Emuline.exe, 00000000.00000002.591171693.00000000027A8000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameCERTMGR.EXEj% vs CL-Eye-Driver-5.3.0.0341-Emuline.exe
Source: CL-Eye-Driver-5.3.0.0341-Emuline.exe, 00000000.00000002.591171693.00000000027A8000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameWdfCoInstaller.dllj% vs CL-Eye-Driver-5.3.0.0341-Emuline.exe
Source: CL-Eye-Driver-5.3.0.0341-Emuline.exe, 00000000.00000002.591171693.00000000027A8000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSFXCAB.EXEj% vs CL-Eye-Driver-5.3.0.0341-Emuline.exe
Source: CL-Eye-Driver-5.3.0.0341-Emuline.exe, 00000000.00000002.591171693.00000000027A8000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameWUDF_UPDATE_PACKAGE_NAME.dllj% vs CL-Eye-Driver-5.3.0.0341-Emuline.exe
Source: CL-Eye-Driver-5.3.0.0341-Emuline.exe, 00000000.00000002.594612793.00000000067D0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs CL-Eye-Driver-5.3.0.0341-Emuline.exe
Source: CL-Eye-Driver-5.3.0.0341-Emuline.exe	Binary or memory string: OriginalFilenameCL-Eye-Driver-5.3.0.0341.exed" vs CL-Eye-Driver-5.3.0.0341-Emuline.exe

Source: CL-Eye-Driver-5.3.0.0341-Emuline.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: SETC00C.tmp.3.dr

Static PE information: Section: .rsrc ZLIB complexity 0.998562932274

Source: CL-Eye-Driver-5.3.0.0341-Emuline.exe

Binary or memory string: y.vbP[

Source: classification engine

Classification label: clean7.evad.winEXE@7/19@0/0

Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe

Code function: 3_2_00000001400019F0 GetLastError,FormatMessageA,LocalFree,

3_2_00000001400019F0

Source: C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe

Code function: 0_2_00404356 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_00404356

Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe

Code function: OpenServiceA,CloseServiceHandle,GetLastError,CreateServiceA,CloseServiceHandle,CloseServiceHandle,

3_2_0000000140008500

Source: C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe

Code function: 0_2_00402020 CoCreateInstance,MultiByteToWideChar,

0_2_00402020

Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe

Code function: 3_2_0000000140008930 OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,

3_2_0000000140008930

Source: C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe

File created: C:\Program Files (x86)\Code Laboratories

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1488:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5848:120:WilError_01

Source: C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe

File created: C:\Users\user\AppData\Local\Temp\nsg9792.tmp

Jump to behavior

Source: CL-Eye-Driver-5.3.0.0341-Emuline.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: wdreg.exe	String found in binary or memory: -startup
Source: wdreg.exe	String found in binary or memory: Please specify a startup level after the '-startup' option
Source: wdreg.exe	String found in binary or memory: Please specify one of those values after the '-startup' option boot, system, automatic, demand, disabled
Source: wdreg.exe	String found in binary or memory: Pre-installing
Source: wdreg.exe	String found in binary or memory: Please specify one of those values after the '-startup' option boot, system, automatic, demand, disabled
Source: wdreg.exe	String found in binary or memory: Please specify a startup level after the '-startup' option

Source: C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe

File read: C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe 'C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe'
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\CertMgr.exe C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\CertMgr.exe -add C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\CodeLabs.cer -c -s -r localMachine TrustedPublisher
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe -inf PS3EyeCamera.inf -silent -compat install
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe	Process created: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\CertMgr.exe C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\CertMgr.exe -add C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\CodeLabs.cer -c -s -r localMachine TrustedPublisher	Jump to behavior
Source: C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe	Process created: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe -inf PS3EyeCamera.inf -silent -compat install	Jump to behavior

Source: C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe	Automated click: Next >
Source: C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe	Automated click: I Agree

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe

Source: CL-Eye-Driver-5.3.0.0341-Emuline.exe

Static PE information: certificate valid

Source: CL-Eye-Driver-5.3.0.0341-Emuline.exe

Static file information: File size 5410368 > 1048576

Source:	Binary string: CertMgr.pdb source: CL-Eye-Driver-5.3.0.0341-Emuline.exe, 00000000.00000002.591171693.00000000027A8000.00000004.00000001.sdmp, CertMgr.exe, nsb97C2.tmp.0.dr
Source:	Binary string: WdfCoInstaller01009.pdbE3 source: CL-Eye-Driver-5.3.0.0341-Emuline.exe, 00000000.00000002.591171693.00000000027A8000.00000004.00000001.sdmp, nsb97C2.tmp.0.dr
Source:	Binary string: sfxcab.pdb source: CL-Eye-Driver-5.3.0.0341-Emuline.exe, 00000000.00000002.591171693.00000000027A8000.00000004.00000001.sdmp, SETC07A.tmp.3.dr
Source:	Binary string: WdfCoInstaller01009.pdb source: CL-Eye-Driver-5.3.0.0341-Emuline.exe, 00000000.00000002.591171693.00000000027A8000.00000004.00000001.sdmp, nsb97C2.tmp.0.dr
Source:	Binary string: C:\cygwin\home\adid\src\wd\wd.1021\samples\wdreg\WIN32\wdreg.pdb source: CL-Eye-Driver-5.3.0.0341-Emuline.exe, 00000000.00000002.591112002.0000000002799000.00000004.00000001.sdmp, nsb97C2.tmp.0.dr
Source:	Binary string: WinUsbCoinstaller2.pdb source: CL-Eye-Driver-5.3.0.0341-Emuline.exe, 00000000.00000002.591171693.00000000027A8000.00000004.00000001.sdmp, SETC07A.tmp.3.dr
Source:	Binary string: C:\cygwin\home\adid\src\wd\wd.1021\samples\wdreg\WIN32\wdreg.pdb D` source: CL-Eye-Driver-5.3.0.0341-Emuline.exe, 00000000.00000002.591112002.0000000002799000.00000004.00000001.sdmp, nsb97C2.tmp.0.dr
Source:	Binary string: WinUsbCoinstaller2.pdbH source: CL-Eye-Driver-5.3.0.0341-Emuline.exe, 00000000.00000002.591171693.00000000027A8000.00000004.00000001.sdmp, SETC07A.tmp.3.dr

Data Obfuscation:

Source: C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe

Code function: 0_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00405E88

Source: C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe	Code function: 0_2_06882A10 push eax; ret		0_2_06882A3E
Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\CertMgr.exe	Code function: 1_2_00E88B99 push ecx; ret		1_2_00E88BAC

Persistence and Installation Behavior:

Source: C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe	File created: C:\Program Files (x86)\Code Laboratories\CL-Eye Driver\Driver\WinUSBCoInstaller2.dll	Jump to dropped file
Source: C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe	File created: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\CertMgr.exe	Jump to dropped file
Source: C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe	File created: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe	File created: C:\Program Files (x86)\Code Laboratories\CL-Eye Driver\Driver\WdfCoInstaller01009.dll	Jump to dropped file
Source: C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe	File created: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe	Jump to dropped file
Source: C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe	File created: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\nsDialogs.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe	File created: C:\Users\user\AppData\Local\Temp\{c4cc54bd-c62e-4545-a2f2-41b896ea201d}\SETC07A.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe	File created: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\nsExec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe	File created: C:\Program Files (x86)\Code Laboratories\CL-Eye Driver\Driver\CLEyeDevices.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe	File created: C:\Users\user\AppData\Local\Temp\{c4cc54bd-c62e-4545-a2f2-41b896ea201d}\SETC00C.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe	File created: C:\Windows\System32\CLEyeDevices.dll	Jump to dropped file

Source: C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe

File created: C:\Windows\System32\CLEyeDevices.dll

Jump to dropped file

Boot Survival:

Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe

Code function: 3_2_0000000140008930 OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,

3_2_0000000140008930

Hooking and other Techniques for Hiding and Protection:

Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe

Code function: 3_2_0000000140001C10 LoadLibraryExA,LoadLibraryExA,LoadLibraryExA,LoadLibraryExA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

3_2_0000000140001C10

Source: C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Source: C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe

Code function: 3_2_0000000140003B20 SetupDiGetClassDevsA,GetLastError,SetupDiEnumDeviceInfo,SetupDiGetDeviceRegistryPropertyA,GetLastError,LocalAlloc,SetupDiGetDeviceRegistryPropertyA,LocalFree,lstrlenA,LocalFree,SetupDiGetDeviceRegistryPropertyA,GetLastError,LocalAlloc,SetupDiGetDeviceRegistryPropertyA,LocalFree,lstrlenA,LocalFree,SetupDiEnumDeviceInfo,GetLastError,SetupDiDestroyDeviceInfoList,

3_2_0000000140003B20

Source: C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe	Window / User API: threadDelayed 1020	Jump to behavior
Source: C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe	Window / User API: foregroundWindowGot 594	Jump to behavior
Source: C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe	Window / User API: foregroundWindowGot 506	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{c4cc54bd-c62e-4545-a2f2-41b896ea201d}\SETC07A.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Code Laboratories\CL-Eye Driver\Driver\CLEyeDevices.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{c4cc54bd-c62e-4545-a2f2-41b896ea201d}\SETC00C.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe	Dropped PE file which has not been started: C:\Windows\System32\CLEyeDevices.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\CertMgr.exe	API coverage: 9.8 %
Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe	API coverage: 10.0 %

Source: C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe TID: 4904

Thread sleep time: -102000s >= -30000s

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe	Code function: 0_2_00405E61 FindFirstFileA,FindClose,	0_2_00405E61
Source: C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe	Code function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	0_2_0040548B
Source: C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe	Code function: 0_2_0040263E FindFirstFileA,	0_2_0040263E

Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe

Code function: 3_2_0000000140007260 SetupGetFieldCount,SetupGetStringFieldA,SetupGetStringFieldA,free,free,GetSystemInfo,GetSystemInfo,

3_2_0000000140007260

Source: C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe	API call chain: ExitProcess graph end node			graph_0-5401
Source: C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe	API call chain: ExitProcess graph end node			graph_0-5402

Anti Debugging:

Source: C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe

Code function: 0_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00405E88

Source: C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe

Code function: 0_2_10001855 CreateControl,GetProcessHeap,GetProcessHeap,HeapAlloc,GetProcessHeap,GetProcessHeap,HeapReAlloc,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,CreateWindowExA,SetPropA,SendMessageA,SendMessageA,SendMessageA,SetWindowLongA,GetProcessHeap,HeapFree,

0_2_10001855

Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\CertMgr.exe	Code function: 1_2_00E88A1F SetUnhandledExceptionFilter,	1_2_00E88A1F
Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\CertMgr.exe	Code function: 1_2_00E886C7 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00E886C7
Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe	Code function: 3_2_0000000140014C84 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_0000000140014C84
Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe	Code function: 3_2_0000000140009560 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_0000000140009560
Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe	Code function: 3_2_00000001400119B8 SetUnhandledExceptionFilter,	3_2_00000001400119B8

HIPS / PFW / Operating System Protection Evasion:

Source: C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe	Process created: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\CertMgr.exe C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\CertMgr.exe -add C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\CodeLabs.cer -c -s -r localMachine TrustedPublisher			Jump to behavior
Source: C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe	Process created: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe -inf PS3EyeCamera.inf -silent -compat install			Jump to behavior

Source: C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe

Code function: 0_2_06BA10D3 GetModuleFileNameA,GlobalAlloc,CharPrevA,GlobalFree,GetTempFileNameA,CopyFileA,CreateFileA,CreateFileMappingA,MapViewOfFile,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle,lstrcatA,lstrlenA,GlobalAlloc,FindWindowExA,FindWindowExA,FindWindowExA,lstrcmpiA,DeleteFileA,GlobalAlloc,GlobalLock,GetVersionExA,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreatePipe,CreatePipe,CreatePipe,GetStartupInfoA,CreateProcessA,GetTickCount,PeekNamedPipe,GetTickCount,ReadFile,lstrlenA,lstrlenA,GlobalSize,GlobalUnlock,GlobalReAlloc,GlobalLock,lstrlenA,lstrlenA,lstrlenA,lstrcpynA,lstrcatA,GlobalSize,lstrlenA,lstrcpyA,CharNextA,GetTickCount,TerminateProcess,lstrcpyA,Sleep,WaitForSingleObject,GetExitCodeProcess,PeekNamedPipe,lstrcpyA,lstrcpyA,wsprintfA,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,DeleteFileA,GlobalFree,GlobalFree,GlobalUnlock,GlobalFree,

0_2_06BA10D3

Source: CL-Eye-Driver-5.3.0.0341-Emuline.exe, 00000000.00000002.589197896.0000000000C90000.00000002.00000001.sdmp, wdreg.exe, 00000003.00000002.589859482.0000000001150000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: CL-Eye-Driver-5.3.0.0341-Emuline.exe, 00000000.00000002.589197896.0000000000C90000.00000002.00000001.sdmp, wdreg.exe, 00000003.00000002.589859482.0000000001150000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: CL-Eye-Driver-5.3.0.0341-Emuline.exe, 00000000.00000002.589197896.0000000000C90000.00000002.00000001.sdmp, wdreg.exe, 00000003.00000002.589859482.0000000001150000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: CL-Eye-Driver-5.3.0.0341-Emuline.exe, 00000000.00000002.589197896.0000000000C90000.00000002.00000001.sdmp, wdreg.exe, 00000003.00000002.589859482.0000000001150000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe

3_2_0000000140003B20

Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\CertMgr.exe

Code function: 1_2_00E88CA1 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

1_2_00E88CA1

Source: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe

Code function: 3_2_0000000140012DC4 _lock,___lc_codepage_func,free,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

3_2_0000000140012DC4

Source: C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe

Code function: 0_2_00405B88 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

0_2_00405B88

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Command and Scripting Interpreter2	Windows Service12	Windows Service12	Masquerading21	Input Capture1	System Time Discovery2	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Service Execution12	DLL Search Order Hijacking1	Process Injection12	Virtualization/Sandbox Evasion21	LSASS Memory	Query Registry1	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Native API1	Application Shimming1	DLL Search Order Hijacking1	Process Injection12	Security Account Manager	Security Software Discovery2	SMB/Windows Admin Shares	Clipboard Data1	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Application Shimming1	Deobfuscate/Decode Files or Information1	NTDS	Virtualization/Sandbox Evasion21	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information3	LSA Secrets	Process Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing1	Cached Domain Credentials	Application Window Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	DLL Search Order Hijacking1	DCSync	File and Directory Discovery2	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Information Discovery15	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Link
CL-Eye-Driver-5.3.0.0341-Emuline.exe	0%	Virustotal	Browse
CL-Eye-Driver-5.3.0.0341-Emuline.exe	0%	Metadefender	Browse
CL-Eye-Driver-5.3.0.0341-Emuline.exe	5%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Link
C:\Program Files (x86)\Code Laboratories\CL-Eye Driver\Driver\CLEyeDevices.dll	0%	Virustotal	Browse
C:\Program Files (x86)\Code Laboratories\CL-Eye Driver\Driver\CLEyeDevices.dll	0%	Metadefender	Browse
C:\Program Files (x86)\Code Laboratories\CL-Eye Driver\Driver\CLEyeDevices.dll	0%	ReversingLabs
C:\Program Files (x86)\Code Laboratories\CL-Eye Driver\Driver\WdfCoInstaller01009.dll	0%	Metadefender	Browse
C:\Program Files (x86)\Code Laboratories\CL-Eye Driver\Driver\WdfCoInstaller01009.dll	2%	ReversingLabs
C:\Program Files (x86)\Code Laboratories\CL-Eye Driver\Driver\WinUSBCoInstaller2.dll	0%	Metadefender	Browse
C:\Program Files (x86)\Code Laboratories\CL-Eye Driver\Driver\WinUSBCoInstaller2.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\CertMgr.exe	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\CertMgr.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\System.dll	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\nsDialogs.dll	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\nsDialogs.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\nsExec.dll	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\nsExec.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\{c4cc54bd-c62e-4545-a2f2-41b896ea201d}\SETC00C.tmp	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\{c4cc54bd-c62e-4545-a2f2-41b896ea201d}\SETC00C.tmp	2%	ReversingLabs
C:\Users\user\AppData\Local\Temp\{c4cc54bd-c62e-4545-a2f2-41b896ea201d}\SETC07A.tmp	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\{c4cc54bd-c62e-4545-a2f2-41b896ea201d}\SETC07A.tmp	0%	ReversingLabs

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://codelaboratories.com	0%	Virustotal		Browse
http://codelaboratories.com	0%	Avira URL Cloud	safe
http://codelaboratories.com/eye	2%	Virustotal		Browse
http://codelaboratories.com/eye	0%	Avira URL Cloud	safe
http://www.jungo.comCommand	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://codelaboratories.com	nsb97C2.tmp.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://codelaboratories.com/eye	nsb97C2.tmp.0.dr	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_Error	CL-Eye-Driver-5.3.0.0341-Emuline.exe	false		high
http://nsis.sf.net/NSIS_ErrorError	CL-Eye-Driver-5.3.0.0341-Emuline.exe	false		high
http://www.jungo.comCommand	wdreg.exe	false	Avira URL Cloud: safe	unknown
http://www.jungo.com	wdreg.exe.0.dr	false		high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	343519
Start date:	24.01.2021
Start time:	13:44:26
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	CL-Eye-Driver-5.3.0.0341-Emuline.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	34
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean7.evad.winEXE@7/19@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 65.3% (good quality ratio 58.6%) Quality average: 73.5% Quality standard deviation: 33.7%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe, wuapihost.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\System.dll	5d#U25a0.exe	Get hash	malicious	Browse
	VpnClientInstall.exe	Get hash	malicious	Browse
	FlashPlayerInstaller.exe	Get hash	malicious	Browse
	Flash PlayerInstaller.exe	Get hash	malicious	Browse
	vcruntime140.exe	Get hash	malicious	Browse
	https://www.arcai.com/download/netcut.exe	Get hash	malicious	Browse
	https://www.userbenchmark.com/resources/download/UserBenchMark.exe	Get hash	malicious	Browse
	https://dxejw4oyledi.cloudfront.net/repository/servicestudio/11.8.7.29639/DevelopmentEnvironment-11.8.7 (Build 29639).exe	Get hash	malicious	Browse
	INIS_EX.exe	Get hash	malicious	Browse
	okayfreedomwr.exe	Get hash	malicious	Browse
	30#Uff09.exe	Get hash	malicious	Browse
	ShopAtHome_AppCore_7127_C78621646_D1_R1051591_B3.exe	Get hash	malicious	Browse
	ace-stream-3-1-1-multi-win.exe	Get hash	malicious	Browse
	bomgar-scc-w0eyc301ijjj7jyyxygew8d6fzhye1wjij6z55gc40jc90.exe	Get hash	malicious	Browse
	SVClientSetup(3.3.2.17.0.1).exe	Get hash	malicious	Browse
	something-else-installer.exe	Get hash	malicious	Browse
	TLDClip_CLIENT.exe	Get hash	malicious	Browse
	0.200228.exe	Get hash	malicious	Browse
	WebClient-Setup-1.17.0.17.exe	Get hash	malicious	Browse
	webxvid-setup-on.exe	Get hash	malicious	Browse
C:\Program Files (x86)\Code Laboratories\CL-Eye Driver\Driver\WdfCoInstaller01009.dll	EC-Win for OPTICLINE.exe	Get hash	malicious	Browse
	http://en.fss.flashforge.com/10000/software/8b176bef1058cc76b263410aadf9dce5.zip	Get hash	malicious	Browse
	http://www.wacom.com/services/wacom/get-download-url.aspx?plat=win&dver=6.3.20-2&dt=drivers&redirect=true	Get hash	malicious	Browse
	Prolific-AllNTx64x86-3.8.12.0-dr.exe	Get hash	malicious	Browse
	AcerEXTENDInstaller.exe	Get hash	malicious	Browse
	07da5dff-6819-485b-8fbf-01081aaf94bf.exe	Get hash	malicious	Browse
	prosoft_biometrics_all_driver_installer.exe	Get hash	malicious	Browse
C:\Program Files (x86)\Code Laboratories\CL-Eye Driver\Driver\WinUSBCoInstaller2.dll	wdi-simple.exe	Get hash	malicious	Browse
	https://timeular-desktop-packages.s3.amazonaws.com/win/production/Timeular_Setup.exe	Get hash	malicious	Browse
	http://en.fss.flashforge.com/10000/software/8b176bef1058cc76b263410aadf9dce5.zip	Get hash	malicious	Browse
	AcerEXTENDInstaller.exe	Get hash	malicious	Browse
	07da5dff-6819-485b-8fbf-01081aaf94bf.exe	Get hash	malicious	Browse
	prosoft_biometrics_all_driver_installer.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Program Files (x86)\Code Laboratories\CL-Eye Driver\Driver\CLEyeDevices.dll Download File
Process:	C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	68888
Entropy (8bit):	4.595668459562712
Encrypted:	false
SSDEEP:	768:jQQb8qzJV27KywlOBXRT2EsHRJ1IIILT2I1:jQQb8qFEOtlSXkEsHRJGmo
MD5:	9BBE0ECDB6AE0FC5249F4FBFE6A80550
SHA1:	97039439ACDF1301F096447DD210542E5AC15ACA
SHA-256:	BC02F7F499F0D1EEBE70EB41682DDB24098A8E7FF7C42BDE9D3ECA441FFE7C77
SHA-512:	7092989059BEDB29BB59A21C7A0A59EAA84295352D386E6C371367492AA4F96AB7EDC2A45ECE69B1844ACDC28CB8CB6030AC53705EC7A26799C6CD640F3E02D8
Malicious:	false
Antivirus:	Antivirus: Virustotal, Detection: 0%, Browse Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........}....~...~...~.....~.....~.....~.Rich..~.........PE..L....k.P...........!.................................................................n....@.............................................h............................................................................................................rsrc...h...........................@..@............................................................ ............................................................... .......8.......P.......h...........................................................................d...(.......................@.......................P.......................`.......................p...........................................................................................................................................................................................................

C:\Program Files (x86)\Code Laboratories\CL-Eye Driver\Driver\PS3EyeCamera.inf Download File
Process:	C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe
File Type:	Windows setup INFormation, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2621
Entropy (8bit):	5.399183015547126
Encrypted:	false
SSDEEP:	48:nq14WON4iA4W5gcgg1SVtJDNru9Qjd7U/CSHeokbKmd+N1+J1HEe+ofePCQGNtWX:n63ON4iA4W3zqIQZ7UzyH1fmCjb+
MD5:	60BB6D15F8989D61064565C5E7B7E7BB
SHA1:	7A56F978CE9F66FF9FE7C399155D9C16F0309B2F
SHA-256:	3D75843CF756E744177C3C5B31B9100D2C18C9FE8A7B6D0CF62FFEE9B5F53788
SHA-512:	74E9A3AB0507272D5DFA928C870BD3D0DAC23C32CFB8C95149819AEFE4F033CCA54BD9BB27C988004F83758689E88521D0BD3421FE6F206A6AA138A6A19A516D
Malicious:	false
Reputation:	low
Preview:	; =====================================================================..; PS3Eye Driver for Windows XP/2003/Vista/Win7/Win8 x86/x64..; PS3EyeCamera.inf..; Driver installation file for the Sony PS3Eye camera..; Copyright (c) 2008-2012 Code Laboratories, Inc. All Rights Reserved...; =====================================================================..[Version]..Signature = "$Windows NT$"..Class = Image..ClassGuid = {6bdd1fc6-810f-11d0-bec7-08002be2092f}..Provider = %ProviderName%..DriverVer = 12/06/2012, 5.3.0.0341..CatalogFile.ntx86.= PS3EyeCamera.cat..CatalogFile.ntamd64 = PS3EyeCamera.cat....; ========== Manufacturer/Models sections ===========..[Manufacturer]..%Manufacturer% = Sony, NTx86, NTamd64....[Sony.NTx86]..%PS3EyeDesc% = PS3EyeInstall, USB\VID_1415&PID_2000&MI_00....[Sony.NTamd64]..%PS3EyeDesc% = PS3EyeInstall, USB\VID_1415&PID_2000&MI_00....[PS3EyeInstall]..Include = winusb.inf..Needs = WINUSB.NT..AddProperty = DeviceProperties....[DeviceProperties]..Dev

C:\Program Files (x86)\Code Laboratories\CL-Eye Driver\Driver\WdfCoInstaller01009.dll Download File
Process:	C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1721576
Entropy (8bit):	7.978334410477683
Encrypted:	false
SSDEEP:	24576:oU4MsColC6Je/ZgY7OOfcEpiRLH87SyVXGe38uKUj+NFVov1PJLfVKZ8F5mEeZWF:BFCsfZRZA6Xn388avVovfLd+Mo4iEF
MD5:	4DA5DA193E0E4F86F6F8FD43EF25329A
SHA1:	68A44D37FF535A2C454F2440E1429833A1C6D810
SHA-256:	18487B4FF94EDCCC98ED59D9FCA662D4A1331C5F1E14DF8DB3093256DD9F1C3E
SHA-512:	B3D73ED5E45D6F2908B2F3086390DD28C1631E298756CEE9BDF26B185F0B77D1B8C03AD55E0495DBA982C5BED4A03337B130C76F7112F3E19821127D2CF36853
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 2%
Joe Sandbox View:	Filename: EC-Win for OPTICLINE.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: Prolific-AllNTx64x86-3.8.12.0-dr.exe, Detection: malicious, Browse Filename: AcerEXTENDInstaller.exe, Detection: malicious, Browse Filename: 07da5dff-6819-485b-8fbf-01081aaf94bf.exe, Detection: malicious, Browse Filename: prosoft_biometrics_all_driver_installer.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t.v...%...%...%.m+%...%.m:%...%...% ..%.m-%...%.m=%...%.m,%...%.m7%...%...%...%.m%...%.m/%...%Rich...%........................PE..d.....[J.........." .........0............................................................@.........................................`................p..l!...`..,....,...............................................................................................text...L........................... ..`.data....J..........................@....pdata..,....`......................@..@.rsrc...l!...p..."..................@..@.reloc.............................@..B........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Code Laboratories\CL-Eye Driver\Driver\WinUSBCoInstaller2.dll Download File
Process:	C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1002728
Entropy (8bit):	7.9188668904013815
Encrypted:	false
SSDEEP:	24576:aAEBXzGJ7fW6hHv62VYeL7WCE3wixdLZWQzMjp:uBXQz/hPzxRwPdcO
MD5:	246900CE6474718730ECD4F873234CF5
SHA1:	0C84B56C82E4624824154D27926DED1C45F4B331
SHA-256:	981A17EFFDDBC20377512DDAEC9F22C2B7067E17A3E2A8CCF82BB7BB7B2420B6
SHA-512:	6A9E305BFBFB57D8F8FD16EDABEF9291A8A97E4B9C2AE90622F6C056E518A0A731FBB3E33A2591D87C8E4293D0F983EC515E6A241792962257B82401A8811D5C
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: wdi-simple.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: AcerEXTENDInstaller.exe, Detection: malicious, Browse Filename: 07da5dff-6819-485b-8fbf-01081aaf94bf.exe, Detection: malicious, Browse Filename: prosoft_biometrics_all_driver_installer.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......L..............8............>....../.-....(.T....9......!......?......:....Rich...........PE..d.....[J.........." ................ {....................................................@.........................................@.......8...P....p.......`.......4..................................................................(............................text............................... ..`.data....:... ......................@....pdata.......`....... ..............@..@.rsrc........p.......*..............@..@.reloc..D............0..............@..B................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Code Laboratories\CL-Eye Driver\Driver\ps3eyecamera.cat Download File
Process:	C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe
File Type:	data
Category:	dropped
Size (bytes):	9121
Entropy (8bit):	7.154218995176762
Encrypted:	false
SSDEEP:	192:Tt+quC09Qw335/wJirNmL/TSrR1DHC+v+pSXjtlAur9ZCspE+TMcrZQvM:YP3mirILTaTICUHeMcQE
MD5:	2B1EF3BE14DB406855E7EF58A725FFE0
SHA1:	7498D416AD02288CE86696CA1633E750FD8A2C7F
SHA-256:	D70910EB2D223F843328443A18B79B50A71470B40F0A19B7C422F062322CD562
SHA-512:	1633ED6842962A135F5750A2C2AAF48D2C5FCB6EBD44C84514425546BDF0AFC1F2F8FD2290AA8EDD57F9F5E642EDB481278FBD3A7ED16DC3684699F13D885F14
Malicious:	false
Reputation:	low
Preview:	0.#...*.H........#.0.#....1.0...+......0.....+.....7......0...0...+.....7.....4b7#.}.C..SDE.=...121206095708Z0...+.....7.....0...0....R0.5.6.3.9.9.F.A.A.C.B.9.F.C.4.9.F.3.C.F.7.8.B.F.C.3.D.9.F.2.F.4.6.3.E.5.0.1.2.E...1...0R..+.....7...1D0B...F.i.l.e.......0w.d.f.c.o.i.n.s.t.a.l.l.e.r.0.1.0.0.9...d.l.l...0b..+.....7...1T0R...O.S.A.t.t.r.......<2.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...1.,.2.:.6...2...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0i..+.....7...1[0Y04..+.....7...0&..... .....<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+.........c.....I..x.....c...0....R7.A.5.6.F.9.7.8.C.E.9.F.6.6.F.F.9.F.E.7.C.3.9.9.1.5.5.D.9.C.1.6.F.0.3.0.9.B.2.F...1..q0D..+.....7...1604...F.i.l.e......."p.s.3.e.y.e.c.a.m.e.r.a...i.n.f...0a..+.....7...1S0Q0,..+.....7........<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+........zV.x.f.....]...0./0b..+.....7...1T0R...O.S.A.t.t.r.......<2.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...1.,.2.:.6...2...0b..+.....7...1T0R.L.{.D.E.

C:\Users\user\AppData\Local\Temp\nsb97C2.tmp Download File
Process:	C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe
File Type:	data
Category:	dropped
Size (bytes):	3876794
Entropy (8bit):	7.601672742605116
Encrypted:	false
SSDEEP:	49152:yh/s4LFCsfZRZA6Xn388avVovfLd+Mo4iENBXQz/hPzxRwPdcOm:cs45Z2ans8GVoLd+GnNBc/lw+9
MD5:	4A0E45B66E99A3DBD7991A82B0C6103E
SHA1:	A29434DACD81F2D731981386CACB6F85A324C09B
SHA-256:	C2FC06425FBBBE7CCBD576F714C9E156F41EE426D80A19A7D0D737B984896288
SHA-512:	3B218F2A759162270841AA926D1AB9EF900EE85B2B1F7E4657933C43930EF7A97F54F9DE1CB3D428F9D50D27B7B85D27F3AF1E7847DC2D65A161BA887FBF1E64
Malicious:	false
Reputation:	low
Preview:	.U......,.......l...............Xr......PT......vU..........................3...........................&.......................k...............................................................................................................................................................%...............................................................................f.......................B.......................D...............j.......................B.......................................................................................................................c.......B.......................................u.......................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\CertMgr.exe Download File
Process:	C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	65024
Entropy (8bit):	5.759521527165683
Encrypted:	false
SSDEEP:	1536:qnOUkO0UXRiKvbVAc5xt3xGnmdYw+WXsA9iYzvy:OOUu3KvbVtxtBGnmdt+WXso
MD5:	1444BCFEFF029BB1E9B1CA3B896CD143
SHA1:	A002C0995AEF87A0B523C69073B0B10EF850ACAA
SHA-256:	781F4ECA34D7EA200EC534F556AE0D39A89E0E38D909899166A6E910B57E2CBD
SHA-512:	2BD309DC6605A0ED714C21E9C0BBE9A973E7D4F078E9944EC1E2CC273C98B400A76B94BEAA8389D000EEE3FF982B4A1B9A4E6E5FD21FAE84DE622951B15FAEBC
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........=[.eS..eS..eS......eS......eS......eS..eR..eS......eS...-..eS......eS......eS.Rich.eS.................PE..L.....pK.....................................................................@.......K....@...... ......................................xW...................0..........................................@............................................text...f........................... ..`.data....(..........................@....rsrc...xW.......X..................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\CodeLabs.cer Download File
Process:	C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe
File Type:	data
Category:	dropped
Size (bytes):	1399
Entropy (8bit):	7.134722692336902
Encrypted:	false
SSDEEP:	24:zKNQ3IaffyrW11B+iIrWGwBB1IW7IXGL3ishvrRgjDiuVz0mkh1BId0WE9EDpq6b:zKQDffr1yibBDrIWb2DiuVxkhbId0juB
MD5:	972B62B8C7088AF29C364514E6582F0B
SHA1:	97B8DB93E99E6D5D8F6424143BE1F8F96D0F4FA7
SHA-256:	7D535AD3E333875076288791BBCE84FD7DB67624940B2639418EB40BF39CE465
SHA-512:	F0E54B5EAB3D67902B823C879CF73DB95372AE222F60885597C43BA93BE81852008C88CC20DE1FB96A93B86E219025191D670EC373E4FE256071BD3AE7D175CD
Malicious:	false
Reputation:	low
Preview:	0..s0..[.......6!a]]..SX..x.A..0....H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at https://www.verisign.com/rpa (c)101.0,..U...%VeriSign Class 3 Code Signing 2010 CA0...121202000000Z..140101235959Z0..1.0...U....US1.0...U....Nevada1.0...U....Henderson1 0...U....Code Laboratories, Inc.1>0<..U...5Digital ID Class 3 - Microsoft Software Validation v21 0...U....Code Laboratories, Inc.0.."0....H.............0.........KV.....B.3..Bm%<k\..(..A.r.Gs\|x`..E..........._.:..B....]4.m.....7.e8.J.G.{..K.~?.mN...+m.F....u.....{ ...~v......BsN....X..3...^\|.......... .....G..A.DU%....N.nt.$4..-K`!.y...p..C.....,.(........4..9gGx.S..eSzB..S.<.V.rB.'.}jN.o1.3Z.hd.e...=........{0..w0...U....0.0...U...........0@..U...90705.3.1./http://csc3-2010-crl.verisign.com/CSC3-2010.crl0D..U. .=0;09..`.H...E....0*0(..+.........https://www.verisign.com/rpa0...U.%..0...+.......0q..+........e0c0$..+.....0...http://ocsp.verisign.com0;..+.....0../

C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\System.dll Download File
Process:	C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	5.568877095847681
Encrypted:	false
SSDEEP:	192:7DKnJZCv6VmbJQC+tFiUdK7ckD4gRXKQx+LQ2CSF:7ViJrtFRdbmXK8+PCw
MD5:	C17103AE9072A06DA581DEC998343FC1
SHA1:	B72148C6BDFAADA8B8C3F950E610EE7CF1DA1F8D
SHA-256:	DC58D8AD81CACB0C1ED72E33BFF8F23EA40B5252B5BB55D393A0903E6819AE2F
SHA-512:	D32A71AAEF18E993F28096D536E41C4D016850721B31171513CE28BBD805A54FD290B7C3E9D935F72E676A1ACFB4F0DCC89D95040A0DD29F2B6975855C18986F
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 5d#U25a0.exe, Detection: malicious, Browse Filename: VpnClientInstall.exe, Detection: malicious, Browse Filename: FlashPlayerInstaller.exe, Detection: malicious, Browse Filename: Flash PlayerInstaller.exe, Detection: malicious, Browse Filename: vcruntime140.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: INIS_EX.exe, Detection: malicious, Browse Filename: okayfreedomwr.exe, Detection: malicious, Browse Filename: 30#Uff09.exe, Detection: malicious, Browse Filename: ShopAtHome_AppCore_7127_C78621646_D1_R1051591_B3.exe, Detection: malicious, Browse Filename: ace-stream-3-1-1-multi-win.exe, Detection: malicious, Browse Filename: bomgar-scc-w0eyc301ijjj7jyyxygew8d6fzhye1wjij6z55gc40jc90.exe, Detection: malicious, Browse Filename: SVClientSetup(3.3.2.17.0.1).exe, Detection: malicious, Browse Filename: something-else-installer.exe, Detection: malicious, Browse Filename: TLDClip_CLIENT.exe, Detection: malicious, Browse Filename: 0.200228.exe, Detection: malicious, Browse Filename: WebClient-Setup-1.17.0.17.exe, Detection: malicious, Browse Filename: webxvid-setup-on.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......)...m.m.m...k.m.~....j....l.9..i....l.Richm.........................PE..L......K...........!................0).......0...............................`......................................p2......t0..P............................P.......................................................0..X............................text...1........................... ..`.rdata.......0......."..............@..@.data...d....@.......&..............@....reloc.......P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\modern-header.bmp Download File
Process:	C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe
File Type:	PC bitmap, Windows 3.x format, 150 x 57 x 24
Category:	dropped
Size (bytes):	25818
Entropy (8bit):	6.701980959072744
Encrypted:	false
SSDEEP:	192:FChlOL8ZsdkLsnDIIaX1kE5xl4LLXhLZhQXkgmyWv5TGXjzCMb9pK0yzu5OY68Z7:FqOHUu5ktJU37c
MD5:	BF0CAC9A510A5C7C674734F70CC78EED
SHA1:	3315DE8307BE3D0B02D1C939DAEEA71256B045B5
SHA-256:	EA407BA58AB565DA56864C02BE188D42F4C35E1124AF85AC668601C7D9FE885C
SHA-512:	2180DE9FC2C0CE2301CD10F5B522E42B2DB57894D597EC7F8F48EAA9146C722144C21481F34E4DA1060197C21B25B50FE4732E42A542259CB8D41B4E34F62B08
Malicious:	false
Preview:	BM.d......6...(.......9............d..a...a............sH.sH.sH.sH.sH.sH.sH.sH.sH.sH.sH.sH.sH.sH.sH.sH.sH.sH.sH.sH.sH.sH.sH.sH.sH.sH.sH.sH.sH.sH.sH.sH.sH.sH.sH.sH.sH.sH.sH.sH.sH.sH.sH.sH.sH.sH.sH.sH.sH.sH.sH.tI.uJ.vL.wM.wM.xN.yO.zP.\|R.}V.~W..X..Z..[..] ._#.`%.b&.d.f..i/.j2.k4.m9.p:.r>.tA.vC.xG.zI.\|M.~Q..T..X..Y..].._..c..g..l..m..p..u..x..{........................................................................................................................................................R..R..R..R..R..R..R..R..R..R..R..R..R..R..R..R..R..R..R..R..R..R..R..R..R..R..R..R..R..R..R..R..R..R..R..R..R..R..R..R..R..R..R..R..R..R..R..R..R..R..R..S..S..U..V..W..X..Y..Z..]..^.._..`..a..c..e!.g".h%.k'.m.n-.p/.r3.t6.u8.w<.y=.zA.}D..G..J..N..P..T..W..Z..^..^..b..g..k..n..p..t..w..\|....................................................................................................................................................X..X..X..X..X..X..X..X..X..X..X..X..X..X

C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\modern-wizard.bmp Download File
Process:	C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe
File Type:	PC bitmap, Windows 3.x format, 164 x 314 x 24
Category:	dropped
Size (bytes):	309084
Entropy (8bit):	4.701330546427498
Encrypted:	false
SSDEEP:	768:7PP4Cu6o3BJeg3m4IBzaGhVmF3mIpVR2VoGEwUNg6KKIrs+ysufmhAGU/oZIy8ZQ:mKr
MD5:	2770EC787024E58D3252ED61638447F4
SHA1:	15CF54FEE8CA8C0B176AED93A6F0F3F690B8B217
SHA-256:	966167235AF724AF525EB5B2545DCBB734A1AF26CFAA2CD77ABB080764362EC6
SHA-512:	5E04B7DC798BE73B9A2457BDC1E672828AC41C2D5299BFC1198F4E579B763E367577E1A35F64740634F276E3CE2ECF65430191B84EE810BCF6FCC41BC9BB502E
Malicious:	false
Preview:	BM.[......6...(.......:...........x[....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\nsDialogs.dll Download File
Process:	C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	9728
Entropy (8bit):	5.054726426952
Encrypted:	false
SSDEEP:	96:hBABCcnl5TKhkfLxSslykcxM2DjDf3GE+Xv8Xav+Yx4VndY7ndS27gA:h6n+0SAfRE+/8ZYxMdqn420
MD5:	C10E04DD4AD4277D5ADC951BB331C777
SHA1:	B1E30808198A3AE6D6D1CCA62DF8893DC2A7AD43
SHA-256:	E31AD6C6E82E603378CB6B80E67D0E0DCD9CF384E1199AC5A65CB4935680021A
SHA-512:	853A5564BF751D40484EA482444C6958457CB4A17FB973CF870F03F201B8B2643BE41BCCDE00F6B2026DC0C3D113E6481B0DC4C7B0F3AE7966D38C92C6B5862E
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......../.cXN`0XN`0XN`0XNa0mN`0.A=0UN`0.mP0]N`0.Hf0YN`0.nd0YN`0RichXN`0........................PE..L......K...........!......... ...............0.......................................................................6..k....0.......`.......................p.......................................................0...............................text...G........................... ..`.rdata..k....0......................@..@.data........@......................@....rsrc........`....... ..............@..@.reloc..<....p......."..............@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\nsExec.dll Download File
Process:	C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6656
Entropy (8bit):	5.036651327230889
Encrypted:	false
SSDEEP:	96:M7GUb+YNfwgcr8zyKwZ5S4JxN8BS0ef9/3VI9d0qqyVgNk32E:eKgfwgcr8zylsB49Ud0qJVgNX
MD5:	ACC2B699EDFEA5BF5AAE45ABA3A41E96
SHA1:	D2ACCF4D494E43CEB2CFF69ABE4DD17147D29CC2
SHA-256:	168A974EAA3F588D759DB3F47C1A9FDC3494BA1FA1A73A84E5E3B2A4D58ABD7E
SHA-512:	E29EA10ADA98C71A18273B04F44F385B120D4E8473E441CE5748CFA44A23648814F2656F429B85440157988C88DE776C6AC008DC38BF09CBB746C230A46C69FE
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................,.................Rich...........PE..L......K...........!......................... ...............................P.......................................$..l.... ..P............................@....................................................... ...............................text...H........................... ..`.rdata..,.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe Download File
Process:	C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	145920
Entropy (8bit):	6.195003438017005
Encrypted:	false
SSDEEP:	3072:pDsy3Iz27vf6Uz4wtApVzVH8csZm5Z4GFQeLn04gQAL/iha8n:pDsy3K2jfewtApTH9sc5Z70n
MD5:	D0047E39B0DFD11EC2A50E2A45C2D9BE
SHA1:	7DD0C7C4689AA4C70E3FFAD86C2336D0785283B3
SHA-256:	5957F8A0BEA130C6C4D91AF8C5D6879943DC76FAF1EBB50A70E3BD285FC8D86E
SHA-512:	4807E11CDFF1F5FE78B7172CC0170DE51FA97997F0096EF44E1C6D159DF7E933889E64A368055CAC5C57F5297478F1A035E0402818CCF33C540503F36305A64C
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........!0.Oc.Oc.OcOm1c.Oc.o2c.Oc.4"c.Oc.44c.Oc.Nc..Oc.o"cX.Oc.o!c.Oc.o3c.Oc.o7c.OcRich.Oc................PE..d.....\|L..........#......t.....................@................................................................................................<............`..h....................................................................... ............................text....r.......t.................. ..`.rdata..Z............x..............@..@.data...$=... ......................@....pdata..h....`......................@..@.rsrc................6..............@..@........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{c4cc54bd-c62e-4545-a2f2-41b896ea201d}\SETC00A.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe
File Type:	data
Category:	dropped
Size (bytes):	9121
Entropy (8bit):	7.154218995176762
Encrypted:	false
SSDEEP:	192:Tt+quC09Qw335/wJirNmL/TSrR1DHC+v+pSXjtlAur9ZCspE+TMcrZQvM:YP3mirILTaTICUHeMcQE
MD5:	2B1EF3BE14DB406855E7EF58A725FFE0
SHA1:	7498D416AD02288CE86696CA1633E750FD8A2C7F
SHA-256:	D70910EB2D223F843328443A18B79B50A71470B40F0A19B7C422F062322CD562
SHA-512:	1633ED6842962A135F5750A2C2AAF48D2C5FCB6EBD44C84514425546BDF0AFC1F2F8FD2290AA8EDD57F9F5E642EDB481278FBD3A7ED16DC3684699F13D885F14
Malicious:	false
Preview:	0.#...*.H........#.0.#....1.0...+......0.....+.....7......0...0...+.....7.....4b7#.}.C..SDE.=...121206095708Z0...+.....7.....0...0....R0.5.6.3.9.9.F.A.A.C.B.9.F.C.4.9.F.3.C.F.7.8.B.F.C.3.D.9.F.2.F.4.6.3.E.5.0.1.2.E...1...0R..+.....7...1D0B...F.i.l.e.......0w.d.f.c.o.i.n.s.t.a.l.l.e.r.0.1.0.0.9...d.l.l...0b..+.....7...1T0R...O.S.A.t.t.r.......<2.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...1.,.2.:.6...2...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0i..+.....7...1[0Y04..+.....7...0&..... .....<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+.........c.....I..x.....c...0....R7.A.5.6.F.9.7.8.C.E.9.F.6.6.F.F.9.F.E.7.C.3.9.9.1.5.5.D.9.C.1.6.F.0.3.0.9.B.2.F...1..q0D..+.....7...1604...F.i.l.e......."p.s.3.e.y.e.c.a.m.e.r.a...i.n.f...0a..+.....7...1S0Q0,..+.....7........<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+........zV.x.f.....]...0./0b..+.....7...1T0R...O.S.A.t.t.r.......<2.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...1.,.2.:.6...2...0b..+.....7...1T0R.L.{.D.E.

C:\Users\user\AppData\Local\Temp\{c4cc54bd-c62e-4545-a2f2-41b896ea201d}\SETC00B.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe
File Type:	Windows setup INFormation, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2621
Entropy (8bit):	5.399183015547126
Encrypted:	false
SSDEEP:	48:nq14WON4iA4W5gcgg1SVtJDNru9Qjd7U/CSHeokbKmd+N1+J1HEe+ofePCQGNtWX:n63ON4iA4W3zqIQZ7UzyH1fmCjb+
MD5:	60BB6D15F8989D61064565C5E7B7E7BB
SHA1:	7A56F978CE9F66FF9FE7C399155D9C16F0309B2F
SHA-256:	3D75843CF756E744177C3C5B31B9100D2C18C9FE8A7B6D0CF62FFEE9B5F53788
SHA-512:	74E9A3AB0507272D5DFA928C870BD3D0DAC23C32CFB8C95149819AEFE4F033CCA54BD9BB27C988004F83758689E88521D0BD3421FE6F206A6AA138A6A19A516D
Malicious:	false
Preview:	; =====================================================================..; PS3Eye Driver for Windows XP/2003/Vista/Win7/Win8 x86/x64..; PS3EyeCamera.inf..; Driver installation file for the Sony PS3Eye camera..; Copyright (c) 2008-2012 Code Laboratories, Inc. All Rights Reserved...; =====================================================================..[Version]..Signature = "$Windows NT$"..Class = Image..ClassGuid = {6bdd1fc6-810f-11d0-bec7-08002be2092f}..Provider = %ProviderName%..DriverVer = 12/06/2012, 5.3.0.0341..CatalogFile.ntx86.= PS3EyeCamera.cat..CatalogFile.ntamd64 = PS3EyeCamera.cat....; ========== Manufacturer/Models sections ===========..[Manufacturer]..%Manufacturer% = Sony, NTx86, NTamd64....[Sony.NTx86]..%PS3EyeDesc% = PS3EyeInstall, USB\VID_1415&PID_2000&MI_00....[Sony.NTamd64]..%PS3EyeDesc% = PS3EyeInstall, USB\VID_1415&PID_2000&MI_00....[PS3EyeInstall]..Include = winusb.inf..Needs = WINUSB.NT..AddProperty = DeviceProperties....[DeviceProperties]..Dev

C:\Users\user\AppData\Local\Temp\{c4cc54bd-c62e-4545-a2f2-41b896ea201d}\SETC00C.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1721576
Entropy (8bit):	7.978334410477683
Encrypted:	false
SSDEEP:	24576:oU4MsColC6Je/ZgY7OOfcEpiRLH87SyVXGe38uKUj+NFVov1PJLfVKZ8F5mEeZWF:BFCsfZRZA6Xn388avVovfLd+Mo4iEF
MD5:	4DA5DA193E0E4F86F6F8FD43EF25329A
SHA1:	68A44D37FF535A2C454F2440E1429833A1C6D810
SHA-256:	18487B4FF94EDCCC98ED59D9FCA662D4A1331C5F1E14DF8DB3093256DD9F1C3E
SHA-512:	B3D73ED5E45D6F2908B2F3086390DD28C1631E298756CEE9BDF26B185F0B77D1B8C03AD55E0495DBA982C5BED4A03337B130C76F7112F3E19821127D2CF36853
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 2%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t.v...%...%...%.m+%...%.m:%...%...% ..%.m-%...%.m=%...%.m,%...%.m7%...%...%...%.m%...%.m/%...%Rich...%........................PE..d.....[J.........." .........0............................................................@.........................................`................p..l!...`..,....,...............................................................................................text...L........................... ..`.data....J..........................@....pdata..,....`......................@..@.rsrc...l!...p..."..................@..@.reloc.............................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{c4cc54bd-c62e-4545-a2f2-41b896ea201d}\SETC07A.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1002728
Entropy (8bit):	7.9188668904013815
Encrypted:	false
SSDEEP:	24576:aAEBXzGJ7fW6hHv62VYeL7WCE3wixdLZWQzMjp:uBXQz/hPzxRwPdcO
MD5:	246900CE6474718730ECD4F873234CF5
SHA1:	0C84B56C82E4624824154D27926DED1C45F4B331
SHA-256:	981A17EFFDDBC20377512DDAEC9F22C2B7067E17A3E2A8CCF82BB7BB7B2420B6
SHA-512:	6A9E305BFBFB57D8F8FD16EDABEF9291A8A97E4B9C2AE90622F6C056E518A0A731FBB3E33A2591D87C8E4293D0F983EC515E6A241792962257B82401A8811D5C
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......L..............8............>....../.-....(.T....9......!......?......:....Rich...........PE..d.....[J.........." ................ {....................................................@.........................................@.......8...P....p.......`.......4..................................................................(............................text............................... ..`.data....:... ......................@....pdata.......`....... ..............@..@.rsrc........p.......*..............@..@.reloc..D............0..............@..B................................................................................................................................................................................................................................................................................................................

C:\Windows\System32\CLEyeDevices.dll Download File
Process:	C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	68888
Entropy (8bit):	4.595490225607613
Encrypted:	false
SSDEEP:	768:5QQb8qzJV27KywlOBXRT2EsHRJ1IIILT2Iv:5QQb8qFEOtlSXkEsHRJGmm
MD5:	DAD1C55402BFE58EE7E051EB26F367E7
SHA1:	DCB48ECD5A7998CC99D0E26189DA65F09849F8C0
SHA-256:	6DB1860BC51C56A0B552ABCEA593F1243409D9D07D19265D18110B45A7E3B6F0
SHA-512:	CDDE2C9D4C596ED6ABB76060AE95582D26DC1FF5600771E251507E6CF2DAF376EF4D97F423F3F16C555BAA431DBB12A29BEAA9A67D67362C474322ED75D05FC4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........}....~...~...~.....~.....~.....~.Rich..~.........PE..L....k.P...........!.................................................................{....@.............................................h............................................................................................................rsrc...h...........................@..@............................................................ ............................................................... .......8.......P.......h...........................................................................d...(.......................@.......................P.......................`.......................p...........................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.997282359871388
TrID:	Win32 Executable (generic) a (10002005/4) 92.16% NSIS - Nullsoft Scriptable Install System (846627/2) 7.80% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	CL-Eye-Driver-5.3.0.0341-Emuline.exe
File size:	5410368
MD5:	64112c1df0d80d195d006da9c15bf710
SHA1:	f0bfbc32171ecfb03614470b9c06ef34c07e66b0
SHA256:	29cbd9d9bc6571d15d6a2b29dd2532fe6c7fb81d255778deb40f64dc79502bf5
SHA512:	eefac2d69ece3ac07745a71c6e895200f1fb1b7c1f144ba44fcb658f9232bd613d894929bb81f24d86815eb09f87757b96277f7cd0aa40b1f092c366b54bc1c6
SSDEEP:	98304:4cf1PgNuKGzp9kp2aqDNsmXWtKI/cdVo+J2v1I54UJV17j7MayZkxMCOaX:7xz3zApCXEtECd64eV1TyZkxJ
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................\.........

File Icon


Icon Hash:	f0e2fc64d4dccc4c

Static PE Info

General
Entrypoint:	0x40323c
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x4B1AE3C6 [Sat Dec 5 22:50:46 2009 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	099c0646ea7282d232219f8807883be0

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	12/1/2012 4:00:00 PM 1/1/2014 3:59:59 PM
Subject Chain	CN="Code Laboratories, Inc.", OU=Digital ID Class 3 - Microsoft Software Validation v2, O="Code Laboratories, Inc.", L=Henderson, S=Nevada, C=US
Version:	3
Thumbprint MD5:	972B62B8C7088AF29C364514E6582F0B
Thumbprint SHA-1:	97B8DB93E99E6D5D8F6424143BE1F8F96D0F4FA7
Thumbprint SHA-256:	7D535AD3E333875076288791BBCE84FD7DB67624940B2639418EB40BF39CE465
Serial:	3621615D5DC8015358E6E878C541ABF0

Entrypoint Preview

Instruction
sub esp, 00000180h
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409130h
xor esi, esi
mov byte ptr [esp+14h], 00000020h
call dword ptr [00407030h]
push 00008001h
call dword ptr [004070B4h]
push ebx
call dword ptr [0040727Ch]
push 00000008h
mov dword ptr [00423F58h], eax
call 00007F9F1CC721BEh
mov dword ptr [00423EA4h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 00000160h
push eax
push ebx
push 0041F458h
call dword ptr [00407158h]
push 004091B8h
push 004236A0h
call 00007F9F1CC71E71h
call dword ptr [004070B0h]
mov edi, 00429000h
push eax
push edi
call 00007F9F1CC71E5Fh
push ebx
call dword ptr [0040710Ch]
cmp byte ptr [00429000h], 00000022h
mov dword ptr [00423EA0h], eax
mov eax, edi
jne 00007F9F1CC6F5BCh
mov byte ptr [esp+14h], 00000022h
mov eax, 00429001h
push dword ptr [esp+14h]
push eax
call 00007F9F1CC71952h
push eax
call dword ptr [0040721Ch]
mov dword ptr [esp+1Ch], eax
jmp 00007F9F1CC6F615h
cmp cl, 00000020h
jne 00007F9F1CC6F5B8h
inc eax
cmp byte ptr [eax], 00000020h
je 00007F9F1CC6F5ACh
cmp byte ptr [eax], 00000022h
mov byte ptr [eax+eax+00h], 00000000h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x73a4	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x36000	0x7208	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x527128	0x1d18
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x28c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5a5a	0x5c00	False	0.660453464674	data	6.41769823686	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x1190	0x1200	False	0.4453125	data	5.18162709925	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x1af98	0x400	False	0.55859375	data	4.70902740305	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata	0x24000	0x12000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x36000	0x7208	0x7400	False	0.236227101293	data	3.93551828229	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x36388	0x25a8	data	English	United States
RT_ICON	0x38930	0x10a8	data	English	United States
RT_ICON	0x399d8	0xea8	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x3a880	0x8a8	data	English	United States
RT_ICON	0x3b128	0x668	data	English	United States
RT_ICON	0x3b790	0x568	data	English	United States
RT_ICON	0x3bcf8	0x468	data	English	United States
RT_ICON	0x3c160	0x2e8	data	English	United States
RT_ICON	0x3c448	0x128	data	English	United States
RT_DIALOG	0x3c570	0xb4	data	English	United States
RT_DIALOG	0x3c628	0x200	data	English	United States
RT_DIALOG	0x3c828	0xf8	data	English	United States
RT_DIALOG	0x3c920	0xee	data	English	United States
RT_GROUP_ICON	0x3ca10	0x84	data	English	United States
RT_VERSION	0x3ca98	0x3ac	data
RT_MANIFEST	0x3ce48	0x3be	XML 1.0 document, ASCII text, with very long lines, with no line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetFileTime, GetTempPathA, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetWindowsDirectoryA
USER32.dll	EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
ADVAPI32.dll	RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Version Infos

Description	Data
LegalCopyright	2008-2012 Code Laboratories, Inc.. All rights reserved.
InternalName	CL-Eye Driver Setup
FileVersion	5.3.0.0341
CompanyName	Code Laboratories, Inc.
ProductName	CL-Eye Platform Driver for PS3Eye
ProductVersion	5.3.0.0341
FileDescription	CL-Eye Platform Driver Setup
OriginalFilename	CL-Eye-Driver-5.3.0.0341.exe
Translation	0x0000 0x04e4

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: CL-Eye-Driver-5.3.0.0341-Emuline.exe PID: 5288 Parent PID: 5652

General

Start time:	13:45:14
Start date:	24/01/2021
Path:	C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe'
Imagebase:	0x400000
File size:	5410368 bytes
MD5 hash:	64112C1DF0D80D195D006DA9C15BF710
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: CertMgr.exe PID: 5388 Parent PID: 5288

General

Start time:	13:45:22
Start date:	24/01/2021
Path:	C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\CertMgr.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\CertMgr.exe -add C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\CodeLabs.cer -c -s -r localMachine TrustedPublisher
Imagebase:	0xe80000
File size:	65024 bytes
MD5 hash:	1444BCFEFF029BB1E9B1CA3B896CD143
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: conhost.exe PID: 1488 Parent PID: 5388

General

Start time:	13:45:23
Start date:	24/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: wdreg.exe PID: 1240 Parent PID: 5288

General

Start time:	13:45:24
Start date:	24/01/2021
Path:	C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\wdreg.exe -inf PS3EyeCamera.inf -silent -compat install
Imagebase:	0x140000000
File size:	145920 bytes
MD5 hash:	D0047E39B0DFD11EC2A50E2A45C2D9BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: conhost.exe PID: 5848 Parent PID: 1240

General

Start time:	13:45:24
Start date:	24/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: CL-Eye-Driver-5.3.0.0341-Emuline.exe PID: 5288 Parent PID: 5652 CL-Eye-Driver-5.3.0.0341-Emuline.exeCOMMON

Execution Graph

Execution Coverage:	21.3%
Dynamic/Decrypted Code Coverage:	18%
Signature Coverage:	21.3%
Total number of Nodes:	1780
Total number of Limit Nodes:	57

Executed Functions

Function 06BA10D3, Relevance: 130.1, APIs: 66, Strings: 8, Instructions: 570
stringfilememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 89%

			E06BA10D3(void* __eflags, signed int _a4) {
				void* _v8;
				void* _v12;
				CHAR* _v16;
				long _v20;
				void* _v24;
				void* _v28;
				void* _v32;
				void* _v36;
				void* _v40;
				struct _OVERLAPPED* _v44;
				long _v48;
				struct _OVERLAPPED* _v52;
				void* _v56;
				long _v60;
				long _v64;
				struct _SECURITY_ATTRIBUTES _v76;
				struct _PROCESS_INFORMATION _v92;
				void* _v111;
				struct _SECURITY_DESCRIPTOR _v112;
				struct _STARTUPINFOA _v180;
				void _v307;
				char _v308;
				struct _OSVERSIONINFOA _v456;
				char _v716;
				char _t171;
				long _t175;
				long _t176;
				struct HWND__* _t178;
				void* _t180;
				void* _t181;
				void* _t193;
				void* _t205;
				intOrPtr* _t213;
				void* _t219;
				void* _t222;
				void* _t225;
				long _t234;
				int _t242;
				long _t244;
				long _t247;
				void* _t249;
				char _t251;
				struct _OVERLAPPED* _t253;
				int _t255;
				void* _t261;
				long _t268;
				void* _t269;
				struct _OVERLAPPED* _t275;
				struct HWND__* _t276;
				struct HWND__* _t277;
				long _t279;
				long _t280;
				void* _t288;
				void* _t291;
				void* _t293;
				struct _OVERLAPPED* _t301;
				signed int _t302;
				signed int _t305;
				long _t314;
				struct _OVERLAPPED** _t315;
				char* _t318;
				CHAR* _t323;
				void* _t333;
				CHAR* _t334;
				char* _t335;
				void* _t336;
				void* _t340;
				char* _t341;
				CHAR* _t343;
				void* _t344;
				struct _OVERLAPPED* _t351;
				int _t352;
				CHAR* _t353;
				CHAR* _t355;
				void* _t356;

				_t171 =  *0x6ba3478; // 0x0
				_v308 = _t171;
				_t302 = 0x1f;
				memset( &_v307, 0, _t302 << 2);
				_t303 = 0;
				asm("stosw");
				asm("stosb");
				if(E06BA1096(0) != 0) {
					_t175 =  *0x6ba3488; // 0x400
					_t301 = 0;
					_t176 = _t175 + 1;
					__eflags = _t176;
					_v16 = 0;
					_t323 = GlobalAlloc(0x40, _t176);
					_v28 = _t323;
					L13:
					_t178 =  *0x6ba3484; // 0x18021e
					_v32 = _t323;
					__eflags = _t178 - _t301;
					_v52 = _t301;
					_v44 = _t301;
					 *0x6ba3480 = _t301;
					if(_t178 != _t301) {
						_t276 = FindWindowExA(_t178, _t301, "#32770", _t301); // executed
						_t277 = FindWindowExA(_t276, _t301, "SysListView32", _t301); // executed
						 *0x6ba3480 = _t277;
					}
					__eflags = 1;
					while(1) {
						E06BA19C3(_t323);
						_t180 = E06BA17FA(_t303, _t323, "/TIMEOUT=");
						__eflags = _t180 - _t323;
						_pop(_t303);
						if(_t180 != _t323) {
							goto L18;
						}
						_t31 =  &(_t323[9]); // 0x9
						_t275 = E06BA184E(_t31);
						_pop(_t303);
						_v52 = _t275;
						L20:
						 *_t323 = _t301;
						continue;
						L18:
						_t181 = lstrcmpiA(_t323, "/OEM");
						__eflags = _t181;
						if(_t181 != 0) {
							__eflags =  *_t323 - _t301;
							if( *_t323 != _t301) {
								_t305 = 0x10;
								_v180.cb = 0x44;
								_v76.nLength = 0xc;
								memset( &(_v180.lpReserved), 0, _t305 << 2);
								_v112.Revision = _t301;
								asm("stosd");
								asm("stosd");
								asm("stosd");
								asm("stosd");
								asm("stosd");
								asm("stosd");
								asm("stosw");
								asm("stosb");
								_v92.hProcess = _t301;
								_push(0x24);
								asm("stosd");
								asm("stosd");
								asm("stosd");
								__eflags = _a4 - _t301;
								_v456.dwOSVersionInfoSize = 0x94;
								_v36 = _t301;
								memset( &(_v456.dwMajorVersion), 0, 0 << 2);
								_t308 = 0;
								_v24 = _t301;
								_v40 = _t301;
								_v56 = _t301;
								_v20 = 1;
								_v48 = _t301;
								_v64 = 0x102;
								_v12 = _t301;
								_v8 = _t301;
								if(__eflags == 0) {
									L30:
									GetVersionExA( &_v456);
									__eflags = _v456.dwPlatformId - 2;
									if(_v456.dwPlatformId != 2) {
										_v76.lpSecurityDescriptor = _t301;
									} else {
										InitializeSecurityDescriptor( &_v112, 1);
										SetSecurityDescriptorDacl( &_v112, 1, _t301, _t301);
										_v76.lpSecurityDescriptor =  &_v112;
									}
									_v76.bInheritHandle = 1;
									_t193 = CreatePipe( &_v24,  &_v36,  &_v76, _t301); // executed
									__eflags = _t193;
									if(_t193 == 0) {
										L80:
										lstrcpyA( &_v308, "error");
										goto L81;
									} else {
										_t219 = CreatePipe( &_v56,  &_v40,  &_v76, _t301); // executed
										__eflags = _t219;
										if(_t219 == 0) {
											goto L80;
										}
										GetStartupInfoA( &_v180);
										_v180.dwFlags = 0x101;
										_v180.hStdInput = _v40;
										_t222 = _v36;
										_v180.hStdOutput = _t222;
										_v180.hStdError = _t222;
										_v180.wShowWindow = _t301;
										_t225 = CreateProcessA(_t301, _v28, _t301, _t301, 1, 0x10, _t301, _t301,  &_v180,  &_v92); // executed
										__eflags = _t225;
										if(_t225 == 0) {
											goto L80;
										}
										_v60 = GetTickCount();
										while(1) {
											__eflags = _v64 - _t301;
											if(_v64 != _t301) {
												goto L39;
											}
											__eflags = _v20 - _t301;
											if(_v20 == _t301) {
												L81:
												__eflags = _a4 & 0x00000002;
												if((_a4 & 0x00000002) != 0) {
													E06BA1A03(_v8);
												}
												__eflags = _a4 & 0x00000001;
												if((_a4 & 0x00000001) != 0) {
													_t213 = _v8;
													__eflags =  *_t213 - _t301;
													if( *_t213 != _t301) {
														E06BA1774(_t213, _v44);
													}
												}
												__eflags = _v48 - 0xc000001d;
												if(_v48 == 0xc000001d) {
													lstrcpyA( &_v308, "error");
												}
												__eflags = _v308 - _t301;
												if(_v308 == _t301) {
													wsprintfA( &_v308, "%d", _v48);
												}
												E06BA1A03( &_v308);
												CloseHandle(_v92.hThread);
												CloseHandle(_v92.hProcess);
												CloseHandle(_v36);
												CloseHandle(_v24);
												CloseHandle(_v40);
												CloseHandle(_v56);
												__eflags = _v16 - _t301;
												 *(_v32 - 2) = _t301;
												if(_v16 != _t301) {
													DeleteFileA(_v16);
												}
												_t205 = GlobalFree(_v28);
												__eflags = _a4 - _t301;
												if(_a4 == _t301) {
													return _t205;
												} else {
													GlobalUnlock(_v12);
													return GlobalFree(_v12);
												}
											}
											L39:
											PeekNamedPipe(_v24, _t301, _t301, _t301,  &_v20, _t301); // executed
											__eflags = _v20 - _t301;
											if(_v20 == _t301) {
												_t351 = _v52;
												__eflags = _t351 - _t301;
												if(_t351 == _t301) {
													L78:
													Sleep(0x64); // executed
													L79:
													_v64 = WaitForSingleObject(_v92.hProcess, _t301);
													GetExitCodeProcess(_v92.hProcess,  &_v48); // executed
													PeekNamedPipe(_v24, _t301, _t301, _t301,  &_v20, _t301); // executed
													continue;
												}
												_t234 = GetTickCount();
												_t308 = _v60 + _t351;
												__eflags = _t234 - _v60 + _t351;
												if(_t234 <= _v60 + _t351) {
													goto L78;
												}
												TerminateProcess(_v92, 0xffffffff);
												lstrcpyA( &_v308, "timeout");
												goto L79;
											}
											_v60 = GetTickCount();
											ReadFile(_v24, 0x6ba3078, 0x3ff,  &_v20, _t301); // executed
											__eflags = _a4 - _t301;
											0x6ba3078[_v20] = _t301;
											if(_a4 == _t301) {
												goto L79;
											}
											_t242 = lstrlenA(_v8);
											_t333 = _t242 + lstrlenA(0x6ba3078);
											_t244 = GlobalSize(_v12);
											__eflags = _t244 - _t333;
											if(_t244 >= _t333) {
												L46:
												__eflags = _t333 -  *0x6ba3488;
												if(_t333 <  *0x6ba3488) {
													L49:
													lstrcatA(_v8, 0x6ba3078);
													L50:
													__eflags = _a4 & 0x00000002;
													if((_a4 & 0x00000002) != 0) {
														goto L79;
													}
													_push("\t");
													_push(_v8);
													while(1) {
														_t334 = E06BA17FA(_t308);
														__eflags = _t334 - _t301;
														_pop(_t308);
														if(_t334 == _t301) {
															break;
														}
														_t247 = GlobalSize(_v12);
														_t308 = _t334 - _v8;
														__eflags = _t334 - _v8 - _t247 - 9;
														if(_t334 - _v8 <= _t247 - 9) {
															_t249 = lstrlenA(_t334);
															_t308 = _t249 + _t334;
															__eflags = _t249 - _t301;
															_t352 = _t308;
															_t318 = _t308 + 8;
															if(_t249 <= _t301) {
																L56:
																lstrcpyA(_t334, "        ");
																_t335 =  &(_t334[8]);
																__eflags = _t335;
																 *_t335 = 0x20;
																L57:
																_push("\t");
																_push(_t335);
																continue;
															} else {
																goto L55;
															}
															do {
																L55:
																_t308 =  *_t352;
																 *_t318 =  *_t352;
																_t318 = _t318 - 1;
																_t352 = _t352 - 1;
																_t249 = _t249 - 1;
																__eflags = _t249;
															} while (_t249 != 0);
															goto L56;
														}
														 *_t334 = 0x20;
														_t335 =  &(_t334[1]);
														goto L57;
													}
													_t353 = _v8;
													_t336 = _t353;
													__eflags =  *_t353 - _t301;
													if( *_t353 == _t301) {
														goto L79;
													} else {
														goto L60;
													}
													do {
														L60:
														_t251 =  *_t353;
														__eflags = _t251 - 0xd;
														if(_t251 != 0xd) {
															__eflags = _t251 - 0xa;
															if(_t251 != 0xa) {
																_t353 = CharNextA(_t353);
																goto L69;
															}
															 *_t353 = _t301;
															while(1) {
																__eflags =  *_t336 - _t301;
																if( *_t336 != _t301) {
																	break;
																}
																__eflags = _t336 - _t353;
																if(_t336 == _t353) {
																	break;
																}
																_t336 = _t336 + 1;
																__eflags = _t336;
															}
															E06BA1774(_t336, _v44);
															_t353 =  &(_t353[1]);
															_pop(_t308);
															_t336 = _t353;
															goto L69;
														}
														 *_t353 = _t301;
														_t353 =  &(_t353[1]);
														L69:
														__eflags =  *_t353 - _t301;
													} while ( *_t353 != _t301);
													__eflags = _t336 - _v8;
													if(_t336 == _v8) {
														goto L79;
													}
													_t315 = _v8;
													while(1) {
														_t253 =  *_t336;
														__eflags = _t253 - _t301;
														if(_t253 == _t301) {
															break;
														}
														 *_t315 = _t253;
														_t315 =  &(_t315[0]);
														_t336 = _t336 + 1;
														__eflags = _t336;
													}
													 *_t315 = _t301;
													goto L79;
												}
												__eflags = _a4 & 0x00000002;
												if((_a4 & 0x00000002) == 0) {
													goto L49;
												}
												_t255 = lstrlenA(_v8);
												_t314 =  *0x6ba3488; // 0x400
												_t308 = _t314 - _t255;
												lstrcpynA(_v8 + lstrlenA(_v8), 0x6ba3078, _t314 - _t255);
												goto L50;
											}
											__eflags = _t333 -  *0x6ba3488;
											if(_t333 <  *0x6ba3488) {
												L44:
												GlobalUnlock(_v12);
												_t108 = _t333 + 0x400; // 0x400
												_t261 = GlobalReAlloc(_v12, _t108, 0x42);
												__eflags = _t261 - _t301;
												_v12 = _t261;
												if(_t261 == _t301) {
													goto L80;
												}
												_v8 = GlobalLock(_t261);
												goto L46;
											}
											__eflags = _a4 & 0x00000002;
											if((_a4 & 0x00000002) != 0) {
												goto L46;
											}
											goto L44;
										}
									}
								}
								__eflags = _a4 & 0x00000002;
								_t268 =  *0x6ba3488; // 0x400
								if((_a4 & 0x00000002) == 0) {
									_t268 = 0x1000;
								}
								_t269 = GlobalAlloc(0x42, _t268);
								__eflags = _t269 - _t301;
								_v12 = _t269;
								if(_t269 == _t301) {
									goto L80;
								} else {
									_v8 = GlobalLock(_t269);
									goto L30;
								}
							}
							E06BA1A03("error");
							__eflags = _v16 - _t301;
							 *(_t323 - 2) = _t301;
							if(_v16 != _t301) {
								DeleteFileA(_v16);
							}
							_push(_v28);
							L6:
							return GlobalFree();
						}
						_v44 = 1;
						goto L20;
					}
				}
				_t279 = GetModuleFileNameA( *0x6ba347c,  &_v716, 0x104);
				_t280 =  *0x6ba3488; // 0x400
				_t340 = _t279 + 2;
				_t355 = GlobalAlloc(0x40, _t280 + _t340 + 2);
				_t341 = _t356 + _t340 - 0x2ca;
				_v28 = _t355;
				_t10 =  &(_t355[1]); // 0x1
				 *_t355 = 0x22;
				_v16 = _t10;
				while( *_t341 != 0x5c) {
					_t341 = CharPrevA( &_v716, _t341);
					if(_t341 >  &_v716) {
						continue;
					}
					break;
				}
				if(_t341 !=  &_v716) {
					_t301 = 0;
					 *_t341 = 0;
					GetTempFileNameA( &_v716, 0x6ba3068, 0, _v16);
					 *_t341 = 0x5c;
					_t288 = CopyFileA( &_v716, _v16, 0);
					__eflags = _t288;
					if(_t288 != 0) {
						_t291 = CreateFileA(_v16, 0xc0000000, 0, 0, 3, 0, 0);
						_v32 = _t291;
						_t344 = CreateFileMappingA(_t291, 0, 4, 0, 0, 0);
						_t293 = MapViewOfFile(_t344, 2, 0, 0, 0);
						__eflags = _t293;
						if(_t293 != 0) {
							_t303 =  *((intOrPtr*)(_t293 + 0x3c)) + _t293;
							 *((short*)(_t303 + 0x16)) = 0x10e;
							 *((short*)(_t303 + 0x5c)) = 3;
							__eflags = E06BA18E4;
							 *((intOrPtr*)(_t303 + 0x28)) = E06BA18E4 -  *0x6ba347c;
							UnmapViewOfFile(_t293);
						}
						CloseHandle(_t344);
						CloseHandle(_v32);
					}
					lstrcatA(_t355, 0x6ba3064);
					_t343 =  &(_t355[lstrlenA(_t355)]);
					 *_t343 = 0x20;
					_t323 =  &(_t343[1]);
					goto L13;
				}
				E06BA1A03("error");
				_push(_t355);
				goto L6;
			}

0x06ba10dc
0x06ba10e6
0x06ba10ec
0x06ba10f5
0x06ba10f5
0x06ba10f7
0x06ba10f9
0x06ba1101
0x06ba1242
0x06ba1247
0x06ba1249
0x06ba1249
0x06ba124a
0x06ba1256
0x06ba1258
0x06ba125b
0x06ba125b
0x06ba1260
0x06ba1263
0x06ba1265
0x06ba1268
0x06ba126b
0x06ba1271
0x06ba1288
0x06ba128b
0x06ba128d
0x06ba128d
0x06ba1294
0x06ba1295
0x06ba1296
0x06ba12a1
0x06ba12a7
0x06ba12a9
0x06ba12aa
0x00000000
0x00000000
0x06ba12ac
0x06ba12b0
0x06ba12b5
0x06ba12b6
0x06ba12ce
0x06ba12ce
0x00000000
0x06ba12bb
0x06ba12c1
0x06ba12c7
0x06ba12c9
0x06ba12d2
0x06ba12d4
0x06ba12fd
0x06ba1304
0x06ba130e
0x06ba1315
0x06ba131a
0x06ba131d
0x06ba131e
0x06ba1324
0x06ba1325
0x06ba1326
0x06ba1327
0x06ba1328
0x06ba132a
0x06ba1330
0x06ba1333
0x06ba1335
0x06ba1336
0x06ba1337
0x06ba133b
0x06ba1344
0x06ba134e
0x06ba1351
0x06ba1351
0x06ba1353
0x06ba1356
0x06ba1359
0x06ba135c
0x06ba135f
0x06ba1362
0x06ba1369
0x06ba136c
0x06ba136f
0x06ba139f
0x06ba13a6
0x06ba13ac
0x06ba13b3
0x06ba13d5
0x06ba13b5
0x06ba13ba
0x06ba13c7
0x06ba13d0
0x06ba13d0
0x06ba13e6
0x06ba13ee
0x06ba13f0
0x06ba13f2
0x06ba169a
0x06ba16a6
0x00000000
0x06ba13f8
0x06ba1405
0x06ba1407
0x06ba1409
0x00000000
0x00000000
0x06ba1416
0x06ba141f
0x06ba1429
0x06ba142c
0x06ba142f
0x06ba1432
0x06ba1438
0x06ba144f
0x06ba1455
0x06ba1457
0x00000000
0x00000000
0x06ba1463
0x06ba1466
0x06ba1466
0x06ba146e
0x00000000
0x00000000
0x06ba1470
0x06ba1473
0x06ba16ac
0x06ba16ac
0x06ba16b0
0x06ba16b5
0x06ba16b5
0x06ba16ba
0x06ba16be
0x06ba16c0
0x06ba16c3
0x06ba16c5
0x06ba16cb
0x06ba16d1
0x06ba16c5
0x06ba16d2
0x06ba16d9
0x06ba16e7
0x06ba16e7
0x06ba16ed
0x06ba16f3
0x06ba1704
0x06ba170a
0x06ba1714
0x06ba1722
0x06ba1727
0x06ba172c
0x06ba1731
0x06ba1736
0x06ba173b
0x06ba1740
0x06ba1743
0x06ba1746
0x06ba174b
0x06ba174b
0x06ba175a
0x06ba175c
0x06ba175f
0x06ba1773
0x06ba1761
0x06ba1764
0x00000000
0x06ba176d
0x06ba175f
0x06ba1479
0x06ba1484
0x06ba148a
0x06ba148d
0x06ba162d
0x06ba1630
0x06ba1632
0x06ba1662
0x06ba1664
0x06ba166a
0x06ba1674
0x06ba167e
0x06ba168f
0x00000000
0x06ba168f
0x06ba1634
0x06ba163d
0x06ba163f
0x06ba1641
0x00000000
0x00000000
0x06ba1648
0x06ba165a
0x00000000
0x06ba165a
0x06ba1499
0x06ba14aa
0x06ba14b3
0x06ba14b6
0x06ba14bc
0x00000000
0x00000000
0x06ba14c5
0x06ba14d7
0x06ba14d9
0x06ba14df
0x06ba14e1
0x06ba1521
0x06ba1521
0x06ba1527
0x06ba1555
0x06ba1559
0x06ba155f
0x06ba155f
0x06ba1563
0x00000000
0x00000000
0x06ba1569
0x06ba156e
0x06ba15c2
0x06ba15c7
0x06ba15ca
0x06ba15cc
0x06ba15cd
0x00000000
0x00000000
0x06ba1576
0x06ba1581
0x06ba1584
0x06ba1586
0x06ba158f
0x06ba1595
0x06ba1598
0x06ba159a
0x06ba159c
0x06ba159f
0x06ba15aa
0x06ba15b0
0x06ba15b6
0x06ba15b6
0x06ba15b9
0x06ba15bc
0x06ba15bc
0x06ba15c1
0x00000000
0x00000000
0x00000000
0x00000000
0x06ba15a1
0x06ba15a1
0x06ba15a1
0x06ba15a3
0x06ba15a5
0x06ba15a6
0x06ba15a7
0x06ba15a7
0x06ba15a7
0x00000000
0x06ba15a1
0x06ba1588
0x06ba158b
0x00000000
0x06ba158b
0x06ba15cf
0x06ba15d2
0x06ba15d4
0x06ba15d6
0x00000000
0x00000000
0x00000000
0x00000000
0x06ba15dc
0x06ba15dc
0x06ba15dc
0x06ba15de
0x06ba15e0
0x06ba15e7
0x06ba15e9
0x06ba160f
0x00000000
0x06ba160f
0x06ba15eb
0x06ba15f4
0x06ba15f4
0x06ba15f6
0x00000000
0x00000000
0x06ba15ef
0x06ba15f1
0x00000000
0x00000000
0x06ba15f3
0x06ba15f3
0x06ba15f3
0x06ba15fc
0x06ba1602
0x06ba1603
0x06ba1604
0x00000000
0x06ba1604
0x06ba15e2
0x06ba15e4
0x06ba1611
0x06ba1611
0x06ba1611
0x06ba1615
0x06ba1618
0x00000000
0x00000000
0x06ba161a
0x06ba1623
0x06ba1623
0x06ba1625
0x06ba1627
0x00000000
0x00000000
0x06ba161f
0x06ba1621
0x06ba1622
0x06ba1622
0x06ba1622
0x06ba1629
0x00000000
0x06ba1629
0x06ba1529
0x06ba152d
0x00000000
0x00000000
0x06ba1538
0x06ba153a
0x06ba1540
0x06ba154d
0x00000000
0x06ba154d
0x06ba14e3
0x06ba14e9
0x06ba14f1
0x06ba14f4
0x06ba14fa
0x06ba1506
0x06ba150c
0x06ba150e
0x06ba1511
0x00000000
0x00000000
0x06ba151e
0x00000000
0x06ba151e
0x06ba14eb
0x06ba14ef
0x00000000
0x00000000
0x00000000
0x06ba14ef
0x06ba1466
0x06ba13f2
0x06ba1371
0x06ba1375
0x06ba137a
0x06ba137c
0x06ba137c
0x06ba1384
0x06ba138a
0x06ba138c
0x06ba138f
0x00000000
0x06ba1395
0x06ba139c
0x00000000
0x06ba139c
0x06ba138f
0x06ba12db
0x06ba12e0
0x06ba12e3
0x06ba12e6
0x06ba12eb
0x06ba12eb
0x06ba12f1
0x06ba117e
0x00000000
0x06ba117e
0x06ba12cb
0x00000000
0x06ba12cb
0x06ba1295
0x06ba1119
0x06ba1121
0x06ba1127
0x06ba1135
0x06ba1137
0x06ba113e
0x06ba1141
0x06ba1144
0x06ba1147
0x06ba114a
0x06ba115d
0x06ba1167
0x00000000
0x00000000
0x00000000
0x06ba1167
0x06ba1171
0x06ba118c
0x06ba1194
0x06ba119d
0x06ba11ad
0x06ba11b1
0x06ba11b7
0x06ba11b9
0x06ba11c9
0x06ba11d6
0x06ba11e1
0x06ba11e7
0x06ba11ed
0x06ba11ef
0x06ba11f9
0x06ba11fc
0x06ba1202
0x06ba1208
0x06ba120e
0x06ba1211
0x06ba1211
0x06ba121e
0x06ba1223
0x06ba1223
0x06ba122b
0x06ba123a
0x06ba123c
0x06ba123f
0x00000000
0x06ba123f
0x06ba1178
0x06ba117d
0x00000000

APIs

Part of subcall function 06BA1096: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,0000001F,?,06BA10FF), ref: 06BA10A5
Part of subcall function 06BA1096: GetProcAddress.KERNEL32(00000000), ref: 06BA10AC
Part of subcall function 06BA1096: GetCurrentProcess.KERNEL32(?,?,0000001F,?,06BA10FF), ref: 06BA10BC

GetModuleFileNameA.KERNEL32(?,00000104), ref: 06BA1119
GlobalAlloc.KERNEL32(00000040,?), ref: 06BA112F
CharPrevA.USER32(?,?), ref: 06BA1157
GlobalFree.KERNEL32 ref: 06BA117E
GetTempFileNameA.KERNEL32(?,06BA3068,00000000,?), ref: 06BA119D
CopyFileA.KERNEL32(?,?,00000000), ref: 06BA11B1
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000), ref: 06BA11C9
CreateFileMappingA.KERNEL32 ref: 06BA11D9
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 06BA11E7
UnmapViewOfFile.KERNEL32(00000000), ref: 06BA1211
CloseHandle.KERNEL32(00000000), ref: 06BA121E
CloseHandle.KERNEL32(?), ref: 06BA1223
lstrcatA.KERNEL32(00000000,06BA3064), ref: 06BA122B
lstrlenA.KERNEL32(00000000), ref: 06BA1232
GlobalAlloc.KERNEL32(00000040,00000401), ref: 06BA1250
FindWindowExA.USER32 ref: 06BA1288
FindWindowExA.USER32 ref: 06BA128B
lstrcmpiA.KERNEL32(00000000,/OEM,00000000), ref: 06BA12C1
DeleteFileA.KERNEL32(?,error), ref: 06BA12EB
GlobalAlloc.KERNEL32(00000042,00000400), ref: 06BA1384
GlobalLock.KERNEL32 ref: 06BA1396
GetVersionExA.KERNEL32(00000094), ref: 06BA13A6
InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 06BA13BA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000), ref: 06BA13C7
CreatePipe.KERNELBASE(?,?,0000000C,00000000), ref: 06BA13EE
CreatePipe.KERNELBASE(?,?,0000000C,00000000), ref: 06BA1405
GetStartupInfoA.KERNEL32(00000044), ref: 06BA1416
CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,?), ref: 06BA144F
GetTickCount.KERNEL32 ref: 06BA145D
PeekNamedPipe.KERNELBASE(?,00000000,00000000,00000000,?,00000000), ref: 06BA1484
GetTickCount.KERNEL32 ref: 06BA1493
ReadFile.KERNELBASE(?,06BA3078,000003FF,?,00000000), ref: 06BA14AA
lstrlenA.KERNEL32(?), ref: 06BA14C5
lstrlenA.KERNEL32(06BA3078), ref: 06BA14CE
GlobalSize.KERNEL32(?), ref: 06BA14D9
GlobalUnlock.KERNEL32(?), ref: 06BA14F4
GlobalReAlloc.KERNEL32 ref: 06BA1506
GlobalLock.KERNEL32 ref: 06BA1518
lstrlenA.KERNEL32(?), ref: 06BA1538
lstrlenA.KERNEL32(?,06BA3078,00000400), ref: 06BA1547
lstrcpynA.KERNEL32(?), ref: 06BA154D
lstrcatA.KERNEL32(?,06BA3078), ref: 06BA1559
GlobalSize.KERNEL32(00000002), ref: 06BA1576
lstrlenA.KERNEL32(00000000), ref: 06BA158F
lstrcpyA.KERNEL32(00000000, ), ref: 06BA15B0
CharNextA.USER32(?), ref: 06BA1609
GetTickCount.KERNEL32 ref: 06BA1634
TerminateProcess.KERNEL32(?,000000FF), ref: 06BA1648
lstrcpyA.KERNEL32(?,timeout), ref: 06BA165A
Sleep.KERNELBASE(00000064), ref: 06BA1664
WaitForSingleObject.KERNEL32(?,00000000), ref: 06BA166E
GetExitCodeProcess.KERNEL32 ref: 06BA167E
PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 06BA168F
lstrcpyA.KERNEL32(?,error), ref: 06BA16A6
lstrcpyA.KERNEL32(?,error), ref: 06BA16E7
wsprintfA.USER32 ref: 06BA1704
CloseHandle.KERNEL32(?,?), ref: 06BA1722
CloseHandle.KERNEL32(?), ref: 06BA1727
CloseHandle.KERNEL32(?), ref: 06BA172C
CloseHandle.KERNEL32(?), ref: 06BA1731
CloseHandle.KERNEL32(?), ref: 06BA1736
CloseHandle.KERNEL32(?), ref: 06BA173B
DeleteFileA.KERNEL32(?), ref: 06BA174B
GlobalFree.KERNEL32 ref: 06BA175A
GlobalUnlock.KERNEL32(00000001), ref: 06BA1764
GlobalFree.KERNEL32 ref: 06BA176D

Strings

/TIMEOUT=, xrefs: 06BA129B
SysListView32, xrefs: 06BA127A
timeout, xrefs: 06BA1654
error, xrefs: 06BA1173, 06BA12D6, 06BA16A0, 06BA16E1
#32770, xrefs: 06BA1281
/OEM, xrefs: 06BA12BB
D, xrefs: 06BA1304
, xrefs: 06BA15AA

Memory Dump Source

Source File: 00000000.00000002.595156484.0000000006BA1000.00000020.00020000.sdmp, Offset: 06BA0000, based on PE: true

Associated: 00000000.00000002.595142650.0000000006BA0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.595165151.0000000006BA2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.595178631.0000000006BA3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.595187315.0000000006BA4000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ba0000_CL-Eye-Driver-5.jbxd

Similarity

API ID: Global$File$Handle$Close$lstrlen$Create$AllocPipeProcesslstrcpy$CountFreeTick$CharDeleteDescriptorFindLockModuleNameNamedPeekSecuritySizeUnlockViewWindowlstrcat$AddressCodeCopyCurrentDaclExitInfoInitializeMappingNextObjectPrevProcReadSingleSleepStartupTempTerminateUnmapVersionWaitlstrcmpilstrcpynwsprintf
String ID: $#32770$/OEM$/TIMEOUT=$D$SysListView32$error$timeout
API String ID: 3603830316-610251817
Opcode ID: 69e4349f697da9ca62b3ca4c1ebcab923f0793fee8cd2131cc2726a65e84d58e
Instruction ID: 7eb282e31c4aa3e5ecae20db9053b310821785321476794a308e38a8dd46704e
Opcode Fuzzy Hash: 69e4349f697da9ca62b3ca4c1ebcab923f0793fee8cd2131cc2726a65e84d58e
Instruction Fuzzy Hash: A22242F1D04349AFDBA19FA8DC59AAEBFBAFF04344F1840A5EA05E7110D7709A45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0040323C, Relevance: 72.0, APIs: 23, Strings: 18, Instructions: 270
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			_entry_() {
				struct _SHFILEINFOA _v360;
				struct _SECURITY_ATTRIBUTES* _v376;
				char _v380;
				CHAR* _v384;
				char _v396;
				int _v400;
				int _v404;
				CHAR* _v408;
				intOrPtr _v412;
				int _v416;
				intOrPtr _v420;
				struct _SECURITY_ATTRIBUTES* _v424;
				void* _v432;
				int _t34;
				CHAR* _t39;
				char* _t42;
				signed int _t44;
				void* _t48;
				intOrPtr _t50;
				signed int _t52;
				signed int _t55;
				int _t56;
				signed int _t60;
				intOrPtr _t71;
				intOrPtr _t77;
				void* _t79;
				void* _t89;
				void* _t91;
				char* _t96;
				signed int _t97;
				void* _t98;
				signed int _t99;
				signed int _t100;
				signed int _t103;
				CHAR* _t105;
				signed int _t106;
				intOrPtr _t113;
				char _t120;

				_v376 = 0;
				_v384 = "Error writing temporary file. Make sure your temp folder is valid.";
				_t99 = 0;
				_v380 = 0x20;
				__imp__#17();
				_t34 = SetErrorMode(0x8001); // executed
				__imp__OleInitialize(0); // executed
				 *0x423f58 = _t34;
				 *0x423ea4 = E00405E88(8);
				SHGetFileInfoA(0x41f458, 0,  &_v360, 0x160, 0); // executed
				E00405B66("CL-Eye Driver Setup", "NSIS Error");
				_t39 = GetCommandLineA();
				_t96 = "\"C:\\Users\\hardz\\Desktop\\CL-Eye-Driver-5.3.0.0341-Emuline.exe\" ";
				E00405B66(_t96, _t39);
				 *0x423ea0 = GetModuleHandleA(0);
				_t42 = _t96;
				if("\"C:\\Users\\hardz\\Desktop\\CL-Eye-Driver-5.3.0.0341-Emuline.exe\" " == 0x22) {
					_v404 = 0x22;
					_t42 =  &M00429001;
				}
				_t44 = CharNextA(E00405684(_t42, _v404));
				_v404 = _t44;
				while(1) {
					_t91 =  *_t44;
					_t109 = _t91;
					if(_t91 == 0) {
						break;
					}
					__eflags = _t91 - 0x20;
					if(_t91 != 0x20) {
						L5:
						__eflags =  *_t44 - 0x22;
						_v404 = 0x20;
						if( *_t44 == 0x22) {
							_t44 = _t44 + 1;
							__eflags = _t44;
							_v404 = 0x22;
						}
						__eflags =  *_t44 - 0x2f;
						if( *_t44 != 0x2f) {
							L15:
							_t44 = E00405684(_t44, _v404);
							__eflags =  *_t44 - 0x22;
							if(__eflags == 0) {
								_t44 = _t44 + 1;
								__eflags = _t44;
							}
							continue;
						} else {
							_t44 = _t44 + 1;
							__eflags =  *_t44 - 0x53;
							if( *_t44 == 0x53) {
								__eflags = ( *(_t44 + 1) | 0x00000020) - 0x20;
								if(( *(_t44 + 1) | 0x00000020) == 0x20) {
									_t99 = _t99 | 0x00000002;
									__eflags = _t99;
								}
							}
							__eflags =  *_t44 - 0x4352434e;
							if( *_t44 == 0x4352434e) {
								__eflags = ( *(_t44 + 4) | 0x00000020) - 0x20;
								if(( *(_t44 + 4) | 0x00000020) == 0x20) {
									_t99 = _t99 | 0x00000004;
									__eflags = _t99;
								}
							}
							__eflags =  *((intOrPtr*)(_t44 - 2)) - 0x3d442f20;
							if( *((intOrPtr*)(_t44 - 2)) == 0x3d442f20) {
								 *((intOrPtr*)(_t44 - 2)) = 0;
								_t45 = _t44 + 2;
								__eflags = _t44 + 2;
								E00405B66("C:\\Program Files (x86)\\Code Laboratories\\CL-Eye Driver", _t45);
								L20:
								_t105 = "C:\\Users\\hardz\\AppData\\Local\\Temp\\";
								GetTempPathA(0x400, _t105);
								_t48 = E00403208(_t109);
								_t110 = _t48;
								if(_t48 != 0) {
									L22:
									DeleteFileA("1033"); // executed
									_t50 = E00402C72(_t111, _t99); // executed
									_v412 = _t50;
									if(_t50 != 0) {
										L32:
										E004035BD();
										__imp__OleUninitialize();
										if(_v408 == 0) {
											__eflags =  *0x423f34; // 0x0
											if(__eflags != 0) {
												_t106 = E00405E88(3);
												_t100 = E00405E88(4);
												_t55 = E00405E88(5);
												__eflags = _t106;
												_t97 = _t55;
												if(_t106 != 0) {
													__eflags = _t100;
													if(_t100 != 0) {
														__eflags = _t97;
														if(_t97 != 0) {
															_t60 =  *_t106(GetCurrentProcess(), 0x28,  &_v396);
															__eflags = _t60;
															if(_t60 != 0) {
																 *_t100(0, "SeShutdownPrivilege",  &_v400);
																_v416 = 1;
																_v404 = 2;
																 *_t97(_v420, 0,  &_v416, 0, 0, 0);
															}
														}
													}
												}
												_t56 = ExitWindowsEx(2, 0);
												__eflags = _t56;
												if(_t56 == 0) {
													E0040140B(9);
												}
											}
											_t52 =  *0x423f4c; // 0xffffffff
											__eflags = _t52 - 0xffffffff;
											if(_t52 != 0xffffffff) {
												_v400 = _t52;
											}
											ExitProcess(_v400);
										}
										E00405427(_v408, 0x200010);
										ExitProcess(2);
									}
									_t113 =  *0x423ebc; // 0x0
									if(_t113 == 0) {
										L31:
										 *0x423f4c =  *0x423f4c | 0xffffffff;
										_v400 = E004036AF();
										goto L32;
									}
									_t103 = E00405684(_t96, 0);
									while(_t103 >= _t96) {
										__eflags =  *_t103 - 0x3d3f5f20;
										if(__eflags == 0) {
											break;
										}
										_t103 = _t103 - 1;
										__eflags = _t103;
									}
									_t115 = _t103 - _t96;
									_v408 = "Error launching installer";
									if(_t103 < _t96) {
										lstrcatA(_t105, "~nsu.tmp");
										_t101 = "C:\\Users\\hardz\\Desktop";
										if(lstrcmpiA(_t105, "C:\\Users\\hardz\\Desktop") == 0) {
											goto L32;
										}
										CreateDirectoryA(_t105, 0);
										SetCurrentDirectoryA(_t105);
										_t120 = "C:\\Program Files (x86)\\Code Laboratories\\CL-Eye Driver"; // 0x43
										if(_t120 == 0) {
											E00405B66("C:\\Program Files (x86)\\Code Laboratories\\CL-Eye Driver", _t101);
										}
										E00405B66(0x424000, _v396);
										 *0x424400 = 0x41;
										_t98 = 0x1a;
										do {
											_t71 =  *0x423eb0; // 0x6f0858
											E00405B88(0, _t98, 0x41f058, 0x41f058,  *((intOrPtr*)(_t71 + 0x120)));
											DeleteFileA(0x41f058);
											if(_v416 != 0 && CopyFileA("C:\\Users\\hardz\\Desktop\\CL-Eye-Driver-5.3.0.0341-Emuline.exe", 0x41f058, 1) != 0) {
												_push(0);
												_push(0x41f058);
												E004058B4();
												_t77 =  *0x423eb0; // 0x6f0858
												E00405B88(0, _t98, 0x41f058, 0x41f058,  *((intOrPtr*)(_t77 + 0x124)));
												_t79 = E004053C6(0x41f058);
												if(_t79 != 0) {
													CloseHandle(_t79);
													_v416 = 0;
												}
											}
											 *0x424400 =  *0x424400 + 1;
											_t98 = _t98 - 1;
										} while (_t98 != 0);
										_push(0);
										_push(_t105);
										E004058B4();
										goto L32;
									}
									 *_t103 = 0;
									_t104 = _t103 + 4;
									if(E0040573A(_t115, _t103 + 4) == 0) {
										goto L32;
									}
									E00405B66("C:\\Program Files (x86)\\Code Laboratories\\CL-Eye Driver", _t104);
									E00405B66("C:\\Program Files (x86)\\Code Laboratories\\CL-Eye Driver\\Driver", _t104);
									_v424 = 0;
									goto L31;
								}
								GetWindowsDirectoryA(_t105, 0x3fb);
								lstrcatA(_t105, "\\Temp");
								_t89 = E00403208(_t110);
								_t111 = _t89;
								if(_t89 == 0) {
									goto L32;
								}
								goto L22;
							}
							goto L15;
						}
					} else {
						goto L4;
					}
					do {
						L4:
						_t44 = _t44 + 1;
						__eflags =  *_t44 - 0x20;
					} while ( *_t44 == 0x20);
					goto L5;
				}
				goto L20;
			}

0x00403248
0x0040324c
0x00403254
0x00403256
0x0040325b
0x00403266
0x0040326d
0x00403275
0x0040327f
0x00403295
0x004032a5
0x004032aa
0x004032b0
0x004032b7
0x004032ca
0x004032cf
0x004032d1
0x004032d3
0x004032d8
0x004032d8
0x004032e8
0x004032ee
0x00403357
0x00403357
0x00403359
0x0040335b
0x00000000
0x00000000
0x004032f4
0x004032f7
0x004032ff
0x004032ff
0x00403302
0x00403307
0x00403309
0x00403309
0x0040330a
0x0040330a
0x0040330f
0x00403312
0x00403347
0x0040334c
0x00403351
0x00403354
0x00403356
0x00403356
0x00403356
0x00000000
0x00403314
0x00403314
0x00403315
0x00403318
0x00403320
0x00403323
0x00403325
0x00403325
0x00403325
0x00403323
0x00403328
0x0040332e
0x00403336
0x00403339
0x0040333b
0x0040333b
0x0040333b
0x00403339
0x0040333e
0x00403345
0x0040335f
0x00403362
0x00403362
0x0040336b
0x00403370
0x00403370
0x0040337b
0x00403381
0x00403386
0x00403388
0x004033aa
0x004033af
0x004033b6
0x004033bd
0x004033c1
0x00403428
0x00403428
0x0040342d
0x00403437
0x00403522
0x00403528
0x00403533
0x0040353c
0x0040353e
0x00403543
0x00403545
0x00403547
0x00403549
0x0040354b
0x0040354d
0x0040354f
0x0040355f
0x00403561
0x00403563
0x00403570
0x0040357f
0x00403587
0x0040358f
0x0040358f
0x00403563
0x0040354f
0x0040354b
0x00403594
0x0040359a
0x0040359c
0x004035a0
0x004035a0
0x0040359c
0x004035a5
0x004035aa
0x004035ad
0x004035af
0x004035af
0x004035b7
0x004035b7
0x00403446
0x0040344d
0x0040344d
0x004033c3
0x004033c9
0x00403418
0x00403418
0x00403424
0x00000000
0x00403424
0x004033d2
0x004033df
0x004033d6
0x004033dc
0x00000000
0x00000000
0x004033de
0x004033de
0x004033de
0x004033e3
0x004033e5
0x004033ed
0x00403459
0x0040345e
0x0040346d
0x00000000
0x00000000
0x00403471
0x00403478
0x0040347e
0x00403484
0x0040348c
0x0040348c
0x0040349a
0x004034a1
0x004034aa
0x004034b0
0x004034b0
0x004034bc
0x004034c2
0x004034cc
0x004034e0
0x004034e1
0x004034e2
0x004034e7
0x004034f3
0x004034f9
0x00403500
0x00403503
0x00403509
0x00403509
0x00403500
0x0040350d
0x00403513
0x00403513
0x00403516
0x00403517
0x00403518
0x00000000
0x00403518
0x004033ef
0x004033f1
0x004033fc
0x00000000
0x00000000
0x00403404
0x0040340f
0x00403414
0x00000000
0x00403414
0x00403390
0x0040339c
0x004033a1
0x004033a6
0x004033a8
0x00000000
0x00000000
0x00000000
0x004033a8
0x00000000
0x00403345
0x00000000
0x00000000
0x00000000
0x004032f9
0x004032f9
0x004032f9
0x004032fa
0x004032fa
0x00000000
0x004032f9
0x00000000

APIs

#17.COMCTL32 ref: 0040325B
SetErrorMode.KERNELBASE(00008001), ref: 00403266
OleInitialize.OLE32(00000000), ref: 0040326D

Part of subcall function 00405E88: GetModuleHandleA.KERNEL32(?,?,00000000,0040327F,00000008), ref: 00405E9A
Part of subcall function 00405E88: LoadLibraryA.KERNELBASE(?,?,00000000,0040327F,00000008), ref: 00405EA5
Part of subcall function 00405E88: GetProcAddress.KERNEL32(00000000,?), ref: 00405EB6

SHGetFileInfoA.SHELL32(0041F458,00000000,?,00000160,00000000,00000008), ref: 00403295

Part of subcall function 00405B66: lstrcpynA.KERNEL32(?,?,00000400,004032AA,CL-Eye Driver Setup,NSIS Error), ref: 00405B73

GetCommandLineA.KERNEL32(CL-Eye Driver Setup,NSIS Error), ref: 004032AA
GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe" ,00000000), ref: 004032BD
CharNextA.USER32(00000000,"C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe" ,00000020), ref: 004032E8
GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 0040337B
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 00403390
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040339C
DeleteFileA.KERNELBASE(1033), ref: 004033AF
OleUninitialize.OLE32(00000000), ref: 0040342D
ExitProcess.KERNEL32 ref: 0040344D
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe" ,00000000,00000000), ref: 00403459
lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe" ,00000000,00000000), ref: 00403465
CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403471
SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 00403478
DeleteFileA.KERNEL32(0041F058,0041F058,?,00424000,?), ref: 004034C2
CopyFileA.KERNEL32(C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe,0041F058,00000001), ref: 004034D6
CloseHandle.KERNEL32(00000000,0041F058,0041F058,?,0041F058,00000000), ref: 00403503
GetCurrentProcess.KERNEL32(00000028,?,00000005,00000004,00000003), ref: 00403558
ExitWindowsEx.USER32(00000002,00000000), ref: 00403594
ExitProcess.KERNEL32 ref: 004035B7

Strings

/D=, xrefs: 0040333E
NCRC, xrefs: 00403328
C:\Program Files (x86)\Code Laboratories\CL-Eye Driver\Driver, xrefs: 0040340A
C:\Program Files (x86)\Code Laboratories\CL-Eye Driver, xrefs: 00403366, 004033FF, 0040347E, 00403487
SeShutdownPrivilege, xrefs: 0040356A
NSIS Error, xrefs: 0040329B
_?=, xrefs: 004033D6
Error writing temporary file. Make sure your temp folder is valid., xrefs: 0040324C
~nsu.tmp, xrefs: 00403453
Error launching installer, xrefs: 004033E5
C:\Users\user\Desktop, xrefs: 0040345E, 00403463, 00403486
"C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe" , xrefs: 004032B0, 004032B6, 004033CC
CL-Eye Driver Setup, xrefs: 004032A0
", xrefs: 0040330A
\Temp, xrefs: 00403396
C:\Users\user\AppData\Local\Temp\, xrefs: 00403370, 00403375, 0040338F, 0040339B, 00403458, 00403464, 00403470, 00403477, 00403517
1033, xrefs: 004033AA
C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe, xrefs: 004034D1

Memory Dump Source

Source File: 00000000.00000002.587792505.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.587773902.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587822461.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587850301.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587901452.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587919547.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587936413.0000000000436000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587943185.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_CL-Eye-Driver-5.jbxd

Similarity

API ID: File$DirectoryExitHandleProcess$CurrentDeleteModuleWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$"$"C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe" $1033$C:\Program Files (x86)\Code Laboratories\CL-Eye Driver$C:\Program Files (x86)\Code Laboratories\CL-Eye Driver\Driver$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe$CL-Eye Driver Setup$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp
API String ID: 2278157092-3333786347
Opcode ID: 96a31a09bc8c05a7c789ea61c22a0fe7a9ca37f66bcd4d3ddf1a0d24bca330c8
Instruction ID: d9df3101e86bd055252ea398e1a167ecdf9755d8b7b18b8fa076e16bcd865dbe
Opcode Fuzzy Hash: 96a31a09bc8c05a7c789ea61c22a0fe7a9ca37f66bcd4d3ddf1a0d24bca330c8
Instruction Fuzzy Hash: E191D231A087417EE7216F609D49B2B7EACEB01306F44457BF941B61E2C77CAE058B6E

Uniqueness

Uniqueness Score: -1.00%

Function 00405042, Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 278
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00405042(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				long _v12;
				struct tagRECT _v28;
				void* _v36;
				signed int _v40;
				int _v44;
				int _v48;
				signed int _v52;
				int _v56;
				void* _v60;
				void* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t87;
				unsigned int _t92;
				unsigned int _t93;
				int _t94;
				int _t95;
				long _t98;
				void* _t101;
				intOrPtr _t112;
				void* _t120;
				intOrPtr _t123;
				struct HWND__* _t127;
				int _t149;
				int _t150;
				struct HWND__* _t154;
				struct HWND__* _t158;
				struct HMENU__* _t160;
				long _t162;
				void* _t163;
				short* _t164;

				_t154 =  *0x423684; // 0x30120
				_t149 = 0;
				_v8 = _t154;
				if(_a8 != 0x110) {
					__eflags = _a8 - 0x405;
					if(_a8 == 0x405) {
						_t120 = CreateThread(0, 0, E00404FD6, GetDlgItem(_a4, 0x3ec), 0,  &_v12); // executed
						FindCloseChangeNotification(_t120); // executed
					}
					__eflags = _a8 - 0x111;
					if(_a8 != 0x111) {
						L17:
						__eflags = _a8 - 0x404;
						if(_a8 != 0x404) {
							L25:
							__eflags = _a8 - 0x7b;
							if(_a8 != 0x7b) {
								goto L20;
							}
							__eflags = _a12 - _t154;
							if(_a12 != _t154) {
								goto L20;
							}
							_t87 = SendMessageA(_t154, 0x1004, _t149, _t149);
							__eflags = _t87 - _t149;
							_a8 = _t87;
							if(_t87 <= _t149) {
								L37:
								return 0;
							}
							_t160 = CreatePopupMenu();
							AppendMenuA(_t160, _t149, 1, E00405B88(_t149, _t154, _t160, _t149, 0xffffffe1));
							_t92 = _a16;
							__eflags = _t92 - 0xffffffff;
							if(_t92 != 0xffffffff) {
								_t150 = _t92;
								_t93 = _t92 >> 0x10;
								__eflags = _t93;
								_t94 = _t93;
							} else {
								GetWindowRect(_t154,  &_v28);
								_t150 = _v28.left;
								_t94 = _v28.top;
							}
							_t95 = TrackPopupMenu(_t160, 0x180, _t150, _t94, _t149, _a4, _t149);
							_t162 = 1;
							__eflags = _t95 - 1;
							if(_t95 == 1) {
								_v60 = _t149;
								_v48 = 0x4204a0;
								_v44 = 0xfff;
								_a4 = _a8;
								do {
									_a4 = _a4 - 1;
									_t98 = SendMessageA(_v8, 0x102d, _a4,  &_v68);
									__eflags = _a4 - _t149;
									_t162 = _t162 + _t98 + 2;
								} while (_a4 != _t149);
								OpenClipboard(_t149);
								EmptyClipboard();
								_t101 = GlobalAlloc(0x42, _t162);
								_a4 = _t101;
								_t163 = GlobalLock(_t101);
								do {
									_v48 = _t163;
									_t164 = _t163 + SendMessageA(_v8, 0x102d, _t149,  &_v68);
									 *_t164 = 0xa0d;
									_t163 = _t164 + 2;
									_t149 = _t149 + 1;
									__eflags = _t149 - _a8;
								} while (_t149 < _a8);
								GlobalUnlock(_a4);
								SetClipboardData(1, _a4);
								CloseClipboard();
							}
							goto L37;
						}
						__eflags =  *0x42366c - _t149; // 0x0
						if(__eflags == 0) {
							ShowWindow( *0x423ea8, 8);
							__eflags =  *0x423f2c - _t149; // 0x0
							if(__eflags == 0) {
								_t112 =  *0x41fc70; // 0x6f0a04
								E00404F04( *((intOrPtr*)(_t112 + 0x34)), _t149);
							}
							E00403EF1(1);
							goto L25;
						}
						 *0x41f868 = 2;
						E00403EF1(0x78);
						goto L20;
					} else {
						__eflags = _a12 - 0x403;
						if(_a12 != 0x403) {
							L20:
							return E00403F7F(_a8, _a12, _a16);
						}
						ShowWindow( *0x423670, _t149);
						ShowWindow(_t154, 8);
						E00403F4D(_t154);
						goto L17;
					}
				}
				_v52 = _v52 | 0xffffffff;
				_v40 = _v40 | 0xffffffff;
				_v60 = 2;
				_v56 = 0;
				_v48 = 0;
				_v44 = 0;
				asm("stosd");
				asm("stosd");
				_t123 =  *0x423eb0; // 0x6f0858
				_a8 =  *((intOrPtr*)(_t123 + 0x5c));
				_a12 =  *((intOrPtr*)(_t123 + 0x60));
				 *0x423670 = GetDlgItem(_a4, 0x403);
				 *0x423668 = GetDlgItem(_a4, 0x3ee);
				_t127 = GetDlgItem(_a4, 0x3f8);
				 *0x423684 = _t127;
				_v8 = _t127;
				E00403F4D( *0x423670);
				 *0x423674 = E004047A6(4);
				 *0x42368c = 0;
				GetClientRect(_v8,  &_v28);
				_v52 = _v28.right - GetSystemMetrics(0x15);
				SendMessageA(_v8, 0x101b, 0,  &_v60);
				SendMessageA(_v8, 0x1036, 0x4000, 0x4000); // executed
				if(_a8 >= 0) {
					SendMessageA(_v8, 0x1001, 0, _a8);
					SendMessageA(_v8, 0x1026, 0, _a8);
				}
				if(_a12 >= _t149) {
					SendMessageA(_v8, 0x1024, _t149, _a12);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E00403F18(_a4);
				if(( *0x423eb8 & 0x00000003) != 0) {
					ShowWindow( *0x423670, _t149); // executed
					if(( *0x423eb8 & 0x00000002) != 0) {
						 *0x423670 = _t149;
					} else {
						ShowWindow(_v8, 8); // executed
					}
					E00403F4D( *0x423668);
				}
				_t158 = GetDlgItem(_a4, 0x3ec);
				SendMessageA(_t158, 0x401, _t149, 0x75300000);
				if(( *0x423eb8 & 0x00000004) != 0) {
					SendMessageA(_t158, 0x409, _t149, _a12);
					SendMessageA(_t158, 0x2001, _t149, _a8);
				}
				goto L37;
			}

0x0040504b
0x00405051
0x0040505a
0x0040505d
0x004051ee
0x004051f5
0x00405212
0x00405219
0x00405219
0x0040521f
0x0040522c
0x0040524a
0x0040524a
0x00405251
0x004052a8
0x004052a8
0x004052ac
0x00000000
0x00000000
0x004052ae
0x004052b1
0x00000000
0x00000000
0x004052bb
0x004052c1
0x004052c3
0x004052c6
0x004053bf
0x00000000
0x004053bf
0x004052d5
0x004052e1
0x004052e7
0x004052ea
0x004052ed
0x00405302
0x00405305
0x00405305
0x00405308
0x004052ef
0x004052f4
0x004052fa
0x004052fd
0x004052fd
0x00405318
0x00405320
0x00405321
0x00405323
0x0040532c
0x0040532f
0x00405336
0x0040533d
0x00405345
0x00405345
0x00405353
0x00405359
0x0040535c
0x0040535c
0x00405363
0x00405369
0x00405372
0x00405379
0x00405382
0x00405384
0x00405387
0x00405396
0x00405398
0x0040539e
0x0040539f
0x004053a0
0x004053a0
0x004053a8
0x004053b3
0x004053b9
0x004053b9
0x00000000
0x00405323
0x00405253
0x00405259
0x00405289
0x0040528b
0x00405291
0x00405293
0x0040529c
0x0040529c
0x004052a3
0x00000000
0x004052a3
0x0040525d
0x00405267
0x00000000
0x0040522e
0x0040522e
0x00405234
0x0040526c
0x00000000
0x00405275
0x0040523d
0x00405242
0x00405245
0x00000000
0x00405245
0x0040522c
0x00405063
0x00405067
0x00405070
0x00405077
0x0040507a
0x0040507d
0x00405080
0x00405081
0x00405082
0x0040509b
0x0040509e
0x004050a8
0x004050b7
0x004050bf
0x004050c7
0x004050cc
0x004050cf
0x004050db
0x004050e4
0x004050ed
0x00405110
0x00405116
0x00405127
0x0040512c
0x0040513a
0x00405148
0x00405148
0x0040514d
0x0040515b
0x0040515b
0x00405160
0x00405163
0x00405168
0x00405174
0x0040517d
0x0040518a
0x00405199
0x0040518c
0x00405191
0x00405191
0x004051a5
0x004051a5
0x004051b9
0x004051c2
0x004051cb
0x004051db
0x004051e7
0x004051e7
0x00000000

APIs

GetDlgItem.USER32 ref: 004050A1
GetDlgItem.USER32 ref: 004050B0
GetClientRect.USER32 ref: 004050ED
GetSystemMetrics.USER32 ref: 004050F5
SendMessageA.USER32(?,0000101B,00000000,00000002), ref: 00405116
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00405127
SendMessageA.USER32(?,00001001,00000000,00000110), ref: 0040513A
SendMessageA.USER32(?,00001026,00000000,00000110), ref: 00405148
SendMessageA.USER32(?,00001024,00000000,?), ref: 0040515B
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040517D
ShowWindow.USER32(?,00000008), ref: 00405191
GetDlgItem.USER32 ref: 004051B2
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 004051C2
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 004051DB
SendMessageA.USER32(00000000,00002001,00000000,00000110), ref: 004051E7
GetDlgItem.USER32 ref: 004050BF

Part of subcall function 00403F4D: SendMessageA.USER32(00000028,?,00000001,00403D7E), ref: 00403F5B

GetDlgItem.USER32 ref: 00405204
CreateThread.KERNELBASE ref: 00405212
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00405219
ShowWindow.USER32(00000000), ref: 0040523D
ShowWindow.USER32(00030120,00000008), ref: 00405242
ShowWindow.USER32(00000008), ref: 00405289
SendMessageA.USER32(00030120,00001004,00000000,00000000), ref: 004052BB
CreatePopupMenu.USER32 ref: 004052CC
AppendMenuA.USER32 ref: 004052E1
GetWindowRect.USER32 ref: 004052F4
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405318
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405353
OpenClipboard.USER32(00000000), ref: 00405363
EmptyClipboard.USER32(?,?,00000000,?,00000000), ref: 00405369
GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 00405372
GlobalLock.KERNEL32 ref: 0040537C
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405390
GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 004053A8
SetClipboardData.USER32 ref: 004053B3
CloseClipboard.USER32 ref: 004053B9

Strings

{, xrefs: 004052A8

Memory Dump Source

Source File: 00000000.00000002.587792505.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.587773902.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587822461.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587850301.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587901452.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587919547.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587936413.0000000000436000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587943185.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_CL-Eye-Driver-5.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlock
String ID: {
API String ID: 4154960007-366298937
Opcode ID: 04fd3551ffab5966fb9cda90256b8c669c95bfec5800fe84b5e22b820c164908
Instruction ID: b28aa7ce0402c6385ba5b6cd868a6258f1d07b471923b7bae974b2a68da01879
Opcode Fuzzy Hash: 04fd3551ffab5966fb9cda90256b8c669c95bfec5800fe84b5e22b820c164908
Instruction Fuzzy Hash: 34A14870904208FFDB219F60DD89AAE7F79FB08355F00417AFA05BA2A0C7795A41DF69

Uniqueness

Uniqueness Score: -1.00%

Function 10001855, Relevance: 54.5, APIs: 21, Strings: 10, Instructions: 215
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 89%

			E10001855() {
				signed int _v8;
				long _v12;
				long _v16;
				int _v20;
				int _v24;
				int _v28;
				int _v32;
				CHAR* _v36;
				void* _v40;
				CHAR* _v44;
				int _t64;
				void* _t66;
				int _t73;
				signed int _t74;
				signed int _t75;
				int _t79;
				int _t80;
				int _t81;
				int _t82;
				int _t83;
				int _t84;
				int _t85;
				int _t86;
				void* _t87;
				int _t92;
				struct HWND__* _t95;
				void* _t100;
				CHAR* _t110;
				struct HWND__* _t111;
				signed int _t118;

				_t110 = HeapAlloc(GetProcessHeap(), 8,  *0x100050dc +  *0x100050dc);
				_t113 =  *0x100050dc + _t110;
				_v44 = _t110;
				_v36 =  *0x100050dc + _t110;
				if(_t110 == 0) {
					return E10001E27("error");
				}
				_t64 = E10001DD9(_t110, 0);
				__eflags = _t64;
				if(__eflags != 0) {
					L4:
					E10001E27("error");
					_push(_t110);
					_push(0);
					_t66 = GetProcessHeap();
					goto L27;
				} else {
					L10001FEC();
					_v12 = _t64;
					L10001FEC();
					_v16 = _t64;
					E10001252(__eflags,  &_v32,  &_v28,  &_v24,  &_v20);
					_t73 = E10001DD9(_t113, 0);
					__eflags = _t73;
					if(_t73 == 0) {
						_t74 =  *0x100050d4;
						_v8 = _t74;
						_t75 = _t74 + 1;
						_v40 = _t75;
						 *0x100050d4 = _t75;
						 *0x100050d8 = HeapReAlloc(GetProcessHeap(), 8,  *0x100050d8, _t75 * 0x418);
						_t79 = lstrcmpiA(_t110, "BUTTON");
						__eflags = _t79;
						if(_t79 != 0) {
							_t80 = lstrcmpiA(_t110, "EDIT");
							__eflags = _t80;
							if(_t80 != 0) {
								_t81 = lstrcmpiA(_t110, "COMBOBOX");
								__eflags = _t81;
								if(_t81 != 0) {
									_t82 = lstrcmpiA(_t110, "LISTBOX");
									__eflags = _t82;
									if(_t82 != 0) {
										_t83 = lstrcmpiA(_t110, "RichEdit");
										__eflags = _t83;
										if(_t83 != 0) {
											_t84 = lstrcmpiA(_t110, "RICHEDIT_CLASS");
											__eflags = _t84;
											if(_t84 != 0) {
												_t85 = lstrcmpiA(_t110, "STATIC");
												__eflags = _t85;
												if(_t85 != 0) {
													_t86 = lstrcmpiA(_t110, "LINK");
													_t118 = _v8 * 0x418;
													__eflags = _t86;
													_t87 =  *0x100050d8;
													if(_t86 != 0) {
														_t36 = _t118 + _t87 + 4;
														 *_t36 =  *(_t118 + _t87 + 4) & 0x00000000;
														__eflags =  *_t36;
													} else {
														 *(_t118 + _t87 + 4) = 8;
													}
												} else {
													_t118 = _v8 * 0x418;
													 *(_t118 +  *0x100050d8 + 4) = 7;
												}
											} else {
												_t118 = _v8 * 0x418;
												 *(_t118 +  *0x100050d8 + 4) = 6;
											}
										} else {
											_t118 = _v8 * 0x418;
											 *(_t118 +  *0x100050d8 + 4) = 5;
										}
									} else {
										_t118 = _v8 * 0x418;
										 *(_t118 +  *0x100050d8 + 4) = 4;
									}
								} else {
									_t118 = _v8 * 0x418;
									 *(_t118 +  *0x100050d8 + 4) = 3;
								}
							} else {
								_t118 = _v8 * 0x418;
								 *(_t118 +  *0x100050d8 + 4) = 2;
							}
						} else {
							_t118 = _v8 * 0x418;
							 *(_t118 +  *0x100050d8 + 4) = 1;
						}
						E10001D0C( *(_t118 +  *0x100050d8 + 4),  &_v12,  &_v16);
						_t92 = lstrcmpiA(_t110, "LINK");
						__eflags = _t92;
						if(_t92 == 0) {
							_t110 = "BUTTON";
						}
						_t95 = CreateWindowExA(_v16, _t110, _v36, _v12, _v32, _v28, _v24, _v20,  *0x100050c0, _v8 + 0x4b0,  *0x100050a4, 0); // executed
						_t111 = _t95;
						 *( *0x100050d8 + _t118) = _t111;
						SetPropA(_t111, "NSIS: nsControl pointer property", _v40);
						SendMessageA(_t111, 0x30, SendMessageA( *0x100050c4, 0x31, 0, 0), 1);
						_t100 =  *0x100050d8;
						__eflags =  *((intOrPtr*)(_t118 + _t100 + 4)) - 8;
						if( *((intOrPtr*)(_t118 + _t100 + 4)) == 8) {
							 *((intOrPtr*)(_t118 +  *0x100050d8 + 0x414)) = SetWindowLongA(_t111, 0xfffffffc, E10001480);
						}
						_push(_t111);
						L10002016();
						_push(_v44);
						_push(0);
						_t66 = GetProcessHeap();
						L27:
						return HeapFree(_t66, ??, ??);
					}
					goto L4;
				}
			}

0x10001877
0x10001880
0x10001883
0x10001886
0x10001889
0x00000000
0x10001890
0x1000189d
0x100018a2
0x100018a4
0x100018d7
0x100018dc
0x100018e1
0x100018e2
0x100018e4
0x00000000
0x100018a6
0x100018a6
0x100018ab
0x100018ae
0x100018b3
0x100018c6
0x100018ce
0x100018d3
0x100018d5
0x100018eb
0x100018f0
0x100018f3
0x100018f4
0x100018f7
0x10001920
0x10001925
0x10001927
0x10001929
0x1000194c
0x1000194e
0x10001950
0x10001973
0x10001975
0x10001977
0x1000199a
0x1000199c
0x1000199e
0x100019c1
0x100019c3
0x100019c5
0x100019e5
0x100019e7
0x100019e9
0x10001a09
0x10001a0b
0x10001a0d
0x10001a2d
0x10001a32
0x10001a38
0x10001a3a
0x10001a3f
0x10001a4b
0x10001a4b
0x10001a4b
0x10001a41
0x10001a41
0x10001a41
0x10001a0f
0x10001a17
0x10001a1d
0x10001a1d
0x100019eb
0x100019f3
0x100019f9
0x100019f9
0x100019c7
0x100019cf
0x100019d5
0x100019d5
0x100019a0
0x100019a8
0x100019ae
0x100019ae
0x10001979
0x10001981
0x10001987
0x10001987
0x10001952
0x1000195a
0x10001960
0x10001960
0x1000192b
0x10001933
0x10001939
0x10001939
0x10001a61
0x10001a6c
0x10001a6e
0x10001a70
0x10001a72
0x10001a72
0x10001aa4
0x10001aad
0x10001aba
0x10001abd
0x10001add
0x10001adf
0x10001ae4
0x10001ae9
0x10001aff
0x10001aff
0x10001b06
0x10001b07
0x10001b0c
0x10001b0f
0x10001b11
0x10001b17
0x00000000
0x10001b18
0x00000000
0x100018d5

APIs

GetProcessHeap.KERNEL32(00000008,?), ref: 1000186E
HeapAlloc.KERNEL32(00000000), ref: 10001871
GetProcessHeap.KERNEL32(00000000,00000000,error,00000000,00000000), ref: 100018E4
HeapFree.KERNEL32(00000000), ref: 10001B18

Part of subcall function 10001E27: GlobalAlloc.KERNEL32(00000040,?,?,100010BE,error,?,00000104), ref: 10001E3C
Part of subcall function 10001E27: lstrcpynA.KERNEL32(00000004,?,?,100010BE,error,?,00000104), ref: 10001E52

Strings

LINK, xrefs: 10001A27, 10001A66
COMBOBOX, xrefs: 1000196D
error, xrefs: 1000188B, 100018D7
RichEdit, xrefs: 100019BB
NSIS: nsControl pointer property, xrefs: 10001AB4
STATIC, xrefs: 10001A03
LISTBOX, xrefs: 10001994
BUTTON, xrefs: 1000191A, 10001A72, 10001AA0
RICHEDIT_CLASS, xrefs: 100019DF
EDIT, xrefs: 10001946

Memory Dump Source

Source File: 00000000.00000002.599060058.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.599048571.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.599070015.0000000010003000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.599079066.0000000010004000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.599117295.0000000010007000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_CL-Eye-Driver-5.jbxd

Similarity

API ID: Heap$AllocProcess$FreeGloballstrcpyn
String ID: BUTTON$COMBOBOX$EDIT$LINK$LISTBOX$NSIS: nsControl pointer property$RICHEDIT_CLASS$RichEdit$STATIC$error
API String ID: 1913068523-3375361224
Opcode ID: be3b3b4c4983e11dc1b5c33d61b0f8411bea3997500eba5d3c8a15e298a32339
Instruction ID: 57bf1a15009ea8118c4abf9dc258b68912d7113ae57ceda1fee72d940ab8fc2c
Opcode Fuzzy Hash: be3b3b4c4983e11dc1b5c33d61b0f8411bea3997500eba5d3c8a15e298a32339
Instruction Fuzzy Hash: 57812BB2900219ABF711DBA4CD84FDEBBFCEB043C5F128025EA05B7159DB35A9448BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00405B88, Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 197
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 74%

			E00405B88(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				signed int _v8;
				struct _ITEMIDLIST* _v12;
				signed int _v16;
				signed char _v20;
				signed int _v24;
				signed char _v28;
				signed int _t36;
				CHAR* _t37;
				signed int _t39;
				int _t40;
				char _t50;
				char _t51;
				char _t53;
				char _t55;
				void* _t63;
				signed int _t69;
				intOrPtr _t73;
				signed int _t74;
				signed int _t75;
				intOrPtr _t79;
				char _t83;
				void* _t85;
				CHAR* _t86;
				void* _t88;
				signed int _t95;
				signed int _t97;
				void* _t98;

				_t88 = __esi;
				_t85 = __edi;
				_t63 = __ebx;
				_t36 = _a8;
				if(_t36 < 0) {
					_t79 =  *0x42367c; // 0x705cb2
					_t36 =  *(_t79 - 4 + _t36 * 4);
				}
				_t73 =  *0x423ed8; // 0x6f7ab0
				_t74 = _t73 + _t36;
				_t37 = 0x422e40;
				_push(_t63);
				_push(_t88);
				_push(_t85);
				_t86 = 0x422e40;
				if(_a4 - 0x422e40 < 0x800) {
					_t86 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				while(1) {
					_t83 =  *_t74;
					if(_t83 == 0) {
						break;
					}
					__eflags = _t86 - _t37 - 0x400;
					if(_t86 - _t37 >= 0x400) {
						break;
					}
					_t74 = _t74 + 1;
					__eflags = _t83 - 0xfc;
					_a8 = _t74;
					if(__eflags <= 0) {
						if(__eflags != 0) {
							 *_t86 = _t83;
							_t86 =  &(_t86[1]);
							__eflags = _t86;
						} else {
							 *_t86 =  *_t74;
							_t86 =  &(_t86[1]);
							_t74 = _t74 + 1;
						}
						continue;
					}
					_t39 =  *(_t74 + 1);
					_t75 =  *_t74;
					_t95 = (_t39 & 0x0000007f) << 0x00000007 | _t75 & 0x0000007f;
					_a8 = _a8 + 2;
					_v28 = _t75 | 0x00000080;
					_t69 = _t75;
					_v24 = _t69;
					__eflags = _t83 - 0xfe;
					_v20 = _t39 | 0x00000080;
					_v16 = _t39;
					if(_t83 != 0xfe) {
						__eflags = _t83 - 0xfd;
						if(_t83 != 0xfd) {
							__eflags = _t83 - 0xff;
							if(_t83 == 0xff) {
								__eflags = (_t39 | 0xffffffff) - _t95;
								E00405B88(_t69, _t86, _t95, _t86, (_t39 | 0xffffffff) - _t95);
							}
							L41:
							_t40 = lstrlenA(_t86);
							_t74 = _a8;
							_t86 =  &(_t86[_t40]);
							_t37 = 0x422e40;
							continue;
						}
						__eflags = _t95 - 0x1d;
						if(_t95 != 0x1d) {
							__eflags = (_t95 << 0xa) + 0x424000;
							E00405B66(_t86, (_t95 << 0xa) + 0x424000);
						} else {
							E00405AC4(_t86,  *0x423ea8);
						}
						__eflags = _t95 + 0xffffffeb - 7;
						if(_t95 + 0xffffffeb < 7) {
							L32:
							E00405DC8(_t86);
						}
						goto L41;
					}
					_t97 = 2;
					_t50 = GetVersion();
					__eflags = _t50;
					if(_t50 >= 0) {
						L12:
						_v8 = 1;
						L13:
						__eflags =  *0x423f24;
						if( *0x423f24 != 0) {
							_t97 = 4;
						}
						__eflags = _t69;
						if(_t69 >= 0) {
							__eflags = _t69 - 0x25;
							if(_t69 != 0x25) {
								__eflags = _t69 - 0x24;
								if(_t69 == 0x24) {
									GetWindowsDirectoryA(_t86, 0x400);
									_t97 = 0;
								}
								while(1) {
									__eflags = _t97;
									if(_t97 == 0) {
										goto L29;
									}
									_t51 =  *0x423ea4; // 0x74691340
									_t97 = _t97 - 1;
									__eflags = _t51;
									if(_t51 == 0) {
										L25:
										_t53 = SHGetSpecialFolderLocation( *0x423ea8,  *(_t98 + _t97 * 4 - 0x18),  &_v12);
										__eflags = _t53;
										if(_t53 != 0) {
											L27:
											 *_t86 =  *_t86 & 0x00000000;
											__eflags =  *_t86;
											continue;
										}
										__imp__SHGetPathFromIDListA(_v12, _t86);
										__imp__CoTaskMemFree(_v12);
										__eflags = _t53;
										if(_t53 != 0) {
											goto L29;
										}
										goto L27;
									}
									__eflags = _v8;
									if(_v8 == 0) {
										goto L25;
									}
									_t55 =  *_t51( *0x423ea8,  *(_t98 + _t97 * 4 - 0x18), 0, 0, _t86);
									__eflags = _t55;
									if(_t55 == 0) {
										goto L29;
									}
									goto L25;
								}
								goto L29;
							}
							GetSystemDirectoryA(_t86, 0x400);
							goto L29;
						} else {
							_t72 = (_t69 & 0x0000003f) +  *0x423ed8;
							E00405A4D(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t69 & 0x0000003f) +  *0x423ed8, _t86, _t69 & 0x00000040); // executed
							__eflags =  *_t86;
							if( *_t86 != 0) {
								L30:
								__eflags = _v16 - 0x1a;
								if(_v16 == 0x1a) {
									lstrcatA(_t86, "\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L32;
							}
							E00405B88(_t72, _t86, _t97, _t86, _v16);
							L29:
							__eflags =  *_t86;
							if( *_t86 == 0) {
								goto L32;
							}
							goto L30;
						}
					}
					__eflags = _t50 - 0x5a04;
					if(_t50 == 0x5a04) {
						goto L12;
					}
					__eflags = _v16 - 0x23;
					if(_v16 == 0x23) {
						goto L12;
					}
					__eflags = _v16 - 0x2e;
					if(_v16 == 0x2e) {
						goto L12;
					} else {
						_v8 = _v8 & 0x00000000;
						goto L13;
					}
				}
				 *_t86 =  *_t86 & 0x00000000;
				if(_a4 == 0) {
					return _t37;
				}
				return E00405B66(_a4, _t37);
			}

0x00405b88
0x00405b88
0x00405b88
0x00405b8e
0x00405b93
0x00405b95
0x00405ba4
0x00405ba4
0x00405ba6
0x00405baf
0x00405bb1
0x00405bb6
0x00405bb9
0x00405bba
0x00405bc1
0x00405bc3
0x00405bc9
0x00405bcc
0x00405bcc
0x00405da5
0x00405da5
0x00405da9
0x00000000
0x00000000
0x00405bd9
0x00405bdf
0x00000000
0x00000000
0x00405be5
0x00405be6
0x00405be9
0x00405bec
0x00405d98
0x00405da2
0x00405da4
0x00405da4
0x00405d9a
0x00405d9c
0x00405d9e
0x00405d9f
0x00405d9f
0x00000000
0x00405d98
0x00405bf2
0x00405bf6
0x00405c06
0x00405c0a
0x00405c11
0x00405c14
0x00405c18
0x00405c1e
0x00405c21
0x00405c24
0x00405c27
0x00405d42
0x00405d45
0x00405d75
0x00405d78
0x00405d7d
0x00405d81
0x00405d81
0x00405d86
0x00405d87
0x00405d8c
0x00405d8f
0x00405d91
0x00000000
0x00405d91
0x00405d47
0x00405d4a
0x00405d5f
0x00405d66
0x00405d4c
0x00405d53
0x00405d53
0x00405d6e
0x00405d71
0x00405d3a
0x00405d3b
0x00405d3b
0x00000000
0x00405d71
0x00405c2f
0x00405c30
0x00405c36
0x00405c38
0x00405c52
0x00405c52
0x00405c59
0x00405c59
0x00405c60
0x00405c64
0x00405c64
0x00405c65
0x00405c67
0x00405ca0
0x00405ca3
0x00405cb3
0x00405cb6
0x00405cbe
0x00405cc4
0x00405cc4
0x00405d20
0x00405d20
0x00405d22
0x00000000
0x00000000
0x00405cc8
0x00405ccf
0x00405cd0
0x00405cd2
0x00405cec
0x00405cfa
0x00405d00
0x00405d02
0x00405d1d
0x00405d1d
0x00405d1d
0x00000000
0x00405d1d
0x00405d08
0x00405d13
0x00405d19
0x00405d1b
0x00000000
0x00000000
0x00000000
0x00405d1b
0x00405cd4
0x00405cd7
0x00000000
0x00000000
0x00405ce6
0x00405ce8
0x00405cea
0x00000000
0x00000000
0x00000000
0x00405cea
0x00000000
0x00405d20
0x00405cab
0x00000000
0x00405c69
0x00405c6e
0x00405c84
0x00405c89
0x00405c8c
0x00405d29
0x00405d29
0x00405d2d
0x00405d35
0x00405d35
0x00000000
0x00405d2d
0x00405c96
0x00405d24
0x00405d24
0x00405d27
0x00000000
0x00000000
0x00000000
0x00405d27
0x00405c67
0x00405c3a
0x00405c3e
0x00000000
0x00000000
0x00405c40
0x00405c44
0x00000000
0x00000000
0x00405c46
0x00405c4a
0x00000000
0x00405c4c
0x00405c4c
0x00000000
0x00405c4c
0x00405c4a
0x00405daf
0x00405db9
0x00405dc5
0x00405dc5
0x00000000

APIs

GetVersion.KERNEL32(00000006,Skipped: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\nsExec.dll,00000000,00404F3C,Skipped: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\nsExec.dll,00000000), ref: 00405C30
GetSystemDirectoryA.KERNEL32 ref: 00405CAB
GetWindowsDirectoryA.KERNEL32(Exec,00000400), ref: 00405CBE
SHGetSpecialFolderLocation.SHELL32(?,00000000), ref: 00405CFA
SHGetPathFromIDListA.SHELL32(00000000,Exec), ref: 00405D08
CoTaskMemFree.OLE32(00000000), ref: 00405D13
lstrcatA.KERNEL32(Exec,\Microsoft\Internet Explorer\Quick Launch), ref: 00405D35
lstrlenA.KERNEL32(Exec,00000006,Skipped: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\nsExec.dll,00000000,00404F3C,Skipped: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\nsExec.dll,00000000), ref: 00405D87

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\nsExec.dll, xrefs: 00405BB9
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00405D2F
Exec, xrefs: 00405BB1, 00405C78, 00405C95, 00405CAA, 00405CBD, 00405CD9, 00405D04, 00405D34, 00405D3A, 00405D52, 00405D65, 00405D80, 00405D86, 00405D91, 00405DBB
Software\Microsoft\Windows\CurrentVersion, xrefs: 00405C7A

Memory Dump Source

Source File: 00000000.00000002.587792505.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.587773902.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587822461.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587850301.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587901452.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587919547.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587936413.0000000000436000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587943185.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_CL-Eye-Driver-5.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: Exec$Skipped: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\nsExec.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 900638850-216880942
Opcode ID: ec1cfc953701c68b2a4bf792a6f5f2f7cf4c63635bb1673da603afab52f17940
Instruction ID: 2bb53c71d9fe9ef1e56bc14ab20fd8486271744d1d3ead2cb2ad614034e11287
Opcode Fuzzy Hash: ec1cfc953701c68b2a4bf792a6f5f2f7cf4c63635bb1673da603afab52f17940
Instruction Fuzzy Hash: D7510131A04A04AAEF205F64DC88B7B3BA4DF55324F14823BE911B62D0D33C59829E4E

Uniqueness

Uniqueness Score: -1.00%

Function 0040548B, Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 156
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E0040548B(void* __ebx, void* __eflags, void* _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				struct _WIN32_FIND_DATAA _v332;
				signed int _t37;
				char* _t49;
				signed int _t52;
				signed int _t55;
				signed int _t61;
				signed int _t63;
				void* _t65;
				signed int _t68;
				CHAR* _t70;
				CHAR* _t72;
				char* _t75;

				_t72 = _a4;
				_t37 = E0040573A(__eflags, _t72);
				_v12 = _t37;
				if((_a8 & 0x00000008) != 0) {
					_t63 = DeleteFileA(_t72); // executed
					asm("sbb eax, eax");
					_t65 =  ~_t63 + 1;
					 *0x423f28 =  *0x423f28 + _t65;
					return _t65;
				}
				_t68 = _a8 & 0x00000001;
				__eflags = _t68;
				_v8 = _t68;
				if(_t68 == 0) {
					L5:
					E00405B66(0x4214a8, _t72);
					__eflags = _t68;
					if(_t68 == 0) {
						E004056A0(_t72);
					} else {
						lstrcatA(0x4214a8, "\*.*");
					}
					__eflags =  *_t72;
					if( *_t72 != 0) {
						L10:
						lstrcatA(_t72, 0x409010);
						L11:
						_t70 =  &(_t72[lstrlenA(_t72)]);
						_t37 = FindFirstFileA(0x4214a8,  &_v332);
						__eflags = _t37 - 0xffffffff;
						_a4 = _t37;
						if(_t37 == 0xffffffff) {
							L29:
							__eflags = _v8;
							if(_v8 != 0) {
								_t31 = _t70 - 1;
								 *_t31 =  *(_t70 - 1) & 0x00000000;
								__eflags =  *_t31;
							}
							goto L31;
						} else {
							goto L12;
						}
						do {
							L12:
							_t75 =  &(_v332.cFileName);
							_t49 = E00405684( &(_v332.cFileName), 0x3f);
							__eflags =  *_t49;
							if( *_t49 != 0) {
								__eflags = _v332.cAlternateFileName;
								if(_v332.cAlternateFileName != 0) {
									_t75 =  &(_v332.cAlternateFileName);
								}
							}
							__eflags =  *_t75 - 0x2e;
							if( *_t75 != 0x2e) {
								L19:
								E00405B66(_t70, _t75);
								__eflags = _v332.dwFileAttributes & 0x00000010;
								if((_v332.dwFileAttributes & 0x00000010) == 0) {
									E0040581E(_t72);
									_t52 = DeleteFileA(_t72);
									__eflags = _t52;
									if(_t52 != 0) {
										E00404F04(0xfffffff2, _t72);
									} else {
										__eflags = _a8 & 0x00000004;
										if((_a8 & 0x00000004) == 0) {
											 *0x423f28 =  *0x423f28 + 1;
										} else {
											E00404F04(0xfffffff1, _t72);
											_push(0);
											_push(_t72);
											E004058B4();
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E0040548B(_t70, __eflags, _t72, _a8);
									}
								}
								goto L27;
							}
							_t61 =  *((intOrPtr*)(_t75 + 1));
							__eflags = _t61;
							if(_t61 == 0) {
								goto L27;
							}
							__eflags = _t61 - 0x2e;
							if(_t61 != 0x2e) {
								goto L19;
							}
							__eflags =  *((char*)(_t75 + 2));
							if( *((char*)(_t75 + 2)) == 0) {
								goto L27;
							}
							goto L19;
							L27:
							_t55 = FindNextFileA(_a4,  &_v332);
							__eflags = _t55;
						} while (_t55 != 0);
						_t37 = FindClose(_a4);
						goto L29;
					}
					__eflags =  *0x4214a8 - 0x5c;
					if( *0x4214a8 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t37;
					if(_t37 == 0) {
						L31:
						__eflags = _v8;
						if(_v8 == 0) {
							L39:
							return _t37;
						}
						__eflags = _v12;
						if(_v12 != 0) {
							_t37 = E00405E61(_t72);
							__eflags = _t37;
							if(_t37 == 0) {
								goto L39;
							}
							E00405659(_t72);
							E0040581E(_t72);
							_t37 = RemoveDirectoryA(_t72);
							__eflags = _t37;
							if(_t37 != 0) {
								return E00404F04(0xffffffe5, _t72);
							}
							__eflags = _a8 & 0x00000004;
							if((_a8 & 0x00000004) == 0) {
								goto L33;
							}
							E00404F04(0xfffffff1, _t72);
							_push(0);
							_push(_t72);
							return E004058B4();
						}
						L33:
						 *0x423f28 =  *0x423f28 + 1;
						return _t37;
					}
					__eflags = _a8 & 0x00000002;
					if((_a8 & 0x00000002) == 0) {
						goto L31;
					}
					goto L5;
				}
			}

0x00405496
0x0040549a
0x004054a3
0x004054a6
0x004054a9
0x004054b1
0x004054b3
0x004054b4
0x00000000
0x004054b4
0x004054c3
0x004054c3
0x004054c6
0x004054c9
0x004054dd
0x004054e4
0x004054e9
0x004054eb
0x004054fb
0x004054ed
0x004054f3
0x004054f3
0x00405500
0x00405503
0x0040550e
0x00405514
0x00405519
0x00405529
0x0040552b
0x00405531
0x00405534
0x00405537
0x004055f4
0x004055f4
0x004055f8
0x004055fa
0x004055fa
0x004055fa
0x004055fa
0x00000000
0x00000000
0x00000000
0x00000000
0x0040553d
0x0040553d
0x00405546
0x0040554c
0x00405551
0x00405554
0x00405556
0x0040555a
0x0040555c
0x0040555c
0x0040555a
0x0040555f
0x00405562
0x00405575
0x00405577
0x0040557c
0x00405583
0x0040559b
0x004055a1
0x004055a7
0x004055a9
0x004055ce
0x004055ab
0x004055ab
0x004055af
0x004055c3
0x004055b1
0x004055b4
0x004055b9
0x004055bb
0x004055bc
0x004055bc
0x004055af
0x00405585
0x0040558b
0x0040558d
0x00405593
0x00405593
0x0040558d
0x00000000
0x00405583
0x00405564
0x00405567
0x00405569
0x00000000
0x00000000
0x0040556b
0x0040556d
0x00000000
0x00000000
0x0040556f
0x00405573
0x00000000
0x00000000
0x00000000
0x004055d3
0x004055dd
0x004055e3
0x004055e3
0x004055ee
0x00000000
0x004055ee
0x00405505
0x0040550c
0x00000000
0x00000000
0x00000000
0x004054cb
0x004054cb
0x004054cd
0x004055fe
0x00405601
0x00405604
0x00405656
0x00405656
0x00405656
0x00405606
0x00405609
0x00405614
0x00405619
0x0040561b
0x00000000
0x00000000
0x0040561e
0x00405624
0x0040562a
0x00405630
0x00405632
0x00000000
0x0040564e
0x00405634
0x00405638
0x00000000
0x00000000
0x0040563d
0x00405642
0x00405643
0x00000000
0x00405644
0x0040560b
0x0040560b
0x00000000
0x0040560b
0x004054d3
0x004054d7
0x00000000
0x00000000
0x00000000
0x004054d7

APIs

DeleteFileA.KERNELBASE(?,?,"C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe" ,74B5F560), ref: 004054A9
lstrcatA.KERNEL32(004214A8,\*.*,004214A8,?,00000000,?,"C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe" ,74B5F560), ref: 004054F3
lstrcatA.KERNEL32(?,00409010,?,004214A8,?,00000000,?,"C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe" ,74B5F560), ref: 00405514
lstrlenA.KERNEL32(?,?,00409010,?,004214A8,?,00000000,?,"C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe" ,74B5F560), ref: 0040551A
FindFirstFileA.KERNEL32(004214A8,?,?,?,00409010,?,004214A8,?,00000000,?,"C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe" ,74B5F560), ref: 0040552B
FindNextFileA.KERNEL32(?,00000010,000000F2,?), ref: 004055DD
FindClose.KERNEL32(?), ref: 004055EE

Strings

"C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe" , xrefs: 00405495
\*.*, xrefs: 004054ED
C:\Users\user\AppData\Local\Temp\, xrefs: 0040548B

Memory Dump Source

Source File: 00000000.00000002.587792505.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.587773902.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587822461.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587850301.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587901452.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587919547.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587936413.0000000000436000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587943185.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_CL-Eye-Driver-5.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe" $C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-119839768
Opcode ID: 72cf65ffe980cc8674f12cbe28e3f385dec1d5ecbfc139d45573e2c8a2bb2683
Instruction ID: bc429f5d1e1b14784ce7e3564347ec6ed469848bfd5577fff983359c073685a4
Opcode Fuzzy Hash: 72cf65ffe980cc8674f12cbe28e3f385dec1d5ecbfc139d45573e2c8a2bb2683
Instruction Fuzzy Hash: 0351F331904A447ADB216B218C45BBF3B79CF42728F54847BF905711E2CB3C5A82DE6E

Uniqueness

Uniqueness Score: -1.00%

Function 00406131, Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E00406131() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				void* _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t590;
				signed int* _t607;
				void* _t614;

				L0:
				while(1) {
					L0:
					if( *(_t614 - 0x40) != 0) {
						 *(_t614 - 0x34) = 1;
						 *(_t614 - 0x84) = 7;
						_t607 =  *(_t614 - 4) + 0x180 +  *(_t614 - 0x38) * 2;
						L132:
						 *(_t614 - 0x54) = _t607;
						L133:
						_t531 =  *_t607;
						_t590 = _t531 & 0x0000ffff;
						_t565 = ( *(_t614 - 0x10) >> 0xb) * _t590;
						if( *(_t614 - 0xc) >= _t565) {
							 *(_t614 - 0x10) =  *(_t614 - 0x10) - _t565;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) - _t565;
							 *(_t614 - 0x40) = 1;
							_t532 = _t531 - (_t531 >> 5);
							 *_t607 = _t532;
						} else {
							 *(_t614 - 0x10) = _t565;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
							 *_t607 = (0x800 - _t590 >> 5) + _t531;
						}
						if( *(_t614 - 0x10) >= 0x1000000) {
							L139:
							_t533 =  *(_t614 - 0x84);
							L140:
							 *(_t614 - 0x88) = _t533;
							goto L1;
						} else {
							L137:
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 5;
								goto L170;
							}
							 *(_t614 - 0x10) =  *(_t614 - 0x10) << 8;
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						__eax =  *(__ebp - 0x5c) & 0x000000ff;
						__esi =  *(__ebp - 0x60);
						__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
						__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
						__ecx =  *(__ebp - 0x3c);
						__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
						__ecx =  *(__ebp - 4);
						(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
						__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
						__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						if( *(__ebp - 0x38) >= 4) {
							if( *(__ebp - 0x38) >= 0xa) {
								_t97 = __ebp - 0x38;
								 *_t97 =  *(__ebp - 0x38) - 6;
							} else {
								 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
							}
						} else {
							 *(__ebp - 0x38) = 0;
						}
						if( *(__ebp - 0x34) == __edx) {
							__ebx = 0;
							__ebx = 1;
							L60:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t216 = __edx + 1; // 0x1
								__ebx = _t216;
								__cx = __ax >> 5;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L59:
								if(__ebx >= 0x100) {
									goto L54;
								}
								goto L60;
							} else {
								L57:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xf;
									goto L170;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t202 = __ebp - 0x70;
								 *_t202 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L59;
							}
						} else {
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
							}
							__ecx =  *(__ebp - 8);
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
							L40:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L38:
								__eax =  *(__ebp - 0x40);
								if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
									while(1) {
										if(__ebx >= 0x100) {
											break;
										}
										__eax =  *(__ebp - 0x58);
										__edx = __ebx + __ebx;
										__ecx =  *(__ebp - 0x10);
										__esi = __edx + __eax;
										__ecx =  *(__ebp - 0x10) >> 0xb;
										__ax =  *__esi;
										 *(__ebp - 0x54) = __esi;
										__edi = __ax & 0x0000ffff;
										__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
										if( *(__ebp - 0xc) >= __ecx) {
											 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
											__cx = __ax;
											_t169 = __edx + 1; // 0x1
											__ebx = _t169;
											__cx = __ax >> 5;
											 *__esi = __ax;
										} else {
											 *(__ebp - 0x10) = __ecx;
											0x800 = 0x800 - __edi;
											0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
											__ebx = __ebx + __ebx;
											 *__esi = __cx;
										}
										 *(__ebp - 0x44) = __ebx;
										if( *(__ebp - 0x10) < 0x1000000) {
											L45:
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t155 = __ebp - 0x70;
											 *_t155 =  *(__ebp - 0x70) + 1;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
										}
									}
									L53:
									_t172 = __ebp - 0x34;
									 *_t172 =  *(__ebp - 0x34) & 0x00000000;
									L54:
									__al =  *(__ebp - 0x44);
									 *(__ebp - 0x5c) =  *(__ebp - 0x44);
									L55:
									if( *(__ebp - 0x64) == 0) {
										 *(__ebp - 0x88) = 0x1a;
										goto L170;
									}
									__ecx =  *(__ebp - 0x68);
									__al =  *(__ebp - 0x5c);
									__edx =  *(__ebp - 8);
									 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
									 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
									 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
									 *( *(__ebp - 0x68)) = __al;
									__ecx =  *(__ebp - 0x14);
									 *(__ecx +  *(__ebp - 8)) = __al;
									__eax = __ecx + 1;
									__edx = 0;
									_t191 = __eax %  *(__ebp - 0x74);
									__eax = __eax /  *(__ebp - 0x74);
									__edx = _t191;
									L79:
									 *(__ebp - 0x14) = __edx;
									L80:
									 *(__ebp - 0x88) = 2;
									goto L1;
								}
								if(__ebx >= 0x100) {
									goto L53;
								}
								goto L40;
							} else {
								L36:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xd;
									L170:
									_t568 = 0x22;
									memcpy( *(_t614 - 0x90), _t614 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t121 = __ebp - 0x70;
								 *_t121 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L38;
							}
						}
					}
					L1:
					_t534 =  *(_t614 - 0x88);
					if(_t534 > 0x1c) {
						L171:
						_t535 = _t534 | 0xffffffff;
						goto L172;
					}
					switch( *((intOrPtr*)(_t534 * 4 +  &M004069D4))) {
						case 0:
							if( *(_t614 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t534 =  *( *(_t614 - 0x70));
							if(_t534 > 0xe1) {
								goto L171;
							}
							_t538 = _t534 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t610 = _t538 / _t570;
							_t540 = _t538 % _t570 & 0x000000ff;
							asm("cdq");
							_t605 = _t540 % _t571 & 0x000000ff;
							 *(_t614 - 0x3c) = _t605;
							 *(_t614 - 0x1c) = (1 << _t610) - 1;
							 *((intOrPtr*)(_t614 - 0x18)) = (1 << _t540 / _t571) - 1;
							_t613 = (0x300 << _t605 + _t610) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t614 - 0x78))) {
								L10:
								if(_t613 == 0) {
									L12:
									 *(_t614 - 0x48) =  *(_t614 - 0x48) & 0x00000000;
									 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t613 = _t613 - 1;
									 *((short*)( *(_t614 - 4) + _t613 * 2)) = 0x400;
								} while (_t613 != 0);
								goto L12;
							}
							if( *(_t614 - 4) != 0) {
								GlobalFree( *(_t614 - 4));
							}
							_t534 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t614 - 4) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t614 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 1;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) | ( *( *(_t614 - 0x70)) & 0x000000ff) <<  *(_t614 - 0x48) << 0x00000003;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t45 = _t614 - 0x48;
							 *_t45 =  *(_t614 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t614 - 0x48) < 4) {
								goto L13;
							}
							_t546 =  *(_t614 - 0x40);
							if(_t546 ==  *(_t614 - 0x74)) {
								L20:
								 *(_t614 - 0x48) = 5;
								 *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) =  *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t614 - 0x74) = _t546;
							if( *(_t614 - 8) != 0) {
								GlobalFree( *(_t614 - 8));
							}
							_t534 = GlobalAlloc(0x40,  *(_t614 - 0x40)); // executed
							 *(_t614 - 8) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t553 =  *(_t614 - 0x60) &  *(_t614 - 0x1c);
							 *(_t614 - 0x84) = 6;
							 *(_t614 - 0x4c) = _t553;
							_t607 =  *(_t614 - 4) + (( *(_t614 - 0x38) << 4) + _t553) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 3;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							_t67 = _t614 - 0x70;
							 *_t67 =  &(( *(_t614 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							L23:
							 *(_t614 - 0x48) =  *(_t614 - 0x48) - 1;
							if( *(_t614 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							goto L0;
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L68;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								goto L89;
							}
							__eflags =  *(__ebp - 0x60);
							if( *(__ebp - 0x60) == 0) {
								goto L171;
							}
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							_t258 =  *(__ebp - 0x38) - 7 >= 0;
							__eflags = _t258;
							0 | _t258 = _t258 + _t258 + 9;
							 *(__ebp - 0x38) = _t258 + _t258 + 9;
							goto L75;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							L89:
							__eax =  *(__ebp - 4);
							 *(__ebp - 0x80) = 0x15;
							__eax =  *(__ebp - 4) + 0xa68;
							 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
							goto L68;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							goto L36;
						case 0xe:
							goto L45;
						case 0xf:
							goto L57;
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							L68:
							__esi =  *(__ebp - 0x58);
							 *(__ebp - 0x84) = 0x12;
							goto L132;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							goto L55;
						case 0x1b:
							L75:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1b;
								goto L170;
							}
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							__eflags = __eax -  *(__ebp - 0x74);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
								__eflags = __eax;
							}
							__edx =  *(__ebp - 8);
							__cl =  *(__eax + __edx);
							__eax =  *(__ebp - 0x14);
							 *(__ebp - 0x5c) = __cl;
							 *(__eax + __edx) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t274 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t274;
							__eax =  *(__ebp - 0x68);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							_t283 = __ebp - 0x64;
							 *_t283 =  *(__ebp - 0x64) - 1;
							__eflags =  *_t283;
							 *( *(__ebp - 0x68)) = __cl;
							goto L79;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = __edx;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

0x00000000
0x00406131
0x00406131
0x00406136
0x004061ad
0x004061b4
0x004061be
0x0040679d
0x0040679d
0x004067a0
0x004067a0
0x004067a6
0x004067ac
0x004067b2
0x004067cc
0x004067cf
0x004067d5
0x004067e0
0x004067e2
0x004067b4
0x004067b4
0x004067c3
0x004067c7
0x004067c7
0x004067ec
0x00406813
0x00406813
0x00406819
0x00406819
0x00000000
0x004067ee
0x004067ee
0x004067f2
0x004069a1
0x00000000
0x004069a1
0x004067fe
0x00406805
0x0040680d
0x00406810
0x00000000
0x00406810
0x00406138
0x00406138
0x0040613c
0x00406144
0x00406147
0x00406149
0x0040614c
0x0040614e
0x00406153
0x00406156
0x0040615d
0x00406164
0x00406167
0x00406172
0x0040617a
0x0040617a
0x00406174
0x00406174
0x00406174
0x00406169
0x00406169
0x00406169
0x00406181
0x0040619f
0x004061a1
0x00406374
0x00406374
0x00406377
0x0040637a
0x0040637d
0x00406380
0x00406383
0x00406386
0x00406389
0x0040638c
0x00406392
0x004063aa
0x004063ad
0x004063b0
0x004063b3
0x004063b3
0x004063b6
0x004063bc
0x00406394
0x00406394
0x0040639c
0x004063a1
0x004063a3
0x004063a5
0x004063a5
0x004063c6
0x004063c9
0x0040636c
0x00406372
0x00000000
0x00000000
0x00000000
0x004063cb
0x00406347
0x0040634b
0x00406953
0x00000000
0x00406953
0x00406351
0x00406354
0x00406357
0x0040635b
0x0040635e
0x00406364
0x00406366
0x00406366
0x00406369
0x00000000
0x00406369
0x00406183
0x00406183
0x00406186
0x0040618c
0x0040618e
0x0040618e
0x00406191
0x00406194
0x00406196
0x00406197
0x0040619a
0x00406207
0x00406207
0x0040620b
0x0040620e
0x00406211
0x00406214
0x00406217
0x00406218
0x0040621b
0x0040621d
0x00406223
0x00406226
0x00406229
0x0040622c
0x0040622f
0x00406235
0x00406251
0x00406254
0x00406257
0x0040625a
0x00406261
0x00406267
0x0040626b
0x00406237
0x00406237
0x0040623b
0x00406243
0x00406248
0x0040624a
0x0040624c
0x0040624c
0x00406275
0x00406278
0x004061ef
0x004061ef
0x004061f5
0x004062a8
0x004062ae
0x00000000
0x00000000
0x004062b0
0x004062b3
0x004062b6
0x004062b9
0x004062bc
0x004062bf
0x004062c2
0x004062c5
0x004062c8
0x004062ce
0x004062e6
0x004062e9
0x004062ec
0x004062ef
0x004062ef
0x004062f2
0x004062f8
0x004062d0
0x004062d0
0x004062d8
0x004062dd
0x004062df
0x004062e1
0x004062e1
0x00406302
0x00406305
0x00406283
0x00406287
0x00406947
0x00000000
0x00406947
0x0040628d
0x00406290
0x00406293
0x00406297
0x0040629a
0x004062a0
0x004062a2
0x004062a2
0x004062a5
0x004062a5
0x00406305
0x0040630c
0x0040630c
0x0040630c
0x00406310
0x00406310
0x00406313
0x00406316
0x0040631a
0x0040695f
0x00000000
0x0040695f
0x00406320
0x00406323
0x00406326
0x00406329
0x0040632c
0x0040632f
0x00406332
0x00406334
0x00406337
0x0040633a
0x0040633d
0x0040633f
0x0040633f
0x0040633f
0x004064dc
0x004064dc
0x004064df
0x004064df
0x00000000
0x004064df
0x00406201
0x00000000
0x00000000
0x00000000
0x0040627e
0x004061ca
0x004061ce
0x0040693b
0x004069b7
0x004069bf
0x004069c6
0x004069c8
0x004069cf
0x004069d3
0x004069d3
0x004061d4
0x004061d7
0x004061da
0x004061de
0x004061e1
0x004061e7
0x004061e9
0x004061e9
0x004061ec
0x00000000
0x004061ec
0x00406278
0x00406181
0x00405fb5
0x00405fb5
0x00405fbe
0x004069cc
0x004069cc
0x00000000
0x004069cc
0x00405fc4
0x00000000
0x00405fcf
0x00000000
0x00000000
0x00405fd8
0x00405fdb
0x00405fde
0x00405fe2
0x00000000
0x00000000
0x00405fe8
0x00405feb
0x00405fed
0x00405fee
0x00405ff1
0x00405ff3
0x00405ff4
0x00405ff6
0x00405ff9
0x00405ffe
0x00406003
0x0040600c
0x0040601f
0x00406022
0x0040602e
0x00406056
0x00406058
0x00406066
0x00406066
0x0040606a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040605a
0x0040605a
0x0040605d
0x0040605e
0x0040605e
0x00000000
0x0040605a
0x00406034
0x00406039
0x00406039
0x00406042
0x0040604a
0x0040604d
0x00000000
0x00406053
0x00406053
0x00000000
0x00406053
0x00000000
0x00406070
0x00406070
0x00406074
0x00406920
0x00000000
0x00406920
0x0040607d
0x0040608d
0x00406090
0x00406093
0x00406093
0x00406093
0x00406096
0x0040609a
0x00000000
0x00000000
0x0040609c
0x004060a2
0x004060cc
0x004060d2
0x004060d9
0x00000000
0x004060d9
0x004060a8
0x004060ab
0x004060b0
0x004060b0
0x004060bb
0x004060c3
0x004060c6
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040610b
0x00406111
0x00406114
0x00406121
0x00406129
0x00000000
0x00000000
0x004060e0
0x004060e0
0x004060e4
0x0040692f
0x00000000
0x0040692f
0x004060f0
0x004060fb
0x004060fb
0x004060fb
0x004060fe
0x00406101
0x00406104
0x00406109
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004063d0
0x004063d4
0x004063f2
0x004063f5
0x004063fc
0x004063ff
0x00406402
0x00406405
0x00406408
0x0040640b
0x0040640d
0x00406414
0x00406415
0x00406417
0x0040641a
0x0040641d
0x00406420
0x00406420
0x00406425
0x00000000
0x00406425
0x004063d6
0x004063d9
0x004063dc
0x004063e6
0x00000000
0x00000000
0x0040643a
0x0040643e
0x00406461
0x00406464
0x00406467
0x00406471
0x00406440
0x00406440
0x00406443
0x00406446
0x00406449
0x00406456
0x00406459
0x00406459
0x00000000
0x00000000
0x0040647d
0x00406481
0x00000000
0x00000000
0x00406487
0x0040648b
0x00000000
0x00000000
0x00406491
0x00406493
0x00406497
0x00406497
0x0040649a
0x0040649e
0x00000000
0x00000000
0x004064ee
0x004064f2
0x004064f9
0x004064fc
0x004064ff
0x00406509
0x00000000
0x00406509
0x004064f4
0x00000000
0x00000000
0x00406515
0x00406519
0x00406520
0x00406523
0x00406526
0x0040651b
0x0040651b
0x0040651b
0x00406529
0x0040652c
0x0040652f
0x0040652f
0x00406532
0x00406535
0x00406538
0x00406538
0x0040653b
0x00406542
0x00406547
0x00000000
0x00000000
0x004065d5
0x004065d5
0x004065d9
0x00406977
0x00000000
0x00406977
0x004065df
0x004065e2
0x004065e5
0x004065e9
0x004065ec
0x004065f2
0x004065f4
0x004065f4
0x004065f4
0x004065f7
0x004065fa
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406658
0x00406658
0x0040665c
0x00406983
0x00000000
0x00406983
0x00406662
0x00406665
0x00406668
0x0040666c
0x0040666f
0x00406675
0x00406677
0x00406677
0x00406677
0x0040667a
0x00000000
0x00000000
0x00406428
0x00406428
0x0040642b
0x00000000
0x00000000
0x00406767
0x0040676b
0x0040678d
0x00406790
0x0040679a
0x00000000
0x0040679a
0x0040676d
0x00406770
0x00406774
0x00406777
0x00406777
0x0040677a
0x00000000
0x00000000
0x00406824
0x00406828
0x00406846
0x00406846
0x00406846
0x0040684d
0x00406854
0x0040685b
0x0040685b
0x00000000
0x0040685b
0x0040682a
0x0040682d
0x00406830
0x00406833
0x0040683a
0x0040677e
0x0040677e
0x00406781
0x00000000
0x00000000
0x00406915
0x00406918
0x00000000
0x00000000
0x0040654f
0x00406551
0x00406558
0x00406559
0x0040655b
0x0040655e
0x00000000
0x00000000
0x00406566
0x00406569
0x0040656c
0x0040656e
0x00406570
0x00406570
0x00406571
0x00406574
0x0040657b
0x0040657e
0x0040658c
0x00000000
0x00000000
0x00406862
0x00406862
0x00406865
0x0040686c
0x00000000
0x00000000
0x00406871
0x00406871
0x00406875
0x004069ad
0x00000000
0x004069ad
0x0040687b
0x0040687e
0x00406881
0x00406885
0x00406888
0x0040688e
0x00406890
0x00406890
0x00406890
0x00406893
0x00406896
0x00406896
0x00406896
0x00406896
0x00406899
0x00406899
0x0040689d
0x004068fd
0x00406900
0x00406905
0x00406906
0x00406908
0x0040690a
0x0040690d
0x00000000
0x0040690d
0x0040689f
0x004068a5
0x004068a8
0x004068ab
0x004068ae
0x004068b1
0x004068b4
0x004068b7
0x004068ba
0x004068bd
0x004068c0
0x004068d9
0x004068dc
0x004068df
0x004068e2
0x004068e6
0x004068e8
0x004068e8
0x004068e9
0x004068ec
0x004068c2
0x004068c2
0x004068ca
0x004068cf
0x004068d1
0x004068d4
0x004068d4
0x004068ef
0x004068f6
0x00000000
0x004068f8
0x00000000
0x004068f8
0x00000000
0x00406594
0x00406597
0x004065cd
0x004066fd
0x004066fd
0x004066fd
0x004066fd
0x00406700
0x00406700
0x00406703
0x00406705
0x0040698f
0x00000000
0x0040698f
0x0040670b
0x0040670e
0x00000000
0x00000000
0x00406714
0x00406718
0x0040671b
0x0040671b
0x0040671b
0x00000000
0x0040671b
0x00406599
0x0040659b
0x0040659d
0x0040659f
0x004065a2
0x004065a3
0x004065a5
0x004065a7
0x004065aa
0x004065ad
0x004065c3
0x004065c8
0x00406600
0x00406600
0x00406604
0x00406630
0x00406632
0x00406639
0x0040663c
0x0040663f
0x0040663f
0x00406644
0x00406644
0x00406646
0x00406649
0x00406650
0x00406653
0x00406680
0x00406680
0x00406683
0x00406686
0x004066fa
0x004066fa
0x004066fa
0x00000000
0x004066fa
0x00406688
0x0040668e
0x00406691
0x00406694
0x00406697
0x0040669a
0x0040669d
0x004066a0
0x004066a3
0x004066a6
0x004066a9
0x004066c2
0x004066c4
0x004066c7
0x004066c8
0x004066cb
0x004066cd
0x004066d0
0x004066d2
0x004066d4
0x004066d7
0x004066d9
0x004066dc
0x004066e0
0x004066e2
0x004066e2
0x004066e3
0x004066e6
0x004066e9
0x004066ab
0x004066ab
0x004066b3
0x004066b8
0x004066ba
0x004066bd
0x004066bd
0x004066ec
0x004066f3
0x0040667d
0x0040667d
0x0040667d
0x0040667d
0x00000000
0x004066f5
0x00000000
0x004066f5
0x004066f3
0x00406606
0x00406609
0x0040660b
0x0040660e
0x00406611
0x00406614
0x00406616
0x00406619
0x0040661c
0x0040661c
0x0040661f
0x0040661f
0x00406622
0x00406629
0x004065fd
0x004065fd
0x004065fd
0x004065fd
0x00000000
0x0040662b
0x00000000
0x0040662b
0x00406629
0x004065af
0x004065b2
0x004065b4
0x004065b7
0x00000000
0x00000000
0x00000000
0x00000000
0x004064a1
0x004064a1
0x004064a5
0x0040696b
0x00000000
0x0040696b
0x004064ab
0x004064ae
0x004064b1
0x004064b4
0x004064b6
0x004064b6
0x004064b6
0x004064b9
0x004064bc
0x004064bf
0x004064c2
0x004064c5
0x004064c8
0x004064c9
0x004064cb
0x004064cb
0x004064cb
0x004064ce
0x004064d1
0x004064d4
0x004064d7
0x004064d7
0x004064d7
0x004064da
0x00000000
0x00000000
0x0040671e
0x0040671e
0x0040671e
0x00406722
0x00000000
0x00000000
0x00406728
0x0040672b
0x0040672e
0x00406731
0x00406733
0x00406733
0x00406733
0x00406736
0x00406739
0x0040673c
0x0040673f
0x00406742
0x00406745
0x00406746
0x00406748
0x00406748
0x00406748
0x0040674b
0x0040674e
0x00406751
0x00406754
0x00406757
0x0040675b
0x0040675d
0x00406760
0x00000000
0x00406762
0x00000000
0x00406762
0x00406760
0x00406995
0x00000000
0x00000000
0x00405fc4

Memory Dump Source

Source File: 00000000.00000002.587792505.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.587773902.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587822461.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587850301.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587901452.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587919547.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587936413.0000000000436000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587943185.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_CL-Eye-Driver-5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d33a5f9df5361017a2c2cd63e74982cac3414c6cd2676332625b738f25334a08
Instruction ID: 7fe690cacb8e5da35aefc448adc87e2f65dc6f56ff44dc44b78e187fa59068bd
Opcode Fuzzy Hash: d33a5f9df5361017a2c2cd63e74982cac3414c6cd2676332625b738f25334a08
Instruction Fuzzy Hash: 70F16871D00229CBDF28CFA8C8946ADBBB1FF44305F25816ED856BB281D7785A96CF44

Uniqueness

Uniqueness Score: -1.00%

Function 00405E88, Relevance: 4.5, APIs: 3, Instructions: 20
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405E88(signed int _a4) {
				struct HINSTANCE__* _t5;
				CHAR* _t7;
				signed int _t9;

				_t9 = _a4 << 3;
				_t7 =  *(_t9 + 0x409220);
				_t5 = GetModuleHandleA(_t7);
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t9 + 0x409224));
				}
				_t5 = LoadLibraryA(_t7); // executed
				if(_t5 != 0) {
					goto L2;
				}
				return _t5;
			}

0x00405e90
0x00405e93
0x00405e9a
0x00405ea2
0x00405eaf
0x00000000
0x00405eb6
0x00405ea5
0x00405ead
0x00000000
0x00000000
0x00405ebe

APIs

GetModuleHandleA.KERNEL32(?,?,00000000,0040327F,00000008), ref: 00405E9A
LoadLibraryA.KERNELBASE(?,?,00000000,0040327F,00000008), ref: 00405EA5
GetProcAddress.KERNEL32(00000000,?), ref: 00405EB6

Memory Dump Source

Source File: 00000000.00000002.587792505.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.587773902.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587822461.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587850301.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587901452.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587919547.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587936413.0000000000436000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587943185.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_CL-Eye-Driver-5.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: cda0668070076e7cac62d6abfc32be1e4fdfe709f191786036c768239460f4b3
Instruction ID: 91087f9554edebef2dfdad95906e97f440013226b38390424b9c6ad62026e406
Opcode Fuzzy Hash: cda0668070076e7cac62d6abfc32be1e4fdfe709f191786036c768239460f4b3
Instruction Fuzzy Hash: 0FE08C32A08511BBD3115B30ED0896B77A8EA89B41304083EF959F6290D734EC119BFA

Uniqueness

Uniqueness Score: -1.00%

Function 00405E61, Relevance: 3.0, APIs: 2, Instructions: 14
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405E61(CHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileA(_a4, 0x4224f0); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2);
				return 0x4224f0;
			}

0x00405e6c
0x00405e75
0x00000000
0x00405e82
0x00405e78
0x00000000

APIs

FindFirstFileA.KERNELBASE(?,004224F0,004218A8,0040577D,004218A8,004218A8,00000000,004218A8,004218A8,?,?,74B5F560,0040549F,?,"C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe" ,74B5F560), ref: 00405E6C
FindClose.KERNEL32(00000000), ref: 00405E78

Memory Dump Source

Source File: 00000000.00000002.587792505.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.587773902.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587822461.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587850301.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587901452.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587919547.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587936413.0000000000436000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587943185.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_CL-Eye-Driver-5.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: a0d9290738f1f02d4b3743de2211279f78b4a64d0718c2c828088997ee3199ab
Instruction ID: f2fe444ddfa45285d6a9eb51d657c4c39712a0d2250b7f8498e11f87d01b5aa3
Opcode Fuzzy Hash: a0d9290738f1f02d4b3743de2211279f78b4a64d0718c2c828088997ee3199ab
Instruction Fuzzy Hash: 26D012359495206FC7001738AD0C85B7A58EF553347508B32F969F62E0C7B4AD51DAED

Uniqueness

Uniqueness Score: -1.00%

Function 00403A45, Relevance: 59.8, APIs: 32, Strings: 2, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E00403A45(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
				struct HWND__* _v32;
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				signed int _t37;
				signed int _t39;
				intOrPtr _t44;
				struct HWND__* _t49;
				signed int _t67;
				struct HWND__* _t73;
				signed int _t86;
				struct HWND__* _t91;
				signed int _t99;
				int _t103;
				signed int _t115;
				signed int _t116;
				int _t117;
				signed int _t122;
				struct HWND__* _t125;
				struct HWND__* _t126;
				int _t127;
				long _t130;
				int _t132;
				int _t133;
				void* _t134;
				void* _t142;

				_t115 = _a8;
				if(_t115 == 0x110 || _t115 == 0x408) {
					_t35 = _a12;
					_t125 = _a4;
					__eflags = _t115 - 0x110;
					 *0x420484 = _t35;
					if(_t115 == 0x110) {
						 *0x423ea8 = _t125;
						 *0x420498 = GetDlgItem(_t125, 1);
						_t91 = GetDlgItem(_t125, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x41f460 = _t91;
						E00403F18(_t125);
						SetClassLongA(_t125, 0xfffffff2,  *0x423688); // executed
						 *0x42366c = E0040140B(4);
						_t35 = 1;
						__eflags = 1;
						 *0x420484 = 1;
					}
					_t122 =  *0x4091c4; // 0x2
					_t133 = 0;
					_t130 = (_t122 << 6) +  *0x423ec0;
					__eflags = _t122;
					if(_t122 < 0) {
						L34:
						E00403F64(0x40b);
						while(1) {
							_t37 =  *0x420484;
							 *0x4091c4 =  *0x4091c4 + _t37;
							_t130 = _t130 + (_t37 << 6);
							_t39 =  *0x4091c4; // 0x2
							__eflags = _t39 -  *0x423ec4; // 0x5
							if(__eflags == 0) {
								E0040140B(1);
							}
							__eflags =  *0x42366c - _t133; // 0x0
							if(__eflags != 0) {
								break;
							}
							_t44 =  *0x423ec4; // 0x5
							__eflags =  *0x4091c4 - _t44; // 0x2
							if(__eflags >= 0) {
								break;
							}
							_t116 =  *(_t130 + 0x14);
							E00405B88(_t116, _t125, _t130, "Click Next to continue.",  *((intOrPtr*)(_t130 + 0x24)));
							_push( *((intOrPtr*)(_t130 + 0x20)));
							_push(0xfffffc19);
							E00403F18(_t125);
							_push( *((intOrPtr*)(_t130 + 0x1c)));
							_push(0xfffffc1b);
							E00403F18(_t125);
							_push( *((intOrPtr*)(_t130 + 0x28)));
							_push(0xfffffc1a);
							E00403F18(_t125);
							_t49 = GetDlgItem(_t125, 3);
							__eflags =  *0x423f2c - _t133; // 0x0
							_v32 = _t49;
							if(__eflags != 0) {
								_t116 = _t116 & 0x0000fefd | 0x00000004;
								__eflags = _t116;
							}
							ShowWindow(_t49, _t116 & 0x00000008); // executed
							EnableWindow( *(_t134 + 0x30), _t116 & 0x00000100); // executed
							E00403F3A(_t116 & 0x00000002);
							_t117 = _t116 & 0x00000004;
							EnableWindow( *0x41f460, _t117); // executed
							__eflags = _t117 - _t133;
							if(_t117 == _t133) {
								_push(1);
							} else {
								_push(_t133);
							}
							EnableMenuItem(GetSystemMenu(_t125, _t133), 0xf060, ??);
							SendMessageA( *(_t134 + 0x38), 0xf4, _t133, 1);
							__eflags =  *0x423f2c - _t133; // 0x0
							if(__eflags == 0) {
								_push( *0x420498);
							} else {
								SendMessageA(_t125, 0x401, 2, _t133);
								_push( *0x41f460);
							}
							E00403F4D();
							E00405B66(0x4204a0, "CL-Eye Driver Setup");
							E00405B88(0x4204a0, _t125, _t130,  &(0x4204a0[lstrlenA(0x4204a0)]),  *((intOrPtr*)(_t130 + 0x18)));
							SetWindowTextA(_t125, 0x4204a0); // executed
							_push(_t133);
							_t67 = E00401389( *((intOrPtr*)(_t130 + 8)));
							__eflags = _t67;
							if(_t67 != 0) {
								continue;
							} else {
								__eflags =  *_t130 - _t133;
								if( *_t130 == _t133) {
									continue;
								}
								__eflags =  *(_t130 + 4) - 5;
								if( *(_t130 + 4) != 5) {
									DestroyWindow( *0x423678); // executed
									 *0x41fc70 = _t130;
									__eflags =  *_t130 - _t133;
									if( *_t130 <= _t133) {
										goto L58;
									}
									_t73 = CreateDialogParamA( *0x423ea0,  *_t130 +  *0x423680 & 0x0000ffff, _t125,  *(0x4091c8 +  *(_t130 + 4) * 4), _t130); // executed
									__eflags = _t73 - _t133;
									 *0x423678 = _t73;
									if(_t73 == _t133) {
										goto L58;
									}
									_push( *((intOrPtr*)(_t130 + 0x2c)));
									_push(6);
									E00403F18(_t73);
									GetWindowRect(GetDlgItem(_t125, 0x3fa), _t134 + 0x10);
									ScreenToClient(_t125, _t134 + 0x10);
									SetWindowPos( *0x423678, _t133,  *(_t134 + 0x20),  *(_t134 + 0x20), _t133, _t133, 0x15);
									_push(_t133);
									E00401389( *((intOrPtr*)(_t130 + 0xc)));
									__eflags =  *0x42366c - _t133; // 0x0
									if(__eflags != 0) {
										goto L61;
									}
									ShowWindow( *0x423678, 8); // executed
									E00403F64(0x405);
									goto L58;
								}
								__eflags =  *0x423f2c - _t133; // 0x0
								if(__eflags != 0) {
									goto L61;
								}
								__eflags =  *0x423f20 - _t133; // 0x1
								if(__eflags != 0) {
									continue;
								}
								goto L61;
							}
						}
						DestroyWindow( *0x423678);
						 *0x423ea8 = _t133;
						EndDialog(_t125,  *0x41f868);
						goto L58;
					} else {
						__eflags = _t35 - 1;
						if(_t35 != 1) {
							L33:
							__eflags =  *_t130 - _t133;
							if( *_t130 == _t133) {
								goto L61;
							}
							goto L34;
						}
						_push(0);
						_t86 = E00401389( *((intOrPtr*)(_t130 + 0x10)));
						__eflags = _t86;
						if(_t86 == 0) {
							goto L33;
						}
						SendMessageA( *0x423678, 0x40f, 0, 1);
						__eflags =  *0x42366c - _t133; // 0x0
						return 0 | __eflags == 0x00000000;
					}
				} else {
					_t125 = _a4;
					_t133 = 0;
					if(_t115 == 0x47) {
						SetWindowPos( *0x420478, _t125, 0, 0, 0, 0, 0x13);
					}
					if(_t115 == 5) {
						asm("sbb eax, eax");
						ShowWindow( *0x420478,  ~(_a12 - 1) & _t115);
					}
					if(_t115 != 0x40d) {
						__eflags = _t115 - 0x11;
						if(_t115 != 0x11) {
							__eflags = _t115 - 0x111;
							if(_t115 != 0x111) {
								L26:
								return E00403F7F(_t115, _a12, _a16);
							}
							_t132 = _a12 & 0x0000ffff;
							_t126 = GetDlgItem(_t125, _t132);
							__eflags = _t126 - _t133;
							if(_t126 == _t133) {
								L13:
								__eflags = _t132 - 1;
								if(_t132 != 1) {
									__eflags = _t132 - 3;
									if(_t132 != 3) {
										_t127 = 2;
										__eflags = _t132 - _t127;
										if(_t132 != _t127) {
											L25:
											SendMessageA( *0x423678, 0x111, _a12, _a16);
											goto L26;
										}
										__eflags =  *0x423f2c - _t133; // 0x0
										if(__eflags == 0) {
											_t99 = E0040140B(3);
											__eflags = _t99;
											if(_t99 != 0) {
												goto L26;
											}
											 *0x41f868 = 1;
											L21:
											_push(0x78);
											L22:
											E00403EF1();
											goto L26;
										}
										E0040140B(_t127);
										 *0x41f868 = _t127;
										goto L21;
									}
									__eflags =  *0x4091c4 - _t133; // 0x2
									if(__eflags <= 0) {
										goto L25;
									}
									_push(0xffffffff);
									goto L22;
								}
								_push(_t132);
								goto L22;
							}
							SendMessageA(_t126, 0xf3, _t133, _t133);
							_t103 = IsWindowEnabled(_t126);
							__eflags = _t103;
							if(_t103 == 0) {
								goto L61;
							}
							goto L13;
						}
						SetWindowLongA(_t125, _t133, _t133);
						return 1;
					} else {
						DestroyWindow( *0x423678); // executed
						 *0x423678 = _a12;
						L58:
						if( *0x4214a0 == _t133) {
							_t142 =  *0x423678 - _t133; // 0x1a0056
							if(_t142 != 0) {
								ShowWindow(_t125, 0xa); // executed
								 *0x4214a0 = 1;
							}
						}
						L61:
						return 0;
					}
				}
			}

0x00403a4e
0x00403a57
0x00403b98
0x00403b9c
0x00403ba0
0x00403ba2
0x00403ba7
0x00403bb2
0x00403bbd
0x00403bc2
0x00403bc4
0x00403bc6
0x00403bc9
0x00403bce
0x00403bdc
0x00403be9
0x00403bf0
0x00403bf0
0x00403bf1
0x00403bf1
0x00403bf6
0x00403bfc
0x00403c03
0x00403c09
0x00403c0b
0x00403c4b
0x00403c50
0x00403c55
0x00403c55
0x00403c5a
0x00403c63
0x00403c65
0x00403c6a
0x00403c70
0x00403c74
0x00403c74
0x00403c79
0x00403c7f
0x00000000
0x00000000
0x00403c85
0x00403c8a
0x00403c90
0x00000000
0x00000000
0x00403c99
0x00403ca1
0x00403ca6
0x00403ca9
0x00403caf
0x00403cb4
0x00403cb7
0x00403cbd
0x00403cc2
0x00403cc5
0x00403ccb
0x00403cd3
0x00403cd9
0x00403cdf
0x00403ce3
0x00403cea
0x00403cea
0x00403cea
0x00403cf4
0x00403d06
0x00403d12
0x00403d17
0x00403d21
0x00403d27
0x00403d29
0x00403d2e
0x00403d2b
0x00403d2b
0x00403d2b
0x00403d3e
0x00403d56
0x00403d58
0x00403d5e
0x00403d73
0x00403d60
0x00403d69
0x00403d6b
0x00403d6b
0x00403d79
0x00403d89
0x00403d9a
0x00403da1
0x00403da7
0x00403dab
0x00403db0
0x00403db2
0x00000000
0x00403db8
0x00403db8
0x00403dba
0x00000000
0x00000000
0x00403dc0
0x00403dc4
0x00403de9
0x00403def
0x00403df5
0x00403df7
0x00000000
0x00000000
0x00403e1d
0x00403e23
0x00403e25
0x00403e2a
0x00000000
0x00000000
0x00403e30
0x00403e33
0x00403e36
0x00403e4d
0x00403e59
0x00403e72
0x00403e78
0x00403e7c
0x00403e81
0x00403e87
0x00000000
0x00000000
0x00403e91
0x00403e9c
0x00000000
0x00403e9c
0x00403dc6
0x00403dcc
0x00000000
0x00000000
0x00403dd2
0x00403dd8
0x00000000
0x00000000
0x00000000
0x00403dde
0x00403db2
0x00403ea9
0x00403eb5
0x00403ebc
0x00000000
0x00403c0d
0x00403c0d
0x00403c10
0x00403c43
0x00403c43
0x00403c45
0x00000000
0x00000000
0x00000000
0x00403c45
0x00403c12
0x00403c16
0x00403c1b
0x00403c1d
0x00000000
0x00000000
0x00403c2d
0x00403c35
0x00000000
0x00403c3b
0x00403a69
0x00403a69
0x00403a6d
0x00403a72
0x00403a81
0x00403a81
0x00403a8a
0x00403a93
0x00403a9e
0x00403a9e
0x00403aaa
0x00403ac6
0x00403ac9
0x00403adc
0x00403ae2
0x00403b85
0x00000000
0x00403b8e
0x00403ae8
0x00403af5
0x00403af7
0x00403af9
0x00403b18
0x00403b18
0x00403b1b
0x00403b20
0x00403b23
0x00403b33
0x00403b34
0x00403b36
0x00403b6c
0x00403b7f
0x00000000
0x00403b7f
0x00403b38
0x00403b3e
0x00403b57
0x00403b5c
0x00403b5e
0x00000000
0x00000000
0x00403b60
0x00403b4c
0x00403b4c
0x00403b4e
0x00403b4e
0x00000000
0x00403b4e
0x00403b41
0x00403b46
0x00000000
0x00403b46
0x00403b25
0x00403b2b
0x00000000
0x00000000
0x00403b2d
0x00000000
0x00403b2d
0x00403b1d
0x00000000
0x00403b1d
0x00403b03
0x00403b0a
0x00403b10
0x00403b12
0x00000000
0x00000000
0x00000000
0x00403b12
0x00403ace
0x00000000
0x00403aac
0x00403ab2
0x00403abc
0x00403ec2
0x00403ec8
0x00403eca
0x00403ed0
0x00403ed5
0x00403edb
0x00403edb
0x00403ed0
0x00403ee5
0x00000000
0x00403ee5
0x00403aaa

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403A81
ShowWindow.USER32(?), ref: 00403A9E
DestroyWindow.USER32 ref: 00403AB2
SetWindowLongA.USER32 ref: 00403ACE
GetDlgItem.USER32 ref: 00403AEF
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403B03
IsWindowEnabled.USER32(00000000), ref: 00403B0A
GetDlgItem.USER32 ref: 00403BB8
GetDlgItem.USER32 ref: 00403BC2
KiUserCallbackDispatcher.NTDLL(?,000000F2,?,0000001C,000000FF), ref: 00403BDC
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403C2D
GetDlgItem.USER32 ref: 00403CD3
ShowWindow.USER32(00000000,?), ref: 00403CF4
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403D06
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403D21
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403D37
EnableMenuItem.USER32 ref: 00403D3E
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403D56
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403D69
lstrlenA.KERNEL32(004204A0,?,004204A0,CL-Eye Driver Setup), ref: 00403D92
SetWindowTextA.USER32(?,004204A0), ref: 00403DA1
ShowWindow.USER32(?,0000000A), ref: 00403ED5

Strings

CL-Eye Driver Setup, xrefs: 00403D83
Click Next to continue., xrefs: 00403C9C

Memory Dump Source

Source File: 00000000.00000002.587792505.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.587773902.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587822461.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587850301.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587901452.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587919547.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587936413.0000000000436000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587943185.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_CL-Eye-Driver-5.jbxd

Similarity

API ID: Window$Item$MessageSend$CallbackDispatcherShowUser$Menu$DestroyEnableEnabledLongSystemTextlstrlen
String ID: CL-Eye Driver Setup$Click Next to continue.
API String ID: 2523155381-3701162871
Opcode ID: 0ca44dad19ebef12785e3fca4310d205a7ec76f049bba6dd02c4170e1792f308
Instruction ID: 1b558320748e03173a152966608fa9e4bba3452d5179f8dde3fdb5243a6fbb8a
Opcode Fuzzy Hash: 0ca44dad19ebef12785e3fca4310d205a7ec76f049bba6dd02c4170e1792f308
Instruction Fuzzy Hash: 21C18071A04204BBDB216F21ED45E2B3E7DEB4970AF40053EF541B12E1C739AA42DB6E

Uniqueness

Uniqueness Score: -1.00%

Function 004036AF, Relevance: 51.0, APIs: 15, Strings: 14, Instructions: 216
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E004036AF() {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				int _v16;
				char _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t20;
				signed int _t24;
				void* _t28;
				void* _t30;
				int _t31;
				void* _t34;
				struct HINSTANCE__* _t37;
				int _t38;
				intOrPtr _t39;
				int _t42;
				intOrPtr _t60;
				char _t62;
				CHAR* _t64;
				signed char _t68;
				struct HINSTANCE__* _t76;
				CHAR* _t79;
				intOrPtr _t81;
				CHAR* _t86;

				_t81 =  *0x423eb0; // 0x6f0858
				_t20 = E00405E88(6);
				_t88 = _t20;
				if(_t20 == 0) {
					_t79 = 0x4204a0;
					"1033" = 0x7830;
					E00405A4D(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x4204a0, 0);
					__eflags =  *0x4204a0;
					if(__eflags == 0) {
						E00405A4D(0x80000003, ".DEFAULT\\Control Panel\\International",  &M00407302, 0x4204a0, 0);
					}
					lstrcatA("1033", _t79);
				} else {
					E00405AC4("1033",  *_t20() & 0x0000ffff);
				}
				E00403978(_t76, _t88);
				_t24 =  *0x423eb8; // 0x81
				_t85 = "C:\\Program Files (x86)\\Code Laboratories\\CL-Eye Driver";
				 *0x423f20 = _t24 & 0x00000020;
				 *0x423f3c = 0x10000;
				if(E0040573A(_t88, "C:\\Program Files (x86)\\Code Laboratories\\CL-Eye Driver") != 0) {
					L16:
					if(E0040573A(_t96, _t85) == 0) {
						E00405B88(0, _t79, _t81, _t85,  *((intOrPtr*)(_t81 + 0x118))); // executed
					}
					_t28 = LoadImageA( *0x423ea0, 0x67, 1, 0, 0, 0x8040); // executed
					 *0x423688 = _t28;
					if( *((intOrPtr*)(_t81 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t30 = E00403978(_t76, __eflags);
							__eflags =  *0x423f40; // 0x0
							if(__eflags != 0) {
								_t31 = E00404FD6(_t30, 0);
								__eflags = _t31;
								if(_t31 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x42366c; // 0x0
								if(__eflags == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x420478, 5); // executed
							_t37 = LoadLibraryA("RichEd20"); // executed
							__eflags = _t37;
							if(_t37 == 0) {
								LoadLibraryA("RichEd32");
							}
							_t86 = "RichEdit20A";
							_t38 = GetClassInfoA(0, _t86, 0x423640);
							__eflags = _t38;
							if(_t38 == 0) {
								GetClassInfoA(0, "RichEdit", 0x423640);
								 *0x423664 = _t86;
								RegisterClassA(0x423640);
							}
							_t39 =  *0x423680; // 0x0
							_t42 = DialogBoxParamA( *0x423ea0, _t39 + 0x00000069 & 0x0000ffff, 0, E00403A45, 0); // executed
							E004035FF(E0040140B(5), 1);
							return _t42;
						}
						L22:
						_t34 = 2;
						return _t34;
					} else {
						_t76 =  *0x423ea0; // 0x400000
						 *0x423654 = _t28;
						_v20 = 0x624e5f;
						 *0x423644 = E00401000;
						 *0x423650 = _t76;
						 *0x423664 =  &_v20;
						if(RegisterClassA(0x423640) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						_t12 =  &_v16; // 0x624e5f
						SystemParametersInfoA(0x30, 0, _t12, 0);
						 *0x420478 = CreateWindowExA(0x80,  &_v20, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x423ea0, 0);
						goto L21;
					}
				} else {
					_t76 =  *(_t81 + 0x48);
					if(_t76 == 0) {
						goto L16;
					}
					_t60 =  *0x423ed8; // 0x6f7ab0
					_t79 = 0x422e40;
					E00405A4D( *((intOrPtr*)(_t81 + 0x44)), _t76,  *((intOrPtr*)(_t81 + 0x4c)) + _t60, 0x422e40, 0);
					_t62 =  *0x422e40; // 0x45
					if(_t62 == 0) {
						goto L16;
					}
					if(_t62 == 0x22) {
						_t79 = 0x422e41;
						 *((char*)(E00405684(0x422e41, 0x22))) = 0;
					}
					_t64 = lstrlenA(_t79) + _t79 - 4;
					if(_t64 <= _t79 || lstrcmpiA(_t64, ?str?) != 0) {
						L15:
						E00405B66(_t85, E00405659(_t79));
						goto L16;
					} else {
						_t68 = GetFileAttributesA(_t79);
						if(_t68 == 0xffffffff) {
							L14:
							E004056A0(_t79);
							goto L15;
						}
						_t96 = _t68 & 0x00000010;
						if((_t68 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x004036b5
0x004036be
0x004036c5
0x004036c7
0x004036db
0x004036ed
0x004036f7
0x004036fc
0x00403702
0x00403715
0x00403715
0x00403720
0x004036c9
0x004036d4
0x004036d4
0x00403725
0x0040372a
0x0040372f
0x00403738
0x0040373d
0x0040374e
0x004037d5
0x004037dd
0x004037e6
0x004037e6
0x004037fc
0x00403802
0x00403810
0x0040389f
0x004038a7
0x004038b1
0x004038b6
0x004038bc
0x00403946
0x0040394b
0x0040394d
0x00403969
0x00000000
0x00403969
0x0040394f
0x00403955
0x0040395d
0x0040395d
0x00000000
0x00403955
0x004038ca
0x004038db
0x004038dd
0x004038df
0x004038e6
0x004038e6
0x004038ee
0x004038f6
0x004038f8
0x004038fa
0x00403903
0x00403906
0x0040390c
0x0040390c
0x00403912
0x0040392b
0x0040393c
0x00000000
0x00403941
0x004038a9
0x004038ab
0x00000000
0x00403816
0x00403816
0x0040381c
0x00403826
0x0040382e
0x00403838
0x0040383e
0x0040384c
0x0040396e
0x0040396e
0x00000000
0x0040396e
0x00403852
0x0040385b
0x0040389a
0x00000000
0x0040389a
0x00403754
0x00403754
0x00403759
0x00000000
0x00000000
0x0040375e
0x00403763
0x00403773
0x00403778
0x0040377f
0x00000000
0x00000000
0x00403783
0x00403785
0x00403792
0x00403792
0x0040379a
0x004037a0
0x004037c8
0x004037d0
0x00000000
0x004037b2
0x004037b3
0x004037bc
0x004037c2
0x004037c3
0x00000000
0x004037c3
0x004037be
0x004037c0
0x00000000
0x00000000
0x00000000
0x004037c0
0x004037a0

APIs

Part of subcall function 00405E88: GetModuleHandleA.KERNEL32(?,?,00000000,0040327F,00000008), ref: 00405E9A
Part of subcall function 00405E88: LoadLibraryA.KERNELBASE(?,?,00000000,0040327F,00000008), ref: 00405EA5
Part of subcall function 00405E88: GetProcAddress.KERNEL32(00000000,?), ref: 00405EB6

lstrcatA.KERNEL32(1033,004204A0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004204A0,00000000,00000006,"C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe" ,00000000,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403720
lstrlenA.KERNEL32(Exec,?,?,?,Exec,00000000,C:\Program Files (x86)\Code Laboratories\CL-Eye Driver,1033,004204A0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004204A0,00000000,00000006,"C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe" ), ref: 00403795
lstrcmpiA.KERNEL32(?,.exe,Exec,?,?,?,Exec,00000000,C:\Program Files (x86)\Code Laboratories\CL-Eye Driver,1033,004204A0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004204A0,00000000), ref: 004037A8
GetFileAttributesA.KERNEL32(Exec), ref: 004037B3
LoadImageA.USER32 ref: 004037FC

Part of subcall function 00405AC4: wsprintfA.USER32 ref: 00405AD1

RegisterClassA.USER32 ref: 00403843
SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 0040385B
CreateWindowExA.USER32 ref: 00403894
ShowWindow.USER32(00000005,00000000), ref: 004038CA
LoadLibraryA.KERNELBASE(RichEd20), ref: 004038DB
LoadLibraryA.KERNEL32(RichEd32), ref: 004038E6
GetClassInfoA.USER32 ref: 004038F6
GetClassInfoA.USER32 ref: 00403903
RegisterClassA.USER32 ref: 0040390C
DialogBoxParamA.USER32 ref: 0040392B

Strings

.exe, xrefs: 004037A2
_Nb, xrefs: 00403852, 00403857
C:\Program Files (x86)\Code Laboratories\CL-Eye Driver, xrefs: 0040372F, 00403737, 004037CF, 004037D5, 004037E5
Exec, xrefs: 00403763, 0040376B, 00403778, 004037C2, 004037C8
"C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe" , xrefs: 004036BB
RichEdit, xrefs: 004038FD
RichEd32, xrefs: 004038E1
@6B, xrefs: 0040380B
RichEd20, xrefs: 004038D6
Control Panel\Desktop\ResourceLocale, xrefs: 004036E3
RichEdit20A, xrefs: 004038EE, 004038F4
C:\Users\user\AppData\Local\Temp\, xrefs: 004036B3
1033, xrefs: 004036CF, 0040371B
.DEFAULT\Control Panel\International, xrefs: 0040370B

Memory Dump Source

Source File: 00000000.00000002.587792505.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.587773902.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587822461.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587850301.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587901452.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587919547.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587936413.0000000000436000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587943185.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_CL-Eye-Driver-5.jbxd

Similarity

API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe" $.DEFAULT\Control Panel\International$.exe$1033$@6B$C:\Program Files (x86)\Code Laboratories\CL-Eye Driver$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$Exec$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 914957316-1530302738
Opcode ID: 6dd8c866dd907658969a4a4875d5acd1ebd92cc4bf810ee3f5d51b3ace02576f
Instruction ID: 5edcd83abe1923a5ef33726047749e404321c8c293ca1ea02831498dc8d0bb6f
Opcode Fuzzy Hash: 6dd8c866dd907658969a4a4875d5acd1ebd92cc4bf810ee3f5d51b3ace02576f
Instruction Fuzzy Hash: A961A3B16442007FD720AF659D45E2B3AADEB4475AF40457FF940B22E1D77CAD01CA2E

Uniqueness

Uniqueness Score: -1.00%

Function 00404060, Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 204
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E00404060(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
				char _v8;
				signed int _v12;
				void* _v16;
				struct HWND__* _t52;
				intOrPtr _t71;
				intOrPtr _t85;
				long _t86;
				int _t98;
				struct HWND__* _t99;
				signed int _t100;
				intOrPtr _t103;
				intOrPtr _t107;
				intOrPtr _t109;
				int _t110;
				signed int* _t112;
				signed int _t113;
				char* _t114;
				CHAR* _t115;

				if(_a8 != 0x110) {
					if(_a8 != 0x111) {
						L11:
						if(_a8 != 0x4e) {
							if(_a8 == 0x40b) {
								 *0x420480 =  *0x420480 + 1;
							}
							L25:
							_t110 = _a16;
							L26:
							return E00403F7F(_a8, _a12, _t110);
						}
						_t52 = GetDlgItem(_a4, 0x3e8);
						_t110 = _a16;
						if( *((intOrPtr*)(_t110 + 8)) == 0x70b &&  *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
							_t100 =  *((intOrPtr*)(_t110 + 0x1c));
							_t109 =  *((intOrPtr*)(_t110 + 0x18));
							_v12 = _t100;
							_v16 = _t109;
							_v8 = 0x422e40;
							if(_t100 - _t109 < 0x800) {
								SendMessageA(_t52, 0x44b, 0,  &_v16);
								SetCursor(LoadCursorA(0, 0x7f02));
								_t40 =  &_v8; // 0x422e40
								ShellExecuteA(_a4, "open",  *_t40, 0, 0, 1);
								SetCursor(LoadCursorA(0, 0x7f00));
								_t110 = _a16;
							}
						}
						if( *((intOrPtr*)(_t110 + 8)) != 0x700 ||  *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
							goto L26;
						} else {
							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
								SendMessageA( *0x423ea8, 0x111, 1, 0);
							}
							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
								SendMessageA( *0x423ea8, 0x10, 0, 0);
							}
							return 1;
						}
					}
					if(_a12 >> 0x10 != 0 ||  *0x420480 != 0) {
						goto L25;
					} else {
						_t103 =  *0x41fc70; // 0x6f0a04
						_t25 = _t103 + 0x14; // 0x6f0a18
						_t112 = _t25;
						if(( *_t112 & 0x00000020) == 0) {
							goto L25;
						}
						 *_t112 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
						E00403F3A(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
						E004042EB();
						goto L11;
					}
				}
				_t98 = _a16;
				_t113 =  *(_t98 + 0x30);
				if(_t113 < 0) {
					_t107 =  *0x42367c; // 0x705cb2
					_t113 =  *(_t107 - 4 + _t113 * 4);
				}
				_t71 =  *0x423ed8; // 0x6f7ab0
				_push( *((intOrPtr*)(_t98 + 0x34)));
				_t114 = _t113 + _t71;
				_push(0x22);
				_a16 =  *_t114;
				_v12 = _v12 & 0x00000000;
				_t115 = _t114 + 1;
				_v16 = _t115;
				_v8 = E0040402C;
				E00403F18(_a4);
				_push( *((intOrPtr*)(_t98 + 0x38)));
				_push(0x23);
				E00403F18(_a4);
				CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
				E00403F3A( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
				_t99 = GetDlgItem(_a4, 0x3e8);
				E00403F4D(_t99);
				SendMessageA(_t99, 0x45b, 1, 0);
				_t85 =  *0x423eb0; // 0x6f0858
				_t86 =  *(_t85 + 0x68);
				if(_t86 < 0) {
					_t86 = GetSysColor( ~_t86);
				}
				SendMessageA(_t99, 0x443, 0, _t86);
				SendMessageA(_t99, 0x445, 0, 0x4010000);
				 *0x41f464 =  *0x41f464 & 0x00000000;
				SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
				SendMessageA(_t99, 0x449, _a16,  &_v16); // executed
				 *0x420480 =  *0x420480 & 0x00000000;
				return 0;
			}

0x00404070
0x00404196
0x004041f2
0x004041f6
0x004042cd
0x004042cf
0x004042cf
0x004042d5
0x004042d5
0x004042d8
0x00000000
0x004042df
0x00404204
0x00404206
0x00404210
0x0040421b
0x0040421e
0x00404221
0x0040422c
0x0040422f
0x00404236
0x00404244
0x0040425c
0x00404264
0x0040426f
0x0040427f
0x00404281
0x00404281
0x00404236
0x0040428b
0x00000000
0x00404296
0x0040429a
0x004042ab
0x004042ab
0x004042b1
0x004042bf
0x004042bf
0x00000000
0x004042c3
0x0040428b
0x004041a1
0x00000000
0x004041b5
0x004041b5
0x004041bb
0x004041bb
0x004041c1
0x00000000
0x00000000
0x004041e6
0x004041e8
0x004041ed
0x00000000
0x004041ed
0x004041a1
0x00404076
0x00404079
0x0040407e
0x00404080
0x0040408f
0x0040408f
0x00404091
0x00404096
0x00404099
0x0040409b
0x004040a0
0x004040a9
0x004040af
0x004040bb
0x004040be
0x004040c7
0x004040cc
0x004040cf
0x004040d4
0x004040eb
0x004040f2
0x00404105
0x00404108
0x0040411d
0x0040411f
0x00404124
0x00404129
0x0040412e
0x0040412e
0x0040413d
0x0040414c
0x0040414e
0x00404164
0x00404173
0x00404175
0x00000000

APIs

CheckDlgButton.USER32 ref: 004040EB
GetDlgItem.USER32 ref: 004040FF
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 0040411D
GetSysColor.USER32(?), ref: 0040412E
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 0040413D
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 0040414C
lstrlenA.KERNEL32(?), ref: 00404156
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00404164
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404173
GetDlgItem.USER32 ref: 004041D6
SendMessageA.USER32(00000000), ref: 004041D9
GetDlgItem.USER32 ref: 00404204
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404244
LoadCursorA.USER32 ref: 00404253
SetCursor.USER32(00000000), ref: 0040425C
ShellExecuteA.SHELL32(0000070B,open,@.B,00000000,00000000,00000001), ref: 0040426F
LoadCursorA.USER32 ref: 0040427C
SetCursor.USER32(00000000), ref: 0040427F
SendMessageA.USER32(00000111,00000001,00000000), ref: 004042AB
SendMessageA.USER32(00000010,00000000,00000000), ref: 004042BF

Strings

@.B, xrefs: 00404264
open, xrefs: 00404267
N, xrefs: 004041F2

Memory Dump Source

Source File: 00000000.00000002.587792505.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.587773902.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587822461.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587850301.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587901452.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587919547.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587936413.0000000000436000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587943185.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_CL-Eye-Driver-5.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: @.B$N$open
API String ID: 3615053054-3815657624
Opcode ID: e8b988e3949f0b6d91b1b58256fef292242953983a672fd1ea6cb44b2e1e2ed0
Instruction ID: 7761d7a6ce13443680711406d70bf9c6d022160e69bfd2fffc9b265f6460a43d
Opcode Fuzzy Hash: e8b988e3949f0b6d91b1b58256fef292242953983a672fd1ea6cb44b2e1e2ed0
Instruction Fuzzy Hash: 4661B2B1A40209BFEB109F60DC45F6A3B69FB44755F10817AFB04BA2D1C7B8A951CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00402C72, Relevance: 30.0, APIs: 5, Strings: 12, Instructions: 203
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00402C72(void* __eflags, signed int _a4) {
				long _v8;
				long _v12;
				intOrPtr _v16;
				long _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _v40;
				char _v300;
				signed int _t54;
				void* _t57;
				void* _t62;
				signed int _t63;
				intOrPtr _t65;
				void* _t68;
				intOrPtr* _t70;
				intOrPtr _t71;
				signed int _t77;
				signed int _t79;
				signed int _t82;
				signed int _t83;
				signed int _t89;
				intOrPtr _t92;
				signed int _t101;
				signed int _t103;
				void* _t105;
				signed int _t106;
				signed int _t109;
				void* _t110;

				_v8 = 0;
				_v12 = 0;
				 *0x423eac = GetTickCount() + 0x3e8;
				GetModuleFileNameA(0, "C:\\Users\\hardz\\Desktop\\CL-Eye-Driver-5.3.0.0341-Emuline.exe", 0x400);
				_t105 = E0040583D("C:\\Users\\hardz\\Desktop\\CL-Eye-Driver-5.3.0.0341-Emuline.exe", 0x80000000, 3);
				 *0x409014 = _t105;
				if(_t105 == 0xffffffff) {
					return "Error launching installer";
				}
				E00405B66("C:\\Users\\hardz\\Desktop", "C:\\Users\\hardz\\Desktop\\CL-Eye-Driver-5.3.0.0341-Emuline.exe");
				E00405B66("CL-Eye-Driver-5.3.0.0341-Emuline.exe", E004056A0("C:\\Users\\hardz\\Desktop"));
				_t54 = GetFileSize(_t105, 0);
				__eflags = _t54;
				 *0x41f050 = _t54;
				_t109 = _t54;
				if(_t54 <= 0) {
					L22:
					E00402BD3(1);
					__eflags =  *0x423eb4; // 0xea00
					if(__eflags == 0) {
						goto L30;
					}
					__eflags = _v12;
					if(_v12 == 0) {
						L26:
						_t57 = GlobalAlloc(0x40, _v20); // executed
						_t110 = _t57;
						E00405F62(0x40afb8);
						E0040586C( &_v300, "C:\\Users\\hardz\\AppData\\Local\\Temp\\"); // executed
						_t62 = CreateFileA( &_v300, 0xc0000000, 0, 0, 2, 0x4000100, 0); // executed
						__eflags = _t62 - 0xffffffff;
						 *0x409018 = _t62;
						if(_t62 != 0xffffffff) {
							_t63 =  *0x423eb4; // 0xea00
							_t65 = E004031F1(_t63 + 0x1c);
							 *0x41f054 = _t65;
							 *0x417048 = _t65 - ( !_v40 & 0x00000004) + _v16 - 0x1c; // executed
							_t68 = E00402F18(_v16, 0xffffffff, 0, _t110, _v20); // executed
							__eflags = _t68 - _v20;
							if(_t68 == _v20) {
								__eflags = _v40 & 0x00000001;
								 *0x423eb0 = _t110;
								 *0x423eb8 =  *_t110;
								if((_v40 & 0x00000001) != 0) {
									 *0x423ebc =  *0x423ebc + 1;
									__eflags =  *0x423ebc;
								}
								_t45 = _t110 + 0x44; // 0x44
								_t70 = _t45;
								_t101 = 8;
								do {
									_t70 = _t70 - 8;
									 *_t70 =  *_t70 + _t110;
									_t101 = _t101 - 1;
									__eflags = _t101;
								} while (_t101 != 0);
								_t71 =  *0x417044; // 0x80166
								 *((intOrPtr*)(_t110 + 0x3c)) = _t71;
								E004057FE(0x423ec0, _t110 + 4, 0x40);
								__eflags = 0;
								return 0;
							}
							goto L30;
						}
						return "Error writing temporary file. Make sure your temp folder is valid.";
					}
					E004031F1( *0x417040);
					_t77 = E004031BF( &_a4, 4); // executed
					__eflags = _t77;
					if(_t77 == 0) {
						goto L30;
					}
					__eflags = _v8 - _a4;
					if(_v8 != _a4) {
						goto L30;
					}
					goto L26;
				} else {
					do {
						_t79 =  *0x423eb4; // 0xea00
						_t106 = _t109;
						asm("sbb eax, eax");
						_t82 = ( ~_t79 & 0x00007e00) + 0x200;
						__eflags = _t109 - _t82;
						if(_t109 >= _t82) {
							_t106 = _t82;
						}
						_t83 = E004031BF(0x417050, _t106); // executed
						__eflags = _t83;
						if(_t83 == 0) {
							E00402BD3(1);
							L30:
							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						__eflags =  *0x423eb4; // 0xea00
						if(__eflags != 0) {
							__eflags = _a4 & 0x00000002;
							if((_a4 & 0x00000002) == 0) {
								E00402BD3(0);
							}
							goto L19;
						}
						E004057FE( &_v40, 0x417050, 0x1c);
						_t89 = _v40;
						__eflags = _t89 & 0xfffffff0;
						if((_t89 & 0xfffffff0) != 0) {
							goto L19;
						}
						__eflags = _v36 - 0xdeadbeef;
						if(_v36 != 0xdeadbeef) {
							goto L19;
						}
						__eflags = _v24 - 0x74736e49;
						if(_v24 != 0x74736e49) {
							goto L19;
						}
						__eflags = _v28 - 0x74666f73;
						if(_v28 != 0x74666f73) {
							goto L19;
						}
						__eflags = _v32 - 0x6c6c754e;
						if(_v32 != 0x6c6c754e) {
							goto L19;
						}
						_a4 = _a4 | _t89;
						_t103 =  *0x417040; // 0x103344
						 *0x423f40 =  *0x423f40 | _a4 & 0x00000002;
						_t92 = _v16;
						__eflags = _t92 - _t109;
						 *0x423eb4 = _t103;
						if(_t92 > _t109) {
							goto L30;
						}
						__eflags = _a4 & 0x00000008;
						if((_a4 & 0x00000008) != 0) {
							L15:
							_v12 = _v12 + 1;
							_t109 = _t92 - 4;
							__eflags = _t106 - _t109;
							if(_t106 > _t109) {
								_t106 = _t109;
							}
							goto L19;
						}
						__eflags = _a4 & 0x00000004;
						if((_a4 & 0x00000004) != 0) {
							goto L22;
						}
						goto L15;
						L19:
						__eflags = _t109 -  *0x41f050; // 0xe6cee
						if(__eflags < 0) {
							_v8 = E00405EF4(_v8, 0x417050, _t106);
						}
						 *0x417040 =  *0x417040 + _t106;
						_t109 = _t109 - _t106;
						__eflags = _t109;
					} while (_t109 > 0);
					goto L22;
				}
			}

0x00402c80
0x00402c83
0x00402c9d
0x00402ca2
0x00402cb5
0x00402cba
0x00402cc0
0x00000000
0x00402cc2
0x00402cd3
0x00402ce4
0x00402ceb
0x00402cf1
0x00402cf3
0x00402cf8
0x00402cfa
0x00402dea
0x00402dec
0x00402df1
0x00402df8
0x00000000
0x00000000
0x00402dfe
0x00402e01
0x00402e2d
0x00402e32
0x00402e3d
0x00402e3f
0x00402e50
0x00402e6b
0x00402e71
0x00402e74
0x00402e79
0x00402e8f
0x00402e98
0x00402ea8
0x00402eba
0x00402ebf
0x00402ec4
0x00402ec7
0x00402ed0
0x00402ed4
0x00402edc
0x00402ee1
0x00402ee3
0x00402ee3
0x00402ee3
0x00402eeb
0x00402eeb
0x00402eee
0x00402eef
0x00402eef
0x00402ef2
0x00402ef4
0x00402ef4
0x00402ef4
0x00402ef7
0x00402efe
0x00402f0a
0x00402f0f
0x00000000
0x00402f0f
0x00000000
0x00402ec7
0x00000000
0x00402e7b
0x00402e09
0x00402e14
0x00402e19
0x00402e1b
0x00000000
0x00000000
0x00402e24
0x00402e27
0x00000000
0x00000000
0x00000000
0x00402d00
0x00402d00
0x00402d00
0x00402d05
0x00402d09
0x00402d10
0x00402d15
0x00402d17
0x00402d19
0x00402d19
0x00402d21
0x00402d26
0x00402d28
0x00402e87
0x00402ec9
0x00000000
0x00402ec9
0x00402d2e
0x00402d34
0x00402db4
0x00402db8
0x00402dbb
0x00402dc0
0x00000000
0x00402db8
0x00402d41
0x00402d46
0x00402d49
0x00402d4e
0x00000000
0x00000000
0x00402d50
0x00402d57
0x00000000
0x00000000
0x00402d59
0x00402d60
0x00000000
0x00000000
0x00402d62
0x00402d69
0x00000000
0x00000000
0x00402d6b
0x00402d72
0x00000000
0x00000000
0x00402d74
0x00402d7a
0x00402d83
0x00402d89
0x00402d8c
0x00402d8e
0x00402d94
0x00000000
0x00000000
0x00402d9a
0x00402d9e
0x00402da6
0x00402da6
0x00402da9
0x00402dac
0x00402dae
0x00402db0
0x00402db0
0x00000000
0x00402dae
0x00402da0
0x00402da4
0x00000000
0x00000000
0x00000000
0x00402dc1
0x00402dc1
0x00402dc7
0x00402dd7
0x00402dd7
0x00402dda
0x00402de0
0x00402de2
0x00402de2
0x00000000
0x00402d00

APIs

GetTickCount.KERNEL32 ref: 00402C86
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe,00000400), ref: 00402CA2

Part of subcall function 0040583D: GetFileAttributesA.KERNELBASE(00000003,00402CB5,C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe,80000000,00000003), ref: 00405841
Part of subcall function 0040583D: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405863

GetFileSize.KERNEL32(00000000,00000000,CL-Eye-Driver-5.3.0.0341-Emuline.exe,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe,C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe,80000000,00000003), ref: 00402CEB
GlobalAlloc.KERNELBASE(00000040,00409130), ref: 00402E32

Strings

CL-Eye-Driver-5.3.0.0341-Emuline.exe, xrefs: 00402CDF
"C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe" , xrefs: 00402C7F
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402EC9
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402E7B
soft, xrefs: 00402D62
Inst, xrefs: 00402D59
C:\Users\user\AppData\Local\Temp\, xrefs: 00402C72, 00402E4A
Error launching installer, xrefs: 00402CC2
"qR, xrefs: 00402EBA
C:\Users\user\Desktop, xrefs: 00402CCD, 00402CD2, 00402CD8
Null, xrefs: 00402D6B
C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe, xrefs: 00402C8C, 00402C9B, 00402CAF, 00402CCC

Memory Dump Source

Source File: 00000000.00000002.587792505.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.587773902.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587822461.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587850301.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587901452.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587919547.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587936413.0000000000436000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587943185.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_CL-Eye-Driver-5.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe" $"qR$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe$CL-Eye-Driver-5.3.0.0341-Emuline.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 2803837635-737630685
Opcode ID: 60ceed3c27925db81e17521e951e0acb4c8af2ccd94a95ed00efa1934550f9a0
Instruction ID: 0b72a330c31c6d4d52753dad6a5c3012229d4666e6dae103a7747cbc92612fb8
Opcode Fuzzy Hash: 60ceed3c27925db81e17521e951e0acb4c8af2ccd94a95ed00efa1934550f9a0
Instruction Fuzzy Hash: B761E231A40215ABDB20DF64DE49B9E7BB4EB04315F20407BF904B62D2D7BC9E458B9C

Uniqueness

Uniqueness Score: -1.00%

Function 06881D3B, Relevance: 21.5, APIs: 14, Instructions: 499
stringlibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E06881D3B() {
				void* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				CHAR* _v24;
				CHAR* _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				CHAR* _v44;
				intOrPtr _v48;
				void* _v52;
				CHAR* _t180;
				void* _t182;
				signed int _t183;
				void* _t186;
				void* _t188;
				CHAR* _t190;
				void* _t198;
				struct HINSTANCE__* _t199;
				_Unknown_base(*)()* _t200;
				_Unknown_base(*)()* _t202;
				struct HINSTANCE__* _t203;
				void* _t205;
				char* _t206;
				_Unknown_base(*)()* _t207;
				void* _t218;
				signed char _t219;
				void* _t224;
				struct HINSTANCE__* _t226;
				void* _t227;
				void* _t228;
				void* _t232;
				void* _t235;
				void* _t237;
				void* _t244;
				void* _t245;
				void* _t248;
				struct HINSTANCE__* _t253;
				CHAR* _t254;
				signed char _t257;
				void _t258;
				void* _t259;
				void* _t266;
				void* _t267;
				void* _t271;
				void* _t272;
				void* _t276;
				void* _t277;
				void* _t278;
				void* _t279;
				signed char _t282;
				signed int _t283;
				CHAR* _t284;
				CHAR* _t286;
				struct HINSTANCE__* _t288;
				void* _t290;
				void* _t291;

				_t253 = 0;
				_v32 = 0;
				_v36 = 0;
				_v16 = 0;
				_v12 = 0;
				_v40 = 0;
				_t291 = 0;
				_t180 = E06881541();
				_v24 = _t180;
				_v28 = _t180;
				_v44 = E06881541();
				_t182 = E06881561();
				_v52 = _t182;
				_v8 = _t182;
				while(1) {
					_t183 = _v32;
					_t283 = 3;
					_v48 = _t183;
					if(_t183 != _t253 && _t291 == _t253) {
						break;
					}
					_t282 =  *_v8;
					_t257 = _t282;
					_t186 = _t257 - _t253;
					if(_t186 == 0) {
						_t29 =  &_v32;
						 *_t29 = _v32 | 0xffffffff;
						__eflags =  *_t29;
						L13:
						_t188 = _v48 - _t253;
						if(_t188 == 0) {
							 *_v28 =  *_v28 & 0x00000000;
							__eflags = _t291 - _t253;
							if(_t291 == _t253) {
								_t224 = GlobalAlloc(0x40, 0x14a4); // executed
								_t291 = _t224;
								 *(_t291 + 0x810) = _t253;
								 *(_t291 + 0x814) = _t253;
							}
							_t258 = _v36;
							_t39 = _t291 + 8; // 0x8
							_t190 = _t39;
							_t40 = _t291 + 0x408; // 0x408
							_t284 = _t40;
							 *_t291 = _t258;
							 *_t190 =  *_t190 & 0x00000000;
							 *(_t291 + 0x808) = _t253;
							 *_t284 =  *_t284 & 0x00000000;
							_t259 = _t258 - _t253;
							__eflags = _t259;
							 *(_t291 + 0x80c) = _t253;
							 *(_t291 + 4) = _t253;
							if(_t259 == 0) {
								__eflags = _v28 - _v24;
								if(_v28 == _v24) {
									goto L56;
								}
								_t290 = 0;
								GlobalFree(_t291);
								_t291 = E06881641(_v24);
								__eflags = _t291 - _t253;
								if(_t291 == _t253) {
									goto L56;
								} else {
									goto L28;
								}
								while(1) {
									L28:
									_t218 =  *(_t291 + 0x14a0);
									__eflags = _t218 - _t253;
									if(_t218 == _t253) {
										break;
									}
									_t290 = _t291;
									_t291 = _t218;
									__eflags = _t291 - _t253;
									if(_t291 != _t253) {
										continue;
									}
									break;
								}
								__eflags = _t290 - _t253;
								if(_t290 != _t253) {
									 *(_t290 + 0x14a0) = _t253;
								}
								_t219 =  *(_t291 + 0x810);
								__eflags = _t219 & 0x00000008;
								if((_t219 & 0x00000008) == 0) {
									 *(_t291 + 0x810) = _t219 | 0x00000002;
								} else {
									_t291 = E0688187C(_t291);
									 *(_t291 + 0x810) =  *(_t291 + 0x810) & 0xfffffff5;
								}
								goto L56;
							} else {
								_t266 = _t259 - 1;
								__eflags = _t266;
								if(_t266 == 0) {
									L24:
									lstrcpyA(_t190, _v44);
									L25:
									lstrcpyA(_t284, _v24);
									L56:
									_v28 = _v24;
									L57:
									_v8 = _v8 + 1;
									if(_v32 != 0xffffffff) {
										continue;
									}
									break;
								}
								_t267 = _t266 - 1;
								__eflags = _t267;
								if(_t267 == 0) {
									goto L25;
								}
								__eflags = _t267 != 1;
								if(_t267 != 1) {
									goto L56;
								}
								goto L24;
							}
						}
						if(_t188 == 1) {
							_t226 = _v16;
							if(_v40 == _t253) {
								_t226 = _t226 - 1;
							}
							 *(_t291 + 0x814) = _t226;
						}
						goto L56;
					}
					_t227 = _t186 - 0x23;
					if(_t227 == 0) {
						_v32 = _t253;
						_v36 = _t253;
						goto L13;
					}
					_t228 = _t227 - 5;
					if(_t228 == 0) {
						__eflags = _v36 - _t283;
						_v32 = 1;
						_v12 = _t253;
						_v20 = _t253;
						_v16 = (0 | _v36 == _t283) + 1;
						_v40 = _t253;
						goto L13;
					}
					_t232 = _t228 - 1;
					if(_t232 == 0) {
						_v32 = 2;
						_v12 = _t253;
						_v20 = _t253;
						goto L13;
					}
					if(_t232 != 0x16) {
						_t235 = _v32 - _t253;
						__eflags = _t235;
						if(_t235 == 0) {
							__eflags = _t282 - 0x2a;
							if(_t282 == 0x2a) {
								_v36 = 2;
								L55:
								_t253 = 0;
								__eflags = 0;
								goto L56;
							}
							__eflags = _t282 - 0x2d;
							if(_t282 == 0x2d) {
								L124:
								_t237 = _v8 + 1;
								__eflags =  *_t237 - 0x3e;
								if( *_t237 != 0x3e) {
									L126:
									_t237 = _v8 + 1;
									__eflags =  *_t237 - 0x3a;
									if( *_t237 != 0x3a) {
										L133:
										_v28 =  &(_v28[1]);
										 *_v28 = _t282;
										goto L57;
									}
									__eflags = _t282 - 0x2d;
									if(_t282 == 0x2d) {
										goto L133;
									}
									_v36 = 1;
									L129:
									_v8 = _t237;
									__eflags = _v28 - _v24;
									if(_v28 <= _v24) {
										 *_v44 =  *_v44 & 0x00000000;
									} else {
										 *_v28 =  *_v28 & 0x00000000;
										lstrcpyA(_v44, _v24);
									}
									goto L55;
								}
								_v36 = _t283;
								goto L129;
							}
							__eflags = _t282 - 0x3a;
							if(_t282 != 0x3a) {
								goto L133;
							}
							__eflags = _t282 - 0x2d;
							if(_t282 != 0x2d) {
								goto L126;
							}
							goto L124;
						}
						_t244 = _t235 - 1;
						__eflags = _t244;
						if(_t244 == 0) {
							L68:
							_t245 = _t257 - 0x22;
							__eflags = _t245 - 0x55;
							if(_t245 > 0x55) {
								goto L55;
							}
							switch( *((intOrPtr*)(( *(_t245 + 0x68823a0) & 0x000000ff) * 4 +  &M06882344))) {
								case 0:
									__eax = _v24;
									__edi = _v8;
									while(1) {
										__edi = __edi + 1;
										_v8 = __edi;
										__cl =  *__edi;
										__eflags = __cl - __dl;
										if(__cl != __dl) {
											goto L108;
										}
										L107:
										__eflags =  *(__edi + 1) - __dl;
										if( *(__edi + 1) != __dl) {
											L112:
											 *__eax =  *__eax & 0x00000000;
											__ebx = E06881550(_v24);
											goto L84;
										}
										L108:
										__eflags = __cl;
										if(__cl == 0) {
											goto L112;
										}
										__eflags = __cl - __dl;
										if(__cl == __dl) {
											__edi = __edi + 1;
											__eflags = __edi;
										}
										__cl =  *__edi;
										 *__eax =  *__edi;
										__eax = __eax + 1;
										__edi = __edi + 1;
										_v8 = __edi;
										__cl =  *__edi;
										__eflags = __cl - __dl;
										if(__cl != __dl) {
											goto L108;
										}
										goto L107;
									}
								case 1:
									_v12 = 1;
									goto L55;
								case 2:
									_v12 = _v12 | 0xffffffff;
									goto L55;
								case 3:
									_v12 = _v12 & 0x00000000;
									_v20 = _v20 & 0x00000000;
									_v16 = _v16 + 1;
									goto L73;
								case 4:
									__eflags = _v20;
									if(_v20 != 0) {
										goto L55;
									}
									_v8 = _v8 - 1;
									__ebx = E06881541();
									 &_v8 = E06881CD9( &_v8);
									__eax = E0688176C(__edx, __eax, __edx, __ebx);
									goto L84;
								case 5:
									L92:
									_v20 = _v20 + 1;
									goto L55;
								case 6:
									_push(0x19);
									goto L119;
								case 7:
									_push(0x15);
									goto L119;
								case 8:
									_push(0x16);
									goto L119;
								case 9:
									_push(0x18);
									goto L119;
								case 0xa:
									_push(5);
									goto L99;
								case 0xb:
									__eax = 0;
									__eax = 1;
									goto L78;
								case 0xc:
									_push(6);
									goto L99;
								case 0xd:
									_push(2);
									goto L99;
								case 0xe:
									_push(3);
									goto L99;
								case 0xf:
									_push(0x17);
									L119:
									_pop(__ebx);
									goto L85;
								case 0x10:
									__eax =  &_v8;
									__eax = E06881CD9( &_v8);
									__ebx = __eax;
									__ebx = __eax + 1;
									__eflags = __ebx - 0xb;
									if(__ebx < 0xb) {
										__ebx = __ebx + 0xa;
									}
									goto L84;
								case 0x11:
									__ebx = 0xffffffff;
									goto L85;
								case 0x12:
									__eax = 0;
									__eflags = 0;
									goto L78;
								case 0x13:
									_push(4);
									L99:
									_pop(__eax);
									L78:
									__edx = _v16;
									__ecx = 0;
									__edx = _v16 << 5;
									__ecx = 1;
									__eflags = _v12 - 0xffffffff;
									__edi = (_v16 << 5) + __esi;
									_v40 = 1;
									 *(__edi + 0x818) = __eax;
									if(_v12 == 0xffffffff) {
										L80:
										__eax = __ecx;
										L81:
										__eflags = _v12 - __ecx;
										 *(__edi + 0x828) = __eax;
										if(_v12 == __ecx) {
											__eax =  &_v8;
											__eax = E06881CD9( &_v8);
											__eax = __eax + 1;
											__eflags = __eax;
											_v12 = __eax;
										}
										__eax = _v12;
										 *((intOrPtr*)(__edi + 0x81c)) = _v12;
										_t126 = _v16 + 0x41; // 0x41
										_t126 = _t126 << 5;
										__eax = 0;
										__eflags = 0;
										 *((intOrPtr*)((_t126 << 5) + __esi)) = 0;
										 *((intOrPtr*)(__edi + 0x82c)) = 0;
										 *((intOrPtr*)(__edi + 0x830)) = 0;
										goto L84;
									}
									__eax =  *(0x6883058 + __eax * 4);
									__eflags = __eax;
									if(__eax > 0) {
										goto L81;
									}
									goto L80;
								case 0x14:
									_t247 =  *(_t291 + 0x814);
									__eflags = _t247 - _v16;
									if(_t247 > _v16) {
										_v16 = _t247;
									}
									_v12 = _v12 & 0x00000000;
									_v20 = _v20 & 0x00000000;
									_v36 - 3 = _t247 - (_v36 == 3);
									if(_t247 != _v36 == 3) {
										L73:
										_v40 = 1;
									}
									goto L55;
								case 0x15:
									__eax =  &_v8;
									__eax = E06881CD9( &_v8);
									__ebx = __eax;
									__ebx = __eax + 1;
									L84:
									__eflags = __ebx;
									if(__ebx == 0) {
										goto L55;
									}
									L85:
									__eflags = _v20;
									_v40 = 1;
									if(_v20 != 0) {
										L90:
										__eflags = _v20 - 1;
										if(_v20 == 1) {
											__eax = _v16;
											__eax = _v16 << 5;
											__eflags = __eax;
											 *(__eax + __esi + 0x830) = __ebx;
										}
										goto L92;
									}
									_v16 = _v16 << 5;
									_t134 = __esi + 0x82c; // 0x82c
									__edi = (_v16 << 5) + _t134;
									__eax =  *__edi;
									__eflags = __eax - 0xffffffff;
									if(__eax <= 0xffffffff) {
										L88:
										__eax = GlobalFree(__eax);
										L89:
										 *__edi = __ebx;
										goto L90;
									}
									__eflags = __eax - 0x19;
									if(__eax <= 0x19) {
										goto L89;
									}
									goto L88;
								case 0x16:
									goto L55;
							}
						}
						_t248 = _t244 - 1;
						__eflags = _t248;
						if(_t248 == 0) {
							_v16 = _t253;
							goto L68;
						}
						__eflags = _t248 != 1;
						if(_t248 != 1) {
							goto L133;
						}
						_t271 = _t257 - 0x21;
						__eflags = _t271;
						if(_t271 == 0) {
							_v12 =  ~_v12;
							goto L55;
						}
						_t272 = _t271 - 0x42;
						__eflags = _t272;
						if(_t272 == 0) {
							L51:
							__eflags = _v12 - 1;
							if(_v12 != 1) {
								_t84 = _t291 + 0x810;
								 *_t84 =  *(_t291 + 0x810) &  !0x00000001;
								__eflags =  *_t84;
							} else {
								 *(_t291 + 0x810) =  *(_t291 + 0x810) | 1;
							}
							_v12 = 1;
							goto L55;
						}
						_t276 = _t272;
						__eflags = _t276;
						if(_t276 == 0) {
							_push(0x20);
							L50:
							_pop(1);
							goto L51;
						}
						_t277 = _t276 - 9;
						__eflags = _t277;
						if(_t277 == 0) {
							_push(8);
							goto L50;
						}
						_push(4);
						_pop(1);
						_t278 = _t277 - 1;
						__eflags = _t278;
						if(_t278 == 0) {
							goto L51;
						}
						_t279 = _t278 - 1;
						__eflags = _t279;
						if(_t279 == 0) {
							_push(0x10);
							goto L50;
						}
						__eflags = _t279 != 0;
						if(_t279 != 0) {
							goto L55;
						}
						_push(0x40);
						goto L50;
					} else {
						_v32 = _t283;
						_v12 = 1;
						goto L13;
					}
				}
				GlobalFree(_v52);
				GlobalFree(_v24);
				GlobalFree(_v44);
				if(_t291 == _t253 ||  *(_t291 + 0x80c) != _t253) {
					L145:
					return _t291;
				} else {
					_t198 =  *_t291 - 1;
					if(_t198 == 0) {
						_t169 = _t291 + 8; // 0x8
						_t286 = _t169;
						__eflags =  *_t286;
						if( *_t286 != 0) {
							_t199 = GetModuleHandleA(_t286);
							__eflags = _t199 - _t253;
							 *(_t291 + 0x808) = _t199;
							if(_t199 != _t253) {
								L141:
								_t173 = _t291 + 0x408; // 0x408
								_t254 = _t173;
								_t200 = GetProcAddress( *(_t291 + 0x808), _t254);
								__eflags = _t200;
								 *(_t291 + 0x80c) = _t200;
								if(_t200 != 0) {
									goto L145;
								}
								lstrcatA(_t254, 0x6884024);
								_t202 = GetProcAddress( *(_t291 + 0x808), _t254);
								__eflags = _t202;
								L143:
								 *(_t291 + 0x80c) = _t202;
								if(__eflags != 0) {
									goto L145;
								}
								L144:
								_t178 = _t291 + 4;
								 *_t178 =  *(_t291 + 4) | 0xffffffff;
								__eflags =  *_t178;
								goto L145;
							}
							_t203 = LoadLibraryA(_t286);
							__eflags = _t203 - _t253;
							 *(_t291 + 0x808) = _t203;
							if(_t203 == _t253) {
								goto L144;
							}
							goto L141;
						}
						_t170 = _t291 + 0x408; // 0x408
						_t202 = E06881641(_t170);
						__eflags = _t202 - _t253;
						goto L143;
					}
					_t205 = _t198 - 1;
					if(_t205 == 0) {
						_t167 = _t291 + 0x408; // 0x408
						_t206 = _t167;
						__eflags =  *_t206;
						if( *_t206 == 0) {
							goto L145;
						}
						_t207 = E06881641(_t206);
						L136:
						 *(_t291 + 0x80c) = _t207;
						goto L145;
					}
					if(_t205 != 1) {
						goto L145;
					}
					_t72 = _t291 + 8; // 0x8
					_t255 = _t72;
					_t288 = E06881641(_t72);
					 *(_t291 + 0x808) = _t288;
					if(_t288 == 0) {
						goto L144;
					}
					 *(_t291 + 0x850) =  *(_t291 + 0x850) & 0x00000000;
					 *((intOrPtr*)(_t291 + 0x84c)) = E06881550(_t255);
					 *(_t291 + 0x83c) =  *(_t291 + 0x83c) & 0x00000000;
					 *((intOrPtr*)(_t291 + 0x848)) = 1;
					 *((intOrPtr*)(_t291 + 0x838)) = 1;
					_t81 = _t291 + 0x408; // 0x408
					_t207 =  *(_t288->i + E06881641(_t81) * 4);
					goto L136;
				}
			}

0x06881d43
0x06881d46
0x06881d49
0x06881d4c
0x06881d4f
0x06881d52
0x06881d55
0x06881d57
0x06881d5c
0x06881d5f
0x06881d67
0x06881d6a
0x06881d6f
0x06881d72
0x06881d75
0x06881d75
0x06881d7c
0x06881d7d
0x06881d80
0x00000000
0x00000000
0x06881d8d
0x06881d8f
0x06881d94
0x06881d96
0x06881def
0x06881def
0x06881def
0x06881df3
0x06881df6
0x06881df8
0x06881e1a
0x06881e1d
0x06881e1f
0x06881e28
0x06881e2e
0x06881e30
0x06881e36
0x06881e36
0x06881e3c
0x06881e3f
0x06881e3f
0x06881e42
0x06881e42
0x06881e48
0x06881e4a
0x06881e4d
0x06881e53
0x06881e56
0x06881e56
0x06881e58
0x06881e5e
0x06881e61
0x06881e8c
0x06881e8f
0x00000000
0x00000000
0x06881e96
0x06881e98
0x06881ea6
0x06881ea9
0x06881eab
0x00000000
0x00000000
0x00000000
0x00000000
0x06881eb1
0x06881eb1
0x06881eb1
0x06881eb7
0x06881eb9
0x00000000
0x00000000
0x06881ebb
0x06881ebd
0x06881ebf
0x06881ec1
0x00000000
0x00000000
0x00000000
0x06881ec1
0x06881ec3
0x06881ec5
0x06881ec7
0x06881ec7
0x06881ecd
0x06881ed3
0x06881ed5
0x06881eeb
0x06881ed7
0x06881edd
0x06881ee0
0x06881ee0
0x00000000
0x06881e63
0x06881e63
0x06881e63
0x06881e64
0x06881e70
0x06881e74
0x06881e7a
0x06881e7e
0x06881f64
0x06881f67
0x06881f6a
0x06881f6a
0x06881f71
0x00000000
0x00000000
0x00000000
0x06881f71
0x06881e66
0x06881e66
0x06881e67
0x00000000
0x00000000
0x06881e69
0x06881e6a
0x00000000
0x00000000
0x00000000
0x06881e6a
0x06881e61
0x06881dfb
0x06881e04
0x06881e07
0x06881e14
0x06881e14
0x06881e09
0x06881e09
0x00000000
0x06881dfb
0x06881d98
0x06881d9b
0x06881de7
0x06881dea
0x00000000
0x06881dea
0x06881d9d
0x06881da0
0x06881dcb
0x06881dce
0x06881dd5
0x06881ddc
0x06881ddf
0x06881de2
0x00000000
0x06881de2
0x06881da2
0x06881da3
0x06881dba
0x06881dc1
0x06881dc4
0x00000000
0x06881dc4
0x06881da8
0x06881ef6
0x06881ef6
0x06881ef8
0x06882225
0x06882228
0x06882289
0x06881f62
0x06881f62
0x06881f62
0x00000000
0x06881f62
0x0688222a
0x0688222d
0x06882239
0x0688223c
0x0688223d
0x06882240
0x06882247
0x0688224a
0x0688224b
0x0688224e
0x06882295
0x06882298
0x0688229b
0x00000000
0x0688229b
0x06882250
0x06882253
0x00000000
0x00000000
0x06882255
0x0688225c
0x0688225c
0x06882262
0x06882265
0x06882281
0x06882267
0x06882270
0x06882273
0x06882273
0x00000000
0x06882265
0x06882242
0x00000000
0x06882242
0x0688222f
0x06882232
0x00000000
0x00000000
0x06882234
0x06882237
0x00000000
0x00000000
0x00000000
0x06882237
0x06881efe
0x06881efe
0x06881eff
0x06882026
0x06882026
0x0688202b
0x0688202e
0x00000000
0x00000000
0x0688203b
0x00000000
0x068821cd
0x068821d0
0x068821d3
0x068821d3
0x068821d4
0x068821d7
0x068821d9
0x068821db
0x00000000
0x00000000
0x068821dd
0x068821dd
0x068821e0
0x068821f2
0x068821f5
0x068821fe
0x00000000
0x068821fe
0x068821e2
0x068821e2
0x068821e4
0x00000000
0x00000000
0x068821e6
0x068821e8
0x068821ea
0x068821ea
0x068821ea
0x068821eb
0x068821ed
0x068821ef
0x068821d3
0x068821d4
0x068821d7
0x068821d9
0x068821db
0x00000000
0x00000000
0x00000000
0x068821db
0x00000000
0x06882082
0x00000000
0x00000000
0x0688208e
0x00000000
0x00000000
0x06882075
0x06882079
0x0688207d
0x00000000
0x00000000
0x0688219f
0x068821a3
0x00000000
0x00000000
0x068821a9
0x068821b1
0x068821b8
0x068821c0
0x00000000
0x00000000
0x06882147
0x06882147
0x00000000
0x00000000
0x0688221d
0x00000000
0x00000000
0x0688220d
0x00000000
0x00000000
0x06882211
0x00000000
0x00000000
0x06882219
0x00000000
0x00000000
0x0688215f
0x00000000
0x00000000
0x0688214f
0x06882151
0x00000000
0x00000000
0x06882167
0x00000000
0x00000000
0x06882157
0x00000000
0x00000000
0x0688215b
0x00000000
0x00000000
0x06882215
0x0688221f
0x0688221f
0x00000000
0x00000000
0x0688216f
0x06882173
0x06882178
0x0688217b
0x0688217c
0x0688217f
0x06882185
0x06882185
0x00000000
0x00000000
0x06882205
0x00000000
0x00000000
0x06882097
0x06882097
0x00000000
0x00000000
0x06882163
0x06882169
0x06882169
0x06882099
0x06882099
0x0688209c
0x0688209e
0x068820a1
0x068820a2
0x068820a6
0x068820a9
0x068820ac
0x068820b2
0x068820bf
0x068820bf
0x068820c1
0x068820c1
0x068820c4
0x068820ca
0x068820cc
0x068820d0
0x068820d5
0x068820d5
0x068820d7
0x068820d7
0x068820da
0x068820dd
0x068820e6
0x068820e9
0x068820ec
0x068820ec
0x068820ee
0x068820f1
0x068820f7
0x00000000
0x068820f7
0x068820b4
0x068820bb
0x068820bd
0x00000000
0x00000000
0x00000000
0x00000000
0x06882042
0x06882048
0x0688204b
0x0688204d
0x0688204d
0x06882050
0x06882054
0x06882061
0x06882063
0x06882069
0x06882069
0x06882069
0x00000000
0x00000000
0x0688218d
0x06882191
0x06882196
0x06882199
0x068820fd
0x068820fd
0x068820ff
0x00000000
0x00000000
0x06882105
0x06882105
0x06882109
0x06882110
0x06882134
0x06882134
0x06882138
0x0688213a
0x0688213d
0x0688213d
0x06882140
0x06882140
0x00000000
0x06882138
0x06882115
0x06882118
0x06882118
0x0688211f
0x06882121
0x06882124
0x0688212b
0x0688212c
0x06882132
0x06882132
0x00000000
0x06882132
0x06882126
0x06882129
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0688203b
0x06881f05
0x06881f05
0x06881f06
0x06882023
0x00000000
0x06882023
0x06881f0c
0x06881f0d
0x00000000
0x00000000
0x06881f13
0x06881f13
0x06881f16
0x06881f5f
0x00000000
0x06881f5f
0x06881f18
0x06881f18
0x06881f1b
0x06881f43
0x06881f46
0x06881f49
0x06882015
0x06882015
0x06882015
0x06881f4f
0x06881f4f
0x06881f4f
0x0688201b
0x00000000
0x0688201b
0x06881f1e
0x06881f1e
0x06881f1f
0x06881f40
0x06881f42
0x06881f42
0x00000000
0x06881f42
0x06881f21
0x06881f21
0x06881f24
0x06881f3c
0x00000000
0x06881f3c
0x06881f26
0x06881f28
0x06881f29
0x06881f29
0x06881f2b
0x00000000
0x00000000
0x06881f2d
0x06881f2d
0x06881f2e
0x06881f38
0x00000000
0x06881f38
0x06881f31
0x06881f32
0x00000000
0x00000000
0x06881f34
0x00000000
0x06881dae
0x06881dae
0x06881db1
0x00000000
0x06881db1
0x06881da8
0x06881f80
0x06881f85
0x06881f8a
0x06881f8e
0x0688233d
0x06882343
0x06881fa0
0x06881fa2
0x06881fa3
0x068822c0
0x068822c0
0x068822c3
0x068822c6
0x068822da
0x068822e0
0x068822e2
0x068822e8
0x068822fb
0x06882301
0x06882301
0x0688230e
0x06882310
0x06882312
0x06882318
0x00000000
0x00000000
0x06882320
0x0688232d
0x0688232f
0x06882331
0x06882331
0x06882337
0x00000000
0x00000000
0x06882339
0x06882339
0x06882339
0x06882339
0x00000000
0x06882339
0x068822eb
0x068822f1
0x068822f3
0x068822f9
0x00000000
0x00000000
0x00000000
0x068822f9
0x068822c8
0x068822cf
0x068822d5
0x00000000
0x068822d5
0x06881fa9
0x06881faa
0x068822a2
0x068822a2
0x068822a8
0x068822ab
0x00000000
0x00000000
0x068822b2
0x068822b7
0x068822b8
0x00000000
0x068822b8
0x06881fb1
0x00000000
0x00000000
0x06881fb7
0x06881fb7
0x06881fc0
0x06881fc5
0x06881fcb
0x00000000
0x00000000
0x06881fd1
0x06881fde
0x06881fe4
0x06881fee
0x06881ff4
0x06881ffc
0x0688200c
0x00000000
0x0688200c

APIs

Part of subcall function 06881541: GlobalAlloc.KERNEL32(00000040,06881577,?,?,06881804,?,06881017), ref: 06881549

Part of subcall function 06881561: lstrcpyA.KERNEL32(00000000,?,?,?,06881804,?,06881017), ref: 0688157E
Part of subcall function 06881561: GlobalFree.KERNEL32 ref: 0688158F

GlobalAlloc.KERNELBASE(00000040,000014A4), ref: 06881E28
lstrcpyA.KERNEL32(00000008,?), ref: 06881E74
lstrcpyA.KERNEL32(00000408,?), ref: 06881E7E
GlobalFree.KERNEL32 ref: 06881E98
GlobalFree.KERNEL32 ref: 06881F80
GlobalFree.KERNEL32 ref: 06881F85
GlobalFree.KERNEL32 ref: 06881F8A
GlobalFree.KERNEL32 ref: 0688212C
lstrcpyA.KERNEL32(?,?), ref: 06882273
GetModuleHandleA.KERNEL32(00000008), ref: 068822DA
LoadLibraryA.KERNEL32(00000008), ref: 068822EB
GetProcAddress.KERNEL32(?,00000408), ref: 0688230E
lstrcatA.KERNEL32(00000408,06884024), ref: 06882320
GetProcAddress.KERNEL32(?,00000408), ref: 0688232D

Memory Dump Source

Source File: 00000000.00000002.594659633.0000000006881000.00000020.00020000.sdmp, Offset: 06880000, based on PE: true

Associated: 00000000.00000002.594653439.0000000006880000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.594671367.0000000006883000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.594679270.0000000006885000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6880000_CL-Eye-Driver-5.jbxd

Similarity

API ID: Global$Free$lstrcpy$AddressAllocProc$HandleLibraryLoadModulelstrcat
String ID:
API String ID: 2432367840-0
Opcode ID: e7f6a808e18ef93d9dfc99642af46b62861ea7fc7dc2da8a99425d00361b650a
Instruction ID: 38b952632449bd58a465ff633e7dfc009809854c0b561923047ae236d9eede82
Opcode Fuzzy Hash: e7f6a808e18ef93d9dfc99642af46b62861ea7fc7dc2da8a99425d00361b650a
Instruction Fuzzy Hash: 2B026271D1420ADFDBA0EFA8C8997EDBBF4FF04314F10456AD2A6E6180DB745A42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00401734, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E00401734(FILETIME* __ebx, void* __eflags) {
				void* _t33;
				void* _t41;
				void* _t43;
				FILETIME* _t49;
				FILETIME* _t62;
				void* _t64;
				signed int _t70;
				FILETIME* _t71;
				FILETIME* _t75;
				signed int _t77;
				void* _t80;
				CHAR* _t82;
				void* _t85;

				_t75 = __ebx;
				_t82 = E004029F6(0x31);
				 *(_t85 - 8) = _t82;
				 *(_t85 + 8) =  *(_t85 - 0x24) & 0x00000007;
				_t33 = E004056C6(_t82);
				_push(_t82);
				if(_t33 == 0) {
					lstrcatA(E00405659(E00405B66(0x409b70, "C:\\Program Files (x86)\\Code Laboratories\\CL-Eye Driver\\Driver")), ??);
				} else {
					_push(0x409b70);
					E00405B66();
				}
				E00405DC8(0x409b70);
				while(1) {
					__eflags =  *(_t85 + 8) - 3;
					if( *(_t85 + 8) >= 3) {
						_t64 = E00405E61(0x409b70);
						_t77 = 0;
						__eflags = _t64 - _t75;
						if(_t64 != _t75) {
							_t71 = _t64 + 0x14;
							__eflags = _t71;
							_t77 = CompareFileTime(_t71, _t85 - 0x18);
						}
						asm("sbb eax, eax");
						_t70 =  ~(( *(_t85 + 8) + 0xfffffffd | 0x80000000) & _t77) + 1;
						__eflags = _t70;
						 *(_t85 + 8) = _t70;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) == _t75) {
						E0040581E(0x409b70);
					}
					__eflags =  *(_t85 + 8) - 1;
					_t41 = E0040583D(0x409b70, 0x40000000, (0 |  *(_t85 + 8) != 0x00000001) + 1);
					__eflags = _t41 - 0xffffffff;
					 *(_t85 - 0x34) = _t41;
					if(_t41 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) != _t75) {
						E00404F04(0xffffffe2,  *(_t85 - 8));
						__eflags =  *(_t85 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t85 - 4)) = 1;
						}
						L31:
						 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t85 - 4));
						__eflags =  *0x423f28;
						goto L32;
					} else {
						E00405B66(0x40a370, 0x424000);
						E00405B66(0x424000, 0x409b70);
						E00405B88(_t75, 0x40a370, 0x409b70, "C:\Users\hardz\AppData\Local\Temp\nsw97F2.tmp\nsExec.dll",  *((intOrPtr*)(_t85 - 0x10)));
						E00405B66(0x424000, 0x40a370);
						_t62 = E00405427("C:\Users\hardz\AppData\Local\Temp\nsw97F2.tmp\nsExec.dll",  *(_t85 - 0x24) >> 3) - 4;
						__eflags = _t62;
						if(_t62 == 0) {
							continue;
						} else {
							__eflags = _t62 == 1;
							if(_t62 == 1) {
								 *0x423f28 =  &( *0x423f28->dwLowDateTime);
								L32:
								_t49 = 0;
								__eflags = 0;
							} else {
								_push(0x409b70);
								_push(0xfffffffa);
								E00404F04();
								L29:
								_t49 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t49;
				}
				E00404F04(0xffffffea,  *(_t85 - 8));
				 *0x423f54 =  *0x423f54 + 1;
				_t43 = E00402F18(_t77,  *((intOrPtr*)(_t85 - 0x1c)),  *(_t85 - 0x34), _t75, _t75); // executed
				 *0x423f54 =  *0x423f54 - 1;
				__eflags =  *(_t85 - 0x18) - 0xffffffff;
				_t80 = _t43;
				if( *(_t85 - 0x18) != 0xffffffff) {
					L22:
					SetFileTime( *(_t85 - 0x34), _t85 - 0x18, _t75, _t85 - 0x18); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t85 - 0x14)) - 0xffffffff;
					if( *((intOrPtr*)(_t85 - 0x14)) != 0xffffffff) {
						goto L22;
					}
				}
				FindCloseChangeNotification( *(_t85 - 0x34)); // executed
				__eflags = _t80 - _t75;
				if(_t80 >= _t75) {
					goto L31;
				} else {
					__eflags = _t80 - 0xfffffffe;
					if(_t80 != 0xfffffffe) {
						E00405B88(_t75, _t80, 0x409b70, 0x409b70, 0xffffffee);
					} else {
						E00405B88(_t75, _t80, 0x409b70, 0x409b70, 0xffffffe9);
						lstrcatA(0x409b70,  *(_t85 - 8));
					}
					_push(0x200010);
					_push(0x409b70);
					E00405427();
					goto L29;
				}
				goto L33;
			}

0x00401734
0x0040173b
0x00401744
0x00401747
0x0040174a
0x0040174f
0x00401757
0x00401773
0x00401759
0x00401759
0x0040175a
0x0040175a
0x00401779
0x00401783
0x00401783
0x00401787
0x0040178a
0x0040178f
0x00401791
0x00401793
0x00401798
0x00401798
0x004017a3
0x004017a3
0x004017b4
0x004017b6
0x004017b6
0x004017b7
0x004017b7
0x004017ba
0x004017bd
0x004017c0
0x004017c0
0x004017c7
0x004017d6
0x004017db
0x004017de
0x004017e1
0x00000000
0x00000000
0x004017e3
0x004017e6
0x00401840
0x00401845
0x004015a8
0x0040265c
0x0040265c
0x0040288b
0x0040288e
0x0040288e
0x00000000
0x004017e8
0x004017ee
0x004017f9
0x00401806
0x00401811
0x00401827
0x00401827
0x0040182a
0x00000000
0x00401830
0x00401830
0x00401831
0x0040184e
0x00402894
0x00402894
0x00402894
0x00401833
0x00401833
0x00401834
0x00401492
0x0040220e
0x0040220e
0x0040220e
0x00401831
0x0040182a
0x00402896
0x0040289a
0x0040289a
0x0040185e
0x00401863
0x00401871
0x00401876
0x0040187c
0x00401880
0x00401882
0x0040188a
0x00401896
0x00401884
0x00401884
0x00401888
0x00000000
0x00000000
0x00401888
0x0040189f
0x004018a5
0x004018a7
0x00000000
0x004018ad
0x004018ad
0x004018b0
0x004018c8
0x004018b2
0x004018b5
0x004018be
0x004018be
0x004018cd
0x004018d2
0x00402209
0x00000000
0x00402209
0x00000000

APIs

lstrcatA.KERNEL32(00000000,00000000,Exec,C:\Program Files (x86)\Code Laboratories\CL-Eye Driver\Driver,00000000,00000000,00000031), ref: 00401773
CompareFileTime.KERNEL32(-00000014,?,Exec,Exec,00000000,00000000,Exec,C:\Program Files (x86)\Code Laboratories\CL-Eye Driver\Driver,00000000,00000000,00000031), ref: 0040179D

Part of subcall function 00405B66: lstrcpynA.KERNEL32(?,?,00000400,004032AA,CL-Eye Driver Setup,NSIS Error), ref: 00405B73

Part of subcall function 00404F04: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\nsExec.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C4A,00000000,?), ref: 00404F3D
Part of subcall function 00404F04: lstrlenA.KERNEL32(00402C4A,Skipped: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\nsExec.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C4A,00000000), ref: 00404F4D
Part of subcall function 00404F04: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\nsExec.dll,00402C4A,00402C4A,Skipped: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\nsExec.dll,00000000,00000000,00000000), ref: 00404F60
Part of subcall function 00404F04: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\nsExec.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\nsExec.dll), ref: 00404F72
Part of subcall function 00404F04: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F98
Part of subcall function 00404F04: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FB2
Part of subcall function 00404F04: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404FC0

Strings

C:\Users\user\AppData\Local\Temp\nsw97F2.tmp, xrefs: 0040177E, 004017ED, 0040180B
C:\Program Files (x86)\Code Laboratories\CL-Eye Driver\Driver, xrefs: 00401761
C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\nsExec.dll, xrefs: 00401801, 0040181D
Exec, xrefs: 00401750, 00401759, 00401766, 00401778, 00401789, 004017BF, 004017D5, 004017F3, 00401833, 004018B4, 004018BD, 004018C7, 004018D2

Memory Dump Source

Source File: 00000000.00000002.587792505.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.587773902.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587822461.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587850301.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587901452.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587919547.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587936413.0000000000436000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587943185.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_CL-Eye-Driver-5.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Program Files (x86)\Code Laboratories\CL-Eye Driver\Driver$C:\Users\user\AppData\Local\Temp\nsw97F2.tmp$C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\nsExec.dll$Exec
API String ID: 1941528284-2687912583
Opcode ID: 9d059d68c9c495e5e7599dca3da407ef59ee48d8cda07d59e831b40ef7ad4286
Instruction ID: ca24b6133afb507e547736dc5ab02d451b7f1a2d30e0a517c5ad6537af4b780a
Opcode Fuzzy Hash: 9d059d68c9c495e5e7599dca3da407ef59ee48d8cda07d59e831b40ef7ad4286
Instruction Fuzzy Hash: 8441C131900515BBCB10BFB5DD46EAF3A79EF01369B24433BF511B11E1D63C9A418AAD

Uniqueness

Uniqueness Score: -1.00%

Function 10001759, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 77
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E10001759(void* __eflags, struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				struct tagPOINT _v20;
				struct HWND__* _t24;
				void* _t28;
				int _t33;
				void* _t34;
				intOrPtr _t35;
				struct HWND__* _t38;

				 *0x100050dc = _a8;
				_t35 = _a20;
				 *0x100050e0 = _a16;
				 *0x100050e4 = _a12;
				 *((intOrPtr*)(_t35 + 0xc))( *0x100050a4, E10001852, _t34);
				_t38 = _a4;
				 *0x100050a0 = _t35;
				 *0x100050c4 = _t38;
				GetWindowRect(GetDlgItem(_t38, E10001FC2(__eflags)),  &_v20);
				MapWindowPoints(0, _t38,  &_v20, 2);
				_t24 = CreateDialogParamA( *0x100050a4, 1, _t38, E100014CA, 0); // executed
				 *0x100050c0 = _t24;
				if(_t24 != 0) {
					_t33 = _v12 - _v20.x;
					__eflags = _t33;
					SetWindowPos(_t24, 0, _v20, _v20.y, _t33, _v8 - _v20.y, 0x14);
					 *0x100050c8 = SetWindowLongA(_t38, 4, E100013FB);
					 *0x100050cc = 0;
					 *0x100050d4 = 0;
					_t28 = HeapAlloc(GetProcessHeap(), 8, 0);
					_push( *0x100050c0);
					 *0x100050d8 = _t28;
					 *0x100050d0 = 0;
					L10002016();
				} else {
					_t28 = E10001E27("error");
				}
				return _t28;
			}

0x10001763
0x1000176c
0x10001774
0x10001782
0x10001787
0x1000178a
0x1000178d
0x10001793
0x100017ab
0x100017bb
0x100017d0
0x100017d8
0x100017dd
0x100017f7
0x100017f7
0x10001803
0x1000181a
0x1000181f
0x10001825
0x10001832
0x10001838
0x1000183e
0x10001843
0x10001849
0x100017df
0x100017e4
0x100017e4
0x10001851

APIs

GetDlgItem.USER32 ref: 100017A0
GetWindowRect.USER32 ref: 100017AB
MapWindowPoints.USER32 ref: 100017BB
CreateDialogParamA.USER32(00000001,?,100014CA,00000000), ref: 100017D0
SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000014), ref: 10001803
SetWindowLongA.USER32 ref: 10001811
GetProcessHeap.KERNEL32(00000008,00000000), ref: 1000182B
HeapAlloc.KERNEL32(00000000), ref: 10001832

Part of subcall function 10001E27: GlobalAlloc.KERNEL32(00000040,?,?,100010BE,error,?,00000104), ref: 10001E3C
Part of subcall function 10001E27: lstrcpynA.KERNEL32(00000004,?,?,100010BE,error,?,00000104), ref: 10001E52

Strings

error, xrefs: 100017DF

Memory Dump Source

Source File: 00000000.00000002.599060058.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.599048571.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.599070015.0000000010003000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.599079066.0000000010004000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.599117295.0000000010007000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_CL-Eye-Driver-5.jbxd

Similarity

API ID: Window$AllocHeap$CreateDialogGlobalItemLongParamPointsProcessRectlstrcpyn
String ID: error
API String ID: 1928716940-1574812785
Opcode ID: 076d4dbdaccacf51b42516d4d78f513792876f9d85fae9c02780eec9c75aeb75
Instruction ID: da06ddcdc36cf1fc2372cec8b2b4e0d3d54046517dea9c4c0835938c29bd36d4
Opcode Fuzzy Hash: 076d4dbdaccacf51b42516d4d78f513792876f9d85fae9c02780eec9c75aeb75
Instruction Fuzzy Hash: A421F576901225EFFB01DFA5CC99EAFBFB9FB49382B008509F61597268DB715500CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00404F04, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00404F04(CHAR* _a4, CHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				CHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				CHAR* _t26;
				signed int _t27;
				CHAR* _t28;
				long _t29;
				signed int _t39;

				_t26 =  *0x423684; // 0x30120
				_v8 = _t26;
				if(_t26 != 0) {
					_t27 =  *0x423f54; // 0x6
					_v12 = _t27;
					_t39 = _t27 & 0x00000001;
					if(_t39 == 0) {
						E00405B88(0, _t39, 0x41fc78, 0x41fc78, _a4);
					}
					_t26 = lstrlenA(0x41fc78);
					_a4 = _t26;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t26 = SetWindowTextA( *0x423668, 0x41fc78); // executed
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x41fc78;
							_v52 = 1;
							_t29 = SendMessageA(_v8, 0x1004, 0, 0); // executed
							_v44 = 0;
							_v48 = _t29 - _t39;
							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52); // executed
							_t26 = SendMessageA(_v8, 0x1013, _v48, 0); // executed
						}
						if(_t39 != 0) {
							_t28 = _a4;
							 *((char*)(_t28 + 0x41fc78)) = 0;
							return _t28;
						}
					} else {
						_t26 =  &(_a4[lstrlenA(_a8)]);
						if(_t26 < 0x800) {
							_t26 = lstrcatA(0x41fc78, _a8);
							goto L6;
						}
					}
				}
				return _t26;
			}

0x00404f0a
0x00404f16
0x00404f19
0x00404f1f
0x00404f2b
0x00404f2e
0x00404f31
0x00404f37
0x00404f37
0x00404f3d
0x00404f45
0x00404f48
0x00404f65
0x00404f69
0x00404f72
0x00404f72
0x00404f7c
0x00404f85
0x00404f91
0x00404f98
0x00404f9c
0x00404f9f
0x00404fb2
0x00404fc0
0x00404fc0
0x00404fc4
0x00404fc6
0x00404fc9
0x00000000
0x00404fc9
0x00404f4a
0x00404f52
0x00404f5a
0x00404f60
0x00000000
0x00404f60
0x00404f5a
0x00404f48
0x00404fd3

APIs

lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\nsExec.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C4A,00000000,?), ref: 00404F3D
lstrlenA.KERNEL32(00402C4A,Skipped: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\nsExec.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C4A,00000000), ref: 00404F4D
lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\nsExec.dll,00402C4A,00402C4A,Skipped: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\nsExec.dll,00000000,00000000,00000000), ref: 00404F60
SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\nsExec.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\nsExec.dll), ref: 00404F72
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F98
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FB2
SendMessageA.USER32(?,00001013,?,00000000), ref: 00404FC0

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\nsExec.dll, xrefs: 00404F24, 00404F36, 00404F3C, 00404F5F, 00404F6B

Memory Dump Source

Source File: 00000000.00000002.587792505.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.587773902.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587822461.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587850301.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587901452.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587919547.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587936413.0000000000436000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587943185.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_CL-Eye-Driver-5.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\nsExec.dll
API String ID: 2531174081-3518102898
Opcode ID: c16ae44753e0492e8ebf0dec6d4426dfb74cf51d03073e062323e975129af71d
Instruction ID: 33d69ec58002f5e3cec48cf4aa7ac502a1da6879986bf9ca4026f821734cd723
Opcode Fuzzy Hash: c16ae44753e0492e8ebf0dec6d4426dfb74cf51d03073e062323e975129af71d
Instruction Fuzzy Hash: C4219D71A00108BBDF119FA5CD849DEBFB9EB49354F14807AFA04B6290C3389E45CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00403043, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 108
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E00403043(intOrPtr _a4) {
				long _v4;
				void* __ecx;
				intOrPtr _t12;
				intOrPtr _t13;
				signed int _t14;
				void* _t16;
				void* _t17;
				long _t18;
				int _t21;
				intOrPtr _t22;
				intOrPtr _t34;
				long _t35;
				intOrPtr _t37;
				void* _t39;
				long _t40;
				intOrPtr _t46;
				intOrPtr _t47;
				intOrPtr _t53;

				_t35 =  *0x417044; // 0x80166
				_t37 = _t35 -  *0x40afb0 + _a4;
				 *0x423eac = GetTickCount() + 0x1f4;
				if(_t37 <= 0) {
					L23:
					E00402BD3(1);
					return 0;
				}
				E004031F1( *0x41f054);
				SetFilePointer( *0x409018,  *0x40afb0, 0, 0); // executed
				 *0x41f050 = _t37;
				 *0x417040 = 0;
				while(1) {
					L2:
					_t12 =  *0x417048; // 0x527122
					_t34 = 0x4000;
					_t13 = _t12 -  *0x41f054;
					if(_t13 <= 0x4000) {
						_t34 = _t13;
					}
					_t14 = E004031BF(0x413040, _t34); // executed
					if(_t14 == 0) {
						break;
					}
					 *0x41f054 =  *0x41f054 + _t34;
					 *0x40afd0 = 0x413040;
					 *0x40afd4 = _t34;
					while(1) {
						_t46 =  *0x423eb0; // 0x6f0858
						if(_t46 != 0) {
							_t47 =  *0x423f40; // 0x0
							if(_t47 == 0) {
								_t22 =  *0x41f050; // 0xe6cee
								 *0x417040 = _t22 -  *0x417044 - _a4 +  *0x40afb0;
								E00402BD3(0);
							}
						}
						 *0x40afd8 = 0x40b040;
						 *0x40afdc = 0x8000; // executed
						_t16 = E00405F82(0x40afb8); // executed
						if(_t16 < 0) {
							break;
						}
						_t39 =  *0x40afd8; // 0x40e66a
						_t40 = _t39 - 0x40b040;
						if(_t40 == 0) {
							__eflags =  *0x40afd4; // 0x0
							if(__eflags != 0) {
								break;
							}
							__eflags = _t34;
							if(_t34 == 0) {
								break;
							}
							L17:
							_t18 =  *0x417044; // 0x80166
							if(_t18 -  *0x40afb0 + _a4 > 0) {
								goto L2;
							}
							SetFilePointer( *0x409018, _t18, 0, 0); // executed
							goto L23;
						}
						_t21 = WriteFile( *0x409018, 0x40b040, _t40,  &_v4, 0); // executed
						if(_t21 == 0 || _t40 != _v4) {
							_push(0xfffffffe);
							L22:
							_pop(_t17);
							return _t17;
						} else {
							 *0x40afb0 =  *0x40afb0 + _t40;
							_t53 =  *0x40afd4; // 0x0
							if(_t53 != 0) {
								continue;
							}
							goto L17;
						}
					}
					_push(0xfffffffd);
					goto L22;
				}
				return _t14 | 0xffffffff;
			}

0x00403047
0x00403054
0x00403067
0x0040306c
0x004031ad
0x004031af
0x00000000
0x004031b5
0x00403078
0x0040308b
0x00403091
0x00403097
0x004030a2
0x004030a2
0x004030a2
0x004030a7
0x004030ac
0x004030b4
0x004030b6
0x004030b6
0x004030bf
0x004030c6
0x00000000
0x00000000
0x004030cc
0x004030d2
0x004030d8
0x004030de
0x004030de
0x004030e4
0x004030e6
0x004030ec
0x004030ee
0x00403104
0x00403109
0x0040310e
0x004030ec
0x00403114
0x0040311a
0x00403124
0x0040312b
0x00000000
0x00000000
0x0040312d
0x00403133
0x00403135
0x00403169
0x0040316f
0x00000000
0x00000000
0x00403171
0x00403173
0x00000000
0x00000000
0x00403175
0x00403175
0x00403188
0x00000000
0x00000000
0x00403197
0x00000000
0x00403197
0x00403145
0x0040314d
0x004031a4
0x004031aa
0x004031aa
0x00000000
0x00403155
0x00403155
0x0040315b
0x00403161
0x00000000
0x00000000
0x00000000
0x00403167
0x0040314d
0x004031a8
0x00000000
0x004031a8
0x00000000

APIs

GetTickCount.KERNEL32 ref: 00403058

Part of subcall function 004031F1: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E9D,0000E9E4), ref: 004031FF

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,?,00402F4E,00000004,00000000,00000000,00000000,?,?,?,00402EC4,000000FF,00000000), ref: 0040308B
WriteFile.KERNELBASE(0040B040,0040E66A,00000000,00000000,ntrolService,00004000,?,00000000,?,00402F4E,00000004,00000000,00000000,00000000,?,?), ref: 00403145
SetFilePointer.KERNELBASE(00080166,00000000,00000000,ntrolService,00004000,?,00000000,?,00402F4E,00000004,00000000,00000000,00000000,?,?), ref: 00403197

Strings

j@, xrefs: 00403114, 0040312D
ntrolService, xrefs: 004030B8, 004030BE
"qR, xrefs: 004030A2

Memory Dump Source

Source File: 00000000.00000002.587792505.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.587773902.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587822461.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587850301.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587901452.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587919547.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587936413.0000000000436000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587943185.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_CL-Eye-Driver-5.jbxd

Similarity

API ID: File$Pointer$CountTickWrite
String ID: "qR$j@$ntrolService
API String ID: 2146148272-920764919
Opcode ID: 5717bb92db8eceb84bcfa3312431b9880db34fb8e18b0e02550951cbdd57df69
Instruction ID: c862c83604f3b109b9ae356e59bf9e99270c6d64ee518f880403d0392c1b0dc8
Opcode Fuzzy Hash: 5717bb92db8eceb84bcfa3312431b9880db34fb8e18b0e02550951cbdd57df69
Instruction Fuzzy Hash: 4B41ABB25042029FD710CF29EE4096A7FBDF748356705423BE501BA2E1CB3C6E099B9E

Uniqueness

Uniqueness Score: -1.00%

Function 10001C59, Relevance: 12.1, APIs: 8, Instructions: 51
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E10001C59(struct HWND__* _a4) {
				struct tagMSG _v32;
				int _t14;

				SendMessageA(_a4, 0x40d,  *0x100050c0, 0);
				ShowWindow( *0x100050c0, 8); // executed
				if( *0x100050c0 != 0) {
					do {
						GetMessageA( &_v32, 0, 0, 0); // executed
						_t14 = IsDialogMessageA( *0x100050c0,  &_v32); // executed
						if(_t14 == 0 && IsDialogMessageA( *0x100050c4,  &_v32) == 0) {
							TranslateMessage( &_v32);
							DispatchMessageA( &_v32); // executed
						}
					} while ( *0x100050c0 != 0);
				}
				return SetWindowLongA(_a4, 4,  *0x100050c8);
			}

0x10001c71
0x10001c7f
0x10001c8b
0x10001c94
0x10001c9b
0x10001cab
0x10001caf
0x10001cc5
0x10001ccf
0x10001ccf
0x10001cd5
0x10001cdd
0x10001cf1

APIs

SendMessageA.USER32(?,0000040D,00000000), ref: 10001C71
ShowWindow.USER32(00000008), ref: 10001C7F
KiUserCallbackDispatcher.NTDLL ref: 10001C9B
IsDialogMessageA.USER32(?), ref: 10001CAB
IsDialogMessageA.USER32(?), ref: 10001CBB
TranslateMessage.USER32(?), ref: 10001CC5
DispatchMessageA.USER32 ref: 10001CCF
SetWindowLongA.USER32 ref: 10001CE9

Memory Dump Source

Source File: 00000000.00000002.599060058.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.599048571.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.599070015.0000000010003000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.599079066.0000000010004000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.599117295.0000000010007000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_CL-Eye-Driver-5.jbxd

Similarity

API ID: Message$DialogWindow$CallbackDispatchDispatcherLongSendShowTranslateUser
String ID:
API String ID: 4159918924-0
Opcode ID: 716d1f326841b8c89a0f97ad3bd45cbe88ff7acd533940a23d6c43e829f4c26b
Instruction ID: 4cbc1df2721f4002ccc1d99008fa43fc86f26f63345a02fff2ee20be1cd4638b
Opcode Fuzzy Hash: 716d1f326841b8c89a0f97ad3bd45cbe88ff7acd533940a23d6c43e829f4c26b
Instruction Fuzzy Hash: 96111B31801229EBFB029BA5DD98D9F7FBEFB457C2B408121F60192028D7319405CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00402F18, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 109
fileCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00402F18(void* __ecx, void _a4, void* _a8, void* _a12, long _a16) {
				long _v8;
				intOrPtr _v12;
				void _t31;
				intOrPtr _t32;
				int _t35;
				long _t36;
				int _t37;
				long _t38;
				int _t40;
				int _t42;
				long _t43;
				long _t44;
				intOrPtr _t51;
				long _t55;
				long _t57;

				_t31 = _a4;
				if(_t31 >= 0) {
					_t51 =  *0x423ef8; // 0x155aa
					_t44 = _t31 + _t51;
					 *0x417044 = _t44;
					SetFilePointer( *0x409018, _t44, 0, 0); // executed
				}
				_t57 = 4;
				_t32 = E00403043(_t57);
				if(_t32 >= 0) {
					_t35 = ReadFile( *0x409018,  &_a4, _t57,  &_v8, 0); // executed
					if(_t35 == 0 || _v8 != _t57) {
						L23:
						_push(0xfffffffd);
						goto L24;
					} else {
						 *0x417044 =  *0x417044 + _t57;
						_t32 = E00403043(_a4);
						_v12 = _t32;
						if(_t32 >= 0) {
							if(_a12 != 0) {
								_t36 = _a4;
								if(_t36 >= _a16) {
									_t36 = _a16;
								}
								_t37 = ReadFile( *0x409018, _a12, _t36,  &_v8, 0); // executed
								if(_t37 == 0) {
									goto L23;
								} else {
									_t38 = _v8;
									 *0x417044 =  *0x417044 + _t38;
									_v12 = _t38;
									goto L22;
								}
							} else {
								if(_a4 <= 0) {
									L22:
									_t32 = _v12;
								} else {
									while(1) {
										_t55 = 0x4000;
										if(_a4 < 0x4000) {
											_t55 = _a4;
										}
										_t40 = ReadFile( *0x409018, 0x413040, _t55,  &_v8, 0); // executed
										if(_t40 == 0 || _t55 != _v8) {
											goto L23;
										}
										_t42 = WriteFile(_a8, 0x413040, _v8,  &_a16, 0); // executed
										if(_t42 == 0 || _a16 != _t55) {
											_push(0xfffffffe);
											L24:
											_pop(_t32);
										} else {
											_t43 = _v8;
											_v12 = _v12 + _t43;
											_a4 = _a4 - _t43;
											 *0x417044 =  *0x417044 + _t43;
											if(_a4 > 0) {
												continue;
											} else {
												goto L22;
											}
										}
										goto L25;
									}
									goto L23;
								}
							}
						}
					}
				}
				L25:
				return _t32;
			}

0x00402f1d
0x00402f27
0x00402f29
0x00402f30
0x00402f34
0x00402f3f
0x00402f3f
0x00402f47
0x00402f49
0x00402f50
0x00402f6c
0x00402f70
0x00403039
0x00403039
0x00000000
0x00402f7f
0x00402f82
0x00402f88
0x00402f8f
0x00402f92
0x00402f9b
0x00403008
0x0040300e
0x00403010
0x00403010
0x00403022
0x00403026
0x00000000
0x00403028
0x00403028
0x0040302b
0x00403031
0x00000000
0x00403031
0x00402f9d
0x00402fa0
0x00403034
0x00403034
0x00402fa6
0x00402fab
0x00402fab
0x00402fb3
0x00402fb5
0x00402fb5
0x00402fc6
0x00402fca
0x00000000
0x00000000
0x00402fde
0x00402fe6
0x00403004
0x0040303b
0x0040303b
0x00402fed
0x00402fed
0x00402ff0
0x00402ff3
0x00402ff6
0x00403000
0x00000000
0x00403002
0x00000000
0x00403002
0x00403000
0x00000000
0x00402fe6
0x00000000
0x00402fab
0x00402fa0
0x00402f9b
0x00402f92
0x00402f70
0x0040303c
0x00403040

APIs

SetFilePointer.KERNELBASE(00409130,00000000,00000000,00000000,00000000,00000000,?,?,?,00402EC4,000000FF,00000000,00000000,00409130,0000E9E4), ref: 00402F3F
ReadFile.KERNELBASE(00409130,00000004,0000E9E4,00000000,00000004,00000000,00000000,00000000,?,?,?,00402EC4,000000FF,00000000,00000000,00409130), ref: 00402F6C
ReadFile.KERNELBASE(ntrolService,00004000,0000E9E4,00000000,00409130,?,00402EC4,000000FF,00000000,00000000,00409130,0000E9E4), ref: 00402FC6
WriteFile.KERNELBASE(00000000,ntrolService,0000E9E4,000000FF,00000000,?,00402EC4,000000FF,00000000,00000000,00409130,0000E9E4), ref: 00402FDE

Strings

ntrolService, xrefs: 00402FA6, 00402FBF, 00402FDA

Memory Dump Source

Source File: 00000000.00000002.587792505.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.587773902.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587822461.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587850301.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587901452.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587919547.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587936413.0000000000436000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587943185.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_CL-Eye-Driver-5.jbxd

Similarity

API ID: File$Read$PointerWrite
String ID: ntrolService
API String ID: 2113905535-2971896348
Opcode ID: 3fc20a6f8204afd4db5be5275d6ec1a2b538eb21de19a3adc5be7867336c551b
Instruction ID: f0f891dec1baa82fcb152a6e3a42d02399587e043c2e4755ce28507b82245ee9
Opcode Fuzzy Hash: 3fc20a6f8204afd4db5be5275d6ec1a2b538eb21de19a3adc5be7867336c551b
Instruction Fuzzy Hash: 3F315731501249EBDB21CF55DD40A9E7FBCEB843A5F20407AFA05A6190D3789F81DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00401F51, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 73
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E00401F51(void* __ebx, void* __eflags) {
				struct HINSTANCE__* _t18;
				struct HINSTANCE__* _t26;
				void* _t27;
				struct HINSTANCE__* _t30;
				CHAR* _t32;
				intOrPtr* _t33;
				void* _t34;

				_t27 = __ebx;
				asm("sbb eax, 0x423f58");
				 *(_t34 - 4) = 1;
				if(__eflags < 0) {
					_push(0xffffffe7);
					L15:
					E00401423();
					L16:
					 *0x423f28 =  *0x423f28 +  *(_t34 - 4);
					return 0;
				}
				_t32 = E004029F6(0xfffffff0);
				 *(_t34 + 8) = E004029F6(1);
				if( *((intOrPtr*)(_t34 - 0x14)) == __ebx) {
					L3:
					_t18 = LoadLibraryExA(_t32, _t27, 8); // executed
					_t30 = _t18;
					if(_t30 == _t27) {
						_push(0xfffffff6);
						goto L15;
					}
					L4:
					_t33 = GetProcAddress(_t30,  *(_t34 + 8));
					if(_t33 == _t27) {
						E00404F04(0xfffffff7,  *(_t34 + 8));
					} else {
						 *(_t34 - 4) = _t27;
						if( *((intOrPtr*)(_t34 - 0x1c)) == _t27) {
							 *_t33( *((intOrPtr*)(_t34 - 0x34)), 0x400, 0x424000, 0x40af70, " ?B"); // executed
						} else {
							E00401423( *((intOrPtr*)(_t34 - 0x1c)));
							if( *_t33() != 0) {
								 *(_t34 - 4) = 1;
							}
						}
					}
					if( *((intOrPtr*)(_t34 - 0x18)) == _t27 && E0040364F(_t30) != 0) {
						FreeLibrary(_t30); // executed
					}
					goto L16;
				}
				_t26 = GetModuleHandleA(_t32); // executed
				_t30 = _t26;
				if(_t30 != __ebx) {
					goto L4;
				}
				goto L3;
			}

0x00401f51
0x00401f51
0x00401f56
0x00401f5d
0x00402019
0x00402164
0x00402164
0x0040288b
0x0040288e
0x0040289a
0x0040289a
0x00401f6c
0x00401f76
0x00401f79
0x00401f88
0x00401f8c
0x00401f92
0x00401f96
0x00402012
0x00000000
0x00402012
0x00401f98
0x00401fa2
0x00401fa6
0x00401fea
0x00401fa8
0x00401fab
0x00401fae
0x00401fde
0x00401fb0
0x00401fb3
0x00401fbc
0x00401fbe
0x00401fbe
0x00401fbc
0x00401fae
0x00401ff2
0x00402007
0x00402007
0x00000000
0x00401ff2
0x00401f7c
0x00401f82
0x00401f86
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00401F7C
LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401F8C
GetProcAddress.KERNEL32(00000000,?), ref: 00401F9C
KiUserCallbackDispatcher.NTDLL(?,00000400,00424000,0040AF70, ?B,?,00000008,00000001,000000F0), ref: 00401FDE

Part of subcall function 00404F04: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\nsExec.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C4A,00000000,?), ref: 00404F3D
Part of subcall function 00404F04: lstrlenA.KERNEL32(00402C4A,Skipped: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\nsExec.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C4A,00000000), ref: 00404F4D
Part of subcall function 00404F04: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\nsExec.dll,00402C4A,00402C4A,Skipped: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\nsExec.dll,00000000,00000000,00000000), ref: 00404F60
Part of subcall function 00404F04: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\nsExec.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\nsExec.dll), ref: 00404F72
Part of subcall function 00404F04: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F98
Part of subcall function 00404F04: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FB2
Part of subcall function 00404F04: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404FC0

FreeLibrary.KERNELBASE(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402007

Strings

?B, xrefs: 00401FC7

Memory Dump Source

Source File: 00000000.00000002.587792505.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.587773902.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587822461.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587850301.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587901452.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587919547.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587936413.0000000000436000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587943185.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_CL-Eye-Driver-5.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressCallbackDispatcherFreeHandleLoadModuleProcTextUserWindowlstrcat
String ID: ?B
API String ID: 4236411475-117478770
Opcode ID: f61d24994a6d5f1d4d515d59e4556ee233a12ed245c0b5973481ab63e6b0a824
Instruction ID: 83c29b7dad20212888764ed045f323035a642c1bbb84e8da84d377f5f563bf0e
Opcode Fuzzy Hash: f61d24994a6d5f1d4d515d59e4556ee233a12ed245c0b5973481ab63e6b0a824
Instruction Fuzzy Hash: D621EE72D04216EBCF207FA4DE49A6E75B06B44399F204237F511B52E0D77C4D41965E

Uniqueness

Uniqueness Score: -1.00%

Function 004015B3, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E004015B3(struct _SECURITY_ATTRIBUTES* __ebx) {
				struct _SECURITY_ATTRIBUTES** _t10;
				int _t19;
				struct _SECURITY_ATTRIBUTES* _t20;
				signed char _t22;
				struct _SECURITY_ATTRIBUTES* _t23;
				CHAR* _t25;
				struct _SECURITY_ATTRIBUTES** _t29;
				void* _t30;

				_t23 = __ebx;
				_t25 = E004029F6(0xfffffff0);
				_t10 = E004056ED(_t25);
				_t27 = _t10;
				if(_t10 != __ebx) {
					do {
						_t29 = E00405684(_t27, 0x5c);
						 *_t29 = _t23;
						 *((char*)(_t30 + 0xb)) =  *_t29;
						_t19 = CreateDirectoryA(_t25, _t23); // executed
						if(_t19 == 0) {
							if(GetLastError() != 0xb7) {
								L4:
								 *((intOrPtr*)(_t30 - 4)) =  *((intOrPtr*)(_t30 - 4)) + 1;
							} else {
								_t22 = GetFileAttributesA(_t25); // executed
								if((_t22 & 0x00000010) == 0) {
									goto L4;
								}
							}
						}
						_t20 =  *((intOrPtr*)(_t30 + 0xb));
						 *_t29 = _t20;
						_t27 =  &(_t29[0]);
					} while (_t20 != _t23);
				}
				if( *((intOrPtr*)(_t30 - 0x20)) == _t23) {
					_push(0xfffffff5);
					E00401423();
				} else {
					E00401423(0xffffffe6);
					E00405B66("C:\\Program Files (x86)\\Code Laboratories\\CL-Eye Driver\\Driver", _t25);
					SetCurrentDirectoryA(_t25); // executed
				}
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t30 - 4));
				return 0;
			}

0x004015b3
0x004015ba
0x004015bd
0x004015c2
0x004015c6
0x004015c8
0x004015d0
0x004015d6
0x004015d8
0x004015db
0x004015e3
0x004015f0
0x004015fd
0x004015fd
0x004015f2
0x004015f3
0x004015fb
0x00000000
0x00000000
0x004015fb
0x004015f0
0x00401600
0x00401603
0x00401605
0x00401606
0x004015c8
0x0040160d
0x0040162d
0x00402164
0x0040160f
0x00401611
0x0040161c
0x00401622
0x00401622
0x0040288e
0x0040289a

APIs

Part of subcall function 004056ED: CharNextA.USER32(0040549F,?,004218A8,00000000,00405751,004218A8,004218A8,?,?,74B5F560,0040549F,?,"C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe" ,74B5F560), ref: 004056FB
Part of subcall function 004056ED: CharNextA.USER32(00000000), ref: 00405700
Part of subcall function 004056ED: CharNextA.USER32(00000000), ref: 0040570F

CreateDirectoryA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015DB
GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015E5
GetFileAttributesA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015F3
SetCurrentDirectoryA.KERNELBASE(00000000,C:\Program Files (x86)\Code Laboratories\CL-Eye Driver\Driver,00000000,00000000,000000F0), ref: 00401622

Strings

C:\Program Files (x86)\Code Laboratories\CL-Eye Driver\Driver, xrefs: 00401617

Memory Dump Source

Source File: 00000000.00000002.587792505.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.587773902.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587822461.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587850301.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587901452.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587919547.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587936413.0000000000436000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587943185.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_CL-Eye-Driver-5.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
String ID: C:\Program Files (x86)\Code Laboratories\CL-Eye Driver\Driver
API String ID: 3751793516-2701378213
Opcode ID: 79158bb1b9e0f9446a8291b1140989ad94052719e68ebd3d846b01836d69eb3e
Instruction ID: c38907cd9fbddcdb820990ab727de55d75fa8bca08f123d111df4852c942a759
Opcode Fuzzy Hash: 79158bb1b9e0f9446a8291b1140989ad94052719e68ebd3d846b01836d69eb3e
Instruction Fuzzy Hash: 7E010431D08141AFDB216F751D4497F27B0AA56369728073FF891B22E2C63C0942962E

Uniqueness

Uniqueness Score: -1.00%

Function 0040586C, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040586C(char _a4, intOrPtr _a6, CHAR* _a8) {
				signed int _t11;
				int _t14;
				signed int _t16;
				void* _t19;
				CHAR* _t20;

				_t20 = _a4;
				_t19 = 0x64;
				while(1) {
					_t19 = _t19 - 1;
					_a4 = 0x61736e;
					_t11 = GetTickCount();
					_t16 = 0x1a;
					_a6 = _a6 + _t11 % _t16;
					_t14 = GetTempFileNameA(_a8,  &_a4, 0, _t20); // executed
					if(_t14 != 0) {
						break;
					}
					if(_t19 != 0) {
						continue;
					}
					 *_t20 =  *_t20 & 0x00000000;
					return _t14;
				}
				return _t20;
			}

0x00405870
0x00405876
0x00405877
0x00405877
0x00405878
0x0040587f
0x00405889
0x00405896
0x00405899
0x004058a1
0x00000000
0x00000000
0x004058a5
0x00000000
0x00000000
0x004058a7
0x00000000
0x004058a7
0x00000000

APIs

GetTickCount.KERNEL32 ref: 0040587F
GetTempFileNameA.KERNELBASE(?,0061736E,00000000,?), ref: 00405899

Strings

"C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe" , xrefs: 00405873
nsa, xrefs: 00405878
C:\Users\user\AppData\Local\Temp\, xrefs: 0040586C, 0040586F

Memory Dump Source

Source File: 00000000.00000002.587792505.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.587773902.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587822461.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587850301.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587901452.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587919547.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587936413.0000000000436000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587943185.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_CL-Eye-Driver-5.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe" $C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-3972528874
Opcode ID: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
Instruction ID: 7bdb262dbebad2fb51735791196b4a750b565e3ebaa120aaaad2cbe3184e43fd
Opcode Fuzzy Hash: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
Instruction Fuzzy Hash: B1F0A73734820876E7105E55DC04B9B7F9DDF91760F14C027FE44DA1C0D6B49954C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 00405F82, Relevance: 7.7, APIs: 4, Strings: 1, Instructions: 198
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00405F82(void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v95;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				intOrPtr _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				void _v140;
				void* _v148;
				signed int _t537;
				signed int _t538;
				signed int _t572;

				_t572 = 0x22;
				_v148 = __ecx;
				memcpy( &_v140, __ecx, _t572 << 2);
				if(_v52 == 0xffffffff) {
					return 1;
				}
				while(1) {
					L3:
					_t537 = _v140;
					if(_t537 > 0x1c) {
						break;
					}
					switch( *((intOrPtr*)(_t537 * 4 +  &M004069D4))) {
						case 0:
							__eflags = _v112;
							if(_v112 == 0) {
								goto L173;
							}
							_v112 = _v112 - 1;
							_v116 = _v116 + 1;
							_t537 =  *_v116;
							__eflags = _t537 - 0xe1;
							if(_t537 > 0xe1) {
								goto L174;
							}
							_t542 = _t537 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t576);
							_push(9);
							_pop(_t577);
							_t622 = _t542 / _t576;
							_t544 = _t542 % _t576 & 0x000000ff;
							asm("cdq");
							_t617 = _t544 % _t577 & 0x000000ff;
							_v64 = _t617;
							_v32 = (1 << _t622) - 1;
							_v28 = (1 << _t544 / _t577) - 1;
							_t625 = (0x300 << _t617 + _t622) + 0x736;
							__eflags = 0x600 - _v124;
							if(0x600 == _v124) {
								L12:
								__eflags = _t625;
								if(_t625 == 0) {
									L14:
									_v76 = _v76 & 0x00000000;
									_v68 = _v68 & 0x00000000;
									goto L17;
								} else {
									goto L13;
								}
								do {
									L13:
									_t625 = _t625 - 1;
									__eflags = _t625;
									 *((short*)(_v8 + _t625 * 2)) = 0x400;
								} while (_t625 != 0);
								goto L14;
							}
							__eflags = _v8;
							if(_v8 != 0) {
								GlobalFree(_v8);
							}
							_t537 = GlobalAlloc(0x40, 0x600); // executed
							__eflags = _t537;
							_v8 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								_v124 = 0x600;
								goto L12;
							}
						case 1:
							L15:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 1;
								goto L173;
							}
							_v112 = _v112 - 1;
							_v68 = _v68 | ( *_v116 & 0x000000ff) << _v76 << 0x00000003;
							_v116 = _v116 + 1;
							_t50 =  &_v76;
							 *_t50 = _v76 + 1;
							__eflags =  *_t50;
							L17:
							__eflags = _v76 - 4;
							if(_v76 < 4) {
								goto L15;
							}
							_t550 = _v68;
							__eflags = _t550 - _v120;
							if(_t550 == _v120) {
								L22:
								_v76 = 5;
								 *(_v12 + _v120 - 1) =  *(_v12 + _v120 - 1) & 0x00000000;
								goto L25;
							}
							__eflags = _v12;
							_v120 = _t550;
							if(_v12 != 0) {
								GlobalFree(_v12);
							}
							_t537 = GlobalAlloc(0x40, _v68); // executed
							__eflags = _t537;
							_v12 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								goto L22;
							}
						case 2:
							L26:
							_t557 = _v100 & _v32;
							_v136 = 6;
							_v80 = _t557;
							_t626 = _v8 + ((_v60 << 4) + _t557) * 2;
							goto L135;
						case 3:
							L23:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 3;
								goto L173;
							}
							_v112 = _v112 - 1;
							_t72 =  &_v116;
							 *_t72 = _v116 + 1;
							__eflags =  *_t72;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L25:
							_v76 = _v76 - 1;
							__eflags = _v76;
							if(_v76 != 0) {
								goto L23;
							}
							goto L26;
						case 4:
							L136:
							_t559 =  *_t626;
							_t610 = _t559 & 0x0000ffff;
							_t591 = (_v20 >> 0xb) * _t610;
							__eflags = _v16 - _t591;
							if(_v16 >= _t591) {
								_v20 = _v20 - _t591;
								_v16 = _v16 - _t591;
								_v68 = 1;
								_t560 = _t559 - (_t559 >> 5);
								__eflags = _t560;
								 *_t626 = _t560;
							} else {
								_v20 = _t591;
								_v68 = _v68 & 0x00000000;
								 *_t626 = (0x800 - _t610 >> 5) + _t559;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L142;
							} else {
								goto L140;
							}
						case 5:
							L140:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 5;
								goto L173;
							}
							_v20 = _v20 << 8;
							_v112 = _v112 - 1;
							_t464 =  &_v116;
							 *_t464 = _v116 + 1;
							__eflags =  *_t464;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L142:
							_t561 = _v136;
							goto L143;
						case 6:
							__edx = 0;
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v56 = 1;
								_v136 = 7;
								__esi = _v8 + 0x180 + _v60 * 2;
								goto L135;
							}
							__eax = _v96 & 0x000000ff;
							__esi = _v100;
							__cl = 8;
							__cl = 8 - _v64;
							__esi = _v100 & _v28;
							__eax = (_v96 & 0x000000ff) >> 8;
							__ecx = _v64;
							__esi = (_v100 & _v28) << 8;
							__ecx = _v8;
							((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2;
							__eax = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9;
							__eflags = _v60 - 4;
							__eax = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							_v92 = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							if(_v60 >= 4) {
								__eflags = _v60 - 0xa;
								if(_v60 >= 0xa) {
									_t103 =  &_v60;
									 *_t103 = _v60 - 6;
									__eflags =  *_t103;
								} else {
									_v60 = _v60 - 3;
								}
							} else {
								_v60 = 0;
							}
							__eflags = _v56 - __edx;
							if(_v56 == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L63;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__ecx = _v12;
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							_v95 =  *((intOrPtr*)(__eax + __ecx));
							goto L43;
						case 7:
							__eflags = _v68 - 1;
							if(_v68 != 1) {
								__eax = _v40;
								_v132 = 0x16;
								_v36 = _v40;
								__eax = _v44;
								_v40 = _v44;
								__eax = _v48;
								_v44 = _v48;
								__eax = 0;
								__eflags = _v60 - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								_v60 = (__eflags >= 0) - 1 + 0xa;
								__eax = _v8;
								__eax = _v8 + 0x664;
								__eflags = __eax;
								_v92 = __eax;
								goto L71;
							}
							__eax = _v8;
							__ecx = _v60;
							_v136 = 8;
							__esi = _v8 + 0x198 + _v60 * 2;
							goto L135;
						case 8:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xa;
								__esi = _v8 + 0x1b0 + _v60 * 2;
							} else {
								__eax = _v60;
								__ecx = _v8;
								__eax = _v60 + 0xf;
								_v136 = 9;
								_v60 + 0xf << 4 = (_v60 + 0xf << 4) + _v80;
								__esi = _v8 + ((_v60 + 0xf << 4) + _v80) * 2;
							}
							goto L135;
						case 9:
							__eflags = _v68;
							if(_v68 != 0) {
								goto L92;
							}
							__eflags = _v100;
							if(_v100 == 0) {
								goto L174;
							}
							__eax = 0;
							__eflags = _v60 - 7;
							_t264 = _v60 - 7 >= 0;
							__eflags = _t264;
							0 | _t264 = _t264 + _t264 + 9;
							_v60 = _t264 + _t264 + 9;
							goto L78;
						case 0xa:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xb;
								__esi = _v8 + 0x1c8 + _v60 * 2;
								goto L135;
							}
							__eax = _v44;
							goto L91;
						case 0xb:
							__eflags = _v68;
							if(_v68 != 0) {
								__ecx = _v40;
								__eax = _v36;
								_v36 = _v40;
							} else {
								__eax = _v40;
							}
							__ecx = _v44;
							_v40 = _v44;
							L91:
							__ecx = _v48;
							_v48 = __eax;
							_v44 = _v48;
							L92:
							__eax = _v8;
							_v132 = 0x15;
							__eax = _v8 + 0xa68;
							_v92 = _v8 + 0xa68;
							goto L71;
						case 0xc:
							L102:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xc;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t340 =  &_v116;
							 *_t340 = _v116 + 1;
							__eflags =  *_t340;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							__eax = _v48;
							goto L104;
						case 0xd:
							L39:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xd;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t127 =  &_v116;
							 *_t127 = _v116 + 1;
							__eflags =  *_t127;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L41:
							__eax = _v68;
							__eflags = _v76 - _v68;
							if(_v76 != _v68) {
								goto L50;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L56;
							}
							L43:
							__eax = _v95 & 0x000000ff;
							_v95 = _v95 << 1;
							__ecx = _v92;
							__eax = (_v95 & 0x000000ff) >> 7;
							_v76 = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi = _v92 + __eax * 2;
							_v20 = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edx;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_v68 = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								_v68 = _v68 & 0x00000000;
								_v20 = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L41;
							} else {
								goto L39;
							}
						case 0xe:
							L48:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xe;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t161 =  &_v116;
							 *_t161 = _v116 + 1;
							__eflags =  *_t161;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							while(1) {
								L50:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax = _v92;
								__edx = __ebx + __ebx;
								__ecx = _v20;
								__esi = __edx + __eax;
								__ecx = _v20 >> 0xb;
								__ax =  *__esi;
								_v88 = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = (_v20 >> 0xb) * __edi;
								__eflags = _v16 - __ecx;
								if(_v16 >= __ecx) {
									_v20 = _v20 - __ecx;
									_v16 = _v16 - __ecx;
									__cx = __ax;
									_t175 = __edx + 1; // 0x1
									__ebx = _t175;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									_v20 = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags = _v20 - 0x1000000;
								_v72 = __ebx;
								if(_v20 >= 0x1000000) {
									continue;
								} else {
									goto L48;
								}
							}
							L56:
							_t178 =  &_v56;
							 *_t178 = _v56 & 0x00000000;
							__eflags =  *_t178;
							goto L57;
						case 0xf:
							L60:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xf;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t208 =  &_v116;
							 *_t208 = _v116 + 1;
							__eflags =  *_t208;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L62:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L57:
								__al = _v72;
								_v96 = _v72;
								goto L58;
							}
							L63:
							__eax = _v92;
							__edx = __ebx + __ebx;
							__ecx = _v20;
							__esi = __edx + __eax;
							__ecx = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_t222 = __edx + 1; // 0x1
								__ebx = _t222;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L62;
							} else {
								goto L60;
							}
						case 0x10:
							L112:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x10;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t371 =  &_v116;
							 *_t371 = _v116 + 1;
							__eflags =  *_t371;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							goto L114;
						case 0x11:
							L71:
							__esi = _v92;
							_v136 = 0x12;
							goto L135;
						case 0x12:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v92;
								_v136 = 0x13;
								__esi = _v92 + 2;
								L135:
								_v88 = _t626;
								goto L136;
							}
							__eax = _v80;
							_v52 = _v52 & 0x00000000;
							__ecx = _v92;
							__eax = _v80 << 4;
							__eflags = __eax;
							__eax = _v92 + __eax + 4;
							goto L133;
						case 0x13:
							__eflags = _v68;
							if(_v68 != 0) {
								_t475 =  &_v92;
								 *_t475 = _v92 + 0x204;
								__eflags =  *_t475;
								_v52 = 0x10;
								_v68 = 8;
								L147:
								_v128 = 0x14;
								goto L148;
							}
							__eax = _v80;
							__ecx = _v92;
							__eax = _v80 << 4;
							_v52 = 8;
							__eax = _v92 + (_v80 << 4) + 0x104;
							L133:
							_v92 = __eax;
							_v68 = 3;
							goto L147;
						case 0x14:
							_v52 = _v52 + __ebx;
							__eax = _v132;
							goto L143;
						case 0x15:
							__eax = 0;
							__eflags = _v60 - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							_v60 = (__eflags >= 0) - 1 + 0xb;
							goto L123;
						case 0x16:
							__eax = _v52;
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx = _v8;
							_v68 = 6;
							__eax = __eax << 7;
							_v128 = 0x19;
							_v92 = __eax;
							goto L148;
						case 0x17:
							L148:
							__eax = _v68;
							_v84 = 1;
							_v76 = _v68;
							goto L152;
						case 0x18:
							L149:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x18;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t490 =  &_v116;
							 *_t490 = _v116 + 1;
							__eflags =  *_t490;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L151:
							_t493 =  &_v76;
							 *_t493 = _v76 - 1;
							__eflags =  *_t493;
							L152:
							__eflags = _v76;
							if(_v76 <= 0) {
								__ecx = _v68;
								__ebx = _v84;
								0 = 1;
								__eax = 1 << __cl;
								__ebx = _v84 - (1 << __cl);
								__eax = _v128;
								_v72 = __ebx;
								L143:
								_v140 = _t561;
								goto L3;
							}
							__eax = _v84;
							_v20 = _v20 >> 0xb;
							__edx = _v84 + _v84;
							__eax = _v92;
							__esi = __edx + __eax;
							_v88 = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								_v84 = __edx;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								_v84 = _v84 << 1;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L151;
							} else {
								goto L149;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								_v48 = __ebx;
								L122:
								_t399 =  &_v48;
								 *_t399 = _v48 + 1;
								__eflags =  *_t399;
								L123:
								__eax = _v48;
								__eflags = __eax;
								if(__eax == 0) {
									_v52 = _v52 | 0xffffffff;
									goto L173;
								}
								__eflags = __eax - _v100;
								if(__eax > _v100) {
									goto L174;
								}
								_v52 = _v52 + 2;
								__eax = _v52;
								_t406 =  &_v100;
								 *_t406 = _v100 + _v52;
								__eflags =  *_t406;
								goto L126;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							_v48 = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								_v76 = __ecx;
								L105:
								__eflags = _v76;
								if(_v76 <= 0) {
									__eax = __eax + __ebx;
									_v68 = 4;
									_v48 = __eax;
									__eax = _v8;
									__eax = _v8 + 0x644;
									__eflags = __eax;
									L111:
									__ebx = 0;
									_v92 = __eax;
									_v84 = 1;
									_v72 = 0;
									_v76 = 0;
									L115:
									__eax = _v68;
									__eflags = _v76 - _v68;
									if(_v76 >= _v68) {
										_t397 =  &_v48;
										 *_t397 = _v48 + __ebx;
										__eflags =  *_t397;
										goto L122;
									}
									__eax = _v84;
									_v20 = _v20 >> 0xb;
									__edi = _v84 + _v84;
									__eax = _v92;
									__esi = __edi + __eax;
									_v88 = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = (_v20 >> 0xb) * __ecx;
									__eflags = _v16 - __edx;
									if(_v16 >= __edx) {
										__ecx = 0;
										_v20 = _v20 - __edx;
										__ecx = 1;
										_v16 = _v16 - __edx;
										__ebx = 1;
										__ecx = _v76;
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx = _v72;
										__ebx = _v72 | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										_v72 = __ebx;
										 *__esi = __ax;
										_v84 = __edi;
									} else {
										_v20 = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										_v84 = _v84 << 1;
										 *__esi = __dx;
									}
									__eflags = _v20 - 0x1000000;
									if(_v20 >= 0x1000000) {
										L114:
										_t374 =  &_v76;
										 *_t374 = _v76 + 1;
										__eflags =  *_t374;
										goto L115;
									} else {
										goto L112;
									}
								}
								__ecx = _v16;
								__ebx = __ebx + __ebx;
								_v20 = _v20 >> 1;
								__eflags = _v16 - _v20;
								_v72 = __ebx;
								if(_v16 >= _v20) {
									__ecx = _v20;
									_v16 = _v16 - _v20;
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									_v72 = __ebx;
								}
								__eflags = _v20 - 0x1000000;
								if(_v20 >= 0x1000000) {
									L104:
									_t344 =  &_v76;
									 *_t344 = _v76 - 1;
									__eflags =  *_t344;
									goto L105;
								} else {
									goto L102;
								}
							}
							__edx = _v8;
							__eax = __eax - __ebx;
							_v68 = __ecx;
							__eax = _v8 + 0x55e + __eax * 2;
							goto L111;
						case 0x1a:
							L58:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1a;
								goto L173;
							}
							__ecx = _v108;
							__al = _v96;
							__edx = _v12;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_v104 = _v104 - 1;
							 *_v108 = __al;
							__ecx = _v24;
							 *(_v12 + __ecx) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t197 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t197;
							goto L82;
						case 0x1b:
							L78:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1b;
								goto L173;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__edx = _v12;
							__cl =  *(__edx + __eax);
							__eax = _v24;
							_v96 = __cl;
							 *(__edx + __eax) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t280 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t280;
							__eax = _v108;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_t289 =  &_v104;
							 *_t289 = _v104 - 1;
							__eflags =  *_t289;
							 *_v108 = __cl;
							L82:
							_v24 = __edx;
							goto L83;
						case 0x1c:
							while(1) {
								L126:
								__eflags = _v104;
								if(_v104 == 0) {
									break;
								}
								__eax = _v24;
								__eax = _v24 - _v48;
								__eflags = __eax - _v120;
								if(__eax >= _v120) {
									__eax = __eax + _v120;
									__eflags = __eax;
								}
								__edx = _v12;
								__cl =  *(__edx + __eax);
								__eax = _v24;
								_v96 = __cl;
								 *(__edx + __eax) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t420 = __eax % _v120;
								__eax = __eax / _v120;
								__edx = _t420;
								__eax = _v108;
								_v108 = _v108 + 1;
								_v104 = _v104 - 1;
								_v52 = _v52 - 1;
								__eflags = _v52;
								 *_v108 = __cl;
								_v24 = _t420;
								if(_v52 > 0) {
									continue;
								} else {
									L83:
									_v140 = 2;
									goto L3;
								}
							}
							_v140 = 0x1c;
							L173:
							_push(0x22);
							_pop(_t574);
							memcpy(_v148,  &_v140, _t574 << 2);
							return 0;
					}
				}
				L174:
				_t538 = _t537 | 0xffffffff;
				return _t538;
			}

0x00405f92
0x00405f99
0x00405f9f
0x00405fa5
0x00000000
0x00405fa9
0x00405fb5
0x00405fb5
0x00405fb5
0x00405fbe
0x00000000
0x00000000
0x00405fc4
0x00000000
0x00405fcb
0x00405fcf
0x00000000
0x00000000
0x00405fd8
0x00405fdb
0x00405fde
0x00405fe0
0x00405fe2
0x00000000
0x00000000
0x00405fe8
0x00405feb
0x00405fed
0x00405fee
0x00405ff1
0x00405ff3
0x00405ff4
0x00405ff6
0x00405ff9
0x00405ffe
0x00406003
0x0040600c
0x0040601f
0x00406022
0x0040602b
0x0040602e
0x00406056
0x00406056
0x00406058
0x00406066
0x00406066
0x0040606a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040605a
0x0040605a
0x0040605d
0x0040605d
0x0040605e
0x0040605e
0x00000000
0x0040605a
0x00406030
0x00406034
0x00406039
0x00406039
0x00406042
0x00406048
0x0040604a
0x0040604d
0x00000000
0x00406053
0x00406053
0x00000000
0x00406053
0x00000000
0x00406070
0x00406070
0x00406074
0x00406920
0x00000000
0x00406920
0x0040607d
0x0040608d
0x00406090
0x00406093
0x00406093
0x00406093
0x00406096
0x00406096
0x0040609a
0x00000000
0x00000000
0x0040609c
0x0040609f
0x004060a2
0x004060cc
0x004060d2
0x004060d9
0x00000000
0x004060d9
0x004060a4
0x004060a8
0x004060ab
0x004060b0
0x004060b0
0x004060bb
0x004060c1
0x004060c3
0x004060c6
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040610b
0x00406111
0x00406114
0x00406121
0x00406129
0x00000000
0x00000000
0x004060e0
0x004060e0
0x004060e4
0x0040692f
0x00000000
0x0040692f
0x004060f0
0x004060fb
0x004060fb
0x004060fb
0x004060fe
0x00406101
0x00406104
0x00406107
0x00406109
0x00000000
0x00000000
0x00000000
0x00000000
0x004067a0
0x004067a0
0x004067a6
0x004067ac
0x004067af
0x004067b2
0x004067cc
0x004067cf
0x004067d5
0x004067e0
0x004067e0
0x004067e2
0x004067b4
0x004067b4
0x004067c3
0x004067c7
0x004067c7
0x004067e5
0x004067ec
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004067ee
0x004067ee
0x004067f2
0x004069a1
0x00000000
0x004069a1
0x004067fe
0x00406805
0x0040680d
0x0040680d
0x0040680d
0x00406810
0x00406813
0x00406813
0x00000000
0x00000000
0x00406131
0x00406133
0x00406136
0x004061a7
0x004061aa
0x004061ad
0x004061b4
0x004061be
0x00000000
0x004061be
0x00406138
0x0040613c
0x0040613f
0x00406141
0x00406144
0x00406147
0x00406149
0x0040614c
0x0040614e
0x00406153
0x00406156
0x00406159
0x0040615d
0x00406164
0x00406167
0x0040616e
0x00406172
0x0040617a
0x0040617a
0x0040617a
0x00406174
0x00406174
0x00406174
0x00406169
0x00406169
0x00406169
0x0040617e
0x00406181
0x0040619f
0x004061a1
0x00000000
0x004061a1
0x00406183
0x00406186
0x00406189
0x0040618c
0x0040618e
0x0040618e
0x0040618e
0x00406191
0x00406194
0x00406196
0x00406197
0x0040619a
0x00000000
0x00000000
0x004063d0
0x004063d4
0x004063f2
0x004063f5
0x004063fc
0x004063ff
0x00406402
0x00406405
0x00406408
0x0040640b
0x0040640d
0x00406414
0x00406415
0x00406417
0x0040641a
0x0040641d
0x00406420
0x00406420
0x00406425
0x00000000
0x00406425
0x004063d6
0x004063d9
0x004063dc
0x004063e6
0x00000000
0x00000000
0x0040643a
0x0040643e
0x00406461
0x00406464
0x00406467
0x00406471
0x00406440
0x00406440
0x00406443
0x00406446
0x00406449
0x00406456
0x00406459
0x00406459
0x00000000
0x00000000
0x0040647d
0x00406481
0x00000000
0x00000000
0x00406487
0x0040648b
0x00000000
0x00000000
0x00406491
0x00406493
0x00406497
0x00406497
0x0040649a
0x0040649e
0x00000000
0x00000000
0x004064ee
0x004064f2
0x004064f9
0x004064fc
0x004064ff
0x00406509
0x00000000
0x00406509
0x004064f4
0x00000000
0x00000000
0x00406515
0x00406519
0x00406520
0x00406523
0x00406526
0x0040651b
0x0040651b
0x0040651b
0x00406529
0x0040652c
0x0040652f
0x0040652f
0x00406532
0x00406535
0x00406538
0x00406538
0x0040653b
0x00406542
0x00406547
0x00000000
0x00000000
0x004065d5
0x004065d5
0x004065d9
0x00406977
0x00000000
0x00406977
0x004065df
0x004065e2
0x004065e5
0x004065e9
0x004065ec
0x004065f2
0x004065f4
0x004065f4
0x004065f4
0x004065f7
0x004065fa
0x00000000
0x00000000
0x004061ca
0x004061ca
0x004061ce
0x0040693b
0x00000000
0x0040693b
0x004061d4
0x004061d7
0x004061da
0x004061de
0x004061e1
0x004061e7
0x004061e9
0x004061e9
0x004061e9
0x004061ec
0x004061ef
0x004061ef
0x004061f2
0x004061f5
0x00000000
0x00000000
0x004061fb
0x00406201
0x00000000
0x00000000
0x00406207
0x00406207
0x0040620b
0x0040620e
0x00406211
0x00406214
0x00406217
0x00406218
0x0040621b
0x0040621d
0x00406223
0x00406226
0x00406229
0x0040622c
0x0040622f
0x00406232
0x00406235
0x00406251
0x00406254
0x00406257
0x0040625a
0x00406261
0x00406265
0x00406267
0x0040626b
0x00406237
0x00406237
0x0040623b
0x00406243
0x00406248
0x0040624a
0x0040624c
0x0040624c
0x0040626e
0x00406275
0x00406278
0x00000000
0x0040627e
0x00000000
0x0040627e
0x00000000
0x00406283
0x00406283
0x00406287
0x00406947
0x00000000
0x00406947
0x0040628d
0x00406290
0x00406293
0x00406297
0x0040629a
0x004062a0
0x004062a2
0x004062a2
0x004062a2
0x004062a5
0x004062a8
0x004062a8
0x004062a8
0x004062ae
0x00000000
0x00000000
0x004062b0
0x004062b3
0x004062b6
0x004062b9
0x004062bc
0x004062bf
0x004062c2
0x004062c5
0x004062c8
0x004062cb
0x004062ce
0x004062e6
0x004062e9
0x004062ec
0x004062ef
0x004062ef
0x004062f2
0x004062f6
0x004062f8
0x004062d0
0x004062d0
0x004062d8
0x004062dd
0x004062df
0x004062e1
0x004062e1
0x004062fb
0x00406302
0x00406305
0x00000000
0x00406307
0x00000000
0x00406307
0x00406305
0x0040630c
0x0040630c
0x0040630c
0x0040630c
0x00000000
0x00000000
0x00406347
0x00406347
0x0040634b
0x00406953
0x00000000
0x00406953
0x00406351
0x00406354
0x00406357
0x0040635b
0x0040635e
0x00406364
0x00406366
0x00406366
0x00406366
0x00406369
0x0040636c
0x0040636c
0x00406372
0x00406310
0x00406310
0x00406313
0x00000000
0x00406313
0x00406374
0x00406374
0x00406377
0x0040637a
0x0040637d
0x00406380
0x00406383
0x00406386
0x00406389
0x0040638c
0x0040638f
0x00406392
0x004063aa
0x004063ad
0x004063b0
0x004063b3
0x004063b3
0x004063b6
0x004063ba
0x004063bc
0x00406394
0x00406394
0x0040639c
0x004063a1
0x004063a3
0x004063a5
0x004063a5
0x004063bf
0x004063c6
0x004063c9
0x00000000
0x004063cb
0x00000000
0x004063cb
0x00000000
0x00406658
0x00406658
0x0040665c
0x00406983
0x00000000
0x00406983
0x00406662
0x00406665
0x00406668
0x0040666c
0x0040666f
0x00406675
0x00406677
0x00406677
0x00406677
0x0040667a
0x00000000
0x00000000
0x00406428
0x00406428
0x0040642b
0x00000000
0x00000000
0x00406767
0x0040676b
0x0040678d
0x00406790
0x0040679a
0x0040679d
0x0040679d
0x00000000
0x0040679d
0x0040676d
0x00406770
0x00406774
0x00406777
0x00406777
0x0040677a
0x00000000
0x00000000
0x00406824
0x00406828
0x00406846
0x00406846
0x00406846
0x0040684d
0x00406854
0x0040685b
0x0040685b
0x00000000
0x0040685b
0x0040682a
0x0040682d
0x00406830
0x00406833
0x0040683a
0x0040677e
0x0040677e
0x00406781
0x00000000
0x00000000
0x00406915
0x00406918
0x00000000
0x00000000
0x0040654f
0x00406551
0x00406558
0x00406559
0x0040655b
0x0040655e
0x00000000
0x00000000
0x00406566
0x00406569
0x0040656c
0x0040656e
0x00406570
0x00406570
0x00406571
0x00406574
0x0040657b
0x0040657e
0x0040658c
0x00000000
0x00000000
0x00406862
0x00406862
0x00406865
0x0040686c
0x00000000
0x00000000
0x00406871
0x00406871
0x00406875
0x004069ad
0x00000000
0x004069ad
0x0040687b
0x0040687e
0x00406881
0x00406885
0x00406888
0x0040688e
0x00406890
0x00406890
0x00406890
0x00406893
0x00406896
0x00406896
0x00406896
0x00406896
0x00406899
0x00406899
0x0040689d
0x004068fd
0x00406900
0x00406905
0x00406906
0x00406908
0x0040690a
0x0040690d
0x00406819
0x00406819
0x00000000
0x00406819
0x0040689f
0x004068a5
0x004068a8
0x004068ab
0x004068ae
0x004068b1
0x004068b4
0x004068b7
0x004068ba
0x004068bd
0x004068c0
0x004068d9
0x004068dc
0x004068df
0x004068e2
0x004068e6
0x004068e8
0x004068e8
0x004068e9
0x004068ec
0x004068c2
0x004068c2
0x004068ca
0x004068cf
0x004068d1
0x004068d4
0x004068d4
0x004068ef
0x004068f6
0x00000000
0x004068f8
0x00000000
0x004068f8
0x00000000
0x00406594
0x00406597
0x004065cd
0x004066fd
0x004066fd
0x004066fd
0x004066fd
0x00406700
0x00406700
0x00406703
0x00406705
0x0040698f
0x00000000
0x0040698f
0x0040670b
0x0040670e
0x00000000
0x00000000
0x00406714
0x00406718
0x0040671b
0x0040671b
0x0040671b
0x00000000
0x0040671b
0x00406599
0x0040659b
0x0040659d
0x0040659f
0x004065a2
0x004065a3
0x004065a5
0x004065a7
0x004065aa
0x004065ad
0x004065c3
0x004065c8
0x00406600
0x00406600
0x00406604
0x00406630
0x00406632
0x00406639
0x0040663c
0x0040663f
0x0040663f
0x00406644
0x00406644
0x00406646
0x00406649
0x00406650
0x00406653
0x00406680
0x00406680
0x00406683
0x00406686
0x004066fa
0x004066fa
0x004066fa
0x00000000
0x004066fa
0x00406688
0x0040668e
0x00406691
0x00406694
0x00406697
0x0040669a
0x0040669d
0x004066a0
0x004066a3
0x004066a6
0x004066a9
0x004066c2
0x004066c4
0x004066c7
0x004066c8
0x004066cb
0x004066cd
0x004066d0
0x004066d2
0x004066d4
0x004066d7
0x004066d9
0x004066dc
0x004066e0
0x004066e2
0x004066e2
0x004066e3
0x004066e6
0x004066e9
0x004066ab
0x004066ab
0x004066b3
0x004066b8
0x004066ba
0x004066bd
0x004066bd
0x004066ec
0x004066f3
0x0040667d
0x0040667d
0x0040667d
0x0040667d
0x00000000
0x004066f5
0x00000000
0x004066f5
0x004066f3
0x00406606
0x00406609
0x0040660b
0x0040660e
0x00406611
0x00406614
0x00406616
0x00406619
0x0040661c
0x0040661c
0x0040661f
0x0040661f
0x00406622
0x00406629
0x004065fd
0x004065fd
0x004065fd
0x004065fd
0x00000000
0x0040662b
0x00000000
0x0040662b
0x00406629
0x004065af
0x004065b2
0x004065b4
0x004065b7
0x00000000
0x00000000
0x00406316
0x00406316
0x0040631a
0x0040695f
0x00000000
0x0040695f
0x00406320
0x00406323
0x00406326
0x00406329
0x0040632c
0x0040632f
0x00406332
0x00406334
0x00406337
0x0040633a
0x0040633d
0x0040633f
0x0040633f
0x0040633f
0x00000000
0x00000000
0x004064a1
0x004064a1
0x004064a5
0x0040696b
0x00000000
0x0040696b
0x004064ab
0x004064ae
0x004064b1
0x004064b4
0x004064b6
0x004064b6
0x004064b6
0x004064b9
0x004064bc
0x004064bf
0x004064c2
0x004064c5
0x004064c8
0x004064c9
0x004064cb
0x004064cb
0x004064cb
0x004064ce
0x004064d1
0x004064d4
0x004064d7
0x004064d7
0x004064d7
0x004064da
0x004064dc
0x004064dc
0x00000000
0x00000000
0x0040671e
0x0040671e
0x0040671e
0x00406722
0x00000000
0x00000000
0x00406728
0x0040672b
0x0040672e
0x00406731
0x00406733
0x00406733
0x00406733
0x00406736
0x00406739
0x0040673c
0x0040673f
0x00406742
0x00406745
0x00406746
0x00406748
0x00406748
0x00406748
0x0040674b
0x0040674e
0x00406751
0x00406754
0x00406757
0x0040675b
0x0040675d
0x00406760
0x00000000
0x00406762
0x004064df
0x004064df
0x00000000
0x004064df
0x00406760
0x00406995
0x004069b7
0x004069bd
0x004069bf
0x004069c6
0x00000000
0x00000000
0x00405fc4
0x004069cc
0x004069cc
0x00000000

Strings

ntrolService, xrefs: 00405F8C

Memory Dump Source

Source File: 00000000.00000002.587792505.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.587773902.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587822461.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587850301.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587901452.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587919547.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587936413.0000000000436000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587943185.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_CL-Eye-Driver-5.jbxd

Similarity

API ID:
String ID: ntrolService
API String ID: 0-2971896348
Opcode ID: c94337aa44be19872a05e7fe324c1f72408cb83bc4afcb37e89916e28dd5cdb7
Instruction ID: 3ccfc7c80e99de65fa6db0e0edc8679980b1d0ea62cd2807200041591328ae3c
Opcode Fuzzy Hash: c94337aa44be19872a05e7fe324c1f72408cb83bc4afcb37e89916e28dd5cdb7
Instruction Fuzzy Hash: D98187B1D00229CBDF24CFA8C8447AEBBB1FB44305F11816AD856BB2C1C7785A96CF44

Uniqueness

Uniqueness Score: -1.00%

Function 00401CC1, Relevance: 7.5, APIs: 5, Instructions: 39
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401CC1(int __edx) {
				long _t16;
				void* _t17;
				int _t21;
				struct HWND__* _t25;
				void* _t27;

				_t25 = GetDlgItem( *(_t27 - 0x34), __edx);
				GetClientRect(_t25, _t27 - 0x40);
				_t16 = LoadImageA(_t21, E004029F6(_t21), _t21,  *(_t27 - 0x38) *  *(_t27 - 0x1c),  *(_t27 - 0x34) *  *(_t27 - 0x1c), 0x10); // executed
				_t17 = SendMessageA(_t25, 0x172, _t21, _t16); // executed
				if(_t17 != _t21) {
					DeleteObject(_t17);
				}
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t27 - 4));
				return 0;
			}

0x00401ccb
0x00401cd2
0x00401cf3
0x00401d01
0x00401d09
0x00401d10
0x00401d10
0x0040288e
0x0040289a

APIs

GetDlgItem.USER32 ref: 00401CC5
GetClientRect.USER32 ref: 00401CD2
LoadImageA.USER32 ref: 00401CF3
SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D01
DeleteObject.GDI32(00000000), ref: 00401D10

Memory Dump Source

Source File: 00000000.00000002.587792505.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.587773902.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587822461.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587850301.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587901452.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587919547.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587936413.0000000000436000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587943185.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_CL-Eye-Driver-5.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 70cca8153c69b2e132429069c22b9ddf05dbb7ba62a9a7cfa9b79a9bcebcea9b
Instruction ID: de7316f9b9f1bcc3f0c1dff9ae5dc63c91f1472c52c052d8cf8a0da7f27950be
Opcode Fuzzy Hash: 70cca8153c69b2e132429069c22b9ddf05dbb7ba62a9a7cfa9b79a9bcebcea9b
Instruction Fuzzy Hash: D5F01DB2E04105BFD700EFA4EE89DAFB7BDEB44345B104576F602F2190C6789D018B69

Uniqueness

Uniqueness Score: -1.00%

Function 0688198F, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E0688198F(void* __edx, void* __edi, void* __esi, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				void _v36;
				struct HINSTANCE__* _t34;
				intOrPtr _t38;
				void* _t44;
				void* _t45;
				void* _t46;
				void* _t50;
				intOrPtr _t53;
				signed int _t57;
				signed int _t61;
				void* _t65;
				void* _t66;
				void* _t70;
				void* _t74;

				_t74 = __esi;
				_t66 = __edi;
				_t65 = __edx;
				 *0x6884058 = _a8;
				 *0x688405c = _a16;
				 *0x6884060 = _a12;
				 *((intOrPtr*)(_a20 + 0xc))( *0x6884038, E0688189E);
				_push(1); // executed
				_t34 = E06881D3B(); // executed
				_t50 = _t34;
				if(_t50 == 0) {
					L28:
					return _t34;
				} else {
					if( *((intOrPtr*)(_t50 + 4)) != 1) {
						E068823F6(_t50);
					}
					E06882440(_t65, _t50);
					_t53 =  *((intOrPtr*)(_t50 + 4));
					if(_t53 == 0xffffffff) {
						L14:
						if(( *(_t50 + 0x810) & 0x00000004) == 0) {
							if( *((intOrPtr*)(_t50 + 4)) == 0) {
								_t34 = E068825FE(_t65, _t50);
							} else {
								_push(_t74);
								_push(_t66);
								_t12 = _t50 + 0x818; // 0x818
								_t57 = 8;
								memcpy( &_v36, _t12, _t57 << 2);
								_t38 = E068818A1(_t50);
								_t15 = _t50 + 0x818; // 0x818
								_t70 = _t15;
								 *((intOrPtr*)(_t50 + 0x820)) = _t38;
								 *_t70 = 3;
								E068825FE(_t65, _t50);
								_t61 = 8;
								_t34 = memcpy(_t70,  &_v36, _t61 << 2);
							}
						} else {
							E068825FE(_t65, _t50);
							_t34 = GlobalFree(E0688159E(E068818A1(_t50)));
						}
						if( *((intOrPtr*)(_t50 + 4)) != 1) {
							_t34 = E068825C4(_t50);
							if(( *(_t50 + 0x810) & 0x00000040) != 0 &&  *_t50 == 1) {
								_t34 =  *(_t50 + 0x808);
								if(_t34 != 0) {
									_t34 = FreeLibrary(_t34);
								}
							}
							if(( *(_t50 + 0x810) & 0x00000020) != 0) {
								_t34 = E06881825( *0x6884054);
							}
						}
						if(( *(_t50 + 0x810) & 0x00000002) != 0) {
							goto L28;
						} else {
							return GlobalFree(_t50);
						}
					}
					_t44 =  *_t50;
					if(_t44 == 0) {
						if(_t53 != 1) {
							goto L14;
						}
						E068814C7(_t50);
						L12:
						_t50 = _t44;
						L13:
						goto L14;
					}
					_t45 = _t44 - 1;
					if(_t45 == 0) {
						L8:
						_t44 = E0688120C(_t53, _t50); // executed
						goto L12;
					}
					_t46 = _t45 - 1;
					if(_t46 == 0) {
						E068827CC(_t50);
						goto L13;
					}
					if(_t46 != 1) {
						goto L14;
					}
					goto L8;
				}
			}

0x0688198f
0x0688198f
0x0688198f
0x06881999
0x068819a1
0x068819ae
0x068819bc
0x068819bf
0x068819c1
0x068819c6
0x068819cb
0x06881ade
0x06881ade
0x068819d1
0x068819d5
0x068819d8
0x068819dd
0x068819df
0x068819e5
0x068819eb
0x06881a1b
0x06881a22
0x06881a46
0x06881a85
0x06881a48
0x06881a48
0x06881a49
0x06881a4c
0x06881a52
0x06881a56
0x06881a59
0x06881a5e
0x06881a5e
0x06881a65
0x06881a6b
0x06881a71
0x06881a7d
0x06881a7e
0x06881a81
0x06881a24
0x06881a25
0x06881a3a
0x06881a3a
0x06881a8f
0x06881a92
0x06881a9f
0x06881aa6
0x06881aae
0x06881ab1
0x06881ab1
0x06881aae
0x06881abe
0x06881ac6
0x06881acb
0x06881abe
0x06881ad3
0x00000000
0x06881ad5
0x00000000
0x06881ad6
0x06881ad3
0x068819ef
0x068819f2
0x06881a10
0x00000000
0x00000000
0x06881a13
0x06881a18
0x06881a18
0x06881a1a
0x00000000
0x06881a1a
0x068819f4
0x068819f5
0x068819fd
0x068819fe
0x00000000
0x068819fe
0x068819f7
0x068819f8
0x06881a06
0x00000000
0x06881a06
0x068819fb
0x00000000
0x00000000
0x00000000
0x068819fb

APIs

Part of subcall function 06881D3B: GlobalFree.KERNEL32 ref: 06881F80
Part of subcall function 06881D3B: GlobalFree.KERNEL32 ref: 06881F85
Part of subcall function 06881D3B: GlobalFree.KERNEL32 ref: 06881F8A

GlobalFree.KERNEL32 ref: 06881A3A
FreeLibrary.KERNEL32(?), ref: 06881AB1
GlobalFree.KERNEL32 ref: 06881AD6

Part of subcall function 068823F6: GlobalAlloc.KERNEL32(00000040,E8002080), ref: 06882428

Part of subcall function 068827CC: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,?,06881A0B,00000000), ref: 0688281C

Part of subcall function 068818A1: lstrcpyA.KERNEL32(00000000,06884018,00000000,06881967,00000000), ref: 068818BA

Part of subcall function 068825FE: wsprintfA.USER32 ref: 0688265F
Part of subcall function 068825FE: GlobalFree.KERNEL32 ref: 06882728
Part of subcall function 068825FE: GlobalFree.KERNEL32 ref: 06882751

Strings

, xrefs: 06881AB7

Memory Dump Source

Source File: 00000000.00000002.594659633.0000000006881000.00000020.00020000.sdmp, Offset: 06880000, based on PE: true

Associated: 00000000.00000002.594653439.0000000006880000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.594671367.0000000006883000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.594679270.0000000006885000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6880000_CL-Eye-Driver-5.jbxd

Similarity

API ID: Global$Free$Alloc$Librarylstrcpywsprintf
String ID:
API String ID: 1767494692-3916222277
Opcode ID: fb0ead48be0651595b6496d1d9260bfcd93774ad3e0e560c07ab259d632fcad0
Instruction ID: 8f580186c433b4d0a88c3d063762ee37cd59603cbffbb2f26efa6397d85fae30
Opcode Fuzzy Hash: fb0ead48be0651595b6496d1d9260bfcd93774ad3e0e560c07ab259d632fcad0
Instruction Fuzzy Hash: F531737150020B9EDBD4BF68DC9CBAE3BE8BF04214F048525EA95FA186DF74854AC7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00401BAD, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E00401BAD() {
				signed int _t28;
				CHAR* _t31;
				long _t32;
				int _t37;
				signed int _t38;
				int _t42;
				int _t48;
				struct HWND__* _t52;
				void* _t55;

				 *(_t55 - 0x34) = E004029D9(3);
				 *(_t55 + 8) = E004029D9(4);
				if(( *(_t55 - 0x10) & 0x00000001) != 0) {
					 *((intOrPtr*)(__ebp - 0x34)) = E004029F6(0x33);
				}
				__eflags =  *(_t55 - 0x10) & 0x00000002;
				if(( *(_t55 - 0x10) & 0x00000002) != 0) {
					 *(_t55 + 8) = E004029F6(0x44);
				}
				__eflags =  *((intOrPtr*)(_t55 - 0x28)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t50 = E004029F6();
					_t28 = E004029F6();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t31 =  ~( *_t27) & _t50;
					__eflags = _t31;
					_t32 = FindWindowExA( *(_t55 - 0x34),  *(_t55 + 8), _t31,  ~( *_t28) & _t28); // executed
					goto L10;
				} else {
					_t52 = E004029D9();
					_t37 = E004029D9();
					_t48 =  *(_t55 - 0x10) >> 2;
					if(__eflags == 0) {
						_t32 = SendMessageA(_t52, _t37,  *(_t55 - 0x34),  *(_t55 + 8)); // executed
						L10:
						 *(_t55 - 8) = _t32;
					} else {
						_t38 = SendMessageTimeoutA(_t52, _t37,  *(_t55 - 0x34),  *(_t55 + 8), _t42, _t48, _t55 - 8);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t55 - 4)) =  ~_t38 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t55 - 0x24)) - _t42;
				if( *((intOrPtr*)(_t55 - 0x24)) >= _t42) {
					_push( *(_t55 - 8));
					E00405AC4();
				}
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t55 - 4));
				return 0;
			}

0x00401bb6
0x00401bc2
0x00401bc5
0x00401bce
0x00401bce
0x00401bd1
0x00401bd5
0x00401bde
0x00401bde
0x00401be1
0x00401be5
0x00401be7
0x00401c34
0x00401c36
0x00401c3f
0x00401c47
0x00401c4a
0x00401c4a
0x00401c53
0x00000000
0x00401be9
0x00401bf0
0x00401bf2
0x00401bfa
0x00401bfd
0x00401c25
0x00401c59
0x00401c59
0x00401bff
0x00401c0d
0x00401c15
0x00401c18
0x00401c18
0x00401bfd
0x00401c5c
0x00401c5f
0x00401c65
0x00402833
0x00402833
0x0040288e
0x0040289a

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C0D
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C25

Strings

!, xrefs: 00401BE1

Memory Dump Source

Source File: 00000000.00000002.587792505.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.587773902.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587822461.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587850301.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587901452.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587919547.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587936413.0000000000436000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587943185.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_CL-Eye-Driver-5.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 4c88f05d798f5705ce1e1e18451d2fcf653d7f56610e9d44bad61831beeb824c
Instruction ID: 67abd366a37910a3fb0c7fe19d632a25016d3899897cc5a5bd850e91adcb6683
Opcode Fuzzy Hash: 4c88f05d798f5705ce1e1e18451d2fcf653d7f56610e9d44bad61831beeb824c
Instruction Fuzzy Hash: B721C4B1A44209BFEF01AFB4CE4AAAE7B75EF44344F14053EF602B60D1D6B84980E718

Uniqueness

Uniqueness Score: -1.00%

Function 100013FB, Relevance: 6.0, APIs: 4, Instructions: 44
memoryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E100013FB(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				long _t20;

				if(_a8 != 0x408 || _a12 != 0xffffffff) {
					L4:
					_t20 = CallWindowProcA( *0x100050c8, _a4, _a8, _a12, _a16);
					if(_a8 == 0x408 && _t20 == 0) {
						DestroyWindow( *0x100050c0); // executed
						HeapFree(GetProcessHeap(), _t20,  *0x100050d8);
						 *0x100050c0 =  *0x100050c0 & _t20;
						 *0x100050d8 =  *0x100050d8 & _t20;
					}
					return _t20;
				} else {
					_push(0);
					_push( *0x100050d0 - 1);
					if( *((intOrPtr*)( *0x100050a0 + 4))() == 0) {
						goto L4;
					}
					return 0;
				}
			}

0x10001407
0x10001428
0x10001444
0x10001446
0x10001452
0x10001466
0x1000146c
0x10001472
0x10001472
0x00000000
0x1000140f
0x10001414
0x10001417
0x10001422
0x00000000
0x00000000
0x00000000
0x10001424

APIs

CallWindowProcA.USER32 ref: 1000143B
DestroyWindow.USER32 ref: 10001452
GetProcessHeap.KERNEL32(00000000), ref: 1000145F
HeapFree.KERNEL32(00000000), ref: 10001466

Memory Dump Source

Source File: 00000000.00000002.599060058.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.599048571.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.599070015.0000000010003000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.599079066.0000000010004000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.599117295.0000000010007000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_CL-Eye-Driver-5.jbxd

Similarity

API ID: HeapWindow$CallDestroyFreeProcProcess
String ID:
API String ID: 1278960361-0
Opcode ID: 7b9cd953bd664abae8205231ba6a83e54e7b9c286202457f16ecc7c69d2d5d03
Instruction ID: a637dc317a5f84f288a8c6f0a953db2449819efd3de5f231667a3370de739b3b
Opcode Fuzzy Hash: 7b9cd953bd664abae8205231ba6a83e54e7b9c286202457f16ecc7c69d2d5d03
Instruction Fuzzy Hash: DD011E32500266EBEB029F95DC9899F3BB9FB453E3B51C525FA5882078C7328854DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00403208, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E00403208(void* __eflags) {
				void* _t2;
				void* _t5;
				CHAR* _t6;

				_t6 = "C:\\Users\\hardz\\AppData\\Local\\Temp\\";
				E00405DC8(_t6);
				_t2 = E004056C6(_t6);
				if(_t2 != 0) {
					E00405659(_t6);
					CreateDirectoryA(_t6, 0); // executed
					_t5 = E0040586C("1033", _t6); // executed
					return _t5;
				} else {
					return _t2;
				}
			}

0x00403209
0x0040320f
0x00403215
0x0040321c
0x00403221
0x00403229
0x00403235
0x0040323b
0x0040321f
0x0040321f
0x0040321f

APIs

Part of subcall function 00405DC8: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,00403214,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 00405E20
Part of subcall function 00405DC8: CharNextA.USER32(?,?,?,00000000), ref: 00405E2D
Part of subcall function 00405DC8: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,00403214,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 00405E32
Part of subcall function 00405DC8: CharPrevA.USER32(?,?,"C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,00403214,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 00405E42

CreateDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 00403229

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403209, 0040320E, 00403214, 00403220, 00403228, 0040322F
1033, xrefs: 00403230

Memory Dump Source

Source File: 00000000.00000002.587792505.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.587773902.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587822461.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587850301.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587901452.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587919547.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587936413.0000000000436000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587943185.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_CL-Eye-Driver-5.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID: 1033$C:\Users\user\AppData\Local\Temp\
API String ID: 4115351271-1075807775
Opcode ID: 6efbcda31fdcc81e1bc9b7455ac61b895c89039b7b6caaf7bbff9198608db7ec
Instruction ID: 28437e5e833f6c5712a3d87292ca06883de7807d6adf700678bf42288e0e849f
Opcode Fuzzy Hash: 6efbcda31fdcc81e1bc9b7455ac61b895c89039b7b6caaf7bbff9198608db7ec
Instruction Fuzzy Hash: 11D0C922656E3032C651363A3C0AFDF091C8F5271AF55847BF908B40D64B6C5A5259EF

Uniqueness

Uniqueness Score: -1.00%

Function 00406566, Relevance: 5.2, APIs: 4, Instructions: 236
COMMON

Download Yara Rule

C-Code - Quality: 99%

			E00406566() {
				signed int _t530;
				void _t537;
				signed int _t538;
				signed int _t539;
				unsigned short _t569;
				signed int _t579;
				signed int _t607;
				void* _t627;
				signed int _t628;
				signed int _t635;
				signed int* _t643;
				void* _t644;

				L0:
				while(1) {
					L0:
					_t530 =  *(_t644 - 0x30);
					if(_t530 >= 4) {
					}
					 *(_t644 - 0x40) = 6;
					 *(_t644 - 0x7c) = 0x19;
					 *((intOrPtr*)(_t644 - 0x58)) = (_t530 << 7) +  *(_t644 - 4) + 0x360;
					while(1) {
						L145:
						 *(_t644 - 0x50) = 1;
						 *(_t644 - 0x48) =  *(_t644 - 0x40);
						while(1) {
							L149:
							if( *(_t644 - 0x48) <= 0) {
								goto L155;
							}
							L150:
							_t627 =  *(_t644 - 0x50) +  *(_t644 - 0x50);
							_t643 = _t627 +  *((intOrPtr*)(_t644 - 0x58));
							 *(_t644 - 0x54) = _t643;
							_t569 =  *_t643;
							_t635 = _t569 & 0x0000ffff;
							_t607 = ( *(_t644 - 0x10) >> 0xb) * _t635;
							if( *(_t644 - 0xc) >= _t607) {
								 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t607;
								 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t607;
								_t628 = _t627 + 1;
								 *_t643 = _t569 - (_t569 >> 5);
								 *(_t644 - 0x50) = _t628;
							} else {
								 *(_t644 - 0x10) = _t607;
								 *(_t644 - 0x50) =  *(_t644 - 0x50) << 1;
								 *_t643 = (0x800 - _t635 >> 5) + _t569;
							}
							if( *(_t644 - 0x10) >= 0x1000000) {
								L148:
								_t487 = _t644 - 0x48;
								 *_t487 =  *(_t644 - 0x48) - 1;
								L149:
								if( *(_t644 - 0x48) <= 0) {
									goto L155;
								}
								goto L150;
							} else {
								L154:
								L146:
								if( *(_t644 - 0x6c) == 0) {
									L169:
									 *(_t644 - 0x88) = 0x18;
									L170:
									_t579 = 0x22;
									memcpy( *(_t644 - 0x90), _t644 - 0x88, _t579 << 2);
									_t539 = 0;
									L172:
									return _t539;
								}
								L147:
								 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
								 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
								_t484 = _t644 - 0x70;
								 *_t484 =  &(( *(_t644 - 0x70))[1]);
								 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
								goto L148;
							}
							L155:
							_t537 =  *(_t644 - 0x7c);
							 *((intOrPtr*)(_t644 - 0x44)) =  *(_t644 - 0x50) - (1 <<  *(_t644 - 0x40));
							while(1) {
								L140:
								 *(_t644 - 0x88) = _t537;
								while(1) {
									L1:
									_t538 =  *(_t644 - 0x88);
									if(_t538 > 0x1c) {
										break;
									}
									L2:
									switch( *((intOrPtr*)(_t538 * 4 +  &M004069D4))) {
										case 0:
											L3:
											if( *(_t644 - 0x6c) == 0) {
												goto L170;
											}
											L4:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t538 =  *( *(_t644 - 0x70));
											if(_t538 > 0xe1) {
												goto L171;
											}
											L5:
											_t542 = _t538 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t581);
											_push(9);
											_pop(_t582);
											_t638 = _t542 / _t581;
											_t544 = _t542 % _t581 & 0x000000ff;
											asm("cdq");
											_t633 = _t544 % _t582 & 0x000000ff;
											 *(_t644 - 0x3c) = _t633;
											 *(_t644 - 0x1c) = (1 << _t638) - 1;
											 *((intOrPtr*)(_t644 - 0x18)) = (1 << _t544 / _t582) - 1;
											_t641 = (0x300 << _t633 + _t638) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t644 - 0x78))) {
												L10:
												if(_t641 == 0) {
													L12:
													 *(_t644 - 0x48) =  *(_t644 - 0x48) & 0x00000000;
													 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t641 = _t641 - 1;
													 *((short*)( *(_t644 - 4) + _t641 * 2)) = 0x400;
												} while (_t641 != 0);
												goto L12;
											}
											L6:
											if( *(_t644 - 4) != 0) {
												GlobalFree( *(_t644 - 4));
											}
											_t538 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t644 - 4) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t644 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L157:
												 *(_t644 - 0x88) = 1;
												goto L170;
											}
											L14:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x40) =  *(_t644 - 0x40) | ( *( *(_t644 - 0x70)) & 0x000000ff) <<  *(_t644 - 0x48) << 0x00000003;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t45 = _t644 - 0x48;
											 *_t45 =  *(_t644 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t644 - 0x48) < 4) {
												goto L13;
											}
											L16:
											_t550 =  *(_t644 - 0x40);
											if(_t550 ==  *(_t644 - 0x74)) {
												L20:
												 *(_t644 - 0x48) = 5;
												 *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) =  *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											L17:
											 *(_t644 - 0x74) = _t550;
											if( *(_t644 - 8) != 0) {
												GlobalFree( *(_t644 - 8));
											}
											_t538 = GlobalAlloc(0x40,  *(_t644 - 0x40)); // executed
											 *(_t644 - 8) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t557 =  *(_t644 - 0x60) &  *(_t644 - 0x1c);
											 *(_t644 - 0x84) = 6;
											 *(_t644 - 0x4c) = _t557;
											_t642 =  *(_t644 - 4) + (( *(_t644 - 0x38) << 4) + _t557) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L158:
												 *(_t644 - 0x88) = 3;
												goto L170;
											}
											L22:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											_t67 = _t644 - 0x70;
											 *_t67 =  &(( *(_t644 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L23:
											 *(_t644 - 0x48) =  *(_t644 - 0x48) - 1;
											if( *(_t644 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t559 =  *_t642;
											_t626 = _t559 & 0x0000ffff;
											_t596 = ( *(_t644 - 0x10) >> 0xb) * _t626;
											if( *(_t644 - 0xc) >= _t596) {
												 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t596;
												 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t596;
												 *(_t644 - 0x40) = 1;
												_t560 = _t559 - (_t559 >> 5);
												__eflags = _t560;
												 *_t642 = _t560;
											} else {
												 *(_t644 - 0x10) = _t596;
												 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
												 *_t642 = (0x800 - _t626 >> 5) + _t559;
											}
											if( *(_t644 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t644 - 0x6c) == 0) {
												L168:
												 *(_t644 - 0x88) = 5;
												goto L170;
											}
											L138:
											 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L139:
											_t537 =  *(_t644 - 0x84);
											L140:
											 *(_t644 - 0x88) = _t537;
											goto L1;
										case 6:
											L25:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L36:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L26:
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												L35:
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												L32:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											L66:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												L68:
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											L67:
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											L70:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											L73:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											L74:
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											L75:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											L82:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L84:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L83:
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											L85:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L164:
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											L100:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L159:
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											L38:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											L40:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												L45:
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L160:
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											L47:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												L49:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													L53:
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L161:
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											L59:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												L65:
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L165:
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											L110:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											goto L132;
										case 0x12:
											L128:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L131:
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												L132:
												 *(_t644 - 0x54) = _t642;
												goto L133;
											}
											L129:
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											L141:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L143:
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *((intOrPtr*)(__ebp - 0x7c)) = 0x14;
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
											L142:
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											L156:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											while(1) {
												L140:
												 *(_t644 - 0x88) = _t537;
												goto L1;
											}
										case 0x15:
											L91:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											goto L0;
										case 0x17:
											while(1) {
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
										case 0x18:
											goto L146;
										case 0x19:
											L94:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												L98:
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													L166:
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												L121:
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												L122:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											L95:
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												L97:
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													L107:
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														L118:
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													L113:
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														L117:
														goto L109;
													}
												}
												L103:
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													L106:
													goto L99;
												}
											}
											L96:
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L162:
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											L57:
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L163:
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											L77:
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												L124:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L127:
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											L167:
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t539 = _t538 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

0x00406566
0x00406566
0x00406566
0x00406566
0x0040656c
0x00406570
0x00406574
0x0040657e
0x0040658c
0x00406862
0x00406862
0x00406865
0x0040686c
0x00406899
0x00406899
0x0040689d
0x00000000
0x00000000
0x0040689f
0x004068a8
0x004068ae
0x004068b1
0x004068b4
0x004068b7
0x004068ba
0x004068c0
0x004068d9
0x004068dc
0x004068e8
0x004068e9
0x004068ec
0x004068c2
0x004068c2
0x004068d1
0x004068d4
0x004068d4
0x004068f6
0x00406896
0x00406896
0x00406896
0x00406899
0x0040689d
0x00000000
0x00000000
0x00000000
0x004068f8
0x004068f8
0x00406871
0x00406875
0x004069ad
0x004069ad
0x004069b7
0x004069bf
0x004069c6
0x004069c8
0x004069cf
0x004069d3
0x004069d3
0x0040687b
0x00406881
0x00406888
0x00406890
0x00406890
0x00406893
0x00000000
0x00406893
0x004068fd
0x0040690a
0x0040690d
0x00406819
0x00406819
0x00406819
0x00405fb5
0x00405fb5
0x00405fb5
0x00405fbe
0x00000000
0x00000000
0x00405fc4
0x00405fc4
0x00000000
0x00405fcb
0x00405fcf
0x00000000
0x00000000
0x00405fd5
0x00405fd8
0x00405fdb
0x00405fde
0x00405fe2
0x00000000
0x00000000
0x00405fe8
0x00405fe8
0x00405feb
0x00405fed
0x00405fee
0x00405ff1
0x00405ff3
0x00405ff4
0x00405ff6
0x00405ff9
0x00405ffe
0x00406003
0x0040600c
0x0040601f
0x00406022
0x0040602e
0x00406056
0x00406058
0x00406066
0x00406066
0x0040606a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040605a
0x0040605a
0x0040605d
0x0040605e
0x0040605e
0x00000000
0x0040605a
0x00406030
0x00406034
0x00406039
0x00406039
0x00406042
0x0040604a
0x0040604d
0x00000000
0x00406053
0x00406053
0x00000000
0x00406053
0x00000000
0x00406070
0x00406070
0x00406074
0x00406920
0x00406920
0x00000000
0x00406920
0x0040607a
0x0040607d
0x0040608d
0x00406090
0x00406093
0x00406093
0x00406093
0x00406096
0x0040609a
0x00000000
0x00000000
0x0040609c
0x0040609c
0x004060a2
0x004060cc
0x004060d2
0x004060d9
0x00000000
0x004060d9
0x004060a4
0x004060a8
0x004060ab
0x004060b0
0x004060b0
0x004060bb
0x004060c3
0x004060c6
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040610b
0x00406111
0x00406114
0x00406121
0x00406129
0x00000000
0x00000000
0x004060e0
0x004060e0
0x004060e4
0x0040692f
0x0040692f
0x00000000
0x0040692f
0x004060ea
0x004060f0
0x004060fb
0x004060fb
0x004060fb
0x004060fe
0x00406101
0x00406104
0x00406109
0x00000000
0x00000000
0x00000000
0x00000000
0x004067a0
0x004067a0
0x004067a6
0x004067ac
0x004067b2
0x004067cc
0x004067cf
0x004067d5
0x004067e0
0x004067e0
0x004067e2
0x004067b4
0x004067b4
0x004067c3
0x004067c7
0x004067c7
0x004067ec
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004067ee
0x004067f2
0x004069a1
0x004069a1
0x00000000
0x004069a1
0x004067f8
0x004067fe
0x00406805
0x0040680d
0x00406810
0x00406813
0x00406813
0x00406819
0x00406819
0x00000000
0x00000000
0x00406131
0x00406131
0x00406133
0x00406136
0x004061a7
0x004061a7
0x004061aa
0x004061ad
0x004061b4
0x004061be
0x00000000
0x004061be
0x00406138
0x00406138
0x0040613c
0x0040613f
0x00406141
0x00406144
0x00406147
0x00406149
0x0040614c
0x0040614e
0x00406153
0x00406156
0x00406159
0x0040615d
0x00406164
0x00406167
0x0040616e
0x00406172
0x0040617a
0x0040617a
0x0040617a
0x00406174
0x00406174
0x00406174
0x00406169
0x00406169
0x00406169
0x0040617e
0x00406181
0x0040619f
0x0040619f
0x004061a1
0x00000000
0x00406183
0x00406183
0x00406183
0x00406186
0x00406189
0x0040618c
0x0040618e
0x0040618e
0x0040618e
0x00406191
0x00406194
0x00406196
0x00406197
0x0040619a
0x00000000
0x0040619a
0x00000000
0x004063d0
0x004063d0
0x004063d4
0x004063f2
0x004063f2
0x004063f5
0x004063fc
0x004063ff
0x00406402
0x00406405
0x00406408
0x0040640b
0x0040640d
0x00406414
0x00406415
0x00406417
0x0040641a
0x0040641d
0x00406420
0x00406420
0x00406425
0x00000000
0x00406425
0x004063d6
0x004063d6
0x004063d9
0x004063dc
0x004063e6
0x00000000
0x00000000
0x0040643a
0x0040643a
0x0040643e
0x00406461
0x00406464
0x00406467
0x00406471
0x00406440
0x00406440
0x00406443
0x00406446
0x00406449
0x00406456
0x00406459
0x00406459
0x00000000
0x00000000
0x0040647d
0x0040647d
0x00406481
0x00000000
0x00000000
0x00406487
0x00406487
0x0040648b
0x00000000
0x00000000
0x00406491
0x00406491
0x00406493
0x00406497
0x00406497
0x0040649a
0x0040649e
0x00000000
0x00000000
0x004064ee
0x004064ee
0x004064f2
0x004064f9
0x004064f9
0x004064fc
0x004064ff
0x00406509
0x00000000
0x00406509
0x004064f4
0x004064f4
0x00000000
0x00000000
0x00406515
0x00406515
0x00406519
0x00406520
0x00406523
0x00406526
0x0040651b
0x0040651b
0x0040651b
0x00406529
0x0040652c
0x0040652f
0x0040652f
0x00406532
0x00406535
0x00406538
0x00406538
0x0040653b
0x00406542
0x00406547
0x00000000
0x00000000
0x004065d5
0x004065d5
0x004065d9
0x00406977
0x00406977
0x00000000
0x00406977
0x004065df
0x004065df
0x004065e2
0x004065e5
0x004065e9
0x004065ec
0x004065f2
0x004065f4
0x004065f4
0x004065f4
0x004065f7
0x004065fa
0x00000000
0x00000000
0x004061ca
0x004061ca
0x004061ce
0x0040693b
0x0040693b
0x00000000
0x0040693b
0x004061d4
0x004061d4
0x004061d7
0x004061da
0x004061de
0x004061e1
0x004061e7
0x004061e9
0x004061e9
0x004061e9
0x004061ec
0x004061ef
0x004061ef
0x004061f2
0x004061f5
0x00000000
0x00000000
0x004061fb
0x004061fb
0x00406201
0x00000000
0x00000000
0x00406207
0x00406207
0x0040620b
0x0040620e
0x00406211
0x00406214
0x00406217
0x00406218
0x0040621b
0x0040621d
0x00406223
0x00406226
0x00406229
0x0040622c
0x0040622f
0x00406232
0x00406235
0x00406251
0x00406254
0x00406257
0x0040625a
0x00406261
0x00406265
0x00406267
0x0040626b
0x00406237
0x00406237
0x0040623b
0x00406243
0x00406248
0x0040624a
0x0040624c
0x0040624c
0x0040626e
0x00406275
0x00406278
0x00000000
0x0040627e
0x0040627e
0x00000000
0x0040627e
0x00000000
0x00406283
0x00406283
0x00406287
0x00406947
0x00406947
0x00000000
0x00406947
0x0040628d
0x0040628d
0x00406290
0x00406293
0x00406297
0x0040629a
0x004062a0
0x004062a2
0x004062a2
0x004062a2
0x004062a5
0x004062a8
0x004062a8
0x004062a8
0x004062ae
0x00000000
0x00000000
0x004062b0
0x004062b0
0x004062b3
0x004062b6
0x004062b9
0x004062bc
0x004062bf
0x004062c2
0x004062c5
0x004062c8
0x004062cb
0x004062ce
0x004062e6
0x004062e9
0x004062ec
0x004062ef
0x004062ef
0x004062f2
0x004062f6
0x004062f8
0x004062d0
0x004062d0
0x004062d8
0x004062dd
0x004062df
0x004062e1
0x004062e1
0x004062fb
0x00406302
0x00406305
0x00000000
0x00406307
0x00406307
0x00000000
0x00406307
0x00406305
0x0040630c
0x0040630c
0x0040630c
0x0040630c
0x00000000
0x00000000
0x00406347
0x00406347
0x0040634b
0x00406953
0x00406953
0x00000000
0x00406953
0x00406351
0x00406351
0x00406354
0x00406357
0x0040635b
0x0040635e
0x00406364
0x00406366
0x00406366
0x00406366
0x00406369
0x0040636c
0x0040636c
0x00406372
0x00406310
0x00406310
0x00406313
0x00000000
0x00406313
0x00406374
0x00406374
0x00406377
0x0040637a
0x0040637d
0x00406380
0x00406383
0x00406386
0x00406389
0x0040638c
0x0040638f
0x00406392
0x004063aa
0x004063ad
0x004063b0
0x004063b3
0x004063b3
0x004063b6
0x004063ba
0x004063bc
0x00406394
0x00406394
0x0040639c
0x004063a1
0x004063a3
0x004063a5
0x004063a5
0x004063bf
0x004063c6
0x004063c9
0x00000000
0x004063cb
0x004063cb
0x00000000
0x004063cb
0x00000000
0x00406658
0x00406658
0x0040665c
0x00406983
0x00406983
0x00000000
0x00406983
0x00406662
0x00406662
0x00406665
0x00406668
0x0040666c
0x0040666f
0x00406675
0x00406677
0x00406677
0x00406677
0x0040667a
0x00000000
0x00000000
0x00406428
0x00406428
0x0040642b
0x00000000
0x00000000
0x00406767
0x00406767
0x0040676b
0x0040678d
0x0040678d
0x00406790
0x0040679a
0x0040679d
0x0040679d
0x00000000
0x0040679d
0x0040676d
0x0040676d
0x00406770
0x00406774
0x00406777
0x00406777
0x0040677a
0x00000000
0x00000000
0x00406824
0x00406824
0x00406828
0x00406846
0x00406846
0x00406846
0x00406846
0x0040684d
0x00406854
0x0040685b
0x0040685b
0x00406862
0x00406865
0x0040686c
0x00000000
0x0040686f
0x0040682a
0x0040682a
0x0040682d
0x00406830
0x00406833
0x0040683a
0x0040677e
0x0040677e
0x00406781
0x00000000
0x00000000
0x00406915
0x00406915
0x00406918
0x00406819
0x00406819
0x00406819
0x00000000
0x0040681f
0x00000000
0x0040654f
0x0040654f
0x00406551
0x00406558
0x00406559
0x0040655b
0x0040655e
0x00000000
0x00000000
0x00000000
0x00000000
0x00406862
0x00406862
0x00406865
0x0040686c
0x00000000
0x0040686f
0x00000000
0x00000000
0x00000000
0x00406594
0x00406594
0x00406597
0x004065cd
0x004065cd
0x004066fd
0x004066fd
0x004066fd
0x004066fd
0x00406700
0x00406700
0x00406703
0x00406705
0x0040698f
0x0040698f
0x00000000
0x0040698f
0x0040670b
0x0040670b
0x0040670e
0x00000000
0x00000000
0x00406714
0x00406714
0x00406718
0x0040671b
0x0040671b
0x0040671b
0x00000000
0x0040671b
0x00406599
0x00406599
0x0040659b
0x0040659d
0x0040659f
0x004065a2
0x004065a3
0x004065a5
0x004065a7
0x004065aa
0x004065ad
0x004065c3
0x004065c3
0x004065c8
0x00406600
0x00406600
0x00406604
0x0040662d
0x00406630
0x00406632
0x00406639
0x0040663c
0x0040663f
0x0040663f
0x00406644
0x00406644
0x00406646
0x00406649
0x00406650
0x00406653
0x00406680
0x00406680
0x00406683
0x00406686
0x004066fa
0x004066fa
0x004066fa
0x004066fa
0x00000000
0x004066fa
0x00406688
0x00406688
0x0040668e
0x00406691
0x00406694
0x00406697
0x0040669a
0x0040669d
0x004066a0
0x004066a3
0x004066a6
0x004066a9
0x004066c2
0x004066c4
0x004066c7
0x004066c8
0x004066cb
0x004066cd
0x004066d0
0x004066d2
0x004066d4
0x004066d7
0x004066d9
0x004066dc
0x004066e0
0x004066e2
0x004066e2
0x004066e3
0x004066e6
0x004066e9
0x004066ab
0x004066ab
0x004066b3
0x004066b8
0x004066ba
0x004066bd
0x004066bd
0x004066ec
0x004066f3
0x0040667d
0x0040667d
0x0040667d
0x0040667d
0x00000000
0x004066f5
0x004066f5
0x00000000
0x004066f5
0x004066f3
0x00406606
0x00406606
0x00406609
0x0040660b
0x0040660e
0x00406611
0x00406614
0x00406616
0x00406619
0x0040661c
0x0040661c
0x0040661f
0x0040661f
0x00406622
0x00406629
0x004065fd
0x004065fd
0x004065fd
0x004065fd
0x00000000
0x0040662b
0x0040662b
0x00000000
0x0040662b
0x00406629
0x004065af
0x004065af
0x004065b2
0x004065b4
0x004065b7
0x00000000
0x00000000
0x00406316
0x00406316
0x0040631a
0x0040695f
0x0040695f
0x00000000
0x0040695f
0x00406320
0x00406320
0x00406323
0x00406326
0x00406329
0x0040632c
0x0040632f
0x00406332
0x00406334
0x00406337
0x0040633a
0x0040633d
0x0040633f
0x0040633f
0x0040633f
0x00000000
0x00000000
0x004064a1
0x004064a1
0x004064a5
0x0040696b
0x0040696b
0x00000000
0x0040696b
0x004064ab
0x004064ab
0x004064ae
0x004064b1
0x004064b4
0x004064b6
0x004064b6
0x004064b6
0x004064b9
0x004064bc
0x004064bf
0x004064c2
0x004064c5
0x004064c8
0x004064c9
0x004064cb
0x004064cb
0x004064cb
0x004064ce
0x004064d1
0x004064d4
0x004064d7
0x004064d7
0x004064d7
0x004064da
0x004064dc
0x004064dc
0x00000000
0x00000000
0x0040671e
0x0040671e
0x0040671e
0x00406722
0x00000000
0x00000000
0x00406728
0x00406728
0x0040672b
0x0040672e
0x00406731
0x00406733
0x00406733
0x00406733
0x00406736
0x00406739
0x0040673c
0x0040673f
0x00406742
0x00406745
0x00406746
0x00406748
0x00406748
0x00406748
0x0040674b
0x0040674e
0x00406751
0x00406754
0x00406757
0x0040675b
0x0040675d
0x00406760
0x00000000
0x00406762
0x00406762
0x004064df
0x004064df
0x00000000
0x004064df
0x00406760
0x00406995
0x00406995
0x00000000
0x00000000
0x00405fc4
0x004069cc
0x004069cc
0x00000000
0x004069cc
0x00406819
0x00406899
0x00406862

Memory Dump Source

Source File: 00000000.00000002.587792505.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.587773902.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587822461.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587850301.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587901452.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587919547.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587936413.0000000000436000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587943185.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_CL-Eye-Driver-5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b47bfdafb4299acf6df14b1a265fb959f908a42d38d0bc6d60d6342fbb02c28f
Instruction ID: 319d18918fa2cc3741333e20ed782d5c303dd2f769888eebbc994f2124d7c2e6
Opcode Fuzzy Hash: b47bfdafb4299acf6df14b1a265fb959f908a42d38d0bc6d60d6342fbb02c28f
Instruction Fuzzy Hash: 29A15171E00229CBDF28CFA8C8547ADBBB1FF44305F15812AD856BB281D7789A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00406767, Relevance: 5.2, APIs: 4, Instructions: 208
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406767() {
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int* _t605;
				void* _t612;

				L0:
				while(1) {
					L0:
					if( *(_t612 - 0x40) != 0) {
						 *(_t612 - 0x84) = 0x13;
						_t605 =  *((intOrPtr*)(_t612 - 0x58)) + 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x4c);
						 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
						__ecx =  *(__ebp - 0x58);
						__eax =  *(__ebp - 0x4c) << 4;
						__eax =  *(__ebp - 0x58) + __eax + 4;
						L130:
						 *(__ebp - 0x58) = __eax;
						 *(__ebp - 0x40) = 3;
						L144:
						 *(__ebp - 0x7c) = 0x14;
						L145:
						__eax =  *(__ebp - 0x40);
						 *(__ebp - 0x50) = 1;
						 *(__ebp - 0x48) =  *(__ebp - 0x40);
						L149:
						if( *(__ebp - 0x48) <= 0) {
							__ecx =  *(__ebp - 0x40);
							__ebx =  *(__ebp - 0x50);
							0 = 1;
							__eax = 1 << __cl;
							__ebx =  *(__ebp - 0x50) - (1 << __cl);
							__eax =  *(__ebp - 0x7c);
							 *(__ebp - 0x44) = __ebx;
							while(1) {
								L140:
								 *(_t612 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t612 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M004069D4))) {
										case 0:
											if( *(_t612 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t534 =  *( *(_t612 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t569);
											_push(9);
											_pop(_t570);
											_t608 = _t538 / _t569;
											_t540 = _t538 % _t569 & 0x000000ff;
											asm("cdq");
											_t603 = _t540 % _t570 & 0x000000ff;
											 *(_t612 - 0x3c) = _t603;
											 *(_t612 - 0x1c) = (1 << _t608) - 1;
											 *((intOrPtr*)(_t612 - 0x18)) = (1 << _t540 / _t570) - 1;
											_t611 = (0x300 << _t603 + _t608) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t612 - 0x78))) {
												L10:
												if(_t611 == 0) {
													L12:
													 *(_t612 - 0x48) =  *(_t612 - 0x48) & 0x00000000;
													 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t611 = _t611 - 1;
													 *((short*)( *(_t612 - 4) + _t611 * 2)) = 0x400;
												} while (_t611 != 0);
												goto L12;
											}
											if( *(_t612 - 4) != 0) {
												GlobalFree( *(_t612 - 4));
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t612 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t612 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 1;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x40) =  *(_t612 - 0x40) | ( *( *(_t612 - 0x70)) & 0x000000ff) <<  *(_t612 - 0x48) << 0x00000003;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t45 = _t612 - 0x48;
											 *_t45 =  *(_t612 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t612 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t612 - 0x40);
											if(_t546 ==  *(_t612 - 0x74)) {
												L20:
												 *(_t612 - 0x48) = 5;
												 *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) =  *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t612 - 0x74) = _t546;
											if( *(_t612 - 8) != 0) {
												GlobalFree( *(_t612 - 8));
											}
											_t534 = GlobalAlloc(0x40,  *(_t612 - 0x40)); // executed
											 *(_t612 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t612 - 0x60) &  *(_t612 - 0x1c);
											 *(_t612 - 0x84) = 6;
											 *(_t612 - 0x4c) = _t553;
											_t605 =  *(_t612 - 4) + (( *(_t612 - 0x38) << 4) + _t553) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 3;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											_t67 = _t612 - 0x70;
											 *_t67 =  &(( *(_t612 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L23:
											 *(_t612 - 0x48) =  *(_t612 - 0x48) - 1;
											if( *(_t612 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t605;
											_t588 = _t531 & 0x0000ffff;
											_t564 = ( *(_t612 - 0x10) >> 0xb) * _t588;
											if( *(_t612 - 0xc) >= _t564) {
												 *(_t612 - 0x10) =  *(_t612 - 0x10) - _t564;
												 *(_t612 - 0xc) =  *(_t612 - 0xc) - _t564;
												 *(_t612 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												__eflags = _t532;
												 *_t605 = _t532;
											} else {
												 *(_t612 - 0x10) = _t564;
												 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
												 *_t605 = (0x800 - _t588 >> 5) + _t531;
											}
											if( *(_t612 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 5;
												goto L170;
											}
											 *(_t612 - 0x10) =  *(_t612 - 0x10) << 8;
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L139:
											_t533 =  *(_t612 - 0x84);
											goto L140;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L100:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t335 = __ebp - 0x70;
											 *_t335 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t335;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L102;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L110:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t366 = __ebp - 0x70;
											 *_t366 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t366;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L112;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											L132:
											 *(_t612 - 0x54) = _t605;
											goto L133;
										case 0x12:
											goto L0;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												goto L144;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											goto L130;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											L140:
											 *(_t612 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L121;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											goto L145;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											goto L149;
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L120:
												_t394 = __ebp - 0x2c;
												 *_t394 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t394;
												L121:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t401 = __ebp - 0x60;
												 *_t401 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t401;
												goto L124;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L103:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L109:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L113:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t392 = __ebp - 0x2c;
														 *_t392 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t392;
														goto L120;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L112:
														_t369 = __ebp - 0x48;
														 *_t369 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t369;
														goto L113;
													} else {
														goto L110;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L102:
													_t339 = __ebp - 0x48;
													 *_t339 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t339;
													goto L103;
												} else {
													goto L100;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L109;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L124:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t415 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t415;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t415;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											L170:
											_push(0x22);
											_pop(_t567);
											memcpy( *(_t612 - 0x90), _t612 - 0x88, _t567 << 2);
											_t535 = 0;
											L172:
											return _t535;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
						__eax =  *(__ebp - 0x50);
						 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
						__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
						__eax =  *(__ebp - 0x58);
						__esi = __edx + __eax;
						 *(__ebp - 0x54) = __esi;
						__ax =  *__esi;
						__edi = __ax & 0x0000ffff;
						__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
						if( *(__ebp - 0xc) >= __ecx) {
							 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
							__cx = __ax;
							__cx = __ax >> 5;
							__eax = __eax - __ecx;
							__edx = __edx + 1;
							 *__esi = __ax;
							 *(__ebp - 0x50) = __edx;
						} else {
							 *(__ebp - 0x10) = __ecx;
							0x800 = 0x800 - __edi;
							0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
							 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
							 *__esi = __cx;
						}
						if( *(__ebp - 0x10) >= 0x1000000) {
							goto L148;
						} else {
							goto L146;
						}
					}
					goto L1;
				}
			}

0x00000000
0x00406767
0x00406767
0x0040676b
0x00406790
0x0040679a
0x00000000
0x0040676d
0x0040676d
0x00406770
0x00406774
0x00406777
0x0040677a
0x0040677e
0x0040677e
0x00406781
0x0040685b
0x0040685b
0x00406862
0x00406862
0x00406865
0x0040686c
0x00406899
0x0040689d
0x004068fd
0x00406900
0x00406905
0x00406906
0x00406908
0x0040690a
0x0040690d
0x00406819
0x00406819
0x00406819
0x00405fb5
0x00405fb5
0x00405fb5
0x00405fbe
0x00000000
0x00000000
0x00405fc4
0x00000000
0x00405fcf
0x00000000
0x00000000
0x00405fd8
0x00405fdb
0x00405fde
0x00405fe2
0x00000000
0x00000000
0x00405fe8
0x00405feb
0x00405fed
0x00405fee
0x00405ff1
0x00405ff3
0x00405ff4
0x00405ff6
0x00405ff9
0x00405ffe
0x00406003
0x0040600c
0x0040601f
0x00406022
0x0040602e
0x00406056
0x00406058
0x00406066
0x00406066
0x0040606a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040605a
0x0040605a
0x0040605d
0x0040605e
0x0040605e
0x00000000
0x0040605a
0x00406034
0x00406039
0x00406039
0x00406042
0x0040604a
0x0040604d
0x00000000
0x00406053
0x00406053
0x00000000
0x00406053
0x00000000
0x00406070
0x00406070
0x00406074
0x00406920
0x00000000
0x00406920
0x0040607d
0x0040608d
0x00406090
0x00406093
0x00406093
0x00406093
0x00406096
0x0040609a
0x00000000
0x00000000
0x0040609c
0x004060a2
0x004060cc
0x004060d2
0x004060d9
0x00000000
0x004060d9
0x004060a8
0x004060ab
0x004060b0
0x004060b0
0x004060bb
0x004060c3
0x004060c6
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040610b
0x00406111
0x00406114
0x00406121
0x00406129
0x00000000
0x00000000
0x004060e0
0x004060e0
0x004060e4
0x0040692f
0x00000000
0x0040692f
0x004060f0
0x004060fb
0x004060fb
0x004060fb
0x004060fe
0x00406101
0x00406104
0x00406109
0x00000000
0x00000000
0x00000000
0x00000000
0x004067a0
0x004067a0
0x004067a6
0x004067ac
0x004067b2
0x004067cc
0x004067cf
0x004067d5
0x004067e0
0x004067e0
0x004067e2
0x004067b4
0x004067b4
0x004067c3
0x004067c7
0x004067c7
0x004067ec
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004067ee
0x004067f2
0x004069a1
0x00000000
0x004069a1
0x004067fe
0x00406805
0x0040680d
0x00406810
0x00406813
0x00406813
0x00000000
0x00000000
0x00406131
0x00406133
0x00406136
0x004061a7
0x004061aa
0x004061ad
0x004061b4
0x004061be
0x00000000
0x004061be
0x00406138
0x0040613c
0x0040613f
0x00406141
0x00406144
0x00406147
0x00406149
0x0040614c
0x0040614e
0x00406153
0x00406156
0x00406159
0x0040615d
0x00406164
0x00406167
0x0040616e
0x00406172
0x0040617a
0x0040617a
0x0040617a
0x00406174
0x00406174
0x00406174
0x00406169
0x00406169
0x00406169
0x0040617e
0x00406181
0x0040619f
0x004061a1
0x00000000
0x00406183
0x00406183
0x00406186
0x00406189
0x0040618c
0x0040618e
0x0040618e
0x0040618e
0x00406191
0x00406194
0x00406196
0x00406197
0x0040619a
0x00000000
0x0040619a
0x00000000
0x004063d0
0x004063d4
0x004063f2
0x004063f5
0x004063fc
0x004063ff
0x00406402
0x00406405
0x00406408
0x0040640b
0x0040640d
0x00406414
0x00406415
0x00406417
0x0040641a
0x0040641d
0x00406420
0x00406420
0x00406425
0x00000000
0x00406425
0x004063d6
0x004063d9
0x004063dc
0x004063e6
0x00000000
0x00000000
0x0040643a
0x0040643e
0x00406461
0x00406464
0x00406467
0x00406471
0x00406440
0x00406440
0x00406443
0x00406446
0x00406449
0x00406456
0x00406459
0x00406459
0x00000000
0x00000000
0x0040647d
0x00406481
0x00000000
0x00000000
0x00406487
0x0040648b
0x00000000
0x00000000
0x00406491
0x00406493
0x00406497
0x00406497
0x0040649a
0x0040649e
0x00000000
0x00000000
0x004064ee
0x004064f2
0x004064f9
0x004064fc
0x004064ff
0x00406509
0x00000000
0x00406509
0x004064f4
0x00000000
0x00000000
0x00406515
0x00406519
0x00406520
0x00406523
0x00406526
0x0040651b
0x0040651b
0x0040651b
0x00406529
0x0040652c
0x0040652f
0x0040652f
0x00406532
0x00406535
0x00406538
0x00406538
0x0040653b
0x00406542
0x00406547
0x00000000
0x00000000
0x004065d5
0x004065d5
0x004065d9
0x00406977
0x00000000
0x00406977
0x004065df
0x004065e2
0x004065e5
0x004065e9
0x004065ec
0x004065f2
0x004065f4
0x004065f4
0x004065f4
0x004065f7
0x004065fa
0x00000000
0x00000000
0x004061ca
0x004061ca
0x004061ce
0x0040693b
0x00000000
0x0040693b
0x004061d4
0x004061d7
0x004061da
0x004061de
0x004061e1
0x004061e7
0x004061e9
0x004061e9
0x004061e9
0x004061ec
0x004061ef
0x004061ef
0x004061f2
0x004061f5
0x00000000
0x00000000
0x004061fb
0x00406201
0x00000000
0x00000000
0x00406207
0x00406207
0x0040620b
0x0040620e
0x00406211
0x00406214
0x00406217
0x00406218
0x0040621b
0x0040621d
0x00406223
0x00406226
0x00406229
0x0040622c
0x0040622f
0x00406232
0x00406235
0x00406251
0x00406254
0x00406257
0x0040625a
0x00406261
0x00406265
0x00406267
0x0040626b
0x00406237
0x00406237
0x0040623b
0x00406243
0x00406248
0x0040624a
0x0040624c
0x0040624c
0x0040626e
0x00406275
0x00406278
0x00000000
0x0040627e
0x00000000
0x0040627e
0x00000000
0x00406283
0x00406283
0x00406287
0x00406947
0x00000000
0x00406947
0x0040628d
0x00406290
0x00406293
0x00406297
0x0040629a
0x004062a0
0x004062a2
0x004062a2
0x004062a2
0x004062a5
0x004062a8
0x004062a8
0x004062a8
0x004062ae
0x00000000
0x00000000
0x004062b0
0x004062b3
0x004062b6
0x004062b9
0x004062bc
0x004062bf
0x004062c2
0x004062c5
0x004062c8
0x004062cb
0x004062ce
0x004062e6
0x004062e9
0x004062ec
0x004062ef
0x004062ef
0x004062f2
0x004062f6
0x004062f8
0x004062d0
0x004062d0
0x004062d8
0x004062dd
0x004062df
0x004062e1
0x004062e1
0x004062fb
0x00406302
0x00406305
0x00000000
0x00406307
0x00000000
0x00406307
0x00406305
0x0040630c
0x0040630c
0x0040630c
0x0040630c
0x00000000
0x00000000
0x00406347
0x00406347
0x0040634b
0x00406953
0x00000000
0x00406953
0x00406351
0x00406354
0x00406357
0x0040635b
0x0040635e
0x00406364
0x00406366
0x00406366
0x00406366
0x00406369
0x0040636c
0x0040636c
0x00406372
0x00406310
0x00406310
0x00406313
0x00000000
0x00406313
0x00406374
0x00406374
0x00406377
0x0040637a
0x0040637d
0x00406380
0x00406383
0x00406386
0x00406389
0x0040638c
0x0040638f
0x00406392
0x004063aa
0x004063ad
0x004063b0
0x004063b3
0x004063b3
0x004063b6
0x004063ba
0x004063bc
0x00406394
0x00406394
0x0040639c
0x004063a1
0x004063a3
0x004063a5
0x004063a5
0x004063bf
0x004063c6
0x004063c9
0x00000000
0x004063cb
0x00000000
0x004063cb
0x00000000
0x00406658
0x00406658
0x0040665c
0x00406983
0x00000000
0x00406983
0x00406662
0x00406665
0x00406668
0x0040666c
0x0040666f
0x00406675
0x00406677
0x00406677
0x00406677
0x0040667a
0x00000000
0x00000000
0x00406428
0x00406428
0x0040642b
0x0040679d
0x0040679d
0x00000000
0x00000000
0x00000000
0x00000000
0x00406824
0x00406828
0x00406846
0x00406846
0x00406846
0x0040684d
0x00406854
0x00000000
0x00406854
0x0040682a
0x0040682d
0x00406830
0x00406833
0x0040683a
0x00000000
0x00000000
0x00406915
0x00406918
0x00406819
0x00406819
0x00000000
0x00000000
0x0040654f
0x00406551
0x00406558
0x00406559
0x0040655b
0x0040655e
0x00000000
0x00000000
0x00406566
0x00406569
0x0040656c
0x0040656e
0x00406570
0x00406570
0x00406571
0x00406574
0x0040657b
0x0040657e
0x0040658c
0x00000000
0x00000000
0x00000000
0x00000000
0x00406871
0x00406871
0x00406875
0x004069ad
0x00000000
0x004069ad
0x0040687b
0x0040687e
0x00406881
0x00406885
0x00406888
0x0040688e
0x00406890
0x00406890
0x00406890
0x00406893
0x00406896
0x00406896
0x00406896
0x00406896
0x00000000
0x00000000
0x00406594
0x00406597
0x004065cd
0x004066fd
0x004066fd
0x004066fd
0x004066fd
0x00406700
0x00406700
0x00406703
0x00406705
0x0040698f
0x00000000
0x0040698f
0x0040670b
0x0040670e
0x00000000
0x00000000
0x00406714
0x00406718
0x0040671b
0x0040671b
0x0040671b
0x00000000
0x0040671b
0x00406599
0x0040659b
0x0040659d
0x0040659f
0x004065a2
0x004065a3
0x004065a5
0x004065a7
0x004065aa
0x004065ad
0x004065c3
0x004065c8
0x00406600
0x00406600
0x00406604
0x00406630
0x00406632
0x00406639
0x0040663c
0x0040663f
0x0040663f
0x00406644
0x00406644
0x00406646
0x00406649
0x00406650
0x00406653
0x00406680
0x00406680
0x00406683
0x00406686
0x004066fa
0x004066fa
0x004066fa
0x00000000
0x004066fa
0x00406688
0x0040668e
0x00406691
0x00406694
0x00406697
0x0040669a
0x0040669d
0x004066a0
0x004066a3
0x004066a6
0x004066a9
0x004066c2
0x004066c4
0x004066c7
0x004066c8
0x004066cb
0x004066cd
0x004066d0
0x004066d2
0x004066d4
0x004066d7
0x004066d9
0x004066dc
0x004066e0
0x004066e2
0x004066e2
0x004066e3
0x004066e6
0x004066e9
0x004066ab
0x004066ab
0x004066b3
0x004066b8
0x004066ba
0x004066bd
0x004066bd
0x004066ec
0x004066f3
0x0040667d
0x0040667d
0x0040667d
0x0040667d
0x00000000
0x004066f5
0x00000000
0x004066f5
0x004066f3
0x00406606
0x00406609
0x0040660b
0x0040660e
0x00406611
0x00406614
0x00406616
0x00406619
0x0040661c
0x0040661c
0x0040661f
0x0040661f
0x00406622
0x00406629
0x004065fd
0x004065fd
0x004065fd
0x004065fd
0x00000000
0x0040662b
0x00000000
0x0040662b
0x00406629
0x004065af
0x004065b2
0x004065b4
0x004065b7
0x00000000
0x00000000
0x00406316
0x00406316
0x0040631a
0x0040695f
0x00000000
0x0040695f
0x00406320
0x00406323
0x00406326
0x00406329
0x0040632c
0x0040632f
0x00406332
0x00406334
0x00406337
0x0040633a
0x0040633d
0x0040633f
0x0040633f
0x0040633f
0x00000000
0x00000000
0x004064a1
0x004064a1
0x004064a5
0x0040696b
0x00000000
0x0040696b
0x004064ab
0x004064ae
0x004064b1
0x004064b4
0x004064b6
0x004064b6
0x004064b6
0x004064b9
0x004064bc
0x004064bf
0x004064c2
0x004064c5
0x004064c8
0x004064c9
0x004064cb
0x004064cb
0x004064cb
0x004064ce
0x004064d1
0x004064d4
0x004064d7
0x004064d7
0x004064d7
0x004064da
0x004064dc
0x004064dc
0x00000000
0x00000000
0x0040671e
0x0040671e
0x0040671e
0x00406722
0x00000000
0x00000000
0x00406728
0x0040672b
0x0040672e
0x00406731
0x00406733
0x00406733
0x00406733
0x00406736
0x00406739
0x0040673c
0x0040673f
0x00406742
0x00406745
0x00406746
0x00406748
0x00406748
0x00406748
0x0040674b
0x0040674e
0x00406751
0x00406754
0x00406757
0x0040675b
0x0040675d
0x00406760
0x00000000
0x00406762
0x004064df
0x004064df
0x00000000
0x004064df
0x00406760
0x00406995
0x004069b7
0x004069bd
0x004069bf
0x004069c6
0x004069c8
0x004069cf
0x004069d3
0x00000000
0x00405fc4
0x004069cc
0x004069cc
0x00000000
0x004069cc
0x00406819
0x0040689f
0x004068a5
0x004068a8
0x004068ab
0x004068ae
0x004068b1
0x004068b4
0x004068b7
0x004068ba
0x004068c0
0x004068d9
0x004068dc
0x004068df
0x004068e2
0x004068e6
0x004068e8
0x004068e9
0x004068ec
0x004068c2
0x004068c2
0x004068ca
0x004068cf
0x004068d1
0x004068d4
0x004068d4
0x004068f6
0x00000000
0x004068f8
0x00000000
0x004068f8
0x004068f6
0x00000000
0x0040676b

Memory Dump Source

Source File: 00000000.00000002.587792505.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.587773902.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587822461.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587850301.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587901452.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587919547.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587936413.0000000000436000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587943185.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_CL-Eye-Driver-5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0b545a720d06a2780d8eb9310de1c164ea8e259f40aa19cdef3f662a7789f4d
Instruction ID: 868f2ec1f3ea74d7de1394d818727f69d5aca31e92bf34b5737afca42cfaef71
Opcode Fuzzy Hash: d0b545a720d06a2780d8eb9310de1c164ea8e259f40aa19cdef3f662a7789f4d
Instruction Fuzzy Hash: 6E913171D00229CBEF28CF98C8547ADBBB1FF44305F15812AD856BB281C7789A9ADF44

Uniqueness

Uniqueness Score: -1.00%

Function 0040647D, Relevance: 5.2, APIs: 4, Instructions: 205
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E0040647D() {
				unsigned short _t532;
				signed int _t533;
				void _t534;
				void* _t535;
				signed int _t536;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						L89:
						 *((intOrPtr*)(_t613 - 0x80)) = 0x15;
						 *(_t613 - 0x58) =  *(_t613 - 4) + 0xa68;
						L69:
						_t606 =  *(_t613 - 0x58);
						 *(_t613 - 0x84) = 0x12;
						L132:
						 *(_t613 - 0x54) = _t606;
						L133:
						_t532 =  *_t606;
						_t589 = _t532 & 0x0000ffff;
						_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
						if( *(_t613 - 0xc) >= _t565) {
							 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
							 *(_t613 - 0x40) = 1;
							_t533 = _t532 - (_t532 >> 5);
							 *_t606 = _t533;
						} else {
							 *(_t613 - 0x10) = _t565;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
							 *_t606 = (0x800 - _t589 >> 5) + _t532;
						}
						if( *(_t613 - 0x10) >= 0x1000000) {
							L139:
							_t534 =  *(_t613 - 0x84);
							L140:
							 *(_t613 - 0x88) = _t534;
							goto L1;
						} else {
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								goto L170;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						if( *(__ebp - 0x60) == 0) {
							L171:
							_t536 = _t535 | 0xffffffff;
							L172:
							return _t536;
						}
						__eax = 0;
						_t258 =  *(__ebp - 0x38) - 7 >= 0;
						0 | _t258 = _t258 + _t258 + 9;
						 *(__ebp - 0x38) = _t258 + _t258 + 9;
						L75:
						if( *(__ebp - 0x64) == 0) {
							 *(__ebp - 0x88) = 0x1b;
							L170:
							_t568 = 0x22;
							memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
							_t536 = 0;
							goto L172;
						}
						__eax =  *(__ebp - 0x14);
						__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
						if(__eax >=  *(__ebp - 0x74)) {
							__eax = __eax +  *(__ebp - 0x74);
						}
						__edx =  *(__ebp - 8);
						__cl =  *(__eax + __edx);
						__eax =  *(__ebp - 0x14);
						 *(__ebp - 0x5c) = __cl;
						 *(__eax + __edx) = __cl;
						__eax = __eax + 1;
						__edx = 0;
						_t274 = __eax %  *(__ebp - 0x74);
						__eax = __eax /  *(__ebp - 0x74);
						__edx = _t274;
						__eax =  *(__ebp - 0x68);
						 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
						 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
						_t283 = __ebp - 0x64;
						 *_t283 =  *(__ebp - 0x64) - 1;
						 *( *(__ebp - 0x68)) = __cl;
						L79:
						 *(__ebp - 0x14) = __edx;
						L80:
						 *(__ebp - 0x88) = 2;
					}
					L1:
					_t535 =  *(_t613 - 0x88);
					if(_t535 > 0x1c) {
						goto L171;
					}
					switch( *((intOrPtr*)(_t535 * 4 +  &M004069D4))) {
						case 0:
							if( *(_t613 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t535 =  *( *(_t613 - 0x70));
							if(_t535 > 0xe1) {
								goto L171;
							}
							_t539 = _t535 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t609 = _t539 / _t570;
							_t541 = _t539 % _t570 & 0x000000ff;
							asm("cdq");
							_t604 = _t541 % _t571 & 0x000000ff;
							 *(_t613 - 0x3c) = _t604;
							 *(_t613 - 0x1c) = (1 << _t609) - 1;
							 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t541 / _t571) - 1;
							_t612 = (0x300 << _t604 + _t609) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
								L10:
								if(_t612 == 0) {
									L12:
									 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t612 = _t612 - 1;
									 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
								} while (_t612 != 0);
								goto L12;
							}
							if( *(_t613 - 4) != 0) {
								GlobalFree( *(_t613 - 4));
							}
							_t535 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t613 - 4) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 1;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t45 = _t613 - 0x48;
							 *_t45 =  *(_t613 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t613 - 0x48) < 4) {
								goto L13;
							}
							_t547 =  *(_t613 - 0x40);
							if(_t547 ==  *(_t613 - 0x74)) {
								L20:
								 *(_t613 - 0x48) = 5;
								 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t613 - 0x74) = _t547;
							if( *(_t613 - 8) != 0) {
								GlobalFree( *(_t613 - 8));
							}
							_t535 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
							 *(_t613 - 8) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t554 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
							 *(_t613 - 0x84) = 6;
							 *(_t613 - 0x4c) = _t554;
							_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t554) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 3;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							_t67 = _t613 - 0x70;
							 *_t67 =  &(( *(_t613 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L23:
							 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
							if( *(_t613 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							__edx = 0;
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x34) = 1;
								 *(__ebp - 0x84) = 7;
								__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x5c) & 0x000000ff;
							__esi =  *(__ebp - 0x60);
							__cl = 8;
							__cl = 8 -  *(__ebp - 0x3c);
							__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
							__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
							__ecx =  *(__ebp - 0x3c);
							__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
							__ecx =  *(__ebp - 4);
							(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
							__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
							__eflags =  *(__ebp - 0x38) - 4;
							__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							if( *(__ebp - 0x38) >= 4) {
								__eflags =  *(__ebp - 0x38) - 0xa;
								if( *(__ebp - 0x38) >= 0xa) {
									_t98 = __ebp - 0x38;
									 *_t98 =  *(__ebp - 0x38) - 6;
									__eflags =  *_t98;
								} else {
									 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
								}
							} else {
								 *(__ebp - 0x38) = 0;
							}
							__eflags =  *(__ebp - 0x34) - __edx;
							if( *(__ebp - 0x34) == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L61;
							} else {
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__ecx =  *(__ebp - 8);
								__ebx = 0;
								__ebx = 1;
								__al =  *((intOrPtr*)(__eax + __ecx));
								 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
								goto L41;
							}
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L69;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							goto L0;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							goto L89;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							L37:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xd;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t122 = __ebp - 0x70;
							 *_t122 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t122;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L39:
							__eax =  *(__ebp - 0x40);
							__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
							if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
								goto L48;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L54;
							}
							L41:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L39;
							} else {
								goto L37;
							}
						case 0xe:
							L46:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xe;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t156 = __ebp - 0x70;
							 *_t156 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t156;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							while(1) {
								L48:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax =  *(__ebp - 0x58);
								__edx = __ebx + __ebx;
								__ecx =  *(__ebp - 0x10);
								__esi = __edx + __eax;
								__ecx =  *(__ebp - 0x10) >> 0xb;
								__ax =  *__esi;
								 *(__ebp - 0x54) = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
								__eflags =  *(__ebp - 0xc) - __ecx;
								if( *(__ebp - 0xc) >= __ecx) {
									 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
									 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
									__cx = __ax;
									_t170 = __edx + 1; // 0x1
									__ebx = _t170;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									 *(__ebp - 0x10) = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0x10) >= 0x1000000) {
									continue;
								} else {
									goto L46;
								}
							}
							L54:
							_t173 = __ebp - 0x34;
							 *_t173 =  *(__ebp - 0x34) & 0x00000000;
							__eflags =  *_t173;
							goto L55;
						case 0xf:
							L58:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xf;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t203 = __ebp - 0x70;
							 *_t203 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t203;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L60:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L55:
								__al =  *(__ebp - 0x44);
								 *(__ebp - 0x5c) =  *(__ebp - 0x44);
								goto L56;
							}
							L61:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t217 = __edx + 1; // 0x1
								__ebx = _t217;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L60;
							} else {
								goto L58;
							}
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							goto L69;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							L56:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1a;
								goto L170;
							}
							__ecx =  *(__ebp - 0x68);
							__al =  *(__ebp - 0x5c);
							__edx =  *(__ebp - 8);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
							 *( *(__ebp - 0x68)) = __al;
							__ecx =  *(__ebp - 0x14);
							 *(__ecx +  *(__ebp - 8)) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t192 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t192;
							goto L79;
						case 0x1b:
							goto L75;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = _t414;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

0x00000000
0x0040647d
0x0040647d
0x00406481
0x00406538
0x0040653b
0x00406547
0x00406428
0x00406428
0x0040642b
0x0040679d
0x0040679d
0x004067a0
0x004067a0
0x004067a6
0x004067ac
0x004067b2
0x004067cc
0x004067cf
0x004067d5
0x004067e0
0x004067e2
0x004067b4
0x004067b4
0x004067c3
0x004067c7
0x004067c7
0x004067ec
0x00406813
0x00406813
0x00406819
0x00406819
0x00000000
0x004067ee
0x004067ee
0x004067f2
0x004069a1
0x00000000
0x004069a1
0x004067fe
0x00406805
0x0040680d
0x00406810
0x00000000
0x00406810
0x00406487
0x0040648b
0x004069cc
0x004069cc
0x004069cf
0x004069d3
0x004069d3
0x00406491
0x00406497
0x0040649a
0x0040649e
0x004064a1
0x004064a5
0x0040696b
0x004069b7
0x004069bf
0x004069c6
0x004069c8
0x00000000
0x004069c8
0x004064ab
0x004064ae
0x004064b4
0x004064b6
0x004064b6
0x004064b9
0x004064bc
0x004064bf
0x004064c2
0x004064c5
0x004064c8
0x004064c9
0x004064cb
0x004064cb
0x004064cb
0x004064ce
0x004064d1
0x004064d4
0x004064d7
0x004064d7
0x004064da
0x004064dc
0x004064dc
0x004064df
0x004064df
0x004064df
0x00405fb5
0x00405fb5
0x00405fbe
0x00000000
0x00000000
0x00405fc4
0x00000000
0x00405fcf
0x00000000
0x00000000
0x00405fd8
0x00405fdb
0x00405fde
0x00405fe2
0x00000000
0x00000000
0x00405fe8
0x00405feb
0x00405fed
0x00405fee
0x00405ff1
0x00405ff3
0x00405ff4
0x00405ff6
0x00405ff9
0x00405ffe
0x00406003
0x0040600c
0x0040601f
0x00406022
0x0040602e
0x00406056
0x00406058
0x00406066
0x00406066
0x0040606a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040605a
0x0040605a
0x0040605d
0x0040605e
0x0040605e
0x00000000
0x0040605a
0x00406034
0x00406039
0x00406039
0x00406042
0x0040604a
0x0040604d
0x00000000
0x00406053
0x00406053
0x00000000
0x00406053
0x00000000
0x00406070
0x00406070
0x00406074
0x00406920
0x00000000
0x00406920
0x0040607d
0x0040608d
0x00406090
0x00406093
0x00406093
0x00406093
0x00406096
0x0040609a
0x00000000
0x00000000
0x0040609c
0x004060a2
0x004060cc
0x004060d2
0x004060d9
0x00000000
0x004060d9
0x004060a8
0x004060ab
0x004060b0
0x004060b0
0x004060bb
0x004060c3
0x004060c6
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040610b
0x00406111
0x00406114
0x00406121
0x00406129
0x00000000
0x00000000
0x004060e0
0x004060e0
0x004060e4
0x0040692f
0x00000000
0x0040692f
0x004060f0
0x004060fb
0x004060fb
0x004060fb
0x004060fe
0x00406101
0x00406104
0x00406109
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406131
0x00406133
0x00406136
0x004061a7
0x004061aa
0x004061ad
0x004061b4
0x004061be
0x00000000
0x004061be
0x00406138
0x0040613c
0x0040613f
0x00406141
0x00406144
0x00406147
0x00406149
0x0040614c
0x0040614e
0x00406153
0x00406156
0x00406159
0x0040615d
0x00406164
0x00406167
0x0040616e
0x00406172
0x0040617a
0x0040617a
0x0040617a
0x00406174
0x00406174
0x00406174
0x00406169
0x00406169
0x00406169
0x0040617e
0x00406181
0x0040619f
0x004061a1
0x00000000
0x00406183
0x00406183
0x00406186
0x00406189
0x0040618c
0x0040618e
0x0040618e
0x0040618e
0x00406191
0x00406194
0x00406196
0x00406197
0x0040619a
0x00000000
0x0040619a
0x00000000
0x004063d0
0x004063d4
0x004063f2
0x004063f5
0x004063fc
0x004063ff
0x00406402
0x00406405
0x00406408
0x0040640b
0x0040640d
0x00406414
0x00406415
0x00406417
0x0040641a
0x0040641d
0x00406420
0x00406420
0x00406425
0x00000000
0x00406425
0x004063d6
0x004063d9
0x004063dc
0x004063e6
0x00000000
0x00000000
0x0040643a
0x0040643e
0x00406461
0x00406464
0x00406467
0x00406471
0x00406440
0x00406440
0x00406443
0x00406446
0x00406449
0x00406456
0x00406459
0x00406459
0x00000000
0x00000000
0x00000000
0x00000000
0x004064ee
0x004064f2
0x004064f9
0x004064fc
0x004064ff
0x00406509
0x00000000
0x00406509
0x004064f4
0x00000000
0x00000000
0x00406515
0x00406519
0x00406520
0x00406523
0x00406526
0x0040651b
0x0040651b
0x0040651b
0x00406529
0x0040652c
0x0040652f
0x0040652f
0x00406532
0x00406535
0x00000000
0x00000000
0x004065d5
0x004065d5
0x004065d9
0x00406977
0x00000000
0x00406977
0x004065df
0x004065e2
0x004065e5
0x004065e9
0x004065ec
0x004065f2
0x004065f4
0x004065f4
0x004065f4
0x004065f7
0x004065fa
0x00000000
0x00000000
0x004061ca
0x004061ca
0x004061ce
0x0040693b
0x00000000
0x0040693b
0x004061d4
0x004061d7
0x004061da
0x004061de
0x004061e1
0x004061e7
0x004061e9
0x004061e9
0x004061e9
0x004061ec
0x004061ef
0x004061ef
0x004061f2
0x004061f5
0x00000000
0x00000000
0x004061fb
0x00406201
0x00000000
0x00000000
0x00406207
0x00406207
0x0040620b
0x0040620e
0x00406211
0x00406214
0x00406217
0x00406218
0x0040621b
0x0040621d
0x00406223
0x00406226
0x00406229
0x0040622c
0x0040622f
0x00406232
0x00406235
0x00406251
0x00406254
0x00406257
0x0040625a
0x00406261
0x00406265
0x00406267
0x0040626b
0x00406237
0x00406237
0x0040623b
0x00406243
0x00406248
0x0040624a
0x0040624c
0x0040624c
0x0040626e
0x00406275
0x00406278
0x00000000
0x0040627e
0x00000000
0x0040627e
0x00000000
0x00406283
0x00406283
0x00406287
0x00406947
0x00000000
0x00406947
0x0040628d
0x00406290
0x00406293
0x00406297
0x0040629a
0x004062a0
0x004062a2
0x004062a2
0x004062a2
0x004062a5
0x004062a8
0x004062a8
0x004062a8
0x004062ae
0x00000000
0x00000000
0x004062b0
0x004062b3
0x004062b6
0x004062b9
0x004062bc
0x004062bf
0x004062c2
0x004062c5
0x004062c8
0x004062cb
0x004062ce
0x004062e6
0x004062e9
0x004062ec
0x004062ef
0x004062ef
0x004062f2
0x004062f6
0x004062f8
0x004062d0
0x004062d0
0x004062d8
0x004062dd
0x004062df
0x004062e1
0x004062e1
0x004062fb
0x00406302
0x00406305
0x00000000
0x00406307
0x00000000
0x00406307
0x00406305
0x0040630c
0x0040630c
0x0040630c
0x0040630c
0x00000000
0x00000000
0x00406347
0x00406347
0x0040634b
0x00406953
0x00000000
0x00406953
0x00406351
0x00406354
0x00406357
0x0040635b
0x0040635e
0x00406364
0x00406366
0x00406366
0x00406366
0x00406369
0x0040636c
0x0040636c
0x00406372
0x00406310
0x00406310
0x00406313
0x00000000
0x00406313
0x00406374
0x00406374
0x00406377
0x0040637a
0x0040637d
0x00406380
0x00406383
0x00406386
0x00406389
0x0040638c
0x0040638f
0x00406392
0x004063aa
0x004063ad
0x004063b0
0x004063b3
0x004063b3
0x004063b6
0x004063ba
0x004063bc
0x00406394
0x00406394
0x0040639c
0x004063a1
0x004063a3
0x004063a5
0x004063a5
0x004063bf
0x004063c6
0x004063c9
0x00000000
0x004063cb
0x00000000
0x004063cb
0x00000000
0x00406658
0x00406658
0x0040665c
0x00406983
0x00000000
0x00406983
0x00406662
0x00406665
0x00406668
0x0040666c
0x0040666f
0x00406675
0x00406677
0x00406677
0x00406677
0x0040667a
0x00000000
0x00000000
0x00000000
0x00000000
0x00406767
0x0040676b
0x0040678d
0x00406790
0x0040679a
0x00000000
0x0040679a
0x0040676d
0x00406770
0x00406774
0x00406777
0x00406777
0x0040677a
0x00000000
0x00000000
0x00406824
0x00406828
0x00406846
0x00406846
0x00406846
0x0040684d
0x00406854
0x0040685b
0x0040685b
0x00000000
0x0040685b
0x0040682a
0x0040682d
0x00406830
0x00406833
0x0040683a
0x0040677e
0x0040677e
0x00406781
0x00000000
0x00000000
0x00406915
0x00406918
0x00000000
0x00000000
0x0040654f
0x00406551
0x00406558
0x00406559
0x0040655b
0x0040655e
0x00000000
0x00000000
0x00406566
0x00406569
0x0040656c
0x0040656e
0x00406570
0x00406570
0x00406571
0x00406574
0x0040657b
0x0040657e
0x0040658c
0x00000000
0x00000000
0x00406862
0x00406862
0x00406865
0x0040686c
0x00000000
0x00000000
0x00406871
0x00406871
0x00406875
0x004069ad
0x00000000
0x004069ad
0x0040687b
0x0040687e
0x00406881
0x00406885
0x00406888
0x0040688e
0x00406890
0x00406890
0x00406890
0x00406893
0x00406896
0x00406896
0x00406896
0x00406896
0x00406899
0x00406899
0x0040689d
0x004068fd
0x00406900
0x00406905
0x00406906
0x00406908
0x0040690a
0x0040690d
0x00000000
0x0040690d
0x0040689f
0x004068a5
0x004068a8
0x004068ab
0x004068ae
0x004068b1
0x004068b4
0x004068b7
0x004068ba
0x004068bd
0x004068c0
0x004068d9
0x004068dc
0x004068df
0x004068e2
0x004068e6
0x004068e8
0x004068e8
0x004068e9
0x004068ec
0x004068c2
0x004068c2
0x004068ca
0x004068cf
0x004068d1
0x004068d4
0x004068d4
0x004068ef
0x004068f6
0x00000000
0x004068f8
0x00000000
0x004068f8
0x00000000
0x00406594
0x00406597
0x004065cd
0x004066fd
0x004066fd
0x004066fd
0x004066fd
0x00406700
0x00406700
0x00406703
0x00406705
0x0040698f
0x00000000
0x0040698f
0x0040670b
0x0040670e
0x00000000
0x00000000
0x00406714
0x00406718
0x0040671b
0x0040671b
0x0040671b
0x00000000
0x0040671b
0x00406599
0x0040659b
0x0040659d
0x0040659f
0x004065a2
0x004065a3
0x004065a5
0x004065a7
0x004065aa
0x004065ad
0x004065c3
0x004065c8
0x00406600
0x00406600
0x00406604
0x00406630
0x00406632
0x00406639
0x0040663c
0x0040663f
0x0040663f
0x00406644
0x00406644
0x00406646
0x00406649
0x00406650
0x00406653
0x00406680
0x00406680
0x00406683
0x00406686
0x004066fa
0x004066fa
0x004066fa
0x00000000
0x004066fa
0x00406688
0x0040668e
0x00406691
0x00406694
0x00406697
0x0040669a
0x0040669d
0x004066a0
0x004066a3
0x004066a6
0x004066a9
0x004066c2
0x004066c4
0x004066c7
0x004066c8
0x004066cb
0x004066cd
0x004066d0
0x004066d2
0x004066d4
0x004066d7
0x004066d9
0x004066dc
0x004066e0
0x004066e2
0x004066e2
0x004066e3
0x004066e6
0x004066e9
0x004066ab
0x004066ab
0x004066b3
0x004066b8
0x004066ba
0x004066bd
0x004066bd
0x004066ec
0x004066f3
0x0040667d
0x0040667d
0x0040667d
0x0040667d
0x00000000
0x004066f5
0x00000000
0x004066f5
0x004066f3
0x00406606
0x00406609
0x0040660b
0x0040660e
0x00406611
0x00406614
0x00406616
0x00406619
0x0040661c
0x0040661c
0x0040661f
0x0040661f
0x00406622
0x00406629
0x004065fd
0x004065fd
0x004065fd
0x004065fd
0x00000000
0x0040662b
0x00000000
0x0040662b
0x00406629
0x004065af
0x004065b2
0x004065b4
0x004065b7
0x00000000
0x00000000
0x00406316
0x00406316
0x0040631a
0x0040695f
0x00000000
0x0040695f
0x00406320
0x00406323
0x00406326
0x00406329
0x0040632c
0x0040632f
0x00406332
0x00406334
0x00406337
0x0040633a
0x0040633d
0x0040633f
0x0040633f
0x0040633f
0x00000000
0x00000000
0x00000000
0x00000000
0x0040671e
0x0040671e
0x0040671e
0x00406722
0x00000000
0x00000000
0x00406728
0x0040672b
0x0040672e
0x00406731
0x00406733
0x00406733
0x00406733
0x00406736
0x00406739
0x0040673c
0x0040673f
0x00406742
0x00406745
0x00406746
0x00406748
0x00406748
0x00406748
0x0040674b
0x0040674e
0x00406751
0x00406754
0x00406757
0x0040675b
0x0040675d
0x00406760
0x00000000
0x00406762
0x00000000
0x00406762
0x00406760
0x00406995
0x00000000
0x00000000
0x00405fc4

Memory Dump Source

Source File: 00000000.00000002.587792505.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.587773902.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587822461.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587850301.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587901452.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587919547.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587936413.0000000000436000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587943185.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_CL-Eye-Driver-5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ca4e82cbd918d9bc6f131d9bc7fd5d61b9600368ad5a57dd77e762cc9babb20
Instruction ID: e06b97397237a54a8f7c6fae7a0c48c933f493286525731b7b3672fa0d973436
Opcode Fuzzy Hash: 3ca4e82cbd918d9bc6f131d9bc7fd5d61b9600368ad5a57dd77e762cc9babb20
Instruction Fuzzy Hash: 678155B1D00229CFDF24CFA8C8447ADBBB1FB44305F25816AD456BB281D7789A96CF54

Uniqueness

Uniqueness Score: -1.00%

Function 004063D0, Relevance: 5.2, APIs: 4, Instructions: 180
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E004063D0() {
				signed int _t539;
				unsigned short _t540;
				signed int _t541;
				void _t542;
				signed int _t543;
				signed int _t544;
				signed int _t573;
				signed int _t576;
				signed int _t597;
				signed int* _t614;
				void* _t621;

				L0:
				while(1) {
					L0:
					if( *(_t621 - 0x40) != 1) {
						 *((intOrPtr*)(_t621 - 0x80)) = 0x16;
						 *((intOrPtr*)(_t621 - 0x20)) =  *((intOrPtr*)(_t621 - 0x24));
						 *((intOrPtr*)(_t621 - 0x24)) =  *((intOrPtr*)(_t621 - 0x28));
						 *((intOrPtr*)(_t621 - 0x28)) =  *((intOrPtr*)(_t621 - 0x2c));
						 *(_t621 - 0x38) = ((0 |  *(_t621 - 0x38) - 0x00000007 >= 0x00000000) - 0x00000001 & 0x000000fd) + 0xa;
						_t539 =  *(_t621 - 4) + 0x664;
						 *(_t621 - 0x58) = _t539;
						goto L68;
					} else {
						 *(__ebp - 0x84) = 8;
						while(1) {
							L132:
							 *(_t621 - 0x54) = _t614;
							while(1) {
								L133:
								_t540 =  *_t614;
								_t597 = _t540 & 0x0000ffff;
								_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
								if( *(_t621 - 0xc) >= _t573) {
									 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
									 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
									 *(_t621 - 0x40) = 1;
									_t541 = _t540 - (_t540 >> 5);
									 *_t614 = _t541;
								} else {
									 *(_t621 - 0x10) = _t573;
									 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
									 *_t614 = (0x800 - _t597 >> 5) + _t540;
								}
								if( *(_t621 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t621 - 0x6c) == 0) {
									 *(_t621 - 0x88) = 5;
									L170:
									_t576 = 0x22;
									memcpy( *(_t621 - 0x90), _t621 - 0x88, _t576 << 2);
									_t544 = 0;
									L172:
									return _t544;
								}
								 *(_t621 - 0x10) =  *(_t621 - 0x10) << 8;
								 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
								 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
								 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
								L139:
								_t542 =  *(_t621 - 0x84);
								while(1) {
									 *(_t621 - 0x88) = _t542;
									while(1) {
										L1:
										_t543 =  *(_t621 - 0x88);
										if(_t543 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t543 * 4 +  &M004069D4))) {
											case 0:
												if( *(_t621 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t543 =  *( *(_t621 - 0x70));
												if(_t543 > 0xe1) {
													goto L171;
												}
												_t547 = _t543 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t578);
												_push(9);
												_pop(_t579);
												_t617 = _t547 / _t578;
												_t549 = _t547 % _t578 & 0x000000ff;
												asm("cdq");
												_t612 = _t549 % _t579 & 0x000000ff;
												 *(_t621 - 0x3c) = _t612;
												 *(_t621 - 0x1c) = (1 << _t617) - 1;
												 *((intOrPtr*)(_t621 - 0x18)) = (1 << _t549 / _t579) - 1;
												_t620 = (0x300 << _t612 + _t617) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t621 - 0x78))) {
													L10:
													if(_t620 == 0) {
														L12:
														 *(_t621 - 0x48) =  *(_t621 - 0x48) & 0x00000000;
														 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t620 = _t620 - 1;
														 *((short*)( *(_t621 - 4) + _t620 * 2)) = 0x400;
													} while (_t620 != 0);
													goto L12;
												}
												if( *(_t621 - 4) != 0) {
													GlobalFree( *(_t621 - 4));
												}
												_t543 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t621 - 4) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t621 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 1;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x40) =  *(_t621 - 0x40) | ( *( *(_t621 - 0x70)) & 0x000000ff) <<  *(_t621 - 0x48) << 0x00000003;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t45 = _t621 - 0x48;
												 *_t45 =  *(_t621 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t621 - 0x48) < 4) {
													goto L13;
												}
												_t555 =  *(_t621 - 0x40);
												if(_t555 ==  *(_t621 - 0x74)) {
													L20:
													 *(_t621 - 0x48) = 5;
													 *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) =  *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t621 - 0x74) = _t555;
												if( *(_t621 - 8) != 0) {
													GlobalFree( *(_t621 - 8));
												}
												_t543 = GlobalAlloc(0x40,  *(_t621 - 0x40)); // executed
												 *(_t621 - 8) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t562 =  *(_t621 - 0x60) &  *(_t621 - 0x1c);
												 *(_t621 - 0x84) = 6;
												 *(_t621 - 0x4c) = _t562;
												_t614 =  *(_t621 - 4) + (( *(_t621 - 0x38) << 4) + _t562) * 2;
												goto L132;
											case 3:
												L21:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 3;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												_t67 = _t621 - 0x70;
												 *_t67 =  &(( *(_t621 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
												L23:
												 *(_t621 - 0x48) =  *(_t621 - 0x48) - 1;
												if( *(_t621 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t540 =  *_t614;
												_t597 = _t540 & 0x0000ffff;
												_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
												if( *(_t621 - 0xc) >= _t573) {
													 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
													 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
													 *(_t621 - 0x40) = 1;
													_t541 = _t540 - (_t540 >> 5);
													 *_t614 = _t541;
												} else {
													 *(_t621 - 0x10) = _t573;
													 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
													 *_t614 = (0x800 - _t597 >> 5) + _t540;
												}
												if( *(_t621 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												goto L0;
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t258 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t258;
												0 | _t258 = _t258 + _t258 + 9;
												 *(__ebp - 0x38) = _t258 + _t258 + 9;
												goto L75;
											case 0xa:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xb;
													__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x28);
												goto L88;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												L88:
												__ecx =  *(__ebp - 0x2c);
												 *(__ebp - 0x2c) = __eax;
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												L89:
												__eax =  *(__ebp - 4);
												 *(__ebp - 0x80) = 0x15;
												__eax =  *(__ebp - 4) + 0xa68;
												 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
												goto L68;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												L68:
												_t614 =  *(_t621 - 0x58);
												 *(_t621 - 0x84) = 0x12;
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t621 - 0x88) = _t542;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t621 - 0x88) = _t542;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L79;
											case 0x1b:
												L75:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t274 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t274;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t283 = __ebp - 0x64;
												 *_t283 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t283;
												 *( *(__ebp - 0x68)) = __cl;
												L79:
												 *(__ebp - 0x14) = __edx;
												goto L80;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L80:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t544 = _t543 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

0x00000000
0x004063d0
0x004063d0
0x004063d4
0x004063f5
0x004063fc
0x00406402
0x00406408
0x0040641a
0x00406420
0x00406425
0x00000000
0x004063d6
0x004063dc
0x0040679d
0x0040679d
0x0040679d
0x004067a0
0x004067a0
0x004067a0
0x004067a6
0x004067ac
0x004067b2
0x004067cc
0x004067cf
0x004067d5
0x004067e0
0x004067e2
0x004067b4
0x004067b4
0x004067c3
0x004067c7
0x004067c7
0x004067ec
0x00000000
0x00000000
0x004067ee
0x004067f2
0x004069a1
0x004069b7
0x004069bf
0x004069c6
0x004069c8
0x004069cf
0x004069d3
0x004069d3
0x004067fe
0x00406805
0x0040680d
0x00406810
0x00406813
0x00406813
0x00406819
0x00406819
0x00405fb5
0x00405fb5
0x00405fb5
0x00405fbe
0x00000000
0x00000000
0x00405fc4
0x00000000
0x00405fcf
0x00000000
0x00000000
0x00405fd8
0x00405fdb
0x00405fde
0x00405fe2
0x00000000
0x00000000
0x00405fe8
0x00405feb
0x00405fed
0x00405fee
0x00405ff1
0x00405ff3
0x00405ff4
0x00405ff6
0x00405ff9
0x00405ffe
0x00406003
0x0040600c
0x0040601f
0x00406022
0x0040602e
0x00406056
0x00406058
0x00406066
0x00406066
0x0040606a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040605a
0x0040605a
0x0040605d
0x0040605e
0x0040605e
0x00000000
0x0040605a
0x00406034
0x00406039
0x00406039
0x00406042
0x0040604a
0x0040604d
0x00000000
0x00406053
0x00406053
0x00000000
0x00406053
0x00000000
0x00406070
0x00406070
0x00406074
0x00406920
0x00000000
0x00406920
0x0040607d
0x0040608d
0x00406090
0x00406093
0x00406093
0x00406093
0x00406096
0x0040609a
0x00000000
0x00000000
0x0040609c
0x004060a2
0x004060cc
0x004060d2
0x004060d9
0x00000000
0x004060d9
0x004060a8
0x004060ab
0x004060b0
0x004060b0
0x004060bb
0x004060c3
0x004060c6
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040610b
0x00406111
0x00406114
0x00406121
0x00406129
0x00000000
0x00000000
0x004060e0
0x004060e0
0x004060e4
0x0040692f
0x00000000
0x0040692f
0x004060f0
0x004060fb
0x004060fb
0x004060fb
0x004060fe
0x00406101
0x00406104
0x00406109
0x00000000
0x00000000
0x00000000
0x00000000
0x004067a0
0x004067a0
0x004067a6
0x004067ac
0x004067b2
0x004067cc
0x004067cf
0x004067d5
0x004067e0
0x004067e2
0x004067b4
0x004067b4
0x004067c3
0x004067c7
0x004067c7
0x004067ec
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406131
0x00406133
0x00406136
0x004061a7
0x004061aa
0x004061ad
0x004061b4
0x004061be
0x0040679d
0x0040679d
0x00000000
0x0040679d
0x00406138
0x0040613c
0x0040613f
0x00406141
0x00406144
0x00406147
0x00406149
0x0040614c
0x0040614e
0x00406153
0x00406156
0x00406159
0x0040615d
0x00406164
0x00406167
0x0040616e
0x00406172
0x0040617a
0x0040617a
0x0040617a
0x00406174
0x00406174
0x00406174
0x00406169
0x00406169
0x00406169
0x0040617e
0x00406181
0x0040619f
0x004061a1
0x00000000
0x00406183
0x00406183
0x00406186
0x00406189
0x0040618c
0x0040618e
0x0040618e
0x0040618e
0x00406191
0x00406194
0x00406196
0x00406197
0x0040619a
0x00000000
0x0040619a
0x00000000
0x00000000
0x00000000
0x0040643a
0x0040643e
0x00406461
0x00406464
0x00406467
0x00406471
0x00406440
0x00406440
0x00406443
0x00406446
0x00406449
0x00406456
0x00406459
0x00406459
0x0040679d
0x0040679d
0x0040679d
0x00000000
0x0040679d
0x00000000
0x0040647d
0x00406481
0x00000000
0x00000000
0x00406487
0x0040648b
0x00000000
0x00000000
0x00406491
0x00406493
0x00406497
0x00406497
0x0040649a
0x0040649e
0x00000000
0x00000000
0x004064ee
0x004064f2
0x004064f9
0x004064fc
0x004064ff
0x00406509
0x0040679d
0x0040679d
0x0040679d
0x00000000
0x0040679d
0x0040679d
0x004064f4
0x00000000
0x00000000
0x00406515
0x00406519
0x00406520
0x00406523
0x00406526
0x0040651b
0x0040651b
0x0040651b
0x00406529
0x0040652c
0x0040652f
0x0040652f
0x00406532
0x00406535
0x00406538
0x00406538
0x0040653b
0x00406542
0x00406547
0x00000000
0x00000000
0x004065d5
0x004065d5
0x004065d9
0x00406977
0x00000000
0x00406977
0x004065df
0x004065e2
0x004065e5
0x004065e9
0x004065ec
0x004065f2
0x004065f4
0x004065f4
0x004065f4
0x004065f7
0x004065fa
0x00000000
0x00000000
0x004061ca
0x004061ca
0x004061ce
0x0040693b
0x00000000
0x0040693b
0x004061d4
0x004061d7
0x004061da
0x004061de
0x004061e1
0x004061e7
0x004061e9
0x004061e9
0x004061e9
0x004061ec
0x004061ef
0x004061ef
0x004061f2
0x004061f5
0x00000000
0x00000000
0x004061fb
0x00406201
0x00000000
0x00000000
0x00406207
0x00406207
0x0040620b
0x0040620e
0x00406211
0x00406214
0x00406217
0x00406218
0x0040621b
0x0040621d
0x00406223
0x00406226
0x00406229
0x0040622c
0x0040622f
0x00406232
0x00406235
0x00406251
0x00406254
0x00406257
0x0040625a
0x00406261
0x00406265
0x00406267
0x0040626b
0x00406237
0x00406237
0x0040623b
0x00406243
0x00406248
0x0040624a
0x0040624c
0x0040624c
0x0040626e
0x00406275
0x00406278
0x00000000
0x0040627e
0x00000000
0x0040627e
0x00000000
0x00406283
0x00406283
0x00406287
0x00406947
0x00000000
0x00406947
0x0040628d
0x00406290
0x00406293
0x00406297
0x0040629a
0x004062a0
0x004062a2
0x004062a2
0x004062a2
0x004062a5
0x004062a8
0x004062a8
0x004062a8
0x004062ae
0x00000000
0x00000000
0x004062b0
0x004062b3
0x004062b6
0x004062b9
0x004062bc
0x004062bf
0x004062c2
0x004062c5
0x004062c8
0x004062cb
0x004062ce
0x004062e6
0x004062e9
0x004062ec
0x004062ef
0x004062ef
0x004062f2
0x004062f6
0x004062f8
0x004062d0
0x004062d0
0x004062d8
0x004062dd
0x004062df
0x004062e1
0x004062e1
0x004062fb
0x00406302
0x00406305
0x00000000
0x00406307
0x00000000
0x00406307
0x00406305
0x0040630c
0x0040630c
0x0040630c
0x0040630c
0x00000000
0x00000000
0x00406347
0x00406347
0x0040634b
0x00406953
0x00000000
0x00406953
0x00406351
0x00406354
0x00406357
0x0040635b
0x0040635e
0x00406364
0x00406366
0x00406366
0x00406366
0x00406369
0x0040636c
0x0040636c
0x00406372
0x00406310
0x00406310
0x00406313
0x00000000
0x00406313
0x00406374
0x00406374
0x00406377
0x0040637a
0x0040637d
0x00406380
0x00406383
0x00406386
0x00406389
0x0040638c
0x0040638f
0x00406392
0x004063aa
0x004063ad
0x004063b0
0x004063b3
0x004063b3
0x004063b6
0x004063ba
0x004063bc
0x00406394
0x00406394
0x0040639c
0x004063a1
0x004063a3
0x004063a5
0x004063a5
0x004063bf
0x004063c6
0x004063c9
0x00000000
0x004063cb
0x00000000
0x004063cb
0x00000000
0x00406658
0x00406658
0x0040665c
0x00406983
0x00000000
0x00406983
0x00406662
0x00406665
0x00406668
0x0040666c
0x0040666f
0x00406675
0x00406677
0x00406677
0x00406677
0x0040667a
0x00000000
0x00000000
0x00406428
0x00406428
0x0040642b
0x0040679d
0x0040679d
0x0040679d
0x00000000
0x0040679d
0x00000000
0x00406767
0x0040676b
0x0040678d
0x00406790
0x0040679a
0x0040679d
0x0040679d
0x0040679d
0x00000000
0x0040679d
0x0040679d
0x0040676d
0x00406770
0x00406774
0x00406777
0x00406777
0x0040677a
0x00000000
0x00000000
0x00406824
0x00406828
0x00406846
0x00406846
0x00406846
0x0040684d
0x00406854
0x0040685b
0x0040685b
0x00000000
0x0040685b
0x0040682a
0x0040682d
0x00406830
0x00406833
0x0040683a
0x0040677e
0x0040677e
0x00406781
0x00000000
0x00000000
0x00406915
0x00406918
0x00406819
0x00000000
0x00000000
0x0040654f
0x00406551
0x00406558
0x00406559
0x0040655b
0x0040655e
0x00000000
0x00000000
0x00406566
0x00406569
0x0040656c
0x0040656e
0x00406570
0x00406570
0x00406571
0x00406574
0x0040657b
0x0040657e
0x0040658c
0x00000000
0x00000000
0x00406862
0x00406862
0x00406865
0x0040686c
0x00000000
0x00000000
0x00406871
0x00406871
0x00406875
0x004069ad
0x00000000
0x004069ad
0x0040687b
0x0040687e
0x00406881
0x00406885
0x00406888
0x0040688e
0x00406890
0x00406890
0x00406890
0x00406893
0x00406896
0x00406896
0x00406896
0x00406896
0x00406899
0x00406899
0x0040689d
0x004068fd
0x00406900
0x00406905
0x00406906
0x00406908
0x0040690a
0x0040690d
0x00406819
0x00406819
0x00000000
0x0040681f
0x00406819
0x0040689f
0x004068a5
0x004068a8
0x004068ab
0x004068ae
0x004068b1
0x004068b4
0x004068b7
0x004068ba
0x004068bd
0x004068c0
0x004068d9
0x004068dc
0x004068df
0x004068e2
0x004068e6
0x004068e8
0x004068e8
0x004068e9
0x004068ec
0x004068c2
0x004068c2
0x004068ca
0x004068cf
0x004068d1
0x004068d4
0x004068d4
0x004068ef
0x004068f6
0x00000000
0x004068f8
0x00000000
0x004068f8
0x00000000
0x00406594
0x00406597
0x004065cd
0x004066fd
0x004066fd
0x004066fd
0x004066fd
0x00406700
0x00406700
0x00406703
0x00406705
0x0040698f
0x00000000
0x0040698f
0x0040670b
0x0040670e
0x00000000
0x00000000
0x00406714
0x00406718
0x0040671b
0x0040671b
0x0040671b
0x00000000
0x0040671b
0x00406599
0x0040659b
0x0040659d
0x0040659f
0x004065a2
0x004065a3
0x004065a5
0x004065a7
0x004065aa
0x004065ad
0x004065c3
0x004065c8
0x00406600
0x00406600
0x00406604
0x00406630
0x00406632
0x00406639
0x0040663c
0x0040663f
0x0040663f
0x00406644
0x00406644
0x00406646
0x00406649
0x00406650
0x00406653
0x00406680
0x00406680
0x00406683
0x00406686
0x004066fa
0x004066fa
0x004066fa
0x00000000
0x004066fa
0x00406688
0x0040668e
0x00406691
0x00406694
0x00406697
0x0040669a
0x0040669d
0x004066a0
0x004066a3
0x004066a6
0x004066a9
0x004066c2
0x004066c4
0x004066c7
0x004066c8
0x004066cb
0x004066cd
0x004066d0
0x004066d2
0x004066d4
0x004066d7
0x004066d9
0x004066dc
0x004066e0
0x004066e2
0x004066e2
0x004066e3
0x004066e6
0x004066e9
0x004066ab
0x004066ab
0x004066b3
0x004066b8
0x004066ba
0x004066bd
0x004066bd
0x004066ec
0x004066f3
0x0040667d
0x0040667d
0x0040667d
0x0040667d
0x00000000
0x004066f5
0x00000000
0x004066f5
0x004066f3
0x00406606
0x00406609
0x0040660b
0x0040660e
0x00406611
0x00406614
0x00406616
0x00406619
0x0040661c
0x0040661c
0x0040661f
0x0040661f
0x00406622
0x00406629
0x004065fd
0x004065fd
0x004065fd
0x004065fd
0x00000000
0x0040662b
0x00000000
0x0040662b
0x00406629
0x004065af
0x004065b2
0x004065b4
0x004065b7
0x00000000
0x00000000
0x00406316
0x00406316
0x0040631a
0x0040695f
0x00000000
0x0040695f
0x00406320
0x00406323
0x00406326
0x00406329
0x0040632c
0x0040632f
0x00406332
0x00406334
0x00406337
0x0040633a
0x0040633d
0x0040633f
0x0040633f
0x0040633f
0x00000000
0x00000000
0x004064a1
0x004064a1
0x004064a5
0x0040696b
0x00000000
0x0040696b
0x004064ab
0x004064ae
0x004064b1
0x004064b4
0x004064b6
0x004064b6
0x004064b6
0x004064b9
0x004064bc
0x004064bf
0x004064c2
0x004064c5
0x004064c8
0x004064c9
0x004064cb
0x004064cb
0x004064cb
0x004064ce
0x004064d1
0x004064d4
0x004064d7
0x004064d7
0x004064d7
0x004064da
0x004064dc
0x004064dc
0x00000000
0x00000000
0x0040671e
0x0040671e
0x0040671e
0x00406722
0x00000000
0x00000000
0x00406728
0x0040672b
0x0040672e
0x00406731
0x00406733
0x00406733
0x00406733
0x00406736
0x00406739
0x0040673c
0x0040673f
0x00406742
0x00406745
0x00406746
0x00406748
0x00406748
0x00406748
0x0040674b
0x0040674e
0x00406751
0x00406754
0x00406757
0x0040675b
0x0040675d
0x00406760
0x00000000
0x00406762
0x004064df
0x004064df
0x00000000
0x004064df
0x00406760
0x00406995
0x00000000
0x00000000
0x00405fc4
0x004069cc
0x004069cc
0x00000000
0x004069cc
0x00406819
0x004067a0
0x0040679d
0x00000000
0x004063d4

Memory Dump Source

Source File: 00000000.00000002.587792505.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.587773902.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587822461.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587850301.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587901452.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587919547.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587936413.0000000000436000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587943185.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_CL-Eye-Driver-5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 040a7e0d789931a885e98904e34fb369bef72c7c312577bd0d6f252efd828c84
Instruction ID: 235c9a1f152390887c8e3346b3cf8cf745e7d176c25095dba4735a56a8f4339d
Opcode Fuzzy Hash: 040a7e0d789931a885e98904e34fb369bef72c7c312577bd0d6f252efd828c84
Instruction Fuzzy Hash: 80714371D00229CBDF28CFA8C8447ADBBF1FB48305F15806AD846BB281D7395A96DF54

Uniqueness

Uniqueness Score: -1.00%

Function 004064EE, Relevance: 5.2, APIs: 4, Instructions: 170
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E004064EE() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xb;
						_t606 =  *(_t613 - 4) + 0x1c8 +  *(_t613 - 0x38) * 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x28);
						L88:
						 *(__ebp - 0x2c) = __eax;
						 *(__ebp - 0x28) =  *(__ebp - 0x2c);
						L89:
						__eax =  *(__ebp - 4);
						 *(__ebp - 0x80) = 0x15;
						__eax =  *(__ebp - 4) + 0xa68;
						 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
						L69:
						 *(__ebp - 0x84) = 0x12;
						while(1) {
							L132:
							 *(_t613 - 0x54) = _t606;
							while(1) {
								L133:
								_t531 =  *_t606;
								_t589 = _t531 & 0x0000ffff;
								_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
								if( *(_t613 - 0xc) >= _t565) {
									 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
									 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
									 *(_t613 - 0x40) = 1;
									_t532 = _t531 - (_t531 >> 5);
									 *_t606 = _t532;
								} else {
									 *(_t613 - 0x10) = _t565;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									 *_t606 = (0x800 - _t589 >> 5) + _t531;
								}
								if( *(_t613 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t613 - 0x6c) == 0) {
									 *(_t613 - 0x88) = 5;
									L170:
									_t568 = 0x22;
									memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
								 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
								 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
								 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
								L139:
								_t533 =  *(_t613 - 0x84);
								while(1) {
									 *(_t613 - 0x88) = _t533;
									while(1) {
										L1:
										_t534 =  *(_t613 - 0x88);
										if(_t534 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t534 * 4 +  &M004069D4))) {
											case 0:
												if( *(_t613 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t534 =  *( *(_t613 - 0x70));
												if(_t534 > 0xe1) {
													goto L171;
												}
												_t538 = _t534 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t570);
												_push(9);
												_pop(_t571);
												_t609 = _t538 / _t570;
												_t540 = _t538 % _t570 & 0x000000ff;
												asm("cdq");
												_t604 = _t540 % _t571 & 0x000000ff;
												 *(_t613 - 0x3c) = _t604;
												 *(_t613 - 0x1c) = (1 << _t609) - 1;
												 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
												_t612 = (0x300 << _t604 + _t609) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
													L10:
													if(_t612 == 0) {
														L12:
														 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
														 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t612 = _t612 - 1;
														 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
													} while (_t612 != 0);
													goto L12;
												}
												if( *(_t613 - 4) != 0) {
													GlobalFree( *(_t613 - 4));
												}
												_t534 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t613 - 4) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 1;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t45 = _t613 - 0x48;
												 *_t45 =  *(_t613 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t613 - 0x48) < 4) {
													goto L13;
												}
												_t546 =  *(_t613 - 0x40);
												if(_t546 ==  *(_t613 - 0x74)) {
													L20:
													 *(_t613 - 0x48) = 5;
													 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t613 - 0x74) = _t546;
												if( *(_t613 - 8) != 0) {
													GlobalFree( *(_t613 - 8));
												}
												_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
												 *(_t613 - 8) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
												 *(_t613 - 0x84) = 6;
												 *(_t613 - 0x4c) = _t553;
												_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
												L132:
												 *(_t613 - 0x54) = _t606;
												goto L133;
											case 3:
												L21:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 3;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												_t67 = _t613 - 0x70;
												 *_t67 =  &(( *(_t613 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
												L23:
												 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
												if( *(_t613 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t531 =  *_t606;
												_t589 = _t531 & 0x0000ffff;
												_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
												if( *(_t613 - 0xc) >= _t565) {
													 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
													 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
													 *(_t613 - 0x40) = 1;
													_t532 = _t531 - (_t531 >> 5);
													 *_t606 = _t532;
												} else {
													 *(_t613 - 0x10) = _t565;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													 *_t606 = (0x800 - _t589 >> 5) + _t531;
												}
												if( *(_t613 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												__eflags =  *(__ebp - 0x40) - 1;
												if( *(__ebp - 0x40) != 1) {
													__eax =  *(__ebp - 0x24);
													 *(__ebp - 0x80) = 0x16;
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x28);
													 *(__ebp - 0x24) =  *(__ebp - 0x28);
													__eax =  *(__ebp - 0x2c);
													 *(__ebp - 0x28) =  *(__ebp - 0x2c);
													__eax = 0;
													__eflags =  *(__ebp - 0x38) - 7;
													0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
													__al = __al & 0x000000fd;
													__eax = (__eflags >= 0) - 1 + 0xa;
													 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x664;
													__eflags = __eax;
													 *(__ebp - 0x58) = __eax;
													goto L69;
												}
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 8;
												__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t259 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t259;
												0 | _t259 = _t259 + _t259 + 9;
												 *(__ebp - 0x38) = _t259 + _t259 + 9;
												goto L76;
											case 0xa:
												goto L0;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												goto L88;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												goto L69;
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t613 - 0x88) = _t533;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t613 - 0x88) = _t533;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L80;
											case 0x1b:
												L76:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t275 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t275;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t284 = __ebp - 0x64;
												 *_t284 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t284;
												 *( *(__ebp - 0x68)) = __cl;
												L80:
												 *(__ebp - 0x14) = __edx;
												goto L81;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L81:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t535 = _t534 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

0x00000000
0x004064ee
0x004064ee
0x004064f2
0x004064ff
0x00406509
0x00000000
0x004064f4
0x004064f4
0x0040652f
0x00406532
0x00406535
0x00406538
0x00406538
0x0040653b
0x00406542
0x00406547
0x00406428
0x0040642b
0x0040679d
0x0040679d
0x0040679d
0x004067a0
0x004067a0
0x004067a0
0x004067a6
0x004067ac
0x004067b2
0x004067cc
0x004067cf
0x004067d5
0x004067e0
0x004067e2
0x004067b4
0x004067b4
0x004067c3
0x004067c7
0x004067c7
0x004067ec
0x00000000
0x00000000
0x004067ee
0x004067f2
0x004069a1
0x004069b7
0x004069bf
0x004069c6
0x004069c8
0x004069cf
0x004069d3
0x004069d3
0x004067fe
0x00406805
0x0040680d
0x00406810
0x00406813
0x00406813
0x00406819
0x00406819
0x00405fb5
0x00405fb5
0x00405fb5
0x00405fbe
0x00000000
0x00000000
0x00405fc4
0x00000000
0x00405fcf
0x00000000
0x00000000
0x00405fd8
0x00405fdb
0x00405fde
0x00405fe2
0x00000000
0x00000000
0x00405fe8
0x00405feb
0x00405fed
0x00405fee
0x00405ff1
0x00405ff3
0x00405ff4
0x00405ff6
0x00405ff9
0x00405ffe
0x00406003
0x0040600c
0x0040601f
0x00406022
0x0040602e
0x00406056
0x00406058
0x00406066
0x00406066
0x0040606a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040605a
0x0040605a
0x0040605d
0x0040605e
0x0040605e
0x00000000
0x0040605a
0x00406034
0x00406039
0x00406039
0x00406042
0x0040604a
0x0040604d
0x00000000
0x00406053
0x00406053
0x00000000
0x00406053
0x00000000
0x00406070
0x00406070
0x00406074
0x00406920
0x00000000
0x00406920
0x0040607d
0x0040608d
0x00406090
0x00406093
0x00406093
0x00406093
0x00406096
0x0040609a
0x00000000
0x00000000
0x0040609c
0x004060a2
0x004060cc
0x004060d2
0x004060d9
0x00000000
0x004060d9
0x004060a8
0x004060ab
0x004060b0
0x004060b0
0x004060bb
0x004060c3
0x004060c6
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040610b
0x00406111
0x00406114
0x00406121
0x00406129
0x0040679d
0x0040679d
0x00000000
0x00000000
0x004060e0
0x004060e0
0x004060e4
0x0040692f
0x00000000
0x0040692f
0x004060f0
0x004060fb
0x004060fb
0x004060fb
0x004060fe
0x00406101
0x00406104
0x00406109
0x00000000
0x00000000
0x00000000
0x00000000
0x004067a0
0x004067a0
0x004067a6
0x004067ac
0x004067b2
0x004067cc
0x004067cf
0x004067d5
0x004067e0
0x004067e2
0x004067b4
0x004067b4
0x004067c3
0x004067c7
0x004067c7
0x004067ec
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406131
0x00406133
0x00406136
0x004061a7
0x004061aa
0x004061ad
0x004061b4
0x004061be
0x0040679d
0x0040679d
0x0040679d
0x00000000
0x0040679d
0x0040679d
0x00406138
0x0040613c
0x0040613f
0x00406141
0x00406144
0x00406147
0x00406149
0x0040614c
0x0040614e
0x00406153
0x00406156
0x00406159
0x0040615d
0x00406164
0x00406167
0x0040616e
0x00406172
0x0040617a
0x0040617a
0x0040617a
0x00406174
0x00406174
0x00406174
0x00406169
0x00406169
0x00406169
0x0040617e
0x00406181
0x0040619f
0x004061a1
0x00000000
0x00406183
0x00406183
0x00406186
0x00406189
0x0040618c
0x0040618e
0x0040618e
0x0040618e
0x00406191
0x00406194
0x00406196
0x00406197
0x0040619a
0x00000000
0x0040619a
0x00000000
0x004063d0
0x004063d4
0x004063f2
0x004063f5
0x004063fc
0x004063ff
0x00406402
0x00406405
0x00406408
0x0040640b
0x0040640d
0x00406414
0x00406415
0x00406417
0x0040641a
0x0040641d
0x00406420
0x00406420
0x00406425
0x00000000
0x00406425
0x004063d6
0x004063d9
0x004063dc
0x004063e6
0x0040679d
0x0040679d
0x0040679d
0x00000000
0x0040679d
0x00000000
0x0040643a
0x0040643e
0x00406461
0x00406464
0x00406467
0x00406471
0x00406440
0x00406440
0x00406443
0x00406446
0x00406449
0x00406456
0x00406459
0x00406459
0x0040679d
0x0040679d
0x0040679d
0x00000000
0x0040679d
0x00000000
0x0040647d
0x00406481
0x00000000
0x00000000
0x00406487
0x0040648b
0x00000000
0x00000000
0x00406491
0x00406493
0x00406497
0x00406497
0x0040649a
0x0040649e
0x00000000
0x00000000
0x00000000
0x00000000
0x00406515
0x00406519
0x00406520
0x00406523
0x00406526
0x0040651b
0x0040651b
0x0040651b
0x00406529
0x0040652c
0x00000000
0x00000000
0x004065d5
0x004065d5
0x004065d9
0x00406977
0x00000000
0x00406977
0x004065df
0x004065e2
0x004065e5
0x004065e9
0x004065ec
0x004065f2
0x004065f4
0x004065f4
0x004065f4
0x004065f7
0x004065fa
0x00000000
0x00000000
0x004061ca
0x004061ca
0x004061ce
0x0040693b
0x00000000
0x0040693b
0x004061d4
0x004061d7
0x004061da
0x004061de
0x004061e1
0x004061e7
0x004061e9
0x004061e9
0x004061e9
0x004061ec
0x004061ef
0x004061ef
0x004061f2
0x004061f5
0x00000000
0x00000000
0x004061fb
0x00406201
0x00000000
0x00000000
0x00406207
0x00406207
0x0040620b
0x0040620e
0x00406211
0x00406214
0x00406217
0x00406218
0x0040621b
0x0040621d
0x00406223
0x00406226
0x00406229
0x0040622c
0x0040622f
0x00406232
0x00406235
0x00406251
0x00406254
0x00406257
0x0040625a
0x00406261
0x00406265
0x00406267
0x0040626b
0x00406237
0x00406237
0x0040623b
0x00406243
0x00406248
0x0040624a
0x0040624c
0x0040624c
0x0040626e
0x00406275
0x00406278
0x00000000
0x0040627e
0x00000000
0x0040627e
0x00000000
0x00406283
0x00406283
0x00406287
0x00406947
0x00000000
0x00406947
0x0040628d
0x00406290
0x00406293
0x00406297
0x0040629a
0x004062a0
0x004062a2
0x004062a2
0x004062a2
0x004062a5
0x004062a8
0x004062a8
0x004062a8
0x004062ae
0x00000000
0x00000000
0x004062b0
0x004062b3
0x004062b6
0x004062b9
0x004062bc
0x004062bf
0x004062c2
0x004062c5
0x004062c8
0x004062cb
0x004062ce
0x004062e6
0x004062e9
0x004062ec
0x004062ef
0x004062ef
0x004062f2
0x004062f6
0x004062f8
0x004062d0
0x004062d0
0x004062d8
0x004062dd
0x004062df
0x004062e1
0x004062e1
0x004062fb
0x00406302
0x00406305
0x00000000
0x00406307
0x00000000
0x00406307
0x00406305
0x0040630c
0x0040630c
0x0040630c
0x0040630c
0x00000000
0x00000000
0x00406347
0x00406347
0x0040634b
0x00406953
0x00000000
0x00406953
0x00406351
0x00406354
0x00406357
0x0040635b
0x0040635e
0x00406364
0x00406366
0x00406366
0x00406366
0x00406369
0x0040636c
0x0040636c
0x00406372
0x00406310
0x00406310
0x00406313
0x00000000
0x00406313
0x00406374
0x00406374
0x00406377
0x0040637a
0x0040637d
0x00406380
0x00406383
0x00406386
0x00406389
0x0040638c
0x0040638f
0x00406392
0x004063aa
0x004063ad
0x004063b0
0x004063b3
0x004063b3
0x004063b6
0x004063ba
0x004063bc
0x00406394
0x00406394
0x0040639c
0x004063a1
0x004063a3
0x004063a5
0x004063a5
0x004063bf
0x004063c6
0x004063c9
0x00000000
0x004063cb
0x00000000
0x004063cb
0x00000000
0x00406658
0x00406658
0x0040665c
0x00406983
0x00000000
0x00406983
0x00406662
0x00406665
0x00406668
0x0040666c
0x0040666f
0x00406675
0x00406677
0x00406677
0x00406677
0x0040667a
0x00000000
0x00000000
0x00000000
0x00000000
0x00406767
0x0040676b
0x0040678d
0x00406790
0x0040679a
0x0040679d
0x0040679d
0x0040679d
0x00000000
0x0040679d
0x0040679d
0x0040676d
0x00406770
0x00406774
0x00406777
0x00406777
0x0040677a
0x00000000
0x00000000
0x00406824
0x00406828
0x00406846
0x00406846
0x00406846
0x0040684d
0x00406854
0x0040685b
0x0040685b
0x00000000
0x0040685b
0x0040682a
0x0040682d
0x00406830
0x00406833
0x0040683a
0x0040677e
0x0040677e
0x00406781
0x00000000
0x00000000
0x00406915
0x00406918
0x00406819
0x00000000
0x00000000
0x0040654f
0x00406551
0x00406558
0x00406559
0x0040655b
0x0040655e
0x00000000
0x00000000
0x00406566
0x00406569
0x0040656c
0x0040656e
0x00406570
0x00406570
0x00406571
0x00406574
0x0040657b
0x0040657e
0x0040658c
0x00000000
0x00000000
0x00406862
0x00406862
0x00406865
0x0040686c
0x00000000
0x00000000
0x00406871
0x00406871
0x00406875
0x004069ad
0x00000000
0x004069ad
0x0040687b
0x0040687e
0x00406881
0x00406885
0x00406888
0x0040688e
0x00406890
0x00406890
0x00406890
0x00406893
0x00406896
0x00406896
0x00406896
0x00406896
0x00406899
0x00406899
0x0040689d
0x004068fd
0x00406900
0x00406905
0x00406906
0x00406908
0x0040690a
0x0040690d
0x00406819
0x00406819
0x00000000
0x0040681f
0x00406819
0x0040689f
0x004068a5
0x004068a8
0x004068ab
0x004068ae
0x004068b1
0x004068b4
0x004068b7
0x004068ba
0x004068bd
0x004068c0
0x004068d9
0x004068dc
0x004068df
0x004068e2
0x004068e6
0x004068e8
0x004068e8
0x004068e9
0x004068ec
0x004068c2
0x004068c2
0x004068ca
0x004068cf
0x004068d1
0x004068d4
0x004068d4
0x004068ef
0x004068f6
0x00000000
0x004068f8
0x00000000
0x004068f8
0x00000000
0x00406594
0x00406597
0x004065cd
0x004066fd
0x004066fd
0x004066fd
0x004066fd
0x00406700
0x00406700
0x00406703
0x00406705
0x0040698f
0x00000000
0x0040698f
0x0040670b
0x0040670e
0x00000000
0x00000000
0x00406714
0x00406718
0x0040671b
0x0040671b
0x0040671b
0x00000000
0x0040671b
0x00406599
0x0040659b
0x0040659d
0x0040659f
0x004065a2
0x004065a3
0x004065a5
0x004065a7
0x004065aa
0x004065ad
0x004065c3
0x004065c8
0x00406600
0x00406600
0x00406604
0x00406630
0x00406632
0x00406639
0x0040663c
0x0040663f
0x0040663f
0x00406644
0x00406644
0x00406646
0x00406649
0x00406650
0x00406653
0x00406680
0x00406680
0x00406683
0x00406686
0x004066fa
0x004066fa
0x004066fa
0x00000000
0x004066fa
0x00406688
0x0040668e
0x00406691
0x00406694
0x00406697
0x0040669a
0x0040669d
0x004066a0
0x004066a3
0x004066a6
0x004066a9
0x004066c2
0x004066c4
0x004066c7
0x004066c8
0x004066cb
0x004066cd
0x004066d0
0x004066d2
0x004066d4
0x004066d7
0x004066d9
0x004066dc
0x004066e0
0x004066e2
0x004066e2
0x004066e3
0x004066e6
0x004066e9
0x004066ab
0x004066ab
0x004066b3
0x004066b8
0x004066ba
0x004066bd
0x004066bd
0x004066ec
0x004066f3
0x0040667d
0x0040667d
0x0040667d
0x0040667d
0x00000000
0x004066f5
0x00000000
0x004066f5
0x004066f3
0x00406606
0x00406609
0x0040660b
0x0040660e
0x00406611
0x00406614
0x00406616
0x00406619
0x0040661c
0x0040661c
0x0040661f
0x0040661f
0x00406622
0x00406629
0x004065fd
0x004065fd
0x004065fd
0x004065fd
0x00000000
0x0040662b
0x00000000
0x0040662b
0x00406629
0x004065af
0x004065b2
0x004065b4
0x004065b7
0x00000000
0x00000000
0x00406316
0x00406316
0x0040631a
0x0040695f
0x00000000
0x0040695f
0x00406320
0x00406323
0x00406326
0x00406329
0x0040632c
0x0040632f
0x00406332
0x00406334
0x00406337
0x0040633a
0x0040633d
0x0040633f
0x0040633f
0x0040633f
0x00000000
0x00000000
0x004064a1
0x004064a1
0x004064a5
0x0040696b
0x00000000
0x0040696b
0x004064ab
0x004064ae
0x004064b1
0x004064b4
0x004064b6
0x004064b6
0x004064b6
0x004064b9
0x004064bc
0x004064bf
0x004064c2
0x004064c5
0x004064c8
0x004064c9
0x004064cb
0x004064cb
0x004064cb
0x004064ce
0x004064d1
0x004064d4
0x004064d7
0x004064d7
0x004064d7
0x004064da
0x004064dc
0x004064dc
0x00000000
0x00000000
0x0040671e
0x0040671e
0x0040671e
0x00406722
0x00000000
0x00000000
0x00406728
0x0040672b
0x0040672e
0x00406731
0x00406733
0x00406733
0x00406733
0x00406736
0x00406739
0x0040673c
0x0040673f
0x00406742
0x00406745
0x00406746
0x00406748
0x00406748
0x00406748
0x0040674b
0x0040674e
0x00406751
0x00406754
0x00406757
0x0040675b
0x0040675d
0x00406760
0x00000000
0x00406762
0x004064df
0x004064df
0x00000000
0x004064df
0x00406760
0x00406995
0x00000000
0x00000000
0x00405fc4
0x004069cc
0x004069cc
0x00000000
0x004069cc
0x00406819
0x004067a0
0x0040679d
0x00000000
0x004064f2

Memory Dump Source

Source File: 00000000.00000002.587792505.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.587773902.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587822461.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587850301.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587901452.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587919547.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587936413.0000000000436000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587943185.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_CL-Eye-Driver-5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55b1e8378e3b2d282ecc9e99db2cbf184c75cfe722202a43e2005f386b139382
Instruction ID: 067b91939e33353516387f96afd3df60e22fb0a2a23546be1218d687de4ca84d
Opcode Fuzzy Hash: 55b1e8378e3b2d282ecc9e99db2cbf184c75cfe722202a43e2005f386b139382
Instruction Fuzzy Hash: 14715371E00229CFEF28CF98C844BADBBB1FB44305F15816AD816BB281C7799996DF54

Uniqueness

Uniqueness Score: -1.00%

Function 0040643A, Relevance: 5.2, APIs: 4, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E0040643A() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xa;
						_t606 =  *(_t613 - 4) + 0x1b0 +  *(_t613 - 0x38) * 2;
					} else {
						 *(__ebp - 0x84) = 9;
						 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
					}
					while(1) {
						 *(_t613 - 0x54) = _t606;
						while(1) {
							L133:
							_t531 =  *_t606;
							_t589 = _t531 & 0x0000ffff;
							_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
							if( *(_t613 - 0xc) >= _t565) {
								 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
								 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
								 *(_t613 - 0x40) = 1;
								_t532 = _t531 - (_t531 >> 5);
								 *_t606 = _t532;
							} else {
								 *(_t613 - 0x10) = _t565;
								 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
								 *_t606 = (0x800 - _t589 >> 5) + _t531;
							}
							if( *(_t613 - 0x10) >= 0x1000000) {
								goto L139;
							}
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								L170:
								_t568 = 0x22;
								memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
								_t535 = 0;
								L172:
								return _t535;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L139:
							_t533 =  *(_t613 - 0x84);
							while(1) {
								 *(_t613 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t613 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M004069D4))) {
										case 0:
											if( *(_t613 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t534 =  *( *(_t613 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t570);
											_push(9);
											_pop(_t571);
											_t609 = _t538 / _t570;
											_t540 = _t538 % _t570 & 0x000000ff;
											asm("cdq");
											_t604 = _t540 % _t571 & 0x000000ff;
											 *(_t613 - 0x3c) = _t604;
											 *(_t613 - 0x1c) = (1 << _t609) - 1;
											 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
											_t612 = (0x300 << _t604 + _t609) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
												L10:
												if(_t612 == 0) {
													L12:
													 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t612 = _t612 - 1;
													 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
												} while (_t612 != 0);
												goto L12;
											}
											if( *(_t613 - 4) != 0) {
												GlobalFree( *(_t613 - 4));
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t613 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 1;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t45 = _t613 - 0x48;
											 *_t45 =  *(_t613 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t613 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t613 - 0x40);
											if(_t546 ==  *(_t613 - 0x74)) {
												L20:
												 *(_t613 - 0x48) = 5;
												 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t613 - 0x74) = _t546;
											if( *(_t613 - 8) != 0) {
												GlobalFree( *(_t613 - 8));
											}
											_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
											 *(_t613 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
											 *(_t613 - 0x84) = 6;
											 *(_t613 - 0x4c) = _t553;
											_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
											 *(_t613 - 0x54) = _t606;
											goto L133;
										case 3:
											L21:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 3;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											_t67 = _t613 - 0x70;
											 *_t67 =  &(( *(_t613 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
											L23:
											 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
											if( *(_t613 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t606;
											_t589 = _t531 & 0x0000ffff;
											_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
											if( *(_t613 - 0xc) >= _t565) {
												 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
												 *(_t613 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												 *_t606 = _t532;
											} else {
												 *(_t613 - 0x10) = _t565;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
												 *_t606 = (0x800 - _t589 >> 5) + _t531;
											}
											if( *(_t613 - 0x10) >= 0x1000000) {
												goto L139;
											}
										case 5:
											goto L137;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 8:
											goto L0;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L89;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t258 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t258;
											0 | _t258 = _t258 + _t258 + 9;
											 *(__ebp - 0x38) = _t258 + _t258 + 9;
											goto L75;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x28);
											goto L88;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L88:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L89:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 0x12:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *(__ebp - 0x7c) = 0x14;
												goto L145;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											 *(_t613 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											L145:
											__eax =  *(__ebp - 0x40);
											 *(__ebp - 0x50) = 1;
											 *(__ebp - 0x48) =  *(__ebp - 0x40);
											goto L149;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											L149:
											__eflags =  *(__ebp - 0x48);
											if( *(__ebp - 0x48) <= 0) {
												__ecx =  *(__ebp - 0x40);
												__ebx =  *(__ebp - 0x50);
												0 = 1;
												__eax = 1 << __cl;
												__ebx =  *(__ebp - 0x50) - (1 << __cl);
												__eax =  *(__ebp - 0x7c);
												 *(__ebp - 0x44) = __ebx;
												while(1) {
													 *(_t613 - 0x88) = _t533;
													goto L1;
												}
											}
											__eax =  *(__ebp - 0x50);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
											__eax =  *(__ebp - 0x58);
											__esi = __edx + __eax;
											 *(__ebp - 0x54) = __esi;
											__ax =  *__esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												__cx = __ax >> 5;
												__eax = __eax - __ecx;
												__edx = __edx + 1;
												__eflags = __edx;
												 *__esi = __ax;
												 *(__ebp - 0x50) = __edx;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L148;
											} else {
												goto L146;
											}
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														goto L109;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													goto L99;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L79;
										case 0x1b:
											L75:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t274 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t274;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t283 = __ebp - 0x64;
											 *_t283 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t283;
											 *( *(__ebp - 0x68)) = __cl;
											L79:
											 *(__ebp - 0x14) = __edx;
											goto L80;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L80:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

0x00000000
0x0040643a
0x0040643a
0x0040643e
0x00406467
0x00406471
0x00406440
0x00406449
0x00406456
0x00406459
0x0040679d
0x0040679d
0x004067a0
0x004067a0
0x004067a0
0x004067a6
0x004067ac
0x004067b2
0x004067cc
0x004067cf
0x004067d5
0x004067e0
0x004067e2
0x004067b4
0x004067b4
0x004067c3
0x004067c7
0x004067c7
0x004067ec
0x00000000
0x00000000
0x004067ee
0x004067f2
0x004069a1
0x004069b7
0x004069bf
0x004069c6
0x004069c8
0x004069cf
0x004069d3
0x004069d3
0x004067fe
0x00406805
0x0040680d
0x00406810
0x00406813
0x00406813
0x00406819
0x00406819
0x00405fb5
0x00405fb5
0x00405fb5
0x00405fbe
0x00000000
0x00000000
0x00405fc4
0x00000000
0x00405fcf
0x00000000
0x00000000
0x00405fd8
0x00405fdb
0x00405fde
0x00405fe2
0x00000000
0x00000000
0x00405fe8
0x00405feb
0x00405fed
0x00405fee
0x00405ff1
0x00405ff3
0x00405ff4
0x00405ff6
0x00405ff9
0x00405ffe
0x00406003
0x0040600c
0x0040601f
0x00406022
0x0040602e
0x00406056
0x00406058
0x00406066
0x00406066
0x0040606a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040605a
0x0040605a
0x0040605d
0x0040605e
0x0040605e
0x00000000
0x0040605a
0x00406034
0x00406039
0x00406039
0x00406042
0x0040604a
0x0040604d
0x00000000
0x00406053
0x00406053
0x00000000
0x00406053
0x00000000
0x00406070
0x00406070
0x00406074
0x00406920
0x00000000
0x00406920
0x0040607d
0x0040608d
0x00406090
0x00406093
0x00406093
0x00406093
0x00406096
0x0040609a
0x00000000
0x00000000
0x0040609c
0x004060a2
0x004060cc
0x004060d2
0x004060d9
0x00000000
0x004060d9
0x004060a8
0x004060ab
0x004060b0
0x004060b0
0x004060bb
0x004060c3
0x004060c6
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040610b
0x00406111
0x00406114
0x00406121
0x00406129
0x0040679d
0x00000000
0x00000000
0x004060e0
0x004060e0
0x004060e4
0x0040692f
0x00000000
0x0040692f
0x004060f0
0x004060fb
0x004060fb
0x004060fb
0x004060fe
0x00406101
0x00406104
0x00406109
0x00000000
0x00000000
0x00000000
0x00000000
0x004067a0
0x004067a0
0x004067a6
0x004067ac
0x004067b2
0x004067cc
0x004067cf
0x004067d5
0x004067e0
0x004067e2
0x004067b4
0x004067b4
0x004067c3
0x004067c7
0x004067c7
0x004067ec
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406131
0x00406133
0x00406136
0x004061a7
0x004061aa
0x004061ad
0x004061b4
0x004061be
0x0040679d
0x0040679d
0x00000000
0x0040679d
0x0040679d
0x00406138
0x0040613c
0x0040613f
0x00406141
0x00406144
0x00406147
0x00406149
0x0040614c
0x0040614e
0x00406153
0x00406156
0x00406159
0x0040615d
0x00406164
0x00406167
0x0040616e
0x00406172
0x0040617a
0x0040617a
0x0040617a
0x00406174
0x00406174
0x00406174
0x00406169
0x00406169
0x00406169
0x0040617e
0x00406181
0x0040619f
0x004061a1
0x00000000
0x00406183
0x00406183
0x00406186
0x00406189
0x0040618c
0x0040618e
0x0040618e
0x0040618e
0x00406191
0x00406194
0x00406196
0x00406197
0x0040619a
0x00000000
0x0040619a
0x00000000
0x004063d0
0x004063d4
0x004063f2
0x004063f5
0x004063fc
0x004063ff
0x00406402
0x00406405
0x00406408
0x0040640b
0x0040640d
0x00406414
0x00406415
0x00406417
0x0040641a
0x0040641d
0x00406420
0x00406420
0x00406425
0x00000000
0x00406425
0x004063d6
0x004063d9
0x004063dc
0x004063e6
0x0040679d
0x0040679d
0x00000000
0x0040679d
0x00000000
0x00000000
0x00000000
0x0040647d
0x00406481
0x00000000
0x00000000
0x00406487
0x0040648b
0x00000000
0x00000000
0x00406491
0x00406493
0x00406497
0x00406497
0x0040649a
0x0040649e
0x00000000
0x00000000
0x004064ee
0x004064f2
0x004064f9
0x004064fc
0x004064ff
0x00406509
0x0040679d
0x0040679d
0x00000000
0x0040679d
0x0040679d
0x004064f4
0x00000000
0x00000000
0x00406515
0x00406519
0x00406520
0x00406523
0x00406526
0x0040651b
0x0040651b
0x0040651b
0x00406529
0x0040652c
0x0040652f
0x0040652f
0x00406532
0x00406535
0x00406538
0x00406538
0x0040653b
0x00406542
0x00406547
0x00000000
0x00000000
0x004065d5
0x004065d5
0x004065d9
0x00406977
0x00000000
0x00406977
0x004065df
0x004065e2
0x004065e5
0x004065e9
0x004065ec
0x004065f2
0x004065f4
0x004065f4
0x004065f4
0x004065f7
0x004065fa
0x00000000
0x00000000
0x004061ca
0x004061ca
0x004061ce
0x0040693b
0x00000000
0x0040693b
0x004061d4
0x004061d7
0x004061da
0x004061de
0x004061e1
0x004061e7
0x004061e9
0x004061e9
0x004061e9
0x004061ec
0x004061ef
0x004061ef
0x004061f2
0x004061f5
0x00000000
0x00000000
0x004061fb
0x00406201
0x00000000
0x00000000
0x00406207
0x00406207
0x0040620b
0x0040620e
0x00406211
0x00406214
0x00406217
0x00406218
0x0040621b
0x0040621d
0x00406223
0x00406226
0x00406229
0x0040622c
0x0040622f
0x00406232
0x00406235
0x00406251
0x00406254
0x00406257
0x0040625a
0x00406261
0x00406265
0x00406267
0x0040626b
0x00406237
0x00406237
0x0040623b
0x00406243
0x00406248
0x0040624a
0x0040624c
0x0040624c
0x0040626e
0x00406275
0x00406278
0x00000000
0x0040627e
0x00000000
0x0040627e
0x00000000
0x00406283
0x00406283
0x00406287
0x00406947
0x00000000
0x00406947
0x0040628d
0x00406290
0x00406293
0x00406297
0x0040629a
0x004062a0
0x004062a2
0x004062a2
0x004062a2
0x004062a5
0x004062a8
0x004062a8
0x004062a8
0x004062ae
0x00000000
0x00000000
0x004062b0
0x004062b3
0x004062b6
0x004062b9
0x004062bc
0x004062bf
0x004062c2
0x004062c5
0x004062c8
0x004062cb
0x004062ce
0x004062e6
0x004062e9
0x004062ec
0x004062ef
0x004062ef
0x004062f2
0x004062f6
0x004062f8
0x004062d0
0x004062d0
0x004062d8
0x004062dd
0x004062df
0x004062e1
0x004062e1
0x004062fb
0x00406302
0x00406305
0x00000000
0x00406307
0x00000000
0x00406307
0x00406305
0x0040630c
0x0040630c
0x0040630c
0x0040630c
0x00000000
0x00000000
0x00406347
0x00406347
0x0040634b
0x00406953
0x00000000
0x00406953
0x00406351
0x00406354
0x00406357
0x0040635b
0x0040635e
0x00406364
0x00406366
0x00406366
0x00406366
0x00406369
0x0040636c
0x0040636c
0x00406372
0x00406310
0x00406310
0x00406313
0x00000000
0x00406313
0x00406374
0x00406374
0x00406377
0x0040637a
0x0040637d
0x00406380
0x00406383
0x00406386
0x00406389
0x0040638c
0x0040638f
0x00406392
0x004063aa
0x004063ad
0x004063b0
0x004063b3
0x004063b3
0x004063b6
0x004063ba
0x004063bc
0x00406394
0x00406394
0x0040639c
0x004063a1
0x004063a3
0x004063a5
0x004063a5
0x004063bf
0x004063c6
0x004063c9
0x00000000
0x004063cb
0x00000000
0x004063cb
0x00000000
0x00406658
0x00406658
0x0040665c
0x00406983
0x00000000
0x00406983
0x00406662
0x00406665
0x00406668
0x0040666c
0x0040666f
0x00406675
0x00406677
0x00406677
0x00406677
0x0040667a
0x00000000
0x00000000
0x00406428
0x00406428
0x0040642b
0x0040679d
0x0040679d
0x00000000
0x0040679d
0x00000000
0x00406767
0x0040676b
0x0040678d
0x00406790
0x0040679a
0x0040679d
0x0040679d
0x00000000
0x0040679d
0x0040679d
0x0040676d
0x00406770
0x00406774
0x00406777
0x00406777
0x0040677a
0x00000000
0x00000000
0x00406824
0x00406828
0x00406846
0x00406846
0x00406846
0x0040684d
0x00406854
0x0040685b
0x0040685b
0x00000000
0x0040685b
0x0040682a
0x0040682d
0x00406830
0x00406833
0x0040683a
0x0040677e
0x0040677e
0x00406781
0x00000000
0x00000000
0x00406915
0x00406918
0x00406819
0x00000000
0x00000000
0x0040654f
0x00406551
0x00406558
0x00406559
0x0040655b
0x0040655e
0x00000000
0x00000000
0x00406566
0x00406569
0x0040656c
0x0040656e
0x00406570
0x00406570
0x00406571
0x00406574
0x0040657b
0x0040657e
0x0040658c
0x00000000
0x00000000
0x00406862
0x00406862
0x00406865
0x0040686c
0x00000000
0x00000000
0x00406871
0x00406871
0x00406875
0x004069ad
0x00000000
0x004069ad
0x0040687b
0x0040687e
0x00406881
0x00406885
0x00406888
0x0040688e
0x00406890
0x00406890
0x00406890
0x00406893
0x00406896
0x00406896
0x00406896
0x00406896
0x00406899
0x00406899
0x0040689d
0x004068fd
0x00406900
0x00406905
0x00406906
0x00406908
0x0040690a
0x0040690d
0x00406819
0x00406819
0x00000000
0x0040681f
0x00406819
0x0040689f
0x004068a5
0x004068a8
0x004068ab
0x004068ae
0x004068b1
0x004068b4
0x004068b7
0x004068ba
0x004068bd
0x004068c0
0x004068d9
0x004068dc
0x004068df
0x004068e2
0x004068e6
0x004068e8
0x004068e8
0x004068e9
0x004068ec
0x004068c2
0x004068c2
0x004068ca
0x004068cf
0x004068d1
0x004068d4
0x004068d4
0x004068ef
0x004068f6
0x00000000
0x004068f8
0x00000000
0x004068f8
0x00000000
0x00406594
0x00406597
0x004065cd
0x004066fd
0x004066fd
0x004066fd
0x004066fd
0x00406700
0x00406700
0x00406703
0x00406705
0x0040698f
0x00000000
0x0040698f
0x0040670b
0x0040670e
0x00000000
0x00000000
0x00406714
0x00406718
0x0040671b
0x0040671b
0x0040671b
0x00000000
0x0040671b
0x00406599
0x0040659b
0x0040659d
0x0040659f
0x004065a2
0x004065a3
0x004065a5
0x004065a7
0x004065aa
0x004065ad
0x004065c3
0x004065c8
0x00406600
0x00406600
0x00406604
0x00406630
0x00406632
0x00406639
0x0040663c
0x0040663f
0x0040663f
0x00406644
0x00406644
0x00406646
0x00406649
0x00406650
0x00406653
0x00406680
0x00406680
0x00406683
0x00406686
0x004066fa
0x004066fa
0x004066fa
0x00000000
0x004066fa
0x00406688
0x0040668e
0x00406691
0x00406694
0x00406697
0x0040669a
0x0040669d
0x004066a0
0x004066a3
0x004066a6
0x004066a9
0x004066c2
0x004066c4
0x004066c7
0x004066c8
0x004066cb
0x004066cd
0x004066d0
0x004066d2
0x004066d4
0x004066d7
0x004066d9
0x004066dc
0x004066e0
0x004066e2
0x004066e2
0x004066e3
0x004066e6
0x004066e9
0x004066ab
0x004066ab
0x004066b3
0x004066b8
0x004066ba
0x004066bd
0x004066bd
0x004066ec
0x004066f3
0x0040667d
0x0040667d
0x0040667d
0x0040667d
0x00000000
0x004066f5
0x00000000
0x004066f5
0x004066f3
0x00406606
0x00406609
0x0040660b
0x0040660e
0x00406611
0x00406614
0x00406616
0x00406619
0x0040661c
0x0040661c
0x0040661f
0x0040661f
0x00406622
0x00406629
0x004065fd
0x004065fd
0x004065fd
0x004065fd
0x00000000
0x0040662b
0x00000000
0x0040662b
0x00406629
0x004065af
0x004065b2
0x004065b4
0x004065b7
0x00000000
0x00000000
0x00406316
0x00406316
0x0040631a
0x0040695f
0x00000000
0x0040695f
0x00406320
0x00406323
0x00406326
0x00406329
0x0040632c
0x0040632f
0x00406332
0x00406334
0x00406337
0x0040633a
0x0040633d
0x0040633f
0x0040633f
0x0040633f
0x00000000
0x00000000
0x004064a1
0x004064a1
0x004064a5
0x0040696b
0x00000000
0x0040696b
0x004064ab
0x004064ae
0x004064b1
0x004064b4
0x004064b6
0x004064b6
0x004064b6
0x004064b9
0x004064bc
0x004064bf
0x004064c2
0x004064c5
0x004064c8
0x004064c9
0x004064cb
0x004064cb
0x004064cb
0x004064ce
0x004064d1
0x004064d4
0x004064d7
0x004064d7
0x004064d7
0x004064da
0x004064dc
0x004064dc
0x00000000
0x00000000
0x0040671e
0x0040671e
0x0040671e
0x00406722
0x00000000
0x00000000
0x00406728
0x0040672b
0x0040672e
0x00406731
0x00406733
0x00406733
0x00406733
0x00406736
0x00406739
0x0040673c
0x0040673f
0x00406742
0x00406745
0x00406746
0x00406748
0x00406748
0x00406748
0x0040674b
0x0040674e
0x00406751
0x00406754
0x00406757
0x0040675b
0x0040675d
0x00406760
0x00000000
0x00406762
0x004064df
0x004064df
0x00000000
0x004064df
0x00406760
0x00406995
0x00000000
0x00000000
0x00405fc4
0x004069cc
0x004069cc
0x00000000
0x004069cc
0x00406819
0x004067a0
0x0040679d

Memory Dump Source

Source File: 00000000.00000002.587792505.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.587773902.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587822461.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587850301.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587901452.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587919547.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587936413.0000000000436000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587943185.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_CL-Eye-Driver-5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c10b0ec6d8a1716373c4594016b158d4b4e2bf5790cbb1f15a9d43b973b4a336
Instruction ID: fa01dbb36adddbb747bc37ce8d7c8691094d52a97b4972d7f98645f49a39bfe1
Opcode Fuzzy Hash: c10b0ec6d8a1716373c4594016b158d4b4e2bf5790cbb1f15a9d43b973b4a336
Instruction Fuzzy Hash: B3715671D00229CBEF28CF98C844BADBBB1FF44305F11816AD856BB281C7795A56DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00405A4D, Relevance: 4.5, APIs: 3, Instructions: 45
registryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00405A4D(void* _a4, int _a8, char* _a12, int _a16, void* _a20) {
				long _t20;
				long _t23;
				long _t24;
				char* _t26;

				asm("sbb eax, eax");
				_t26 = _a16;
				 *_t26 = 0;
				_t20 = RegOpenKeyExA(_a4, _a8, 0,  ~_a20 & 0x00000100 | 0x00020019,  &_a20); // executed
				if(_t20 == 0) {
					_a8 = 0x400;
					_t23 = RegQueryValueExA(_a20, _a12, 0,  &_a16, _t26,  &_a8); // executed
					if(_t23 != 0 || _a16 != 1 && _a16 != 2) {
						 *_t26 = 0;
					}
					_t26[0x3ff] = 0;
					_t24 = RegCloseKey(_a20); // executed
					return _t24;
				}
				return _t20;
			}

0x00405a5d
0x00405a5f
0x00405a6c
0x00405a76
0x00405a7e
0x00405a83
0x00405a97
0x00405a9f
0x00405aad
0x00405aad
0x00405ab2
0x00405ab8
0x00000000
0x00405ab8
0x00405ac1

APIs

RegOpenKeyExA.KERNELBASE(80000002,00405C89,00000000,00000002,?,00000002,002D3BD9,?,00405C89,80000002,Software\Microsoft\Windows\CurrentVersion,002D3BD9,Exec,006F7AB1), ref: 00405A76
RegQueryValueExA.KERNELBASE(002D3BD9,?,00000000,00405C89,002D3BD9,00405C89), ref: 00405A97
RegCloseKey.KERNELBASE(?), ref: 00405AB8

Memory Dump Source

Source File: 00000000.00000002.587792505.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.587773902.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587822461.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587850301.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587901452.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587919547.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587936413.0000000000436000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587943185.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_CL-Eye-Driver-5.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 20ca1dc64cf80f35bde4a5a459f169022cfe0f17446037da1f5ac97088a586f8
Instruction ID: 1f5187eb0d206272966296eac295dca0b6851c7ebc3b2299c22a00064415c0d3
Opcode Fuzzy Hash: 20ca1dc64cf80f35bde4a5a459f169022cfe0f17446037da1f5ac97088a586f8
Instruction Fuzzy Hash: 5E01487114020AEFDB128F64EC84AEB3FACEF14394F004526F945E6120D335D964DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 004031BF, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004031BF(void* _a4, long _a8) {
				int _t6;
				long _t10;

				_t10 = _a8;
				_t6 = ReadFile( *0x409014, _a4, _t10,  &_a8, 0); // executed
				if(_t6 == 0 || _a8 != _t10) {
					return 0;
				} else {
					return 1;
				}
			}

0x004031c3
0x004031d6
0x004031de
0x00000000
0x004031e5
0x00000000
0x004031e7

APIs

ReadFile.KERNELBASE(00409130,00000000,00000000,00000000,ntrolService,0040B040,004030C4,ntrolService,00004000,?,00000000,?,00402F4E,00000004,00000000,00000000), ref: 004031D6

Strings

ntrolService, xrefs: 004031C2

Memory Dump Source

Source File: 00000000.00000002.587792505.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.587773902.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587822461.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587850301.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587901452.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587919547.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587936413.0000000000436000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587943185.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_CL-Eye-Driver-5.jbxd

Similarity

API ID: FileRead
String ID: ntrolService
API String ID: 2738559852-2971896348
Opcode ID: 728267699a9b44ddad9e6e694247195ab13049bac6004c2e56fc09e99b3f0f19
Instruction ID: 4c5c04567c480c11bae84e94003d2882b37cb3083c3cc1db03504fe221b835f3
Opcode Fuzzy Hash: 728267699a9b44ddad9e6e694247195ab13049bac6004c2e56fc09e99b3f0f19
Instruction Fuzzy Hash: DAE08631500119BBCF215E619C00A973B5CEB09362F008033FA04E9190D532DB109BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00403EF1, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403EF1(int _a4) {
				long _t3;

				if(_a4 == 0x78) {
					 *0x42366c =  *0x42366c + 1;
				}
				_t3 = SendMessageA( *0x423ea8, 0x408, _a4, 0); // executed
				return _t3;
			}

0x00403ef6
0x00403ef8
0x00403ef8
0x00403f0f
0x00403f15

APIs

SendMessageA.USER32(00000408,?,00000000,00403B53), ref: 00403F0F

Strings

x, xrefs: 00403EF1

Memory Dump Source

Source File: 00000000.00000002.587792505.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.587773902.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587822461.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587850301.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587901452.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587919547.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587936413.0000000000436000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587943185.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_CL-Eye-Driver-5.jbxd

Similarity

API ID: MessageSend
String ID: x
API String ID: 3850602802-2363233923
Opcode ID: 46d605fedc9b17ed3aa99e624faff798016ffe450984ce7ce2feb54509c3447d
Instruction ID: 0a00224ba8322c10e7c5ad3fa7d0cdf23506fb3b21bf1cf3cfca3f20ccc8a775
Opcode Fuzzy Hash: 46d605fedc9b17ed3aa99e624faff798016ffe450984ce7ce2feb54509c3447d
Instruction Fuzzy Hash: 29C012B2688200BECB205F12DE01F06BA31E7A0703F109039F344200B4C2B86622EB0D

Uniqueness

Uniqueness Score: -1.00%

Function 0688120C, Relevance: 3.2, APIs: 2, Instructions: 156COMMON

Download Yara Rule

APIs

LoadImageA.USER32(00000000), ref: 068812CB
GetLastError.KERNEL32 ref: 068813D2

Memory Dump Source

Source File: 00000000.00000002.594659633.0000000006881000.00000020.00020000.sdmp, Offset: 06880000, based on PE: true

Associated: 00000000.00000002.594653439.0000000006880000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.594671367.0000000006883000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.594679270.0000000006885000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6880000_CL-Eye-Driver-5.jbxd

Similarity

API ID: ErrorImageLastLoad
String ID:
API String ID: 2189606529-0
Opcode ID: 30497e292fd77e5230dc2554dc8730fe559cbe6610d4a6a1ea912c9d9aa7d7aa
Instruction ID: c6c8282f6077dd4fabfbd57f377ddb67b6b067304d884c1b201e8a1071927be5
Opcode Fuzzy Hash: 30497e292fd77e5230dc2554dc8730fe559cbe6610d4a6a1ea912c9d9aa7d7aa
Instruction Fuzzy Hash: 1451937390020ADFDBE0FFACEC95B6E37A5EB54354F104926D644C7201DB389A81CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00401389, Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00401389(signed int _a4) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				intOrPtr _t15;
				signed int _t16;
				signed int _t17;
				void* _t18;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t15 =  *0x423ed0; // 0x6f170c
					_t6 = _t17 * 0x1c + _t15;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
						 *0x42368c =  *0x42368c + _t12;
						SendMessageA( *(_t18 + 0x18), 0x402, MulDiv( *0x42368c, 0x7530,  *0x423674), 0); // executed
					}
				}
				return 0;
			}

0x0040138a
0x004013fa
0x00401392
0x0040139b
0x004013a0
0x00000000
0x00000000
0x004013a2
0x004013a3
0x004013ad
0x00000000
0x00401404
0x004013b0
0x004013b7
0x004013bd
0x004013be
0x004013c0
0x004013c2
0x004013b9
0x004013b9
0x004013ba
0x004013ba
0x004013c9
0x004013cb
0x004013f4
0x004013f4
0x004013c9
0x00000000

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.587792505.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.587773902.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587822461.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587850301.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587901452.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587919547.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587936413.0000000000436000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587943185.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_CL-Eye-Driver-5.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 7b8e9ba5108b55dad21e1cb19ef7846daac3b048e1c883625bc8c045044f289d
Instruction ID: b71ad761f0ea07ecc4e6183a90c0cd8288537aab3e92bb5761005deb6e4a9b1f
Opcode Fuzzy Hash: 7b8e9ba5108b55dad21e1cb19ef7846daac3b048e1c883625bc8c045044f289d
Instruction Fuzzy Hash: 20014431B24210ABE7291B388D08B2A32ADE714315F10423FF801F32F0D678DC028B4C

Uniqueness

Uniqueness Score: -1.00%

Function 00402866, Relevance: 3.0, APIs: 2, Instructions: 21
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402866(signed int __eax) {
				RECT* _t10;
				void* _t16;

				SendMessageA( *(_t16 - 0x34), 0xb,  *0x4214a0 & __eax, _t10); // executed
				if( *((intOrPtr*)(_t16 - 0x24)) != _t10) {
					InvalidateRect( *(_t16 - 0x34), _t10, _t10);
				}
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t16 - 4));
				return 0;
			}

0x00402875
0x0040287e
0x00402885
0x00402885
0x0040288e
0x0040289a

APIs

SendMessageA.USER32(?,0000000B,?), ref: 00402875
InvalidateRect.USER32(?), ref: 00402885

Memory Dump Source

Source File: 00000000.00000002.587792505.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.587773902.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587822461.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587850301.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587901452.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587919547.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587936413.0000000000436000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587943185.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_CL-Eye-Driver-5.jbxd

Similarity

API ID: InvalidateMessageRectSend
String ID:
API String ID: 909852535-0
Opcode ID: 46d6f11c940701ec0eb3576edbaf6f76ecda1d887e6a847d8cdde8d99bec7f9f
Instruction ID: bcd717e7596d016e205178ba64243b8d7c77eee19d70b8784ae4534d65a4b435
Opcode Fuzzy Hash: 46d6f11c940701ec0eb3576edbaf6f76ecda1d887e6a847d8cdde8d99bec7f9f
Instruction Fuzzy Hash: 2AE08C72B00104FFDB10DF94FE959AE77BAEB44359B10007AF201F10A0D2341D00CA28

Uniqueness

Uniqueness Score: -1.00%

Function 00401D95, Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000,00000001), ref: 00401DAB
EnableWindow.USER32(00000000,00000000), ref: 00401DB6

Memory Dump Source

Source File: 00000000.00000002.587792505.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.587773902.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587822461.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587850301.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587901452.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587919547.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587936413.0000000000436000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587943185.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_CL-Eye-Driver-5.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 01184a99a098fa4f7b5ffd0caf4b96e4eb64a91bfbc6cfc84e1934e58c82cbe0
Instruction ID: 0a77d41913575adca2a7ede6e8d56263b744db67c7fbf003078f88b8ecd5966f
Opcode Fuzzy Hash: 01184a99a098fa4f7b5ffd0caf4b96e4eb64a91bfbc6cfc84e1934e58c82cbe0
Instruction Fuzzy Hash: 24E0C272F08210DBD710FBB4AE899AE3274DB403A9B10453BF503F20C1D6B89C8196EE

Uniqueness

Uniqueness Score: -1.00%

Function 0040583D, Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0040583D(CHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesA(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x00405841
0x0040584e
0x00405863
0x00405869

APIs

GetFileAttributesA.KERNELBASE(00000003,00402CB5,C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe,80000000,00000003), ref: 00405841
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405863

Memory Dump Source

Source File: 00000000.00000002.587792505.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.587773902.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587822461.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587850301.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587901452.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587919547.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587936413.0000000000436000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587943185.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_CL-Eye-Driver-5.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 6d56aff3fab625e069b8f0f4beb3d6c68df7a2746e2dd21b0a72e0224e52029a
Instruction ID: 90a47e22fdd321f70bf06df01bfdefa11f3e73682391c7296034eb3a8fe04f39
Opcode Fuzzy Hash: 6d56aff3fab625e069b8f0f4beb3d6c68df7a2746e2dd21b0a72e0224e52029a
Instruction Fuzzy Hash: 8CD09E31658301AFEF098F20DD1AF2E7AA2EB84B00F10562CB646940E0D6715815DB16

Uniqueness

Uniqueness Score: -1.00%

Function 0040581E, Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040581E(CHAR* _a4) {
				signed char _t3;
				int _t5;

				_t3 = GetFileAttributesA(_a4); // executed
				if(_t3 != 0xffffffff) {
					_t5 = SetFileAttributesA(_a4, _t3 & 0x000000fe); // executed
					return _t5;
				}
				return _t3;
			}

0x00405822
0x0040582b
0x00405834
0x00000000
0x00405834
0x0040583a

APIs

GetFileAttributesA.KERNELBASE(?,00405629,?,?,?), ref: 00405822
SetFileAttributesA.KERNELBASE(?,00000000), ref: 00405834

Memory Dump Source

Source File: 00000000.00000002.587792505.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.587773902.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587822461.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587850301.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587901452.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587919547.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587936413.0000000000436000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587943185.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_CL-Eye-Driver-5.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 499c41a265c8c72c251eb99c81a2d8ea197c0ca55525d81af5d9f53b6a62e1c9
Instruction ID: 89544605ef234ac14ed66c3b065a2d642d1346908a696065e0ba681aeed38476
Opcode Fuzzy Hash: 499c41a265c8c72c251eb99c81a2d8ea197c0ca55525d81af5d9f53b6a62e1c9
Instruction Fuzzy Hash: F8C04CB1808501ABD7056B24EF0D81F7B66EF50325B108B35F5A9E00F0C7355C66DA1A

Uniqueness

Uniqueness Score: -1.00%

Function 06882930, Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {

				 *0x6884038 = _a4;
				if(_a8 == 1) {
					VirtualProtect(0x688404c, 4, 0x40, 0x688403c); // executed
					 *0x688404c = 0xc2;
					 *0x688403c = 0;
					 *0x6884044 = 0;
					 *0x6884054 = 0;
					 *0x6884048 = 0;
					 *0x6884040 = 0;
					 *0x688404e = 0;
				}
				return 1;
			}

0x06882939
0x0688293e
0x0688294e
0x06882956
0x0688295d
0x06882962
0x06882967
0x0688296c
0x06882971
0x06882976
0x06882976
0x0688297e

APIs

VirtualProtect.KERNELBASE(0688404C,00000004,00000040,0688403C), ref: 0688294E

Memory Dump Source

Source File: 00000000.00000002.594659633.0000000006881000.00000020.00020000.sdmp, Offset: 06880000, based on PE: true

Associated: 00000000.00000002.594653439.0000000006880000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.594671367.0000000006883000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.594679270.0000000006885000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6880000_CL-Eye-Driver-5.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: d676051ebb9ea01b4e7132211633e34cedeea7e2749690fba903179b63220a0b
Instruction ID: 389e0cc2c6b471d9e4167c3fcf7a78e926619054cd227ef22d02f010be52d182
Opcode Fuzzy Hash: d676051ebb9ea01b4e7132211633e34cedeea7e2749690fba903179b63220a0b
Instruction Fuzzy Hash: D4E0C9B358434BDEC3E0DF7DA8457073EE2A334748B01442AE348D7241E3788044DB12

Uniqueness

Uniqueness Score: -1.00%

Function 00403F18, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403F18(intOrPtr _a12) {
				intOrPtr _v0;
				struct HWND__* _v4;
				int _t7;
				void* _t8;
				void* _t9;
				void* _t10;

				_t7 = SetDlgItemTextA(_v4, _v0 + 0x3e8, E00405B88(_t8, _t9, _t10, 0, _a12)); // executed
				return _t7;
			}

0x00403f32
0x00403f37

APIs

SetDlgItemTextA.USER32 ref: 00403F32

Memory Dump Source

Source File: 00000000.00000002.587792505.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.587773902.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587822461.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587850301.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587901452.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587919547.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587936413.0000000000436000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587943185.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_CL-Eye-Driver-5.jbxd

Similarity

API ID: ItemText
String ID:
API String ID: 3367045223-0
Opcode ID: e65bc35160ed5513600404499191e6285347109cacf77d99fb514981775c36ca
Instruction ID: 32956ba5a052c000d200729fffd4f2c944d874cb1110b62223aa4bdd109d9e57
Opcode Fuzzy Hash: e65bc35160ed5513600404499191e6285347109cacf77d99fb514981775c36ca
Instruction Fuzzy Hash: E4C08C31048200BFD241AB04CC42F1FB3A8EFA0327F00C92EB05CE00D2C634D420CE2A

Uniqueness

Uniqueness Score: -1.00%

Function 00403F64, Relevance: 1.5, APIs: 1, Instructions: 9
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403F64(int _a4) {
				struct HWND__* _t2;
				long _t3;

				_t2 =  *0x423678; // 0x1a0056
				if(_t2 != 0) {
					_t3 = SendMessageA(_t2, _a4, 0, 0); // executed
					return _t3;
				}
				return _t2;
			}

0x00403f64
0x00403f6b
0x00403f76
0x00000000
0x00403f76
0x00403f7c

APIs

SendMessageA.USER32(001A0056,00000000,00000000,00000000), ref: 00403F76

Memory Dump Source

Source File: 00000000.00000002.587792505.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.587773902.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587822461.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587850301.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587901452.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587919547.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587936413.0000000000436000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587943185.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_CL-Eye-Driver-5.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 74a19277012f6d931596f598d2f6ffa2ec736fc7041dbb57cfa43a045af561dc
Instruction ID: 4934297729c285da13a483c37f1bad53b44c21571947472378d90217470b6476
Opcode Fuzzy Hash: 74a19277012f6d931596f598d2f6ffa2ec736fc7041dbb57cfa43a045af561dc
Instruction Fuzzy Hash: 6CC04C71B442017AEA209F619D45F177B68A754701F5444657204A51D0C674E510D61D

Uniqueness

Uniqueness Score: -1.00%

Function 00403F4D, Relevance: 1.5, APIs: 1, Instructions: 6
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403F4D(int _a4) {
				long _t2;

				_t2 = SendMessageA( *0x423ea8, 0x28, _a4, 1); // executed
				return _t2;
			}

0x00403f5b
0x00403f61

APIs

SendMessageA.USER32(00000028,?,00000001,00403D7E), ref: 00403F5B

Memory Dump Source

Source File: 00000000.00000002.587792505.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.587773902.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587822461.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587850301.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587901452.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587919547.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587936413.0000000000436000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587943185.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_CL-Eye-Driver-5.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 5380ca26047a56ac044db27ec5452a3d407db4c462228856e9187df95d64c5b6
Instruction ID: 0662716cb4741bc9db58cdf5bc89cb1196afa115b106f7c4ea820954fb206898
Opcode Fuzzy Hash: 5380ca26047a56ac044db27ec5452a3d407db4c462228856e9187df95d64c5b6
Instruction Fuzzy Hash: 17B09276685201BADA215B10DE09F457E62E764702F018064B204240B0C6B200A5DB09

Uniqueness

Uniqueness Score: -1.00%

Function 004031F1, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004031F1(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x409014, _a4, 0, 0); // executed
				return _t2;
			}

0x004031ff
0x00403205

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E9D,0000E9E4), ref: 004031FF

Memory Dump Source

Source File: 00000000.00000002.587792505.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.587773902.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587822461.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587850301.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587901452.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587919547.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587936413.0000000000436000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587943185.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_CL-Eye-Driver-5.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 2028dafccfaa88a297be93e7ba1f52e009ec02dcd94d5fd44c1761bf2bffe23e
Instruction ID: eafd0aff1283cdec3023edec91852d87283cefa69c9b21bce59c6677f93a42a7
Opcode Fuzzy Hash: 2028dafccfaa88a297be93e7ba1f52e009ec02dcd94d5fd44c1761bf2bffe23e
Instruction Fuzzy Hash: 14B01271644200BFDB214F00DF06F057B21A790701F108030B344380F082712420EB1E

Uniqueness

Uniqueness Score: -1.00%

Function 00403F3A, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403F3A(int _a4) {
				int _t2;

				_t2 = EnableWindow( *0x420498, _a4); // executed
				return _t2;
			}

0x00403f44
0x00403f4a

APIs

KiUserCallbackDispatcher.NTDLL(?,00403D17), ref: 00403F44

Memory Dump Source

Source File: 00000000.00000002.587792505.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.587773902.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587822461.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587850301.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587901452.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587919547.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587936413.0000000000436000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587943185.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_CL-Eye-Driver-5.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 315e157356e8942ef3b8d7e2082c61631171d9164c942d8812de0ab912510814
Instruction ID: 218003202f2b1835e3bff4e9bf146b8b4f872d9b8cc4e3003fd48478f7f9154f
Opcode Fuzzy Hash: 315e157356e8942ef3b8d7e2082c61631171d9164c942d8812de0ab912510814
Instruction Fuzzy Hash: 09A002755051049BCA519B54DE048057A62A754701741C479B24551575C7315461EB6E

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00404853, Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 478
windowmemoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E00404853(struct HWND__* _a4, int _a8, unsigned int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				signed int _v16;
				intOrPtr _v20;
				void* _v24;
				long _v28;
				int _v32;
				signed int _v40;
				int _v44;
				signed int* _v56;
				intOrPtr _v60;
				signed int _v64;
				long _v68;
				void* _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				void* _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t182;
				intOrPtr _t183;
				int _t189;
				int _t196;
				intOrPtr _t198;
				long _t202;
				signed int _t206;
				signed int _t217;
				void* _t220;
				void* _t221;
				int _t227;
				intOrPtr _t231;
				signed int _t232;
				signed int _t233;
				signed int _t240;
				signed int _t242;
				signed int _t245;
				signed int _t247;
				struct HBITMAP__* _t250;
				void* _t252;
				char* _t268;
				signed char _t269;
				long _t274;
				int _t280;
				signed int* _t281;
				int _t282;
				long _t283;
				signed int* _t284;
				int _t285;
				long _t286;
				signed int _t287;
				long _t288;
				signed int _t291;
				int _t294;
				signed int _t298;
				signed int _t300;
				signed int _t302;
				intOrPtr _t309;
				int* _t310;
				void* _t311;
				int _t315;
				int _t316;
				int _t317;
				signed int _t318;
				void* _t320;
				void* _t328;
				void* _t331;

				_v12 = GetDlgItem(_a4, 0x3f9);
				_t182 = GetDlgItem(_a4, 0x408);
				_t280 =  *0x423ec8; // 0x6f0ac4
				_t320 = SendMessageA;
				_v8 = _t182;
				_t183 =  *0x423eb0; // 0x6f0858
				_t315 = 0;
				_v32 = _t280;
				_v20 = _t183 + 0x94;
				if(_a8 != 0x110) {
					L23:
					__eflags = _a8 - 0x405;
					if(_a8 != 0x405) {
						_t289 = _a16;
					} else {
						_a12 = _t315;
						_t289 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					__eflags = _a8 - 0x4e;
					if(_a8 == 0x4e) {
						L28:
						__eflags = _a8 - 0x413;
						_v16 = _t289;
						if(_a8 == 0x413) {
							L30:
							__eflags =  *0x423eb9 & 0x00000002;
							if(( *0x423eb9 & 0x00000002) != 0) {
								L41:
								__eflags = _v16 - _t315;
								if(_v16 != _t315) {
									_t232 = _v16;
									__eflags =  *((intOrPtr*)(_t232 + 8)) - 0xfffffe6e;
									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe6e) {
										SendMessageA(_v8, 0x419, _t315,  *(_t232 + 0x5c));
									}
									_t233 = _v16;
									__eflags =  *((intOrPtr*)(_t233 + 8)) - 0xfffffe6a;
									if( *((intOrPtr*)(_t233 + 8)) == 0xfffffe6a) {
										__eflags =  *((intOrPtr*)(_t233 + 0xc)) - 2;
										if( *((intOrPtr*)(_t233 + 0xc)) != 2) {
											_t284 =  *(_t233 + 0x5c) * 0x418 + _t280 + 8;
											 *_t284 =  *_t284 & 0xffffffdf;
											__eflags =  *_t284;
										} else {
											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							__eflags = _a8 - 0x413;
							if(_a8 == 0x413) {
								L33:
								__eflags = _a8 - 0x413;
								_t289 = 0 | _a8 != 0x00000413;
								_t240 = E004047D3(_v8, _a8 != 0x413);
								__eflags = _t240 - _t315;
								if(_t240 >= _t315) {
									_t93 = _t280 + 8; // 0x8
									_t310 = _t240 * 0x418 + _t93;
									_t289 =  *_t310;
									__eflags = _t289 & 0x00000010;
									if((_t289 & 0x00000010) == 0) {
										__eflags = _t289 & 0x00000040;
										if((_t289 & 0x00000040) == 0) {
											_t298 = _t289 ^ 0x00000001;
											__eflags = _t298;
										} else {
											_t300 = _t289 ^ 0x00000080;
											__eflags = _t300;
											if(_t300 >= 0) {
												_t298 = _t300 & 0xfffffffe;
											} else {
												_t298 = _t300 | 0x00000001;
											}
										}
										 *_t310 = _t298;
										E0040117D(_t240);
										_t242 =  *0x423eb8; // 0x81
										_t289 = 1;
										_a8 = 0x40f;
										_t245 =  !_t242 >> 0x00000008 & 1;
										__eflags = _t245;
										_a12 = 1;
										_a16 = _t245;
									}
								}
								goto L41;
							}
							_t289 = _a16;
							__eflags =  *((intOrPtr*)(_t289 + 8)) - 0xfffffffe;
							if( *((intOrPtr*)(_t289 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						}
						__eflags =  *((intOrPtr*)(_t289 + 4)) - 0x408;
						if( *((intOrPtr*)(_t289 + 4)) != 0x408) {
							goto L48;
						}
						goto L30;
					} else {
						__eflags = _a8 - 0x413;
						if(_a8 != 0x413) {
							L48:
							__eflags = _a8 - 0x111;
							if(_a8 != 0x111) {
								L56:
								__eflags = _a8 - 0x200;
								if(_a8 == 0x200) {
									SendMessageA(_v8, 0x200, _t315, _t315);
								}
								__eflags = _a8 - 0x40b;
								if(_a8 == 0x40b) {
									_t220 =  *0x42047c;
									__eflags = _t220 - _t315;
									if(_t220 != _t315) {
										ImageList_Destroy(_t220);
									}
									_t221 =  *0x420494;
									__eflags = _t221 - _t315;
									if(_t221 != _t315) {
										GlobalFree(_t221);
									}
									 *0x42047c = _t315;
									 *0x420494 = _t315;
									 *0x423f00 = _t315;
								}
								__eflags = _a8 - 0x40f;
								if(_a8 != 0x40f) {
									L86:
									__eflags = _a8 - 0x420;
									if(_a8 == 0x420) {
										__eflags =  *0x423eb9 & 0x00000001;
										if(( *0x423eb9 & 0x00000001) != 0) {
											__eflags = _a16 - 0x20;
											_t189 = (0 | _a16 == 0x00000020) << 3;
											__eflags = _t189;
											_t316 = _t189;
											ShowWindow(_v8, _t316);
											ShowWindow(GetDlgItem(_a4, 0x3fe), _t316);
										}
									}
									goto L89;
								} else {
									E004011EF(_t289, _t315, _t315);
									__eflags = _a12 - _t315;
									if(_a12 != _t315) {
										E0040140B(8);
									}
									__eflags = _a16 - _t315;
									if(_a16 == _t315) {
										L73:
										E004011EF(_t289, _t315, _t315);
										__eflags =  *0x423ecc - _t315; // 0x3
										_v32 =  *0x420494;
										_t196 =  *0x423ec8; // 0x6f0ac4
										_v60 = 0xf030;
										_v16 = _t315;
										if(__eflags <= 0) {
											L84:
											InvalidateRect(_v8, _t315, 1);
											_t198 =  *0x42367c; // 0x705cb2
											__eflags =  *((intOrPtr*)(_t198 + 0x10)) - _t315;
											if( *((intOrPtr*)(_t198 + 0x10)) != _t315) {
												E004046F1(0x3ff, 0xfffffffb, E004047A6(5));
											}
											goto L86;
										} else {
											_t142 = _t196 + 8; // 0x6f0acc
											_t281 = _t142;
											do {
												_t202 =  *((intOrPtr*)(_v32 + _v16 * 4));
												__eflags = _t202 - _t315;
												if(_t202 != _t315) {
													_t291 =  *_t281;
													_v68 = _t202;
													__eflags = _t291 & 0x00000001;
													_v72 = 8;
													if((_t291 & 0x00000001) != 0) {
														_t151 =  &(_t281[4]); // 0x6f0adc
														_v72 = 9;
														_v56 = _t151;
														_t154 =  &(_t281[0]);
														 *_t154 = _t281[0] & 0x000000fe;
														__eflags =  *_t154;
													}
													__eflags = _t291 & 0x00000040;
													if((_t291 & 0x00000040) == 0) {
														_t206 = (_t291 & 0x00000001) + 1;
														__eflags = _t291 & 0x00000010;
														if((_t291 & 0x00000010) != 0) {
															_t206 = _t206 + 3;
															__eflags = _t206;
														}
													} else {
														_t206 = 3;
													}
													_t294 = (_t291 >> 0x00000005 & 0x00000001) + 1;
													__eflags = _t294;
													_v64 = (_t206 << 0x0000000b | _t291 & 0x00000008) + (_t206 << 0x0000000b | _t291 & 0x00000008) | _t291 & 0x00000020;
													SendMessageA(_v8, 0x1102, _t294, _v68);
													SendMessageA(_v8, 0x110d, _t315,  &_v72);
												}
												_v16 = _v16 + 1;
												_t281 =  &(_t281[0x106]);
												__eflags = _v16 -  *0x423ecc; // 0x3
											} while (__eflags < 0);
											goto L84;
										}
									} else {
										_t282 = E004012E2( *0x420494);
										E00401299(_t282);
										_t217 = 0;
										_t289 = 0;
										__eflags = _t282 - _t315;
										if(_t282 <= _t315) {
											L72:
											SendMessageA(_v12, 0x14e, _t289, _t315);
											_a16 = _t282;
											_a8 = 0x420;
											goto L73;
										} else {
											goto L69;
										}
										do {
											L69:
											_t309 = _v20;
											__eflags =  *((intOrPtr*)(_t309 + _t217 * 4)) - _t315;
											if( *((intOrPtr*)(_t309 + _t217 * 4)) != _t315) {
												_t289 = _t289 + 1;
												__eflags = _t289;
											}
											_t217 = _t217 + 1;
											__eflags = _t217 - _t282;
										} while (_t217 < _t282);
										goto L72;
									}
								}
							}
							__eflags = _a12 - 0x3f9;
							if(_a12 != 0x3f9) {
								goto L89;
							}
							__eflags = _a12 >> 0x10 - 1;
							if(_a12 >> 0x10 != 1) {
								goto L89;
							}
							_t227 = SendMessageA(_v12, 0x147, _t315, _t315);
							__eflags = _t227 - 0xffffffff;
							if(_t227 == 0xffffffff) {
								goto L89;
							}
							_t283 = SendMessageA(_v12, 0x150, _t227, _t315);
							__eflags = _t283 - 0xffffffff;
							if(_t283 == 0xffffffff) {
								L54:
								_t283 = 0x20;
								L55:
								E00401299(_t283);
								SendMessageA(_a4, 0x420, _t315, _t283);
								_a12 = 1;
								_a16 = _t315;
								_a8 = 0x40f;
								goto L56;
							}
							_t231 = _v20;
							__eflags =  *((intOrPtr*)(_t231 + _t283 * 4)) - _t315;
							if( *((intOrPtr*)(_t231 + _t283 * 4)) != _t315) {
								goto L55;
							}
							goto L54;
						}
						goto L28;
					}
				} else {
					 *0x423f00 = _a4;
					_t247 =  *0x423ecc; // 0x3
					_t285 = 2;
					_v28 = 0;
					_v16 = _t285;
					 *0x420494 = GlobalAlloc(0x40, _t247 << 2);
					_t250 = LoadBitmapA( *0x423ea0, 0x6e);
					 *0x420488 =  *0x420488 | 0xffffffff;
					_v24 = _t250;
					 *0x420490 = SetWindowLongA(_v8, 0xfffffffc, E00404E54);
					_t252 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
					 *0x42047c = _t252;
					ImageList_AddMasked(_t252, _v24, 0xff00ff);
					SendMessageA(_v8, 0x1109, _t285,  *0x42047c);
					if(SendMessageA(_v8, 0x111c, 0, 0) < 0x10) {
						SendMessageA(_v8, 0x111b, 0x10, 0);
					}
					DeleteObject(_v24);
					_t286 = 0;
					do {
						_t258 =  *((intOrPtr*)(_v20 + _t286 * 4));
						if( *((intOrPtr*)(_v20 + _t286 * 4)) != _t315) {
							if(_t286 != 0x20) {
								_v16 = _t315;
							}
							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, _t315, E00405B88(_t286, _t315, _t320, _t315, _t258)), _t286);
						}
						_t286 = _t286 + 1;
					} while (_t286 < 0x21);
					_t317 = _a16;
					_t287 = _v16;
					_push( *((intOrPtr*)(_t317 + 0x30 + _t287 * 4)));
					_push(0x15);
					E00403F18(_a4);
					_push( *((intOrPtr*)(_t317 + 0x34 + _t287 * 4)));
					_push(0x16);
					E00403F18(_a4);
					_t318 = 0;
					_t288 = 0;
					_t328 =  *0x423ecc - _t318; // 0x3
					if(_t328 <= 0) {
						L19:
						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t311 = _v32 + 8;
						_v24 = _t311;
						do {
							_t268 = _t311 + 0x10;
							if( *_t268 != 0) {
								_v60 = _t268;
								_t269 =  *_t311;
								_t302 = 0x20;
								_v84 = _t288;
								_v80 = 0xffff0002;
								_v76 = 0xd;
								_v64 = _t302;
								_v40 = _t318;
								_v68 = _t269 & _t302;
								if((_t269 & 0x00000002) == 0) {
									__eflags = _t269 & 0x00000004;
									if((_t269 & 0x00000004) == 0) {
										 *( *0x420494 + _t318 * 4) = SendMessageA(_v8, 0x1100, 0,  &_v84);
									} else {
										_t288 = SendMessageA(_v8, 0x110a, 3, _t288);
									}
								} else {
									_v76 = 0x4d;
									_v44 = 1;
									_t274 = SendMessageA(_v8, 0x1100, 0,  &_v84);
									_v28 = 1;
									 *( *0x420494 + _t318 * 4) = _t274;
									_t288 =  *( *0x420494 + _t318 * 4);
								}
							}
							_t318 = _t318 + 1;
							_t311 = _v24 + 0x418;
							_t331 = _t318 -  *0x423ecc; // 0x3
							_v24 = _t311;
						} while (_t331 < 0);
						if(_v28 != 0) {
							L20:
							if(_v16 != 0) {
								E00403F4D(_v8);
								_t280 = _v32;
								_t315 = 0;
								__eflags = 0;
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E00403F4D(_v12);
								L89:
								return E00403F7F(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}

0x00404871
0x00404877
0x00404879
0x0040487f
0x00404885
0x00404888
0x00404892
0x0040489b
0x0040489e
0x004048a1
0x00404ac9
0x00404ac9
0x00404ad0
0x00404ae4
0x00404ad2
0x00404ad4
0x00404ad7
0x00404ad8
0x00404adf
0x00404adf
0x00404ae7
0x00404af0
0x00404afb
0x00404afb
0x00404afe
0x00404b01
0x00404b10
0x00404b10
0x00404b17
0x00404b8f
0x00404b8f
0x00404b92
0x00404b94
0x00404b97
0x00404b9e
0x00404bac
0x00404bac
0x00404bae
0x00404bb1
0x00404bb8
0x00404bba
0x00404bbe
0x00404bdb
0x00404bdf
0x00404bdf
0x00404bc0
0x00404bcd
0x00404bcd
0x00404bbe
0x00404bb8
0x00000000
0x00404b92
0x00404b19
0x00404b1c
0x00404b27
0x00404b29
0x00404b2c
0x00404b33
0x00404b38
0x00404b3a
0x00404b44
0x00404b44
0x00404b48
0x00404b4a
0x00404b4d
0x00404b4f
0x00404b52
0x00404b68
0x00404b68
0x00404b54
0x00404b54
0x00404b5a
0x00404b5c
0x00404b63
0x00404b5e
0x00404b5e
0x00404b5e
0x00404b5c
0x00404b6c
0x00404b6e
0x00404b73
0x00404b7c
0x00404b7d
0x00404b87
0x00404b87
0x00404b89
0x00404b8c
0x00404b8c
0x00404b4d
0x00000000
0x00404b3a
0x00404b1e
0x00404b21
0x00404b25
0x00000000
0x00000000
0x00000000
0x00404b25
0x00404b03
0x00404b0a
0x00000000
0x00000000
0x00000000
0x00404af2
0x00404af2
0x00404af5
0x00404be2
0x00404be2
0x00404be9
0x00404c5d
0x00404c5d
0x00404c64
0x00404c70
0x00404c70
0x00404c72
0x00404c79
0x00404c7b
0x00404c80
0x00404c82
0x00404c85
0x00404c85
0x00404c8b
0x00404c90
0x00404c92
0x00404c95
0x00404c95
0x00404c9b
0x00404ca1
0x00404ca7
0x00404ca7
0x00404cad
0x00404cb4
0x00404e01
0x00404e01
0x00404e08
0x00404e0a
0x00404e11
0x00404e15
0x00404e22
0x00404e22
0x00404e25
0x00404e2b
0x00404e3d
0x00404e3d
0x00404e11
0x00000000
0x00404cba
0x00404cbc
0x00404cc1
0x00404cc4
0x00404cc8
0x00404cc8
0x00404ccd
0x00404cd0
0x00404d11
0x00404d13
0x00404d1d
0x00404d23
0x00404d26
0x00404d2b
0x00404d32
0x00404d35
0x00404dd7
0x00404ddd
0x00404de3
0x00404de8
0x00404deb
0x00404dfc
0x00404dfc
0x00000000
0x00404d3b
0x00404d3b
0x00404d3b
0x00404d3e
0x00404d44
0x00404d47
0x00404d49
0x00404d4b
0x00404d4d
0x00404d50
0x00404d53
0x00404d5a
0x00404d5c
0x00404d5f
0x00404d66
0x00404d69
0x00404d69
0x00404d69
0x00404d69
0x00404d6d
0x00404d70
0x00404d7c
0x00404d7d
0x00404d80
0x00404d82
0x00404d82
0x00404d82
0x00404d72
0x00404d74
0x00404d74
0x00404da1
0x00404da1
0x00404da2
0x00404dae
0x00404dbd
0x00404dbd
0x00404dbf
0x00404dc2
0x00404dcb
0x00404dcb
0x00000000
0x00404d3e
0x00404cd2
0x00404cdd
0x00404ce0
0x00404ce5
0x00404ce7
0x00404ce9
0x00404ceb
0x00404cfb
0x00404d05
0x00404d07
0x00404d0a
0x00000000
0x00000000
0x00000000
0x00000000
0x00404ced
0x00404ced
0x00404ced
0x00404cf0
0x00404cf3
0x00404cf5
0x00404cf5
0x00404cf5
0x00404cf6
0x00404cf7
0x00404cf7
0x00000000
0x00404ced
0x00404cd0
0x00404cb4
0x00404beb
0x00404bf1
0x00000000
0x00000000
0x00404bfd
0x00404c01
0x00000000
0x00000000
0x00404c11
0x00404c13
0x00404c16
0x00000000
0x00000000
0x00404c28
0x00404c2a
0x00404c2d
0x00404c37
0x00404c39
0x00404c3a
0x00404c3b
0x00404c4a
0x00404c4c
0x00404c53
0x00404c56
0x00000000
0x00404c56
0x00404c2f
0x00404c32
0x00404c35
0x00000000
0x00000000
0x00000000
0x00404c35
0x00000000
0x00404af5
0x004048a7
0x004048ac
0x004048b1
0x004048b6
0x004048b7
0x004048c0
0x004048cb
0x004048d6
0x004048dc
0x004048ea
0x004048ff
0x00404904
0x0040490f
0x00404918
0x0040492d
0x0040493e
0x0040494b
0x0040494b
0x00404950
0x00404956
0x00404958
0x0040495b
0x00404960
0x00404965
0x00404967
0x00404967
0x00404987
0x00404987
0x00404989
0x0040498a
0x0040498f
0x00404992
0x00404995
0x00404999
0x0040499e
0x004049a3
0x004049a7
0x004049ac
0x004049b1
0x004049b3
0x004049b5
0x004049bb
0x00404a85
0x00404a98
0x00000000
0x004049c1
0x004049c4
0x004049c7
0x004049ca
0x004049ca
0x004049d0
0x004049d6
0x004049d9
0x004049df
0x004049e0
0x004049e5
0x004049ee
0x004049f5
0x004049f8
0x004049fb
0x004049fe
0x00404a38
0x00404a3a
0x00404a63
0x00404a3c
0x00404a49
0x00404a49
0x00404a00
0x00404a03
0x00404a12
0x00404a1c
0x00404a24
0x00404a2b
0x00404a33
0x00404a33
0x004049fe
0x00404a69
0x00404a6a
0x00404a70
0x00404a76
0x00404a76
0x00404a83
0x00404a9e
0x00404aa2
0x00404abf
0x00404ac4
0x00404ac7
0x00404ac7
0x00000000
0x00404aa4
0x00404aa9
0x00404ab2
0x00404e3f
0x00404e51
0x00404e51
0x00404aa2
0x00000000
0x00404a83
0x004049bb

APIs

GetDlgItem.USER32 ref: 0040486A
GetDlgItem.USER32 ref: 00404877
GlobalAlloc.KERNEL32(00000040,00000003), ref: 004048C3
LoadBitmapA.USER32 ref: 004048D6
SetWindowLongA.USER32 ref: 004048F0
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404904
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404918
SendMessageA.USER32(?,00001109,00000002), ref: 0040492D
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404939
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 0040494B
DeleteObject.GDI32(?), ref: 00404950
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 0040497B
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404987
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404A1C
SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404A47
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404A5B
GetWindowLongA.USER32 ref: 00404A8A
SetWindowLongA.USER32 ref: 00404A98
ShowWindow.USER32(?,00000005), ref: 00404AA9
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404BAC
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404C11
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404C26
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404C4A
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404C70
ImageList_Destroy.COMCTL32(?), ref: 00404C85
GlobalFree.KERNEL32 ref: 00404C95
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404D05
SendMessageA.USER32(?,00001102,00000410,?), ref: 00404DAE
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404DBD
InvalidateRect.USER32(?,00000000,00000001), ref: 00404DDD
ShowWindow.USER32(?,00000000), ref: 00404E2B
GetDlgItem.USER32 ref: 00404E36
ShowWindow.USER32(00000000), ref: 00404E3D

Strings

, xrefs: 00404E15
N, xrefs: 00404AE7
M, xrefs: 00404A03

Memory Dump Source

Source File: 00000000.00000002.587792505.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.587773902.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587822461.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587850301.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587901452.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587919547.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587936413.0000000000436000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587943185.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_CL-Eye-Driver-5.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: bc836f97d9874f4f727094095d6c382577d8705a5fdd7ffcfefc5c205b7b8112
Instruction ID: 91af9d563adbb526dddc39620d8b288a2aea1bcbb5731436b9e02a5cfbe7d22d
Opcode Fuzzy Hash: bc836f97d9874f4f727094095d6c382577d8705a5fdd7ffcfefc5c205b7b8112
Instruction Fuzzy Hash: AB029FB0E00209AFDB21DF54DD45AAE7BB5FB84315F10817AF610BA2E1C7799A42CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00404356, Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 266
stringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00404356(struct HWND__* _a4, signed int _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v8;
				struct HWND__* _v12;
				long _v16;
				long _v20;
				char _v24;
				long _v28;
				char _v32;
				intOrPtr _v36;
				long _v40;
				signed int _v44;
				CHAR* _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				CHAR* _v68;
				void _v72;
				char _v76;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t81;
				long _t86;
				signed char* _t88;
				void* _t94;
				signed int _t95;
				signed short _t113;
				signed int _t117;
				char* _t122;
				intOrPtr _t124;
				intOrPtr* _t138;
				signed int* _t145;
				intOrPtr _t147;
				signed int _t148;
				signed int _t153;
				struct HWND__* _t159;
				CHAR* _t162;
				int _t163;

				_t81 =  *0x41fc70; // 0x6f0a04
				_v36 = _t81;
				_t162 = ( *(_t81 + 0x3c) << 0xa) + 0x424000;
				_v8 =  *((intOrPtr*)(_t81 + 0x38));
				if(_a8 == 0x40b) {
					E0040540B(0x3fb, _t162);
					E00405DC8(_t162);
				}
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L20:
						if(_a8 == 0x40f) {
							L22:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							E0040540B(0x3fb, _t162);
							if(E0040573A(_t180, _t162) == 0) {
								_v8 = 1;
							}
							E00405B66(0x41f468, _t162);
							_t145 = 0;
							_t86 = E00405E88(0);
							_v16 = _t86;
							if(_t86 == 0) {
								L31:
								E00405B66(0x41f468, _t162);
								_t88 = E004056ED(0x41f468);
								if(_t88 != _t145) {
									 *_t88 =  *_t88 & 0x00000000;
								}
								if(GetDiskFreeSpaceA(0x41f468,  &_v20,  &_v28,  &_v16,  &_v40) == 0) {
									_t153 = _a8;
									goto L37;
								} else {
									_t163 = 0x400;
									_t153 = MulDiv(_v20 * _v28, _v16, 0x400);
									_v12 = 1;
									goto L38;
								}
							} else {
								if(0 == 0x41f468) {
									L30:
									_t145 = 0;
									goto L31;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t113 = _v16(0x41f468,  &_v44,  &_v24,  &_v32);
									if(_t113 != 0) {
										break;
									}
									if(_t145 != 0) {
										 *_t145 =  *_t145 & _t113;
									}
									_t145 = E004056A0(0x41f468) - 1;
									 *_t145 = 0x5c;
									if(_t145 != 0x41f468) {
										continue;
									} else {
										goto L30;
									}
								}
								_t153 = (_v40 << 0x00000020 | _v44) >> 0xa;
								_v12 = 1;
								_t145 = 0;
								L37:
								_t163 = 0x400;
								L38:
								_t94 = E004047A6(5);
								if(_v12 != _t145 && _t153 < _t94) {
									_v8 = 2;
								}
								_t147 =  *0x42367c; // 0x705cb2
								if( *((intOrPtr*)(_t147 + 0x10)) != _t145) {
									E004046F1(0x3ff, 0xfffffffb, _t94);
									if(_v12 == _t145) {
										SetDlgItemTextA(_a4, _t163, 0x41f458);
									} else {
										E004046F1(_t163, 0xfffffffc, _t153);
									}
								}
								_t95 = _v8;
								 *0x423f44 = _t95;
								if(_t95 == _t145) {
									_v8 = E0040140B(7);
								}
								if(( *(_v36 + 0x14) & _t163) != 0) {
									_v8 = _t145;
								}
								E00403F3A(0 | _v8 == _t145);
								if(_v8 == _t145 &&  *0x42048c == _t145) {
									E004042EB();
								}
								 *0x42048c = _t145;
								goto L53;
							}
						}
						_t180 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L53;
						}
						goto L22;
					}
					_t117 = _a12 & 0x0000ffff;
					if(_t117 != 0x3fb) {
						L12:
						if(_t117 == 0x3e9) {
							_t148 = 7;
							memset( &_v72, 0, _t148 << 2);
							_v76 = _a4;
							_v68 = 0x4204a0;
							_v56 = E0040468B;
							_v52 = _t162;
							_v64 = E00405B88(0x3fb, 0x4204a0, _t162, 0x41f870, _v8);
							_t122 =  &_v76;
							_v60 = 0x41;
							__imp__SHBrowseForFolderA(_t122);
							if(_t122 == 0) {
								_a8 = 0x40f;
							} else {
								__imp__CoTaskMemFree(_t122);
								E00405659(_t162);
								_t124 =  *0x423eb0; // 0x6f0858
								_t125 =  *((intOrPtr*)(_t124 + 0x11c));
								if( *((intOrPtr*)(_t124 + 0x11c)) != 0 && _t162 == "C:\\Program Files (x86)\\Code Laboratories\\CL-Eye Driver") {
									E00405B88(0x3fb, 0x4204a0, _t162, 0, _t125);
									if(lstrcmpiA(0x422e40, 0x4204a0) != 0) {
										lstrcatA(_t162, 0x422e40);
									}
								}
								 *0x42048c =  &(( *0x42048c)[0]);
								SetDlgItemTextA(_a4, 0x3fb, _t162);
							}
						}
						goto L20;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L53;
					}
					_a8 = 0x40f;
					goto L12;
				} else {
					_t159 = _a4;
					_v12 = GetDlgItem(_t159, 0x3fb);
					if(E004056C6(_t162) != 0 && E004056ED(_t162) == 0) {
						E00405659(_t162);
					}
					 *0x423678 = _t159;
					SetWindowTextA(_v12, _t162);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E00403F18(_t159);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E00403F18(_t159);
					E00403F4D(_v12);
					_t138 = E00405E88(7);
					if(_t138 == 0) {
						L53:
						return E00403F7F(_a8, _a12, _a16);
					}
					 *_t138(_v12, 1);
					goto L8;
				}
			}

0x0040435c
0x00404363
0x0040436f
0x0040437d
0x00404385
0x00404389
0x0040438f
0x0040438f
0x0040439b
0x0040440f
0x00404416
0x004044eb
0x004044f2
0x00404501
0x00404501
0x00404505
0x0040450b
0x00404518
0x0040451a
0x0040451a
0x00404528
0x0040452d
0x00404530
0x00404537
0x0040453a
0x00404571
0x00404573
0x00404579
0x00404580
0x00404582
0x00404582
0x0040459e
0x004045da
0x00000000
0x004045a0
0x004045a3
0x004045b7
0x004045b9
0x00000000
0x004045b9
0x0040453c
0x00404540
0x0040456f
0x0040456f
0x00000000
0x00000000
0x00000000
0x00000000
0x00404542
0x00404542
0x0040454f
0x00404554
0x00000000
0x00000000
0x00404558
0x0040455a
0x0040455a
0x00404565
0x00404568
0x0040456d
0x00000000
0x00000000
0x00000000
0x00000000
0x0040456d
0x004045c8
0x004045cf
0x004045d6
0x004045dd
0x004045dd
0x004045e2
0x004045e4
0x004045ec
0x004045f2
0x004045f2
0x004045f9
0x00404602
0x0040460c
0x00404614
0x0040462a
0x00404616
0x0040461a
0x0040461a
0x00404614
0x0040462f
0x00404634
0x00404639
0x00404642
0x00404642
0x0040464b
0x0040464d
0x0040464d
0x00404659
0x00404661
0x0040466b
0x0040466b
0x00404670
0x00000000
0x00404670
0x0040453a
0x004044f4
0x004044fb
0x00000000
0x00000000
0x00000000
0x004044fb
0x0040441c
0x00404422
0x0040443c
0x00404441
0x0040444b
0x00404452
0x00404461
0x00404464
0x00404467
0x0040446e
0x00404476
0x00404479
0x0040447d
0x00404484
0x0040448c
0x004044e4
0x0040448e
0x0040448f
0x00404496
0x0040449b
0x004044a0
0x004044a8
0x004044b5
0x004044c9
0x004044cd
0x004044cd
0x004044c9
0x004044d2
0x004044dd
0x004044dd
0x0040448c
0x00000000
0x00404441
0x0040442f
0x00000000
0x00000000
0x00404435
0x00000000
0x0040439d
0x0040439d
0x004043a9
0x004043b3
0x004043c0
0x004043c0
0x004043c6
0x004043cf
0x004043d8
0x004043db
0x004043de
0x004043e6
0x004043e9
0x004043ec
0x004043f4
0x004043fb
0x00404402
0x00404676
0x00404688
0x00404688
0x0040440d
0x00000000
0x0040440d

APIs

GetDlgItem.USER32 ref: 004043A2
SetWindowTextA.USER32(?,?), ref: 004043CF
SHBrowseForFolderA.SHELL32(?,0041F870,?), ref: 00404484
CoTaskMemFree.OLE32(00000000), ref: 0040448F
lstrcmpiA.KERNEL32(Exec,004204A0,00000000,?,?), ref: 004044C1
lstrcatA.KERNEL32(?,Exec), ref: 004044CD
SetDlgItemTextA.USER32 ref: 004044DD

Part of subcall function 0040540B: GetDlgItemTextA.USER32 ref: 0040541E

Part of subcall function 00405DC8: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,00403214,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 00405E20
Part of subcall function 00405DC8: CharNextA.USER32(?,?,?,00000000), ref: 00405E2D
Part of subcall function 00405DC8: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,00403214,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 00405E32
Part of subcall function 00405DC8: CharPrevA.USER32(?,?,"C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,00403214,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 00405E42

GetDiskFreeSpaceA.KERNEL32(0041F468,?,?,0000040F,?,0041F468,0041F468,?,00000000,0041F468,?,?,000003FB,?), ref: 00404596
MulDiv.KERNEL32(?,0000040F,00000400), ref: 004045B1
SetDlgItemTextA.USER32 ref: 0040462A

Strings

C:\Program Files (x86)\Code Laboratories\CL-Eye Driver, xrefs: 004044AA
A, xrefs: 0040447D
Exec, xrefs: 004044BB, 004044C0, 004044CB

Memory Dump Source

Source File: 00000000.00000002.587792505.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.587773902.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587822461.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587850301.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587901452.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587919547.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587936413.0000000000436000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587943185.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_CL-Eye-Driver-5.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
String ID: A$C:\Program Files (x86)\Code Laboratories\CL-Eye Driver$Exec
API String ID: 2246997448-3786558468
Opcode ID: 8a3aad76447270b687e8e1509915f8df1e24d5d4c23db986a95c4726ded8d1ea
Instruction ID: fa341535892c43c3a67d7fcafb17cb6574160925603278dae289bcadb551eaae
Opcode Fuzzy Hash: 8a3aad76447270b687e8e1509915f8df1e24d5d4c23db986a95c4726ded8d1ea
Instruction Fuzzy Hash: 2D9170B1900218BBDB11AFA1CD84AAF7BB8EF45314F10847BF704B6291D77C9A41DB59

Uniqueness

Uniqueness Score: -1.00%

Function 00402020, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 134
comCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00402020() {
				void* _t44;
				intOrPtr* _t48;
				intOrPtr* _t50;
				intOrPtr* _t52;
				intOrPtr* _t54;
				signed int _t58;
				intOrPtr* _t59;
				intOrPtr* _t62;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr* _t69;
				intOrPtr* _t71;
				int _t75;
				signed int _t81;
				intOrPtr* _t88;
				void* _t95;
				void* _t96;
				void* _t100;

				 *(_t100 - 0x30) = E004029F6(0xfffffff0);
				_t96 = E004029F6(0xffffffdf);
				 *((intOrPtr*)(_t100 - 0x2c)) = E004029F6(2);
				 *((intOrPtr*)(_t100 - 8)) = E004029F6(0xffffffcd);
				 *((intOrPtr*)(_t100 - 0x44)) = E004029F6(0x45);
				if(E004056C6(_t96) == 0) {
					E004029F6(0x21);
				}
				_t44 = _t100 + 8;
				__imp__CoCreateInstance(0x407384, _t75, 1, 0x407374, _t44);
				if(_t44 < _t75) {
					L13:
					 *((intOrPtr*)(_t100 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t48 =  *((intOrPtr*)(_t100 + 8));
					_t95 =  *((intOrPtr*)( *_t48))(_t48, 0x407394, _t100 - 0x34);
					if(_t95 >= _t75) {
						_t52 =  *((intOrPtr*)(_t100 + 8));
						_t95 =  *((intOrPtr*)( *_t52 + 0x50))(_t52, _t96);
						_t54 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t54 + 0x24))(_t54, "C:\\Program Files (x86)\\Code Laboratories\\CL-Eye Driver\\Driver");
						_t81 =  *(_t100 - 0x14);
						_t58 = _t81 >> 0x00000008 & 0x000000ff;
						if(_t58 != 0) {
							_t88 =  *((intOrPtr*)(_t100 + 8));
							 *((intOrPtr*)( *_t88 + 0x3c))(_t88, _t58);
							_t81 =  *(_t100 - 0x14);
						}
						_t59 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t59 + 0x34))(_t59, _t81 >> 0x10);
						if( *((intOrPtr*)( *((intOrPtr*)(_t100 - 8)))) != _t75) {
							_t71 =  *((intOrPtr*)(_t100 + 8));
							 *((intOrPtr*)( *_t71 + 0x44))(_t71,  *((intOrPtr*)(_t100 - 8)),  *(_t100 - 0x14) & 0x000000ff);
						}
						_t62 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t62 + 0x2c))(_t62,  *((intOrPtr*)(_t100 - 0x2c)));
						_t64 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t64 + 0x1c))(_t64,  *((intOrPtr*)(_t100 - 0x44)));
						if(_t95 >= _t75) {
							_t95 = 0x80004005;
							if(MultiByteToWideChar(_t75, _t75,  *(_t100 - 0x30), 0xffffffff, 0x409368, 0x400) != 0) {
								_t69 =  *((intOrPtr*)(_t100 - 0x34));
								_t95 =  *((intOrPtr*)( *_t69 + 0x18))(_t69, 0x409368, 1);
							}
						}
						_t66 =  *((intOrPtr*)(_t100 - 0x34));
						 *((intOrPtr*)( *_t66 + 8))(_t66);
					}
					_t50 =  *((intOrPtr*)(_t100 + 8));
					 *((intOrPtr*)( *_t50 + 8))(_t50);
					if(_t95 >= _t75) {
						_push(0xfffffff4);
					} else {
						goto L13;
					}
				}
				E00401423();
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t100 - 4));
				return 0;
			}

0x00402029
0x00402033
0x0040203c
0x00402046
0x0040204f
0x00402059
0x0040205d
0x0040205d
0x00402062
0x00402073
0x0040207b
0x0040215b
0x0040215b
0x00402162
0x00402081
0x00402081
0x00402092
0x00402096
0x0040209c
0x004020a6
0x004020a8
0x004020b3
0x004020b6
0x004020c3
0x004020c5
0x004020c7
0x004020ce
0x004020d1
0x004020d1
0x004020d4
0x004020de
0x004020e6
0x004020eb
0x004020f7
0x004020f7
0x004020fa
0x00402103
0x00402106
0x0040210f
0x00402114
0x00402126
0x00402135
0x00402137
0x00402143
0x00402143
0x00402135
0x00402145
0x0040214b
0x0040214b
0x0040214e
0x00402154
0x00402159
0x0040216e
0x00000000
0x00000000
0x00000000
0x00402159
0x00402164
0x0040288e
0x0040289a

APIs

CoCreateInstance.OLE32(00407384,?,00000001,00407374,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402073
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,00409368,00000400,?,00000001,00407374,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040212D

Strings

C:\Program Files (x86)\Code Laboratories\CL-Eye Driver\Driver, xrefs: 004020AB

Memory Dump Source

Source File: 00000000.00000002.587792505.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.587773902.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587822461.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587850301.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587901452.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587919547.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587936413.0000000000436000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587943185.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_CL-Eye-Driver-5.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Program Files (x86)\Code Laboratories\CL-Eye Driver\Driver
API String ID: 123533781-2701378213
Opcode ID: 20f8b56c3263d051d76756f701b26ac218ff209cd135641c8178b13e20f06e8d
Instruction ID: 0b92ce9401c32f92a97655b67b17bc3e2e7042a2ba93bb40bff56c30807ccd12
Opcode Fuzzy Hash: 20f8b56c3263d051d76756f701b26ac218ff209cd135641c8178b13e20f06e8d
Instruction Fuzzy Hash: 94418E75A00205BFCB40DFA4CD88E9E7BBABF48354B204269FA15FB2D1CA799D41CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0040263E, Relevance: 1.5, APIs: 1, Instructions: 29
fileCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E0040263E(char __ebx, char* __edi, char* __esi) {
				void* _t19;

				if(FindFirstFileA(E004029F6(2), _t19 - 0x1a4) != 0xffffffff) {
					E00405AC4(__edi, _t6);
					_push(_t19 - 0x178);
					_push(__esi);
					E00405B66();
				} else {
					 *__edi = __ebx;
					 *__esi = __ebx;
					 *((intOrPtr*)(_t19 - 4)) = 1;
				}
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t19 - 4));
				return 0;
			}

0x00402656
0x0040266a
0x00402675
0x00402676
0x004027b1
0x00402658
0x00402658
0x0040265a
0x0040265c
0x0040265c
0x0040288e
0x0040289a

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 0040264D

Memory Dump Source

Source File: 00000000.00000002.587792505.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.587773902.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587822461.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587850301.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587901452.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587919547.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587936413.0000000000436000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587943185.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_CL-Eye-Driver-5.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: fec3e59c21f88b2afe0d858e3cd58f666a30441cfee8bf2827fa80150cba7d73
Instruction ID: b3d2387cb92b068db8966d6a1439c3c253679041c8135bb289436d91baf53d0e
Opcode Fuzzy Hash: fec3e59c21f88b2afe0d858e3cd58f666a30441cfee8bf2827fa80150cba7d73
Instruction Fuzzy Hash: 42F0A072A04201DBD700EBB49A89AEEB7789B51328F60067BE111F20C1C6B85A459B2E

Uniqueness

Uniqueness Score: -1.00%

Function 00401000, Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				intOrPtr _t115;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x423eb0; // 0x6f0858
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextA(_t128, "CL-Eye Driver Setup", 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					_t115 =  *0x423ea8; // 0x18021e
					 *((intOrPtr*)(_t102 + 4)) = _t115;
				}
				return DefWindowProcA(_a4, _a8, _a12, _t102);
			}

0x0040100a
0x00401039
0x00401047
0x0040104d
0x00401051
0x0040105b
0x00401061
0x00401064
0x004010f3
0x00401089
0x0040108c
0x004010a6
0x004010bd
0x004010cc
0x004010cf
0x004010d5
0x004010d9
0x004010e4
0x004010ed
0x004010ef
0x004010ef
0x00401100
0x00401105
0x0040110d
0x00401110
0x00401112
0x00401118
0x0040111f
0x00401126
0x00401130
0x00401142
0x00401156
0x00401160
0x00401165
0x00401165
0x00401110
0x0040116e
0x00000000
0x00401178
0x00401010
0x00401013
0x00401015
0x00401019
0x0040101f
0x0040101f
0x00000000

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32 ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32 ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,?), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,CL-Eye Driver Setup,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

CL-Eye Driver Setup, xrefs: 00401150
F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.587792505.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.587773902.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587822461.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587850301.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587901452.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587919547.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587936413.0000000000436000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587943185.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_CL-Eye-Driver-5.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: CL-Eye Driver Setup$F
API String ID: 941294808-3089066853
Opcode ID: 1fa3053a276be56ef7da5d68adfba1d9971bfb9fa2beb597bf2db4fb963a824d
Instruction ID: 81477e3a2fde3fb3f26aa953fc06e347994717d76cab2c79682594c458f31f57
Opcode Fuzzy Hash: 1fa3053a276be56ef7da5d68adfba1d9971bfb9fa2beb597bf2db4fb963a824d
Instruction Fuzzy Hash: 8141BC71804249AFCB058FA4CD459BFBFB9FF44314F00802AF551AA1A0C378EA54DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 100010EF, Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 112
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E100010EF(void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v12;
				intOrPtr _v36;
				CHAR* _v44;
				long _v56;
				CHAR* _v60;
				CHAR* _v76;
				void _v84;
				char _v88;
				signed int _t33;
				signed char _t34;
				CHAR* _t35;
				int _t38;
				int _t43;
				signed int _t48;
				void* _t55;

				_t48 = 0x12;
				memset( &_v84, 0, _t48 << 2);
				 *0x100050dc = _a8;
				 *0x100050e0 = _a16;
				 *0x100050e4 = _a12;
				_v84 = _a4;
				_v88 = 0x4c;
				_v76 = 0x100044a0;
				_v60 = 0x100048a0;
				_v56 = 0x400;
				_v36 = 0x82000;
				E10001DD9( &_v12, 5);
				E10001DD9(0x100048a0, 0x400);
				E10001DD9(0x100044a0, 0x400);
				_t33 = lstrcmpiA( &_v12, "save");
				asm("sbb edi, edi");
				_t55 =  ~_t33 + 1;
				_t34 = GetFileAttributesA(0x100048a0);
				if(_t34 != 0xffffffff && (_t34 & 0x00000010) != 0) {
					lstrcpyA(0x10004ca0, 0x100048a0);
					 *0x100048a0 =  *0x100048a0 & 0x00000000;
					_v44 = 0x10004ca0;
				}
				if( *0x100044a0 == 0) {
					lstrcpyA(0x100044a0, "All Files|*.*");
				}
				_t35 = 0x100044a0;
				if( *0x100044a0 != 0) {
					do {
						if( *_t35 != 0x7c) {
							_t35 = CharNextA(_t35);
						} else {
							 *_t35 =  *_t35 & 0x00000000;
							_t35 =  &(_t35[1]);
						}
					} while ( *_t35 != 0);
				}
				_t35[1] = _t35[1] & 0x00000000;
				GetCurrentDirectoryA(0x400, 0x100040a0);
				_push( &_v88);
				if(_t55 == 0) {
					_t38 = GetOpenFileNameA();
				} else {
					_t38 = GetSaveFileNameA();
				}
				if(_t38 != 0) {
					L19:
					_push(0x100048a0);
				} else {
					if(CommDlgExtendedError() != 0x3002) {
						L20:
						_push(0x10004098);
					} else {
						 *0x100048a0 =  *0x100048a0 & 0x00000000;
						_push( &_v88);
						if(_t55 == 0) {
							_t43 = GetOpenFileNameA();
						} else {
							_t43 = GetSaveFileNameA();
						}
						if(_t43 == 0) {
							goto L20;
						} else {
							goto L19;
						}
					}
				}
				E10001E27();
				return SetCurrentDirectoryA(??);
			}

0x100010fa
0x10001105
0x1000110f
0x10001117
0x1000111f
0x10001127
0x10001135
0x1000113c
0x1000113f
0x10001142
0x10001145
0x1000114c
0x10001153
0x1000115a
0x10001168
0x10001177
0x10001179
0x1000117a
0x10001183
0x10001193
0x10001199
0x100011a0
0x100011a0
0x100011ae
0x100011b6
0x100011b6
0x100011c3
0x100011c5
0x100011c7
0x100011ca
0x100011d3
0x100011cc
0x100011cc
0x100011cf
0x100011cf
0x100011d9
0x100011c7
0x100011de
0x100011e9
0x100011fa
0x100011fb
0x10001205
0x100011fd
0x100011fd
0x100011fd
0x10001209
0x10001235
0x10001235
0x1000120b
0x10001216
0x1000123c
0x1000123c
0x10001218
0x10001218
0x10001224
0x10001225
0x1000122f
0x10001227
0x10001227
0x10001227
0x10001233
0x00000000
0x00000000
0x00000000
0x00000000
0x10001233
0x10001216
0x10001241
0x10001251

APIs

Part of subcall function 10001DD9: lstrcpynA.KERNEL32(10001054,?,?,?,10001054,?), ref: 10001E06
Part of subcall function 10001DD9: GlobalFree.KERNEL32 ref: 10001E16

lstrcmpiA.KERNEL32(?,save,100044A0,00000400,100048A0,00000400,?,00000005), ref: 10001168
GetFileAttributesA.KERNEL32(100048A0), ref: 1000117A
lstrcpyA.KERNEL32(10004CA0,100048A0), ref: 10001193
lstrcpyA.KERNEL32(100044A0,All Files|*.*), ref: 100011B6
CharNextA.USER32(100044A0), ref: 100011D3
GetCurrentDirectoryA.KERNEL32(00000400,100040A0), ref: 100011E9
GetSaveFileNameA.COMDLG32(0000004C), ref: 100011FD
GetOpenFileNameA.COMDLG32(0000004C), ref: 10001205
CommDlgExtendedError.COMDLG32 ref: 1000120B
GetSaveFileNameA.COMDLG32(0000004C), ref: 10001227
GetOpenFileNameA.COMDLG32(0000004C), ref: 1000122F
SetCurrentDirectoryA.KERNEL32(100040A0,100048A0), ref: 10001247

Strings

save, xrefs: 10001162
L, xrefs: 10001135
All Files|*.*, xrefs: 100011B0

Memory Dump Source

Source File: 00000000.00000002.599060058.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.599048571.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.599070015.0000000010003000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.599079066.0000000010004000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.599117295.0000000010007000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_CL-Eye-Driver-5.jbxd

Similarity

API ID: File$Name$CurrentDirectoryOpenSavelstrcpy$AttributesCharCommErrorExtendedFreeGlobalNextlstrcmpilstrcpyn
String ID: All Files|*.*$L$save
API String ID: 3853173656-601108453
Opcode ID: ee7c01f886b4788410f5ea61e22284b288ee5a55540d47cc7701049f7c833bfe
Instruction ID: bda79d0c1617a53c2ae572c25b6cebfb1753f7d627be79b9d5d66e21c02e6488
Opcode Fuzzy Hash: ee7c01f886b4788410f5ea61e22284b288ee5a55540d47cc7701049f7c833bfe
Instruction Fuzzy Hash: B541ADB4901298AFF701DFA0DC98BCF3FECEB063D4F528416E601E6199CB7499148B66

Uniqueness

Uniqueness Score: -1.00%

Function 004058B4, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 144
filememoryCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E004058B4() {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t15;
				long _t16;
				intOrPtr _t18;
				int _t20;
				void* _t28;
				long _t29;
				intOrPtr* _t37;
				int _t43;
				void* _t44;
				long _t47;
				CHAR* _t49;
				void* _t51;
				void* _t53;
				intOrPtr* _t54;
				void* _t55;
				void* _t56;

				_t15 = E00405E88(1);
				_t49 =  *(_t55 + 0x18);
				if(_t15 != 0) {
					_t20 =  *_t15( *(_t55 + 0x1c), _t49, 5);
					if(_t20 != 0) {
						L16:
						 *0x423f30 =  *0x423f30 + 1;
						return _t20;
					}
				}
				 *0x422630 = 0x4c554e;
				if(_t49 == 0) {
					L5:
					_t16 = GetShortPathNameA( *(_t55 + 0x1c), 0x4220a8, 0x400);
					if(_t16 != 0 && _t16 <= 0x400) {
						_t43 = wsprintfA(0x421ca8, "%s=%s\r\n", 0x422630, 0x4220a8);
						_t18 =  *0x423eb0; // 0x6f0858
						_t56 = _t55 + 0x10;
						E00405B88(_t43, 0x400, 0x4220a8, 0x4220a8,  *((intOrPtr*)(_t18 + 0x128)));
						_t20 = E0040583D(0x4220a8, 0xc0000000, 4);
						_t53 = _t20;
						 *(_t56 + 0x14) = _t53;
						if(_t53 == 0xffffffff) {
							goto L16;
						}
						_t47 = GetFileSize(_t53, 0);
						_t7 = _t43 + 0xa; // 0xa
						_t51 = GlobalAlloc(0x40, _t47 + _t7);
						if(_t51 == 0 || ReadFile(_t53, _t51, _t47, _t56 + 0x18, 0) == 0 || _t47 !=  *(_t56 + 0x18)) {
							L15:
							_t20 = CloseHandle(_t53);
							goto L16;
						} else {
							if(E004057B2(_t51, "[Rename]\r\n") != 0) {
								_t28 = E004057B2(_t26 + 0xa, 0x409350);
								if(_t28 == 0) {
									L13:
									_t29 = _t47;
									L14:
									E004057FE(_t51 + _t29, 0x421ca8, _t43);
									SetFilePointer(_t53, 0, 0, 0);
									WriteFile(_t53, _t51, _t47 + _t43, _t56 + 0x18, 0);
									GlobalFree(_t51);
									goto L15;
								}
								_t37 = _t28 + 1;
								_t44 = _t51 + _t47;
								_t54 = _t37;
								if(_t37 >= _t44) {
									L21:
									_t53 =  *(_t56 + 0x14);
									_t29 = _t37 - _t51;
									goto L14;
								} else {
									goto L20;
								}
								do {
									L20:
									 *((char*)(_t43 + _t54)) =  *_t54;
									_t54 = _t54 + 1;
								} while (_t54 < _t44);
								goto L21;
							}
							E00405B66(_t51 + _t47, "[Rename]\r\n");
							_t47 = _t47 + 0xa;
							goto L13;
						}
					}
				} else {
					CloseHandle(E0040583D(_t49, 0, 1));
					_t16 = GetShortPathNameA(_t49, 0x422630, 0x400);
					if(_t16 != 0 && _t16 <= 0x400) {
						goto L5;
					}
				}
				return _t16;
			}

0x004058ba
0x004058c1
0x004058c5
0x004058ce
0x004058d2
0x00405a11
0x00405a11
0x00000000
0x00405a11
0x004058d2
0x004058de
0x004058f4
0x0040591c
0x00405927
0x0040592b
0x0040594b
0x0040594d
0x00405952
0x0040595c
0x00405969
0x0040596e
0x00405973
0x00405977
0x00000000
0x00000000
0x00405986
0x00405988
0x00405995
0x00405999
0x00405a0a
0x00405a0b
0x00000000
0x004059b5
0x004059c2
0x00405a27
0x00405a2e
0x004059d5
0x004059d5
0x004059d7
0x004059e0
0x004059eb
0x004059fd
0x00405a04
0x00000000
0x00405a04
0x00405a30
0x00405a31
0x00405a36
0x00405a38
0x00405a45
0x00405a45
0x00405a49
0x00000000
0x00000000
0x00000000
0x00000000
0x00405a3a
0x00405a3a
0x00405a3d
0x00405a40
0x00405a41
0x00000000
0x00405a3a
0x004059cd
0x004059d2
0x00000000
0x004059d2
0x00405999
0x004058f6
0x00405901
0x0040590a
0x0040590e
0x00000000
0x00000000
0x0040590e
0x00405a1b

APIs

Part of subcall function 00405E88: GetModuleHandleA.KERNEL32(?,?,00000000,0040327F,00000008), ref: 00405E9A
Part of subcall function 00405E88: LoadLibraryA.KERNELBASE(?,?,00000000,0040327F,00000008), ref: 00405EA5
Part of subcall function 00405E88: GetProcAddress.KERNEL32(00000000,?), ref: 00405EB6

CloseHandle.KERNEL32(00000000,?,00000000,00000001,00000001,?,00000000,?,?,00405649,?,00000000,000000F1,?), ref: 00405901
GetShortPathNameA.KERNEL32 ref: 0040590A
GetShortPathNameA.KERNEL32 ref: 00405927
wsprintfA.USER32 ref: 00405945
GetFileSize.KERNEL32(00000000,00000000,004220A8,C0000000,00000004,004220A8,?,?,?,00000000,000000F1,?), ref: 00405980
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 0040598F
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 004059A5
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,00421CA8,00000000,-0000000A,00409350,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004059EB
WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,000000F1,?), ref: 004059FD
GlobalFree.KERNEL32 ref: 00405A04
CloseHandle.KERNEL32(00000000,?,?,00000000,000000F1,?), ref: 00405A0B

Part of subcall function 004057B2: lstrlenA.KERNEL32(00000000,?,00000000,00000000,004059C0,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004057B9
Part of subcall function 004057B2: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,004059C0,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004057E9

Strings

0&B, xrefs: 004058EF
[Rename], xrefs: 004059B5, 004059C7
%s=%s, xrefs: 0040593B

Memory Dump Source

Source File: 00000000.00000002.587792505.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.587773902.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587822461.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587850301.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587901452.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587919547.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587936413.0000000000436000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587943185.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_CL-Eye-Driver-5.jbxd

Similarity

API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocFreeLibraryLoadModulePointerProcReadSizeWritewsprintf
String ID: %s=%s$0&B$[Rename]
API String ID: 3772915668-951905037
Opcode ID: 73d0c5d55c6a66a5fc5f40039b5a9282ef929e2af51c157191695387f36ba956
Instruction ID: 8912a0e40cac8f66f34925055924fb713260e7a12edb00ecfb1cfbef244c1689
Opcode Fuzzy Hash: 73d0c5d55c6a66a5fc5f40039b5a9282ef929e2af51c157191695387f36ba956
Instruction Fuzzy Hash: D9411332B05B11BBD3216B61AD88F6B3A5CDB84715F140136FE05F22C2E678A801CEBD

Uniqueness

Uniqueness Score: -1.00%

Function 06BA18E4, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 80
processstringsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E06BA18E4() {
				char _v5;
				long _v12;
				struct _PROCESS_INFORMATION _v28;
				struct _STARTUPINFOA _v96;
				char _v1119;
				char _v1120;
				CHAR* _t27;
				CHAR* _t28;
				int _t29;
				signed int _t36;
				char _t38;
				char _t39;

				_t36 = 0x10;
				memset( &(_v96.lpReserved), 0, _t36 << 2);
				_v28.hProcess = 0;
				asm("stosd");
				asm("stosd");
				_v5 = 0x20;
				asm("stosd");
				_v96.cb = 0x44;
				lstrcpynA( &_v1120, GetCommandLineA(), 0x400);
				_t27 =  &_v1120;
				if(_v1120 == 0x22) {
					_v5 = 0x22;
					_t27 =  &_v1119;
				}
				while(1) {
					_t38 =  *_t27;
					if(_t38 == 0) {
						break;
					}
					if(_t38 == _v5) {
						break;
					}
					_t27 = CharNextA(_t27);
				}
				_t28 = CharNextA(_t27);
				while(1) {
					_t39 =  *_t28;
					if(_t39 == 0) {
						break;
					}
					if(_t39 != 0x20) {
						break;
					}
					_t28 =  &(_t28[1]);
				}
				_t29 = CreateProcessA(0, _t28, 0, 0, 1, 0, 0, 0,  &_v96,  &_v28);
				_v12 = _t29;
				if(_t29 == 0) {
					ExitProcess(0xc000001d);
				}
				WaitForSingleObject(_v28.hProcess, 0xffffffff);
				GetExitCodeProcess(_v28.hProcess,  &_v12);
				CloseHandle(_v28);
				CloseHandle(_v28.hThread);
				ExitProcess(_v12);
			}

0x06ba18f2
0x06ba18fa
0x06ba18ff
0x06ba1902
0x06ba1903
0x06ba1909
0x06ba190d
0x06ba190e
0x06ba1923
0x06ba1930
0x06ba1936
0x06ba1938
0x06ba193c
0x06ba193c
0x06ba1952
0x06ba1952
0x06ba1956
0x00000000
0x00000000
0x06ba194d
0x00000000
0x00000000
0x06ba1950
0x06ba1950
0x06ba1959
0x06ba1963
0x06ba1963
0x06ba1967
0x00000000
0x00000000
0x06ba1960
0x00000000
0x00000000
0x06ba1962
0x06ba1962
0x06ba197a
0x06ba1982
0x06ba1985
0x06ba19bd
0x06ba19bd
0x06ba198c
0x06ba1999
0x06ba19a8
0x06ba19ad
0x06ba19b2

APIs

GetCommandLineA.KERNEL32(00000400), ref: 06BA1915
lstrcpynA.KERNEL32(?,00000000), ref: 06BA1923
CharNextA.USER32(00000022), ref: 06BA1950
CharNextA.USER32(00000022), ref: 06BA1959
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000044,?), ref: 06BA197A
WaitForSingleObject.KERNEL32(?,000000FF), ref: 06BA198C
GetExitCodeProcess.KERNEL32 ref: 06BA1999
CloseHandle.KERNEL32(?), ref: 06BA19A8
CloseHandle.KERNEL32(?), ref: 06BA19AD
ExitProcess.KERNEL32 ref: 06BA19B2
ExitProcess.KERNEL32 ref: 06BA19BD

Strings

", xrefs: 06BA1929
", xrefs: 06BA1938
D, xrefs: 06BA190E

Memory Dump Source

Source File: 00000000.00000002.595156484.0000000006BA1000.00000020.00020000.sdmp, Offset: 06BA0000, based on PE: true

Associated: 00000000.00000002.595142650.0000000006BA0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.595165151.0000000006BA2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.595178631.0000000006BA3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.595187315.0000000006BA4000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ba0000_CL-Eye-Driver-5.jbxd

Similarity

API ID: Process$Exit$CharCloseHandleNext$CodeCommandCreateLineObjectSingleWaitlstrcpyn
String ID: "$"$D
API String ID: 3771911414-3923985841
Opcode ID: 4c2bcd5019bce8e77500fecdcb6fbe4fd8e4c1673b224e628d3d4227a0b57ae3
Instruction ID: 2c647b421bf036123bbee830014e2a2fb057d46414aef6b5f0873483f36b2030
Opcode Fuzzy Hash: 4c2bcd5019bce8e77500fecdcb6fbe4fd8e4c1673b224e628d3d4227a0b57ae3
Instruction Fuzzy Hash: 96212BF1C0425DBFEF619BA4CC59AEFBF7AEB04311F444091E745A3192C6701A49CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 068825FE, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 140
memoryCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E068825FE(void* __edx, intOrPtr* _a4) {
				intOrPtr _v4;
				intOrPtr* _t18;
				intOrPtr _t21;
				void* _t23;
				short* _t24;
				void* _t25;
				void* _t30;
				void* _t32;
				void* _t34;
				int _t36;
				void* _t39;
				void* _t42;
				intOrPtr _t52;
				short** _t55;
				void* _t60;
				int _t61;
				int _t62;
				void* _t63;
				short** _t64;
				void* _t65;
				void* _t66;

				_t60 = __edx;
				_t18 = _a4;
				_t52 =  *((intOrPtr*)(_t18 + 0x814));
				_v4 = _t52;
				_t55 = (_t52 + 0x41 << 5) + _t18;
				do {
					if( *((intOrPtr*)(_t55 - 4)) != 0xffffffff) {
						_t64 = _t55;
					} else {
						_t64 =  *_t55;
					}
					_t65 = E06881541();
					_t61 = 0;
					_t21 =  *((intOrPtr*)(_t55 - 8));
					if(_t21 == 0) {
						lstrcpyA(_t65, 0x6884034);
					} else {
						_t30 = _t21 - 1;
						if(_t30 == 0) {
							_push( *_t64);
							goto L12;
						} else {
							_t32 = _t30 - 1;
							if(_t32 == 0) {
								E0688176C(_t60,  *_t64, _t64[1], _t65);
								goto L13;
							} else {
								_t34 = _t32 - 1;
								if(_t34 == 0) {
									_t62 = lstrlenA( *_t64);
									_t36 =  *0x6884058;
									if(_t62 >= _t36) {
										_t62 = _t36 - 1;
									}
									_t7 = _t62 + 1; // 0x1
									lstrcpynA(_t65,  *_t64, _t7);
									 *(_t62 + _t65) =  *(_t62 + _t65) & 0x00000000;
									goto L15;
								} else {
									_t39 = _t34 - 1;
									if(_t39 == 0) {
										WideCharToMultiByte(0, 0,  *_t64,  *0x6884058, _t65,  *0x6884058, 0, 0);
									} else {
										_t42 = _t39 - 1;
										if(_t42 == 0) {
											_t63 = GlobalAlloc(0x40,  *0x6884058 +  *0x6884058);
											__imp__StringFromGUID2( *_t64, _t63,  *0x6884058 +  *0x6884058);
											WideCharToMultiByte(0, 0, _t63,  *0x6884058, _t65,  *0x6884058, 0, 0);
											GlobalFree(_t63);
											L15:
											_t61 = 0;
										} else {
											if(_t42 == 1) {
												_push( *_t55);
												L12:
												wsprintfA(_t65, 0x6884008);
												L13:
												_t66 = _t66 + 0xc;
											}
										}
									}
								}
							}
						}
					}
					_t23 = _t55[5];
					if(_t23 != _t61 && ( *_a4 != 2 ||  *((intOrPtr*)(_t55 - 4)) > _t61)) {
						GlobalFree(_t23);
					}
					_t24 = _t55[4];
					if(_t24 != _t61) {
						if(_t24 != 0xffffffff) {
							if(_t24 > _t61) {
								E0688160E(_t24 - 1, _t65);
								goto L32;
							}
						} else {
							E0688159E(_t65);
							L32:
						}
					}
					_t25 = GlobalFree(_t65);
					_v4 = _v4 - 1;
					_t55 = _t55 - 0x20;
				} while (_v4 >= _t61);
				return _t25;
			}

0x068825fe
0x068825ff
0x06882606
0x0688260d
0x06882617
0x06882619
0x0688261d
0x06882623
0x0688261f
0x0688261f
0x0688261f
0x0688262a
0x0688262f
0x06882631
0x06882633
0x0688270c
0x06882639
0x06882639
0x0688263a
0x068826ff
0x00000000
0x06882640
0x06882640
0x06882641
0x068826f5
0x00000000
0x06882647
0x06882647
0x06882648
0x068826ce
0x068826d0
0x068826d7
0x068826d9
0x068826d9
0x068826dc
0x068826e3
0x068826e9
0x00000000
0x0688264a
0x0688264a
0x0688264b
0x068826be
0x0688264d
0x0688264d
0x0688264e
0x0688267d
0x0688268a
0x0688269f
0x068826a6
0x068826ac
0x068826ac
0x06882650
0x06882651
0x06882657
0x06882659
0x0688265f
0x06882665
0x06882665
0x06882665
0x06882651
0x0688264e
0x0688264b
0x06882648
0x06882641
0x0688263a
0x06882712
0x06882717
0x06882728
0x06882728
0x0688272e
0x06882733
0x06882738
0x06882744
0x06882749
0x00000000
0x0688274e
0x0688273a
0x0688273b
0x0688274f
0x0688274f
0x06882738
0x06882751
0x06882757
0x0688275b
0x0688275e
0x0688276d

APIs

wsprintfA.USER32 ref: 0688265F
GlobalAlloc.KERNEL32(00000040,?,?,?,?,00000000,00000001,06881A8A,00000000), ref: 06882677
StringFromGUID2.OLE32(?,00000000,?,?,?,?,00000000,00000001,06881A8A,00000000), ref: 0688268A
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000000,00000001,06881A8A,00000000), ref: 0688269F
GlobalFree.KERNEL32 ref: 068826A6

Part of subcall function 0688160E: lstrcpyA.KERNEL32(-06884047,00000000,?,0688118F,?,00000000), ref: 06881636

GlobalFree.KERNEL32 ref: 06882728
GlobalFree.KERNEL32 ref: 06882751

Strings

{t@ut, xrefs: 0688268A

Memory Dump Source

Source File: 00000000.00000002.594659633.0000000006881000.00000020.00020000.sdmp, Offset: 06880000, based on PE: true

Associated: 00000000.00000002.594653439.0000000006880000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.594671367.0000000006883000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.594679270.0000000006885000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6880000_CL-Eye-Driver-5.jbxd

Similarity

API ID: Global$Free$AllocByteCharFromMultiStringWidelstrcpywsprintf
String ID: {t@ut
API String ID: 2278267121-3262140062
Opcode ID: 84d78ba1b4687edef18dbb8d322a30fbbcf502458e1478232fd94c3cc1638520
Instruction ID: 4b693423cfd0bfd3fe72eb962b583248bc98a26292247712d29170b12b011f10
Opcode Fuzzy Hash: 84d78ba1b4687edef18dbb8d322a30fbbcf502458e1478232fd94c3cc1638520
Instruction Fuzzy Hash: D641BE3250420AEFDBA1BB69DD98D3FBBFAFB847447110519FB52CA140DB31A900DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 100014CA, Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 202
windowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E100014CA(struct HWND__* _a4, int _a8, unsigned int _a12, long _a16) {
				struct tagRECT _v20;
				char _v1044;
				int _t62;
				signed int _t66;
				intOrPtr _t75;
				signed int _t76;
				void* _t88;
				void* _t95;
				intOrPtr* _t101;
				struct HWND__* _t102;
				intOrPtr _t105;
				intOrPtr _t106;
				unsigned int _t110;
				void* _t111;
				void* _t115;
				signed int _t117;
				intOrPtr* _t119;
				intOrPtr* _t120;

				_t62 = _a8;
				if(_t62 == 2) {
					_t111 = 0;
					if( *0x100050d4 <= 0) {
						L48:
						return 0;
					}
					_t115 = 0;
					do {
						RemovePropA( *(_t115 +  *0x100050d8), "NSIS: nsControl pointer property");
						_t111 = _t111 + 1;
						_t115 = _t115 + 0x418;
					} while (_t111 <  *0x100050d4);
					goto L48;
				}
				_t101 = _a16;
				if(_t62 == 0x2b) {
					L28:
					_t66 =  *(_t101 + 0x10);
					_a12 = _t66 & 0x00000100;
					_a16 = _t66 & 0x00000200;
					if(E100013C6( *(_t101 + 0x14)) == 0) {
						goto L48;
					}
					asm("movsd");
					asm("movsd");
					_v1044 = _v1044 & 0x00000000;
					asm("movsd");
					asm("movsd");
					GetWindowTextA( *(_t101 + 0x14),  &_v1044, 0x400);
					DrawTextA( *(_t101 + 0x18),  &_v1044, 0xffffffff,  &_v20, 0x414);
					_t105 =  *((intOrPtr*)(_t101 + 0x24));
					_t75 = _v20.right + 2;
					_v20.right = _t75;
					if(_t75 >= _t105) {
						_v20.right = _t105;
					}
					_t76 =  *0x100050cc;
					if(_t76 != 0) {
						_v20.right = _t105;
						_v20.left = _v20.left + _t105 - _v20.right;
					}
					if(( *(_t101 + 0xc) & 0x00000001) != 0) {
						asm("sbb eax, eax");
						_t117 =  ~_t76 & 0x00020000;
						if(_a12 != 0) {
							_t117 = _t117 | 0x00100000;
						}
						if(GetWindowLongA( *(_t101 + 0x14), 0xffffffeb) == 0) {
							SetTextColor( *(_t101 + 0x18), 0xff0000);
						}
						DrawTextA( *(_t101 + 0x18),  &_v1044, 0xffffffff,  &_v20, _t117 | 0x00000015);
					}
					if(( *(_t101 + 0x10) & 0x00000010) == 0 || ( *(_t101 + 0xc) & 0x00000001) == 0) {
						if(( *(_t101 + 0xc) & 0x00000004) == 0) {
							goto L44;
						}
						goto L42;
					} else {
						L42:
						if(_a16 == 0) {
							DrawFocusRect( *(_t101 + 0x18),  &_v20);
						}
						L44:
						return 1;
					}
				}
				if(_t62 == 0x4e) {
					_t88 = E100013C6( *_t101);
					if(_t88 == 0) {
						goto L48;
					}
					_t16 = _t88 + 0x410; // 0x410
					_t119 = _t16;
					if( *_t119 == 0) {
						goto L48;
					}
					L10002016();
					L10002016();
					L10002016();
					 *((intOrPtr*)( *0x100050a0 + 4))( *_t119 - 1, 0,  *_t101,  *((intOrPtr*)(_t101 + 8)), _t101);
					goto L28;
				}
				if(_t62 == 0x111) {
					_t102 = GetDlgItem(_a4, _a12 & 0x0000ffff);
					_t95 = E100013C6(_t102);
					if(_t95 == 0) {
						goto L48;
					}
					_t110 = _a12 >> 0x10;
					if(_t110 != 0) {
						L12:
						if(_t110 != 0x300 ||  *((intOrPtr*)(_t95 + 4)) != 2) {
							if(_t110 != 1 ||  *((intOrPtr*)(_t95 + 4)) != 4) {
								if(_t110 == 6 || _t110 == 1) {
									if( *((intOrPtr*)(_t95 + 4)) != 3) {
										goto L22;
									}
									goto L19;
								} else {
									L22:
									if(_t110 != 0 ||  *((intOrPtr*)(_t95 + 4)) != 7) {
										goto L48;
									} else {
										L24:
										_t15 = _t95 + 0x408; // 0x408
										_t120 = _t15;
										goto L20;
									}
								}
							} else {
								goto L19;
							}
						} else {
							L19:
							_t12 = _t95 + 0x40c; // 0x40c
							_t120 = _t12;
							L20:
							if( *_t120 != 0) {
								L10002016();
								 *((intOrPtr*)( *0x100050a0 + 4))( *_t120 - 1, 0, _t102);
							}
							goto L48;
						}
					}
					_t106 =  *((intOrPtr*)(_t95 + 4));
					if(_t106 == 1 || _t106 == 8) {
						goto L24;
					} else {
						goto L12;
					}
				}
				if(_t62 > 0x132 && (_t62 <= 0x136 || _t62 == 0x138)) {
					return SendMessageA( *0x100050c4, _t62, _a12, _a16);
				}
				goto L48;
			}

0x100014d3
0x100014dc
0x10001722
0x1000172a
0x10001750
0x00000000
0x10001750
0x1000172c
0x1000172e
0x1000173b
0x10001741
0x10001742
0x10001748
0x00000000
0x1000172e
0x100014e2
0x100014e8
0x10001618
0x10001618
0x1000162b
0x1000162e
0x10001638
0x00000000
0x00000000
0x10001644
0x10001645
0x10001646
0x10001653
0x1000165d
0x1000165e
0x1000167f
0x10001684
0x10001687
0x1000168c
0x1000168f
0x10001691
0x10001691
0x10001694
0x1000169b
0x100016a2
0x100016a5
0x100016a5
0x100016ac
0x100016b0
0x100016bb
0x100016bd
0x100016bf
0x100016bf
0x100016d2
0x100016dc
0x100016dc
0x100016f6
0x100016f6
0x100016fc
0x10001708
0x00000000
0x00000000
0x00000000
0x1000170a
0x1000170a
0x1000170e
0x10001717
0x10001717
0x1000171d
0x00000000
0x1000171f
0x100016fc
0x100014f1
0x100015d9
0x100015e0
0x00000000
0x00000000
0x100015e6
0x100015e6
0x100015ef
0x00000000
0x00000000
0x100015f6
0x100015fe
0x10001605
0x10001615
0x00000000
0x10001615
0x100014fc
0x10001541
0x10001544
0x1000154d
0x00000000
0x00000000
0x10001556
0x1000155c
0x1000156b
0x10001570
0x1000157c
0x10001588
0x10001594
0x00000000
0x00000000
0x00000000
0x100015bc
0x100015bc
0x100015bf
0x00000000
0x100015cf
0x100015cf
0x100015cf
0x100015cf
0x00000000
0x100015cf
0x100015bf
0x00000000
0x00000000
0x00000000
0x10001596
0x10001596
0x10001596
0x10001596
0x1000159c
0x1000159e
0x100015a5
0x100015b4
0x100015b4
0x00000000
0x1000159e
0x10001570
0x1000155e
0x10001564
0x00000000
0x00000000
0x00000000
0x00000000
0x10001564
0x10001503
0x00000000
0x10001528
0x00000000

APIs

SendMessageA.USER32(?,?,?), ref: 10001528
GetDlgItem.USER32 ref: 1000153B
GetWindowTextA.USER32 ref: 1000165E
DrawTextA.USER32(?,00000000,000000FF,?,00000414), ref: 1000167F
GetWindowLongA.USER32 ref: 100016CA
SetTextColor.GDI32(?,00FF0000), ref: 100016DC
DrawTextA.USER32(?,00000000,000000FF,00000000,?), ref: 100016F6
DrawFocusRect.USER32 ref: 10001717
RemovePropA.USER32 ref: 1000173B

Strings

NSIS: nsControl pointer property, xrefs: 10001733

Memory Dump Source

Source File: 00000000.00000002.599060058.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.599048571.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.599070015.0000000010003000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.599079066.0000000010004000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.599117295.0000000010007000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_CL-Eye-Driver-5.jbxd

Similarity

API ID: Text$Draw$Window$ColorFocusItemLongMessagePropRectRemoveSend
String ID: NSIS: nsControl pointer property
API String ID: 2331901045-1714965683
Opcode ID: 9008170855da100c46308c438ae93dbef14aeab86a4d14ed565dbd1c12c23fe5
Instruction ID: a25cf0b58983efc43e1d94949bc1ea38fb28a260226272d23706f895723df3db
Opcode Fuzzy Hash: 9008170855da100c46308c438ae93dbef14aeab86a4d14ed565dbd1c12c23fe5
Instruction Fuzzy Hash: B7718C7090461A9BFB11CF64CC84BEA7BFAFB443C1F118565E905AA1AEC771DC80CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06882440, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 136
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E06882440(void* __edx, intOrPtr _a4) {
				signed int _v4;
				CHAR* _t32;
				intOrPtr _t33;
				void* _t34;
				void* _t36;
				void* _t43;
				void** _t49;
				CHAR* _t58;
				void* _t59;
				signed int* _t60;
				void* _t61;
				intOrPtr* _t62;
				CHAR* _t63;
				void* _t73;

				_t59 = __edx;
				_v4 = 0 |  *((intOrPtr*)(_a4 + 0x814)) > 0x00000000;
				while(1) {
					_t9 = _a4 + 0x818; // 0x818
					_t62 = (_v4 << 5) + _t9;
					_t32 =  *(_t62 + 0x14);
					if(_t32 == 0) {
						goto L9;
					}
					_t58 = 0x1a;
					if(_t32 == _t58) {
						goto L9;
					}
					if(_t32 != 0xffffffff) {
						if(_t32 <= 0 || _t32 > 0x19) {
							 *(_t62 + 0x14) = _t58;
						} else {
							_t32 = E068815E5(_t32 - 1);
							L10:
						}
						goto L11;
					} else {
						_t32 = E06881561();
						L11:
						_t63 = _t32;
						_t13 = _t62 + 8; // 0x820
						_t60 = _t13;
						if( *((intOrPtr*)(_t62 + 4)) != 0xffffffff) {
							_t49 = _t60;
						} else {
							_t49 =  *_t60;
						}
						_t33 =  *_t62;
						 *(_t62 + 0x1c) =  *(_t62 + 0x1c) & 0x00000000;
						if(_t33 == 0) {
							 *_t60 =  *_t60 & 0x00000000;
						} else {
							if(_t33 == 1) {
								_t36 = E06881641(_t63);
								L27:
								 *_t49 = _t36;
								L31:
								_t34 = GlobalFree(_t63);
								if(_v4 == 0) {
									return _t34;
								}
								if(_v4 !=  *((intOrPtr*)(_a4 + 0x814))) {
									_v4 = _v4 + 1;
								} else {
									_v4 = _v4 & 0x00000000;
								}
								continue;
							}
							if(_t33 == 2) {
								 *_t49 = E06881641(_t63);
								_t49[1] = _t59;
								goto L31;
							}
							_t73 = _t33 - 3;
							if(_t73 == 0) {
								_t36 = E06881550(_t63);
								 *(_t62 + 0x1c) = _t36;
								goto L27;
							}
							if(_t73 > 0) {
								if(_t33 <= 5) {
									_t61 = GlobalAlloc(0x40,  *0x6884058 +  *0x6884058);
									 *(_t62 + 0x1c) = _t61;
									MultiByteToWideChar(0, 0, _t63,  *0x6884058, _t61,  *0x6884058);
									if( *_t62 != 5) {
										 *_t49 = _t61;
									} else {
										_t43 = GlobalAlloc(0x40, 0x10);
										 *(_t62 + 0x1c) = _t43;
										 *_t49 = _t43;
										__imp__CLSIDFromString(_t61, _t43);
										GlobalFree(_t61);
									}
								} else {
									if(_t33 == 6 && lstrlenA(_t63) > 0) {
										 *_t60 = E0688276E(E06881641(_t63));
									}
								}
							}
						}
						goto L31;
					}
					L9:
					_t32 = E06881550(0x6884034);
					goto L10;
				}
			}

0x06882440
0x06882454
0x06882458
0x06882463
0x06882463
0x0688246a
0x0688246f
0x00000000
0x00000000
0x06882473
0x06882476
0x00000000
0x00000000
0x0688247b
0x06882486
0x06882496
0x0688248d
0x0688248f
0x068824a5
0x068824a5
0x00000000
0x0688247d
0x0688247d
0x068824a6
0x068824aa
0x068824ac
0x068824ac
0x068824af
0x068824b5
0x068824b1
0x068824b1
0x068824b1
0x068824b7
0x068824b9
0x068824bf
0x0688258a
0x068824c5
0x068824c8
0x06882583
0x0688256f
0x06882570
0x0688258d
0x0688258e
0x06882599
0x068825c3
0x068825c3
0x068825a9
0x068825b5
0x068825ab
0x068825ab
0x068825ab
0x00000000
0x068825a9
0x068824d1
0x0688257b
0x0688257d
0x00000000
0x0688257d
0x068824d7
0x068824da
0x06882567
0x0688256c
0x00000000
0x0688256c
0x068824e0
0x068824e9
0x06882525
0x06882527
0x06882537
0x06882540
0x06882562
0x06882542
0x06882546
0x0688254d
0x06882551
0x06882553
0x0688255a
0x0688255a
0x068824eb
0x068824ee
0x06882510
0x06882512
0x068824ee
0x068824e9
0x068824e0
0x00000000
0x068824bf
0x0688249b
0x068824a0
0x00000000
0x068824a0

APIs

lstrlenA.KERNEL32(?), ref: 068824F5
GlobalAlloc.KERNEL32(00000040,?), ref: 0688251F
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 06882537
GlobalAlloc.KERNEL32(00000040,00000010), ref: 06882546
CLSIDFromString.OLE32(00000000,00000000), ref: 06882553
GlobalFree.KERNEL32 ref: 0688255A
GlobalFree.KERNEL32 ref: 0688258E

Part of subcall function 06881550: lstrcpyA.KERNEL32(00000000,?,06881607,?,068811A1,-000000A0), ref: 0688155A

Strings

@ut, xrefs: 06882553

Memory Dump Source

Source File: 00000000.00000002.594659633.0000000006881000.00000020.00020000.sdmp, Offset: 06880000, based on PE: true

Associated: 00000000.00000002.594653439.0000000006880000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.594671367.0000000006883000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.594679270.0000000006885000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6880000_CL-Eye-Driver-5.jbxd

Similarity

API ID: Global$AllocFree$ByteCharFromMultiStringWidelstrcpylstrlen
String ID: @ut
API String ID: 520554397-3384101347
Opcode ID: 1b925d6b4f7a463db8f15e5cccd209cd588a2946625b69885003f043ab92b04e
Instruction ID: bce869a517c53fd3ac1dd463263c8497296d5114cfbc53713a11bf2f8ef651d5
Opcode Fuzzy Hash: 1b925d6b4f7a463db8f15e5cccd209cd588a2946625b69885003f043ab92b04e
Instruction Fuzzy Hash: ED41B07154430A9FE7F0FF6888A4B3E77E8FB84715F100919E666DA184DB70A640CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 00405DC8, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405DC8(CHAR* _a4) {
				char _t5;
				char _t7;
				char* _t15;
				char* _t16;
				CHAR* _t17;

				_t17 = _a4;
				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
					_t17 =  &(_t17[4]);
				}
				if( *_t17 != 0 && E004056C6(_t17) != 0) {
					_t17 =  &(_t17[2]);
				}
				_t5 =  *_t17;
				_t15 = _t17;
				_t16 = _t17;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((char*)(E00405684("*?|<>/\":", _t5))) == 0) {
							E004057FE(_t16, _t17, CharNextA(_t17) - _t17);
							_t16 = CharNextA(_t16);
						}
						_t17 = CharNextA(_t17);
						_t5 =  *_t17;
					} while (_t5 != 0);
				}
				 *_t16 =  *_t16 & 0x00000000;
				while(1) {
					_t16 = CharPrevA(_t15, _t16);
					_t7 =  *_t16;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t16 =  *_t16 & 0x00000000;
					if(_t15 < _t16) {
						continue;
					}
					break;
				}
				return _t7;
			}

0x00405dca
0x00405dd2
0x00405de6
0x00405de6
0x00405dec
0x00405df9
0x00405df9
0x00405dfa
0x00405dfc
0x00405e00
0x00405e02
0x00405e0b
0x00405e0d
0x00405e27
0x00405e2f
0x00405e2f
0x00405e34
0x00405e36
0x00405e38
0x00405e3c
0x00405e3d
0x00405e40
0x00405e48
0x00405e4a
0x00405e4e
0x00000000
0x00000000
0x00405e54
0x00405e59
0x00000000
0x00000000
0x00000000
0x00405e59
0x00405e5e

APIs

CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,00403214,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 00405E20
CharNextA.USER32(?,?,?,00000000), ref: 00405E2D
CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,00403214,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 00405E32
CharPrevA.USER32(?,?,"C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,00403214,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 00405E42

Strings

"C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe" , xrefs: 00405DCE
*?|<>/":, xrefs: 00405E10
C:\Users\user\AppData\Local\Temp\, xrefs: 00405DC9, 00405E04

Memory Dump Source

Source File: 00000000.00000002.587792505.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.587773902.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587822461.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587850301.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587901452.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587919547.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587936413.0000000000436000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587943185.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_CL-Eye-Driver-5.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe" $*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-2461623915
Opcode ID: d60fa47d96b079028a76cfcdb2d30976ede71f36b1f4f1e1bc9c50cb25bd2be5
Instruction ID: 3b6179abbfe29fc78842bf11aa846075366cc437f950451d76d565b88bc2b460
Opcode Fuzzy Hash: d60fa47d96b079028a76cfcdb2d30976ede71f36b1f4f1e1bc9c50cb25bd2be5
Instruction Fuzzy Hash: A0110861805B9129EB3227284C48BBB7F89CF66754F18447FD8C4722C2C67C5D429FAD

Uniqueness

Uniqueness Score: -1.00%

Function 00403F7F, Relevance: 12.1, APIs: 8, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403F7F(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t35;
				long _t37;
				void* _t40;
				long* _t49;

				if(_a4 + 0xfffffecd > 5) {
					L15:
					return 0;
				}
				_t49 = GetWindowLongA(_a12, 0xffffffeb);
				if(_t49 == 0) {
					goto L15;
				}
				_t35 =  *_t49;
				if((_t49[5] & 0x00000002) != 0) {
					_t35 = GetSysColor(_t35);
				}
				if((_t49[5] & 0x00000001) != 0) {
					SetTextColor(_a8, _t35);
				}
				SetBkMode(_a8, _t49[4]);
				_t37 = _t49[1];
				_v16.lbColor = _t37;
				if((_t49[5] & 0x00000008) != 0) {
					_t37 = GetSysColor(_t37);
					_v16.lbColor = _t37;
				}
				if((_t49[5] & 0x00000004) != 0) {
					SetBkColor(_a8, _t37);
				}
				if((_t49[5] & 0x00000010) != 0) {
					_v16.lbStyle = _t49[2];
					_t40 = _t49[3];
					if(_t40 != 0) {
						DeleteObject(_t40);
					}
					_t49[3] = CreateBrushIndirect( &_v16);
				}
				return _t49[3];
			}

0x00403f91
0x00404025
0x00000000
0x00404025
0x00403fa2
0x00403fa6
0x00000000
0x00000000
0x00403fac
0x00403fb5
0x00403fb8
0x00403fb8
0x00403fbe
0x00403fc4
0x00403fc4
0x00403fd0
0x00403fd6
0x00403fdd
0x00403fe0
0x00403fe3
0x00403fe5
0x00403fe5
0x00403fed
0x00403ff3
0x00403ff3
0x00403ffd
0x00404002
0x00404005
0x0040400a
0x0040400d
0x0040400d
0x0040401d
0x0040401d
0x00000000

APIs

GetWindowLongA.USER32 ref: 00403F9C
GetSysColor.USER32(00000000), ref: 00403FB8
SetTextColor.GDI32(?,00000000), ref: 00403FC4
SetBkMode.GDI32(?,?), ref: 00403FD0
GetSysColor.USER32(?), ref: 00403FE3
SetBkColor.GDI32(?,?), ref: 00403FF3
DeleteObject.GDI32(?), ref: 0040400D
CreateBrushIndirect.GDI32(?), ref: 00404017

Memory Dump Source

Source File: 00000000.00000002.587792505.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.587773902.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587822461.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587850301.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587901452.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587919547.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587936413.0000000000436000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587943185.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_CL-Eye-Driver-5.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
Instruction ID: 4cc26f8bf5fc777f430f8318c3ba194748f169832e683f7fcd21add738ba3f9d
Opcode Fuzzy Hash: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
Instruction Fuzzy Hash: C221C371904705ABCB209F78DD08B4BBBF8AF40711F048A29F992F26E0C738E904CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0040267C, Relevance: 10.6, APIs: 7, Instructions: 89
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0040267C(struct _OVERLAPPED* __ebx) {
				void* _t27;
				long _t32;
				struct _OVERLAPPED* _t47;
				void* _t51;
				void* _t53;
				void* _t56;
				void* _t57;
				void* _t58;

				_t47 = __ebx;
				 *(_t58 - 8) = 0xfffffd66;
				_t52 = E004029F6(0xfffffff0);
				 *(_t58 - 0x44) = _t24;
				if(E004056C6(_t52) == 0) {
					E004029F6(0xffffffed);
				}
				E0040581E(_t52);
				_t27 = E0040583D(_t52, 0x40000000, 2);
				 *(_t58 + 8) = _t27;
				if(_t27 != 0xffffffff) {
					_t32 =  *0x423eb4; // 0xea00
					 *(_t58 - 0x2c) = _t32;
					_t51 = GlobalAlloc(0x40, _t32);
					if(_t51 != _t47) {
						E004031F1(_t47);
						E004031BF(_t51,  *(_t58 - 0x2c));
						_t56 = GlobalAlloc(0x40,  *(_t58 - 0x1c));
						 *(_t58 - 0x30) = _t56;
						if(_t56 != _t47) {
							E00402F18(_t49,  *((intOrPtr*)(_t58 - 0x20)), _t47, _t56,  *(_t58 - 0x1c));
							while( *_t56 != _t47) {
								_t49 =  *_t56;
								_t57 = _t56 + 8;
								 *(_t58 - 0x38) =  *_t56;
								E004057FE( *((intOrPtr*)(_t56 + 4)) + _t51, _t57, _t49);
								_t56 = _t57 +  *(_t58 - 0x38);
							}
							GlobalFree( *(_t58 - 0x30));
						}
						WriteFile( *(_t58 + 8), _t51,  *(_t58 - 0x2c), _t58 - 8, _t47);
						GlobalFree(_t51);
						 *(_t58 - 8) = E00402F18(_t49, 0xffffffff,  *(_t58 + 8), _t47, _t47);
					}
					CloseHandle( *(_t58 + 8));
				}
				_t53 = 0xfffffff3;
				if( *(_t58 - 8) < _t47) {
					_t53 = 0xffffffef;
					DeleteFileA( *(_t58 - 0x44));
					 *((intOrPtr*)(_t58 - 4)) = 1;
				}
				_push(_t53);
				E00401423();
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t58 - 4));
				return 0;
			}

0x0040267c
0x0040267e
0x0040268a
0x0040268d
0x00402697
0x0040269b
0x0040269b
0x004026a1
0x004026ae
0x004026b6
0x004026b9
0x004026bf
0x004026cd
0x004026d2
0x004026d6
0x004026d9
0x004026e2
0x004026ee
0x004026f2
0x004026f5
0x004026ff
0x0040271e
0x00402706
0x0040270b
0x00402713
0x00402716
0x0040271b
0x0040271b
0x00402725
0x00402725
0x00402737
0x0040273e
0x00402750
0x00402750
0x00402756
0x00402756
0x00402761
0x00402762
0x00402766
0x0040276a
0x00402770
0x00402770
0x00402777
0x00402164
0x0040288e
0x0040289a

APIs

GlobalAlloc.KERNEL32(00000040,0000EA00,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 004026D0
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,000000F0), ref: 004026EC
GlobalFree.KERNEL32 ref: 00402725
WriteFile.KERNEL32(FFFFFD66,00000000,?,FFFFFD66,?,?,?,?,000000F0), ref: 00402737
GlobalFree.KERNEL32 ref: 0040273E
CloseHandle.KERNEL32(FFFFFD66,?,?,000000F0), ref: 00402756
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 0040276A

Memory Dump Source

Source File: 00000000.00000002.587792505.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.587773902.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587822461.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587850301.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587901452.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587919547.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587936413.0000000000436000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587943185.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_CL-Eye-Driver-5.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID:
API String ID: 3294113728-0
Opcode ID: bbe2febf2a7676208e468084a2903d6f0f847cdd20ad645bfaea5cc140744c11
Instruction ID: 719c612f4f238206e278f6e296a81204df483451b361404a9b6a09c3536a307a
Opcode Fuzzy Hash: bbe2febf2a7676208e468084a2903d6f0f847cdd20ad645bfaea5cc140744c11
Instruction Fuzzy Hash: F831AD71C00128BBDF216FA4CD89DAE7E79EF08364F10423AF920772E0C6795D419BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00402BD3, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402BD3(intOrPtr _a4) {
				char _v68;
				long _t6;
				struct HWND__* _t7;
				struct HWND__* _t15;

				if(_a4 != 0) {
					_t15 =  *0x41704c; // 0x0
					if(_t15 != 0) {
						_t15 = DestroyWindow(_t15);
					}
					 *0x41704c = 0;
					return _t15;
				}
				__eflags =  *0x41704c; // 0x0
				if(__eflags != 0) {
					return E00405EC1(0);
				}
				_t6 = GetTickCount();
				__eflags = _t6 -  *0x423eac;
				if(_t6 >  *0x423eac) {
					__eflags =  *0x423ea8; // 0x18021e
					if(__eflags == 0) {
						_t7 = CreateDialogParamA( *0x423ea0, 0x6f, 0, E00402B3B, 0);
						 *0x41704c = _t7;
						return ShowWindow(_t7, 5);
					}
					__eflags =  *0x423f54 & 0x00000001;
					if(( *0x423f54 & 0x00000001) != 0) {
						wsprintfA( &_v68, "... %d%%", E00402BB7());
						return E00404F04(0,  &_v68);
					}
				}
				return _t6;
			}

0x00402bdf
0x00402be1
0x00402be8
0x00402beb
0x00402beb
0x00402bf1
0x00000000
0x00402bf1
0x00402bf9
0x00402bff
0x00000000
0x00402c02
0x00402c09
0x00402c0f
0x00402c15
0x00402c17
0x00402c1d
0x00402c5b
0x00402c64
0x00000000
0x00402c69
0x00402c1f
0x00402c26
0x00402c37
0x00000000
0x00402c45
0x00402c26
0x00402c71

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00402BEB
GetTickCount.KERNEL32 ref: 00402C09
wsprintfA.USER32 ref: 00402C37

Part of subcall function 00404F04: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\nsExec.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C4A,00000000,?), ref: 00404F3D
Part of subcall function 00404F04: lstrlenA.KERNEL32(00402C4A,Skipped: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\nsExec.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C4A,00000000), ref: 00404F4D
Part of subcall function 00404F04: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\nsExec.dll,00402C4A,00402C4A,Skipped: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\nsExec.dll,00000000,00000000,00000000), ref: 00404F60
Part of subcall function 00404F04: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\nsExec.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\nsExec.dll), ref: 00404F72
Part of subcall function 00404F04: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F98
Part of subcall function 00404F04: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FB2
Part of subcall function 00404F04: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404FC0

CreateDialogParamA.USER32(0000006F,00000000,00402B3B,00000000), ref: 00402C5B
ShowWindow.USER32(00000000,00000005), ref: 00402C69

Part of subcall function 00402BB7: MulDiv.KERNEL32(00103344,00000064,000E6CEE), ref: 00402BCC

Strings

... %d%%, xrefs: 00402C31

Memory Dump Source

Source File: 00000000.00000002.587792505.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.587773902.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587822461.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587850301.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587901452.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587919547.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587936413.0000000000436000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587943185.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_CL-Eye-Driver-5.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: 6fcc86fcae18687c947d36e2215d2af96fd576c68916213958e2ccaa38efcf2c
Instruction ID: c44cf6bb529b7c61e0c77009ed50883557557090b8ffabf6f859222ef57aaf40
Opcode Fuzzy Hash: 6fcc86fcae18687c947d36e2215d2af96fd576c68916213958e2ccaa38efcf2c
Instruction Fuzzy Hash: C6016170949210EBD7215F61EE4DA9F7B78AB04701B14403BF502B11E5C6BC9A01CBAE

Uniqueness

Uniqueness Score: -1.00%

Function 004047D3, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004047D3(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageA(_t28, 0x110c, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}

0x004047e1
0x004047ee
0x004047f4
0x00404832
0x00404832
0x00404841
0x00404848
0x00000000
0x0040484a
0x004047f6
0x00404805
0x0040480d
0x00404810
0x00404822
0x00404828
0x0040482f
0x00000000
0x0040482f
0x00000000

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 004047EE
GetMessagePos.USER32 ref: 004047F6
ScreenToClient.USER32 ref: 00404810
SendMessageA.USER32(?,00001111,00000000,?), ref: 00404822
SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404848

Strings

f, xrefs: 00404824

Memory Dump Source

Source File: 00000000.00000002.587792505.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.587773902.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587822461.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587850301.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587901452.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587919547.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587936413.0000000000436000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587943185.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_CL-Eye-Driver-5.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
Instruction ID: 01d6173a61c3c3b4b037133c9a52f1e04ee3049876a8ff08b59bebc5d15cf036
Opcode Fuzzy Hash: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
Instruction Fuzzy Hash: BA018075D40218BADB00DB94CC41BFEBBBCAB55711F10412ABB00B61C0C3B46501CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00402B3B, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402B3B(struct HWND__* _a4, intOrPtr _a8) {
				char _v68;
				void* _t11;
				CHAR* _t19;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t11 = E00402BB7();
					_t19 = "unpacking data: %d%%";
					if( *0x423eb0 == 0) {
						_t19 = "verifying installer: %d%%";
					}
					wsprintfA( &_v68, _t19, _t11);
					SetWindowTextA(_a4,  &_v68);
					SetDlgItemTextA(_a4, 0x406,  &_v68);
				}
				return 0;
			}

0x00402b48
0x00402b56
0x00402b5c
0x00402b5c
0x00402b6a
0x00402b6c
0x00402b78
0x00402b7d
0x00402b7f
0x00402b7f
0x00402b8a
0x00402b9a
0x00402bac
0x00402bac
0x00402bb4

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B56
wsprintfA.USER32 ref: 00402B8A
SetWindowTextA.USER32(?,?), ref: 00402B9A
SetDlgItemTextA.USER32 ref: 00402BAC

Strings

verifying installer: %d%%, xrefs: 00402B7F
unpacking data: %d%%, xrefs: 00402B78, 00402B88

Memory Dump Source

Source File: 00000000.00000002.587792505.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.587773902.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587822461.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587850301.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587901452.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587919547.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587936413.0000000000436000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587943185.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_CL-Eye-Driver-5.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: a19141f3df1e0a3c8b8c2abcbd515ef60a2dd56e778219f0b9cb34bd20a9fb2d
Instruction ID: 39266fd7d8b3d51d4259f470751267aa52f8e49dbca779dff7f29341b6a717b4
Opcode Fuzzy Hash: a19141f3df1e0a3c8b8c2abcbd515ef60a2dd56e778219f0b9cb34bd20a9fb2d
Instruction Fuzzy Hash: AFF03671900109ABEF255F51DD0ABEE3779FB00305F008036FA05B51D1D7F9AA559F99

Uniqueness

Uniqueness Score: -1.00%

Function 00402303, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00402303(void* __eax) {
				void* _t15;
				char* _t18;
				int _t19;
				char _t24;
				int _t27;
				signed int _t30;
				intOrPtr _t35;
				void* _t37;

				_t15 = E00402AEB(__eax);
				_t35 =  *((intOrPtr*)(_t37 - 0x14));
				 *(_t37 - 0x30) =  *(_t37 - 0x10);
				 *(_t37 - 0x44) = E004029F6(2);
				_t18 = E004029F6(0x11);
				_t30 =  *0x423f50; // 0x0
				_t31 = _t30 | 0x00000002;
				 *(_t37 - 4) = 1;
				_t19 = RegCreateKeyExA(_t15, _t18, _t27, _t27, _t27, _t30 | 0x00000002, _t27, _t37 + 8, _t27);
				if(_t19 == 0) {
					if(_t35 == 1) {
						E004029F6(0x23);
						_t19 = lstrlenA(0x40a370) + 1;
					}
					if(_t35 == 4) {
						_t24 = E004029D9(3);
						 *0x40a370 = _t24;
						_t19 = _t35;
					}
					if(_t35 == 3) {
						_t19 = E00402F18(_t31,  *((intOrPtr*)(_t37 - 0x18)), _t27, 0x40a370, 0xc00);
					}
					if(RegSetValueExA( *(_t37 + 8),  *(_t37 - 0x44), _t27,  *(_t37 - 0x30), 0x40a370, _t19) == 0) {
						 *(_t37 - 4) = _t27;
					}
					_push( *(_t37 + 8));
					RegCloseKey();
				}
				 *0x423f28 =  *0x423f28 +  *(_t37 - 4);
				return 0;
			}

0x00402304
0x00402309
0x00402313
0x0040231d
0x00402320
0x0040232a
0x00402330
0x0040233a
0x00402341
0x00402349
0x00402357
0x0040235b
0x00402366
0x00402366
0x0040236a
0x0040236e
0x00402374
0x00402379
0x00402379
0x0040237d
0x00402389
0x00402389
0x004023a2
0x004023a4
0x004023a4
0x004023a7
0x0040247d
0x0040247d
0x0040288e
0x0040289a

APIs

RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 00402341
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsw97F2.tmp,00000023,?,?,?,00000000,?,?,?,00000011,00000002), ref: 00402361
RegSetValueExA.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsw97F2.tmp,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 0040239A
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsw97F2.tmp,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 0040247D

Strings

C:\Users\user\AppData\Local\Temp\nsw97F2.tmp, xrefs: 00402352, 00402360, 00402374, 00402384, 0040238F

Memory Dump Source

Source File: 00000000.00000002.587792505.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.587773902.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587822461.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587850301.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587901452.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587919547.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587936413.0000000000436000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587943185.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_CL-Eye-Driver-5.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp
API String ID: 1356686001-2731593573
Opcode ID: 7863a0f49a6f39dd7089a52df85a66d0e401da730b8a2c07c6ee90d0110cbeae
Instruction ID: d7b132d9018d44432a73f3315d2b91b6aa1600c7a927e9fa70905f900517fa5a
Opcode Fuzzy Hash: 7863a0f49a6f39dd7089a52df85a66d0e401da730b8a2c07c6ee90d0110cbeae
Instruction Fuzzy Hash: BA1160B1E00209BFEB10AFA0DE49EAF767CFB54398F10413AF905B61D0D7B85D019669

Uniqueness

Uniqueness Score: -1.00%

Function 10001021, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 16%

			E10001021(void* __eflags, char _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				char* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char* _v24;
				char* _v28;
				signed int _v32;
				char _v36;
				char _v296;
				char _v556;
				char _v1580;
				char* _t35;
				char* _t36;
				void* _t37;
				char* _t39;

				 *0x100050dc = _a8;
				 *0x100050e0 = _a16;
				 *0x100050e4 = _a12;
				if(E10001DD9( &_v1580, 0x104) != 0 || E10001DD9( &_v556, 0x400) != 0) {
					L3:
					return E10001E27("error");
				} else {
					_v32 = _v32 & 0x00000000;
					_v36 = _a4;
					_v28 =  &_v296;
					_v8 = _v8 & 0x00000000;
					_v24 =  &_v1580;
					_v20 = 0x45;
					_v12 =  &_v556;
					_t35 =  &_v36;
					_v16 = E10001000;
					__imp__SHBrowseForFolderA(_t35);
					_t39 = _t35;
					if(_t39 != 0) {
						_t36 =  &_v296;
						__imp__SHGetPathFromIDListA(_t39, _t36);
						if(_t36 == 0) {
							_push("error");
						} else {
							_push( &_v296);
						}
						_t37 = E10001E27();
						__imp__CoTaskMemFree();
						return _t37;
					}
					goto L3;
				}
			}

0x1000102e
0x10001036
0x1000103e
0x10001056
0x100010b4
0x00000000
0x1000106d
0x10001070
0x10001074
0x1000107d
0x10001086
0x1000108a
0x10001093
0x1000109a
0x1000109d
0x100010a1
0x100010a8
0x100010ae
0x100010b2
0x100010c0
0x100010c8
0x100010d0
0x100010db
0x100010d2
0x100010d8
0x100010d8
0x100010e0
0x100010e6
0x00000000
0x100010e6
0x00000000
0x100010b2

APIs

Part of subcall function 10001DD9: lstrcpynA.KERNEL32(10001054,?,?,?,10001054,?), ref: 10001E06
Part of subcall function 10001DD9: GlobalFree.KERNEL32 ref: 10001E16

SHBrowseForFolderA.SHELL32(?,?,00000400,?,00000104), ref: 100010A8
SHGetPathFromIDListA.SHELL32(00000000,?), ref: 100010C8
CoTaskMemFree.OLE32(00000000,error), ref: 100010E6

Strings

error, xrefs: 100010B4, 100010DB
E, xrefs: 10001093

Memory Dump Source

Source File: 00000000.00000002.599060058.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.599048571.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.599070015.0000000010003000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.599079066.0000000010004000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.599117295.0000000010007000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_CL-Eye-Driver-5.jbxd

Similarity

API ID: Free$BrowseFolderFromGlobalListPathTasklstrcpyn
String ID: E$error
API String ID: 1728609016-2359134700
Opcode ID: e1a7eb802c3a0e6178e2f854ce9366eb71ade3bb25b89a52586c1a3f4d4a4e58
Instruction ID: c5b31664aa199b9ded98f2e5680432c5be8bc3db31d95fa12b81e091e202fa71
Opcode Fuzzy Hash: e1a7eb802c3a0e6178e2f854ce9366eb71ade3bb25b89a52586c1a3f4d4a4e58
Instruction Fuzzy Hash: AE214DB58012699BEB11CF91DD85BDE77FCEB083C1F004152EA45E7108EB75EA848F91

Uniqueness

Uniqueness Score: -1.00%

Function 00401D1B, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E00401D1B() {
				void* __esi;
				int _t6;
				signed char _t11;
				struct HFONT__* _t14;
				void* _t18;
				void* _t24;
				void* _t26;
				void* _t28;

				_t6 = GetDeviceCaps(GetDC( *(_t28 - 0x34)), 0x5a);
				0x40af74->lfHeight =  ~(MulDiv(E004029D9(2), _t6, 0x48));
				 *0x40af84 = E004029D9(3);
				_t11 =  *((intOrPtr*)(_t28 - 0x14));
				 *0x40af8b = 1;
				 *0x40af88 = _t11 & 0x00000001;
				 *0x40af89 = _t11 & 0x00000002;
				 *0x40af8a = _t11 & 0x00000004;
				E00405B88(_t18, _t24, _t26, "MS Shell Dlg",  *((intOrPtr*)(_t28 - 0x20)));
				_t14 = CreateFontIndirectA(0x40af74);
				_push(_t14);
				_push(_t26);
				E00405AC4();
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t28 - 4));
				return 0;
			}

0x00401d29
0x00401d42
0x00401d4c
0x00401d51
0x00401d5c
0x00401d63
0x00401d75
0x00401d7b
0x00401d80
0x00401d8a
0x004024b8
0x00401561
0x00402833
0x0040288e
0x0040289a

APIs

GetDC.USER32(?), ref: 00401D22
GetDeviceCaps.GDI32(00000000), ref: 00401D29
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D38
CreateFontIndirectA.GDI32(0040AF74), ref: 00401D8A

Strings

MS Shell Dlg, xrefs: 00401D70

Memory Dump Source

Source File: 00000000.00000002.587792505.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.587773902.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587822461.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587850301.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587901452.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587919547.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587936413.0000000000436000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587943185.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_CL-Eye-Driver-5.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirect
String ID: MS Shell Dlg
API String ID: 3272661963-76309092
Opcode ID: d8d00129a0c809e423feca600faf407eaf54c466d4b244af4f30760ff25f5d33
Instruction ID: d83410998d1654a5337f8c322709d39cf2ce3a8a4f0330bc6585c9693e616625
Opcode Fuzzy Hash: d8d00129a0c809e423feca600faf407eaf54c466d4b244af4f30760ff25f5d33
Instruction Fuzzy Hash: E1F044F1A45342AEE7016770AE0ABA93B649725306F100576F541BA1E2C5BC10149B7F

Uniqueness

Uniqueness Score: -1.00%

Function 06BA1096, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 25
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E06BA1096(void* __ecx) {
				char _v8;
				intOrPtr _t5;
				intOrPtr* _t11;

				_t11 = GetProcAddress(GetModuleHandleA("kernel32"), "IsWow64Process");
				if(_t11 == 0) {
					L3:
					_t5 = 0;
				} else {
					_push( &_v8);
					_push(GetCurrentProcess());
					if( *_t11() == 0) {
						goto L3;
					} else {
						_t5 = _v8;
					}
				}
				return _t5;
			}

0x06ba10b2
0x06ba10b6
0x06ba10ce
0x06ba10ce
0x06ba10b8
0x06ba10bb
0x06ba10c2
0x06ba10c7
0x00000000
0x06ba10c9
0x06ba10c9
0x06ba10c9
0x06ba10c7
0x06ba10d2

APIs

GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,0000001F,?,06BA10FF), ref: 06BA10A5
GetProcAddress.KERNEL32(00000000), ref: 06BA10AC
GetCurrentProcess.KERNEL32(?,?,0000001F,?,06BA10FF), ref: 06BA10BC

Strings

kernel32, xrefs: 06BA10A0
IsWow64Process, xrefs: 06BA109B

Memory Dump Source

Source File: 00000000.00000002.595156484.0000000006BA1000.00000020.00020000.sdmp, Offset: 06BA0000, based on PE: true

Associated: 00000000.00000002.595142650.0000000006BA0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.595165151.0000000006BA2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.595178631.0000000006BA3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.595187315.0000000006BA4000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ba0000_CL-Eye-Driver-5.jbxd

Similarity

API ID: AddressCurrentHandleModuleProcProcess
String ID: IsWow64Process$kernel32
API String ID: 4190356694-3789238822
Opcode ID: 386468ff5a42193f910319c457a36f9d40d00209d44f7c723525b06d50c37339
Instruction ID: 699fba32b6c5a508a7ce7c81e1f4a421005d5c2e74ddd25ba6ec72d17a7053eb
Opcode Fuzzy Hash: 386468ff5a42193f910319c457a36f9d40d00209d44f7c723525b06d50c37339
Instruction Fuzzy Hash: 48E04FF1A08314BB8AB097F59C1A94F7FACDA005417050491F906D3104DA74DA00CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 06881ADF, Relevance: 7.7, APIs: 5, Instructions: 190
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E06881ADF(signed int __edx, void* __eflags, void* _a8, void* _a16) {
				signed int _v8;
				signed int _v16;
				signed int _v20;
				char _v148;
				void _t46;
				void _t47;
				signed int _t48;
				signed int _t49;
				signed int _t58;
				signed int _t59;
				signed int _t61;
				signed int _t62;
				void* _t68;
				void* _t69;
				void* _t70;
				void* _t71;
				void* _t72;
				signed int _t78;
				void* _t82;
				signed int _t86;
				signed int _t88;
				signed int _t91;
				void* _t102;

				_t86 = __edx;
				 *0x6884058 = _a8;
				_t78 = 0;
				 *0x688405c = _a16;
				_v8 = 0;
				_a16 = E06881561();
				_a8 = E06881561();
				_t91 = E06881641(_a16);
				_t82 = _a8;
				_t88 = _t86;
				_t46 =  *_t82;
				if(_t46 != 0x7e && _t46 != 0x21) {
					_v16 = E06881561();
					_t78 = E06881641(_t75);
					_v8 = _t86;
					GlobalFree(_v16);
					_t82 = _a8;
				}
				_t47 =  *_t82;
				_t102 = _t47 - 0x2f;
				if(_t102 > 0) {
					_t48 = _t47 - 0x3c;
					__eflags = _t48;
					if(_t48 == 0) {
						__eflags =  *((char*)(_t82 + 1)) - 0x3c;
						if( *((char*)(_t82 + 1)) != 0x3c) {
							__eflags = _t88 - _v8;
							if(__eflags > 0) {
								L54:
								_t49 = 0;
								__eflags = 0;
								L55:
								asm("cdq");
								L56:
								_t91 = _t49;
								_t88 = _t86;
								L57:
								E0688176C(_t86, _t91, _t88,  &_v148);
								E0688159E( &_v148);
								GlobalFree(_a16);
								return GlobalFree(_a8);
							}
							if(__eflags < 0) {
								L47:
								__eflags = 0;
								L48:
								_t49 = 1;
								goto L55;
							}
							__eflags = _t91 - _t78;
							if(_t91 < _t78) {
								goto L47;
							}
							goto L54;
						}
						_t86 = _t88;
						_t49 = E06882BF0(_t91, _t78, _t86);
						goto L56;
					}
					_t58 = _t48 - 1;
					__eflags = _t58;
					if(_t58 == 0) {
						__eflags = _t91 - _t78;
						if(_t91 != _t78) {
							goto L54;
						}
						__eflags = _t88 - _v8;
						if(_t88 != _v8) {
							goto L54;
						}
						goto L47;
					}
					_t59 = _t58 - 1;
					__eflags = _t59;
					if(_t59 == 0) {
						__eflags =  *((char*)(_t82 + 1)) - 0x3e;
						if( *((char*)(_t82 + 1)) != 0x3e) {
							__eflags = _t88 - _v8;
							if(__eflags < 0) {
								goto L54;
							}
							if(__eflags > 0) {
								goto L47;
							}
							__eflags = _t91 - _t78;
							if(_t91 <= _t78) {
								goto L54;
							}
							goto L47;
						}
						_t86 = _t88;
						_t49 = E06882C10(_t91, _t78, _t86);
						goto L56;
					}
					_t61 = _t59 - 0x20;
					__eflags = _t61;
					if(_t61 == 0) {
						_t91 = _t91 ^ _t78;
						_t88 = _t88 ^ _v8;
						goto L57;
					}
					_t62 = _t61 - 0x1e;
					__eflags = _t62;
					if(_t62 == 0) {
						__eflags =  *((char*)(_t82 + 1)) - 0x7c;
						if( *((char*)(_t82 + 1)) != 0x7c) {
							_t91 = _t91 | _t78;
							_t88 = _t88 | _v8;
							goto L57;
						}
						__eflags = _t91 | _t88;
						if((_t91 | _t88) != 0) {
							goto L47;
						}
						__eflags = _t78 | _v8;
						if((_t78 | _v8) != 0) {
							goto L47;
						}
						goto L54;
					}
					__eflags = _t62 == 0;
					if(_t62 == 0) {
						_t91 =  !_t91;
						_t88 =  !_t88;
					}
					goto L57;
				}
				if(_t102 == 0) {
					L21:
					__eflags = _t78 | _v8;
					if((_t78 | _v8) != 0) {
						_v20 = E06882A80(_t91, _t88, _t78, _v8);
						_v16 = _t86;
						_t49 = E06882B30(_t91, _t88, _t78, _v8);
						_t82 = _a8;
					} else {
						_v20 = _v20 & 0x00000000;
						_v16 = _v16 & 0x00000000;
						_t49 = _t91;
						_t86 = _t88;
					}
					__eflags =  *_t82 - 0x2f;
					if( *_t82 != 0x2f) {
						goto L56;
					} else {
						_t91 = _v20;
						_t88 = _v16;
						goto L57;
					}
				}
				_t68 = _t47 - 0x21;
				if(_t68 == 0) {
					_t49 = 0;
					__eflags = _t91 | _t88;
					if((_t91 | _t88) != 0) {
						goto L55;
					}
					goto L48;
				}
				_t69 = _t68 - 4;
				if(_t69 == 0) {
					goto L21;
				}
				_t70 = _t69 - 1;
				if(_t70 == 0) {
					__eflags =  *((char*)(_t82 + 1)) - 0x26;
					if( *((char*)(_t82 + 1)) != 0x26) {
						_t91 = _t91 & _t78;
						_t88 = _t88 & _v8;
						goto L57;
					}
					__eflags = _t91 | _t88;
					if((_t91 | _t88) == 0) {
						goto L54;
					}
					__eflags = _t78 | _v8;
					if((_t78 | _v8) == 0) {
						goto L54;
					}
					goto L47;
				}
				_t71 = _t70 - 4;
				if(_t71 == 0) {
					_t49 = E06882A40(_t91, _t88, _t78, _v8);
					goto L56;
				} else {
					_t72 = _t71 - 1;
					if(_t72 == 0) {
						_t91 = _t91 + _t78;
						asm("adc edi, [ebp-0x4]");
					} else {
						if(_t72 == 0) {
							_t91 = _t91 - _t78;
							asm("sbb edi, [ebp-0x4]");
						}
					}
					goto L57;
				}
			}

0x06881adf
0x06881aec
0x06881af5
0x06881af8
0x06881afd
0x06881b05
0x06881b10
0x06881b19
0x06881b1b
0x06881b1e
0x06881b20
0x06881b24
0x06881b30
0x06881b39
0x06881b3e
0x06881b41
0x06881b47
0x06881b47
0x06881b4a
0x06881b4d
0x06881b50
0x06881c16
0x06881c16
0x06881c19
0x06881c82
0x06881c86
0x06881c95
0x06881c98
0x06881ca0
0x06881ca0
0x06881ca0
0x06881ca2
0x06881ca2
0x06881ca3
0x06881ca3
0x06881ca5
0x06881ca7
0x06881cb0
0x06881cbc
0x06881ccd
0x06881cd8
0x06881cd8
0x06881c9a
0x06881c7d
0x06881c7d
0x06881c7f
0x06881c7f
0x00000000
0x06881c7f
0x06881c9c
0x06881c9e
0x00000000
0x00000000
0x00000000
0x06881c9e
0x06881c8a
0x06881c8e
0x00000000
0x06881c8e
0x06881c1b
0x06881c1b
0x06881c1c
0x06881c74
0x06881c76
0x00000000
0x00000000
0x06881c78
0x06881c7b
0x00000000
0x00000000
0x00000000
0x06881c7b
0x06881c1e
0x06881c1e
0x06881c1f
0x06881c54
0x06881c58
0x06881c67
0x06881c6a
0x00000000
0x00000000
0x06881c6c
0x00000000
0x00000000
0x06881c6e
0x06881c70
0x00000000
0x00000000
0x00000000
0x06881c72
0x06881c5c
0x06881c60
0x00000000
0x06881c60
0x06881c21
0x06881c21
0x06881c24
0x06881c4d
0x06881c4f
0x00000000
0x06881c4f
0x06881c26
0x06881c26
0x06881c29
0x06881c35
0x06881c39
0x06881c46
0x06881c48
0x00000000
0x06881c48
0x06881c3b
0x06881c3d
0x00000000
0x00000000
0x06881c3f
0x06881c42
0x00000000
0x00000000
0x00000000
0x06881c44
0x06881c2c
0x06881c2d
0x06881c2f
0x06881c31
0x06881c31
0x00000000
0x06881c2d
0x06881b56
0x06881bce
0x06881bd0
0x06881bd3
0x06881bf1
0x06881bf4
0x06881bfa
0x06881bff
0x06881bd5
0x06881bd5
0x06881bd9
0x06881bdd
0x06881bdf
0x06881bdf
0x06881c02
0x06881c05
0x00000000
0x06881c0b
0x06881c0b
0x06881c0e
0x00000000
0x06881c0e
0x06881c05
0x06881b58
0x06881b5b
0x06881bbf
0x06881bc1
0x06881bc3
0x00000000
0x00000000
0x00000000
0x06881bc9
0x06881b5d
0x06881b60
0x00000000
0x00000000
0x06881b62
0x06881b63
0x06881b99
0x06881b9d
0x06881bb5
0x06881bb7
0x00000000
0x06881bb7
0x06881b9f
0x06881ba1
0x00000000
0x00000000
0x06881ba7
0x06881baa
0x00000000
0x00000000
0x00000000
0x06881bb0
0x06881b65
0x06881b68
0x06881b8f
0x00000000
0x06881b6a
0x06881b6a
0x06881b6b
0x06881b7f
0x06881b81
0x06881b6d
0x06881b6f
0x06881b75
0x06881b77
0x06881b77
0x06881b6f
0x00000000
0x06881b6b

APIs

Part of subcall function 06881561: lstrcpyA.KERNEL32(00000000,?,?,?,06881804,?,06881017), ref: 0688157E
Part of subcall function 06881561: GlobalFree.KERNEL32 ref: 0688158F

GlobalFree.KERNEL32 ref: 06881B41
GlobalFree.KERNEL32 ref: 06881CCD
GlobalFree.KERNEL32 ref: 06881CD2

Memory Dump Source

Source File: 00000000.00000002.594659633.0000000006881000.00000020.00020000.sdmp, Offset: 06880000, based on PE: true

Associated: 00000000.00000002.594653439.0000000006880000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.594671367.0000000006883000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.594679270.0000000006885000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6880000_CL-Eye-Driver-5.jbxd

Similarity

API ID: FreeGlobal$lstrcpy
String ID:
API String ID: 176019282-0
Opcode ID: 5db002a9ab040faa608b1ea74f4de81862f41402254f0484084c6698a638a40d
Instruction ID: f95c9fcadc46d999ae3600f4fa4ef59086f4c4894458c81d7a689d90a7e88d23
Opcode Fuzzy Hash: 5db002a9ab040faa608b1ea74f4de81862f41402254f0484084c6698a638a40d
Instruction Fuzzy Hash: 5B51F3B2D0010BAEDBE2FFA8898C57DB7A7EB40244F154579D591E3202DE31AE03CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00402A36, Relevance: 7.6, APIs: 5, Instructions: 67
registryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00402A36(void* _a4, char* _a8, long _a12) {
				void* _v8;
				char _v272;
				signed char _t16;
				long _t18;
				long _t25;
				intOrPtr* _t27;
				long _t28;

				_t16 =  *0x423f50; // 0x0
				_t18 = RegOpenKeyExA(_a4, _a8, 0, _t16 | 0x00000008,  &_v8);
				if(_t18 == 0) {
					while(RegEnumKeyA(_v8, 0,  &_v272, 0x105) == 0) {
						__eflags = _a12;
						if(_a12 != 0) {
							RegCloseKey(_v8);
							L8:
							__eflags = 1;
							return 1;
						}
						_t25 = E00402A36(_v8,  &_v272, 0);
						__eflags = _t25;
						if(_t25 != 0) {
							break;
						}
					}
					RegCloseKey(_v8);
					_t27 = E00405E88(2);
					if(_t27 == 0) {
						__eflags =  *0x423f50; // 0x0
						if(__eflags != 0) {
							goto L8;
						}
						_t28 = RegDeleteKeyA(_a4, _a8);
						__eflags = _t28;
						if(_t28 != 0) {
							goto L8;
						}
						return _t28;
					}
					return  *_t27(_a4, _a8,  *0x423f50, 0);
				}
				return _t18;
			}

0x00402a46
0x00402a57
0x00402a5f
0x00402a87
0x00402a6e
0x00402a71
0x00402ac1
0x00402ac7
0x00402ac9
0x00000000
0x00402ac9
0x00402a7e
0x00402a83
0x00402a85
0x00000000
0x00000000
0x00402a85
0x00402a9c
0x00402aa4
0x00402aab
0x00402ad1
0x00402ad7
0x00000000
0x00000000
0x00402adf
0x00402ae5
0x00402ae7
0x00000000
0x00000000
0x00000000
0x00402ae7
0x00000000
0x00402aba
0x00402ace

APIs

RegOpenKeyExA.ADVAPI32(?,?,00000000,00000000,?), ref: 00402A57
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402A93
RegCloseKey.ADVAPI32(?), ref: 00402A9C
RegCloseKey.ADVAPI32(?), ref: 00402AC1
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402ADF

Memory Dump Source

Source File: 00000000.00000002.587792505.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.587773902.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587822461.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587850301.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587901452.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587919547.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587936413.0000000000436000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587943185.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_CL-Eye-Driver-5.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 90165163457562f2d2db0d0e016cf4740f9c141c2854e05e69f214c53397e3bf
Instruction ID: 3ec7b1818cbfc33efeafaf7017db19c7c479205e5d6f4ff66fb244667a93d6f3
Opcode Fuzzy Hash: 90165163457562f2d2db0d0e016cf4740f9c141c2854e05e69f214c53397e3bf
Instruction Fuzzy Hash: 93112971A00009FFDF319F90DE49EAF7B7DEB44385B104436F905A10A0DBB59E51AE69

Uniqueness

Uniqueness Score: -1.00%

Function 06BA1774, Relevance: 7.6, APIs: 5, Instructions: 50
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E06BA1774(CHAR* _a4, intOrPtr _a8) {
				long _v20;
				CHAR* _v24;
				void _v40;
				void* _v44;
				void* _t13;
				signed int _t21;
				CHAR* _t25;
				struct HWND__* _t31;

				_t21 = 9;
				_t31 =  *0x6ba3480; // 0x30120
				_v44 = 0;
				_t13 = memset( &_v40, 0, _t21 << 2);
				if(_t31 != 0) {
					_t25 = _a4;
					if(_a8 == 1) {
						OemToCharBuffA(_t25, _t25, lstrlenA(_t25));
					}
					_v40 = SendMessageA( *0x6ba3480, 0x1004, 0, 0);
					_v44 = 1;
					_v24 = _t25;
					_v20 = 0;
					SendMessageA( *0x6ba3480, 0x1007, 0,  &_v44);
					return SendMessageA( *0x6ba3480, 0x1013, _v40, 0);
				}
				return _t13;
			}

0x06ba1780
0x06ba1783
0x06ba178c
0x06ba178f
0x06ba1791
0x06ba1797
0x06ba179a
0x06ba17a6
0x06ba17a6
0x06ba17c2
0x06ba17cf
0x06ba17dc
0x06ba17df
0x06ba17e2
0x00000000
0x06ba17f5
0x06ba17f9

APIs

lstrlenA.KERNEL32(?,74B042C0,00000000,?,?,?,?,06BA16D0,?,?), ref: 06BA179D
OemToCharBuffA.USER32 ref: 06BA17A6
SendMessageA.USER32(00001004,00000000,00000000,00000001), ref: 06BA17C0
SendMessageA.USER32(00001007,00000000,?), ref: 06BA17E2
SendMessageA.USER32(00001013,?,00000000), ref: 06BA17F3

Memory Dump Source

Source File: 00000000.00000002.595156484.0000000006BA1000.00000020.00020000.sdmp, Offset: 06BA0000, based on PE: true

Associated: 00000000.00000002.595142650.0000000006BA0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.595165151.0000000006BA2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.595178631.0000000006BA3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.595187315.0000000006BA4000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ba0000_CL-Eye-Driver-5.jbxd

Similarity

API ID: MessageSend$BuffCharlstrlen
String ID:
API String ID: 2682914888-0
Opcode ID: 0351390b4f6b89a840a51ac6187b67cb492edad3a230dc779a1588c93ad702ca
Instruction ID: 49fe2865febabdba220a6de2c60042da70b74a521a584919100cb8e938957fc2
Opcode Fuzzy Hash: 0351390b4f6b89a840a51ac6187b67cb492edad3a230dc779a1588c93ad702ca
Instruction Fuzzy Hash: 6B010CB2910208BFEB129F94DC85DEFBFBEEB48759F14002AFA00B6140D6B25944DB60

Uniqueness

Uniqueness Score: -1.00%

Function 004046F1, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78
stringCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E004046F1(int _a4, intOrPtr _a8, unsigned int _a12) {
				char _v36;
				char _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t26;
				void* _t34;
				signed int _t36;
				signed int _t39;
				unsigned int _t46;

				_t46 = _a12;
				_push(0x14);
				_pop(0);
				_t34 = 0xffffffdc;
				if(_t46 < 0x100000) {
					_push(0xa);
					_pop(0);
					_t34 = 0xffffffdd;
				}
				if(_t46 < 0x400) {
					_t34 = 0xffffffde;
				}
				if(_t46 < 0xffff3333) {
					_t39 = 0x14;
					asm("cdq");
					_t46 = _t46 + 1 / _t39;
				}
				_push(E00405B88(_t34, 0, _t46,  &_v36, 0xffffffdf));
				_push(E00405B88(_t34, 0, _t46,  &_v68, _t34));
				_t21 = _t46 & 0x00ffffff;
				_t36 = 0xa;
				_push(((_t46 & 0x00ffffff) + _t21 * 4 + (_t46 & 0x00ffffff) + _t21 * 4 >> 0) % _t36);
				_push(_t46 >> 0);
				_t26 = E00405B88(_t34, 0, 0x4204a0, 0x4204a0, _a8);
				wsprintfA(_t26 + lstrlenA(0x4204a0), "%u.%u%s%s");
				return SetDlgItemTextA( *0x423678, _a4, 0x4204a0);
			}

0x004046f9
0x004046fd
0x00404705
0x00404708
0x00404709
0x0040470b
0x0040470d
0x00404710
0x00404710
0x00404717
0x0040471d
0x0040471d
0x00404724
0x0040472f
0x00404730
0x00404733
0x00404733
0x00404740
0x0040474b
0x0040474e
0x00404760
0x00404767
0x00404768
0x00404777
0x00404787
0x004047a3

APIs

lstrlenA.KERNEL32(004204A0,004204A0,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404611,000000DF,0000040F,00000400,00000000), ref: 0040477F
wsprintfA.USER32 ref: 00404787
SetDlgItemTextA.USER32 ref: 0040479A

Strings

%u.%u%s%s, xrefs: 00404769

Memory Dump Source

Source File: 00000000.00000002.587792505.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.587773902.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587822461.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587850301.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587901452.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587919547.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587936413.0000000000436000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587943185.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_CL-Eye-Driver-5.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 87794c8f90da6e594bd2e0cae66498bbfb5b9cbb1a5c5e50d1da5967a7fbc4b5
Instruction ID: e1128f73888b2767c9277aed1687fd20c93e739cc52df1aac9c0a45a5a8dde9d
Opcode Fuzzy Hash: 87794c8f90da6e594bd2e0cae66498bbfb5b9cbb1a5c5e50d1da5967a7fbc4b5
Instruction Fuzzy Hash: 7311E2736001243BDB10666D9C46EEF3699DBC6335F14423BFA25F61D1E938AC5286A8

Uniqueness

Uniqueness Score: -1.00%

Function 00403978, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403978(void* __ecx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t6;
				intOrPtr _t11;
				signed int _t13;
				intOrPtr _t15;
				signed int _t16;
				signed short* _t18;
				signed int _t20;
				signed short* _t23;
				intOrPtr _t25;
				signed int _t26;
				intOrPtr* _t27;

				_t24 = "1033";
				_t13 = 0xffff;
				_t6 = E00405ADD(__ecx, "1033");
				while(1) {
					_t26 =  *0x423ee4; // 0x1
					if(_t26 == 0) {
						goto L7;
					}
					_t15 =  *0x423eb0; // 0x6f0858
					_t16 =  *(_t15 + 0x64);
					_t20 =  ~_t16;
					_t18 = _t16 * _t26 +  *0x423ee0;
					while(1) {
						_t18 = _t18 + _t20;
						_t26 = _t26 - 1;
						if((( *_t18 ^ _t6) & _t13) == 0) {
							break;
						}
						if(_t26 != 0) {
							continue;
						}
						goto L7;
					}
					 *0x423680 = _t18[1];
					 *0x423f48 = _t18[3];
					_t23 =  &(_t18[5]);
					if(_t23 != 0) {
						 *0x42367c = _t23;
						E00405AC4(_t24,  *_t18 & 0x0000ffff);
						SetWindowTextA( *0x420478, E00405B88(_t13, _t24, _t26, "CL-Eye Driver Setup", 0xfffffffe));
						_t11 =  *0x423ecc; // 0x3
						_t27 =  *0x423ec8; // 0x6f0ac4
						if(_t11 == 0) {
							L15:
							return _t11;
						}
						_t25 = _t11;
						do {
							_t11 =  *_t27;
							if(_t11 != 0) {
								_t5 = _t27 + 0x18; // 0x6f0adc
								_t11 = E00405B88(_t13, _t25, _t27, _t5, _t11);
							}
							_t27 = _t27 + 0x418;
							_t25 = _t25 - 1;
						} while (_t25 != 0);
						goto L15;
					}
					L7:
					if(_t13 != 0xffff) {
						_t13 = 0;
					} else {
						_t13 = 0x3ff;
					}
				}
			}

0x0040397c
0x00403981
0x00403987
0x0040398c
0x0040398c
0x00403994
0x00000000
0x00000000
0x00403996
0x0040399c
0x004039a4
0x004039a6
0x004039ac
0x004039ac
0x004039ae
0x004039ba
0x00000000
0x00000000
0x004039be
0x00000000
0x00000000
0x00000000
0x004039c0
0x004039c5
0x004039ce
0x004039d4
0x004039d9
0x004039ed
0x004039f8
0x00403a10
0x00403a16
0x00403a1b
0x00403a23
0x00403a44
0x00403a44
0x00403a44
0x00403a25
0x00403a27
0x00403a27
0x00403a2b
0x00403a2e
0x00403a32
0x00403a32
0x00403a37
0x00403a3d
0x00403a3d
0x00000000
0x00403a27
0x004039db
0x004039e0
0x004039e9
0x004039e2
0x004039e2
0x004039e2
0x004039e0

APIs

SetWindowTextA.USER32(00000000,CL-Eye Driver Setup), ref: 00403A10

Strings

CL-Eye Driver Setup, xrefs: 004039FF
C:\Users\user\AppData\Local\Temp\, xrefs: 00403979
1033, xrefs: 0040397C, 00403986, 004039F7

Memory Dump Source

Source File: 00000000.00000002.587792505.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.587773902.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587822461.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587850301.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587901452.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587919547.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587936413.0000000000436000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587943185.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_CL-Eye-Driver-5.jbxd

Similarity

API ID: TextWindow
String ID: 1033$C:\Users\user\AppData\Local\Temp\$CL-Eye Driver Setup
API String ID: 530164218-1396317467
Opcode ID: 9a42cbf8a28c659a92ce9de243ac321228f9f300189a9516546428ecdf00a219
Instruction ID: 09623374405f0611f065d620c03919b516a5f167df25bc0d5edc66fe9dc562c0
Opcode Fuzzy Hash: 9a42cbf8a28c659a92ce9de243ac321228f9f300189a9516546428ecdf00a219
Instruction Fuzzy Hash: F611C2B1B005109BC730DF15D880A73767DEB84716369413BE94167391C77EAE028E58

Uniqueness

Uniqueness Score: -1.00%

Function 10001480, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10001480(void* __eflags, struct HWND__* _a4, int _a8, int _a12, long _a16) {
				void* _t8;

				_t8 = E100013C6(_a4);
				if(_t8 != 0) {
					if(_a8 != 0x20) {
						return CallWindowProcA( *(_t8 + 0x414), _a4, _a8, _a12, _a16);
					}
					SetCursor(LoadCursorA(0, 0x7f89));
					return 1;
				}
				return _t8;
			}

0x10001486
0x1000148d
0x10001493
0x00000000
0x100014c0
0x100014a3
0x00000000
0x100014ab
0x100014c7

APIs

Part of subcall function 100013C6: GetPropA.USER32 ref: 100013CF

LoadCursorA.USER32 ref: 1000149C
SetCursor.USER32(00000000,?,?,?), ref: 100014A3
CallWindowProcA.USER32 ref: 100014C0

Strings

, xrefs: 1000148F

Memory Dump Source

Source File: 00000000.00000002.599060058.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.599048571.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.599070015.0000000010003000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.599079066.0000000010004000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.599117295.0000000010007000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_CL-Eye-Driver-5.jbxd

Similarity

API ID: Cursor$CallLoadProcPropWindow
String ID:
API String ID: 1635134901-3916222277
Opcode ID: af7a24d79bba28b0373c8a06307af88f9924382bbc0fc11fee82021492e34f15
Instruction ID: 0556be71602f8ff1d696ea859767fe994534909fc462006999ad460077578aeb
Opcode Fuzzy Hash: af7a24d79bba28b0373c8a06307af88f9924382bbc0fc11fee82021492e34f15
Instruction Fuzzy Hash: 3CE0C932545209BBEF529FA0CC05ADA3BA9EB083D1F01C420FA1994079C7719560AFA1

Uniqueness

Uniqueness Score: -1.00%

Function 004053C6, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004053C6(CHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x4224a8->cb = 0x44;
				_t7 = CreateProcessA(0, _a4, 0, 0, 0, 0, 0, 0, 0x4224a8,  &_v20);
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}

0x004053cf
0x004053eb
0x004053f3
0x004053f8
0x00000000
0x004053fe
0x00405402

APIs

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004224A8,Error launching installer), ref: 004053EB
CloseHandle.KERNEL32(?), ref: 004053F8

Strings

Error launching installer, xrefs: 004053D9
C:\Users\user\AppData\Local\Temp\, xrefs: 004053C6

Memory Dump Source

Source File: 00000000.00000002.587792505.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.587773902.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587822461.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587850301.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587901452.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587919547.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587936413.0000000000436000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587943185.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_CL-Eye-Driver-5.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: C:\Users\user\AppData\Local\Temp\$Error launching installer
API String ID: 3712363035-2984075973
Opcode ID: 3b814a6f076d0ba9038e170a1e0f3647fdefee354992cb10a65e7e77ca0a2381
Instruction ID: 069b69ca15cd8b990da55ccc95fe3be7356009797bdfa18ab8f6d6c8c96e71ef
Opcode Fuzzy Hash: 3b814a6f076d0ba9038e170a1e0f3647fdefee354992cb10a65e7e77ca0a2381
Instruction Fuzzy Hash: A3E0ECB4A00219BFDB00AF64ED49AAB7BBDEB00305F90C522A911E2150D775D8118AB9

Uniqueness

Uniqueness Score: -1.00%

Function 00405659, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405659(CHAR* _a4) {
				CHAR* _t7;

				_t7 = _a4;
				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
					lstrcatA(_t7, 0x409010);
				}
				return _t7;
			}

0x0040565a
0x00405671
0x00405679
0x00405679
0x00405681

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403226,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 0040565F
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403226,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 00405668
lstrcatA.KERNEL32(?,00409010), ref: 00405679

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405659

Memory Dump Source

Source File: 00000000.00000002.587792505.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.587773902.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587822461.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587850301.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587901452.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587919547.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587936413.0000000000436000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587943185.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_CL-Eye-Driver-5.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3916508600
Opcode ID: f17b2ccdaa8efd10834e0f4341d4d5b977b2bb6e8559feba5c8cad9ccc1df0ef
Instruction ID: d5422d5486d5b384c4dcc02911800b35c31fcf4388d9dde419d5dff5703c7688
Opcode Fuzzy Hash: f17b2ccdaa8efd10834e0f4341d4d5b977b2bb6e8559feba5c8cad9ccc1df0ef
Instruction Fuzzy Hash: 8BD05272605A202ED2022A258C05E9B7A28CF06311B044866B540B2292C6386D818AEE

Uniqueness

Uniqueness Score: -1.00%

Function 10001329, Relevance: 6.1, APIs: 4, Instructions: 62
stringCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E10001329(CHAR* _a4, int _a8, intOrPtr _a12) {
				struct tagRECT _v20;
				char _t31;
				long _t32;
				CHAR* _t33;
				int _t34;

				_t33 = _a4;
				_t31 =  *(CharPrevA(_t33,  &(_t33[lstrlenA(_t33)])));
				_t34 = E10001E6C(_t33);
				if(_t31 != 0x25) {
					if(_t31 != 0x75) {
						if(_t34 >= 0) {
							return _t34;
						}
						return _a8 + _t34;
					}
					_v20.bottom = _v20.bottom & 0x00000000;
					_v20.right = _v20.right & 0x00000000;
					_v20.top = _t34;
					_v20.left = _t34;
					MapDialogRect( *0x100050c4,  &_v20);
					if(_a12 == 0) {
						if(_t34 < 0) {
							_t32 = _v20.left;
							L12:
							return _a8 + _t32;
						}
						return _v20.left;
					}
					if(_t34 < 0) {
						_t32 = _v20.top;
						goto L12;
					}
					return _v20.top;
				}
				_push(0x64);
				if(_t34 < 0) {
					_t34 = _t34 + 0x64;
				}
				return MulDiv(_a8, _t34, ??);
			}

0x10001331
0x10001345
0x10001350
0x10001352
0x1000136c
0x100013b5
0x00000000
0x100013be
0x00000000
0x100013ba
0x1000136e
0x10001372
0x10001379
0x1000137d
0x10001386
0x10001390
0x100013a2
0x100013a9
0x100013ac
0x00000000
0x100013af
0x00000000
0x100013a4
0x10001394
0x1000139b
0x00000000
0x1000139b
0x00000000
0x10001396
0x10001356
0x10001358
0x1000135a
0x1000135a
0x00000000

APIs

lstrlenA.KERNEL32(74B04F20,00000400,?,00000400,?,74B04F20,00000000), ref: 10001335
CharPrevA.USER32(74B04F20,00000000,?,74B04F20,00000000), ref: 1000133F
MulDiv.KERNEL32(?,00000000,00000064), ref: 10001361
MapDialogRect.USER32(74B04F20,74B04F20), ref: 10001386

Memory Dump Source

Source File: 00000000.00000002.599060058.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.599048571.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.599070015.0000000010003000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.599079066.0000000010004000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.599117295.0000000010007000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_CL-Eye-Driver-5.jbxd

Similarity

API ID: CharDialogPrevRectlstrlen
String ID:
API String ID: 3411278111-0
Opcode ID: ee05941cbb0010e5f5c6526b921f77febfcf527a02eae7712f4de4b9ee175961
Instruction ID: c0227da4e0a6f8b068a6b3556f96f506b12a61a0069e54e06ba25e2db4e352f6
Opcode Fuzzy Hash: ee05941cbb0010e5f5c6526b921f77febfcf527a02eae7712f4de4b9ee175961
Instruction Fuzzy Hash: 4F113435E02668EBEB25CB44CC48BDF7BB8EF007E5F018451FD15A665AC330AA008BD1

Uniqueness

Uniqueness Score: -1.00%

Function 00401EC5, Relevance: 6.1, APIs: 4, Instructions: 54
memoryCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00401EC5(char __ebx, char* __edi, char* __esi) {
				char* _t18;
				int _t19;
				void* _t30;

				_t18 = E004029F6(0xffffffee);
				 *(_t30 - 0x2c) = _t18;
				_t19 = GetFileVersionInfoSizeA(_t18, _t30 - 0x30);
				 *__esi = __ebx;
				 *(_t30 - 8) = _t19;
				 *__edi = __ebx;
				 *((intOrPtr*)(_t30 - 4)) = 1;
				if(_t19 != __ebx) {
					__eax = GlobalAlloc(0x40, __eax);
					 *(__ebp + 8) = __eax;
					if(__eax != __ebx) {
						if(__eax != 0) {
							__ebp - 0x44 = __ebp - 0x34;
							if(VerQueryValueA( *(__ebp + 8), 0x409010, __ebp - 0x34, __ebp - 0x44) != 0) {
								 *(__ebp - 0x34) = E00405AC4(__esi,  *((intOrPtr*)( *(__ebp - 0x34) + 8)));
								 *(__ebp - 0x34) = E00405AC4(__edi,  *((intOrPtr*)( *(__ebp - 0x34) + 0xc)));
								 *((intOrPtr*)(__ebp - 4)) = __ebx;
							}
						}
						_push( *(__ebp + 8));
						GlobalFree();
					}
				}
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t30 - 4));
				return 0;
			}

0x00401ec7
0x00401ecf
0x00401ed4
0x00401ed9
0x00401edd
0x00401ee0
0x00401ee2
0x00401ee9
0x00401ef2
0x00401efa
0x00401efd
0x00401f12
0x00401f18
0x00401f2b
0x00401f34
0x00401f40
0x00401f45
0x00401f45
0x00401f2b
0x00401f48
0x00401b75
0x00401b75
0x00401efd
0x0040288e
0x0040289a

APIs

GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401ED4
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401EF2
GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F0B
VerQueryValueA.VERSION(?,00409010,?,?,?,?,?,00000000), ref: 00401F24

Part of subcall function 00405AC4: wsprintfA.USER32 ref: 00405AD1

Memory Dump Source

Source File: 00000000.00000002.587792505.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.587773902.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587822461.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587850301.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587901452.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587919547.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587936413.0000000000436000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587943185.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_CL-Eye-Driver-5.jbxd

Similarity

API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
String ID:
API String ID: 1404258612-0
Opcode ID: be50ba22476c795dccddfbd46c0b19e6aec7ed87346bdfd2eed6167faf837e67
Instruction ID: 178fa6cf4330108057832d0c189c0e5a27020503733a18e797ef1cc5e9d7aef6
Opcode Fuzzy Hash: be50ba22476c795dccddfbd46c0b19e6aec7ed87346bdfd2eed6167faf837e67
Instruction Fuzzy Hash: 52113A71A00108BEDB01EFA5DD819AEBBB9EB48344B20853AF501F61E1D7389A54DB28

Uniqueness

Uniqueness Score: -1.00%

Function 00404E54, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404E54(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				long _t22;

				if(_a8 != 0x102) {
					if(_a8 != 0x200) {
						_t22 = _a16;
						L7:
						if(_a8 == 0x419 &&  *0x420488 != _t22) {
							 *0x420488 = _t22;
							E00405B66(0x4204a0, 0x424000);
							E00405AC4(0x424000, _t22);
							E0040140B(6);
							E00405B66(0x424000, 0x4204a0);
						}
						L11:
						return CallWindowProcA( *0x420490, _a4, _a8, _a12, _t22);
					}
					if(IsWindowVisible(_a4) == 0) {
						L10:
						_t22 = _a16;
						goto L11;
					}
					_t22 = E004047D3(_a4, 1);
					_a8 = 0x419;
					goto L7;
				}
				if(_a12 != 0x20) {
					goto L10;
				}
				E00403F64(0x413);
				return 0;
			}

0x00404e60
0x00404e85
0x00404ea5
0x00404ea8
0x00404eab
0x00404ec2
0x00404ec8
0x00404ecf
0x00404ed6
0x00404edd
0x00404ee2
0x00404ee8
0x00000000
0x00404ef8
0x00404e92
0x00404ee5
0x00404ee5
0x00000000
0x00404ee5
0x00404e9e
0x00404ea0
0x00000000
0x00404ea0
0x00404e66
0x00000000
0x00000000
0x00404e6d
0x00000000

APIs

IsWindowVisible.USER32(?), ref: 00404E8A
CallWindowProcA.USER32 ref: 00404EF8

Part of subcall function 00403F64: SendMessageA.USER32(001A0056,00000000,00000000,00000000), ref: 00403F76

Strings

, xrefs: 00404E62

Memory Dump Source

Source File: 00000000.00000002.587792505.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.587773902.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587822461.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587850301.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587901452.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587919547.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587936413.0000000000436000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587943185.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_CL-Eye-Driver-5.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 1a28ca64547386e1a64dd11c64f6ae458e1df03769ff3acb3952d776ac0a4b66
Instruction ID: 62f3a1a08e098275047049d4f9968a6b4933f6b7f921e7009373277d82a30415
Opcode Fuzzy Hash: 1a28ca64547386e1a64dd11c64f6ae458e1df03769ff3acb3952d776ac0a4b66
Instruction Fuzzy Hash: D1116D71900208BBDB21AF52DC4499B3669FB84369F00803BF6047A2E2C37C5A519BAD

Uniqueness

Uniqueness Score: -1.00%

Function 004024BE, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34
filestringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004024BE(struct _OVERLAPPED* __ebx, intOrPtr* __esi) {
				int _t5;
				long _t7;
				struct _OVERLAPPED* _t11;
				intOrPtr* _t15;
				void* _t17;
				int _t21;

				_t15 = __esi;
				_t11 = __ebx;
				if( *((intOrPtr*)(_t17 - 0x1c)) == __ebx) {
					_t7 = lstrlenA(E004029F6(0x11));
				} else {
					E004029D9(1);
					 *0x409f70 = __al;
				}
				if( *_t15 == _t11) {
					L8:
					 *((intOrPtr*)(_t17 - 4)) = 1;
				} else {
					_t5 = WriteFile(E00405ADD(_t17 + 8, _t15), "C:\Users\hardz\AppData\Local\Temp\nsw97F2.tmp\nsExec.dll", _t7, _t17 + 8, _t11);
					_t21 = _t5;
					if(_t21 == 0) {
						goto L8;
					}
				}
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t17 - 4));
				return 0;
			}

0x004024be
0x004024be
0x004024c1
0x004024dc
0x004024c3
0x004024c5
0x004024ca
0x004024d1
0x004024e3
0x0040265c
0x0040265c
0x004024e9
0x004024fb
0x004015a6
0x004015a8
0x00000000
0x004015ae
0x004015a8
0x0040288e
0x0040289a

APIs

lstrlenA.KERNEL32(00000000,00000011), ref: 004024DC
WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\nsExec.dll,00000000,?,?,00000000,00000011), ref: 004024FB

Strings

C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\nsExec.dll, xrefs: 004024CA, 004024EF

Memory Dump Source

Source File: 00000000.00000002.587792505.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.587773902.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587822461.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587850301.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587901452.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587919547.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587936413.0000000000436000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587943185.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_CL-Eye-Driver-5.jbxd

Similarity

API ID: FileWritelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsw97F2.tmp\nsExec.dll
API String ID: 427699356-4048914650
Opcode ID: 02a15bd42c28bed1fb8554f3d16374f042fc662dbffd218bbabce7ee12e12458
Instruction ID: 2c1f07a632d72534084a5ac00d75746702f795d1104bf50e8da4b719a2e94720
Opcode Fuzzy Hash: 02a15bd42c28bed1fb8554f3d16374f042fc662dbffd218bbabce7ee12e12458
Instruction Fuzzy Hash: BCF08972A44245FFD710EBB19E49EAF7668DB00348F14443BB142F51C2D6FC5982976D

Uniqueness

Uniqueness Score: -1.00%

Function 0040361A, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040361A() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t8;

				_t8 =  *0x41f45c; // 0x6e9be8
				_t3 = E004035FF(_t2, 0);
				if(_t8 != 0) {
					do {
						_t6 = _t8;
						_t8 =  *_t8;
						FreeLibrary( *(_t6 + 8));
						_t3 = GlobalFree(_t6);
					} while (_t8 != 0);
				}
				 *0x41f45c =  *0x41f45c & 0x00000000;
				return _t3;
			}

0x0040361b
0x00403623
0x0040362a
0x0040362d
0x0040362d
0x0040362f
0x00403634
0x0040363b
0x00403641
0x00403645
0x00403646
0x0040364e

APIs

FreeLibrary.KERNEL32(?,"C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe" ,00000000,74B5F560,004035F1,00000000,0040342D,00000000), ref: 00403634
GlobalFree.KERNEL32 ref: 0040363B

Strings

"C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe" , xrefs: 0040362C

Memory Dump Source

Source File: 00000000.00000002.587792505.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.587773902.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587822461.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587850301.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587901452.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587919547.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587936413.0000000000436000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587943185.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_CL-Eye-Driver-5.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: "C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe"
API String ID: 1100898210-1940520939
Opcode ID: 594683390acbace1feb38ee5af495b240e475f157c4d409b541952378f73dbd9
Instruction ID: 07f203a12dc211ea1540440f4769086933c1ddaa55d0411da1bb29b7fd771b51
Opcode Fuzzy Hash: 594683390acbace1feb38ee5af495b240e475f157c4d409b541952378f73dbd9
Instruction Fuzzy Hash: 8FE08C32804420ABC6216F55EC0579A7768AB48B22F028536E900BB3A083743C464BDC

Uniqueness

Uniqueness Score: -1.00%

Function 004056A0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004056A0(char* _a4) {
				char* _t3;
				char* _t5;

				_t5 = _a4;
				_t3 =  &(_t5[lstrlenA(_t5)]);
				while( *_t3 != 0x5c) {
					_t3 = CharPrevA(_t5, _t3);
					if(_t3 > _t5) {
						continue;
					}
					break;
				}
				 *_t3 =  *_t3 & 0x00000000;
				return  &(_t3[1]);
			}

0x004056a1
0x004056ab
0x004056ad
0x004056b4
0x004056bc
0x00000000
0x00000000
0x00000000
0x004056bc
0x004056be
0x004056c3

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402CDE,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe,C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe,80000000,00000003), ref: 004056A6
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402CDE,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe,C:\Users\user\Desktop\CL-Eye-Driver-5.3.0.0341-Emuline.exe,80000000,00000003), ref: 004056B4

Strings

C:\Users\user\Desktop, xrefs: 004056A0

Memory Dump Source

Source File: 00000000.00000002.587792505.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.587773902.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587822461.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587850301.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587901452.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587919547.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587936413.0000000000436000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587943185.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_CL-Eye-Driver-5.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-1669384263
Opcode ID: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
Instruction ID: 6658d1b0ab05e5211e75f0b74aef41c49d7b43cb9628f8e009f88ad9fa15a52a
Opcode Fuzzy Hash: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
Instruction Fuzzy Hash: C5D0A772409DB02EF30352108C04B8F7A98CF17300F0948A2E440E21D0C27C5C818FFD

Uniqueness

Uniqueness Score: -1.00%

Function 068810D6, Relevance: 5.1, APIs: 4, Instructions: 102
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E068810D6(void* _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				char* _t17;
				char _t19;
				void* _t20;
				void* _t24;
				void* _t27;
				void* _t31;
				void* _t37;
				void* _t39;
				void* _t40;
				signed int _t43;
				void* _t52;
				char* _t53;
				char* _t55;
				void* _t56;
				void* _t58;

				 *0x6884058 = _a8;
				 *0x688405c = _a16;
				 *0x6884060 = _a12;
				 *((intOrPtr*)(_a20 + 0xc))( *0x6884038, E0688189E, _t52);
				_t43 =  *0x6884058 +  *0x6884058 * 4 << 2;
				_t17 = E06881561();
				_a8 = _t17;
				_t53 = _t17;
				if( *_t17 == 0) {
					L16:
					return GlobalFree(_a8);
				} else {
					do {
						_t19 =  *_t53;
						_t55 = _t53 + 1;
						_t58 = _t19 - 0x6c;
						if(_t58 > 0) {
							_t20 = _t19 - 0x70;
							if(_t20 == 0) {
								L12:
								_t53 = _t55 + 1;
								_t24 = E0688159E(E068815E5( *_t55 - 0x30));
								L13:
								GlobalFree(_t24);
								goto L14;
							}
							_t27 = _t20;
							if(_t27 == 0) {
								L10:
								_t53 = _t55 + 1;
								_t24 = E0688160E( *_t55 - 0x30, E06881561());
								goto L13;
							}
							L7:
							if(_t27 == 1) {
								_t31 = GlobalAlloc(0x40, _t43 + 4);
								 *_t31 =  *0x6884030;
								 *0x6884030 = _t31;
								E06881854(_t31 + 4,  *0x6884060, _t43);
								_t56 = _t56 + 0xc;
							}
							goto L14;
						}
						if(_t58 == 0) {
							L17:
							_t34 =  *0x6884030;
							if( *0x6884030 != 0) {
								E06881854( *0x6884060, _t34 + 4, _t43);
								_t37 =  *0x6884030;
								_t56 = _t56 + 0xc;
								GlobalFree(_t37);
								 *0x6884030 =  *_t37;
							}
							goto L14;
						}
						_t39 = _t19 - 0x4c;
						if(_t39 == 0) {
							goto L17;
						}
						_t40 = _t39 - 4;
						if(_t40 == 0) {
							 *_t55 =  *_t55 + 0xa;
							goto L12;
						}
						_t27 = _t40;
						if(_t27 == 0) {
							 *_t55 =  *_t55 + 0xa;
							goto L10;
						}
						goto L7;
						L14:
					} while ( *_t53 != 0);
					goto L16;
				}
			}

0x068810dd
0x068810e5
0x068810f9
0x06881101
0x0688110c
0x0688110f
0x06881117
0x0688111a
0x0688111c
0x068811ba
0x068811c6
0x06881122
0x06881123
0x06881123
0x06881126
0x06881127
0x0688112a
0x068811f9
0x068811fc
0x06881194
0x0688119a
0x068811a2
0x068811a7
0x068811aa
0x00000000
0x068811aa
0x068811ff
0x06881200
0x0688117c
0x06881182
0x0688118a
0x00000000
0x0688118a
0x06881148
0x06881149
0x06881151
0x0688115e
0x06881166
0x0688116f
0x06881174
0x06881174
0x00000000
0x06881149
0x06881130
0x068811c7
0x068811c7
0x068811ce
0x068811db
0x068811e0
0x068811e5
0x068811eb
0x068811f1
0x068811f1
0x00000000
0x068811ce
0x06881136
0x06881139
0x00000000
0x00000000
0x0688113f
0x06881142
0x06881191
0x00000000
0x06881191
0x06881145
0x06881146
0x06881179
0x00000000
0x06881179
0x00000000
0x068811b0
0x068811b0
0x00000000
0x068811b9

APIs

Part of subcall function 06881561: lstrcpyA.KERNEL32(00000000,?,?,?,06881804,?,06881017), ref: 0688157E
Part of subcall function 06881561: GlobalFree.KERNEL32 ref: 0688158F

GlobalAlloc.KERNEL32(00000040,?), ref: 06881151
GlobalFree.KERNEL32 ref: 068811AA
GlobalFree.KERNEL32 ref: 068811BD
GlobalFree.KERNEL32 ref: 068811EB

Memory Dump Source

Source File: 00000000.00000002.594659633.0000000006881000.00000020.00020000.sdmp, Offset: 06880000, based on PE: true

Associated: 00000000.00000002.594653439.0000000006880000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.594671367.0000000006883000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.594679270.0000000006885000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6880000_CL-Eye-Driver-5.jbxd

Similarity

API ID: Global$Free$Alloclstrcpy
String ID:
API String ID: 852173138-0
Opcode ID: c6780e0aa03425d4f91010ca4ddb6d4d59ea2b9aa2c5950e92e7011153614a6a
Instruction ID: 45adf91aa02ec33bb8bae1718f060fb2c0611f6d2e54da81eb6c728e3c69678a
Opcode Fuzzy Hash: c6780e0aa03425d4f91010ca4ddb6d4d59ea2b9aa2c5950e92e7011153614a6a
Instruction Fuzzy Hash: FD3194B690024B9FE7D1EFACE84DA3E7FE9FB25250B140015EAD5D6110EF309802CB51

Uniqueness

Uniqueness Score: -1.00%

Function 06BA17FA, Relevance: 5.0, APIs: 4, Instructions: 37
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E06BA17FA(void* __ecx, CHAR* _a4, CHAR* _a8) {
				int _v8;
				int _t12;
				int _t14;
				int _t15;
				CHAR* _t17;
				CHAR* _t27;

				_t12 = lstrlenA(_a8);
				_t27 = _a4;
				_v8 = _t12;
				while(lstrlenA(_t27) >= _v8) {
					_t14 = _v8;
					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
					_t15 = lstrcmpiA(_t27, _a8);
					_t27[_v8] =  *(_t14 + _t27);
					if(_t15 == 0) {
						_t17 = _t27;
					} else {
						_t27 = CharNextA(_t27);
						continue;
					}
					L5:
					return _t17;
				}
				_t17 = 0;
				goto L5;
			}

0x06ba180a
0x06ba180c
0x06ba180f
0x06ba183b
0x06ba1814
0x06ba181d
0x06ba1822
0x06ba182d
0x06ba1830
0x06ba184a
0x06ba1832
0x06ba1839
0x00000000
0x06ba1839
0x06ba1845
0x06ba1849
0x06ba1849
0x06ba1843
0x00000000

APIs

lstrlenA.KERNEL32(?,00000000,00000001,00000000,?,?,06BA12A6,00000000,/TIMEOUT=,00000000), ref: 06BA180A
lstrcmpiA.KERNEL32(?,?,?,?,06BA12A6,00000000,/TIMEOUT=,00000000), ref: 06BA1822
CharNextA.USER32(?,?,?,06BA12A6,00000000,/TIMEOUT=,00000000), ref: 06BA1833
lstrlenA.KERNEL32(?,?,?,06BA12A6,00000000,/TIMEOUT=,00000000), ref: 06BA183C

Memory Dump Source

Source File: 00000000.00000002.595156484.0000000006BA1000.00000020.00020000.sdmp, Offset: 06BA0000, based on PE: true

Associated: 00000000.00000002.595142650.0000000006BA0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.595165151.0000000006BA2000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.595178631.0000000006BA3000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.595187315.0000000006BA4000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ba0000_CL-Eye-Driver-5.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: af075c4d30b0fb9ea6db39ee2623e34fd64aac2f5a812c6be010d50c834114f7
Instruction ID: 21df4774707d0ce91ac772ed5c00c30daad8d9fa7386ec1bd5fa4583921fec49
Opcode Fuzzy Hash: af075c4d30b0fb9ea6db39ee2623e34fd64aac2f5a812c6be010d50c834114f7
Instruction Fuzzy Hash: 51F09671604554FFD7529FA8DC4099E7BA8EF05250F1940D5ED05E7211D770DF41D790

Uniqueness

Uniqueness Score: -1.00%

Function 004057B2, Relevance: 5.0, APIs: 4, Instructions: 30
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004057B2(CHAR* _a4, CHAR* _a8) {
				int _t10;
				int _t15;
				CHAR* _t16;

				_t15 = lstrlenA(_a8);
				_t16 = _a4;
				while(lstrlenA(_t16) >= _t15) {
					 *(_t15 + _t16) =  *(_t15 + _t16) & 0x00000000;
					_t10 = lstrcmpiA(_t16, _a8);
					if(_t10 == 0) {
						return _t16;
					}
					_t16 = CharNextA(_t16);
				}
				return 0;
			}

0x004057be
0x004057c0
0x004057e8
0x004057cd
0x004057d2
0x004057dd
0x00000000
0x004057fa
0x004057e6
0x004057e6
0x00000000

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,004059C0,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004057B9
lstrcmpiA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,004059C0,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004057D2
CharNextA.USER32(00000000,?,?,00000000,000000F1,?), ref: 004057E0
lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,004059C0,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004057E9

Memory Dump Source

Source File: 00000000.00000002.587792505.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.587773902.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587822461.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587850301.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587901452.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587919547.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.587936413.0000000000436000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.587943185.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_CL-Eye-Driver-5.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
Instruction ID: 042c172281cf084eebf1820456e7eb749b121a10276c912c68532230cfd8689c
Opcode Fuzzy Hash: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
Instruction Fuzzy Hash: BBF0A736249D51DBC2029B295C44E6FBEA4EF95355F14057EF440F3180D335AC11ABBB

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: CertMgr.exe PID: 5388 Parent PID: 5288 CertMgr.exeCOMMON

Executed Functions

Function 00E87E7F, Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 226
encryptionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 50%

			E00E87E7F(void* __ebx, void* __edx, void* __edi, void* __esi, char _a4, signed short** _a8) {
				signed int _v8;
				short _v28;
				short _v48;
				char _v52;
				signed int _v56;
				signed short** _v60;
				int _v80;
				signed int _t41;
				intOrPtr _t46;
				intOrPtr _t47;
				intOrPtr _t48;
				intOrPtr _t49;
				signed short* _t63;
				void* _t71;
				intOrPtr _t72;
				void* _t74;
				void* _t84;
				int _t85;
				int _t86;
				signed int _t87;
				signed char _t92;
				void* _t97;
				signed short** _t99;
				void* _t100;
				void* _t103;
				signed int _t105;

				_t97 = __edx;
				_t41 =  *0xe8a078; // 0xa9659deb
				_v8 = _t41 ^ _t105;
				_v56 = _v56 | 0xffffffff;
				_t99 = _a8;
				_v52 = 0;
				__imp__HeapSetInformation(0, 1, 0, 0, __edi, __esi, __ebx);
				if(E00E817F3() == 0) {
					L41:
					_push(0x1773);
					goto L42;
				} else {
					_t85 = 0xa;
					if(LoadStringW( *0xe8a7f8, 0x17a2,  &_v48, _t85) == 0 || LoadStringW( *0xe8a7f8, 0x17a3,  &_v28, _t85) == 0 || LoadStringA( *0xe8a7f8, 0x1b58, "<NULL>", _t85) == 0 || LoadStringW( *0xe8a7f8, 0x1b59, ?str?, _t85) == 0 || LoadStringW( *0xe8a7f8, 0x1b5a, ?str?, _t85) == 0) {
						goto L41;
					} else {
						_t86 = 0x14;
						if(LoadStringW( *0xe8a7f8, 0x1b5b, L"<UNKNOWN OID>", _t86) == 0) {
							goto L41;
						} else {
							if(_a4 != 1) {
								while(1) {
									_t20 =  &_a4;
									 *_t20 = _a4 - 1;
									if( *_t20 == 0) {
										break;
									}
									_t99 =  &(_t99[1]);
									_t63 =  *_t99;
									_t87 =  *_t63 & 0x0000ffff;
									_v60 = _t99;
									if(_t87 == _v48 || _t87 == _v28) {
										if(E00E834B4( &_a4,  &_v60) == 0) {
											if( *0xe8a830 != 1) {
												goto L20;
											} else {
												E00E81A02();
											}
										} else {
											_t99 = _v60;
											continue;
										}
									} else {
										if( *0xe8a83c != 0) {
											if(E00E82675(0xe8a84c, _t63) == 0) {
												L20:
												E00E81864();
											} else {
												continue;
											}
										} else {
											 *0xe8a83c = _t63;
											continue;
										}
									}
									goto L43;
								}
								if(E00E83822() != 0) {
									_t71 = E00E84B58( &_v52, _t87, _t97,  *0xe8a83c,  *0xe8a834,  *0xe8a070,  *0xe8a854,  *0xe8a85c, 1,  &_v52); // executed
									if(_t71 != 0) {
										_t72 =  *0xe8a820; // 0x0
										_t92 =  *0xe8a7fc; // 0x2
										if(_t72 == 0 || (_t92 & 0x00000004) == 0 ||  *0xe8a840 == 0) {
											if((_t92 & 0x00000001) == 0) {
												L35:
												if(( *0xe8a7fc & 0x00000004) == 0 || E00E87934(_t97, _v52) != 0) {
													if(( *0xe8a7fc & 0x00000002) == 0) {
														L39:
														if(( *0xe8a7fc & 0x00000008) == 0 || E00E873E5(_t86, _t97, _v52) != 0) {
															goto L9;
														} else {
															goto L41;
														}
													} else {
														_t74 = E00E86F07(_t86, _t97, _v52); // executed
														if(_t74 == 0) {
															goto L41;
														} else {
															goto L39;
														}
													}
												} else {
													goto L41;
												}
											} else {
												if(_t72 == 0 || E00E8644E(_t97, _t72,  *0xe8a800) != 0) {
													if(E00E86D37(_t97, _v52) == 0) {
														goto L41;
													} else {
														_push(0x1c0b);
														_push( *0xe8a7f8);
														E00E88F8E();
														goto L35;
													}
												} else {
													goto L41;
												}
											}
										} else {
											_push(0x1c2b);
											goto L29;
										}
									} else {
										_push(0x17b0);
										L29:
										_push( *0xe8a7f8);
										E00E88F8E();
										goto L41;
									}
									goto L42;
								} else {
									goto L20;
								}
							} else {
								asm("stosd");
								asm("stosd");
								asm("stosd");
								asm("stosd");
								asm("stosd");
								_push( &_v80);
								_v80 = _t86;
								L00E8931A();
								L9:
								_v56 = _v56 & 0x00000000;
								_push(0x1772);
								L42:
								_push( *0xe8a7f8); // executed
								E00E88F8E(); // executed
							}
						}
					}
				}
				L43:
				_t46 =  *0xe8a854; // 0x0
				_pop(_t100);
				_pop(_t103);
				_pop(_t84);
				if(_t46 != 0) {
					E00E88F35(_t46, _t46);
				}
				_t47 =  *0xe8a864; // 0x0
				if(_t47 != 0) {
					E00E88F35(_t47, _t47);
				}
				_t48 =  *0xe8a814; // 0x0
				if(_t48 != 0) {
					E00E88F35(_t48, _t48);
				}
				_t49 =  *0xe8a820; // 0x0
				if(_t49 != 0) {
					__imp__CryptMsgClose(_t49);
				}
				if(_v52 != 0) {
					__imp__CertCloseStore(_v52, 0);
				}
				return E00E886C7(_v56, _t84, _v8 ^ _t105, _t97, _t100, _t103);
			}

0x00e87e7f
0x00e87e87
0x00e87e8e
0x00e87e91
0x00e87e98
0x00e87ea2
0x00e87ea5
0x00e87eb2
0x00e880ec
0x00e880ec
0x00000000
0x00e87eb8
0x00e87ec0
0x00e87ed5
0x00000000
0x00e87f4a
0x00e87f4c
0x00e87f62
0x00000000
0x00e87f68
0x00e87f6c
0x00e87fde
0x00e87fde
0x00e87fde
0x00e87fe1
0x00000000
0x00000000
0x00e87f92
0x00e87f95
0x00e87f97
0x00e87f9a
0x00e87fa1
0x00e87fd9
0x00e87ffd
0x00000000
0x00e87fff
0x00e87fff
0x00e87fff
0x00e87fdb
0x00e87fdb
0x00000000
0x00e87fdb
0x00e87fa9
0x00e87fb0
0x00e87fc6
0x00e87fec
0x00e87fec
0x00e87fc8
0x00000000
0x00e87fc8
0x00e87fb2
0x00e87fb2
0x00000000
0x00e87fb2
0x00e87fb0
0x00000000
0x00e87fa1
0x00e87fea
0x00e8802d
0x00e88034
0x00e8803d
0x00e88042
0x00e8804a
0x00e88071
0x00e880a5
0x00e880ac
0x00e880c1
0x00e880cf
0x00e880d6
0x00000000
0x00000000
0x00000000
0x00000000
0x00e880c3
0x00e880c6
0x00e880cd
0x00000000
0x00000000
0x00000000
0x00000000
0x00e880cd
0x00000000
0x00000000
0x00000000
0x00e88073
0x00e88075
0x00e88091
0x00000000
0x00e88093
0x00e88093
0x00e88098
0x00e8809e
0x00000000
0x00e880a4
0x00000000
0x00000000
0x00000000
0x00e88075
0x00e8805a
0x00e8805a
0x00000000
0x00e8805a
0x00e88036
0x00e88036
0x00e8805f
0x00e8805f
0x00e88065
0x00000000
0x00e8806b
0x00000000
0x00000000
0x00000000
0x00000000
0x00e87f6e
0x00e87f73
0x00e87f74
0x00e87f75
0x00e87f76
0x00e87f77
0x00e87f7b
0x00e87f7c
0x00e87f7f
0x00e87f84
0x00e87f84
0x00e87f88
0x00e880f1
0x00e880f1
0x00e880f7
0x00e880fd
0x00e87f6c
0x00e87f62
0x00e87ed5
0x00e880fe
0x00e880fe
0x00e88103
0x00e88104
0x00e88105
0x00e88108
0x00e8810b
0x00e8810b
0x00e88110
0x00e88117
0x00e8811a
0x00e8811a
0x00e8811f
0x00e88126
0x00e88129
0x00e88129
0x00e8812e
0x00e88135
0x00e88138
0x00e88138
0x00e88142
0x00e88149
0x00e88149
0x00e8815d

APIs

HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000), ref: 00E87EA5

Part of subcall function 00E817F3: GetModuleHandleA.KERNEL32(00000000,00E87EB0), ref: 00E817F5

LoadStringW.USER32(000017A2,?,0000000A), ref: 00E87ED1
LoadStringW.USER32(000017A3,?,0000000A), ref: 00E87EEB
LoadStringA.USER32 ref: 00E87F06
LoadStringW.USER32(00001B59,SHA1,0000000A), ref: 00E87F25
LoadStringW.USER32(00001B5A,MD5,0000000A), ref: 00E87F40
LoadStringW.USER32(00001B5B,<UNKNOWN OID>,00000014), ref: 00E87F5E
CryptUIDlgCertMgr.CRYPTUI(?), ref: 00E87F7F
CryptMsgClose.CRYPT32(00000000), ref: 00E88138
CertCloseStore.CRYPT32(00000000,00000000), ref: 00E88149

Strings

SHA1, xrefs: 00E87F15
<UNKNOWN OID>, xrefs: 00E87F4E
<NULL>, xrefs: 00E87EF6
MD5, xrefs: 00E87F30

Memory Dump Source

Source File: 00000001.00000002.222199983.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000001.00000002.222197026.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.222206325.0000000000E8A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.222208904.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e80000_CertMgr.jbxd

Similarity

API ID: LoadString$CertCloseCrypt$HandleHeapInformationModuleStore
String ID: <NULL>$<UNKNOWN OID>$MD5$SHA1
API String ID: 215360622-1563267417
Opcode ID: d29757018eddeadf985deb19387e656f603634236629911f32da24615b47661b
Instruction ID: 32cba3e411457e66f0f0d49e7e33bda757446ab26ec3bab13a01faaed0239f23
Opcode Fuzzy Hash: d29757018eddeadf985deb19387e656f603634236629911f32da24615b47661b
Instruction Fuzzy Hash: 29716071604205EEFB117B62EE45FAA3BF9AB04744F586026FE0CB50A1DF71C849DB22

Uniqueness

Uniqueness Score: -1.00%

Function 00E88A1F, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00E88A1F() {

				SetUnhandledExceptionFilter(E00E889D7); // executed
				return 0;
			}

0x00e88a24
0x00e88a2c

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_000089D7), ref: 00E88A24

Memory Dump Source

Source File: 00000001.00000002.222199983.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000001.00000002.222197026.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.222206325.0000000000E8A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.222208904.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e80000_CertMgr.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 7154fada4c9f157e7afcc99af197bee0a54b17330e17c9afaff7adeee669985b
Instruction ID: ac0355f0ebef6b150c143650b8efa26589c157de0889d9f72032ad730f1d57be
Opcode Fuzzy Hash: 7154fada4c9f157e7afcc99af197bee0a54b17330e17c9afaff7adeee669985b
Instruction Fuzzy Hash: 8D9002702556405A4B0227B25E1969625945B98702B815492AA0EF8054DE5040455716

Uniqueness

Uniqueness Score: -1.00%

Function 00E86F07, Relevance: 33.4, APIs: 22, Instructions: 395
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CertOpenStore.CRYPT32(00000002,00000000,00000000,00000000), ref: 00E86F5C
CertCloseStore.CRYPT32(?,00000000), ref: 00E873A5

Memory Dump Source

Source File: 00000001.00000002.222199983.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000001.00000002.222197026.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.222206325.0000000000E8A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.222208904.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e80000_CertMgr.jbxd

Similarity

API ID: CertStore$CloseOpen
String ID:
API String ID: 2191479384-0
Opcode ID: a7502c9c110c468fb59f0069476f3326489d963bfcdbbe388ccd948b8a508261
Instruction ID: 7573332a96d7587bd24fc3a41f317dcfb575d22032cd9b5b3871cc5165350d56
Opcode Fuzzy Hash: a7502c9c110c468fb59f0069476f3326489d963bfcdbbe388ccd948b8a508261
Instruction Fuzzy Hash: D6E16870D08208EFDB21AF91DD88AEEBBB9FB44344F345456F94DB2160D3358A45EB61

Uniqueness

Uniqueness Score: -1.00%

Function 00E84B58, Relevance: 18.2, APIs: 12, Instructions: 190
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CertOpenStore.CRYPT32(0000000A,00000000,?,?), ref: 00E84B92
CertOpenStore.CRYPT32(0000000A,00000000,?,?), ref: 00E84BC2
CertCloseStore.CRYPT32(00000000,00000000), ref: 00E84BDD
CertOpenStore.CRYPT32(0000000A,00000000,?,?), ref: 00E84BF2
CertOpenStore.CRYPT32(00000008,00000000,00000000,?), ref: 00E84CA4
CertOpenStore.CRYPT32(00000002,00000000,00000000,00000000), ref: 00E84CF1
CertAddEncodedCTLToStore.CRYPT32(00000000,?,?,00000004,00000000), ref: 00E84D09
CertAddEncodedCRLToStore.CRYPT32(00000000,?,?,00000004,00000000), ref: 00E84D23
CertAddEncodedCertificateToStore.CRYPT32(00000000,?,?,00000004,00000000), ref: 00E84D3D
CertCloseStore.CRYPT32(00000000,00000000), ref: 00E84D49
CertOpenStore.CRYPT32(00000005,00000000,00000000,?), ref: 00E84D5D
CertOpenStore.CRYPT32(00000006,00000000,00000000,?), ref: 00E84D73

Memory Dump Source

Source File: 00000001.00000002.222199983.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000001.00000002.222197026.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.222206325.0000000000E8A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.222208904.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e80000_CertMgr.jbxd

Similarity

API ID: CertStore$Open$Encoded$Close$Certificate
String ID:
API String ID: 2200726460-0
Opcode ID: 15f3b2ef948025715e8e8ed3dcbab46ccffc6957d7e441278dd61caaa2a23128
Instruction ID: d75e176aa360729113d572d9434dcb0fb8b548b2dcf702151e73b6cb0a1eee6d
Opcode Fuzzy Hash: 15f3b2ef948025715e8e8ed3dcbab46ccffc6957d7e441278dd61caaa2a23128
Instruction Fuzzy Hash: 0051A572500255FFDB21BFA6CC44EAEBABCFB89748F045526F61CB20A0D3314945DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00E81DC3, Relevance: 13.6, APIs: 9, Instructions: 91
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CertAddCertificateContextToStore.CRYPT32(?,00000000,00000003,00000000), ref: 00E81DF4
CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 00E81E02
CertAddCRLContextToStore.CRYPT32(?,?,00000003,00000000), ref: 00E81E22
CertEnumCTLsInStore.CRYPT32(?,00000000), ref: 00E81E32
CertAddCRLContextToStore.CRYPT32(?,?,00000003,00000000), ref: 00E81E57
CertGetCRLFromStore.CRYPT32(?,00000000,00000000,?), ref: 00E81E6C
CertFreeCertificateContext.CRYPT32(00000000), ref: 00E81E81
CertFreeCRLContext.CRYPT32(?), ref: 00E81E8F
CertFreeCRLContext.CRYPT32(?), ref: 00E81EA0

Memory Dump Source

Source File: 00000001.00000002.222199983.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000001.00000002.222197026.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.222206325.0000000000E8A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.222208904.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e80000_CertMgr.jbxd

Similarity

API ID: Cert$ContextStore$Free$CertificateEnum$CertificatesFrom
String ID:
API String ID: 121226512-0
Opcode ID: 7910553916855f71c9a2f0077c412b47f1eeeb389930d0970fb623d2c6a7d354
Instruction ID: 28361ddb70c1d4d25899374b871e7c83e966f4ea2d6823137577d8b7f1fb7f25
Opcode Fuzzy Hash: 7910553916855f71c9a2f0077c412b47f1eeeb389930d0970fb623d2c6a7d354
Instruction Fuzzy Hash: 67312A75900259BFDB22AFA1DC44A9EBF7DEF04754F144495F90DB2060C3B18A96DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E89087, Relevance: 9.1, APIs: 6, Instructions: 96
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E00E89087(long _a4, void* _a8, void** _a12, void** _a16) {
				long _v8;
				long _v12;
				long _v16;
				void* _t22;
				long _t24;
				signed int _t25;
				void* _t28;
				void* _t31;
				void* _t32;
				void** _t33;
				void** _t38;

				_t22 = _a8;
				_v8 = 0;
				_v12 = 0;
				_v16 = 0;
				if(_t22 == 0) {
					L20:
					return 0x80070057;
				}
				_t33 = _a12;
				if(_t33 == 0 || _a4 == 0) {
					goto L20;
				} else {
					_t38 = _a16;
					if(_t38 == 0) {
						goto L20;
					}
					_push(0);
					_push(0x80);
					_push(3);
					_push(0);
					_push(1);
					_push(0x80000000);
					_push(_a4);
					 *_t33 = 0;
					 *_t22 = 0;
					 *_t38 =  *_t38 | 0xffffffff; // executed
					E00E89349(); // executed
					 *_t38 = _t22;
					if(_t22 != 0xffffffff) {
						_t24 = GetFileSize(_t22,  &_v16);
						_a4 = _t24;
						if(_t24 == 0xffffffff) {
							goto L5;
						}
						if(_v16 == 0) {
							_t31 = CreateFileMappingA( *_t38, 0, 2, 0, 0, 0); // executed
							_v12 = _t31;
							if(_t31 == 0) {
								goto L5;
							}
							_t32 = MapViewOfFile(_t31, 4, 0, 0, _a4); // executed
							if(_t32 == 0) {
								goto L5;
							}
							 *_a8 = _a4;
							 *_t33 = _t32;
							L14:
							if(_v8 == 0) {
								L17:
								if(_v12 != 0) {
									FindCloseChangeNotification(_v12); // executed
								}
								return _v8;
							}
							L15:
							_t28 =  *_t38;
							if(_t28 != 0xffffffff) {
								CloseHandle(_t28);
								 *_t38 =  *_t38 | 0xffffffff;
							}
							goto L17;
						}
						_v8 = 0x80004005;
						goto L15;
					}
					L5:
					_t25 = GetLastError();
					if(_t25 > 0) {
						_t25 = _t25 & 0x0000ffff | 0x80070000;
					}
					_v8 = _t25;
					goto L14;
				}
			}

0x00e8908f
0x00e89097
0x00e8909a
0x00e8909d
0x00e890a2
0x00e89181
0x00000000
0x00e89181
0x00e890a8
0x00e890ad
0x00000000
0x00e890bc
0x00e890bc
0x00e890c1
0x00000000
0x00000000
0x00e890c7
0x00e890c8
0x00e890cd
0x00e890cf
0x00e890d0
0x00e890d2
0x00e890d7
0x00e890da
0x00e890dc
0x00e890de
0x00e890e1
0x00e890e6
0x00e890eb
0x00e8910b
0x00e89111
0x00e89117
0x00000000
0x00000000
0x00e8911c
0x00e8912f
0x00e89135
0x00e8913a
0x00000000
0x00000000
0x00e89144
0x00e8914c
0x00000000
0x00000000
0x00e89154
0x00e89156
0x00e89158
0x00e8915b
0x00e8916e
0x00e89171
0x00e89176
0x00e89176
0x00000000
0x00e8917c
0x00e8915d
0x00e8915d
0x00e89162
0x00e89165
0x00e8916b
0x00e8916b
0x00000000
0x00e89162
0x00e8911e
0x00000000
0x00e8911e
0x00e890ed
0x00e890ed
0x00e890f5
0x00e890fc
0x00e890fc
0x00e89101
0x00000000
0x00e89101

APIs

GetLastError.KERNEL32(?,00000000,?,?,000000FF), ref: 00E890ED
GetFileSize.KERNEL32(00000000,?,000000FF,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,?,?,000000FF), ref: 00E8910B
CreateFileMappingA.KERNEL32 ref: 00E8912F
MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,000000FF,?,00000000,?,?,000000FF), ref: 00E89144
CloseHandle.KERNEL32(00000000,?,00000000,?,?,000000FF), ref: 00E89165
FindCloseChangeNotification.KERNELBASE(000000FF,?,00000000,?,?,000000FF), ref: 00E89176

Memory Dump Source

Source File: 00000001.00000002.222199983.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000001.00000002.222197026.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.222206325.0000000000E8A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.222208904.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e80000_CertMgr.jbxd

Similarity

API ID: File$Close$ChangeCreateErrorFindHandleLastMappingNotificationSizeView
String ID:
API String ID: 2370202277-0
Opcode ID: 720274477f18847c050fc7e8d0fff9ee5c69b9ac7810418768eaee376c0a857f
Instruction ID: 726cd9fd2aa53fd5e3eaedd4b7db6d97de32392cc9809d425d05937c8e6d3825
Opcode Fuzzy Hash: 720274477f18847c050fc7e8d0fff9ee5c69b9ac7810418768eaee376c0a857f
Instruction Fuzzy Hash: 7131CE70D01205FFCB21AF6ACC4C9AEBBB9EB81B20F298659F56DB6291D3314940CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00E825EA, Relevance: 7.6, APIs: 5, Instructions: 56
encryptionfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E00E825EA(void* __ecx, void* _a4) {
				signed int _v8;
				char _v12;
				void* _t16;
				void* _t22;
				void* _t23;
				void* _t25;

				_v8 = _v8 | 0xffffffff;
				_t16 = E00E89087(_a4,  &_v12,  &_a4,  &_v8); // executed
				if(_t16 == 0) {
					__imp__CertOpenStore(2, 0, 0, 0, 0, _t22, _t25);
					_t23 = _t16;
					if(_t23 != 0) {
						__imp__CertAddEncodedCTLToStore(_t23,  *0xe8a06c, _a4, _v12, 4, 0);
						if(_t16 == 0) {
							__imp__CertCloseStore(_t23, 0);
							_t23 = 0;
						}
					}
					if(_a4 != 0) {
						UnmapViewOfFile(_a4);
					}
					if(_v8 != 0xffffffff) {
						CloseHandle(_v8);
					}
					return _t23;
				}
				return 0;
			}

0x00e825f1
0x00e82604
0x00e8260b
0x00e8261b
0x00e82621
0x00e82625
0x00e82637
0x00e8263f
0x00e82643
0x00e82649
0x00e82649
0x00e8263f
0x00e8264e
0x00e82653
0x00e82653
0x00e8265d
0x00e82662
0x00e82662
0x00000000
0x00e8266b
0x00000000

APIs

Part of subcall function 00E89087: GetLastError.KERNEL32(?,00000000,?,?,000000FF), ref: 00E890ED
Part of subcall function 00E89087: CloseHandle.KERNEL32(00000000,?,00000000,?,?,000000FF), ref: 00E89165
Part of subcall function 00E89087: FindCloseChangeNotification.KERNELBASE(000000FF,?,00000000,?,?,000000FF), ref: 00E89176

CertOpenStore.CRYPT32(00000002,00000000,00000000,00000000,00000000), ref: 00E8261B
CertAddEncodedCTLToStore.CRYPT32(00000000,?,?,00000004,00000000), ref: 00E82637
CertCloseStore.CRYPT32(00000000,00000000), ref: 00E82643
UnmapViewOfFile.KERNEL32(?,?,?,?,?,?,000000FF), ref: 00E82653
CloseHandle.KERNEL32(000000FF,?,?,?,?,?,000000FF), ref: 00E82662

Memory Dump Source

Source File: 00000001.00000002.222199983.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000001.00000002.222197026.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.222206325.0000000000E8A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.222208904.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e80000_CertMgr.jbxd

Similarity

API ID: Close$CertStore$Handle$ChangeEncodedErrorFileFindLastNotificationOpenUnmapView
String ID:
API String ID: 3658566462-0
Opcode ID: 0e47226fd9208ecedd4f9737774e237d6896d1d1064e725c726becaa52cc128d
Instruction ID: 4cd75bc6f036acaf45b115c3bdc69049a3d205bc35767d0c57b6b25c79f9f2a3
Opcode Fuzzy Hash: 0e47226fd9208ecedd4f9737774e237d6896d1d1064e725c726becaa52cc128d
Instruction Fuzzy Hash: BA015B76502214BFCB216BA2CD0CDDF7E6DEF857A4F144165FA0DB1060E7308A46EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E824D4, Relevance: 7.6, APIs: 5, Instructions: 56
encryptionfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E00E824D4(void* __ecx, void* _a4) {
				signed int _v8;
				char _v12;
				void* _t16;
				void* _t22;
				void* _t23;
				void* _t25;

				_v8 = _v8 | 0xffffffff;
				_t16 = E00E89087(_a4,  &_v12,  &_a4,  &_v8); // executed
				if(_t16 == 0) {
					__imp__CertOpenStore(2, 0, 0, 0, 0, _t22, _t25);
					_t23 = _t16;
					if(_t23 != 0) {
						__imp__CertAddEncodedCRLToStore(_t23,  *0xe8a064, _a4, _v12, 4, 0); // executed
						if(_t16 == 0) {
							__imp__CertCloseStore(_t23, 0);
							_t23 = 0;
						}
					}
					if(_a4 != 0) {
						UnmapViewOfFile(_a4);
					}
					if(_v8 != 0xffffffff) {
						CloseHandle(_v8);
					}
					return _t23;
				}
				return 0;
			}

0x00e824db
0x00e824ee
0x00e824f5
0x00e82505
0x00e8250b
0x00e8250f
0x00e82521
0x00e82529
0x00e8252d
0x00e82533
0x00e82533
0x00e82529
0x00e82538
0x00e8253d
0x00e8253d
0x00e82547
0x00e8254c
0x00e8254c
0x00000000
0x00e82555
0x00000000

APIs

Part of subcall function 00E89087: GetLastError.KERNEL32(?,00000000,?,?,000000FF), ref: 00E890ED
Part of subcall function 00E89087: CloseHandle.KERNEL32(00000000,?,00000000,?,?,000000FF), ref: 00E89165
Part of subcall function 00E89087: FindCloseChangeNotification.KERNELBASE(000000FF,?,00000000,?,?,000000FF), ref: 00E89176

CertOpenStore.CRYPT32(00000002,00000000,00000000,00000000,00000000), ref: 00E82505
CertAddEncodedCRLToStore.CRYPT32(00000000,?,?,00000004,00000000), ref: 00E82521
CertCloseStore.CRYPT32(00000000,00000000), ref: 00E8252D
UnmapViewOfFile.KERNEL32(?,?,?,?,?,?,000000FF), ref: 00E8253D
CloseHandle.KERNEL32(000000FF,?,?,?,?,?,000000FF), ref: 00E8254C

Memory Dump Source

Source File: 00000001.00000002.222199983.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000001.00000002.222197026.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.222206325.0000000000E8A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.222208904.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e80000_CertMgr.jbxd

Similarity

API ID: Close$CertStore$Handle$ChangeEncodedErrorFileFindLastNotificationOpenUnmapView
String ID:
API String ID: 3658566462-0
Opcode ID: e9ef48fabdb171faf05e3e50fc5d9d8ae53f036919e6f48ec68f337e1f7f5c6d
Instruction ID: 01d78c65b9fedfbca747d4f5bee2e00a7604929a8419e37643fa873ed537f1d5
Opcode Fuzzy Hash: e9ef48fabdb171faf05e3e50fc5d9d8ae53f036919e6f48ec68f337e1f7f5c6d
Instruction Fuzzy Hash: 2E018E31101214BFCB215B62DD0CCDF7E2DEF867A0B104165F60DB1060D7308A46E7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00E8255F, Relevance: 7.6, APIs: 5, Instructions: 56
encryptionfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E00E8255F(void* __ecx, void* _a4) {
				signed int _v8;
				char _v12;
				void* _t16;
				void* _t22;
				void* _t23;
				void* _t25;

				_v8 = _v8 | 0xffffffff;
				_t16 = E00E89087(_a4,  &_v12,  &_a4,  &_v8); // executed
				if(_t16 == 0) {
					__imp__CertOpenStore(2, 0, 0, 0, 0, _t22, _t25);
					_t23 = _t16;
					if(_t23 != 0) {
						__imp__CertAddEncodedCertificateToStore(_t23,  *0xe8a06c, _a4, _v12, 4, 0);
						if(_t16 == 0) {
							__imp__CertCloseStore(_t23, 0);
							_t23 = 0;
						}
					}
					if(_a4 != 0) {
						UnmapViewOfFile(_a4);
					}
					if(_v8 != 0xffffffff) {
						CloseHandle(_v8);
					}
					return _t23;
				}
				return 0;
			}

0x00e82566
0x00e82579
0x00e82580
0x00e82590
0x00e82596
0x00e8259a
0x00e825ac
0x00e825b4
0x00e825b8
0x00e825be
0x00e825be
0x00e825b4
0x00e825c3
0x00e825c8
0x00e825c8
0x00e825d2
0x00e825d7
0x00e825d7
0x00000000
0x00e825e0
0x00000000

APIs

Part of subcall function 00E89087: GetLastError.KERNEL32(?,00000000,?,?,000000FF), ref: 00E890ED
Part of subcall function 00E89087: CloseHandle.KERNEL32(00000000,?,00000000,?,?,000000FF), ref: 00E89165
Part of subcall function 00E89087: FindCloseChangeNotification.KERNELBASE(000000FF,?,00000000,?,?,000000FF), ref: 00E89176

CertOpenStore.CRYPT32(00000002,00000000,00000000,00000000,00000000), ref: 00E82590
CertAddEncodedCertificateToStore.CRYPT32(00000000,?,?,00000004,00000000), ref: 00E825AC
CertCloseStore.CRYPT32(00000000,00000000), ref: 00E825B8
UnmapViewOfFile.KERNEL32(?,?,?,?,?,?,000000FF), ref: 00E825C8
CloseHandle.KERNEL32(000000FF,?,?,?,?,?,000000FF), ref: 00E825D7

Memory Dump Source

Source File: 00000001.00000002.222199983.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000001.00000002.222197026.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.222206325.0000000000E8A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.222208904.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e80000_CertMgr.jbxd

Similarity

API ID: Close$CertStore$Handle$CertificateChangeEncodedErrorFileFindLastNotificationOpenUnmapView
String ID:
API String ID: 780097858-0
Opcode ID: 94f97bf16ec7e7abe9cfb1bb00fb49c0aa0b2119b46bcbaed7cd5d4d3c16ed7b
Instruction ID: a8869975064d376647d1304dcf1a4f6854243809805c139639f235659d26e7bc
Opcode Fuzzy Hash: 94f97bf16ec7e7abe9cfb1bb00fb49c0aa0b2119b46bcbaed7cd5d4d3c16ed7b
Instruction Fuzzy Hash: F4012136101214BFCB215B62DC0CDDF7E6DEF457A4B144165F61DB10A0E7308A46D7B1

Uniqueness

Uniqueness Score: -1.00%

Function 00E88F8E, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00E88F8E(struct HINSTANCE__* _a4, int _a8, void _a12) {
				int _t6;

				LoadStringW(_a4, _a8, 0xe8acd8,  *0xe8a390);
				_t6 = vwprintf(0xe8acd8,  &_a12); // executed
				return _t6;
			}

0x00e88fa6
0x00e88fb1
0x00e88fba

APIs

LoadStringW.USER32(?,00E81A8A,CertMgr Succeeded,00000000), ref: 00E88FA6
vwprintf.MSVCRT ref: 00E88FB1

Strings

CertMgr Succeeded, xrefs: 00E88F9A, 00E88F9F, 00E88FB0

Memory Dump Source

Source File: 00000001.00000002.222199983.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000001.00000002.222197026.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.222206325.0000000000E8A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.222208904.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e80000_CertMgr.jbxd

Similarity

API ID: LoadStringvwprintf
String ID: CertMgr Succeeded
API String ID: 1051060134-2974366063
Opcode ID: db0fab0b319d8323a694ea2feb2300a68ad91cd6259564ef2abd01298b10ed43
Instruction ID: 407c871d11202c6d950dd630a2d05c3f96545edd26b60663a09243ef1c775509
Opcode Fuzzy Hash: db0fab0b319d8323a694ea2feb2300a68ad91cd6259564ef2abd01298b10ed43
Instruction Fuzzy Hash: 7FD05E320092187F9B122F82EC09CDB3F5DEB423707084022F91C62120DA3299119795

Uniqueness

Uniqueness Score: -1.00%

Function 00E84DA0, Relevance: 4.6, APIs: 3, Instructions: 113
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CertCloseStore.CRYPT32(00000000,00000000), ref: 00E84EEB

Part of subcall function 00E88F8E: LoadStringW.USER32(?,00E81A8A,CertMgr Succeeded,00000000), ref: 00E88FA6
Part of subcall function 00E88F8E: vwprintf.MSVCRT ref: 00E88FB1

Memory Dump Source

Source File: 00000001.00000002.222199983.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000001.00000002.222197026.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.222206325.0000000000E8A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.222208904.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e80000_CertMgr.jbxd

Similarity

API ID: CertCloseLoadStoreStringvwprintf
String ID:
API String ID: 3929983701-0
Opcode ID: 86c5e2a6ff16fa27d9b7f1977f6f6bacbf8986c96f591b47d47e5856c80b9691
Instruction ID: 8e4fb2b76697f063030c990fb3acfd013cc2f30a18c796c194db6aca8e7fd119
Opcode Fuzzy Hash: 86c5e2a6ff16fa27d9b7f1977f6f6bacbf8986c96f591b47d47e5856c80b9691
Instruction Fuzzy Hash: E031A1B2104305FEFB266B53AD49D5A7AF9F740B54F18512BF60C7A0F0D6324845EB62

Uniqueness

Uniqueness Score: -1.00%

Function 00E88436, Relevance: 1.5, APIs: 1, Instructions: 11
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__wgetmainargs.KERNELBASE ref: 00E8845A

Memory Dump Source

Source File: 00000001.00000002.222199983.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000001.00000002.222197026.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.222206325.0000000000E8A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.222208904.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e80000_CertMgr.jbxd

Similarity

API ID: __wgetmainargs
String ID:
API String ID: 1709950718-0
Opcode ID: 4cbd19b71c6cb2bb1f3a7814cd150a4c879cfbc0c405cd983b155b15ef1733cd
Instruction ID: bde925f878d4f3081130530653d280889e6712f97883a19e9e8d13ae2327b99a
Opcode Fuzzy Hash: 4cbd19b71c6cb2bb1f3a7814cd150a4c879cfbc0c405cd983b155b15ef1733cd
Instruction Fuzzy Hash: 83D0927068A300BEB612AF56BC069113A60A7C870034FA077F60C72161D26020588B13

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00E857BD, Relevance: 59.9, APIs: 2, Strings: 32, Instructions: 441
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

printf.MSVCRT ref: 00E8580B
printf.MSVCRT ref: 00E85828

Part of subcall function 00E854FA: printf.MSVCRT ref: 00E85596

Strings

2.5.4.3, xrefs: 00E85B04
2.5.29.1, xrefs: 00E8588A
2.16.840.1.113730.1.8, xrefs: 00E85C3E
2.5.29.2, xrefs: 00E8591C
1.3.6.1.4.1.311.2.1.27, xrefs: 00E85ABE
2.16.840.1.113730.1.7, xrefs: 00E85C1E
2.5.29.31, xrefs: 00E858D1
1.3.6.1.4.1.311.2.1.10, xrefs: 00E85A9B
2.5.29.18, xrefs: 00E8599F
2.5.29.15, xrefs: 00E85A2D
2.5.29.14, xrefs: 00E858F4
2.5.29.35, xrefs: 00E858AE
2.5.29.21, xrefs: 00E85B6D
1.3.6.1.4.1.311.10.2, xrefs: 00E859BF
2.16.840.1.113730.1.12, xrefs: 00E85C5E
1.3.6.1.4.1.311.2.1.26, xrefs: 00E85AE1
, xrefs: 00E85869, 00E85CAD
2.5.29.37, xrefs: 00E85B27
2.5.29.8, xrefs: 00E8595F
2.16.840.1.113730.1.1, xrefs: 00E85B90
2.5.29.4, xrefs: 00E859E7
2.5.29.10, xrefs: 00E85A0A
1.2.840.113549.1.9.15, xrefs: 00E85B4A
2.16.840.1.113730.1.3, xrefs: 00E85BDB
2.5.29.19, xrefs: 00E85A50
2.5.29.32, xrefs: 00E85A73
2.16.840.1.113730.1.4, xrefs: 00E85BFE
<NULL>, xrefs: 00E857EC, 00E85832
2.5.29.17, xrefs: 00E8597F
2.16.840.1.113730.1.2, xrefs: 00E85BB8
2.5.29.7, xrefs: 00E8593F
2.16.840.1.113730.1.13, xrefs: 00E85C80

Memory Dump Source

Source File: 00000001.00000002.222199983.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000001.00000002.222197026.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.222206325.0000000000E8A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.222208904.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e80000_CertMgr.jbxd

Similarity

API ID: printf
String ID: $1.2.840.113549.1.9.15$1.3.6.1.4.1.311.10.2$1.3.6.1.4.1.311.2.1.10$1.3.6.1.4.1.311.2.1.26$1.3.6.1.4.1.311.2.1.27$2.16.840.1.113730.1.1$2.16.840.1.113730.1.12$2.16.840.1.113730.1.13$2.16.840.1.113730.1.2$2.16.840.1.113730.1.3$2.16.840.1.113730.1.4$2.16.840.1.113730.1.7$2.16.840.1.113730.1.8$2.5.29.1$2.5.29.10$2.5.29.14$2.5.29.15$2.5.29.17$2.5.29.18$2.5.29.19$2.5.29.2$2.5.29.21$2.5.29.31$2.5.29.32$2.5.29.35$2.5.29.37$2.5.29.4$2.5.29.7$2.5.29.8$2.5.4.3$<NULL>
API String ID: 3524737521-359703846
Opcode ID: 09fc43b3d6f07b34489eeaad5d44a4ecb372cc2fcf6309be41639a6a50bdad1d
Instruction ID: de577f7e3b6d41593fe80547a07d6205bf634b59d584df06743396d9832ed5c1
Opcode Fuzzy Hash: 09fc43b3d6f07b34489eeaad5d44a4ecb372cc2fcf6309be41639a6a50bdad1d
Instruction Fuzzy Hash: 0BE18533604608FBEF15BE918D41DA57B67EB84320F2CD195FA0C3E1A6DB728C52AB51

Uniqueness

Uniqueness Score: -1.00%

Function 00E85CD6, Relevance: 35.5, APIs: 15, Strings: 5, Instructions: 493
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00E85CD6(void* __edx, void* __eflags, intOrPtr _a4, signed int _a8) {
				signed int _v8;
				char _v28;
				char* _v32;
				void* _v36;
				long* _v40;
				char _v44;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t123;
				void* _t159;
				char* _t171;
				int _t174;
				void* _t179;
				intOrPtr _t188;
				intOrPtr* _t256;
				char* _t257;
				intOrPtr* _t258;
				void* _t261;
				void* _t263;
				void* _t304;
				void* _t305;
				intOrPtr* _t306;
				signed int _t308;
				char* _t309;
				signed int _t311;
				void* _t312;
				void* _t314;
				void* _t315;
				void* _t316;
				void* _t317;

				_t304 = __edx;
				_t123 =  *0xe8a078; // 0xa9659deb
				_v8 = _t123 ^ _t311;
				_v40 = _v40 & 0x00000000;
				_t310 = _a4;
				_t256 = 0x14;
				_push(0x1b5c);
				_push( *0xe8a7f8);
				_v36 = _t256;
				E00E88F8E();
				_pop(_t261);
				L00E84254(_t261, _t305,  *((intOrPtr*)( *((intOrPtr*)(_t310 + 0xc)) + 0x34)),  *((intOrPtr*)( *((intOrPtr*)(_t310 + 0xc)) + 0x30)), _a8);
				_push(0x1b5d);
				_push( *0xe8a7f8);
				E00E88F8E();
				_pop(_t263);
				L00E84254(_t263, _t305,  *((intOrPtr*)( *((intOrPtr*)(_t310 + 0xc)) + 0x1c)),  *((intOrPtr*)( *((intOrPtr*)(_t310 + 0xc)) + 0x18)), _a8);
				E00E88F8E();
				E00E883AA( *((intOrPtr*)(_t310 + 0xc)) + 4);
				printf("\n");
				_t306 = __imp__CertGetCertificateContextProperty;
				 *_t306(_t310, 3,  &_v28,  &_v36,  *0xe8a7f8, 0x1b5e);
				E00E8297C("SHA1",  &_v28, _v36);
				_v36 = _t256;
				 *_t306(_t310, 4,  &_v28,  &_v36);
				E00E8297C("MD5",  &_v28, _v36);
				CryptAcquireContextA( &_v40, 0, 0, 1, 0);
				if(_v40 != 0) {
					_v36 = _t256;
					__imp__CryptHashPublicKeyInfo(0x8003, 0,  *0xe8a064,  *((intOrPtr*)(_t310 + 0xc)) + 0x38,  &_v28,  &_v36);
					E00E88F8E( *0xe8a7f8, 0x1b5f, _v40);
					E00E8297C("MD5",  &_v28, _v36);
					CryptReleaseContext(_v40, 0);
				}
				_v32 = _v32 & 0x00000000;
				 *_t306(_t310, 2, 0,  &_v32);
				if(_v32 == 0) {
					L17:
					E00E88F8E( *0xe8a7f8, 0x1b66, E00E83E22(_t304, _t306,  *((intOrPtr*)(_t310 + 0xc)) + 0x20));
					_t159 = E00E88F8E( *0xe8a7f8, 0x1b67, E00E83E22(_t304, _t306,  *((intOrPtr*)(_t310 + 0xc)) + 0x28));
					_t314 = _t312 + 0x18;
					_t308 = _a8 & 0x00010000;
					if(_t308 != 0) {
						E00E83FFA(_t159, _t310, _a8);
					}
					if(_t308 == 0) {
						L54:
						return E00E886C7(1, _t256, _v8 ^ _t311, _t304, _t308, _t310);
					} else {
						E00E88F8E( *0xe8a7f8, 0x1b68,  *((intOrPtr*)( *((intOrPtr*)(_t310 + 0xc)))));
						_t309 =  *((intOrPtr*)( *((intOrPtr*)(_t310 + 0xc)) + 0xc));
						_t315 = _t314 + 0xc;
						if(_t309 == 0) {
							_t309 = "<NULL>";
						}
						_push(0x1b69);
						_push( *0xe8a7f8);
						_push(E00E83272(E00E88F8E(), _t309, 4));
						_push(_t309);
						_t257 = "%s (%S)\n";
						printf(_t257);
						_t316 = _t315 + 0xc;
						_t308 = L"    ";
						if( *((intOrPtr*)( *((intOrPtr*)(_t310 + 0xc)) + 0x10)) != 0) {
							_push(0x1b6a);
							_push( *0xe8a7f8);
							E00E88F8E();
							E00E828A5(_t308,  *((intOrPtr*)( *((intOrPtr*)(_t310 + 0xc)) + 0x14)),  *((intOrPtr*)( *((intOrPtr*)(_t310 + 0xc)) + 0x10)));
						}
						_t171 =  *((intOrPtr*)( *((intOrPtr*)(_t310 + 0xc)) + 0x38));
						_v32 = _t171;
						if(_t171 == 0) {
							_v32 = "<NULL>";
						}
						_push(0x1b6b);
						_push( *0xe8a7f8);
						_push(E00E83272(E00E88F8E(), _v32, 3));
						_push(_v32);
						_t174 = printf(_t257);
						_t317 = _t316 + 0xc;
						_v32 = E00E881A9(_t174, _v32, 3);
						if( *((intOrPtr*)( *((intOrPtr*)(_t310 + 0xc)) + 0x3c)) != 0) {
							_push(0x1b6c);
							_push( *0xe8a7f8);
							E00E88F8E();
							E00E828A5(_t308,  *((intOrPtr*)( *((intOrPtr*)(_t310 + 0xc)) + 0x40)),  *((intOrPtr*)( *((intOrPtr*)(_t310 + 0xc)) + 0x3c)));
							if(_v32 == 0x2200) {
								_t259 = E00E882C8( &_v44, 0x27,  *((intOrPtr*)( *((intOrPtr*)(_t310 + 0xc)) + 0x40)),  *((intOrPtr*)( *((intOrPtr*)(_t310 + 0xc)) + 0x3c)),  &_v44);
								if(_t219 != 0) {
									E00E88F8E( *0xe8a7f8, 0x1b6d,  *_t259);
									E00E88F8E( *0xe8a7f8, 0x1b6e,  *_t259 << 3);
									_t317 = _t317 + 0x18;
									E00E828A5(_t308, _t259[1],  *_t259);
									_push(0x1b6f);
									E00E88F8E();
									E00E828A5(_t308, _t259[3], _t259[2]);
									E00E88F8E( *0xe8a7f8, 0x1b70,  *0xe8a7f8);
									E00E88F35(E00E828A5(_t308, _t259[5], _t259[4]), _t259);
								}
							}
						}
						E00E88F8E();
						_t179 =  *((intOrPtr*)(_t310 + 0xc)) + 0x38;
						__imp__CertGetPublicKeyLength( *0xe8a064, _t179,  *0xe8a7f8, 0x1b71);
						if(_t179 != 0) {
							E00E88F8E( *0xe8a7f8, 0x1b72, _t179);
							_t317 = _t317 + 0xc;
						}
						_t181 =  *((intOrPtr*)( *((intOrPtr*)(_t310 + 0xc)) + 0x4c));
						if( *((intOrPtr*)( *((intOrPtr*)(_t310 + 0xc)) + 0x4c)) != 0) {
							E00E88F8E( *0xe8a7f8, 0x1b73, _t181);
							_t317 = _t317 + 0xc;
						}
						printf("\n");
						_t183 =  *((intOrPtr*)(_t310 + 0xc));
						if( *((intOrPtr*)( *((intOrPtr*)(_t310 + 0xc)) + 0x44)) == 0) {
							_push(0x1b76);
							_push( *0xe8a7f8);
							E00E88F8E();
							goto L44;
						} else {
							E00E828A5(_t308,  *((intOrPtr*)(_t183 + 0x48)),  *((intOrPtr*)(_t183 + 0x44)));
							if(_v32 == 0x2400 || _v32 == 0xa400) {
								_push(0x1b74);
								_push( *0xe8a7f8);
								E00E88F8E();
								_t258 = E00E882C8( &_v32, 0x13,  *((intOrPtr*)( *((intOrPtr*)(_t310 + 0xc)) + 0x48)),  *((intOrPtr*)( *((intOrPtr*)(_t310 + 0xc)) + 0x44)),  &_v32);
								if(_t258 == 0) {
									goto L44;
								}
								_push(_v32);
								_push(_t258);
								goto L40;
							} else {
								if(_v32 != 0x2200) {
									L44:
									_push(_a8);
									E00E840DE( *((intOrPtr*)(_t310 + 4)),  *((intOrPtr*)(_t310 + 8)));
									_t256 = 0;
									if( *((intOrPtr*)( *((intOrPtr*)(_t310 + 0xc)) + 0x50)) != 0) {
										_push(0x1b77);
										_push( *0xe8a7f8);
										E00E88F8E();
										_t199 =  *((intOrPtr*)( *((intOrPtr*)(_t310 + 0xc)) + 0x58));
										if( *((intOrPtr*)( *((intOrPtr*)(_t310 + 0xc)) + 0x58)) != 0) {
											E00E88F8E( *0xe8a7f8, 0x1b73, _t199);
											_t317 = _t317 + 0xc;
										}
										printf("\n");
										E00E828A5(_t308,  *((intOrPtr*)( *((intOrPtr*)(_t310 + 0xc)) + 0x54)),  *((intOrPtr*)( *((intOrPtr*)(_t310 + 0xc)) + 0x50)));
									}
									if( *((intOrPtr*)( *((intOrPtr*)(_t310 + 0xc)) + 0x5c)) != _t256) {
										_push(0x1b78);
										_push( *0xe8a7f8);
										E00E88F8E();
										_t192 =  *((intOrPtr*)( *((intOrPtr*)(_t310 + 0xc)) + 0x64));
										if( *((intOrPtr*)( *((intOrPtr*)(_t310 + 0xc)) + 0x64)) != _t256) {
											E00E88F8E( *0xe8a7f8, 0x1b73, _t192);
										}
										printf("\n");
										E00E828A5(_t308,  *((intOrPtr*)( *((intOrPtr*)(_t310 + 0xc)) + 0x60)),  *((intOrPtr*)( *((intOrPtr*)(_t310 + 0xc)) + 0x5c)));
									}
									_t188 =  *((intOrPtr*)(_t310 + 0xc));
									if( *((intOrPtr*)(_t188 + 0x68)) != _t256) {
										_t310 = _t188;
										E00E857BD( *((intOrPtr*)(_t188 + 0x68)),  *((intOrPtr*)(_t188 + 0x6c)), _a8);
									}
									goto L54;
								}
								_push(0x1b75);
								_push( *0xe8a7f8);
								E00E88F8E();
								_t258 = E00E882C8( &_v44, 0x26,  *((intOrPtr*)( *((intOrPtr*)(_t310 + 0xc)) + 0x48)),  *((intOrPtr*)( *((intOrPtr*)(_t310 + 0xc)) + 0x44)),  &_v44);
								if(_t258 == 0) {
									goto L44;
								}
								_push( *_t258);
								_push( *((intOrPtr*)(_t258 + 4)));
								L40:
								_push(_t308);
								E00E88F35(E00E828A5(), _t258);
								goto L44;
							}
						}
					}
				}
				_t256 = E00E89241(_v32, 0, 0);
				if(_t256 == 0) {
					goto L17;
				}
				_push( &_v32);
				_push(_t256);
				_push(2);
				_push(_t310);
				if( *_t306() == 0) {
					L16:
					E00E88F35(_t235, _t256);
					goto L17;
				}
				E00E88F8E( *0xe8a7f8, 0x1b60,  *((intOrPtr*)(_t256 + 8)));
				_t238 =  *((intOrPtr*)(_t256 + 4));
				_t312 = _t312 + 0xc;
				if( *((intOrPtr*)(_t256 + 4)) != 0) {
					E00E88F8E( *0xe8a7f8, 0x1b61, _t238);
					_t312 = _t312 + 0xc;
				}
				_t239 =  *((intOrPtr*)(_t256 + 0xc));
				if( *((intOrPtr*)(_t256 + 0xc)) != 0) {
					E00E88F8E( *0xe8a7f8, 0x1b62, _t239);
					_t312 = _t312 + 0xc;
				}
				_t240 =  *_t256;
				if( *_t256 != 0) {
					E00E88F8E( *0xe8a7f8, 0x1b63, _t240);
					_t312 = _t312 + 0xc;
				}
				_t241 =  *((intOrPtr*)(_t256 + 0x10));
				if( *((intOrPtr*)(_t256 + 0x10)) != 0) {
					E00E88F8E( *0xe8a7f8, 0x1bc2, _t241);
					_t312 = _t312 + 0xc;
				}
				_t242 =  *((intOrPtr*)(_t256 + 0x18));
				if( *((intOrPtr*)(_t256 + 0x18)) != 0) {
					E00E88F8E( *0xe8a7f8, 0x1b65, _t242);
					_t312 = _t312 + 0xc;
				}
				_t235 = printf("\n");
				goto L16;
			}

0x00e85cd6
0x00e85cde
0x00e85ce5
0x00e85ce8
0x00e85cee
0x00e85cf4
0x00e85cf5
0x00e85cfa
0x00e85d00
0x00e85d03
0x00e85d0c
0x00e85d16
0x00e85d1b
0x00e85d20
0x00e85d26
0x00e85d2f
0x00e85d39
0x00e85d49
0x00e85d57
0x00e85d61
0x00e85d67
0x00e85d79
0x00e85d87
0x00e85d97
0x00e85d9a
0x00e85da8
0x00e85db8
0x00e85dc2
0x00e85dd9
0x00e85de6
0x00e85df7
0x00e85e0a
0x00e85e14
0x00e85e14
0x00e85e1a
0x00e85e27
0x00e85e2e
0x00e85f08
0x00e85f20
0x00e85f40
0x00e85f48
0x00e85f4b
0x00e85f51
0x00e85f57
0x00e85f57
0x00e85f5e
0x00e862ee
0x00e862ff
0x00e85f64
0x00e85f74
0x00e85f7c
0x00e85f7f
0x00e85f84
0x00e85f86
0x00e85f86
0x00e85f8b
0x00e85f90
0x00e85fa5
0x00e85fa6
0x00e85fa7
0x00e85fad
0x00e85fb6
0x00e85fbd
0x00e85fc2
0x00e85fc4
0x00e85fc9
0x00e85fcf
0x00e85fe0
0x00e85fe0
0x00e85fe8
0x00e85feb
0x00e85ff0
0x00e85ff2
0x00e85ff2
0x00e85ff9
0x00e85ffe
0x00e86015
0x00e86016
0x00e8601a
0x00e86020
0x00e8602d
0x00e86037
0x00e8603d
0x00e86042
0x00e86048
0x00e86059
0x00e86065
0x00e8607f
0x00e86083
0x00e86099
0x00e860a9
0x00e860ae
0x00e860b7
0x00e860bc
0x00e860c7
0x00e860d5
0x00e860e5
0x00e860f9
0x00e860f9
0x00e86083
0x00e86065
0x00e86109
0x00e86113
0x00e8611d
0x00e86125
0x00e86133
0x00e86138
0x00e86138
0x00e8613e
0x00e86143
0x00e86151
0x00e86156
0x00e86156
0x00e8615e
0x00e86164
0x00e8616c
0x00e8620e
0x00e86213
0x00e86219
0x00000000
0x00e86172
0x00e86179
0x00e86185
0x00e861dc
0x00e861e1
0x00e861e7
0x00e86202
0x00e86206
0x00000000
0x00000000
0x00e86208
0x00e8620b
0x00000000
0x00e86190
0x00e86197
0x00e86220
0x00e86220
0x00e86229
0x00e86231
0x00e86236
0x00e86238
0x00e8623d
0x00e86243
0x00e8624b
0x00e86252
0x00e86260
0x00e86265
0x00e86265
0x00e8626d
0x00e8627e
0x00e8627e
0x00e86289
0x00e8628b
0x00e86290
0x00e86296
0x00e8629e
0x00e862a5
0x00e862b3
0x00e862b8
0x00e862c0
0x00e862d1
0x00e862d1
0x00e862d6
0x00e862dc
0x00e862e1
0x00e862e9
0x00e862e9
0x00000000
0x00e862dc
0x00e8619d
0x00e861a2
0x00e861a8
0x00e861c3
0x00e861c7
0x00000000
0x00000000
0x00e861c9
0x00e861cb
0x00e861ce
0x00e861ce
0x00e861d5
0x00000000
0x00e861d5
0x00e86185
0x00e8616c
0x00e85f5e
0x00e85e3e
0x00e85e42
0x00000000
0x00000000
0x00e85e4b
0x00e85e4c
0x00e85e4d
0x00e85e4f
0x00e85e54
0x00e85f02
0x00e85f03
0x00000000
0x00e85f03
0x00e85e68
0x00e85e6d
0x00e85e70
0x00e85e75
0x00e85e83
0x00e85e88
0x00e85e88
0x00e85e8b
0x00e85e90
0x00e85e9e
0x00e85ea3
0x00e85ea3
0x00e85ea6
0x00e85eaa
0x00e85eb8
0x00e85ebd
0x00e85ebd
0x00e85ec0
0x00e85ec5
0x00e85ed3
0x00e85ed8
0x00e85ed8
0x00e85edb
0x00e85ee0
0x00e85eee
0x00e85ef3
0x00e85ef3
0x00e85efb
0x00000000

APIs

Part of subcall function 00E88F8E: LoadStringW.USER32(?,00E81A8A,CertMgr Succeeded,00000000), ref: 00E88FA6
Part of subcall function 00E88F8E: vwprintf.MSVCRT ref: 00E88FB1

printf.MSVCRT ref: 00E85D61
CertGetCertificateContextProperty.CRYPT32(?,00000003,?,?), ref: 00E85D79

Part of subcall function 00E8297C: printf.MSVCRT ref: 00E829B0
Part of subcall function 00E8297C: printf.MSVCRT ref: 00E829F0

CertGetCertificateContextProperty.CRYPT32(?,00000004,?,?), ref: 00E85D9A

Part of subcall function 00E8297C: printf.MSVCRT ref: 00E829E3

CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,00000000), ref: 00E85DB8
CryptHashPublicKeyInfo.CRYPT32(00000000,00008003,00000000,?,?,?), ref: 00E85DE6

Part of subcall function 00E8297C: printf.MSVCRT ref: 00E829D2

CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 00E85E14
CertGetCertificateContextProperty.CRYPT32(?,00000002,00000000,00000000), ref: 00E85E27
CertGetCertificateContextProperty.CRYPT32(?,00000002,00000000,00000000), ref: 00E85E50
printf.MSVCRT ref: 00E85EFB
printf.MSVCRT ref: 00E85FAD
CertGetPublicKeyLength.CRYPT32(?,00000003), ref: 00E8611D
printf.MSVCRT ref: 00E8615E
printf.MSVCRT ref: 00E8626D
printf.MSVCRT ref: 00E862C0

Part of subcall function 00E882C8: CryptDecodeObject.CRYPT32(00010001,?,?,?,00000001,00000000,?), ref: 00E882FF
Part of subcall function 00E882C8: CryptDecodeObject.CRYPT32(00010001,?,?,?,00000001,00000000,12345678), ref: 00E8832B

printf.MSVCRT ref: 00E8601A

Part of subcall function 00E828A5: wprintf.MSVCRT ref: 00E828E2
Part of subcall function 00E828A5: wprintf.MSVCRT ref: 00E82907
Part of subcall function 00E828A5: wprintf.MSVCRT ref: 00E8291E
Part of subcall function 00E828A5: wprintf.MSVCRT ref: 00E82929
Part of subcall function 00E828A5: wprintf.MSVCRT ref: 00E82949
Part of subcall function 00E828A5: wprintf.MSVCRT ref: 00E82963

Part of subcall function 00E88F35: free.MSVCRT(00000000,?,00E892E1,00E81A8A,?,00000000,?,?,00E81A8A), ref: 00E88F43

Strings

SHA1, xrefs: 00E85D82
%s (%S), xrefs: 00E85FA7, 00E85FAC, 00E86019
<NULL>, xrefs: 00E85F86, 00E85F9F, 00E85FA6, 00E85FF2
MD5, xrefs: 00E85DA3, 00E85E05
, xrefs: 00E85FBD, 00E85FDF, 00E86058, 00E860B6, 00E860D4, 00E860F2, 00E86178, 00E861CE, 00E8627D, 00E862D0

Memory Dump Source

Source File: 00000001.00000002.222199983.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000001.00000002.222197026.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.222206325.0000000000E8A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.222208904.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e80000_CertMgr.jbxd

Similarity

API ID: printf$Contextwprintf$CertCrypt$CertificateProperty$DecodeObjectPublic$AcquireHashInfoLengthLoadReleaseStringfreevwprintf
String ID: $%s (%S)$<NULL>$MD5$SHA1
API String ID: 938926514-2100278587
Opcode ID: 96e3eaedc9a7eeab0c6c88c74ae20032f4b29a89ea64df88316c03e76edcf909
Instruction ID: 51b99e0d7370bf91866916d3a65f7fb09aa88702aa1bf962f8e2cc5a915b8a4d
Opcode Fuzzy Hash: 96e3eaedc9a7eeab0c6c88c74ae20032f4b29a89ea64df88316c03e76edcf909
Instruction Fuzzy Hash: 56F18132600205EFEB117F50DC46EAE77FAFB04310B08606AFA1D7A1B2EB76D9559B11

Uniqueness

Uniqueness Score: -1.00%

Function 00E81A5B, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190
encryptionstringCOMMON

Download Yara Rule

C-Code - Quality: 17%

			E00E81A5B(void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				char* _v8;
				char* _v12;
				char* _v16;
				char* _v20;
				char _v24;
				char* _v28;
				char* _v32;
				intOrPtr _v36;
				char _v40;
				char* _t71;
				char* _t80;
				char _t82;
				char* _t84;
				intOrPtr* _t86;
				signed int _t88;
				char* _t89;
				char* _t90;
				char* _t94;
				intOrPtr* _t96;
				signed int* _t97;
				signed int _t98;
				intOrPtr* _t99;

				_v32 = 0;
				_v28 = 0;
				_v24 = 0;
				_v16 = 0;
				_v12 = 0;
				_v20 = 0;
				_v8 = 0;
				if(E00E89279( *0xe8a824,  &_v16) == 0) {
					_t84 = ",";
					if(strtok(_v16, _t84) == 0) {
						L5:
						_push(2);
						_t58 = 0;
						asm("repe cmpsb");
						if(0 != 0) {
							asm("sbb eax, eax");
							asm("sbb eax, 0xffffffff");
						}
						if(_t58 != 0) {
							L27:
							if(_v16 != 0) {
								_t58 = E00E88F35(_t58, _v16);
							}
							_t94 = _v20;
							if(_t94 != 0) {
								_t61 =  *((intOrPtr*)(_t94 + 4));
								if( *((intOrPtr*)(_t94 + 4)) != 0) {
									_t61 = E00E88F35(_t61, _t61);
								}
								_t58 = E00E88F35(_t61, _t94);
							}
							if(_v28 != 0) {
								E00E88F35(_t58, _v28);
							}
							if(_v8 != 0) {
								__imp__CertFreeCertificateContext(_v8);
							}
							return _v32;
						} else {
							L20:
							_t86 = __imp__CertEnumCertificatesInStore;
							_t58 =  *_t86(_a4, 0);
							_v8 = _t58;
							if(_t58 == 0) {
								L26:
								_v32 = 1;
								goto L27;
							}
							_t96 = __imp__CertSetCertificateContextProperty;
							while(1) {
								_push(0);
								_push(0);
								_push(9);
								_push(_v8);
								if( *_t96() == 0) {
									goto L27;
								}
								if(_v12 == 0) {
									L25:
									_t58 =  *_t86(_a4, _v8);
									_v8 = _t58;
									if(_t58 != 0) {
										continue;
									}
									goto L26;
								}
								_v40 = _v24;
								_v36 = _v28;
								_push( &_v40);
								_push(0);
								_push(9);
								_push(_v8);
								if( *_t96() == 0) {
									goto L27;
								}
								goto L25;
							}
							goto L27;
						}
					} else {
						goto L3;
					}
					do {
						L3:
						_v12 =  &(_v12[1]);
					} while (strtok(0, _t84) != 0);
					if(_v12 != 0) {
						_t97 = E00E89241(8, 0, 0);
						_v20 = _t97;
						if(_t97 == 0) {
							goto L27;
						}
						_t58 = 0;
						asm("stosd");
						asm("stosd");
						_t88 = _v12;
						if(_t88 <= 0x1fffffff) {
							 *_t97 = _t88;
							_t58 = E00E89241(_t88 << 2, 0, 0);
							_t97[1] = 0;
							if(0 == 0) {
								goto L27;
							}
							_t80 = _v16;
							_t98 = 0;
							if(_t88 <= 0) {
								L17:
								_t99 = __imp__CryptEncodeObject;
								_push( &_v24);
								_push(0);
								_push(_v20);
								_t89 = "2.5.29.37";
								_push(_t89);
								_push(1);
								if( *_t99() == 0) {
									goto L27;
								}
								_t58 = E00E89241(_v24, 0, 0);
								_v28 = _t58;
								if(_t58 == 0) {
									goto L27;
								}
								_push( &_v24);
								_push(_t58);
								_push(_v20);
								_push(_t89);
								_push(1);
								if( *_t99() == 0) {
									goto L27;
								}
								goto L20;
							} else {
								goto L14;
							}
							do {
								L14:
								 *(_v20[1] + _t98 * 4) = _t80;
								_t71 = _t80;
								_t90 =  &(_t71[1]);
								do {
									_t82 =  *_t71;
									_t71 =  &(_t71[1]);
								} while (_t82 != 0);
								_t98 = _t98 + 1;
								_t80 =  &(_t80[_t71 - _t90 + 1]);
							} while (_t98 < _v12);
							goto L17;
						}
						SetLastError(0x80070057);
						goto L27;
					}
					goto L5;
				}
				return 0;
			}

0x00e81a70
0x00e81a73
0x00e81a76
0x00e81a79
0x00e81a7c
0x00e81a7f
0x00e81a82
0x00e81a8c
0x00e81a9d
0x00e81aac
0x00e81ac0
0x00e81ac3
0x00e81ac6
0x00e81ac8
0x00e81aca
0x00e81acc
0x00e81ace
0x00e81ace
0x00e81ad3
0x00e81bf4
0x00e81bf7
0x00e81bfc
0x00e81bfc
0x00e81c01
0x00e81c06
0x00e81c08
0x00e81c0d
0x00e81c10
0x00e81c10
0x00e81c16
0x00e81c16
0x00e81c20
0x00e81c25
0x00e81c25
0x00e81c2d
0x00e81c32
0x00e81c32
0x00000000
0x00e81ad9
0x00e81b97
0x00e81b97
0x00e81ba1
0x00e81ba3
0x00e81ba8
0x00e81bed
0x00e81bed
0x00000000
0x00e81bed
0x00e81baa
0x00e81bb0
0x00e81bb0
0x00e81bb1
0x00e81bb2
0x00e81bb4
0x00e81bbb
0x00000000
0x00000000
0x00e81bc0
0x00e81bde
0x00e81be4
0x00e81be6
0x00e81beb
0x00000000
0x00000000
0x00000000
0x00e81beb
0x00e81bc5
0x00e81bcb
0x00e81bd1
0x00e81bd2
0x00e81bd3
0x00e81bd5
0x00e81bdc
0x00000000
0x00000000
0x00000000
0x00e81bdc
0x00000000
0x00e81bb0
0x00000000
0x00000000
0x00000000
0x00e81aae
0x00e81aae
0x00e81aae
0x00e81ab7
0x00e81abe
0x00e81ae7
0x00e81ae9
0x00e81aee
0x00000000
0x00000000
0x00e81af4
0x00e81af8
0x00e81af9
0x00e81afa
0x00e81b03
0x00e81b1d
0x00e81b1f
0x00e81b24
0x00e81b29
0x00000000
0x00000000
0x00e81b2f
0x00e81b32
0x00e81b36
0x00e81b59
0x00e81b59
0x00e81b62
0x00e81b63
0x00e81b64
0x00e81b67
0x00e81b6c
0x00e81b6d
0x00e81b73
0x00000000
0x00000000
0x00e81b7a
0x00e81b7f
0x00e81b84
0x00000000
0x00000000
0x00e81b89
0x00e81b8a
0x00e81b8b
0x00e81b8e
0x00e81b8f
0x00e81b95
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00e81b38
0x00e81b38
0x00e81b3e
0x00e81b41
0x00e81b43
0x00e81b46
0x00e81b46
0x00e81b48
0x00e81b49
0x00e81b4f
0x00e81b50
0x00e81b54
0x00000000
0x00e81b38
0x00e81b0a
0x00000000
0x00e81b0a
0x00000000
0x00e81abe
0x00000000

APIs

strtok.MSVCRT ref: 00E81AA6
strtok.MSVCRT ref: 00E81AB3
CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 00E81BA1
CertSetCertificateContextProperty.CRYPT32(?,00000009,00000000,00000000), ref: 00E81BB7
CertSetCertificateContextProperty.CRYPT32(?,00000009,00000000,?), ref: 00E81BD8
CertEnumCertificatesInStore.CRYPT32(?,?), ref: 00E81BE4
CertFreeCertificateContext.CRYPT32(?), ref: 00E81C32

Strings

2.5.29.37, xrefs: 00E81B67, 00E81B6C, 00E81B8E

Memory Dump Source

Source File: 00000001.00000002.222199983.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000001.00000002.222197026.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.222206325.0000000000E8A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.222208904.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e80000_CertMgr.jbxd

Similarity

API ID: Cert$CertificateContext$CertificatesEnumPropertyStorestrtok$Free
String ID: 2.5.29.37
API String ID: 2615395459-3842544949
Opcode ID: 4fda46c48c087d82cac8a64e1509a8652fe2e5c65c5d69f4451a418d6aded136
Instruction ID: f35eac01ef31b27f7e5dcb5ea9744953fc627d0f0d609428623a02cf4df17774
Opcode Fuzzy Hash: 4fda46c48c087d82cac8a64e1509a8652fe2e5c65c5d69f4451a418d6aded136
Instruction Fuzzy Hash: 81518E72D0015AEFDF20AFA5CD809EEBBBDEB48314F1450A9E51DB3150E7319E428BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E8644E, Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 205
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 32%

			E00E8644E(void* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v8;
				char _v12;
				void* _v16;
				char _v20;
				char* _v24;
				void* __ebx;
				void* __esi;
				char* _t50;
				char* _t58;
				void* _t82;
				int _t84;
				void* _t96;
				void* _t97;
				void* _t110;
				char* _t111;
				char* _t112;
				char* _t113;
				void* _t116;
				intOrPtr* _t117;
				intOrPtr* _t118;
				void* _t119;
				void* _t120;
				void* _t121;

				_t110 = __edx;
				_t111 = 0;
				_v24 = 0;
				_v16 = 0;
				_v8 = 0;
				if(_a4 != 0) {
					_t50 =  &_v16;
					_v12 = 4;
					__imp__CryptMsgGetParam(_a4, 5, 0, _t50,  &_v12);
					__eflags = _t50;
					if(_t50 != 0) {
						__eflags = _v16;
						if(_v16 != 0) {
							_v8 = 0;
							__eflags = _v16;
							if(_v16 <= 0) {
								L24:
								_v24 = 1;
								L25:
								return _v24;
							}
							_t96 = printf;
							while(1) {
								E00E88F8E( *0xe8a7f8, 0x1b8b, _v8 + 1);
								_t120 = _t119 + 0xc;
								_t116 = E00E881D0(_t97, _a4, 6, _v8,  &_v12);
								__eflags = _t116 - _t111;
								if(_t116 != _t111) {
									_t112 =  *((intOrPtr*)(_t116 + 0x14));
									__eflags = _t112;
									if(_t112 == 0) {
										_t112 = "<NULL>";
									}
									_push(0x1c15);
									_push( *0xe8a7f8);
									_push(E00E83272(E00E88F8E(), _t112, 1));
									_push(_t112);
									printf("%s (%S)\n");
									_t121 = _t120 + 0xc;
									__eflags =  *((intOrPtr*)(_t116 + 0x18));
									if( *((intOrPtr*)(_t116 + 0x18)) != 0) {
										_push(0x1c16);
										_push( *0xe8a7f8);
										E00E88F8E();
										E00E828A5(L"    ",  *((intOrPtr*)(_t116 + 0x1c)),  *((intOrPtr*)(_t116 + 0x18)));
									}
									_t113 =  *((intOrPtr*)(_t116 + 0x20));
									__eflags = _t113;
									if(_t113 == 0) {
										_t113 = "<NULL>";
									}
									_push(0x1c17);
									_push( *0xe8a7f8);
									_t82 = E00E88F8E();
									_pop(_t97);
									_push(E00E83272(_t82, _t113, 4));
									_push(_t113);
									_t84 = printf("%s (%S)\n");
									_t120 = _t121 + 0xc;
									__eflags =  *((intOrPtr*)(_t116 + 0x24));
									if( *((intOrPtr*)(_t116 + 0x24)) != 0) {
										_push(0x1c18);
										_push( *0xe8a7f8);
										E00E88F8E();
										_pop(_t97);
										_t84 = E00E828A5(L"    ",  *((intOrPtr*)(_t116 + 0x28)),  *((intOrPtr*)(_t116 + 0x24)));
									}
									E00E88F35(_t84, _t116);
									_t111 = 0;
									__eflags = 0;
								}
								_t58 =  &_v20;
								__imp__CryptMsgGetAndVerifySigner(_a4, _t111, _t111, 4, _t58,  &_v8);
								__eflags = _t58;
								if(__eflags == 0) {
									break;
								}
								E00E88F8E( *0xe8a7f8, 0x1c19, _v8 + 1);
								_t119 = _t120 + 0xc;
								E00E85CD6(_t110, __eflags, _v20, _a8);
								__imp__CertFreeCertificateContext(_v20);
								_t117 = E00E881D0(_t97, _a4, 9, _v8,  &_v12);
								__eflags = _t117 - _t111;
								if(_t117 != _t111) {
									_t75 = _v8 + 1;
									__eflags = _v8 + 1;
									E00E88F8E( *0xe8a7f8, 0x1b8c, _t75);
									_t119 = _t119 + 0xc;
									E00E88F35(E00E8560E(_t96, _t110, _t117,  *_t117,  *((intOrPtr*)(_t117 + 4)), _a8), _t117);
								}
								_t118 = E00E881D0(_t97, _a4, 0xa, _v8,  &_v12);
								__eflags = _t118 - _t111;
								if(_t118 != _t111) {
									_t70 = _v8 + 1;
									__eflags = _v8 + 1;
									E00E88F8E( *0xe8a7f8, 0x1b8d, _t70);
									_t119 = _t119 + 0xc;
									E00E88F35(E00E8560E(_t96, _t110, _t118,  *_t118,  *((intOrPtr*)(_t118 + 4)), _a8), _t118);
								}
								_v8 = _v8 + 1;
								__eflags = _v8 - _v16;
								if(_v8 < _v16) {
									continue;
								} else {
									goto L24;
								}
							}
							_push(0x17d3);
							_push( *0xe8a7f8);
							E00E88F8E();
							goto L25;
						}
						_push(0x1b8a);
						_push( *0xe8a7f8);
						E00E88F8E();
						return 1;
					}
					_push(0x17d2);
					_push( *0xe8a7f8);
					E00E88F8E();
				}
				return 0;
			}

0x00e8644e
0x00e86457
0x00e86459
0x00e8645c
0x00e8645f
0x00e86465
0x00e86472
0x00e8647c
0x00e86483
0x00e86489
0x00e8648b
0x00e864a1
0x00e864a4
0x00e864c2
0x00e864c5
0x00e864c8
0x00e8669f
0x00e8669f
0x00e866a6
0x00000000
0x00e866aa
0x00e864ce
0x00e864d4
0x00e864e4
0x00e864e9
0x00e864fd
0x00e864ff
0x00e86501
0x00e86507
0x00e8650a
0x00e8650c
0x00e8650e
0x00e8650e
0x00e86513
0x00e86518
0x00e8652d
0x00e8652e
0x00e86534
0x00e86536
0x00e86539
0x00e8653d
0x00e8653f
0x00e86544
0x00e8654a
0x00e8655c
0x00e8655c
0x00e86561
0x00e86564
0x00e86566
0x00e86568
0x00e86568
0x00e8656d
0x00e86572
0x00e86578
0x00e8657e
0x00e86587
0x00e86588
0x00e8658e
0x00e86590
0x00e86593
0x00e86597
0x00e86599
0x00e8659e
0x00e865a4
0x00e865aa
0x00e865b6
0x00e865b6
0x00e865bc
0x00e865c1
0x00e865c1
0x00e865c1
0x00e865c7
0x00e865d2
0x00e865d8
0x00e865da
0x00000000
0x00000000
0x00e865f0
0x00e865f5
0x00e865fe
0x00e86606
0x00e8661d
0x00e8661f
0x00e86621
0x00e86626
0x00e86626
0x00e86633
0x00e86638
0x00e86649
0x00e86649
0x00e8665f
0x00e86661
0x00e86663
0x00e86668
0x00e86668
0x00e86675
0x00e8667a
0x00e8668b
0x00e8668b
0x00e86690
0x00e86696
0x00e86699
0x00000000
0x00000000
0x00000000
0x00000000
0x00e86699
0x00e866b0
0x00e866b5
0x00e866bb
0x00000000
0x00e866c1
0x00e864a6
0x00e864ab
0x00e864b1
0x00000000
0x00e864ba
0x00e8648d
0x00e86492
0x00e86498
0x00e8649e
0x00000000

APIs

CryptMsgGetParam.CRYPT32(?,00000005,00000000,?,?), ref: 00E86483
printf.MSVCRT ref: 00E86534
printf.MSVCRT ref: 00E8658E
CryptMsgGetAndVerifySigner.CRYPT32(00000004,00000000,00000000,00000004,?,?), ref: 00E865D2

Part of subcall function 00E88F8E: LoadStringW.USER32(?,00E81A8A,CertMgr Succeeded,00000000), ref: 00E88FA6
Part of subcall function 00E88F8E: vwprintf.MSVCRT ref: 00E88FB1

Strings

%s (%S), xrefs: 00E8652F, 00E86589
<NULL>, xrefs: 00E8650E, 00E86527, 00E8652E, 00E86568, 00E86581, 00E86588
, xrefs: 00E86557, 00E865B1

Memory Dump Source

Source File: 00000001.00000002.222199983.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000001.00000002.222197026.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.222206325.0000000000E8A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.222208904.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e80000_CertMgr.jbxd

Similarity

API ID: Cryptprintf$LoadParamSignerStringVerifyvwprintf
String ID: $%s (%S)$<NULL>
API String ID: 4044473539-2923719891
Opcode ID: 5d027fdf7c0e4191239c0f16c5f262f0cafeba001adbf2e3d4bcddaad7f0bb52
Instruction ID: fcf8a38614b0f3f7fab26c02d9d9f3174e8086bfb26a78374c8536e8ff7c5d22
Opcode Fuzzy Hash: 5d027fdf7c0e4191239c0f16c5f262f0cafeba001adbf2e3d4bcddaad7f0bb52
Instruction Fuzzy Hash: 70619431940208FEEB11BF50DD42DAE77FAFB40710F141026FA1D760A1EB729E95AB51

Uniqueness

Uniqueness Score: -1.00%

Function 00E83C7E, Relevance: 13.6, APIs: 9, Instructions: 144encryptionCOMMON

Download Yara Rule

APIs

CryptSIPRetrieveSubjectGuid.CRYPT32(?,00000000,?), ref: 00E83CAE
CryptSIPLoad.CRYPT32(?,00000000,?), ref: 00E83CD5
memset.MSVCRT ref: 00E83CEE

Part of subcall function 00E89241: malloc.MSVCRT ref: 00E8924A

CertOpenStore.CRYPT32(00000005,00000000,00000000,?), ref: 00E83D7E
CryptMsgOpenToDecode.CRYPT32(00000000,?,00000000,00000000,00000000), ref: 00E83DB0
CertCloseStore.CRYPT32(00000000,00000000), ref: 00E83DC1
CryptMsgUpdate.CRYPT32(00000000,?,?,00000001), ref: 00E83DD5
CertCloseStore.CRYPT32(00000000,00000000), ref: 00E83DE1
CryptMsgClose.CRYPT32 ref: 00E83DF0

Memory Dump Source

Source File: 00000001.00000002.222199983.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000001.00000002.222197026.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.222206325.0000000000E8A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.222208904.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e80000_CertMgr.jbxd

Similarity

API ID: Crypt$CertCloseStore$Open$DecodeGuidLoadRetrieveSubjectUpdatemallocmemset
String ID:
API String ID: 2179762507-0
Opcode ID: 860987d99ad7daeecb6e216d10faac33542523010d8a4a1af74dddbe21b513b9
Instruction ID: 3e619172757c701b060c02451a3035f87555cda19fa81f895b5d53b2a41f020e
Opcode Fuzzy Hash: 860987d99ad7daeecb6e216d10faac33542523010d8a4a1af74dddbe21b513b9
Instruction Fuzzy Hash: 76510671901219AFDB21AFA2DD45AEFBFBCEB48754F000026F60DF2151DB349A46DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E88CA1, Relevance: 7.5, APIs: 5, Instructions: 49
timethreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E88CA1() {
				struct _FILETIME _v12;
				signed int _v16;
				union _LARGE_INTEGER _v20;
				signed int _t14;
				signed int _t16;
				signed int _t17;
				signed int _t18;
				signed int _t22;
				signed int _t23;
				signed int _t32;

				_t14 =  *0xe8a078; // 0xa9659deb
				_v12.dwLowDateTime = _v12.dwLowDateTime & 0x00000000;
				_v12.dwHighDateTime = _v12.dwHighDateTime & 0x00000000;
				if(_t14 == 0xbb40e64e || (0xffff0000 & _t14) == 0) {
					GetSystemTimeAsFileTime( &_v12);
					_t16 = GetCurrentProcessId();
					_t17 = GetCurrentThreadId();
					_t18 = GetTickCount();
					QueryPerformanceCounter( &_v20);
					_t22 = _v16 ^ _v20.LowPart;
					_t32 = _v12.dwHighDateTime ^ _v12.dwLowDateTime ^ _t16 ^ _t17 ^ _t18 ^ _t22;
					if(_t32 == 0xbb40e64e || ( *0xe8a078 & 0xffff0000) == 0) {
						_t32 = 0xbb40e64f;
					}
					 *0xe8a078 = _t32;
					 *0xe8a07c =  !_t32;
					return _t22;
				} else {
					_t23 =  !_t14;
					 *0xe8a07c = _t23;
					return _t23;
				}
			}

0x00e88ca9
0x00e88cae
0x00e88cb2
0x00e88cc4
0x00e88cd8
0x00e88ce4
0x00e88cec
0x00e88cf4
0x00e88d00
0x00e88d09
0x00e88d0c
0x00e88d10
0x00e88d1a
0x00e88d1a
0x00e88d1f
0x00e88d27
0x00000000
0x00e88cca
0x00e88cca
0x00e88ccc
0x00000000
0x00e88ccc

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00E88CD8
GetCurrentProcessId.KERNEL32 ref: 00E88CE4
GetCurrentThreadId.KERNEL32 ref: 00E88CEC
GetTickCount.KERNEL32 ref: 00E88CF4
QueryPerformanceCounter.KERNEL32(?), ref: 00E88D00

Memory Dump Source

Source File: 00000001.00000002.222199983.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000001.00000002.222197026.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.222206325.0000000000E8A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.222208904.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e80000_CertMgr.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: c750ddbecd6da2e00a462c0482fc3e42c1baf1d9d7700ad20f5c8bf5b26b333f
Instruction ID: 26cbd4033f5ce11c522588e6f7086e7f9d19561e174db775f6ba2ce049c26cb0
Opcode Fuzzy Hash: c750ddbecd6da2e00a462c0482fc3e42c1baf1d9d7700ad20f5c8bf5b26b333f
Instruction Fuzzy Hash: 3801A136C002149FDB10ABB6ED486AAF7B8EF08355F960462E90DF7154EA3059888B91

Uniqueness

Uniqueness Score: -1.00%

Function 00E832A1, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87encryptionCOMMON

Download Yara Rule

APIs

CryptGetOIDFunctionAddress.CRYPT32(?,00000000,?,?), ref: 00E832EF
wprintf.MSVCRT ref: 00E8334F
CryptFreeOIDFunctionAddress.CRYPT32(?,00000000), ref: 00E8336E

Strings

%s, xrefs: 00E8334A

Memory Dump Source

Source File: 00000001.00000002.222199983.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000001.00000002.222197026.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.222206325.0000000000E8A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.222208904.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e80000_CertMgr.jbxd

Similarity

API ID: AddressCryptFunction$Freewprintf
String ID: %s
API String ID: 1836932162-620797490
Opcode ID: 423128d1a571c4434a5dfd258ae24b4f151d1cc20e7272ec234f2545f821e0ed
Instruction ID: 926d08d2fac812741002d7a0ee33aa22db878d730a50c247c276a94a637aa81f
Opcode Fuzzy Hash: 423128d1a571c4434a5dfd258ae24b4f151d1cc20e7272ec234f2545f821e0ed
Instruction Fuzzy Hash: 8D212A31901218BFDB119FA6DC48DEF7FBDEB44B54B145066B51CA1020D7318A54EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E82FF4, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 57encryptionCOMMON

Download Yara Rule

APIs

CryptDecodeObject.CRYPT32(2.5.29.21,?,?,00000000,?,?), ref: 00E8301C

Part of subcall function 00E88F8E: LoadStringW.USER32(?,00E81A8A,CertMgr Succeeded,00000000), ref: 00E88FA6
Part of subcall function 00E88F8E: vwprintf.MSVCRT ref: 00E88FB1

printf.MSVCRT ref: 00E83097
printf.MSVCRT ref: 00E830A0

Strings

2.5.29.21, xrefs: 00E83011

Memory Dump Source

Source File: 00000001.00000002.222199983.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000001.00000002.222197026.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.222206325.0000000000E8A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.222208904.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e80000_CertMgr.jbxd

Similarity

API ID: printf$CryptDecodeLoadObjectStringvwprintf
String ID: 2.5.29.21
API String ID: 1886321042-359661889
Opcode ID: ae18c1635c2ef1d490c3d86ababa358caa9212d4492cd09a7b0f1a0f390f6edd
Instruction ID: 5fe961f31306c3f277255aacdcba995d83ef35bd711f678498b16ae8135a4d58
Opcode Fuzzy Hash: ae18c1635c2ef1d490c3d86ababa358caa9212d4492cd09a7b0f1a0f390f6edd
Instruction Fuzzy Hash: 6F011E35248304FAEB206BA1EC02FD977A9F700F54F2491A7BB1E790D0A7719705A751

Uniqueness

Uniqueness Score: -1.00%

Function 00E817F3, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37encryptionCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,00E87EB0), ref: 00E817F5
CryptInitOIDFunctionSet.CRYPT32(CryptDllFormatObject,00000000), ref: 00E8180E

Strings

CryptDllFormatObject, xrefs: 00E81808, 00E8180D, 00E81831

Memory Dump Source

Source File: 00000001.00000002.222199983.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000001.00000002.222197026.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.222206325.0000000000E8A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.222208904.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e80000_CertMgr.jbxd

Similarity

API ID: CryptFunctionHandleInitModule
String ID: CryptDllFormatObject
API String ID: 188214945-3973519293
Opcode ID: 8dd704f97bf613437505bcd6b78e8aba56334232b9ef70b8448d52242e79264f
Instruction ID: a4f60e40905fb7c6a3eccc050ec3009bc53e29b77f23dd416bf1bb3c9310fdbd
Opcode Fuzzy Hash: 8dd704f97bf613437505bcd6b78e8aba56334232b9ef70b8448d52242e79264f
Instruction Fuzzy Hash: D1F0E235288312AFF7042B627D06F823BDDE700B16F0510B7F60DF40A0E6718486AB56

Uniqueness

Uniqueness Score: -1.00%

Function 00E822DB, Relevance: 6.1, APIs: 4, Instructions: 74
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E822DB(void* __ecx, char* _a4, int _a8, BYTE** _a12, intOrPtr* _a16) {
				int _v8;
				signed int _t24;
				BYTE* _t29;

				 *_a12 = 0;
				 *_a16 = 0;
				_v8 = 0;
				if(CryptStringToBinaryA(_a4, _a8, 7, 0,  &_v8, 0, 0) != 0) {
					if(_v8 != 0) {
						_t29 = E00E89241(_v8, 0, 0);
						if(_t29 != 0) {
							if(CryptStringToBinaryA(_a4, _a8, 7, _t29,  &_v8, 0, 0) != 0) {
								 *_a12 = _t29;
								 *_a16 = _v8;
								_t24 = 0;
							} else {
								E00E88F35(_t21, _t29);
								_t24 = GetLastError();
								if(_t24 > 0) {
									_t24 = _t24 & 0x0000ffff | 0x80070000;
								}
							}
						} else {
							_t24 = 0x8007000e;
						}
					} else {
						_t24 = 0;
					}
				} else {
					_t24 = GetLastError();
					if(_t24 > 0) {
						_t24 = _t24 & 0x0000ffff | 0x80070000;
					}
				}
				return _t24;
			}

0x00e822ef
0x00e822f5
0x00e82301
0x00e8230b
0x00e82326
0x00e82337
0x00e8233b
0x00e82357
0x00e8237b
0x00e82380
0x00e82382
0x00e82359
0x00e8235a
0x00e8235f
0x00e82367
0x00e8236e
0x00e8236e
0x00e82367
0x00e8233d
0x00e8233d
0x00e8233d
0x00e82328
0x00e82328
0x00e82328
0x00e8230d
0x00e8230d
0x00e82315
0x00e8231c
0x00e8231c
0x00e82315
0x00e82388

APIs

CryptStringToBinaryA.CRYPT32(?,?,00000007,00000000,?,00000000,00000000), ref: 00E82307
GetLastError.KERNEL32 ref: 00E8230D

Memory Dump Source

Source File: 00000001.00000002.222199983.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000001.00000002.222197026.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.222206325.0000000000E8A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.222208904.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e80000_CertMgr.jbxd

Similarity

API ID: BinaryCryptErrorLastString
String ID:
API String ID: 1279426848-0
Opcode ID: a88eec829ba1c37037fee2638f5f3df3b5609b10770c1db7a3cccf34114af63d
Instruction ID: 61d9b682ddb41a76c509db551c1b973e17176f092b2ab45f9b5af07df440af31
Opcode Fuzzy Hash: a88eec829ba1c37037fee2638f5f3df3b5609b10770c1db7a3cccf34114af63d
Instruction Fuzzy Hash: A3216A7260011AFFCB21AF55CD449AE7AADEF49794B200429FA0DFA120C2389E00DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E82390, Relevance: 6.1, APIs: 4, Instructions: 74encryptionCOMMON

Download Yara Rule

APIs

CryptStringToBinaryW.CRYPT32(?,?,00000007,00000000,?,00000000,00000000), ref: 00E823BC
GetLastError.KERNEL32 ref: 00E823C2

Memory Dump Source

Source File: 00000001.00000002.222199983.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000001.00000002.222197026.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.222206325.0000000000E8A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.222208904.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e80000_CertMgr.jbxd

Similarity

API ID: BinaryCryptErrorLastString
String ID:
API String ID: 1279426848-0
Opcode ID: 73fd7190ae6f22b592ee0928bebcac872e34626d04702bc7b79abd32674ba677
Instruction ID: deec26358e1f9a44c4f2f66d4fc8f96d239b94343d85c8359333473abd44a954
Opcode Fuzzy Hash: 73fd7190ae6f22b592ee0928bebcac872e34626d04702bc7b79abd32674ba677
Instruction Fuzzy Hash: BE216D71541129EFCB21AF55DD44EAE3AADEF55794F208429FA1DE6120C2748E009BB0

Uniqueness

Uniqueness Score: -1.00%

Function 00E886C7, Relevance: 6.0, APIs: 4, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00E886C7(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v804;
				intOrPtr _v808;
				intOrPtr _v812;
				intOrPtr _t11;
				intOrPtr _t12;
				intOrPtr _t13;
				intOrPtr* _t26;
				void* _t29;

				_t29 = __ecx -  *0xe8a078; // 0xa9659deb
				if(_t29 != 0) {
					 *0xe8aab8 = __eax;
					 *0xe8aab4 = __ecx;
					 *0xe8aab0 = __edx;
					 *0xe8aaac = __ebx;
					 *0xe8aaa8 = __esi;
					 *0xe8aaa4 = __edi;
					 *0xe8aad0 = ss;
					 *0xe8aac4 = cs;
					 *0xe8aaa0 = ds;
					 *0xe8aa9c = es;
					 *0xe8aa98 = fs;
					 *0xe8aa94 = gs;
					asm("pushfd");
					_pop( *0xe8aac8);
					 *0xe8aabc =  *_t26;
					 *0xe8aac0 = _v0;
					 *0xe8aacc =  &_a4;
					 *0xe8aa08 = 0x10001;
					_t11 =  *0xe8aac0; // 0x0
					 *0xe8a9c4 = _t11;
					 *0xe8a9b8 = 0xc0000409;
					 *0xe8a9bc = 1;
					_t12 =  *0xe8a078; // 0xa9659deb
					_v812 = _t12;
					_t13 =  *0xe8a07c; // 0x569a6214
					_v808 = _t13;
					SetUnhandledExceptionFilter(0);
					UnhandledExceptionFilter(0xe81670);
					return TerminateProcess(GetCurrentProcess(), 0xc0000409);
				} else {
					return __eax;
				}
			}

0x00e886c7
0x00e886cd
0x00e88d42
0x00e88d47
0x00e88d4d
0x00e88d53
0x00e88d59
0x00e88d5f
0x00e88d65
0x00e88d6c
0x00e88d73
0x00e88d7a
0x00e88d81
0x00e88d88
0x00e88d8f
0x00e88d90
0x00e88d99
0x00e88da1
0x00e88da9
0x00e88db4
0x00e88dbe
0x00e88dc3
0x00e88dc8
0x00e88dd2
0x00e88ddc
0x00e88de1
0x00e88de7
0x00e88dec
0x00e88df4
0x00e88dff
0x00e88e18
0x00e886cf
0x00e886cf
0x00e886cf

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00E88DF4
UnhandledExceptionFilter.KERNEL32(00E81670), ref: 00E88DFF
GetCurrentProcess.KERNEL32(C0000409), ref: 00E88E0A
TerminateProcess.KERNEL32(00000000), ref: 00E88E11

Memory Dump Source

Source File: 00000001.00000002.222199983.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000001.00000002.222197026.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.222206325.0000000000E8A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.222208904.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e80000_CertMgr.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: 1216d3f2b87340f95b8020b1b110797d72892b8aaf4da5b279d55e328efbf27e
Instruction ID: 1ac176e92f0f9eef9469ed532db5e6845fcb4f86ee169601decde48acadedec1
Opcode Fuzzy Hash: 1216d3f2b87340f95b8020b1b110797d72892b8aaf4da5b279d55e328efbf27e
Instruction Fuzzy Hash: 1021C0B9805200DFF309DF1BFA846547BB4BB58344B4840ABE50DA7F60E374558ACF16

Uniqueness

Uniqueness Score: -1.00%

Function 00E82B61, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45encryptionCOMMON

Download Yara Rule

APIs

CryptDecodeObject.CRYPT32(1.3.6.1.4.1.311.2.1.27,?,?,00000000,?,?), ref: 00E82B8B

Part of subcall function 00E88F8E: LoadStringW.USER32(?,00E81A8A,CertMgr Succeeded,00000000), ref: 00E88FA6
Part of subcall function 00E88F8E: vwprintf.MSVCRT ref: 00E88FB1

printf.MSVCRT ref: 00E82BEA

Strings

1.3.6.1.4.1.311.2.1.27, xrefs: 00E82B80

Memory Dump Source

Source File: 00000001.00000002.222199983.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000001.00000002.222197026.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.222206325.0000000000E8A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.222208904.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e80000_CertMgr.jbxd

Similarity

API ID: CryptDecodeLoadObjectStringprintfvwprintf
String ID: 1.3.6.1.4.1.311.2.1.27
API String ID: 1959750101-3254324927
Opcode ID: f5ce13c205e23a4db5bf8181400572ed3f609051ec64134572c21f49062eff38
Instruction ID: 5650e2708fa92dd47ac333e14208acb260b9925a7e374ff4e3b0385a639c6239
Opcode Fuzzy Hash: f5ce13c205e23a4db5bf8181400572ed3f609051ec64134572c21f49062eff38
Instruction Fuzzy Hash: 35015636244208FAEB116B51ED06E8C37A9AB00715F24506AFA1C740E0EBB29689AB81

Uniqueness

Uniqueness Score: -1.00%

Function 00E82BFA, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36encryptionCOMMON

Download Yara Rule

APIs

CryptDecodeObject.CRYPT32(1.3.6.1.4.1.311.2.1.26,?,?,00000000,?,?), ref: 00E82C22

Part of subcall function 00E88F8E: LoadStringW.USER32(?,00E81A8A,CertMgr Succeeded,00000000), ref: 00E88FA6
Part of subcall function 00E88F8E: vwprintf.MSVCRT ref: 00E88FB1

printf.MSVCRT ref: 00E82C62

Strings

1.3.6.1.4.1.311.2.1.26, xrefs: 00E82C17

Memory Dump Source

Source File: 00000001.00000002.222199983.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000001.00000002.222197026.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.222206325.0000000000E8A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.222208904.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e80000_CertMgr.jbxd

Similarity

API ID: CryptDecodeLoadObjectStringprintfvwprintf
String ID: 1.3.6.1.4.1.311.2.1.26
API String ID: 1959750101-3070115369
Opcode ID: a4601a4f82c34683f9ed18e16aa24ccda7cc4d4b9c5dba41c56a461704248116
Instruction ID: b0e82866c8a57eab0806ed9213fe80f431b2f249619d34f6819ed6558a59b4e1
Opcode Fuzzy Hash: a4601a4f82c34683f9ed18e16aa24ccda7cc4d4b9c5dba41c56a461704248116
Instruction Fuzzy Hash: F0F06D36100208FEEB116B52EE06F9D7BA9EB00714F14901ABB1D790E0DB729645AB55

Uniqueness

Uniqueness Score: -1.00%

Function 00E88163, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28encryptionCOMMON

Download Yara Rule

APIs

CryptFindOIDInfo.CRYPT32(00000001,?,00000004), ref: 00E8817D

Strings

, xrefs: 00E8816F

Memory Dump Source

Source File: 00000001.00000002.222199983.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000001.00000002.222197026.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.222206325.0000000000E8A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.222208904.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e80000_CertMgr.jbxd

Similarity

API ID: CryptFindInfo
String ID:
API String ID: 4232373045-399585960
Opcode ID: 37ab8289c4644b6c11e8ca29d379fd7bfd3878eac0ae87c175a892e0141a16ce
Instruction ID: cb71b6f9471dff6b641d6241696639be5edbc27bb5930d2dd189e0d54de18ebc
Opcode Fuzzy Hash: 37ab8289c4644b6c11e8ca29d379fd7bfd3878eac0ae87c175a892e0141a16ce
Instruction Fuzzy Hash: A5F06D72200306AFD7249F49DC05F96B7F9FF94321F214459EA49AF260DBB0E861CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00E83272, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 16encryptionCOMMON

Download Yara Rule

APIs

CryptFindOIDInfo.CRYPT32(00000001,?,?), ref: 00E8327F

Strings

<UNKNOWN OID>, xrefs: 00E83293

Memory Dump Source

Source File: 00000001.00000002.222199983.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000001.00000002.222197026.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.222206325.0000000000E8A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.222208904.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e80000_CertMgr.jbxd

Similarity

API ID: CryptFindInfo
String ID: <UNKNOWN OID>
API String ID: 4232373045-3377398671
Opcode ID: 1900b920e22cfc4f8391c76964449ec943d74a188e0d19c93a6fcfacf8ed99cc
Instruction ID: bc1746733af31bf80b65dbb54af8607ae77618a5b5c589c123cb509c04a54225
Opcode Fuzzy Hash: 1900b920e22cfc4f8391c76964449ec943d74a188e0d19c93a6fcfacf8ed99cc
Instruction Fuzzy Hash: 59D0A7312001087FDF002FA1CC09F5A3B5AEF94B60F489421F90DAF070DAB1D990D750

Uniqueness

Uniqueness Score: -1.00%

Function 00E881A9, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14encryptionCOMMON

Download Yara Rule

APIs

CryptFindOIDInfo.CRYPT32(00000001,?,-`), ref: 00E881B6

Strings

-`, xrefs: 00E881AE

Memory Dump Source

Source File: 00000001.00000002.222199983.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000001.00000002.222197026.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.222206325.0000000000E8A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.222208904.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e80000_CertMgr.jbxd

Similarity

API ID: CryptFindInfo
String ID: -`
API String ID: 4232373045-2959475056
Opcode ID: ed2a826dda94b84904af1e9111e022936ee51df297b829264ff69ceb247cd7dd
Instruction ID: 2a1f4c3f2efc20939f98ea4fb758efe969aa3b6bd9d17d70ac455c50f7df50ce
Opcode Fuzzy Hash: ed2a826dda94b84904af1e9111e022936ee51df297b829264ff69ceb247cd7dd
Instruction Fuzzy Hash: 34D01236244248BFDB406F96DC08E967B6AFB50750F509450F91CDA051DEB2D851DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00E882C8, Relevance: 3.1, APIs: 2, Instructions: 61encryptionCOMMON

Download Yara Rule

APIs

CryptDecodeObject.CRYPT32(00010001,?,?,?,00000001,00000000,?), ref: 00E882FF
CryptDecodeObject.CRYPT32(00010001,?,?,?,00000001,00000000,12345678), ref: 00E8832B

Memory Dump Source

Source File: 00000001.00000002.222199983.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000001.00000002.222197026.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.222206325.0000000000E8A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.222208904.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e80000_CertMgr.jbxd

Similarity

API ID: CryptDecodeObject
String ID:
API String ID: 1207547050-0
Opcode ID: 6db73686c9d5d0bfbf5c100fc4050991a3998a4df4aea2dc4251128c5963e1f9
Instruction ID: 85431de26f72a3b0b198337001776e2520f05fafa0d35135d0337cdd9e54f497
Opcode Fuzzy Hash: 6db73686c9d5d0bfbf5c100fc4050991a3998a4df4aea2dc4251128c5963e1f9
Instruction Fuzzy Hash: C611307660020DFFDF119E959E80DAF7BADEB54B88B505075BE0CA6110CA71DD11AB20

Uniqueness

Uniqueness Score: -1.00%

Function 00E881D0, Relevance: 3.0, APIs: 2, Instructions: 50encryptionCOMMON

Download Yara Rule

APIs

CryptMsgGetParam.CRYPT32(?,00000006,00000004,00000000,00000004), ref: 00E881F2

Part of subcall function 00E89241: malloc.MSVCRT ref: 00E8924A

CryptMsgGetParam.CRYPT32(?,00000006,00000004,00000000,00000004), ref: 00E8821B

Part of subcall function 00E88F35: free.MSVCRT(00000000,?,00E892E1,00E81A8A,?,00000000,?,?,00E81A8A), ref: 00E88F43

Memory Dump Source

Source File: 00000001.00000002.222199983.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000001.00000002.222197026.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.222206325.0000000000E8A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.222208904.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e80000_CertMgr.jbxd

Similarity

API ID: CryptParam$freemalloc
String ID:
API String ID: 2367485992-0
Opcode ID: 5db2b81031fdf96767c6e005321ddfa4710a72a1db42da820f929399eb5a3c04
Instruction ID: 20b283783a3af5d5df0662af553c582382eeff777587e98401523bac63a59589
Opcode Fuzzy Hash: 5db2b81031fdf96767c6e005321ddfa4710a72a1db42da820f929399eb5a3c04
Instruction Fuzzy Hash: 6E01217650010DFF9F11EF95EE80CAE7BBEEB88394B544065FD08A3120DB319E11AB60

Uniqueness

Uniqueness Score: -1.00%

Function 00E873E5, Relevance: 43.9, APIs: 29, Instructions: 436
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CertOpenStore.CRYPT32(00000002,00000000,00000000,00000000), ref: 00E87446
CertFindCertificateInStore.CRYPT32(?,00000000,00010000,?,00000000), ref: 00E87495
CertFreeCertificateContext.CRYPT32(?), ref: 00E87820
CertFreeCRLContext.CRYPT32(?), ref: 00E8782E
CertFreeCRLContext.CRYPT32(?), ref: 00E8783C
CertFreeCertificateContext.CRYPT32(?), ref: 00E8784A
CertFreeCRLContext.CRYPT32(?), ref: 00E87858
CertFreeCRLContext.CRYPT32(?), ref: 00E87866
CertFreeCertificateContext.CRYPT32(?), ref: 00E87887
free.MSVCRT(?,00000000), ref: 00E87899
CertFreeCRLContext.CRYPT32(?), ref: 00E878B1
free.MSVCRT(?,00000000), ref: 00E878C3
CertFreeCRLContext.CRYPT32(?), ref: 00E878DB
free.MSVCRT(?,00000000), ref: 00E878ED

Part of subcall function 00E88F8E: LoadStringW.USER32(?,00E81A8A,CertMgr Succeeded,00000000), ref: 00E88FA6
Part of subcall function 00E88F8E: vwprintf.MSVCRT ref: 00E88FB1

Memory Dump Source

Source File: 00000001.00000002.222199983.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000001.00000002.222197026.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.222206325.0000000000E8A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.222208904.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e80000_CertMgr.jbxd

Similarity

API ID: Cert$ContextFree$Certificate$free$Store$FindLoadOpenStringvwprintf
String ID:
API String ID: 22078982-0
Opcode ID: 5d8b4172f249d7b827b849dadf3cb3ee18f008f470d9828ba894982569c926e5
Instruction ID: 4485ae9b5893fb17c9d657f9b1d1c64cb60149ca70c08c9f53f0376095471380
Opcode Fuzzy Hash: 5d8b4172f249d7b827b849dadf3cb3ee18f008f470d9828ba894982569c926e5
Instruction Fuzzy Hash: 07F17970D08218EFDB15AF96DD889EEBBB9FB44344F34506AE44DB6220D3319E85DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00E87934, Relevance: 37.9, APIs: 25, Instructions: 411encryptionCOMMON

Download Yara Rule

APIs

CertOpenStore.CRYPT32(00000002,00000000,00000000,00000000), ref: 00E879AA
CertFindCertificateInStore.CRYPT32(?,00000000,00010000,?,00000000), ref: 00E87A3F
CertFreeCertificateContext.CRYPT32(00000000), ref: 00E87D8A
CertFreeCRLContext.CRYPT32(?), ref: 00E87D98
CertFreeCRLContext.CRYPT32(?), ref: 00E87DA6

Part of subcall function 00E81EB2: CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 00E81EFC
Part of subcall function 00E81EB2: CertEnumCTLsInStore.CRYPT32(?,00000000), ref: 00E81F30
Part of subcall function 00E81EB2: CertGetCRLFromStore.CRYPT32(?,00000000,00000000,?), ref: 00E81F6D
Part of subcall function 00E81EB2: CertFreeCertificateContext.CRYPT32(?), ref: 00E81F85
Part of subcall function 00E81EB2: CertFreeCRLContext.CRYPT32(?), ref: 00E81F93
Part of subcall function 00E81EB2: CertFreeCRLContext.CRYPT32(00000004), ref: 00E81FA4

CertFreeCertificateContext.CRYPT32(?), ref: 00E87DC7
free.MSVCRT(?), ref: 00E87DD9
CertFreeCRLContext.CRYPT32(?), ref: 00E87DF1
free.MSVCRT(?), ref: 00E87E03
CertFreeCRLContext.CRYPT32(?), ref: 00E87E1B
free.MSVCRT(?), ref: 00E87E2D
CertCloseStore.CRYPT32(?,00000000), ref: 00E87E3F

Memory Dump Source

Source File: 00000001.00000002.222199983.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000001.00000002.222197026.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.222206325.0000000000E8A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.222208904.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e80000_CertMgr.jbxd

Similarity

API ID: Cert$ContextFree$Store$Certificate$free$Enum$CertificatesCloseFindFromOpen
String ID:
API String ID: 3594960610-0
Opcode ID: 46ad1803e05cc1536b7419e34040f33c64ea23c6eabc638b65f7356cb43c946b
Instruction ID: 5033269081ddb42fd0054a20a1620e8fc92118ec8d3feb49e02aa6e5db7ab57a
Opcode Fuzzy Hash: 46ad1803e05cc1536b7419e34040f33c64ea23c6eabc638b65f7356cb43c946b
Instruction Fuzzy Hash: 72F18B70908208EFDB11AF91DD849EEBBBAFF44344F3460AAE58DB3160D3358E859B51

Uniqueness

Uniqueness Score: -1.00%

Function 00E86795, Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 184encryptionCOMMON

Download Yara Rule

APIs

Part of subcall function 00E88F8E: LoadStringW.USER32(?,00E81A8A,CertMgr Succeeded,00000000), ref: 00E88FA6
Part of subcall function 00E88F8E: vwprintf.MSVCRT ref: 00E88FB1

printf.MSVCRT ref: 00E867FC
printf.MSVCRT ref: 00E8685D
CertGetCRLContextProperty.CRYPT32(?,00000003,?,00000014), ref: 00E868D4
CertGetCRLContextProperty.CRYPT32(?,00000004,?,00000014), ref: 00E868F9
printf.MSVCRT ref: 00E8694C

Strings

SHA1, xrefs: 00E868DD
[%d] %s, xrefs: 00E867F7
<NULL>, xrefs: 00E86931, 00E86946
MD5, xrefs: 00E86902
, xrefs: 00E8682E, 00E86973
%s , xrefs: 00E86947

Memory Dump Source

Source File: 00000001.00000002.222199983.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000001.00000002.222197026.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.222206325.0000000000E8A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.222208904.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e80000_CertMgr.jbxd

Similarity

API ID: printf$CertContextProperty$LoadStringvwprintf
String ID: $ [%d] %s$%s $<NULL>$MD5$SHA1
API String ID: 1489666178-2308969636
Opcode ID: 045fd8826220acc4f01b228934e8a0ff8c82828712e1fa65aff0410d55ecfd2e
Instruction ID: 1f6fe429460da8aaeda079f904d93c96fb8a8da9288ff7b0a934dae72b813205
Opcode Fuzzy Hash: 045fd8826220acc4f01b228934e8a0ff8c82828712e1fa65aff0410d55ecfd2e
Instruction Fuzzy Hash: 5B51BF31504309AFEB10BFA0DD42E9E77FAFB44714F08602AF60D760A1EB72A995DB11

Uniqueness

Uniqueness Score: -1.00%

Function 00E81EB2, Relevance: 18.1, APIs: 12, Instructions: 93encryptionCOMMON

Download Yara Rule

APIs

CertDuplicateCertificateContext.CRYPT32(?), ref: 00E81EE3
CertDeleteCRLFromStore.CRYPT32(00000000), ref: 00E81EEA
CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 00E81EFC
CertDuplicateCRLContext.CRYPT32(?), ref: 00E81F17
CertDeleteCRLFromStore.CRYPT32(00000000), ref: 00E81F22
CertEnumCTLsInStore.CRYPT32(?,00000000), ref: 00E81F30
CertDuplicateCRLContext.CRYPT32(00000004), ref: 00E81F4F
CertDeleteCRLFromStore.CRYPT32(00000000), ref: 00E81F5A
CertGetCRLFromStore.CRYPT32(?,00000000,00000000,?), ref: 00E81F6D
CertFreeCertificateContext.CRYPT32(?), ref: 00E81F85
CertFreeCRLContext.CRYPT32(?), ref: 00E81F93
CertFreeCRLContext.CRYPT32(00000004), ref: 00E81FA4

Memory Dump Source

Source File: 00000001.00000002.222199983.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000001.00000002.222197026.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.222206325.0000000000E8A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.222208904.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e80000_CertMgr.jbxd

Similarity

API ID: Cert$ContextStore$From$DeleteDuplicateFree$CertificateEnum$Certificates
String ID:
API String ID: 3778652152-0
Opcode ID: 96be5e95b30004ad1af253b36a163bb9224c7d4c5d86323eceb49bde62edbc1b
Instruction ID: 2785352f1e022e6fa18c2a7819e86fc6231a2a6cb9d3af9dba5182d5553877ab
Opcode Fuzzy Hash: 96be5e95b30004ad1af253b36a163bb9224c7d4c5d86323eceb49bde62edbc1b
Instruction Fuzzy Hash: 08314D71E00249EFCB12AFA6DD4899EBBBDBF44348F2454D6E60DB2020D7758A86DF10

Uniqueness

Uniqueness Score: -1.00%

Function 00E828A5, Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 85
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00E828A5(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				void* _t15;
				int _t18;
				signed char _t20;
				intOrPtr _t30;
				void* _t42;
				void* _t43;
				void* _t44;
				intOrPtr _t46;

				if(_a12 == 0) {
					return E00E88F8E( *0xe8a7f8, 0x1b8e, _a4);
				}
				if(__eflags > 0) {
					do {
						_push(_a4);
						wprintf(L"%s");
						_t30 = 0x10;
						__eflags = _a12 - _t30;
						if(_a12 <= _t30) {
							_t30 = _a12;
						}
						_a12 = _a12 - _t30;
						_t42 = 0;
						__eflags = _t30;
						if(_t30 <= 0) {
							L8:
							_t43 = 0x10;
							__eflags = _t30 - _t43;
							if(_t30 >= _t43) {
								L11:
								wprintf(L"    \'");
								_t44 = 0;
								__eflags = _t30;
								if(_t30 <= 0) {
									goto L17;
								} else {
									goto L12;
								}
								do {
									L12:
									_t20 =  *((intOrPtr*)(_t44 + _a8));
									__eflags = _t20 - 0x20;
									if(_t20 < 0x20) {
										L15:
										wprintf(".");
										goto L16;
									}
									__eflags = _t20 - 0x7f;
									if(_t20 > 0x7f) {
										goto L15;
									}
									_push(_t20 & 0x000000ff);
									wprintf(L"%c");
									L16:
									_t44 = _t44 + 1;
									__eflags = _t44 - _t30;
								} while (_t44 < _t30);
								goto L17;
							}
							_t46 = _t43 - _t30;
							__eflags = _t46;
							do {
								wprintf(L"   ");
								_t46 = _t46 - 1;
								__eflags = _t46;
							} while (_t46 != 0);
							goto L11;
						} else {
							do {
								_push( *(_t42 + _a8) & 0x000000ff);
								wprintf(L" %02X");
								_t42 = _t42 + 1;
								__eflags = _t42 - _t30;
							} while (_t42 < _t30);
							goto L8;
						}
						L17:
						_a8 = _a8 + _t30;
						_t18 = wprintf(L"\'\n");
						__eflags = _a12;
					} while (_a12 > 0);
					return _t18;
				}
				return _t15;
			}

0x00e828ae
0x00000000
0x00e828c3
0x00e828cb
0x00e828da
0x00e828da
0x00e828e2
0x00e828e8
0x00e828e9
0x00e828ec
0x00e828ee
0x00e828ee
0x00e828f1
0x00e828f4
0x00e828f6
0x00e828f8
0x00e82910
0x00e82912
0x00e82913
0x00e82915
0x00e82924
0x00e82929
0x00e8292b
0x00e8292e
0x00e82930
0x00000000
0x00000000
0x00000000
0x00000000
0x00e82932
0x00e82932
0x00e82935
0x00e82938
0x00e8293a
0x00e8294e
0x00e82953
0x00000000
0x00e82953
0x00e8293c
0x00e8293e
0x00000000
0x00000000
0x00e82943
0x00e82949
0x00e82955
0x00e82955
0x00e82957
0x00e82957
0x00000000
0x00e82932
0x00e82917
0x00e82917
0x00e82919
0x00e8291e
0x00e82920
0x00e82920
0x00e82921
0x00000000
0x00e828fa
0x00e828fa
0x00e82901
0x00e82907
0x00e82909
0x00e8290c
0x00e8290c
0x00000000
0x00e828fa
0x00e8295b
0x00e8295b
0x00e82963
0x00e82965
0x00e82969
0x00000000
0x00e82972
0x00e82974

APIs

wprintf.MSVCRT ref: 00E828E2
wprintf.MSVCRT ref: 00E82907
wprintf.MSVCRT ref: 00E8291E
wprintf.MSVCRT ref: 00E82929
wprintf.MSVCRT ref: 00E82949
wprintf.MSVCRT ref: 00E82963

Part of subcall function 00E88F8E: LoadStringW.USER32(?,00E81A8A,CertMgr Succeeded,00000000), ref: 00E88FA6
Part of subcall function 00E88F8E: vwprintf.MSVCRT ref: 00E88FB1

Strings

', xrefs: 00E82924
, xrefs: 00E82919
%02X, xrefs: 00E82902

Memory Dump Source

Source File: 00000001.00000002.222199983.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000001.00000002.222197026.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.222206325.0000000000E8A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.222208904.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e80000_CertMgr.jbxd

Similarity

API ID: wprintf$LoadStringvwprintf
String ID: $ '$ %02X
API String ID: 2851814717-3839679036
Opcode ID: df3a261076cf1e4cb5ffd520031b63367137a6757e998e2d84765bea5b67b17a
Instruction ID: 5e3aacda6631d52fd0907f9367882b7e8cb5de90e07034c50a21bbfb2e434b23
Opcode Fuzzy Hash: df3a261076cf1e4cb5ffd520031b63367137a6757e998e2d84765bea5b67b17a
Instruction Fuzzy Hash: 5E213833B0030DAEDB143FA59C41ABD3759EBC0721F10603FFB1C750808AB049925B64

Uniqueness

Uniqueness Score: -1.00%

Function 00E869E9, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 138
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 20%

			E00E869E9(void* __edx, void* __eflags, intOrPtr _a4, signed int _a8) {
				signed int _v8;
				char _v28;
				char _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t42;
				char _t83;
				void* _t86;
				void* _t95;
				void* _t96;
				char* _t97;
				intOrPtr _t98;
				signed int _t99;

				_t95 = __edx;
				_t42 =  *0xe8a078; // 0xa9659deb
				_v8 = _t42 ^ _t99;
				_t98 = _a4;
				_t83 = 0x14;
				_push(0x1b5d);
				_push( *0xe8a7f8);
				_v32 = _t83;
				E00E88F8E();
				_pop(_t86);
				L00E84254(_t86, _t96,  *((intOrPtr*)( *((intOrPtr*)(_t98 + 0xc)) + 0x14)),  *((intOrPtr*)( *((intOrPtr*)(_t98 + 0xc)) + 0x10)), _a8);
				E00E88F8E( *0xe8a7f8, 0x1b7d, E00E83E22(_t95, _t96,  *((intOrPtr*)(_t98 + 0xc)) + 0x18));
				E00E88F8E( *0xe8a7f8, 0x1b7e, E00E83E22(_t95, _t96,  *((intOrPtr*)(_t98 + 0xc)) + 0x20));
				_t97 = __imp__CertGetCRLContextProperty;
				 *_t97(_t98, 3,  &_v28,  &_v32);
				E00E8297C("SHA1",  &_v28, _v32);
				_v32 = _t83;
				 *_t97(_t98, 4,  &_v28,  &_v32);
				E00E8297C("MD5",  &_v28, _v32);
				if((_a8 & 0x00010000) != 0) {
					E00E88F8E( *0xe8a7f8, 0x1b68,  *((intOrPtr*)( *((intOrPtr*)(_t98 + 0xc)))));
					_t97 =  *((intOrPtr*)( *((intOrPtr*)(_t98 + 0xc)) + 4));
					if(_t97 == 0) {
						_t97 = "<NULL>";
					}
					_push(0x1b69);
					_push( *0xe8a7f8);
					E00E88F8E();
					_push(_t97);
					printf("%s \n");
					if( *((intOrPtr*)( *((intOrPtr*)(_t98 + 0xc)) + 8)) != 0) {
						_push(0x1b6a);
						_push( *0xe8a7f8);
						E00E88F8E();
						E00E828A5(L"    ",  *((intOrPtr*)( *((intOrPtr*)(_t98 + 0xc)) + 0xc)),  *((intOrPtr*)( *((intOrPtr*)(_t98 + 0xc)) + 8)));
					}
					_t78 =  *((intOrPtr*)(_t98 + 0xc));
					if( *((intOrPtr*)( *((intOrPtr*)(_t98 + 0xc)) + 0x30)) != 0) {
						E00E857BD( *((intOrPtr*)(_t78 + 0x30)),  *((intOrPtr*)(_t78 + 0x34)), _a8);
					}
				}
				if( *((intOrPtr*)( *((intOrPtr*)(_t98 + 0xc)) + 0x28)) != 0) {
					_push(0x1b83);
					_push( *0xe8a7f8);
					E00E88F8E();
					E00E86391(_t95,  *((intOrPtr*)(_t98 + 0x28)),  *((intOrPtr*)(_t98 + 0x2c)), _a8);
				} else {
					_push(0x1b82);
					_push( *0xe8a7f8);
					E00E88F8E();
				}
				return E00E886C7(1, 0, _v8 ^ _t99, _t95, _t97, _t98);
			}

0x00e869e9
0x00e869f1
0x00e869f8
0x00e869fd
0x00e86a03
0x00e86a04
0x00e86a09
0x00e86a0f
0x00e86a12
0x00e86a1b
0x00e86a25
0x00e86a42
0x00e86a62
0x00e86a67
0x00e86a7b
0x00e86a89
0x00e86a99
0x00e86a9c
0x00e86aaa
0x00e86ab8
0x00e86ace
0x00e86ad6
0x00e86ade
0x00e86ae0
0x00e86ae0
0x00e86ae5
0x00e86aea
0x00e86af0
0x00e86af5
0x00e86afb
0x00e86b0a
0x00e86b0c
0x00e86b11
0x00e86b17
0x00e86b2c
0x00e86b2c
0x00e86b31
0x00e86b37
0x00e86b42
0x00e86b42
0x00e86b37
0x00e86b4d
0x00e86b63
0x00e86b68
0x00e86b6e
0x00e86b81
0x00e86b4f
0x00e86b4f
0x00e86b54
0x00e86b5a
0x00e86b60
0x00e86b97

APIs

Part of subcall function 00E88F8E: LoadStringW.USER32(?,00E81A8A,CertMgr Succeeded,00000000), ref: 00E88FA6
Part of subcall function 00E88F8E: vwprintf.MSVCRT ref: 00E88FB1

Part of subcall function 00E83E22: LoadStringW.USER32(00001C0C,00E8A870,00000064), ref: 00E83E62

Part of subcall function 00E83E22: LoadStringW.USER32(00001B9D,?,00000032), ref: 00E83E8A
Part of subcall function 00E83E22: LoadStringW.USER32(00001B9E,?,00000032), ref: 00E83EA5
Part of subcall function 00E83E22: FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00E83EB7
Part of subcall function 00E83E22: FileTimeToSystemTime.KERNEL32(?,?), ref: 00E83ECB
Part of subcall function 00E83E22: _wasctime.MSVCRT ref: 00E83F4D

CertGetCRLContextProperty.CRYPT32(?,00000003,?,?), ref: 00E86A7B

Part of subcall function 00E8297C: printf.MSVCRT ref: 00E829B0
Part of subcall function 00E8297C: printf.MSVCRT ref: 00E829F0

CertGetCRLContextProperty.CRYPT32(?,00000004,?,?), ref: 00E86A9C

Part of subcall function 00E8297C: printf.MSVCRT ref: 00E829E3

printf.MSVCRT ref: 00E86AFB

Strings

SHA1, xrefs: 00E86A84
<NULL>, xrefs: 00E86AE0, 00E86AF5
MD5, xrefs: 00E86AA5
, xrefs: 00E86B27
%s , xrefs: 00E86AF6

Memory Dump Source

Source File: 00000001.00000002.222199983.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000001.00000002.222197026.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.222206325.0000000000E8A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.222208904.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e80000_CertMgr.jbxd

Similarity

API ID: LoadStringTimeprintf$File$CertContextProperty$LocalSystem_wasctimevwprintf
String ID: $%s $<NULL>$MD5$SHA1
API String ID: 1904437375-3298317204
Opcode ID: 77fcc2a2479e71d7f81f69852aebefec770eacffb7640eea6229ed5737193d7d
Instruction ID: 11bf35b9f09e2e4ec0954001fa38577a789638d43bd0ebd9c1643045f92d3163
Opcode Fuzzy Hash: 77fcc2a2479e71d7f81f69852aebefec770eacffb7640eea6229ed5737193d7d
Instruction Fuzzy Hash: 06417F72500209EFEB11BF95DC42C9A77FAEF04320B09902AF61DBB161DB72A955DB41

Uniqueness

Uniqueness Score: -1.00%

Function 00E86D37, Relevance: 13.7, APIs: 9, Instructions: 154encryptionCOMMON

Download Yara Rule

APIs

CertEnumCertificatesInStore.CRYPT32(?,?), ref: 00E86DAD
CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 00E86D65

Part of subcall function 00E88F8E: LoadStringW.USER32(?,00E81A8A,CertMgr Succeeded,00000000), ref: 00E88FA6
Part of subcall function 00E88F8E: vwprintf.MSVCRT ref: 00E88FB1

Part of subcall function 00E85CD6: printf.MSVCRT ref: 00E85D61
Part of subcall function 00E85CD6: CertGetCertificateContextProperty.CRYPT32(?,00000003,?,?), ref: 00E85D79
Part of subcall function 00E85CD6: CertGetCertificateContextProperty.CRYPT32(?,00000004,?,?), ref: 00E85D9A
Part of subcall function 00E85CD6: CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,00000000), ref: 00E85DB8
Part of subcall function 00E85CD6: CryptHashPublicKeyInfo.CRYPT32(00000000,00008003,00000000,?,?,?), ref: 00E85DE6

CertEnumCTLsInStore.CRYPT32(?,00000000), ref: 00E86DE1
CertEnumCTLsInStore.CRYPT32(?,?), ref: 00E86E29
CertGetCRLFromStore.CRYPT32(?,00000000,00000000,?), ref: 00E86E62
CertGetCRLFromStore.CRYPT32(?,00000000,?,?), ref: 00E86EAF
CertFreeCertificateContext.CRYPT32(?), ref: 00E86ED6
CertFreeCRLContext.CRYPT32(?), ref: 00E86EE4
CertFreeCRLContext.CRYPT32(?), ref: 00E86EF5

Memory Dump Source

Source File: 00000001.00000002.222199983.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000001.00000002.222197026.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.222206325.0000000000E8A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.222208904.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e80000_CertMgr.jbxd

Similarity

API ID: Cert$ContextStore$Enum$CertificateFree$CertificatesCryptFromProperty$AcquireHashInfoLoadPublicStringprintfvwprintf
String ID:
API String ID: 2852249584-0
Opcode ID: 6898b85c6ce5ef9e98911b433b59e36c0405e4dcf666da1799a236c4eee03931
Instruction ID: 2cc6507b4f63ba872fdadee95479f02480f95952017a9c1a9742ba6b1b61c3a3
Opcode Fuzzy Hash: 6898b85c6ce5ef9e98911b433b59e36c0405e4dcf666da1799a236c4eee03931
Instruction Fuzzy Hash: 05518032904209BEEF127BA1DD4589E7FF6FB44748B28506BF50CB50B0EB724E95AB41

Uniqueness

Uniqueness Score: -1.00%

Function 00E81FB6, Relevance: 13.6, APIs: 9, Instructions: 115encryptionCOMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00E82007
CertDuplicateCertificateContext.CRYPT32(?), ref: 00E8201C
CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 00E8203A
realloc.MSVCRT ref: 00E82055
CertDuplicateCertificateContext.CRYPT32(?), ref: 00E82066
CertFindCertificateInStore.CRYPT32(?,00000000,00080007,?,00000000), ref: 00E8208F
CertFreeCertificateContext.CRYPT32(?), ref: 00E820B4
CertFreeCertificateContext.CRYPT32(00000000), ref: 00E820D5
free.MSVCRT(?), ref: 00E820E3

Memory Dump Source

Source File: 00000001.00000002.222199983.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000001.00000002.222197026.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.222206325.0000000000E8A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.222208904.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e80000_CertMgr.jbxd

Similarity

API ID: Cert$Certificate$Context$DuplicateFreeStorerealloc$CertificatesEnumFindfree
String ID:
API String ID: 3052196173-0
Opcode ID: a61b32469ceed3dafa835c1215d5f99633ebb4650b99a8b7de6ab7be91e0bcab
Instruction ID: ce3bec77a14c855d98efd8b38cd537ba5e67d840a83e0db733e9922742ec629a
Opcode Fuzzy Hash: a61b32469ceed3dafa835c1215d5f99633ebb4650b99a8b7de6ab7be91e0bcab
Instruction Fuzzy Hash: AC416A7550024AEFCB21AF95DC8889DBBB5FF04305B20486DEA9DB7260C7329D95EF10

Uniqueness

Uniqueness Score: -1.00%

Function 00E8560E, Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 140
COMMON

Download Yara Rule

C-Code - Quality: 21%

			E00E8560E(void* __ebx, void* __edx, void* __esi, intOrPtr _a4, intOrPtr* _a8, signed int _a12) {
				char* _v8;
				char _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* __edi;
				intOrPtr _t42;
				char* _t43;
				void* _t57;
				intOrPtr* _t65;
				intOrPtr _t67;
				void* _t72;
				void* _t74;
				void* _t77;
				char _t78;
				intOrPtr* _t83;
				void* _t90;
				void* _t93;

				_t77 = __edx;
				_t78 = 0;
				_v16 = 0;
				_v12 = 0;
				if(_a4 <= 0) {
					L26:
					return _t42;
				} else {
					goto L3;
					L6:
					_v20 = _t78;
					if(_t93 <= 0) {
						L23:
						_v12 = _v12 + 1;
						_t42 = _v12;
						_a8 = _t83 + 0xc;
						if(_t42 < _a4) {
							_t78 = 0;
							L3:
							_t83 = _a8;
							_t43 =  *_t83;
							_t67 =  *((intOrPtr*)(_t83 + 4));
							_t65 =  *((intOrPtr*)(_t83 + 8));
							_v24 = _t67;
							_v8 = _t43;
							if(_t43 == _t78) {
								_v8 = "<NULL>";
							}
							_t93 = _t67 - _t78;
							if(_t93 == 0) {
								goto L20;
							} else {
								goto L6;
							}
						}
						if(_v16 == 0) {
							goto L26;
						}
						return E00E88F35(_t42, _v16);
					} else {
						goto L7;
					}
					do {
						L7:
						_push(_v8);
						_push(_v20);
						_push(_v12);
						printf("  [%d,%d] %s\n");
						_t49 =  *_t65;
						_t90 = _t90 + 0x10;
						if( *_t65 == 0) {
							_push(0x1b90);
							_push( *0xe8a7f8);
							E00E88F8E();
						} else {
							if((_a12 & 0x00010000) != 0) {
								E00E828A5(L"    ",  *((intOrPtr*)(_t65 + 4)), _t49);
							}
							_push(0x15);
							asm("repe cmpsb");
							if(0 == 0) {
								_push(0x1b8f);
								_push( *0xe8a7f8);
								E00E88F8E();
								E00E855AE( *((intOrPtr*)(_t65 + 4)),  *_t65, _a12);
							}
							_push(0x15);
							asm("repe cmpsb");
							if(0 == 0) {
								_push(0x1c13);
								_push( *0xe8a7f8);
								E00E88F8E();
								_pop(_t74);
								E00E84F00(_t74, "1.2.840.113549.1.9.6",  *((intOrPtr*)(_t65 + 4)),  *_t65, _a12);
							}
							_t72 = 0x15;
							asm("repe cmpsb");
							if(0 == 0) {
								_t89 = E00E882C8(_t72, 0x11,  *((intOrPtr*)(_t65 + 4)),  *_t65, 0);
								if(_t55 != 0) {
									_t57 = E00E88F8E( *0xe8a7f8, 0x1c14, E00E83E22(_t77, "1.2.840.113549.1.9.5", _t89));
									_t90 = _t90 + 0xc;
									E00E88F35(_t57, _t89);
								}
							}
						}
						_v20 = _v20 + 1;
						_t65 = _t65 + 8;
					} while (_v20 < _v24);
					_t83 = _a8;
					goto L23;
					L20:
					if(E00E88241(_v8,  &_v16) != 0) {
						_v16 = _t78;
					} else {
						_push(_v16);
						E00E88F8E( *0xe8a7f8, 0x1b91, _v12);
						_t90 = _t90 + 0x10;
					}
					goto L23;
				}
			}

0x00e8560e
0x00e85617
0x00e85619
0x00e8561c
0x00e85622
0x00e857b5
0x00e857b5
0x00e85628
0x00e8562a
0x00e85652
0x00e85652
0x00e85655
0x00e8578e
0x00e8578e
0x00e85791
0x00e85797
0x00e8579d
0x00e8562c
0x00e8562e
0x00e8562e
0x00e85631
0x00e85633
0x00e85636
0x00e85639
0x00e8563c
0x00e85641
0x00e85643
0x00e85643
0x00e8564a
0x00e8564c
0x00000000
0x00000000
0x00000000
0x00000000
0x00e8564c
0x00e857a9
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00e8565b
0x00e8565b
0x00e8565e
0x00e8565f
0x00e85662
0x00e8566a
0x00e85670
0x00e85672
0x00e85677
0x00e85737
0x00e8573c
0x00e85742
0x00e8567d
0x00e85684
0x00e8568f
0x00e8568f
0x00e85694
0x00e8569e
0x00e856a0
0x00e856a2
0x00e856a7
0x00e856ad
0x00e856bc
0x00e856bc
0x00e856c4
0x00e856ce
0x00e856d0
0x00e856d2
0x00e856d7
0x00e856dd
0x00e856e3
0x00e856ec
0x00e856ec
0x00e856fb
0x00e856fe
0x00e85700
0x00e8570f
0x00e85713
0x00e85727
0x00e8572c
0x00e85730
0x00e85730
0x00e85713
0x00e85700
0x00e85749
0x00e8574f
0x00e85752
0x00e8575b
0x00000000
0x00e85760
0x00e8576e
0x00e8578b
0x00e85770
0x00e85770
0x00e85781
0x00e85786
0x00e85786
0x00000000
0x00e8576e

APIs

printf.MSVCRT ref: 00E8566A

Part of subcall function 00E88F8E: LoadStringW.USER32(?,00E81A8A,CertMgr Succeeded,00000000), ref: 00E88FA6
Part of subcall function 00E88F8E: vwprintf.MSVCRT ref: 00E88FB1

Strings

1.2.840.113549.1.9.5, xrefs: 00E856F6
[%d,%d] %s, xrefs: 00E85665
<NULL>, xrefs: 00E85643, 00E8565E
1.3.6.1.4.1.311.10.2, xrefs: 00E85696
1.2.840.113549.1.9.6, xrefs: 00E856C6
, xrefs: 00E8568A

Memory Dump Source

Source File: 00000001.00000002.222199983.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000001.00000002.222197026.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.222206325.0000000000E8A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.222208904.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e80000_CertMgr.jbxd

Similarity

API ID: LoadStringprintfvwprintf
String ID: $ [%d,%d] %s$1.2.840.113549.1.9.5$1.2.840.113549.1.9.6$1.3.6.1.4.1.311.10.2$<NULL>
API String ID: 3914510563-3034289211
Opcode ID: fc60eee96201c820e0effd82e818748a46b086909835e25da4485e4f98667c69
Instruction ID: f1fa7e37642831877d0833529bbd505c2b2ddbe18b4f9e6d2fa97e1754407fc3
Opcode Fuzzy Hash: fc60eee96201c820e0effd82e818748a46b086909835e25da4485e4f98667c69
Instruction Fuzzy Hash: B141AF32900608FFEF11BF90DD429AD7BB6FF44314F14A066F91C7A161DB329A91AB51

Uniqueness

Uniqueness Score: -1.00%

Function 00E82C72, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 24%

			E00E82C72(intOrPtr _a4, signed int _a8, signed int _a12) {
				intOrPtr _v8;
				intOrPtr* _v12;
				void* __ecx;
				intOrPtr* _t29;
				intOrPtr _t39;
				void* _t42;
				void* _t52;
				intOrPtr* _t53;
				intOrPtr* _t56;
				intOrPtr _t58;
				intOrPtr* _t59;
				void* _t60;

				_push(_t42);
				_push(_t42);
				_t29 = E00E882C8(_t42, 0x10, _a8, _a12, 0);
				_t56 = _t29;
				_v12 = _t56;
				if(_t56 != 0) {
					_t39 =  *_t56;
					_t53 =  *((intOrPtr*)(_t56 + 4));
					_v8 = _t39;
					_t30 = E00E88F8E( *0xe8a7f8, _a4, _t52);
					if(_t39 == 0) {
						_push(0x1bc1);
						_push( *0xe8a7f8);
						_t30 = E00E88F8E();
					}
					_a8 = _a8 & 0x00000000;
					if(_t39 > 0) {
						do {
							_push( *_t53);
							_t58 =  *((intOrPtr*)(_t53 + 4));
							_push(_a8);
							_a4 = _t58;
							printf("    [%d] %s");
							_t60 = _t60 + 0xc;
							if(_t58 != 0) {
								_push(0x1bda);
								_push( *0xe8a7f8);
								E00E88F8E();
							}
							_a12 = _a12 & 0x00000000;
							_t59 =  *((intOrPtr*)(_t53 + 8));
							if(_a4 > 0) {
								do {
									_push( *_t59);
									_push(_a12);
									printf("      [%d] %s");
									_t60 = _t60 + 0xc;
									if( *((intOrPtr*)(_t59 + 4)) == 0) {
										printf("\n");
									} else {
										_push(0x1bdb);
										_push( *0xe8a7f8);
										E00E88F8E();
										E00E828A5(L"    ",  *((intOrPtr*)(_t59 + 8)),  *((intOrPtr*)(_t59 + 4)));
									}
									_a12 = _a12 + 1;
									_t59 = _t59 + 0xc;
								} while (_a12 < _a4);
							}
							_a8 = _a8 + 1;
							_t30 = _a8;
							_t53 = _t53 + 0xc;
						} while (_a8 < _v8);
						_t56 = _v12;
					}
					_t29 = E00E88F35(_t30, _t56);
				}
				return _t29;
			}

0x00e82c77
0x00e82c78
0x00e82c84
0x00e82c89
0x00e82c8b
0x00e82c90
0x00e82c97
0x00e82c9d
0x00e82ca6
0x00e82ca9
0x00e82cb2
0x00e82cb4
0x00e82cb9
0x00e82cbf
0x00e82cc5
0x00e82cc6
0x00e82ccc
0x00e82cd8
0x00e82cd8
0x00e82cda
0x00e82cdd
0x00e82ce0
0x00e82ce8
0x00e82cea
0x00e82cef
0x00e82cf1
0x00e82cf6
0x00e82cfc
0x00e82d02
0x00e82d03
0x00e82d0b
0x00e82d0e
0x00e82d10
0x00e82d10
0x00e82d12
0x00e82d1a
0x00e82d1c
0x00e82d23
0x00e82d4e
0x00e82d25
0x00e82d25
0x00e82d2a
0x00e82d30
0x00e82d42
0x00e82d42
0x00e82d51
0x00e82d57
0x00e82d5a
0x00e82d10
0x00e82d5f
0x00e82d62
0x00e82d65
0x00e82d68
0x00e82d71
0x00e82d71
0x00e82d75
0x00e82d7b
0x00e82d7e

APIs

Part of subcall function 00E882C8: CryptDecodeObject.CRYPT32(00010001,?,?,?,00000001,00000000,?), ref: 00E882FF
Part of subcall function 00E882C8: CryptDecodeObject.CRYPT32(00010001,?,?,?,00000001,00000000,12345678), ref: 00E8832B

Part of subcall function 00E88F8E: LoadStringW.USER32(?,00E81A8A,CertMgr Succeeded,00000000), ref: 00E88FA6
Part of subcall function 00E88F8E: vwprintf.MSVCRT ref: 00E88FB1

printf.MSVCRT ref: 00E82CE8
printf.MSVCRT ref: 00E82D1A
printf.MSVCRT ref: 00E82D4E

Strings

[%d] %s, xrefs: 00E82CE3
[%d] %s, xrefs: 00E82D15
, xrefs: 00E82D3D

Memory Dump Source

Source File: 00000001.00000002.222199983.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000001.00000002.222197026.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.222206325.0000000000E8A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.222208904.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e80000_CertMgr.jbxd

Similarity

API ID: printf$CryptDecodeObject$LoadStringvwprintf
String ID: $ [%d] %s$ [%d] %s
API String ID: 1559741091-2298187835
Opcode ID: 0be3c49b3767a25dc3d756494d029189b7f1783d4f466ebbcb7fd9d769f22119
Instruction ID: 03d1a5403d6fd212ed58e07a7db07aee5a7d8121251931e76a9867c4fadd662c
Opcode Fuzzy Hash: 0be3c49b3767a25dc3d756494d029189b7f1783d4f466ebbcb7fd9d769f22119
Instruction Fuzzy Hash: 10319A36500208BFEF10AF41DD42A9D7BB2FB04720F15A51AFE1C361A1CB71A9919B91

Uniqueness

Uniqueness Score: -1.00%

Function 00E821ED, Relevance: 10.6, APIs: 7, Instructions: 88encryptionCOMMON

Download Yara Rule

APIs

CertEnumCTLsInStore.CRYPT32(?,00000000), ref: 00E82223
realloc.MSVCRT ref: 00E8223E
CertDuplicateCRLContext.CRYPT32(?), ref: 00E8224F
CertEnumCTLsInStore.CRYPT32(?,?), ref: 00E8226A
CertFreeCRLContext.CRYPT32(00000000), ref: 00E8228C
CertFreeCRLContext.CRYPT32(00000000), ref: 00E822AE
free.MSVCRT(?), ref: 00E822BC

Memory Dump Source

Source File: 00000001.00000002.222199983.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000001.00000002.222197026.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.222206325.0000000000E8A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.222208904.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e80000_CertMgr.jbxd

Similarity

API ID: Cert$Context$EnumFreeStore$Duplicatefreerealloc
String ID:
API String ID: 2405492650-0
Opcode ID: cc8d14f30a050d1f7f99b7522616f043001d8f8744c994a3feb29542c799d3b7
Instruction ID: 6108b203193d68c8837ff3139063ee3ddd9f55ef0c0a77ecc2c16647f71dab64
Opcode Fuzzy Hash: cc8d14f30a050d1f7f99b7522616f043001d8f8744c994a3feb29542c799d3b7
Instruction Fuzzy Hash: DB317871400208EFDB22AF59C844AADBBF5FF84325F20846EE95CA7260D7319E82DF10

Uniqueness

Uniqueness Score: -1.00%

Function 00E83155, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00E83155(void* __ebx, void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr* _t8;
				intOrPtr _t10;
				int _t11;
				char* _t22;
				void* _t32;
				intOrPtr* _t36;

				_t8 = E00E882C8(__ecx, 0x1a, _a8, _a12, 0);
				_t36 = _t8;
				if(_t36 != 0) {
					E00E88F8E( *0xe8a7f8, _a4, _t32);
					_t10 =  *_t36;
					if(_t10 != 1) {
						if(_t10 == 0) {
							_push(0x1bc1);
							_push( *0xe8a7f8);
							_t11 = E00E88F8E();
							L8:
							L9:
							return E00E88F35(_t11, _t36);
						}
						_t22 = "\n";
						printf(_t22);
						E00E828A5(L"    ",  *(_t36 + 4),  *_t36);
						E00E88F8E( *0xe8a7f8, 0x1b73,  *((intOrPtr*)(_t36 + 8)));
						_t11 = printf(_t22);
						goto L9;
					}
					_push( *( *(_t36 + 4)) & 0x000000ff);
					printf(" %02X");
					_t19 =  *((intOrPtr*)(_t36 + 8));
					if( *((intOrPtr*)(_t36 + 8)) != 0) {
						E00E88F8E( *0xe8a7f8, 0x1b73, _t19);
					}
					_t11 = printf("\n");
					goto L8;
				}
				return _t8;
			}

0x00e83165
0x00e8316a
0x00e8316e
0x00e8317e
0x00e83183
0x00e8318a
0x00e831c8
0x00e83205
0x00e8320a
0x00e83210
0x00e83216
0x00e83217
0x00000000
0x00e8321d
0x00e831d1
0x00e831d7
0x00e831e4
0x00e831f7
0x00e831fd
0x00000000
0x00e83202
0x00e83198
0x00e8319e
0x00e831a0
0x00e831a7
0x00e831b5
0x00e831ba
0x00e831c2
0x00000000
0x00e831c2
0x00e83220

APIs

Part of subcall function 00E882C8: CryptDecodeObject.CRYPT32(00010001,?,?,?,00000001,00000000,?), ref: 00E882FF
Part of subcall function 00E882C8: CryptDecodeObject.CRYPT32(00010001,?,?,?,00000001,00000000,12345678), ref: 00E8832B

Part of subcall function 00E88F8E: LoadStringW.USER32(?,00E81A8A,CertMgr Succeeded,00000000), ref: 00E88FA6
Part of subcall function 00E88F8E: vwprintf.MSVCRT ref: 00E88FB1

printf.MSVCRT ref: 00E8319E
printf.MSVCRT ref: 00E831C2
printf.MSVCRT ref: 00E831D7
printf.MSVCRT ref: 00E831FD

Strings

%02X, xrefs: 00E83199
, xrefs: 00E831DF

Memory Dump Source

Source File: 00000001.00000002.222199983.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000001.00000002.222197026.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.222206325.0000000000E8A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.222208904.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e80000_CertMgr.jbxd

Similarity

API ID: printf$CryptDecodeObject$LoadStringvwprintf
String ID: $ %02X
API String ID: 1559741091-2119626176
Opcode ID: 762142aab1dee6adcb35365cb6a7c29d7df9441c69341802335042cc33a9ade4
Instruction ID: 4c4c34d8486b11cfb8f6e99b15cb98035df4db2e1571dda83d0f8db006824109
Opcode Fuzzy Hash: 762142aab1dee6adcb35365cb6a7c29d7df9441c69341802335042cc33a9ade4
Instruction Fuzzy Hash: AD112B32204305BFE7113B65ED02D6E3BEAEF44B10B192026FA1C760B2DF62E951AB51

Uniqueness

Uniqueness Score: -1.00%

Function 00E8297C, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00E8297C(intOrPtr _a4, signed char* _a8, signed char* _a12) {
				signed char* _t13;
				signed char* _t21;

				E00E88F8E( *0xe8a7f8, 0x1b9c, _a4);
				_t13 = _a12;
				if(_t13 != 0) {
					if(__eflags > 0) {
						do {
							_t21 = 4;
							__eflags = _t13 - _t21;
							if(_t13 <= _t21) {
								_t21 = _t13;
							}
							_t13 = _t13 - _t21;
							while(1) {
								__eflags = _t21;
								if(_t21 <= 0) {
									goto L9;
								}
								_push( *_a8 & 0x000000ff);
								printf("%02X");
								_t21 = _t21 - 1;
								_t4 =  &_a8;
								 *_t4 =  &(_a8[1]);
								__eflags =  *_t4;
							}
							L9:
							printf(" ");
							__eflags = _t13;
						} while (_t13 > 0);
					}
				} else {
					_push("<NULL>");
					printf("%s");
				}
				return printf("\n");
			}

0x00e82991
0x00e82996
0x00e829a4
0x00e829b6
0x00e829b9
0x00e829bb
0x00e829bc
0x00e829be
0x00e829c0
0x00e829c0
0x00e829c2
0x00e829da
0x00e829da
0x00e829dc
0x00000000
0x00000000
0x00e829cc
0x00e829d2
0x00e829d5
0x00e829d6
0x00e829d6
0x00e829d6
0x00e829d9
0x00e829de
0x00e829e3
0x00e829e6
0x00e829e6
0x00e829ea
0x00e829a6
0x00e829a6
0x00e829b0
0x00e829b3
0x00e829f6

APIs

Part of subcall function 00E88F8E: LoadStringW.USER32(?,00E81A8A,CertMgr Succeeded,00000000), ref: 00E88FA6
Part of subcall function 00E88F8E: vwprintf.MSVCRT ref: 00E88FB1

printf.MSVCRT ref: 00E829B0
printf.MSVCRT ref: 00E829E3
printf.MSVCRT ref: 00E829F0

Strings

<NULL>, xrefs: 00E829A6
%02X, xrefs: 00E829CD

Memory Dump Source

Source File: 00000001.00000002.222199983.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000001.00000002.222197026.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.222206325.0000000000E8A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.222208904.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e80000_CertMgr.jbxd

Similarity

API ID: printf$LoadStringvwprintf
String ID: %02X$<NULL>
API String ID: 3594943052-3318528641
Opcode ID: 58e613271216dfe13d1dc4f0f4c1e76aa66f72beb5fb81540fe9c149ec12755b
Instruction ID: 212d38f3d92828b5e984623fed3a74a48a89312434a1cf24b11b0dee814f6888
Opcode Fuzzy Hash: 58e613271216dfe13d1dc4f0f4c1e76aa66f72beb5fb81540fe9c149ec12755b
Instruction Fuzzy Hash: D8012D36744759BEA6217A81AC52D6E7B18EBD1BF1F29203FFF0C36081D9B258118761

Uniqueness

Uniqueness Score: -1.00%

Function 00E8900B, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E00E8900B(struct HINSTANCE__* _a4, int _a8, int _a12, int _a16, int _a20) {

				LoadStringW(_a4, _a8, "CertMgr Succeeded",  *0xe8a390);
				LoadStringW(_a4, _a12, 0xe8b4d8,  *0xe8a390);
				LoadStringW(_a4, _a16, 0xe8b0d8,  *0xe8a390);
				LoadStringW(_a4, _a20, 0xe8bcd8,  *0xe8a390);
				_push(0xe8bcd8);
				_push(0xe8b0d8);
				_push(0xe8b4d8);
				return wprintf("CertMgr Succeeded");
			}

0x00e8902a
0x00e8903d
0x00e89051
0x00e89065
0x00e89067
0x00e89068
0x00e89069
0x00e8907f

APIs

LoadStringW.USER32(0000177F,0000177E,CertMgr Succeeded,?), ref: 00E8902A
LoadStringW.USER32(0000177F,0000177D,00E8B4D8), ref: 00E8903D
LoadStringW.USER32(0000177F,00E81936,00E8B0D8), ref: 00E89051
LoadStringW.USER32(0000177F,?,00E8BCD8), ref: 00E89065
wprintf.MSVCRT ref: 00E89073

Strings

CertMgr Succeeded, xrefs: 00E8901F, 00E8906E

Memory Dump Source

Source File: 00000001.00000002.222199983.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000001.00000002.222197026.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.222206325.0000000000E8A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.222208904.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e80000_CertMgr.jbxd

Similarity

API ID: LoadString$wprintf
String ID: CertMgr Succeeded
API String ID: 698749725-2974366063
Opcode ID: 6fd6da6ac20a0e1b7223f2cb2e44f526873b3a8576dfaa37f37b13f6d7aeefbe
Instruction ID: 9c2e17e5eb9d2500f4131b2c9b334ade954737466444e0bd008cef6bbc59287b
Opcode Fuzzy Hash: 6fd6da6ac20a0e1b7223f2cb2e44f526873b3a8576dfaa37f37b13f6d7aeefbe
Instruction Fuzzy Hash: BEF0E732540218BF9F232F82DC06C9B3F2AEB967A570C5026FA1C31131C7328935EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E826A9, Relevance: 9.1, APIs: 6, Instructions: 138
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00E826A9(signed short* _a4, signed int* _a8, intOrPtr* _a12) {
				intOrPtr* _t21;
				intOrPtr* _t22;
				signed int _t28;
				char _t42;
				signed int _t45;
				signed char _t56;
				signed int* _t59;
				void* _t60;
				void* _t61;
				signed int* _t65;
				void* _t66;
				intOrPtr _t72;
				long _t73;
				long _t75;
				signed int _t77;
				signed short* _t80;
				void* _t81;

				if(_a4 == 0) {
					L27:
					return 0x80070057;
				}
				_t59 = _a8;
				if(_t59 == 0) {
					goto L27;
				}
				_t21 = _a12;
				if(_t21 == 0) {
					goto L27;
				}
				 *_t59 = 0;
				 *_t21 = 0;
				_t22 = _a4;
				_t60 = _t22 + 2;
				do {
					_t72 =  *_t22;
					_t22 = _t22 + 2;
				} while (_t72 != 0);
				if(_t22 - _t60 >> 1 == 0x28) {
					_t77 = E00E89241(0x14, 0, 0);
					 *_t59 = _t77;
					if(_t77 == 0) {
						goto L27;
					}
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_a8 = 0;
					_t80 = _a4;
					do {
						_t73 =  *_t80 & 0x0000ffff;
						_t28 = _t73 & 0x0000ffff;
						_t8 = _t28 - 0x30; // -48
						_t61 = _t8;
						if(_t61 > 9 || _t61 < 0) {
							if((towupper(_t73) & 0x0000ffff) - 0x41 < 0 || (towupper( *_t80 & 0x0000ffff) & 0x0000ffff) - 0x41 > 5) {
								goto L24;
							} else {
								_t42 = (towupper( *_t80 & 0x0000ffff) & 0x0000ffff) - 0x37;
								goto L15;
							}
						} else {
							_t42 = _t28 + 0xffffffd0;
							L15:
							_t65 = _a8;
							 *((char*)(_t65 +  *_t59)) = _t42;
							 *( *_t59 + _t65) =  *( *_t59 + _t65) << 4;
							_t75 = _t80[1] & 0x0000ffff;
							_t45 = _t75 & 0x0000ffff;
							_t66 = _t45 - 0x30;
							if(_t66 > 9 || _t66 < 0) {
								if((towupper(_t75) & 0x0000ffff) - 0x41 < 0 || (towupper(_t80[1] & 0x0000ffff) & 0x0000ffff) - 0x41 > 5) {
									L24:
									_t32 =  *_t59;
									_t81 = 0x80070057;
									if( *_t59 != 0) {
										E00E88F35(_t32, _t32);
									}
									 *_t59 =  *_t59 & 0x00000000;
									L23:
									return _t81;
								} else {
									_t56 = (towupper(_t80[1] & 0x0000ffff) & 0x0000ffff) - 0x37;
									goto L21;
								}
							} else {
								_t56 = _t45 + 0xffffffd0;
								goto L21;
							}
						}
						L21:
						 *(_a8 +  *_t59) =  *(_a8 +  *_t59) | _t56;
						_a8 =  &(_a8[0]);
						_t80 =  &(_t80[2]);
					} while (_a8 < 0x14);
					_t81 = 0;
					 *_a12 = 0x14;
					goto L23;
				}
				return 0x80004005;
			}

0x00e826b6
0x00e827fd
0x00000000
0x00e827fd
0x00e826bc
0x00e826c1
0x00000000
0x00000000
0x00e826c7
0x00e826cc
0x00000000
0x00000000
0x00e826d2
0x00e826d4
0x00e826d6
0x00e826d9
0x00e826dc
0x00e826dc
0x00e826e0
0x00e826e1
0x00e826ed
0x00e82702
0x00e82704
0x00e82708
0x00000000
0x00000000
0x00e82710
0x00e82711
0x00e82712
0x00e82713
0x00e82714
0x00e8271b
0x00e8271e
0x00e82721
0x00e82721
0x00e82724
0x00e82727
0x00e82727
0x00e8272d
0x00e82742
0x00000000
0x00e8275e
0x00e82768
0x00000000
0x00e82768
0x00e82733
0x00e82733
0x00e8276b
0x00e8276d
0x00e82770
0x00e82777
0x00e8277a
0x00e8277e
0x00e82781
0x00e82787
0x00e8279c
0x00e827e7
0x00e827e7
0x00e827e9
0x00e827f0
0x00e827f3
0x00e827f3
0x00e827f8
0x00e827e3
0x00000000
0x00e827b1
0x00e827bc
0x00000000
0x00e827bc
0x00e8278d
0x00e8278d
0x00000000
0x00e8278d
0x00e82787
0x00e827bf
0x00e827c6
0x00e827c8
0x00e827cb
0x00e827ce
0x00e827db
0x00e827dd
0x00000000
0x00e827dd
0x00000000

APIs

Part of subcall function 00E89241: malloc.MSVCRT ref: 00E8924A

towupper.MSVCRT ref: 00E82739
towupper.MSVCRT ref: 00E8274C
towupper.MSVCRT ref: 00E82762
towupper.MSVCRT ref: 00E82793
towupper.MSVCRT ref: 00E827A3
towupper.MSVCRT ref: 00E827B6

Memory Dump Source

Source File: 00000001.00000002.222199983.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000001.00000002.222197026.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.222206325.0000000000E8A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.222208904.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e80000_CertMgr.jbxd

Similarity

API ID: towupper$malloc
String ID:
API String ID: 655879201-0
Opcode ID: 7ff3c199298caca85a88315fd94ba3eebc541dd6b02a3bb11b4c7aa6479fa3a7
Instruction ID: 47aaff68215b35a8b2dd9f1010f6172c5e6421b8708c17652c05720fd7b9a772
Opcode Fuzzy Hash: 7ff3c199298caca85a88315fd94ba3eebc541dd6b02a3bb11b4c7aa6479fa3a7
Instruction Fuzzy Hash: 504169791001B19BDB14AF2ACC8497977E8FF51725B10805FFA9DDF294C235C840EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00E83E22, Relevance: 9.1, APIs: 6, Instructions: 136
timeCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E00E83E22(short* __edx, void* __edi, FILETIME* _a4) {
				signed int _v8;
				short _v108;
				short _v208;
				struct _SYSTEMTIME _v224;
				intOrPtr _v228;
				intOrPtr _v232;
				signed int _v236;
				intOrPtr _v240;
				intOrPtr _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				struct _FILETIME _v268;
				void* __ebx;
				void* __esi;
				signed int _t38;
				WCHAR* _t43;
				WCHAR* _t65;
				WCHAR* _t69;
				signed int _t72;
				short _t80;
				short _t82;
				void* _t85;
				short* _t87;
				void* _t88;
				signed int _t91;

				_t88 = __edi;
				_t87 = __edx;
				_t38 =  *0xe8a078; // 0xa9659deb
				_v8 = _t38 ^ _t91;
				_t90 = _a4;
				 *0xe8a870 = 0;
				if(_t90->dwLowDateTime != 0 || _t90->dwHighDateTime != 0) {
					_push(_t88);
					if(LoadStringW( *0xe8a7f8, 0x1b9d,  &_v208, 0x32) == 0 || LoadStringW( *0xe8a7f8, 0x1b9e,  &_v108, 0x32) == 0) {
						_t43 = 0xe8a870;
					} else {
						FileTimeToLocalFileTime(_t90,  &_v268);
						if(FileTimeToSystemTime( &_v268,  &_v224) == 0) {
							_push(_t90->dwLowDateTime);
							_t90 = 0xe8a870;
							E00E8341A(0xe8a870, 0x64,  &_v208,  *0x00E8A874);
						} else {
							_v260 = _v224.wSecond & 0x0000ffff;
							_v256 = _v224.wMinute & 0x0000ffff;
							_v252 = _v224.wHour & 0x0000ffff;
							_v248 = _v224.wDay & 0x0000ffff;
							_v244 = (_v224.wMonth & 0x0000ffff) - 1;
							_v240 = (_v224.wYear & 0x0000ffff) - 0x76c;
							_v236 = _v224.wDayOfWeek & 0x0000ffff;
							_v232 = 0;
							_v228 = 0;
							__imp___wasctime( &_v260);
							_t90 = 0xe8a870;
							E00E83386(0xe8a870, 0x64,  &_v260);
							_t65 = 0xe8a870;
							_t26 =  &(_t65[1]); // 0xe8a872
							_t87 = _t26;
							do {
								_t80 =  *_t65;
								_t65 =  &(_t65[1]);
							} while (_t80 != 0);
							 *((short*)(0xe8a86e + (_t65 - _t87 >> 1) * 2)) = 0;
							if(_v224.wMilliseconds != 0) {
								_t69 = 0xe8a870;
								_t30 =  &(_t69[1]); // 0xe8a872
								_t87 = _t30;
								do {
									_t82 =  *_t69;
									_t69 =  &(_t69[1]);
								} while (_t82 != 0);
								_push(_v224.wMilliseconds & 0x0000ffff);
								_push( &_v108);
								_t72 = _t69 - _t87 >> 1;
								_t85 = 0x64;
								_push(_t85 - _t72);
								_push( &(0xe8a870[_t72]));
								E00E8341A();
							}
						}
						_t43 = _t90;
					}
					_pop(_t88);
				} else {
					_t90 = 0xe8a870;
					LoadStringW( *0xe8a7f8, 0x1c0c, 0xe8a870, 0x64);
					_t43 = 0xe8a870;
				}
				return E00E886C7(_t43, 0, _v8 ^ _t91, _t87, _t88, _t90);
			}

0x00e83e22
0x00e83e22
0x00e83e2d
0x00e83e34
0x00e83e3b
0x00e83e40
0x00e83e48
0x00e83e6f
0x00e83e8e
0x00e83fdf
0x00e83eaf
0x00e83eb7
0x00e83ed3
0x00e83fbf
0x00e83fca
0x00e83fd3
0x00e83ed9
0x00e83ee0
0x00e83eed
0x00e83efa
0x00e83f07
0x00e83f15
0x00e83f27
0x00e83f34
0x00e83f41
0x00e83f47
0x00e83f4d
0x00e83f57
0x00e83f5d
0x00e83f62
0x00e83f64
0x00e83f64
0x00e83f67
0x00e83f67
0x00e83f6b
0x00e83f6c
0x00e83f77
0x00e83f86
0x00e83f88
0x00e83f8a
0x00e83f8a
0x00e83f8d
0x00e83f8d
0x00e83f91
0x00e83f92
0x00e83f9e
0x00e83fa2
0x00e83fa7
0x00e83fa9
0x00e83fac
0x00e83fb4
0x00e83fb5
0x00e83fba
0x00e83f86
0x00e83fdb
0x00e83fdb
0x00e83fe4
0x00e83e4f
0x00e83e51
0x00e83e62
0x00e83e68
0x00e83e68
0x00e83ff2

APIs

LoadStringW.USER32(00001C0C,00E8A870,00000064), ref: 00E83E62
LoadStringW.USER32(00001B9D,?,00000032), ref: 00E83E8A
LoadStringW.USER32(00001B9E,?,00000032), ref: 00E83EA5
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00E83EB7
FileTimeToSystemTime.KERNEL32(?,?), ref: 00E83ECB
_wasctime.MSVCRT ref: 00E83F4D

Memory Dump Source

Source File: 00000001.00000002.222199983.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000001.00000002.222197026.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.222206325.0000000000E8A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.222208904.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e80000_CertMgr.jbxd

Similarity

API ID: Time$FileLoadString$LocalSystem_wasctime
String ID:
API String ID: 3399651677-0
Opcode ID: c8b0e6958e456c10d94482ddf1a1203f60ed33e81414ec98852034a29d6ecde4
Instruction ID: e11843e93eeb040ee0d24e2652a8eda48e0e45d7088158baea03cac39e16e5f4
Opcode Fuzzy Hash: c8b0e6958e456c10d94482ddf1a1203f60ed33e81414ec98852034a29d6ecde4
Instruction Fuzzy Hash: 1D515071A002299EEB24AF65DC05FF9B7B8EB04B00F0444BAFA4DF6150E7759E85DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00E82100, Relevance: 9.1, APIs: 6, Instructions: 89encryptionCOMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 00E8214C
CertDuplicateCRLContext.CRYPT32(?), ref: 00E8215D
CertGetCRLFromStore.CRYPT32(?,00000000,00000000,?), ref: 00E8217C
CertFreeCRLContext.CRYPT32(?), ref: 00E821A1
CertFreeCRLContext.CRYPT32(00000000), ref: 00E821C2
free.MSVCRT(?), ref: 00E821D0

Memory Dump Source

Source File: 00000001.00000002.222199983.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000001.00000002.222197026.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.222206325.0000000000E8A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.222208904.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e80000_CertMgr.jbxd

Similarity

API ID: Cert$Context$Free$DuplicateFromStorefreerealloc
String ID:
API String ID: 420543247-0
Opcode ID: e6f0dce59030a74aa4daf3a3b118340349ad00a0b6f1cacffebf0a18c55f4529
Instruction ID: ba2f3c7b3a04a3f23ff2877f84d8ad1bb737a23f6a39138e9a41b64e5fc03d1f
Opcode Fuzzy Hash: e6f0dce59030a74aa4daf3a3b118340349ad00a0b6f1cacffebf0a18c55f4529
Instruction Fuzzy Hash: 2E312876901249EFDB21AF95CC8889DBBF5FB44358B3084AEEB59A7210C7319E45DF10

Uniqueness

Uniqueness Score: -1.00%

Function 00E840DE, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00E882C8: CryptDecodeObject.CRYPT32(00010001,?,?,?,00000001,00000000,?), ref: 00E882FF
Part of subcall function 00E882C8: CryptDecodeObject.CRYPT32(00010001,?,?,?,00000001,00000000,12345678), ref: 00E8832B

printf.MSVCRT ref: 00E8412D

Part of subcall function 00E88F8E: LoadStringW.USER32(?,00E81A8A,CertMgr Succeeded,00000000), ref: 00E88FA6
Part of subcall function 00E88F8E: vwprintf.MSVCRT ref: 00E88FB1

Strings

%s (%S), xrefs: 00E84128
<NULL>, xrefs: 00E84107, 00E84120, 00E84127
, xrefs: 00E8413A, 00E84159, 00E84181, 00E841EC, 00E84222
(, xrefs: 00E841D1

Memory Dump Source

Source File: 00000001.00000002.222199983.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000001.00000002.222197026.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.222206325.0000000000E8A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.222208904.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e80000_CertMgr.jbxd

Similarity

API ID: CryptDecodeObject$LoadStringprintfvwprintf
String ID: $%s (%S)$($<NULL>
API String ID: 3576710509-3389890325
Opcode ID: 77188748d4d56bf743c17ddd1b32f419c85c8bc1348dbee136cceba269bf1105
Instruction ID: 8c872c9fb257fc76afb85d93bee97a1315c35b1ce24752411d4ad7e4e47236a2
Opcode Fuzzy Hash: 77188748d4d56bf743c17ddd1b32f419c85c8bc1348dbee136cceba269bf1105
Instruction Fuzzy Hash: 5731A272108305BEFB253B51ED46DAA37EAEB04714F44612AF70D350F1DF72A9859B22

Uniqueness

Uniqueness Score: -1.00%

Function 00E83FFA, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83encryptionCOMMON

Download Yara Rule

APIs

CertEnumCertificateContextProperties.CRYPT32(?,00000000), ref: 00E84008
CertGetCertificateContextProperty.CRYPT32(?,00000000,00000000,?), ref: 00E8404B
CertGetCertificateContextProperty.CRYPT32(?,00000000,00000000,?), ref: 00E8406B
CertEnumCertificateContextProperties.CRYPT32(?,00000000), ref: 00E840C0

Part of subcall function 00E88F8E: LoadStringW.USER32(?,00E81A8A,CertMgr Succeeded,00000000), ref: 00E88FA6
Part of subcall function 00E88F8E: vwprintf.MSVCRT ref: 00E88FB1

Strings

, xrefs: 00E84075

Memory Dump Source

Source File: 00000001.00000002.222199983.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000001.00000002.222197026.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.222206325.0000000000E8A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.222208904.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e80000_CertMgr.jbxd

Similarity

API ID: CertCertificateContext$EnumPropertiesProperty$LoadStringvwprintf
String ID:
API String ID: 1334782540-399585960
Opcode ID: e3f85961c64bb82bd26f8f1f815631a9fcae6a05d6ace6913c3c8ea8c2abf4f4
Instruction ID: 31d9d15637c21c3f13065c11ede331711448123d92c5900db51d349daa11512e
Opcode Fuzzy Hash: e3f85961c64bb82bd26f8f1f815631a9fcae6a05d6ace6913c3c8ea8c2abf4f4
Instruction Fuzzy Hash: 8B21A8B2900119FEEB217B95DD85CAF7AAEEF00394755203AFB0C710A1DB714E85A763

Uniqueness

Uniqueness Score: -1.00%

Function 00E82F08, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 82
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E00E82F08(void* __ecx, void* __esi, intOrPtr* _a4, char _a8) {
				void* __ebx;
				intOrPtr* _t19;
				char* _t28;
				intOrPtr _t30;
				intOrPtr* _t38;
				intOrPtr* _t40;
				void* _t42;

				_t30 = 0;
				_t19 = E00E882C8(__ecx, 0xb, _a4, _a8, 0);
				_t38 = _t19;
				if(_t38 != 0) {
					_push(0x1beb);
					_push( *0xe8a7f8);
					_t20 = E00E88F8E();
					if( *_t38 == 0) {
						L11:
						if( *((intOrPtr*)(_t38 + 8)) != 0) {
							_push(0x1bed);
							_push( *0xe8a7f8);
							_a8 =  *((intOrPtr*)( *((intOrPtr*)(_t38 + 0xc))));
							E00E88F8E();
							_t20 = E00E82E33(_t30, _a8);
						}
						return E00E88F35(_t20, _t38);
					}
					_t20 = E00E88F8E( *0xe8a7f8, 0x1bec, __esi);
					_t40 =  *((intOrPtr*)(_t38 + 4));
					_a8 = 0;
					if( *_t38 <= 0) {
						L10:
						goto L11;
					} else {
						goto L3;
					}
					do {
						L3:
						_t30 = 0;
						if( *_t40 == 0) {
							_push("<NULL>");
							_push(_a8);
							printf("     [%d,*] %s\n");
							_t42 = _t42 + 0xc;
						}
						_a4 =  *((intOrPtr*)(_t40 + 4));
						if( *_t40 > 0) {
							do {
								_t28 =  *_a4;
								if(_t28 == 0) {
									_t28 = "<NULL>";
								}
								_push(_t28);
								_push(_t30);
								_push(_a8);
								printf("     [%d,%d] %s\n");
								_a4 = _a4 + 4;
								_t42 = _t42 + 0x10;
								_t30 = _t30 + 1;
							} while (_t30 <  *_t40);
						}
						_a8 = _a8 + 1;
						_t20 = _a8;
						_t40 = _t40 + 8;
					} while (_a8 <  *_t38);
					goto L10;
				}
				return _t19;
			}

0x00e82f0f
0x00e82f1a
0x00e82f1f
0x00e82f23
0x00e82f29
0x00e82f2e
0x00e82f34
0x00e82f3d
0x00e82fbb
0x00e82fbf
0x00e82fc6
0x00e82fcb
0x00e82fd1
0x00e82fd4
0x00e82fde
0x00e82fde
0x00000000
0x00e82fe4
0x00e82f4b
0x00e82f50
0x00e82f55
0x00e82f5a
0x00e82fba
0x00000000
0x00000000
0x00000000
0x00000000
0x00e82f5c
0x00e82f5c
0x00e82f5c
0x00e82f60
0x00e82f62
0x00e82f67
0x00e82f6f
0x00e82f75
0x00e82f75
0x00e82f7e
0x00e82f81
0x00e82f83
0x00e82f86
0x00e82f8a
0x00e82f8c
0x00e82f8c
0x00e82f91
0x00e82f92
0x00e82f93
0x00e82f9b
0x00e82fa1
0x00e82fa5
0x00e82fa8
0x00e82fa9
0x00e82f83
0x00e82fad
0x00e82fb0
0x00e82fb3
0x00e82fb6
0x00000000
0x00e82f5c
0x00e82fec

APIs

Part of subcall function 00E882C8: CryptDecodeObject.CRYPT32(00010001,?,?,?,00000001,00000000,?), ref: 00E882FF
Part of subcall function 00E882C8: CryptDecodeObject.CRYPT32(00010001,?,?,?,00000001,00000000,12345678), ref: 00E8832B

Part of subcall function 00E88F8E: LoadStringW.USER32(?,00E81A8A,CertMgr Succeeded,00000000), ref: 00E88FA6
Part of subcall function 00E88F8E: vwprintf.MSVCRT ref: 00E88FB1

printf.MSVCRT ref: 00E82F6F
printf.MSVCRT ref: 00E82F9B

Strings

[%d,%d] %s, xrefs: 00E82F96
[%d,*] %s, xrefs: 00E82F6A
<NULL>, xrefs: 00E82F62, 00E82F8C

Memory Dump Source

Source File: 00000001.00000002.222199983.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000001.00000002.222197026.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.222206325.0000000000E8A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.222208904.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e80000_CertMgr.jbxd

Similarity

API ID: CryptDecodeObjectprintf$LoadStringvwprintf
String ID: [%d,%d] %s$ [%d,*] %s$<NULL>
API String ID: 3954790218-3661550745
Opcode ID: 91b5e7d8d055dae04dbb8e6402c36589503a2ac63876d3734dd579322c0071db
Instruction ID: 853e0685a8abe2be514351aea23af04ea7056f5b904421c295e947e3bd96952a
Opcode Fuzzy Hash: 91b5e7d8d055dae04dbb8e6402c36589503a2ac63876d3734dd579322c0071db
Instruction Fuzzy Hash: C021BD35208309BFEB117FA5D881D997BB5FB00365B24A02EFF1C7A251D732A990CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00E88FC0, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00E88FC0(struct HINSTANCE__* _a4, char _a8, int _a12) {

				_t1 =  &_a8; // 0xe8585d
				LoadStringW(_a4,  *_t1, 0xe8acd8,  *0xe8a390);
				LoadStringW(_a4, _a12, 0xe8b4d8,  *0xe8a390);
				_push(0xe8b4d8);
				return wprintf(0xe8acd8);
			}

0x00e88fda
0x00e88fe0
0x00e88ff4
0x00e88ff6
0x00e89003

APIs

LoadStringW.USER32(?,]X,CertMgr Succeeded,-00001BAE), ref: 00E88FE0
LoadStringW.USER32(?,?,00E8B4D8), ref: 00E88FF4
wprintf.MSVCRT ref: 00E88FF8

Strings

CertMgr Succeeded, xrefs: 00E88FD4, 00E88FD9, 00E88FF7
]X, xrefs: 00E88FDA

Memory Dump Source

Source File: 00000001.00000002.222199983.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000001.00000002.222197026.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.222206325.0000000000E8A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.222208904.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e80000_CertMgr.jbxd

Similarity

API ID: LoadString$wprintf
String ID: CertMgr Succeeded$]X
API String ID: 698749725-3773154439
Opcode ID: 0cb45cbe18b58c6eaaade138a1571809a062741f2119557262a40e9f418b21a2
Instruction ID: 571e649eaf2bc413efc8e671249c84a65bf7dc2619c9c3f17fc4efd232720b35
Opcode Fuzzy Hash: 0cb45cbe18b58c6eaaade138a1571809a062741f2119557262a40e9f418b21a2
Instruction Fuzzy Hash: 88E012371042587F9B122F43EC45C5B7F6DE7C63747184027F91C2212196329821EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E81CD9, Relevance: 7.6, APIs: 5, Instructions: 91encryptionCOMMON

Download Yara Rule

APIs

CertGetCRLFromStore.CRYPT32(?,00000000,00000000,?), ref: 00E81D0D
CertGetCRLContextProperty.CRYPT32(?,00000003,00000000,?), ref: 00E81D2F
CertGetCRLContextProperty.CRYPT32(?,00000003,00000000,?), ref: 00E81D50
CertGetCRLFromStore.CRYPT32(?,00000000,?,?), ref: 00E81D79
CertFreeCRLContext.CRYPT32(?), ref: 00E81DAB

Memory Dump Source

Source File: 00000001.00000002.222199983.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000001.00000002.222197026.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.222206325.0000000000E8A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.222208904.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e80000_CertMgr.jbxd

Similarity

API ID: Cert$Context$FromPropertyStore$Free
String ID:
API String ID: 1268920413-0
Opcode ID: 8561ed851e03c1e35afe9ee43b4844d46b375d139de76ad684630831d756670a
Instruction ID: cfe9479c169df04b06fc24206036e478b6e07e50bb04d24167b178226340aefc
Opcode Fuzzy Hash: 8561ed851e03c1e35afe9ee43b4844d46b375d139de76ad684630831d756670a
Instruction Fuzzy Hash: AB31E371D01229FFCB22EB95CD44AEEBBBDEF08765B1450A6A80DB2150D7309E42DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E81C45, Relevance: 7.6, APIs: 5, Instructions: 61encryptionCOMMON

Download Yara Rule

APIs

CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 00E81C82
CertSetCertificateContextProperty.CRYPT32(00000000,0000000B,00000000,00000000), ref: 00E81C97
CertSetCertificateContextProperty.CRYPT32(00000000,0000000B,00000000,?), ref: 00E81CA6
CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 00E81CB0
CertFreeCertificateContext.CRYPT32(00000000), ref: 00E81CC4

Memory Dump Source

Source File: 00000001.00000002.222199983.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000001.00000002.222197026.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.222206325.0000000000E8A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.222208904.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e80000_CertMgr.jbxd

Similarity

API ID: Cert$CertificateContext$CertificatesEnumPropertyStore$Free
String ID:
API String ID: 1316045383-0
Opcode ID: a0a82f9c292a350904d36e3e0e29a514982a263562a0ebc54d7d3a36f9f5239b
Instruction ID: 68da90bc60a8b9f2733186059c4bbfd375146f33e6ecbc89b4edd89b9dc69a34
Opcode Fuzzy Hash: a0a82f9c292a350904d36e3e0e29a514982a263562a0ebc54d7d3a36f9f5239b
Instruction Fuzzy Hash: 4B114832540205BFD7269B59CC44FAEB7BDEB84744F2400A5E50CFB280DB70DE068B50

Uniqueness

Uniqueness Score: -1.00%

Function 00E844A1, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 40%

			E00E844A1(intOrPtr _a4, signed int _a8) {
				intOrPtr* _v8;
				void* __ecx;
				intOrPtr* _t15;
				int _t16;
				intOrPtr _t21;
				void* _t24;
				intOrPtr* _t33;
				intOrPtr _t35;
				signed int _t36;
				signed int _t37;
				void* _t38;
				intOrPtr* _t39;
				void* _t41;

				_push(_t24);
				_t15 = E00E882C8(_t24, 0x2a, _a4, _a8, 0);
				_t33 = _t15;
				_v8 = _t33;
				if(_t33 != 0) {
					_t21 =  *_t33;
					_t39 =  *((intOrPtr*)(_t33 + 4));
					_a4 = _t21;
					_t16 = E00E88F8E( *0xe8a7f8, 0x1bc0, _t38);
					if(_t21 == 0) {
						_push(0x1bc1);
						_push( *0xe8a7f8);
						_t16 = E00E88F8E();
					}
					_a8 = _a8 & 0x00000000;
					if(_t21 > 0) {
						do {
							_t35 =  *_t39;
							_push(E00E83272(_t16, _t35, 0));
							_push(_t35);
							_t36 = _a8;
							_push(_t36);
							printf("    [%d] %s (%S)");
							_t41 = _t41 + 0x10;
							if( *((intOrPtr*)(_t39 + 4)) == 0) {
								_t16 = printf("\n");
							} else {
								_push(0x1b64);
								_push( *0xe8a7f8);
								E00E88F8E();
								_t16 = E00E828A5(L"      ",  *((intOrPtr*)(_t39 + 8)),  *((intOrPtr*)(_t39 + 4)));
							}
							_t37 = _t36 + 1;
							_t39 = _t39 + 0xc;
							_a8 = _t37;
						} while (_t37 < _a4);
						_t33 = _v8;
					}
					_t15 = E00E88F35(_t16, _t33);
				}
				return _t15;
			}

0x00e844a6
0x00e844b2
0x00e844b7
0x00e844b9
0x00e844be
0x00e844c5
0x00e844c8
0x00e844d6
0x00e844d9
0x00e844e2
0x00e844e4
0x00e844e9
0x00e844ef
0x00e844f5
0x00e844f6
0x00e844fc
0x00e84504
0x00e84504
0x00e8450e
0x00e8450f
0x00e84510
0x00e84513
0x00e84519
0x00e8451b
0x00e84522
0x00e8454d
0x00e84524
0x00e84524
0x00e84529
0x00e8452f
0x00e84541
0x00e84541
0x00e84550
0x00e84551
0x00e84554
0x00e84557
0x00e8455c
0x00e8455c
0x00e84560
0x00e84566
0x00e84569

APIs

Part of subcall function 00E882C8: CryptDecodeObject.CRYPT32(00010001,?,?,?,00000001,00000000,?), ref: 00E882FF
Part of subcall function 00E882C8: CryptDecodeObject.CRYPT32(00010001,?,?,?,00000001,00000000,12345678), ref: 00E8832B

Part of subcall function 00E88F8E: LoadStringW.USER32(?,00E81A8A,CertMgr Succeeded,00000000), ref: 00E88FA6
Part of subcall function 00E88F8E: vwprintf.MSVCRT ref: 00E88FB1

printf.MSVCRT ref: 00E84519
printf.MSVCRT ref: 00E8454D

Strings

[%d] %s (%S), xrefs: 00E84514
, xrefs: 00E8453C

Memory Dump Source

Source File: 00000001.00000002.222199983.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000001.00000002.222197026.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.222206325.0000000000E8A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.222208904.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e80000_CertMgr.jbxd

Similarity

API ID: CryptDecodeObjectprintf$LoadStringvwprintf
String ID: $ [%d] %s (%S)
API String ID: 3954790218-4092857480
Opcode ID: 98184446ae7c26b3abaa008a43f11edb4b17b381d075f6390a7e19b30aec173e
Instruction ID: 4cb049c53a5ed41a4923bc2c6cc5d31d6cf53681b57b17781a3ca1cfff158b13
Opcode Fuzzy Hash: 98184446ae7c26b3abaa008a43f11edb4b17b381d075f6390a7e19b30aec173e
Instruction Fuzzy Hash: A411D276200305FBEB107F45DC42FAD77BAEB84B20F25A01AFA1C37190DB71A9419B51

Uniqueness

Uniqueness Score: -1.00%

Function 00E82A90, Relevance: 6.1, APIs: 4, Instructions: 77
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E00E82A90(void* __ebx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				void* __ecx;
				intOrPtr* _t9;
				intOrPtr _t18;
				void* _t22;
				void* _t24;
				intOrPtr* _t33;
				intOrPtr _t34;
				intOrPtr* _t36;

				_push(_t24);
				_v8 = 0;
				_t9 = E00E882C8(_t24, 6, _a4, _a8, 0);
				_t36 = _t9;
				if(_t36 == 0) {
					L9:
					return _t9;
				}
				E00E88F8E( *0xe8a7f8, 0x1bc4, __ebx);
				_t33 = __imp__CertRDNValueToStrW;
				_t4 = _t36 + 4; // 0x4
				_t22 =  *_t33( *_t36, _t4, 0, 0);
				if(_t22 > 1) {
					_t18 = E00E89241(_t22 + _t22, 0, 0);
					_v8 = _t18;
					if(_t18 != 0) {
						_t7 = _t36 + 4; // 0x4
						 *_t33( *_t36, _t7, _t18, _t22);
					}
				}
				E00E88F8E( *0xe8a7f8, 0x1bc5,  *_t36);
				_t34 = _v8;
				if(_t34 == 0) {
					_push(0x1b58);
					_push( *0xe8a7f8);
					E00E88F8E();
				} else {
					_push(_t34);
					wprintf(L"%s");
				}
				_t9 = E00E88F35(printf("\n"), _t36);
				if(_t34 != 0) {
					_t9 = E00E88F35(_t9, _t34);
				}
				goto L9;
			}

0x00e82a95
0x00e82a9e
0x00e82aa6
0x00e82aab
0x00e82aaf
0x00e82b56
0x00e82b59
0x00e82b59
0x00e82ac1
0x00e82aca
0x00e82ad0
0x00e82ad8
0x00e82add
0x00e82ae7
0x00e82aec
0x00e82af1
0x00e82af5
0x00e82afb
0x00e82afb
0x00e82af1
0x00e82b0a
0x00e82b0f
0x00e82b18
0x00e82b28
0x00e82b2d
0x00e82b33
0x00e82b1a
0x00e82b1a
0x00e82b20
0x00e82b20
0x00e82b47
0x00e82b4e
0x00e82b51
0x00e82b51
0x00000000

APIs

Part of subcall function 00E882C8: CryptDecodeObject.CRYPT32(00010001,?,?,?,00000001,00000000,?), ref: 00E882FF
Part of subcall function 00E882C8: CryptDecodeObject.CRYPT32(00010001,?,?,?,00000001,00000000,12345678), ref: 00E8832B

Part of subcall function 00E88F8E: LoadStringW.USER32(?,00E81A8A,CertMgr Succeeded,00000000), ref: 00E88FA6
Part of subcall function 00E88F8E: vwprintf.MSVCRT ref: 00E88FB1

CertRDNValueToStrW.CRYPT32(00000000,00000004,00000000,00000000), ref: 00E82AD6
CertRDNValueToStrW.CRYPT32(00000000,00000004,00000000,00000000), ref: 00E82AFB
wprintf.MSVCRT ref: 00E82B20
printf.MSVCRT ref: 00E82B3F

Part of subcall function 00E89241: malloc.MSVCRT ref: 00E8924A

Memory Dump Source

Source File: 00000001.00000002.222199983.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000001.00000002.222197026.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.222206325.0000000000E8A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.222208904.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e80000_CertMgr.jbxd

Similarity

API ID: CertCryptDecodeObjectValue$LoadStringmallocprintfvwprintfwprintf
String ID:
API String ID: 626385143-0
Opcode ID: 36b2b6a073645bf005766a815db6102c758911ece1be88b14d0d146c37926f1f
Instruction ID: 10d00a8c1215a4493a3e27bf30f147ccb7f655ba04a4aa70136426ee989cac61
Opcode Fuzzy Hash: 36b2b6a073645bf005766a815db6102c758911ece1be88b14d0d146c37926f1f
Instruction Fuzzy Hash: EF11A231500204BEE7217B529D0AE9B7BBEEBC1750B15111AFA0C77060EA7299419B60

Uniqueness

Uniqueness Score: -1.00%

Function 00E89192, Relevance: 6.1, APIs: 4, Instructions: 62
fileCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E00E89192(void* __eax, void* __ecx, intOrPtr _a4, void* _a8, long _a12) {
				long _v8;
				signed int _t12;
				signed int _t16;
				signed int _t18;
				void* _t22;
				signed int _t30;

				_v8 = 0;
				if(_a4 == 0 || _a8 == 0 || _a12 == 0) {
					_t12 = 0x80070057;
				} else {
					_push(0);
					_push(0);
					_push(2);
					_push(0);
					_push(0);
					_push(0x40000000);
					_push(_a4);
					E00E89349();
					_t22 = __eax;
					if(__eax != 0xffffffff) {
						if(WriteFile(__eax, _a8, _a12,  &_v8, 0) != 0) {
							asm("sbb esi, esi");
							_t30 =  ~(_v8 - _a12) & 0x80004005;
						} else {
							_t16 = GetLastError();
							if(_t16 > 0) {
								_t16 = _t16 & 0x0000ffff | 0x80070000;
							}
							_t30 = _t16;
						}
						CloseHandle(_t22);
					} else {
						_t18 = GetLastError();
						if(_t18 > 0) {
							_t18 = _t18 & 0x0000ffff | 0x80070000;
						}
						_t30 = _t18;
					}
					_t12 = _t30;
				}
				return _t12;
			}

0x00e8919b
0x00e891a1
0x00e89232
0x00e891b5
0x00e891b6
0x00e891b7
0x00e891b8
0x00e891ba
0x00e891bb
0x00e891bc
0x00e891c1
0x00e891c4
0x00e891c9
0x00e891ce
0x00e891fc
0x00e8921e
0x00e89220
0x00e891fe
0x00e891fe
0x00e89206
0x00e8920d
0x00e8920d
0x00e89212
0x00e89212
0x00e89227
0x00e891d0
0x00e891d0
0x00e891d8
0x00e891df
0x00e891df
0x00e891e4
0x00e891e4
0x00e8922d
0x00e8922f
0x00e89239

APIs

GetLastError.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000,00000000,00000001,00000000,?,00E87811,00000000,00000000), ref: 00E891D0
WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,40000000,00000000,00000000,00000002,00000000,00000000,00000000,00000001,00000000), ref: 00E891F4
GetLastError.KERNEL32(?,00E87811,00000000,00000000), ref: 00E891FE
CloseHandle.KERNEL32(00000000,?,00E87811,00000000,00000000), ref: 00E89227

Memory Dump Source

Source File: 00000001.00000002.222199983.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000001.00000002.222197026.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.222206325.0000000000E8A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.222208904.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e80000_CertMgr.jbxd

Similarity

API ID: ErrorLast$CloseFileHandleWrite
String ID:
API String ID: 2639859636-0
Opcode ID: 7df0cc1e1de2da7977e4c85d24c30f311df80d867614b2f16dae43accfbaf2fc
Instruction ID: fa91deffb82000bc32e37311529810563939580c8f14cc125576a8c81bedd914
Opcode Fuzzy Hash: 7df0cc1e1de2da7977e4c85d24c30f311df80d867614b2f16dae43accfbaf2fc
Instruction Fuzzy Hash: 3811A332D41025FFCB216A56AD0CAFE7A69EF41BA4F295225F91DF6061D2348D01E7D0

Uniqueness

Uniqueness Score: -1.00%

Function 00E8449A, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 77COMMON

Download Yara Rule

APIs

Part of subcall function 00E882C8: CryptDecodeObject.CRYPT32(00010001,?,?,?,00000001,00000000,?), ref: 00E882FF
Part of subcall function 00E882C8: CryptDecodeObject.CRYPT32(00010001,?,?,?,00000001,00000000,12345678), ref: 00E8832B

Part of subcall function 00E88F8E: LoadStringW.USER32(?,00E81A8A,CertMgr Succeeded,00000000), ref: 00E88FA6
Part of subcall function 00E88F8E: vwprintf.MSVCRT ref: 00E88FB1

printf.MSVCRT ref: 00E84519

Strings

[%d] %s (%S), xrefs: 00E84514
, xrefs: 00E8453C

Memory Dump Source

Source File: 00000001.00000002.222199983.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000001.00000002.222197026.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.222206325.0000000000E8A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.222208904.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e80000_CertMgr.jbxd

Similarity

API ID: CryptDecodeObject$LoadStringprintfvwprintf
String ID: $ [%d] %s (%S)
API String ID: 3576710509-4092857480
Opcode ID: a1df83b08e4c7573e7acbe909ab1665e0b192232648939e6ef93b4965f6bcd19
Instruction ID: 950ba0df38f6c14eb52415b737c23e1808ca53b3633c85f094e54e55aa35d41f
Opcode Fuzzy Hash: a1df83b08e4c7573e7acbe909ab1665e0b192232648939e6ef93b4965f6bcd19
Instruction Fuzzy Hash: B011D276500305BFEB107F45DC42F9D77B6EB84720F25A01AFA1C37191DB71A9419B51

Uniqueness

Uniqueness Score: -1.00%

Function 00E84FD3, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 65COMMON

Download Yara Rule

APIs

printf.MSVCRT ref: 00E85095

Strings

%s, xrefs: 00E85090
, xrefs: 00E85071

Memory Dump Source

Source File: 00000001.00000002.222199983.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000001.00000002.222197026.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.222206325.0000000000E8A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.222208904.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e80000_CertMgr.jbxd

Similarity

API ID: printf
String ID: $%s
API String ID: 3524737521-1620431320
Opcode ID: a242783f868827b6f24e1e23486ae59eeb789a8ed5500e8a94d49fe6a956b5aa
Instruction ID: ff18614c0d484fe0bc6fbba55fe226cc49a4f0bf00b28c68983fcf198f7daa14
Opcode Fuzzy Hash: a242783f868827b6f24e1e23486ae59eeb789a8ed5500e8a94d49fe6a956b5aa
Instruction Fuzzy Hash: 21116037688705FFF6213B40DD02CA57BA6EB04B10754642AF75E390F0AF625552AB43

Uniqueness

Uniqueness Score: -1.00%

Function 00E850E4, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

wprintf.MSVCRT ref: 00E8511B

Strings

%s, xrefs: 00E85116
, xrefs: 00E85141

Memory Dump Source

Source File: 00000001.00000002.222199983.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000001.00000002.222197026.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.222206325.0000000000E8A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.222208904.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e80000_CertMgr.jbxd

Similarity

API ID: wprintf
String ID: $%s
API String ID: 3614878089-1620431320
Opcode ID: c0ef65cb01b9d7913a8e43c599d7ed96da194efe74637199790cd8342e0c2772
Instruction ID: 85ca897943274e2c5cc7cb064bdc3d374020d3c143478468c99f4d155b0b1db7
Opcode Fuzzy Hash: c0ef65cb01b9d7913a8e43c599d7ed96da194efe74637199790cd8342e0c2772
Instruction Fuzzy Hash: 3501F933101F04FEEA247B40ED0AEA677EAEB04710B14201AF20E764D0EF62A940D751

Uniqueness

Uniqueness Score: -1.00%

Function 00E852CB, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00E852CB(intOrPtr* _a4, intOrPtr _a8) {
				void* __edi;
				intOrPtr* _t4;
				void* _t6;
				intOrPtr _t9;
				intOrPtr _t10;

				_t4 = _a4;
				_t10 =  *((intOrPtr*)(_t4 + 4));
				_t9 =  *_t4;
				_t6 = 0;
				if(_t9 > 0) {
					do {
						_push(_t6);
						wprintf(L"    [%d] ");
						_t4 = E00E84FD3(_t9, _t10, _a8);
						_t6 = _t6 + 1;
						_t10 = _t10 + 0xc;
					} while (_t6 < _t9);
				}
				return _t4;
			}

0x00e852d0
0x00e852d5
0x00e852d9
0x00e852db
0x00e852df
0x00e852e1
0x00e852e1
0x00e852e7
0x00e852f3
0x00e852f8
0x00e852f9
0x00e852fc
0x00e852e1
0x00e85304

APIs

wprintf.MSVCRT ref: 00E852E7

Strings

1.3.6.1.4.1.311.10.2, xrefs: 00E852D8
[%d] , xrefs: 00E852E2

Memory Dump Source

Source File: 00000001.00000002.222199983.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000001.00000002.222197026.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.222206325.0000000000E8A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.222208904.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e80000_CertMgr.jbxd

Similarity

API ID: wprintf
String ID: [%d] $1.3.6.1.4.1.311.10.2
API String ID: 3614878089-3478931004
Opcode ID: f6a3db377a47b9b2bfae9ea1c3f6af8d5ba7dd55185ef3522f1297c467ad01bb
Instruction ID: 20a48cd61958e4b3e06cbb4d547a2e2bc0843644a05c810013ec5855b3f0fcc8
Opcode Fuzzy Hash: f6a3db377a47b9b2bfae9ea1c3f6af8d5ba7dd55185ef3522f1297c467ad01bb
Instruction Fuzzy Hash: 1DE0DF372007146F96007BC8AC84C8AB3ADEAC93603265066FA0C631108AB2BC0243A4

Uniqueness

Uniqueness Score: -1.00%

Function 00E88F52, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E00E88F52(struct HINSTANCE__* _a4, intOrPtr _a8, int _a12) {
				signed int _t4;

				_t4 = LoadStringW(_a4, _a12, 0xe8acd8,  *0xe8a390);
				if(_t4 != 0) {
					_push(0xe8acd8);
					_push(_a8);
					L00E89332();
					return _t4;
				}
				return _t4 | 0xffffffff;
			}

0x00e88f6a
0x00e88f72
0x00e88f79
0x00e88f7a
0x00e88f7d
0x00000000
0x00e88f83
0x00000000

APIs

LoadStringW.USER32(?,?,CertMgr Succeeded,?), ref: 00E88F6A
_wcsicmp.MSVCRT ref: 00E88F7D

Strings

CertMgr Succeeded, xrefs: 00E88F5E, 00E88F63, 00E88F79

Memory Dump Source

Source File: 00000001.00000002.222199983.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000001.00000002.222197026.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.222206325.0000000000E8A000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.222208904.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e80000_CertMgr.jbxd

Similarity

API ID: LoadString_wcsicmp
String ID: CertMgr Succeeded
API String ID: 129124420-2974366063
Opcode ID: 245cc5a8228b3788d0c47400b70fcf363cff9147554261ea9caa2ebbfa1c3448
Instruction ID: fc542b725070d2dc9bf2f06a9cc09dd06334a1f8d741a8c634448a734d929413
Opcode Fuzzy Hash: 245cc5a8228b3788d0c47400b70fcf363cff9147554261ea9caa2ebbfa1c3448
Instruction Fuzzy Hash: 64E0C232148218BB9B213F53EC09DDB3F5EEF523B47185226F92C701B0DA328820E790

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: wdreg.exe PID: 1240 Parent PID: 5288 wdreg.exeCOMMON

Executed Functions

Function 0000000140001C10, Relevance: 238.8, APIs: 76, Strings: 60, Instructions: 831COMMON

Download Yara Rule

Strings

CM_Get_Sibling, xrefs: 0000000140002B71, 0000000140002B99, 0000000140002BC8
SetupDiGetINFClassA, xrefs: 0000000140002433
DriverPackageUninstallA, xrefs: 0000000140002888
%sCannot load library setupapi.dll: %s, xrefs: 0000000140001D17
CMP_WaitNoPendingInstallEvents, xrefs: 0000000140002607
SetupGetStringFieldA, xrefs: 00000001400022AD
%sCannot load library difxapi.dll: %s, xrefs: 0000000140001E03
CM_Locate_DevNodeA, xrefs: 00000001400028F1, 0000000140002919, 000000014000294F
SetupDiGetDeviceInstallParamsA, xrefs: 00000001400024A8
SetupDiCreateDeviceInfoA, xrefs: 00000001400023E5
DriverPackageGetPathA, xrefs: 0000000140002828
SetupCloseInfFile, xrefs: 0000000140002349
cfgmgr32.dll, xrefs: 0000000140001D4E
SetupCopyOEMInfA, xrefs: 000000014000225F
%sCannot find the function %s in %s: %s, xrefs: 0000000140001E96, 0000000140001F2B, 0000000140001FC3, 000000014000205E, 00000001400020FD
CM_Get_Parent, xrefs: 0000000140002AF3, 0000000140002B1B, 0000000140002B4A
SetupDiGetDeviceInstanceIdA, xrefs: 00000001400024CF
%sCannot load library newdev.dll: %s, xrefs: 0000000140001CA5
SetupDiSetDeviceRegistryPropertyA, xrefs: 0000000140002211
SetupQueryInfOriginalFileInformationA, xrefs: 000000014000267C
SetupDiGetDeviceRegistryPropertyA, xrefs: 0000000140001F6A, 0000000140001FBC
CM_Get_Device_IDA, xrefs: 0000000140002BEF, 0000000140002C17, 0000000140002C46
UpdateDriverForPlugAndPlayDevicesA, xrefs: 00000001400021E4
%sCannot load library cfgmgr32.dll: %s, xrefs: 0000000140001D8D
CM_Reenumerate_DevNode, xrefs: 0000000140002979, 00000001400029A1, 00000001400029D0
SetupOpenInfFileA, xrefs: 0000000140002322
DriverPackagePreinstallA, xrefs: 0000000140002868
SetupGetFieldCount, xrefs: 00000001400022D4
SetupInstallFilesFromInfSectionA, xrefs: 00000001400024F6
SetupCommitFileQueueA, xrefs: 000000014000251D
CM_Get_Device_ID_Size, xrefs: 0000000140002C6D, 0000000140002C95, 0000000140002CB0
SetupFindFirstLineA, xrefs: 0000000140002370
setupapi.dll, xrefs: 0000000140001CD0
SetupDiGetSelectedDriverA, xrefs: 0000000140002655
SetupDiGetClassDevsA, xrefs: 0000000140001E40, 0000000140001E8F
DIFXAPISetLogCallbackA, xrefs: 0000000140002804
SetupInitDefaultQueueCallback, xrefs: 0000000140002592
SetupDiDestroyDeviceInfoList, xrefs: 00000001400020A0, 00000001400020F6
SetupGetInfFileListA, xrefs: 00000001400026F1
DriverPackageInstallA, xrefs: 0000000140002848
SetupDiOpenDeviceInfoA, xrefs: 0000000140002238
SetupFindNextLine, xrefs: 00000001400022FB
CM_Get_Child, xrefs: 0000000140002A75, 0000000140002A9D, 0000000140002ACC
SetupDiRemoveDevice, xrefs: 0000000140002397
difxapi.dll, xrefs: 0000000140001DC1
SetupOpenFileQueue, xrefs: 0000000140002544
SetupDiSetClassInstallParamsA, xrefs: 0000000140002481
SetupDiCallClassInstaller, xrefs: 000000014000240C
newdev.dll, xrefs: 0000000140001C61
SetupTermDefaultQueueCallback, xrefs: 00000001400025E0
SetupDiClassGuidsFromNameA, xrefs: 000000014000245A
SetupDiCreateDeviceInfoList, xrefs: 00000001400023BE
SetupCloseFileQueue, xrefs: 000000014000256B
SetupUninstallOEMInfA, xrefs: 0000000140002286
SetupDiEnumDeviceInfo, xrefs: 0000000140001ED5, 0000000140001F24
SetupGetInfInformationA, xrefs: 00000001400026CA
SetupDefaultQueueCallbackA, xrefs: 00000001400025B9
SetupDiGetDriverInfoDetailA, xrefs: 000000014000262E, 00000001400026A3
SetupDiGetDeviceRegistryPropertyW, xrefs: 0000000140002005, 0000000140002057
CM_Get_DevNode_Status, xrefs: 00000001400029F7, 0000000140002A1F, 0000000140002A4E

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: Version
String ID: %sCannot find the function %s in %s: %s$%sCannot load library cfgmgr32.dll: %s$%sCannot load library difxapi.dll: %s$%sCannot load library newdev.dll: %s$%sCannot load library setupapi.dll: %s$CMP_WaitNoPendingInstallEvents$CM_Get_Child$CM_Get_DevNode_Status$CM_Get_Device_IDA$CM_Get_Device_ID_Size$CM_Get_Parent$CM_Get_Sibling$CM_Locate_DevNodeA$CM_Reenumerate_DevNode$DIFXAPISetLogCallbackA$DriverPackageGetPathA$DriverPackageInstallA$DriverPackagePreinstallA$DriverPackageUninstallA$SetupCloseFileQueue$SetupCloseInfFile$SetupCommitFileQueueA$SetupCopyOEMInfA$SetupDefaultQueueCallbackA$SetupDiCallClassInstaller$SetupDiClassGuidsFromNameA$SetupDiCreateDeviceInfoA$SetupDiCreateDeviceInfoList$SetupDiDestroyDeviceInfoList$SetupDiEnumDeviceInfo$SetupDiGetClassDevsA$SetupDiGetDeviceInstallParamsA$SetupDiGetDeviceInstanceIdA$SetupDiGetDeviceRegistryPropertyA$SetupDiGetDeviceRegistryPropertyW$SetupDiGetDriverInfoDetailA$SetupDiGetINFClassA$SetupDiGetSelectedDriverA$SetupDiOpenDeviceInfoA$SetupDiRemoveDevice$SetupDiSetClassInstallParamsA$SetupDiSetDeviceRegistryPropertyA$SetupFindFirstLineA$SetupFindNextLine$SetupGetFieldCount$SetupGetInfFileListA$SetupGetInfInformationA$SetupGetStringFieldA$SetupInitDefaultQueueCallback$SetupInstallFilesFromInfSectionA$SetupOpenFileQueue$SetupOpenInfFileA$SetupQueryInfOriginalFileInformationA$SetupTermDefaultQueueCallback$SetupUninstallOEMInfA$UpdateDriverForPlugAndPlayDevicesA$cfgmgr32.dll$difxapi.dll$newdev.dll$setupapi.dll
API String ID: 1889659487-353350101
Opcode ID: 708a2418d327a5d918c486b5d1c6fa8a4eb98b6af84075268749c76278493648
Instruction ID: fc00e69a26d8d14dc85430ad4c2244c551d9f047fea17f89a634ea1af39f9a24
Opcode Fuzzy Hash: 708a2418d327a5d918c486b5d1c6fa8a4eb98b6af84075268749c76278493648
Instruction Fuzzy Hash: 74A28CB4206B04A5FE57DB17B8953E423A5BB4DBC0F940129FA4E4B374EF398999C702

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140007260, Relevance: 28.3, APIs: 7, Strings: 9, Instructions: 258
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140005EB0: free.LIBCMT ref: 0000000140005EFE

Part of subcall function 00000001400070C0: SetupGetStringFieldA.SETUPAPI ref: 00000001400070F6

SetupGetFieldCount.SETUPAPI ref: 0000000140007318
SetupGetStringFieldA.SETUPAPI ref: 0000000140007358
GetSystemInfo.KERNEL32 ref: 00000001400075B5

Part of subcall function 00000001400019F0: GetLastError.KERNEL32 ref: 0000000140001A0E
Part of subcall function 00000001400019F0: FormatMessageA.KERNEL32 ref: 0000000140001A42

Part of subcall function 0000000140009150: _vfwprintf_p.LIBCMT ref: 00000001400091BA
Part of subcall function 0000000140009150: _vfwprintf_p.LIBCMT ref: 00000001400091EC

Part of subcall function 0000000140005A20: free.LIBCMT ref: 0000000140005A37

Strings

Failed retrieving model field %s, xrefs: 00000001400072D1
Failed to allocate %d bytes for INF field, xrefs: 00000001400073B5
Failed to retrieve size of INF field: %s, xrefs: 000000014000737B
ia64, xrefs: 00000001400074D8, 00000001400075E6
unknown, xrefs: 0000000140007325
Failed to retrieve value of INF field: %s, xrefs: 00000001400073FB
ntx86, xrefs: 00000001400074E8, 000000014000758A, 00000001400075F6
Failed retrieving platform field %d for model %s: %s, xrefs: 0000000140007445
ntamd64, xrefs: 00000001400074C1, 00000001400075CF

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: FieldSetup$String_vfwprintf_pfree$CountErrorFormatInfoLastMessageSystem
String ID: Failed retrieving model field %s$Failed retrieving platform field %d for model %s: %s$Failed to allocate %d bytes for INF field$Failed to retrieve size of INF field: %s$Failed to retrieve value of INF field: %s$ia64$ntamd64$ntx86$unknown
API String ID: 606664080-2032687059
Opcode ID: cbb25b5ec7f4268dfe976f8f002be6ff6faeeae4cc7ffe52f84b07a2a19dfe4c
Instruction ID: b9695af54b990543e2cef917d8ad479a1d91cc9d9caa5f0e234df83f1c24f835
Opcode Fuzzy Hash: cbb25b5ec7f4268dfe976f8f002be6ff6faeeae4cc7ffe52f84b07a2a19dfe4c
Instruction Fuzzy Hash: D4B18EB1315A40A1EA12EB27F8957EB6351B79E7C0F805522BB4E876B6EE38C944C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140001000, Relevance: 100.4, APIs: 2, Strings: 55, Instructions: 600COMMON

Download Yara Rule

Strings

Warning: failed getting full path for %s, using it as is, xrefs: 000000014000166F
-file, xrefs: 000000014000125C
Cannot use -inf with other flags (except -silent and -log).Run without parameters to see the correct usage., xrefs: 0000000140001559
demand, xrefs: 000000014000121E
-log, xrefs: 000000014000110F
-inf, xrefs: 0000000140001140
STATUS_FAILURE, xrefs: 000000014000192F
unknown option %s, xrefs: 00000001400013D4
WDREG utility v10.21. Build Aug 31 2010 14:21:54Jungo Confidential. Copyright (c) 2010 Jungo Ltd. http://www.jungo.comCommand usage:non-WDM Drivers: (KernelPlugin Win2000/XP/Server 2003/Vista/7; .SYS drivers on WinNT4;)%s [Options ...] , xrefs: 000000014000108F
WINDRVR6, xrefs: 00000001400015B5
Initializing driver failed, xrefs: 0000000140001710
enable, xrefs: 00000001400017BF
delete, xrefs: 000000014000182B
create, xrefs: 0000000140001809
stop, xrefs: 000000014000186F
start, xrefs: 000000014000184D
Please specify an enumerator after the '-rescan' option, xrefs: 00000001400013B7
%s: unsupported action for this driver, xrefs: 000000014000189E
-compat, xrefs: 00000001400012C9
WDREG utility v10.21. Build Aug 31 2010 14:21:54Log from %s, xrefs: 0000000140001423
windrvr6, xrefs: 00000001400015A9
-dont_create_virtual, xrefs: 00000001400012E4
install, xrefs: 0000000140001750
Please specify a name after the '-name' option, xrefs: 000000014000135F
-silent, xrefs: 00000001400010F0
STATUS_REBOOT_REQUIRED, xrefs: 0000000140001914
You need to use one of the following flags: -inf / -name.For detailed usage information, run "wdreg"., xrefs: 0000000140001598
Please specify a filename after the '-log' option, xrefs: 0000000140001333
-startup, xrefs: 00000001400011A2
WDREG utility v10.21. Build Aug 31 2010 14:21:54, xrefs: 00000001400010A2
-name, xrefs: 0000000140001171
Unsupported operating system, xrefs: 0000000140001503
Please specify one of those values after the '-startup' option boot, system, automatic, demand, disabled, xrefs: 0000000140001375
Please specify a startup level after the '-startup' option, xrefs: 000000014000138B
uninstall, xrefs: 000000014000179A
Please reboot the computer in order to complete the action, xrefs: 0000000140001908
system, xrefs: 00000001400011E5
Cannot open log file %s, xrefs: 0000000140001445
Creating driver failed, xrefs: 00000001400016F2
Failed trying to %s the driver, xrefs: 00000001400018E6
disable, xrefs: 00000001400017E4
-rescan, xrefs: 000000014000128D
no action specified: nothing to do!, xrefs: 00000001400015F3
automatic, xrefs: 0000000140001202
preinstall, xrefs: 0000000140001775
Cannot use -inf for this operating system, xrefs: 0000000140001523
Command line:, xrefs: 0000000140001451
STATUS_SUCCESS, xrefs: 0000000140001945
disabled, xrefs: 000000014000123B
Please specify a filename after the '-inf' option, xrefs: 0000000140001349
boot, xrefs: 00000001400011C9
-delete_files, xrefs: 0000000140001302
%s: completed successfully, xrefs: 00000001400018B0
Invalid parameter %s, xrefs: 00000001400018C2
Please specify a filename after the '-file' option, xrefs: 00000001400013A1

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: _vfwprintf_p$Version
String ID: WDREG utility v10.21. Build Aug 31 2010 14:21:54Log from %s$%s: completed successfully$%s: unsupported action for this driver$-compat$-delete_files$-dont_create_virtual$-file$-inf$-log$-name$-rescan$-silent$-startup$Cannot open log file %s$Cannot use -inf for this operating system$Cannot use -inf with other flags (except -silent and -log).Run without parameters to see the correct usage.$Command line:$Creating driver failed$Failed trying to %s the driver$Initializing driver failed$Invalid parameter %s$Please reboot the computer in order to complete the action$Please specify a filename after the '-file' option$Please specify a filename after the '-inf' option$Please specify a filename after the '-log' option$Please specify a name after the '-name' option$Please specify a startup level after the '-startup' option$Please specify an enumerator after the '-rescan' option$Please specify one of those values after the '-startup' option boot, system, automatic, demand, disabled$STATUS_FAILURE$STATUS_REBOOT_REQUIRED$STATUS_SUCCESS$Unsupported operating system$WDREG utility v10.21. Build Aug 31 2010 14:21:54$WDREG utility v10.21. Build Aug 31 2010 14:21:54Jungo Confidential. Copyright (c) 2010 Jungo Ltd. http://www.jungo.comCommand usage:non-WDM Drivers: (KernelPlugin Win2000/XP/Server 2003/Vista/7; .SYS drivers on WinNT4;)%s [Options ...] $WINDRVR6$Warning: failed getting full path for %s, using it as is$You need to use one of the following flags: -inf / -name.For detailed usage information, run "wdreg".$automatic$boot$create$delete$demand$disable$disabled$enable$install$no action specified: nothing to do!$preinstall$start$stop$system$uninstall$unknown option %s$windrvr6
API String ID: 4273296281-1831385799
Opcode ID: 20464c1e8fb9bca4e3b58a73ef6449eb882bf6e9cd9adc57e59e34ae3cc8fa40
Instruction ID: 25340212d8ee0cc928dbd1660da5642d866afd2f61e288ed0b466eb40a68d397
Opcode Fuzzy Hash: 20464c1e8fb9bca4e3b58a73ef6449eb882bf6e9cd9adc57e59e34ae3cc8fa40
Instruction Fuzzy Hash: 4A4225B1218A4081FA22DF17F9903EA63A2B7CC7D4F944526FB5A8B6B5EF79C544C700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400077F0, Relevance: 56.4, APIs: 18, Strings: 14, Instructions: 372
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140005EB0: free.LIBCMT ref: 0000000140005EFE

SetupOpenInfFileA.SETUPAPI ref: 000000014000785B
SetupDiGetINFClassA.SETUPAPI ref: 00000001400078EA
SetupCloseInfFile.SETUPAPI ref: 0000000140007932

Part of subcall function 00000001400019F0: GetLastError.KERNEL32 ref: 0000000140001A0E
Part of subcall function 00000001400019F0: FormatMessageA.KERNEL32 ref: 0000000140001A42

Part of subcall function 0000000140009150: _vfwprintf_p.LIBCMT ref: 00000001400091BA
Part of subcall function 0000000140009150: _vfwprintf_p.LIBCMT ref: 00000001400091EC

Part of subcall function 0000000140005A20: free.LIBCMT ref: 0000000140005A37

Strings

Failed to allocate %d bytes for INF field, xrefs: 0000000140007BB8
Version, xrefs: 0000000140007A1A
Failed to retrieve value of INF field: %s, xrefs: 0000000140007C03
Failed retrieving manufacturer %s section from INF file %s: %s, xrefs: 0000000140007D8F
CatalogFile, xrefs: 0000000140007A13
Failed retrieving hardware ID field for manufacturer %s: %s, xrefs: 0000000140007C4B
Failed opening INF file %s line %d: %s, xrefs: 0000000140007893
Failed getting device class GUID from class name %s: %s, xrefs: 00000001400079CE
Failed to retrieve size of INF field: %s, xrefs: 0000000140007B84
Failed retrieving manufacturer field from INF file %s: %s, xrefs: 0000000140007AFA
Processing HWID %s, xrefs: 0000000140007C9F
Failed getting device class from INF file %s: %s, xrefs: 0000000140007918
Failed locating Manufacturer section in INF file %s: %s, xrefs: 0000000140007A78
Manufacturer, xrefs: 0000000140007A40

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: Setup$File_vfwprintf_pfree$ClassCloseErrorFormatLastMessageOpen
String ID: Processing HWID %s$CatalogFile$Failed getting device class GUID from class name %s: %s$Failed getting device class from INF file %s: %s$Failed locating Manufacturer section in INF file %s: %s$Failed opening INF file %s line %d: %s$Failed retrieving hardware ID field for manufacturer %s: %s$Failed retrieving manufacturer %s section from INF file %s: %s$Failed retrieving manufacturer field from INF file %s: %s$Failed to allocate %d bytes for INF field$Failed to retrieve size of INF field: %s$Failed to retrieve value of INF field: %s$Manufacturer$Version
API String ID: 2554268171-4125249935
Opcode ID: 7cac2ff579461cca5bb4d4af94979c017a6631fe6f7d62109d42b3c447ea916f
Instruction ID: ed707adb9ba53dbb83a69ddb2e278601339c26ea061d83bac69a6d167badc795
Opcode Fuzzy Hash: 7cac2ff579461cca5bb4d4af94979c017a6631fe6f7d62109d42b3c447ea916f
Instruction Fuzzy Hash: 65F14EB1315980A2EA12EB63F8957EB6350FBCA7C0F801526B74F876B6EE38C545C701

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400080F0, Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 76
libraryloaderserviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 000000014000810E
GetProcAddress.KERNEL32 ref: 000000014000811E
GetCurrentProcess.KERNEL32 ref: 000000014000812C
CloseServiceHandle.ADVAPI32 ref: 00000001400081A8
GetLastError.KERNEL32 ref: 0000000140008140

Part of subcall function 0000000140009150: _vfwprintf_p.LIBCMT ref: 00000001400091BA
Part of subcall function 0000000140009150: _vfwprintf_p.LIBCMT ref: 00000001400091EC

OpenSCManagerA.ADVAPI32 ref: 000000014000818A

Strings

Cannot run an x86 build of this utility on x64 platform., xrefs: 000000014000815E
Cannot open service control manager.Make sure you are running with Administrator privileges, xrefs: 0000000140008195
IsWow64Process, xrefs: 0000000140008117
Can't identify SysWow64, Error: 0x%x, xrefs: 0000000140008148
kernel32, xrefs: 0000000140008107
Cannot load dynamic functions%s, xrefs: 00000001400081E4

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: Handle_vfwprintf_p$AddressCloseCurrentErrorLastManagerModuleOpenProcProcessService
String ID: Can't identify SysWow64, Error: 0x%x$Cannot load dynamic functions%s$Cannot open service control manager.Make sure you are running with Administrator privileges$Cannot run an x86 build of this utility on x64 platform.$IsWow64Process$kernel32
API String ID: 4099843004-1036678174
Opcode ID: 4834887dfd10fc18cd39bada0a78cf618fe8674924b091f73d0110614c18cbd7
Instruction ID: 4a292ffbb9e73d38be772f7c7d9c985e1debc434c4a0b426b6182c5259f502a0
Opcode Fuzzy Hash: 4834887dfd10fc18cd39bada0a78cf618fe8674924b091f73d0110614c18cbd7
Instruction Fuzzy Hash: 48314DB130590195FA67EB63F8153EA22A4BB8C7D0F440525BB5E8B6F6EF39C546C700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400070C0, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetupGetStringFieldA.SETUPAPI ref: 00000001400070F6

Part of subcall function 00000001400019F0: GetLastError.KERNEL32 ref: 0000000140001A0E
Part of subcall function 00000001400019F0: FormatMessageA.KERNEL32 ref: 0000000140001A42

Part of subcall function 0000000140009150: _vfwprintf_p.LIBCMT ref: 00000001400091BA
Part of subcall function 0000000140009150: _vfwprintf_p.LIBCMT ref: 00000001400091EC

Part of subcall function 0000000140005A20: free.LIBCMT ref: 0000000140005A37

Strings

Failed to allocate %d bytes for INF field, xrefs: 0000000140007149
Failed to retrieve size of INF field: %s, xrefs: 0000000140007116
Failed to retrieve value of INF field: %s, xrefs: 0000000140007192

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: _vfwprintf_p$ErrorFieldFormatLastMessageSetupStringfree
String ID: Failed to allocate %d bytes for INF field$Failed to retrieve size of INF field: %s$Failed to retrieve value of INF field: %s
API String ID: 67989277-4263525725
Opcode ID: d74c14611bca7e6128366a2f4fd0cfccf57cb74a7d0771070e0b8dd5a5c2f041
Instruction ID: 9f800009986c219b3d951088a813abdd2337ea09ceac5a9531093ea9918ec237
Opcode Fuzzy Hash: d74c14611bca7e6128366a2f4fd0cfccf57cb74a7d0771070e0b8dd5a5c2f041
Instruction Fuzzy Hash: 88315E71314A4192EA42EB27F8557DB6291ABDABD0F441225BB5E47BFAEF38C501CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140010890, Relevance: 10.7, APIs: 7, Instructions: 178
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStartupInfoW.KERNEL32 ref: 00000001400108B0

Part of subcall function 00000001400103EC: _errno.LIBCMT ref: 0000000140010415
Part of subcall function 00000001400103EC: _errno.LIBCMT ref: 000000014001041F

GetFileType.KERNEL32 ref: 0000000140010A03
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 0000000140010A44

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: _errno$CountCriticalFileInfoInitializeSectionSpinStartupType
String ID:
API String ID: 2002992188-0
Opcode ID: 733255da6f6aab3817571311eb28898a459049c4c820d82072af2c92ebc85a10
Instruction ID: 1de62c766087428682dc86f9f33195338ebd0f25265c08e2eb3720650212e680
Opcode Fuzzy Hash: 733255da6f6aab3817571311eb28898a459049c4c820d82072af2c92ebc85a10
Instruction Fuzzy Hash: 7081E77270479085FB468F26D48439837A4E7097B8F598329EBB94B3F1DBBAC805C712

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140004C10, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 137
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140005F20: free.LIBCMT ref: 0000000140005F7B
Part of subcall function 0000000140005F20: free.LIBCMT ref: 0000000140005FE6

FreeLibrary.KERNEL32 ref: 0000000140004DE3
FreeLibrary.KERNEL32 ref: 0000000140004DF5
FreeLibrary.KERNEL32 ref: 0000000140004E07
FreeLibrary.KERNEL32 ref: 0000000140004E19

Strings

%sWarning: the device (hwid:%s) is not plugged-in., xrefs: 0000000140004DAA
%sWarning: cannot copy the INF file for device (hwid:%s): %s, xrefs: 0000000140004CCD

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: FreeLibrary$free
String ID: %sWarning: cannot copy the INF file for device (hwid:%s): %s$%sWarning: the device (hwid:%s) is not plugged-in.
API String ID: 573304979-930569882
Opcode ID: f95f36da3346926fa965ca41edc3a5050687b2c3a2f53613922242d643e89c53
Instruction ID: eaecedc2fb57e334c04bcf02524c6857764034a5754022ba3400b9dc0714b6b8
Opcode Fuzzy Hash: f95f36da3346926fa965ca41edc3a5050687b2c3a2f53613922242d643e89c53
Instruction Fuzzy Hash: 766139B1205B4095FB62EB23F8553DA72A4F7897C0F84022AFB4A876B6DF39C945C705

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000B4AC, Relevance: 7.6, APIs: 5, Instructions: 125
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32 ref: 000000014000B4D8
_FF_MSGBANNER.LIBCMT ref: 000000014000B5B4
_FF_MSGBANNER.LIBCMT ref: 000000014000B5DF
GetCommandLineA.KERNEL32 ref: 000000014000B60C
__setargv.LIBCMT ref: 000000014000B625

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: CommandLineVersion__setargv
String ID:
API String ID: 2826300012-0
Opcode ID: 04d519d436ffdb82d465fece200651be63796011effa11c881333c9c94729c16
Instruction ID: 501a3e6d81011dcae229c0b38c77ecb5d035c8abeed1aacbedf0a1650ea8fc1c
Opcode Fuzzy Hash: 04d519d436ffdb82d465fece200651be63796011effa11c881333c9c94729c16
Instruction Fuzzy Hash: 87516DB021464286FB67EB67F8927EA36A1AB9C7C5F500139F745876F2DB39C844CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000983C, Relevance: 7.5, APIs: 5, Instructions: 47
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_FF_MSGBANNER.LIBCMT ref: 000000014000986C
RtlAllocateHeap.NTDLL(?,?,00000000,0000000140011015,?,?,WDREG utility v10.21. Build Aug 31 2010 14:21:54,00000001400110E3,?,?,00000000,000000014000ADE8), ref: 0000000140009891
_errno.LIBCMT ref: 00000001400098B5
_errno.LIBCMT ref: 00000001400098C0
_errno.LIBCMT ref: 00000001400098D5

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: _errno$AllocateHeap
String ID:
API String ID: 502529563-0
Opcode ID: 2fa9f452854abb1f20cb5342d5393a6dc66ba85a573c5aa4d608459381ac8468
Instruction ID: f8124b4ddef323a2f58e6b279d6a1de12176d1201a7200c1816ffde2305edd1c
Opcode Fuzzy Hash: 2fa9f452854abb1f20cb5342d5393a6dc66ba85a573c5aa4d608459381ac8468
Instruction Fuzzy Hash: FB115BB060564485FB57EB67B8417E923919B8DBE0F088635FB1A477E6CF7888808721

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000A89C, Relevance: 6.1, APIs: 4, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DecodePointer.KERNEL32 ref: 000000014000A8E1
DecodePointer.KERNEL32 ref: 000000014000A8F0

Part of subcall function 00000001400102F4: _errno.LIBCMT ref: 00000001400102FD

EncodePointer.KERNEL32 ref: 000000014000A964
EncodePointer.KERNEL32 ref: 000000014000A977

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: Pointer$DecodeEncode$_errno
String ID:
API String ID: 1230916053-0
Opcode ID: c4e198d4853535845a7573d1eb5d423ef1feeaead6265595d87ccab9310be368
Instruction ID: 8608c10c1ebf228ae1dd6d5ecf2eb75cde534096096ee728a6e76339886e589f
Opcode Fuzzy Hash: c4e198d4853535845a7573d1eb5d423ef1feeaead6265595d87ccab9310be368
Instruction Fuzzy Hash: B921397130265081EE42EB57F5483DAA3A1B74EBC4F568826FB4D0B7A9DE7CC8958304

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140005F20, Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 79
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000000014000983C: _FF_MSGBANNER.LIBCMT ref: 000000014000986C
Part of subcall function 000000014000983C: RtlAllocateHeap.NTDLL(?,?,00000000,0000000140011015,?,?,WDREG utility v10.21. Build Aug 31 2010 14:21:54,00000001400110E3,?,?,00000000,000000014000ADE8), ref: 0000000140009891
Part of subcall function 000000014000983C: _errno.LIBCMT ref: 00000001400098B5
Part of subcall function 000000014000983C: _errno.LIBCMT ref: 00000001400098C0

free.LIBCMT ref: 0000000140005F7B

Part of subcall function 0000000140009750: HeapFree.KERNEL32(?,?,00000000,000000014000DF24,?,?,00000000,000000014000B799,?,?,?,?,00000001400098DA,?,?,00000000), ref: 0000000140009766
Part of subcall function 0000000140009750: _errno.LIBCMT ref: 0000000140009770
Part of subcall function 0000000140009750: GetLastError.KERNEL32(?,?,00000000,000000014000DF24,?,?,00000000,000000014000B799,?,?,?,?,00000001400098DA,?,?,00000000), ref: 0000000140009778

free.LIBCMT ref: 0000000140005FE6

Strings

setupapi.dll, xrefs: 0000000140005F2F

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: _errno$Heapfree$AllocateErrorFreeLast
String ID: setupapi.dll
API String ID: 3377555370-3506073724
Opcode ID: 9043abaf6dba0e39ef67dd926e93d7164d3ca500aef90d9c61f3662c41987198
Instruction ID: 03d74945e021815c04d9c9d5589245fc2d44788ba91de3deb37a3fc16af7b132
Opcode Fuzzy Hash: 9043abaf6dba0e39ef67dd926e93d7164d3ca500aef90d9c61f3662c41987198
Instruction Fuzzy Hash: 3F3164B6205B8186EE26DF17F4403AAB7A0E749BD4F188525EBAE07BA5DF3CD441C350

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000B818, Relevance: 4.5, APIs: 3, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE ref: 000000014000B82A
HeapSetInformation.KERNEL32 ref: 000000014000B854
HeapSetInformation.KERNEL32 ref: 000000014000B876

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: Heap$Information$Create
String ID:
API String ID: 1487802526-0
Opcode ID: 3635ab072b17c61c96a093286bb3d589c330901bfce161e6a64714cb1d56c969
Instruction ID: fd755b440e05a9a95d8abd57cd974581ccefcf0b40d7431cfe6ef3a6f6ff2404
Opcode Fuzzy Hash: 3635ab072b17c61c96a093286bb3d589c330901bfce161e6a64714cb1d56c969
Instruction Fuzzy Hash: 66F05EB162168092F7899B12E889B957260F78C781F409019FB4A43768DF3DC085CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140002D30, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140005EB0: free.LIBCMT ref: 0000000140005EFE

SetupCopyOEMInfA.SETUPAPI ref: 0000000140002DBA

Part of subcall function 00000001400019F0: GetLastError.KERNEL32 ref: 0000000140001A0E
Part of subcall function 00000001400019F0: FormatMessageA.KERNEL32 ref: 0000000140001A42

Part of subcall function 0000000140005A20: free.LIBCMT ref: 0000000140005A37

Strings

%sWarning: cannot copy INF file %s to the INF directory: %s, xrefs: 0000000140002DF8

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: free$CopyErrorFormatLastMessageSetup
String ID: %sWarning: cannot copy INF file %s to the INF directory: %s
API String ID: 4182642161-1333120281
Opcode ID: 3d43c874bb2d159bb2978ed8d4aac7ad05e155caa0c82b37161804a210beccef
Instruction ID: a260bcda6a67e270aa816ece544500d6adaae5e0dc98e563fb72a3a11fcabc1b
Opcode Fuzzy Hash: 3d43c874bb2d159bb2978ed8d4aac7ad05e155caa0c82b37161804a210beccef
Instruction Fuzzy Hash: 1D31327121598062E621FB66F8963DB6361F7DA3C1F811625B79E83AF6DE38C944CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140011A64, Relevance: 3.1, APIs: 2, Instructions: 85
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__initmbctable.LIBCMT ref: 0000000140011A82
free.LIBCMT ref: 0000000140011B67

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: __initmbctablefree
String ID:
API String ID: 4048718625-0
Opcode ID: 707cfe73b69d28fbd41a27e71dd1c4459dbdcd0f8e574bd82994c511f2d22f02
Instruction ID: 7cea7c463272bef0f5572d1f7ff27c394584c00b54fd460e38b1be93774637b2
Opcode Fuzzy Hash: 707cfe73b69d28fbd41a27e71dd1c4459dbdcd0f8e574bd82994c511f2d22f02
Instruction Fuzzy Hash: 1F31D27570664045FB568B23B8407E93A91AB5C7E4F584718BF684BAF6DF7AC040C200

Uniqueness

Uniqueness Score: -1.00%

Function 000000014001033C, Relevance: 3.1, APIs: 2, Instructions: 52
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_errno.LIBCMT ref: 000000014001035F
RtlAllocateHeap.NTDLL(?,?,?,?,00000000,000000014001489B,?,?,00000000,000000014000DEF3,?,?,00000000,000000014000B799), ref: 00000001400103A8

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: AllocateHeap_errno
String ID:
API String ID: 242259997-0
Opcode ID: 0ef3d0e98a5ef3d40b2818c87bb85fbc6e29815c8717bf9c0b392d6166e11ca2
Instruction ID: 9666080b9eb535d7e33b8c19bd976a677e944fe4becf791e165e81fe0e1971cf
Opcode Fuzzy Hash: 0ef3d0e98a5ef3d40b2818c87bb85fbc6e29815c8717bf9c0b392d6166e11ca2
Instruction Fuzzy Hash: F111257130526087FF178B27E6447EDB295A79C7E4F088721BFA94B7F4DBB985808600

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400103EC, Relevance: 3.0, APIs: 2, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000000014001033C: _errno.LIBCMT ref: 000000014001035F

_errno.LIBCMT ref: 0000000140010415
_errno.LIBCMT ref: 000000014001041F

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: _errno
String ID:
API String ID: 2918714741-0
Opcode ID: b2f66f09a795db3cc2f58cb9ab8fd87ef2d849e4174b02f5ff3105c7acb06222
Instruction ID: 111031f64989afe724f459ff0e9d6ef547fb7376852f700e861f2002f86f6fd4
Opcode Fuzzy Hash: b2f66f09a795db3cc2f58cb9ab8fd87ef2d849e4174b02f5ff3105c7acb06222
Instruction Fuzzy Hash: E4E012B272538447EA529B53F1C13DA62A4AB9C7D0F544024FB8C077A6DB79C840CB10

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140012A94, Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32(?,?,00000001,000000014000CD0B), ref: 0000000140012AAD

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 18d6ce85c6607c875f682a818518c41bee8132d99c3125ecc31c884aaa54386f
Instruction ID: 2f7dd9b170810d7a37784435576ac98eb5ef92685def3ff7e5361fc09cd74cba
Opcode Fuzzy Hash: 18d6ce85c6607c875f682a818518c41bee8132d99c3125ecc31c884aaa54386f
Instruction Fuzzy Hash: FCD05B32B60540C2DB519B26F55039923A4E7C87D4F58C011E75C07659C939C855C711

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140005EB0, Relevance: 1.3, APIs: 1, Instructions: 30COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000000014000983C: _FF_MSGBANNER.LIBCMT ref: 000000014000986C
Part of subcall function 000000014000983C: RtlAllocateHeap.NTDLL(?,?,00000000,0000000140011015,?,?,WDREG utility v10.21. Build Aug 31 2010 14:21:54,00000001400110E3,?,?,00000000,000000014000ADE8), ref: 0000000140009891
Part of subcall function 000000014000983C: _errno.LIBCMT ref: 00000001400098B5
Part of subcall function 000000014000983C: _errno.LIBCMT ref: 00000001400098C0

free.LIBCMT ref: 0000000140005EFE

Part of subcall function 0000000140009750: HeapFree.KERNEL32(?,?,00000000,000000014000DF24,?,?,00000000,000000014000B799,?,?,?,?,00000001400098DA,?,?,00000000), ref: 0000000140009766
Part of subcall function 0000000140009750: _errno.LIBCMT ref: 0000000140009770
Part of subcall function 0000000140009750: GetLastError.KERNEL32(?,?,00000000,000000014000DF24,?,?,00000000,000000014000B799,?,?,?,?,00000001400098DA,?,?,00000000), ref: 0000000140009778

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: _errno$Heap$AllocateErrorFreeLastfree
String ID:
API String ID: 1720997648-0
Opcode ID: b5f13b1a4be6436122ec3ab5cc4ca3b343caa525f2e557fc6fb87ce4da41f348
Instruction ID: 41f298bb13d0881af24310473346aa492613f88abd1367d2d2a576024ad621ca
Opcode Fuzzy Hash: b5f13b1a4be6436122ec3ab5cc4ca3b343caa525f2e557fc6fb87ce4da41f348
Instruction Fuzzy Hash: 7EF01DB2205B8485EF46DF66E4403A973A5E78DFC8F188435EB5C4B3AADB79C851C350

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0000000140003B20, Relevance: 42.3, APIs: 20, Strings: 4, Instructions: 311memorystringCOMMON

Download Yara Rule

APIs

SetupDiGetClassDevsA.SETUPAPI ref: 0000000140003B85
GetLastError.KERNEL32 ref: 0000000140003BA9
SetupDiEnumDeviceInfo.SETUPAPI ref: 0000000140003C0F
SetupDiGetDeviceRegistryPropertyA.SETUPAPI ref: 0000000140003C73
GetLastError.KERNEL32 ref: 0000000140003C80
LocalAlloc.KERNEL32 ref: 0000000140003C97
SetupDiGetDeviceRegistryPropertyA.SETUPAPI ref: 0000000140003CCD
LocalFree.KERNEL32 ref: 0000000140003CDE
lstrlenA.KERNEL32 ref: 0000000140003D1E
LocalFree.KERNEL32 ref: 0000000140003D40
SetupDiGetDeviceRegistryPropertyA.SETUPAPI ref: 0000000140003D80
GetLastError.KERNEL32 ref: 0000000140003D90
LocalAlloc.KERNEL32 ref: 0000000140003DA7
SetupDiGetDeviceRegistryPropertyA.SETUPAPI ref: 0000000140003DDD
LocalFree.KERNEL32 ref: 0000000140003DEE
lstrlenA.KERNEL32 ref: 0000000140003E2E
LocalFree.KERNEL32 ref: 0000000140003E50
SetupDiEnumDeviceInfo.SETUPAPI ref: 0000000140003F01
GetLastError.KERNEL32 ref: 0000000140003F14
SetupDiDestroyDeviceInfoList.SETUPAPI ref: 0000000140003FA8

Strings

%sCouldn't get the hardware IDs of all the devices, xrefs: 0000000140003F8F
%sSetupDiGetClassDevs failed with error: %d - %s, xrefs: 0000000140003BBD
, xrefs: 0000000140003C01
%sSetupDiEnumDeviceInfo failed with error: %d - %s, xrefs: 0000000140003F44

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: Setup$Device$Local$ErrorFreeLastPropertyRegistry$Info$AllocEnumlstrlen$ClassDestroyDevsList
String ID: $%sCouldn't get the hardware IDs of all the devices$%sSetupDiEnumDeviceInfo failed with error: %d - %s$%sSetupDiGetClassDevs failed with error: %d - %s
API String ID: 3735440783-2713487562
Opcode ID: c6cb93a1ef6d335e67d6abd8f5307db4f856dd4929323be4471bbd9e2865b723
Instruction ID: 82ba4b4cf8874b11c31c6e6f3ac05b4117b7dc756cd5693797695ceb4312b6ee
Opcode Fuzzy Hash: c6cb93a1ef6d335e67d6abd8f5307db4f856dd4929323be4471bbd9e2865b723
Instruction Fuzzy Hash: 7CD17DB2204A8196EB63DB16F4403DAB3A5F78DBD4F540226FB4A47BA8DF39C945C700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400086D0, Relevance: 31.6, APIs: 10, Strings: 8, Instructions: 127serviceCOMMON

Download Yara Rule

APIs

OpenServiceA.ADVAPI32 ref: 000000014000870A
GetLastError.KERNEL32 ref: 0000000140008718

Part of subcall function 0000000140009210: _vfwprintf_p.LIBCMT ref: 0000000140009250
Part of subcall function 0000000140009210: _vfwprintf_p.LIBCMT ref: 0000000140009287

DeleteService.ADVAPI32 ref: 000000014000878D
GetLastError.KERNEL32 ref: 0000000140008797
CloseServiceHandle.ADVAPI32 ref: 000000014000884F

Strings

Service %s already deleted, xrefs: 0000000140008732
The system is busy. Please reboot the machineand try again., xrefs: 000000014000889E
ControlService failed: %s, xrefs: 000000014000882E
Cannot remove the service - access denied, xrefs: 00000001400087E6
Error trying to open service %s for delete: %s, xrefs: 000000014000876C
The removal will take effect after the system reboots., xrefs: 00000001400087D8
Cannot delete the service: %s, xrefs: 00000001400087BF
x, xrefs: 0000000140008863

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: Service$ErrorLast_vfwprintf_p$CloseDeleteHandleOpen
String ID: Cannot delete the service: %s$Cannot remove the service - access denied$ControlService failed: %s$Error trying to open service %s for delete: %s$Service %s already deleted$The removal will take effect after the system reboots.$The system is busy. Please reboot the machineand try again.$x
API String ID: 3582348919-1173064612
Opcode ID: f06ca242807996fab8a3dd643aff2b5378f516d886bfa689b025f87563f4aac9
Instruction ID: 48cf6a411171282e646e89599cf995fce3204ae41a7219d0f992cb2b4cdf5a64
Opcode Fuzzy Hash: f06ca242807996fab8a3dd643aff2b5378f516d886bfa689b025f87563f4aac9
Instruction Fuzzy Hash: B4516EB131494092FA23EB13F8583EA2261BB8DBD0F854625FB4E872F6DE39C945C301

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400121A8, Relevance: 28.9, APIs: 19, Instructions: 440COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 00000001400121F5
_errno.LIBCMT ref: 00000001400121FC

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: aee7ec0f7ee071fcf5ab062b8adcd4e5444fe40db1ac2ee56c7ecb626a921ccc
Instruction ID: 7bf92d6de3aa6ef7e5d9e7e65d6e819065a0da70fcdf739882ffcb739e078db6
Opcode Fuzzy Hash: aee7ec0f7ee071fcf5ab062b8adcd4e5444fe40db1ac2ee56c7ecb626a921ccc
Instruction Fuzzy Hash: CA02D07271464186EB228F2AE4843EE67A1F79C7C4F550116FB4A4B6F8EB3EC955CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140015DEC, Relevance: 20.0, APIs: 13, Instructions: 499fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0000000140015EC7
_errno.LIBCMT ref: 0000000140015ED1
__doserrno.LIBCMT ref: 0000000140016013
_errno.LIBCMT ref: 000000014001601D
_errno.LIBCMT ref: 0000000140016028
CreateFileA.KERNEL32 ref: 0000000140016068
GetLastError.KERNEL32 ref: 000000014001609A
_errno.LIBCMT ref: 00000001400160A7
GetFileType.KERNEL32 ref: 00000001400160B6
CloseHandle.KERNEL32 ref: 00000001400160E6
CloseHandle.KERNEL32 ref: 0000000140016113
__doserrno.LIBCMT ref: 000000014001619A
_errno.LIBCMT ref: 00000001400163F1

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: _errno$__doserrno$CloseFileHandle$CreateErrorLastType
String ID:
API String ID: 2510576375-0
Opcode ID: ca2b74d0937f518d223502f32e4a42f731e902beda2180dbef86cb69c8a4ac4c
Instruction ID: d862426a153d895559ce082ac3d2d546ed24e7f46e5292c4245eaf0f72d0e0b8
Opcode Fuzzy Hash: ca2b74d0937f518d223502f32e4a42f731e902beda2180dbef86cb69c8a4ac4c
Instruction Fuzzy Hash: 3312F37261464086FB769A3BE8807ED26A1B38D7D4F244229FB664F6F5CB3ACD41C701

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400092A0, Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 114fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140005F20: free.LIBCMT ref: 0000000140005F7B
Part of subcall function 0000000140005F20: free.LIBCMT ref: 0000000140005FE6

Part of subcall function 0000000140005B20: free.LIBCMT ref: 0000000140005B95

CreateFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140006A0B), ref: 000000014000937B
DeviceIoControl.KERNEL32 ref: 00000001400093D2
CloseHandle.KERNEL32 ref: 00000001400093DB

Part of subcall function 0000000140008FF0: _vfwprintf_p.LIBCMT ref: 000000014000903B
Part of subcall function 0000000140008FF0: _vfwprintf_p.LIBCMT ref: 0000000140009073
Part of subcall function 0000000140008FF0: _getch.LIBCMT ref: 00000001400090BA

Strings

*WINDRVR6, xrefs: 00000001400092C7
Cannot set driver name, xrefs: 0000000140009304
There %s currently %d connected device%s using WinDriver.Please disconnect or uninstall all connected devices from the Device Managerand press Retry.To reload WinDriver, press Cancel and reboot., xrefs: 0000000140009456
are, xrefs: 0000000140009409, 0000000140009449
WINDRVR6, xrefs: 00000001400092DC
There %s currently %d open application%s using WinDriver.Please close all applications and press Retry.To reload WinDriver, press Cancel and reboot., xrefs: 0000000140009416

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: free$_vfwprintf_p$CloseControlCreateDeviceFileHandle_getch
String ID: *WINDRVR6$Cannot set driver name$There %s currently %d connected device%s using WinDriver.Please disconnect or uninstall all connected devices from the Device Managerand press Retry.To reload WinDriver, press Cancel and reboot.$There %s currently %d open application%s using WinDriver.Please close all applications and press Retry.To reload WinDriver, press Cancel and reboot.$WINDRVR6$are
API String ID: 2347401647-404040874
Opcode ID: c8549be5061474a5cf2886adcfaf22862d06ecb44e4da58dc47186b3019f7a4f
Instruction ID: cbaf6fe13c27fd079fd0fe7b342d703fc041198953b91929195afaa732150760
Opcode Fuzzy Hash: c8549be5061474a5cf2886adcfaf22862d06ecb44e4da58dc47186b3019f7a4f
Instruction Fuzzy Hash: 2C419372314A4099E622DB26F840BDA7360A78A7E0F501225FB5D876F5DF39C549CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140012DC4, Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 303COMMON

Download Yara Rule

APIs

_lock.LIBCMT ref: 0000000140012DED

Part of subcall function 0000000140012D84: _errno.LIBCMT ref: 0000000140012D8D

free.LIBCMT ref: 0000000140012EE7

Part of subcall function 0000000140009750: HeapFree.KERNEL32(?,?,00000000,000000014000DF24,?,?,00000000,000000014000B799,?,?,?,?,00000001400098DA,?,?,00000000), ref: 0000000140009766
Part of subcall function 0000000140009750: _errno.LIBCMT ref: 0000000140009770
Part of subcall function 0000000140009750: GetLastError.KERNEL32(?,?,00000000,000000014000DF24,?,?,00000000,000000014000B799,?,?,?,?,00000001400098DA,?,?,00000000), ref: 0000000140009778

Part of subcall function 0000000140014110: _errno.LIBCMT ref: 0000000140014128

___lc_codepage_func.LIBCMT ref: 0000000140012E65

Part of subcall function 000000014000C690: RtlCaptureContext.KERNEL32 ref: 000000014000C69E
Part of subcall function 000000014000C690: RtlLookupFunctionEntry.KERNEL32 ref: 000000014000C6B7
Part of subcall function 000000014000C690: RtlVirtualUnwind.KERNEL32 ref: 000000014000C6F3
Part of subcall function 000000014000C690: OutputDebugStringA.KERNEL32 ref: 000000014000C722

Strings

-, xrefs: 0000000140013134

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: _errno$CaptureContextDebugEntryErrorFreeFunctionHeapLastLookupOutputStringUnwindVirtual___lc_codepage_func_lockfree
String ID: -
API String ID: 2788215654-2547889144
Opcode ID: d9ebf2b80148a67454c0ec5a9b59e23095c8e789b8897401ca3a9545fdf91fd4
Instruction ID: 2a2b08abffb9421d183083164081d0ff035e9c4b9be373a57279063aa0873197
Opcode Fuzzy Hash: d9ebf2b80148a67454c0ec5a9b59e23095c8e789b8897401ca3a9545fdf91fd4
Instruction Fuzzy Hash: CBD1E7766042808AE737DB27E8517DA77A5F38C7C8F444229FB894B7B5CB3AC8558B01

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140008500, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 96serviceCOMMON

Download Yara Rule

APIs

OpenServiceA.ADVAPI32 ref: 0000000140008539
CloseServiceHandle.ADVAPI32 ref: 0000000140008547
GetLastError.KERNEL32 ref: 0000000140008557

Strings

Failed creating service %s: %s, xrefs: 0000000140008643
Error trying to open service %s (0x%lx): %s, xrefs: 000000014000858D

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: Service$CloseErrorHandleLastOpen
String ID: Error trying to open service %s (0x%lx): %s$Failed creating service %s: %s
API String ID: 4162089118-1272098570
Opcode ID: 47c3fab6b98b93d05d939bad6500523f1282392fd9e9e31aeafa176f9b1f9ce9
Instruction ID: 7e941c079b479c32ef896aef597831ffef21f5a1bc021d9d216eb462ede00376
Opcode Fuzzy Hash: 47c3fab6b98b93d05d939bad6500523f1282392fd9e9e31aeafa176f9b1f9ce9
Instruction Fuzzy Hash: 99413E71305A4096EA12EB26F8583DA73A0F78D7D0F500629BB9E877B6DF39C585C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000CF44, Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 132fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(?,?,?,?,WDREG utility v10.21. Build Aug 31 2010 14:21:54,000000014000D170,?,?,?,?,0000000140009871,?,?,00000000,0000000140011015), ref: 000000014000D006
GetStdHandle.KERNEL32(?,?,?,?,WDREG utility v10.21. Build Aug 31 2010 14:21:54,000000014000D170,?,?,?,?,0000000140009871,?,?,00000000,0000000140011015), ref: 000000014000D0E2
WriteFile.KERNEL32(?,?,?,?,WDREG utility v10.21. Build Aug 31 2010 14:21:54,000000014000D170,?,?,?,?,0000000140009871,?,?,00000000,0000000140011015), ref: 000000014000D11F

Strings

Microsoft Visual C++ Runtime Library, xrefs: 000000014000D0C6
<program name unknown>, xrefs: 000000014000D010
Runtime Error!Program: , xrefs: 000000014000CFC5
WDREG utility v10.21. Build Aug 31 2010 14:21:54, xrefs: 000000014000CF53

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: File$HandleModuleNameWrite
String ID: <program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program: $WDREG utility v10.21. Build Aug 31 2010 14:21:54
API String ID: 3784150691-2583370257
Opcode ID: bb8f2c7daf1dacc114cd4c96501ab0719209a14760fba2abc1c2ad3cb9bc9e08
Instruction ID: b97b20efe415c6d9a2e8cab23d7781173865c5b2d1e510af62c6aae5f480fa87
Opcode Fuzzy Hash: bb8f2c7daf1dacc114cd4c96501ab0719209a14760fba2abc1c2ad3cb9bc9e08
Instruction Fuzzy Hash: AC51E2B271074152FB26DB63B915BEA7296A78C7C4F84422ABF0947AF6CF3EC4448610

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400176EC, Relevance: 12.3, APIs: 8, Instructions: 272COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000000140017714
_errno.LIBCMT ref: 000000014001780B
free.LIBCMT ref: 000000014001790B

Part of subcall function 0000000140014110: _errno.LIBCMT ref: 0000000140014128

SetEnvironmentVariableA.KERNEL32 ref: 0000000140017A83
_errno.LIBCMT ref: 0000000140017A92
free.LIBCMT ref: 0000000140017AA0
free.LIBCMT ref: 0000000140017AAD
free.LIBCMT ref: 0000000140017ABE

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: _errnofree$EnvironmentVariable
String ID:
API String ID: 3637960752-0
Opcode ID: 34a0e2386867a0e4bf6bc445ba4d16a7abbba6396fe1e3049d1ef7f5a485b79e
Instruction ID: 0f44686b1199645ed81a86d2f4b1bfc46a9e3208ed6fd526121cec02d19a7355
Opcode Fuzzy Hash: 34a0e2386867a0e4bf6bc445ba4d16a7abbba6396fe1e3049d1ef7f5a485b79e
Instruction Fuzzy Hash: 2DB1C13271165086FB639F27A804BE966A1B78CBE0F984625BB5D4B7F5DF7AC8418300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140012AE4, Relevance: 10.6, APIs: 7, Instructions: 137COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000000140012B2A
_errno.LIBCMT ref: 0000000140012B94
_errno.LIBCMT ref: 0000000140012B9F
_errno.LIBCMT ref: 0000000140012BD3
WideCharToMultiByte.KERNEL32 ref: 0000000140012C6E
GetLastError.KERNEL32 ref: 0000000140012C8E
_errno.LIBCMT ref: 0000000140012CB4

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: _errno$ByteCharErrorLastMultiWide
String ID:
API String ID: 3895584640-0
Opcode ID: 1d71e13bd14614d4de2fb52c70f6ba274c47ad1257b8a4ee9662a6b11a3a5ec2
Instruction ID: 615474333ea08e39459046ae6654d41c06be99255e903a0f065c17cb135a9cbe
Opcode Fuzzy Hash: 1d71e13bd14614d4de2fb52c70f6ba274c47ad1257b8a4ee9662a6b11a3a5ec2
Instruction Fuzzy Hash: 3B51D67260C6C08AE7729F66E4917EEB790E3897D0F188115F7894BAE5CB39C4A18B05

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140008930, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 66serviceCOMMON

Download Yara Rule

APIs

OpenServiceA.ADVAPI32 ref: 0000000140008965
StartServiceA.ADVAPI32 ref: 00000001400089BA
CloseServiceHandle.ADVAPI32 ref: 0000000140008A02

Part of subcall function 00000001400019F0: GetLastError.KERNEL32 ref: 0000000140001A0E
Part of subcall function 00000001400019F0: FormatMessageA.KERNEL32 ref: 0000000140001A42

Part of subcall function 0000000140009150: _vfwprintf_p.LIBCMT ref: 00000001400091BA
Part of subcall function 0000000140009150: _vfwprintf_p.LIBCMT ref: 00000001400091EC

Part of subcall function 0000000140005A20: free.LIBCMT ref: 0000000140005A37

Strings

Error opening the service %s: %s, xrefs: 0000000140008997
Error starting the service %s: %s, xrefs: 00000001400089E8

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: Service$_vfwprintf_p$CloseErrorFormatHandleLastMessageOpenStartfree
String ID: Error opening the service %s: %s$Error starting the service %s: %s
API String ID: 2235298671-3899500212
Opcode ID: cce18e286fa5cf345f16dad8561af524f727fd948a6378445b368979e78bb370
Instruction ID: a561f683e68406cd49786204ca2d9274a884fe85301bf03e4db6ba682362c9ba
Opcode Fuzzy Hash: cce18e286fa5cf345f16dad8561af524f727fd948a6378445b368979e78bb370
Instruction Fuzzy Hash: 8E21C57131594041EA12EB67F8593EA6360BB8EBE0F440625BF5E877F6EE38C5428301

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140009560, Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32(?,?,?,?,?,?,00000000,0000000140006849), ref: 0000000140009595
RtlLookupFunctionEntry.KERNEL32(?,?,?,?,?,?,00000000,0000000140006849), ref: 00000001400095AD
RtlVirtualUnwind.KERNEL32 ref: 00000001400095E4
SetUnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000,0000000140006849), ref: 000000014000964B
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000,0000000140006849), ref: 0000000140009658
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,00000000,0000000140006849), ref: 000000014000965E
TerminateProcess.KERNEL32(?,?,?,?,?,?,00000000,0000000140006849), ref: 000000014000966C

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentEntryFunctionLookupTerminateUnwindVirtual
String ID:
API String ID: 3266983031-0
Opcode ID: b16dfc79ce4f8f2f4e423bfb2d2b1d4c9517ffd7a0b85279cd8dc0f65418f0f7
Instruction ID: b3a2cd5d512ab16034bb13f0f73ea8928c2d9f442581186f5a94e4410517ac5a
Opcode Fuzzy Hash: b16dfc79ce4f8f2f4e423bfb2d2b1d4c9517ffd7a0b85279cd8dc0f65418f0f7
Instruction Fuzzy Hash: E1311271204A0192EB028B66F85439A67A0FB8CBD4F50011AFB8A17B74DF38C985CB01

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000B290, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 136COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000014000B2CB
_errno.LIBCMT ref: 000000014000B2FE

Strings

WDREG utility v10.21. Build Aug 31 2010 14:21:54, xrefs: 000000014000B2A3

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: _errno
String ID: WDREG utility v10.21. Build Aug 31 2010 14:21:54
API String ID: 2918714741-2635416921
Opcode ID: 4a9758924b2d97ead5d3ed8e5fc96bce222a81440e64a55925649b6c5bc35258
Instruction ID: e77428fe47c2ea632fd0c51cbbf305b98450a63d1e760ca58980afe8cc97a832
Opcode Fuzzy Hash: 4a9758924b2d97ead5d3ed8e5fc96bce222a81440e64a55925649b6c5bc35258
Instruction Fuzzy Hash: 0E4125B271829441EB2ADB3779817EE26916B89BD8F104215FF194BBF2CF7CC9068701

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140006260, Relevance: 6.5, APIs: 5, Instructions: 225COMMON

Download Yara Rule

APIs

Part of subcall function 000000014000983C: _FF_MSGBANNER.LIBCMT ref: 000000014000986C
Part of subcall function 000000014000983C: RtlAllocateHeap.NTDLL(?,?,00000000,0000000140011015,?,?,WDREG utility v10.21. Build Aug 31 2010 14:21:54,00000001400110E3,?,?,00000000,000000014000ADE8), ref: 0000000140009891
Part of subcall function 000000014000983C: _errno.LIBCMT ref: 00000001400098B5
Part of subcall function 000000014000983C: _errno.LIBCMT ref: 00000001400098C0

free.LIBCMT ref: 000000014000636A
free.LIBCMT ref: 0000000140006393

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: _errnofree$AllocateHeap
String ID:
API String ID: 2676329746-0
Opcode ID: b27dca0d590e3f74f49723f18b808315419945a8c72af04aa356cfd7a22b0493
Instruction ID: ecefc7ef20bb53fac18c2d68ae5f536a674826a75f8e49086a74cb1a8a4be004
Opcode Fuzzy Hash: b27dca0d590e3f74f49723f18b808315419945a8c72af04aa356cfd7a22b0493
Instruction Fuzzy Hash: 2481C5B1205B9049FF5ADE36B4103A96A91BB09FE8F488214FF6A277E6DB38C541C350

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140013884, Relevance: 6.2, APIs: 4, Instructions: 219COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00000001400138A5
_errno.LIBCMT ref: 00000001400138E6
_isindst.LIBCMT ref: 00000001400139A9

Part of subcall function 0000000140016D5C: _errno.LIBCMT ref: 0000000140016D7E

_isindst.LIBCMT ref: 00000001400139FD

Part of subcall function 0000000140013838: _lock.LIBCMT ref: 0000000140013846

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: _errno$_isindst$_lock
String ID:
API String ID: 98040322-0
Opcode ID: e2c45c44948870b7983f746b58ecc3285dcb9489fd8ead9d51c5624f4f17a499
Instruction ID: 1d41d949abd4de73b61cf30aa70963cdd3baa74eae6ceed3264606715021df2e
Opcode Fuzzy Hash: e2c45c44948870b7983f746b58ecc3285dcb9489fd8ead9d51c5624f4f17a499
Instruction Fuzzy Hash: EA81E5B271535483EF299F2AE4517DD77A1E398BC0F148026FB898FBA9DB39C5018B40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140006040, Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

Part of subcall function 000000014000983C: _FF_MSGBANNER.LIBCMT ref: 000000014000986C
Part of subcall function 000000014000983C: RtlAllocateHeap.NTDLL(?,?,00000000,0000000140011015,?,?,WDREG utility v10.21. Build Aug 31 2010 14:21:54,00000001400110E3,?,?,00000000,000000014000ADE8), ref: 0000000140009891
Part of subcall function 000000014000983C: _errno.LIBCMT ref: 00000001400098B5
Part of subcall function 000000014000983C: _errno.LIBCMT ref: 00000001400098C0

free.LIBCMT ref: 000000014000609B

Part of subcall function 0000000140009750: HeapFree.KERNEL32(?,?,00000000,000000014000DF24,?,?,00000000,000000014000B799,?,?,?,?,00000001400098DA,?,?,00000000), ref: 0000000140009766
Part of subcall function 0000000140009750: _errno.LIBCMT ref: 0000000140009770
Part of subcall function 0000000140009750: GetLastError.KERNEL32(?,?,00000000,000000014000DF24,?,?,00000000,000000014000B799,?,?,?,?,00000001400098DA,?,?,00000000), ref: 0000000140009778

free.LIBCMT ref: 000000014000610A

Strings

setupapi.dll, xrefs: 000000014000604F

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: _errno$Heapfree$AllocateErrorFreeLast
String ID: setupapi.dll
API String ID: 3377555370-3506073724
Opcode ID: cce90638379c265f087668ce1ce8c57507b3aa88ad2f64a44dc3cf13b1f9fe58
Instruction ID: 9ebf555bf6ce27b3aa3535a5294b8dfb5597442051b642f572cbe1c49163efd4
Opcode Fuzzy Hash: cce90638379c265f087668ce1ce8c57507b3aa88ad2f64a44dc3cf13b1f9fe58
Instruction Fuzzy Hash: 8831B7B220578486EE26DF27F4403AAB7A1E749BD4F188115EBAE177A6DF3DD441C340

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400019F0, Relevance: 4.5, APIs: 3, Instructions: 40windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0000000140001A0E
FormatMessageA.KERNEL32 ref: 0000000140001A42
LocalFree.KERNEL32 ref: 0000000140001A7C

Part of subcall function 0000000140005F20: free.LIBCMT ref: 0000000140005F7B
Part of subcall function 0000000140005F20: free.LIBCMT ref: 0000000140005FE6

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: free$ErrorFormatFreeLastLocalMessage
String ID:
API String ID: 3053142517-0
Opcode ID: e10ebce59d1e51d989bc97c2b5f28da042bb8a162b62ed2e79e2750dc5cc99c5
Instruction ID: 60ee8e5114d0ae6b0102ab50d0d287545f9bfb8254b380285f765d6e4fac7554
Opcode Fuzzy Hash: e10ebce59d1e51d989bc97c2b5f28da042bb8a162b62ed2e79e2750dc5cc99c5
Instruction Fuzzy Hash: 191139B220864182EB21DB26F4543DA6760F7CABE4F545220FB9A476F8DF7DC149CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140006160, Relevance: 1.3, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140006040: free.LIBCMT ref: 000000014000609B
Part of subcall function 0000000140006040: free.LIBCMT ref: 000000014000610A

free.LIBCMT ref: 0000000140006209

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: c40b88632e077709a8598b5a561063931c3477e33bd77a51184d12666e0194fd
Instruction ID: 620a6feb18a47c31cd2e6ecaab57b8264a1a90b53e8a08a41013dc54f1464c54
Opcode Fuzzy Hash: c40b88632e077709a8598b5a561063931c3477e33bd77a51184d12666e0194fd
Instruction Fuzzy Hash: 3321C1B120468085EB55DF76A0003A9B6A1F749BF4F18872AEF79577DACB38C8508340

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400143C0, Relevance: 53.8, APIs: 43, Instructions: 94COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 00000001400143D5

Part of subcall function 0000000140009750: HeapFree.KERNEL32(?,?,00000000,000000014000DF24,?,?,00000000,000000014000B799,?,?,?,?,00000001400098DA,?,?,00000000), ref: 0000000140009766
Part of subcall function 0000000140009750: _errno.LIBCMT ref: 0000000140009770
Part of subcall function 0000000140009750: GetLastError.KERNEL32(?,?,00000000,000000014000DF24,?,?,00000000,000000014000B799,?,?,?,?,00000001400098DA,?,?,00000000), ref: 0000000140009778

free.LIBCMT ref: 00000001400143DE
free.LIBCMT ref: 00000001400143E7
free.LIBCMT ref: 00000001400143F0
free.LIBCMT ref: 00000001400143F9
free.LIBCMT ref: 0000000140014402
free.LIBCMT ref: 000000014001440A
free.LIBCMT ref: 0000000140014413
free.LIBCMT ref: 000000014001441C
free.LIBCMT ref: 0000000140014425
free.LIBCMT ref: 000000014001442E
free.LIBCMT ref: 0000000140014437
free.LIBCMT ref: 0000000140014440
free.LIBCMT ref: 0000000140014449
free.LIBCMT ref: 0000000140014452
free.LIBCMT ref: 000000014001445B
free.LIBCMT ref: 0000000140014467
free.LIBCMT ref: 0000000140014473
free.LIBCMT ref: 000000014001447F
free.LIBCMT ref: 000000014001448B
free.LIBCMT ref: 0000000140014497
free.LIBCMT ref: 00000001400144A3
free.LIBCMT ref: 00000001400144AF
free.LIBCMT ref: 00000001400144BB
free.LIBCMT ref: 00000001400144C7
free.LIBCMT ref: 00000001400144D3
free.LIBCMT ref: 00000001400144DF
free.LIBCMT ref: 00000001400144EB
free.LIBCMT ref: 00000001400144F7
free.LIBCMT ref: 0000000140014503
free.LIBCMT ref: 000000014001450F
free.LIBCMT ref: 000000014001451B
free.LIBCMT ref: 0000000140014527
free.LIBCMT ref: 0000000140014533
free.LIBCMT ref: 000000014001453F
free.LIBCMT ref: 000000014001454B
free.LIBCMT ref: 0000000140014557
free.LIBCMT ref: 0000000140014563
free.LIBCMT ref: 000000014001456F
free.LIBCMT ref: 000000014001457B
free.LIBCMT ref: 0000000140014587
free.LIBCMT ref: 0000000140014593
free.LIBCMT ref: 000000014001459F

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: free$ErrorFreeHeapLast_errno
String ID:
API String ID: 1012874770-0
Opcode ID: 61bb5ec95e5b0476da9386a578fb04bafdbd0a29d01f3f9c6de28f41b23cc97a
Instruction ID: ce92ac608318ba65dba1067852b8984c85452e586481a30bde8a078c3d8206d1
Opcode Fuzzy Hash: 61bb5ec95e5b0476da9386a578fb04bafdbd0a29d01f3f9c6de28f41b23cc97a
Instruction Fuzzy Hash: 974164B722594481EB96FF77D8523ED1322AB88B84F054131BB5D5B6B7CFA0C855C390

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140013E54, Relevance: 38.6, APIs: 15, Strings: 7, Instructions: 140libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,?,?,?,?,?,WDREG utility v10.21. Build Aug 31 2010 14:21:54,00000000,00000000,000000014000D0DB,?,?,?,?,WDREG utility v10.21. Build Aug 31 2010 14:21:54,000000014000D170), ref: 0000000140013E9E
GetProcAddress.KERNEL32(?,?,?,?,?,?,WDREG utility v10.21. Build Aug 31 2010 14:21:54,00000000,00000000,000000014000D0DB,?,?,?,?,WDREG utility v10.21. Build Aug 31 2010 14:21:54,000000014000D170), ref: 0000000140013EBD
GetProcAddress.KERNEL32(?,?,?,?,?,?,WDREG utility v10.21. Build Aug 31 2010 14:21:54,00000000,00000000,000000014000D0DB,?,?,?,?,WDREG utility v10.21. Build Aug 31 2010 14:21:54,000000014000D170), ref: 0000000140013EE1
EncodePointer.KERNEL32(?,?,?,?,?,?,WDREG utility v10.21. Build Aug 31 2010 14:21:54,00000000,00000000,000000014000D0DB,?,?,?,?,WDREG utility v10.21. Build Aug 31 2010 14:21:54,000000014000D170), ref: 0000000140013EEA
GetProcAddress.KERNEL32(?,?,?,?,?,?,WDREG utility v10.21. Build Aug 31 2010 14:21:54,00000000,00000000,000000014000D0DB,?,?,?,?,WDREG utility v10.21. Build Aug 31 2010 14:21:54,000000014000D170), ref: 0000000140013F00
EncodePointer.KERNEL32(?,?,?,?,?,?,WDREG utility v10.21. Build Aug 31 2010 14:21:54,00000000,00000000,000000014000D0DB,?,?,?,?,WDREG utility v10.21. Build Aug 31 2010 14:21:54,000000014000D170), ref: 0000000140013F09
GetProcAddress.KERNEL32 ref: 0000000140013F4E
EncodePointer.KERNEL32 ref: 0000000140013F57
GetProcAddress.KERNEL32 ref: 0000000140013F72
EncodePointer.KERNEL32 ref: 0000000140013F7B
DecodePointer.KERNEL32(?,?,?,?,?,?,WDREG utility v10.21. Build Aug 31 2010 14:21:54,00000000,00000000,000000014000D0DB,?,?,?,?,WDREG utility v10.21. Build Aug 31 2010 14:21:54,000000014000D170), ref: 0000000140013FA0
DecodePointer.KERNEL32(?,?,?,?,?,?,WDREG utility v10.21. Build Aug 31 2010 14:21:54,00000000,00000000,000000014000D0DB,?,?,?,?,WDREG utility v10.21. Build Aug 31 2010 14:21:54,000000014000D170), ref: 0000000140013FB6
DecodePointer.KERNEL32(?,?,?,?,?,?,WDREG utility v10.21. Build Aug 31 2010 14:21:54,00000000,00000000,000000014000D0DB,?,?,?,?,WDREG utility v10.21. Build Aug 31 2010 14:21:54,000000014000D170), ref: 0000000140014054

Strings

GetProcessWindowStation, xrefs: 0000000140013F68
MessageBoxA, xrefs: 0000000140013EB3
GetUserObjectInformationA, xrefs: 0000000140013F44
GetLastActivePopup, xrefs: 0000000140013EEF
USER32.DLL, xrefs: 0000000140013E97
GetActiveWindow, xrefs: 0000000140013ED0
WDREG utility v10.21. Build Aug 31 2010 14:21:54, xrefs: 0000000140013E66

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: Pointer$AddressProc$Encode$Decode$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$USER32.DLL$WDREG utility v10.21. Build Aug 31 2010 14:21:54
API String ID: 3623393973-124041944
Opcode ID: 91b0c4301fc8aba1c7dec3c213963a6a0080423ef4f6f4110be3a89941408abc
Instruction ID: 2fa111fd58935b4900f4d9c91521c7e4e5224fbd3a99c37ae05310a688022f3a
Opcode Fuzzy Hash: 91b0c4301fc8aba1c7dec3c213963a6a0080423ef4f6f4110be3a89941408abc
Instruction Fuzzy Hash: 28516A31615B4085FB67EB63B8517E932A0AB8CBC4F44412ABF4E4BBB5EF3AC5458701

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140014D28, Relevance: 30.5, APIs: 20, Instructions: 466COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0000000140014D5B
_errno.LIBCMT ref: 0000000140014D64
__doserrno.LIBCMT ref: 0000000140014DCD
_errno.LIBCMT ref: 0000000140014DD4

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: c2c0054a8ad2058c356eb153cd1fa1fc09dc9c5e2a647fe305a0dab17ce13ae8
Instruction ID: 8912c05bdd6d3caf4f9d8577924ed03ef78a095f34e6d81d488f54b09300de28
Opcode Fuzzy Hash: c2c0054a8ad2058c356eb153cd1fa1fc09dc9c5e2a647fe305a0dab17ce13ae8
Instruction Fuzzy Hash: A8222472208680C6EB63AB56E4843ED2B91F3897D5F588216FB5A0F7F1C77AC545C702

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400044A0, Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 292COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140005EB0: free.LIBCMT ref: 0000000140005EFE

GetWindowsDirectoryA.KERNEL32 ref: 00000001400044F0
SetupGetInfFileListA.SETUPAPI ref: 0000000140004576

Part of subcall function 00000001400019F0: GetLastError.KERNEL32 ref: 0000000140001A0E
Part of subcall function 00000001400019F0: FormatMessageA.KERNEL32 ref: 0000000140001A42

Part of subcall function 0000000140005A20: free.LIBCMT ref: 0000000140005A37

Strings

%sWarning: INF copy for %s not found => not deleted., xrefs: 00000001400048A9
%sINF cannot get a list of INF files: %s, xrefs: 0000000140004909
PNF, xrefs: 0000000140004731
%sINF error getting windows directory: %s, xrefs: 0000000140004522
\INF\, xrefs: 000000014000462E
%sINF copy %%WINDIR%%\%s cannot be deleted: %s, xrefs: 0000000140004850
%sINF failed allocating %ld bytes, xrefs: 00000001400045BA

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: free$DirectoryErrorFileFormatLastListMessageSetupWindows
String ID: %sINF cannot get a list of INF files: %s$%sINF copy %%WINDIR%%\%s cannot be deleted: %s$%sINF error getting windows directory: %s$%sINF failed allocating %ld bytes$%sWarning: INF copy for %s not found => not deleted.$PNF$\INF\
API String ID: 1309968152-3763761631
Opcode ID: 896ba61994e5c98c7e53187082753e6850746791f00f1a89c79a20c17b1112e8
Instruction ID: 104eb2e7af4952619592d9946d06e097be343c993b334fe1874ef6abbb18d839
Opcode Fuzzy Hash: 896ba61994e5c98c7e53187082753e6850746791f00f1a89c79a20c17b1112e8
Instruction Fuzzy Hash: 1AC150B132594062EA12FB66F8953DB6350FB9A7C0F801626B74E876F7EE38C944C741

Uniqueness

Uniqueness Score: -1.00%

Function 000000014001151C, Relevance: 21.2, APIs: 2, Strings: 10, Instructions: 199COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000014001156D
_wsopen_s.LIBCMT ref: 000000014001176E

Strings

UTF-8, xrefs: 00000001400116EC
, xrefs: 0000000140011559
UTF-16LE, xrefs: 0000000140011709
a, xrefs: 000000014001155E
, xrefs: 000000014001174A
, xrefs: 00000001400116C6
r, xrefs: 0000000140011563
w, xrefs: 0000000140011568
UNICODE, xrefs: 0000000140011726
ccs=, xrefs: 00000001400116CB

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: _errno_wsopen_s
String ID: $ $ $UNICODE$UTF-16LE$UTF-8$a$ccs=$r$w
API String ID: 1497100469-859952999
Opcode ID: ab8e1f3144eafa6bdebc931d3220a61593101837723350bcc198c8cc03afad1d
Instruction ID: 70ac62ac1a00ea49ab7d282771181d099848c8f90332ba79514adf3d3167432e
Opcode Fuzzy Hash: ab8e1f3144eafa6bdebc931d3220a61593101837723350bcc198c8cc03afad1d
Instruction Fuzzy Hash: A771EDB2A1824085FB7F8A27BA047E92AD26BDD7C4F494514FF471BAF7D23BC9408201

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140008A70, Relevance: 21.1, APIs: 5, Strings: 7, Instructions: 99serviceCOMMON

Download Yara Rule

APIs

OpenServiceA.ADVAPI32 ref: 0000000140008ACC
GetLastError.KERNEL32 ref: 0000000140008ADA

Part of subcall function 00000001400019F0: GetLastError.KERNEL32 ref: 0000000140001A0E
Part of subcall function 00000001400019F0: FormatMessageA.KERNEL32 ref: 0000000140001A42

Part of subcall function 0000000140009150: _vfwprintf_p.LIBCMT ref: 00000001400091BA
Part of subcall function 0000000140009150: _vfwprintf_p.LIBCMT ref: 00000001400091EC

Part of subcall function 0000000140005A20: free.LIBCMT ref: 0000000140005A37

Strings

Sending stop request to service: %s, xrefs: 0000000140008B8F
windrvr6, xrefs: 0000000140008A90
Nothing to stop: service %s does not exist, xrefs: 0000000140008AF2
Nothing to stop: service %s is not active, xrefs: 0000000140008B6B
Cannot open service: %s, xrefs: 0000000140008B1C
WINDRVR6, xrefs: 0000000140008AA3
Cannot stop service: %s, xrefs: 0000000140008BC6

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: ErrorLast_vfwprintf_p$FormatMessageOpenServicefree
String ID: Sending stop request to service: %s$Cannot open service: %s$Cannot stop service: %s$Nothing to stop: service %s does not exist$Nothing to stop: service %s is not active$WINDRVR6$windrvr6
API String ID: 276576194-3827881508
Opcode ID: ecc82703720090130841b4a193fc5584d0027bfeeb96c0829c81ec89b0afe73d
Instruction ID: 50c3c5d5882553cf8260af0073220f0b1333dedf6ba851b5f183c9398f71f882
Opcode Fuzzy Hash: ecc82703720090130841b4a193fc5584d0027bfeeb96c0829c81ec89b0afe73d
Instruction Fuzzy Hash: 364181B1304A0092EA22EB67F4953EA63A1B78E7C0F840225FB4E476F6EF39C545C701

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000DF60, Relevance: 21.1, APIs: 14, Instructions: 90COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 000000014000DF7F

Part of subcall function 0000000140009750: HeapFree.KERNEL32(?,?,00000000,000000014000DF24,?,?,00000000,000000014000B799,?,?,?,?,00000001400098DA,?,?,00000000), ref: 0000000140009766
Part of subcall function 0000000140009750: _errno.LIBCMT ref: 0000000140009770
Part of subcall function 0000000140009750: GetLastError.KERNEL32(?,?,00000000,000000014000DF24,?,?,00000000,000000014000B799,?,?,?,?,00000001400098DA,?,?,00000000), ref: 0000000140009778

free.LIBCMT ref: 000000014000DF8D
free.LIBCMT ref: 000000014000DF9B
free.LIBCMT ref: 000000014000DFA9
free.LIBCMT ref: 000000014000DFB7
free.LIBCMT ref: 000000014000DFC5
free.LIBCMT ref: 000000014000DFD3
free.LIBCMT ref: 000000014000DFE1
free.LIBCMT ref: 000000014000DFF2
free.LIBCMT ref: 000000014000E00A
_lock.LIBCMT ref: 000000014000E014
free.LIBCMT ref: 000000014000E042
_lock.LIBCMT ref: 000000014000E057
free.LIBCMT ref: 000000014000E0A1

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: free$_lock$ErrorFreeHeapLast_errno
String ID:
API String ID: 1575098132-0
Opcode ID: b6cafeada19b211189294fe98c39286d674c572666597c6e2a195ebc60d93e6c
Instruction ID: 21051a7da49a9fdca6f7eee3f6b0781b7671cdd826901e5272a4180c9dece9b0
Opcode Fuzzy Hash: b6cafeada19b211189294fe98c39286d674c572666597c6e2a195ebc60d93e6c
Instruction Fuzzy Hash: 0231F0B631694144FE9BEFA7E1517F92351AF8CBC4F044526BB1E076E68F74C841C261

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140003FE0, Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 157COMMON

Download Yara Rule

APIs

SetupDiCreateDeviceInfoList.SETUPAPI ref: 0000000140004020
SetupDiCreateDeviceInfoA.SETUPAPI ref: 00000001400040BD
SetupDiDestroyDeviceInfoList.SETUPAPI ref: 0000000140004208

Part of subcall function 00000001400019F0: GetLastError.KERNEL32 ref: 0000000140001A0E
Part of subcall function 00000001400019F0: FormatMessageA.KERNEL32 ref: 0000000140001A42

Part of subcall function 0000000140005A20: free.LIBCMT ref: 0000000140005A37

Strings

, xrefs: 0000000140004092
%sError creating empty device info list: %s, xrefs: 0000000140004057
%sError creating device info element: %s, xrefs: 00000001400040EF
%sError setting device hardware id property: hwid %s, error %lxMake sure that the system permits addition of new devices under "%s" class, xrefs: 000000014000418C
%sError calling class installer register: %s, xrefs: 00000001400041E0

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: DeviceInfoSetup$CreateList$DestroyErrorFormatLastMessagefree
String ID: $%sError calling class installer register: %s$%sError creating device info element: %s$%sError creating empty device info list: %s$%sError setting device hardware id property: hwid %s, error %lxMake sure that the system permits addition of new devices under "%s" class
API String ID: 129083322-2336943437
Opcode ID: 1aca9a46b458c5c510b112f579b5ac330d5672b56738ebddf6e519d7cba82b7e
Instruction ID: 9d1385793a54e290cfb69f2f4060f9fab3f5b465664a93a6ea30c6ed80235ee1
Opcode Fuzzy Hash: 1aca9a46b458c5c510b112f579b5ac330d5672b56738ebddf6e519d7cba82b7e
Instruction Fuzzy Hash: 8B516FB1314A4456EA12EB63F8543DA6291B78EBE4F840229FF5A977F6EE38C504C701

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400042B0, Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 114fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32 ref: 00000001400042FA
CreateFileA.KERNEL32 ref: 0000000140004324
GetFileSize.KERNEL32 ref: 0000000140004346
GetFileSize.KERNEL32 ref: 0000000140004353
ReadFile.KERNEL32 ref: 000000014000438D
ReadFile.KERNEL32 ref: 00000001400043B4
GetLastError.KERNEL32 ref: 00000001400043E5
CloseHandle.KERNEL32 ref: 00000001400043F5
CloseHandle.KERNEL32 ref: 00000001400043FE

Strings

&, xrefs: 0000000140004408
%sINF error opening file: %s, xrefs: 0000000140004440

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: File$CloseCreateHandleReadSize$ErrorLast
String ID: %sINF error opening file: %s$&
API String ID: 32646414-3564837584
Opcode ID: a54edadf774f9b67afe0e14cdf481a849a2303546a1cda033b107f0f46d6a981
Instruction ID: 89e7dfc2c5aa3051d27ef8dd0ec8fc552bfeaf261b3fe503db3c5d5912d1d3b2
Opcode Fuzzy Hash: a54edadf774f9b67afe0e14cdf481a849a2303546a1cda033b107f0f46d6a981
Instruction Fuzzy Hash: C841A9B5214A4086E762EB23B8443DA23A4B78E7E4F400325FF6A476F5DF78C649C705

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140008FF0, Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 103COMMON

Download Yara Rule

APIs

_vfwprintf_p.LIBCMT ref: 000000014000903B

Part of subcall function 0000000140008F30: _vfwprintf_p.LIBCMT ref: 0000000140008F66
Part of subcall function 0000000140008F30: _vfwprintf_p.LIBCMT ref: 0000000140008F9A

_vfwprintf_p.LIBCMT ref: 0000000140009073
_getch.LIBCMT ref: 00000001400090BA

Strings

CANCEL, xrefs: 00000001400090FA
r, xrefs: 00000001400090D2
RETRY, xrefs: 000000014000911F
a+t, xrefs: 0000000140009052
R, xrefs: 00000001400090CD
C, xrefs: 00000001400090D7
c, xrefs: 00000001400090DC
Please press 'R' to retry or 'C' to cancel..., xrefs: 000000014000908E

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: _vfwprintf_p$_getch
String ID: Please press 'R' to retry or 'C' to cancel...$C$CANCEL$R$RETRY$a+t$c$r
API String ID: 2682755570-3423389621
Opcode ID: a216e02194b4a26f5bd760e2c712eb59a6343baf21346415ebfd392d76693c42
Instruction ID: 6e2de046124259a455611d0ecf1b627146e019439fd89e490db88b08f8248f57
Opcode Fuzzy Hash: a216e02194b4a26f5bd760e2c712eb59a6343baf21346415ebfd392d76693c42
Instruction Fuzzy Hash: A831A3B230164199FA67D757B8517E62294AB4D3D5F88082ABF49472F6DF3DCAC2C301

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140017ACC, Relevance: 18.1, APIs: 12, Instructions: 115memoryfileCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000000140011FBC: _errno.LIBCMT ref: 0000000140011FDE

_errno.LIBCMT ref: 0000000140017B54

Part of subcall function 0000000140011FBC: SetFilePointer.KERNEL32(?,?,?,0000000140012275), ref: 0000000140011FFE
Part of subcall function 0000000140011FBC: GetLastError.KERNEL32(?,?,?,0000000140012275), ref: 000000014001200D

GetProcessHeap.KERNEL32 ref: 0000000140017B26
HeapAlloc.KERNEL32 ref: 0000000140017B3B
_errno.LIBCMT ref: 0000000140017B49
__doserrno.LIBCMT ref: 0000000140017BAE
_errno.LIBCMT ref: 0000000140017BB8
GetProcessHeap.KERNEL32 ref: 0000000140017BD1
HeapFree.KERNEL32 ref: 0000000140017BDF
SetEndOfFile.KERNEL32 ref: 0000000140017C0A
_errno.LIBCMT ref: 0000000140017C22
__doserrno.LIBCMT ref: 0000000140017C2D
GetLastError.KERNEL32 ref: 0000000140017C35

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: _errno$Heap$ErrorFileLastProcess__doserrno$AllocFreePointer
String ID:
API String ID: 3112900366-0
Opcode ID: 5458c50b896ef7e216aedbb76431fc36a28681ed3cf38ece300bbf12c5758f9a
Instruction ID: 9483cb7a444d84cae398f713e06ca9cf3fc13a123e7971610ef56682033acbc4
Opcode Fuzzy Hash: 5458c50b896ef7e216aedbb76431fc36a28681ed3cf38ece300bbf12c5758f9a
Instruction Fuzzy Hash: 0F418D3530495086EA1AAB37A8447DA72A2A78CBF0F144714FB3D0F7F6DB7AC4458641

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140002F40, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 90fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140005F20: free.LIBCMT ref: 0000000140005F7B
Part of subcall function 0000000140005F20: free.LIBCMT ref: 0000000140005FE6

SetupOpenInfFileA.SETUPAPI ref: 0000000140002FA1
SetupOpenFileQueue.SETUPAPI ref: 0000000140003022
SetupInstallFilesFromInfSectionA.SETUPAPI ref: 000000014000304B
SetupInitDefaultQueueCallback.SETUPAPI ref: 0000000140003053
SetupCommitFileQueueA.SETUPAPI ref: 000000014000306B
SetupTermDefaultQueueCallback.SETUPAPI ref: 0000000140003074
SetupCloseFileQueue.SETUPAPI ref: 000000014000307D
SetupCloseInfFile.SETUPAPI ref: 0000000140003086

Strings

DriverInstall, xrefs: 000000014000303C
%sFailed opening INF file %s line %d: %s, xrefs: 0000000140002FF5

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: Setup$FileQueue$CallbackCloseDefaultOpenfree$CommitFilesFromInitInstallSectionTerm
String ID: %sFailed opening INF file %s line %d: %s$DriverInstall
API String ID: 2023082784-3555299665
Opcode ID: ee293acae7efa64e64381b1c436258f00d3a9a89c9d1e2d19d4d671906cffb5c
Instruction ID: c177bfc718d3bd7ec89a1aaf8c671a2d70d984153c942ff2be461fbec53e59b9
Opcode Fuzzy Hash: ee293acae7efa64e64381b1c436258f00d3a9a89c9d1e2d19d4d671906cffb5c
Instruction Fuzzy Hash: 3F4131B1214A40A2EA12EB22E8553DA77A0F78EBE0F844325FB5A477F5DF38C945C741

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140008E60, Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 57libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 0000000140008E74
GetProcAddress.KERNEL32 ref: 0000000140008E84
GetCurrentProcess.KERNEL32 ref: 0000000140008E92
GetLastError.KERNEL32 ref: 0000000140008EA6

Part of subcall function 0000000140009150: _vfwprintf_p.LIBCMT ref: 00000001400091BA
Part of subcall function 0000000140009150: _vfwprintf_p.LIBCMT ref: 00000001400091EC

OpenSCManagerA.ADVAPI32 ref: 0000000140008EF4

Strings

Cannot run an x86 build of this utility on x64 platform., xrefs: 0000000140008ECF
Cannot open service control manager.Make sure you are running with Administrator privileges, xrefs: 0000000140008F03
IsWow64Process, xrefs: 0000000140008E7A
Can't identify SysWow64, Error: 0x%x, xrefs: 0000000140008EAC
kernel32, xrefs: 0000000140008E6D

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: _vfwprintf_p$AddressCurrentErrorHandleLastManagerModuleOpenProcProcess
String ID: Can't identify SysWow64, Error: 0x%x$Cannot open service control manager.Make sure you are running with Administrator privileges$Cannot run an x86 build of this utility on x64 platform.$IsWow64Process$kernel32
API String ID: 4030066227-1836098034
Opcode ID: e7f71ec26f27f28a1cbe0203cd21fd8691ba3c7240c8c7fc8826f974a2ba0a03
Instruction ID: 3b37c432c306563b592afbd80c6429daf7a5f10c97cd66ce131f06a0cc67fc9e
Opcode Fuzzy Hash: e7f71ec26f27f28a1cbe0203cd21fd8691ba3c7240c8c7fc8826f974a2ba0a03
Instruction Fuzzy Hash: 32117F71711A4186EF96DB67F8543E923A1EB8C7C0F481025BB4E8B6B9EF39C585C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000E17C, Relevance: 16.8, APIs: 11, Instructions: 263COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 000000014000E249
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 000000014000E351
LCMapStringW.KERNEL32 ref: 000000014000E380
LCMapStringW.KERNEL32 ref: 000000014000E3D2

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: ByteCharMultiStringWide
String ID:
API String ID: 2829165498-0
Opcode ID: 3c427df736d840c592fcc3e1ee847b816f4e7d61021ce69bf5ca0cf36495d5aa
Instruction ID: 2e1534e33a481ae3cb68d218cbf541959294b4db66e780ff0f1e978396b93817
Opcode Fuzzy Hash: 3c427df736d840c592fcc3e1ee847b816f4e7d61021ce69bf5ca0cf36495d5aa
Instruction Fuzzy Hash: 10B1B2B2204BC08AE762CF22A9403D977A5F7487E8F144624FB5967BE9EB78C541C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000F810, Relevance: 16.2, APIs: 4, Strings: 5, Instructions: 421COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000000140009BEC: RtlLookupFunctionEntry.KERNEL32(00000000,00000001,?,000000014000F87B), ref: 0000000140009C60

__GetUnwindTryBlock.LIBCMT ref: 000000014000F884
__SetUnwindTryBlock.LIBCMT ref: 000000014000F8AF

Part of subcall function 0000000140014B98: RaiseException.KERNEL32 ref: 0000000140014C18

__GetUnwindTryBlock.LIBCMT ref: 000000014000F8B9
_SetThrowImageBase.LIBCMT ref: 000000014000F949

Strings

csm, xrefs: 000000014000FA96
csm, xrefs: 000000014000FDDD
csm, xrefs: 000000014000F965
bad exception, xrefs: 000000014000FA46
csm, xrefs: 000000014000F8CF

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: BlockUnwind$BaseEntryExceptionFunctionImageLookupRaiseThrow
String ID: bad exception$csm$csm$csm$csm
API String ID: 2128467468-506059908
Opcode ID: 3d0aee99186740652a1dd93cf70be66fef7f459a1cdd588e50105484a4ab96ba
Instruction ID: 620affbda0af06416c0f9cce251adc597f3b95d17cfbcc9627a2050ee3cccb31
Opcode Fuzzy Hash: 3d0aee99186740652a1dd93cf70be66fef7f459a1cdd588e50105484a4ab96ba
Instruction Fuzzy Hash: C602AFB220478086EA72DB27B4407EE77A4F749BC4F448126FB8947FA6DB38D551EB01

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140012870, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 89COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0000000140012899
_errno.LIBCMT ref: 00000001400128A2
__doserrno.LIBCMT ref: 00000001400128F2
_errno.LIBCMT ref: 00000001400128F9

Strings

WDREG utility v10.21. Build Aug 31 2010 14:21:54, xrefs: 0000000140012881

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: __doserrno_errno
String ID: WDREG utility v10.21. Build Aug 31 2010 14:21:54
API String ID: 921712934-2635416921
Opcode ID: 4aff2e4107ae0715b2597e4d26cef1066704ebbe03631bdc50b827147a864641
Instruction ID: a3b68aae9362883327b916f1ed493f2973d662cb5fdaca21f98eaaf62b9e4bab
Opcode Fuzzy Hash: 4aff2e4107ae0715b2597e4d26cef1066704ebbe03631bdc50b827147a864641
Instruction Fuzzy Hash: 1531007222425082F313AF3BA841BDE7A91A7C87E0F554615FB690B7F2CB39C4128B50

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140003800, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 154COMMON

Download Yara Rule

APIs

SetupDiSetClassInstallParamsA.SETUPAPI ref: 0000000140003898
SetupDiSetClassInstallParamsA.SETUPAPI ref: 000000014000392B

Part of subcall function 00000001400019F0: GetLastError.KERNEL32 ref: 0000000140001A0E
Part of subcall function 00000001400019F0: FormatMessageA.KERNEL32 ref: 0000000140001A42

Part of subcall function 0000000140005A20: free.LIBCMT ref: 0000000140005A37

Strings

%sError changing the device status for device %s: %s, xrefs: 00000001400039CB
%sError setting the install parameters for device %s (GLOBAL): %s, xrefs: 00000001400038CF
%sError getting the install parameters for device %s: %s, xrefs: 0000000140003A42
%sError setting the install parameters for device %s (SPECIFIC): %s, xrefs: 0000000140003962

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: ClassInstallParamsSetup$ErrorFormatLastMessagefree
String ID: %sError changing the device status for device %s: %s$%sError getting the install parameters for device %s: %s$%sError setting the install parameters for device %s (GLOBAL): %s$%sError setting the install parameters for device %s (SPECIFIC): %s
API String ID: 1946844895-3296254695
Opcode ID: bf136bdba29f4a9421b81081caf2bd0af9ebd2fabcae69af794573165bae1e4a
Instruction ID: 3dbaeae9c7a2767fbda12a8e0e9fc8f4c408a6b3caeca0bf24ffd05da71eb472
Opcode Fuzzy Hash: bf136bdba29f4a9421b81081caf2bd0af9ebd2fabcae69af794573165bae1e4a
Instruction Fuzzy Hash: 8A6162B1215B4096EA52EF26F8513DA77A0F78A7C4F801229FB4E876B6DF38C544CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140003560, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 128COMMON

Download Yara Rule

APIs

SetupDiGetDeviceInstanceIdA.SETUPAPI ref: 00000001400035E8
SetupDiSetClassInstallParamsA.SETUPAPI ref: 00000001400035FF
SetupDiCallClassInstaller.SETUPAPI ref: 0000000140003663

Part of subcall function 00000001400019F0: GetLastError.KERNEL32 ref: 0000000140001A0E
Part of subcall function 00000001400019F0: FormatMessageA.KERNEL32 ref: 0000000140001A42

Part of subcall function 0000000140005A20: free.LIBCMT ref: 0000000140005A37

Strings

%sRemoved %s, xrefs: 000000014000376B
%sError removing device %s: %s, xrefs: 000000014000369E
%sError getting install params for removed device %s: %s, xrefs: 0000000140003719
%sError setting install params for removing device: %s, xrefs: 0000000140003631

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: Setup$Class$CallDeviceErrorFormatInstallInstallerInstanceLastMessageParamsfree
String ID: %sError getting install params for removed device %s: %s$%sError removing device %s: %s$%sError setting install params for removing device: %s$%sRemoved %s
API String ID: 3006532288-1296256300
Opcode ID: 6a0f60a1f610a52d77322cb864601ac22673da5f068c8484270f1797eadf7189
Instruction ID: 79559821be0d00c68e88bcbb50a9edebbc35735297e05c9919a6553f1884c741
Opcode Fuzzy Hash: 6a0f60a1f610a52d77322cb864601ac22673da5f068c8484270f1797eadf7189
Instruction Fuzzy Hash: 04514EB1215B45A6EA52EB16F8503DA73A0F78D7C4F80562AF74E476B5EF38C908C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140010FB4, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

_FF_MSGBANNER.LIBCMT ref: 0000000140010FDB

Part of subcall function 000000014000CF44: GetModuleFileNameA.KERNEL32(?,?,?,?,WDREG utility v10.21. Build Aug 31 2010 14:21:54,000000014000D170,?,?,?,?,0000000140009871,?,?,00000000,0000000140011015), ref: 000000014000D006

Part of subcall function 000000014000CBE8: ExitProcess.KERNEL32 ref: 000000014000CBF7

Part of subcall function 000000014000983C: _FF_MSGBANNER.LIBCMT ref: 000000014000986C
Part of subcall function 000000014000983C: RtlAllocateHeap.NTDLL(?,?,00000000,0000000140011015,?,?,WDREG utility v10.21. Build Aug 31 2010 14:21:54,00000001400110E3,?,?,00000000,000000014000ADE8), ref: 0000000140009891
Part of subcall function 000000014000983C: _errno.LIBCMT ref: 00000001400098B5
Part of subcall function 000000014000983C: _errno.LIBCMT ref: 00000001400098C0

_errno.LIBCMT ref: 000000014001101D
_lock.LIBCMT ref: 0000000140011031
free.LIBCMT ref: 0000000140011053
_errno.LIBCMT ref: 0000000140011058
LeaveCriticalSection.KERNEL32(?,?,WDREG utility v10.21. Build Aug 31 2010 14:21:54,00000001400110E3,?,?,00000000,000000014000ADE8,?,?,?,?,000000014000B32D), ref: 000000014001107E

Strings

WDREG utility v10.21. Build Aug 31 2010 14:21:54, xrefs: 0000000140010FC3

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: _errno$AllocateCriticalExitFileHeapLeaveModuleNameProcessSection_lockfree
String ID: WDREG utility v10.21. Build Aug 31 2010 14:21:54
API String ID: 1070137386-2635416921
Opcode ID: 180c5ca275ab55732a50461783afcee12dc7c0373e5a93fb8f602e98fe47b1fe
Instruction ID: bea34cd65b75c2a39c37b0b43ae93f27b48952d1f42a9c13ae488ed730229829
Opcode Fuzzy Hash: 180c5ca275ab55732a50461783afcee12dc7c0373e5a93fb8f602e98fe47b1fe
Instruction Fuzzy Hash: E0218E75A1568082F6ABAB13E4457EA6294A78DBC4F044434FB4A4B6E7CFBAC8808750

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140007F80, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 54libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 0000000140007F91
GetProcAddress.KERNEL32 ref: 0000000140007FA1
GetCurrentProcess.KERNEL32 ref: 0000000140007FC8
GetLastError.KERNEL32 ref: 0000000140007FDC

Strings

Cannot run an x86 build of this utility on x64 platform., xrefs: 000000014000800C
IsWow64Process, xrefs: 0000000140007F97
Can't identify SysWow64, Error: 0x%x, xrefs: 0000000140007FE2
kernel32, xrefs: 0000000140007F8A

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: AddressCurrentErrorHandleLastModuleProcProcess
String ID: Can't identify SysWow64, Error: 0x%x$Cannot run an x86 build of this utility on x64 platform.$IsWow64Process$kernel32
API String ID: 896058289-3496699341
Opcode ID: 424eaad0caa0c7d756c43f1e370194a857ceecdcfeaf463d9b98d930aa177c4d
Instruction ID: 43a23b157323f5f0ddd518736c70e927498f3a05dceabc3dd1fd631a4ad8895d
Opcode Fuzzy Hash: 424eaad0caa0c7d756c43f1e370194a857ceecdcfeaf463d9b98d930aa177c4d
Instruction Fuzzy Hash: EB11517171560286EB46DB6BF8947E95390EB8C7C4F881035BB0E877B4DE39C889C704

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000D9F0, Relevance: 13.8, APIs: 11, Instructions: 90COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 000000014000DA3C

Part of subcall function 0000000140009750: HeapFree.KERNEL32(?,?,00000000,000000014000DF24,?,?,00000000,000000014000B799,?,?,?,?,00000001400098DA,?,?,00000000), ref: 0000000140009766
Part of subcall function 0000000140009750: _errno.LIBCMT ref: 0000000140009770
Part of subcall function 0000000140009750: GetLastError.KERNEL32(?,?,00000000,000000014000DF24,?,?,00000000,000000014000B799,?,?,?,?,00000001400098DA,?,?,00000000), ref: 0000000140009778

Part of subcall function 00000001400145F4: free.LIBCMT ref: 0000000140014612
Part of subcall function 00000001400145F4: free.LIBCMT ref: 0000000140014624
Part of subcall function 00000001400145F4: free.LIBCMT ref: 0000000140014636
Part of subcall function 00000001400145F4: free.LIBCMT ref: 0000000140014648
Part of subcall function 00000001400145F4: free.LIBCMT ref: 000000014001465A
Part of subcall function 00000001400145F4: free.LIBCMT ref: 000000014001466C
Part of subcall function 00000001400145F4: free.LIBCMT ref: 000000014001467E

free.LIBCMT ref: 000000014000DA5E
free.LIBCMT ref: 000000014000DA76
free.LIBCMT ref: 000000014000DA82
free.LIBCMT ref: 000000014000DAA6
free.LIBCMT ref: 000000014000DABA
free.LIBCMT ref: 000000014000DAC9
free.LIBCMT ref: 000000014000DAD5
free.LIBCMT ref: 000000014000DB02
free.LIBCMT ref: 000000014000DB2A
free.LIBCMT ref: 000000014000DB44

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: free$ErrorFreeHeapLast_errno
String ID:
API String ID: 1012874770-0
Opcode ID: 6dff679a752d613d0e4d2cda2d56002de2255f18e8177ecb06650a4c2e7d5b05
Instruction ID: a1fef226496f7fd0e4d8d5a777510f98dd59e118bfcb7fda40ab7807a21887d1
Opcode Fuzzy Hash: 6dff679a752d613d0e4d2cda2d56002de2255f18e8177ecb06650a4c2e7d5b05
Instruction Fuzzy Hash: B341FB72616A8084EF96DF63E4513E933A1EB8CBD4F190436AB0D4B6B5CF78C881C761

Uniqueness

Uniqueness Score: -1.00%

Function 000000014001138C, Relevance: 13.6, APIs: 9, Instructions: 85COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00000001400113AD
__doserrno.LIBCMT ref: 00000001400113B8
__doserrno.LIBCMT ref: 00000001400113CC
_errno.LIBCMT ref: 00000001400113D4

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: c546e78d02e7009339f4347a447611a94e8224a9fe007967290c3efe5e1f484a
Instruction ID: 17195e9e9d2aa81f2dc8d8c69dbb6179c603890010c4cb59ef3c7c4fb5de8154
Opcode Fuzzy Hash: c546e78d02e7009339f4347a447611a94e8224a9fe007967290c3efe5e1f484a
Instruction Fuzzy Hash: 9831C27261864487F71BAF63B8417DE2661ABC8BE1F558515FB060B7E3CB7AC8018B10

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140017200, Relevance: 12.2, APIs: 8, Instructions: 250COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001400175AE), ref: 00000001400172F3
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001400175AE), ref: 0000000140017372
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001400175AE), ref: 000000014001741A
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001400175AE), ref: 0000000140017440

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: ByteCharMultiWide$Info
String ID:
API String ID: 1775632426-0
Opcode ID: 347fb8b280ffd273d92e572b9c17d8cf9116591f9a3b7569aa2840028b8d11b6
Instruction ID: f2a9c4c121b0679958cd5eefb8b94754d1e6318cef57a427522da5425788b34b
Opcode Fuzzy Hash: 347fb8b280ffd273d92e572b9c17d8cf9116591f9a3b7569aa2840028b8d11b6
Instruction Fuzzy Hash: F1A1E27260468086EB329F669440BDD3BE2F3497E4F584626FB6D4B7E5CB7AC985C300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140012050, Relevance: 12.1, APIs: 8, Instructions: 89COMMON

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0000000140012079
_errno.LIBCMT ref: 0000000140012082
__doserrno.LIBCMT ref: 00000001400120D3
_errno.LIBCMT ref: 00000001400120DA

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 71b44924f26463168ec8386fca0fbb1cfa5e766ee74934f50f7e41f77b9798cc
Instruction ID: 4fe2047c34e0b2c09f36a5265af89a3740ade97c3490332ae0690486893d2eb0
Opcode Fuzzy Hash: 71b44924f26463168ec8386fca0fbb1cfa5e766ee74934f50f7e41f77b9798cc
Instruction Fuzzy Hash: 2531AD7621429082E717AF27A841B9E7A52A7C87F4F554715FF390B7F2CB3984128B50

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140015458, Relevance: 10.6, APIs: 7, Instructions: 79COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000000140015471
_errno.LIBCMT ref: 00000001400154BD

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: _errno
String ID:
API String ID: 2918714741-0
Opcode ID: 2878039a58fd44fbe47c4421dc1eb28e098f2e18bc2897f3cea21c93d14a99cf
Instruction ID: e75bd40d16295c81bd2de659de0bbce65d9d7a65c9977e654ac0416999310ff5
Opcode Fuzzy Hash: 2878039a58fd44fbe47c4421dc1eb28e098f2e18bc2897f3cea21c93d14a99cf
Instruction Fuzzy Hash: AE31D272624A4086F727AF77A4A57EE2A53A7883E5F554318FB190F2F2CF79C4018704

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400101D0, Relevance: 10.6, APIs: 7, Instructions: 61COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 00000001400101F9

Part of subcall function 000000014000983C: _FF_MSGBANNER.LIBCMT ref: 000000014000986C
Part of subcall function 000000014000983C: RtlAllocateHeap.NTDLL(?,?,00000000,0000000140011015,?,?,WDREG utility v10.21. Build Aug 31 2010 14:21:54,00000001400110E3,?,?,00000000,000000014000ADE8), ref: 0000000140009891
Part of subcall function 000000014000983C: _errno.LIBCMT ref: 00000001400098B5
Part of subcall function 000000014000983C: _errno.LIBCMT ref: 00000001400098C0

_errno.LIBCMT ref: 000000014001026E
GetLastError.KERNEL32(?,?,00000000,000000014000A954), ref: 0000000140010276
_errno.LIBCMT ref: 0000000140010287
GetLastError.KERNEL32(?,?,00000000,000000014000A954), ref: 000000014001028F

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: _errno$ErrorLast$AllocateHeapfree
String ID:
API String ID: 3707629261-0
Opcode ID: 0a3c62ae9000e1eec61882b7818730d343163648725383137621b962153e50a5
Instruction ID: be21532df955663d7b376f76377270e0dfcd3a73575f7376043bc0522819edba
Opcode Fuzzy Hash: 0a3c62ae9000e1eec61882b7818730d343163648725383137621b962153e50a5
Instruction Fuzzy Hash: C5216D7460465589FE57AB67A9083E962906B8DBE0F048630FF6A8B3F6EE7DC4408201

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140011ED0, Relevance: 9.1, APIs: 6, Instructions: 64COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0000000140011EE4
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,000000014000B61E), ref: 0000000140011F3B
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,000000014000B61E), ref: 0000000140011F78
free.LIBCMT ref: 0000000140011F85
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,?,000000014000B61E), ref: 0000000140011F8F
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,?,000000014000B61E), ref: 0000000140011F9D

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide$free
String ID:
API String ID: 517548149-0
Opcode ID: cd703fe02d3b77f41eef4abf89300f5c94175d5d3b3ab6f68ce391cbfd0d1cd7
Instruction ID: 317710b4b4a5e62cfda200c59fbd7acbeac38072ebb7106234d08b3f3d43ceac
Opcode Fuzzy Hash: cd703fe02d3b77f41eef4abf89300f5c94175d5d3b3ab6f68ce391cbfd0d1cd7
Instruction Fuzzy Hash: 32213072A1874486EB659F23A4443EAB3E1E78CBD4F084128FF4A4BBA9DF7DC5458701

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000CD94, Relevance: 9.1, APIs: 6, Instructions: 63COMMON

Download Yara Rule

APIs

_lock.LIBCMT ref: 000000014000CDBA
DecodePointer.KERNEL32 ref: 000000014000CDE5
DecodePointer.KERNEL32 ref: 000000014000CDF4
_initterm.LIBCMT ref: 000000014000CE2E
_initterm.LIBCMT ref: 000000014000CE41
ExitProcess.KERNEL32 ref: 000000014000CE76

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: DecodePointer_initterm$ExitProcess_lock
String ID:
API String ID: 4044905312-0
Opcode ID: c4e020424c5edbbc4bea516e11caa18e21469d5e25634a4a5254c7cc556604ce
Instruction ID: 9ee9d997353d9f925fe1e17e1e785e858ed5d15f91d4d7f01fcfc280aa078fa9
Opcode Fuzzy Hash: c4e020424c5edbbc4bea516e11caa18e21469d5e25634a4a5254c7cc556604ce
Instruction Fuzzy Hash: 552166B022268081FB1ADB17F8017D872A4BB8CBC4F940029BB590B7B6CF79C945C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140005060, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 00000001400051A0
FreeLibrary.KERNEL32 ref: 00000001400051B2
FreeLibrary.KERNEL32 ref: 00000001400051C4
FreeLibrary.KERNEL32 ref: 00000001400051D6

Part of subcall function 0000000140005F20: free.LIBCMT ref: 0000000140005F7B
Part of subcall function 0000000140005F20: free.LIBCMT ref: 0000000140005FE6

Strings

%sWarning: the device (hwid:%s) is not installed., xrefs: 0000000140005169

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: FreeLibrary$free
String ID: %sWarning: the device (hwid:%s) is not installed.
API String ID: 573304979-868816708
Opcode ID: bc37958ccb21e58d4b1124d76ddc725192ab2dbd7ed9ac07731edafbfe280195
Instruction ID: ad03dc3503df973693368e03e8f1c98543e0afc937e779a0eed222d75e8a786b
Opcode Fuzzy Hash: bc37958ccb21e58d4b1124d76ddc725192ab2dbd7ed9ac07731edafbfe280195
Instruction Fuzzy Hash: F24115B1200B4496FB22EB22F8457EA76A4B78EBC1F544229FB49476B5DB38C885C701

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000B028, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000014000B03D
_flush.LIBCMT ref: 000000014000B066
_freebuf.LIBCMT ref: 000000014000B070

Strings

WDREG utility v10.21. Build Aug 31 2010 14:21:54, xrefs: 000000014000B02D

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: _errno_flush_freebuf
String ID: WDREG utility v10.21. Build Aug 31 2010 14:21:54
API String ID: 3308817952-2635416921
Opcode ID: 109d82df2f4a185f60228bc1970696ead0efcf51bf2b188ae06f11876b4e32dd
Instruction ID: 87bd5f5c2f9a2fdff9c50a40b55391b1645b1d12d2337df5546ae19edf4da0e2
Opcode Fuzzy Hash: 109d82df2f4a185f60228bc1970696ead0efcf51bf2b188ae06f11876b4e32dd
Instruction Fuzzy Hash: E501D4B271464442FF1ADB77A8913EE12516B9C7E8F280720BB69871F7DE79C4018640

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400145F4, Relevance: 8.8, APIs: 7, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 0000000140014612

Part of subcall function 0000000140009750: HeapFree.KERNEL32(?,?,00000000,000000014000DF24,?,?,00000000,000000014000B799,?,?,?,?,00000001400098DA,?,?,00000000), ref: 0000000140009766
Part of subcall function 0000000140009750: _errno.LIBCMT ref: 0000000140009770
Part of subcall function 0000000140009750: GetLastError.KERNEL32(?,?,00000000,000000014000DF24,?,?,00000000,000000014000B799,?,?,?,?,00000001400098DA,?,?,00000000), ref: 0000000140009778

free.LIBCMT ref: 0000000140014624
free.LIBCMT ref: 0000000140014636
free.LIBCMT ref: 0000000140014648
free.LIBCMT ref: 000000014001465A
free.LIBCMT ref: 000000014001466C
free.LIBCMT ref: 000000014001467E

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: free$ErrorFreeHeapLast_errno
String ID:
API String ID: 1012874770-0
Opcode ID: 408979f8b5b7c8d0f59e99f48d2e469553aa4f58c2162d5905de57d7e72d9096
Instruction ID: 8b86d8e25997e25deec471cda33d2e1a6020a72c5cab9ca40f4f2c7c578f9a6e
Opcode Fuzzy Hash: 408979f8b5b7c8d0f59e99f48d2e469553aa4f58c2162d5905de57d7e72d9096
Instruction Fuzzy Hash: 3D01A577214C1091EB97EF63E4A23E52361AB9DBC8F450006B71E8B5B2CFB5DC81C662

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000C690, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 000000014000C69E
RtlLookupFunctionEntry.KERNEL32 ref: 000000014000C6B7
RtlVirtualUnwind.KERNEL32 ref: 000000014000C6F3
OutputDebugStringA.KERNEL32 ref: 000000014000C722

Strings

Invalid parameter passed to C runtime function., xrefs: 000000014000C71B

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: CaptureContextDebugEntryFunctionLookupOutputStringUnwindVirtual
String ID: Invalid parameter passed to C runtime function.
API String ID: 711593133-455672764
Opcode ID: fba6de40861da115f1c04894ec3ec0be6a6ebc63674aacdc0d3d2cf73daa974e
Instruction ID: 82fd7cecd8f46148595259a6521b7875afb33d05cc2f85b8e7e115800f438138
Opcode Fuzzy Hash: fba6de40861da115f1c04894ec3ec0be6a6ebc63674aacdc0d3d2cf73daa974e
Instruction Fuzzy Hash: 1401ED76229F8192DA658B15F8947DAB370F788795F540125EB8E07B68DF3DC298CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140015B80, Relevance: 7.6, APIs: 5, Instructions: 141COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000000140010FB4: _FF_MSGBANNER.LIBCMT ref: 0000000140010FDB

_lock.LIBCMT ref: 0000000140015BBE
_lock.LIBCMT ref: 0000000140015C17
InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,?,?,00000000,00000000,00000109,000000014001600C), ref: 0000000140015C2C
EnterCriticalSection.KERNEL32(?,?,?,?,00000000,00000000,00000109,000000014001600C), ref: 0000000140015C57
LeaveCriticalSection.KERNEL32(?,?,?,?,00000000,00000000,00000109,000000014001600C), ref: 0000000140015C67

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: CriticalSection$_lock$CountEnterInitializeLeaveSpin
String ID:
API String ID: 3451527041-0
Opcode ID: d76fbb7d49dac2cdf19b2e8729a3c439521dbc716ce71c0e2bb3ea0bb895ffb3
Instruction ID: f9beca4007352568cda71f2847d15fb79d5b56808c0269d7c25ae36bffa41d9d
Opcode Fuzzy Hash: d76fbb7d49dac2cdf19b2e8729a3c439521dbc716ce71c0e2bb3ea0bb895ffb3
Instruction Fuzzy Hash: 5E51E172204780C6EB62AF12E48439976D4F798BE9F584219FB6A0F7F5DB79C400CB41

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000D7AC, Relevance: 7.6, APIs: 5, Instructions: 122COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000000014000D4D0: GetOEMCP.KERNEL32(?,?,?,?,?,?,?,000000014000D7E6,?,?,?,?,?,000000014000D9DF), ref: 000000014000D4FA

Part of subcall function 000000014000983C: _FF_MSGBANNER.LIBCMT ref: 000000014000986C
Part of subcall function 000000014000983C: RtlAllocateHeap.NTDLL(?,?,00000000,0000000140011015,?,?,WDREG utility v10.21. Build Aug 31 2010 14:21:54,00000001400110E3,?,?,00000000,000000014000ADE8), ref: 0000000140009891
Part of subcall function 000000014000983C: _errno.LIBCMT ref: 00000001400098B5
Part of subcall function 000000014000983C: _errno.LIBCMT ref: 00000001400098C0

free.LIBCMT ref: 000000014000D857

Part of subcall function 0000000140009750: HeapFree.KERNEL32(?,?,00000000,000000014000DF24,?,?,00000000,000000014000B799,?,?,?,?,00000001400098DA,?,?,00000000), ref: 0000000140009766
Part of subcall function 0000000140009750: _errno.LIBCMT ref: 0000000140009770
Part of subcall function 0000000140009750: GetLastError.KERNEL32(?,?,00000000,000000014000DF24,?,?,00000000,000000014000B799,?,?,?,?,00000001400098DA,?,?,00000000), ref: 0000000140009778

_lock.LIBCMT ref: 000000014000D88F
free.LIBCMT ref: 000000014000D942
free.LIBCMT ref: 000000014000D972
_errno.LIBCMT ref: 000000014000D977

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: _errno$free$Heap$AllocateErrorFreeLast_lock
String ID:
API String ID: 113673271-0
Opcode ID: 9e55f04690e587e132355659b42bc2101b1e3bb94dbeb9ae6b40c0a3f85c3eff
Instruction ID: 9705c69ee205b1f18023ee77f3a0fd828612471e52920a23c1953d9babc9f389
Opcode Fuzzy Hash: 9e55f04690e587e132355659b42bc2101b1e3bb94dbeb9ae6b40c0a3f85c3eff
Instruction Fuzzy Hash: B9518FB260464096E756DB66B4403E9B7A1F78CBE8F148617FB9A473F6CB78C841C720

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400148EC, Relevance: 7.6, APIs: 5, Instructions: 85memorythreadCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 000000014001493E
GetSystemInfo.KERNEL32 ref: 0000000140014955
SetThreadStackGuarantee.KERNEL32 ref: 0000000140014967
VirtualAlloc.KERNEL32 ref: 00000001400149C6
VirtualProtect.KERNEL32 ref: 00000001400149E1

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: Virtual$AllocGuaranteeInfoProtectQueryStackSystemThread
String ID:
API String ID: 513674450-0
Opcode ID: 9a37226d1ae2109e08393391b80ed4ffd8c0b5500a3d92a962a6e023de907d79
Instruction ID: 8f89bc0395ef90eb72051618c5612675aaee5714b32c9879ecdb283ed5235332
Opcode Fuzzy Hash: 9a37226d1ae2109e08393391b80ed4ffd8c0b5500a3d92a962a6e023de907d79
Instruction Fuzzy Hash: F7312132310A959AEB15CF36D8547D937A5F70CBC8F444125EB4A8BB68DF3AD585C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000B14C, Relevance: 7.6, APIs: 5, Instructions: 83COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000014000B17B
_errno.LIBCMT ref: 000000014000B199

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: _errno
String ID:
API String ID: 2918714741-0
Opcode ID: 1e308cdc133ef77ae88deeab30a85e624ec471c87e9b7588444c6f530c5a44b2
Instruction ID: fd8484b1c71169b29c70f56d321086e1a323c9f2b88d445cabac76b0b51ab20c
Opcode Fuzzy Hash: 1e308cdc133ef77ae88deeab30a85e624ec471c87e9b7588444c6f530c5a44b2
Instruction Fuzzy Hash: F0316FB162868585F767DB73B8117DF66D2A78C7C0F445824BB4987BA6DF3CC5018704

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000E2E5, Relevance: 7.6, APIs: 5, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 00000001400148EC: VirtualQuery.KERNEL32 ref: 000000014001493E
Part of subcall function 00000001400148EC: GetSystemInfo.KERNEL32 ref: 0000000140014955
Part of subcall function 00000001400148EC: SetThreadStackGuarantee.KERNEL32 ref: 0000000140014967
Part of subcall function 00000001400148EC: VirtualAlloc.KERNEL32 ref: 00000001400149C6
Part of subcall function 00000001400148EC: VirtualProtect.KERNEL32 ref: 00000001400149E1

MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 000000014000E351
LCMapStringW.KERNEL32 ref: 000000014000E380
LCMapStringW.KERNEL32 ref: 000000014000E3D2
free.LIBCMT ref: 000000014000E543
free.LIBCMT ref: 000000014000E569

Part of subcall function 000000014000983C: _FF_MSGBANNER.LIBCMT ref: 000000014000986C
Part of subcall function 000000014000983C: RtlAllocateHeap.NTDLL(?,?,00000000,0000000140011015,?,?,WDREG utility v10.21. Build Aug 31 2010 14:21:54,00000001400110E3,?,?,00000000,000000014000ADE8), ref: 0000000140009891
Part of subcall function 000000014000983C: _errno.LIBCMT ref: 00000001400098B5
Part of subcall function 000000014000983C: _errno.LIBCMT ref: 00000001400098C0

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: Virtual$String_errnofree$AllocAllocateByteCharGuaranteeHeapInfoMultiProtectQueryStackSystemThreadWide
String ID:
API String ID: 1525220363-0
Opcode ID: 1dfa270e5d32c50f9cce3cc23f84553c6021e4b41416567b0afaf45280e09c4b
Instruction ID: 4afb7f39bbe1d8394641f5e776db1f9335c51abe5127e7999440013ac06f0117
Opcode Fuzzy Hash: 1dfa270e5d32c50f9cce3cc23f84553c6021e4b41416567b0afaf45280e09c4b
Instruction Fuzzy Hash: 3C31E0B2205AD08AE776CF22B8143E93794F74CBDDF044515EB495BBA9DB78CA45C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140017FEC, Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

__initconin.LIBCMT ref: 0000000140018019

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: __initconin
String ID:
API String ID: 2454263311-0
Opcode ID: 8ea2f48b58982aa8f2e77d3c6d316cb4ec0c96a5bddc10fe7d727daa511d0386
Instruction ID: 424d200f524c61c9f14beececb506c78d81cfde6e4cc20f15245e4a8591defb4
Opcode Fuzzy Hash: 8ea2f48b58982aa8f2e77d3c6d316cb4ec0c96a5bddc10fe7d727daa511d0386
Instruction Fuzzy Hash: 3C213931205644A5EAB38B2398443E977A5A78C7F4F044315FB794B6F4CB7ECA89CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400094A8, Relevance: 7.5, APIs: 5, Instructions: 38timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,?,000000014000B701), ref: 00000001400094DE
GetCurrentProcessId.KERNEL32(?,?,?,000000014000B701), ref: 00000001400094E9
GetCurrentThreadId.KERNEL32 ref: 00000001400094F5
GetTickCount.KERNEL32 ref: 0000000140009501
QueryPerformanceCounter.KERNEL32(?,?,?,000000014000B701), ref: 0000000140009512

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 6fea42819a48a4afed4881e4c4ebd40d5e96c9dc089622f556ea15030f538073
Instruction ID: 889b0898505c66962ad5007b5b7a6c1e2f7b46554a74397a27634bad1ed8c079
Opcode Fuzzy Hash: 6fea42819a48a4afed4881e4c4ebd40d5e96c9dc089622f556ea15030f538073
Instruction Fuzzy Hash: A3014875215A4092EB52CB22F9843D563A1FB5CBE1F486A25FF5B477B8DA39C984C300

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000DEC0, Relevance: 7.5, APIs: 5, Instructions: 35COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00000000,000000014000B799,?,?,?,?,00000001400098DA,?,?,00000000,0000000140011015,?,?,WDREG utility v10.21. Build Aug 31 2010 14:21:54), ref: 000000014000DECA
FlsGetValue.KERNEL32(?,?,00000000,000000014000B799,?,?,?,?,00000001400098DA,?,?,00000000,0000000140011015,?,?,WDREG utility v10.21. Build Aug 31 2010 14:21:54), ref: 000000014000DED8
SetLastError.KERNEL32(?,?,00000000,000000014000B799,?,?,?,?,00000001400098DA,?,?,00000000,0000000140011015,?,?,WDREG utility v10.21. Build Aug 31 2010 14:21:54), ref: 000000014000DF28

Part of subcall function 0000000140014868: Sleep.KERNEL32(?,?,00000000,000000014000DEF3,?,?,00000000,000000014000B799,?,?,?,?,00000001400098DA,?,?,00000000), ref: 00000001400148AD

FlsSetValue.KERNEL32(?,?,00000000,000000014000B799,?,?,?,?,00000001400098DA,?,?,00000000,0000000140011015,?,?,WDREG utility v10.21. Build Aug 31 2010 14:21:54), ref: 000000014000DF04
free.LIBCMT ref: 000000014000DF1F

Part of subcall function 000000014000DDE4: _lock.LIBCMT ref: 000000014000DE54

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: ErrorLastValue$Sleep_lockfree
String ID:
API String ID: 1332947546-0
Opcode ID: 48fd035c66babdcfb002b4d8fea031f47c25062933fe344d85db37b371e60b51
Instruction ID: 35ae319c95b5a31ab139bfe7c834d1ab7035644d0f446119c500e6895c171341
Opcode Fuzzy Hash: 48fd035c66babdcfb002b4d8fea031f47c25062933fe344d85db37b371e60b51
Instruction Fuzzy Hash: 3A01867160160282FB469B63F4483F87251AB8C7E0F098239BF2A473F5DE38C845C211

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140009150, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140008F30: _vfwprintf_p.LIBCMT ref: 0000000140008F66
Part of subcall function 0000000140008F30: _vfwprintf_p.LIBCMT ref: 0000000140008F9A

_vfwprintf_p.LIBCMT ref: 00000001400091BA
_vfwprintf_p.LIBCMT ref: 00000001400091EC

Strings

a+t, xrefs: 00000001400091CF
Error: , xrefs: 0000000140009174

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: _vfwprintf_p
String ID: Error: $a+t
API String ID: 1894331995-2972717919
Opcode ID: cd34162ea68bcc908baac85706e9479d7928e0efcfed15d2710de2d9d6d8d31c
Instruction ID: ab7e97eb591ee9c64244b2a810b8db6d3799e83e84d51186beab3b5e15d3fa26
Opcode Fuzzy Hash: cd34162ea68bcc908baac85706e9479d7928e0efcfed15d2710de2d9d6d8d31c
Instruction Fuzzy Hash: A11179B130074191FA16EB47BD503E9A2A5AB8C7C0F48453ABF49476B6DF3CC9818300

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000CBAC, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,000000FF,000000014000CBF5,?,?,00000028,0000000140009885,?,?,00000000,0000000140011015,?,?,WDREG utility v10.21. Build Aug 31 2010 14:21:54,00000001400110E3), ref: 000000014000CBBB
GetProcAddress.KERNEL32(?,?,000000FF,000000014000CBF5,?,?,00000028,0000000140009885,?,?,00000000,0000000140011015,?,?,WDREG utility v10.21. Build Aug 31 2010 14:21:54,00000001400110E3), ref: 000000014000CBD0

Strings

CorExitProcess, xrefs: 000000014000CBC6
mscoree.dll, xrefs: 000000014000CBB4

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 1646373207-1276376045
Opcode ID: 5092da99a59b7a4caae6aa57a066b0d28cd21f24837f911f9443660e9964c853
Instruction ID: 956d50b35615d0a01cf6c36785494f7403b12cb2c2ebc25cd683b26665dc4f0e
Opcode Fuzzy Hash: 5092da99a59b7a4caae6aa57a066b0d28cd21f24837f911f9443660e9964c853
Instruction Fuzzy Hash: EEE0127076260142FE1B9B92B8857E423919B4C780F48102D5A1F4B3B0EF3DC989C300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140006550, Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 124COMMON

Download Yara Rule

APIs

Part of subcall function 000000014000983C: _FF_MSGBANNER.LIBCMT ref: 000000014000986C
Part of subcall function 000000014000983C: RtlAllocateHeap.NTDLL(?,?,00000000,0000000140011015,?,?,WDREG utility v10.21. Build Aug 31 2010 14:21:54,00000001400110E3,?,?,00000000,000000014000ADE8), ref: 0000000140009891
Part of subcall function 000000014000983C: _errno.LIBCMT ref: 00000001400098B5
Part of subcall function 000000014000983C: _errno.LIBCMT ref: 00000001400098C0

free.LIBCMT ref: 00000001400065EC
free.LIBCMT ref: 0000000140006687

Strings

setupapi.dll, xrefs: 000000014000655D
newdev.dll, xrefs: 000000014000655C

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: _errnofree$AllocateHeap
String ID: newdev.dll$setupapi.dll
API String ID: 2676329746-3632918777
Opcode ID: 781f903651c45e3c61660490b9a3a154c921132f4ee9ae875bc50e739cc1f1fc
Instruction ID: 3f6df8eee86bad0a3e4d21fcbd3b339901039c583e126512682f6b8aa56d7922
Opcode Fuzzy Hash: 781f903651c45e3c61660490b9a3a154c921132f4ee9ae875bc50e739cc1f1fc
Instruction Fuzzy Hash: A241C1B6205A8086EE26DF27B4003AAB791BB4DBE4F084524AFA9577E5DF3DD041C310

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400141D4, Relevance: 6.1, APIs: 4, Instructions: 102COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,?,?,?,?,00000000,00000001,000000014001439A), ref: 000000014001422F
MultiByteToWideChar.KERNEL32(?,?,?,?,?,00000000,00000001,000000014001439A), ref: 00000001400142DC
GetStringTypeW.KERNEL32(?,?,?,?,?,00000000,00000001,000000014001439A), ref: 00000001400142F3
free.LIBCMT ref: 0000000140014307

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: ByteCharMultiWide$StringTypefree
String ID:
API String ID: 3522554955-0
Opcode ID: 7da1cbac8c6507a3dca0eb83f64ca89d857b1f264c14660987f29d64c487fd42
Instruction ID: 4b3e41aaac4c523319f4c2fcdd0b1691afae99557ae246e6dda57e14bd357ec4
Opcode Fuzzy Hash: 7da1cbac8c6507a3dca0eb83f64ca89d857b1f264c14660987f29d64c487fd42
Instruction Fuzzy Hash: 1C415E72610A408AEB129F67D8403D97396F74CBE8F984212FF294BBF5DA79C581C340

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400117B8, Relevance: 6.1, APIs: 4, Instructions: 85COMMON

Download Yara Rule

APIs

_lock.LIBCMT ref: 00000001400117CC
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 000000014001188A
free.LIBCMT ref: 000000014001189E
EnterCriticalSection.KERNEL32 ref: 00000001400118C0

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: CriticalSection$CountEnterInitializeSpin_lockfree
String ID:
API String ID: 1657009446-0
Opcode ID: 5ab1409049612cdfdf1ff449e645b8d4787804c1d28c3191c5387de3db88d048
Instruction ID: d9ed1c18d8d08d3a81d15e85c4b5518bddf79e2b99987c97bb917db125ddc61a
Opcode Fuzzy Hash: 5ab1409049612cdfdf1ff449e645b8d4787804c1d28c3191c5387de3db88d048
Instruction Fuzzy Hash: FB414872610A4496EB569B17F8843E873A1F78CBD4F558229EB5A4B7F6CF39C841C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000E464, Relevance: 6.1, APIs: 4, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00000001400148EC: VirtualQuery.KERNEL32 ref: 000000014001493E
Part of subcall function 00000001400148EC: GetSystemInfo.KERNEL32 ref: 0000000140014955
Part of subcall function 00000001400148EC: SetThreadStackGuarantee.KERNEL32 ref: 0000000140014967
Part of subcall function 00000001400148EC: VirtualAlloc.KERNEL32 ref: 00000001400149C6
Part of subcall function 00000001400148EC: VirtualProtect.KERNEL32 ref: 00000001400149E1

LCMapStringW.KERNEL32 ref: 000000014000E4CA
WideCharToMultiByte.KERNEL32 ref: 000000014000E4FF
free.LIBCMT ref: 000000014000E543
free.LIBCMT ref: 000000014000E569

Part of subcall function 000000014000983C: _FF_MSGBANNER.LIBCMT ref: 000000014000986C
Part of subcall function 000000014000983C: RtlAllocateHeap.NTDLL(?,?,00000000,0000000140011015,?,?,WDREG utility v10.21. Build Aug 31 2010 14:21:54,00000001400110E3,?,?,00000000,000000014000ADE8), ref: 0000000140009891
Part of subcall function 000000014000983C: _errno.LIBCMT ref: 00000001400098B5
Part of subcall function 000000014000983C: _errno.LIBCMT ref: 00000001400098C0

free.LIBCMT ref: 000000014000E55B
free.LIBCMT ref: 000000014000E581

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: free$Virtual$_errno$AllocAllocateByteCharGuaranteeHeapInfoMultiProtectQueryStackStringSystemThreadWide
String ID:
API String ID: 3679212795-0
Opcode ID: 96d928e843ce8828ec5ae0a32e45c54fe1ccddf216220b2b91a3344d597f4183
Instruction ID: 751702e640a4d8f2294bbaf01374199b5458989cf0f5881fb6eb09839563cfe9
Opcode Fuzzy Hash: 96d928e843ce8828ec5ae0a32e45c54fe1ccddf216220b2b91a3344d597f4183
Instruction Fuzzy Hash: C8216DB2200AC08AE762DF22A8103EA7390F7487DDF048515FB495BBA9EB78C545C700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400157A0, Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00000001400157EC
free.LIBCMT ref: 0000000140015889

Part of subcall function 00000001400103EC: _errno.LIBCMT ref: 0000000140010415
Part of subcall function 00000001400103EC: _errno.LIBCMT ref: 000000014001041F

WideCharToMultiByte.KERNEL32 ref: 0000000140015833

Part of subcall function 00000001400176EC: _errno.LIBCMT ref: 0000000140017714

free.LIBCMT ref: 0000000140015857

Part of subcall function 0000000140009750: HeapFree.KERNEL32(?,?,00000000,000000014000DF24,?,?,00000000,000000014000B799,?,?,?,?,00000001400098DA,?,?,00000000), ref: 0000000140009766
Part of subcall function 0000000140009750: _errno.LIBCMT ref: 0000000140009770
Part of subcall function 0000000140009750: GetLastError.KERNEL32(?,?,00000000,000000014000DF24,?,?,00000000,000000014000B799,?,?,?,?,00000001400098DA,?,?,00000000), ref: 0000000140009778

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: _errno$ByteCharMultiWidefree$ErrorFreeHeapLast
String ID:
API String ID: 1683487404-0
Opcode ID: cae1af1a24efbc74868b94edf57096a5cd1d7c1ece8022e82b5c6dc5a9511c43
Instruction ID: d06e273e21aa6cab29cc64ee5bb9be838cb6928b3c8ec1d70d5278f6f08dd075
Opcode Fuzzy Hash: cae1af1a24efbc74868b94edf57096a5cd1d7c1ece8022e82b5c6dc5a9511c43
Instruction Fuzzy Hash: 52215E72615B4486EB55DF23E4443AAB3A0F79CBD5F084619BB8D4FAA9DFBDC0048700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140004B40, Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 0000000140004BAA
FreeLibrary.KERNEL32 ref: 0000000140004BBC
FreeLibrary.KERNEL32 ref: 0000000140004BCE
FreeLibrary.KERNEL32 ref: 0000000140004BE0

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 10290bc9cd2afba518faab4e2d6fc4a4a08d59a7dd4be9d9be6ecdb0164d6b7f
Instruction ID: 79da7c149aab8b2c61792e7f5f247190d4aae75012e4bbbac547288cb299e02a
Opcode Fuzzy Hash: 10290bc9cd2afba518faab4e2d6fc4a4a08d59a7dd4be9d9be6ecdb0164d6b7f
Instruction Fuzzy Hash: 0E21B3B5605B4096FB16DB67B9513A5B3E8FB9C7C0F040259FB4A4BAB5CF38C850C606

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000DDBC, Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

FlsFree.KERNEL32(?,?,?,?,000000014000E115), ref: 000000014000DDCB
DeleteCriticalSection.KERNEL32(?,?,?,00000001,?,?,?,?,?,?,?,?,?,000000014000E115), ref: 0000000140010F4E
free.LIBCMT ref: 0000000140010F57
DeleteCriticalSection.KERNEL32(?,?,?,00000001,?,?,?,?,?,?,?,?,?,000000014000E115), ref: 0000000140010F77

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: CriticalDeleteSection$Freefree
String ID:
API String ID: 1250194111-0
Opcode ID: 99d2d851aa7a26424748e53af535ae9bd1a2a7b7cb3f1d6663ad5d027c26779f
Instruction ID: d01e701ef75905dd9651573a345f7249217491625c13f79af41853f01ca33524
Opcode Fuzzy Hash: 99d2d851aa7a26424748e53af535ae9bd1a2a7b7cb3f1d6663ad5d027c26779f
Instruction Fuzzy Hash: 94119A32601A50D6FA269B13E4453D87360F748BE4F584229F7950BAB9CBBAC8A3C701

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400159F8, Relevance: 6.0, APIs: 4, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0000000140015A3A
_errno.LIBCMT ref: 0000000140015A42
__doserrno.LIBCMT ref: 0000000140015A6A
_errno.LIBCMT ref: 0000000140015A72

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 92010c78e7f16ed010224debf61dc7973fba8325e0209035380f6972b577ff3e
Instruction ID: b5ddc3193423af8fa6a52f10bda340bedd48ea7d1ef6585c224b1a95127e76d0
Opcode Fuzzy Hash: 92010c78e7f16ed010224debf61dc7973fba8325e0209035380f6972b577ff3e
Instruction Fuzzy Hash: 1A01B5B2654604C9FF16AB67D4927EC22909F987F2F9C4309FB2A0F6F2CB7D84414612

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140001B80, Relevance: 6.0, APIs: 4, Instructions: 30COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 0000000140001BA5
FreeLibrary.KERNEL32 ref: 0000000140001BB7
FreeLibrary.KERNEL32 ref: 0000000140001BC9
FreeLibrary.KERNEL32 ref: 0000000140001BDB

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 0aaa8caf2ac11c7b37fc96b0cae5a83f05814bd0172a09ad526bdd5afb4f36c8
Instruction ID: 1c68a36593599726f9af53a282bceea3abe5ce475c3edb9373e220275225fc52
Opcode Fuzzy Hash: 0aaa8caf2ac11c7b37fc96b0cae5a83f05814bd0172a09ad526bdd5afb4f36c8
Instruction Fuzzy Hash: 77018078202B0499FA47DF67AC913E032E5BB8CBC0F54025DFA098B270EF388841C602

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000EF6A, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32 ref: 000000014000EFAE
RaiseException.KERNEL32 ref: 000000014000EFD1

Strings

csm, xrefs: 000000014000F000

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: ExceptionRaise
String ID: csm
API String ID: 3997070919-1018135373
Opcode ID: 3f63e73cee0a0873cea256e8a06039ce86c8d3795c14671306133364d138a610
Instruction ID: baf24f870b760db7d61ae42eec72bf334a271be51036fcdd5705911d714c9339
Opcode Fuzzy Hash: 3f63e73cee0a0873cea256e8a06039ce86c8d3795c14671306133364d138a610
Instruction Fuzzy Hash: E4316F72200681C2E672DF12E048BA97765F39D7E1F458126EF5917BA5CB39D845DB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140008F30, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

_vfwprintf_p.LIBCMT ref: 0000000140008F66
_vfwprintf_p.LIBCMT ref: 0000000140008F9A

Strings

a+t, xrefs: 0000000140008F7D

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: _vfwprintf_p
String ID: a+t
API String ID: 1894331995-2538352713
Opcode ID: 1716c272f5e098cacedfc83b463c79ad8c46bcf2fc770b3ff596a60ffcac0bfe
Instruction ID: 2a2989ac4b8da563255df5fad55c946a651a238cd6ea5f8359dab5e713c9d900
Opcode Fuzzy Hash: 1716c272f5e098cacedfc83b463c79ad8c46bcf2fc770b3ff596a60ffcac0bfe
Instruction Fuzzy Hash: 63019EB270270145FA57D777BC403E962816B4D7E1F880935BF48837A2EF38C9818300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140008350, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32 ref: 000000014000839C
CloseHandle.KERNEL32 ref: 00000001400083AB

Strings

windrvr6, xrefs: 0000000140008359

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID: windrvr6
API String ID: 3498533004-3224109929
Opcode ID: b4daf428e38340600cd84856720fd8905b120d31c1373401ea62757ff2ae5853
Instruction ID: 0ff61f0559a36f75c7dd68d8986631ef19a88b229f9f53a52ee2b24efcc76b6b
Opcode Fuzzy Hash: b4daf428e38340600cd84856720fd8905b120d31c1373401ea62757ff2ae5853
Instruction Fuzzy Hash: F60152B1300A0542EB569B27E45479A2390B788FE5F040225EF6B473E4DF7DC949C711

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140009210, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

_vfwprintf_p.LIBCMT ref: 0000000140009250
_vfwprintf_p.LIBCMT ref: 0000000140009287

Strings

a+t, xrefs: 0000000140009265

Memory Dump Source

Source File: 00000003.00000002.589986281.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.589967892.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590020168.0000000140019000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.590055772.0000000140022000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.590075023.0000000140026000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_wdreg.jbxd

Similarity

API ID: _vfwprintf_p
String ID: a+t
API String ID: 1894331995-2538352713
Opcode ID: c00851732cf69bdb6fbde2343e70937f46acbc608f02d4bc54a2044555c15c78
Instruction ID: fafa2563ae1aa5aed79810f49ad41feeefe842dfc8a95b2677f1973f6b4f29c3
Opcode Fuzzy Hash: c00851732cf69bdb6fbde2343e70937f46acbc608f02d4bc54a2044555c15c78
Instruction Fuzzy Hash: D5017CB120574091FE56DB53B8403EA73A4AB8C7C0F44492ABF8D47BA6DF3CC6918700

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	DLL monitoring, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report CL-Eye-Driver-5.3.0.0341-Emuline.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Analysis Advice

Startup

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

Cryptography:

Privilege Escalation:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

Function 06BA10D3, Relevance: 130.1, APIs: 66, Strings: 8, Instructions: 570
stringfilememoryCOMMON

Function 0040323C, Relevance: 72.0, APIs: 23, Strings: 18, Instructions: 270
filestringcomCOMMON

Function 00405042, Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 278
windowclipboardmemoryCOMMON

Function 10001855, Relevance: 54.5, APIs: 21, Strings: 10, Instructions: 215
memoryCOMMON

Function 00405B88, Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 197
stringCOMMON

Function 0040548B, Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 156
filestringCOMMON

Function 00406131, Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Function 00405E88, Relevance: 4.5, APIs: 3, Instructions: 20
libraryloaderCOMMON

Function 00405E61, Relevance: 3.0, APIs: 2, Instructions: 14
fileCOMMON

Function 00403A45, Relevance: 59.8, APIs: 32, Strings: 2, Instructions: 345
windowstringCOMMON

Function 004036AF, Relevance: 51.0, APIs: 15, Strings: 14, Instructions: 216
stringregistrylibraryCOMMON

Function 00404060, Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 204
windowstringCOMMON

Function 00402C72, Relevance: 30.0, APIs: 5, Strings: 12, Instructions: 203
memoryCOMMON

Function 06881D3B, Relevance: 21.5, APIs: 14, Instructions: 499
stringlibraryloaderCOMMON

Function 00401734, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147
stringtimeCOMMON

Function 10001759, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 77
memoryCOMMON

Function 00404F04, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Function 00403043, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 108
fileCOMMON

Function 10001C59, Relevance: 12.1, APIs: 8, Instructions: 51
windowCOMMON

Function 00402F18, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 109
fileCOMMON

Function 00401F51, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 73
libraryloaderCOMMON

Function 004015B3, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55
COMMON

Function 0040586C, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 32
COMMON

Function 00405F82, Relevance: 7.7, APIs: 4, Strings: 1, Instructions: 198
COMMON

Function 00401CC1, Relevance: 7.5, APIs: 5, Instructions: 39
windowCOMMON

Function 0688198F, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118
COMMON

Function 00401BAD, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76
windowtimeCOMMON

Function 100013FB, Relevance: 6.0, APIs: 4, Instructions: 44
memoryCOMMON

Function 00403208, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20
COMMON

Function 00406566, Relevance: 5.2, APIs: 4, Instructions: 236
COMMON

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre