Edit tour

Windows Analysis Report
https://gscs-b2c.lge.com/downloadFile?fileId=JCmfbdhuo6i4ujSC2MbC6Q

Overview

General Information

Sample URL:	https://gscs-b2c.lge.com/downloadFile?fileId=JCmfbdhuo6i4ujSC2MbC6Q
Analysis ID:	636152
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

PE file has a writeable .text section

Contains functionality to hide user accounts

Yara detected Generic Downloader

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Found evasive API chain (date check)

PE file contains sections with non-standard names

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Contains functionality which may be used to detect a debugger (GetProcessHeap)

PE file contains executable resources (Code or Archives)

Entry point lies outside standard sections

Abnormal high CPU Usage

Is looking for software installed on the system

PE file does not import any functions

PE file contains strange resources

Drops PE files

Found evasive API chain checking for process token information

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

cmd.exe (PID: 6328 cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://gscs-b2c.lge.com/downloadFile?fileId=JCmfbdhuo6i4ujSC2MbC6Q" > cmdline.out 2>&1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

wget.exe (PID: 6416 cmdline: wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://gscs-b2c.lge.com/downloadFile?fileId=JCmfbdhuo6i4ujSC2MbC6Q" MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)

7za.exe (PID: 5876 cmdline: 7za x -y -pinfected -o"C:\Users\user\Desktop\extract" "C:\Users\user\Desktop\download\Win_OSC_7.48.zip" MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)

conhost.exe (PID: 6948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

OSC_Gaming_7.48.exe (PID: 980 cmdline: "C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe" MD5: 3ACB26F0E75E1DF8A687C40E3F812BC4)

dotNetFx40_Full_x86_x64.exe (PID: 6568 cmdline: "C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe" /q /norestart MD5: 251743DFD3FDA414570524BAC9E55381)

OSC_Gaming_7.48.exe (PID: 6984 cmdline: "C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe" MD5: 3ACB26F0E75E1DF8A687C40E3F812BC4)

OSC_Gaming_7.48.exe (PID: 4584 cmdline: "C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe" MD5: 3ACB26F0E75E1DF8A687C40E3F812BC4)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000025.00000003.1030578560.000000000704E000.00000004.00000800.00020000.00000000.sdmp	wce	wce	Benjamin DELPY (gentilkiwi)	0x32800:$hex_legacy: 8B FF 55 8B EC 6A 00 FF 75 0C FF 75 08 E8 5D C2 08 00
00000025.00000003.1034122196.0000000007D6E000.00000004.00000800.00020000.00000000.sdmp	wce	wce	Benjamin DELPY (gentilkiwi)	0x10295d:$hex_legacy: 8B FF 55 8B EC 6A 00 FF 75 0C FF 75 08 E8 5D C2 08 00

Unpacked PEs

Source	Rule	Description	Author	Strings
37.3.dotNetFx40_Full_x86_x64.exe.705f24b.25.unpack	wce	wce	Benjamin DELPY (gentilkiwi)	0x209b5:$hex_legacy: 8B FF 55 8B EC 6A 00 FF 75 0C FF 75 08 E8 5D C2 08 00
37.3.dotNetFx40_Full_x86_x64.exe.705f24b.25.raw.unpack	wce	wce	Benjamin DELPY (gentilkiwi)	0x215b5:$hex_legacy: 8B FF 55 8B EC 6A 00 FF 75 0C FF 75 08 E8 5D C2 08 00
37.3.dotNetFx40_Full_x86_x64.exe.7e2a3b0.34.raw.unpack	wce	wce	Benjamin DELPY (gentilkiwi)	0x465ad:$hex_legacy: 8B FF 55 8B EC 6A 00 FF 75 0C FF 75 08 E8 5D C2 08 00
37.3.dotNetFx40_Full_x86_x64.exe.7dace44.33.raw.unpack	wce	wce	Benjamin DELPY (gentilkiwi)	0xc3b19:$hex_legacy: 8B FF 55 8B EC 6A 00 FF 75 0C FF 75 08 E8 5D C2 08 00
37.3.dotNetFx40_Full_x86_x64.exe.7ae51c4.30.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
37.3.dotNetFx40_Full_x86_x64.exe.7dd4b3c.32.raw.unpack	wce	wce	Benjamin DELPY (gentilkiwi)	0x9be21:$hex_legacy: 8B FF 55 8B EC 6A 00 FF 75 0C FF 75 08 E8 5D C2 08 00
Click to see the 1 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: 37.3.dotNetFx40_Full_x86_x64.exe.cc2928.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 37.3.dotNetFx40_Full_x86_x64.exe.cec930.1.unpack	Avira: Label: TR/Patched.Ren.Gen

Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	Code function: 37_2_0125751D CryptAcquireContextA,GetLastError,CryptGenRandom,GetLastError,CryptReleaseContext,		37_2_0125751D
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	Code function: 37_2_01257C12 LoadLibraryW,GetLastError,GetProcAddress,GetLastError,DecryptFileW,GetLastError,		37_2_01257C12

Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\1033\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\1025\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\1028\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\1030\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\1031\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\1029\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\1036\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\1035\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\1032\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\1038\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\1037\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\1040\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\1041\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\1042\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\1044\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\1043\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\1046\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\1045\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\1055\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\1053\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\2052\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\1049\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\3082\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\2070\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\3076\eula.rtf	Jump to behavior

Source:	Binary string: wpftxt_v0400.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1035930893.00000000084B8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: <DebugSymbolsProjectOutputGroupDependency Include="@(_ReferenceRelatedPaths->'%(FullPath)')" Condition="'%(Extension)' == '.pdb'"/> source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 4.0.dll.exe.pdb.xml-TargetFrameworkSubsets;InstalledAssemblySubsetTables7FullFrameworkAssemblyTables=FullTargetFrameworkSubsetNames source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: aspnet_regiis.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1039632408.0000000008687000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Data.Entity.Design.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: aspnet_regbrowsers.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1039632408.0000000008687000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.EnterpriseServices.Thunk.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: aspnet_perf.pdb9> source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1039632408.0000000008687000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Temp\1\ilca74e6feca-34d3-48ad-9b77-e765b9fbef06\Microsoft.Build.Tasks.v4.0.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Temp\1\ilca2a83e267-7f7d-4216-aa5c-0ca1e5bfb4f4\Microsoft.Build.Conversion.v4.0.pdb' source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: TlbRef.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1029670511.0000000006DC8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: aspnet_filter.pdb`[j[t[\|[ source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1039632408.0000000008687000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: sbscmp10.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Data.Services.Design.pdbG source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Workflow.Runtime.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Data.Services.Design.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ServiceMonikerSupport.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Workflow.ComponentModel.pdbjJ source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: UIAutomationProvider.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1034122196.0000000007D6E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wpffontcache_v0400.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1034122196.0000000007D6E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: $(IntermediateOutputPath)$(XamlTemporaryAssemblyName).pdb" source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: Microsoft.Data.Entity.Build.Tasks.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Web.DynamicData.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: FileTracker.pdb` source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019050543.0000000004D02000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Temp\1\ilca99fdc434-123c-406d-b00d-fdf344963d45\Microsoft.Build.Utilities.v4.0.pdbJ source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: webengine.pdb) source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1029670511.0000000006DC8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: AspNetMMCExt.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019050543.0000000004D02000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Web.Entity.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Web.DynamicData.Design.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: aspnet_counters.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1039632408.0000000008687000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ComSvcConfig.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019050543.0000000004D02000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: <!-- Whether or not a .pdb file is produced. --> source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: aspnet_isapi.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1039632408.0000000008687000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: aspnet_isapi.pdb) source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1039632408.0000000008687000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: aspnet_filter.pdbN source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1039632408.0000000008687000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Runtime.Remoting.pdboo source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: clretwrc.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019050543.0000000004D02000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Web.Routing.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Temp\1\ilca204e016b-af71-45e4-a74f-7e966c67d9a6\Microsoft.Build.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: EdmGen.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019050543.0000000004D02000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: UIAutomationProvider.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1034122196.0000000007D6E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Web.DataVisualization.Design.pdbKj source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: $(IntermediateOutputPath)$(XamlTemporaryAssemblyName).pdb" /> source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Workflow.Activities.pdb: source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: aspnet_regiis.pdb!` source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1039632408.0000000008687000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Workflow.ComponentModel.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Web.Abstractions.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Input.Manipulations.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1032696211.0000000007AC2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: boxstub.pdb source: dotNetFx40_Full_x86_x64.exe
Source:	Binary string: System.Drawing.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Management.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: XamlBuildTask.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp, dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1043244256.0000000000CAE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wpfgfx_v0400.pdb9 source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1035504546.000000000833C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: Microsoft.Workflow.Compiler.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Web.Entity.Design.pdb\ source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Numerics.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Web.DataVisualization.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1039632408.0000000008687000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: EdmGen.pdb8D source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019050543.0000000004D02000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Messaging.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.WasHosting.pdbNjhj Zj_CorDllMainmscoree.dll source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: aspnet_regiis.pdbiB source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1039632408.0000000008687000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Web.Extensions.Design.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Presentation.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1032696211.0000000007AC2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: UIAutomationClient.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1034122196.0000000007D6E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: Copy references that are marked as "CopyLocal" and their dependencies, including .pdbs, .xmls and satellites. source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: TlbRef.pdb@ source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1029670511.0000000006DC8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: UIAutomationTypes.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1034122196.0000000007D6E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Workflow.Activities.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Security.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ComSvcConfig.pdb@{ source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019050543.0000000004D02000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: DataSvcUtil.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019050543.0000000004D02000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.DataVisualization.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1039632408.0000000008687000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Temp\1\ilca99fdc434-123c-406d-b00d-fdf344963d45\Microsoft.Build.Utilities.v4.0.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: aspnet_perf.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1039632408.0000000008687000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualC.STLCLR.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Web.Extensions.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: WindowsBase.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1034122196.0000000007D6E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: <!-- Record the .pdb if one was produced. --> source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.ServiceProcess.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: Microsoft.Data.Entity.Build.Tasks.pdb9 source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.Web.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.EnterpriseServices.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: WsatConfig.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Web.DataVisualization.Design.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.EnterpriseServices.Wrapper.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Web.Services.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: UIAutomationClientsideProviders.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1034122196.0000000007D6E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: <!-- Add any missing .pdb extension, as the compiler does --> source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Runtime.Serialization.Formatters.Soap.pdbx source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Workflow.Runtime.pdb;: source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.pdb* source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: @(_ReferenceRelatedPaths) - Paths to .xmls and .pdbs. source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Web.Routing.pdbZ^t^ f^_CorDllMainmscoree.dll source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: UIAutomationCore.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1034122196.0000000007D6E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: aspnet_filter.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1039632408.0000000008687000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: aspnet_compiler.pdbDp^p Pp_CorExeMainmscoree.dll source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1039632408.0000000008687000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: aspnet_counters.pdbY" source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1039632408.0000000008687000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Numerics.pdb/ source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Web.RegularExpressions.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1029670511.0000000006DC8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Data.Services.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.Activation.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: PresentationBuildTasks.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Runtime.Remoting.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Runtime.Serialization.Formatters.Soap.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ilasm.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019050543.0000000004D02000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: webengine.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1029670511.0000000006DC8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.WasHosting.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1034122196.0000000007D6E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Transactions.pdbv source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.ServiceMoniker40.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdbJ source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1034122196.0000000007D6E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: WMINet_Utils.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1034122196.0000000007D6E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Temp\1\ilcaac540338-5a68-4975-889b-93a13c396061\Microsoft.Build.Framework.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: .pdbError: CoCreateInstance(IID_ISymUnmanagedWriter) returns %X source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019050543.0000000004D02000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: <_DebugSymbolsIntermediatePath Include="@(_DebugSymbolsIntermediatePathTemporary->'%(RootDir)%(Directory)%(Filename).pdb')"/> source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wpfgfx_v0400.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1035012731.000000000817A000.00000004.00000800.00020000.00000000.sdmp, dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1035504546.000000000833C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Xaml.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1032696211.0000000007AC2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: webengine4.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1029670511.0000000006DC8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Temp\1\ilca08cb66d7-c242-441b-8811-f78f134a4521\Microsoft.Build.Engine.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: .pdb; source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Transactions.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ServiceMonikerSupport.pdbI$ source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.DataVisualization.Design.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Temp\1\ilca74e6feca-34d3-48ad-9b77-e765b9fbef06\Microsoft.Build.Tasks.v4.0.pdbZ\ source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: aspnet_compiler.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1039632408.0000000008687000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: WindowsFormsIntegration.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1034122196.0000000007D6E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: <!-- Copy the debug information file (.pdb), if any --> source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: MmcAspExt.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp, dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022336269.000000000541F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Management.pdbI source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Temp\1\ilcaac540338-5a68-4975-889b-93a13c396061\Microsoft.Build.Framework.pdb} source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: <_DebugSymbolsIntermediatePath Include="$(IntermediateOutputPath)$(TargetName).pdb" Condition="'$(_DebugSymbolsProduced)'=='true' and '@(_DebugSymbolsIntermediatePath)'==''"/> source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Web.Entity.Design.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: FileTracker.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019050543.0000000004D02000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: aspnet_regbrowsers.pdbhI~I pI_CorExeMainmscoree.dll source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1039632408.0000000008687000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: WMINet_Utils.pdbY<L> source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1034122196.0000000007D6E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Presentation.pdb'CAC 3C_CorDllMainmscoree.dll source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1032696211.0000000007AC2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Web.Mobile.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1029670511.0000000006DC8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Temp\1\ilca2a83e267-7f7d-4216-aa5c-0ca1e5bfb4f4\Microsoft.Build.Conversion.v4.0.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	Code function: 33_2_004386C5 __EH_prolog,FindFirstFileW,FindClose,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,RemoveDirectoryW,FindClose,DeleteFileW,	33_2_004386C5
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	Code function: 33_2_00417C8A __EH_prolog,FindFirstFileW,FindClose,FindClose,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrlenW,lstrcpyW,lstrcatW,SysStringLen,lstrcatW,GetFileAttributesW,lstrcatW,lstrcmpiW,lstrcpynW,lstrcmpiW,lstrcmpiW,SysStringLen,WriteFile,WriteFile,lstrcmpiW,lstrcpyW,lstrcatW,lstrcatW,DeleteFileW,lstrcpyW,FindClose,FindClose,	33_2_00417C8A
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	Code function: 37_2_012592BB GetFileAttributesW,GetLastError,SetFileAttributesW,SetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,GetLastError,DeleteFileW,GetLastError,FindNextFileW,GetLastError,FindClose,RemoveDirectoryW,GetLastError,	37_2_012592BB
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	Code function: 37_2_0125A7B1 FindFirstFileW,GetLastError,FindNextFileW,CloseHandle,FindClose,	37_2_0125A7B1
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	Code function: 38_2_004386C5 __EH_prolog,FindFirstFileW,FindClose,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,RemoveDirectoryW,FindClose,DeleteFileW,	38_2_004386C5
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	Code function: 38_2_00424BBF FindFirstFileW,GetFileAttributesW,SetFileAttributesW,DeleteFileW,FindClose,	38_2_00424BBF
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	Code function: 38_2_00417C8A __EH_prolog,FindFirstFileW,FindClose,FindClose,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrlenW,lstrcpyW,lstrcatW,#7,lstrcatW,GetFileAttributesW,lstrcatW,lstrcmpiW,lstrcpynW,lstrcmpiW,lstrcmpiW,#7,WriteFile,WriteFile,lstrcmpiW,lstrcpyW,lstrcatW,lstrcatW,DeleteFileW,lstrcpyW,FindClose,FindClose,	38_2_00417C8A

Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe

Code function: 37_2_0125774A GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLastError,GetLogicalDriveStringsW,CharUpperW,_wcschr,GetDiskFreeSpaceExW,

37_2_0125774A

Networking

Yara detected Generic Downloader

Source: Yara match

File source: 37.3.dotNetFx40_Full_x86_x64.exe.7ae51c4.30.raw.unpack, type: UNPACKEDPE

Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://asp.net/ApplicationServices/v200D
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://asp.net/ApplicationServices/v200TU
Source: wget.exe, 00000002.00000002.742524395.0000000001098000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.741954291.0000000001094000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl
Source: wget.exe, 00000002.00000002.742524395.0000000001098000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.741954291.0000000001094000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo.com/foo
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019050543.0000000004D02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://localhost/data.svc
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1032696211.0000000007AC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://my.netscape.com/publish/formats/rss-0.91.dtd
Source: OSC_Gaming_7.48.exe, 00000021.00000002.1070579167.0000000002380000.00000004.00000020.00020000.00000000.sdmp, OSC_Gaming_7.48.exe, 00000021.00000002.1070942131.00000000027FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://saturn.installshield.com/is/prerequisites/Microsoft
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/#If-Modified-Since
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/disco/
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/disco/:discovery
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/disco/:discoveryRef
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/disco/?
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/disco/O
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/disco/schema/
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/disco/schema/:schemaRef
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/disco/scl/
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/disco/scl/:contractRef
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/disco/scl/Bhttp://schemas.xmlsoap.org/disco/Zurn:schemas-dynamicdiscovery
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/disco/soap/
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/disco/soap/:soap%:address
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/disco/soap/S
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/disco/soap/W
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp, dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019050543.0000000004D02000.00000004.00000800.00020000.00000000.sdmp, dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1032696211.0000000007AC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding//
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp, dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019050543.0000000004D02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/=
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/G
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/http
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/httpqTheMethodsAndUseTheSameRequestElementAndSoapActionXmlns6
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/mex
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1032696211.0000000007AC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/1SchemaSyntaxErrorDetails%XmlSchemaNamedItem
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/2003-02-11.xsd
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/:binding
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/:definitions
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/:documentation
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/:fault
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/:import
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/:input
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/:message
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/:operation
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/:output
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/:part
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/:port
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/:portType
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/:required
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/:service
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/:types
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/Z
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/http/
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/http/$System.Web.Services.Description.Port
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/http/$System.Web.Services.Description.Port/
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/http/0System.Web.Services.Description.OperationBinding
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/http/0System.Web.Services.Description.OperationBindingb
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/http/:address
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/http/:binding
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/http/:operation
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/http/:urlEncoded
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/http/:urlReplacement
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/http/Z
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/mime/
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/mime/(System.Web.Services.Description.MimePart
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/mime/:content
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/mime/:mimeXml
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/mime/:multipartRelated
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/mime/:part
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap/
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap/$System.Web.Services.Description.Port
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap/$System.Web.Services.Description.PortY
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap/0System.Web.Services.Description.OperationBinding
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap/0System.Web.Services.Description.OperationBindingg
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap/2003-02-11.xsd.
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap/:address
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap/:binding
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap/:fault
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap/:headerfaultShttp://schemas.xmlsoap.org/wsdl/:requiredehttp://m
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap/:operation
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap/Hhttp://schemas.xmlsoap.org/soap/httpNhttp://schemas.xmlsoap.or
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/$System.Web.Services.Description.Port
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/$System.Web.Services.Description.PortG
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/0System.Web.Services.Description.OperationBinding
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/:addressihttp://schemas.xmlsoap.org/wsdl/:required
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/:binding
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/:fault
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/:headerfault
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/:operation
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/Khttp://schemas.xmlsoap.org/wsdl/http/Khttp://schemas.xmlsoap
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/e
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1029670511.0000000006DC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://server/application/trace.axd).
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019050543.0000000004D02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019050543.0000000004D02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/SampleNamespace
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc4287
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1034122196.0000000007D6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://uri.etsi.org/01903/v1.2.2#3StreamDoesNotSupportWrite
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1034122196.0000000007D6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://uri.etsi.org/01903/v1.2.2#SignedProperties
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1034122196.0000000007D6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://uri.etsi.org/01903/v1.2.2#bhttp://uri.etsi.org/01903/v1.2.2#SignedProperties
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://validator.w3.org/feed/docs/rss2.html
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ws-i.org/profiles/basic/1.1
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ws-i.org/schemas/conformanceClaim/
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.ietf.org/rfc/rfc2396.txt
Source: OSC_Gaming_7.48.exe	String found in binary or memory: http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.mozilla.org/newlayout/xml/parsererror.xml
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.rfc-editor.org/rfc/rfc5023.txt
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1029670511.0000000006DC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.wapforum.org/DTD/wml_1.1.xml
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1029670511.0000000006DC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.wapforum.org/DTD/xhtml-mobile10.dtd
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1029670511.0000000006DC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.wapforum.org/dtd/wml20.dtd
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.ws-i.org/Profiles/BasicProfile-1.1.html
Source: OSC_Gaming_7.48.exe, 00000021.00000002.1071092654.0000000010001000.00000040.00000001.01000000.0000000C.sdmp	String found in binary or memory: https://ftp://toys::file_lite.text.rdata.debugSharedFileCountIncrementFile=%s
Source: wget.exe, 00000002.00000002.742611627.0000000001196000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gscs-b2c.lge.com/downloadFile?fileId=JCmfbdhuo6i4ujSC2MbC6Q

System Summary

PE file has a writeable .text section

Source: ISSetup.dll.33.dr

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 37.3.dotNetFx40_Full_x86_x64.exe.705f24b.25.unpack, type: UNPACKEDPE	Matched rule: wce author = Benjamin DELPY (gentilkiwi), description = wce, tool_author = Hernan Ochoa (hernano)
Source: 37.3.dotNetFx40_Full_x86_x64.exe.705f24b.25.raw.unpack, type: UNPACKEDPE	Matched rule: wce author = Benjamin DELPY (gentilkiwi), description = wce, tool_author = Hernan Ochoa (hernano)
Source: 37.3.dotNetFx40_Full_x86_x64.exe.7e2a3b0.34.raw.unpack, type: UNPACKEDPE	Matched rule: wce author = Benjamin DELPY (gentilkiwi), description = wce, tool_author = Hernan Ochoa (hernano)
Source: 37.3.dotNetFx40_Full_x86_x64.exe.7dace44.33.raw.unpack, type: UNPACKEDPE	Matched rule: wce author = Benjamin DELPY (gentilkiwi), description = wce, tool_author = Hernan Ochoa (hernano)
Source: 37.3.dotNetFx40_Full_x86_x64.exe.7dd4b3c.32.raw.unpack, type: UNPACKEDPE	Matched rule: wce author = Benjamin DELPY (gentilkiwi), description = wce, tool_author = Hernan Ochoa (hernano)
Source: 00000025.00000003.1030578560.000000000704E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: wce author = Benjamin DELPY (gentilkiwi), description = wce, tool_author = Hernan Ochoa (hernano)
Source: 00000025.00000003.1034122196.0000000007D6E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: wce author = Benjamin DELPY (gentilkiwi), description = wce, tool_author = Hernan Ochoa (hernano)

Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe

Code function: 38_2_0042FE59 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,

38_2_0042FE59

Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	Code function: 33_2_0044A0C0	33_2_0044A0C0
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	Code function: 33_2_00448260	33_2_00448260
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	Code function: 33_2_004440F4	33_2_004440F4
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	Code function: 33_2_00440667	33_2_00440667
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	Code function: 37_2_0125F9FE	37_2_0125F9FE
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	Code function: 37_2_01263049	37_2_01263049
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	Code function: 37_2_01260BD0	37_2_01260BD0
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	Code function: 37_2_01264252	37_2_01264252
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	Code function: 37_2_0126630E	37_2_0126630E
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	Code function: 37_2_012673D8	37_2_012673D8
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	Code function: 38_2_0044A0C0	38_2_0044A0C0
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	Code function: 38_2_004440F4	38_2_004440F4
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	Code function: 38_2_00448260	38_2_00448260
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	Code function: 38_2_00440667	38_2_00440667
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	Code function: 38_2_00436C72	38_2_00436C72
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	Code function: 38_2_0043DA40	38_2_0043DA40

Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	Code function: String function: 0125854A appears 42 times
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	Code function: String function: 01274DF4 appears 44 times
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	Code function: String function: 0040B34B appears 136 times
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	Code function: String function: 00410501 appears 45 times
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	Code function: String function: 0040176A appears 73 times
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	Code function: String function: 0043AE17 appears 42 times
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	Code function: String function: 0040840D appears 39 times
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	Code function: String function: 00401732 appears 156 times
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	Code function: String function: 004392EF appears 36 times
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	Code function: String function: 0043B644 appears 701 times
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	Code function: String function: 0043BA1F appears 31 times
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	Code function: String function: 0040A5F5 appears 88 times
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	Code function: String function: 004057E0 appears 35 times

Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe

Code function: 37_2_01257A0A: GetDriveTypeW,SetErrorMode,SetErrorMode,SetErrorMode,CreateFileW,DeviceIoControl,CloseHandle,SetErrorMode,

37_2_01257A0A

Source: SetupResources.dll16.37.dr

Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: C:\Windows\SysWOW64\wget.exe

Process Stats: CPU usage > 98%

Source: SetupResources.dll21.37.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll5.37.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll3.37.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll16.37.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll11.37.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll15.37.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll7.37.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll1.37.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll9.37.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll10.37.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll13.37.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll23.37.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll4.37.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll18.37.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll12.37.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll17.37.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll22.37.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll19.37.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll20.37.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll.37.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll6.37.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll2.37.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll8.37.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll0.37.dr	Static PE information: No import functions for PE file found
Source: SetupResources.dll14.37.dr	Static PE information: No import functions for PE file found

Source: OSC_Gaming_7.48.exe.31.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: OSC_Gaming_7.48.exe.31.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: OSC_Gaming_7.48.exe.31.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ISSetup.dll.33.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ISSetup.dll.33.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ISSetup.dll.33.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dotNetFx40_Full_x86_x64.exe.33.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vcredist_x86.exe.33.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vcredist_x64.exe.33.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: setup.exe.33.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: setup.exe.33.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: setup.exe.33.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Setup.exe.37.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Setup.exe.37.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Setup.exe.37.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Setup.exe.37.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: ISSetup.dll.33.dr

Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

Source: ISSetup.dll.33.dr

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: vcredist_x86.exe.33.dr	Static PE information: Section: .rsrc ZLIB complexity 0.999106813499
Source: vcredist_x64.exe.33.dr	Static PE information: Section: .rsrc ZLIB complexity 0.99922917794

Source: C:\Windows\SysWOW64\wget.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://gscs-b2c.lge.com/downloadFile?fileId=JCmfbdhuo6i4ujSC2MbC6Q" > cmdline.out 2>&1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://gscs-b2c.lge.com/downloadFile?fileId=JCmfbdhuo6i4ujSC2MbC6Q"
Source: unknown	Process created: C:\Windows\SysWOW64\7za.exe 7za x -y -pinfected -o"C:\Users\user\Desktop\extract" "C:\Users\user\Desktop\download\Win_OSC_7.48.zip"
Source: C:\Windows\SysWOW64\7za.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe "C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe"
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	Process created: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe "C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe" /q /norestart
Source: unknown	Process created: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe "C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe"
Source: unknown	Process created: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe "C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://gscs-b2c.lge.com/downloadFile?fileId=JCmfbdhuo6i4ujSC2MbC6Q"	Jump to behavior
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	Process created: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe "C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe" /q /norestart	Jump to behavior
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe

Code function: 38_2_0042FE59 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,

38_2_0042FE59

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\Desktop\cmdline.out

Jump to behavior

Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe

File created: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\

Jump to behavior

Source: classification engine

Classification label: mal52.troj.win@13/217@0/2

Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe

File read: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\setup.ini

Jump to behavior

Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe

Code function: 33_2_0040E346 lstrcpyW,lstrcatW,GetDiskFreeSpaceExW,GetDiskFreeSpaceW,

33_2_0040E346

Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe

Code function: 37_2_01258DAE FormatMessageW,GetLastError,LocalFree,

37_2_01258DAE

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6948:120:WilError_01
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	Mutant created: \Sessions\1\BaseNamedObjects\E5C1B339-0E4E-49A5-859E-5E1DE1938706
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6384:120:WilError_01

Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe

Code function: 33_2_00402AB2 FindResourceW,LoadResource,SizeofResource,GlobalAlloc,LockResource,

33_2_00402AB2

Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: MSB4098: MSBuild is invoking VCBuild to build this project. Project-to-project references between VC++ projects (.VCPROJ) and C#/VB/VJ# projects (.CSPROJ, .VBPROJ, .VJSPROJ) are not supported by the command-line build systems when building stand-alone VC++ projects. Projects that contain such project-to-project references will fail to build. Please build the solution file containing this project instead.
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: MSB2013: The project-to-project reference with GUID {0} could not be converted because a valid .SLN file containing all projects could not be found.
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1029670511.0000000006DC8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: <add path=".csproj" verb="" type="System.Web.HttpForbiddenHandler" validate="true" />
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: MSB4126: The specified solution configuration "{0}" is invalid. Please specify a valid solution configuration using the Configuration and Platform properties (e.g. MSBuild.exe Solution.sln /p:Configuration=Debug /p:Platform="Any CPU") or leave those properties blank to use the default solution configuration.
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: <SolutionExt Condition="'$(SolutionExt)'==''">Undefined</SolutionExt> <!-- Example, .sln -->
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: <SolutionPath Condition="'$(SolutionPath)'==''">Undefined</SolutionPath> <!-- Example, f:\MySolutions\MySolution\MySolution.sln -->
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: *.sln.sln
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1029670511.0000000006DC8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tryRemoving ASPNET account from registryNetUserDelDeleting ASPNET accountEnableUserAccountDisabling ASPNET accountACLAllDirsSetting ACLs for the ASPNET accountRemoving Machine account from Users groupRegisterAccountToLocalGroupRemoving Machine account from Guests groupGetting Machine Account SIDIsDomainControllerDetermining if we are running on a domain controllerSOFTWARE\Microsoft\Passport\KeyDataroot\aspnetSetting ACLs on dirs and WMINT Service\WMSVCCreateASPNetAccount/binASP.NET v4.0.30319ASP.NET v4.0.30319 (32-bit)RegisterInProcRegistering InProcessIsapiApps property in IIS metabaseUnregisterInProcUnregistering InProcessIsapiApps property in IIS metabase,RootVerDefaultDocInstalled/LM/w3svc//LM/UnregisterCustomHeaderUnregistering custom header properties in IIS metabase1.2.0.0/AppPools/GetNativeSystemInfoUnregisterScriptMapsUnregistering scriptmap properties in IIS metabaseFiltersASP.NET Cookieless Session FilterIIsFilterASP.NET_4.0.30319.0/Filters/ASP.NET_4.0.30319.0ASP.NET_/Filters/ASP.NET_RegisterFilterRegistering ISAPI Filter in IIS metabaseUnregisterFilterUnregistering ISAPI Filter in IIS metabaseRegisterDefaultDocumentRegistering DefaultDoc properties in IIS metabaseUnregisterDefaultDocumentUnregistering DefaultDoc properties in IIS metabase/LM/MimeMapUnregisterMimeMapUnregistering MimeMap property in IIS metabaseRegisterMimeMapRegistering MimeMap property in IIS metabaseRegister custom header properties in IIS metabaseRegisterCustomHeaderRegistering custom header properties in IIS metabaseX-Powered-By: ASP.NET.application,application/deployment,.manifest,application/deploymentCheckIISStateCheck the status of IISIsRegisteredInProcCheck InProcessIsapiApps property in IIS metabase to see if current version of ASP.NET is registered/aspnet_regiis_helper_2 /scriptmap RegisterScriptMapsRegistering scriptmap properties in IIS metabaseiisadminw3svcASP.NET v1.1.4322RegisterIISUpdate IIS Metabase to use this ASP.NET isapiUnregisterIISRemoving IIS Metabase entries.vbhtml.vbhtm.cshtml.cshtm.aspq.rules.xamlx.xoml.refresh.exclude.java.ldf.mdf.svc.ldb.sdmDocument.sdm.lddprototype.adprototype.cd.sd.ldd.dd.ad.msgx.sitemap.vjsproj.jsl.mdb.browser.compiled.skin.master.resources.resx.licx.webinfo.vbproj.vb.csproj.cs.config.soap.rem.vsdisco.axd.aspx.asmx.ashx.ascx*.asaxlockItem\v4.0path<configuration>
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: that exist on disk. For IDE builds and command-line .SLN builds, the solution build manager
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1029670511.0000000006DC8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: <add path=".csproj" verb="" type="System.Web.HttpForbiddenHandler" validate="True" />
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: <SolutionFileName Condition="'$(SolutionFileName)'==''">Undefined</SolutionFileName> <!-- Example, MySolution.sln -->
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: <!-- NOTE: The item Include and the Exists function are operating relative to the PROJECT (.csproj, .vbproj etc.) directory in this case -->
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp, dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: .vbproj
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: <!-- Example, c:\MyProjects\MyProject\MyProject.csproj -->
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: uration "{0}" is invalid. Please specify a valid solution configuration using the Configuration and Platform properties (e.g. MSBuild.exe Solution.sln /p:Configuration=Debug /p:Platform="Any CPU") or leave those properties blank to use the default solution configuration.
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: <ProjectFileName Condition=" '$(ProjectFileName)' == '' ">$(MSBuildProjectFile)</ProjectFileName> <!-- Example, MyProject.csproj -->
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \\?\globalroot.sln
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp, dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: .csproj
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: <ProjectExt Condition=" '$(ProjectExt)' == '' ">$(MSBuildProjectExtension)</ProjectExt> <!-- Example, .csproj -->
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: yMSB4051: Project {0} is referencing a project with GUID {1}, but a project with this GUID was not found in the .SLN file.
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: .csprojM{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: .vbprojM{F184B08F-C81C-45F6-A57F-5ABD9991F28F}
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Unexpected return type from this.rawGroups.ItemGroupsAndChooses.sln
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1029670511.0000000006DC8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: <add path=".vbproj" verb="" type="System.Web.HttpForbiddenHandler" validate="True" />
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1029670511.0000000006DC8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: <add path=".vbproj" verb="" type="System.Web.HttpForbiddenHandler" validate="true" />
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: .config.sln

Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe

File written: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\0x0404.ini

Jump to behavior

Source: C:\Windows\SysWOW64\wget.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source:	Binary string: wpftxt_v0400.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1035930893.00000000084B8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: <DebugSymbolsProjectOutputGroupDependency Include="@(_ReferenceRelatedPaths->'%(FullPath)')" Condition="'%(Extension)' == '.pdb'"/> source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 4.0.dll.exe.pdb.xml-TargetFrameworkSubsets;InstalledAssemblySubsetTables7FullFrameworkAssemblyTables=FullTargetFrameworkSubsetNames source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: aspnet_regiis.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1039632408.0000000008687000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Data.Entity.Design.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: aspnet_regbrowsers.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1039632408.0000000008687000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.EnterpriseServices.Thunk.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: aspnet_perf.pdb9> source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1039632408.0000000008687000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Temp\1\ilca74e6feca-34d3-48ad-9b77-e765b9fbef06\Microsoft.Build.Tasks.v4.0.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Temp\1\ilca2a83e267-7f7d-4216-aa5c-0ca1e5bfb4f4\Microsoft.Build.Conversion.v4.0.pdb' source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: TlbRef.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1029670511.0000000006DC8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: aspnet_filter.pdb`[j[t[\|[ source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1039632408.0000000008687000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: sbscmp10.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Data.Services.Design.pdbG source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Workflow.Runtime.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Data.Services.Design.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ServiceMonikerSupport.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Workflow.ComponentModel.pdbjJ source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: UIAutomationProvider.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1034122196.0000000007D6E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wpffontcache_v0400.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1034122196.0000000007D6E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: $(IntermediateOutputPath)$(XamlTemporaryAssemblyName).pdb" source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: Microsoft.Data.Entity.Build.Tasks.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Web.DynamicData.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: FileTracker.pdb` source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019050543.0000000004D02000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Temp\1\ilca99fdc434-123c-406d-b00d-fdf344963d45\Microsoft.Build.Utilities.v4.0.pdbJ source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: webengine.pdb) source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1029670511.0000000006DC8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: AspNetMMCExt.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019050543.0000000004D02000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Web.Entity.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Web.DynamicData.Design.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: aspnet_counters.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1039632408.0000000008687000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ComSvcConfig.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019050543.0000000004D02000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: <!-- Whether or not a .pdb file is produced. --> source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: aspnet_isapi.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1039632408.0000000008687000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: aspnet_isapi.pdb) source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1039632408.0000000008687000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: aspnet_filter.pdbN source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1039632408.0000000008687000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Runtime.Remoting.pdboo source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: clretwrc.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019050543.0000000004D02000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Web.Routing.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Temp\1\ilca204e016b-af71-45e4-a74f-7e966c67d9a6\Microsoft.Build.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: EdmGen.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019050543.0000000004D02000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: UIAutomationProvider.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1034122196.0000000007D6E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Web.DataVisualization.Design.pdbKj source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: $(IntermediateOutputPath)$(XamlTemporaryAssemblyName).pdb" /> source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Workflow.Activities.pdb: source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: aspnet_regiis.pdb!` source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1039632408.0000000008687000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Workflow.ComponentModel.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Web.Abstractions.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Input.Manipulations.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1032696211.0000000007AC2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: boxstub.pdb source: dotNetFx40_Full_x86_x64.exe
Source:	Binary string: System.Drawing.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Management.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: XamlBuildTask.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp, dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1043244256.0000000000CAE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wpfgfx_v0400.pdb9 source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1035504546.000000000833C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: Microsoft.Workflow.Compiler.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Web.Entity.Design.pdb\ source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Numerics.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Web.DataVisualization.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1039632408.0000000008687000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: EdmGen.pdb8D source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019050543.0000000004D02000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Messaging.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.WasHosting.pdbNjhj Zj_CorDllMainmscoree.dll source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: aspnet_regiis.pdbiB source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1039632408.0000000008687000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Web.Extensions.Design.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Presentation.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1032696211.0000000007AC2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: UIAutomationClient.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1034122196.0000000007D6E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: Copy references that are marked as "CopyLocal" and their dependencies, including .pdbs, .xmls and satellites. source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: TlbRef.pdb@ source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1029670511.0000000006DC8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: UIAutomationTypes.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1034122196.0000000007D6E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Workflow.Activities.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Security.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ComSvcConfig.pdb@{ source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019050543.0000000004D02000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: DataSvcUtil.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019050543.0000000004D02000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.DataVisualization.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1039632408.0000000008687000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Temp\1\ilca99fdc434-123c-406d-b00d-fdf344963d45\Microsoft.Build.Utilities.v4.0.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: aspnet_perf.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1039632408.0000000008687000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualC.STLCLR.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Web.Extensions.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: WindowsBase.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1034122196.0000000007D6E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: <!-- Record the .pdb if one was produced. --> source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.ServiceProcess.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: Microsoft.Data.Entity.Build.Tasks.pdb9 source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.Web.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.EnterpriseServices.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: WsatConfig.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Web.DataVisualization.Design.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.EnterpriseServices.Wrapper.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Web.Services.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: UIAutomationClientsideProviders.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1034122196.0000000007D6E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: <!-- Add any missing .pdb extension, as the compiler does --> source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Runtime.Serialization.Formatters.Soap.pdbx source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Workflow.Runtime.pdb;: source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.pdb* source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: @(_ReferenceRelatedPaths) - Paths to .xmls and .pdbs. source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Web.Routing.pdbZ^t^ f^_CorDllMainmscoree.dll source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: UIAutomationCore.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1034122196.0000000007D6E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: aspnet_filter.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1039632408.0000000008687000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: aspnet_compiler.pdbDp^p Pp_CorExeMainmscoree.dll source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1039632408.0000000008687000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: aspnet_counters.pdbY" source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1039632408.0000000008687000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Numerics.pdb/ source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Web.RegularExpressions.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1029670511.0000000006DC8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Data.Services.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.Activation.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: PresentationBuildTasks.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Runtime.Remoting.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Runtime.Serialization.Formatters.Soap.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ilasm.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019050543.0000000004D02000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: webengine.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1029670511.0000000006DC8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.WasHosting.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1034122196.0000000007D6E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Transactions.pdbv source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.ServiceMoniker40.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdbJ source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1034122196.0000000007D6E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: WMINet_Utils.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1034122196.0000000007D6E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Temp\1\ilcaac540338-5a68-4975-889b-93a13c396061\Microsoft.Build.Framework.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: .pdbError: CoCreateInstance(IID_ISymUnmanagedWriter) returns %X source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019050543.0000000004D02000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: <_DebugSymbolsIntermediatePath Include="@(_DebugSymbolsIntermediatePathTemporary->'%(RootDir)%(Directory)%(Filename).pdb')"/> source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wpfgfx_v0400.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1035012731.000000000817A000.00000004.00000800.00020000.00000000.sdmp, dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1035504546.000000000833C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Xaml.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1032696211.0000000007AC2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: webengine4.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1029670511.0000000006DC8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Temp\1\ilca08cb66d7-c242-441b-8811-f78f134a4521\Microsoft.Build.Engine.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: .pdb; source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Transactions.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ServiceMonikerSupport.pdbI$ source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.DataVisualization.Design.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Temp\1\ilca74e6feca-34d3-48ad-9b77-e765b9fbef06\Microsoft.Build.Tasks.v4.0.pdbZ\ source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: aspnet_compiler.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1039632408.0000000008687000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: WindowsFormsIntegration.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1034122196.0000000007D6E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: <!-- Copy the debug information file (.pdb), if any --> source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: MmcAspExt.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp, dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022336269.000000000541F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Management.pdbI source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Temp\1\ilcaac540338-5a68-4975-889b-93a13c396061\Microsoft.Build.Framework.pdb} source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: <_DebugSymbolsIntermediatePath Include="$(IntermediateOutputPath)$(TargetName).pdb" Condition="'$(_DebugSymbolsProduced)'=='true' and '@(_DebugSymbolsIntermediatePath)'==''"/> source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Web.Entity.Design.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: FileTracker.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019050543.0000000004D02000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: aspnet_regbrowsers.pdbhI~I pI_CorExeMainmscoree.dll source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1039632408.0000000008687000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: WMINet_Utils.pdbY<L> source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1034122196.0000000007D6E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Presentation.pdb'CAC 3C_CorDllMainmscoree.dll source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1032696211.0000000007AC2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Web.Mobile.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1029670511.0000000006DC8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Temp\1\ilca2a83e267-7f7d-4216-aa5c-0ca1e5bfb4f4\Microsoft.Build.Conversion.v4.0.pdb source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019477055.0000000004F8E000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	Code function: 37_2_0126AB05 push ecx; ret	37_2_0126AB18
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	Code function: 37_2_01274EE0 push ecx; ret	37_2_01274EF3
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	Code function: 38_2_0043B644 push eax; ret	38_2_0043B662
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	Code function: 38_2_0043B9F0 push eax; ret	38_2_0043BA1E

Source: dotNetFx40_Full_x86_x64.exe.33.dr	Static PE information: section name: .boxld01
Source: NDP462-DevPack-KB3151934-ENU.exe.33.dr	Static PE information: section name: .wixburn

Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe

Code function: 37_2_0125B4B3 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,

37_2_0125B4B3

Source: initial sample

Static PE information: section where entry point is pointing to: .rsrc

Source: initial sample

Static PE information: section name: .text entropy: 7.98119659578

Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\1032\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\1031\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	File created: C:\Users\user\AppData\Local\Temp\{EB03F53E-C6F6-4592-B57B-F035896D1449}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	File created: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{57bcd1d4-2de9-49d9-bc0c-3f4263e9970e}\WindowsInstaller-KB893803-v2-x86.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\SetupEngine.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\1029\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	File created: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\1028\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\1030\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	File created: C:\Users\user\AppData\Local\Temp\{EB03F53E-C6F6-4592-B57B-F035896D1449}\Disk1\ISSetupPrerequisites\{57bcd1d4-2de9-49d9-bc0c-3f4263e9970e}\WindowsInstaller-KB893803-v2-x86.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\1033\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\1036\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\1035\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\1037\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\1038\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\1040\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\2070\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	File created: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetup.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\1041\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	File created: C:\Users\user\AppData\Local\Temp\{EB03F53E-C6F6-4592-B57B-F035896D1449}\Disk1\setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	File created: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{8A102FA5-9E73-477b-8937-2ED4C06AF304}\vcredist_x64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\SetupUi.dll	Jump to dropped file
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	File created: C:\Users\user\AppData\Local\Temp\{EB03F53E-C6F6-4592-B57B-F035896D1449}\Disk1\ISSetupPrerequisites\{83960519-644A-4722-BA7A-37D23C1D004F}\vcredist_x86.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\3076\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	File created: C:\Users\user\AppData\Local\Temp\{EB03F53E-C6F6-4592-B57B-F035896D1449}\Disk1\ISSetupPrerequisites\{BD1DE5DB-9AF6-4647-9DE2-13250D1D902A}\NDP462-DevPack-KB3151934-ENU.exe	Jump to dropped file
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	File created: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\setup.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\Setup.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\SetupUtility.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\1045\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	File created: C:\Users\user\AppData\Local\Temp\{EB03F53E-C6F6-4592-B57B-F035896D1449}\Disk1\ISSetup.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\2052\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\1046\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\1044\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\1042\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\1043\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	File created: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{BD1DE5DB-9AF6-4647-9DE2-13250D1D902A}\NDP462-DevPack-KB3151934-ENU.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\3082\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\1049\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\1025\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	File created: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{83960519-644A-4722-BA7A-37D23C1D004F}\vcredist_x86.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\7za.exe	File created: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\1055\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\1053\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\sqmapi.dll	Jump to dropped file
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	File created: C:\Users\user\AppData\Local\Temp\{EB03F53E-C6F6-4592-B57B-F035896D1449}\Disk1\ISSetupPrerequisites\{8A102FA5-9E73-477b-8937-2ED4C06AF304}\vcredist_x64.exe	Jump to dropped file

Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	Code function: 33_2_00448260 lstrcpyA,lstrcpyW,lstrlenA,lstrlenA,lstrcpyA,lstrlenA,lstrlenA,lstrcmpiA,GetTickCount,wsprintfW,GetFileAttributesW,WriteFile,SetLastError,GetLastError,SetLastError,lstrlenA,GetPrivateProfileIntA,lstrcpyA,GetPrivateProfileStringA,GetSysColor,GetLastError,SetLastError,SetLastError,GetPrivateProfileSectionNamesA,lstrcpyA,lstrlenA,SetLastError,SetLastError,GetLastError,SetLastError,lstrcpyA,GetPrivateProfileStringA,GetSysColor,SetLastError,SetLastError,SetLastError,SetLastError,SetLastError,GetLastError,SetLastError,GetLastError,lstrcpyA,lstrlenA,SetLastError,lstrcmpA,GetLastError,SetLastError,SetLastError,GetLastError,SetLastError,lstrcpyA,GetPrivateProfileStringA,GetProcAddress,	33_2_00448260
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	Code function: 38_2_00448260 lstrcpyA,lstrcpyW,lstrlenA,lstrlenA,lstrcpyA,lstrlenA,lstrlenA,lstrcmpiA,GetTickCount,wsprintfW,GetFileAttributesW,WriteFile,SetLastError,GetLastError,SetLastError,lstrlenA,GetPrivateProfileIntA,lstrcpyA,GetPrivateProfileStringA,GetSysColor,GetLastError,SetLastError,SetLastError,GetPrivateProfileSectionNamesA,lstrcpyA,lstrlenA,SetLastError,SetLastError,GetLastError,SetLastError,lstrcpyA,GetPrivateProfileStringA,GetSysColor,SetLastError,SetLastError,SetLastError,SetLastError,SetLastError,GetLastError,SetLastError,GetLastError,lstrcpyA,lstrlenA,SetLastError,lstrcmpA,GetLastError,SetLastError,SetLastError,GetLastError,SetLastError,lstrcpyA,GetPrivateProfileStringA,GetProcAddress,	38_2_00448260
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	Code function: 38_2_00413D51 __EH_prolog,GetPrivateProfileIntW,	38_2_00413D51

Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\1033\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\1025\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\1028\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\1030\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\1031\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\1029\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\1036\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\1035\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\1032\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\1038\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\1037\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\1040\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\1041\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\1042\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\1044\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\1043\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\1046\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\1045\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\1055\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\1053\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\2052\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\1049\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\3082\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\2070\eula.rtf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	File created: C:\81cd3e1c31538730e132\3076\eula.rtf	Jump to behavior

Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ISSetupPrerequisistes	Jump to behavior
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ISSetupPrerequisistes	Jump to behavior
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ISSetupPrerequisistes	Jump to behavior
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ISSetupPrerequisistes	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Contains functionality to hide user accounts

Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1029670511.0000000006DC8000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: %HTTP_USER_AGENTHTTP_COOKIESyncPipesPerCPUUnderDebuggeraspnet_wp.exe%s^%d^%d^0x%08x%s0x%08x%X%s %u %u %d %u %u %u %sASP.NETPMEvent_%s_%s_%u_%u_PingASP.NETPMEvent_%s_%s_%u_%u\\.\pipe\ASP.NETPMAsyncPipe_%s_%s_%u_%u\\.\pipe\ASP.NETPMSyncPipe_%s_%s_%u_%umaxIoThreadsmaxWorkerThreadsresponseDeadlockIntervalresponseRestartDeadlockIntervalpingTimeoutpingFrequencyrestartQueueLimitasyncOptionrequestAckswebGardencpuMaskmemoryLimitrequestQueueLimitrequestLimitshutdownTimeoutidleTimeouttimeoutenableserverErrorMessageFilecomImpersonationLevelcomAuthenticationLevellogLevelpassworduserNameDebugOnDeadlockDebugOnHighMem%d%d^%d%d^%d^%dASP.NET Password from Machine.config fileASP.NET Password from Machine.config file entropyregistryautogenerateDelegateIdentifyAnonymousDefaultPktPrivacyPktIntegrityPktCallNonewarningsnoneerrorsprocessModelAutoGeneratemachineImpersonateConnectCouldn't create managed ASP.NET runtime componentUnchecked "Allow logon to terminal server".DiableLogonToTerminalServerUnchecking "Allow logon to terminal server".Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListMachineAccountsAccount used for running the ASP.Net tasksASP.Net AccountCRegAccount::EnableUserAccountEnabling account: UsersGuestsSeImpersonatePrivilegeSeInteractiveLogonRightSeDenyRemoteInteractiveLogonRightSeServiceLogonRightSeDenyInteractiveLogonRightSeBatchLogonRightSeNetworkLogonRight\\.\GrantAccessToMetabasePathGranting access to metabase path: SetSDSDGetSD__SystemSecurityGrantAccessToWmiNamespaceGrant access to WMI namespace: GetPrincipalSIDGetting Machine Account SID on DCGetAccCredentialsOnDCGetting ASPNET Account credentials on DCSYSTEMGetServiceAccCredentialsGetting credentials for the service accountGrantAccessToMetabase/LM/W3SVC/LMAutoGenKeysStoreAccountPasswordInLSAStoring ASPNET account password in LSACreateUserCreating ASPNET accountCreateGoodPasswordGenerating passwordTempSetting ACLs on config directorySetting ACLs on install root directorySetACLOnDirSetting ACLs on Temporary ASP.Net directoryGetTempDirGetting location of Temporary ASP.Net directoryRemoveAccountFromRegis21z

Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe TID: 5496	Thread sleep count: 50 > 30			Jump to behavior
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe TID: 3352	Thread sleep count: 161 > 30			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe

Evasive API call chain: GetLocalTime,DecisionNodes

graph_37-14719

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	Dropped PE file which has not been started: C:\81cd3e1c31538730e132\1032\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	Dropped PE file which has not been started: C:\81cd3e1c31538730e132\1031\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{57bcd1d4-2de9-49d9-bc0c-3f4263e9970e}\WindowsInstaller-KB893803-v2-x86.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	Dropped PE file which has not been started: C:\81cd3e1c31538730e132\SetupEngine.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	Dropped PE file which has not been started: C:\81cd3e1c31538730e132\1029\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	Dropped PE file which has not been started: C:\81cd3e1c31538730e132\1028\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	Dropped PE file which has not been started: C:\81cd3e1c31538730e132\1030\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{EB03F53E-C6F6-4592-B57B-F035896D1449}\Disk1\ISSetupPrerequisites\{57bcd1d4-2de9-49d9-bc0c-3f4263e9970e}\WindowsInstaller-KB893803-v2-x86.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	Dropped PE file which has not been started: C:\81cd3e1c31538730e132\1033\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	Dropped PE file which has not been started: C:\81cd3e1c31538730e132\1036\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	Dropped PE file which has not been started: C:\81cd3e1c31538730e132\1035\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	Dropped PE file which has not been started: C:\81cd3e1c31538730e132\1037\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	Dropped PE file which has not been started: C:\81cd3e1c31538730e132\1038\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	Dropped PE file which has not been started: C:\81cd3e1c31538730e132\1040\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	Dropped PE file which has not been started: C:\81cd3e1c31538730e132\2070\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	Dropped PE file which has not been started: C:\81cd3e1c31538730e132\1041\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	Dropped PE file which has not been started: C:\81cd3e1c31538730e132\SetupUi.dll	Jump to dropped file
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{EB03F53E-C6F6-4592-B57B-F035896D1449}\Disk1\ISSetupPrerequisites\{83960519-644A-4722-BA7A-37D23C1D004F}\vcredist_x86.exe	Jump to dropped file
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{8A102FA5-9E73-477b-8937-2ED4C06AF304}\vcredist_x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{EB03F53E-C6F6-4592-B57B-F035896D1449}\Disk1\ISSetupPrerequisites\{BD1DE5DB-9AF6-4647-9DE2-13250D1D902A}\NDP462-DevPack-KB3151934-ENU.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	Dropped PE file which has not been started: C:\81cd3e1c31538730e132\3076\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	Dropped PE file which has not been started: C:\81cd3e1c31538730e132\SetupUtility.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	Dropped PE file which has not been started: C:\81cd3e1c31538730e132\1045\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	Dropped PE file which has not been started: C:\81cd3e1c31538730e132\2052\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	Dropped PE file which has not been started: C:\81cd3e1c31538730e132\1046\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	Dropped PE file which has not been started: C:\81cd3e1c31538730e132\1044\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	Dropped PE file which has not been started: C:\81cd3e1c31538730e132\1043\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	Dropped PE file which has not been started: C:\81cd3e1c31538730e132\1042\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{BD1DE5DB-9AF6-4647-9DE2-13250D1D902A}\NDP462-DevPack-KB3151934-ENU.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	Dropped PE file which has not been started: C:\81cd3e1c31538730e132\3082\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	Dropped PE file which has not been started: C:\81cd3e1c31538730e132\1049\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	Dropped PE file which has not been started: C:\81cd3e1c31538730e132\1025\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{83960519-644A-4722-BA7A-37D23C1D004F}\vcredist_x86.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	Dropped PE file which has not been started: C:\81cd3e1c31538730e132\1055\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	Dropped PE file which has not been started: C:\81cd3e1c31538730e132\1053\SetupResources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	Dropped PE file which has not been started: C:\81cd3e1c31538730e132\sqmapi.dll	Jump to dropped file
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{EB03F53E-C6F6-4592-B57B-F035896D1449}\Disk1\ISSetupPrerequisites\{8A102FA5-9E73-477b-8937-2ED4C06AF304}\vcredist_x64.exe	Jump to dropped file

Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe

Registry key enumerated: More than 300 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_33-23358

Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe

Code function: 33_2_0042E6D0 GetModuleHandleW,GetProcAddress,GetSystemInfo,GetNativeSystemInfo,

33_2_0042E6D0

Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	Code function: 33_2_004386C5 __EH_prolog,FindFirstFileW,FindClose,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,RemoveDirectoryW,FindClose,DeleteFileW,	33_2_004386C5
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	Code function: 33_2_00417C8A __EH_prolog,FindFirstFileW,FindClose,FindClose,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrlenW,lstrcpyW,lstrcatW,SysStringLen,lstrcatW,GetFileAttributesW,lstrcatW,lstrcmpiW,lstrcpynW,lstrcmpiW,lstrcmpiW,SysStringLen,WriteFile,WriteFile,lstrcmpiW,lstrcpyW,lstrcatW,lstrcatW,DeleteFileW,lstrcpyW,FindClose,FindClose,	33_2_00417C8A
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	Code function: 37_2_012592BB GetFileAttributesW,GetLastError,SetFileAttributesW,SetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,GetLastError,DeleteFileW,GetLastError,FindNextFileW,GetLastError,FindClose,RemoveDirectoryW,GetLastError,	37_2_012592BB
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	Code function: 37_2_0125A7B1 FindFirstFileW,GetLastError,FindNextFileW,CloseHandle,FindClose,	37_2_0125A7B1
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	Code function: 38_2_004386C5 __EH_prolog,FindFirstFileW,FindClose,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,RemoveDirectoryW,FindClose,DeleteFileW,	38_2_004386C5
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	Code function: 38_2_00424BBF FindFirstFileW,GetFileAttributesW,SetFileAttributesW,DeleteFileW,FindClose,	38_2_00424BBF
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	Code function: 38_2_00417C8A __EH_prolog,FindFirstFileW,FindClose,FindClose,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrlenW,lstrcpyW,lstrcatW,#7,lstrcatW,GetFileAttributesW,lstrcatW,lstrcmpiW,lstrcpynW,lstrcmpiW,lstrcmpiW,#7,WriteFile,WriteFile,lstrcmpiW,lstrcpyW,lstrcatW,lstrcatW,DeleteFileW,lstrcpyW,FindClose,FindClose,	38_2_00417C8A

Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe

Code function: 37_2_0125774A GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLastError,GetLogicalDriveStringsW,CharUpperW,_wcschr,GetDiskFreeSpaceExW,

37_2_0125774A

Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe

Code function: 37_2_012691D5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

37_2_012691D5

Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe

Code function: 37_2_0125B4B3 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,

37_2_0125B4B3

Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe

Code function: 37_2_0125A505 HeapAlloc,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,RtlReAllocateHeap,ReadFile,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetLastError,_memmove,_memmove,GetProcessHeap,HeapFree,

37_2_0125A505

Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	Code function: 33_2_0043EA4F SetUnhandledExceptionFilter,	33_2_0043EA4F
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	Code function: 33_2_0043EA61 SetUnhandledExceptionFilter,	33_2_0043EA61
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	Code function: 37_2_012691D5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	37_2_012691D5
Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe	Code function: 37_2_0126AE73 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	37_2_0126AE73
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	Code function: 38_2_0043EA4F SetUnhandledExceptionFilter,	38_2_0043EA4F
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	Code function: 38_2_0043EA61 SetUnhandledExceptionFilter,	38_2_0043EA61

Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	Process created: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe "C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe" /q /norestart			Jump to behavior
Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe	Process created: unknown unknown			Jump to behavior

Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe

Code function: 33_2_0040E45D InitializeSecurityDescriptor,CreateWellKnownSid,CreateWellKnownSid,CreateWellKnownSid,CreateWellKnownSid,CreateWellKnownSid,CreateWellKnownSid,SetEntriesInAclW,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,SetSecurityDescriptorDacl,CoInitializeSecurity,LocalFree,LocalFree,

33_2_0040E45D

Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe

Code function: 33_2_00437600 GetCurrentThread,OpenThreadToken,GetLastError,GetLastError,GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,

33_2_00437600

Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1034122196.0000000007D6E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: _hwndProgman
Source: OSC_Gaming_7.48.exe, 00000021.00000002.1071653760.00000000101CC000.00000040.00000001.01000000.0000000C.sdmp	Binary or memory string: ?OPTYPE_PROGMAN_FIELDSWWW
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1034122196.0000000007D6E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1034122196.0000000007D6E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Progman
Source: dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1034122196.0000000007D6E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: IsProgmanWindow
Source: OSC_Gaming_7.48.exe, 00000021.00000002.1071092654.0000000010001000.00000040.00000001.01000000.0000000C.sdmp	Binary or memory string: ISGlobalOpTypesTableC:\CodeBases\isdev\src\Shared\LogServices2\LogDB.cppISLOG_VERSION_INFOOPTYPE_FILEOPTYPE_SHELLOPTYPE_REGISTRYOPTYPE_PROGMANOPTYPE_INIOPTYPE_FILEREGOPTYPE_GENERALISLOGDB_USER_PROPERTIESOPTYPE_DOTNETOPTYPE_REGISTRY64OPTYPE_FILE64

Source: C:\Windows\SysWOW64\wget.exe

Queries volume information: C:\Users\user\Desktop\download VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe

Code function: SendMessageW,GetLocaleInfoW,TranslateCharsetInfo,IsValidLocale,

38_2_00407035

Source: C:\Windows\SysWOW64\wget.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe

Code function: 33_2_00431B36 __EH_prolog,GetCurrentProcessId,InitializeCriticalSection,GetLocalTime,GetModuleFileNameW,

33_2_00431B36

Source: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe

Code function: 37_2_01258E9C GetTimeZoneInformation,GetSystemTime,SystemTimeToTzSpecificLocalTime,

37_2_01258E9C

Source: C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe

Code function: 33_2_00437791 GetVersion,

33_2_00437791

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	3 Native API	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	1 Masquerading	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	2 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	12 Process Injection	1 Virtualization/Sandbox Evasion	LSASS Memory	2 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	12 Process Injection	NTDS	11 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Hidden Users	Cached Domain Credentials	4 File and Directory Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	3 Obfuscated Files or Information	DCSync	37 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	4 Software Packing	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
https://gscs-b2c.lge.com/downloadFile?fileId=JCmfbdhuo6i4ujSC2MbC6Q	0%	Avira URL Cloud	safe

Dropped Files

Source	Detection	Scanner	Link
C:\81cd3e1c31538730e132\1025\SetupResources.dll	0%	Metadefender	Browse
C:\81cd3e1c31538730e132\1025\SetupResources.dll	0%	ReversingLabs
C:\81cd3e1c31538730e132\1028\SetupResources.dll	0%	Metadefender	Browse
C:\81cd3e1c31538730e132\1028\SetupResources.dll	0%	ReversingLabs
C:\81cd3e1c31538730e132\1029\SetupResources.dll	0%	Metadefender	Browse
C:\81cd3e1c31538730e132\1029\SetupResources.dll	0%	ReversingLabs
C:\81cd3e1c31538730e132\1030\SetupResources.dll	0%	Metadefender	Browse
C:\81cd3e1c31538730e132\1030\SetupResources.dll	0%	ReversingLabs
C:\81cd3e1c31538730e132\1031\SetupResources.dll	0%	Metadefender	Browse
C:\81cd3e1c31538730e132\1031\SetupResources.dll	0%	ReversingLabs
C:\81cd3e1c31538730e132\1032\SetupResources.dll	0%	Metadefender	Browse
C:\81cd3e1c31538730e132\1032\SetupResources.dll	0%	ReversingLabs
C:\81cd3e1c31538730e132\1033\SetupResources.dll	0%	Metadefender	Browse
C:\81cd3e1c31538730e132\1033\SetupResources.dll	0%	ReversingLabs
C:\81cd3e1c31538730e132\1035\SetupResources.dll	0%	Metadefender	Browse
C:\81cd3e1c31538730e132\1035\SetupResources.dll	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
37.3.dotNetFx40_Full_x86_x64.exe.cc2928.0.unpack	100%	Avira	TR/Patched.Ren.Gen		Download File
37.3.dotNetFx40_Full_x86_x64.exe.cec930.1.unpack	100%	Avira	TR/Patched.Ren.Gen		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://tempuri.org/	0%	URL Reputation	safe
http://tempuri.org/SampleNamespace	0%	Virustotal		Browse
http://tempuri.org/SampleNamespace	0%	Avira URL Cloud	safe
http://www.wapforum.org/DTD/xhtml-mobile10.dtd	0%	Virustotal		Browse
http://www.wapforum.org/DTD/xhtml-mobile10.dtd	0%	Avira URL Cloud	safe
https://ftp://toys::file_lite.text.rdata.debugSharedFileCountIncrementFile=%s	0%	Avira URL Cloud	safe
http://schemas.datacontract.org/2004/07/	0%	URL Reputation	safe
http://foo.com/foo	0%	Virustotal		Browse
http://foo.com/foo	0%	Avira URL Cloud	safe
http://server/application/trace.axd).	0%	Avira URL Cloud	safe
http://ws-i.org/profiles/basic/1.1	0%	Avira URL Cloud	safe
http://schemas.datacontract.org/2004/07/#If-Modified-Since	0%	Avira URL Cloud	safe
http://www.wapforum.org/dtd/wml20.dtd	0%	Avira URL Cloud	safe
http://www.ws-i.org/Profiles/BasicProfile-1.1.html	0%	Avira URL Cloud	safe
http://www.wapforum.org/DTD/wml_1.1.xml	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/wsdl/:output	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/:binding	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/soap12/:fault	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/soap/Hhttp://schemas.xmlsoap.org/soap/httpNhttp://schemas.xmlsoap.or	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/disco/	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gscs-b2c.lge.com/downloadFile?fileId=JCmfbdhuo6i4ujSC2MbC6Q	wget.exe, 00000002.00000002.742611627.0000000001196000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/http/$System.Web.Services.Description.Port/	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/envelope/G	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019050543.0000000004D02000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://asp.net/ApplicationServices/v200TU	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/:definitions	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/soap12/:binding	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/disco/:discovery	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/soap/:operation	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/SampleNamespace	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019050543.0000000004D02000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.wapforum.org/DTD/xhtml-mobile10.dtd	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1029670511.0000000006DC8000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/http	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/http/:urlReplacement	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/soap/$System.Web.Services.Description.Port	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ftp://toys::file_lite.text.rdata.debugSharedFileCountIncrementFile=%s	OSC_Gaming_7.48.exe, 00000021.00000002.1071092654.0000000010001000.00000040.00000001.01000000.0000000C.sdmp	false	Avira URL Cloud: safe	low
http://schemas.xmlsoap.org/disco/schema/:schemaRef	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/soap12/0System.Web.Services.Description.OperationBinding	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tools.ietf.org/html/rfc4287	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp	false		high
http://uri.etsi.org/01903/v1.2.2#3StreamDoesNotSupportWrite	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1034122196.0000000007D6E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.ietf.org/rfc/rfc2396.txt	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/soap/:headerfaultShttp://schemas.xmlsoap.org/wsdl/:requiredehttp://m	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp, dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019050543.0000000004D02000.00000004.00000800.00020000.00000000.sdmp, dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1032696211.0000000007AC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.datacontract.org/2004/07/	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://asp.net/ApplicationServices/v200D	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/:fault	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/http/Z	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/09/mex	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/:import	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/mime/:content	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://foo.com/foo	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://uri.etsi.org/01903/v1.2.2#SignedProperties	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1034122196.0000000007D6E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/:message	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/:input	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/disco/?	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/:part	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/soap12/	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/http/	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/soap/0System.Web.Services.Description.OperationBindingg	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/disco/soap/	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1032696211.0000000007AC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/mime/(System.Web.Services.Description.MimePart	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/:portType	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/http/$System.Web.Services.Description.Port	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/soap/$System.Web.Services.Description.PortY	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/soap12/:addressihttp://schemas.xmlsoap.org/wsdl/:required	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/disco/O	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/mime/	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/disco/scl/Bhttp://schemas.xmlsoap.org/disco/Zurn:schemas-dynamicdiscovery	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/2003-02-11.xsd	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/http/0System.Web.Services.Description.OperationBindingb	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/:service	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/envelope/	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp, dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1019050543.0000000004D02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d	OSC_Gaming_7.48.exe	false		high
http://uri.etsi.org/01903/v1.2.2#bhttp://uri.etsi.org/01903/v1.2.2#SignedProperties	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1034122196.0000000007D6E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/soap12/$System.Web.Services.Description.PortG	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://server/application/trace.axd).	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1029670511.0000000006DC8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://schemas.xmlsoap.org/wsdl/Z	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/mime/:part	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/soap/	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/http/:address	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://my.netscape.com/publish/formats/rss-0.91.dtd	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1032696211.0000000007AC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/disco/:discoveryRef	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/http/:operation	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/soap12/Khttp://schemas.xmlsoap.org/wsdl/http/Khttp://schemas.xmlsoap	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/soap/:binding	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/:documentation	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/http/:urlEncoded	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/disco/soap/:soap%:address	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ws-i.org/profiles/basic/1.1	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/http/0System.Web.Services.Description.OperationBinding	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/soap12/$System.Web.Services.Description.Port	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://saturn.installshield.com/is/prerequisites/Microsoft	OSC_Gaming_7.48.exe, 00000021.00000002.1070579167.0000000002380000.00000004.00000020.00020000.00000000.sdmp, OSC_Gaming_7.48.exe, 00000021.00000002.1070942131.00000000027FA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.datacontract.org/2004/07/#If-Modified-Since	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/mime/:multipartRelated	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.wapforum.org/dtd/wml20.dtd	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1029670511.0000000006DC8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/disco/schema/	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/disco/scl/	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/1SchemaSyntaxErrorDetails%XmlSchemaNamedItem	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/09/policy	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/soap/2003-02-11.xsd.	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/soap12/e	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/soap/:address	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding//	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/soap/:fault	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/:required	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/:types	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/disco/scl/:contractRef	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/http/:binding	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.ws-i.org/Profiles/BasicProfile-1.1.html	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://validator.w3.org/feed/docs/rss2.html	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/soap12/:operation	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1030658639.00000000070C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.rfc-editor.org/rfc/rfc5023.txt	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1022606142.0000000005508000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.wapforum.org/DTD/wml_1.1.xml	dotNetFx40_Full_x86_x64.exe, 00000025.00000003.1029670511.0000000006DC8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
8.8.8.8	unknown	United States		15169	GOOGLEUS	false
95.140.230.217	unknown	United Kingdom		22822	LLNWUS	false

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	636152
Start date and time: 30/05/202213:44:36	2022-05-30 13:44:36 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 18m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	urldownload.jbs
Sample URL:	https://gscs-b2c.lge.com/downloadFile?fileId=JCmfbdhuo6i4ujSC2MbC6Q
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	43
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal52.troj.win@13/217@0/2
EGA Information:	Successful, ratio: 66.7%
HDC Information:	Successful, ratio: 76.6% (good quality ratio 73.9%) Quality average: 73.7% Quality standard deviation: 24.6%
HCA Information:	Successful, ratio: 96% Number of executed functions: 207 Number of non-executed functions: 136
Cookbook Comments:	Adjust boot time Enable AMSI

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, consent.exe, RuntimeBroker.exe, Microsoft.Photos.exe, backgroundTaskHost.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, MusNotifyIcon.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
Execution Graph export aborted for target OSC_Gaming_7.48.exe, PID 6984 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:50:36	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce ISSetupPrerequisistes "C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe"
13:50:44	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce ISSetupPrerequisistes "C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe"
13:51:58	Autostart	Run: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce {ed7373e5-d579-4663-83e1-28d41ada77fe} "C:\ProgramData\Package Cache\{ed7373e5-d579-4663-83e1-28d41ada77fe}\NDP462-DevPack-KB3151934-ENU.exe" /burn.runonce

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\81cd3e1c31538730e132\1025\LocalizedData.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	74214
Entropy (8bit):	4.180711029644354
Encrypted:	false
SSDEEP:	384:4w1hDxsSsxGMZzhKtQOsitz0SBijTJ3ejrwddv:PhDxsnxGMdAVBijTJ3eHm
MD5:	C5BF74C96A711B3F7004CA6BDDECC491
SHA1:	4C4D42FF69455F267CE98F1DB8F2C5D76A1046DA
SHA-256:	6B67C8A77C1A637B72736595AFDF77BDB3910AA9FE48D959775806A0683FFA66
SHA-512:	2F2071BF9966BFFE64C90263F4B9BD5EFCAC4F976C4E42FBDEAA5D6A6DEE51C33F4902CF5E3D0897E1C841E9182E25C86D42E392887BC3CE3D9ED3D780D96AC9
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.i.n._.O.S._.C.o.m.p.a.t.i.b.i.l.i.t.y._.M.o.d.e.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".. . J..9.0.1. ..4.:.J.D. .'.D.%.9./.'./. .A.J. .H.6.9. .'.D..H.'.A.B... .D.E.2.J./. .E.F. .'.D.E.9.D.H.E.'.... .1.'.,.9. .&.l.t.;.A. .H.R.E.F.=.&.q.u.o.t.;.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.?.L.i.n.k.I.d.=.1.6.4.1.5.6.&.q.u.o.t.;.&.g.t.;.'.D.E.D.A. .'.D.*.E.G.J./.J.&.l.t.;./.A.&.g.t.;..."./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.U.n.i.n.s.t.a.l.l.W.a.r.n.i.n.g.).". .L.o.c.a.l.i.z.e.d.T.e.x.

C:\81cd3e1c31538730e132\1025\SetupResources.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	17240
Entropy (8bit):	5.619267132242324
Encrypted:	false
SSDEEP:	192:Ea4ZUfwxW1NX2QxqaSzWUrfncpNWLIeWkQKPnEtObMacxc8hjXHUz1TrOKA+nfW6:Nx2SX2vPzBrSNWkeWkLXci2jXHU46iQ
MD5:	35B62B395968B7754C298FBB410E9821
SHA1:	DE95297EE33466DDA2A63C8658E79F17EBBB2911
SHA-256:	4BC6711145430AC74F0D8F80A41DD89ACE79427EBAF7D3CFE479A43DB08D66E1
SHA-512:	CD34802098D57CA81446B32D2CD39B3B3FA659ED0A366167C09DAD5FF583B2266E28BA044486E343E4336A40E85D4A713E4E67EAC00B6CBFC3D4C33A1B9BD23B
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........(...............................................P............@.......................................... ...$...........,..X............................................................................................text...G...........................@..@.rsrc....0... ...&..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\81cd3e1c31538730e132\1025\eula.rtf

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	7567
Entropy (8bit):	4.307679152385702
Encrypted:	false
SSDEEP:	192:sf3yLpQxL75CD7sH08JUXthIT2M+bOx7BnT7QUm2:AyLpQxL7YsH08JUXQT2M+s7BnT7QUm2
MD5:	AF1A4F6740A8B51683DFD89D520EB729
SHA1:	6B02C8E704D2D90DE9E0B63FA389B2899C75E567
SHA-256:	E4BA6C3852C94BB2034DFFED5A0FE45150E873B98ABA95A2C3A93A71227EF605
SHA-512:	C669728CA1AF1513DB36EAEE9F15AA7B0209E2F9E85C7FAE759794D05DEEF2920712C9C6F7AAF4ED1B13BF83D310DF6E770CD6C9A49D7FE62FD5F9A11464B255
Malicious:	false
Reputation:	unknown
Preview:	{\rtf1\fbidis\ansi\ansicpg1256\deff0\deflang1033\deflangfe1033{\fonttbl{\f0\fswiss\fprq2\fcharset178 Tahoma;}{\f1\fswiss\fprq2\fcharset0 Tahoma;}{\f2\froman\fprq2\fcharset0 Times New Roman;}{\f3\froman\fprq2\fcharset178 Times New Roman;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Msftedit 5.41.21.2509;}\viewkind4\uc1\pard\rtlpar\nowidctlpar\sb120\sa120\qr\lang1025\b\f0\rtlch\fs20\'c7\'e1\'d4\'d1\'e6\'d8 \'c7\'e1\'c5\'d6\'c7\'dd\'ed\'c9 \'e1\'ca\'d1\'ce\'ed\'d5 \'c8\'d1\'e4\'c7\'e3\'cc \lang1033\f1\ltrch MICROSOFT\par..\pard\brdrb\brdrs\brdrw10\brsp20 \rtlpar\nowidctlpar\sb120\sa120\qr MICROSOFT .NET FRAMEWORK 4\lang1025\f0\rtlch \'e1\'e4\'d9\'c7\'e3 \'c7\'e1\'ca\'d4\'db\'ed\'e1 \lang1033\f1\ltrch WINDOWS\lang1025\f0\rtlch \'e3\'e4 \lang1033\f1\ltrch MICROSOFT\par..MICROSOFT .NET FRAMEWORK 4 CLIENT PROFILE\lang1025\f0\rtlch \'e1\'e4\'d9\'c7\'e3 \'c7\'e1\'ca\'d4\'db\'ed\'e1 \lang1033\f1\ltrch WINDOWS\lang1025\f0\rtlch \'e3\'e4 \lang1033\f1\ltrch MICROSOFT\f2\par..\lang3073\f

C:\81cd3e1c31538730e132\1028\LocalizedData.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	60816
Entropy (8bit):	4.3418522371704045
Encrypted:	false
SSDEEP:	384:4wCGbCWB6rFk+2jP8lxtrzh1hsPN7ODPnPgQy50sJCXnofDPiv:tbCWYFrewYTJCf
MD5:	967A6D769D849C5ED66D6F46B0B9C5A4
SHA1:	C0FF5F094928B2FA8B61E97639C42782E95CC74F
SHA-256:	0BC010947BFF6EC1CE9899623CCFDFFD702EEE6D2976F28D9E06CC98A79CF542
SHA-512:	219B13F1BEEB7D690AF9D9C7D98904494C878FBE9904F8CB7501B9BB4F48762F9D07C3440EFA0546600FF62636AC34CB4B32E270CF90CB47A9E08F9CB473030C
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.i.n._.O.S._.C.o.m.p.a.t.i.b.i.l.i.t.y._.M.o.d.e.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=."..[..z._!q.l(W.v.['`!j._.N.WL..0.Y..s.0}.......S..&.l.t.;.A. .H.R.E.F.=.&.q.u.o.t.;.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.?.L.i.n.k.I.d.=.1.6.4.1.5.6.&.q.u.o.t.;.&.g.t.;....b.jHh&.l.t.;./.A.&.g.t.;..0"./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.U.n.i.n.s.t.a.l.l.W.a.r.n.i.n.g.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=."..d..[. .M.i.c.r.o.s.o.f.t. ...N.E.T. .F.r.a.m.e.w.o.r.k. ..S...g.\..g.N.a(u.z._\PbkK.

C:\81cd3e1c31538730e132\1028\SetupResources.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	14168
Entropy (8bit):	5.9724110685335825
Encrypted:	false
SSDEEP:	192:fc2+tUfwZWPl53LmlVlSW1g+/axw0lczWpXEWUQKPnEtObMacxc8hjeyveCXzHbk:hzuwLmlCW1g+/kmzWpXEWULXci2jpv3e
MD5:	7C136B92983CEC25F85336056E45F3E8
SHA1:	0BB527E7004601E920E2AAC467518126E5352618
SHA-256:	F2E8CA58FA8D8E694D04E14404DEC4E8EA5F231D3F2E5C2F915BD7914849EB2B
SHA-512:	06DA50DDB2C5F83E6E4B4313CBDAE14EED227EEC85F94024A185C2D7F535B6A68E79337557727B2B40A39739C66D526968AAEDBCFEF04DAB09DC0426CFBEFBF4
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........................................................@......E.....@.......................................... ..X............ ..X............................................................................................text...G...........................@..@.rsrc.... ... ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\81cd3e1c31538730e132\1028\eula.rtf

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	Rich Text Format data, version 1, ANSI
Category:	dropped
Size (bytes):	6309
Entropy (8bit):	4.470827969332999
Encrypted:	false
SSDEEP:	96:/R8NRf8TTVKTu4LuTu4LrzZD41raZM4HbegdxqKZJQ1/FSMZJujgzc/MpD1JzIf2:/R4Rfm2NBZMjOfro2n6CA2
MD5:	6F2F198B6D2F11C0CBCE4541900BF75C
SHA1:	75EC16813D55AAF41D4D6E3C8D4948E548996D96
SHA-256:	D7D3CFBE65FE62DFA343827811A8071EC54F68D72695C82BEC9D9037D4B4D27A
SHA-512:	B1F5B812182C7A8BF1C1A8D0F616B44B0896F2AC455AFEE56C44522B458A8638F5C18200A8FB23B56DC1471E5AB7C66BE1BE9B794E12EC06F44BEEA4D9D03D6F
Malicious:	false
Reputation:	unknown
Preview:	{\rtf1\ansi\ansicpg950\deff0\deflang1033\deflangfe1028{\fonttbl{\f0\fswiss\fprq2\fcharset0 Tahoma;}{\f1\froman\fprq2\fcharset136 \'b7\'73\'b2\'d3\'a9\'fa\'c5\'e9;}{\f2\froman\fprq2\fcharset0 Times New Roman;}{\f3\fswiss\fprq2\fcharset0 Trebuchet MS;}}..{\colortbl ;\red0\green0\blue255;}..{\\generator Msftedit 5.41.21.2509;}{\info{\horzdoc}{\\lchars (<?[`\'7b\'a2\'47\'a2\'44?\'a1\'a5\'a1\'a7}{\*\fchars !'),.:\'3b>?]\|\'7d\'a2\'46\'a1\'50?\'a1\'56\'a1\'58\'a1\'a6\'a1\'a8\'a1\'45\'a1\'4b}}..\viewkind4\uc1\pard\nowidctlpar\sb120\sa120\b\f0\fs28 MICROSOFT \lang1028\f1\'b3\'6e\'c5\'e9\'bc\'57\'b8\'c9\'b1\'c2\'c5\'76\'b1\'f8\'b4\'da\lang1033\f2\par..\pard\brdrb\brdrs\brdrw10\brsp20 \nowidctlpar\sb120\sa120\f0\fs20 MICROSOFT WINDOWS \lang1028\f1\'a7\'40\'b7\'7e\'a8\'74\'b2\'ce\'aa\'ba\lang1033\f0 MICROSOFT .NET FRAMEWORK 4\f2\par..\f0 MICROSOFT WINDOWS \lang1028\f1\'a7\'40\'b7\'7e\'a8\'74\'b2\'ce\'aa\'ba\lang1033\f0 MICROSOFT .NET FRAMEWORK 4 \lang1028\f1\'a5\'ce\'a4\'e1\'ba\'dd\'b3\'5d\'a9

C:\81cd3e1c31538730e132\1029\LocalizedData.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	80970
Entropy (8bit):	3.7136351704498183
Encrypted:	false
SSDEEP:	384:4w9jRY/svLov/QvQovOLeyndT/jfB7eyNdT9eTiyn15byYOMbqav8qAMrZEXw/Fm:Wt/jPvoZJZ0z
MD5:	0B6ED582EB557573E959E37EBE2FCA6A
SHA1:	82C19C7EAFB28593F453341ECA225873FB011D4C
SHA-256:	8A0DA440261940ED89BAD7CD65BBC941CC56001D9AA94515E346D57B7B0838FC
SHA-512:	ABA3D19F408BD74F010EC49B31A2658E0884661D2EFDA7D999558C90A4589B500570CC80410BA1C323853CA960E7844845729FFF708E3A52EA25F597FAD90759
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.i.n._.O.S._.C.o.m.p.a.t.i.b.i.l.i.t.y._.M.o.d.e.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".I.n.s.t.a.l.a...n... .p.r.o.g.r.a.m. .n.e.l.z.e. .s.p.u.s.t.i.t. .v. .r.e.~.i.m.u. .k.o.m.p.a.t.i.b.i.l.i.t.y... .D.a.l.a... .i.n.f.o.r.m.a.c.e. .n.a.l.e.z.n.e.t.e. .v. .&.l.t.;.A. .H.R.E.F.=.&.q.u.o.t.;.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.?.L.i.n.k.I.d.=.1.6.4.1.5.6.&.q.u.o.t.;.&.g.t.;.s.o.u.b.o.r.u. .R.e.a.d.m.e.&.l.t.;./.A.&.g.t.;..."./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.U.n.i.n.s.t.a.l.l.

C:\81cd3e1c31538730e132\1029\SetupResources.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18264
Entropy (8bit):	5.308536555634371
Encrypted:	false
SSDEEP:	384:sIr67PAteQx2PoipahxPh1KuMWp1eWCLXci2jpvsH:sv6CMi2jpvsH
MD5:	62876C2FE28B1B5C434B9FAD80ABE9F9
SHA1:	BE3D479204B8E36933E0EECC250C330E69A06D02
SHA-256:	36E316718C8BBBD7B511E9074FC0EECB9ACD0A9B572F593A5A569CC93276D932
SHA-512:	FFDD2D8DB4AE62EA07178677D8C8745CF54D7EDBE1683478A2C588D5B84EF9EA970E2B1C44E3B8F18B33D189655B0C42D5747392DB97176A38FAB4CBAB3E3F10
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........,...............................................P......V.....@.......................................... ..d(...........0..X............................................................................................text...G...........................@..@.rsrc....0... ...*..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\81cd3e1c31538730e132\1029\eula.rtf

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	Rich Text Format data, version 1, ANSI
Category:	dropped
Size (bytes):	3726
Entropy (8bit):	5.271587861695615
Encrypted:	false
SSDEEP:	96:4BfgejTQpTfD/g7OyGBB2nZsEAVxfw8EMpDRI/YFkvvApzdYPBGx2:sfN7OHn2nZsEmf+Oa/c2
MD5:	B02C48825414EDCA106C92182D32BC8A
SHA1:	CF00219D69E3CFF9777BABECE1EE9D8CDC776AC9
SHA-256:	C6147000FC34894C724C09CB69FFCE75DD1263B69D063F75466D70B67B3C80DD
SHA-512:	B8AFE051701189F60789D0340FD15E81491456284305B55C4582D0153A2C8CB25F1EDD05F40B50893C7CBB80EC57FF635D764DB5F56AA2E945CF29E9C550E9BA
Malicious:	false
Reputation:	unknown
Preview:	{\rtf1\ansi\ansicpg1250\deff0\deflang1029\deflangfe1029{\fonttbl{\f0\fswiss\fprq2\fcharset238 Tahoma;}{\f1\froman\fprq2\fcharset238{\\fname Times New Roman;}Times New Roman CE;}{\f2\fswiss\fprq2\fcharset238 Trebuchet MS;}}..{\colortbl ;\red0\green0\blue255;}..{\\generator Msftedit 5.41.21.2509;}\viewkind4\uc1\pard\nowidctlpar\sb120\sa120\b\f0\fs20 DODATKOV\'c9 LICEN\'c8N\'cd PODM\'cdNKY PRO SOFTWARE SPOLE\'c8NOSTI MICROSOFT\lang1033\f1\par..\pard\brdrb\brdrs\brdrw10\brsp20 \nowidctlpar\sb120\sa120\lang1029\f0 MICROSOFT .NET FRAMEWORK 4 PRO OPERA\'c8N\'cd SYST\'c9M MICROSOFT WINDOWS\lang1033\f1\par..\lang1029\f0 MICROSOFT .NET FRAMEWORK 4 CLIENT PROFILE PRO OPERA\'c8N\'cd SYST\'c9M MICROSOFT WINDOWS\par..\pard\brdrb\brdrs\brdrw10\brsp20 A P\'d8IDRU\'8eEN\'c9 JAZYKOV\'c9 SADY\par..\pard\nowidctlpar\sb120\sa120\b0 Licenci k\~tomuto dodatku v\'e1m poskytuje spole\'e8nost Microsoft Corporation (nebo n\'eckter\'e1 z\~jej\'edch afilac\'ed v\~z\'e1vislosti na tom, kde bydl\'edte).\lang1033\b

C:\81cd3e1c31538730e132\1030\LocalizedData.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	77748
Entropy (8bit):	3.5770566057374418
Encrypted:	false
SSDEEP:	384:4wvo3sGYQTjtLCpCggWuUyl+JMcf/zmSmRLAgRQJmS+e/JAu1O2Xx+v:9o8GYQTjtLCYggWuUMe+e/J8
MD5:	69925E463A6FEDCE8C8E1B68404502FB
SHA1:	76341E490A432A636ED721F0C964FD9026773DD7
SHA-256:	5F370D2CCDD5FA316BCE095BF22670123C09DE175B7801D0A77CDB68174AC6B7
SHA-512:	5F61ABEC49E1F9CC44C26B83AA5B32C217EBEBA63ED90D25836F51F810C59F71EC7430DC5338EFBA9BE720F800204891E5AB9A5F5EC1FF51EF46C629482E5220
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.i.n._.O.S._.C.o.m.p.a.t.i.b.i.l.i.t.y._.M.o.d.e.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".I.n.s.t.a.l.l.a.t.i.o.n.s.p.r.o.g.r.a.m.m.e.t. .k.a.n. .i.k.k.e. .k...r.e. .i. .k.o.m.p.a.t.i.b.i.l.i.t.e.t.s.t.i.l.s.t.a.n.d... .D.u. .k.a.n. .f.i.n.d.e. .f.l.e.r.e. .o.p.l.y.s.n.i.n.g.e.r. .i. .&.l.t.;.A. .H.R.E.F.=.&.q.u.o.t.;.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.?.L.i.n.k.I.d.=.1.6.4.1.5.6.&.q.u.o.t.;.&.g.t.;.V.i.g.t.i.g.t.-.f.i.l.e.n.&.l.t.;./.A.&.g.t.;..."./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.

C:\81cd3e1c31538730e132\1030\SetupResources.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18264
Entropy (8bit):	5.237828095883879
Encrypted:	false
SSDEEP:	384:cNX61hALPTIOWWptfeWuLXci2jXHUgyh1J:cQweMi2jXHUgU1J
MD5:	9F0CD8981979154CC2A6393DA42731C5
SHA1:	AFFAFE8CF152C25DF75CF3E6B67B7AA8A4A80056
SHA-256:	30C86AE90DE0EE7D2A637AB7EF7AE450690A55A5EA8C007169BAB57B10F0E013
SHA-512:	036253A9B4718EC38C7784ABA6AA124E4A334170AD13546126B0D746F003A4FC571165DBDA3BC3DD1911C343326CAE22C0A3C0A82A17D7F5943D2F2057E3C060
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........,...............................................P......9a....@.......................................... ..$(...........0..X............................................................................................text...G...........................@..@.rsrc....0... ...*..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\81cd3e1c31538730e132\1030\eula.rtf

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	Rich Text Format data, version 1, ANSI
Category:	dropped
Size (bytes):	3314
Entropy (8bit):	5.229229499381171
Encrypted:	false
SSDEEP:	96:MTBfIGPzxT1B9TwDXOC1uJzGTcDC5bhPqljShnEGiBe4YOMpDIbu0L9D+Ogp+Ogj:If/Jqn1uJzGTcDC5bhSljShnEGioDOOa
MD5:	B756C9B475E1E5955D8BF1544DF556F7
SHA1:	03ACD306196D5C0CDFBEB947CE3E018C08FD08CB
SHA-256:	204021CC428C70F76DE750C0B01404E3396EE8602C8F25F44635F6F2BDBF693A
SHA-512:	88E44178770025B960BF2329901B6BEC90115B62D9F44A43FD914AEF687C2FCE7E370D9BA8CAAF9BF930553EB99580C47F8E7FDC0C32FE9A921DD368BF8E4658
Malicious:	false
Reputation:	unknown
Preview:	{\rtf1\ansi\ansicpg1252\deff0\deflang1033\deflangfe1033{\fonttbl{\f0\fswiss\fprq2\fcharset0 Tahoma;}{\f1\froman\fprq2\fcharset0 Times New Roman;}{\f2\fswiss\fprq2\fcharset0 Trebuchet MS;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Msftedit 5.41.21.2509;}\viewkind4\uc1\pard\nowidctlpar\sb120\sa120\lang1030\b\f0\fs28 TILL\'c6G TIL LICENSVILK\'c5R FOR MICROSOFT-SOFTWARE\lang1033\f1\par..\pard\brdrb\brdrs\brdrw10\brsp20 \nowidctlpar\sb120\sa120\lang1030\f0\fs22 MICROSOFT .NET FRAMEWORK 4 TIL MICROSOFT WINDOWS-OPERATIVSYSTEM\lang1033\par..\lang1030 MICROSOFT .NET FRAMEWORK 4-KLIENTPROFIL TIL MICROSOFT WINDOWS-OPERATIVSYSTEM\par..OG TILKNYTTEDE SPROGPAKKER\lang1033\f1\fs20\par..\pard\nowidctlpar\sb120\sa120\lang1030\b0\f0 Microsoft Corporation (eller, afh\'e6ngigt af hvor De bor, et af dets associerede selskaber) licenserer dette till\'e6g til Dem.\lang1033\b \lang1030\b0 Hvis De har licens til at bruge Microsoft Windows-operativsystemsoftware (som dette till\'e6g g\'e6lder for) ("

C:\81cd3e1c31538730e132\1031\LocalizedData.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	82346
Entropy (8bit):	3.5798945100215325
Encrypted:	false
SSDEEP:	1536:guayUbZwf+2CzQHsjz1VbxzPGnz6solo8xKc6JT/1Sy:JayUtwf+2CzQHshPGnz6solo8xKc6JTd
MD5:	8505219C0A8D950FF07DC699D8208309
SHA1:	7A557356C57F1FA6D689EA4C411E727438AC46DF
SHA-256:	C48986CDB7FE3401234E0A6540EB394C1201846B5BEB1F12F83DC6E14674873A
SHA-512:	7BCDAD0CB4B478068434F4EBD554474B69562DC83DF9A423B54C1701CA3B43C3B92DE09EE195A86C0D244AA5EF96C77B1A08E73F1F2918C8AC7019F8DF27B419
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.i.n._.O.S._.C.o.m.p.a.t.i.b.i.l.i.t.y._.M.o.d.e.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".D.a.s. .S.e.t.u.p. .k.a.n.n. .n.i.c.h.t. .i.m. .K.o.m.p.a.t.i.b.i.l.i.t...t.s.m.o.d.u.s. .a.u.s.g.e.f...h.r.t. .w.e.r.d.e.n... .W.e.i.t.e.r.e. .I.n.f.o.r.m.a.t.i.o.n.e.n. .f.i.n.d.e.n. .S.i.e. .i.n. .d.e.r. .&.l.t.;.A. .H.R.E.F.=.&.q.u.o.t.;.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.?.L.i.n.k.I.d.=.1.6.4.1.5.6.&.q.u.o.t.;.&.g.t.;.I.n.f.o.d.a.t.e.i.&.l.t.;./.A.&.g.t.;..."./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.

C:\81cd3e1c31538730e132\1031\SetupResources.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18776
Entropy (8bit):	5.135663555520085
Encrypted:	false
SSDEEP:	384:lQ16m3rhGrcHN/USYvYVA9WKieW8bLXci2jXHU2Ze:lEhCSVYvYVAA+Mi2jXHU2A
MD5:	7C9AE49B3A400C728A55DD1CACC8FFB2
SHA1:	DD3A370F541010AD650F4F6AA42E0CFC68A00E66
SHA-256:	402C796FEBCD78ACE8F1C5975E39193CFF77F891CFF4D32F463F9A9C83806D4A
SHA-512:	D30FE9F78A49C533BE5C00D88B8C2E66A8DFAC6D1EAE94A230CD937F0893F6D4A0EECE59C1D2C3C8126FFA9A9648EC55A94E248CD8C7F9677F45C231F84F221B
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........................................................P.......D....@.......................................... ..`+...........2..X............................................................................................text...G...........................@..@.rsrc....0... ...,..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\81cd3e1c31538730e132\1031\eula.rtf

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	Rich Text Format data, version 1, ANSI
Category:	dropped
Size (bytes):	3419
Entropy (8bit):	5.19064562442276
Encrypted:	false
SSDEEP:	96:MWBfVBITvyTqDyiRc3E5Zob0MpDmqgH4KYXsY/49Uo2:VffWX5Zm0O3Q32
MD5:	94190970FB79C7085DE2E97AE4630B07
SHA1:	272677F49985098CA0477D6A8C1E70E4BDDB646C
SHA-256:	A448FE5954EC68B7C395DA387545C1664C3F4BAADE021E6157EC142997D93CA2
SHA-512:	7A7EE485D20912FC533E83EAE0F151DC142C2F01051735D1F9B20A7146154A04C8269FC9F71AC82E57925B566E07E716CDED6DB8B11026225CEAAC209311531F
Malicious:	false
Reputation:	unknown
Preview:	{\rtf1\ansi\ansicpg1252\deff0\deflang1033\deflangfe1041{\fonttbl{\f0\fswiss\fprq2\fcharset0 Tahoma;}{\f1\froman\fprq2\fcharset0 Times New Roman;}{\f2\fswiss\fprq2\fcharset0 Trebuchet MS;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Msftedit 5.41.21.2509;}\viewkind4\uc1\pard\nowidctlpar\sb120\sa120\lang1031\b\f0\fs20 ERG\'c4NZENDE LIZENZBESTIMMUNGEN F\'dcR MICROSOFT-SOFTWARE\f1\par..\pard\brdrb\brdrs\brdrw10\brsp20 \nowidctlpar\sb120\sa120\f0 MICROSOFT .NET FRAMEWORK 4 F\'dcR MICROSOFT WINDOWS-BETRIEBSSYSTEM\f1\par..\f0 MICROSOFT .NET FRAMEWORK 4 CLIENT PROFILE F\'dcR MICROSOFT WINDOWS-BETRIEBSSYSTEM\par..UND ZUGEH\'d6RIGE LANGUAGE PACKS\f1\par..\pard\nowidctlpar\sb120\sa120\b0\f0 Microsoft Corporation (oder eine andere Microsoft-Konzerngesellschaft, wenn diese an dem Ort, an dem Sie leben, die Software lizenziert) lizenziert diese Softwareerg\'e4nzung an Sie. Wenn Sie \'fcber eine Lizenz f\'fcr Microsoft Windows-Betriebssystem-Software verf\'fcgen (f\'fcr die diese Softwareerg\

C:\81cd3e1c31538730e132\1032\LocalizedData.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	86284
Entropy (8bit):	4.3740758325121645
Encrypted:	false
SSDEEP:	384:4w+7UVysuXHXeXAehlT++sTGoheXrW4MgcyvF773/xSFVQbleaS8tOnjiJLtchH0:+3OQeHll5PunjiJr
MD5:	3BF8DA35B14FBCC564E03F6342BB71F2
SHA1:	8F9139F0BB813BF95F8C437548738D32848D8940
SHA-256:	39EFE12C689EDFEA041613B0E4D6EC78AFEC8FE38A0E4ADC656591FFEF8F415D
SHA-512:	31B050647BA4BD0C2762D77307E1ED2A324E9B152C06ED496B86EA063CDC18BF2BB1F08D2E9B4AF3429A2BC333D7891338D7535487C83495304A5F78776DBC03
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.i.n._.O.S._.C.o.m.p.a.t.i.b.i.l.i.t.y._.M.o.d.e.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=."....... ........... ............. ... ................. ....... ......................... ..... ................... ....................... ........................... ....... ......................... .......................,. ................... ....... .&.l.t.;.A. .H.R.E.F.=.&.q.u.o.t.;.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.?.L.i.n.k.I.d.=.1.6.4.1.5.6.&.q.u.o.t.;.&.g.t.;............. .r.e.a.d.m.e.&.l.t.;./.A.&.g.t.;..."./.

C:\81cd3e1c31538730e132\1032\SetupResources.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19288
Entropy (8bit):	5.607263971475317
Encrypted:	false
SSDEEP:	384:jwB6VfhGGglsETXrI7k1tcVlUHe3YRPWTBZWwLXci2jXHUQ:jlpGGKQVlhsSLMi2jXHUQ
MD5:	E663B67A66ADF9375D1D183CA5FDD23D
SHA1:	30360546A00FFF0A7C2B47F4B01C89E771F13971
SHA-256:	574FBDEDCDA1F9F34C997AC3F192CBA72A67D6534B2E9AB80A35AB3543621D58
SHA-512:	46E7FFB4889A43059665893ABF1D2B6BF3430A617023FFA91F54AF6D5062444B844D8811ED2D037E756993F733986479E93784AC25C553F70F1CF8D1B67182A3
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........0...............................................P............@.......................................... ..`-...........4..X............................................................................................text...G...........................@..@.rsrc....0... ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\81cd3e1c31538730e132\1032\eula.rtf

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	Rich Text Format data, version 1, ANSI
Category:	dropped
Size (bytes):	8876
Entropy (8bit):	4.086204739568071
Encrypted:	false
SSDEEP:	192:/foOHY6P6Km5NHMQaEjxPSuHON0SuQI62:R46Pm5Ns0jxpeuQV2
MD5:	2091F5DA2BF884F747103A31D2DC947B
SHA1:	AAD26EB74B793D7DE2F466150F609C276D398FB5
SHA-256:	B7A7F2388600D9D059DCDF300845938E429A0FF16EB03BDECE48825805069B7E
SHA-512:	AE798ACD11E9A4ADD33DA760B46200E24B9F9403BBBFAF6CB45E25193D346BDE3B91C9B79BB7E10E529DEDD824A89D23212745CF9E9E5EBB44319E9DD812C61D
Malicious:	false
Reputation:	unknown
Preview:	{\rtf1\ansi\ansicpg1252\deff0\deflang1033\deflangfe1033{\fonttbl{\f0\fswiss\fprq2\fcharset161 Tahoma;}{\f1\froman\fprq2\fcharset161{\\fname Times New Roman;}Times New Roman Greek;}{\f2\fswiss\fprq2\fcharset161 Trebuchet MS;}}..{\colortbl ;\red0\green0\blue255;}..{\\generator Msftedit 5.41.21.2509;}\viewkind4\uc1\pard\nowidctlpar\sb120\sa120\lang1032\b\f0\fs20\'d3\'d5\'cc\'d0\'cb\'c7\'d1\'d9\'cc\'c1\'d4\'c9\'ca\'cf\'c9 \'cf\'d1\'cf\'c9 \'c1\'c4\'c5\'c9\'c1\'d3 \'d7\'d1\'c7\'d3\'c7\'d3 \'cb\'cf\'c3\'c9\'d3\'cc\'c9\'ca\'cf\'d5 \'d4\'c7\'d3 MICROSOFT\lang1033\f1\par..\pard\brdrb\brdrs\brdrw10\brsp20 \nowidctlpar\sb120\sa120\lang1032\f0 MICROSOFT .NET FRAMEWORK 4 \'c3\'c9\'c1 \'cb\'c5\'c9\'d4\'cf\'d5\'d1\'c3\'c9\'ca\'cf \'d3\'d5\'d3\'d4\'c7\'cc\'c1 MICROSOFT WINDOWS\lang1033\f1\par..\lang1032\f0\'d0\'d1\'cf\'d6\'c9\'cb \'d0\'d1\'cf\'c3\'d1\'c1\'cc\'cc\'c1\'d4\'cf\'d3-\'d0\'c5\'cb\'c1\'d4\'c7 MICROSOFT .NET FRAMEWORK 4 \'c3\'c9\'c1 \'cb\'c5\'c9\'d4\'cf\'d5\'d1\'c3\'c9\'ca\'cf \'d3\'d5\'d3\

C:\81cd3e1c31538730e132\1033\LocalizedData.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	77232
Entropy (8bit):	3.5669629909438734
Encrypted:	false
SSDEEP:	384:4w6JjgKW5D8U2JhrDheHQTBNgNSdfUGNatvcc7QDBuGdSJgkR6Sqzxu:gJsKKIrDPT7lSJYI
MD5:	326518603D85ACD79A6258886FC85456
SHA1:	F1CEF14BC4671A132225D22A1385936AD9505348
SHA-256:	665797C7840B86379019E5A46227F888FA1A36A593EA41F9170EF018C337B577
SHA-512:	F8A514EFD70E81D0F2F983282D69040BCA6E42F29AA5DF554E6874922A61F112E311AD5D2B719B6CA90012F69965447FB91E8CD4103EFB2453FF160A9062E5D3
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.i.n._.O.S._.C.o.m.p.a.t.i.b.i.l.i.t.y._.M.o.d.e.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".T.h.e. .s.e.t.u.p. .c.a.n.n.o.t. .r.u.n. .i.n. .c.o.m.p.a.t.i.b.i.l.i.t.y. .m.o.d.e... .F.o.r. .m.o.r.e. .i.n.f.o.r.m.a.t.i.o.n.,. .s.e.e. .t.h.e. .&.l.t.;.A. .H.R.E.F.=.&.q.u.o.t.;.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.?.L.i.n.k.I.d.=.1.6.4.1.5.6.&.q.u.o.t.;.&.g.t.;.R.e.a.d.m.e. .f.i.l.e.&.l.t.;./.A.&.g.t.;...". ./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.U.n.i.n.s.t.a.l.l.W.a.r.n.i.n.g.).". .L.o.c.

C:\81cd3e1c31538730e132\1033\SetupResources.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	17240
Entropy (8bit):	5.151474565875158
Encrypted:	false
SSDEEP:	192:byk5nUfwTW7JwWp0eW6jp8M+9HS8bC/TJs7kFkzQKPnEtObMacxc8hjeyveCXZBe:pgoTWp0eWB9ygC/TfFkzLXci2jpv8
MD5:	9547D24AC04B4D0D1DBF84F74F54FAF7
SHA1:	71AF6001C931C3DE7C98DDC337D89AB133FE48BB
SHA-256:	36D0159ED1A7D88000737E920375868765C0A1DD6F5A5ACBB79CF7D97D9E7A34
SHA-512:	8B6048F4185A711567679E2DE4789407077CE5BFE72102D3CB1F23051B8D3E6BFD5886C801D85B4E62F467DD12DA1C79026A4BC20B17F54C693B2F24E499D40F
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........(...............................................P......<f....@.......................................... ...%...........,..X............................................................................................text...G...........................@..@.rsrc....%... ...&..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\81cd3e1c31538730e132\1033\eula.rtf

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	Rich Text Format data, version 1, ANSI
Category:	dropped
Size (bytes):	3188
Entropy (8bit):	5.285087573798006
Encrypted:	false
SSDEEP:	96:MHfTLNnTkWBTkFDZ8f4wHlre7MUxprfKmMb0+MW+1Ep9qeelN+sznM+IEp+Lk2:yfyTLillHW+mMhyAspz2
MD5:	B7129C4881F118FCB38F27CFB00CD36D
SHA1:	148989B710205C6A67B3F960567F6DAA98D75BDA
SHA-256:	DA3D6A6AC223744DF01C920EAE5F43E017F52350831C4F3F6BB38D78232EA3B4
SHA-512:	C0816D7676DDF0774EB9022BD305CDCDFEF590BE38E20C2D5584968BCA78E10A14BE375FA892593F11D04BE2734A30B5C1D21814B88C31814C713E08546436E7
Malicious:	false
Reputation:	unknown
Preview:	{\rtf1\ansi\ansicpg1252\deff0\deflang1033\deflangfe1033{\fonttbl{\f0\froman\fprq2\fcharset0 Times New Roman;}{\f1\fswiss\fprq2\fcharset0 Tahoma;}{\f2\fswiss\fprq2\fcharset0 Trebuchet MS;}}..{\colortbl ;\red0\green0\blue255;\red255\green0\blue0;\red0\green0\blue128;}..{\*\generator Msftedit 5.41.21.2508;}\viewkind4\uc1\pard\sb120\sa120\f0\fs20\par..\b\f1\fs28 MICROSOFT SOFTWARE SUPPLEMENTAL LICENSE TERMS\par..\fs22 MICROSOFT .NET FRAMEWORK 4 FOR MICROSOFT WINDOWS OPERATING SYSTEM \f0\par..\f1 MICROSOFT .NET FRAMEWORK 4 CLIENT PROFILE FOR MICROSOFT WINDOWS OPERATING SYSTEM \f0\par..\pard\brdrb\brdrs\brdrw10\brsp20 \sb120\sa120\f1 AND ASSOCIATED LANGUAGE PACKS\b0\f0\par..\pard\sb120\sa120\f1\fs20 Microsoft Corporation (or based on where you live, one of its affiliates) licenses this supplement to you. If you are licensed to use Microsoft Windows operating system software (for which this supplement is applicable) (the \ldblquote software\rdblquote ), you may use this supplement. You may

C:\81cd3e1c31538730e132\1035\LocalizedData.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	77022
Entropy (8bit):	3.5745326569682434
Encrypted:	false
SSDEEP:	1536:wT42CX8ugmmuM92kEMeeGOCOUJPePJiWGICG+JND:wT42CX8ugmmuM92kEMeeGOCOUJPePJi/
MD5:	1AA252256C895B806E4E55F3EA8D5FFB
SHA1:	0322EE94C3D5EA26418A2FEA3F7E62EC5D04B81D
SHA-256:	8A68B3B6522C30502202ECB8D16AE160856947254461AC845B39451A3F2DB35F
SHA-512:	CE57784892C0BE55A00CED0ADC594A534D8A40819790CA483A29B6CD544C7A75AE4E9BDE9B6DC6DE489CECEB7883B7C2EA0E98A38FCC96D511157D61C8AA3E63
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.i.n._.O.S._.C.o.m.p.a.t.i.b.i.l.i.t.y._.M.o.d.e.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".A.s.e.n.n.u.s.o.h.j.e.l.m.a.a. .e.i. .v.o.i. .s.u.o.r.i.t.t.a.a. .y.h.t.e.e.n.s.o.p.i.v.u.u.s.t.i.l.a.s.s.a... .L.i.s...t.i.e.t.o.j.a. .o.n. .&.l.t.;.A. .H.R.E.F.=.&.q.u.o.t.;.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.?.L.i.n.k.I.d.=.1.6.4.1.5.6.&.q.u.o.t.;.&.g.t.;.L.u.e. .m.i.n.u.t. .-.t.i.e.d.o.s.t.o.s.s.a.&.l.t.;./.A.&.g.t.;..."./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.U.n.i.n.s.t.a.l.l.W.a.r.n.i.n.

C:\81cd3e1c31538730e132\1035\SetupResources.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18264
Entropy (8bit):	5.166182954405893
Encrypted:	false
SSDEEP:	192:rJkinUfwVWVRdufl0fXA1Z1j93S0WHpdcIirs442QXWMkeWEQKPnEtObMacxc8hg:rO16Lwz51JWMkeWELXci2jpvi
MD5:	881ADF55D51976CA592033A7ADF620B8
SHA1:	E82ED85E25411610D1F977A99368A7A6547C7C47
SHA-256:	88FCE9BFC0458E375811A7F1EA7CB9777E241D373EEF15D4B23835F77979D54C
SHA-512:	FED744A6E37F18B6CC3708EEB9F3E874269B1CBDB63B54284470E39E2B01D3DFB61F3626E34638231B9034FA699BDCCD7FE623D8478B205723EF45C1AA595FF9
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........,...............................................P......(.....@.......................................... ..x)...........0..X............................................................................................text...G...........................@..@.rsrc....0... ...*..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\81cd3e1c31538730e132\1035\eula.rtf

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	Rich Text Format data, version 1, ANSI
Category:	dropped
Size (bytes):	3702
Entropy (8bit):	5.238529406475761
Encrypted:	false
SSDEEP:	96:MWBfuMAh8TZhqTy9DbDixX7zR7MrrqX37ILY7TpLgoyk1zERRe5g9KIMpDnYA06m:VfeRzH3vmLQzE6AOAC2
MD5:	4A43D21D1576E040DC9F5B90162A0401
SHA1:	1616FA39D9E4E7B2BB927CADED944DD14BD05656
SHA-256:	F0E2739892A1CE8A6445CEC72FF9AD88E939E21C719552E8ACD746F92F9FAFB7
SHA-512:	7A7C50B7EC09282A828B06C6A52340C1CAEFF0CFA01FF81375483045972D3645092B5B385103C19ACCADBE5B758DFF85A9DC6FDC00F9AF32AEE076E2C49F79BA
Malicious:	false
Reputation:	unknown
Preview:	{\rtf1\ansi\ansicpg1252\deff0\deflang1033\deflangfe1041{\fonttbl{\f0\fswiss\fprq2\fcharset0 Tahoma;}{\f1\froman\fprq2\fcharset0 Times New Roman;}{\f2\fswiss\fprq2\fcharset0 Trebuchet MS;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Msftedit 5.41.21.2509;}\viewkind4\uc1\pard\nowidctlpar\sb120\sa120\lang1035\b\f0\fs20 MICROSOFT-OHJELMISTON T\'c4YDENNYSOSAN K\'c4YTT\'d6OIKEUSSOPIMUKSEN EHDOT\lang1033\f1\par..\pard\brdrb\brdrs\brdrw10\brsp20 \nowidctlpar\sb120\sa120\lang1035\f0 MICROSOFT .NET FRAMEWORK 4 MICROSOFT WINDOWS -K\'c4YTT\'d6J\'c4RJESTELM\'c4\'c4N\lang1033\f1\par..\lang1035\f0 MICROSOFT .NET FRAMEWORK 4 CLIENT PROFILE MICROSOFT WINDOWS -K\'c4YTT\'d6J\'c4RJESTELM\'c4\'c4N\par..\lang1033 SEK\'c4 NIIHIN LIITTYV\'c4T KIELIPAKETIT\par..\pard\nowidctlpar\sb120\sa120\lang1035\b0 Microsoft Corporation (tai asiakkaan asuinpaikan mukaan m\'e4\'e4r\'e4ytyv\'e4 Microsoft Corporationin konserniyhti\'f6) my\'f6nt\'e4\'e4 asiakkaalle t\'e4m\'e4n t\'e4ydennysosan k\'e4ytt\'f6oikeudet.\la

C:\81cd3e1c31538730e132\1036\LocalizedData.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	82962
Entropy (8bit):	3.5891850903091727
Encrypted:	false
SSDEEP:	384:4wCFpNvOvt1jagJVzRzchryjiTIJz0kbG52bxVv:WvotpaluaIJzaIv
MD5:	1DAD88FAED661DB34EEF535D36563EE2
SHA1:	0525B2F97EDDBD26325FDDC561BF8A0CDA3B0497
SHA-256:	9605468D426BCBBE00165339D84804E5EB2547BFE437D640320B7BFEF0B399B6
SHA-512:	CCD0BFFBF0538152CCCD4B081C15079716A5FF9AD04CEE8679B7F721441F89EB7C6F8004CFF7E1DDE9188F5201F573000D0C078474EDF124CFA4C619E692D6BC
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.i.n._.O.S._.C.o.m.p.a.t.i.b.i.l.i.t.y._.M.o.d.e.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".L.e. .p.r.o.g.r.a.m.m.e. .d.'.i.n.s.t.a.l.l.a.t.i.o.n. .n.e. .p.e.u.t. .p.a.s. .s.'.e.x...c.u.t.e.r. .e.n. .m.o.d.e. .d.e. .c.o.m.p.a.t.i.b.i.l.i.t..... .P.o.u.r. .p.l.u.s. .d.'.i.n.f.o.r.m.a.t.i.o.n.s.,. .c.o.n.s.u.l.t.e.z. .l.e. .&.l.t.;.A. .H.R.E.F.=.&.q.u.o.t.;.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.?.L.i.n.k.I.d.=.1.6.4.1.5.6.&.q.u.o.t.;.&.g.t.;.f.i.c.h.i.e.r. .r.e.a.d.m.e.&.l.t.;./.A.&.g.t.;..."./.>..... . . . . . .<.T.

C:\81cd3e1c31538730e132\1036\SetupResources.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18776
Entropy (8bit):	5.112489568342605
Encrypted:	false
SSDEEP:	384:J7Z66AY9li3OoDDkbiWpQeWELXci2jpv8:JffiZDgycMi2jpv8
MD5:	93F57216FE49E7E2A75844EDFCCC2E09
SHA1:	DCCD52787F147E9581D303A444C8EE134AFC61A8
SHA-256:	2506827219B461B7C6C862DAE29C8BFF8CB7F4A6C28D2FF60724CAC70903987D
SHA-512:	EADFFB534C5447C24B50C7DEFA5902F9EB2DCC4CF9AF8F43FA889B3367EA25DFA6EA87FF89C59F1B7BBF7106888F05C7134718021B44337AE5B7D1F808303BB1
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........................................................P......B\|....@.......................................... ...+...........2..X............................................................................................text...G...........................@..@.rsrc....0... ...,..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\81cd3e1c31538730e132\1036\eula.rtf

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	Rich Text Format data, version 1, ANSI
Category:	dropped
Size (bytes):	3526
Entropy (8bit):	5.107243175407303
Encrypted:	false
SSDEEP:	96:MTBfEhmvTf8vTR/DSIem21HDpHD1cT+Tot4er42xzK8/ptMpDLaFNsNGlDPsCU2:IfJw95eJlx1E+Tot4er42xzKuOKPU2
MD5:	E0DA85DB8B02A89A63601EA6B9AD7FF8
SHA1:	5F91C397CF3FBF4475FF71339B2D69C45694130F
SHA-256:	8880B979A4F8ECDD529241D9AE02583FECD21010EA1E255A1CBCD0C6FB2F75E9
SHA-512:	C8F47154145507C89D9B599D725C3444A206AE2AFAC2ACA4B2EA18980DEC134A25FC539CE1FB2291AF942DC1CA25EE2FFF323FB17F43F5BF91157A30B19BCD17
Malicious:	false
Reputation:	unknown
Preview:	{\rtf1\ansi\ansicpg1252\deff0\deflang1033\deflangfe1033{\fonttbl{\f0\fswiss\fprq2\fcharset0 Tahoma;}{\f1\froman\fprq2\fcharset0 Times New Roman;}{\f2\fswiss\fprq2\fcharset0 Trebuchet MS;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Msftedit 5.41.21.2509;}\viewkind4\uc1\pard\nowidctlpar\sb120\sa120\lang1036\b\f0\fs20 TERMES DE CONTRAT DE LICENCE D\rquote UN SUPPL\'c9MENT MICROSOFT\f1\par..\pard\brdrb\brdrs\brdrw10\brsp20 \nowidctlpar\sb120\sa120\f0 MICROSOFT .NET FRAMEWORK\~4 POUR LE SYST\'c8ME D\rquote EXPLOITATION MICROSOFT WINDOWS\f1\par..\f0 MICROSOFT .NET FRAMEWORK\~4 CLIENT PROFILE POUR LE SYST\'c8ME D\rquote EXPLOITATION MICROSOFT WINDOWS\par..ET LES LANGAGE PACKS ASSOCI\'c9S\par..\pard\nowidctlpar\sb120\sa120\b0 Microsoft Corporation (ou, en fonction du lieu o\'f9 vous vivez, l\rquote un de ses affili\'e9s) vous accorde une licence pour ce suppl\'e9ment.\b \b0 Si vous \'eates titulaire d\rquote une licence d\rquote utilisation du logiciel de syst\'e8me d\rquote exploita

C:\81cd3e1c31538730e132\1037\LocalizedData.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	72076
Entropy (8bit):	4.190903034087703
Encrypted:	false
SSDEEP:	384:4wkvJlqaYsxaAzdNhXdQGKbvvGu1kZJNvSX33qLv:OHqaBxaeJN7T
MD5:	16E6416756C1829238EF1814EBF48AD6
SHA1:	C9236906317B3D806F419B7A98598DD21E27AD64
SHA-256:	C0EE256567EA26BBD646F019A1D12F3ECED20B992718976514AFA757ADF15DEA
SHA-512:	AA595ED0B3B1DB280F94B29FA0CB9DB25441A1EF54355ABF760B6B837E8CE8E035537738E666D27DD2A8D295D7517C325A5684E16304887CCB17313CA4290CE6
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.i.n._.O.S._.C.o.m.p.a.t.i.b.i.l.i.t.y._.M.o.d.e.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=."............... ............. ....... ............. ........... ......... ............... ........... ......... .........,. ....... .&.l.t.;.A. .H.R.E.F.=.&.q.u.o.t.;.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.?.L.i.n.k.I.d.=.1.6.4.1.5.6.&.q.u.o.t.;.&.g.t.;......... .R.e.a.d.m.e.&.l.t.;./.A.&.g.t.;..."./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.U.n.i.n.s.t.a.l.l.W.a.r.n.i.n.g.).". .L.o.c.a.l.i.z.e.d.T.e.x.

C:\81cd3e1c31538730e132\1037\SetupResources.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	16728
Entropy (8bit):	5.741920618836553
Encrypted:	false
SSDEEP:	192:KADkdHUfwVW13jowXiTeISvjpHawC1wWmeW8QKPnEtObMacxc8hjeyveCX1HQ:K506Qrw5wWmeW8LXci2jpvfw
MD5:	06CC83E6C677DB13757DF4242F5679F7
SHA1:	493D44DA1C36A5CEC83B0420BEBC2BF76A9262E8
SHA-256:	8E3C9332AB38DAD95A4293C466EAB88B17DEE82C87BE047839E85BB816B6146E
SHA-512:	D4E1694AFE2A35A7A2DB3C8B2A4F83A536DE0AFC5871AE44591317B5B6489B3911F7AEDE8AD9584DCB0BAA8D84B65A20393D587D6F993035FA7DFE13AEAF10CF
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........&...............................................P............@.......................................... ..."...........*..X............................................................................................text...G...........................@..@.rsrc....0... ...$..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\81cd3e1c31538730e132\1037\eula.rtf

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	6851
Entropy (8bit):	4.46966326918659
Encrypted:	false
SSDEEP:	96:2Rf64JJR1vTJ3R1vTJZZDg1YGZmF1plypIuw75TYgnMJ9nqIQ2fPMpicPtxScRtZ:0fXRskPWIHxYnJVPOxScl9ZnlfZ4LH2
MD5:	74C015D4E8024F9A49CF8D183CBDB0F5
SHA1:	8428260A9E522A712EFC8740AF848BD7521DEB8E
SHA-256:	D7718CF8F97F78656AA8964721757EA7E369FC7BBB052777C90E63D07C7CC7C5
SHA-512:	BB8748054F194450BC0383D4E88600F00E01BA8FD182C3C3A5A09CFBB0C2FBC30B9CECBAD0B99DDA1EEFA5C3EB56AD50CCACF3FE39302842F16A17082F5F8D04
Malicious:	false
Reputation:	unknown
Preview:	{\rtf1\fbidis\ansi\ansicpg1255\deff0\deflang1033\deflangfe1033{\fonttbl{\f0\fswiss\fprq2\fcharset177 Tahoma;}{\f1\fswiss\fprq2\fcharset0 Tahoma;}{\f2\froman\fprq2\fcharset0 Times New Roman;}{\f3\froman\fprq2\fcharset177 Times New Roman;}}..{\colortbl ;\red0\green0\blue0;\red0\green0\blue255;}..{\*\generator Msftedit 5.41.21.2509;}\viewkind4\uc1\pard\rtlpar\nowidctlpar\sb120\sa120\qr\lang1037\b\f0\rtlch\fs20\'fa\'f0\'e0\'e9 \'f8\'f9\'e9\'e5\'ef \'ee\'f9\'ec\'e9\'ee\'e9\'ed \'f2\'e1\'e5\'f8 \'fa\'e5\'eb\'f0\'fa \lang1033\f1\ltrch MICROSOFT\f2\par..\pard\brdrb\brdrs\brdrw10\brsp20 \rtlpar\nowidctlpar\sb120\sa120\qr\f1 MICROSOFT .NET FRAMEWORK 4\lang1037\f0\rtlch \'f2\'e1\'e5\'f8 \'ee\'f2\'f8\'eb\'fa \'e4\'e4\'f4\'f2\'ec\'e4 \lang1033\f1\ltrch MICROSOFT WINDOWS\par..\lang1037\f0\rtlch\'f4\'f8\'e5\'f4\'e9\'ec \'ec\'f7\'e5\'e7 \'f9\'ec \lang1033\f1\ltrch MICROSOFT .NET FRAMEWORK 4\lang1037\f0\rtlch \'f2\'e1\'e5\'f8 \'ee\'f2\'f8\'eb\'fa \'e4\'e4\'f4\'f2\'ec\'e4 \lang1033\f1\ltrch MICROSOFT

C:\81cd3e1c31538730e132\1038\LocalizedData.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	86442
Entropy (8bit):	3.674300926924721
Encrypted:	false
SSDEEP:	1536:Ji+5JLuNF70SNjPBzuXrXdJHbdi3kC4kL1:Ji+5JLyF70SNjPBzuXrXdJHbdi3kCZZ
MD5:	89D4356E0F226E75CA71D48690E8EC15
SHA1:	2336CAA971527977F47512BC74E88CEC3F770C7D
SHA-256:	FCBB619DEB2D57B791A78954B0342DBB2FEF7DDD711066A0786C8EF669D2B385
SHA-512:	FA03D55A4AAFE94CBF5C134A65BD809FC86C042BC1B8FFBC9A2A5412EB70A468551C05C44B6CE81F638DF43CCA599AA1DD6F42F2DF3012C8A95A3612DF7C821E
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.i.n._.O.S._.C.o.m.p.a.t.i.b.i.l.i.t.y._.M.o.d.e.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".A. .t.e.l.e.p...t.Q. .n.e.m. .f.u.t.t.a.t.h.a.t... .k.o.m.p.a.t.i.b.i.l.i.s. ...z.e.m.m...d.b.a.n... .T.o.v...b.b.i. .i.n.f.o.r.m...c.i... .a. .&.l.t.;.A. .H.R.E.F.=.&.q.u.o.t.;.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.?.L.i.n.k.I.d.=.1.6.4.1.5.6.&.q.u.o.t.;.&.g.t.;.F.o.n.t.o.s. .f...j.l.b.a.n.&.l.t.;./.A.&.g.t.;. .o.l.v.a.s.h.a.t....."./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.U.n.i.n.s.t.a.l.l.W.a.r.

C:\81cd3e1c31538730e132\1038\SetupResources.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18776
Entropy (8bit):	5.210200964255437
Encrypted:	false
SSDEEP:	384:mTW68sRjOP2w99bfc/ta4V3mfCHpeEVn3i0MC4wWqyWpLXci2jpv5nNY:m+Aj0R99bfKtHVWfCJeEVn3i0MC44pMQ
MD5:	C1BF3D63576D619B24837B72986DFAD4
SHA1:	7392C7B478090831EB2E213BF1224E4F16FDD4D8
SHA-256:	0995DD70D260673F954DE54FDBA53D55218C536034BE6342E135C7D514073869
SHA-512:	597F327DF59B0F0CF39FC8753154E55CA8053F489F3FAA5A59C3E7F2115148FE4B49313A94C7CE802AF4B9A1D3FDDF92D3EDC60246E68B17F4CA57CFA3B33397
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........................................................P.......(....@.......................................... ..4+...........2..X............................................................................................text...G...........................@..@.rsrc....0... ...,..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\81cd3e1c31538730e132\1038\eula.rtf

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	4254
Entropy (8bit):	5.3269919672171735
Encrypted:	false
SSDEEP:	96:k8BfeEfTtXeTjXyZD+dtQRzrGJ6JwtxYMpDNeb6CZXKEp5/Eupwy9Ep+LM2:kgffCXPdOzSJ6JwkOBjC0V2
MD5:	58E6E6D6258994D6A08C6101F11F302D
SHA1:	DF2DB9DA70204CBB539D17DF860A6C45613EF086
SHA-256:	70546BABD12AFAF9FFCC437712DF5491DDF9A6AF8AB4F319FC0EA23AFB186726
SHA-512:	A4A992E2E44C8594E22849C3ED9019C32CF4085E90CC45F0E45A210E68A574A47BF1A06FA405B1F725E1A4DEFBD27E46FE52F3E7A829C8288EC0208BEAC3238B
Malicious:	false
Reputation:	unknown
Preview:	{\rtf1\fbidis\ansi\ansicpg1250\deff0\deflang1038\deflangfe1038{\fonttbl{\f0\fswiss\fprq2\fcharset238 Tahoma;}{\f1\froman\fprq2\fcharset238{\\fname Times New Roman;}Times New Roman CE;}{\f2\fswiss\fprq2\fcharset238 Trebuchet MS;}}..{\colortbl ;\red0\green0\blue255;}..{\\generator Msftedit 5.41.21.2509;}\viewkind4\uc1\pard\ltrpar\nowidctlpar\sb120\sa120\b\f0\fs20 KIEG\'c9SZ\'cdT\'d5 LICENCFELT\'c9TELEK MICROSOFT SZOFTVERHEZ\f1\par..\pard\brdrb\brdrs\brdrw10\brsp20 \ltrpar\nowidctlpar\sb120\sa120\f0 MICROSOFT .NET-KERETRENDSZER 4 MICROSOFT WINDOWS OPER\'c1CI\'d3S RENDSZERHEZ\f1\par..\f0 MICROSOFT .NET-KERETRENDSZER 4 \'dcGYF\'c9LPROFIL MICROSOFT WINDOWS OPER\'c1CI\'d3S RENDSZERHEZ\par..\'c9S A KAPCSOL\'d3D\'d3 NYELVI CSOMAGOK\f1\par..\pard\ltrpar\nowidctlpar\sb120\sa120\b0\f0 Ezen kieg\'e9sz\'edt\'e9s licenc\'e9t a Microsoft Corporation (vagy az \'d6n lakhelye alapj\'e1n egy t\'e1rsv\'e1llalata) ny\'fajtja \'d6nnek.\b \b0\'d6n akkor haszn\'e1lhatja ezt a kieg\'e9sz\'edt\'e9st, ha rende

C:\81cd3e1c31538730e132\1040\LocalizedData.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	80060
Entropy (8bit):	3.556654700353072
Encrypted:	false
SSDEEP:	384:4wFACg1fPK/YBZ3tMa9eIzNZNs4fzWmJVo5HnscuRv:/ACgNKjaVLJi2
MD5:	EDA1EC689D45C7FAA97DA4171B1B7493
SHA1:	807FE12689C232EBD8364F48744C82CA278EA9E6
SHA-256:	80FAA30A7592E8278533D3380DCB212E748C190AAEEF62136897E09671059B36
SHA-512:	8385A5DE4EB6B38169DD1EB03926BC6D4604545801F13D99CEE3ACEDE3D34EC9F9D96B828A23AE6246809DC666E67F77A163979679956297533DA40F9365BF2C
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.i.n._.O.S._.C.o.m.p.a.t.i.b.i.l.i.t.y._.M.o.d.e.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".I.m.p.o.s.s.i.b.i.l.e. .e.s.e.g.u.i.r.e. .i.l. .p.r.o.g.r.a.m.m.a. .d.i. .i.n.s.t.a.l.l.a.z.i.o.n.e. .i.n. .m.o.d.a.l.i.t... .d.i. .c.o.m.p.a.t.i.b.i.l.i.t..... .P.e.r. .u.l.t.e.r.i.o.r.i. .i.n.f.o.r.m.a.z.i.o.n.i.,. .v.e.d.e.r.e. .i.l. .&.l.t.;.A. .H.R.E.F.=.&.q.u.o.t.;.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.?.L.i.n.k.I.d.=.1.6.4.1.5.6.&.q.u.o.t.;.&.g.t.;.f.i.l.e. .R.e.a.d.m.e.&.l.t.;./.A.&.g.t.;..."./.>..... . . . . . .<.T.

C:\81cd3e1c31538730e132\1040\SetupResources.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18264
Entropy (8bit):	5.142702232041524
Encrypted:	false
SSDEEP:	384:77n6Tg7AtONBKHno5hWXeWFLXci2jpvz2:7XAbs+ZMi2jpvz2
MD5:	E4860FC5D4C114D5C0781714F3BF041A
SHA1:	864CE88E8AB1DB9AFF6935F9231521B6B72D5974
SHA-256:	6B2D479D2D2B238EC1BA9D14F9A68DC552BC05DCBCC9007C7BB8BE66DEFC643B
SHA-512:	39B0A97C4E83D5CCA1CCCCE494831ADBC18DF1530C02E6A2C13DAE66150F66A7C987A26CECB5587EA71DD530C8BE1E46922FE8C65AE94145D90B0A057C06548D
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........,...............................................P......^.....@.......................................... ...)...........0..X............................................................................................text...G...........................@..@.rsrc....0... ...*..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\81cd3e1c31538730e132\1040\eula.rtf

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	3643
Entropy (8bit):	5.117983582325958
Encrypted:	false
SSDEEP:	96:rwBfYOP/TfVTJDwXtxjCJEZ+jw/Njppm/F/ZaFgcT/okOct2:yfYXRzMjsA9/EFxDt2
MD5:	6C9C19BFED724146512493F05CBA4F0F
SHA1:	DE249075AAC70D4661ED559FD64DE9F33DE43DB5
SHA-256:	C405AB9949C10619742AF1AF153521FFD85C16821324C16233B025F982A98CAD
SHA-512:	709A522477121EE32152DBE7F90EE4B597621761854B55A791C07C9521FFB899A21C0B84351A68AC3A583B43A91AC5164EF34259D153D21B47C404B4313893B3
Malicious:	false
Reputation:	unknown
Preview:	{\rtf1\fbidis\ansi\ansicpg1252\deff0\deflang1040\deflangfe1041{\fonttbl{\f0\fswiss\fprq2\fcharset0 Tahoma;}{\f1\froman\fprq2\fcharset0 Times New Roman;}{\f2\fswiss\fprq2\fcharset0 Trebuchet MS;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Msftedit 5.41.21.2509;}\viewkind4\uc1\pard\ltrpar\nowidctlpar\sb120\sa120\b\f0\fs20 CONDIZIONI DI LICENZA SOFTWARE MICROSOFT SUPPLEMENTARI\f1\par..\pard\brdrb\brdrs\brdrw10\brsp20 \ltrpar\nowidctlpar\sb120\sa120\f0 MICROSOFT .NET FRAMEWORK 4 PER IL SISTEMA OPERATIVO MICROSOFT WINDOWS\f1\par..\f0 MICROSOFT .NET FRAMEWORK 4 CLIENT PROFILE PER IL SISTEMA OPERATIVO MICROSOFT WINDOWS\par..E RELATIVI LANGUAGE PACK \f1\par..\pard\ltrpar\nowidctlpar\sb120\sa120\b0\f0 Microsoft Corporation (o, in base al luogo di residenza del licenziatario, una delle sue consociate) concede in licenza al licenziatario il presente supplemento.\b \b0 Qualora il licenziatario sia autorizzato a utilizzare il software per il sistema operativo Microsoft Windows (per il qua

C:\81cd3e1c31538730e132\1041\LocalizedData.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	68226
Entropy (8bit):	4.416259780276574
Encrypted:	false
SSDEEP:	384:4wVzQOXe7GoXHoMIpYnxKJMlvWy0aO8rRnfJGnav:3QOu7GlCnkJMlvWy0aO8rRnfJ5
MD5:	64FFA6FF8866A15AFF326F11A892BEAD
SHA1:	378201477564507A481BA06EA1BC0620B6254900
SHA-256:	7570390094C0A199F37B8F83758D09DD2CECD147132C724A810F9330499E0CBF
SHA-512:	EA5856617B82D13C9A312CB4F10673DBC4B42D9AC5703AD871E8BDFCC6549E262E61288737AB8EBCF77219D24C0822E7DACF043D1F2D94A97C9B7EC0A5917EF2
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.i.n._.O.S._.C.o.m.p.a.t.i.b.i.l.i.t.y._.M.o.d.e.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=."..0.0.0.0.0.0o0.N.c.0.0.0g0.[L.g0M0~0[0.0.0s.0}k0d0D0f0o0.0&.l.t.;.A. .H.R.E.F.=.&.q.u.o.t.;.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.?.L.i.n.k.I.d.=.1.6.4.1.5.6.&.q.u.o.t.;.&.g.t.;..0.0.0.0 ..0.0.0&.l.t.;./.A.&.g.t.;..0.SgqW0f0O0`0U0D0.0"./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.U.n.i.n.s.t.a.l.l.W.a.r.n.i.n.g.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".M.i.c.r.o.s.o.f.t. ...N.E.T. .F.r.a.m.e.w.o.r.k. ..0.0.0

C:\81cd3e1c31538730e132\1041\SetupResources.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	15704
Entropy (8bit):	5.929554826924656
Encrypted:	false
SSDEEP:	192:Cg0rjUfwtW1+/FuZhS5CSJk/lhAW5kEW1QKPnEtObMacxc8hjeyveCXPX:5hC7mS53JkNSW5kEW1LXci2jpvJ
MD5:	278FD7595B580A016705D00BE363612F
SHA1:	89A299A9ABECB624C3606267371B7C07B74B3B26
SHA-256:	B3ECD3AEA74D0D97539C4971C69F87C4B5FE478FC42A4A31F7E1593D1EBA073F
SHA-512:	838D23D35D8D042A208E8FA88487CD1C72DA48F336157D03B9549DD55C75DA60A83F6DD2B3107EB3E5A24F3FAD70AE1629ACC563371711117C3C3E299B59D838
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!........."...............................................@............@.......................................... ..h............&..X............................................................................................text...G...........................@..@.rsrc.... ... ... ..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\81cd3e1c31538730e132\1041\eula.rtf

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	10125
Entropy (8bit):	4.144479793761895
Encrypted:	false
SSDEEP:	192:tEf13/qC2+PCsANROmuuU8EhZFJEj2VQoKOwyWAOxzpOh+uqaJgt2:tBtQoCnGDzhuqz2
MD5:	75CE7D721BDB78F1020ACF2B206B1859
SHA1:	CC0418DE8806811D21B19005BC5DB0092767F340
SHA-256:	2ABDC7246E95E420B4E66CC3C07ACDB56FF390BCD524E0D8525D5BF345030A5A
SHA-512:	FAFAC863DC825FC0B104751FE62CDA2C43048683F9D7E45659784206EA67F1AA98EA282AFC2A3A4BA287D03F73B21EC1E2F8C02F5D036CE96CAEFD851A5389E5
Malicious:	false
Reputation:	unknown
Preview:	{\rtf1\fbidis\ansi\ansicpg932\deff0\deflang1033\deflangfe1041{\fonttbl{\f0\fmodern\fprq2\fcharset128 \'82\'6c\'82\'72 \'82\'6f\'83\'53\'83\'56\'83\'62\'83\'4e;}{\f1\fswiss\fprq2\fcharset0 Tahoma;}{\f2\froman\fprq2\fcharset0 Times New Roman;}{\f3\fswiss\fprq2\fcharset0 Trebuchet MS;}}..{\colortbl ;\red0\green0\blue255;}..{\\generator Msftedit 5.41.21.2509;}{\info{\horzdoc}{\\lchars $(<?[\'5c\'7b\'81\'92\'5c\'81\'e1\'81\'65\'81\'67}{\*\fchars !%'),.:\'3b>?]\'7d\'81\'91\'81\'8b\'81\'45\'81\'e2\'81\'66\'81\'68\'81\'f1}}..\viewkind4\uc1\pard\ltrpar\nowidctlpar\sb120\sa120\lang1041\b\f0\fs20\'83\'7d\'83\'43\'83\'4e\'83\'8d\'83\'5c\'83\'74\'83\'67\lang1033\f1 \lang1041\f0\'83\'5c\'83\'74\'83\'67\'83\'45\'83\'46\'83\'41\'92\'c7\'89\'c1\'83\'89\'83\'43\'83\'5a\'83\'93\'83\'58\'8f\'f0\'8d\'80\lang1033\f2\par..\pard\brdrb\brdrs\brdrw10\brsp20 \ltrpar\nowidctlpar\sb120\sa120\f1 MICROSOFT WINDOWS \lang1041\f0\'83\'49\'83\'79\'83\'8c\'81\'5b\'83\'65\'83\'42\'83\'93\'83\'4f\lang1033\f1 \lang1041\

C:\81cd3e1c31538730e132\1042\LocalizedData.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	65238
Entropy (8bit):	4.384411743704147
Encrypted:	false
SSDEEP:	384:4wsx1QzSzXLGKgooDQA0pb5ywW4JSUQvEQzH/dv:egtqpb5yw5Jg
MD5:	78C16DA54542C9ED8FA32FED3EFAF10D
SHA1:	AD8CFE972C8A418C54230D886E549E00C7E16C40
SHA-256:	E3E3A2288FF840AB0E7C5E8F7B4CFB1F26E597FB17CFC581B7728116BD739ED1
SHA-512:	D9D7BB82A1D752A424BF81BE3D86ABEA484ACBB63D35C90A8EE628E14CF34A7E8A02F37D2EA82AA2CE2C9AA4E8416A7A6232C632B7655F2033C4AAAB208C60BF
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.i.n._.O.S._.C.o.m.p.a.t.i.b.i.l.i.t.y._.M.o.d.e.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".8.X. .......... .$.X. ...\.....D. ....`. ... ........ ...8.\. .....@. .&.l.t.;.A. .H.R.E.F.=.&.q.u.o.t.;.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.?.L.i.n.k.I.d.=.1.6.4.1.5.6.&.q.u.o.t.;.&.g.t.;..... ..... ...\|.&.l.t.;./.A.&.g.t.;.D. .8.p.X.....$..."./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.U.n.i.n.s.t.a.l.l.W.a.r.n.i.n.g.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".M.i.c.r.o.s.o.f.t. ...N.E.T. .F.r.a.m.e.

C:\81cd3e1c31538730e132\1042\SetupResources.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	15192
Entropy (8bit):	5.9622226182057325
Encrypted:	false
SSDEEP:	192:Hpix6f+jYxzekdPKNS0N7gVCAMWpCeWRQKPnEtObMacxc8hjeyveCXmo+:3ibMj0lgRMWpCeWRLXci2jpv8o+
MD5:	FCFD69EC15A6897A940B0435439BF5FC
SHA1:	6DE41CABDB45294819FC003560F9A2D1E3DB9A7B
SHA-256:	90F377815E3C81FC9AE5F5B277257B82811417CA3FFEACD73BAB530061B3BE45
SHA-512:	4DC3580B372CEE1F4C01569BAEA8CD0A92BC613648DB22FF1855920E47387A151964B295A1126597B44BB0C596E8757B1FCF47CDA010F9BBB15A88F97F41B8BF
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!......... ...............................................@......v.....@.......................................... ...............$..X............................................................................................text...G...........................@..@.rsrc.... ... ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\81cd3e1c31538730e132\1042\eula.rtf

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	12687
Entropy (8bit):	4.39170120937692
Encrypted:	false
SSDEEP:	192:MUf0PVF4MjeKojIfE6wK+b/mIr4tIAcAIce5rD6O1IuonKZim+dfNAW6qUK84Zn+:aK0wB/Tr4TmckIuCm+TAWdUN/re2
MD5:	A3B318528E286EC387E81934E5D3B081
SHA1:	CEDCC08D008E21C0E88EEF8354DAB8CFF2EF51AD
SHA-256:	2954EDB51628942A37A9BF58DA628932638C35ED61744892E42623FE4CCD06A0
SHA-512:	3544D9BE654C859CDE2B9CD8614C5ABED89E488DFEE2F51AB92A509873DC504942E375388D12379DE9D29DEEDE662667F8CC4BC6D2DCD50C5AC865CE6C44352D
Malicious:	false
Reputation:	unknown
Preview:	{\rtf1\fbidis\ansi\ansicpg949\deff0\deflang1033\deflangfe1042{\fonttbl{\f0\fswiss\fprq2\fcharset0 Arial;}{\f1\froman\fprq2\fcharset129 \'b9\'d9\'c5\'c1;}}..{\colortbl ;\red0\green0\blue255;}..{\\generator Msftedit 5.41.21.2509;}{\info{\horzdoc}{\\lchars $(<?[\'5c\'7b\'a1\'cc\'a1\'cd\'a1\'ec\'a1\'ae\'a1\'b0}{\*\fchars !%'),.:\'3b>?]\'7d\'a1\'cb\'a1\'c6\'a1\'ed\'a1\'af\'a1\'b1}}..\viewkind4\uc1\pard\ltrpar\nowidctlpar\sb120\sa120\b\f0\fs28 MICROSOFT \lang1042\f1\'bc\'d2\'c7\'c1\'c6\'ae\'bf\'fe\'be\'ee\lang1033\f0 \lang1042\f1\'c3\'df\'b0\'a1\lang1033\f0 \lang1042\f1\'bb\'e7\'bf\'eb\'b1\'c7\lang1033\f0 \lang1042\f1\'b0\'e8\'be\'e0\'bc\'ad\lang1033\f0\par..\pard\brdrb\brdrs\brdrw10\brsp20 \ltrpar\nowidctlpar\sb120\sa120\fs20 MICROSOFT WINDOWS \lang1042\f1\'bf\'ee\'bf\'b5\lang1033\f0 \lang1042\f1\'c3\'bc\'c1\'a6\'bf\'eb\lang1033\f0 MICROSOFT .NET FRAMEWORK 4\par..MICROSOFT WINDOWS \lang1042\f1\'bf\'ee\'bf\'b5\lang1033\f0 \lang1042\f1\'c3\'bc\'c1\'a6\'bf\'eb\lang1033\f0 MICROSOFT .N

C:\81cd3e1c31538730e132\1043\LocalizedData.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	79634
Entropy (8bit):	3.5656146816718155
Encrypted:	false
SSDEEP:	384:4wCsfDNzgDbRiRVqxdYRF405vYtyVB1HaAzTGZUeJvuQFKhlQ5gwJBKQauJf1tSY:jbZKbRyVqb82IB+GlQ5gwJBzauJzkA
MD5:	6506B4E64EBF6121997FA227E762589F
SHA1:	71BC1478C012D9EC57FC56A5266DD325B7801221
SHA-256:	415112AE783A87427C2FADD7B010ADE4F1A7C23B27E4B714B7B507C16B572A1C
SHA-512:	39024EA9D42352F7C1BD6FEFE0574054ECEB4059F773CFAEB26C42FAADA2540AE95FB34718D30CCB6DA157D2597F80D12A024461FBD0E8D510431BA6FFA81EC2
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.i.n._.O.S._.C.o.m.p.a.t.i.b.i.l.i.t.y._.M.o.d.e.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".S.e.t.u.p. .k.a.n. .n.i.e.t. .w.o.r.d.e.n. .u.i.t.g.e.v.o.e.r.d. .i.n. .d.e. .c.o.m.p.a.t.i.b.i.l.i.t.e.i.t.s.m.o.d.u.s... .R.a.a.d.p.l.e.e.g. .h.e.t. .&.l.t.;.A. .H.R.E.F.=.&.q.u.o.t.;.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.?.L.i.n.k.I.d.=.1.6.4.1.5.6.&.q.u.o.t.;.&.g.t.;.L.e.e.s.m.i.j.-.b.e.s.t.a.n.d.&.l.t.;./.A.&.g.t.;. .v.o.o.r. .m.e.e.r. .i.n.f.o.r.m.a.t.i.e..."./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.

C:\81cd3e1c31538730e132\1043\SetupResources.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19288
Entropy (8bit):	5.101791972320269
Encrypted:	false
SSDEEP:	384:3124Y0WDDkowwX8OZjv1t2WlLeWvLXci2jpvc:lYZhzMi2jpvc
MD5:	76D6E9F15D842E6A56EE42C9C5CCABCA
SHA1:	36E6FA7C032F69DEA2C34B5934AC556AAE738CBB
SHA-256:	A961DE62DA74B05EAF593BB78A4A5A4C5586FE2D0D4A45D99675D03E7F01D7C5
SHA-512:	F9E04AA073EBF98BDD13F6A0A9214DDA42CD5FDFEC24873CF171B77D31408CA6698BF0C9D931A93BDD7A54FE55A9E6394F2C8050C7E847455E4A36585E36D6EB
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........0...............................................P......ky....@.......................................... ...,...........4..X............................................................................................text...G...........................@..@.rsrc....0... ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\81cd3e1c31538730e132\1043\eula.rtf

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	3546
Entropy (8bit):	5.203062637938479
Encrypted:	false
SSDEEP:	96:rTBfrnjTsVT08DfQhtJlIcm3wEM8LPMpDlGu3x+O0H+Ozo+SBT+OZt6S2:ZfLltGwEMAPOkukO0eONNOT2
MD5:	305AE79EC7D0E8D1F826D70D7D469BB4
SHA1:	BBE8FFD83FCA6C013A20CDEE6EA0AFFD988C4815
SHA-256:	69537AEF05EDFB55EC32897B3DD59724A825FDDECCD92BDD5E8840CB92B1B383
SHA-512:	A7368CEC366E8F717F3FD51FA71133A02C5E7B44D095B849320E15F8D95DC1A58AB977FA9A4C1633FCD1AD82D929FF8FB2271C816BE8B2B8892D7389E3E3EACD
Malicious:	false
Reputation:	unknown
Preview:	{\rtf1\fbidis\ansi\ansicpg1252\deff0\deflang1033\deflangfe1033{\fonttbl{\f0\fswiss\fprq2\fcharset0 Tahoma;}{\f1\froman\fprq2\fcharset0 Times New Roman;}{\f2\fswiss\fprq2\fcharset0 Trebuchet MS;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Msftedit 5.41.21.2509;}\viewkind4\uc1\pard\ltrpar\nowidctlpar\sb120\sa120\lang1043\b\f0\fs20 AANVULLENDE LICENTIEVOORWAARDEN VOOR MICROSOFT-SOFTWARE\lang1033\f1\par..\pard\brdrb\brdrs\brdrw10\brsp20 \ltrpar\nowidctlpar\sb120\sa120\lang1043\f0 MICROSOFT .NET FRAMEWORK 4 VOOR HET BESTURINGSSYSTEEM MICROSOFT WINDOWS\lang1033\f1\par..\lang1043\f0 MICROSOFT .NET FRAMEWORK 4 CLIENT PROFILE VOOR HET BESTURINGSSYSTEEM MICROSOFT WINDOWS \par..EN GERELATEERDE TAALPAKKETTEN\lang1033\f1\par..\pard\ltrpar\nowidctlpar\sb120\sa120\lang1043\b0\f0 Microsoft Corporation (of, afhankelijk uw locatie, een van haar gelieerde ondernemingen) geeft dit supplement aan u in licentie.\lang1033\b \lang1043\b0 Als u een licentie hebt voor het gebruik van Microsoft Windows

C:\81cd3e1c31538730e132\1044\LocalizedData.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	79296
Entropy (8bit):	3.5898407770439955
Encrypted:	false
SSDEEP:	384:4wn2IhI4z6T1sHCqeHveRWUw+KbGpK+9C/E6b2NJBf2OEuv:V9hI4z6T1siqeHveRhAo9CM6b2NJBuOD
MD5:	120104FA24709C2A9D8EFC84FF0786CD
SHA1:	B513FA545EFAE045864D8527A5EC6B6CEBE31BB9
SHA-256:	516525636B91C16A70AEF8D6F6B424DC1EE7F747B8508B396EE88131B2BB0947
SHA-512:	1EA8EB2BE9D5F4EF6F1F2C0D90CB228A9BB58D7143CCAFE77E18CE52EC4ACA25DDE0BA18430FD4D3D7962D079CCBE7E2552B2C7090361E03C6FDFB7C2B9C7325
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.i.n._.O.S._.C.o.m.p.a.t.i.b.i.l.i.t.y._.M.o.d.e.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".I.n.s.t.a.l.l.a.s.j.o.n.s.p.r.o.g.r.a.m.m.e.t. .k.a.n. .i.k.k.e. .k.j...r.e. .i. .k.o.m.p.a.t.i.b.i.l.i.t.e.t.s.m.o.d.u.s... .H.v.i.s. .d.u. .v.i.l. .h.a. .m.e.r. .i.n.f.o.r.m.a.s.j.o.n.,. .s.e. .&.l.t.;.A. .H.R.E.F.=.&.q.u.o.t.;.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.?.L.i.n.k.I.d.=.1.6.4.1.5.6.&.q.u.o.t.;.&.g.t.;.V.i.k.t.i.g.-.f.i.l.e.n.&.l.t.;./.A.&.g.t.;..."./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.

C:\81cd3e1c31538730e132\1044\SetupResources.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	17752
Entropy (8bit):	5.209166644217636
Encrypted:	false
SSDEEP:	384:cNeu+Oeu+Oeu+rW56qxYBlgFAcUm/rW9eWoLXci2jpv72:TIxYBegm/WgMi2jpv72
MD5:	BACEA57A781C43738A3B065103479BB5
SHA1:	45E277CC370150293252535D5371B2C0F79B4874
SHA-256:	8B372354A54643F1159FAB562D0F2DFE21F08A3D67DBB7337242846316D3BEC4
SHA-512:	CD0BB774D1373A7B735AE9A867387527DAB28D7635B5DE881F92B66ECD87DA4E8F4605F3DF093294CA3060F993220472D3C926780BEB57BF3E90ECC081F0F1E1
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........*...............................................P.......H....@.......................................... ..t'..............X............................................................................................text...G...........................@..@.rsrc....0... ...(..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\81cd3e1c31538730e132\1044\eula.rtf

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	3046
Entropy (8bit):	5.1859499604057495
Encrypted:	false
SSDEEP:	48:rPN3nffnyzInT7BjTgLDRn0l392N4S2ZOMb5XgNRc9q5QB34pg5lqM9TX/ufMpDn:rPBffyUnT7BjTADRn0lN2N4S2wG5wNRq
MD5:	830EBCED0F03F267EEE7A5167C4E91A4
SHA1:	740075166941E5623ECB488B0390F25A84FEEC77
SHA-256:	2D0B46674BB383A56E6061D25F0D446C8B50C83C92269A3FCCB657429E9EF4BE
SHA-512:	CD146C8F35C1095E142EEDF2B486A22593A417138CAE35FBA00DEFB5395D6DAA34C84B6A345AE88A5B365D4E17190FD3C7F3AA384D2D4472E0413F432280F53E
Malicious:	false
Reputation:	unknown
Preview:	{\rtf1\fbidis\ansi\ansicpg1252\deff0\deflang1044\deflangfe1044{\fonttbl{\f0\fswiss\fprq2\fcharset0 Tahoma;}{\f1\froman\fprq2\fcharset0 Times New Roman;}{\f2\fswiss\fprq2\fcharset0 Trebuchet MS;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Msftedit 5.41.21.2509;}\viewkind4\uc1\pard\ltrpar\nowidctlpar\sb120\sa120\b\f0\fs28 TILLEGGSLISENSVILK\'c5R FOR MICROSOFT-PROGRAMVARE\f1\par..\pard\brdrb\brdrs\brdrw10\brsp20 \ltrpar\nowidctlpar\sb120\sa120\f0\fs22 MICROSOFT .NET FRAMEWORK 4 FOR MICROSOFT WINDOWS-OPERATIVSYSTEM\f1\par..\f0 MICROSOFT .NET FRAMEWORK 4-KLIENTPROFIL FOR MICROSOFT WINDOWS-OPERATIVSYSTEM\par..OG TILKNYTTEDE SPR\'c5KPAKKER\f1\par..\pard\ltrpar\nowidctlpar\sb120\sa120\b0\f0\fs20 Microsoft Corporation (eller, avhengig av hvor du bor, et av dets tilknyttede selskaper) lisensierer dette tillegget til deg.\b \b0 Hvis du er lisensiert til \'e5 bruke Microsoft Windows-operativsystemprogramvare (som dette tillegget gjelder for) (\ldblquote programvaren\rdblquote ), har du r

C:\81cd3e1c31538730e132\1045\LocalizedData.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	82374
Entropy (8bit):	3.6806551409534465
Encrypted:	false
SSDEEP:	768:lz2ue+xTxXUpUqTvvUOfUs6LArUpFymrqQtr8BAyfO4RkSzXunasvJH2TF0wpYl7:lz2ue+xTxXUpUOvvUOfUs6LqTavdJkUr
MD5:	BDB583C7A48F811BE3B0F01FCEA40470
SHA1:	E8453946A6B926E4F4AE5B02BA1D648DAF23E133
SHA-256:	611B7B7352188ADFFD6380B9C8A85B8FF97C09A1C293BB7AC0EF5478A0E18AC8
SHA-512:	27B02226F8F86CA4D00789317C79E8CA0089F5B910BED14AA664EEAB6BE66E98DE3BAFD7670C895D70AB9C34ECE5F05199F3556FDDC1B165904E3432A51C008D
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.i.n._.O.S._.C.o.m.p.a.t.i.b.i.l.i.t.y._.M.o.d.e.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".I.n.s.t.a.l.a.t.o.r. .n.i.e. .m.o.\|.e. .d.z.i.a.B.a... .w. .t.r.y.b.i.e. .z.g.o.d.n.o.[.c.i... .A.b.y. .u.z.y.s.k.a... .w.i...c.e.j. .i.n.f.o.r.m.a.c.j.i.,. .z.o.b.a.c.z. .&.l.t.;.A. .H.R.E.F.=.&.q.u.o.t.;.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.?.L.i.n.k.I.d.=.1.6.4.1.5.6.&.q.u.o.t.;.&.g.t.;.P.l.i.k. .R.e.a.d.m.e.&.l.t.;./.A.&.g.t.;..."./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.U.n.i.n.s.t.a.l.l.W.a.

C:\81cd3e1c31538730e132\1045\SetupResources.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18264
Entropy (8bit):	5.2854545598714635
Encrypted:	false
SSDEEP:	192:fa1YUfwxWVxSIn+hnISv7N/blaRr26WneWAQKPnEtObMacxc8hjeyveCXW:iN2Gan9xblaRr26WneWALXci2jpvQ
MD5:	550C79640EEE713C73EB67B0736A92E6
SHA1:	51656BB182048F0ABFC57DC2DF9703D59E264442
SHA-256:	F90002DA2068F868D5A710444EA30F91AE2229DBEB660166C1E28935E4AB6078
SHA-512:	F90A9A5C399DEC2649E8EC088139E5FE4DD0419BDF7B5988BE8F437A35040A1E0D2F03D326B8C38B2F4F1CFDBE0269445120D95061BD691296E7C9B20C5EAC31
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........,...............................................P............@.......................................... ...(...........0..X............................................................................................text...G...........................@..@.rsrc....0... ...*..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\81cd3e1c31538730e132\1045\eula.rtf

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	4040
Entropy (8bit):	5.362038982382671
Encrypted:	false
SSDEEP:	96:rTBfQaJRTIRTjzH+oDgQUoIs89FcG5ywI5Et/+TMm9MpDcA/+MvsNcUOsG9jeLdp:Zfo+Bs18ncG5Y5Et/+Z9OwAjs7OtRwdp
MD5:	BB93B108D4BE954133380F7709E7BA1E
SHA1:	34376037B3C5879142796A2F524E5B3EA6097ED1
SHA-256:	4F2D6A8979C89592877555FE8F576D5F631132452AFE86114D35E9531A1CA948
SHA-512:	69C60EF8C0E6A8F7A92EC9A9C94C99F6DDE39477D8DEE041ABF7A164025D7EBFC9F0C7399AD8C9ED150861B00FC47F1F1CB40BB245AA87ED7904B1BAE6A4271B
Malicious:	false
Reputation:	unknown
Preview:	{\rtf1\fbidis\ansi\ansicpg1252\deff0\deflang1033\deflangfe1033{\fonttbl{\f0\fswiss\fprq2\fcharset238 Tahoma;}{\f1\froman\fprq2\fcharset238{\\fname Times New Roman;}Times New Roman CE;}{\f2\fswiss\fprq2\fcharset238 Trebuchet MS;}}..{\colortbl ;\red0\green0\blue255;}..{\\generator Msftedit 5.41.21.2509;}\viewkind4\uc1\pard\ltrpar\nowidctlpar\sb120\sa120\lang1045\b\f0\fs20 UZUPE\'a3NIAJ\'a5CE POSTANOWIENIA LICENCYJNE DOTYCZ\'a5CE OPROGRAMOWANIA MICROSOFT\lang1033\f1\par..\pard\brdrb\brdrs\brdrw10\brsp20 \ltrpar\nowidctlpar\sb120\sa120\f0 MICROSOFT .NET FRAMEWORK 4 DLA SYSTEMU OPERACYJNEGO MICROSOFT WINDOWS\f1\par..\f0 PROFIL KLIENTA PROGRAMU MICROSOFT .NET FRAMEWORK 4 DLA SYSTEMU OPERACYJNEGO MICROSOFT WINDOWS\par..I POWI\'a5ZANYCH PAKIET\'d3W J\'caZYKOWYCH\f1\par..\pard\ltrpar\nowidctlpar\sb120\sa120\b0\f0 Microsoft \lang1045 Corporation (lub, w\~zale\'bfno\'9cci od miejsca zamieszkania Licencjobiorcy, jeden z\~podmiot\'f3w stowarzyszonych Microsoft Corporation) udziela Licencjobiorcy

C:\81cd3e1c31538730e132\1046\LocalizedData.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	80738
Entropy (8bit):	3.581949939963976
Encrypted:	false
SSDEEP:	384:4wl7DAQput9emRem6cvMOem6QemIAY/YEQTeQoqk7EHd9nKxXq5fKsLaG5m73Rdv:geOeqeCe1CkyJtG07g
MD5:	A03D2063D388FC7A1B4C36D85EFA5A1A
SHA1:	88BD5E2FF285EE421CCC523F7582E05A8C3323F8
SHA-256:	61D8339E89A9E48F8AE2D929900582BB8373F08D553EC72D5E38A0840B47C8A3
SHA-512:	3A219F36E57D90CA92E9FAEC4DFD34841C2C9244DA4FE7E1D70608DDE7857AA36325BDB46652A42922919F782BB7C97F567E69A9FC51942722B8FD66CD4ECAF0
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.i.n._.O.S._.C.o.m.p.a.t.i.b.i.l.i.t.y._.M.o.d.e.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".N...o. ... .p.o.s.s...v.e.l. .e.x.e.c.u.t.a.r. .a. .i.n.s.t.a.l.a.....o. .e.m. .m.o.d.o. .d.e. .c.o.m.p.a.t.i.b.i.l.i.d.a.d.e... .P.a.r.a. .o.b.t.e.r. .m.a.i.s. .i.n.f.o.r.m.a.....e.s.,. .c.o.n.s.u.l.t.e. .o. .&.l.t.;.A. .H.R.E.F.=.&.q.u.o.t.;.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.?.L.i.n.k.I.d.=.1.6.4.1.5.6.&.q.u.o.t.;.&.g.t.;.a.r.q.u.i.v.o. .L.e.i.a.m.e.&.l.t.;./.A.&.g.t.;..."./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.

C:\81cd3e1c31538730e132\1046\SetupResources.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18264
Entropy (8bit):	5.203641313145023
Encrypted:	false
SSDEEP:	192:zjkTnUfwVWwwZFf7TOS7LDoKGslNDGf8BjWNeWSQKPnEtObMacxc8hjeyveCXKuj:zom6QT7FprmmWNeWSLXci2jpv3j
MD5:	86CB58F2B6BC1174D200D0ABE5497233
SHA1:	F1174409A44D922C23F376C6BC7609BBDAD5016C
SHA-256:	DD7FB50E88355F46D619D89E47D3057ACC1C069178BA81839970BB13479FCF4C
SHA-512:	AD4C9124F2459FB83C977B235B7ACDDA86AFAEBE9FEBD8BE084AA50E87AB091331A8724EC517D5096487970A3992C7E3D255CDA31DC494544CABA5DEF9C93DD1
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........,...............................................P......E.....@.......................................... ...(...........0..X............................................................................................text...G...........................@..@.rsrc....0... ...*..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\81cd3e1c31538730e132\1046\eula.rtf

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	3683
Entropy (8bit):	5.188584376027454
Encrypted:	false
SSDEEP:	96:rTBfAlMu9fTp/9fTdIDsGJ1KlhREerHr7uStmESWp55ztFuMpDl/BRwZ+qf+J4Ed:ZfeuqhGeHVIErn1zuO9BC8q2WEHt+B2
MD5:	E43708161843A33D34D6FDF966D36397
SHA1:	2E5C0450CEBD9A737A90908EEDDAAE2D0B3E2940
SHA-256:	0AF1F04F416712387BF87C93FA846B4E8EB0AC25E284A2A3578C58E2724E2778
SHA-512:	FB334D29BBBC2D19D20C5260C55BF83D9D6D242C6A8F04AC88F8280A63E6AF32FB5D96703E43D39F6863D17B27D9E0E36CBAB1099127E5FA281255A19AE39E0D
Malicious:	false
Reputation:	unknown
Preview:	{\rtf1\fbidis\ansi\ansicpg1252\deff0\deflang1033\deflangfe1033{\fonttbl{\f0\fswiss\fprq2\fcharset0 Tahoma;}{\f1\froman\fprq2\fcharset0 Times New Roman;}{\f2\fswiss\fprq2\fcharset0 Trebuchet MS;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Msftedit 5.41.21.2509;}\viewkind4\uc1\pard\ltrpar\nowidctlpar\sb120\sa120\lang1046\b\f0\fs20 TERMOS DE LICEN\'c7A COMPLEMENTARES PARA SOFTWARE DA MICROSOFT\lang1033\f1\par..\pard\brdrb\brdrs\brdrw10\brsp20 \ltrpar\nowidctlpar\sb120\sa120\lang1046\f0 MICROSOFT .NET FRAMEWORK 4 PARA SISTEMA OPERACIONAL MICROSOFT WINDOWS\lang1033\f1\par..\pard\brdrb\brdrs\brdrw10\brsp20 \ltrpar\lang1046\f0 PERFIL DO CLIENTE DO MICROSOFT .NET FRAMEWORK 4 PARA SISTEMA OPERACIONAL MICROSOFT WINDOWS\line\par..E PACOTES DE IDIOMAS ASSOCIADOS\lang1033\b0\f1\fs22\par..\pard\ltrpar\nowidctlpar\sb120\sa120\lang1046\f0\fs20 A Microsoft Corporation (ou, dependendo do local em que voc\'ea esteja domiciliado, uma de suas afiliadas) fornece a voc\'ea a licen\'e7a deste supleme

C:\81cd3e1c31538730e132\1049\LocalizedData.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	81482
Entropy (8bit):	4.270033694989682
Encrypted:	false
SSDEEP:	384:4w7iPuXsPXBUhOLGvVVA5/Fpn9zJop9TE+zkX6JS/5cGhj/6v:MP5XyZVrJF
MD5:	349B52A81342A7AFB8842459E537ECC6
SHA1:	6268343E82FBBABE7618BD873335A8F9F84ED64D
SHA-256:	992BF5AEB06AA3701D50C23FA475B4B86D8997383C9F0E3425663CFBD6B8A2A5
SHA-512:	EF4CBD3F7F572A9F146A524CFBC2EFBD084E6C70A65B96A42339ADC088E3F0524BC202548340969481E7F3DF3AC517AC34B200B56A3B9957802ABD0EFA951C49
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.i.n._.O.S._.C.o.m.p.a.t.i.b.i.l.i.t.y._.M.o.d.e.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=."...5. .C.4.0.5.B.A.O. .2.K.?.>.;.=.8.B.L. .C.A.B.0.=.>.2.:.C. .2. .@.5.6.8.<.5. .A.>.2.<.5.A.B.8.<.>.A.B.8... ...>.?.>.;.=.8.B.5.;.L.=.K.5. .A.2.5.4.5.=.8.O. .A.<... .2. .&.l.t.;.A. .H.R.E.F.=.&.q.u.o.t.;.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.?.L.i.n.k.I.d.=.1.6.4.1.5.6.&.q.u.o.t.;.&.g.t.;.D.0.9.;.5. .A.2.5.4.5.=.8.9. .>. .?.@.>.4.C.:.B.5.&.l.t.;./.A.&.g.t.;..."./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.

C:\81cd3e1c31538730e132\1049\SetupResources.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18264
Entropy (8bit):	5.548909804205606
Encrypted:	false
SSDEEP:	192:eRBvnUfwVWBC623DV3SD1tt9WfXHT7nMsmxeW1QKPnEtObMacxc8hjeyveCXgFK1:e/C6+URiD1vwLoPeW1LXci2jpvaFHM
MD5:	7EF74AF6AB5760950A1D233C582099F1
SHA1:	BF79FF66346907446F4F95E1E785A03CA108EB5D
SHA-256:	658398F1B68D49ABD37FC3B438CD564992D4100ED2A0271CBF83173F33400928
SHA-512:	BBBB099AD24F41785706033962ACFC75039F583BEED40A7CDC8EDA366AB2C77F75A5B2792CF6AACB80B39B6B1BB84ECE372BE926FF3F51028FB404D2F6334D78
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........,...............................................P......O.....@.......................................... ..............0..X............................................................................................text...G...........................@..@.rsrc....0... .....................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\81cd3e1c31538730e132\1049\eula.rtf

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	54456
Entropy (8bit):	4.950349023670169
Encrypted:	false
SSDEEP:	768:3CR6rdlWFJv3zGz9tWQ2ni8UNo/8PZrS14Z:3CcrMeDZ
MD5:	2277852A45DA18B12BEEC5FB6F08CDC9
SHA1:	E564862D098BD111430C4208EAA1ADD5CD52A601
SHA-256:	59AD806664E3CE4A024452985C4602D5610126A16FC36ADE018A9756ACCC92CC
SHA-512:	ED9726D207479E4DF494C6AF17E64909EA6649DDD8BDC3E37229A73270B4A159B2B11C1ADD462871DD40A23033E6B3F8A26E3EA1FA6E3B7316153AF13B316CD2
Malicious:	false
Reputation:	unknown
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1033\themelang1033\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}..{\f38\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604030504040204}Tahoma;}{\f44\fbidi \froman\fcharset0\fprq2 Times New Roman CYR;}{\f45\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0603020202020204}Trebuchet MS;}..{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fhimajor\f31502\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\fbimajor\f31503\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\flominor\f31504\fbidi \froman\fcharset0\fprq2{\*\pa

C:\81cd3e1c31538730e132\1053\LocalizedData.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	77680
Entropy (8bit):	3.602060477304833
Encrypted:	false
SSDEEP:	384:4w+optBSCVb5v6iMSsCtD7jjktDhHfLSGM3zD0q0Xt//Vvcinnl/06N9mGktJsIO:QqtBSCVb5v69SsuD7jwDkqmGeJsoON
MD5:	B3B1A89458BEC6AF82C5386D26639B59
SHA1:	D9320B8CC862F40C65668A40670081079B63CEA1
SHA-256:	1EF312E8BE9207466FBFDECEE92BFC6C6B7E2DA61979B0908EAF575464E7B7A0
SHA-512:	478CE08619490ED1ECDD8751B5F60DA1EE4AC0D08D9A97468C3F595AC4376FECA59E9C72DD9C83B00C8D78B298BE757C6F24A422B7BE8C041F780524844998BF
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.i.n._.O.S._.C.o.m.p.a.t.i.b.i.l.i.t.y._.M.o.d.e.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".I.n.s.t.a.l.l.a.t.i.o.n.s.p.r.o.g.r.a.m.m.e.t. .k.a.n. .i.n.t.e. .k...r.a.s. .i. .k.o.m.p.a.t.i.b.i.l.i.t.e.t.s.l...g.e... .M.e.r. .i.n.f.o.r.m.a.t.i.o.n. .f.i.n.n.s. .i. .&.l.t.;.A. .H.R.E.F.=.&.q.u.o.t.;.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.?.L.i.n.k.I.d.=.1.6.4.1.5.6.&.q.u.o.t.;.&.g.t.;.V.i.k.t.i.g.t.-.f.i.l.e.n.&.l.t.;./.A.&.g.t.;..."./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.U.n.i.n.s.t.a.l.l.

C:\81cd3e1c31538730e132\1053\SetupResources.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	17752
Entropy (8bit):	5.196946497211754
Encrypted:	false
SSDEEP:	384:W9U6qxM8IJu5M/oZVQVWpyeWRLXci2jpvE:WIxMwLVWVMi2jpvE
MD5:	28813510B82F45868B5BDC67FFF9C9FA
SHA1:	696A06D1F7B13C20599C53E74969BDC99AB5D30A
SHA-256:	EB0A73F6BFAF65FAA58440D57145709894E9A5354E840805EC02DCE153332249
SHA-512:	A01A7C8147138125BBFF7D135FACF255A0284AFABD2BB28D5CB6E54C86A8F1A685855B5561584574A057D4FCFDEF630A10AD262495C58EA5DF974A3249787D9B
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........*...............................................P......8p....@.......................................... ...'..............X............................................................................................text...G...........................@..@.rsrc....0... ...(..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\81cd3e1c31538730e132\1053\eula.rtf

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	3865
Entropy (8bit):	5.329033876405121
Encrypted:	false
SSDEEP:	96:rTBfv+/9TfHTGDXtZEOuAs50Y1EIF19VWMpDHvuKMLDBD+d54+QFEp5Tf+8K+l1S:5ffduAs591EIb9gOpqDoDZQmx2W2
MD5:	E2F73097FC60F5347BAD1C1E93B2941B
SHA1:	8564447AF45B488AC713D898405B759365662598
SHA-256:	72860227092C38AE5E00E24C75E9B263E77BD2032EE597AABE408B9176448097
SHA-512:	94ECD5BD5053A417BFF3E49C5E7B362843D2C850DA09D389161D4F4D98DE624473E0F143E6A088AB288AB4DA49B7910FFC80F77401009F560B60470FB13609B1
Malicious:	false
Reputation:	unknown
Preview:	{\rtf1\fbidis\ansi\ansicpg1252\deff0\deflang1053\deflangfe1053{\fonttbl{\f0\fswiss\fprq2\fcharset0 Tahoma;}{\f1\froman\fprq2\fcharset0 Times New Roman;}{\f2\fswiss\fprq2\fcharset0 Trebuchet MS;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Msftedit 5.41.21.2509;}\viewkind4\uc1\pard\ltrpar\sb120\sa120\lang1033\b\f0\fs28 TILL\'c4GGSLICENSVILLKOR F\'d6R PROGRAMVARA FR\'c5N MICROSOFT\par..\pard\brdrb\brdrs\brdrw10\brsp20 \ltrpar\sb120\sa120\fs22 MICROSOFT .NET FRAMEWORK 4 F\'d6R OPERATIVSYSTEMET MICROSOFT WINDOWS\f1\par..\f0 MICROSOFT .NET FRAMEWORK 4 CLIENT PROFILE F\'d6R OPERATIVSYSTEMET MICROSOFT WINDOWS\par..OCH ASSOCIERADE SPR\'c5KPAKET\f1\par..\pard\ltrpar\nowidctlpar\sb120\sa120\lang1053\b0\f0\fs20 Microsoft Corporation (eller beroende p\'e5 var du bor, ett av dess koncernbolag) licensierar detta till\'e4gg till dig.\lang1033\b \lang1053\b0 Om du innehar licens f\'f6r programvara f\'f6r operativsystemet Microsoft Windows (som detta till\'e4gg g\'e4ller f\'f6r) (\rdblquote pr

C:\81cd3e1c31538730e132\1055\LocalizedData.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	76818
Entropy (8bit):	3.7161950547055933
Encrypted:	false
SSDEEP:	1536:bM8DL5YHRL87mlQg5IgrbGZzwOS8Frc+iI0jJNJ7rtRpUR:bM8DL5YHRL87mlQg5IgrbGZzwOS8FrcS
MD5:	65E771FED28B924942A10452BBBF5C42
SHA1:	586921B92D5FB297F35EFFC2216342DAC1AE2355
SHA-256:	45E30569A756D9BCBC5F9DAE78BDA02751FD25E1C0AEE471CE112CB4464A6EE2
SHA-512:	D014A2A96F3A5C487EF1CADDD69599DBEC15DA5AD689D68009F1CA4D5CB694105A7903F508476D6FFEC9D81386CB184DF6FC428D34F056190CEE30715514A8F7
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.i.n._.O.S._.C.o.m.p.a.t.i.b.i.l.i.t.y._.M.o.d.e.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".K.u.r.u.l.u.m. .u.y.u.m.l.u.l.u.k. .m.o.d.u.n.d.a. ...a.l.1._.a.m.a.z... .D.a.h.a. .f.a.z.l.a. .b.i.l.g.i. .i...i.n. .b.k.z... .&.l.t.;.A. .H.R.E.F.=.&.q.u.o.t.;.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.?.L.i.n.k.I.d.=.1.6.4.1.5.6.&.q.u.o.t.;.&.g.t.;.B.e.n.i.o.k.u. .d.o.s.y.a.s.1.&.l.t.;./.A.&.g.t.;..."./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.U.n.i.n.s.t.a.l.l.W.a.r.n.i.n.g.).". .L.o.c.a.l.i.z.e.d.T.

C:\81cd3e1c31538730e132\1055\SetupResources.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	17752
Entropy (8bit):	5.263298426482242
Encrypted:	false
SSDEEP:	384:Hfp2mDyEkEIb7/dscoGvXdBXbtRS0W0eW0LXci2jpvhPN:H1DyEkEIFscVXdBXbtRVsMi2jpvhl
MD5:	357A1CBF08A83E657FFAE8639AC1212A
SHA1:	384DF3D9DBBE27731785D92C257B7BA584FBE5E8
SHA-256:	DD7337A6C67B39905A9B01C4212667F27EDFB68E86D1099E20EC37B03C51E7B9
SHA-512:	67E47DF1E462A279C909B7B4255BEC4824554890CFF789BDF6691898A66E71DB007794476508F9290D95ACCE908109AA589A3A01A04125AEBB9EFBF67AEBF25F
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........*...............................................P............@.......................................... ...'..............X............................................................................................text...G...........................@..@.rsrc....0... ...(..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\81cd3e1c31538730e132\1055\eula.rtf

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	3859
Entropy (8bit):	5.120677849638168
Encrypted:	false
SSDEEP:	96:VSfjQOTqfRRTqfSD+vmScfQEz04jMpDLiIzhZLlZhD2:wfcFpcfEo4jOT2
MD5:	D71A0D5B6CB13901CD35C036D395BE59
SHA1:	B0F83CF648C2E84119A32AFD2E0EF409BB2047CE
SHA-256:	A8850F6DBF56B6C55D255E81B15A3D17196EEE89FFBE41CDFCA19205628C1A7B
SHA-512:	FE7C6E54014AD963F51850973F5AE5872FBA9843F1C20973F5E875008064F870A5217C2C9ADA3D92A3F1B2DF6318D5137814943D6295E72CF27343DF93B957E1
Malicious:	false
Reputation:	unknown
Preview:	{\rtf1\fbidis\ansi\ansicpg1254\deff0\deflang1055\deflangfe1055{\fonttbl{\f0\fswiss\fprq2\fcharset162 Tahoma;}{\f1\froman\fprq2\fcharset162{\\fname Times New Roman;}Times New Roman TUR;}{\f2\fswiss\fprq2\fcharset162 Trebuchet MS;}}..{\colortbl ;\red0\green0\blue255;}..{\\generator Msftedit 5.41.21.2509;}\viewkind4\uc1\pard\ltrpar\nowidctlpar\sb120\sa120\b\f0\fs20 MICROSOFT YAZILIM EK\'dd L\'ddSANS KO\'deULLARI\lang1033\f1\par..\pard\brdrb\brdrs\brdrw10\brsp20 \ltrpar\nowidctlpar\sb120\sa120\lang1055\f0 MICROSOFT WINDOWS \'dd\'deLET\'ddM S\'ddSTEMLER\'dd \'dd\'c7\'ddN MICROSOFT .NET FRAMEWORK 4\lang1033\f1\par..\lang1055\f0 MICROSOFT WINDOWS \'dd\'deLET\'ddM S\'ddSTEMLER\'dd \'dd\'c7\'ddN MICROSOFT .NET FRAMEWORK 4 \'ddSTEMC\'dd PROF\'ddL\'dd\par..VE \'ddL\'dd\'deK\'ddL\'dd D\'ddL PAKETLER\'dd\lang1033\f1\par..\pard\ltrpar\nowidctlpar\sb120\sa120\lang1055\b0\f0 Microsoft Corporation (veya ya\'fead\'fd\'f0\'fdn\'fdz yere g\'f6re bir ba\'f0l\'fd \'feirketi) bu ekin lisans\'fdn\'fd size v

C:\81cd3e1c31538730e132\2052\LocalizedData.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	60684
Entropy (8bit):	4.338517891382778
Encrypted:	false
SSDEEP:	384:4w7yHdhTgqbbT1HjWZez2jtKgst+7x0x8EM5NnqQivGXU4woZukC7FQKAuXR/4mn:dyjg2z2bXXwoZukC7FQKAuXRgcJf
MD5:	10DA125EEABCBB45E0A272688B0E2151
SHA1:	6C4124EC8CA2D03B5187BA567C922B6C3E5EFC93
SHA-256:	1842F22C6FD4CAF6AD217E331B74C6240B19991A82A1A030A6E57B1B8E9FD1EC
SHA-512:	D968ABD74206A280F74BF6947757CCA8DD9091B343203E5C2269AF2E008D3BB0A17FF600EB961DBF69A93DE4960133ADE8D606FB9A99402D33B8889F2D0DA710
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.i.n._.O.S._.C.o.m.p.a.t.i.b.i.l.i.t.y._.M.o.d.e.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=."..[..z.^.e.l.N\|Q.['`!j._.L..0.gsQ..~.Oo`.....S..&.l.t.;.A. .H.R.E.F.=.&.q.u.o.t.;.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.?.L.i.n.k.I.d.=.1.6.4.1.5.6.&.q.u.o.t.;.&.g.t.;.....e.N&.l.t.;./.A.&.g.t.;..0"./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.U.n.i.n.s.t.a.l.l.W.a.r.n.i.n.g.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".xS}. .M.i.c.r.o.s.o.f.t. ...N.E.T. .F.r.a.m.e.w.o.r.k. ..S...O.[..g.N.^(u.z.^.e.lck8^.L.

C:\81cd3e1c31538730e132\2052\SetupResources.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	14168
Entropy (8bit):	6.010838262457833
Encrypted:	false
SSDEEP:	192:rsLnUfwVWtTXjuQShyjK7tWUEW5IQKPnEtObMacxc8hjeyveCXMOV:4eCTFhMKZWUEW5ILXci2jpvP
MD5:	407CDB7E1C2C862B486CDE45F863AE6E
SHA1:	308AEEBEB1E1663ACA26CE880191F936D0E4E683
SHA-256:	9DD9D76B4EF71188B09F3D074CD98B2DE6EA741530E4EA19D539AE3F870E8326
SHA-512:	7B4F43FC24EB30C234F2713C493B3C13928C591C77A3017E8DD806A41CCFEDD53B0F748B5072052F8F9AC43236E8320B19D708903E3F06C59C6ED3C12722494E
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........................................................@.......y....@.......................................... ............... ..X............................................................................................text...G...........................@..@.rsrc.... ... ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\81cd3e1c31538730e132\2052\eula.rtf

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	Rich Text Format data, version 1, ANSI
Category:	dropped
Size (bytes):	5827
Entropy (8bit):	4.418112026919231
Encrypted:	false
SSDEEP:	96:M5DBmf0jLTCLLgLTCLLmDjxrDT2k9rkKp7aDKaXzaWZMa/O9wzy6n/MpDTKTGptk:EmfJXoQkRGDtXeWZv/O9XmOdZzQJWBBi
MD5:	4288C2541843F75C348D825FC8B94153
SHA1:	E0DD8ED7BDB3C941A589361EE764F49A3619C264
SHA-256:	C30A7597AA67E2847940E2C24F09B35C07B1EC759ADBCA7C8261141FC1ECCA92
SHA-512:	7BA9991FE4EED625FE7BEF96A1D3AE70CB7616AAD034236D1A2B346A08B48280CB6C20D2B059DA9953919B0265125FE56DC5F4CC619AC653B4C1164ED564B359
Malicious:	false
Reputation:	unknown
Preview:	{\rtf1\ansi\ansicpg1252\deff0\deflang1033\deflangfe2052{\fonttbl{\f0\fswiss\fprq2\fcharset0 Tahoma;}{\f1\fnil\fprq2\fcharset134 \'cb\'ce\'cc\'e5;}{\f2\froman\fprq2\fcharset0 Times New Roman;}{\f3\fswiss\fprq2\fcharset0 Trebuchet MS;}}..{\colortbl ;\red0\green0\blue255;}..{\\generator Msftedit 5.41.21.2509;}{\info{\horzdoc}{\\lchars $(.<?[\'7b\'a3\'a5\'ab\'b7\'91\'93}{\*\fchars !"%'),.:\'3b>?]`\|\'7d~\'a2\'a8\'af\'b0\'b7\'bb\'92\'94\'85\'89\'9b}}..\viewkind4\uc1\pard\nowidctlpar\sb120\sa120\b\f0\fs20 MICROSOFT \lang2052\f1\'c8\'ed\'bc\'fe\'b2\'b9\'b3\'e4\'b3\'cc\'d0\'f2\'d0\'ed\'bf\'c9\'cc\'f5\'bf\'ee\lang1033\f2\par..\pard\brdrb\brdrs\brdrw10\brsp20 \nowidctlpar\sb120\sa120\lang2052\f1\'d3\'c3\'d3\'da\lang1033\f0 MICROSOFT WINDOWS \lang2052\f1\'b2\'d9\'d7\'f7\'cf\'b5\'cd\'b3\'b5\'c4\lang1033\f0 MICROSOFT .NET FRAMEWORK 4\f2\par..\lang2052\f1\'d3\'c3\'d3\'da\lang1033\f0 MICROSOFT WINDOWS \lang2052\f1\'b2\'d9\'d7\'f7\'cf\'b5\'cd\'b3\'b5\'c4\lang1033\f0 MICROSOFT .NET FRAMEWORK 4 CLI

C:\81cd3e1c31538730e132\2070\LocalizedData.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	80254
Entropy (8bit):	3.5905984831890927
Encrypted:	false
SSDEEP:	384:4wdLPpRgMjLeUueUA48DYeUOqeUd/iboeuXWpFPYOAjw/BdgysR0AmhRod30J0qf:fenekeCeRuXWpFxgJMh230JMaWs
MD5:	7FA9926A4BC678E32E5D676C39F8FB97
SHA1:	BBA4311DD30261A9B625046F8A6EA215516C9213
SHA-256:	A25EE75C78C24C50440AD7DE9929C6A6E1CC0629009DC0D01B90CBAC177DD404
SHA-512:	E06423BC1EA50A566D341DC513828608E9B6611FEA81D33FCA471A38F6B2B61B556EA07A5DEC0830F3E87194975D87F267A5E5E1A2BE5E6A86B07C5BB2BDDCB6
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.i.n._.O.S._.C.o.m.p.a.t.i.b.i.l.i.t.y._.M.o.d.e.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".O. .p.r.o.g.r.a.m.a. .d.e. .c.o.n.f.i.g.u.r.a.....o. .n...o. .p.o.d.e. .s.e.r. .e.x.e.c.u.t.a.d.o. .n.o. .m.o.d.o. .d.e. .c.o.m.p.a.t.i.b.i.l.i.d.a.d.e... .P.a.r.a. .m.a.i.s. .i.n.f.o.r.m.a.....e.s.,. .c.o.n.s.u.l.t.e. .o. .&.l.t.;.A. .H.R.E.F.=.&.q.u.o.t.;.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.?.L.i.n.k.I.d.=.1.6.4.1.5.6.&.q.u.o.t.;.&.g.t.;.F.i.c.h.e.i.r.o. .L.e.i.a.-.m.e.&.l.t.;./.A.&.g.t.;..."./.>..... . . . . . .<.T.e.x.

C:\81cd3e1c31538730e132\2070\SetupResources.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18776
Entropy (8bit):	5.195239987750812
Encrypted:	false
SSDEEP:	192:8ae5UfwxWr4KyGpTOSZmzmTssa8x91cvWp7eWYQKPnEtObMacxc8hjeyveCXgs:V32NAT7ZmzmYpqUvWp7eWYLXci2jpvas
MD5:	58CB55FA4D9E2F62F675720B1269137D
SHA1:	472F8E4982369C703C78091E66E33BF6B2A03F09
SHA-256:	9C9E0ABFDB8065ECEC3420398DA687FAD4429F4CBF68B7082C8221925BF8D86B
SHA-512:	123906A064033F37891DBB9C2A01A990AFD3C8447E38CDF66265784449FDD94806372A589A7DEA074830EB1DF7812E4877A1EE59171D37F1652167A03D2B961B
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........................................................P......U^....@.......................................... .. *...........2..X............................................................................................text...G...........................@..@.rsrc....0... ...,..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\81cd3e1c31538730e132\2070\eula.rtf

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	4015
Entropy (8bit):	5.250694812846901
Encrypted:	false
SSDEEP:	96:r4IffB09DkTLGTHD28ygHx0LlHKe1rvGA9mE0Eyh+iH/OMpiKwIurpEpiT0T8x8w:VfB8ygHclqe1ruAYEBm+imOvurerV2
MD5:	4518BE9A9BCA5BE1D8AC926A4B2C087D
SHA1:	D089427D93EA726380E89ECF00127BD51A4DCFC1
SHA-256:	D838ACF5ED559C58F623F73AF4902A13848502778EEA7AF585AC2E801D7C8C45
SHA-512:	7BCF5248E36D98D74040B6AFB08CA62A3255E397A26FF6DCA9A8E42BADF71BC0005FD8FE8B3CA3A4896434823A9E3401EEC86EF60B1A6CE395CE21A710626478
Malicious:	false
Reputation:	unknown
Preview:	{\rtf1\fbidis\ansi\ansicpg1252\deff0\deflang2070\deflangfe1041{\fonttbl{\f0\fswiss\fprq2\fcharset0 Tahoma;}{\f1\froman\fprq2\fcharset0 Times New Roman;}{\f2\fswiss\fprq2\fcharset0 Trebuchet MS;}}..{\colortbl ;\red0\green0\blue0;\red0\green0\blue255;}..{\*\generator Msftedit 5.41.21.2509;}\viewkind4\uc1\pard\ltrpar\nowidctlpar\sb120\sa120\b\f0\fs28 TERMOS DE LICENCIAMENTO SUPLEMENTARES PARA SOFTWARE MICROSOFT\lang1033\f1\par..\pard\brdrb\brdrs\brdrw10\brsp20 \ltrpar\nowidctlpar\sb120\sa120\lang2070\f0\fs22 MICROSOFT .NET FRAMEWORK 4 PARA O SISTEMA OPERATIVO MICROSOFT WINDOWS\lang1033\f1\par..\lang2070\f0 MICROSOFT .NET FRAMEWORK 4 CLIENT PROFILE PARA O SISTEMA OPERATIVO MICROSOFT WINDOWS\par..E PACOTES DE IDIOMAS ASSOCIADOS\lang1033\f1\fs20\par..\pard\ltrpar\nowidctlpar\sb120\sa120\lang2070\b0\f0 A Microsoft Corporation (ou, dependendo do pa\'eds em que reside, uma das respectivas empresas afiliadas) licencia este suplemento para o Adquirente.\lang1033\b \lang2070\b0 Se o Adquirente es

C:\81cd3e1c31538730e132\3076\LocalizedData.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	60816
Entropy (8bit):	4.3418522371704045
Encrypted:	false
SSDEEP:	384:4wCGbCWB6rFk+2jP8lxtrzh1hsPN7ODPnPgQy50sJCXnofDPiv:tbCWYFrewYTJCf
MD5:	967A6D769D849C5ED66D6F46B0B9C5A4
SHA1:	C0FF5F094928B2FA8B61E97639C42782E95CC74F
SHA-256:	0BC010947BFF6EC1CE9899623CCFDFFD702EEE6D2976F28D9E06CC98A79CF542
SHA-512:	219B13F1BEEB7D690AF9D9C7D98904494C878FBE9904F8CB7501B9BB4F48762F9D07C3440EFA0546600FF62636AC34CB4B32E270CF90CB47A9E08F9CB473030C
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.i.n._.O.S._.C.o.m.p.a.t.i.b.i.l.i.t.y._.M.o.d.e.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=."..[..z._!q.l(W.v.['`!j._.N.WL..0.Y..s.0}.......S..&.l.t.;.A. .H.R.E.F.=.&.q.u.o.t.;.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.?.L.i.n.k.I.d.=.1.6.4.1.5.6.&.q.u.o.t.;.&.g.t.;....b.jHh&.l.t.;./.A.&.g.t.;..0"./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.U.n.i.n.s.t.a.l.l.W.a.r.n.i.n.g.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=."..d..[. .M.i.c.r.o.s.o.f.t. ...N.E.T. .F.r.a.m.e.w.o.r.k. ..S...g.\..g.N.a(u.z._\PbkK.

C:\81cd3e1c31538730e132\3076\SetupResources.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	14168
Entropy (8bit):	5.9724110685335825
Encrypted:	false
SSDEEP:	192:fc2+tUfwZWPl53LmlVlSW1g+/axw0lczWpXEWUQKPnEtObMacxc8hjeyveCXzHbk:hzuwLmlCW1g+/kmzWpXEWULXci2jpv3e
MD5:	7C136B92983CEC25F85336056E45F3E8
SHA1:	0BB527E7004601E920E2AAC467518126E5352618
SHA-256:	F2E8CA58FA8D8E694D04E14404DEC4E8EA5F231D3F2E5C2F915BD7914849EB2B
SHA-512:	06DA50DDB2C5F83E6E4B4313CBDAE14EED227EEC85F94024A185C2D7F535B6A68E79337557727B2B40A39739C66D526968AAEDBCFEF04DAB09DC0426CFBEFBF4
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........................................................@......E.....@.......................................... ..X............ ..X............................................................................................text...G...........................@..@.rsrc.... ... ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\81cd3e1c31538730e132\3076\eula.rtf

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	Rich Text Format data, version 1, ANSI
Category:	dropped
Size (bytes):	6309
Entropy (8bit):	4.470827969332999
Encrypted:	false
SSDEEP:	96:/R8NRf8TTVKTu4LuTu4LrzZD41raZM4HbegdxqKZJQ1/FSMZJujgzc/MpD1JzIf2:/R4Rfm2NBZMjOfro2n6CA2
MD5:	6F2F198B6D2F11C0CBCE4541900BF75C
SHA1:	75EC16813D55AAF41D4D6E3C8D4948E548996D96
SHA-256:	D7D3CFBE65FE62DFA343827811A8071EC54F68D72695C82BEC9D9037D4B4D27A
SHA-512:	B1F5B812182C7A8BF1C1A8D0F616B44B0896F2AC455AFEE56C44522B458A8638F5C18200A8FB23B56DC1471E5AB7C66BE1BE9B794E12EC06F44BEEA4D9D03D6F
Malicious:	false
Reputation:	unknown
Preview:	{\rtf1\ansi\ansicpg950\deff0\deflang1033\deflangfe1028{\fonttbl{\f0\fswiss\fprq2\fcharset0 Tahoma;}{\f1\froman\fprq2\fcharset136 \'b7\'73\'b2\'d3\'a9\'fa\'c5\'e9;}{\f2\froman\fprq2\fcharset0 Times New Roman;}{\f3\fswiss\fprq2\fcharset0 Trebuchet MS;}}..{\colortbl ;\red0\green0\blue255;}..{\\generator Msftedit 5.41.21.2509;}{\info{\horzdoc}{\\lchars (<?[`\'7b\'a2\'47\'a2\'44?\'a1\'a5\'a1\'a7}{\*\fchars !'),.:\'3b>?]\|\'7d\'a2\'46\'a1\'50?\'a1\'56\'a1\'58\'a1\'a6\'a1\'a8\'a1\'45\'a1\'4b}}..\viewkind4\uc1\pard\nowidctlpar\sb120\sa120\b\f0\fs28 MICROSOFT \lang1028\f1\'b3\'6e\'c5\'e9\'bc\'57\'b8\'c9\'b1\'c2\'c5\'76\'b1\'f8\'b4\'da\lang1033\f2\par..\pard\brdrb\brdrs\brdrw10\brsp20 \nowidctlpar\sb120\sa120\f0\fs20 MICROSOFT WINDOWS \lang1028\f1\'a7\'40\'b7\'7e\'a8\'74\'b2\'ce\'aa\'ba\lang1033\f0 MICROSOFT .NET FRAMEWORK 4\f2\par..\f0 MICROSOFT WINDOWS \lang1028\f1\'a7\'40\'b7\'7e\'a8\'74\'b2\'ce\'aa\'ba\lang1033\f0 MICROSOFT .NET FRAMEWORK 4 \lang1028\f1\'a5\'ce\'a4\'e1\'ba\'dd\'b3\'5d\'a9

C:\81cd3e1c31538730e132\3082\LocalizedData.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	79996
Entropy (8bit):	3.5542515107748844
Encrypted:	false
SSDEEP:	1536:Xo/yYrDKRqvf+ffl0VMf/mfL94T+7j2JoiZq:Xo/yYrDKRqvf+feVMf/mfL94T+7j2Jrq
MD5:	2D54FE70376DB0218E8970B28C1C4518
SHA1:	83EE9AC93142751F23D5BB858F7264E27EA2EAB0
SHA-256:	D17C5B638E2A4D43212D21A2052548C8D4909EB6410E30B8A951A292BCDBBEDD
SHA-512:	20C0FB9A046911BC2D702AB321C3992262AC0F80F33DDDA5EC2CCAFE9EF07611774223369E0DC7CB91C9CDA1CBD65C598A7E1C914D6E6CA4B00205A16411BE30
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.i.n._.O.S._.C.o.m.p.a.t.i.b.i.l.i.t.y._.M.o.d.e.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".E.l. .p.r.o.g.r.a.m.a. .d.e. .i.n.s.t.a.l.a.c.i...n. .n.o. .s.e. .p.u.e.d.e. .e.j.e.c.u.t.a.r. .e.n. .m.o.d.o. .d.e. .c.o.m.p.a.t.i.b.i.l.i.d.a.d... .P.a.r.a. .o.b.t.e.n.e.r. .m...s. .i.n.f.o.r.m.a.c.i...n.,. .v.e.a. .e.l. .&.l.t.;.A. .H.R.E.F.=.&.q.u.o.t.;.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.?.L.i.n.k.I.d.=.1.6.4.1.5.6.&.q.u.o.t.;.&.g.t.;.a.r.c.h.i.v.o. .L...a.m.e.&.l.t.;./.A.&.g.t.;..."./.>..... . . . . . .<.T.e.x.t. .I.

C:\81cd3e1c31538730e132\3082\SetupResources.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18776
Entropy (8bit):	5.182140892959793
Encrypted:	false
SSDEEP:	192:ZikgnUfwVWVCe8b1S2U85ZTYG1lmW+eWaQKPnEtObMacxc8hjXHUz1TrOYL18:Zlv6Lbg2zZTf1lmW+eWaLXci2jXHUx8
MD5:	B057315A8C04DF29B7E4FD2B257B75F4
SHA1:	D674D066DF8D1041599FCBDB3BA113600C67AE93
SHA-256:	51B174AE7EE02D8E84C152D812E35F140A61814F3AECD64E0514C3950060E9FE
SHA-512:	F1CD510182DE7BBF8D45068D1B3F72DE58C7B419EFC9768765DF6C180AB3E2D94F3C058143095A66C05BCB70B589D1A5061E5FEE566282E5DB49FFBDEA3C672F
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........................................................P............@.......................................... .. *...........2..X............................................................................................text...G...........................@..@.rsrc....0... ...,..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\81cd3e1c31538730e132\3082\eula.rtf

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	Rich Text Format data, version 1, ANSI
Category:	dropped
Size (bytes):	3069
Entropy (8bit):	5.138349598257165
Encrypted:	false
SSDEEP:	48:MTN3nfZQZXRFOTfyTZQDeK9xxMFcJ55HsUXHNX/RgMzsrMpDgLmqIy3W0b8EwKg3:MTBfZQZhoTfyTZQDeQxpDHsOH1ZvoMp9
MD5:	D40C65F632063E5CDFEF104E324D0AD4
SHA1:	49FABA625BADF413763BD913EDB62510D3790E98
SHA-256:	AAD96E7F4037E977997C630DEC015ECF09CF73C1F5B73F84944E60B309EAAB66
SHA-512:	6A948FA1602E517021C98861B0DF12FCB707FBBEBF094DDE96D9E60CC7DED30B07C1BF6CA8541117A362B5EB8703D61051CF187083C91076E0AD235CF72B7237
Malicious:	false
Reputation:	unknown
Preview:	{\rtf1\ansi\ansicpg1252\deff0\deflang1033\deflangfe1033{\fonttbl{\f0\fswiss\fprq2\fcharset0 Tahoma;}{\f1\froman\fprq2\fcharset0 Times New Roman;}{\f2\fswiss\fprq2\fcharset0 Trebuchet MS;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Msftedit 5.41.21.2509;}\viewkind4\uc1\pard\nowidctlpar\sb120\sa120\lang3082\b\f0\fs20 T\'c9RMINOS DE LICENCIA COMPLEMENTARIOS DEL SOFTWARE DE MICROSOFT\f1\par..\pard\brdrb\brdrs\brdrw10\brsp20 \nowidctlpar\sb120\sa120\f0 MICROSOFT .NET FRAMEWORK 4 PARA EL SISTEMA OPERATIVO MICROSOFT WINDOWS\f1\par..\f0 MICROSOFT .NET FRAMEWORK 4 CLIENT PROFILE PARA EL SISTEMA OPERATIVO MICROSOFT WINDOWS\par..Y PAQUETES DE IDIOMA ASSOCIADOS\f1\par..\pard\nowidctlpar\sb120\sa120\b0\f0 Microsoft Corporation (o, en funci\'f3n del lugar en el que resida, una de sus filiales) le concede la licencia para este complemento. Si obtiene la licencia para utilizar el sistema operativo Microsoft Windows (al que se aplica este suplemento), en adelante el "software", podr\'e1 usar e

C:\81cd3e1c31538730e132\Client\Parameterinfo.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	201796
Entropy (8bit):	3.4097027044493644
Encrypted:	false
SSDEEP:	384:wYQH0RbAGiYNVrkT+8TodTBltw11VTvcL1wCiUj78leRqmH9Hej2iXWKMNGIe9bs:w2RbYoVQTLTQTDFdPknZ13GpPcbrIl
MD5:	EB9D318BBEA1F384A78EDE1D1051F47D
SHA1:	ECD4391FE00D9BB73964456AF15FCD94DB676CC0
SHA-256:	73B29A019C1821304C65A30F338DB2747B950EBCC0E65C02CFF39A0166316A72
SHA-512:	91716D9A78852DB0ABE526A08C73C8349EEB997AD493A8F5B043E45A4A7AADB15FEBFBBC42641AEEC445BC36B0054A4520E051A0CE4CADD237510033F3A9BCE0
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .S.e.t.u.p.V.e.r.s.i.o.n.=.".1...0.".>..... . .<.U.I. .D.l.l.=.".S.e.t.u.p.U.i...d.l.l.". .N.a.m.e.=.".M.i.c.r.o.s.o.f.t. ...N.E.T. .F.r.a.m.e.w.o.r.k. .4. .C.l.i.e.n.t. .P.r.o.f.i.l.e. .S.e.t.u.p.". .V.e.r.s.i.o.n.=.".4...0...3.0.3.1.9.". ./.>..... . .<.C.o.n.f.i.g.u.r.a.t.i.o.n.>..... . . . .<.D.i.s.a.b.l.e.d.C.o.m.m.a.n.d.L.i.n.e.S.w.i.t.c.h.e.s.>..... . . . . . .<.C.o.m.m.a.n.d.L.i.n.e.S.w.i.t.c.h. .N.a.m.e.=.".c.r.e.a.t.e.l.a.y.o.u.t.". ./.>..... . . . .<./.D.i.s.a.b.l.e.d.C.o.m.m.a.n.d.L.i.n.e.S.w.i.t.c.h.e.s.>..... . . . .<.U.s.e.r.E.x.p.e.r.i.e.n.c.e.D.a.t.a.C.o.l.l.e.c.t.i.o.n. .P.o.l.i.c.y.=.".O.S.C.o.n.t.r.o.l.l.e.d.". ./.>..... . . . .<.B.l.o.c.k.i.n.

C:\81cd3e1c31538730e132\Client\UiInfo.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	39042
Entropy (8bit):	3.1132391675648923
Encrypted:	false
SSDEEP:	768:24URyd5vssgP7ZgZ/vSguJQvFQXvDINJh6F8hZkV1GO0N0phUl9eu+dODOOODOtK:24URyd5vsTPuZXQYQLIN/6F8hZkV1GOv
MD5:	D7A2E90DD9DF6F93FD4B7354F8EC2B0D
SHA1:	A792C41B62796513E312F19DEE91447B9280B23B
SHA-256:	1D1590EB48E66646ED7917A76302862AC87E6651C841A808CF3FE797B9E697F6
SHA-512:	A3431DA5517428B69D4481A98AB6CDA6849F3B1B33DD44CC2EDFD76DDBF51BD2B45B3C4ED21293F7FEE2789281B8CF5120EF83F11F99DE6FC18C0E3FE5D1D9D5
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p.U.I. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p.U.I./.2.0.0.8./.0.1./.i.m.u.i.". .x.m.l.n.s.:.i.m.u.i.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p.U.I./.2.0.0.8./.0.1./.i.m.u.i.". .>..... . .<.U.I.>......... . . . .<.R.e.s.o.u.r.c.e.D.l.l.>.S.e.t.u.p.R.e.s.o.u.r.c.e.s...d.l.l.<./.R.e.s.o.u.r.c.e.D.l.l.>..... . . . .<.!.-.-..... . . . .<.S.p.l.a.s.h.S.c.r.e.e.n.>..... . . . . . .<.H.i.d.e./.>..... . . . .<./.S.p.l.a.s.h.S.c.r.e.e.n.>..... . . . .-.-.>..... . . . .<.S.p.l.a.s.h.S.c.r.e.e.n.>..... . . . . . .<.F.i.l.e.N.a.m.e.>.S.p.l.a.s.h.S.c.r.e.e.n...b.m.p.<./.F.i.l.e.N.a.m.e.>..... . . . .<./.S.p.l.a.s.h.S.c.r.e.e.n.>......... . . . .<.L.C.I.D.H.i.n.t.s.>..... . . . . . .<.L.C.I.D.H.i.n.t.>..... . . . . . . . .<.R.e.g.K.e.y.>.H.K.C.U.\.S.o.f.t.w.a.r.e.\.M.i.c.r.o.s.o.f.t.\.V.i.s.u.a.l.S.t.u.d.i.o.\.9...0.\.G.e.n.e.r.a.l.<./.

C:\81cd3e1c31538730e132\DHtmlHeader.html

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	HTML document, Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	16118
Entropy (8bit):	3.6434775915277604
Encrypted:	false
SSDEEP:	192:7Ddx3KOTczFQ21Kp4n5DTx1iDecPeLHLHQFJFjZWblWUxFzJzcKHjT:fdsOT01KcBUFJFEWUxFzvHH
MD5:	CD131D41791A543CC6F6ED1EA5BD257C
SHA1:	F42A2708A0B42A13530D26515274D1FCDBFE8490
SHA-256:	E139AF8858FE90127095AC1C4685BCD849437EF0DF7C416033554703F5D864BB
SHA-512:	A6EE9AF8F8C2C7ACD58DD3C42B8D70C55202B382FFC5A93772AF7BF7D7740C1162BB6D38A4307B1802294A18EB52032D410E128072AF7D4F9D54F415BE020C9A
Malicious:	false
Reputation:	unknown
Preview:	..<.!.D.O.C.T.Y.P.E. .h.t.m.l. .P.U.B.L.I.C. .".-././.W.3.C././.D.T.D. .X.H.T.M.L. .1...1././.E.N.". .".h.t.t.p.:././.w.w.w...w.3...o.r.g./.T.R./.x.h.t.m.l.1.1./.D.T.D./.x.h.t.m.l.1.1...d.t.d.".>.....<.!.-.-. .T.h.e. .E.x.t.e.n.d.e.d. .C.o.p.y.r.i.g.h.t./.T.r.a.d.e.m.a.r.k. .L.a.n.g.u.a.g.e. .R.e.s.i.d.e.s. .A.t.:. .h.t.t.p.:././.w.w.w...m.i.c.r.o.s.o.f.t...c.o.m./.i.n.f.o./.c.p.y.r.t.I.n.f.r.g...h.t.m. .-.-.>.....<.h.t.m.l. .x.m.l.n.s.=.".h.t.t.p.:././.w.w.w...w.3...o.r.g./.1.9.9.9./.x.h.t.m.l.".>.....<.h.e.a.d.>.......<.m.e.t.a. .h.t.t.p.-.e.q.u.i.v.=.".C.o.n.t.e.n.t.-.T.y.p.e.". .c.o.n.t.e.n.t.=.".t.e.x.t./.h.t.m.l.;. .c.h.a.r.s.e.t.=.u.t.f.-.1.6."./.>.<.b.a.s.e. .t.a.r.g.e.t.=."._.b.l.a.n.k."./.>.......<.s.t.y.l.e. .t.y.p.e.=.".t.e.x.t./.c.s.s.".>.........h.t.m.l.{.o.v.e.r.f.l.o.w.:.s.c.r.o.l.l.}.........b.o.d.y.{.f.o.n.t.-.s.i.z.e.:.1.0.p.t.;.f.o.n.t.-.f.a.m.i.l.y.:.V.e.r.d.a.n.a.;.c.o.l.o.r.:.#.0.0.0.0.0.0.;.b.a.c.k.g.r.o.u.n.d.-.c.o.l.o.r.:.#.F.0.F.0.F.0.}...........h.e.a.d.e.r.

C:\81cd3e1c31538730e132\DisplayIcon.ico

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	MS Windows icon resource - 13 icons, 16x16, 16 colors, 4 bits/pixel, 16x16, 8 bits/pixel
Category:	dropped
Size (bytes):	88533
Entropy (8bit):	7.210526848639953
Encrypted:	false
SSDEEP:	1536:xWayqxMQP8ZOs0JOG58d8vo2zYOvvHAj/4/aXj/Nhhg73BVp5vEdb:e/gB4H8vo2no0/aX7C7Dct
MD5:	F9657D290048E169FFABBBB9C7412BE0
SHA1:	E45531D559C38825FBDE6F25A82A638184130754
SHA-256:	B74AD253B9B8F9FCADE725336509143828EE739CC2B24782BE3ECFF26F229160
SHA-512:	8B93E898148EB8A751BC5E4135EFB36E3AC65AF34EAAC4EA401F1236A2973F003F84B5CFD1BBEE5E43208491AA1B63C428B64E52F7591D79329B474361547268
Malicious:	false
Reputation:	unknown
Preview:	..............(...............h...............h...f... .............. .............. ..........^...00......h....#..00..........n)..00...........8........ .h....T.. .... .....&Y..00.... ..%...i........ ._...v...(....... ....................................................................................................w......x......................x..ww...........h...............................w.....w.x..........x................xwvwg.................................................................(....... ...................................jO:.mS?.qWD.v\I.\|cP..kX..q_..sa..yg..{j...p..nh..pj..uo..\|u..xq..\|r..\|u..rx..zy..\|w.}.y...q...d...y...{......S...]..d..i..r..\|...j..j...y...e...k...l..q...y...~...v...y..s..s..m...m...l...n...k...t...l.............................................................................................................................................................................................

C:\81cd3e1c31538730e132\Extended\Parameterinfo.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	93314
Entropy (8bit):	3.379177079191028
Encrypted:	false
SSDEEP:	384:tYDmmqzP4JUaGMLiqedW0XeeUnG3GPcbrKFl:tRTaBG2PcbrIl
MD5:	4A61E563A344188E3FDEB19C25197710
SHA1:	BDD1E1774DB4CCE9D5393882B61F1360826C1DFA
SHA-256:	7E682BDF51FAC1B3991E6E6330BBF5E7C63060053A8503DAAEA77AB5CD70888A
SHA-512:	F898AC736AC8017624733BBE50C281239BB6F9472B04FB3459C428B22843637AACE99C6A4023ABBB537070F43A0A34FD900D19A4B90C001772C8A67467805801
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .S.e.t.u.p.V.e.r.s.i.o.n.=.".1...0.".>..... . .<.U.I. .D.l.l.=.".S.e.t.u.p.U.i...d.l.l.". .N.a.m.e.=.".M.i.c.r.o.s.o.f.t. ...N.E.T. .F.r.a.m.e.w.o.r.k. .4. .E.x.t.e.n.d.e.d. .S.e.t.u.p.". .V.e.r.s.i.o.n.=.".4...0...3.0.3.1.9.". ./.>..... . .<.C.o.n.f.i.g.u.r.a.t.i.o.n.>..... . . . .<.D.i.s.a.b.l.e.d.C.o.m.m.a.n.d.L.i.n.e.S.w.i.t.c.h.e.s.>..... . . . . . .<.C.o.m.m.a.n.d.L.i.n.e.S.w.i.t.c.h. .N.a.m.e.=.".c.r.e.a.t.e.l.a.y.o.u.t.". ./.>..... . . . .<./.D.i.s.a.b.l.e.d.C.o.m.m.a.n.d.L.i.n.e.S.w.i.t.c.h.e.s.>..... . . . .<.U.s.e.r.E.x.p.e.r.i.e.n.c.e.D.a.t.a.C.o.l.l.e.c.t.i.o.n. .P.o.l.i.c.y.=.".O.S.C.o.n.t.r.o.l.l.e.d.". ./.>..... . . . .<.B.l.o.c.k.i.n.g.M.u.t.e.x.

C:\81cd3e1c31538730e132\Extended\UiInfo.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	39050
Entropy (8bit):	3.114226586013312
Encrypted:	false
SSDEEP:	768:24URsd5vssgP7ZgZ/vSguJQvFQXvDINJh6Fuh3kr1UO0NWpPUb9cu+dOtOcOdOjQ:24URsd5vsTPuZXQYQLIN/6Fuh3kr1UOB
MD5:	EC417B1688CA10739C0737B72BF07431
SHA1:	A1CF21FD2183C1C4E308FB3C6600D5855BDB3E51
SHA-256:	0452A6720E55B9D4E61225BB66016513DDE15CE9CC1FB305FC0037D008476787
SHA-512:	B317C2985FCADC551F28791311966F9FDE1B854144723AFD449BE1280AB6D6D6CBE8D50FB113282C3DDB687BEC3048D7F93F2DD97AA63B596FA6C0C80A46481E
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p.U.I. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p.U.I./.2.0.0.8./.0.1./.i.m.u.i.". .x.m.l.n.s.:.i.m.u.i.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p.U.I./.2.0.0.8./.0.1./.i.m.u.i.". .>..... . .<.U.I.>......... . . . .<.R.e.s.o.u.r.c.e.D.l.l.>.S.e.t.u.p.R.e.s.o.u.r.c.e.s...d.l.l.<./.R.e.s.o.u.r.c.e.D.l.l.>..... . . . .<.!.-.-..... . . . .<.S.p.l.a.s.h.S.c.r.e.e.n.>..... . . . . . .<.H.i.d.e./.>..... . . . .<./.S.p.l.a.s.h.S.c.r.e.e.n.>..... . . . .-.-.>..... . . . .<.S.p.l.a.s.h.S.c.r.e.e.n.>..... . . . . . .<.F.i.l.e.N.a.m.e.>.S.p.l.a.s.h.S.c.r.e.e.n...b.m.p.<./.F.i.l.e.N.a.m.e.>..... . . . .<./.S.p.l.a.s.h.S.c.r.e.e.n.>......... . . . .<.L.C.I.D.H.i.n.t.s.>..... . . . . . .<.L.C.I.D.H.i.n.t.>..... . . . . . . . .<.R.e.g.K.e.y.>.H.K.C.U.\.S.o.f.t.w.a.r.e.\.M.i.c.r.o.s.o.f.t.\.V.i.s.u.a.l.S.t.u.d.i.o.\.9...0.\.G.e.n.e.r.a.l.<./.

C:\81cd3e1c31538730e132\Graphics\Print.ico

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	4.923507556620034
Encrypted:	false
SSDEEP:	24:dOjNyw2aSGZHJi4U7Wf0mDX+QF7s/AemFAh:MjNyw/0NW9DOp/ANC
MD5:	7E55DDC6D611176E697D01C90A1212CF
SHA1:	E2620DA05B8E4E2360DA579A7BE32C1B225DEB1B
SHA-256:	FF542E32330B123486797B410621E19EAFB39DF3997E14701AFA4C22096520ED
SHA-512:	283D381AA396820B7E15768B20099D67688DA1F6315EC9F7938C2FCC3167777502CDED0D1BEDDF015A34CC4E5D045BCB665FFD28BA2FBB6FAF50FDD38B31D16E
Malicious:	false
Reputation:	unknown
Preview:	............ .h.......(....... ..... .....@.........................................................................................t?.fR.\|bN.y_K.v\H.rXD.oUA.kQ=.hN:.eK7.cI5.cI5.cI5i.........th<..z............................................cI5.cI5...................................................qXE.cI5.cI5.......~.............................................}eS.kR>.cI5......................................................q`.w^L.cI5..............................z..~n..sb..jX.{bP.t[H..~m..kY.nT@.......................................................{..wf.zaM.......vO.......................q..r`.}cQ.w]J..lZ.......t.x^J...........}Z..................................z`M........{aM...............0..............................jY.{aO...........................................................x^K.x^Kk.....................................................n\.y_L...........................r...............................y_L.x^K&.........................s.............

C:\81cd3e1c31538730e132\Graphics\Rotate1.ico

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
Category:	dropped
Size (bytes):	894
Entropy (8bit):	2.5118974066097444
Encrypted:	false
SSDEEP:	6:kRKqNllGuv/ll2dL/rK//dlQt0tlWMlMN8Fq/wbD4tNZDlNc367YCm6p+Wvtjlpr:pIGOmDAQt8n+uNbctNZ5w6AsXjKHRp5c
MD5:	26A00597735C5F504CF8B3E7E9A7A4C1
SHA1:	D913CB26128D5CA1E1AC3DAB782DE363C9B89934
SHA-256:	37026C4EA2182D7908B3CF0CEF8A6F72BDDCA5F1CFBC702F35B569AD689CF0AF
SHA-512:	08CEFC5A2B625F261668F70CC9E1536DC4878D332792C751884526E49E7FEE1ECFA6FCCFDDF7BE80910393421CC088C0FD0B0C27C7A7EFF2AE03719E06022FDF
Malicious:	false
Reputation:	unknown
Preview:	..............h.......(....... .......................................................................................................................................................................................t.r........................................p.nn.l\|.z..........................................g.e.......................................................................................P.N..........................................P.OG.FP.O..........................................?.>...................................................................................................+...........................................3.2%.$+...........................................!. ............{.{.............................................................................................~.~..................................G.......................................G..........

C:\81cd3e1c31538730e132\Graphics\Rotate2.ico

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
Category:	dropped
Size (bytes):	894
Entropy (8bit):	2.5178766234336925
Encrypted:	false
SSDEEP:	12:pmZX5+9wQaxWbwW3h/7eHzemn0iLHRp5c:Md5EaxWbh/Cnt4
MD5:	8419CAA81F2377E09B7F2F6218E505AE
SHA1:	2CF5AD8C8DA4F1A38AAB433673F4DDDC7AE380E9
SHA-256:	DB89D8A45C369303C04988322B2774D2C7888DA5250B4DAB2846DEEF58A7DE22
SHA-512:	74E504D2C3A8E82925110B7CFB45FDE8A4E6DF53A188E47CF22D664CBB805EBA749D2DB23456FC43A86E57C810BC3D9166E7C72468FBD736DA6A776F8CA015D1
Malicious:	false
Reputation:	unknown
Preview:	..............h.......(....... ...............................................................................................................................................................................................................................................................................................................................................................................r.p..........................................q.oj.hq.o..........................................b.`...................................................................................................J.I..................\|.\|...y.y...............Q.PC.BF.E..........................................>.=.........".!..........................................2.1".!'.&..........................................".!.....................................G.......................................G..........

C:\81cd3e1c31538730e132\Graphics\Rotate3.ico

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
Category:	dropped
Size (bytes):	894
Entropy (8bit):	2.5189797450574103
Encrypted:	false
SSDEEP:	12:pPrMIMxPWk3AyORrabBQ+gra2/MXWM4xfQHRp5c:1gxPbXlBQ+gr1ffO4
MD5:	924FD539523541D42DAD43290E6C0DB5
SHA1:	19A161531A2C9DBC443B0F41B97CBDE7375B8983
SHA-256:	02A7FE932029C6FA24D1C7CC06D08A27E84F43A0CBC47B7C43CAC59424B3D1F6
SHA-512:	86A4C5D981370EFA20183CC4A52C221467692E91539AC38C8DEF1CC200140F6F3D9412B6E62FAF08CA6668DF401D8B842C61B1F3C2A4C4570F3B2CEC79C9EE8B
Malicious:	false
Reputation:	unknown
Preview:	..............h.......(....... .................................................................................................................................................................................................................................................................................................................................................................................................................z.z...{.{...........................................................................................................................................................s.q..........................................y.wl.jl.j...............3.2#."*.)..................f.d.........E.D.........(.'..............................U.TE.DF.E..........................................E.D.....................................G.......................................G..........

C:\81cd3e1c31538730e132\Graphics\Rotate4.ico

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
Category:	dropped
Size (bytes):	894
Entropy (8bit):	2.5119705312617957
Encrypted:	false
SSDEEP:	6:kRK///FleTxml+SzNaoT9Q0/lHOmMdrYln8OUo/XRWl2XOXFBYpqnHp/p5c:p///FPwxUrMunUofRReFNHRp5c
MD5:	BB55B5086A9DA3097FB216C065D15709
SHA1:	1206C708BD08231961F17DA3D604A8956ADDCCFE
SHA-256:	8D82FF7970C9A67DA8134686560FE3A6C986A160CED9D1CC1392F2BA75C698AB
SHA-512:	DE9226064680DA6696976A4A320E08C41F73D127FBB81BF142048996DF6206DDB1C2FE347C483CC8E0E50A00DAB33DB9261D03F1CD7CA757F5CA7BB84865FCA9
Malicious:	false
Reputation:	unknown
Preview:	..............h.......(....... .............................................................................................................................................................................................................y.y...\|.\|.............................................................................................................................................................................................................................................,.+".!,.+.........................................(.'......................................................................................=.<..........................................S.RC.BG.F.............................j.h.........H.G..............................y.wj.hi.g..........................................j.h.....................................G.......................................G..........

C:\81cd3e1c31538730e132\Graphics\Rotate5.ico

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
Category:	dropped
Size (bytes):	894
Entropy (8bit):	2.5083713071878764
Encrypted:	false
SSDEEP:	6:kRKi+Blqkl/QThulVDYa5a//ItEl/aotzauakg//5aM1lkl05Kaag2/JqnHp/p5c:pXBHehqSayIylrtBg/bk4AgzHRp5c
MD5:	3B4861F93B465D724C60670B64FCCFCF
SHA1:	C672D63C62E00E24FBB40DA96A0CC45B7C5EF7F0
SHA-256:	7237051D9AF5DB972A1FECF0B35CD8E9021471740782B0DBF60D3801DC9F5F75
SHA-512:	2E798B0C9E80F639571525F39C2F50838D5244EEDA29B18A1FAE6C15D939D5C8CD29F6785D234B54BDA843A645D1A95C7339707991A81946B51F7E8D5ED40D2C
Malicious:	false
Reputation:	unknown
Preview:	..............h.......(....... .................................................................................................{.{...~.~.......................................................................................}.}.........................................................).(#."2.1..........................................).(...................................................................................................=.<..........................................N.ME.DN.M..........................................M.L.......................................................................................e.c..........................................z.xl.jm.k........................................r.p........................................................................................................................G.......................................G..........

C:\81cd3e1c31538730e132\Graphics\Rotate6.ico

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
Category:	dropped
Size (bytes):	894
Entropy (8bit):	2.5043420982993396
Encrypted:	false
SSDEEP:	12:pjs+/hlRwx5REHevtOkslTaGWOpRFkpRHkCHRp5c:tZ/u+HeilBh/F+Rd4
MD5:	70006BF18A39D258012875AEFB92A3D1
SHA1:	B47788F3F8C5C305982EB1D0E91C675EE02C7BEB
SHA-256:	19ABCEDF93D790E19FB3379CB3B46371D3CBFF48FE7E63F4FDCC2AC23A9943E4
SHA-512:	97FDBDD6EFADBFB08161D8546299952470228A042BD2090CD49896BC31CCB7C73DAB8F9DE50CDAF6459F7F5C14206AF7B90016DEEB1220943D61C7324541FE2C
Malicious:	false
Reputation:	unknown
Preview:	..............h.......(....... .................................................................................................... ............................................$.$ ..0./...........................{.{............ ...........<.;..........................................C.BA.@O.N...............{.{...~.~..................G.F..................................................................................................._.]..........................................n.lg.en.l..........................................p.n...............................................................................................................................................................................................................................................................................................................G.......................................G..........

C:\81cd3e1c31538730e132\Graphics\Rotate7.ico

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
Category:	dropped
Size (bytes):	894
Entropy (8bit):	2.4948009720290445
Encrypted:	false
SSDEEP:	6:kRKIekllisUriJ2IP+eX8iDml8mS8+hlxllwqlllkg2klHYdpqnHp/p5c:p8os0iieX8iNVHX//x2sHYdoHRp5c
MD5:	FB4DFEBE83F554FAF1A5CEC033A804D9
SHA1:	6C9E509A5D1D1B8D495BBC8F57387E1E7E193333
SHA-256:	4F46A9896DE23A92D2B5F963BCFB3237C3E85DA05B8F7660641B3D1D5AFAAE6F
SHA-512:	3CAEB21177685B9054B64DEC997371C4193458FF8607BCE67E4FBE72C4AF0E6808D344DD0D59D3D0F5CE00E4C2B8A4FFCA0F7D9352B0014B9259D76D7F03D404
Malicious:	false
Reputation:	unknown
Preview:	..............h.......(....... ....................................................................................................G.F..........................................H.GG.FX.V..............................).(.........G.F.........i.g..................+.*%.$5.4...............n.ln.l{.y.................. .......................u.s............................................................................................................................................................~.~...~.~.................................................................................................................................................................................................................................................................................................................................................G.......................................G..........

C:\81cd3e1c31538730e132\Graphics\Rotate8.ico

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
Category:	dropped
Size (bytes):	894
Entropy (8bit):	2.513882730304912
Encrypted:	false
SSDEEP:	12:pPv1OuTerb53mpOBfXjQuZfKWpIXE1D6HRp5c:91OEerb53eUQsflpIP4
MD5:	D1C53003264DCE4EFFAF462C807E2D96
SHA1:	92562AD5876A5D0CB35E2D6736B635CB5F5A91D9
SHA-256:	5FB03593071A99C7B3803FE8424520B8B548B031D02F2A86E8F5412AC519723C
SHA-512:	C34F8C05A50DC0DE644D1F9D97696CDB0A1961C7C7E412EB3DF2FD57BBD34199CF802962CA6A4B5445A317D9C7875E86E8E62F6C1DF8CC3415AFC0BD26E285BD
Malicious:	false
Reputation:	unknown
Preview:	..............h.......(....... ....................................................................................................g.e..........................................g.eg.ew.u..............................F.E.........g.e..............................E.DA.@P.O..........................................:.9......................................................................................&.%.........................................+.* ..+.*..................................................................................................................................................{.{.......................................................................................~.~...{.{..............................................................................................................................................G.......................................G..........

C:\81cd3e1c31538730e132\Graphics\Save.ico

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	4.824239610266714
Encrypted:	false
SSDEEP:	24:Br5ckw0Pce/WPv42lPpJ2/BatY9Y4ollEKeKzn:h6kPccWPQS2UtEYFEKeu
MD5:	7D62E82D960A938C98DA02B1D5201BD5
SHA1:	194E96B0440BF8631887E5E9D3CC485F8E90FBF5
SHA-256:	AE041C8764F56FD89277B34982145D16FC59A4754D261C861B19371C3271C6E5
SHA-512:	AB06B2605F0C1F6B71EF69563C0C977D06C6EA84D58EF7F2BAECBA566D6037D1458C2B58E6BFD70DDEF47DCCBDEA6D9C2F2E46DEA67EA9E92457F754D7042F67
Malicious:	false
Reputation:	unknown
Preview:	............ .h.......(....... ..... .....@........................................................................................klT.de..UV..RS..OP..MM..JJ..GG..DD..AA.x;<.x;<.r99.n67..........kl......D$.G2!...............VMH..>3..=6..91.r99..........op.........q[K.G<4..xh...........s..A5..B<..=5.x;<..........uv...........q[K.....G<4..........tg..KC..ID..B<.}>>..........{\|.............q[K.q[K.q[K.q[K.vbR.}j[..VT..OL..ID..AA...............................yz..qr..kl..]\..VT..PL..DD.....................c`..^V..XK..R?..M4..G(..A...;...]\..VT..GG................fg.................................;...]\..JJ................mn..................................A...gg..MM................vw..................................G(..qr..OP..................................................M4..yz..RS..................................................R?.g33..UV....................................................XK..XY..XY..................................

C:\81cd3e1c31538730e132\Graphics\Setup.ico

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	MS Windows icon resource - 12 icons, 16x16, 16 colors, 4 bits/pixel, 16x16, 8 bits/pixel
Category:	dropped
Size (bytes):	36710
Entropy (8bit):	5.3785085024370805
Encrypted:	false
SSDEEP:	384:IXcWz9GU46B4riEzg8CKcqxkk63gBh6wSphnBcI/ObMFp2rOebgcjTQcho:IMWQ2Bf8qqxMQP8pc4XessTJo
MD5:	3D25D679E0FF0B8C94273DCD8B07049D
SHA1:	A517FC5E96BC68A02A44093673EE7E076AD57308
SHA-256:	288E9AD8F0201E45BC187839F15ACA79D6B9F76A7D3C9274C80F5D4A4C219C0F
SHA-512:	3BDE668004CA7E28390862D0AE9903C756C16255BDBB3F7E73A5B093CE6A57A3165D6797B0A643B254493149231ACA7F7F03E0AF15A0CBE28AFF02F0071EC255
Malicious:	false
Reputation:	unknown
Preview:	..............(...............h...............h...V... .............. .............. ..........N...00......h...."..00..........^)..00...........8........ .h....T.. .... ......Y..00.... ..%...i..(....... ....................................................................................................w......x......................x..ww...........h...............................w.....w.x..........x................xwvwg.................................................................(....... ...................................jO:.mS?.qWD.v\I.\|cP..kX..q_..sa..yg..{j...p..nh..pj..uo..\|u..xq..\|r..\|u..rx..zy..\|w.}.y...q...d...y...{......S...]..d..i..r..\|...j..j...y...e...k...l..q...y...~...v...y..s..s..m...m...l...n...k...t...l..........................................................................................................................................................................................................

C:\81cd3e1c31538730e132\Graphics\SysReqMet.ico

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	5.038533294442847
Encrypted:	false
SSDEEP:	24:MuoBP5lj49s9NRDe4LakKcTM8cv99uGzMN:MlFH3/Ri4LaN3q
MD5:	661CBD315E9B23BA1CA19EDAB978F478
SHA1:	605685C25D486C89F872296583E1DC2F20465A2B
SHA-256:	8BFC77C6D0F27F3D0625A884E0714698ACC0094A92ADCB6DE46990735AE8F14D
SHA-512:	802CC019F07FD3B78FCEFDC8404B3BEB5D17BFC31BDED90D42325A138762CC9F9EBFD1B170EC4BBCCCF9B99773BD6C8916F2C799C54B22FF6D5EDD9F388A67C6
Malicious:	false
Reputation:	unknown
Preview:	............ .h.......(....... ..... .....@..........................................M...........S...........................................q.......................z...................................;........q.c.P.K.\|.}............C....................................;.!......................................................Ry,.*w..!.............-.........................................6b..8v................ .+.@............#....................4u..;a..............H.<.........=.C.............................&y..x.e.................$}......................................<.).........\.A............}..................................[.R.}.n.Z.C.y.Y.k.L............. q..............................t.s............r...k.........]{G..............................................y.`.z.h.a.N.e.P...............................................~.q._.J...............................8....................t.p..................?..................................................

C:\81cd3e1c31538730e132\Graphics\SysReqNotMet.ico

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	5.854644771288791
Encrypted:	false
SSDEEP:	24:u2iVNINssNQhYMEyfCHWZZ7rTRrbWjcyuE:uDW871fdZ1lbWjME
MD5:	EE2C05CC9D14C29F586D40EB90C610A9
SHA1:	E571D82E81BD61B8FE4C9ECD08869A07918AC00B
SHA-256:	3C9C71950857DDB82BAAB83ED70C496DEE8F20F3BC3216583DC1DDDA68AEFC73
SHA-512:	0F38FE9C97F2518186D5147D2C4A786B352FCECA234410A94CC9D120974FC4BE873E39956E10374DA6E8E546AEA5689E7FA0BEED025687547C430E6CEFFABFFB
Malicious:	false
Reputation:	unknown
Preview:	............ .h.......(....... ..... .....@....................................../..F..........!....n....d..................................;.............,+..AB..UV..XZ...1.....S......................U.....................EE..\[..rr......NP.....^..............<s.....................!.$)..AC..jj..ww..{{..57.....4........01.................H..........N?8;..[[..ba..`_..TU....L.......bj]^..QP.........:..........)N#&..>=..GG..HI..IJ..EE..!#......24..mm..hh..,.............+N........)(..-.....{-...-,........ SPS..zy..qr....qq......0NCE..33..%%........ZJ...."$..0/../1....?qRU............W}..)A]^..rr..qq..Y[...._z........CE..RQ..AC....8`79.........SU..ab......\|\|..ef....ey...........QZ[..ZZ..=?.....(...d....................pr.....H............IK..jj..fg..,..........]_..................[y.......(..:VQS..{z..ut..ab....'H...........?................\|\|..ef..jk..................$%d....................W....................................*,n.............................HI......................WY

C:\81cd3e1c31538730e132\Graphics\stop.ico

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	MS Windows icon resource - 6 icons, 32x32, 16 colors, 4 bits/pixel, 16x16, 16 colors, 4 bits/pixel
Category:	dropped
Size (bytes):	10134
Entropy (8bit):	6.016582854640062
Encrypted:	false
SSDEEP:	96:uC1kqWje1S/f1AXa0w+2ZM4xD02EuZkULqcA0zjrpthQ2Ngms9+LmODclhpjdfLt:JkqAFqroMS9lD9Ngr9+m7bxpXHT5ToYR
MD5:	5DFA8D3ABCF4962D9EC41CFC7C0F75E3
SHA1:	4196B0878C6C66B6FA260AB765A0E79F7AEC0D24
SHA-256:	B499E1B21091B539D4906E45B6FDF490D5445256B72871AECE2F5B2562C11793
SHA-512:	69A13D4348384F134BA93C9A846C6760B342E3A7A2E9DF9C7062088105AC0B77B8A524F179EFB1724C0CE168E01BA8BB46F2D6FAE39CABE32CAB9A34FC293E4A
Malicious:	false
Reputation:	unknown
Preview:	...... ..........f...........(...N... ..........v...........h....... .... ............... .h....#..(... ...@......................................................................................................wwx...........w....w.........x....x.........x.y.......................p..............x.........q.......p.........q.................xy...........q.......................p.............y..................x.y..............y.y.............yyy.........S........x..........yy.............x.yyyx......................Q.8.........x..............y....qy.p...y.....x.....p........y....9.....y....yy..yx.......y..yyyw..p.....y.yyyyy................x.p........y.yy..........x...x............x.................wwx.....................?...................................................................................................?............(....... ..................................................................................................ww.....w..........xx..x........x....p........xy

C:\81cd3e1c31538730e132\Graphics\warn.ico

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	MS Windows icon resource - 6 icons, 32x32, 16 colors, 4 bits/pixel, 16x16, 16 colors, 4 bits/pixel
Category:	dropped
Size (bytes):	10134
Entropy (8bit):	4.3821301214809045
Encrypted:	false
SSDEEP:	192:USAk9ODMuYKFfmiMyT4dvsZQl+g8DnPUmXtDV3EgTtc:r9wM7pyEBlcgssmXpVUgJc
MD5:	B2B1D79591FCA103959806A4BF27D036
SHA1:	481FD13A0B58299C41B3E705CB085C533038CAF5
SHA-256:	FE4D06C318701BF0842D4B87D1BAD284C553BAF7A40987A7451338099D840A11
SHA-512:	5FE232415A39E0055ABB5250B120CCDCD565AB102AA602A3083D4A4705AC6775D45E1EF0C2B787B3252232E9D4673FC3A77AAB19EC79A3FF8B13C4D7094530D2
Malicious:	false
Reputation:	unknown
Preview:	...... ..........f...........(...N... ..........v...........h....... .... ............... .h....#..(... ...@................................................................................................................................................................wwwww.....wwww...................3333333333338...{....3s.....x...{....0G;.............0.;...7.........33....8.....{...33..............0....7...............8.......{....;.............0.;.............0...8...........4...............wu;.............ww;.............ww;?...........;ww;.............7w................................8.............{...................................................................................................................................................................?...?..................................................?...?.........(....... ........................................................................................................333333;...............8.........;........

C:\81cd3e1c31538730e132\ParameterInfo.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	272046
Entropy (8bit):	3.4004643852090877
Encrypted:	false
SSDEEP:	384:EYSROAGiYNVrkT+8TodTBltw11VTvcL1wCiUj78leRqmH9Hej2iXWKYP4JUaGMLi:EFROYoVQTLTQTDFdhaaot6PcbrIl
MD5:	7213DA83E0F0B8AE4FEA44AE1CB7F62B
SHA1:	F2E3FCC77A1AD4D042253BD2E0010BCB40B68ED3
SHA-256:	59E67E4FB46E5490EEE63D8B725324F1372720ADE7345C74C6138C4A76EA73D9
SHA-512:	86186AB0F2CB38E520DD1284042ECED157F96874846EB9061BE9CF56B84A1CAB5901A4879E105A8B04B336BBC43B03F4BDF198D43AF868BE188602347DB829E0
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .S.e.t.u.p.V.e.r.s.i.o.n.=.".1...0.".>..... . .<.U.I. .D.l.l.=.".S.e.t.u.p.U.i...d.l.l.". .N.a.m.e.=.".M.i.c.r.o.s.o.f.t. ...N.E.T. .F.r.a.m.e.w.o.r.k. .4. .S.e.t.u.p.". .V.e.r.s.i.o.n.=.".4...0...3.0.3.1.9.". ./.>..... . .<.C.o.n.f.i.g.u.r.a.t.i.o.n.>..... . . . .<.D.i.s.a.b.l.e.d.C.o.m.m.a.n.d.L.i.n.e.S.w.i.t.c.h.e.s.>..... . . . . . .<.C.o.m.m.a.n.d.L.i.n.e.S.w.i.t.c.h. .N.a.m.e.=.".c.r.e.a.t.e.l.a.y.o.u.t.". ./.>..... . . . .<./.D.i.s.a.b.l.e.d.C.o.m.m.a.n.d.L.i.n.e.S.w.i.t.c.h.e.s.>..... . . . .<.U.s.e.r.E.x.p.e.r.i.e.n.c.e.D.a.t.a.C.o.l.l.e.c.t.i.o.n. .P.o.l.i.c.y.=.".O.S.C.o.n.t.r.o.l.l.e.d.". ./.>..... . . . .<.B.l.o.c.k.i.n.g.M.u.t.e.x. .N.a.m.e.=.".N.e.

C:\81cd3e1c31538730e132\RGB9RAST_x64.msi

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.2, MSI Installer, Code page: 1252, Create Time/Date: Fri Jul 30 09:00:00 1999, Name of Creating Application: Windows Installer, Title: RGB9Rast Installation Database, Subject: Recommended Sequence Tables for Windows Installer 1.1, Author: Microsoft Corporation, Comments: Note that actions in the UI sequence tables that end in "Dialog" are authored dialogs and not stardard actions., Last Saved By: paulble, Revision Number: {03C9DE4B-2618-4EDA-9C8B-8CD66AC8C15B}, Last Saved Time/Date: Fri Jan 13 19:09:38 2006, Number of Pages: 200, Number of Words: 0, Security: 0, Template: AMD64;1033
Category:	dropped
Size (bytes):	184832
Entropy (8bit):	7.87268869519203
Encrypted:	false
SSDEEP:	3072:SMZbdgC73Q5H0Un0li+G9A7Kve3Hg5BszizUVQzB7m09g47aEqPNWZKq5uXp0:SMddgq38l1A7Km3Hg5CzizuE99gVEqi0
MD5:	4C424650C4187ADDA4C24F946099B437
SHA1:	56BAC80D1384204A270CBEC915222B0D9F590C93
SHA-256:	9B4C00CA561FF1DEBA57C34FEF5C8610708E78774C2207411C593109C046FB3F
SHA-512:	0C5239E5D6F8F42E21904E199EE6409B0B40FFC74034B82F6B69CCCE24962B95BAE1B1E5591AEFC8C3CDC0AB6B43CD470B9BF90C8D227EB0AA2943DFE6E3D64F
Malicious:	false
Reputation:	unknown
Preview:	......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\81cd3e1c31538730e132\RGB9Rast_x86.msi

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, MSI Installer, Code page: 1252, Create Time/Date: Fri Jul 30 09:00:00 1999, Name of Creating Application: Windows Installer, Title: RGB9Rast Installation Database, Subject: Recommended Sequence Tables for Windows Installer 1.1, Author: Microsoft Corporation, Comments: Note that actions in the UI sequence tables that end in "Dialog" are authored dialogs and not stardard actions., Template: Intel;, Last Saved By: paulble, Revision Number: {03C9DE4B-2618-4EDA-9C8B-8CD66AC8C15B}, Last Saved Time/Date: Fri Jan 13 19:09:38 2006, Number of Pages: 200, Number of Words: 0, Security: 0
Category:	dropped
Size (bytes):	94720
Entropy (8bit):	7.682694326916969
Encrypted:	false
SSDEEP:	1536:upZdWM41picgCjX3QAoHwDHL0fWi0lrmsIjyG9heHApNR3YHaeAHaeee:ugZbdgC73Q5H0Un0li+G9AsxqQ
MD5:	674353068D0290B0884B35B3B925DFE2
SHA1:	8226215B301026BCDCD2E7038D8E090E81DAA18E
SHA-256:	62F384BF20E669180CBB45EFC0E9E3EE59FE18E58DE75DEB8FDCFD3DD9AC7073
SHA-512:	402ED710E941DF0E4BFD39FBA8F39BB4475E047243BE508A4C831CA171D2F21ADFE85BB847A827CE4B27E43E47AA2FA4DF9A53398DD1C97DB17636E740C38F59
Malicious:	false
Reputation:	unknown
Preview:	......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\81cd3e1c31538730e132\Setup.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	78152
Entropy (8bit):	6.011592088917562
Encrypted:	false
SSDEEP:	1536:sYNItbBL5NWiiESc0exWZnqxMQP8ZOs0JD9rHUq:sYNAB9NWTZctc/gBJ9oq
MD5:	006F8A615020A4A17F5E63801485DF46
SHA1:	78C82A80EBF9C8BF0C996DD8BC26087679F77FEA
SHA-256:	D273460AA4D42F0B5764383E2AB852AB9AF6FECB3ED866F1783869F2F155D8BE
SHA-512:	C603ED6F3611EB7049A43A190ED223445A9F7BD5651100A825917198B50C70011E950FA968D3019439AFA0A416752517B1C181EE9445E02DA3904F4E4B73CE76
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;.................j.}.....].v.....h.w.....\.H...v.e.\|.......B.....h.~.....Y.\|.....].~.....m.~.....l.~.....k.~...Rich............PE..L......K.........."......f...........+............@..........................P............@...... ..................pu..x...Tp..<.......................H....@...... ................................(..@............................................text....e.......f.................. ..`.data................j..............@....rsrc................v..............@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................

C:\81cd3e1c31538730e132\SetupEngine.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	807256
Entropy (8bit):	6.357664904941565
Encrypted:	false
SSDEEP:	24576:GS62nlYAqK/AitUgiuVQk/oifPNJIkjbSTzR8NmsBJj:GS62nlYAltBjPNJIkHST18QsBJ
MD5:	84C1DAF5F30FF99895ECAB3A55354BCF
SHA1:	7E25BA36BCC7DEED89F3C9568016DDB3156C9C5A
SHA-256:	7A0D281FA802D615EA1207BD2E9EBB98F3B74F9833BBA3CB964BA7C7E0FB67FD
SHA-512:	E4FB7E4D39F094463FDCDC4895AB2EA500EB51A32B6909CEC80A526BBF34D5C0EB98F47EE256C0F0865BF3169374937F047BF5C4D6762779C8CA3332B4103BE3
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................&......&.......R.....z.....O.....{......B...........O.....~.....J.....K.....L....Rich...........................PE..L......K.........."!................Y...............................................;.....@.....................................h....................:..X...............................................@............................................text............................... ..`.data...8...........................@....rsrc................f..............@..@.reloc...............p..............@..B........................................................................................................................................................................................................................................................................................................................

C:\81cd3e1c31538730e132\SetupUi.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	295248
Entropy (8bit):	6.262127887617593
Encrypted:	false
SSDEEP:	3072:/LTVUK59JN+C0iy4Ww8oBcPFIOrvHvr8QDZHAAKWiIHT6llN1QkvQZaiionv5y/y:HOoMFrz8ygAKWiiIyKf73w
MD5:	EB881E3DDDC84B20BD92ABCEC444455F
SHA1:	E2C32B1C86D4F70E39DE65E9EBC4F361B24FF4A1
SHA-256:	11565D97287C01D22AD2E46C78D8A822FA3E6524561D4C02DFC87E8D346C44E7
SHA-512:	5750CEC73B36A3F19BFB055F880F3B6498A7AE589017333F6272D26F1C72C6F475A3308826268A098372BBB096B43FBD1E06E93EECC0A81046668228BC179A75
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............I...I...I..bI...I..WI...I..cI..I..ZI...I...IG..I..WI...I..fI...I..RI...I..SI...I..TI...IRich...I................PE..L......K.........."!................................................................yq....@..........................................P...............j..P....`..0?..................................`z..@............................................text............................... ..`.data....Q.......4..................@....rsrc........P......................@..@.reloc...T...`...V..................@..B........................................................................................................................................................................................................................................................................................................................................................

C:\81cd3e1c31538730e132\SetupUi.xsd

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	30120
Entropy (8bit):	4.990211039591874
Encrypted:	false
SSDEEP:	768:hlzLm8eYhsPs05F8/ET/chT+cxcW8G2P4oeTMC:1wchT+cxcDm
MD5:	2FADD9E618EFF8175F2A6E8B95C0CACC
SHA1:	9AB1710A217D15B192188B19467932D947B0A4F8
SHA-256:	222211E8F512EDF97D78BC93E1F271C922D5E91FA899E092B4A096776A704093
SHA-512:	A3A934A8572FF9208D38CF381649BD83DE227C44B735489FD2A9DC5A636EAD9BB62459C9460EE53F61F0587A494877CD3A3C2611997BE563F3137F8236FFC4CA
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="utf-8"?>..<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema".. xmlns="http://schemas.microsoft.com/SetupUI/2008/01/imui".. xmlns:imui="http://schemas.microsoft.com/SetupUI/2008/01/imui".. targetNamespace="http://schemas.microsoft.com/SetupUI/2008/01/imui".. elementFormDefault="qualified"..attributeFormDefault="unqualified"..>.... <xs:annotation>.. <xs:documentation>.. Copyright (c) Microsoft Corporation. All rights reserved... Schema for describing DevDiv "Setup UI Info".. </xs:documentation>.. </xs:annotation>.... <xs:element name="SetupUI">.. <xs:annotation>.. <xs:documentation>specifies UI dll, and lists of MSIs MSPs and EXEs</xs:documentation>.. </xs:annotation>.. <xs:complexType>.. <xs:sequence>.. <xs:choice>.. <xs:element ref="UI" minOccurs="1" maxOccurs="1"></xs:element>.. <xs:element ref="Strings" minOccurs="1" maxOccurs="1"></xs:element>..

C:\81cd3e1c31538730e132\SetupUtility.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	96088
Entropy (8bit):	6.292361456158864
Encrypted:	false
SSDEEP:	1536:L+59IKI1N74oszIepIJqwlAno0dwRXPuY6zcVcE7OgkT9vs6M4raUZrH9rHUA:L+59hI1NktIemJllRXGYRKEaVM4raUZh
MD5:	8DFBB95989AF28058C7431704CE7CD66
SHA1:	78A5927D6B65D177F537FC671ED6BE4A77F20353
SHA-256:	589B4F04ED38A35D29C4A16FCCB489C3FBA6505F5DA399C1A2AF0CA966486059
SHA-512:	51FFB1B20006BB1C2F396C84EF19D7D47AD421D0A3196919B4ABC26405326BF15DDB989EDF815CBEDEEA8DEDC0454C0CC22A3987492E9BC1646A42A31151E1AF
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ux`.1...1...1...8a..0...^o......^o..!...^o..@...8a..:...1...T...Vo..0...Vo..;...Vo..0...Vo..0...Vo..0...Vo..0...Rich1...........................PE..L......K.........."......0...L.......^.......@....@..................................u....@...... ..................`>.......5..x....p...............`..X............................................K..@...............\|............................text............0.................. ..`.data........@.......4..............@....rsrc........p.......D..............@..@.reloc..f............H..............@..B................................................................................................................................................................................................................................................................................................................................

C:\81cd3e1c31538730e132\SplashScreen.bmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	PC bitmap, Windows 3.x format, 200 x 200 x 8
Category:	dropped
Size (bytes):	41080
Entropy (8bit):	6.9955557349183595
Encrypted:	false
SSDEEP:	384:G1o2kgxmJGEsU3pP28+Qq1ms68/tUqHUlHGwM7bwv3ETbFrS:kkpoapTbimsqHGI
MD5:	0966FCD5A4AB0DDF71F46C01EFF3CDD5
SHA1:	8F4554F079EDAD23BCD1096E6501A61CF1F8EC34
SHA-256:	31C13ECFC0EB27F34036FB65CC0E735CD444EEC75376EEA2642F926AC162DCB3
SHA-512:	A9E70A2FB5A9899ACF086474D71D0E180E2234C40E68BCADB9BF4FE145774680CB55584B39FE53CC75DE445C6BF5741FC9B15B18385CBBE20FC595FE0FF86FCE
Malicious:	false
Reputation:	unknown
Preview:	BMx.......6...(...................B.......................{7...>...h?..D...N...K..........xE..._#..q..T...X...Q...[..._...c...j....>.!....f...v...r...."..v....0....... ..........4..I.........[...}..............j.............................................................................................................i......................@>1.......................................................o...u...u...z...z...~............................................................................................................................................................................{...~.................................................................................................................yw`......................................................................................................................................................//'...........................................

C:\81cd3e1c31538730e132\Strings.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	14084
Entropy (8bit):	3.701412990655975
Encrypted:	false
SSDEEP:	384:VqZo71GHY3vqaqMnYfHHVXIHjfBHwnwXCa+F:VqB
MD5:	8A28B474F4849BEE7354BA4C74087CEA
SHA1:	C17514DFC33DD14F57FF8660EB7B75AF9B2B37B0
SHA-256:	2A7A44FB25476886617A1EC294A20A37552FD0824907F5284FADE3E496ED609B
SHA-512:	A7927700D8050623BC5C761B215A97534C2C260FCAB68469B7A61C85E2DFF22ED9CF57E7CB5A6C8886422ABE7AC89B5C71E569741DB74DAA2DCB4152F14C2369
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p.U.I. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p.U.I./.2.0.0.8./.0.1./.i.m.u.i.". ..... . . . . . . . . .x.m.l.n.s.:.i.m.u.i.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p.U.I./.2.0.0.8./.0.1./.i.m.u.i.". .>..... . .<.S.t.r.i.n.g.s.>..... . . . .<.!.-.-. .R.e.f.l.e.c.t.i.v.e. .p.r.o.p.e.r.t.y. .p.a.g.e. .-.-.>..... . . . .<.I.D.S._.I.S._.R.E.A.L.L.Y._.C.A.N.C.E.L.>.#.(.l.o.c...i.d.s._.i.s._.r.e.a.l.l.y._.c.a.n.c.e.l.).<./.I.D.S._.I.S._.R.E.A.L.L.Y._.C.A.N.C.E.L.>......... . . . .<.!.-.-. .S.y.s.t.e.m. .R.e.q.u.i.r.e.m.e.n.t.s. .p.a.g.e. .-.-.>..... . . . .<.S.Y.S.R.E.Q.P.A.G.E._.R.E.Q.U.I.R.E.D._.A.N.D._.A.V.A.I.L.A.B.L.E._.D.I.S.K._.S.P.A.C.E.>.#.(.l.o.c...s.y.s.r.e.q.p.a.g.e._.r.e.q.u.i.r.e.d._.a.n.d._.a.v.a.i.l.a.b.l.e._.d.i.s.k._.s.p.a.c.e.).<./.S.Y.S.R.E.Q.P.A.G.E._.R.E.Q.U.I.R.E.D._.A.N.D._.A.V.A.I.L.A.B.L.E._.D.I.S.K._.S.

C:\81cd3e1c31538730e132\UiInfo.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	38898
Entropy (8bit):	3.1042370213993578
Encrypted:	false
SSDEEP:	768:24UR0d5vssgP7ZgZ/vSguJQvFQXvDINJh6Fmhvk71sO0Nep3UL9Eu+dOtOcOdOjY:24UR0d5vsTPuZXQYQLIN/6Fmhvk71sOR
MD5:	8B8B0A935DC591799A0C6D52FDC33460
SHA1:	CE2748BD469AAD6E90B06D98531084D00611FB89
SHA-256:	57A9CCB84CAE42E0D8D1A29CFE170AC3F27BDCAE829D979CDDFD5E757519B159
SHA-512:	93009B3045939B65A0C1D25E30A07A772BD73DDA518529462F9CE1227A311A4D6FD7595F10B4255CC0B352E09C02026E89300A641492F14DF908AD256A3C9D76
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p.U.I. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p.U.I./.2.0.0.8./.0.1./.i.m.u.i.". .x.m.l.n.s.:.i.m.u.i.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p.U.I./.2.0.0.8./.0.1./.i.m.u.i.". .>..... . .<.U.I.>......... . . . .<.R.e.s.o.u.r.c.e.D.l.l.>.S.e.t.u.p.R.e.s.o.u.r.c.e.s...d.l.l.<./.R.e.s.o.u.r.c.e.D.l.l.>..... . . . .<.!.-.-..... . . . .<.S.p.l.a.s.h.S.c.r.e.e.n.>..... . . . . . .<.H.i.d.e./.>..... . . . .<./.S.p.l.a.s.h.S.c.r.e.e.n.>..... . . . .-.-.>..... . . . .<.S.p.l.a.s.h.S.c.r.e.e.n.>..... . . . . . .<.F.i.l.e.N.a.m.e.>.S.p.l.a.s.h.S.c.r.e.e.n...b.m.p.<./.F.i.l.e.N.a.m.e.>..... . . . .<./.S.p.l.a.s.h.S.c.r.e.e.n.>......... . . . .<.L.C.I.D.H.i.n.t.s.>..... . . . . . .<.L.C.I.D.H.i.n.t.>..... . . . . . . . .<.R.e.g.K.e.y.>.H.K.C.U.\.S.o.f.t.w.a.r.e.\.M.i.c.r.o.s.o.f.t.\.V.i.s.u.a.l.S.t.u.d.i.o.\.9...0.\.G.e.n.e.r.a.l.<./.

C:\81cd3e1c31538730e132\Windows6.0-KB956250-v6001-x64.msu

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	Microsoft Cabinet archive data, 5192107 bytes, 2 files
Category:	dropped
Size (bytes):	5198099
Entropy (8bit):	6.736010382988102
Encrypted:	false
SSDEEP:	98304:huEAUjX57BkOKxUKnat45mFe4H5+Ju4JKUYc93iKlOKJhln:F3ZBkOK2Knq45mY4H5OMKkKzln
MD5:	0008DCAB034696F6DEAFAA9D4CAE3AB0
SHA1:	6C0E146B93468AB0819C696F3A668EFA4AFA4A0B
SHA-256:	454DC7A6D227D10729C08F33AF2E0A6B2D31933A7D684A6C0811753B6E292D46
SHA-512:	BEA86BC7ACEC85D5214EBB74B5281FFB762A331D7575FD9CBF6BD1760FACB6DC84DEFB5F7519BF34E20CAEF1DDCF58ACCDF5624CF86D29977C9EF4AFEEA4545A
Malicious:	false
Reputation:	unknown
Preview:	MSCF.....9O.....D............................9O.h...................&.L.......r<.Z .Windows6.0-KB956250-x64.cab..t..&.L...r<.[ .WSUSSCAN.cab.07......MSCF.....L.....D...........$................L.`...........J.......@.........h;A^ .amd64_microsoft-windows-n..-deployment-netfx20_31bf3856ad364e35_6.1.6001.18242_none_9a9688d69ecbe764.manifest.n...@.....h;A^ .amd64_microsoft-windows-n..4-shared-deployment_31bf3856ad364e35_6.1.6001.18242_none_61e0e2c7e840a2a4.manifest...........h;A^ .amd64_microsoft-windows-n..loyment-netfx30-wpf_31bf3856ad364e35_6.1.6001.18242_none_a6a0652ef5fe7831.manifest..G..[.....h;E^ .amd64_netfx-dfshim_dll_31bf3856ad364e35_6.1.6001.18242_none_9ca423e8b4415204.manifest..%..B`....h;E^ .amd64_netfx-fw_netfxperf_dll_31bf3856ad364e35_6.1.6001.18242_none_b8b7d5fad28075e7.manifest..........h;E^ .amd64_netfx-mscorees_dll_31bf3856ad364e35_6.1.6001.18242_none_3d7db7b9e274d6c8.manifest..r........h;E^ .amd64_netfx-mscoree_dll_31bf3856ad364e35_6.1.6001.18242_none_d984299dad710f

C:\81cd3e1c31538730e132\Windows6.0-KB956250-v6001-x86.msu

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	Microsoft Cabinet archive data, 2186680 bytes, 2 files
Category:	dropped
Size (bytes):	2192672
Entropy (8bit):	6.9829541702941835
Encrypted:	false
SSDEEP:	49152:d7Ti7TD7TH784x7Tb7T6YV4YaG7T2DumT1r7AdXZy9KU2KUYxs35DKZ3OIKxWh0h:2V4YakTo1PAdXZzKUYxs3pKZnKxfem
MD5:	6A73CEBEB4D84811550327DAE08CF8BF
SHA1:	84BD7293DA81E71EAB10110B0C25BFDE4E9467DC
SHA-256:	5AC30D2F8B1A478DF43CDB8982D316127ABD69830B6E8C1C268A817F9DC6E750
SHA-512:	E81DDEDCD216384361C2120B480389AC66FC60DEBACF81E7CDA3AC366264B61D81B1D1189FB5E81946F4CB5972A19873EE8CC8BE916C8828D6D313A73D7894AB
Malicious:	false
Reputation:	unknown
Preview:	MSCF.....]!.....D............................]!.h...............C.............r<.P .Windows6.0-KB956250-x86.cab.Lt........r<OQ .WSUSSCAN.cab...44....MSCF....g.......D...........................g...`...............>....1........h;.] .update.cat......1....h;.] .update.mum.4....A....h;.] .x86_microsoft-windows-n..-deployment-netfx20_31bf3856ad364e35_6.1.6001.18242_none_3e77ed52e66e762e.manifest......J....h;.] .x86_microsoft-windows-n..4-shared-deployment_31bf3856ad364e35_6.1.6001.18242_none_05c247442fe3316e.manifest.....`P....h;.] .x86_microsoft-windows-n..loyment-netfx30-wpf_31bf3856ad364e35_6.1.6001.18242_none_4a81c9ab3da106fb.manifest..G...W....h;.] .x86_netfx-dfshim_dll_31bf3856ad364e35_6.1.6001.18242_none_40858864fbe3e0ce.manifest..%.......h;.] .x86_netfx-fw_netfxperf_dll_31bf3856ad364e35_6.1.6001.18242_none_5c993a771a2304b1.manifest...........h;.] .x86_netfx-mscorees_dll_31bf3856ad364e35_6.1.6001.18242_none_e15f1c362a176592.manifest..r..<.....h;.] .x86_netfx-mscoree_dll_31bf3856ad3

C:\81cd3e1c31538730e132\Windows6.1-KB958488-v6001-x64.msu

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	Microsoft Cabinet archive data, 5085798 bytes, 4 files
Category:	dropped
Size (bytes):	5091790
Entropy (8bit):	6.7130741075427345
Encrypted:	false
SSDEEP:	98304:MQf0pKy/aBHTKYzKXH54UuFe1kBpHua/KUKcs3DKVDK6rCZ:57BBHTK8KXZ4UuY1kB1iKFKma
MD5:	843E85AE98FDE6E76A3DC9228058C44F
SHA1:	A137E4F328F01146DFA75D7B5A576090DEE948DC
SHA-256:	A5F4243CE8B07C9222284FD8FF6F7E742D934C57C89DE9CAB5D88C74402264E3
SHA-512:	A08B4F8E5A83D16B1DBD20EE18EABE88481CB43E5AA6E0080EC11B25938E99C1DBC3283D708EE15511168BD31B4FE5594DFE87881879007609317FB905183D87
Malicious:	false
Reputation:	unknown
Preview:	MSCF....f.M.....D...........................f.M.h...................m.........<<.} .Windows6.1-KB958488-x64-pkgProperties.txt...K.m.....r<.b .Windows6.1-KB958488-x64.cab..... .K...<<.} .Windows6.1-KB958488-x64.xml..s... K...r<.b .WSUSSCAN.cab.\..D....Applies to="Windows 6.1"..Build Date="2010/1/28"..Company="Microsoft Corporation"..File Version="1"..Installation Type="FULL"..Installer Engine="WUSA.EXE"..Installer Version="N/A"..KB Article Number="958488"..Language="ALL"..Package Type="Update"..Processor Architecture="amd64"..Product Name="Windows 6.1"..Support Link="http://support.microsoft.com?kbid=958488"..MSCF....S.K.....D...........%...............S.K.`................... .........<<Y. .amd64_microsoft-windows-n..-deployment-netfx20_31bf3856ad364e35_6.2.7600.16513_none_9adfccf5ffc9e41e.manifest.N... .....<<Y. .amd64_microsoft-windows-n..4-shared-deployment_31bf3856ad364e35_6.2.7600.16513_none_622a26e7493e9f5e.manifest.....n.....<<Y. .amd64_microsoft-windows-n..loyment-netfx30-wpf_3

C:\81cd3e1c31538730e132\Windows6.1-KB958488-v6001-x86.msu

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	Microsoft Cabinet archive data, 2135441 bytes, 4 files
Category:	dropped
Size (bytes):	2141433
Entropy (8bit):	6.966562890391342
Encrypted:	false
SSDEEP:	49152:Z7uUU7N37NM7u6/7uUj7uU6cP4UJ6EeaDuv7GuMRau8yuXQFKUYcs3HVKf3rhKzl:zP4UJneDGnRau84KUYcs31KfFKzdN5
MD5:	7550EE95E70E80800E394ED45BC7053C
SHA1:	C4F8FCA1279B823894CA6B19A05F420DA26979FA
SHA-256:	08A66C14B8E42EDC4CA72EDC28C9323FF3B23E18C83A8F9D3DD7F08D4D908ED7
SHA-512:	BF778DCD71DD9A97406B6EE1626269AF8CEFB531814A3303DDFA1B3651F00AC2B2B7F283E6470863FEE670E8819A24616A931B21F2CDE377A226620DB8897CE7
Malicious:	false
Reputation:	unknown
Preview:	MSCF...... .....D............................. .h...............B...k.........<<o} .Windows6.1-KB958488-x86-pkgProperties.txt..%..k.....r<.` .Windows6.1-KB958488-x86.cab.....-'....<<o} .Windows6.1-KB958488-x86.xml..i...)....r<Z` .WSUSSCAN.cab........Applies to="Windows 6.1"..Build Date="2010/1/28"..Company="Microsoft Corporation"..File Version="1"..Installation Type="FULL"..Installer Engine="WUSA.EXE"..Installer Version="N/A"..KB Article Number="958488"..Language="ALL"..Package Type="Update"..Processor Architecture="x86"..Product Name="Windows 6.1"..Support Link="http://support.microsoft.com?kbid=958488"..MSCF....b.......D...........................b...`...........6...=....;........<<. .update.cat......;....<<. .update.mum......A....<<. .x86_microsoft-windows-n..-deployment-netfx20_31bf3856ad364e35_6.2.7600.16513_none_3ec13172476c72e8.manifest.r....J....<<. .x86_microsoft-windows-n..4-shared-deployment_31bf3856ad364e35_6.2.7600.16513_none_060b8b6390e12e28.manifest.....RP....<<. .

C:\81cd3e1c31538730e132\header.bmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	PC bitmap, Windows 3.x format, 49 x 49 x 8
Category:	dropped
Size (bytes):	3628
Entropy (8bit):	4.8382652865388724
Encrypted:	false
SSDEEP:	48:f0sO8Kdwc6o5NF5ghwwpnMOccFpscGqfkemvIQpQK/xHiggTfGRgVC0q:cMa1krnrJmdQ+EgyfG3
MD5:	514BFCD8DA66722A9639EB41ED3988B7
SHA1:	CF11618E3A3C790CD5239EE749A5AE513B4205CD
SHA-256:	6B8201ED10CE18FFADE072B77C6D1FCACCF1D29ACB47D86F553D9BEEBD991290
SHA-512:	89F01C3361BA874015325007EA24E83AE6E73700996D0912695A4E7CB3F8A611494BA9D63F004DCD4F358821E756BE114BCF0137ED9B130776A6E26A95382C7B
Malicious:	false
Reputation:	unknown
Preview:	BM,.......6...(...1...1................................iI.\|4..{3...8...:...qI..oH..hH......8...9...<...A...>..}<...@...F...C..t:...A...D...qG..C...E..m:...L...K...H...G...L...N..yB...L..........N...S...Z...S..vC...J...U......V...S...R...Y...V...Y...Y...M...Z...h...x8..\|<...i......]...\...Y...]...V...^...^...e...c...o...l...c...a..._..._...b...X...j...^...d...k...j...q...u...p...x+..p.....h...g...d...j...b...u...u...n...t...t...s...m...r...u...s...{"...4...i..r...m...m...w...u...q...t...}...K...N..U..l..........r.......x...{....!...#...)..@..N..V...............$...#...'...,..4..5..:..C..T..u......................... ...'...*..,.....<..B..V..\..e..p..............)..,..2..4..5..9..<..<..R..\..d...y........................................................ ..)..3..8..:..B..L..O..n......................................................4..^....................O...b...\|.........................................................

C:\81cd3e1c31538730e132\netfx_Core.mzz

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	Microsoft Cabinet archive data, 181477643 bytes, 539 files
Category:	dropped
Size (bytes):	181483595
Entropy (8bit):	6.302023019513652
Encrypted:	false
SSDEEP:	3145728:50cvEXiCiitmPnUxMYaPxmnjl4L4JeF3Y0WkSEo:iX
MD5:	78A7BE275E1C86E5847B36F3E6858F16
SHA1:	6D770AA288E426B706191BF8DC6882F0407FBACA
SHA-256:	2DB8044459098D36A812B3C333B406DE4A30FD3C8BD11D789F534741F36B5E43
SHA-512:	BF9689BD89C9C93A2ED220325FBCC27DAA5CAB8223A67590AED747602B6476A035A35077EF346D39A744C53460E2DB9F0048196AC489FF3B4659537069D6184A
Malicious:	false
Reputation:	unknown
Preview:	MSCF.....!...................................!..@............a......w................~......\|.......P.......w...............J........}...............a.......d.......+.......3.......Y'......\'......g)......j).....Y}+.......+.....b.+.......-......32.....8Q2......]8.....<.;.....dd9.......:.C...d.\......-\.2...[.t......,..............Cx..........2...z.......1...^...?3.......................t..............h............... {..............ye......Y.'......~2.......5.......9......6F.......G.....u.M......"W......................r......................;.F......I......!L.....{oS.....#gV..............s...............e......................c4..............<.......................Td.......$.......J......,o...............^..............D...................}...V.H.....V[R......"S.....9gS...... U......&].%...Awo......Tq.-..........AC..............y..........)....v......A<......._...............y..............).......................v...............H......q... ....J........6.....i.6.....A.<.....y...

C:\81cd3e1c31538730e132\netfx_Core_x64.msi

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft .NET Framework 4 Client Profile, Author: Microsoft Corporation, Keywords: Install,MSI,Framework, Comments: Microsoft .NET Framework 4 Client Profile; Copyright (C) Microsoft Corporation, All rights reserved., Template: x64;0, Revision Number: {12051853-CF96-4588-AED7-926AA73006BF}, Create Time/Date: Thu Mar 18 21:29:46 2010, Last Saved Time/Date: Thu Mar 18 21:29:46 2010, Number of Pages: 300, Name of Creating Application: Windows Installer XML (3.5.0626.0), Security: 0, Number of Words: 0
Category:	dropped
Size (bytes):	1901056
Entropy (8bit):	6.461226431661216
Encrypted:	false
SSDEEP:	24576:f/zZ6tsNrQpc+BQbPyxbs4rONSnfiPBC6xahsovoMfjhOGxZWxw0:V6tuQpcxisfQf2M6FGoML
MD5:	7FA435DC3ED0B5C0D95456C32D775F1A
SHA1:	CE9CC73365C768727523F91272A2164E55E8D0BF
SHA-256:	2B7A95AFFB391D6197BFC394C6E559488DCB9D4C34012C029D830FAE6F11E516
SHA-512:	9D5293048A5CA7787C42198596E6FC6EA9AA1136A33666D53B3A767A795704E626DFC8D338E51574AC4AA64D1B78B975B6313BCE95840DFEC650BEDB6907D403
Malicious:	false
Reputation:	unknown
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................:...............................!................................................................................... ...!.......#...$...%...&...'...0...)...*...+...,...-......./..."...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\81cd3e1c31538730e132\netfx_Core_x86.msi

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft .NET Framework 4 Client Profile, Author: Microsoft Corporation, Keywords: Install,MSI,Framework, Comments: Microsoft .NET Framework 4 Client Profile; Copyright (C) Microsoft Corporation, All rights reserved., Template: Intel;0, Revision Number: {F3592794-C7C9-495D-8985-EDD0D19ECD10}, Create Time/Date: Thu Mar 18 20:19:02 2010, Last Saved Time/Date: Thu Mar 18 20:19:02 2010, Number of Pages: 300, Name of Creating Application: Windows Installer XML (3.5.0626.0), Security: 0, Number of Words: 0
Category:	dropped
Size (bytes):	1163264
Entropy (8bit):	6.501190522452734
Encrypted:	false
SSDEEP:	24576:Df6szx1u6dsNbQXcUwabPx9bswH/fd6pxr:DfhzxI6d+QXcWDsK1
MD5:	50D6022791EFDE93CAFD864014DED84C
SHA1:	A0A84AD332A9AB217E94089038A9544B4F53878B
SHA-256:	BC7B6B32157ED65023BB251E177F78480490EC1FA53EB54EC4441E8A44F33F36
SHA-512:	B64D32C6E36F0F5EEA35F4EC1FA8F6EF873E5BFCE849358725E9704BEFAC369C8D1B06374E6E56E6EBD81CDF4D812A47899CCA2CBA79542805CFA6B3CE1ACAF7
Malicious:	false
Reputation:	unknown
Preview:	......................>...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................1.......(...!..."...#...$...%...&...'.......)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\81cd3e1c31538730e132\netfx_Extended.mzz

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	Microsoft Cabinet archive data, 43125631 bytes, 590 files
Category:	dropped
Size (bytes):	43131591
Entropy (8bit):	5.929087637532983
Encrypted:	false
SSDEEP:	393216:/XL2q6NTwgZNtNr2OmDQva6gcYQqWZYsp4Ut6:/buZNtB2OgQvafvF
MD5:	D8F8D21682DBF213F370839EE5721E22
SHA1:	CC64364CE73A1DFCCB18C106AD7E4FDB09BFF7E3
SHA-256:	DF57836EE8D6762A4C95E00823A0D635E8B4048A0C2A3BD7C3F047DC57921CA0
SHA-512:	516546FE22EAC972875E7D5044B53E52334EA7F9AF66B6863D6803D955807BAE8D81A8AF83F63A4D18D3F1F3AA6FD41717FD9DBCA769AED4DAED077C81CC750D
Malicious:	false
Reputation:	unknown
Preview:	MSCF............,...........N...................H............n..4....U......xW......................9.......................Z.......@+...............<......9B...............b......=5 ......9!.....7T!......./.-.....F.....K.F.......G......eO.....z.O......O......O.....s.O.......O......HZ.....z.\.......\.......\.....Q.\.....\.\.......].......].....3#]......C].....#D]....../^.....Fc^.....[n^.....`.^.......^......^......._.......`.......`.......`.......`......$`.......a.......a.....!.a.....j#b.....>0b......yc.....7.c.......c.....W.c.....#.c......-j......1j......Gj.....xPj.....jxj......xj......yj.....szj......{j.....L.j.......j.....9.j.......j......j.....D.j.....^.j.......j.......j.......j.......t.......t.......t.......u.....6.u.......v.....S=w.......w.......x.......x.....B.y.......y.......y.......z......4z.....qbz.....K~z.......z.......z.....v.z.......z.......{.....^!{......v{.....{.{.....t.{.......{.......{.......{.....w.\|.....\*\|......3}.)....x.......`......D...!....D......l..........

C:\81cd3e1c31538730e132\netfx_Extended_x64.msi

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft .NET Framework 4 Extended, Author: Microsoft Corporation, Keywords: Install,MSI,Framework, Comments: Microsoft .NET Framework 4 Extended; Copyright (C) Microsoft Corporation, All rights reserved., Template: x64;0, Revision Number: {276A40EA-DCA8-426C-883E-A50A46E70736}, Create Time/Date: Fri Mar 19 00:23:04 2010, Last Saved Time/Date: Fri Mar 19 00:23:04 2010, Number of Pages: 300, Name of Creating Application: Windows Installer XML (3.5.0626.0), Security: 0, Number of Words: 0
Category:	dropped
Size (bytes):	872448
Entropy (8bit):	6.345407948123054
Encrypted:	false
SSDEEP:	24576:E/J96doNrQlcqGRpOQSpKiPBD6txBkkkkk5SV:W6dKQlc4Fc216XmS
MD5:	EADB43461CA9172AAA530AEC509C4082
SHA1:	7C9B9BC04F814E0FE113A4376B8DFA56B407FC5C
SHA-256:	070CEA34E4D275393DB78AB7683819DA98F59911B6436CC1DA34F50A37E610C8
SHA-512:	EC21D0D6D5B7E5C9ABB5F3EFF1E35A3D36A3F0A6D2D3AFB474BB1CCE37AAB8DFD2D7469A7E25E6229A9572F680AB34375F30F12A59986EA15B2F209C6840F4E0
Malicious:	false
Reputation:	unknown
Preview:	......................>...............................................................................................z.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................V...........=.......................&....... ...!..."...#...$...%.......'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\81cd3e1c31538730e132\netfx_Extended_x86.msi

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft .NET Framework 4 Extended, Author: Microsoft Corporation, Keywords: Install,MSI,Framework, Comments: Microsoft .NET Framework 4 Extended; Copyright (C) Microsoft Corporation, All rights reserved., Template: Intel;0, Revision Number: {6049F8E7-4CD1-48EC-92A9-039B68CD82B3}, Create Time/Date: Thu Mar 18 23:47:22 2010, Last Saved Time/Date: Thu Mar 18 23:47:22 2010, Number of Pages: 300, Name of Creating Application: Windows Installer XML (3.5.0626.0), Security: 0, Number of Words: 0
Category:	dropped
Size (bytes):	495616
Entropy (8bit):	6.419160692432259
Encrypted:	false
SSDEEP:	6144:DRHfepsrxRrGh/JD6sAOiOk05c+Q+OjUIsLQUIcFxZSBVv+lYjsm6FBQ0ssT5H:dHfepsrx1GX6sEsNz7QXcFxZ+VhjEr
MD5:	A9EB4FCEFB05A5054009919042482AEC
SHA1:	B220E5406668F958D19CCCC52B0E66E66BD18F7C
SHA-256:	AFF90540E38BA99EFC5CA086F84C9F3C54754D5C6C2AC0F953D7316FAE59432D
SHA-512:	6D0FF3236FD487EB20A16581874A9043F1B8E8912F87C987DFA33A041BB04288D067C1787606950AD9A2900005E122F22F7693DD4761B3FFC1B8F10BF27839B2
Malicious:	false
Reputation:	unknown
Preview:	......................>..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................."....................... ...!.......#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\81cd3e1c31538730e132\sqmapi.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	144416
Entropy (8bit):	6.7404750879679485
Encrypted:	false
SSDEEP:	3072:uochw/MFWrJjKOMxRSepuBaqn/NlnBh2Lx0JVzx1wWobn1ek8F7HncO5hK9YSHlN:zDFB47UhXBh2yJ5HcOSSSHZqG
MD5:	3F0363B40376047EFF6A9B97D633B750
SHA1:	4EAF6650ECA5CE931EE771181B04263C536A948B
SHA-256:	BD6395A58F55A8B1F4063E813CE7438F695B9B086BB965D8AC44E7A97D35A93C
SHA-512:	537BE86E2F171E0B2B9F462AC7F62C4342BEB5D00B68451228F28677D26A525014758672466AD15ED1FD073BE38142DAE478DF67718908EAE9E6266359E1F9E8
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................................................................Rich...................PE..L....IE...........!.........$.....................l.........................@......R.....@.........................D.......$...d....................... (... ......P...8............................\..@.......t.......D............................text............................... ..`.data...............................@....rsrc...............................@..@.reloc....... ......................@..Ba.IE8....IEC....IEP....IEZ.....IEe....IEP...........msvcrt.dll.ADVAPI32.dll.ntdll.DLL.USER32.dll.KERNEL32.dll...............................................................................................................................................................................................................................................

C:\81cd3e1c31538730e132\watermark.bmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	PC bitmap, Windows 3.x format, 164 x 628 x 8
Category:	dropped
Size (bytes):	104072
Entropy (8bit):	7.2628723112196
Encrypted:	false
SSDEEP:	768:QKUpOeBmAj72KbvEvffvCv7cTIMUHuRzHA8X9H51T9ho4xw7CgB1:QKULmAfbvEv47cIHzE9vo4SuU1
MD5:	B0075CEE80173D764C0237E840BA5879
SHA1:	B4CF45CD5BB036F4F210DFCBA6AC16665A7C56A8
SHA-256:	AB18374B3AAB10E5979E080D0410579F9771DB888BA1B80A5D81BA8896E2D33A
SHA-512:	71A748C82CC8B0B42EF5A823BAC4819D290DA2EDDBB042646682BCCC7EB7AB320AFDCFDFE08B1D9EEBE149792B1259982E619F8E33845E33EEC808C546E5C829
Malicious:	false
Reputation:	unknown
Preview:	BM........6...(.......t...........R...................};.......F.......T...c....H..b...t...m...z...d...a..._...f...f....&..x...j...w...o...k...r....+..........\|...u...\|...q...v...w...\|...2..~...z.......x...........{.................................................................... ...#..:..P..e................................#..#..&..(..+..+..-........EDA................$..,../..4..2..6..;...........................$..'..,..0..:..?..E......................6..5..>...D...I...K...Q...j...................=...D...L...P...U...V...\...r.....................Y...\...`...d...b...f...j...l...{..................................`...g...o...u...\|....................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\dd_dotNetFx40_Full_x86_x64_decompression_log.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1262
Entropy (8bit):	5.302760843969488
Encrypted:	false
SSDEEP:	24:dYrtDYqzcYKB01Y9kjwYSztjqYFJYssYsvNYeLK4FqyYBjHIWtcYljHTYRsYc8YQ:GrtEqzfA9SjSztpFysvsv2T4YVIWdpUH
MD5:	A48D38FBBD66C108C8E499615E459863
SHA1:	660627F5D1324494227A488889A2777E6F8E64D9
SHA-256:	8B9868080215EE5A1CD59FD40DD1E47550ED4EEA46FEE4D4AE1412CEAC4E70CB
SHA-512:	F744A4377CFD993481E6006BD80C0C65DE864A0ABA722915C91DD1D2673E2F39C0A17B110577B24EA42A284464049F87C536106E4E389F53F4145C6EF963CD04
Malicious:	false
Reputation:	unknown
Preview:	[5/30/2022, 13:50:38] === Logging started: 2022/05/30 13:50:38 ===..[5/30/2022, 13:50:38] Executable: C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe v4.0.30319.1..[5/30/2022, 13:50:38] --- logging level: standard ---..[5/30/2022, 13:50:38] Successfully bound to the ClusApi.dll..[5/30/2022, 13:50:38] Error 0x800706d9: Failed to open the current cluster..[5/30/2022, 13:50:38] Cluster drive map: ''..[5/30/2022, 13:50:38] Considering drive: 'C:\'.....[5/30/2022, 13:50:38] Considering drive: 'D:\'.....[5/30/2022, 13:50:38] Drive 'D:\' is rejected because of the unknown or unsuitable drive type..[5/30/2022, 13:50:38] Drive 'C:\' has been selected as the largest fixed drive..[5/30/2022, 13:50:38] Directory 'C:\81cd3e1c31538730e132\' has been selected for file extraction..[5/30/2022, 13:50:38] Extracting files to: C:\81cd3e1c31538730e132\..[5/30/2022, 13:51:50] Extraction too

C:\Users\user\AppData\Local\Temp\skinfe75.rra

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	25855
Entropy (8bit):	4.807413943854186
Encrypted:	false
SSDEEP:	192:Rp4NNm9MNfLrOlB2MzFwFeSAWak8VeuGPy4fcPB3jhe7fnoJgX7I7N:Rp4NNm+NA
MD5:	0BC4BD285FE6296C6B8797063742D87F
SHA1:	720FD2AB84E76C157F35814DF428ACC1028E2E4D
SHA-256:	90F8E356B05163FA68E4103B94A21D65BA6C72951ADEE8C5B12FC8490FE2565D
SHA-512:	51F0A1EC10996EF8DA3496FE743AB22ABB1E9B9B15C36FDACB08F26DA69DD5E930592F51C75CE6F3CEA9E1861C9DA2D81BF5438CD4854EEBFFDB92A3834F1B54
Malicious:	false
Reputation:	unknown
Preview:	[SKINS]..VERSION=1....[ALL]..TEXTCOLOR=255,255,255..RECTS=2..RECT1=0,51,102..RECT1POS=0,0..RECT1AREA=460,35..RECT2=61,102,171..RECT2POS=0,35..RECT2AREA=460,280..IMAGES=3..IMAGE1=LeftSplash2.BMP..IMAGE1POS=0,35..IMAGE1OPT=SCALE,UPPER_LEFT..IMAGE2=TopDivider.gif..IMAGE2POS=0,35..IMAGE2OPT=SCALE,HCENTER,UPPER_LEFT..IMAGE3=Console2.gif..IMAGE3POS=0,0..IMAGE3OPT=SCALE,LOWER_LEFT..BUTTONSUP=ButtonNormal.gif..BUTTONSDOWN=ButtonPushed.gif..BUTTONSOPT=SCALE,TRANSPARENT..BUTTONSTXTCLR=0,0,0..BUTTONSDISTXTCLR=96,104,112..BUTTONS=4..BUTTON1=12..BUTTON1POS=195,284..BUTTON2=1..BUTTON2POS=250,284..BUTTON3=9..BUTTON3POS=400,284..BUTTON4=2..BUTTON4POS=400,284....[AskPath]..BUTTONS=4..BUTTON1=12..BUTTON1POS=195,284..BUTTON2=1..BUTTON2POS=250,284..BUTTON3=9..BUTTON3POS=400,284..BUTTON4=31..BUTTON4POS=390,112....[AskDestPath]..BUTTONS=4..BUTTON1=12..BUTTON1POS=195,284..BUTTON2=1..BUTTON2POS=250,284..BUTTON3=9..BUTTON3POS=400,284..BUTTON4=196..BUTTON4POS=390,231....[ComponentDialog]..BUTTONS=4..BUTTON1=12.

C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\0x0404.ini

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	10670
Entropy (8bit):	5.78485884894983
Encrypted:	false
SSDEEP:	192:N2wEq5DSXJmoJcQoDyNtkob5zaG/NFroVVV3d9S7efd19+o:5v5DSIoDFFsHV3dIodv+o
MD5:	EC1F8F71FA21C49BC96A17C81AD51598
SHA1:	5750F674B4DE76D708DD1178265E280D515D8774
SHA-256:	60F176F3014342F48468FF7EA67280FA3A671C4721EBEFE7B4EE789FF65C87DF
SHA-512:	AC939507581988B4A4816BFD27FEE8BC4794743D7251138B08DA3F76268EC5B8F869FC7E2B52C6DD8BDB777BB07A95D3AD4375A38208E1CBD9EB4338AA194562
Malicious:	false
Reputation:	unknown
Preview:	..[.P.r.o.p.e.r.t.i.e.s.].....F.o.n.t.N.a.m.e.=.0}.f.....F.o.n.t.S.i.z.e.=.9.........[.0.x.0.4.0.4.].....1.1.0.0.=..[..z._w..Y/.......1.1.0.1.=.%.s.....1.1.0.2.=.%.1. ..[..z._ck(W.n.P .%.2....[.\._.\.`.[.biR...v.[.N..z.0..z.P.0....1.1.0.3.=.ck(W.j.g\Omi.\|q}Hr,g....1.1.0.4.=.ck(W.j.g .W.i.n.d.o.w.s.(.R.). .i.n.s.t.a.l.l.e.r. .Hr,g....1.1.0.5.=.ck(W-..[ .W.i.n.d.o.w.s. .i.n.s.t.a.l.l.e.r.....1.1.0.6.=.ck(W-..[ .%.s.....1.1.0.7.=..[..z._.](W.`.v.\|q}-N.[.b.N .W.i.n.d.o.w.s. .i.n.s.t.a.l.l.e.r. ..v-..[.0 .......e_U.R.\|q}.N.O\|~.~.[..0 ...c.N.N.0..e_U.R.0.O..e_U.R.\|q}.0....1.1.0.8.=.%.s.....1.1.2.5.=.x..d.[.........1.1.2.6.=.._.N.Nx...-Nx..ddk.[..z._.v.....0....1.1.2.7.=..[..z._._....e_U.R.\|q}Mb...[.b-..[ .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. ..g.R.0.c.N.N.0/f.0.c...zsS..e_U.R...Y.g.`.N._..e_U.R..GR.c.N.N.0&T.0.0....1.1.2.8.=.dk.[..z._.\.WL. .'.%.s.'. .GS.}.0/f&T..\|~.~......1.1.2.9.=.dk_j.].[....eHr,g.v .'.%.s.'..0.[.!q.l\|~.~.0....1.1.3.0.=..x.[....1.1.3.1.=..S.m....1.1.3.2.

C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\0x0407.ini

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	25860
Entropy (8bit):	3.5091459120889494
Encrypted:	false
SSDEEP:	768:2LNV1dYKJpgAbtaPZuQ2g2HhmDqtnLOW8oXxN1HYLifZThxfrkTI0n497:2z1djJpgAb0RuQ2g2HhmDU
MD5:	9A62DA6C523506355C1BF1B30DB73EDD
SHA1:	EE83114A7D4B995DD4AD7D1781ED66C4727CC121
SHA-256:	8B5D7BC395D0D6980299702D0573C6019FEFEA92EB98701D1894A5623B2691A0
SHA-512:	BE026517CEA5613D834337D83324C383F40B449DD92F338D612048C424AB8BD88C17F766C7D1629A2205A8A068F6DCBA1CE3536438018562490EBD7001EFBEE5
Malicious:	false
Reputation:	unknown
Preview:	..[.0.x.0.4.0.7.].....1.1.0.0.=.S.e.t.u.p.-.I.n.i.t.i.a.l.i.s.i.e.r.u.n.g.s.f.e.h.l.e.r.....1.1.0.1.=.%.s.....1.1.0.2.=.%.1. .S.e.t.u.p. .b.e.r.e.i.t.e.t. .d.e.n. .%.2. .v.o.r.,. .d.e.r. .S.i.e. .d.u.r.c.h. .d.e.n. .S.e.t.u.p.-.V.o.r.g.a.n.g. .l.e.i.t.e.n. .w.i.r.d... .B.i.t.t.e. .w.a.r.t.e.n.......1.1.0.3.=...b.e.r.p.r...f.e.n. .d.e.r. .B.e.t.r.i.e.b.s.s.y.s.t.e.m.v.e.r.s.i.o.n.....1.1.0.4.=...b.e.r.p.r...f.e.n. .d.e.r. .V.e.r.s.i.o.n. .v.o.n. .W.i.n.d.o.w.s.(.R.). .I.n.s.t.a.l.l.e.r.....1.1.0.5.=.K.o.n.f.i.g.u.r.i.e.r.e.n. .v.o.n. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r.....1.1.0.6.=.K.o.n.f.i.g.u.r.i.e.r.e.n. .v.o.n. .%.s.....1.1.0.7.=.S.e.t.u.p. .h.a.t. .d.i.e. .K.o.n.f.i.g.u.r.a.t.i.o.n. .v.o.n. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. .a.u.f. .I.h.r.e.m. .C.o.m.p.u.t.e.r. .a.b.g.e.s.c.h.l.o.s.s.e.n... .U.m. .m.i.t. .d.e.r. .I.n.s.t.a.l.l.a.t.i.o.n. .f.o.r.t.z.u.f.a.h.r.e.n. .m.u... .d.a.s. .S.y.s.t.e.m. .n.e.u. .g.e.s.t.a.r.t.e.t. .w.e.r.d.e.n... .W...h.l.e.n. .S.i.e. .N.e.u.s.t.a.r.t.e.n.

C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\0x0409.ini

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	22492
Entropy (8bit):	3.484893836872466
Encrypted:	false
SSDEEP:	384:CTmyuV//BiTbh/G4AwC2WrP2DBWa/Oa0Mhs+XVgv:CT6V//BiXh/z/lWr0aa0Mhs+XVgv
MD5:	BE345D0260AE12C5F2F337B17E07C217
SHA1:	0976BA0982FE34F1C35A0974F6178E15C238ED7B
SHA-256:	E994689A13B9448C074F9B471EDEEC9B524890A0D82925E98AB90B658016D8F3
SHA-512:	77040DBEE29BE6B136A83B9E444D8B4F71FF739F7157E451778FB4FCCB939A67FF881A70483DE16BCB6AE1FEA64A89E00711A33EC26F4D3EEA8E16C9E9553EFF
Malicious:	false
Reputation:	unknown
Preview:	..[.0.x.0.4.0.9.].....1.1.0.0.=.S.e.t.u.p. .I.n.i.t.i.a.l.i.z.a.t.i.o.n. .E.r.r.o.r.....1.1.0.1.=.%.s.....1.1.0.2.=.%.1. .S.e.t.u.p. .i.s. .p.r.e.p.a.r.i.n.g. .t.h.e. .%.2.,. .w.h.i.c.h. .w.i.l.l. .g.u.i.d.e. .y.o.u. .t.h.r.o.u.g.h. .t.h.e. .p.r.o.g.r.a.m. .s.e.t.u.p. .p.r.o.c.e.s.s... . .P.l.e.a.s.e. .w.a.i.t.......1.1.0.3.=.C.h.e.c.k.i.n.g. .O.p.e.r.a.t.i.n.g. .S.y.s.t.e.m. .V.e.r.s.i.o.n.....1.1.0.4.=.C.h.e.c.k.i.n.g. .W.i.n.d.o.w.s.(.R.). .I.n.s.t.a.l.l.e.r. .V.e.r.s.i.o.n.....1.1.0.5.=.C.o.n.f.i.g.u.r.i.n.g. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r.....1.1.0.6.=.C.o.n.f.i.g.u.r.i.n.g. .%.s.....1.1.0.7.=.S.e.t.u.p. .h.a.s. .c.o.m.p.l.e.t.e.d. .c.o.n.f.i.g.u.r.i.n.g. .t.h.e. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. .o.n. .y.o.u.r. .s.y.s.t.e.m... .T.h.e. .s.y.s.t.e.m. .n.e.e.d.s. .t.o. .b.e. .r.e.s.t.a.r.t.e.d. .i.n. .o.r.d.e.r. .t.o. .c.o.n.t.i.n.u.e. .w.i.t.h. .t.h.e. .i.n.s.t.a.l.l.a.t.i.o.n... .P.l.e.a.s.e. .c.l.i.c.k. .R.e.s.t.a.r.t. .t.o. .r.e.b.o.o.t. .t.h.e. .s.y.s.t.e.m.......1.1.0.8.

C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\0x040a.ini

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	25140
Entropy (8bit):	3.439336772199357
Encrypted:	false
SSDEEP:	192:XqCTxiKLkQEq0w/2yOK8deU2K4/WaChA2ZwxD9VErXWlMHtDaMJVLr5:XqClLkQT4z4uaCC2axbYXWSHZaMJxr5
MD5:	E872C54C58EEF055BC791D3EEAD093C3
SHA1:	FC7BA9CEF237686C06DD63FD2CCBFE037518E378
SHA-256:	1739D42ED181F36AB4F524C01B57A4102C2F7510661D973A1077A4E88AC34B97
SHA-512:	E8512974D4851B7FB504292F3330D318F72C2646EC3DB2C54ED7938EB73249EC1CE867916D15C6A36B3FEB39F0FE98DD1781E5EC938BB2427059B4EE2DC00E1D
Malicious:	false
Reputation:	unknown
Preview:	..[.0.x.0.4.0.a.].....1.1.0.0.=.E.r.r.o.r. .d.e. .i.n.i.c.i.o. .d.e. .i.n.s.t.a.l.a.c.i...n.....1.1.0.1.=.%.s.....1.1.0.2.=.E.l. .p.r.o.g.r.a.m.a. .d.e. .i.n.s.t.a.l.a.c.i...n. .%.1. .e.s.t... .p.r.e.p.a.r.a.n.d.o. .%.2.,. .q.u.e. .l.e. .g.u.i.a.r... .d.u.r.a.n.t.e. .e.l. .r.e.s.t.o. .d.e.l. .p.r.o.c.e.s.o. .d.e. .i.n.s.t.a.l.a.c.i...n... . .E.s.p.e.r.e. .p.o.r. .f.a.v.o.r.......1.1.0.3.=.C.o.m.p.r.o.b.a.n.d.o. .l.a. .v.e.r.s.i...n. .d.e.l. .s.i.s.t.e.m.a. .o.p.e.r.a.t.i.v.o.....1.1.0.4.=.C.o.m.p.r.o.b.a.n.d.o. .l.a. .v.e.r.s.i...n. .d.e.l. .i.n.s.t.a.l.a.d.o.r. .d.e. .W.i.n.d.o.w.s.(.R.).....1.1.0.5.=.C.o.n.f.i.g.u.r.a.n.d.o. .e.l. .i.n.s.t.a.l.a.d.o.r. .d.e. .W.i.n.d.o.w.s.....1.1.0.6.=.C.o.n.f.i.g.u.r.a.n.d.o. .%.s.....1.1.0.7.=.E.l. .p.r.o.g.r.a.m.a. .d.e. .i.n.s.t.a.l.a.c.i...n. .h.a. .t.e.r.m.i.n.a.d.o. .d.e. .c.o.n.f.i.g.u.r.a.r. .e.l. .i.n.s.t.a.l.a.d.o.r. .d.e. .W.i.n.d.o.w.s. .e.n. .e.l. .s.i.s.t.e.m.a... .E.l. .s.i.s.t.e.m.a. .s.e. .d.e.b.e. .r.e.i.n.i.c.i.a.r. .p.a.r.a. .s.

C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\0x040c.ini

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	26270
Entropy (8bit):	3.4773296330092287
Encrypted:	false
SSDEEP:	384:dadl9gg5LFghqYpI+JTz0bBQBWRGgG8fY8JfuqGWzjYN2D6UMYO1:dMXFGhqiUbBQcL68JfuqFjYN2DVa
MD5:	35989450C8121207917F04D1EBE4CA2A
SHA1:	0037EC09F27D222CAD447288BD2462D63ABA2520
SHA-256:	B14D9D7AFC505868407C425CB5A78C891BAA8A6AC8EB35CFB3D71C71F5BEE1FA
SHA-512:	1CF2A0130679AB238C5E41BB1DE21F6F915595AF7CC9B90ECFCE2D05075CF3BA92CCAB464A7291EFD1EE4CDBA54A01D61BEB75B919AD687FBA178A95486B26F8
Malicious:	false
Reputation:	unknown
Preview:	..[.0.x.0.4.0.c.].....1.1.0.0.=.E.r.r.e.u.r. .l.o.r.s. .d.e. .l.'.i.n.i.t.i.a.l.i.s.a.t.i.o.n. .d.e. .l.'.i.n.s.t.a.l.l.a.t.i.o.n.....1.1.0.1.=.%.s.....1.1.0.2.=.L.'.i.n.s.t.a.l.l.a.t.e.u.r. .%.1. .p.r...p.a.r.e. .%.2.,. .l.e.q.u.e.l. .v.o.u.s. .g.u.i.d.e.r.a. .p.o.u.r. .l.'.i.n.s.t.a.l.l.a.t.i.o.n. .d.u. .l.o.g.i.c.i.e.l... .V.e.u.i.l.l.e.z. .p.a.t.i.e.n.t.e.r.......1.1.0.3.=.V...r.i.f.i.c.a.t.i.o.n. .d.e. .l.a. .v.e.r.s.i.o.n. .d.e. .s.y.s.t...m.e. .d.'.e.x.p.l.o.i.t.a.t.i.o.n.....1.1.0.4.=.V...r.i.f.i.c.a.t.i.o.n. .d.e. .l.a. .v.e.r.s.i.o.n. .d.e. .W.i.n.d.o.w.s.(.R.). .I.n.s.t.a.l.l.e.r.....1.1.0.5.=.C.o.n.f.i.g.u.r.a.t.i.o.n. .d.e. .W.i.n.d.o.w.s.(.R.). .I.n.s.t.a.l.l.e.r.....1.1.0.6.=.C.o.n.f.i.g.u.r.a.t.i.o.n. .d.'.%.s.....1.1.0.7.=.L.'.i.n.s.t.a.l.l.a.t.i.o.n. .a. .t.e.r.m.i.n... .l.a. .c.o.n.f.i.g.u.r.a.t.i.o.n. .d.e. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. .s.u.r. .v.o.t.r.e. .o.r.d.i.n.a.t.e.u.r... .P.o.u.r. .p.o.u.v.o.i.r. .p.o.u.r.s.u.i.v.r.e. .l.'.i.n.s.t.a.l.l.a.t.i.o.n.,. .

C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\0x0410.ini

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	25188
Entropy (8bit):	3.4430435546496425
Encrypted:	false
SSDEEP:	384:hXRoc4nLsC8oKjuTSC6KJqJ/j48pQ2LmRU20yn:hyLLKqTS6oQ2Lmf
MD5:	F89FC24FCE7B72A6C9A6E1F9E7B22D8A
SHA1:	CD13C5DBD8C58DDC1F1727D45362358AFAC7FCF2
SHA-256:	2970BB63E5BC3DE4C693DE313D715C0C5F93BD35E18CDAEC56954034CC7653A6
SHA-512:	A55209B9419B9FEF4D6107956131E6BDA36BD281C94416C39788AA8E926A7A44DAE19544A46C84CD2337678A3A4AF753FAD73E024BAE19DA4D536186A061013A
Malicious:	false
Reputation:	unknown
Preview:	..[.0.x.0.4.1.0.].....1.1.0.0.=.E.r.r.o.r.e. .d.i. .i.n.i.z.i.a.l.i.z.z.a.z.i.o.n.e. .d.e.l.l.'.i.n.s.t.a.l.l.a.z.i.o.n.e.....1.1.0.1.=.%.s.....1.1.0.2.=.I.l. .p.r.o.g.r.a.m.m.a. .d.i. .i.n.s.t.a.l.l.a.z.i.o.n.e. .%.1. .s.t.a. .p.r.e.p.a.r.a.n.d.o. .%.2... . .A.t.t.e.n.d.e.r.e.......1.1.0.3.=.V.e.r.i.f.i.c.a. .d.e.l.l.a. .v.e.r.s.i.o.n.e. .d.e.l. .s.i.s.t.e.m.a. .o.p.e.r.a.t.i.v.o. .i.n. .c.o.r.s.o.....1.1.0.4.=.V.e.r.i.f.i.c.a. .d.e.l.l.a. .v.e.r.s.i.o.n.e. .d.i. .W.i.n.d.o.w.s.(.R.). .I.n.s.t.a.l.l.e.r. .i.n. .c.o.r.s.o.....1.1.0.5.=.C.o.n.f.i.g.u.r.a.z.i.o.n.e. .d.i. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. .i.n. .c.o.r.s.o.....1.1.0.6.=.C.o.n.f.i.g.u.r.a.z.i.o.n.e. .d.i. .%.s. .i.n. .c.o.r.s.o.....1.1.0.7.=.I.l. .p.r.o.g.r.a.m.m.a. .d.i. .i.n.s.t.a.l.l.a.z.i.o.n.e. .h.a. .c.o.m.p.l.e.t.a.t.o. .l.a. .c.o.n.f.i.g.u.r.a.z.i.o.n.e. .d.i. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. .s.u.l. .s.i.s.t.e.m.a... .R.i.a.v.v.i.a.r.e. .i.l. .s.i.s.t.e.m.a. .p.e.r. .c.o.n.t.i.n.u.a.r.e... .S.c.e.g.l.i.e.r.e.

C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\0x0411.ini

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	14960
Entropy (8bit):	5.1996979572130915
Encrypted:	false
SSDEEP:	384:DKeEbO3nl8cDUK21OxgCvk3aV4ls8Gb8YVyl:DKtbO3l8coK21OxgCl7Fyl
MD5:	6EBBB5D67423D8D85F1688B561BF5304
SHA1:	AD0E2D717F750AF47F81E0BC1200F5245266D505
SHA-256:	E3B87E8B94AD50BBE21795B3408943F9A6D6F33813E96802962CB74B889EDFE7
SHA-512:	13CDBA0E0EA410BED289492C7C04D5CB9FFBD931B6006547AA5FF05587FBB9CF32E6626D016DD29892A80514EA642D60490F16E6B9402256C257B7CE276924DF
Malicious:	false
Reputation:	unknown
Preview:	..[.P.r.o.p.e.r.t.i.e.s.].....F.o.n.t.N.a.m.e.=.M.S. .U.I. .G.o.t.h.i.c.....F.o.n.t.S.i.z.e.=.9.........[.0.x.0.4.1.1.].....1.1.0.0.=..0.0.0.0.0.0.R.g.S.0.0.0....1.1.0.1.=.%.s.....1.1.0.2.=.%.1. ..0.0.0.0.0.0o0.0.0.0.0.0.0.0.0.0.0.0.0n0Kb...0T0Hh.QY0.0 .%.2. ..0.n.PW0f0D0~0Y0.0W0p0.0O0J0._a0O0`0U0D0.0....1.1.0.3.=..0.0.0.0.0.0.0.0 ..0.0.0.0n0.0.0.0.0.0.0.x..W0f0D0~0Y0....1.1.0.4.=.W.i.n.d.o.w.s.(.R.). .I.n.s.t.a.l.l.e.r.n0.0.0.0.0.0.0.x..W0f0D0~0Y0....1.1.0.5.=.W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r..0-..[W0f0D0~0Y0....1.1.0.6.=.%.s. ..0-..[W0f0D0~0Y0....1.1.0.7.=..0.0.0.0.0.0o0.0.0.0.0.0.Nn0 .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. .n0-..[.0.[.NW0~0W0_0.0.0.0.0.0.0.0.0.}L.Y0.0k0o0.0.0.0.0.0.0.Qw..RY0.0._..L0B0.0~0Y0.0.0.Qw..R.0.0.0.0.0.0W0f0.0.0.0.0.0.0.Qw..RW0f0O0`0U0D0.0....1.1.0.8.=.%.s.....1.1.2.5.=..0.0.0.0.0.0....n0x..b....1.1.2.6.=.S0n0.0.0.0.0.0.0g0.O(uY0.0.....0!kn0.0.0.0K0.0x..bW0f0O0`0U0D0.0....1.1.2.7.=.W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. ..0.0.0.0n0-..[.0.[.bU0[0.0.p.0.0.0.0.0.0.0o0

C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\0x0412.ini

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	14126
Entropy (8bit):	5.413031845668093
Encrypted:	false
SSDEEP:	192:NtPl0V894Pp/WwJTqSuQusVG5qyKBUxVzliQZWNtgHmYgHgsNSbiE/VRauG:+G94xOwJTqSuQB7VNtc3OS3VUV
MD5:	73E70A6B9354E80237C8E2B3170830A0
SHA1:	B4C8777CE9C2D2FFF4C0C914825CBE698FEAADAF
SHA-256:	316577CF74D3545D632B0DE55513A3511D654849655157CB84821B871EC081E9
SHA-512:	F15E736E7C0B55437B39869A0BBCE15D5365F04C70BE23FC373D83CE0E99E0A806244C1C44CD298DC4970D20AF6CB1198A9D84749F5D5AC02162C261B1460ED7
Malicious:	false
Reputation:	unknown
Preview:	..[.P.r.o.p.e.r.t.i.e.s.].....F.o.n.t.N.a.m.e.=.t.......F.o.n.t.S.i.z.e.=.9.........[.0.x.0.4.1.2.].....1.1.0.0.=.$.X. ...0.T. .$.X.....1.1.0.1.=.%.s.....1.1.0.2.=.%.2. ... ......X. .....0... .%.1.D.(.\|.). .$.X.`. .$.X. ......\|. ...D. ........ ..... .0.......$.......1.1.0.3.=..... ..... ..... .U.x. .......1.1.0.4.=.W.i.n.d.o.w.s.(.R.). .I.n.s.t.a.l.l.e.r. ..... .U.x. .......1.1.0.5.=.W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. .l.1. .......1.1.0.6.=.%.s. .l.1. .......1.1.0.7.=.$.X. ...\.....t. ......X. ....\... .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r.X. .l.1.D. .D......... .$.X.\|. ....X.$.t. ....\.D. .... ....t.\|. .i..... .".... ....". ...\|. .... ....\.D. .... .....X.....$.......1.1.0.8.=.%.s.....1.1.2.5.=.$.X. .... . .......1.1.2.6.=.$.X.X.. ..H. .....`. ....\|. .D...... . ...X.....$.......1.1.2.7.=.$.X. ...\.....t. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. ...D... .l.1.D. .D..X.$.t. ....\.D. .... ....t.\|. .i..... . ..... ....\.D. .... ....X.$.t. .[...].\|. .t..X...

C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\0x0413.ini

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	25000
Entropy (8bit):	3.4464436827428178
Encrypted:	false
SSDEEP:	192:iSdyxvO3iFoIuWyQLKHiSeBtcIA0YpE7jir/dX4dJgXpDAKTcm3tbcrnj8k:iIMO3sJdMpA6ViJguKTcmZcrj8k
MD5:	DC1C05A9FCE06CF659C20AED317DD417
SHA1:	2447C12E75ED0F4B5BD9D4C6ACB29AEE35562F23
SHA-256:	98D6CEEF6A444B9E8450ABEFC5B72BD6B0DF1CD5D7C7CD2822EB1BD186FF8526
SHA-512:	2CDD4932E279988B0DFEEFD86E5B997A9D5F5BC6780819D80293BAF5A9B0B56C9D0AA597150CADC1C7B2C329F5FEAF308F97FA22DD4B915050BCC6D911CDDA96
Malicious:	false
Reputation:	unknown
Preview:	..[.0.x.0.4.1.3.].....1.1.0.0.=.I.n.i.t.i.a.l.i.s.a.t.i.e.f.o.u.t. .v.o.o.r. .S.e.t.u.p.....1.1.0.1.=.%.s.....1.1.0.2.=.%.1. .S.e.t.u.p. .i.s. .b.e.z.i.g. .m.e.t. .h.e.t. .v.o.o.r.b.e.r.e.i.d.e.n. .v.a.n. .d.e. .%.2. .d.i.e. .u. .d.o.o.r. .d.e. .s.e.t.u.p. .v.a.n. .h.e.t. .p.r.o.g.r.a.m.m.a. .z.a.l. .l.e.i.d.e.n... .E.e.n. .o.g.e.n.b.l.i.k. .g.e.d.u.l.d.......1.1.0.3.=.B.e.z.i.g. .m.e.t. .h.e.t. .c.o.n.t.r.o.l.e.r.e.n. .v.a.n. .d.e. .v.e.r.s.i.e. .v.a.n. .h.e.t. .b.e.s.t.u.r.i.n.g.s.s.y.s.t.e.e.m.....1.1.0.4.=.B.e.z.i.g. .m.e.t. .h.e.t. .c.o.n.t.r.o.l.e.r.e.n. .v.a.n. .d.e. .v.e.r.s.i.e. .v.a.n. .W.i.n.d.o.w.s.(.R.). .I.n.s.t.a.l.l.e.r.....1.1.0.5.=.B.e.z.i.g. .m.e.t. .h.e.t. .c.o.n.f.i.g.u.r.e.r.e.n. .v.a.n. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r.....1.1.0.6.=.B.e.z.i.g. .m.e.t. .h.e.t. .c.o.n.f.i.g.u.r.e.r.e.n. .v.a.n. .%.s.....1.1.0.7.=.S.e.t.u.p. .i.s. .k.l.a.a.r. .m.e.t. .h.e.t. .c.o.n.f.i.g.u.r.e.r.e.n. .v.a.n. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. .o.p. .u.w. .s.y.s.t.e.e.m... .H.e.t.

C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\0x0416.ini

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	24142
Entropy (8bit):	3.50067586721218
Encrypted:	false
SSDEEP:	384:cuS60JBnWzm1xn9iW4WSWIWwWdW/WxW9W7WSWiAhWssvK4D:cT6YBosx9Ujsf
MD5:	88CF36612986147152BC34798D847FC8
SHA1:	C626EB6CA21D0BD8148C4990CA9BC3955A84AC2E
SHA-256:	FD410CE6CEA3FE21E0D45BA8A3A95459502275052C318971ECD548970DFCCDCF
SHA-512:	D5768CF9ECB1E158B3A9196CD340EB8DB5B294BB20433554D4D605C7A3AB4F7CA6027791FD63F011E68325AF52EB18D734B45F2FD670D109FF60E93B97D9A20D
Malicious:	false
Reputation:	unknown
Preview:	..[.0.x.0.4.1.6.].....1.1.0.0.=.E.r.r.o. .d.e. .i.n.i.c.i.a.l.i.z.a.....o. .d.o. .I.n.s.t.a.l.l.S.h.i.e.l.d. .W.i.z.a.r.d.....1.1.0.1.=.%.s.....1.1.0.2.=.O. .p.r.o.g.r.a.m.a. .d.e. .i.n.s.t.a.l.a.....o. .d.o. .%.1. .e.s.t... .p.r.e.p.a.r.a.n.d.o. .o. .%.2. .p.a.r.a. .a.j.u.d...-.l.o. .c.o.m. .o. .p.r.o.c.e.s.s.o. .d.e. .i.n.s.t.a.l.a.....o... . .A.g.u.a.r.d.e.......1.1.0.3.=.V.e.r.i.f.i.c.a.n.d.o. .a. .v.e.r.s...o. .d.o. .s.i.s.t.e.m.a. .o.p.e.r.a.c.i.o.n.a.l.....1.1.0.4.=.V.e.r.i.f.i.c.a.n.d.o. .a. .v.e.r.s...o. .d.o. .i.n.s.t.a.l.a.d.o.r. .d.o. .W.i.n.d.o.w.s.(.R.).....1.1.0.5.=.C.o.n.f.i.g.u.r.a.n.d.o. .o. .i.n.s.t.a.l.a.d.o.r. .d.o. .W.i.n.d.o.w.s.....1.1.0.6.=.C.o.n.f.i.g.u.r.a.n.d.o. .o. .%.s.....1.1.0.7.=.A. .i.n.s.t.a.l.a.....o. .c.o.m.p.l.e.t.o.u. .a. .c.o.n.f.i.g.u.r.a.....o. .d.o. .i.n.s.t.a.l.a.d.o.r. .d.o. .W.i.n.d.o.w.s. .e.m. .s.e.u. .s.i.s.t.e.m.a... .O. .s.i.s.t.e.m.a. .p.r.e.c.i.s.a. .s.e.r. .r.e.i.n.i.c.i.a.d.o. .p.a.r.a. .p.o.d.e.r. .c.o.n.t.i.n.u.a.r. .c.o.m. .a. .

C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\0x0419.ini

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	23432
Entropy (8bit):	4.02726434010301
Encrypted:	false
SSDEEP:	384:kiGLTiSapi6QnIw5sgVfCxOJebMVLDOU9L/esT:k/9tqMVLDOUJZ
MD5:	D12957CBC8D709DDACB854CCB7E09BEA
SHA1:	332F16C47A6F77390421E8DD9E1E5CD10625C46C
SHA-256:	79FE5A9A1DCD35ED68016FC5AA3720945F87A34C7B85F14763DC08F55796485E
SHA-512:	75351BAA104682FEDCC4B237C1DF1804C3C1EC2671E0200EAA4E37F26D1D28E3A6A33C93F6FF35CEC58E7701FA6A0961EFD7A2CBB44ED6C2CBD29D7C5DB057F5
Malicious:	false
Reputation:	unknown
Preview:	..[.0.x.0.4.1.9.].....1.1.0.0.=...H.8.1.:.0. .8.=.8.F.8.0.;.8.7.0.F.8.8. .?.@.>.3.@.0.<.<.K. .C.A.B.0.=.>.2.:.8.....1.1.0.1.=.%.s.....1.1.0.2.=.%.1. ...4.5.B. .?.>.4.3.>.B.>.2.:.0. .:. .7.0.?.C.A.:.C. .<.0.A.B.5.@.0. .%.2.,. .2.K.?.>.;.=.O.N.I.5.3.>. .C.A.B.0.=.>.2.:.C. .?.@.>.3.@.0.<.<.K... . ...4.8.B.5.......1.1.0.3.=...@.>.2.5.@.:.0. .2.5.@.A.8.8. .>.?.5.@.0.F.8.>.=.=.>.9. .A.8.A.B.5.<.K.....1.1.0.4.=...@.>.2.5.@.:.0. .2.5.@.A.8.8. .?.@.>.3.@.0.<.<.K. .C.A.B.0.=.>.2.:.8. .W.i.n.d.o.w.s.(.R.).....1.1.0.5.=...0.A.B.@.>.9.:.0. .?.@.>.3.@.0.<.<.K. .C.A.B.0.=.>.2.:.8. .W.i.n.d.o.w.s.....1.1.0.6.=...0.A.B.@.>.9.:.0. .%.s.....1.1.0.7.=...@.>.3.@.0.<.<.0. .C.A.B.0.=.>.2.:.8. .7.0.2.5.@.H.8.;.0. .=.0.A.B.@.>.9.:.C. .?.@.>.3.@.0.<.<.K. .C.A.B.0.=.>.2.:.8. .W.i.n.d.o.w.s. .2. .A.8.A.B.5.<.5... ...;.O. .?.@.>.4.>.;.6.5.=.8.O. .C.A.B.0.=.>.2.:.8. .=.5.>.1.E.>.4.8.<.>. .?.5.@.5.7.0.?.C.A.B.8.B.L. .A.8.A.B.5.<.C... ...0.6.<.8.B.5. .:.=.>.?.:.C. ."...5.@.5.7.0.?.C.A.:.".,. .G.B.>.1.K. .?.5.@.5.7.0.

C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\0x0804.ini

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	10760
Entropy (8bit):	5.78352212360944
Encrypted:	false
SSDEEP:	192:Nw8vvP/KID2jmCt1bRNJQYRyljRpRIHDJCL0PvrmeAdovo/BVEU3EDa+7VUX7AoU:7XD65P9PvabCU6l7
MD5:	3D94EA458231BB249E464A3246E47D39
SHA1:	A1660EFACE2D76B3BAB6E21980D64EC5DA9A3844
SHA-256:	B1422D24B8B703541404776BADF70D377DF435D519CC5FFF2EE6666581CE407C
SHA-512:	46BFBD5D1D86CFFCEEF1316B13815B1D9A099E247ECB7CA12974107F921787EAA917DDC04BB937C7BF293EAFF12A45B56952174C1059EB42B325DBBC48CE4FA4
Malicious:	false
Reputation:	unknown
Preview:	..[.P.r.o.p.e.r.t.i.e.s.].....F.o.n.t.N.a.m.e.=..[SO....F.o.n.t.S.i.z.e.=.9.........[.0.x.0.8.0.4.].....1.1.0.0.=..[..z.^.R.Y.S.......1.1.0.1.=.%.s.....1.1.0.2.=.%.1. ..[..z.^ck(W.Q.Y .%.2....[.\._.[.`.[.biRYO.v.[...z.0...z.P.0....1.1.0.3.=.ck(W.h.g.d\O.\|.~Hr,g....1.1.0.4.=.ck(W.h.g .W.i.n.d.o.w.s.(.R.). .I.n.s.t.a.l.l.e.r. .Hr,g....1.1.0.5.=.ck(WM.n. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r.....1.1.0.6.=.ck(WM.n. .%.s.....1.1.0.7.=..[..z.^.](W.`.v.\|.~-N.[.b.N .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. ..vM.n..0 .......e/T.R.\|.~.N.O.~.~.[..0 ...US.Q. ..e/T.R. eg..e/T.R.\|.~.0....1.1.0.8.=.%.s.....1.1.2.5.=....b.[..z.^.v.......1.1.2.6.=..N.N.N..y.-N...bdk.[..z.^.v....0....1.1.2.7.=.I.n.s.t.a.l.l.e.r. .._{...e/T.R.`.v.\|.~..Mb...[.b .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. ..g.R.vM.n..0US.Q"./f"..S.zsS..e/T.R..US.Q".&T"..R.S(W.N.T/T.R.0....1.1.2.8.=..[..z.^.\.[.b .'.%.s.'. ..f.e.0/f&T.~.~......1.1.2.9.=.dk:ghV.].[....eHr .'.%.s.'..0.[..e.l.~.~.0....1.1.3.0.=.nx.[....1.1.3.1.=..S.m....1.

C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\0x0816.ini

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	24772
Entropy (8bit):	3.4962564786346575
Encrypted:	false
SSDEEP:	384:ol0dQRxCLgWg2HuLWaQWIWdW7WwW8WtWxWdU0eWrWDWqWeRlWNudBv0s4n:omd0xCLa+i9g0kGudBch
MD5:	F5647EC2FA6F96103629860955AAED3C
SHA1:	960398A7F4406F91F37148DE2E83A86B660CFAD3
SHA-256:	C1ED2933A2CCB3B82F7A952741BF4C6D4F653D4997855C341F365671FCB9E87D
SHA-512:	CCDAB8B0884BDD7C55736EE419AAD5713B36DD9590232EA6BBCDFCE2A05058AAF708F0D19D42C450C2E3E7B82AD72D860B1CD21EA0C3671236DA5EFDDFCEBC5F
Malicious:	false
Reputation:	unknown
Preview:	..[.0.x.0.8.1.6.].....1.1.0.0.=.E.r.r.o. .n.a. .i.n.i.c.i.a.l.i.z.a.....o. .d.o. .p.r.o.g.r.a.m.a. .d.e. .c.o.n.f.i.g.u.r.a.....o.....1.1.0.1.=.%.s.....1.1.0.2.=.O. .p.r.o.g.r.a.m.a. .d.e. .c.o.n.f.i.g.u.r.a.....o. .%.1. .e.s.t... .a. .p.r.e.p.a.r.a.r. .o. .%.2. .q.u.e. .o. .o.r.i.e.n.t.a.r... .a.o. .l.o.n.g.o. .d.o. .p.r.o.c.e.s.s.o. .d.e. .c.o.n.f.i.g.u.r.a.....o. .d.o. .p.r.o.g.r.a.m.a... . .A.g.u.a.r.d.e.......1.1.0.3.=.A. .v.e.r.i.f.i.c.a.r. .a. .v.e.r.s...o. .d.o. .s.i.s.t.e.m.a. .o.p.e.r.a.t.i.v.o.....1.1.0.4.=.A. .v.e.r.i.f.i.c.a.r. .a. .v.e.r.s...o. .d.o. .p.r.o.g.r.a.m.a. .d.e. .i.n.s.t.a.l.a.....o. .d.o. .W.i.n.d.o.w.s.(.R.).....1.1.0.5.=.A. .c.o.n.f.i.g.u.r.a.r. .o. .p.r.o.g.r.a.m.a. .d.e. .i.n.s.t.a.l.a.....o. .d.o. .W.i.n.d.o.w.s.....1.1.0.6.=.A. .c.o.n.f.i.g.u.r.a.r. .o. .%.s.....1.1.0.7.=.C.o.n.f.i.g.u.r.a.....o. .d.o. .p.r.o.g.r.a.m.a. .d.o. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. .n.o. .s.i.s.t.e.m.a. .c.o.n.c.l.u...d.a... ... .n.e.c.e.s.s...r.i.o. .r.e.i.n.i.c.i.a.r. .o.

C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\0x0404.ini

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	10670
Entropy (8bit):	5.78485884894983
Encrypted:	false
SSDEEP:	192:N2wEq5DSXJmoJcQoDyNtkob5zaG/NFroVVV3d9S7efd19+o:5v5DSIoDFFsHV3dIodv+o
MD5:	EC1F8F71FA21C49BC96A17C81AD51598
SHA1:	5750F674B4DE76D708DD1178265E280D515D8774
SHA-256:	60F176F3014342F48468FF7EA67280FA3A671C4721EBEFE7B4EE789FF65C87DF
SHA-512:	AC939507581988B4A4816BFD27FEE8BC4794743D7251138B08DA3F76268EC5B8F869FC7E2B52C6DD8BDB777BB07A95D3AD4375A38208E1CBD9EB4338AA194562
Malicious:	false
Reputation:	unknown
Preview:	..[.P.r.o.p.e.r.t.i.e.s.].....F.o.n.t.N.a.m.e.=.0}.f.....F.o.n.t.S.i.z.e.=.9.........[.0.x.0.4.0.4.].....1.1.0.0.=..[..z._w..Y/.......1.1.0.1.=.%.s.....1.1.0.2.=.%.1. ..[..z._ck(W.n.P .%.2....[.\._.\.`.[.biR...v.[.N..z.0..z.P.0....1.1.0.3.=.ck(W.j.g\Omi.\|q}Hr,g....1.1.0.4.=.ck(W.j.g .W.i.n.d.o.w.s.(.R.). .i.n.s.t.a.l.l.e.r. .Hr,g....1.1.0.5.=.ck(W-..[ .W.i.n.d.o.w.s. .i.n.s.t.a.l.l.e.r.....1.1.0.6.=.ck(W-..[ .%.s.....1.1.0.7.=..[..z._.](W.`.v.\|q}-N.[.b.N .W.i.n.d.o.w.s. .i.n.s.t.a.l.l.e.r. ..v-..[.0 .......e_U.R.\|q}.N.O\|~.~.[..0 ...c.N.N.0..e_U.R.0.O..e_U.R.\|q}.0....1.1.0.8.=.%.s.....1.1.2.5.=.x..d.[.........1.1.2.6.=.._.N.Nx...-Nx..ddk.[..z._.v.....0....1.1.2.7.=..[..z._._....e_U.R.\|q}Mb...[.b-..[ .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. ..g.R.0.c.N.N.0/f.0.c...zsS..e_U.R...Y.g.`.N._..e_U.R..GR.c.N.N.0&T.0.0....1.1.2.8.=.dk.[..z._.\.WL. .'.%.s.'. .GS.}.0/f&T..\|~.~......1.1.2.9.=.dk_j.].[....eHr,g.v .'.%.s.'..0.[.!q.l\|~.~.0....1.1.3.0.=..x.[....1.1.3.1.=..S.m....1.1.3.2.

C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\0x0407.ini

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	25860
Entropy (8bit):	3.5091459120889494
Encrypted:	false
SSDEEP:	768:2LNV1dYKJpgAbtaPZuQ2g2HhmDqtnLOW8oXxN1HYLifZThxfrkTI0n497:2z1djJpgAb0RuQ2g2HhmDU
MD5:	9A62DA6C523506355C1BF1B30DB73EDD
SHA1:	EE83114A7D4B995DD4AD7D1781ED66C4727CC121
SHA-256:	8B5D7BC395D0D6980299702D0573C6019FEFEA92EB98701D1894A5623B2691A0
SHA-512:	BE026517CEA5613D834337D83324C383F40B449DD92F338D612048C424AB8BD88C17F766C7D1629A2205A8A068F6DCBA1CE3536438018562490EBD7001EFBEE5
Malicious:	false
Reputation:	unknown
Preview:	..[.0.x.0.4.0.7.].....1.1.0.0.=.S.e.t.u.p.-.I.n.i.t.i.a.l.i.s.i.e.r.u.n.g.s.f.e.h.l.e.r.....1.1.0.1.=.%.s.....1.1.0.2.=.%.1. .S.e.t.u.p. .b.e.r.e.i.t.e.t. .d.e.n. .%.2. .v.o.r.,. .d.e.r. .S.i.e. .d.u.r.c.h. .d.e.n. .S.e.t.u.p.-.V.o.r.g.a.n.g. .l.e.i.t.e.n. .w.i.r.d... .B.i.t.t.e. .w.a.r.t.e.n.......1.1.0.3.=...b.e.r.p.r...f.e.n. .d.e.r. .B.e.t.r.i.e.b.s.s.y.s.t.e.m.v.e.r.s.i.o.n.....1.1.0.4.=...b.e.r.p.r...f.e.n. .d.e.r. .V.e.r.s.i.o.n. .v.o.n. .W.i.n.d.o.w.s.(.R.). .I.n.s.t.a.l.l.e.r.....1.1.0.5.=.K.o.n.f.i.g.u.r.i.e.r.e.n. .v.o.n. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r.....1.1.0.6.=.K.o.n.f.i.g.u.r.i.e.r.e.n. .v.o.n. .%.s.....1.1.0.7.=.S.e.t.u.p. .h.a.t. .d.i.e. .K.o.n.f.i.g.u.r.a.t.i.o.n. .v.o.n. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. .a.u.f. .I.h.r.e.m. .C.o.m.p.u.t.e.r. .a.b.g.e.s.c.h.l.o.s.s.e.n... .U.m. .m.i.t. .d.e.r. .I.n.s.t.a.l.l.a.t.i.o.n. .f.o.r.t.z.u.f.a.h.r.e.n. .m.u... .d.a.s. .S.y.s.t.e.m. .n.e.u. .g.e.s.t.a.r.t.e.t. .w.e.r.d.e.n... .W...h.l.e.n. .S.i.e. .N.e.u.s.t.a.r.t.e.n.

C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\0x0409.ini

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	22492
Entropy (8bit):	3.484893836872466
Encrypted:	false
SSDEEP:	384:CTmyuV//BiTbh/G4AwC2WrP2DBWa/Oa0Mhs+XVgv:CT6V//BiXh/z/lWr0aa0Mhs+XVgv
MD5:	BE345D0260AE12C5F2F337B17E07C217
SHA1:	0976BA0982FE34F1C35A0974F6178E15C238ED7B
SHA-256:	E994689A13B9448C074F9B471EDEEC9B524890A0D82925E98AB90B658016D8F3
SHA-512:	77040DBEE29BE6B136A83B9E444D8B4F71FF739F7157E451778FB4FCCB939A67FF881A70483DE16BCB6AE1FEA64A89E00711A33EC26F4D3EEA8E16C9E9553EFF
Malicious:	false
Reputation:	unknown
Preview:	..[.0.x.0.4.0.9.].....1.1.0.0.=.S.e.t.u.p. .I.n.i.t.i.a.l.i.z.a.t.i.o.n. .E.r.r.o.r.....1.1.0.1.=.%.s.....1.1.0.2.=.%.1. .S.e.t.u.p. .i.s. .p.r.e.p.a.r.i.n.g. .t.h.e. .%.2.,. .w.h.i.c.h. .w.i.l.l. .g.u.i.d.e. .y.o.u. .t.h.r.o.u.g.h. .t.h.e. .p.r.o.g.r.a.m. .s.e.t.u.p. .p.r.o.c.e.s.s... . .P.l.e.a.s.e. .w.a.i.t.......1.1.0.3.=.C.h.e.c.k.i.n.g. .O.p.e.r.a.t.i.n.g. .S.y.s.t.e.m. .V.e.r.s.i.o.n.....1.1.0.4.=.C.h.e.c.k.i.n.g. .W.i.n.d.o.w.s.(.R.). .I.n.s.t.a.l.l.e.r. .V.e.r.s.i.o.n.....1.1.0.5.=.C.o.n.f.i.g.u.r.i.n.g. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r.....1.1.0.6.=.C.o.n.f.i.g.u.r.i.n.g. .%.s.....1.1.0.7.=.S.e.t.u.p. .h.a.s. .c.o.m.p.l.e.t.e.d. .c.o.n.f.i.g.u.r.i.n.g. .t.h.e. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. .o.n. .y.o.u.r. .s.y.s.t.e.m... .T.h.e. .s.y.s.t.e.m. .n.e.e.d.s. .t.o. .b.e. .r.e.s.t.a.r.t.e.d. .i.n. .o.r.d.e.r. .t.o. .c.o.n.t.i.n.u.e. .w.i.t.h. .t.h.e. .i.n.s.t.a.l.l.a.t.i.o.n... .P.l.e.a.s.e. .c.l.i.c.k. .R.e.s.t.a.r.t. .t.o. .r.e.b.o.o.t. .t.h.e. .s.y.s.t.e.m.......1.1.0.8.

C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\0x040a.ini

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	25140
Entropy (8bit):	3.439336772199357
Encrypted:	false
SSDEEP:	192:XqCTxiKLkQEq0w/2yOK8deU2K4/WaChA2ZwxD9VErXWlMHtDaMJVLr5:XqClLkQT4z4uaCC2axbYXWSHZaMJxr5
MD5:	E872C54C58EEF055BC791D3EEAD093C3
SHA1:	FC7BA9CEF237686C06DD63FD2CCBFE037518E378
SHA-256:	1739D42ED181F36AB4F524C01B57A4102C2F7510661D973A1077A4E88AC34B97
SHA-512:	E8512974D4851B7FB504292F3330D318F72C2646EC3DB2C54ED7938EB73249EC1CE867916D15C6A36B3FEB39F0FE98DD1781E5EC938BB2427059B4EE2DC00E1D
Malicious:	false
Reputation:	unknown
Preview:	..[.0.x.0.4.0.a.].....1.1.0.0.=.E.r.r.o.r. .d.e. .i.n.i.c.i.o. .d.e. .i.n.s.t.a.l.a.c.i...n.....1.1.0.1.=.%.s.....1.1.0.2.=.E.l. .p.r.o.g.r.a.m.a. .d.e. .i.n.s.t.a.l.a.c.i...n. .%.1. .e.s.t... .p.r.e.p.a.r.a.n.d.o. .%.2.,. .q.u.e. .l.e. .g.u.i.a.r... .d.u.r.a.n.t.e. .e.l. .r.e.s.t.o. .d.e.l. .p.r.o.c.e.s.o. .d.e. .i.n.s.t.a.l.a.c.i...n... . .E.s.p.e.r.e. .p.o.r. .f.a.v.o.r.......1.1.0.3.=.C.o.m.p.r.o.b.a.n.d.o. .l.a. .v.e.r.s.i...n. .d.e.l. .s.i.s.t.e.m.a. .o.p.e.r.a.t.i.v.o.....1.1.0.4.=.C.o.m.p.r.o.b.a.n.d.o. .l.a. .v.e.r.s.i...n. .d.e.l. .i.n.s.t.a.l.a.d.o.r. .d.e. .W.i.n.d.o.w.s.(.R.).....1.1.0.5.=.C.o.n.f.i.g.u.r.a.n.d.o. .e.l. .i.n.s.t.a.l.a.d.o.r. .d.e. .W.i.n.d.o.w.s.....1.1.0.6.=.C.o.n.f.i.g.u.r.a.n.d.o. .%.s.....1.1.0.7.=.E.l. .p.r.o.g.r.a.m.a. .d.e. .i.n.s.t.a.l.a.c.i...n. .h.a. .t.e.r.m.i.n.a.d.o. .d.e. .c.o.n.f.i.g.u.r.a.r. .e.l. .i.n.s.t.a.l.a.d.o.r. .d.e. .W.i.n.d.o.w.s. .e.n. .e.l. .s.i.s.t.e.m.a... .E.l. .s.i.s.t.e.m.a. .s.e. .d.e.b.e. .r.e.i.n.i.c.i.a.r. .p.a.r.a. .s.

C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\0x040c.ini

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	26270
Entropy (8bit):	3.4773296330092287
Encrypted:	false
SSDEEP:	384:dadl9gg5LFghqYpI+JTz0bBQBWRGgG8fY8JfuqGWzjYN2D6UMYO1:dMXFGhqiUbBQcL68JfuqFjYN2DVa
MD5:	35989450C8121207917F04D1EBE4CA2A
SHA1:	0037EC09F27D222CAD447288BD2462D63ABA2520
SHA-256:	B14D9D7AFC505868407C425CB5A78C891BAA8A6AC8EB35CFB3D71C71F5BEE1FA
SHA-512:	1CF2A0130679AB238C5E41BB1DE21F6F915595AF7CC9B90ECFCE2D05075CF3BA92CCAB464A7291EFD1EE4CDBA54A01D61BEB75B919AD687FBA178A95486B26F8
Malicious:	false
Reputation:	unknown
Preview:	..[.0.x.0.4.0.c.].....1.1.0.0.=.E.r.r.e.u.r. .l.o.r.s. .d.e. .l.'.i.n.i.t.i.a.l.i.s.a.t.i.o.n. .d.e. .l.'.i.n.s.t.a.l.l.a.t.i.o.n.....1.1.0.1.=.%.s.....1.1.0.2.=.L.'.i.n.s.t.a.l.l.a.t.e.u.r. .%.1. .p.r...p.a.r.e. .%.2.,. .l.e.q.u.e.l. .v.o.u.s. .g.u.i.d.e.r.a. .p.o.u.r. .l.'.i.n.s.t.a.l.l.a.t.i.o.n. .d.u. .l.o.g.i.c.i.e.l... .V.e.u.i.l.l.e.z. .p.a.t.i.e.n.t.e.r.......1.1.0.3.=.V...r.i.f.i.c.a.t.i.o.n. .d.e. .l.a. .v.e.r.s.i.o.n. .d.e. .s.y.s.t...m.e. .d.'.e.x.p.l.o.i.t.a.t.i.o.n.....1.1.0.4.=.V...r.i.f.i.c.a.t.i.o.n. .d.e. .l.a. .v.e.r.s.i.o.n. .d.e. .W.i.n.d.o.w.s.(.R.). .I.n.s.t.a.l.l.e.r.....1.1.0.5.=.C.o.n.f.i.g.u.r.a.t.i.o.n. .d.e. .W.i.n.d.o.w.s.(.R.). .I.n.s.t.a.l.l.e.r.....1.1.0.6.=.C.o.n.f.i.g.u.r.a.t.i.o.n. .d.'.%.s.....1.1.0.7.=.L.'.i.n.s.t.a.l.l.a.t.i.o.n. .a. .t.e.r.m.i.n... .l.a. .c.o.n.f.i.g.u.r.a.t.i.o.n. .d.e. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. .s.u.r. .v.o.t.r.e. .o.r.d.i.n.a.t.e.u.r... .P.o.u.r. .p.o.u.v.o.i.r. .p.o.u.r.s.u.i.v.r.e. .l.'.i.n.s.t.a.l.l.a.t.i.o.n.,. .

C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\0x0410.ini

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	25188
Entropy (8bit):	3.4430435546496425
Encrypted:	false
SSDEEP:	384:hXRoc4nLsC8oKjuTSC6KJqJ/j48pQ2LmRU20yn:hyLLKqTS6oQ2Lmf
MD5:	F89FC24FCE7B72A6C9A6E1F9E7B22D8A
SHA1:	CD13C5DBD8C58DDC1F1727D45362358AFAC7FCF2
SHA-256:	2970BB63E5BC3DE4C693DE313D715C0C5F93BD35E18CDAEC56954034CC7653A6
SHA-512:	A55209B9419B9FEF4D6107956131E6BDA36BD281C94416C39788AA8E926A7A44DAE19544A46C84CD2337678A3A4AF753FAD73E024BAE19DA4D536186A061013A
Malicious:	false
Reputation:	unknown
Preview:	..[.0.x.0.4.1.0.].....1.1.0.0.=.E.r.r.o.r.e. .d.i. .i.n.i.z.i.a.l.i.z.z.a.z.i.o.n.e. .d.e.l.l.'.i.n.s.t.a.l.l.a.z.i.o.n.e.....1.1.0.1.=.%.s.....1.1.0.2.=.I.l. .p.r.o.g.r.a.m.m.a. .d.i. .i.n.s.t.a.l.l.a.z.i.o.n.e. .%.1. .s.t.a. .p.r.e.p.a.r.a.n.d.o. .%.2... . .A.t.t.e.n.d.e.r.e.......1.1.0.3.=.V.e.r.i.f.i.c.a. .d.e.l.l.a. .v.e.r.s.i.o.n.e. .d.e.l. .s.i.s.t.e.m.a. .o.p.e.r.a.t.i.v.o. .i.n. .c.o.r.s.o.....1.1.0.4.=.V.e.r.i.f.i.c.a. .d.e.l.l.a. .v.e.r.s.i.o.n.e. .d.i. .W.i.n.d.o.w.s.(.R.). .I.n.s.t.a.l.l.e.r. .i.n. .c.o.r.s.o.....1.1.0.5.=.C.o.n.f.i.g.u.r.a.z.i.o.n.e. .d.i. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. .i.n. .c.o.r.s.o.....1.1.0.6.=.C.o.n.f.i.g.u.r.a.z.i.o.n.e. .d.i. .%.s. .i.n. .c.o.r.s.o.....1.1.0.7.=.I.l. .p.r.o.g.r.a.m.m.a. .d.i. .i.n.s.t.a.l.l.a.z.i.o.n.e. .h.a. .c.o.m.p.l.e.t.a.t.o. .l.a. .c.o.n.f.i.g.u.r.a.z.i.o.n.e. .d.i. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. .s.u.l. .s.i.s.t.e.m.a... .R.i.a.v.v.i.a.r.e. .i.l. .s.i.s.t.e.m.a. .p.e.r. .c.o.n.t.i.n.u.a.r.e... .S.c.e.g.l.i.e.r.e.

C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\0x0411.ini

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	14960
Entropy (8bit):	5.1996979572130915
Encrypted:	false
SSDEEP:	384:DKeEbO3nl8cDUK21OxgCvk3aV4ls8Gb8YVyl:DKtbO3l8coK21OxgCl7Fyl
MD5:	6EBBB5D67423D8D85F1688B561BF5304
SHA1:	AD0E2D717F750AF47F81E0BC1200F5245266D505
SHA-256:	E3B87E8B94AD50BBE21795B3408943F9A6D6F33813E96802962CB74B889EDFE7
SHA-512:	13CDBA0E0EA410BED289492C7C04D5CB9FFBD931B6006547AA5FF05587FBB9CF32E6626D016DD29892A80514EA642D60490F16E6B9402256C257B7CE276924DF
Malicious:	false
Reputation:	unknown
Preview:	..[.P.r.o.p.e.r.t.i.e.s.].....F.o.n.t.N.a.m.e.=.M.S. .U.I. .G.o.t.h.i.c.....F.o.n.t.S.i.z.e.=.9.........[.0.x.0.4.1.1.].....1.1.0.0.=..0.0.0.0.0.0.R.g.S.0.0.0....1.1.0.1.=.%.s.....1.1.0.2.=.%.1. ..0.0.0.0.0.0o0.0.0.0.0.0.0.0.0.0.0.0.0n0Kb...0T0Hh.QY0.0 .%.2. ..0.n.PW0f0D0~0Y0.0W0p0.0O0J0._a0O0`0U0D0.0....1.1.0.3.=..0.0.0.0.0.0.0.0 ..0.0.0.0n0.0.0.0.0.0.0.x..W0f0D0~0Y0....1.1.0.4.=.W.i.n.d.o.w.s.(.R.). .I.n.s.t.a.l.l.e.r.n0.0.0.0.0.0.0.x..W0f0D0~0Y0....1.1.0.5.=.W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r..0-..[W0f0D0~0Y0....1.1.0.6.=.%.s. ..0-..[W0f0D0~0Y0....1.1.0.7.=..0.0.0.0.0.0o0.0.0.0.0.0.Nn0 .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. .n0-..[.0.[.NW0~0W0_0.0.0.0.0.0.0.0.0.}L.Y0.0k0o0.0.0.0.0.0.0.Qw..RY0.0._..L0B0.0~0Y0.0.0.Qw..R.0.0.0.0.0.0W0f0.0.0.0.0.0.0.Qw..RW0f0O0`0U0D0.0....1.1.0.8.=.%.s.....1.1.2.5.=..0.0.0.0.0.0....n0x..b....1.1.2.6.=.S0n0.0.0.0.0.0.0g0.O(uY0.0.....0!kn0.0.0.0K0.0x..bW0f0O0`0U0D0.0....1.1.2.7.=.W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. ..0.0.0.0n0-..[.0.[.bU0[0.0.p.0.0.0.0.0.0.0o0

C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\0x0412.ini

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	14126
Entropy (8bit):	5.413031845668093
Encrypted:	false
SSDEEP:	192:NtPl0V894Pp/WwJTqSuQusVG5qyKBUxVzliQZWNtgHmYgHgsNSbiE/VRauG:+G94xOwJTqSuQB7VNtc3OS3VUV
MD5:	73E70A6B9354E80237C8E2B3170830A0
SHA1:	B4C8777CE9C2D2FFF4C0C914825CBE698FEAADAF
SHA-256:	316577CF74D3545D632B0DE55513A3511D654849655157CB84821B871EC081E9
SHA-512:	F15E736E7C0B55437B39869A0BBCE15D5365F04C70BE23FC373D83CE0E99E0A806244C1C44CD298DC4970D20AF6CB1198A9D84749F5D5AC02162C261B1460ED7
Malicious:	false
Reputation:	unknown
Preview:	..[.P.r.o.p.e.r.t.i.e.s.].....F.o.n.t.N.a.m.e.=.t.......F.o.n.t.S.i.z.e.=.9.........[.0.x.0.4.1.2.].....1.1.0.0.=.$.X. ...0.T. .$.X.....1.1.0.1.=.%.s.....1.1.0.2.=.%.2. ... ......X. .....0... .%.1.D.(.\|.). .$.X.`. .$.X. ......\|. ...D. ........ ..... .0.......$.......1.1.0.3.=..... ..... ..... .U.x. .......1.1.0.4.=.W.i.n.d.o.w.s.(.R.). .I.n.s.t.a.l.l.e.r. ..... .U.x. .......1.1.0.5.=.W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. .l.1. .......1.1.0.6.=.%.s. .l.1. .......1.1.0.7.=.$.X. ...\.....t. ......X. ....\... .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r.X. .l.1.D. .D......... .$.X.\|. ....X.$.t. ....\.D. .... ....t.\|. .i..... .".... ....". ...\|. .... ....\.D. .... .....X.....$.......1.1.0.8.=.%.s.....1.1.2.5.=.$.X. .... . .......1.1.2.6.=.$.X.X.. ..H. .....`. ....\|. .D...... . ...X.....$.......1.1.2.7.=.$.X. ...\.....t. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. ...D... .l.1.D. .D..X.$.t. ....\.D. .... ....t.\|. .i..... . ..... ....\.D. .... ....X.$.t. .[...].\|. .t..X...

C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\0x0413.ini

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	25000
Entropy (8bit):	3.4464436827428178
Encrypted:	false
SSDEEP:	192:iSdyxvO3iFoIuWyQLKHiSeBtcIA0YpE7jir/dX4dJgXpDAKTcm3tbcrnj8k:iIMO3sJdMpA6ViJguKTcmZcrj8k
MD5:	DC1C05A9FCE06CF659C20AED317DD417
SHA1:	2447C12E75ED0F4B5BD9D4C6ACB29AEE35562F23
SHA-256:	98D6CEEF6A444B9E8450ABEFC5B72BD6B0DF1CD5D7C7CD2822EB1BD186FF8526
SHA-512:	2CDD4932E279988B0DFEEFD86E5B997A9D5F5BC6780819D80293BAF5A9B0B56C9D0AA597150CADC1C7B2C329F5FEAF308F97FA22DD4B915050BCC6D911CDDA96
Malicious:	false
Reputation:	unknown
Preview:	..[.0.x.0.4.1.3.].....1.1.0.0.=.I.n.i.t.i.a.l.i.s.a.t.i.e.f.o.u.t. .v.o.o.r. .S.e.t.u.p.....1.1.0.1.=.%.s.....1.1.0.2.=.%.1. .S.e.t.u.p. .i.s. .b.e.z.i.g. .m.e.t. .h.e.t. .v.o.o.r.b.e.r.e.i.d.e.n. .v.a.n. .d.e. .%.2. .d.i.e. .u. .d.o.o.r. .d.e. .s.e.t.u.p. .v.a.n. .h.e.t. .p.r.o.g.r.a.m.m.a. .z.a.l. .l.e.i.d.e.n... .E.e.n. .o.g.e.n.b.l.i.k. .g.e.d.u.l.d.......1.1.0.3.=.B.e.z.i.g. .m.e.t. .h.e.t. .c.o.n.t.r.o.l.e.r.e.n. .v.a.n. .d.e. .v.e.r.s.i.e. .v.a.n. .h.e.t. .b.e.s.t.u.r.i.n.g.s.s.y.s.t.e.e.m.....1.1.0.4.=.B.e.z.i.g. .m.e.t. .h.e.t. .c.o.n.t.r.o.l.e.r.e.n. .v.a.n. .d.e. .v.e.r.s.i.e. .v.a.n. .W.i.n.d.o.w.s.(.R.). .I.n.s.t.a.l.l.e.r.....1.1.0.5.=.B.e.z.i.g. .m.e.t. .h.e.t. .c.o.n.f.i.g.u.r.e.r.e.n. .v.a.n. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r.....1.1.0.6.=.B.e.z.i.g. .m.e.t. .h.e.t. .c.o.n.f.i.g.u.r.e.r.e.n. .v.a.n. .%.s.....1.1.0.7.=.S.e.t.u.p. .i.s. .k.l.a.a.r. .m.e.t. .h.e.t. .c.o.n.f.i.g.u.r.e.r.e.n. .v.a.n. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. .o.p. .u.w. .s.y.s.t.e.e.m... .H.e.t.

C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\0x0416.ini

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	24142
Entropy (8bit):	3.50067586721218
Encrypted:	false
SSDEEP:	384:cuS60JBnWzm1xn9iW4WSWIWwWdW/WxW9W7WSWiAhWssvK4D:cT6YBosx9Ujsf
MD5:	88CF36612986147152BC34798D847FC8
SHA1:	C626EB6CA21D0BD8148C4990CA9BC3955A84AC2E
SHA-256:	FD410CE6CEA3FE21E0D45BA8A3A95459502275052C318971ECD548970DFCCDCF
SHA-512:	D5768CF9ECB1E158B3A9196CD340EB8DB5B294BB20433554D4D605C7A3AB4F7CA6027791FD63F011E68325AF52EB18D734B45F2FD670D109FF60E93B97D9A20D
Malicious:	false
Reputation:	unknown
Preview:	..[.0.x.0.4.1.6.].....1.1.0.0.=.E.r.r.o. .d.e. .i.n.i.c.i.a.l.i.z.a.....o. .d.o. .I.n.s.t.a.l.l.S.h.i.e.l.d. .W.i.z.a.r.d.....1.1.0.1.=.%.s.....1.1.0.2.=.O. .p.r.o.g.r.a.m.a. .d.e. .i.n.s.t.a.l.a.....o. .d.o. .%.1. .e.s.t... .p.r.e.p.a.r.a.n.d.o. .o. .%.2. .p.a.r.a. .a.j.u.d...-.l.o. .c.o.m. .o. .p.r.o.c.e.s.s.o. .d.e. .i.n.s.t.a.l.a.....o... . .A.g.u.a.r.d.e.......1.1.0.3.=.V.e.r.i.f.i.c.a.n.d.o. .a. .v.e.r.s...o. .d.o. .s.i.s.t.e.m.a. .o.p.e.r.a.c.i.o.n.a.l.....1.1.0.4.=.V.e.r.i.f.i.c.a.n.d.o. .a. .v.e.r.s...o. .d.o. .i.n.s.t.a.l.a.d.o.r. .d.o. .W.i.n.d.o.w.s.(.R.).....1.1.0.5.=.C.o.n.f.i.g.u.r.a.n.d.o. .o. .i.n.s.t.a.l.a.d.o.r. .d.o. .W.i.n.d.o.w.s.....1.1.0.6.=.C.o.n.f.i.g.u.r.a.n.d.o. .o. .%.s.....1.1.0.7.=.A. .i.n.s.t.a.l.a.....o. .c.o.m.p.l.e.t.o.u. .a. .c.o.n.f.i.g.u.r.a.....o. .d.o. .i.n.s.t.a.l.a.d.o.r. .d.o. .W.i.n.d.o.w.s. .e.m. .s.e.u. .s.i.s.t.e.m.a... .O. .s.i.s.t.e.m.a. .p.r.e.c.i.s.a. .s.e.r. .r.e.i.n.i.c.i.a.d.o. .p.a.r.a. .p.o.d.e.r. .c.o.n.t.i.n.u.a.r. .c.o.m. .a. .

C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\0x0419.ini

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	23432
Entropy (8bit):	4.02726434010301
Encrypted:	false
SSDEEP:	384:kiGLTiSapi6QnIw5sgVfCxOJebMVLDOU9L/esT:k/9tqMVLDOUJZ
MD5:	D12957CBC8D709DDACB854CCB7E09BEA
SHA1:	332F16C47A6F77390421E8DD9E1E5CD10625C46C
SHA-256:	79FE5A9A1DCD35ED68016FC5AA3720945F87A34C7B85F14763DC08F55796485E
SHA-512:	75351BAA104682FEDCC4B237C1DF1804C3C1EC2671E0200EAA4E37F26D1D28E3A6A33C93F6FF35CEC58E7701FA6A0961EFD7A2CBB44ED6C2CBD29D7C5DB057F5
Malicious:	false
Reputation:	unknown
Preview:	..[.0.x.0.4.1.9.].....1.1.0.0.=...H.8.1.:.0. .8.=.8.F.8.0.;.8.7.0.F.8.8. .?.@.>.3.@.0.<.<.K. .C.A.B.0.=.>.2.:.8.....1.1.0.1.=.%.s.....1.1.0.2.=.%.1. ...4.5.B. .?.>.4.3.>.B.>.2.:.0. .:. .7.0.?.C.A.:.C. .<.0.A.B.5.@.0. .%.2.,. .2.K.?.>.;.=.O.N.I.5.3.>. .C.A.B.0.=.>.2.:.C. .?.@.>.3.@.0.<.<.K... . ...4.8.B.5.......1.1.0.3.=...@.>.2.5.@.:.0. .2.5.@.A.8.8. .>.?.5.@.0.F.8.>.=.=.>.9. .A.8.A.B.5.<.K.....1.1.0.4.=...@.>.2.5.@.:.0. .2.5.@.A.8.8. .?.@.>.3.@.0.<.<.K. .C.A.B.0.=.>.2.:.8. .W.i.n.d.o.w.s.(.R.).....1.1.0.5.=...0.A.B.@.>.9.:.0. .?.@.>.3.@.0.<.<.K. .C.A.B.0.=.>.2.:.8. .W.i.n.d.o.w.s.....1.1.0.6.=...0.A.B.@.>.9.:.0. .%.s.....1.1.0.7.=...@.>.3.@.0.<.<.0. .C.A.B.0.=.>.2.:.8. .7.0.2.5.@.H.8.;.0. .=.0.A.B.@.>.9.:.C. .?.@.>.3.@.0.<.<.K. .C.A.B.0.=.>.2.:.8. .W.i.n.d.o.w.s. .2. .A.8.A.B.5.<.5... ...;.O. .?.@.>.4.>.;.6.5.=.8.O. .C.A.B.0.=.>.2.:.8. .=.5.>.1.E.>.4.8.<.>. .?.5.@.5.7.0.?.C.A.B.8.B.L. .A.8.A.B.5.<.C... ...0.6.<.8.B.5. .:.=.>.?.:.C. ."...5.@.5.7.0.?.C.A.:.".,. .G.B.>.1.K. .?.5.@.5.7.0.

C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\0x0804.ini

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	10760
Entropy (8bit):	5.78352212360944
Encrypted:	false
SSDEEP:	192:Nw8vvP/KID2jmCt1bRNJQYRyljRpRIHDJCL0PvrmeAdovo/BVEU3EDa+7VUX7AoU:7XD65P9PvabCU6l7
MD5:	3D94EA458231BB249E464A3246E47D39
SHA1:	A1660EFACE2D76B3BAB6E21980D64EC5DA9A3844
SHA-256:	B1422D24B8B703541404776BADF70D377DF435D519CC5FFF2EE6666581CE407C
SHA-512:	46BFBD5D1D86CFFCEEF1316B13815B1D9A099E247ECB7CA12974107F921787EAA917DDC04BB937C7BF293EAFF12A45B56952174C1059EB42B325DBBC48CE4FA4
Malicious:	false
Reputation:	unknown
Preview:	..[.P.r.o.p.e.r.t.i.e.s.].....F.o.n.t.N.a.m.e.=..[SO....F.o.n.t.S.i.z.e.=.9.........[.0.x.0.8.0.4.].....1.1.0.0.=..[..z.^.R.Y.S.......1.1.0.1.=.%.s.....1.1.0.2.=.%.1. ..[..z.^ck(W.Q.Y .%.2....[.\._.[.`.[.biRYO.v.[...z.0...z.P.0....1.1.0.3.=.ck(W.h.g.d\O.\|.~Hr,g....1.1.0.4.=.ck(W.h.g .W.i.n.d.o.w.s.(.R.). .I.n.s.t.a.l.l.e.r. .Hr,g....1.1.0.5.=.ck(WM.n. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r.....1.1.0.6.=.ck(WM.n. .%.s.....1.1.0.7.=..[..z.^.](W.`.v.\|.~-N.[.b.N .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. ..vM.n..0 .......e/T.R.\|.~.N.O.~.~.[..0 ...US.Q. ..e/T.R. eg..e/T.R.\|.~.0....1.1.0.8.=.%.s.....1.1.2.5.=....b.[..z.^.v.......1.1.2.6.=..N.N.N..y.-N...bdk.[..z.^.v....0....1.1.2.7.=.I.n.s.t.a.l.l.e.r. .._{...e/T.R.`.v.\|.~..Mb...[.b .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. ..g.R.vM.n..0US.Q"./f"..S.zsS..e/T.R..US.Q".&T"..R.S(W.N.T/T.R.0....1.1.2.8.=..[..z.^.\.[.b .'.%.s.'. ..f.e.0/f&T.~.~......1.1.2.9.=.dk:ghV.].[....eHr .'.%.s.'..0.[..e.l.~.~.0....1.1.3.0.=.nx.[....1.1.3.1.=..S.m....1.

C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\0x0816.ini

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	24772
Entropy (8bit):	3.4962564786346575
Encrypted:	false
SSDEEP:	384:ol0dQRxCLgWg2HuLWaQWIWdW7WwW8WtWxWdU0eWrWDWqWeRlWNudBv0s4n:omd0xCLa+i9g0kGudBch
MD5:	F5647EC2FA6F96103629860955AAED3C
SHA1:	960398A7F4406F91F37148DE2E83A86B660CFAD3
SHA-256:	C1ED2933A2CCB3B82F7A952741BF4C6D4F653D4997855C341F365671FCB9E87D
SHA-512:	CCDAB8B0884BDD7C55736EE419AAD5713B36DD9590232EA6BBCDFCE2A05058AAF708F0D19D42C450C2E3E7B82AD72D860B1CD21EA0C3671236DA5EFDDFCEBC5F
Malicious:	false
Reputation:	unknown
Preview:	..[.0.x.0.8.1.6.].....1.1.0.0.=.E.r.r.o. .n.a. .i.n.i.c.i.a.l.i.z.a.....o. .d.o. .p.r.o.g.r.a.m.a. .d.e. .c.o.n.f.i.g.u.r.a.....o.....1.1.0.1.=.%.s.....1.1.0.2.=.O. .p.r.o.g.r.a.m.a. .d.e. .c.o.n.f.i.g.u.r.a.....o. .%.1. .e.s.t... .a. .p.r.e.p.a.r.a.r. .o. .%.2. .q.u.e. .o. .o.r.i.e.n.t.a.r... .a.o. .l.o.n.g.o. .d.o. .p.r.o.c.e.s.s.o. .d.e. .c.o.n.f.i.g.u.r.a.....o. .d.o. .p.r.o.g.r.a.m.a... . .A.g.u.a.r.d.e.......1.1.0.3.=.A. .v.e.r.i.f.i.c.a.r. .a. .v.e.r.s...o. .d.o. .s.i.s.t.e.m.a. .o.p.e.r.a.t.i.v.o.....1.1.0.4.=.A. .v.e.r.i.f.i.c.a.r. .a. .v.e.r.s...o. .d.o. .p.r.o.g.r.a.m.a. .d.e. .i.n.s.t.a.l.a.....o. .d.o. .W.i.n.d.o.w.s.(.R.).....1.1.0.5.=.A. .c.o.n.f.i.g.u.r.a.r. .o. .p.r.o.g.r.a.m.a. .d.e. .i.n.s.t.a.l.a.....o. .d.o. .W.i.n.d.o.w.s.....1.1.0.6.=.A. .c.o.n.f.i.g.u.r.a.r. .o. .%.s.....1.1.0.7.=.C.o.n.f.i.g.u.r.a.....o. .d.o. .p.r.o.g.r.a.m.a. .d.o. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. .n.o. .s.i.s.t.e.m.a. .c.o.n.c.l.u...d.a... ... .n.e.c.e.s.s...r.i.o. .r.e.i.n.i.c.i.a.r. .o.

C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetup.dll

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, PECompact2 compressed
Category:	dropped
Size (bytes):	624128
Entropy (8bit):	7.682447840603514
Encrypted:	false
SSDEEP:	12288:DG0Drt8hYjUSwYA7UCT9Te8so/Qf26dI9WgHnV:DfIYSLM8soYQ9Wg1
MD5:	A1F4859765FB2831E9E938978786E5A9
SHA1:	7E3FA7EC11142A2D4D39021466E295DF28E16D1A
SHA-256:	239FD6526AD6DEFA186CAADC6352BCE3E5F1DBA80B938960A46F909645B1FAC0
SHA-512:	19453A30E014D2EDEDDE5055F74C34102D2AAD0F7AC6BD9A77EEC0DC668D189A70BDA7EAA360BF1EA4D28A423B760472E71650DA6CB6221E2A8357163C1855A3
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......l...(..G(..G(..G...G+..GS..G,..G...G6..GG..G+..Gv..G..G...G..G..G$..G..G'..G(..G&..G...G...G...G...G..G)..G..G)..GRich(..G........PE..L......V...........!................h........ ..........................................................................G...\|...8...........................................................................................@7.......................text............x......PEC2MO...... ....rsrc................\|.............. ....reloc..............................@...................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\Microsoft .NET Framework 4.0 Full.prq

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	882
Entropy (8bit):	5.5315549627548615
Encrypted:	false
SSDEEP:	24:2dJER/304bIH4aSHqoBqd4zo7bR7FXBM+3itCv:cJER/EiI+JbzoHR7fSO
MD5:	A41C92076196F22C499456E28B717307
SHA1:	8A02F9E07F8147DC0BD1E80F036D948A998D96DA
SHA-256:	86F0C3170240059A4B5559FA37A67BA1B1E0FC63AC05618BC25873921DD9C2EC
SHA-512:	4DBBBA684655919F2E0C9CFDADF8DC1952B3024493153127CCE900E91FB777F20E8BECE953F294CE565474411A52DD2C23C5B1A3E074BD04335152BBEBB2DCD6
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-8"?>..<SetupPrereq>...<files>....<file LocalFile="<ISProductFolder>\\\SetupPrerequisites\Microsoft .net\4.0\Full\dotNetFx40_Full_x86_x64.exe" URL="http://download.microsoft.com/download/9/5/A/95A9616B-7A37-4AF6-BC36-D6EA96C8DAAE/dotNetFx40_Full_x86_x64.exe" CheckSum="251743DFD3FDA414570524BAC9E55381" FileSize="0,50449456"></file>...</files>...<execute file="dotNetFx40_Full_x86_x64.exe" cmdline="/q /norestart" cmdlinesilent="/q /norestart" returncodetoreboot="1641,3010" requiresmsiengine="1"></execute>...<properties Id="{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}" Description="This prerequisite installs the .NET Framework 4.0 full standalone package." AltPrqURL="http://saturn.installshield.com/is/prerequisites/microsoft .net framework 4.0 full.prq"></properties>...<behavior Hidden="1" Failure="4" Reboot="4"></behavior>..</SetupPrereq>..

C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\Microsoft .NET Framework 4.6.2 Full.prq

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	852
Entropy (8bit):	5.574649055595306
Encrypted:	false
SSDEEP:	24:2dJg3lZjK5iQNo7qd4zo73IFs7NbBMMZ3w6Cv:cJgbgiQebzoB7Ntw
MD5:	2C483E72FFE687F26F1786EF83AB0B90
SHA1:	FAEBCD011FDA46E81CCBA651C6F366F1FF3CA560
SHA-256:	1EBE32F9DABE5633C32284CF408BFDE5B0030C6A11296F68587B370C205D64E6
SHA-512:	6283FE7F4B8DE81DD8E69DCEBE635625CAE192367EB4E8663EEA8D4C85A5A369342C6399A27193E13E387B13F8385F79E0A52169D2AC49FAAE65391FC6D57C34
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-8"?>..<SetupPrereq>...<files>....<file LocalFile="<ISProductFolder>\\SetupPrerequisites\Microsoft .net\4.6.2\Full\NDP462-DevPack-KB3151934-ENU.exe" URL="https://www.microsoft.com/en-us/download/confirmation.aspx?id=53345" CheckSum="55BA952927271EE000AC9E9C29A773A2" FileSize="0,86788848"></file>...</files>...<execute file="NDP462-DevPack-KB3151934-ENU.exe" cmdline="/q /norestart" cmdlinesilent="/q /norestart" returncodetoreboot="1641,3010" requiresmsiengine="1"></execute>...<properties Id="{BD1DE5DB-9AF6-4647-9DE2-13250D1D902A}" Description="This prerequisite installs the .NET Framework 4.6.2 Web Installer package." AltPrqURL="http://saturn.installshield.com/is/prerequisites/Microsoft .NET Framework 4.6.2 Web.prq"></properties>...<behavior Hidden="1" Failure="4" Reboot="4"></behavior>..</SetupPrereq>..

C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\Microsoft Visual C++ 2010 Redistributable Package (x64).prq

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	870
Entropy (8bit):	5.534055912980872
Encrypted:	false
SSDEEP:	24:2dJObIyqy6lklZbowqd4zo7vg78PUyA3iM+v0hjDCv:cJMIBy6KlZTbzoU78POSv+jo
MD5:	80DDC85DF5C906B7F99B35B791BDFF10
SHA1:	39FE138666E0651D14B3F7E0F5E88990782D471F
SHA-256:	00BD1654C27BC26796A5ED6749EC66B59C153FD85AD9602E826A624E471BDB84
SHA-512:	F1DEBA415D85923A8F949CC3178B3CF2D4F729594A0040EF6CD15E42A38FE7371115E5A0134C20B754C19600AC55D56082D71F7FABEFBBBC5EF1AF792B961752
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-8"?>..<SetupPrereq>...<files>....<file LocalFile="<ISProductFolder>\SetupPrerequisites\VC 2010 Redist\x64\vcredist_x64.exe" URL="http://download.microsoft.com/download/3/2/2/3224B87F-CFA0-4E70-BDA3-3DE650EFEBA5/vcredist_x64.exe" CheckSum="630D75210B325A280C3352F879297ED5" FileSize="0,5718872"></file>...</files>...<execute file="vcredist_x64.exe" cmdline="/q /norestart" cmdlinesilent="/q /norestart" returncodetoreboot="1641,3010" requiresmsiengine="1"></execute>...<properties Id="{8A102FA5-9E73-477b-8937-2ED4C06AF304}" Description="This prerequisite installs the Microsoft Visual C++ 2010 Runtime Libraries (x64)." AltPrqURL="http://saturn.installshield.com/is/prerequisites/microsoft visual c++ 2010 redistributable package (x64).prq"></properties>...<behavior Hidden="1" Failure="4" Reboot="4"></behavior>..</SetupPrereq>..

C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\Microsoft Visual C++ 2010 Redistributable Package (x86).prq

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1016
Entropy (8bit):	5.5327569153074005
Encrypted:	false
SSDEEP:	24:2dJ2BbIkrBPOosqd4zofSrB+V78PUyAmM+v0hjfCv:cJgIkrlIbzoKrsV78POWv+jE
MD5:	460D807CA0FCB1F58539341DF0CA148D
SHA1:	3A534427F1B6B1BA5B538632409DC6B74CDED8C8
SHA-256:	E3FB60799EAA6D77FE7BF66A701B0F939EEB8FE3EBBB0BD13FC4379CB31E5B1F
SHA-512:	CC987917D55207CD86BD7D19A998B8E89B9392CFAF51BAFE3C55F5B7D1B4488D3B18FAAF2A32923C5094D271519DE7EF2CAD80C3301604DEDA0F761EF5FE9D4A
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-8"?>..<SetupPrereq>...<files>....<file LocalFile="<ISProductFolder>\SetupPrerequisites\VC 2010 Redist\x86\vcredist_x86.exe" URL="http://download.microsoft.com/download/5/B/C/5BC5DBB3-652D-4DCE-B14A-475AB85EEF6E/vcredist_x86.exe" CheckSum="B88228D5FEF4B6DC019D69D4471F23EC" FileSize="0,5073240"></file>...</files>...<execute file="vcredist_x86.exe" cmdline="/q /norestart" cmdlinesilent="/q /norestart" returncodetoreboot="1641,3010" requiresmsiengine="1"></execute>...<dependencies>....<dependency File="<ISProductFolder>\SetupPrerequisites\Windows Installer 3.1 (x86).prq"></dependency>...</dependencies>...<properties Id="{83960519-644A-4722-BA7A-37D23C1D004F}" Description="This prerequisite installs the Microsoft Visual C++ 2010 Runtime Libraries (x86)." AltPrqURL="http://saturn.installshield.com/is/prerequisites/microsoft visual c++ 2010 redistributable package (x86).prq"></properties>...<behavior Hidden="1" Failure="4" Reboot="4"></behavior>..

C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\Windows Installer 3.1 (x86).prq

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1613
Entropy (8bit):	5.379991792486219
Encrypted:	false
SSDEEP:	48:cmx7JdOue1nQb+9n6R9nhL5eofOlCIpdln6l1Xz0ws737JI:t7Pano+9nu9nhL57SCIpfnW1j0DW
MD5:	2CEE8889AB159E0071065B7B01A04A54
SHA1:	FE0D3E5B4078E15E98E98176D74AE414359F1F48
SHA-256:	7C452695E76E194D70EEAAF791B5A29354C268918169DA3F849D87EEBAD5F4C3
SHA-512:	5139B28E5B47C971204AAA4407576603C683B0C6C39A7EBD30F652FCF94EA64D3AC7C54A3E9AAF992E56362D6F6CCD3DB111E14659AB2198FB25856107756F21
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-8"?>..<SetupPrereq>...<conditions>....<condition Type="16" Comparison="2" Path="[SystemFolder]" FileName="msi.dll" ReturnValue="3.1.4000.2435"></condition>...</conditions>...<operatingsystemconditions>....<operatingsystemcondition MajorVersion="5" MinorVersion="0" PlatformId="2" CSDVersion="" ServicePackMajorMin="3"></operatingsystemcondition>....<operatingsystemcondition MajorVersion="5" MinorVersion="1" PlatformId="2" CSDVersion="" Bits="1" ProductType="1"></operatingsystemcondition>....<operatingsystemcondition MajorVersion="5" MinorVersion="2" PlatformId="2" CSDVersion="" Bits="1" ProductType="2\|3" ServicePackMajorMax="0"></operatingsystemcondition>...</operatingsystemconditions>...<files>....<file LocalFile="<ISProductFolder>\SetupPrerequisites\Windows Installer\3.1\x86\WindowsInstaller-KB893803-v2-x86.exe" URL="http://download.microsoft.com/download/1/4/7/147ded26-931c-4daf-9095-ec7baf996f46/WindowsInstaller-KB893803-v2-x86.exe" FileSize="0

C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	50449456
Entropy (8bit):	7.999857855558976
Encrypted:	true
SSDEEP:	1572864:cAVBjIQSzQe3cf7xOCHKYrLn+XxdjrALIjOqWY99:VVBIbzQe3u7KYrCDS9299
MD5:	251743DFD3FDA414570524BAC9E55381
SHA1:	58DA3D74DB353AAD03588CBB5CEA8234166D8B99
SHA-256:	65E064258F2E418816B304F646FF9E87AF101E4C9552AB064BB74D281C38659F
SHA-512:	241BA3F82F37818407BC00909C160B653B45A1A3D156E043B87BA18A7819294716705C952C7B46516C4AFD86E6F99BAD23E7235B951A371AE6728107F19E5F23
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............}...}...}...,...}......}.......}...//..}.../...}.../...}.......}...}...}...,+..}...,/..}...,...}...,...}...,...}..Rich.}..........................PE..L......J.........."..........^...................@..........................@............@...... ..................@.......D...........................p.......l....................................V..@............................................text.............................. ..`.data....7..........................@....boxld01............................@..@.rsrc...............................@..@.reloc...(.......*..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{57bcd1d4-2de9-49d9-bc0c-3f4263e9970e}\WindowsInstaller-KB893803-v2-x86.exe

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2585872
Entropy (8bit):	7.976224453143546
Encrypted:	false
SSDEEP:	49152:nKiC/rk62xWNol+5gOsLO66qJ6021cJjLtk4pWGNG5VGFPNqJyoTL:orZ23AbsK6Ro022JjL2WEiVqJZL
MD5:	342F79337765760AD4E392EB67D5ED2C
SHA1:	8318455B36BA0A748307459279D46F2F4CDB5A0E
SHA-256:	69B61B2C00323CEA3686315617D0F452E205DAE10C47E02CBE1EA96FEA38F582
SHA-512:	70F32D415C70A97EECF0280EE9E6B10DB8F367EECFEDD92FCA6155A7DB19A776D2A96D5FCDBDE847036F4D7CF2E69B1D6DF6C073025582097F28C71F607B7E12
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5{.!q..rq..rq..rq..r...rQc.r`..rQc.r`..rQc.rp..rQc.rp..rRichq..r........................PE..L.....A.................~... .......^... ........... ................................(.......... .....................................0............Z'..............!............................................... ...............................text....\|... ...~.................. ..`.data...............................@....rsrc...0.........&.................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{83960519-644A-4722-BA7A-37D23C1D004F}\vcredist_x86.exe

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5073240
Entropy (8bit):	7.998813387067771
Encrypted:	true
SSDEEP:	98304:RuLgywiN1ah6HcG0UJrN7SDgndrHZDMeaNNjt0CKKBgY2r71pZ/APaOR72HgQo0z:I7wq1W6HqULS8djZDTaNNeCKVP5ORsg0
MD5:	B88228D5FEF4B6DC019D69D4471F23EC
SHA1:	372D9C1670343D3FB252209BA210D4DC4D67D358
SHA-256:	8162B2D665CA52884507EDE19549E99939CE4EA4A638C537FA653539819138C8
SHA-512:	CDD218D211A687DDE519719553748F3FB36D4AC618670986A6DADB4C45B34A9C6262BA7BAB243A242F91D867B041721F22330170A74D4D0B2C354AEC999DBFF8
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#pA.B...B...B..gM...B...B...B..gMC..B..gMA..B..gM@..B..gMD..B..Rich.B..........................PE..L....jkG.............................c... ........... ..............................hzM.......... ...................................................RM.X........... "...............................&..@............ ...............................text........ ...................... ..`.data...............................@....rsrc.............L.................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{8A102FA5-9E73-477b-8937-2ED4C06AF304}\vcredist_x64.exe

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5718872
Entropy (8bit):	7.999141578918811
Encrypted:	true
SSDEEP:	98304:EuLgywiNHBeSLxYK/bxE3q/BlZkWMGPQflVJ/EK1sLyzs2T2Q1mOjq4/:V7wqheSVYK/bua/BlWWnuVhsus8nm+qi
MD5:	630D75210B325A280C3352F879297ED5
SHA1:	B330B760A8F16D5A31C2DC815627F5EB40861008
SHA-256:	B06546DDC8CA1E3D532F3F2593E88A6F49E81B66A9C2051D58508CC97B6A2023
SHA-512:	B6E107FA34764D336C9B59802C858845DF9F8661A1BEB41436FD638A044580557921E69883ED32737F853E203F0083358F642F3EFE0A80FAE7932C5E6137331F
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#pA.B...B...B..gM...B...B...B..gMC..B..gMA..B..gM@..B..gMD..B..Rich.B..........................PE..L....jkG.............................c... ........... ...............................3X.......... ...................................................,W.X........... "...............................&..@............ ...............................text........ ...................... ..`.data...............................@....rsrc.............V.................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{BD1DE5DB-9AF6-4647-9DE2-13250D1D902A}\NDP462-DevPack-KB3151934-ENU.exe

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	86788848
Entropy (8bit):	7.999877963075258
Encrypted:	true
SSDEEP:	1572864:Tbutk/VhxWw8CoP4pN5U8J50zcrP7rFtZ2dKEw6unC2jPXjiVPzu3jAcp6tfe:CSVhxlcPiN5nogP7rFiAz3z/jkuAcYF
MD5:	55BA952927271EE000AC9E9C29A773A2
SHA1:	E9662691AB9E6CE2D1EEEBB9F94524707375B5ED
SHA-256:	E21D111FCA26C1B39CC09A619127A962137C242CE086AD25B8B5E097A0C8E199
SHA-512:	1C2D25371C9469E7D23EFF61C2C2A0C28F0AF5442744AEBB69CA9179E4D796414AC963A418235943C9A6A7F108FBE72E2DA6C308A6DEBF508791C541E2CA9784
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........-.}}~.}}~.}}~...~.}}~...~.}}~...~.}}~...~.}}~.}\|~.\|}~...~.}}~...~.}}~.}.~.}}~...~.}}~Rich.}}~........PE..L...!:.T.....................6....................@..........................P........,...@..................................5..@........8............,..>.......3.. ...............................X...@............................................text...$........................... ..`.rdata..L...........................@..@.data....0...`.......:..............@....wixburn8............J..............@..@.tls.................L..............@....rsrc....8.......:...N..............@..@.reloc..rD.......F..................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\data1.cab

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	InstallShield CAB
Category:	dropped
Size (bytes):	54808537
Entropy (8bit):	7.99876508220103
Encrypted:	true
SSDEEP:	1572864:AJ/OBuxg7TTMgHmQTs1UExFZQNZhJ7IeAjZfs2:AJ/OBjTtdTs1UExFZaFxAx5
MD5:	65CFAAE3E506C9AA2A9764F1736FF38F
SHA1:	021F54C82207A30F536C7EE3EA69D269E693B4C9
SHA-256:	09741DAC76C1AA5D4A46494A3E0775CA616550ABBE3888DBBB6EC401832728AC
SHA-512:	BC26D63C587DACFA6C1F877DCFE276644D8B1CADFD1A89BCE5315865463F60400B838A96F493140DC56797114B7435494561530CD98AE0EF747F51A06EC31250
Malicious:	false
Reputation:	unknown
Preview:	ISc(l...........................f............................................................................................................................................................................................................................................................................................................................................................9...N..I..^.....................S:..A..("6"..r..E...H.;@`...h.....#.N.`L.".l....................................................+.....6.=U....q%..IQR.ag.c7UY..z.~..H."l.`.hdeJ.......sx.r.2...`w.otS.D.......b..YL...}e.....l2.Q.!...h.."O.....dV6.%.......E-\.0........ ..kH..Tif`.V...KRS!5CA..$..Y....P...k....E.......An}.j...`.I..\.i.)0..&......=p......f..@..9p......n.J.bF...:W..J1...n..b.R. 7.3........:..a.p....l..<...<+.oWW{'b..=`.....Xi...7.........i..7.F.G.z.u..,z.K..:....O.....=.A<.a...0.=m.<......C..}.'....M_....x>.a..,Ul..Fq..a_\).......,..>...g.\..i.1i......n...>..+..*~.e.....q.\|..C

C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\data1.hdr

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	InstallShield CAB
Category:	dropped
Size (bytes):	162815
Entropy (8bit):	4.080610091980609
Encrypted:	false
SSDEEP:	1536:Nr4qY8/DW+dZ7EOV3X0L8MrLw6SMFldPUcX4cnKd7Byxl+KdX6+UluYjF/ui+2jR:ZVhJKxjmX
MD5:	29E0F2F27A360E991B83345EA3FBDE7D
SHA1:	DCCCB59AF0C321A1DE5563E936B4B760BCEE0B6C
SHA-256:	6FE5FEEFECE89D8E9CEF5748C96D778759A8DD898FB1D120C05180D8ECDE837E
SHA-512:	E1D0BB9AE435CADE4771531A507B18CC1618B7954020B8DD946373DB089D880019A0B1ADEA2B0BA8552A8817C9D9E30990F89CB9ED0AAA1CEA350ACD2A13079B
Malicious:	false
Reputation:	unknown
Preview:	ISc(l.........../_...{..........................................................................B~.........................................................................................................................................................................................................................................................................................9...N..I..^.....................S:..A..("6"..r..E...H.;@`...h.....#.N.`L.".l....................................................qJ........../_......................L.......L......(..........u,...,...,...,...,...........,...,...,...,...-..5-..A-..M-..}-...-...-...-..............1...........a......................../..E/..Q/..............i/..u/.../.../.../.../......./.../.../.............../.../......./.......0...0.......0..)0..........50..........A0..Y0..e0..}0...0...0...............0...........0...................................0.......................0...0.......0...............1...........................1

C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\layout.bin

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	data
Category:	dropped
Size (bytes):	2384
Entropy (8bit):	3.4577970172580654
Encrypted:	false
SSDEEP:	48:FbTws6MFj3lOrjM/8v2NkhPRuhPlCbKRBOmyO:FXlf/kZUZUWZyO
MD5:	35308A914057746D647522C80386B555
SHA1:	25D119F844A36B2CEAAC9451D47051DC9FD41B8B
SHA-256:	4A3AFDC1E4B20EFF0103583963F4905378A3B59E72AA9B7C08AC3D7294D95F7D
SHA-512:	363A594F1FDAC65A8B453A984A32B03CE964666FAAF6B1E77F987D5257B0586B5BAACB44815B7996B3F7E3387C88286C0E5A7366ADE802C4A0D3B830995990DD
Malicious:	false
Reputation:	unknown
Preview:	c..S.@..P..........@.(.................................................................................................................................................................................................................................................... . ................... ...6...J.......p.......z.......\|......................................."...8...N...d...z...............................&...:...4...4.......................................(...4...4...4...4...4...4...4...4...4...4...4...4...4...4...4...4...4...4...4...4...s.e.t.u.p...i.n.i.....s.e.t.u.p...e.x.e...M.i.c.r.o.s.o.f.t. ...N.E.T. .F.r.a.m.e.w.o.r.k. .4...0. .F.u.l.l...p.r.q...I.S.S.e.t.u.p.P.r.e.r.e.q.u.i.s.i.t.e.s...d.o.t.N.e.t.F.x.4.0._.F.u.l.l._.x.8.6._.x.6.4...e.x.e...I.S.S.e.t.u.p.P.r.e.r.e.q.u.i.s.i.t.e.s.\.{.3.2.D.7.E.3.D.1.-.C.9.D.F.-.4.F.A.6.-.9.F.9.B.-.4.D.5.1.1.7.A.B.2.9.1.7.}...M.i.c.r.o.s.o.f.t. ...N.E.T. .F.r.a.m.e.w.o.r.k. .4...6...2. .F.u.l.l...p.r.q...N.D.P.4.6.2.-.D.e.v.P.a.c.k.-.K.B.3.1.5.

C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\setup.exe

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	899584
Entropy (8bit):	6.634097534067204
Encrypted:	false
SSDEEP:	6144:NihqjC12el65limzYmGJMbu5GB7BhraDgqnperwtSak6tEnq80iFqKSJGBCGvVpi:WkHi6GJMS5sh5qpmtsrKfF3qUC+q
MD5:	0AF63F5DA767CFDE6DE4F770CA1D43CF
SHA1:	EE65CDD7C3AE594F49A3AD90EF213B910614E4BF
SHA-256:	9FB2722457D9D14835C26AB97BCD6C4568D0F3F2E32A14E54A4A797FBDEA180E
SHA-512:	15160588A9544EABD1D3E6DFE8D3221DB64D32469590012062A23772D51F623E74CB1C5D412AB633E403ECDF462F69436BC597A3F321761A56351F5A69CB7560
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Oi............Q1.......2......:2.......1..........0...c........."........../..C...............~(......Rich............PE..L..../.V.................\...Z......=........p....@..........................................................................<.......................................................................................p..d....5.. ....................text....[.......\.................. ..`.rdata.......p.......`..............@..@.data...d....`.......L..............@....rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\setup.ini

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	3218
Entropy (8bit):	3.707704974093079
Encrypted:	false
SSDEEP:	96:rsAM4A1crEtiqrvnp6kY05w7tCYOvlnAMXDczb0pxwZxZF:w51Bzr/p0050t4vjz00pW
MD5:	26F679F0945CBA869E3E2245E0090D72
SHA1:	693D69335ABC02F278970F53CEA702EC4F25FA8B
SHA-256:	E3C7091D0E7405CC6F248DBC7A71463F9ED01D1D0B5BD465175EDB80F593DA23
SHA-512:	3D739A5C24BB3D828C4E4841764CE98075C99810034FA01E590EEDFAF82A3E890EE58AF3B47FBB47552C0B5EA2216AFF0DEC433836C92733EFB2389CF025488E
Malicious:	false
Reputation:	unknown
Preview:	..[.S.t.a.r.t.u.p.].....P.r.o.d.u.c.t.=.O.n.S.c.r.e.e.n. .C.o.n.t.r.o.l.....P.r.o.d.u.c.t.G.U.I.D.=.E.5.C.1.B.3.3.9.-.0.E.4.E.-.4.9.A.5.-.8.5.9.E.-.5.E.1.D.E.1.9.3.8.7.0.6.....C.o.m.p.a.n.y.N.a.m.e.=.L.G. .E.l.e.c.t.r.o.n.i.c.s. .I.n.c.....C.o.m.p.a.n.y.U.R.L.=.h.t.t.p.:././.w.w.w...l.g.e...c.o.m.....E.r.r.o.r.R.e.p.o.r.t.U.R.L.=.h.t.t.p.:././.w.w.w...i.n.s.t.a.l.l.s.h.i.e.l.d...c.o.m./.i.s.e.t.u.p./.P.r.o.E.r.r.o.r.C.e.n.t.r.a.l...a.s.p.?.E.r.r.o.r.C.o.d.e.=.%.d. .:. .0.x.%.x.&.E.r.r.o.r.I.n.f.o.=.%.s.....M.e.d.i.a.F.o.r.m.a.t.=.1.....L.o.g.M.o.d.e.=.1.....S.k.i.n.=.s.e.t.u.p...i.s.n.....S.m.a.l.l.P.r.o.g.r.e.s.s.=.N.....S.p.l.a.s.h.T.i.m.e.=.....C.h.e.c.k.M.D.5.=.Y.....C.m.d.L.i.n.e.=.....S.h.o.w.P.a.s.s.w.o.r.d.D.i.a.l.o.g.=.N.....S.c.r.i.p.t.D.r.i.v.e.n.=.4.........[.L.a.n.g.u.a.g.e.s.].....D.e.f.a.u.l.t.=.0.x.0.4.0.9.....S.u.p.p.o.r.t.e.d.=.0.x.0.8.0.4.,.0.x.0.4.0.4.,.0.x.0.4.1.3.,.0.x.0.4.0.9.,.0.x.0.4.0.c.,.0.x.0.4.0.7.,.0.x.0.4.1.0.,.0.x.0.4.1.1.,.0.x.0.4.1.2.,.0.x.0.4.1.6.,.0.

C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\setup.inx

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	data
Category:	dropped
Size (bytes):	263335
Entropy (8bit):	7.385341141702601
Encrypted:	false
SSDEEP:	3072:j8jnE+rziLW8F77/ZPxcejZanFcij4+2YRT99r0rbs3301y3s03pHE7ctfNZpJHR:j8jE6iLWKtZaaeFPEfy3s0Zkwt79WinZ
MD5:	FBE553A541574E5DF388139AAE5B4AA2
SHA1:	4A761EA0BB4DAE31097A13C63739F000573DB2C1
SHA-256:	FC9CC5F64031771C6E636BA2F925218DF2EC2BD1C80DA99E42ED4021FF163B99
SHA-512:	02D7B66B7BC691183D31648055C21B0EA8E1119FEAC4FE2165D7C2D08199387F5C36BAC505B37E9D07B900B64CF55A9073CCA5D89BDEE2E87B14FAF6C7E1C163
Malicious:	false
Reputation:	unknown
Preview:	t.,....(... <$.M. .=..........l.............o.c...gWSl..SW..WS[//d.d l$.XX%.......................q.y}a_=mQ.Y]A=.M1.)-!.)........................................}...m..q]}}aMm.U=].E-M.5.=.%.-...............................]......a..(..H....YQQEY.0.o=55.={.gC[..W.....O.So##` ......,..x8........X......]..H.........5MM.5s..gW.CKgCC.....;..TDh..8P@........8.....p.e..Q...\| h......%]1II.1....S[wSS.[.G.W.o....L.`H ..D.. ........t....L......ayyIa......s..w!99.!....Gs[K[............T,.0,,......\|(.....l...P...yyy!a...........w.o.....W.;o?g..+O.....4.,$\.@....<......l......}uuI}.4..@....!99.!..s.w..3{.SGk.......0.D4\.... H.............4...Ye}!e. ..D....c.w......w3.;#.#C.[.THl....(.<,4p,.$.......a..t...8..L..YQQ=Y...w.{o..`.--..S.w3.7+kk .....$..H8@.X,0...y...........x...H...1miMQ.c4....{%9-%%.-c.sO.....'7?..... @\D.....H...................iuUaaUi...MEE%M..gk........?.7wK.....@.\|$d8......$.<................e}}Qe...I]1II.1.W.[.c_.;[s.....g..W..L<l...

C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\setup.isn

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	Atari MSA archive data, 53900 sectors per track, starting track: 22332, ending track: 3470
Category:	dropped
Size (bytes):	260021
Entropy (8bit):	6.694949702521348
Encrypted:	false
SSDEEP:	6144:qsIKmUhmFIr3hK5aKN+SepcSjP23O3yjlD3trv0:UaQU
MD5:	AE2D8A450097B805681CF7353D2156DC
SHA1:	CFFC8C62295F8DC4571BD3A3ECFFD5C4AE818E0B
SHA-256:	566479EDE0B15838C3E89D7BC39D35B9EABD825080C052C0F139C70E295F01B5
SHA-512:	5A6B9ED7F4E920E974C22A83FCA19062D117356A759571F7AFD47A56D75EA784038441C309548BBFB8255EAF7F0F8496EBFEBCD7CF06713D6E0A3B6244A5EDFD
Malicious:	false
Reputation:	unknown
Preview:	.....W<.....%.K.....^N.....".UX.4..\%.z4.f..e'{%.w=$4F;f...4..6.%.v....1.. B/.c..r.>..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X.....*y..:....X..:y\.x...1..i7......O.}..v....44.:...zqr^........w..C..f....@0.....@.J....oqs..a7...!.S..o.].`w.....l@o..Qb~A...e.,ROvA..f...!.b.:..)...H...t.M+...i'..r..VQ.1..(.t......Q

C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\setup.ini

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	3218
Entropy (8bit):	3.707704974093079
Encrypted:	false
SSDEEP:	96:rsAM4A1crEtiqrvnp6kY05w7tCYOvlnAMXDczb0pxwZxZF:w51Bzr/p0050t4vjz00pW
MD5:	26F679F0945CBA869E3E2245E0090D72
SHA1:	693D69335ABC02F278970F53CEA702EC4F25FA8B
SHA-256:	E3C7091D0E7405CC6F248DBC7A71463F9ED01D1D0B5BD465175EDB80F593DA23
SHA-512:	3D739A5C24BB3D828C4E4841764CE98075C99810034FA01E590EEDFAF82A3E890EE58AF3B47FBB47552C0B5EA2216AFF0DEC433836C92733EFB2389CF025488E
Malicious:	false
Reputation:	unknown
Preview:	..[.S.t.a.r.t.u.p.].....P.r.o.d.u.c.t.=.O.n.S.c.r.e.e.n. .C.o.n.t.r.o.l.....P.r.o.d.u.c.t.G.U.I.D.=.E.5.C.1.B.3.3.9.-.0.E.4.E.-.4.9.A.5.-.8.5.9.E.-.5.E.1.D.E.1.9.3.8.7.0.6.....C.o.m.p.a.n.y.N.a.m.e.=.L.G. .E.l.e.c.t.r.o.n.i.c.s. .I.n.c.....C.o.m.p.a.n.y.U.R.L.=.h.t.t.p.:././.w.w.w...l.g.e...c.o.m.....E.r.r.o.r.R.e.p.o.r.t.U.R.L.=.h.t.t.p.:././.w.w.w...i.n.s.t.a.l.l.s.h.i.e.l.d...c.o.m./.i.s.e.t.u.p./.P.r.o.E.r.r.o.r.C.e.n.t.r.a.l...a.s.p.?.E.r.r.o.r.C.o.d.e.=.%.d. .:. .0.x.%.x.&.E.r.r.o.r.I.n.f.o.=.%.s.....M.e.d.i.a.F.o.r.m.a.t.=.1.....L.o.g.M.o.d.e.=.1.....S.k.i.n.=.s.e.t.u.p...i.s.n.....S.m.a.l.l.P.r.o.g.r.e.s.s.=.N.....S.p.l.a.s.h.T.i.m.e.=.....C.h.e.c.k.M.D.5.=.Y.....C.m.d.L.i.n.e.=.....S.h.o.w.P.a.s.s.w.o.r.d.D.i.a.l.o.g.=.N.....S.c.r.i.p.t.D.r.i.v.e.n.=.4.........[.L.a.n.g.u.a.g.e.s.].....D.e.f.a.u.l.t.=.0.x.0.4.0.9.....S.u.p.p.o.r.t.e.d.=.0.x.0.8.0.4.,.0.x.0.4.0.4.,.0.x.0.4.1.3.,.0.x.0.4.0.9.,.0.x.0.4.0.c.,.0.x.0.4.0.7.,.0.x.0.4.1.0.,.0.x.0.4.1.1.,.0.x.0.4.1.2.,.0.x.0.4.1.6.,.0.

C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\setup.isn

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	Atari MSA archive data, 53900 sectors per track, starting track: 22332, ending track: 3470
Category:	dropped
Size (bytes):	260021
Entropy (8bit):	6.694949702521348
Encrypted:	false
SSDEEP:	6144:qsIKmUhmFIr3hK5aKN+SepcSjP23O3yjlD3trv0:UaQU
MD5:	AE2D8A450097B805681CF7353D2156DC
SHA1:	CFFC8C62295F8DC4571BD3A3ECFFD5C4AE818E0B
SHA-256:	566479EDE0B15838C3E89D7BC39D35B9EABD825080C052C0F139C70E295F01B5
SHA-512:	5A6B9ED7F4E920E974C22A83FCA19062D117356A759571F7AFD47A56D75EA784038441C309548BBFB8255EAF7F0F8496EBFEBCD7CF06713D6E0A3B6244A5EDFD
Malicious:	false
Reputation:	unknown
Preview:	.....W<.....%.K.....^N.....".UX.4..\%.z4.f..e'{%.w=$4F;f...4..6.%.v....1.. B/.c..r.>..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X.....*y..:....X..:y\.x...1..i7......O.}..v....44.:...zqr^........w..C..f....@0.....@.J....oqs..a7...!.S..o.].`w.....l@o..Qb~A...e.,ROvA..f...!.b.:..)...H...t.M+...i'..r..VQ.1..(.t......Q

C:\Users\user\AppData\Local\Temp\{EB03F53E-C6F6-4592-B57B-F035896D1449}\0x0404.ini

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	10670
Entropy (8bit):	5.78485884894983
Encrypted:	false
SSDEEP:	192:N2wEq5DSXJmoJcQoDyNtkob5zaG/NFroVVV3d9S7efd19+o:5v5DSIoDFFsHV3dIodv+o
MD5:	EC1F8F71FA21C49BC96A17C81AD51598
SHA1:	5750F674B4DE76D708DD1178265E280D515D8774
SHA-256:	60F176F3014342F48468FF7EA67280FA3A671C4721EBEFE7B4EE789FF65C87DF
SHA-512:	AC939507581988B4A4816BFD27FEE8BC4794743D7251138B08DA3F76268EC5B8F869FC7E2B52C6DD8BDB777BB07A95D3AD4375A38208E1CBD9EB4338AA194562
Malicious:	false
Reputation:	unknown
Preview:	..[.P.r.o.p.e.r.t.i.e.s.].....F.o.n.t.N.a.m.e.=.0}.f.....F.o.n.t.S.i.z.e.=.9.........[.0.x.0.4.0.4.].....1.1.0.0.=..[..z._w..Y/.......1.1.0.1.=.%.s.....1.1.0.2.=.%.1. ..[..z._ck(W.n.P .%.2....[.\._.\.`.[.biR...v.[.N..z.0..z.P.0....1.1.0.3.=.ck(W.j.g\Omi.\|q}Hr,g....1.1.0.4.=.ck(W.j.g .W.i.n.d.o.w.s.(.R.). .i.n.s.t.a.l.l.e.r. .Hr,g....1.1.0.5.=.ck(W-..[ .W.i.n.d.o.w.s. .i.n.s.t.a.l.l.e.r.....1.1.0.6.=.ck(W-..[ .%.s.....1.1.0.7.=..[..z._.](W.`.v.\|q}-N.[.b.N .W.i.n.d.o.w.s. .i.n.s.t.a.l.l.e.r. ..v-..[.0 .......e_U.R.\|q}.N.O\|~.~.[..0 ...c.N.N.0..e_U.R.0.O..e_U.R.\|q}.0....1.1.0.8.=.%.s.....1.1.2.5.=.x..d.[.........1.1.2.6.=.._.N.Nx...-Nx..ddk.[..z._.v.....0....1.1.2.7.=..[..z._._....e_U.R.\|q}Mb...[.b-..[ .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. ..g.R.0.c.N.N.0/f.0.c...zsS..e_U.R...Y.g.`.N._..e_U.R..GR.c.N.N.0&T.0.0....1.1.2.8.=.dk.[..z._.\.WL. .'.%.s.'. .GS.}.0/f&T..\|~.~......1.1.2.9.=.dk_j.].[....eHr,g.v .'.%.s.'..0.[.!q.l\|~.~.0....1.1.3.0.=..x.[....1.1.3.1.=..S.m....1.1.3.2.

C:\Users\user\AppData\Local\Temp\{EB03F53E-C6F6-4592-B57B-F035896D1449}\0x0407.ini

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	25860
Entropy (8bit):	3.5091459120889494
Encrypted:	false
SSDEEP:	768:2LNV1dYKJpgAbtaPZuQ2g2HhmDqtnLOW8oXxN1HYLifZThxfrkTI0n497:2z1djJpgAb0RuQ2g2HhmDU
MD5:	9A62DA6C523506355C1BF1B30DB73EDD
SHA1:	EE83114A7D4B995DD4AD7D1781ED66C4727CC121
SHA-256:	8B5D7BC395D0D6980299702D0573C6019FEFEA92EB98701D1894A5623B2691A0
SHA-512:	BE026517CEA5613D834337D83324C383F40B449DD92F338D612048C424AB8BD88C17F766C7D1629A2205A8A068F6DCBA1CE3536438018562490EBD7001EFBEE5
Malicious:	false
Reputation:	unknown
Preview:	..[.0.x.0.4.0.7.].....1.1.0.0.=.S.e.t.u.p.-.I.n.i.t.i.a.l.i.s.i.e.r.u.n.g.s.f.e.h.l.e.r.....1.1.0.1.=.%.s.....1.1.0.2.=.%.1. .S.e.t.u.p. .b.e.r.e.i.t.e.t. .d.e.n. .%.2. .v.o.r.,. .d.e.r. .S.i.e. .d.u.r.c.h. .d.e.n. .S.e.t.u.p.-.V.o.r.g.a.n.g. .l.e.i.t.e.n. .w.i.r.d... .B.i.t.t.e. .w.a.r.t.e.n.......1.1.0.3.=...b.e.r.p.r...f.e.n. .d.e.r. .B.e.t.r.i.e.b.s.s.y.s.t.e.m.v.e.r.s.i.o.n.....1.1.0.4.=...b.e.r.p.r...f.e.n. .d.e.r. .V.e.r.s.i.o.n. .v.o.n. .W.i.n.d.o.w.s.(.R.). .I.n.s.t.a.l.l.e.r.....1.1.0.5.=.K.o.n.f.i.g.u.r.i.e.r.e.n. .v.o.n. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r.....1.1.0.6.=.K.o.n.f.i.g.u.r.i.e.r.e.n. .v.o.n. .%.s.....1.1.0.7.=.S.e.t.u.p. .h.a.t. .d.i.e. .K.o.n.f.i.g.u.r.a.t.i.o.n. .v.o.n. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. .a.u.f. .I.h.r.e.m. .C.o.m.p.u.t.e.r. .a.b.g.e.s.c.h.l.o.s.s.e.n... .U.m. .m.i.t. .d.e.r. .I.n.s.t.a.l.l.a.t.i.o.n. .f.o.r.t.z.u.f.a.h.r.e.n. .m.u... .d.a.s. .S.y.s.t.e.m. .n.e.u. .g.e.s.t.a.r.t.e.t. .w.e.r.d.e.n... .W...h.l.e.n. .S.i.e. .N.e.u.s.t.a.r.t.e.n.

C:\Users\user\AppData\Local\Temp\{EB03F53E-C6F6-4592-B57B-F035896D1449}\0x0409.ini

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	22492
Entropy (8bit):	3.484893836872466
Encrypted:	false
SSDEEP:	384:CTmyuV//BiTbh/G4AwC2WrP2DBWa/Oa0Mhs+XVgv:CT6V//BiXh/z/lWr0aa0Mhs+XVgv
MD5:	BE345D0260AE12C5F2F337B17E07C217
SHA1:	0976BA0982FE34F1C35A0974F6178E15C238ED7B
SHA-256:	E994689A13B9448C074F9B471EDEEC9B524890A0D82925E98AB90B658016D8F3
SHA-512:	77040DBEE29BE6B136A83B9E444D8B4F71FF739F7157E451778FB4FCCB939A67FF881A70483DE16BCB6AE1FEA64A89E00711A33EC26F4D3EEA8E16C9E9553EFF
Malicious:	false
Reputation:	unknown
Preview:	..[.0.x.0.4.0.9.].....1.1.0.0.=.S.e.t.u.p. .I.n.i.t.i.a.l.i.z.a.t.i.o.n. .E.r.r.o.r.....1.1.0.1.=.%.s.....1.1.0.2.=.%.1. .S.e.t.u.p. .i.s. .p.r.e.p.a.r.i.n.g. .t.h.e. .%.2.,. .w.h.i.c.h. .w.i.l.l. .g.u.i.d.e. .y.o.u. .t.h.r.o.u.g.h. .t.h.e. .p.r.o.g.r.a.m. .s.e.t.u.p. .p.r.o.c.e.s.s... . .P.l.e.a.s.e. .w.a.i.t.......1.1.0.3.=.C.h.e.c.k.i.n.g. .O.p.e.r.a.t.i.n.g. .S.y.s.t.e.m. .V.e.r.s.i.o.n.....1.1.0.4.=.C.h.e.c.k.i.n.g. .W.i.n.d.o.w.s.(.R.). .I.n.s.t.a.l.l.e.r. .V.e.r.s.i.o.n.....1.1.0.5.=.C.o.n.f.i.g.u.r.i.n.g. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r.....1.1.0.6.=.C.o.n.f.i.g.u.r.i.n.g. .%.s.....1.1.0.7.=.S.e.t.u.p. .h.a.s. .c.o.m.p.l.e.t.e.d. .c.o.n.f.i.g.u.r.i.n.g. .t.h.e. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. .o.n. .y.o.u.r. .s.y.s.t.e.m... .T.h.e. .s.y.s.t.e.m. .n.e.e.d.s. .t.o. .b.e. .r.e.s.t.a.r.t.e.d. .i.n. .o.r.d.e.r. .t.o. .c.o.n.t.i.n.u.e. .w.i.t.h. .t.h.e. .i.n.s.t.a.l.l.a.t.i.o.n... .P.l.e.a.s.e. .c.l.i.c.k. .R.e.s.t.a.r.t. .t.o. .r.e.b.o.o.t. .t.h.e. .s.y.s.t.e.m.......1.1.0.8.

C:\Users\user\AppData\Local\Temp\{EB03F53E-C6F6-4592-B57B-F035896D1449}\0x040a.ini

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	25140
Entropy (8bit):	3.439336772199357
Encrypted:	false
SSDEEP:	192:XqCTxiKLkQEq0w/2yOK8deU2K4/WaChA2ZwxD9VErXWlMHtDaMJVLr5:XqClLkQT4z4uaCC2axbYXWSHZaMJxr5
MD5:	E872C54C58EEF055BC791D3EEAD093C3
SHA1:	FC7BA9CEF237686C06DD63FD2CCBFE037518E378
SHA-256:	1739D42ED181F36AB4F524C01B57A4102C2F7510661D973A1077A4E88AC34B97
SHA-512:	E8512974D4851B7FB504292F3330D318F72C2646EC3DB2C54ED7938EB73249EC1CE867916D15C6A36B3FEB39F0FE98DD1781E5EC938BB2427059B4EE2DC00E1D
Malicious:	false
Reputation:	unknown
Preview:	..[.0.x.0.4.0.a.].....1.1.0.0.=.E.r.r.o.r. .d.e. .i.n.i.c.i.o. .d.e. .i.n.s.t.a.l.a.c.i...n.....1.1.0.1.=.%.s.....1.1.0.2.=.E.l. .p.r.o.g.r.a.m.a. .d.e. .i.n.s.t.a.l.a.c.i...n. .%.1. .e.s.t... .p.r.e.p.a.r.a.n.d.o. .%.2.,. .q.u.e. .l.e. .g.u.i.a.r... .d.u.r.a.n.t.e. .e.l. .r.e.s.t.o. .d.e.l. .p.r.o.c.e.s.o. .d.e. .i.n.s.t.a.l.a.c.i...n... . .E.s.p.e.r.e. .p.o.r. .f.a.v.o.r.......1.1.0.3.=.C.o.m.p.r.o.b.a.n.d.o. .l.a. .v.e.r.s.i...n. .d.e.l. .s.i.s.t.e.m.a. .o.p.e.r.a.t.i.v.o.....1.1.0.4.=.C.o.m.p.r.o.b.a.n.d.o. .l.a. .v.e.r.s.i...n. .d.e.l. .i.n.s.t.a.l.a.d.o.r. .d.e. .W.i.n.d.o.w.s.(.R.).....1.1.0.5.=.C.o.n.f.i.g.u.r.a.n.d.o. .e.l. .i.n.s.t.a.l.a.d.o.r. .d.e. .W.i.n.d.o.w.s.....1.1.0.6.=.C.o.n.f.i.g.u.r.a.n.d.o. .%.s.....1.1.0.7.=.E.l. .p.r.o.g.r.a.m.a. .d.e. .i.n.s.t.a.l.a.c.i...n. .h.a. .t.e.r.m.i.n.a.d.o. .d.e. .c.o.n.f.i.g.u.r.a.r. .e.l. .i.n.s.t.a.l.a.d.o.r. .d.e. .W.i.n.d.o.w.s. .e.n. .e.l. .s.i.s.t.e.m.a... .E.l. .s.i.s.t.e.m.a. .s.e. .d.e.b.e. .r.e.i.n.i.c.i.a.r. .p.a.r.a. .s.

C:\Users\user\AppData\Local\Temp\{EB03F53E-C6F6-4592-B57B-F035896D1449}\0x040c.ini

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	26270
Entropy (8bit):	3.4773296330092287
Encrypted:	false
SSDEEP:	384:dadl9gg5LFghqYpI+JTz0bBQBWRGgG8fY8JfuqGWzjYN2D6UMYO1:dMXFGhqiUbBQcL68JfuqFjYN2DVa
MD5:	35989450C8121207917F04D1EBE4CA2A
SHA1:	0037EC09F27D222CAD447288BD2462D63ABA2520
SHA-256:	B14D9D7AFC505868407C425CB5A78C891BAA8A6AC8EB35CFB3D71C71F5BEE1FA
SHA-512:	1CF2A0130679AB238C5E41BB1DE21F6F915595AF7CC9B90ECFCE2D05075CF3BA92CCAB464A7291EFD1EE4CDBA54A01D61BEB75B919AD687FBA178A95486B26F8
Malicious:	false
Reputation:	unknown
Preview:	..[.0.x.0.4.0.c.].....1.1.0.0.=.E.r.r.e.u.r. .l.o.r.s. .d.e. .l.'.i.n.i.t.i.a.l.i.s.a.t.i.o.n. .d.e. .l.'.i.n.s.t.a.l.l.a.t.i.o.n.....1.1.0.1.=.%.s.....1.1.0.2.=.L.'.i.n.s.t.a.l.l.a.t.e.u.r. .%.1. .p.r...p.a.r.e. .%.2.,. .l.e.q.u.e.l. .v.o.u.s. .g.u.i.d.e.r.a. .p.o.u.r. .l.'.i.n.s.t.a.l.l.a.t.i.o.n. .d.u. .l.o.g.i.c.i.e.l... .V.e.u.i.l.l.e.z. .p.a.t.i.e.n.t.e.r.......1.1.0.3.=.V...r.i.f.i.c.a.t.i.o.n. .d.e. .l.a. .v.e.r.s.i.o.n. .d.e. .s.y.s.t...m.e. .d.'.e.x.p.l.o.i.t.a.t.i.o.n.....1.1.0.4.=.V...r.i.f.i.c.a.t.i.o.n. .d.e. .l.a. .v.e.r.s.i.o.n. .d.e. .W.i.n.d.o.w.s.(.R.). .I.n.s.t.a.l.l.e.r.....1.1.0.5.=.C.o.n.f.i.g.u.r.a.t.i.o.n. .d.e. .W.i.n.d.o.w.s.(.R.). .I.n.s.t.a.l.l.e.r.....1.1.0.6.=.C.o.n.f.i.g.u.r.a.t.i.o.n. .d.'.%.s.....1.1.0.7.=.L.'.i.n.s.t.a.l.l.a.t.i.o.n. .a. .t.e.r.m.i.n... .l.a. .c.o.n.f.i.g.u.r.a.t.i.o.n. .d.e. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. .s.u.r. .v.o.t.r.e. .o.r.d.i.n.a.t.e.u.r... .P.o.u.r. .p.o.u.v.o.i.r. .p.o.u.r.s.u.i.v.r.e. .l.'.i.n.s.t.a.l.l.a.t.i.o.n.,. .

C:\Users\user\AppData\Local\Temp\{EB03F53E-C6F6-4592-B57B-F035896D1449}\0x0410.ini

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	25188
Entropy (8bit):	3.4430435546496425
Encrypted:	false
SSDEEP:	384:hXRoc4nLsC8oKjuTSC6KJqJ/j48pQ2LmRU20yn:hyLLKqTS6oQ2Lmf
MD5:	F89FC24FCE7B72A6C9A6E1F9E7B22D8A
SHA1:	CD13C5DBD8C58DDC1F1727D45362358AFAC7FCF2
SHA-256:	2970BB63E5BC3DE4C693DE313D715C0C5F93BD35E18CDAEC56954034CC7653A6
SHA-512:	A55209B9419B9FEF4D6107956131E6BDA36BD281C94416C39788AA8E926A7A44DAE19544A46C84CD2337678A3A4AF753FAD73E024BAE19DA4D536186A061013A
Malicious:	false
Reputation:	unknown
Preview:	..[.0.x.0.4.1.0.].....1.1.0.0.=.E.r.r.o.r.e. .d.i. .i.n.i.z.i.a.l.i.z.z.a.z.i.o.n.e. .d.e.l.l.'.i.n.s.t.a.l.l.a.z.i.o.n.e.....1.1.0.1.=.%.s.....1.1.0.2.=.I.l. .p.r.o.g.r.a.m.m.a. .d.i. .i.n.s.t.a.l.l.a.z.i.o.n.e. .%.1. .s.t.a. .p.r.e.p.a.r.a.n.d.o. .%.2... . .A.t.t.e.n.d.e.r.e.......1.1.0.3.=.V.e.r.i.f.i.c.a. .d.e.l.l.a. .v.e.r.s.i.o.n.e. .d.e.l. .s.i.s.t.e.m.a. .o.p.e.r.a.t.i.v.o. .i.n. .c.o.r.s.o.....1.1.0.4.=.V.e.r.i.f.i.c.a. .d.e.l.l.a. .v.e.r.s.i.o.n.e. .d.i. .W.i.n.d.o.w.s.(.R.). .I.n.s.t.a.l.l.e.r. .i.n. .c.o.r.s.o.....1.1.0.5.=.C.o.n.f.i.g.u.r.a.z.i.o.n.e. .d.i. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. .i.n. .c.o.r.s.o.....1.1.0.6.=.C.o.n.f.i.g.u.r.a.z.i.o.n.e. .d.i. .%.s. .i.n. .c.o.r.s.o.....1.1.0.7.=.I.l. .p.r.o.g.r.a.m.m.a. .d.i. .i.n.s.t.a.l.l.a.z.i.o.n.e. .h.a. .c.o.m.p.l.e.t.a.t.o. .l.a. .c.o.n.f.i.g.u.r.a.z.i.o.n.e. .d.i. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. .s.u.l. .s.i.s.t.e.m.a... .R.i.a.v.v.i.a.r.e. .i.l. .s.i.s.t.e.m.a. .p.e.r. .c.o.n.t.i.n.u.a.r.e... .S.c.e.g.l.i.e.r.e.

C:\Users\user\AppData\Local\Temp\{EB03F53E-C6F6-4592-B57B-F035896D1449}\0x0411.ini

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	14960
Entropy (8bit):	5.1996979572130915
Encrypted:	false
SSDEEP:	384:DKeEbO3nl8cDUK21OxgCvk3aV4ls8Gb8YVyl:DKtbO3l8coK21OxgCl7Fyl
MD5:	6EBBB5D67423D8D85F1688B561BF5304
SHA1:	AD0E2D717F750AF47F81E0BC1200F5245266D505
SHA-256:	E3B87E8B94AD50BBE21795B3408943F9A6D6F33813E96802962CB74B889EDFE7
SHA-512:	13CDBA0E0EA410BED289492C7C04D5CB9FFBD931B6006547AA5FF05587FBB9CF32E6626D016DD29892A80514EA642D60490F16E6B9402256C257B7CE276924DF
Malicious:	false
Reputation:	unknown
Preview:	..[.P.r.o.p.e.r.t.i.e.s.].....F.o.n.t.N.a.m.e.=.M.S. .U.I. .G.o.t.h.i.c.....F.o.n.t.S.i.z.e.=.9.........[.0.x.0.4.1.1.].....1.1.0.0.=..0.0.0.0.0.0.R.g.S.0.0.0....1.1.0.1.=.%.s.....1.1.0.2.=.%.1. ..0.0.0.0.0.0o0.0.0.0.0.0.0.0.0.0.0.0.0n0Kb...0T0Hh.QY0.0 .%.2. ..0.n.PW0f0D0~0Y0.0W0p0.0O0J0._a0O0`0U0D0.0....1.1.0.3.=..0.0.0.0.0.0.0.0 ..0.0.0.0n0.0.0.0.0.0.0.x..W0f0D0~0Y0....1.1.0.4.=.W.i.n.d.o.w.s.(.R.). .I.n.s.t.a.l.l.e.r.n0.0.0.0.0.0.0.x..W0f0D0~0Y0....1.1.0.5.=.W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r..0-..[W0f0D0~0Y0....1.1.0.6.=.%.s. ..0-..[W0f0D0~0Y0....1.1.0.7.=..0.0.0.0.0.0o0.0.0.0.0.0.Nn0 .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. .n0-..[.0.[.NW0~0W0_0.0.0.0.0.0.0.0.0.}L.Y0.0k0o0.0.0.0.0.0.0.Qw..RY0.0._..L0B0.0~0Y0.0.0.Qw..R.0.0.0.0.0.0W0f0.0.0.0.0.0.0.Qw..RW0f0O0`0U0D0.0....1.1.0.8.=.%.s.....1.1.2.5.=..0.0.0.0.0.0....n0x..b....1.1.2.6.=.S0n0.0.0.0.0.0.0g0.O(uY0.0.....0!kn0.0.0.0K0.0x..bW0f0O0`0U0D0.0....1.1.2.7.=.W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. ..0.0.0.0n0-..[.0.[.bU0[0.0.p.0.0.0.0.0.0.0o0

C:\Users\user\AppData\Local\Temp\{EB03F53E-C6F6-4592-B57B-F035896D1449}\0x0412.ini

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	14126
Entropy (8bit):	5.413031845668093
Encrypted:	false
SSDEEP:	192:NtPl0V894Pp/WwJTqSuQusVG5qyKBUxVzliQZWNtgHmYgHgsNSbiE/VRauG:+G94xOwJTqSuQB7VNtc3OS3VUV
MD5:	73E70A6B9354E80237C8E2B3170830A0
SHA1:	B4C8777CE9C2D2FFF4C0C914825CBE698FEAADAF
SHA-256:	316577CF74D3545D632B0DE55513A3511D654849655157CB84821B871EC081E9
SHA-512:	F15E736E7C0B55437B39869A0BBCE15D5365F04C70BE23FC373D83CE0E99E0A806244C1C44CD298DC4970D20AF6CB1198A9D84749F5D5AC02162C261B1460ED7
Malicious:	false
Reputation:	unknown
Preview:	..[.P.r.o.p.e.r.t.i.e.s.].....F.o.n.t.N.a.m.e.=.t.......F.o.n.t.S.i.z.e.=.9.........[.0.x.0.4.1.2.].....1.1.0.0.=.$.X. ...0.T. .$.X.....1.1.0.1.=.%.s.....1.1.0.2.=.%.2. ... ......X. .....0... .%.1.D.(.\|.). .$.X.`. .$.X. ......\|. ...D. ........ ..... .0.......$.......1.1.0.3.=..... ..... ..... .U.x. .......1.1.0.4.=.W.i.n.d.o.w.s.(.R.). .I.n.s.t.a.l.l.e.r. ..... .U.x. .......1.1.0.5.=.W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. .l.1. .......1.1.0.6.=.%.s. .l.1. .......1.1.0.7.=.$.X. ...\.....t. ......X. ....\... .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r.X. .l.1.D. .D......... .$.X.\|. ....X.$.t. ....\.D. .... ....t.\|. .i..... .".... ....". ...\|. .... ....\.D. .... .....X.....$.......1.1.0.8.=.%.s.....1.1.2.5.=.$.X. .... . .......1.1.2.6.=.$.X.X.. ..H. .....`. ....\|. .D...... . ...X.....$.......1.1.2.7.=.$.X. ...\.....t. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. ...D... .l.1.D. .D..X.$.t. ....\.D. .... ....t.\|. .i..... . ..... ....\.D. .... ....X.$.t. .[...].\|. .t..X...

C:\Users\user\AppData\Local\Temp\{EB03F53E-C6F6-4592-B57B-F035896D1449}\0x0413.ini

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	25000
Entropy (8bit):	3.4464436827428178
Encrypted:	false
SSDEEP:	192:iSdyxvO3iFoIuWyQLKHiSeBtcIA0YpE7jir/dX4dJgXpDAKTcm3tbcrnj8k:iIMO3sJdMpA6ViJguKTcmZcrj8k
MD5:	DC1C05A9FCE06CF659C20AED317DD417
SHA1:	2447C12E75ED0F4B5BD9D4C6ACB29AEE35562F23
SHA-256:	98D6CEEF6A444B9E8450ABEFC5B72BD6B0DF1CD5D7C7CD2822EB1BD186FF8526
SHA-512:	2CDD4932E279988B0DFEEFD86E5B997A9D5F5BC6780819D80293BAF5A9B0B56C9D0AA597150CADC1C7B2C329F5FEAF308F97FA22DD4B915050BCC6D911CDDA96
Malicious:	false
Reputation:	unknown
Preview:	..[.0.x.0.4.1.3.].....1.1.0.0.=.I.n.i.t.i.a.l.i.s.a.t.i.e.f.o.u.t. .v.o.o.r. .S.e.t.u.p.....1.1.0.1.=.%.s.....1.1.0.2.=.%.1. .S.e.t.u.p. .i.s. .b.e.z.i.g. .m.e.t. .h.e.t. .v.o.o.r.b.e.r.e.i.d.e.n. .v.a.n. .d.e. .%.2. .d.i.e. .u. .d.o.o.r. .d.e. .s.e.t.u.p. .v.a.n. .h.e.t. .p.r.o.g.r.a.m.m.a. .z.a.l. .l.e.i.d.e.n... .E.e.n. .o.g.e.n.b.l.i.k. .g.e.d.u.l.d.......1.1.0.3.=.B.e.z.i.g. .m.e.t. .h.e.t. .c.o.n.t.r.o.l.e.r.e.n. .v.a.n. .d.e. .v.e.r.s.i.e. .v.a.n. .h.e.t. .b.e.s.t.u.r.i.n.g.s.s.y.s.t.e.e.m.....1.1.0.4.=.B.e.z.i.g. .m.e.t. .h.e.t. .c.o.n.t.r.o.l.e.r.e.n. .v.a.n. .d.e. .v.e.r.s.i.e. .v.a.n. .W.i.n.d.o.w.s.(.R.). .I.n.s.t.a.l.l.e.r.....1.1.0.5.=.B.e.z.i.g. .m.e.t. .h.e.t. .c.o.n.f.i.g.u.r.e.r.e.n. .v.a.n. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r.....1.1.0.6.=.B.e.z.i.g. .m.e.t. .h.e.t. .c.o.n.f.i.g.u.r.e.r.e.n. .v.a.n. .%.s.....1.1.0.7.=.S.e.t.u.p. .i.s. .k.l.a.a.r. .m.e.t. .h.e.t. .c.o.n.f.i.g.u.r.e.r.e.n. .v.a.n. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. .o.p. .u.w. .s.y.s.t.e.e.m... .H.e.t.

C:\Users\user\AppData\Local\Temp\{EB03F53E-C6F6-4592-B57B-F035896D1449}\0x0416.ini

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	24142
Entropy (8bit):	3.50067586721218
Encrypted:	false
SSDEEP:	384:cuS60JBnWzm1xn9iW4WSWIWwWdW/WxW9W7WSWiAhWssvK4D:cT6YBosx9Ujsf
MD5:	88CF36612986147152BC34798D847FC8
SHA1:	C626EB6CA21D0BD8148C4990CA9BC3955A84AC2E
SHA-256:	FD410CE6CEA3FE21E0D45BA8A3A95459502275052C318971ECD548970DFCCDCF
SHA-512:	D5768CF9ECB1E158B3A9196CD340EB8DB5B294BB20433554D4D605C7A3AB4F7CA6027791FD63F011E68325AF52EB18D734B45F2FD670D109FF60E93B97D9A20D
Malicious:	false
Reputation:	unknown
Preview:	..[.0.x.0.4.1.6.].....1.1.0.0.=.E.r.r.o. .d.e. .i.n.i.c.i.a.l.i.z.a.....o. .d.o. .I.n.s.t.a.l.l.S.h.i.e.l.d. .W.i.z.a.r.d.....1.1.0.1.=.%.s.....1.1.0.2.=.O. .p.r.o.g.r.a.m.a. .d.e. .i.n.s.t.a.l.a.....o. .d.o. .%.1. .e.s.t... .p.r.e.p.a.r.a.n.d.o. .o. .%.2. .p.a.r.a. .a.j.u.d...-.l.o. .c.o.m. .o. .p.r.o.c.e.s.s.o. .d.e. .i.n.s.t.a.l.a.....o... . .A.g.u.a.r.d.e.......1.1.0.3.=.V.e.r.i.f.i.c.a.n.d.o. .a. .v.e.r.s...o. .d.o. .s.i.s.t.e.m.a. .o.p.e.r.a.c.i.o.n.a.l.....1.1.0.4.=.V.e.r.i.f.i.c.a.n.d.o. .a. .v.e.r.s...o. .d.o. .i.n.s.t.a.l.a.d.o.r. .d.o. .W.i.n.d.o.w.s.(.R.).....1.1.0.5.=.C.o.n.f.i.g.u.r.a.n.d.o. .o. .i.n.s.t.a.l.a.d.o.r. .d.o. .W.i.n.d.o.w.s.....1.1.0.6.=.C.o.n.f.i.g.u.r.a.n.d.o. .o. .%.s.....1.1.0.7.=.A. .i.n.s.t.a.l.a.....o. .c.o.m.p.l.e.t.o.u. .a. .c.o.n.f.i.g.u.r.a.....o. .d.o. .i.n.s.t.a.l.a.d.o.r. .d.o. .W.i.n.d.o.w.s. .e.m. .s.e.u. .s.i.s.t.e.m.a... .O. .s.i.s.t.e.m.a. .p.r.e.c.i.s.a. .s.e.r. .r.e.i.n.i.c.i.a.d.o. .p.a.r.a. .p.o.d.e.r. .c.o.n.t.i.n.u.a.r. .c.o.m. .a. .

C:\Users\user\AppData\Local\Temp\{EB03F53E-C6F6-4592-B57B-F035896D1449}\0x0419.ini

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	23432
Entropy (8bit):	4.02726434010301
Encrypted:	false
SSDEEP:	384:kiGLTiSapi6QnIw5sgVfCxOJebMVLDOU9L/esT:k/9tqMVLDOUJZ
MD5:	D12957CBC8D709DDACB854CCB7E09BEA
SHA1:	332F16C47A6F77390421E8DD9E1E5CD10625C46C
SHA-256:	79FE5A9A1DCD35ED68016FC5AA3720945F87A34C7B85F14763DC08F55796485E
SHA-512:	75351BAA104682FEDCC4B237C1DF1804C3C1EC2671E0200EAA4E37F26D1D28E3A6A33C93F6FF35CEC58E7701FA6A0961EFD7A2CBB44ED6C2CBD29D7C5DB057F5
Malicious:	false
Reputation:	unknown
Preview:	..[.0.x.0.4.1.9.].....1.1.0.0.=...H.8.1.:.0. .8.=.8.F.8.0.;.8.7.0.F.8.8. .?.@.>.3.@.0.<.<.K. .C.A.B.0.=.>.2.:.8.....1.1.0.1.=.%.s.....1.1.0.2.=.%.1. ...4.5.B. .?.>.4.3.>.B.>.2.:.0. .:. .7.0.?.C.A.:.C. .<.0.A.B.5.@.0. .%.2.,. .2.K.?.>.;.=.O.N.I.5.3.>. .C.A.B.0.=.>.2.:.C. .?.@.>.3.@.0.<.<.K... . ...4.8.B.5.......1.1.0.3.=...@.>.2.5.@.:.0. .2.5.@.A.8.8. .>.?.5.@.0.F.8.>.=.=.>.9. .A.8.A.B.5.<.K.....1.1.0.4.=...@.>.2.5.@.:.0. .2.5.@.A.8.8. .?.@.>.3.@.0.<.<.K. .C.A.B.0.=.>.2.:.8. .W.i.n.d.o.w.s.(.R.).....1.1.0.5.=...0.A.B.@.>.9.:.0. .?.@.>.3.@.0.<.<.K. .C.A.B.0.=.>.2.:.8. .W.i.n.d.o.w.s.....1.1.0.6.=...0.A.B.@.>.9.:.0. .%.s.....1.1.0.7.=...@.>.3.@.0.<.<.0. .C.A.B.0.=.>.2.:.8. .7.0.2.5.@.H.8.;.0. .=.0.A.B.@.>.9.:.C. .?.@.>.3.@.0.<.<.K. .C.A.B.0.=.>.2.:.8. .W.i.n.d.o.w.s. .2. .A.8.A.B.5.<.5... ...;.O. .?.@.>.4.>.;.6.5.=.8.O. .C.A.B.0.=.>.2.:.8. .=.5.>.1.E.>.4.8.<.>. .?.5.@.5.7.0.?.C.A.B.8.B.L. .A.8.A.B.5.<.C... ...0.6.<.8.B.5. .:.=.>.?.:.C. ."...5.@.5.7.0.?.C.A.:.".,. .G.B.>.1.K. .?.5.@.5.7.0.

C:\Users\user\AppData\Local\Temp\{EB03F53E-C6F6-4592-B57B-F035896D1449}\0x0804.ini

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	10760
Entropy (8bit):	5.78352212360944
Encrypted:	false
SSDEEP:	192:Nw8vvP/KID2jmCt1bRNJQYRyljRpRIHDJCL0PvrmeAdovo/BVEU3EDa+7VUX7AoU:7XD65P9PvabCU6l7
MD5:	3D94EA458231BB249E464A3246E47D39
SHA1:	A1660EFACE2D76B3BAB6E21980D64EC5DA9A3844
SHA-256:	B1422D24B8B703541404776BADF70D377DF435D519CC5FFF2EE6666581CE407C
SHA-512:	46BFBD5D1D86CFFCEEF1316B13815B1D9A099E247ECB7CA12974107F921787EAA917DDC04BB937C7BF293EAFF12A45B56952174C1059EB42B325DBBC48CE4FA4
Malicious:	false
Reputation:	unknown
Preview:	..[.P.r.o.p.e.r.t.i.e.s.].....F.o.n.t.N.a.m.e.=..[SO....F.o.n.t.S.i.z.e.=.9.........[.0.x.0.8.0.4.].....1.1.0.0.=..[..z.^.R.Y.S.......1.1.0.1.=.%.s.....1.1.0.2.=.%.1. ..[..z.^ck(W.Q.Y .%.2....[.\._.[.`.[.biRYO.v.[...z.0...z.P.0....1.1.0.3.=.ck(W.h.g.d\O.\|.~Hr,g....1.1.0.4.=.ck(W.h.g .W.i.n.d.o.w.s.(.R.). .I.n.s.t.a.l.l.e.r. .Hr,g....1.1.0.5.=.ck(WM.n. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r.....1.1.0.6.=.ck(WM.n. .%.s.....1.1.0.7.=..[..z.^.](W.`.v.\|.~-N.[.b.N .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. ..vM.n..0 .......e/T.R.\|.~.N.O.~.~.[..0 ...US.Q. ..e/T.R. eg..e/T.R.\|.~.0....1.1.0.8.=.%.s.....1.1.2.5.=....b.[..z.^.v.......1.1.2.6.=..N.N.N..y.-N...bdk.[..z.^.v....0....1.1.2.7.=.I.n.s.t.a.l.l.e.r. .._{...e/T.R.`.v.\|.~..Mb...[.b .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. ..g.R.vM.n..0US.Q"./f"..S.zsS..e/T.R..US.Q".&T"..R.S(W.N.T/T.R.0....1.1.2.8.=..[..z.^.\.[.b .'.%.s.'. ..f.e.0/f&T.~.~......1.1.2.9.=.dk:ghV.].[....eHr .'.%.s.'..0.[..e.l.~.~.0....1.1.3.0.=.nx.[....1.1.3.1.=..S.m....1.

C:\Users\user\AppData\Local\Temp\{EB03F53E-C6F6-4592-B57B-F035896D1449}\0x0816.ini

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	24772
Entropy (8bit):	3.4962564786346575
Encrypted:	false
SSDEEP:	384:ol0dQRxCLgWg2HuLWaQWIWdW7WwW8WtWxWdU0eWrWDWqWeRlWNudBv0s4n:omd0xCLa+i9g0kGudBch
MD5:	F5647EC2FA6F96103629860955AAED3C
SHA1:	960398A7F4406F91F37148DE2E83A86B660CFAD3
SHA-256:	C1ED2933A2CCB3B82F7A952741BF4C6D4F653D4997855C341F365671FCB9E87D
SHA-512:	CCDAB8B0884BDD7C55736EE419AAD5713B36DD9590232EA6BBCDFCE2A05058AAF708F0D19D42C450C2E3E7B82AD72D860B1CD21EA0C3671236DA5EFDDFCEBC5F
Malicious:	false
Reputation:	unknown
Preview:	..[.0.x.0.8.1.6.].....1.1.0.0.=.E.r.r.o. .n.a. .i.n.i.c.i.a.l.i.z.a.....o. .d.o. .p.r.o.g.r.a.m.a. .d.e. .c.o.n.f.i.g.u.r.a.....o.....1.1.0.1.=.%.s.....1.1.0.2.=.O. .p.r.o.g.r.a.m.a. .d.e. .c.o.n.f.i.g.u.r.a.....o. .%.1. .e.s.t... .a. .p.r.e.p.a.r.a.r. .o. .%.2. .q.u.e. .o. .o.r.i.e.n.t.a.r... .a.o. .l.o.n.g.o. .d.o. .p.r.o.c.e.s.s.o. .d.e. .c.o.n.f.i.g.u.r.a.....o. .d.o. .p.r.o.g.r.a.m.a... . .A.g.u.a.r.d.e.......1.1.0.3.=.A. .v.e.r.i.f.i.c.a.r. .a. .v.e.r.s...o. .d.o. .s.i.s.t.e.m.a. .o.p.e.r.a.t.i.v.o.....1.1.0.4.=.A. .v.e.r.i.f.i.c.a.r. .a. .v.e.r.s...o. .d.o. .p.r.o.g.r.a.m.a. .d.e. .i.n.s.t.a.l.a.....o. .d.o. .W.i.n.d.o.w.s.(.R.).....1.1.0.5.=.A. .c.o.n.f.i.g.u.r.a.r. .o. .p.r.o.g.r.a.m.a. .d.e. .i.n.s.t.a.l.a.....o. .d.o. .W.i.n.d.o.w.s.....1.1.0.6.=.A. .c.o.n.f.i.g.u.r.a.r. .o. .%.s.....1.1.0.7.=.C.o.n.f.i.g.u.r.a.....o. .d.o. .p.r.o.g.r.a.m.a. .d.o. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. .n.o. .s.i.s.t.e.m.a. .c.o.n.c.l.u...d.a... ... .n.e.c.e.s.s...r.i.o. .r.e.i.n.i.c.i.a.r. .o.

C:\Users\user\AppData\Local\Temp\{EB03F53E-C6F6-4592-B57B-F035896D1449}\Disk1\0x0404.ini

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	10670
Entropy (8bit):	5.78485884894983
Encrypted:	false
SSDEEP:	192:N2wEq5DSXJmoJcQoDyNtkob5zaG/NFroVVV3d9S7efd19+o:5v5DSIoDFFsHV3dIodv+o
MD5:	EC1F8F71FA21C49BC96A17C81AD51598
SHA1:	5750F674B4DE76D708DD1178265E280D515D8774
SHA-256:	60F176F3014342F48468FF7EA67280FA3A671C4721EBEFE7B4EE789FF65C87DF
SHA-512:	AC939507581988B4A4816BFD27FEE8BC4794743D7251138B08DA3F76268EC5B8F869FC7E2B52C6DD8BDB777BB07A95D3AD4375A38208E1CBD9EB4338AA194562
Malicious:	false
Reputation:	unknown
Preview:	..[.P.r.o.p.e.r.t.i.e.s.].....F.o.n.t.N.a.m.e.=.0}.f.....F.o.n.t.S.i.z.e.=.9.........[.0.x.0.4.0.4.].....1.1.0.0.=..[..z._w..Y/.......1.1.0.1.=.%.s.....1.1.0.2.=.%.1. ..[..z._ck(W.n.P .%.2....[.\._.\.`.[.biR...v.[.N..z.0..z.P.0....1.1.0.3.=.ck(W.j.g\Omi.\|q}Hr,g....1.1.0.4.=.ck(W.j.g .W.i.n.d.o.w.s.(.R.). .i.n.s.t.a.l.l.e.r. .Hr,g....1.1.0.5.=.ck(W-..[ .W.i.n.d.o.w.s. .i.n.s.t.a.l.l.e.r.....1.1.0.6.=.ck(W-..[ .%.s.....1.1.0.7.=..[..z._.](W.`.v.\|q}-N.[.b.N .W.i.n.d.o.w.s. .i.n.s.t.a.l.l.e.r. ..v-..[.0 .......e_U.R.\|q}.N.O\|~.~.[..0 ...c.N.N.0..e_U.R.0.O..e_U.R.\|q}.0....1.1.0.8.=.%.s.....1.1.2.5.=.x..d.[.........1.1.2.6.=.._.N.Nx...-Nx..ddk.[..z._.v.....0....1.1.2.7.=..[..z._._....e_U.R.\|q}Mb...[.b-..[ .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. ..g.R.0.c.N.N.0/f.0.c...zsS..e_U.R...Y.g.`.N._..e_U.R..GR.c.N.N.0&T.0.0....1.1.2.8.=.dk.[..z._.\.WL. .'.%.s.'. .GS.}.0/f&T..\|~.~......1.1.2.9.=.dk_j.].[....eHr,g.v .'.%.s.'..0.[.!q.l\|~.~.0....1.1.3.0.=..x.[....1.1.3.1.=..S.m....1.1.3.2.

C:\Users\user\AppData\Local\Temp\{EB03F53E-C6F6-4592-B57B-F035896D1449}\Disk1\0x0407.ini

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	25860
Entropy (8bit):	3.5091459120889494
Encrypted:	false
SSDEEP:	768:2LNV1dYKJpgAbtaPZuQ2g2HhmDqtnLOW8oXxN1HYLifZThxfrkTI0n497:2z1djJpgAb0RuQ2g2HhmDU
MD5:	9A62DA6C523506355C1BF1B30DB73EDD
SHA1:	EE83114A7D4B995DD4AD7D1781ED66C4727CC121
SHA-256:	8B5D7BC395D0D6980299702D0573C6019FEFEA92EB98701D1894A5623B2691A0
SHA-512:	BE026517CEA5613D834337D83324C383F40B449DD92F338D612048C424AB8BD88C17F766C7D1629A2205A8A068F6DCBA1CE3536438018562490EBD7001EFBEE5
Malicious:	false
Reputation:	unknown
Preview:	..[.0.x.0.4.0.7.].....1.1.0.0.=.S.e.t.u.p.-.I.n.i.t.i.a.l.i.s.i.e.r.u.n.g.s.f.e.h.l.e.r.....1.1.0.1.=.%.s.....1.1.0.2.=.%.1. .S.e.t.u.p. .b.e.r.e.i.t.e.t. .d.e.n. .%.2. .v.o.r.,. .d.e.r. .S.i.e. .d.u.r.c.h. .d.e.n. .S.e.t.u.p.-.V.o.r.g.a.n.g. .l.e.i.t.e.n. .w.i.r.d... .B.i.t.t.e. .w.a.r.t.e.n.......1.1.0.3.=...b.e.r.p.r...f.e.n. .d.e.r. .B.e.t.r.i.e.b.s.s.y.s.t.e.m.v.e.r.s.i.o.n.....1.1.0.4.=...b.e.r.p.r...f.e.n. .d.e.r. .V.e.r.s.i.o.n. .v.o.n. .W.i.n.d.o.w.s.(.R.). .I.n.s.t.a.l.l.e.r.....1.1.0.5.=.K.o.n.f.i.g.u.r.i.e.r.e.n. .v.o.n. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r.....1.1.0.6.=.K.o.n.f.i.g.u.r.i.e.r.e.n. .v.o.n. .%.s.....1.1.0.7.=.S.e.t.u.p. .h.a.t. .d.i.e. .K.o.n.f.i.g.u.r.a.t.i.o.n. .v.o.n. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. .a.u.f. .I.h.r.e.m. .C.o.m.p.u.t.e.r. .a.b.g.e.s.c.h.l.o.s.s.e.n... .U.m. .m.i.t. .d.e.r. .I.n.s.t.a.l.l.a.t.i.o.n. .f.o.r.t.z.u.f.a.h.r.e.n. .m.u... .d.a.s. .S.y.s.t.e.m. .n.e.u. .g.e.s.t.a.r.t.e.t. .w.e.r.d.e.n... .W...h.l.e.n. .S.i.e. .N.e.u.s.t.a.r.t.e.n.

C:\Users\user\AppData\Local\Temp\{EB03F53E-C6F6-4592-B57B-F035896D1449}\Disk1\0x0409.ini

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	22492
Entropy (8bit):	3.484893836872466
Encrypted:	false
SSDEEP:	384:CTmyuV//BiTbh/G4AwC2WrP2DBWa/Oa0Mhs+XVgv:CT6V//BiXh/z/lWr0aa0Mhs+XVgv
MD5:	BE345D0260AE12C5F2F337B17E07C217
SHA1:	0976BA0982FE34F1C35A0974F6178E15C238ED7B
SHA-256:	E994689A13B9448C074F9B471EDEEC9B524890A0D82925E98AB90B658016D8F3
SHA-512:	77040DBEE29BE6B136A83B9E444D8B4F71FF739F7157E451778FB4FCCB939A67FF881A70483DE16BCB6AE1FEA64A89E00711A33EC26F4D3EEA8E16C9E9553EFF
Malicious:	false
Reputation:	unknown
Preview:	..[.0.x.0.4.0.9.].....1.1.0.0.=.S.e.t.u.p. .I.n.i.t.i.a.l.i.z.a.t.i.o.n. .E.r.r.o.r.....1.1.0.1.=.%.s.....1.1.0.2.=.%.1. .S.e.t.u.p. .i.s. .p.r.e.p.a.r.i.n.g. .t.h.e. .%.2.,. .w.h.i.c.h. .w.i.l.l. .g.u.i.d.e. .y.o.u. .t.h.r.o.u.g.h. .t.h.e. .p.r.o.g.r.a.m. .s.e.t.u.p. .p.r.o.c.e.s.s... . .P.l.e.a.s.e. .w.a.i.t.......1.1.0.3.=.C.h.e.c.k.i.n.g. .O.p.e.r.a.t.i.n.g. .S.y.s.t.e.m. .V.e.r.s.i.o.n.....1.1.0.4.=.C.h.e.c.k.i.n.g. .W.i.n.d.o.w.s.(.R.). .I.n.s.t.a.l.l.e.r. .V.e.r.s.i.o.n.....1.1.0.5.=.C.o.n.f.i.g.u.r.i.n.g. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r.....1.1.0.6.=.C.o.n.f.i.g.u.r.i.n.g. .%.s.....1.1.0.7.=.S.e.t.u.p. .h.a.s. .c.o.m.p.l.e.t.e.d. .c.o.n.f.i.g.u.r.i.n.g. .t.h.e. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. .o.n. .y.o.u.r. .s.y.s.t.e.m... .T.h.e. .s.y.s.t.e.m. .n.e.e.d.s. .t.o. .b.e. .r.e.s.t.a.r.t.e.d. .i.n. .o.r.d.e.r. .t.o. .c.o.n.t.i.n.u.e. .w.i.t.h. .t.h.e. .i.n.s.t.a.l.l.a.t.i.o.n... .P.l.e.a.s.e. .c.l.i.c.k. .R.e.s.t.a.r.t. .t.o. .r.e.b.o.o.t. .t.h.e. .s.y.s.t.e.m.......1.1.0.8.

C:\Users\user\AppData\Local\Temp\{EB03F53E-C6F6-4592-B57B-F035896D1449}\Disk1\0x040a.ini

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	25140
Entropy (8bit):	3.439336772199357
Encrypted:	false
SSDEEP:	192:XqCTxiKLkQEq0w/2yOK8deU2K4/WaChA2ZwxD9VErXWlMHtDaMJVLr5:XqClLkQT4z4uaCC2axbYXWSHZaMJxr5
MD5:	E872C54C58EEF055BC791D3EEAD093C3
SHA1:	FC7BA9CEF237686C06DD63FD2CCBFE037518E378
SHA-256:	1739D42ED181F36AB4F524C01B57A4102C2F7510661D973A1077A4E88AC34B97
SHA-512:	E8512974D4851B7FB504292F3330D318F72C2646EC3DB2C54ED7938EB73249EC1CE867916D15C6A36B3FEB39F0FE98DD1781E5EC938BB2427059B4EE2DC00E1D
Malicious:	false
Reputation:	unknown
Preview:	..[.0.x.0.4.0.a.].....1.1.0.0.=.E.r.r.o.r. .d.e. .i.n.i.c.i.o. .d.e. .i.n.s.t.a.l.a.c.i...n.....1.1.0.1.=.%.s.....1.1.0.2.=.E.l. .p.r.o.g.r.a.m.a. .d.e. .i.n.s.t.a.l.a.c.i...n. .%.1. .e.s.t... .p.r.e.p.a.r.a.n.d.o. .%.2.,. .q.u.e. .l.e. .g.u.i.a.r... .d.u.r.a.n.t.e. .e.l. .r.e.s.t.o. .d.e.l. .p.r.o.c.e.s.o. .d.e. .i.n.s.t.a.l.a.c.i...n... . .E.s.p.e.r.e. .p.o.r. .f.a.v.o.r.......1.1.0.3.=.C.o.m.p.r.o.b.a.n.d.o. .l.a. .v.e.r.s.i...n. .d.e.l. .s.i.s.t.e.m.a. .o.p.e.r.a.t.i.v.o.....1.1.0.4.=.C.o.m.p.r.o.b.a.n.d.o. .l.a. .v.e.r.s.i...n. .d.e.l. .i.n.s.t.a.l.a.d.o.r. .d.e. .W.i.n.d.o.w.s.(.R.).....1.1.0.5.=.C.o.n.f.i.g.u.r.a.n.d.o. .e.l. .i.n.s.t.a.l.a.d.o.r. .d.e. .W.i.n.d.o.w.s.....1.1.0.6.=.C.o.n.f.i.g.u.r.a.n.d.o. .%.s.....1.1.0.7.=.E.l. .p.r.o.g.r.a.m.a. .d.e. .i.n.s.t.a.l.a.c.i...n. .h.a. .t.e.r.m.i.n.a.d.o. .d.e. .c.o.n.f.i.g.u.r.a.r. .e.l. .i.n.s.t.a.l.a.d.o.r. .d.e. .W.i.n.d.o.w.s. .e.n. .e.l. .s.i.s.t.e.m.a... .E.l. .s.i.s.t.e.m.a. .s.e. .d.e.b.e. .r.e.i.n.i.c.i.a.r. .p.a.r.a. .s.

C:\Users\user\AppData\Local\Temp\{EB03F53E-C6F6-4592-B57B-F035896D1449}\Disk1\0x040c.ini

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	26270
Entropy (8bit):	3.4773296330092287
Encrypted:	false
SSDEEP:	384:dadl9gg5LFghqYpI+JTz0bBQBWRGgG8fY8JfuqGWzjYN2D6UMYO1:dMXFGhqiUbBQcL68JfuqFjYN2DVa
MD5:	35989450C8121207917F04D1EBE4CA2A
SHA1:	0037EC09F27D222CAD447288BD2462D63ABA2520
SHA-256:	B14D9D7AFC505868407C425CB5A78C891BAA8A6AC8EB35CFB3D71C71F5BEE1FA
SHA-512:	1CF2A0130679AB238C5E41BB1DE21F6F915595AF7CC9B90ECFCE2D05075CF3BA92CCAB464A7291EFD1EE4CDBA54A01D61BEB75B919AD687FBA178A95486B26F8
Malicious:	false
Reputation:	unknown
Preview:	..[.0.x.0.4.0.c.].....1.1.0.0.=.E.r.r.e.u.r. .l.o.r.s. .d.e. .l.'.i.n.i.t.i.a.l.i.s.a.t.i.o.n. .d.e. .l.'.i.n.s.t.a.l.l.a.t.i.o.n.....1.1.0.1.=.%.s.....1.1.0.2.=.L.'.i.n.s.t.a.l.l.a.t.e.u.r. .%.1. .p.r...p.a.r.e. .%.2.,. .l.e.q.u.e.l. .v.o.u.s. .g.u.i.d.e.r.a. .p.o.u.r. .l.'.i.n.s.t.a.l.l.a.t.i.o.n. .d.u. .l.o.g.i.c.i.e.l... .V.e.u.i.l.l.e.z. .p.a.t.i.e.n.t.e.r.......1.1.0.3.=.V...r.i.f.i.c.a.t.i.o.n. .d.e. .l.a. .v.e.r.s.i.o.n. .d.e. .s.y.s.t...m.e. .d.'.e.x.p.l.o.i.t.a.t.i.o.n.....1.1.0.4.=.V...r.i.f.i.c.a.t.i.o.n. .d.e. .l.a. .v.e.r.s.i.o.n. .d.e. .W.i.n.d.o.w.s.(.R.). .I.n.s.t.a.l.l.e.r.....1.1.0.5.=.C.o.n.f.i.g.u.r.a.t.i.o.n. .d.e. .W.i.n.d.o.w.s.(.R.). .I.n.s.t.a.l.l.e.r.....1.1.0.6.=.C.o.n.f.i.g.u.r.a.t.i.o.n. .d.'.%.s.....1.1.0.7.=.L.'.i.n.s.t.a.l.l.a.t.i.o.n. .a. .t.e.r.m.i.n... .l.a. .c.o.n.f.i.g.u.r.a.t.i.o.n. .d.e. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. .s.u.r. .v.o.t.r.e. .o.r.d.i.n.a.t.e.u.r... .P.o.u.r. .p.o.u.v.o.i.r. .p.o.u.r.s.u.i.v.r.e. .l.'.i.n.s.t.a.l.l.a.t.i.o.n.,. .

C:\Users\user\AppData\Local\Temp\{EB03F53E-C6F6-4592-B57B-F035896D1449}\Disk1\0x0410.ini

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	25188
Entropy (8bit):	3.4430435546496425
Encrypted:	false
SSDEEP:	384:hXRoc4nLsC8oKjuTSC6KJqJ/j48pQ2LmRU20yn:hyLLKqTS6oQ2Lmf
MD5:	F89FC24FCE7B72A6C9A6E1F9E7B22D8A
SHA1:	CD13C5DBD8C58DDC1F1727D45362358AFAC7FCF2
SHA-256:	2970BB63E5BC3DE4C693DE313D715C0C5F93BD35E18CDAEC56954034CC7653A6
SHA-512:	A55209B9419B9FEF4D6107956131E6BDA36BD281C94416C39788AA8E926A7A44DAE19544A46C84CD2337678A3A4AF753FAD73E024BAE19DA4D536186A061013A
Malicious:	false
Reputation:	unknown
Preview:	..[.0.x.0.4.1.0.].....1.1.0.0.=.E.r.r.o.r.e. .d.i. .i.n.i.z.i.a.l.i.z.z.a.z.i.o.n.e. .d.e.l.l.'.i.n.s.t.a.l.l.a.z.i.o.n.e.....1.1.0.1.=.%.s.....1.1.0.2.=.I.l. .p.r.o.g.r.a.m.m.a. .d.i. .i.n.s.t.a.l.l.a.z.i.o.n.e. .%.1. .s.t.a. .p.r.e.p.a.r.a.n.d.o. .%.2... . .A.t.t.e.n.d.e.r.e.......1.1.0.3.=.V.e.r.i.f.i.c.a. .d.e.l.l.a. .v.e.r.s.i.o.n.e. .d.e.l. .s.i.s.t.e.m.a. .o.p.e.r.a.t.i.v.o. .i.n. .c.o.r.s.o.....1.1.0.4.=.V.e.r.i.f.i.c.a. .d.e.l.l.a. .v.e.r.s.i.o.n.e. .d.i. .W.i.n.d.o.w.s.(.R.). .I.n.s.t.a.l.l.e.r. .i.n. .c.o.r.s.o.....1.1.0.5.=.C.o.n.f.i.g.u.r.a.z.i.o.n.e. .d.i. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. .i.n. .c.o.r.s.o.....1.1.0.6.=.C.o.n.f.i.g.u.r.a.z.i.o.n.e. .d.i. .%.s. .i.n. .c.o.r.s.o.....1.1.0.7.=.I.l. .p.r.o.g.r.a.m.m.a. .d.i. .i.n.s.t.a.l.l.a.z.i.o.n.e. .h.a. .c.o.m.p.l.e.t.a.t.o. .l.a. .c.o.n.f.i.g.u.r.a.z.i.o.n.e. .d.i. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. .s.u.l. .s.i.s.t.e.m.a... .R.i.a.v.v.i.a.r.e. .i.l. .s.i.s.t.e.m.a. .p.e.r. .c.o.n.t.i.n.u.a.r.e... .S.c.e.g.l.i.e.r.e.

C:\Users\user\AppData\Local\Temp\{EB03F53E-C6F6-4592-B57B-F035896D1449}\Disk1\0x0411.ini

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	14960
Entropy (8bit):	5.1996979572130915
Encrypted:	false
SSDEEP:	384:DKeEbO3nl8cDUK21OxgCvk3aV4ls8Gb8YVyl:DKtbO3l8coK21OxgCl7Fyl
MD5:	6EBBB5D67423D8D85F1688B561BF5304
SHA1:	AD0E2D717F750AF47F81E0BC1200F5245266D505
SHA-256:	E3B87E8B94AD50BBE21795B3408943F9A6D6F33813E96802962CB74B889EDFE7
SHA-512:	13CDBA0E0EA410BED289492C7C04D5CB9FFBD931B6006547AA5FF05587FBB9CF32E6626D016DD29892A80514EA642D60490F16E6B9402256C257B7CE276924DF
Malicious:	false
Reputation:	unknown
Preview:	..[.P.r.o.p.e.r.t.i.e.s.].....F.o.n.t.N.a.m.e.=.M.S. .U.I. .G.o.t.h.i.c.....F.o.n.t.S.i.z.e.=.9.........[.0.x.0.4.1.1.].....1.1.0.0.=..0.0.0.0.0.0.R.g.S.0.0.0....1.1.0.1.=.%.s.....1.1.0.2.=.%.1. ..0.0.0.0.0.0o0.0.0.0.0.0.0.0.0.0.0.0.0n0Kb...0T0Hh.QY0.0 .%.2. ..0.n.PW0f0D0~0Y0.0W0p0.0O0J0._a0O0`0U0D0.0....1.1.0.3.=..0.0.0.0.0.0.0.0 ..0.0.0.0n0.0.0.0.0.0.0.x..W0f0D0~0Y0....1.1.0.4.=.W.i.n.d.o.w.s.(.R.). .I.n.s.t.a.l.l.e.r.n0.0.0.0.0.0.0.x..W0f0D0~0Y0....1.1.0.5.=.W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r..0-..[W0f0D0~0Y0....1.1.0.6.=.%.s. ..0-..[W0f0D0~0Y0....1.1.0.7.=..0.0.0.0.0.0o0.0.0.0.0.0.Nn0 .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. .n0-..[.0.[.NW0~0W0_0.0.0.0.0.0.0.0.0.}L.Y0.0k0o0.0.0.0.0.0.0.Qw..RY0.0._..L0B0.0~0Y0.0.0.Qw..R.0.0.0.0.0.0W0f0.0.0.0.0.0.0.Qw..RW0f0O0`0U0D0.0....1.1.0.8.=.%.s.....1.1.2.5.=..0.0.0.0.0.0....n0x..b....1.1.2.6.=.S0n0.0.0.0.0.0.0g0.O(uY0.0.....0!kn0.0.0.0K0.0x..bW0f0O0`0U0D0.0....1.1.2.7.=.W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. ..0.0.0.0n0-..[.0.[.bU0[0.0.p.0.0.0.0.0.0.0o0

C:\Users\user\AppData\Local\Temp\{EB03F53E-C6F6-4592-B57B-F035896D1449}\Disk1\0x0412.ini

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	14126
Entropy (8bit):	5.413031845668093
Encrypted:	false
SSDEEP:	192:NtPl0V894Pp/WwJTqSuQusVG5qyKBUxVzliQZWNtgHmYgHgsNSbiE/VRauG:+G94xOwJTqSuQB7VNtc3OS3VUV
MD5:	73E70A6B9354E80237C8E2B3170830A0
SHA1:	B4C8777CE9C2D2FFF4C0C914825CBE698FEAADAF
SHA-256:	316577CF74D3545D632B0DE55513A3511D654849655157CB84821B871EC081E9
SHA-512:	F15E736E7C0B55437B39869A0BBCE15D5365F04C70BE23FC373D83CE0E99E0A806244C1C44CD298DC4970D20AF6CB1198A9D84749F5D5AC02162C261B1460ED7
Malicious:	false
Reputation:	unknown
Preview:	..[.P.r.o.p.e.r.t.i.e.s.].....F.o.n.t.N.a.m.e.=.t.......F.o.n.t.S.i.z.e.=.9.........[.0.x.0.4.1.2.].....1.1.0.0.=.$.X. ...0.T. .$.X.....1.1.0.1.=.%.s.....1.1.0.2.=.%.2. ... ......X. .....0... .%.1.D.(.\|.). .$.X.`. .$.X. ......\|. ...D. ........ ..... .0.......$.......1.1.0.3.=..... ..... ..... .U.x. .......1.1.0.4.=.W.i.n.d.o.w.s.(.R.). .I.n.s.t.a.l.l.e.r. ..... .U.x. .......1.1.0.5.=.W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. .l.1. .......1.1.0.6.=.%.s. .l.1. .......1.1.0.7.=.$.X. ...\.....t. ......X. ....\... .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r.X. .l.1.D. .D......... .$.X.\|. ....X.$.t. ....\.D. .... ....t.\|. .i..... .".... ....". ...\|. .... ....\.D. .... .....X.....$.......1.1.0.8.=.%.s.....1.1.2.5.=.$.X. .... . .......1.1.2.6.=.$.X.X.. ..H. .....`. ....\|. .D...... . ...X.....$.......1.1.2.7.=.$.X. ...\.....t. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. ...D... .l.1.D. .D..X.$.t. ....\.D. .... ....t.\|. .i..... . ..... ....\.D. .... ....X.$.t. .[...].\|. .t..X...

C:\Users\user\AppData\Local\Temp\{EB03F53E-C6F6-4592-B57B-F035896D1449}\Disk1\0x0413.ini

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	25000
Entropy (8bit):	3.4464436827428178
Encrypted:	false
SSDEEP:	192:iSdyxvO3iFoIuWyQLKHiSeBtcIA0YpE7jir/dX4dJgXpDAKTcm3tbcrnj8k:iIMO3sJdMpA6ViJguKTcmZcrj8k
MD5:	DC1C05A9FCE06CF659C20AED317DD417
SHA1:	2447C12E75ED0F4B5BD9D4C6ACB29AEE35562F23
SHA-256:	98D6CEEF6A444B9E8450ABEFC5B72BD6B0DF1CD5D7C7CD2822EB1BD186FF8526
SHA-512:	2CDD4932E279988B0DFEEFD86E5B997A9D5F5BC6780819D80293BAF5A9B0B56C9D0AA597150CADC1C7B2C329F5FEAF308F97FA22DD4B915050BCC6D911CDDA96
Malicious:	false
Reputation:	unknown
Preview:	..[.0.x.0.4.1.3.].....1.1.0.0.=.I.n.i.t.i.a.l.i.s.a.t.i.e.f.o.u.t. .v.o.o.r. .S.e.t.u.p.....1.1.0.1.=.%.s.....1.1.0.2.=.%.1. .S.e.t.u.p. .i.s. .b.e.z.i.g. .m.e.t. .h.e.t. .v.o.o.r.b.e.r.e.i.d.e.n. .v.a.n. .d.e. .%.2. .d.i.e. .u. .d.o.o.r. .d.e. .s.e.t.u.p. .v.a.n. .h.e.t. .p.r.o.g.r.a.m.m.a. .z.a.l. .l.e.i.d.e.n... .E.e.n. .o.g.e.n.b.l.i.k. .g.e.d.u.l.d.......1.1.0.3.=.B.e.z.i.g. .m.e.t. .h.e.t. .c.o.n.t.r.o.l.e.r.e.n. .v.a.n. .d.e. .v.e.r.s.i.e. .v.a.n. .h.e.t. .b.e.s.t.u.r.i.n.g.s.s.y.s.t.e.e.m.....1.1.0.4.=.B.e.z.i.g. .m.e.t. .h.e.t. .c.o.n.t.r.o.l.e.r.e.n. .v.a.n. .d.e. .v.e.r.s.i.e. .v.a.n. .W.i.n.d.o.w.s.(.R.). .I.n.s.t.a.l.l.e.r.....1.1.0.5.=.B.e.z.i.g. .m.e.t. .h.e.t. .c.o.n.f.i.g.u.r.e.r.e.n. .v.a.n. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r.....1.1.0.6.=.B.e.z.i.g. .m.e.t. .h.e.t. .c.o.n.f.i.g.u.r.e.r.e.n. .v.a.n. .%.s.....1.1.0.7.=.S.e.t.u.p. .i.s. .k.l.a.a.r. .m.e.t. .h.e.t. .c.o.n.f.i.g.u.r.e.r.e.n. .v.a.n. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. .o.p. .u.w. .s.y.s.t.e.e.m... .H.e.t.

C:\Users\user\AppData\Local\Temp\{EB03F53E-C6F6-4592-B57B-F035896D1449}\Disk1\0x0416.ini

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	24142
Entropy (8bit):	3.50067586721218
Encrypted:	false
SSDEEP:	384:cuS60JBnWzm1xn9iW4WSWIWwWdW/WxW9W7WSWiAhWssvK4D:cT6YBosx9Ujsf
MD5:	88CF36612986147152BC34798D847FC8
SHA1:	C626EB6CA21D0BD8148C4990CA9BC3955A84AC2E
SHA-256:	FD410CE6CEA3FE21E0D45BA8A3A95459502275052C318971ECD548970DFCCDCF
SHA-512:	D5768CF9ECB1E158B3A9196CD340EB8DB5B294BB20433554D4D605C7A3AB4F7CA6027791FD63F011E68325AF52EB18D734B45F2FD670D109FF60E93B97D9A20D
Malicious:	false
Reputation:	unknown
Preview:	..[.0.x.0.4.1.6.].....1.1.0.0.=.E.r.r.o. .d.e. .i.n.i.c.i.a.l.i.z.a.....o. .d.o. .I.n.s.t.a.l.l.S.h.i.e.l.d. .W.i.z.a.r.d.....1.1.0.1.=.%.s.....1.1.0.2.=.O. .p.r.o.g.r.a.m.a. .d.e. .i.n.s.t.a.l.a.....o. .d.o. .%.1. .e.s.t... .p.r.e.p.a.r.a.n.d.o. .o. .%.2. .p.a.r.a. .a.j.u.d...-.l.o. .c.o.m. .o. .p.r.o.c.e.s.s.o. .d.e. .i.n.s.t.a.l.a.....o... . .A.g.u.a.r.d.e.......1.1.0.3.=.V.e.r.i.f.i.c.a.n.d.o. .a. .v.e.r.s...o. .d.o. .s.i.s.t.e.m.a. .o.p.e.r.a.c.i.o.n.a.l.....1.1.0.4.=.V.e.r.i.f.i.c.a.n.d.o. .a. .v.e.r.s...o. .d.o. .i.n.s.t.a.l.a.d.o.r. .d.o. .W.i.n.d.o.w.s.(.R.).....1.1.0.5.=.C.o.n.f.i.g.u.r.a.n.d.o. .o. .i.n.s.t.a.l.a.d.o.r. .d.o. .W.i.n.d.o.w.s.....1.1.0.6.=.C.o.n.f.i.g.u.r.a.n.d.o. .o. .%.s.....1.1.0.7.=.A. .i.n.s.t.a.l.a.....o. .c.o.m.p.l.e.t.o.u. .a. .c.o.n.f.i.g.u.r.a.....o. .d.o. .i.n.s.t.a.l.a.d.o.r. .d.o. .W.i.n.d.o.w.s. .e.m. .s.e.u. .s.i.s.t.e.m.a... .O. .s.i.s.t.e.m.a. .p.r.e.c.i.s.a. .s.e.r. .r.e.i.n.i.c.i.a.d.o. .p.a.r.a. .p.o.d.e.r. .c.o.n.t.i.n.u.a.r. .c.o.m. .a. .

C:\Users\user\AppData\Local\Temp\{EB03F53E-C6F6-4592-B57B-F035896D1449}\Disk1\0x0419.ini

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	23432
Entropy (8bit):	4.02726434010301
Encrypted:	false
SSDEEP:	384:kiGLTiSapi6QnIw5sgVfCxOJebMVLDOU9L/esT:k/9tqMVLDOUJZ
MD5:	D12957CBC8D709DDACB854CCB7E09BEA
SHA1:	332F16C47A6F77390421E8DD9E1E5CD10625C46C
SHA-256:	79FE5A9A1DCD35ED68016FC5AA3720945F87A34C7B85F14763DC08F55796485E
SHA-512:	75351BAA104682FEDCC4B237C1DF1804C3C1EC2671E0200EAA4E37F26D1D28E3A6A33C93F6FF35CEC58E7701FA6A0961EFD7A2CBB44ED6C2CBD29D7C5DB057F5
Malicious:	false
Reputation:	unknown
Preview:	..[.0.x.0.4.1.9.].....1.1.0.0.=...H.8.1.:.0. .8.=.8.F.8.0.;.8.7.0.F.8.8. .?.@.>.3.@.0.<.<.K. .C.A.B.0.=.>.2.:.8.....1.1.0.1.=.%.s.....1.1.0.2.=.%.1. ...4.5.B. .?.>.4.3.>.B.>.2.:.0. .:. .7.0.?.C.A.:.C. .<.0.A.B.5.@.0. .%.2.,. .2.K.?.>.;.=.O.N.I.5.3.>. .C.A.B.0.=.>.2.:.C. .?.@.>.3.@.0.<.<.K... . ...4.8.B.5.......1.1.0.3.=...@.>.2.5.@.:.0. .2.5.@.A.8.8. .>.?.5.@.0.F.8.>.=.=.>.9. .A.8.A.B.5.<.K.....1.1.0.4.=...@.>.2.5.@.:.0. .2.5.@.A.8.8. .?.@.>.3.@.0.<.<.K. .C.A.B.0.=.>.2.:.8. .W.i.n.d.o.w.s.(.R.).....1.1.0.5.=...0.A.B.@.>.9.:.0. .?.@.>.3.@.0.<.<.K. .C.A.B.0.=.>.2.:.8. .W.i.n.d.o.w.s.....1.1.0.6.=...0.A.B.@.>.9.:.0. .%.s.....1.1.0.7.=...@.>.3.@.0.<.<.0. .C.A.B.0.=.>.2.:.8. .7.0.2.5.@.H.8.;.0. .=.0.A.B.@.>.9.:.C. .?.@.>.3.@.0.<.<.K. .C.A.B.0.=.>.2.:.8. .W.i.n.d.o.w.s. .2. .A.8.A.B.5.<.5... ...;.O. .?.@.>.4.>.;.6.5.=.8.O. .C.A.B.0.=.>.2.:.8. .=.5.>.1.E.>.4.8.<.>. .?.5.@.5.7.0.?.C.A.B.8.B.L. .A.8.A.B.5.<.C... ...0.6.<.8.B.5. .:.=.>.?.:.C. ."...5.@.5.7.0.?.C.A.:.".,. .G.B.>.1.K. .?.5.@.5.7.0.

C:\Users\user\AppData\Local\Temp\{EB03F53E-C6F6-4592-B57B-F035896D1449}\Disk1\0x0804.ini

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	10760
Entropy (8bit):	5.78352212360944
Encrypted:	false
SSDEEP:	192:Nw8vvP/KID2jmCt1bRNJQYRyljRpRIHDJCL0PvrmeAdovo/BVEU3EDa+7VUX7AoU:7XD65P9PvabCU6l7
MD5:	3D94EA458231BB249E464A3246E47D39
SHA1:	A1660EFACE2D76B3BAB6E21980D64EC5DA9A3844
SHA-256:	B1422D24B8B703541404776BADF70D377DF435D519CC5FFF2EE6666581CE407C
SHA-512:	46BFBD5D1D86CFFCEEF1316B13815B1D9A099E247ECB7CA12974107F921787EAA917DDC04BB937C7BF293EAFF12A45B56952174C1059EB42B325DBBC48CE4FA4
Malicious:	false
Reputation:	unknown
Preview:	..[.P.r.o.p.e.r.t.i.e.s.].....F.o.n.t.N.a.m.e.=..[SO....F.o.n.t.S.i.z.e.=.9.........[.0.x.0.8.0.4.].....1.1.0.0.=..[..z.^.R.Y.S.......1.1.0.1.=.%.s.....1.1.0.2.=.%.1. ..[..z.^ck(W.Q.Y .%.2....[.\._.[.`.[.biRYO.v.[...z.0...z.P.0....1.1.0.3.=.ck(W.h.g.d\O.\|.~Hr,g....1.1.0.4.=.ck(W.h.g .W.i.n.d.o.w.s.(.R.). .I.n.s.t.a.l.l.e.r. .Hr,g....1.1.0.5.=.ck(WM.n. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r.....1.1.0.6.=.ck(WM.n. .%.s.....1.1.0.7.=..[..z.^.](W.`.v.\|.~-N.[.b.N .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. ..vM.n..0 .......e/T.R.\|.~.N.O.~.~.[..0 ...US.Q. ..e/T.R. eg..e/T.R.\|.~.0....1.1.0.8.=.%.s.....1.1.2.5.=....b.[..z.^.v.......1.1.2.6.=..N.N.N..y.-N...bdk.[..z.^.v....0....1.1.2.7.=.I.n.s.t.a.l.l.e.r. .._{...e/T.R.`.v.\|.~..Mb...[.b .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. ..g.R.vM.n..0US.Q"./f"..S.zsS..e/T.R..US.Q".&T"..R.S(W.N.T/T.R.0....1.1.2.8.=..[..z.^.\.[.b .'.%.s.'. ..f.e.0/f&T.~.~......1.1.2.9.=.dk:ghV.].[....eHr .'.%.s.'..0.[..e.l.~.~.0....1.1.3.0.=.nx.[....1.1.3.1.=..S.m....1.

C:\Users\user\AppData\Local\Temp\{EB03F53E-C6F6-4592-B57B-F035896D1449}\Disk1\0x0816.ini

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	24772
Entropy (8bit):	3.4962564786346575
Encrypted:	false
SSDEEP:	384:ol0dQRxCLgWg2HuLWaQWIWdW7WwW8WtWxWdU0eWrWDWqWeRlWNudBv0s4n:omd0xCLa+i9g0kGudBch
MD5:	F5647EC2FA6F96103629860955AAED3C
SHA1:	960398A7F4406F91F37148DE2E83A86B660CFAD3
SHA-256:	C1ED2933A2CCB3B82F7A952741BF4C6D4F653D4997855C341F365671FCB9E87D
SHA-512:	CCDAB8B0884BDD7C55736EE419AAD5713B36DD9590232EA6BBCDFCE2A05058AAF708F0D19D42C450C2E3E7B82AD72D860B1CD21EA0C3671236DA5EFDDFCEBC5F
Malicious:	false
Reputation:	unknown
Preview:	..[.0.x.0.8.1.6.].....1.1.0.0.=.E.r.r.o. .n.a. .i.n.i.c.i.a.l.i.z.a.....o. .d.o. .p.r.o.g.r.a.m.a. .d.e. .c.o.n.f.i.g.u.r.a.....o.....1.1.0.1.=.%.s.....1.1.0.2.=.O. .p.r.o.g.r.a.m.a. .d.e. .c.o.n.f.i.g.u.r.a.....o. .%.1. .e.s.t... .a. .p.r.e.p.a.r.a.r. .o. .%.2. .q.u.e. .o. .o.r.i.e.n.t.a.r... .a.o. .l.o.n.g.o. .d.o. .p.r.o.c.e.s.s.o. .d.e. .c.o.n.f.i.g.u.r.a.....o. .d.o. .p.r.o.g.r.a.m.a... . .A.g.u.a.r.d.e.......1.1.0.3.=.A. .v.e.r.i.f.i.c.a.r. .a. .v.e.r.s...o. .d.o. .s.i.s.t.e.m.a. .o.p.e.r.a.t.i.v.o.....1.1.0.4.=.A. .v.e.r.i.f.i.c.a.r. .a. .v.e.r.s...o. .d.o. .p.r.o.g.r.a.m.a. .d.e. .i.n.s.t.a.l.a.....o. .d.o. .W.i.n.d.o.w.s.(.R.).....1.1.0.5.=.A. .c.o.n.f.i.g.u.r.a.r. .o. .p.r.o.g.r.a.m.a. .d.e. .i.n.s.t.a.l.a.....o. .d.o. .W.i.n.d.o.w.s.....1.1.0.6.=.A. .c.o.n.f.i.g.u.r.a.r. .o. .%.s.....1.1.0.7.=.C.o.n.f.i.g.u.r.a.....o. .d.o. .p.r.o.g.r.a.m.a. .d.o. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. .n.o. .s.i.s.t.e.m.a. .c.o.n.c.l.u...d.a... ... .n.e.c.e.s.s...r.i.o. .r.e.i.n.i.c.i.a.r. .o.

C:\Users\user\AppData\Local\Temp\{EB03F53E-C6F6-4592-B57B-F035896D1449}\Disk1\ISSetup.dll

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, PECompact2 compressed
Category:	dropped
Size (bytes):	624128
Entropy (8bit):	7.682447840603514
Encrypted:	false
SSDEEP:	12288:DG0Drt8hYjUSwYA7UCT9Te8so/Qf26dI9WgHnV:DfIYSLM8soYQ9Wg1
MD5:	A1F4859765FB2831E9E938978786E5A9
SHA1:	7E3FA7EC11142A2D4D39021466E295DF28E16D1A
SHA-256:	239FD6526AD6DEFA186CAADC6352BCE3E5F1DBA80B938960A46F909645B1FAC0
SHA-512:	19453A30E014D2EDEDDE5055F74C34102D2AAD0F7AC6BD9A77EEC0DC668D189A70BDA7EAA360BF1EA4D28A423B760472E71650DA6CB6221E2A8357163C1855A3
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......l...(..G(..G(..G...G+..GS..G,..G...G6..GG..G+..Gv..G..G...G..G..G$..G..G'..G(..G&..G...G...G...G...G..G)..G..G)..GRich(..G........PE..L......V...........!................h........ ..........................................................................G...\|...8...........................................................................................@7.......................text............x......PEC2MO...... ....rsrc................\|.............. ....reloc..............................@...................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{EB03F53E-C6F6-4592-B57B-F035896D1449}\Disk1\ISSetupPrerequisites\Microsoft .NET Framework 4.0 Full.prq

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	882
Entropy (8bit):	5.5315549627548615
Encrypted:	false
SSDEEP:	24:2dJER/304bIH4aSHqoBqd4zo7bR7FXBM+3itCv:cJER/EiI+JbzoHR7fSO
MD5:	A41C92076196F22C499456E28B717307
SHA1:	8A02F9E07F8147DC0BD1E80F036D948A998D96DA
SHA-256:	86F0C3170240059A4B5559FA37A67BA1B1E0FC63AC05618BC25873921DD9C2EC
SHA-512:	4DBBBA684655919F2E0C9CFDADF8DC1952B3024493153127CCE900E91FB777F20E8BECE953F294CE565474411A52DD2C23C5B1A3E074BD04335152BBEBB2DCD6
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-8"?>..<SetupPrereq>...<files>....<file LocalFile="<ISProductFolder>\\\SetupPrerequisites\Microsoft .net\4.0\Full\dotNetFx40_Full_x86_x64.exe" URL="http://download.microsoft.com/download/9/5/A/95A9616B-7A37-4AF6-BC36-D6EA96C8DAAE/dotNetFx40_Full_x86_x64.exe" CheckSum="251743DFD3FDA414570524BAC9E55381" FileSize="0,50449456"></file>...</files>...<execute file="dotNetFx40_Full_x86_x64.exe" cmdline="/q /norestart" cmdlinesilent="/q /norestart" returncodetoreboot="1641,3010" requiresmsiengine="1"></execute>...<properties Id="{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}" Description="This prerequisite installs the .NET Framework 4.0 full standalone package." AltPrqURL="http://saturn.installshield.com/is/prerequisites/microsoft .net framework 4.0 full.prq"></properties>...<behavior Hidden="1" Failure="4" Reboot="4"></behavior>..</SetupPrereq>..

C:\Users\user\AppData\Local\Temp\{EB03F53E-C6F6-4592-B57B-F035896D1449}\Disk1\ISSetupPrerequisites\Microsoft .NET Framework 4.6.2 Full.prq

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	852
Entropy (8bit):	5.574649055595306
Encrypted:	false
SSDEEP:	24:2dJg3lZjK5iQNo7qd4zo73IFs7NbBMMZ3w6Cv:cJgbgiQebzoB7Ntw
MD5:	2C483E72FFE687F26F1786EF83AB0B90
SHA1:	FAEBCD011FDA46E81CCBA651C6F366F1FF3CA560
SHA-256:	1EBE32F9DABE5633C32284CF408BFDE5B0030C6A11296F68587B370C205D64E6
SHA-512:	6283FE7F4B8DE81DD8E69DCEBE635625CAE192367EB4E8663EEA8D4C85A5A369342C6399A27193E13E387B13F8385F79E0A52169D2AC49FAAE65391FC6D57C34
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-8"?>..<SetupPrereq>...<files>....<file LocalFile="<ISProductFolder>\\SetupPrerequisites\Microsoft .net\4.6.2\Full\NDP462-DevPack-KB3151934-ENU.exe" URL="https://www.microsoft.com/en-us/download/confirmation.aspx?id=53345" CheckSum="55BA952927271EE000AC9E9C29A773A2" FileSize="0,86788848"></file>...</files>...<execute file="NDP462-DevPack-KB3151934-ENU.exe" cmdline="/q /norestart" cmdlinesilent="/q /norestart" returncodetoreboot="1641,3010" requiresmsiengine="1"></execute>...<properties Id="{BD1DE5DB-9AF6-4647-9DE2-13250D1D902A}" Description="This prerequisite installs the .NET Framework 4.6.2 Web Installer package." AltPrqURL="http://saturn.installshield.com/is/prerequisites/Microsoft .NET Framework 4.6.2 Web.prq"></properties>...<behavior Hidden="1" Failure="4" Reboot="4"></behavior>..</SetupPrereq>..

C:\Users\user\AppData\Local\Temp\{EB03F53E-C6F6-4592-B57B-F035896D1449}\Disk1\ISSetupPrerequisites\Microsoft Visual C++ 2010 Redistributable Package (x64).prq

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	870
Entropy (8bit):	5.534055912980872
Encrypted:	false
SSDEEP:	24:2dJObIyqy6lklZbowqd4zo7vg78PUyA3iM+v0hjDCv:cJMIBy6KlZTbzoU78POSv+jo
MD5:	80DDC85DF5C906B7F99B35B791BDFF10
SHA1:	39FE138666E0651D14B3F7E0F5E88990782D471F
SHA-256:	00BD1654C27BC26796A5ED6749EC66B59C153FD85AD9602E826A624E471BDB84
SHA-512:	F1DEBA415D85923A8F949CC3178B3CF2D4F729594A0040EF6CD15E42A38FE7371115E5A0134C20B754C19600AC55D56082D71F7FABEFBBBC5EF1AF792B961752
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-8"?>..<SetupPrereq>...<files>....<file LocalFile="<ISProductFolder>\SetupPrerequisites\VC 2010 Redist\x64\vcredist_x64.exe" URL="http://download.microsoft.com/download/3/2/2/3224B87F-CFA0-4E70-BDA3-3DE650EFEBA5/vcredist_x64.exe" CheckSum="630D75210B325A280C3352F879297ED5" FileSize="0,5718872"></file>...</files>...<execute file="vcredist_x64.exe" cmdline="/q /norestart" cmdlinesilent="/q /norestart" returncodetoreboot="1641,3010" requiresmsiengine="1"></execute>...<properties Id="{8A102FA5-9E73-477b-8937-2ED4C06AF304}" Description="This prerequisite installs the Microsoft Visual C++ 2010 Runtime Libraries (x64)." AltPrqURL="http://saturn.installshield.com/is/prerequisites/microsoft visual c++ 2010 redistributable package (x64).prq"></properties>...<behavior Hidden="1" Failure="4" Reboot="4"></behavior>..</SetupPrereq>..

C:\Users\user\AppData\Local\Temp\{EB03F53E-C6F6-4592-B57B-F035896D1449}\Disk1\ISSetupPrerequisites\Microsoft Visual C++ 2010 Redistributable Package (x86).prq

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1016
Entropy (8bit):	5.5327569153074005
Encrypted:	false
SSDEEP:	24:2dJ2BbIkrBPOosqd4zofSrB+V78PUyAmM+v0hjfCv:cJgIkrlIbzoKrsV78POWv+jE
MD5:	460D807CA0FCB1F58539341DF0CA148D
SHA1:	3A534427F1B6B1BA5B538632409DC6B74CDED8C8
SHA-256:	E3FB60799EAA6D77FE7BF66A701B0F939EEB8FE3EBBB0BD13FC4379CB31E5B1F
SHA-512:	CC987917D55207CD86BD7D19A998B8E89B9392CFAF51BAFE3C55F5B7D1B4488D3B18FAAF2A32923C5094D271519DE7EF2CAD80C3301604DEDA0F761EF5FE9D4A
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-8"?>..<SetupPrereq>...<files>....<file LocalFile="<ISProductFolder>\SetupPrerequisites\VC 2010 Redist\x86\vcredist_x86.exe" URL="http://download.microsoft.com/download/5/B/C/5BC5DBB3-652D-4DCE-B14A-475AB85EEF6E/vcredist_x86.exe" CheckSum="B88228D5FEF4B6DC019D69D4471F23EC" FileSize="0,5073240"></file>...</files>...<execute file="vcredist_x86.exe" cmdline="/q /norestart" cmdlinesilent="/q /norestart" returncodetoreboot="1641,3010" requiresmsiengine="1"></execute>...<dependencies>....<dependency File="<ISProductFolder>\SetupPrerequisites\Windows Installer 3.1 (x86).prq"></dependency>...</dependencies>...<properties Id="{83960519-644A-4722-BA7A-37D23C1D004F}" Description="This prerequisite installs the Microsoft Visual C++ 2010 Runtime Libraries (x86)." AltPrqURL="http://saturn.installshield.com/is/prerequisites/microsoft visual c++ 2010 redistributable package (x86).prq"></properties>...<behavior Hidden="1" Failure="4" Reboot="4"></behavior>..

C:\Users\user\AppData\Local\Temp\{EB03F53E-C6F6-4592-B57B-F035896D1449}\Disk1\ISSetupPrerequisites\Windows Installer 3.1 (x86).prq

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1613
Entropy (8bit):	5.379991792486219
Encrypted:	false
SSDEEP:	48:cmx7JdOue1nQb+9n6R9nhL5eofOlCIpdln6l1Xz0ws737JI:t7Pano+9nu9nhL57SCIpfnW1j0DW
MD5:	2CEE8889AB159E0071065B7B01A04A54
SHA1:	FE0D3E5B4078E15E98E98176D74AE414359F1F48
SHA-256:	7C452695E76E194D70EEAAF791B5A29354C268918169DA3F849D87EEBAD5F4C3
SHA-512:	5139B28E5B47C971204AAA4407576603C683B0C6C39A7EBD30F652FCF94EA64D3AC7C54A3E9AAF992E56362D6F6CCD3DB111E14659AB2198FB25856107756F21
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-8"?>..<SetupPrereq>...<conditions>....<condition Type="16" Comparison="2" Path="[SystemFolder]" FileName="msi.dll" ReturnValue="3.1.4000.2435"></condition>...</conditions>...<operatingsystemconditions>....<operatingsystemcondition MajorVersion="5" MinorVersion="0" PlatformId="2" CSDVersion="" ServicePackMajorMin="3"></operatingsystemcondition>....<operatingsystemcondition MajorVersion="5" MinorVersion="1" PlatformId="2" CSDVersion="" Bits="1" ProductType="1"></operatingsystemcondition>....<operatingsystemcondition MajorVersion="5" MinorVersion="2" PlatformId="2" CSDVersion="" Bits="1" ProductType="2\|3" ServicePackMajorMax="0"></operatingsystemcondition>...</operatingsystemconditions>...<files>....<file LocalFile="<ISProductFolder>\SetupPrerequisites\Windows Installer\3.1\x86\WindowsInstaller-KB893803-v2-x86.exe" URL="http://download.microsoft.com/download/1/4/7/147ded26-931c-4daf-9095-ec7baf996f46/WindowsInstaller-KB893803-v2-x86.exe" FileSize="0

C:\Users\user\AppData\Local\Temp\{EB03F53E-C6F6-4592-B57B-F035896D1449}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	50449456
Entropy (8bit):	7.999857855558976
Encrypted:	true
SSDEEP:	1572864:cAVBjIQSzQe3cf7xOCHKYrLn+XxdjrALIjOqWY99:VVBIbzQe3u7KYrCDS9299
MD5:	251743DFD3FDA414570524BAC9E55381
SHA1:	58DA3D74DB353AAD03588CBB5CEA8234166D8B99
SHA-256:	65E064258F2E418816B304F646FF9E87AF101E4C9552AB064BB74D281C38659F
SHA-512:	241BA3F82F37818407BC00909C160B653B45A1A3D156E043B87BA18A7819294716705C952C7B46516C4AFD86E6F99BAD23E7235B951A371AE6728107F19E5F23
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............}...}...}...,...}......}.......}...//..}.../...}.../...}.......}...}...}...,+..}...,/..}...,...}...,...}...,...}..Rich.}..........................PE..L......J.........."..........^...................@..........................@............@...... ..................@.......D...........................p.......l....................................V..@............................................text.............................. ..`.data....7..........................@....boxld01............................@..@.rsrc...............................@..@.reloc...(.......*..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{EB03F53E-C6F6-4592-B57B-F035896D1449}\Disk1\ISSetupPrerequisites\{57bcd1d4-2de9-49d9-bc0c-3f4263e9970e}\WindowsInstaller-KB893803-v2-x86.exe

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2585872
Entropy (8bit):	7.976224453143546
Encrypted:	false
SSDEEP:
MD5:	342F79337765760AD4E392EB67D5ED2C
SHA1:	8318455B36BA0A748307459279D46F2F4CDB5A0E
SHA-256:	69B61B2C00323CEA3686315617D0F452E205DAE10C47E02CBE1EA96FEA38F582
SHA-512:	70F32D415C70A97EECF0280EE9E6B10DB8F367EECFEDD92FCA6155A7DB19A776D2A96D5FCDBDE847036F4D7CF2E69B1D6DF6C073025582097F28C71F607B7E12
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5{.!q..rq..rq..rq..r...rQc.r`..rQc.r`..rQc.rp..rQc.rp..rRichq..r........................PE..L.....A.................~... .......^... ........... ................................(.......... .....................................0............Z'..............!............................................... ...............................text....\|... ...~.................. ..`.data...............................@....rsrc...0.........&.................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{EB03F53E-C6F6-4592-B57B-F035896D1449}\Disk1\ISSetupPrerequisites\{83960519-644A-4722-BA7A-37D23C1D004F}\vcredist_x86.exe

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5073240
Entropy (8bit):	7.998813387067771
Encrypted:	true
SSDEEP:
MD5:	B88228D5FEF4B6DC019D69D4471F23EC
SHA1:	372D9C1670343D3FB252209BA210D4DC4D67D358
SHA-256:	8162B2D665CA52884507EDE19549E99939CE4EA4A638C537FA653539819138C8
SHA-512:	CDD218D211A687DDE519719553748F3FB36D4AC618670986A6DADB4C45B34A9C6262BA7BAB243A242F91D867B041721F22330170A74D4D0B2C354AEC999DBFF8
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#pA.B...B...B..gM...B...B...B..gMC..B..gMA..B..gM@..B..gMD..B..Rich.B..........................PE..L....jkG.............................c... ........... ..............................hzM.......... ...................................................RM.X........... "...............................&..@............ ...............................text........ ...................... ..`.data...............................@....rsrc.............L.................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{EB03F53E-C6F6-4592-B57B-F035896D1449}\Disk1\ISSetupPrerequisites\{8A102FA5-9E73-477b-8937-2ED4C06AF304}\vcredist_x64.exe

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5718872
Entropy (8bit):	7.999141578918811
Encrypted:	true
SSDEEP:
MD5:	630D75210B325A280C3352F879297ED5
SHA1:	B330B760A8F16D5A31C2DC815627F5EB40861008
SHA-256:	B06546DDC8CA1E3D532F3F2593E88A6F49E81B66A9C2051D58508CC97B6A2023
SHA-512:	B6E107FA34764D336C9B59802C858845DF9F8661A1BEB41436FD638A044580557921E69883ED32737F853E203F0083358F642F3EFE0A80FAE7932C5E6137331F
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#pA.B...B...B..gM...B...B...B..gMC..B..gMA..B..gM@..B..gMD..B..Rich.B..........................PE..L....jkG.............................c... ........... ...............................3X.......... ...................................................,W.X........... "...............................&..@............ ...............................text........ ...................... ..`.data...............................@....rsrc.............V.................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{EB03F53E-C6F6-4592-B57B-F035896D1449}\Disk1\ISSetupPrerequisites\{BD1DE5DB-9AF6-4647-9DE2-13250D1D902A}\NDP462-DevPack-KB3151934-ENU.exe

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	86788848
Entropy (8bit):	7.999877963075258
Encrypted:	true
SSDEEP:
MD5:	55BA952927271EE000AC9E9C29A773A2
SHA1:	E9662691AB9E6CE2D1EEEBB9F94524707375B5ED
SHA-256:	E21D111FCA26C1B39CC09A619127A962137C242CE086AD25B8B5E097A0C8E199
SHA-512:	1C2D25371C9469E7D23EFF61C2C2A0C28F0AF5442744AEBB69CA9179E4D796414AC963A418235943C9A6A7F108FBE72E2DA6C308A6DEBF508791C541E2CA9784
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........-.}}~.}}~.}}~...~.}}~...~.}}~...~.}}~...~.}}~.}\|~.\|}~...~.}}~...~.}}~.}.~.}}~...~.}}~Rich.}}~........PE..L...!:.T.....................6....................@..........................P........,...@..................................5..@........8............,..>.......3.. ...............................X...@............................................text...$........................... ..`.rdata..L...........................@..@.data....0...`.......:..............@....wixburn8............J..............@..@.tls.................L..............@....rsrc....8.......:...N..............@..@.reloc..rD.......F..................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{EB03F53E-C6F6-4592-B57B-F035896D1449}\Disk1\data1.cab

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	InstallShield CAB
Category:	dropped
Size (bytes):	54808537
Entropy (8bit):	7.99876508220103
Encrypted:	true
SSDEEP:
MD5:	65CFAAE3E506C9AA2A9764F1736FF38F
SHA1:	021F54C82207A30F536C7EE3EA69D269E693B4C9
SHA-256:	09741DAC76C1AA5D4A46494A3E0775CA616550ABBE3888DBBB6EC401832728AC
SHA-512:	BC26D63C587DACFA6C1F877DCFE276644D8B1CADFD1A89BCE5315865463F60400B838A96F493140DC56797114B7435494561530CD98AE0EF747F51A06EC31250
Malicious:	false
Reputation:	unknown
Preview:	ISc(l...........................f............................................................................................................................................................................................................................................................................................................................................................9...N..I..^.....................S:..A..("6"..r..E...H.;@`...h.....#.N.`L.".l....................................................+.....6.=U....q%..IQR.ag.c7UY..z.~..H."l.`.hdeJ.......sx.r.2...`w.otS.D.......b..YL...}e.....l2.Q.!...h.."O.....dV6.%.......E-\.0........ ..kH..Tif`.V...KRS!5CA..$..Y....P...k....E.......An}.j...`.I..\.i.)0..&......=p......f..@..9p......n.J.bF...:W..J1...n..b.R. 7.3........:..a.p....l..<...<+.oWW{'b..=`.....Xi...7.........i..7.F.G.z.u..,z.K..:....O.....=.A<.a...0.=m.<......C..}.'....M_....x>.a..,Ul..Fq..a_\).......,..>...g.\..i.1i......n...>..+..*~.e.....q.\|..C

C:\Users\user\AppData\Local\Temp\{EB03F53E-C6F6-4592-B57B-F035896D1449}\Disk1\data1.hdr

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	InstallShield CAB
Category:	dropped
Size (bytes):	162815
Entropy (8bit):	4.080610091980609
Encrypted:	false
SSDEEP:
MD5:	29E0F2F27A360E991B83345EA3FBDE7D
SHA1:	DCCCB59AF0C321A1DE5563E936B4B760BCEE0B6C
SHA-256:	6FE5FEEFECE89D8E9CEF5748C96D778759A8DD898FB1D120C05180D8ECDE837E
SHA-512:	E1D0BB9AE435CADE4771531A507B18CC1618B7954020B8DD946373DB089D880019A0B1ADEA2B0BA8552A8817C9D9E30990F89CB9ED0AAA1CEA350ACD2A13079B
Malicious:	false
Reputation:	unknown
Preview:	ISc(l.........../_...{..........................................................................B~.........................................................................................................................................................................................................................................................................................9...N..I..^.....................S:..A..("6"..r..E...H.;@`...h.....#.N.`L.".l....................................................qJ........../_......................L.......L......(..........u,...,...,...,...,...........,...,...,...,...-..5-..A-..M-..}-...-...-...-..............1...........a......................../..E/..Q/..............i/..u/.../.../.../.../......./.../.../.............../.../......./.......0...0.......0..)0..........50..........A0..Y0..e0..}0...0...0...............0...........0...................................0.......................0...0.......0...............1...........................1

C:\Users\user\AppData\Local\Temp\{EB03F53E-C6F6-4592-B57B-F035896D1449}\Disk1\layout.bin

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	data
Category:	dropped
Size (bytes):	2384
Entropy (8bit):	3.4577970172580654
Encrypted:	false
SSDEEP:
MD5:	35308A914057746D647522C80386B555
SHA1:	25D119F844A36B2CEAAC9451D47051DC9FD41B8B
SHA-256:	4A3AFDC1E4B20EFF0103583963F4905378A3B59E72AA9B7C08AC3D7294D95F7D
SHA-512:	363A594F1FDAC65A8B453A984A32B03CE964666FAAF6B1E77F987D5257B0586B5BAACB44815B7996B3F7E3387C88286C0E5A7366ADE802C4A0D3B830995990DD
Malicious:	false
Reputation:	unknown
Preview:	c..S.@..P..........@.(.................................................................................................................................................................................................................................................... . ................... ...6...J.......p.......z.......\|......................................."...8...N...d...z...............................&...:...4...4.......................................(...4...4...4...4...4...4...4...4...4...4...4...4...4...4...4...4...4...4...4...4...s.e.t.u.p...i.n.i.....s.e.t.u.p...e.x.e...M.i.c.r.o.s.o.f.t. ...N.E.T. .F.r.a.m.e.w.o.r.k. .4...0. .F.u.l.l...p.r.q...I.S.S.e.t.u.p.P.r.e.r.e.q.u.i.s.i.t.e.s...d.o.t.N.e.t.F.x.4.0._.F.u.l.l._.x.8.6._.x.6.4...e.x.e...I.S.S.e.t.u.p.P.r.e.r.e.q.u.i.s.i.t.e.s.\.{.3.2.D.7.E.3.D.1.-.C.9.D.F.-.4.F.A.6.-.9.F.9.B.-.4.D.5.1.1.7.A.B.2.9.1.7.}...M.i.c.r.o.s.o.f.t. ...N.E.T. .F.r.a.m.e.w.o.r.k. .4...6...2. .F.u.l.l...p.r.q...N.D.P.4.6.2.-.D.e.v.P.a.c.k.-.K.B.3.1.5.

C:\Users\user\AppData\Local\Temp\{EB03F53E-C6F6-4592-B57B-F035896D1449}\Disk1\setup.exe

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	899584
Entropy (8bit):	6.634097534067204
Encrypted:	false
SSDEEP:
MD5:	0AF63F5DA767CFDE6DE4F770CA1D43CF
SHA1:	EE65CDD7C3AE594F49A3AD90EF213B910614E4BF
SHA-256:	9FB2722457D9D14835C26AB97BCD6C4568D0F3F2E32A14E54A4A797FBDEA180E
SHA-512:	15160588A9544EABD1D3E6DFE8D3221DB64D32469590012062A23772D51F623E74CB1C5D412AB633E403ECDF462F69436BC597A3F321761A56351F5A69CB7560
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Oi............Q1.......2......:2.......1..........0...c........."........../..C...............~(......Rich............PE..L..../.V.................\...Z......=........p....@..........................................................................<.......................................................................................p..d....5.. ....................text....[.......\.................. ..`.rdata.......p.......`..............@..@.data...d....`.......L..............@....rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{EB03F53E-C6F6-4592-B57B-F035896D1449}\Disk1\setup.ini

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	3218
Entropy (8bit):	3.707704974093079
Encrypted:	false
SSDEEP:
MD5:	26F679F0945CBA869E3E2245E0090D72
SHA1:	693D69335ABC02F278970F53CEA702EC4F25FA8B
SHA-256:	E3C7091D0E7405CC6F248DBC7A71463F9ED01D1D0B5BD465175EDB80F593DA23
SHA-512:	3D739A5C24BB3D828C4E4841764CE98075C99810034FA01E590EEDFAF82A3E890EE58AF3B47FBB47552C0B5EA2216AFF0DEC433836C92733EFB2389CF025488E
Malicious:	false
Reputation:	unknown
Preview:	..[.S.t.a.r.t.u.p.].....P.r.o.d.u.c.t.=.O.n.S.c.r.e.e.n. .C.o.n.t.r.o.l.....P.r.o.d.u.c.t.G.U.I.D.=.E.5.C.1.B.3.3.9.-.0.E.4.E.-.4.9.A.5.-.8.5.9.E.-.5.E.1.D.E.1.9.3.8.7.0.6.....C.o.m.p.a.n.y.N.a.m.e.=.L.G. .E.l.e.c.t.r.o.n.i.c.s. .I.n.c.....C.o.m.p.a.n.y.U.R.L.=.h.t.t.p.:././.w.w.w...l.g.e...c.o.m.....E.r.r.o.r.R.e.p.o.r.t.U.R.L.=.h.t.t.p.:././.w.w.w...i.n.s.t.a.l.l.s.h.i.e.l.d...c.o.m./.i.s.e.t.u.p./.P.r.o.E.r.r.o.r.C.e.n.t.r.a.l...a.s.p.?.E.r.r.o.r.C.o.d.e.=.%.d. .:. .0.x.%.x.&.E.r.r.o.r.I.n.f.o.=.%.s.....M.e.d.i.a.F.o.r.m.a.t.=.1.....L.o.g.M.o.d.e.=.1.....S.k.i.n.=.s.e.t.u.p...i.s.n.....S.m.a.l.l.P.r.o.g.r.e.s.s.=.N.....S.p.l.a.s.h.T.i.m.e.=.....C.h.e.c.k.M.D.5.=.Y.....C.m.d.L.i.n.e.=.....S.h.o.w.P.a.s.s.w.o.r.d.D.i.a.l.o.g.=.N.....S.c.r.i.p.t.D.r.i.v.e.n.=.4.........[.L.a.n.g.u.a.g.e.s.].....D.e.f.a.u.l.t.=.0.x.0.4.0.9.....S.u.p.p.o.r.t.e.d.=.0.x.0.8.0.4.,.0.x.0.4.0.4.,.0.x.0.4.1.3.,.0.x.0.4.0.9.,.0.x.0.4.0.c.,.0.x.0.4.0.7.,.0.x.0.4.1.0.,.0.x.0.4.1.1.,.0.x.0.4.1.2.,.0.x.0.4.1.6.,.0.

C:\Users\user\AppData\Local\Temp\{EB03F53E-C6F6-4592-B57B-F035896D1449}\Disk1\setup.inx

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	data
Category:	dropped
Size (bytes):	263335
Entropy (8bit):	7.385341141702601
Encrypted:	false
SSDEEP:
MD5:	FBE553A541574E5DF388139AAE5B4AA2
SHA1:	4A761EA0BB4DAE31097A13C63739F000573DB2C1
SHA-256:	FC9CC5F64031771C6E636BA2F925218DF2EC2BD1C80DA99E42ED4021FF163B99
SHA-512:	02D7B66B7BC691183D31648055C21B0EA8E1119FEAC4FE2165D7C2D08199387F5C36BAC505B37E9D07B900B64CF55A9073CCA5D89BDEE2E87B14FAF6C7E1C163
Malicious:	false
Reputation:	unknown
Preview:	t.,....(... <$.M. .=..........l.............o.c...gWSl..SW..WS[//d.d l$.XX%.......................q.y}a_=mQ.Y]A=.M1.)-!.)........................................}...m..q]}}aMm.U=].E-M.5.=.%.-...............................]......a..(..H....YQQEY.0.o=55.={.gC[..W.....O.So##` ......,..x8........X......]..H.........5MM.5s..gW.CKgCC.....;..TDh..8P@........8.....p.e..Q...\| h......%]1II.1....S[wSS.[.G.W.o....L.`H ..D.. ........t....L......ayyIa......s..w!99.!....Gs[K[............T,.0,,......\|(.....l...P...yyy!a...........w.o.....W.;o?g..+O.....4.,$\.@....<......l......}uuI}.4..@....!99.!..s.w..3{.SGk.......0.D4\.... H.............4...Ye}!e. ..D....c.w......w3.;#.#C.[.THl....(.<,4p,.$.......a..t...8..L..YQQ=Y...w.{o..`.--..S.w3.7+kk .....$..H8@.X,0...y...........x...H...1miMQ.c4....{%9-%%.-c.sO.....'7?..... @\D.....H...................iuUaaUi...MEE%M..gk........?.7wK.....@.\|$d8......$.<................e}}Qe...I]1II.1.W.[.c_.;[s.....g..W..L<l...

C:\Users\user\AppData\Local\Temp\{EB03F53E-C6F6-4592-B57B-F035896D1449}\Disk1\setup.isn

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	Atari MSA archive data, 53900 sectors per track, starting track: 22332, ending track: 3470
Category:	dropped
Size (bytes):	260021
Entropy (8bit):	6.694949702521348
Encrypted:	false
SSDEEP:
MD5:	AE2D8A450097B805681CF7353D2156DC
SHA1:	CFFC8C62295F8DC4571BD3A3ECFFD5C4AE818E0B
SHA-256:	566479EDE0B15838C3E89D7BC39D35B9EABD825080C052C0F139C70E295F01B5
SHA-512:	5A6B9ED7F4E920E974C22A83FCA19062D117356A759571F7AFD47A56D75EA784038441C309548BBFB8255EAF7F0F8496EBFEBCD7CF06713D6E0A3B6244A5EDFD
Malicious:	false
Reputation:	unknown
Preview:	.....W<.....%.K.....^N.....".UX.4..\%.z4.f..e'{%.w=$4F;f...4..6.%.v....1.. B/.c..r.>..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X..:...X.....*y..:....X..:y\.x...1..i7......O.}..v....44.:...zqr^........w..C..f....@0.....@.J....oqs..a7...!.S..o.].`w.....l@o..Qb~A...e.,ROvA..f...!.b.:..)...H...t.M+...i'..r..VQ.1..(.t......Q

C:\Users\user\AppData\Local\Temp\{EB03F53E-C6F6-4592-B57B-F035896D1449}\setup.ini

Download File

Process:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	3218
Entropy (8bit):	3.707704974093079
Encrypted:	false
SSDEEP:
MD5:	26F679F0945CBA869E3E2245E0090D72
SHA1:	693D69335ABC02F278970F53CEA702EC4F25FA8B
SHA-256:	E3C7091D0E7405CC6F248DBC7A71463F9ED01D1D0B5BD465175EDB80F593DA23
SHA-512:	3D739A5C24BB3D828C4E4841764CE98075C99810034FA01E590EEDFAF82A3E890EE58AF3B47FBB47552C0B5EA2216AFF0DEC433836C92733EFB2389CF025488E
Malicious:	false
Reputation:	unknown
Preview:	..[.S.t.a.r.t.u.p.].....P.r.o.d.u.c.t.=.O.n.S.c.r.e.e.n. .C.o.n.t.r.o.l.....P.r.o.d.u.c.t.G.U.I.D.=.E.5.C.1.B.3.3.9.-.0.E.4.E.-.4.9.A.5.-.8.5.9.E.-.5.E.1.D.E.1.9.3.8.7.0.6.....C.o.m.p.a.n.y.N.a.m.e.=.L.G. .E.l.e.c.t.r.o.n.i.c.s. .I.n.c.....C.o.m.p.a.n.y.U.R.L.=.h.t.t.p.:././.w.w.w...l.g.e...c.o.m.....E.r.r.o.r.R.e.p.o.r.t.U.R.L.=.h.t.t.p.:././.w.w.w...i.n.s.t.a.l.l.s.h.i.e.l.d...c.o.m./.i.s.e.t.u.p./.P.r.o.E.r.r.o.r.C.e.n.t.r.a.l...a.s.p.?.E.r.r.o.r.C.o.d.e.=.%.d. .:. .0.x.%.x.&.E.r.r.o.r.I.n.f.o.=.%.s.....M.e.d.i.a.F.o.r.m.a.t.=.1.....L.o.g.M.o.d.e.=.1.....S.k.i.n.=.s.e.t.u.p...i.s.n.....S.m.a.l.l.P.r.o.g.r.e.s.s.=.N.....S.p.l.a.s.h.T.i.m.e.=.....C.h.e.c.k.M.D.5.=.Y.....C.m.d.L.i.n.e.=.....S.h.o.w.P.a.s.s.w.o.r.d.D.i.a.l.o.g.=.N.....S.c.r.i.p.t.D.r.i.v.e.n.=.4.........[.L.a.n.g.u.a.g.e.s.].....D.e.f.a.u.l.t.=.0.x.0.4.0.9.....S.u.p.p.o.r.t.e.d.=.0.x.0.8.0.4.,.0.x.0.4.0.4.,.0.x.0.4.1.3.,.0.x.0.4.0.9.,.0.x.0.4.0.c.,.0.x.0.4.0.7.,.0.x.0.4.1.0.,.0.x.0.4.1.1.,.0.x.0.4.1.2.,.0.x.0.4.1.6.,.0.

C:\Users\user\Desktop\cmdline.out

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	508593
Entropy (8bit):	2.2527340145675567
Encrypted:	false
SSDEEP:
MD5:	006BF18CDE258C5F02206D9ABCFBB521
SHA1:	9AC3A611BCD58E07BEFDF4DCEB1AC1E187955AC6
SHA-256:	7D41EB6FFA54A63506903E029C4809FA7B2FB5CF1C4CC33E8A1135F5769E7B14
SHA-512:	AB74F02A446B0C616FC4C979DCE66C384968B263C4CAA47849D1E8BF442B4AB31E08F1FB919306A11C2B87CFA9CEB396478F9BE82194EE5294BC5C131CE872EE
Malicious:	false
Reputation:	unknown
Preview:	--2022-05-30 13:45:42-- https://gscs-b2c.lge.com/downloadFile?fileId=JCmfbdhuo6i4ujSC2MbC6Q..Resolving gscs-b2c.lge.com (gscs-b2c.lge.com)... 95.140.230.217..Connecting to gscs-b2c.lge.com (gscs-b2c.lge.com)\|95.140.230.217\|:443... connected...HTTP request sent, awaiting response... 200 OK..Length: 329389870 (314M) [application/octet-stream]..Saving to: 'C:/Users/user/Desktop/download/Win_OSC_7.48.zip'.... 0K .......... .......... .......... .......... .......... 0% 544K 9m51s.. 50K .......... .......... .......... .......... .......... 0% 492K 10m22s.. 100K .......... .......... .......... .......... .......... 0% 904K 8m53s.. 150K .......... .......... .......... .......... .......... 0% 621K 8m49s.. 200K .......... .......... .......... .......... .......... 0% 606K 8m49s.. 250K .......... .......... .......... .......... .......... 0% 1.17M 8m6s.. 300K .......... .......... .......... .......... .......... 0% 664K 8m6s.. 350K .......... .......... .

C:\Users\user\Desktop\download\Win_OSC_7.48.zip

Download File

Process:	C:\Windows\SysWOW64\wget.exe
File Type:	Zip archive data, at least v2.0 to extract
Category:	modified
Size (bytes):	329389870
Entropy (8bit):	7.999695094074275
Encrypted:	true
SSDEEP:
MD5:	1EAF4DDCA652C0693FEC21B31CB7F2BC
SHA1:	CB34C081E4F47B86DA17149E7427B160D0839D0B
SHA-256:	4528745902A0B1E935909F09ADD1D827B8EF9A92633A65BC651A0269888BB6F1
SHA-512:	84EAFE7E89899288E8135825315D00A0412AFC6658A633DDD46E5C9FDA9AB47E191481D6D9F53B32404A2222E90A087450DC1526667D4207B1A1D143F1D836B7
Malicious:	false
Reputation:	unknown
Preview:	PK...........TR_.q.....X......OSC_Gaming_7.48.exe.{\|T..7~f2I...A&..(Z5^.HM..A=.-...&PH...8U.2...`p26..T..OQQik[..ZZc..HL.Pn"bA.5..u......k.3......._>0s.....k......J%KQ...7.EiP._......C....e..].`.......Y8f.....w.7......1.?....c...-......y..<x.X..S....+W.n..._...W..v. ...................Gn.D..].mx...lP...p...7...\.j.{.e....}.=w...._U..6.2.....v.m.d.Q.9....l.....],.g....._........7.^.rA.M.....cB...WN..t+J....[9Z...#8.Qs..s.1.3__...P....#..X....c.....wW..E..D.c..;s..+..W.b...p.(}O.._.....>x7].:.=..uF.R......o..U.\|..o].3..2.V...\.~.V....Q.ec......p.KU.._e).....~.B.v......=.5w.]..:...nw..z..........?.......]S...A..(JokQ{..!".z}4.u..S./P.O.Ne.aB=...x~==.JY...k..E@5.6..&.....B....Z..N.E.f;....1R...........0T..W30<..[B../.Z/.5]V..._e..>9_S.J&{.u.. u.K/m.....9....ls...>...t.I..e.9.c.....Z6..!^..g.......+..B{..=.......r.%.......4..>.#>Go..w..c.Q{jW...k.........u7.v~.....G.....C.%>.K.w\|n.<m0hj...N\|78?%ry..,.<X....bTYo=y0q.....o.........:.r..'.

C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe

Download File

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	333404296
Entropy (8bit):	7.998646449666471
Encrypted:	true
SSDEEP:
MD5:	3ACB26F0E75E1DF8A687C40E3F812BC4
SHA1:	CED318EAA2E2474E64808311E50519D44B5CA98D
SHA-256:	4066799D2EF3A8C70B4FBB05B0DB6B34EC7B33642484B441E679C38EBAF841E5
SHA-512:	45756FE5C3094AFB8B6C38EE450057B6FC725FFA4C53D4DF6C35C9C1DD1C4EF541B0C7949A20DAAED8126CF2F0A7AA7173480F7545FB3B9844C4BCC63DEE4412
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Oi............Q1.......2......:2.......1..........0...c........."........../..C...............~(......Rich............PE..L..../.V.................\...Z......=........p....@..........................................................................<.......................:...............................................................p..d....5.. ....................text....[.......\.................. ..`.rdata.......p.......`..............@..@.data...d....`.......L..............@....rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	1249
Entropy (8bit):	4.169951411456794
Encrypted:	false
SSDEEP:
MD5:	8419D71DA4F64189A6645D3856ADAD5B
SHA1:	2CB1E4F91B7496EB6D575B0D59FF80DDCDF19B86
SHA-256:	60A5484DCD6A9EF73497878E54AF2CB5F7096A89A0EFDE98DB26C5D042CD6B59
SHA-512:	228E236E710F8363138F4AC08B043BC65A35FA1F66C8AB597EDAA81428C45C0522E77D06C78320ABE9FA4B1100DF32106666E63789E59F84623BD3B9F72A1FB9
Malicious:	false
Reputation:	unknown
Preview:	..7-Zip 18.05 (x86) : Copyright (c) 1999-2018 Igor Pavlov : 2018-04-30....Scanning the drive for archives:.. 0M Scan C:\Users\user\Desktop\download\. .1 file, 329389870 bytes (315 MiB)....Extracting archive: C:\Users\user\Desktop\download\Win_OSC_7.48.zip..--..Path = C:\Users\user\Desktop\download\Win_OSC_7.48.zip..Type = zip..Physical Size = 329389870.... 0%. . 9% - OSC_Gaming_7.48.exe. . 16% - OSC_Gaming_7.48.exe. . 21% - OSC_Gaming_7.48.exe. . 29% - OSC_Gaming_7.48.exe. . 37% - OSC_Gaming_7.48.exe. . 44% - OSC_Gaming_7.48.exe. . 51% - OSC_Gaming_7.48.exe. . 57% - OSC_Gaming_7.48.exe. . 64% - OSC_Gaming_7.48.exe. . 71% - OSC_Gaming_7.48.exe. . 79% - OSC_Gaming_7.48.exe.

Static File Info

⊘No static file info

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: cmd.exePID: 6328, Parent PID: 460

General

Target ID:	0
Start time:	13:45:41
Start date:	30/05/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://gscs-b2c.lge.com/downloadFile?fileId=JCmfbdhuo6i4ujSC2MbC6Q" > cmdline.out 2>&1
Imagebase:	0xc20000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6384, Parent PID: 6328

General

Target ID:	1
Start time:	13:45:41
Start date:	30/05/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9170000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: wget.exePID: 6416, Parent PID: 6328

General

Target ID:	2
Start time:	13:45:42
Start date:	30/05/2022
Path:	C:\Windows\SysWOW64\wget.exe
Wow64 process (32bit):	true
Commandline:	wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://gscs-b2c.lge.com/downloadFile?fileId=JCmfbdhuo6i4ujSC2MbC6Q"
Imagebase:	0x400000
File size:	3895184 bytes
MD5 hash:	3DADB6E2ECE9C4B3E1E322E617658B60
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: 7za.exePID: 5876, Parent PID: 460

General

Target ID:	31
Start time:	13:49:30
Start date:	30/05/2022
Path:	C:\Windows\SysWOW64\7za.exe
Wow64 process (32bit):	true
Commandline:	7za x -y -pinfected -o"C:\Users\user\Desktop\extract" "C:\Users\user\Desktop\download\Win_OSC_7.48.zip"
Imagebase:	0x8a0000
File size:	289792 bytes
MD5 hash:	77E556CDFDC5C592F5C46DB4127C6F4C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6948, Parent PID: 5876

General

Target ID:	32
Start time:	13:49:31
Start date:	30/05/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9170000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: OSC_Gaming_7.48.exePID: 980, Parent PID: 5872

General

Target ID:	33
Start time:	13:49:57
Start date:	30/05/2022
Path:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe"
Imagebase:	0x400000
File size:	333404296 bytes
MD5 hash:	3ACB26F0E75E1DF8A687C40E3F812BC4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: dotNetFx40_Full_x86_x64.exePID: 6568, Parent PID: 980

General

Target ID:	37
Start time:	13:50:36
Start date:	30/05/2022
Path:	C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\{53F0EC7F-FD9B-4806-98F8-EB765FA5512A}\Disk1\ISSetupPrerequisites\{32D7E3D1-C9DF-4FA6-9F9B-4D5117AB2917}\dotNetFx40_Full_x86_x64.exe" /q /norestart
Imagebase:	0x1250000
File size:	50449456 bytes
MD5 hash:	251743DFD3FDA414570524BAC9E55381
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: wce, Description: wce, Source: 00000025.00000003.1030578560.000000000704E000.00000004.00000800.00020000.00000000.sdmp, Author: Benjamin DELPY (gentilkiwi) Rule: wce, Description: wce, Source: 00000025.00000003.1034122196.0000000007D6E000.00000004.00000800.00020000.00000000.sdmp, Author: Benjamin DELPY (gentilkiwi)
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: OSC_Gaming_7.48.exePID: 6984, Parent PID: 3968

General

Target ID:	38
Start time:	13:50:47
Start date:	30/05/2022
Path:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe"
Imagebase:	0x400000
File size:	333404296 bytes
MD5 hash:	3ACB26F0E75E1DF8A687C40E3F812BC4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: OSC_Gaming_7.48.exePID: 4584, Parent PID: 3968

General

Target ID:	43
Start time:	13:50:54
Start date:	30/05/2022
Path:	C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\extract\OSC_Gaming_7.48.exe"
Imagebase:	0x400000
File size:	333404296 bytes
MD5 hash:	3ACB26F0E75E1DF8A687C40E3F812BC4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: OSC_Gaming_7.48.exePID: 980, Parent PID: 5872COMMON

Execution Graph

Execution Coverage:	25.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	8.8%
Total number of Nodes:	2000
Total number of Limit Nodes:	66

Executed Functions

Function 00448260 Relevance: 138.3, APIs: 50, Strings: 28, Instructions: 1789
stringCOMMONCrypto

Download Yara Rule

C-Code - Quality: 79%

			E00448260(void* __ecx, void* __eflags, CHAR** _a4, WCHAR* _a8, char _a11, char _a12, char _a15, intOrPtr _a16, char _a19) {
				int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v24;
				CHAR* _v28;
				char _v29;
				char _v30;
				char _v31;
				char _v32;
				char _v33;
				char _v34;
				char _v35;
				char _v36;
				char _v37;
				char _v38;
				char _v39;
				char _v40;
				char _v41;
				char _v42;
				char _v43;
				char _v44;
				char _v45;
				char _v46;
				char _v47;
				char _v48;
				char _v49;
				char _v50;
				char _v51;
				char _v52;
				char _v53;
				signed int _v60;
				CHAR* _v64;
				void* _v68;
				long _v72;
				void* _v80;
				void* _v92;
				void* _v108;
				void* _v112;
				intOrPtr _v120;
				char _v124;
				void* _v136;
				struct HINSTANCE__* _v144;
				void* _v152;
				void* _v156;
				void* _v168;
				void* _v180;
				void* _v196;
				void* _v200;
				long _v204;
				char _v216;
				void* _v228;
				void* _v244;
				void* _v248;
				char _v256;
				intOrPtr _v264;
				void* _v292;
				void* _v296;
				intOrPtr _v304;
				WCHAR* _v328;
				void* _v332;
				void* _v336;
				intOrPtr _v344;
				struct HINSTANCE__* _v368;
				char _v376;
				void _v475;
				char _v476;
				int _v480;
				intOrPtr _v484;
				intOrPtr _v488;
				int _v492;
				intOrPtr _v500;
				struct HINSTANCE__* _v524;
				char _v532;
				intOrPtr _v540;
				struct HINSTANCE__* _v564;
				char _v572;
				char _v612;
				char _v616;
				struct _OVERLAPPED* _v620;
				struct _OVERLAPPED* _v624;
				struct HINSTANCE__* _v628;
				char _v668;
				void* _v672;
				CHAR* _v676;
				char _v680;
				char _v724;
				intOrPtr _v732;
				char _v764;
				char _v776;
				void _v875;
				char _v876;
				char _v916;
				void _v1015;
				char _v1016;
				char _v1044;
				void _v1303;
				char _v1304;
				char _v1376;
				void _v1894;
				short _v1896;
				void _v4967;
				char _v4968;
				void* __esi;
				void* __ebp;
				char _t782;
				struct HINSTANCE__* _t796;
				int _t802;
				void* _t804;
				long _t812;
				struct HINSTANCE__* _t822;
				intOrPtr* _t828;
				long _t833;
				struct HINSTANCE__* _t849;
				_Unknown_base(*)()* _t853;
				signed char _t856;
				void* _t867;
				struct HINSTANCE__* _t868;
				struct HINSTANCE__* _t869;
				void* _t889;
				void* _t897;
				struct HINSTANCE__* _t902;
				struct HINSTANCE__* _t907;
				struct HINSTANCE__* _t912;
				void* _t916;
				intOrPtr* _t918;
				long _t939;
				void* _t957;
				struct HINSTANCE__* _t958;
				void* _t986;
				long _t993;
				void* _t995;
				struct HINSTANCE__* _t1003;
				struct HINSTANCE__* _t1010;
				struct HINSTANCE__* _t1017;
				struct HINSTANCE__* _t1024;
				intOrPtr* _t1033;
				void* _t1042;
				void* _t1045;
				void* _t1048;
				void* _t1051;
				void* _t1054;
				void* _t1087;
				void* _t1090;
				void* _t1094;
				struct HINSTANCE__* _t1096;
				intOrPtr* _t1107;
				long _t1112;
				void* _t1123;
				void* _t1130;
				CHAR* _t1131;
				void* _t1136;
				void* _t1137;
				void* _t1138;
				struct HINSTANCE__* _t1140;
				void* _t1141;
				intOrPtr* _t1149;
				WCHAR* _t1158;
				long _t1159;
				struct HINSTANCE__* _t1167;
				long _t1170;
				struct HINSTANCE__* _t1172;
				CHAR* _t1186;
				struct HINSTANCE__* _t1187;
				CHAR* _t1189;
				CHAR* _t1191;
				void* _t1192;
				struct HINSTANCE__* _t1193;
				struct HINSTANCE__* _t1212;
				void* _t1241;
				signed int _t1264;
				void* _t1303;
				void* _t1325;
				signed int _t1326;
				void* _t1327;
				signed int _t1336;
				signed int _t1418;
				void* _t1419;
				void* _t1433;
				signed int _t1449;
				signed int _t1450;
				signed int _t1461;
				struct HINSTANCE__* _t1474;
				void* _t1475;
				void* _t1477;
				signed int _t1481;
				signed int _t1482;
				intOrPtr _t1498;
				intOrPtr _t1510;
				CHAR** _t1531;
				struct HINSTANCE__* _t1535;
				intOrPtr _t1546;
				intOrPtr _t1573;
				intOrPtr _t1629;
				signed int _t1640;
				CHAR** _t1651;
				long* _t1657;
				CHAR** _t1658;
				signed int _t1678;
				CHAR** _t1682;
				struct HINSTANCE__* _t1686;
				struct HINSTANCE__* _t1687;
				long* _t1688;
				CHAR** _t1689;
				CHAR* _t1693;
				CHAR** _t1694;
				struct HINSTANCE__* _t1696;
				struct HINSTANCE__* _t1701;
				void* _t1704;
				void* _t1709;
				void* _t1714;
				intOrPtr _t1715;
				void* _t1718;
				void* _t1719;
				void* _t1720;
				WCHAR* _t1723;
				signed int _t1725;
				void* _t1728;
				void* _t1729;
				void* _t1733;
				void* _t1734;
				void* _t1738;

				_push(0xffffffff);
				_push(0x465b07);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t1715;
				L0043B9F0(0x1354, __ecx, __ecx);
				_t1682 = _a4;
				_v20 = _t1715;
				if(_t1682 == 0) {
					L127:
					__eflags = 0;
					 *[fs:0x0] = _v16;
					return 0;
				} else {
					_t782 =  *0x47e910; // 0x1
					if(_t782 == 0 || _a16 == 0) {
						_push(0);
						_push( &_a19);
						_v336 = 0x4675a0;
						_v304 = 0x467598;
						L00401C68( &_v336);
						_t9 =  &_a12; // 0x467570
						_push(0);
						_push( &_a15);
						_push( *_t9);
						_v8 = 0;
						_v764 = 0x4675a0;
						_v732 = 0x467598;
						L0040176A( &_v764);
						_v876 = 0;
						memset( &_v875, 0, 0x18 << 2);
						asm("stosw");
						asm("stosb");
						_v8 = 2;
						lstrcpyA( &_v876, "NO DOUBT");
						_v1896 = 0;
						memset( &_v1894, 0, 0x81 << 2);
						asm("stosw");
						lstrcpyW( &_v1896, _a8);
						_v484 = _t1682;
						_v492 = 1;
						_v488 = 0x44fdb0;
						_v480 = 0;
						_t796 = E0045D83C( &_v876, lstrlenA,  &_v1896,  &_v876, lstrlenA( &_v876), 0,  &_v492); // executed
						_t1718 = _t1715 + 0x2c;
						__eflags = _t796;
						if(_t796 == 0) {
							_v8 = 0;
							L0040125C( &_v764);
							_v8 = 0xffffffff;
							L0040125C( &_v336);
							goto L127;
						} else {
							_v1304 = 0;
							_t1186 =  *_a4;
							memset( &_v1303, 0, 0x40 << 2);
							_t1719 = _t1718 + 0xc;
							asm("stosw");
							asm("stosb");
							_t1640 = 0;
							__eflags = 0;
							while(1) {
								_t1531 = _a4;
								__eflags = _t1640 -  *((intOrPtr*)(_t1531 + 4));
								if(_t1640 >=  *((intOrPtr*)(_t1531 + 4))) {
									break;
								}
								lstrcpyA( &_v1304, _t1186);
								_t1087 = lstrlenA( &_v1304) + 1;
								_t1191 =  &(_t1186[_t1087]);
								_v72 = E0043C90A( &_v1304, _t1191);
								_t1090 = lstrlenA(_t1191) + 1;
								_v60 = _t1640 + _t1087 + _t1090;
								_t1192 =  &(_t1191[_t1090]);
								_v68 = L0043BC14(_v72);
								_t1449 = _v72;
								_t1704 = _t1192;
								_t1450 = _t1449 >> 2;
								_t1186 = _t1192 + memcpy(_v68, _t1704, _t1450 << 2);
								_t1094 = memcpy(_t1704 + _t1450 + _t1450, _t1704, _t1449 & 0x00000003);
								_t1733 = _t1719 + 0x20;
								_v60 = _t1094 + _v60;
								_v64 = _t1186;
								_t1096 = lstrcmpiA( &_v1304, "skin.ini");
								__eflags = _t1096;
								if(_t1096 != 0) {
									L26:
									_t1193 = L0043BC14(8);
									_t1734 = _t1733 + 4;
									_v28 = _t1193;
									__eflags = _t1193;
									_v8 = 0x10;
									if(_t1193 == 0) {
										_t1193 = 0;
										__eflags = 0;
									} else {
										 *((intOrPtr*)(_t1193 + 4)) = _v72;
										_t1123 = L0043BC14(_v72);
										_t1481 = _v72;
										_t1709 = _v68;
										_t1482 = _t1481 >> 2;
										 *_t1193 = _t1123;
										memcpy(_t1123, _t1709, _t1482 << 2);
										memcpy(_t1709 + _t1482 + _t1482, _t1709, _t1481 & 0x00000003);
										_t1734 = _t1734 + 0x1c;
									}
									_v8 = 2;
									_v200 = 0x46758c;
									_v168 = 0x467584;
									L00447D40( &_v200, 0);
									_v8 = 0x11;
									L00447B80( &_v196,  &_v34);
									_v8 = 0x12;
									L00447D30( &_v180);
									_v8 = 0x13;
									L00447D70( &_v168, 0);
									_t1461 =  &_v200;
									_v28 = _t1461;
									_v8 = 0x15;
									__eflags =  &_v200;
									if( &_v200 != 0) {
										__eflags =  &_v1304;
										if( &_v1304 == 0) {
											_t1477 = 0;
											__eflags = 0;
										} else {
											asm("repne scasb");
											_t1477 =  !(_t1461 | 0xffffffff) - 1;
										}
										_push(1);
										_push( &_v32);
										_push(_t1477);
										_push( &_v1304);
										E0043018C( &_v200);
									}
									_t178 = _v200 + 4; // 0x24
									SetLastError( *(_t1714 +  *_t178 - 0xc4));
									_push( &_v28);
									_v8 = 0x16;
									_v28 = 0;
									_push(L004537A0( &_v724,  &_v200));
									_push( &_v256);
									_v8 = 0x17;
									_t1107 = L00453640();
									_v8 = 0x16;
									L0040125C( &_v724);
									 *( *_t1107 + 0x34) = _t1193;
									asm("sbb eax, eax");
									_v8 = 0x19;
									_t1112 = GetLastError();
									asm("sbb ecx, ecx");
									 *( *((intOrPtr*)( *( ~( &_v200) &  &_v168) + 4)) + ( ~( &_v200) &  &_v168)) = _t1112;
									E00430164( ~( &_v200) &  &_v180);
									asm("sbb ecx, ecx");
									_t1474 =  ~( &_v200) &  &_v196;
									__eflags = _t1474;
									_v8 = 0x18;
									_v24 = _t1474;
									E0040213C(_t1474, 1);
									_t1475 = _v200;
									_v8 = 2;
									_t206 = _t1475 + 4; // 0x24
									SetLastError( *(_t1714 +  *_t206 - 0xc4));
									_t1186 = _v64;
								} else {
									_push(_t1096);
									_push( &_a11);
									_push( &_v1304);
									_v152 = 0x4675a0;
									_v120 = 0x467598;
									E004300B2( &_v152);
									_push(0);
									_push( &_v37);
									_push("\\");
									_v8 = 3;
									_v376 = 0x4675a0;
									_v344 = 0x467598;
									E004300B2( &_v376);
									_push( &_v376);
									_push( &_v764);
									_push( &_v612);
									_v8 = 4;
									_t1130 = E00452AA0();
									_push( &_v152);
									_push(_t1130);
									_push( &_v244);
									_v8 = 5;
									_t1131 = E00452AA0();
									_t1733 = _t1733 + 0x18;
									_v28 = _t1131;
									_v8 = 6;
									_t1678 = GetTickCount();
									_v64 = 0;
									while(1) {
										__eflags = _v64 - 0xffff;
										if(__eflags >= 0) {
											break;
										}
										_t1136 = L00451EE0(_v28, __eflags,  &_v916);
										_v8 = 7;
										_t1137 = L00451740(_t1136,  &_v112, 0, 4);
										_v8 = 8;
										_t1138 = L00451C40(_v28, __eflags,  &_v532);
										_push(_t1137);
										_push(_t1138);
										_v8 = 9;
										_push( &_v572);
										_t1140 = E00458A20();
										_t1738 = _t1733 + 0xc;
										__eflags = _t1140;
										_v8 = 0xa;
										if(_t1140 == 0) {
											_t1141 = 0;
											__eflags = 0;
										} else {
											_t1141 = _t1140 + 4;
										}
										_t1498 =  *0x467594; // 0xffffffff
										E004024B9( &_v332, _t1141, 0, _t1498);
										_v8 = 9;
										L0040125C( &_v572);
										_v8 = 8;
										L0040125C( &_v532);
										_v8 = 7;
										L0040125C( &_v112);
										_v8 = 6;
										L0040125C( &_v916);
										L004517F0( &_v296,  &_v36, 1);
										_v8 = 0xb;
										_t1149 = L0042CD98( &_v296,  &_v776, 0x104);
										_v8 = 0xc;
										 *((char*)(_t1149 + 4)) = 1;
										wsprintfW( *(L00401E6C(_t1149,  *_t1149)), L"%hx.rra", _t1678 & 0x0000ffff);
										_t1733 = _t1738 + 0xc;
										_v8 = 0xb;
										L00438D56( &_v776);
										_t1510 =  *0x467594; // 0xffffffff
										asm("sbb eax, eax");
										L004057F3( &_v332,  ~( &_v296) &  &_v292, 0, _t1510);
										_t1158 = _v328;
										__eflags = _t1158;
										if(_t1158 == 0) {
											_t1158 = 0x467570;
										}
										_t1159 = GetFileAttributesW(_t1158); // executed
										__eflags = _t1159 - 0xffffffff;
										if(_t1159 != 0xffffffff) {
											_t1678 = _t1678 + 1;
											_v8 = 6;
											L0040125C( &_v296);
											_v64 =  &(_v64[1]);
											continue;
										} else {
											_v8 = 6;
											L0040125C( &_v296);
											_v8 = 5;
											L0040125C( &_v244);
											_v8 = 4;
											L0040125C( &_v612);
											_v8 = 3;
											L0040125C( &_v376);
											_v8 = 2;
											L0040125C( &_v152);
											_v676 = 0;
											_v672 = 0xffffffff;
											L004517F0( &_v668,  &_v35, 1);
											_v8 = 0xd;
											_t1167 = L0043BC14(4);
											_t1734 = _t1733 + 4;
											__eflags = _t1167;
											if(__eflags == 0) {
												_t1167 = 0;
												__eflags = 0;
											} else {
												 *_t1167 = 1;
											}
											_v628 = _t1167;
											_v624 = 0;
											_v620 = 0;
											_v616 = 0;
											_v680 = 0x467ef8;
											_push(0);
											_push(0);
											_push(2);
											_push(0x80);
											_push(1);
											_push(0x40000000);
											_push( &_v336);
											_v8 = 0xe;
											E00412F07( &_v680, __eflags); // executed
											_t1170 = _v72;
											__eflags = _t1170 - 0xffffffff;
											if(_t1170 == 0xffffffff) {
												_t1170 = 1;
											}
											_t1172 = WriteFile(_v672, _v68, _t1170,  &_v204, 0); // executed
											__eflags = _t1172;
											if(_t1172 == 0) {
												_push(1);
												_push( &_v668);
												L00413593( &_v1376);
												L0043BD6A( &_v1376, 0x46c528);
											}
											_t1629 =  *0x467594; // 0xffffffff
											asm("sbb eax, eax");
											_t138 =  &(_a4[3]); // 0xd
											E004024B9(_t138,  ~( &_v336) &  &_v332, 0, _t1629);
											_v680 = 0x467ef8;
											_v8 = 0xf;
											E004134DD( &_v680); // executed
											_v8 = 2;
											L0040125C( &_v668);
										}
										goto L35;
									}
									_push(0x50);
									L0041387B( &_v1044, __eflags);
									L0043BD6A( &_v1044, 0x46a390);
									goto L26;
								}
								L35:
								E0043AE17(_v68);
								_t1640 = _v60;
								_t1719 = _t1734 + 4;
							}
							_t213 =  &(_a4[2]); // 0x9
							_t802 = GetPrivateProfileIntA("SKINS", "VERSION", 1, L00452F40(_t213)); // executed
							_a4[0x14] = _t802;
							_t1686 = L0043BC14(0x1d8);
							_t1720 = _t1719 + 4;
							_v24 = _t1686;
							__eflags = _t1686;
							_v8 = 0x1a;
							if(_t1686 == 0) {
								_t1187 = 0;
								__eflags = 0;
							} else {
								L00449CC0(_t1686);
								_push(1);
								_push( &_a11);
								_t218 = _t1686 + 0x158; // 0x158
								L0040B243(_t218);
								_t221 = _t1686 + 0x184; // 0x184
								_v8 = 0x1b;
								E004523D0(_t221,  &_v34,  &_v32);
								_t225 = _t1686 + 0x194; // 0x194
								_v8 = 0x1c;
								E00452480(_t225,  &_v36,  &_v35);
								_t229 = _t1686 + 0x1a4; // 0x1a4
								_v8 = 0x1d;
								E00452530(_t229,  &_v50,  &_v37);
								_t233 = _t1686 + 0x1b4; // 0x1b4
								_v8 = 0x1e;
								E004525E0(_t233,  &_v30,  &_v29);
								_t237 = _t1686 + 0x1c8; // 0x1c8
								_v8 = 0x1f;
								E004527B0(_t237,  &_v33,  &_v31);
								 *((char*)(_t1686 + 0x180)) = 0;
								 *(_t1686 + 0x1c4) = 0xffffffff;
								_t1187 = _t1686;
							}
							_t1212 = L"ALL";
							_v8 = 2;
							__eflags = _t1212;
							_t1687 = _t1212;
							if(_t1212 == 0) {
								_t1687 = 0x47e150;
							}
							_t804 = L0043BA1F(_t1687);
							_t242 = _t1187 + 0x15c; // 0x15c
							L0040BF1A(_t242, _t1687, _t804);
							_v1016 = 0;
							memset( &_v1015, 0, 0x18 << 2);
							asm("stosw");
							asm("stosb");
							lstrcpyA( &_v1016, "TEXTCOLOR");
							_t248 =  &(_a4[2]); // 0x9
							GetPrivateProfileStringA("ALL",  &_v1016, 0x47e154,  &_v876, 0x64, L00452F40(_t248)); // executed
							_t251 = _t1187 + 0x1c4; // 0x1c4
							_t1688 = _t251;
							_t812 = GetSysColor(8);
							_push(_t1688);
							 *_t1688 = _t812;
							_t1723 = _t1720 + 0x10 - 0x28;
							_a8 = _t1723;
							L004472C0(_t1723,  &_v876,  &_a11, 1);
							_t1689 = _a4;
							L0044F620(_t1714, __eflags);
							_t256 = _t1187 + 0x184; // 0x184
							E0044B840(_t1689, L"ALL");
							_t257 = _t1187 + 0x194; // 0x194
							_push(L"ALL");
							E0044BDE0(_t1689);
							_t258 = _t1187 + 0x1b4; // 0x1b4
							_push(_t258);
							_push(L"ALL");
							E0044C900(_t1689);
							E0044D870(_t1689, L"ALL", _t258);
							 *((intOrPtr*)(_t1187 + 0x14c)) = _t1689;
							_v200 = 0x4675f0;
							_v168 = 0x4675e8;
							L00447D40( &_v200, 0);
							_t1535 = L"ALL";
							_v8 = 0x20;
							__eflags = _t1535;
							_t822 = _t1535;
							if(__eflags == 0) {
								_t822 = 0x47e150;
							}
							L00452E70( &_v196, __eflags, _t822,  &_a11);
							_v8 = 0x21;
							L00447D30( &_v180);
							_t268 =  &_v168; // 0x4675e8
							_v8 = 0x22;
							L00447D70(_t268, 0);
							_push( &_v28);
							_v8 = 0x23;
							_v28 = 0;
							_push(L00453DD0( &_v724,  &_v200));
							_push( &_v256);
							_v8 = 0x24;
							_t828 = L00453B70();
							_v8 = 0x23;
							E004061C1( &_v724);
							 *( *_t828 + 0x34) = _t1187;
							_t282 =  &_v168; // 0x4675e8
							asm("sbb eax, eax");
							_v8 = 0x26;
							_t833 = GetLastError();
							asm("sbb ecx, ecx");
							 *( *((intOrPtr*)( *( ~( &_v200) & _t282) + 4)) + ( ~( &_v200) & _t282)) = _t833;
							E00430164( ~( &_v200) &  &_v180);
							asm("sbb ecx, ecx");
							_v8 = 0x25;
							E0040213C( ~( &_v200) &  &_v196, 1);
							_t1241 = _v200;
							_v8 = 2;
							_t292 = _t1241 + 4; // 0x24
							SetLastError( *(_t1714 +  *_t292 - 0xc4));
							_v4968 = 0;
							memset( &_v4967, 0, 0x2ff << 2);
							asm("stosw");
							asm("stosb");
							_v476 = 0;
							memset( &_v475, 0, 0x18 << 2);
							_t1725 =  &(_t1723[0xc]);
							asm("stosw");
							__eflags =  &(_a4[2]);
							asm("stosb");
							GetPrivateProfileSectionNamesA( &_v4968, 0xc00, L00452F40( &(_a4[2]))); // executed
							_t1693 =  &_v4968;
							while(1) {
								__eflags =  *_t1693;
								if( *_t1693 == 0) {
									break;
								}
								lstrcpyA( &_v476, _t1693);
								_t308 = lstrlenA(_t1693) + 1; // 0x1
								_v28 =  &(_t1693[_t308]);
								_v112 = 0x4675f0;
								_v80 = 0x4675e8;
								L00447D40( &_v112, 0);
								_v8 = 0x27;
								L00447B80( &_v108,  &_a11);
								_v8 = 0x28;
								L00447D30( &_v92);
								_t318 =  &_v80; // 0x4675e8
								_v8 = 0x29;
								L00447D70(_t318, 0);
								_v24 =  &_v112;
								_t1336 =  &_v112;
								_v8 = 0x2b;
								__eflags = _t1336;
								if(_t1336 != 0) {
									__eflags =  &_v476;
									if( &_v476 == 0) {
										_t1433 = 0;
										__eflags = 0;
									} else {
										asm("repne scasb");
										_t1433 =  !(_t1336 | 0xffffffff) - 1;
									}
									L00447990( &_v112,  &_v476, _t1433,  &_v33, 1);
								}
								_t330 = _v112 + 4; // 0x24
								SetLastError( *(_t1714 +  *_t330 - 0x6c));
								_v8 = 0x2c;
								_t957 = L0043BA1F(L"ALL-");
								_t1725 = _t1725 + 4;
								_t958 = L0040B4AD( &_v108, L"ALL-", 0, _t957);
								__eflags = _t958 -  *0x467594; // 0xffffffff
								if(__eflags == 0) {
									L95:
									asm("sbb eax, eax");
									_v8 = 0x2e;
									 *((intOrPtr*)( *((intOrPtr*)( *( ~( &_v112) &  &_v80) + 4)) + ( ~( &_v112) &  &_v80))) = GetLastError();
									asm("sbb ecx, ecx");
									E00430164( ~( &_v112) &  &_v92);
									asm("sbb ecx, ecx");
									_v8 = 0x2d;
									_t1345 =  ~( &_v112) &  &_v108;
									_v68 =  ~( &_v112) &  &_v108;
								} else {
									__eflags = _t958;
									if(_t958 != 0) {
										goto L95;
									} else {
										_t1701 = L0043BC14(0x1d8);
										_t1729 = _t1725 + 4;
										_v24 = _t1701;
										__eflags = _t1701;
										_v8 = 0x2f;
										if(_t1701 == 0) {
											_t1701 = 0;
											__eflags = 0;
										} else {
											L00449CC0(_t1701);
											_push(1);
											_push( &_v31);
											_t340 = _t1701 + 0x158; // 0x158
											L0040B243(_t340);
											_t343 = _t1701 + 0x184; // 0x184
											_v8 = 0x30;
											E004523D0(_t343,  &_v29,  &_v30);
											_t347 = _t1701 + 0x194; // 0x194
											_v8 = 0x31;
											E00452480(_t347,  &_v32,  &_v50);
											_t351 = _t1701 + 0x1a4; // 0x1a4
											_v8 = 0x32;
											E00452530(_t351,  &_v35,  &_v34);
											_t355 = _t1701 + 0x1b4; // 0x1b4
											_v8 = 0x33;
											E004525E0(_t355,  &_v37,  &_v36);
											_t359 = _t1701 + 0x1c8; // 0x1c8
											_v8 = 0x34;
											E004527B0(_t359,  &_v53,  &_v51);
											 *((char*)(_t1701 + 0x180)) = 0;
											 *(_t1701 + 0x1c4) = 0xffffffff;
										}
										_v8 = 0x2c;
										_v248 = 0x4675f0;
										_v216 = 0x4675e8;
										L00447D40( &_v248, 0);
										_v8 = 0x35;
										L00447B80( &_v244,  &_v40);
										_v8 = 0x36;
										L00447D30( &_v228);
										_t372 =  &_v216; // 0x4675e8
										_v8 = 0x37;
										L00447D70(_t372, 0);
										_v24 =  &_v248;
										_v8 = 0x39;
										__eflags =  &_v248;
										if( &_v248 != 0) {
											_t1418 =  &_v476;
											__eflags = _t1418;
											if(_t1418 == 0) {
												_t1419 = 0;
												__eflags = 0;
											} else {
												asm("repne scasb");
												_t1419 =  !(_t1418 | 0xffffffff) - 1;
											}
											L00447990( &_v248,  &_v476, _t1419,  &_v38, 1);
										}
										_t384 = _v248 + 4; // 0x24
										SetLastError( *(_t1714 +  *_t384 - 0xf4));
										_t1573 =  *0x4675e0; // 0xffffffff
										asm("sbb eax, eax");
										_t391 = _t1701 + 0x15c; // 0x15c
										_v8 = 0x3a;
										E0040C484(_t391,  ~( &_v248) &  &_v244, 0, _t1573);
										_t394 =  &_v216; // 0x4675e8
										asm("sbb eax, eax");
										_v8 = 0x3c;
										 *((intOrPtr*)( *((intOrPtr*)( *( ~( &_v248) & _t394) + 4)) + ( ~( &_v248) & _t394))) = GetLastError();
										asm("sbb ecx, ecx");
										E00430164( ~( &_v248) &  &_v228);
										asm("sbb ecx, ecx");
										_v8 = 0x3b;
										_v204 =  ~( &_v248) &  &_v244;
										E0040213C( ~( &_v248) &  &_v244, 1);
										_t986 = _v248;
										_v8 = 0x2c;
										_t405 = _t986 + 4; // 0x24
										SetLastError( *(_t1714 +  *_t405 - 0xf4));
										_v1016 = 0;
										_v876 = 0;
										lstrcpyA( &_v1016, "TEXTCOLOR");
										GetPrivateProfileStringA( &_v476,  &_v1016, 0x47e154,  &_v876, 0x64, L00452F40( &(_a4[2])));
										_t417 = _t1701 + 0x1c4; // 0x1c4
										_t1657 = _t417;
										_t993 = GetSysColor(8);
										_push(_t1657);
										 *_t1657 = _t993;
										_t995 = E0040A5F5( &_v612);
										_t1725 = _t1729 - 0x28;
										_v8 = 0x3d;
										_v24 = _t1725;
										L0040B2B8(_t1725);
										_t1658 = _a4;
										L0044F620(_t1714, __eflags, _t995, 1,  &_v876,  &_v42, 1);
										_v8 = 0x2c;
										E004061C1( &_v612);
										_push(0);
										_push( &_v48);
										_v532 = 0x4675d8;
										_v500 = 0x4675d0;
										L0040B243( &_v532);
										_v24 =  &_v532;
										_v8 = 0x3f;
										__eflags =  &_v532;
										if( &_v532 != 0) {
											__eflags =  &_v476;
											if( &_v476 == 0) {
												_t1054 = 0;
												__eflags = 0;
											} else {
												_t1054 = L0043BA3C( &_v476,  &_v476);
												_t1725 = _t1725 + 4;
											}
											_push(1);
											_push( &_v44);
											_push(_t1054);
											_push( &_v476);
											L0040B701( &_v532);
										}
										_t440 = _v532 + 4; // 0x24
										SetLastError( *(_t1714 +  *_t440 - 0x210));
										_t1003 = _v524;
										_v8 = 0x40;
										__eflags = _t1003;
										if(_t1003 == 0) {
											_t1003 = 0x4675e4;
										}
										_t447 = _t1701 + 0x184; // 0x184
										E0044B840(_t1658, _t1003);
										_v8 = 0x2c;
										E004061C1( &_v532);
										_push(0);
										_push( &_v52);
										_v572 = 0x4675d8;
										_v540 = 0x4675d0;
										L0040B243( &_v572);
										_v24 =  &_v572;
										_v8 = 0x42;
										__eflags =  &_v572;
										if( &_v572 != 0) {
											__eflags =  &_v476;
											if( &_v476 == 0) {
												_t1051 = 0;
												__eflags = 0;
											} else {
												_t1051 = L0043BA3C( &_v572,  &_v476);
												_t1725 = _t1725 + 4;
											}
											_push(1);
											_push( &_v46);
											_push(_t1051);
											_push( &_v476);
											L0040B701( &_v572);
										}
										_t464 = _v572 + 4; // 0x24
										SetLastError( *(_t1714 +  *_t464 - 0x238));
										_t1010 = _v564;
										_v8 = 0x43;
										__eflags = _t1010;
										if(_t1010 == 0) {
											_t1010 = 0x4675e4;
										}
										_t471 = _t1701 + 0x194; // 0x194
										_push(_t1010);
										E0044BDE0(_t1658);
										_v8 = 0x2c;
										E004061C1( &_v572);
										_push(0);
										_push( &_v39);
										_v152 = 0x4675d8;
										_v120 = 0x4675d0;
										L0040B243( &_v152);
										_v24 =  &_v152;
										_v8 = 0x45;
										__eflags =  &_v152;
										if( &_v152 != 0) {
											__eflags =  &_v476;
											if( &_v476 == 0) {
												_t1048 = 0;
												__eflags = 0;
											} else {
												_t1048 = L0043BA3C( &_v152,  &_v476);
												_t1725 = _t1725 + 4;
											}
											_push(1);
											_push( &_v41);
											_push(_t1048);
											_push( &_v476);
											L0040B701( &_v152);
										}
										_t488 = _v152 + 4; // 0x24
										SetLastError( *(_t1714 +  *_t488 - 0x94));
										_t1017 = _v144;
										_v8 = 0x46;
										__eflags = _t1017;
										if(_t1017 == 0) {
											_t1017 = 0x4675e4;
										}
										_t496 = _t1701 + 0x1b4; // 0x1b4
										_t1659 = _t496;
										_push(_t496);
										_push(_t1017);
										E0044C900(_a4);
										_v8 = 0x2c;
										E004061C1( &_v152);
										_push(0);
										_push( &_v43);
										_v376 = 0x4675d8;
										_v344 = 0x4675d0;
										L0040B243( &_v376);
										_v24 =  &_v376;
										_v8 = 0x48;
										__eflags =  &_v376;
										if( &_v376 != 0) {
											__eflags =  &_v476;
											if( &_v476 == 0) {
												_t1045 = 0;
												__eflags = 0;
											} else {
												_t1045 = L0043BA3C( &_v476,  &_v476);
												_t1725 = _t1725 + 4;
											}
											_push(1);
											_push( &_v45);
											_push(_t1045);
											_push( &_v476);
											L0040B701( &_v376);
										}
										_t513 = _v376 + 4; // 0x24
										SetLastError( *(_t1714 +  *_t513 - 0x174));
										_t1024 = _v368;
										_v8 = 0x49;
										__eflags = _t1024;
										if(_t1024 == 0) {
											_t1024 = 0x4675e4;
										}
										E0044D870(_a4, _t1024, _t1659);
										_v8 = 0x2c;
										E004061C1( &_v376);
										_push(0);
										_push( &_v47);
										 *((intOrPtr*)(_t1701 + 0x14c)) = _a4;
										_v296 = 0x4675d8;
										_v264 = 0x4675d0;
										L0040B243( &_v296);
										_v24 =  &_v296;
										_v8 = 0x4b;
										__eflags =  &_v296;
										if( &_v296 != 0) {
											__eflags =  &_v476;
											if( &_v476 == 0) {
												_t1042 = 0;
												__eflags = 0;
											} else {
												_t1042 = L0043BA3C( &_v476,  &_v476);
												_t1725 = _t1725 + 4;
											}
											_push(1);
											_push( &_v49);
											_push(_t1042);
											_push( &_v476);
											L0040B701( &_v296);
										}
										_t539 = _v296 + 4; // 0x24
										SetLastError( *(_t1714 +  *_t539 - 0x124));
										_push( &_v60);
										_v8 = 0x4c;
										_v60 = 0;
										_push(L00453DD0( &_v724,  &_v296));
										_push( &_v256);
										_v8 = 0x4d;
										_t1033 = L00453B70();
										_v8 = 0x4c;
										E004061C1( &_v724);
										 *( *_t1033 + 0x34) = _t1701;
										_v8 = 0x2c;
										E004061C1( &_v296);
										_t558 =  &_v80; // 0x4675e8
										asm("sbb eax, eax");
										_v8 = 0x4f;
										 *((intOrPtr*)( *((intOrPtr*)( *( ~( &_v112) & _t558) + 4)) + ( ~( &_v112) & _t558))) = GetLastError();
										asm("sbb ecx, ecx");
										E00430164( ~( &_v112) &  &_v92);
										asm("sbb ecx, ecx");
										_v8 = 0x4e;
										_t1345 =  ~( &_v112) &  &_v108;
										__eflags = _t1345;
										_v64 = _t1345;
									}
								}
								E0040213C(_t1345, 1);
								_v8 = 2;
								SetLastError( *(_t1714 +  *((intOrPtr*)(_v112 + 4)) - 0x6c));
								_t1693 = _v28;
							}
							_t1189 =  &_v4968;
							while(1) {
								__eflags =  *_t1189;
								if( *_t1189 == 0) {
									break;
								}
								lstrcpyA( &_v476, _t1189);
								_t1189 =  &(_t1189[lstrlenA(_t1189) + 1]);
								_v112 = 0x4675f0;
								_v80 = 0x4675e8;
								L00447D40( &_v112, 0);
								_v8 = 0x50;
								L00447B80( &_v108,  &_a11);
								_v8 = 0x51;
								L00447D30( &_v92);
								_t595 =  &_v80; // 0x4675e8
								_v8 = 0x52;
								L00447D70(_t595, 0);
								_v24 =  &_v112;
								_v8 = 0x54;
								__eflags =  &_v112;
								if( &_v112 != 0) {
									_t1326 =  &_v476;
									__eflags = _t1326;
									if(_t1326 == 0) {
										_t1327 = 0;
										__eflags = 0;
									} else {
										asm("repne scasb");
										_t1327 =  !(_t1326 | 0xffffffff) - 1;
									}
									L00447990( &_v112,  &_v476, _t1327,  &_v49, 1);
								}
								_t607 = _v112 + 4; // 0x24
								SetLastError( *(_t1714 +  *_t607 - 0x6c));
								_v8 = 0x55;
								_t867 = L0043BA1F(L"ALL");
								_t1725 = _t1725 + 4;
								_t868 = L0040B4AD( &_v108, L"ALL", 0, _t867);
								__eflags = _t868 -  *0x467594; // 0xffffffff
								if(__eflags == 0) {
									L105:
									_t869 = lstrcmpA("SKINS",  &_v476);
									__eflags = _t869;
									if(_t869 != 0) {
										_t1696 = L0043BC14(0x1d8);
										_t1728 = _t1725 + 4;
										_v24 = _t1696;
										__eflags = _t1696;
										_v8 = 0x58;
										if(_t1696 == 0) {
											_t1696 = 0;
											__eflags = 0;
										} else {
											L00449CC0(_t1696);
											_push(1);
											_push( &_v47);
											_t633 = _t1696 + 0x158; // 0x158
											L0040B243(_t633);
											_t636 = _t1696 + 0x184; // 0x184
											_v8 = 0x59;
											E004523D0(_t636,  &_v43,  &_v45);
											_t640 = _t1696 + 0x194; // 0x194
											_v8 = 0x5a;
											E00452480(_t640,  &_v39,  &_v41);
											_t644 = _t1696 + 0x1a4; // 0x1a4
											_v8 = 0x5b;
											E00452530(_t644,  &_v52,  &_v46);
											_t648 = _t1696 + 0x1b4; // 0x1b4
											_v8 = 0x5c;
											E004525E0(_t648,  &_v48,  &_v44);
											_t652 = _t1696 + 0x1c8; // 0x1c8
											_v8 = 0x5d;
											E004527B0(_t652,  &_v38,  &_v42);
											 *((char*)(_t1696 + 0x180)) = 0;
											 *(_t1696 + 0x1c4) = 0xffffffff;
										}
										_v8 = 0x55;
										_v156 = 0x4675f0;
										_v124 = 0x4675e8;
										L00447D40( &_v156, 0);
										_v8 = 0x5e;
										L00447B80( &_v152,  &_v40);
										_v8 = 0x5f;
										L00447D30( &_v136);
										_t665 =  &_v124; // 0x4675e8
										_v8 = 0x60;
										L00447D70(_t665, 0);
										_t1264 =  &_v156;
										_v24 = _t1264;
										_v8 = 0x62;
										__eflags =  &_v156;
										if( &_v156 != 0) {
											__eflags =  &_v476;
											if( &_v476 == 0) {
												_t1303 = 0;
												__eflags = 0;
											} else {
												asm("repne scasb");
												_t1303 =  !(_t1264 | 0xffffffff) - 1;
											}
											L00447990( &_v156,  &_v476, _t1303,  &_v53, 1);
										}
										_t677 = _v156 + 4; // 0x24
										SetLastError( *(_t1714 +  *_t677 - 0x98));
										_t1546 =  *0x4675e0; // 0xffffffff
										asm("sbb eax, eax");
										_t684 = _t1696 + 0x15c; // 0x15c
										_v8 = 0x63;
										E0040C484(_t684,  ~( &_v156) &  &_v152, 0, _t1546);
										_t687 =  &_v124; // 0x4675e8
										asm("sbb eax, eax");
										_v8 = 0x65;
										 *((intOrPtr*)( *((intOrPtr*)( *( ~( &_v156) & _t687) + 4)) + ( ~( &_v156) & _t687))) = GetLastError();
										asm("sbb ecx, ecx");
										E00430164( ~( &_v156) &  &_v136);
										asm("sbb ecx, ecx");
										_v8 = 0x64;
										_v60 =  ~( &_v156) &  &_v152;
										E0040213C( ~( &_v156) &  &_v152, 1);
										_t889 = _v156;
										_v8 = 0x55;
										_t698 = _t889 + 4; // 0x24
										SetLastError( *(_t1714 +  *_t698 - 0x98));
										_v1016 = 0;
										_v876 = 0;
										lstrcpyA( &_v1016, "TEXTCOLOR");
										_t1651 = _a4;
										_t707 = _t1651 + 8; // 0x9
										GetPrivateProfileStringA( &_v476,  &_v1016, 0x47e154,  &_v876, 0x64, L00452F40(_t707));
										_t711 = _t1696 + 0x1c4; // 0x1c4
										_t897 = E0040A5F5( &_v612);
										_t1725 = _t1728 - 0x28;
										_v8 = 0x66;
										_v24 = _t1725;
										L0040B2B8(_t1725);
										L0044F620(_t1714, __eflags, _t897, 1,  &_v876,  &_v51, 1);
										_v8 = 0x55;
										E004061C1( &_v612);
										_push(1);
										_push( &_v33);
										_push( &_v476);
										_t902 =  *(E0040A5F5( &_v244) + 8);
										_v8 = 0x67;
										__eflags = _t902;
										if(_t902 == 0) {
											_t902 = 0x4675e4;
										}
										_t724 = _t1696 + 0x184; // 0x184
										E0044B840(_t1651, _t902);
										_v8 = 0x55;
										E004061C1( &_v244);
										_push(1);
										_push( &_v31);
										_push( &_v476);
										_t907 =  *(E0040A5F5( &_v916) + 8);
										_v8 = 0x68;
										__eflags = _t907;
										if(_t907 == 0) {
											_t907 = 0x4675e4;
										}
										_t732 = _t1696 + 0x194; // 0x194
										_push(_t907);
										E0044BDE0(_t1651);
										_v8 = 0x55;
										E004061C1( &_v916);
										_push(1);
										_push( &_v30);
										_push( &_v476);
										_t912 =  *(E0040A5F5( &_v296) + 8);
										_v8 = 0x69;
										__eflags = _t912;
										if(_t912 == 0) {
											_t912 = 0x4675e4;
										}
										_t740 = _t1696 + 0x1b4; // 0x1b4
										E0044D870(_t1651, _t912, _t740);
										_v8 = 0x55;
										E004061C1( &_v296);
										_push(1);
										_push( &_v29);
										_push( &_v476);
										 *((intOrPtr*)(_t1696 + 0x14c)) = _t1651;
										_t916 = E0040A5F5( &_v376);
										_v8 = 0x6a;
										_push( &_v28);
										_v28 = 0;
										_push(L00453DD0( &_v724, _t916));
										_push( &_v256);
										_v8 = 0x6b;
										_t918 = L00453B70();
										_v8 = 0x6a;
										E004061C1( &_v724);
										 *( *_t918 + 0x34) = _t1696;
										_v8 = 0x55;
										E004061C1( &_v376);
										_v8 = 2;
										E004061C1( &_v112);
										continue;
									} else {
										goto L106;
									}
								} else {
									__eflags = _t868;
									if(_t868 == 0) {
										L106:
										_t616 =  &_v80; // 0x4675e8
										asm("sbb eax, eax");
										_v8 = 0x57;
										_t939 = GetLastError();
										asm("sbb ecx, ecx");
										 *( *((intOrPtr*)( *( ~( &_v112) & _t616) + 4)) + ( ~( &_v112) & _t616)) = _t939;
										E00430164( ~( &_v112) &  &_v92);
										asm("sbb ecx, ecx");
										_v8 = 0x56;
										_v204 =  ~( &_v112) &  &_v108;
										E0040213C( ~( &_v112) &  &_v108, 1);
										_t1325 = _v112;
										_v8 = 2;
										_t627 = _t1325 + 4; // 0x24
										SetLastError( *(_t1714 +  *_t627 - 0x6c));
										continue;
									} else {
										goto L105;
									}
								}
								goto L128;
							}
							_t1694 = _a4;
							_t762 = _t1694 + 0x30; // 0x31
							L00458C10(_t762);
							_a4 = _t1725 + 0xffffffdc;
							L0042D1BA(_t1725 + 0xffffffdc,  &_v336, 1); // executed
							E004386C5(_t1725 + 0xffffffdc); // executed
							_t849 =  *(_t1694 + 0x68);
							__eflags = _t849;
							_v8 = 1;
							if(_t849 != 0) {
								_t853 = GetProcAddress(_t849, "GetThemeAppProperties");
								__eflags = _t853;
								if(_t853 != 0) {
									_t856 =  *_t853() >> 0x00000001 & 0x00000001;
									__eflags = _t856;
									 *(_t1694 + 0x64) = _t856;
								}
							}
							 *0x47e910 = 1;
							_v8 = 0;
							L0040125C( &_v764);
							_v8 = 0xffffffff;
							L0040125C( &_v336);
							 *[fs:0x0] = _v16;
							return 1;
						}
					} else {
						 *[fs:0x0] = _v16;
						return 1;
					}
				}
				L128:
			}

0x00448263
0x00448265
0x00448270
0x00448271
0x0044827e
0x00448285
0x0044828d
0x00448290
0x00449c9e
0x00449ca3
0x00449ca5
0x00449cb0
0x00448296
0x00448296
0x0044829d
0x004482c2
0x004482c3
0x004482ca
0x004482d0
0x004482da
0x004482df
0x004482e5
0x004482e6
0x004482e7
0x004482ee
0x004482f1
0x004482f7
0x00448301
0x00448313
0x0044831a
0x0044831c
0x0044831e
0x0044832b
0x0044832f
0x00448342
0x00448349
0x00448356
0x00448358
0x0044836b
0x00448379
0x00448383
0x0044838d
0x004483a4
0x004483a9
0x004483ac
0x004483ae
0x00449c83
0x00449c87
0x00449c92
0x00449c99
0x00000000
0x004483b4
0x004483bf
0x004483c6
0x004483cd
0x004483cd
0x004483cf
0x004483d1
0x004483d2
0x004483d2
0x004483d4
0x004483d4
0x004483d7
0x004483da
0x00000000
0x00000000
0x004483e8
0x004483f7
0x004483f8
0x00448405
0x0044840e
0x00448412
0x00448415
0x0044841c
0x00448425
0x00448429
0x0044842b
0x00448438
0x0044843a
0x0044843a
0x0044844d
0x00448450
0x00448453
0x00448459
0x0044845b
0x00448810
0x00448817
0x00448819
0x0044881c
0x0044881f
0x00448821
0x00448825
0x00448850
0x00448850
0x00448827
0x0044882b
0x0044882e
0x00448833
0x00448836
0x0044883d
0x00448840
0x00448845
0x0044884c
0x0044884c
0x0044884c
0x0044885a
0x0044885e
0x00448868
0x00448872
0x00448881
0x00448885
0x00448890
0x00448894
0x004488a1
0x004488a5
0x004488aa
0x004488b0
0x004488b9
0x004488bd
0x004488bf
0x004488c7
0x004488c9
0x004488dd
0x004488dd
0x004488cb
0x004488d6
0x004488da
0x004488da
0x004488e2
0x004488e4
0x004488eb
0x004488ec
0x004488f3
0x004488f3
0x004488fe
0x00448910
0x0044891f
0x00448927
0x0044892b
0x0044893a
0x00448944
0x00448945
0x00448949
0x00448956
0x0044895a
0x0044895f
0x00448970
0x00448972
0x0044897f
0x00448993
0x00448995
0x00448999
0x004489ac
0x004489b0
0x004489b0
0x004489b2
0x004489b6
0x004489b9
0x004489be
0x004489c4
0x004489c8
0x004489d3
0x004489d9
0x00448461
0x00448464
0x00448475
0x00448476
0x0044847d
0x00448483
0x00448486
0x0044848e
0x00448490
0x00448491
0x0044849c
0x004484a0
0x004484a6
0x004484ac
0x004484bd
0x004484c4
0x004484c5
0x004484c6
0x004484ca
0x004484de
0x004484df
0x004484e0
0x004484e1
0x004484e5
0x004484ea
0x004484ed
0x004484f0
0x004484fa
0x004484fc
0x00448503
0x00448503
0x0044850a
0x00000000
0x00000000
0x0044851a
0x00448529
0x0044852d
0x0044853e
0x00448542
0x00448547
0x00448548
0x0044854f
0x00448553
0x00448554
0x00448559
0x0044855c
0x0044855e
0x00448562
0x00448569
0x00448569
0x00448564
0x00448564
0x00448564
0x0044856b
0x0044857b
0x00448586
0x0044858a
0x00448595
0x00448599
0x004485a1
0x004485a5
0x004485b0
0x004485b4
0x004485c5
0x004485dc
0x004485e0
0x004485e7
0x004485eb
0x00448605
0x0044860b
0x00448614
0x00448618
0x0044861d
0x0044862b
0x0044863f
0x00448644
0x0044864a
0x0044864c
0x0044864e
0x0044864e
0x00448654
0x0044865a
0x0044865d
0x004487e0
0x004487e1
0x004487e5
0x004487ea
0x00000000
0x00448663
0x00448669
0x0044866d
0x00448678
0x0044867c
0x00448687
0x0044868b
0x00448696
0x0044869a
0x004486a5
0x004486a9
0x004486ba
0x004486c4
0x004486ce
0x004486d5
0x004486d9
0x004486de
0x004486e1
0x004486e3
0x004486ed
0x004486ed
0x004486e5
0x004486e5
0x004486e5
0x004486f6
0x004486fc
0x00448702
0x00448708
0x0044870f
0x00448715
0x00448716
0x00448717
0x00448719
0x0044871e
0x00448726
0x0044872b
0x00448732
0x00448736
0x0044873b
0x0044873e
0x00448741
0x00448743
0x00448743
0x0044875c
0x00448762
0x00448764
0x0044876c
0x0044876e
0x00448775
0x00448786
0x00448786
0x0044878b
0x00448799
0x004487a9
0x004487ac
0x004487b1
0x004487bd
0x004487c1
0x004487cc
0x004487d0
0x004487d0
0x00000000
0x0044865d
0x004487f2
0x004487fa
0x0044880b
0x00000000
0x0044880b
0x004489dc
0x004489e0
0x004489e5
0x004489ee
0x004489ee
0x004489f9
0x00448a0e
0x00448a19
0x00448a21
0x00448a23
0x00448a26
0x00448a29
0x00448a2b
0x00448a2f
0x00448ad5
0x00448ad5
0x00448a35
0x00448a37
0x00448a3f
0x00448a41
0x00448a42
0x00448a48
0x00448a55
0x00448a5b
0x00448a5f
0x00448a6c
0x00448a72
0x00448a76
0x00448a83
0x00448a89
0x00448a8d
0x00448a9a
0x00448aa0
0x00448aa4
0x00448ab1
0x00448ab7
0x00448abb
0x00448ac0
0x00448ac7
0x00448ad1
0x00448ad1
0x00448ad7
0x00448adc
0x00448ae0
0x00448ae2
0x00448ae4
0x00448ae6
0x00448ae6
0x00448aec
0x00448af4
0x00448afc
0x00448b0e
0x00448b15
0x00448b17
0x00448b25
0x00448b26
0x00448b2f
0x00448b52
0x00448b5a
0x00448b5a
0x00448b60
0x00448b66
0x00448b67
0x00448b69
0x00448b71
0x00448b7e
0x00448b83
0x00448b88
0x00448b8d
0x00448b9b
0x00448ba0
0x00448ba7
0x00448bae
0x00448bb3
0x00448bbb
0x00448bbc
0x00448bc1
0x00448bce
0x00448bdb
0x00448be1
0x00448beb
0x00448bf5
0x00448bfa
0x00448bff
0x00448c03
0x00448c05
0x00448c07
0x00448c09
0x00448c09
0x00448c19
0x00448c24
0x00448c28
0x00448c2f
0x00448c35
0x00448c39
0x00448c47
0x00448c4f
0x00448c53
0x00448c65
0x00448c66
0x00448c6a
0x00448c6e
0x00448c7b
0x00448c7f
0x00448c84
0x00448c8d
0x00448c95
0x00448c97
0x00448ca4
0x00448cb8
0x00448cba
0x00448cbe
0x00448cd1
0x00448cd7
0x00448cdb
0x00448ce0
0x00448cec
0x00448cf0
0x00448d02
0x00448d11
0x00448d18
0x00448d1a
0x00448d1c
0x00448d1d
0x00448d31
0x00448d31
0x00448d36
0x00448d38
0x00448d3b
0x00448d4e
0x00448d54
0x00448d5a
0x00448d5a
0x00448d5d
0x00000000
0x00000000
0x00448d6b
0x00448d78
0x00448d7e
0x00448d84
0x00448d8b
0x00448d92
0x00448d9e
0x00448da2
0x00448daa
0x00448dae
0x00448db5
0x00448db8
0x00448dbc
0x00448dc4
0x00448dc7
0x00448dca
0x00448dce
0x00448dd0
0x00448dd8
0x00448dda
0x00448dee
0x00448dee
0x00448ddc
0x00448de7
0x00448deb
0x00448deb
0x00448e01
0x00448e01
0x00448e09
0x00448e15
0x00448e1c
0x00448e20
0x00448e25
0x00448e33
0x00448e38
0x00448e3e
0x00449553
0x0044955b
0x0044955d
0x00449573
0x00449577
0x0044957e
0x0044958b
0x0044958d
0x00449591
0x00449593
0x00448e44
0x00448e44
0x00448e46
0x00000000
0x00448e4c
0x00448e56
0x00448e58
0x00448e5b
0x00448e5e
0x00448e60
0x00448e64
0x00448f08
0x00448f08
0x00448e6a
0x00448e6c
0x00448e74
0x00448e76
0x00448e77
0x00448e7d
0x00448e8a
0x00448e90
0x00448e94
0x00448ea1
0x00448ea7
0x00448eab
0x00448eb8
0x00448ebe
0x00448ec2
0x00448ecf
0x00448ed5
0x00448ed9
0x00448ee6
0x00448eec
0x00448ef0
0x00448ef5
0x00448efc
0x00448efc
0x00448f12
0x00448f16
0x00448f20
0x00448f2a
0x00448f32
0x00448f3d
0x00448f48
0x00448f4c
0x00448f53
0x00448f59
0x00448f5d
0x00448f68
0x00448f71
0x00448f75
0x00448f77
0x00448f79
0x00448f7f
0x00448f81
0x00448f95
0x00448f95
0x00448f83
0x00448f8e
0x00448f92
0x00448f92
0x00448fab
0x00448fab
0x00448fb6
0x00448fc8
0x00448fca
0x00448fd8
0x00448fe6
0x00448fec
0x00448ff0
0x00448ffb
0x00449003
0x00449005
0x0044901e
0x00449022
0x0044902c
0x0044903f
0x00449045
0x00449049
0x0044904f
0x00449054
0x0044905a
0x0044905e
0x00449070
0x0044907e
0x00449085
0x0044908c
0x004490ba
0x004490c2
0x004490c2
0x004490c8
0x004490ce
0x004490d4
0x004490e4
0x004490e9
0x004490ec
0x004490f2
0x004490f8
0x004490fd
0x00449102
0x0044910d
0x00449111
0x00449119
0x0044911b
0x00449122
0x0044912c
0x00449136
0x00449141
0x0044914a
0x0044914e
0x00449150
0x00449158
0x0044915a
0x0044916d
0x0044916d
0x0044915c
0x00449163
0x00449168
0x00449168
0x00449172
0x00449174
0x0044917b
0x0044917c
0x00449183
0x00449183
0x0044918e
0x004491a0
0x004491a2
0x004491a8
0x004491ac
0x004491ae
0x004491b0
0x004491b0
0x004491b5
0x004491bf
0x004491ca
0x004491ce
0x004491d6
0x004491d8
0x004491df
0x004491e9
0x004491f3
0x004491fe
0x00449207
0x0044920b
0x0044920d
0x00449215
0x00449217
0x0044922a
0x0044922a
0x00449219
0x00449220
0x00449225
0x00449225
0x0044922f
0x00449231
0x00449238
0x00449239
0x00449240
0x00449240
0x0044924b
0x0044925d
0x0044925f
0x00449265
0x00449269
0x0044926b
0x0044926d
0x0044926d
0x00449272
0x00449279
0x0044927c
0x00449287
0x0044928b
0x00449293
0x00449295
0x0044929c
0x004492a6
0x004492ad
0x004492b8
0x004492c1
0x004492c5
0x004492c7
0x004492cf
0x004492d1
0x004492e4
0x004492e4
0x004492d3
0x004492da
0x004492df
0x004492df
0x004492e9
0x004492eb
0x004492f2
0x004492f3
0x004492fa
0x004492fa
0x00449305
0x00449317
0x00449319
0x0044931f
0x00449323
0x00449325
0x00449327
0x00449327
0x0044932f
0x0044932f
0x00449335
0x00449336
0x00449337
0x00449342
0x00449346
0x0044934e
0x00449350
0x00449357
0x00449361
0x0044936b
0x00449376
0x0044937f
0x00449383
0x00449385
0x0044938d
0x0044938f
0x004493a2
0x004493a2
0x00449391
0x00449398
0x0044939d
0x0044939d
0x004493a7
0x004493a9
0x004493aa
0x004493b7
0x004493b8
0x004493b8
0x004493c3
0x004493d5
0x004493d7
0x004493dd
0x004493e1
0x004493e3
0x004493e5
0x004493e5
0x004493ef
0x004493fa
0x004493fe
0x00449409
0x0044940b
0x00449412
0x00449418
0x00449422
0x0044942c
0x00449437
0x00449440
0x00449444
0x00449446
0x0044944e
0x00449450
0x00449463
0x00449463
0x00449452
0x00449459
0x0044945e
0x0044945e
0x00449468
0x0044946a
0x00449471
0x00449472
0x00449479
0x00449479
0x00449484
0x00449496
0x004494a1
0x004494a9
0x004494ad
0x004494bf
0x004494c0
0x004494c4
0x004494c8
0x004494d5
0x004494d9
0x004494e4
0x004494e7
0x004494eb
0x004494f3
0x004494f8
0x004494fa
0x00449510
0x00449514
0x0044951b
0x00449528
0x0044952a
0x0044952e
0x0044952e
0x00449530
0x00449530
0x00448e46
0x00449535
0x0044953d
0x00449549
0x0044954b
0x0044954b
0x00449598
0x0044959e
0x0044959e
0x004495a1
0x00000000
0x00000000
0x004495af
0x004495c1
0x004495c5
0x004495cc
0x004495d3
0x004495db
0x004495e3
0x004495eb
0x004495ef
0x004495f6
0x004495f9
0x004495fd
0x00449605
0x0044960b
0x0044960f
0x00449611
0x00449613
0x00449619
0x0044961b
0x0044962f
0x0044962f
0x0044961d
0x00449628
0x0044962c
0x0044962c
0x00449642
0x00449642
0x0044964a
0x00449656
0x00449661
0x00449665
0x0044966a
0x00449678
0x0044967d
0x00449683
0x00449689
0x00449695
0x0044969b
0x0044969d
0x00449710
0x00449712
0x00449715
0x00449718
0x0044971a
0x0044971e
0x004497c2
0x004497c2
0x00449724
0x00449726
0x0044972e
0x00449730
0x00449731
0x00449737
0x00449744
0x0044974a
0x0044974e
0x0044975b
0x00449761
0x00449765
0x00449772
0x00449778
0x0044977c
0x00449789
0x0044978f
0x00449793
0x004497a0
0x004497a6
0x004497aa
0x004497af
0x004497b6
0x004497b6
0x004497cc
0x004497d0
0x004497da
0x004497e1
0x004497f0
0x004497f4
0x004497ff
0x00449803
0x0044980a
0x0044980d
0x00449811
0x00449816
0x0044981c
0x00449825
0x00449829
0x0044982b
0x00449833
0x00449835
0x00449849
0x00449849
0x00449837
0x00449842
0x00449846
0x00449846
0x0044985f
0x0044985f
0x0044986a
0x0044987c
0x00449882
0x00449890
0x0044989e
0x004498a4
0x004498a8
0x004498b3
0x004498b8
0x004498ba
0x004498d3
0x004498d7
0x004498e1
0x004498f4
0x004498fa
0x004498fe
0x00449901
0x00449906
0x0044990c
0x00449910
0x00449922
0x00449934
0x0044993b
0x00449942
0x00449948
0x0044994b
0x00449970
0x00449976
0x00449990
0x00449995
0x00449998
0x0044999e
0x004499a4
0x004499ab
0x004499b6
0x004499ba
0x004499c2
0x004499ca
0x004499cb
0x004499d7
0x004499da
0x004499de
0x004499e0
0x004499e2
0x004499e2
0x004499e7
0x004499f1
0x004499fc
0x00449a00
0x00449a08
0x00449a10
0x00449a11
0x00449a1d
0x00449a20
0x00449a24
0x00449a26
0x00449a28
0x00449a28
0x00449a2d
0x00449a34
0x00449a37
0x00449a42
0x00449a46
0x00449a4e
0x00449a56
0x00449a57
0x00449a63
0x00449a66
0x00449a6a
0x00449a6c
0x00449a6e
0x00449a6e
0x00449a73
0x00449a7d
0x00449a88
0x00449a8c
0x00449a94
0x00449a9c
0x00449a9d
0x00449aa4
0x00449aaa
0x00449ab2
0x00449ab6
0x00449abe
0x00449ad0
0x00449ad1
0x00449ad5
0x00449ad9
0x00449ae6
0x00449aea
0x00449af5
0x00449af8
0x00449afc
0x00449b04
0x00449b08
0x00000000
0x00000000
0x00000000
0x00000000
0x00449685
0x00449685
0x00449687
0x0044969f
0x004496a2
0x004496a7
0x004496a9
0x004496b6
0x004496c4
0x004496c6
0x004496ca
0x004496d7
0x004496dd
0x004496e1
0x004496e7
0x004496ec
0x004496ef
0x004496f3
0x004496fb
0x00000000
0x00000000
0x00000000
0x00000000
0x00449687
0x00000000
0x00449683
0x00449b12
0x00449b15
0x00449b19
0x00449b29
0x00449b2f
0x00449b34
0x00449b39
0x00449b3f
0x00449b41
0x00449b48
0x00449b50
0x00449b56
0x00449b58
0x00449b5e
0x00449b5e
0x00449b60
0x00449b60
0x00449b58
0x00449b69
0x00449b70
0x00449b74
0x00449b7f
0x00449b86
0x00449b93
0x00449ba0
0x00449ba0
0x004482a4
0x004482ac
0x004482b9
0x004482b9
0x0044829d
0x00000000

APIs

lstrcpyA.KERNEL32(00000000,NO DOUBT), ref: 0044832F
lstrcpyW.KERNEL32 ref: 00448358
lstrlenA.KERNEL32(00000000,00000000,?), ref: 00448393
lstrcpyA.KERNEL32(00000000,00000000), ref: 004483E8
lstrlenA.KERNEL32(00000000), ref: 004483F5
lstrlenA.KERNEL32(00000000,?,00467570,00467570,00000000,00000001), ref: 00448409
lstrcmpiA.KERNEL32(?,skin.ini,?,?,00467570,00467570,00000000,00000001), ref: 00448453
GetTickCount.KERNEL32 ref: 004484F4

Strings

uF, xrefs: 0044980A
PG, xrefs: 00448AE6
%hx.rra, xrefs: 004485FF
uF, xrefs: 00449A28
uF, xrefs: 00449327
_:A, xrefs: 004486F1
uF, xrefs: 004493E5
VERSION, xrefs: 00448A04
uF, xrefs: 00448DB5
NO DOUBT, xrefs: 00448325
PG, xrefs: 00448C09
uF, xrefs: 00448C2F
uF, xrefs: 00448F53
skin.ini, xrefs: 0044843F
uF, xrefs: 004491B0
puF, xrefs: 004482DF, 004482E7
ALL-, xrefs: 00448E17, 00448E2E
ALL, xrefs: 00448AD7, 00448AEB, 00448AFB, 00448B96, 00448BA7, 00448BBC, 00448BC7, 00448BFA, 00448C12, 0044965C, 00449673
uF, xrefs: 004499E2
U, xrefs: 00449AF8
SKINS, xrefs: 00448A09, 00449690
ALL, xrefs: 00448B4D
#aA, xrefs: 00448A4D
uF, xrefs: 00449A6E
TEXTCOLOR, xrefs: 00448B1F, 00449078, 0044992E
GetThemeAppProperties, xrefs: 00449B4A
puF, xrefs: 0044864E
uF, xrefs: 0044926D

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: lstrcpylstrlen$CountTicklstrcmpi
String ID: #aA$%hx.rra$ALL$ALL$ALL-$GetThemeAppProperties$NO DOUBT$PG$PG$SKINS$TEXTCOLOR$U$VERSION$_:A$puF$puF$skin.ini$uF$uF$uF$uF$uF$uF$uF$uF$uF$uF$uF
API String ID: 2150322807-3485418242
Opcode ID: e57fdd27d371fa3ed57b6cfb3151fbf8ba886b721e6ced6cfb5c54cb429ac8be
Instruction ID: c6ccdda356a978c162c066a671a73b98a54168ec2766c848471f4f05d0a47117
Opcode Fuzzy Hash: e57fdd27d371fa3ed57b6cfb3151fbf8ba886b721e6ced6cfb5c54cb429ac8be
Instruction Fuzzy Hash: 91F2C371900249EFEB14DBA4CD95BEEB7B8AF54308F0041DEE50A67281EB786B48CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0044A0C0 Relevance: 76.0, APIs: 37, Strings: 6, Instructions: 786
stringwindowCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 87%

			E0044A0C0(void* __eflags, char _a4, intOrPtr _a8) {
				char _v0;
				char _v4;
				WCHAR* _v8;
				char _v12;
				char _v16;
				struct HWND__** _v32;
				intOrPtr _v44;
				struct tagRECT _v68;
				struct HWND__** _v72;
				int _v76;
				int _v80;
				int _v84;
				struct tagRECT _v100;
				void* _v104;
				void* _v108;
				struct tagRECT _v124;
				char _v136;
				char _v145;
				void* _v148;
				char _v149;
				void* _v152;
				void* _v156;
				char _v160;
				intOrPtr _v164;
				void* _v168;
				char _v169;
				intOrPtr _v173;
				void* _v176;
				char _v179;
				signed int _v180;
				intOrPtr _v183;
				char _v184;
				void* _v188;
				intOrPtr _v192;
				void* _v204;
				void* _v216;
				char _v228;
				struct HDC__* _v232;
				void* _v236;
				void* _v240;
				void* _v244;
				intOrPtr _v248;
				struct HDC__* _v260;
				intOrPtr _v264;
				void* __ebp;
				void* _t334;
				void* _t337;
				void* _t342;
				void* _t345;
				void* _t348;
				void* _t350;
				void* _t352;
				void* _t355;
				void* _t358;
				signed int _t374;
				char _t376;
				signed int _t377;
				signed int _t379;
				signed int _t381;
				signed int _t386;
				signed int _t389;
				intOrPtr* _t393;
				signed int _t397;
				signed int _t400;
				signed int _t416;
				signed int _t419;
				intOrPtr _t424;
				intOrPtr _t425;
				int _t426;
				intOrPtr _t428;
				int _t429;
				signed int _t435;
				signed int _t438;
				long _t444;
				signed int _t449;
				intOrPtr _t479;
				struct HWND__** _t481;
				struct HWND__** _t483;
				signed int _t489;
				int _t501;
				char _t504;
				intOrPtr _t508;
				signed int _t510;
				void* _t513;
				signed int _t520;
				void* _t523;
				void* _t530;
				void* _t536;
				void* _t540;
				void* _t551;
				void* _t555;
				signed char _t563;
				signed char _t567;
				void* _t575;
				void* _t579;
				signed int _t595;
				void* _t607;
				RECT* _t611;
				intOrPtr _t666;
				struct HDC__* _t674;
				intOrPtr* _t675;
				signed int _t677;
				signed int _t678;
				signed int _t679;
				signed int _t680;
				signed int _t681;
				signed int _t682;
				signed int _t684;
				signed int _t685;
				intOrPtr _t689;
				intOrPtr* _t690;
				void* _t691;
				signed int _t696;
				signed int _t699;
				intOrPtr _t712;
				void* _t713;
				intOrPtr* _t714;

				_push(0xffffffff);
				_push(0x465bcb);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t712;
				_t713 = _t712 - 0xb0;
				_t689 = _a8;
				_t479 = _t689 + 4;
				_v164 = _t479;
				_v148 = 0x4675f0;
				_v124.right = 0x4675e8;
				L00447D40( &_v148, 0);
				_v8 = 0;
				_v148 = _v173;
				E0040213C( &_v148, 0);
				_v12 = 1;
				L00447D30( &_v136);
				_t13 =  &_v124; // 0x4675e8
				_v12 = 2;
				L00447D70(_t13, 0);
				_t489 =  &_v160;
				_v188 = _t489;
				_v16 = 4;
				if( &_v160 != 0) {
					if(_t479 == 0) {
						_t611 = 0;
						__eflags = 0;
					} else {
						asm("repne scasb");
						_t611 =  !(_t489 | 0xffffffff) - 1;
					}
					L00447990( &_v148, _t479, _t611,  &_v169, 1);
				}
				SetLastError( *(_t713 +  *((intOrPtr*)(_v148 + 4)) + 0x38));
				_v4 = 5;
				if( *((intOrPtr*)(_t689 + 0x138)) >= 2) {
					_t449 =  *((intOrPtr*)(_t689 + 0x13c));
					if(_t449 != 0) {
						_v183 = 0;
						_v184 = 0;
						_v179 = 0;
						wsprintfA( &_v184, "-%04x", _t449 & 0x0000ffff);
						_t713 = _t713 + 0xc;
						_v100.top = 0x4675f0;
						_v68.top = 0x4675e8;
						L00447D40( &(_v100.top), 0);
						_v0 = 6;
						L00447B80( &(_v100.top),  &_v145);
						_v84 = 0;
						_v80 = 0;
						_v76 = 0;
						_v4 = 8;
						L00447D70( &_v72, 0);
						_t595 =  &_v108;
						_v180 = _t595;
						_v8 = 0xa;
						if( &_v108 != 0) {
							if( &_v176 == 0) {
								_t607 = 0;
								__eflags = 0;
							} else {
								asm("repne scasb");
								_t607 =  !(_t595 | 0xffffffff) - 1;
							}
							L00447990( &(_v100.top),  &_v176, _t607,  &_v149, 1);
						}
						_t55 = _v100.top + 4; // 0x24
						SetLastError( *(_t713 +  *_t55 + 0x64));
						_t666 =  *0x4675e0; // 0xffffffff
						asm("sbb eax, eax");
						_a4 = 0xb;
						L0040BE88( &_v136,  ~( &(_v100.top)) &  &(_v100.right), 0, _t666);
						_t65 =  &_v76; // 0x4675e8
						asm("sbb eax, eax");
						_v8 = 5;
						 *((intOrPtr*)( *((intOrPtr*)( *( ~( &_v108) & _t65) + 4)) + ( ~( &_v108) & _t65))) = GetLastError();
						asm("sbb ecx, ecx");
						E00430164( ~( &_v108) &  &(_v100.bottom));
						asm("sbb ecx, ecx");
						E0040213C( ~( &_v108) &  &_v104, 1);
						_t73 = _v124.bottom + 4; // 0x24
						SetLastError( *(_t713 +  *_t73 + 0x64));
					}
				}
				_t714 = _t713 - 0x28;
				_t690 = _t714;
				_v176 = _t714;
				_v176 = _t690;
				 *_t690 = 0x4675f0;
				 *((intOrPtr*)(_t690 + 0x20)) = 0x4675e8;
				L00447D40(_t690, 0);
				asm("sbb eax, eax");
				_v8 = 0xc;
				L00452D50(_t690 + 4,  ~( &_v152) &  &_v148);
				_v12 = 0xd;
				L00447D30(_t690 + 0x14);
				_v12 = 0xe;
				L00447D70(_t690 + 0x20, 0);
				_v16 = 5;
				_t691 = L0044AE30(_v8);
				if(_t691 != 0) {
					_t481 = _v32;
					 *_t691 =  *_t481;
					_t105 = _t691 + 0xd0; // 0xd0
					 *(_t691 + 0xcc) = _t481[0x33];
					lstrcpyA(_t105,  &(_t481[0x34]));
					_t108 = _t691 + 4; // 0x4
					lstrcpyA(_t108, _v204);
					_t110 = _t691 + 0x68; // 0x68
					lstrcpyA(_t110,  &(_t481[0x1a]));
					 *(_t691 + 0x134) = _t481[0x4d];
					 *((short*)(_t691 + 0x13c)) = _t481[0x4f];
					_v100.left = 0;
					_v100.top = 0;
					_v100.right = 4;
					_v100.bottom = 8;
					MapDialogRect( *_t481,  &_v100);
					_t501 = _v100.right;
					 *(_t691 + 0x140) = _t501;
					 *(_t691 + 0x144) = _v100.bottom;
					 *((intOrPtr*)(_t691 + 0x150)) = MulDiv(_t501, 0x186a0, 6);
					 *((intOrPtr*)(_t691 + 0x154)) = MulDiv( *(_t691 + 0x144), 0x186a0, 0xd);
					__eflags =  *(_t691 + 0x1a0);
					if( *(_t691 + 0x1a0) != 0) {
						L21:
						_t132 = _t691 + 0x194; // 0x194
						_t334 = _t132;
						L22:
						L004539B0(_t334,  &_v228);
						while(1) {
							__eflags =  *(_t691 + 0x1a0);
							if( *(_t691 + 0x1a0) != 0) {
								goto L29;
							}
							_t135 = _t691 + 0x158; // 0x158
							_t684 = _t135;
							__eflags = _t684;
							if(__eflags == 0) {
								_t575 = 0;
								__eflags = 0;
							} else {
								_t136 = _t691 + 0x15c; // 0x15c
								_t575 = _t136;
							}
							_t435 = L00459360(_t575, __eflags, L"ALL");
							__eflags = _t435;
							if(_t435 != 0) {
								_t714 = _t714 - 0x28;
								_v216 = _t714;
								_push(1);
								_push(_t684);
								L0040B2B8(_t714);
								_t337 = L00451140(L0044B380( *((intOrPtr*)(_t691 + 0x14c)), __eflags));
								L30:
								_t504 = _v228;
								__eflags = _t504 -  *((intOrPtr*)(_t337 + 4));
								if(_t504 ==  *((intOrPtr*)(_t337 + 4))) {
									GetClientRect( *_t481,  &_v68);
									_t674 = CreateDCW(L"DISPLAY", 0, 0, 0);
									_v232 = _t674;
									 *(_t691 + 0x148) = CreateCompatibleDC(_t674);
									_t342 = CreateCompatibleBitmap(_t674, _v80, _v76);
									_v236 = _t342;
									SelectObject( *(_t691 + 0x148), _t342);
									__eflags =  *(_t691 + 0x190);
									if( *(_t691 + 0x190) != 0) {
										L44:
										_t199 = _t691 + 0x184; // 0x184
										_t345 = _t199;
										L45:
										_v248 =  *((intOrPtr*)( *((intOrPtr*)(_t345 + 4))));
										while(1) {
											__eflags =  *(_t691 + 0x190);
											if( *(_t691 + 0x190) != 0) {
												goto L52;
											}
											_t203 = _t691 + 0x158; // 0x158
											_t681 = _t203;
											__eflags = _t681;
											if(__eflags == 0) {
												_t551 = 0;
												__eflags = 0;
											} else {
												_t204 = _t691 + 0x15c; // 0x15c
												_t551 = _t204;
											}
											_t416 = L00459360(_t551, __eflags, L"ALL");
											__eflags = _t416;
											if(_t416 != 0) {
												_t714 = _t714 - 0x28;
												_v264 = _t714;
												_push(1);
												_push(_t681);
												L0040B2B8(_t714);
												_t348 = L00450FC0(L0044B380( *((intOrPtr*)(_t691 + 0x14c)), __eflags));
												L53:
												_t508 = _v248;
												__eflags = _t508 -  *((intOrPtr*)(_t348 + 4));
												if(_t508 ==  *((intOrPtr*)(_t348 + 4))) {
													__eflags =  *(_t691 + 0x1a0);
													if( *(_t691 + 0x1a0) != 0) {
														L61:
														_t240 = _t691 + 0x194; // 0x194
														_t350 = _t240;
														L62:
														_v188 =  *((intOrPtr*)( *((intOrPtr*)(_t350 + 4))));
														while(1) {
															__eflags =  *(_t691 + 0x1a0);
															if( *(_t691 + 0x1a0) != 0) {
																goto L69;
															}
															_t244 = _t691 + 0x158; // 0x158
															_t679 = _t244;
															__eflags = _t679;
															if(__eflags == 0) {
																_t536 = 0;
																__eflags = 0;
															} else {
																_t245 = _t691 + 0x15c; // 0x15c
																_t536 = _t245;
															}
															_t397 = L00459360(_t536, __eflags, L"ALL");
															__eflags = _t397;
															if(_t397 != 0) {
																_t714 = _t714 - 0x28;
																_v264 = _t714;
																_push(1);
																_push(_t679);
																L0040B2B8(_t714);
																_t352 = L00451140(L0044B380( *((intOrPtr*)(_t691 + 0x14c)), __eflags));
																L70:
																_t510 = _v188;
																__eflags = _t510 -  *((intOrPtr*)(_t352 + 4));
																if(_t510 ==  *((intOrPtr*)(_t352 + 4))) {
																	_t483 = _v72;
																	E00450520(_v76,  *_t483, _t691);
																	__eflags =  *(_t691 + 0x1b0);
																	if( *(_t691 + 0x1b0) != 0) {
																		L78:
																		_t263 = _t691 + 0x1a4; // 0x1a4
																		_t355 = _t263;
																		L79:
																		_v236 =  *((intOrPtr*)( *((intOrPtr*)(_t355 + 4))));
																		while(1) {
																			__eflags =  *(_t691 + 0x1b0);
																			if( *(_t691 + 0x1b0) != 0) {
																				goto L86;
																			}
																			_t267 = _t691 + 0x158; // 0x158
																			_t677 = _t267;
																			__eflags = _t677;
																			if(__eflags == 0) {
																				_t523 = 0;
																				__eflags = 0;
																			} else {
																				_t268 = _t691 + 0x15c; // 0x15c
																				_t523 = _t268;
																			}
																			_t386 = L00459360(_t523, __eflags, L"ALL");
																			__eflags = _t386;
																			if(_t386 != 0) {
																				_t714 = _t714 - 0x28;
																				_v264 = _t714;
																				_push(1);
																				_push(_t677);
																				L0040B2B8(_t714);
																				_t358 = L004512C0(L0044B380( *((intOrPtr*)(_t691 + 0x14c)), __eflags));
																				L87:
																				_t513 = _v236;
																				__eflags = _t513 -  *((intOrPtr*)(_t358 + 4));
																				if(_t513 ==  *((intOrPtr*)(_t358 + 4))) {
																					DeleteObject(_v244);
																					DeleteDC(_v260);
																					SetPropW( *_t483, L"PROP_PSKIN", _t691); // executed
																					 *(_t691 + 0x134) = SetWindowLongW( *_t483, 0xfffffffc, E0044FE00);
																					InvalidateRect( *_t483, 0, 0);
																					UpdateWindow( *_t483);
																					asm("sbb eax, eax");
																					 *((intOrPtr*)( *((intOrPtr*)( *( ~( &_v236) &  &_v204) + 4)) + ( ~( &_v236) &  &_v204))) = GetLastError();
																					asm("sbb esi, esi");
																					_t696 =  ~( &_v236) &  &_v216;
																					E0043AE17( *_t696);
																					_t675 = __imp__#6;
																					_t714 = _t714 + 4;
																					 *_t675( *((intOrPtr*)(_t696 + 8)));
																					asm("sbb esi, esi");
																					_t699 =  ~( &_v240) &  &_v236;
																					_t374 =  *(_t699 + 4);
																					__eflags = _t374;
																					if(_t374 == 0) {
																						L98:
																						 *(_t699 + 4) = 0;
																						 *((intOrPtr*)(_t699 + 8)) = 0;
																						 *((intOrPtr*)(_t699 + 0xc)) = 0;
																						SetLastError( *(_t714 +  *((intOrPtr*)(_v240 + 4)) + 0x38));
																						_t376 = 1;
																						L99:
																						 *[fs:0x0] = _v104;
																						return _t376;
																					}
																					_t520 =  *((intOrPtr*)(_t374 - 1));
																					__eflags = _t520;
																					if(_t520 == 0) {
																						L97:
																						_t377 = _t374 + 0xfffffffe;
																						__eflags = _t377;
																						 *_t675(_t377);
																						goto L98;
																					}
																					__eflags = _t520 - 0xff;
																					if(_t520 == 0xff) {
																						goto L97;
																					}
																					 *((char*)(_t374 - 1)) = _t520 - 1;
																					goto L98;
																				}
																				_t379 =  *(_t513 + 0x10);
																				__eflags = _t379;
																				if(_t379 != 0) {
																					__eflags =  *_t379;
																					if( *_t379 != 0) {
																						_t381 = GetDlgItem( *_t483,  *(_t379 + 0x14));
																						__eflags = _t381;
																						if(_t381 != 0) {
																							DrawIcon( *(_t691 + 0x148), ( *(_v236 + 0x10))[1], ( *(_v236 + 0x10))[2],  *( *(_v236 + 0x10)));
																						}
																					}
																				}
																				L004533D0( &_v236);
																				continue;
																			}
																			L86:
																			_t271 = _t691 + 0x1a4; // 0x1a4
																			_t358 = _t271;
																			goto L87;
																		}
																	}
																	_t259 = _t691 + 0x158; // 0x158
																	_t678 = _t259;
																	__eflags = _t678;
																	if(__eflags == 0) {
																		_t530 = 0;
																		__eflags = 0;
																	} else {
																		_t260 = _t691 + 0x15c; // 0x15c
																		_t530 = _t260;
																	}
																	_t389 = L00459360(_t530, __eflags, L"ALL");
																	__eflags = _t389;
																	if(_t389 == 0) {
																		goto L78;
																	} else {
																		_t714 = _t714 - 0x28;
																		_v264 = _t714;
																		_push(1);
																		_push(_t678);
																		L0040B2B8(_t714);
																		_t355 = L004512C0(L0044B380( *((intOrPtr*)(_t691 + 0x14c)), __eflags));
																		goto L79;
																	}
																}
																_t393 =  *((intOrPtr*)( *((intOrPtr*)(_t510 + 0x10)) + 0x3c));
																_push( *((intOrPtr*)(_t393 + 4)));
																_push( *(_t691 + 0x148));
																_push( *_t393);
																E0045A0D0();
																_t714 = _t714 + 0xc;
																L004532B0( &_v188);
																continue;
															}
															L69:
															_t248 = _t691 + 0x194; // 0x194
															_t352 = _t248;
															goto L70;
														}
													}
													_t236 = _t691 + 0x158; // 0x158
													_t680 = _t236;
													__eflags = _t680;
													if(__eflags == 0) {
														_t540 = 0;
														__eflags = 0;
													} else {
														_t237 = _t691 + 0x15c; // 0x15c
														_t540 = _t237;
													}
													_t400 = L00459360(_t540, __eflags, L"ALL");
													__eflags = _t400;
													if(_t400 == 0) {
														goto L61;
													} else {
														_t714 = _t714 - 0x28;
														_v264 = _t714;
														_push(1);
														_push(_t680);
														L0040B2B8(_t714);
														_t350 = L00451140(L0044B380( *((intOrPtr*)(_t691 + 0x14c)), __eflags));
														goto L62;
													}
												}
												_v124.left = MulDiv( *( *((intOrPtr*)(_t508 + 0x10)) + 8),  *(_t691 + 0x140), 4);
												_v124.top = MulDiv( *( *((intOrPtr*)(_v248 + 0x10)) + 0xc),  *(_t691 + 0x144), 8);
												_v124.right = MulDiv( *( *((intOrPtr*)(_v248 + 0x10)) + 0x10),  *(_t691 + 0x140), 4);
												_v124.bottom = MulDiv( *( *((intOrPtr*)(_v248 + 0x10)) + 0x14),  *(_t691 + 0x144), 8);
												FillRect( *(_t691 + 0x148),  &_v124,  *( *((intOrPtr*)(_v248 + 0x10)) + 4));
												L00453170( &_v260);
												continue;
											}
											L52:
											_t207 = _t691 + 0x184; // 0x184
											_t348 = _t207;
											goto L53;
										}
									}
									_t195 = _t691 + 0x158; // 0x158
									_t682 = _t195;
									__eflags = _t682;
									if(__eflags == 0) {
										_t555 = 0;
										__eflags = 0;
									} else {
										_t196 = _t691 + 0x15c; // 0x15c
										_t555 = _t196;
									}
									_t419 = L00459360(_t555, __eflags, L"ALL");
									__eflags = _t419;
									if(_t419 == 0) {
										goto L44;
									} else {
										_t714 = _t714 - 0x28;
										_v264 = _t714;
										_push(1);
										_push(_t682);
										L0040B2B8(_t714);
										_t345 = L00450FC0(L0044B380( *((intOrPtr*)(_t691 + 0x14c)), __eflags));
										goto L45;
									}
								}
								 *( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t504 + 0x10)) + 0x3c)))) + 4) =  *_t481;
								_t424 = L0045B360( *_t481);
								_t714 = _t714 + 4;
								 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v228 + 0x10)) + 0x3c)))) + 0xc)) = _t424;
								_t425 =  *((intOrPtr*)(_v228 + 0x10));
								_t563 =  *(_t425 + 0x38);
								__eflags = _t563 & 0x00000002;
								if((_t563 & 0x00000002) == 0) {
									_t426 = MulDiv( *(_t425 + 0x2c),  *(_t691 + 0x140), 4);
								} else {
									_t426 = 0x4000;
								}
								 *( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v228 + 0x10)) + 0x3c)) + 4)) + 0x38) = _t426;
								_t428 =  *((intOrPtr*)(_v228 + 0x10));
								_t567 =  *(_t428 + 0x38);
								__eflags = _t567 & 0x00000001;
								if((_t567 & 0x00000001) == 0) {
									_t429 = MulDiv( *(_t428 + 0x30),  *(_t691 + 0x144), 8);
								} else {
									_t429 = 0x4000;
								}
								 *( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v228 + 0x10)) + 0x3c)) + 4)) + 0x3c) = _t429;
								 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v228 + 0x10)) + 0x3c)) + 4)) + 0x40)) =  *((intOrPtr*)(_t691 + 0x150));
								 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v228 + 0x10)) + 0x3c)) + 4)) + 0x44)) =  *((intOrPtr*)(_t691 + 0x154));
								L004532B0( &_v228);
								continue;
							}
							L29:
							_t139 = _t691 + 0x194; // 0x194
							_t337 = _t139;
							goto L30;
						}
					}
					_t128 = _t691 + 0x158; // 0x158
					_t685 = _t128;
					__eflags = _t685;
					if(__eflags == 0) {
						_t579 = 0;
						__eflags = 0;
					} else {
						_t129 = _t691 + 0x15c; // 0x15c
						_t579 = _t129;
					}
					_t438 = L00459360(_t579, __eflags, L"ALL");
					__eflags = _t438;
					if(_t438 == 0) {
						goto L21;
					} else {
						_t714 = _t714 - 0x28;
						_v216 = _t714;
						_push(1);
						_push(_t685);
						L0040B2B8(_t714);
						_t334 = L00451140(L0044B380( *((intOrPtr*)(_t691 + 0x14c)), __eflags));
						goto L22;
					}
				}
				asm("sbb eax, eax");
				_v44 = 0xffffffff;
				_t444 = GetLastError();
				asm("sbb ecx, ecx");
				 *( *((intOrPtr*)( *( ~( &_v188) &  &_v156) + 4)) + ( ~( &_v188) &  &_v156)) = _t444;
				E00430164( ~( &_v188) &  &_v168);
				asm("sbb ecx, ecx");
				E0040213C( ~( &_v188) &  &_v184, 1);
				SetLastError( *(_t714 +  *((intOrPtr*)(_v192 + 4)) + 0x38));
				_t376 = 0;
				goto L99;
			}

0x0044a0c0
0x0044a0c2
0x0044a0cd
0x0044a0ce
0x0044a0d5
0x0044a0de
0x0044a0e8
0x0044a0ef
0x0044a0f3
0x0044a0fb
0x0044a103
0x0044a112
0x0044a11d
0x0044a121
0x0044a12a
0x0044a132
0x0044a139
0x0044a13d
0x0044a145
0x0044a14a
0x0044a14e
0x0044a156
0x0044a160
0x0044a164
0x0044a174
0x0044a174
0x0044a166
0x0044a16d
0x0044a171
0x0044a171
0x0044a183
0x0044a183
0x0044a19e
0x0044a1ae
0x0044a1b5
0x0044a1bb
0x0044a1c7
0x0044a1d9
0x0044a1e3
0x0044a1e8
0x0044a1ec
0x0044a1f2
0x0044a1f9
0x0044a201
0x0044a20d
0x0044a21b
0x0044a223
0x0044a228
0x0044a22c
0x0044a230
0x0044a23f
0x0044a247
0x0044a24c
0x0044a250
0x0044a258
0x0044a262
0x0044a26a
0x0044a27c
0x0044a27c
0x0044a26c
0x0044a275
0x0044a279
0x0044a279
0x0044a28f
0x0044a28f
0x0044a298
0x0044a2a4
0x0044a2a6
0x0044a2b2
0x0044a2c2
0x0044a2ca
0x0044a2d3
0x0044a2dc
0x0044a2de
0x0044a2f8
0x0044a2fc
0x0044a304
0x0044a313
0x0044a319
0x0044a322
0x0044a32e
0x0044a32e
0x0044a1c7
0x0044a330
0x0044a333
0x0044a335
0x0044a340
0x0044a344
0x0044a34a
0x0044a350
0x0044a35f
0x0044a361
0x0044a36f
0x0044a377
0x0044a37f
0x0044a388
0x0044a390
0x0044a39c
0x0044a3a8
0x0044a3ac
0x0044a413
0x0044a428
0x0044a430
0x0044a438
0x0044a43e
0x0044a444
0x0044a449
0x0044a44e
0x0044a453
0x0044a462
0x0044a471
0x0044a478
0x0044a47f
0x0044a48a
0x0044a495
0x0044a4a0
0x0044a4a6
0x0044a4b3
0x0044a4ca
0x0044a4e0
0x0044a4e8
0x0044a4f4
0x0044a4f6
0x0044a53f
0x0044a53f
0x0044a53f
0x0044a545
0x0044a54c
0x0044a551
0x0044a557
0x0044a559
0x00000000
0x00000000
0x0044a55b
0x0044a55b
0x0044a561
0x0044a563
0x0044a56d
0x0044a56d
0x0044a565
0x0044a565
0x0044a565
0x0044a565
0x0044a574
0x0044a579
0x0044a57b
0x0044a57d
0x0044a582
0x0044a586
0x0044a588
0x0044a589
0x0044a59b
0x0044a5a8
0x0044a5a8
0x0044a5af
0x0044a5b1
0x0044a690
0x0044a6a7
0x0044a6aa
0x0044a6b4
0x0044a6cb
0x0044a6d9
0x0044a6dd
0x0044a6e9
0x0044a6eb
0x0044a734
0x0044a734
0x0044a734
0x0044a73a
0x0044a745
0x0044a749
0x0044a74f
0x0044a751
0x00000000
0x00000000
0x0044a753
0x0044a753
0x0044a759
0x0044a75b
0x0044a765
0x0044a765
0x0044a75d
0x0044a75d
0x0044a75d
0x0044a75d
0x0044a76c
0x0044a771
0x0044a773
0x0044a775
0x0044a77a
0x0044a77e
0x0044a780
0x0044a781
0x0044a793
0x0044a7a0
0x0044a7a0
0x0044a7a7
0x0044a7a9
0x0044a84f
0x0044a851
0x0044a89a
0x0044a89a
0x0044a89a
0x0044a8a0
0x0044a8a5
0x0044a8a9
0x0044a8af
0x0044a8b1
0x00000000
0x00000000
0x0044a8b3
0x0044a8b3
0x0044a8b9
0x0044a8bb
0x0044a8c5
0x0044a8c5
0x0044a8bd
0x0044a8bd
0x0044a8bd
0x0044a8bd
0x0044a8cc
0x0044a8d1
0x0044a8d3
0x0044a8d5
0x0044a8da
0x0044a8de
0x0044a8e0
0x0044a8e1
0x0044a8f3
0x0044a900
0x0044a900
0x0044a907
0x0044a909
0x0044a935
0x0044a947
0x0044a952
0x0044a954
0x0044a99d
0x0044a99d
0x0044a99d
0x0044a9a3
0x0044a9ae
0x0044a9b2
0x0044a9b8
0x0044a9ba
0x00000000
0x00000000
0x0044a9bc
0x0044a9bc
0x0044a9c2
0x0044a9c4
0x0044a9ce
0x0044a9ce
0x0044a9c6
0x0044a9c6
0x0044a9c6
0x0044a9c6
0x0044a9d5
0x0044a9da
0x0044a9dc
0x0044a9de
0x0044a9e3
0x0044a9e7
0x0044a9e9
0x0044a9ea
0x0044a9fc
0x0044aa09
0x0044aa09
0x0044aa10
0x0044aa12
0x0044aa5f
0x0044aa6a
0x0044aa79
0x0044aa91
0x0044aa9c
0x0044aaa5
0x0044aab5
0x0044aac6
0x0044aace
0x0044aad4
0x0044aad9
0x0044aae1
0x0044aae7
0x0044aaeb
0x0044aaf7
0x0044aaf9
0x0044aafb
0x0044aafe
0x0044ab00
0x0044ab1b
0x0044ab1b
0x0044ab1e
0x0044ab21
0x0044ab30
0x0044ab36
0x0044ab3b
0x0044ab45
0x0044ab53
0x0044ab53
0x0044ab02
0x0044ab05
0x0044ab07
0x0044ab15
0x0044ab15
0x0044ab15
0x0044ab19
0x00000000
0x0044ab19
0x0044ab09
0x0044ab0c
0x00000000
0x00000000
0x0044ab10
0x00000000
0x0044ab10
0x0044aa14
0x0044aa17
0x0044aa19
0x0044aa1b
0x0044aa1e
0x0044aa27
0x0044aa29
0x0044aa2b
0x0044aa46
0x0044aa46
0x0044aa2b
0x0044aa1e
0x0044aa50
0x00000000
0x0044aa50
0x0044aa03
0x0044aa03
0x0044aa03
0x00000000
0x0044aa03
0x0044a9b2
0x0044a956
0x0044a956
0x0044a95c
0x0044a95e
0x0044a968
0x0044a968
0x0044a960
0x0044a960
0x0044a960
0x0044a960
0x0044a96f
0x0044a974
0x0044a976
0x00000000
0x0044a978
0x0044a978
0x0044a97d
0x0044a981
0x0044a983
0x0044a984
0x0044a996
0x00000000
0x0044a996
0x0044a976
0x0044a914
0x0044a91c
0x0044a91d
0x0044a91e
0x0044a91f
0x0044a924
0x0044a92b
0x00000000
0x0044a92b
0x0044a8fa
0x0044a8fa
0x0044a8fa
0x00000000
0x0044a8fa
0x0044a8a9
0x0044a853
0x0044a853
0x0044a859
0x0044a85b
0x0044a865
0x0044a865
0x0044a85d
0x0044a85d
0x0044a85d
0x0044a85d
0x0044a86c
0x0044a871
0x0044a873
0x00000000
0x0044a875
0x0044a875
0x0044a87a
0x0044a87e
0x0044a880
0x0044a881
0x0044a893
0x00000000
0x0044a893
0x0044a873
0x0044a7c1
0x0044a7e2
0x0044a7ff
0x0044a81c
0x0044a839
0x0044a83f
0x00000000
0x0044a83f
0x0044a79a
0x0044a79a
0x0044a79a
0x00000000
0x0044a79a
0x0044a749
0x0044a6ed
0x0044a6ed
0x0044a6f3
0x0044a6f5
0x0044a6ff
0x0044a6ff
0x0044a6f7
0x0044a6f7
0x0044a6f7
0x0044a6f7
0x0044a706
0x0044a70b
0x0044a70d
0x00000000
0x0044a70f
0x0044a70f
0x0044a714
0x0044a718
0x0044a71a
0x0044a71b
0x0044a72d
0x00000000
0x0044a72d
0x0044a70d
0x0044a5c1
0x0044a5ce
0x0044a5d6
0x0044a5de
0x0044a5e5
0x0044a5e8
0x0044a5eb
0x0044a5ee
0x0044a604
0x0044a5f0
0x0044a5f0
0x0044a5f0
0x0044a613
0x0044a61a
0x0044a61d
0x0044a620
0x0044a623
0x0044a639
0x0044a625
0x0044a625
0x0044a625
0x0044a648
0x0044a65e
0x0044a678
0x0044a67b
0x00000000
0x0044a67b
0x0044a5a2
0x0044a5a2
0x0044a5a2
0x00000000
0x0044a5a2
0x0044a551
0x0044a4f8
0x0044a4f8
0x0044a4fe
0x0044a500
0x0044a50a
0x0044a50a
0x0044a502
0x0044a502
0x0044a502
0x0044a502
0x0044a511
0x0044a516
0x0044a518
0x00000000
0x0044a51a
0x0044a51a
0x0044a51f
0x0044a523
0x0044a525
0x0044a526
0x0044a538
0x00000000
0x0044a538
0x0044a518
0x0044a3b8
0x0044a3ba
0x0044a3ce
0x0044a3de
0x0044a3e0
0x0044a3e4
0x0044a3f3
0x0044a3f9
0x0044a40a
0x0044a40c
0x00000000

APIs

Part of subcall function 00447D40: GetLastError.KERNEL32(?,?,004521BC,00000000,?,FFFFFFFF,00000001), ref: 00447D59

Part of subcall function 00447D70: SetLastError.KERNEL32(?,004675F0,0044C457,00000000,00467570,?), ref: 00447D8A

SetLastError.KERNEL32(?,00000000), ref: 0044A19E
wsprintfA.USER32 ref: 0044A1EC
SetLastError.KERNEL32(004675F0,00000000), ref: 0044A2A4
GetLastError.KERNEL32(004675F0,00000000,FFFFFFFF), ref: 0044A2EE
SetLastError.KERNEL32(004675F0,00000001), ref: 0044A32E
GetLastError.KERNEL32(00000000,?,00000000,?,?,?,?,?,00000000,?,?,?,00000000), ref: 0044A3CE
SetLastError.KERNEL32(?,00000001,?,?,?,?,?,00000000,?,?,?,00000000), ref: 0044A40A
lstrcpyA.KERNEL32(000000D0,?,00000000,?,00000000,?,?,?,?,?,00000000,?,?,?,00000000), ref: 0044A43E
lstrcpyA.KERNEL32(00000004,?,?,?,?,?,?,00000000,?,?,?,00000000), ref: 0044A449
lstrcpyA.KERNEL32(00000068,?,?,?,?,?,?,00000000,?,?,?,00000000), ref: 0044A453
MapDialogRect.USER32(00000000,?), ref: 0044A4A0
MulDiv.KERNEL32(?,000186A0,00000006), ref: 0044A4D0
MulDiv.KERNEL32(?,000186A0,0000000D), ref: 0044A4E6
MulDiv.KERNEL32(?,?,00000004), ref: 0044A604
MulDiv.KERNEL32(?,?,00000008), ref: 0044A639
GetClientRect.USER32 ref: 0044A690
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 0044A6A1
CreateCompatibleDC.GDI32(00000000), ref: 0044A6AE
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 0044A6CB
SelectObject.GDI32(?,00000000), ref: 0044A6DD
MulDiv.KERNEL32(?,?,00000004), ref: 0044A7BF
MulDiv.KERNEL32(?,?,00000008), ref: 0044A7DC
MulDiv.KERNEL32(?,?,00000004), ref: 0044A7F9
MulDiv.KERNEL32(?,?,00000008), ref: 0044A816
FillRect.USER32 ref: 0044A839
GetDlgItem.USER32 ref: 0044AA27
DrawIcon.USER32 ref: 0044AA46
DeleteObject.GDI32(?), ref: 0044AA5F
DeleteDC.GDI32(?), ref: 0044AA6A
SetPropW.USER32 ref: 0044AA79
SetWindowLongW.USER32 ref: 0044AA89
InvalidateRect.USER32(00000000,00000000,00000000,?,000000FC,0044FE00,?,PROP_PSKIN,00000000,?,?,?,?,?,00000000,?), ref: 0044AA9C
UpdateWindow.USER32 ref: 0044AAA5
GetLastError.KERNEL32(?,?,000000FC,0044FE00,?,PROP_PSKIN,00000000,?,?,?,?,?,00000000,?), ref: 0044AAC0
SysFreeString.OLEAUT32(?), ref: 0044AAEB
SysFreeString.OLEAUT32(?), ref: 0044AB19
SetLastError.KERNEL32(?), ref: 0044AB30

Strings

-%04x, xrefs: 0044A1DD
uF, xrefs: 0044A139
PROP_PSKIN, xrefs: 0044AA73
DISPLAY, xrefs: 0044A69C
ALL, xrefs: 0044A50C, 0044A56F, 0044A701, 0044A767, 0044A867, 0044A8C7, 0044A96A, 0044A9D0
uF, xrefs: 0044A2D3

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorLast$Rect$Createlstrcpy$CompatibleDeleteFreeObjectStringWindow$BitmapClientDialogDrawFillIconInvalidateItemLongPropSelectUpdatewsprintf
String ID: -%04x$ALL$DISPLAY$PROP_PSKIN$uF$uF
API String ID: 1218932988-2354900732
Opcode ID: 4b98571ad283620b19c4fa14cbda3f37391c6c96ad16ae9927a0bacf65643a92
Instruction ID: a80bf79b4e0f8fc4857ea216f89aae5da12167f61d890b73002bfa7f378a6880
Opcode Fuzzy Hash: 4b98571ad283620b19c4fa14cbda3f37391c6c96ad16ae9927a0bacf65643a92
Instruction Fuzzy Hash: 0C62AF742047009FD324DF25C885FABB7E5BF88704F50891EE99A8B391EB74E805CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00417C8A Relevance: 75.9, APIs: 30, Strings: 13, Instructions: 675
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E00417C8A(intOrPtr __ecx, void* __eflags) {
				void* _t348;
				void* _t351;
				struct _OVERLAPPED* _t354;
				void* _t357;
				void* _t358;
				WCHAR* _t366;
				int _t395;
				void* _t400;
				long _t406;
				signed int _t415;
				void* _t422;
				void* _t434;
				long _t439;
				WCHAR* _t449;
				WCHAR* _t462;
				WCHAR* _t464;
				long _t472;
				signed int _t473;
				long _t474;
				signed int _t487;
				long _t488;
				void* _t502;
				int _t506;
				int _t510;
				long _t515;
				WCHAR* _t520;
				WCHAR* _t525;
				long _t644;
				void* _t647;
				struct _OVERLAPPED* _t652;
				void* _t655;
				void* _t657;
				WCHAR* _t659;
				void* _t661;

				_t661 = __eflags;
				L0043B644(0x461ac5, _t655);
				_push(1);
				_push( *(_t655 + 8));
				 *((intOrPtr*)(_t655 - 0x88)) = __ecx;
				_t348 = E00418ED1(); // executed
				_t647 = _t348;
				E00418BDB(_t655 - 0x54, _t661);
				_t533 = 0;
				_push(0);
				 *(_t655 - 4) = 0;
				_t659 = _t657 - 0xbc0;
				 *(_t655 - 0x58) = _t659;
				E004186C8(_t659,  *(_t655 + 8), 1);
				_t351 = E00418C4B(_t655 - 0x54, _t661); // executed
				if(_t351 == 0) {
					 *((intOrPtr*)(_t655 - 0x54)) = 0x467fe4;
					 *(_t655 - 4) = 0x1a;
					E00418E8D(_t655 - 0x54);
					 *(_t655 - 4) =  *(_t655 - 4) | 0xffffffff;
					_t354 = E0041A273(_t655 - 0x4c) | 0xffffffff;
					__eflags = _t354;
					L64:
					 *[fs:0x0] =  *((intOrPtr*)(_t655 - 0xc));
					return _t354;
				}
				E00418E58(_t655 - 0x54, _t647, 0); // executed
				_t357 = FindFirstFileW( *(_t655 + 8), _t655 - 0xbe8); // executed
				 *(_t655 - 0x1c) = _t357;
				 *(_t655 - 4) = 1;
				if(_t357 != 0xffffffff) {
					_t644 = FindClose;
					__eflags = FindClose;
					if(FindClose != 0) {
						FindClose(_t357); // executed
						_t17 = _t655 - 0x1c;
						 *_t17 =  *(_t655 - 0x1c) | 0xffffffff;
						__eflags =  *_t17;
					}
					_t358 = L0043BC14(0x8000);
					__eflags =  *((intOrPtr*)(_t655 + 0x10)) - _t533;
					 *(_t655 - 0x10) = _t358;
					if( *((intOrPtr*)(_t655 + 0x10)) != _t533) {
						_t525 =  *(_t655 + 0xc);
						 *((intOrPtr*)(_t655 - 0x80)) = 0x46757c;
						__eflags = _t525 - _t533;
						 *((intOrPtr*)(_t655 - 0x60)) = 0x467574;
						if(_t525 == _t533) {
							_t525 = 0x47e150;
						}
						_push(_t533);
						_push(_t655 + 0xb);
						_push(_t525);
						_t25 = _t655 - 0x80; // 0x46757c
						L0040176A(_t25);
						_t27 = _t655 - 0x80; // 0x46757c
						 *(_t655 - 4) = 3;
						E0041A7BB( *((intOrPtr*)(_t655 + 0x10)), __eflags,  *((intOrPtr*)( *((intOrPtr*)(_t655 + 0x10)) + 8)), _t27);
						_t30 = _t655 - 0x80; // 0x46757c
						 *(_t655 - 4) = 1;
						L0040125C(_t30);
					}
					 *(_t655 - 0x24) = _t533;
					E00418E58(_t655 - 0x54, _t647, _t533); // executed
					E00418E14(_t655 - 0x54, _t655 - 0x24, 4); // executed
					__eflags =  *(_t655 - 0x24) - _t533;
					 *((intOrPtr*)(_t655 - 0x14)) = _t647 + 4;
					 *(_t655 - 0x28) = _t533;
					if( *(_t655 - 0x24) <= _t533) {
						L50:
						__eflags =  *((intOrPtr*)(_t655 + 0x10)) - _t533;
						if( *((intOrPtr*)(_t655 + 0x10)) != _t533) {
							_t366 =  *(_t655 + 0xc);
							 *((intOrPtr*)(_t655 - 0x140)) = 0x46757c;
							__eflags = _t366 - _t533;
							 *((intOrPtr*)(_t655 - 0x120)) = 0x467574;
							if(_t366 == _t533) {
								_t366 = 0x47e150;
							}
							_push(_t533);
							_push(_t655 + 0x1b);
							_push(_t366);
							_t266 = _t655 - 0x140; // 0x46757c
							L0040176A(_t266);
							_t268 = _t655 - 0x140; // 0x46757c
							 *(_t655 - 4) = 0x18;
							E00419C0E( *((intOrPtr*)(_t655 + 0x10)), _t268);
							_t270 = _t655 - 0x140; // 0x46757c
							 *(_t655 - 4) = 1;
							L0040125C(_t270);
						}
						E0043AE17( *(_t655 - 0x10));
						__eflags =  *(_t655 - 0x1c) - 0xffffffff;
						if( *(_t655 - 0x1c) != 0xffffffff) {
							__eflags = _t644 - _t533;
							if(_t644 != _t533) {
								FindClose( *(_t655 - 0x1c));
								_t275 = _t655 - 0x1c;
								 *_t275 =  *(_t655 - 0x1c) | 0xffffffff;
								__eflags =  *_t275;
							}
						}
						 *((intOrPtr*)(_t655 - 0x54)) = 0x467fe4;
						 *(_t655 - 4) = 0x19;
						goto L58;
					} else {
						do {
							 *(_t655 + 0xb) = _t533;
							E00418E58(_t655 - 0x54,  *((intOrPtr*)(_t655 - 0x14)), _t533); // executed
							E00418E14(_t655 - 0x54,  *(_t655 - 0x10), 0x208);
							lstrcpyW(_t655 - 0x680,  *(_t655 - 0x10));
							 *((intOrPtr*)(_t655 - 0x14)) =  *((intOrPtr*)(_t655 - 0x14)) + 2 + lstrlenW(_t655 - 0x680) * 2;
							E00418E58(_t655 - 0x54,  *((intOrPtr*)(_t655 - 0x14)) + 2 + lstrlenW(_t655 - 0x680) * 2, _t533); // executed
							E00418E14(_t655 - 0x54,  *(_t655 - 0x10), 0x208);
							lstrcpyW(_t655 - 0x910,  *(_t655 - 0x10));
							 *((intOrPtr*)(_t655 - 0x14)) =  *((intOrPtr*)(_t655 - 0x14)) + 2 + lstrlenW(_t655 - 0x910) * 2;
							E00418E58(_t655 - 0x54,  *((intOrPtr*)(_t655 - 0x14)) + 2 + lstrlenW(_t655 - 0x910) * 2, _t533); // executed
							E00418E14(_t655 - 0x54,  *(_t655 - 0x10), 0x208);
							lstrcpyW(_t655 - 0x270,  *(_t655 - 0x10));
							 *((intOrPtr*)(_t655 - 0x14)) =  *((intOrPtr*)(_t655 - 0x14)) + 2 + lstrlenW(_t655 - 0x270) * 2;
							E00418E58(_t655 - 0x54,  *((intOrPtr*)(_t655 - 0x14)) + 2 + lstrlenW(_t655 - 0x270) * 2, _t533); // executed
							E00418E14(_t655 - 0x54,  *(_t655 - 0x10), 0x1e);
							 *(_t655 - 0x18) = E0043C508( *(_t655 - 0x10));
							_t395 = lstrlenW( *(_t655 - 0x10));
							_push(_t533);
							 *((intOrPtr*)(_t655 - 0x14)) =  *((intOrPtr*)(_t655 - 0x14)) + _t395 + _t395 + 2;
							_push(_t655 - 0x910);
							 *((intOrPtr*)(_t655 - 0xb8)) = 0x467fd8;
							 *((intOrPtr*)(_t655 - 0xb0)) = 0x467fd0;
							L00419FC2(_t655 - 0xc4);
							 *((intOrPtr*)(_t655 - 0xc4)) = 0x467fcc;
							 *(_t655 - 4) = 4;
							_push(_t655 - 0x214);
							_t400 = E00418779(_t655 - 0xc4, __eflags);
							_push(_t533);
							_push(_t400);
							 *(_t655 - 4) = 5;
							 *((intOrPtr*)(_t655 - 0x9c)) = 0x467fd8;
							 *((intOrPtr*)(_t655 - 0x94)) = 0x467fd0;
							E0041A1C5(_t655 - 0xa8);
							 *((intOrPtr*)(_t655 - 0xa8)) = 0x467fcc;
							 *(_t655 - 4) = 7;
							E0041A273(_t655 - 0x214);
							lstrcpyW(_t655 - 0x478,  *(_t655 + 0xc));
							_t406 = lstrcatW(_t655 - 0x478, 0x4764fc);
							__eflags =  *(_t655 - 0x98) - _t533;
							if( *(_t655 - 0x98) != _t533) {
								__imp__#7( *(_t655 - 0x98));
								__eflags = _t406;
								if(_t406 > 0) {
									lstrcatW(_t655 - 0x478,  *(_t655 - 0x98));
									_push(_t533);
									_push(_t655 - 0x478);
									 *((intOrPtr*)(_t655 - 0xf0)) = 0x467fd8;
									 *((intOrPtr*)(_t655 - 0xe8)) = 0x467fd0;
									L00419FC2(_t655 - 0xfc);
									 *((intOrPtr*)(_t655 - 0xfc)) = 0x467fcc;
									 *(_t655 - 4) = 8;
									_t515 = GetFileAttributesW( *(_t655 - 0xec)); // executed
									__eflags = _t515 - 0xffffffff;
									if(__eflags == 0) {
										_push(_t655 - 0xfc); // executed
										E0041940C(__eflags); // executed
										__eflags =  *((intOrPtr*)(_t655 + 0x14)) - _t533;
										if( *((intOrPtr*)(_t655 + 0x14)) != _t533) {
											 *((intOrPtr*)(_t655 - 0x174)) = 0x46757c;
											__eflags = _t655 == 0x478;
											 *((intOrPtr*)(_t655 - 0x154)) = 0x467574;
											_t520 = _t655 - 0x478;
											if(_t655 == 0x478) {
												_t520 = 0x47e150;
											}
											_push(_t533);
											_push(_t655 - 0x2a);
											_push(_t520);
											_t121 = _t655 - 0x174; // 0x46757c, executed
											L0040176A(_t121); // executed
											_t123 = _t655 - 0x174; // 0x46757c
											 *(_t655 - 4) = 9;
											E0041A7BB( *((intOrPtr*)(_t655 + 0x14)), __eflags,  *((intOrPtr*)( *((intOrPtr*)(_t655 + 0x14)) + 8)), _t123);
											_t126 = _t655 - 0x174; // 0x46757c
											 *(_t655 - 4) = 8;
											L0040125C(_t126);
										}
									}
									 *(_t655 - 4) = 7;
									E0041A273(_t655 - 0xfc);
								}
							}
							lstrcatW(_t655 - 0x478, _t655 - 0x680);
							_push(_t533);
							_push(_t655 - 0x680);
							 *((intOrPtr*)(_t655 - 0xd4)) = 0x467fd8;
							 *((intOrPtr*)(_t655 - 0xcc)) = 0x467fd0;
							L00419FC2(_t655 - 0xe0);
							 *((intOrPtr*)(_t655 - 0xe0)) = 0x467fcc;
							 *(_t655 - 4) = 0xa;
							_t415 = lstrcmpiW( *(E00418898(_t655 - 0xe0, __eflags, _t655 - 0x23c, _t533) + 0x10), L".cab");
							asm("sbb al, al");
							 *((char*)(_t655 - 0x1d)) =  ~_t415 + 1;
							E0041A273(_t655 - 0x23c);
							__eflags =  *((intOrPtr*)(_t655 - 0x1d)) - _t533;
							if(__eflags == 0) {
								L28:
								E00418BDB(_t655 - 0x80, __eflags);
								_push(2);
								_t659 = _t659 - 0x1c;
								 *(_t655 - 4) = 0xe;
								 *(_t655 + 8) = _t659;
								E004186C8(_t659, _t655 - 0x478, 1);
								_t422 = E00418D25(_t655 - 0x80, __eflags); // executed
								__eflags = _t422 - _t533;
								if(_t422 == _t533) {
									E0043AE17( *(_t655 - 0x10));
									 *((intOrPtr*)(_t655 - 0x80)) = 0x467fe4;
									 *(_t655 - 4) = 0xf;
									E00418E8D(_t655 - 0x80);
									 *(_t655 - 4) = 0xa;
									E0041A273(_t655 - 0x78);
									 *(_t655 - 4) = 7;
									E0041A273(_t655 - 0xe0);
									 *(_t655 - 4) = 4;
									E0041A273(_t655 - 0xa8);
									 *(_t655 - 4) = 1;
									E0041A273(_t655 - 0xc4);
									 *(_t655 - 4) = _t533;
									L00419BF2(_t655 - 0x1c);
									 *((intOrPtr*)(_t655 - 0x54)) = 0x467fe4;
									 *(_t655 - 4) = 0x10;
									_t652 = 0xfffffce0;
									L61:
									E00418E8D(_t655 - 0x54);
									 *(_t655 - 4) =  *(_t655 - 4) | 0xffffffff;
									E0041A273(_t655 - 0x4c);
									_t354 = _t652;
									goto L64;
								}
								__eflags =  *(_t655 - 0x18) - 0x4000;
								if( *(_t655 - 0x18) < 0x4000) {
									L35:
									__eflags =  *(_t655 - 0x18) - _t533;
									if( *(_t655 - 0x18) <= _t533) {
										L40:
										E00418E8D(_t655 - 0x80);
										_push(_t655 - 0x1c4); // executed
										_t434 = E00418833(_t655 - 0xc4, __eflags); // executed
										 *(_t655 + 8) =  *(_t434 + 0x10);
										_push(_t655 - 0x19c);
										 *(_t655 - 4) = 0x15;
										_t439 = lstrcmpiW( *(E00418833(_t655 - 0xe0, __eflags) + 0x10),  *(_t655 + 8));
										__eflags = _t439;
										 *(_t655 + 0xb) = _t439 != 0;
										E0041A273(_t655 - 0x19c);
										 *(_t655 - 4) = 0xe;
										E0041A273(_t655 - 0x1c4);
										__eflags =  *(_t655 + 0xb) - _t533;
										if( *(_t655 + 0xb) != _t533) {
											lstrcpyW(_t655 - 0x680,  *(_t655 + 0xc));
											lstrcatW(_t655 - 0x680, 0x4764fc);
											lstrcatW(_t655 - 0x680, _t655 - 0x910);
											_push(_t533);
											_push(_t655 - 0x708);
											_t462 = _t655 - 0x478;
											_push(_t462);
											L0042C886();
											 *(_t655 + 8) = _t462;
											_push(0x1001);
											_push(_t655 - 0x998);
											_t464 = _t655 - 0x680;
											_push(_t464);
											L0042C886();
											_push(_t464);
											 *(_t655 - 0x18) = _t464;
											_push( *(_t655 + 8));
											L0042C874();
											_push( *(_t655 + 8));
											 *(_t655 - 0x58) = _t464;
											L0042C862();
											_push( *(_t655 - 0x18));
											L0042C862();
											__eflags =  *(_t655 - 0x58) - _t533;
											if( *(_t655 - 0x58) > _t533) {
												DeleteFileW(_t655 - 0x478);
												lstrcpyW(_t655 - 0x478, _t655 - 0x680);
											}
										}
										__eflags =  *((intOrPtr*)(_t655 + 0x10)) - _t533;
										if( *((intOrPtr*)(_t655 + 0x10)) != _t533) {
											 *((intOrPtr*)(_t655 - 0x140)) = 0x46757c;
											__eflags = _t655 == 0x478;
											 *((intOrPtr*)(_t655 - 0x120)) = 0x467574;
											_t449 = _t655 - 0x478;
											if(_t655 == 0x478) {
												_t449 = 0x47e150;
											}
											_push(_t533);
											_push(_t655 - 0x29);
											_push(_t449);
											_t239 = _t655 - 0x140; // 0x46757c
											L0040176A(_t239);
											_t241 = _t655 - 0x140; // 0x46757c
											 *(_t655 - 4) = 0x16;
											E0041A7BB( *((intOrPtr*)(_t655 + 0x10)), __eflags,  *((intOrPtr*)( *((intOrPtr*)(_t655 + 0x10)) + 8)), _t241);
											_t244 = _t655 - 0x140; // 0x46757c
											 *(_t655 - 4) = 0xe;
											L0040125C(_t244);
										}
										 *((intOrPtr*)(_t655 - 0x80)) = 0x467fe4;
										 *(_t655 - 4) = 0x17;
										E00418E8D(_t655 - 0x80);
										 *(_t655 - 4) = 0xa;
										E0041A273(_t655 - 0x78);
										goto L48;
									}
									E00418E58(_t655 - 0x54,  *((intOrPtr*)(_t655 - 0x14)), _t533); // executed
									E00418E14(_t655 - 0x54,  *(_t655 - 0x10),  *(_t655 - 0x18)); // executed
									_t472 =  *(_t655 - 0x18);
									 *((intOrPtr*)(_t655 - 0x14)) =  *((intOrPtr*)(_t655 - 0x14)) + _t472;
									_t473 = WriteFile( *(_t655 - 0x7c),  *(_t655 - 0x10), _t472, _t655 - 0x84, _t533); // executed
									__eflags = _t473;
									if(_t473 == 0) {
										_t474 = _t473 | 0xffffffff;
										__eflags = _t474;
									} else {
										_t474 =  *(_t655 - 0x84);
									}
									__eflags = _t474 - 0xffffffff;
									if(_t474 == 0xffffffff) {
										E0043AE17( *(_t655 - 0x10));
										 *((intOrPtr*)(_t655 - 0x80)) = 0x467fe4;
										 *(_t655 - 4) = 0x13;
										E00418E8D(_t655 - 0x80);
										 *(_t655 - 4) = 0xa;
										E0041A273(_t655 - 0x78);
										 *(_t655 - 4) = 7;
										E0041A273(_t655 - 0xe0);
										 *(_t655 - 4) = 4;
										E0041A273(_t655 - 0xa8);
										 *(_t655 - 4) = 1;
										E0041A273(_t655 - 0xc4);
										 *(_t655 - 4) = _t533;
										L00419BF2(_t655 - 0x1c);
										 *((intOrPtr*)(_t655 - 0x54)) = 0x467fe4;
										 *(_t655 - 4) = 0x14;
										E00418E8D(_t655 - 0x54);
										 *(_t655 - 4) =  *(_t655 - 4) | 0xffffffff;
										E0041A273(_t655 - 0x4c);
										_t354 = 0xfffffcda;
										goto L64;
									} else {
										goto L40;
									}
								} else {
									goto L30;
								}
								while(1) {
									L30:
									E00418E58(_t655 - 0x54,  *((intOrPtr*)(_t655 - 0x14)), _t533); // executed
									E00418E14(_t655 - 0x54,  *(_t655 - 0x10), 0x4000);
									 *((intOrPtr*)(_t655 - 0x14)) =  *((intOrPtr*)(_t655 - 0x14)) + 0x4000;
									_t487 = WriteFile( *(_t655 - 0x7c),  *(_t655 - 0x10), 0x4000, _t655 - 0x8c, _t533); // executed
									__eflags = _t487;
									if(_t487 == 0) {
										_t488 = _t487 | 0xffffffff;
										__eflags = _t488;
									} else {
										_t488 =  *(_t655 - 0x8c);
									}
									__eflags = _t488 - 0xffffffff;
									if(_t488 == 0xffffffff) {
										break;
									}
									 *(_t655 - 0x18) =  *(_t655 - 0x18) - 0x4000;
									__eflags =  *(_t655 - 0x18) - 0x4000;
									if( *(_t655 - 0x18) >= 0x4000) {
										continue;
									}
									goto L35;
								}
								E0043AE17( *(_t655 - 0x10));
								 *((intOrPtr*)(_t655 - 0x80)) = 0x467fe4;
								 *(_t655 - 4) = 0x11;
								E00418E8D(_t655 - 0x80);
								 *(_t655 - 4) = 0xa;
								E0041A273(_t655 - 0x78);
								 *(_t655 - 4) = 7;
								E0041A273(_t655 - 0xe0);
								 *(_t655 - 4) = 4;
								E0041A273(_t655 - 0xa8);
								 *(_t655 - 4) = 1;
								E0041A273(_t655 - 0xc4);
								 *(_t655 - 4) = _t533;
								L00419BF2(_t655 - 0x1c);
								 *((intOrPtr*)(_t655 - 0x54)) = 0x467fe4;
								 *(_t655 - 4) = 0x12;
								_t652 = 0xfffffcda;
								goto L61;
							} else {
								lstrcpynW(_t655 - 0x14c, _t655 - 0x680, 5);
								_push(_t655 - 0x1ec);
								_t502 = E00418779(E004186F9(_t655 - 0xa8), __eflags);
								_push(_t533);
								_push(_t502);
								 *(_t655 - 4) = 0xb;
								 *((intOrPtr*)(_t655 - 0x10c)) = 0x467fd8;
								 *((intOrPtr*)(_t655 - 0x104)) = 0x467fd0;
								E0041A1C5(_t655 - 0x118);
								 *((intOrPtr*)(_t655 - 0x118)) = 0x467fcc;
								 *(_t655 - 4) = 0xd;
								E0041A273(_t655 - 0x1ec);
								_t506 = lstrcmpiW(_t655 - 0x14c, L"data");
								__eflags = _t506;
								if(_t506 != 0) {
									L25:
									 *(_t655 - 4) = 0xa;
									E0041A273(_t655 - 0x118);
									__eflags =  *(_t655 + 0xb) - _t533;
									if(__eflags == 0) {
										goto L28;
									}
									__eflags =  *((intOrPtr*)(_t655 + 0x18)) - _t533;
									if(__eflags != 0) {
										goto L28;
									}
									 *((intOrPtr*)(_t655 - 0x14)) =  *((intOrPtr*)(_t655 - 0x14)) +  *(_t655 - 0x18);
									goto L48;
								}
								_t510 = lstrcmpiW(_t655 - 0x680, L"data1.cab");
								__eflags = _t510;
								if(_t510 == 0) {
									goto L25;
								}
								__eflags =  *((intOrPtr*)(_t655 - 0x108)) - _t533;
								if( *((intOrPtr*)(_t655 - 0x108)) == _t533) {
									L24:
									 *(_t655 + 0xb) = 1;
									goto L25;
								}
								__imp__#7( *((intOrPtr*)(_t655 - 0x108)));
								__eflags = _t510;
								if(_t510 != 0) {
									goto L25;
								}
								goto L24;
							}
							L48:
							 *(_t655 - 4) = 7;
							E0041A273(_t655 - 0xe0);
							 *(_t655 - 4) = 4;
							E0041A273(_t655 - 0xa8);
							 *(_t655 - 4) = 1;
							E0041A273(_t655 - 0xc4);
							 *(_t655 - 0x28) =  &( *(_t655 - 0x28)->Internal);
							__eflags =  *(_t655 - 0x28) -  *(_t655 - 0x24);
						} while ( *(_t655 - 0x28) <  *(_t655 - 0x24));
						_t644 = FindClose;
						goto L50;
					}
				} else {
					 *(_t655 - 4) = 0;
					L00419BF2(_t655 - 0x1c);
					 *((intOrPtr*)(_t655 - 0x54)) = 0x467fe4;
					 *(_t655 - 4) = 2;
					_t533 = 0xfffffcdb;
					L58:
					E00418E8D(_t655 - 0x54);
					 *(_t655 - 4) =  *(_t655 - 4) | 0xffffffff;
					E0041A273(_t655 - 0x4c);
					_t354 = _t533;
					goto L64;
				}
			}

0x00417c8a
0x00417c8f
0x00417c9d
0x00417c9f
0x00417ca2
0x00417ca8
0x00417cae
0x00417cb4
0x00417cb9
0x00417cbb
0x00417cbc
0x00417cbf
0x00417cc4
0x00417ccc
0x00417cd4
0x00417cdb
0x00418692
0x0041869c
0x004186a3
0x004186a8
0x004186b4
0x004186b4
0x004186b7
0x004186bc
0x004186c5
0x004186c5
0x00417ce6
0x00417cf5
0x00417cfb
0x00417d01
0x00417d05
0x00417d2a
0x00417d30
0x00417d32
0x00417d35
0x00417d37
0x00417d37
0x00417d37
0x00417d37
0x00417d40
0x00417d45
0x00417d49
0x00417d4c
0x00417d4e
0x00417d51
0x00417d58
0x00417d5a
0x00417d61
0x00417d63
0x00417d63
0x00417d6b
0x00417d6c
0x00417d6d
0x00417d6e
0x00417d71
0x00417d79
0x00417d7d
0x00417d85
0x00417d8a
0x00417d8d
0x00417d91
0x00417d91
0x00417d9b
0x00417d9e
0x00417dac
0x00417db4
0x00417db7
0x00417dba
0x00417dbd
0x00418472
0x00418472
0x00418475
0x00418477
0x0041847a
0x00418484
0x00418486
0x00418490
0x00418492
0x00418492
0x0041849a
0x0041849b
0x0041849c
0x0041849d
0x004184a3
0x004184ab
0x004184b2
0x004184b6
0x004184bb
0x004184c1
0x004184c5
0x004184c5
0x004184cd
0x004184d2
0x004184d7
0x004184d9
0x004184db
0x004184e0
0x004184e2
0x004184e2
0x004184e2
0x004184e2
0x004184db
0x004184e6
0x004184ed
0x00000000
0x00417dc3
0x00417dcf
0x00417dd6
0x00417dd9
0x00417de9
0x00417df8
0x00417e0f
0x00417e12
0x00417e22
0x00417e31
0x00417e48
0x00417e4b
0x00417e5b
0x00417e6a
0x00417e81
0x00417e84
0x00417e91
0x00417e9f
0x00417ea5
0x00417eab
0x00417eac
0x00417eb5
0x00417ebc
0x00417ec6
0x00417ed0
0x00417ed5
0x00417edf
0x00417eef
0x00417ef0
0x00417ef5
0x00417ef6
0x00417efd
0x00417f01
0x00417f0b
0x00417f15
0x00417f1a
0x00417f2a
0x00417f2e
0x00417f3d
0x00417f4b
0x00417f51
0x00417f57
0x00417f63
0x00417f69
0x00417f6b
0x00417f7e
0x00417f8a
0x00417f8b
0x00417f92
0x00417f9c
0x00417fa6
0x00417fab
0x00417fbb
0x00417fbf
0x00417fc5
0x00417fc8
0x00417fd6
0x00417fd7
0x00417fdc
0x00417fdf
0x00417fe7
0x00417ff1
0x00417ff3
0x00417ffd
0x00418003
0x00418005
0x00418005
0x0041800d
0x0041800e
0x0041800f
0x00418010
0x00418016
0x0041801e
0x00418025
0x0041802d
0x00418032
0x00418038
0x0041803c
0x0041803c
0x00417fdf
0x00418047
0x0041804b
0x0041804b
0x00417f6b
0x0041805e
0x0041806a
0x0041806b
0x00418072
0x0041807c
0x00418086
0x0041808b
0x004180a3
0x004180b5
0x004180bd
0x004180c7
0x004180ca
0x004180cf
0x004180d2
0x004181b1
0x004181b4
0x004181b9
0x004181c1
0x004181c4
0x004181ca
0x004181d0
0x004181d8
0x004181dd
0x004181df
0x00418512
0x0041851d
0x00418523
0x00418527
0x0041852f
0x00418533
0x0041853e
0x00418542
0x0041854d
0x00418551
0x0041855c
0x00418560
0x00418568
0x0041856b
0x00418570
0x00418573
0x0041857a
0x004185f1
0x004185f4
0x004185f9
0x00418600
0x00418605
0x00000000
0x00418605
0x004181e5
0x004181ec
0x0041824c
0x0041824c
0x0041824f
0x0041829e
0x004182a1
0x004182b2
0x004182b3
0x004182c1
0x004182ca
0x004182cb
0x004182db
0x004182e1
0x004182e9
0x004182ed
0x004182f8
0x004182fc
0x00418301
0x00418304
0x00418314
0x00418322
0x00418336
0x00418342
0x00418343
0x00418344
0x0041834a
0x0041834b
0x00418350
0x00418359
0x0041835e
0x0041835f
0x00418365
0x00418366
0x0041836b
0x0041836c
0x0041836f
0x00418372
0x00418377
0x0041837a
0x0041837d
0x00418382
0x00418385
0x0041838a
0x0041838d
0x00418396
0x004183aa
0x004183aa
0x0041838d
0x004183ac
0x004183af
0x004183b7
0x004183c1
0x004183c3
0x004183cd
0x004183d3
0x004183d5
0x004183d5
0x004183dd
0x004183de
0x004183df
0x004183e0
0x004183e6
0x004183ee
0x004183f5
0x004183fd
0x00418402
0x00418408
0x0041840c
0x0041840c
0x00418411
0x0041841b
0x0041841f
0x00418427
0x0041842b
0x00000000
0x0041842b
0x00418258
0x00418266
0x0041826b
0x00418275
0x00418280
0x00418286
0x00418288
0x00418292
0x00418292
0x0041828a
0x0041828a
0x0041828a
0x00418295
0x00418298
0x0041860f
0x0041861a
0x00418620
0x00418624
0x0041862c
0x00418630
0x0041863b
0x0041863f
0x0041864a
0x0041864e
0x00418659
0x0041865d
0x00418665
0x00418668
0x0041866d
0x00418673
0x0041867a
0x0041867f
0x00418686
0x0041868b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004181ee
0x004181ee
0x004181f5
0x00418205
0x00418216
0x00418221
0x00418227
0x00418229
0x00418233
0x00418233
0x0041822b
0x0041822b
0x0041822b
0x00418236
0x00418239
0x00000000
0x00000000
0x00418244
0x00418247
0x0041824a
0x00000000
0x00000000
0x00000000
0x0041824a
0x00418584
0x0041858f
0x00418595
0x00418599
0x004185a1
0x004185a5
0x004185b0
0x004185b4
0x004185bf
0x004185c3
0x004185ce
0x004185d2
0x004185da
0x004185dd
0x004185e2
0x004185e5
0x004185ec
0x00000000
0x004180d8
0x004180e8
0x004180fa
0x00418102
0x00418107
0x00418108
0x0041810f
0x00418113
0x0041811d
0x00418127
0x0041812c
0x0041813c
0x00418140
0x00418151
0x00418157
0x00418159
0x0041818d
0x00418193
0x00418197
0x0041819c
0x0041819f
0x00000000
0x00000000
0x004181a1
0x004181a4
0x00000000
0x00000000
0x004181a9
0x00000000
0x004181a9
0x00418167
0x0041816d
0x0041816f
0x00000000
0x00000000
0x00418171
0x00418177
0x00418189
0x00418189
0x00000000
0x00418189
0x0041817f
0x00418185
0x00418187
0x00000000
0x00000000
0x00000000
0x00418187
0x00418430
0x00418436
0x0041843a
0x00418445
0x00418449
0x00418454
0x00418458
0x0041845d
0x00418463
0x00418463
0x0041846c
0x00000000
0x0041846c
0x00417d07
0x00417d0a
0x00417d0d
0x00417d12
0x00417d19
0x00417d20
0x004184f4
0x004184f7
0x004184fc
0x00418503
0x00418508
0x00000000
0x00418508

APIs

__EH_prolog.LIBCMT ref: 00417C8F

Part of subcall function 00418ED1: __EH_prolog.LIBCMT ref: 00418ED6
Part of subcall function 00418ED1: CloseHandle.KERNEL32(0043D41C,?,?,?,?), ref: 00418F39
Part of subcall function 00418ED1: CloseHandle.KERNEL32(?,?,?,?,?), ref: 00418F4A

Part of subcall function 00418C4B: __EH_prolog.LIBCMT ref: 00418C50
Part of subcall function 00418C4B: CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000008,https://,00000000,00000000,00000007,http://,00000000,?), ref: 00418CAD

Part of subcall function 00418E58: SetFilePointer.KERNELBASE(?,?,00000000,?), ref: 00418E73

FindFirstFileW.KERNELBASE(?,?,?,00000001), ref: 00417CF5
FindClose.KERNELBASE(00000000), ref: 00417D35
lstrcpyW.KERNEL32 ref: 00417DF8
lstrlenW.KERNEL32(?), ref: 00417E01
lstrcpyW.KERNEL32 ref: 00417E31
lstrlenW.KERNEL32(?), ref: 00417E3A
lstrcpyW.KERNEL32 ref: 00417E6A

Part of subcall function 00418E8D: FindCloseChangeNotification.KERNELBASE(?,?,00418C64,00000000,00000000,?,00417CD9,?,00000001), ref: 00418EA5

Part of subcall function 0041A273: GetLastError.KERNEL32(00000000,00000001,?,00000000,004187C2,00000000,FFFFFFFF,00476558,00000001,?,?,00000000), ref: 0041A28C
Part of subcall function 0041A273: SysFreeString.OLEAUT32(?), ref: 0041A29A
Part of subcall function 0041A273: SetLastError.KERNEL32(?,?,00000000,004187C2,00000000,FFFFFFFF,00476558,00000001,?,?,00000000), ref: 0041A2AD
Part of subcall function 0041A273: GetLastError.KERNEL32(?,00000000,004187C2,00000000,FFFFFFFF,00476558,00000001,?,?,00000000), ref: 0041A2C5
Part of subcall function 0041A273: SysFreeString.OLEAUT32(?), ref: 0041A2E6
Part of subcall function 0041A273: SetLastError.KERNEL32(?,?,00000000,004187C2,00000000,FFFFFFFF,00476558,00000001,?,?,00000000), ref: 0041A2FA

Strings

.cab, xrefs: 004180AF
PG, xrefs: 004183D5
tuF, xrefs: 00418486
|uF, xrefs: 00418010
|uF, xrefs: 004183E0
data1.cab, xrefs: 00418161
data, xrefs: 0041814B
PG, xrefs: 00418005
|uF, xrefs: 00417D6E
tuF, xrefs: 00417FF3
tuF, xrefs: 00417D5A
PG, xrefs: 00417D63
PG, xrefs: 00418492

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: CloseErrorLast$FileFindH_prologlstrcpy$FreeHandleStringlstrlen$ChangeCreateFirstNotificationPointer
String ID: .cab$PG$PG$PG$PG$data$data1.cab$tuF$tuF$tuF$|uF$|uF$|uF
API String ID: 3217791141-2638449905
Opcode ID: 1b2234954d0d7cc8205d0f7fdd56dbefa44969b48a84dccb0ecbefc9e95ba2e6
Instruction ID: 3a530725d389ed254fbc1789c1bf0555d55c614bc077312486283c6faa829e06
Opcode Fuzzy Hash: 1b2234954d0d7cc8205d0f7fdd56dbefa44969b48a84dccb0ecbefc9e95ba2e6
Instruction Fuzzy Hash: 70524E71C0425DEADF10DFA4CC85AEDBB74AF14308F10859EE519A3291EB785B88CF69

Uniqueness

Uniqueness Score: -1.00%

Function 00431B36 Relevance: 51.1, APIs: 5, Strings: 24, Instructions: 341
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 71%

			E00431B36() {
				void* __edi;
				void* __esi;
				char* _t104;
				char _t106;
				signed int _t111;
				signed int _t115;
				void* _t121;
				struct _CRITICAL_SECTION* _t124;
				char* _t126;
				char* _t129;
				intOrPtr* _t149;
				unsigned int _t163;
				char* _t172;
				char* _t175;
				intOrPtr _t182;
				intOrPtr* _t193;
				intOrPtr* _t204;
				intOrPtr* _t205;
				void* _t206;
				intOrPtr* _t207;
				intOrPtr* _t212;
				intOrPtr* _t217;
				intOrPtr* _t218;
				intOrPtr* _t219;
				void* _t241;
				void* _t243;
				intOrPtr* _t245;
				void* _t246;
				intOrPtr _t248;
				intOrPtr _t249;
				intOrPtr _t251;
				intOrPtr _t252;
				intOrPtr _t253;
				void* _t254;
				intOrPtr _t255;
				void* _t256;
				intOrPtr* _t257;
				intOrPtr* _t258;
				void* _t259;
				intOrPtr* _t260;
				void* _t261;
				intOrPtr* _t262;

				L0043B644(E004641A0, _t241);
				_t187 = L"ISlogit";
				_t245 = _t243 - 0xc8;
				_t104 = L"ISlogit";
				_t193 = _t245;
				 *((intOrPtr*)(_t241 - 0x18)) = _t245;
				 *_t193 = 0x46757c;
				 *((intOrPtr*)(_t193 + 0x20)) = 0x467574;
				if(_t104 == 0) {
					_t104 = 0x47e150;
				}
				_push(0);
				_push(_t241 - 0xe);
				_push(_t104);
				L0040176A(_t193);
				_push(0x80000001); // executed
				_t106 = E0042F1F4(_t193); // executed
				_t246 = _t245 + 0x2c;
				 *0x47e440 = _t106;
				if(_t106 != 0) {
					_push(0);
					_t248 = _t246 - 0x28;
					 *((intOrPtr*)(_t241 - 0x18)) = _t248;
					L00401732(_t248, L"TraceStd", _t241 - 0xe, 1);
					 *(_t241 - 4) =  *(_t241 - 4) & 0x00000000;
					_t249 = _t248 - 0x28;
					 *((intOrPtr*)(_t241 - 0x20)) = _t249;
					L00401732(_t249, _t187, _t241 - 0xf, 1);
					 *(_t241 - 4) =  *(_t241 - 4) | 0xffffffff;
					_push(0x80000001);
					_t111 = L0042F5D6();
					_push(0x20019);
					_t251 = _t249 + 0x58 - 0x28;
					 *0x47e441 = _t111 & 0xffffff00 | _t111 != 0x00000000;
					 *((intOrPtr*)(_t241 - 0x20)) = _t251;
					L00401732(_t251, 0x47e150, _t241 - 0xf, 1);
					_t115 = 1;
					_t252 = _t251 - 0x28;
					 *(_t241 - 4) = _t115;
					 *((intOrPtr*)(_t241 - 0x18)) = _t252;
					L00401732(_t252, L"FileNamePath", _t241 - 0xe, _t115);
					_t253 = _t252 - 0x28;
					 *((intOrPtr*)(_t241 - 0x14)) = _t253;
					 *(_t241 - 4) = 2;
					L00401732(_t253, _t187, _t241 - 0xd, 1);
					 *(_t241 - 4) =  *(_t241 - 4) | 0xffffffff;
					_push(0x80000001);
					_push(_t241 - 0xb4);
					_t121 = E0042F45D(0x46757c, _t111);
					_t254 = _t253 + 0x84;
					 *(_t241 - 4) = 3;
					L00401A1E(0x47e410, _t121);
					 *(_t241 - 4) =  *(_t241 - 4) | 0xffffffff;
					L0040125C(_t241 - 0xb4);
					if( *0x47e41c == 0) {
						_push(0);
						_push(_t241 - 0xb4);
						_t182 =  *((intOrPtr*)(L00431F6E() + 8));
						 *(_t241 - 4) = 4;
						 *((intOrPtr*)(_t241 - 0x18)) = 0x467570;
						if(_t182 != 0) {
							 *((intOrPtr*)(_t241 - 0x18)) = _t182;
						}
						_push(L"bin");
						_push(GetCurrentProcessId());
						_push(L"setuptrace");
						L004057E0(0x47e410, L"%s%s%d.%s",  *((intOrPtr*)(_t241 - 0x18)));
						 *(_t241 - 4) =  *(_t241 - 4) | 0xffffffff;
						_t254 = _t254 + 0x18;
						L0040125C(_t241 - 0xb4);
					}
					_t124 = L0043BC14(0x18);
					 *0x47e43c = _t124;
					InitializeCriticalSection(_t124);
					_push(0xc);
					_t255 = _t254 - 0x28;
					 *((intOrPtr*)(_t241 - 0x14)) = _t255;
					L00401708(_t255, "|uF", 1);
					_t106 = E0042CFBE();
					_t256 = _t255 + 0x2c;
					if(_t106 == 0) {
						_t257 = _t256 - 0x28;
						_t126 = L"FormatVersion=00000112\r\n\r\n";
						_t204 = _t257;
						 *((intOrPtr*)(_t241 - 0x14)) = _t257;
						 *_t204 = 0x46757c;
						 *((intOrPtr*)(_t204 + 0x20)) = 0x467574;
						if(_t126 == 0) {
							_t126 = 0x47e150;
						}
						_push(0);
						_push(_t241 - 0xd);
						_push(_t126);
						L0040176A(_t204);
						L0043302C();
						_t129 = L"(c) Copyright 2004 InstallShield Software Corporation (All Rights Reserved)\r\n\r\n";
						_t205 = _t257;
						 *((intOrPtr*)(_t241 - 0x14)) = _t257;
						 *_t205 = 0x46757c;
						 *((intOrPtr*)(_t205 + 0x20)) = 0x467574;
						if(_t129 == 0) {
							_t129 = 0x47e150;
						}
						_push(0);
						_push(_t241 - 0xd);
						_push(_t129);
						L0040176A(_t205);
						L0043302C();
						_t258 = _t257 + 0x28;
						GetLocalTime(_t241 - 0x30);
						_push(0);
						_push(_t241 - 0xd);
						_t206 = _t241 - 0x58;
						 *((intOrPtr*)(_t241 - 0x58)) = 0x46757c;
						 *((intOrPtr*)(_t241 - 0x38)) = 0x467574;
						L00401C68(_t206);
						_push( *(_t241 - 0x24) & 0x0000ffff);
						 *(_t241 - 4) = 5;
						_push( *(_t241 - 0x26) & 0x0000ffff);
						_push( *(_t241 - 0x28) & 0x0000ffff);
						_push( *(_t241 - 0x30) & 0x0000ffff);
						_push( *(_t241 - 0x2a) & 0x0000ffff);
						L004057E0(_t241 - 0x58, L"TraceStarted: %.2ld/%.2ld/%.2ld %.2ld:%.2ld:%.2ld\r\n",  *(_t241 - 0x2e) & 0x0000ffff);
						_push(_t206);
						_push(_t206);
						 *((intOrPtr*)(_t241 - 0x14)) = _t258;
						_t207 = _t258;
						_push(0);
						_push(_t241 - 0x58);
						 *_t207 = 0x46757c;
						 *((intOrPtr*)(_t207 + 0x20)) = 0x467574;
						L00401CDD(_t207);
						L0043302C();
						_t259 = _t258 + 0x28;
						 *((intOrPtr*)(_t241 - 0x80)) = 0x46757c;
						_push(0);
						_push(_t241 - 0xf);
						 *((intOrPtr*)(_t241 - 0x60)) = 0x467574;
						L00401C68(_t241 - 0x80);
						 *(_t241 - 4) = 6;
						_t149 = L00401813(_t241 - 0x80, _t241 - 0x8c, 0x104);
						 *(_t241 - 4) = 7;
						 *((char*)(_t149 + 4)) = 1;
						GetModuleFileNameW(0,  *(L00401E6C(_t149,  *_t149)), 0x104);
						 *(_t241 - 4) = 6;
						L00401A9C(_t241 - 0x8c);
						_t154 =  *((intOrPtr*)(_t241 - 0x78));
						if( *((intOrPtr*)(_t241 - 0x78)) == 0) {
							_t154 = 0x467570;
						}
						L004057E0(_t241 - 0x58, L"SetupExe: %ls\r\n", _t154);
						_t260 = _t259 - 0x1c;
						 *((intOrPtr*)(_t241 - 0x14)) = _t260;
						_t212 = _t260;
						_push(0);
						_push(_t241 - 0x58);
						 *_t212 = 0x46757c;
						 *((intOrPtr*)(_t212 + 0x20)) = 0x467574;
						L00401CDD(_t212);
						L0043302C();
						_t261 = _t260 + 0x28;
						L0042DF6C(_t241 - 0xfc);
						_t161 =  *((intOrPtr*)(_t241 - 0x78));
						 *(_t241 - 4) = 8;
						if( *((intOrPtr*)(_t241 - 0x78)) == 0) {
							_t161 = 0x467570;
						}
						L00439BD1(_t241 - 0xfc, 0x46757c, 0x467574, _t161);
						_t163 =  *(_t241 - 0xec);
						_push(_t163 & 0x0000ffff);
						_push(_t163 >> 0x10);
						_push( *(_t241 - 0xf0) & 0x0000ffff);
						L004057E0(_t241 - 0x58, L"SetupExeVersion: %ld.%ld.%ld.%ld\r\n",  *(_t241 - 0xf0) >> 0x10);
						_t262 = _t261 - 0x10;
						 *((intOrPtr*)(_t241 - 0x14)) = _t262;
						_t217 = _t262;
						_push(0);
						_push(_t241 - 0x58);
						 *_t217 = 0x46757c;
						 *((intOrPtr*)(_t217 + 0x20)) = 0x467574;
						L00401CDD(_t217);
						L0043302C();
						_t172 = L"\r\nTraceData:\r\n";
						_t218 = _t262;
						 *((intOrPtr*)(_t241 - 0x14)) = _t262;
						 *_t218 = 0x46757c;
						 *((intOrPtr*)(_t218 + 0x20)) = 0x467574;
						if(_t172 == 0) {
							_t172 = 0x47e150;
						}
						_push(0);
						_push(_t241 - 0xe);
						_push(_t172);
						L0040176A(_t218);
						L0043302C();
						_t175 = L"Category|SubCategory|Details\r\n";
						_t219 = _t262;
						 *((intOrPtr*)(_t241 - 0x14)) = _t262;
						 *_t219 = 0x46757c;
						 *((intOrPtr*)(_t219 + 0x20)) = 0x467574;
						if(_t175 == 0) {
							_t175 = 0x47e150;
						}
						_push(0);
						_push(_t241 - 0x19);
						_push(_t175);
						L0040176A(_t219);
						L0043302C();
						 *(_t241 - 4) = 6;
						 *((intOrPtr*)(_t241 - 0xfc)) = 0x46825c;
						L0042DFD4(_t241 - 0xfc);
						 *(_t241 - 4) = 5;
						L0040125C(_t241 - 0x80);
						 *(_t241 - 4) =  *(_t241 - 4) | 0xffffffff;
						_t106 = L0040125C(_t241 - 0x58);
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t241 - 0xc));
				return _t106;
			}

0x00431b3b
0x00431b49
0x00431b4e
0x00431b51
0x00431b53
0x00431b5f
0x00431b64
0x00431b66
0x00431b69
0x00431b6b
0x00431b6b
0x00431b73
0x00431b75
0x00431b76
0x00431b77
0x00431b7c
0x00431b81
0x00431b86
0x00431b89
0x00431b90
0x00431b96
0x00431b9b
0x00431ba0
0x00431bab
0x00431bb0
0x00431bb4
0x00431bb9
0x00431bc3
0x00431bc8
0x00431bcc
0x00431bd1
0x00431bdb
0x00431be3
0x00431be6
0x00431bed
0x00431bfb
0x00431c02
0x00431c03
0x00431c06
0x00431c0b
0x00431c18
0x00431c1d
0x00431c25
0x00431c2c
0x00431c30
0x00431c35
0x00431c3f
0x00431c44
0x00431c45
0x00431c4a
0x00431c58
0x00431c5f
0x00431c64
0x00431c6e
0x00431c7a
0x00431c82
0x00431c84
0x00431c8c
0x00431c8f
0x00431c98
0x00431c9f
0x00431ca1
0x00431ca1
0x00431ca4
0x00431caf
0x00431cb0
0x00431cbe
0x00431cc3
0x00431cc7
0x00431cd0
0x00431cd0
0x00431cd7
0x00431cdd
0x00431ce3
0x00431ce9
0x00431ceb
0x00431cf0
0x00431cfa
0x00431cff
0x00431d04
0x00431d09
0x00431d0f
0x00431d12
0x00431d17
0x00431d1d
0x00431d20
0x00431d22
0x00431d25
0x00431d27
0x00431d27
0x00431d31
0x00431d32
0x00431d33
0x00431d34
0x00431d39
0x00431d3e
0x00431d43
0x00431d47
0x00431d4c
0x00431d4e
0x00431d51
0x00431d53
0x00431d53
0x00431d5b
0x00431d5c
0x00431d5d
0x00431d5e
0x00431d63
0x00431d68
0x00431d6f
0x00431d78
0x00431d79
0x00431d7a
0x00431d7d
0x00431d80
0x00431d83
0x00431d8c
0x00431d8d
0x00431d98
0x00431d9d
0x00431da2
0x00431da7
0x00431db6
0x00431dbb
0x00431dbc
0x00431dbd
0x00431dc0
0x00431dc5
0x00431dc6
0x00431dc7
0x00431dc9
0x00431dcc
0x00431dd1
0x00431dd6
0x00431ddf
0x00431de2
0x00431de3
0x00431de4
0x00431de7
0x00431dfc
0x00431e00
0x00431e07
0x00431e0b
0x00431e1b
0x00431e27
0x00431e2b
0x00431e30
0x00431e35
0x00431e37
0x00431e37
0x00431e46
0x00431e4b
0x00431e51
0x00431e54
0x00431e56
0x00431e57
0x00431e58
0x00431e5a
0x00431e5d
0x00431e62
0x00431e67
0x00431e70
0x00431e75
0x00431e78
0x00431e7e
0x00431e80
0x00431e80
0x00431e8c
0x00431e91
0x00431e9d
0x00431e9e
0x00431eab
0x00431eb6
0x00431ebb
0x00431ec1
0x00431ec4
0x00431ec6
0x00431ec7
0x00431ec8
0x00431eca
0x00431ecd
0x00431ed2
0x00431ed7
0x00431edc
0x00431ee0
0x00431ee5
0x00431ee7
0x00431eea
0x00431eec
0x00431eec
0x00431ef4
0x00431ef5
0x00431ef6
0x00431ef7
0x00431efc
0x00431f01
0x00431f06
0x00431f0a
0x00431f0f
0x00431f11
0x00431f14
0x00431f16
0x00431f16
0x00431f1e
0x00431f1f
0x00431f20
0x00431f21
0x00431f26
0x00431f34
0x00431f38
0x00431f42
0x00431f4a
0x00431f4e
0x00431f53
0x00431f5a
0x00431f5a
0x00431d09
0x00431f64
0x00431f6d

APIs

__EH_prolog.LIBCMT ref: 00431B3B
GetCurrentProcessId.KERNEL32(bin,00000000), ref: 00431CA9

Part of subcall function 0040125C: __EH_prolog.LIBCMT ref: 00401261
Part of subcall function 0040125C: GetLastError.KERNEL32(000004B1,00000000,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 00401284
Part of subcall function 0040125C: SysFreeString.OLEAUT32(?), ref: 004012A2
Part of subcall function 0040125C: SetLastError.KERNEL32(?,00000001,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 004012C2

InitializeCriticalSection.KERNEL32(00000000,00000000), ref: 00431CE3

Part of subcall function 0042CFBE: __EH_prolog.LIBCMT ref: 0042CFC3

GetLocalTime.KERNEL32(?), ref: 00431D6F
GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,00000104,?,00000000,?,?,?,?,?,?,?,?,?), ref: 00431E1B

Part of subcall function 00401CDD: __EH_prolog.LIBCMT ref: 00401CE2
Part of subcall function 00401CDD: GetLastError.KERNEL32(00467574,00000000,0046757C,?,004021DC,?,00000000,00000000,00000000,?,00000000), ref: 00401D0A
Part of subcall function 00401CDD: SetLastError.KERNEL32(?,00000000,00000000,00000000,?,004021DC,?,00000000,00000000,00000000,?,00000000), ref: 00401D57

Part of subcall function 0043302C: __EH_prolog.LIBCMT ref: 00433031
Part of subcall function 0043302C: EnterCriticalSection.KERNEL32(0046757C,00467574,00000000), ref: 0043304D
Part of subcall function 0043302C: lstrlenA.KERNEL32(00000000,?,?,?), ref: 00433086
Part of subcall function 0043302C: LeaveCriticalSection.KERNEL32(?,004675A0,40000000,00000001,00000080,00000004,00000000,00000000,|uF,00000000,00000000,00000000,00000021,?,?,?), ref: 00433172

Strings

(c) Copyright 2004 InstallShield Software Corporation (All Rights Reserved), xrefs: 00431D3E, 00431D5D
FormatVersion=00000112, xrefs: 00431D12, 00431D33
|uF, xrefs: 00431B55
setuptrace, xrefs: 00431CB0
ISlogit, xrefs: 00431B49, 00431B76, 00431BC2, 00431C2B
FileNamePath, xrefs: 00431C13
puF, xrefs: 00431E37
puF, xrefs: 00431C98
TraceStd, xrefs: 00431BA6
PG, xrefs: 00431B6B
puF, xrefs: 00431E80
Category|SubCategory|Details, xrefs: 00431F01, 00431F20
bin, xrefs: 00431CA4
%s%s%d.%s, xrefs: 00431CB8
PG, xrefs: 00431F16
SetupExe: %ls, xrefs: 00431E40
|uF, xrefs: 00431C50, 00431CBD, 00431CF5
SetupExeVersion: %ld.%ld.%ld.%ld, xrefs: 00431EB0
tuF, xrefs: 00431B5A
TraceData:, xrefs: 00431ED7, 00431EF6
PG, xrefs: 00431D53
PG, xrefs: 00431D27
TraceStarted: %.2ld/%.2ld/%.2ld %.2ld:%.2ld:%.2ld, xrefs: 00431DB0
PG, xrefs: 00431EEC

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: H_prolog$ErrorLast$CriticalSection$CurrentEnterFileFreeInitializeLeaveLocalModuleNameProcessStringTimelstrlen
String ID: TraceData:$%s%s%d.%s$(c) Copyright 2004 InstallShield Software Corporation (All Rights Reserved)$Category|SubCategory|Details$FileNamePath$FormatVersion=00000112$ISlogit$PG$PG$PG$PG$PG$SetupExe: %ls$SetupExeVersion: %ld.%ld.%ld.%ld$TraceStarted: %.2ld/%.2ld/%.2ld %.2ld:%.2ld:%.2ld$TraceStd$bin$puF$puF$puF$setuptrace$tuF$|uF$|uF
API String ID: 2518905246-3148618701
Opcode ID: 8dca59a37b2f7bbfee6b8d5547a136b585d01eadd0978c92e707d995a7c74579
Instruction ID: 9b3289c17acbbd65b6650bc256141ab94deb060abb7356dfaa3141cc0698eaac
Opcode Fuzzy Hash: 8dca59a37b2f7bbfee6b8d5547a136b585d01eadd0978c92e707d995a7c74579
Instruction Fuzzy Hash: C0C1A970D00208ABDB10EFE5C942BEEBBB8EF48308F50416FF505B7291D7795A44876A

Uniqueness

Uniqueness Score: -1.00%

Function 004386C5 Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 126
filestringCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E004386C5(void* __ecx) {
				signed char _t59;
				WCHAR* _t60;
				int _t61;
				void* _t62;
				void* _t70;
				void* _t75;
				WCHAR* _t76;
				WCHAR* _t79;
				void* _t119;
				intOrPtr* _t122;
				void* _t124;
				void* _t125;
				void* _t128;
				void* _t129;
				void* _t133;
				signed int _t134;

				L0043B644(E00464BD4, _t125);
				_t129 = _t128 - 0x2c8;
				 *(_t125 - 0x10) =  *(_t125 - 0x10) & 0x00000000;
				 *(_t125 - 4) =  *(_t125 - 4) & 0x00000000;
				_t59 = E004388C5(_t125 + 8); // executed
				if((_t59 & 0x00000010) == 0) {
					_t60 =  *(_t125 + 0x10);
					if(_t60 == 0) {
						_t60 = 0x467570;
					}
					_t61 = DeleteFileW(_t60); // executed
					if(_t61 != 0) {
						goto L19;
					} else {
						_push(1);
						_push(_t125 + 8);
						L00413593(_t125 - 0x5c);
						L0043BD6A(_t125 - 0x5c, 0x46c528);
						L0043B644(0x464bff, _t125);
						 *(_t125 - 0x10) =  *(_t125 - 0x10) & 0x00000000;
						_push(_t95);
						_push(_t120);
						_push(_t115);
						_push(0);
						_push( *((intOrPtr*)(_t125 + 0xc)));
						 *((intOrPtr*)(_t125 - 0x38)) = 0x4675a0;
						 *((intOrPtr*)(_t125 - 0x18)) = 0x467598;
						L00401CDD(_t125 - 0x38);
						 *(_t125 - 4) = 1;
						_t70 = L00404D3C(_t125 - 0x38, _t125,  *(_t125 + 0x10));
						_t122 =  *((intOrPtr*)(_t125 + 8));
						_push(0);
						_push(_t70);
						 *_t122 = 0x4675a0;
						 *((intOrPtr*)(_t122 + 0x20)) = 0x467598;
						L00401CDD(_t122);
						 *(_t125 - 0x10) = 1;
						 *(_t125 - 4) =  *(_t125 - 4) & 0x00000000;
						L0040125C(_t125 - 0x38);
						 *[fs:0x0] =  *((intOrPtr*)(_t125 - 0xc));
						return _t122;
					}
				} else {
					_push(L"*.*");
					_push(_t125 + 8);
					_t75 = _t125 - 0x84;
					_push(_t75);
					 *(_t125 - 0x10) = 1;
					L24();
					_t76 =  *(_t75 + 8);
					_t133 = _t129 + 0xc;
					if(_t76 == 0) {
						_t76 = 0x467570;
					}
					_t119 = FindFirstFileW(_t76, _t125 - 0x2d4);
					 *(_t125 - 0x14) = _t119;
					 *(_t125 - 4) = 1;
					L0040125C(_t125 - 0x84);
					_t124 = FindClose;
					if(_t119 != 0xffffffff) {
						while( *(_t125 - 0x10) != 0) {
							if(lstrcmpW(_t125 - 0x2a8, ".") != 0 && lstrcmpW(_t125 - 0x2a8, L"..") != 0) {
								_t134 = _t133 - 0x28;
								 *(_t125 - 0x10) = _t134;
								_push(_t125 - 0x2a8);
								_push(_t125 + 8);
								_push(_t134);
								L24();
								E004386C5(_t125 + 8);
								_t133 = _t134 + 0x34;
							}
							 *(_t125 - 0x10) = FindNextFileW(_t119, _t125 - 0x2d4);
						}
						if(_t124 != 0) {
							FindClose(_t119);
							 *(_t125 - 0x14) =  *(_t125 - 0x14) | 0xffffffff;
						}
					}
					_t79 =  *(_t125 + 0x10);
					if(_t79 == 0) {
						_t79 = 0x467570;
					}
					if(RemoveDirectoryW(_t79) == 0) {
						_push(1);
						_push(_t125 + 8);
						L00413593(_t125 - 0x5c);
						L0043BD6A(_t125 - 0x5c, 0x46c528);
					}
					if( *(_t125 - 0x14) != 0xffffffff && _t124 != 0) {
						FindClose( *(_t125 - 0x14));
					}
					L19:
					 *(_t125 - 4) =  *(_t125 - 4) | 0xffffffff;
					_t62 = L0040125C(_t125 + 8);
					 *[fs:0x0] =  *((intOrPtr*)(_t125 - 0xc));
					return _t62;
				}
			}

0x004386ca
0x004386cf
0x004386d5
0x004386dc
0x004386e4
0x004386ec
0x00438819
0x0043881e
0x00438820
0x00438820
0x00438826
0x0043882e
0x00000000
0x00438830
0x00438833
0x00438835
0x00438839
0x00438847
0x00438851
0x00438859
0x0043885d
0x0043885e
0x0043885f
0x00438860
0x00438867
0x00438872
0x00438875
0x00438878
0x00438883
0x0043888a
0x0043888f
0x00438892
0x00438894
0x00438897
0x00438899
0x0043889c
0x004388a1
0x004388a8
0x004388af
0x004388bc
0x004388c4
0x004388c4
0x004386f2
0x004386f5
0x004386fa
0x004386fb
0x00438701
0x00438702
0x00438709
0x0043870e
0x00438711
0x00438716
0x00438718
0x00438718
0x0043872b
0x0043872d
0x00438736
0x0043873a
0x0043873f
0x00438748
0x00438750
0x00438766
0x0043877a
0x00438785
0x00438788
0x0043878c
0x0043878d
0x0043878e
0x00438796
0x0043879b
0x0043879b
0x004387ac
0x004387ac
0x004387b3
0x004387b6
0x004387b8
0x004387b8
0x004387b3
0x004387bc
0x004387c1
0x004387c3
0x004387c3
0x004387d1
0x004387d6
0x004387d8
0x004387dc
0x004387ea
0x004387ea
0x004387f3
0x004387fc
0x004387fc
0x004387fe
0x004387fe
0x00438805
0x0043880f
0x00438818
0x00438818

APIs

__EH_prolog.LIBCMT ref: 004386CA

Part of subcall function 004388C5: GetFileAttributesW.KERNELBASE(?,00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,004386E9), ref: 004388DC

DeleteFileW.KERNELBASE(00000000,?,00000001,00000000), ref: 00438826

Part of subcall function 0043884C: __EH_prolog.LIBCMT ref: 00438851

FindFirstFileW.KERNEL32(?,?,?,00000001,00000000), ref: 00438725
lstrcmpW.KERNEL32(?,00476DBC), ref: 00438762
lstrcmpW.KERNEL32(?,00479C34), ref: 00438774
FindNextFileW.KERNEL32(00000000,?), ref: 004387A6
FindClose.KERNEL32(00000000), ref: 004387B6
RemoveDirectoryW.KERNEL32(00000001), ref: 004387C9
FindClose.KERNEL32(000000FF), ref: 004387FC

Strings

puF, xrefs: 00438718
*.*, xrefs: 004386F5
puF, xrefs: 004387C3
puF, xrefs: 00438820

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: FileFind$CloseH_prologlstrcmp$AttributesDeleteDirectoryFirstNextRemove
String ID: *.*$puF$puF$puF
API String ID: 2533277616-1147433714
Opcode ID: f7c7e6987b862e3dee21dcf882a9dab091bbd8b8012d37e7a090cccbe7152263
Instruction ID: cf59c9ac0d68dfa3fbfb4a8693beaf12eabb0d65e9eba2020d8323a518b67387
Opcode Fuzzy Hash: f7c7e6987b862e3dee21dcf882a9dab091bbd8b8012d37e7a090cccbe7152263
Instruction Fuzzy Hash: 7F417231900309ABCF10EBA5CC45BEEB7B9AB08318F50416BF415A6291FF789A448B59

Uniqueness

Uniqueness Score: -1.00%

Function 00437600 Relevance: 18.2, APIs: 12, Instructions: 162
threadmemoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00437600(void** _a4, char _a7, intOrPtr _a8) {
				void* _v8;
				long _v12;
				char _v16;
				void* _v20;
				char _v23;
				char _v24;
				char _v25;
				char _v26;
				char _v27;
				struct _SID_IDENTIFIER_AUTHORITY _v28;
				char _v36;
				int _t53;
				int _t58;
				long _t79;
				signed int _t97;
				void* _t99;

				_v28.Value = 0;
				_v27 = 0;
				_v26 = 0;
				_v25 = 0;
				_v24 = 0;
				_v23 = 5;
				if(OpenThreadToken(GetCurrentThread(), 8, 0,  &_v8) != 0) {
					L6:
					_t53 = GetTokenInformation(_v8, 2, 0, 0,  &_v12); // executed
					if(_t53 != 0 || GetLastError() != 0x7a) {
						L8:
						_push(0);
						L9:
						_push(_v8);
						return E004375F1();
					} else {
						_t99 = L0043BC14(_v12);
						_v36 = _t99 != 0;
						_t58 = GetTokenInformation(_v8, 2, _t99, _v12,  &_v12); // executed
						if(_t58 != 0) {
							asm("sbb eax, eax");
							if(AllocateAndInitializeSid( &_v28, 2, 0x20, ( ~_a4 & 0x000000fd) + 0x223, 0, 0, 0, 0, 0, 0,  &_v20) != 0) {
								_t97 = 0;
								_v16 = 0;
								if( *_t99 <= 0) {
									L26:
									FreeSid(_v20);
									_a7 = E004375F1(_v8, _v16);
									if(_v36 != 0) {
										E0043AE17(_t99);
									}
									return _a7;
								}
								_t29 = _t99 + 4; // 0x4
								_a4 = _t29;
								while(EqualSid( *_a4, _v20) == 0) {
									_a4 =  &(_a4[2]);
									_t97 = _t97 + 1;
									if(_t97 <  *_t99) {
										continue;
									}
									goto L26;
								}
								if(_a8 == 0) {
									L25:
									_v16 = 1;
									goto L26;
								}
								_v16 = 0;
								if(( *(_t99 + 8 + _t97 * 8) & 0x00000010) != 0) {
									goto L26;
								}
								goto L25;
							}
							_a7 = E004375F1(_v8, 0);
							if(_v36 != 0) {
								E0043AE17(_t99);
							}
							return _a7;
						}
						_a7 = E004375F1(_v8, 0);
						if(_v36 != 0) {
							E0043AE17(_t99);
						}
						return _a7;
					}
				}
				_t79 = GetLastError();
				if(_t79 == 0x3f0) {
					OpenProcessToken(GetCurrentProcess(), 8,  &_v8);
					_t79 = GetLastError();
				}
				if(_t79 != 0x78) {
					if(_t79 == 0) {
						goto L8;
					}
					goto L6;
				} else {
					_push(1);
					goto L9;
				}
			}

0x00437612
0x00437615
0x00437618
0x0043761b
0x0043761e
0x00437621
0x0043763a
0x00437667
0x00437678
0x0043767c
0x00437685
0x00437685
0x00437686
0x00437686
0x00000000
0x00437695
0x0043769d
0x004376a9
0x004376b3
0x004376b7
0x004376e6
0x00437704
0x00437725
0x00437729
0x0043772c
0x00437764
0x00437767
0x0043777d
0x00437780
0x00437783
0x00437788
0x00000000
0x00437789
0x0043772e
0x00437731
0x00437734
0x00437746
0x0043774a
0x0043774d
0x00000000
0x00000000
0x00000000
0x0043774f
0x00437754
0x00437760
0x00437760
0x00000000
0x00437760
0x0043775b
0x0043775e
0x00000000
0x00000000
0x00000000
0x0043775e
0x00437714
0x00437717
0x0043771a
0x0043771f
0x00000000
0x00437720
0x004376c7
0x004376ca
0x004376cd
0x004376d2
0x00000000
0x004376d3
0x0043767c
0x0043763c
0x00437643
0x00437652
0x00437658
0x00437658
0x0043765d
0x00437665
0x00000000
0x00000000
0x00000000
0x0043765f
0x0043765f
0x00000000
0x0043765f

APIs

GetCurrentThread.KERNEL32 ref: 00437625
OpenThreadToken.ADVAPI32(00000000,?,?,?,?,?,004377AA,00000001,00000001,?,?,C:\CodeBases\isdev\src\Runtime\InstallScript\SetupNew\setup.cpp,?,00000001,00467574,00000000), ref: 0043762C
GetLastError.KERNEL32(?,?,?,?,?,004377AA,00000001,00000001,?,?,C:\CodeBases\isdev\src\Runtime\InstallScript\SetupNew\setup.cpp,?,00000001,00467574,00000000,0046757C), ref: 0043763C
GetCurrentProcess.KERNEL32(00000008,00000001,?,?,?,?,?,004377AA,00000001,00000001,?,?,C:\CodeBases\isdev\src\Runtime\InstallScript\SetupNew\setup.cpp,?,00000001,00467574), ref: 0043764B
OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,004377AA,00000001,00000001,?,?,C:\CodeBases\isdev\src\Runtime\InstallScript\SetupNew\setup.cpp,?,00000001,00467574,00000000), ref: 00437652
GetLastError.KERNEL32(?,?,?,?,?,004377AA,00000001,00000001,?,?,C:\CodeBases\isdev\src\Runtime\InstallScript\SetupNew\setup.cpp,?,00000001,00467574,00000000,0046757C), ref: 00437658
GetTokenInformation.KERNELBASE(00000001,00000002,00000000,00000000,00000001,?,?,?,?,?,004377AA,00000001,00000001,?,?,C:\CodeBases\isdev\src\Runtime\InstallScript\SetupNew\setup.cpp), ref: 00437678
GetLastError.KERNEL32(?,?,?,?,?,004377AA,00000001,00000001,?,?,C:\CodeBases\isdev\src\Runtime\InstallScript\SetupNew\setup.cpp,?,00000001,00467574,00000000,0046757C), ref: 0043767E
GetTokenInformation.KERNELBASE(00000001,00000002,00000000,?,00000001,00000001,?,?,?,?,?,004377AA,00000001,00000001,?,?), ref: 004376B3
AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,-00000222,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 004376FC
EqualSid.ADVAPI32(00000001,?,?,?,?,?,?,004377AA,00000001,00000001,?,?,C:\CodeBases\isdev\src\Runtime\InstallScript\SetupNew\setup.cpp,?,00000001,00467574), ref: 0043773C
FreeSid.ADVAPI32(?,?,?,?,?,?,004377AA,00000001,00000001,?,?,C:\CodeBases\isdev\src\Runtime\InstallScript\SetupNew\setup.cpp,?,00000001,00467574,00000000), ref: 00437767

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: Token$ErrorLast$CurrentInformationOpenProcessThread$AllocateEqualFreeInitialize
String ID:
API String ID: 884311744-0
Opcode ID: c167247ae474566043ace3f5572536ebaa0c7269e4a4c26fa53c2f64d5c6c104
Instruction ID: 3aee4083740cdc45139debb95efd21e041ff4e4bcf2425fbde957e18f840f1b7
Opcode Fuzzy Hash: c167247ae474566043ace3f5572536ebaa0c7269e4a4c26fa53c2f64d5c6c104
Instruction Fuzzy Hash: B551C7B180C248BEEF219BA4DC82DEF7F689F09354F1450ABF590A2241D7395E44DB79

Uniqueness

Uniqueness Score: -1.00%

Function 0040E45D Relevance: 16.7, APIs: 11, Instructions: 230
COMMON

Download Yara Rule

C-Code - Quality: 28%

			E0040E45D() {
				int _v8;
				char _v12;
				void* _v31;
				struct _SECURITY_DESCRIPTOR _v32;
				char* _v36;
				intOrPtr _v40;
				int _v44;
				int _v48;
				int _v52;
				int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				char* _v68;
				intOrPtr _v72;
				int _v76;
				int _v80;
				int _v84;
				int _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				char* _v100;
				intOrPtr _v104;
				int _v108;
				int _v112;
				int _v116;
				int _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				char* _v132;
				intOrPtr _v136;
				int _v140;
				int _v144;
				int _v148;
				int _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				void* _v164;
				intOrPtr _v168;
				int _v172;
				int _v176;
				int _v180;
				int _v184;
				void _v188;
				char _v192;
				void _v256;
				int _v260;
				void _v264;
				void _v328;
				int _v332;
				char _v336;
				void _v400;
				int _v404;
				char _v408;
				void _v472;
				int _v476;
				char _v480;
				void _v544;
				int _v548;
				char _v552;
				int _t106;
				int _t107;
				int _t108;
				int _t109;
				int _t110;
				char _t130;
				char* _t133;
				struct _SECURITY_DESCRIPTOR* _t144;
				signed int _t149;
				signed int _t167;
				intOrPtr* _t181;
				char _t182;
				intOrPtr _t183;
				signed int _t184;

				_v32.Revision = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				asm("stosb");
				_t149 = 0x27;
				_v192 = 0;
				_t167 = 0x10;
				_t106 = memset( &_v188, 0, _t149 << 2);
				_v264 = 0;
				_v260 = 0;
				_t107 = memset( &_v256, _t106, _t167 << 2);
				_v336 = 0;
				_v332 = 0;
				_t108 = memset( &_v328, _t107, _t167 << 2);
				_v552 = 0;
				_v548 = 0;
				_t109 = memset( &_v544, _t108, _t167 << 2);
				_v480 = 0;
				_v476 = 0;
				_t110 = memset( &_v472, _t109, _t167 << 2);
				_v408 = 0;
				_v404 = 0;
				memset( &_v400, _t110, _t167 << 2);
				if(InitializeSecurityDescriptor( &_v32, 1) == 0) {
					L18:
					return 0;
				}
				_t181 = __imp__CreateWellKnownSid;
				_t182 = 0x48;
				_push( &_v12);
				_push( &_v264);
				_push(0);
				_push(0x1a);
				_v12 = _t182;
				if( *_t181() == 0) {
					goto L18;
				}
				_v12 = _t182;
				_push( &_v12);
				_push( &_v336);
				_push(0);
				_push(0x17);
				if( *_t181() == 0) {
					goto L18;
				}
				_v12 = _t182;
				_push( &_v12);
				_push( &_v552);
				_push(0);
				_push(0x18);
				if( *_t181() == 0) {
					goto L18;
				}
				_v12 = _t182;
				_push( &_v12);
				_push( &_v480);
				_push(0);
				_push(0x10);
				if( *_t181() == 0) {
					goto L18;
				}
				_v12 = _t182;
				_push( &_v12);
				_push( &_v408);
				_push(0);
				_push(0x16);
				if( *_t181() == 0) {
					goto L18;
				}
				_t130 = 3;
				_v164 =  &_v264;
				_v192 = _t130;
				_v160 = _t130;
				_v128 = _t130;
				_v96 = _t130;
				_v64 = _t130;
				_v36 =  &_v408;
				_t183 = 2;
				_v132 =  &_v336;
				_t133 =  &_v192;
				_v100 =  &_v552;
				_v188 = _t183;
				_v184 = 0;
				_v180 = 0;
				_v176 = 0;
				_v172 = 0;
				_v168 = _t183;
				_v156 = _t183;
				_v152 = 0;
				_v148 = 0;
				_v144 = 0;
				_v140 = 0;
				_v136 = _t183;
				_v124 = _t183;
				_v120 = 0;
				_v116 = 0;
				_v112 = 0;
				_v108 = 0;
				_v104 = _t183;
				_v92 = _t183;
				_v88 = 0;
				_v84 = 0;
				_v80 = 0;
				_v76 = 0;
				_v72 = _t183;
				_v68 =  &_v480;
				_v60 = _t183;
				_v56 = 0;
				_v52 = 0;
				_v48 = 0;
				_v44 = 0;
				_v40 = _t183;
				_v8 = 0;
				__imp__SetEntriesInAclW(5, _t133, 0,  &_v8);
				if(_t133 != 0) {
					L15:
					if(_v8 != 0 && LocalFree != 0) {
						LocalFree(_v8);
					}
					goto L18;
				}
				if(_v8 == 0) {
					goto L18;
				}
				if(SetSecurityDescriptorOwner( &_v32,  &_v264, 0) == 0 || SetSecurityDescriptorGroup( &_v32,  &_v264, 0) == 0 || SetSecurityDescriptorDacl( &_v32, 1, _v8, 0) == 0) {
					goto L15;
				} else {
					_t144 =  &_v32;
					__imp__CoInitializeSecurity(_t144, 0xffffffff, 0, 0, 6, _t183, 0, 0x2000, 0); // executed
					_t184 = 0 | _t144 >= 0x00000000;
					if(_v8 != 0 && LocalFree != 0) {
						LocalFree(_v8);
					}
					return _t184;
				}
			}

0x0040e470
0x0040e475
0x0040e476
0x0040e477
0x0040e478
0x0040e479
0x0040e47b
0x0040e47c
0x0040e487
0x0040e48d
0x0040e48e
0x0040e498
0x0040e49e
0x0040e4a4
0x0040e4ae
0x0040e4b4
0x0040e4ba
0x0040e4c4
0x0040e4ca
0x0040e4d0
0x0040e4da
0x0040e4e0
0x0040e4e6
0x0040e4f0
0x0040e4f6
0x0040e4fc
0x0040e50c
0x0040e71e
0x00000000
0x0040e71e
0x0040e514
0x0040e51a
0x0040e51e
0x0040e525
0x0040e526
0x0040e527
0x0040e529
0x0040e530
0x00000000
0x00000000
0x0040e539
0x0040e53c
0x0040e543
0x0040e544
0x0040e545
0x0040e54b
0x00000000
0x00000000
0x0040e554
0x0040e557
0x0040e55e
0x0040e55f
0x0040e560
0x0040e566
0x00000000
0x00000000
0x0040e56f
0x0040e572
0x0040e579
0x0040e57a
0x0040e57b
0x0040e581
0x00000000
0x00000000
0x0040e58a
0x0040e58d
0x0040e594
0x0040e595
0x0040e596
0x0040e59c
0x00000000
0x00000000
0x0040e5aa
0x0040e5ab
0x0040e5b1
0x0040e5b7
0x0040e5bd
0x0040e5c0
0x0040e5c3
0x0040e5d4
0x0040e5d7
0x0040e5db
0x0040e5e5
0x0040e5eb
0x0040e5f8
0x0040e5fe
0x0040e604
0x0040e60a
0x0040e610
0x0040e616
0x0040e61c
0x0040e622
0x0040e628
0x0040e62e
0x0040e634
0x0040e63a
0x0040e640
0x0040e643
0x0040e646
0x0040e649
0x0040e64c
0x0040e64f
0x0040e652
0x0040e655
0x0040e658
0x0040e65b
0x0040e65e
0x0040e661
0x0040e664
0x0040e667
0x0040e66a
0x0040e66d
0x0040e670
0x0040e673
0x0040e676
0x0040e679
0x0040e67c
0x0040e684
0x0040e70b
0x0040e70e
0x0040e71c
0x0040e71c
0x00000000
0x0040e70e
0x0040e68d
0x00000000
0x00000000
0x0040e6a7
0x00000000
0x0040e6d3
0x0040e6df
0x0040e6e5
0x0040e6f5
0x0040e6f7
0x0040e705
0x0040e705
0x00000000
0x0040e707

APIs

InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 0040E504
CreateWellKnownSid.ADVAPI32(0000001A,00000000,?,?), ref: 0040E52C
CreateWellKnownSid.ADVAPI32(00000017,00000000,?,?), ref: 0040E547
CreateWellKnownSid.ADVAPI32(00000018,00000000,?,?), ref: 0040E562
CreateWellKnownSid.ADVAPI32(00000010,00000000,?,?), ref: 0040E57D
CreateWellKnownSid.ADVAPI32(00000016,00000000,?,?), ref: 0040E598
SetEntriesInAclW.ADVAPI32(00000005,?,00000000,?), ref: 0040E67C
SetSecurityDescriptorOwner.ADVAPI32(?,?,00000000), ref: 0040E69F
SetSecurityDescriptorGroup.ADVAPI32(?,?,00000000), ref: 0040E6B5
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0040E6C9
CoInitializeSecurity.OLE32(?,000000FF,00000000,00000000,00000006,00000002,00000000,00002000,00000000), ref: 0040E6E5

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: CreateKnownSecurityWell$Descriptor$Initialize$DaclEntriesGroupOwner
String ID:
API String ID: 2413923493-0
Opcode ID: 30771ede699795638ce45585d7c33b3ab1889e0f6038fa16c13870c92322da56
Instruction ID: b6f6645060ad6ca9c40c26e7b63631120ddee57154786cec1e73a4cccb72760d
Opcode Fuzzy Hash: 30771ede699795638ce45585d7c33b3ab1889e0f6038fa16c13870c92322da56
Instruction Fuzzy Hash: 4991A4B1D0021DABDB20CF9ACD84ADEBBB9BB48740F5045AAE509F7280D7705A848F61

Uniqueness

Uniqueness Score: -1.00%

Function 0042E6D0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 12
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 19%

			E0042E6D0(intOrPtr _a4) {
				_Unknown_base(*)()* _t3;
				void* _t4;

				_t3 = GetProcAddress(GetModuleHandleW(L"kernel32"), "GetNativeSystemInfo");
				_push(_a4);
				if(_t3 != 0) {
					_t4 =  *_t3(); // executed
					return _t4;
				} else {
					GetSystemInfo();
					return _t3; // executed
				}
			}

0x0042e6e1
0x0042e6e7
0x0042e6ed
0x0042e6f6
0x0042e6f8
0x0042e6ef
0x0042e6ef
0x0042e6f5
0x0042e6f5

APIs

GetModuleHandleW.KERNEL32(kernel32,GetNativeSystemInfo,0042E6A7,0000000A,0000000A,004764FC,00000000,00000000,?,00000000), ref: 0042E6DA
GetProcAddress.KERNEL32(00000000), ref: 0042E6E1
GetSystemInfo.KERNEL32(?), ref: 0042E6EF
GetNativeSystemInfo.KERNELBASE(?), ref: 0042E6F6

Strings

GetNativeSystemInfo, xrefs: 0042E6D0
kernel32, xrefs: 0042E6D5

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: InfoSystem$AddressHandleModuleNativeProc
String ID: GetNativeSystemInfo$kernel32
API String ID: 3433367815-3846845290
Opcode ID: ff8190673f9c64e0761c3fb2caca0f58c050adcd6ab083de79350b67ee375f11
Instruction ID: c43005acd8ce07ad0062ff56ec2bad00ef37cc7a8b47c8e21498acb6c3c3691f
Opcode Fuzzy Hash: ff8190673f9c64e0761c3fb2caca0f58c050adcd6ab083de79350b67ee375f11
Instruction Fuzzy Hash: E3C00271748211AB8F502BA15D4DA9F36645A967197504556F505C0250EAB84D40DA1A

Uniqueness

Uniqueness Score: -1.00%

Function 00437791 Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(004377CE,0040F1B3,?,?,C:\CodeBases\isdev\src\Runtime\InstallScript\SetupNew\setup.cpp,?,00000001,00467574,00000000,0046757C), ref: 00437791

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: daddccab8a9d475a1b554dc8ed83e1b9d29762d401bf043f880865d7794dc7e6
Instruction ID: fc5a192371ba4d7ecc1299a29fca2120c1d3a59738fca25a03236da5a4a36702
Opcode Fuzzy Hash: daddccab8a9d475a1b554dc8ed83e1b9d29762d401bf043f880865d7794dc7e6
Instruction Fuzzy Hash: D3C022B808C20008FA282A00280338832820380B23FF0208BF8028C2C0CBCB00C0A00C

Uniqueness

Uniqueness Score: -1.00%

Function 0043EA4F Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_0003EA09), ref: 0043EA54

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 26e6f8602fd9498febdde38cbf8aecf7ed9e47f5ec123d15f2aa6ea9927fc93e
Instruction ID: 59fb5a74d4a5a4ea9a5c0420cb6aef3df8714fc38baa6541e29904e3be208cd1
Opcode Fuzzy Hash: 26e6f8602fd9498febdde38cbf8aecf7ed9e47f5ec123d15f2aa6ea9927fc93e
Instruction Fuzzy Hash: F0A00474545144D7C7105FD15D0D5043550775CF4D71415F5DC05C1354F7740441D71D

Uniqueness

Uniqueness Score: -1.00%

Function 004219A7 Relevance: 201.5, APIs: 6, Strings: 108, Instructions: 1963
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E004219A7(intOrPtr __ecx) {
				void* __ebx;
				void* __edi;
				signed int _t833;
				signed int _t834;
				signed int _t835;
				signed int _t836;
				signed int _t837;
				void* _t838;
				signed int _t839;
				signed int _t846;
				signed int _t851;
				signed int _t860;
				signed int _t865;
				signed int _t866;
				signed int _t875;
				signed int _t880;
				signed int _t881;
				signed int _t890;
				signed int _t895;
				signed int _t904;
				signed int _t909;
				signed int _t918;
				signed int _t923;
				signed int _t935;
				signed int _t943;
				signed int _t951;
				signed int _t956;
				signed int _t963;
				signed int _t972;
				signed int _t978;
				intOrPtr _t985;
				signed int _t992;
				signed int _t999;
				signed int _t1003;
				intOrPtr _t1004;
				signed int _t1007;
				intOrPtr* _t1012;
				WCHAR** _t1013;
				WCHAR* _t1014;
				intOrPtr* _t1020;
				WCHAR** _t1021;
				WCHAR* _t1022;
				signed int _t1027;
				intOrPtr* _t1032;
				WCHAR** _t1033;
				WCHAR* _t1034;
				intOrPtr* _t1040;
				WCHAR** _t1041;
				WCHAR* _t1042;
				signed int _t1045;
				signed int _t1052;
				signed int _t1061;
				signed int _t1068;
				signed int _t1072;
				signed int _t1080;
				signed int _t1085;
				signed int _t1090;
				signed int _t1112;
				signed int _t1119;
				signed int _t1121;
				signed int _t1128;
				signed int _t1133;
				signed int _t1138;
				signed int _t1143;
				signed int _t1148;
				signed int _t1153;
				signed int _t1169;
				signed int _t1170;
				signed int _t1180;
				char* _t1185;
				signed int _t1191;
				intOrPtr _t1192;
				signed int _t1201;
				signed int _t1208;
				signed int _t1213;
				signed char _t1218;
				char* _t1219;
				signed int _t1226;
				char* _t1227;
				signed int _t1232;
				char* _t1233;
				signed int _t1237;
				char* _t1238;
				signed int _t1242;
				char* _t1243;
				signed short _t1250;
				char* _t1252;
				char* _t1256;
				char* _t1268;
				signed int _t1278;
				char* _t1280;
				char* _t1285;
				char* _t1289;
				char* _t1293;
				char* _t1297;
				signed int _t1303;
				char* _t1305;
				signed int _t1311;
				char* _t1312;
				signed int _t1316;
				char* _t1317;
				void* _t1398;
				intOrPtr _t1433;
				WCHAR* _t1452;
				WCHAR* _t1457;
				WCHAR* _t1465;
				WCHAR* _t1470;
				intOrPtr _t1571;
				void* _t1596;
				void* _t1597;
				void* _t1602;
				intOrPtr _t1663;
				intOrPtr _t1682;
				intOrPtr _t1691;
				intOrPtr _t1693;
				void* _t1694;

				L0043B644(0x462ceb, _t1694);
				_t1682 = __ecx;
				 *((intOrPtr*)(_t1694 - 0x10)) = __ecx;
				 *(_t1694 - 4) = 0;
				if( *((intOrPtr*)(__ecx + 0x3ec)) == 0) {
					L111:
					_t833 = L00425D10(_t1694 + 8, L"file");
					__eflags = _t833;
					if(_t833 != 0) {
						_t834 = L00425D10(_t1694 + 8, L"properties");
						__eflags = _t834;
						if(_t834 != 0) {
							_t835 = L00425D10(_t1694 + 8, L"execute");
							__eflags = _t835;
							if(_t835 != 0) {
								_t836 = L00425D10(_t1694 + 8, L"dependency");
								__eflags = _t836;
								if(_t836 != 0) {
									_t837 = L00425D10(_t1694 + 8, L"behavior");
									__eflags = _t837;
									if(_t837 == 0) {
										_t839 = L"behavior";
										__eflags = _t839;
										 *((intOrPtr*)(_t1694 - 0x6c)) = 0x4675d8;
										 *((intOrPtr*)(_t1694 - 0x4c)) = 0x4675d0;
										if(_t839 == 0) {
											_t839 = 0x47e150;
										}
										_push(0);
										_push(_t1694 - 0x11);
										_push(_t839);
										L0040B34B(_t1694 - 0x6c);
										_push(1);
										_push(0);
										_push(_t1694 - 0x6c);
										 *(_t1694 - 4) = 0x56;
										L0042189A(0,  *((intOrPtr*)(_t1694 - 0x10)), __eflags);
										 *(_t1694 - 4) = 0;
										E004061C1(_t1694 - 0x6c);
										_push(L"Optional");
										_push(_t1694 - 0x88);
										_t846 =  *(L004392EF( *(_t1694 + 0x24), __eflags) + 0x10);
										 *(_t1694 - 4) = 0x57;
										__eflags = _t846;
										 *((intOrPtr*)(_t1694 - 0xf4)) = 0x4675d8;
										 *((intOrPtr*)(_t1694 - 0xd4)) = 0x4675d0;
										if(_t846 == 0) {
											_t846 = 0x47e150;
										}
										_push(0);
										_push(_t1694 - 0x11);
										_push(_t846);
										L0040B34B(_t1694 - 0xf4);
										 *(_t1694 - 4) = 0x59;
										E0041A460(_t1694 - 0x88);
										E00426733(_t1694 - 0xf4, _t1694 - 0x18, 0xa);
										__eflags =  *(_t1694 - 0x18);
										if( *(_t1694 - 0x18) != 0) {
											 *((char*)( *((intOrPtr*)(_t1694 - 0x10)) + 0x40c)) = 1;
										}
										_t851 = L"Optional";
										 *((intOrPtr*)(_t1694 - 0x6c)) = 0x4675d8;
										 *((intOrPtr*)(_t1694 - 0x4c)) = 0x4675d0;
										__eflags = _t851;
										if(_t851 == 0) {
											_t851 = 0x47e150;
										}
										_push(0);
										_push(_t1694 - 0x13);
										_push(_t851);
										L0040B34B(_t1694 - 0x6c);
										_push(1);
										_push(0);
										_push(_t1694 - 0x6c);
										 *(_t1694 - 4) = 0x5a;
										L0042189A(0,  *((intOrPtr*)(_t1694 - 0x10)), __eflags);
										 *(_t1694 - 4) = 0x59;
										E004061C1(_t1694 - 0x6c);
										_push(1);
										_push(0);
										_push(_t1694 - 0xf4);
										L0042189A(0,  *((intOrPtr*)(_t1694 - 0x10)), __eflags);
										_push(L"Reboot");
										_push(_t1694 - 0xc0);
										_t860 =  *(L004392EF( *(_t1694 + 0x24), __eflags) + 0x10);
										 *(_t1694 - 4) = 0x5b;
										__eflags = _t860;
										if(_t860 == 0) {
											_t860 = 0x47e150;
										}
										L0040BDDD(_t1694 - 0xf4, _t860);
										 *(_t1694 - 4) = 0x59;
										E0041A460(_t1694 - 0xc0);
										E00426733(_t1694 - 0xf4, _t1694 - 0x18, 0xa);
										_t865 =  *(_t1694 - 0x18);
										__eflags = _t865;
										if(_t865 != 0) {
											 *( *((intOrPtr*)(_t1694 - 0x10)) + 0x404) = _t865;
										}
										_t866 = L"Reboot";
										 *((intOrPtr*)(_t1694 - 0x6c)) = 0x4675d8;
										 *((intOrPtr*)(_t1694 - 0x4c)) = 0x4675d0;
										__eflags = _t866;
										if(_t866 == 0) {
											_t866 = 0x47e150;
										}
										_push(0);
										_push(_t1694 - 0x13);
										_push(_t866);
										L0040B34B(_t1694 - 0x6c);
										_push(1);
										_push(0);
										_push(_t1694 - 0x6c);
										 *(_t1694 - 4) = 0x5c;
										L0042189A(0,  *((intOrPtr*)(_t1694 - 0x10)), __eflags);
										 *(_t1694 - 4) = 0x59;
										E004061C1(_t1694 - 0x6c);
										_push(1);
										_push(0);
										_push(_t1694 - 0xf4);
										L0042189A(0,  *((intOrPtr*)(_t1694 - 0x10)), __eflags);
										_push(L"Failure");
										_push(_t1694 - 0xc0);
										_t875 =  *(L004392EF( *(_t1694 + 0x24), __eflags) + 0x10);
										 *(_t1694 - 4) = 0x5d;
										__eflags = _t875;
										if(_t875 == 0) {
											_t875 = 0x47e150;
										}
										L0040BDDD(_t1694 - 0xf4, _t875);
										 *(_t1694 - 4) = 0x59;
										E0041A460(_t1694 - 0xc0);
										E00426733(_t1694 - 0xf4, _t1694 - 0x18, 0xa);
										_t880 =  *(_t1694 - 0x18);
										__eflags = _t880;
										if(_t880 != 0) {
											 *( *((intOrPtr*)(_t1694 - 0x10)) + 0x408) = _t880;
										}
										_t881 = L"Failure";
										 *((intOrPtr*)(_t1694 - 0x6c)) = 0x4675d8;
										 *((intOrPtr*)(_t1694 - 0x4c)) = 0x4675d0;
										__eflags = _t881;
										if(_t881 == 0) {
											_t881 = 0x47e150;
										}
										_push(0);
										_push(_t1694 - 0x13);
										_push(_t881);
										L0040B34B(_t1694 - 0x6c);
										_push(1);
										_push(0);
										_push(_t1694 - 0x6c);
										 *(_t1694 - 4) = 0x5e;
										L0042189A(0,  *((intOrPtr*)(_t1694 - 0x10)), __eflags);
										 *(_t1694 - 4) = 0x59;
										E004061C1(_t1694 - 0x6c);
										_push(0);
										_push(1);
										_push(_t1694 - 0xf4);
										L0042189A(0,  *((intOrPtr*)(_t1694 - 0x10)), __eflags);
										_push(L"Lua");
										_push(_t1694 - 0xc0);
										_t890 =  *(L004392EF( *(_t1694 + 0x24), __eflags) + 0x10);
										 *(_t1694 - 4) = 0x5f;
										__eflags = _t890;
										if(_t890 == 0) {
											_t890 = 0x47e150;
										}
										L0040BDDD(_t1694 - 0xf4, _t890);
										 *(_t1694 - 4) = 0x59;
										E0041A460(_t1694 - 0xc0);
										E00426733(_t1694 - 0xf4, _t1694 - 0x18, 0xa);
										__eflags =  *(_t1694 - 0x18);
										if( *(_t1694 - 0x18) != 0) {
											 *((char*)( *((intOrPtr*)(_t1694 - 0x10)) + 0x40d)) = 1;
										}
										_t895 = L"Lua";
										 *((intOrPtr*)(_t1694 - 0x6c)) = 0x4675d8;
										 *((intOrPtr*)(_t1694 - 0x4c)) = 0x4675d0;
										__eflags = _t895;
										if(_t895 == 0) {
											_t895 = 0x47e150;
										}
										_push(0);
										_push(_t1694 - 0x13);
										_push(_t895);
										L0040B34B(_t1694 - 0x6c);
										_push(1);
										_push(0);
										_push(_t1694 - 0x6c);
										 *(_t1694 - 4) = 0x60;
										L0042189A(0,  *((intOrPtr*)(_t1694 - 0x10)), __eflags);
										 *(_t1694 - 4) = 0x59;
										E004061C1(_t1694 - 0x6c);
										_push(0);
										_push(1);
										_push(_t1694 - 0xf4);
										L0042189A(0,  *((intOrPtr*)(_t1694 - 0x10)), __eflags);
										_push(L"Hidden");
										_push(_t1694 - 0xc0);
										_t904 =  *(L004392EF( *(_t1694 + 0x24), __eflags) + 0x10);
										 *(_t1694 - 4) = 0x61;
										__eflags = _t904;
										if(_t904 == 0) {
											_t904 = 0x47e150;
										}
										L0040BDDD(_t1694 - 0xf4, _t904);
										 *(_t1694 - 4) = 0x59;
										E0041A460(_t1694 - 0xc0);
										E00426733(_t1694 - 0xf4, _t1694 - 0x18, 0xa);
										__eflags =  *(_t1694 - 0x18);
										if( *(_t1694 - 0x18) != 0) {
											 *((char*)( *((intOrPtr*)(_t1694 - 0x10)) + 0x261)) = 1;
										}
										_t909 = L"Hidden";
										 *((intOrPtr*)(_t1694 - 0x6c)) = 0x4675d8;
										 *((intOrPtr*)(_t1694 - 0x4c)) = 0x4675d0;
										__eflags = _t909;
										if(_t909 == 0) {
											_t909 = 0x47e150;
										}
										_push(0);
										_push(_t1694 - 0x13);
										_push(_t909);
										L0040B34B(_t1694 - 0x6c);
										_push(1);
										_push(0);
										_push(_t1694 - 0x6c);
										 *(_t1694 - 4) = 0x62;
										L0042189A(0,  *((intOrPtr*)(_t1694 - 0x10)), __eflags);
										 *(_t1694 - 4) = 0x59;
										E004061C1(_t1694 - 0x6c);
										_push(0);
										_push(1);
										_push(_t1694 - 0xf4);
										L0042189A(0,  *((intOrPtr*)(_t1694 - 0x10)), __eflags);
										_push(L"MsiProgress");
										_push(_t1694 - 0xc0);
										_t918 =  *(L004392EF( *(_t1694 + 0x24), __eflags) + 0x10);
										 *(_t1694 - 4) = 0x63;
										__eflags = _t918;
										if(_t918 == 0) {
											_t918 = 0x47e150;
										}
										L0040BDDD(_t1694 - 0xf4, _t918);
										 *(_t1694 - 4) = 0x59;
										E0041A460(_t1694 - 0xc0);
										E00426733(_t1694 - 0xf4, _t1694 + 0x24, 0xa);
										__eflags =  *(_t1694 + 0x24);
										if( *(_t1694 + 0x24) != 0) {
											 *((char*)( *((intOrPtr*)(_t1694 - 0x10)) + 0x262)) = 1;
										}
										_t923 = L"MsiProgress";
										 *((intOrPtr*)(_t1694 - 0x6c)) = 0x4675d8;
										 *((intOrPtr*)(_t1694 - 0x4c)) = 0x4675d0;
										__eflags = _t923;
										if(_t923 == 0) {
											_t923 = 0x47e150;
										}
										_push(0);
										_push(_t1694 - 0x13);
										_push(_t923);
										L0040B34B(_t1694 - 0x6c);
										_push(1);
										_push(0);
										_push(_t1694 - 0x6c);
										 *(_t1694 - 4) = 0x64;
										L0042189A(0,  *((intOrPtr*)(_t1694 - 0x10)), __eflags);
										 *(_t1694 - 4) = 0x59;
										E004061C1(_t1694 - 0x6c);
										_push(0);
										_push(1);
										_push(_t1694 - 0xf4);
										L0042189A(0,  *((intOrPtr*)(_t1694 - 0x10)), __eflags);
										 *(_t1694 - 4) = 0;
										_t1398 = _t1694 - 0xf4;
										goto L218;
									}
								} else {
									_t935 = L"dependency";
									__eflags = _t935;
									 *((intOrPtr*)(_t1694 - 0x6c)) = 0x4675d8;
									 *((intOrPtr*)(_t1694 - 0x4c)) = 0x4675d0;
									if(_t935 == 0) {
										_t935 = 0x47e150;
									}
									_push(0);
									_push(_t1694 - 0x11);
									_push(_t935);
									L0040B34B(_t1694 - 0x6c);
									_push(1);
									_push(0);
									_push(_t1694 - 0x6c);
									 *(_t1694 - 4) = 0x52;
									L0042189A(0,  *((intOrPtr*)(_t1694 - 0x10)), __eflags);
									 *(_t1694 - 4) = 0;
									E004061C1(_t1694 - 0x6c);
									L004233F0();
									_push(L"File");
									_push(_t1694 - 0x88);
									 *(_t1694 - 4) = 0x53;
									_t943 =  *(L004392EF( *(_t1694 + 0x24), __eflags) + 0x10);
									 *(_t1694 - 4) = 0x54;
									__eflags = _t943;
									if(_t943 == 0) {
										_t943 = 0x47e150;
									}
									L0040BDDD(_t1694 - 0x44, _t943);
									 *(_t1694 - 4) = 0x53;
									E0041A460(_t1694 - 0x88);
									L00425F64( *((intOrPtr*)(_t1694 - 0x10)) + 0x270, _t1694 - 0x44);
									_push(1);
									_push(0);
									_push(_t1694 - 0x44);
									L0042189A(0,  *((intOrPtr*)(_t1694 - 0x10)), __eflags);
									_t951 = L" -- Successful";
									 *((intOrPtr*)(_t1694 - 0x6c)) = 0x4675d8;
									 *((intOrPtr*)(_t1694 - 0x4c)) = 0x4675d0;
									__eflags = _t951;
									if(_t951 == 0) {
										_t951 = 0x47e150;
									}
									_push(0);
									_push(_t1694 + 0x27);
									_push(_t951);
									L0040B34B(_t1694 - 0x6c);
									_push(0);
									_push(1);
									_push(_t1694 - 0x6c);
									 *(_t1694 - 4) = 0x55;
									L0042189A(0,  *((intOrPtr*)(_t1694 - 0x10)), __eflags);
									 *(_t1694 - 4) = 0x53;
									E004061C1(_t1694 - 0x6c);
									 *(_t1694 - 4) = 0;
									_t1398 = _t1694 - 0x44;
									goto L218;
								}
							} else {
								_t956 = L"execute";
								__eflags = _t956;
								 *((intOrPtr*)(_t1694 - 0x6c)) = 0x4675d8;
								 *((intOrPtr*)(_t1694 - 0x4c)) = 0x4675d0;
								if(_t956 == 0) {
									_t956 = 0x47e150;
								}
								_push(0);
								_push(_t1694 - 0x11);
								_push(_t956);
								L0040B34B(_t1694 - 0x6c);
								_push(1);
								_push(0);
								_push(_t1694 - 0x6c);
								 *(_t1694 - 4) = 0x3f;
								L0042189A(0,  *((intOrPtr*)(_t1694 - 0x10)), __eflags);
								 *(_t1694 - 4) = 0;
								E004061C1(_t1694 - 0x6c);
								_push(L"file");
								_push(_t1694 - 0x88);
								_t963 =  *(L004392EF( *(_t1694 + 0x24), __eflags) + 0x10);
								 *(_t1694 - 4) = 0x40;
								__eflags = _t963;
								if(_t963 == 0) {
									_t963 = 0x47e150;
								}
								L0040BDDD( *((intOrPtr*)(_t1694 - 0x10)) + 0x2a4, _t963);
								 *(_t1694 - 4) = 0;
								E0041A460(_t1694 - 0x88);
								__eflags =  *( *((intOrPtr*)(_t1694 - 0x10)) + 0x2d8);
								if(__eflags == 0) {
									_push(L"cmdline");
									_push(_t1694 - 0x88);
									_t1027 =  *(L004392EF( *(_t1694 + 0x24), __eflags) + 0x10);
									 *(_t1694 - 4) = 0x41;
									__eflags = _t1027;
									 *((intOrPtr*)(_t1694 - 0x44)) = 0x4675d8;
									 *((intOrPtr*)(_t1694 - 0x24)) = 0x4675d0;
									if(_t1027 == 0) {
										_t1027 = 0x47e150;
									}
									_push(0);
									_push(_t1694 - 0x11);
									_push(_t1027);
									L0040B34B(_t1694 - 0x44);
									 *(_t1694 - 4) = 0x43;
									E0041A460(_t1694 - 0x88);
									_t1032 = L0040B799( *((intOrPtr*)(_t1694 - 0x10)) + 0x2cc, _t1694 - 0xa4, 0x104);
									 *(_t1694 - 4) = 0x44;
									 *((char*)(_t1032 + 4)) = 1;
									_t1033 = L0040BE33(_t1032,  *_t1032);
									_t1465 =  *(_t1694 - 0x3c);
									_t1034 =  *_t1033;
									__eflags = _t1465;
									if(_t1465 == 0) {
										_t1465 = 0x4675e4;
									}
									 *(_t1694 - 0x18) = ExpandEnvironmentStringsW(_t1465, _t1034, 0x104);
									 *(_t1694 - 4) = 0x43;
									L0040BBBE(_t1694 - 0xa4);
									__eflags =  *(_t1694 - 0x18) - 0x104;
									if( *(_t1694 - 0x18) > 0x104) {
										_t1040 = L0040B799( *((intOrPtr*)(_t1694 - 0x10)) + 0x2cc, _t1694 - 0xa4,  *(_t1694 - 0x18));
										 *(_t1694 - 4) = 0x45;
										 *((char*)(_t1040 + 4)) = 1;
										_t1041 = L0040BE33(_t1040,  *_t1040);
										_t1470 =  *(_t1694 - 0x3c);
										_t1042 =  *_t1041;
										__eflags = _t1470;
										if(_t1470 == 0) {
											_t1470 = 0x4675e4;
										}
										ExpandEnvironmentStringsW(_t1470, _t1042,  *(_t1694 - 0x18));
										 *(_t1694 - 4) = 0x43;
										L0040BBBE(_t1694 - 0xa4);
									}
									 *(_t1694 - 4) = 0;
									E004061C1(_t1694 - 0x44);
								}
								__eflags =  *( *((intOrPtr*)(_t1694 - 0x10)) + 0x300);
								if(__eflags == 0) {
									_push(L"cmdlinesilent");
									_push(_t1694 - 0x88);
									_t1007 =  *(L004392EF( *(_t1694 + 0x24), __eflags) + 0x10);
									 *(_t1694 - 4) = 0x46;
									__eflags = _t1007;
									 *((intOrPtr*)(_t1694 - 0x44)) = 0x4675d8;
									 *((intOrPtr*)(_t1694 - 0x24)) = 0x4675d0;
									if(_t1007 == 0) {
										_t1007 = 0x47e150;
									}
									_push(0);
									_push(_t1694 - 0x11);
									_push(_t1007);
									L0040B34B(_t1694 - 0x44);
									 *(_t1694 - 4) = 0x48;
									E0041A460(_t1694 - 0x88);
									_t1012 = L0040B799( *((intOrPtr*)(_t1694 - 0x10)) + 0x2f4, _t1694 - 0xa4, 0x104);
									 *(_t1694 - 4) = 0x49;
									 *((char*)(_t1012 + 4)) = 1;
									_t1013 = L0040BE33(_t1012,  *_t1012);
									_t1452 =  *(_t1694 - 0x3c);
									_t1014 =  *_t1013;
									__eflags = _t1452;
									if(_t1452 == 0) {
										_t1452 = 0x4675e4;
									}
									 *(_t1694 - 0x18) = ExpandEnvironmentStringsW(_t1452, _t1014, 0x104);
									 *(_t1694 - 4) = 0x48;
									L0040BBBE(_t1694 - 0xa4);
									__eflags =  *(_t1694 - 0x18) - 0x104;
									if( *(_t1694 - 0x18) > 0x104) {
										_t1020 = L0040B799( *((intOrPtr*)(_t1694 - 0x10)) + 0x2f4, _t1694 - 0xa4,  *(_t1694 - 0x18));
										 *(_t1694 - 4) = 0x4a;
										 *((char*)(_t1020 + 4)) = 1;
										_t1021 = L0040BE33(_t1020,  *_t1020);
										_t1457 =  *(_t1694 - 0x3c);
										_t1022 =  *_t1021;
										__eflags = _t1457;
										if(_t1457 == 0) {
											_t1457 = 0x4675e4;
										}
										ExpandEnvironmentStringsW(_t1457, _t1022,  *(_t1694 - 0x18));
										 *(_t1694 - 4) = 0x48;
										L0040BBBE(_t1694 - 0xa4);
									}
									 *(_t1694 - 4) = 0;
									E004061C1(_t1694 - 0x44);
								}
								_push(L"returncodetoreboot");
								_push(_t1694 - 0x88);
								_t972 =  *(L004392EF( *(_t1694 + 0x24), __eflags) + 0x10);
								 *(_t1694 - 4) = 0x4b;
								__eflags = _t972;
								if(_t972 == 0) {
									_t972 = 0x47e150;
								}
								L0040BDDD( *((intOrPtr*)(_t1694 - 0x10)) + 0x31c, _t972);
								 *(_t1694 - 4) = 0;
								E0041A460(_t1694 - 0x88);
								_push(L"forcesilent");
								_push(_t1694 - 0x88);
								_t978 =  *(L004392EF( *(_t1694 + 0x24), __eflags) + 0x10);
								 *(_t1694 - 4) = 0x4c;
								__eflags = _t978;
								if(_t978 == 0) {
									_t978 = 0x47e150;
								}
								L0040BDDD( *((intOrPtr*)(_t1694 - 0x10)) + 0x344, _t978);
								 *(_t1694 - 4) = 0;
								E0041A460(_t1694 - 0x88);
								_push(0);
								_push(_t1694 - 0x11);
								_push(0x47e150);
								 *((intOrPtr*)(_t1694 - 0x6c)) = 0x4675d8;
								 *((intOrPtr*)(_t1694 - 0x4c)) = 0x4675d0;
								L0040B34B(_t1694 - 0x6c);
								 *(_t1694 - 4) = 0x4d;
								_push(_t1694 - 0x6c);
								_t985 =  *((intOrPtr*)(_t1694 - 0x10));
								_push(_t985 + 0x344);
								_t1433 =  *((intOrPtr*)(_t1694 - 0x10));
								_push(_t985 + 0x31c);
								_push(_t1433 + 0x2f4);
								_push(_t1433 + 0x2cc);
								_push(_t1433 + 0x2a4);
								L00421797(_t1433, __eflags);
								 *(_t1694 - 4) = 0;
								E004061C1(_t1694 - 0x6c);
								_t992 = L" -- Successful";
								 *((intOrPtr*)(_t1694 - 0x6c)) = 0x4675d8;
								 *((intOrPtr*)(_t1694 - 0x4c)) = 0x4675d0;
								__eflags = _t992;
								if(_t992 == 0) {
									_t992 = 0x47e150;
								}
								_push(0);
								_push(_t1694 - 0x11);
								_push(_t992);
								L0040B34B(_t1694 - 0x6c);
								_push(0);
								_push(1);
								_push(_t1694 - 0x6c);
								 *(_t1694 - 4) = 0x4e;
								L0042189A(0,  *((intOrPtr*)(_t1694 - 0x10)), __eflags);
								 *(_t1694 - 4) = 0;
								E004061C1(_t1694 - 0x6c);
								_push(L"requiresmsiengine");
								_push(_t1694 - 0x88);
								_t999 =  *(L004392EF( *(_t1694 + 0x24), __eflags) + 0x10);
								 *(_t1694 - 4) = 0x4f;
								__eflags = _t999;
								 *((intOrPtr*)(_t1694 - 0x11c)) = 0x4675d8;
								 *((intOrPtr*)(_t1694 - 0xfc)) = 0x4675d0;
								if(_t999 == 0) {
									_t999 = 0x47e150;
								}
								_push(0);
								_push(_t1694 + 0x27);
								_push(_t999);
								L0040B34B(_t1694 - 0x11c);
								 *(_t1694 - 4) = 0x51;
								E0041A460(_t1694 - 0x88);
								_t1003 = L0040CD7B(_t1694 - 0x118, 0,  *((intOrPtr*)(_t1694 - 0x110)), 0x477b1c, L0043BA1F(0x477b1c));
								__eflags = _t1003;
								_t1004 =  *((intOrPtr*)(_t1694 - 0x10));
								if(_t1003 != 0) {
									 *((char*)(_t1004 + 0x3ed)) = 0;
								} else {
									 *((char*)(_t1004 + 0x3ed)) = 1;
								}
								 *(_t1694 - 4) = 0;
								_t1398 = _t1694 - 0x11c;
								goto L218;
							}
						} else {
							_t1045 = L"Id";
							__eflags = _t1045;
							 *((intOrPtr*)(_t1694 - 0x6c)) = 0x4675d8;
							 *((intOrPtr*)(_t1694 - 0x4c)) = 0x4675d0;
							if(_t1045 == 0) {
								_t1045 = 0x47e150;
							}
							_push(0);
							_push(_t1694 - 0x11);
							_push(_t1045);
							L0040B34B(_t1694 - 0x6c);
							_push(1);
							_push(0);
							_push(_t1694 - 0x6c);
							 *(_t1694 - 4) = 0x3b;
							L0042189A(0,  *((intOrPtr*)(_t1694 - 0x10)), __eflags);
							 *(_t1694 - 4) = 0;
							E004061C1(_t1694 - 0x6c);
							_push(L"Id");
							_push(_t1694 - 0x88);
							_t1052 =  *(L004392EF( *(_t1694 + 0x24), __eflags) + 0x10);
							 *(_t1694 - 4) = 0x3c;
							__eflags = _t1052;
							if(_t1052 == 0) {
								_t1052 = 0x47e150;
							}
							L0040BDDD( *((intOrPtr*)(_t1694 - 0x10)) + 0x27c, _t1052);
							 *(_t1694 - 4) = 0;
							E0041A460(_t1694 - 0x88);
							_push(1);
							_push(0);
							_push( *((intOrPtr*)(_t1694 - 0x10)) + 0x27c);
							L0042189A(0,  *((intOrPtr*)(_t1694 - 0x10)), __eflags);
							_push(L"AltPrqURL");
							_push(_t1694 - 0x88);
							_t1061 =  *(L004392EF( *(_t1694 + 0x24), __eflags) + 0x10);
							 *(_t1694 - 4) = 0x3d;
							__eflags = _t1061;
							if(_t1061 == 0) {
								_t1061 = 0x47e150;
							}
							L0040BDDD( *((intOrPtr*)(_t1694 - 0x10)) + 0x394, _t1061);
							 *(_t1694 - 4) = 0;
							E0041A460(_t1694 - 0x88);
							_push(1);
							_push(0);
							_push( *((intOrPtr*)(_t1694 - 0x10)) + 0x394);
							L0042189A(0,  *((intOrPtr*)(_t1694 - 0x10)), __eflags);
							_t1068 = L" -- Successful";
							 *((intOrPtr*)(_t1694 - 0x6c)) = 0x4675d8;
							 *((intOrPtr*)(_t1694 - 0x4c)) = 0x4675d0;
							__eflags = _t1068;
							if(_t1068 == 0) {
								_t1068 = 0x47e150;
							}
							_push(0);
							_push(_t1694 + 0x27);
							_push(_t1068);
							L0040B34B(_t1694 - 0x6c);
							_push(0);
							_push(1);
							_push(_t1694 - 0x6c);
							 *(_t1694 - 4) = 0x3e;
							L0042189A(0,  *((intOrPtr*)(_t1694 - 0x10)), __eflags);
							 *(_t1694 - 4) = 0;
							_t1398 = _t1694 - 0x6c;
							goto L218;
						}
					} else {
						_t1072 = L"file";
						__eflags = _t1072;
						 *((intOrPtr*)(_t1694 - 0x6c)) = 0x4675d8;
						 *((intOrPtr*)(_t1694 - 0x4c)) = 0x4675d0;
						if(_t1072 == 0) {
							_t1072 = 0x47e150;
						}
						_push(0);
						_push(_t1694 - 0x11);
						_push(_t1072);
						L0040B34B(_t1694 - 0x6c);
						_push(1);
						_push(0);
						_push(_t1694 - 0x6c);
						 *(_t1694 - 4) = 0x32;
						L0042189A(0,  *((intOrPtr*)(_t1694 - 0x10)), __eflags);
						 *(_t1694 - 4) = 0;
						E004061C1(_t1694 - 0x6c);
						L00423383(_t1694 - 0x294, __eflags);
						_push(L"CheckSum");
						_push(_t1694 - 0x88);
						 *(_t1694 - 4) = 0x33;
						_t1080 =  *(L004392EF( *(_t1694 + 0x24), __eflags) + 0x10);
						 *(_t1694 - 4) = 0x34;
						__eflags = _t1080;
						if(_t1080 == 0) {
							_t1080 = 0x47e150;
						}
						L0040BDDD(_t1694 - 0x244, _t1080);
						 *(_t1694 - 4) = 0x33;
						E0041A460(_t1694 - 0x88);
						_push(L"LocalFile");
						_push(_t1694 - 0x88);
						_t1085 =  *(L004392EF( *(_t1694 + 0x24), __eflags) + 0x10);
						 *(_t1694 - 4) = 0x35;
						__eflags = _t1085;
						if(_t1085 == 0) {
							_t1085 = 0x47e150;
						}
						L0040BDDD(_t1694 - 0x294, _t1085);
						 *(_t1694 - 4) = 0x33;
						E0041A460(_t1694 - 0x88);
						_push(L"URL");
						_push(_t1694 - 0x88);
						_t1090 =  *(L004392EF( *(_t1694 + 0x24), __eflags) + 0x10);
						 *(_t1694 - 4) = 0x36;
						__eflags = _t1090;
						if(_t1090 == 0) {
							_t1090 = 0x47e150;
						}
						L0040BDDD(_t1694 - 0x26c, _t1090);
						 *(_t1694 - 4) = 0x33;
						E0041A460(_t1694 - 0x88);
						_push(0);
						_push(_t1694 + 0x27);
						_push(0x47e150);
						 *((intOrPtr*)(_t1694 - 0x11c)) = 0x4675d8;
						 *((intOrPtr*)(_t1694 - 0xfc)) = 0x4675d0;
						L0040B34B(_t1694 - 0x11c);
						_push(0);
						_push(_t1694 - 0x11);
						_push(0x47e150);
						 *(_t1694 - 4) = 0x37;
						 *((intOrPtr*)(_t1694 - 0x44)) = 0x4675d8;
						 *((intOrPtr*)(_t1694 - 0x24)) = 0x4675d0;
						L0040B34B(_t1694 - 0x44);
						_push(0);
						_push(_t1694 - 0x13);
						_push(0x47e150);
						 *(_t1694 - 4) = 0x38;
						 *((intOrPtr*)(_t1694 - 0x6c)) = 0x4675d8;
						 *((intOrPtr*)(_t1694 - 0x4c)) = 0x4675d0;
						L0040B34B(_t1694 - 0x6c);
						_push(_t1694 - 0x11c);
						_push(_t1694 - 0x44);
						_push(_t1694 - 0x6c);
						_push(_t1694 - 0x26c);
						_push(_t1694 - 0x294);
						_push(_t1694 - 0x244);
						 *(_t1694 - 4) = 0x39;
						L00421797( *((intOrPtr*)(_t1694 - 0x10)), __eflags);
						 *(_t1694 - 4) = 0x38;
						E004061C1(_t1694 - 0x6c);
						 *(_t1694 - 4) = 0x37;
						E004061C1(_t1694 - 0x44);
						 *(_t1694 - 4) = 0x33;
						E004061C1(_t1694 - 0x11c);
						L00425ECD( *((intOrPtr*)(_t1694 - 0x10)) + 0x264, _t1694 - 0x294);
						_t1112 = L" -- Successful";
						 *((intOrPtr*)(_t1694 - 0x6c)) = 0x4675d8;
						 *((intOrPtr*)(_t1694 - 0x4c)) = 0x4675d0;
						__eflags = _t1112;
						if(_t1112 == 0) {
							_t1112 = 0x47e150;
						}
						_push(0);
						_push(_t1694 + 0x27);
						_push(_t1112);
						L0040B34B(_t1694 - 0x6c);
						_push(1);
						_push(1);
						_push(_t1694 - 0x6c);
						 *(_t1694 - 4) = 0x3a;
						L0042189A(0,  *((intOrPtr*)(_t1694 - 0x10)), __eflags);
						 *(_t1694 - 4) = 0x33;
						E004061C1(_t1694 - 0x6c);
						 *(_t1694 - 4) = 0;
						L0041EFC5(_t1694 - 0x294, __eflags);
					}
				} else {
					if(L00425D10(_t1694 + 8, L"operatingsystemcondition") != 0 ||  *((intOrPtr*)(_t1682 + 0x25e)) != 0) {
						__eflags =  *(_t1682 + 0x3ec);
						if( *(_t1682 + 0x3ec) == 0) {
							goto L111;
						} else {
							_t1119 = L00425D10(_t1694 + 8, L"condition");
							__eflags = _t1119;
							if(_t1119 != 0) {
								goto L111;
							} else {
								 *((intOrPtr*)(_t1694 - 0x94)) = 0x4675d8;
								 *((char*)( *((intOrPtr*)(_t1694 - 0x10)) + 0x25f)) = 1;
								_t1121 = L"condition";
								 *((intOrPtr*)(_t1694 - 0x74)) = 0x4675d0;
								__eflags = _t1121;
								if(_t1121 == 0) {
									_t1121 = 0x47e150;
								}
								_push(0);
								_push(_t1694 - 0x19);
								_push(_t1121);
								L0040B34B(_t1694 - 0x94);
								_push(1);
								_push(0);
								_push(_t1694 - 0x94);
								 *(_t1694 - 4) = 0x1d;
								L0042189A(0,  *((intOrPtr*)(_t1694 - 0x10)), __eflags);
								 *(_t1694 - 4) = 0;
								E004061C1(_t1694 - 0x94);
								_push(L"Type");
								_push(_t1694 - 0x160);
								_t1128 =  *(L004392EF( *(_t1694 + 0x24), __eflags) + 0x10);
								 *(_t1694 - 4) = 0x1e;
								__eflags = _t1128;
								 *((intOrPtr*)(_t1694 - 0x44)) = 0x4675d8;
								 *((intOrPtr*)(_t1694 - 0x24)) = 0x4675d0;
								if(_t1128 == 0) {
									_t1128 = 0x47e150;
								}
								_push(0);
								_push(_t1694 - 0x19);
								_push(_t1128);
								L0040B34B(_t1694 - 0x44);
								 *(_t1694 - 4) = 0x20;
								E0041A460(_t1694 - 0x160);
								_push(L"Comparison");
								_push(_t1694 - 0x200);
								_t1133 =  *(L004392EF( *(_t1694 + 0x24), __eflags) + 0x10);
								 *(_t1694 - 4) = 0x21;
								__eflags = _t1133;
								 *((intOrPtr*)(_t1694 - 0x11c)) = 0x4675d8;
								 *((intOrPtr*)(_t1694 - 0xfc)) = 0x4675d0;
								if(_t1133 == 0) {
									_t1133 = 0x47e150;
								}
								_push(0);
								_push(_t1694 - 0x12);
								_push(_t1133);
								L0040B34B(_t1694 - 0x11c);
								 *(_t1694 - 4) = 0x23;
								E0041A460(_t1694 - 0x200);
								_push(L"Path");
								_push(_t1694 - 0x21c);
								_t1138 =  *(L004392EF( *(_t1694 + 0x24), __eflags) + 0x10);
								 *(_t1694 - 4) = 0x24;
								__eflags = _t1138;
								 *((intOrPtr*)(_t1694 - 0x194)) = 0x4675d8;
								 *((intOrPtr*)(_t1694 - 0x174)) = 0x4675d0;
								if(_t1138 == 0) {
									_t1138 = 0x47e150;
								}
								_push(0);
								_push(_t1694 - 0x1a);
								_push(_t1138);
								L0040B34B(_t1694 - 0x194);
								 *(_t1694 - 4) = 0x26;
								E0041A460(_t1694 - 0x21c);
								_push(L"FileName");
								_push(_t1694 - 0xe8);
								_t1143 =  *(L004392EF( *(_t1694 + 0x24), __eflags) + 0x10);
								 *(_t1694 - 4) = 0x27;
								__eflags = _t1143;
								 *((intOrPtr*)(_t1694 - 0x1e4)) = 0x4675d8;
								 *((intOrPtr*)(_t1694 - 0x1c4)) = 0x4675d0;
								if(_t1143 == 0) {
									_t1143 = 0x47e150;
								}
								_push(0);
								_push(_t1694 - 0x95);
								_push(_t1143);
								L0040B34B(_t1694 - 0x1e4);
								 *(_t1694 - 4) = 0x29;
								E0041A460(_t1694 - 0xe8);
								_push(L"ReturnValue");
								_push(_t1694 - 0xc0);
								_t1148 =  *(L004392EF( *(_t1694 + 0x24), __eflags) + 0x10);
								 *(_t1694 - 4) = 0x2a;
								__eflags = _t1148;
								 *((intOrPtr*)(_t1694 - 0x1bc)) = 0x4675d8;
								 *((intOrPtr*)(_t1694 - 0x19c)) = 0x4675d0;
								if(_t1148 == 0) {
									_t1148 = 0x47e150;
								}
								_push(0);
								_push(_t1694 - 0x13);
								_push(_t1148);
								L0040B34B(_t1694 - 0x1bc);
								 *(_t1694 - 4) = 0x2c;
								E0041A460(_t1694 - 0xc0);
								_push(L"Bits");
								_push(_t1694 - 0x88);
								_t1153 =  *(L004392EF( *(_t1694 + 0x24), __eflags) + 0x10);
								 *(_t1694 - 4) = 0x2d;
								__eflags = _t1153;
								 *((intOrPtr*)(_t1694 - 0x144)) = 0x4675d8;
								 *((intOrPtr*)(_t1694 - 0x124)) = 0x4675d0;
								if(_t1153 == 0) {
									_t1153 = 0x47e150;
								}
								_push(0);
								_push(_t1694 + 0x27);
								_push(_t1153);
								L0040B34B(_t1694 - 0x144);
								 *(_t1694 - 4) = 0x2f;
								E0041A460(_t1694 - 0x88);
								_push(_t1694 - 0x1bc);
								_push(_t1694 - 0x144);
								_push(_t1694 - 0x1e4);
								_push(_t1694 - 0x194);
								_push(_t1694 - 0x11c);
								_push(_t1694 - 0x44);
								L00421797( *((intOrPtr*)(_t1694 - 0x10)), __eflags);
								_t1169 = E004235DE( *((intOrPtr*)(_t1694 - 0x10)), __eflags, _t1694 - 0x44, _t1694 - 0x11c, _t1694 - 0x194, _t1694 - 0x1e4, _t1694 - 0x144, _t1694 - 0x1bc); // executed
								__eflags = _t1169;
								if(_t1169 != 0) {
									_t1170 = L" -- Successful";
									 *((intOrPtr*)(_t1694 - 0x6c)) = 0x4675d8;
									 *((intOrPtr*)(_t1694 - 0x4c)) = 0x4675d0;
									__eflags = _t1170;
									if(_t1170 == 0) {
										_t1170 = 0x47e150;
									}
									_push(0);
									_push(_t1694 - 0x11);
									_push(_t1170);
									L0040B34B(_t1694 - 0x6c);
									_push(0);
									_push(1);
									_push(_t1694 - 0x6c);
									 *(_t1694 - 4) = 0x31;
									L0042189A(0,  *((intOrPtr*)(_t1694 - 0x10)), __eflags);
									 *(_t1694 - 4) = 0x2f;
									E004061C1(_t1694 - 0x6c);
								} else {
									_t1180 = L" -- Failed!";
									 *((intOrPtr*)(_t1694 - 0x6c)) = 0x4675d8;
									 *((intOrPtr*)(_t1694 - 0x4c)) = 0x4675d0;
									__eflags = _t1180;
									if(_t1180 == 0) {
										_t1180 = 0x47e150;
									}
									_push(0);
									_push(_t1694 - 0x11);
									_push(_t1180);
									L0040B34B(_t1694 - 0x6c);
									_t1691 =  *((intOrPtr*)(_t1694 - 0x10));
									_push(0);
									_push(1);
									_push(_t1694 - 0x6c);
									 *(_t1694 - 4) = 0x30;
									L0042189A(0, _t1691, __eflags);
									 *(_t1694 - 4) = 0x2f;
									E004061C1(_t1694 - 0x6c);
									 *((char*)(_t1691 + 0x260)) = 0;
								}
								 *(_t1694 - 4) = 0x2c;
								E004061C1(_t1694 - 0x144);
								 *(_t1694 - 4) = 0x29;
								E004061C1(_t1694 - 0x1bc);
								 *(_t1694 - 4) = 0x26;
								E004061C1(_t1694 - 0x1e4);
								 *(_t1694 - 4) = 0x23;
								E004061C1(_t1694 - 0x194);
								 *(_t1694 - 4) = 0x20;
								E004061C1(_t1694 - 0x11c);
								 *(_t1694 - 4) = 0;
								_t1398 = _t1694 - 0x44;
								goto L218;
							}
						}
					} else {
						_t1185 = L"operatingsystemcondition";
						_t1702 = _t1185;
						 *((intOrPtr*)(_t1694 - 0x44)) = 0x4675d8;
						 *((intOrPtr*)(_t1694 - 0x24)) = 0x4675d0;
						if(_t1185 == 0) {
							_t1185 = 0x47e150;
						}
						_push(0);
						_push(_t1694 - 0x1a);
						_push(_t1185);
						L0040B34B(_t1694 - 0x44);
						_push(1);
						_push(0);
						_push(_t1694 - 0x44);
						 *(_t1694 - 4) = 1;
						L0042189A(0,  *((intOrPtr*)(_t1694 - 0x10)), _t1702);
						 *(_t1694 - 4) = 0;
						E004061C1(_t1694 - 0x44);
						_t1571 =  *((intOrPtr*)(_t1694 - 0x10));
						_push(1);
						_push( *((intOrPtr*)(_t1571 + 0x30)));
						 *((char*)(_t1571 + 0x25d)) = 1;
						_push(L"MajorVersion");
						_push( *(_t1694 + 0x24));
						if(L00423412(_t1571, _t1702) != 0) {
							_push(1);
							_push( *((intOrPtr*)( *((intOrPtr*)(_t1694 - 0x10)) + 0x34)));
							_push(L"MinorVersion");
							_push( *(_t1694 + 0x24));
							_t1191 = L00423412( *((intOrPtr*)(_t1694 - 0x10)), __eflags);
							__eflags = _t1191;
							if(_t1191 != 0) {
								L15:
								_t1192 =  *((intOrPtr*)(_t1694 - 0x10));
								__eflags =  *((intOrPtr*)(_t1192 + 0x3c)) - 1;
								if(__eflags != 0) {
									L21:
									_push(5);
									_push( *( *((intOrPtr*)(_t1694 - 0x10)) + 0x254) & 0x0000ffff);
									_push(L"ServicePackMajorMin");
									_push( *(_t1694 + 0x24));
									__eflags = L00423412( *((intOrPtr*)(_t1694 - 0x10)), __eflags);
									if(__eflags != 0) {
										_push(3);
										_push( *( *((intOrPtr*)(_t1694 - 0x10)) + 0x254) & 0x0000ffff);
										_push(L"ServicePackMajorMax");
										_push( *(_t1694 + 0x24));
										__eflags = L00423412( *((intOrPtr*)(_t1694 - 0x10)), __eflags);
										if(__eflags != 0) {
											_push(5);
											_push( *((intOrPtr*)( *((intOrPtr*)(_t1694 - 0x10)) + 0x38)));
											_push(L"BuildNumber");
											_push( *(_t1694 + 0x24));
											__eflags = L00423412( *((intOrPtr*)(_t1694 - 0x10)), __eflags);
											if(__eflags != 0) {
												_push(1);
												_push( *((intOrPtr*)( *((intOrPtr*)(_t1694 - 0x10)) + 0x3c)));
												_push(L"PlatformId");
												_push( *(_t1694 + 0x24));
												__eflags = L00423412( *((intOrPtr*)(_t1694 - 0x10)), __eflags);
												if(__eflags != 0) {
													_push(L"CSDVersion");
													_push(_t1694 - 0x21c);
													_t1201 =  *(L004392EF( *(_t1694 + 0x24), __eflags) + 0x10);
													 *(_t1694 - 4) = 9;
													__eflags = _t1201;
													 *((intOrPtr*)(_t1694 - 0x94)) = 0x4675d8;
													 *((intOrPtr*)(_t1694 - 0x74)) = 0x4675d0;
													if(_t1201 == 0) {
														_t1201 = 0x47e150;
													}
													_push(0);
													_push(_t1694 - 0x1a);
													_push(_t1201);
													L0040B34B(_t1694 - 0x94);
													 *(_t1694 - 4) = 0xb;
													E0041A460(_t1694 - 0x21c);
													__eflags =  *(_t1694 - 0x88);
													if(__eflags == 0) {
														L47:
														_push(1);
														_push( *( *((intOrPtr*)(_t1694 - 0x10)) + 0x25a) & 0x000000ff);
														_push(L"ProductType");
														_push( *(_t1694 + 0x24));
														__eflags = L004234D0( *((intOrPtr*)(_t1694 - 0x10)), 0x4675d8, __eflags);
														if(__eflags != 0) {
															_push(L"Language");
															_push(_t1694 - 0x200);
															_t1208 =  *(L004392EF( *(_t1694 + 0x24), __eflags) + 0x10);
															 *(_t1694 - 4) = 0x11;
															__eflags = _t1208;
															 *((intOrPtr*)(_t1694 - 0xcc)) = 0x4675d8;
															 *((intOrPtr*)(_t1694 - 0xac)) = 0x4675d0;
															if(_t1208 == 0) {
																_t1208 = 0x47e150;
															}
															_push(0);
															_push(_t1694 - 0x19);
															_push(_t1208);
															L0040B34B(_t1694 - 0xcc);
															 *(_t1694 - 4) = 0x13;
															E0041A460(_t1694 - 0x200);
															__eflags =  *(_t1694 - 0xc0);
															if(__eflags == 0) {
																L58:
																_push(L"Bits");
																_push(_t1694 - 0x160);
																_t1213 =  *(L004392EF( *(_t1694 + 0x24), __eflags) + 0x10);
																 *(_t1694 - 4) = 0x15;
																__eflags = _t1213;
																 *((intOrPtr*)(_t1694 - 0x144)) = 0x4675d8;
																 *((intOrPtr*)(_t1694 - 0x124)) = 0x4675d0;
																if(_t1213 == 0) {
																	_t1213 = 0x47e150;
																}
																_push(0);
																_push(_t1694 + 0x27);
																_push(_t1213);
																L0040B34B(_t1694 - 0x144);
																 *(_t1694 - 4) = 0x17;
																E0041A460(_t1694 - 0x160);
																E00426733(_t1694 - 0x144, _t1694 - 0x18, 0xa);
																_t1218 =  *(_t1694 - 0x18);
																__eflags = _t1218 & 0x00000001;
																if(__eflags == 0) {
																	__eflags = _t1218 & 0x00000002;
																	if(__eflags == 0) {
																		__eflags = _t1218 & 0x00000004;
																		if((_t1218 & 0x00000004) == 0) {
																			__eflags = _t1218 & 0x00000008;
																			if((_t1218 & 0x00000008) == 0) {
																				goto L81;
																			} else {
																				_t1226 = E0042E698();
																				__eflags = _t1226;
																				if(_t1226 != 0) {
																					goto L81;
																				} else {
																					_t1227 = L" -- Failed!";
																					 *((intOrPtr*)(_t1694 - 0x44)) = 0x4675d8;
																					 *((intOrPtr*)(_t1694 - 0x24)) = 0x4675d0;
																					__eflags = _t1227;
																					if(_t1227 == 0) {
																						_t1227 = 0x47e150;
																					}
																					_push(0);
																					_push(_t1694 - 0x12);
																					_push(_t1227);
																					L0040B34B(_t1694 - 0x44);
																					_push(0);
																					_push(1);
																					_push(_t1694 - 0x44);
																					 *(_t1694 - 4) = 0x1b;
																					L0042189A(0,  *((intOrPtr*)(_t1694 - 0x10)), __eflags);
																					 *(_t1694 - 4) = 0x17;
																					_t1602 = _t1694 - 0x44;
																					goto L65;
																				}
																			}
																		} else {
																			_t1232 = E0042E6B4();
																			__eflags = _t1232;
																			if(_t1232 != 0) {
																				goto L81;
																			} else {
																				_t1233 = L" -- Failed!";
																				 *((intOrPtr*)(_t1694 - 0x44)) = 0x4675d8;
																				 *((intOrPtr*)(_t1694 - 0x24)) = 0x4675d0;
																				__eflags = _t1233;
																				if(_t1233 == 0) {
																					_t1233 = 0x47e150;
																				}
																				_push(0);
																				_push(_t1694 - 0x12);
																				_push(_t1233);
																				L0040B34B(_t1694 - 0x44);
																				_push(0);
																				_push(1);
																				_push(_t1694 - 0x44);
																				 *(_t1694 - 4) = 0x1a;
																				L0042189A(0,  *((intOrPtr*)(_t1694 - 0x10)), __eflags);
																				 *(_t1694 - 4) = 0x17;
																				_t1602 = _t1694 - 0x44;
																				goto L65;
																			}
																		}
																	} else {
																		_t1237 = E0042E67F(__eflags);
																		__eflags = _t1237;
																		if(_t1237 != 0) {
																			goto L81;
																		} else {
																			_t1238 = L" -- Failed!";
																			 *((intOrPtr*)(_t1694 - 0x44)) = 0x4675d8;
																			 *((intOrPtr*)(_t1694 - 0x24)) = 0x4675d0;
																			__eflags = _t1238;
																			if(_t1238 == 0) {
																				_t1238 = 0x47e150;
																			}
																			_push(0);
																			_push(_t1694 - 0x12);
																			_push(_t1238);
																			L0040B34B(_t1694 - 0x44);
																			_push(0);
																			_push(1);
																			_push(_t1694 - 0x44);
																			 *(_t1694 - 4) = 0x19;
																			L0042189A(0,  *((intOrPtr*)(_t1694 - 0x10)), __eflags);
																			 *(_t1694 - 4) = 0x17;
																			_t1602 = _t1694 - 0x44;
																			goto L65;
																		}
																	}
																} else {
																	_t1242 = E0042E67F(__eflags);
																	__eflags = _t1242;
																	if(_t1242 == 0) {
																		L81:
																		_t1219 = L" -- Successful";
																		 *((intOrPtr*)(_t1694 - 0x44)) = 0x4675d8;
																		 *((intOrPtr*)(_t1694 - 0x24)) = 0x4675d0;
																		__eflags = _t1219;
																		if(_t1219 == 0) {
																			_t1219 = 0x47e150;
																		}
																		_push(0);
																		_push(_t1694 - 0x12);
																		_push(_t1219);
																		L0040B34B(_t1694 - 0x44);
																		_t1693 =  *((intOrPtr*)(_t1694 - 0x10));
																		_push(0);
																		_push(1);
																		_push(_t1694 - 0x44);
																		 *(_t1694 - 4) = 0x1c;
																		L0042189A(0, _t1693, __eflags);
																		 *(_t1694 - 4) = 0x17;
																		E004061C1(_t1694 - 0x44);
																		 *((char*)(_t1693 + 0x25e)) = 1;
																	} else {
																		_t1243 = L" -- Failed!";
																		 *((intOrPtr*)(_t1694 - 0x44)) = 0x4675d8;
																		 *((intOrPtr*)(_t1694 - 0x24)) = 0x4675d0;
																		__eflags = _t1243;
																		if(_t1243 == 0) {
																			_t1243 = 0x47e150;
																		}
																		_push(0);
																		_push(_t1694 - 0x12);
																		_push(_t1243);
																		L0040B34B(_t1694 - 0x44);
																		_push(0);
																		_push(1);
																		_push(_t1694 - 0x44);
																		 *(_t1694 - 4) = 0x18;
																		L0042189A(0,  *((intOrPtr*)(_t1694 - 0x10)), __eflags);
																		 *(_t1694 - 4) = 0x17;
																		_t1602 = _t1694 - 0x44;
																		L65:
																		E004061C1(_t1602);
																	}
																}
																 *(_t1694 - 4) = 0x13;
																_t1596 = _t1694 - 0x144;
															} else {
																L0042189A(0,  *((intOrPtr*)(_t1694 - 0x10)), __eflags);
																_t1250 = E00426733(_t1694 - 0xcc, _t1694 - 0x18, 0xa);
																__imp__GetSystemDefaultUILanguage(_t1694 - 0xcc, 0, 1);
																__eflags =  *(_t1694 - 0x18) - (_t1250 & 0x0000ffff);
																if(__eflags == 0) {
																	goto L58;
																} else {
																	_t1252 = L" -- Failed!";
																	 *((intOrPtr*)(_t1694 - 0x44)) = 0x4675d8;
																	 *((intOrPtr*)(_t1694 - 0x24)) = 0x4675d0;
																	__eflags = _t1252;
																	if(_t1252 == 0) {
																		_t1252 = 0x47e150;
																	}
																	_push(0);
																	_push(_t1694 + 0x27);
																	_push(_t1252);
																	L0040B34B(_t1694 - 0x44);
																	_push(0);
																	_push(1);
																	_push(_t1694 - 0x44);
																	 *(_t1694 - 4) = 0x14;
																	L0042189A(0,  *((intOrPtr*)(_t1694 - 0x10)), __eflags);
																	 *(_t1694 - 4) = 0x13;
																	_t1596 = _t1694 - 0x44;
																}
															}
															E004061C1(_t1596);
															 *(_t1694 - 4) = 0xb;
															_t1597 = _t1694 - 0xcc;
														} else {
															_t1256 = L" -- Failed!";
															 *((intOrPtr*)(_t1694 - 0x44)) = 0x4675d8;
															 *((intOrPtr*)(_t1694 - 0x24)) = 0x4675d0;
															__eflags = _t1256;
															if(_t1256 == 0) {
																_t1256 = 0x47e150;
															}
															_push(0);
															_push(_t1694 + 0x27);
															_push(_t1256);
															L0040B34B(_t1694 - 0x44);
															_push(1);
															_push(1);
															_push(_t1694 - 0x44);
															 *(_t1694 - 4) = 0x10;
															L0042189A(0,  *((intOrPtr*)(_t1694 - 0x10)), __eflags);
															 *(_t1694 - 4) = 0xb;
															_t1597 = _t1694 - 0x44;
														}
													} else {
														_push(1);
														_push(0);
														_push(_t1694 - 0x94);
														L0042189A(0,  *((intOrPtr*)(_t1694 - 0x10)), __eflags);
														_push(1);
														_push(_t1694 - 0x12);
														_push(L"\n\t ");
														L0040B34B(_t1694 - 0x6c);
														 *(_t1694 - 4) = 0xc;
														L00425D35(_t1694 - 0x94, _t1694, __eflags, _t1694 - 0x6c);
														 *(_t1694 - 4) = 0xb;
														E004061C1(_t1694 - 0x6c);
														 *(_t1694 - 0x16c) = 0x4675d8;
														_t1268 =  *((intOrPtr*)(_t1694 - 0x10)) + 0x40;
														 *((intOrPtr*)(_t1694 - 0x14c)) = 0x4675d0;
														__eflags = _t1268;
														if(_t1268 == 0) {
															_t1268 = 0x47e150;
														}
														_push(0);
														_push(_t1694 - 0x12);
														_push(_t1268);
														L0040B34B(_t1694 - 0x16c);
														_push(1);
														_push(_t1694 - 0x19);
														_push(L"\n\t ");
														 *(_t1694 - 4) = 0xd;
														L0040B34B(_t1694 - 0x6c);
														 *(_t1694 - 4) = 0xe;
														L00425D35(_t1694 - 0x16c, _t1694, __eflags, _t1694 - 0x6c);
														 *(_t1694 - 4) = 0xd;
														E004061C1(_t1694 - 0x6c);
														asm("sbb eax, eax");
														_t1278 = L0040CD59(_t1694 - 0x90,  ~(_t1694 - 0x16c) & _t1694 - 0x00000168);
														__eflags = _t1278;
														if(_t1278 <= 0) {
															 *(_t1694 - 4) = 0xb;
															E004061C1(_t1694 - 0x16c);
															goto L47;
														} else {
															_t1280 = L" -- Failed!";
															 *((intOrPtr*)(_t1694 - 0x44)) = 0x4675d8;
															 *((intOrPtr*)(_t1694 - 0x24)) = 0x4675d0;
															__eflags = _t1280;
															if(_t1280 == 0) {
																_t1280 = 0x47e150;
															}
															_push(0);
															_push(_t1694 + 0x27);
															_push(_t1280);
															L0040B34B(_t1694 - 0x44);
															_push(0);
															_push(1);
															_push(_t1694 - 0x44);
															 *(_t1694 - 4) = 0xf;
															L0042189A(0,  *((intOrPtr*)(_t1694 - 0x10)), __eflags);
															 *(_t1694 - 4) = 0xd;
															E004061C1(_t1694 - 0x44);
															 *(_t1694 - 4) = 0xb;
															_t1597 = _t1694 - 0x16c;
														}
													}
													E004061C1(_t1597);
													 *(_t1694 - 4) = 0;
													_t1398 = _t1694 - 0x94;
												} else {
													_t1285 = L" -- Failed!";
													 *((intOrPtr*)(_t1694 - 0x44)) = 0x4675d8;
													 *((intOrPtr*)(_t1694 - 0x24)) = 0x4675d0;
													__eflags = _t1285;
													if(_t1285 == 0) {
														_t1285 = 0x47e150;
													}
													_push(0);
													_push(_t1694 + 0x27);
													_push(_t1285);
													L0040B34B(_t1694 - 0x44);
													_push(1);
													_push(1);
													_push(_t1694 - 0x44);
													 *(_t1694 - 4) = 8;
													L0042189A(0,  *((intOrPtr*)(_t1694 - 0x10)), __eflags);
													 *(_t1694 - 4) = 0;
													_t1398 = _t1694 - 0x44;
												}
											} else {
												_t1289 = L" -- Failed!";
												 *((intOrPtr*)(_t1694 - 0x44)) = 0x4675d8;
												 *((intOrPtr*)(_t1694 - 0x24)) = 0x4675d0;
												__eflags = _t1289;
												if(_t1289 == 0) {
													_t1289 = 0x47e150;
												}
												_push(0);
												_push(_t1694 + 0x27);
												_push(_t1289);
												L0040B34B(_t1694 - 0x44);
												_push(1);
												_push(1);
												_push(_t1694 - 0x44);
												 *(_t1694 - 4) = 7;
												L0042189A(0,  *((intOrPtr*)(_t1694 - 0x10)), __eflags);
												 *(_t1694 - 4) = 0;
												_t1398 = _t1694 - 0x44;
											}
										} else {
											_t1293 = L" -- Failed!";
											 *((intOrPtr*)(_t1694 - 0x44)) = 0x4675d8;
											 *((intOrPtr*)(_t1694 - 0x24)) = 0x4675d0;
											__eflags = _t1293;
											if(_t1293 == 0) {
												_t1293 = 0x47e150;
											}
											_push(0);
											_push(_t1694 + 0x27);
											_push(_t1293);
											L0040B34B(_t1694 - 0x44);
											_push(1);
											_push(1);
											_push(_t1694 - 0x44);
											 *(_t1694 - 4) = 6;
											L0042189A(0,  *((intOrPtr*)(_t1694 - 0x10)), __eflags);
											 *(_t1694 - 4) = 0;
											_t1398 = _t1694 - 0x44;
										}
									} else {
										_t1297 = L" -- Failed!";
										 *((intOrPtr*)(_t1694 - 0x44)) = 0x4675d8;
										 *((intOrPtr*)(_t1694 - 0x24)) = 0x4675d0;
										__eflags = _t1297;
										if(_t1297 == 0) {
											_t1297 = 0x47e150;
										}
										_push(0);
										_push(_t1694 + 0x27);
										_push(_t1297);
										L0040B34B(_t1694 - 0x44);
										_push(1);
										_push(1);
										_push(_t1694 - 0x44);
										 *(_t1694 - 4) = 5;
										L0042189A(0,  *((intOrPtr*)(_t1694 - 0x10)), __eflags);
										 *(_t1694 - 4) = 0;
										_t1398 = _t1694 - 0x44;
									}
								} else {
									_t1303 =  *(_t1192 + 0x38) >> 0x00000010 & 0x000000ff;
									__eflags = _t1303 - 0x5a;
									if(__eflags != 0) {
										goto L21;
									} else {
										_push(1);
										_push(_t1303);
										_push(L"MinorVersion");
										_push( *(_t1694 + 0x24));
										__eflags = L00423412( *((intOrPtr*)(_t1694 - 0x10)), __eflags);
										if(__eflags != 0) {
											goto L21;
										} else {
											_t1305 = L" -- Failed!";
											 *((intOrPtr*)(_t1694 - 0x44)) = 0x4675d8;
											 *((intOrPtr*)(_t1694 - 0x24)) = 0x4675d0;
											__eflags = _t1305;
											if(_t1305 == 0) {
												_t1305 = 0x47e150;
											}
											_push(0);
											_push(_t1694 + 0x27);
											_push(_t1305);
											L0040B34B(_t1694 - 0x44);
											_push(1);
											_push(1);
											_push(_t1694 - 0x44);
											 *(_t1694 - 4) = 4;
											L0042189A(0,  *((intOrPtr*)(_t1694 - 0x10)), __eflags);
											 *(_t1694 - 4) = 0;
											_t1398 = _t1694 - 0x44;
										}
									}
								}
							} else {
								_t1663 =  *((intOrPtr*)(_t1694 - 0x10));
								__eflags =  *((intOrPtr*)(_t1663 + 0x3c)) - 1;
								_t1311 =  *(_t1663 + 0x38) >> 0x00000010 & 0x000000ff;
								if(__eflags != 0) {
									L12:
									_t1312 = L" -- Failed!";
									 *((intOrPtr*)(_t1694 - 0x44)) = 0x4675d8;
									 *((intOrPtr*)(_t1694 - 0x24)) = 0x4675d0;
									__eflags = _t1312;
									if(_t1312 == 0) {
										_t1312 = 0x47e150;
									}
									_push(0);
									_push(_t1694 + 0x27);
									_push(_t1312);
									L0040B34B(_t1694 - 0x44);
									_push(1);
									_push(1);
									_push(_t1694 - 0x44);
									 *(_t1694 - 4) = 3;
									L0042189A(0,  *((intOrPtr*)(_t1694 - 0x10)), __eflags);
									 *(_t1694 - 4) = 0;
									_t1398 = _t1694 - 0x44;
								} else {
									_push(1);
									_push(_t1311);
									_push(L"MinorVersion");
									_push( *(_t1694 + 0x24));
									_t1316 = L00423412(_t1663, __eflags);
									__eflags = _t1316;
									if(_t1316 != 0) {
										goto L15;
									} else {
										goto L12;
									}
								}
							}
						} else {
							_t1317 = L" -- Failed!";
							 *((intOrPtr*)(_t1694 - 0x44)) = 0x4675d8;
							 *((intOrPtr*)(_t1694 - 0x24)) = 0x4675d0;
							_t1704 = _t1317;
							if(_t1317 == 0) {
								_t1317 = 0x47e150;
							}
							_push(0);
							_push(_t1694 + 0x27);
							_push(_t1317);
							L0040B34B(_t1694 - 0x44);
							_push(1);
							_push(1);
							_push(_t1694 - 0x44);
							 *(_t1694 - 4) = 2;
							L0042189A(0,  *((intOrPtr*)(_t1694 - 0x10)), _t1704);
							 *(_t1694 - 4) = 0;
							_t1398 = _t1694 - 0x44;
						}
						L218:
						E004061C1(_t1398);
					}
				}
				 *(_t1694 - 4) =  *(_t1694 - 4) | 0xffffffff;
				_t838 = E0041A460(_t1694 + 8);
				 *[fs:0x0] =  *((intOrPtr*)(_t1694 - 0xc));
				return _t838;
			}

0x004219ac
0x004219b9
0x004219bc
0x004219c7
0x004219ca
0x0042258c
0x00422594
0x00422599
0x0042259b
0x004227dd
0x004227e2
0x004227e4
0x0042292a
0x0042292f
0x00422931
0x00422d9c
0x00422da1
0x00422da3
0x00422eb4
0x00422eb9
0x00422ebb
0x00422ec1
0x00422ed2
0x00422ed4
0x00422ed7
0x00422eda
0x00422edc
0x00422edc
0x00422ee4
0x00422ee5
0x00422ee6
0x00422eea
0x00422ef2
0x00422ef7
0x00422ef8
0x00422ef9
0x00422efd
0x00422f05
0x00422f08
0x00422f16
0x00422f1b
0x00422f21
0x00422f24
0x00422f28
0x00422f2a
0x00422f30
0x00422f36
0x00422f38
0x00422f38
0x00422f40
0x00422f41
0x00422f42
0x00422f49
0x00422f54
0x00422f58
0x00422f69
0x00422f6e
0x00422f71
0x00422f76
0x00422f76
0x00422f7d
0x00422f82
0x00422f87
0x00422f8a
0x00422f8c
0x00422f8e
0x00422f8e
0x00422f96
0x00422f97
0x00422f98
0x00422f9c
0x00422fa4
0x00422fa9
0x00422faa
0x00422fab
0x00422faf
0x00422fb7
0x00422fbb
0x00422fc3
0x00422fcb
0x00422fcc
0x00422fcd
0x00422fdb
0x00422fe0
0x00422fe6
0x00422fe9
0x00422fed
0x00422fef
0x00422ff1
0x00422ff1
0x00422ffd
0x00423008
0x0042300c
0x0042301d
0x00423022
0x00423025
0x00423027
0x0042302c
0x0042302c
0x00423032
0x00423037
0x0042303c
0x0042303f
0x00423041
0x00423043
0x00423043
0x0042304b
0x0042304c
0x0042304d
0x00423051
0x00423059
0x0042305e
0x0042305f
0x00423060
0x00423064
0x0042306c
0x00423070
0x00423078
0x00423080
0x00423081
0x00423082
0x00423090
0x00423095
0x0042309b
0x0042309e
0x004230a2
0x004230a4
0x004230a6
0x004230a6
0x004230b2
0x004230bd
0x004230c1
0x004230d2
0x004230d7
0x004230da
0x004230dc
0x004230e1
0x004230e1
0x004230e7
0x004230ec
0x004230f1
0x004230f4
0x004230f6
0x004230f8
0x004230f8
0x00423100
0x00423101
0x00423102
0x00423106
0x0042310e
0x00423113
0x00423114
0x00423115
0x00423119
0x00423121
0x00423125
0x0042312d
0x00423134
0x00423136
0x00423137
0x00423145
0x0042314a
0x00423150
0x00423153
0x00423157
0x00423159
0x0042315b
0x0042315b
0x00423167
0x00423172
0x00423176
0x00423187
0x0042318c
0x0042318f
0x00423194
0x00423194
0x0042319b
0x004231a0
0x004231a5
0x004231a8
0x004231aa
0x004231ac
0x004231ac
0x004231b4
0x004231b5
0x004231b6
0x004231ba
0x004231c2
0x004231c7
0x004231c8
0x004231c9
0x004231cd
0x004231d5
0x004231d9
0x004231e1
0x004231e8
0x004231ea
0x004231eb
0x004231f9
0x004231fe
0x00423204
0x00423207
0x0042320b
0x0042320d
0x0042320f
0x0042320f
0x0042321b
0x00423226
0x0042322a
0x0042323b
0x00423240
0x00423243
0x00423248
0x00423248
0x0042324f
0x00423254
0x00423259
0x0042325c
0x0042325e
0x00423260
0x00423260
0x00423268
0x00423269
0x0042326a
0x0042326e
0x00423276
0x0042327b
0x0042327c
0x0042327d
0x00423281
0x00423289
0x0042328d
0x00423295
0x0042329c
0x0042329e
0x0042329f
0x004232ad
0x004232b2
0x004232b8
0x004232bb
0x004232bf
0x004232c1
0x004232c3
0x004232c3
0x004232cf
0x004232da
0x004232de
0x004232ef
0x004232f4
0x004232f7
0x004232fc
0x004232fc
0x00423303
0x00423308
0x0042330d
0x00423310
0x00423312
0x00423314
0x00423314
0x0042331c
0x0042331d
0x0042331e
0x00423322
0x0042332a
0x0042332f
0x00423330
0x00423331
0x00423335
0x0042333d
0x00423341
0x00423349
0x00423350
0x00423352
0x00423353
0x00423358
0x0042335b
0x00000000
0x0042335b
0x00422da9
0x00422da9
0x00422dba
0x00422dbc
0x00422dbf
0x00422dc2
0x00422dc4
0x00422dc4
0x00422dcc
0x00422dcd
0x00422dce
0x00422dd2
0x00422dda
0x00422ddf
0x00422de0
0x00422de1
0x00422de5
0x00422ded
0x00422df0
0x00422df8
0x00422e06
0x00422e0b
0x00422e0c
0x00422e15
0x00422e18
0x00422e1c
0x00422e1e
0x00422e20
0x00422e20
0x00422e29
0x00422e34
0x00422e38
0x00422e4a
0x00422e52
0x00422e57
0x00422e58
0x00422e59
0x00422e5e
0x00422e63
0x00422e68
0x00422e6b
0x00422e6d
0x00422e6f
0x00422e6f
0x00422e77
0x00422e78
0x00422e79
0x00422e7d
0x00422e85
0x00422e89
0x00422e8b
0x00422e8c
0x00422e90
0x00422e98
0x00422e9c
0x00422ea1
0x00422ea4
0x00000000
0x00422ea4
0x00422937
0x00422937
0x00422948
0x0042294a
0x0042294d
0x00422950
0x00422952
0x00422952
0x0042295a
0x0042295b
0x0042295c
0x00422960
0x00422968
0x0042296d
0x0042296e
0x0042296f
0x00422973
0x0042297b
0x0042297e
0x0042298c
0x00422991
0x00422997
0x0042299a
0x0042299e
0x004229a0
0x004229a2
0x004229a2
0x004229b1
0x004229bc
0x004229bf
0x004229cd
0x004229cf
0x004229de
0x004229e3
0x004229e9
0x004229ec
0x004229f0
0x004229f2
0x004229f5
0x004229f8
0x004229fa
0x004229fa
0x00422a02
0x00422a03
0x00422a04
0x00422a08
0x00422a13
0x00422a17
0x00422a31
0x00422a38
0x00422a3c
0x00422a40
0x00422a45
0x00422a48
0x00422a4a
0x00422a4c
0x00422a4e
0x00422a4e
0x00422a66
0x00422a69
0x00422a6d
0x00422a72
0x00422a79
0x00422a8e
0x00422a95
0x00422a99
0x00422a9d
0x00422aa2
0x00422aa5
0x00422aa7
0x00422aa9
0x00422aab
0x00422aab
0x00422ab5
0x00422ac1
0x00422ac5
0x00422ac5
0x00422acd
0x00422ad0
0x00422ad0
0x00422ad8
0x00422ade
0x00422aed
0x00422af2
0x00422af8
0x00422afb
0x00422aff
0x00422b01
0x00422b04
0x00422b07
0x00422b09
0x00422b09
0x00422b11
0x00422b12
0x00422b13
0x00422b17
0x00422b22
0x00422b26
0x00422b40
0x00422b47
0x00422b4b
0x00422b4f
0x00422b54
0x00422b57
0x00422b59
0x00422b5b
0x00422b5d
0x00422b5d
0x00422b75
0x00422b78
0x00422b7c
0x00422b81
0x00422b88
0x00422b9d
0x00422ba4
0x00422ba8
0x00422bac
0x00422bb1
0x00422bb4
0x00422bb6
0x00422bb8
0x00422bba
0x00422bba
0x00422bc4
0x00422bd0
0x00422bd4
0x00422bd4
0x00422bdc
0x00422bdf
0x00422bdf
0x00422bed
0x00422bf2
0x00422bf8
0x00422bfb
0x00422bff
0x00422c01
0x00422c03
0x00422c03
0x00422c12
0x00422c1d
0x00422c20
0x00422c2e
0x00422c33
0x00422c39
0x00422c3c
0x00422c40
0x00422c42
0x00422c44
0x00422c44
0x00422c53
0x00422c5e
0x00422c61
0x00422c69
0x00422c6a
0x00422c6b
0x00422c73
0x00422c76
0x00422c79
0x00422c81
0x00422c85
0x00422c86
0x00422c94
0x00422c95
0x00422c98
0x00422c9f
0x00422ca6
0x00422cad
0x00422cae
0x00422cb6
0x00422cb9
0x00422cbe
0x00422cc3
0x00422cc8
0x00422ccb
0x00422ccd
0x00422ccf
0x00422ccf
0x00422cd7
0x00422cd8
0x00422cd9
0x00422cdd
0x00422ce5
0x00422ce9
0x00422ceb
0x00422cec
0x00422cf0
0x00422cf8
0x00422cfb
0x00422d09
0x00422d0e
0x00422d14
0x00422d17
0x00422d1b
0x00422d1d
0x00422d23
0x00422d29
0x00422d2b
0x00422d2b
0x00422d33
0x00422d34
0x00422d35
0x00422d3c
0x00422d47
0x00422d4b
0x00422d6b
0x00422d70
0x00422d72
0x00422d75
0x00422d80
0x00422d77
0x00422d77
0x00422d77
0x00422d86
0x00422d89
0x00000000
0x00422d89
0x004227ea
0x004227ea
0x004227fb
0x004227fd
0x00422800
0x00422803
0x00422805
0x00422805
0x0042280d
0x0042280e
0x0042280f
0x00422813
0x0042281b
0x00422820
0x00422821
0x00422822
0x00422826
0x0042282e
0x00422831
0x0042283f
0x00422844
0x0042284a
0x0042284d
0x00422851
0x00422853
0x00422855
0x00422855
0x00422864
0x0042286f
0x00422872
0x0042287d
0x00422884
0x00422885
0x00422886
0x00422894
0x00422899
0x0042289f
0x004228a2
0x004228a6
0x004228a8
0x004228aa
0x004228aa
0x004228b9
0x004228c4
0x004228c7
0x004228d2
0x004228d9
0x004228da
0x004228db
0x004228e0
0x004228e5
0x004228ea
0x004228ed
0x004228ef
0x004228f1
0x004228f1
0x004228f9
0x004228fa
0x004228fb
0x004228ff
0x00422907
0x0042290b
0x0042290d
0x0042290e
0x00422912
0x00422917
0x0042291a
0x00000000
0x0042291a
0x004225a1
0x004225a1
0x004225b2
0x004225b4
0x004225b7
0x004225ba
0x004225bc
0x004225bc
0x004225c4
0x004225c5
0x004225c6
0x004225ca
0x004225d2
0x004225d7
0x004225d8
0x004225d9
0x004225dd
0x004225e5
0x004225e8
0x004225f3
0x00422601
0x00422606
0x00422607
0x00422610
0x00422613
0x00422617
0x00422619
0x0042261b
0x0042261b
0x00422627
0x00422632
0x00422636
0x00422644
0x00422649
0x0042264f
0x00422652
0x00422656
0x00422658
0x0042265a
0x0042265a
0x00422666
0x00422671
0x00422675
0x00422683
0x00422688
0x0042268e
0x00422691
0x00422695
0x00422697
0x00422699
0x00422699
0x004226a5
0x004226b0
0x004226b4
0x004226bc
0x004226bd
0x004226be
0x004226c9
0x004226cf
0x004226d5
0x004226dd
0x004226de
0x004226df
0x004226e7
0x004226eb
0x004226ee
0x004226f1
0x004226f9
0x004226fa
0x004226fb
0x00422703
0x00422707
0x0042270a
0x0042270d
0x0042271b
0x0042271f
0x00422723
0x0042272a
0x00422731
0x00422738
0x00422739
0x0042273d
0x00422745
0x00422749
0x00422751
0x00422755
0x00422760
0x00422764
0x00422779
0x0042277e
0x00422783
0x00422788
0x0042278b
0x0042278d
0x0042278f
0x0042278f
0x00422797
0x00422798
0x00422799
0x0042279d
0x004227a5
0x004227aa
0x004227ac
0x004227ad
0x004227b1
0x004227b9
0x004227bd
0x004227c8
0x004227cb
0x004227cb
0x004219d0
0x004219df
0x004221e7
0x004221ed
0x00000000
0x004221f3
0x004221fb
0x00422200
0x00422202
0x00000000
0x00422208
0x00422215
0x0042221b
0x00422222
0x00422229
0x0042222c
0x0042222e
0x00422230
0x00422230
0x00422238
0x00422239
0x0042223a
0x00422241
0x00422249
0x00422251
0x00422252
0x00422253
0x00422257
0x00422262
0x00422265
0x00422273
0x00422278
0x0042227e
0x00422281
0x00422285
0x00422287
0x0042228a
0x0042228d
0x0042228f
0x0042228f
0x00422297
0x00422298
0x00422299
0x0042229d
0x004222a8
0x004222ac
0x004222ba
0x004222bf
0x004222c5
0x004222c8
0x004222cc
0x004222ce
0x004222d4
0x004222da
0x004222dc
0x004222dc
0x004222e4
0x004222e5
0x004222e6
0x004222ed
0x004222f8
0x004222fc
0x0042230a
0x0042230f
0x00422315
0x00422318
0x0042231c
0x0042231e
0x00422324
0x0042232a
0x0042232c
0x0042232c
0x00422334
0x00422335
0x00422336
0x0042233d
0x00422348
0x0042234c
0x0042235a
0x0042235f
0x00422365
0x00422368
0x0042236c
0x0042236e
0x00422374
0x0042237a
0x0042237c
0x0042237c
0x00422387
0x00422388
0x00422389
0x00422390
0x0042239b
0x0042239f
0x004223ad
0x004223b2
0x004223b8
0x004223bb
0x004223bf
0x004223c1
0x004223c7
0x004223cd
0x004223cf
0x004223cf
0x004223d7
0x004223d8
0x004223d9
0x004223e0
0x004223eb
0x004223ef
0x004223fd
0x00422402
0x00422408
0x0042240b
0x0042240f
0x00422411
0x00422417
0x0042241d
0x0042241f
0x0042241f
0x00422427
0x00422428
0x00422429
0x00422430
0x0042243b
0x0042243f
0x0042244d
0x00422454
0x0042245b
0x00422462
0x00422469
0x0042246d
0x0042246e
0x0042249d
0x004224a2
0x004224a4
0x004224f3
0x004224f8
0x004224fd
0x00422500
0x00422502
0x00422504
0x00422504
0x0042250c
0x0042250d
0x0042250e
0x00422512
0x0042251a
0x0042251e
0x00422520
0x00422521
0x00422525
0x0042252d
0x00422531
0x004224a6
0x004224a6
0x004224ab
0x004224b0
0x004224b3
0x004224b5
0x004224b7
0x004224b7
0x004224bf
0x004224c0
0x004224c1
0x004224c5
0x004224ca
0x004224cd
0x004224d1
0x004224d3
0x004224d6
0x004224da
0x004224e2
0x004224e6
0x004224eb
0x004224eb
0x0042253c
0x00422540
0x0042254b
0x0042254f
0x0042255a
0x0042255e
0x00422569
0x0042256d
0x00422578
0x0042257c
0x00422581
0x00422584
0x00000000
0x00422584
0x00422202
0x004219f1
0x004219f1
0x00421a02
0x00421a04
0x00421a07
0x00421a0a
0x00421a0c
0x00421a0c
0x00421a14
0x00421a15
0x00421a16
0x00421a1a
0x00421a22
0x00421a27
0x00421a28
0x00421a29
0x00421a2d
0x00421a35
0x00421a38
0x00421a3d
0x00421a40
0x00421a42
0x00421a45
0x00421a4c
0x00421a51
0x00421a5b
0x00421aa3
0x00421aa5
0x00421aa8
0x00421aad
0x00421ab0
0x00421ab5
0x00421ab7
0x00421b22
0x00421b22
0x00421b25
0x00421b29
0x00421b93
0x00421b96
0x00421b9f
0x00421ba0
0x00421ba5
0x00421bad
0x00421baf
0x00421bf7
0x00421c00
0x00421c01
0x00421c06
0x00421c0e
0x00421c10
0x00421c58
0x00421c5a
0x00421c5d
0x00421c62
0x00421c6a
0x00421c6c
0x00421cb4
0x00421cb6
0x00421cb9
0x00421cbe
0x00421cc6
0x00421cc8
0x00421d16
0x00421d1b
0x00421d21
0x00421d24
0x00421d28
0x00421d2a
0x00421d30
0x00421d33
0x00421d35
0x00421d35
0x00421d3d
0x00421d3e
0x00421d3f
0x00421d46
0x00421d51
0x00421d55
0x00421d5a
0x00421d60
0x00421e8f
0x00421e92
0x00421e9b
0x00421e9c
0x00421ea1
0x00421ea9
0x00421eab
0x00421efa
0x00421eff
0x00421f05
0x00421f08
0x00421f0c
0x00421f0e
0x00421f14
0x00421f1a
0x00421f1c
0x00421f1c
0x00421f24
0x00421f25
0x00421f26
0x00421f2d
0x00421f38
0x00421f3c
0x00421f41
0x00421f47
0x00421fbd
0x00421fc6
0x00421fcb
0x00421fd1
0x00421fd4
0x00421fd8
0x00421fda
0x00421fe0
0x00421fe6
0x00421fe8
0x00421fe8
0x00421ff0
0x00421ff1
0x00421ff2
0x00421ff9
0x00422004
0x00422008
0x00422019
0x0042201e
0x00422021
0x00422023
0x0042207a
0x0042207c
0x004220cb
0x004220cd
0x0042211f
0x00422121
0x00000000
0x00422123
0x00422123
0x00422128
0x0042212a
0x00000000
0x0042212c
0x0042212c
0x00422131
0x00422136
0x00422139
0x0042213b
0x0042213d
0x0042213d
0x00422145
0x00422146
0x00422147
0x0042214b
0x00422153
0x00422157
0x00422159
0x0042215a
0x0042215e
0x00422163
0x00422167
0x00000000
0x00422167
0x0042212a
0x004220cf
0x004220cf
0x004220d4
0x004220d6
0x00000000
0x004220dc
0x004220dc
0x004220e1
0x004220e6
0x004220e9
0x004220eb
0x004220ed
0x004220ed
0x004220f5
0x004220f6
0x004220f7
0x004220fb
0x00422103
0x00422107
0x00422109
0x0042210a
0x0042210e
0x00422113
0x00422117
0x00000000
0x00422117
0x004220d6
0x0042207e
0x0042207e
0x00422083
0x00422085
0x00000000
0x0042208b
0x0042208b
0x00422090
0x00422095
0x00422098
0x0042209a
0x0042209c
0x0042209c
0x004220a4
0x004220a5
0x004220a6
0x004220aa
0x004220b2
0x004220b6
0x004220b8
0x004220b9
0x004220bd
0x004220c2
0x004220c6
0x00000000
0x004220c6
0x00422085
0x00422025
0x00422025
0x0042202a
0x0042202c
0x0042216f
0x0042216f
0x00422174
0x00422179
0x0042217c
0x0042217e
0x00422180
0x00422180
0x00422188
0x00422189
0x0042218a
0x0042218e
0x00422193
0x00422196
0x0042219a
0x0042219c
0x0042219f
0x004221a3
0x004221ab
0x004221af
0x004221b4
0x00422032
0x00422032
0x00422037
0x0042203c
0x0042203f
0x00422041
0x00422043
0x00422043
0x0042204b
0x0042204c
0x0042204d
0x00422051
0x00422059
0x0042205d
0x0042205f
0x00422060
0x00422064
0x00422069
0x0042206d
0x00422070
0x00422070
0x00422070
0x0042202c
0x004221bb
0x004221bf
0x00421f49
0x00421f56
0x00421f67
0x00421f6c
0x00421f75
0x00421f78
0x00000000
0x00421f7a
0x00421f7a
0x00421f7f
0x00421f84
0x00421f87
0x00421f89
0x00421f8b
0x00421f8b
0x00421f93
0x00421f94
0x00421f95
0x00421f99
0x00421fa1
0x00421fa5
0x00421fa7
0x00421fa8
0x00421fac
0x00421fb1
0x00421fb5
0x00421fb5
0x00421f78
0x004221c5
0x004221ca
0x004221ce
0x00421ead
0x00421ead
0x00421eb2
0x00421eb7
0x00421eba
0x00421ebc
0x00421ebe
0x00421ebe
0x00421ec6
0x00421ec7
0x00421ec8
0x00421ecc
0x00421ed4
0x00421ed9
0x00421edb
0x00421edc
0x00421ee0
0x00421ee5
0x00421ee9
0x00421ee9
0x00421d66
0x00421d69
0x00421d71
0x00421d72
0x00421d73
0x00421d7b
0x00421d7d
0x00421d7e
0x00421d86
0x00421d95
0x00421d99
0x00421da1
0x00421da5
0x00421dad
0x00421db3
0x00421db6
0x00421dbc
0x00421dbe
0x00421dc0
0x00421dc0
0x00421dc8
0x00421dc9
0x00421dca
0x00421dd1
0x00421dd9
0x00421ddb
0x00421ddc
0x00421de4
0x00421de8
0x00421df7
0x00421dfb
0x00421e03
0x00421e07
0x00421e1a
0x00421e25
0x00421e2a
0x00421e2c
0x00421e86
0x00421e8a
0x00000000
0x00421e2e
0x00421e2e
0x00421e33
0x00421e38
0x00421e3b
0x00421e3d
0x00421e3f
0x00421e3f
0x00421e47
0x00421e48
0x00421e49
0x00421e4d
0x00421e55
0x00421e59
0x00421e5b
0x00421e5c
0x00421e60
0x00421e68
0x00421e6c
0x00421e71
0x00421e75
0x00421e75
0x00421e2c
0x004221d4
0x004221d9
0x004221dc
0x00421cca
0x00421cca
0x00421ccf
0x00421cd4
0x00421cd7
0x00421cd9
0x00421cdb
0x00421cdb
0x00421ce3
0x00421ce4
0x00421ce5
0x00421ce9
0x00421cf1
0x00421cf6
0x00421cf8
0x00421cf9
0x00421cfd
0x00421d02
0x00421d05
0x00421d05
0x00421c6e
0x00421c6e
0x00421c73
0x00421c78
0x00421c7b
0x00421c7d
0x00421c7f
0x00421c7f
0x00421c87
0x00421c88
0x00421c89
0x00421c8d
0x00421c95
0x00421c9a
0x00421c9c
0x00421c9d
0x00421ca1
0x00421ca6
0x00421ca9
0x00421ca9
0x00421c12
0x00421c12
0x00421c17
0x00421c1c
0x00421c1f
0x00421c21
0x00421c23
0x00421c23
0x00421c2b
0x00421c2c
0x00421c2d
0x00421c31
0x00421c39
0x00421c3e
0x00421c40
0x00421c41
0x00421c45
0x00421c4a
0x00421c4d
0x00421c4d
0x00421bb1
0x00421bb1
0x00421bb6
0x00421bbb
0x00421bbe
0x00421bc0
0x00421bc2
0x00421bc2
0x00421bca
0x00421bcb
0x00421bcc
0x00421bd0
0x00421bd8
0x00421bdd
0x00421bdf
0x00421be0
0x00421be4
0x00421be9
0x00421bec
0x00421bec
0x00421b2b
0x00421b31
0x00421b34
0x00421b37
0x00000000
0x00421b39
0x00421b3c
0x00421b3e
0x00421b3f
0x00421b44
0x00421b4c
0x00421b4e
0x00000000
0x00421b50
0x00421b50
0x00421b55
0x00421b5a
0x00421b5d
0x00421b5f
0x00421b61
0x00421b61
0x00421b69
0x00421b6a
0x00421b6b
0x00421b6f
0x00421b77
0x00421b7c
0x00421b7e
0x00421b7f
0x00421b83
0x00421b88
0x00421b8b
0x00421b8b
0x00421b4e
0x00421b37
0x00421ab9
0x00421ab9
0x00421ac2
0x00421ac6
0x00421ac9
0x00421adf
0x00421adf
0x00421ae4
0x00421ae9
0x00421aec
0x00421aee
0x00421af0
0x00421af0
0x00421af8
0x00421af9
0x00421afa
0x00421afe
0x00421b06
0x00421b0b
0x00421b0d
0x00421b0e
0x00421b12
0x00421b17
0x00421b1a
0x00421acb
0x00421acb
0x00421acd
0x00421ace
0x00421ad3
0x00421ad6
0x00421adb
0x00421add
0x00000000
0x00000000
0x00000000
0x00000000
0x00421add
0x00421ac9
0x00421a5d
0x00421a5d
0x00421a62
0x00421a67
0x00421a6a
0x00421a6c
0x00421a6e
0x00421a6e
0x00421a76
0x00421a77
0x00421a78
0x00421a7c
0x00421a84
0x00421a89
0x00421a8b
0x00421a8c
0x00421a90
0x00421a95
0x00421a98
0x00421a98
0x00423361
0x00423361
0x00423361
0x004219df
0x00423366
0x0042336d
0x00423378
0x00423380

APIs

__EH_prolog.LIBCMT ref: 004219AC

Part of subcall function 00425D10: SysStringLen.OLEAUT32(?), ref: 00425D1B

Part of subcall function 00423412: __EH_prolog.LIBCMT ref: 00423417

Part of subcall function 0042189A: __EH_prolog.LIBCMT ref: 0042189F
Part of subcall function 0042189A: SetWindowTextW.USER32(00000000,?), ref: 00421991

Part of subcall function 004061C1: __EH_prolog.LIBCMT ref: 004061C6
Part of subcall function 004061C1: GetLastError.KERNEL32(000004B1,00000000,?,0040C82E,004675D8,?,00000000,?,00000000,004675D0,?,004675D8), ref: 004061E9
Part of subcall function 004061C1: SysFreeString.OLEAUT32(?), ref: 00406207
Part of subcall function 004061C1: SetLastError.KERNEL32(?,00000001,?,0040C82E,004675D8,?,00000000,?,00000000,004675D0,?,004675D8), ref: 00406227

Strings

FileName, xrefs: 0042235A
Bits, xrefs: 00421FC6, 004223FD
PG, xrefs: 00421B61
ServicePackMajorMax, xrefs: 00421C01
PG, xrefs: 0042213D
CheckSum, xrefs: 00422601
PG, xrefs: 00422E6F
properties, xrefs: 004227D5
-- Successful, xrefs: 0042216F, 0042218A, 004224F3, 0042250E, 0042277E, 00422799, 004228E0, 004228FB, 00422CBE, 00422CD9, 00422E5E, 00422E79
uF, xrefs: 00422B5D
ReturnValue, xrefs: 004223AD
PG, xrefs: 00423260
PlatformId, xrefs: 00421CB9
, xrefs: 00421D7E, 00421DDC
PG, xrefs: 00421A0C
PG, xrefs: 004220ED
PG, xrefs: 00422504
PG, xrefs: 00422EDC
BuildNumber, xrefs: 00421C5D
Path, xrefs: 0042230A
PG, xrefs: 00422F38
PG, xrefs: 00422230
-- Failed!, xrefs: 00421A5D, 00421A78, 00421ADF, 00421AFA, 00421B50, 00421B6B, 00421BB1, 00421BCC, 00421C12, 00421C2D, 00421C6E, 00421C89, 00421CCA, 00421CE5, 00421E2E, 00421E49, 00421EAD, 00421EC8, 00421F7A, 00421F95, 00422032, 0042204D, 0042208B, 004220A6, 004220DC, 004220F7, 0042212C, 00422147, 004224A6, 004224C1
ServicePackMajorMin, xrefs: 00421BA0
PG, xrefs: 00421D35
PG, xrefs: 00421E3F
PG, xrefs: 00422F8E
PG, xrefs: 00422CCF
PG, xrefs: 004228F1
file, xrefs: 0042258C, 004225A1, 004225C6, 0042298C
URL, xrefs: 00422683
PG, xrefs: 00422699
operatingsystemcondition, xrefs: 004219D0, 004219F1, 00421A16
PG, xrefs: 004229FA
PG, xrefs: 0042228F
PG, xrefs: 00423314
uF, xrefs: 00422A4E
PG, xrefs: 00421FE8
PG, xrefs: 00421DC0
PG, xrefs: 00421F1C
Failure, xrefs: 00423090, 004230E7, 00423102
PG, xrefs: 00421A6E
PG, xrefs: 00421F8B
Type, xrefs: 00422273
PG, xrefs: 00422180
PG, xrefs: 004225BC
PG, xrefs: 00422FF1
PG, xrefs: 004228AA
Y, xrefs: 0042333D
PG, xrefs: 0042265A
File, xrefs: 00422E06
returncodetoreboot, xrefs: 00422BED
Language, xrefs: 00421EFA
PG, xrefs: 00421AF0
requiresmsiengine, xrefs: 00422D09
Lua, xrefs: 00423145, 0042319B, 004231B6
behavior, xrefs: 00422EAC, 00422EC1, 00422EE6
ProductType, xrefs: 00421E9C
PG, xrefs: 00423043
Hidden, xrefs: 004231F9, 0042324F, 0042326A
PG, xrefs: 00422C03
PG, xrefs: 0042261B
MajorVersion, xrefs: 00421A4C
PG, xrefs: 004231AC
MinorVersion, xrefs: 00421AA8, 00421ACE, 00421B3F
PG, xrefs: 00422043
uF, xrefs: 00422AAB
PG, xrefs: 004230A6
PG, xrefs: 0042209C
PG, xrefs: 00421CDB
AltPrqURL, xrefs: 00422894
PG, xrefs: 00421C7F
dependency, xrefs: 00422D94, 00422DA9, 00422DCE
CSDVersion, xrefs: 00421D16
PG, xrefs: 00422DC4
Optional, xrefs: 00422F16, 00422F7D, 00422F98
PG, xrefs: 004230F8
execute, xrefs: 00422922, 00422937, 0042295C
MsiProgress, xrefs: 004232AD, 00423303, 0042331E
PG, xrefs: 0042232C
cmdlinesilent, xrefs: 00422AED
PG, xrefs: 0042241F
PG, xrefs: 00422D2B
PG, xrefs: 00422B09
PG, xrefs: 00421EBE
Reboot, xrefs: 00422FDB, 00423032, 0042304D
PG, xrefs: 0042237C
PG, xrefs: 004224B7
PG, xrefs: 00421C23
Comparison, xrefs: 004222BA
PG, xrefs: 00422805
forcesilent, xrefs: 00422C2E
PG, xrefs: 00422952
PG, xrefs: 00421BC2
PG, xrefs: 004232C3
uF, xrefs: 00422BBA
cmdline, xrefs: 004229DE
PG, xrefs: 0042315B
PG, xrefs: 00422E20
PG, xrefs: 0042320F
LocalFile, xrefs: 00422644
PG, xrefs: 004223CF
PG, xrefs: 00422855
PG, xrefs: 004222DC
condition, xrefs: 004221F3, 00422222, 0042223A
PG, xrefs: 0042278F
PG, xrefs: 004229A2
PG, xrefs: 00422C44

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: H_prolog$ErrorLastString$FreeTextWindow
String ID: $ -- Failed!$ -- Successful$AltPrqURL$Bits$BuildNumber$CSDVersion$CheckSum$Comparison$Failure$File$FileName$Hidden$Language$LocalFile$Lua$MajorVersion$MinorVersion$MsiProgress$Optional$Path$PlatformId$ProductType$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$Reboot$ReturnValue$ServicePackMajorMax$ServicePackMajorMin$Type$URL$Y$behavior$cmdline$cmdlinesilent$condition$dependency$execute$file$forcesilent$operatingsystemcondition$properties$requiresmsiengine$returncodetoreboot$uF$uF$uF$uF
API String ID: 2045398859-2860531092
Opcode ID: e7e95bb7cbe5091781472d962e22a06c3d4c23fed99a5639533326b8fe898a98
Instruction ID: 87b6b5c40b60d8615d7a9e21d63ca7d57ef6fe4204e12cfa9169765c661ff36f
Opcode Fuzzy Hash: e7e95bb7cbe5091781472d962e22a06c3d4c23fed99a5639533326b8fe898a98
Instruction Fuzzy Hash: FD038470A00259AEDF14DB95C991FEEB778EF14308F5044AEF509B7281EB786E05CB29

Uniqueness

Uniqueness Score: -1.00%

Function 0044D870 Relevance: 171.5, APIs: 60, Strings: 37, Instructions: 1741
stringCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0044D870(intOrPtr __ecx) {
				void* __ebp;
				int _t702;
				CHAR* _t704;
				int _t706;
				void* _t731;
				void* _t733;
				intOrPtr* _t753;
				intOrPtr* _t763;
				void* _t768;
				CHAR* _t773;
				int _t775;
				CHAR* _t777;
				int _t780;
				int _t787;
				CHAR* _t789;
				int _t801;
				CHAR* _t803;
				int _t812;
				CHAR* _t814;
				int _t819;
				int _t823;
				CHAR* _t825;
				int* _t831;
				int _t838;
				CHAR* _t840;
				int* _t846;
				int _t853;
				CHAR* _t855;
				long _t861;
				int _t868;
				CHAR* _t870;
				long _t876;
				int _t882;
				int _t884;
				int _t913;
				void* _t914;
				intOrPtr _t937;
				intOrPtr _t941;
				int _t943;
				int _t945;
				void* _t964;
				int _t975;
				int _t977;
				intOrPtr* _t1002;
				void* _t1011;
				void* _t1025;
				void* _t1026;
				long _t1029;
				void* _t1039;
				void* _t1040;
				long _t1043;
				int _t1058;
				intOrPtr* _t1064;
				long _t1069;
				intOrPtr* _t1077;
				void* _t1082;
				void* _t1086;
				void* _t1101;
				void* _t1102;
				long _t1107;
				void* _t1113;
				void* _t1114;
				long _t1119;
				signed int _t1264;
				intOrPtr _t1266;
				intOrPtr _t1275;
				signed int _t1282;
				void* _t1321;
				void* _t1356;
				intOrPtr _t1369;
				intOrPtr _t1379;
				int _t1387;
				void* _t1410;
				intOrPtr _t1422;
				intOrPtr _t1423;
				intOrPtr _t1425;
				intOrPtr _t1435;
				intOrPtr _t1437;
				void* _t1472;
				void* _t1475;
				intOrPtr _t1492;
				intOrPtr _t1513;
				intOrPtr _t1517;
				intOrPtr _t1542;
				intOrPtr* _t1557;
				CHAR* _t1559;
				int* _t1560;
				void* _t1565;
				void* _t1567;
				void* _t1571;
				void* _t1577;
				void* _t1579;
				void* _t1583;
				intOrPtr _t1589;
				signed int _t1596;
				int _t1603;
				CHAR* _t1605;
				intOrPtr* _t1606;
				int* _t1609;
				long* _t1613;
				long* _t1615;
				int _t1616;
				signed int _t1621;
				int _t1623;
				void** _t1627;
				int _t1628;
				void** _t1630;
				int _t1631;
				intOrPtr _t1632;
				int _t1643;
				int* _t1646;
				void* _t1647;
				intOrPtr _t1648;
				void* _t1649;
				void* _t1650;
				void* _t1651;
				void* _t1652;
				void* _t1653;
				void* _t1654;
				intOrPtr _t1655;
				void* _t1657;
				intOrPtr _t1658;
				void* _t1659;
				void* _t1660;
				void* _t1661;
				void* _t1664;
				void* _t1667;
				void* _t1668;
				void* _t1671;
				signed int _t1674;

				_push(0xffffffff);
				_push(E004664AE);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t1648;
				_t1649 = _t1648 - 0xad0;
				_t1643 =  *(_t1649 + 0xae8);
				_t1542 = __ecx;
				 *((intOrPtr*)(_t1649 + 0x14)) = __ecx;
				 *((intOrPtr*)(_t1649 + 0x1ac)) = 0x4675d8;
				 *((intOrPtr*)(_t1649 + 0x1cc)) = 0x4675d0;
				_t702 = _t1643;
				if(_t1643 == 0) {
					_t702 = 0x47e150;
				}
				_push(0);
				_push(_t1649 + 0x1b);
				_push(_t702);
				L0040B34B(_t1649 + 0x1b8);
				 *(_t1649 + 0xae8) = 0;
				_t704 = L00453100(_t1649 + 0x1ac);
				_t9 = _t1542 + 8; // 0x9
				_t706 = GetPrivateProfileIntA(_t704, "BUTTONS", 0, L00452F40(_t9)); // executed
				 *(_t1649 + 0xb0) = _t706;
				 *(_t1649 + 0xae8) = 0xffffffff;
				E004061C1(_t1649 + 0x1ac);
				 *((char*)(_t1649 + 0x394)) = 0;
				memset(_t1649 + 0x395, 0, 0x18 << 2);
				_t1650 = _t1649 + 0xc;
				asm("stosw");
				asm("stosb");
				 *((char*)(_t1650 + 0x1dc)) = 0;
				memset(_t1650 + 0x1dd, 0, 0x18 << 2);
				_t1651 = _t1650 + 0xc;
				asm("stosw");
				asm("stosb");
				 *((char*)(_t1651 + 0x4f0)) = 0;
				memset(_t1651 + 0x4f1, 0, 0xf9 << 2);
				_t1652 = _t1651 + 0xc;
				asm("stosw");
				asm("stosb");
				 *((char*)(_t1652 + 0x8d8)) = 0;
				memset(_t1652 + 0x8d9, 0, 0x40 << 2);
				_t1653 = _t1652 + 0xc;
				asm("stosw");
				asm("stosb");
				 *((char*)(_t1653 + 0x9dc)) = 0;
				memset(_t1653 + 0x9dd, 0, 0x40 << 2);
				_t1654 = _t1653 + 0xc;
				asm("stosw");
				asm("stosb");
				GetSysColor(8);
				GetSysColor(0x11);
				 *((intOrPtr*)(_t1654 + 0x10c)) = 0x4675f0;
				 *((intOrPtr*)(_t1654 + 0x12c)) = 0x4675e8;
				L00447D40(_t1654 + 0x10c, 0);
				_t1670 = _t1643;
				 *((intOrPtr*)(_t1654 + 0xae8)) = 1;
				if(_t1643 == 0) {
					_t1643 = 0x47e150;
				}
				L00452E70(_t1654 + 0x10c, _t1670, _t1643, _t1654 + 0x1b);
				 *((intOrPtr*)(_t1654 + 0x11c)) = 0;
				 *((intOrPtr*)(_t1654 + 0x120)) = 0;
				 *((intOrPtr*)(_t1654 + 0x124)) = 0;
				 *((char*)(_t1654 + 0xaec)) = 3;
				L00447D70(_t1654 + 0x12c, 0);
				 *((intOrPtr*)(_t1654 + 0xaec)) = 4;
				 *((intOrPtr*)(_t1654 + 0x188)) = 0x4675f0;
				 *((intOrPtr*)(_t1654 + 0x1a8)) = 0x4675e8;
				L00447D40(_t1654 + 0x188, 0);
				 *((char*)(_t1654 + 0xaec)) = 5;
				 *((char*)(_t1654 + 0x18c)) =  *((intOrPtr*)(_t1654 + 0x1b));
				E0040213C(_t1654 + 0x18c, 0);
				 *((char*)(_t1654 + 0xae8)) = 6;
				L00447D30(_t1654 + 0x198);
				 *((char*)(_t1654 + 0xaec)) = 7;
				L00447D70(_t1654 + 0x1a8, 0);
				 *((char*)(_t1654 + 0xaec)) = 8;
				 *((intOrPtr*)(_t1654 + 0x160)) = 0x4675f0;
				 *((intOrPtr*)(_t1654 + 0x180)) = 0x4675e8;
				L00447D40(_t1654 + 0x160, 0);
				 *((char*)(_t1654 + 0xae8)) = 9;
				L00447B80(_t1654 + 0x164, _t1654 + 0x1b);
				 *((intOrPtr*)(_t1654 + 0x170)) = 0;
				 *((intOrPtr*)(_t1654 + 0x174)) = 0;
				 *((intOrPtr*)(_t1654 + 0x178)) = 0;
				 *((char*)(_t1654 + 0xaec)) = 0xb;
				L00447D70(_t1654 + 0x180, 0);
				 *((char*)(_t1654 + 0xaec)) = 0xc;
				_t731 = L0043BA1F(0x478fcc);
				_t1655 = _t1654 + 4;
				_t1671 = L0040B4AD(_t1655 + 0x10c, 0x478fcc, 0, _t731) -  *0x4675e0; // 0xffffffff
				if(_t1671 != 0) {
					_t1101 = L00447450(_t1655 + 0x114, _t1655 + 0x3c, 0, _t1554);
					 *((char*)(_t1655 + 0xae8)) = 0xd;
					if(_t1101 == 0) {
						_t1102 = 0;
						__eflags = 0;
					} else {
						_t1102 = _t1101 + 4;
					}
					_t1425 =  *0x4675e0; // 0xffffffff
					E0040C484(_t1655 + 0x16c, _t1102, 0, _t1425);
					asm("sbb eax, eax");
					 *((char*)(_t1655 + 0xae8)) = 0xc;
					_t1107 = GetLastError();
					asm("sbb ecx, ecx");
					 *( *((intOrPtr*)( *( ~(_t1655 + 0x38) & _t1655 + 0x00000058) + 4)) + ( ~(_t1655 + 0x38) & _t1655 + 0x00000058)) = _t1107;
					E00430164( ~(_t1655 + 0x38) & _t1655 + 0x0000004c);
					asm("sbb ecx, ecx");
					E0040213C( ~(_t1655 + 0x38) & _t1655 + 0x0000003c, 1);
					SetLastError( *(_t1655 +  *((intOrPtr*)( *(_t1655 + 0x38) + 4)) + 0x38));
					_t1435 =  *0x4675e0; // 0xffffffff
					_t1113 = L00447450(_t1655 + 0x114, _t1655 + 0x38, _t1554, _t1435);
					 *((char*)(_t1655 + 0xae8)) = 0xe;
					if(_t1113 == 0) {
						_t1114 = 0;
						__eflags = 0;
					} else {
						_t1114 = _t1113 + 4;
					}
					_t1437 =  *0x4675e0; // 0xffffffff
					E0040C484(_t1655 + 0x194, _t1114, 0, _t1437);
					asm("sbb eax, eax");
					 *((char*)(_t1655 + 0xae8)) = 0xc;
					_t1119 = GetLastError();
					asm("sbb ecx, ecx");
					 *( *((intOrPtr*)( *( ~(_t1655 + 0x38) & _t1655 + 0x00000058) + 4)) + ( ~(_t1655 + 0x38) & _t1655 + 0x00000058)) = _t1119;
					E00430164( ~(_t1655 + 0x38) & _t1655 + 0x0000004c);
					asm("sbb ecx, ecx");
					_t1674 =  ~(_t1655 + 0x38) & _t1655 + 0x0000003c;
					E0040213C( ~(_t1655 + 0x38) & _t1655 + 0x0000003c, 1);
					SetLastError( *(_t1655 +  *((intOrPtr*)( *(_t1655 + 0x38) + 4)) + 0x38));
				}
				asm("sbb ecx, ecx");
				_t733 = L00459360( ~(_t1655 + 0x15c) & _t1655 + 0x00000160, _t1674, L"ALL");
				_t1675 = _t733;
				if(_t733 == 0) {
					L28:
					 *((intOrPtr*)(_t1655 + 0x18)) = 0;
					 *((intOrPtr*)(_t1655 + 0x24)) = 0;
					lstrcpyA(_t1655 + 0x8d8, L00452F40( *((intOrPtr*)( *((intOrPtr*)(L00453420(_t1655 + 0x78, L00453510(_t1655 + 0x38, _t1655 + 0x10, _t1655 + 0x1c)))) + 0x10)) + 4));
					 *((intOrPtr*)(_t1655 + 0x18)) = 0;
					 *((intOrPtr*)(_t1655 + 0x24)) = 0;
					lstrcpyA(_t1655 + 0x9e0, L00452F40( *((intOrPtr*)( *((intOrPtr*)(L00453420(_t1655 + 0x78, L00453510(_t1655 + 0x38, _t1655 + 0x10, _t1655 + 0x1c)))) + 0x10)) + 0x2c));
					 *((intOrPtr*)(_t1655 + 0x18)) = 0;
					 *((intOrPtr*)(_t1655 + 0x24)) = 0;
					 *((intOrPtr*)(_t1655 + 0x34)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(L00453420(_t1655 + 0x7c, L00453510(_t1655 + 0x38, _t1655 + 0x10, _t1655 + 0x1c)))) + 0x10)) + 0x68));
					 *((intOrPtr*)(_t1655 + 0x18)) = 0;
					 *((intOrPtr*)(_t1655 + 0x24)) = 0;
					_t753 = L00453420(_t1655 + 0x78, L00453510(_t1655 + 0x38, _t1655 + 0x14, _t1655 + 0x1c));
					 *((intOrPtr*)(_t1655 + 0x14)) = 0;
					 *((intOrPtr*)(_t1655 + 0xc8)) =  *((intOrPtr*)( *((intOrPtr*)( *_t753 + 0x10)) + 0x5c));
					 *((intOrPtr*)(_t1655 + 0x20)) = 0;
					 *((intOrPtr*)(_t1655 + 0xbc)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(L00453420(_t1655 + 0x78, L00453510(_t1655 + 0x34, _t1655 + 0x14, _t1655 + 0x1c)))) + 0x10)) + 0x60));
					 *((intOrPtr*)(_t1655 + 0x18)) = 0;
					 *((intOrPtr*)(_t1655 + 0x24)) = 0;
					_t763 = L00453420(_t1655 + 0x7c, L00453510(_t1655 + 0x34, _t1655 + 0x14, _t1655 + 0x1c));
					 *((intOrPtr*)(_t1655 + 0x28)) = 1;
					 *((intOrPtr*)(_t1655 + 0x1c)) =  *((intOrPtr*)( *((intOrPtr*)( *_t763 + 0x10)) + 0x64));
					if( *((intOrPtr*)(_t1655 + 0xb0)) < 1) {
						L124:
						E004061C1(_t1655 + 0x15c);
						E004061C1(_t1655 + 0x184);
						_t768 = E004061C1(_t1655 + 0x108);
						 *[fs:0x0] =  *((intOrPtr*)(_t1655 + 0xae0));
						return _t768;
					}
					 *((intOrPtr*)(_t1655 + 0x1d4)) = _t1655 + 0xdc;
					 *((intOrPtr*)(_t1655 + 0x78)) = _t1655 + 0x84;
					do {
						_t1603 =  *(_t1655 + 0xaf0);
						_t1646 = L0043BC14(0x74);
						_t1657 = _t1655 + 4;
						 *(_t1657 + 0x10) = _t1646;
						 *((char*)(_t1657 + 0xae8)) = 0x15;
						if(_t1646 == 0) {
							_t1646 = 0;
							__eflags = 0;
						} else {
							_t251 =  &(_t1646[1]); // 0x4
							L004517F0(_t251, _t1657 + 0x23, 1);
							_t253 =  &(_t1646[0xb]); // 0x2c
							 *((char*)(_t1657 + 0xaf0)) = 0x16;
							L004517F0(_t253, _t1657 + 0x6d, 1);
						}
						 *((char*)(_t1657 + 0xaf0)) = 0xc;
						lstrcpyA(_t1657 + 0x394, "BUTTON");
						_t773 = L0043FAB7( *((intOrPtr*)(_t1657 + 0x28)), _t1657 + 0x4f0, 0xa);
						_t1658 = _t1657 + 0xc;
						lstrcatA(_t1658 + 0x394, _t773);
						 *((intOrPtr*)(_t1658 + 0x1ac)) = 0x4675d8;
						 *((intOrPtr*)(_t1658 + 0x1cc)) = 0x4675d0;
						_t775 = _t1603;
						if(_t1603 == 0) {
							_t775 = 0x47e150;
						}
						_push(0);
						_push(_t1658 + 0x68);
						_push(_t775);
						L0040B34B(_t1658 + 0x1b8);
						 *((char*)(_t1658 + 0xae8)) = 0x17;
						_t777 = L00453100(_t1658 + 0x1ac);
						_t780 = GetPrivateProfileIntA(_t777, _t1658 + 0x398, 0, L00452F40( *((intOrPtr*)(_t1658 + 0x14)) + 8)); // executed
						 *_t1646 = _t780;
						 *((char*)(_t1658 + 0xae8)) = 0xc;
						E004061C1(_t1658 + 0x1ac);
						lstrcpyA(_t1658 + 0x1dc, _t1658 + 0x394);
						lstrcatA(_t1658 + 0x1dc, "UP");
						_t275 =  &(_t1646[1]); // 0x4
						_t1557 = L0042CD98(_t275, _t1658 + 0xd0, 0x104);
						 *((char*)(_t1658 + 0xae8)) = 0x18;
						_t1605 = L00452F40( *_t1557);
						_t787 =  *(_t1658 + 0xaf0);
						 *(_t1557 + 8) = _t1605;
						 *((intOrPtr*)(_t1658 + 0x294)) = 0x4675d8;
						 *((intOrPtr*)(_t1658 + 0x2b4)) = 0x4675d0;
						if(_t787 == 0) {
							_t787 = 0x47e150;
						}
						_push(0);
						_push(_t1658 + 0x6a);
						_push(_t787);
						L0040B34B(_t1658 + 0x2a0);
						 *((char*)(_t1658 + 0xae8)) = 0x19;
						_t789 = L00453100(_t1658 + 0x294);
						GetPrivateProfileStringA(_t789, _t1658 + 0x1e8, 0x47e154, _t1605, 0x104, L00452F40( *((intOrPtr*)(_t1658 + 0x14)) + 8)); // executed
						E004061C1(_t1658 + 0x294);
						 *((char*)(_t1658 + 0xae8)) = 0xc;
						if( *((intOrPtr*)(_t1658 + 0xd4)) != 0) {
							L00401E03( *((intOrPtr*)(_t1658 + 0xd0)),  *((intOrPtr*)( *((intOrPtr*)(_t1658 + 0xd0)) + 0x1c)));
						}
						if( *((intOrPtr*)(_t1658 + 0xd8)) != 0) {
							_t1043 = GetLastError();
							_push(1);
							_push(_t1658 + 0x6e);
							_push( *((intOrPtr*)(_t1658 + 0xd8)));
							E004300B2(_t1658 + 0x404);
							_t1379 =  *0x467594; // 0xffffffff
							asm("sbb eax, eax");
							 *((char*)(_t1658 + 0xaf4)) = 0x1a;
							E004024B9( *((intOrPtr*)(_t1658 + 0xd0)) + 4,  ~(_t1658 + 0x3f8) & _t1658 + 0x000003fc, 0, _t1379);
							 *((char*)(_t1658 + 0xae8)) = 0xc;
							L0040125C(_t1658 + 0x3f8);
							SetLastError(_t1043);
						}
						if(_t1646[4] == 0) {
							_t1039 = L00451850(_t1658 + 0x47c, _t1658 + 0x8dc, _t1658 + 0x70, 1);
							 *((char*)(_t1658 + 0xae8)) = 0x1b;
							if(_t1039 == 0) {
								_t1040 = 0;
								__eflags = 0;
							} else {
								_t1040 = _t1039 + 4;
							}
							_t1517 =  *0x467594; // 0xffffffff
							_t309 =  &(_t1646[2]); // 0x8
							E004024B9(_t309, _t1040, 0, _t1517);
							 *((char*)(_t1658 + 0xae8)) = 0xc;
							L0040125C(_t1658 + 0x470);
						}
						lstrcpyA(_t1658 + 0x1dc, _t1658 + 0x394);
						lstrcatA(_t1658 + 0x1dc, "DOWN");
						_t316 =  &(_t1646[0xb]); // 0x2c
						_t1606 = L0042CD98(_t316, _t1658 + 0xb8, 0x104);
						 *((char*)(_t1658 + 0xae8)) = 0x1c;
						_t1559 = L00452F40( *_t1606);
						_t801 =  *(_t1658 + 0xaf0);
						 *(_t1606 + 8) = _t1559;
						 *((intOrPtr*)(_t1658 + 0x2bc)) = 0x4675d8;
						 *((intOrPtr*)(_t1658 + 0x2dc)) = 0x4675d0;
						if(_t801 == 0) {
							_t801 = 0x47e150;
						}
						_push(0);
						_push(_t1658 + 0x72);
						_push(_t801);
						L0040B34B(_t1658 + 0x2c8);
						 *((char*)(_t1658 + 0xae8)) = 0x1d;
						_t803 = L00453100(_t1658 + 0x2bc);
						GetPrivateProfileStringA(_t803, _t1658 + 0x1e8, 0x47e154, _t1559, 0x104, L00452F40( *((intOrPtr*)(_t1658 + 0x14)) + 8)); // executed
						E004061C1(_t1658 + 0x2bc);
						 *((char*)(_t1658 + 0xae8)) = 0xc;
						if( *((intOrPtr*)(_t1658 + 0xbc)) != 0) {
							L00401E03( *((intOrPtr*)(_t1658 + 0xb8)),  *((intOrPtr*)( *((intOrPtr*)(_t1658 + 0xb8)) + 0x1c)));
						}
						if( *((intOrPtr*)(_t1658 + 0xc0)) != 0) {
							_t1029 = GetLastError();
							_push(1);
							_push(_t1658 + 0x74);
							_push( *((intOrPtr*)(_t1658 + 0xc0)));
							E004300B2(_t1658 + 0x42c);
							_t1369 =  *0x467594; // 0xffffffff
							asm("sbb eax, eax");
							 *((char*)(_t1658 + 0xaf4)) = 0x1e;
							E004024B9( *((intOrPtr*)(_t1658 + 0xb8)) + 4,  ~(_t1658 + 0x420) & _t1658 + 0x00000424, 0, _t1369);
							 *((char*)(_t1658 + 0xae8)) = 0xc;
							L0040125C(_t1658 + 0x420);
							SetLastError(_t1029);
						}
						if(_t1646[0xe] == 0) {
							_t1025 = L00451850(_t1658 + 0x454, _t1658 + 0x9e0, _t1658 + 0x76, 1);
							 *((char*)(_t1658 + 0xae8)) = 0x1f;
							if(_t1025 == 0) {
								_t1026 = 0;
								__eflags = 0;
							} else {
								_t1026 = _t1025 + 4;
							}
							_t1513 =  *0x467594; // 0xffffffff
							_t350 =  &(_t1646[0xc]); // 0x30
							E004024B9(_t350, _t1026, 0, _t1513);
							 *((char*)(_t1658 + 0xae8)) = 0xc;
							L0040125C(_t1658 + 0x448);
						}
						lstrcpyA(_t1658 + 0x1dc, _t1658 + 0x394);
						lstrcatA(_t1658 + 0x1dc, "POS");
						_t812 =  *(_t1658 + 0xaf0);
						 *((intOrPtr*)(_t1658 + 0x2ec)) = 0x4675d8;
						 *((intOrPtr*)(_t1658 + 0x30c)) = 0x4675d0;
						if(_t812 == 0) {
							_t812 = 0x47e150;
						}
						_push(0);
						_push(_t1658 + 0x83);
						_push(_t812);
						L0040B34B(_t1658 + 0x2f8);
						 *((char*)(_t1658 + 0xae8)) = 0x20;
						_t814 = L00453100(_t1658 + 0x2ec);
						GetPrivateProfileStringA(_t814, _t1658 + 0x1e8, 0x47e154, _t1658 + 0x4f4, 0x3e8, L00452F40( *((intOrPtr*)(_t1658 + 0x14)) + 8)); // executed
						 *((char*)(_t1658 + 0xae8)) = 0xc;
						E004061C1(_t1658 + 0x2ec);
						_t369 =  &(_t1646[0x16]); // 0x58
						_t1560 = _t369;
						_t370 =  &(_t1646[0x15]); // 0x54
						_t1609 = _t370;
						 *_t1560 = 0xffffffff;
						 *_t1609 = 0xffffffff;
						_t819 = lstrcmpA(_t1658 + 0x4f0, 0x47e154);
						_t1701 = _t819;
						if(_t819 != 0) {
							_push(_t1560);
							_push(_t1609);
							_t1658 = _t1658 - 0x28;
							 *((intOrPtr*)(_t1658 + 0x40)) = _t1658;
							L004472C0(_t1658, _t1658 + 0x524, _t1658 + 0xa3, 1);
							L0044F390(_t1701);
						}
						_t1646[0x1a] = 0;
						lstrcpyA(_t1658 + 0x1dc, _t1658 + 0x394);
						lstrcatA(_t1658 + 0x1dc, "OPT");
						_t823 =  *(_t1658 + 0xaf0);
						 *((intOrPtr*)(_t1658 + 0x344)) = 0x4675d8;
						 *((intOrPtr*)(_t1658 + 0x364)) = 0x4675d0;
						if(_t823 == 0) {
							_t823 = 0x47e150;
						}
						_push(0);
						_push(_t1658 + 0x65);
						_push(_t823);
						L0040B34B(_t1658 + 0x350);
						 *((char*)(_t1658 + 0xae8)) = 0x21;
						_t825 = L00453100(_t1658 + 0x344);
						_t1561 =  *((intOrPtr*)(_t1658 + 0x14)) + 8;
						GetPrivateProfileStringA(_t825, _t1658 + 0x1e8, 0x47e154, _t1658 + 0x4f4, 0x3e8, L00452F40( *((intOrPtr*)(_t1658 + 0x14)) + 8)); // executed
						 *((char*)(_t1658 + 0xae8)) = 0xc;
						E004061C1(_t1658 + 0x344);
						if(lstrcmpA(_t1658 + 0x4f0, 0x47e154) != 0) {
							_t396 =  &(_t1646[0x1a]); // 0x68
							_t831 = _t396;
							_t1472 = _t1658 + 0x71;
							_push(_t831);
							_t1658 = _t1658 - 0x28;
							 *_t831 = 2;
							 *((intOrPtr*)(_t1658 + 0x3c)) = _t1658;
							L004472C0(_t1658, _t1658 + 0x520, _t1472, 1);
							L0044F9D0(__eflags);
						} else {
							_t1646[0x1a] =  *(_t1658 + 0x2c);
						}
						lstrcpyA(_t1658 + 0x1dc, _t1658 + 0x394);
						lstrcatA(_t1658 + 0x1dc, "TRNSPRNTCLR");
						_t838 =  *(_t1658 + 0xaf0);
						 *((intOrPtr*)(_t1658 + 0x314)) = 0x4675d8;
						 *((intOrPtr*)(_t1658 + 0x334)) = 0x4675d0;
						if(_t838 == 0) {
							_t838 = 0x47e150;
						}
						_push(0);
						_push(_t1658 + 0x67);
						_push(_t838);
						L0040B34B(_t1658 + 0x320);
						 *((char*)(_t1658 + 0xae8)) = 0x22;
						_t840 = L00453100(_t1658 + 0x314);
						GetPrivateProfileStringA(_t840, _t1658 + 0x1e8, 0x47e154, _t1658 + 0x4f4, 0x3e8, L00452F40(_t1561)); // executed
						 *((char*)(_t1658 + 0xae8)) = 0xc;
						E004061C1(_t1658 + 0x314);
						if(lstrcmpA(_t1658 + 0x4f0, 0x47e154) != 0) {
							_t418 =  &(_t1646[0x17]); // 0x5c
							_t846 = _t418;
							_t1475 = _t1658 + 0x4f0;
							_push(_t846);
							_t1658 = _t1658 - 0x28;
							 *_t846 = 0x808080;
							 *((intOrPtr*)(_t1658 + 0x3c)) = _t1658;
							L004472C0(_t1658, _t1475, _t1658 + 0xae, 1);
							L0044F620(_t1646, __eflags);
						} else {
							_t1646[0x17] =  *(_t1658 + 0xc4);
						}
						lstrcpyA(_t1658 + 0x1dc, _t1658 + 0x394);
						lstrcatA(_t1658 + 0x1dc, "TXTCLR");
						_t853 =  *(_t1658 + 0xaf0);
						 *((intOrPtr*)(_t1658 + 0x26c)) = 0x4675d8;
						 *((intOrPtr*)(_t1658 + 0x28c)) = 0x4675d0;
						if(_t853 == 0) {
							_t853 = 0x47e150;
						}
						_push(0);
						_push(_t1658 + 0x69);
						_push(_t853);
						L0040B34B(_t1658 + 0x278);
						 *((char*)(_t1658 + 0xae8)) = 0x23;
						_t855 = L00453100(_t1658 + 0x26c);
						GetPrivateProfileStringA(_t855, _t1658 + 0x1e8, 0x47e154, _t1658 + 0x4f4, 0x3e8, L00452F40(_t1561)); // executed
						 *((char*)(_t1658 + 0xae8)) = 0xc;
						E004061C1(_t1658 + 0x26c);
						if(lstrcmpA(_t1658 + 0x4f0, 0x47e154) != 0) {
							_t440 =  &(_t1646[0x18]); // 0x60
							_t1613 = _t440;
							_t861 = GetSysColor(8);
							_push(_t1613);
							 *_t1613 = _t861;
							_t1658 = _t1658 - 0x28;
							 *((intOrPtr*)(_t1658 + 0x3c)) = _t1658;
							L004472C0(_t1658, _t1658 + 0x520, _t1658 + 0x97, 1);
							L0044F620(_t1646, __eflags);
						} else {
							_t1646[0x18] =  *(_t1658 + 0xb4);
						}
						lstrcpyA(_t1658 + 0x1dc, _t1658 + 0x394);
						lstrcatA(_t1658 + 0x1dc, "DISTXTCLR");
						_t868 =  *(_t1658 + 0xaf0);
						 *((intOrPtr*)(_t1658 + 0x36c)) = 0x4675d8;
						 *((intOrPtr*)(_t1658 + 0x38c)) = 0x4675d0;
						if(_t868 == 0) {
							_t868 = 0x47e150;
						}
						_push(0);
						_push(_t1658 + 0x63);
						_push(_t868);
						L0040B34B(_t1658 + 0x378);
						 *((char*)(_t1658 + 0xae8)) = 0x24;
						_t870 = L00453100(_t1658 + 0x36c);
						GetPrivateProfileStringA(_t870, _t1658 + 0x1e8, 0x47e154, _t1658 + 0x4f4, 0x3e8, L00452F40(_t1561)); // executed
						 *((char*)(_t1658 + 0xae8)) = 0xc;
						E004061C1(_t1658 + 0x36c);
						if(lstrcmpA(_t1658 + 0x4f0, 0x47e154) != 0) {
							_t462 =  &(_t1646[0x19]); // 0x64
							_t1615 = _t462;
							_t876 = GetSysColor(0x11);
							_push(_t1615);
							 *_t1615 = _t876;
							_t1658 = _t1658 - 0x28;
							 *((intOrPtr*)(_t1658 + 0x3c)) = _t1658;
							L004472C0(_t1658, _t1658 + 0x520, _t1658 + 0x98, 1);
							L0044F620(_t1646, __eflags);
						} else {
							_t1646[0x19] =  *(_t1658 + 0x1c);
						}
						wsprintfA(_t1658 + 0x4f0, "%x", _t1646[0x1a]);
						_t882 = _t1646[3];
						_t1659 = _t1658 + 0xc;
						_t1616 = 0x467570;
						if(_t882 != 0) {
							_t1616 = _t882;
						}
						 *((intOrPtr*)(_t1659 + 0x3c)) = 0x4675f0;
						 *((intOrPtr*)(_t1659 + 0x5c)) = 0x4675e8;
						L00447D40(_t1659 + 0x3c, 0);
						_t1711 = _t1616;
						 *((char*)(_t1659 + 0xae8)) = 0x25;
						_t884 = _t1616;
						if(_t1616 == 0) {
							_t884 = 0x47e150;
						}
						L00452E70(_t1659 + 0x3c, _t1711, _t884, _t1659 + 0x22);
						 *((intOrPtr*)(_t1659 + 0x4c)) = 0;
						 *((intOrPtr*)(_t1659 + 0x50)) = 0;
						 *((intOrPtr*)(_t1659 + 0x54)) = 0;
						 *((char*)(_t1659 + 0xaec)) = 0x27;
						L00447D70(_t1659 + 0x5c, 0);
						 *((char*)(_t1659 + 0xaec)) = 0x28;
						 *(_t1659 + 0xe0) = 0x4675f0;
						 *((intOrPtr*)(_t1659 + 0x100)) = 0x4675e8;
						L00447D40(_t1659 + 0xe0, 0);
						 *((char*)(_t1659 + 0xaec)) = 0x29;
						 *((char*)(_t1659 + 0xe4)) =  *((intOrPtr*)(_t1659 + 0x22));
						E0040213C(_t1659 + 0xe4, 0);
						 *((char*)(_t1659 + 0xae8)) = 0x2a;
						L00447D30(_t1659 + 0xf0);
						 *((char*)(_t1659 + 0xaec)) = 0x2b;
						L00447D70(_t1659 + 0x100, 0);
						_t1264 = _t1659 + 0xdc;
						 *((char*)(_t1659 + 0xae8)) = 0x2d;
						if(_t1264 != 0) {
							if(_t1659 + 0x4f0 == 0) {
								_t1356 = 0;
								__eflags = 0;
							} else {
								asm("repne scasb");
								_t1356 =  !(_t1264 | 0xffffffff) - 1;
							}
							L00447990(_t1659 + 0xec, _t1659 + 0x4fc, _t1356, _t1659 + 0x77, 1);
						}
						SetLastError( *(_t1659 +  *((intOrPtr*)( *(_t1659 + 0xdc) + 4)) + 0xdc));
						_t1266 =  *0x4675e0; // 0xffffffff
						asm("sbb eax, eax");
						 *((char*)(_t1659 + 0xaf4)) = 0x2e;
						L0040BE88(_t1659 + 0x48,  ~(_t1659 + 0xdc) & _t1659 + 0x000000e0, 0, _t1266);
						asm("sbb eax, eax");
						 *((char*)(_t1659 + 0xae8)) = 0x28;
						 *((intOrPtr*)( *((intOrPtr*)( *( ~(_t1659 + 0xdc) & _t1659 + 0x000000fc) + 4)) + ( ~(_t1659 + 0xdc) & _t1659 + 0x000000fc))) = GetLastError();
						asm("sbb esi, esi");
						_t1621 =  ~(_t1659 + 0xdc) & _t1659 + 0x000000f0;
						E0043AE17( *_t1621);
						_t1660 = _t1659 + 4;
						__imp__#6( *((intOrPtr*)(_t1621 + 8)));
						asm("sbb ecx, ecx");
						E0040213C( ~(_t1660 + 0xdc) & _t1660 + 0x000000e0, 1);
						SetLastError( *(_t1660 +  *((intOrPtr*)( *(_t1660 + 0xdc) + 4)) + 0xdc));
						_push(_t1660 + 0x38);
						_push(_t1660 + 0x24);
						L004539C0();
						_t1275 =  *((intOrPtr*)(_t1660 + 0x24));
						if(_t1275 !=  *((intOrPtr*)( *((intOrPtr*)(_t1660 + 0x14)) + 0x44))) {
							_t1646[0x1b] =  *(_t1275 + 0x34);
						} else {
							_t1630 = L0043BC14(0xc);
							_t1660 = _t1660 + 4;
							 *(_t1660 + 0x10) = _t1630;
							 *((char*)(_t1660 + 0xae8)) = 0x2f;
							if(_t1630 == 0) {
								_t1630 = 0;
								__eflags = 0;
							} else {
								_t1577 = L0043BC14(0x30);
								 *_t1630 = _t1577;
								memset(_t1577, 0, 0xc << 2);
								_t1579 = L0043BC14(0x48);
								_t1630[1] = _t1579;
								memset(_t1579, 0, 0x12 << 2);
								_t1011 = L0043BC14(0x18);
								_t1667 = _t1660 + 0x24;
								if(_t1011 == 0) {
									_t1630[2] = 0;
									memset(0, 0, 6 << 2);
									_t1660 = _t1667 + 0xc;
								} else {
									_t1583 = E0044C8D0(_t1011);
									_t1630[2] = _t1583;
									memset(_t1583, 0, 6 << 2);
									_t1660 = _t1667 + 0xc;
								}
							}
							_t1646[0x1b] = _t1630;
							_t975 = _t1646[3];
							 *((char*)(_t1660 + 0xae8)) = 0x28;
							_t1631 = 0x467570;
							if(_t975 != 0) {
								_t1631 = _t975;
							}
							 *(_t1660 + 0x134) = 0x46758c;
							 *((intOrPtr*)(_t1660 + 0x154)) = 0x467584;
							L00447D40(_t1660 + 0x134, 0);
							_t1718 = _t1631;
							 *((char*)(_t1660 + 0xae8)) = 0x30;
							_t977 = _t1631;
							if(_t1631 == 0) {
								_t977 = 0x47e150;
							}
							L00452E70(_t1660 + 0x134, _t1718, _t977, _t1660 + 0x6f);
							 *((char*)(_t1660 + 0xae8)) = 0x31;
							L00447D30(_t1660 + 0x144);
							 *((char*)(_t1660 + 0xaec)) = 0x32;
							L00447D70(_t1660 + 0x154, 0);
							_push(_t1660 + 0x10);
							 *((char*)(_t1660 + 0xaf0)) = 0x33;
							 *((intOrPtr*)(_t1660 + 0x18)) = 0;
							_push(L004537A0(_t1660 + 0x4cc, _t1660 + 0x130));
							 *((char*)(_t1660 + 0xaec)) = 0x34;
							_push(_t1660 + 0x340);
							_t1632 =  *((intOrPtr*)(L00453640()));
							 *((char*)(_t1660 + 0xae8)) = 0x33;
							L0040125C(_t1660 + 0x4c4);
							_t564 = _t1632 + 0x34; // 0x24
							asm("sbb eax, eax");
							 *((char*)(_t1660 + 0xae8)) = 0x36;
							 *((intOrPtr*)( *((intOrPtr*)( *( ~(_t1660 + 0x130) & _t1660 + 0x00000150) + 4)) + ( ~(_t1660 + 0x130) & _t1660 + 0x00000150))) = GetLastError();
							asm("sbb ecx, ecx");
							E00430164( ~(_t1660 + 0x130) & _t1660 + 0x00000144);
							asm("sbb ecx, ecx");
							 *((char*)(_t1660 + 0xaec)) = 0x35;
							 *(_t1660 + 0x34) =  ~(_t1660 + 0x130) & _t1660 + 0x00000134;
							E0040213C( ~(_t1660 + 0x130) & _t1660 + 0x00000134, 1);
							 *((char*)(_t1660 + 0xae8)) = 0x28;
							SetLastError( *(_t1660 +  *((intOrPtr*)( *(_t1660 + 0x130) + 4)) + 0x130));
							_push( *((intOrPtr*)( *_t564 + 4)));
							_t583 =  &(_t1646[1]); // 0x4
							_t584 =  &(_t1646[0x1a]); // 0x68
							_t585 =  &(_t1646[0x17]); // 0x5c
							E0044AB60(_t1646[0x1b], _t1718, _t585, _t584, _t583,  *((intOrPtr*)( *_t564)));
							_push(_t1660 + 0x10);
							 *((intOrPtr*)(_t1660 + 0x18)) = 0;
							_push(L00453AC0(_t1660 + 0x4a0, _t1660 + 0x38));
							_push(_t1660 + 0x2e4);
							 *((char*)(_t1660 + 0xaf0)) = 0x37;
							_t1002 = L00453850();
							 *((char*)(_t1660 + 0xae8)) = 0x28;
							E004061C1(_t1660 + 0x498);
							 *( *_t1002 + 0x34) = _t1646[0x1b];
						}
						wsprintfA(_t1660 + 0x4f0, "%x", _t1646[0x1a]);
						_t913 = _t1646[0xd];
						_t1661 = _t1660 + 0xc;
						if(_t913 != 0) {
							L104:
							_t1623 = _t913;
						} else {
							_t913 = 0x467570;
							if(0x467570 == 0) {
								_t1623 = 0x47e150;
								goto L106;
							}
							goto L104;
						}
						L106:
						_t914 = L0043BA1F(_t1623);
						_t1655 = _t1661 + 4;
						L0040BF1A(_t1655 + 0x3c, _t1623, _t914);
						 *(_t1655 + 0x88) = 0x4675f0;
						 *(_t1655 + 0xa8) = 0x4675e8;
						L00447D40(_t1655 + 0x88, 0);
						 *((char*)(_t1655 + 0xae8)) = 0x38;
						L00447B80(_t1655 + 0x8c, _t1655 + 0x75);
						 *((char*)(_t1655 + 0xae8)) = 0x39;
						L00447D30(_t1655 + 0x98);
						_t613 = _t1655 + 0xa8; // 0x4675e8
						_t1282 = _t613;
						 *((char*)(_t1655 + 0xaec)) = 0x3a;
						L00447D70(_t1282, 0);
						 *((char*)(_t1655 + 0xae8)) = 0x3c;
						if(_t1655 + 0x84 != 0) {
							if(_t1655 + 0x4f0 == 0) {
								_t1321 = 0;
								__eflags = 0;
							} else {
								asm("repne scasb");
								_t1321 =  !(_t1282 | 0xffffffff) - 1;
							}
							L00447990(_t1655 + 0x94, _t1655 + 0x4f8, _t1321, _t1655 + 0x64, 1);
						}
						SetLastError( *(_t1655 +  *((intOrPtr*)( *(_t1655 + 0x84) + 4)) + 0x84));
						_t1492 =  *0x4675e0; // 0xffffffff
						asm("sbb eax, eax");
						 *((char*)(_t1655 + 0xaf4)) = 0x3d;
						L0040BE88(_t1655 + 0x48,  ~(_t1655 + 0x84) & _t1655 + 0x00000088, 0, _t1492);
						asm("sbb eax, eax");
						 *((char*)(_t1655 + 0xae8)) = 0x28;
						 *( *((intOrPtr*)( *( ~(_t1655 + 0x84) & _t1655 + 0x000000a4) + 4)) + ( ~(_t1655 + 0x84) & _t1655 + 0x000000a4)) = GetLastError();
						asm("sbb ecx, ecx");
						E00430164( ~(_t1655 + 0x84) & _t1655 + 0x00000098);
						asm("sbb ecx, ecx");
						E0040213C( ~(_t1655 + 0x84) & _t1655 + 0x00000088, 1);
						SetLastError( *(_t1655 +  *((intOrPtr*)( *(_t1655 + 0x84) + 4)) + 0x84));
						_push(_t1655 + 0x38);
						_push(_t1655 + 0xc8);
						L004539C0();
						_t937 =  *((intOrPtr*)(_t1655 + 0xc8));
						 *((intOrPtr*)(_t1655 + 0x24)) = _t937;
						if(_t937 !=  *((intOrPtr*)( *((intOrPtr*)(_t1655 + 0x14)) + 0x44))) {
							_t1646[0x1c] =  *(_t937 + 0x34);
						} else {
							_t1627 = L0043BC14(0xc);
							_t1655 = _t1655 + 4;
							 *(_t1655 + 0x10) = _t1627;
							 *((char*)(_t1655 + 0xae8)) = 0x3e;
							if(_t1627 == 0) {
								_t1627 = 0;
								__eflags = 0;
							} else {
								_t1565 = L0043BC14(0x30);
								 *_t1627 = _t1565;
								memset(_t1565, 0, 0xc << 2);
								_t1567 = L0043BC14(0x48);
								_t1627[1] = _t1567;
								memset(_t1567, 0, 0x12 << 2);
								_t964 = L0043BC14(0x18);
								_t1664 = _t1655 + 0x24;
								if(_t964 == 0) {
									_t1627[2] = 0;
									memset(0, 0, 6 << 2);
									_t1655 = _t1664 + 0xc;
								} else {
									_t1571 = E0044C8D0(_t964);
									_t1627[2] = _t1571;
									memset(_t1571, 0, 6 << 2);
									_t1655 = _t1664 + 0xc;
								}
							}
							_t1646[0x1c] = _t1627;
							_t943 = _t1646[0xd];
							 *((char*)(_t1655 + 0xae8)) = 0x28;
							_t1628 = 0x467570;
							if(_t943 != 0) {
								_t1628 = _t943;
							}
							 *((intOrPtr*)(_t1655 + 0x244)) = 0x46758c;
							 *((intOrPtr*)(_t1655 + 0x264)) = 0x467584;
							L00447D40(_t1655 + 0x244, 0);
							_t1727 = _t1628;
							 *((char*)(_t1655 + 0xae8)) = 0x3f;
							_t945 = _t1628;
							if(_t1628 == 0) {
								_t945 = 0x47e150;
							}
							L00452E70(_t1655 + 0x244, _t1727, _t945, _t1655 + 0x66);
							 *((char*)(_t1655 + 0xae8)) = 0x40;
							L00447D30(_t1655 + 0x254);
							 *((char*)(_t1655 + 0xaec)) = 0x41;
							L00447D70(_t1655 + 0x264, 0);
							 *((char*)(_t1655 + 0xaec)) = 0x42;
							_t1629 =  *((intOrPtr*)(E00452860( *((intOrPtr*)(_t1655 + 0x14)) + 0x30, _t1655 + 0x240)));
							 *((char*)(_t1655 + 0xae8)) = 0x28;
							L0040125C(_t1655 + 0x240);
							_t681 = _t1629 + 4; // 0x0
							_push( *_t681);
							_t682 =  &(_t1646[0xb]); // 0x2c
							_t684 =  &(_t1646[0x1a]); // 0x68
							_t685 =  &(_t1646[0x17]); // 0x5c
							E0044AB60(_t1646[0x1c], _t1727, _t685, _t684, _t682,  *((intOrPtr*)( *((intOrPtr*)(E00452860( *((intOrPtr*)(_t1655 + 0x14)) + 0x30, _t1655 + 0x240))))));
							 *(E00452980( *((intOrPtr*)(_t1655 + 0x14)) + 0x40, _t1655 + 0x38)) = _t1646[0x1c];
						}
						_push(_t1646);
						 *(E00452690( *((intOrPtr*)(_t1655 + 0xaf4)))) = _t1646;
						 *((char*)(_t1655 + 0xae8)) = 0xc;
						E004061C1(_t1655 + 0x38);
						_t941 =  *((intOrPtr*)(_t1655 + 0x28)) + 1;
						 *((intOrPtr*)(_t1655 + 0x28)) = _t941;
					} while (_t941 <=  *((intOrPtr*)(_t1655 + 0xb0)));
					goto L124;
				} else {
					asm("sbb ecx, ecx");
					if(L00459360( ~(_t1655 + 0x108) & _t1655 + 0x0000010c, _t1675, L"ALL") == 0) {
						goto L28;
					}
					if( *((intOrPtr*)(_t1655 + 0x190)) == 0) {
						L17:
						 *(_t1655 + 0x88) = 0x4675f0;
						 *(_t1655 + 0xa8) = 0x4675e8;
						L00447D40(_t1655 + 0x88, 0);
						_t1387 = L"ALL";
						 *((char*)(_t1655 + 0xae8)) = 0x10;
						_t1680 = _t1387;
						_t1058 = _t1387;
						if(_t1387 == 0) {
							_t1058 = 0x47e150;
						}
						L00452E70(_t1655 + 0x88, _t1680, _t1058, _t1655 + 0x23);
						 *(_t1655 + 0x98) = 0;
						 *((intOrPtr*)(_t1655 + 0x9c)) = 0;
						 *((intOrPtr*)(_t1655 + 0xa0)) = 0;
						_t141 = _t1655 + 0xa8; // 0x4675e8
						 *((char*)(_t1655 + 0xaec)) = 0x12;
						L00447D70(_t141, 0);
						_push(_t1655 + 0x2c);
						 *(_t1655 + 0xaf0) = 0x13;
						 *((intOrPtr*)(_t1655 + 0x34)) = 0;
						_push(L00453DD0(_t1655 + 0x248, _t1655 + 0x84));
						 *((char*)(_t1655 + 0xaec)) = 0x14;
						_push(_t1655 + 0x34);
						_t1064 = L00453B70();
						E004061C1(_t1655 + 0x240);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t1655 + 0x28)) =  *((intOrPtr*)( *_t1064 + 0x34));
						 *((char*)(_t1655 + 0xae8)) = 0xc;
						_t1069 = GetLastError();
						asm("sbb ecx, ecx");
						 *( *((intOrPtr*)( *( ~(_t1655 + 0x84) & _t1655 + 0x000000a4) + 4)) + ( ~(_t1655 + 0x84) & _t1655 + 0x000000a4)) = _t1069;
						E00430164( ~(_t1655 + 0x84) & _t1655 + 0x00000098);
						asm("sbb ecx, ecx");
						E0040213C( ~(_t1655 + 0x84) & _t1655 + 0x00000088, 1);
						SetLastError( *(_t1655 +  *((intOrPtr*)( *(_t1655 + 0x84) + 4)) + 0x84));
						L20:
						_t1589 =  *((intOrPtr*)(_t1655 + 0x28));
						 *(_t1655 + 0x10) = 0;
						 *((intOrPtr*)(_t1655 + 0x1c)) = 0;
						if( *((intOrPtr*)(_t1589 + 0x1c0)) != 0) {
							L26:
							__eflags = _t1589 + 0x1b4;
							L27:
							 *((intOrPtr*)(_t1655 + 0x34)) = 0;
							_t1077 = L00453420(_t1655 + 0x7c, L00453510(_t1655 + 0x38, _t1655 + 0x10, _t1655 + 0x2c));
							 *((intOrPtr*)(_t1655 + 0x2c)) = 0;
							 *((intOrPtr*)( *((intOrPtr*)(L00453420(_t1655 + 0xcc, L00453510(_t1655 + 0x1dc, _t1655 + 0x1c, _t1655 + 0x24)))) + 0x10)) =  *((intOrPtr*)( *_t1077 + 0x10));
							goto L28;
						}
						_t1647 = _t1589 + 0x158;
						_t1683 = _t1647;
						if(_t1647 == 0) {
							_t1410 = 0;
							__eflags = 0;
						} else {
							_t1410 = _t1589 + 0x15c;
						}
						_t1082 = L00459360(_t1410, _t1683, L"ALL");
						_t1684 = _t1082;
						if(_t1082 == 0) {
							goto L26;
						} else {
							_t1655 = _t1655 - 0x28;
							 *((intOrPtr*)(_t1655 + 0xf0)) = _t1655;
							_push(1);
							_push(_t1647);
							L0040B2B8(_t1655);
							L00451440(L0044B380( *((intOrPtr*)(_t1589 + 0x14c)), _t1684));
							goto L27;
						}
					}
					_t1086 = L00458F10();
					_t1668 = _t1655 + 0xc;
					 *((char*)(_t1668 + 0xaf0)) = 0xf;
					L00453CD0();
					asm("sbb eax, eax");
					 *((char*)(_t1668 + 0xae8)) = 0xc;
					 *((intOrPtr*)( *((intOrPtr*)( *( ~(_t1668 + 0x38) & _t1668 + 0x00000058) + 4)) + ( ~(_t1668 + 0x38) & _t1668 + 0x00000058))) = GetLastError();
					asm("sbb edi, edi");
					_t1596 =  ~(_t1668 + 0x38) & _t1668 + 0x0000004c;
					E0043AE17( *_t1596);
					_t1655 = _t1668 + 4;
					__imp__#6( *((intOrPtr*)(_t1596 + 8)), _t1668 + 0x28, _t1086, _t1655 + 0x38, L"ALL", _t1655 + 0x184);
					asm("sbb ecx, ecx");
					E0040213C( ~(_t1655 + 0x38) & _t1655 + 0x0000003c, 1);
					SetLastError( *(_t1655 +  *((intOrPtr*)( *(_t1655 + 0x38) + 4)) + 0x38));
					_t1422 =  *((intOrPtr*)(_t1655 + 0x24));
					if(_t1422 ==  *((intOrPtr*)( *((intOrPtr*)(_t1655 + 0x14)) + 0x58))) {
						goto L17;
					}
					_t1423 =  *((intOrPtr*)(_t1422 + 0x34));
					 *((intOrPtr*)(_t1655 + 0x28)) = _t1423;
					if(_t1423 != 0) {
						goto L20;
					}
					goto L17;
				}
			}

0x0044d870
0x0044d872
0x0044d87d
0x0044d87e
0x0044d885
0x0044d88d
0x0044d898
0x0044d89c
0x0044d8a0
0x0044d8ab
0x0044d8b6
0x0044d8b8
0x0044d8ba
0x0044d8ba
0x0044d8c3
0x0044d8c4
0x0044d8c5
0x0044d8cd
0x0044d8d9
0x0044d8e0
0x0044d8e5
0x0044d8f7
0x0044d904
0x0044d90b
0x0044d916
0x0044d929
0x0044d930
0x0044d930
0x0044d932
0x0044d934
0x0044d943
0x0044d94a
0x0044d94a
0x0044d94c
0x0044d94e
0x0044d95d
0x0044d964
0x0044d964
0x0044d966
0x0044d968
0x0044d977
0x0044d97e
0x0044d97e
0x0044d980
0x0044d982
0x0044d991
0x0044d998
0x0044d998
0x0044d9a2
0x0044d9a4
0x0044d9a5
0x0044d9a9
0x0044d9bd
0x0044d9c4
0x0044d9cb
0x0044d9d0
0x0044d9d2
0x0044d9dd
0x0044d9df
0x0044d9df
0x0044d9f1
0x0044d9f6
0x0044d9fd
0x0044da04
0x0044da13
0x0044da1b
0x0044da28
0x0044da33
0x0044da3a
0x0044da41
0x0044da52
0x0044da5a
0x0044da61
0x0044da6d
0x0044da75
0x0044da82
0x0044da8a
0x0044da97
0x0044da9f
0x0044daa6
0x0044daad
0x0044dab6
0x0044dac6
0x0044dacb
0x0044dad2
0x0044dad9
0x0044dae8
0x0044daf0
0x0044dafa
0x0044db02
0x0044db07
0x0044db25
0x0044db2b
0x0044db3f
0x0044db46
0x0044db4e
0x0044db55
0x0044db55
0x0044db50
0x0044db50
0x0044db50
0x0044db57
0x0044db67
0x0044db76
0x0044db78
0x0044db89
0x0044db95
0x0044db97
0x0044db9b
0x0044dbaa
0x0044dbb0
0x0044dbc5
0x0044dbcb
0x0044dbdf
0x0044dbe6
0x0044dbee
0x0044dbf5
0x0044dbf5
0x0044dbf0
0x0044dbf0
0x0044dbf0
0x0044dbf7
0x0044dc07
0x0044dc16
0x0044dc18
0x0044dc29
0x0044dc35
0x0044dc37
0x0044dc3b
0x0044dc4a
0x0044dc4e
0x0044dc50
0x0044dc65
0x0044dc65
0x0044dc7b
0x0044dc84
0x0044dc90
0x0044dc92
0x0044df8f
0x0044df9d
0x0044dfa1
0x0044dfd3
0x0044dfe3
0x0044dfe7
0x0044e013
0x0044e023
0x0044e027
0x0044e053
0x0044e057
0x0044e05b
0x0044e06c
0x0044e07e
0x0044e082
0x0044e089
0x0044e0be
0x0044e0c5
0x0044e0c9
0x0044e0da
0x0044e0e9
0x0044e0f9
0x0044e0fd
0x0044f34d
0x0044f354
0x0044f360
0x0044f36c
0x0044f37b
0x0044f389
0x0044f389
0x0044e111
0x0044e118
0x0044e11c
0x0044e11c
0x0044e12a
0x0044e12c
0x0044e12f
0x0044e135
0x0044e13d
0x0044e167
0x0044e167
0x0044e13f
0x0044e146
0x0044e149
0x0044e155
0x0044e158
0x0044e160
0x0044e160
0x0044e176
0x0044e17e
0x0044e193
0x0044e198
0x0044e1a4
0x0044e1ac
0x0044e1b7
0x0044e1c2
0x0044e1c4
0x0044e1c6
0x0044e1c6
0x0044e1cf
0x0044e1d0
0x0044e1d1
0x0044e1d9
0x0044e1e5
0x0044e1ed
0x0044e20b
0x0044e218
0x0044e21b
0x0044e223
0x0044e238
0x0044e24b
0x0044e25d
0x0044e266
0x0044e26a
0x0044e277
0x0044e279
0x0044e280
0x0044e285
0x0044e290
0x0044e29b
0x0044e29d
0x0044e29d
0x0044e2a6
0x0044e2a7
0x0044e2a8
0x0044e2b0
0x0044e2bc
0x0044e2c4
0x0044e2ec
0x0044e2f9
0x0044e305
0x0044e30f
0x0044e31c
0x0044e31c
0x0044e328
0x0044e32a
0x0044e33d
0x0044e33f
0x0044e340
0x0044e348
0x0044e34d
0x0044e35c
0x0044e374
0x0044e37c
0x0044e388
0x0044e390
0x0044e396
0x0044e396
0x0044e39f
0x0044e3b7
0x0044e3be
0x0044e3c6
0x0044e3cd
0x0044e3cd
0x0044e3c8
0x0044e3c8
0x0044e3c8
0x0044e3cf
0x0044e3d5
0x0044e3db
0x0044e3e7
0x0044e3ef
0x0044e3ef
0x0044e404
0x0044e417
0x0044e429
0x0044e432
0x0044e436
0x0044e443
0x0044e445
0x0044e44c
0x0044e451
0x0044e45c
0x0044e467
0x0044e469
0x0044e469
0x0044e472
0x0044e473
0x0044e474
0x0044e47c
0x0044e488
0x0044e490
0x0044e4b8
0x0044e4c5
0x0044e4d1
0x0044e4db
0x0044e4e8
0x0044e4e8
0x0044e4f4
0x0044e4f6
0x0044e509
0x0044e50b
0x0044e50c
0x0044e514
0x0044e519
0x0044e528
0x0044e540
0x0044e548
0x0044e554
0x0044e55c
0x0044e562
0x0044e562
0x0044e56b
0x0044e583
0x0044e58a
0x0044e592
0x0044e599
0x0044e599
0x0044e594
0x0044e594
0x0044e594
0x0044e59b
0x0044e5a1
0x0044e5a7
0x0044e5b3
0x0044e5bb
0x0044e5bb
0x0044e5d0
0x0044e5e3
0x0044e5e9
0x0044e5f0
0x0044e5fd
0x0044e608
0x0044e60a
0x0044e60a
0x0044e616
0x0044e617
0x0044e618
0x0044e620
0x0044e62c
0x0044e634
0x0044e663
0x0044e670
0x0044e678
0x0044e67d
0x0044e67d
0x0044e680
0x0044e680
0x0044e690
0x0044e696
0x0044e69c
0x0044e6a2
0x0044e6a4
0x0044e6a6
0x0044e6a7
0x0044e6a8
0x0044e6b4
0x0044e6c3
0x0044e6cc
0x0044e6cc
0x0044e6e1
0x0044e6e4
0x0044e6f7
0x0044e6fd
0x0044e704
0x0044e711
0x0044e71c
0x0044e71e
0x0044e71e
0x0044e727
0x0044e728
0x0044e729
0x0044e731
0x0044e73d
0x0044e745
0x0044e750
0x0044e776
0x0044e783
0x0044e78b
0x0044e7a5
0x0044e7b0
0x0044e7b0
0x0044e7b3
0x0044e7b7
0x0044e7b8
0x0044e7bb
0x0044e7c3
0x0044e7d2
0x0044e7db
0x0044e7a7
0x0044e7ab
0x0044e7ab
0x0044e7f0
0x0044e803
0x0044e809
0x0044e810
0x0044e81d
0x0044e828
0x0044e82a
0x0044e82a
0x0044e833
0x0044e834
0x0044e835
0x0044e83d
0x0044e849
0x0044e851
0x0044e87b
0x0044e888
0x0044e890
0x0044e8aa
0x0044e8b8
0x0044e8b8
0x0044e8bb
0x0044e8c2
0x0044e8c3
0x0044e8c6
0x0044e8ce
0x0044e8dd
0x0044e8e6
0x0044e8ac
0x0044e8b3
0x0044e8b3
0x0044e8fb
0x0044e90e
0x0044e914
0x0044e91b
0x0044e928
0x0044e933
0x0044e935
0x0044e935
0x0044e93e
0x0044e93f
0x0044e940
0x0044e948
0x0044e954
0x0044e95c
0x0044e986
0x0044e993
0x0044e99b
0x0044e9b5
0x0044e9c5
0x0044e9c5
0x0044e9c8
0x0044e9ce
0x0044e9cf
0x0044e9d1
0x0044e9dd
0x0044e9ec
0x0044e9f5
0x0044e9b7
0x0044e9be
0x0044e9be
0x0044ea0a
0x0044ea1d
0x0044ea23
0x0044ea2a
0x0044ea37
0x0044ea42
0x0044ea44
0x0044ea44
0x0044ea4d
0x0044ea4e
0x0044ea4f
0x0044ea57
0x0044ea63
0x0044ea6b
0x0044ea95
0x0044eaa2
0x0044eaaa
0x0044eac4
0x0044ead1
0x0044ead1
0x0044ead4
0x0044eada
0x0044eadb
0x0044eadd
0x0044eae9
0x0044eaf8
0x0044eb01
0x0044eac6
0x0044eaca
0x0044eaca
0x0044eb17
0x0044eb1d
0x0044eb20
0x0044eb25
0x0044eb2a
0x0044eb2c
0x0044eb2c
0x0044eb38
0x0044eb40
0x0044eb44
0x0044eb49
0x0044eb4b
0x0044eb53
0x0044eb55
0x0044eb57
0x0044eb57
0x0044eb66
0x0044eb6b
0x0044eb6f
0x0044eb73
0x0044eb7c
0x0044eb84
0x0044eb91
0x0044eb99
0x0044eba4
0x0044ebab
0x0044ebbc
0x0044ebc4
0x0044ebcb
0x0044ebd7
0x0044ebdf
0x0044ebec
0x0044ebf4
0x0044ebf9
0x0044ec00
0x0044ec0a
0x0044ec15
0x0044ec2a
0x0044ec2a
0x0044ec17
0x0044ec23
0x0044ec27
0x0044ec27
0x0044ec43
0x0044ec43
0x0044ec67
0x0044ec69
0x0044ec78
0x0044ec8a
0x0044ec92
0x0044eca7
0x0044eca9
0x0044ecc0
0x0044eccb
0x0044ecd4
0x0044ecd9
0x0044ece1
0x0044ece5
0x0044ecfb
0x0044ed01
0x0044ed1f
0x0044ed2d
0x0044ed2e
0x0044ed32
0x0044ed3a
0x0044ed40
0x0044efb2
0x0044ed46
0x0044ed4d
0x0044ed4f
0x0044ed52
0x0044ed58
0x0044ed60
0x0044edc0
0x0044edc0
0x0044ed62
0x0044ed69
0x0044ed72
0x0044ed74
0x0044ed7d
0x0044ed86
0x0044ed89
0x0044ed8d
0x0044ed92
0x0044ed97
0x0044edb9
0x0044edbc
0x0044edbc
0x0044ed99
0x0044eda0
0x0044eda9
0x0044edac
0x0044edac
0x0044edac
0x0044ed97
0x0044edc2
0x0044edc5
0x0044edca
0x0044edd2
0x0044edd7
0x0044edd9
0x0044edd9
0x0044ede3
0x0044edee
0x0044edf9
0x0044edfe
0x0044ee00
0x0044ee08
0x0044ee0a
0x0044ee0c
0x0044ee0c
0x0044ee1e
0x0044ee2a
0x0044ee32
0x0044ee3f
0x0044ee47
0x0044ee57
0x0044ee60
0x0044ee68
0x0044ee71
0x0044ee7d
0x0044ee85
0x0044ee8e
0x0044ee97
0x0044ee9f
0x0044eea4
0x0044eeb7
0x0044eeb9
0x0044eed7
0x0044eedb
0x0044eee6
0x0044eefb
0x0044ef01
0x0044ef09
0x0044ef0d
0x0044ef19
0x0044ef33
0x0044ef3e
0x0044ef3f
0x0044ef44
0x0044ef48
0x0044ef4f
0x0044ef5c
0x0044ef65
0x0044ef79
0x0044ef7a
0x0044ef7e
0x0044ef86
0x0044ef94
0x0044ef9c
0x0044efaa
0x0044efaa
0x0044efc6
0x0044efcc
0x0044efcf
0x0044efd4
0x0044efdf
0x0044efdf
0x0044efd6
0x0044efd6
0x0044efdd
0x0044efe3
0x00000000
0x0044efe3
0x00000000
0x0044efdd
0x0044efe8
0x0044efe9
0x0044efee
0x0044eff7
0x0044f004
0x0044f00f
0x0044f01a
0x0044f023
0x0044f033
0x0044f03f
0x0044f047
0x0044f04d
0x0044f04d
0x0044f054
0x0044f05c
0x0044f068
0x0044f072
0x0044f07d
0x0044f092
0x0044f092
0x0044f07f
0x0044f08b
0x0044f08f
0x0044f08f
0x0044f0ab
0x0044f0b0
0x0044f0cf
0x0044f0d1
0x0044f0e0
0x0044f0f2
0x0044f0fa
0x0044f10f
0x0044f111
0x0044f12f
0x0044f133
0x0044f13e
0x0044f153
0x0044f159
0x0044f177
0x0044f188
0x0044f189
0x0044f18d
0x0044f192
0x0044f19e
0x0044f1a2
0x0044f312
0x0044f1a8
0x0044f1af
0x0044f1b1
0x0044f1b4
0x0044f1ba
0x0044f1c2
0x0044f222
0x0044f222
0x0044f1c4
0x0044f1cb
0x0044f1d4
0x0044f1d6
0x0044f1df
0x0044f1e8
0x0044f1eb
0x0044f1ef
0x0044f1f4
0x0044f1f9
0x0044f21b
0x0044f21e
0x0044f21e
0x0044f1fb
0x0044f202
0x0044f20b
0x0044f20e
0x0044f20e
0x0044f20e
0x0044f1f9
0x0044f224
0x0044f227
0x0044f22c
0x0044f234
0x0044f239
0x0044f23b
0x0044f23b
0x0044f245
0x0044f250
0x0044f25b
0x0044f260
0x0044f262
0x0044f26a
0x0044f26c
0x0044f26e
0x0044f26e
0x0044f280
0x0044f28c
0x0044f294
0x0044f2a1
0x0044f2a9
0x0044f2ba
0x0044f2ca
0x0044f2d3
0x0044f2db
0x0044f2e0
0x0044f2e5
0x0044f2e6
0x0044f2ee
0x0044f2f2
0x0044f2f6
0x0044f30b
0x0044f30b
0x0044f31c
0x0044f326
0x0044f328
0x0044f330
0x0044f340
0x0044f343
0x0044f343
0x00000000
0x0044dc98
0x0044dca8
0x0044dcb8
0x00000000
0x00000000
0x0044dcc5
0x0044dd8c
0x0044dd94
0x0044dd9f
0x0044ddaa
0x0044ddaf
0x0044ddb4
0x0044ddbc
0x0044ddbe
0x0044ddc0
0x0044ddc2
0x0044ddc2
0x0044ddd4
0x0044ddd9
0x0044dde0
0x0044dde7
0x0044ddef
0x0044ddf6
0x0044ddfe
0x0044de0e
0x0044de17
0x0044de1f
0x0044de28
0x0044de31
0x0044de39
0x0044de3d
0x0044de4b
0x0044de5c
0x0044de67
0x0044de6b
0x0044de7a
0x0044de8c
0x0044de8e
0x0044de92
0x0044dea7
0x0044dead
0x0044decb
0x0044ded1
0x0044ded1
0x0044ded5
0x0044ded9
0x0044dee3
0x0044df31
0x0044df31
0x0044df37
0x0044df45
0x0044df56
0x0044df6e
0x0044df8c
0x00000000
0x0044df8c
0x0044dee5
0x0044deeb
0x0044deed
0x0044def7
0x0044def7
0x0044deef
0x0044deef
0x0044deef
0x0044defe
0x0044df03
0x0044df05
0x00000000
0x0044df07
0x0044df07
0x0044df0c
0x0044df13
0x0044df15
0x0044df16
0x0044df28
0x00000000
0x0044df2d
0x0044df05
0x0044dcdd
0x0044dce2
0x0044dcf2
0x0044dcfa
0x0044dd09
0x0044dd0b
0x0044dd1e
0x0044dd26
0x0044dd2c
0x0044dd31
0x0044dd39
0x0044dd3d
0x0044dd4d
0x0044dd53
0x0044dd68
0x0044dd72
0x0044dd7b
0x00000000
0x00000000
0x0044dd7d
0x0044dd82
0x0044dd86
0x00000000
0x00000000
0x00000000
0x0044dd86

APIs

GetPrivateProfileIntA.KERNEL32 ref: 0044D8F7
GetSysColor.USER32(00000008), ref: 0044D9A5
GetSysColor.USER32(00000011), ref: 0044D9A9

Part of subcall function 00447D70: SetLastError.KERNEL32(?,004675F0,0044C457,00000000,00467570,?), ref: 00447D8A

Part of subcall function 00447D40: GetLastError.KERNEL32(?,?,004521BC,00000000,?,FFFFFFFF,00000001), ref: 00447D59

GetLastError.KERNEL32(00000000,00000000,FFFFFFFF), ref: 0044DB89
SetLastError.KERNEL32(?,00000001), ref: 0044DBC5
GetLastError.KERNEL32(00000000,00000000,FFFFFFFF,?,00000000,FFFFFFFF), ref: 0044DC29
SetLastError.KERNEL32(?,00000001), ref: 0044DC65

Part of subcall function 004061C1: __EH_prolog.LIBCMT ref: 004061C6
Part of subcall function 004061C1: GetLastError.KERNEL32(000004B1,00000000,?,0040C82E,004675D8,?,00000000,?,00000000,004675D0,?,004675D8), ref: 004061E9
Part of subcall function 004061C1: SysFreeString.OLEAUT32(?), ref: 00406207
Part of subcall function 004061C1: SetLastError.KERNEL32(?,00000001,?,0040C82E,004675D8,?,00000000,?,00000000,004675D0,?,004675D8), ref: 00406227

GetLastError.KERNEL32 ref: 0044DD1C
SysFreeString.OLEAUT32(?), ref: 0044DD3D
SetLastError.KERNEL32(?,00000001), ref: 0044DD68

Part of subcall function 00447450: GetLastError.KERNEL32(00000000,FFFFFFFF,?,761B4D40,?,00000000,00465408,000000FF,0044F6EE,?,00000000,00000000,?,00478748,FFFFFFFF,00000000), ref: 0044748B
Part of subcall function 00447450: SetLastError.KERNEL32(004675E8,00000000,00000000,00000000,?,761B4D40,?,00000000,00465408,000000FF,0044F6EE,?,00000000,00000000,?,00478748), ref: 004474D9

SetLastError.KERNEL32(?,00000001), ref: 0044DECB
lstrcpyA.KERNEL32(?,00000000,?,00000000,?,?,ALL,00478FCC,00000000,00000000,00000000), ref: 0044DFD3
lstrcpyA.KERNEL32(?,00000000,?,00000000,?,?), ref: 0044E013
lstrcpyA.KERNEL32(?,BUTTON), ref: 0044E17E
lstrcatA.KERNEL32(?,00000000,?,?,?,?,?), ref: 0044E1A4
GetPrivateProfileIntA.KERNEL32 ref: 0044E20B
lstrcpyA.KERNEL32(?,?), ref: 0044E238
lstrcatA.KERNEL32(?,0047DD84), ref: 0044E24B
GetPrivateProfileStringA.KERNEL32(00000000,?,0047E154,00000000,00000104,00000000), ref: 0044E2EC
SetLastError.KERNEL32(00000000,?,00000000,FFFFFFFF,?,?,00000001), ref: 0044E396
lstrcpyA.KERNEL32(?,?), ref: 0044E404
lstrcatA.KERNEL32(?,DOWN), ref: 0044E417
GetPrivateProfileStringA.KERNEL32(00000000,?,0047E154,00000000,00000104,00000000), ref: 0044E4B8
GetLastError.KERNEL32(?), ref: 0044E4F6
SetLastError.KERNEL32(00000000,?,00000000,FFFFFFFF,?,?,00000001), ref: 0044E562

Part of subcall function 00451850: GetLastError.KERNEL32(761E9390,-00000007,00000000,?,?,?,00000000), ref: 00451890
Part of subcall function 00451850: SetLastError.KERNEL32(?,00000000,?,?,00000000), ref: 004518C6
Part of subcall function 00451850: GetLastError.KERNEL32 ref: 00451916
Part of subcall function 00451850: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00451967

lstrcpyA.KERNEL32(?,?), ref: 0044E5D0
lstrcatA.KERNEL32(?,POS), ref: 0044E5E3
GetPrivateProfileStringA.KERNEL32(00000000,?,0047E154,?,000003E8,00000000), ref: 0044E663
lstrcmpA.KERNEL32(?,0047E154), ref: 0044E69C
lstrcpyA.KERNEL32(?,?), ref: 0044E6E4
lstrcatA.KERNEL32(?,OPT), ref: 0044E6F7

Part of subcall function 0040B34B: __EH_prolog.LIBCMT ref: 0040B350
Part of subcall function 0040B34B: GetLastError.KERNEL32(?,00000001,00000001,?,0044B892,?,?,00000000), ref: 0040B379
Part of subcall function 0040B34B: SetLastError.KERNEL32(?,?,00000000,00000000,?,0044B892,?,?,00000000), ref: 0040B3CE

Part of subcall function 00453100: WideCharToMultiByte.KERNEL32(00000000,00000000,FFFFFFFF,00000001,00000004,00000000,00000000,00000000,?,00000000), ref: 0045315A

Part of subcall function 00452F40: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000001,00000000,00448A01), ref: 00452F69
Part of subcall function 00452F40: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000), ref: 00452FB5

GetPrivateProfileStringA.KERNEL32(00000000,?,0047E154,?,000003E8,00000000), ref: 0044E776
lstrcmpA.KERNEL32(?,0047E154), ref: 0044E79D
lstrcpyA.KERNEL32(?,?,?,?,00000001), ref: 0044E7F0
lstrcatA.KERNEL32(?,TRNSPRNTCLR,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0044E803
GetPrivateProfileStringA.KERNEL32(00000000,?,0047E154,?,000003E8,00000000), ref: 0044E87B
lstrcmpA.KERNEL32(?,0047E154,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0044E8A2
lstrcpyA.KERNEL32(?,?,?,?,00000001), ref: 0044E8FB
lstrcatA.KERNEL32(?,TXTCLR), ref: 0044E90E
GetPrivateProfileStringA.KERNEL32(00000000,?,0047E154,?,000003E8,00000000), ref: 0044E986

Part of subcall function 004472C0: GetLastError.KERNEL32(?,000001C4,?,00000000,?,?,00000001,?,?,?,?,?,?,?,?,ALL), ref: 00447300
Part of subcall function 004472C0: SetLastError.KERNEL32(?,00000000,?,00000000,?,?,00000001,?,?,?,?,?,?,?,?,ALL), ref: 00447336
Part of subcall function 004472C0: GetLastError.KERNEL32 ref: 0044738A
Part of subcall function 004472C0: SetLastError.KERNEL32(?,00000000), ref: 004473BD
Part of subcall function 004472C0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000000), ref: 004473E6

Part of subcall function 0044F620: GetLastError.KERNEL32 ref: 0044F71F
Part of subcall function 0044F620: SysFreeString.OLEAUT32(?), ref: 0044F740

lstrcmpA.KERNEL32(?,0047E154), ref: 0044E9AD
GetSysColor.USER32(00000008), ref: 0044E9C8
lstrcpyA.KERNEL32(?,?,?,?,00000001), ref: 0044EA0A
lstrcatA.KERNEL32(?,DISTXTCLR), ref: 0044EA1D
GetPrivateProfileStringA.KERNEL32(00000000,?,0047E154,?,000003E8,00000000), ref: 0044EA95
lstrcmpA.KERNEL32(?,0047E154), ref: 0044EABC
GetSysColor.USER32(00000011), ref: 0044EAD4

Part of subcall function 004472C0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,?,00000000), ref: 00447410
Part of subcall function 004472C0: SetLastError.KERNEL32(?,?,00000000), ref: 0044741F
Part of subcall function 004472C0: SetLastError.KERNEL32(?,?,?,00000000), ref: 0044742E

Part of subcall function 0044F620: SetLastError.KERNEL32(?,00000001,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00466510,000000FF,00448B8D), ref: 0044F76B
Part of subcall function 0044F620: GetLastError.KERNEL32 ref: 0044F7BC
Part of subcall function 0044F620: SysFreeString.OLEAUT32(?), ref: 0044F7E3
Part of subcall function 0044F620: SetLastError.KERNEL32(?,00000001,?,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00466510), ref: 0044F80A
Part of subcall function 0044F620: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0044F84F

Part of subcall function 0040213C: SysFreeString.OLEAUT32(?), ref: 00402163

wsprintfA.USER32 ref: 0044EB17
SetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00467570,?), ref: 0044EC67
GetLastError.KERNEL32(?,00000000,FFFFFFFF), ref: 0044ECBA
SysFreeString.OLEAUT32(?), ref: 0044ECE5
SetLastError.KERNEL32(?,00000001), ref: 0044ED1F
GetLastError.KERNEL32(?,00000000,?,?,00000000,00467570,?,00000000), ref: 0044EECA
wsprintfA.USER32 ref: 0044EFC6
SetLastError.KERNEL32(?,00000000,?), ref: 0044F0CF
GetLastError.KERNEL32(?,00000000,FFFFFFFF), ref: 0044F122
SetLastError.KERNEL32(?,00000001), ref: 0044F177

Part of subcall function 00452980: GetLastError.KERNEL32 ref: 004529BC
Part of subcall function 00452980: GetLastError.KERNEL32(?,?,?,?,004675F0,00000000,00000000), ref: 00452A2C
Part of subcall function 00452980: SysFreeString.OLEAUT32(00468E68), ref: 00452A4D
Part of subcall function 00452980: SetLastError.KERNEL32(?,00000001), ref: 00452A74

SetLastError.KERNEL32(?,00000001), ref: 0044EF33

Part of subcall function 0044AB60: GetLastError.KERNEL32 ref: 0044ABE7
Part of subcall function 0044AB60: SetLastError.KERNEL32(?,00000001), ref: 0044AC3A

Part of subcall function 00453AC0: GetLastError.KERNEL32(00000030,0046758C,?,?,00466838,000000FF,0044C803,?,?,00000034,00000038,00000000,?,?), ref: 00453AF3
Part of subcall function 00453AC0: SetLastError.KERNEL32(?,00000000,00000000,FFFFFFFF,?,?), ref: 00453B42

GetLastError.KERNEL32(?), ref: 0044E32A

Part of subcall function 0040125C: __EH_prolog.LIBCMT ref: 00401261
Part of subcall function 0040125C: GetLastError.KERNEL32(000004B1,00000000,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 00401284
Part of subcall function 0040125C: SysFreeString.OLEAUT32(?), ref: 004012A2
Part of subcall function 0040125C: SetLastError.KERNEL32(?,00000001,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 004012C2

GetLastError.KERNEL32(?,00000000,?,?,00000000,ALL,?), ref: 0044DE7A

Part of subcall function 00430164: SysFreeString.OLEAUT32(FFFFFFFF), ref: 00430172

Strings

uF, xrefs: 0044DDEF
PG, xrefs: 0044EFE3
uF, xrefs: 0044EB2E
puF, xrefs: 0044EFD6
TRNSPRNTCLR, xrefs: 0044E7FD
puF, xrefs: 0044F234
PG, xrefs: 0044E71E
OPT, xrefs: 0044E6F1
BUTTONS, xrefs: 0044D8F1
POS, xrefs: 0044E5DD
PG, xrefs: 0044E1C6
PG, xrefs: 0044EE0C
tuF, xrefs: 0044EC7A
PG, xrefs: 0044E29D
B, xrefs: 0044F2BA
=, xrefs: 0044F0F2
DOWN, xrefs: 0044E411
DISTXTCLR, xrefs: 0044EA17
PG, xrefs: 0044F26E
PG, xrefs: 0044DDC2
puF, xrefs: 0044EDD2
PG, xrefs: 0044EB57
(, xrefs: 0044F2D3
BUTTON, xrefs: 0044E170
PG, xrefs: 0044E82A
uF, xrefs: 0044D9B0
ALL, xrefs: 0044DC7D, 0044DCAA, 0044DCD7, 0044DDAF, 0044DDD3, 0044DEF9
PG, xrefs: 0044D9DF
PG, xrefs: 0044EA44
|uF, xrefs: 0044F277
7, xrefs: 0044EF7E
TXTCLR, xrefs: 0044E908
PG, xrefs: 0044E469
PG, xrefs: 0044D8BA
PG, xrefs: 0044E935
puF, xrefs: 0044EB25
PG, xrefs: 0044E60A

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorLast$String$lstrcpy$FreePrivateProfile$lstrcat$ByteCharMultiWide$lstrcmp$Color$H_prolog$wsprintf
String ID: ($7$=$ALL$B$BUTTON$BUTTONS$DISTXTCLR$DOWN$OPT$POS$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$TRNSPRNTCLR$TXTCLR$puF$puF$puF$puF$tuF$|uF$uF$uF$uF
API String ID: 4245581301-657513555
Opcode ID: 935de6cf8bff963ab898827838dd62b424091d54bd40b7ac9b98e3dbc651f671
Instruction ID: 661903f9b319f6eb10ea5dc2418e2b1eef7df1c1690df6cfc1c75705d3c1c067
Opcode Fuzzy Hash: 935de6cf8bff963ab898827838dd62b424091d54bd40b7ac9b98e3dbc651f671
Instruction Fuzzy Hash: 2FF282711083819FD724DF65C885BEFB7E8AF95308F00492EF58A97281EB78A509CB57

Uniqueness

Uniqueness Score: -1.00%

Function 004075CC Relevance: 95.5, APIs: 14, Strings: 40, Instructions: 963
synchronizationwindowCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E004075CC(void* __ecx) {
				void* __ebx;
				void* __esi;
				struct HWND__* _t371;
				intOrPtr _t375;
				long _t377;
				void* _t380;
				struct HWND__* _t384;
				intOrPtr _t386;
				long _t393;
				long _t408;
				long _t411;
				long _t416;
				long _t420;
				void* _t423;
				long _t428;
				void* _t430;
				long _t431;
				long _t435;
				signed char _t439;
				long _t441;
				long _t446;
				long _t451;
				long _t454;
				long _t462;
				long _t470;
				long _t473;
				long _t477;
				long _t482;
				long _t485;
				long _t489;
				void* _t490;
				long _t492;
				long _t493;
				long _t494;
				long _t495;
				long _t502;
				long _t506;
				long _t509;
				void* _t523;
				long _t528;
				long _t532;
				long _t536;
				void* _t537;
				void* _t558;
				void* _t560;
				long _t561;
				void* _t562;
				long _t571;
				struct HWND__* _t577;
				long _t579;
				intOrPtr _t580;
				long _t592;
				long _t595;
				long _t600;
				struct HWND__* _t606;
				void* _t616;
				signed int _t618;
				intOrPtr _t633;
				long _t639;
				intOrPtr _t642;
				intOrPtr _t653;
				intOrPtr _t664;
				void* _t681;
				intOrPtr _t690;
				intOrPtr _t696;
				intOrPtr _t713;
				intOrPtr _t717;
				intOrPtr _t741;
				long _t762;
				long _t765;
				long _t766;
				long _t767;
				char* _t768;
				long _t769;
				struct _SHELLEXECUTEINFOW _t770;
				void* _t771;
				long _t772;
				void* _t774;
				long _t775;
				void* _t777;
				void* _t779;
				void* _t780;
				void* _t784;

				L0043B644(0x45f99f, _t777);
				_t780 = _t779 - 0xf18;
				_t371 =  *0x47e1c8; // 0x0
				_t774 = __ecx;
				 *((intOrPtr*)(_t777 - 0x18)) = 0;
				if(_t371 != 0) {
					 *((intOrPtr*)(_t777 - 0x18)) = GetDlgItem(_t371, 0x40b);
					 *0x47e1cc = GetDlgItem( *0x47e1c8, 0x12d);
				}
				_push(0);
				_push(_t777 - 0x2a);
				 *0x47e1d0 = 0;
				 *((intOrPtr*)(_t777 - 0xb0)) = 0x4675d8;
				 *((intOrPtr*)(_t777 - 0x90)) = 0x4675d0;
				L0040B243(_t777 - 0xb0);
				_t789 =  *((intOrPtr*)(_t774 + 0x101));
				 *(_t777 - 4) = 0;
				if( *((intOrPtr*)(_t774 + 0x101)) == 0) {
					 *(_t777 - 0x14) = 0;
					 *(_t777 - 0x1c) = E0040A374(_t774);
					_t375 =  *((intOrPtr*)(_t774 + 0xc8));
					 *((intOrPtr*)(_t774 + 0x16c)) = 0;
					_t633 =  *((intOrPtr*)( *((intOrPtr*)(_t375 + 0xc))));
					 *((intOrPtr*)(_t777 - 0x20)) = _t633;
					__eflags = _t633 -  *((intOrPtr*)(_t375 + 0xc));
					if(_t633 ==  *((intOrPtr*)(_t375 + 0xc))) {
						L113:
						_t775 =  *0x47e1d0 & 0x000000ff;
						L114:
						 *(_t777 - 4) =  *(_t777 - 4) | 0xffffffff;
						E004061C1(_t777 - 0xb0);
						_t377 = _t775;
						L115:
						 *[fs:0x0] =  *((intOrPtr*)(_t777 - 0xc));
						return _t377;
					} else {
						goto L31;
					}
					do {
						L31:
						 *((intOrPtr*)(_t774 + 0x16c)) =  *((intOrPtr*)(_t774 + 0x16c)) + 1;
						__eflags =  *(_t633 + 0x10);
						if( *(_t633 + 0x10) == 0) {
							goto L112;
						}
						_push(0x67a);
						_push(0);
						_push(0);
						_push( *(_t777 - 0x14));
						 *(_t774 + 0x102) =  *((intOrPtr*)(_t633 + 0x11));
						_push( *((intOrPtr*)(_t777 - 0x18)));
						L0040727F(_t774);
						_t762 =  *0x47e1cc; // 0x0
						__eflags = _t762;
						if(_t762 == 0) {
							_t762 = GetDlgItem( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t774 + 0xc8)))) + 0xc))(), 0x12d);
						}
						_t384 = GetDlgItem( *0x47e1c8, 0x3eb);
						__eflags = _t384;
						if(_t384 == 0) {
							_t384 = GetDlgItem( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t774 + 0xc8)))) + 0xc))(), 0x3ec);
						}
						__eflags =  *(_t777 - 0x1c);
						if(__eflags != 0) {
							_t384 =  *(_t777 - 0x1c);
							_t762 = _t384;
						}
						_push(0x47e1d0);
						_push( *0x47e1d4);
						_push(_t384);
						_push(_t762);
						E0041E31C(_t777 - 0x724, __eflags);
						__eflags =  *(_t777 - 0x1c);
						 *(_t777 - 4) = 0xa;
						if( *(_t777 - 0x1c) != 0) {
							 *(_t777 - 0x33c) =  *(_t777 - 0x1c);
						}
						_t386 =  *((intOrPtr*)(_t777 - 0x20));
						_t639 =  *(_t386 + 0x1c);
						__eflags = _t639;
						if(_t639 == 0) {
							_t639 = 0x4675e4;
						}
						_push(_t386 + 0x3c);
						_push(0);
						_push(_t639);
						L0041E85C(_t777 - 0x724); // executed
						__eflags =  *(_t777 - 0x318);
						if( *(_t777 - 0x318) == 0) {
							L55:
							_push( *((intOrPtr*)( *((intOrPtr*)(_t777 - 0x20)) + 0xc)));
							E00408C37(_t774); // executed
							__eflags =  *(_t777 - 0x1c);
							if( *(_t777 - 0x1c) == 0) {
								L57:
								__eflags =  *(_t777 - 0x337);
								if( *(_t777 - 0x337) == 0) {
									L62:
									 *((char*)(_t774 + 0xcd)) = 1;
									_t642 =  *0x47e1d4; // 0x2380b70
									_t393 =  *(E004083DD(_t642, _t777 - 0x2f4) + 8);
									 *(_t777 - 4) = 0x12;
									__eflags = _t393;
									if(_t393 == 0) {
										_t393 = 0x467570;
									}
									__eflags = _t393;
									 *((intOrPtr*)(_t777 - 0x22c)) = 0x4675d8;
									 *((intOrPtr*)(_t777 - 0x20c)) = 0x4675d0;
									if(_t393 == 0) {
										_t393 = 0x47e150;
									}
									_push(0);
									_push(_t777 - 0xd);
									_push(_t393);
									L0040B34B(_t777 - 0x22c);
									_push( *(_t777 - 0x14));
									 *(_t777 - 4) = 0x13;
									_push(_t777 - 0x22c);
									_push(_t777 - 0x724);
									_push(_t777 - 0x164); // executed
									E00409090(_t774); // executed
									 *(_t777 - 4) = 0x16;
									E004061C1(_t777 - 0x22c);
									 *(_t777 - 4) = 0x15;
									L0040125C(_t777 - 0x2f4);
									 *((char*)(_t774 + 0xcd)) = 0;
									__eflags =  *0x47e1d0; // 0x0
									if(__eflags != 0) {
										L144:
										 *(_t777 - 4) = 0xa;
										E004061C1(_t777 - 0x164);
										 *(_t777 - 4) = 0;
										E0041E775(_t777 - 0x724, __eflags);
										L145:
										 *(_t777 - 4) =  *(_t777 - 4) | 0xffffffff;
										E004061C1(_t777 - 0xb0);
										_t377 = 9;
										goto L115;
									} else {
										__eflags =  *(_t777 - 0x158);
										if( *(_t777 - 0x158) == 0) {
											_push(0x67f);
											_push(0);
											_push(0);
											_push( *(_t777 - 0x14));
											_push( *((intOrPtr*)(_t777 - 0x18)));
											L0040727F(_t774);
											_push(_t777 - 0x27c);
											_t408 =  *(E0040A924( *((intOrPtr*)(_t777 - 0x20)) + 0x14, __eflags) + 8);
											 *(_t777 - 4) = 0x20;
											__eflags = _t408;
											_t765 = 0x4675e4;
											if(__eflags != 0) {
												_t765 = _t408;
											}
											_t653 =  *0x47e1d4; // 0x2380b70
											_push(0x677);
											_push(_t777 - 0x1b4);
											_t411 =  *(E00403E82(_t653, __eflags) + 8);
											 *(_t777 - 4) = 0x21;
											__eflags = _t411;
											if(_t411 == 0) {
												_t411 = 0x467570;
											}
											L0040AF38(_t777 - 0xb0, _t411, _t765);
											 *(_t777 - 4) = 0x20;
											L0040125C(_t777 - 0x1b4);
											 *(_t777 - 4) = 0x15;
											E004061C1(_t777 - 0x27c);
											_t416 =  *(_t777 - 0xa8);
											__eflags = _t416;
											if(_t416 == 0) {
												_t416 = 0x4675e4;
											}
											_push(0);
											_push(0x30);
											_push(_t416);
											E004084D4(_t774);
											goto L144;
										}
										_push(0x67a);
										_push(0);
										_push(0);
										_push( *(_t777 - 0x14));
										_push( *((intOrPtr*)(_t777 - 0x18)));
										L0040727F(_t774);
										_t420 =  *( *((intOrPtr*)(_t777 - 0x20)) + 0x1c);
										__eflags = _t420;
										if(_t420 == 0) {
											_t420 = 0x4675e4;
										}
										__eflags = _t420;
										 *((intOrPtr*)(_t777 - 0x18c)) = 0x4675d8;
										 *((intOrPtr*)(_t777 - 0x16c)) = 0x4675d0;
										if(_t420 == 0) {
											_t420 = 0x47e150;
										}
										_push(0);
										_push(_t777 - 0x29);
										_push(_t420);
										L0040B34B(_t777 - 0x18c);
										_push(_t777 - 0x100);
										 *(_t777 - 4) = 0x17;
										_t423 = E0040A924(_t777 - 0x18c, __eflags);
										 *(_t777 - 4) = 0x18;
										E004066ED(_t774 + 0xd0, _t423);
										 *(_t777 - 4) = 0x17;
										E004061C1(_t777 - 0x100);
										_push(0);
										_push(_t777 - 0x35);
										 *((intOrPtr*)(_t777 - 0x60)) = 0x4675d8;
										 *((intOrPtr*)(_t777 - 0x40)) = 0x4675d0;
										L0040B243(_t777 - 0x60);
										_t428 =  *(_t774 + 0xd8);
										 *(_t777 - 4) = 0x19;
										__eflags = _t428;
										 *(_t777 - 0x28) = 0x4675e4;
										if(__eflags != 0) {
											 *(_t777 - 0x28) = _t428;
										}
										_t664 =  *0x47e1d4; // 0x2380b70
										_push(0x675);
										_push(_t777 - 0x27c); // executed
										_t430 = E00403E82(_t664, __eflags); // executed
										_t431 =  *(_t430 + 8);
										 *(_t777 - 4) = 0x1a;
										__eflags = _t431;
										if(_t431 == 0) {
											_t431 = 0x467570;
										}
										_t233 = _t777 - 0x28; // 0x4675e4
										L0040AF38(_t777 - 0x60, _t431,  *_t233);
										_t780 = _t780 + 0xc;
										 *(_t777 - 4) = 0x19;
										L0040125C(_t777 - 0x27c);
										_t435 =  *(_t777 - 0x58);
										__eflags = _t435;
										if(_t435 == 0) {
											_t435 = 0x4675e4;
										}
										E004085B5(_t774, _t774, _t435); // executed
										_push(_t777 - 0x164);
										_push(_t777 - 0x724); // executed
										_t439 = E00408647(_t774, __eflags); // executed
										asm("sbb al, al");
										_t441 =  ~_t439 + 1;
										__eflags = _t441;
										 *0x47e1d0 = _t441;
										if(_t441 != 0) {
											L127:
											_push(9);
											goto L128;
										} else {
											__eflags =  *(_t777 - 0x336);
											if( *(_t777 - 0x336) == 0) {
												__eflags =  *(_t777 - 0x320) & 0x00000018;
												if(__eflags != 0) {
													L124:
													_t446 = E0040A3D5(_t774, __eflags);
													__eflags = _t446;
													if(_t446 == 0) {
														L126:
														_push(7);
														L128:
														_pop(_t775);
														 *(_t777 - 4) = 0x17;
														E004061C1(_t777 - 0x60);
														 *(_t777 - 4) = 0x15;
														E004061C1(_t777 - 0x18c);
														 *(_t777 - 4) = 0xa;
														E004061C1(_t777 - 0x164);
														L129:
														 *(_t777 - 4) = 0;
														E0041E775(_t777 - 0x724, __eflags);
														goto L114;
													}
													L125:
													L0042FE59();
													goto L126;
												}
												L89:
												_push(0);
												_push(_t777 - 0x36);
												_push(0x47e150);
												 *((intOrPtr*)(_t777 - 0x254)) = 0x4675d8;
												 *((intOrPtr*)(_t777 - 0x234)) = 0x4675d0;
												L0040B34B(_t777 - 0x254);
												 *(_t777 - 4) = 0x1b;
												_t451 =  *( *((intOrPtr*)(_t777 - 0x20)) + 0x1c);
												__eflags = _t451;
												if(_t451 == 0) {
													_t451 = 0x4675e4;
												}
												_push(_t777 - 0x254);
												_push(1);
												_push(_t451);
												L0041E85C(_t777 - 0x724); // executed
												 *(_t777 - 4) = 0x19;
												E004061C1(_t777 - 0x254);
												_t454 = L0041F29B(_t777 - 0x724);
												__eflags = _t454;
												if(_t454 == 0) {
													L107:
													_push(0x679);
													_push(0);
													_push(0);
													_push( *(_t777 - 0x14));
													_push( *((intOrPtr*)(_t777 - 0x18)));
													L0040727F(_t774);
													goto L108;
												} else {
													__eflags =  *0x47df40; // 0x0
													if(__eflags != 0) {
														L94:
														_push(1);
														_push(_t777 - 0x22);
														_push("C:\\CodeBases\\isdev\\src\\Runtime\\Shared\\Setup\\IsPreReqDlg.cpp");
														E0040A5F5(_t777 - 0x88);
														_t462 = L"The prerequisite appears to have failed...";
														 *(_t777 - 4) = 0x1c;
														 *((intOrPtr*)(_t777 - 0xd8)) = 0x4675d8;
														__eflags = _t462;
														 *((intOrPtr*)(_t777 - 0xb8)) = 0x4675d0;
														if(_t462 == 0) {
															_t462 = 0x47e150;
														}
														_push(0);
														_push(_t777 - 0x21);
														_push(_t462);
														L0040B34B(_t777 - 0xd8);
														 *(_t777 - 4) = 0x1d;
														L0045D600(_t777 - 0xd8, _t777 - 0x88, 0x2a3);
														 *(_t777 - 4) = 0x1c;
														E004061C1(_t777 - 0xd8);
														 *(_t777 - 4) = 0x19;
														E004061C1(_t777 - 0x88);
														L97:
														__eflags =  *((intOrPtr*)(_t777 - 0x31c)) - 1;
														if( *((intOrPtr*)(_t777 - 0x31c)) != 1) {
															__eflags =  *((intOrPtr*)(_t777 - 0x31c)) - 2;
															if( *((intOrPtr*)(_t777 - 0x31c)) == 2) {
																_push(0x67f);
																_push(0);
																_push(0);
																_push( *(_t777 - 0x14));
																_push( *((intOrPtr*)(_t777 - 0x18)));
																L0040727F(_t774);
																_t470 =  *(_t774 + 0xd8);
																_t766 = 0x4675e4;
																__eflags = _t470;
																if(__eflags != 0) {
																	_t766 = _t470;
																}
																_t690 =  *0x47e1d4; // 0x2380b70
																_push(0x683);
																_push(_t777 - 0x1b4);
																_t473 =  *(E00403E82(_t690, __eflags) + 8);
																 *(_t777 - 4) = 0x1f;
																__eflags = _t473;
																if(_t473 == 0) {
																	_t473 = 0x467570;
																}
																L0040AF38(_t777 - 0x60, _t473, _t766);
																 *(_t777 - 4) = 0x19;
																L0040125C(_t777 - 0x1b4);
																_t477 =  *(_t777 - 0x58);
																__eflags = _t477;
																if(_t477 == 0) {
																	_t477 = 0x4675e4;
																}
																_push(0);
																_push(0x10);
																_push(_t477);
																E004084D4(_t774);
																 *(_t777 - 4) = 0x17;
																E004061C1(_t777 - 0x60);
																 *(_t777 - 4) = 0x15;
																E004061C1(_t777 - 0x18c);
																goto L144;
															}
															goto L107;
														}
														_push(0x67f);
														_push(0);
														_push(0);
														_push( *(_t777 - 0x14));
														_push( *((intOrPtr*)(_t777 - 0x18)));
														L0040727F(_t774);
														_t482 =  *(_t774 + 0xd8);
														_t767 = 0x4675e4;
														__eflags = _t482;
														if(__eflags != 0) {
															_t767 = _t482;
														}
														_t696 =  *0x47e1d4; // 0x2380b70
														_push(0x678);
														_push(_t777 - 0x1b4);
														_t485 =  *(E00403E82(_t696, __eflags) + 8);
														 *(_t777 - 4) = 0x1e;
														__eflags = _t485;
														if(_t485 == 0) {
															_t485 = 0x467570;
														}
														L0040AF38(_t777 - 0x60, _t485, _t767);
														_t780 = _t780 + 0xc;
														 *(_t777 - 4) = 0x19;
														L0040125C(_t777 - 0x1b4);
														_t489 =  *(_t777 - 0x58);
														__eflags = _t489;
														if(_t489 == 0) {
															_t489 = 0x4675e4;
														}
														_push(6);
														_push(0x24);
														_push(_t489);
														_t490 = E004084D4(_t774);
														__eflags = _t490 - 7;
														if(_t490 == 7) {
															goto L127;
														} else {
															L108:
															 *(_t777 - 4) = 0x17;
															E004061C1(_t777 - 0x60);
															 *(_t777 - 4) = 0x15;
															E004061C1(_t777 - 0x18c);
															__eflags =  *(_t774 + 0x102);
															if( *(_t774 + 0x102) == 0) {
																_t292 = _t777 - 0x14;
																 *_t292 =  *(_t777 - 0x14) + 1;
																__eflags =  *_t292;
															}
															 *(_t777 - 4) = 0xa;
															_t681 = _t777 - 0x164;
															goto L111;
														}
													}
													__eflags =  *0x47e988; // 0x0
													if(__eflags == 0) {
														goto L97;
													}
													goto L94;
												}
											}
											_t492 =  *(_t777 - 0x320) - 1;
											__eflags = _t492;
											if(_t492 == 0) {
												goto L126;
											}
											_t493 = _t492 - 1;
											__eflags = _t493;
											if(__eflags == 0) {
												goto L124;
											}
											_t494 = _t493 - 6;
											__eflags = _t494;
											if(__eflags == 0) {
												goto L124;
											}
											_t495 = _t494 - 8;
											__eflags = _t495;
											if(_t495 == 0) {
												goto L125;
											}
											__eflags = _t495 == 0x10;
											if(_t495 == 0x10) {
												__eflags =  *0x47e1d1; // 0x0
												if(__eflags == 0) {
													 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t774 + 0xc8)))) + 0x50))(1);
												} else {
													SendMessageW(E0040A374(_t774), 0x111, 6, 0);
												}
											}
											goto L89;
										}
									}
								}
								_t502 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t774 + 0xc8)))) + 0x4c))();
								__eflags = _t502;
								if(_t502 != 0) {
									goto L62;
								}
								_push(0);
								_push(_t777 - 0x23);
								 *((intOrPtr*)(_t777 - 0x1dc)) = 0x46757c;
								 *((intOrPtr*)(_t777 - 0x1bc)) = 0x467574;
								L00401C68(_t777 - 0x1dc);
								_t184 = _t777 - 0x1dc; // 0x46757c
								 *(_t777 - 4) = 0xf;
								_t506 = L004073E8(_t774);
								__eflags = _t506 - 4;
								if(_t506 == 4) {
									__eflags =  *0x47df40; // 0x0
									if(__eflags != 0) {
										L118:
										_push(1);
										_push(_t777 - 0x21);
										_push("C:\\CodeBases\\isdev\\src\\Runtime\\Shared\\Setup\\IsPreReqDlg.cpp");
										E0040A5F5(_t777 - 0x88);
										_t509 = L"MSI or .NET rebooting before prerequsite";
										 *(_t777 - 4) = 0x10;
										 *((intOrPtr*)(_t777 - 0xd8)) = 0x4675d8;
										__eflags = _t509;
										 *((intOrPtr*)(_t777 - 0xb8)) = 0x4675d0;
										if(_t509 == 0) {
											_t509 = 0x47e150;
										}
										_push(0);
										_push(_t777 - 0x22);
										_push(_t509);
										L0040B34B(_t777 - 0xd8);
										 *(_t777 - 4) = 0x11;
										L0045D600(_t777 - 0xd8, _t777 - 0x88, 0x256);
										 *(_t777 - 4) = 0x10;
										E004061C1(_t777 - 0xd8);
										 *(_t777 - 4) = 0xf;
										E004061C1(_t777 - 0x88);
										L121:
										_push( *((intOrPtr*)( *((intOrPtr*)(_t777 - 0x20)) + 0xc)) - 1);
										E00408C37(_t774);
										_t775 = 7;
										L123:
										_t322 = _t777 - 0x1dc; // 0x46757c
										 *(_t777 - 4) = 0xa;
										L0040125C(_t322);
										goto L129;
									}
									__eflags =  *0x47e988; // 0x0
									if(__eflags == 0) {
										goto L121;
									}
									goto L118;
								}
								__eflags = _t506;
								if(_t506 != 0) {
									_t775 = _t506;
									goto L123;
								}
								_t186 = _t777 - 0x1dc; // 0x46757c
								 *(_t777 - 4) = 0xa;
								L0040125C(_t186);
								goto L62;
							}
							__eflags =  *(_t774 + 0x110);
							if( *(_t774 + 0x110) != 0) {
								goto L62;
							}
							goto L57;
						} else {
							_t713 =  *0x47e1d4; // 0x2380b70
							__eflags =  *(_t713 + 1);
							if( *(_t713 + 1) != 0) {
								goto L55;
							}
							__eflags =  *(_t713 + 2);
							if( *(_t713 + 2) != 0) {
								goto L55;
							}
							__eflags =  *(_t774 + 0x102);
							if(__eflags != 0) {
								goto L55;
							}
							_push(0x685);
							_push(_t777 - 0x2cc);
							_t523 = E00403E82(_t713, __eflags);
							 *(_t777 - 4) = 0xb;
							_push(_t777 - 0x204);
							L0040B0D5(_t523);
							 *(_t777 - 4) = 0xd;
							L0040125C(_t777 - 0x2cc);
							_t717 =  *0x47e1d4; // 0x2380b70
							L00403659(_t717, _t777 - 0x13c);
							_t528 =  *(_t777 - 0x134);
							 *(_t777 - 4) = 0xe;
							__eflags = _t528;
							 *(_t777 - 0x34) = 0x467570;
							if(__eflags != 0) {
								 *(_t777 - 0x34) = _t528;
							}
							_push(_t777 - 0x2a4);
							_t532 =  *(E0040A924( *((intOrPtr*)(_t777 - 0x20)) + 0x14, __eflags) + 8);
							 *(_t777 - 0x30) = 0x4675e4;
							__eflags = _t532;
							if(_t532 != 0) {
								 *(_t777 - 0x30) = _t532;
							}
							E004061C1(_t777 - 0x2a4);
							_t158 = _t777 - 0x34; // 0x467570
							L0040AF4B(_t158, 2);
							_t536 =  *(_t777 - 0x1fc);
							__eflags = _t536;
							if(_t536 == 0) {
								_t536 = 0x4675e4;
							}
							_push(6);
							_push(0x24);
							_push(_t536);
							_t537 = E004084D4(_t774);
							__eflags = _t537 - 7;
							if(_t537 != 7) {
								 *(_t777 - 4) = 0xd;
								L0040125C(_t777 - 0x13c);
								 *(_t777 - 4) = 0xa;
								E004061C1(_t777 - 0x204);
								goto L55;
							} else {
								 *(_t777 - 0x14) =  *(_t777 - 0x14) + 1;
								_push(0x682);
								_push(0);
								_push(0);
								_push( *(_t777 - 0x14));
								_push( *((intOrPtr*)(_t777 - 0x18)));
								L0040727F(_t774);
								 *(_t777 - 4) = 0xd;
								L0040125C(_t777 - 0x13c);
								 *(_t777 - 4) = 0xa;
								_t681 = _t777 - 0x204;
								L111:
								E004061C1(_t681);
								 *(_t777 - 4) = 0;
								E0041E775(_t777 - 0x724, __eflags);
								goto L112;
							}
						}
						L112:
						L0040BC7F(_t777 - 0x20);
						_t633 =  *((intOrPtr*)(_t777 - 0x20));
						_t380 =  *((intOrPtr*)(_t774 + 0xc8)) + 8;
						__eflags = _t633 -  *((intOrPtr*)(_t380 + 4));
					} while (_t633 !=  *((intOrPtr*)(_t380 + 4)));
					goto L113;
				}
				E00408C37(_t774);
				GetModuleFileNameW(0, _t777 - 0xf24, 0x400);
				 *((intOrPtr*)(_t777 - 0x60)) = 0x46757c;
				 *((intOrPtr*)(_t777 - 0x40)) = 0x467574;
				L00401C68(_t777 - 0x60);
				_t15 = _t777 - 0x60; // 0x46757c
				 *(_t777 - 4) = 1;
				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t774 + 0xc8)))) + 0x44))(_t15, _t777 - 0x23, 0, 0xffffffff);
				_push(_t774 + 0x104);
				_push(L" /runprerequisites\"");
				_push(_t777 - 0x13c);
				_t558 = E0040CAC4();
				_t768 = "\"";
				 *(_t777 - 4) = 2;
				_push(_t768);
				_push(_t558);
				_push(_t777 - 0x88);
				_t560 = E0040CB5F(_t789);
				_t784 = _t780 + 0x18;
				_t561 =  *(_t560 + 8);
				 *(_t777 - 4) = 3;
				 *(_t777 - 0x1c) = 0x4675e4;
				if(_t561 != 0) {
					 *(_t777 - 0x1c) = _t561;
				}
				_t26 = _t777 - 0x1c; // 0x4675e4
				_t562 = L0043BA1F( *_t26);
				_t28 = _t777 - 0x1c; // 0x4675e4
				L00405885(_t777 - 0x5c,  *_t28, _t562);
				 *(_t777 - 4) = 2;
				E004061C1(_t777 - 0x88);
				 *(_t777 - 4) = 1;
				E004061C1(_t777 - 0x13c);
				 *((char*)(_t777 - 0xd)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t774 + 0xc8)))) + 0x48))(_t777 - 0x88) + 0xc)) != 0;
				L0040125C(_t777 - 0x88);
				_t792 =  *((intOrPtr*)(_t777 - 0xd));
				if( *((intOrPtr*)(_t777 - 0xd)) != 0) {
					_push( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t774 + 0xc8)))) + 0x48))(_t777 - 0xd8));
					_push(L" /debuglog\"");
					_push(_t777 - 0x13c);
					 *(_t777 - 4) = 4;
					_t616 = E00406005();
					_push(_t768);
					_push(_t616);
					 *(_t777 - 4) = 5;
					_push(_t777 - 0x88);
					_t618 = L00405EDE(_t792);
					_t784 = _t784 + 0x18;
					 *(_t777 - 4) = 6;
					asm("sbb ecx, ecx");
					L004057F3(_t777 - 0x5c,  ~_t618 & _t618 + 0x00000004, 0,  *0x467594);
					 *(_t777 - 4) = 5;
					L0040125C(_t777 - 0x88);
					 *(_t777 - 4) = 4;
					L0040125C(_t777 - 0x13c);
					 *(_t777 - 4) = 1;
					L0040125C(_t777 - 0xd8);
				}
				_t769 =  *(_t777 - 0x58);
				if(_t769 == 0) {
					_t769 = 0x467570;
				}
				_push(1);
				_push(_t777 - 0xd);
				_push("C:\\CodeBases\\isdev\\src\\Runtime\\Shared\\Setup\\IsPreReqDlg.cpp");
				_t571 =  *(E0040A5F5(_t777 - 0x88) + 8);
				 *(_t777 - 4) = 7;
				if(_t571 == 0) {
					_t571 = 0x4675e4;
				}
				 *(_t777 - 0x34) = _t571;
				_push(_t769);
				_push(L"Prerequisites need elevation; launching elevated with arguments: %s");
				_push(_t777 - 0x34);
				 *(_t777 - 0x30) = 0x1e3;
				E0040840D(0);
				 *(_t777 - 4) = 1;
				E004061C1(_t777 - 0x88);
				_t770 = 0x3c;
				E0043C5B0(_t777 - 0x114, 0, _t770);
				_t577 =  *0x47e1c8; // 0x0
				 *(_t777 - 0x10c) = _t577;
				 *((intOrPtr*)(_t777 - 0x104)) = _t777 - 0xf24;
				_t579 =  *(_t777 - 0x58);
				 *(_t777 - 0x114) = _t770;
				 *((intOrPtr*)(_t777 - 0x110)) = 0x800440;
				 *(_t777 - 0x108) = L"runas";
				 *(_t777 - 0x100) = 0x467570;
				if(_t579 != 0) {
					 *(_t777 - 0x100) = _t579;
				}
				_t580 =  *0x47e1d4; // 0x2380b70
				if( *((intOrPtr*)(_t580 + 1)) != 0 ||  *((intOrPtr*)(_t580 + 2)) != 0) {
					__eflags = 0;
				} else {
					_push(1);
					_pop(0);
				}
				asm("sbb eax, eax");
				 *((intOrPtr*)(_t777 - 0xf8)) = 5;
				if(ShellExecuteExW(_t777 - 0x114) == 0) {
					_t771 = 0;
					__eflags =  *( *((intOrPtr*)(_t774 + 0xc8)) + 0x14);
					if(__eflags <= 0) {
						L23:
						_push(_t777 - 0x13c);
						_t592 =  *(E0040A924( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t774 + 0xc8)) + 0xc)))) + 0x14, __eflags) + 8);
						 *(_t777 - 4) = 8;
						__eflags = _t592;
						_t772 = 0x4675e4;
						if(__eflags != 0) {
							_t772 = _t592;
						}
						_t741 =  *0x47e1d4; // 0x2380b70
						_push(0x683);
						_push(_t777 - 0x88);
						_t595 =  *(E00403E82(_t741, __eflags) + 8);
						 *(_t777 - 4) = 9;
						__eflags = _t595;
						if(_t595 == 0) {
							_t595 = 0x467570;
						}
						L0040AF38(_t777 - 0xb0, _t595, _t772);
						 *(_t777 - 4) = 8;
						L0040125C(_t777 - 0x88);
						 *(_t777 - 4) = 1;
						E004061C1(_t777 - 0x13c);
						_t600 =  *(_t777 - 0xa8);
						__eflags = _t600;
						if(_t600 == 0) {
							_t600 = 0x4675e4;
						}
						_push(0);
						_push(0x10);
						_push(_t600);
						E004084D4(_t774);
						 *(_t777 - 4) = 0;
						L0040125C(_t777 - 0x60);
						goto L145;
					} else {
						goto L22;
					}
					do {
						L22:
						_push(0x67f);
						_push(0);
						_push(0);
						_push(_t771);
						_push( *((intOrPtr*)(_t777 - 0x18)));
						L0040727F(_t774);
						_t771 = _t771 + 1;
						__eflags = _t771 -  *( *((intOrPtr*)(_t774 + 0xc8)) + 0x14);
					} while (__eflags < 0);
					goto L23;
				} else {
					WaitForInputIdle( *(_t777 - 0xdc), 0x2710);
					_t606 =  *0x47e1c8; // 0x0
					if(_t606 != 0) {
						ShowWindow(_t606, 0);
					}
					WaitForSingleObject( *(_t777 - 0xdc), 0xffffffff);
					GetExitCodeProcess( *(_t777 - 0xdc), _t777 - 0x28);
					CloseHandle( *(_t777 - 0xdc));
					_t775 =  *(_t777 - 0x28);
					 *(_t777 - 4) = 0;
					L0040125C(_t777 - 0x60);
					goto L114;
				}
			}

0x004075d1
0x004075d6
0x004075dc
0x004075ee
0x004075f0
0x004075f3
0x00407602
0x0040760d
0x0040760d
0x00407615
0x00407616
0x0040761d
0x00407623
0x0040762d
0x00407637
0x0040763c
0x00407642
0x00407645
0x004079ed
0x004079f5
0x004079f8
0x004079fe
0x00407a07
0x00407a09
0x00407a0c
0x00407a0f
0x00408120
0x00408120
0x00408127
0x00408127
0x00408131
0x00408136
0x00408138
0x0040813e
0x00408146
0x00000000
0x00000000
0x00000000
0x00407a15
0x00407a15
0x00407a15
0x00407a1b
0x00407a1e
0x00000000
0x00000000
0x00407a27
0x00407a2c
0x00407a2d
0x00407a2e
0x00407a33
0x00407a39
0x00407a3c
0x00407a41
0x00407a47
0x00407a49
0x00407a62
0x00407a62
0x00407a6f
0x00407a75
0x00407a77
0x00407a8a
0x00407a8a
0x00407a90
0x00407a93
0x00407a95
0x00407a98
0x00407a98
0x00407a9a
0x00407aa5
0x00407aab
0x00407aac
0x00407aad
0x00407ab2
0x00407ab5
0x00407ab9
0x00407abe
0x00407abe
0x00407ac4
0x00407acc
0x00407acf
0x00407ad1
0x00407ad3
0x00407ad3
0x00407ad8
0x00407ad9
0x00407ada
0x00407ae1
0x00407ae6
0x00407aec
0x00407c1e
0x00407c23
0x00407c26
0x00407c2b
0x00407c2e
0x00407c38
0x00407c38
0x00407c3e
0x00407ca5
0x00407cab
0x00407cb2
0x00407cbe
0x00407cc1
0x00407cc5
0x00407cc7
0x00407cc9
0x00407cc9
0x00407cd3
0x00407cd5
0x00407cdf
0x00407ce5
0x00407ce7
0x00407ce7
0x00407cef
0x00407cf0
0x00407cf1
0x00407cf8
0x00407cfd
0x00407d08
0x00407d0c
0x00407d13
0x00407d1a
0x00407d1b
0x00407d26
0x00407d2a
0x00407d35
0x00407d39
0x00407d3e
0x00407d44
0x00407d4a
0x004083a9
0x004083af
0x004083b3
0x004083be
0x004083c1
0x004083c6
0x004083c6
0x004083d0
0x004083d7
0x00000000
0x00407d50
0x00407d50
0x00407d56
0x00408301
0x00408306
0x00408307
0x0040830a
0x0040830d
0x00408310
0x0040831b
0x00408327
0x0040832a
0x0040832e
0x00408330
0x00408335
0x00408337
0x00408337
0x00408339
0x00408345
0x0040834a
0x00408350
0x00408353
0x00408357
0x00408359
0x0040835b
0x0040835b
0x00408369
0x00408377
0x0040837b
0x00408386
0x0040838a
0x0040838f
0x00408395
0x00408397
0x00408399
0x00408399
0x0040839e
0x0040839f
0x004083a1
0x004083a4
0x00000000
0x004083a4
0x00407d5c
0x00407d61
0x00407d62
0x00407d65
0x00407d68
0x00407d6b
0x00407d73
0x00407d76
0x00407d78
0x00407d7a
0x00407d7a
0x00407d7f
0x00407d81
0x00407d8b
0x00407d91
0x00407d93
0x00407d93
0x00407d9b
0x00407d9c
0x00407d9d
0x00407da4
0x00407db5
0x00407db6
0x00407dba
0x00407dc6
0x00407dca
0x00407dd5
0x00407dd9
0x00407de1
0x00407de2
0x00407de6
0x00407ded
0x00407df0
0x00407df5
0x00407dfb
0x00407dff
0x00407e01
0x00407e08
0x00407e0a
0x00407e0a
0x00407e0d
0x00407e19
0x00407e1e
0x00407e1f
0x00407e24
0x00407e27
0x00407e2b
0x00407e2d
0x00407e2f
0x00407e2f
0x00407e34
0x00407e3c
0x00407e41
0x00407e4a
0x00407e4e
0x00407e53
0x00407e56
0x00407e58
0x00407e5a
0x00407e5a
0x00407e62
0x00407e6f
0x00407e76
0x00407e77
0x00407e7e
0x00407e80
0x00407e80
0x00407e82
0x00407e87
0x00408221
0x00408221
0x00000000
0x00407e8d
0x00407e8d
0x00407e93
0x00407eef
0x00407ef6
0x0040820d
0x0040820f
0x00408214
0x00408216
0x0040821d
0x0040821d
0x00408223
0x00408223
0x00408227
0x0040822b
0x00408236
0x0040823a
0x00408245
0x00408249
0x0040824e
0x00408254
0x00408257
0x00000000
0x00408257
0x00408218
0x00408218
0x00000000
0x00408218
0x00407efc
0x00407eff
0x00407f00
0x00407f01
0x00407f0c
0x00407f16
0x00407f1c
0x00407f24
0x00407f28
0x00407f2b
0x00407f2d
0x00407f2f
0x00407f2f
0x00407f3a
0x00407f3b
0x00407f3d
0x00407f44
0x00407f4f
0x00407f53
0x00407f5e
0x00407f63
0x00407f65
0x004080aa
0x004080aa
0x004080af
0x004080b0
0x004080b3
0x004080b6
0x004080b9
0x00000000
0x00407f6b
0x00407f6b
0x00407f71
0x00407f7f
0x00407f82
0x00407f84
0x00407f85
0x00407f90
0x00407f95
0x00407f9a
0x00407fa0
0x00407faa
0x00407fac
0x00407fb2
0x00407fb4
0x00407fb4
0x00407fbc
0x00407fbd
0x00407fbe
0x00407fc5
0x00407fdd
0x00407fe1
0x00407fec
0x00407ff0
0x00407ffb
0x00407fff
0x00408004
0x00408004
0x0040800b
0x0040809d
0x004080a4
0x00408261
0x00408266
0x00408267
0x0040826a
0x0040826d
0x00408270
0x00408275
0x0040827b
0x00408280
0x00408282
0x00408284
0x00408284
0x00408286
0x00408292
0x00408297
0x0040829d
0x004082a0
0x004082a4
0x004082a6
0x004082a8
0x004082a8
0x004082b3
0x004082c1
0x004082c5
0x004082ca
0x004082cd
0x004082cf
0x004082d1
0x004082d1
0x004082d6
0x004082d7
0x004082d9
0x004082dc
0x004082e4
0x004082e8
0x004082f3
0x004082f7
0x00000000
0x004082f7
0x00000000
0x004080a4
0x00408011
0x00408016
0x00408017
0x0040801a
0x0040801d
0x00408020
0x00408025
0x0040802b
0x00408030
0x00408032
0x00408034
0x00408034
0x00408036
0x00408042
0x00408047
0x0040804d
0x00408050
0x00408054
0x00408056
0x00408058
0x00408058
0x00408063
0x00408068
0x00408071
0x00408075
0x0040807a
0x0040807d
0x0040807f
0x00408081
0x00408081
0x00408086
0x00408088
0x0040808a
0x0040808d
0x00408092
0x00408095
0x00000000
0x0040809b
0x004080be
0x004080c1
0x004080c5
0x004080d0
0x004080d4
0x004080d9
0x004080df
0x004080e1
0x004080e1
0x004080e1
0x004080e1
0x004080e4
0x004080e8
0x00000000
0x004080e8
0x00408095
0x00407f73
0x00407f79
0x00000000
0x00000000
0x00000000
0x00407f79
0x00407f65
0x00407e9b
0x00407e9b
0x00407e9c
0x00000000
0x00000000
0x00407ea2
0x00407ea2
0x00407ea3
0x00000000
0x00000000
0x00407ea9
0x00407ea9
0x00407eac
0x00000000
0x00000000
0x00407eb2
0x00407eb2
0x00407eb5
0x00000000
0x00000000
0x00407ebb
0x00407ebe
0x00407ec0
0x00407ec6
0x00407eea
0x00407ec8
0x00407ed8
0x00407ed8
0x00407ec6
0x00000000
0x00407ebe
0x00407e87
0x00407d4a
0x00407c48
0x00407c4b
0x00407c4d
0x00000000
0x00000000
0x00407c52
0x00407c53
0x00407c5a
0x00407c64
0x00407c6e
0x00407c73
0x00407c7c
0x00407c80
0x00407c85
0x00407c88
0x00408149
0x0040814f
0x0040815d
0x00408160
0x00408162
0x00408163
0x0040816e
0x00408173
0x00408178
0x0040817e
0x00408188
0x0040818a
0x00408194
0x00408196
0x00408196
0x0040819e
0x0040819f
0x004081a0
0x004081a7
0x004081bf
0x004081c3
0x004081ce
0x004081d2
0x004081dd
0x004081e1
0x004081e6
0x004081ef
0x004081f0
0x004081f7
0x004081fc
0x004081fc
0x00408202
0x00408206
0x00000000
0x00408206
0x00408151
0x00408157
0x00000000
0x00000000
0x00000000
0x00408157
0x00407c8e
0x00407c90
0x004081fa
0x00000000
0x004081fa
0x00407c96
0x00407c9c
0x00407ca0
0x00000000
0x00407ca0
0x00407c30
0x00407c36
0x00000000
0x00000000
0x00000000
0x00407af2
0x00407af2
0x00407af8
0x00407afb
0x00000000
0x00000000
0x00407b01
0x00407b04
0x00000000
0x00000000
0x00407b0a
0x00407b10
0x00000000
0x00000000
0x00407b1c
0x00407b21
0x00407b22
0x00407b2d
0x00407b31
0x00407b34
0x00407b3f
0x00407b43
0x00407b48
0x00407b55
0x00407b5a
0x00407b60
0x00407b64
0x00407b66
0x00407b6d
0x00407b6f
0x00407b6f
0x00407b78
0x00407b84
0x00407b87
0x00407b8a
0x00407b8c
0x00407b8e
0x00407b8e
0x00407b97
0x00407b9c
0x00407ba8
0x00407bad
0x00407bb3
0x00407bb5
0x00407bb7
0x00407bb7
0x00407bb9
0x00407bbb
0x00407bbd
0x00407bc0
0x00407bc5
0x00407bc8
0x00407c06
0x00407c0a
0x00407c15
0x00407c19
0x00000000
0x00407bca
0x00407bcd
0x00407bd0
0x00407bd5
0x00407bd6
0x00407bd7
0x00407bd8
0x00407bdd
0x00407be8
0x00407bec
0x00407bf1
0x00407bf5
0x004080ee
0x004080ee
0x004080f9
0x004080fc
0x00000000
0x004080fc
0x00407bc8
0x00408101
0x00408104
0x0040810f
0x00408112
0x00408118
0x00408118
0x00000000
0x00407a15
0x0040764f
0x00407661
0x0040766f
0x00407676
0x0040767d
0x00407688
0x0040768c
0x00407692
0x0040769b
0x004076a2
0x004076a7
0x004076a8
0x004076ad
0x004076b2
0x004076b6
0x004076b7
0x004076be
0x004076bf
0x004076c4
0x004076c7
0x004076ca
0x004076d0
0x004076d7
0x004076d9
0x004076d9
0x004076dc
0x004076df
0x004076e9
0x004076ec
0x004076f7
0x004076fb
0x00407706
0x0040770a
0x0040772a
0x0040772e
0x00407733
0x00407736
0x0040774e
0x00407755
0x0040775a
0x0040775b
0x0040775f
0x00407764
0x00407765
0x0040776c
0x00407770
0x00407771
0x00407776
0x00407784
0x0040778a
0x00407793
0x0040779e
0x004077a2
0x004077ad
0x004077b1
0x004077bc
0x004077c0
0x004077c0
0x004077c5
0x004077ca
0x004077cc
0x004077cc
0x004077d4
0x004077d6
0x004077d7
0x004077e7
0x004077ea
0x004077f0
0x004077f2
0x004077f2
0x004077f7
0x004077fa
0x004077fe
0x00407803
0x00407804
0x0040780b
0x00407819
0x0040781d
0x0040782a
0x0040782e
0x00407833
0x0040783b
0x00407847
0x0040784d
0x00407852
0x00407858
0x00407862
0x0040786c
0x00407876
0x00407878
0x00407878
0x0040787e
0x00407886
0x00407892
0x0040788d
0x0040788d
0x0040788f
0x0040788f
0x00407896
0x0040789b
0x004078b0
0x00407917
0x00407919
0x0040791c
0x0040793c
0x0040794b
0x00407959
0x0040795c
0x00407960
0x00407962
0x00407967
0x00407969
0x00407969
0x0040796b
0x00407977
0x0040797c
0x00407982
0x00407985
0x00407989
0x0040798b
0x0040798d
0x0040798d
0x0040799b
0x004079a9
0x004079ad
0x004079b8
0x004079bc
0x004079c1
0x004079c7
0x004079c9
0x004079cb
0x004079cb
0x004079d0
0x004079d1
0x004079d3
0x004079d6
0x004079de
0x004079e1
0x00000000
0x00000000
0x00000000
0x00000000
0x0040791e
0x0040791e
0x0040791e
0x00407923
0x00407924
0x00407925
0x00407926
0x0040792b
0x00407936
0x00407937
0x00407937
0x00000000
0x004078b2
0x004078bd
0x004078c3
0x004078ca
0x004078ce
0x004078ce
0x004078dc
0x004078ec
0x004078f8
0x004078fe
0x00407904
0x00407907
0x00000000
0x00407907

APIs

__EH_prolog.LIBCMT ref: 004075D1
GetDlgItem.USER32 ref: 004075FB
ShellExecuteExW.SHELL32(?), ref: 004078A8
WaitForInputIdle.USER32 ref: 004078BD
ShowWindow.USER32(00000000,00000000,?,?,?,?,00000001,?,?,?,?,?,EXECUTEMODE=None,00000000), ref: 004078CE
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,00000001,?,?,?,?,?,EXECUTEMODE=None,00000000), ref: 004078DC
GetExitCodeProcess.KERNEL32 ref: 004078EC
CloseHandle.KERNEL32(?,?,?,?,?,00000001,?,?,?,?,?,EXECUTEMODE=None,00000000), ref: 004078F8

Part of subcall function 0040727F: __EH_prolog.LIBCMT ref: 00407284
Part of subcall function 0040727F: IsWindow.USER32(?), ref: 004072A1
Part of subcall function 0040727F: SendMessageW.USER32(?,00001074,?,?), ref: 00407341
Part of subcall function 0040727F: SendMessageW.USER32(?,0000101E,00000000,000000FE), ref: 00407350

GetDlgItem.USER32 ref: 00407A5C
GetDlgItem.USER32 ref: 00407A6F
SendMessageW.USER32(00000000,00000111,00000006,00000000), ref: 00407ED8
GetDlgItem.USER32 ref: 00407A8A

Part of subcall function 004061C1: __EH_prolog.LIBCMT ref: 004061C6
Part of subcall function 004061C1: GetLastError.KERNEL32(000004B1,00000000,?,0040C82E,004675D8,?,00000000,?,00000000,004675D0,?,004675D8), ref: 004061E9
Part of subcall function 004061C1: SysFreeString.OLEAUT32(?), ref: 00406207
Part of subcall function 004061C1: SetLastError.KERNEL32(?,00000001,?,0040C82E,004675D8,?,00000000,?,00000000,004675D0,?,004675D8), ref: 00406227

Part of subcall function 00408C37: __EH_prolog.LIBCMT ref: 00408C3C
Part of subcall function 00408C37: RegOpenKeyExW.KERNELBASE(80000001,Software\Microsoft\Windows\CurrentVersion,00000000,000F003F,?,004675E4,?,00000000), ref: 00408C6E
Part of subcall function 00408C37: lstrlenW.KERNEL32(004675E4,?,00000001,?,?,00000000), ref: 00408D20
Part of subcall function 00408C37: RegSetValueExW.KERNELBASE(?,puF,00000000,00000001,004675E4,?,?,00000000), ref: 00408D37

GetDlgItem.USER32 ref: 0040760B

Part of subcall function 0040125C: __EH_prolog.LIBCMT ref: 00401261
Part of subcall function 0040125C: GetLastError.KERNEL32(000004B1,00000000,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 00401284
Part of subcall function 0040125C: SysFreeString.OLEAUT32(?), ref: 004012A2
Part of subcall function 0040125C: SetLastError.KERNEL32(?,00000001,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 004012C2

GetModuleFileNameW.KERNEL32(00000000,?,00000400,000000FF,?,00000000,?,EXECUTEMODE=None,00000000), ref: 00407661

Strings

puF, xrefs: 0040798D
/runprerequisites", xrefs: 004076A2
C:\CodeBases\isdev\src\Runtime\Shared\Setup\IsPreReqDlg.cpp, xrefs: 004077D7, 00407F85, 00408163
uF, xrefs: 0040827B
uF, xrefs: 00407AC7
uF, xrefs: 004077F2
tuF, xrefs: 00407C64
uF, xrefs: 00407F2F
puF, xrefs: 004082A8
puF, xrefs: 004077CC
PG, xrefs: 00407FB4
puF, xrefs: 0040786C
PG, xrefs: 00407CE7
puF, xrefs: 00408058
|uF, xrefs: 00407688, 0040768B
tuF, xrefs: 00407676
PG, xrefs: 00407D93
puF, xrefs: 00407B9C, 00407BA1
uF, xrefs: 00407E34
uF, xrefs: 00407E5A
The prerequisite appears to have failed..., xrefs: 00407F95, 00407FBE
uF, xrefs: 00407962
puF, xrefs: 00407E2F
puF, xrefs: 00407CC9
uF, xrefs: 00408399
uF, xrefs: 0040802B
Prerequisites need elevation; launching elevated with arguments: %s, xrefs: 004077FE
/debuglog", xrefs: 00407755
EXECUTEMODE=None, xrefs: 004075E4
uF, xrefs: 004082D1
, xrefs: 00408377
uF, xrefs: 00407D7A
uF, xrefs: 00408330
PG, xrefs: 00408196
puF, xrefs: 0040835B
|uF, xrefs: 00407C73, 00407C7B
uF, xrefs: 00408081
uF, xrefs: 004076DC
uF, xrefs: 004079CB
MSI or .NET rebooting before prerequsite, xrefs: 00408173, 004081A0

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: H_prologItem$ErrorLast$MessageSend$FreeStringWaitWindow$CloseCodeExecuteExitFileHandleIdleInputModuleNameObjectOpenProcessShellShowSingleValuelstrlen
String ID: $ /debuglog"$ /runprerequisites"$C:\CodeBases\isdev\src\Runtime\Shared\Setup\IsPreReqDlg.cpp$EXECUTEMODE=None$MSI or .NET rebooting before prerequsite$Prerequisites need elevation; launching elevated with arguments: %s$PG$PG$PG$PG$The prerequisite appears to have failed...$puF$puF$puF$puF$puF$puF$puF$puF$puF$tuF$tuF$|uF$|uF$uF$uF$uF$uF$uF$uF$uF$uF$uF$uF$uF$uF$uF$uF$uF
API String ID: 1538828012-2020028704
Opcode ID: ba5c8c83e7e1e1230b638d2574eb7890a44b6e97fe975e50a44b51af6befe8f4
Instruction ID: 67e77e118bde4d2e09e79c5e62debdc46d1c16b63d8159fe2c132a148043cb59
Opcode Fuzzy Hash: ba5c8c83e7e1e1230b638d2574eb7890a44b6e97fe975e50a44b51af6befe8f4
Instruction Fuzzy Hash: 89828570904248AEDF10DBA5CD85BDEB7B4AB15308F1080FEE549B72D2DB785E48CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 0044C900 Relevance: 90.3, APIs: 32, Strings: 19, Instructions: 1017
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 71%

			E0044C900(intOrPtr __ecx) {
				void* __ebp;
				int _t448;
				CHAR* _t450;
				void* _t455;
				void* _t456;
				int _t460;
				void* _t468;
				void* _t469;
				signed int _t472;
				int _t474;
				int _t486;
				int _t498;
				CHAR* _t512;
				intOrPtr _t523;
				intOrPtr _t599;
				void* _t602;
				signed int _t603;
				intOrPtr _t604;
				intOrPtr* _t609;
				intOrPtr _t626;
				intOrPtr* _t636;
				intOrPtr* _t655;
				void* _t668;
				int _t682;
				intOrPtr _t703;
				intOrPtr _t713;
				intOrPtr _t770;
				signed int _t792;
				void* _t821;
				signed int _t825;
				void* _t826;
				signed int _t852;
				void* _t853;
				signed int _t864;
				void* _t865;
				signed int _t869;
				void* _t870;
				intOrPtr _t902;
				intOrPtr _t910;
				intOrPtr _t916;
				void* _t935;
				intOrPtr _t936;
				void* _t954;
				void** _t958;
				void* _t963;
				void* _t965;
				intOrPtr _t970;
				signed int _t977;
				intOrPtr _t978;
				signed int _t987;
				intOrPtr _t990;
				intOrPtr _t992;
				void* _t993;
				void* _t994;
				void* _t995;
				void* _t996;
				void* _t997;
				void* _t998;
				intOrPtr _t999;
				intOrPtr _t1000;
				intOrPtr _t1001;
				intOrPtr _t1002;
				void* _t1003;
				void* _t1004;
				void* _t1005;
				void* _t1007;
				void* _t1008;
				void* _t1010;

				_push(0xffffffff);
				_push(E0046616D);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t992;
				_t993 = _t992 - 0x704;
				_t970 = __ecx;
				 *((char*)(_t993 + 0x94)) = 0;
				 *((char*)(_t993 + 0x32c)) = 0;
				memset(_t993 + 0x95, 0, 0x18 << 2);
				_t994 = _t993 + 0xc;
				asm("stosw");
				asm("stosb");
				 *((char*)(_t994 + 0x124)) = 0;
				memset(_t994 + 0x32d, 0, 0xf9 << 2);
				_t995 = _t994 + 0xc;
				asm("stosw");
				asm("stosb");
				 *((char*)(_t995 + 0x228)) = 0;
				memset(_t995 + 0x125, 0, 0x40 << 2);
				_t996 = _t995 + 0xc;
				asm("stosw");
				asm("stosb");
				memset(_t996 + 0x229, 0, 0x40 << 2);
				_t997 = _t996 + 0xc;
				asm("stosw");
				 *((intOrPtr*)(_t997 + 0x4c)) = _t970;
				asm("stosb");
				_t990 = L0043BC14(0x74);
				_t998 = _t997 + 4;
				 *((intOrPtr*)(_t998 + 0x50)) = _t990;
				 *(_t998 + 0x71c) = 0;
				if(_t990 == 0) {
					_t990 = 0;
					__eflags = 0;
				} else {
					L004517F0(_t990 + 4, _t998 + 0x4f, 1);
					_t19 = _t990 + 0x2c; // 0x2c
					 *(_t998 + 0x724) = 1;
					L004517F0(_t19, _t998 + 0x13, 1);
				}
				 *(_t998 + 0x724) = 0xffffffff;
				lstrcpyA(_t998 + 0x94, "BUTTONSUP");
				_t682 =  *(_t998 + 0x724);
				 *((intOrPtr*)(_t998 + 0x1c)) = 0x4675d8;
				 *((intOrPtr*)(_t998 + 0x3c)) = 0x4675d0;
				_t448 = _t682;
				if(_t682 == 0) {
					_t448 = 0x47e150;
				}
				_push(0);
				_push(_t998 + 0x13);
				_push(_t448);
				L0040B34B(_t998 + 0x28);
				 *(_t998 + 0x71c) = 2;
				_t450 = L00453100(_t998 + 0x1c);
				_t971 = _t970 + 8;
				GetPrivateProfileStringA(_t450, _t998 + 0xa0, 0x47e154, _t998 + 0x128, 0x104, L00452F40(_t970 + 8)); // executed
				 *(_t998 + 0x71c) = 0xffffffff;
				E004061C1(_t998 + 0x1c);
				_t455 = L00451850(_t998 + 0x28, _t998 + 0x128, _t998 + 0x13, 1);
				 *(_t998 + 0x71c) = 3;
				if(_t455 == 0) {
					_t456 = 0;
					__eflags = 0;
				} else {
					_t456 = _t455 + 4;
				}
				_t703 =  *0x467594; // 0xffffffff
				_t38 = _t990 + 8; // 0x8
				E004024B9(_t38, _t456, 0, _t703);
				 *(_t998 + 0x71c) = 0xffffffff;
				L0040125C(_t998 + 0x1c);
				lstrcpyA(_t998 + 0x94, "BUTTONSDOWN");
				 *((intOrPtr*)(_t998 + 0x1c)) = 0x4675d8;
				 *((intOrPtr*)(_t998 + 0x3c)) = 0x4675d0;
				_t460 = _t682;
				if(_t682 == 0) {
					_t460 = 0x47e150;
				}
				_push(0);
				_push(_t998 + 0x13);
				_push(_t460);
				L0040B34B(_t998 + 0x28);
				 *(_t998 + 0x71c) = 4;
				 *(_t998 + 0x14) = L00453100(_t998 + 0x1c);
				GetPrivateProfileStringA( *(_t998 + 0x14), _t998 + 0xa0, 0x47e154, _t998 + 0x22c, 0x104, L00452F40(_t971)); // executed
				 *(_t998 + 0x71c) = 0xffffffff;
				E004061C1(_t998 + 0x1c);
				_t468 = L00451850(_t998 + 0x28, _t998 + 0x22c, _t998 + 0x13, 1);
				 *(_t998 + 0x71c) = 5;
				if(_t468 == 0) {
					_t469 = 0;
					__eflags = 0;
				} else {
					_t469 = _t468 + 4;
				}
				_t713 =  *0x467594; // 0xffffffff
				_t58 = _t990 + 0x30; // 0x30
				E004024B9(_t58, _t469, 0, _t713);
				 *(_t998 + 0x71c) = 0xffffffff;
				_t472 = L0040125C(_t998 + 0x1c) | 0xffffffff;
				 *(_t990 + 0x58) = _t472;
				 *(_t990 + 0x54) = _t472;
				lstrcpyA(_t998 + 0x94, "BUTTONSOPT");
				_t1016 = _t682;
				 *((intOrPtr*)(_t998 + 0x1c)) = 0x4675d8;
				 *((intOrPtr*)(_t998 + 0x3c)) = 0x4675d0;
				_t474 = _t682;
				if(_t682 == 0) {
					_t474 = 0x47e150;
				}
				_push(0);
				_push(_t998 + 0x13);
				_push(_t474);
				L0040B34B(_t998 + 0x28);
				 *(_t998 + 0x71c) = 6;
				 *(_t998 + 0x14) = L00453100(_t998 + 0x1c);
				GetPrivateProfileStringA( *(_t998 + 0x14), _t998 + 0xa0, 0x47e154, _t998 + 0x330, 0x3e8, L00452F40(_t971)); // executed
				 *(_t998 + 0x71c) = 0xffffffff;
				E004061C1(_t998 + 0x1c);
				_push(_t998 + 0x68);
				_t999 = _t998 - 0x28;
				 *(_t999 + 0x94) = 2;
				 *((intOrPtr*)(_t999 + 0x40)) = _t999;
				L004472C0(_t999, _t998 + 0x330, _t998 + 0x13, 1);
				L0044F9D0(_t1016);
				 *((intOrPtr*)(_t990 + 0x68)) =  *((intOrPtr*)(_t999 + 0x68));
				lstrcpyA(_t999 + 0x94, "BUTTONSTRNSPRNTCLR");
				_t1017 = _t682;
				 *((intOrPtr*)(_t999 + 0x1c)) = 0x4675d8;
				 *((intOrPtr*)(_t999 + 0x3c)) = 0x4675d0;
				_t486 = _t682;
				if(_t682 == 0) {
					_t486 = 0x47e150;
				}
				_push(0);
				_push(_t999 + 0x13);
				_push(_t486);
				L0040B34B(_t999 + 0x28);
				 *(_t999 + 0x71c) = 7;
				 *(_t999 + 0x14) = L00453100(_t999 + 0x1c);
				GetPrivateProfileStringA( *(_t999 + 0x14), _t999 + 0xa0, 0x47e154, _t999 + 0x330, 0x3e8, L00452F40(_t971)); // executed
				 *(_t999 + 0x71c) = 0xffffffff;
				E004061C1(_t999 + 0x1c);
				_push(_t999 + 0x64);
				_t1000 = _t999 - 0x28;
				 *((intOrPtr*)(_t1000 + 0x90)) = 0x808080;
				 *((intOrPtr*)(_t1000 + 0x40)) = _t1000;
				L004472C0(_t1000, _t999 + 0x330, _t999 + 0x13, 1);
				L0044F620(_t990, _t1017);
				 *((intOrPtr*)(_t990 + 0x5c)) =  *((intOrPtr*)(_t1000 + 0x64));
				lstrcpyA(_t1000 + 0x94, "BUTTONSTXTCLR");
				_t1018 = _t682;
				 *((intOrPtr*)(_t1000 + 0x1c)) = 0x4675d8;
				 *((intOrPtr*)(_t1000 + 0x3c)) = 0x4675d0;
				_t498 = _t682;
				if(_t682 == 0) {
					_t498 = 0x47e150;
				}
				_push(0);
				_push(_t1000 + 0x13);
				_push(_t498);
				L0040B34B(_t1000 + 0x28);
				 *(_t1000 + 0x71c) = 8;
				 *(_t1000 + 0x14) = L00453100(_t1000 + 0x1c);
				GetPrivateProfileStringA( *(_t1000 + 0x14), _t1000 + 0xa0, 0x47e154, _t1000 + 0x330, 0x3e8, L00452F40(_t971)); // executed
				 *(_t1000 + 0x71c) = 0xffffffff;
				E004061C1(_t1000 + 0x1c);
				 *((intOrPtr*)(_t1000 + 0x60)) = GetSysColor(8);
				_push(_t1000 + 0x60);
				_t1001 = _t1000 - 0x28;
				 *((intOrPtr*)(_t1001 + 0x40)) = _t1001;
				L004472C0(_t1001, _t1001 + 0x358, _t1000 + 0x17, 1);
				L0044F620(_t990, _t1018);
				 *((intOrPtr*)(_t990 + 0x60)) =  *((intOrPtr*)(_t1001 + 0x60));
				lstrcpyA(_t1001 + 0x94, "BUTTONSDISTXTCLR");
				_t1019 = _t682;
				 *((intOrPtr*)(_t1001 + 0x1c)) = 0x4675d8;
				 *((intOrPtr*)(_t1001 + 0x3c)) = 0x4675d0;
				if(_t682 == 0) {
					_t682 = 0x47e150;
				}
				_push(0);
				_push(_t1001 + 0x13);
				_push(_t682);
				L0040B34B(_t1001 + 0x28);
				 *(_t1001 + 0x71c) = 9;
				_t512 = L00453100(_t1001 + 0x1c);
				GetPrivateProfileStringA(_t512, _t1001 + 0xa0, 0x47e154, _t1001 + 0x330, 0x3e8, L00452F40(_t971)); // executed
				 *(_t1001 + 0x71c) = 0xffffffff;
				E004061C1(_t1001 + 0x1c);
				 *((intOrPtr*)(_t1001 + 0x5c)) = GetSysColor(0x11);
				_push(_t1001 + 0x5c);
				_t1002 = _t1001 - 0x28;
				 *((intOrPtr*)(_t1002 + 0x40)) = _t1002;
				L004472C0(_t1002, _t1002 + 0x358, _t1001 + 0x17, 1);
				L0044F620(_t990, _t1019);
				 *((intOrPtr*)(_t990 + 0x64)) =  *((intOrPtr*)(_t1002 + 0x5c));
				wsprintfA(_t1002 + 0x330, "%x",  *((intOrPtr*)(_t990 + 0x68)));
				_t523 =  *0x4675f4; // 0x24
				_t1003 = _t1002 + 0xc;
				 *((intOrPtr*)(_t1003 + 0x6c)) = 0x4675f0;
				 *((intOrPtr*)(_t1003 + 0x8c)) = 0x4675e8;
				 *((intOrPtr*)(_t1003 + _t523 + 0x6c)) = GetLastError();
				 *((intOrPtr*)(_t1003 + 0x71c)) = 0xa;
				L00447B80(_t1003 + 0x74, _t1003 + 0x13);
				 *((char*)(_t1003 + 0x71c)) = 0xb;
				L00447D30(_t1003 + 0x80);
				 *((char*)(_t1003 + 0x720)) = 0xc;
				L00447D70(_t1003 + 0x90, 0);
				 *((intOrPtr*)(_t1003 + 0x50)) = _t1003 + 0x6c;
				 *((char*)(_t1003 + 0x71c)) = 0xe;
				if(_t1003 + 0x6c != 0) {
					_t869 = _t1003 + 0x124;
					if(_t869 == 0) {
						_t870 = 0;
						__eflags = 0;
					} else {
						asm("repne scasb");
						_t870 =  !(_t869 | 0xffffffff) - 1;
					}
					L00447990(_t1003 + 0x7c, _t1003 + 0x12c, _t870, _t1003 + 0x4f, 1);
				}
				_t168 =  *((intOrPtr*)(_t1003 + 0x6c)) + 4; // 0x24
				SetLastError( *(_t1003 +  *_t168 + 0x6c));
				 *((intOrPtr*)(_t1003 + 0x720)) = 0xf;
				 *(_t1003 + 0x20) = 0x4675f0;
				 *((intOrPtr*)(_t1003 + 0x40)) = 0x4675e8;
				L00447D40(_t1003 + 0x20, 0);
				 *((char*)(_t1003 + 0x24)) =  *((intOrPtr*)(_t1003 + 0x13));
				 *((char*)(_t1003 + 0x720)) = 0x10;
				E0040213C(_t1003 + 0x24, 0);
				 *((char*)(_t1003 + 0x71c)) = 0x11;
				L00447D30(_t1003 + 0x30);
				_t183 = _t1003 + 0x40; // 0x4675e8
				 *((char*)(_t1003 + 0x720)) = 0x12;
				L00447D70(_t183, 0);
				 *((intOrPtr*)(_t1003 + 0x50)) = _t1003 + 0x1c;
				 *((char*)(_t1003 + 0x71c)) = 0x14;
				if(_t1003 + 0x1c != 0) {
					_t864 = _t1003 + 0x32c;
					if(_t864 == 0) {
						_t865 = 0;
						__eflags = 0;
					} else {
						asm("repne scasb");
						_t865 =  !(_t864 | 0xffffffff) - 1;
					}
					L00447990(_t1003 + 0x2c, _t1003 + 0x334, _t865, _t1003 + 0x1a, 1);
				}
				SetLastError( *(_t1003 +  *((intOrPtr*)( *(_t1003 + 0x1c) + 4)) + 0x1c));
				_t902 =  *0x4675e0; // 0xffffffff
				asm("sbb eax, eax");
				 *((char*)(_t1003 + 0x728)) = 0x15;
				L0040BE88(_t1003 + 0x7c,  ~(_t1003 + 0x1c) & _t1003 + 0x00000020, 0, _t902);
				asm("sbb eax, eax");
				 *((char*)(_t1003 + 0x71c)) = 0xf;
				 *((intOrPtr*)( *((intOrPtr*)( *( ~(_t1003 + 0x1c) & _t1003 + 0x0000003c) + 4)) + ( ~(_t1003 + 0x1c) & _t1003 + 0x0000003c))) = GetLastError();
				asm("sbb esi, esi");
				_t977 =  ~(_t1003 + 0x1c) & _t1003 + 0x00000030;
				E0043AE17( *_t977);
				_t1004 = _t1003 + 4;
				__imp__#6( *((intOrPtr*)(_t977 + 8)));
				asm("sbb ecx, ecx");
				E0040213C( ~(_t1004 + 0x1c) & _t1004 + 0x00000020, 1);
				SetLastError( *(_t1004 +  *((intOrPtr*)( *(_t1004 + 0x1c) + 4)) + 0x1c));
				_t978 =  *((intOrPtr*)(_t1004 + 0x48));
				_push(_t1004 + 0x6c);
				_push(_t1004 + 0x58);
				L004539C0();
				_t770 =  *((intOrPtr*)(_t1004 + 0x58));
				if(_t770 !=  *((intOrPtr*)(_t978 + 0x44))) {
					 *((intOrPtr*)(_t990 + 0x6c)) =  *((intOrPtr*)(_t770 + 0x34));
				} else {
					_t958 = L0043BC14(0xc);
					_t1007 = _t1004 + 4;
					 *(_t1007 + 0x14) = _t958;
					 *((char*)(_t1007 + 0x71c)) = 0x16;
					if(_t958 == 0) {
						_t626 = 0;
						__eflags = 0;
					} else {
						_t935 = L0043BC14(0x30);
						 *_t958 = _t935;
						memset(_t935, 0, 0xc << 2);
						_t1008 = _t1007 + 0xc;
						_t963 = L0043BC14(0x48);
						 *( *((intOrPtr*)(_t1008 + 0x1c)) + 4) = _t963;
						memset(_t963, 0, 0x12 << 2);
						_t668 = L0043BC14(0x18);
						_t1010 = _t1008 + 0x18;
						if(_t668 == 0) {
							_t965 = 0;
							__eflags = 0;
						} else {
							_t965 = E0044C8D0(_t668);
						}
						_t936 =  *((intOrPtr*)(_t1010 + 0x14));
						 *(_t936 + 8) = _t965;
						memset(_t965, 0, 6 << 2);
						_t1007 = _t1010 + 0xc;
						_t626 = _t936;
					}
					 *((char*)(_t1007 + 0x720)) = 0xf;
					 *((intOrPtr*)(_t990 + 0x6c)) = _t626;
					 *((intOrPtr*)(_t1007 + 0x20)) = 0x46758c;
					 *((intOrPtr*)(_t1007 + 0x40)) = 0x467584;
					L00447D40(_t1007 + 0x20, 0);
					 *((char*)(_t1007 + 0x24)) =  *((intOrPtr*)(_t1007 + 0x1a));
					 *((char*)(_t1007 + 0x720)) = 0x17;
					E0040213C(_t1007 + 0x24, 0);
					 *((char*)(_t1007 + 0x71c)) = 0x18;
					L00447D30(_t1007 + 0x30);
					 *((char*)(_t1007 + 0x720)) = 0x19;
					L00447D70(_t1007 + 0x40, 0);
					 *((intOrPtr*)(_t1007 + 0x50)) = _t1007 + 0x1c;
					 *((char*)(_t1007 + 0x71c)) = 0x1b;
					if(_t1007 + 0x1c != 0) {
						_t852 = _t1007 + 0x124;
						_t1028 = _t852;
						if(_t852 == 0) {
							_t853 = 0;
							__eflags = 0;
						} else {
							asm("repne scasb");
							_t853 =  !(_t852 | 0xffffffff) - 1;
						}
						_push(1);
						_push(_t1007 + 0x1a);
						_push(_t853);
						_push(_t1007 + 0x12c);
						E0043018C(_t1007 + 0x2c);
					}
					SetLastError( *(_t1007 +  *((intOrPtr*)( *(_t1007 + 0x1c) + 4)) + 0x1c));
					 *((char*)(_t1007 + 0x724)) = 0x1c;
					 *(_t1007 + 0x1c) = 0;
					 *((char*)(_t1007 + 0x724)) = 0x1d;
					_t636 = L00453640();
					 *((char*)(_t1007 + 0x71c)) = 0x1c;
					L0040125C(_t1007 + 0xf8);
					_t959 =  *((intOrPtr*)( *_t636 + 0x34));
					asm("sbb eax, eax");
					 *((char*)(_t1007 + 0x71c)) = 0x1e;
					 *((intOrPtr*)( *((intOrPtr*)( *( ~(_t1007 + 0x1c) & _t1007 + 0x0000003c) + 4)) + ( ~(_t1007 + 0x1c) & _t1007 + 0x0000003c))) = GetLastError();
					asm("sbb esi, esi");
					_t987 =  ~(_t1007 + 0x1c) & _t1007 + 0x00000030;
					E0043AE17( *_t987);
					_t1004 = _t1007 + 4;
					__imp__#6( *((intOrPtr*)(_t987 + 8)), _t1007 + 0x54, L004537A0(_t1007 + 0x100, _t1007 + 0x1c), _t1007 + 0x14);
					asm("sbb ecx, ecx");
					E0040213C( ~(_t1004 + 0x1c) & _t1004 + 0x00000020, 1);
					 *((char*)(_t1004 + 0x71c)) = 0xf;
					SetLastError( *(_t1004 +  *((intOrPtr*)( *(_t1004 + 0x1c) + 4)) + 0x1c));
					_t289 = _t959 + 4; // 0x24
					_push( *_t289);
					_t290 = _t990 + 4; // 0x4
					_t292 = _t990 + 0x68; // 0x68
					_t293 = _t990 + 0x5c; // 0x5c
					E0044AB60( *((intOrPtr*)(_t990 + 0x6c)), _t1028, _t293, _t292, _t290,  *((intOrPtr*)( *((intOrPtr*)( *_t636 + 0x34)))));
					 *(_t1004 + 0x14) = 0;
					_push(_t1004 + 0x14);
					_push(L00453AC0(_t1004 + 0x100, _t1004 + 0x70));
					_push(_t1004 + 0x50);
					 *((char*)(_t1004 + 0x724)) = 0x1f;
					_t655 = L00453850();
					 *((char*)(_t1004 + 0x71c)) = 0xf;
					E004061C1(_t1004 + 0xf8);
					 *((intOrPtr*)( *_t655 + 0x34)) =  *((intOrPtr*)(_t990 + 0x6c));
					_t978 =  *((intOrPtr*)(_t1004 + 0x48));
				}
				wsprintfA(_t1004 + 0x32c, "%x",  *((intOrPtr*)(_t990 + 0x68)));
				_t1005 = _t1004 + 0xc;
				 *(_t1005 + 0x1c) = 0x4675f0;
				 *(_t1005 + 0x3c) = 0x4675e8;
				L00447D40(_t1005 + 0x1c, 0);
				 *((char*)(_t1005 + 0x71c)) = 0x20;
				L00447B80(_t1005 + 0x24, _t1005 + 0x1a);
				 *((char*)(_t1005 + 0x71c)) = 0x21;
				L00447D30(_t1005 + 0x30);
				 *((char*)(_t1005 + 0x720)) = 0x22;
				L00447D70(_t1005 + 0x40, 0);
				 *(_t1005 + 0x50) = _t1005 + 0x1c;
				 *((char*)(_t1005 + 0x71c)) = 0x24;
				if(_t1005 + 0x1c != 0) {
					_t825 = _t1005 + 0x228;
					if(_t825 == 0) {
						_t826 = 0;
						__eflags = 0;
					} else {
						asm("repne scasb");
						_t826 =  !(_t825 | 0xffffffff) - 1;
					}
					L00447990(_t1005 + 0x2c, _t1005 + 0x230, _t826, _t1005 + 0x1b, 1);
				}
				_t331 =  *(_t1005 + 0x1c) + 4; // 0x24
				SetLastError( *(_t1005 +  *_t331 + 0x1c));
				_t910 =  *0x4675e0; // 0xffffffff
				asm("sbb eax, eax");
				 *((char*)(_t1005 + 0x728)) = 0x25;
				E0040C484(_t1005 + 0x7c,  ~(_t1005 + 0x1c) & _t1005 + 0x00000020, 0, _t910);
				_t341 = _t1005 + 0x3c; // 0x4675e8
				asm("sbb eax, eax");
				 *((char*)(_t1005 + 0x71c)) = 0xf;
				 *((intOrPtr*)( *((intOrPtr*)( *( ~(_t1005 + 0x1c) & _t341) + 4)) + ( ~(_t1005 + 0x1c) & _t341))) = GetLastError();
				asm("sbb ecx, ecx");
				E00430164( ~(_t1005 + 0x1c) & _t1005 + 0x00000030);
				asm("sbb ecx, ecx");
				E0040213C( ~(_t1005 + 0x1c) & _t1005 + 0x00000020, 1);
				_t349 =  *(_t1005 + 0x1c) + 4; // 0x24
				SetLastError( *(_t1005 +  *_t349 + 0x1c));
				 *(_t1005 + 0x20) = 0x4675f0;
				 *((intOrPtr*)(_t1005 + 0x40)) = 0x4675e8;
				L00447D40(_t1005 + 0x20, 0);
				 *((char*)(_t1005 + 0x720)) = 0x26;
				L00447B80(_t1005 + 0x20, _t1005 + 0x1b);
				 *((char*)(_t1005 + 0x71c)) = 0x27;
				L00447D30(_t1005 + 0x30);
				_t362 = _t1005 + 0x40; // 0x4675e8
				 *((char*)(_t1005 + 0x720)) = 0x28;
				L00447D70(_t362, 0);
				_t792 = _t1005 + 0x1c;
				 *(_t1005 + 0x50) = _t792;
				 *((char*)(_t1005 + 0x71c)) = 0x2a;
				if(_t1005 + 0x1c != 0) {
					if(_t1005 + 0x32c == 0) {
						_t821 = 0;
						__eflags = 0;
					} else {
						asm("repne scasb");
						_t821 =  !(_t792 | 0xffffffff) - 1;
					}
					L00447990(_t1005 + 0x2c, _t1005 + 0x334, _t821, _t1005 + 0x1a, 1);
				}
				_t374 =  *(_t1005 + 0x1c) + 4; // 0x24
				SetLastError( *(_t1005 +  *_t374 + 0x1c));
				_t916 =  *0x4675e0; // 0xffffffff
				asm("sbb eax, eax");
				 *((char*)(_t1005 + 0x728)) = 0x2b;
				L0040BE88(_t1005 + 0x7c,  ~(_t1005 + 0x1c) & _t1005 + 0x00000020, 0, _t916);
				_t384 = _t1005 + 0x3c; // 0x4675e8
				asm("sbb eax, eax");
				 *((char*)(_t1005 + 0x71c)) = 0xf;
				 *((intOrPtr*)( *((intOrPtr*)( *( ~(_t1005 + 0x1c) & _t384) + 4)) + ( ~(_t1005 + 0x1c) & _t384))) = GetLastError();
				asm("sbb ecx, ecx");
				E00430164( ~(_t1005 + 0x1c) & _t1005 + 0x00000030);
				asm("sbb ecx, ecx");
				E0040213C( ~(_t1005 + 0x1c) & _t1005 + 0x00000020, 1);
				_t392 =  *(_t1005 + 0x1c) + 4; // 0x24
				SetLastError( *(_t1005 +  *_t392 + 0x1c));
				_push(_t1005 + 0x6c);
				_t954 = _t978 + 0x40;
				_push(_t1005 + 0x14);
				L004539C0();
				_t599 =  *((intOrPtr*)(_t1005 + 0x14));
				 *((intOrPtr*)(_t1005 + 0x58)) = _t599;
				if(_t599 !=  *((intOrPtr*)(_t978 + 0x44))) {
					 *((intOrPtr*)(_t990 + 0x70)) =  *((intOrPtr*)(_t599 + 0x34));
				} else {
					_t603 = L0043BC14(0xc);
					_t1005 = _t1005 + 4;
					 *(_t1005 + 0x50) = _t603;
					_t1034 = _t603;
					 *((char*)(_t1005 + 0x71c)) = 0x2c;
					if(_t603 == 0) {
						_t604 = 0;
						__eflags = 0;
					} else {
						_t604 = L0044D7F0(_t603);
					}
					 *((intOrPtr*)(_t990 + 0x70)) = _t604;
					_push(1);
					_push(_t1005 + 0x1b);
					_push(_t1005 + 0x22c);
					 *((char*)(_t1005 + 0x728)) = 0xf;
					E004300B2(_t1005 + 0x28);
					_push(_t1005 + 0x14);
					 *((char*)(_t1005 + 0x724)) = 0x2d;
					 *(_t1005 + 0x1c) = 0;
					_push(L004537A0(_t1005 + 0x100, _t1005 + 0x1c));
					_push(_t1005 + 0x54);
					 *((char*)(_t1005 + 0x724)) = 0x2e;
					_t609 = L00453640();
					 *((char*)(_t1005 + 0x71c)) = 0x2d;
					L0040125C(_t1005 + 0xf8);
					 *((char*)(_t1005 + 0x71c)) = 0xf;
					L0040125C(_t1005 + 0x1c);
					_push( *((intOrPtr*)( *((intOrPtr*)( *_t609 + 0x34)) + 4)));
					_t424 = _t990 + 0x2c; // 0x2c
					_t426 = _t990 + 0x68; // 0x68
					_t427 = _t990 + 0x5c; // 0x5c
					E0044AB60( *((intOrPtr*)(_t990 + 0x70)), _t1034, _t427, _t426, _t424,  *((intOrPtr*)( *((intOrPtr*)( *_t609 + 0x34)))));
					 *((intOrPtr*)(E00452980(_t954, _t1005 + 0x6c))) =  *((intOrPtr*)(_t990 + 0x70));
				}
				_push(_t1005 + 0x50);
				 *(_t1005 + 0x54) = 0;
				 *((intOrPtr*)(E00452690( *((intOrPtr*)(_t1005 + 0x728))))) = _t990;
				_t602 = E004061C1(_t1005 + 0x6c);
				 *[fs:0x0] =  *((intOrPtr*)(_t1005 + 0x714));
				return _t602;
			}

0x0044c900
0x0044c902
0x0044c90d
0x0044c90e
0x0044c915
0x0044c91e
0x0044c92f
0x0044c937
0x0044c93f
0x0044c93f
0x0044c941
0x0044c943
0x0044c952
0x0044c95a
0x0044c95a
0x0044c95c
0x0044c95e
0x0044c96d
0x0044c975
0x0044c975
0x0044c977
0x0044c979
0x0044c98a
0x0044c98a
0x0044c98c
0x0044c98e
0x0044c992
0x0044c998
0x0044c99a
0x0044c99d
0x0044c9a3
0x0044c9ae
0x0044c9d8
0x0044c9d8
0x0044c9b0
0x0044c9ba
0x0044c9c6
0x0044c9c9
0x0044c9d1
0x0044c9d1
0x0044c9e7
0x0044c9f2
0x0044c9f8
0x0044c9ff
0x0044ca09
0x0044ca11
0x0044ca13
0x0044ca15
0x0044ca15
0x0044ca1e
0x0044ca20
0x0044ca21
0x0044ca26
0x0044ca2f
0x0044ca3a
0x0044ca3f
0x0044ca6d
0x0044ca73
0x0044ca7e
0x0044ca96
0x0044ca9d
0x0044caa8
0x0044caaf
0x0044caaf
0x0044caaa
0x0044caaa
0x0044caaa
0x0044cab1
0x0044cabb
0x0044cabe
0x0044cac7
0x0044cad2
0x0044cae4
0x0044caec
0x0044caf4
0x0044cafc
0x0044cafe
0x0044cb00
0x0044cb00
0x0044cb09
0x0044cb0b
0x0044cb0c
0x0044cb11
0x0044cb1a
0x0044cb2c
0x0044cb55
0x0044cb5b
0x0044cb66
0x0044cb7e
0x0044cb85
0x0044cb90
0x0044cb97
0x0044cb97
0x0044cb92
0x0044cb92
0x0044cb92
0x0044cb99
0x0044cba3
0x0044cba6
0x0044cbaf
0x0044cbc6
0x0044cbcf
0x0044cbd2
0x0044cbd5
0x0044cbdb
0x0044cbdd
0x0044cbe5
0x0044cbed
0x0044cbef
0x0044cbf1
0x0044cbf1
0x0044cbfa
0x0044cbfc
0x0044cbfd
0x0044cc02
0x0044cc0b
0x0044cc1d
0x0044cc46
0x0044cc4c
0x0044cc57
0x0044cc64
0x0044cc6c
0x0044cc6f
0x0044cc7c
0x0044cc84
0x0044cc8d
0x0044cca3
0x0044cca6
0x0044ccac
0x0044ccae
0x0044ccb6
0x0044ccbe
0x0044ccc0
0x0044ccc2
0x0044ccc2
0x0044cccb
0x0044cccd
0x0044ccce
0x0044ccd3
0x0044ccdc
0x0044ccee
0x0044cd17
0x0044cd1d
0x0044cd28
0x0044cd35
0x0044cd3d
0x0044cd40
0x0044cd4d
0x0044cd55
0x0044cd5e
0x0044cd74
0x0044cd77
0x0044cd7d
0x0044cd7f
0x0044cd87
0x0044cd8f
0x0044cd91
0x0044cd93
0x0044cd93
0x0044cd9c
0x0044cd9e
0x0044cd9f
0x0044cda4
0x0044cdad
0x0044cdbf
0x0044cde8
0x0044cdee
0x0044cdf9
0x0044ce0a
0x0044ce0e
0x0044ce13
0x0044ce1f
0x0044ce27
0x0044ce30
0x0044ce46
0x0044ce49
0x0044ce4f
0x0044ce51
0x0044ce59
0x0044ce61
0x0044ce63
0x0044ce63
0x0044ce6c
0x0044ce6e
0x0044ce6f
0x0044ce74
0x0044ce7d
0x0044ce88
0x0044ceb2
0x0044ceb8
0x0044cec3
0x0044ced4
0x0044ced8
0x0044cedd
0x0044cee9
0x0044cef1
0x0044cefa
0x0044cf14
0x0044cf17
0x0044cf1d
0x0044cf22
0x0044cf25
0x0044cf2d
0x0044cf42
0x0044cf48
0x0044cf58
0x0044cf64
0x0044cf6c
0x0044cf7a
0x0044cf82
0x0044cf8b
0x0044cf93
0x0044cf9d
0x0044cf9f
0x0044cfa8
0x0044cfbd
0x0044cfbd
0x0044cfaa
0x0044cfb6
0x0044cfba
0x0044cfba
0x0044cfd3
0x0044cfd3
0x0044cfe2
0x0044cfee
0x0044cff6
0x0044d001
0x0044d009
0x0044d011
0x0044d01c
0x0044d024
0x0044d02c
0x0044d035
0x0044d03d
0x0044d044
0x0044d048
0x0044d050
0x0044d059
0x0044d061
0x0044d06b
0x0044d06d
0x0044d076
0x0044d08b
0x0044d08b
0x0044d078
0x0044d084
0x0044d088
0x0044d088
0x0044d0a1
0x0044d0a1
0x0044d0b6
0x0044d0b8
0x0044d0c4
0x0044d0d4
0x0044d0dc
0x0044d0eb
0x0044d0ed
0x0044d104
0x0044d10c
0x0044d112
0x0044d117
0x0044d11f
0x0044d123
0x0044d133
0x0044d139
0x0044d14e
0x0044d150
0x0044d15c
0x0044d160
0x0044d161
0x0044d169
0x0044d16f
0x0044d3fd
0x0044d175
0x0044d17c
0x0044d17e
0x0044d181
0x0044d187
0x0044d18f
0x0044d1ef
0x0044d1ef
0x0044d191
0x0044d198
0x0044d19f
0x0044d1a7
0x0044d1a7
0x0044d1ae
0x0044d1bb
0x0044d1c0
0x0044d1c2
0x0044d1c7
0x0044d1cc
0x0044d1d9
0x0044d1d9
0x0044d1ce
0x0044d1d5
0x0044d1d5
0x0044d1db
0x0044d1e6
0x0044d1e9
0x0044d1e9
0x0044d1eb
0x0044d1eb
0x0044d1f7
0x0044d1ff
0x0044d202
0x0044d20a
0x0044d212
0x0044d21d
0x0044d225
0x0044d22d
0x0044d236
0x0044d23e
0x0044d249
0x0044d251
0x0044d25a
0x0044d262
0x0044d26c
0x0044d26e
0x0044d275
0x0044d277
0x0044d28c
0x0044d28c
0x0044d279
0x0044d285
0x0044d289
0x0044d289
0x0044d292
0x0044d294
0x0044d29c
0x0044d29d
0x0044d2a2
0x0044d2a2
0x0044d2b7
0x0044d2ca
0x0044d2d2
0x0044d2e8
0x0044d2f0
0x0044d2fe
0x0044d306
0x0044d30b
0x0044d318
0x0044d31a
0x0044d331
0x0044d339
0x0044d33f
0x0044d344
0x0044d34c
0x0044d350
0x0044d360
0x0044d366
0x0044d36f
0x0044d383
0x0044d385
0x0044d38a
0x0044d38b
0x0044d393
0x0044d397
0x0044d39b
0x0044d3a4
0x0044d3ac
0x0044d3c6
0x0044d3c7
0x0044d3cb
0x0044d3d3
0x0044d3e1
0x0044d3e9
0x0044d3f1
0x0044d3f4
0x0044d3f4
0x0044d411
0x0044d417
0x0044d41e
0x0044d426
0x0044d430
0x0044d439
0x0044d446
0x0044d44f
0x0044d457
0x0044d462
0x0044d46a
0x0044d473
0x0044d47b
0x0044d485
0x0044d487
0x0044d490
0x0044d4a5
0x0044d4a5
0x0044d492
0x0044d49e
0x0044d4a2
0x0044d4a2
0x0044d4bb
0x0044d4bb
0x0044d4c4
0x0044d4d0
0x0044d4d2
0x0044d4de
0x0044d4ee
0x0044d4f6
0x0044d4ff
0x0044d505
0x0044d507
0x0044d522
0x0044d526
0x0044d52e
0x0044d53d
0x0044d543
0x0044d54c
0x0044d558
0x0044d560
0x0044d568
0x0044d570
0x0044d57e
0x0044d586
0x0044d58f
0x0044d597
0x0044d59e
0x0044d5a2
0x0044d5aa
0x0044d5af
0x0044d5b3
0x0044d5bb
0x0044d5c5
0x0044d5d0
0x0044d5e5
0x0044d5e5
0x0044d5d2
0x0044d5de
0x0044d5e2
0x0044d5e2
0x0044d5fb
0x0044d5fb
0x0044d604
0x0044d610
0x0044d612
0x0044d61e
0x0044d62e
0x0044d636
0x0044d63f
0x0044d645
0x0044d647
0x0044d662
0x0044d666
0x0044d66e
0x0044d67d
0x0044d683
0x0044d68c
0x0044d698
0x0044d6a2
0x0044d6a3
0x0044d6a6
0x0044d6a9
0x0044d6ae
0x0044d6b7
0x0044d6bb
0x0044d7a0
0x0044d6c1
0x0044d6c3
0x0044d6c8
0x0044d6cb
0x0044d6cf
0x0044d6d1
0x0044d6d9
0x0044d6e4
0x0044d6e4
0x0044d6db
0x0044d6dd
0x0044d6dd
0x0044d6e6
0x0044d6ed
0x0044d6f6
0x0044d6f7
0x0044d6fc
0x0044d704
0x0044d713
0x0044d71c
0x0044d723
0x0044d730
0x0044d735
0x0044d739
0x0044d741
0x0044d74f
0x0044d756
0x0044d762
0x0044d76a
0x0044d774
0x0044d775
0x0044d77d
0x0044d781
0x0044d785
0x0044d799
0x0044d799
0x0044d7ae
0x0044d7af
0x0044d7c0
0x0044d7c2
0x0044d7d1
0x0044d7df

APIs

lstrcpyA.KERNEL32(?,BUTTONSUP), ref: 0044C9F2
GetPrivateProfileStringA.KERNEL32(00000000,?,0047E154,?,00000104,00000000), ref: 0044CA6D
lstrcpyA.KERNEL32(?,BUTTONSDOWN,00000000,00000000,FFFFFFFF,?,?,00000001), ref: 0044CAE4
GetPrivateProfileStringA.KERNEL32(?,?,0047E154,?,00000104,00000000), ref: 0044CB55

Part of subcall function 004517F0: GetLastError.KERNEL32(00467570,004675F0,?,0044BF31,?,00000001), ref: 00451813
Part of subcall function 004517F0: SetLastError.KERNEL32(?), ref: 00451841

Part of subcall function 00451850: GetLastError.KERNEL32(761E9390,-00000007,00000000,?,?,?,00000000), ref: 00451890
Part of subcall function 00451850: SetLastError.KERNEL32(?,00000000,?,?,00000000), ref: 004518C6
Part of subcall function 00451850: GetLastError.KERNEL32 ref: 00451916
Part of subcall function 00451850: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00451967

lstrcpyA.KERNEL32(?,BUTTONSOPT,00000000,00000000,FFFFFFFF,?,?,00000001), ref: 0044CBD5
GetPrivateProfileStringA.KERNEL32(?,?,0047E154,?,000003E8,00000000), ref: 0044CC46
lstrcpyA.KERNEL32(?,BUTTONSTRNSPRNTCLR,?,?,00000001), ref: 0044CCA6
GetPrivateProfileStringA.KERNEL32(?,?,0047E154,?,000003E8,00000000), ref: 0044CD17

Part of subcall function 004472C0: GetLastError.KERNEL32(?,000001C4,?,00000000,?,?,00000001,?,?,?,?,?,?,?,?,ALL), ref: 00447300
Part of subcall function 004472C0: SetLastError.KERNEL32(?,00000000,?,00000000,?,?,00000001,?,?,?,?,?,?,?,?,ALL), ref: 00447336
Part of subcall function 004472C0: GetLastError.KERNEL32 ref: 0044738A
Part of subcall function 004472C0: SetLastError.KERNEL32(?,00000000), ref: 004473BD
Part of subcall function 004472C0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000000), ref: 004473E6

Part of subcall function 0044F620: GetLastError.KERNEL32 ref: 0044F71F
Part of subcall function 0044F620: SysFreeString.OLEAUT32(?), ref: 0044F740

lstrcpyA.KERNEL32(?,BUTTONSTXTCLR,?,?,00000001), ref: 0044CD77
GetPrivateProfileStringA.KERNEL32(?,?,0047E154,?,000003E8,00000000), ref: 0044CDE8
GetSysColor.USER32(00000008), ref: 0044CE00
lstrcpyA.KERNEL32(?,BUTTONSDISTXTCLR,?,?,00000001), ref: 0044CE49
GetPrivateProfileStringA.KERNEL32(00000000,?,0047E154,?,000003E8,00000000), ref: 0044CEB2
GetSysColor.USER32(00000011), ref: 0044CECA
wsprintfA.USER32 ref: 0044CF17
GetLastError.KERNEL32 ref: 0044CF3C

Part of subcall function 00447D70: SetLastError.KERNEL32(?,004675F0,0044C457,00000000,00467570,?), ref: 00447D8A

SetLastError.KERNEL32(004675F0,00000000,?), ref: 0044CFEE
SetLastError.KERNEL32(?,00000000,00000000,00000000), ref: 0044D0B6
GetLastError.KERNEL32(?,00000000,FFFFFFFF), ref: 0044D0FE
SysFreeString.OLEAUT32(?), ref: 0044D123
SetLastError.KERNEL32(?,00000001), ref: 0044D14E

Part of subcall function 0043018C: __EH_prolog.LIBCMT ref: 00430191
Part of subcall function 0043018C: GetLastError.KERNEL32(761B4C30,?,00000000,?,00430147,?,00000000,?,00000001,?,0043247E,Fonts,?,00000001,00000001,00000000), ref: 004301BA
Part of subcall function 0043018C: SetLastError.KERNEL32(00000001,00000000,?,00000000,?,00430147,?,00000000,?,00000001,?,0043247E,Fonts,?,00000001,00000001), ref: 004301ED
Part of subcall function 0043018C: MultiByteToWideChar.KERNEL32(00000000,00000000,?,0000002B,00000000,00000000,?,00000000,?,00430147,?,00000000,?,00000001,?,0043247E), ref: 0043020D
Part of subcall function 0043018C: MultiByteToWideChar.KERNEL32(00000000,00000000,?,0000002B,?,0043D41C,00000000,?,00000000,?,00430147,?,00000000,?,00000001), ref: 00430236
Part of subcall function 0043018C: SetLastError.KERNEL32(?,?,00000000,?,00430147,?,00000000,?,00000001,?,0043247E,Fonts,?,00000001,00000001,00000000), ref: 00430244

GetLastError.KERNEL32(?,00000000,?,?), ref: 0044D32B
SysFreeString.OLEAUT32(?), ref: 0044D350
wsprintfA.USER32 ref: 0044D411

Part of subcall function 00447D40: GetLastError.KERNEL32(?,?,004521BC,00000000,?,FFFFFFFF,00000001), ref: 00447D59

SetLastError.KERNEL32(004675F0,00000000,?), ref: 0044D4D0
GetLastError.KERNEL32(004675F0,00000000,FFFFFFFF), ref: 0044D518
SetLastError.KERNEL32(004675F0,00000001), ref: 0044D558
SetLastError.KERNEL32(004675F0,00000000,?,00000000), ref: 0044D610
GetLastError.KERNEL32(004675F0,00000000,FFFFFFFF), ref: 0044D658
SetLastError.KERNEL32(004675F0,00000001), ref: 0044D698

Part of subcall function 0044AB60: GetLastError.KERNEL32 ref: 0044AD2A
Part of subcall function 0044AB60: SysFreeString.OLEAUT32(?), ref: 0044AD4F
Part of subcall function 0044AB60: SetLastError.KERNEL32(?), ref: 0044AD81

Part of subcall function 00452980: GetLastError.KERNEL32 ref: 004529BC
Part of subcall function 00452980: GetLastError.KERNEL32(?,?,?,?,004675F0,00000000,00000000), ref: 00452A2C
Part of subcall function 00452980: SysFreeString.OLEAUT32(00468E68), ref: 00452A4D
Part of subcall function 00452980: SetLastError.KERNEL32(?,00000001), ref: 00452A74

SetLastError.KERNEL32(?), ref: 0044D383

Part of subcall function 0044AB60: GetLastError.KERNEL32 ref: 0044ABE7
Part of subcall function 0044AB60: SetLastError.KERNEL32(?,00000001), ref: 0044AC3A

Part of subcall function 00453AC0: GetLastError.KERNEL32(00000030,0046758C,?,?,00466838,000000FF,0044C803,?,?,00000034,00000038,00000000,?,?), ref: 00453AF3
Part of subcall function 00453AC0: SetLastError.KERNEL32(?,00000000,00000000,FFFFFFFF,?,?), ref: 00453B42

Part of subcall function 004061C1: __EH_prolog.LIBCMT ref: 004061C6
Part of subcall function 004061C1: GetLastError.KERNEL32(000004B1,00000000,?,0040C82E,004675D8,?,00000000,?,00000000,004675D0,?,004675D8), ref: 004061E9
Part of subcall function 004061C1: SysFreeString.OLEAUT32(?), ref: 00406207
Part of subcall function 004061C1: SetLastError.KERNEL32(?,00000001,?,0040C82E,004675D8,?,00000000,?,00000000,004675D0,?,004675D8), ref: 00406227

SetLastError.KERNEL32(?,00000000,00000000,00000000), ref: 0044D2B7

Part of subcall function 004537A0: GetLastError.KERNEL32(?,0046758C,?,?,00466818,000000FF,0044C716,0046758C,?,00000000,?,?), ref: 004537D3
Part of subcall function 004537A0: SetLastError.KERNEL32(?,00000000,00000000,FFFFFFFF), ref: 00453822

Part of subcall function 0040125C: __EH_prolog.LIBCMT ref: 00401261
Part of subcall function 0040125C: GetLastError.KERNEL32(000004B1,00000000,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 00401284
Part of subcall function 0040125C: SysFreeString.OLEAUT32(?), ref: 004012A2
Part of subcall function 0040125C: SetLastError.KERNEL32(?,00000001,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 004012C2

Strings

uF, xrefs: 0044D044
BUTTONSOPT, xrefs: 0044CBC9
BUTTONSTXTCLR, xrefs: 0044CD6E
PG, xrefs: 0044CD93
BUTTONSDISTXTCLR, xrefs: 0044CE40
., xrefs: 0044D739
PG, xrefs: 0044CCC2
PG, xrefs: 0044CBF1
uF, xrefs: 0044CF2D
BUTTONSDOWN, xrefs: 0044CADE
(, xrefs: 0044D5A2
BUTTONSTRNSPRNTCLR, xrefs: 0044CC9D
uF, xrefs: 0044D4FF
PG, xrefs: 0044CE63
+, xrefs: 0044D62E
PG, xrefs: 0044CB00
,, xrefs: 0044D6D1
BUTTONSUP, xrefs: 0044C9E1
PG, xrefs: 0044CA15

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorLast$String$Free$PrivateProfilelstrcpy$ByteCharMultiWide$H_prolog$Colorwsprintf
String ID: ($+$,$.$BUTTONSDISTXTCLR$BUTTONSDOWN$BUTTONSOPT$BUTTONSTRNSPRNTCLR$BUTTONSTXTCLR$BUTTONSUP$PG$PG$PG$PG$PG$PG$uF$uF$uF
API String ID: 1697702210-3296959565
Opcode ID: b309f852a6f49d70f8f0cf4da732518df62aea0dc74fa18dae942d6a71eb97c5
Instruction ID: 4299081e13fff2cd2e8472a050d3410a59bfe0aabd97e4c097a7bff9bcfb9907
Opcode Fuzzy Hash: b309f852a6f49d70f8f0cf4da732518df62aea0dc74fa18dae942d6a71eb97c5
Instruction Fuzzy Hash: C69260715083459FD724DF65C881BDBB7E4AF88304F00891EF59A97281EBB8E509CF96

Uniqueness

Uniqueness Score: -1.00%

Function 0041BADB Relevance: 77.7, APIs: 12, Strings: 32, Instructions: 653
registrywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 78%

			E0041BADB(void* __eax, int* __ebx, intOrPtr* __esi, void* __eflags) {
				intOrPtr _t283;
				long _t291;
				void* _t298;
				void* _t308;
				void* _t318;
				signed int _t320;
				intOrPtr _t323;
				intOrPtr _t330;
				signed int _t332;
				short* _t334;
				short* _t336;
				void* _t339;
				signed int _t345;
				void* _t349;
				signed int _t350;
				signed int _t352;
				signed int _t355;
				signed int _t372;
				signed int _t384;
				intOrPtr* _t385;
				intOrPtr _t392;
				void* _t397;
				void* _t398;
				long _t410;
				intOrPtr* _t414;
				char** _t415;
				long _t418;
				short* _t425;
				void* _t429;
				intOrPtr* _t431;
				char** _t432;
				int _t435;
				short* _t440;
				intOrPtr _t445;
				int* _t454;
				intOrPtr _t484;
				intOrPtr _t509;
				signed int _t554;
				short* _t559;
				intOrPtr* _t560;
				void* _t563;
				void* _t565;
				void* _t566;
				void* _t567;
				void* _t568;

				_t560 = __esi;
				_t454 = __ebx;
				 *(_t563 - 0x18) = __eax;
				_t554 = 1;
				_push(_t554);
				_push(_t563 - 0x11);
				_push("C:\\CodeBases\\isdev\\src\\Runtime\\Shared\\Setup\\SetupPrereqMgr.cpp");
				_t283 =  *((intOrPtr*)(E0040A5F5(_t563 - 0x64) + 8));
				 *(_t563 - 4) = __ebx;
				_t574 = _t283 - __ebx;
				if(_t283 == __ebx) {
					_t283 = 0x4675e4;
				}
				 *((intOrPtr*)(_t563 - 0x34)) = _t283;
				 *(_t563 - 0x30) = 0x36;
				E0040840D(_t454); // executed
				 *(_t563 - 4) =  *(_t563 - 4) | 0xffffffff;
				_t566 = _t565 + 0xc;
				E004061C1(_t563 - 0x64);
				E00403E82( *((intOrPtr*)( *_t560 + 0x2c))(_t563 - 0x114, 0x64c, _t563 - 0x34, L"Running setup prerequisites (%s)...",  *(_t563 - 0x18)), _t574); // executed
				_t291 =  *(_t563 - 0x10c);
				 *(_t563 - 4) = _t554;
				if(_t291 == _t454) {
					_t291 = 0x467570;
				}
				SendDlgItemMessageW( *0x47e1c8, 0x3eb, 0xc, _t454, _t291);
				 *((intOrPtr*)(_t563 - 0xc4)) = 0x46757c;
				 *((intOrPtr*)(_t563 - 0xa4)) = 0x467574;
				L00401C68(_t563 - 0xc4);
				 *(_t563 - 4) = 2;
				_t298 = L00403659( *((intOrPtr*)( *_t560 + 0x2c))(_t563 - 0x29, _t454), _t563 - 0x64);
				_t299 =  *(_t298 + 8);
				 *(_t563 - 4) = 3;
				if( *(_t298 + 8) == _t454) {
					_t299 = 0x467570;
				}
				_t26 = _t563 - 0xc4; // 0x46757c
				L004057E0(_t26, L"%%IS_PREREQ%%-%s", _t299);
				_t567 = _t566 + 0xc;
				 *(_t563 - 4) = 2;
				L0040125C(_t563 - 0x64);
				 *((intOrPtr*)(_t563 - 0xec)) = 0x46757c;
				 *((intOrPtr*)(_t563 - 0xcc)) = 0x467574;
				L00401C68(_t563 - 0xec);
				 *(_t563 - 4) = 4;
				_t308 = L00403659( *((intOrPtr*)( *_t560 + 0x2c))(_t563 - 0x11, _t454), _t563 - 0x64);
				_t309 =  *(_t308 + 8);
				 *(_t563 - 4) = 5;
				if( *(_t308 + 8) == _t454) {
					_t309 = 0x467570;
				}
				_t38 = _t563 - 0xec; // 0x46757c
				L004057E0(_t38, L"%%IS_PREREQF%%-%s", _t309);
				_t568 = _t567 + 0xc;
				 *(_t563 - 4) = 4;
				L0040125C(_t563 - 0x64);
				 *(_t563 - 0x10) = _t454;
				 *(_t563 - 4) = 6;
				 *(_t563 - 0x38) = _t454;
				if( *((intOrPtr*)( *_t560))() != 0) {
					L31:
					_push(_t563 - 0x12);
					_push(_t563 - 0x19);
					 *(_t563 - 0x30) = _t568 - 0x28;
					E0040C19D(_t568 - 0x28,  *((intOrPtr*)(_t563 + 0xc)), 1);
					_t318 = L0041C439(_t560); // executed
					__eflags = _t318 - _t454;
					if(_t318 == _t454) {
						L71:
						_t320 =  *((intOrPtr*)( *_t560))();
						__eflags = _t320;
						if(_t320 == 0) {
							__eflags =  *(_t563 - 0x38) - _t454;
							if( *(_t563 - 0x38) == _t454) {
								_t334 =  *(_t563 - 0xbc);
								__eflags = _t334 - _t454;
								if(_t334 == _t454) {
									_t334 = 0x467570;
								}
								RegDeleteValueW( *(_t563 - 0x10), _t334);
								_t336 =  *(_t563 - 0xe4);
								__eflags = _t336 - _t454;
								if(_t336 == _t454) {
									_t336 = 0x467570;
								}
								RegDeleteValueW( *(_t563 - 0x10), _t336);
							}
							__eflags =  *(_t563 + 0x10) - _t454;
							if( *(_t563 + 0x10) != _t454) {
								 *(_t563 + 0x10) = _t454;
								 *(_t563 - 4) = 0x16;
								_t332 = E0041C3FB(_t563 - 0x10, 0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 0xf003f);
								__eflags = _t332;
								if(_t332 == 0) {
									RegDeleteValueW( *(_t563 - 0x10), L"  ISSetupPrerequisistes");
								}
								 *(_t563 - 4) = 6;
							}
						}
						_push(1);
						_push(_t563 + 0x17);
						_push("C:\\CodeBases\\isdev\\src\\Runtime\\Shared\\Setup\\SetupPrereqMgr.cpp");
						_t323 =  *((intOrPtr*)(E0040A5F5(_t563 - 0x164) + 8));
						 *(_t563 - 4) = 0x17;
						__eflags = _t323 - _t454;
						if(_t323 == _t454) {
							_t323 = 0x4675e4;
						}
						_push( *((intOrPtr*)(_t563 - 0x28)));
						 *((intOrPtr*)(_t563 - 0x3c)) = _t323;
						 *(_t563 - 0x38) = 0xb3;
						_push(L"Prerequisites returning %d");
						_push(_t563 - 0x3c);
						E0040840D(_t454);
						 *(_t563 - 4) = 6;
						E004061C1(_t563 - 0x164);
						__eflags =  *(_t563 - 0x10) - _t454;
						if( *(_t563 - 0x10) != _t454) {
							RegCloseKey( *(_t563 - 0x10));
							 *(_t563 - 0x10) = _t454;
						}
						 *(_t563 - 4) = 2;
						L0040125C(_t563 - 0xec);
						 *(_t563 - 4) = 1;
						L0040125C(_t563 - 0xc4);
						_t275 = _t563 - 4;
						 *_t275 =  *(_t563 - 4) | 0xffffffff;
						__eflags =  *_t275;
						L0040125C(_t563 - 0x114);
						_t330 =  *((intOrPtr*)(_t563 - 0x28));
					} else {
						_t339 =  *((intOrPtr*)( *_t560))();
						__eflags = _t339 - 1;
						if(_t339 != 1) {
							L40:
							__eflags =  *((intOrPtr*)( *_t560))();
							if(__eflags != 0) {
								goto L71;
							} else {
								_push(_t560);
								E004060C1(_t563 - 0x2d4, __eflags); // executed
								 *(_t563 - 4) = 0x11;
								 *((intOrPtr*)(_t563 - 0x1d8)) =  *((intOrPtr*)(_t563 + 8));
								 *((char*)(_t563 - 0x1d4)) =  *(_t563 + 0x10);
								_t345 = E0042E349();
								__eflags = _t345 - 6;
								if(_t345 < 6) {
									L45:
									__eflags =  *((intOrPtr*)(_t563 - 0x12)) - _t454;
									 *(_t563 - 0x1d3) = _t454;
									if( *((intOrPtr*)(_t563 - 0x12)) != _t454) {
										goto L56;
									} else {
										_t345 =  *((intOrPtr*)( *_t560 + 0x28))(0x10);
										__eflags = _t345;
										if(_t345 != 0) {
											goto L56;
										} else {
											_t345 =  *((intOrPtr*)( *_t560 + 0x34))();
											__eflags = _t345;
											if(_t345 != 0) {
												__eflags =  *0x47df40 - _t454; // 0x0
												if(__eflags != 0) {
													L53:
													_push(1);
													_push(_t563 + 0xb);
													_push("C:\\CodeBases\\isdev\\src\\Runtime\\Shared\\Setup\\SetupPrereqMgr.cpp");
													E0040A5F5(_t563 - 0x90);
													_t372 = L"Showing initialization dialog for prerequisites.";
													 *(_t563 - 4) = 0x12;
													 *((intOrPtr*)(_t563 - 0x64)) = 0x4675d8;
													__eflags = _t372;
													 *((intOrPtr*)(_t563 - 0x44)) = 0x4675d0;
													if(_t372 == 0) {
														_t372 = 0x47e150;
													}
													_push(_t454);
													_push(_t563 - 0x13);
													_push(_t372);
													L0040B34B(_t563 - 0x64);
													 *(_t563 - 4) = 0x13;
													L0045D600(_t563 - 0x64, _t563 - 0x90, 0x8d);
													 *(_t563 - 4) = 0x12;
													E004061C1(_t563 - 0x64);
													 *(_t563 - 4) = 0x11;
													_t345 = E004061C1(_t563 - 0x90);
												} else {
													__eflags =  *0x47e988 - _t454; // 0x0
													if(__eflags != 0) {
														goto L53;
													}
												}
												goto L56;
											} else {
												 *(_t563 - 4) = 6;
												E00406257(_t563 - 0x2d4);
												__eflags =  *(_t563 - 0x10) - _t454;
												if( *(_t563 - 0x10) != _t454) {
													RegCloseKey( *(_t563 - 0x10));
													 *(_t563 - 0x10) = _t454;
												}
												 *(_t563 - 4) = 2;
												L0040125C(_t563 - 0xec);
												 *(_t563 - 4) = 1;
												L0040125C(_t563 - 0xc4);
												 *(_t563 - 4) =  *(_t563 - 4) | 0xffffffff;
												L0040125C(_t563 - 0x114);
												_push(2);
												goto L68;
											}
										}
									}
								} else {
									__eflags =  *((intOrPtr*)(_t563 - 0x19)) - _t454;
									if( *((intOrPtr*)(_t563 - 0x19)) == _t454) {
										goto L45;
									} else {
										_t345 = E00437791();
										__eflags = _t345;
										if(_t345 != 0) {
											goto L45;
										} else {
											 *(_t563 - 0x1d3) = 1;
											L56:
											__eflags =  *((intOrPtr*)(_t563 - 0x12)) - _t454;
											_push( *((intOrPtr*)( *((intOrPtr*)( *_t560 + 0x2c))( *((intOrPtr*)(_t563 + 0xc)), _t345 & 0xffffff00 | __eflags == 0x00000000,  *((intOrPtr*)(_t563 + 0x14))) + 0x20)));
											_t349 = E004062DD(_t563 - 0x2d4, __eflags); // executed
											_t484 = 2;
											_t350 = _t349 - _t484;
											__eflags = _t350;
											if(_t350 == 0) {
												L69:
												 *((intOrPtr*)(_t563 - 0x28)) = _t484;
												goto L70;
											} else {
												_t352 = _t350 - 5;
												__eflags = _t352;
												if(_t352 == 0) {
													__eflags =  *0x47df40 - _t454; // 0x0
													if(__eflags != 0) {
														L62:
														_push(1);
														_push(_t563 + 0xf);
														_push("C:\\CodeBases\\isdev\\src\\Runtime\\Shared\\Setup\\SetupPrereqMgr.cpp");
														E0040A5F5(_t563 - 0x90);
														_t355 = L"Prerequisites rebooting";
														 *(_t563 - 4) = 0x14;
														 *((intOrPtr*)(_t563 - 0x64)) = 0x4675d8;
														__eflags = _t355;
														 *((intOrPtr*)(_t563 - 0x44)) = 0x4675d0;
														if(_t355 == 0) {
															_t355 = 0x47e150;
														}
														_push(_t454);
														_push(_t563 + 0xb);
														_push(_t355);
														L0040B34B(_t563 - 0x64);
														 *(_t563 - 4) = 0x15;
														L0045D600(_t563 - 0x64, _t563 - 0x90, 0x96);
														 *(_t563 - 4) = 0x14;
														E004061C1(_t563 - 0x64);
														 *(_t563 - 4) = 0x11;
														E004061C1(_t563 - 0x90);
													} else {
														__eflags =  *0x47e988 - _t454; // 0x0
														if(__eflags != 0) {
															goto L62;
														}
													}
													 *(_t563 - 4) = 6;
													E00406257(_t563 - 0x2d4);
													__eflags =  *(_t563 - 0x10) - _t454;
													if( *(_t563 - 0x10) != _t454) {
														RegCloseKey( *(_t563 - 0x10));
														 *(_t563 - 0x10) = _t454;
													}
													 *(_t563 - 4) = 2;
													L0040125C(_t563 - 0xec);
													 *(_t563 - 4) = 1;
													L0040125C(_t563 - 0xc4);
													_t241 = _t563 - 4;
													 *_t241 =  *(_t563 - 4) | 0xffffffff;
													__eflags =  *_t241;
													L0040125C(_t563 - 0x114);
													_push(7);
													L68:
													_pop(_t330);
												} else {
													__eflags = _t352 == _t484;
													if(_t352 == _t484) {
														goto L69;
													} else {
													}
													L70:
													 *(_t563 - 4) = 6;
													E00406257(_t563 - 0x2d4);
													goto L71;
												}
											}
										}
									}
								}
							}
						} else {
							_t384 =  *((intOrPtr*)( *_t560 + 0x28))(0xe);
							__eflags = _t384;
							if(_t384 == 0) {
								goto L40;
							} else {
								_t385 =  *((intOrPtr*)(_t560 + 0xc));
								_t509 =  *_t385;
								__eflags = _t509 - _t385;
								 *((intOrPtr*)(_t563 + 8)) = _t509;
								while(__eflags != 0) {
									_push( *((intOrPtr*)( *_t560 + 0x2c))(_t454));
									_push(_t454);
									_push(_t454);
									E0041E31C(_t563 - 0x704, __eflags);
									_push(_t454);
									_push(_t563 + 0xf);
									_push(0x47e150);
									 *(_t563 - 4) = 0xc;
									 *((intOrPtr*)(_t563 - 0x64)) = 0x4675d8;
									 *((intOrPtr*)(_t563 - 0x44)) = 0x4675d0;
									L0040B34B(_t563 - 0x64);
									 *(_t563 - 4) = 0xd;
									_t392 =  *((intOrPtr*)( *((intOrPtr*)(_t563 + 8)) + 0x1c));
									__eflags = _t392 - _t454;
									if(_t392 == _t454) {
										_t392 = 0x4675e4;
									}
									L0041E85C(_t563 - 0x704);
									 *(_t563 - 4) = 0xc;
									E004061C1(_t563 - 0x64);
									E004060C1(_t563 - 0x2d4, __eflags);
									 *(_t563 - 4) = 0xe;
									_t397 =  *((intOrPtr*)( *_t560 + 0x1c))(_t563 - 0x164, 0xe, _t560, _t392, _t454, _t563 - 0x64);
									 *(_t563 - 4) = 0xf;
									_push(_t563 - 0x90);
									_t398 = L0040B0D5(_t397);
									_push(_t454);
									_push(_t398);
									_push(_t563 - 0x704);
									_push(_t563 - 0x13c);
									 *(_t563 - 4) = 0x10;
									E00409090(_t563 - 0x2d4);
									E004061C1(_t563 - 0x13c);
									 *(_t563 - 4) = 0xf;
									E004061C1(_t563 - 0x90);
									 *(_t563 - 4) = 0xe;
									L0040125C(_t563 - 0x164);
									 *(_t563 - 4) = 0xc;
									E00406257(_t563 - 0x2d4);
									 *(_t563 - 4) = 6;
									E0041E775(_t563 - 0x704, __eflags);
									L0040BC7F(_t563 + 8);
									__eflags =  *((intOrPtr*)(_t563 + 8)) -  *((intOrPtr*)(_t560 + 0xc));
								}
								goto L71;
							}
						}
					}
				} else {
					 *(_t563 - 0x18) = _t454;
					_t410 = RegOpenKeyExW(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion", _t454, 0xf003f, _t563 - 0x18); // executed
					if(_t410 == _t454) {
						_t46 = _t563 - 0x10; // 0x467570
						_t410 = L00409079(_t46);
						 *(_t563 - 0x10) =  *(_t563 - 0x18);
					}
					 *(_t563 - 0x38) = _t410;
					if( *((intOrPtr*)( *((intOrPtr*)(_t563 + 0xc)) + 0xc)) != _t454 || _t410 != _t454) {
						L24:
						_push(_t454);
						_push(_t563 - 0x13);
						 *((intOrPtr*)(_t563 - 0x64)) = 0x46757c;
						 *((intOrPtr*)(_t563 - 0x44)) = 0x467574;
						L00401C68(_t563 - 0x64);
						_t559 =  *(_t563 - 0xbc);
						 *(_t563 - 4) = 0xa;
						__eflags = _t559 - _t454;
						 *(_t563 - 0x30) = 0x104;
						if(_t559 == _t454) {
							_t559 = 0x467570;
						}
						_t110 = _t563 - 0x64; // 0x46757c
						_t414 = L00401813(_t110, _t563 - 0x9c, 0x105);
						 *(_t563 - 4) = 0xb;
						 *((char*)(_t414 + 4)) = 1;
						_t415 = L00401E6C(_t414,  *_t414);
						 *(_t563 - 0x20) = _t454;
						_t116 = _t563 - 0x10; // 0x467570, executed
						_t418 = RegQueryValueExW( *_t116, _t559, _t454, _t563 - 0x20,  *_t415, _t563 - 0x30); // executed
						__eflags = _t418 - _t454;
						 *((char*)(_t563 - 0x11)) = _t418 == _t454;
						 *(_t563 - 4) = 0xa;
						L00401A9C(_t563 - 0x9c);
						__eflags =  *((intOrPtr*)(_t563 - 0x11)) - _t454;
						if( *((intOrPtr*)(_t563 - 0x11)) != _t454) {
							L0041D18D(_t563 - 0x64, _t563 - 0x20, 0xa);
							 *((intOrPtr*)( *_t560 + 0x20))( *(_t563 - 0x20));
							_t425 =  *(_t563 - 0xbc);
							__eflags = _t425 - _t454;
							if(_t425 == _t454) {
								_t425 = 0x467570;
							}
							RegDeleteValueW( *(_t563 - 0x10), _t425);
						}
						 *(_t563 - 4) = 6;
						L0040125C(_t563 - 0x64);
						goto L31;
					} else {
						_push(_t454);
						_push(_t563 - 0x13);
						 *((intOrPtr*)(_t563 - 0x90)) = 0x46757c;
						 *((intOrPtr*)(_t563 - 0x70)) = 0x467574;
						L00401C68(_t563 - 0x90);
						_t429 =  *(_t563 - 0xe4);
						 *(_t563 - 4) = 7;
						 *(_t563 - 0x68) = 0x104;
						 *(_t563 - 0x18) = 0x467570;
						if(_t429 != _t454) {
							 *(_t563 - 0x18) = _t429;
						}
						_t62 = _t563 - 0x90; // 0x46757c
						_t431 = L00401813(_t62, _t563 - 0x9c, 0x105);
						 *(_t563 - 4) = 8;
						 *((char*)(_t431 + 4)) = 1;
						_t432 = L00401E6C(_t431,  *_t431);
						 *(_t563 - 0x20) = _t454;
						_t68 = _t563 - 0x18; // 0x467570
						_t435 = RegQueryValueExW( *(_t563 - 0x10),  *_t68, _t454, _t563 - 0x20,  *_t432, _t563 - 0x68); // executed
						 *(_t563 - 0x20) = _t435;
						 *(_t563 - 4) = 7;
						L00401A9C(_t563 - 0x9c);
						if( *(_t563 - 0x20) != _t454) {
							L23:
							 *(_t563 - 4) = 6;
							L0040125C(_t563 - 0x90);
							goto L24;
						} else {
							 *((intOrPtr*)( *_t560 + 0x18))(0x11, _t563 - 0x90, _t454);
							_t440 =  *(_t563 - 0xe4);
							if(_t440 == _t454) {
								_t440 = 0x467570;
							}
							RegDeleteValueW( *(_t563 - 0x10), _t440);
							if( *((intOrPtr*)( *((intOrPtr*)(_t563 + 0xc)) + 0xc)) != _t454) {
								goto L23;
							} else {
								_push(1);
								_push(_t563 + 0x13);
								_push("C:\\CodeBases\\isdev\\src\\Runtime\\Shared\\Setup\\SetupPrereqMgr.cpp");
								_t445 =  *((intOrPtr*)(E0040A5F5(_t563 - 0x13c) + 8));
								 *(_t563 - 4) = 9;
								if(_t445 == _t454) {
									_t445 = 0x4675e4;
								}
								 *((intOrPtr*)(_t563 - 0x24)) = _t445;
								_push(_t454);
								_push(L"Prerequisites returning %d");
								_push(_t563 - 0x24);
								 *(_t563 - 0x20) = 0x5a;
								E0040840D(_t454);
								 *(_t563 - 4) = 7;
								E004061C1(_t563 - 0x13c);
								 *(_t563 - 4) = 6;
								L0040125C(_t563 - 0x90);
								 *(_t563 - 4) = 4;
								L00409079(_t563 - 0x10);
								 *(_t563 - 4) = 2;
								L0040125C(_t563 - 0xec);
								 *(_t563 - 4) = 1;
								L0040125C(_t563 - 0xc4);
								 *(_t563 - 4) =  *(_t563 - 4) | 0xffffffff;
								L0040125C(_t563 - 0x114);
								_t330 = 0;
							}
						}
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t563 - 0xc));
				return _t330;
			}

0x0041badb
0x0041badb
0x0041badb
0x0041bae3
0x0041bae7
0x0041bae8
0x0041bae9
0x0041baf3
0x0041baf6
0x0041baf9
0x0041bafb
0x0041bafd
0x0041bafd
0x0041bb05
0x0041bb0b
0x0041bb18
0x0041bb1d
0x0041bb21
0x0041bb27
0x0041bb41
0x0041bb46
0x0041bb4c
0x0041bb51
0x0041bb53
0x0041bb53
0x0041bb67
0x0041bb7d
0x0041bb87
0x0041bb8d
0x0041bb9a
0x0041bba3
0x0041bba8
0x0041bbab
0x0041bbb1
0x0041bbb3
0x0041bbb3
0x0041bbb9
0x0041bbc5
0x0041bbca
0x0041bbd0
0x0041bbd4
0x0041bbe4
0x0041bbee
0x0041bbf4
0x0041bc01
0x0041bc0a
0x0041bc0f
0x0041bc12
0x0041bc18
0x0041bc1a
0x0041bc1a
0x0041bc20
0x0041bc2c
0x0041bc31
0x0041bc37
0x0041bc3b
0x0041bc40
0x0041bc47
0x0041bc4b
0x0041bc52
0x0041bedf
0x0041bee2
0x0041bee6
0x0041beec
0x0041bef4
0x0041befb
0x0041bf00
0x0041bf02
0x0041c2de
0x0041c2e2
0x0041c2e4
0x0041c2e6
0x0041c2e8
0x0041c2eb
0x0041c2ed
0x0041c2f3
0x0041c2f5
0x0041c2f7
0x0041c2f7
0x0041c306
0x0041c308
0x0041c30e
0x0041c310
0x0041c312
0x0041c312
0x0041c31b
0x0041c31b
0x0041c31d
0x0041c320
0x0041c322
0x0041c337
0x0041c33b
0x0041c340
0x0041c342
0x0041c34c
0x0041c34c
0x0041c352
0x0041c352
0x0041c320
0x0041c359
0x0041c35b
0x0041c35c
0x0041c36c
0x0041c36f
0x0041c373
0x0041c375
0x0041c377
0x0041c377
0x0041c37c
0x0041c37f
0x0041c385
0x0041c38c
0x0041c391
0x0041c392
0x0041c3a0
0x0041c3a4
0x0041c3a9
0x0041c3ac
0x0041c3b1
0x0041c3b7
0x0041c3b7
0x0041c3c0
0x0041c3c4
0x0041c3cf
0x0041c3d3
0x0041c3d8
0x0041c3d8
0x0041c3d8
0x0041c3e2
0x0041c3e7
0x0041bf08
0x0041bf0c
0x0041bf0e
0x0041bf11
0x0041c054
0x0041c05a
0x0041c05c
0x00000000
0x0041c062
0x0041c062
0x0041c069
0x0041c071
0x0041c075
0x0041c07e
0x0041c084
0x0041c089
0x0041c091
0x0041c0ad
0x0041c0ad
0x0041c0b0
0x0041c0b6
0x00000000
0x0041c0bc
0x0041c0c2
0x0041c0c5
0x0041c0c7
0x00000000
0x0041c0cd
0x0041c0d1
0x0041c0d4
0x0041c0d6
0x0041c12c
0x0041c132
0x0041c13c
0x0041c13f
0x0041c141
0x0041c142
0x0041c14d
0x0041c152
0x0041c157
0x0041c15d
0x0041c164
0x0041c166
0x0041c169
0x0041c16b
0x0041c16b
0x0041c173
0x0041c174
0x0041c175
0x0041c179
0x0041c18e
0x0041c192
0x0041c19a
0x0041c19e
0x0041c1a9
0x0041c1ad
0x0041c134
0x0041c134
0x0041c13a
0x00000000
0x00000000
0x0041c13a
0x00000000
0x0041c0d8
0x0041c0de
0x0041c0e2
0x0041c0e7
0x0041c0ea
0x0041c0ef
0x0041c0f5
0x0041c0f5
0x0041c0fe
0x0041c102
0x0041c10d
0x0041c111
0x0041c116
0x0041c120
0x0041c125
0x00000000
0x0041c125
0x0041c0d6
0x0041c0c7
0x0041c093
0x0041c093
0x0041c096
0x00000000
0x0041c098
0x0041c098
0x0041c09d
0x0041c09f
0x00000000
0x0041c0a1
0x0041c0a1
0x0041c1b2
0x0041c1b2
0x0041c1c6
0x0041c1cf
0x0041c1d6
0x0041c1d7
0x0041c1d7
0x0041c1d9
0x0041c2cc
0x0041c2cc
0x00000000
0x0041c1df
0x0041c1df
0x0041c1df
0x0041c1e2
0x0041c1f1
0x0041c1f7
0x0041c201
0x0041c204
0x0041c206
0x0041c207
0x0041c212
0x0041c217
0x0041c21c
0x0041c222
0x0041c229
0x0041c22b
0x0041c22e
0x0041c230
0x0041c230
0x0041c238
0x0041c239
0x0041c23a
0x0041c23e
0x0041c253
0x0041c257
0x0041c25f
0x0041c263
0x0041c26e
0x0041c272
0x0041c1f9
0x0041c1f9
0x0041c1ff
0x00000000
0x00000000
0x0041c1ff
0x0041c27d
0x0041c281
0x0041c286
0x0041c289
0x0041c28e
0x0041c294
0x0041c294
0x0041c29d
0x0041c2a1
0x0041c2ac
0x0041c2b0
0x0041c2b5
0x0041c2b5
0x0041c2b5
0x0041c2bf
0x0041c2c4
0x0041c2c6
0x0041c2c6
0x0041c1e4
0x0041c1e4
0x0041c1e6
0x00000000
0x00000000
0x0041c1ec
0x0041c2cf
0x0041c2d5
0x0041c2d9
0x00000000
0x0041c2d9
0x0041c1e2
0x0041c1d9
0x0041c09f
0x0041c096
0x0041c091
0x0041bf17
0x0041bf1d
0x0041bf20
0x0041bf22
0x00000000
0x0041bf28
0x0041bf28
0x0041bf2b
0x0041bf2d
0x0041bf2f
0x0041bf32
0x0041bf45
0x0041bf46
0x0041bf47
0x0041bf4e
0x0041bf56
0x0041bf57
0x0041bf58
0x0041bf60
0x0041bf64
0x0041bf6b
0x0041bf6e
0x0041bf76
0x0041bf7a
0x0041bf7d
0x0041bf7f
0x0041bf81
0x0041bf81
0x0041bf92
0x0041bf9a
0x0041bf9e
0x0041bfaa
0x0041bfbc
0x0041bfc0
0x0041bfc9
0x0041bfcd
0x0041bfd0
0x0041bfd5
0x0041bfd6
0x0041bfe3
0x0041bfea
0x0041bfeb
0x0041bfef
0x0041bffa
0x0041c005
0x0041c009
0x0041c014
0x0041c018
0x0041c023
0x0041c027
0x0041c032
0x0041c036
0x0041c03e
0x0041c046
0x0041c046
0x00000000
0x0041bf32
0x0041bf22
0x0041bf11
0x0041bc58
0x0041bc5b
0x0041bc6f
0x0041bc77
0x0041bc79
0x0041bc7c
0x0041bc84
0x0041bc84
0x0041bc8a
0x0041bc90
0x0041be1b
0x0041be1e
0x0041be1f
0x0041be23
0x0041be2a
0x0041be2d
0x0041be32
0x0041be38
0x0041be3c
0x0041be3e
0x0041be45
0x0041be47
0x0041be47
0x0041be58
0x0041be5b
0x0041be62
0x0041be66
0x0041be6a
0x0041be79
0x0041be7f
0x0041be82
0x0041be88
0x0041be90
0x0041be94
0x0041be98
0x0041be9d
0x0041bea0
0x0041beab
0x0041beb7
0x0041beba
0x0041bec0
0x0041bec2
0x0041bec4
0x0041bec4
0x0041becd
0x0041becd
0x0041bed6
0x0041beda
0x00000000
0x0041bc9e
0x0041bca1
0x0041bca2
0x0041bca9
0x0041bcb3
0x0041bcb6
0x0041bcbb
0x0041bcc1
0x0041bcc7
0x0041bcce
0x0041bcd5
0x0041bcd7
0x0041bcd7
0x0041bce6
0x0041bcec
0x0041bcf3
0x0041bcf7
0x0041bcfb
0x0041bd0a
0x0041bd0f
0x0041bd15
0x0041bd21
0x0041bd24
0x0041bd28
0x0041bd30
0x0041be0c
0x0041be12
0x0041be16
0x00000000
0x0041bd36
0x0041bd44
0x0041bd47
0x0041bd4f
0x0041bd51
0x0041bd51
0x0041bd5a
0x0041bd66
0x00000000
0x0041bd6c
0x0041bd6f
0x0041bd71
0x0041bd72
0x0041bd82
0x0041bd85
0x0041bd8b
0x0041bd8d
0x0041bd8d
0x0041bd92
0x0041bd95
0x0041bd99
0x0041bd9e
0x0041bd9f
0x0041bda6
0x0041bdb4
0x0041bdb8
0x0041bdc3
0x0041bdc7
0x0041bdcf
0x0041bdd3
0x0041bdde
0x0041bde2
0x0041bded
0x0041bdf1
0x0041bdf6
0x0041be00
0x0041be05
0x0041be05
0x0041bd66
0x0041bd30
0x0041bc90
0x0041c3ef
0x0041c3f8

APIs

Part of subcall function 0040A5F5: __EH_prolog.LIBCMT ref: 0040A5FA
Part of subcall function 0040A5F5: SetLastError.KERNEL32(?,?,00000000,?,?,0040F157,C:\CodeBases\isdev\src\Runtime\InstallScript\SetupNew\setup.cpp,?,00000001,00467574,00000000,0046757C), ref: 0040A660

SendDlgItemMessageW.USER32 ref: 0041BB67
RegOpenKeyExW.KERNELBASE(80000001,Software\Microsoft\Windows\CurrentVersion,?,000F003F,?,?,?,?,?,?,00467570), ref: 0041BC6F
RegQueryValueExW.KERNELBASE(00467570,puF,?,?,?,00000104,?,00000105), ref: 0041BD15
RegDeleteValueW.ADVAPI32(00467570,?,?,?,?,?,00000104,?,00000105), ref: 0041BD5A

Part of subcall function 00409079: RegCloseKey.ADVAPI32(0043D41C,00467574,0042F4CA), ref: 00409085

Strings

PG, xrefs: 0041C16B
uF, xrefs: 0041C377
|uF, xrefs: 0041BBB9, 0041BBC4
uF, xrefs: 0041BD8D
puF, xrefs: 0041BD51
ISSetupPrerequisistes, xrefs: 0041C344
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 0041C32A
puF, xrefs: 0041BD0F
PG, xrefs: 0041C230
6, xrefs: 0041BB0B
Software\Microsoft\Windows\CurrentVersion, xrefs: 0041BC65
%%IS_PREREQF%%-%s, xrefs: 0041BC26
puF, xrefs: 0041BC1A
Prerequisites returning %d, xrefs: 0041BD99, 0041C38C
uF, xrefs: 0041BF81
%%IS_PREREQ%%-%s, xrefs: 0041BBBF
Showing initialization dialog for prerequisites., xrefs: 0041C152, 0041C175
|uF, xrefs: 0041BC20, 0041BC2B
puF, xrefs: 0041BE7F, 0041BC79
puF, xrefs: 0041C312
puF, xrefs: 0041BBB3
puF, xrefs: 0041BE47
tuF, xrefs: 0041BB70
Running setup prerequisites (%s)..., xrefs: 0041BB12
|uF, xrefs: 0041BE58
Prerequisites rebooting, xrefs: 0041C217, 0041C23A
uF, xrefs: 0041BAFD
puF, xrefs: 0041BB53
puF, xrefs: 0041C2F7
|uF, xrefs: 0041BCE6
puF, xrefs: 0041BEC4
C:\CodeBases\isdev\src\Runtime\Shared\Setup\SetupPrereqMgr.cpp, xrefs: 0041BAE9, 0041BD72, 0041C142, 0041C207, 0041C35C

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: Value$CloseDeleteErrorH_prologItemLastMessageOpenQuerySend
String ID: ISSetupPrerequisistes$%%IS_PREREQ%%-%s$%%IS_PREREQF%%-%s$6$C:\CodeBases\isdev\src\Runtime\Shared\Setup\SetupPrereqMgr.cpp$Prerequisites rebooting$Prerequisites returning %d$PG$PG$Running setup prerequisites (%s)...$Showing initialization dialog for prerequisites.$Software\Microsoft\Windows\CurrentVersion$Software\Microsoft\Windows\CurrentVersion\RunOnce$puF$puF$puF$puF$puF$puF$puF$puF$puF$puF$tuF$|uF$|uF$|uF$|uF$uF$uF$uF$uF
API String ID: 1870291207-767489211
Opcode ID: 02a92da76aaab019fb5196c8c7220eb5dd3e7687a532671651521a5fa81aabd8
Instruction ID: f88319ccbf94cc4ef3d56b79fbe0eb665a740ce9dc40e15c204b92f1420d6e6d
Opcode Fuzzy Hash: 02a92da76aaab019fb5196c8c7220eb5dd3e7687a532671651521a5fa81aabd8
Instruction Fuzzy Hash: 1A525070900248EFDF11DB94CD95BEDBBB4AF15308F1040AEE54AB7292EB785E84CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0044BDE0 Relevance: 75.9, APIs: 26, Strings: 17, Instructions: 692
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 73%

			E0044BDE0(intOrPtr __ecx) {
				void* __ebp;
				intOrPtr _t273;
				CHAR* _t275;
				int _t277;
				void* _t284;
				CHAR* _t288;
				intOrPtr _t292;
				CHAR* _t294;
				intOrPtr _t304;
				CHAR* _t306;
				int* _t311;
				intOrPtr _t318;
				intOrPtr _t331;
				intOrPtr* _t338;
				intOrPtr _t343;
				intOrPtr _t344;
				intOrPtr _t346;
				intOrPtr* _t377;
				intOrPtr _t383;
				intOrPtr* _t407;
				intOrPtr _t416;
				long _t425;
				intOrPtr _t434;
				void* _t435;
				intOrPtr _t440;
				int* _t444;
				intOrPtr _t446;
				int* _t475;
				signed int _t504;
				intOrPtr _t506;
				intOrPtr _t515;
				intOrPtr _t523;
				void* _t552;
				intOrPtr _t561;
				intOrPtr _t562;
				intOrPtr _t578;
				intOrPtr _t596;
				intOrPtr _t598;
				intOrPtr* _t606;
				intOrPtr _t608;
				intOrPtr _t609;
				void* _t611;
				void* _t613;
				void* _t617;
				int _t622;
				CHAR* _t624;
				signed int _t632;
				void** _t633;
				intOrPtr _t635;
				signed int _t640;
				intOrPtr _t644;
				intOrPtr _t645;
				void* _t646;
				void* _t647;
				void* _t648;
				void* _t649;
				void* _t651;
				void* _t652;
				intOrPtr _t653;
				intOrPtr _t654;
				intOrPtr _t655;
				void* _t656;
				void* _t657;
				void* _t660;

				_push(0xffffffff);
				_push(0x465f0e);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t645;
				_t646 = _t645 - 0x6a8;
				_t440 =  *((intOrPtr*)(_t646 + 0x6bc));
				_t598 = __ecx;
				 *((intOrPtr*)(_t646 + 0x14)) = __ecx;
				 *((intOrPtr*)(_t646 + 0xc8)) = 0x4675d8;
				 *((intOrPtr*)(_t646 + 0xe8)) = 0x4675d0;
				_t273 = _t440;
				if(_t440 == 0) {
					_t273 = 0x47e150;
				}
				_push(0);
				_push(_t646 + 0x1b);
				_push(_t273);
				L0040B34B(_t646 + 0xd4);
				 *(_t646 + 0x6c0) = 0;
				_t275 = L00453100(_t646 + 0xc8);
				_t9 = _t598 + 8; // 0x9
				_t277 = GetPrivateProfileIntA(_t275, "IMAGES", 0, L00452F40(_t9)); // executed
				_t622 = _t277;
				 *(_t646 + 0x30) = _t622;
				 *(_t646 + 0x6c0) = 0xffffffff;
				E004061C1(_t646 + 0xc8);
				 *((char*)(_t646 + 0x214)) = 0;
				memset(_t646 + 0x215, 0, 0x18 << 2);
				_t647 = _t646 + 0xc;
				asm("stosw");
				asm("stosb");
				 *((char*)(_t647 + 0x188)) = 0;
				memset(_t647 + 0x189, 0, 0x18 << 2);
				_t648 = _t647 + 0xc;
				asm("stosw");
				asm("stosb");
				 *((char*)(_t648 + 0x2d0)) = 0;
				_t284 = memset(_t648 + 0x2d1, 0, 0xf9 << 2);
				_t649 = _t648 + 0xc;
				asm("stosw");
				 *(_t649 + 0x1c) = 1;
				asm("stosb");
				if(_t622 < 1) {
					L44:
					 *[fs:0x0] =  *((intOrPtr*)(_t649 + 0x6b8));
					return _t284;
				} else {
					 *((intOrPtr*)(_t649 + 0xc4)) = _t649 + 0x44;
					while(1) {
						_t644 = L0043BC14(0x40);
						_t651 = _t649 + 4;
						 *((intOrPtr*)(_t651 + 0x10)) = _t644;
						 *(_t651 + 0x6c0) = 1;
						if(_t644 == 0) {
							_t644 = 0;
							__eflags = 0;
						} else {
							L004517F0(_t644, _t651 + 0x1b, 1);
						}
						 *(_t651 + 0x6c8) = 0xffffffff;
						lstrcpyA(_t651 + 0x214, "IMAGE");
						_t288 = L0043FAB7( *((intOrPtr*)(_t651 + 0x1c)), _t651 + 0x2d0, 0xa);
						_t652 = _t651 + 0xc;
						lstrcatA(_t652 + 0x214, _t288);
						_t606 = L0042CD98(_t644, _t652 + 0x34, 0x104);
						 *(_t652 + 0x6c0) = 2;
						_t624 = L00452F40( *_t606);
						_t292 = _t440;
						 *(_t606 + 8) = _t624;
						 *((intOrPtr*)(_t652 + 0xc8)) = 0x4675d8;
						 *((intOrPtr*)(_t652 + 0xe8)) = 0x4675d0;
						if(_t440 == 0) {
							_t292 = 0x47e150;
						}
						_push(0);
						_push(_t652 + 0x25);
						_push(_t292);
						L0040B34B(_t652 + 0xd4);
						 *(_t652 + 0x6c0) = 3;
						_t294 = L00453100(_t652 + 0xc8);
						_t607 =  *((intOrPtr*)(_t652 + 0x14)) + 8;
						GetPrivateProfileStringA(_t294, _t652 + 0x220, 0x47e154, _t624, 0x104, L00452F40( *((intOrPtr*)(_t652 + 0x14)) + 8)); // executed
						E004061C1(_t652 + 0xc8);
						 *(_t652 + 0x6c0) = 0xffffffff;
						if( *((intOrPtr*)(_t652 + 0x38)) != 0) {
							_t561 =  *((intOrPtr*)(_t652 + 0x34));
							 *((intOrPtr*)(_t652 + 0x10)) = _t561;
							_t434 =  *((intOrPtr*)(_t561 + 0x1c));
							_t446 = _t434;
							if(_t434 == 0) {
								_t446 = 0x47e150;
							}
							_t435 = L0043BA1F(_t446);
							_t562 =  *((intOrPtr*)(_t652 + 0x14));
							_t652 = _t652 + 4;
							L0040BF1A(_t562 + 4, _t446, _t435);
						}
						if( *((intOrPtr*)(_t652 + 0x3c)) != 0) {
							_t425 = GetLastError();
							_push(1);
							_push(_t652 + 0x26);
							_push( *((intOrPtr*)(_t652 + 0x3c)));
							E004300B2(_t652 + 0x1f8);
							_t596 =  *0x467594; // 0xffffffff
							asm("sbb eax, eax");
							 *((intOrPtr*)(_t652 + 0x6cc)) = 4;
							E004024B9( *((intOrPtr*)(_t652 + 0x40)) + 4,  ~(_t652 + 0x1ec) & _t652 + 0x000001f0, 0, _t596);
							 *(_t652 + 0x6c0) = 0xffffffff;
							L0040125C(_t652 + 0x1ec);
							SetLastError(_t425);
						}
						lstrcpyA(_t652 + 0x188, _t652 + 0x214);
						lstrcatA(_t652 + 0x188, "POS");
						_t304 =  *((intOrPtr*)(_t652 + 0x6c8));
						 *((intOrPtr*)(_t652 + 0xf0)) = 0x4675d8;
						_t670 = _t304;
						 *((intOrPtr*)(_t652 + 0x110)) = 0x4675d0;
						if(_t304 == 0) {
							_t304 = 0x47e150;
						}
						_push(0);
						_push(_t652 + 0x28);
						_push(_t304);
						L0040B34B(_t652 + 0xfc);
						 *(_t652 + 0x6c0) = 5;
						_t306 = L00453100(_t652 + 0xf0);
						GetPrivateProfileStringA(_t306, _t652 + 0x194, 0x47e154, _t652 + 0x2d4, 0x3e8, L00452F40(_t607)); // executed
						 *(_t652 + 0x6c0) = 0xffffffff;
						E004061C1(_t652 + 0xf0);
						_t78 = _t644 + 0x30; // 0x30
						_t311 = _t78;
						_t79 = _t644 + 0x2c; // 0x2c
						_t475 = _t79;
						_push(_t311);
						_push(_t475);
						_t653 = _t652 - 0x28;
						 *_t475 = 0;
						 *_t311 = 0;
						 *((intOrPtr*)(_t653 + 0x40)) = _t653;
						L004472C0(_t653, _t653 + 0x304, _t653 + 0x5a, 1);
						L0044F390(_t670);
						_t85 = _t644 + 0x38; // 0x38
						_t444 = _t85;
						 *_t444 = 0;
						lstrcpyA(_t653 + 0x188, _t653 + 0x214);
						lstrcatA(_t653 + 0x188, "OPT");
						_t318 =  *((intOrPtr*)(_t653 + 0x6c8));
						 *((intOrPtr*)(_t653 + 0x138)) = 0x4675d8;
						_t671 = _t318;
						 *((intOrPtr*)(_t653 + 0x158)) = 0x4675d0;
						if(_t318 == 0) {
							_t318 = 0x47e150;
						}
						_push(0);
						_push(_t653 + 0x27);
						_push(_t318);
						L0040B34B(_t653 + 0x144);
						 *(_t653 + 0x6c0) = 6;
						 *(_t653 + 0x10) = L00453100(_t653 + 0x138);
						GetPrivateProfileStringA( *(_t653 + 0x10), _t653 + 0x194, 0x47e154, _t653 + 0x2d4, 0x3e8, L00452F40(_t607)); // executed
						 *(_t653 + 0x6c0) = 0xffffffff;
						E004061C1(_t653 + 0x138);
						_push(_t444);
						_t654 = _t653 - 0x28;
						 *((intOrPtr*)(_t654 + 0x3c)) = _t654;
						 *_t444 = 0;
						L004472C0(_t654, _t654 + 0x2fc, _t653 + 0x27, 1);
						L0044F9D0(_t671);
						lstrcpyA(_t654 + 0x188, _t654 + 0x214);
						lstrcatA(_t654 + 0x188, "TRNSPRNTCLR");
						_t331 =  *((intOrPtr*)(_t654 + 0x6c8));
						 *((intOrPtr*)(_t654 + 0x160)) = 0x4675d8;
						_t672 = _t331;
						 *((intOrPtr*)(_t654 + 0x180)) = 0x4675d0;
						if(_t331 == 0) {
							_t331 = 0x47e150;
						}
						_push(0);
						_push(_t654 + 0x2b);
						_push(_t331);
						L0040B34B(_t654 + 0x16c);
						 *(_t654 + 0x6c0) = 7;
						 *(_t654 + 0x10) = L00453100(_t654 + 0x160);
						GetPrivateProfileStringA( *(_t654 + 0x10), _t654 + 0x194, 0x47e154, _t654 + 0x2d4, 0x3e8, L00452F40(_t607)); // executed
						 *(_t654 + 0x6c0) = 0xffffffff;
						E004061C1(_t654 + 0x160);
						_t121 = _t644 + 0x34; // 0x34
						_t338 = _t121;
						_push(_t338);
						_t655 = _t654 - 0x28;
						 *_t338 = 0x808080;
						 *((intOrPtr*)(_t655 + 0x3c)) = _t655;
						L004472C0(_t655, _t655 + 0x300, _t654 + 0x20, 1);
						L0044F620(_t644, _t672);
						wsprintfA(_t655 + 0x2d0, "%x",  *_t444);
						_t343 =  *((intOrPtr*)(_t644 + 8));
						_t656 = _t655 + 0xc;
						_t608 = 0x467570;
						if(_t343 != 0) {
							_t608 = _t343;
						}
						_t344 =  *0x4675f4; // 0x24
						 *((intOrPtr*)(_t656 + 0x9c)) = 0x4675f0;
						 *((intOrPtr*)(_t656 + 0xbc)) = 0x4675e8;
						 *((intOrPtr*)(_t656 + _t344 + 0x9c)) = GetLastError();
						_t674 = _t608;
						 *((intOrPtr*)(_t656 + 0x6c0)) = 8;
						_t346 = _t608;
						if(_t608 == 0) {
							_t346 = 0x47e150;
						}
						L00452E70(_t656 + 0xa8, _t674, _t346, _t656 + 0x29);
						 *((char*)(_t656 + 0x6c0)) = 9;
						L00447D30(_t656 + 0xb0);
						 *((char*)(_t656 + 0x6c4)) = 0xa;
						L00447D70(_t656 + 0xc0, 0);
						_t578 =  *0x4675f4; // 0x24
						 *((intOrPtr*)(_t656 + 0x6c0)) = 0xb;
						 *(_t656 + 0x44) = 0x4675f0;
						 *(_t656 + 0x64) = 0x4675e8;
						 *((intOrPtr*)(_t656 + _t578 + 0x44)) = GetLastError();
						 *((char*)(_t656 + 0x6c4)) = 0xc;
						L00447B80(_t656 + 0x48, _t656 + 0x21);
						 *((char*)(_t656 + 0x6c0)) = 0xd;
						L00447D30(_t656 + 0x58);
						 *((char*)(_t656 + 0x6c4)) = 0xe;
						L00447D70(_t656 + 0x68, 0);
						_t504 = _t656 + 0x44;
						 *((char*)(_t656 + 0x6c0)) = 0x10;
						if(_t504 != 0) {
							if(_t656 + 0x2d0 == 0) {
								_t552 = 0;
								__eflags = 0;
							} else {
								asm("repne scasb");
								_t552 =  !(_t504 | 0xffffffff) - 1;
							}
							L00447990(_t656 + 0x54, _t656 + 0x2dc, _t552, _t656 + 0x22, 1);
						}
						_t159 =  *(_t656 + 0x44) + 4; // 0x24
						SetLastError( *(_t656 +  *_t159 + 0x44));
						_t506 =  *0x4675e0; // 0xffffffff
						asm("sbb eax, eax");
						 *((char*)(_t656 + 0x6cc)) = 0x11;
						L0040BE88(_t656 + 0xac,  ~(_t656 + 0x44) & _t656 + 0x00000048, 0, _t506);
						_t169 = _t656 + 0x64; // 0x4675e8
						asm("sbb eax, eax");
						 *((char*)(_t656 + 0x6c0)) = 0xb;
						 *((intOrPtr*)( *((intOrPtr*)( *( ~(_t656 + 0x44) & _t169) + 4)) + ( ~(_t656 + 0x44) & _t169))) = GetLastError();
						asm("sbb esi, esi");
						_t632 =  ~(_t656 + 0x44) & _t656 + 0x00000058;
						E0043AE17( *_t632);
						_t174 = _t632 + 8; // 0x468e68
						_t649 = _t656 + 4;
						__imp__#6( *_t174);
						asm("sbb ecx, ecx");
						E0040213C( ~(_t649 + 0x44) & _t649 + 0x00000048, 1);
						SetLastError( *(_t649 +  *((intOrPtr*)( *(_t649 + 0x44) + 4)) + 0x44));
						_push(_t649 + 0x9c);
						_push(_t649 + 0x40);
						L004539C0();
						_t515 =  *((intOrPtr*)(_t649 + 0x40));
						if(_t515 !=  *((intOrPtr*)( *((intOrPtr*)(_t649 + 0x14)) + 0x44))) {
							 *(_t644 + 0x3c) =  *(_t515 + 0x34);
						} else {
							_t633 = L0043BC14(0xc);
							_t657 = _t649 + 4;
							 *(_t657 + 0x2c) = _t633;
							 *((char*)(_t657 + 0x6c0)) = 0x12;
							if(_t633 == 0) {
								_t633 = 0;
								__eflags = 0;
							} else {
								_t611 = L0043BC14(0x30);
								 *_t633 = _t611;
								memset(_t611, 0, 0xc << 2);
								_t613 = L0043BC14(0x48);
								_t633[1] = _t613;
								memset(_t613, 0, 0x12 << 2);
								_t416 = L0043BC14(0x18);
								_t660 = _t657 + 0x24;
								 *((intOrPtr*)(_t660 + 0x10)) = _t416;
								 *((char*)(_t660 + 0x6c0)) = 0x13;
								if(_t416 == 0) {
									_t633[2] = 0;
									memset(0, 0, 6 << 2);
									_t657 = _t660 + 0xc;
								} else {
									_t617 = E0044C8D0(_t416);
									_t633[2] = _t617;
									memset(_t617, 0, 6 << 2);
									_t657 = _t660 + 0xc;
								}
							}
							 *(_t644 + 0x3c) = _t633;
							_t609 =  *((intOrPtr*)(_t644 + 8));
							if(_t609 == 0) {
								_t609 = 0x467570;
							}
							_t523 =  *0x467590; // 0x24
							 *(_t657 + 0x70) = 0x46758c;
							 *(_t657 + 0x90) = 0x467584;
							 *((intOrPtr*)(_t657 + _t523 + 0x70)) = GetLastError();
							_t681 = _t609;
							 *((char*)(_t657 + 0x6c0)) = 0x14;
							_t383 = _t609;
							if(_t609 == 0) {
								_t383 = 0x47e150;
							}
							L00452E70(_t657 + 0x74, _t681, _t383, _t657 + 0x24);
							 *((char*)(_t657 + 0x6c0)) = 0x15;
							L00447D30(_t657 + 0x84);
							 *((char*)(_t657 + 0x6c4)) = 0x16;
							L00447D70(_t657 + 0x94, 0);
							 *((char*)(_t657 + 0x6c8)) = 0x17;
							 *(_t657 + 0x18) = 0;
							 *((char*)(_t657 + 0x6c4)) = 0x18;
							_t635 =  *((intOrPtr*)(L00453640()));
							 *((char*)(_t657 + 0x6c0)) = 0x17;
							L0040125C(_t657 + 0x278);
							_t225 = _t635 + 0x34; // 0x30
							asm("sbb eax, eax");
							 *((char*)(_t657 + 0x6c0)) = 0x19;
							 *((intOrPtr*)( *((intOrPtr*)( *( ~(_t657 + 0x70) & _t657 + 0x00000090) + 4)) + ( ~(_t657 + 0x70) & _t657 + 0x00000090))) = GetLastError();
							asm("sbb esi, esi");
							_t640 =  ~(_t657 + 0x70) & _t657 + 0x00000084;
							E0043AE17( *_t640);
							_t232 = _t640 + 8; // 0xffffffff
							_t649 = _t657 + 4;
							__imp__#6( *_t232, _t657 + 0x11c, L004537A0(_t657 + 0x280, _t657 + 0x70), _t657 + 0x10);
							asm("sbb ecx, ecx");
							E0040213C( ~(_t649 + 0x70) & _t649 + 0x00000074, 1);
							 *(_t649 + 0x6c0) = 0xb;
							SetLastError( *(_t649 +  *((intOrPtr*)( *(_t649 + 0x70) + 4)) + 0x70));
							_push( *((intOrPtr*)( *_t225 + 4)));
							_t243 = _t644 + 0x34; // 0x34
							E0044AB60( *(_t644 + 0x3c), _t681, _t243, _t444, _t644,  *((intOrPtr*)( *_t225)));
							_push(_t649 + 0x10);
							 *(_t649 + 0x18) = 0;
							_push(L00453AC0(_t649 + 0x2ac, _t649 + 0x9c));
							_push(_t649 + 0x120);
							 *((char*)(_t649 + 0x6c8)) = 0x1a;
							_t407 = L00453850();
							 *(_t649 + 0x6c0) = 0xb;
							E004061C1(_t649 + 0x2a4);
							 *( *_t407 + 0x34) =  *(_t644 + 0x3c);
						}
						 *(_t649 + 0x34) = 0;
						_t377 = L004531C0(_t649 + 0x128, L00453510(_t649 + 0x138, _t649 + 0x1c, _t649 + 0x2c));
						 *(_t649 + 0x6c0) = 0xffffffff;
						 *((intOrPtr*)( *_t377 + 0x10)) = _t644;
						E004061C1(_t649 + 0x9c);
						_t284 =  *(_t649 + 0x1c) + 1;
						 *(_t649 + 0x1c) = _t284;
						if(_t284 >  *((intOrPtr*)(_t649 + 0x30))) {
							goto L44;
						}
						_t440 =  *((intOrPtr*)(_t649 + 0x6c8));
					}
					goto L44;
				}
			}

0x0044bde0
0x0044bde2
0x0044bded
0x0044bdee
0x0044bdf5
0x0044bdfc
0x0044be06
0x0044be0a
0x0044be0e
0x0044be19
0x0044be24
0x0044be26
0x0044be28
0x0044be28
0x0044be31
0x0044be33
0x0044be34
0x0044be3c
0x0044be48
0x0044be53
0x0044be58
0x0044be6b
0x0044be71
0x0044be7a
0x0044be7e
0x0044be89
0x0044be9c
0x0044bea4
0x0044bea4
0x0044bea6
0x0044bea8
0x0044beb7
0x0044bebf
0x0044bebf
0x0044bec1
0x0044bec3
0x0044bed2
0x0044beda
0x0044beda
0x0044bedc
0x0044bee1
0x0044bee9
0x0044beea
0x0044c8a8
0x0044c8b2
0x0044c8c0
0x0044bef0
0x0044bef4
0x0044bf04
0x0044bf0b
0x0044bf0d
0x0044bf10
0x0044bf16
0x0044bf21
0x0044bf33
0x0044bf33
0x0044bf23
0x0044bf2c
0x0044bf2c
0x0044bf42
0x0044bf4d
0x0044bf62
0x0044bf67
0x0044bf73
0x0044bf8a
0x0044bf8e
0x0044bf9e
0x0044bfa0
0x0044bfa2
0x0044bfa5
0x0044bfb2
0x0044bfbd
0x0044bfbf
0x0044bfbf
0x0044bfc8
0x0044bfca
0x0044bfcb
0x0044bfd3
0x0044bfdf
0x0044bfe7
0x0044bff2
0x0044c017
0x0044c020
0x0044c029
0x0044c036
0x0044c038
0x0044c03c
0x0044c040
0x0044c045
0x0044c047
0x0044c049
0x0044c049
0x0044c04f
0x0044c054
0x0044c058
0x0044c060
0x0044c060
0x0044c06b
0x0044c06d
0x0044c07d
0x0044c07f
0x0044c080
0x0044c088
0x0044c08d
0x0044c09c
0x0044c0af
0x0044c0bd
0x0044c0c9
0x0044c0d4
0x0044c0da
0x0044c0da
0x0044c0f0
0x0044c103
0x0044c109
0x0044c110
0x0044c11b
0x0044c11d
0x0044c128
0x0044c12a
0x0044c12a
0x0044c133
0x0044c135
0x0044c136
0x0044c13e
0x0044c14a
0x0044c155
0x0044c17f
0x0044c188
0x0044c193
0x0044c198
0x0044c198
0x0044c19b
0x0044c19b
0x0044c19e
0x0044c19f
0x0044c1a0
0x0044c1a3
0x0044c1a9
0x0044c1b1
0x0044c1c4
0x0044c1cd
0x0044c1d9
0x0044c1d9
0x0044c1e5
0x0044c1eb
0x0044c1fe
0x0044c204
0x0044c20b
0x0044c216
0x0044c218
0x0044c223
0x0044c225
0x0044c225
0x0044c22e
0x0044c230
0x0044c231
0x0044c239
0x0044c245
0x0044c257
0x0044c280
0x0044c289
0x0044c294
0x0044c299
0x0044c29e
0x0044c2aa
0x0044c2b2
0x0044c2b8
0x0044c2c1
0x0044c2d6
0x0044c2e9
0x0044c2ef
0x0044c2f6
0x0044c301
0x0044c303
0x0044c30e
0x0044c310
0x0044c310
0x0044c319
0x0044c31b
0x0044c31c
0x0044c324
0x0044c330
0x0044c342
0x0044c36b
0x0044c374
0x0044c37f
0x0044c384
0x0044c384
0x0044c38b
0x0044c38c
0x0044c38f
0x0044c397
0x0044c3a6
0x0044c3af
0x0044c3c4
0x0044c3ca
0x0044c3cd
0x0044c3d2
0x0044c3d7
0x0044c3d9
0x0044c3d9
0x0044c3db
0x0044c3e0
0x0044c3eb
0x0044c403
0x0044c405
0x0044c407
0x0044c412
0x0044c414
0x0044c416
0x0044c416
0x0044c428
0x0044c434
0x0044c43c
0x0044c44a
0x0044c452
0x0044c457
0x0044c45d
0x0044c468
0x0044c470
0x0044c482
0x0044c48d
0x0044c495
0x0044c49e
0x0044c4a6
0x0044c4b1
0x0044c4b9
0x0044c4be
0x0044c4c2
0x0044c4cc
0x0044c4d7
0x0044c4ec
0x0044c4ec
0x0044c4d9
0x0044c4e5
0x0044c4e9
0x0044c4e9
0x0044c502
0x0044c502
0x0044c50b
0x0044c517
0x0044c51d
0x0044c529
0x0044c53c
0x0044c544
0x0044c54d
0x0044c553
0x0044c555
0x0044c56c
0x0044c574
0x0044c57a
0x0044c57f
0x0044c584
0x0044c587
0x0044c58b
0x0044c59b
0x0044c5a1
0x0044c5b6
0x0044c5cb
0x0044c5cc
0x0044c5d0
0x0044c5d9
0x0044c5e2
0x0044c841
0x0044c5e8
0x0044c5ef
0x0044c5f1
0x0044c5f4
0x0044c5fa
0x0044c602
0x0044c66e
0x0044c66e
0x0044c604
0x0044c60b
0x0044c614
0x0044c616
0x0044c61f
0x0044c628
0x0044c62b
0x0044c62f
0x0044c634
0x0044c637
0x0044c63d
0x0044c645
0x0044c667
0x0044c66a
0x0044c66a
0x0044c647
0x0044c64e
0x0044c657
0x0044c65a
0x0044c65a
0x0044c65a
0x0044c645
0x0044c670
0x0044c673
0x0044c678
0x0044c67a
0x0044c67a
0x0044c67f
0x0044c685
0x0044c68d
0x0044c6a2
0x0044c6a4
0x0044c6a6
0x0044c6ae
0x0044c6b0
0x0044c6b2
0x0044c6b2
0x0044c6c1
0x0044c6cd
0x0044c6d5
0x0044c6e3
0x0044c6eb
0x0044c701
0x0044c709
0x0044c722
0x0044c733
0x0044c73c
0x0044c744
0x0044c749
0x0044c759
0x0044c75b
0x0044c772
0x0044c77a
0x0044c783
0x0044c788
0x0044c78d
0x0044c790
0x0044c794
0x0044c7a4
0x0044c7aa
0x0044c7b3
0x0044c7c7
0x0044c7d2
0x0044c7d6
0x0044c7dd
0x0044c7ed
0x0044c7f6
0x0044c80e
0x0044c80f
0x0044c813
0x0044c81b
0x0044c829
0x0044c831
0x0044c839
0x0044c839
0x0044c855
0x0044c872
0x0044c880
0x0044c88b
0x0044c88e
0x0044c89b
0x0044c89e
0x0044c8a2
0x00000000
0x00000000
0x0044befd
0x0044befd
0x00000000
0x0044bf04

APIs

GetPrivateProfileIntA.KERNEL32 ref: 0044BE6B
lstrcpyA.KERNEL32(?,IMAGE), ref: 0044BF4D
lstrcatA.KERNEL32(?,00000000,?,?,?,00000000), ref: 0044BF73

Part of subcall function 0040B34B: __EH_prolog.LIBCMT ref: 0040B350
Part of subcall function 0040B34B: GetLastError.KERNEL32(?,00000001,00000001,?,0044B892,?,?,00000000), ref: 0040B379
Part of subcall function 0040B34B: SetLastError.KERNEL32(?,?,00000000,00000000,?,0044B892,?,?,00000000), ref: 0040B3CE

Part of subcall function 00453100: WideCharToMultiByte.KERNEL32(00000000,00000000,FFFFFFFF,00000001,00000004,00000000,00000000,00000000,?,00000000), ref: 0045315A

Part of subcall function 00452F40: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000001,00000000,00448A01), ref: 00452F69
Part of subcall function 00452F40: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000), ref: 00452FB5

GetPrivateProfileStringA.KERNEL32(00000000,?,0047E154,00000000,00000104,00000000), ref: 0044C017

Part of subcall function 004061C1: __EH_prolog.LIBCMT ref: 004061C6
Part of subcall function 004061C1: GetLastError.KERNEL32(000004B1,00000000,?,0040C82E,004675D8,?,00000000,?,00000000,004675D0,?,004675D8), ref: 004061E9
Part of subcall function 004061C1: SysFreeString.OLEAUT32(?), ref: 00406207
Part of subcall function 004061C1: SetLastError.KERNEL32(?,00000001,?,0040C82E,004675D8,?,00000000,?,00000000,004675D0,?,004675D8), ref: 00406227

GetLastError.KERNEL32(?,00000000,00000104,?,?,?,?), ref: 0044C06D
SetLastError.KERNEL32(00000000), ref: 0044C0DA
lstrcpyA.KERNEL32(?,?), ref: 0044C0F0
lstrcatA.KERNEL32(?,POS), ref: 0044C103
GetPrivateProfileStringA.KERNEL32(00000000,?,0047E154,?,000003E8,00000000), ref: 0044C17F
lstrcpyA.KERNEL32(?,?,?,?,00000001,?,?,?,?,?,?,?,?,?,00000104), ref: 0044C1EB
lstrcatA.KERNEL32(?,OPT,?,?,?,?,?,?,?,?,?,00000104,?,?,?,00000000), ref: 0044C1FE
GetPrivateProfileStringA.KERNEL32(?,?,0047E154,?,000003E8,00000000), ref: 0044C280
lstrcpyA.KERNEL32(?,?,?,?,00000001), ref: 0044C2D6
lstrcatA.KERNEL32(?,TRNSPRNTCLR), ref: 0044C2E9
GetPrivateProfileStringA.KERNEL32(?,?,0047E154,?,000003E8,00000000), ref: 0044C36B

Part of subcall function 004472C0: GetLastError.KERNEL32(?,000001C4,?,00000000,?,?,00000001,?,?,?,?,?,?,?,?,ALL), ref: 00447300
Part of subcall function 004472C0: SetLastError.KERNEL32(?,00000000,?,00000000,?,?,00000001,?,?,?,?,?,?,?,?,ALL), ref: 00447336
Part of subcall function 004472C0: GetLastError.KERNEL32 ref: 0044738A
Part of subcall function 004472C0: SetLastError.KERNEL32(?,00000000), ref: 004473BD
Part of subcall function 004472C0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000000), ref: 004473E6

Part of subcall function 0044F620: GetLastError.KERNEL32 ref: 0044F71F
Part of subcall function 0044F620: SysFreeString.OLEAUT32(?), ref: 0044F740

wsprintfA.USER32 ref: 0044C3C4
GetLastError.KERNEL32 ref: 0044C3FD
GetLastError.KERNEL32(00000000,00467570,?), ref: 0044C47C
SetLastError.KERNEL32(004675F0,00000000,?), ref: 0044C517
GetLastError.KERNEL32(004675F0,00000000,FFFFFFFF), ref: 0044C566
SysFreeString.OLEAUT32(00468E68), ref: 0044C58B
SetLastError.KERNEL32(?,00000001), ref: 0044C5B6
GetLastError.KERNEL32 ref: 0044C69C
GetLastError.KERNEL32(?,00000000,0046758C,?,00000000,?,?), ref: 0044C76C
SysFreeString.OLEAUT32(FFFFFFFF), ref: 0044C794
SetLastError.KERNEL32(?), ref: 0044C7C7

Strings

puF, xrefs: 0044C3D2
TRNSPRNTCLR, xrefs: 0044C2E3
uF, xrefs: 0044C54D
IMAGE, xrefs: 0044BF3C
puF, xrefs: 0044C67A
PG, xrefs: 0044C225
PG, xrefs: 0044C310
uF, xrefs: 0044C3EB
PG, xrefs: 0044C416
PG, xrefs: 0044C6B2
PG, xrefs: 0044C049
OPT, xrefs: 0044C1F8
POS, xrefs: 0044C0FD
PG, xrefs: 0044BFBF
PG, xrefs: 0044BE28
IMAGES, xrefs: 0044BE65
PG, xrefs: 0044C12A

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorLast$String$PrivateProfile$ByteCharFreeMultiWidelstrcatlstrcpy$H_prolog$wsprintf
String ID: IMAGE$IMAGES$OPT$POS$PG$PG$PG$PG$PG$PG$PG$PG$TRNSPRNTCLR$puF$puF$uF$uF
API String ID: 1832196173-3277003244
Opcode ID: 4481b82ea4d0d7006da76bdf166215b25bea6890638662039da137425df23a6c
Instruction ID: 724fced019e76a5f221b875d522fb91ba546d1612fe31f2ae11f55f91c491de3
Opcode Fuzzy Hash: 4481b82ea4d0d7006da76bdf166215b25bea6890638662039da137425df23a6c
Instruction Fuzzy Hash: 2A526D711083819FE324DF64C895BEBB7E5FBD4308F004A1EF58997291EBB4A909CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00445DE0 Relevance: 74.5, APIs: 27, Strings: 15, Instructions: 1028
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 81%

			E00445DE0(void* __eflags) {
				void* __ebp;
				struct HWND__* _t396;
				signed int _t397;
				intOrPtr* _t399;
				void* _t405;
				signed int _t423;
				short* _t436;
				short* _t437;
				signed int _t438;
				signed int _t439;
				void* _t441;
				signed int _t442;
				struct tagPOINT _t455;
				signed int _t462;
				signed char _t475;
				signed int _t484;
				long _t485;
				struct tagPOINT _t488;
				intOrPtr _t492;
				intOrPtr _t494;
				short* _t507;
				signed int _t508;
				short* _t510;
				signed int _t511;
				int _t526;
				short* _t527;
				void* _t529;
				short* _t530;
				short* _t531;
				void* _t532;
				signed int _t533;
				intOrPtr _t535;
				void* _t536;
				signed int _t537;
				intOrPtr _t539;
				signed int _t541;
				signed int _t544;
				void* _t546;
				void* _t549;
				signed int _t551;
				void* _t552;
				signed int _t559;
				void* _t560;
				long _t576;
				long _t585;
				WCHAR* _t593;
				void* _t594;
				signed char _t634;
				struct HWND__* _t639;
				intOrPtr _t641;
				intOrPtr _t695;
				intOrPtr _t723;
				intOrPtr _t725;
				void* _t742;
				intOrPtr _t791;
				intOrPtr _t794;
				intOrPtr _t819;
				struct tagPOINT _t841;
				intOrPtr _t858;
				intOrPtr _t860;
				intOrPtr _t866;
				intOrPtr _t869;
				signed int _t873;
				signed int _t878;
				signed int _t879;
				struct HWND__* _t880;
				void* _t882;
				intOrPtr _t885;
				int _t889;
				void* _t891;
				signed int _t892;
				void* _t896;
				void* _t899;
				WCHAR* _t903;
				signed int _t908;
				signed int _t913;
				void* _t915;
				struct HWND__* _t916;
				void* _t919;
				intOrPtr _t921;
				void* _t922;
				void* _t923;
				void* _t924;
				void* _t926;

				_push(0xffffffff);
				_push(0x46530d);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t921;
				_t922 = _t921 - 0x298;
				_push(_t878);
				_push(1);
				_push(_t922 + 0x12);
				 *(_t922 + 0x40) = 0;
				L0040B243(_t922 + 0xdc);
				_push(1);
				_push(_t922 + 0x13);
				 *((intOrPtr*)(_t922 + 0x2b8)) = 0;
				L0040B243(_t922 + 0x104);
				_t879 = _t878 | 0xffffffff;
				 *((char*)(_t922 + 0x124)) = 0;
				 *((char*)(_t922 + 0x125)) = 0;
				 *(_t922 + 0x128) = _t879;
				 *(_t922 + 0x12c) = _t879;
				 *(_t922 + 0x130) = _t879;
				 *(_t922 + 0x134) = _t879;
				 *(_t922 + 0x138) = _t879;
				 *(_t922 + 0x13c) = _t879;
				_t819 =  *0x4675f4; // 0x24
				_t915 = GetLastError;
				 *(_t922 + 0x2b0) = 1;
				 *(_t922 + 0x40) = 0x4675f0;
				 *(_t922 + 0x60) = 0x4675e8;
				 *((intOrPtr*)(_t922 + _t819 + 0x40)) = GetLastError();
				 *((char*)(_t922 + 0x2b4)) = 2;
				L00447B80(_t922 + 0x44, _t922 + 0x13);
				 *(_t922 + 0x2b0) = 3;
				L00447D30(_t922 + 0x54);
				 *((char*)(_t922 + 0x2b4)) = 4;
				L00447D70(_t922 + 0x64, 0);
				_t889 =  *(_t922 + 0x2c0);
				 *((char*)(_t922 + 0x2b8)) = 5;
				_t396 = GetDlgItem( *(_t922 + 0x2bc), _t889);
				 *(_t922 + 0x14) = _t396;
				if(_t396 != 0) {
					_t397 =  *(_t922 + 0x2c8);
					__eflags = _t397;
					if(_t397 == 0) {
						L7:
						_t399 = L00447500(_t922 + 0x78, 0x30c);
						 *(_t922 + 0x2b0) = 0xf;
						 *((char*)(_t399 + 4)) = 1;
						GetDlgItemTextW( *(_t922 + 0x2bc), _t889,  *(L0040BE33(_t399,  *_t399)), 0x30c);
						 *(_t922 + 0x2b0) = 5;
						__eflags =  *(_t922 + 0x7c);
						if( *(_t922 + 0x7c) != 0) {
							_t794 =  *((intOrPtr*)(_t922 + 0x78));
							 *((intOrPtr*)(_t922 + 0x1c)) = _t794;
							_t593 =  *(_t794 + 0x1c);
							__eflags = _t593;
							_t903 = _t593;
							if(_t593 == 0) {
								_t903 = 0x47e150;
							}
							_t594 = L0043BA1F(_t903);
							_t866 =  *((intOrPtr*)(_t922 + 0x20));
							_t922 = _t922 + 4;
							L0040BF1A(_t866 + 4, _t903, _t594);
						}
						__eflags =  *(_t922 + 0x80);
						if( *(_t922 + 0x80) == 0) {
							L14:
							_t405 = L00447B00(_t922 + 0x40);
							_push(1);
							_push(_t922 + 0x12);
							L0040B243(_t922 + 0x1e8);
							_push(1);
							_push(_t922 + 0x3f);
							 *((char*)(_t922 + 0x2b8)) = 0x11;
							L0040B243(_t922 + 0x210);
							_push(1);
							_push(_t922 + 0x36);
							 *((char*)(_t922 + 0x2b8)) = 0x12;
							L0040B243(_t922 + 0x260);
							_push(1);
							_push(_t922 + 0x37);
							 *((char*)(_t922 + 0x2b8)) = 0x13;
							L0040B243(_t922 + 0x238);
							_push(1);
							_push(_t922 + 0x33);
							 *((char*)(_t922 + 0x2b8)) = 0x14;
							L0040B243(_t922 + 0x198);
							 *(_t922 + 0x2bc) = 0x15;
							 *((intOrPtr*)(_t922 + 0x2c)) = 0;
							 *((intOrPtr*)(_t922 + 0x28)) = 0;
							L004472C0(_t922 + 0x174, _t405, _t922 + 0x32, 1);
							 *((char*)(_t922 + 0x2b4)) = 0x16;
							__eflags =  *((short*)(L00447C00(_t922 + 0x170, 0))) - 0x40;
							if(__eflags == 0) {
								E0040C91A(_t922 + 0x174, _t915, 0, 1);
							}
							_push(0x4685e4);
							_t891 = L00446E20(__eflags, _t922 + 0x16c, _t922 + 0x190);
							_t923 = _t922 + 0xc;
							__eflags =  *(_t922 + 0x1a8);
							if( *(_t922 + 0x1a8) != 0) {
								_push(1);
								_push(_t923 + 0x35);
								L0040B243(_t923 + 0x148);
								_push(1);
								_push(_t923 + 0x34);
								 *((char*)(_t923 + 0x2b8)) = 0x17;
								L0040B243(_t923 + 0x1c0);
								_t422 =  *(_t923 + 0x198);
								__eflags =  *(_t923 + 0x198);
								 *(_t923 + 0x2b0) = 0x18;
								if(__eflags == 0) {
									_t422 = 0x4675e4;
								}
								_push(_t923 + 0x1c);
								_t423 = L0045DA3C(__eflags, _t422, L"%d,%d", _t923 + 0x20);
								_t924 = _t923 + 0x10;
								__eflags = _t423;
								if(__eflags == 0) {
									_push(",");
									L00446E20(__eflags, _t924 + 0x194, _t924 + 0xd4);
									_push(",");
									L00446E20(__eflags, _t924 + 0x1a0, _t924 + 0x108);
									_t924 = _t924 + 0x18;
								} else {
									_t551 =  *(_t924 + 0x20);
									__eflags = _t551;
									if(_t551 == 0) {
										_t552 = 0x47e154;
									} else {
										_t552 = L0043FAB7(_t551, _t924 + 0x78, 0xa);
										_t924 = _t924 + 0xc;
									}
									L004472C0(_t924 + 0x28c, _t552, _t924 + 0x1b, 1);
									_t858 =  *0x4675e0; // 0xffffffff
									asm("sbb eax, eax");
									 *((char*)(_t924 + 0x2bc)) = 0x19;
									E0040C484(_t924 + 0xe4,  ~(_t924 + 0x280) & _t924 + 0x00000284, 0, _t858);
									 *((char*)(_t924 + 0x2b0)) = 0x18;
									E004061C1(_t924 + 0x280);
									_t559 =  *(_t924 + 0x1c);
									__eflags = _t559;
									if(_t559 == 0) {
										_t560 = 0x47e154;
									} else {
										_t560 = L0043FAB7(_t559, _t924 + 0x78, 0xa);
										_t924 = _t924 + 0xc;
									}
									L004472C0(_t924 + 0x90, _t560, _t924 + 0x1a, 1);
									_t860 =  *0x4675e0; // 0xffffffff
									asm("sbb eax, eax");
									 *((char*)(_t924 + 0x2bc)) = 0x1a;
									E0040C484(_t924 + 0x10c,  ~(_t924 + 0x84) & _t924 + 0x00000088, 0, _t860);
									 *((char*)(_t924 + 0x2b0)) = 0x18;
									E004061C1(_t924 + 0x84);
								}
								__eflags = _t891 -  *0x4675e0; // 0xffffffff
								if(__eflags != 0) {
									_push(0x4685e4);
									_t532 = L00446E20(__eflags, _t924 + 0x16c, _t924 + 0x258);
									_t924 = _t924 + 0xc;
									_t533 = L00447C00(_t924 + 0x25c, 0);
									__eflags =  *_t533 - 0x31;
									 *((char*)(_t924 + 0x124)) = _t533 & 0xffffff00 |  *_t533 == 0x00000031;
									_t535 =  *0x4675e0; // 0xffffffff
									__eflags = _t532 - _t535;
									if(__eflags != 0) {
										_push(0x4685e4);
										_t536 = L00446E20(__eflags, _t924 + 0x16c, _t924 + 0x230);
										_t924 = _t924 + 0xc;
										_t537 = L00447C00(_t924 + 0x234, 0);
										__eflags =  *_t537 - 0x31;
										 *((char*)(_t924 + 0x125)) = _t537 & 0xffffff00 |  *_t537 == 0x00000031;
										_t539 =  *0x4675e0; // 0xffffffff
										__eflags = _t536 - _t539;
										if(__eflags != 0) {
											_push(0x4685e4);
											_t899 = L00446E20(__eflags, _t924 + 0x16c, _t924 + 0x1e0);
											_t541 =  *(_t924 + 0x1f8);
											_t924 = _t924 + 0xc;
											__eflags = _t541;
											if(_t541 != 0) {
												_t548 =  *(_t924 + 0x1e8);
												__eflags =  *(_t924 + 0x1e8);
												if(__eflags == 0) {
													_t548 = 0x4675e4;
												}
												_push(_t924 + 0xc0);
												_push(_t924 + 0xcc);
												_t549 = L0045DA3C(__eflags, _t548, L"%d,%d,%d", _t924 + 0xc8);
												_t924 = _t924 + 0x14;
												__eflags = _t549 - 3;
												if(_t549 == 3) {
													 *((intOrPtr*)(_t924 + 0x128)) =  *((intOrPtr*)(_t924 + 0xc4));
													 *((intOrPtr*)(_t924 + 0x12c)) =  *((intOrPtr*)(_t924 + 0xcc));
													 *((intOrPtr*)(_t924 + 0x130)) =  *((intOrPtr*)(_t924 + 0xc0));
												}
											}
											__eflags = _t899 -  *0x4675e0; // 0xffffffff
											if(__eflags != 0) {
												_push(0x4685e4);
												L00446E20(__eflags, _t924 + 0x16c, _t924 + 0x208);
												_t544 =  *(_t924 + 0x220);
												_t924 = _t924 + 0xc;
												__eflags = _t544;
												if(_t544 != 0) {
													_t545 =  *(_t924 + 0x210);
													__eflags =  *(_t924 + 0x210);
													if(__eflags == 0) {
														_t545 = 0x4675e4;
													}
													_push(_t924 + 0x6c);
													_push(_t924 + 0xd0);
													_t546 = L0045DA3C(__eflags, _t545, L"%d,%d,%d", _t924 + 0xcc);
													_t924 = _t924 + 0x14;
													__eflags = _t546 - 3;
													if(_t546 == 3) {
														 *((intOrPtr*)(_t924 + 0x134)) =  *((intOrPtr*)(_t924 + 0xc8));
														 *((intOrPtr*)(_t924 + 0x138)) =  *((intOrPtr*)(_t924 + 0xd0));
														 *((intOrPtr*)(_t924 + 0x13c)) =  *((intOrPtr*)(_t924 + 0x6c));
													}
												}
											}
										}
									}
								}
								 *((char*)(_t924 + 0x2b0)) = 0x17;
								E004061C1(_t924 + 0x1b8);
								 *((char*)(_t924 + 0x2b0)) = 0x16;
								E004061C1(_t924 + 0x140);
								 *((char*)(_t924 + 0x2b0)) = 0x15;
								E004061C1(_t924 + 0x168);
								 *((char*)(_t924 + 0x2b0)) = 0x14;
								E004061C1(_t924 + 0x190);
								 *((char*)(_t924 + 0x2b0)) = 0x13;
								E004061C1(_t924 + 0x230);
								 *((char*)(_t924 + 0x2b0)) = 0x12;
								E004061C1(_t924 + 0x258);
								 *((char*)(_t924 + 0x2b0)) = 0x11;
								E004061C1(_t924 + 0x208);
								 *((char*)(_t924 + 0x2b0)) = 5;
								E004061C1(_t924 + 0x1e0);
								_t436 = L00447C00(_t924 + 0x104, 0);
								__eflags =  *_t436 - 0x30;
								if( *_t436 < 0x30) {
									L46:
									_t437 = L00447C00(_t924 + 0xdc, 0);
									__eflags =  *_t437 - 0x30;
									if( *_t437 < 0x30) {
										L56:
										_t438 = L0045B360( *((intOrPtr*)(_t924 + 0x2bc)));
										_t923 = _t924 + 4;
										__eflags = _t438;
										if(_t438 == 0) {
											L61:
											_t439 =  *(_t923 + 0xdc);
											__eflags = _t439;
											if(_t439 == 0) {
												_t439 = 0x4675e4;
											}
											_push(0);
											_push(_t923 + 0x1b);
											_push(_t439);
											 *((intOrPtr*)(_t923 + 0x14c)) = 0x4675a0;
											 *((intOrPtr*)(_t923 + 0x16c)) = 0x467598;
											L0040176A(_t923 + 0x14c);
											_t634 = 2;
											 *(_t923 + 0x38) = 2;
											_t441 = _t923 + 0x140;
											 *(_t923 + 0x2b0) = 0x1f;
											L64:
											_t442 =  *(_t441 + 8);
											__eflags = _t442;
											if(_t442 == 0) {
												_t442 = 0x467570;
											}
											_t916 =  *(_t923 + 0x1c);
											_t880 =  *(_t923 + 0x2c8);
											_t892 =  *(_t923 + 0x2c4);
											asm("sbb ecx, ecx");
											E00445850(_t892, _t880, _t916, 2, 0, _t442, 0,  ~( *(_t923 + 0x130)), (( *(_t923 + 0x13c) & 0x000000ff) << 0x00000008 |  *(_t923 + 0x13c) & 0x000000ff) << 0x00000008 |  *(_t923 + 0x138) & 0x000000ff, 0,  *((intOrPtr*)(_t923 + 0x2d0)));
											__eflags = _t634 & 0x00000002;
											 *(_t923 + 0x2b0) = 0x1e;
											if((_t634 & 0x00000002) != 0) {
												_t634 = _t634 & 0xfffffffd;
												__eflags = _t634;
												 *(_t923 + 0x38) = _t634;
												L0040125C(_t923 + 0x140);
											}
											__eflags = _t634 & 0x00000001;
											 *(_t923 + 0x2b0) = 5;
											if((_t634 & 0x00000001) != 0) {
												L0040125C(_t923 + 0x1b8);
											}
											goto L70;
										}
										_t507 = L00447C00(_t923 + 0x104, 0);
										__eflags =  *_t507;
										if( *_t507 == 0) {
											goto L61;
										}
										_t508 =  *(_t923 + 0x104);
										__eflags = _t508;
										if(_t508 == 0) {
											_t508 = 0x4675e4;
										}
										_push(0);
										_push(_t923 + 0x1a);
										_push(_t508);
										 *((intOrPtr*)(_t923 + 0x1c4)) = 0x4675a0;
										 *((intOrPtr*)(_t923 + 0x1e4)) = 0x467598;
										L0040176A(_t923 + 0x1c4);
										_t634 = 1;
										 *(_t923 + 0x38) = 1;
										_t441 = _t923 + 0x1b8;
										 *(_t923 + 0x2b0) = 0x1e;
										goto L64;
									}
									_t510 = L00447C00(_t924 + 0xdc, 0);
									__eflags =  *_t510 - 0x39;
									if( *_t510 > 0x39) {
										goto L56;
									}
									goto L48;
								} else {
									_t531 = L00447C00(_t924 + 0x104, 0);
									__eflags =  *_t531 - 0x39;
									if( *_t531 <= 0x39) {
										L48:
										_t511 = L0045B360( *((intOrPtr*)(_t924 + 0x2bc)));
										_t926 = _t924 + 4;
										__eflags = _t511;
										if(_t511 == 0) {
											L50:
											_t742 = _t926 + 0xd4;
											L51:
											_t896 = E0043C90A(_t742, L00447B00(_t742));
											_t923 = _t926 + 4;
											__eflags =  *(_t926 + 0x2c8);
											if( *(_t926 + 0x2c8) == 0) {
												_t526 = GetDeviceCaps(GetWindowDC(0), 0xc);
												__eflags = _t526 - 0x10;
												if(_t526 <= 0x10) {
													_t527 = L00447C00(_t923 + 0xdc, 0);
													__eflags =  *_t527;
													if( *_t527 != 0) {
														_t529 = E0043C90A(_t923 + 0xd4, L00447B00(_t923 + 0xd4));
														_t923 = _t923 + 4;
														_t896 = _t529;
													}
												}
											}
											asm("sbb eax, eax");
											_t892 =  *(_t923 + 0x2cc);
											E00445850(_t892,  *(_t923 + 0x2cc),  *((intOrPtr*)(_t923 + 0x20)), 2,  *((intOrPtr*)(_t923 + 0x2dc)), 0x47e150, _t896,  ~( *(_t923 + 0x130)), (( *(_t923 + 0x13c) & 0x000000ff) << 0x00000008 |  *(_t923 + 0x138) & 0x000000ff) << 0x00000008 |  *(_t923 + 0x138) & 0x000000ff, 0,  *((intOrPtr*)(_t923 + 0x2d0)));
											_t880 =  *(_t923 + 0x2bc);
											_t916 =  *(_t923 + 0x14);
											L70:
											SetWindowTextW(_t916, 0x47e150); // executed
											E00445BA0(_t892, 0);
											GetWindowRect(_t916, _t923 + 0xb0);
											 *((intOrPtr*)(_t923 + 0x28)) =  *((intOrPtr*)(_t923 + 0xb4));
											 *(_t923 + 0x24) =  *(_t923 + 0xb0);
											 *((intOrPtr*)(_t923 + 0x78)) =  *((intOrPtr*)(_t923 + 0xb8));
											 *((intOrPtr*)(_t923 + 0x7c)) =  *((intOrPtr*)(_t923 + 0xbc));
											ScreenToClient(_t880, _t923 + 0x24);
											ScreenToClient(_t880, _t923 + 0x70);
											L00445B40(_t892, _t923 + 0x2c);
											L00445B10(_t892, _t923 + 0x68);
											__eflags =  *(_t923 + 0x2c4);
											if( *(_t923 + 0x2c4) == 0) {
												_t455 =  *(_t923 + 0x24);
												_t695 =  *((intOrPtr*)(_t923 + 0x28));
												_t882 =  *((intOrPtr*)(_t923 + 0xb8)) -  *(_t923 + 0xb0);
												_t919 =  *((intOrPtr*)(_t923 + 0xbc)) -  *((intOrPtr*)(_t923 + 0xb4));
												 *(_t923 + 0x1c) = _t455;
												__eflags =  *(_t923 + 0x125);
												 *((intOrPtr*)(_t923 + 0x20)) = _t695;
												if( *(_t923 + 0x125) != 0) {
													 *(_t923 + 0x24) = _t455 + 1;
													 *((intOrPtr*)(_t923 + 0x28)) = _t695 + 1;
													_t882 = _t882 - 2;
													_t919 = _t919 - 2;
													SetWindowLongW( *(_t923 + 0x18), 0xfffffff0, GetWindowLongW( *(_t923 + 0x14), 0xfffffff0) ^ 0x00000003 | 0x0000100c);
													_t484 = GetWindowLongW( *(_t923 + 0x14), 0xffffffec);
													_t639 =  *(_t923 + 0x14);
													_t485 = _t484 | 0x00020000;
													__eflags = _t485;
													SetWindowLongW(_t639, 0xffffffec, _t485);
													SetWindowPos(_t639, 0, 0, 0, 0, 0, 0x27);
												}
												L00445A90(_t892,  *(_t923 + 0x1c));
												L00445AD0(_t892,  *((intOrPtr*)(_t923 + 0x20)));
												L00445C30(_t892, _t919);
												L00445BF0(_t892, _t882);
												L00445C70(_t892, 0x4000);
												_t462 =  *(_t923 + 0x128);
												__eflags = _t462 - 0xffffffff;
												if(_t462 != 0xffffffff) {
													__eflags = (( *(_t923 + 0x130) & 0x000000ff) << 0x00000008 |  *(_t923 + 0x12c) & 0x000000ff) << 0x00000008 | _t462 & 0x000000ff;
													L00445B70(_t892, (( *(_t923 + 0x130) & 0x000000ff) << 0x00000008 |  *(_t923 + 0x12c) & 0x000000ff) << 0x00000008 | _t462 & 0x000000ff);
												}
											} else {
												_t488 =  *(_t923 + 0x70);
												_t841 =  *(_t923 + 0x24);
												_t641 =  *((intOrPtr*)(_t923 + 0x74)) -  *((intOrPtr*)(_t923 + 0x28));
												_t723 =  *((intOrPtr*)(_t923 + 0x2c));
												_t885 = _t488 - _t841;
												__eflags = _t723 - _t885;
												if(_t723 > _t885) {
													_push(_t841);
												} else {
													_push(_t488 - _t723);
												}
												L00445A90(_t892);
												_t725 =  *((intOrPtr*)(_t923 + 0x68));
												__eflags = _t725 - _t641;
												if(_t725 > _t641) {
													_push( *((intOrPtr*)(_t923 + 0x28)));
												} else {
													asm("cdq");
													_push(( *((intOrPtr*)(_t923 + 0x74)) - _t725 -  *((intOrPtr*)(_t923 + 0x28)) - _t841 >> 1) +  *((intOrPtr*)(_t923 + 0x28)));
												}
												L00445AD0(_t892);
												 *((intOrPtr*)( *((intOrPtr*)(_t892 + 8)) + 0x3c)) = 0x4000;
												_t492 =  *((intOrPtr*)(_t923 + 0x68));
												__eflags = _t492 - _t641;
												if(_t492 <= _t641) {
													_t641 = _t492;
												}
												L00445C30(_t892, _t641);
												_t494 =  *((intOrPtr*)(_t923 + 0x2c));
												__eflags = _t494 - _t885;
												if(_t494 > _t885) {
													_t494 = _t885;
												}
												L00445BF0(_t892, _t494);
												__eflags =  *((intOrPtr*)(_t923 + 0x2c)) - _t885;
												L00445C70(_t892, ((0 |  *((intOrPtr*)(_t923 + 0x2c)) - _t885 > 0x00000000) - 0x00000001 & 0x00003ffc) + 4);
												ShowWindow(_t916, 0);
											}
											E00445BA0(_t892, 0xffffffff);
											asm("sbb eax, eax");
											 *(_t923 + 0x2b0) = 0x21;
											 *( *((intOrPtr*)( *( ~(_t923 + 0x40) & _t923 + 0x00000060) + 4)) + ( ~(_t923 + 0x40) & _t923 + 0x00000060)) = GetLastError();
											asm("sbb ecx, ecx");
											E00430164( ~(_t923 + 0x40) & _t923 + 0x00000054);
											asm("sbb ecx, ecx");
											__eflags =  ~(_t923 + 0x40) & _t923 + 0x00000044;
											 *((char*)(_t923 + 0x2b4)) = 0x20;
											E0040213C( ~(_t923 + 0x40) & _t923 + 0x00000044, 1);
											SetLastError( *(_t923 +  *((intOrPtr*)( *(_t923 + 0x40) + 4)) + 0x40));
											 *(_t923 + 0x2b0) = 0x22;
											E004061C1(_t923 + 0xfc);
											 *(_t923 + 0x2b0) = 0xffffffff;
											E004061C1(_t923 + 0xd4);
											_t475 = 1;
											goto L87;
										}
										_t530 = L00447C00(_t926 + 0x104, 0);
										__eflags =  *_t530;
										_t742 = _t926 + 0xfc;
										if( *_t530 != 0) {
											goto L51;
										}
										goto L50;
									}
									goto L46;
								}
							}
							 *(_t923 + 0x2b0) = 0x15;
							E004061C1(_t923 + 0x168);
							 *(_t923 + 0x2b0) = 0x14;
							E004061C1(_t923 + 0x190);
							 *(_t923 + 0x2b0) = 0x13;
							E004061C1(_t923 + 0x230);
							 *(_t923 + 0x2b0) = 0x12;
							E004061C1(_t923 + 0x258);
							 *(_t923 + 0x2b0) = 0x11;
							E004061C1(_t923 + 0x208);
							 *(_t923 + 0x2b0) = 5;
							E004061C1(_t923 + 0x1e0);
							asm("sbb eax, eax");
							 *(_t923 + 0x2b0) = 0x1c;
							_t576 = GetLastError();
							asm("sbb ecx, ecx");
							 *( *((intOrPtr*)( *( ~(_t923 + 0x40) & _t923 + 0x00000060) + 4)) + ( ~(_t923 + 0x40) & _t923 + 0x00000060)) = _t576;
							E00430164( ~(_t923 + 0x40) & _t923 + 0x00000054);
							asm("sbb ecx, ecx");
							__eflags =  ~(_t923 + 0x40) & _t923 + 0x00000044;
							 *((char*)(_t923 + 0x2b4)) = 0x1b;
							E0040213C( ~(_t923 + 0x40) & _t923 + 0x00000044, 1);
							SetLastError( *(_t923 +  *((intOrPtr*)( *(_t923 + 0x40) + 4)) + 0x40));
							 *(_t923 + 0x2b0) = 0x1d;
							goto L18;
						} else {
							_t585 = GetLastError();
							L004472C0(_t922 + 0x14c,  *(_t922 + 0x80), _t922 + 0x12, 1);
							_t791 =  *0x4675e0; // 0xffffffff
							asm("sbb eax, eax");
							__eflags =  ~(_t922 + 0x140) & _t922 + 0x00000144;
							 *(_t922 + 0x2bc) = 0x10;
							E0040C484( *((intOrPtr*)(_t922 + 0x78)) + 4,  ~(_t922 + 0x140) & _t922 + 0x00000144, 0, _t791);
							 *(_t922 + 0x2b0) = 5;
							E004061C1(_t922 + 0x140);
							SetLastError(_t585);
							L13:
							goto L14;
						}
					}
					__eflags =  *_t397;
					if( *_t397 == 0) {
						goto L7;
					} else {
						 *(_t922 + 0x88) = 0x4675f0;
						 *((intOrPtr*)(_t922 + 0xa8)) = 0x4675e8;
						L00447D40(_t922 + 0x88, 0);
						 *((char*)(_t922 + 0x2b4)) = 8;
						 *((char*)(_t922 + 0x8c)) =  *((intOrPtr*)(_t922 + 0x13));
						E0040213C(_t922 + 0x8c, 0);
						 *(_t922 + 0x2b0) = 9;
						L00447D30(_t922 + 0x98);
						_t57 = _t922 + 0xa8; // 0x4675e8
						 *((char*)(_t922 + 0x2b4)) = 0xa;
						L00447D70(_t57, 0);
						_t800 = _t922 + 0x84;
						 *(_t922 + 0x6c) = _t922 + 0x84;
						 *(_t922 + 0x2b0) = 0xc;
						__eflags = _t922 + 0x84;
						if(_t922 + 0x84 != 0) {
							_t873 =  *(_t922 + 0x2c8);
							asm("repne scasb");
							L00447990(_t922 + 0x94, _t873,  !(_t800 | 0xffffffff) - 1, _t922 + 0x12, 1);
							_t879 = _t873 | 0xffffffff;
							__eflags = _t879;
						}
						SetLastError( *(_t922 +  *((intOrPtr*)( *(_t922 + 0x84) + 4)) + 0x84));
						_t869 =  *0x4675e0; // 0xffffffff
						asm("sbb eax, eax");
						 *(_t922 + 0x2bc) = 0xd;
						E0040C484(_t922 + 0x50,  ~(_t922 + 0x84) & _t922 + 0x00000088, 0, _t869);
						asm("sbb eax, eax");
						 *(_t922 + 0x2b0) = 0xe;
						 *((intOrPtr*)( *((intOrPtr*)( *( ~(_t922 + 0x84) & _t922 + 0x000000a4) + 4)) + ( ~(_t922 + 0x84) & _t922 + 0x000000a4))) = GetLastError();
						asm("sbb esi, esi");
						_t908 =  ~(_t922 + 0x84) & _t922 + 0x00000098;
						E0043AE17( *_t908);
						_t922 = _t922 + 4;
						__imp__#6( *((intOrPtr*)(_t908 + 8)));
						asm("sbb ecx, ecx");
						E0040213C( ~(_t922 + 0x84) & _t922 + 0x00000088, 1);
						 *(_t922 + 0x2b0) = 5;
						SetLastError( *(_t922 +  *((intOrPtr*)( *(_t922 + 0x84) + 4)) + 0x84));
						goto L13;
					}
				} else {
					_t32 = _t922 + 0x60; // 0x4675e8
					asm("sbb eax, eax");
					 *(_t922 + 0x2b0) = 6;
					 *((intOrPtr*)( *((intOrPtr*)( *( ~(_t922 + 0x40) & _t32) + 4)) + ( ~(_t922 + 0x40) & _t32))) = GetLastError();
					asm("sbb esi, esi");
					_t913 =  ~(_t922 + 0x40) & _t922 + 0x00000054;
					E0043AE17( *_t913);
					_t37 = _t913 + 8; // 0x468e68
					_t923 = _t922 + 4;
					__imp__#6( *_t37);
					asm("sbb ecx, ecx");
					E0040213C( ~(_t923 + 0x40) & _t923 + 0x00000044, 1);
					SetLastError( *(_t923 +  *((intOrPtr*)( *(_t923 + 0x40) + 4)) + 0x40));
					 *(_t923 + 0x2b0) = 7;
					L18:
					E004061C1(_t923 + 0xfc);
					 *(_t923 + 0x2b0) = _t879;
					E004061C1(_t923 + 0xd4);
					_t475 = 0;
					L87:
					 *[fs:0x0] =  *((intOrPtr*)(_t923 + 0x2a8));
					return _t475;
				}
			}

0x00445de0
0x00445de2
0x00445ded
0x00445dee
0x00445df5
0x00445dfe
0x00445e05
0x00445e07
0x00445e0f
0x00445e13
0x00445e1c
0x00445e1e
0x00445e26
0x00445e2d
0x00445e32
0x00445e35
0x00445e3c
0x00445e43
0x00445e4a
0x00445e51
0x00445e58
0x00445e5f
0x00445e66
0x00445e6d
0x00445e73
0x00445e79
0x00445e84
0x00445e8c
0x00445e9a
0x00445ea5
0x00445ead
0x00445eb6
0x00445ebe
0x00445ec8
0x00445ed0
0x00445ed5
0x00445ee5
0x00445eed
0x00445ef5
0x00445ef9
0x00445f7a
0x00445f87
0x00445f89
0x0044612b
0x00446139
0x00446140
0x00446148
0x00446162
0x0044616c
0x00446174
0x00446176
0x00446178
0x0044617c
0x00446180
0x00446183
0x00446185
0x00446187
0x00446189
0x00446189
0x0044618f
0x00446194
0x00446198
0x004461a0
0x004461a0
0x004461ac
0x004461ae
0x00446218
0x0044621c
0x00446227
0x00446229
0x00446231
0x0044623a
0x0044623c
0x00446244
0x0044624c
0x00446255
0x00446257
0x0044625f
0x00446267
0x00446270
0x00446272
0x0044627a
0x00446282
0x0044628b
0x0044628d
0x00446295
0x0044629d
0x004462b3
0x004462bb
0x004462bf
0x004462c3
0x004462d1
0x004462de
0x004462e2
0x004462ef
0x004462ef
0x004462fb
0x0044630e
0x00446317
0x0044631a
0x0044631c
0x00446432
0x00446434
0x0044643c
0x00446445
0x00446447
0x0044644f
0x00446457
0x0044645c
0x00446465
0x00446467
0x0044646e
0x00446470
0x00446470
0x0044647d
0x00446485
0x0044648a
0x0044648d
0x0044648f
0x0044658e
0x0044659c
0x004465a8
0x004465b6
0x004465bb
0x00446495
0x00446495
0x00446499
0x0044649b
0x004464af
0x0044649d
0x004464a5
0x004464aa
0x004464aa
0x004464c3
0x004464c8
0x004464d7
0x004464ed
0x004464f5
0x00446501
0x00446508
0x0044650d
0x00446511
0x00446513
0x00446527
0x00446515
0x0044651d
0x00446522
0x00446522
0x0044653b
0x00446540
0x0044654f
0x00446565
0x0044656d
0x00446579
0x00446580
0x00446580
0x004465be
0x004465c4
0x004465d1
0x004465df
0x004465e4
0x004465f2
0x004465f7
0x004465fe
0x00446605
0x0044660a
0x0044660c
0x00446619
0x00446627
0x0044662c
0x0044663a
0x0044663f
0x00446646
0x0044664d
0x00446652
0x00446654
0x00446661
0x00446674
0x00446676
0x0044667d
0x00446680
0x00446682
0x00446684
0x0044668b
0x0044668d
0x0044668f
0x0044668f
0x004466a2
0x004466aa
0x004466b2
0x004466b7
0x004466ba
0x004466bd
0x004466d4
0x004466db
0x004466e2
0x004466e2
0x004466bd
0x004466e9
0x004466ef
0x004466fc
0x0044670a
0x0044670f
0x00446716
0x00446719
0x0044671b
0x0044671d
0x00446724
0x00446726
0x00446728
0x00446728
0x00446738
0x00446740
0x00446748
0x0044674d
0x00446750
0x00446753
0x00446767
0x0044676e
0x00446775
0x00446775
0x00446753
0x0044671b
0x004466ef
0x00446654
0x0044660c
0x00446783
0x0044678b
0x00446797
0x0044679f
0x004467ab
0x004467b3
0x004467bf
0x004467c7
0x004467d3
0x004467db
0x004467e7
0x004467ef
0x004467fb
0x00446803
0x0044680f
0x00446817
0x00446825
0x0044682a
0x0044682e
0x00446844
0x0044684d
0x00446852
0x00446856
0x00446988
0x00446990
0x00446995
0x00446998
0x0044699a
0x00446a04
0x00446a04
0x00446a0b
0x00446a0d
0x00446a0f
0x00446a0f
0x00446a18
0x00446a1a
0x00446a1b
0x00446a23
0x00446a2e
0x00446a39
0x00446a3e
0x00446a43
0x00446a47
0x00446a4e
0x00446a59
0x00446a59
0x00446a5c
0x00446a5e
0x00446a60
0x00446a60
0x00446aa0
0x00446aae
0x00446ab5
0x00446abc
0x00446aca
0x00446acf
0x00446ad2
0x00446add
0x00446adf
0x00446adf
0x00446ae9
0x00446aed
0x00446aed
0x00446af2
0x00446af5
0x00446b00
0x00446b09
0x00446b09
0x00000000
0x00446b00
0x004469a5
0x004469aa
0x004469ae
0x00000000
0x00000000
0x004469b0
0x004469b7
0x004469b9
0x004469bb
0x004469bb
0x004469c4
0x004469c6
0x004469c7
0x004469cf
0x004469da
0x004469e5
0x004469ea
0x004469ef
0x004469f3
0x004469fa
0x00000000
0x004469fa
0x00446865
0x0044686a
0x0044686e
0x00000000
0x00000000
0x00000000
0x00446830
0x00446839
0x0044683e
0x00446842
0x00446874
0x0044687c
0x00446881
0x00446884
0x00446886
0x004468a3
0x004468a3
0x004468aa
0x004468b5
0x004468be
0x004468c1
0x004468c3
0x004468d0
0x004468d6
0x004468d9
0x004468e4
0x004468e9
0x004468ed
0x004468fc
0x00446901
0x00446904
0x00446904
0x004468ed
0x004468d9
0x00446955
0x00446960
0x00446973
0x00446978
0x0044697f
0x00446b0e
0x00446b14
0x00446b1e
0x00446b2c
0x00446b4d
0x00446b55
0x00446b62
0x00446b66
0x00446b6a
0x00446b72
0x00446b7b
0x00446b87
0x00446b93
0x00446b95
0x00446c65
0x00446c69
0x00446c6d
0x00446c76
0x00446c78
0x00446c7c
0x00446c7e
0x00446c82
0x00446c93
0x00446c97
0x00446c9b
0x00446c9e
0x00446cb3
0x00446cc0
0x00446cc2
0x00446cc6
0x00446cc6
0x00446ccf
0x00446ce2
0x00446ce2
0x00446cef
0x00446cfb
0x00446d03
0x00446d0b
0x00446d17
0x00446d1c
0x00446d23
0x00446d26
0x00446d4f
0x00446d54
0x00446d54
0x00446b9b
0x00446b9b
0x00446ba7
0x00446bad
0x00446baf
0x00446bb3
0x00446bb5
0x00446bb7
0x00446bbe
0x00446bb9
0x00446bbb
0x00446bbb
0x00446bc1
0x00446bc6
0x00446bca
0x00446bcc
0x00446be8
0x00446bce
0x00446bda
0x00446be1
0x00446be1
0x00446beb
0x00446bf3
0x00446bfa
0x00446bfe
0x00446c00
0x00446c02
0x00446c02
0x00446c07
0x00446c0c
0x00446c10
0x00446c12
0x00446c14
0x00446c14
0x00446c19
0x00446c24
0x00446c36
0x00446c3e
0x00446c3e
0x00446d5d
0x00446d6c
0x00446d6e
0x00446d89
0x00446d8d
0x00446d95
0x00446da4
0x00446da8
0x00446daa
0x00446db2
0x00446dc7
0x00446dd4
0x00446ddf
0x00446deb
0x00446df6
0x00446dfb
0x00000000
0x00446dfb
0x00446891
0x00446896
0x0044689a
0x004468a1
0x00000000
0x00000000
0x00000000
0x004468a1
0x00000000
0x00446842
0x0044682e
0x00446329
0x00446331
0x0044633d
0x00446345
0x00446351
0x00446359
0x00446365
0x0044636d
0x00446379
0x00446381
0x0044638d
0x00446395
0x004463a4
0x004463a6
0x004463b7
0x004463c3
0x004463c5
0x004463c9
0x004463d8
0x004463dc
0x004463de
0x004463e6
0x004463fb
0x004463fd
0x00000000
0x004461b0
0x004461b0
0x004461ca
0x004461cf
0x004461de
0x004461e7
0x004461f4
0x004461fc
0x00446208
0x00446210
0x00446216
0x00446216
0x00000000
0x00446216
0x004461ae
0x00445f8f
0x00445f92
0x00000000
0x00445f98
0x00445fa1
0x00445fac
0x00445fb7
0x00445fc9
0x00445fd1
0x00445fd8
0x00445fe4
0x00445fec
0x00445ff3
0x00445ffa
0x00446002
0x00446007
0x0044600e
0x00446019
0x00446021
0x00446023
0x00446025
0x0044603a
0x00446048
0x0044604d
0x0044604d
0x0044604d
0x00446069
0x0044606b
0x0044607a
0x0044608d
0x00446095
0x004460aa
0x004460ac
0x004460bf
0x004460ca
0x004460d3
0x004460d8
0x004460e0
0x004460e4
0x004460fa
0x00446100
0x0044610c
0x00446216
0x00000000
0x00446216
0x00445efb
0x00445eff
0x00445f05
0x00445f07
0x00445f1a
0x00445f22
0x00445f28
0x00445f2d
0x00445f32
0x00445f35
0x00445f39
0x00445f49
0x00445f4f
0x00445f64
0x00445f6a
0x00446408
0x0044640f
0x0044641b
0x00446422
0x00446427
0x00446e00
0x00446e0b
0x00446e18
0x00446e18

APIs

Part of subcall function 0040B243: __EH_prolog.LIBCMT ref: 0040B248
Part of subcall function 0040B243: GetLastError.KERNEL32(?,?,00000000,?,0040A625,?,00000000,?,?,0040F157,C:\CodeBases\isdev\src\Runtime\InstallScript\SetupNew\setup.cpp,?,00000001,00467574,00000000,0046757C), ref: 0040B271
Part of subcall function 0040B243: SetLastError.KERNEL32(?,00000000,?,00000000,?,0040A625,?,00000000,?,?,0040F157,C:\CodeBases\isdev\src\Runtime\InstallScript\SetupNew\setup.cpp,?,00000001,00467574,00000000), ref: 0040B29F

GetLastError.KERNEL32 ref: 00445E98

Part of subcall function 00447D70: SetLastError.KERNEL32(?,004675F0,0044C457,00000000,00467570,?), ref: 00447D8A

GetDlgItem.USER32 ref: 00445EED
GetLastError.KERNEL32 ref: 00445F18
SysFreeString.OLEAUT32(00468E68), ref: 00445F39
SetLastError.KERNEL32(?,00000001), ref: 00445F64

Part of subcall function 004061C1: __EH_prolog.LIBCMT ref: 004061C6
Part of subcall function 004061C1: GetLastError.KERNEL32(000004B1,00000000,?,0040C82E,004675D8,?,00000000,?,00000000,004675D0,?,004675D8), ref: 004061E9
Part of subcall function 004061C1: SysFreeString.OLEAUT32(?), ref: 00406207
Part of subcall function 004061C1: SetLastError.KERNEL32(?,00000001,?,0040C82E,004675D8,?,00000000,?,00000000,004675D0,?,004675D8), ref: 00406227

SetLastError.KERNEL32(?,00000000,00000000,00000000), ref: 00446069
GetLastError.KERNEL32(?,00000000,FFFFFFFF), ref: 004460BD
SysFreeString.OLEAUT32(?), ref: 004460E4

Strings

TG, xrefs: 00446527
PG, xrefs: 00446189
uF, xrefs: 00446A0F
uF, xrefs: 00446470
", xrefs: 00446DD4
uF, xrefs: 00445EFF
uF, xrefs: 004469BB
%d,%d,%d, xrefs: 004466AC, 00446742
, xrefs: 00446DAA
uF, xrefs: 0044668F
uF, xrefs: 00446728
%d,%d, xrefs: 0044647F
puF, xrefs: 00446A60
TG, xrefs: 004464AF
uF, xrefs: 00445FF3

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorLast$FreeString$H_prolog$Item
String ID: $"$%d,%d$%d,%d,%d$PG$TG$TG$puF$uF$uF$uF$uF$uF$uF$uF
API String ID: 3725637536-3830241909
Opcode ID: db0013e343e7b435a2f82c33855bac134f2be7761cad5f8a0656da3446a46ebf
Instruction ID: f630f6fb56b10bdf29cbf1c05b0e9869091fa5646b784fc8fd914268d2b27cbc
Opcode Fuzzy Hash: db0013e343e7b435a2f82c33855bac134f2be7761cad5f8a0656da3446a46ebf
Instruction Fuzzy Hash: B292867110C3819FE734DB25C895BDFB7E4AF95304F10492EE58A97282EB78A908CB57

Uniqueness

Uniqueness Score: -1.00%

Function 00450550 Relevance: 58.3, APIs: 27, Strings: 6, Instructions: 503
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00450550() {
				signed int _t219;
				signed int _t220;
				intOrPtr _t223;
				signed int _t224;
				signed int _t227;
				void* _t230;
				signed int _t235;
				intOrPtr* _t239;
				intOrPtr _t246;
				intOrPtr _t249;
				signed int _t257;
				signed int _t258;
				struct HWND__* _t260;
				intOrPtr _t266;
				intOrPtr* _t267;
				intOrPtr _t273;
				intOrPtr _t288;
				int _t292;
				int _t295;
				int _t298;
				intOrPtr* _t311;
				struct HWND__* _t313;
				intOrPtr* _t316;
				signed int _t320;
				intOrPtr* _t321;
				signed int _t323;
				intOrPtr _t324;
				int _t326;
				intOrPtr* _t334;
				intOrPtr _t337;
				int _t361;
				int _t364;
				int _t365;
				int _t369;
				intOrPtr* _t386;
				struct HWND__* _t429;
				intOrPtr* _t433;
				signed int _t434;
				void* _t436;
				intOrPtr _t437;
				intOrPtr _t438;
				intOrPtr _t439;
				intOrPtr* _t440;
				intOrPtr _t441;
				void* _t442;
				void* _t443;
				void* _t444;
				void* _t445;

				 *((short*)(_t442 + 0x48)) = 0;
				memset(_t442 + 0x4a, 0, 0x18 << 2);
				_t443 = _t442 + 0xc;
				asm("stosw");
				_t429 =  *(_t443 + 0xb0);
				GetClassNameW(_t429, _t443 + 0x48, 0x64);
				if(lstrcmpiW(L"Button", _t443 + 0x48) != 0) {
					_t219 = lstrcmpiW(L"Static", _t443 + 0x48);
					__eflags = _t219;
					if(_t219 != 0) {
						_t220 = lstrcmpiW(L"msctls_progress32", _t443 + 0x48);
						__eflags = _t220;
						if(_t220 == 0) {
							_t223 =  *((intOrPtr*)( *( *((intOrPtr*)(_t443 + 0xb4)) + 8) + 0x14c));
							__eflags =  *(_t223 + 0x64);
							if( *(_t223 + 0x64) != 0) {
								_t224 =  *(_t223 + 0x6c);
								__eflags = _t224;
								if(_t224 != 0) {
									 *_t224(_t429, " ", " ");
								}
							}
						}
						goto L60;
					} else {
						_t227 = GetWindowLongW(_t429, 0xfffffff0) & 0x0000001f;
						__eflags = _t227 - 3;
						if(_t227 != 3) {
							__eflags = _t227 - 0xe;
							if(_t227 == 0xe) {
								goto L60;
							} else {
								__eflags = _t227 - 0xf;
								if(_t227 == 0xf) {
									goto L60;
								} else {
									__eflags = _t227 - 0xd;
									if(_t227 == 0xd) {
										goto L60;
									} else {
										 *((intOrPtr*)(_t443 + 0x2e)) = 0;
										 *((intOrPtr*)(_t443 + 0x36)) = 0;
										 *((intOrPtr*)(_t443 + 0x3e)) = 0;
										 *((intOrPtr*)(_t443 + 0x46)) = 0;
										 *((short*)(_t443 + 0x38)) = 0;
										 *((short*)(_t443 + 0x4a)) = 0;
										GetWindowTextW(_t429, _t443 + 0x2c, 0xa);
										__eflags =  *(_t443 + 0x2c) - 0x40;
										if( *(_t443 + 0x2c) == 0x40) {
											goto L60;
										} else {
											_t230 = SetWindowLongW(_t429, 0xfffffffc, E00450B60);
											SetPropW(_t429, L"PROP_STAT_PSKIN",  *( *((intOrPtr*)(_t443 + 0xb4)) + 8)); // executed
											SetPropW(_t429, L"PROP_STAT_OLDPROC", _t230);
											return 1;
										}
									}
								}
							}
						} else {
							_t235 = GetWindowLongW(_t429, 0xfffffff0);
							__eflags = _t235 & 0x10000000;
							if((_t235 & 0x10000000) == 0) {
								goto L60;
							} else {
								GetWindowRect(_t429, _t443 + 0x2c);
								_t432 =  *((intOrPtr*)(_t443 + 0xb8));
								MapWindowPoints(0,  *( *((intOrPtr*)(_t443 + 0xb8)) + 4), _t443 + 0x2c, 2);
								_t239 = L0043BC14(0x18);
								_t444 = _t443 + 4;
								_t440 = _t239;
								 *_t440 = SendMessageW(_t429, 0x171, 0, 0);
								_t157 = _t440 + 4; // 0x4
								_t334 = _t157;
								 *_t334 =  *((intOrPtr*)(_t444 + 0x2c));
								 *((intOrPtr*)(_t334 + 4)) =  *((intOrPtr*)(_t444 + 0x34));
								 *((intOrPtr*)(_t334 + 8)) =  *((intOrPtr*)(_t444 + 0x3c));
								 *((intOrPtr*)(_t334 + 0xc)) =  *((intOrPtr*)(_t444 + 0x40));
								 *((intOrPtr*)(_t440 + 0x14)) = GetWindowLongW(_t429, 0xfffffff4);
								_t320 =  *(L004512C0( *((intOrPtr*)( *((intOrPtr*)(_t443 + 0xb8)) + 8))) + 0xc);
								 *(_t444 + 0x18) = _t320;
								_t337 = L004512C0( *((intOrPtr*)(_t432 + 8)));
								_t246 =  *0x47e940; // 0x2220d20
								 *(_t444 + 0x24) = _t320;
								 *(_t444 + 0x28) = 0;
								_t386 =  *((intOrPtr*)(_t337 + 4));
								 *((intOrPtr*)(_t444 + 0x20)) = _t337;
								_t321 = _t386;
								 *(_t444 + 0x13) = 1;
								_t433 =  *((intOrPtr*)(_t386 + 4));
								__eflags = _t433 - _t246;
								if(_t433 != _t246) {
									do {
										_t257 =  *(_t444 + 0x18);
										_t321 = _t433;
										__eflags = _t257 -  *((intOrPtr*)(_t433 + 0xc));
										_t258 = _t257 & 0xffffff00 | _t257 -  *((intOrPtr*)(_t433 + 0xc)) < 0x00000000;
										__eflags = _t258;
										 *(_t444 + 0x13) = _t258;
										if(_t258 == 0) {
											_t433 =  *((intOrPtr*)(_t433 + 8));
										} else {
											_t433 =  *_t433;
										}
										__eflags = _t433 -  *0x47e940; // 0x2220d20
									} while (__eflags != 0);
								}
								__eflags =  *(_t337 + 8);
								if( *(_t337 + 8) == 0) {
									 *((intOrPtr*)(_t444 + 0x14)) = _t321;
									__eflags =  *(_t444 + 0x13);
									if( *(_t444 + 0x13) == 0) {
										L47:
										_t249 =  *((intOrPtr*)(_t444 + 0x14));
										__eflags =  *((intOrPtr*)(_t249 + 0xc)) -  *(_t444 + 0x24);
										if( *((intOrPtr*)(_t249 + 0xc)) <  *(_t444 + 0x24)) {
											_push(_t444 + 0x24);
											_push(_t321);
											_push(_t433);
											_push(_t444 + 0x20);
											goto L49;
										}
									} else {
										__eflags = _t321 -  *_t386;
										if(_t321 !=  *_t386) {
											E004586F0(_t444 + 0x14);
											_t337 =  *((intOrPtr*)(_t444 + 0x20));
											goto L47;
										} else {
											_push(_t444 + 0x24);
											_push(_t321);
											_push(_t433);
											_push(_t444 + 0x1c);
											goto L49;
										}
									}
								} else {
									_push(_t444 + 0x24);
									_push(_t321);
									_push(_t433);
									_push(_t444 + 0x18);
									L49:
									_t249 =  *((intOrPtr*)(L00457530(_t337)));
								}
								 *((intOrPtr*)(_t249 + 0x10)) = _t440;
								ShowWindow(_t429, 0);
								return 1;
							}
						}
					}
				} else {
					_t434 = GetWindowLongW(_t429, 0xfffffff0);
					_t441 =  *((intOrPtr*)(_t443 + 0xb4));
					_t323 = _t434 & 0x0000000f;
					if(_t323 == 7) {
						_t313 = ( *(_t441 + 8))[0x53];
						if( *((intOrPtr*)(_t313 + 0x64)) != 0) {
							_t316 =  *((intOrPtr*)(_t313 + 0x6c));
							if(_t316 != 0) {
								 *_t316(_t429, " ", " ");
							}
						}
						L00450C20(_t429,  *(_t441 + 8));
						_t443 = _t443 + 8;
					}
					if(_t323 == 9 || _t323 == 3) {
						_t260 = ( *(_t441 + 8))[0x53];
						if( *((intOrPtr*)(_t260 + 0x64)) != 0) {
							_t311 =  *((intOrPtr*)(_t260 + 0x6c));
							if(_t311 != 0) {
								 *_t311(_t429, " ", " ");
							}
						}
						L00450DE0(_t429,  *(_t441 + 8));
					}
					if(_t323 == 0 || _t323 == 1) {
						SetWindowLongW(_t429, 0xfffffff0, _t434 | 0x0000000b);
						 *((intOrPtr*)(_t443 + 0x20)) = GetWindowLongW(_t429, 0xfffffff4);
						_t436 = L00451440( *(_t441 + 8));
						_t266 = L00457A10(_t436, _t443 + 0x20);
						_t437 =  *((intOrPtr*)(_t436 + 4));
						 *((intOrPtr*)(_t443 + 0x14)) = _t266;
						if(_t266 == _t437 ||  *((intOrPtr*)(_t443 + 0x20)) <  *((intOrPtr*)(_t266 + 0xc))) {
							 *((intOrPtr*)(_t443 + 0x1c)) = _t437;
							_t267 = _t443 + 0x1c;
						} else {
							_t267 = _t443 + 0x14;
						}
						_t438 =  *_t267;
						if(_t438 !=  *((intOrPtr*)(L00451440( *(_t441 + 8)) + 4))) {
							_t439 =  *((intOrPtr*)(_t438 + 0x10));
							_t324 = 0;
							__eflags = 0;
						} else {
							L00451440( *(_t441 + 8));
							_push(_t443 + 0x24);
							_t324 = 0;
							_push(_t443 + 0x40);
							 *(_t443 + 0x2c) = 0;
							 *((intOrPtr*)(_t443 + 0x30)) = 0;
							L00454E50();
							_t439 =  *((intOrPtr*)( *((intOrPtr*)(_t443 + 0x40)) + 0x10));
						}
						 *( *((intOrPtr*)( *((intOrPtr*)(_t439 + 0x70)))) + 4) =  *( *(_t441 + 8));
						 *( *((intOrPtr*)( *((intOrPtr*)(_t439 + 0x6c)))) + 4) =  *( *((intOrPtr*)( *((intOrPtr*)(_t439 + 0x70)))) + 4);
						_t273 = L0045B360( *( *(_t441 + 8)));
						_t445 = _t443 + 4;
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t439 + 0x70)))) + 0xc)) = _t273;
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t439 + 0x6c)))) + 0xc)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t439 + 0x70)))) + 0xc));
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t439 + 0x70)) + 4)) + 0x38)) = _t324;
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t439 + 0x6c)) + 4)) + 0x38)) = _t324;
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t439 + 0x70)) + 4)) + 0x3c)) = _t324;
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t439 + 0x6c)) + 4)) + 0x3c)) = _t324;
						 *( *((intOrPtr*)( *((intOrPtr*)(_t439 + 0x70)) + 4)) + 0x40) = ( *(_t441 + 8))[0x54];
						 *( *((intOrPtr*)( *((intOrPtr*)(_t439 + 0x6c)) + 4)) + 0x40) =  *( *((intOrPtr*)( *((intOrPtr*)(_t439 + 0x70)) + 4)) + 0x40);
						 *( *((intOrPtr*)( *((intOrPtr*)(_t439 + 0x70)) + 4)) + 0x44) = ( *(_t441 + 8))[0x55];
						 *( *((intOrPtr*)( *((intOrPtr*)(_t439 + 0x6c)) + 4)) + 0x44) =  *( *((intOrPtr*)( *((intOrPtr*)(_t439 + 0x70)) + 4)) + 0x44);
						GetWindowRect(_t429, _t445 + 0x2c);
						_t326 =  *((intOrPtr*)(_t445 + 0x34)) -  *(_t445 + 0x2c);
						 *(_t445 + 0x1c) =  *((intOrPtr*)(_t445 + 0x38)) -  *(_t445 + 0x30);
						_t361 = 0x186a0;
						_t288 =  *((intOrPtr*)( *((intOrPtr*)(_t439 + 0x6c)) + 4));
						 *(_t445 + 0x14) = 0x186a0;
						if(( *(_t288 + 0x34) & 0x00100000) != 0) {
							_t361 =  *(_t288 + 0x40);
							 *(_t445 + 0x14) =  *(_t288 + 0x44);
						}
						 *(_t445 + 0x1c) = MulDiv( *(_t288 + 0x24), _t361, 0x186a0);
						_t292 = MulDiv( *( *((intOrPtr*)( *((intOrPtr*)(_t439 + 0x6c)) + 4)) + 0x28),  *(_t445 + 0x18), 0x186a0);
						_t364 =  *(_t445 + 0x18);
						 *(_t445 + 0x14) = _t292;
						if(_t364 > _t326) {
							_t326 = _t364;
						} else {
							 *( *((intOrPtr*)( *((intOrPtr*)(_t439 + 0x70)) + 4)) + 0x40) = MulDiv(_t326, 0x186a0,  *( *((intOrPtr*)( *((intOrPtr*)(_t439 + 0x6c)) + 4)) + 0x24));
							 *( *((intOrPtr*)( *((intOrPtr*)(_t439 + 0x6c)) + 4)) + 0x40) =  *( *((intOrPtr*)( *((intOrPtr*)(_t439 + 0x70)) + 4)) + 0x40);
							_t292 =  *(_t445 + 0x14);
						}
						_t365 =  *(_t445 + 0x1c);
						if(_t292 > _t365) {
							 *(_t445 + 0x1c) = _t292;
						} else {
							 *( *((intOrPtr*)( *((intOrPtr*)(_t439 + 0x70)) + 4)) + 0x44) = MulDiv(_t365, 0x186a0,  *( *((intOrPtr*)( *((intOrPtr*)(_t439 + 0x6c)) + 4)) + 0x28));
							 *( *((intOrPtr*)( *((intOrPtr*)(_t439 + 0x6c)) + 4)) + 0x44) =  *( *((intOrPtr*)( *((intOrPtr*)(_t439 + 0x70)) + 4)) + 0x44);
						}
						ScreenToClient( *( *(_t441 + 8)), _t445 + 0x2c);
						_t295 =  *(_t439 + 0x54);
						if(_t295 != 0xffffffff) {
							 *(_t445 + 0x18) = MulDiv(_t295, ( *(_t441 + 8))[0x50], 4);
							_t298 = MulDiv( *(_t439 + 0x58), ( *(_t441 + 8))[0x51], 8);
							_t369 =  *(_t445 + 0x18);
						} else {
							_t369 =  *(_t445 + 0x2c);
							_t298 =  *(_t445 + 0x30);
						}
						MoveWindow(_t429, _t369, _t298, _t326,  *(_t445 + 0x1c), 0);
						return 1;
					} else {
						L60:
						return 1;
					}
				}
			}

0x00450565
0x0045056c
0x0045056c
0x0045056e
0x00450570
0x0045057f
0x00450599
0x004508f3
0x004508f5
0x004508f7
0x00450b10
0x00450b12
0x00450b14
0x00450b20
0x00450b29
0x00450b2b
0x00450b2d
0x00450b30
0x00450b32
0x00450b3f
0x00450b3f
0x00450b32
0x00450b2b
0x00000000
0x004508fd
0x00450908
0x0045090b
0x0045090f
0x00450a70
0x00450a74
0x00000000
0x00450a7a
0x00450a7a
0x00450a7e
0x00000000
0x00450a84
0x00450a84
0x00450a88
0x00000000
0x00450a8e
0x00450a94
0x00450a9a
0x00450a9f
0x00450aa4
0x00450aa8
0x00450aaf
0x00450ab4
0x00450aba
0x00450ac0
0x00000000
0x00450ac2
0x00450aca
0x00450ae9
0x00450af2
0x00450b03
0x00450b03
0x00450ac0
0x00450a88
0x00450a7e
0x00450915
0x00450918
0x0045091a
0x0045091f
0x00000000
0x00450925
0x0045092b
0x00450937
0x00450945
0x0045094d
0x00450952
0x00450955
0x00450967
0x0045096a
0x0045096a
0x00450973
0x0045097a
0x00450981
0x00450988
0x0045098d
0x00450998
0x0045099e
0x004509a7
0x004509a9
0x004509ae
0x004509b2
0x004509ba
0x004509bd
0x004509c1
0x004509c3
0x004509c8
0x004509cb
0x004509cd
0x004509cf
0x004509cf
0x004509d3
0x004509d5
0x004509d8
0x004509db
0x004509dd
0x004509e1
0x004509e7
0x004509e3
0x004509e3
0x004509e3
0x004509ea
0x004509ea
0x004509cf
0x004509f5
0x004509f7
0x00450a0b
0x00450a0f
0x00450a11
0x00450a32
0x00450a32
0x00450a39
0x00450a3d
0x00450a47
0x00450a48
0x00450a49
0x00450a4a
0x00000000
0x00450a4a
0x00450a13
0x00450a13
0x00450a15
0x00450a29
0x00450a2e
0x00000000
0x00450a17
0x00450a1f
0x00450a20
0x00450a21
0x00450a22
0x00000000
0x00450a22
0x00450a15
0x004509f9
0x00450a01
0x00450a02
0x00450a03
0x00450a04
0x00450a4b
0x00450a50
0x00450a50
0x00450a55
0x00450a58
0x00450a6d
0x00450a6d
0x0045091f
0x0045090f
0x0045059f
0x004505a8
0x004505aa
0x004505b3
0x004505b9
0x004505be
0x004505c9
0x004505cb
0x004505d0
0x004505dd
0x004505dd
0x004505d0
0x004505e4
0x004505e9
0x004505e9
0x004505ef
0x004505f9
0x00450604
0x00450606
0x0045060b
0x00450618
0x00450618
0x0045060b
0x00450625
0x00450625
0x0045062c
0x0045063e
0x00450650
0x00450659
0x00450662
0x00450667
0x0045066c
0x00450670
0x00450683
0x00450687
0x0045067d
0x0045067d
0x0045067d
0x0045068e
0x00450698
0x004506c6
0x004506c9
0x004506c9
0x0045069a
0x0045069d
0x004506aa
0x004506ab
0x004506ad
0x004506b0
0x004506b4
0x004506b8
0x004506c1
0x004506c1
0x004506d5
0x004506e5
0x004506ee
0x004506f6
0x004506fb
0x0045070b
0x00450714
0x0045071d
0x00450726
0x0045072f
0x00450741
0x00450753
0x00450765
0x0045077d
0x00450780
0x00450796
0x0045079d
0x004507a1
0x004507a6
0x004507a9
0x004507b4
0x004507b9
0x004507bc
0x004507bc
0x004507dc
0x004507e8
0x004507ee
0x004507f2
0x004507f8
0x00450831
0x004507fa
0x00450816
0x00450828
0x0045082b
0x0045082b
0x00450833
0x00450839
0x0045086e
0x0045083b
0x00450857
0x00450869
0x00450869
0x0045087d
0x00450883
0x00450889
0x004508ae
0x004508bc
0x004508c2
0x0045088b
0x0045088b
0x0045088f
0x0045088f
0x004508d1
0x004508e6
0x00450b44
0x00450b44
0x00450b50
0x00450b50
0x0045062c

APIs

GetClassNameW.USER32 ref: 0045057F
lstrcmpiW.KERNEL32(Button,00000000), ref: 00450595
GetWindowLongW.USER32(?,000000F0), ref: 004505A2
SetWindowLongW.USER32 ref: 0045063E
GetWindowLongW.USER32(?,000000F4), ref: 00450647
GetWindowRect.USER32 ref: 00450780
MulDiv.KERNEL32(?,000186A0,000186A0), ref: 004507CA
MulDiv.KERNEL32(?,?,000186A0), ref: 004507E8
MulDiv.KERNEL32(?,000186A0,?), ref: 0045080A
MulDiv.KERNEL32(?,000186A0,?), ref: 0045084B
ScreenToClient.USER32 ref: 0045087D
MulDiv.KERNEL32(?,?,00000004), ref: 004508A2
MulDiv.KERNEL32(?,?,00000008), ref: 004508BC
MoveWindow.USER32(?,?,00000000,?,?,00000000), ref: 004508D1
lstrcmpiW.KERNEL32(Static,00000000), ref: 004508F3
GetWindowLongW.USER32(?,000000F0), ref: 00450906
GetWindowLongW.USER32(?,000000F0), ref: 00450918
GetWindowRect.USER32 ref: 0045092B
MapWindowPoints.USER32 ref: 00450945
SendMessageW.USER32(?,00000171,00000000,00000000), ref: 00450961
GetWindowLongW.USER32(?,000000F4), ref: 0045098B
ShowWindow.USER32(?,00000000), ref: 00450A58
GetWindowTextW.USER32 ref: 00450AB4
SetWindowLongW.USER32 ref: 00450ACA
SetPropW.USER32 ref: 00450AE9
SetPropW.USER32 ref: 00450AF2
lstrcmpiW.KERNEL32(msctls_progress32,00000000), ref: 00450B10

Strings

Button, xrefs: 00450590
Static, xrefs: 004508EE
msctls_progress32, xrefs: 00450B0B
PROP_STAT_PSKIN, xrefs: 00450AE3
PROP_STAT_OLDPROC, xrefs: 00450AEC
@, xrefs: 00450ABA

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: Window$Long$lstrcmpi$PropRect$ClassClientMessageMoveNamePointsScreenSendShowText
String ID: @$Button$PROP_STAT_OLDPROC$PROP_STAT_PSKIN$Static$msctls_progress32
API String ID: 2230541734-847272177
Opcode ID: c2aea60285bd3bdaa9f03c60e9c0ea1dc02b6018832b9fe9582a9aba83f71ae6
Instruction ID: b2c7fc5385e5b0b427dda1c4441f25282cc4c4d74dcb73e0fc857ae3a704ef5f
Opcode Fuzzy Hash: c2aea60285bd3bdaa9f03c60e9c0ea1dc02b6018832b9fe9582a9aba83f71ae6
Instruction Fuzzy Hash: 2C1226786043019FC310CF24C880E6BBBE5BB89714F148A6EF9899B352D775ED46CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0041F7CF Relevance: 54.7, APIs: 11, Strings: 20, Instructions: 458
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 69%

			E0041F7CF(long __ecx) {
				void* __ebx;
				char* _t185;
				char* _t192;
				long _t204;
				void* _t206;
				long _t209;
				char* _t210;
				char* _t217;
				char* _t222;
				char* _t227;
				long _t235;
				char* _t236;
				long _t238;
				long _t241;
				int _t247;
				long _t250;
				long _t258;
				long _t260;
				long _t266;
				int _t270;
				long _t275;
				int _t277;
				long _t280;
				intOrPtr _t289;
				long _t290;
				long _t300;
				void* _t339;
				char* _t355;
				long _t356;
				char* _t358;
				struct _SHELLEXECUTEINFOW _t363;
				void* _t369;
				void* _t371;
				intOrPtr _t372;
				long _t373;

				L0043B644(E00462762, _t369);
				_t372 = _t371 - 0x120;
				 *((intOrPtr*)(_t369 - 0x10)) = _t372;
				 *(_t369 - 0x14) = __ecx;
				if( *0x47df40 != 0 ||  *0x47e988 != 0) {
					_push(1);
					_push(_t369 - 0x16);
					_push("C:\\CodeBases\\isdev\\src\\Runtime\\Shared\\Setup\\SetupPreRequisite.cpp");
					E0040A5F5(_t369 - 0xb4);
					_t185 = L"CSetupPreRequisite::ExecuteGenericPrerequisite";
					_t289 = 0x4675d0;
					 *(_t369 - 4) = 0;
					 *((intOrPtr*)(_t369 - 0xdc)) = 0x4675d8;
					 *((intOrPtr*)(_t369 - 0xbc)) = 0x4675d0;
					if(_t185 == 0) {
						_t185 = 0x47e150;
					}
					_push(0);
					_push(_t369 - 0x15);
					_push(_t185);
					L0040B34B(_t369 - 0xdc);
					 *(_t369 - 4) = 1;
					L0045D600(_t369 - 0xdc, _t369 - 0xb4, 0x15c);
					 *(_t369 - 4) =  *(_t369 - 4) & 0x00000000;
					E004061C1(_t369 - 0xdc);
					 *(_t369 - 4) =  *(_t369 - 4) | 0xffffffff;
					E004061C1(_t369 - 0xb4);
				} else {
					_t289 = 0x4675d0;
				}
				_t355 =  *(_t369 + 8);
				_t373 = _t372 - 0x28;
				_t300 = _t373;
				 *(_t369 - 0x24) = 0;
				_t382 = _t355;
				 *(_t369 - 0x28) = _t373;
				 *_t300 = 0x46757c;
				 *((intOrPtr*)(_t300 + 0x20)) = 0x467574;
				_t192 = _t355;
				if(_t355 == 0) {
					_t192 = 0x47e150;
				}
				_push(0);
				_push(_t369 - 0x15);
				_push(_t192);
				L0040176A(_t300);
				E0041FEB5(_t369 - 0x12c, _t382); // executed
				_t363 = 0x3c;
				 *(_t369 - 4) = 2;
				 *(_t369 - 4) = 3;
				E0043C5B0(_t369 - 0x8c, 0, _t363);
				 *(_t369 - 0x8c) = _t363;
				asm("sbb ecx, ecx");
				 *(_t369 - 0x70) = 0 | L00429866(_t382,  ~( *(_t369 - 0x14) + 0x344) &  *(_t369 - 0x14) + 0x00000348, 0x477b1c) == 0x00000000;
				 *((intOrPtr*)(_t369 - 0x88)) = 0x800440;
				 *(_t369 - 0x74) = _t355;
				 *((intOrPtr*)(_t369 - 0xb4)) = 0x4675d8;
				 *((intOrPtr*)(_t369 - 0x94)) = _t289;
				if(_t355 == 0) {
					_t355 = 0x47e150;
				}
				_push(0);
				_push(_t369 + 0xb);
				_push(_t355);
				L0040B34B(_t369 - 0xb4);
				_t356 =  *(_t369 - 0x14);
				 *(_t369 - 4) = 4;
				L00425DE0(_t369 - 0xb4, _t356 + 0x2a4);
				_t204 =  *(_t369 - 0xac);
				 *(_t369 - 0x7c) = 0x4675e4;
				if(_t204 != 0) {
					 *(_t369 - 0x7c) = _t204;
				}
				if(E00408742(_t356) != 0 || L0041FE2B(_t356) != 0) {
					 *(_t369 - 0x80) = L"open";
				}
				if( *((intOrPtr*)(_t369 + 0xc)) != 0) {
					L17:
					_t206 = _t356 + 0x2f4;
				} else {
					_t206 = _t356 + 0x2cc;
					if( *((char*)(_t356 + 0x261)) != 0) {
						goto L17;
					}
				}
				_push(_t206);
				_push(_t369 - 0xdc);
				L004258DD(_t356);
				_t209 =  *(_t369 - 0xd4);
				 *(_t369 - 4) = 5;
				 *(_t369 - 0x78) = 0x4675e4;
				if(_t209 != 0) {
					 *(_t369 - 0x78) = _t209;
				}
				_t210 = L"Launching: ";
				 *((intOrPtr*)(_t369 - 0x50)) = 0x4675d8;
				 *((intOrPtr*)(_t369 - 0x30)) = _t289;
				_t391 = _t210;
				if(_t210 == 0) {
					_t210 = 0x47e150;
				}
				_push(0);
				_push(_t369 + 0xf);
				_push(_t210);
				L0040B34B(_t369 - 0x50);
				_push(0);
				_push(0);
				_push(_t369 - 0x50);
				 *(_t369 - 4) = 6;
				L0042189A(_t289,  *(_t369 - 0x14), _t391);
				 *(_t369 - 4) = 5;
				E004061C1(_t369 - 0x50);
				_push(0);
				_push(0);
				_push(_t369 - 0xb4);
				L0042189A(_t289,  *(_t369 - 0x14), _t391);
				_t217 = L" [";
				 *((intOrPtr*)(_t369 - 0x50)) = 0x4675d8;
				 *((intOrPtr*)(_t369 - 0x30)) = _t289;
				_t392 = _t217;
				if(_t217 == 0) {
					_t217 = 0x47e150;
				}
				_push(0);
				_push(_t369 + 0xf);
				_push(_t217);
				L0040B34B(_t369 - 0x50);
				_push(0);
				_push(0);
				_push(_t369 - 0x50);
				 *(_t369 - 4) = 7;
				L0042189A(_t289,  *(_t369 - 0x14), _t392);
				 *(_t369 - 4) = 5;
				E004061C1(_t369 - 0x50);
				_t222 =  *(_t369 - 0x80);
				 *((intOrPtr*)(_t369 - 0x50)) = 0x4675d8;
				_t393 = _t222;
				 *((intOrPtr*)(_t369 - 0x30)) = _t289;
				if(_t222 == 0) {
					_t222 = 0x47e150;
				}
				_push(0);
				_push(_t369 + 0xf);
				_push(_t222);
				L0040B34B(_t369 - 0x50);
				_push(0);
				_push(0);
				_push(_t369 - 0x50);
				 *(_t369 - 4) = 8;
				L0042189A(_t289,  *(_t369 - 0x14), _t393);
				 *(_t369 - 4) = 5;
				E004061C1(_t369 - 0x50);
				_t227 = L"] ";
				 *((intOrPtr*)(_t369 - 0x50)) = 0x4675d8;
				 *((intOrPtr*)(_t369 - 0x30)) = _t289;
				_t394 = _t227;
				if(_t227 == 0) {
					_t227 = 0x47e150;
				}
				_push(0);
				_push(_t369 + 0xf);
				_push(_t227);
				L0040B34B(_t369 - 0x50);
				_push(0);
				_push(0);
				_push(_t369 - 0x50);
				 *(_t369 - 4) = 9;
				L0042189A(_t289,  *(_t369 - 0x14), _t394);
				 *(_t369 - 4) = 5;
				E004061C1(_t369 - 0x50);
				_push(0);
				_push(1);
				_push(_t369 - 0xdc);
				L0042189A(_t289,  *(_t369 - 0x14), _t394);
				E00421321( *(_t369 - 0x14));
				_t235 =  *(_t369 - 0xd4);
				 *(_t369 - 0x14) = 0x4675e4;
				if(_t235 != 0) {
					 *(_t369 - 0x14) = _t235;
				}
				_t236 =  *(_t369 - 0x80);
				 *((intOrPtr*)(_t369 - 0x50)) = 0x4675d8;
				 *((intOrPtr*)(_t369 - 0x30)) = _t289;
				if(_t236 == 0) {
					_t236 = 0x47e150;
				}
				_push(0);
				_push(_t369 + 0xf);
				_push(_t236);
				L0040B34B(_t369 - 0x50);
				_t238 =  *(_t369 - 0x48);
				 *(_t369 - 4) = 0xa;
				 *(_t369 - 0x28) = 0x4675e4;
				if(_t238 != 0) {
					 *(_t369 - 0x28) = _t238;
				}
				_t290 =  *(_t369 - 0xac);
				if(_t290 == 0) {
					_t290 = 0x4675e4;
				}
				_push(1);
				_t358 = "C:\\CodeBases\\isdev\\src\\Runtime\\Shared\\Setup\\SetupPreRequisite.cpp";
				_push(_t369 - 0x16);
				_push(_t358);
				_t241 =  *(E0040A5F5(_t369 - 0x104) + 8);
				 *(_t369 - 4) = 0xb;
				if(_t241 == 0) {
					_t241 = 0x4675e4;
				}
				_push( *(_t369 - 0x14));
				 *(_t369 - 0x20) = _t241;
				 *((intOrPtr*)(_t369 - 0x1c)) = 0x180;
				_push( *(_t369 - 0x28));
				_push(_t290);
				_push(L"Creating new process for prerequisite, launching command line %s [%s] %s");
				_push(_t369 - 0x20);
				E0040840D(_t290);
				 *(_t369 - 4) = 0xa;
				E004061C1(_t369 - 0x104);
				 *(_t369 - 4) = 5;
				E004061C1(_t369 - 0x50);
				_t247 = ShellExecuteExW(_t369 - 0x8c); // executed
				if(_t247 == 0) {
					_push(1);
					_push(_t369 + 0xf);
					_push(_t358);
					_t250 =  *(E0040A5F5(_t369 - 0x104) + 8);
					 *(_t369 - 4) = 0xe;
					__eflags = _t250;
					if(_t250 == 0) {
						_t250 = 0x4675e4;
					}
					_push( *((intOrPtr*)(_t369 - 0x6c)));
					 *(_t369 - 0x20) = _t250;
					 *((intOrPtr*)(_t369 - 0x1c)) = 0x1af;
					_push(GetLastError());
					_push(L"Could not launch prerequisite, last error: %d, ShellExecute: %d");
					_push(_t369 - 0x20);
					E0040840D(_t290);
					 *(_t369 - 4) = 5;
					_t339 = _t369 - 0x104;
					goto L56;
				} else {
					if( *(_t369 - 0x54) != 0) {
						__eflags = 0;
						while(1) {
							L44:
							_t260 = MsgWaitForMultipleObjects(1, _t369 - 0x54, 0, 0xffffffff, 0x4ff);
							__eflags = _t260;
							if(_t260 == 0) {
								break;
							}
							__eflags = _t260 - 1;
							if(_t260 == 1) {
								do {
									_t270 = PeekMessageW(_t369 - 0x44, 0, 0x113, 0x113, 1); // executed
									__eflags = _t270;
									if(_t270 != 0) {
										goto L48;
									} else {
										_t277 = PeekMessageW(_t369 - 0x44, 0, 0, 0, 0x4270001); // executed
										__eflags = _t277;
										if(_t277 == 0) {
											goto L44;
										} else {
											goto L48;
										}
									}
									L56:
									E004061C1(_t339);
									 *(_t369 - 4) = 4;
									E004061C1(_t369 - 0xdc);
									 *(_t369 - 4) = 3;
									E004061C1(_t369 - 0xb4);
									_t177 = _t369 - 4;
									 *_t177 =  *(_t369 - 4) | 0xffffffff;
									__eflags =  *_t177;
									E0041FF50(_t369 - 0x12c);
									_t258 =  *(_t369 - 0x24);
									goto L57;
									L48:
									TranslateMessage(_t369 - 0x44);
									DispatchMessageW(_t369 - 0x44); // executed
									_t275 = WaitForSingleObject( *(_t369 - 0x54), 0);
									__eflags = _t275;
								} while (_t275 != 0);
								continue;
							}
							break;
						}
						GetExitCodeProcess( *(_t369 - 0x54), _t369 - 0x24); // executed
						CloseHandle( *(_t369 - 0x54));
						_push(1);
						_push(_t369 + 0xf);
						_push("C:\\CodeBases\\isdev\\src\\Runtime\\Shared\\Setup\\SetupPreRequisite.cpp");
						_t266 =  *(E0040A5F5(_t369 - 0x104) + 8);
						 *(_t369 - 4) = 0xd;
						__eflags = _t266;
						if(_t266 == 0) {
							_t266 = 0x4675e4;
						}
						_push( *(_t369 - 0x24));
						 *(_t369 - 0x20) = _t266;
						 *((intOrPtr*)(_t369 - 0x1c)) = 0x1ab;
						_push(L"Prerequisite process exited with return code %d");
						_push(_t369 - 0x20);
						E0040840D(0);
						 *(_t369 - 4) = 5;
						_t339 = _t369 - 0x104;
						goto L56;
					} else {
						_push(1);
						_push(_t369 + 0xf);
						_push(_t358);
						_t280 =  *(E0040A5F5(_t369 - 0x104) + 8);
						 *(_t369 - 4) = 0xc;
						if(_t280 == 0) {
							_t280 = 0x4675e4;
						}
						 *(_t369 - 0x20) = _t280;
						_push(L"No process created by successful prerequisite launch");
						_push(_t369 - 0x20);
						 *((intOrPtr*)(_t369 - 0x1c)) = 0x187;
						E0040840D(_t290);
						 *(_t369 - 4) = 5;
						E004061C1(_t369 - 0x104);
						 *(_t369 - 4) = 4;
						E004061C1(_t369 - 0xdc);
						 *(_t369 - 4) = 3;
						E004061C1(_t369 - 0xb4);
						 *(_t369 - 4) =  *(_t369 - 4) | 0xffffffff;
						E0041FF50(_t369 - 0x12c);
						_t258 = 0;
					}
				}
				L57:
				 *[fs:0x0] =  *((intOrPtr*)(_t369 - 0xc));
				return _t258;
			}

0x0041f7d4
0x0041f7d9
0x0041f7eb
0x0041f7ee
0x0041f7f1
0x0041f803
0x0041f805
0x0041f806
0x0041f811
0x0041f816
0x0041f81b
0x0041f822
0x0041f827
0x0041f831
0x0041f837
0x0041f839
0x0041f839
0x0041f841
0x0041f842
0x0041f843
0x0041f84a
0x0041f862
0x0041f866
0x0041f86b
0x0041f875
0x0041f87a
0x0041f884
0x0041f88b
0x0041f88b
0x0041f88b
0x0041f890
0x0041f893
0x0041f896
0x0041f898
0x0041f89b
0x0041f89d
0x0041f8a0
0x0041f8a6
0x0041f8ad
0x0041f8af
0x0041f8b1
0x0041f8b1
0x0041f8b9
0x0041f8bb
0x0041f8bc
0x0041f8bd
0x0041f8c8
0x0041f8d5
0x0041f8d6
0x0041f8e1
0x0041f8e5
0x0041f8f2
0x0041f905
0x0041f91e
0x0041f923
0x0041f92d
0x0041f930
0x0041f936
0x0041f93c
0x0041f93e
0x0041f93e
0x0041f946
0x0041f948
0x0041f949
0x0041f950
0x0041f955
0x0041f95e
0x0041f969
0x0041f96e
0x0041f974
0x0041f97d
0x0041f97f
0x0041f97f
0x0041f98b
0x0041f998
0x0041f998
0x0041f9a3
0x0041f9b4
0x0041f9b4
0x0041f9a5
0x0041f9ac
0x0041f9b2
0x00000000
0x00000000
0x0041f9b2
0x0041f9ba
0x0041f9c1
0x0041f9c4
0x0041f9c9
0x0041f9cf
0x0041f9d5
0x0041f9dc
0x0041f9de
0x0041f9de
0x0041f9e1
0x0041f9e6
0x0041f9eb
0x0041f9ee
0x0041f9f5
0x0041f9f7
0x0041f9f7
0x0041f9fc
0x0041f9fe
0x0041f9ff
0x0041fa03
0x0041fa0b
0x0041fa10
0x0041fa12
0x0041fa13
0x0041fa17
0x0041fa1f
0x0041fa23
0x0041fa2b
0x0041fa33
0x0041fa35
0x0041fa36
0x0041fa3b
0x0041fa40
0x0041fa45
0x0041fa48
0x0041fa4a
0x0041fa4c
0x0041fa4c
0x0041fa51
0x0041fa53
0x0041fa54
0x0041fa58
0x0041fa60
0x0041fa65
0x0041fa67
0x0041fa68
0x0041fa6c
0x0041fa74
0x0041fa78
0x0041fa7d
0x0041fa80
0x0041fa83
0x0041fa85
0x0041fa88
0x0041fa8a
0x0041fa8a
0x0041fa8f
0x0041fa91
0x0041fa92
0x0041fa96
0x0041fa9e
0x0041faa3
0x0041faa5
0x0041faa6
0x0041faaa
0x0041fab2
0x0041fab6
0x0041fabb
0x0041fac0
0x0041fac5
0x0041fac8
0x0041faca
0x0041facc
0x0041facc
0x0041fad1
0x0041fad3
0x0041fad4
0x0041fad8
0x0041fae0
0x0041fae5
0x0041fae7
0x0041fae8
0x0041faec
0x0041faf4
0x0041faf8
0x0041fb00
0x0041fb08
0x0041fb0a
0x0041fb0b
0x0041fb13
0x0041fb18
0x0041fb1e
0x0041fb27
0x0041fb29
0x0041fb29
0x0041fb2c
0x0041fb2f
0x0041fb34
0x0041fb37
0x0041fb39
0x0041fb39
0x0041fb3e
0x0041fb40
0x0041fb41
0x0041fb45
0x0041fb4a
0x0041fb4d
0x0041fb53
0x0041fb5a
0x0041fb5c
0x0041fb5c
0x0041fb5f
0x0041fb67
0x0041fb69
0x0041fb69
0x0041fb71
0x0041fb73
0x0041fb78
0x0041fb79
0x0041fb85
0x0041fb88
0x0041fb93
0x0041fb95
0x0041fb95
0x0041fb97
0x0041fb9a
0x0041fba0
0x0041fba7
0x0041fbaa
0x0041fbab
0x0041fbb0
0x0041fbb1
0x0041fbbf
0x0041fbc3
0x0041fbcb
0x0041fbcf
0x0041fbdb
0x0041fbe3
0x0041fd43
0x0041fd45
0x0041fd46
0x0041fd52
0x0041fd55
0x0041fd59
0x0041fd5b
0x0041fd5d
0x0041fd5d
0x0041fd5f
0x0041fd62
0x0041fd65
0x0041fd72
0x0041fd76
0x0041fd7b
0x0041fd7c
0x0041fd84
0x0041fd88
0x00000000
0x0041fbe9
0x0041fbed
0x0041fc76
0x0041fc78
0x0041fc78
0x0041fc86
0x0041fc8c
0x0041fc8e
0x00000000
0x00000000
0x0041fc90
0x0041fc93
0x0041fc95
0x0041fc9e
0x0041fca0
0x0041fca2
0x00000000
0x0041fca4
0x0041fcb0
0x0041fcb2
0x0041fcb4
0x00000000
0x00000000
0x00000000
0x00000000
0x0041fcb4
0x0041fd8e
0x0041fd8e
0x0041fd99
0x0041fd9d
0x0041fda8
0x0041fdac
0x0041fdb4
0x0041fdb4
0x0041fdb4
0x0041fdbe
0x0041fdc3
0x00000000
0x0041fcb6
0x0041fcba
0x0041fcc4
0x0041fcce
0x0041fcd4
0x0041fcd4
0x00000000
0x0041fcd8
0x00000000
0x0041fc93
0x0041fce1
0x0041fcea
0x0041fcf3
0x0041fcf5
0x0041fcf6
0x0041fd06
0x0041fd09
0x0041fd0d
0x0041fd0f
0x0041fd11
0x0041fd11
0x0041fd16
0x0041fd19
0x0041fd1f
0x0041fd26
0x0041fd2b
0x0041fd2c
0x0041fd34
0x0041fd38
0x00000000
0x0041fbef
0x0041fbf2
0x0041fbf4
0x0041fbf5
0x0041fc01
0x0041fc04
0x0041fc0a
0x0041fc0c
0x0041fc0c
0x0041fc0e
0x0041fc14
0x0041fc19
0x0041fc1a
0x0041fc21
0x0041fc27
0x0041fc32
0x0041fc3d
0x0041fc41
0x0041fc4c
0x0041fc50
0x0041fc55
0x0041fc5f
0x0041fc64
0x0041fc64
0x0041fbed
0x0041fdc5
0x0041fdca
0x0041fdd3

APIs

__EH_prolog.LIBCMT ref: 0041F7D4

Part of subcall function 0042189A: __EH_prolog.LIBCMT ref: 0042189F
Part of subcall function 0042189A: SetWindowTextW.USER32(00000000,?), ref: 00421991

Part of subcall function 004061C1: __EH_prolog.LIBCMT ref: 004061C6
Part of subcall function 004061C1: GetLastError.KERNEL32(000004B1,00000000,?,0040C82E,004675D8,?,00000000,?,00000000,004675D0,?,004675D8), ref: 004061E9
Part of subcall function 004061C1: SysFreeString.OLEAUT32(?), ref: 00406207
Part of subcall function 004061C1: SetLastError.KERNEL32(?,00000001,?,0040C82E,004675D8,?,00000000,?,00000000,004675D0,?,004675D8), ref: 00406227

ShellExecuteExW.SHELL32(?), ref: 0041FBDB

Part of subcall function 0040840D: __EH_prolog.LIBCMT ref: 00408412

Part of subcall function 0041FF50: SetCurrentDirectoryW.KERNELBASE(?,?,0041FDC3), ref: 0041FF66

Strings

Creating new process for prerequisite, launching command line %s [%s] %s, xrefs: 0041FBAB
Prerequisite process exited with return code %d, xrefs: 0041FD26
uF, xrefs: 0041FD11
PG, xrefs: 0041F9F0
CSetupPreRequisite::ExecuteGenericPrerequisite, xrefs: 0041F816, 0041F843
Launching: , xrefs: 0041F9E1, 0041F9FF
tuF, xrefs: 0041F8A6
uF, xrefs: 0041FB8E
Could not launch prerequisite, last error: %d, ShellExecute: %d, xrefs: 0041FD76
uF, xrefs: 0041FB53
PG, xrefs: 0041F839
PG, xrefs: 0041F93E
uF, xrefs: 0041FB69
uF, xrefs: 0041F974
uF, xrefs: 0041FB1E
C:\CodeBases\isdev\src\Runtime\Shared\Setup\SetupPreRequisite.cpp, xrefs: 0041F806, 0041FB73, 0041FB79, 0041FBF5, 0041FCF6, 0041FD46
No process created by successful prerequisite launch, xrefs: 0041FC14
open, xrefs: 0041F998, 0041FA92, 0041FB41
uF, xrefs: 0041F9D5
PG, xrefs: 0041F8B1

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: H_prolog$ErrorLast$CurrentDirectoryExecuteFreeShellStringTextWindow
String ID: C:\CodeBases\isdev\src\Runtime\Shared\Setup\SetupPreRequisite.cpp$CSetupPreRequisite::ExecuteGenericPrerequisite$Could not launch prerequisite, last error: %d, ShellExecute: %d$Creating new process for prerequisite, launching command line %s [%s] %s$Launching: $No process created by successful prerequisite launch$Prerequisite process exited with return code %d$PG$PG$PG$PG$open$tuF$uF$uF$uF$uF$uF$uF$uF
API String ID: 1685500064-133213772
Opcode ID: 3a8f4c0a90ce9e195b4d339f32a6b1be6b23064ce2737dfb8ab6542bef08964f
Instruction ID: 0ddd0887789e2d96b456f70b1a016552036fd73f754d30dc929dad635bb5569c
Opcode Fuzzy Hash: 3a8f4c0a90ce9e195b4d339f32a6b1be6b23064ce2737dfb8ab6542bef08964f
Instruction Fuzzy Hash: FD026471A00219AFDF10DBD5CD85BEEBBB8AF14304F1041AEE505B7281EB785E49CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00409090 Relevance: 53.0, APIs: 2, Strings: 28, Instructions: 464
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 76%

			E00409090(intOrPtr __ecx) {
				void* __esi;
				struct HWND__* _t209;
				intOrPtr _t215;
				intOrPtr _t223;
				void* _t225;
				void* _t232;
				intOrPtr _t239;
				intOrPtr _t243;
				intOrPtr _t247;
				intOrPtr _t254;
				intOrPtr _t264;
				intOrPtr _t267;
				intOrPtr _t272;
				intOrPtr _t277;
				intOrPtr _t278;
				intOrPtr _t280;
				intOrPtr _t288;
				intOrPtr _t293;
				intOrPtr _t300;
				void* _t308;
				intOrPtr _t311;
				intOrPtr* _t332;
				intOrPtr _t356;
				intOrPtr _t369;
				signed char _t396;
				signed char _t400;
				intOrPtr* _t401;
				void* _t403;
				void* _t405;
				void* _t406;
				intOrPtr* _t408;
				void* _t409;
				intOrPtr _t410;

				L0043B644(0x45fb7f, _t403);
				_t406 = _t405 - 0x2a8;
				 *((intOrPtr*)(_t403 - 0x10)) = __ecx;
				_t400 = 0;
				_t396 = 1;
				 *((intOrPtr*)(_t403 - 0x1c)) = 0;
				 *(_t403 - 0x24) = _t396;
				if( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0xc8))))))() == _t396) {
					 *(_t403 - 0x24) = 0;
				}
				_t209 =  *0x47e1c8; // 0x0
				 *((intOrPtr*)(_t403 - 0x2c)) = _t400;
				if(_t209 != _t400) {
					 *((intOrPtr*)(_t403 - 0x2c)) = GetDlgItem(_t209, 0x40b);
				}
				L00409756( *((intOrPtr*)(_t403 + 0xc)), _t403 - 0xfc);
				_push(_t400);
				 *(_t403 - 4) = _t396;
				_push( *((intOrPtr*)(_t403 + 0x10)));
				 *((intOrPtr*)(_t403 - 0x5c)) = 0x4675d8;
				 *((intOrPtr*)(_t403 - 0x3c)) = 0x4675d0;
				L0040B2B8(_t403 - 0x5c);
				 *(_t403 - 4) = 2;
				E0040A76F(_t403 - 0x5c, _t403 - 0xfc);
				_t215 = L0041F26E( *((intOrPtr*)(_t403 + 0xc)));
				 *((intOrPtr*)(_t403 - 0x34)) = _t215;
				 *((intOrPtr*)(_t403 - 0x14)) = _t400;
				if(_t215 <= _t400) {
					L51:
					_t401 =  *((intOrPtr*)(_t403 + 8));
					_push(0);
					_push(_t403 - 0x5c);
					 *_t401 = 0x4675d8;
					 *((intOrPtr*)(_t401 + 0x20)) = 0x4675d0;
					L0040B2B8(_t401);
					 *((intOrPtr*)(_t403 - 0x1c)) = 1;
					goto L52;
				} else {
					do {
						_push( *((intOrPtr*)(_t403 - 0x14)));
						_push(_t403 - 0xac);
						L0041F1D0( *((intOrPtr*)(_t403 + 0xc)));
						 *(_t403 - 4) = 3;
						if( *((intOrPtr*)(_t403 - 0x14)) != _t400) {
							L18:
							_t223 = E0040A5A5(_t403 - 0x58);
							_t408 = _t406 - 0x28;
							_t332 = _t408;
							 *((intOrPtr*)(_t403 - 0x18)) = _t408;
							 *_t332 = 0x46757c;
							 *((intOrPtr*)(_t332 + 0x20)) = 0x467574;
							if(_t223 == _t400) {
								_t223 = 0x47e150;
							}
							_push(_t400);
							_push(_t403 - 0x2d);
							_push(_t223);
							L0040176A(_t332);
							_t225 = E0042DD60();
							_t409 = _t408 + 0x28;
							if(_t225 == 0) {
								_t401 =  *((intOrPtr*)(_t403 + 8));
								_push(0);
								_push(_t403 + 0xf);
								_push(0x47e150);
								 *_t401 = 0x4675d8;
								 *((intOrPtr*)(_t401 + 0x20)) = 0x4675d0;
								L0040B34B(_t401);
								 *((intOrPtr*)(_t403 - 0x1c)) = 1;
								goto L60;
							} else {
								if( *((intOrPtr*)(_t403 - 0x14)) == _t400 &&  *(_t403 - 0x24) != _t400) {
									_t280 =  *((intOrPtr*)(_t403 - 0x54));
									if(_t280 == _t400) {
										_t280 = 0x4675e4;
									}
									_t426 = _t280 - _t400;
									 *((intOrPtr*)(_t403 - 0x1c4)) = 0x46757c;
									 *((intOrPtr*)(_t403 - 0x1a4)) = 0x467574;
									if(_t280 == _t400) {
										_t280 = 0x47e150;
									}
									_t76 = _t403 - 0x1c4; // 0x46757c
									L0040176A(_t76);
									_t78 = _t403 - 0x1c4; // 0x46757c
									 *(_t403 - 4) = 0xa;
									 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t403 - 0x10)) + 0xc8)))) + 4))(_t78, _t280, _t403 - 0x30, _t400);
									_t82 = _t403 - 0x1c4; // 0x46757c
									 *(_t403 - 4) = 3;
									L0040125C(_t82);
								}
								_push(_t400);
								_push(_t403 - 0x5c);
								 *((intOrPtr*)(_t403 - 0x84)) = 0x4675d8;
								 *((intOrPtr*)(_t403 - 0x64)) = 0x4675d0;
								L0040B2B8(_t403 - 0x84);
								_push(_t403 - 0x2b4);
								 *(_t403 - 4) = 0xb;
								_t232 = E0040A7F4(_t403 - 0xac, _t426);
								 *(_t403 - 4) = 0xc;
								E0040A76F(_t403 - 0x84, _t232);
								 *(_t403 - 4) = 0xb;
								E004061C1(_t403 - 0x2b4);
								_push(_t400);
								_push(_t403 - 0x2e);
								 *((intOrPtr*)(_t403 - 0x124)) = 0x4675d8;
								 *((intOrPtr*)(_t403 - 0x104)) = 0x4675d0;
								L0040B243(_t403 - 0x124);
								_push(_t403 - 0x28c);
								 *(_t403 - 4) = 0xd;
								_t239 =  *((intOrPtr*)(E0040A7F4(_t403 - 0xac, _t426) + 8));
								 *(_t403 - 4) = 0xe;
								if(_t239 == _t400) {
									_t239 = 0x4675e4;
								}
								_t341 =  *((intOrPtr*)(_t403 - 0xf4));
								if( *((intOrPtr*)(_t403 - 0xf4)) == _t400) {
									_t341 = 0x4675e4;
								}
								_push(_t239);
								L0040AF38(_t403 - 0x124, L"%s.%s", _t341);
								_t406 = _t409 + 0x10;
								 *(_t403 - 4) = 0xd;
								E004061C1(_t403 - 0x28c);
								_t243 =  *((intOrPtr*)(_t403 - 0x11c));
								if(_t243 == _t400) {
									_t243 = 0x4675e4;
								}
								_push(_t243);
								if( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t403 - 0x10)) + 0xc8)))) + 0x58))() == 0) {
									_t247 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t403 - 0x10)) + 0xc8))))))();
									__eflags = _t247;
									if(_t247 != 0) {
										goto L50;
									}
									__eflags =  *0x47e1c8 - _t400; // 0x0
									if(__eflags != 0) {
										_push(0x681);
										_push(_t400);
										_push(_t400);
										_push( *((intOrPtr*)(_t403 + 0x14)));
										_push( *((intOrPtr*)(_t403 - 0x2c)));
										L0040727F( *((intOrPtr*)(_t403 - 0x10)));
										_push(_t400);
										_push(_t403 - 0x25);
										 *((intOrPtr*)(_t403 - 0x14c)) = 0x4675d8;
										 *((intOrPtr*)(_t403 - 0x12c)) = 0x4675d0;
										L0040B243(_t403 - 0x14c);
										_push(_t403 - 0x214);
										 *(_t403 - 4) = 0xf;
										_t264 =  *((intOrPtr*)(E0040A7F4(_t403 - 0x84, __eflags) + 8));
										 *(_t403 - 4) = 0x10;
										__eflags = _t264 - _t400;
										 *((intOrPtr*)(_t403 - 0x18)) = 0x4675e4;
										if(__eflags != 0) {
											 *((intOrPtr*)(_t403 - 0x18)) = _t264;
										}
										_t356 =  *0x47e1d4; // 0x2380b70
										_push(0x681);
										_push(_t403 - 0x264);
										_t267 =  *((intOrPtr*)(E00403E82(_t356, __eflags) + 8));
										 *(_t403 - 4) = 0x11;
										__eflags = _t267 - _t400;
										if(_t267 == _t400) {
											_t267 = 0x467570;
										}
										_t143 = _t403 - 0x18; // 0x4675e4
										_push( *_t143);
										L0040AF38(_t403 - 0x14c, L"%s: %s", _t267);
										_t406 = _t406 + 0x10;
										 *(_t403 - 4) = 0x10;
										L0040125C(_t403 - 0x264);
										 *(_t403 - 4) = 0xf;
										E004061C1(_t403 - 0x214);
										_t272 =  *((intOrPtr*)(_t403 - 0x144));
										__eflags = _t272 - _t400;
										if(_t272 == _t400) {
											_t272 = 0x4675e4;
										}
										E004085B5( *((intOrPtr*)(_t403 - 0x10)), _t400, _t272);
										E00406737( *((intOrPtr*)(_t403 - 0x10)));
										 *(_t403 - 4) = 0xd;
										E004061C1(_t403 - 0x14c);
									}
									_push(_t403 - 0x34);
									_push( *((intOrPtr*)(_t403 - 0x14)));
									_push(_t403 - 0x84);
									_push( *((intOrPtr*)(_t403 + 0xc)));
									_t254 = L00409786( *((intOrPtr*)(_t403 - 0x10)), __eflags);
									__eflags = _t254;
									if(_t254 == 0) {
										_t401 =  *((intOrPtr*)(_t403 + 8));
										_push(0);
										_push(_t403 + 0xf);
										_push(0x47e150);
										 *_t401 = 0x4675d8;
										 *((intOrPtr*)(_t401 + 0x20)) = 0x4675d0;
										L0040B34B(_t401);
										 *((intOrPtr*)(_t403 - 0x1c)) = 1;
										 *(_t403 - 4) = 0xb;
										E004061C1(_t403 - 0x124);
										 *(_t403 - 4) = 3;
										E004061C1(_t403 - 0x84);
										L60:
										 *(_t403 - 4) = 2;
										E004061C1(_t403 - 0xac);
										L52:
										 *(_t403 - 4) = 1;
										E004061C1(_t403 - 0x5c);
										 *(_t403 - 4) =  *(_t403 - 4) & 0x00000000;
										E004061C1(_t403 - 0xfc);
										 *[fs:0x0] =  *((intOrPtr*)(_t403 - 0xc));
										return _t401;
									} else {
										goto L50;
									}
								} else {
									_push(0x680);
									_push(_t400);
									_push(_t400);
									_push( *((intOrPtr*)(_t403 + 0x14)));
									_push( *((intOrPtr*)(_t403 - 0x2c)));
									L0040727F( *((intOrPtr*)(_t403 - 0x10)));
									_t277 =  *((intOrPtr*)(_t403 - 0x7c));
									 *((intOrPtr*)(_t403 - 0x18)) = 0x4675e4;
									if(_t277 != _t400) {
										 *((intOrPtr*)(_t403 - 0x18)) = _t277;
									}
									_t278 =  *((intOrPtr*)(_t403 - 0x11c));
									if(_t278 == _t400) {
										_t278 = 0x4675e4;
									}
									_t121 = _t403 - 0x18; // 0x4675e4
									 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t403 - 0x10)) + 0xc8)))) + 0x30))(_t278, 1, 1,  *_t121,  *(_t403 - 0x24));
									_t400 = 0;
									goto L50;
								}
							}
						}
						_t369 =  *0x47e1d4; // 0x2380b70
						E00404705(_t369, _t403 - 0xd4);
						_t288 =  *0x4675c4; // 0x4765f0
						 *(_t403 - 4) = 4;
						 *((intOrPtr*)(_t403 - 0x1ec)) = 0x46757c;
						 *((intOrPtr*)(_t403 - 0x1cc)) = 0x467574;
						if(_t288 == _t400) {
							_t288 = 0x47e150;
						}
						_push(_t400);
						_push(_t403 + 0x13);
						_push(_t288);
						_t31 = _t403 - 0x1ec; // 0x46757c
						L0040176A(_t31);
						_t32 = _t403 - 0x1ec; // 0x46757c
						 *(_t403 - 4) = 5;
						L0040B11C(_t403 - 0xd4, _t403, _t32);
						_t35 = _t403 - 0x1ec; // 0x46757c
						 *(_t403 - 4) = 4;
						L0040125C(_t35);
						_t293 =  *((intOrPtr*)(_t403 - 0xf4));
						if(_t293 == _t400) {
							_t293 = 0x4675e4;
						}
						_t417 = _t293 - _t400;
						 *((intOrPtr*)(_t403 - 0x174)) = 0x46757c;
						 *((intOrPtr*)(_t403 - 0x154)) = 0x467574;
						if(_t293 == _t400) {
							_t293 = 0x47e150;
						}
						_push(_t400);
						_push(_t403 - 0x2f);
						_push(_t293);
						_t41 = _t403 - 0x174; // 0x46757c
						L0040176A(_t41);
						_t42 = _t403 - 0x174; // 0x46757c
						 *(_t403 - 4) = 6;
						L0040B11C(_t403 - 0xd4, _t403, _t42);
						_t45 = _t403 - 0x174; // 0x46757c
						 *(_t403 - 4) = 4;
						L0040125C(_t45);
						_push(_t403 - 0x23c);
						_t300 =  *((intOrPtr*)(E0040A7F4(_t403 - 0xac, _t417) + 8));
						 *(_t403 - 4) = 7;
						if(_t300 == _t400) {
							_t300 = 0x4675e4;
						}
						 *((intOrPtr*)(_t403 - 0x19c)) = 0x46757c;
						 *((intOrPtr*)(_t403 - 0x17c)) = 0x467574;
						if(_t300 == _t400) {
							_t300 = 0x47e150;
						}
						_push(_t400);
						_push(_t403 - 0x1d);
						_push(_t300);
						_t54 = _t403 - 0x19c; // 0x46757c
						L0040176A(_t54);
						_t55 = _t403 - 0x19c; // 0x46757c
						 *(_t403 - 4) = 8;
						L0040B11C(_t403 - 0xd4, _t403, _t55);
						_t58 = _t403 - 0x19c; // 0x46757c
						 *(_t403 - 4) = 7;
						L0040125C(_t58);
						 *(_t403 - 4) = 4;
						E004061C1(_t403 - 0x23c);
						_push(4);
						_t410 = _t406 - 0x28;
						 *((intOrPtr*)(_t403 - 0x18)) = _t410;
						L00401708(_t410, _t403 - 0xd4, 1); // executed
						_t308 = E0042CFBE(); // executed
						_t406 = _t410 + 0x2c;
						if(_t308 != 0) {
							_push(_t400);
							_push(_t400);
							_push(_t403 - 0x214);
							_t311 =  *((intOrPtr*)(L00401840(_t403 - 0xd4, __eflags) + 8));
							 *(_t403 - 4) = 9;
							__eflags = _t311 - _t400;
							if(_t311 == _t400) {
								_t311 = 0x467570;
							}
							_t401 =  *((intOrPtr*)(_t403 + 8));
							__eflags = _t311;
							 *_t401 = 0x4675d8;
							 *((intOrPtr*)(_t401 + 0x20)) = 0x4675d0;
							if(_t311 == 0) {
								_t311 = 0x47e150;
							}
							_push(0);
							_push(_t403 + 0xf);
							_push(_t311);
							L0040B34B(_t401);
							 *((intOrPtr*)(_t403 - 0x1c)) = 1;
							 *(_t403 - 4) = 4;
							L0040125C(_t403 - 0x214);
							 *(_t403 - 4) = 3;
							L0040125C(_t403 - 0xd4);
							goto L60;
						} else {
							 *(_t403 - 4) = 3;
							L0040125C(_t403 - 0xd4);
							goto L18;
						}
						L50:
						 *(_t403 - 4) = 0xb;
						E004061C1(_t403 - 0x124);
						 *(_t403 - 4) = 3;
						E004061C1(_t403 - 0x84);
						 *(_t403 - 4) = 2;
						E004061C1(_t403 - 0xac);
						 *((intOrPtr*)(_t403 - 0x14)) =  *((intOrPtr*)(_t403 - 0x14)) + 1;
					} while ( *((intOrPtr*)(_t403 - 0x14)) <  *((intOrPtr*)(_t403 - 0x34)));
					goto L51;
				}
			}

0x00409095
0x0040909a
0x004090a2
0x004090b0
0x004090b2
0x004090b3
0x004090b6
0x004090bd
0x004090bf
0x004090bf
0x004090c2
0x004090c7
0x004090cc
0x004090da
0x004090da
0x004090e7
0x004090ec
0x004090ed
0x004090f0
0x00409100
0x00409103
0x00409106
0x00409115
0x00409119
0x00409121
0x00409128
0x0040912b
0x0040912e
0x0040962c
0x0040962c
0x00409632
0x00409634
0x00409637
0x00409639
0x0040963c
0x00409641
0x00000000
0x00409134
0x00409134
0x00409134
0x00409140
0x00409141
0x00409149
0x0040914d
0x004092de
0x004092e1
0x004092e6
0x004092eb
0x004092ed
0x004092f0
0x004092f6
0x004092fd
0x004092ff
0x004092ff
0x00409307
0x00409308
0x00409309
0x0040930a
0x0040930f
0x00409314
0x00409319
0x00409721
0x00409727
0x00409729
0x0040972a
0x00409731
0x00409733
0x00409736
0x0040973b
0x00000000
0x0040931f
0x00409322
0x00409329
0x0040932e
0x00409330
0x00409330
0x00409335
0x00409337
0x00409341
0x0040934b
0x0040934d
0x0040934d
0x00409358
0x0040935e
0x00409366
0x0040936d
0x00409379
0x0040937c
0x00409382
0x00409386
0x00409386
0x0040938e
0x0040938f
0x00409396
0x0040939c
0x0040939f
0x004093b0
0x004093b1
0x004093b5
0x004093c1
0x004093c5
0x004093d0
0x004093d4
0x004093dc
0x004093dd
0x004093e4
0x004093ea
0x004093f0
0x00409401
0x00409402
0x0040940b
0x0040940e
0x00409414
0x00409416
0x00409416
0x0040941b
0x00409423
0x00409425
0x00409425
0x0040942a
0x00409438
0x0040943d
0x00409446
0x0040944a
0x0040944f
0x00409457
0x00409459
0x00409459
0x00409461
0x0040946f
0x004094d1
0x004094d3
0x004094d5
0x00000000
0x00000000
0x004094db
0x004094e1
0x004094e7
0x004094ef
0x004094f0
0x004094f1
0x004094f4
0x004094f7
0x004094ff
0x00409500
0x00409507
0x0040950d
0x00409513
0x00409524
0x00409525
0x0040952e
0x00409531
0x00409535
0x00409537
0x0040953e
0x00409540
0x00409540
0x00409543
0x0040954f
0x00409554
0x0040955a
0x0040955d
0x00409561
0x00409563
0x00409565
0x00409565
0x0040956a
0x0040956a
0x0040957a
0x0040957f
0x00409588
0x0040958c
0x00409597
0x0040959b
0x004095a0
0x004095a6
0x004095a8
0x004095aa
0x004095aa
0x004095b3
0x004095bb
0x004095c6
0x004095ca
0x004095ca
0x004095d5
0x004095dc
0x004095df
0x004095e0
0x004095e3
0x004095e8
0x004095ea
0x004096e0
0x004096e6
0x004096e8
0x004096e9
0x004096f0
0x004096f2
0x004096f5
0x00409700
0x00409707
0x0040970b
0x00409716
0x0040971a
0x00409742
0x00409748
0x0040974c
0x00409648
0x0040964b
0x0040964f
0x00409654
0x0040965e
0x0040966a
0x00409673
0x00000000
0x00000000
0x00000000
0x00409471
0x00409471
0x00409479
0x0040947a
0x0040947b
0x0040947e
0x00409481
0x00409486
0x00409489
0x00409492
0x00409494
0x00409494
0x00409497
0x0040949f
0x004094a1
0x004094a1
0x004094ac
0x004094bc
0x004094bf
0x00000000
0x004094bf
0x0040946f
0x00409319
0x00409153
0x00409160
0x00409165
0x0040916a
0x00409170
0x0040917a
0x00409184
0x00409186
0x00409186
0x0040918e
0x0040918f
0x00409190
0x00409191
0x00409197
0x0040919c
0x004091a9
0x004091ad
0x004091b2
0x004091b8
0x004091bc
0x004091c1
0x004091c9
0x004091cb
0x004091cb
0x004091d0
0x004091d2
0x004091dc
0x004091e6
0x004091e8
0x004091e8
0x004091f0
0x004091f1
0x004091f2
0x004091f3
0x004091f9
0x004091fe
0x0040920b
0x0040920f
0x00409214
0x0040921a
0x0040921e
0x0040922f
0x00409235
0x00409238
0x0040923e
0x00409240
0x00409240
0x00409247
0x00409251
0x0040925b
0x0040925d
0x0040925d
0x00409265
0x00409266
0x00409267
0x00409268
0x0040926e
0x00409273
0x00409280
0x00409284
0x00409289
0x0040928f
0x00409293
0x0040929e
0x004092a2
0x004092a7
0x004092af
0x004092b4
0x004092ba
0x004092bf
0x004092c4
0x004092c9
0x00409676
0x0040967d
0x0040967e
0x0040968a
0x0040968d
0x00409691
0x00409693
0x00409695
0x00409695
0x0040969a
0x0040969d
0x0040969f
0x004096a1
0x004096a4
0x004096a6
0x004096a6
0x004096ae
0x004096b0
0x004096b1
0x004096b4
0x004096b9
0x004096c6
0x004096ca
0x004096d5
0x004096d9
0x00000000
0x004092cf
0x004092d5
0x004092d9
0x00000000
0x004092d9
0x004095f0
0x004095f6
0x004095fa
0x00409605
0x00409609
0x00409614
0x00409618
0x0040961d
0x00409623
0x00000000
0x00409134

APIs

__EH_prolog.LIBCMT ref: 00409095
GetDlgItem.USER32 ref: 004090D4

Part of subcall function 0040B243: __EH_prolog.LIBCMT ref: 0040B248
Part of subcall function 0040B243: GetLastError.KERNEL32(?,?,00000000,?,0040A625,?,00000000,?,?,0040F157,C:\CodeBases\isdev\src\Runtime\InstallScript\SetupNew\setup.cpp,?,00000001,00467574,00000000,0046757C), ref: 0040B271
Part of subcall function 0040B243: SetLastError.KERNEL32(?,00000000,?,00000000,?,0040A625,?,00000000,?,?,0040F157,C:\CodeBases\isdev\src\Runtime\InstallScript\SetupNew\setup.cpp,?,00000001,00467574,00000000), ref: 0040B29F

Part of subcall function 0040A7F4: __EH_prolog.LIBCMT ref: 0040A7F9

Part of subcall function 0040727F: __EH_prolog.LIBCMT ref: 00407284
Part of subcall function 0040727F: IsWindow.USER32(?), ref: 004072A1
Part of subcall function 0040727F: SendMessageW.USER32(?,00001074,?,?), ref: 00407341
Part of subcall function 0040727F: SendMessageW.USER32(?,0000101E,00000000,000000FE), ref: 00407350

Strings

tuF, xrefs: 00409341
uF, xrefs: 004094A1
uF, xrefs: 00409330
PG, xrefs: 004091E8
puF, xrefs: 00409695
|uF, xrefs: 00409191
uF, xrefs: 00409459
uF, xrefs: 00409240
uF, xrefs: 00409416
uF, xrefs: 00409425
|uF, xrefs: 004091F3
uF, xrefs: 004091CB
tuF, xrefs: 004092F6
PG, xrefs: 0040925D
uF, xrefs: 004094AC
tuF, xrefs: 0040917A
%s.%s, xrefs: 00409432
%s: %s, xrefs: 00409574
tuF, xrefs: 004091DC
|uF, xrefs: 00409358
uF, xrefs: 004095AA
PG, xrefs: 004096A6
PG, xrefs: 0040934D
tuF, xrefs: 00409251
PG, xrefs: 004092FF
|uF, xrefs: 00409268
PG, xrefs: 00409186
puF, xrefs: 00409565

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: H_prolog$ErrorLastMessageSend$ItemWindow
String ID: %s.%s$%s: %s$PG$PG$PG$PG$PG$PG$puF$puF$tuF$tuF$tuF$tuF$tuF$|uF$|uF$|uF$|uF$uF$uF$uF$uF$uF$uF$uF$uF$uF
API String ID: 2719409768-594911846
Opcode ID: b9834be2f5b04be26ff2322b8d1c30b2ce0cd493f16c444a917534a476156c43
Instruction ID: 44e304f8a60d340e2b328a61529f81c26fcec0c07184ef1f5abfba046fbe7d81
Opcode Fuzzy Hash: b9834be2f5b04be26ff2322b8d1c30b2ce0cd493f16c444a917534a476156c43
Instruction Fuzzy Hash: 3C124070901159EBCF11DB95C985BDDBBB8AF18308F1080EEE549B7282DB785E44CF69

Uniqueness

Uniqueness Score: -1.00%

Function 0044B840 Relevance: 49.4, APIs: 20, Strings: 8, Instructions: 383
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E0044B840(void* __ecx, intOrPtr _a4) {
				intOrPtr _v8;
				int _v16;
				intOrPtr _v24;
				int _v28;
				int _v68;
				intOrPtr _v84;
				intOrPtr _v108;
				int _v120;
				intOrPtr _v128;
				void* _v176;
				void _v1023;
				char _v1024;
				char _v1036;
				char _v1040;
				char _v1076;
				char _v1084;
				void _v1123;
				char _v1124;
				char _v1128;
				char _v1136;
				char _v1200;
				void _v1223;
				char _v1224;
				char _v1240;
				char _v1244;
				void* _v1252;
				void* _v1264;
				char _v1272;
				char _v1276;
				void* _v1280;
				void* _v1284;
				intOrPtr _v1288;
				char _v1300;
				char _v1308;
				char _v1320;
				char _v1328;
				void* _v1340;
				char _v1344;
				void* _v1352;
				char _v1360;
				char _v1364;
				char _v1366;
				void* _v1372;
				void* _v1376;
				char _v1378;
				intOrPtr _v1380;
				intOrPtr _v1384;
				char _v1389;
				intOrPtr _v1396;
				char _v1404;
				intOrPtr _v1412;
				char _v1415;
				signed int _v1428;
				void* _v1432;
				char _v1437;
				char _v1440;
				void* _v1444;
				int _v1448;
				char _v1452;
				char _v1456;
				void* _v1464;
				void* _v1468;
				intOrPtr _v1472;
				intOrPtr _v1480;
				char _v1486;
				void* _v1544;
				intOrPtr _v1552;
				void* __ebp;
				intOrPtr _t138;
				CHAR* _t140;
				int _t142;
				void* _t149;
				CHAR* _t153;
				intOrPtr _t155;
				CHAR* _t157;
				long _t170;
				intOrPtr _t179;
				CHAR* _t181;
				intOrPtr _t202;
				void* _t205;
				int* _t221;
				void* _t228;
				int* _t284;
				signed int _t326;
				unsigned int _t327;
				signed int _t330;
				signed int _t336;
				void* _t337;
				intOrPtr _t338;
				int _t341;
				long* _t343;
				intOrPtr _t347;
				void* _t348;
				intOrPtr _t351;
				void* _t354;
				intOrPtr _t355;
				void* _t356;
				signed int _t357;
				void* _t358;
				signed int _t366;

				_push(0xffffffff);
				_push(0x465dbc);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t347;
				_t348 = _t347 - 0x54c;
				_t138 = _a4;
				_t228 = __ecx;
				_v1308 = 0x4675d8;
				_v1276 = 0x4675d0;
				if(_t138 == 0) {
					_t138 = 0x47e150;
				}
				_push(0);
				_push( &_v1366);
				_push(_t138);
				L0040B34B( &_v1308);
				_v16 = 0;
				_t140 = L00453100( &_v1320);
				_t8 = _t228 + 8; // 0x9
				_t345 = _t8;
				_t142 = GetPrivateProfileIntA(_t140, "RECTS", 0, L00452F40(_t8)); // executed
				_t341 = _t142;
				_v1364 = _t341;
				_v16 = 0xffffffff;
				E004061C1( &_v1320);
				_v1124 = 0;
				memset( &_v1123, 0, 0x18 << 2);
				asm("stosw");
				asm("stosb");
				_v1224 = 0;
				memset( &_v1223, 0, 0x18 << 2);
				asm("stosw");
				asm("stosb");
				_v1024 = 0;
				_t149 = memset( &_v1023, 0, 0xf9 << 2);
				_t351 = _t348 + 0x24;
				asm("stosw");
				_v1372 = 1;
				asm("stosb");
				if(_t341 >= 1) {
					do {
						_t343 = L0043BC14(0x18);
						lstrcpyA( &_v1124, "RECT");
						_t153 = L0043FAB7(_v1372,  &_v1024, 0xa);
						_t354 = _t351 + 0x10;
						lstrcatA( &_v1124, _t153);
						_t155 = _v8;
						_v1272 = 0x4675d8;
						_t361 = _t155;
						_v1240 = 0x4675d0;
						if(_t155 == 0) {
							_t155 = 0x47e150;
						}
						_push(0);
						_push( &_v1378);
						_push(_t155);
						L0040B34B( &_v1272);
						_v28 = 1;
						_t157 = L00453100( &_v1284);
						GetPrivateProfileStringA(_t157,  &_v1136, 0x47e154,  &_v1036, 0x3e8, L00452F40(_t345)); // executed
						asm("sbb eax, eax");
						_v28 = 0xffffffff;
						 *((intOrPtr*)( *((intOrPtr*)( *( ~( &_v1284) &  &_v1252) + 4)) + ( ~( &_v1284) &  &_v1252))) = GetLastError();
						asm("sbb ecx, ecx");
						E00430164( ~( &_v1284) &  &_v1264);
						asm("sbb ecx, ecx");
						E0040213C( ~( &_v1284) &  &_v1280, 1);
						_t44 = _v1288 + 4; // 0x24
						SetLastError( *(_t354 +  *_t44 + 0x7c));
						_t170 = GetSysColor(0xf);
						_push(_t343);
						 *_t343 = _t170;
						_t355 = _t354 - 0x28;
						_v1384 = _t355;
						L004472C0(_t355,  &_v1040,  &_v1389, 1);
						L0044F620(_t345, _t361);
						_t343[1] = CreateSolidBrush( *_t343);
						lstrcpyA( &_v1300,  &_v1200);
						lstrcatA( &_v1300, "POS");
						_v1396 = 0x4675d8;
						_t179 = _v84;
						_v1364 = 0x4675d0;
						_t362 = _t179;
						if(_t179 == 0) {
							_t179 = 0x47e150;
						}
						L0040B34B( &_v1360);
						_v68 = 2;
						_t181 = L00453100( &_v1372);
						GetPrivateProfileStringA(_t181,  &_v1276, 0x47e154,  &_v1076, 0x3e8, L00452F40(_t345)); // executed
						asm("sbb eax, eax");
						_v68 = 0xffffffff;
						 *((intOrPtr*)( *((intOrPtr*)( *( ~( &_v1372) &  &_v1340) + 4)) + ( ~( &_v1372) &  &_v1340))) = GetLastError();
						asm("sbb edi, edi");
						_t326 =  ~( &_v1372) &  &_v1352;
						E0043AE17( *_t326);
						_t71 = _t326 + 8; // 0xffffffff
						_t356 = _t355 + 4;
						__imp__#6();
						asm("sbb ecx, ecx");
						E0040213C( ~( &_v1376) &  &_v1372, 1);
						SetLastError( *(_t356 +  *((intOrPtr*)(_v1380 + 4)) + 0x4c));
						_t80 =  &(_t343[3]); // 0xc
						_t81 =  &(_t343[2]); // 0x8
						_t357 = _t356 - 0x28;
						 *_t80 = 0;
						 *_t81 = 0;
						_v1428 = _t357;
						L004472C0(_t357,  &_v1084,  &_v1437, 1);
						L0044F390(_t362, _t81, _t80,  *_t71, _t179,  &_v1415, 0);
						lstrcpyA( &_v1344,  &_v1244);
						lstrcatA( &_v1344, "AREA");
						_t202 = _v128;
						_v1480 = 0x4675d8;
						_v1448 = 0x4675d0;
						if(_t202 == 0) {
							_t202 = 0x47e150;
						}
						_push(0);
						_push( &_v1456);
						_push(_t202);
						L0040B34B( &_v1440);
						_v108 = 3;
						_t327 = _v1440 + _v1440 + 2;
						_t205 = _v1432;
						if(_t327 >= _v1428 || _t205 == 0) {
							E0043AE17(_t205);
							_t330 = (_t327 >> 6) + 1 << 6;
							_t366 = _t330;
							_v1428 = _t330;
							_t205 = L0043BC14(_t330);
							_t357 = _t357 + 8;
							_v1432 = _t205;
						}
						L00453E80( &_v1452, _t205, _v1428, 0);
						GetPrivateProfileStringA(_v1444,  &_v1328, 0x47e154,  &_v1128, 0x3e8, L00452F40(_t345)); // executed
						asm("sbb eax, eax");
						_v120 = 0xffffffff;
						 *((intOrPtr*)( *((intOrPtr*)( *( ~( &_v1464) &  &_v1432) + 4)) + ( ~( &_v1464) &  &_v1432))) = GetLastError();
						asm("sbb edi, edi");
						_t336 =  ~( &_v1464) &  &_v1444;
						E0043AE17( *_t336);
						_t358 = _t357 + 4;
						__imp__#6( *((intOrPtr*)(_t336 + 8)));
						asm("sbb ecx, ecx");
						E0040213C( ~( &_v1468) &  &_v1464, 1);
						SetLastError( *(_t358 +  *((intOrPtr*)(_v1472 + 4)) + 0x24));
						_t121 =  &(_t343[5]); // 0x14
						_t284 = _t121;
						_t122 =  &(_t343[4]); // 0x10
						_t221 = _t122;
						_push(_t284);
						_push(_t221);
						_t351 = _t358 - 0x28;
						 *_t221 = 0;
						 *_t284 = 0;
						_v1480 = _t351;
						L004472C0(_t351,  &_v1136,  &_v1486, 1);
						L0044F390(_t366);
						_t337 = _v1544;
						_push( &_v1452);
						_push( &_v1404);
						_v1452 = _t337;
						_v1448 = 0;
						L00453F30();
						_t149 = _v1544;
						_t338 = _t337 + 1;
						 *(_v1412 + 0x10) = _t343;
						_v1552 = _t338;
					} while (_t338 <= _t149);
				}
				 *[fs:0x0] = _v24;
				return _t149;
			}

0x0044b840
0x0044b842
0x0044b84d
0x0044b84e
0x0044b855
0x0044b85b
0x0044b868
0x0044b86a
0x0044b872
0x0044b87a
0x0044b87c
0x0044b87c
0x0044b885
0x0044b887
0x0044b888
0x0044b88d
0x0044b896
0x0044b8a1
0x0044b8a6
0x0044b8a6
0x0044b8bb
0x0044b8c1
0x0044b8c7
0x0044b8cb
0x0044b8d6
0x0044b8e9
0x0044b8f1
0x0044b8f3
0x0044b8f5
0x0044b904
0x0044b90c
0x0044b90e
0x0044b910
0x0044b91f
0x0044b927
0x0044b927
0x0044b929
0x0044b92e
0x0044b936
0x0044b937
0x0044b93d
0x0044b94e
0x0044b956
0x0044b96b
0x0044b970
0x0044b97c
0x0044b982
0x0044b989
0x0044b991
0x0044b993
0x0044b99e
0x0044b9a0
0x0044b9a0
0x0044b9a9
0x0044b9ab
0x0044b9ac
0x0044b9b4
0x0044b9bd
0x0044b9c8
0x0044b9f2
0x0044ba05
0x0044ba07
0x0044ba25
0x0044ba29
0x0044ba34
0x0044ba46
0x0044ba4c
0x0044ba55
0x0044ba61
0x0044ba69
0x0044ba6f
0x0044ba70
0x0044ba72
0x0044ba7b
0x0044ba8a
0x0044ba91
0x0044baaf
0x0044bab2
0x0044bac5
0x0044bacb
0x0044bad3
0x0044bada
0x0044bae2
0x0044bae4
0x0044bae6
0x0044bae6
0x0044baf7
0x0044bb00
0x0044bb0b
0x0044bb35
0x0044bb45
0x0044bb47
0x0044bb61
0x0044bb69
0x0044bb6f
0x0044bb74
0x0044bb79
0x0044bb7c
0x0044bb80
0x0044bb90
0x0044bb96
0x0044bbab
0x0044bbb1
0x0044bbb4
0x0044bbb9
0x0044bbbc
0x0044bbc2
0x0044bbca
0x0044bbdd
0x0044bbe4
0x0044bbf9
0x0044bc0c
0x0044bc12
0x0044bc19
0x0044bc23
0x0044bc2b
0x0044bc2d
0x0044bc2d
0x0044bc36
0x0044bc38
0x0044bc39
0x0044bc3e
0x0044bc4b
0x0044bc56
0x0044bc5c
0x0044bc60
0x0044bc67
0x0044bc70
0x0044bc70
0x0044bc74
0x0044bc78
0x0044bc7d
0x0044bc80
0x0044bc80
0x0044bc90
0x0044bcbc
0x0044bccc
0x0044bcce
0x0044bce8
0x0044bcf0
0x0044bcf6
0x0044bcfb
0x0044bd03
0x0044bd07
0x0044bd17
0x0044bd1d
0x0044bd32
0x0044bd38
0x0044bd38
0x0044bd3b
0x0044bd3b
0x0044bd3e
0x0044bd3f
0x0044bd40
0x0044bd43
0x0044bd49
0x0044bd51
0x0044bd64
0x0044bd6b
0x0044bd70
0x0044bd7f
0x0044bd80
0x0044bd88
0x0044bd8c
0x0044bd97
0x0044bda3
0x0044bda7
0x0044bdaa
0x0044bdad
0x0044bdad
0x0044b93d
0x0044bdc1
0x0044bdcf

APIs

GetPrivateProfileIntA.KERNEL32 ref: 0044B8BB
lstrcpyA.KERNEL32(?,RECT,00000000), ref: 0044B956
lstrcatA.KERNEL32(?,00000000), ref: 0044B97C
GetPrivateProfileStringA.KERNEL32(00000000,?,0047E154,?,000003E8,00000000), ref: 0044B9F2
GetLastError.KERNEL32 ref: 0044BA1B

Part of subcall function 00430164: SysFreeString.OLEAUT32(FFFFFFFF), ref: 00430172

SetLastError.KERNEL32(004675D8,00000001), ref: 0044BA61
GetSysColor.USER32(0000000F), ref: 0044BA69

Part of subcall function 004472C0: GetLastError.KERNEL32(?,000001C4,?,00000000,?,?,00000001,?,?,?,?,?,?,?,?,ALL), ref: 00447300
Part of subcall function 004472C0: SetLastError.KERNEL32(?,00000000,?,00000000,?,?,00000001,?,?,?,?,?,?,?,?,ALL), ref: 00447336
Part of subcall function 004472C0: GetLastError.KERNEL32 ref: 0044738A
Part of subcall function 004472C0: SetLastError.KERNEL32(?,00000000), ref: 004473BD
Part of subcall function 004472C0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000000), ref: 004473E6

Part of subcall function 0044F620: GetLastError.KERNEL32 ref: 0044F71F
Part of subcall function 0044F620: SysFreeString.OLEAUT32(?), ref: 0044F740

CreateSolidBrush.GDI32(00000000), ref: 0044BA99
lstrcpyA.KERNEL32(?,?), ref: 0044BAB2
lstrcatA.KERNEL32(?,POS), ref: 0044BAC5
GetPrivateProfileStringA.KERNEL32(00000000,?,0047E154,?,000003E8,00000000), ref: 0044BB35
GetLastError.KERNEL32 ref: 0044BB5B
SysFreeString.OLEAUT32(FFFFFFFF), ref: 0044BB80
SetLastError.KERNEL32(?,00000001), ref: 0044BBAB
lstrcpyA.KERNEL32(?,?,?,?,00000001), ref: 0044BBF9
lstrcatA.KERNEL32(?,AREA), ref: 0044BC0C
GetPrivateProfileStringA.KERNEL32(?,?,0047E154,?,000003E8,00000000), ref: 0044BCBC
GetLastError.KERNEL32 ref: 0044BCE2
SysFreeString.OLEAUT32(?), ref: 0044BD07
SetLastError.KERNEL32(?,00000001), ref: 0044BD32

Strings

POS, xrefs: 0044BABF
PG, xrefs: 0044BAE6
PG, xrefs: 0044BC2D
RECT, xrefs: 0044B950
AREA, xrefs: 0044BBFF
RECTS, xrefs: 0044B8B5
PG, xrefs: 0044B9A0
PG, xrefs: 0044B87C

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorLast$String$FreePrivateProfile$lstrcatlstrcpy$BrushByteCharColorCreateMultiSolidWide
String ID: AREA$POS$PG$PG$PG$PG$RECT$RECTS
API String ID: 1379342469-17773960
Opcode ID: f017ce8ad931d17f1f432b1da383ce6f49470dd94cf5afe7ff3a8605bfc81aa9
Instruction ID: 9d159e5d69fa1934c1e5999d076b314b2b6a42d3c2f651502a52543152baf937
Opcode Fuzzy Hash: f017ce8ad931d17f1f432b1da383ce6f49470dd94cf5afe7ff3a8605bfc81aa9
Instruction Fuzzy Hash: 02E183712083419FD724DF24C845BABB7F4EF89708F004A2EF59A87291EBB4A509CF56

Uniqueness

Uniqueness Score: -1.00%

Function 0044FE00 Relevance: 49.4, APIs: 25, Strings: 3, Instructions: 370
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E0044FE00() {
				int _t97;
				int _t102;
				long _t104;
				int _t113;
				int _t115;
				intOrPtr _t121;
				intOrPtr* _t122;
				intOrPtr _t123;
				int _t134;
				signed int _t136;
				int _t141;
				intOrPtr _t144;
				intOrPtr* _t147;
				intOrPtr _t148;
				intOrPtr* _t160;
				intOrPtr* _t161;
				intOrPtr* _t162;
				int _t166;
				struct HWND__* _t175;
				intOrPtr* _t177;
				intOrPtr _t204;
				struct HWND__* _t217;
				int _t231;
				long _t238;
				intOrPtr* _t239;
				intOrPtr* _t240;
				struct HDC__* _t243;
				struct HDC__* _t245;
				void* _t246;
				struct HWND__* _t247;
				struct HDC__* _t248;
				void* _t249;
				intOrPtr* _t250;
				void* _t251;
				void* _t256;
				void* _t257;

				_t175 =  *(_t257 + 0xe0);
				_t256 = GetPropW(_t175, L"PROP_PSKIN");
				if(_t256 != 0) {
					_t231 =  *(_t257 + 0xf0);
					__eflags = _t231 - 0x2b;
					if(__eflags > 0) {
						_t97 = _t231 - 0x135;
						__eflags = _t97;
						if(_t97 == 0) {
							 *(_t257 + 0x20) = 0;
							memset(_t257 + 0x22, 0, 0x18 << 2);
							_t257 = _t257 + 0xc;
							asm("stosw");
							GetClassNameW( *(_t257 + 0xf8), _t257 + 0x20, 0x32);
							_t102 = lstrcmpiW(L"Button", _t257 + 0x20);
							__eflags = _t102;
							if(_t102 != 0) {
								goto L33;
							} else {
								_t243 =  *(_t257 + 0xf4);
								SetBkMode(_t243, 1);
								SetTextColor(_t243,  *(L004515C0(_t256)));
								goto L52;
							}
						} else {
							__eflags = _t97 != 3;
							if(_t97 != 3) {
								goto L34;
							} else {
								_t217 =  *(_t257 + 0xf8);
								 *(_t257 + 0x20) = 0;
								memset(_t257 + 0x22, 0, 0x18 << 2);
								_t257 = _t257 + 0xc;
								 *(_t257 + 0x14) = _t217;
								asm("stosw");
								GetClassNameW(_t217, _t257 + 0x24, 0x32);
								_t113 = lstrcmpiW(L"Button", _t257 + 0x20);
								__eflags = _t113;
								if(_t113 != 0) {
									_t115 = lstrcmpiW(L"Static", _t257 + 0x20);
									__eflags = _t115;
									if(_t115 != 0) {
										goto L33;
									} else {
										_t245 =  *(_t257 + 0xf4);
										SetBkMode(_t245, 1);
										SetTextColor(_t245,  *(L004515C0(_t256)));
										_t77 = _t256 + 0x1c8; // 0x1c8
										_t246 = _t77;
										L004558D0(_t246, _t257 + 0x18, _t257 + 0x10);
										_t247 =  *(_t246 + 4);
										_t121 =  *((intOrPtr*)(_t257 + 0x18));
										__eflags = _t121 - _t247;
										if(_t121 == _t247) {
											L46:
											 *(_t257 + 0x14) = _t247;
											_t122 = _t257 + 0x14;
										} else {
											__eflags =  *((intOrPtr*)(_t257 + 0x10)) -  *((intOrPtr*)(_t121 + 0xc));
											if( *((intOrPtr*)(_t257 + 0x10)) <  *((intOrPtr*)(_t121 + 0xc))) {
												goto L46;
											} else {
												_t122 = _t257 + 0x18;
											}
										}
										_t123 =  *_t122;
										goto L48;
									}
								} else {
									_t248 =  *(_t257 + 0xf4);
									SetBkMode(_t248, 1);
									SetTextColor(_t248,  *(L004515C0(_t256)));
									L00453580(_t257 + 0x1c, _t257 + 0x10);
									_t123 =  *((intOrPtr*)(_t257 + 0x1c));
									L48:
									__eflags = _t123 -  *((intOrPtr*)(_t256 + 0x1cc));
									if(_t123 ==  *((intOrPtr*)(_t256 + 0x1cc))) {
										L52:
										return GetStockObject(5);
									} else {
										return  *((intOrPtr*)(_t123 + 0x10));
									}
								}
							}
						}
					} else {
						if(__eflags == 0) {
							 *(_t257 + 0x84) = 0;
							memset(_t257 + 0x86, 0, 0x18 << 2);
							_t257 = _t257 + 0xc;
							asm("stosw");
							_t238 =  *(_t257 + 0xf8);
							GetClassNameW( *(_t238 + 0x14), _t257 + 0x84, 0x64);
							_t134 = lstrcmpiW(L"Button", _t257 + 0x84);
							__eflags = _t134;
							if(_t134 != 0) {
								goto L33;
							} else {
								_t136 = GetWindowLongW( *(_t238 + 0x14), 0xfffffff0);
								__eflags = (_t136 & 0x0000000f) - 0xb;
								if((_t136 & 0x0000000f) != 0xb) {
									goto L33;
								} else {
									E00450290(_t175, _t238);
									__eflags = 0;
									return 0;
								}
							}
						} else {
							_t141 = _t231 - 2;
							__eflags = _t141;
							if(_t141 == 0) {
								_t249 = L004512C0(_t256);
								L004539B0(_t249, _t257 + 0x10);
								_t144 =  *((intOrPtr*)(_t257 + 0x10));
								__eflags = _t144 -  *((intOrPtr*)(_t249 + 4));
								while(_t144 !=  *((intOrPtr*)(_t249 + 4))) {
									E0043AE17( *((intOrPtr*)(_t144 + 0x10)));
									_t257 = _t257 + 4;
									L004533D0(_t257 + 0x10);
									_t144 =  *((intOrPtr*)(_t257 + 0x10));
									__eflags = _t144 -  *((intOrPtr*)(_t249 + 4));
								}
								L00453300(_t249, _t257 + 0x1c,  *((intOrPtr*)( *((intOrPtr*)(_t249 + 4)))),  *((intOrPtr*)(_t249 + 4)));
								_t147 =  *((intOrPtr*)(_t256 + 0x1cc));
								_t250 =  *_t147;
								__eflags = _t250 - _t147;
								if(_t250 == _t147) {
									_t204 =  *0x47e950; // 0x2220be0
								} else {
									do {
										DeleteObject( *(_t250 + 0x10));
										_t160 =  *((intOrPtr*)(_t250 + 8));
										_t204 =  *0x47e950; // 0x2220be0
										__eflags = _t160 - _t204;
										if(_t160 == _t204) {
											_t161 =  *((intOrPtr*)(_t250 + 4));
											__eflags = _t250 -  *((intOrPtr*)(_t161 + 8));
											while(_t250 ==  *((intOrPtr*)(_t161 + 8))) {
												_t250 = _t161;
												_t161 =  *((intOrPtr*)(_t161 + 4));
												__eflags = _t250 -  *((intOrPtr*)(_t161 + 8));
											}
											__eflags =  *((intOrPtr*)(_t250 + 8)) - _t161;
											if( *((intOrPtr*)(_t250 + 8)) != _t161) {
												_t250 = _t161;
											}
										} else {
											_t250 = _t160;
											_t162 =  *_t250;
											__eflags = _t162 - _t204;
											while(_t162 != _t204) {
												_t250 = _t162;
												_t162 =  *_t250;
												__eflags = _t162 - _t204;
											}
										}
										__eflags = _t250 -  *((intOrPtr*)(_t256 + 0x1cc));
									} while (_t250 !=  *((intOrPtr*)(_t256 + 0x1cc)));
								}
								_t239 =  *((intOrPtr*)(_t256 + 0x1cc));
								_t34 = _t256 + 0x1c8; // 0x1c8
								_t251 = _t34;
								_t148 =  *_t239;
								__eflags =  *(_t256 + 0x1d4);
								 *((intOrPtr*)(_t257 + 0x10)) = _t148;
								if( *(_t256 + 0x1d4) == 0) {
									L29:
									__eflags = _t148 - _t239;
									if(_t148 != _t239) {
										do {
											L004535F0(_t257 + 0x10);
											_push(_t148);
											_push(_t257 + 0x14);
											L004554D0(_t251);
											_t148 =  *((intOrPtr*)(_t257 + 0x10));
											__eflags = _t148 - _t239;
										} while (_t148 != _t239);
										goto L31;
									}
								} else {
									__eflags = _t148 - _t148;
									if(_t148 != _t148) {
										goto L29;
									} else {
										_t177 =  *((intOrPtr*)(_t239 + 4));
										__eflags = _t177 - _t204;
										_t240 = _t177;
										if(_t177 != _t204) {
											do {
												L00455910(_t251,  *((intOrPtr*)(_t240 + 8)));
												_t240 =  *_t240;
												E0043AE17(_t177);
												_t204 =  *0x47e950; // 0x2220be0
												_t257 = _t257 + 4;
												__eflags = _t240 - _t204;
												_t177 = _t240;
											} while (_t240 != _t204);
										}
										 *((intOrPtr*)( *((intOrPtr*)(_t251 + 4)) + 4)) = _t204;
										 *((intOrPtr*)(_t251 + 0xc)) = 0;
										 *((intOrPtr*)( *((intOrPtr*)(_t251 + 4)))) =  *((intOrPtr*)(_t251 + 4));
										 *((intOrPtr*)( *((intOrPtr*)(_t251 + 4)) + 8)) =  *((intOrPtr*)(_t251 + 4));
										L31:
										_t175 =  *(_t257 + 0xec);
									}
								}
								DeleteDC( *(_t256 + 0x148));
								RemovePropW(_t175, L"PROP_PSKIN");
								SetWindowLongW(_t175, 0xfffffffc,  *(_t256 + 0x134));
								L33:
								_t231 =  *(_t257 + 0xf0);
								goto L34;
							} else {
								_t166 = _t141 - 0xd;
								__eflags = _t166;
								if(_t166 == 0) {
									BitBlt(BeginPaint(_t175, _t257 + 0x20),  *(_t257 + 0x2c),  *(_t257 + 0x30),  *(_t257 + 0x44),  *(_t257 + 0x44),  *(_t256 + 0x148),  *(_t257 + 0x2c),  *(_t257 + 0x30), 0xcc0020);
									EndPaint(_t175, _t257 + 0x20);
									goto L34;
								} else {
									__eflags = _t166 != 5;
									if(_t166 != 5) {
										L34:
										_t104 = CallWindowProcW( *(_t256 + 0x134), _t175, _t231,  *(_t257 + 0xf4),  *(_t257 + 0xf8)); // executed
										return _t104;
									} else {
										return 1;
									}
								}
							}
						}
					}
				} else {
					return DefWindowProcW(_t175,  *(_t257 + 0xf0),  *(_t257 + 0xf4),  *(_t257 + 0xf8));
				}
			}

0x0044fe07
0x0044fe1d
0x0044fe23
0x0044fe51
0x0044fe5e
0x0044fe61
0x004500f8
0x004500f8
0x004500fd
0x00450215
0x00450225
0x00450225
0x00450227
0x00450238
0x00450248
0x0045024e
0x00450250
0x00000000
0x00450256
0x00450256
0x00450260
0x00450271
0x00000000
0x00450271
0x00450103
0x00450103
0x00450106
0x00000000
0x0045010c
0x0045010c
0x00450113
0x00450125
0x00450125
0x0045012b
0x00450131
0x00450133
0x00450149
0x0045014b
0x0045014d
0x00450195
0x00450197
0x00450199
0x00000000
0x0045019f
0x0045019f
0x004501a9
0x004501ba
0x004501c4
0x004501c4
0x004501d2
0x004501d7
0x004501da
0x004501de
0x004501e0
0x004501f3
0x004501f3
0x004501f7
0x004501e2
0x004501e9
0x004501eb
0x00000000
0x004501ed
0x004501ed
0x004501ed
0x004501eb
0x004501fb
0x00000000
0x004501fb
0x0045014f
0x0045014f
0x00450159
0x0045016a
0x00450180
0x00450185
0x004501fd
0x004501fd
0x00450203
0x00450277
0x00450289
0x00450205
0x00450212
0x00450212
0x00450203
0x0045014d
0x00450106
0x0044fe67
0x0044fe67
0x0045007b
0x00450091
0x00450091
0x00450093
0x00450095
0x004500aa
0x004500bd
0x004500c3
0x004500c5
0x00000000
0x004500c7
0x004500cd
0x004500d6
0x004500d8
0x00000000
0x004500de
0x004500e2
0x004500ea
0x004500f3
0x004500f3
0x004500d8
0x0044fe6d
0x0044fe6f
0x0044fe6f
0x0044fe72
0x0044fee1
0x0044feea
0x0044fef2
0x0044fef6
0x0044fef8
0x0044fefe
0x0044ff03
0x0044ff0a
0x0044ff0f
0x0044ff16
0x0044ff16
0x0044ff28
0x0044ff2d
0x0044ff33
0x0044ff35
0x0044ff37
0x0044ff87
0x0044ff39
0x0044ff3f
0x0044ff43
0x0044ff45
0x0044ff48
0x0044ff4e
0x0044ff50
0x0044ff64
0x0044ff67
0x0044ff6a
0x0044ff6c
0x0044ff6e
0x0044ff71
0x0044ff71
0x0044ff76
0x0044ff79
0x0044ff7b
0x0044ff7b
0x0044ff52
0x0044ff52
0x0044ff54
0x0044ff56
0x0044ff58
0x0044ff5a
0x0044ff5c
0x0044ff5e
0x0044ff5e
0x0044ff58
0x0044ff7d
0x0044ff7d
0x0044ff85
0x0044ff8d
0x0044ff99
0x0044ff99
0x0044ff9f
0x0044ffa1
0x0044ffa3
0x0044ffa7
0x0044fff4
0x0044fff4
0x0044fff6
0x0044fff8
0x0044fffe
0x00450007
0x00450008
0x0045000b
0x00450010
0x00450014
0x00450014
0x00000000
0x0044fff8
0x0044ffa9
0x0044ffab
0x0044ffad
0x00000000
0x0044ffaf
0x0044ffaf
0x0044ffb2
0x0044ffb4
0x0044ffb6
0x0044ffb8
0x0044ffbe
0x0044ffc3
0x0044ffc6
0x0044ffcb
0x0044ffd1
0x0044ffd4
0x0044ffd6
0x0044ffd6
0x0044ffb8
0x0044ffdd
0x0044ffe3
0x0044ffea
0x0044ffef
0x00450018
0x00450018
0x00450018
0x0044ffad
0x00450026
0x00450032
0x00450042
0x00450048
0x00450048
0x00000000
0x0044fe74
0x0044fe74
0x0044fe74
0x0044fe77
0x0044fec3
0x0044fecf
0x00000000
0x0044fe79
0x0044fe79
0x0044fe7c
0x0045004f
0x00450068
0x00450078
0x0044fe85
0x0044fe91
0x0044fe91
0x0044fe7c
0x0044fe77
0x0044fe72
0x0044fe67
0x0044fe25
0x0044fe4e
0x0044fe4e

APIs

GetPropW.USER32(?,PROP_PSKIN), ref: 0044FE17
DefWindowProcW.USER32(?,?,?,?), ref: 0044FE3E

Strings

PROP_PSKIN, xrefs: 0044FE11, 0045002C
Button, xrefs: 004500B8, 00450144, 00450243
Static, xrefs: 00450190

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ProcPropWindow
String ID: Button$PROP_PSKIN$Static
API String ID: 8399546-3691526359
Opcode ID: b2b70bb4a61786d26364ad5d400a97821fc5cf578f80f0a872657ad56ff8822e
Instruction ID: d1c9205e2360913286ec22845f4452829af93fd3d38973e32bf51cc7719d19a7
Opcode Fuzzy Hash: b2b70bb4a61786d26364ad5d400a97821fc5cf578f80f0a872657ad56ff8822e
Instruction Fuzzy Hash: ABD1D2352042419FD720DF14DC84EABB3A5FB88715F00492EF94AD7251EB78ED09CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 0041F2B3 Relevance: 47.7, APIs: 1, Strings: 26, Instructions: 410
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 67%

			E0041F2B3(intOrPtr __ecx) {
				void* __ebx;
				char* _t159;
				char* _t166;
				char* _t171;
				char* _t176;
				intOrPtr _t178;
				intOrPtr _t181;
				void* _t190;
				intOrPtr _t192;
				signed char _t200;
				signed char _t202;
				signed char _t204;
				char* _t205;
				char* _t210;
				intOrPtr _t215;
				char* _t216;
				char* _t221;
				char* _t225;
				char* _t229;
				char _t233;
				char* _t234;
				signed char _t239;
				long _t243;
				void* _t246;
				void* _t292;
				void* _t319;
				void* _t321;
				void* _t322;
				intOrPtr _t329;
				intOrPtr _t330;

				L0043B644(E004626C1, _t319);
				_t322 = _t321 - 0xb8;
				_t155 =  *(_t319 + 8);
				 *((intOrPtr*)(_t319 - 0x14)) = __ecx;
				_t246 = __ecx + 0x36c;
				 *(_t319 - 0x15) = 1;
				if( *(_t319 + 8) == 0) {
					_t155 = 0x47e150;
				}
				L0040BDDD(_t246, _t155);
				_t329 =  *0x47df40; // 0x0
				if(_t329 != 0) {
					L4:
					_push(1);
					_push(_t319 - 0x16);
					_push("C:\\CodeBases\\isdev\\src\\Runtime\\Shared\\Setup\\SetupPreRequisite.cpp");
					E0040A5F5(_t319 - 0xc4);
					_t159 = L"CSetupPrerequisite::ExecutePrerequisite";
					 *(_t319 - 4) = 0;
					 *((intOrPtr*)(_t319 - 0x40)) = 0x4675d8;
					 *((intOrPtr*)(_t319 - 0x20)) = 0x4675d0;
					if(_t159 == 0) {
						_t159 = 0x47e150;
					}
					_push(0);
					_push(_t319 - 0xd);
					_push(_t159);
					L0040B34B(_t319 - 0x40);
					 *(_t319 - 4) = 1;
					L0045D600(_t319 - 0x40, _t319 - 0xc4, 0x116);
					 *(_t319 - 4) = 0;
					E004061C1(_t319 - 0x40);
					 *(_t319 - 4) =  *(_t319 - 4) | 0xffffffff;
					E004061C1(_t319 - 0xc4);
					L7:
					_t166 = L"Data File Location: ";
					 *((intOrPtr*)(_t319 - 0x40)) = 0x4675d8;
					 *((intOrPtr*)(_t319 - 0x20)) = 0x4675d0;
					_t333 = _t166;
					if(_t166 == 0) {
						_t166 = 0x47e150;
					}
					_push(0);
					_push(_t319 - 0xd);
					_push(_t166);
					L0040B34B(_t319 - 0x40);
					_push(0);
					_push(0);
					_push(_t319 - 0x40);
					 *(_t319 - 4) = 2;
					L0042189A(0,  *((intOrPtr*)(_t319 - 0x14)), _t333);
					 *(_t319 - 4) =  *(_t319 - 4) | 0xffffffff;
					E004061C1(_t319 - 0x40);
					_t171 =  *(_t319 + 8);
					 *((intOrPtr*)(_t319 - 0x40)) = 0x4675d8;
					_t334 = _t171;
					 *((intOrPtr*)(_t319 - 0x20)) = 0x4675d0;
					if(_t171 == 0) {
						_t171 = 0x47e150;
					}
					_push(0);
					_push(_t319 - 0xd);
					_push(_t171);
					L0040B34B(_t319 - 0x40);
					_push(0);
					_push(1);
					_push(_t319 - 0x40);
					 *(_t319 - 4) = 3;
					L0042189A(0,  *((intOrPtr*)(_t319 - 0x14)), _t334);
					 *(_t319 - 4) =  *(_t319 - 4) | 0xffffffff;
					E004061C1(_t319 - 0x40);
					_t176 =  *(_t319 + 8);
					 *((intOrPtr*)(_t319 - 0x40)) = 0x4675d8;
					 *((intOrPtr*)(_t319 - 0x20)) = 0x4675d0;
					if(_t176 == 0) {
						_t176 = 0x47e150;
					}
					_push(0);
					_push(_t319 - 0xd);
					_push(_t176);
					L0040B34B(_t319 - 0x40);
					_t178 =  *((intOrPtr*)(_t319 - 0x38));
					 *(_t319 - 4) = 4;
					 *((intOrPtr*)(_t319 - 0x44)) = 0x4675e4;
					if(_t178 != 0) {
						 *((intOrPtr*)(_t319 - 0x44)) = _t178;
					}
					_push(1);
					_push(_t319 - 0x16);
					_push("C:\\CodeBases\\isdev\\src\\Runtime\\Shared\\Setup\\SetupPreRequisite.cpp");
					_t181 =  *((intOrPtr*)(E0040A5F5(_t319 - 0xc4) + 8));
					 *(_t319 - 4) = 5;
					if(_t181 == 0) {
						_t181 = 0x4675e4;
					}
					_push( *((intOrPtr*)(_t319 - 0x44)));
					 *((intOrPtr*)(_t319 - 0x4c)) = _t181;
					 *((intOrPtr*)(_t319 - 0x48)) = 0x11b;
					_push(L"Attempting to execute prerequisite: %s");
					_push(_t319 - 0x4c);
					E0040840D(0);
					 *(_t319 - 4) = 4;
					E004061C1(_t319 - 0xc4);
					 *(_t319 - 4) =  *(_t319 - 4) | 0xffffffff;
					E004061C1(_t319 - 0x40);
					_push(4);
					_t324 = _t322 + 0xc - 0x28;
					 *((intOrPtr*)(_t319 - 0x44)) = _t322 + 0xc - 0x28;
					L00401732(_t324, E0040A5A5( *((intOrPtr*)(_t319 - 0x14)) + 8), _t319 - 0xd, 1); // executed
					_t190 = E0042CFBE(); // executed
					if(_t190 != 0) {
						_t243 =  *((intOrPtr*)(_t319 - 0x14));
						__eflags =  *((char*)(_t243 + 0x262));
						if( *((char*)(_t243 + 0x262)) == 0) {
							L22:
							_t192 = E0041F7CF(_t243,  *(_t319 + 8),  *(_t319 + 0xc) & 0x000000ff); // executed
							L23:
							 *((intOrPtr*)(_t319 - 0x14)) = _t192;
							_push(0);
							_push(_t319 + 0xb);
							 *((intOrPtr*)(_t319 - 0x74)) = 0x4675d8;
							 *((intOrPtr*)(_t319 - 0x54)) = 0x4675d0;
							L0040B243(_t319 - 0x74);
							 *(_t319 - 4) = 6;
							L0040AF38(_t319 - 0x74, L"Return Code from EXE: %d",  *((intOrPtr*)(_t319 - 0x14)));
							_push(0);
							_push(1);
							_push(_t319 - 0x74);
							L0042189A(_t243, _t243, __eflags);
							__eflags = E00408742(_t243);
							if(__eflags == 0) {
								_t233 = E00421393(_t243, __eflags); // executed
								__eflags = _t233;
								 *((char*)(_t243 + 0x3ee)) = _t233;
								if(_t233 != 0) {
									_t234 = L"Reboot Required";
									 *((intOrPtr*)(_t319 - 0x40)) = 0x4675d8;
									 *((intOrPtr*)(_t319 - 0x20)) = 0x4675d0;
									__eflags = _t234;
									if(_t234 == 0) {
										_t234 = 0x47e150;
									}
									_push(0);
									_push(_t319 + 0xf);
									_push(_t234);
									L0040B34B(_t319 - 0x40);
									_push(0);
									_push(1);
									_push(_t319 - 0x40);
									 *(_t319 - 4) = 7;
									L0042189A(_t243, _t243, __eflags);
									 *(_t319 - 4) = 6;
									E004061C1(_t319 - 0x40);
								}
							}
							_push( *((intOrPtr*)(_t319 - 0x14)));
							_t200 = L0042124F(_t243);
							__eflags = _t200;
							if(_t200 != 0) {
								_t215 =  *((intOrPtr*)(_t243 + 0x404));
								__eflags = _t215 - 4;
								if(_t215 != 4) {
									__eflags = _t215 - 1;
									if(_t215 != 1) {
										__eflags = _t215 - 0x20;
										if(_t215 != 0x20) {
											_t216 = L"Exit Code Match -- Rebooting Now";
											 *((intOrPtr*)(_t319 - 0x40)) = 0x4675d8;
											 *((intOrPtr*)(_t319 - 0x20)) = 0x4675d0;
											__eflags = _t216;
											if(_t216 == 0) {
												_t216 = 0x47e150;
											}
											_push(0);
											_push(_t319 + 0xf);
											_push(_t216);
											L0040B34B(_t319 - 0x40);
											_push(0);
											_push(1);
											_push(_t319 - 0x40);
											 *(_t319 - 4) = 0xb;
											L0042189A(_t243, _t243, __eflags);
											 *(_t319 - 4) = 6;
											_t292 = _t319 - 0x40;
										} else {
											_t221 = L"Exit Code Match -- Rebooting Later";
											 *((intOrPtr*)(_t319 - 0x40)) = 0x4675d8;
											 *((intOrPtr*)(_t319 - 0x20)) = 0x4675d0;
											__eflags = _t221;
											if(_t221 == 0) {
												_t221 = 0x47e150;
											}
											_push(0);
											_push(_t319 + 0xf);
											_push(_t221);
											L0040B34B(_t319 - 0x40);
											_push(0);
											_push(1);
											_push(_t319 - 0x40);
											 *(_t319 - 4) = 0xa;
											L0042189A(_t243, _t243, __eflags);
											 *(_t319 - 4) = 6;
											_t292 = _t319 - 0x40;
										}
									} else {
										_t225 = L"Exit Code Match -- Exiting Now";
										 *((intOrPtr*)(_t319 - 0x40)) = 0x4675d8;
										 *((intOrPtr*)(_t319 - 0x20)) = 0x4675d0;
										__eflags = _t225;
										if(_t225 == 0) {
											_t225 = 0x47e150;
										}
										_push(0);
										_push(_t319 + 0xf);
										_push(_t225);
										L0040B34B(_t319 - 0x40);
										_push(0);
										_push(1);
										_push(_t319 - 0x40);
										 *(_t319 - 4) = 9;
										L0042189A(_t243, _t243, __eflags);
										 *(_t319 - 4) = 6;
										_t292 = _t319 - 0x40;
									}
								} else {
									_t229 = L"Exit Code Match -- Reboot Ignored";
									 *((intOrPtr*)(_t319 - 0x40)) = 0x4675d8;
									 *((intOrPtr*)(_t319 - 0x20)) = 0x4675d0;
									__eflags = _t229;
									if(_t229 == 0) {
										_t229 = 0x47e150;
									}
									_push(0);
									_push(_t319 + 0xf);
									_push(_t229);
									L0040B34B(_t319 - 0x40);
									_push(0);
									_push(1);
									_push(_t319 - 0x40);
									 *(_t319 - 4) = 8;
									L0042189A(_t243, _t243, __eflags);
									 *(_t319 - 4) = 6;
									_t292 = _t319 - 0x40;
								}
								E004061C1(_t292);
								 *((char*)(_t243 + 0x3ee)) = 1;
							}
							L0042177C(_t243);
							_t202 = E00408742(_t243);
							__eflags = _t202;
							if(_t202 == 0) {
								L56:
								_t148 = _t319 - 4;
								 *_t148 =  *(_t319 - 4) | 0xffffffff;
								__eflags =  *_t148;
								E004061C1(_t319 - 0x74);
								_t204 =  *(_t319 - 0x15);
								goto L57;
							} else {
								__eflags =  *((intOrPtr*)(_t319 - 0x14)) - 0x669;
								if( *((intOrPtr*)(_t319 - 0x14)) == 0x669) {
									L48:
									_t205 = L"MSI Returned ERROR_SUCCESS_REBOOT_INITIATED";
									 *((intOrPtr*)(_t319 - 0x40)) = 0x4675d8;
									 *((intOrPtr*)(_t319 - 0x20)) = 0x4675d0;
									__eflags = _t205;
									if(_t205 == 0) {
										_t205 = 0x47e150;
									}
									_push(0);
									_push(_t319 + 0xf);
									_push(_t205);
									L0040B34B(_t319 - 0x40);
									_push(0);
									_push(1);
									_push(_t319 - 0x40);
									 *(_t319 - 4) = 0xc;
									L0042189A(_t243, _t243, __eflags);
									 *(_t319 - 4) = 6;
									E004061C1(_t319 - 0x40);
									 *((char*)(_t243 + 0x3ee)) = 1;
									L51:
									__eflags =  *((intOrPtr*)(_t319 - 0x14)) - 0x642;
									if( *((intOrPtr*)(_t319 - 0x14)) == 0x642) {
										_t210 = L"MSI Returned ERROR_INSTALL_USEREXIT";
										 *((intOrPtr*)(_t319 - 0x9c)) = 0x4675d8;
										 *((intOrPtr*)(_t319 - 0x7c)) = 0x4675d0;
										__eflags = _t210;
										if(_t210 == 0) {
											_t210 = 0x47e150;
										}
										_push(0);
										_push(_t319 + 0xf);
										_push(_t210);
										L0040B34B(_t319 - 0x9c);
										_push(0);
										_push(1);
										_push(_t319 - 0x9c);
										 *(_t319 - 4) = 0xd;
										L0042189A(_t243, _t243, __eflags);
										 *(_t319 - 4) = 6;
										E004061C1(_t319 - 0x9c);
										__eflags =  *((char*)(_t243 + 0x40c));
										if( *((char*)(_t243 + 0x40c)) == 0) {
											_t146 = _t319 - 0x15;
											 *_t146 =  *(_t319 - 0x15) & 0x00000000;
											__eflags =  *_t146;
										}
									}
									goto L56;
								}
								__eflags =  *((intOrPtr*)(_t319 - 0x14)) - 0xbc2;
								if( *((intOrPtr*)(_t319 - 0x14)) != 0xbc2) {
									goto L51;
								}
								goto L48;
							}
						}
						_t239 = E00408742(_t243);
						__eflags = _t239;
						if(_t239 == 0) {
							goto L22;
						}
						_push( *(_t319 + 0xc));
						_push( *(_t319 + 8));
						_t192 = L0041FF75(_t243);
						goto L23;
					} else {
						_t204 = _t190 + 1;
						L57:
						 *[fs:0x0] =  *((intOrPtr*)(_t319 - 0xc));
						return _t204;
					}
				}
				_t330 =  *0x47e988; // 0x0
				if(_t330 == 0) {
					goto L7;
				}
				goto L4;
			}

0x0041f2b8
0x0041f2bd
0x0041f2c3
0x0041f2c7
0x0041f2cc
0x0041f2d6
0x0041f2da
0x0041f2dc
0x0041f2dc
0x0041f2e2
0x0041f2e7
0x0041f2f7
0x0041f301
0x0041f304
0x0041f306
0x0041f307
0x0041f312
0x0041f317
0x0041f31c
0x0041f321
0x0041f326
0x0041f329
0x0041f32b
0x0041f32b
0x0041f333
0x0041f334
0x0041f335
0x0041f339
0x0041f34e
0x0041f352
0x0041f35a
0x0041f35d
0x0041f362
0x0041f36c
0x0041f371
0x0041f371
0x0041f376
0x0041f37b
0x0041f37e
0x0041f380
0x0041f382
0x0041f382
0x0041f38a
0x0041f38b
0x0041f38c
0x0041f390
0x0041f398
0x0041f39c
0x0041f39d
0x0041f39e
0x0041f3a5
0x0041f3aa
0x0041f3b1
0x0041f3b6
0x0041f3b9
0x0041f3bc
0x0041f3be
0x0041f3c1
0x0041f3c3
0x0041f3c3
0x0041f3cb
0x0041f3cc
0x0041f3cd
0x0041f3d1
0x0041f3d9
0x0041f3dd
0x0041f3df
0x0041f3e0
0x0041f3e7
0x0041f3ec
0x0041f3f3
0x0041f3f8
0x0041f3fb
0x0041f400
0x0041f403
0x0041f405
0x0041f405
0x0041f40d
0x0041f40e
0x0041f40f
0x0041f413
0x0041f418
0x0041f41b
0x0041f424
0x0041f42b
0x0041f42d
0x0041f42d
0x0041f433
0x0041f435
0x0041f436
0x0041f446
0x0041f449
0x0041f44f
0x0041f451
0x0041f451
0x0041f456
0x0041f459
0x0041f45f
0x0041f466
0x0041f46b
0x0041f46c
0x0041f47a
0x0041f47e
0x0041f483
0x0041f48a
0x0041f48f
0x0041f494
0x0041f499
0x0041f4ad
0x0041f4b2
0x0041f4bc
0x0041f4c5
0x0041f4c8
0x0041f4cf
0x0041f4eb
0x0041f4f5
0x0041f4fa
0x0041f4fa
0x0041f500
0x0041f502
0x0041f506
0x0041f509
0x0041f50c
0x0041f517
0x0041f524
0x0041f531
0x0041f533
0x0041f535
0x0041f536
0x0041f542
0x0041f544
0x0041f548
0x0041f54d
0x0041f54f
0x0041f555
0x0041f557
0x0041f55c
0x0041f561
0x0041f564
0x0041f566
0x0041f568
0x0041f568
0x0041f570
0x0041f572
0x0041f573
0x0041f577
0x0041f57c
0x0041f581
0x0041f583
0x0041f586
0x0041f58a
0x0041f592
0x0041f596
0x0041f596
0x0041f555
0x0041f59b
0x0041f5a0
0x0041f5a5
0x0041f5a7
0x0041f5ad
0x0041f5b3
0x0041f5b6
0x0041f5fc
0x0041f5ff
0x0041f645
0x0041f648
0x0041f68b
0x0041f690
0x0041f695
0x0041f698
0x0041f69a
0x0041f69c
0x0041f69c
0x0041f6a4
0x0041f6a6
0x0041f6a7
0x0041f6ab
0x0041f6b0
0x0041f6b5
0x0041f6b7
0x0041f6ba
0x0041f6be
0x0041f6c3
0x0041f6c7
0x0041f64a
0x0041f64a
0x0041f64f
0x0041f654
0x0041f657
0x0041f659
0x0041f65b
0x0041f65b
0x0041f663
0x0041f665
0x0041f666
0x0041f66a
0x0041f66f
0x0041f674
0x0041f676
0x0041f679
0x0041f67d
0x0041f682
0x0041f686
0x0041f686
0x0041f601
0x0041f601
0x0041f606
0x0041f60b
0x0041f60e
0x0041f610
0x0041f612
0x0041f612
0x0041f61a
0x0041f61c
0x0041f61d
0x0041f621
0x0041f626
0x0041f62b
0x0041f62d
0x0041f630
0x0041f634
0x0041f639
0x0041f63d
0x0041f63d
0x0041f5b8
0x0041f5b8
0x0041f5bd
0x0041f5c2
0x0041f5c5
0x0041f5c7
0x0041f5c9
0x0041f5c9
0x0041f5d1
0x0041f5d3
0x0041f5d4
0x0041f5d8
0x0041f5dd
0x0041f5e2
0x0041f5e4
0x0041f5e7
0x0041f5eb
0x0041f5f0
0x0041f5f4
0x0041f5f4
0x0041f6ca
0x0041f6cf
0x0041f6cf
0x0041f6d8
0x0041f6df
0x0041f6e4
0x0041f6e6
0x0041f7af
0x0041f7af
0x0041f7af
0x0041f7af
0x0041f7b6
0x0041f7bb
0x00000000
0x0041f6ec
0x0041f6ec
0x0041f6f3
0x0041f6fe
0x0041f6fe
0x0041f703
0x0041f708
0x0041f70b
0x0041f70d
0x0041f70f
0x0041f70f
0x0041f717
0x0041f719
0x0041f71a
0x0041f71e
0x0041f723
0x0041f728
0x0041f72a
0x0041f72d
0x0041f731
0x0041f739
0x0041f73d
0x0041f742
0x0041f749
0x0041f749
0x0041f750
0x0041f752
0x0041f757
0x0041f75f
0x0041f762
0x0041f764
0x0041f766
0x0041f766
0x0041f76e
0x0041f770
0x0041f771
0x0041f778
0x0041f77d
0x0041f785
0x0041f787
0x0041f78a
0x0041f78e
0x0041f799
0x0041f79d
0x0041f7a2
0x0041f7a9
0x0041f7ab
0x0041f7ab
0x0041f7ab
0x0041f7ab
0x0041f7a9
0x00000000
0x0041f750
0x0041f6f5
0x0041f6fc
0x00000000
0x00000000
0x00000000
0x0041f6fc
0x0041f6e6
0x0041f4d3
0x0041f4d8
0x0041f4da
0x00000000
0x00000000
0x0041f4dc
0x0041f4e1
0x0041f4e4
0x00000000
0x0041f4be
0x0041f4be
0x0041f7be
0x0041f7c3
0x0041f7cc
0x0041f7cc
0x0041f4bc
0x0041f2f9
0x0041f2ff
0x00000000
0x00000000
0x00000000

APIs

__EH_prolog.LIBCMT ref: 0041F2B8

Part of subcall function 00408742: __EH_prolog.LIBCMT ref: 00408747

Part of subcall function 0041FF75: __EH_prolog.LIBCMT ref: 0041FF7A

Strings

uF, xrefs: 0041F424
PG, xrefs: 0041F3C3
uF, xrefs: 0041F451
Exit Code Match -- Reboot Ignored, xrefs: 0041F5B8, 0041F5D4
PG, xrefs: 0041F766
C:\CodeBases\isdev\src\Runtime\Shared\Setup\SetupPreRequisite.cpp, xrefs: 0041F307, 0041F436
PG, xrefs: 0041F382
MSI Returned ERROR_INSTALL_USEREXIT, xrefs: 0041F752, 0041F771
PG, xrefs: 0041F65B
CSetupPrerequisite::ExecutePrerequisite, xrefs: 0041F317, 0041F335
Exit Code Match -- Rebooting Now, xrefs: 0041F68B, 0041F6A7
Data File Location: , xrefs: 0041F371, 0041F38C
Exit Code Match -- Rebooting Later, xrefs: 0041F64A, 0041F666
PG, xrefs: 0041F612
PG, xrefs: 0041F2DC
Attempting to execute prerequisite: %s, xrefs: 0041F466
Return Code from EXE: %d, xrefs: 0041F51E
PG, xrefs: 0041F32B
MSI Returned ERROR_SUCCESS_REBOOT_INITIATED, xrefs: 0041F6FE, 0041F71A
PG, xrefs: 0041F70F
PG, xrefs: 0041F69C
Reboot Required, xrefs: 0041F557, 0041F573
PG, xrefs: 0041F405
PG, xrefs: 0041F5C9
Exit Code Match -- Exiting Now, xrefs: 0041F601, 0041F61D
PG, xrefs: 0041F568

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: H_prolog
String ID: Attempting to execute prerequisite: %s$C:\CodeBases\isdev\src\Runtime\Shared\Setup\SetupPreRequisite.cpp$CSetupPrerequisite::ExecutePrerequisite$Data File Location: $Exit Code Match -- Exiting Now$Exit Code Match -- Reboot Ignored$Exit Code Match -- Rebooting Later$Exit Code Match -- Rebooting Now$MSI Returned ERROR_INSTALL_USEREXIT$MSI Returned ERROR_SUCCESS_REBOOT_INITIATED$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$Reboot Required$Return Code from EXE: %d$uF$uF
API String ID: 3519838083-103639088
Opcode ID: 2a4ccae34912a203cca2bf511f23aa5fc73ddaec78d199a5f81020a745b19533
Instruction ID: f72bc2a4fc6638f5c551a9ad1fcb3bb0a3b0cf5e5edc0f52bf6cad48da1ed40b
Opcode Fuzzy Hash: 2a4ccae34912a203cca2bf511f23aa5fc73ddaec78d199a5f81020a745b19533
Instruction Fuzzy Hash: 40F16170A00218EADF14DB95C991BEEB778AB14304F50417FF406B72D2EB785E4ACB69

Uniqueness

Uniqueness Score: -1.00%

Function 0041112E Relevance: 40.9, APIs: 1, Strings: 22, Instructions: 613
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 81%

			E0041112E(char* __ecx, void* __eflags) {
				void* _t264;
				intOrPtr _t269;
				void* _t277;
				void* _t287;
				intOrPtr _t298;
				intOrPtr _t303;
				char _t314;
				char _t319;
				char _t324;
				void* _t337;
				void* _t347;
				void* _t357;
				signed int _t360;
				void* _t367;
				void* _t377;
				void* _t387;
				signed int _t403;
				signed int _t408;
				void* _t409;
				intOrPtr* _t473;
				intOrPtr* _t479;
				void* _t502;
				char* _t506;
				void* _t512;
				void* _t514;
				char* _t516;
				intOrPtr _t517;
				intOrPtr _t518;
				char* _t519;
				intOrPtr _t520;
				char* _t521;
				intOrPtr _t522;
				intOrPtr _t523;
				intOrPtr _t524;
				char* _t525;
				intOrPtr _t527;
				intOrPtr _t528;
				intOrPtr _t529;
				intOrPtr _t530;
				intOrPtr _t531;
				intOrPtr _t532;
				intOrPtr _t533;
				intOrPtr _t534;
				intOrPtr _t535;
				intOrPtr _t536;
				intOrPtr _t537;
				intOrPtr _t538;
				intOrPtr _t539;
				intOrPtr _t540;
				intOrPtr _t541;
				intOrPtr _t542;
				char* _t543;
				intOrPtr _t544;
				intOrPtr _t545;
				char* _t546;
				intOrPtr _t547;
				intOrPtr _t548;
				char* _t549;
				intOrPtr* _t550;
				intOrPtr _t551;
				char* _t552;
				intOrPtr* _t553;
				intOrPtr _t554;
				char* _t555;
				intOrPtr _t556;
				intOrPtr _t557;
				char* _t558;
				intOrPtr _t559;
				intOrPtr _t560;

				_t563 = __eflags;
				L0043B644(0x460c43, _t512);
				_t506 = __ecx;
				L0043334B(_t512 - 0x120, __eflags);
				_push(0);
				 *(_t512 - 4) =  *(_t512 - 4) & 0x00000000;
				_t516 = _t514 - 0xec;
				 *(_t512 - 0x1c) = _t516;
				_t408 = 1;
				L00401732(_t516, "=", _t512 - 0xf, _t408);
				_t517 = _t516 - 0x28;
				 *((intOrPtr*)(_t512 - 0x14)) = _t517;
				 *(_t512 - 4) = _t408;
				L00401708(_t517, _t506 + 0x10c, _t408);
				 *(_t512 - 4) =  *(_t512 - 4) & 0x00000000;
				_t264 = E004336A5(_t512 - 0x120, _t502, _t563); // executed
				if(_t264 != 0) {
					_push(4);
					_t518 = _t517 - 0x28;
					 *((intOrPtr*)(_t512 - 0x14)) = _t518;
					L00401732(_t518, L"ScriptDriven", _t512 - 0xf, _t408);
					_t519 = _t518 - 0x28;
					 *(_t512 - 0x1c) = _t519;
					_t509 = L"Startup";
					 *(_t512 - 4) = 2;
					L00401732(_t519, L"Startup", _t512 - 0xd, _t408);
					 *(_t512 - 4) =  *(_t512 - 4) & 0x00000000;
					_t269 = E0043439C(_t512 - 0x120, _t502, __eflags);
					_t520 = _t519 - 0x28;
					 *((intOrPtr*)(_t506 + 0x44)) = _t269;
					 *((intOrPtr*)(_t512 - 0x14)) = _t520;
					_push(_t408);
					_push(_t512 - 0xd);
					_push(0x47e154);
					L00401B15(_t520);
					_t521 = _t520 - 0x28;
					 *(_t512 - 0x1c) = _t521;
					 *(_t512 - 4) = 3;
					L00401732(_t521, L"Product", _t512 - 0xf, _t408);
					_t522 = _t521 - 0x28;
					 *((intOrPtr*)(_t512 - 0x18)) = _t522;
					 *(_t512 - 4) = 4;
					L00401732(_t522, _t509, _t512 - 0xe, _t408);
					 *(_t512 - 4) =  *(_t512 - 4) & 0x00000000;
					_push(_t512 - 0x6c);
					_t277 = E004342AF(_t512 - 0x120, _t502, __eflags);
					 *(_t512 - 4) = 5;
					L00401A1E(_t506 + 0x1ac, _t277);
					 *(_t512 - 4) =  *(_t512 - 4) & 0x00000000;
					L0040125C(_t512 - 0x6c);
					__eflags =  *((intOrPtr*)(_t506 + 0x44)) - 4;
					 *(_t512 - 0x1c) = L"ProductCode";
					if( *((intOrPtr*)(_t506 + 0x44)) == 4) {
						 *(_t512 - 0x1c) = L"ProductGUID";
					}
					_t523 = _t522 - 0x28;
					 *((intOrPtr*)(_t512 - 0x18)) = _t523;
					_push(_t408);
					_push(_t512 - 0xe);
					_push(0x47e154);
					L00401B15(_t523);
					_t524 = _t523 - 0x28;
					 *((intOrPtr*)(_t512 - 0x14)) = _t524;
					_t45 = _t512 - 0x1c; // 0x477534
					 *(_t512 - 4) = 6;
					L00401732(_t524,  *_t45, _t512 - 0xd, _t408);
					_t525 = _t524 - 0x28;
					 *(_t512 - 0x1c) = _t525;
					 *(_t512 - 4) = 7;
					L00401732(_t525, _t509, _t512 - 0xf, _t408);
					 *(_t512 - 4) =  *(_t512 - 4) & 0x00000000;
					_push(_t512 - 0x6c);
					_t287 = E004342AF(_t512 - 0x120, _t502, __eflags);
					 *(_t512 - 4) = 8;
					L00401A1E(_t506 + 0x24c, _t287);
					 *(_t512 - 4) =  *(_t512 - 4) & 0x00000000;
					L0040125C(_t512 - 0x6c);
					__eflags =  *((intOrPtr*)(_t506 + 0x44)) - 4;
					if( *((intOrPtr*)(_t506 + 0x44)) == 4) {
						_push(0);
						_t527 = _t525 - 0x28;
						 *((intOrPtr*)(_t512 - 0x18)) = _t527;
						L00401732(_t527, L"MediaFormat", _t512 - 0xe, _t408);
						_t528 = _t527 - 0x28;
						 *((intOrPtr*)(_t512 - 0x14)) = _t528;
						 *(_t512 - 4) = 9;
						L00401732(_t528, _t509, _t512 - 0xd, _t408);
						 *(_t512 - 4) =  *(_t512 - 4) & 0x00000000;
						_t298 = E0043439C(_t512 - 0x120, _t502, __eflags);
						_push(_t408);
						 *((intOrPtr*)(_t506 + 0x28)) = _t298;
						_t529 = _t528 - 0x28;
						 *((intOrPtr*)(_t512 - 0x18)) = _t529;
						L00401732(_t529, L"LogMode", _t512 - 0xe, _t408);
						_t530 = _t529 - 0x28;
						 *((intOrPtr*)(_t512 - 0x14)) = _t530;
						 *(_t512 - 4) = 0xa;
						L00401732(_t530, _t509, _t512 - 0xd, _t408);
						 *(_t512 - 4) =  *(_t512 - 4) & 0x00000000;
						_t303 = E0043439C(_t512 - 0x120, _t502, __eflags);
						_push(5);
						 *((intOrPtr*)(_t506 + 0x2c)) = _t303;
						_t531 = _t530 - 0x28;
						 *((intOrPtr*)(_t512 - 0x18)) = _t531;
						L00401732(_t531, L"SplashTime", _t512 - 0xe, _t408);
						_t532 = _t531 - 0x28;
						 *((intOrPtr*)(_t512 - 0x14)) = _t532;
						 *(_t512 - 4) = 0xb;
						L00401732(_t532, _t509, _t512 - 0xd, _t408);
						 *(_t512 - 4) =  *(_t512 - 4) & 0x00000000;
						 *((intOrPtr*)(_t506 + 0x24)) = E0043439C(_t512 - 0x120, _t502, __eflags);
						_push(E00437791());
						_t533 = _t532 - 0x28;
						 *((intOrPtr*)(_t512 - 0x18)) = _t533;
						L00401732(_t533, L"AllUsers", _t512 - 0xe, _t408);
						 *(_t512 - 4) = 0xc;
						_t534 = _t533 - 0x28;
						 *((intOrPtr*)(_t512 - 0x14)) = _t534;
						L00401732(_t534, _t509, _t512 - 0xd, _t408);
						 *(_t512 - 4) =  *(_t512 - 4) & 0x00000000;
						_t314 = E00434511(_t512 - 0x120, _t502, __eflags);
						_push(0);
						 *((char*)(_t506 + 0xe)) = _t314;
						_t535 = _t534 - 0x28;
						 *((intOrPtr*)(_t512 - 0x18)) = _t535;
						L00401732(_t535, L"SmallProgress", _t512 - 0xe, _t408);
						_t536 = _t535 - 0x28;
						 *((intOrPtr*)(_t512 - 0x14)) = _t536;
						 *(_t512 - 4) = 0xd;
						L00401732(_t536, _t509, _t512 - 0xd, _t408);
						 *(_t512 - 4) =  *(_t512 - 4) & 0x00000000;
						_t319 = E00434511(_t512 - 0x120, _t502, __eflags);
						_push(0);
						 *((char*)(_t506 + 8)) = _t319;
						_t537 = _t536 - 0x28;
						 *((intOrPtr*)(_t512 - 0x18)) = _t537;
						L00401732(_t537, L"ShowPasswordDialog", _t512 - 0xe, _t408);
						_t538 = _t537 - 0x28;
						 *((intOrPtr*)(_t512 - 0x14)) = _t538;
						 *(_t512 - 4) = 0xe;
						L00401732(_t538, _t509, _t512 - 0xd, _t408);
						 *(_t512 - 4) =  *(_t512 - 4) & 0x00000000;
						_t324 = E00434511(_t512 - 0x120, _t502, __eflags);
						_push(_t408);
						 *((char*)(_t506 + 0xa)) = _t324;
						_t539 = _t538 - 0x28;
						 *((intOrPtr*)(_t512 - 0x18)) = _t539;
						L00401732(_t539, L"CheckMD5", _t512 - 0xe, _t408);
						_t540 = _t539 - 0x28;
						 *((intOrPtr*)(_t512 - 0x14)) = _t540;
						 *(_t512 - 4) = 0xf;
						L00401732(_t540, _t509, _t512 - 0xd, _t408);
						 *(_t512 - 4) =  *(_t512 - 4) & 0x00000000;
						 *((char*)(_t506 + 0xb)) = E00434511(_t512 - 0x120, _t502, __eflags);
						_t541 = _t540 - 0x28;
						 *((intOrPtr*)(_t512 - 0x18)) = _t541;
						_push(_t408);
						_push(_t512 - 0xe);
						_push(0x47e154);
						L00401B15(_t541);
						_t542 = _t541 - 0x28;
						 *((intOrPtr*)(_t512 - 0x14)) = _t542;
						 *(_t512 - 4) = 0x10;
						L00401732(_t542, L"CompanyName", _t512 - 0xd, _t408);
						_t543 = _t542 - 0x28;
						 *(_t512 - 0x1c) = _t543;
						 *(_t512 - 4) = 0x11;
						L00401732(_t543, _t509, _t512 - 0xf, _t408);
						 *(_t512 - 4) =  *(_t512 - 4) & 0x00000000;
						_push(_t512 - 0x44);
						_t337 = E004342AF(_t512 - 0x120, _t502, __eflags);
						 *(_t512 - 4) = 0x12;
						L00401A1E(_t506 + 0x1d4, _t337);
						 *(_t512 - 4) =  *(_t512 - 4) & 0x00000000;
						L0040125C(_t512 - 0x44);
						_t544 = _t543 - 0x28;
						 *((intOrPtr*)(_t512 - 0x18)) = _t544;
						_push(_t408);
						_push(_t512 - 0xe);
						_push(0x47e154);
						L00401B15(_t544);
						_t545 = _t544 - 0x28;
						 *((intOrPtr*)(_t512 - 0x14)) = _t545;
						 *(_t512 - 4) = 0x13;
						L00401732(_t545, L"CompanyURL", _t512 - 0xd, _t408);
						_t546 = _t545 - 0x28;
						 *(_t512 - 0x1c) = _t546;
						 *(_t512 - 4) = 0x14;
						L00401732(_t546, _t509, _t512 - 0xf, _t408);
						 *(_t512 - 4) =  *(_t512 - 4) & 0x00000000;
						_push(_t512 - 0x44);
						_t347 = E004342AF(_t512 - 0x120, _t502, __eflags);
						 *(_t512 - 4) = 0x15;
						L00401A1E(_t506 + 0x1fc, _t347);
						 *(_t512 - 4) =  *(_t512 - 4) & 0x00000000;
						L0040125C(_t512 - 0x44);
						_t547 = _t546 - 0x28;
						 *((intOrPtr*)(_t512 - 0x18)) = _t547;
						_push(_t408);
						_push(_t512 - 0xe);
						_push(0x47e154);
						L00401B15(_t547);
						_t548 = _t547 - 0x28;
						 *((intOrPtr*)(_t512 - 0x14)) = _t548;
						 *(_t512 - 4) = 0x16;
						L00401732(_t548, L"Skin", _t512 - 0xd, _t408);
						_t549 = _t548 - 0x28;
						 *(_t512 - 0x1c) = _t549;
						 *(_t512 - 4) = 0x17;
						L00401732(_t549, _t509, _t512 - 0xf, _t408);
						 *(_t512 - 4) =  *(_t512 - 4) & 0x00000000;
						_push(_t512 - 0x44);
						_t357 = E004342AF(_t512 - 0x120, _t502, __eflags);
						 *(_t512 - 4) = 0x18;
						L00401A1E(_t506 + 0x224, _t357);
						 *(_t512 - 4) =  *(_t512 - 4) & 0x00000000;
						L0040125C(_t512 - 0x44);
						_t550 = _t549 - 0x28;
						_t360 = L"http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d : 0x%x&ErrorInfo=%s";
						_t473 = _t550;
						__eflags = _t360;
						 *((intOrPtr*)(_t512 - 0x18)) = _t550;
						 *_t473 = 0x46757c;
						 *((intOrPtr*)(_t473 + 0x20)) = 0x467574;
						if(_t360 == 0) {
							_t360 = 0x47e150;
						}
						_t504 = _t512 - 0xe;
						_push(0);
						_push(_t512 - 0xe);
						_push(_t360);
						L0040176A(_t473);
						_t551 = _t550 - 0x28;
						 *((intOrPtr*)(_t512 - 0x14)) = _t551;
						 *(_t512 - 4) = 0x19;
						L00401732(_t551, L"ErrorReportURL", _t512 - 0xd, _t408);
						_t552 = _t551 - 0x28;
						 *(_t512 - 0x1c) = _t552;
						 *(_t512 - 4) = 0x1a;
						L00401732(_t552, _t509, _t512 - 0xf, _t408);
						 *(_t512 - 4) =  *(_t512 - 4) & 0x00000000;
						_push(_t512 - 0x44);
						_t367 = E004342AF(_t512 - 0x120, _t512 - 0xe, __eflags);
						 *(_t512 - 4) = 0x1b;
						L00401A1E(_t506 + 0xe4, _t367);
						 *(_t512 - 4) =  *(_t512 - 4) & 0x00000000;
						L0040125C(_t512 - 0x44);
						_t553 = _t552 - 0x28;
						 *((intOrPtr*)(_t512 - 0x18)) = _t553;
						_t479 = _t553;
						_push(0);
						_push(_t506 + 0x184);
						 *_t479 = 0x46757c;
						 *((intOrPtr*)(_t479 + 0x20)) = 0x467574;
						L00401CDD(_t479);
						_t554 = _t553 - 0x28;
						 *((intOrPtr*)(_t512 - 0x14)) = _t554;
						 *(_t512 - 4) = 0x1c;
						L00401732(_t554, L"InstallGUID", _t512 - 0xe, _t408);
						_t555 = _t554 - 0x28;
						 *(_t512 - 0x1c) = _t555;
						 *(_t512 - 4) = 0x1d;
						L00401732(_t555, _t509, _t512 - 0xd, _t408);
						 *(_t512 - 4) =  *(_t512 - 4) & 0x00000000;
						_push(_t512 - 0x44);
						_t377 = E004342AF(_t512 - 0x120, _t504, __eflags);
						 *(_t512 - 4) = 0x1e;
						L00401A1E(_t506 + 0x184, _t377);
						 *(_t512 - 4) =  *(_t512 - 4) & 0x00000000;
						L0040125C(_t512 - 0x44);
						_t556 = _t555 - 0x28;
						 *((intOrPtr*)(_t512 - 0x18)) = _t556;
						_push(_t408);
						_push(_t512 - 0xe);
						_push("setup.exe");
						L00401B15(_t556);
						_t557 = _t556 - 0x28;
						 *((intOrPtr*)(_t512 - 0x14)) = _t557;
						 *(_t512 - 4) = 0x1f;
						L00401732(_t557, L"LauncherName", _t512 - 0xd, _t408);
						_t558 = _t557 - 0x28;
						 *(_t512 - 0x1c) = _t558;
						 *(_t512 - 4) = 0x20;
						L00401732(_t558, _t509, _t512 - 0xf, _t408);
						 *(_t512 - 4) =  *(_t512 - 4) & 0x00000000;
						_push(_t512 - 0x44);
						_t387 = E004342AF(_t512 - 0x120, _t504, __eflags);
						 *(_t512 - 4) = 0x21;
						L00401A1E(_t506 + 0x274, _t387);
						 *(_t512 - 4) =  *(_t512 - 4) & 0x00000000;
						L0040125C(_t512 - 0x44);
						_t559 = _t558 - 0x28;
						 *((intOrPtr*)(_t512 - 0x18)) = _t559;
						_push(_t408);
						_push(_t512 - 0xe);
						_push(0x47e154);
						L00401B15(_t559);
						_t560 = _t559 - 0x28;
						 *((intOrPtr*)(_t512 - 0x14)) = _t560;
						 *(_t512 - 4) = 0x22;
						L00401732(_t560, L"cmdline", _t512 - 0xd, _t408);
						_t561 = _t560 - 0x28;
						 *(_t512 - 0x1c) = _t560 - 0x28;
						 *(_t512 - 4) = 0x23;
						L00401732(_t561, _t509, _t512 - 0xf, _t408);
						 *(_t512 - 4) =  *(_t512 - 4) & 0x00000000;
						_push(_t512 - 0x6c);
						E004342AF(_t512 - 0x120, _t504, __eflags);
						 *(_t512 - 4) = 0x24;
						__eflags =  *(_t512 - 0x60);
						if(__eflags != 0) {
							E004109B7(_t506, __eflags, _t512 - 0x6c);
							__eflags =  *(_t512 - 0x60);
							if( *(_t512 - 0x60) != 0) {
								_push(_t512 - 0x6c);
								_push(" ");
								_push(_t512 - 0x44);
								_t403 = E00406005();
								 *(_t512 - 4) = 0x25;
								asm("sbb ecx, ecx");
								_t499 =  ~_t403 & _t403 + 0x00000004;
								__eflags =  ~_t403 & _t403 + 0x00000004;
								L004057F3(_t506 + 0x98, _t499, 0,  *0x467594);
								 *(_t512 - 4) = 0x24;
								L0040125C(_t512 - 0x44);
							}
						}
						_t249 = _t512 - 4;
						 *_t249 =  *(_t512 - 4) & 0x00000000;
						__eflags =  *_t249;
						L0040125C(_t512 - 0x6c);
					}
					_push(_t512 - 0x120);
					_t409 = L004118AF(_t506);
				} else {
					_t409 = 0;
				}
				_t253 = _t512 - 4;
				 *(_t512 - 4) =  *(_t512 - 4) | 0xffffffff;
				L00433631(_t512 - 0x120,  *_t253);
				 *[fs:0x0] =  *((intOrPtr*)(_t512 - 0xc));
				return _t409;
			}

0x0041112e
0x00411133
0x00411141
0x00411149
0x0041114e
0x00411150
0x00411154
0x0041115c
0x00411161
0x00411169
0x0041116e
0x00411179
0x0041117e
0x00411181
0x00411186
0x00411190
0x00411197
0x004111a0
0x004111a5
0x004111aa
0x004111b4
0x004111b9
0x004111c1
0x004111c5
0x004111cc
0x004111d0
0x004111d5
0x004111df
0x004111e4
0x004111e7
0x004111ec
0x004111f2
0x004111f3
0x004111f4
0x004111f9
0x004111fe
0x00411206
0x00411210
0x00411214
0x00411219
0x00411221
0x00411227
0x0041122b
0x00411230
0x00411237
0x0041123e
0x0041124a
0x0041124e
0x00411253
0x0041125a
0x0041125f
0x00411263
0x0041126a
0x0041126c
0x0041126c
0x00411273
0x0041127b
0x0041127e
0x0041127f
0x00411280
0x00411285
0x0041128a
0x00411292
0x00411297
0x0041129a
0x0041129e
0x004112a3
0x004112ab
0x004112b1
0x004112b5
0x004112ba
0x004112c1
0x004112c8
0x004112d4
0x004112d8
0x004112dd
0x004112e4
0x004112e9
0x004112ed
0x004112f3
0x004112f8
0x004112fd
0x00411307
0x0041130c
0x00411314
0x0041131a
0x0041131e
0x00411323
0x0041132d
0x00411332
0x00411333
0x00411336
0x0041133e
0x00411348
0x0041134d
0x00411355
0x0041135b
0x0041135f
0x00411364
0x0041136e
0x00411373
0x00411375
0x00411378
0x00411380
0x0041138a
0x0041138f
0x00411397
0x0041139d
0x004113a1
0x004113a6
0x004113b5
0x004113bd
0x004113c1
0x004113c6
0x004113d0
0x004113d5
0x004113d9
0x004113e1
0x004113e7
0x004113ec
0x004113f6
0x004113fb
0x004113fd
0x00411400
0x00411408
0x00411412
0x00411417
0x0041141f
0x00411425
0x00411429
0x0041142e
0x00411438
0x0041143d
0x0041143f
0x00411442
0x0041144a
0x00411454
0x00411459
0x00411461
0x00411467
0x0041146b
0x00411470
0x0041147a
0x0041147f
0x00411480
0x00411483
0x0041148b
0x00411495
0x0041149a
0x004114a2
0x004114a8
0x004114ac
0x004114b1
0x004114c0
0x004114c3
0x004114cb
0x004114ce
0x004114cf
0x004114d0
0x004114d5
0x004114da
0x004114e2
0x004114ec
0x004114f0
0x004114f5
0x004114fd
0x00411503
0x00411507
0x0041150c
0x00411513
0x0041151a
0x00411526
0x0041152a
0x0041152f
0x00411536
0x0041153b
0x00411543
0x00411546
0x00411547
0x00411548
0x0041154d
0x00411552
0x0041155a
0x00411564
0x00411568
0x0041156d
0x00411575
0x0041157b
0x0041157f
0x00411584
0x0041158b
0x00411592
0x0041159e
0x004115a2
0x004115a7
0x004115ae
0x004115b3
0x004115bb
0x004115be
0x004115bf
0x004115c0
0x004115c5
0x004115ca
0x004115d2
0x004115dc
0x004115e0
0x004115e5
0x004115ed
0x004115f3
0x004115f7
0x004115fc
0x00411603
0x0041160a
0x00411616
0x0041161a
0x0041161f
0x00411626
0x0041162b
0x0041162e
0x00411633
0x00411637
0x00411639
0x0041163c
0x00411642
0x00411649
0x0041164b
0x0041164b
0x00411650
0x00411653
0x00411655
0x00411656
0x00411657
0x0041165c
0x00411664
0x0041166e
0x00411672
0x00411677
0x0041167f
0x00411685
0x00411689
0x0041168e
0x00411695
0x0041169c
0x004116a8
0x004116ac
0x004116b1
0x004116b8
0x004116bd
0x004116c6
0x004116c9
0x004116cb
0x004116cd
0x004116ce
0x004116d4
0x004116db
0x004116e0
0x004116e8
0x004116f2
0x004116f6
0x004116fb
0x00411703
0x00411709
0x0041170d
0x00411712
0x00411719
0x00411720
0x0041172c
0x00411730
0x00411735
0x0041173c
0x00411741
0x00411746
0x0041174c
0x0041174d
0x0041174e
0x00411753
0x00411758
0x00411760
0x0041176a
0x0041176e
0x00411773
0x0041177b
0x00411781
0x00411785
0x0041178a
0x00411791
0x00411798
0x004117a4
0x004117a8
0x004117ad
0x004117b4
0x004117b9
0x004117c1
0x004117c4
0x004117c5
0x004117c6
0x004117cb
0x004117d0
0x004117d8
0x004117e2
0x004117e6
0x004117eb
0x004117f3
0x004117f9
0x004117fd
0x00411802
0x00411809
0x00411810
0x00411817
0x0041181b
0x0041181e
0x00411826
0x0041182b
0x0041182e
0x00411833
0x00411837
0x0041183c
0x0041183d
0x00411850
0x00411856
0x00411859
0x00411859
0x00411862
0x0041186a
0x0041186e
0x0041186e
0x0041182e
0x00411873
0x00411873
0x00411873
0x0041187a
0x0041187a
0x00411887
0x0041188d
0x00411199
0x00411199
0x00411199
0x0041188f
0x0041188f
0x00411899
0x004118a5
0x004118ae

APIs

__EH_prolog.LIBCMT ref: 00411133

Part of subcall function 0043334B: __EH_prolog.LIBCMT ref: 00433350

Part of subcall function 004336A5: __EH_prolog.LIBCMT ref: 004336AA

Part of subcall function 00433631: __EH_prolog.LIBCMT ref: 00433636

Strings

MediaFormat, xrefs: 00411302
LauncherName, xrefs: 00411765
Startup, xrefs: 004111C5, 004111CB, 00411226, 004112B0, 00411319, 0041135A, 0041139C, 004113E6, 00411424, 00411466, 004114A7, 00411502, 0041157A, 004115F2, 00411684, 00411708, 00411780, 004117F8
ScriptDriven, xrefs: 004111AF
4uG, xrefs: 00411297
CompanyURL, xrefs: 0041155F
Skin, xrefs: 004115D7
ErrorReportURL, xrefs: 00411669
CheckMD5, xrefs: 00411490
setup.exe, xrefs: 0041174E
tuF, xrefs: 004116D4
http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d : 0x%x&ErrorInfo=%s, xrefs: 0041162E, 00411656
SmallProgress, xrefs: 0041140D
Product, xrefs: 0041120B
AllUsers, xrefs: 004113CB
SplashTime, xrefs: 00411385
ShowPasswordDialog, xrefs: 0041144F
PG, xrefs: 0041164B
LogMode, xrefs: 00411343
CompanyName, xrefs: 004114E7
InstallGUID, xrefs: 004116ED
cmdline, xrefs: 004117DD

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: H_prolog
String ID: 4uG$AllUsers$CheckMD5$CompanyName$CompanyURL$ErrorReportURL$InstallGUID$LauncherName$LogMode$MediaFormat$Product$PG$ScriptDriven$ShowPasswordDialog$Skin$SmallProgress$SplashTime$Startup$cmdline$http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d : 0x%x&ErrorInfo=%s$setup.exe$tuF
API String ID: 3519838083-3926900056
Opcode ID: d1a7a93e46259c0696b6038d4afc5b3caa6a5575deaee05acdfedcab230a7bdf
Instruction ID: e947c9c9c33f877980167354a6bbd37e3650a4bbefdf2f9a152f32bc66e233f0
Opcode Fuzzy Hash: d1a7a93e46259c0696b6038d4afc5b3caa6a5575deaee05acdfedcab230a7bdf
Instruction Fuzzy Hash: 84328571D15248BEDB04EBA5C946BEEBB7C9F19308F5041AEE40573192DB781F08CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00408C37 Relevance: 40.6, APIs: 11, Strings: 12, Instructions: 335
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00408C37(WCHAR* __ecx) {
				void* __esi;
				long _t129;
				WCHAR* _t132;
				WCHAR* _t135;
				short* _t158;
				signed int _t168;
				intOrPtr _t172;
				signed int _t181;
				WCHAR* _t186;
				WCHAR* _t188;
				void* _t189;
				int _t198;
				void* _t199;
				int _t200;
				intOrPtr _t217;
				intOrPtr _t251;
				WCHAR* _t261;
				WCHAR* _t262;
				void* _t268;
				WCHAR* _t269;
				void* _t271;

				L0043B644(0x45faa3, _t271);
				 *(_t271 - 0x1c) = __ecx;
				 *(_t271 - 0x18) = 0;
				 *(_t271 - 4) = 0;
				 *(_t271 - 0x14) = 0;
				_t129 = RegOpenKeyExW(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion", 0, 0xf003f, _t271 - 0x14); // executed
				if(_t129 != 0) {
					L9:
					if(( *(_t271 - 0x1c))[0x80] != 0) {
						 *(_t271 - 0x10) = 0;
						 *(_t271 - 4) = 3;
						 *(_t271 + 8) = 0;
						_t132 = RegOpenKeyExW(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 0, 0xf003f, _t271 + 8); // executed
						__eflags = _t132;
						if(_t132 != 0) {
							L13:
							 *(_t271 + 8) = 0;
							_t135 = RegCreateKeyExW(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 0, 0, 0, 0xf003f, 0, _t271 + 8, _t271 - 0x14);
							__eflags = _t135;
							if(_t135 != 0) {
								L36:
								__eflags =  *(_t271 - 0x10);
								if( *(_t271 - 0x10) != 0) {
									_t135 = RegCloseKey( *(_t271 - 0x10));
									 *(_t271 - 0x10) = 0;
								}
								__eflags =  *(_t271 - 0x18);
								if( *(_t271 - 0x18) != 0) {
									_t135 = RegCloseKey( *(_t271 - 0x18));
								}
								L40:
								 *[fs:0x0] =  *((intOrPtr*)(_t271 - 0xc));
								return _t135;
							}
							_t135 = L00409079(_t271 - 0x10);
							__eflags = _t135;
							 *(_t271 - 0x10) =  *(_t271 + 8);
							if(_t135 != 0) {
								goto L36;
							}
							L15:
							 *((intOrPtr*)( *(( *(_t271 - 0x1c))[0x64]) + 0x1c))(_t271 - 0x48, 0x12);
							__eflags =  *(_t271 - 0x3c);
							 *(_t271 - 4) = 4;
							if( *(_t271 - 0x3c) == 0) {
								_t186 = GetCommandLineW();
								__eflags = _t186;
								if(_t186 == 0) {
									_t186 = 0x47e150;
								}
								L00401E03(_t271 - 0x48, _t186);
							}
							_push(1);
							_push(_t271 + 0xb);
							_push(" ");
							L0040176A(_t271 - 0xc0);
							 *(_t271 - 4) = 5;
							E0040A5B2(_t271 - 0x48, _t271, __eflags, _t271 - 0xc0);
							 *(_t271 - 4) = 4;
							L0040125C(_t271 - 0xc0);
							_t217 =  *0x47e1d4; // 0x2380b70
							L00403789(_t217, _t271 - 0x70);
							_push(0);
							_push(_t271 - 0x98);
							 *(_t271 - 4) = 6;
							L004056FB(_t271 - 0x70, 0x80000001, __eflags);
							asm("sbb eax, eax");
							 *(_t271 - 4) = 7;
							 *(_t271 + 8) = L0040B6E0( ~(_t271 - 0x70) & _t271 - 0x0000006c, 0);
							asm("sbb eax, eax");
							_t261 = L0040B6E0( ~(_t271 - 0x98) & _t271 - 0x00000094, 0);
							 *(_t271 - 0x1c) = _t261;
							_t268 = E0040238F(_t271 - 0x44, L".exe", 0, L0043BA1F(L".exe"));
							_t158 = L0040CC86(_t271 - 0x44, 0);
							__eflags =  *_t158 - 0x22;
							if( *_t158 == 0x22) {
								__eflags =  *0x467594 -  *(_t271 + 8); // 0xffffffff
								if(__eflags == 0) {
									__eflags = _t261 - 1;
									if(_t261 == 1) {
										_t168 = E00401A68(_t271 - 0x70, _t271 - 0xc0, 0,  *(_t271 - 0x64) -  *((intOrPtr*)(_t271 - 0x8c)));
										 *(_t271 - 4) = 9;
										asm("sbb ecx, ecx");
										__eflags =  ~_t168 & _t168 + 0x00000004;
										L0040BFCB(_t271 - 0x44, _t261,  ~_t168 & _t168 + 0x00000004, 0,  *0x467594);
										 *(_t271 - 4) = 7;
										L0040125C(_t271 - 0xc0);
									}
								}
							} else {
								__eflags =  *(_t271 + 8);
								if( *(_t271 + 8) != 0) {
									_t172 =  *0x467594; // 0xffffffff
									__eflags = _t172 - _t261;
									if(_t172 == _t261) {
										__eflags = _t172 - _t268;
										_t87 = _t268 + 4; // 0x4
										_t262 = _t87;
										if(_t172 == _t268) {
											_t262 =  *(_t271 - 0x3c);
										}
									} else {
										_t262 = _t261 +  *((intOrPtr*)(_t271 - 0x8c));
									}
								} else {
									_t262 =  *(_t271 - 0x64);
								}
								_t270 = "\"";
								L0040B64C(_t271 - 0x44, _t262, "\"", L0043BA1F("\""));
								__eflags =  *0x467594 -  *(_t271 + 8); // 0xffffffff
								if(__eflags == 0) {
									__eflags =  *(_t271 - 0x1c);
									if( *(_t271 - 0x1c) == 0) {
										_t181 = E00401A68(_t271 - 0x70, _t271 - 0xc0, 0,  *(_t271 - 0x64) -  *((intOrPtr*)(_t271 - 0x8c)));
										 *(_t271 - 4) = 8;
										asm("sbb ecx, ecx");
										__eflags =  ~_t181 & _t181 + 0x00000004;
										L0040BFCB(_t271 - 0x44, 0,  ~_t181 & _t181 + 0x00000004, 0,  *0x467594);
										 *(_t271 - 4) = 7;
										L0040125C(_t271 - 0xc0);
									}
								}
								L0040B64C(_t271 - 0x44, 0, _t270, L0043BA1F(_t270));
							}
							_t269 =  *(_t271 - 0x40);
							__eflags = _t269;
							if(_t269 == 0) {
								_t269 = 0x467570;
							}
							RegSetValueExW( *(_t271 - 0x10), L"  ISSetupPrerequisistes", 0, 1, _t269, lstrlenW(_t269) + _t160 + 2); // executed
							 *(_t271 - 4) = 6;
							L0040125C(_t271 - 0x98);
							 *(_t271 - 4) = 4;
							L0040125C(_t271 - 0x70);
							 *(_t271 - 4) = 3;
							_t135 = L0040125C(_t271 - 0x48);
							goto L36;
						}
						_t188 = L00409079(_t271 - 0x10);
						__eflags = _t188;
						 *(_t271 - 0x10) =  *(_t271 + 8);
						if(_t188 == 0) {
							goto L15;
						}
						goto L13;
					}
					 *(_t271 - 4) =  *(_t271 - 4) | 0xffffffff;
					_t135 = L00409079(_t271 - 0x18);
					goto L40;
				}
				_t189 = L00409079(_t271 - 0x18);
				 *(_t271 - 0x18) =  *(_t271 - 0x14);
				if(_t189 == 0) {
					_t251 =  *0x47e1d4; // 0x2380b70
					L00403659(_t251, _t271 - 0x48);
					_push(0);
					_push(_t271 - 0x1d);
					 *(_t271 - 4) = 1;
					 *(_t271 - 0x98) = 0x46757c;
					 *((intOrPtr*)(_t271 - 0x78)) = 0x467574;
					L00401C68(_t271 - 0x98);
					_t194 =  *(_t271 - 0x40);
					 *(_t271 - 4) = 2;
					if( *(_t271 - 0x40) == 0) {
						_t194 = 0x467570;
					}
					_t17 = _t271 - 0x98; // 0x46757c
					L004057E0(_t17, L"%%IS_PREREQ%%-%s", _t194);
					_push(1);
					_push( *(_t271 + 8));
					E0040A677(_t271 - 0x70);
					_t198 =  *(_t271 - 0x90);
					 *(_t271 - 0x14) = 0x467570;
					if(_t198 != 0) {
						 *(_t271 - 0x14) = _t198;
					}
					_t199 =  *(_t271 - 0x68);
					 *(_t271 + 8) = 0x4675e4;
					if(_t199 != 0) {
						 *(_t271 + 8) = _t199;
					}
					_t200 = lstrlenW( *(_t271 + 8));
					_t30 = _t271 - 0x14; // 0x467570
					RegSetValueExW( *(_t271 - 0x18),  *_t30, 0, 1,  *(_t271 + 8), _t200 + _t200 + 2); // executed
					E004061C1(_t271 - 0x70);
					_t33 = _t271 - 0x98; // 0x46757c
					 *(_t271 - 4) = 1;
					L0040125C(_t33);
					 *(_t271 - 4) = 0;
					L0040125C(_t271 - 0x48);
				}
			}

0x00408c3c
0x00408c4c
0x00408c4f
0x00408c68
0x00408c6b
0x00408c6e
0x00408c76
0x00408d5f
0x00408d68
0x00408d7b
0x00408d81
0x00408d8e
0x00408d91
0x00408d97
0x00408d99
0x00408dad
0x00408db0
0x00408dc3
0x00408dc9
0x00408dcb
0x00409036
0x00409036
0x0040903f
0x00409044
0x00409046
0x00409046
0x00409049
0x0040904c
0x00409051
0x00409051
0x00409053
0x00409059
0x00409061
0x00409061
0x00408dd4
0x00408ddc
0x00408dde
0x00408de1
0x00000000
0x00000000
0x00408de7
0x00408df8
0x00408dfb
0x00408dfe
0x00408e02
0x00408e04
0x00408e0a
0x00408e0c
0x00408e0e
0x00408e0e
0x00408e17
0x00408e17
0x00408e1f
0x00408e21
0x00408e22
0x00408e2d
0x00408e3c
0x00408e40
0x00408e4b
0x00408e4f
0x00408e54
0x00408e5e
0x00408e69
0x00408e6a
0x00408e6e
0x00408e72
0x00408e7f
0x00408e88
0x00408e91
0x00408e9c
0x00408eb5
0x00408eb8
0x00408ed0
0x00408ed2
0x00408ed7
0x00408edb
0x00408f8f
0x00408f95
0x00408f97
0x00408f9a
0x00408fb1
0x00408fc1
0x00408fc7
0x00408fca
0x00408fd1
0x00408fdc
0x00408fe0
0x00408fe0
0x00408f9a
0x00408ee1
0x00408ee1
0x00408ee4
0x00408eeb
0x00408ef0
0x00408ef2
0x00408efe
0x00408f00
0x00408f00
0x00408f03
0x00408f05
0x00408f05
0x00408ef4
0x00408efa
0x00408efa
0x00408ee6
0x00408ee6
0x00408ee6
0x00408f08
0x00408f1a
0x00408f22
0x00408f28
0x00408f2a
0x00408f2d
0x00408f44
0x00408f54
0x00408f5a
0x00408f5d
0x00408f64
0x00408f6f
0x00408f73
0x00408f73
0x00408f2d
0x00408f85
0x00408f85
0x00408fe5
0x00408fe8
0x00408fea
0x00408fec
0x00408fec
0x00409009
0x00409015
0x00409019
0x00409021
0x00409025
0x0040902d
0x00409031
0x00000000
0x00409031
0x00408d9e
0x00408da6
0x00408da8
0x00408dab
0x00000000
0x00000000
0x00000000
0x00408dab
0x00408d6a
0x00408d71
0x00000000
0x00408d71
0x00408c7f
0x00408c89
0x00408c8c
0x00408c92
0x00408c9c
0x00408ca4
0x00408ca5
0x00408cac
0x00408cb0
0x00408cba
0x00408cc1
0x00408cc6
0x00408cc9
0x00408ccf
0x00408cd1
0x00408cd1
0x00408cd7
0x00408ce3
0x00408cee
0x00408cf0
0x00408cf3
0x00408cf8
0x00408cfe
0x00408d07
0x00408d09
0x00408d09
0x00408d0c
0x00408d0f
0x00408d18
0x00408d1a
0x00408d1a
0x00408d20
0x00408d31
0x00408d37
0x00408d40
0x00408d45
0x00408d4b
0x00408d4f
0x00408d57
0x00408d5a
0x00408d5a

APIs

__EH_prolog.LIBCMT ref: 00408C3C
lstrlenW.KERNEL32(004675E4,?,00000001,?,?,00000000), ref: 00408D20
RegSetValueExW.KERNELBASE(?,puF,00000000,00000001,004675E4,?,?,00000000), ref: 00408D37
RegOpenKeyExW.KERNELBASE(80000001,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,000F003F,?,?,00000000), ref: 00408D91
RegCreateKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,00000000,00000000,000F003F,00000000,?,?,?,00000000), ref: 00408DC3
RegOpenKeyExW.KERNELBASE(80000001,Software\Microsoft\Windows\CurrentVersion,00000000,000F003F,?,004675E4,?,00000000), ref: 00408C6E

Part of subcall function 00409079: RegCloseKey.ADVAPI32(0043D41C,00467574,0042F4CA), ref: 00409085

GetCommandLineW.KERNEL32(?,00000000), ref: 00408E04

Part of subcall function 00401C68: __EH_prolog.LIBCMT ref: 00401C6D
Part of subcall function 00401C68: GetLastError.KERNEL32(00467574,00000000,0046757C,?,0040E781,?,00000000,?,00000000), ref: 00401C96
Part of subcall function 00401C68: SetLastError.KERNEL32(?,00000000,?,0040E781,?,00000000,?,00000000), ref: 00401CC4

lstrlenW.KERNEL32(?,00000000,.exe,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,004763CC,?,00000001), ref: 00408FF2
RegSetValueExW.KERNELBASE(?, ISSetupPrerequisistes,00000000,00000001,?,?,?,00000000), ref: 00409009
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00409044
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00409051

Part of subcall function 0040125C: __EH_prolog.LIBCMT ref: 00401261
Part of subcall function 0040125C: GetLastError.KERNEL32(000004B1,00000000,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 00401284
Part of subcall function 0040125C: SysFreeString.OLEAUT32(?), ref: 004012A2
Part of subcall function 0040125C: SetLastError.KERNEL32(?,00000001,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 004012C2

Strings

Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00408D88, 00408DBD
puF, xrefs: 00408FEC
puF, xrefs: 00408D31
Software\Microsoft\Windows\CurrentVersion, xrefs: 00408C62
tuF, xrefs: 00408CBA
.exe, xrefs: 00408EB0, 00408EB7, 00408EC3
uF, xrefs: 00408D0F
puF, xrefs: 00408CD1
%%IS_PREREQ%%-%s, xrefs: 00408CDD
PG, xrefs: 00408E0E
|uF, xrefs: 00408CD7, 00408CE2
ISSetupPrerequisistes, xrefs: 00409001

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorLast$CloseH_prolog$OpenValuelstrlen$CommandCreateFreeLineString
String ID: ISSetupPrerequisistes$%%IS_PREREQ%%-%s$.exe$PG$Software\Microsoft\Windows\CurrentVersion$Software\Microsoft\Windows\CurrentVersion\RunOnce$puF$puF$puF$tuF$|uF$uF
API String ID: 2088090489-3045285432
Opcode ID: 3516312ac8812193a318dbfc178a3ca888e8dc00eea67fcfb46b0b06dda123d1
Instruction ID: 7ceb75032be40624c279d8c0dd95b1dcad9832986b55b64dd1405486b5aa2c2e
Opcode Fuzzy Hash: 3516312ac8812193a318dbfc178a3ca888e8dc00eea67fcfb46b0b06dda123d1
Instruction Fuzzy Hash: E5D14E71900109AEDF10DBA4CD85EEEBB79EF14308F1041BEE509B7292EB785E45CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040F0E2 Relevance: 30.1, APIs: 3, Strings: 14, Instructions: 372
stringCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E0040F0E2(void* __ebx, intOrPtr __ecx) {
				void* __edi;
				void* __esi;
				intOrPtr _t320;
				WCHAR* _t325;
				intOrPtr _t328;
				intOrPtr* _t329;
				intOrPtr* _t330;
				long _t337;
				void* _t338;
				long _t339;
				long _t341;
				void* _t352;
				intOrPtr _t355;
				WCHAR* _t356;
				intOrPtr* _t357;
				void* _t372;
				WCHAR* _t381;
				char* _t382;
				void* _t387;
				char* _t391;
				void* _t396;
				void* _t404;
				void* _t407;
				void* _t417;
				void* _t419;
				WCHAR* _t422;
				void* _t431;
				WCHAR* _t437;
				void* _t438;
				void* _t442;
				char* _t443;
				void* _t448;
				void* _t456;
				void* _t458;
				void* _t466;
				void* _t471;
				WCHAR* _t479;
				void* _t483;
				long _t489;
				long _t491;
				char* _t498;
				void* _t503;
				void* _t504;
				void* _t513;
				char* _t514;
				void* _t519;
				void* _t533;
				char* _t546;
				void* _t549;
				WCHAR* _t559;
				void* _t568;
				void* _t581;
				long _t582;
				intOrPtr* _t603;
				intOrPtr* _t642;
				void* _t669;
				intOrPtr* _t745;
				void* _t761;
				intOrPtr _t768;
				long _t769;
				intOrPtr _t771;
				intOrPtr* _t772;
				intOrPtr _t775;
				long _t777;
				long _t778;
				intOrPtr* _t780;
				intOrPtr _t781;
				intOrPtr* _t782;
				intOrPtr* _t783;
				void* _t785;
				void* _t787;
				void* _t789;
				intOrPtr* _t793;
				intOrPtr _t794;
				intOrPtr _t795;
				intOrPtr _t796;
				intOrPtr _t797;
				intOrPtr _t799;
				intOrPtr _t800;
				intOrPtr _t801;
				intOrPtr _t803;
				intOrPtr _t804;
				intOrPtr _t805;

				_t320 =  *0x390;
				_t581 = __ebx + __ebx;
				if(_t581 == 0) {
					_push(_t581);
					_t775 = __ecx;
					 *((intOrPtr*)(_t785 - 0x34)) = __ecx;
					_t582 = 0;
					 *(_t785 - 4) = 0;
					_t767 = __ecx + 8;
					 *((intOrPtr*)(_t785 - 0xe0)) = __ecx;
					L0043B670(_t785 - 0x120, __ecx + 8, 0x40);
					_t789 = _t787 - 0x434 + 0xc;
					_push(1);
					_push(_t785 - 0xd);
					_push("C:\\CodeBases\\isdev\\src\\Runtime\\InstallScript\\SetupNew\\setup.cpp");
					 *(_t785 - 4) = 2;
					_t325 =  *(E0040A5F5(_t785 - 0x418) + 8);
					__eflags = _t325;
					if(_t325 == 0) {
						_t325 = 0x4675e4;
					}
					lstrcpyW(_t775 + 0x50, _t325);
					E004061C1(_t785 - 0x418);
					_t328 = E0043C804(_t582, _t767, _t775 + 0x50, _t785, _t767, 3, 0x43b31a,  *(_t785 - 4), 0x46ba20);
					_t790 = _t789 + 0x14;
					__eflags = _t328 - _t582;
					 *((intOrPtr*)(_t785 - 0x30)) = _t328;
					if(_t328 != _t582) {
						_t768 =  *((intOrPtr*)(_t785 - 0x34));
						__eflags = _t328 - 0x80042002;
						if(__eflags != 0) {
							_t777 = 0x80042000;
							__eflags = _t328 - 0x80042000;
							if(_t328 != 0x80042000) {
								_push(_t582);
								L00402FDA(_t768);
							}
						} else {
							_t790 = _t790 - 0x28;
							 *((intOrPtr*)(_t785 - 0x14)) =  *((intOrPtr*)(_t768 + 0x26c));
							_t780 = _t768 + 4;
							 *((intOrPtr*)(_t785 - 0x74)) = _t790;
							E00403E82( *((intOrPtr*)( *_t780 + 0x2c))(_t790, 0x7d9, 0x10, 1, _t582), __eflags);
							 *(_t785 - 4) = 0x2b;
							_t352 = L004037B9(_t785 - 0x7c,  *((intOrPtr*)( *_t780 + 0x2c))());
							_push( *((intOrPtr*)(_t785 - 0x14)));
							 *(_t785 - 4) = 0x2d;
							L00403C38(_t352);
							 *(_t785 - 4) = 2;
							_t777 = 0x80042000;
						}
						_t329 =  *((intOrPtr*)(_t768 + 0x288));
						__eflags = _t329 - _t582;
						if(_t329 != _t582) {
							 *((intOrPtr*)(_t768 + 0x298)) = 5;
							 *((intOrPtr*)( *_t329 + 0xb4))(_t329, _t768);
						}
						_t330 =  *((intOrPtr*)(_t768 + 0x294));
						__eflags = _t330 - _t582;
						if(_t330 != _t582) {
							 *(_t785 - 0x1c) = _t582;
							 *(_t785 - 4) = 0x2e;
							_t338 =  *((intOrPtr*)( *_t330))(_t330, 0x476f58, _t785 - 0x1c);
							__eflags = _t338 - _t582;
							if(_t338 >= _t582) {
								_t341 =  *(_t785 - 0x1c);
								 *((intOrPtr*)( *_t341 + 0x10))(_t341);
							}
							_t339 =  *(_t785 - 0x1c);
							 *(_t785 - 4) = 2;
							__eflags = _t339 - _t582;
							if(_t339 != _t582) {
								 *((intOrPtr*)( *_t339 + 8))(_t339);
							}
						}
						__eflags =  *((intOrPtr*)(_t785 - 0x30)) - _t777;
						if( *((intOrPtr*)(_t785 - 0x30)) != _t777) {
							_t769 =  *(_t768 + 0x390);
						} else {
							_t769 = _t777;
						}
						_t778 = _t769;
						goto L69;
					} else {
						_t781 =  *((intOrPtr*)(_t785 + 8));
						_t771 =  *((intOrPtr*)(_t785 - 0x34));
						 *0x47e26c = _t781;
						 *((intOrPtr*)(_t771 + 0x268)) = _t781;
						 *((char*)(_t771 + 0x258)) = L004377C9();
						_t355 = L0043BC14(0x314);
						 *((intOrPtr*)(_t785 - 0x30)) = _t355;
						__eflags = _t355 - _t582;
						 *(_t785 - 4) = 3;
						if(_t355 == _t582) {
							_t356 = 0;
							__eflags = 0;
						} else {
							_push(_t781);
							_t356 = L0040FCE8(_t355);
						}
						_t782 = _t771 + 0x25c;
						 *(_t785 - 4) = 2;
						 *_t782 = _t356;
						_t357 = L0043BC14(8);
						__eflags = _t357 - _t582;
						if(_t357 == _t582) {
							_t357 = 0;
							__eflags = 0;
						} else {
							 *_t357 =  *_t782;
						}
						_t793 = _t790 - 0x28;
						 *((intOrPtr*)(_t771 + 0x260)) = _t357;
						 *((intOrPtr*)(_t785 - 0x30)) = _t793;
						_t603 = _t793;
						 *_t603 = 0x46757c;
						 *((intOrPtr*)(_t603 + 0x20)) = 0x467574;
						L00401CDD(_t603);
						_t794 = _t793 - 0x28;
						 *((intOrPtr*)(_t785 - 0x14)) = _t794;
						 *(_t785 - 4) = 4;
						L00401708(_t794, _t785 + 0xc, 1);
						_t783 = _t771 + 4;
						 *(_t785 - 4) = 2;
						L0040FFEC( *((intOrPtr*)( *((intOrPtr*)(_t771 + 4)) + 0x2c))(_t785 + 0x34, _t582), __eflags);
						Sleep( *( *((intOrPtr*)( *_t783 + 0x2c))() + 0x40) * 0x3e8); // executed
						_t372 = E004083DD( *((intOrPtr*)( *_t783 + 0x2c))(), _t785 - 0x440);
						__eflags =  *((intOrPtr*)(_t372 + 0xc)) - _t582;
						 *((char*)(_t785 - 0xd)) =  *((intOrPtr*)(_t372 + 0xc)) == _t582;
						L0040125C(_t785 - 0x440);
						__eflags =  *((intOrPtr*)(_t785 - 0xd)) - _t582;
						if( *((intOrPtr*)(_t785 - 0xd)) != _t582) {
							_t803 = _t794 - 0x28;
							 *((intOrPtr*)(_t785 - 0x54)) = _t803;
							_t804 = _t803 - 0x28;
							 *((intOrPtr*)(_t785 - 0x84)) = _t804;
							L00401732(_t804, 0x47e150, _t785 - 0x29, 1);
							_t805 = _t804 - 0x28;
							 *((intOrPtr*)(_t785 - 0x50)) = _t805;
							 *(_t785 - 4) = 6;
							L00401732(_t805, 0x47e150, _t785 - 0x2a, 1);
							_t582 = 0;
							__eflags = 0;
							 *(_t785 - 4) = 2;
							E0042D54C(); // executed
							_t794 = _t805 + 0x58;
							 *(_t785 - 4) = 2;
							E00412312( *((intOrPtr*)( *_t783 + 0x2c))(_t803, 0), __eflags);
						}
						_t795 = _t794 - 0x28;
						 *((intOrPtr*)(_t785 - 0x4c)) = _t795;
						E004083DD( *((intOrPtr*)( *_t783 + 0x2c))(), _t795);
						L0040EF88( *((intOrPtr*)(_t771 + 0x3a4)));
						__eflags =  *((intOrPtr*)( *((intOrPtr*)( *_t783 + 0x2c))() + 0x13)) - _t582;
						if(__eflags != 0) {
							 *((char*)( *((intOrPtr*)(_t771 + 0x3a4)) + 0x21)) = 1;
						}
						_t381 = E004195E7(_t771, __eflags); // executed
						__eflags = _t381;
						if(_t381 == 0) {
							L18:
							_t382 = L"setup.ini";
							 *((intOrPtr*)(_t785 - 0x238)) = 0x46757c;
							 *((intOrPtr*)(_t785 - 0x218)) = 0x467574;
							__eflags = _t382;
							if(_t382 == 0) {
								_t382 = 0x47e150;
							}
							_t64 = _t785 - 0x238; // 0x46757c
							L0040176A(_t64);
							 *(_t785 - 4) = 8;
							_t387 = E00404705( *((intOrPtr*)( *_t783 + 0x2c))(_t382, _t785 - 0x28, _t582), _t785 - 0x2b0);
							_t68 = _t785 - 0x238; // 0x46757c
							 *(_t785 - 4) = 9;
							_push(_t785 - 0x148);
							L00405670(_t387, __eflags);
							 *(_t785 - 4) = 0xc;
							L0040125C(_t785 - 0x2b0);
							_t73 = _t785 - 0x238; // 0x46757c
							 *(_t785 - 4) = 0xb;
							L0040125C(_t73);
							_t391 = L"setup.ini";
							 *((intOrPtr*)(_t785 - 0x210)) = 0x46757c;
							 *((intOrPtr*)(_t785 - 0x1f0)) = 0x467574;
							__eflags = _t391;
							if(_t391 == 0) {
								_t391 = 0x47e150;
							}
							_t78 = _t785 - 0x210; // 0x46757c
							L0040176A(_t78);
							 *(_t785 - 4) = 0xd;
							_t396 = E004083DD( *((intOrPtr*)( *_t783 + 0x2c))(_t391, _t785 - 0x1d, _t582), _t785 - 0x328);
							_t82 = _t785 - 0x210; // 0x46757c
							 *(_t785 - 4) = 0xe;
							L00405670(_t396, __eflags);
							 *(_t785 - 4) = 0x11;
							L0040125C(_t785 - 0x328);
							_t87 = _t785 - 0x210; // 0x46757c
							 *(_t785 - 4) = 0x10;
							L0040125C(_t87);
							_t796 = _t795 - 0x28;
							 *((intOrPtr*)(_t785 - 0x8c)) = _t796;
							L00401708(_t796, _t785 - 0xdc, 1);
							_t797 = _t796 - 0x28;
							 *((intOrPtr*)(_t785 - 0x58)) = _t797;
							 *(_t785 - 4) = 0x12;
							L00401708(_t797, _t785 - 0x148, 1);
							 *(_t785 - 4) = 0x10;
							_t404 = E00416E73(_t771, _t761, __eflags); // executed
							L00415C13(_t771, _t404, 0x8e);
							_t407 =  *((intOrPtr*)( *_t783 + 0x2c))(_t785 - 0xdc, _t82);
							__eflags =  *((intOrPtr*)(_t407 + 3)) - _t582;
							if( *((intOrPtr*)(_t407 + 3)) != _t582) {
								L00401A1E(_t785 - 0xdc, _t785 - 0x148);
							}
							 *((intOrPtr*)(_t785 - 0xb4)) = 0x46757c;
							 *((intOrPtr*)(_t785 - 0x94)) = 0x467574;
							L00401CDD(_t785 - 0xb4);
							_t798 = _t797 - 0x28;
							 *((intOrPtr*)(_t785 - 0x78)) = _t798;
							_t642 = _t798;
							 *(_t785 - 4) = 0x13;
							 *_t642 = 0x46757c;
							 *((intOrPtr*)(_t642 + 0x20)) = 0x467574;
							L00401CDD(_t642);
							 *(_t785 - 4) = 0x13;
							E004108D1( *((intOrPtr*)( *_t783 + 0x2c))(_t785 + 0x34, _t785 - 0xdc, _t582, _t785 + 0x34, _t582), _t771, __eflags); // executed
							_t417 =  *((intOrPtr*)( *_t783 + 0x2c))();
							__eflags =  *((intOrPtr*)(_t417 + 0xf)) - _t582;
							if( *((intOrPtr*)(_t417 + 0xf)) != _t582) {
								 *((char*)( *((intOrPtr*)(_t771 + 0x3a4)) + 0x20)) = 1;
							}
							_t419 =  *((intOrPtr*)( *_t783 + 0x2c))();
							__eflags =  *((intOrPtr*)(_t419 + 0x19)) - _t582;
							if( *((intOrPtr*)(_t419 + 0x19)) != _t582) {
								 *((intOrPtr*)(_t771 + 0x390)) = 0xffffec77;
								L00415C13(_t771, 0x8000ffff, 0xa5);
							}
							__eflags =  *((intOrPtr*)( *((intOrPtr*)( *_t783 + 0x2c))() + 0x1a)) - _t582;
							if(__eflags == 0) {
								_t422 = E004195E7(_t771, __eflags);
								__eflags = _t422;
								if(_t422 != 0) {
									L35:
									_t799 = _t798 - 0x28;
									 *((intOrPtr*)(_t785 - 0x88)) = _t799;
									E004083DD( *((intOrPtr*)( *_t783 + 0x2c))(), _t799);
									_t800 = _t799 - 0x28;
									 *((intOrPtr*)(_t785 - 0x68)) = _t800;
									 *(_t785 - 4) = 0x15;
									E00404705( *((intOrPtr*)( *_t783 + 0x2c))(), _t800);
									 *(_t785 - 4) = 0x13;
									_t431 = E00417132(_t771, _t761); // executed
									L00415C13(_t771, _t431, 0xbd);
									_t437 =  *(L00403759( *((intOrPtr*)( *_t783 + 0x2c))(), _t785 - 0x3c8) + 8);
									__eflags = _t437 - _t582;
									if(_t437 == _t582) {
										_t437 = 0x467570;
									}
									_t438 = CreateMutexW(_t582, _t582, _t437); // executed
									 *(_t785 - 0x40) = _t438;
									 *(_t785 - 0x3c) = _t582;
									 *(_t785 - 4) = 0x16;
									L0040125C(_t785 - 0x3c8);
									__eflags = WaitForSingleObject( *(_t785 - 0x40), _t582) - 0x102;
									if(__eflags != 0) {
										_t442 =  *((intOrPtr*)( *_t783 + 0x2c))();
										__eflags =  *((intOrPtr*)(_t442 + 0x12)) - _t582;
										if( *((intOrPtr*)(_t442 + 0x12)) != _t582) {
											L50:
											_t443 = L"ISSetup.dll";
											 *((intOrPtr*)(_t785 - 0x170)) = 0x46757c;
											 *((intOrPtr*)(_t785 - 0x150)) = 0x467574;
											__eflags = _t443;
											if(_t443 == 0) {
												_t443 = 0x47e150;
											}
											_t200 = _t785 - 0x170; // 0x46757c
											L0040176A(_t200);
											 *(_t785 - 4) = 0x1b;
											_t448 = E004083DD( *((intOrPtr*)( *_t783 + 0x2c))(_t443, _t785 - 0x25, _t582), _t785 - 0x2d8);
											_t790 = _t800 - 0x28;
											_t204 = _t785 - 0x170; // 0x46757c
											_t763 = _t204;
											 *((intOrPtr*)(_t785 - 0x44)) = _t790;
											 *(_t785 - 4) = 0x1c;
											L00405670(_t448, __eflags);
											 *(_t785 - 4) = 0x1c;
											E00412349( *((intOrPtr*)( *_t783 + 0x2c))(_t790, _t204), __eflags);
											 *(_t785 - 4) = 0x1b;
											L0040125C(_t785 - 0x2d8);
											 *(_t785 - 4) = 0x16;
											_t212 = _t785 - 0x170; // 0x46757c
											_t669 = _t212;
										} else {
											_t513 =  *((intOrPtr*)( *_t783 + 0x2c))();
											__eflags =  *((intOrPtr*)(_t513 + 0x13)) - _t582;
											if( *((intOrPtr*)(_t513 + 0x13)) != _t582) {
												goto L50;
											} else {
												_t514 = L"ISSetup.dll";
												 *((intOrPtr*)(_t785 - 0x1e8)) = 0x46757c;
												 *((intOrPtr*)(_t785 - 0x1c8)) = 0x467574;
												__eflags = _t514;
												if(_t514 == 0) {
													_t514 = 0x47e150;
												}
												_t184 = _t785 - 0x1e8; // 0x46757c
												L0040176A(_t184);
												 *(_t785 - 4) = 0x1e;
												_t519 = E00404705( *((intOrPtr*)( *_t783 + 0x2c))(_t514, _t785 - 0x26, _t582), _t785 - 0x378);
												_t790 = _t800 - 0x28;
												_t763 = _t785 - 0x1e8;
												 *((intOrPtr*)(_t785 - 0x48)) = _t790;
												 *(_t785 - 4) = 0x1f;
												L00405670(_t519, __eflags);
												 *(_t785 - 4) = 0x1f;
												E00412349( *((intOrPtr*)( *_t783 + 0x2c))(_t790, _t785 - 0x1e8), __eflags);
												 *(_t785 - 4) = 0x1e;
												L0040125C(_t785 - 0x378);
												 *(_t785 - 4) = 0x16;
												_t669 = _t785 - 0x1e8;
											}
										}
										L0040125C(_t669);
										_t456 =  *((intOrPtr*)( *_t783 + 0x2c))();
										__eflags =  *((intOrPtr*)(_t456 + 3)) - _t582;
										if( *((intOrPtr*)(_t456 + 3)) != _t582) {
											_t498 = L"ISSetup.dll";
											 *((intOrPtr*)(_t785 - 0x198)) = 0x46757c;
											 *((intOrPtr*)(_t785 - 0x178)) = 0x467574;
											__eflags = _t498;
											if(_t498 == 0) {
												_t498 = 0x47e150;
											}
											_t218 = _t785 - 0x198; // 0x46757c
											L0040176A(_t218);
											 *(_t785 - 4) = 0x21;
											_t503 = L00403789( *((intOrPtr*)( *_t783 + 0x2c))(_t498, _t785 - 0x27, _t582), _t785 - 0x350);
											 *(_t785 - 4) = 0x22;
											_t504 = L00401840(_t503, __eflags);
											_t790 = _t790 - 0x28;
											_t763 = _t785 - 0x198;
											 *((intOrPtr*)(_t785 - 0x5c)) = _t790;
											 *(_t785 - 4) = 0x23;
											L00405670(_t504, __eflags);
											 *(_t785 - 4) = 0x23;
											E00412349( *((intOrPtr*)( *_t783 + 0x2c))(_t790, _t785 - 0x198, _t785 - 0x300, _t582, _t582), __eflags);
											 *(_t785 - 4) = 0x22;
											L0040125C(_t785 - 0x300);
											 *(_t785 - 4) = 0x21;
											L0040125C(_t785 - 0x350);
											 *(_t785 - 4) = 0x16;
											L0040125C(_t785 - 0x198);
										}
										_t458 =  *((intOrPtr*)( *_t783 + 0x2c))();
										__eflags =  *((intOrPtr*)(_t458 + 0x12)) - _t582;
										if( *((intOrPtr*)(_t458 + 0x12)) != _t582) {
											L59:
											L00401B15(_t785 - 0x288);
											 *(_t785 - 4) = 0x25;
											L00401B15(_t785 - 0x260);
											 *(_t785 - 4) = 0x26;
											_t466 = E004083DD( *((intOrPtr*)( *_t783 + 0x2c))(0xd8, "ISSetup.dll", _t785 - 0x16, 1, "ISSetup.dll", _t785 - 0x15, 1), _t785 - 0x3f0);
											_t801 = _t790 - 0x28;
											 *((intOrPtr*)(_t785 - 0x64)) = _t801;
											 *(_t785 - 4) = 0x27;
											L00405670(_t466, __eflags);
											 *(_t785 - 4) = 0x28;
											_t471 = E00404705( *((intOrPtr*)( *_t783 + 0x2c))(_t801, _t785 - 0x288), _t785 - 0x3a0);
											_t790 = _t801 - 0x28;
											_t763 = _t785 - 0x260;
											 *((intOrPtr*)(_t785 - 0x6c)) = _t801 - 0x28;
											_push(_t785 - 0x260);
											 *(_t785 - 4) = 0x29;
											L00405670(_t471, __eflags);
											 *(_t785 - 4) = 0x2a;
											L00415C13(_t771, E00416E73(_t771, _t785 - 0x260, __eflags), _t801 - 0x28);
											 *(_t785 - 4) = 0x27;
											L0040125C(_t785 - 0x3a0);
											 *(_t785 - 4) = 0x26;
											L0040125C(_t785 - 0x3f0);
											 *(_t785 - 4) = 0x25;
											L0040125C(_t785 - 0x260);
											 *(_t785 - 4) = 0x16;
											L0040125C(_t785 - 0x288);
										} else {
											__eflags =  *((intOrPtr*)( *((intOrPtr*)( *_t783 + 0x2c))() + 0x13)) - _t582;
											if(__eflags != 0) {
												goto L59;
											}
										}
										_t479 = E00412653(_t771, __eflags); // executed
										__eflags = _t479;
										if(__eflags == 0) {
											L00415C13(_t771, 0xffffec75, 0xdc);
										}
										E00412B0A(_t771, __eflags);
										__eflags =  *((intOrPtr*)( *((intOrPtr*)( *_t783 + 0x2c))())) - _t582;
										if(__eflags == 0) {
											_push(0xe4);
											_t483 = L00413DE1(_t771, _t763, __eflags); // executed
										} else {
											_push(0xe2);
											_t483 = L00413C06(_t582, _t771, __eflags);
										}
										_push(_t483);
										L00415C13(_t771);
										 *(_t785 - 4) = 0x13;
										E00412614(_t785 - 0x40);
										 *(_t785 - 4) = 0x10;
										L0040125C(_t785 - 0xb4);
										 *(_t785 - 4) = 0xb;
										L0040125C(_t785 - 0xdc);
										 *(_t785 - 4) = 2;
										L0040125C(_t785 - 0x148);
										_t772 =  *((intOrPtr*)(_t771 + 0x28c));
										 *(_t785 - 0x24) = _t582;
										__eflags = _t772 - _t582;
										if(_t772 != _t582) {
											 *((intOrPtr*)( *_t772))(_t772, 0x476f68, _t785 - 0x24);
										}
										_t489 =  *(_t785 - 0x24);
										 *(_t785 - 0x38) = _t582;
										 *(_t785 - 4) = 0x2f;
										 *((intOrPtr*)( *_t489 + 0xe4))(_t489, _t785 - 0x38);
										_t491 =  *(_t785 - 0x24);
										_t778 =  *(_t785 - 0x38);
										__eflags = _t491 - _t582;
										 *(_t785 - 4) = 2;
										if(_t491 != _t582) {
											 *((intOrPtr*)( *_t491 + 8))(_t491);
										}
										goto L69;
									} else {
										E00403E82( *((intOrPtr*)( *_t783 + 0x2c))(_t785 - 0x1c0, 0x7da), __eflags);
										__eflags =  *((intOrPtr*)(_t785 - 0x1b4)) - _t582;
										 *(_t785 - 4) = 0x17;
										if( *((intOrPtr*)(_t785 - 0x1b4)) == _t582) {
											_t546 = L"Another instance of this setup is already running. Please wait for the other instance to finish and then try again.";
											__eflags = _t546;
											if(_t546 == 0) {
												_t546 = 0x47e150;
											}
											L00401E03(_t785 - 0x1c0, _t546);
										}
										_t798 = _t800 - 0x28;
										 *((intOrPtr*)(_t785 - 0x80)) = _t800 - 0x28;
										L00401708(_t800 - 0x28, _t785 - 0x1c0, 1);
										 *(_t785 - 4) = 0x18;
										_t533 = L004037B9(_t785 - 0x70,  *((intOrPtr*)( *_t783 + 0x2c))(0x40, 1, _t582));
										_push(_t582);
										 *(_t785 - 4) = 0x1a;
										L00403C38(_t533);
										 *(_t785 - 4) = 0x16;
										L0040125C(_t785 - 0x1c0);
										 *(_t785 - 4) = 0x13;
										E00412614(_t785 - 0x40);
										goto L43;
									}
								} else {
									_t549 =  *((intOrPtr*)( *_t783 + 0x2c))();
									__eflags =  *((intOrPtr*)(_t549 + 0x13)) - _t582;
									if( *((intOrPtr*)(_t549 + 0x13)) != _t582) {
										goto L35;
									} else {
										__eflags =  *((intOrPtr*)( *((intOrPtr*)( *_t783 + 0x2c))() + 0x10)) - _t582;
										if(__eflags != 0) {
											L34:
											_t790 = _t798 - 0x28;
											 *((intOrPtr*)(_t785 - 0x60)) = _t790;
											_t745 = _t790;
											 *((char*)( *((intOrPtr*)(_t771 + 0x3a4)) + 0x20)) = 1;
											_push(_t582);
											_push(_t785 - 0xb4);
											 *_t745 = 0x46757c;
											 *((intOrPtr*)(_t745 + 0x20)) = 0x467574;
											L00401CDD(_t745);
											_t778 = L0041746C(_t771, _t761, __eflags);
											 *(_t785 - 4) = 0x10;
											L0040125C(_t785 - 0xb4);
											 *(_t785 - 4) = 0xb;
											L0040125C(_t785 - 0xdc);
											 *(_t785 - 4) = 2;
											L0040125C(_t785 - 0x148);
											L69:
											L0043B670( *((intOrPtr*)(_t785 - 0xe0)) + 8, _t785 - 0x120, 0x40);
											 *(_t785 - 4) = _t582;
											L0040125C(_t785 + 0xc);
											_t290 = _t785 - 4;
											 *_t290 =  *(_t785 - 4) | 0xffffffff;
											__eflags =  *_t290;
											L0040125C(_t785 + 0x34);
											_t337 = _t778;
										} else {
											_t559 = E004173CF(_t771, __eflags); // executed
											__eflags = _t559;
											if(_t559 == 0) {
												goto L35;
											} else {
												goto L34;
											}
										}
									}
								}
							} else {
								_push(1);
								 *((intOrPtr*)(_t771 + 0x390)) = 0xffffec77;
								L00402FDA(_t771);
								L43:
								_t164 = _t785 - 0xb4; // 0x46757c
								 *(_t785 - 4) = 0x10;
								L0040125C(_t164);
								 *(_t785 - 4) = 0xb;
								L0040125C(_t785 - 0xdc);
								 *(_t785 - 4) = 2;
								L0040125C(_t785 - 0x148);
								goto L44;
							}
						} else {
							E0041784A(_t771); // executed
							_t568 =  *((intOrPtr*)( *_t783 + 0x2c))(_t785 + 0x34);
							__eflags =  *((intOrPtr*)(_t568 + 0x14)) - _t582;
							if( *((intOrPtr*)(_t568 + 0x14)) == _t582) {
								goto L18;
							} else {
								 *((char*)( *((intOrPtr*)(_t771 + 0x3a4)) + 0x20)) = 1;
								L44:
								L0043B670( *((intOrPtr*)(_t785 - 0xe0)) + 8, _t785 - 0x120, 0x40);
								 *(_t785 - 4) = _t582;
								L0040125C(_t785 + 0xc);
								 *(_t785 - 4) =  *(_t785 - 4) | 0xffffffff;
								L0040125C(_t785 + 0x34);
								_t337 = 0;
							}
						}
					}
					 *[fs:0x0] =  *((intOrPtr*)(_t785 - 0xc));
					return _t337;
				} else {
					asm("in eax, 0xef");
					asm("invalid");
					return _t320 + 0x83;
				}
			}

0x0040f0e2
0x0040f0e7
0x0040f0e9
0x0040f115
0x0040f117
0x0040f11a
0x0040f11d
0x0040f11f
0x0040f122
0x0040f12f
0x0040f135
0x0040f13a
0x0040f140
0x0040f142
0x0040f143
0x0040f14e
0x0040f157
0x0040f15a
0x0040f15c
0x0040f15e
0x0040f15e
0x0040f168
0x0040f174
0x0040f189
0x0040f18e
0x0040f191
0x0040f193
0x0040f196
0x0040fc02
0x0040fc05
0x0040fc0a
0x0040fc66
0x0040fc6b
0x0040fc6d
0x0040fc6f
0x0040fc72
0x0040fc72
0x0040fc0c
0x0040fc17
0x0040fc1a
0x0040fc1d
0x0040fc22
0x0040fc34
0x0040fc3d
0x0040fc48
0x0040fc4d
0x0040fc52
0x0040fc56
0x0040fc5b
0x0040fc5f
0x0040fc5f
0x0040fc77
0x0040fc7d
0x0040fc7f
0x0040fc81
0x0040fc8f
0x0040fc8f
0x0040fc95
0x0040fc9b
0x0040fc9d
0x0040fc9f
0x0040fcae
0x0040fcb2
0x0040fcb4
0x0040fcb6
0x0040fcb8
0x0040fcbe
0x0040fcbe
0x0040fcc1
0x0040fcc4
0x0040fcc8
0x0040fcca
0x0040fccf
0x0040fccf
0x0040fcca
0x0040fcd2
0x0040fcd5
0x0040fcdb
0x0040fcd7
0x0040fcd7
0x0040fcd7
0x0040fce1
0x00000000
0x0040f19c
0x0040f19c
0x0040f19f
0x0040f1a2
0x0040f1a8
0x0040f1b8
0x0040f1be
0x0040f1c4
0x0040f1c7
0x0040f1c9
0x0040f1cd
0x0040f1d9
0x0040f1d9
0x0040f1cf
0x0040f1cf
0x0040f1d2
0x0040f1d2
0x0040f1db
0x0040f1e3
0x0040f1e7
0x0040f1e9
0x0040f1ee
0x0040f1f1
0x0040f1f9
0x0040f1f9
0x0040f1f3
0x0040f1f5
0x0040f1f5
0x0040f1fb
0x0040f1fe
0x0040f204
0x0040f207
0x0040f20e
0x0040f214
0x0040f21b
0x0040f220
0x0040f228
0x0040f22e
0x0040f232
0x0040f23a
0x0040f23f
0x0040f248
0x0040f25e
0x0040f274
0x0040f279
0x0040f282
0x0040f286
0x0040f28b
0x0040f28e
0x0040f290
0x0040f298
0x0040f29b
0x0040f2a0
0x0040f2ae
0x0040f2b3
0x0040f2bb
0x0040f2c6
0x0040f2ca
0x0040f2d1
0x0040f2d1
0x0040f2d3
0x0040f2d9
0x0040f2de
0x0040f2e5
0x0040f2ee
0x0040f2ee
0x0040f2f3
0x0040f2fa
0x0040f305
0x0040f310
0x0040f31c
0x0040f31f
0x0040f327
0x0040f327
0x0040f32d
0x0040f332
0x0040f334
0x0040f35c
0x0040f35c
0x0040f361
0x0040f36d
0x0040f377
0x0040f379
0x0040f37b
0x0040f37b
0x0040f386
0x0040f38c
0x0040f39c
0x0040f3a5
0x0040f3aa
0x0040f3b0
0x0040f3bb
0x0040f3be
0x0040f3c9
0x0040f3cd
0x0040f3d2
0x0040f3d8
0x0040f3dc
0x0040f3e1
0x0040f3e6
0x0040f3f2
0x0040f3fc
0x0040f3fe
0x0040f400
0x0040f400
0x0040f40b
0x0040f411
0x0040f421
0x0040f42a
0x0040f42f
0x0040f435
0x0040f443
0x0040f44e
0x0040f452
0x0040f457
0x0040f45d
0x0040f461
0x0040f471
0x0040f476
0x0040f47f
0x0040f484
0x0040f48f
0x0040f495
0x0040f499
0x0040f4a0
0x0040f4a4
0x0040f4ac
0x0040f4b5
0x0040f4b8
0x0040f4bb
0x0040f4ca
0x0040f4ca
0x0040f4da
0x0040f4e4
0x0040f4ee
0x0040f4f3
0x0040f4fc
0x0040f4ff
0x0040f503
0x0040f507
0x0040f50d
0x0040f514
0x0040f521
0x0040f52a
0x0040f533
0x0040f536
0x0040f539
0x0040f541
0x0040f541
0x0040f549
0x0040f54c
0x0040f54f
0x0040f55d
0x0040f567
0x0040f567
0x0040f573
0x0040f576
0x0040f592
0x0040f597
0x0040f599
0x0040f629
0x0040f630
0x0040f635
0x0040f643
0x0040f648
0x0040f64f
0x0040f655
0x0040f65e
0x0040f665
0x0040f669
0x0040f671
0x0040f68b
0x0040f68e
0x0040f690
0x0040f692
0x0040f692
0x0040f69a
0x0040f6a0
0x0040f6a3
0x0040f6ac
0x0040f6b0
0x0040f6bf
0x0040f6c4
0x0040f7cc
0x0040f7cf
0x0040f7d2
0x0040f881
0x0040f881
0x0040f886
0x0040f892
0x0040f89c
0x0040f89e
0x0040f8a0
0x0040f8a0
0x0040f8ab
0x0040f8b1
0x0040f8c1
0x0040f8ca
0x0040f8cf
0x0040f8d2
0x0040f8d2
0x0040f8da
0x0040f8e1
0x0040f8e5
0x0040f8ee
0x0040f8f7
0x0040f902
0x0040f906
0x0040f90b
0x0040f90f
0x0040f90f
0x0040f7d8
0x0040f7dc
0x0040f7df
0x0040f7e2
0x00000000
0x0040f7e8
0x0040f7e8
0x0040f7ed
0x0040f7f9
0x0040f803
0x0040f805
0x0040f807
0x0040f807
0x0040f812
0x0040f818
0x0040f828
0x0040f831
0x0040f836
0x0040f839
0x0040f841
0x0040f848
0x0040f84c
0x0040f855
0x0040f85e
0x0040f869
0x0040f86d
0x0040f872
0x0040f876
0x0040f876
0x0040f7e2
0x0040f915
0x0040f91e
0x0040f921
0x0040f924
0x0040f92a
0x0040f92f
0x0040f93b
0x0040f945
0x0040f947
0x0040f949
0x0040f949
0x0040f954
0x0040f95a
0x0040f96a
0x0040f973
0x0040f983
0x0040f987
0x0040f98c
0x0040f98f
0x0040f997
0x0040f99e
0x0040f9a2
0x0040f9ab
0x0040f9b4
0x0040f9bf
0x0040f9c3
0x0040f9ce
0x0040f9d2
0x0040f9dd
0x0040f9e1
0x0040f9e1
0x0040f9ea
0x0040f9ed
0x0040f9f0
0x0040fa02
0x0040fa13
0x0040fa29
0x0040fa2d
0x0040fa42
0x0040fa4b
0x0040fa50
0x0040fa5b
0x0040fa62
0x0040fa66
0x0040fa76
0x0040fa7f
0x0040fa84
0x0040fa87
0x0040fa8f
0x0040fa92
0x0040fa96
0x0040fa9a
0x0040faa1
0x0040faad
0x0040fab8
0x0040fabc
0x0040fac7
0x0040facb
0x0040fad6
0x0040fada
0x0040fae5
0x0040fae9
0x0040f9f2
0x0040f9f9
0x0040f9fc
0x00000000
0x00000000
0x0040f9fc
0x0040faf0
0x0040faf5
0x0040faf7
0x0040fb05
0x0040fb05
0x0040fb0c
0x0040fb18
0x0040fb1a
0x0040fb2a
0x0040fb31
0x0040fb1c
0x0040fb1c
0x0040fb23
0x0040fb23
0x0040fb36
0x0040fb39
0x0040fb41
0x0040fb45
0x0040fb50
0x0040fb54
0x0040fb5f
0x0040fb63
0x0040fb6e
0x0040fb72
0x0040fb77
0x0040fb7d
0x0040fb80
0x0040fb82
0x0040fb90
0x0040fb90
0x0040fb92
0x0040fb98
0x0040fb9f
0x0040fba3
0x0040fba9
0x0040fbac
0x0040fbaf
0x0040fbb1
0x0040fbb5
0x0040fbba
0x0040fbba
0x00000000
0x0040f6ca
0x0040f6df
0x0040f6e4
0x0040f6ea
0x0040f6ee
0x0040f6f0
0x0040f6f7
0x0040f6f9
0x0040f6fb
0x0040f6fb
0x0040f707
0x0040f707
0x0040f717
0x0040f71c
0x0040f722
0x0040f72b
0x0040f736
0x0040f73b
0x0040f73e
0x0040f742
0x0040f74d
0x0040f751
0x0040f759
0x0040f75d
0x00000000
0x0040f75d
0x0040f59f
0x0040f5a3
0x0040f5a6
0x0040f5a9
0x00000000
0x0040f5ab
0x0040f5b2
0x0040f5b5
0x0040f5c2
0x0040f5c8
0x0040f5cb
0x0040f5ce
0x0040f5d0
0x0040f5da
0x0040f5db
0x0040f5dc
0x0040f5e2
0x0040f5e9
0x0040f5fb
0x0040f5fd
0x0040f601
0x0040f60c
0x0040f610
0x0040f61b
0x0040f61f
0x0040fbbd
0x0040fbd0
0x0040fbdb
0x0040fbde
0x0040fbe3
0x0040fbe3
0x0040fbe3
0x0040fbea
0x0040fbef
0x0040f5b7
0x0040f5b9
0x0040f5be
0x0040f5c0
0x00000000
0x00000000
0x00000000
0x00000000
0x0040f5c0
0x0040f5b5
0x0040f5a9
0x0040f578
0x0040f578
0x0040f57c
0x0040f586
0x0040f762
0x0040f762
0x0040f768
0x0040f76c
0x0040f777
0x0040f77b
0x0040f786
0x0040f78a
0x00000000
0x0040f78a
0x0040f336
0x0040f33c
0x0040f345
0x0040f348
0x0040f34b
0x00000000
0x0040f34d
0x0040f353
0x0040f78f
0x0040f7a2
0x0040f7ad
0x0040f7b0
0x0040f7b5
0x0040f7bc
0x0040f7c1
0x0040f7c1
0x0040f34b
0x0040f334
0x0040fbf6
0x0040fbff
0x0040f0eb
0x0040f0f0
0x0040f0f2
0x0040f0f4
0x0040f0f4

APIs

lstrcpyW.KERNEL32 ref: 0040F168
__setjmp3.LIBCMT ref: 0040F189

Strings

bg, xrefs: 0040F4AC
uF, xrefs: 0040F15E
setup.ini, xrefs: 0040F35C, 0040F385, 0040F3E1, 0040F40A
tuF, xrefs: 0040F4E4
|uF, xrefs: 0040F40B
tuF, xrefs: 0040F50D
tuF, xrefs: 0040F36D
|uF, xrefs: 0040F386
PG, xrefs: 0040F400
|uF, xrefs: 0040F762
tuF, xrefs: 0040F3F2
|uF, xrefs: 0040F4DA
C:\CodeBases\isdev\src\Runtime\InstallScript\SetupNew\setup.cpp, xrefs: 0040F143
PG, xrefs: 0040F37B

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: __setjmp3lstrcpy
String ID: C:\CodeBases\isdev\src\Runtime\InstallScript\SetupNew\setup.cpp$PG$PG$setup.ini$tuF$tuF$tuF$tuF$|uF$|uF$|uF$|uF$bg$uF
API String ID: 4290241082-2868026322
Opcode ID: 31ec3f398471d110e56e24c9855d326c17161bdfa866b21b51d8aed51654e6de
Instruction ID: f608195a9a33c6ec87bd3572c88375e9c959762368e4b100a8a92b3bc6af8daa
Opcode Fuzzy Hash: 31ec3f398471d110e56e24c9855d326c17161bdfa866b21b51d8aed51654e6de
Instruction Fuzzy Hash: 81E1A570A00258EFDB14EB69C945BDDBBB8AF58304F0041AEF449B7392DB785E48CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0042B8DB Relevance: 30.0, APIs: 12, Strings: 5, Instructions: 243
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0042B8DB(void* __ecx, void* __eflags) {
				WCHAR* _t115;
				void* _t121;
				WCHAR* _t122;
				void* _t131;
				WCHAR* _t132;
				void* _t140;
				WCHAR* _t141;
				void* _t149;
				WCHAR* _t150;
				void* _t158;
				WCHAR* _t159;
				void* _t169;
				void* _t176;
				WCHAR* _t191;
				WCHAR* _t200;
				WCHAR* _t204;
				intOrPtr* _t228;
				WCHAR* _t241;
				signed int _t245;
				void* _t248;
				void* _t250;
				void* _t252;
				void* _t253;
				intOrPtr* _t254;

				L0043B644(0x463794, _t250);
				_t253 = _t252 - 0x5c;
				_t248 = __ecx; // executed
				E0042B4CE(__ecx, __eflags); // executed
				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0xc)) + 4)) + 0x26c)) =  *((intOrPtr*)(__ecx + 4));
				_t115 =  *(L00403659( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0xc)) + 4)) + 4)) + 0x2c))(), _t250 - 0x68) + 8);
				_t257 = _t115;
				 *(_t250 - 4) = 0;
				if(_t115 != 0) {
					_t241 = _t115;
					_t204 = 0x467570;
				} else {
					_t204 = 0x467570;
					_t241 = 0x467570;
				}
				_t121 = E00404109( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t248 + 0xc)) + 4)) + 4)) + 0x2c))(_t250 - 0x40, 0x7d1, _t241, 0, 0), _t257); // executed
				_t122 =  *(_t121 + 8);
				_t258 = _t122;
				if(_t122 == 0) {
					_t122 = _t204;
				}
				SetDlgItemTextW( *(_t248 + 4), 0x3f0, _t122); // executed
				L0040125C(_t250 - 0x40);
				 *(_t250 - 4) =  *(_t250 - 4) | 0xffffffff;
				L0040125C(_t250 - 0x68);
				_t25 =  *((intOrPtr*)( *((intOrPtr*)(_t248 + 0xc)) + 4)) + 4; // 0x103
				_t131 = E00403E82( *((intOrPtr*)( *_t25 + 0x2c))(_t250 - 0x68, 0x72a), _t258); // executed
				_t132 =  *(_t131 + 8);
				_t259 = _t132;
				if(_t132 == 0) {
					_t132 = _t204;
				}
				SetDlgItemTextW( *(_t248 + 4), 1, _t132);
				L0040125C(_t250 - 0x68);
				_t33 =  *((intOrPtr*)( *((intOrPtr*)(_t248 + 0xc)) + 4)) + 4; // 0x103
				_t140 = E00403E82( *((intOrPtr*)( *_t33 + 0x2c))(_t250 - 0x68, 0x71e), _t259); // executed
				_t141 =  *(_t140 + 8);
				_t260 = _t141;
				if(_t141 == 0) {
					_t141 = _t204;
				}
				SetDlgItemTextW( *(_t248 + 4), 9, _t141); // executed
				L0040125C(_t250 - 0x68);
				_t41 =  *((intOrPtr*)( *((intOrPtr*)(_t248 + 0xc)) + 4)) + 4; // 0x103
				_t149 = E00403E82( *((intOrPtr*)( *_t41 + 0x2c))(_t250 - 0x68, 0x749), _t260); // executed
				_t150 =  *(_t149 + 8);
				_t261 = _t150;
				if(_t150 == 0) {
					_t150 = _t204;
				}
				SetDlgItemTextW( *(_t248 + 4), 0x34, _t150); // executed
				L0040125C(_t250 - 0x68);
				_t49 =  *((intOrPtr*)( *((intOrPtr*)(_t248 + 0xc)) + 4)) + 4; // 0x103
				_t158 = E00403E82( *((intOrPtr*)( *_t49 + 0x2c))(_t250 - 0x68, 0x74a), _t261); // executed
				_t159 =  *(_t158 + 8);
				if(_t159 == 0) {
					_t159 = _t204;
				}
				SetDlgItemTextW( *(_t248 + 4), 0x33, _t159); // executed
				L0040125C(_t250 - 0x68);
				EnableWindow(GetDlgItem( *(_t248 + 4), 9), 0); // executed
				EnableWindow(GetDlgItem( *(_t248 + 4), 2), 0); // executed
				_t169 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t248 + 0xc)) + 4)) + 4)) + 0x2c))();
				_t263 =  *((char*)(_t169 + 0x12));
				if( *((char*)(_t169 + 0x12)) != 0) {
					_t65 =  *((intOrPtr*)( *((intOrPtr*)(_t248 + 0xc)) + 4)) + 4; // 0x103
					_t191 =  *(E00403E82( *((intOrPtr*)( *_t65 + 0x2c))(_t250 - 0x68, 0x752), _t263) + 8);
					_t264 = _t191;
					if(_t191 == 0) {
						_t191 = 0x467570;
					}
					SetDlgItemTextW( *(_t248 + 4), 0x135, _t191);
					L0040125C(_t250 - 0x68);
					_t73 =  *((intOrPtr*)( *((intOrPtr*)(_t248 + 0xc)) + 4)) + 4; // 0x103
					_t200 =  *(E00403E82( *((intOrPtr*)( *_t73 + 0x2c))(_t250 - 0x68, 0x751), _t264) + 8);
					_t265 = _t200;
					if(_t200 == 0) {
						_t200 = 0x467570;
					}
					SetDlgItemTextW( *(_t248 + 4), 0x133, _t200);
					L0040125C(_t250 - 0x68);
				}
				_t254 = _t253 - 0x28;
				 *((intOrPtr*)(_t250 - 0x14)) = _t254;
				_t228 = _t254;
				 *_t228 = 0x46757c;
				 *((intOrPtr*)(_t228 + 0x20)) = 0x467574;
				L00401CDD(_t228);
				_t245 = 1;
				 *(_t250 - 4) = _t245;
				_t176 = L004037B9(_t250 - 0x18,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t248 + 0xc)) + 4)) + 4)) + 0x2c))(_t248 + 0x18, 0));
				 *(_t250 - 4) = 3;
				E00406E05(_t176, _t265); // executed
				 *(_t250 - 4) =  *(_t250 - 4) | 0xffffffff;
				 *((intOrPtr*)(_t250 - 0x10)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t248 + 0xc)) + 4)) + 4)) + 0x2c))( *(_t248 + 4));
				 *(_t250 - 4) = 4;
				L00406F7B( *(_t248 + 4), _t248 + 0x40);
				 *[fs:0x0] =  *((intOrPtr*)(_t250 - 0xc));
				return _t245;
			}

0x0042b8e0
0x0042b8e5
0x0042b8eb
0x0042b8ed
0x0042b8fb
0x0042b91a
0x0042b91f
0x0042b921
0x0042b924
0x0042b92f
0x0042b931
0x0042b926
0x0042b926
0x0042b92b
0x0042b92b
0x0042b952
0x0042b957
0x0042b95a
0x0042b95c
0x0042b95e
0x0042b95e
0x0042b96f
0x0042b974
0x0042b979
0x0042b980
0x0042b990
0x0042b99e
0x0042b9a3
0x0042b9a6
0x0042b9a8
0x0042b9aa
0x0042b9aa
0x0042b9b2
0x0042b9b7
0x0042b9c7
0x0042b9d5
0x0042b9da
0x0042b9dd
0x0042b9df
0x0042b9e1
0x0042b9e1
0x0042b9e9
0x0042b9ee
0x0042b9fe
0x0042ba0c
0x0042ba11
0x0042ba14
0x0042ba16
0x0042ba18
0x0042ba18
0x0042ba20
0x0042ba25
0x0042ba35
0x0042ba43
0x0042ba48
0x0042ba4d
0x0042ba4f
0x0042ba4f
0x0042ba57
0x0042ba5c
0x0042ba71
0x0042ba81
0x0042ba93
0x0042ba96
0x0042ba9a
0x0042baa7
0x0042baba
0x0042babd
0x0042babf
0x0042bac1
0x0042bac1
0x0042bacf
0x0042bad4
0x0042bae4
0x0042baf7
0x0042bafa
0x0042bafc
0x0042bafe
0x0042bafe
0x0042bb0c
0x0042bb11
0x0042bb11
0x0042bb16
0x0042bb1c
0x0042bb1f
0x0042bb24
0x0042bb2a
0x0042bb31
0x0042bb3b
0x0042bb3f
0x0042bb4f
0x0042bb59
0x0042bb5d
0x0042bb65
0x0042bb75
0x0042bb7f
0x0042bb89
0x0042bb95
0x0042bb9e

APIs

__EH_prolog.LIBCMT ref: 0042B8E0

Part of subcall function 0042B4CE: __EH_prolog.LIBCMT ref: 0042B4D3
Part of subcall function 0042B4CE: SendDlgItemMessageW.USER32 ref: 0042B543
Part of subcall function 0042B4CE: GetObjectW.GDI32(00000000,0000005C,?), ref: 0042B54F
Part of subcall function 0042B4CE: lstrcpyW.KERNEL32 ref: 0042B57F
Part of subcall function 0042B4CE: CreateFontIndirectW.GDI32(?), ref: 0042B58C
Part of subcall function 0042B4CE: SendDlgItemMessageW.USER32 ref: 0042B5CF

SetDlgItemTextW.USER32 ref: 0042B96F
SetDlgItemTextW.USER32 ref: 0042B9B2
SetDlgItemTextW.USER32 ref: 0042B9E9
SetDlgItemTextW.USER32 ref: 0042BA20
SetDlgItemTextW.USER32 ref: 0042BA57
GetDlgItem.USER32 ref: 0042BA6C
KiUserCallbackDispatcher.NTDLL(00000000,00000000), ref: 0042BA71
GetDlgItem.USER32 ref: 0042BA7C
KiUserCallbackDispatcher.NTDLL(00000000,00000000), ref: 0042BA81
SetDlgItemTextW.USER32 ref: 0042BACF
SetDlgItemTextW.USER32 ref: 0042BB0C

Part of subcall function 00406F7B: GetDlgItem.USER32 ref: 00406F93
Part of subcall function 00406F7B: GetDlgItem.USER32 ref: 00406FB7

Strings

puF, xrefs: 0042BAC1
puF, xrefs: 0042B931
tuF, xrefs: 0042BB2A
puF, xrefs: 0042BAFE
puF, xrefs: 0042B926

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: Item$Text$CallbackDispatcherH_prologMessageSendUser$CreateFontIndirectObjectlstrcpy
String ID: puF$puF$puF$puF$tuF
API String ID: 464785693-930786248
Opcode ID: 5a99a0c649eac1569bed5e63e41264ca416ba6882f8a466a5e8e53f08f502d2b
Instruction ID: 96dff168a68f69b1f365421a8a49ad6aef4358e4feea897085550075b3f9b842
Opcode Fuzzy Hash: 5a99a0c649eac1569bed5e63e41264ca416ba6882f8a466a5e8e53f08f502d2b
Instruction Fuzzy Hash: 48A108747002059FD710EF68C989E99BBF8EF44308B0585AEE55EDB6A2EB34ED05CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00416E73 Relevance: 26.5, APIs: 3, Strings: 12, Instructions: 234
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00416E73(intOrPtr __ecx, void* __edx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				WCHAR* _t77;
				signed int _t80;
				intOrPtr _t81;
				intOrPtr _t95;
				intOrPtr _t102;
				void* _t120;
				void* _t125;
				signed int _t126;
				void* _t129;
				intOrPtr* _t150;
				void* _t155;
				intOrPtr _t161;
				char* _t163;
				void* _t165;
				void* _t167;
				void* _t169;
				intOrPtr* _t170;
				intOrPtr _t171;
				intOrPtr _t176;
				intOrPtr _t178;
				intOrPtr _t179;
				intOrPtr _t180;
				intOrPtr _t181;
				intOrPtr _t182;

				_t155 = __edx;
				L0043B644(0x461763, _t165);
				_t161 = __ecx;
				 *((intOrPtr*)(_t165 - 0x1c)) = __ecx;
				 *(_t165 - 4) =  *(_t165 - 4) & 0x00000000;
				 *(_t165 - 0x10) =  *(_t165 - 0x10) & 0x00000000;
				_t157 = __ecx + 8;
				 *((intOrPtr*)(_t165 - 0x48)) = __ecx;
				L0043B670(_t165 - 0x88, __ecx + 8, 0x40);
				_t169 = _t167 - 0xa4 + 0xc;
				_t129 = 1;
				_push(_t129);
				_push(_t165 - 0x15);
				_push("C:\\CodeBases\\isdev\\src\\Runtime\\InstallScript\\SetupNew\\setup.cpp");
				 *(_t165 - 4) = 2;
				_t77 =  *(E0040A5F5(_t165 - 0xb0) + 8);
				if(_t77 == 0) {
					_t77 = 0x4675e4;
				}
				lstrcpyW(_t161 + 0x50, _t77);
				E004061C1(_t165 - 0xb0);
				_t80 = E0043C804(_t129, _t157, _t161 + 0x50, _t165, _t157, 3, 0x43b31a,  *(_t165 - 4), 0x46cf00);
				_t170 = _t169 + 0x14;
				_t163 = L"ISSetupDLLOp";
				if(_t80 != 0) {
					 *(_t165 - 0x10) = _t80;
					L14:
					if( *(_t165 - 0x10) >= 0) {
						_t81 =  *((intOrPtr*)(_t165 + 0x38));
						__eflags = _t81;
						if(_t81 == 0) {
							_t81 = 0x467570;
						}
						_push(_t81);
						_push(L00401806(_t165 + 8));
						_push(_t129);
						_push(L"Success");
						_push(L"Result=%s\tCopied=%ld\tSourceFile=%s\tTargetFile=%s");
						_t171 = _t170 - 0x28;
						 *((intOrPtr*)(_t165 - 0x34)) = _t171;
						L00401732(_t171, L"CopyDisk1FileToTempEnd", _t165 - 0x12, _t129);
						 *((intOrPtr*)(_t165 - 0x3c)) = _t171 - 0x28;
						 *(_t165 - 4) = 6;
						L00401732(_t171 - 0x28, _t163, _t165 - 0x14, _t129);
						 *(_t165 - 4) = 2;
						L00432D64();
						L21:
						L0043B670( *((intOrPtr*)(_t165 - 0x48)) + 8, _t165 - 0x88, 0x40);
						 *(_t165 - 4) =  *(_t165 - 4) & 0x00000000;
						L0040125C(_t165 + 8);
						 *(_t165 - 4) =  *(_t165 - 4) | 0xffffffff;
						L0040125C(_t165 + 0x30);
						 *[fs:0x0] =  *((intOrPtr*)(_t165 - 0xc));
						return  *(_t165 - 0x10);
					}
					L15:
					_t95 =  *((intOrPtr*)(_t165 + 0x38));
					if(_t95 == 0) {
						_t95 = 0x467570;
					}
					_push(_t95);
					_push(L00401806(_t165 + 8));
					_push( *(_t165 - 0x10));
					_push(_t129);
					_push(L"Failure");
					_push(L"Result=%s\t\tError=0x%08lx\tCopied=%ld\tSourceFile=%s\tTargetFile=%s");
					_t176 = _t170 - 0x28;
					 *((intOrPtr*)(_t165 - 0x24)) = _t176;
					L00401732(_t176, L"CopyDisk1FileToTempEnd", _t165 - 0x17, _t129);
					 *((intOrPtr*)(_t165 - 0x2c)) = _t176 - 0x28;
					 *(_t165 - 4) = 5;
					L00401732(_t176 - 0x28, _t163, _t165 - 0x11, _t129);
					 *(_t165 - 4) = 2;
					L00432D64();
					goto L21;
				}
				_t102 =  *((intOrPtr*)(_t165 + 0x38));
				if(_t102 == 0) {
					_t102 = 0x467570;
				}
				_push(_t102);
				_push(L00401806(_t165 + 8));
				_push(L"SourceFile=%s\tTargetFile=%s");
				_t178 = _t170 - 0x28;
				 *((intOrPtr*)(_t165 - 0x28)) = _t178;
				L00401732(_t178, L"CopyDisk1FileToTempBegin", _t165 - 0x16, _t129);
				_t179 = _t178 - 0x28;
				 *((intOrPtr*)(_t165 - 0x20)) = _t179;
				 *(_t165 - 4) = 3;
				L00401732(_t179, _t163, _t165 - 0x13, _t129);
				 *(_t165 - 4) = 2;
				L00432D64();
				_t170 = _t179 + 0x5c;
				asm("sbb eax, eax");
				asm("sbb ecx, ecx");
				if(L00402DE6( ~(_t165 + 8) & _t165 + 0x0000000c,  ~(_t165 + 0x30) & _t165 + 0x00000034) != 0) {
					_push(0xc);
					_t180 = _t170 - 0x28;
					 *((intOrPtr*)(_t165 - 0x44)) = _t180;
					L00401708(_t180, _t165 + 0x30, _t129); // executed
					_t120 = E0042CFBE(); // executed
					_t170 = _t180 + 0x2c;
					_t188 = _t120;
					if(_t120 == 0) {
						_push(0x8000);
						_t181 = _t170 - 0x28;
						 *((intOrPtr*)(_t165 - 0x30)) = _t181;
						L00401708(_t181, _t165 + 0x30, _t129);
						_t182 = _t181 - 0x28;
						 *((intOrPtr*)(_t165 - 0x40)) = _t182;
						 *(_t165 - 4) = 4;
						L00401708(_t182, _t165 + 8, _t129);
						 *(_t165 - 4) = 2;
						_t125 = E0042D8B5(_t155, _t188); // executed
						_t170 = _t182 + 0x54;
						if(_t125 == 0) {
							_t126 =  *0x47e3d4; // 0x2
							if(_t126 > 0) {
								_t126 = _t126 & 0x0000ffff | 0x80070000;
							}
							 *(_t165 - 0x10) = _t126;
						}
					}
				}
				if( *(_t165 - 0x10) < 0) {
					goto L15;
				} else {
					_t170 = _t170 - 0x28;
					 *((intOrPtr*)(_t165 - 0x38)) = _t170;
					_t150 = _t170;
					_push(0);
					_push(_t165 + 0x30);
					 *_t150 = 0x46757c;
					 *((intOrPtr*)(_t150 + 0x20)) = 0x467574;
					L00401CDD(_t150);
					L0040EF21( *((intOrPtr*)( *((intOrPtr*)(_t165 - 0x1c)) + 0x3a4)));
					goto L14;
				}
			}

0x00416e73
0x00416e78
0x00416e85
0x00416e88
0x00416e8b
0x00416e8f
0x00416e93
0x00416ea0
0x00416ea3
0x00416ea8
0x00416eb0
0x00416eb7
0x00416eb8
0x00416eb9
0x00416ebe
0x00416ec7
0x00416ecc
0x00416ece
0x00416ece
0x00416ed8
0x00416ee4
0x00416ef9
0x00416efe
0x00416f08
0x00416f0d
0x00417030
0x00417033
0x00417037
0x00417096
0x00417099
0x0041709b
0x0041709d
0x0041709d
0x0041709f
0x004170a8
0x004170a9
0x004170aa
0x004170af
0x004170b4
0x004170bc
0x004170c6
0x004170d3
0x004170d9
0x004170dd
0x004170e2
0x004170e6
0x004170ee
0x004170fe
0x00417103
0x0041710d
0x00417112
0x00417119
0x00417126
0x0041712f
0x0041712f
0x00417039
0x00417039
0x0041703e
0x00417040
0x00417040
0x00417042
0x0041704b
0x0041704f
0x00417052
0x00417053
0x00417058
0x0041705d
0x00417062
0x0041706c
0x00417079
0x0041707f
0x00417083
0x00417088
0x0041708c
0x00000000
0x00417091
0x00416f13
0x00416f18
0x00416f1a
0x00416f1a
0x00416f1c
0x00416f25
0x00416f26
0x00416f2b
0x00416f33
0x00416f3d
0x00416f42
0x00416f4a
0x00416f50
0x00416f54
0x00416f59
0x00416f5d
0x00416f65
0x00416f6a
0x00416f7a
0x00416f85
0x00416f87
0x00416f8c
0x00416f91
0x00416f96
0x00416f9b
0x00416fa0
0x00416fa3
0x00416fa5
0x00416fa7
0x00416faf
0x00416fb4
0x00416fb9
0x00416fbe
0x00416fc6
0x00416fcb
0x00416fcf
0x00416fd4
0x00416fd8
0x00416fdd
0x00416fe2
0x00416fe4
0x00416feb
0x00416ff2
0x00416ff2
0x00416ff7
0x00416ff7
0x00416fe2
0x00416fa5
0x00416ffe
0x00000000
0x00417000
0x00417000
0x00417006
0x00417009
0x0041700b
0x0041700d
0x0041700e
0x00417014
0x0041701b
0x00417029
0x00000000
0x00417029

APIs

__EH_prolog.LIBCMT ref: 00416E78

Part of subcall function 0040A5F5: __EH_prolog.LIBCMT ref: 0040A5FA
Part of subcall function 0040A5F5: SetLastError.KERNEL32(?,?,00000000,?,?,0040F157,C:\CodeBases\isdev\src\Runtime\InstallScript\SetupNew\setup.cpp,?,00000001,00467574,00000000,0046757C), ref: 0040A660

lstrcpyW.KERNEL32 ref: 00416ED8
__setjmp3.LIBCMT ref: 00416EF9

Part of subcall function 00401CDD: __EH_prolog.LIBCMT ref: 00401CE2
Part of subcall function 00401CDD: GetLastError.KERNEL32(00467574,00000000,0046757C,?,004021DC,?,00000000,00000000,00000000,?,00000000), ref: 00401D0A
Part of subcall function 00401CDD: SetLastError.KERNEL32(?,00000000,00000000,00000000,?,004021DC,?,00000000,00000000,00000000,?,00000000), ref: 00401D57

Part of subcall function 0040EF21: __EH_prolog.LIBCMT ref: 0040EF26

Strings

uF, xrefs: 00416ECE
CopyDisk1FileToTempBegin, xrefs: 00416F38
ISSetupDLLOp, xrefs: 00416F08, 00416F4F, 0041707E, 004170D8
CopyDisk1FileToTempEnd, xrefs: 00417067, 004170C1
Success, xrefs: 004170AA
tuF, xrefs: 00417014
Result=%sCopied=%ldSourceFile=%sTargetFile=%s, xrefs: 004170AF
SourceFile=%sTargetFile=%s, xrefs: 00416F26
Failure, xrefs: 00417053
C:\CodeBases\isdev\src\Runtime\InstallScript\SetupNew\setup.cpp, xrefs: 00416EB9
Result=%sError=0x%08lxCopied=%ldSourceFile=%sTargetFile=%s, xrefs: 00417058
puF, xrefs: 00416F01

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: H_prolog$ErrorLast$__setjmp3lstrcpy
String ID: C:\CodeBases\isdev\src\Runtime\InstallScript\SetupNew\setup.cpp$CopyDisk1FileToTempBegin$CopyDisk1FileToTempEnd$Failure$ISSetupDLLOp$Result=%sError=0x%08lxCopied=%ldSourceFile=%sTargetFile=%s$Result=%sCopied=%ldSourceFile=%sTargetFile=%s$SourceFile=%sTargetFile=%s$Success$puF$tuF$uF
API String ID: 1495275635-3148530149
Opcode ID: 4b898fa0edb066ab54897a6f256ff7e310ba8fddff73689081e2f79864983ff5
Instruction ID: 6342371070af4e4be790be4e90a306fb5febe399b560a1abcbf31a0cc5a961d4
Opcode Fuzzy Hash: 4b898fa0edb066ab54897a6f256ff7e310ba8fddff73689081e2f79864983ff5
Instruction Fuzzy Hash: CB819971E00208AFDB00EB65CD46FEE7B7CAF15348F50416FF805A7181E7789A4587AA

Uniqueness

Uniqueness Score: -1.00%

Function 0041E892 Relevance: 26.5, APIs: 7, Strings: 8, Instructions: 223
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E0041E892(signed int __edi, intOrPtr __esi) {
				char* _t88;
				void* _t92;
				void* _t95;
				signed int _t96;
				void* _t105;
				char* _t113;
				signed int _t114;
				char* _t116;
				intOrPtr _t117;
				char* _t119;
				intOrPtr _t120;
				char* _t122;
				intOrPtr _t123;
				char* _t125;
				intOrPtr _t126;
				char* _t138;
				intOrPtr _t139;
				char* _t141;
				intOrPtr _t142;
				void* _t152;
				intOrPtr* _t154;
				void* _t168;
				signed int _t184;
				signed int* _t187;
				intOrPtr _t189;
				void* _t191;
				void* _t193;
				char* _t194;
				char* _t195;
				char* _t197;

				_t189 = __esi;
				_t184 = __edi;
				_t88 =  *(_t191 + 8);
				 *((intOrPtr*)(_t191 - 0x44)) = 0x4675d8;
				_t199 = _t88 - __edi;
				 *((intOrPtr*)(_t191 - 0x24)) = 0x4675d0;
				if(_t88 == __edi) {
					_t88 = 0x47e150;
				}
				_push(_t184);
				_push(_t191 - 0x11);
				_push(_t88);
				L0040B34B(_t191 - 0x44);
				_push(1);
				_push(_t191 - 0x44);
				_push(_t191 - 0xbc);
				 *(_t191 - 4) = _t184;
				_t92 = L0041F0A4(_t199);
				_push(1);
				_push(_t189 + 4);
				_push(_t191 - 0x94);
				 *(_t191 - 4) = 1;
				_t95 = L0041F0A4(_t199);
				 *(_t191 - 4) = 2;
				_t96 = E0040ABC8(_t95, _t92);
				asm("sbb bl, bl");
				 *(_t191 - 4) = 1;
				E004061C1(_t191 - 0x94);
				 *(_t191 - 4) =  *(_t191 - 4) & 0x00000000;
				E004061C1(_t191 - 0xbc);
				 *(_t191 - 4) =  *(_t191 - 4) | 0xffffffff;
				E004061C1(_t191 - 0x44);
				if( ~_t96 + 1 != 0) {
					 *((char*)(_t191 + 0xf)) = 1;
				}
				_t100 =  *(_t191 + 8);
				_t152 = _t189 + 4;
				if( *(_t191 + 8) == _t184) {
					_t100 = 0x47e150;
				}
				L0040BDDD(_t152, _t100);
				_push(4);
				_t194 = _t193 - 0x28;
				 *(_t191 + 8) = _t194;
				L00401732(_t194, E0040A5A5(_t189 + 8), _t191 + 0xb, 1); // executed
				_t105 = E0042CFBE(); // executed
				_t195 =  &(_t194[0x2c]);
				_t202 = _t105;
				if(_t105 != 0) {
					_push(0xffffffff);
					_t197 = _t195 - 0x28;
					 *(_t191 + 8) = _t197;
					_push(_t197);
					E0040A6F4(_t152);
					_push(_t191 - 0x6c); // executed
					E0041EB9B(_t202); // executed
					_t110 = L"PrereqEngine: ";
					 *(_t191 - 4) = 3;
					_t168 = _t189 + 0x3c0;
					if(L"PrereqEngine: " == 0) {
						_t110 = 0x47e150;
					}
					L0040BDDD(_t168, _t110);
					 *(_t189 + 0x25c) =  *(_t189 + 0x25c) & 0x00000000;
					 *(_t189 + 0x25e) =  *(_t189 + 0x25e) & 0x00000000;
					 *(_t189 + 0x25d) =  *(_t189 + 0x25d) & 0x00000000;
					 *((char*)(_t189 + 0x260)) = 1;
					L00425F23(_t152, _t189 + 0x264);
					_t113 =  *0x4675e0; // 0xffffffff
					_t187 = _t189 + 0x298;
					 *(_t191 + 8) = _t113;
					_t114 =  *_t187;
					if(_t114 == 0) {
						_t154 = __imp__#6;
					} else {
						_t154 = __imp__#6;
						 *_t154(_t114);
						 *_t187 =  *_t187 & 0x00000000;
					}
					E0040C91A(_t189 + 0x280, _t191, 0,  *(_t191 + 8));
					_t116 =  *0x4675e0; // 0xffffffff
					 *(_t191 + 8) = _t116;
					_t117 =  *((intOrPtr*)(_t189 + 0x2c0));
					if(_t117 != 0) {
						 *_t154(_t117);
						 *((intOrPtr*)(_t189 + 0x2c0)) = 0;
					}
					E0040C91A(_t189 + 0x2a8, _t191, 0,  *(_t191 + 8));
					if( *((char*)(_t191 + 0xf)) == 0) {
						_t138 =  *0x4675e0; // 0xffffffff
						 *(_t191 + 0xc) = _t138;
						_t139 =  *((intOrPtr*)(_t189 + 0x2e8));
						if(_t139 != 0) {
							 *_t154(_t139);
							 *((intOrPtr*)(_t189 + 0x2e8)) = 0;
						}
						E0040C91A(_t189 + 0x2d0, _t191, 0,  *(_t191 + 0xc));
						_t141 =  *0x4675e0; // 0xffffffff
						 *(_t191 + 0xc) = _t141;
						_t142 =  *((intOrPtr*)(_t189 + 0x310));
						if(_t142 != 0) {
							 *_t154(_t142);
							 *((intOrPtr*)(_t189 + 0x310)) = 0;
						}
						E0040C91A(_t189 + 0x2f8, _t191, 0,  *(_t191 + 0xc));
					}
					_t119 =  *0x4675e0; // 0xffffffff
					 *(_t191 + 0xc) = _t119;
					_t120 =  *((intOrPtr*)(_t189 + 0x338));
					if(_t120 != 0) {
						 *_t154(_t120);
						 *((intOrPtr*)(_t189 + 0x338)) = 0;
					}
					E0040C91A(_t189 + 0x320, _t191, 0,  *(_t191 + 0xc));
					_t122 =  *0x4675e0; // 0xffffffff
					 *(_t191 + 0xc) = _t122;
					_t123 =  *((intOrPtr*)(_t189 + 0x360));
					if(_t123 != 0) {
						 *_t154(_t123);
						 *((intOrPtr*)(_t189 + 0x360)) = 0;
					}
					E0040C91A(_t189 + 0x348, _t191, 0,  *(_t191 + 0xc));
					_t125 =  *0x4675e0; // 0xffffffff
					 *(_t191 + 0xc) = _t125;
					_t126 =  *((intOrPtr*)(_t189 + 0x3b0));
					if(_t126 != 0) {
						 *_t154(_t126);
						 *((intOrPtr*)(_t189 + 0x3b0)) = 0;
					}
					E0040C91A(_t189 + 0x398, _t191, 0,  *(_t191 + 0xc));
					L00425FBB(_t154, _t189 + 0x270);
					_t129 =  *((intOrPtr*)(_t191 - 0x64));
					 *(_t191 - 4) = 4;
					 *((intOrPtr*)(_t191 - 0x18)) = _t189;
					if( *((intOrPtr*)(_t191 - 0x64)) == 0) {
						_t129 = 0x467570;
					}
					_t78 = _t191 - 0x18; // 0x4675e4, executed
					L00438DFB(_t78, _t129); // executed
					_t131 =  *((intOrPtr*)(_t191 + 0x10));
					 *(_t191 - 4) = 3;
					if( *((intOrPtr*)( *((intOrPtr*)(_t191 + 0x10)) + 0xc)) != 0) {
						E004066ED(_t189 + 0x2cc, E004066ED(_t189 + 0x2f4, _t131));
					}
					L0042177C(_t189);
					 *(_t191 - 4) =  *(_t191 - 4) | 0xffffffff;
					_t105 = L0040125C(_t191 - 0x6c);
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t191 - 0xc));
				return _t105;
			}

0x0041e892
0x0041e892
0x0041e892
0x0041e895
0x0041e89c
0x0041e89e
0x0041e8a5
0x0041e8a7
0x0041e8a7
0x0041e8af
0x0041e8b0
0x0041e8b1
0x0041e8b5
0x0041e8bd
0x0041e8bf
0x0041e8c6
0x0041e8c9
0x0041e8cc
0x0041e8d6
0x0041e8d8
0x0041e8df
0x0041e8e2
0x0041e8e6
0x0041e8ee
0x0041e8f2
0x0041e901
0x0041e903
0x0041e909
0x0041e90e
0x0041e918
0x0041e91d
0x0041e924
0x0041e92b
0x0041e92d
0x0041e92d
0x0041e931
0x0041e934
0x0041e939
0x0041e93b
0x0041e93b
0x0041e943
0x0041e948
0x0041e94d
0x0041e955
0x0041e963
0x0041e968
0x0041e96d
0x0041e970
0x0041e972
0x0041e978
0x0041e97c
0x0041e981
0x0041e984
0x0041e985
0x0041e98d
0x0041e98e
0x0041e996
0x0041e99b
0x0041e9a4
0x0041e9ac
0x0041e9ae
0x0041e9ae
0x0041e9b4
0x0041e9b9
0x0041e9c0
0x0041e9c7
0x0041e9d4
0x0041e9db
0x0041e9e0
0x0041e9e5
0x0041e9eb
0x0041e9ee
0x0041e9f2
0x0041ea02
0x0041e9f4
0x0041e9f4
0x0041e9fb
0x0041e9fd
0x0041e9fd
0x0041ea13
0x0041ea18
0x0041ea1f
0x0041ea22
0x0041ea2a
0x0041ea2d
0x0041ea2f
0x0041ea2f
0x0041ea3f
0x0041ea48
0x0041ea4a
0x0041ea4f
0x0041ea52
0x0041ea5a
0x0041ea5d
0x0041ea5f
0x0041ea5f
0x0041ea6f
0x0041ea74
0x0041ea79
0x0041ea7c
0x0041ea84
0x0041ea87
0x0041ea89
0x0041ea89
0x0041ea99
0x0041ea99
0x0041ea9e
0x0041eaa3
0x0041eaa6
0x0041eaae
0x0041eab1
0x0041eab3
0x0041eab3
0x0041eac3
0x0041eac8
0x0041eacd
0x0041ead0
0x0041ead8
0x0041eadb
0x0041eadd
0x0041eadd
0x0041eaed
0x0041eaf2
0x0041eaf7
0x0041eafa
0x0041eb02
0x0041eb05
0x0041eb07
0x0041eb07
0x0041eb17
0x0041eb22
0x0041eb27
0x0041eb2a
0x0041eb30
0x0041eb33
0x0041eb35
0x0041eb35
0x0041eb3b
0x0041eb3e
0x0041eb50
0x0041eb53
0x0041eb5d
0x0041eb72
0x0041eb72
0x0041eb79
0x0041eb7e
0x0041eb85
0x0041eb85
0x0041eb8f
0x0041eb98

APIs

SysFreeString.OLEAUT32(FFFFFFFF), ref: 0041E9FB
SysFreeString.OLEAUT32(?), ref: 0041EA2D
SysFreeString.OLEAUT32(?), ref: 0041EA5D
SysFreeString.OLEAUT32(?), ref: 0041EA87
SysFreeString.OLEAUT32(?), ref: 0041EAB1
SysFreeString.OLEAUT32(?), ref: 0041EADB
SysFreeString.OLEAUT32(?), ref: 0041EB05

Strings

PrereqEngine: , xrefs: 0041E996, 0041E9B3
PG, xrefs: 0041E93B
PG, xrefs: 0041E9AE
PG, xrefs: 0041E8A7
puF, xrefs: 0041EB35
uF, xrefs: 0041EB3B
Q, xrefs: 0041E968
Cu, xrefs: 0041E9DB

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: FreeString
String ID: PrereqEngine: $PG$PG$PG$puF$Cu$Q$uF
API String ID: 3341692771-3577620960
Opcode ID: c816221f8fcb12f4165037941a2ada6e8b8ed57f23a28585915a09ca2743f0e4
Instruction ID: bec0424b9c4153f167b588c74807cfd6cb49bbf19a66ab97c676609426f6114d
Opcode Fuzzy Hash: c816221f8fcb12f4165037941a2ada6e8b8ed57f23a28585915a09ca2743f0e4
Instruction Fuzzy Hash: E491A070900304EBCB11DF66C885BDEB7E9BF44308F10851EF45AE7281EB78AA45CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0041919A Relevance: 25.7, APIs: 17, Instructions: 221
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041919A() {
				void* _t74;
				long _t75;
				long _t79;
				void* _t80;
				long _t82;
				void* _t83;
				void* _t84;
				long _t93;
				void* _t96;
				void** _t112;
				void** _t113;
				void** _t114;
				void** _t115;
				void* _t125;
				void* _t127;
				void* _t130;
				void* _t131;
				void* _t132;
				void* _t133;
				void* _t135;
				void* _t137;
				void* _t138;

				L0043B644(0x461c1c, _t138);
				 *(_t138 - 0x14) = 0;
				 *(_t138 - 4) = 0;
				 *(_t138 - 0x10) = 0;
				 *(_t138 - 0x18) = 0;
				 *(_t138 - 4) = 2;
				_t74 = CreateFileW( *(_t138 + 8), 0x80000000, 1, 0, 3, 0x80, 0); // executed
				_t127 = _t74;
				if( *(_t138 - 0x14) != _t127) {
					E0041A563(_t138 - 0x14);
					 *(_t138 - 0x14) = _t127;
				}
				if( *(_t138 - 0x14) == 0xffffffff) {
					L9:
					_t75 = GetLastError();
					 *(_t138 - 4) = 1;
					E0041A3C1(_t138 - 0x18);
					 *(_t138 - 4) = 0;
					E0041A563(_t138 - 0x10);
					 *(_t138 - 4) =  *(_t138 - 4) | 0xffffffff;
					E0041A563(_t138 - 0x14);
					_t79 = _t75;
					L59:
					 *[fs:0x0] =  *((intOrPtr*)(_t138 - 0xc));
					return _t79;
				}
				_t80 = CreateFileMappingW( *(_t138 - 0x14), 0, 2, 0, 0, 0); // executed
				_t130 = _t80;
				if( *(_t138 - 0x10) != _t130) {
					E0041A563(_t138 - 0x10);
					 *(_t138 - 0x10) = _t130;
				}
				if( *(_t138 - 0x10) == 0) {
					goto L9;
				} else {
					GetSystemInfo(_t138 - 0x40); // executed
					_t82 =  *(_t138 - 0x3c);
					 *(_t138 + 8) = _t82;
					_t83 = MapViewOfFile( *(_t138 - 0x10), 4, 0, 0, _t82); // executed
					_t131 = _t83;
					_t84 =  *(_t138 - 0x18);
					if(_t84 != _t131) {
						E0041A3C1(_t138 - 0x18);
						_t84 = _t131;
						 *(_t138 - 0x18) = _t84;
					}
					if(_t84 != 0) {
						_t125 = UnmapViewOfFile;
						if( *_t84 != 0x5a4d) {
							_t132 =  *(_t138 + 8);
							L41:
							_t112 =  *(_t138 + 0xc);
							if(_t112 != 0) {
								 *_t112 = _t84;
								_t84 = 0;
								 *(_t138 - 0x18) = 0;
							}
							_t113 =  *(_t138 + 0x10);
							if(_t113 != 0) {
								 *(_t138 - 0x14) = 0;
								 *_t113 =  *(_t138 - 0x14);
							}
							_t114 =  *(_t138 + 0x14);
							if(_t114 != 0) {
								 *(_t138 - 0x10) = 0;
								 *_t114 =  *(_t138 - 0x10);
							}
							_t115 =  *(_t138 + 0x18);
							if(_t115 != 0) {
								 *_t115 = _t132;
							}
							if(_t84 != 0 && _t125 != 0) {
								UnmapViewOfFile(_t84);
								 *(_t138 - 0x18) = 0;
							}
							_t133 = CloseHandle;
							if( *(_t138 - 0x10) != 0 && CloseHandle != 0) {
								CloseHandle( *(_t138 - 0x10));
								 *(_t138 - 0x10) = 0;
							}
							if( *(_t138 - 0x14) != 0 && _t133 != 0) {
								CloseHandle( *(_t138 - 0x14));
							}
							_t79 = 0;
							goto L59;
						}
						_t132 =  *((intOrPtr*)(_t84 + 0x3c)) + _t84;
						if(IsBadReadPtr(_t132, 0xf8) != 0 ||  *_t132 != 0x4550) {
							 *(_t138 - 4) = 1;
							E0041A3C1(_t138 - 0x18);
							 *(_t138 - 4) = 0;
							E0041A563(_t138 - 0x10);
							if( *(_t138 - 0x14) != 0 && CloseHandle != 0) {
								CloseHandle( *(_t138 - 0x14));
							}
							goto L35;
						} else {
							_t93 =  *(_t132 + 0x54);
							 *(_t138 - 0x1c) = _t93;
							if( *(_t138 + 8) >= _t93) {
								L39:
								_t84 =  *(_t138 - 0x18);
								goto L41;
							}
							UnmapViewOfFile( *(_t138 - 0x18));
							_t135 = MapViewOfFile( *(_t138 - 0x10), 4, 0, 0,  *(_t138 - 0x1c));
							_t96 =  *(_t138 - 0x18);
							if(_t96 != _t135) {
								if(_t96 != 0 && UnmapViewOfFile != 0) {
									UnmapViewOfFile(_t96);
								}
								_t96 = _t135;
								 *(_t138 - 0x18) = _t96;
							}
							if( *_t96 == 0x5a4d) {
								_t132 =  *((intOrPtr*)(_t96 + 0x3c)) + _t96;
								if(IsBadReadPtr(_t132, 0xf8) != 0 ||  *_t132 != 0x4550) {
									if( *(_t138 - 0x18) == 0 || _t125 == 0) {
										goto L29;
									} else {
										UnmapViewOfFile( *(_t138 - 0x18));
										goto L28;
									}
								} else {
									goto L39;
								}
							} else {
								if(_t96 == 0 || _t125 == 0) {
									L29:
									_t137 = CloseHandle;
									if( *(_t138 - 0x10) != 0 && CloseHandle != 0) {
										CloseHandle( *(_t138 - 0x10));
										 *(_t138 - 0x10) = 0;
									}
									if( *(_t138 - 0x14) != 0 && _t137 != 0) {
										CloseHandle( *(_t138 - 0x14));
									}
									L35:
									_t79 = 0xc1;
									goto L59;
								} else {
									UnmapViewOfFile(_t96);
									L28:
									 *(_t138 - 0x18) = 0;
									goto L29;
								}
							}
						}
					} else {
						goto L9;
					}
				}
			}

0x0041919f
0x004191ac
0x004191af
0x004191b2
0x004191b5
0x004191cb
0x004191cf
0x004191d5
0x004191da
0x004191df
0x004191e4
0x004191e4
0x004191eb
0x0041924b
0x0041924b
0x00419256
0x0041925a
0x00419262
0x00419265
0x0041926a
0x00419271
0x00419276
0x004193fd
0x00419403
0x0041940b
0x0041940b
0x004191f6
0x004191fc
0x00419201
0x00419206
0x0041920b
0x0041920b
0x00419211
0x00000000
0x00419213
0x00419217
0x0041921d
0x00419228
0x0041922b
0x00419231
0x00419233
0x00419238
0x0041923d
0x00419242
0x00419244
0x00419244
0x00419249
0x00419282
0x00419288
0x00419390
0x00419393
0x00419393
0x00419398
0x0041939a
0x0041939c
0x0041939e
0x0041939e
0x004193a1
0x004193a6
0x004193ab
0x004193ae
0x004193ae
0x004193b0
0x004193b5
0x004193ba
0x004193bd
0x004193bd
0x004193bf
0x004193c4
0x004193c6
0x004193c6
0x004193ca
0x004193d1
0x004193d3
0x004193d3
0x004193d9
0x004193df
0x004193e8
0x004193ea
0x004193ea
0x004193f0
0x004193f9
0x004193f9
0x004193fb
0x00000000
0x004193fb
0x00419296
0x004192a1
0x00419362
0x00419366
0x0041936e
0x00419371
0x00419379
0x00419387
0x00419387
0x00000000
0x004192b3
0x004192b3
0x004192b9
0x004192bc
0x0041938b
0x0041938b
0x00000000
0x0041938b
0x004192c5
0x004192d7
0x004192d9
0x004192de
0x004192e2
0x004192e9
0x004192e9
0x004192eb
0x004192ed
0x004192ed
0x004192f5
0x0041930a
0x00419315
0x00419322
0x00000000
0x00419328
0x0041932b
0x00000000
0x0041932b
0x00000000
0x00000000
0x00000000
0x004192f7
0x004192f9
0x00419330
0x00419333
0x00419339
0x00419342
0x00419344
0x00419344
0x0041934a
0x00419353
0x00419353
0x00419355
0x00419355
0x00000000
0x004192ff
0x0041932b
0x0041932b
0x0041932d
0x00000000
0x0041932d
0x004192f9
0x004192f5
0x00000000
0x00000000
0x00000000
0x00419249

APIs

__EH_prolog.LIBCMT ref: 0041919F
CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,00000000), ref: 004191CF
CreateFileMappingW.KERNELBASE(000000FF,00000000,00000002,00000000,00000000,00000000,?,00000000), ref: 004191F6
GetSystemInfo.KERNELBASE(?,?,00000000), ref: 00419217
MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,?,?,00000000), ref: 0041922B
GetLastError.KERNEL32(?,00000000), ref: 0041924B
IsBadReadPtr.KERNEL32(?,000000F8,?,00000000), ref: 00419299
UnmapViewOfFile.KERNEL32(?,?,00000000), ref: 004192C5
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,?,?,00000000), ref: 004192D1
UnmapViewOfFile.KERNEL32(?,?,00000000), ref: 004192E9
IsBadReadPtr.KERNEL32(?,000000F8,?,00000000), ref: 0041930D
UnmapViewOfFile.KERNEL32(?,?,00000000), ref: 0041932B
CloseHandle.KERNEL32(00000000,?,00000000), ref: 00419342
CloseHandle.KERNEL32(000000FF,?,00000000), ref: 00419353
UnmapViewOfFile.KERNEL32(?,?,00000000), ref: 004193D1
CloseHandle.KERNEL32(00000000,?,00000000), ref: 004193E8
CloseHandle.KERNEL32(000000FF,?,00000000), ref: 004193F9

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: File$View$CloseHandleUnmap$CreateRead$ErrorH_prologInfoLastMappingSystem
String ID:
API String ID: 3113575335-0
Opcode ID: ef878607647eba4915f4d228c7df1db7dc50f793ecaad8b1d6742ee74d3fcefb
Instruction ID: d98aeb024423ca084dbe03321319571a5cbc587566ab19fffe76ada0561d7445
Opcode Fuzzy Hash: ef878607647eba4915f4d228c7df1db7dc50f793ecaad8b1d6742ee74d3fcefb
Instruction Fuzzy Hash: 28811C7190021EEFCF20DF94C8A55FEBBB5BB08304F14456BE925A3290D7785E80CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040E759 Relevance: 24.6, APIs: 3, Strings: 11, Instructions: 109
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E0040E759(void* __eflags) {
				void* __esi;
				intOrPtr _t45;
				intOrPtr _t53;
				void* _t59;
				intOrPtr* _t76;
				void* _t85;
				void* _t91;
				void* _t93;
				intOrPtr _t94;
				intOrPtr _t95;
				intOrPtr* _t97;
				void* _t100;

				_t100 = __eflags;
				E0040E45D(); // executed
				__imp__#17();
				_push(_t91 - 2);
				 *((intOrPtr*)(_t91 - 0x34)) = 0x46757c;
				 *((intOrPtr*)(_t91 - 0x14)) = 0x467574;
				L00401C68(_t91 - 0x34);
				 *((char*)(L00401813(_t91 - 0x34, _t91 - 0x40, 0x104) + 4)) = 1;
				GetModuleFileNameW(0,  *(L00401E6C(_t36,  *_t36)), 0x104);
				L00401A9C(_t91 - 0x40);
				_push( *((intOrPtr*)(_t91 + 8)));
				E00431B36(); // executed
				_push(0);
				_push(_t91 - 0x8c);
				_t45 =  *((intOrPtr*)(L004056FB(_t91 - 0x34, 0, _t100) + 8));
				if(_t45 == 0) {
					_t45 = 0x467570;
				}
				_push(_t45);
				_push(L"EXE=%s");
				_t94 = _t93 - 0x28;
				 *((intOrPtr*)(_t91 - 8)) = _t94;
				L00401732(_t94, L"EXEProcessBegin", _t91 - 2, 1);
				_t95 = _t94 - 0x28;
				 *((intOrPtr*)(_t91 - 8)) = _t95;
				L00401732(_t95, L"ISSetupInit", _t91 - 1, 1);
				L00432D64();
				L0040125C(_t91 - 0x8c);
				L00401000(_t91 - 0x64);
				_t53 =  *((intOrPtr*)(_t91 + 0x10));
				_t97 = _t95 + 0x58 - 0x28;
				_t76 = _t97;
				_t102 = _t53;
				 *((intOrPtr*)(_t91 - 8)) = _t97;
				 *_t76 = 0x46757c;
				 *((intOrPtr*)(_t76 + 0x20)) = 0x467574;
				if(_t53 == 0) {
					_t53 = 0x47e150;
				}
				_push(0);
				_push(_t91 - 1);
				_push(_t53);
				L0040176A(_t76);
				 *((intOrPtr*)(_t91 + 0x10)) = _t97 - 0x28;
				L00401708(_t97 - 0x28, _t91 - 0x34, 1);
				_push( *((intOrPtr*)(_t91 + 8)));
				_push(_t91 - 0x64);
				_t59 = L0040F105(E0040E8AD(_t91 - 0x43c), _t102); // executed
				_t85 = _t59;
				E0040EACB(_t91 - 0x43c);
				L0040102D(_t91 - 0x64);
				L0040125C(_t91 - 0x34);
				if( *((intOrPtr*)(_t91 - 0xc)) >= 0) {
					__imp__CoUninitialize();
				}
				return _t85;
			}

0x0040e759
0x0040e759
0x0040e75e
0x0040e772
0x0040e776
0x0040e779
0x0040e77c
0x0040e795
0x0040e7a5
0x0040e7ae
0x0040e7b3
0x0040e7b6
0x0040e7c2
0x0040e7c3
0x0040e7cf
0x0040e7d4
0x0040e7d6
0x0040e7d6
0x0040e7db
0x0040e7dc
0x0040e7e1
0x0040e7e9
0x0040e7f4
0x0040e7f9
0x0040e801
0x0040e80c
0x0040e811
0x0040e81f
0x0040e827
0x0040e82c
0x0040e82f
0x0040e832
0x0040e834
0x0040e836
0x0040e839
0x0040e83b
0x0040e83e
0x0040e840
0x0040e840
0x0040e848
0x0040e849
0x0040e84a
0x0040e84b
0x0040e858
0x0040e85e
0x0040e863
0x0040e86f
0x0040e877
0x0040e882
0x0040e884
0x0040e88c
0x0040e894
0x0040e89c
0x0040e89e
0x0040e89e
0x0040e8aa

APIs

Part of subcall function 0040E45D: InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 0040E504
Part of subcall function 0040E45D: CreateWellKnownSid.ADVAPI32(0000001A,00000000,?,?), ref: 0040E52C
Part of subcall function 0040E45D: CreateWellKnownSid.ADVAPI32(00000017,00000000,?,?), ref: 0040E547
Part of subcall function 0040E45D: CreateWellKnownSid.ADVAPI32(00000018,00000000,?,?), ref: 0040E562
Part of subcall function 0040E45D: CreateWellKnownSid.ADVAPI32(00000010,00000000,?,?), ref: 0040E57D

#17.COMCTL32(?,00000000), ref: 0040E75E

Part of subcall function 00401C68: __EH_prolog.LIBCMT ref: 00401C6D
Part of subcall function 00401C68: GetLastError.KERNEL32(00467574,00000000,0046757C,?,0040E781,?,00000000,?,00000000), ref: 00401C96
Part of subcall function 00401C68: SetLastError.KERNEL32(?,00000000,?,0040E781,?,00000000,?,00000000), ref: 00401CC4

Part of subcall function 00401E6C: SysStringLen.OLEAUT32(?), ref: 00401E7A
Part of subcall function 00401E6C: SysReAllocStringLen.OLEAUT32(?,?,?), ref: 00401E96

GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,00000104,?,00000000,?,00000000), ref: 0040E7A5

Part of subcall function 00401A9C: __EH_prolog.LIBCMT ref: 00401AA1
Part of subcall function 00401A9C: GetLastError.KERNEL32(00467574,00000000), ref: 00401AAD
Part of subcall function 00401A9C: SetLastError.KERNEL32(00000000), ref: 00401B01

Part of subcall function 00431B36: __EH_prolog.LIBCMT ref: 00431B3B

Part of subcall function 004056FB: __EH_prolog.LIBCMT ref: 00405700

Part of subcall function 00432D64: __EH_prolog.LIBCMT ref: 00432D69

Part of subcall function 0040125C: __EH_prolog.LIBCMT ref: 00401261
Part of subcall function 0040125C: GetLastError.KERNEL32(000004B1,00000000,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 00401284
Part of subcall function 0040125C: SysFreeString.OLEAUT32(?), ref: 004012A2
Part of subcall function 0040125C: SetLastError.KERNEL32(?,00000001,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 004012C2

CoUninitialize.OLE32(?,?,?,00000001), ref: 0040E89E

Strings

Ph\nG, xrefs: 0040E7DB
P8, xrefs: 0040E86F
tuF, xrefs: 0040E76C
ISSetupInit, xrefs: 0040E807
puF, xrefs: 0040E7D6
PG, xrefs: 0040E840
EXE=%s, xrefs: 0040E7DC
|uF, xrefs: 0040E767
Ph$nG, xrefs: 0040E806
Ph<nG, xrefs: 0040E7EE
EXEProcessBegin, xrefs: 0040E7EF

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorH_prologLast$CreateKnownWell$String$AllocDescriptorFileFreeInitializeModuleNameSecurityUninitialize
String ID: EXE=%s$EXEProcessBegin$ISSetupInit$Ph$nG$Ph<nG$Ph\nG$P8$PG$puF$tuF$|uF
API String ID: 3798238771-1704349238
Opcode ID: d917c08008817e7127da51e108d882a9edb0a6db301e1952770ab5e8602e4713
Instruction ID: 15209428b2f2ad028752625c6de39a2cc3de179bd53ef4870b0e3646163fe8d9
Opcode Fuzzy Hash: d917c08008817e7127da51e108d882a9edb0a6db301e1952770ab5e8602e4713
Instruction Fuzzy Hash: 2B417F71D01208ABCB00FBA6C8869DE7B79EF44308F50447BF405B7291EB799A45CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00421393 Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 35%

			E00421393(void* __ecx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* _t27;
				intOrPtr _t28;
				intOrPtr _t29;
				void* _t30;
				void* _t57;
				void* _t61;
				void* _t63;

				_t69 = __eflags;
				L0043B644(E00462910, _t63);
				_push(L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce");
				_t57 = __ecx;
				_push(0x80000002); // executed
				_t27 = E00421686(__eflags); // executed
				_push(L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx");
				_push(0x80000002);
				_t28 = E00421686(__eflags); // executed
				_push(L"SYSTEM\\CurrentControlSet\\Control\\Session Manager\\FileRenameOperations");
				_push(0x80000002);
				 *((intOrPtr*)(_t63 - 0x14)) = _t28;
				_t29 = E00421686(__eflags); // executed
				 *((intOrPtr*)(_t63 - 0x18)) = _t29;
				_t30 = E00421722(_t57, _t69, 0x80000002, L"SYSTEM\\CurrentControlSet\\Control\\Session Manager", L"PendingFileRenameOperations"); // executed
				_push(L"rename");
				_push(L"[WindowsFolder]Wininit.ini");
				_t61 = _t30;
				 *((intOrPtr*)(_t63 - 0x1c)) = L004214BA(_t57, _t57);
				_push(0);
				_push(_t63 - 0xd);
				 *((intOrPtr*)(_t63 - 0x44)) = 0x4675d8;
				 *((intOrPtr*)(_t63 - 0x24)) = 0x4675d0;
				L0040B243(_t63 - 0x44);
				 *(_t63 - 4) =  *(_t63 - 4) & 0x00000000;
				if(_t27 <=  *((intOrPtr*)(_t57 + 0x3f0))) {
					__eflags =  *((intOrPtr*)(_t63 - 0x14)) -  *((intOrPtr*)(_t57 + 0x3f4));
					if(__eflags <= 0) {
						__eflags = _t61 -  *((intOrPtr*)(_t57 + 0x3f8));
						if(__eflags <= 0) {
							__eflags =  *((intOrPtr*)(_t63 - 0x18)) -  *((intOrPtr*)(_t57 + 0x3fc));
							if(__eflags <= 0) {
								__eflags =  *((intOrPtr*)(_t63 - 0x1c)) -  *((intOrPtr*)(_t57 + 0x400));
								if(__eflags > 0) {
									_push(L"Wininit.ini rename");
									goto L10;
								}
							} else {
								_push(L"FileRenameOperations");
								goto L10;
							}
						} else {
							_push(L"PendingFileRenameOperations");
							goto L10;
						}
					} else {
						_push(L"RunOnceEx");
						goto L10;
					}
				} else {
					_push(L"RunOnce");
					L10:
					_push(L"Reboot required - %s key added");
					_push(_t63 - 0x44);
					L0040AF38();
				}
				_t71 =  *((intOrPtr*)(_t63 - 0x38));
				if( *((intOrPtr*)(_t63 - 0x38)) == 0) {
					__eflags = 0;
				} else {
					_push(0);
					_push(1);
					_pop(0);
					_push(0);
					_push(_t63 - 0x44);
					L0042189A(0, _t57, _t71);
				}
				 *(_t63 - 4) =  *(_t63 - 4) | 0xffffffff;
				E004061C1(_t63 - 0x44);
				 *[fs:0x0] =  *((intOrPtr*)(_t63 - 0xc));
				return 0;
			}

0x00421393
0x00421398
0x004213a8
0x004213ad
0x004213af
0x004213b0
0x004213b5
0x004213ba
0x004213bf
0x004213c4
0x004213c9
0x004213cc
0x004213cf
0x004213e1
0x004213e4
0x004213e9
0x004213ee
0x004213f5
0x004213fc
0x00421402
0x00421404
0x00421408
0x0042140f
0x00421416
0x0042141b
0x00421425
0x00421431
0x00421437
0x00421440
0x00421446
0x00421452
0x00421458
0x00421464
0x0042146a
0x0042146c
0x00000000
0x0042146c
0x0042145a
0x0042145a
0x00000000
0x0042145a
0x00421448
0x00421448
0x00000000
0x00421448
0x00421439
0x00421439
0x00000000
0x00421439
0x00421427
0x00421427
0x00421471
0x00421474
0x00421479
0x0042147a
0x0042147f
0x00421482
0x00421486
0x0042149b
0x00421488
0x00421488
0x0042148a
0x0042148c
0x00421490
0x00421491
0x00421494
0x00421494
0x0042149d
0x004214a4
0x004214b1
0x004214b9

APIs

__EH_prolog.LIBCMT ref: 00421398

Part of subcall function 00421686: __EH_prolog.LIBCMT ref: 0042168B
Part of subcall function 00421686: RegEnumValueW.KERNELBASE(?,00000000,?,00000104,00000000,00000000,00000000,00000000), ref: 004216DA
Part of subcall function 00421686: RegCloseKey.ADVAPI32(?,00000000,00020019,?), ref: 0042170B

Part of subcall function 00421722: RegQueryValueExW.KERNELBASE(?,?,00000000,?,00000000,?,?,?,00020019), ref: 00421753
Part of subcall function 00421722: RegCloseKey.ADVAPI32(00000000,?,?,00020019), ref: 0042176F

Part of subcall function 004214BA: __EH_prolog.LIBCMT ref: 004214BF

Part of subcall function 0040B243: __EH_prolog.LIBCMT ref: 0040B248
Part of subcall function 0040B243: GetLastError.KERNEL32(?,?,00000000,?,0040A625,?,00000000,?,?,0040F157,C:\CodeBases\isdev\src\Runtime\InstallScript\SetupNew\setup.cpp,?,00000001,00467574,00000000,0046757C), ref: 0040B271
Part of subcall function 0040B243: SetLastError.KERNEL32(?,00000000,?,00000000,?,0040A625,?,00000000,?,?,0040F157,C:\CodeBases\isdev\src\Runtime\InstallScript\SetupNew\setup.cpp,?,00000001,00467574,00000000), ref: 0040B29F

Strings

[WindowsFolder]Wininit.ini, xrefs: 004213EE
Wininit.ini rename, xrefs: 0042146C
RunOnce, xrefs: 00421427
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 004213A8
SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 004213D9
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx, xrefs: 004213B5
RunOnceEx, xrefs: 00421439
PendingFileRenameOperations, xrefs: 004213D4, 00421448
Reboot required - %s key added, xrefs: 00421474
rename, xrefs: 004213E9
SYSTEM\CurrentControlSet\Control\Session Manager\FileRenameOperations, xrefs: 004213C4
FileRenameOperations, xrefs: 0042145A

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: H_prolog$CloseErrorLastValue$EnumQuery
String ID: FileRenameOperations$PendingFileRenameOperations$Reboot required - %s key added$RunOnce$RunOnceEx$SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce$SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx$SYSTEM\CurrentControlSet\Control\Session Manager$SYSTEM\CurrentControlSet\Control\Session Manager\FileRenameOperations$Wininit.ini rename$[WindowsFolder]Wininit.ini$rename
API String ID: 323153067-749191870
Opcode ID: b618247505b0eb66d8ab6c888a21456e6ad832e07df9afa472a5e942ed1e6a08
Instruction ID: 5a6a060e638bdc520eae3cdf7c4863b7f5a764f282be0921b48db8ccac0b53f3
Opcode Fuzzy Hash: b618247505b0eb66d8ab6c888a21456e6ad832e07df9afa472a5e942ed1e6a08
Instruction Fuzzy Hash: 5D31E970F80215B7CB14FAA59986BEDB3B8EB60704FA0811BF409B3291D7BC6D05869D

Uniqueness

Uniqueness Score: -1.00%

Function 0042F45D Relevance: 21.1, APIs: 5, Strings: 7, Instructions: 122
registryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E0042F45D(void* __edi, void* __eflags) {
				short* _t54;
				long _t55;
				void* _t56;
				short* _t64;
				long _t65;
				intOrPtr* _t67;
				char** _t68;
				void* _t92;
				long _t93;
				short* _t95;
				intOrPtr* _t97;
				void* _t100;

				_t92 = __edi;
				L0043B644(0x463e0f, _t100);
				 *((intOrPtr*)(_t100 - 0x1c)) = 0;
				_push(0);
				_push(_t100 - 0xd);
				 *((intOrPtr*)(_t100 - 4)) = 3;
				 *((intOrPtr*)(_t100 - 0x50)) = 0x46757c;
				 *((intOrPtr*)(_t100 - 0x30)) = 0x467574;
				L00401C68(_t100 - 0x50);
				 *(_t100 - 0x14) = 0;
				_t54 =  *(_t100 + 0x18);
				 *((char*)(_t100 - 4)) = 5;
				if(_t54 == 0) {
					_t54 = 0x467570;
				}
				 *(_t100 - 0x18) = 0;
				_t55 = RegOpenKeyExW( *(_t100 + 0xc), _t54, 0,  *(_t100 + 0x88), _t100 - 0x18); // executed
				if(_t55 == 0) {
					_t55 = L00409079(_t100 - 0x14);
					 *(_t100 - 0x14) =  *(_t100 - 0x18);
				}
				_push(_t92);
				_t93 = _t55;
				if(_t55 == 0) {
					_t64 =  *(_t100 + 0x40);
					if(_t64 == 0) {
						_t64 = 0x467570;
					}
					_t65 = RegQueryValueExW( *(_t100 - 0x14), _t64, 0, _t100 - 0x18, 0, _t100 + 0x88); // executed
					_t93 = _t65;
					if(_t93 == 0) {
						_t95 =  *(_t100 + 0x40);
						if(_t95 == 0) {
							_t95 = 0x467570;
						}
						_t24 = _t100 - 0x50; // 0x46757c
						_t67 = L00401813(_t24, _t100 - 0x28,  *(_t100 + 0x88));
						 *((char*)(_t100 - 4)) = 6;
						 *((char*)(_t67 + 4)) = 1;
						_t68 = L00401E6C(_t67,  *_t67);
						 *(_t100 + 0xc) = 0;
						_t93 = RegQueryValueExW( *(_t100 - 0x14), _t95, 0, _t100 + 0xc,  *_t68, _t100 + 0x88);
						 *((char*)(_t100 - 4)) = 5;
						L00401A9C(_t100 - 0x28);
					}
				}
				 *0x47e3d4 = _t93;
				_t33 = _t100 - 0x50; // 0x46757c
				_t56 = _t33;
				if(_t93 != 0) {
					_t56 = _t100 + 0x60;
				}
				_t97 =  *((intOrPtr*)(_t100 + 8));
				_push(0);
				_push(_t56);
				 *_t97 = 0x46757c;
				 *((intOrPtr*)(_t97 + 0x20)) = 0x467574;
				L00401CDD(_t97);
				 *((intOrPtr*)(_t100 - 0x1c)) = 1;
				if( *(_t100 - 0x14) != 0) {
					RegCloseKey( *(_t100 - 0x14));
					 *(_t100 - 0x14) = 0;
				}
				_t41 = _t100 - 0x50; // 0x46757c
				 *((char*)(_t100 - 4)) = 3;
				L0040125C(_t41);
				 *((char*)(_t100 - 4)) = 2;
				L0040125C(_t100 + 0x10);
				 *((char*)(_t100 - 4)) = 1;
				L0040125C(_t100 + 0x38);
				 *((char*)(_t100 - 4)) = 0;
				L0040125C(_t100 + 0x60);
				 *[fs:0x0] =  *((intOrPtr*)(_t100 - 0xc));
				return _t97;
			}

0x0042f45d
0x0042f462
0x0042f46e
0x0042f474
0x0042f475
0x0042f479
0x0042f480
0x0042f487
0x0042f48e
0x0042f493
0x0042f496
0x0042f499
0x0042f49f
0x0042f4a1
0x0042f4a1
0x0042f4a9
0x0042f4b8
0x0042f4c0
0x0042f4c5
0x0042f4cd
0x0042f4cd
0x0042f4d0
0x0042f4d3
0x0042f4d5
0x0042f4d7
0x0042f4dc
0x0042f4de
0x0042f4de
0x0042f4fa
0x0042f4fc
0x0042f500
0x0042f502
0x0042f507
0x0042f509
0x0042f509
0x0042f517
0x0042f51b
0x0042f522
0x0042f526
0x0042f52a
0x0042f53c
0x0042f54a
0x0042f54c
0x0042f550
0x0042f550
0x0042f500
0x0042f555
0x0042f55e
0x0042f55e
0x0042f561
0x0042f563
0x0042f563
0x0042f566
0x0042f569
0x0042f56a
0x0042f56d
0x0042f573
0x0042f57a
0x0042f57f
0x0042f589
0x0042f58e
0x0042f594
0x0042f594
0x0042f597
0x0042f59a
0x0042f59e
0x0042f5a6
0x0042f5aa
0x0042f5b2
0x0042f5b6
0x0042f5be
0x0042f5c1
0x0042f5cd
0x0042f5d5

APIs

__EH_prolog.LIBCMT ref: 0042F462

Part of subcall function 00401C68: __EH_prolog.LIBCMT ref: 00401C6D
Part of subcall function 00401C68: GetLastError.KERNEL32(00467574,00000000,0046757C,?,0040E781,?,00000000,?,00000000), ref: 00401C96
Part of subcall function 00401C68: SetLastError.KERNEL32(?,00000000,?,0040E781,?,00000000,?,00000000), ref: 00401CC4

RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?,?,00000000,00467574,ISlogit), ref: 0042F4B8
RegQueryValueExW.KERNELBASE(0043D41C,?,00000000,?,00000000,?,0046757C), ref: 0042F4FA
RegQueryValueExW.ADVAPI32(0043D41C,?,00000000,?,?,?,?,?), ref: 0042F545
RegCloseKey.ADVAPI32(0043D41C,|uF,00000000), ref: 0042F58E

Strings

ISlogit, xrefs: 0042F46A
puF, xrefs: 0042F4DE
|uF, xrefs: 0042F517
tuF, xrefs: 0042F573
tuF, xrefs: 0042F487
puF, xrefs: 0042F509
puF, xrefs: 0042F4A1

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorH_prologLastQueryValue$CloseOpen
String ID: ISlogit$puF$puF$puF$tuF$tuF$|uF
API String ID: 380463501-1708496979
Opcode ID: be7c6011147f6f9ff38b500df7e216da6865174299ba953723bd44c0651b9b05
Instruction ID: 98b49663a27b1fdfa938125dba1a87e00d15c21e5714260dbd5a0b0e067741e6
Opcode Fuzzy Hash: be7c6011147f6f9ff38b500df7e216da6865174299ba953723bd44c0651b9b05
Instruction Fuzzy Hash: 584160B1900249AFDF11DF94C885AEEBB78FB14348F50407EE406A7251EB749E48CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0045D83C Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 139
fileCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E0045D83C(void* __edx, void* __esi, long _a4, void* _a8, char _a12, intOrPtr _a16, intOrPtr _a20) {
				intOrPtr _v8;
				long _v12;
				long _v16;
				char _v20;
				void* _v24;
				void* _v28;
				long _v32;
				void* _t47;
				void* _t55;
				void* _t57;
				intOrPtr* _t60;
				char _t67;
				void* _t72;
				signed int _t74;
				void* _t76;
				void* _t82;
				long _t85;
				void* _t87;
				intOrPtr _t88;
				intOrPtr _t101;

				_t82 = __edx;
				_t1 =  &_v20; // 0x467570
				_t2 =  &_a12; // 0x467570
				_v20 = 0x7863513;
				_v8 = L0045D9D0(_a8,  *_t2, _t1, 4);
				_t47 = CreateFileW(_a4, 0xc0000000, 1, 0, 3, 0x80, 0); // executed
				_t72 = _t47;
				_v28 = _t72;
				if(_t72 == 0xffffffff) {
					L18:
					E0043AE17(_v8);
					return 0;
				}
				_a4 = 0;
				_v12 = 0;
				_v16 = 0;
				L0045DA0E( &_v12,  &_v16, _a20);
				_t85 = GetFileSize(_t72,  &_a4);
				_t55 = CreateFileMappingW(_t72, 0, _v12, _a4, _t85, 0); // executed
				_v24 = _t55;
				if(_t55 == 0) {
					L17:
					CloseHandle(_v28);
					goto L18;
				}
				_t57 = MapViewOfFile(_t55, _v16, 0, 0, 0); // executed
				_a8 = _t57;
				if(_t57 == 0) {
					L16:
					FindCloseChangeNotification(_v24); // executed
					goto L17;
				}
				_t76 = 0;
				_t74 = _a4 | _t85;
				_t87 = 0;
				_v32 = 0;
				if(0 < 0 || 0 <= 0 && _t74 <= 0) {
					L12:
					_t88 = _a20;
					if(_t88 != 0) {
						_t60 =  *((intOrPtr*)(_t88 + 4));
						if(_t60 != 0) {
							 *((intOrPtr*)(_t88 + 0xc)) =  *_t60(_a8, _t74, _t76,  *((intOrPtr*)(_t88 + 8)));
						}
					}
					_push(1);
					_pop(0);
					UnmapViewOfFile(_a8);
					goto L16;
				} else {
					do {
						asm("cdq");
						_push(_t82);
						_push(_a12);
						_push(_v32);
						_push(_t87);
						if(_a16 == 0) {
							_t67 = L0045D9BB( *((intOrPtr*)(_t87 + _a8)),  *((intOrPtr*)(L0043D910() + _v8)));
						} else {
							_t67 = L0045D9A6( *((intOrPtr*)(_t87 + _a8)),  *((intOrPtr*)(L0043D910() + _v8)));
						}
						 *((char*)(_t87 + _a8)) = _t67;
						_t87 = _t87 + 1;
						asm("adc [ebp-0x1c], edi");
						_t76 = 0;
						_t101 = _v32;
					} while (_t101 < 0 || _t101 <= 0 && _t87 < _t74);
					goto L12;
				}
			}

0x0045d83c
0x0045d844
0x0045d84c
0x0045d84f
0x0045d861
0x0045d877
0x0045d87d
0x0045d882
0x0045d885
0x0045d997
0x0045d99a
0x0045d9a5
0x0045d9a5
0x0045d892
0x0045d895
0x0045d898
0x0045d8a0
0x0045d8b3
0x0045d8bf
0x0045d8c7
0x0045d8ca
0x0045d98d
0x0045d990
0x00000000
0x0045d996
0x0045d8d7
0x0045d8df
0x0045d8e2
0x0045d984
0x0045d987
0x00000000
0x0045d987
0x0045d8eb
0x0045d8ed
0x0045d8ef
0x0045d8f3
0x0045d8f6
0x0045d95a
0x0045d95a
0x0045d95f
0x0045d961
0x0045d966
0x0045d975
0x0045d975
0x0045d966
0x0045d978
0x0045d97a
0x0045d97e
0x00000000
0x0045d8fe
0x0045d8fe
0x0045d904
0x0045d905
0x0045d906
0x0045d907
0x0045d90a
0x0045d90b
0x0045d93a
0x0045d90d
0x0045d920
0x0045d920
0x0045d944
0x0045d947
0x0045d94a
0x0045d94d
0x0045d94f
0x0045d94f
0x00000000
0x0045d8fe

APIs

CreateFileW.KERNELBASE(?,C0000000,00000001,00000000,00000003,00000080,00000000,?,?,?,00000000,?,00416123,?,00467570,00467570), ref: 0045D877
GetFileSize.KERNEL32(00000000,?,?,?,761B6980,?,?,?,00000000,?,00416123,?,00467570,00467570,00000000,00000001), ref: 0045D8AD
CreateFileMappingW.KERNELBASE(00000000,00000000,?,?,00000000,00000000,?,?,761B6980,?,?,?,00000000,?,00416123,?), ref: 0045D8BF
MapViewOfFile.KERNELBASE(00000000,?,00000000,00000000,00000000,?,?,761B6980,?,?,?,00000000,?,00416123,?,00467570), ref: 0045D8D7
__allrem.LIBCMT ref: 0045D90D
__allrem.LIBCMT ref: 0045D927
UnmapViewOfFile.KERNEL32(?,?,?,761B6980,?,?,?,00000000,?,00416123,?,00467570,00467570,00000000,00000001), ref: 0045D97E
FindCloseChangeNotification.KERNELBASE(?,?,?,761B6980,?,?,?,00000000,?,00416123,?,00467570,00467570,00000000,00000001), ref: 0045D987
CloseHandle.KERNEL32(?,?,?,761B6980,?,?,?,00000000,?,00416123,?,00467570,00467570,00000000,00000001), ref: 0045D990

Strings

puF, xrefs: 0045D84C
puF, xrefs: 0045D844, 0045D849

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: File$CloseCreateView__allrem$ChangeFindHandleMappingNotificationSizeUnmap
String ID: puF$puF
API String ID: 51985612-1259210721
Opcode ID: 14f64ba42120dd9b2b0de8c8904ee1e1a98b683e80a01260ca246d0a5367f04a
Instruction ID: cde1025324d3e8a46b5b1291910e1a3a8185f2ea8edf70cd1f9688d289ad3624
Opcode Fuzzy Hash: 14f64ba42120dd9b2b0de8c8904ee1e1a98b683e80a01260ca246d0a5367f04a
Instruction Fuzzy Hash: 6341ACB1D00249BFCF219FA5DC45DAFBFB9EF85311F10402AFD25A6262D6359A40CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0042B4CE Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 128
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E0042B4CE(void* __ecx, void* __eflags) {
				WCHAR* _t56;
				struct HFONT__* _t60;
				void* _t69;
				WCHAR* _t70;
				void* _t76;
				void* _t93;
				signed int* _t108;
				void* _t111;
				void* _t113;
				signed int _t125;

				L0043B644(0x463754, _t113);
				_t111 = __ecx;
				E004038F3( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0xc)) + 4)) + 4)) + 0x2c))(), _t113 - 0x38); // executed
				 *(_t113 - 4) = 0;
				if( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0xc)) + 0xdc)) == 0) {
					L2:
					GetObjectW(SendDlgItemMessageW( *(_t111 + 4), 0x34, 0x31, 0, 0), 0x5c, _t113 - 0xbc);
					 *((intOrPtr*)(_t113 - 0xac)) = 0x2bc;
					L00401A1E(_t111 + 0x44, _t113 - 0x38);
					_t56 =  *(_t111 + 0x4c);
					if(_t56 == 0) {
						_t56 = 0x467570;
					}
					lstrcpyW(_t113 - 0xa0, _t56);
					_t60 = CreateFontIndirectW(_t113 - 0xbc);
					 *(_t113 - 0x10) = _t60;
					_t108 =  *((intOrPtr*)(_t111 + 0xc)) + 0xdc;
					_t93 =  *_t108;
					if(_t93 != _t60) {
						if(_t93 != 0 && DeleteObject != 0) {
							DeleteObject(_t93);
							 *_t108 =  *_t108 & 0x00000000;
							_t125 =  *_t108;
						}
						 *_t108 =  *(_t113 - 0x10);
					}
					L9:
					SendDlgItemMessageW( *(_t111 + 4), 0x34, 0x30,  *( *((intOrPtr*)(_t111 + 0xc)) + 0xdc), 1);
					_t69 = E00403E82( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t111 + 0xc)) + 4)) + 4)) + 0x2c))(_t113 - 0x60, 0x72b), _t125); // executed
					_t70 =  *(_t69 + 8);
					if(_t70 == 0) {
						_t70 = 0x467570;
					}
					SetDlgItemTextW( *(_t111 + 4), 0xc, _t70); // executed
					L0040125C(_t113 - 0x60);
					EnableWindow(GetDlgItem( *(_t111 + 4), 0xc),  *( *((intOrPtr*)(_t111 + 0xc)) + 0xd8) & 0x000000ff); // executed
					 *(_t113 - 4) =  *(_t113 - 4) | 0xffffffff;
					L0040125C(_t113 - 0x38);
					_t76 = 1;
					 *[fs:0x0] =  *((intOrPtr*)(_t113 - 0xc));
					return _t76;
				}
				asm("sbb eax, eax");
				asm("sbb ecx, ecx");
				if(L00402DE6( ~(_t113 - 0x38) & _t113 - 0x00000034,  ~(__ecx + 0x44) & __ecx + 0x00000048) == 0) {
					goto L9;
				}
				goto L2;
			}

0x0042b4d3
0x0042b4e0
0x0042b4f7
0x0042b50d
0x0042b512
0x0042b53a
0x0042b54f
0x0042b55c
0x0042b566
0x0042b56b
0x0042b570
0x0042b572
0x0042b572
0x0042b57f
0x0042b58c
0x0042b595
0x0042b598
0x0042b59e
0x0042b5a2
0x0042b5a6
0x0042b5b2
0x0042b5b4
0x0042b5b4
0x0042b5b4
0x0042b5ba
0x0042b5ba
0x0042b5bc
0x0042b5cf
0x0042b5ea
0x0042b5ef
0x0042b5f4
0x0042b5f6
0x0042b5f6
0x0042b601
0x0042b60a
0x0042b626
0x0042b62c
0x0042b633
0x0042b63d
0x0042b641
0x0042b649
0x0042b649
0x0042b51c
0x0042b529
0x0042b534
0x00000000
0x00000000
0x00000000

APIs

__EH_prolog.LIBCMT ref: 0042B4D3
SendDlgItemMessageW.USER32 ref: 0042B543
GetObjectW.GDI32(00000000,0000005C,?), ref: 0042B54F
lstrcpyW.KERNEL32 ref: 0042B57F
CreateFontIndirectW.GDI32(?), ref: 0042B58C
SendDlgItemMessageW.USER32 ref: 0042B5CF
SetDlgItemTextW.USER32 ref: 0042B601
GetDlgItem.USER32 ref: 0042B614
KiUserCallbackDispatcher.NTDLL(00000000,?), ref: 0042B626

Strings

puF, xrefs: 0042B5F6
puF, xrefs: 0042B572

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: Item$MessageSend$CallbackCreateDispatcherFontH_prologIndirectObjectTextUserlstrcpy
String ID: puF$puF
API String ID: 917695708-1259210721
Opcode ID: cb96a394491934d7aa1d01201a3a1453bb61ebf248b26e7e7bb56c7fc16ab84e
Instruction ID: 8f0b8f0fb4bb40e91c3f67d509fcb26cb1696836f4a39ea93e70d5a26caed20a
Opcode Fuzzy Hash: cb96a394491934d7aa1d01201a3a1453bb61ebf248b26e7e7bb56c7fc16ab84e
Instruction Fuzzy Hash: 93413B71600215AFDB14DBA4DC85FAAB7F8EF04308F00856EF55AEB6A1EB74E944CB14

Uniqueness

Uniqueness Score: -1.00%

Function 0042D8B5 Relevance: 17.8, APIs: 3, Strings: 7, Instructions: 303
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0042D8B5(void* __edx, void* __eflags) {
				void* _t116;
				signed int _t119;
				signed int _t120;
				signed int _t122;
				signed int _t128;
				signed int _t134;
				void* _t136;
				signed int _t137;
				signed int _t138;
				void* _t148;
				long _t149;
				intOrPtr _t152;
				void* _t155;
				long _t173;
				signed int _t180;
				intOrPtr* _t207;
				intOrPtr* _t211;
				intOrPtr* _t213;
				void* _t214;
				signed int _t217;
				signed int _t221;
				signed int _t222;
				signed int _t223;
				void* _t227;
				void* _t229;
				intOrPtr _t230;
				signed int _t231;
				void* _t232;
				signed int _t233;
				void* _t234;
				void* _t235;
				void* _t236;
				void* _t237;
				intOrPtr* _t238;
				intOrPtr* _t241;
				intOrPtr* _t243;
				void* _t245;

				_t245 = __eflags;
				_t214 = __edx;
				L0043B644(0x463ba2, _t227);
				_t230 = _t229 - 0xfc;
				 *((intOrPtr*)(_t227 - 0x10)) = _t230;
				 *(_t227 - 4) = 0;
				_t231 = _t230 - 0x28;
				 *(_t227 - 0x14) = _t231;
				_t180 = _t231;
				_push(0);
				 *0x47e3d4 = 0;
				_push(_t227 + 0x30);
				 *(_t227 - 4) = 2;
				 *_t180 = 0x46757c;
				 *((intOrPtr*)(_t180 + 0x20)) = 0x467574;
				L00401CDD(_t180); // executed
				_t116 = E0042DF10(_t180, _t245); // executed
				_t232 = _t231 + 0x28;
				_t246 = _t116;
				if(_t116 != 0) {
					_push(0xc);
					_t233 = _t232 - 0x28;
					 *(_t227 - 0x14) = _t233;
					_push(0);
					_push(0);
					_push(_t233);
					L00401840(_t227 + 0x30, __eflags); // executed
					_t119 = E0042CFBE(); // executed
					_t234 = _t233 + 0x2c;
					__eflags = _t119;
					if(_t119 != 0) {
						_t120 =  *(_t227 + 0x10);
						__eflags = _t120;
						if(_t120 == 0) {
							_t120 = 0x467570;
						}
						_t217 = 0xffffffffffffffff;
						L0042D88F(6, _t120, 0xffffffffffffffff, 0xffffffffffffffff);
						_t122 =  *(_t227 + 0x38);
						_t235 = _t234 + 0x10;
						__eflags = _t122;
						if(_t122 == 0) {
							_t122 = 0x467570;
						}
						L0042D88F(5, _t122, _t217, _t217);
						_t236 = _t235 + 0x10;
						while(1) {
							L9:
							 *(_t227 - 0x14) = _t217;
							 *((intOrPtr*)(_t227 - 0x1c)) = 0;
							 *((intOrPtr*)(_t227 - 0x18)) = 0;
							L00412E5D(_t227 - 0x68, __eflags);
							_push(0);
							_push(_t227 + 8);
							 *(_t227 - 4) = 3;
							 *((intOrPtr*)(_t227 - 0xe0)) = 0x4675a0;
							 *((intOrPtr*)(_t227 - 0xc0)) = 0x467598;
							L00401CDD(_t227 - 0xe0);
							_push(0);
							_push(0);
							_push(3);
							_push(0x80);
							_push(1);
							_push(0x80000000);
							_push(_t227 - 0xe0);
							 *(_t227 - 4) = 4;
							_t128 = E00412F07(_t227 - 0x68, __eflags); // executed
							_t221 = _t128;
							 *(_t227 - 4) = 3;
							L0040125C(_t227 - 0xe0);
							__eflags = _t221;
							if(_t221 != 0) {
								break;
							}
							__eflags =  *0x47e3f8; // 0x0
							if(__eflags != 0) {
								 *(_t227 - 4) = 6;
								L0042D88F(7, 0, L0041EEA2(_t227 - 0x68), _t214);
								_t236 = _t236 + 0x10;
								 *(_t227 - 4) = 3;
							}
							L00412E5D(_t227 - 0xb8, __eflags);
							_push(0);
							_push(_t227 + 0x30);
							 *(_t227 - 4) = 9;
							 *((intOrPtr*)(_t227 - 0x108)) = 0x4675a0;
							 *((intOrPtr*)(_t227 - 0xe8)) = 0x467598;
							L00401CDD(_t227 - 0x108);
							_push(0);
							_push(0);
							_push(2);
							_push(0x80);
							_push(1);
							_push(0x40000000);
							_push(_t227 - 0x108);
							 *(_t227 - 4) = 0xa;
							_t134 = E00412F07(_t227 - 0xb8, __eflags); // executed
							_t222 = _t134;
							 *(_t227 - 4) = 9;
							L0040125C(_t227 - 0x108);
							__eflags = _t222;
							if(_t222 == 0) {
								_t136 = L0042D88F(0, 0, _t217, _t217);
								_t237 = _t236 + 0x10;
								__eflags = _t136 - 2;
								if(_t136 != 2) {
									_t137 = L0043BC14( *((intOrPtr*)(_t227 + 0x58)));
									__eflags = _t137;
									_t72 = _t227 - 0x24;
									 *_t72 = _t137 != 0;
									__eflags =  *_t72;
									 *(_t227 - 0x20) = _t137;
									do {
										 *(_t227 - 4) = 0x10;
										_t138 = E0041B498(_t227 - 0x68,  *(_t227 - 0x20),  *((intOrPtr*)(_t227 + 0x58))); // executed
										_t223 = _t138;
										__eflags = _t223 - _t217;
										 *(_t227 - 4) = 0xf;
										if(_t223 != _t217) {
											__eflags = _t223;
											if(_t223 != 0) {
												goto L23;
											}
										}
										L25:
										__eflags =  *(_t227 - 0x24);
										if( *(_t227 - 0x24) != 0) {
											E0043AE17( *(_t227 - 0x20));
										}
										 *((intOrPtr*)(_t227 - 0xb8)) = 0x467ef8;
										 *(_t227 - 4) = 0x12;
										E004134DD(_t227 - 0xb8); // executed
										 *(_t227 - 4) = 3;
										L0040125C(_t227 - 0xac);
										 *((intOrPtr*)(_t227 - 0x68)) = 0x467ef8;
										 *(_t227 - 4) = 0x13;
										E004134DD(_t227 - 0x68);
										 *(_t227 - 4) = 2;
										L0040125C(_t227 - 0x5c);
										__eflags = _t223 - _t217;
										_t148 = L0042D88F(((0 | _t223 == _t217) - 0x00000001 & 0x000000fe) + 3, 0,  *((intOrPtr*)(_t227 - 0x1c)),  *((intOrPtr*)(_t227 - 0x18)));
										_t236 = _t237 + 0x10;
										__eflags = _t148 - 4;
										if(__eflags == 0) {
											goto L9;
										} else {
											_t149 = GetLastError();
											__eflags = _t223 - _t217;
											 *0x47e3d4 = _t149;
											 *(_t227 - 4) = 0;
											 *((char*)(_t227 + 0x5b)) = _t223 != _t217;
											L0040125C(_t227 + 8);
											 *(_t227 - 4) = _t217;
											L0040125C(_t227 + 0x30);
											_t152 =  *((intOrPtr*)(_t227 + 0x5b));
										}
										goto L31;
										L23:
										E004317E3(_t227 - 0xb8,  *(_t227 - 0x20), _t223); // executed
										 *((intOrPtr*)(_t227 - 0x1c)) =  *((intOrPtr*)(_t227 - 0x1c)) + _t223;
										asm("adc [ebp-0x18], ebx");
										_t155 = L0042D88F(4, 0,  *((intOrPtr*)(_t227 - 0x1c)),  *((intOrPtr*)(_t227 - 0x18)));
										_t237 = _t237 + 0x10;
										__eflags = _t155 - 2;
									} while (_t155 != 2);
									_t223 = _t217;
									goto L25;
								} else {
									 *((intOrPtr*)(_t227 - 0xb8)) = 0x467ef8;
									 *(_t227 - 4) = 0xd;
									E004134DD(_t227 - 0xb8);
									 *(_t227 - 4) = 3;
									L0040125C(_t227 - 0xac);
									 *((intOrPtr*)(_t227 - 0x68)) = 0x467ef8;
									 *(_t227 - 4) = 0xe;
									goto L18;
								}
							} else {
								_t238 = _t236 - 0x28;
								 *((intOrPtr*)(_t227 + 0x58)) = _t238;
								_t207 = _t238;
								_push(0);
								 *0x47e3d4 = _t222;
								_push(_t227 + 0x30);
								 *_t207 = 0x46757c;
								 *((intOrPtr*)(_t207 + 0x20)) = 0x467574;
								L00401CDD(_t207);
								L0042D43D(__eflags);
								 *((intOrPtr*)(_t227 - 0xb8)) = 0x467ef8;
								 *(_t227 - 4) = 0xb;
								E004134DD(_t227 - 0xb8);
								 *(_t227 - 4) = 3;
								L0040125C(_t227 - 0xac);
								 *((intOrPtr*)(_t227 - 0x68)) = 0x467ef8;
								 *(_t227 - 4) = 0xc;
								L18:
								E004134DD(_t227 - 0x68);
								 *(_t227 - 4) = 2;
								L0040125C(_t227 - 0x5c);
								 *(_t227 - 4) = 0;
								L0040125C(_t227 + 8);
								 *(_t227 - 4) = _t217;
								goto L30;
							}
							goto L31;
						}
						_t241 = _t236 - 0x28;
						 *((intOrPtr*)(_t227 + 0x58)) = _t241;
						_t211 = _t241;
						_push(0);
						 *0x47e3d4 = _t221;
						_push(_t227 + 8);
						 *_t211 = 0x46757c;
						 *((intOrPtr*)(_t211 + 0x20)) = 0x467574;
						L00401CDD(_t211);
						L0042D43D(__eflags);
						 *((intOrPtr*)(_t227 - 0x68)) = 0x467ef8;
						 *(_t227 - 4) = 5;
						goto L18;
					} else {
						goto L3;
					}
				} else {
					_t173 = GetLastError();
					_t243 = _t232 - 0x28;
					 *0x47e3d4 = _t173;
					 *((intOrPtr*)(_t227 + 0x58)) = _t243;
					_t213 = _t243;
					_push(0);
					_push(_t227 + 0x30);
					 *_t213 = 0x46757c;
					 *((intOrPtr*)(_t213 + 0x20)) = 0x467574;
					L00401CDD(_t213);
					L0042D43D(_t246);
					L3:
					 *(_t227 - 4) = 0;
					L0040125C(_t227 + 8);
					 *(_t227 - 4) =  *(_t227 - 4) | 0xffffffff;
					L30:
					L0040125C(_t227 + 0x30);
					_t152 = 0;
				}
				L31:
				 *[fs:0x0] =  *((intOrPtr*)(_t227 - 0xc));
				return _t152;
			}

0x0042d8b5
0x0042d8b5
0x0042d8ba
0x0042d8bf
0x0042d8c8
0x0042d8cd
0x0042d8d0
0x0042d8d6
0x0042d8d9
0x0042d8e5
0x0042d8e6
0x0042d8ec
0x0042d8ed
0x0042d8f1
0x0042d8f3
0x0042d8f6
0x0042d8fb
0x0042d900
0x0042d903
0x0042d905
0x0042d933
0x0042d938
0x0042d93d
0x0042d940
0x0042d941
0x0042d942
0x0042d943
0x0042d948
0x0042d94d
0x0042d950
0x0042d952
0x0042d95c
0x0042d95f
0x0042d961
0x0042d963
0x0042d963
0x0042d968
0x0042d970
0x0042d975
0x0042d978
0x0042d97b
0x0042d97d
0x0042d97f
0x0042d97f
0x0042d989
0x0042d98e
0x0042d991
0x0042d991
0x0042d994
0x0042d997
0x0042d99a
0x0042d99d
0x0042d9a5
0x0042d9a6
0x0042d9ad
0x0042d9b1
0x0042d9bb
0x0042d9c5
0x0042d9ca
0x0042d9cb
0x0042d9cc
0x0042d9ce
0x0042d9d3
0x0042d9db
0x0042d9e0
0x0042d9e4
0x0042d9e8
0x0042d9f3
0x0042d9f5
0x0042d9f9
0x0042d9fe
0x0042da00
0x00000000
0x00000000
0x0042da3f
0x0042da45
0x0042da4a
0x0042da58
0x0042da5d
0x0042dab8
0x0042dab8
0x0042dac5
0x0042dacd
0x0042dace
0x0042dad5
0x0042dad9
0x0042dae3
0x0042daed
0x0042daf2
0x0042daf3
0x0042daf4
0x0042daf6
0x0042dafb
0x0042db03
0x0042db08
0x0042db0f
0x0042db13
0x0042db1e
0x0042db20
0x0042db24
0x0042db29
0x0042db2b
0x0042db90
0x0042db95
0x0042db98
0x0042db9b
0x0042dbf7
0x0042dbfc
0x0042dbff
0x0042dbff
0x0042dbff
0x0042dc03
0x0042dc06
0x0042dc0c
0x0042dc13
0x0042dc18
0x0042dc40
0x0042dc42
0x0042dc49
0x0042dc4b
0x0042dc4d
0x00000000
0x00000000
0x0042dc4d
0x0042dc7c
0x0042dc7c
0x0042dc7f
0x0042dc84
0x0042dc89
0x0042dc8a
0x0042dc9a
0x0042dc9e
0x0042dca9
0x0042dcad
0x0042dcb2
0x0042dcbc
0x0042dcc0
0x0042dcc8
0x0042dccc
0x0042dcd6
0x0042dce6
0x0042dceb
0x0042dcee
0x0042dcf1
0x00000000
0x0042dcf7
0x0042dcf7
0x0042dcfd
0x0042dd02
0x0042dd07
0x0042dd0a
0x0042dd0e
0x0042dd16
0x0042dd19
0x0042dd1e
0x0042dd1e
0x00000000
0x0042dc4f
0x0042dc59
0x0042dc5e
0x0042dc61
0x0042dc6d
0x0042dc72
0x0042dc75
0x0042dc75
0x0042dc7a
0x00000000
0x0042db9d
0x0042dba2
0x0042dbae
0x0042dbb2
0x0042dbbd
0x0042dbc1
0x0042dbc6
0x0042dbc9
0x00000000
0x0042dbc9
0x0042db2d
0x0042db2d
0x0042db33
0x0042db36
0x0042db38
0x0042db39
0x0042db3f
0x0042db40
0x0042db46
0x0042db4d
0x0042db52
0x0042db5f
0x0042db6b
0x0042db6f
0x0042db7a
0x0042db7e
0x0042db83
0x0042db86
0x0042dbcd
0x0042dbd0
0x0042dbd8
0x0042dbdc
0x0042dbe4
0x0042dbe7
0x0042dbec
0x00000000
0x0042dbec
0x00000000
0x0042db2b
0x0042da02
0x0042da08
0x0042da0b
0x0042da0d
0x0042da0e
0x0042da14
0x0042da15
0x0042da1b
0x0042da22
0x0042da27
0x0042da2f
0x0042da36
0x00000000
0x00000000
0x00000000
0x00000000
0x0042d907
0x0042d907
0x0042d90d
0x0042d910
0x0042d915
0x0042d918
0x0042d91d
0x0042d91e
0x0042d91f
0x0042d921
0x0042d924
0x0042d929
0x0042d954
0x0042d954
0x0042dd3e
0x0042dd43
0x0042dd47
0x0042dd4a
0x0042dd4f
0x0042dd4f
0x0042dd51
0x0042dd56
0x0042dd5f

APIs

__EH_prolog.LIBCMT ref: 0042D8BA

Part of subcall function 00401CDD: __EH_prolog.LIBCMT ref: 00401CE2
Part of subcall function 00401CDD: GetLastError.KERNEL32(00467574,00000000,0046757C,?,004021DC,?,00000000,00000000,00000000,?,00000000), ref: 00401D0A
Part of subcall function 00401CDD: SetLastError.KERNEL32(?,00000000,00000000,00000000,?,004021DC,?,00000000,00000000,00000000,?,00000000), ref: 00401D57

Part of subcall function 0042DF10: __EH_prolog.LIBCMT ref: 0042DF15

GetLastError.KERNEL32 ref: 0042D907

Part of subcall function 0042D43D: __EH_prolog.LIBCMT ref: 0042D442

Part of subcall function 004134DD: InterlockedDecrement.KERNEL32(?), ref: 004134EE
Part of subcall function 004134DD: FindCloseChangeNotification.KERNELBASE(?), ref: 00413516

Part of subcall function 0040125C: __EH_prolog.LIBCMT ref: 00401261
Part of subcall function 0040125C: GetLastError.KERNEL32(000004B1,00000000,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 00401284
Part of subcall function 0040125C: SysFreeString.OLEAUT32(?), ref: 004012A2
Part of subcall function 0040125C: SetLastError.KERNEL32(?,00000001,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 004012C2

Strings

puF, xrefs: 0042D97F
ISSetupDLLOp, xrefs: 0042D8C6
_:A, xrefs: 0042DA2F, 0042DB57, 0042DB9D, 0042DC8A, 0042DCB2
tuF, xrefs: 0042D8E0
|uF, xrefs: 0042D8DB
tuF, xrefs: 0042DB46
puF, xrefs: 0042D963

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorH_prologLast$ChangeCloseDecrementFindFreeInterlockedNotificationString
String ID: ISSetupDLLOp$_:A$puF$puF$tuF$tuF$|uF
API String ID: 1138071173-4177064392
Opcode ID: 18a254ba8049492d909be94d120215555544a50827fe40c42e70c5ed12a71b9f
Instruction ID: 2823931a04d843cee91b1d18614cc9e15ba8da964fcb4676783f66f8d16ed6fa
Opcode Fuzzy Hash: 18a254ba8049492d909be94d120215555544a50827fe40c42e70c5ed12a71b9f
Instruction Fuzzy Hash: 04C1A170D04258AEDB10EFA5C881BEDBB78AF15308F5040DEE449B7291E7780B85DB6A

Uniqueness

Uniqueness Score: -1.00%

Function 0042D54C Relevance: 17.7, APIs: 4, Strings: 6, Instructions: 245
fileCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E0042D54C() {
				intOrPtr* _t115;
				WCHAR** _t116;
				WCHAR* _t117;
				void* _t127;
				intOrPtr* _t133;
				void* _t140;
				void* _t142;
				void* _t144;
				void* _t164;
				WCHAR* _t167;
				intOrPtr* _t170;
				WCHAR* _t181;
				intOrPtr* _t183;
				void* _t185;
				intOrPtr* _t192;
				signed int _t216;
				intOrPtr* _t219;
				void* _t221;
				void* _t223;
				void* _t224;
				int _t225;
				intOrPtr* _t226;
				intOrPtr _t227;
				intOrPtr* _t229;

				L0043B644(0x463b0d, _t221);
				_t224 = _t223 - 0x184;
				 *(_t221 - 0x18) =  *(_t221 - 0x18) & 0x00000000;
				_t231 =  *((intOrPtr*)(_t221 + 0x44));
				 *(_t221 - 4) = 2;
				if( *((intOrPtr*)(_t221 + 0x44)) == 0) {
					_t170 = L00401813(_t221 + 0x38, _t221 - 0x50, 0x104);
					 *(_t221 - 4) = 3;
					 *((char*)(_t170 + 4)) = 1;
					GetTempPathW(0x104,  *(L00401E6C(_t170,  *_t170)));
					 *(_t221 - 4) = 2;
					L00401A9C(_t221 - 0x50);
				}
				_t225 = _t224 - 0x28;
				 *(_t221 - 0x10) = _t225;
				E00402943(_t221 + 0x38, _t225); // executed
				E0042DF10(_t221 + 0x38, _t231); // executed
				_t226 = _t225 + 0x28;
				_push(0);
				_push(_t221 - 0x13);
				 *((intOrPtr*)(_t221 - 0x44)) = 0x46757c;
				 *((intOrPtr*)(_t221 - 0x24)) = 0x467574;
				L00401C68(_t221 - 0x44);
				 *(_t221 - 0x10) =  *(_t221 - 0x10) & 0x00000000;
				 *(_t221 - 4) = 4;
				while(1) {
					_t233 =  *((char*)(_t221 + 0xc));
					if( *((char*)(_t221 + 0xc)) != 0) {
						_t115 = L00401813(_t221 - 0x44, _t221 - 0x50, 0x104);
						 *(_t221 - 4) = 9;
						 *((char*)(_t115 + 4)) = 1;
						_t116 = L00401E6C(_t115,  *_t115);
						_t181 =  *(_t221 + 0x40);
						_t117 =  *_t116;
						__eflags = _t181;
						if(_t181 == 0) {
							_t181 = 0x467570;
						}
						GetTempFileNameW(_t181, L"_is",  *(_t221 - 0x10), _t117);
						 *(_t221 - 4) = 4;
						L00401A9C(_t221 - 0x50);
						__eflags =  *(_t221 - 0x10);
						if( *(_t221 - 0x10) == 0) {
							_t167 =  *(_t221 - 0x3c);
							__eflags = _t167;
							if(_t167 == 0) {
								_t167 = 0x467570;
							}
							DeleteFileW(_t167);
						}
					} else {
						_push(L0042D471(_t221 - 0xf0));
						_push("{");
						_push(_t221 - 0x168);
						 *(_t221 - 4) = 5;
						_t140 = E00406005();
						_push(0x479c4c);
						_push(_t140);
						 *(_t221 - 4) = 6;
						_push(_t221 - 0xc8);
						_t142 = L00405EDE(_t233);
						_t226 = _t226 + 0x1c;
						_push(_t142);
						_push(_t221 - 0x118);
						 *(_t221 - 4) = 7;
						_t144 = L00405670(_t221 + 0x38, _t233);
						 *(_t221 - 4) = 8;
						L00401A1E(_t221 - 0x44, _t144);
						 *(_t221 - 4) = 7;
						L0040125C(_t221 - 0x118);
						 *(_t221 - 4) = 6;
						L0040125C(_t221 - 0xc8);
						 *(_t221 - 4) = 5;
						L0040125C(_t221 - 0x168);
						 *(_t221 - 4) = 4;
						L0040125C(_t221 - 0xf0);
					}
					_t234 =  *((intOrPtr*)(_t221 + 0x1c));
					if( *((intOrPtr*)(_t221 + 0x1c)) != 0) {
						_t226 = _t226 - 0x28;
						 *((intOrPtr*)(_t221 - 0x1c)) = _t226;
						_t183 = _t226;
						_push(0);
						_push(_t221 + 0x10);
						 *_t183 = 0x46757c;
						 *((intOrPtr*)(_t183 + 0x20)) = 0x467574;
						L00401CDD(_t183);
						_push(_t221 - 0x140);
						E004302CE(_t221 - 0x44, __eflags);
						_t185 = _t221 - 0x140;
					} else {
						_push(1);
						_push(_t221 - 0x12);
						_push(0x47e150);
						L0040176A(_t221 - 0xa0);
						_push(1);
						_push(_t221 - 0x11);
						_push(L".tmp");
						 *(_t221 - 4) = 0xa;
						L0040176A(_t221 - 0x78);
						 *(_t221 - 4) = 0xb;
						L00401E2C(_t221 - 0x44, _t234, _t221 - 0x78, _t221 - 0xa0);
						 *(_t221 - 4) = 0xa;
						L0040125C(_t221 - 0x78);
						 *(_t221 - 4) = 4;
						_t185 = _t221 - 0xa0;
					}
					L0040125C(_t185);
					if( *((char*)(_t221 + 0xc)) == 0) {
						_t164 = E00402943(_t221 - 0x44, _t221 - 0x190);
						 *(_t221 - 4) = 0xc;
						L00401A1E(_t221 - 0x44, _t164);
						 *(_t221 - 4) = 4;
						L0040125C(_t221 - 0x190);
					}
					_push(0xc);
					_t227 = _t226 - 0x28;
					 *((intOrPtr*)(_t221 - 0x1c)) = _t227;
					L00401708(_t227, _t221 - 0x44, 1); // executed
					_t127 = E0042CFBE(); // executed
					_t226 = _t227 + 0x2c;
					if(_t127 == 0) {
						break;
					}
					_t78 = _t221 - 0x10;
					 *_t78 =  *(_t221 - 0x10) + 1;
					if( *_t78 >= 0) {
						continue;
					}
					_t216 = 1;
					L00401732( *((intOrPtr*)(_t221 + 8)), 0x47e150, _t221 + 0xf, _t216);
					 *(_t221 - 0x18) = _t216;
					 *(_t221 - 4) = 2;
					L0040125C(_t221 - 0x44);
					 *(_t221 - 4) = 1;
					L0040125C(_t221 + 0x10);
					 *(_t221 - 4) =  *(_t221 - 4) & 0x00000000;
					L0040125C(_t221 + 0x38);
					_t133 =  *((intOrPtr*)(_t221 + 8));
					L19:
					 *[fs:0x0] =  *((intOrPtr*)(_t221 - 0xc));
					return _t133;
				}
				__eflags =  *((char*)(_t221 + 0xc));
				if( *((char*)(_t221 + 0xc)) == 0) {
					_t229 = _t226 - 0x28;
					 *((intOrPtr*)(_t221 + 0xc)) = _t229;
					_t192 = _t229;
					_push(0);
					_push(_t221 - 0x44);
					 *_t192 = 0x46757c;
					 *((intOrPtr*)(_t192 + 0x20)) = 0x467574;
					L00401CDD(_t192); // executed
					E0042DF10(_t192, __eflags); // executed
				}
				_t219 =  *((intOrPtr*)(_t221 + 8));
				_push(0);
				_push(_t221 - 0x44);
				 *_t219 = 0x46757c;
				 *((intOrPtr*)(_t219 + 0x20)) = 0x467574;
				L00401CDD(_t219);
				 *(_t221 - 0x18) = 1;
				 *(_t221 - 4) = 2;
				L0040125C(_t221 - 0x44);
				 *(_t221 - 4) = 1;
				L0040125C(_t221 + 0x10);
				 *(_t221 - 4) =  *(_t221 - 4) & 0x00000000;
				L0040125C(_t221 + 0x38);
				_t133 = _t219;
				goto L19;
			}

0x0042d551
0x0042d556
0x0042d55c
0x0042d563
0x0042d567
0x0042d573
0x0042d57d
0x0042d584
0x0042d588
0x0042d594
0x0042d59d
0x0042d5a1
0x0042d5a1
0x0042d5a6
0x0042d5ae
0x0042d5b2
0x0042d5b7
0x0042d5bc
0x0042d5cc
0x0042d5ce
0x0042d5d2
0x0042d5d5
0x0042d5d8
0x0042d5dd
0x0042d5e1
0x0042d5e5
0x0042d5e5
0x0042d5e9
0x0042d691
0x0042d698
0x0042d69c
0x0042d6a0
0x0042d6a5
0x0042d6a8
0x0042d6aa
0x0042d6ac
0x0042d6ae
0x0042d6ae
0x0042d6bd
0x0042d6c6
0x0042d6ca
0x0042d6cf
0x0042d6d3
0x0042d6d5
0x0042d6d8
0x0042d6da
0x0042d6dc
0x0042d6dc
0x0042d6e2
0x0042d6e2
0x0042d5ef
0x0042d5fb
0x0042d602
0x0042d607
0x0042d608
0x0042d60c
0x0042d611
0x0042d616
0x0042d61d
0x0042d621
0x0042d622
0x0042d627
0x0042d62a
0x0042d631
0x0042d635
0x0042d639
0x0042d642
0x0042d646
0x0042d651
0x0042d655
0x0042d660
0x0042d664
0x0042d66f
0x0042d673
0x0042d67e
0x0042d682
0x0042d682
0x0042d6e8
0x0042d6ec
0x0042d74a
0x0042d750
0x0042d753
0x0042d755
0x0042d757
0x0042d758
0x0042d75a
0x0042d75d
0x0042d76b
0x0042d76c
0x0042d771
0x0042d6ee
0x0042d6f1
0x0042d6f3
0x0042d6f4
0x0042d6ff
0x0042d707
0x0042d709
0x0042d70a
0x0042d712
0x0042d716
0x0042d729
0x0042d72d
0x0042d735
0x0042d739
0x0042d73e
0x0042d742
0x0042d742
0x0042d777
0x0042d780
0x0042d78c
0x0042d795
0x0042d799
0x0042d7a4
0x0042d7a8
0x0042d7a8
0x0042d7ad
0x0042d7b2
0x0042d7b7
0x0042d7bd
0x0042d7c2
0x0042d7c7
0x0042d7cc
0x00000000
0x00000000
0x0042d7ce
0x0042d7ce
0x0042d7d1
0x00000000
0x00000000
0x0042d7dc
0x0042d7e7
0x0042d7ef
0x0042d7f2
0x0042d7f6
0x0042d7fe
0x0042d802
0x0042d807
0x0042d80e
0x0042d813
0x0042d816
0x0042d81b
0x0042d824
0x0042d824
0x0042d825
0x0042d829
0x0042d82b
0x0042d831
0x0042d834
0x0042d836
0x0042d838
0x0042d839
0x0042d83b
0x0042d83e
0x0042d843
0x0042d848
0x0042d84b
0x0042d851
0x0042d853
0x0042d856
0x0042d858
0x0042d85b
0x0042d860
0x0042d86a
0x0042d86e
0x0042d876
0x0042d87a
0x0042d87f
0x0042d886
0x0042d88b
0x00000000

APIs

GetTempFileNameW.KERNEL32(?,_is,00000000,?,?,00000104,?,00000000), ref: 0042D6BD
GetTempPathW.KERNEL32(00000104,00000000,?,00000104,00000000,00000001,004675E4), ref: 0042D594

Part of subcall function 00401A9C: __EH_prolog.LIBCMT ref: 00401AA1
Part of subcall function 00401A9C: GetLastError.KERNEL32(00467574,00000000), ref: 00401AAD
Part of subcall function 00401A9C: SetLastError.KERNEL32(00000000), ref: 00401B01

__EH_prolog.LIBCMT ref: 0042D551

Part of subcall function 00401E6C: SysStringLen.OLEAUT32(?), ref: 00401E7A
Part of subcall function 00401E6C: SysReAllocStringLen.OLEAUT32(?,?,?), ref: 00401E96

DeleteFileW.KERNEL32(?), ref: 0042D6E2

Strings

|uF, xrefs: 0042D5C2
_is, xrefs: 0042D6B7
.tmp, xrefs: 0042D70A
puF, xrefs: 0042D6DC
tuF, xrefs: 0042D5C7
puF, xrefs: 0042D6AE

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorFileH_prologLastStringTemp$AllocDeleteNamePath
String ID: .tmp$_is$puF$puF$tuF$|uF
API String ID: 4195121471-2027052127
Opcode ID: 5f4d827825f739cf58e937ed82445f6a302430eee4fa99f956feeade39cc743a
Instruction ID: 63c67fbb4757822afaf9a008bfddb3e3ac5e069a2071744d4d27eb69eee4a381
Opcode Fuzzy Hash: 5f4d827825f739cf58e937ed82445f6a302430eee4fa99f956feeade39cc743a
Instruction Fuzzy Hash: 2CA18370D01248EEDF11EBA5C945BED7BB8AF15308F50409EE405732D2EB785B49CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00445282 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 187
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E00445282(long _a4, long _a8) {
				long _v8;
				long _v12;
				long _v16;
				CHAR* _v20;
				long _v24;
				CHAR* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				signed int* _t62;
				signed int _t63;
				signed int _t64;
				intOrPtr* _t65;
				intOrPtr* _t66;
				intOrPtr* _t68;
				intOrPtr* _t73;
				intOrPtr* _t78;
				intOrPtr* _t82;
				struct HINSTANCE__* _t83;
				void* _t86;
				intOrPtr* _t88;
				long _t96;
				long _t97;
				signed int _t99;
				unsigned int _t102;
				intOrPtr _t105;
				void _t108;
				struct HINSTANCE__* _t114;
				long _t115;

				_t97 = _a8;
				_t115 = _a4;
				_t96 = 0;
				_v28 =  *((intOrPtr*)(_t115 + 4));
				_v40 = 0x24;
				_v36 = _t115;
				_v32 = _t97;
				_v24 = 0;
				asm("stosd");
				_v16 = 0;
				_v12 = 0;
				_v8 = 0;
				_t114 =  *( *(_t115 + 8));
				_t99 = _t97 -  *((intOrPtr*)(_t115 + 0xc)) >> 2 << 2;
				_t62 =  *((intOrPtr*)(_t115 + 0x10)) + _t99;
				_a4 = _t99;
				_t102 =  !( *_t62) >> 0x1f;
				_v24 = _t102;
				_t63 =  *_t62;
				if(_t102 == 0) {
					_t64 = _t63 & 0x0000ffff;
				} else {
					_t64 = _t63 + 2;
				}
				_v20 = _t64;
				_t65 =  *0x47e904; // 0x0
				if(_t65 == _t96) {
					L5:
					if(_t114 != 0) {
						L17:
						_t66 =  *0x47e904; // 0x0
						_v16 = _t114;
						if(_t66 != 0) {
							_t96 =  *_t66(2,  &_v40);
						}
						if(_t96 != 0) {
							L31:
							 *_a8 = _t96;
							goto L32;
						} else {
							_t112 =  *((intOrPtr*)(_t115 + 0x14));
							if( *((intOrPtr*)(_t115 + 0x14)) == 0) {
								L26:
								_t96 = GetProcAddress(_t114, _v20);
								if(_t96 == 0) {
									_v8 = GetLastError();
									_t73 =  *0x47e900; // 0x0
									if(_t73 != 0) {
										_t96 =  *_t73(4,  &_v40);
									}
									if(_t96 == 0) {
										_a4 =  &_v40;
										RaiseException(0xc06d007f, _t96, 1,  &_a4);
										_t96 = _v12;
									}
								}
								goto L31;
							}
							_t105 =  *((intOrPtr*)(_t115 + 0x1c));
							if(_t105 == 0) {
								goto L26;
							}
							_t78 =  *((intOrPtr*)(_t114 + 0x3c)) + _t114;
							if( *_t78 != 0x4550 ||  *((intOrPtr*)(_t78 + 8)) != _t105 || _t114 !=  *((intOrPtr*)(_t78 + 0x34))) {
								goto L26;
							} else {
								L0044547B( *((intOrPtr*)(_t115 + 0xc)), _t112);
								_t96 =  *(_a4 +  *((intOrPtr*)(_t115 + 0xc)));
								goto L32;
							}
						}
					}
					_t82 =  *0x47e904; // 0x0
					if(_t82 == 0) {
						L8:
						_t83 = LoadLibraryA(_v28); // executed
						_t114 = _t83;
						if(_t114 != 0) {
							L12:
							if(InterlockedExchange( *(_t115 + 8), _t114) == _t114) {
								FreeLibrary(_t114);
							} else {
								if( *((intOrPtr*)(_t115 + 0x18)) != 0) {
									_t86 = LocalAlloc(0x40, 8);
									if(_t86 != 0) {
										 *((intOrPtr*)(_t86 + 4)) = _t115;
										_t108 =  *0x47e8fc; // 0x0
										 *_t86 = _t108;
										 *0x47e8fc = _t86;
									}
								}
							}
							goto L17;
						}
						_v8 = GetLastError();
						_t88 =  *0x47e900; // 0x0
						if(_t88 == 0) {
							L11:
							_a8 =  &_v40;
							RaiseException(0xc06d007e, 0, 1,  &_a8);
							return _v12;
						}
						_t114 =  *_t88(3,  &_v40);
						if(_t114 != 0) {
							goto L12;
						}
						goto L11;
					}
					_t114 =  *_t82(1,  &_v40);
					if(_t114 != 0) {
						goto L12;
					}
					goto L8;
				} else {
					_t96 =  *_t65(_t96,  &_v40);
					if(_t96 != 0) {
						L32:
						_t68 =  *0x47e904; // 0x0
						if(_t68 != 0) {
							_v8 = _v8 & 0x00000000;
							_v16 = _t114;
							_v12 = _t96;
							 *_t68(5,  &_v40);
						}
						return _t96;
					}
					goto L5;
				}
			}

0x00445288
0x0044528d
0x00445291
0x00445299
0x0044529e
0x004452a5
0x004452a8
0x004452ab
0x004452ae
0x004452b2
0x004452b5
0x004452b8
0x004452bb
0x004452ca
0x004452cd
0x004452cf
0x004452d6
0x004452d9
0x004452dc
0x004452de
0x004452e4
0x004452e0
0x004452e1
0x004452e1
0x004452e9
0x004452ec
0x004452f3
0x00445306
0x00445308
0x004453b0
0x004453b0
0x004453b5
0x004453ba
0x004453c4
0x004453c4
0x004453c8
0x00445452
0x00445455
0x00000000
0x004453ce
0x004453ce
0x004453d3
0x00445407
0x00445411
0x00445415
0x0044541d
0x00445420
0x00445427
0x00445431
0x00445431
0x00445435
0x0044543a
0x00445449
0x0044544f
0x0044544f
0x00445435
0x00000000
0x00445415
0x004453d5
0x004453da
0x00000000
0x00000000
0x004453df
0x004453e7
0x00000000
0x004453f3
0x004453f7
0x00445402
0x00000000
0x00445402
0x004453e7
0x004453c8
0x0044530e
0x00445315
0x00445325
0x00445328
0x0044532e
0x00445332
0x00445375
0x00445381
0x004453aa
0x00445383
0x00445387
0x0044538d
0x00445395
0x00445397
0x0044539a
0x004453a0
0x004453a2
0x004453a2
0x00445395
0x00445387
0x00000000
0x00445381
0x0044533a
0x0044533d
0x00445344
0x00445354
0x00445357
0x00445367
0x00000000
0x0044536d
0x0044534e
0x00445352
0x00000000
0x00000000
0x00000000
0x00445352
0x0044531f
0x00445323
0x00000000
0x00000000
0x00000000
0x004452f5
0x004452fc
0x00445300
0x00445457
0x00445457
0x0044545e
0x00445460
0x0044546a
0x0044546d
0x00445470
0x00445470
0x00000000
0x00445472
0x00000000
0x00445300

APIs

LoadLibraryA.KERNELBASE(?), ref: 00445328
GetLastError.KERNEL32 ref: 00445334
RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 00445367
InterlockedExchange.KERNEL32(?,00000000), ref: 00445379
LocalAlloc.KERNEL32(00000040,00000008), ref: 0044538D
FreeLibrary.KERNEL32(00000000), ref: 004453AA
GetProcAddress.KERNEL32(?,?), ref: 0044540B
GetLastError.KERNEL32 ref: 00445417
RaiseException.KERNEL32(C06D007F,00000000,00000001,?), ref: 00445449

Strings

$, xrefs: 0044529E

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorExceptionLastLibraryRaise$AddressAllocExchangeFreeInterlockedLoadLocalProc
String ID: $
API String ID: 991255547-3993045852
Opcode ID: 6783fdfda62865b542c431b86d789928e64fd0453d98d3b5f24b5a2d6d3593cc
Instruction ID: e120d9844d2ad837878b684bd9a649deeacc13c184aaa6b344fabb32445a737e
Opcode Fuzzy Hash: 6783fdfda62865b542c431b86d789928e64fd0453d98d3b5f24b5a2d6d3593cc
Instruction Fuzzy Hash: 1C614EB1A00605AFEF14CF99C884AAA77F4FB48741F10846AEA19D7351E7B4ED40CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00450B60 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 70
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00450B60(void* _a4, int _a8, int _a12, long _a16) {
				int _v4;
				int _v8;
				struct tagPOINT _v16;
				long _t21;
				int _t27;
				struct HWND__** _t30;
				int _t33;
				int _t39;
				struct HDC__* _t41;
				struct HWND__* _t42;
				int _t44;

				_t42 = _a4;
				_t30 = GetPropW(_t42, L"PROP_STAT_PSKIN");
				_a4 = GetPropW(_t42, L"PROP_STAT_OLDPROC");
				if(_a8 == 0xc) {
					_t41 = GetDC(_t42);
					GetWindowRect(_t42,  &_v16);
					MapWindowPoints(0,  *_t30,  &_v16, 2);
					_t44 = _v16.y;
					_t33 = _v16.x;
					_t27 = _v8 - _t33;
					_t39 = _v4 - _t44;
					_v8 = _t27;
					_v4 = _t39;
					BitBlt(_t41, 0, 0, _t27, _t39, _t30[0x52], _t33, _t44, 0xcc0020);
					ReleaseDC(_t42, _t41);
				}
				_t21 = CallWindowProcW(_a4, _t42, _a8, _a12, _a16); // executed
				return _t21;
			}

0x00450b65
0x00450b7e
0x00450b82
0x00450b8d
0x00450b97
0x00450b9f
0x00450bb1
0x00450bb7
0x00450bc4
0x00450bcd
0x00450bd6
0x00450be0
0x00450be4
0x00450be8
0x00450bf0
0x00450bf6
0x00450c0c
0x00450c18

APIs

GetPropW.USER32(?,PROP_STAT_PSKIN), ref: 00450B76
GetPropW.USER32(?,PROP_STAT_OLDPROC), ref: 00450B80
GetDC.USER32(?), ref: 00450B91
GetWindowRect.USER32 ref: 00450B9F
MapWindowPoints.USER32 ref: 00450BB1
BitBlt.GDI32(00000000,00000000,00000000,?,00CC0020,?,00000002,00000002,00CC0020), ref: 00450BE8
ReleaseDC.USER32 ref: 00450BF0
CallWindowProcW.USER32(?,?,?,?,?), ref: 00450C0C

Strings

PROP_STAT_PSKIN, xrefs: 00450B70
PROP_STAT_OLDPROC, xrefs: 00450B78

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: Window$Prop$CallPointsProcRectRelease
String ID: PROP_STAT_OLDPROC$PROP_STAT_PSKIN
API String ID: 880400865-2156214881
Opcode ID: 121234aeab870a9f1765a8f059471c507f213373ab993cb3b25926ee9b91fad1
Instruction ID: 1cbf0e87b0395d1dc28d182da4e144bc430bc6ac8c47541ec0c0813c8716f0a7
Opcode Fuzzy Hash: 121234aeab870a9f1765a8f059471c507f213373ab993cb3b25926ee9b91fad1
Instruction Fuzzy Hash: EE113B75208200AFD300DB55DC49E6BBBFDEFC9714F004A2DF54493250DBB4A9058B66

Uniqueness

Uniqueness Score: -1.00%

Function 0042FDD5 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 54
libraryloaderfileCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E0042FDD5(intOrPtr _a4, long _a8, long _a12, struct _SECURITY_ATTRIBUTES* _a16, long _a20, long _a24, void* _a28) {
				signed int _t19;
				void* _t23;
				WCHAR* _t24;
				WCHAR* _t27;
				signed int _t30;

				_t24 = L"kernel32.dll";
				if(GetProcAddress(GetModuleHandleW(_t24), "CreateFileW") == 0) {
					_t19 = GetProcAddress(GetModuleHandleW(_t24), "CreateFileA");
					_t30 = _t19;
					if(_t30 == 0) {
						return _t19 | 0xffffffff;
					}
					return  *_t30(L0040BC37(_a4), _a8, _a12, _a16, _a20, _a24, _a28);
				}
				_t2 = _a4 + 8; // 0x0
				_t27 =  *_t2;
				if(_t27 == 0) {
					_t27 = 0x467570;
				}
				_t23 = CreateFileW(_t27, _a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t23;
			}

0x0042fde1
0x0042fdf9
0x0042fe2a
0x0042fe2c
0x0042fe30
0x00000000
0x0042fe51
0x00000000
0x0042fe4d
0x0042fdfe
0x0042fdfe
0x0042fe03
0x0042fe05
0x0042fe05
0x0042fe1d
0x00000000

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,CreateFileW,?,?,00000001,tuF,00412FA7,|uF,?,?,?,?,tuF,?,?,00000000), ref: 0042FDEC
GetProcAddress.KERNEL32(00000000), ref: 0042FDF5
CreateFileW.KERNELBASE(00000000,004675A0,00000000,?,00000000,?,?,?,00000001,tuF,00412FA7,|uF,?,?,?,?), ref: 0042FE1D
GetModuleHandleW.KERNEL32(kernel32.dll,CreateFileA,?,00000001,tuF,00412FA7,|uF,?,?,?,?,tuF,?,?,00000000,?), ref: 0042FE27
GetProcAddress.KERNEL32(00000000), ref: 0042FE2A

Strings

puF, xrefs: 0042FE05
CreateFileW, xrefs: 0042FDE6
kernel32.dll, xrefs: 0042FDE1, 0042FDEB, 0042FE26
tuF, xrefs: 0042FDD5
CreateFileA, xrefs: 0042FE21

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: AddressHandleModuleProc$CreateFile
String ID: CreateFileA$CreateFileW$kernel32.dll$puF$tuF
API String ID: 2362759813-2075064360
Opcode ID: f23922e0b90c5010c1ebc8fd0787cf1de706e798673c7a6958b555871b80d7ea
Instruction ID: 134a28fd71da5f5baddc01f38690aef061da407f267bf17f551b5e9e199cd6b6
Opcode Fuzzy Hash: f23922e0b90c5010c1ebc8fd0787cf1de706e798673c7a6958b555871b80d7ea
Instruction Fuzzy Hash: 4901843260421DBBCF125FA4DC40DDF3B29EF487547418526FE1562261C67ADC219B98

Uniqueness

Uniqueness Score: -1.00%

Function 0042FD4E Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 51
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0042FD4E() {
				int _t20;
				WCHAR* _t22;
				WCHAR* _t27;
				intOrPtr* _t33;
				int _t34;
				void* _t36;

				L0043B644(0x463f4c, _t36);
				 *(_t36 - 4) =  *(_t36 - 4) & 0x00000000;
				_t22 = L"kernel32.dll";
				if(GetProcAddress(GetModuleHandleW(_t22), "CreateDirectoryW") == 0) {
					_t33 = GetProcAddress(GetModuleHandleW(_t22), "CreateDirectoryA");
					if(_t33 == 0) {
						_t34 = 0;
					} else {
						_t20 =  *_t33(L0040BC37(_t36 + 8),  *(_t36 + 0x30));
						goto L4;
					}
				} else {
					_t27 =  *(_t36 + 0x10);
					if(_t27 == 0) {
						_t27 = 0x467570;
					}
					_t20 = CreateDirectoryW(_t27,  *(_t36 + 0x30)); // executed
					L4:
					_t34 = _t20;
				}
				 *(_t36 - 4) =  *(_t36 - 4) | 0xffffffff;
				L0040125C(_t36 + 8);
				 *[fs:0x0] =  *((intOrPtr*)(_t36 - 0xc));
				return _t34;
			}

0x0042fd53
0x0042fd61
0x0042fd65
0x0042fd7d
0x0042fda0
0x0042fda4
0x0042fdb6
0x0042fda6
0x0042fdb2
0x00000000
0x0042fdb2
0x0042fd7f
0x0042fd7f
0x0042fd84
0x0042fd86
0x0042fd86
0x0042fd8f
0x0042fd91
0x0042fd91
0x0042fd91
0x0042fdb8
0x0042fdbf
0x0042fdcc
0x0042fdd4

APIs

__EH_prolog.LIBCMT ref: 0042FD53
GetModuleHandleW.KERNEL32(kernel32.dll,CreateDirectoryW,00467574,?,0046757C,0042DE66,?,00000001,00000001,?,00000000,00000001,?,00000000,00467570,?), ref: 0042FD70
GetProcAddress.KERNEL32(00000000), ref: 0042FD79
CreateDirectoryW.KERNELBASE(?,00000001,?,00000000), ref: 0042FD8F
GetModuleHandleW.KERNEL32(kernel32.dll,CreateDirectoryA,?,00000000), ref: 0042FD9B
GetProcAddress.KERNEL32(00000000), ref: 0042FD9E

Strings

kernel32.dll, xrefs: 0042FD65, 0042FD6F, 0042FD9A
puF, xrefs: 0042FD86
CreateDirectoryW, xrefs: 0042FD6A
CreateDirectoryA, xrefs: 0042FD95

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: AddressHandleModuleProc$CreateDirectoryH_prolog
String ID: CreateDirectoryA$CreateDirectoryW$kernel32.dll$puF
API String ID: 1998818916-158267003
Opcode ID: ced588dd9cdd6ef8d6fb86908c46051dd86af612765719ad3b982d475b8c7d55
Instruction ID: 8711f425e44686cc6ea0aaaade50ddfb98e3010d4f1570c1e01a5ceb4c9f00e9
Opcode Fuzzy Hash: ced588dd9cdd6ef8d6fb86908c46051dd86af612765719ad3b982d475b8c7d55
Instruction Fuzzy Hash: 3601F532B10225B7CB20AF64CC40E9E7668DF40755B80453BF806E3290DB38CD058A9C

Uniqueness

Uniqueness Score: -1.00%

Function 0042FC4C Relevance: 17.5, APIs: 6, Strings: 4, Instructions: 49
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0042FC4C() {
				long _t18;
				WCHAR* _t20;
				WCHAR* _t25;
				intOrPtr* _t31;
				long _t32;
				void* _t34;

				L0043B644(0x463f24, _t34);
				 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
				_t20 = L"kernel32.dll";
				if(GetProcAddress(GetModuleHandleW(_t20), "GetFileAttributesW") == 0) {
					_t31 = GetProcAddress(GetModuleHandleW(_t20), "GetFileAttributesA");
					if(_t31 == 0) {
						_t32 = 0;
					} else {
						_t18 =  *_t31(L0040BC37(_t34 + 8));
						goto L4;
					}
				} else {
					_t25 =  *(_t34 + 0x10);
					if(_t25 == 0) {
						_t25 = 0x467570;
					}
					_t18 = GetFileAttributesW(_t25); // executed
					L4:
					_t32 = _t18;
				}
				 *(_t34 - 4) =  *(_t34 - 4) | 0xffffffff;
				L0040125C(_t34 + 8);
				 *[fs:0x0] =  *((intOrPtr*)(_t34 - 0xc));
				return _t32;
			}

0x0042fc51
0x0042fc5f
0x0042fc63
0x0042fc7b
0x0042fc9b
0x0042fc9f
0x0042fcae
0x0042fca1
0x0042fcaa
0x00000000
0x0042fcaa
0x0042fc7d
0x0042fc7d
0x0042fc82
0x0042fc84
0x0042fc84
0x0042fc8a
0x0042fc8c
0x0042fc8c
0x0042fc8c
0x0042fcb0
0x0042fcb7
0x0042fcc4
0x0042fccc

APIs

__EH_prolog.LIBCMT ref: 0042FC51
GetModuleHandleW.KERNEL32(kernel32.dll,GetFileAttributesW,0046757C,00000000,?,0042D034), ref: 0042FC6E
GetProcAddress.KERNEL32(00000000), ref: 0042FC77
GetFileAttributesW.KERNELBASE(00000000), ref: 0042FC8A
GetModuleHandleW.KERNEL32(kernel32.dll,GetFileAttributesA), ref: 0042FC96
GetProcAddress.KERNEL32(00000000), ref: 0042FC99

Strings

GetFileAttributesW, xrefs: 0042FC68
kernel32.dll, xrefs: 0042FC63, 0042FC6D, 0042FC95
GetFileAttributesA, xrefs: 0042FC90
puF, xrefs: 0042FC84

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: AddressHandleModuleProc$AttributesFileH_prolog
String ID: GetFileAttributesA$GetFileAttributesW$kernel32.dll$puF
API String ID: 4019590321-2524072684
Opcode ID: a5f3c310b1ecfc79ff4ba06e3b4401ab52f7d66edb4c6b3649746651a2469e1a
Instruction ID: cc5ee77e0407f9b9c7da7e29a3fcfeee709a91d74855095c9783dd75b786739c
Opcode Fuzzy Hash: a5f3c310b1ecfc79ff4ba06e3b4401ab52f7d66edb4c6b3649746651a2469e1a
Instruction Fuzzy Hash: 0F018471B00228A7CB24AF769C41AAFB668EF44765B91453BA806E3280DB7C9D0586DD

Uniqueness

Uniqueness Score: -1.00%

Function 004062DD Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 284
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E004062DD(void* __ecx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* _t106;
				signed int _t116;
				signed int _t117;
				signed int _t120;
				signed int _t127;
				void* _t129;
				signed int _t135;
				signed int _t140;
				void* _t149;
				signed int _t150;
				char* _t155;
				void* _t161;
				intOrPtr _t174;
				void* _t182;
				intOrPtr _t183;
				void* _t201;
				void* _t202;
				void* _t204;
				intOrPtr* _t205;
				signed int _t206;
				signed int _t207;
				signed int _t208;
				void* _t211;
				void* _t213;
				void* _t214;
				signed int _t216;
				void* _t218;
				signed int _t225;
				signed int _t226;

				L0043B644(0x45f733, _t211);
				_t214 = _t213 - 0x78;
				_t202 = __ecx;
				 *0x47e1c8 = 0;
				E004066ED(__ecx + 0x104,  *((intOrPtr*)(_t211 + 0xc)));
				_t205 = _t202 + 0xc8;
				 *0x47e1d2 =  *(_t211 + 0x10);
				 *0x47e1d1 =  *((intOrPtr*)( *((intOrPtr*)( *_t205)) + 0x28))(0x10, _t201, _t204, _t161);
				_t106 =  *((intOrPtr*)( *((intOrPtr*)( *_t205)) + 0x1c))(_t211 - 0x34, 7);
				 *(_t211 - 4) = 0;
				_push(_t211 - 0x5c);
				 *(_t211 + 0x10) = L0040B0D5(_t106);
				_t206 = L"EXECUTEMODE=None";
				 *(_t211 - 4) = 1;
				_t218 = L0040B4AD( *(_t211 + 0x10) + 4, _t206, 0, L0043BA1F(_t206)) -  *0x4675e0; // 0xffffffff
				 *(_t211 - 4) = 0;
				 *((char*)(_t211 + 0x13)) = _t218 != 0;
				E004061C1(_t211 - 0x5c);
				_t207 = _t206 | 0xffffffff;
				 *(_t211 - 4) = _t207;
				L0040125C(_t211 - 0x34);
				if( *((intOrPtr*)(_t211 + 0x13)) != 0) {
					 *((char*)(_t202 + 0xf8)) = 1;
				}
				_t174 =  *0x47e1d4; // 0x2380b70
				if( *((intOrPtr*)(_t174 + 1)) != 0 ||  *((intOrPtr*)(_t174 + 2)) != 0) {
					__eflags = 0;
				} else {
					_push(1);
					_pop(0);
				}
				if(0xbadbad == 0) {
					__eflags =  *0x47e1d1; // 0x0
					if(__eflags != 0) {
						L39:
						 *(_t211 + 0x10) = 0;
						 *(_t211 - 4) = 6;
						_t116 = E004075CC(_t202, _t211 + 0x10); // executed
						__eflags =  *(_t211 + 0x10);
						_t208 = _t116;
						if( *(_t211 + 0x10) != 0) {
							_push( *(_t211 + 0x10));
							L0042C8A6();
						}
						goto L41;
					}
					__eflags =  *0x47e1d2; // 0x1
					if(__eflags != 0) {
						__eflags =  *((intOrPtr*)(_t202 + 0xfc)) - 1;
						if( *((intOrPtr*)(_t202 + 0xfc)) == 1) {
							goto L39;
						}
						__eflags =  *(_t202 + 0x101);
						if( *(_t202 + 0x101) == 0) {
							goto L39;
						}
						__eflags =  *0x47df40; // 0x0
						if(__eflags != 0) {
							L34:
							_push(1);
							_push(_t211 + 0x13);
							_push("C:\\CodeBases\\isdev\\src\\Runtime\\Shared\\Setup\\IsPreReqDlg.cpp");
							E0040A5F5(_t211 - 0x5c);
							_t120 = L"Hidden prerequisites require, but did not receive, elevation. Exiting setup.";
							 *(_t211 - 4) = 4;
							 *((intOrPtr*)(_t211 - 0x34)) = 0x4675d8;
							__eflags = _t120;
							 *((intOrPtr*)(_t211 - 0x14)) = 0x4675d0;
							if(_t120 == 0) {
								_t120 = 0x47e150;
							}
							_push(0);
							_push(_t211 + 0xf);
							_push(_t120);
							L0040B34B(_t211 - 0x34);
							 *(_t211 - 4) = 5;
							L0045D600(_t211 - 0x34, _t211 - 0x5c, 0x7a);
							 *(_t211 - 4) = 4;
							E004061C1(_t211 - 0x34);
							 *(_t211 - 4) = _t207;
							_t182 = _t211 - 0x5c;
							goto L37;
						}
						__eflags =  *0x47e988; // 0x0
						if(__eflags == 0) {
							goto L38;
						}
						goto L34;
					}
					__eflags =  *((intOrPtr*)(_t202 + 0xfc)) - 1;
					if( *((intOrPtr*)(_t202 + 0xfc)) == 1) {
						L25:
						_t65 = _t174 + 0x44; // 0x4
						_t127 =  *_t65;
						__eflags = _t127 - 2;
						if(_t127 == 2) {
							L28:
							_push(1);
							_pop(0);
							L29:
							_t129 = E004066BD(_t174, _t211 - 0x84);
							_t183 =  *0x47e1d4; // 0x2380b70
							 *(_t211 - 4) = 0xc;
							 *((intOrPtr*)(_t211 + 0x14)) = _t183;
							_push(0);
							asm("sbb eax, eax");
							_push(1);
							_push(_t202);
							_push(E004068FF);
							_push(0);
							_push(( ~( *(_t129 + 0xc)) & 0x000007b2) + 0x0000040a & 0x0000ffff);
							 *(_t211 - 4) = 0xd;
							_t135 = L004037C4(0, _t211 + 0x14, _t202);
							 *(_t211 - 4) =  *(_t211 - 4) | 0xffffffff;
							_t208 = _t135;
							L0040125C(_t211 - 0x84);
							goto L41;
						}
						_t127 = _t127 & 0xffffff00 | _t127 == 0x00000000;
						if((_t127 & 0xffffff00 | _t127 == 0x00000000) != 0) {
							goto L28;
						}
						goto L29;
					}
					__eflags =  *(_t202 + 0x101);
					if( *(_t202 + 0x101) == 0) {
						goto L25;
					}
					__eflags =  *0x47df40; // 0x0
					if(__eflags != 0) {
						L20:
						_push(1);
						_push(_t211 + 0x13);
						_push("C:\\CodeBases\\isdev\\src\\Runtime\\Shared\\Setup\\IsPreReqDlg.cpp");
						E0040A5F5(_t211 - 0x5c);
						_t140 = L"Visible prerequisites require, but did not receive, elevation. Prompting user.";
						 *(_t211 - 4) = 7;
						 *((intOrPtr*)(_t211 - 0x34)) = 0x4675d8;
						__eflags = _t140;
						 *((intOrPtr*)(_t211 - 0x14)) = 0x4675d0;
						if(_t140 == 0) {
							_t140 = 0x47e150;
						}
						_push(0);
						_push(_t211 + 0xf);
						_push(_t140);
						L0040B34B(_t211 - 0x34);
						 *(_t211 - 4) = 8;
						L0045D600(_t211 - 0x34, _t211 - 0x5c, 0x84);
						 *(_t211 - 4) = 7;
						E004061C1(_t211 - 0x34);
						 *(_t211 - 4) = _t207;
						E004061C1(_t211 - 0x5c);
						_t174 =  *0x47e1d4; // 0x2380b70
						L23:
						_push(0);
						_push(2);
						_push(5);
						_t216 = _t214 - 0x28;
						 *(_t211 + 0x10) = _t216;
						_push(0x894);
						_push(_t216);
						E00403E82(_t174, __eflags);
						_t208 = 9;
						 *(_t211 - 4) = _t208;
						_t149 = L004037B9(_t211 + 0xc,  *0x47e1d4);
						_push( *0x47e1c8);
						 *(_t211 - 4) = 0xb;
						_t150 = L00403C38(_t149);
						__eflags = _t150 - 4;
						 *(_t211 - 4) =  *(_t211 - 4) | 0xffffffff;
						__eflags = _t150 & 0xffffff00 | _t150 != 0x00000004;
						if((_t150 & 0xffffff00 | _t150 != 0x00000004) != 0) {
							goto L42;
						}
						_t174 =  *0x47e1d4; // 0x2380b70
						goto L25;
					}
					__eflags =  *0x47e988; // 0x0
					if(__eflags == 0) {
						goto L23;
					}
					goto L20;
				} else {
					if( *(_t202 + 0x101) == 0) {
						_t208 = E004075CC(_t202,  *((intOrPtr*)(_t211 + 0x14)));
						L41:
						 *0x47e1c8 = 0;
						L42:
						_t117 = _t208;
						L43:
						 *[fs:0x0] =  *((intOrPtr*)(_t211 - 0xc));
						return _t117;
					}
					_t225 =  *0x47df40; // 0x0
					if(_t225 != 0) {
						L10:
						_push(1);
						_push(_t211 + 0x13);
						_push("C:\\CodeBases\\isdev\\src\\Runtime\\Shared\\Setup\\IsPreReqDlg.cpp");
						E0040A5F5(_t211 - 0x5c);
						_t155 = L"Administrative privileges are required, but setup is silent. Exiting setup.";
						 *(_t211 - 4) = 2;
						 *((intOrPtr*)(_t211 - 0x34)) = 0x4675d8;
						 *((intOrPtr*)(_t211 - 0x14)) = 0x4675d0;
						if(_t155 == 0) {
							_t155 = 0x47e150;
						}
						_push(0);
						_push(_t211 + 0xf);
						_push(_t155);
						L0040B34B(_t211 - 0x34);
						 *(_t211 - 4) = 3;
						L0045D600(_t211 - 0x34, _t211 - 0x5c, 0x6f);
						 *(_t211 - 4) = 2;
						E004061C1(_t211 - 0x34);
						 *(_t211 - 4) = _t207;
						_t182 = _t211 - 0x5c;
						L37:
						E004061C1(_t182);
						L38:
						_t117 = 9;
						goto L43;
					}
					_t226 =  *0x47e988; // 0x0
					if(_t226 == 0) {
						goto L38;
					}
					goto L10;
				}
			}

0x004062e2
0x004062e7
0x004062ed
0x004062fa
0x00406300
0x00406308
0x0040630e
0x0040631c
0x0040632b
0x00406331
0x00406334
0x0040633c
0x0040633f
0x00406344
0x0040635d
0x00406366
0x00406369
0x0040636d
0x00406372
0x00406378
0x0040637b
0x00406383
0x00406385
0x00406385
0x0040638c
0x00406395
0x004063a1
0x0040639c
0x0040639c
0x0040639e
0x0040639e
0x004063aa
0x00406451
0x00406457
0x00406673
0x00406673
0x0040667c
0x00406683
0x00406688
0x0040668b
0x0040668d
0x0040668f
0x00406692
0x00406692
0x00000000
0x0040668d
0x0040645d
0x00406463
0x004065d5
0x004065dc
0x00000000
0x00000000
0x004065e2
0x004065e8
0x00000000
0x00000000
0x004065ee
0x004065f4
0x004065fe
0x00406601
0x00406603
0x00406604
0x0040660c
0x00406611
0x00406616
0x0040661f
0x00406626
0x00406628
0x0040662f
0x00406631
0x00406631
0x00406639
0x0040663a
0x0040663b
0x0040663f
0x0040664e
0x00406652
0x0040665a
0x0040665e
0x00406663
0x00406666
0x00000000
0x00406666
0x004065f6
0x004065fc
0x00000000
0x00000000
0x00000000
0x004065fc
0x00406469
0x00406470
0x00406560
0x00406560
0x00406560
0x00406563
0x00406566
0x00406575
0x00406575
0x00406577
0x00406578
0x0040657f
0x00406584
0x0040658a
0x00406591
0x00406597
0x0040659a
0x0040659c
0x004065a3
0x004065a9
0x004065b1
0x004065b2
0x004065b6
0x004065ba
0x004065bf
0x004065c9
0x004065cb
0x00000000
0x004065cb
0x0040656d
0x0040656f
0x00000000
0x00000000
0x00000000
0x00406571
0x00406476
0x0040647c
0x00000000
0x00000000
0x00406482
0x00406488
0x00406492
0x00406495
0x00406497
0x00406498
0x004064a0
0x004064a5
0x004064aa
0x004064b3
0x004064ba
0x004064bc
0x004064c3
0x004064c5
0x004064c5
0x004064cd
0x004064ce
0x004064cf
0x004064d3
0x004064e5
0x004064e9
0x004064f1
0x004064f5
0x004064fd
0x00406500
0x00406505
0x0040650b
0x0040650b
0x0040650c
0x0040650e
0x00406510
0x00406515
0x00406518
0x0040651d
0x0040651e
0x00406528
0x0040652f
0x00406532
0x00406537
0x0040653f
0x00406543
0x00406548
0x0040654e
0x00406552
0x00406554
0x00000000
0x00000000
0x0040655a
0x00000000
0x0040655a
0x0040648a
0x00406490
0x00000000
0x00000000
0x00000000
0x004063b0
0x004063b6
0x0040644a
0x00406697
0x00406697
0x0040669d
0x0040669d
0x0040669f
0x004066a4
0x004066ad
0x004066ad
0x004063bc
0x004063c2
0x004063d0
0x004063d3
0x004063d5
0x004063d6
0x004063de
0x004063e3
0x004063e8
0x004063f1
0x004063fa
0x00406401
0x00406403
0x00406403
0x0040640b
0x0040640c
0x0040640d
0x00406411
0x00406420
0x00406424
0x0040642c
0x00406430
0x00406435
0x00406438
0x00406669
0x00406669
0x0040666e
0x00406670
0x00000000
0x00406670
0x004063c4
0x004063ca
0x00000000
0x00000000
0x00000000
0x004063ca

APIs

__EH_prolog.LIBCMT ref: 004062E2

Part of subcall function 004061C1: __EH_prolog.LIBCMT ref: 004061C6
Part of subcall function 004061C1: GetLastError.KERNEL32(000004B1,00000000,?,0040C82E,004675D8,?,00000000,?,00000000,004675D0,?,004675D8), ref: 004061E9
Part of subcall function 004061C1: SysFreeString.OLEAUT32(?), ref: 00406207
Part of subcall function 004061C1: SetLastError.KERNEL32(?,00000001,?,0040C82E,004675D8,?,00000000,?,00000000,004675D0,?,004675D8), ref: 00406227

Part of subcall function 0040125C: __EH_prolog.LIBCMT ref: 00401261
Part of subcall function 0040125C: GetLastError.KERNEL32(000004B1,00000000,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 00401284
Part of subcall function 0040125C: SysFreeString.OLEAUT32(?), ref: 004012A2
Part of subcall function 0040125C: SetLastError.KERNEL32(?,00000001,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 004012C2

Part of subcall function 004075CC: __EH_prolog.LIBCMT ref: 004075D1
Part of subcall function 004075CC: GetDlgItem.USER32 ref: 004075FB
Part of subcall function 004075CC: GetDlgItem.USER32 ref: 0040760B
Part of subcall function 004075CC: GetModuleFileNameW.KERNEL32(00000000,?,00000400,000000FF,?,00000000,?,EXECUTEMODE=None,00000000), ref: 00407661

Strings

PG, xrefs: 00406631
PG, xrefs: 00406403
EXECUTEMODE=None, xrefs: 0040633F, 00406348, 00406354
Hidden prerequisites require, but did not receive, elevation. Exiting setup., xrefs: 00406611, 0040663B
C:\CodeBases\isdev\src\Runtime\Shared\Setup\IsPreReqDlg.cpp, xrefs: 004063D6, 00406498, 00406604
Visible prerequisites require, but did not receive, elevation. Prompting user., xrefs: 004064A5, 004064CF
Administrative privileges are required, but setup is silent. Exiting setup., xrefs: 004063E3, 0040640D
PG, xrefs: 004064C5

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorH_prologLast$FreeItemString$FileModuleName
String ID: Administrative privileges are required, but setup is silent. Exiting setup.$C:\CodeBases\isdev\src\Runtime\Shared\Setup\IsPreReqDlg.cpp$EXECUTEMODE=None$Hidden prerequisites require, but did not receive, elevation. Exiting setup.$PG$PG$PG$Visible prerequisites require, but did not receive, elevation. Prompting user.
API String ID: 2339393409-1621186256
Opcode ID: a84dc3df36e26b5ed3cc031f60c83d12531a3e44d4aa4633481f5b75c7d7ecba
Instruction ID: 23cf843a69c993cd7399e33d81d2eabe48b09648c3711b496e14a46e3337178c
Opcode Fuzzy Hash: a84dc3df36e26b5ed3cc031f60c83d12531a3e44d4aa4633481f5b75c7d7ecba
Instruction Fuzzy Hash: 25B1E270901248BEDB14DFA4D942AEEBB74EB04304F1181BFF806A72C1EB795E58DB59

Uniqueness

Uniqueness Score: -1.00%

Function 00413E2F Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 232
stringCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00413E2F(void* __ebx, void* __edx, void* __esi, void* __eflags) {
				void* __edi;
				struct HWND__* _t40;
				signed int _t46;
				struct HWND__** _t47;
				void* _t48;
				struct HWND__* _t50;
				struct HWND__* _t87;
				void* _t92;
				struct HWND__* _t93;
				void* _t105;
				signed int _t108;
				void* _t156;
				void* _t157;
				intOrPtr* _t160;
				struct HWND__** _t161;
				struct HWND__* _t164;
				intOrPtr _t166;
				void* _t167;

				_t156 = __edx;
				lstrcpyW(__esi + 0x50, 0x4675e4);
				E004061C1(_t167 - 0x48);
				_t40 = E0043C804(__ebx, _t157, __esi + 0x50, _t167, _t157, 3, 0x43b31a,  *(_t167 - 4), 0x46c7c0);
				if(_t40 != 0) {
					_t164 = _t40;
				} else {
					 *((char*)(_t167 - 0xd)) = 1;
					_t46 = L0043BC14(0x234);
					_pop(_t108);
					 *(_t167 - 0x18) = _t46;
					_t166 =  *((intOrPtr*)(_t167 - 0x14));
					 *(_t167 - 4) = 1;
					_t175 = _t46;
					if(_t46 == 0) {
						_t47 = 0;
						__eflags = 0;
					} else {
						_push(_t166);
						_t108 = _t46; // executed
						_t47 = E0042A90D(_t108, _t175); // executed
					}
					_t176 = _t47;
					 *(_t166 + 0x3a8) = _t47;
					 *((char*)(_t167 - 0x20)) = _t108 & 0xffffff00 | _t47 != 0x00000000;
					 *(_t167 - 0x1c) = _t47;
					_push(0x18b);
					_push(_t167 - 0xd);
					 *(_t167 - 4) = 2;
					_t48 = L00415C3A(_t166, _t156, _t47); // executed
					L00415C13(_t166, _t48, _t47);
					_t50 = GetDlgItem( *(_t166 + 0x26c), 9);
					_t105 = EnableWindow;
					EnableWindow(_t50, 0);
					EnableWindow(GetDlgItem( *(_t166 + 0x26c), 2), 0);
					 *((intOrPtr*)(_t166 + 0x39c)) = GetTickCount();
					E0040E0D9(_t166, 5);
					L00415C13(_t166, L00413D51(_t166, _t176), 0x192);
					E0040E0D9(_t166, 0xa);
					if( *((char*)(_t167 - 0xd)) != 0) {
						L00415C13(_t166, E004142B9(_t166, __eflags), 0x195);
						E0040E0D9(_t166, 0xf);
						E0040E0D9(_t166, 0x14);
						L00415C13(_t166, L00414EB6(_t166, __eflags), 0x198);
						E0040E0D9(_t166, 0x19);
						E0040E0D9(_t166, 0x1e);
						_t160 = _t166 + 4;
						__eflags =  *((char*)( *((intOrPtr*)( *((intOrPtr*)(_t166 + 4)) + 0x2c))() + 0x12));
						if(__eflags != 0) {
							L00415C13(_t166, E00416819(_t166, __eflags), 0x19c);
						}
						E0040E0D9(_t166, 0x23);
						E0040E0D9(_t166, 0x28);
						L00415C13(_t166, L004152B1(_t166), 0x19f);
						E0040E0D9(_t166, 0x2d);
						E0040E0D9(_t166, 0x32);
						L00415C13(_t166, E004143BB(_t166, __eflags), 0x1a2);
						E0040E0D9(_t166, 0x4b);
						E0040E0D9(_t166, 0x50);
						L00415C13(_t166, L00415831(_t166, __eflags), 0x1a5);
						E0040E0D9(_t166, 0x55);
						E0040E0D9(_t166, 0x5a);
						L00415C13(_t166, L0041575B(_t105, _t166, __eflags), 0x1a8);
						E0040E0D9(_t166, 0x5f);
						E0040E0D9(_t166, 0x64);
						_t87 = E0040E119(_t166);
						__eflags = _t87;
						if(_t87 == 0) {
							L00429CE8( *((intOrPtr*)(_t166 + 0x260)), 1);
							L0040DFC9(_t166);
							_t92 =  *((intOrPtr*)( *_t160 + 0x2c))( *( *(_t166 + 0x3a8)));
							__eflags =  *((char*)(_t92 + 1));
							if( *((char*)(_t92 + 1)) != 0) {
								L15:
								_t93 = 0;
								__eflags = 0;
							} else {
								__eflags =  *((char*)(_t92 + 2));
								if( *((char*)(_t92 + 2)) != 0) {
									goto L15;
								} else {
									_t93 = 1;
								}
							}
							__eflags = _t93;
							if(__eflags != 0) {
								_t161 =  *(_t166 + 0x3a8);
								__eflags = DestroyWindow( *_t161);
								if(__eflags != 0) {
									 *_t161 =  *_t161 & 0x00000000;
									__eflags =  *_t161;
								}
							}
							L00415C13(_t166, E00414114(_t105, _t166, __eflags), 0x1b6);
							L00415C13(_t166, E0041476A(_t166, __eflags), 0x1b8);
							 *(_t167 - 4) =  *(_t167 - 4) & 0x00000000;
							E0041A4F2(_t167 - 0x20);
							_t164 = 0;
							__eflags = 0;
						} else {
							_t164 = 0x80042000;
							goto L11;
						}
					} else {
						_t164 = 0;
						L11:
						 *(_t167 - 4) =  *(_t167 - 4) & 0x00000000;
						E0041A4F2(_t167 - 0x20);
					}
				}
				L0043B670( *((intOrPtr*)(_t167 - 0x4c)) + 8, _t167 - 0x8c, 0x40);
				 *[fs:0x0] =  *((intOrPtr*)(_t167 - 0xc));
				return _t164;
			}

0x00413e2f
0x00413e39
0x00413e42
0x00413e57
0x00413e61
0x00414110
0x00413e67
0x00413e6c
0x00413e70
0x00413e75
0x00413e76
0x00413e79
0x00413e7c
0x00413e80
0x00413e82
0x00413e8e
0x00413e8e
0x00413e84
0x00413e84
0x00413e85
0x00413e87
0x00413e87
0x00413e90
0x00413e95
0x00413e9b
0x00413e9e
0x00413ea4
0x00413ea9
0x00413ead
0x00413eb1
0x00413eb9
0x00413ece
0x00413ed0
0x00413ed7
0x00413ee6
0x00413ef2
0x00413ef8
0x00413f0c
0x00413f15
0x00413f1e
0x00413f36
0x00413f3f
0x00413f48
0x00413f5c
0x00413f65
0x00413f6e
0x00413f76
0x00413f7e
0x00413f82
0x00413f93
0x00413f93
0x00413f9c
0x00413fa5
0x00413fb9
0x00413fc2
0x00413fcb
0x00413fdf
0x00413fe8
0x00413ff1
0x00414005
0x0041400e
0x00414017
0x0041402b
0x00414034
0x0041403d
0x00414044
0x00414049
0x0041404b
0x0041406b
0x0041407a
0x00414083
0x00414086
0x0041408a
0x00414096
0x00414096
0x00414096
0x0041408c
0x0041408c
0x00414090
0x00000000
0x00414092
0x00414092
0x00414092
0x00414090
0x00414098
0x0041409a
0x0041409c
0x004140aa
0x004140ac
0x004140ae
0x004140ae
0x004140ae
0x004140ac
0x004140c0
0x004140d4
0x004140d9
0x004140e0
0x004140e5
0x004140e5
0x0041404d
0x0041404d
0x00000000
0x0041404d
0x00413f20
0x00413f20
0x00414052
0x00414052
0x00414059
0x00414059
0x00413f1e
0x004140f7
0x00414104
0x0041410f

APIs

lstrcpyW.KERNEL32 ref: 00413E39

Part of subcall function 004061C1: __EH_prolog.LIBCMT ref: 004061C6
Part of subcall function 004061C1: GetLastError.KERNEL32(000004B1,00000000,?,0040C82E,004675D8,?,00000000,?,00000000,004675D0,?,004675D8), ref: 004061E9
Part of subcall function 004061C1: SysFreeString.OLEAUT32(?), ref: 00406207
Part of subcall function 004061C1: SetLastError.KERNEL32(?,00000001,?,0040C82E,004675D8,?,00000000,?,00000000,004675D0,?,004675D8), ref: 00406227

__setjmp3.LIBCMT ref: 00413E57

Part of subcall function 0042A90D: __EH_prolog.LIBCMT ref: 0042A912

GetDlgItem.USER32 ref: 00413ECE
EnableWindow.USER32(00000000), ref: 00413ED7
GetDlgItem.USER32 ref: 00413EE3
EnableWindow.USER32(00000000), ref: 00413EE6
GetTickCount.KERNEL32 ref: 00413EE8

Part of subcall function 0040E0D9: GetDlgItem.USER32 ref: 0040E101
Part of subcall function 0040E0D9: SendMessageW.USER32(00000000), ref: 0040E108

Part of subcall function 00413D51: __EH_prolog.LIBCMT ref: 00413D56
Part of subcall function 00413D51: GetPrivateProfileIntW.KERNEL32(Startup,AllUsers,00000000,?), ref: 00413D95

Part of subcall function 00429CE8: ShowWindow.USER32(00000002,00000000,?,00414070,00000001,00000000,000001A8,00000000,000001A5,00000000,000001A2,00000000,0000019F), ref: 00429CF0

Part of subcall function 0040DFC9: __EH_prolog.LIBCMT ref: 0040DFCE
Part of subcall function 0040DFC9: IsWindow.USER32(?), ref: 0040DFF2
Part of subcall function 0040DFC9: IsWindowVisible.USER32(?), ref: 0040DFFF
Part of subcall function 0040DFC9: DestroyWindow.USER32(?), ref: 0040E07E

DestroyWindow.USER32(?), ref: 004140A4

Strings

uF, xrefs: 00413E2F

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: Window$H_prolog$Item$DestroyEnableErrorLast$CountFreeMessagePrivateProfileSendShowStringTickVisible__setjmp3lstrcpy
String ID: uF
API String ID: 3206880432-700906890
Opcode ID: 9cd722f54e25d885b8618a258e7dcdfd89b3e77283620b95267fefa777a9dcdc
Instruction ID: b78790292c14066eccc6a2296665a68c3a65555ebda6cc5f8f4f307c3496c35a
Opcode Fuzzy Hash: 9cd722f54e25d885b8618a258e7dcdfd89b3e77283620b95267fefa777a9dcdc
Instruction Fuzzy Hash: 3D718270744A20ABDA15B7668C56BED26565BD4F08F00046EF206BB2C3DFED4A8187DE

Uniqueness

Uniqueness Score: -1.00%

Function 0040390F Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 121
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E0040390F(intOrPtr __ecx, void* __eflags) {
				void* _t61;
				void* _t62;
				char* _t67;
				signed char _t80;
				intOrPtr* _t92;
				void* _t107;
				void* _t109;
				intOrPtr* _t112;
				intOrPtr _t113;
				intOrPtr _t114;
				void* _t118;

				_t118 = __eflags;
				L0043B644(0x45f0d4, _t107);
				 *(_t107 - 0x18) =  *(_t107 - 0x18) & 0x00000000;
				 *((intOrPtr*)(_t107 - 0x14)) = __ecx;
				_push(0);
				_push(_t107 - 0xe);
				 *((intOrPtr*)(_t107 - 0x4c)) = 0x46757c;
				 *((intOrPtr*)(_t107 - 0x2c)) = 0x467574;
				L00401C68(_t107 - 0x4c);
				_t80 = 1;
				 *(_t107 - 4) = _t80;
				L004057E0(_t107 - 0x4c, L"0x%04x",  *(_t107 + 0xc) & 0x0000ffff);
				_push(L".ini");
				_push(_t107 - 0x4c);
				_push(_t107 - 0xec);
				 *(_t107 + 0xc) = L00405EDE(_t118);
				 *(_t107 - 4) = 2;
				_t61 = L00403C08( *((intOrPtr*)(_t107 - 0x14)), _t107 - 0x9c);
				_push(0);
				_push(0);
				_push(_t107 - 0xc4);
				 *(_t107 - 4) = 3;
				_t62 = L00401840(_t61, _t118);
				_push( *(_t107 + 0xc));
				 *(_t107 - 4) = 4;
				_push(_t107 - 0x74);
				L00405670(_t62, _t118);
				 *(_t107 - 4) = 8;
				L0040125C(_t107 - 0xc4);
				 *(_t107 - 4) = 7;
				L0040125C(_t107 - 0x9c);
				 *(_t107 - 4) = 6;
				L0040125C(_t107 - 0xec);
				_t112 = _t109 - 0xe0 + 0x18 - 0x28;
				_t67 = L"MS Sans Serif";
				_t92 = _t112;
				_t119 = _t67;
				 *((intOrPtr*)(_t107 - 0x14)) = _t112;
				 *_t92 = 0x46757c;
				 *((intOrPtr*)(_t92 + 0x20)) = 0x467574;
				if(_t67 == 0) {
					_t67 = 0x47e150;
				}
				_push(0);
				_push(_t107 + 0xf);
				_push(_t67);
				L0040176A(_t92);
				_t113 = _t112 - 0x28;
				 *((intOrPtr*)(_t107 - 0x24)) = _t113;
				 *(_t107 - 4) = 9;
				L00401732(_t113, L"FontName", _t107 - 0xf, _t80);
				_t114 = _t113 - 0x28;
				 *((intOrPtr*)(_t107 - 0x1c)) = _t114;
				 *(_t107 - 4) = 0xa;
				L00401732(_t114, L"Properties", _t107 - 0xd, _t80);
				 *((intOrPtr*)(_t107 - 0x20)) = _t114 - 0x28;
				 *(_t107 - 4) = 0xb;
				L00401708(_t114 - 0x28, _t107 - 0x74, _t80);
				_push( *((intOrPtr*)(_t107 + 8)));
				 *(_t107 - 4) = 6;
				E0042F67D(_t119); // executed
				 *(_t107 - 0x18) = _t80;
				 *(_t107 - 4) = _t80;
				L0040125C(_t107 - 0x74);
				 *(_t107 - 4) =  *(_t107 - 4) & 0x00000000;
				L0040125C(_t107 - 0x4c);
				 *[fs:0x0] =  *((intOrPtr*)(_t107 - 0xc));
				return  *((intOrPtr*)(_t107 + 8));
			}

0x0040390f
0x00403914
0x0040391f
0x00403926
0x00403936
0x00403938
0x0040393c
0x0040393f
0x00403942
0x0040394d
0x00403958
0x0040395b
0x00403963
0x00403968
0x0040396f
0x00403978
0x00403985
0x00403989
0x0040398e
0x00403996
0x00403998
0x0040399b
0x0040399f
0x004039a4
0x004039aa
0x004039ae
0x004039b1
0x004039bc
0x004039c0
0x004039cb
0x004039cf
0x004039da
0x004039de
0x004039e3
0x004039e6
0x004039eb
0x004039ef
0x004039f1
0x004039f4
0x004039f6
0x004039f9
0x004039fb
0x004039fb
0x00403a03
0x00403a05
0x00403a06
0x00403a07
0x00403a0c
0x00403a14
0x00403a1e
0x00403a22
0x00403a27
0x00403a2f
0x00403a39
0x00403a3d
0x00403a4a
0x00403a4f
0x00403a53
0x00403a58
0x00403a5b
0x00403a5f
0x00403a6a
0x00403a70
0x00403a73
0x00403a78
0x00403a7f
0x00403a8c
0x00403a95

APIs

__EH_prolog.LIBCMT ref: 00403914

Part of subcall function 00401C68: __EH_prolog.LIBCMT ref: 00401C6D
Part of subcall function 00401C68: GetLastError.KERNEL32(00467574,00000000,0046757C,?,0040E781,?,00000000,?,00000000), ref: 00401C96
Part of subcall function 00401C68: SetLastError.KERNEL32(?,00000000,?,0040E781,?,00000000,?,00000000), ref: 00401CC4

Part of subcall function 00405EDE: __EH_prolog.LIBCMT ref: 00405EE3

Part of subcall function 00401840: __EH_prolog.LIBCMT ref: 00401845

Part of subcall function 00405670: __EH_prolog.LIBCMT ref: 00405675

Part of subcall function 0040125C: __EH_prolog.LIBCMT ref: 00401261
Part of subcall function 0040125C: GetLastError.KERNEL32(000004B1,00000000,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 00401284
Part of subcall function 0040125C: SysFreeString.OLEAUT32(?), ref: 004012A2
Part of subcall function 0040125C: SetLastError.KERNEL32(?,00000001,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 004012C2

Strings

Properties, xrefs: 00403A34
FontName, xrefs: 00403A19
tuF, xrefs: 00403931
|uF, xrefs: 0040392C
MS Sans Serif, xrefs: 004039E6, 00403A06
PG, xrefs: 004039FB
.ini, xrefs: 00403963
0x%04x, xrefs: 00403952

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: H_prolog$ErrorLast$FreeString
String ID: .ini$0x%04x$FontName$MS Sans Serif$Properties$PG$tuF$|uF
API String ID: 3733137895-955165981
Opcode ID: 7a221de2cf37873e660a39aa619044bf611ee73671368606a8d07899e031cac2
Instruction ID: 9ba457b9b8a31f0aa696f61e3a749532547768523141a5e44529961e0101b941
Opcode Fuzzy Hash: 7a221de2cf37873e660a39aa619044bf611ee73671368606a8d07899e031cac2
Instruction Fuzzy Hash: 76416671D01248EEDB05EBA5C946BDDBBB89F55308F1080AEF409B72C2D7785B08CB66

Uniqueness

Uniqueness Score: -1.00%

Function 00445850 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186
registryCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E00445850(void* __ecx, struct HWND__* _a4, struct HWND__* _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40) {
				int _v4;
				intOrPtr _v12;
				struct _WNDCLASSEXW _v60;
				char _v64;
				char _v68;
				char _v72;
				char _v76;
				void* _t55;
				intOrPtr _t57;
				intOrPtr _t58;
				intOrPtr _t59;
				struct HWND__* _t65;
				intOrPtr _t66;
				intOrPtr _t67;
				void* _t70;
				intOrPtr _t71;
				struct HWND__* _t79;
				struct HWND__* _t81;
				int _t83;
				intOrPtr _t88;
				intOrPtr _t89;
				intOrPtr _t90;
				intOrPtr _t105;
				intOrPtr _t106;
				intOrPtr _t107;
				intOrPtr _t108;
				intOrPtr _t109;
				intOrPtr _t113;
				intOrPtr _t118;
				struct HWND__** _t122;
				void* _t124;
				int _t129;
				intOrPtr _t130;
				void* _t131;

				_push(0xffffffff);
				_push(0x4650fb);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t130;
				_t131 = _t130 - 0x40;
				_t81 = _a4;
				_t124 = __ecx;
				if(IsWindow(_t81) == 0) {
					L20:
					_t55 = 0x80070057;
					L21:
					 *[fs:0x0] = _v12;
					return _t55;
				}
				 *(_t124 + 0xc) = _t81;
				_v76 = 0;
				_v72 = 0;
				 *(_t124 + 0x14) = 0 | _a28 != 0x00000000;
				_t105 =  *0x47db64; // 0xb
				_t88 =  *0x47db70; // 0x0
				_v68 = 0;
				_v64 = 0;
				_t57 =  *0x47db6c; // 0x0
				_v60.cbClsExtra = _t57;
				_t58 =  *0x47db78; // 0x0
				_v60.style = _t105;
				_t106 =  *0x47e26c; // 0x400000
				_v60.hIcon = _t58;
				_t59 =  *0x47db84; // 0x0
				_v60.cbWndExtra = _t88;
				_t89 =  *0x47db7c; // 0x0
				_v60.hInstance = _t106;
				_t107 =  *0x47db80; // 0x6
				_v60.lpszMenuName = _t59;
				_v60.hCursor = _t89;
				_t90 =  *0x47db88; // 0x47db48
				_v60.hbrBackground = _t107;
				_t108 =  *0x47db8c; // 0x0
				_v60.cbSize = 0x30;
				_v60.lpfnWndProc = 0x4478f0;
				_v60.lpszClassName = _t90;
				_v60.hIconSm = _t108;
				RegisterClassExW( &_v60);
				_t109 =  *0x47db88; // 0x47db48
				_t122 = _t124 + 4;
				E00447CD0(_t122, _t109, _t81,  &_v76, 0, 0x40000000, 0x20, 0, _t124);
				if(IsWindow( *_t122) != 0) {
					_t65 = _a8;
					if(_t65 != 0) {
						_push(3);
						if(_a12 != 3) {
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(_t65);
							_push( *_t122);
						} else {
							_t79 = GetWindow(_t65, ??);
							_push(3);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							if(_t79 == 0) {
								_push(0);
								_push( *_t122);
							} else {
								_push(_t79);
								_push( *_t122);
							}
						}
						SetWindowPos();
					}
					_t66 = L0043BC14(0x7c);
					_t131 = _t131 + 4;
					_a28 = _t66;
					_v4 = 0;
					if(_t66 == 0) {
						_t67 = 0;
					} else {
						_t118 =  *0x47e26c; // 0x400000
						_t67 = L004455C0(_t66,  *_t122, _t118, _a32);
					}
					_v4 = 0xffffffff;
					 *((intOrPtr*)(_t124 + 8)) = _t67;
					if(_t67 != 0) {
						 *((intOrPtr*)(_t67 + 0x6c)) = _a40;
						_t68 = _a16;
						if(_a16 == 0) {
							_t70 = L00445680( *((intOrPtr*)(_t124 + 8)), _a20, _a24);
						} else {
							_t70 = L00445660( *((intOrPtr*)(_t124 + 8)), _t68, _a24);
						}
						if(_t70 == 0) {
							goto L20;
						} else {
							_t71 =  *((intOrPtr*)(_t124 + 8));
							_t129 =  *(_t124 + 0x1c);
							_t83 =  *(_t124 + 0x20);
							 *((intOrPtr*)(_t124 + 0x24)) =  *((intOrPtr*)(_t71 + 0x24)) + _t129;
							_t113 =  *((intOrPtr*)(_t71 + 0x28)) + _t83;
							 *((intOrPtr*)(_t124 + 0x28)) = _t113;
							MoveWindow( *_t122, _t129, _t83,  *((intOrPtr*)(_t124 + 0x24)) - _t129, _t113 - _t83, 0);
							ShowWindow( *_t122, 0); // executed
							 *((intOrPtr*)( *((intOrPtr*)(_t124 + 8)) + 0x5c)) = _a36;
							_t55 = 0;
							goto L21;
						}
					} else {
						_t55 = 0x8007000e;
						goto L21;
					}
				}
				_t55 = 0x80004005;
				goto L21;
			}

0x00445856
0x00445858
0x0044585d
0x0044585e
0x00445865
0x00445869
0x00445876
0x0044587d
0x00445a72
0x00445a72
0x00445a77
0x00445a7f
0x00445a89
0x00445a89
0x0044588c
0x0044588f
0x00445893
0x0044589a
0x0044589d
0x004458a3
0x004458a9
0x004458ad
0x004458b1
0x004458b6
0x004458ba
0x004458bf
0x004458c3
0x004458c9
0x004458cd
0x004458d2
0x004458d6
0x004458dc
0x004458e0
0x004458e6
0x004458ea
0x004458ee
0x004458f4
0x004458f8
0x00445903
0x0044590b
0x00445913
0x00445917
0x0044591b
0x00445921
0x00445937
0x0044593f
0x0044594b
0x00445957
0x0044595d
0x00445963
0x00445968
0x0044598c
0x0044598e
0x00445990
0x00445992
0x00445994
0x00445997
0x0044596a
0x0044596b
0x00445971
0x00445973
0x00445975
0x00445977
0x0044597b
0x0044597d
0x00445987
0x00445989
0x0044597f
0x00445981
0x00445982
0x00445982
0x0044597d
0x00445998
0x00445998
0x004459a0
0x004459a5
0x004459a8
0x004459ae
0x004459b6
0x004459d0
0x004459b8
0x004459bc
0x004459c9
0x004459c9
0x004459d4
0x004459dc
0x004459df
0x004459f2
0x004459f5
0x004459fb
0x00445a1a
0x004459fd
0x00445a06
0x00445a06
0x00445a21
0x00000000
0x00445a23
0x00445a23
0x00445a26
0x00445a29
0x00445a33
0x00445a39
0x00445a3d
0x00445a50
0x00445a5b
0x00445a6b
0x00445a6e
0x00000000
0x00445a6e
0x004459e1
0x004459e1
0x00000000
0x004459e1
0x004459df
0x0044594d
0x00000000

APIs

IsWindow.USER32(?), ref: 00445879
RegisterClassExW.USER32 ref: 0044591B

Part of subcall function 00447CD0: CreateWindowExW.USER32 ref: 00447D16

IsWindow.USER32(00000000), ref: 00445947
GetWindow.USER32(?,00000003), ref: 0044596B
SetWindowPos.USER32(?,?,00000000,00000000,00000000,00000000,00000003), ref: 00445998

Strings

0, xrefs: 00445903

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: Window$ClassCreateRegister
String ID: 0
API String ID: 1100856013-4108050209
Opcode ID: 3ae4bd54784b573103ca3c0ad7568d7cac8af681f24671838c5c6a5bf8a2bfbe
Instruction ID: 753cc0ef4dabb3c464a4c8c9a8544ccefb63bf5db9d53b7191bccfbd410a0fe7
Opcode Fuzzy Hash: 3ae4bd54784b573103ca3c0ad7568d7cac8af681f24671838c5c6a5bf8a2bfbe
Instruction Fuzzy Hash: 356139B0604701AFE714CF65DC80B2BB7E9AB88710F108A2EF54987391E774E840CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 0042B284 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E0042B284(struct HWND__* _a4, int _a8, unsigned int _a12, long _a16) {
				void* __ebp;
				int _t27;
				long _t31;
				void* _t32;
				void* _t34;
				void* _t38;
				signed int _t41;
				void* _t47;
				void* _t50;
				void* _t51;
				long _t55;
				struct HWND__* _t59;
				void* _t64;
				void* _t66;
				intOrPtr* _t73;
				void* _t74;
				WCHAR* _t75;

				_t59 = _a4;
				_t75 = L"This";
				_t73 = GetPropW(_t59, _t75);
				_t27 = _a8;
				if(_t27 == 0) {
					 *((intOrPtr*)( *_t73 + 0x28))();
					RemovePropW(_t59, _t75);
					 *(_t73 + 4) =  *(_t73 + 4) & 0x00000000;
					L24:
					_t31 = DefWindowProcW(_t59, _a8, _a12, _a16); // executed
					return _t31;
				}
				_t32 = _t27 - 0xd;
				if(_t32 == 0) {
					L0042B675(_t73);
					goto L24;
				}
				_t34 = _t32 - 0x101;
				if(_t34 == 0) {
					_t74 = _a16;
					 *(_t74 + 4) = _t59;
					SetPropW(_t59, _t75, _t74); // executed
					return  *((intOrPtr*)( *_t74 + 0xc))();
				}
				_t38 = _t34 - 1;
				if(_t38 == 0) {
					if(_a12 >> 0x10 != 0) {
						goto L24;
					}
					_t41 = _a12 & 0x0000ffff;
					_t64 = _t41 - 1;
					if(_t64 == 0) {
						return  *((intOrPtr*)( *_t73 + 0x18))();
					}
					_t66 = _t64 - 1;
					if(_t66 == 0 || _t66 == 7) {
						return  *((intOrPtr*)( *_t73 + 0x14))();
					} else {
						return  *((intOrPtr*)( *_t73 + 0x1c))(_t41);
					}
				}
				_t47 = _t38 - 1;
				if(_t47 == 0) {
					_push(_a12);
					if( *((intOrPtr*)( *_t73 + 0x2c))() == 0) {
						goto L24;
					}
					_t50 = 1;
					return _t50;
				}
				_t51 = _t47 - 1;
				if(_t51 == 0) {
					 *((intOrPtr*)( *_t73 + 0x10))(_a12);
					goto L24;
				}
				if(_t51 != 0x25) {
					goto L24;
				}
				_t55 = GetWindowLongW(_a16, 0xfffffff4);
				if(_t55 < 0x33 || _t55 > 0x34 && _t55 != 0xd0) {
					goto L24;
				} else {
					SetBkColor(_a12, GetSysColor(5));
					return  *((intOrPtr*)(_t73 + 0x10));
				}
			}

0x0042b288
0x0042b28c
0x0042b29a
0x0042b2a0
0x0042b2a1
0x0042b387
0x0042b38c
0x0042b392
0x0042b396
0x0042b3a0
0x00000000
0x0042b3a0
0x0042b2a7
0x0042b2aa
0x0042b37c
0x00000000
0x0042b37c
0x0042b2b0
0x0042b2b5
0x0042b362
0x0042b368
0x0042b36b
0x00000000
0x0042b375
0x0042b2bb
0x0042b2bc
0x0042b333
0x00000000
0x00000000
0x0042b335
0x0042b33b
0x0042b33c
0x00000000
0x0042b35d
0x0042b33e
0x0042b33f
0x00000000
0x0042b346
0x00000000
0x0042b34b
0x0042b33f
0x0042b2be
0x0042b2bf
0x0042b319
0x0042b323
0x00000000
0x00000000
0x0042b327
0x00000000
0x0042b327
0x0042b2c1
0x0042b2c2
0x0042b312
0x00000000
0x0042b312
0x0042b2c7
0x00000000
0x00000000
0x0042b2d2
0x0042b2db
0x00000000
0x0042b2f1
0x0042b2fd
0x00000000
0x0042b303

APIs

GetPropW.USER32(?,This), ref: 0042B294
GetWindowLongW.USER32(?,000000F4), ref: 0042B2D2
GetSysColor.USER32(00000005), ref: 0042B2F3
SetBkColor.GDI32(?,00000000), ref: 0042B2FD
SetPropW.USER32 ref: 0042B36B
RemovePropW.USER32 ref: 0042B38C
DefWindowProcW.USER32(?,?,?,?), ref: 0042B3A0

Strings

This, xrefs: 0042B28C, 0042B292, 0042B366, 0042B38A

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: Prop$ColorWindow$LongProcRemove
String ID: This
API String ID: 1744480154-1591487769
Opcode ID: 97938da65f07f73eeddc0e21a3a3181baf2d2fbeeeb0ea6f2e2161a93df7b000
Instruction ID: d040960d6d8949acdfc64b9425b19b445601525141a8111c814f669de66ffdbf
Opcode Fuzzy Hash: 97938da65f07f73eeddc0e21a3a3181baf2d2fbeeeb0ea6f2e2161a93df7b000
Instruction Fuzzy Hash: 33317930304126ABCB14DF24ED8897E3B65FF88351BA44556F916C73A1EB38DC11DBAA

Uniqueness

Uniqueness Score: -1.00%

Function 0042B01F Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0042B01F(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, void* _a16) {
				intOrPtr _t16;
				void* _t19;
				void* _t22;
				intOrPtr _t25;
				void* _t26;
				void* _t33;
				void* _t34;
				struct HWND__* _t36;
				WCHAR* _t37;

				_t36 = _a4;
				_t37 = L"This";
				_t33 = GetPropW(_t36, _t37);
				_t16 = _a8;
				if(_t16 == 0) {
					RemovePropW(_t36, _t37);
					L14:
					return 0;
				}
				_t19 = _t16 - 0x10e;
				if(_t19 == 0) {
					_t34 = _a16;
					 *_t34 = _t36; // executed
					SetPropW(_t36, _t37, _t34); // executed
					return E0042B0EA(_t34);
				}
				_t22 = _t19 - 1;
				if(_t22 == 0) {
					if(_a12 >> 0x10 != 0 || _a12 != 2 && _a12 != 9) {
						goto L14;
					} else {
						_t25 =  *((intOrPtr*)(_t33 + 0x230));
						if(_t25 != 0 && IsWindow( *(_t25 + 4)) != 0) {
							SendMessageW( *( *((intOrPtr*)(_t33 + 0x230)) + 4), 0x111, 2, 0);
						}
						_t26 = 1;
						return _t26;
					}
				}
				if(_t22 == 5) {
					EnableMenuItem(_a12, 0xf030, 3);
					EnableMenuItem(_a12, 0xf000, 3);
				}
				goto L14;
			}

0x0042b025
0x0042b028
0x0042b035
0x0042b03b
0x0042b03c
0x0042b0db
0x0042b0e1
0x00000000
0x0042b0e1
0x0042b042
0x0042b047
0x0042b0c2
0x0042b0c8
0x0042b0ca
0x00000000
0x0042b0d2
0x0042b049
0x0042b04a
0x0042b07e
0x00000000
0x0042b08e
0x0042b08e
0x0042b096
0x0042b0b7
0x0042b0b7
0x0042b0bf
0x00000000
0x0042b0bf
0x0042b07e
0x0042b04f
0x0042b065
0x0042b071
0x0042b071
0x00000000

APIs

GetPropW.USER32(?,This), ref: 0042B02F
EnableMenuItem.USER32 ref: 0042B065
EnableMenuItem.USER32 ref: 0042B071
IsWindow.USER32(?), ref: 0042B09B
SendMessageW.USER32(?,00000111,00000002,00000000), ref: 0042B0B7
SetPropW.USER32 ref: 0042B0CA
RemovePropW.USER32 ref: 0042B0DB

Strings

This, xrefs: 0042B028, 0042B02D, 0042B0C6, 0042B0D9

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: Prop$EnableItemMenu$MessageRemoveSendWindow
String ID: This
API String ID: 2617454859-1591487769
Opcode ID: e416a5262ef19277973839e641cfd7a40f4df7c5124853867dfe1284b51d5745
Instruction ID: eb9e8098fd055c13f47c81e177a9c0e955d19120f1a54250a030d2d65265da1c
Opcode Fuzzy Hash: e416a5262ef19277973839e641cfd7a40f4df7c5124853867dfe1284b51d5745
Instruction Fuzzy Hash: 9D11E430300225ABDB225F15EC49FAB7F68EF04754F448062F9169A2A2DBB8DD40D7E9

Uniqueness

Uniqueness Score: -1.00%

Function 0041784A Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 291
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E0041784A(intOrPtr __ecx) {
				void* _t127;
				void* _t131;
				void* _t132;
				intOrPtr* _t133;
				intOrPtr* _t134;
				void* _t138;
				intOrPtr* _t139;
				char* _t151;
				void* _t156;
				void* _t162;
				void* _t176;
				void* _t180;
				void* _t188;
				void* _t189;
				intOrPtr* _t190;
				intOrPtr* _t191;
				void* _t195;
				intOrPtr* _t196;
				intOrPtr* _t294;
				void* _t296;
				void* _t298;
				void* _t299;
				intOrPtr _t300;
				void* _t301;
				intOrPtr _t302;
				intOrPtr _t303;

				L0043B644(0x4619a9, _t296);
				_t299 = _t298 - 0xe8;
				 *((intOrPtr*)(_t296 - 0x10)) = __ecx;
				 *((char*)(_t296 - 0x2c)) = 0;
				 *((intOrPtr*)(_t296 - 0x28)) = 0;
				_t294 = __ecx + 4;
				 *((intOrPtr*)(_t296 - 4)) = 0;
				_t127 =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 4)) + 0x2c))();
				_t305 =  *((intOrPtr*)(_t127 + 0x14));
				if( *((intOrPtr*)(_t127 + 0x14)) != 0) {
					_t131 = E004083DD( *((intOrPtr*)( *_t294 + 0x2c))(), _t296 - 0xa4);
					 *((char*)(_t296 - 4)) = 8;
					_t132 = E00402200(_t131, _t296 - 0x7c);
					 *((char*)(_t296 - 4)) = 9;
					_t133 = L00401813(_t132, _t296 - 0x48, 0);
					 *((char*)(_t296 - 4)) = 0xa;
					 *((char*)(_t133 + 4)) = 1;
					_t134 = L00401E6C(_t133,  *_t133);
					_t138 = L00403789( *((intOrPtr*)( *_t294 + 0x2c))(), _t296 - 0xf4);
					 *((char*)(_t296 - 4)) = 0xb;
					_t139 = L00401813(_t138, _t296 - 0x54, 0);
					 *((char*)(_t296 - 4)) = 0xc;
					 *((char*)(_t139 + 4)) = 1;
					E00417C8A(_t296 - 0x2c, __eflags,  *((intOrPtr*)(L00401E6C(_t139,  *_t139))),  *_t134, 0, 0, 1);
					 *((char*)(_t296 - 4)) = 0xb;
					L00401A9C(_t296 - 0x54);
					 *((char*)(_t296 - 4)) = 0xa;
					L0040125C(_t296 - 0xf4);
					 *((char*)(_t296 - 4)) = 9;
					L00401A9C(_t296 - 0x48);
					 *((char*)(_t296 - 4)) = 8;
					L0040125C(_t296 - 0x7c);
					 *((char*)(_t296 - 4)) = 0;
					L0040125C(_t296 - 0xa4);
				} else {
					 *((intOrPtr*)(_t296 - 0x20)) = 0;
					 *((char*)(_t296 - 0x24)) =  *((intOrPtr*)(_t296 + 0xb));
					 *((intOrPtr*)(_t296 - 0x1c)) = 0;
					 *((intOrPtr*)(_t296 - 0x18)) = 0;
					 *((intOrPtr*)(_t296 - 0x38)) = 0;
					 *((char*)(_t296 - 0x3c)) =  *((intOrPtr*)(_t296 + 0xb));
					 *((intOrPtr*)(_t296 - 0x34)) = 0;
					 *((intOrPtr*)(_t296 - 0x30)) = 0;
					 *((char*)(_t296 - 4)) = 2;
					_t188 = E004083DD( *((intOrPtr*)( *_t294 + 0x2c))(), _t296 - 0xf4);
					 *((char*)(_t296 - 4)) = 3;
					_t189 = E00402200(_t188, _t296 - 0xa4);
					 *((char*)(_t296 - 4)) = 4;
					_t190 = L00401813(_t189, _t296 - 0x54, 0);
					 *((char*)(_t296 - 4)) = 5;
					 *((char*)(_t190 + 4)) = 1;
					_t191 = L00401E6C(_t190,  *_t190);
					_t195 = L00403789( *((intOrPtr*)( *_t294 + 0x2c))(), _t296 - 0x7c);
					 *((char*)(_t296 - 4)) = 6;
					_t196 = L00401813(_t195, _t296 - 0x48, 0);
					 *((char*)(_t296 - 4)) = 7;
					 *((char*)(_t196 + 4)) = 1;
					E00417C8A(_t296 - 0x2c, _t305,  *((intOrPtr*)(L00401E6C(_t196,  *_t196))),  *_t191, _t296 - 0x24, _t296 - 0x3c, 0); // executed
					 *((char*)(_t296 - 4)) = 6;
					L00401A9C(_t296 - 0x48);
					 *((char*)(_t296 - 4)) = 5;
					L0040125C(_t296 - 0x7c);
					 *((char*)(_t296 - 4)) = 4;
					L00401A9C(_t296 - 0x54);
					 *((char*)(_t296 - 4)) = 3;
					L0040125C(_t296 - 0xa4);
					 *((char*)(_t296 - 4)) = 2;
					L0040125C(_t296 - 0xf4);
					L00419C1F( *((intOrPtr*)( *((intOrPtr*)(_t296 - 0x10)) + 0x3a4)),  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t296 - 0x10)) + 0x3a4)) + 8)),  *((intOrPtr*)(_t296 - 0x20)),  *((intOrPtr*)(_t296 - 0x1c)));
					L00417C72( *((intOrPtr*)( *((intOrPtr*)(_t296 - 0x10)) + 0x3a4)), _t296 - 0x3c);
					 *((char*)(_t296 - 4)) = 1;
					L00401C2F(_t296 - 0x3c);
					 *((char*)(_t296 - 4)) = 0;
					L00401C2F(_t296 - 0x24);
				}
				L00405885( *((intOrPtr*)(_t296 + 8)) + 4, L" -package", L0043BA1F(L" -package"));
				_t151 = L"Disk1";
				 *((intOrPtr*)(_t296 - 0xa4)) = 0x46757c;
				 *((intOrPtr*)(_t296 - 0x84)) = 0x467574;
				_t306 = _t151;
				if(_t151 == 0) {
					_t151 = 0x47e150;
				}
				_t88 = _t296 - 0xa4; // 0x46757c
				L0040176A(_t88);
				 *((char*)(_t296 - 4)) = 0xd;
				_t156 = E004083DD( *((intOrPtr*)( *_t294 + 0x2c))(_t151, _t296 + 0xb, 0), _t296 - 0xf4);
				_t92 = _t296 - 0xa4; // 0x46757c
				 *((char*)(_t296 - 4)) = 0xe;
				_push(_t296 - 0xcc);
				L00405670(_t156, _t306);
				 *((char*)(_t296 - 4)) = 0x11;
				L0040125C(_t296 - 0xf4);
				_t97 = _t296 - 0xa4; // 0x46757c
				 *((char*)(_t296 - 4)) = 0x10;
				L0040125C(_t97);
				_push(0xc);
				_t300 = _t299 - 0x28;
				 *((intOrPtr*)(_t296 - 0x10)) = _t300;
				L00401708(_t300, _t296 - 0xcc, 1); // executed
				_t162 = E0042CFBE(); // executed
				_t301 = _t300 + 0x2c;
				_t307 = _t162;
				if(_t162 == 0) {
					_t180 = E004083DD( *((intOrPtr*)( *_t294 + 0x2c))(), _t296 - 0x7c);
					 *((char*)(_t296 - 4)) = 0x12;
					L00401A1E(_t296 - 0xcc, _t180);
					 *((char*)(_t296 - 4)) = 0x10;
					L0040125C(_t296 - 0x7c);
				}
				_t302 = _t301 - 0x28;
				 *((intOrPtr*)(_t296 - 0x10)) = _t302;
				L00401708(_t302, _t296 - 0xcc, 1);
				 *((char*)(_t296 - 4)) = 0x10;
				L00417C04( *((intOrPtr*)( *_t294 + 0x2c))(), _t307);
				L00401732(_t296 - 0x7c, L"setup.exe", _t296 - 0x11, 1);
				_t303 = _t302 - 0x28;
				 *((intOrPtr*)(_t296 - 0x10)) = _t303;
				 *((char*)(_t296 - 4)) = 0x14;
				L00405670(_t296 - 0xcc, _t307);
				 *((char*)(_t296 - 4)) = 0x14;
				L00417C3B( *((intOrPtr*)( *_t294 + 0x2c))(_t303, _t296 - 0x7c), _t307);
				 *((char*)(_t296 - 4)) = 0x10;
				L0040125C(_t296 - 0x7c);
				 *((char*)(_t296 - 4)) = 0;
				_t176 = L0040125C(_t296 - 0xcc);
				 *[fs:0x0] =  *((intOrPtr*)(_t296 - 0xc));
				return _t176;
			}

0x0041784f
0x00417854
0x0041785f
0x00417862
0x00417865
0x0041786b
0x00417870
0x00417873
0x00417876
0x00417879
0x004179c6
0x004179ce
0x004179d5
0x004179e1
0x004179e5
0x004179ec
0x004179f0
0x004179f4
0x00417a0b
0x00417a17
0x00417a1b
0x00417a22
0x00417a26
0x00417a3a
0x00417a42
0x00417a46
0x00417a51
0x00417a55
0x00417a5d
0x00417a61
0x00417a69
0x00417a6d
0x00417a78
0x00417a7b
0x0041787f
0x00417882
0x00417885
0x00417888
0x0041788b
0x00417891
0x00417894
0x00417897
0x0041789a
0x004178a8
0x004178b1
0x004178bc
0x004178c3
0x004178cf
0x004178d3
0x004178da
0x004178de
0x004178e2
0x004178f6
0x00417902
0x00417906
0x0041790d
0x00417911
0x0041792a
0x00417932
0x00417936
0x0041793e
0x00417942
0x0041794a
0x0041794e
0x00417959
0x0041795d
0x00417962
0x0041796c
0x0041798a
0x00417995
0x0041799d
0x004179a1
0x004179a9
0x004179ac
0x004179ac
0x00417a94
0x00417a99
0x00417a9e
0x00417aaa
0x00417ab4
0x00417ab6
0x00417ab8
0x00417ab8
0x00417ac3
0x00417ac9
0x00417ad9
0x00417ae2
0x00417ae7
0x00417aed
0x00417af8
0x00417afb
0x00417b06
0x00417b0a
0x00417b0f
0x00417b15
0x00417b19
0x00417b1e
0x00417b26
0x00417b2b
0x00417b31
0x00417b36
0x00417b3b
0x00417b3e
0x00417b40
0x00417b4f
0x00417b5b
0x00417b5f
0x00417b67
0x00417b6b
0x00417b6b
0x00417b70
0x00417b7b
0x00417b81
0x00417b8a
0x00417b93
0x00417ba6
0x00417bab
0x00417bb3
0x00417bbe
0x00417bc2
0x00417bcb
0x00417bd4
0x00417bdc
0x00417be0
0x00417beb
0x00417bee
0x00417bf8
0x00417c01

APIs

__EH_prolog.LIBCMT ref: 0041784F

Part of subcall function 00401E6C: SysStringLen.OLEAUT32(?), ref: 00401E7A
Part of subcall function 00401E6C: SysReAllocStringLen.OLEAUT32(?,?,?), ref: 00401E96

Part of subcall function 00417C8A: __EH_prolog.LIBCMT ref: 00417C8F
Part of subcall function 00417C8A: FindFirstFileW.KERNELBASE(?,?,?,00000001), ref: 00417CF5

Part of subcall function 00401A9C: __EH_prolog.LIBCMT ref: 00401AA1
Part of subcall function 00401A9C: GetLastError.KERNEL32(00467574,00000000), ref: 00401AAD
Part of subcall function 00401A9C: SetLastError.KERNEL32(00000000), ref: 00401B01

Part of subcall function 0040125C: __EH_prolog.LIBCMT ref: 00401261
Part of subcall function 0040125C: GetLastError.KERNEL32(000004B1,00000000,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 00401284
Part of subcall function 0040125C: SysFreeString.OLEAUT32(?), ref: 004012A2
Part of subcall function 0040125C: SetLastError.KERNEL32(?,00000001,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 004012C2

Part of subcall function 0042CFBE: __EH_prolog.LIBCMT ref: 0042CFC3

Strings

setup.exe, xrefs: 00417B9E
Disk1, xrefs: 00417A99, 00417AC2
tuF, xrefs: 00417AAA
|uF, xrefs: 00417AC3
-package, xrefs: 00417A80, 00417A85, 00417A90
PG, xrefs: 00417AB8

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: H_prolog$ErrorLast$String$AllocFileFindFirstFree
String ID: -package$Disk1$PG$setup.exe$tuF$|uF
API String ID: 2085581952-2098493489
Opcode ID: 725b4c4862200e10e5be6f39f501f851f45de7f89bd57ebe5ca02d4063004450
Instruction ID: c66d4f8ae5a8e2a7fd7d891e8e966d809d4a3e819467923d37ba2ecf99a9cd9f
Opcode Fuzzy Hash: 725b4c4862200e10e5be6f39f501f851f45de7f89bd57ebe5ca02d4063004450
Instruction Fuzzy Hash: E0C1C334904248DFDB14EBB4C595BEDBBB4AF59304F1080AEE44AB7392DB785B08CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00412088 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 190
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00412088(void* __ecx) {
				void* __edi;
				void* _t77;
				void* _t87;
				intOrPtr _t100;
				intOrPtr* _t103;
				void* _t109;
				void* _t125;
				signed char _t126;
				void* _t160;
				void* _t161;
				char* _t166;
				void* _t167;
				void* _t169;
				void* _t170;
				intOrPtr _t171;
				intOrPtr _t172;
				intOrPtr _t173;

				L0043B644(0x460d8a, _t167);
				_t170 = _t169 - 0x14c;
				_t160 = __ecx;
				_t177 =  *((intOrPtr*)(__ecx + 0x190));
				_t77 = __ecx + 0x184;
				if( *((intOrPtr*)(__ecx + 0x190)) == 0) {
					_t77 = __ecx + 0x24c;
				}
				_push(0);
				_push(_t77);
				 *((intOrPtr*)(_t167 - 0x90)) = 0x46757c;
				 *((intOrPtr*)(_t167 - 0x70)) = 0x467574;
				L00401CDD(_t167 - 0x90);
				 *(_t167 - 4) =  *(_t167 - 4) & 0x00000000;
				L00419B42(_t167 - 0x90, _t167 - 0x108);
				 *(_t167 - 4) = 2;
				L0040125C(_t167 - 0x90);
				_push(0x20019);
				_t171 = _t170 - 0x28;
				 *((intOrPtr*)(_t167 - 0x2c)) = _t171;
				L00401732(_t171, 0x47e150, _t167 - 0x11, 1);
				_t172 = _t171 - 0x28;
				 *((intOrPtr*)(_t167 - 0x28)) = _t172;
				 *(_t167 - 4) = 3;
				L00401732(_t172, L"UninstallString", _t167 - 0xf, 1);
				 *(_t167 - 4) = 4;
				_t87 = L00401732(_t167 - 0x158, L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\", _t167 - 0xd, 1);
				_t173 = _t172 - 0x28;
				 *((intOrPtr*)(_t167 - 0x18)) = _t173;
				_push(_t167 - 0x108);
				_push(_t173);
				 *(_t167 - 4) = 5;
				L00405670(_t87, _t177);
				 *(_t167 - 4) = 6;
				_push((0 |  *((intOrPtr*)(_t160 + 0xe)) != 0x00000000) + 0x80000001);
				_push(_t167 - 0xb8); // executed
				E0042F45D(_t160,  *((intOrPtr*)(_t160 + 0xe))); // executed
				 *(_t167 - 4) = 8;
				L0040125C(_t167 - 0x158);
				_t161 = 0;
				if( *((intOrPtr*)(_t167 - 0xac)) != 0) {
					_push(0);
					_push(_t167 - 0xe);
					 *((intOrPtr*)(_t167 - 0x54)) = 0x46757c;
					 *((intOrPtr*)(_t167 - 0x34)) = 0x467574;
					L00401C68(_t167 - 0x54);
					_t100 =  *((intOrPtr*)(_t167 - 0xb0));
					 *(_t167 - 4) = 9;
					_t180 = _t100;
					if(_t100 == 0) {
						_t100 = 0x467570;
					}
					_push(_t100);
					E00410479(_t167 - 0x68);
					 *(_t167 - 4) = 0xa;
					_t103 = L004197DF(_t167 - 0x54, _t167 - 0x24);
					 *(_t167 - 4) = 0xb;
					 *((char*)(_t103 + 4)) = 1;
					_t125 = E00410501(_t167 - 0x68, _t180, "l", L00401E6C(_t103,  *_t103), _t161, _t161);
					 *(_t167 - 4) = 0xa;
					if( *((char*)(_t167 - 0x20)) != 0) {
						L00401E03( *((intOrPtr*)(_t167 - 0x24)),  *((intOrPtr*)( *((intOrPtr*)(_t167 - 0x24)) + 0x1c)));
					}
					if(_t125 != 0) {
						_t166 = L"0x";
						_t126 = 0;
						_t109 = E0040238F(_t167 - 0x50, _t166, _t161, L0043BA1F(_t166));
						_t183 = _t109 - _t161;
						if(_t109 == _t161) {
							_push(1);
							_push(_t167 - 0x10);
							_push(0x47e150);
							L0040176A(_t167 - 0xe0);
							_push(1);
							_push(_t167 - 0x12);
							_push(_t166);
							 *(_t167 - 4) = 0xc;
							L0040176A(_t167 - 0x130);
							 *(_t167 - 4) = 0xd;
							L00401E2C(_t167 - 0x54, _t183, _t167 - 0x130, _t167 - 0xe0);
							 *(_t167 - 4) = 0xc;
							L0040125C(_t167 - 0x130);
							 *(_t167 - 4) = 0xa;
							L0040125C(_t167 - 0xe0);
							_t126 = 1;
						}
						_t110 =  *((intOrPtr*)(_t167 - 0x4c));
						if( *((intOrPtr*)(_t167 - 0x4c)) == _t161) {
							_t110 = 0x467570;
						}
						asm("sbb ebx, ebx");
						_t161 = E0043C997(_t110, _t161, ( ~_t126 & 0x00000006) + 0xa);
					}
					 *(_t167 - 4) = 9;
					E004104BB(_t167 - 0x68);
					 *(_t167 - 4) = 8;
					L0040125C(_t167 - 0x54);
				}
				 *(_t167 - 4) = 2;
				L0040125C(_t167 - 0xb8);
				 *(_t167 - 4) =  *(_t167 - 4) | 0xffffffff;
				L0040125C(_t167 - 0x108);
				 *[fs:0x0] =  *((intOrPtr*)(_t167 - 0xc));
				return _t161;
			}

0x0041208d
0x00412092
0x0041209b
0x004120a3
0x004120a5
0x004120ab
0x004120ad
0x004120ad
0x004120bd
0x004120bf
0x004120c6
0x004120cc
0x004120cf
0x004120d4
0x004120e5
0x004120f0
0x004120f4
0x004120f9
0x00412101
0x00412106
0x00412111
0x00412116
0x0041211e
0x00412129
0x0041212d
0x00412143
0x00412147
0x0041214c
0x00412157
0x0041215a
0x0041215b
0x0041215e
0x00412162
0x00412169
0x00412178
0x0041217f
0x00412180
0x00412191
0x00412195
0x0041219a
0x004121a2
0x004121ab
0x004121ac
0x004121b0
0x004121b3
0x004121b6
0x004121bb
0x004121c1
0x004121c5
0x004121c7
0x004121c9
0x004121c9
0x004121ce
0x004121d2
0x004121de
0x004121e2
0x004121e9
0x004121ed
0x0041220a
0x0041220c
0x00412210
0x00412218
0x00412218
0x0041221f
0x00412225
0x0041222a
0x00412239
0x0041223e
0x00412240
0x00412245
0x00412247
0x00412248
0x00412253
0x0041225b
0x0041225d
0x0041225e
0x00412265
0x00412269
0x0041227f
0x00412283
0x0041228e
0x00412292
0x0041229d
0x004122a1
0x004122a6
0x004122a6
0x004122a8
0x004122ad
0x004122af
0x004122af
0x004122b6
0x004122c9
0x004122c9
0x004122ce
0x004122d2
0x004122da
0x004122de
0x004122de
0x004122e9
0x004122ed
0x004122f2
0x004122fc
0x00412308
0x00412311

APIs

__EH_prolog.LIBCMT ref: 0041208D

Part of subcall function 0040176A: __EH_prolog.LIBCMT ref: 0040176F
Part of subcall function 0040176A: GetLastError.KERNEL32(0046757C,00467574,ISlogit,?,00431B7C,ISlogit,?,00000000), ref: 00401798
Part of subcall function 0040176A: SetLastError.KERNEL32(?,00000000,00000000,00000000,?,00431B7C,ISlogit,?,00000000), ref: 004017ED

Part of subcall function 0040125C: __EH_prolog.LIBCMT ref: 00401261
Part of subcall function 0040125C: GetLastError.KERNEL32(000004B1,00000000,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 00401284
Part of subcall function 0040125C: SysFreeString.OLEAUT32(?), ref: 004012A2
Part of subcall function 0040125C: SetLastError.KERNEL32(?,00000001,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 004012C2

Strings

|uF, xrefs: 004120B3
UninstallString, xrefs: 00412124
tuF, xrefs: 004120B8
puF, xrefs: 004121C9
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\, xrefs: 00412138
puF, xrefs: 004122AF

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorLast$H_prolog$FreeString
String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$UninstallString$puF$puF$tuF$|uF
API String ID: 3800368667-1341111359
Opcode ID: 2c8dbe284fd816a86dc19f22ca9c36a310f5c9d83182851a7cd9aa48d0295c5c
Instruction ID: ceb776186afb837f0a9a537f787b3392f8d1b1dbe061531e2ba1c348be134de7
Opcode Fuzzy Hash: 2c8dbe284fd816a86dc19f22ca9c36a310f5c9d83182851a7cd9aa48d0295c5c
Instruction Fuzzy Hash: 20719831904248AEDB11EBA5CD85BDDBB78AF55304F5440DEE40AB3281EBB85F48CB66

Uniqueness

Uniqueness Score: -1.00%

Function 0040F59F Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 182
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0040F59F(long __ebx, intOrPtr __edi, intOrPtr* __esi) {
				void* _t185;
				WCHAR* _t191;
				void* _t192;
				void* _t196;
				char* _t197;
				void* _t202;
				void* _t210;
				void* _t212;
				void* _t220;
				void* _t225;
				char* _t233;
				void* _t237;
				long _t243;
				long _t245;
				long _t252;
				char* _t259;
				void* _t264;
				void* _t265;
				void* _t274;
				char* _t275;
				void* _t280;
				void* _t294;
				char* _t307;
				void* _t310;
				void* _t318;
				long _t319;
				void* _t342;
				intOrPtr* _t420;
				void* _t426;
				intOrPtr _t430;
				intOrPtr* _t431;
				intOrPtr* _t433;
				long _t434;
				void* _t436;
				void* _t438;
				intOrPtr _t439;
				intOrPtr _t440;
				intOrPtr _t442;

				_t433 = __esi;
				_t430 = __edi;
				_t319 = __ebx;
				if( *((intOrPtr*)( *((intOrPtr*)( *__esi + 0x2c))() + 0x13)) != __ebx) {
					L4:
					_t439 = _t438 - 0x28;
					 *((intOrPtr*)(_t436 - 0x88)) = _t439;
					E004083DD( *((intOrPtr*)( *_t433 + 0x2c))(), _t439);
					_t440 = _t439 - 0x28;
					 *((intOrPtr*)(_t436 - 0x68)) = _t440;
					 *(_t436 - 4) = 0x15;
					E00404705( *((intOrPtr*)( *_t433 + 0x2c))(), _t440);
					 *(_t436 - 4) = 0x13;
					_t185 = E00417132(_t430, _t426); // executed
					L00415C13(_t430, _t185, 0xbd);
					_t191 =  *(L00403759( *((intOrPtr*)( *_t433 + 0x2c))(), _t436 - 0x3c8) + 8);
					__eflags = _t191 - _t319;
					if(_t191 == _t319) {
						_t191 = 0x467570;
					}
					_t192 = CreateMutexW(_t319, _t319, _t191); // executed
					 *(_t436 - 0x40) = _t192;
					 *(_t436 - 0x3c) = _t319;
					 *(_t436 - 4) = 0x16;
					L0040125C(_t436 - 0x3c8);
					__eflags = WaitForSingleObject( *(_t436 - 0x40), _t319) - 0x102;
					if(__eflags != 0) {
						_t196 =  *((intOrPtr*)( *_t433 + 0x2c))();
						__eflags =  *((intOrPtr*)(_t196 + 0x12)) - _t319;
						if( *((intOrPtr*)(_t196 + 0x12)) != _t319) {
							L19:
							_t197 = L"ISSetup.dll";
							 *((intOrPtr*)(_t436 - 0x170)) = 0x46757c;
							 *((intOrPtr*)(_t436 - 0x150)) = 0x467574;
							__eflags = _t197;
							if(_t197 == 0) {
								_t197 = 0x47e150;
							}
							_t81 = _t436 - 0x170; // 0x46757c
							L0040176A(_t81);
							 *(_t436 - 4) = 0x1b;
							_t202 = E004083DD( *((intOrPtr*)( *_t433 + 0x2c))(_t197, _t436 - 0x25, _t319), _t436 - 0x2d8);
							_t441 = _t440 - 0x28;
							_t85 = _t436 - 0x170; // 0x46757c
							_t427 = _t85;
							 *((intOrPtr*)(_t436 - 0x44)) = _t441;
							 *(_t436 - 4) = 0x1c;
							L00405670(_t202, __eflags);
							 *(_t436 - 4) = 0x1c;
							E00412349( *((intOrPtr*)( *_t433 + 0x2c))(_t441, _t85), __eflags);
							 *(_t436 - 4) = 0x1b;
							L0040125C(_t436 - 0x2d8);
							 *(_t436 - 4) = 0x16;
							_t93 = _t436 - 0x170; // 0x46757c
							_t342 = _t93;
						} else {
							_t274 =  *((intOrPtr*)( *_t433 + 0x2c))();
							__eflags =  *((intOrPtr*)(_t274 + 0x13)) - _t319;
							if( *((intOrPtr*)(_t274 + 0x13)) != _t319) {
								goto L19;
							} else {
								_t275 = L"ISSetup.dll";
								 *((intOrPtr*)(_t436 - 0x1e8)) = 0x46757c;
								 *((intOrPtr*)(_t436 - 0x1c8)) = 0x467574;
								__eflags = _t275;
								if(_t275 == 0) {
									_t275 = 0x47e150;
								}
								_t65 = _t436 - 0x1e8; // 0x46757c
								L0040176A(_t65);
								 *(_t436 - 4) = 0x1e;
								_t280 = E00404705( *((intOrPtr*)( *_t433 + 0x2c))(_t275, _t436 - 0x26, _t319), _t436 - 0x378);
								_t441 = _t440 - 0x28;
								_t427 = _t436 - 0x1e8;
								 *((intOrPtr*)(_t436 - 0x48)) = _t441;
								 *(_t436 - 4) = 0x1f;
								L00405670(_t280, __eflags);
								 *(_t436 - 4) = 0x1f;
								E00412349( *((intOrPtr*)( *_t433 + 0x2c))(_t441, _t436 - 0x1e8), __eflags);
								 *(_t436 - 4) = 0x1e;
								L0040125C(_t436 - 0x378);
								 *(_t436 - 4) = 0x16;
								_t342 = _t436 - 0x1e8;
							}
						}
						L0040125C(_t342);
						_t210 =  *((intOrPtr*)( *_t433 + 0x2c))();
						__eflags =  *((intOrPtr*)(_t210 + 3)) - _t319;
						if( *((intOrPtr*)(_t210 + 3)) != _t319) {
							_t259 = L"ISSetup.dll";
							 *((intOrPtr*)(_t436 - 0x198)) = 0x46757c;
							 *((intOrPtr*)(_t436 - 0x178)) = 0x467574;
							__eflags = _t259;
							if(_t259 == 0) {
								_t259 = 0x47e150;
							}
							_t99 = _t436 - 0x198; // 0x46757c
							L0040176A(_t99);
							 *(_t436 - 4) = 0x21;
							_t264 = L00403789( *((intOrPtr*)( *_t433 + 0x2c))(_t259, _t436 - 0x27, _t319), _t436 - 0x350);
							 *(_t436 - 4) = 0x22;
							_t265 = L00401840(_t264, __eflags);
							_t441 = _t441 - 0x28;
							_t427 = _t436 - 0x198;
							 *((intOrPtr*)(_t436 - 0x5c)) = _t441;
							 *(_t436 - 4) = 0x23;
							L00405670(_t265, __eflags);
							 *(_t436 - 4) = 0x23;
							E00412349( *((intOrPtr*)( *_t433 + 0x2c))(_t441, _t436 - 0x198, _t436 - 0x300, _t319, _t319), __eflags);
							 *(_t436 - 4) = 0x22;
							L0040125C(_t436 - 0x300);
							 *(_t436 - 4) = 0x21;
							L0040125C(_t436 - 0x350);
							 *(_t436 - 4) = 0x16;
							L0040125C(_t436 - 0x198);
						}
						_t212 =  *((intOrPtr*)( *_t433 + 0x2c))();
						__eflags =  *((intOrPtr*)(_t212 + 0x12)) - _t319;
						if( *((intOrPtr*)(_t212 + 0x12)) != _t319) {
							L28:
							L00401B15(_t436 - 0x288);
							 *(_t436 - 4) = 0x25;
							L00401B15(_t436 - 0x260);
							 *(_t436 - 4) = 0x26;
							_t220 = E004083DD( *((intOrPtr*)( *_t433 + 0x2c))(0xd8, "ISSetup.dll", _t436 - 0x16, 1, "ISSetup.dll", _t436 - 0x15, 1), _t436 - 0x3f0);
							_t442 = _t441 - 0x28;
							 *((intOrPtr*)(_t436 - 0x64)) = _t442;
							 *(_t436 - 4) = 0x27;
							L00405670(_t220, __eflags);
							 *(_t436 - 4) = 0x28;
							_t225 = E00404705( *((intOrPtr*)( *_t433 + 0x2c))(_t442, _t436 - 0x288), _t436 - 0x3a0);
							_t441 = _t442 - 0x28;
							_t427 = _t436 - 0x260;
							 *((intOrPtr*)(_t436 - 0x6c)) = _t442 - 0x28;
							_push(_t436 - 0x260);
							 *(_t436 - 4) = 0x29;
							L00405670(_t225, __eflags);
							 *(_t436 - 4) = 0x2a;
							L00415C13(_t430, E00416E73(_t430, _t436 - 0x260, __eflags), _t442 - 0x28);
							 *(_t436 - 4) = 0x27;
							L0040125C(_t436 - 0x3a0);
							 *(_t436 - 4) = 0x26;
							L0040125C(_t436 - 0x3f0);
							 *(_t436 - 4) = 0x25;
							L0040125C(_t436 - 0x260);
							 *(_t436 - 4) = 0x16;
							L0040125C(_t436 - 0x288);
						} else {
							__eflags =  *((intOrPtr*)( *((intOrPtr*)( *_t433 + 0x2c))() + 0x13)) - _t319;
							if(__eflags != 0) {
								goto L28;
							}
						}
						_t233 = E00412653(_t430, __eflags); // executed
						__eflags = _t233;
						if(__eflags == 0) {
							L00415C13(_t430, 0xffffec75, 0xdc);
						}
						E00412B0A(_t430, __eflags);
						__eflags =  *((intOrPtr*)( *((intOrPtr*)( *_t433 + 0x2c))())) - _t319;
						if(__eflags == 0) {
							_push(0xe4);
							_t237 = L00413DE1(_t430, _t427, __eflags); // executed
						} else {
							_push(0xe2);
							_t237 = L00413C06(_t319, _t430, __eflags);
						}
						_push(_t237);
						L00415C13(_t430);
						 *(_t436 - 4) = 0x13;
						E00412614(_t436 - 0x40);
						 *(_t436 - 4) = 0x10;
						L0040125C(_t436 - 0xb4);
						 *(_t436 - 4) = 0xb;
						L0040125C(_t436 - 0xdc);
						 *(_t436 - 4) = 2;
						L0040125C(_t436 - 0x148);
						_t431 =  *((intOrPtr*)(_t430 + 0x28c));
						 *(_t436 - 0x24) = _t319;
						__eflags = _t431 - _t319;
						if(_t431 != _t319) {
							 *((intOrPtr*)( *_t431))(_t431, 0x476f68, _t436 - 0x24);
						}
						_t243 =  *(_t436 - 0x24);
						 *(_t436 - 0x38) = _t319;
						 *(_t436 - 4) = 0x2f;
						 *((intOrPtr*)( *_t243 + 0xe4))(_t243, _t436 - 0x38);
						_t245 =  *(_t436 - 0x24);
						_t434 =  *(_t436 - 0x38);
						__eflags = _t245 - _t319;
						 *(_t436 - 4) = 2;
						if(_t245 != _t319) {
							 *((intOrPtr*)( *_t245 + 8))(_t245);
						}
						goto L38;
					} else {
						E00403E82( *((intOrPtr*)( *_t433 + 0x2c))(_t436 - 0x1c0, 0x7da), __eflags);
						__eflags =  *((intOrPtr*)(_t436 - 0x1b4)) - _t319;
						 *(_t436 - 4) = 0x17;
						if( *((intOrPtr*)(_t436 - 0x1b4)) == _t319) {
							_t307 = L"Another instance of this setup is already running. Please wait for the other instance to finish and then try again.";
							__eflags = _t307;
							if(_t307 == 0) {
								_t307 = 0x47e150;
							}
							L00401E03(_t436 - 0x1c0, _t307);
						}
						 *((intOrPtr*)(_t436 - 0x80)) = _t440 - 0x28;
						L00401708(_t440 - 0x28, _t436 - 0x1c0, 1);
						 *(_t436 - 4) = 0x18;
						_t294 = L004037B9(_t436 - 0x70,  *((intOrPtr*)( *_t433 + 0x2c))(0x40, 1, _t319));
						_push(_t319);
						 *(_t436 - 4) = 0x1a;
						L00403C38(_t294);
						 *(_t436 - 4) = 0x16;
						L0040125C(_t436 - 0x1c0);
						 *(_t436 - 4) = 0x13;
						E00412614(_t436 - 0x40);
						_t45 = _t436 - 0xb4; // 0x46757c
						 *(_t436 - 4) = 0x10;
						L0040125C(_t45);
						 *(_t436 - 4) = 0xb;
						L0040125C(_t436 - 0xdc);
						 *(_t436 - 4) = 2;
						L0040125C(_t436 - 0x148);
						L0043B670( *((intOrPtr*)(_t436 - 0xe0)) + 8, _t436 - 0x120, 0x40);
						 *(_t436 - 4) = _t319;
						L0040125C(_t436 + 0xc);
						 *(_t436 - 4) =  *(_t436 - 4) | 0xffffffff;
						L0040125C(_t436 + 0x34);
						_t252 = 0;
					}
				} else {
					_t310 =  *((intOrPtr*)( *__esi + 0x2c))();
					_t448 =  *((intOrPtr*)(_t310 + 0x10)) - __ebx;
					if( *((intOrPtr*)(_t310 + 0x10)) != __ebx) {
						L3:
						_t441 = _t438 - 0x28;
						 *((intOrPtr*)(_t436 - 0x60)) = _t441;
						_t420 = _t441;
						 *((char*)( *((intOrPtr*)(_t430 + 0x3a4)) + 0x20)) = 1;
						_push(_t319);
						_push(_t436 - 0xb4);
						 *_t420 = 0x46757c;
						 *((intOrPtr*)(_t420 + 0x20)) = 0x467574;
						L00401CDD(_t420);
						_t434 = L0041746C(_t430, _t426, _t449);
						 *(_t436 - 4) = 0x10;
						L0040125C(_t436 - 0xb4);
						 *(_t436 - 4) = 0xb;
						L0040125C(_t436 - 0xdc);
						 *(_t436 - 4) = 2;
						L0040125C(_t436 - 0x148);
						L38:
						L0043B670( *((intOrPtr*)(_t436 - 0xe0)) + 8, _t436 - 0x120, 0x40);
						 *(_t436 - 4) = _t319;
						L0040125C(_t436 + 0xc);
						 *(_t436 - 4) =  *(_t436 - 4) | 0xffffffff;
						L0040125C(_t436 + 0x34);
						_t252 = _t434;
					} else {
						_t318 = E004173CF(__edi, _t448); // executed
						_t449 = _t318;
						if(_t318 == 0) {
							goto L4;
						} else {
							goto L3;
						}
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t436 - 0xc));
				return _t252;
			}

0x0040f59f
0x0040f59f
0x0040f59f
0x0040f5a9
0x0040f629
0x0040f630
0x0040f635
0x0040f643
0x0040f648
0x0040f64f
0x0040f655
0x0040f65e
0x0040f665
0x0040f669
0x0040f671
0x0040f68b
0x0040f68e
0x0040f690
0x0040f692
0x0040f692
0x0040f69a
0x0040f6a0
0x0040f6a3
0x0040f6ac
0x0040f6b0
0x0040f6bf
0x0040f6c4
0x0040f7cc
0x0040f7cf
0x0040f7d2
0x0040f881
0x0040f881
0x0040f886
0x0040f892
0x0040f89c
0x0040f89e
0x0040f8a0
0x0040f8a0
0x0040f8ab
0x0040f8b1
0x0040f8c1
0x0040f8ca
0x0040f8cf
0x0040f8d2
0x0040f8d2
0x0040f8da
0x0040f8e1
0x0040f8e5
0x0040f8ee
0x0040f8f7
0x0040f902
0x0040f906
0x0040f90b
0x0040f90f
0x0040f90f
0x0040f7d8
0x0040f7dc
0x0040f7df
0x0040f7e2
0x00000000
0x0040f7e8
0x0040f7e8
0x0040f7ed
0x0040f7f9
0x0040f803
0x0040f805
0x0040f807
0x0040f807
0x0040f812
0x0040f818
0x0040f828
0x0040f831
0x0040f836
0x0040f839
0x0040f841
0x0040f848
0x0040f84c
0x0040f855
0x0040f85e
0x0040f869
0x0040f86d
0x0040f872
0x0040f876
0x0040f876
0x0040f7e2
0x0040f915
0x0040f91e
0x0040f921
0x0040f924
0x0040f92a
0x0040f92f
0x0040f93b
0x0040f945
0x0040f947
0x0040f949
0x0040f949
0x0040f954
0x0040f95a
0x0040f96a
0x0040f973
0x0040f983
0x0040f987
0x0040f98c
0x0040f98f
0x0040f997
0x0040f99e
0x0040f9a2
0x0040f9ab
0x0040f9b4
0x0040f9bf
0x0040f9c3
0x0040f9ce
0x0040f9d2
0x0040f9dd
0x0040f9e1
0x0040f9e1
0x0040f9ea
0x0040f9ed
0x0040f9f0
0x0040fa02
0x0040fa13
0x0040fa29
0x0040fa2d
0x0040fa42
0x0040fa4b
0x0040fa50
0x0040fa5b
0x0040fa62
0x0040fa66
0x0040fa76
0x0040fa7f
0x0040fa84
0x0040fa87
0x0040fa8f
0x0040fa92
0x0040fa96
0x0040fa9a
0x0040faa1
0x0040faad
0x0040fab8
0x0040fabc
0x0040fac7
0x0040facb
0x0040fad6
0x0040fada
0x0040fae5
0x0040fae9
0x0040f9f2
0x0040f9f9
0x0040f9fc
0x00000000
0x00000000
0x0040f9fc
0x0040faf0
0x0040faf5
0x0040faf7
0x0040fb05
0x0040fb05
0x0040fb0c
0x0040fb18
0x0040fb1a
0x0040fb2a
0x0040fb31
0x0040fb1c
0x0040fb1c
0x0040fb23
0x0040fb23
0x0040fb36
0x0040fb39
0x0040fb41
0x0040fb45
0x0040fb50
0x0040fb54
0x0040fb5f
0x0040fb63
0x0040fb6e
0x0040fb72
0x0040fb77
0x0040fb7d
0x0040fb80
0x0040fb82
0x0040fb90
0x0040fb90
0x0040fb92
0x0040fb98
0x0040fb9f
0x0040fba3
0x0040fba9
0x0040fbac
0x0040fbaf
0x0040fbb1
0x0040fbb5
0x0040fbba
0x0040fbba
0x00000000
0x0040f6ca
0x0040f6df
0x0040f6e4
0x0040f6ea
0x0040f6ee
0x0040f6f0
0x0040f6f7
0x0040f6f9
0x0040f6fb
0x0040f6fb
0x0040f707
0x0040f707
0x0040f71c
0x0040f722
0x0040f72b
0x0040f736
0x0040f73b
0x0040f73e
0x0040f742
0x0040f74d
0x0040f751
0x0040f759
0x0040f75d
0x0040f762
0x0040f768
0x0040f76c
0x0040f777
0x0040f77b
0x0040f786
0x0040f78a
0x0040f7a2
0x0040f7ad
0x0040f7b0
0x0040f7b5
0x0040f7bc
0x0040f7c1
0x0040f7c1
0x0040f5ab
0x0040f5af
0x0040f5b2
0x0040f5b5
0x0040f5c2
0x0040f5c8
0x0040f5cb
0x0040f5ce
0x0040f5d0
0x0040f5da
0x0040f5db
0x0040f5dc
0x0040f5e2
0x0040f5e9
0x0040f5fb
0x0040f5fd
0x0040f601
0x0040f60c
0x0040f610
0x0040f61b
0x0040f61f
0x0040fbbd
0x0040fbd0
0x0040fbdb
0x0040fbde
0x0040fbe3
0x0040fbea
0x0040fbef
0x0040f5b7
0x0040f5b9
0x0040f5be
0x0040f5c0
0x00000000
0x00000000
0x00000000
0x00000000
0x0040f5c0
0x0040f5b5
0x0040fbf6
0x0040fbff

APIs

CreateMutexW.KERNELBASE(00000000,00000000,?), ref: 0040F69A
WaitForSingleObject.KERNEL32(?,00000000), ref: 0040F6B9

Part of subcall function 004173CF: __EH_prolog.LIBCMT ref: 004173D4
Part of subcall function 004173CF: GetDriveTypeW.KERNELBASE(?,?,00000000), ref: 00417411

Strings

puF, xrefs: 0040F692
|uF, xrefs: 0040F762
PG, xrefs: 0040F6FB
Another instance of this setup is already running. Please wait for the other instance to finish and then try again., xrefs: 0040F6F0, 0040F700
tuF, xrefs: 0040F5E2

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: CreateDriveH_prologMutexObjectSingleTypeWait
String ID: Another instance of this setup is already running. Please wait for the other instance to finish and then try again.$PG$puF$tuF$|uF
API String ID: 492021291-3959295596
Opcode ID: 6faae41153642b508b6d0743269aca3917d4ee02400cfa03464e9f01f27e5035
Instruction ID: 31cf5d52673705ad745918644fab8d769135a0446773670dc389828cb10a47f5
Opcode Fuzzy Hash: 6faae41153642b508b6d0743269aca3917d4ee02400cfa03464e9f01f27e5035
Instruction Fuzzy Hash: D9719270A00248DFDB14EB69C955BDCBBB8AF58304F0040EEE446B72D2DB789E48CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00402718 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 138
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E00402718() {
				short* _t62;
				char* _t78;
				int _t80;
				short* _t101;
				unsigned int _t103;
				void* _t107;
				char _t118;

				L0043B644(0x45eee0, _t107);
				if( *(_t107 + 0x14) == 0x4b0 ||  *(_t107 + 0x14) == 0x4b1) {
					_t103 =  *(_t107 + 0x10);
					_t78 =  *(_t107 + 0xc);
					if(_t103 == 0xffffffff) {
						_t103 = L0043BA1F(_t78) << 1;
					}
					if( *(_t107 + 0x14) != 0x4b1) {
						 *((intOrPtr*)(_t107 - 0x3c)) = 0x46757c;
						 *((intOrPtr*)(_t107 - 0x1c)) = 0x467574;
						if(_t78 == 0) {
							_t78 = 0x47e150;
						}
						_push(0);
						_push(_t107 + 0x13);
						_push(_t103 >> 1);
						_push(_t78);
						_t41 = _t107 - 0x3c; // 0x46757c, executed
						E004028AE(_t41); // executed
						_t43 = _t107 - 0x3c; // 0x46757c
						 *(_t107 - 4) = 2;
						L00401A1E( *((intOrPtr*)(_t107 + 8)), _t43);
						 *(_t107 - 4) =  *(_t107 - 4) | 0xffffffff;
						_t47 = _t107 - 0x3c; // 0x46757c
						L0040125C(_t47);
						goto L18;
					} else {
						_t22 = _t103 + 1; // 0x1
						_t101 = L0043BC14(_t22);
						 *((char*)(_t107 - 0x14)) = _t101 != 0;
						 *(_t107 - 0x10) = _t101;
						 *(_t107 - 4) =  *(_t107 - 4) & 0x00000000;
						L0043BBEA(_t78, _t101, _t103);
						 *((intOrPtr*)(_t107 - 0x3c)) = 0x46757c;
						 *((intOrPtr*)(_t107 - 0x1c)) = 0x467574;
						_t62 = _t101;
						if(_t101 == 0) {
							_t62 = 0x47e150;
						}
						_push(0);
						_push(_t107 + 0x13);
						_push(_t103 >> 1);
						_push(_t62);
						_t30 = _t107 - 0x3c; // 0x46757c
						E004028AE(_t30);
						_t32 = _t107 - 0x3c; // 0x46757c
						 *(_t107 - 4) = 1;
						L00401A1E( *((intOrPtr*)(_t107 + 8)), _t32);
						 *(_t107 - 4) =  *(_t107 - 4) & 0x00000000;
						_t36 = _t107 - 0x3c; // 0x46757c
						L0040125C(_t36);
						goto L7;
					}
				} else {
					if( *(_t107 + 0x10) == 0xffffffff) {
						 *(_t107 + 0x10) = L0043BC30( *(_t107 + 0xc));
					}
					_t80 = MultiByteToWideChar( *(_t107 + 0x14), 0,  *(_t107 + 0xc),  *(_t107 + 0x10) + 1, 0, 0);
					_t101 = L0043BC14(_t80 + _t80);
					 *((char*)(_t107 - 0x14)) = _t101 != 0;
					 *(_t107 - 0x10) = _t101;
					 *(_t107 - 4) = 3;
					_t103 = MultiByteToWideChar( *(_t107 + 0x14), 0,  *(_t107 + 0xc),  *(_t107 + 0x10), _t101, _t80);
					if(_t103 > 0) {
						_t17 =  *((intOrPtr*)(_t107 + 8)) + 4; // 0x4
						L0040BF1A(_t17, _t101, _t103);
					}
					_t118 =  *((char*)(_t107 - 0x14));
					L7:
					if(_t118 != 0) {
						E0043AE17(_t101);
					}
					L18:
					 *[fs:0x0] =  *((intOrPtr*)(_t107 - 0xc));
					return _t103;
				}
			}

0x0040271d
0x00402734
0x004027c3
0x004027c6
0x004027cc
0x004027d7
0x004027d7
0x004027dc
0x00402855
0x0040285c
0x00402863
0x00402865
0x00402865
0x0040286d
0x0040286f
0x00402874
0x00402875
0x00402876
0x00402879
0x00402881
0x00402885
0x0040288c
0x00402891
0x00402895
0x00402898
0x00000000
0x004027de
0x004027de
0x004027e7
0x004027eb
0x004027ef
0x004027f2
0x004027f9
0x00402801
0x0040280a
0x00402811
0x00402813
0x00402815
0x00402815
0x0040281d
0x0040281f
0x00402824
0x00402825
0x00402826
0x00402829
0x00402831
0x00402835
0x00402839
0x0040283e
0x00402842
0x00402845
0x00000000
0x0040284a
0x00402743
0x00402747
0x00402752
0x00402752
0x0040276d
0x00402778
0x0040277d
0x00402781
0x00402789
0x0040279a
0x0040279e
0x004027a5
0x004027a8
0x004027a8
0x004027ad
0x004027b1
0x004027b1
0x004027b8
0x004027bd
0x0040289d
0x004028a5
0x004028ad
0x004028ad

APIs

__EH_prolog.LIBCMT ref: 0040271D
MultiByteToWideChar.KERNEL32(000004B0,00000000,?,00000100,00000000,00000000,00467574,?,0046757C), ref: 0040276B
MultiByteToWideChar.KERNEL32(000004B0,00000000,?,000000FF,00000000,00000000,000004B0,?,0046757C), ref: 00402798

Strings

|uF, xrefs: 00402826
PG, xrefs: 00402865
tuF, xrefs: 0040285C
PG, xrefs: 00402815

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ByteCharMultiWide$H_prolog
String ID: PG$PG$tuF$|uF
API String ID: 2445107564-938772490
Opcode ID: 211b5b0a904c3207a4d938d6b0941cf6edb283abceee71427bc2b0ec605483ef
Instruction ID: 0c4a7c64d7af268a948cd3132c1da8caf458570bec7fa142e4ce7e6989a06d3c
Opcode Fuzzy Hash: 211b5b0a904c3207a4d938d6b0941cf6edb283abceee71427bc2b0ec605483ef
Instruction Fuzzy Hash: 5B41C371900209ABDB15EF55D945BEE7778EF44314F10826EF925B72D1DB788E00CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00412F07 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00412F07(void* __ecx, void* __eflags) {
				signed int* _t35;
				signed int _t41;
				signed int _t42;
				signed int _t43;
				long _t44;
				intOrPtr _t48;
				signed int _t52;
				signed int _t53;
				signed int _t70;
				void* _t74;
				void* _t76;

				L0043B644(0x460f52, _t76);
				_t74 = __ecx;
				E004134DD(__ecx);
				_t35 = L0043BC14(4);
				if(_t35 == 0) {
					_t35 = 0;
					__eflags = 0;
				} else {
					 *_t35 = 1;
				}
				_t70 =  *(_t76 + 8);
				 *(_t74 + 0x34) = _t35;
				_t52 = _t70 + 4;
				asm("sbb eax, eax");
				E004024B9(_t74 + 0x10,  ~_t70 & _t52, 0,  *0x467594);
				if(L00404D1A(_t70) != 0 || L004134BB(_t70) != 0) {
					_t41 = L0043BC14(0xa8);
					 *(_t76 + 8) = _t41;
					__eflags = _t41;
					 *(_t76 - 4) = 0;
					if(__eflags == 0) {
						_t42 = 0;
						__eflags = 0;
					} else {
						_push(0);
						_push(0);
						_push(0);
						_push(0);
						_push(0x7530);
						_push(L"toys::file");
						_t42 = L00413046(_t41, __eflags);
					}
					 *(_t76 - 4) =  *(_t76 - 4) | 0xffffffff;
					 *((intOrPtr*)(_t74 + 4)) = _t42;
					 *((intOrPtr*)(_t42 + 0x80)) =  *((intOrPtr*)(_t74 + 0x38));
					_t53 =  *(_t52 + 4);
					__eflags = _t53;
					if(_t53 == 0) {
						_t53 = 0x467570;
					}
					_push(0x80400100);
					_push(0);
					_push(_t53);
					_t43 = L00437AB5( *((intOrPtr*)(_t74 + 4)));
					__eflags = _t43;
					if(_t43 == 0) {
						goto L6;
					} else {
						goto L14;
					}
				} else {
					_push(0);
					_push(_t70);
					 *((intOrPtr*)(_t76 - 0x34)) = 0x46757c;
					 *((intOrPtr*)(_t76 - 0x14)) = 0x467574;
					L00401CDD(_t76 - 0x34);
					_t9 = _t76 - 0x34; // 0x46757c
					 *(_t76 - 4) = 1;
					_t11 = _t76 + 0x14; // 0x467574
					_t48 = E0042FDD5(_t9,  *((intOrPtr*)(_t76 + 0xc)),  *((intOrPtr*)(_t76 + 0x10)),  *((intOrPtr*)(_t76 + 0x1c)),  *((intOrPtr*)(_t76 + 0x18)),  *_t11,  *((intOrPtr*)(_t76 + 0x20))); // executed
					 *(_t76 - 4) =  *(_t76 - 4) | 0xffffffff;
					_t20 = _t76 - 0x34; // 0x46757c
					 *((intOrPtr*)(_t74 + 8)) = _t48;
					L0040125C(_t20);
					if((_t52 & 0xffffff00 | _t48 == 0xffffffff) == 0) {
						E00413655(_t74); // executed
						L14:
						_t44 = 0;
						__eflags = 0;
					} else {
						L6:
						_t44 = GetLastError();
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t76 - 0xc));
				return _t44;
			}

0x00412f0c
0x00412f17
0x00412f19
0x00412f20
0x00412f28
0x00412f32
0x00412f32
0x00412f2a
0x00412f2a
0x00412f2a
0x00412f34
0x00412f37
0x00412f44
0x00412f49
0x00412f51
0x00412f5f
0x00412fd9
0x00412fdf
0x00412fe4
0x00412fe6
0x00412fe9
0x00413002
0x00413002
0x00412feb
0x00412feb
0x00412fec
0x00412fed
0x00412fee
0x00412fef
0x00412ff4
0x00412ffb
0x00412ffb
0x00413007
0x0041300b
0x0041300e
0x00413014
0x00413017
0x00413019
0x0041301b
0x0041301b
0x00413023
0x00413028
0x00413029
0x0041302a
0x0041302f
0x00413031
0x00000000
0x00000000
0x00000000
0x00000000
0x00412f6c
0x00412f6c
0x00412f6e
0x00412f72
0x00412f79
0x00412f80
0x00412f88
0x00412f8b
0x00412f92
0x00412fa2
0x00412fb0
0x00412fb4
0x00412fb7
0x00412fba
0x00412fc1
0x00412fcd
0x00413033
0x00413033
0x00413033
0x00412fc3
0x00412fc3
0x00412fc3
0x00412fc3
0x00412fc1
0x0041303b
0x00413043

APIs

__EH_prolog.LIBCMT ref: 00412F0C

Part of subcall function 004134DD: InterlockedDecrement.KERNEL32(?), ref: 004134EE
Part of subcall function 004134DD: FindCloseChangeNotification.KERNELBASE(?), ref: 00413516

GetLastError.KERNEL32(?,00000000,80400100,?,00000000,004675A0,00467598,00000000,?,?,?,?,?,?,?,0046757C), ref: 00412FC3

Part of subcall function 00413655: __EH_prolog.LIBCMT ref: 0041365A

Strings

tuF, xrefs: 00412F79
puF, xrefs: 0041301B
|uF, xrefs: 00412F88, 00412FA1
tuF, xrefs: 00412F92
toys::file, xrefs: 00412FF4

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: H_prolog$ChangeCloseDecrementErrorFindInterlockedLastNotification
String ID: puF$toys::file$tuF$tuF$|uF
API String ID: 4146976500-2624522661
Opcode ID: caef06e1ebe5ed2bf04a3a63218a9b5f1a605579b73a9aa05d7f5b1f7d0ba10c
Instruction ID: 95485d3224621dfb4d8e3e101a99a567622c0a362cafb5440f751caf24588de3
Opcode Fuzzy Hash: caef06e1ebe5ed2bf04a3a63218a9b5f1a605579b73a9aa05d7f5b1f7d0ba10c
Instruction Fuzzy Hash: CB311231600204ABCB21EF65CE41BEE7BB1EF88354F10412FF916A72D1DB788A45DB19

Uniqueness

Uniqueness Score: -1.00%

Function 00403A98 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 101
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E00403A98(void* __ecx, void* __eflags) {
				void* _t46;
				void* _t48;
				void* _t49;
				void* _t60;
				void* _t87;
				void* _t90;
				void* _t92;
				intOrPtr _t95;
				intOrPtr _t96;
				void* _t100;

				_t100 = __eflags;
				L0043B644(0x45f121, _t90);
				_t87 = __ecx;
				_push(0);
				_push(_t90 - 0xd);
				 *((intOrPtr*)(_t90 - 0x44)) = 0x46757c;
				 *((intOrPtr*)(_t90 - 0x24)) = 0x467574;
				L00401C68(_t90 - 0x44);
				 *(_t90 - 4) = 0;
				L004057E0(_t90 - 0x44, L"0x%04x",  *(_t90 + 8) & 0x0000ffff);
				_push(L".ini");
				_push(_t90 - 0x44);
				_push(_t90 - 0xe4);
				_t46 = L00405EDE(_t100);
				 *(_t90 - 4) = 1;
				_t48 = L00403C08(_t87, _t90 - 0x94);
				_push(0);
				_push(0);
				_push(_t90 - 0xbc);
				 *(_t90 - 4) = 2;
				_t49 = L00401840(_t48, _t100);
				_push(_t46);
				_push(_t90 - 0x6c);
				 *(_t90 - 4) = 3;
				L00405670(_t49, _t100);
				 *(_t90 - 4) = 7;
				L0040125C(_t90 - 0xbc);
				 *(_t90 - 4) = 6;
				L0040125C(_t90 - 0x94);
				 *(_t90 - 4) = 5;
				L0040125C(_t90 - 0xe4);
				_push(8);
				_t95 = _t92 - 0xd8 + 0x18 - 0x28;
				 *((intOrPtr*)(_t90 - 0x18)) = _t95;
				L00401732(_t95, L"FontSize", _t90 + 0xb, 1);
				_t96 = _t95 - 0x28;
				 *((intOrPtr*)(_t90 - 0x1c)) = _t96;
				 *(_t90 - 4) = 8;
				L00401732(_t96, L"Properties", _t90 - 0xe, 1);
				 *((intOrPtr*)(_t90 - 0x14)) = _t96 - 0x28;
				 *(_t90 - 4) = 9;
				L00401708(_t96 - 0x28, _t90 - 0x6c, 1);
				 *(_t90 - 4) = 5;
				_t60 = E0042F80F(_t100); // executed
				 *(_t90 - 4) = 0;
				L0040125C(_t90 - 0x6c);
				 *(_t90 - 4) =  *(_t90 - 4) | 0xffffffff;
				L0040125C(_t90 - 0x44);
				 *[fs:0x0] =  *((intOrPtr*)(_t90 - 0xc));
				return _t60;
			}

0x00403a98
0x00403a9d
0x00403aad
0x00403ab2
0x00403ab3
0x00403ab7
0x00403abe
0x00403ac5
0x00403ad8
0x00403adb
0x00403ae3
0x00403ae8
0x00403aef
0x00403af0
0x00403b03
0x00403b07
0x00403b0c
0x00403b13
0x00403b14
0x00403b17
0x00403b1b
0x00403b23
0x00403b24
0x00403b27
0x00403b2b
0x00403b36
0x00403b3a
0x00403b45
0x00403b49
0x00403b54
0x00403b58
0x00403b5d
0x00403b62
0x00403b67
0x00403b72
0x00403b77
0x00403b7f
0x00403b8a
0x00403b8e
0x00403b9b
0x00403ba1
0x00403ba5
0x00403baa
0x00403bae
0x00403bbb
0x00403bbe
0x00403bc3
0x00403bca
0x00403bd7
0x00403be0

APIs

__EH_prolog.LIBCMT ref: 00403A9D

Part of subcall function 00401C68: __EH_prolog.LIBCMT ref: 00401C6D
Part of subcall function 00401C68: GetLastError.KERNEL32(00467574,00000000,0046757C,?,0040E781,?,00000000,?,00000000), ref: 00401C96
Part of subcall function 00401C68: SetLastError.KERNEL32(?,00000000,?,0040E781,?,00000000,?,00000000), ref: 00401CC4

Part of subcall function 00405EDE: __EH_prolog.LIBCMT ref: 00405EE3

Part of subcall function 00401840: __EH_prolog.LIBCMT ref: 00401845

Part of subcall function 00405670: __EH_prolog.LIBCMT ref: 00405675

Part of subcall function 0040125C: __EH_prolog.LIBCMT ref: 00401261
Part of subcall function 0040125C: GetLastError.KERNEL32(000004B1,00000000,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 00401284
Part of subcall function 0040125C: SysFreeString.OLEAUT32(?), ref: 004012A2
Part of subcall function 0040125C: SetLastError.KERNEL32(?,00000001,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 004012C2

Part of subcall function 0042F80F: __EH_prolog.LIBCMT ref: 0042F814

Strings

Properties, xrefs: 00403B85
tuF, xrefs: 00403ABE
FontSize, xrefs: 00403B6D
|uF, xrefs: 00403AB7
.ini, xrefs: 00403AE3
0x%04x, xrefs: 00403AD2

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: H_prolog$ErrorLast$FreeString
String ID: .ini$0x%04x$FontSize$Properties$tuF$|uF
API String ID: 3733137895-2024533418
Opcode ID: 43a18bbfe328740db0a0d3e29d0e68b80f4fa7056cbdd8c44aaeb96f23109c27
Instruction ID: 74df62e801df1c0546c9e3aaffa4e61310175719123212e99a6133caa6516bb2
Opcode Fuzzy Hash: 43a18bbfe328740db0a0d3e29d0e68b80f4fa7056cbdd8c44aaeb96f23109c27
Instruction Fuzzy Hash: 00314471D00248EADB04EBE5C986BDDBBBC9B55304F5040AEE509B32C1EB785B08CB66

Uniqueness

Uniqueness Score: -1.00%

Function 0040DE9B Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 99
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E0040DE9B(void* __ebx, intOrPtr* __ecx, void* __edi) {
				struct HWND__* _t53;
				struct HWND__* _t55;
				char* _t56;
				signed int _t58;
				void* _t60;
				void* _t62;
				signed int _t63;
				intOrPtr _t67;
				void* _t68;
				void* _t85;
				void* _t86;
				intOrPtr* _t89;
				void* _t93;

				_t85 = __edi;
				_t68 = __ebx;
				L0043B644(E0046039C, _t93);
				_t89 = __ecx;
				if(( *(_t93 + 0x18) & 0x00000002) != 0) {
					L4:
					E00402AB2(_t93 - 0x18,  *( *_t89 + 0x20),  *(_t93 + 8), 5);
					 *(_t93 - 4) =  *(_t93 - 4) & 0x00000000;
					__eflags =  *(_t93 + 0x18) & 0x00000001;
					if(( *(_t93 + 0x18) & 0x00000001) == 0) {
						_t56 = L"MS Sans Serif";
						 *((intOrPtr*)(_t93 - 0x40)) = 0x46757c;
						 *((intOrPtr*)(_t93 - 0x20)) = 0x467574;
						__eflags = _t56;
						if(_t56 == 0) {
							_t56 = 0x47e150;
						}
						_push(_t68);
						_push(_t85);
						_push(0);
						_push(_t93 + 0x1b);
						_push(_t56);
						_t17 = _t93 - 0x40; // 0x46757c
						L0040176A(_t17);
						_t58 =  *(_t93 - 0x38);
						__eflags = _t58;
						 *(_t93 - 4) = 1;
						 *(_t93 + 8) = 0x467570;
						if(__eflags != 0) {
							 *(_t93 + 8) = _t58;
						}
						_t60 = E00403A98( *_t89, __eflags,  *((intOrPtr*)( *_t89 + 0x48))); // executed
						_t86 = _t60;
						_t62 = E004038F3( *_t89, _t93 - 0x68); // executed
						_t63 =  *(_t62 + 8);
						 *(_t93 - 4) = 2;
						__eflags = _t63;
						if(_t63 == 0) {
							_t63 = 0x467570;
						}
						_push(8);
						_push( *(_t93 + 8));
						_push(_t86);
						_push(_t63);
						L00402BB7(_t93 - 0x18);
						 *(_t93 - 4) = 1;
						L0040125C(_t93 - 0x68);
						_t30 = _t93 - 4;
						 *_t30 =  *(_t93 - 4) & 0x00000000;
						__eflags =  *_t30;
						_t32 = _t93 - 0x40; // 0x46757c
						L0040125C(_t32);
					}
					 *(_t93 + 8) = L00403BE3( *_t89,  *((intOrPtr*)( *_t89 + 0x48)));
					_t53 = CreateDialogIndirectParamW( *( *_t89 + 0x20), E00402B41(_t93 - 0x18,  *(_t93 + 8)),  *(_t93 + 0xc),  *(_t93 + 0x10),  *(_t93 + 0x14)); // executed
					_t41 = _t93 - 4;
					 *_t41 =  *(_t93 - 4) | 0xffffffff;
					__eflags =  *_t41;
					E00402B53(_t93 - 0x18);
					_t55 = _t53;
				} else {
					_t67 =  *__ecx;
					if( *((char*)(_t67 + 1)) != 0 ||  *((char*)(_t67 + 2)) != 0) {
						_t55 = 0;
					} else {
						goto L4;
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t93 - 0xc));
				return _t55;
			}

0x0040de9b
0x0040de9b
0x0040dea0
0x0040dead
0x0040deaf
0x0040dec6
0x0040ded3
0x0040ded8
0x0040dedc
0x0040dee0
0x0040dee6
0x0040deeb
0x0040def4
0x0040defb
0x0040defd
0x0040deff
0x0040deff
0x0040df04
0x0040df05
0x0040df09
0x0040df0b
0x0040df0c
0x0040df0d
0x0040df10
0x0040df15
0x0040df1d
0x0040df1f
0x0040df23
0x0040df26
0x0040df28
0x0040df28
0x0040df32
0x0040df39
0x0040df3f
0x0040df44
0x0040df47
0x0040df4b
0x0040df4d
0x0040df4f
0x0040df4f
0x0040df51
0x0040df56
0x0040df59
0x0040df5a
0x0040df5b
0x0040df63
0x0040df67
0x0040df6c
0x0040df6c
0x0040df6c
0x0040df70
0x0040df73
0x0040df79
0x0040df89
0x0040dfa4
0x0040dfaa
0x0040dfaa
0x0040dfaa
0x0040dfb3
0x0040dfb8
0x0040deb1
0x0040deb1
0x0040deb7
0x0040debf
0x00000000
0x00000000
0x00000000
0x0040deb7
0x0040dfbe
0x0040dfc6

APIs

__EH_prolog.LIBCMT ref: 0040DEA0
CreateDialogIndirectParamW.USER32 ref: 0040DFA4

Strings

PG, xrefs: 0040DEFF
puF, xrefs: 0040DF18
MS Sans Serif, xrefs: 0040DEE6, 0040DF0C
tuF, xrefs: 0040DEF4
|uF, xrefs: 0040DF0D

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: CreateDialogH_prologIndirectParam
String ID: MS Sans Serif$PG$puF$tuF$|uF
API String ID: 253066991-2237739686
Opcode ID: 4ba52d79ebc00c78cd3c3e9336889a37db0f70a1cc210a7c3d5d815412fa51e0
Instruction ID: d6765cd19a336f4c6d878401aa15cc3d426da9840a5a3a9a9c04710f936d4d7a
Opcode Fuzzy Hash: 4ba52d79ebc00c78cd3c3e9336889a37db0f70a1cc210a7c3d5d815412fa51e0
Instruction Fuzzy Hash: 8D419375900249AFDF10DFA4C845BDE7BB4AF18318F10806EF946A72D2E7789A49CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0042F35E Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 82
registryCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E0042F35E(void* __edi, void* __esi) {
				intOrPtr _t38;
				intOrPtr _t39;
				intOrPtr* _t46;
				long _t49;
				int _t55;
				signed int _t56;
				void* _t67;
				long _t68;
				void* _t70;
				void* _t73;

				_t70 = __esi;
				_t67 = __edi;
				L0043B644(0x463dbc, _t73);
				_t55 = 0;
				 *(_t73 - 4) = 0;
				 *(_t73 - 0x10) = 0;
				_t37 =  *((intOrPtr*)(_t73 + 0x14));
				 *(_t73 - 4) = 1;
				if( *((intOrPtr*)(_t73 + 0x14)) == 0) {
					_t37 = 0x467570;
				}
				_t38 = E0041C3FB(_t73 - 0x10,  *((intOrPtr*)(_t73 + 8)), _t37, 0x20019); // executed
				 *((intOrPtr*)(_t73 - 0x14)) = _t38;
				if(_t38 == _t55) {
					_push(_t70);
					_push(_t67);
					do {
						_push(0);
						_push(_t73 + 0xb);
						 *((intOrPtr*)(_t73 - 0x48)) = 0x46757c;
						 *((intOrPtr*)(_t73 - 0x28)) = 0x467574;
						L00401C68(_t73 - 0x48);
						_t13 = _t73 - 0x48; // 0x46757c
						 *(_t73 - 4) = 2;
						_t46 = L00401813(_t13, _t73 - 0x20, 0x105);
						 *(_t73 - 4) = 3;
						 *((char*)(_t46 + 4)) = 1;
						_t49 = RegEnumKeyW( *(_t73 - 0x10), _t55,  *(L00401E6C(_t46,  *_t46)), 0x105); // executed
						_t68 = _t49;
						 *(_t73 - 4) = 2;
						L00401A9C(_t73 - 0x20); // executed
						if(_t68 == 0) {
							_t21 = _t73 - 0x48; // 0x46757c
							E00419C0E( *((intOrPtr*)(_t73 + 0x34)), _t21);
						}
						_t22 = _t73 - 0x48; // 0x46757c
						 *(_t73 - 4) = 1;
						L0040125C(_t22);
						_t55 = _t55 + 1;
					} while (_t68 == 0);
				}
				_t39 =  *((intOrPtr*)(_t73 - 0x14));
				_t56 = _t55 & 0xffffff00 | _t39 == 0x00000000;
				 *0x47e3d4 = _t39;
				if( *(_t73 - 0x10) != 0) {
					RegCloseKey( *(_t73 - 0x10)); // executed
					 *(_t73 - 0x10) =  *(_t73 - 0x10) & 0x00000000;
				}
				 *(_t73 - 4) =  *(_t73 - 4) | 0xffffffff;
				L0040125C(_t73 + 0xc);
				 *[fs:0x0] =  *((intOrPtr*)(_t73 - 0xc));
				return _t56;
			}

0x0042f35e
0x0042f35e
0x0042f363
0x0042f36c
0x0042f36e
0x0042f371
0x0042f374
0x0042f377
0x0042f37d
0x0042f37f
0x0042f37f
0x0042f390
0x0042f397
0x0042f39a
0x0042f3a0
0x0042f3a1
0x0042f3a7
0x0042f3aa
0x0042f3ac
0x0042f3b0
0x0042f3b7
0x0042f3be
0x0042f3c8
0x0042f3cb
0x0042f3cf
0x0042f3d6
0x0042f3da
0x0042f3eb
0x0042f3f4
0x0042f3f6
0x0042f3fa
0x0042f401
0x0042f406
0x0042f40a
0x0042f40a
0x0042f40f
0x0042f412
0x0042f416
0x0042f41b
0x0042f41c
0x0042f421
0x0042f422
0x0042f427
0x0042f42e
0x0042f433
0x0042f438
0x0042f43e
0x0042f43e
0x0042f442
0x0042f449
0x0042f454
0x0042f45c

APIs

__EH_prolog.LIBCMT ref: 0042F363
RegEnumKeyW.ADVAPI32(00000000,00000000,?,00000105), ref: 0042F3EB
RegCloseKey.KERNELBASE(00000000,?,0043D41C,00020019,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\), ref: 0042F438

Strings

|uF, xrefs: 0042F3C8
tuF, xrefs: 0042F3B7
puF, xrefs: 0042F37F
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\, xrefs: 0042F36B

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: CloseEnumH_prolog
String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$puF$tuF$|uF
API String ID: 1777603892-2147281292
Opcode ID: da5030f8c14a3c4eae68a6d6a8b9a04b550bc1e142004d345e4799f89c65ff09
Instruction ID: 0ad27f4a28fafc3eb61c6ed13e17a8b117a5f17ea06a1a209aff47f9ea910e7c
Opcode Fuzzy Hash: da5030f8c14a3c4eae68a6d6a8b9a04b550bc1e142004d345e4799f89c65ff09
Instruction Fuzzy Hash: BD31A434900219EFCB00EFA5C885BEEBBB8BF14318F50417EE415B3291D7788A48CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0042AE81 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0042AE81(void* __ebx, struct HWND__** __ecx, void* __eflags) {
				void* __edi;
				void* _t25;
				void* _t31;
				int _t32;
				signed int _t33;
				signed int _t35;
				void* _t37;
				void* _t47;
				struct HWND__** _t50;
				void* _t52;

				_t37 = __ebx;
				L0043B644(0x463718, _t52);
				_t50 = __ecx;
				 *((intOrPtr*)(_t52 - 0x10)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx + 4)) + 4)) + 0x2c))();
				 *(_t52 - 4) =  *(_t52 - 4) & 0x00000000;
				_push(0);
				_push(_t52 - 0x38);
				_t25 = E00403CE5(_t52 - 0x10, __eflags); // executed
				 *(_t52 - 4) = 1;
				L00401A1E(__ecx + 8, _t25);
				 *(_t52 - 4) =  *(_t52 - 4) & 0x00000000;
				L0040125C(_t52 - 0x38);
				_t28 = _t50[4];
				 *(_t52 - 4) =  *(_t52 - 4) | 0xffffffff;
				if(_t50[4] == 0) {
					_t28 = 0x467570;
				}
				E0042AB4A(_t50, _t28);
				_t47 = IsWindow;
				if(IsWindow( *_t50) != 0 && DestroyWindow( *_t50) != 0) {
					 *_t50 =  *_t50 & 0x00000000;
				}
				_t31 = E0042AFD3(_t37, _t50, _t47); // executed
				if(_t31 != 0) {
					_t32 = IsWindow( *_t50);
					__eflags = _t32;
					if(_t32 != 0) {
						SetForegroundWindow( *_t50);
					}
					_t33 = 0;
					__eflags = 0;
				} else {
					_t35 = GetLastError();
					if(_t35 != 0) {
						_t33 = _t35 | 0x80070000;
					} else {
						_t33 = 0x8000ffff;
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t52 - 0xc));
				return _t33;
			}

0x0042ae81
0x0042ae86
0x0042ae8f
0x0042ae9e
0x0042aea1
0x0042aea8
0x0042aeaa
0x0042aeae
0x0042aeb7
0x0042aebb
0x0042aec0
0x0042aec7
0x0042aecc
0x0042aecf
0x0042aed5
0x0042aed7
0x0042aed7
0x0042aedf
0x0042aee6
0x0042aef0
0x0042aefe
0x0042aefe
0x0042af03
0x0042af0a
0x0042af26
0x0042af28
0x0042af2a
0x0042af2e
0x0042af2e
0x0042af34
0x0042af34
0x0042af0c
0x0042af0c
0x0042af14
0x0042af1d
0x0042af16
0x0042af16
0x0042af16
0x0042af14
0x0042af3b
0x0042af43

APIs

__EH_prolog.LIBCMT ref: 0042AE86

Part of subcall function 00403CE5: __EH_prolog.LIBCMT ref: 00403CEA

Part of subcall function 0040125C: __EH_prolog.LIBCMT ref: 00401261
Part of subcall function 0040125C: GetLastError.KERNEL32(000004B1,00000000,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 00401284
Part of subcall function 0040125C: SysFreeString.OLEAUT32(?), ref: 004012A2
Part of subcall function 0040125C: SetLastError.KERNEL32(?,00000001,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 004012C2

IsWindow.USER32 ref: 0042AEEC
DestroyWindow.USER32(?,?,?,00000000,?,00000000), ref: 0042AEF4
GetLastError.KERNEL32(?,?,00000000,?,00000000), ref: 0042AF0C

Strings

puF, xrefs: 0042AED7

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorH_prologLast$Window$DestroyFreeString
String ID: puF
API String ID: 1014262789-1715984468
Opcode ID: c39fa022afd79010163bd32610f96fa25f1068afbcccb8353255c4cb8e365768
Instruction ID: cdee23a1ffcab203c812b295afcb522edf265c050ddde014ac41c326a2f657f5
Opcode Fuzzy Hash: c39fa022afd79010163bd32610f96fa25f1068afbcccb8353255c4cb8e365768
Instruction Fuzzy Hash: 3121F671710111EBDB20AF24D905B9EBBF8AF04309F11417EE846E32A0EB7DD910CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 0042463E Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 398
fileCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E0042463E(intOrPtr __ecx, void* __eflags) {
				void* __edi;
				void* __esi;
				void* _t180;
				signed int _t193;
				void* _t201;
				WCHAR* _t204;
				signed int _t209;
				WCHAR* _t211;
				WCHAR* _t214;
				struct HINSTANCE__* _t215;
				void* _t217;
				signed int _t221;
				WCHAR* _t223;
				WCHAR* _t229;
				void* _t234;
				void* _t241;
				void* _t244;
				void* _t245;
				WCHAR* _t252;
				int _t253;
				void* _t256;
				signed int _t264;
				void* _t268;
				intOrPtr _t276;
				WCHAR* _t317;
				signed int _t323;
				signed int _t330;
				void* _t333;
				void* _t335;
				void* _t336;
				intOrPtr _t338;
				intOrPtr _t339;
				intOrPtr _t340;
				void* _t343;
				signed int _t353;

				L0043B644(0x462fe4, _t333);
				_t336 = _t335 - 0x1fc;
				_push(0);
				 *((intOrPtr*)(_t333 - 0x10)) = __ecx;
				_push( *(_t333 + 0x10));
				 *((intOrPtr*)(_t333 - 0x94)) = 0x4675d8;
				 *((intOrPtr*)(_t333 - 0x74)) = 0x4675d0;
				L0040B2B8(_t333 - 0x94);
				_t342 =  *((intOrPtr*)(_t333 - 0x88));
				_push( *((intOrPtr*)(_t333 + 0x14)));
				 *(_t333 - 4) = 0;
				_t268 = _t333 - 0x94;
				if( *((intOrPtr*)(_t333 - 0x88)) == 0) {
					E004066ED(_t268);
				} else {
					E0040A76F(_t268);
				}
				L004215ED(_t333 - 0xa8);
				_push(_t333 - 0xa8);
				_push(_t333 - 0x94);
				_push(_t333 - 0xfc);
				 *(_t333 - 4) = 1;
				_t180 = L00423CA6( *((intOrPtr*)(_t333 - 0x10)), _t342);
				 *(_t333 - 4) = 2;
				E004066ED(_t333 - 0x94, _t180);
				 *(_t333 - 4) = 1;
				E004061C1(_t333 - 0xfc);
				 *((intOrPtr*)(_t333 - 0x2c)) = 0;
				 *((char*)(_t333 - 0x30)) =  *((intOrPtr*)(_t333 + 0xf));
				 *((intOrPtr*)(_t333 - 0x28)) = 0;
				 *((intOrPtr*)(_t333 - 0x24)) = 0;
				 *(_t333 - 4) = 3;
				_t343 = L0040B4AD(_t333 - 0x90, 0x4764fc, 0, L0043BA1F(0x4764fc)) -  *0x4675e0; // 0xffffffff
				_push(_t333 - 0x94);
				if(_t343 != 0) {
					_push( *((intOrPtr*)(_t333 - 0x28)));
					E004268C0(_t333 - 0x30, __eflags);
				} else {
					_push(_t333 - 0x30);
					L00425039( *((intOrPtr*)(_t333 - 0x10)), _t343);
				}
				 *((intOrPtr*)(_t333 - 0x1c)) = 0;
				 *(_t333 - 0x14) = 0;
				while(1) {
					_t276 =  *((intOrPtr*)(_t333 - 0x2c));
					if(_t276 == 0) {
						break;
					}
					_t193 =  *((intOrPtr*)(_t333 - 0x28)) - _t276;
					_t330 = 0x28;
					asm("cdq");
					_t323 = _t193 % _t330;
					if( *((intOrPtr*)(_t333 - 0x1c)) >= _t193 / _t330) {
						break;
					}
					_push(0);
					_push( *(_t333 - 0x14) + _t276);
					 *((intOrPtr*)(_t333 - 0x6c)) = 0x4675d8;
					 *((intOrPtr*)(_t333 - 0x4c)) = 0x4675d0;
					L0040B2B8(_t333 - 0x6c);
					_push(4);
					_t338 = _t336 - 0x28;
					_t331 = _t338;
					 *((intOrPtr*)(_t333 - 0x44)) = _t338;
					 *(_t333 - 4) = 4;
					L00401732(_t338, E0040A5A5(_t333 - 0x68), _t333 + 0x17, 1); // executed
					_t201 = E0042CFBE(); // executed
					_t336 = _t338 + 0x2c;
					if(_t201 == 0) {
						L32:
						 *(_t333 - 4) = 3;
						E004061C1(_t333 - 0x6c);
						 *((intOrPtr*)(_t333 - 0x1c)) =  *((intOrPtr*)(_t333 - 0x1c)) + 1;
						 *(_t333 - 0x14) =  *(_t333 - 0x14) + 0x28;
						continue;
					}
					if( *((intOrPtr*)(_t333 + 8)) == 4) {
						__eflags =  *((intOrPtr*)(_t333 + 0xc)) - 1;
						_t264 = 0x467500 |  *((intOrPtr*)(_t333 + 0xc)) == 0x00000001;
						L63:
						 *(_t333 - 4) = 3;
						E004061C1(_t333 - 0x6c);
						L72:
						 *(_t333 - 4) = 1;
						L0041D152(_t333 - 0x30);
						 *(_t333 - 4) =  *(_t333 - 4) & 0x00000000;
						L00421635(_t333 - 0xa8);
						_t168 = _t333 - 4;
						 *_t168 =  *(_t333 - 4) | 0xffffffff;
						__eflags =  *_t168;
						E004061C1(_t333 - 0x94);
						 *[fs:0x0] =  *((intOrPtr*)(_t333 - 0xc));
						return _t264;
					}
					if( *((intOrPtr*)(_t333 + 8)) == 8) {
						_t204 =  *(_t333 - 0x64);
						__eflags = _t204;
						if(_t204 == 0) {
							_t204 = 0x4675e4;
						}
						L00424F33(_t204, _t333 + 0x10, _t333 - 0x14);
						_push(_t333 + 8);
						_push(_t333 + 0x14);
						_push( *((intOrPtr*)(_t333 + 0x18)));
						L00424C6A(0, _t331, __eflags);
						_t209 =  *(_t333 + 0x10);
						__eflags =  *((intOrPtr*)(_t333 + 0x14)) - _t209;
						if( *((intOrPtr*)(_t333 + 0x14)) != _t209) {
							L39:
							asm("sbb eax, eax");
							_t211 = (_t209 & 0x00000002) - 1;
							__eflags = _t211;
							goto L40;
						} else {
							_t209 =  *(_t333 - 0x14);
							__eflags =  *((intOrPtr*)(_t333 + 8)) - _t209;
							if( *((intOrPtr*)(_t333 + 8)) != _t209) {
								goto L39;
							}
							_t211 = 0;
							L40:
							__eflags =  *((intOrPtr*)(_t333 + 0xc)) - 1;
							if( *((intOrPtr*)(_t333 + 0xc)) != 1) {
								__eflags =  *((intOrPtr*)(_t333 + 0xc)) - 2;
								if( *((intOrPtr*)(_t333 + 0xc)) != 2) {
									L46:
									_t264 = 0;
									goto L63;
								}
								__eflags = _t211 - 0xffffffff;
								if(_t211 == 0xffffffff) {
									L42:
									_t264 = 1;
									goto L63;
								}
							}
							__eflags = _t211;
							if(_t211 != 0) {
								goto L46;
							}
							goto L42;
						}
					}
					if( *((intOrPtr*)(_t333 + 8)) != 0x10) {
						goto L32;
					}
					_t332 = 1;
					L00425D98(_t333 - 0xd4, _t333 + 0x13, _t332);
					_t214 =  *(_t333 - 0x64);
					 *(_t333 - 4) = 5;
					if(_t214 == 0) {
						_t214 = 0x4675e4;
					}
					_t215 = GetModuleHandleW(_t214); // executed
					_t351 = _t215;
					if(_t215 == 0) {
						L28:
						_t216 =  *(_t333 - 0x64);
						if( *(_t333 - 0x64) == 0) {
							_t216 = 0x4675e4;
						}
						_t217 = E00424F97( *((intOrPtr*)(_t333 - 0x10)), _t216, _t333 - 0x40, _t333 - 0x3c); // executed
						if(_t217 != 0) {
							_push(_t333 - 0x34);
							_push(_t333 - 0x38);
							_push( *((intOrPtr*)(_t333 + 0x18)));
							L00424D67(0, _t332, __eflags);
							_t221 =  *(_t333 - 0x40);
							__eflags =  *((intOrPtr*)(_t333 - 0x38)) - _t221;
							if( *((intOrPtr*)(_t333 - 0x38)) != _t221) {
								L50:
								asm("sbb eax, eax");
								_t223 = (_t221 & 0x00000002) - 1;
								__eflags = _t223;
								L51:
								__eflags =  *((intOrPtr*)(_t333 + 0xc)) - 1;
								if( *((intOrPtr*)(_t333 + 0xc)) != 1) {
									__eflags =  *((intOrPtr*)(_t333 + 0xc)) - 2;
									if( *((intOrPtr*)(_t333 + 0xc)) != 2) {
										__eflags =  *((intOrPtr*)(_t333 + 0xc)) - 4;
										if( *((intOrPtr*)(_t333 + 0xc)) != 4) {
											L61:
											 *(_t333 - 4) = 0x13;
											_t264 = 0;
											__eflags = 0;
											L62:
											L00424BBF(_t333 - 0xd4);
											 *(_t333 - 4) = 4;
											E004061C1(_t333 - 0xd4);
											goto L63;
										}
										__eflags = _t223 - 1;
										if(_t223 != 1) {
											goto L61;
										}
										 *(_t333 - 4) = 0x12;
										L54:
										_t264 = 1;
										goto L62;
									}
									__eflags = _t223 - 0xffffffff;
									if(_t223 != 0xffffffff) {
										goto L61;
									}
									 *(_t333 - 4) = 0x11;
									goto L54;
								}
								__eflags = _t223;
								if(_t223 != 0) {
									goto L61;
								}
								 *(_t333 - 4) = 0x10;
								goto L54;
							}
							_t221 =  *(_t333 - 0x3c);
							__eflags =  *((intOrPtr*)(_t333 - 0x34)) - _t221;
							if( *((intOrPtr*)(_t333 - 0x34)) != _t221) {
								goto L50;
							}
							_t223 = 0;
							goto L51;
						} else {
							 *(_t333 - 4) = 0xf;
							L00424BBF(_t333 - 0xd4);
							 *(_t333 - 4) = 4;
							E004061C1(_t333 - 0xd4);
							goto L32;
						}
					} else {
						L00412E5D(_t333 - 0x140, _t351);
						_t229 =  *(_t333 - 0x64);
						 *(_t333 - 4) = 6;
						_t352 = _t229;
						if(_t229 == 0) {
							_t229 = 0x4675e4;
						}
						_push(0);
						_push(_t333 - 0x15);
						_push(_t229);
						 *((intOrPtr*)(_t333 - 0xfc)) = 0x4675a0;
						 *((intOrPtr*)(_t333 - 0xdc)) = 0x467598;
						L0040176A(_t333 - 0xfc);
						 *(_t333 - 4) = 7;
						E00412F07(_t333 - 0x140, _t352, _t333 - 0xfc, 0x80000000, _t332, 0x80, 3, 0, 0);
						 *(_t333 - 4) = 6;
						L0040125C(_t333 - 0xfc);
						_t234 = L0041EEA2(_t333 - 0x140);
						_t353 = _t323;
						if(_t353 > 0) {
							L27:
							 *((intOrPtr*)(_t333 - 0x140)) = 0x467ef8;
							 *(_t333 - 4) = 0xe;
							E004134DD(_t333 - 0x140);
							 *(_t333 - 4) = 5;
							L0040125C(_t333 - 0x134);
							goto L28;
						} else {
							if(_t353 < 0) {
								L21:
								_push(_t333 - 0x168);
								_t339 = _t336 - 0x28;
								 *((intOrPtr*)(_t333 - 0x44)) = _t339;
								L00401732(_t339, 0x47e150, _t333 - 0x1d, _t332);
								_push(_t333 - 0x1e0);
								 *(_t333 - 4) = 8;
								_t241 = E0040C1C7(_t333 - 0x6c, _t354);
								_t340 = _t339 - 0x28;
								 *(_t333 - 4) = 9;
								 *((intOrPtr*)(_t333 - 0xac)) = _t340;
								_push(_t340);
								E0040A6F4(_t241);
								_push(_t332);
								_push(_t333 - 0x208);
								 *(_t333 - 4) = 0xa;
								_t244 = E0042D54C();
								_t336 = _t340 + 0x58;
								 *(_t333 - 4) = 0xb;
								_t245 = L0040B0D5(_t244);
								 *(_t333 - 4) = 0xc;
								E004066ED(_t333 - 0xd4, _t245);
								 *(_t333 - 4) = 0xb;
								E004061C1(_t333 - 0x168);
								 *(_t333 - 4) = 0xa;
								L0040125C(_t333 - 0x208);
								 *(_t333 - 4) = 6;
								E004061C1(_t333 - 0x1e0);
								_t252 =  *(L00424C40(_t333 - 0xd4, _t333 - 0x190) + 8);
								if(_t252 == 0) {
									_t252 = 0x4675e4;
								}
								_t317 =  *(_t333 - 0x64);
								if(_t317 == 0) {
									_t317 = 0x4675e4;
								}
								_t253 = CopyFileW(_t317, _t252, 0);
								_t332 = _t253;
								E004061C1(_t333 - 0x190);
								if(_t253 != 0) {
									_t256 = L00424C40(_t333 - 0xd4, _t333 - 0x1b8);
									 *(_t333 - 4) = 0xd;
									E004066ED(_t333 - 0x6c, _t256);
									 *(_t333 - 4) = 6;
									E004061C1(_t333 - 0x1b8);
								}
								goto L27;
							}
							_t354 = _t234 - 0xf00000;
							if(_t234 >= 0xf00000) {
								goto L27;
							}
							goto L21;
						}
					}
				}
				__eflags =  *((intOrPtr*)(_t333 + 8)) - 4;
				if( *((intOrPtr*)(_t333 + 8)) != 4) {
					__eflags =  *((intOrPtr*)(_t333 + 8)) - 0x10;
					if( *((intOrPtr*)(_t333 + 8)) != 0x10) {
						L68:
						__eflags =  *((intOrPtr*)(_t333 + 8)) - 8;
						if( *((intOrPtr*)(_t333 + 8)) != 8) {
							L71:
							_t264 = 0;
							__eflags = 0;
							goto L72;
						}
						__eflags =  *((intOrPtr*)(_t333 + 0xc)) - 2;
						if( *((intOrPtr*)(_t333 + 0xc)) != 2) {
							goto L71;
						}
						L70:
						_t264 = 1;
						goto L72;
					}
					__eflags =  *((intOrPtr*)(_t333 + 0xc)) - 2;
					if( *((intOrPtr*)(_t333 + 0xc)) == 2) {
						goto L70;
					}
					goto L68;
				}
				__eflags =  *((intOrPtr*)(_t333 + 0xc)) - 2;
				_t264 = 0x467500 |  *((intOrPtr*)(_t333 + 0xc)) == 0x00000002;
				goto L72;
			}

0x00424643
0x00424648
0x00424653
0x00424654
0x00424657
0x00424660
0x0042466a
0x00424671
0x00424676
0x0042467c
0x0042467f
0x00424682
0x00424688
0x00424691
0x0042468a
0x0042468a
0x0042468a
0x0042469c
0x004246aa
0x004246b1
0x004246b8
0x004246b9
0x004246bd
0x004246c9
0x004246cd
0x004246d8
0x004246dc
0x004246e4
0x004246e7
0x004246ea
0x004246ed
0x004246f5
0x0042470e
0x0042471a
0x0042471b
0x0042472b
0x00424731
0x0042471d
0x00424723
0x00424724
0x00424724
0x00424736
0x00424739
0x00424741
0x00424741
0x00424746
0x00000000
0x00000000
0x00424751
0x00424753
0x00424754
0x00424755
0x0042475a
0x00000000
0x00000000
0x00424763
0x00424769
0x0042476a
0x00424771
0x00424778
0x0042477d
0x00424782
0x00424788
0x0042478a
0x00424790
0x0042479c
0x004247a1
0x004247a6
0x004247ab
0x00424a07
0x00424a0a
0x00424a0e
0x00424a13
0x00424a16
0x00000000
0x00424a16
0x004247b5
0x00424a1f
0x00424a23
0x00424b18
0x00424b1b
0x00424b1f
0x00424b53
0x00424b56
0x00424b5a
0x00424b5f
0x00424b69
0x00424b6e
0x00424b6e
0x00424b6e
0x00424b78
0x00424b84
0x00424b8d
0x00424b8d
0x004247bf
0x00424a2b
0x00424a2e
0x00424a30
0x00424a32
0x00424a32
0x00424a40
0x00424a4b
0x00424a4f
0x00424a50
0x00424a53
0x00424a58
0x00424a5b
0x00424a5e
0x00424a6c
0x00424a6c
0x00424a71
0x00424a71
0x00000000
0x00424a60
0x00424a60
0x00424a63
0x00424a66
0x00000000
0x00000000
0x00424a68
0x00424a72
0x00424a72
0x00424a76
0x00424a83
0x00424a87
0x00424a90
0x00424a90
0x00000000
0x00424a90
0x00424a89
0x00424a8c
0x00424a7c
0x00424a7c
0x00000000
0x00424a7c
0x00424a8e
0x00424a78
0x00424a7a
0x00000000
0x00000000
0x00000000
0x00424a7a
0x00424a5e
0x004247c9
0x00000000
0x00000000
0x004247d4
0x004247dd
0x004247e2
0x004247e5
0x004247eb
0x004247ed
0x004247ed
0x004247f0
0x004247f6
0x004247f8
0x004249c7
0x004249c7
0x004249cc
0x004249ce
0x004249ce
0x004249dc
0x004249e3
0x00424a9d
0x00424aa1
0x00424aa2
0x00424aa5
0x00424aaa
0x00424aad
0x00424ab0
0x00424abe
0x00424abe
0x00424ac3
0x00424ac3
0x00424ac4
0x00424ac4
0x00424ac8
0x00424ad6
0x00424ada
0x00424ae7
0x00424aeb
0x00424af8
0x00424af8
0x00424afc
0x00424afc
0x00424afe
0x00424b04
0x00424b0f
0x00424b13
0x00000000
0x00424b13
0x00424aed
0x00424af0
0x00000000
0x00000000
0x00424af2
0x00424ad2
0x00424ad2
0x00000000
0x00424ad2
0x00424adc
0x00424adf
0x00000000
0x00000000
0x00424ae1
0x00000000
0x00424ae1
0x00424aca
0x00424acc
0x00000000
0x00000000
0x00424ace
0x00000000
0x00424ace
0x00424ab2
0x00424ab5
0x00424ab8
0x00000000
0x00000000
0x00424aba
0x00000000
0x004249e9
0x004249ef
0x004249f3
0x004249fe
0x00424a02
0x00000000
0x00424a02
0x004247fe
0x00424804
0x00424809
0x0042480c
0x00424810
0x00424812
0x00424814
0x00424814
0x00424819
0x0042481a
0x0042481b
0x00424822
0x0042482c
0x00424836
0x00424857
0x0042485b
0x00424866
0x0042486a
0x00424875
0x0042487a
0x0042487c
0x0042499f
0x0042499f
0x004249af
0x004249b3
0x004249be
0x004249c2
0x00000000
0x00424882
0x00424882
0x0042488f
0x00424895
0x00424899
0x0042489e
0x004248a8
0x004248b6
0x004248b7
0x004248bb
0x004248c0
0x004248c3
0x004248c9
0x004248cf
0x004248d2
0x004248dd
0x004248de
0x004248df
0x004248e3
0x004248e8
0x004248ed
0x004248f1
0x004248fd
0x00424901
0x0042490c
0x00424910
0x0042491b
0x0042491f
0x0042492a
0x0042492e
0x00424945
0x0042494a
0x0042494c
0x0042494c
0x0042494e
0x00424953
0x00424955
0x00424955
0x0042495a
0x00424966
0x00424968
0x0042496f
0x0042497e
0x00424987
0x0042498b
0x00424996
0x0042499a
0x0042499a
0x00000000
0x0042496f
0x00424884
0x00424889
0x00000000
0x00000000
0x00000000
0x00424889
0x0042487c
0x004247f8
0x00424b26
0x00424b2a
0x00424b35
0x00424b39
0x00424b41
0x00424b41
0x00424b45
0x00424b51
0x00424b51
0x00424b51
0x00000000
0x00424b51
0x00424b47
0x00424b4b
0x00000000
0x00000000
0x00424b4d
0x00424b4d
0x00000000
0x00424b4d
0x00424b3b
0x00424b3f
0x00000000
0x00000000
0x00000000
0x00424b3f
0x00424b2c
0x00424b30
0x00000000

APIs

__EH_prolog.LIBCMT ref: 00424643

Part of subcall function 0040B2B8: __EH_prolog.LIBCMT ref: 0040B2BD
Part of subcall function 0040B2B8: GetLastError.KERNEL32(004675D0,00000000,004675D8,?,0040C0EE,?,00000000,00000000,?,?,00000000), ref: 0040B2E5
Part of subcall function 0040B2B8: SetLastError.KERNEL32(?,00000000,00000000,00000000,?,0040C0EE,?,00000000,00000000,?,?,00000000), ref: 0040B332

GetModuleHandleW.KERNELBASE(?,?,00000001), ref: 004247F0

Part of subcall function 0040125C: __EH_prolog.LIBCMT ref: 00401261
Part of subcall function 0040125C: GetLastError.KERNEL32(000004B1,00000000,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 00401284
Part of subcall function 0040125C: SysFreeString.OLEAUT32(?), ref: 004012A2
Part of subcall function 0040125C: SetLastError.KERNEL32(?,00000001,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 004012C2

Part of subcall function 004061C1: __EH_prolog.LIBCMT ref: 004061C6
Part of subcall function 004061C1: GetLastError.KERNEL32(000004B1,00000000,?,0040C82E,004675D8,?,00000000,?,00000000,004675D0,?,004675D8), ref: 004061E9
Part of subcall function 004061C1: SysFreeString.OLEAUT32(?), ref: 00406207
Part of subcall function 004061C1: SetLastError.KERNEL32(?,00000001,?,0040C82E,004675D8,?,00000000,?,00000000,004675D0,?,004675D8), ref: 00406227

CopyFileW.KERNEL32(?,?,00000000,?,00000000), ref: 0042495A

Strings

uF, xrefs: 0042473C
_:A, xrefs: 0042499F
(, xrefs: 00424A16

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorLast$H_prolog$FreeString$CopyFileHandleModule
String ID: ($_:A$uF
API String ID: 2996456825-959286972
Opcode ID: ac41af61da407afb7f25757455e3fcb2901d5258f4405c6206a63f6e887a4732
Instruction ID: d402e1d3b1705eae72a08e2c9db413af3f7c43ba5007b41ab8162846334dea43
Opcode Fuzzy Hash: ac41af61da407afb7f25757455e3fcb2901d5258f4405c6206a63f6e887a4732
Instruction Fuzzy Hash: DFF19830A00258EACF21DBA5D945BEEBB74EF55304F50409FE419A7281DB785B48CF6A

Uniqueness

Uniqueness Score: -1.00%

Function 004336A5 Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 256
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E004336A5(void* __ecx, void* __edx, void* __eflags) {
				void* __ebx;
				intOrPtr _t138;
				intOrPtr _t142;
				intOrPtr _t147;
				short* _t150;
				short* _t151;
				void* _t166;
				void* _t173;
				void* _t179;
				intOrPtr _t184;
				void* _t188;
				void* _t226;
				void* _t239;
				intOrPtr _t243;
				intOrPtr _t244;
				void* _t248;
				void* _t250;
				void* _t252;
				intOrPtr _t254;
				intOrPtr _t255;
				void* _t257;

				_t257 = __eflags;
				_t239 = __edx;
				L0043B644(E00464519, _t250);
				_t248 = __ecx;
				 *(_t250 - 4) = 1;
				L004354E4(__ecx + 4);
				L0043586D();
				 *((char*)(__ecx + 0x50)) =  *((intOrPtr*)(_t250 + 0x58));
				L00401A1E(__ecx + 0x54, _t250 + 0x30);
				L00401A1E(_t248 + 0x28, _t250 + 8);
				 *((char*)(_t250 - 0x28)) =  *((intOrPtr*)(_t250 + 0x5b));
				 *((intOrPtr*)(_t250 - 0x24)) = 0;
				 *((intOrPtr*)(_t250 - 0x20)) = 0;
				 *((intOrPtr*)(_t250 - 0x1c)) = 0;
				 *(_t250 - 4) = 2;
				_push(_t248 + 0x84);
				_push(_t248 + 0x80);
				_push(_t250 - 0x28);
				_t254 = _t252 - 0x160;
				 *((intOrPtr*)(_t250 + 0x58)) = _t254;
				L00401708(_t254, _t250 + 8, 1); // executed
				_t138 = E00433A47(_t239, _t257); // executed
				_t255 = _t254 + 0x34;
				 *((intOrPtr*)(_t248 + 0x88)) = _t138;
				if(_t138 == 0) {
					_push(0);
					_push(_t250 + 0x5b);
					 *((intOrPtr*)(_t250 - 0x50)) = 0x46757c;
					 *((intOrPtr*)(_t250 - 0x30)) = 0x467574;
					L00401C68(_t250 - 0x50);
					 *(_t250 - 4) = 3;
					 *((intOrPtr*)(_t250 - 0x10)) =  *((intOrPtr*)(_t248 + 0xc));
					_t142 =  *((intOrPtr*)(_t250 - 0x24));
					 *((intOrPtr*)(_t250 - 0x14)) = _t142;
					while(1) {
						__eflags = _t142 -  *((intOrPtr*)(_t250 - 0x20));
						if(_t142 ==  *((intOrPtr*)(_t250 - 0x20))) {
							break;
						}
						L00401A1E(_t250 - 0x50,  *((intOrPtr*)(_t250 - 0x14)));
						__eflags =  *((intOrPtr*)(_t250 - 0x44));
						if( *((intOrPtr*)(_t250 - 0x44)) == 0) {
							L6:
							__eflags =  *((intOrPtr*)(_t250 - 0x34));
							_t243 =  *0x467594; // 0xffffffff
							if( *((intOrPtr*)(_t250 - 0x34)) != 0) {
								__imp__#6( *((intOrPtr*)(_t250 - 0x34)));
								 *((intOrPtr*)(_t250 - 0x34)) = 0;
							}
							L00401F50(_t250 - 0x4c, _t250, 0, _t243);
							goto L21;
						} else {
							_t150 = L0040CC86(_t250 - 0x4c, 0);
							__eflags =  *_t150 - 0x3b;
							if( *_t150 != 0x3b) {
								_t151 = L0040CC86(_t250 - 0x4c, 0);
								__eflags =  *_t151 - 0x5b;
								if( *_t151 != 0x5b) {
									__eflags =  *((intOrPtr*)(_t248 + 0xc)) -  *((intOrPtr*)(_t250 - 0x10));
									if( *((intOrPtr*)(_t248 + 0xc)) ==  *((intOrPtr*)(_t250 - 0x10))) {
										goto L22;
									} else {
										asm("sbb ecx, ecx");
										_t244 = L0040B6E0( ~(_t248 + 0x54) & _t248 + 0x58, 0);
										__eflags = _t244 - 0xffffffff;
										if(_t244 == 0xffffffff) {
											_t244 =  *((intOrPtr*)(_t250 - 0x44));
										}
										E00401A68(_t250 - 0x50, _t250 - 0xcc, 0, _t244); // executed
										_push(1);
										_t221 = _t250 - 0xa4;
										 *(_t250 - 4) = 8;
										L00439E12(_t250 - 0xa4);
										__eflags = _t244 -  *((intOrPtr*)(_t250 - 0x44));
										 *(_t250 - 4) = 9;
										if(_t244 <  *((intOrPtr*)(_t250 - 0x44))) {
											_t173 = L00435008(_t250 - 0x4c);
											_t255 = _t255 - 0x28;
											 *((intOrPtr*)(_t250 - 0x54)) = _t255;
											__eflags = _t244 + 1;
											E00401A68(_t250 - 0x50, _t255, _t244 + 1, _t173 - _t244 - 1); // executed
											_t221 = _t250 - 0xa4;
											L00433A10(_t250 - 0xa4, __eflags);
										}
										_t166 = E004362DD(_t221, _t250 - 0x194, _t250 - 0xcc, _t250 - 0xa4);
										_t255 = _t255 + 0xc;
										 *(_t250 - 4) = 0xa;
										L0043500C(0,  *((intOrPtr*)(_t250 - 0x10)) + 0x2c, _t166);
										 *(_t250 - 4) = 0xb;
										L00439E3F(_t250 - 0x16c);
										 *(_t250 - 4) = 9;
										L0040125C(_t250 - 0x194);
										 *(_t250 - 4) = 8;
										L00439E3F(_t250 - 0xa4);
										 *(_t250 - 4) = 3;
										_t226 = _t250 - 0xcc;
										goto L20;
									}
								} else {
									 *((intOrPtr*)(_t250 - 0x10)) = 0x5d;
									_t179 = E0040238F(_t250 - 0x4c, _t250 - 0x10, 0, 1);
									__eflags = _t179 -  *0x467594; // 0xffffffff
									if(__eflags == 0) {
										L22:
										 *(_t250 - 4) = 2;
										L0040125C(_t250 - 0x50);
										 *(_t250 - 4) = 1;
										L00401C2F(_t250 - 0x28);
										 *(_t250 - 4) = 0;
										L0040125C(_t250 + 8);
										 *(_t250 - 4) =  *(_t250 - 4) | 0xffffffff;
										L0040125C(_t250 + 0x30);
										_t147 = 0;
									} else {
										_push(0);
										_push(_t250 - 0x15);
										_push(_t179 - 1);
										_push(1);
										_push(_t250 - 0x50);
										 *((intOrPtr*)(_t250 - 0x7c)) = 0x46757c;
										 *((intOrPtr*)(_t250 - 0x5c)) = 0x467574;
										E00401D70(_t250 - 0x7c);
										_t245 = _t248 + 4;
										 *(_t250 - 4) = 4;
										_t184 = E0043A2ED(_t248 + 4, _t250 - 0x7c);
										__eflags =  *((intOrPtr*)(_t248 + 0xc)) - _t184;
										 *((intOrPtr*)(_t250 - 0x10)) = _t184;
										if(__eflags == 0) {
											_push(L00439E65(_t250 - 0xf4));
											_push(_t250 - 0x7c);
											_push(_t250 - 0x144);
											 *(_t250 - 4) = 5;
											_t188 = E00436293(_t250 - 0xf4, __eflags);
											_t255 = _t255 + 0xc;
											 *(_t250 - 4) = 6;
											 *((intOrPtr*)(_t250 - 0x10)) = L00435171(0, _t245, _t188);
											 *(_t250 - 4) = 7;
											L00439F6E(_t250 - 0x11c);
											 *(_t250 - 4) = 5;
											L0040125C(_t250 - 0x144);
											 *(_t250 - 4) = 4;
											L00439F6E(_t250 - 0xf4);
										}
										 *(_t250 - 4) = 3;
										_t226 = _t250 - 0x7c;
										L20:
										L0040125C(_t226);
										L21:
										 *((intOrPtr*)(_t250 - 0x14)) =  *((intOrPtr*)(_t250 - 0x14)) + 0x28;
										_t142 =  *((intOrPtr*)(_t250 - 0x14));
										continue;
									}
								}
							} else {
								goto L6;
							}
						}
						goto L25;
					}
					 *((char*)(_t248 + 0x51)) = 0;
					 *(_t250 - 4) = 2;
					L0040125C(_t250 - 0x50);
					 *((char*)(_t250 + 0x5b)) = 1;
					goto L24;
				} else {
					 *((char*)(_t250 + 0x5b)) = 0;
					L24:
					 *(_t250 - 4) = 1;
					L00401C2F(_t250 - 0x28);
					 *(_t250 - 4) = 0;
					L0040125C(_t250 + 8);
					 *(_t250 - 4) =  *(_t250 - 4) | 0xffffffff;
					L0040125C(_t250 + 0x30);
					_t147 =  *((intOrPtr*)(_t250 + 0x5b));
				}
				L25:
				 *[fs:0x0] =  *((intOrPtr*)(_t250 - 0xc));
				return _t147;
			}

0x004336a5
0x004336a5
0x004336aa
0x004336b8
0x004336bd
0x004336c6
0x004336ce
0x004336d9
0x004336e0
0x004336ec
0x004336f6
0x004336f9
0x004336fc
0x004336ff
0x00433708
0x0043370c
0x00433713
0x00433717
0x0043371b
0x00433720
0x00433726
0x0043372b
0x00433730
0x00433735
0x0043373b
0x00433748
0x00433749
0x0043374d
0x00433754
0x0043375b
0x00433763
0x00433767
0x0043376a
0x0043376d
0x00433770
0x00433770
0x00433773
0x00000000
0x00000000
0x0043377f
0x00433784
0x00433787
0x00433798
0x00433798
0x0043379b
0x004337a1
0x004337a6
0x004337ac
0x004337ac
0x004337b4
0x00000000
0x00433789
0x0043378d
0x00433792
0x00433796
0x004337c2
0x004337c7
0x004337cb
0x0043389e
0x004338a1
0x00000000
0x004338a7
0x004338b2
0x004338bf
0x004338c1
0x004338c4
0x004338c6
0x004338c6
0x004338d5
0x004338da
0x004338dc
0x004338e2
0x004338e6
0x004338eb
0x004338ee
0x004338f2
0x004338f7
0x004338fe
0x00433904
0x00433907
0x0043390e
0x00433913
0x00433919
0x00433919
0x00433933
0x00433938
0x0043393f
0x00433946
0x00433951
0x00433955
0x00433960
0x00433964
0x0043396f
0x00433973
0x00433978
0x0043397c
0x00000000
0x0043397c
0x004337d1
0x004337db
0x004337e2
0x004337e7
0x004337ed
0x00433993
0x00433996
0x0043399a
0x004339a2
0x004339a6
0x004339ae
0x004339b1
0x004339b6
0x004339bd
0x004339c2
0x004337f3
0x004337f6
0x004337f8
0x004337f9
0x004337fd
0x004337ff
0x00433803
0x0043380a
0x00433811
0x00433819
0x0043381f
0x00433823
0x00433828
0x0043382b
0x0043382e
0x0043383b
0x0043383f
0x00433846
0x00433847
0x0043384b
0x00433850
0x00433856
0x0043385f
0x00433868
0x0043386c
0x00433877
0x0043387b
0x00433886
0x0043388a
0x0043388a
0x0043388f
0x00433893
0x00433982
0x00433982
0x00433987
0x00433987
0x0043398b
0x00000000
0x0043398b
0x004337ed
0x00000000
0x00000000
0x00000000
0x00433796
0x00000000
0x00433787
0x004339c9
0x004339cc
0x004339d0
0x004339d5
0x00000000
0x0043373d
0x0043373d
0x004339d9
0x004339dc
0x004339e0
0x004339e8
0x004339eb
0x004339f0
0x004339f7
0x004339fc
0x004339fc
0x004339ff
0x00433a04
0x00433a0d

APIs

__EH_prolog.LIBCMT ref: 004336AA

Part of subcall function 00433A47: __EH_prolog.LIBCMT ref: 00433A4C

SysFreeString.OLEAUT32(?), ref: 004337A6

Part of subcall function 0040125C: __EH_prolog.LIBCMT ref: 00401261
Part of subcall function 0040125C: GetLastError.KERNEL32(000004B1,00000000,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 00401284
Part of subcall function 0040125C: SysFreeString.OLEAUT32(?), ref: 004012A2
Part of subcall function 0040125C: SetLastError.KERNEL32(?,00000001,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 004012C2

Strings

tuF, xrefs: 0043380A
tuF, xrefs: 00433754
|uF, xrefs: 00433803
|uF, xrefs: 0043374D

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: H_prolog$ErrorFreeLastString
String ID: tuF$tuF$|uF$|uF
API String ID: 3953002420-2778201586
Opcode ID: 9b6a3242e5ace930398f5055164409bcc966402438d98a15b31eee42a4876a47
Instruction ID: aa85c9305b5ba41b075c088db2db3d9bde195d49215e2d99209027db94b3dce4
Opcode Fuzzy Hash: 9b6a3242e5ace930398f5055164409bcc966402438d98a15b31eee42a4876a47
Instruction Fuzzy Hash: C6B19671C00248DFDB15EFE5C981AEEBBB8AF18308F14419EE45673291EB785B48CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00403E82 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 186
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E00403E82(intOrPtr __ecx, void* __eflags) {
				void* _t102;
				void* _t103;
				void* _t115;
				void* _t135;
				intOrPtr* _t157;
				void* _t169;
				void* _t176;
				void* _t178;
				intOrPtr _t182;
				intOrPtr _t186;
				intOrPtr _t187;
				void* _t188;

				_t188 = __eflags;
				L0043B644(0x45f22c, _t176);
				 *((intOrPtr*)(_t176 - 0x14)) = __ecx;
				_push(0);
				_push(_t176 - 0x1d);
				 *((intOrPtr*)(_t176 - 0x24)) = 0;
				 *((intOrPtr*)(_t176 - 0x7c)) = 0x46757c;
				 *((intOrPtr*)(_t176 - 0x5c)) = 0x467574;
				L00401C68(_t176 - 0x7c);
				 *((intOrPtr*)(_t176 - 4)) = 1;
				L004057E0(_t176 - 0x7c, L"0x%04x",  *( *((intOrPtr*)(_t176 - 0x14)) + 0x48) & 0x0000ffff);
				 *((intOrPtr*)(_t176 - 0xa4)) = 0x46757c;
				_push(0);
				_push(_t176 - 0x15);
				 *((intOrPtr*)(_t176 - 0x84)) = 0x467574;
				L00401C68(_t176 - 0xa4);
				 *((char*)(_t176 - 4)) = 2;
				L004057E0(_t176 - 0xa4, L"%ld",  *((intOrPtr*)(_t176 + 0xc)));
				_push(L".ini");
				_push(_t176 - 0x7c);
				_push(_t176 - 0x11c);
				 *((intOrPtr*)(_t176 - 0x1c)) = L00405EDE(_t188);
				 *((char*)(_t176 - 4)) = 3;
				_t102 = L00403C08( *((intOrPtr*)(_t176 - 0x14)), _t176 - 0x16c);
				_push(0);
				_push(0);
				_push(_t176 - 0xf4);
				 *((char*)(_t176 - 4)) = 4;
				_t103 = L00401840(_t102, _t188);
				_push( *((intOrPtr*)(_t176 - 0x1c)));
				 *((char*)(_t176 - 4)) = 5;
				_push(_t176 - 0xcc);
				L00405670(_t103, _t188);
				 *((char*)(_t176 - 4)) = 9;
				L0040125C(_t176 - 0xf4);
				 *((char*)(_t176 - 4)) = 8;
				L0040125C(_t176 - 0x16c);
				 *((char*)(_t176 - 4)) = 7;
				L0040125C(_t176 - 0x11c);
				L0043334B(_t176 - 0x220, _t188);
				_push(0);
				_push(_t176 - 0x1e);
				 *((char*)(_t176 - 4)) = 0xa;
				 *((intOrPtr*)(_t176 - 0x54)) = 0x46757c;
				 *((intOrPtr*)(_t176 - 0x34)) = 0x467574;
				L00401C68(_t176 - 0x54);
				_push(0);
				_t182 = _t178 - 0x214 + 0x24 - 0x28;
				 *((char*)(_t176 - 4)) = 0xb;
				 *((intOrPtr*)(_t176 - 0x1c)) = _t182;
				L00401732(_t182, "=", _t176 - 0xd, 1);
				_t183 = _t182 - 0x28;
				 *((intOrPtr*)(_t176 - 0x28)) = _t183;
				 *((char*)(_t176 - 4)) = 0xc;
				L00401708(_t183, _t176 - 0xcc, 1);
				_t156 = _t176 - 0x220;
				 *((char*)(_t176 - 4)) = 0xb;
				_t115 = E004336A5(_t176 - 0x220, _t169, _t188); // executed
				_t189 = _t115;
				if(_t115 != 0) {
					_t186 = _t183 - 0x28;
					 *((intOrPtr*)(_t176 - 0x28)) = _t186;
					_push(1);
					_push(_t176 - 0xd);
					_push(0x47e154);
					L00401B15(_t186);
					_t187 = _t186 - 0x28;
					 *((intOrPtr*)(_t176 - 0x1c)) = _t187;
					 *((char*)(_t176 - 4)) = 0xd;
					L00401708(_t187, _t176 - 0xa4, 1);
					_t183 = _t187 - 0x28;
					 *((intOrPtr*)(_t176 - 0x2c)) = _t187 - 0x28;
					 *((char*)(_t176 - 4)) = 0xe;
					L00401708(_t187 - 0x28, _t176 - 0x7c, 1);
					_push(_t176 - 0x144);
					 *((char*)(_t176 - 4)) = 0xb;
					_t135 = E004342AF(_t176 - 0x220, _t169, _t189);
					 *((char*)(_t176 - 4)) = 0xf;
					L00401A1E(_t176 - 0x54, _t135);
					_t156 = _t176 - 0x144;
					 *((char*)(_t176 - 4)) = 0xb;
					L0040125C(_t176 - 0x144);
				}
				_t190 =  *((intOrPtr*)(_t176 - 0x48));
				if( *((intOrPtr*)(_t176 - 0x48)) == 0) {
					L0042F908(_t156, _t176 - 0x54,  *((intOrPtr*)(_t176 + 0xc)),  *( *((intOrPtr*)(_t176 - 0x14)) + 0x48),  *((intOrPtr*)( *((intOrPtr*)(_t176 - 0x14)) + 0x20)));
				}
				_t157 =  *((intOrPtr*)(_t176 + 8));
				_push(0);
				_push(_t176 - 0x54);
				 *_t157 = 0x46757c;
				 *((intOrPtr*)(_t157 + 0x20)) = 0x467574;
				L00401CDD(_t157);
				 *((intOrPtr*)(_t176 - 0x24)) = 1;
				 *((char*)(_t176 - 4)) = 0xa;
				L0040125C(_t176 - 0x54);
				 *((char*)(_t176 - 4)) = 7;
				L00433631(_t176 - 0x220, _t190);
				 *((char*)(_t176 - 4)) = 2;
				L0040125C(_t176 - 0xcc);
				 *((char*)(_t176 - 4)) = 1;
				L0040125C(_t176 - 0xa4);
				 *((char*)(_t176 - 4)) = 0;
				L0040125C(_t176 - 0x7c);
				 *[fs:0x0] =  *((intOrPtr*)(_t176 - 0xc));
				return  *((intOrPtr*)(_t176 + 8));
			}

0x00403e82
0x00403e87
0x00403e97
0x00403ea7
0x00403ea8
0x00403eac
0x00403eaf
0x00403eb2
0x00403eb5
0x00403ebd
0x00403ed2
0x00403ee3
0x00403ee9
0x00403eea
0x00403eeb
0x00403ef1
0x00403eff
0x00403f09
0x00403f11
0x00403f16
0x00403f1d
0x00403f26
0x00403f33
0x00403f37
0x00403f3c
0x00403f43
0x00403f44
0x00403f47
0x00403f4b
0x00403f50
0x00403f59
0x00403f5d
0x00403f60
0x00403f6b
0x00403f6f
0x00403f7a
0x00403f7e
0x00403f89
0x00403f8d
0x00403f98
0x00403fa0
0x00403fa1
0x00403fa5
0x00403fa9
0x00403fac
0x00403faf
0x00403fb4
0x00403fb8
0x00403fbb
0x00403fc1
0x00403fcc
0x00403fd1
0x00403fdc
0x00403fe2
0x00403fe6
0x00403feb
0x00403ff1
0x00403ff5
0x00403ffa
0x00403ffc
0x00403ffe
0x00404006
0x00404009
0x0040400b
0x0040400c
0x00404011
0x00404016
0x00404021
0x00404027
0x0040402b
0x00404030
0x00404038
0x0040403e
0x00404042
0x00404053
0x00404054
0x00404058
0x00404061
0x00404065
0x0040406a
0x00404070
0x00404074
0x00404074
0x00404079
0x0040407c
0x00404090
0x00404095
0x00404098
0x0040409e
0x0040409f
0x004040a0
0x004040a2
0x004040a5
0x004040aa
0x004040b4
0x004040b8
0x004040c3
0x004040c7
0x004040d2
0x004040d6
0x004040e1
0x004040e5
0x004040ed
0x004040f0
0x004040fd
0x00404106

APIs

__EH_prolog.LIBCMT ref: 00403E87

Part of subcall function 00401C68: __EH_prolog.LIBCMT ref: 00401C6D
Part of subcall function 00401C68: GetLastError.KERNEL32(00467574,00000000,0046757C,?,0040E781,?,00000000,?,00000000), ref: 00401C96
Part of subcall function 00401C68: SetLastError.KERNEL32(?,00000000,?,0040E781,?,00000000,?,00000000), ref: 00401CC4

Part of subcall function 00405EDE: __EH_prolog.LIBCMT ref: 00405EE3

Part of subcall function 00401840: __EH_prolog.LIBCMT ref: 00401845

Part of subcall function 00405670: __EH_prolog.LIBCMT ref: 00405675

Part of subcall function 0040125C: __EH_prolog.LIBCMT ref: 00401261
Part of subcall function 0040125C: GetLastError.KERNEL32(000004B1,00000000,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 00401284
Part of subcall function 0040125C: SysFreeString.OLEAUT32(?), ref: 004012A2
Part of subcall function 0040125C: SetLastError.KERNEL32(?,00000001,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 004012C2

Part of subcall function 0043334B: __EH_prolog.LIBCMT ref: 00433350

Part of subcall function 004336A5: __EH_prolog.LIBCMT ref: 004336AA

Part of subcall function 00401B15: __EH_prolog.LIBCMT ref: 00401B1A
Part of subcall function 00401B15: SetLastError.KERNEL32(?,?,00000000,?,?,00401AE5,?,?,00000001), ref: 00401B80

Part of subcall function 004342AF: __EH_prolog.LIBCMT ref: 004342B4

Strings

|uF, xrefs: 00403E9D
tuF, xrefs: 00403EA2
%ld, xrefs: 00403F03
.ini, xrefs: 00403F11
0x%04x, xrefs: 00403ECC

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: H_prolog$ErrorLast$FreeString
String ID: %ld$.ini$0x%04x$tuF$|uF
API String ID: 3733137895-2405060926
Opcode ID: b80af953b2ca56db7fa7ccfc63c880c18ad19f0de49cce472f7248801ed43978
Instruction ID: 9b0db00b45194ab5e7a48d0cb38a7d37fa1c409db268d0e4246d84fe8b54b84f
Opcode Fuzzy Hash: b80af953b2ca56db7fa7ccfc63c880c18ad19f0de49cce472f7248801ed43978
Instruction Fuzzy Hash: 8E712075D01248EEDB11EBE5C985BDDBBB89F19308F10409EE509B3282E7785B48CF66

Uniqueness

Uniqueness Score: -1.00%

Function 0042CFBE Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 148
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0042CFBE() {
				signed char _t76;
				signed int _t79;
				intOrPtr _t86;
				void* _t94;
				long _t95;
				void* _t99;
				signed char _t104;
				signed int _t106;
				signed int _t107;
				long _t126;
				void* _t128;
				void* _t130;
				void* _t131;
				signed int _t132;
				void* _t133;

				L0043B644(0x4639c2, _t128);
				_t131 = _t130 - 0xf4;
				 *(_t128 - 0x10) = 0;
				_t104 =  *(_t128 + 0x30);
				 *(_t128 - 4) = 0;
				_t139 = _t104 & 0x00000010;
				if((_t104 & 0x00000010) == 0) {
					L3:
					_t132 = _t131 - 0x28;
					 *(_t128 - 0x10) = _t132;
					_t107 = _t132;
					_push(0);
					_push(_t128 + 8);
					 *_t107 = 0x46757c;
					 *((intOrPtr*)(_t107 + 0x20)) = 0x467574;
					L00401CDD(_t107); // executed
					_t76 = E0042FC4C(); // executed
					_t133 = _t132 + 0x28;
					__eflags = _t76 - 0xffffffff;
					if(_t76 == 0xffffffff) {
						_t126 = GetLastError();
						__eflags = _t126 - 2;
						if(_t126 == 2) {
							L26:
							 *(_t128 - 4) =  *(_t128 - 4) | 0xffffffff;
							L0040125C(_t128 + 8);
							_t79 = 0;
							__eflags = 0;
							L27:
							 *[fs:0x0] =  *((intOrPtr*)(_t128 - 0xc));
							return _t79;
						}
						__eflags = _t126 - 3;
						if(_t126 == 3) {
							goto L26;
						}
						__eflags = _t126 - 5;
						_t106 = 1;
						if(__eflags != 0) {
							L22:
							__eflags =  *(_t128 + 0x30) & 0x00000020;
							if(( *(_t128 + 0x30) & 0x00000020) != 0) {
								_push(0);
								_push(_t128 + 8);
								 *((intOrPtr*)(_t128 - 0x3c)) = 0x4675a0;
								 *((intOrPtr*)(_t128 - 0x1c)) = 0x467598;
								L00401CDD(_t128 - 0x3c);
								_push(_t126);
								 *(_t128 - 4) = 3;
								 *((intOrPtr*)(_t128 - 0x84)) = 0x467f90;
								L0041387B(_t128 - 0x58, __eflags);
								 *(_t128 - 0x10) = _t106;
								 *(_t128 - 4) = 4;
								L0042D1BA(_t128 - 0x80, _t128 - 0x3c, _t106);
								_t86 =  *((intOrPtr*)(_t128 - 0x84));
								 *(_t128 - 4) = 3;
								_t61 = _t86 + 4; // 0x2c
								 *((intOrPtr*)(_t128 +  *_t61 - 0x84)) = 0x467f88;
								L0043BD6A(_t128 - 0x84, 0x46c528);
							}
							L24:
							_t106 = 0;
							__eflags = 0;
							L25:
							 *(_t128 - 4) =  *(_t128 - 4) | 0xffffffff;
							L0040125C(_t128 + 8);
							_t79 = _t106;
							goto L27;
						}
						L0042D1E4(_t128 - 0x100, __eflags);
						 *(_t128 - 0x10) =  *(_t128 - 0x10) | 0xffffffff;
						 *(_t128 - 4) = 2;
						_push(_t128 - 0x100);
						 *((intOrPtr*)(_t128 - 0x14)) = _t133 - 0x28;
						L00401708(_t133 - 0x28, _t128 + 8, _t106);
						_t94 = L0042FB80();
						__eflags = _t94 - 0xffffffff;
						if(_t94 == 0xffffffff) {
							_t95 = GetLastError();
							_t42 = _t128 - 4;
							 *_t42 =  *(_t128 - 4) & 0x00000000;
							__eflags =  *_t42;
							_t126 = _t95;
							L0042D23D(_t128 - 0x100,  *_t42);
							goto L22;
						}
						__eflags =  *(_t128 + 0x30) & 0x00000004;
						if(( *(_t128 + 0x30) & 0x00000004) == 0) {
							L15:
							__eflags =  *(_t128 + 0x30) & 0x00000008;
							if(( *(_t128 + 0x30) & 0x00000008) == 0) {
								L17:
								_t106 = 0;
								__eflags = 0;
								L18:
								__eflags = FindClose;
								if(__eflags != 0) {
									FindClose(_t94);
								}
								 *(_t128 - 4) =  *(_t128 - 4) & 0x00000000;
								L0042D23D(_t128 - 0x100, __eflags);
								goto L25;
							}
							__eflags =  *(_t128 - 0x100) & 0x00000010;
							if(( *(_t128 - 0x100) & 0x00000010) != 0) {
								goto L18;
							}
							goto L17;
						}
						__eflags =  *(_t128 - 0x100) & 0x00000010;
						if(( *(_t128 - 0x100) & 0x00000010) == 0) {
							goto L18;
						}
						goto L15;
					}
					__eflags = _t104 & 0x00000004;
					if((_t104 & 0x00000004) == 0) {
						L6:
						__eflags = _t104 & 0x00000008;
						if((_t104 & 0x00000008) == 0) {
							goto L24;
						}
						__eflags = _t76 & 0x00000010;
						if((_t76 & 0x00000010) == 0) {
							goto L24;
						}
						L8:
						_t106 = 1;
						goto L25;
					}
					__eflags = _t76 & 0x00000010;
					if((_t76 & 0x00000010) == 0) {
						goto L8;
					}
					goto L6;
				}
				_t99 = L00419852(_t128 + 8, _t139);
				_t140 = _t99;
				if(_t99 == 0) {
					goto L3;
				}
				_push(_t104);
				 *(_t128 + 0x30) = _t131 - 0x28;
				L00401708(_t131 - 0x28, _t128 + 8, 1);
				_t106 = L0042D273(_t140);
				goto L25;
			}

0x0042cfc3
0x0042cfc8
0x0042cfd3
0x0042cfd6
0x0042cfd9
0x0042cfdc
0x0042cfdf
0x0042d010
0x0042d010
0x0042d016
0x0042d019
0x0042d01b
0x0042d01c
0x0042d01d
0x0042d023
0x0042d02a
0x0042d02f
0x0042d034
0x0042d037
0x0042d03a
0x0042d065
0x0042d067
0x0042d06a
0x0042d19d
0x0042d19d
0x0042d1a4
0x0042d1a9
0x0042d1a9
0x0042d1ab
0x0042d1b0
0x0042d1b9
0x0042d1b9
0x0042d070
0x0042d073
0x00000000
0x00000000
0x0042d07b
0x0042d07e
0x0042d07f
0x0042d112
0x0042d112
0x0042d116
0x0042d11b
0x0042d11d
0x0042d121
0x0042d128
0x0042d12f
0x0042d134
0x0042d138
0x0042d13c
0x0042d146
0x0042d14b
0x0042d156
0x0042d15a
0x0042d15f
0x0042d16a
0x0042d171
0x0042d174
0x0042d186
0x0042d186
0x0042d18b
0x0042d18b
0x0042d18b
0x0042d18d
0x0042d18d
0x0042d194
0x0042d199
0x00000000
0x0042d199
0x0042d08b
0x0042d090
0x0042d09a
0x0042d09e
0x0042d0a7
0x0042d0ac
0x0042d0b1
0x0042d0b9
0x0042d0bc
0x0042d0ff
0x0042d101
0x0042d101
0x0042d101
0x0042d10b
0x0042d10d
0x00000000
0x0042d10d
0x0042d0be
0x0042d0c2
0x0042d0cd
0x0042d0cd
0x0042d0d1
0x0042d0dc
0x0042d0dc
0x0042d0dc
0x0042d0de
0x0042d0e4
0x0042d0e6
0x0042d0e9
0x0042d0e9
0x0042d0eb
0x0042d0f5
0x00000000
0x0042d0f5
0x0042d0d3
0x0042d0da
0x00000000
0x00000000
0x00000000
0x0042d0da
0x0042d0c4
0x0042d0cb
0x00000000
0x00000000
0x00000000
0x0042d0cb
0x0042d03c
0x0042d03f
0x0042d045
0x0042d045
0x0042d048
0x00000000
0x00000000
0x0042d04e
0x0042d050
0x00000000
0x00000000
0x0042d056
0x0042d056
0x00000000
0x0042d056
0x0042d041
0x0042d043
0x00000000
0x00000000
0x00000000
0x0042d043
0x0042cfe4
0x0042cfe9
0x0042cfeb
0x00000000
0x00000000
0x0042cfed
0x0042cff6
0x0042cffc
0x0042d009
0x00000000

APIs

__EH_prolog.LIBCMT ref: 0042CFC3
GetLastError.KERNEL32 ref: 0042D063

Part of subcall function 0042D273: __EH_prolog.LIBCMT ref: 0042D278

Strings

tuF, xrefs: 0042D023
|uF, xrefs: 0042CFCE
, xrefs: 0042D112

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: H_prolog$ErrorLast
String ID: $tuF$|uF
API String ID: 2901101390-854851401
Opcode ID: e1aca47c25cc2a7b4aefa6ee771ee5c082b9f5870a05f7df9fbb7852de763b4a
Instruction ID: 2e6e0eb14af1fea6eb7d0f2f99a5f3832fc8e900de6f576560a32581802c2c4f
Opcode Fuzzy Hash: e1aca47c25cc2a7b4aefa6ee771ee5c082b9f5870a05f7df9fbb7852de763b4a
Instruction Fuzzy Hash: 98515B70E00228ABDB14EF65D845BED7BB4AF0534CF84419FE851A32E1DB7C4A45CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 0045CB10 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 49
registryCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0045CB10() {
				int _v4;
				int _v8;
				char _v12;
				void* _v16;
				char _t13;
				signed int _t20;
				signed int _t21;
				void* _t26;

				_v16 = 0;
				_t13 = RegOpenKeyExA(0x80000001, "SOFTWARE\\InstallShield\\19.0\\Professional", 0, 0x20019,  &_v16); // executed
				if(_t13 != 0) {
					L7:
					return 0;
				} else {
					_t26 = _v16;
					_v12 = _t13;
					_v4 = _t13;
					_v8 = 4;
					if(RegQueryValueExA(_t26, "DoVerboseLogging", 0,  &_v4,  &_v12,  &_v8) != 0) {
						if(_t26 != 0) {
							RegCloseKey(_t26);
						}
						goto L7;
					} else {
						_push(_t20);
						_t21 = _t20 & 0xffffff00 | _v12 == 0x00000001;
						if(_t26 != 0) {
							RegCloseKey(_t26);
						}
						return _t21;
					}
				}
			}

0x0045cb2a
0x0045cb32
0x0045cb3a
0x0045cb9a
0x0045cba0
0x0045cb3c
0x0045cb3c
0x0045cb44
0x0045cb48
0x0045cb5f
0x0045cb6f
0x0045cb91
0x0045cb94
0x0045cb94
0x00000000
0x0045cb71
0x0045cb75
0x0045cb79
0x0045cb7e
0x0045cb81
0x0045cb81
0x0045cb8e
0x0045cb8e
0x0045cb6f

APIs

RegOpenKeyExA.KERNELBASE ref: 0045CB32
RegQueryValueExA.ADVAPI32(004675D0,DoVerboseLogging,00000000), ref: 0045CB67
RegCloseKey.ADVAPI32(004675D0,?), ref: 0045CB81
RegCloseKey.ADVAPI32(004675D0), ref: 0045CB94

Strings

SOFTWARE\InstallShield\19.0\Professional, xrefs: 0045CB20
DoVerboseLogging, xrefs: 0045CB59

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: Close$OpenQueryValue
String ID: DoVerboseLogging$SOFTWARE\InstallShield\19.0\Professional
API String ID: 1607946009-519593154
Opcode ID: 0195490e9bd655a35e4cf4409ad42dc0d927c8bac1e6763378c77efceebf452f
Instruction ID: 666afcf41a61aaf1bf1ced1f1fd3d85659603b60a35404b86828447fd6144f98
Opcode Fuzzy Hash: 0195490e9bd655a35e4cf4409ad42dc0d927c8bac1e6763378c77efceebf452f
Instruction Fuzzy Hash: 3A01D275508321AFD7009B109C85BEB77A8EF84719F00450EF949A2241E374950C86AA

Uniqueness

Uniqueness Score: -1.00%

Function 00459F80 Relevance: 9.1, APIs: 6, Instructions: 98
windowCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00459F80() {
				BITMAPINFOHEADER* _t63;
				struct HBITMAP__** _t64;
				void* _t65;

				_t64 =  *(_t65 + 0x10);
				_t63 =  *(_t65 + 0x18);
				 *(_t65 + 8) = 0;
				_t64[9] = _t63->biWidth;
				_t64[0xa] = _t63->biHeight;
				if(0xffffffffffffffff > 0x17) {
					L15:
					return 0;
				} else {
					switch( *((intOrPtr*)(0 +  &M0045A098))) {
						case 0:
							_t54 = _t64[0xd] | 0x00000008;
							goto L8;
						case 1:
							__eax = 0x40;
							__ch = __ch | 0x00000004;
							goto L8;
						case 2:
							__dh = __dh | 0x00000001;
							__eax =  *(__esi + 0x20);
							if(__eax == 0) {
								__eax = 0x400;
							} else {
								__eax = __eax << 2;
							}
							goto L9;
						case 3:
							__eax = 0;
							__ch = __ch | 0x00000002;
							L8:
							_t64[0xd] = _t54;
							L9:
							_push(_t47);
							_push(_t60);
							_t50 = _t63->biSize + 8 + _t63;
							_t61 = GetDC(0);
							_t37 =  *(_t65 + 0x18);
							if(_t37->biPlanes != 0) {
								_t43 = _t37->biClrImportant;
								if(_t43 != 0) {
									 *(_t65 + 0x1c) = 1;
									 *(_t65 + 0x20) = SelectPalette(_t61, _t43, 0);
									 *(_t65 + 0x18)->biClrUsed = 1;
									RealizePalette(_t61);
									 *(_t65 + 0x18)->biClrUsed = 0;
								}
							}
							_t38 = CreateDIBitmap(_t61, _t63, 4, _t50, _t63, 0); // executed
							 *_t64 = _t38;
							if( *(_t65 + 0x10) != 0) {
								SelectPalette(_t61,  *(_t65 + 0x20), 0);
							}
							ReleaseDC(0, _t61);
							return 1;
							goto L16;
						case 4:
							goto L15;
					}
				}
				L16:
			}

0x00459f82
0x00459f87
0x00459f8b
0x00459f96
0x00459f9e
0x00459fa9
0x0045a091
0x0045a095
0x00459faf
0x00459fb7
0x00000000
0x00459fc6
0x00000000
0x00000000
0x00459fcd
0x00459fd2
0x00000000
0x00000000
0x00459fda
0x00459fe0
0x00459fe5
0x00459fec
0x00459fe7
0x00459fe7
0x00459fe7
0x00000000
0x00000000
0x00459ff6
0x00459ff8
0x00459ffb
0x00459ffb
0x00459ffe
0x00459ffe
0x0045a001
0x0045a006
0x0045a00e
0x0045a010
0x0045a019
0x0045a01b
0x0045a020
0x0045a026
0x0045a034
0x0045a03d
0x0045a044
0x0045a04e
0x0045a04e
0x0045a020
0x0045a05d
0x0045a063
0x0045a06c
0x0045a076
0x0045a076
0x0045a07f
0x0045a08f
0x00000000
0x00000000
0x00000000
0x00000000
0x00459fb7
0x00000000

APIs

GetDC.USER32(00000000), ref: 0045A008
SelectPalette.GDI32(00000000,?,00000000), ref: 0045A02E
RealizePalette.GDI32(00000000), ref: 0045A044
CreateDIBitmap.GDI32(00000000,?,00000004,00000000,?,00000000), ref: 0045A05D
SelectPalette.GDI32(00000000,?,00000000), ref: 0045A076
ReleaseDC.USER32 ref: 0045A07F

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: Palette$Select$BitmapCreateRealizeRelease
String ID:
API String ID: 1213237138-0
Opcode ID: f183d2b51e7c5dfb3bb189de71e6390e9b656ee14354ee7e9a024178590f46b2
Instruction ID: 631fa0d35ff6f30734ea011ab134145a7155ba30ad59fdb78cd79b3002df4928
Opcode Fuzzy Hash: f183d2b51e7c5dfb3bb189de71e6390e9b656ee14354ee7e9a024178590f46b2
Instruction Fuzzy Hash: 09313E712152009FE710CF28D884B6B7BE8FB88715F10451EFA89C7392D775E8458B6A

Uniqueness

Uniqueness Score: -1.00%

Function 00445D20 Relevance: 9.1, APIs: 6, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00445D20(void* __ecx) {
				struct tagPAINTSTRUCT _v64;
				struct HDC__* _v68;
				struct tagRECT _v84;
				long _t18;
				void* _t28;
				void* _t45;
				void* _t46;

				_t45 = __ecx;
				BeginPaint( *(__ecx + 4),  &_v64);
				_t18 =  *(_t45 + 0x2c);
				if(_t18 != 0xffffffff) {
					_t46 = 0;
					_t28 = CreateSolidBrush(_t18);
					if(_t28 != 0) {
						_t46 = _t28;
					}
					GetClientRect( *(_t45 + 4),  &_v84);
					FillRect(_v68,  &_v84, _t46);
					if(_t46 != 0 && DeleteObject != 0) {
						DeleteObject(_t46);
					}
				}
				asm("sbb eax, eax");
				L004456A0( *((intOrPtr*)(_t45 + 8)), _v64.hdc,  ~( *(_t45 + 0x14)) & 0x00000020 |  *(_t45 + 0x18));
				EnumChildWindows( *(_t45 + 0xc), 0x445ca0, _t45 + 0x1c); // executed
				EndPaint( *(_t45 + 4),  &(_v84.right));
				return 0;
			}

0x00445d29
0x00445d30
0x00445d36
0x00445d3c
0x00445d3f
0x00445d41
0x00445d49
0x00445d4b
0x00445d4b
0x00445d56
0x00445d67
0x00445d6f
0x00445d7b
0x00445d7b
0x00445d6f
0x00445d85
0x00445d95
0x00445da7
0x00445db6
0x00445dc3

APIs

BeginPaint.USER32(?,?,?,?), ref: 00445D30
CreateSolidBrush.GDI32(?), ref: 00445D41
GetClientRect.USER32 ref: 00445D56
FillRect.USER32 ref: 00445D67
EnumChildWindows.USER32 ref: 00445DA7
EndPaint.USER32(?,?,?,?), ref: 00445DB6

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: PaintRect$BeginBrushChildClientCreateEnumFillSolidWindows
String ID:
API String ID: 2395695982-0
Opcode ID: 0b1b99b71f72c94218e9385ff4bfcc8296e0d9641415a051692af14174173d42
Instruction ID: 48ef09778a23c172b8120842b3a4b6582009eaede22cdf10edbe392b517e19f1
Opcode Fuzzy Hash: 0b1b99b71f72c94218e9385ff4bfcc8296e0d9641415a051692af14174173d42
Instruction Fuzzy Hash: 63118BB1214A02BFA710DF68CC88D67BBADFF887587008A19F419C3251EB74E855CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0042B3AD Relevance: 9.1, APIs: 6, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0042B3AD(struct HWND__* __ecx) {
				void* __edi;
				void* _t27;
				signed int _t28;
				void* _t33;
				intOrPtr* _t35;
				struct HWND__* _t40;

				_t40 = __ecx;
				_t35 =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0xc)) + 0x230));
				if(_t35 != 0) {
					 *((intOrPtr*)( *_t35 + 8))();
				}
				( *(_t40 + 0xc))[0x8c] = _t40;
				if(IsWindow( *(_t40 + 4)) != 0) {
					L7:
					 *(_t40 + 0x14) =  *(_t40 + 0x14) & 0x00000000;
					if(IsWindow( *( *(_t40 + 0xc))) != 0) {
						ShowWindow( *( *(_t40 + 0xc)), 1); // executed
						ShowWindow( *( *(_t40 + 0xc)), 1); // executed
					}
					ShowWindow( *(_t40 + 4), 1); // executed
					 *((intOrPtr*)(_t40->i + 0x20))();
					return 0;
				} else {
					_t27 = E0042B242(_t33, _t40, IsWindow); // executed
					if(_t27 != 0) {
						goto L7;
					}
					_t28 = GetLastError();
					if(_t28 != 0) {
						return _t28 | 0x80070000;
					}
					return 0x8000ffff;
				}
			}

0x0042b3ae
0x0042b3b4
0x0042b3bc
0x0042b3c0
0x0042b3c0
0x0042b3cc
0x0042b3d9
0x0042b3fe
0x0042b401
0x0042b411
0x0042b41a
0x0042b423
0x0042b423
0x0042b42a
0x0042b430
0x00000000
0x0042b3db
0x0042b3dd
0x0042b3e4
0x00000000
0x00000000
0x0042b3e6
0x0042b3ee
0x00000000
0x0042b3f7
0x00000000
0x0042b3f0

APIs

IsWindow.USER32(?), ref: 0042B3D5
GetLastError.KERNEL32(?,?,0042B469,?), ref: 0042B3E6

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorLastWindow
String ID:
API String ID: 3412209079-0
Opcode ID: 76cea9796db9111b7e3aeb7d55963e8bcacb1d2a84d21c7b410fab4eb1605b97
Instruction ID: d35c18587723b15ef1d237d7f7bcea05a28c7fabec228c5f350f8e083ddf66c2
Opcode Fuzzy Hash: 76cea9796db9111b7e3aeb7d55963e8bcacb1d2a84d21c7b410fab4eb1605b97
Instruction Fuzzy Hash: 1F115E303002109FD720EF19D884F2AB7E5EF44714F55846AE84ACB671DBB5EC01CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00412380 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 160
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E00412380(void* __ecx) {
				void* __edi;
				void* __esi;
				intOrPtr _t86;
				char _t88;
				void* _t89;
				signed int _t99;
				void* _t106;
				void* _t112;
				intOrPtr _t128;
				signed int _t129;
				void* _t149;
				void* _t151;
				void* _t153;
				signed int _t155;
				void* _t156;
				intOrPtr _t158;
				intOrPtr _t159;
				intOrPtr _t160;
				signed int _t163;

				L0043B644(0x460df2, _t151);
				 *((char*)(_t151 - 0x2c)) =  *((intOrPtr*)(_t151 - 0xd));
				_t149 = __ecx;
				 *((intOrPtr*)(_t151 - 0x28)) = 0;
				 *((intOrPtr*)(_t151 - 0x24)) = 0;
				 *((intOrPtr*)(_t151 - 0x20)) = 0;
				 *(_t151 - 4) = 0;
				_push(_t151 - 0x2c);
				_t155 = _t153 - 0x80;
				_t121 = L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\";
				 *(_t151 - 0x1c) = _t155;
				L00401732(_t155, L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\", _t151 - 0xd, 1);
				_push((0 |  *((intOrPtr*)(_t149 + 0xe)) != 0x00000000) + 0x80000001); // executed
				E0042F35E(0x80000001, _t149); // executed
				_t86 =  *((intOrPtr*)(_t151 - 0x28));
				_t156 = _t155 + 0x30;
				 *((intOrPtr*)(_t151 - 0x14)) = _t86;
				if(_t86 ==  *((intOrPtr*)(_t151 - 0x24))) {
					L5:
					if( *((intOrPtr*)(_t149 + 0x2c)) != 4 || ( *(_t149 + 0x28) & 0x00000002) != 0) {
						__eflags = 0;
					} else {
						_push(1);
						_pop(0);
					}
					 *((char*)(_t149 + 0x16)) = 0;
					_t88 = E0041256C(_t149);
					 *((char*)(_t149 + 0x15)) = _t88;
					if(_t88 == 0 &&  *((intOrPtr*)(_t149 + 0x16)) == _t88) {
						_t128 =  *((intOrPtr*)(_t149 + 0x34));
						if(_t128 != 0) {
							_t129 = 0x28;
							asm("cdq");
							if(( *((intOrPtr*)(_t149 + 0x38)) - _t128) / _t129 > 0 &&  *((intOrPtr*)(_t149 + 0x190)) == 0) {
								L00401A1E(_t149 + 0x184,  *((intOrPtr*)(_t149 + 0x34)));
							}
						}
					}
					 *(_t151 - 4) =  *(_t151 - 4) | 0xffffffff;
					_t89 = L00401C2F(_t151 - 0x2c);
					 *[fs:0x0] =  *((intOrPtr*)(_t151 - 0xc));
					return _t89;
				} else {
					asm("sbb eax, eax");
					 *(_t151 - 0x30) =  ~(_t151 - 0x64) & _t151 - 0x00000060;
					asm("sbb eax, eax");
					_t99 =  ~(_t149 + 0x24c) & _t149 + 0x00000250;
					_t163 = _t99;
					 *(_t151 - 0x1c) = _t99;
					do {
						_push(_t151 - 0x64);
						_push(0x20019);
						_t158 = _t156 - 0x28;
						 *((intOrPtr*)(_t151 - 0x34)) = _t158;
						L00401732(_t158, 0x47e150, _t151 - 0xd, 1);
						_t159 = _t158 - 0x28;
						 *((intOrPtr*)(_t151 - 0x3c)) = _t159;
						 *(_t151 - 4) = 1;
						L00401732(_t159, L"ProductGuid", _t151 - 0x15, 1);
						_t29 = _t151 - 0xb4; // 0x46757c
						 *(_t151 - 4) = 2;
						_t106 = L00401732(_t29, _t121, _t151 - 0x16, 1);
						_t160 = _t159 - 0x28;
						 *(_t151 - 4) = 3;
						 *((intOrPtr*)(_t151 - 0x38)) = _t160;
						_push( *((intOrPtr*)(_t151 - 0x14)));
						_push(_t160);
						L00405670(_t106, _t163);
						 *(_t151 - 4) = 4;
						_push((0 |  *((intOrPtr*)(_t149 + 0xe)) != 0x00000000) + 0x80000001);
						_t112 = E0042F45D(0x80000001,  *((intOrPtr*)(_t149 + 0xe))); // executed
						_t156 = _t160 + 0x84;
						 *(_t151 - 4) = 5;
						L00419B9A(_t112, _t151 - 0x8c);
						 *(_t151 - 4) = 8;
						L0040125C(_t151 - 0x8c);
						_t42 = _t151 - 0xb4; // 0x46757c
						 *(_t151 - 4) = 7;
						L0040125C(_t42);
						if(L00402DE6( *(_t151 - 0x1c),  *(_t151 - 0x30)) == 0) {
							E00419C0E(_t149 + 0x30,  *((intOrPtr*)(_t151 - 0x14)));
						}
						 *(_t151 - 4) =  *(_t151 - 4) & 0x00000000;
						L0040125C(_t151 - 0x64);
						 *((intOrPtr*)(_t151 - 0x14)) =  *((intOrPtr*)(_t151 - 0x14)) + 0x28;
					} while ( *((intOrPtr*)(_t151 - 0x14)) !=  *((intOrPtr*)(_t151 - 0x24)));
					goto L5;
				}
			}

0x00412385
0x00412394
0x0041239b
0x0041239d
0x004123a0
0x004123a3
0x004123a6
0x004123ac
0x004123b0
0x004123b3
0x004123ba
0x004123c1
0x004123d5
0x004123d6
0x004123db
0x004123de
0x004123e4
0x004123e7
0x004124fb
0x004124ff
0x0041250c
0x00412507
0x00412507
0x00412509
0x00412509
0x00412510
0x00412513
0x0041251a
0x0041251d
0x00412524
0x00412529
0x00412532
0x00412533
0x00412538
0x0041254c
0x0041254c
0x00412538
0x00412529
0x00412551
0x00412558
0x00412562
0x0041256b
0x004123ed
0x004123f5
0x004123ff
0x0041240a
0x0041240c
0x0041240c
0x0041240e
0x00412411
0x00412414
0x00412415
0x0041241a
0x00412422
0x0041242d
0x00412432
0x0041243a
0x00412445
0x00412449
0x00412455
0x0041245b
0x0041245f
0x00412464
0x00412467
0x0041246d
0x00412470
0x00412473
0x00412476
0x0041247d
0x00412489
0x00412491
0x00412496
0x0041249e
0x004124a2
0x004124ad
0x004124b1
0x004124b6
0x004124bc
0x004124c0
0x004124d2
0x004124da
0x004124da
0x004124df
0x004124e6
0x004124eb
0x004124f2
0x00000000
0x00412411

APIs

__EH_prolog.LIBCMT ref: 00412385

Part of subcall function 0042F35E: __EH_prolog.LIBCMT ref: 0042F363
Part of subcall function 0042F35E: RegEnumKeyW.ADVAPI32(00000000,00000000,?,00000105), ref: 0042F3EB
Part of subcall function 0042F35E: RegCloseKey.KERNELBASE(00000000,?,0043D41C,00020019,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\), ref: 0042F438

Part of subcall function 00405670: __EH_prolog.LIBCMT ref: 00405675

Part of subcall function 0042F45D: __EH_prolog.LIBCMT ref: 0042F462
Part of subcall function 0042F45D: RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?,?,00000000,00467574,ISlogit), ref: 0042F4B8
Part of subcall function 0042F45D: RegQueryValueExW.KERNELBASE(0043D41C,?,00000000,?,00000000,?,0046757C), ref: 0042F4FA
Part of subcall function 0042F45D: RegQueryValueExW.ADVAPI32(0043D41C,?,00000000,?,?,?,?,?), ref: 0042F545

Part of subcall function 0040125C: __EH_prolog.LIBCMT ref: 00401261
Part of subcall function 0040125C: GetLastError.KERNEL32(000004B1,00000000,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 00401284
Part of subcall function 0040125C: SysFreeString.OLEAUT32(?), ref: 004012A2
Part of subcall function 0040125C: SetLastError.KERNEL32(?,00000001,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 004012C2

Strings

(, xrefs: 004124EB
|uF, xrefs: 00412455, 004124B6
ProductGuid, xrefs: 00412440
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\, xrefs: 004123B3, 004123C0, 00412454

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: H_prolog$ErrorLastQueryValue$CloseEnumFreeOpenString
String ID: ($ProductGuid$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$|uF
API String ID: 3142045599-450522472
Opcode ID: 799d774bef3d0442954a751a588588ea6822a067418c51a62556ffd3dc32b500
Instruction ID: c305fda4e230f05210b4cd9f0801429af3f20c94e2d454f40de382181bbb0ce1
Opcode Fuzzy Hash: 799d774bef3d0442954a751a588588ea6822a067418c51a62556ffd3dc32b500
Instruction Fuzzy Hash: 3551C831D05349AEDF10DBB9C992BDEBBF5AF14304F10446EE445F3282D6789A488B65

Uniqueness

Uniqueness Score: -1.00%

Function 00403CE5 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 47%

			E00403CE5(intOrPtr* __ecx, void* __eflags) {
				void* _t55;
				signed int _t61;
				void* _t72;
				intOrPtr _t75;
				void* _t77;
				void* _t87;
				intOrPtr _t105;
				intOrPtr* _t108;
				intOrPtr* _t109;
				void* _t111;
				void* _t122;

				L0043B644(0x45f195, _t111);
				_t108 = __ecx;
				 *((intOrPtr*)(_t111 - 0x14)) = 0;
				L00403659( *__ecx, _t111 - 0x8c);
				_t105 = 1;
				_push(0);
				_push(_t111 - 0xd);
				 *((intOrPtr*)(_t111 - 4)) = _t105;
				 *((intOrPtr*)(_t111 - 0x3c)) = 0x46757c;
				 *((intOrPtr*)(_t111 - 0x1c)) = 0x467574;
				L00401C68(_t111 - 0x3c);
				 *((char*)(_t111 - 4)) = 2;
				if( *((intOrPtr*)(_t111 + 0xc)) != 0 ||  *((intOrPtr*)(_t111 - 0x80)) == 0) {
					_t55 = E00403E82( *_t108, __eflags, _t111 - 0x64, 0x717);
					 *((char*)(_t111 - 4)) = 3;
					L00401A1E(_t111 - 0x3c, _t55);
					 *((char*)(_t111 - 4)) = 2;
					_t87 = _t111 - 0x64;
				} else {
					_t75 =  *((intOrPtr*)(_t111 - 0x84));
					_t120 = _t75;
					if(_t75 == 0) {
						_t75 = 0x467570;
					}
					_push(0);
					_push(0);
					_push(_t75);
					_push(0x75f);
					_push(_t111 - 0x64); // executed
					_t77 = E00404109( *_t108, _t120); // executed
					 *((char*)(_t111 - 4)) = 4;
					L00401A1E(_t111 - 0x3c, _t77);
					 *((char*)(_t111 - 4)) = 2;
					_t87 = _t111 - 0x64;
				}
				L0040125C(_t87);
				if( *((intOrPtr*)(_t111 - 0x30)) == 0) {
					L8:
					_push(_t105);
					_push(_t111 - 0xb4);
					_push(E004042BA());
					_push(" ");
					_push(_t111 - 0x64);
					 *((char*)(_t111 - 4)) = 6;
					_t61 = E00406005();
					 *((char*)(_t111 - 4)) = 7;
					asm("sbb ecx, ecx");
					L004057F3(_t111 - 0x38,  ~_t61 & _t61 + 0x00000004, 0,  *0x467594);
					 *((char*)(_t111 - 4)) = 6;
					L0040125C(_t111 - 0x64);
					 *((char*)(_t111 - 4)) = 2;
					L0040125C(_t111 - 0xb4);
				} else {
					_push(0);
					_push(_t111 - 0x64);
					_t72 = E004042BA();
					 *((char*)(_t111 - 4)) = 5;
					_t122 = E0040248C(_t111 - 0x3c, _t72, 0) -  *0x467594; // 0xffffffff
					 *((char*)(_t111 - 4)) = 2;
					 *((char*)(_t111 + 0xf)) = _t122 == 0;
					L0040125C(_t111 - 0x64);
					if( *((intOrPtr*)(_t111 + 0xf)) != 0) {
						goto L8;
					}
				}
				_t109 =  *((intOrPtr*)(_t111 + 8));
				_push(0);
				_push(_t111 - 0x3c);
				 *_t109 = 0x46757c;
				 *((intOrPtr*)(_t109 + 0x20)) = 0x467574;
				L00401CDD(_t109);
				 *((intOrPtr*)(_t111 - 0x14)) = _t105;
				 *((char*)(_t111 - 4)) = 1;
				L0040125C(_t111 - 0x3c);
				 *((char*)(_t111 - 4)) = 0;
				L0040125C(_t111 - 0x8c);
				 *[fs:0x0] =  *((intOrPtr*)(_t111 - 0xc));
				return _t109;
			}

0x00403cea
0x00403cf7
0x00403d05
0x00403d08
0x00403d12
0x00403d16
0x00403d17
0x00403d18
0x00403d1b
0x00403d22
0x00403d29
0x00403d31
0x00403d35
0x00403d7f
0x00403d88
0x00403d8c
0x00403d91
0x00403d95
0x00403d3c
0x00403d3c
0x00403d42
0x00403d44
0x00403d46
0x00403d46
0x00403d4d
0x00403d4e
0x00403d4f
0x00403d53
0x00403d58
0x00403d59
0x00403d62
0x00403d66
0x00403d6b
0x00403d6f
0x00403d6f
0x00403d98
0x00403da0
0x00403dd7
0x00403ddd
0x00403dde
0x00403de6
0x00403dea
0x00403def
0x00403df0
0x00403df4
0x00403e07
0x00403e0d
0x00403e16
0x00403e1e
0x00403e22
0x00403e2d
0x00403e31
0x00403da2
0x00403da5
0x00403da6
0x00403da9
0x00403db3
0x00403dbc
0x00403dc5
0x00403dc9
0x00403dcd
0x00403dd5
0x00000000
0x00000000
0x00403dd5
0x00403e36
0x00403e3c
0x00403e3d
0x00403e40
0x00403e46
0x00403e4d
0x00403e52
0x00403e58
0x00403e5c
0x00403e67
0x00403e6a
0x00403e77
0x00403e7f

APIs

__EH_prolog.LIBCMT ref: 00403CEA

Part of subcall function 00401C68: __EH_prolog.LIBCMT ref: 00401C6D
Part of subcall function 00401C68: GetLastError.KERNEL32(00467574,00000000,0046757C,?,0040E781,?,00000000,?,00000000), ref: 00401C96
Part of subcall function 00401C68: SetLastError.KERNEL32(?,00000000,?,0040E781,?,00000000,?,00000000), ref: 00401CC4

Strings

puF, xrefs: 00403D46
tuF, xrefs: 00403E46
|uF, xrefs: 00403D1B
tuF, xrefs: 00403D22

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorH_prologLast
String ID: puF$tuF$tuF$|uF
API String ID: 1057991267-470079222
Opcode ID: ddf19ad550fc07cc53dbb8e2838cc59216e4cb2da7fdef2fbe9454e07e6bdbed
Instruction ID: bdd4823a6952185813d47986231e3de9a83404cdc5ca9dee45b9df1dbb7ecb22
Opcode Fuzzy Hash: ddf19ad550fc07cc53dbb8e2838cc59216e4cb2da7fdef2fbe9454e07e6bdbed
Instruction Fuzzy Hash: B8519471D04248EEDB15EB94C985ADEBBBCAF14308F1040AFE546B3292DB785F08CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00418D25 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84
sleepfileCOMMON

Download Yara Rule

C-Code - Quality: 18%

			E00418D25(void* __ecx, void* __eflags) {
				void* _t36;
				signed int _t42;
				signed int _t45;
				void* _t55;
				void* _t58;
				void* _t60;

				L0043B644(0x461bc0, _t60);
				_push(__ecx);
				_t55 = __ecx;
				 *(_t60 - 4) = 0;
				E00418E8D(__ecx);
				_t58 = __ecx + 8;
				E0041A336(_t58, _t60 + 8);
				if(E0041AAA1(_t60 + 8, 0, 7, L"http://", 0) == 0 || E0041AAA1(_t60 + 8, 0, 8, L"https://", 0) == 0) {
					_t42 = 0;
				} else {
					_push(1);
					 *((intOrPtr*)(_t60 - 0x10)) = 0;
					E0041A336(_t58, _t60 + 8);
					_push(0);
					_push(0x80);
					_push( *((intOrPtr*)(_t60 + 0x24)));
					_push(0);
					_push(0);
					_t45 = CreateFileW;
					_push(0x40000000);
					_push( *((intOrPtr*)(_t58 + 0x10))); // executed
					while(1) {
						_t36 = CreateFileW(); // executed
						 *(_t55 + 4) = _t36;
						if(_t36 != 0xffffffff ||  *((intOrPtr*)(_t60 - 0x10)) > 3) {
							break;
						}
						Sleep(0x1f4);
						 *((intOrPtr*)(_t60 - 0x10)) =  *((intOrPtr*)(_t60 - 0x10)) + 1;
						E0041A336(_t58, _t60 + 8);
						_push(0);
						_push(0x80);
						_push( *((intOrPtr*)(_t60 + 0x24)));
						_push(0);
						_push(1);
						_push(0x40000000);
						_push( *((intOrPtr*)(_t58 + 0x10)));
					}
					_t42 = _t45 & 0xffffff00 |  *(_t55 + 4) != 0xffffffff;
				}
				 *(_t60 - 4) =  *(_t60 - 4) | 0xffffffff;
				E0041A273(_t60 + 8);
				 *[fs:0x0] =  *((intOrPtr*)(_t60 - 0xc));
				return _t42;
			}

0x00418d2a
0x00418d2f
0x00418d33
0x00418d37
0x00418d3a
0x00418d3f
0x00418d48
0x00418d60
0x00418df3
0x00418d7b
0x00418d7b
0x00418d84
0x00418d87
0x00418d8f
0x00418d91
0x00418d96
0x00418d99
0x00418d9b
0x00418d9c
0x00418da2
0x00418da7
0x00418da8
0x00418da8
0x00418dad
0x00418db0
0x00000000
0x00000000
0x00418dbd
0x00418dc3
0x00418dcc
0x00418dd4
0x00418dd6
0x00418ddb
0x00418dde
0x00418de0
0x00418de2
0x00418de7
0x00418de7
0x00418dee
0x00418dee
0x00418df5
0x00418dfc
0x00418e09
0x00418e11

APIs

__EH_prolog.LIBCMT ref: 00418D2A

Part of subcall function 00418E8D: FindCloseChangeNotification.KERNELBASE(?,?,00418C64,00000000,00000000,?,00417CD9,?,00000001), ref: 00418EA5

Part of subcall function 0041A336: SysFreeString.OLEAUT32(?), ref: 0041A34B
Part of subcall function 0041A336: SysStringLen.OLEAUT32(?), ref: 0041A354
Part of subcall function 0041A336: SysAllocStringLen.OLEAUT32(?,00000000), ref: 0041A35E

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,?,00000080,00000000,?,00000000,00000008,https://,00000000,00000000,00000007,http://,00000000), ref: 00418DA8
Sleep.KERNEL32(000001F4,?,004181DD,?,00000001), ref: 00418DBD

Strings

https://, xrefs: 00418D67
http://, xrefs: 00418D4E

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: String$AllocChangeCloseCreateFileFindFreeH_prologNotificationSleep
String ID: http://$https://
API String ID: 112917688-1916535328
Opcode ID: 429acf6c96ed9223359673860c5e8dbe9af6988557d450db9f7b28afb85323cf
Instruction ID: 13318a470217d60e37f4465d953032a40b8f00e1d671b95e9f74f9c822bc3125
Opcode Fuzzy Hash: 429acf6c96ed9223359673860c5e8dbe9af6988557d450db9f7b28afb85323cf
Instruction Fuzzy Hash: A321B171240306BBDB20DF65CC82FDEB7A8BF14758F10461FB525A61C1DBB4AA81C759

Uniqueness

Uniqueness Score: -1.00%

Function 0041CF58 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E0041CF58(intOrPtr __ecx) {
				intOrPtr _t40;
				void* _t44;
				signed char _t53;
				void* _t74;

				L0043B644(E004621B5, _t74);
				 *(_t74 - 0x14) =  *(_t74 - 0x14) & 0x00000000;
				 *((intOrPtr*)(_t74 - 0x18)) = __ecx;
				_push(0);
				_push(_t74 - 0xd);
				_push(0x47e150);
				 *((intOrPtr*)(_t74 - 0x40)) = 0x4675d8;
				 *((intOrPtr*)(_t74 - 0x20)) = 0x4675d0;
				L0040B34B(_t74 - 0x40);
				_t40 =  *0x46803c; // 0x4765f0
				_t53 = 1;
				 *((intOrPtr*)(_t74 - 0x68)) = 0x4675d8;
				 *(_t74 - 4) = _t53;
				 *((intOrPtr*)(_t74 - 0x48)) = 0x4675d0;
				if(_t40 == 0) {
					_t40 = 0x47e150;
				}
				L0040B34B(_t74 - 0x68);
				 *(_t74 - 4) = 2;
				 *(_t74 - 4) = 3;
				_t44 = E0040CAC4();
				_t18 = _t74 - 0x18; // 0x4675e4
				 *(_t74 - 4) = 4;
				 *((intOrPtr*)( *((intOrPtr*)( *_t18)) + 0x38))( *((intOrPtr*)(_t74 + 8)), _t74 - 0x68, _t44, _t74 - 0x40, _t74 - 0x90, L"PreReqFeatures", L00419761(_t74 - 0xb8),  *((intOrPtr*)(_t74 + 0xc)), 0xa, _t53, _t40, _t74 - 0xe, 0);
				 *(_t74 - 0x14) = _t53;
				 *(_t74 - 4) = 3;
				E004061C1(_t74 - 0x90);
				 *(_t74 - 4) = 2;
				E004061C1(_t74 - 0xb8);
				 *(_t74 - 4) = _t53;
				E004061C1(_t74 - 0x68);
				 *(_t74 - 4) =  *(_t74 - 4) & 0x00000000;
				E004061C1(_t74 - 0x40);
				 *[fs:0x0] =  *((intOrPtr*)(_t74 - 0xc));
				return  *((intOrPtr*)(_t74 + 8));
			}

0x0041cf5d
0x0041cf68
0x0041cf72
0x0041cf75
0x0041cf81
0x0041cf82
0x0041cf8a
0x0041cf8d
0x0041cf90
0x0041cf95
0x0041cf9c
0x0041cf9d
0x0041cfa2
0x0041cfa5
0x0041cfa8
0x0041cfaa
0x0041cfaa
0x0041cfb9
0x0041cfca
0x0041cfe0
0x0041cfe4
0x0041cfec
0x0041cffa
0x0041d001
0x0041d004
0x0041d00d
0x0041d011
0x0041d01c
0x0041d020
0x0041d028
0x0041d02b
0x0041d030
0x0041d037
0x0041d045
0x0041d04d

APIs

__EH_prolog.LIBCMT ref: 0041CF5D

Part of subcall function 0040B34B: __EH_prolog.LIBCMT ref: 0040B350
Part of subcall function 0040B34B: GetLastError.KERNEL32(?,00000001,00000001,?,0044B892,?,?,00000000), ref: 0040B379
Part of subcall function 0040B34B: SetLastError.KERNEL32(?,?,00000000,00000000,?,0044B892,?,?,00000000), ref: 0040B3CE

Strings

tuF, xrefs: 0041CF6D
uF, xrefs: 0041CFEC
PreReqFeatures, xrefs: 0041CFDA
PG, xrefs: 0041CFAA

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorH_prologLast
String ID: PreReqFeatures$PG$tuF$uF
API String ID: 1057991267-3866957575
Opcode ID: 0d43053ddf15e94d81562dfd2f7fc1e409cec69d3ba3a7de95712f6580ad3988
Instruction ID: c90ba536e075ea707302d2401c1eaabadcdb87a4af196b7b9cc17e9000088910
Opcode Fuzzy Hash: 0d43053ddf15e94d81562dfd2f7fc1e409cec69d3ba3a7de95712f6580ad3988
Instruction Fuzzy Hash: 56318071D00218EFDB11DB95C892BEDBB78EF19318F1040AEE509B7282DB785B49CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00418C4B Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 76
fileCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E00418C4B(void* __ecx, void* __eflags) {
				void* _t25;
				intOrPtr _t27;
				void* _t32;
				signed int _t35;
				intOrPtr _t41;
				void* _t47;
				void* _t49;

				L0043B644(0x461bae, _t49);
				_push(__ecx);
				_t47 = __ecx;
				 *(_t49 - 4) = 0;
				E00418E8D(__ecx);
				E0041A336(__ecx + 8, _t49 + 8);
				_t25 = E0041AAA1(_t49 + 8, 0, 7, L"http://", 0); // executed
				if(_t25 == 0 || E0041AAA1(_t49 + 8, 0, 8, L"https://", 0) == 0) {
					_t41 = L0043BC14(0xa8);
					 *((intOrPtr*)(_t49 - 0x10)) = _t41;
					__eflags = _t41;
					 *(_t49 - 4) = 1;
					if(__eflags == 0) {
						_t27 = 0;
						__eflags = 0;
					} else {
						_push(0);
						_push(0);
						_push(0);
						_push(0);
						_push(0x7530);
						_push(L"toys::file_lite");
						_t27 = L00413046(_t41, __eflags);
					}
					_push(0x80400100);
					_push( *((intOrPtr*)(_t49 + 0x24)));
					 *(_t49 - 4) = 0;
					 *((intOrPtr*)(_t47 + 0x24)) = _t27;
					_push( *(_t49 + 0x18));
					_t35 = L00437AB5(_t27);
				} else {
					_t32 = CreateFileW( *(_t49 + 0x18), 0x80000000, 1, 0, 3, 0x80, 0); // executed
					 *(_t47 + 4) = _t32;
					_t35 = 0 | _t32 != 0xffffffff;
				}
				 *(_t49 - 4) =  *(_t49 - 4) | 0xffffffff;
				E0041A273(_t49 + 8);
				 *[fs:0x0] =  *((intOrPtr*)(_t49 - 0xc));
				return _t35;
			}

0x00418c50
0x00418c55
0x00418c58
0x00418c5c
0x00418c5f
0x00418c6b
0x00418c7c
0x00418c83
0x00418cc9
0x00418ccb
0x00418cce
0x00418cd0
0x00418cd4
0x00418ceb
0x00418ceb
0x00418cd6
0x00418cd6
0x00418cd7
0x00418cd8
0x00418cd9
0x00418cda
0x00418cdf
0x00418ce4
0x00418ce4
0x00418ced
0x00418cf4
0x00418cf7
0x00418cfa
0x00418cfd
0x00418d05
0x00418c9a
0x00418cad
0x00418cb6
0x00418cb9
0x00418cb9
0x00418d07
0x00418d0e
0x00418d1a
0x00418d22

APIs

__EH_prolog.LIBCMT ref: 00418C50

Part of subcall function 00418E8D: FindCloseChangeNotification.KERNELBASE(?,?,00418C64,00000000,00000000,?,00417CD9,?,00000001), ref: 00418EA5

Part of subcall function 0041A336: SysFreeString.OLEAUT32(?), ref: 0041A34B
Part of subcall function 0041A336: SysStringLen.OLEAUT32(?), ref: 0041A354
Part of subcall function 0041A336: SysAllocStringLen.OLEAUT32(?,00000000), ref: 0041A35E

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000008,https://,00000000,00000000,00000007,http://,00000000,?), ref: 00418CAD

Strings

toys::file_lite, xrefs: 00418CDF
https://, xrefs: 00418C86
http://, xrefs: 00418C71

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: String$AllocChangeCloseCreateFileFindFreeH_prologNotification
String ID: http://$https://$toys::file_lite
API String ID: 1952945185-1216559337
Opcode ID: 8a612e813ed1e48ec0c9181b21f6e3d282dfb12e812192cccba599611c5feb8c
Instruction ID: 35a3b195dccf7941f51570e32374de22dc4f7d74ef208c28c5c11433551d4838
Opcode Fuzzy Hash: 8a612e813ed1e48ec0c9181b21f6e3d282dfb12e812192cccba599611c5feb8c
Instruction Fuzzy Hash: E521F970641208BEDB149F65CD92FEE7798EF10788F10812FB415A62D1EF789E84C66C

Uniqueness

Uniqueness Score: -1.00%

Function 0042AAA8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E0042AAA8(intOrPtr* __ecx, void* __eflags) {
				struct HBRUSH__* _t26;
				intOrPtr* _t36;
				intOrPtr* _t37;
				intOrPtr* _t43;
				void* _t45;

				L0043B644(0x463636, _t45);
				_push(__ecx);
				_t43 = __ecx;
				 *(__ecx + 4) =  *(__ecx + 4) & 0x00000000;
				 *((intOrPtr*)(__ecx + 8)) =  *((intOrPtr*)(_t45 + 8));
				 *((intOrPtr*)(_t45 - 0x10)) = __ecx;
				 *((intOrPtr*)(__ecx + 0xc)) =  *((intOrPtr*)(_t45 + 0xc));
				_t26 = CreateSolidBrush(GetSysColor(5)); // executed
				 *(_t43 + 0x10) = _t26;
				 *(_t45 - 4) =  *(_t45 - 4) & 0x00000000;
				_t36 = _t43 + 0x18;
				_push(0);
				_push(_t45 + 0xb);
				 *_t36 = 0x46757c;
				 *((intOrPtr*)(_t36 + 0x20)) = 0x467574;
				L00401C68(_t36);
				 *(_t43 + 0x40) =  *(_t43 + 0x40) & 0x00000000;
				_t37 = _t43 + 0x44;
				_push(0);
				_push(_t45 + 0xf);
				 *(_t45 - 4) = 1;
				 *_t37 = 0x46757c;
				 *((intOrPtr*)(_t37 + 0x20)) = 0x467574;
				L00401C68(_t37);
				 *_t43 = 0x468164;
				 *[fs:0x0] =  *((intOrPtr*)(_t45 - 0xc));
				return _t43;
			}

0x0042aaad
0x0042aab2
0x0042aab8
0x0042aabd
0x0042aac1
0x0042aac7
0x0042aaca
0x0042aad4
0x0042aada
0x0042aadd
0x0042aae1
0x0042aaf1
0x0042aaf3
0x0042aaf4
0x0042aaf6
0x0042aaf9
0x0042aafe
0x0042ab02
0x0042ab08
0x0042ab0a
0x0042ab0b
0x0042ab0f
0x0042ab11
0x0042ab14
0x0042ab1c
0x0042ab27
0x0042ab2f

APIs

__EH_prolog.LIBCMT ref: 0042AAAD
GetSysColor.USER32(00000005), ref: 0042AACD
CreateSolidBrush.GDI32(00000000), ref: 0042AAD4

Part of subcall function 00401C68: __EH_prolog.LIBCMT ref: 00401C6D
Part of subcall function 00401C68: GetLastError.KERNEL32(00467574,00000000,0046757C,?,0040E781,?,00000000,?,00000000), ref: 00401C96
Part of subcall function 00401C68: SetLastError.KERNEL32(?,00000000,?,0040E781,?,00000000,?,00000000), ref: 00401CC4

Strings

|uF, xrefs: 0042AAE7
tuF, xrefs: 0042AAEC

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorH_prologLast$BrushColorCreateSolid
String ID: tuF$|uF
API String ID: 2399096939-3059473046
Opcode ID: 270b70b28dec3879984d450dcf40c72e795ab08f983a60e10d9f5a2e6d976d3b
Instruction ID: c57cc8a277dad5658d5ddcd4faf8f5a6097791e48460fd8e6bf803597712c8f9
Opcode Fuzzy Hash: 270b70b28dec3879984d450dcf40c72e795ab08f983a60e10d9f5a2e6d976d3b
Instruction Fuzzy Hash: 431182B1900304AFD720CF64C884B9AB7F4FB08719F10856EE549D7640D7789505CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0041FEB5 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E0041FEB5(intOrPtr __ecx, void* __eflags) {
				intOrPtr* _t22;
				WCHAR* _t26;
				intOrPtr _t37;
				void* _t39;

				L0043B644(E004627A0, _t39);
				_t37 = __ecx;
				 *((intOrPtr*)(_t39 - 0x14)) = __ecx;
				 *(_t39 - 4) =  *(_t39 - 4) & 0x00000000;
				_push(0);
				_push(_t39 - 0xd);
				 *((intOrPtr*)(__ecx)) = 0x46757c;
				 *((intOrPtr*)(__ecx + 0x20)) = 0x467574;
				L00401C68(__ecx);
				 *(_t39 - 4) = 1;
				_t22 = L00401813(__ecx, _t39 - 0x20, 0x105);
				 *(_t39 - 4) = 2;
				 *((char*)(_t22 + 4)) = 1;
				GetCurrentDirectoryW(0x104,  *(L00401E6C(_t22,  *_t22)));
				 *(_t39 - 4) = 1;
				L00401A9C(_t39 - 0x20);
				_t26 =  *(_t39 + 0x10);
				if(_t26 == 0) {
					_t26 = 0x467570;
				}
				SetCurrentDirectoryW(_t26); // executed
				 *(_t39 - 4) =  *(_t39 - 4) | 0xffffffff;
				L0040125C(_t39 + 8);
				 *[fs:0x0] =  *((intOrPtr*)(_t39 - 0xc));
				return _t37;
			}

0x0041feba
0x0041fec3
0x0041fec5
0x0041fec8
0x0041fecf
0x0041fed1
0x0041fed2
0x0041fed8
0x0041fedf
0x0041feef
0x0041fef3
0x0041fefa
0x0041fefe
0x0041ff0e
0x0041ff17
0x0041ff1b
0x0041ff20
0x0041ff25
0x0041ff27
0x0041ff27
0x0041ff2d
0x0041ff33
0x0041ff3a
0x0041ff45
0x0041ff4d

APIs

__EH_prolog.LIBCMT ref: 0041FEBA

Part of subcall function 00401C68: __EH_prolog.LIBCMT ref: 00401C6D
Part of subcall function 00401C68: GetLastError.KERNEL32(00467574,00000000,0046757C,?,0040E781,?,00000000,?,00000000), ref: 00401C96
Part of subcall function 00401C68: SetLastError.KERNEL32(?,00000000,?,0040E781,?,00000000,?,00000000), ref: 00401CC4

Part of subcall function 00401E6C: SysStringLen.OLEAUT32(?), ref: 00401E7A
Part of subcall function 00401E6C: SysReAllocStringLen.OLEAUT32(?,?,?), ref: 00401E96

GetCurrentDirectoryW.KERNEL32(00000104,00000000,00467574,00000105,?,00000000,00000000), ref: 0041FF0E

Part of subcall function 00401A9C: __EH_prolog.LIBCMT ref: 00401AA1
Part of subcall function 00401A9C: GetLastError.KERNEL32(00467574,00000000), ref: 00401AAD
Part of subcall function 00401A9C: SetLastError.KERNEL32(00000000), ref: 00401B01

SetCurrentDirectoryW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004675D0,?), ref: 0041FF2D

Strings

tuF, xrefs: 0041FED8
puF, xrefs: 0041FF27

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorLast$H_prolog$CurrentDirectoryString$Alloc
String ID: puF$tuF
API String ID: 2273848851-1275572029
Opcode ID: f9bcd4d60aadba3d7b548b040b2c3c469ab08925fef49ea450c5c657f65a752b
Instruction ID: 8b6eb00c8f10683e923d00b15ebfc3e70a7881733d6de3b1f887045e7b893bfd
Opcode Fuzzy Hash: f9bcd4d60aadba3d7b548b040b2c3c469ab08925fef49ea450c5c657f65a752b
Instruction Fuzzy Hash: 50116971905244AFDB00EBE8C5457DD7BB4AF09318F1041AEE485A72D2E7B89644CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 00418ED1 Relevance: 7.6, APIs: 5, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00418ED1() {
				void* _t38;
				void* _t40;
				void* _t50;
				void* _t57;
				void* _t59;
				void* _t60;

				L0043B644(0x461be4, _t60);
				 *(_t60 - 0x18) = 0;
				 *((intOrPtr*)(_t60 - 4)) = 0;
				 *(_t60 - 0x14) = 0;
				 *(_t60 - 0x10) = 0;
				 *((char*)(_t60 - 4)) = 2;
				_push(_t60 + 8);
				_push(_t60 - 0x18);
				_push(_t60 - 0x14);
				_push(_t60 - 0x10);
				_push( *((intOrPtr*)(_t60 + 8)));
				_t38 = E0041919A(); // executed
				if(_t38 == 0) {
					_t50 = L00418FB3( *(_t60 - 0x18),  *(_t60 - 0x10),  *((intOrPtr*)(_t60 + 8)),  *((intOrPtr*)(_t60 + 0xc)));
					if( *(_t60 - 0x10) != 0 && UnmapViewOfFile != 0) {
						UnmapViewOfFile( *(_t60 - 0x10));
						 *(_t60 - 0x10) = 0;
					}
					_t57 = CloseHandle;
					if( *(_t60 - 0x14) != 0 && CloseHandle != 0) {
						FindCloseChangeNotification( *(_t60 - 0x14)); // executed
						 *(_t60 - 0x14) = 0;
					}
					if( *(_t60 - 0x18) != 0 && _t57 != 0) {
						CloseHandle( *(_t60 - 0x18));
					}
					_t40 = _t50;
				} else {
					if( *(_t60 - 0x10) != 0 && UnmapViewOfFile != 0) {
						UnmapViewOfFile( *(_t60 - 0x10));
						 *(_t60 - 0x10) = 0;
					}
					_t59 = CloseHandle;
					if( *(_t60 - 0x14) != 0 && CloseHandle != 0) {
						CloseHandle( *(_t60 - 0x14));
						 *(_t60 - 0x14) = 0;
					}
					if( *(_t60 - 0x18) != 0 && _t59 != 0) {
						CloseHandle( *(_t60 - 0x18));
					}
					_t40 = 0;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t60 - 0xc));
				return _t40;
			}

0x00418ed6
0x00418ee2
0x00418ee5
0x00418ee8
0x00418eeb
0x00418ef1
0x00418ef5
0x00418ef9
0x00418efd
0x00418f01
0x00418f02
0x00418f05
0x00418f0f
0x00418f68
0x00418f6a
0x00418f78
0x00418f7a
0x00418f7a
0x00418f80
0x00418f86
0x00418f8f
0x00418f91
0x00418f91
0x00418f97
0x00418fa0
0x00418fa0
0x00418fa2
0x00418f11
0x00418f14
0x00418f22
0x00418f24
0x00418f24
0x00418f2a
0x00418f30
0x00418f39
0x00418f3b
0x00418f3b
0x00418f41
0x00418f4a
0x00418f4a
0x00418f4c
0x00418f4c
0x00418faa
0x00418fb2

APIs

__EH_prolog.LIBCMT ref: 00418ED6

Part of subcall function 0041919A: __EH_prolog.LIBCMT ref: 0041919F
Part of subcall function 0041919A: CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,00000000), ref: 004191CF
Part of subcall function 0041919A: CreateFileMappingW.KERNELBASE(000000FF,00000000,00000002,00000000,00000000,00000000,?,00000000), ref: 004191F6
Part of subcall function 0041919A: GetSystemInfo.KERNELBASE(?,?,00000000), ref: 00419217
Part of subcall function 0041919A: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,?,?,00000000), ref: 0041922B
Part of subcall function 0041919A: GetLastError.KERNEL32(?,00000000), ref: 0041924B

CloseHandle.KERNEL32(0043D41C,?,?,?,?), ref: 00418F39
CloseHandle.KERNEL32(?,?,?,?,?), ref: 00418F4A
FindCloseChangeNotification.KERNELBASE(0043D41C,?,?,?,00000000,?,?,?,?), ref: 00418F8F
CloseHandle.KERNEL32(?,?,?,?,00000000,?,?,?,?), ref: 00418FA0

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: Close$FileHandle$CreateH_prolog$ChangeErrorFindInfoLastMappingNotificationSystemView
String ID:
API String ID: 849282148-0
Opcode ID: cf2333ad9100a1532d4acfe3e550f90841fd07b3c534150ea0032ec693d7633a
Instruction ID: f151b31e9c7ba78138bc16daa83c8fa4c888594e0d56c1abd238403b965ea193
Opcode Fuzzy Hash: cf2333ad9100a1532d4acfe3e550f90841fd07b3c534150ea0032ec693d7633a
Instruction Fuzzy Hash: CD31F472D0011AAACF129F99CD419FFFBBABF94344F14052BE514B2220EB754E81DB95

Uniqueness

Uniqueness Score: -1.00%

Function 00433A47 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00433A47(void* __edx, void* __eflags) {
				intOrPtr _t56;
				signed int _t64;
				signed int _t67;
				void* _t69;
				void* _t74;
				signed int _t77;
				signed int _t78;
				signed int _t79;
				signed int _t80;
				signed int _t99;
				intOrPtr _t101;
				signed int _t103;
				intOrPtr _t105;
				signed int _t109;
				void* _t110;
				void* _t112;
				void* _t117;
				void* _t120;

				_t117 = __eflags;
				L0043B644(E0046455B, _t110);
				_t103 = 0;
				_push(0);
				_push(_t110 - 0xd);
				 *(_t110 - 4) = 0;
				 *((intOrPtr*)(_t110 - 0x38)) = 0x46757c;
				 *((intOrPtr*)(_t110 - 0x18)) = 0x467574;
				L00401C68(_t110 - 0x38);
				_push( *((intOrPtr*)(_t110 + 0x38)));
				 *(_t110 - 4) = 1;
				_push( *((intOrPtr*)(_t110 + 0x34)));
				_push(_t110 - 0x38);
				 *((intOrPtr*)(_t110 + 0x38)) = _t112 - 0x54;
				L00401708(_t112 - 0x54, _t110 + 8, 1); // executed
				_t56 = E0041EC40(__edx, _t117); // executed
				 *((intOrPtr*)(_t110 + 0x38)) = _t56;
				if(_t56 != 0) {
					L22:
					 *(_t110 - 4) =  *(_t110 - 4) & 0x00000000;
					L0040125C(_t110 - 0x38);
					_t44 = _t110 - 4;
					 *_t44 =  *(_t110 - 4) | 0xffffffff;
					__eflags =  *_t44;
					L0040125C(_t110 + 8);
					 *[fs:0x0] =  *((intOrPtr*)(_t110 - 0xc));
					return  *((intOrPtr*)(_t110 + 0x38));
				} else {
					_t108 = 0;
					while(1) {
						_t109 = L004058E3(_t110 - 0x34, L"\r\n", _t108, L0043BA1F(L"\r\n"));
						_t120 = _t109 -  *0x467594; // 0xffffffff
						if(_t120 == 0) {
							break;
						}
						_t74 = E00401A68(_t110 - 0x38, _t110 - 0x60, _t103, _t61 - _t103); // executed
						 *(_t110 - 4) = 3;
						E00419C0E( *((intOrPtr*)(_t110 + 0x30)), _t74);
						 *(_t110 - 4) = 1;
						L0040125C(_t110 - 0x60);
						_t105 =  *((intOrPtr*)(_t110 - 0x2c));
						_t101 =  *((intOrPtr*)(_t110 - 0x30));
						if(_t105 == 0 || _t109 >= _t105) {
							_t77 = 0;
							__eflags = 0;
							goto L9;
						} else {
							_t80 = 0x467570;
							if(_t101 != 0) {
								_t80 = _t101 + _t109 * 2;
							}
							_t77 = _t80 & 0xffffff00 |  *_t80 == 0x0000000d;
							L9:
							if(_t77 != 0) {
								_t26 = _t109 + 1; // 0x1
								_t99 = _t26;
								if(_t105 == 0 || _t99 >= _t105) {
									_t78 = 0;
									__eflags = 0;
								} else {
									_t79 = 0x467570;
									if(_t101 != 0) {
										_t79 = _t101 + _t99 * 2;
									}
									_t78 = _t79 & 0xffffff00 |  *_t79 == 0x0000000a;
								}
								if(_t78 != 0) {
									_t109 = _t99;
								}
							}
							_t108 = _t109 + 1;
							_t103 = _t109 + 1;
							continue;
						}
					}
					_t64 = E00402A5B(_t110 - 0x38, 0xd,  *((intOrPtr*)(_t110 - 0x2c)) - 1);
					__eflags = _t64;
					if(_t64 == 0) {
						_t67 = E00402A5B(_t110 - 0x38, 0xa,  *((intOrPtr*)(_t110 - 0x2c)) - 1);
						__eflags = _t67;
						if(_t67 == 0) {
							_t69 = E00401A68(_t110 - 0x38, _t110 - 0x88, _t103,  *0x467594);
							 *(_t110 - 4) = 2;
							E00419C0E( *((intOrPtr*)(_t110 + 0x30)), _t69);
							 *(_t110 - 4) = 1;
							L0040125C(_t110 - 0x88);
						}
					}
					goto L22;
				}
			}

0x00433a47
0x00433a4c
0x00433a57
0x00433a5c
0x00433a5d
0x00433a61
0x00433a64
0x00433a6b
0x00433a72
0x00433a77
0x00433a7d
0x00433a81
0x00433a84
0x00433a8d
0x00433a93
0x00433a98
0x00433aa2
0x00433aa5
0x00433baa
0x00433baa
0x00433bb1
0x00433bb6
0x00433bb6
0x00433bb6
0x00433bbd
0x00433bca
0x00433bd3
0x00433aab
0x00433aab
0x00433ab2
0x00433acc
0x00433ace
0x00433ad4
0x00000000
0x00000000
0x00433ae1
0x00433aea
0x00433aee
0x00433af6
0x00433afa
0x00433aff
0x00433b02
0x00433b07
0x00433b1f
0x00433b1f
0x00000000
0x00433b0d
0x00433b0f
0x00433b11
0x00433b13
0x00433b13
0x00433b1a
0x00433b21
0x00433b23
0x00433b27
0x00433b27
0x00433b2a
0x00433b42
0x00433b42
0x00433b30
0x00433b32
0x00433b34
0x00433b36
0x00433b36
0x00433b3d
0x00433b3d
0x00433b46
0x00433b48
0x00433b48
0x00433b46
0x00433b4a
0x00433b4b
0x00000000
0x00433b4b
0x00433b07
0x00433b5c
0x00433b61
0x00433b63
0x00433b6f
0x00433b74
0x00433b76
0x00433b89
0x00433b92
0x00433b96
0x00433ba1
0x00433ba5
0x00433ba5
0x00433b76
0x00000000
0x00433b63

APIs

__EH_prolog.LIBCMT ref: 00433A4C

Part of subcall function 00401C68: __EH_prolog.LIBCMT ref: 00401C6D
Part of subcall function 00401C68: GetLastError.KERNEL32(00467574,00000000,0046757C,?,0040E781,?,00000000,?,00000000), ref: 00401C96
Part of subcall function 00401C68: SetLastError.KERNEL32(?,00000000,?,0040E781,?,00000000,?,00000000), ref: 00401CC4

Part of subcall function 0041EC40: __EH_prolog.LIBCMT ref: 0041EC45

Part of subcall function 0040125C: __EH_prolog.LIBCMT ref: 00401261
Part of subcall function 0040125C: GetLastError.KERNEL32(000004B1,00000000,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 00401284
Part of subcall function 0040125C: SysFreeString.OLEAUT32(?), ref: 004012A2
Part of subcall function 0040125C: SetLastError.KERNEL32(?,00000001,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 004012C2

Strings

tuF, xrefs: 00433A6B
|uF, xrefs: 00433A64
puF, xrefs: 00433AAD

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorH_prologLast$FreeString
String ID: puF$tuF$|uF
API String ID: 2373906061-2118565386
Opcode ID: 496f649643ca969f7a4a4fd351fd2a925646c2da2d582a8e929968a03fa76250
Instruction ID: b773cb0e854078954d602ef9d0a06ce92c159a647d3da1709d223a09855db970
Opcode Fuzzy Hash: 496f649643ca969f7a4a4fd351fd2a925646c2da2d582a8e929968a03fa76250
Instruction Fuzzy Hash: C541D831904208BACF10EFA5C845AEEFB79AF49314F14515EF806B3282EB786E45C769

Uniqueness

Uniqueness Score: -1.00%

Function 0042DD60 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0042DD60() {
				intOrPtr _t64;
				signed int _t67;
				void* _t79;
				long _t80;
				intOrPtr* _t105;
				signed int _t114;
				void* _t119;
				void* _t121;
				void* _t122;
				intOrPtr _t124;
				intOrPtr* _t125;

				L0043B644(0x463bc4, _t119);
				_t122 = _t121 - 0x64;
				_t114 = 0;
				 *(_t119 - 4) = 0;
				E00402943(_t119 + 8, _t119 - 0x70);
				L0040125C(_t119 - 0x70);
				 *0x47e3d4 = 0;
				 *((char*)(_t119 - 0xd)) = E00402456(_t119 + 8);
				_push(0);
				_push(_t119 - 0xe);
				 *((intOrPtr*)(_t119 - 0x48)) = 0x46757c;
				 *((intOrPtr*)(_t119 - 0x28)) = 0x467574;
				L00401C68(_t119 - 0x48);
				 *(_t119 - 4) = 1;
				 *((intOrPtr*)(_t119 - 0x14)) = 1;
				do {
					 *((intOrPtr*)(_t119 - 0x1c)) = 0x5c;
					_t64 = E0040238F(_t119 + 0xc, _t119 - 0x1c, _t114, 1);
					 *((intOrPtr*)(_t119 - 0x18)) = _t64;
					if(_t64 == 0xffffffff) {
						goto L12;
					} else {
						E00401A68(_t119 + 8, _t119 - 0x70, _t114, _t64 - _t114 + 1);
						asm("sbb esi, esi");
						_t118 =  ~(_t119 - 0x70) & _t119 - 0x0000006c;
						 *(_t119 - 4) = 2;
						if(L00431AF3( ~(_t119 - 0x70) & _t119 - 0x0000006c, 0x4764fc) == 0) {
							L004057F3(_t119 - 0x44, _t118, 0,  *0x467594);
						} else {
							E0043025D(_t119 - 0x48, _t119 - 0x70);
						}
						_t114 =  *((intOrPtr*)(_t119 - 0x18)) + 1;
						if( *((intOrPtr*)(_t119 - 0x14)) <= 1 ||  *((intOrPtr*)(_t119 - 0x14)) <= 4 &&  *((char*)(_t119 - 0xd)) != 0) {
							L11:
							 *(_t119 - 4) = 1;
							L0040125C(_t119 - 0x70);
							goto L12;
						} else {
							_push(0);
							_t124 = _t122 - 0x28;
							 *((intOrPtr*)(_t119 - 0x20)) = _t124;
							L00401708(_t124, _t119 - 0x48, 1); // executed
							_t79 = E0042FD4E(); // executed
							_t122 = _t124 + 0x2c;
							if(_t79 != 0) {
								goto L11;
							} else {
								_t80 = GetLastError();
								 *0x47e3d4 = _t80;
								if(_t80 != 0xb7) {
									_t125 = _t122 - 0x28;
									 *((intOrPtr*)(_t119 - 0x20)) = _t125;
									_t105 = _t125;
									_push(0);
									_push(_t119 - 0x48);
									 *_t105 = 0x46757c;
									 *((intOrPtr*)(_t105 + 0x20)) = 0x467574;
									L00401CDD(_t105);
									L0042D43D(__eflags);
									 *(_t119 - 4) = 1;
									L0040125C(_t119 - 0x70);
									 *(_t119 - 4) =  *(_t119 - 4) & 0x00000000;
									L0040125C(_t119 - 0x48);
									 *(_t119 - 4) =  *(_t119 - 4) | 0xffffffff;
									L0040125C(_t119 + 8);
									_t67 = 0;
								} else {
									 *0x47e3d4 =  *0x47e3d4 & 0x00000000;
									goto L11;
								}
							}
						}
					}
					L14:
					 *[fs:0x0] =  *((intOrPtr*)(_t119 - 0xc));
					return _t67;
					L12:
					 *((intOrPtr*)(_t119 - 0x14)) =  *((intOrPtr*)(_t119 - 0x14)) + 1;
				} while ( *((intOrPtr*)(_t119 - 0x18)) != 0xffffffff);
				 *(_t119 - 4) =  *(_t119 - 4) & 0x00000000;
				L0040125C(_t119 - 0x48);
				 *(_t119 - 4) =  *(_t119 - 4) | 0xffffffff;
				L0040125C(_t119 + 8);
				_t67 = 1;
				goto L14;
			}

0x0042dd65
0x0042dd6a
0x0042dd73
0x0042dd79
0x0042dd7c
0x0042dd84
0x0042dd8c
0x0042dd97
0x0042dda7
0x0042dda8
0x0042ddac
0x0042ddaf
0x0042ddb2
0x0042ddb7
0x0042ddbb
0x0042ddc2
0x0042ddcc
0x0042ddd3
0x0042dddb
0x0042ddde
0x00000000
0x0042dde4
0x0042ddf0
0x0042ddfd
0x0042de04
0x0042de06
0x0042de13
0x0042de2f
0x0042de15
0x0042de1c
0x0042de1c
0x0042de3b
0x0042de3e
0x0042de86
0x0042de89
0x0042de8d
0x00000000
0x0042de4c
0x0042de4c
0x0042de51
0x0042de56
0x0042de5c
0x0042de61
0x0042de66
0x0042de6b
0x00000000
0x0042de6d
0x0042de6d
0x0042de78
0x0042de7d
0x0042dec8
0x0042dece
0x0042ded1
0x0042ded3
0x0042ded5
0x0042ded6
0x0042ded8
0x0042dedb
0x0042dee0
0x0042deeb
0x0042deef
0x0042def4
0x0042defb
0x0042df00
0x0042df07
0x0042df0c
0x0042de7f
0x0042de7f
0x00000000
0x0042de7f
0x0042de7d
0x0042de6b
0x0042de3e
0x0042deb9
0x0042debe
0x0042dec7
0x0042de92
0x0042de92
0x0042de95
0x0042de9f
0x0042dea6
0x0042deab
0x0042deb2
0x0042deb7
0x00000000

APIs

__EH_prolog.LIBCMT ref: 0042DD65

Part of subcall function 0040125C: __EH_prolog.LIBCMT ref: 00401261
Part of subcall function 0040125C: GetLastError.KERNEL32(000004B1,00000000,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 00401284
Part of subcall function 0040125C: SysFreeString.OLEAUT32(?), ref: 004012A2
Part of subcall function 0040125C: SetLastError.KERNEL32(?,00000001,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 004012C2

Part of subcall function 00401C68: __EH_prolog.LIBCMT ref: 00401C6D
Part of subcall function 00401C68: GetLastError.KERNEL32(00467574,00000000,0046757C,?,0040E781,?,00000000,?,00000000), ref: 00401C96
Part of subcall function 00401C68: SetLastError.KERNEL32(?,00000000,?,0040E781,?,00000000,?,00000000), ref: 00401CC4

GetLastError.KERNEL32 ref: 0042DE6D

Strings

|uF, xrefs: 0042DD9D
tuF, xrefs: 0042DDA2

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorLast$H_prolog$FreeString
String ID: tuF$|uF
API String ID: 3800368667-3059473046
Opcode ID: 8aadefa9114b6db53581b8f8754203ef95c0e9b88768a04b944d4f76213a1011
Instruction ID: d99bc5387cd111d2d62d44d8a2c4cc165c2d571eb15777280990f9f49f1e2784
Opcode Fuzzy Hash: 8aadefa9114b6db53581b8f8754203ef95c0e9b88768a04b944d4f76213a1011
Instruction Fuzzy Hash: 37519370D00218DACF10EFA5C9857EEBB78AF14318F50416EE405B71D2EB785746CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00417132 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00417132(intOrPtr __ecx, void* __edx) {
				void* _t45;
				intOrPtr _t52;
				void* _t60;
				void* _t79;
				intOrPtr _t81;
				intOrPtr* _t84;
				void* _t86;
				void* _t88;
				intOrPtr _t89;
				intOrPtr _t92;

				_t79 = __edx;
				L0043B644(0x461790, _t86);
				_t89 = _t88 - 0x38;
				_t81 = __ecx;
				_t84 = __ecx + 4;
				 *(_t86 - 4) = 1;
				 *((intOrPtr*)(_t86 - 0x14)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx + 4)) + 0x2c))() + 0x54))));
				while(1) {
					_t45 =  *((intOrPtr*)( *_t84 + 0x2c))() + 0x50;
					_t94 =  *((intOrPtr*)(_t86 - 0x14)) -  *((intOrPtr*)(_t45 + 4));
					if( *((intOrPtr*)(_t86 - 0x14)) ==  *((intOrPtr*)(_t45 + 4))) {
						break;
					}
					_push(0);
					_push(_t86 - 0xd);
					_t11 = _t86 - 0x44; // 0x46757c
					 *((intOrPtr*)(_t86 - 0x44)) = 0x46757c;
					 *((intOrPtr*)(_t86 - 0x24)) = 0x467574;
					L00401C68(_t11);
					_t52 =  *((intOrPtr*)(_t86 - 0x14));
					 *(_t86 - 4) = 2;
					_t16 = _t52 + 0xc; // 0x98b088b
					_t17 = _t86 - 0x44; // 0x46757c
					L004057E0(_t17, L"0x%04lx.ini",  *_t16 & 0x0000ffff);
					_t18 = _t86 - 0x44; // 0x46757c
					_push(0x4c4);
					_t92 = _t89 + 0xc - 0x28;
					 *((intOrPtr*)(_t86 - 0x18)) = _t92;
					_push(_t92);
					L00405670(_t86 + 0x30, _t94);
					_t89 = _t92 - 0x28;
					_t21 = _t86 - 0x44; // 0x46757c
					 *((intOrPtr*)(_t86 - 0x1c)) = _t89;
					 *(_t86 - 4) = 3;
					L00405670(_t86 + 8, _t94);
					 *(_t86 - 4) = 2;
					_t60 = E00416E73(_t81, _t79, _t94); // executed
					L00415C13(_t81, _t60, _t89);
					_t26 = _t86 - 0x44; // 0x46757c
					 *(_t86 - 4) = 1;
					L0040125C(_t26);
					L0040D42B(_t86 - 0x14);
				}
				 *(_t86 - 4) =  *(_t86 - 4) & 0x00000000;
				L0040125C(_t86 + 8);
				 *(_t86 - 4) =  *(_t86 - 4) | 0xffffffff;
				L0040125C(_t86 + 0x30);
				__eflags = 0;
				 *[fs:0x0] =  *((intOrPtr*)(_t86 - 0xc));
				return 0;
			}

0x00417132
0x00417137
0x0041713c
0x00417141
0x00417146
0x0041714b
0x0041715d
0x00417160
0x00417167
0x0041716d
0x00417170
0x00000000
0x00000000
0x00417179
0x0041717b
0x0041717c
0x0041717f
0x00417186
0x0041718d
0x00417192
0x00417195
0x00417199
0x0041719e
0x004171a7
0x004171af
0x004171b2
0x004171b7
0x004171bc
0x004171c0
0x004171c4
0x004171c9
0x004171cc
0x004171d1
0x004171d9
0x004171dd
0x004171e4
0x004171e8
0x004171f0
0x004171f5
0x004171f8
0x004171fc
0x00417204
0x00417204
0x0041720e
0x00417215
0x0041721a
0x00417221
0x0041722a
0x0041722c
0x00417235

APIs

__EH_prolog.LIBCMT ref: 00417137

Part of subcall function 00401C68: __EH_prolog.LIBCMT ref: 00401C6D
Part of subcall function 00401C68: GetLastError.KERNEL32(00467574,00000000,0046757C,?,0040E781,?,00000000,?,00000000), ref: 00401C96
Part of subcall function 00401C68: SetLastError.KERNEL32(?,00000000,?,0040E781,?,00000000,?,00000000), ref: 00401CC4

Part of subcall function 00405670: __EH_prolog.LIBCMT ref: 00405675

Part of subcall function 00416E73: __EH_prolog.LIBCMT ref: 00416E78
Part of subcall function 00416E73: lstrcpyW.KERNEL32 ref: 00416ED8
Part of subcall function 00416E73: __setjmp3.LIBCMT ref: 00416EF9

Part of subcall function 0040125C: __EH_prolog.LIBCMT ref: 00401261
Part of subcall function 0040125C: GetLastError.KERNEL32(000004B1,00000000,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 00401284
Part of subcall function 0040125C: SysFreeString.OLEAUT32(?), ref: 004012A2
Part of subcall function 0040125C: SetLastError.KERNEL32(?,00000001,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 004012C2

Strings

|uF, xrefs: 0041717C
tuF, xrefs: 00417186
0x%04lx.ini, xrefs: 004171A1

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: H_prolog$ErrorLast$FreeString__setjmp3lstrcpy
String ID: 0x%04lx.ini$tuF$|uF
API String ID: 894535458-2845481692
Opcode ID: 7980c8a95ca7a567552a6f406372e3710b2433339b7c7f3f19658857f9e0b885
Instruction ID: 47a0715a24f2bc1048747525fd46035f951d1b08817517f73eb036a6b8f266fd
Opcode Fuzzy Hash: 7980c8a95ca7a567552a6f406372e3710b2433339b7c7f3f19658857f9e0b885
Instruction Fuzzy Hash: 68317575900104EFCB04EFA9C946AEDBBB4AF54314F50415EF405B3291DB74AF05CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 0041CE60 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E0041CE60(intOrPtr __ecx) {
				intOrPtr _t40;
				void* _t44;
				signed char _t53;
				void* _t74;

				L0043B644(E0046216D, _t74);
				 *(_t74 - 0x14) =  *(_t74 - 0x14) & 0x00000000;
				 *((intOrPtr*)(_t74 - 0x18)) = __ecx;
				_push(0);
				_push(_t74 - 0xd);
				_push(0x47e150);
				 *((intOrPtr*)(_t74 - 0x40)) = 0x4675d8;
				 *((intOrPtr*)(_t74 - 0x20)) = 0x4675d0;
				L0040B34B(_t74 - 0x40);
				_t40 =  *0x46803c; // 0x4765f0
				_t53 = 1;
				 *((intOrPtr*)(_t74 - 0x68)) = 0x4675d8;
				 *(_t74 - 4) = _t53;
				 *((intOrPtr*)(_t74 - 0x48)) = 0x4675d0;
				if(_t40 == 0) {
					_t40 = 0x47e150;
				}
				L0040B34B(_t74 - 0x68);
				 *(_t74 - 4) = 2;
				 *(_t74 - 4) = 3;
				_t44 = E0040CAC4();
				_t18 = _t74 - 0x18; // 0x4675e4
				 *(_t74 - 4) = 4;
				 *((intOrPtr*)( *((intOrPtr*)( *_t18)) + 0x38))( *((intOrPtr*)(_t74 + 8)), _t74 - 0x68, _t44, _t74 - 0x40, _t74 - 0x90, L"PreReq", L00419761(_t74 - 0xb8),  *((intOrPtr*)(_t74 + 0xc)), 0xa, _t53, _t40, _t74 - 0xe, 0);
				 *(_t74 - 0x14) = _t53;
				 *(_t74 - 4) = 3;
				E004061C1(_t74 - 0x90);
				 *(_t74 - 4) = 2;
				E004061C1(_t74 - 0xb8);
				 *(_t74 - 4) = _t53;
				E004061C1(_t74 - 0x68);
				 *(_t74 - 4) =  *(_t74 - 4) & 0x00000000;
				E004061C1(_t74 - 0x40);
				 *[fs:0x0] =  *((intOrPtr*)(_t74 - 0xc));
				return  *((intOrPtr*)(_t74 + 8));
			}

0x0041ce65
0x0041ce70
0x0041ce7a
0x0041ce7d
0x0041ce89
0x0041ce8a
0x0041ce92
0x0041ce95
0x0041ce98
0x0041ce9d
0x0041cea4
0x0041cea5
0x0041ceaa
0x0041cead
0x0041ceb0
0x0041ceb2
0x0041ceb2
0x0041cec1
0x0041ced2
0x0041cee8
0x0041ceec
0x0041cef4
0x0041cf02
0x0041cf09
0x0041cf0c
0x0041cf15
0x0041cf19
0x0041cf24
0x0041cf28
0x0041cf30
0x0041cf33
0x0041cf38
0x0041cf3f
0x0041cf4d
0x0041cf55

APIs

__EH_prolog.LIBCMT ref: 0041CE65

Part of subcall function 0040B34B: __EH_prolog.LIBCMT ref: 0040B350
Part of subcall function 0040B34B: GetLastError.KERNEL32(?,00000001,00000001,?,0044B892,?,?,00000000), ref: 0040B379
Part of subcall function 0040B34B: SetLastError.KERNEL32(?,?,00000000,00000000,?,0044B892,?,?,00000000), ref: 0040B3CE

Strings

PG, xrefs: 0041CEB2
PreReq, xrefs: 0041CEE2
uF, xrefs: 0041CEF4

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorH_prologLast
String ID: PreReq$PG$uF
API String ID: 1057991267-3298647507
Opcode ID: bcfbf68552c03fea6a720940e12aeeefbf55966b016740bc19ccdc2726265da7
Instruction ID: 7c0315ed8194e9c629b22fd7e407f08147322f51459bc75ca049189724ca55da
Opcode Fuzzy Hash: bcfbf68552c03fea6a720940e12aeeefbf55966b016740bc19ccdc2726265da7
Instruction Fuzzy Hash: AE31B471D00218EFDB10DB94C892BEDBB78EF14318F1040AEE409B7282DB785B48CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0042F1F4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36
registryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0042F1F4(void* __ecx) {
				intOrPtr _t22;
				signed int _t26;
				intOrPtr _t34;
				void* _t36;

				L0043B644(0x463d7c, _t36);
				_push(__ecx);
				_t21 =  *((intOrPtr*)(_t36 + 0x14));
				 *(_t36 - 4) =  *(_t36 - 4) & 0x00000000;
				if( *((intOrPtr*)(_t36 + 0x14)) == 0) {
					_t21 = 0x467570;
				}
				 *(_t36 - 0x10) =  *(_t36 - 0x10) & 0x00000000;
				_push(_t26);
				 *(_t36 - 4) = 1;
				_t22 = E0041C3FB(_t36 - 0x10,  *((intOrPtr*)(_t36 + 8)), _t21, 0x20019); // executed
				_t34 = _t22;
				if( *(_t36 - 0x10) != 0) {
					RegCloseKey( *(_t36 - 0x10));
					 *(_t36 - 0x10) =  *(_t36 - 0x10) & 0x00000000;
				}
				 *(_t36 - 4) =  *(_t36 - 4) | 0xffffffff;
				 *0x47e3d4 = _t34;
				L0040125C(_t36 + 0xc);
				 *[fs:0x0] =  *((intOrPtr*)(_t36 - 0xc));
				return _t26 & 0xffffff00 | _t34 == 0x00000000;
			}

0x0042f1f9
0x0042f1fe
0x0042f1ff
0x0042f202
0x0042f208
0x0042f20a
0x0042f20a
0x0042f20f
0x0042f213
0x0042f221
0x0042f225
0x0042f22e
0x0042f230
0x0042f235
0x0042f23b
0x0042f23b
0x0042f244
0x0042f24b
0x0042f251
0x0042f25d
0x0042f265

APIs

__EH_prolog.LIBCMT ref: 0042F1F9
RegCloseKey.ADVAPI32(00000000,?,0043D41C,00020019,00467574,ISlogit,?,00431B86,80000001,ISlogit,?,00000000), ref: 0042F235

Strings

ISlogit, xrefs: 0042F213
puF, xrefs: 0042F20A

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: CloseH_prolog
String ID: ISlogit$puF
API String ID: 1579395594-4241701043
Opcode ID: 449e9d3adfe8a53ab98d4158d4e910483bb2a9c6fb751c1ccf6090ef5a9a5457
Instruction ID: 3b06bdb31f7d3017f88c74d1ee850a189e5d6dc534a2e645401b011d49d03696
Opcode Fuzzy Hash: 449e9d3adfe8a53ab98d4158d4e910483bb2a9c6fb751c1ccf6090ef5a9a5457
Instruction Fuzzy Hash: 43018171900229EFDF11DF90D9457EEB770FB14359F00426AE825B7291D7798A08CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00406E5C Relevance: 6.1, APIs: 4, Instructions: 84
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00406E5C(intOrPtr* __ecx, void* __esi) {
				intOrPtr _t36;
				void* _t37;
				void* _t40;
				signed short _t49;
				void* _t52;
				short _t57;
				intOrPtr* _t76;
				void* _t83;

				L0043B644(0x45f7e0, _t83);
				_t76 = __ecx;
				_t36 =  *__ecx;
				 *(_t83 - 4) = 0;
				_t88 =  *((intOrPtr*)(_t36 + 0x8c));
				if( *((intOrPtr*)(_t36 + 0x8c)) != 0) {
					 *((intOrPtr*)(_t83 - 0x174)) =  *((intOrPtr*)(_t83 + 8));
					_push(0);
					_push(_t83 - 0x34);
					 *(_t83 - 0x170) = 0;
					 *(_t83 - 0x10c) = 0;
					 *(_t83 - 0xa8) = 8;
					 *(_t83 - 0xa4) = 0;
					 *((intOrPtr*)(_t83 - 0x40)) = 0;
					 *((intOrPtr*)(_t83 - 0x3c)) = 2;
					 *((short*)(_t83 - 0x38)) = 0;
					_t40 = E004042BA();
					 *(_t83 - 4) = 1;
					lstrcpyA(_t83 - 0xa4, L0040BC37(_t40));
					 *(_t83 - 4) = 0;
					L0040125C(_t83 - 0x34);
					lstrcpyA(_t83 - 0x170, L0040BC37(_t83 + 0xc));
					_t49 = E00403A98( *_t76, _t88,  *((intOrPtr*)( *_t76 + 0x48))); // executed
					 *(_t83 - 0xa8) = _t49 & 0x0000ffff;
					_t52 = E004038F3( *_t76, _t83 - 0x34); // executed
					 *(_t83 - 4) = 2;
					lstrcpyA(_t83 - 0x10c, L0040BC37(_t52));
					 *(_t83 - 4) = 0;
					L0040125C(_t83 - 0x34);
					_t78 =  *_t76;
					_t57 =  *((intOrPtr*)( *_t76 + 0x48));
					_t89 = _t57 - 0x409;
					if(_t57 != 0x409) {
						 *((short*)(_t83 - 0x38)) = _t57;
					}
					E0044A0C0(_t89,  *((intOrPtr*)(_t78 + 0x90)), _t83 - 0x174);
				}
				 *(_t83 - 4) =  *(_t83 - 4) | 0xffffffff;
				_t37 = L0040125C(_t83 + 0xc);
				 *[fs:0x0] =  *((intOrPtr*)(_t83 - 0xc));
				return _t37;
			}

0x00406e61
0x00406e6e
0x00406e70
0x00406e74
0x00406e77
0x00406e7d
0x00406e87
0x00406e90
0x00406e91
0x00406e92
0x00406e98
0x00406e9e
0x00406ea8
0x00406eae
0x00406eb1
0x00406eb8
0x00406ebc
0x00406ec3
0x00406eda
0x00406edf
0x00406ee2
0x00406ef7
0x00406f00
0x00406f0a
0x00406f14
0x00406f1b
0x00406f2c
0x00406f31
0x00406f34
0x00406f39
0x00406f3c
0x00406f40
0x00406f44
0x00406f46
0x00406f46
0x00406f58
0x00406f5e
0x00406f5f
0x00406f66
0x00406f70
0x00406f78

APIs

__EH_prolog.LIBCMT ref: 00406E61
lstrcpyA.KERNEL32(?,00000000,?,?,00000000), ref: 00406EF7

Part of subcall function 00403A98: __EH_prolog.LIBCMT ref: 00403A9D

lstrcpyA.KERNEL32(?,00000000,?,?,?,?,00000000), ref: 00406F2C
lstrcpyA.KERNEL32(?,00000000,?,00000000,?,?,00000000), ref: 00406EDA

Part of subcall function 0040125C: __EH_prolog.LIBCMT ref: 00401261
Part of subcall function 0040125C: GetLastError.KERNEL32(000004B1,00000000,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 00401284
Part of subcall function 0040125C: SysFreeString.OLEAUT32(?), ref: 004012A2
Part of subcall function 0040125C: SetLastError.KERNEL32(?,00000001,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 004012C2

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: H_prologlstrcpy$ErrorLast$FreeString
String ID:
API String ID: 3125050175-0
Opcode ID: 40dcaf636c6556c8a853eae9585d5f4708da92a0888ed81ad386398ad880271b
Instruction ID: 708b0b27f3365891cb7c7898a508e94cf4c042a00b4af14a54addc5990d945ff
Opcode Fuzzy Hash: 40dcaf636c6556c8a853eae9585d5f4708da92a0888ed81ad386398ad880271b
Instruction Fuzzy Hash: B431A276901258EECB00EBA5D880ADDBBB8AF55304F5041AFE149B3281DB785E44CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0041B2AC Relevance: 6.1, APIs: 4, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0041B2AC(int __ecx, void* __eflags, short* _a4, short* _a8, int _a12) {
				void* _v16;
				int _t26;
				char* _t31;
				int _t34;
				char* _t41;
				char* _t43;
				int _t47;
				char* _t48;

				_t44 = __ecx;
				_t26 = L0041B429();
				if(_t26 != 1) {
					_t47 = _a12;
					_t43 = 0;
					if(_a4 != 0) {
						_t9 = _t47 + 2; // 0x3
						L0043B9F0(_t47 + _t9 + 0x00000003 & 0x000000fc, __ecx);
						_t31 = _t48;
						_t11 = _t47 + 2; // 0x3
						_t44 = _t47 + _t11;
						_a12 = _t31;
						 *_t31 = 0;
						WideCharToMultiByte(0, 0, _a4, _t47, _t31, _t47 + _t11, 0, 0);
					} else {
						_a12 = 0;
					}
					if(_a8 != _t43) {
						_t18 = _t47 + 2; // 0x3
						L0043B9F0(_t47 + _t18 + 0x00000003 & 0x000000fc, _t44);
						_t41 = _t48;
						_t20 = _t47 + 2; // 0x3
						_a4 = _t41;
						 *_t41 = _t43;
						WideCharToMultiByte(_t43, _t43, _a8, _t47, _t41, _t47 + _t20, _t43, _t43);
						_t43 = _a4;
					}
					_t34 = CompareStringA(0x400, 1, _a12, _t47, _t43, _t47);
				} else {
					_t34 = CompareStringW(0x400, _t26, _a4, _a12, _a8, _a12); // executed
				}
				return _t34;
			}

0x0041b2ac
0x0041b2b2
0x0041b2ba
0x0041b2d9
0x0041b2e2
0x0041b2e7
0x0041b2ee
0x0041b2f7
0x0041b2fc
0x0041b2ff
0x0041b2ff
0x0041b307
0x0041b30d
0x0041b311
0x0041b2e9
0x0041b2e9
0x0041b2e9
0x0041b31c
0x0041b31e
0x0041b327
0x0041b32c
0x0041b32f
0x0041b337
0x0041b33d
0x0041b341
0x0041b343
0x0041b343
0x0041b353
0x0041b2bc
0x0041b2ce
0x0041b2ce
0x0041b362

APIs

Part of subcall function 0041B429: GetVersionExW.KERNEL32(?), ref: 0041B44C

CompareStringW.KERNEL32(00000400,00000000,?,00000001,?,00000001,?,00000001,?,?,0041A96B,00000000,?,?,?,0041AA36), ref: 0041B2CE
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,00000003,00000000,00000000,?,00000003,00000000,00000000,?,00000001,?), ref: 0041B341
CompareStringA.KERNEL32(00000400,00000001,00000001,00000001,00000000,00000001,?,00000003,00000000,00000000,?,00000001,?,?,0041A96B,00000000), ref: 0041B353

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: CompareString$ByteCharMultiVersionWide
String ID:
API String ID: 3684582312-0
Opcode ID: 0cb4479359b318af8f162743d836347117147e854c504fd11fcb1472007bfd38
Instruction ID: 0417fa54efcc001bdad72132d07e6c470b2d6308a60863fbddc3ffbd8655e376
Opcode Fuzzy Hash: 0cb4479359b318af8f162743d836347117147e854c504fd11fcb1472007bfd38
Instruction Fuzzy Hash: 4A2138B250024DBFEB119F95CC85DEB7B6CFF09358B00881AFA1686211D371DA64CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 00415F23 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00415F23(intOrPtr __ecx, void* __eflags) {
				void* __edi;
				void* _t71;
				void* _t79;
				void* _t87;
				void* _t91;
				void* _t92;
				intOrPtr _t110;
				intOrPtr* _t111;
				void* _t117;
				intOrPtr* _t118;
				intOrPtr _t130;
				intOrPtr* _t134;
				void* _t135;
				void* _t137;
				intOrPtr _t138;
				intOrPtr* _t140;
				intOrPtr* _t141;

				L0043B644(0x461470, _t135);
				_t138 = _t137 - 0xd0;
				_t130 = __ecx;
				E004066BD( *((intOrPtr*)(__ecx + 0x25c)), _t135 - 0x3c);
				 *(_t135 - 4) =  *(_t135 - 4) & 0x00000000;
				_t143 =  *((intOrPtr*)(_t135 - 0x30));
				if( *((intOrPtr*)(_t135 - 0x30)) != 0) {
					_t134 = _t130 + 4;
					 *((intOrPtr*)(_t135 - 0x10)) =  *((intOrPtr*)( *((intOrPtr*)(_t130 + 4)) + 0x2c))();
					 *(_t135 - 4) = 1;
					L00447DA0(_t130, _t65 + 0x90);
					 *(_t135 - 4) =  *(_t135 - 4) & 0x00000000;
					_t71 = E004083DD( *((intOrPtr*)( *_t134 + 0x2c))(), _t135 - 0xdc);
					 *(_t135 - 4) = 2;
					_push(_t135 - 0x3c);
					_push(_t135 - 0x64);
					L00405670(_t71, _t143);
					 *(_t135 - 4) = 4;
					L0040125C(_t135 - 0xdc);
					_t110 =  *((intOrPtr*)(_t130 + 0x25c));
					_t144 =  *((char*)(_t110 + 3));
					if( *((char*)(_t110 + 3)) == 0) {
						_t140 = _t138 - 0x28;
						 *((intOrPtr*)(_t135 - 0x10)) = _t140;
						_t111 = _t140;
						 *_t111 = 0x46757c;
						 *((intOrPtr*)(_t111 + 0x20)) = 0x467574;
						L00401CDD(_t111);
						 *(_t135 - 4) = 7;
						_t79 = E00404705( *((intOrPtr*)( *_t134 + 0x2c))(_t135 - 0x64, 0), _t135 - 0x8c);
						_t138 = _t140 - 0x28;
						 *((intOrPtr*)(_t135 - 0x14)) = _t138;
						_push(_t135 - 0x3c);
						_push(_t138);
						 *(_t135 - 4) = 8;
						L00405670(_t79, __eflags);
						 *(_t135 - 4) = 9;
						E00416E73(_t130, _t135 - 0x3c, __eflags); // executed
						 *(_t135 - 4) = 4;
						_t117 = _t135 - 0x8c;
					} else {
						_t91 = E00404705(_t110, _t135 - 0x8c);
						 *(_t135 - 4) = 5;
						_push(_t135 - 0x3c);
						_t25 = _t135 - 0xb4; // 0x46757c
						_t92 = L00405670(_t91, _t144);
						 *(_t135 - 4) = 6;
						L00401A1E(_t135 - 0x64, _t92);
						_t28 = _t135 - 0xb4; // 0x46757c
						 *(_t135 - 4) = 5;
						L0040125C(_t28);
						 *(_t135 - 4) = 4;
						_t117 = _t135 - 0x8c;
					}
					L0040125C(_t117);
					_t141 = _t138 - 0x28;
					 *((intOrPtr*)(_t135 - 0x14)) = _t141;
					_t118 = _t141;
					 *_t118 = 0x46757c;
					 *((intOrPtr*)(_t118 + 0x20)) = 0x467574;
					L00401CDD(_t118);
					 *(_t135 - 4) = 0xa;
					_t87 = L004037B9(_t135 - 0x10,  *((intOrPtr*)( *_t134 + 0x2c))(_t135 - 0x64, 0));
					 *(_t135 - 4) = 0xc;
					E004160D4(_t87); // executed
					 *(_t135 - 4) =  *(_t135 - 4) & 0x00000000;
					L0040125C(_t135 - 0x64);
				}
				 *(_t135 - 4) =  *(_t135 - 4) | 0xffffffff;
				L0040125C(_t135 - 0x3c);
				 *[fs:0x0] =  *((intOrPtr*)(_t135 - 0xc));
				return 0;
			}

0x00415f28
0x00415f2d
0x00415f36
0x00415f42
0x00415f47
0x00415f4b
0x00415f4f
0x00415f58
0x00415f60
0x00415f68
0x00415f6d
0x00415f72
0x00415f87
0x00415f8f
0x00415f93
0x00415f97
0x00415f9a
0x00415fa5
0x00415fa9
0x00415fae
0x00415fb9
0x00415fbd
0x00416009
0x0041600f
0x00416012
0x00416017
0x0041601d
0x00416020
0x00416030
0x00416039
0x0041603e
0x00416046
0x00416049
0x0041604a
0x0041604d
0x00416051
0x00416058
0x0041605c
0x00416061
0x00416065
0x00415fbf
0x00415fc6
0x00415fce
0x00415fd2
0x00415fd3
0x00415fdc
0x00415fe5
0x00415fe9
0x00415fee
0x00415ff4
0x00415ff8
0x00415ffd
0x00416001
0x00416001
0x0041606b
0x00416070
0x00416076
0x00416079
0x0041607e
0x00416084
0x00416087
0x00416090
0x0041609b
0x004160a2
0x004160a6
0x004160ab
0x004160b2
0x004160b2
0x004160b7
0x004160be
0x004160ca
0x004160d3

APIs

__EH_prolog.LIBCMT ref: 00415F28

Part of subcall function 00405670: __EH_prolog.LIBCMT ref: 00405675

Part of subcall function 0040125C: __EH_prolog.LIBCMT ref: 00401261
Part of subcall function 0040125C: GetLastError.KERNEL32(000004B1,00000000,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 00401284
Part of subcall function 0040125C: SysFreeString.OLEAUT32(?), ref: 004012A2
Part of subcall function 0040125C: SetLastError.KERNEL32(?,00000001,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 004012C2

Strings

tuF, xrefs: 00415FB4
|uF, xrefs: 00415FD3, 00415FEE, 00415FD9

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: H_prolog$ErrorLast$FreeString
String ID: tuF$|uF
API String ID: 3733137895-3059473046
Opcode ID: 5a27d26f213892b5daf966cd68a190c8a0a26ee40dc46593f2a023ce91abdf82
Instruction ID: 13f1e4c2682a55ef252444182e60fb83bd2f1aa6585bfbb5a60ace9f9a789a83
Opcode Fuzzy Hash: 5a27d26f213892b5daf966cd68a190c8a0a26ee40dc46593f2a023ce91abdf82
Instruction Fuzzy Hash: 79518470D05248EBDB04EBB5C945BDDBBB4AF58304F10419EE44AB32D2DB785B08CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040D482 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E0040D482(intOrPtr __ecx, void* __eflags) {
				void* _t69;
				void* _t71;
				void* _t76;
				void* _t78;
				void* _t83;
				void* _t87;
				intOrPtr* _t95;
				intOrPtr* _t96;
				intOrPtr* _t97;
				intOrPtr* _t98;
				char* _t116;
				intOrPtr _t119;
				void* _t121;

				L0043B644(E0046023F, _t121);
				_t119 = __ecx;
				_push(0);
				 *((intOrPtr*)(__ecx + 0x10)) = 0;
				 *((intOrPtr*)(__ecx + 8)) = 0;
				 *((intOrPtr*)(__ecx + 0xc)) = 0;
				 *((intOrPtr*)(__ecx + 0x14)) = 0;
				_t95 = __ecx + 0x24;
				_push(_t121 - 0xd);
				 *((intOrPtr*)(_t121 - 0x14)) = __ecx;
				 *_t95 = 0x46757c;
				 *((intOrPtr*)(_t95 + 0x20)) = 0x467574;
				L00401C68(_t95);
				_t9 = _t121 - 4;
				 *_t9 =  *(_t121 - 4) & 0x00000000;
				_t129 =  *_t9;
				_t96 = __ecx + 0x4c;
				_push(0);
				_push(_t121 - 0xe);
				 *_t96 = 0x46757c;
				 *((intOrPtr*)(_t96 + 0x20)) = 0x467574;
				L00401C68(_t96);
				_t97 = __ecx + 0x74;
				_push(0);
				_push(_t121 - 0xd);
				 *(_t121 - 4) = 1;
				 *_t97 = 0x46757c;
				 *((intOrPtr*)(_t97 + 0x20)) = 0x467574;
				L00401C68(_t97);
				_t98 = __ecx + 0x9c;
				_push(0);
				_push(_t121 - 0xe);
				 *(_t121 - 4) = 2;
				 *_t98 = 0x46757c;
				 *((intOrPtr*)(_t98 + 0x20)) = 0x467574;
				L00401C68(_t98);
				 *(_t121 - 4) = 3;
				 *((intOrPtr*)(__ecx + 0xc4)) =  *((intOrPtr*)(_t121 + 8));
				 *((intOrPtr*)(__ecx)) = 0x4675fc; // executed
				_t69 = E00403E82( *((intOrPtr*)(_t121 + 8)),  *_t9, _t121 - 0x64, 0x64f); // executed
				_t116 = " ";
				 *(_t121 - 4) = 4;
				_push(_t116);
				_push(_t69);
				_push(_t121 - 0x3c);
				_t71 = L00405EDE( *_t9);
				 *(_t121 - 4) = 5;
				L00401A1E(_t119 + 0x24, _t71);
				 *(_t121 - 4) = 4;
				L0040125C(_t121 - 0x3c);
				 *(_t121 - 4) = 3;
				L0040125C(_t121 - 0x64);
				_t76 = E00403E82( *((intOrPtr*)(_t119 + 0xc4)),  *_t9, _t121 - 0x3c, 0x650); // executed
				_push(_t116);
				_push(_t76);
				 *(_t121 - 4) = 6;
				_push(_t121 - 0x64);
				_t78 = L00405EDE(_t129);
				 *(_t121 - 4) = 7;
				L00401A1E(_t119 + 0x4c, _t78);
				 *(_t121 - 4) = 6;
				L0040125C(_t121 - 0x64);
				 *(_t121 - 4) = 3;
				L0040125C(_t121 - 0x3c);
				_t83 = E00403E82( *((intOrPtr*)(_t119 + 0xc4)), _t129, _t121 - 0x64, 0x651); // executed
				 *(_t121 - 4) = 8;
				L00401A1E(_t119 + 0x74, _t83);
				 *(_t121 - 4) = 3;
				L0040125C(_t121 - 0x64);
				_t87 = E00403E82( *((intOrPtr*)(_t119 + 0xc4)), _t129, _t121 - 0x64, 0x656); // executed
				 *(_t121 - 4) = 9;
				L00401A1E(_t119 + 0x9c, _t87);
				 *(_t121 - 4) = 3;
				L0040125C(_t121 - 0x64);
				 *[fs:0x0] =  *((intOrPtr*)(_t121 - 0xc));
				return _t119;
			}

0x0040d487
0x0040d491
0x0040d496
0x0040d497
0x0040d49a
0x0040d49d
0x0040d4a0
0x0040d4a3
0x0040d4b3
0x0040d4b4
0x0040d4b7
0x0040d4b9
0x0040d4bc
0x0040d4c1
0x0040d4c1
0x0040d4c1
0x0040d4c5
0x0040d4cb
0x0040d4cd
0x0040d4ce
0x0040d4d0
0x0040d4d3
0x0040d4d8
0x0040d4de
0x0040d4e0
0x0040d4e1
0x0040d4e5
0x0040d4e7
0x0040d4ea
0x0040d4ef
0x0040d4f8
0x0040d4fa
0x0040d4fb
0x0040d4ff
0x0040d501
0x0040d504
0x0040d515
0x0040d519
0x0040d51f
0x0040d525
0x0040d52a
0x0040d52f
0x0040d533
0x0040d534
0x0040d538
0x0040d539
0x0040d545
0x0040d549
0x0040d551
0x0040d555
0x0040d55d
0x0040d561
0x0040d575
0x0040d57a
0x0040d57b
0x0040d57f
0x0040d583
0x0040d584
0x0040d590
0x0040d594
0x0040d59c
0x0040d5a0
0x0040d5a8
0x0040d5ac
0x0040d5c0
0x0040d5c9
0x0040d5cd
0x0040d5d5
0x0040d5d9
0x0040d5ed
0x0040d5f9
0x0040d5fd
0x0040d605
0x0040d609
0x0040d616
0x0040d61e

APIs

__EH_prolog.LIBCMT ref: 0040D487

Part of subcall function 00401C68: __EH_prolog.LIBCMT ref: 00401C6D
Part of subcall function 00401C68: GetLastError.KERNEL32(00467574,00000000,0046757C,?,0040E781,?,00000000,?,00000000), ref: 00401C96
Part of subcall function 00401C68: SetLastError.KERNEL32(?,00000000,?,0040E781,?,00000000,?,00000000), ref: 00401CC4

Part of subcall function 00403E82: __EH_prolog.LIBCMT ref: 00403E87

Part of subcall function 00405EDE: __EH_prolog.LIBCMT ref: 00405EE3

Part of subcall function 0040125C: __EH_prolog.LIBCMT ref: 00401261
Part of subcall function 0040125C: GetLastError.KERNEL32(000004B1,00000000,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 00401284
Part of subcall function 0040125C: SysFreeString.OLEAUT32(?), ref: 004012A2
Part of subcall function 0040125C: SetLastError.KERNEL32(?,00000001,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 004012C2

Strings

|uF, xrefs: 0040D4A9
tuF, xrefs: 0040D4AE

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: H_prolog$ErrorLast$FreeString
String ID: tuF$|uF
API String ID: 3733137895-3059473046
Opcode ID: 0fcdde0997c0f5321b73072e7c884049a04ae0321b6855c92d7303af04e473d8
Instruction ID: e06b1086e0edd09354d7852d54d618ac7ff038625fca686a6c7c5c531a66c9ec
Opcode Fuzzy Hash: 0fcdde0997c0f5321b73072e7c884049a04ae0321b6855c92d7303af04e473d8
Instruction Fuzzy Hash: AD51A170D01348EED701EFA5C585B8EBBF8AF54308F1045AEE54AB7281DB786708CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0042A90D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 99
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0042A90D(signed int* __ecx, void* __eflags) {
				signed int _t69;
				void* _t78;
				signed int* _t83;
				signed int* _t84;
				signed int* _t85;
				signed int* _t86;
				signed int* _t87;
				void* _t96;
				intOrPtr* _t98;
				void* _t100;
				signed int* _t101;
				void* _t103;

				L0043B644(0x463601, _t103);
				_t101 = __ecx;
				 *__ecx =  *__ecx & 0x00000000;
				__ecx[1] =  *(_t103 + 8);
				_t83 =  &(__ecx[2]);
				 *((intOrPtr*)(_t103 - 0x14)) = __ecx;
				 *_t83 = 0x46757c;
				_t83[8] = 0x467574;
				L00401C68(_t83);
				 *(_t103 - 4) =  *(_t103 - 4) & 0x00000000;
				_t84 =  &(__ecx[0xc]);
				 *_t84 = 0x46757c;
				_t84[8] = 0x467574;
				L00401C68(_t84);
				_t85 =  &(__ecx[0x16]);
				 *(_t103 - 4) = 1;
				 *_t85 = 0x46757c;
				_t85[8] = 0x467574;
				L00401C68(_t85);
				_t86 =  &(__ecx[0x20]);
				 *(_t103 - 4) = 2;
				 *_t86 = 0x46757c;
				_t86[8] = 0x467574;
				L00401C68(_t86);
				_t87 =  &(__ecx[0x2a]);
				 *(_t103 - 4) = 3;
				 *_t87 = 0x46757c;
				_t87[8] = 0x467574;
				L00401C68(_t87);
				__ecx[0x36] = __ecx[0x36] & 0;
				 *(_t103 - 4) = 4;
				_t98 =  *(_t103 + 8) + 4;
				 *(_t103 + 8) =  *(E004066BD( *((intOrPtr*)( *_t98 + 0x2c))(_t103 - 0xd, 0, _t103 - 0xe, 0, _t103 - 0xd, 0, _t103 - 0xe, 0, _t103 - 0xd, 0, _t96, _t100, _t78), _t103 - 0x3c) + 0xc);
				_t69 = L0040125C(_t103 - 0x3c);
				_t36 =  *(_t103 + 8) != 0;
				 *((char*)(_t101 + 0xd9)) = _t69 & 0xffffff00 |  *(_t103 + 8) != 0x00000000;
				 *((intOrPtr*)(_t101 + 0xdc)) = 0;
				 *((intOrPtr*)(_t101 + 0xe0)) = 0;
				 *(_t103 - 4) = 6;
				E0042AA47(_t101 + 0xe4, _t36); // executed
				 *(_t103 - 4) = 7;
				_push( *((intOrPtr*)( *((intOrPtr*)( *_t98 + 0x2c))(_t101) + 0x16)));
				_push(_t101);
				E0042AB7A(_t101 + 0x154);
				_push(_t101);
				 *(_t103 - 4) = 8;
				L0042ABF3(_t101 + 0x1c4, _t36);
				 *((intOrPtr*)(_t101 + 0x230)) = 0;
				 *[fs:0x0] =  *((intOrPtr*)(_t103 - 0xc));
				return _t101;
			}

0x0042a912
0x0042a91f
0x0042a927
0x0042a92a
0x0042a92d
0x0042a93b
0x0042a93e
0x0042a940
0x0042a943
0x0042a948
0x0042a94c
0x0042a955
0x0042a957
0x0042a95a
0x0042a95f
0x0042a968
0x0042a96c
0x0042a96e
0x0042a971
0x0042a976
0x0042a982
0x0042a986
0x0042a988
0x0042a98b
0x0042a990
0x0042a999
0x0042a99d
0x0042a9a3
0x0042a9a6
0x0042a9ae
0x0042a9b4
0x0042a9b8
0x0042a9d3
0x0042a9d6
0x0042a9de
0x0042a9e1
0x0042a9e7
0x0042a9ed
0x0042a9fa
0x0042a9fe
0x0042aa07
0x0042aa17
0x0042aa18
0x0042aa19
0x0042aa1e
0x0042aa25
0x0042aa29
0x0042aa31
0x0042aa3c
0x0042aa44

APIs

__EH_prolog.LIBCMT ref: 0042A912

Part of subcall function 00401C68: __EH_prolog.LIBCMT ref: 00401C6D
Part of subcall function 00401C68: GetLastError.KERNEL32(00467574,00000000,0046757C,?,0040E781,?,00000000,?,00000000), ref: 00401C96
Part of subcall function 00401C68: SetLastError.KERNEL32(?,00000000,?,0040E781,?,00000000,?,00000000), ref: 00401CC4

Part of subcall function 0040125C: __EH_prolog.LIBCMT ref: 00401261
Part of subcall function 0040125C: GetLastError.KERNEL32(000004B1,00000000,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 00401284
Part of subcall function 0040125C: SysFreeString.OLEAUT32(?), ref: 004012A2
Part of subcall function 0040125C: SetLastError.KERNEL32(?,00000001,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 004012C2

Part of subcall function 0042AA47: __EH_prolog.LIBCMT ref: 0042AA4C

Part of subcall function 0042AB7A: __EH_prolog.LIBCMT ref: 0042AB7F

Part of subcall function 0042ABF3: __EH_prolog.LIBCMT ref: 0042ABF8

Strings

|uF, xrefs: 0042A922
tuF, xrefs: 0042A933

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: H_prolog$ErrorLast$FreeString
String ID: tuF$|uF
API String ID: 3733137895-3059473046
Opcode ID: 634066d6cb29ec5f05fb16ea930d9ff33cfe42f2c6e16417e559f606d756abbc
Instruction ID: f8b0c0304cdfdf50f10b2e779b4a2d3f18c82cc062b1f32fd2f400dc6db9bd23
Opcode Fuzzy Hash: 634066d6cb29ec5f05fb16ea930d9ff33cfe42f2c6e16417e559f606d756abbc
Instruction Fuzzy Hash: DB4160B1901244EFD711DF69C484BDDBBF8BF19308F1084AEE44AAB291D774A609CB55

Uniqueness

Uniqueness Score: -1.00%

Function 004195E7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E004195E7(void* __ecx, void* __eflags) {
				void* _t49;
				signed int _t61;
				void* _t62;
				signed int _t67;
				void* _t70;
				void* _t92;
				intOrPtr* _t94;
				void* _t96;

				_t101 = __eflags;
				L0043B644(0x461c99, _t96);
				L00412E5D(_t96 - 0x5c, __eflags);
				_t94 = __ecx + 4;
				 *(_t96 - 4) = 0;
				_t49 = L00403789( *((intOrPtr*)( *_t94 + 0x2c))(_t92, _t70), _t96 - 0xac);
				_push(0);
				_push(_t49);
				 *(_t96 - 4) = 1;
				 *((intOrPtr*)(_t96 - 0x84)) = 0x4675a0;
				 *((intOrPtr*)(_t96 - 0x64)) = 0x467598;
				L00401CDD(_t96 - 0x84);
				 *(_t96 - 4) = 2;
				E00412F07(_t96 - 0x5c, _t101, _t96 - 0x84, 0x80000000, 1, 0x80, 3, 0, 0); // executed
				 *(_t96 - 4) = 1;
				L0040125C(_t96 - 0x84);
				 *(_t96 - 4) = 0;
				L0040125C(_t96 - 0xac);
				 *((intOrPtr*)(_t96 - 0x14)) = 0;
				 *((intOrPtr*)(_t96 - 0x18)) = L004139D8(_t96 - 0x5c, _t96 - 0x14);
				if( *((intOrPtr*)(_t96 - 0x14)) == 0) {
					_t61 =  *(L00403789( *((intOrPtr*)( *_t94 + 0x2c))(), _t96 - 0xac) + 8);
					 *(_t96 - 4) = 4;
					__eflags = _t61;
					if(_t61 == 0) {
						_t61 = 0x467570;
					}
					_push(1);
					_push(_t61); // executed
					_t62 = E00418ED1(); // executed
					__eflags =  *((intOrPtr*)(_t96 - 0x18)) - _t62 + 0xc800;
					 *(_t96 - 4) = 0;
					 *((char*)(_t96 - 0xd)) =  *((intOrPtr*)(_t96 - 0x18)) - _t62 + 0xc800 > 0;
					L0040125C(_t96 - 0xac);
					 *((intOrPtr*)(_t96 - 0x5c)) = 0x467ef8;
					 *(_t96 - 4) = 5;
					E004134DD(_t96 - 0x5c);
					_t38 = _t96 - 4;
					 *_t38 =  *(_t96 - 4) | 0xffffffff;
					__eflags =  *_t38;
					L0040125C(_t96 - 0x50);
					_t67 =  *((intOrPtr*)(_t96 - 0xd));
				} else {
					 *((intOrPtr*)(_t96 - 0x5c)) = 0x467ef8;
					 *(_t96 - 4) = 3;
					E004134DD(_t96 - 0x5c);
					 *(_t96 - 4) =  *(_t96 - 4) | 0xffffffff;
					L0040125C(_t96 - 0x50);
					_t67 = 1;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t96 - 0xc));
				return _t67;
			}

0x004195e7
0x004195ec
0x004195fe
0x00419603
0x00419613
0x0041961b
0x00419620
0x00419621
0x00419628
0x0041962c
0x00419636
0x0041963d
0x0041965c
0x00419660
0x0041966b
0x0041966f
0x0041967a
0x0041967d
0x00419689
0x00419694
0x00419697
0x004196d4
0x004196d7
0x004196db
0x004196dd
0x004196df
0x004196df
0x004196e4
0x004196e6
0x004196e7
0x004196f2
0x004196fc
0x004196ff
0x00419703
0x00419708
0x00419712
0x00419719
0x0041971e
0x0041971e
0x0041971e
0x00419725
0x0041972a
0x00419699
0x00419699
0x004196a3
0x004196aa
0x004196af
0x004196b6
0x004196bb
0x004196bb
0x00419732
0x0041973a

APIs

__EH_prolog.LIBCMT ref: 004195EC

Part of subcall function 00412E5D: __EH_prolog.LIBCMT ref: 00412E62

Part of subcall function 00401CDD: __EH_prolog.LIBCMT ref: 00401CE2
Part of subcall function 00401CDD: GetLastError.KERNEL32(00467574,00000000,0046757C,?,004021DC,?,00000000,00000000,00000000,?,00000000), ref: 00401D0A
Part of subcall function 00401CDD: SetLastError.KERNEL32(?,00000000,00000000,00000000,?,004021DC,?,00000000,00000000,00000000,?,00000000), ref: 00401D57

Part of subcall function 00412F07: __EH_prolog.LIBCMT ref: 00412F0C
Part of subcall function 00412F07: GetLastError.KERNEL32(?,00000000,80400100,?,00000000,004675A0,00467598,00000000,?,?,?,?,?,?,?,0046757C), ref: 00412FC3

Part of subcall function 0040125C: __EH_prolog.LIBCMT ref: 00401261
Part of subcall function 0040125C: GetLastError.KERNEL32(000004B1,00000000,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 00401284
Part of subcall function 0040125C: SysFreeString.OLEAUT32(?), ref: 004012A2
Part of subcall function 0040125C: SetLastError.KERNEL32(?,00000001,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 004012C2

Part of subcall function 004139D8: GetFileSize.KERNEL32(?,?,?), ref: 00413A23
Part of subcall function 004139D8: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,tuF,00413675), ref: 00413A30

Part of subcall function 004134DD: InterlockedDecrement.KERNEL32(?), ref: 004134EE
Part of subcall function 004134DD: FindCloseChangeNotification.KERNELBASE(?), ref: 00413516

Strings

puF, xrefs: 004196DF
_:A, xrefs: 00419699, 00419708

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorLast$H_prolog$ChangeCloseDecrementFileFindFreeInterlockedNotificationSizeString
String ID: _:A$puF
API String ID: 588754536-1054157373
Opcode ID: bec6abff5d15d1e871d7b05194b092c7dd6f06034be92a854bf45baaf2b492c8
Instruction ID: d68397c9cecf56ec7281c5ae3b07c5b7ad270464e67ade52fcdefaf5b7cce1f8
Opcode Fuzzy Hash: bec6abff5d15d1e871d7b05194b092c7dd6f06034be92a854bf45baaf2b492c8
Instruction Fuzzy Hash: DC419F74D00248DEDB10EFA4C981BDDBBB8AF14308F1080AFE456B7291EB785B48CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00408647 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76
windowCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00408647(void* __ecx, void* __eflags) {
				intOrPtr _t26;
				char _t29;
				struct HWND__* _t32;
				long _t33;
				void* _t50;
				void* _t55;
				void* _t57;
				intOrPtr _t66;
				intOrPtr _t67;
				intOrPtr _t69;

				L0043B644(0x45f9e4, _t55);
				_t50 = __ecx;
				 *((intOrPtr*)(_t55 - 0x10)) = _t57 - 0x10;
				 *((intOrPtr*)(_t55 - 0x18)) = __ecx;
				 *((char*)(_t55 - 0x11)) = 1;
				if(E00408729( *((intOrPtr*)(_t55 + 8))) == 0) {
					E004087CC(__ecx, 1);
				}
				_t26 =  *0x47e1d4; // 0x2380b70
				 *(_t55 - 4) = 0;
				 *((intOrPtr*)(_t55 - 0x1c)) = _t26;
				 *(_t55 - 4) = 1;
				if( *((intOrPtr*)(_t26 + 1)) != 0 ||  *((intOrPtr*)(_t26 + 2)) != 0) {
					__eflags = 0;
				} else {
					_push(1);
					_pop(0);
				}
				_t28 =  *((intOrPtr*)( *((intOrPtr*)(_t55 + 0xc)) + 8));
				if( *((intOrPtr*)( *((intOrPtr*)(_t55 + 0xc)) + 8)) == 0) {
					_t28 = 0x4675e4;
				}
				_t29 = E0041F2B3( *((intOrPtr*)(_t55 + 8)), _t28, 0xbadbad);
				_t66 =  *0x47e1d1; // 0x0
				 *((char*)(_t55 - 0x11)) = _t29;
				 *(_t55 - 4) = 0;
				if(_t66 == 0) {
					L12:
					_t69 =  *0x47e1d0; // 0x0
					if(_t69 == 0) {
						goto L14;
					}
					goto L13;
				} else {
					_t67 =  *0x47e1d0; // 0x0
					if(_t67 != 0) {
						L13:
						 *((char*)(_t55 - 0x11)) = 0;
						L14:
						 *(_t55 - 4) =  *(_t55 - 4) | 0xffffffff;
						E004087CC( *((intOrPtr*)(_t55 - 0x18)), 0);
						 *[fs:0x0] =  *((intOrPtr*)(_t55 - 0xc));
						return  *((intOrPtr*)(_t55 - 0x11));
					}
					_t32 = E0040A374(_t50);
					_t54 = _t32;
					_t33 = SendMessageW(_t32, 0x111, 5, 0);
					_t68 = _t33 - 2;
					if(_t33 == 2) {
						E0040A4B6(_t50, _t68, _t54);
					}
					goto L12;
				}
			}

0x0040864c
0x00408657
0x0040865c
0x0040865f
0x00408662
0x0040866d
0x00408673
0x00408673
0x00408678
0x0040867f
0x00408682
0x00408688
0x0040868c
0x00408698
0x00408693
0x00408693
0x00408695
0x00408695
0x0040869d
0x004086a2
0x004086a4
0x004086a4
0x004086b3
0x004086b8
0x004086be
0x004086c1
0x004086c4
0x004086f3
0x004086f3
0x004086f9
0x00000000
0x00000000
0x00000000
0x004086c6
0x004086c6
0x004086cc
0x004086fb
0x004086fb
0x00408708
0x0040870b
0x00408710
0x0040871d
0x00408726
0x00408726
0x004086d0
0x004086d6
0x004086e0
0x004086e6
0x004086e9
0x004086ee
0x004086ee
0x00000000
0x004086e9

APIs

__EH_prolog.LIBCMT ref: 0040864C
SendMessageW.USER32(00000000,00000111,00000005,00000000), ref: 004086E0

Part of subcall function 004087CC: __EH_prolog.LIBCMT ref: 004087D1
Part of subcall function 004087CC: GetVersionExW.KERNEL32(?,?,?,00000000), ref: 00408809

Strings

uF, xrefs: 004086A4

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: H_prolog$MessageSendVersion
String ID: uF
API String ID: 1256566577-700906890
Opcode ID: c89de3c9ebfe07ecd4188e5ffdd7743a5639751925580d5fac33425d59f55155
Instruction ID: 06bd5bc2f7af27da3f9b9159a276ec370900d0ffea61fd77cd678a16b7c316f6
Opcode Fuzzy Hash: c89de3c9ebfe07ecd4188e5ffdd7743a5639751925580d5fac33425d59f55155
Instruction Fuzzy Hash: 5B216870A44380AECB10DB698D52ABEBFA49B55304F1444BFE4C5B73C2CF794945870E

Uniqueness

Uniqueness Score: -1.00%

Function 00413763 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00413763(void* __ecx, long _a4, long _a8, LONG* _a12) {
				char _v76;
				char _v80;
				void* __ebp;
				long _t16;
				long _t18;
				intOrPtr* _t31;
				long _t35;

				_t36 = __ecx;
				_t31 =  *((intOrPtr*)(__ecx + 4));
				if(_t31 == 0) {
					L3:
					_t16 = SetFilePointer( *(_t36 + 8), _a4, _a12, _a8); // executed
					_t35 = _t16;
					if(_t35 == 0xffffffff) {
						if(_a12 == 0) {
							_t36 = _t36 + 0xc;
							_push(1);
							_push(_t36);
							L00413593( &_v76);
							L0043BD6A( &_v76, 0x46c528);
						}
						_t18 = GetLastError();
						if(_t18 != 0) {
							_push(1);
							_push(_t18);
							_push(_t36 + 0xc);
							L0041380C( &_v76);
							L0043BD6A( &_v76, 0x46c528);
						}
					}
					L8:
					return _t35;
				}
				_t35 =  *((intOrPtr*)( *_t31 + 0x14))(_a4, _a8);
				if(_t35 != 0xffffffff) {
					goto L8;
				} else {
					_t36 = __ecx + 0xc;
					_push(1);
					_push(_t36);
					L004138D3( &_v80);
					L0043BD6A( &_v80, 0x46c660);
					goto L3;
				}
			}

0x0041376a
0x0041376d
0x00413772
0x004137a2
0x004137ae
0x004137b4
0x004137b9
0x004137bf
0x004137c1
0x004137c4
0x004137c6
0x004137ca
0x004137d8
0x004137d8
0x004137dd
0x004137e5
0x004137e7
0x004137ec
0x004137ed
0x004137f1
0x004137ff
0x004137ff
0x004137e5
0x00413804
0x00413809
0x00413809
0x0041377f
0x00413784
0x00000000
0x00413786
0x00413786
0x00413789
0x0041378b
0x0041378f
0x0041379d
0x00000000
0x0041379d

APIs

SetFilePointer.KERNELBASE(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,tuF), ref: 004137AE
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,tuF,00413754,00000000,00000000,00000000,00000000), ref: 004137DD

Part of subcall function 004138D3: __EH_prolog.LIBCMT ref: 004138D8

Part of subcall function 0043BD6A: RaiseException.KERNEL32(0043B0A7,00000000,?,00468364,?,invalid string position,0043B0A7,00000000,00471E90,?,invalid string position), ref: 0043BD98

Strings

tuF, xrefs: 00413763

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorExceptionFileH_prologLastPointerRaise
String ID: tuF
API String ID: 2059662543-1632530568
Opcode ID: b96702390daf82ea2c26fc59f34b4ceb7c11144680396c8de86b431f5913a202
Instruction ID: 6e3088acd9cfe592abb8921c69d4ee08d6655cdbd155eb5f473bd032db56a6af
Opcode Fuzzy Hash: b96702390daf82ea2c26fc59f34b4ceb7c11144680396c8de86b431f5913a202
Instruction Fuzzy Hash: AE11E672A001046BDF10AFA5CC45FDE7BA9EF54715F04402BFD16A31E0E7749A818665

Uniqueness

Uniqueness Score: -1.00%

Function 004173CF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E004173CF(void* __ecx, void* __eflags) {
				void* _t18;
				WCHAR* _t20;
				int _t21;
				signed int _t24;
				void* _t25;
				int _t38;
				void* _t41;
				void* _t43;
				void* _t48;

				_t48 = __eflags;
				L0043B644(0x4617fc, _t43);
				_t41 = __ecx;
				_t18 = L00403789( *((intOrPtr*)( *((intOrPtr*)(__ecx + 4)) + 0x2c))(), _t43 - 0x5c);
				 *(_t43 - 4) =  *(_t43 - 4) & 0x00000000;
				_t20 =  *(E00402243(_t18, _t48, _t43 - 0x34, 0) + 8);
				if(_t20 == 0) {
					_t20 = 0x467570;
				}
				_t21 = GetDriveTypeW(_t20); // executed
				_t38 = _t21;
				L0040125C(_t43 - 0x34);
				 *(_t43 - 4) =  *(_t43 - 4) | 0xffffffff;
				L0040125C(_t43 - 0x5c);
				if(_t38 == 2 || _t38 == 5) {
					_t24 = 1;
				} else {
					if(_t38 == 3 || _t38 == 4) {
						L8:
						_t24 = 0;
					} else {
						_t54 = _t38 - 6;
						if(_t38 == 6) {
							goto L8;
						} else {
							_t25 = L00417238(_t41, _t54);
							asm("sbb eax, eax");
							_t24 =  ~( ~(_t25 - 1));
						}
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t43 - 0xc));
				return _t24;
			}

0x004173cf
0x004173d4
0x004173dd
0x004173ee
0x004173f3
0x00417404
0x00417409
0x0041740b
0x0041740b
0x00417411
0x0041741a
0x0041741c
0x00417421
0x00417428
0x00417430
0x0041745c
0x00417437
0x0041743a
0x00417458
0x00417458
0x00417441
0x00417441
0x00417444
0x00000000
0x00417446
0x00417448
0x00417452
0x00417454
0x00417454
0x00417444
0x0041743a
0x00417463
0x0041746b

APIs

__EH_prolog.LIBCMT ref: 004173D4

Part of subcall function 00402243: __EH_prolog.LIBCMT ref: 00402248

GetDriveTypeW.KERNELBASE(?,?,00000000), ref: 00417411

Strings

puF, xrefs: 0041740B

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: H_prolog$DriveType
String ID: puF
API String ID: 3998577009-1715984468
Opcode ID: fd815b2b0eb4f0e9223667e024f14dd22f29a0ff1c1d9b188d07eafb99f83276
Instruction ID: 6877b0ffcbbf646577cf0538b5cbacfdb4200890829125707292727a42a47d54
Opcode Fuzzy Hash: fd815b2b0eb4f0e9223667e024f14dd22f29a0ff1c1d9b188d07eafb99f83276
Instruction Fuzzy Hash: 9111E536B0410197CF24EBB8C445AED77B99B45304F10426FE417E72A0EF389A49C71D

Uniqueness

Uniqueness Score: -1.00%

Function 0041EB9B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E0041EB9B(void* __eflags) {
				void* _t46;
				signed char _t51;
				intOrPtr* _t52;
				void* _t54;
				void* _t56;
				void* _t61;

				_t61 = __eflags;
				L0043B644(E0046252F, _t54);
				 *(_t54 - 0x14) =  *(_t54 - 0x14) & 0x00000000;
				_t51 = 1;
				_push(0);
				_push(_t54 - 0xd);
				 *(_t54 - 4) = _t51;
				 *((intOrPtr*)(_t54 - 0x40)) = 0x46757c;
				 *((intOrPtr*)(_t54 - 0x20)) = 0x467574;
				L00401C68(_t54 - 0x40);
				_push(0);
				_push(_t54 + 0x34);
				_push(_t54 - 0x40);
				 *(_t54 - 4) = 2;
				 *((intOrPtr*)(_t54 - 0x18)) = _t56 - 0xc;
				L00401708(_t56 - 0xc, _t54 + 0xc, _t51); // executed
				E0041EC40(_t46, _t61); // executed
				_t52 =  *((intOrPtr*)(_t54 + 8));
				_push(0);
				_push(_t54 - 0x40);
				 *_t52 = 0x46757c;
				 *((intOrPtr*)(_t52 + 0x20)) = 0x467574;
				L00401CDD(_t52);
				 *(_t54 - 0x14) = 1;
				 *(_t54 - 4) = 1;
				L0040125C(_t54 - 0x40);
				 *(_t54 - 4) =  *(_t54 - 4) & 0x00000000;
				L0040125C(_t54 + 0xc);
				 *[fs:0x0] =  *((intOrPtr*)(_t54 - 0xc));
				return _t52;
			}

0x0041eb9b
0x0041eba0
0x0041eba8
0x0041ebb4
0x0041ebbf
0x0041ebc1
0x0041ebc5
0x0041ebc8
0x0041ebcb
0x0041ebce
0x0041ebd6
0x0041ebd8
0x0041ebdc
0x0041ebe3
0x0041ebe9
0x0041ebee
0x0041ebf3
0x0041ebf8
0x0041ec03
0x0041ec05
0x0041ec06
0x0041ec08
0x0041ec0b
0x0041ec10
0x0041ec1a
0x0041ec1e
0x0041ec23
0x0041ec2a
0x0041ec36
0x0041ec3f

APIs

__EH_prolog.LIBCMT ref: 0041EBA0

Part of subcall function 00401C68: __EH_prolog.LIBCMT ref: 00401C6D
Part of subcall function 00401C68: GetLastError.KERNEL32(00467574,00000000,0046757C,?,0040E781,?,00000000,?,00000000), ref: 00401C96
Part of subcall function 00401C68: SetLastError.KERNEL32(?,00000000,?,0040E781,?,00000000,?,00000000), ref: 00401CC4

Part of subcall function 0041EC40: __EH_prolog.LIBCMT ref: 0041EC45

Part of subcall function 00401CDD: __EH_prolog.LIBCMT ref: 00401CE2
Part of subcall function 00401CDD: GetLastError.KERNEL32(00467574,00000000,0046757C,?,004021DC,?,00000000,00000000,00000000,?,00000000), ref: 00401D0A
Part of subcall function 00401CDD: SetLastError.KERNEL32(?,00000000,00000000,00000000,?,004021DC,?,00000000,00000000,00000000,?,00000000), ref: 00401D57

Part of subcall function 0040125C: __EH_prolog.LIBCMT ref: 00401261
Part of subcall function 0040125C: GetLastError.KERNEL32(000004B1,00000000,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 00401284
Part of subcall function 0040125C: SysFreeString.OLEAUT32(?), ref: 004012A2
Part of subcall function 0040125C: SetLastError.KERNEL32(?,00000001,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 004012C2

Strings

tuF, xrefs: 0041EBBA
|uF, xrefs: 0041EBB5

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorLast$H_prolog$FreeString
String ID: tuF$|uF
API String ID: 3800368667-3059473046
Opcode ID: 7c2cc123853a12bf7b4e783a08f46225aff7a267caa594c18a0d4d03b690c242
Instruction ID: 7f830375a1ea1c2505aa3f8868d9aea217099cdbfeb942298271e32a974d2857
Opcode Fuzzy Hash: 7c2cc123853a12bf7b4e783a08f46225aff7a267caa594c18a0d4d03b690c242
Instruction Fuzzy Hash: 03113071D01258EBDB11EF99C886BDEBBB8EB48314F10416FE506B7281D7789A04C79A

Uniqueness

Uniqueness Score: -1.00%

Function 0042AA47 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E0042AA47(intOrPtr* __ecx, void* __eflags) {
				void* _t21;
				intOrPtr* _t25;
				void* _t27;

				L0043B644(0x463614, _t27);
				_push(__ecx);
				_t10 =  *((intOrPtr*)(_t27 + 8));
				_t25 = __ecx;
				 *((intOrPtr*)(_t27 - 0x10)) = __ecx;
				asm("sbb ecx, ecx");
				E0042AAA8(__ecx, __eflags, ( ~( *( *((intOrPtr*)(_t27 + 8)) + 0xd9)) & 0x00000018) + 0x67, _t10); // executed
				 *(_t27 - 4) =  *(_t27 - 4) & 0x00000000;
				_t12 = L"language";
				 *__ecx = 0x468130;
				_t21 = __ecx + 0x18;
				if(L"language" == 0) {
					_t12 = 0x47e150;
				}
				L00401E03(_t21, _t12);
				 *[fs:0x0] =  *((intOrPtr*)(_t27 - 0xc));
				return _t25;
			}

0x0042aa4c
0x0042aa51
0x0042aa52
0x0042aa56
0x0042aa5f
0x0042aa64
0x0042aa6f
0x0042aa74
0x0042aa78
0x0042aa7f
0x0042aa87
0x0042aa8a
0x0042aa8c
0x0042aa8c
0x0042aa92
0x0042aa9d
0x0042aaa5

APIs

__EH_prolog.LIBCMT ref: 0042AA4C

Part of subcall function 0042AAA8: __EH_prolog.LIBCMT ref: 0042AAAD
Part of subcall function 0042AAA8: GetSysColor.USER32(00000005), ref: 0042AACD
Part of subcall function 0042AAA8: CreateSolidBrush.GDI32(00000000), ref: 0042AAD4

Strings

language, xrefs: 0042AA78, 0042AA91
PG, xrefs: 0042AA8C

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: H_prolog$BrushColorCreateSolid
String ID: PG$language
API String ID: 853808455-4290645149
Opcode ID: 371e5629a194e6e21953e6f0d4faea58905929c759959e3fa817fec097bfa480
Instruction ID: ad211d64e6e5c4b75c6cf99979aeccd2d92626d7a355c1444dab9469b7a6752a
Opcode Fuzzy Hash: 371e5629a194e6e21953e6f0d4faea58905929c759959e3fa817fec097bfa480
Instruction Fuzzy Hash: 2DF05EB1B10120ABC7199B58D411BEE73E4EB59704F44866FF846E7741DB7C990087ED

Uniqueness

Uniqueness Score: -1.00%

Function 0042AB4A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0042AB4A(struct HWND__** __ecx, WCHAR* _a4) {
				int _t3;
				WCHAR* _t4;
				int _t5;
				struct HWND__** _t7;

				_t7 = __ecx;
				_t3 = IsWindow( *__ecx);
				if(_t3 == 0) {
					return _t3;
				}
				_t4 = _a4;
				if(_t4 == 0) {
					_t4 = _t7[4];
					if(_t4 == 0) {
						_t4 = 0x467570;
					}
				}
				_t5 = SetWindowTextW( *_t7, _t4); // executed
				return _t5;
			}

0x0042ab4b
0x0042ab4f
0x0042ab57
0x0042ab77
0x0042ab77
0x0042ab59
0x0042ab5f
0x0042ab61
0x0042ab66
0x0042ab68
0x0042ab68
0x0042ab66
0x0042ab70
0x00000000

APIs

IsWindow.USER32 ref: 0042AB4F
SetWindowTextW.USER32(?,?), ref: 0042AB70

Strings

puF, xrefs: 0042AB68

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: Window$Text
String ID: puF
API String ID: 848690642-1715984468
Opcode ID: aba15b3bfa97c591f544712ade65b45b268d7cc21e12ce254f9b6bce2dd964b3
Instruction ID: 9060c62acceaa764df7bf61b379fd11d0d8b8ac81d0a5523bc410f0a5ca04497
Opcode Fuzzy Hash: aba15b3bfa97c591f544712ade65b45b268d7cc21e12ce254f9b6bce2dd964b3
Instruction Fuzzy Hash: 0AD01231704221ABE7208F35EC04A577BE9EF10B84704887AF942C2624F765EC10CB1E

Uniqueness

Uniqueness Score: -1.00%

Function 0041AAA1 Relevance: 4.6, APIs: 3, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4824d607283e3f967bb7b131fac2cdfcce948c47035b3c1a87c1058445bcde9
Instruction ID: 1c9f32277443dea7a5a5765e88857a71ef050ff367c98dc8f3abf67fdc1a00fb
Opcode Fuzzy Hash: f4824d607283e3f967bb7b131fac2cdfcce948c47035b3c1a87c1058445bcde9
Instruction Fuzzy Hash: 02315E70A0524A9FCF14DF68C9849AE73B9FF14354B104A2AE815C7240E778EDE5C79A

Uniqueness

Uniqueness Score: -1.00%

Function 00445720 Relevance: 4.6, APIs: 3, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00445720(void* __ecx, int _a4, int _a8, long _a12, intOrPtr* _a16) {
				int _t12;
				long _t20;
				long _t21;
				long _t22;
				intOrPtr* _t31;
				int _t32;
				int _t33;

				_t12 = _a4;
				_t31 = _a16;
				 *_t31 = 1;
				if(_t12 == 0xf) {
					_t21 = _a12;
					_t32 = _a8;
					 *_t31 = 1;
					E00445D20(__ecx, 0xf, _t32, _t21, _t31);
					if( *_t31 == 0) {
						return DefWindowProcW( *(__ecx + 4), 0xf, _t32, _t21);
					} else {
						return 0;
					}
				} else {
					if(_t12 == 0x14) {
						_t22 = _a12;
						_t33 = _a8;
						_push(_t31);
						_push(_t22);
						_push(_t33);
						_push(0x14);
						 *_t31 = 1;
						L00445DD0();
						if( *_t31 == 0) {
							return DefWindowProcW( *(__ecx + 4), 0x14, _t33, _t22);
						} else {
							return 0;
						}
					} else {
						_t20 = DefWindowProcW( *(__ecx + 4), _t12, _a8, _a12); // executed
						return _t20;
					}
				}
			}

0x00445720
0x00445727
0x00445731
0x00445737
0x00445797
0x0044579b
0x004457a6
0x004457ac
0x004457b4
0x004457d1
0x004457b9
0x004457bc
0x004457bc
0x00445739
0x0044573c
0x0044575a
0x0044575e
0x00445762
0x00445763
0x00445764
0x00445765
0x00445769
0x0044576f
0x00445777
0x00445794
0x0044577c
0x0044577f
0x0044577f
0x0044573e
0x0044574d
0x00445757
0x00445757
0x0044573c

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 0044574D

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ProcWindow
String ID:
API String ID: 181713994-0
Opcode ID: d116a2f51a2853be0290bda1fd741c061c6eaa80528f05546e85c21b4be139da
Instruction ID: 2b151098b28747a1c295f04733285a07a6b26f21fffc12f4ca883f7402fe8c5a
Opcode Fuzzy Hash: d116a2f51a2853be0290bda1fd741c061c6eaa80528f05546e85c21b4be139da
Instruction Fuzzy Hash: 47119673304109AFE210DE59E884FABF79CDBC4366F10882BF24087282D7B29851D771

Uniqueness

Uniqueness Score: -1.00%

Function 0041940C Relevance: 4.6, APIs: 3, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E0041940C(void* __eflags) {
				intOrPtr _t28;
				void* _t31;
				void* _t32;
				intOrPtr _t48;
				intOrPtr _t51;
				void* _t54;
				void* _t59;
				void* _t62;

				_t59 = __eflags;
				L0043B644(0x461c30, _t54);
				_push(1);
				E0041A3DB(_t54 - 0x48);
				_push(0);
				_push(_t54 - 0x2c);
				 *(_t54 - 4) = 0;
				_t28 =  *((intOrPtr*)(L004194CC( *((intOrPtr*)(_t54 + 8)), _t59) + 0x10));
				if(_t28 != 0) {
					__imp__#7(_t28);
					_t51 = _t28;
				} else {
					_t51 = 0;
				}
				E0041A273(_t54 - 0x2c);
				_t52 = _t51 + 1;
				_t48 = 0x5c;
				 *((intOrPtr*)(_t54 - 0x10)) = _t48;
				while(1) {
					_t31 = E0041A924( *((intOrPtr*)(_t54 + 8)), _t54 - 0x10, 1, _t52);
					_t62 =  *0x467fe8 - _t31; // 0xffffffff
					if(_t62 == 0) {
						break;
					}
					_t10 = _t31 + 1; // 0x1
					_t52 = _t10;
					 *((intOrPtr*)(_t54 - 0x20)) = 0x467fd8;
					 *((intOrPtr*)(_t54 - 0x18)) = 0x467fd0;
					E0041A04F(_t54 - 0x2c,  *((intOrPtr*)(_t54 + 8)), 0, _t10, 0);
					 *((intOrPtr*)(_t54 - 0x2c)) = 0x467fcc;
					CreateDirectoryW( *(_t54 - 0x1c), 0); // executed
					E0041A273(_t54 - 0x2c);
					 *((intOrPtr*)(_t54 - 0x10)) = _t48;
				}
				_t19 = _t54 - 4;
				 *_t19 =  *(_t54 - 4) | 0xffffffff;
				__eflags =  *_t19;
				_t32 = E0041A460(_t54 - 0x48);
				 *[fs:0x0] =  *((intOrPtr*)(_t54 - 0xc));
				return _t32;
			}

0x0041940c
0x00419411
0x0041941c
0x00419421
0x0041942e
0x0041942f
0x00419430
0x00419438
0x0041943d
0x00419444
0x0041944a
0x0041943f
0x0041943f
0x0041943f
0x0041944f
0x00419456
0x00419457
0x00419458
0x0041945b
0x00419465
0x0041946a
0x00419470
0x00000000
0x00000000
0x00419472
0x00419472
0x0041947e
0x00419485
0x0041948c
0x00419492
0x0041949c
0x004194a5
0x004194aa
0x004194aa
0x004194af
0x004194af
0x004194af
0x004194b6
0x004194c1
0x004194c9

APIs

__EH_prolog.LIBCMT ref: 00419411

Part of subcall function 0041A3DB: __EH_prolog.LIBCMT ref: 0041A3E0
Part of subcall function 0041A3DB: GetLastError.KERNEL32(?,?,?,0043929E,00000001,?,?,00438EF0,?,?,00000002,00000002,uF), ref: 0041A40C
Part of subcall function 0041A3DB: SetLastError.KERNEL32(?,?,?,?,0043929E,00000001,?,?,00438EF0,?,?,00000002,00000002,uF), ref: 0041A442

Part of subcall function 004194CC: __EH_prolog.LIBCMT ref: 004194D1

SysStringLen.OLEAUT32(?), ref: 00419444
CreateDirectoryW.KERNELBASE(?,00000000,?,00000000,00000001,00000000,?,00000001,00000001), ref: 0041949C

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: H_prolog$ErrorLast$CreateDirectoryString
String ID:
API String ID: 2092678385-0
Opcode ID: f1405c02846c0cf248b9369d4917a177b69e675f5519b1b257e59700c60573df
Instruction ID: 1294eb979cbbb7a49b45ccf9bd72dec09854f87fd893b2a170b39c8b439e0d42
Opcode Fuzzy Hash: f1405c02846c0cf248b9369d4917a177b69e675f5519b1b257e59700c60573df
Instruction Fuzzy Hash: 0C219F71D04108ABCB04EFA5CC85DEEBB78FF48358F00812BE512A2191D7784A85CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00421686 Relevance: 4.6, APIs: 3, Instructions: 55registryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0042168B

Part of subcall function 0041C3FB: RegOpenKeyExW.KERNELBASE(?,?,00000000,80000001,00000000,00467574,00000000,?,0042F22A,?,0043D41C,00020019,00467574,ISlogit,?,00431B86), ref: 0041C415
Part of subcall function 0041C3FB: RegCloseKey.ADVAPI32(?,?,0042F22A,?,0043D41C,00020019,00467574,ISlogit,?,00431B86,80000001,ISlogit,?), ref: 0041C426

RegEnumValueW.KERNELBASE(?,00000000,?,00000104,00000000,00000000,00000000,00000000), ref: 004216DA
RegCloseKey.ADVAPI32(?,00000000,00020019,?), ref: 0042170B

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: Close$EnumH_prologOpenValue
String ID:
API String ID: 605519526-0
Opcode ID: db8323a21bc4c90e4e4309c4225cc2fcc7df3eb46e2dcebde894af7e108ec467
Instruction ID: 49db5be3c800c3ec080e54a0b2fc18c46933b3bd2b87422f86ec0b0f0721b1b6
Opcode Fuzzy Hash: db8323a21bc4c90e4e4309c4225cc2fcc7df3eb46e2dcebde894af7e108ec467
Instruction Fuzzy Hash: 741106B2901129ABCB21DF81DD48EEFBF78FF95764F108026F919A2250D3759A04CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00401D70 Relevance: 4.6, APIs: 3, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00401D70(intOrPtr* __ecx) {
				intOrPtr* _t48;
				void* _t50;

				L0043B644(0x45ee4c, _t50);
				_push(__ecx);
				_t48 = __ecx;
				 *((intOrPtr*)(_t50 - 0x10)) = __ecx;
				if( *((intOrPtr*)(_t50 + 0x18)) != 0) {
					 *__ecx = 0x46758c;
					 *((intOrPtr*)(__ecx + 0x20)) = 0x467584;
				}
				 *((intOrPtr*)( *((intOrPtr*)( *_t48 + 4)) + _t48)) = GetLastError();
				 *((intOrPtr*)(_t50 - 4)) = 0;
				 *((char*)(_t48 + 4)) =  *((intOrPtr*)( *((intOrPtr*)(_t50 + 0x14))));
				E0040213C(_t48 + 4, 0);
				asm("sbb ecx, ecx");
				E004024B9(_t48 + 4,  ~( *(_t50 + 8)) &  *(_t50 + 8) + 0x00000004,  *((intOrPtr*)(_t50 + 0xc)),  *((intOrPtr*)(_t50 + 0x10))); // executed
				 *((intOrPtr*)(_t48 + 0x14)) = 0;
				 *((intOrPtr*)(_t48 + 0x18)) = 0;
				 *((intOrPtr*)(_t48 + 0x1c)) = 0;
				_t15 =  *((intOrPtr*)(_t48 + 0x20)) + 4; // 0x4
				SetLastError( *( *_t15 + _t48 + 0x20));
				 *[fs:0x0] =  *((intOrPtr*)(_t50 - 0xc));
				return _t48;
			}

0x00401d75
0x00401d7a
0x00401d7f
0x00401d85
0x00401d88
0x00401d8a
0x00401d90
0x00401d90
0x00401da4
0x00401db1
0x00401db4
0x00401db6
0x00401dcb
0x00401dd2
0x00401dd7
0x00401dda
0x00401ddd
0x00401de3
0x00401dea
0x00401df8
0x00401e00

APIs

__EH_prolog.LIBCMT ref: 00401D75
GetLastError.KERNEL32(00000001,00000001,00000000,?,00401A95,?,00467574,00000000,?,00000000,?,?,?,0040231D,?,00000000), ref: 00401D9E
SetLastError.KERNEL32(?,00000001,00467574,00000000,00000000,?,00401A95,?,00467574,00000000,?,00000000,?,?,?,0040231D), ref: 00401DEA

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorLast$H_prolog
String ID:
API String ID: 2881783280-0
Opcode ID: 089238a5240719db2320f029a591070f90b02bd31995142b70440406b51ef9e5
Instruction ID: a95a8cc6bec5edf38e91dd96dc997be50e6092acc7ad0d42b8bb6c06aa8a1956
Opcode Fuzzy Hash: 089238a5240719db2320f029a591070f90b02bd31995142b70440406b51ef9e5
Instruction Fuzzy Hash: 7811AC756006059FCB148F69C88189AFBF1FF48308704456EE58AD7711D778E900CF98

Uniqueness

Uniqueness Score: -1.00%

Function 0042ACC6 Relevance: 4.5, APIs: 3, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32 ref: 0042ACE3
TranslateMessage.USER32(?), ref: 0042ACF6
DispatchMessageW.USER32 ref: 0042AD01

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: Message$DispatchPeekTranslate
String ID:
API String ID: 4217535847-0
Opcode ID: dc6682c979f998ba6ee160cc9478013279c44f6001c360688995d6cbf39e91aa
Instruction ID: 740f00f7ae8c3539b7059e320ce5e2a07617002c2155f4bf95b63335ad3cfde1
Opcode Fuzzy Hash: dc6682c979f998ba6ee160cc9478013279c44f6001c360688995d6cbf39e91aa
Instruction Fuzzy Hash: B7F0FC766042057BC710DE96AC8CE677BACE7C6714F40045EFA01C3040D6A5E005C772

Uniqueness

Uniqueness Score: -1.00%

Function 0042F67D Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E0042F67D(void* __eflags) {
				void* _t61;
				intOrPtr* _t74;
				signed char _t83;
				intOrPtr* _t89;
				void* _t105;
				intOrPtr* _t108;
				void* _t109;
				void* _t111;
				intOrPtr _t113;
				intOrPtr _t114;
				intOrPtr* _t115;
				intOrPtr _t116;

				_t119 = __eflags;
				L0043B644(0x463e8d, _t109);
				 *(_t109 - 0x14) =  *(_t109 - 0x14) & 0x00000000;
				 *(_t109 - 4) = 4;
				L0043334B(_t109 - 0xd4, __eflags);
				_push(0);
				_t113 = _t111 - 0xa0;
				 *(_t109 - 4) = 5;
				 *((intOrPtr*)(_t109 - 0x18)) = _t113;
				_t83 = 1;
				L00401732(_t113, "=", _t109 - 0xd, _t83);
				_t114 = _t113 - 0x28;
				 *((intOrPtr*)(_t109 - 0x1c)) = _t114;
				 *(_t109 - 4) = 6;
				L00401708(_t114, _t109 + 0xc, _t83);
				 *(_t109 - 4) = 5;
				_t61 = E004336A5(_t109 - 0xd4, _t105, _t119); // executed
				_t120 = _t61;
				if(_t61 != 0) {
					_t115 = _t114 - 0x28;
					 *((intOrPtr*)(_t109 - 0x1c)) = _t115;
					_t89 = _t115;
					_push(0);
					_push(_t109 + 0x84);
					 *_t89 = 0x46757c;
					 *((intOrPtr*)(_t89 + 0x20)) = 0x467574;
					L00401CDD(_t89);
					_t116 = _t115 - 0x28;
					 *((intOrPtr*)(_t109 - 0x18)) = _t116;
					 *(_t109 - 4) = 7;
					L00401708(_t116, _t109 + 0x5c, _t83);
					_t117 = _t116 - 0x28;
					 *((intOrPtr*)(_t109 - 0x20)) = _t116 - 0x28;
					 *(_t109 - 4) = 8;
					L00401708(_t117, _t109 + 0x34, _t83);
					_push( *((intOrPtr*)(_t109 + 8)));
					 *(_t109 - 4) = 5;
					E004342AF(_t109 - 0xd4, _t105, __eflags);
					 *(_t109 - 0x14) = _t83;
					 *(_t109 - 4) = 4;
					L00433631(_t109 - 0xd4, __eflags);
					 *(_t109 - 4) = 3;
					L0040125C(_t109 + 0xc);
					 *(_t109 - 4) = 2;
					L0040125C(_t109 + 0x34);
					 *(_t109 - 4) = _t83;
					L0040125C(_t109 + 0x5c);
					_t49 = _t109 - 4;
					 *_t49 =  *(_t109 - 4) & 0x00000000;
					__eflags =  *_t49;
					L0040125C(_t109 + 0x84);
					_t74 =  *((intOrPtr*)(_t109 + 8));
				} else {
					_t108 =  *((intOrPtr*)(_t109 + 8));
					_push(0);
					_push(_t109 + 0x84);
					 *_t108 = 0x46757c;
					 *((intOrPtr*)(_t108 + 0x20)) = 0x467574;
					L00401CDD(_t108);
					 *(_t109 - 0x14) = _t83;
					 *(_t109 - 4) = 4;
					L00433631(_t109 - 0xd4, _t120);
					 *(_t109 - 4) = 3;
					L0040125C(_t109 + 0xc);
					 *(_t109 - 4) = 2;
					L0040125C(_t109 + 0x34);
					 *(_t109 - 4) = _t83;
					L0040125C(_t109 + 0x5c);
					 *(_t109 - 4) =  *(_t109 - 4) & 0x00000000;
					L0040125C(_t109 + 0x84);
					_t74 = _t108;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t109 - 0xc));
				return _t74;
			}

0x0042f67d
0x0042f682
0x0042f68d
0x0042f699
0x0042f6a0
0x0042f6a5
0x0042f6aa
0x0042f6ad
0x0042f6b3
0x0042f6b8
0x0042f6c0
0x0042f6c5
0x0042f6cd
0x0042f6d2
0x0042f6d6
0x0042f6e1
0x0042f6e5
0x0042f6ea
0x0042f6ec
0x0042f759
0x0042f762
0x0042f765
0x0042f767
0x0042f769
0x0042f76a
0x0042f770
0x0042f777
0x0042f77c
0x0042f784
0x0042f789
0x0042f78d
0x0042f792
0x0042f79a
0x0042f79f
0x0042f7a3
0x0042f7a8
0x0042f7b1
0x0042f7b5
0x0042f7c0
0x0042f7c3
0x0042f7c7
0x0042f7cf
0x0042f7d3
0x0042f7db
0x0042f7df
0x0042f7e7
0x0042f7ea
0x0042f7ef
0x0042f7ef
0x0042f7ef
0x0042f7f9
0x0042f7fe
0x0042f6ee
0x0042f6ee
0x0042f6f7
0x0042f6f9
0x0042f6fc
0x0042f702
0x0042f709
0x0042f70e
0x0042f717
0x0042f71b
0x0042f723
0x0042f727
0x0042f72f
0x0042f733
0x0042f73b
0x0042f73e
0x0042f743
0x0042f74d
0x0042f752
0x0042f752
0x0042f805
0x0042f80e

APIs

__EH_prolog.LIBCMT ref: 0042F682

Part of subcall function 0043334B: __EH_prolog.LIBCMT ref: 00433350

Part of subcall function 004336A5: __EH_prolog.LIBCMT ref: 004336AA

Part of subcall function 00401CDD: __EH_prolog.LIBCMT ref: 00401CE2
Part of subcall function 00401CDD: GetLastError.KERNEL32(00467574,00000000,0046757C,?,004021DC,?,00000000,00000000,00000000,?,00000000), ref: 00401D0A
Part of subcall function 00401CDD: SetLastError.KERNEL32(?,00000000,00000000,00000000,?,004021DC,?,00000000,00000000,00000000,?,00000000), ref: 00401D57

Part of subcall function 00433631: __EH_prolog.LIBCMT ref: 00433636

Part of subcall function 0040125C: __EH_prolog.LIBCMT ref: 00401261
Part of subcall function 0040125C: GetLastError.KERNEL32(000004B1,00000000,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 00401284
Part of subcall function 0040125C: SysFreeString.OLEAUT32(?), ref: 004012A2
Part of subcall function 0040125C: SetLastError.KERNEL32(?,00000001,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 004012C2

Strings

tuF, xrefs: 0042F770

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: H_prolog$ErrorLast$FreeString
String ID: tuF
API String ID: 3733137895-1632530568
Opcode ID: 3b273cb08742d445e4f023614a3c3feac73e3d035445bd09c762e7a398c4e515
Instruction ID: ab82d05de8f33e3613c81a77ed17ee9f2937b2e99f537878635b43bee3089545
Opcode Fuzzy Hash: 3b273cb08742d445e4f023614a3c3feac73e3d035445bd09c762e7a398c4e515
Instruction Fuzzy Hash: D7418774805248EFDB01EFA5C5567DDBBB8AF18308F50409EE845732C1DB785B08CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 0040EFBC Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040EFC1

Part of subcall function 0042F67D: __EH_prolog.LIBCMT ref: 0042F682

Strings

PG, xrefs: 0040EFE1

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: H_prolog
String ID: PG
API String ID: 3519838083-134009939
Opcode ID: af2b8831348cf6015c8879e5ea7e189d52a65c0a557892af01e0dc47432cb00f
Instruction ID: 5561dcd60a6d484126869623b124825d744cc6a2c324c4bd9c341b183071074a
Opcode Fuzzy Hash: af2b8831348cf6015c8879e5ea7e189d52a65c0a557892af01e0dc47432cb00f
Instruction Fuzzy Hash: 06318871A00204AFD704EF59C986BEE7FB8EF59314F04406AF405B7281E7789B05C796

Uniqueness

Uniqueness Score: -1.00%

Function 0041EC40 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041EC45

Part of subcall function 00412E5D: __EH_prolog.LIBCMT ref: 00412E62

Part of subcall function 00401CDD: __EH_prolog.LIBCMT ref: 00401CE2
Part of subcall function 00401CDD: GetLastError.KERNEL32(00467574,00000000,0046757C,?,004021DC,?,00000000,00000000,00000000,?,00000000), ref: 00401D0A
Part of subcall function 00401CDD: SetLastError.KERNEL32(?,00000000,00000000,00000000,?,004021DC,?,00000000,00000000,00000000,?,00000000), ref: 00401D57

Part of subcall function 00412F07: __EH_prolog.LIBCMT ref: 00412F0C
Part of subcall function 00412F07: GetLastError.KERNEL32(?,00000000,80400100,?,00000000,004675A0,00467598,00000000,?,?,?,?,?,?,?,0046757C), ref: 00412FC3

Part of subcall function 0040125C: __EH_prolog.LIBCMT ref: 00401261
Part of subcall function 0040125C: GetLastError.KERNEL32(000004B1,00000000,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 00401284
Part of subcall function 0040125C: SysFreeString.OLEAUT32(?), ref: 004012A2
Part of subcall function 0040125C: SetLastError.KERNEL32(?,00000001,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 004012C2

Strings

_:A, xrefs: 0041ECAD, 0041ED0B

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorH_prologLast$FreeString
String ID: _:A
API String ID: 2373906061-3167952864
Opcode ID: a67dca69ac41e9dfa1be4ed75f828440abb406116f0c825ffbf82ecebabe1803
Instruction ID: a1ff1c05ac9d535004a3a1a155e2656031a2d4f235f8c170b00d5fdbaac2c693
Opcode Fuzzy Hash: a67dca69ac41e9dfa1be4ed75f828440abb406116f0c825ffbf82ecebabe1803
Instruction Fuzzy Hash: 5831C175905248EADB24EFA5D4846EDBBB4AF00308F24415FF852B3291E7784E88CB99

Uniqueness

Uniqueness Score: -1.00%

Function 004060C1 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004060C6

Part of subcall function 0040D482: __EH_prolog.LIBCMT ref: 0040D487

Part of subcall function 0040B243: __EH_prolog.LIBCMT ref: 0040B248
Part of subcall function 0040B243: GetLastError.KERNEL32(?,?,00000000,?,0040A625,?,00000000,?,?,0040F157,C:\CodeBases\isdev\src\Runtime\InstallScript\SetupNew\setup.cpp,?,00000001,00467574,00000000,0046757C), ref: 0040B271
Part of subcall function 0040B243: SetLastError.KERNEL32(?,00000000,?,00000000,?,0040A625,?,00000000,?,?,0040F157,C:\CodeBases\isdev\src\Runtime\InstallScript\SetupNew\setup.cpp,?,00000001,00467574,00000000), ref: 0040B29F

Part of subcall function 00401C68: __EH_prolog.LIBCMT ref: 00401C6D
Part of subcall function 00401C68: GetLastError.KERNEL32(00467574,00000000,0046757C,?,0040E781,?,00000000,?,00000000), ref: 00401C96
Part of subcall function 00401C68: SetLastError.KERNEL32(?,00000000,?,0040E781,?,00000000,?,00000000), ref: 00401CC4

Strings

tuF, xrefs: 00406169

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorH_prologLast
String ID: tuF
API String ID: 1057991267-1632530568
Opcode ID: e26f9c37b0ca6cfc4be5ee1cd1c6932fd0f2e7e1d084154753be07e4c052f19a
Instruction ID: b356aaf847ee6c189bbcef0d8c843f8ac5532ed791094fff7f9ace2ce7c947cb
Opcode Fuzzy Hash: e26f9c37b0ca6cfc4be5ee1cd1c6932fd0f2e7e1d084154753be07e4c052f19a
Instruction Fuzzy Hash: 21314AB1505784EFC711CF698844BCAFBE8AF69308F5085AFE09E97201D7746609CB2A

Uniqueness

Uniqueness Score: -1.00%

Function 0041B498 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 51fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,?,?,00000000,?,?,?,?,?,?,?,?,tuF,00413716,?), ref: 0041B4ED

Strings

tuF, xrefs: 0041B498

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: FileRead
String ID: tuF
API String ID: 2738559852-1632530568
Opcode ID: a09603397859f884dd207ded778c3cb2f61fcf7c010e6c2d657a4e5a82720e4b
Instruction ID: 17a961ac432ca46471d98ba619934463b1cc4e8529e8db0c1598ad7e9209ef99
Opcode Fuzzy Hash: a09603397859f884dd207ded778c3cb2f61fcf7c010e6c2d657a4e5a82720e4b
Instruction Fuzzy Hash: A0018872600208BBDF20EF51CC91FEF7B6DDF14758F00812AFD55A6191E778AA818798

Uniqueness

Uniqueness Score: -1.00%

Function 004160D4 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004160D9

Part of subcall function 00404765: __EH_prolog.LIBCMT ref: 0040476A
Part of subcall function 00404765: GetTempPathW.KERNEL32(00000104,?,0046757C,00467574,00000000), ref: 00404789
Part of subcall function 00404765: GetVersionExW.KERNEL32(?), ref: 004047C7
Part of subcall function 00404765: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,123.tmp,?,?,00000000), ref: 00404836

Strings

puF, xrefs: 004160F9

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: H_prolog$CreateFilePathTempVersion
String ID: puF
API String ID: 3324668838-1715984468
Opcode ID: 3727fc4f7a009a95b7e012619c9f0ba97f94720480c2f29015ba2ebe349b3558
Instruction ID: 84cce435253c6dd17b79181d3d06f137bb827ffacae592879186b63fc2546783
Opcode Fuzzy Hash: 3727fc4f7a009a95b7e012619c9f0ba97f94720480c2f29015ba2ebe349b3558
Instruction Fuzzy Hash: FC11A175A01244AFD704EFA8D881AE977F8EB48304F2485AEF495D7392DB389E44CB24

Uniqueness

Uniqueness Score: -1.00%

Function 00412653 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(?,?,?,?,?,?,?,0040FAF5,00000000,?,?), ref: 0041267D

Strings

puF, xrefs: 00412677

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: LibraryLoad
String ID: puF
API String ID: 1029625771-1715984468
Opcode ID: 39249aa354c5d592593a7c918c8bc458ae2d7dcda4260eb5ee1e39769e0614e0
Instruction ID: 7c2546c70ae209d3dbf755e84f50a664debefecbb49b75bcca23893efc74f951
Opcode Fuzzy Hash: 39249aa354c5d592593a7c918c8bc458ae2d7dcda4260eb5ee1e39769e0614e0
Instruction Fuzzy Hash: 060181757002009FCB28AB78D954BDB73E8AF48354F04096EE88AD7294E778ED90CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00406E05 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00406E0A

Part of subcall function 00401CDD: __EH_prolog.LIBCMT ref: 00401CE2
Part of subcall function 00401CDD: GetLastError.KERNEL32(00467574,00000000,0046757C,?,004021DC,?,00000000,00000000,00000000,?,00000000), ref: 00401D0A
Part of subcall function 00401CDD: SetLastError.KERNEL32(?,00000000,00000000,00000000,?,004021DC,?,00000000,00000000,00000000,?,00000000), ref: 00401D57

Part of subcall function 00406E5C: __EH_prolog.LIBCMT ref: 00406E61
Part of subcall function 00406E5C: lstrcpyA.KERNEL32(?,00000000,?,00000000,?,?,00000000), ref: 00406EDA
Part of subcall function 00406E5C: lstrcpyA.KERNEL32(?,00000000,?,?,00000000), ref: 00406EF7
Part of subcall function 00406E5C: lstrcpyA.KERNEL32(?,00000000,?,?,?,?,00000000), ref: 00406F2C

Part of subcall function 0040125C: __EH_prolog.LIBCMT ref: 00401261
Part of subcall function 0040125C: GetLastError.KERNEL32(000004B1,00000000,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 00401284
Part of subcall function 0040125C: SysFreeString.OLEAUT32(?), ref: 004012A2
Part of subcall function 0040125C: SetLastError.KERNEL32(?,00000001,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 004012C2

Strings

tuF, xrefs: 00406E2B

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorH_prologLast$lstrcpy$FreeString
String ID: tuF
API String ID: 222118499-1632530568
Opcode ID: 70607b8402acfbfe6da5fa89191a850d81aaf3867a10cdf055575fd20c95c77e
Instruction ID: 743cfac6a7c24726d1d8c434b3030af2c76fbc017cad17c5a499ee3ada5f3f1d
Opcode Fuzzy Hash: 70607b8402acfbfe6da5fa89191a850d81aaf3867a10cdf055575fd20c95c77e
Instruction Fuzzy Hash: 8AF08271910204ABC704EF55C802B9C7768EB49718F10835EA416A66D1D77857148B8D

Uniqueness

Uniqueness Score: -1.00%

Function 004388C5 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,004386E9), ref: 004388DC

Strings

puF, xrefs: 004388D6

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: AttributesFile
String ID: puF
API String ID: 3188754299-1715984468
Opcode ID: f0f30eaa65ecd8de32ac276cfe39e05ad44b4d4d1fc3d2046dfa31e4bc13f2f5
Instruction ID: 84aaaed059562704c2a22ae7513e73115d20d760b5ccf3611acd2e1695351cfc
Opcode Fuzzy Hash: f0f30eaa65ecd8de32ac276cfe39e05ad44b4d4d1fc3d2046dfa31e4bc13f2f5
Instruction Fuzzy Hash: 69E04871900314B6CE106A759C45BDA77DC9F15718F504117F952E32D0E668E9814699

Uniqueness

Uniqueness Score: -1.00%

Function 0041FF50 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?,?,0041FDC3), ref: 0041FF66

Strings

puF, xrefs: 0041FF60

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: CurrentDirectory
String ID: puF
API String ID: 1611563598-1715984468
Opcode ID: 24e7a028084fef22e401a7d19f392f5690b954febd8ed1333c94b095364a83b8
Instruction ID: 28c3ae327c1ca031ca7e9a6cf3718361dbeec5c084cf2dc22847adecff2c4ea1
Opcode Fuzzy Hash: 24e7a028084fef22e401a7d19f392f5690b954febd8ed1333c94b095364a83b8
Instruction Fuzzy Hash: 0AD0C9306146214BC7246A29A448B9726985B45B29F04847FF446E67A0EBBCDCC68A8D

Uniqueness

Uniqueness Score: -1.00%

Function 00411EFD Relevance: 3.1, APIs: 2, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ef2d1029e8c02f14ceefd520a6e39d639a383e5904e69cacd1d14eb28667888
Instruction ID: 6df7fe2cf6a40185513720c807cf4ed7f32ef9d4c174ba5b0da7b07dd55b9b3e
Opcode Fuzzy Hash: 1ef2d1029e8c02f14ceefd520a6e39d639a383e5904e69cacd1d14eb28667888
Instruction Fuzzy Hash: DC11BF3952839199CB206B6694103EAA3A49F9574CB00484FFA8253771C7B99887C36F

Uniqueness

Uniqueness Score: -1.00%

Function 0043D3A0 Relevance: 3.0, APIs: 2, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 0043D469: ExitProcess.KERNEL32 ref: 0043D486

Part of subcall function 0043E34C: TlsAlloc.KERNEL32(?,0043D3AD), ref: 0043E352
Part of subcall function 0043E34C: TlsSetValue.KERNEL32(00000000,?,0043D3AD), ref: 0043E37A
Part of subcall function 0043E34C: GetCurrentThreadId.KERNEL32 ref: 0043E38B

GetStartupInfoW.KERNEL32(?), ref: 0043D3ED
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 0043D410

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: AllocCurrentExitHandleInfoModuleProcessStartupThreadValue
String ID:
API String ID: 2682494680-0
Opcode ID: bb8ed85fe08700dc6d49bf070938d12133501a5cc379d47fc5cdb82dba86b9f8
Instruction ID: e9c62b4ba0a25fc96a94dab7e1b1c5a4f2fa0cccbedea5a951cb386a4637ac5d
Opcode Fuzzy Hash: bb8ed85fe08700dc6d49bf070938d12133501a5cc379d47fc5cdb82dba86b9f8
Instruction Fuzzy Hash: 740121B1C003149AEB14BFF2E84A99D7778BF08308F10151FF905AB262DB7C9881DB69

Uniqueness

Uniqueness Score: -1.00%

Function 004134DD Relevance: 3.0, APIs: 2, Instructions: 41COMMON

Download Yara Rule

APIs

InterlockedDecrement.KERNEL32(?), ref: 004134EE
FindCloseChangeNotification.KERNELBASE(?), ref: 00413516

Part of subcall function 0041354B: InterlockedDecrement.KERNEL32(0047E450), ref: 00413570

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: DecrementInterlocked$ChangeCloseFindNotification
String ID:
API String ID: 3252779363-0
Opcode ID: 8cc116c0883422af079f6ce9165c87c24ff9033301404afd6fa463c2630a2869
Instruction ID: 8c640be76975b1db57694f67f34b565d20f7ba0781a4c27847eff5ef32cb8f1a
Opcode Fuzzy Hash: 8cc116c0883422af079f6ce9165c87c24ff9033301404afd6fa463c2630a2869
Instruction Fuzzy Hash: D6F0F97160170067CB346F66EE49B9777DDAF10F16F40051EF456D35D1E768EA808E08

Uniqueness

Uniqueness Score: -1.00%

Function 00421722 Relevance: 3.0, APIs: 2, Instructions: 35registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0041C3FB: RegOpenKeyExW.KERNELBASE(?,?,00000000,80000001,00000000,00467574,00000000,?,0042F22A,?,0043D41C,00020019,00467574,ISlogit,?,00431B86), ref: 0041C415
Part of subcall function 0041C3FB: RegCloseKey.ADVAPI32(?,?,0042F22A,?,0043D41C,00020019,00467574,ISlogit,?,00431B86,80000001,ISlogit,?), ref: 0041C426

RegQueryValueExW.KERNELBASE(?,?,00000000,?,00000000,?,?,?,00020019), ref: 00421753
RegCloseKey.ADVAPI32(00000000,?,?,00020019), ref: 0042176F

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: Close$OpenQueryValue
String ID:
API String ID: 1607946009-0
Opcode ID: a19398d68a46f782fa6f56b30a9baae1f709c1fd50afaa4989c02f835dfc810e
Instruction ID: 92e93c5c323ebd05479e9747d45ac973adc72f9ca86176d799be4cb3c2d40e71
Opcode Fuzzy Hash: a19398d68a46f782fa6f56b30a9baae1f709c1fd50afaa4989c02f835dfc810e
Instruction Fuzzy Hash: BFF04976600208FBCF119F51DD08DDF7BB9EBD5319F40802AF804A6120E3349B44DB54

Uniqueness

Uniqueness Score: -1.00%

Function 00418833 Relevance: 3.0, APIs: 2, Instructions: 35COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00418838

Part of subcall function 00418779: __EH_prolog.LIBCMT ref: 0041877E
Part of subcall function 00418779: SysStringLen.OLEAUT32(?), ref: 004187E6

SysStringLen.OLEAUT32(?), ref: 0041885F

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: H_prologString
String ID:
API String ID: 4195672975-0
Opcode ID: 2e7ebb24e7ece776f251257ec72ec132086ae6dbc42638387e4f2d459a37d6ed
Instruction ID: 394d3965d010e9f7dba5e3fcef6c2d729a813d49d66cb8aa3199546f5d2c3903
Opcode Fuzzy Hash: 2e7ebb24e7ece776f251257ec72ec132086ae6dbc42638387e4f2d459a37d6ed
Instruction Fuzzy Hash: EEF06D72901214EBCB04EBA5D845FEEBB78EF48754F00402FF90197251DBB8AA84CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0043FDB9 Relevance: 3.0, APIs: 2, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,0043D39B,00000001), ref: 0043FDCA

Part of subcall function 0043FC71: GetVersionExA.KERNEL32 ref: 0043FC90

HeapDestroy.KERNEL32 ref: 0043FE09

Part of subcall function 0043FE16: HeapAlloc.KERNEL32(00000000,00000140,0043FDF2,000003F8), ref: 0043FE23

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: Heap$AllocCreateDestroyVersion
String ID:
API String ID: 2507506473-0
Opcode ID: 08c81163260e949e0be90f46bda51626203ddbc585e1c43ac2ed94527b41eb7f
Instruction ID: 5232f1b517e0b0be3c68f3cae2c5525e92765b4db237356e649132d8c8ca4919
Opcode Fuzzy Hash: 08c81163260e949e0be90f46bda51626203ddbc585e1c43ac2ed94527b41eb7f
Instruction Fuzzy Hash: 33F06570D543029AEB301772AC0A7363A949708745F10243BFC06C92B1EBA884D8A50A

Uniqueness

Uniqueness Score: -1.00%

Function 0041C3FB Relevance: 3.0, APIs: 2, Instructions: 26registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,80000001,00000000,00467574,00000000,?,0042F22A,?,0043D41C,00020019,00467574,ISlogit,?,00431B86), ref: 0041C415
RegCloseKey.ADVAPI32(?,?,0042F22A,?,0043D41C,00020019,00467574,ISlogit,?,00431B86,80000001,ISlogit,?), ref: 0041C426

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: CloseOpen
String ID:
API String ID: 47109696-0
Opcode ID: f1671b2b7657954c770d33485df46889582aac2ee4c3d022bc105af21fbf3e7e
Instruction ID: fb2fd73f3b40b53d2f14863fae20ddcd0d073026dee4d970def35dcbc9f56374
Opcode Fuzzy Hash: f1671b2b7657954c770d33485df46889582aac2ee4c3d022bc105af21fbf3e7e
Instruction Fuzzy Hash: CAF03976204209FBDB248F40CC65BEE7BA8EF00355F10402DE94166250E7B5AA50DB68

Uniqueness

Uniqueness Score: -1.00%

Function 00445BA0 Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000001,?,?,?,00446B23,00000000), ref: 00445BC3
InvalidateRect.USER32(00000001,00000000,00000001), ref: 00445BD6

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: InvalidateRectShowWindow
String ID:
API String ID: 518433929-0
Opcode ID: 023a1ae28a626423db15f5363a95b1a71e8bc8e17d738dd29017b10fb2a21f48
Instruction ID: ded8544b8eebfb8640a6850884ad4afb6eddee809d540723adacf3d012c28375
Opcode Fuzzy Hash: 023a1ae28a626423db15f5363a95b1a71e8bc8e17d738dd29017b10fb2a21f48
Instruction Fuzzy Hash: 71E09A3A260B00AFE330CF30DD44F97B3B4EB44F10B068A1EE45683640E7B5E8018299

Uniqueness

Uniqueness Score: -1.00%

Function 00413655 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041365A

Part of subcall function 004139D8: GetFileSize.KERNEL32(?,?,?), ref: 00413A23
Part of subcall function 004139D8: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,tuF,00413675), ref: 00413A30

Part of subcall function 00413763: SetFilePointer.KERNELBASE(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,tuF), ref: 004137AE
Part of subcall function 00413763: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,tuF,00413754,00000000,00000000,00000000,00000000), ref: 004137DD

Part of subcall function 0041B498: ReadFile.KERNELBASE(?,?,?,?,00000000,?,?,?,?,?,?,?,?,tuF,00413716,?), ref: 0041B4ED

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: File$ErrorLast$H_prologPointerReadSize
String ID:
API String ID: 1849429583-0
Opcode ID: 507fec362177818ec181ca87f0c6233102d488a804f041fb1090f6284fa6f776
Instruction ID: 31e73a4e589a3190f514cfc5ab9f51df3683da3d23af40c189ec8da23cc331f0
Opcode Fuzzy Hash: 507fec362177818ec181ca87f0c6233102d488a804f041fb1090f6284fa6f776
Instruction Fuzzy Hash: C731E8F0A0474AAEEF319B7988556EFBE78AB01738F00474FD161522D2C7786B448795

Uniqueness

Uniqueness Score: -1.00%

Function 0041ED47 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041ED4C

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 733e96217a1190180618cdb2053c9213f3008e0f7ba9114a4ca220fb8d102933
Instruction ID: c3f3dfa027bb75890b01130deb722d2412e1f32a2477048692afb794cea56ce5
Opcode Fuzzy Hash: 733e96217a1190180618cdb2053c9213f3008e0f7ba9114a4ca220fb8d102933
Instruction Fuzzy Hash: 6B210879E002165BDB249A6AE9957FFB7B2EB80314F24443FE901A3781D67C9DC08249

Uniqueness

Uniqueness Score: -1.00%

Function 0043CE23 Relevance: 1.6, APIs: 1, Instructions: 80memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,-0000000F,00000000,?,00000000,00000000,00000000), ref: 0043CF0A

Part of subcall function 0043E4FA: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,00441F3B,00000009,00000000,00000000,00000001,0043E3D8,00000001,00000074,?,?,00000000,00000001), ref: 0043E537
Part of subcall function 0043E4FA: EnterCriticalSection.KERNEL32(?,?,?,00441F3B,00000009,00000000,00000000,00000001,0043E3D8,00000001,00000074,?,?,00000000,00000001), ref: 0043E552

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: CriticalSection$AllocateEnterHeapInitialize
String ID:
API String ID: 1616793339-0
Opcode ID: 017b93a143afcae2a5f1b4946abf0e284081cc18d96f783c142e573017425368
Instruction ID: 0f8d0fe642f9e5a0c6b3e18fc153d07a10985c2e0dd655818f4b794d0a8b2183
Opcode Fuzzy Hash: 017b93a143afcae2a5f1b4946abf0e284081cc18d96f783c142e573017425368
Instruction Fuzzy Hash: E8219531A04215EBDB10EB69DC83B9A77A4FB08B64F10552BF825FB2C1C77CA9418B59

Uniqueness

Uniqueness Score: -1.00%

Function 004108D1 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004108D6

Part of subcall function 0041112E: __EH_prolog.LIBCMT ref: 00411133

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 6f4595003a68fd6366f83ce03c2f4063efd80bff597778e222ec38780fcd82ce
Instruction ID: 58a4130d7e5976185acc2f52eac15d1ccb5e8a4e1c249baab9a3dc1f691d4446
Opcode Fuzzy Hash: 6f4595003a68fd6366f83ce03c2f4063efd80bff597778e222ec38780fcd82ce
Instruction Fuzzy Hash: 1021D671A01244A6DB05F7B1C852BDEB7689F50318F10416FF416A32D2EB7C5A44C769

Uniqueness

Uniqueness Score: -1.00%

Function 0043CCFC Relevance: 1.6, APIs: 1, Instructions: 75memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000000,00000000,?,00000000,?,00441F3B,00000009,00000000,00000000,00000001,0043E3D8,00000001,00000074), ref: 0043CDD0

Part of subcall function 0043E4FA: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,00441F3B,00000009,00000000,00000000,00000001,0043E3D8,00000001,00000074,?,?,00000000,00000001), ref: 0043E537
Part of subcall function 0043E4FA: EnterCriticalSection.KERNEL32(?,?,?,00441F3B,00000009,00000000,00000000,00000001,0043E3D8,00000001,00000074,?,?,00000000,00000001), ref: 0043E552

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: CriticalSection$EnterFreeHeapInitialize
String ID:
API String ID: 641406236-0
Opcode ID: 85b0b7bc1aeaeec67d7e25fd138faf0f505cda18b72657db342d1b83d0ea5f14
Instruction ID: 84eb36b91d58a3b4a39bf1d5a2d3972415894297461f752e70074a6cbc720d15
Opcode Fuzzy Hash: 85b0b7bc1aeaeec67d7e25fd138faf0f505cda18b72657db342d1b83d0ea5f14
Instruction Fuzzy Hash: C121F532C01214ABDB20AB95DC46BDE7B78EB09724F20123BF405B22D0D77C99408BAD

Uniqueness

Uniqueness Score: -1.00%

Function 0042F80F Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0042F814

Part of subcall function 0043334B: __EH_prolog.LIBCMT ref: 00433350

Part of subcall function 004336A5: __EH_prolog.LIBCMT ref: 004336AA

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 0692ab484d76f55083320a6a3e6dd2625269bb266de1074a940cbcde4787a85f
Instruction ID: 99ff74b7c0de5a21d53144bea32c628f86f618ddbe9a7699606c9a96223372b5
Opcode Fuzzy Hash: 0692ab484d76f55083320a6a3e6dd2625269bb266de1074a940cbcde4787a85f
Instruction Fuzzy Hash: 31218230901288EAEF14EFA5C956BDCBB74AF15304F50419EF845B32C1DB781B48C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 0040C588 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

SysAllocStringLen.OLEAUT32(00000000,00000002), ref: 0040C5A7

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: AllocString
String ID:
API String ID: 2525500382-0
Opcode ID: c6cc07d10b1fbf37014b5ce3835e2bd6027d14cdbdeb35b2aa660e865da5dc12
Instruction ID: eaad7fdd71b954acb209ea883f8350d91ef8664cbd5cf7862f9e1e82b79c7e00
Opcode Fuzzy Hash: c6cc07d10b1fbf37014b5ce3835e2bd6027d14cdbdeb35b2aa660e865da5dc12
Instruction Fuzzy Hash: 6F11BF36600705EBC720DF15C48069BBBE9EF84754B15C03BE95ADB390E7B4F8418B84

Uniqueness

Uniqueness Score: -1.00%

Function 00418ADD Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00418AE2

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 13a4e6a545c5ac14d7c11b600f04615ebeeefb4a6ff2e2cf34ed423efae224bd
Instruction ID: ff7262088ba5431ccbfb59d39a6e36525089242bc767c14ac0d447e9022317be
Opcode Fuzzy Hash: 13a4e6a545c5ac14d7c11b600f04615ebeeefb4a6ff2e2cf34ed423efae224bd
Instruction Fuzzy Hash: AB019EB19046089BCB24DF59C401BDEB7F4AF08708F10C11FE455A3341DBB8AA44CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00447CD0 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32 ref: 00447D16

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 7279cc4c75e4119334470100b46e247e2c5b858bd4e766a2020e86db5cf60386
Instruction ID: 9bd6db7dd369d50cea6e61b20b84b1d56e295a520f8e4a06f694f1bc1fc5cbb8
Opcode Fuzzy Hash: 7279cc4c75e4119334470100b46e247e2c5b858bd4e766a2020e86db5cf60386
Instruction Fuzzy Hash: ECF07476218200AF9304CB99D984C2BF7FDEBDD710B15865EF58893221C670EC01CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00404109 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040410E

Part of subcall function 00403E82: __EH_prolog.LIBCMT ref: 00403E87

Part of subcall function 00404166: __EH_prolog.LIBCMT ref: 0040416B

Part of subcall function 0040125C: __EH_prolog.LIBCMT ref: 00401261
Part of subcall function 0040125C: GetLastError.KERNEL32(000004B1,00000000,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 00401284
Part of subcall function 0040125C: SysFreeString.OLEAUT32(?), ref: 004012A2
Part of subcall function 0040125C: SetLastError.KERNEL32(?,00000001,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 004012C2

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: H_prolog$ErrorLast$FreeString
String ID:
API String ID: 3733137895-0
Opcode ID: f7c68ea4be0130bc73ddfc9318a34822c241d6756ecb2388fd499458ee820689
Instruction ID: 4e57c387e99df1e2426dd63c5ec3092a060698719a2e5c564d287205ea8d2488
Opcode Fuzzy Hash: f7c68ea4be0130bc73ddfc9318a34822c241d6756ecb2388fd499458ee820689
Instruction Fuzzy Hash: 6BF09076900118BBCF01EF95D805BDE7F35EF88324F00402EF905A6191CBB59A54DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 004317E3 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000000,000000FF,000000FF,00000000,00000000,00433138,00000000,?,?,00000004,?,004675A0,40000000,00000001,00000080), ref: 00431808

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 1f761fa15a702f9943f444938fe7513a636b3e784a2fb17178325c2410112b31
Instruction ID: 50ffbc25191567aa7a7023e3372f066b2537ed8ed3da844d3f7f14c40a697ac8
Opcode Fuzzy Hash: 1f761fa15a702f9943f444938fe7513a636b3e784a2fb17178325c2410112b31
Instruction Fuzzy Hash: 24F08276500208BBCF10AF95CC45FCA37ACEF18724F00C126F925961A0E7B8DA41CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00418E14 Relevance: 1.5, APIs: 1, Instructions: 27fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 00418E2C

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: a2d48e297e7aa0bd4c7c4f0d30bd3a334db96e7feb94a4d06ed264255a8dc44b
Instruction ID: 2b0f9f51d6bb0243a9e2634da7a9ec564578e569a3292dac780cab716e567095
Opcode Fuzzy Hash: a2d48e297e7aa0bd4c7c4f0d30bd3a334db96e7feb94a4d06ed264255a8dc44b
Instruction Fuzzy Hash: 25F03075104208BBCF108F64CD44EE93B69AF08734F10C609FD2DCA1E0DB35E9569B54

Uniqueness

Uniqueness Score: -1.00%

Function 0042DF10 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0042DF15

Part of subcall function 00401840: __EH_prolog.LIBCMT ref: 00401845

Part of subcall function 0042DD60: __EH_prolog.LIBCMT ref: 0042DD65
Part of subcall function 0042DD60: GetLastError.KERNEL32 ref: 0042DE6D

Part of subcall function 0040125C: __EH_prolog.LIBCMT ref: 00401261
Part of subcall function 0040125C: GetLastError.KERNEL32(000004B1,00000000,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 00401284
Part of subcall function 0040125C: SysFreeString.OLEAUT32(?), ref: 004012A2
Part of subcall function 0040125C: SetLastError.KERNEL32(?,00000001,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 004012C2

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: H_prolog$ErrorLast$FreeString
String ID:
API String ID: 3733137895-0
Opcode ID: 1b540ed2a72efcc70758a7b95df5009ca5f73fd4c9b3043cdaa2330adae7a01b
Instruction ID: 39267fbf769c62150a14297deda305fd765eb05e8bdc5bd3517373ceee28a0b5
Opcode Fuzzy Hash: 1b540ed2a72efcc70758a7b95df5009ca5f73fd4c9b3043cdaa2330adae7a01b
Instruction Fuzzy Hash: 04E065B1D11208AFCB08EF65C8535AD7764DB55354F10465EF822A3281EB3457048699

Uniqueness

Uniqueness Score: -1.00%

Function 0042AFD3 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0042AFD8

Part of subcall function 0040DE9B: __EH_prolog.LIBCMT ref: 0040DEA0

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 15733c32a93f47e7d5752539f07b5b1a03b7136661e98445a8370e04ecf4048b
Instruction ID: e876e1e207838c09ee3ec697065961f2fd0de14e3becc23db142074cb1e6526f
Opcode Fuzzy Hash: 15733c32a93f47e7d5752539f07b5b1a03b7136661e98445a8370e04ecf4048b
Instruction Fuzzy Hash: 99E06DB1A10940AFCB05CF64CC46ABAB7A4EB15205F1485AEF852DB342E738C9018668

Uniqueness

Uniqueness Score: -1.00%

Function 0042B242 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0042B247

Part of subcall function 0040DE9B: __EH_prolog.LIBCMT ref: 0040DEA0

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: ef021d7168c225169356db2eb0494adb569b6dd2f9d61bbf34f5a9745de80d9a
Instruction ID: f76262c15c42f406509b1b0ac466a6d7155e9856754c5402ce23cbee7312ae68
Opcode Fuzzy Hash: ef021d7168c225169356db2eb0494adb569b6dd2f9d61bbf34f5a9745de80d9a
Instruction Fuzzy Hash: 0FE0ED746006049FC715CF44C846F69B3B4EB48709F24859AF415AB291D778A905CA58

Uniqueness

Uniqueness Score: -1.00%

Function 00418E58 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,00000000,?), ref: 00418E73

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 63eae64c5cd163e3a7cecf744489d9847fb160f36aa031f1d012f75735e5afa6
Instruction ID: 58ac79bb23ef236e31ee306bcf09c1f6f3c42b1b97897648ecf17187ce805644
Opcode Fuzzy Hash: 63eae64c5cd163e3a7cecf744489d9847fb160f36aa031f1d012f75735e5afa6
Instruction Fuzzy Hash: 82E09A30000209FFCF04CFA4D848D9E7B78FF05328F208289F5198A2A0D732EA62DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00418E8D Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,00418C64,00000000,00000000,?,00417CD9,?,00000001), ref: 00418EA5

Part of subcall function 0041354B: InterlockedDecrement.KERNEL32(0047E450), ref: 00413570

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ChangeCloseDecrementFindInterlockedNotification
String ID:
API String ID: 148996130-0
Opcode ID: a4f70680e66339e82b8e5bf0911b9110fb2c7172dde30e3bfa3368bacd3769df
Instruction ID: 1be95b7f6a418f997379ce3821d75da1d61e3865bd2eeaed7ba57d4565f29057
Opcode Fuzzy Hash: a4f70680e66339e82b8e5bf0911b9110fb2c7172dde30e3bfa3368bacd3769df
Instruction Fuzzy Hash: 53D05E30502B104BC7389B29E95969772D56F05F35B140B0EE0BBC26D0CB68E8818608

Uniqueness

Uniqueness Score: -1.00%

Function 00450520 Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32 ref: 00450542

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ChildEnumWindows
String ID:
API String ID: 3555792229-0
Opcode ID: c8bbb5c3fd11b06d512ee6de67e5cba18ce4a07e76c85ae0500ef0c3f7c92b96
Instruction ID: 1f381abcf51a61524ac6eed20c2b2508e7ede80c436365f7773653e6379cf609
Opcode Fuzzy Hash: c8bbb5c3fd11b06d512ee6de67e5cba18ce4a07e76c85ae0500ef0c3f7c92b96
Instruction Fuzzy Hash: 9FD06774508342AFC344DF18E54591ABBE4BBC4704F008D2EF58893200E770DA1CCBAB

Uniqueness

Uniqueness Score: -1.00%

Function 0040F0BC Relevance: 1.5, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

SetDlgItemTextW.USER32 ref: 0040F0CB

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ItemText
String ID:
API String ID: 3367045223-0
Opcode ID: a2aff125384d1ba9220773b7df5ed159736cc434fb894d32bd1831ceda017325
Instruction ID: 12b3799432aa48e86bae99bc6814367b51b938fd78a58d69264ed707e4bfe6e8
Opcode Fuzzy Hash: a2aff125384d1ba9220773b7df5ed159736cc434fb894d32bd1831ceda017325
Instruction Fuzzy Hash: 8CB01231488101BBCA024B40CD0CF157B21EB54704F004174F30548071CA731462EB0B

Uniqueness

Uniqueness Score: -1.00%

Function 004375F1 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,0043768E,00000001,00000000,?,?,?,?,?,004377AA,00000001,00000001,?,?,C:\CodeBases\isdev\src\Runtime\InstallScript\SetupNew\setup.cpp,?), ref: 004375F5

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: dccc84d2ed36876519a3c4e897ed4ac58689007d9a3b07571434dcb74ddb1aae
Instruction ID: dfb528b52f8ced12ea05bcfcab33299d88276947c114906d83269c762b04cfb8
Opcode Fuzzy Hash: dccc84d2ed36876519a3c4e897ed4ac58689007d9a3b07571434dcb74ddb1aae
Instruction Fuzzy Hash: 8DA0113800C280AACF020B20CA0888ABFA0AA82200F0088A8E0C880230E2308800EA02

Uniqueness

Uniqueness Score: -1.00%

Function 00415DF5 Relevance: 1.3, APIs: 1, Instructions: 94sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0042AE81: __EH_prolog.LIBCMT ref: 0042AE86
Part of subcall function 0042AE81: IsWindow.USER32 ref: 0042AEEC
Part of subcall function 0042AE81: DestroyWindow.USER32(?,?,?,00000000,?,00000000), ref: 0042AEF4
Part of subcall function 0042AE81: GetLastError.KERNEL32(?,?,00000000,?,00000000), ref: 0042AF0C

Sleep.KERNEL32(?), ref: 00415EB3

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: Window$DestroyErrorH_prologLastSleep
String ID:
API String ID: 579293246-0
Opcode ID: 190372ff3d8237b88d41f8c4671e6b5df50bbc6b1e7888bc0e0c84328b940edb
Instruction ID: f480c4d39ccad813c3d2351780fbd7f0c22a50efb78acf9ad9b5892a61f8a983
Opcode Fuzzy Hash: 190372ff3d8237b88d41f8c4671e6b5df50bbc6b1e7888bc0e0c84328b940edb
Instruction Fuzzy Hash: 09317471700610DFCB15BB66D896AED77AAAF88709F00401EF5069B292CF7C9D818B99

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004440F4 Relevance: 26.7, Strings: 21, Instructions: 417
COMMONCrypto

Download Yara Rule

C-Code - Quality: 67%

			E004440F4(signed int* _a4, intOrPtr* _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				signed int _v8;
				signed int _v12;
				signed char* _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v58;
				signed int _v62;
				signed int _v66;
				signed int _v68;
				char _v73;
				char _v96;
				signed int _t121;
				intOrPtr _t141;
				intOrPtr _t143;
				signed int _t146;
				intOrPtr* _t148;

				_t148 = _a12;
				_v16 =  &_v96;
				_t121 = 0;
				_t146 = 1;
				_v44 = 0;
				_v28 = _t146;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v36 = 0;
				_v48 = 0;
				_v52 = 0;
				_v32 = 0;
				_v12 = 0;
				_v24 = 0;
				_a12 = _t148;
				L1:
				_t143 =  *_t148;
				if(_t143 == 0x20 || _t143 == 9 || _t143 == 0xa || _t143 == 0xd) {
					_t148 = _t148 + 1;
					goto L1;
				}
				_push(4);
				while(1) {
					L7:
					_t141 =  *_t148;
					_t148 = _t148 + 1;
					if(_t121 > 0xb) {
						break;
					}
					switch( *((intOrPtr*)(_t121 * 4 +  &M00444595))) {
						case 0:
							if(_t141 < 0x31 || _t141 > 0x39) {
								if(_t141 !=  *0x47b118) {
									_t137 = _t141 - 0x2b;
									if(_t137 == 0) {
										_v44 = _v44 & 0x00000000;
										_push(2);
										_pop(_t121);
										goto L7;
									}
									_t139 = _t137;
									if(_t139 == 0) {
										_push(2);
										_v44 = 0x8000;
										_pop(_t121);
										goto L7;
									}
									if(_t139 != 3) {
										goto L109;
									}
									goto L36;
								}
								goto L13;
							} else {
								goto L11;
							}
						case 1:
							_v20 = __edx;
							if(__bl < 0x31 || __bl > 0x39) {
								if(__bl ==  *0x47b118) {
									goto L47;
								}
								if(__bl == 0x2b || __bl == 0x2d) {
									goto L31;
								} else {
									if(__bl == 0x30) {
										goto L36;
									}
									goto L26;
								}
							} else {
								goto L11;
							}
						case 2:
							if(__bl < 0x31 || __bl > 0x39) {
								if(__bl ==  *0x47b118) {
									L13:
									_push(5);
									goto L90;
								}
								if(__bl != 0x30) {
									goto L94;
								}
								L36:
								_t121 = _t146;
								goto L7;
							} else {
								L11:
								_push(3);
								goto L81;
							}
						case 3:
							_v20 = __edx;
							L38:
							L38:
							if( *0x47b114 <= __edx) {
								__ecx =  *0x47ae48; // 0x47ae52
								__eax = __bl & 0x000000ff;
								__eax = __bl & 0x000000ff & __esi;
							} else {
								__eax = __bl & 0x000000ff;
								__eax = L0043FB6A(__ecx, __esi, __bl & 0x000000ff, __esi);
								_pop(__ecx);
								_pop(__ecx);
								_push(1);
								_pop(__edx);
							}
							if(__eax == 0) {
								goto L46;
							}
							if(_v8 >= 0x19) {
								_v12 = _v12 + 1;
							} else {
								__eax = _v16;
								_v8 = _v8 + 1;
								__bl = __bl - 0x30;
								_v16 =  &(_v16[1]);
								 *_v16 = __bl;
							}
							__bl =  *__edi;
							__edi = __edi + 1;
							goto L38;
							L46:
							if(__bl !=  *0x47b118) {
								goto L58;
							}
							L47:
							__eax = __esi;
							goto L7;
						case 4:
							_v20 = __edx;
							_v40 = __edx;
							if(_v8 != 0) {
								L51:
								L51:
								if( *0x47b114 <= __edx) {
									__ecx =  *0x47ae48; // 0x47ae52
									__eax = __bl & 0x000000ff;
									__eax = __bl & 0x000000ff & __esi;
								} else {
									__eax = __bl & 0x000000ff;
									__eax = L0043FB6A(__ecx, __esi, __bl & 0x000000ff, __esi);
									_pop(__ecx);
									_pop(__ecx);
									_push(1);
									_pop(__edx);
								}
								if(__eax == 0) {
									goto L58;
								}
								if(_v8 < 0x19) {
									__eax = _v16;
									_v8 = _v8 + 1;
									__bl = __bl - 0x30;
									_v16 =  &(_v16[1]);
									_v12 = _v12 - 1;
									 *_v16 = __bl;
								}
								__bl =  *__edi;
								__edi = __edi + 1;
								goto L51;
								L58:
								if(__bl == 0x2b || __bl == 0x2d) {
									L31:
									__edi = __edi - 1;
									_push(0xb);
									goto L90;
								} else {
									L26:
									if(__bl <= 0x43 || __bl > 0x45 && (__bl <= 0x63 || __bl > 0x65)) {
										goto L109;
									} else {
										_push(6);
										goto L90;
									}
								}
							}
							while(__bl == 0x30) {
								_v12 = _v12 - 1;
								__bl =  *__edi;
								__edi = __edi + 1;
							}
							goto L51;
						case 5:
							_v40 = __edx;
							if( *0x47b114 <= __edx) {
								__ecx =  *0x47ae48; // 0x47ae52
								__eax = __bl & 0x000000ff;
								__eax = __bl & 0x000000ff & __esi;
							} else {
								__eax = __bl & 0x000000ff;
								__eax = L0043FB6A(__ecx, __esi, __bl & 0x000000ff, __esi);
								_pop(__ecx);
								_pop(__ecx);
								_push(1);
								_pop(__edx);
							}
							if(__eax == 0) {
								goto L94;
							} else {
								__eax = __esi;
								goto L82;
							}
						case 6:
							_t51 = __edi - 2; // 0x0
							__ecx = _t51;
							_a12 = __ecx;
							if(__bl < 0x31 || __bl > 0x39) {
								__eax = __bl;
								__eax = __bl - 0x2b;
								if(__eax == 0) {
									goto L89;
								}
								__eax = __eax - 1;
								__eax = __eax - 1;
								if(__eax == 0) {
									goto L88;
								}
								if(__eax != 0) {
									goto L110;
								}
								goto L71;
							} else {
								goto L80;
							}
						case 7:
							if(__bl < 0x31 || __bl > 0x39) {
								if(__bl != 0x30) {
									L94:
									__edi = _a12;
									goto L111;
								}
								L71:
								_push(8);
								goto L90;
							} else {
								goto L80;
							}
						case 8:
							_v36 = __edx;
							while(__bl == 0x30) {
								__bl =  *__edi;
								__edi = __edi + 1;
							}
							if(__bl < 0x31 || __bl > 0x39) {
								goto L109;
							} else {
								L80:
								_push(9);
								L81:
								_pop(_t121);
								L82:
								_t148 = _t148 - 1;
								goto L7;
							}
						case 9:
							_v36 = 1;
							__esi = 0;
							L96:
							L96:
							if( *0x47b114 <= 1) {
								__ecx =  *0x47ae48; // 0x47ae52
								__eax = __bl & 0x000000ff;
								__eax = __bl & 4;
							} else {
								__eax = __bl & 0x000000ff;
								__eax = L0043FB6A(__ecx, __esi, __bl & 0x000000ff, 4);
								_pop(__ecx);
								_pop(__ecx);
							}
							if(__eax == 0) {
								goto L103;
							}
							__ecx = __bl;
							_t66 = (__esi + __esi * 4) * 2; // -44
							__esi = __ecx + _t66 - 0x30;
							if(__esi > 0x1450) {
								__esi = 0x1451;
								goto L103;
							}
							__bl =  *__edi;
							__edi = __edi + 1;
							goto L96;
							L103:
							_v32 = __esi;
							L104:
							L104:
							if( *0x47b114 <= 1) {
								__ecx =  *0x47ae48; // 0x47ae52
								__eax = __bl & 0x000000ff;
								__eax = __bl & 4;
							} else {
								__eax = __bl & 0x000000ff;
								__eax = L0043FB6A(__ecx, __esi, __bl & 0x000000ff, 4);
								_pop(__ecx);
								_pop(__ecx);
							}
							if(__eax == 0) {
								goto L109;
							}
							__bl =  *__edi;
							__edi = __edi + 1;
							goto L104;
							L109:
							_t148 = _t148 - 1;
							goto L111;
						case 0xa:
							goto L92;
						case 0xb:
							if(_a28 == 0) {
								_push(0xa);
								__edi = __edi - 1;
								_pop(__eax);
								goto L92;
							}
							__eax = __bl;
							_t55 = __edi - 1; // 0x1
							__ecx = _t55;
							__eax = __bl - 0x2b;
							_a12 = __ecx;
							if(__eax == 0) {
								L89:
								_push(7);
								L90:
								_pop(_t121);
								goto L7;
							}
							__eax = __eax - 1;
							if(__eax != 0) {
								L110:
								__edi = __ecx;
								L111:
								 *_a8 = _t148;
								if(_v20 == 0) {
									_t147 = 0;
									_t123 = 0;
									_t150 = 0;
									_t142 = 0;
									_v24 = 4;
									L138:
									_t144 = _a4;
									_t144[1] = _t150;
									_t144[0] = _t142;
									_t144[2] = _t123 | _v44;
									 *_t144 = _t147;
									return _v24;
								}
								_push(0x18);
								_pop(_t126);
								if(_v8 <= _t126) {
									_t127 = _v16;
								} else {
									if(_v73 >= 5) {
										_v73 = _v73 + 1;
									}
									_v8 = _t126;
									_t127 = _v16 - 1;
									_v12 = _v12 + 1;
								}
								if(_v8 <= 0) {
									_t147 = 0;
									_t123 = 0;
									_t150 = 0;
									_t142 = 0;
									goto L129;
								} else {
									while(1) {
										_t127 = _t127 - 1;
										if( *_t127 != 0) {
											break;
										}
										_v8 = _v8 - 1;
										_v12 = _v12 + 1;
									}
									E0044402D(_t148,  &_v96, _v8,  &_v68);
									_t131 = _v32;
									if(_v28 < 0) {
										_t131 =  ~_t131;
									}
									_t132 = _t131 + _v12;
									if(_v36 == 0) {
										_t132 = _t132 + _a20;
									}
									if(_v40 == 0) {
										_t132 = _t132 - _a24;
									}
									if(_t132 <= 0x1450) {
										if(_t132 >= 0xffffebb0) {
											L00444B88( &_v68, _t132, _a16);
											_t147 = _v68;
											_t142 = _v66;
											_t150 = _v62;
											_t123 = _v58;
											goto L129;
										}
										_v52 = 1;
										goto L128;
									} else {
										_v48 = 1;
										L128:
										_t142 = _a12;
										_t150 = _a12;
										_t123 = _a12;
										_t147 = _a12;
										L129:
										if(_v48 == 0) {
											if(_v52 != 0) {
												_t147 = 0;
												_t123 = 0;
												_t150 = 0;
												_t142 = 0;
												_v24 = 1;
											}
										} else {
											_t142 = 0;
											_t123 = 0x7fff;
											_t150 = 0x80000000;
											_t147 = 0;
											_v24 = 2;
										}
										goto L138;
									}
								}
							}
							L88:
							_v28 = _v28 | 0xffffffff;
							_push(7);
							_pop(__eax);
							goto L7;
					}
				}
				L92:
				if(_t121 == 0xa) {
					goto L111;
				}
				goto L7;
			}

0x004440fd
0x00444105
0x00444108
0x0044410a
0x0044410b
0x0044410e
0x00444111
0x00444114
0x00444117
0x0044411a
0x0044411d
0x00444120
0x00444123
0x00444126
0x00444129
0x0044412c
0x0044412f
0x0044412f
0x00444134
0x00444145
0x00000000
0x00444145
0x00444148
0x0044414b
0x0044414b
0x0044414b
0x0044414d
0x00444151
0x00000000
0x00000000
0x00444157
0x00000000
0x00444161
0x00444175
0x00444181
0x00444184
0x004441a4
0x004441a8
0x004441aa
0x00000000
0x004441aa
0x00444187
0x00444188
0x00444198
0x0044419a
0x004441a1
0x00000000
0x004441a1
0x0044418d
0x00000000
0x00000000
0x00000000
0x00444193
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004441b0
0x004441b3
0x004441c0
0x00000000
0x00000000
0x004441c9
0x00000000
0x004441d0
0x004441d3
0x00000000
0x00000000
0x00000000
0x004441d3
0x00000000
0x00000000
0x00000000
0x00000000
0x00444207
0x00444218
0x00444177
0x00444177
0x00000000
0x00444177
0x00444221
0x00000000
0x00000000
0x00444227
0x00444227
0x00000000
0x00444168
0x00444168
0x00444168
0x00000000
0x00444168
0x00000000
0x0044422e
0x00000000
0x00444231
0x00444237
0x0044424a
0x00444250
0x00444256
0x00444239
0x00444239
0x0044423e
0x00444243
0x00444244
0x00444245
0x00444247
0x00444247
0x0044425a
0x00000000
0x00000000
0x00444260
0x00444272
0x00444262
0x00444262
0x00444265
0x00444268
0x0044426b
0x0044426e
0x0044426e
0x00444275
0x00444277
0x00000000
0x0044427a
0x00444280
0x00000000
0x00000000
0x00444282
0x00444282
0x00000000
0x00000000
0x0044428d
0x00444290
0x00444293
0x00000000
0x004442a2
0x004442a8
0x004442bb
0x004442c1
0x004442c7
0x004442aa
0x004442aa
0x004442af
0x004442b4
0x004442b5
0x004442b6
0x004442b8
0x004442b8
0x004442cb
0x00000000
0x00000000
0x004442d1
0x004442d3
0x004442d6
0x004442d9
0x004442dc
0x004442df
0x004442e2
0x004442e2
0x004442e4
0x004442e6
0x00000000
0x004442e9
0x004442ec
0x004441fc
0x004441fc
0x004441fd
0x00000000
0x004442fb
0x004441d5
0x004441d8
0x00000000
0x004441f5
0x004441f5
0x00000000
0x004441f5
0x004441d8
0x004442ec
0x00444295
0x0044429a
0x0044429d
0x0044429f
0x0044429f
0x00000000
0x00000000
0x00444306
0x00444309
0x0044431c
0x00444322
0x00444328
0x0044430b
0x0044430b
0x00444310
0x00444315
0x00444316
0x00444317
0x00444319
0x00444319
0x0044432c
0x00000000
0x00444332
0x00444332
0x00000000
0x00444332
0x00000000
0x00444336
0x00444336
0x0044433c
0x0044433f
0x00444346
0x00444349
0x0044434c
0x00000000
0x00000000
0x0044434e
0x0044434f
0x00444350
0x00000000
0x00000000
0x00444355
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00444383
0x00444396
0x004443dc
0x004443dc
0x00000000
0x004443dc
0x0044435b
0x0044435b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0044435f
0x00444362
0x00444367
0x00444369
0x00444369
0x0044436f
0x00000000
0x0044437e
0x0044438a
0x0044438a
0x0044438c
0x0044438c
0x0044438d
0x0044438d
0x00000000
0x0044438d
0x00000000
0x004443e4
0x004443eb
0x00000000
0x004443ed
0x004443f4
0x00444405
0x0044440b
0x00444411
0x004443f6
0x004443f6
0x004443fc
0x00444401
0x00444402
0x00444402
0x00444416
0x00000000
0x00000000
0x00444418
0x0044441e
0x0044441e
0x00444428
0x0044442f
0x00000000
0x0044442f
0x0044442a
0x0044442c
0x00000000
0x00444434
0x00444434
0x00000000
0x00444437
0x0044443e
0x0044444f
0x00444455
0x0044445b
0x00444440
0x00444440
0x00444446
0x0044444b
0x0044444c
0x0044444c
0x00444460
0x00000000
0x00000000
0x00444462
0x00444464
0x00000000
0x00444467
0x00444467
0x00000000
0x00000000
0x00000000
0x00000000
0x0044439e
0x004443ca
0x004443cc
0x004443cd
0x00000000
0x004443cd
0x004443a0
0x004443a3
0x004443a3
0x004443a6
0x004443a9
0x004443ac
0x004443c2
0x004443c2
0x004443c4
0x004443c4
0x00000000
0x004443c4
0x004443ae
0x004443b0
0x0044446a
0x0044446a
0x0044446c
0x00444473
0x00444475
0x00444554
0x00444556
0x00444558
0x0044455a
0x0044455c
0x0044457a
0x0044457a
0x00444581
0x00444584
0x00444587
0x0044458f
0x00444594
0x00444594
0x0044447b
0x0044447d
0x00444481
0x00444498
0x00444483
0x00444487
0x00444489
0x00444489
0x0044448c
0x00444492
0x00444493
0x00444493
0x0044449f
0x0044454a
0x0044454c
0x0044454e
0x00444550
0x00000000
0x004444a5
0x004444a5
0x004444a5
0x004444a9
0x00000000
0x00000000
0x004444ab
0x004444ae
0x004444ae
0x004444be
0x004444c3
0x004444ce
0x004444d0
0x004444d0
0x004444d2
0x004444d8
0x004444da
0x004444da
0x004444e0
0x004444e2
0x004444e2
0x004444ea
0x00444521
0x00444534
0x00444539
0x0044453c
0x0044453f
0x00444542
0x00000000
0x00444545
0x00444523
0x00000000
0x004444ec
0x004444ec
0x004444f3
0x004444f3
0x004444f6
0x004444f9
0x004444fc
0x004444ff
0x00444503
0x00444569
0x0044456b
0x0044456d
0x0044456f
0x00444571
0x00444573
0x00444573
0x00444505
0x00444505
0x00444507
0x0044450c
0x00444511
0x00444513
0x00444513
0x00000000
0x00444503
0x004444ea
0x0044449f
0x004443b6
0x004443b6
0x004443ba
0x004443bc
0x00000000
0x00000000
0x00444157
0x004443ce
0x004443d1
0x00000000
0x00000000
0x00000000

Strings

-, xrefs: 004442F2
0, xrefs: 00444295
e, xrefs: 004441EC
0, xrefs: 00444393
c, xrefs: 004441E3
9, xrefs: 00444375
0, xrefs: 00444362
0, xrefs: 004441D0
+, xrefs: 004442E9
9, xrefs: 00444163
-, xrefs: 004441CB
1, xrefs: 00444339
9, xrefs: 00444209
E, xrefs: 004441DE
9, xrefs: 004441B5
9, xrefs: 00444385
0, xrefs: 0044421E
+, xrefs: 004441C6
9, xrefs: 00444341
1, xrefs: 0044436C
C, xrefs: 004441D5

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID:
String ID: +$+$-$-$0$0$0$0$0$1$1$9$9$9$9$9$9$C$E$c$e
API String ID: 0-1157002505
Opcode ID: 0bbb0f54c55434fe078d3b51347a4f0b77ead528a3d45affcc4aca7fa93d5e5d
Instruction ID: 2ec520d69e0ad577a5a02299e17c35d58155d1c7a8b0ba7c57dfdbcca282df32
Opcode Fuzzy Hash: 0bbb0f54c55434fe078d3b51347a4f0b77ead528a3d45affcc4aca7fa93d5e5d
Instruction Fuzzy Hash: 18E1C031E44219DEFB25CE94C8167BEBBB1FBD4751F684067E801A6282C37C8982CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 00402AB2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 58
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402AB2(void** __ecx, struct HINSTANCE__* _a4, WCHAR* _a8, WCHAR* _a12) {
				void* _t12;
				long _t13;
				void* _t14;
				struct HRSRC__* _t23;
				void** _t24;

				_t24 = __ecx;
				 *((intOrPtr*)(__ecx + 8)) = 0;
				_t23 = FindResourceW(_a4, _a8, _a12);
				if(_t23 == 0) {
					L0043BD6A(0, 0);
				}
				_t12 = LoadResource(_a4, _t23);
				_a12 = _t12;
				if(_t12 == 0) {
					L0043BD6A(0, 0);
				}
				_t13 = SizeofResource(_a4, _t23);
				_t24[1] = _t13;
				if(_t13 == 0) {
					_t13 = L0043BD6A(0, 0);
				}
				_t14 = GlobalAlloc(0x40, _t13);
				 *_t24 = _t14;
				if(_t14 == 0) {
					L0043BD6A(0, 0);
				}
				L0043B670( *_t24, LockResource(_a12), _t24[1]);
				return _t24;
			}

0x00402ab8
0x00402abf
0x00402ace
0x00402ad2
0x00402ad6
0x00402ad6
0x00402adf
0x00402ae7
0x00402aea
0x00402aee
0x00402aee
0x00402af7
0x00402aff
0x00402b02
0x00402b06
0x00402b06
0x00402b0e
0x00402b16
0x00402b18
0x00402b1c
0x00402b1c
0x00402b30
0x00402b3e

APIs

FindResourceW.KERNEL32(00000005,?,?,-00000004,?,00000000,puF,00403802,?,?,00000005,?), ref: 00402AC8
LoadResource.KERNEL32(00000005,00000000,?,00000000,puF,00403802,?,?,00000005,?), ref: 00402ADF
SizeofResource.KERNEL32(00000005,00000000,?,00000000,puF,00403802,?,?,00000005,?), ref: 00402AF7
GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,puF,00403802,?,?,00000005,?), ref: 00402B0E
LockResource.KERNEL32(?,?,?,00000000,puF,00403802,?,?,00000005,?), ref: 00402B27

Part of subcall function 0043BD6A: RaiseException.KERNEL32(0043B0A7,00000000,?,00468364,?,invalid string position,0043B0A7,00000000,00471E90,?,invalid string position), ref: 0043BD98

Strings

puF, xrefs: 00402AB2

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: Resource$AllocExceptionFindGlobalLoadLockRaiseSizeof
String ID: puF
API String ID: 808658091-1715984468
Opcode ID: 015b9aee961ed3311c945d37132cf77e83b262f23c1e2e64b20ca66fec7a2ce6
Instruction ID: e0fb676ac3f82d52ea8f38c38b124a29706553ce5c65978661f60f7d18683566
Opcode Fuzzy Hash: 015b9aee961ed3311c945d37132cf77e83b262f23c1e2e64b20ca66fec7a2ce6
Instruction Fuzzy Hash: A70184B1200205BFDB212F65DC89D5F7F6DFB54389B40483AF546D1171D7B58C509B64

Uniqueness

Uniqueness Score: -1.00%

Function 0040E346 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 72
stringCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E0040E346(long _a4, union _ULARGE_INTEGER* _a8, union _ULARGE_INTEGER* _a12, union _ULARGE_INTEGER* _a16, signed int* _a20) {
				long _v8;
				long _v12;
				long _v16;
				void _v534;
				short _v536;
				signed short _v1050;
				short _v1052;
				short _v1054;
				char _v1056;
				WCHAR* _t33;
				WCHAR* _t35;
				WCHAR* _t37;
				int _t38;
				void* _t40;
				short _t47;
				int _t58;

				_v536 = _v536 & 0x00000000;
				memset( &_v534, 0, 0x81 << 2);
				asm("stosw");
				_t33 = _a4;
				_t47 =  *_t33;
				if(_t47 != 0x5c || _t33[1] != _t47) {
					_v1050 = _v1050 & 0x00000000;
					_v1056 = _t47;
					_v1054 = _t33[1];
					_v1052 = 0x5c;
				} else {
					lstrcpyW( &_v536, _t33);
					lstrcatW( &_v536, 0x4764fc);
				}
				_t35 =  &_v536;
				if(_v536 == 0) {
					_t35 =  &_v1056;
				}
				_t58 = GetDiskFreeSpaceExW(_t35, _a8, _a12, _a16);
				_t37 =  &_v536;
				if(_v536 == 0) {
					_t37 =  &_v1056;
				}
				_t38 = GetDiskFreeSpaceW(_t37,  &_a4,  &_v8,  &_v12,  &_v16);
				if(_t38 != 0) {
					 *_a20 = _a4 * _v8;
				}
				if(_t58 == 0 || _t38 == 0) {
					return 0;
				} else {
					_t40 = 1;
					return _t40;
				}
			}

0x0040e34f
0x0040e365
0x0040e367
0x0040e369
0x0040e36c
0x0040e373
0x0040e3a1
0x0040e3a9
0x0040e3b0
0x0040e3b7
0x0040e37b
0x0040e383
0x0040e395
0x0040e395
0x0040e3c8
0x0040e3ce
0x0040e3d0
0x0040e3d0
0x0040e3ee
0x0040e3f0
0x0040e3f6
0x0040e3f8
0x0040e3f8
0x0040e40f
0x0040e417
0x0040e423
0x0040e423
0x0040e428
0x0040e436
0x0040e42e
0x0040e430
0x0040e432
0x0040e432

APIs

lstrcpyW.KERNEL32 ref: 0040E383
lstrcatW.KERNEL32(00000000,004764FC), ref: 0040E395
GetDiskFreeSpaceExW.KERNEL32(00000000,?,00000000,00000000), ref: 0040E3E0
GetDiskFreeSpaceW.KERNEL32(00000000,?,?,?,?), ref: 0040E40F

Strings

\, xrefs: 0040E3B7

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: DiskFreeSpace$lstrcatlstrcpy
String ID: \
API String ID: 2422268474-2967466578
Opcode ID: 1ef5bab4a2792b020b071cc72bdb95e3dcb824886920a405cd7d38d30f259d36
Instruction ID: b102ff9f7d8b82a0c0ff286431a035ce0138cca89f588378b93f999a3587f022
Opcode Fuzzy Hash: 1ef5bab4a2792b020b071cc72bdb95e3dcb824886920a405cd7d38d30f259d36
Instruction Fuzzy Hash: AF21517290020DDACF14DF50CC58ADB7779AF14300F0084EAE909A7290E7749B98CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00440667 Relevance: 1.5, Strings: 1, Instructions: 259COMMON

Download Yara Rule

Strings

D@, xrefs: 00440667

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID:
String ID: D@
API String ID: 0-116940557
Opcode ID: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
Instruction ID: 88ee11017e25bdd96def09ff2f504f04c390873418854124ed72776d04a3835a
Opcode Fuzzy Hash: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
Instruction Fuzzy Hash: E5B17B7590020ADFEB15CF04C5D0AA9BBA1BF48318F24C1AEC94A5B342C735FA56CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0043EA61 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 0043EA66

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 882e32fdb24c96964450438d930015c8e548e17db076d601df4bb9eead956dfe
Instruction ID: 15823b2751769b2788e16018a95d787dbf752b88469af08e62f7c7298d047ee3
Opcode Fuzzy Hash: 882e32fdb24c96964450438d930015c8e548e17db076d601df4bb9eead956dfe
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 004068FF Relevance: 58.1, APIs: 26, Strings: 7, Instructions: 315
windowCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E004068FF() {
				intOrPtr _t73;
				void* _t76;
				WCHAR* _t77;
				struct HWND__* _t83;
				WCHAR* _t84;
				WCHAR* _t87;
				WCHAR* _t95;
				int _t100;
				int _t116;
				WCHAR* _t119;
				WCHAR* _t124;
				WCHAR* _t128;
				void* _t135;
				WCHAR* _t140;
				void* _t143;
				WCHAR* _t144;
				int _t156;
				struct HWND__* _t165;
				struct HWND__* _t166;
				WCHAR* _t169;
				int* _t170;
				int* _t172;
				WCHAR* _t173;
				WCHAR* _t174;
				WCHAR* _t178;
				struct HWND__* _t183;
				int _t187;
				void* _t191;
				void* _t192;
				void* _t194;
				void* _t195;
				int _t197;

				L0043B644(0x45f76e, _t192);
				_t195 = _t194 - 0xa4;
				_t73 =  *((intOrPtr*)(_t192 + 0xc));
				if(_t73 == 0) {
					DeleteObject( *0x47e1c4);
					__eflags = 0;
					 *0x47e1c8 = 0;
					 *0x47e1cc = 0;
					L38:
					__eflags = 0;
					L39:
					 *[fs:0x0] =  *((intOrPtr*)(_t192 - 0xc));
					return 0;
				}
				_t76 = _t73 - 0x10e;
				if(_t76 == 0) {
					_t77 =  *(_t192 + 0x14);
					_t183 =  *(_t192 + 8);
					 *0x47e1d8 = _t77;
					 *((intOrPtr*)( *(_t77[0x64]) + 0x5c))(GetDlgItem(_t183, 0x3e9), GetDlgItem(_t183, 0x3eb));
					_t83 =  *0x47e1d4; // 0x2380b70
					 *0x47e1c8 = _t183;
					 *(_t192 + 8) = _t83;
					_t197 = _t195 - 0x28;
					_t84 = L"PrereqDialog";
					_t156 = _t197;
					 *(_t192 - 0x10) = _t197;
					__eflags = _t84;
					 *((intOrPtr*)(_t192 - 4)) = 0;
					 *_t156 = 0x46757c;
					 *((intOrPtr*)(_t156 + 0x20)) = 0x467574;
					if(_t84 == 0) {
						_t84 = 0x47e150;
					}
					_push(0);
					_push(_t192 + 0xf);
					_push(_t84);
					L0040176A(_t156);
					_push(_t183);
					E00406E05(_t192 + 8, __eflags);
					_t87 =  *0x47e1d8; // 0x0
					L00406F7B(_t183,  &(_t87[0xac]));
					L00406FE1(_t192 + 8, _t183,  *( *(_t192 + 8) + 0x48) & 0x0000ffff, 0x47e1c4);
					_push(0);
					_push(_t192 - 0x60);
					_t95 =  *(E00403CE5(_t192 + 8, __eflags) + 8);
					__eflags = _t95;
					if(_t95 == 0) {
						_t95 = 0x467570;
					}
					SetWindowTextW(_t183, _t95);
					L0040125C(_t192 - 0x60);
					_t187 =  *0x47e1c4; // 0x0
					L004070AD(_t192 + 8, __eflags, _t183, 9, 0x46b);
					SendDlgItemMessageW(_t183, 9, 0x30, _t187, 0);
					_t100 =  *0x47e1c4; // 0x0
					 *(_t192 - 0x10) = _t100;
					L004070AD(_t192 + 8, __eflags, _t183, 1, 0x46d);
					SendDlgItemMessageW(_t183, 1, 0x30,  *(_t192 - 0x10), 0);
					SendDlgItemMessageW(_t183, 0x3eb, 0x30,  *0x47e1c4, 0);
					SendDlgItemMessageW(_t183, 0x3e9, 0x30,  *0x47e1c4, 0);
					SendDlgItemMessageW(_t183, 0x3ed, 0x30,  *0x47e1c4, 0);
					SendDlgItemMessageW(_t183, 0x3ec, 0x30,  *0x47e1c4, 0);
					SendDlgItemMessageW(_t183, 0x40a, 0x30,  *0x47e1c4, 0);
					SendDlgItemMessageW(_t183, 0x3ee, 0x30,  *0x47e1c4, 0);
					SendDlgItemMessageW(_t183, 0x40b, 0x30,  *0x47e1c4, 0);
					ShowWindow(GetDlgItem(_t183, 0x12d), 0);
					 *((intOrPtr*)(_t192 - 0x38)) = 0x4675d8;
					_push(0);
					_push(_t192 + 0x13);
					 *((intOrPtr*)(_t192 - 0x18)) = 0x4675d0;
					L0040B243(_t192 - 0x38);
					_t165 =  *0x47e1d4; // 0x2380b70
					_push(_t192 - 0xb0);
					 *((char*)(_t192 - 4)) = 1;
					_t116 =  *(L00406D18(_t165) + 8);
					 *((char*)(_t192 - 4)) = 2;
					__eflags = _t116;
					 *(_t192 - 0x10) = 0x467570;
					if(__eflags != 0) {
						 *(_t192 - 0x10) = _t116;
					}
					_t166 =  *0x47e1d4; // 0x2380b70
					_push(0x674);
					_push(_t192 - 0x88);
					_t119 =  *(E00403E82(_t166, __eflags) + 8);
					 *((char*)(_t192 - 4)) = 3;
					__eflags = _t119;
					if(_t119 == 0) {
						_t119 = 0x467570;
					}
					_t53 = _t192 - 0x10; // 0x467570
					L0040AF38(_t192 - 0x38, _t119,  *_t53);
					 *((char*)(_t192 - 4)) = 2;
					L0040125C(_t192 - 0x88);
					 *((char*)(_t192 - 4)) = 1;
					L0040125C(_t192 - 0xb0);
					_t124 =  *(_t192 - 0x30);
					__eflags = _t124;
					if(__eflags == 0) {
						_t124 = 0x4675e4;
					}
					SetWindowTextW(GetDlgItem(_t183, 0x3ee), _t124);
					_t169 =  *0x47e1d8; // 0x0
					_push(_t183);
					L004070EA(_t169, __eflags);
					_t128 =  *0x47e1d8; // 0x0
					__eflags = _t128[0x80];
					if(_t128[0x80] != 0) {
						__eflags = _t128[0x7e] - 2;
						_t62 =  &(_t128[0x7e]); // 0xfc
						_t172 = _t62;
						if(_t128[0x7e] == 2) {
							 *_t172 = 1;
							_t128 =  *0x47e1d8; // 0x0
						}
					}
					_t64 =  &(_t128[0x7e]); // 0xfc
					_t170 = _t64;
					_t178 = _t128[0x7e];
					__eflags = _t178;
					if(_t178 == 0) {
						L33:
						PostMessageW(_t183, 0x111, 1, 0);
						_t128 =  *0x47e1d8; // 0x0
						goto L34;
					} else {
						__eflags = _t178 != 0;
						if(_t178 != 0) {
							L34:
							__eflags = _t128[0x80];
							if(_t128[0x80] != 0) {
								SendMessageW(GetDlgItem(_t183, 1), 0x160c, 0, 1);
							}
							 *((char*)(_t192 - 4)) = 0;
							E004061C1(_t192 - 0x38);
							L16:
							_push(1);
							_pop(0);
							goto L39;
						}
						 *_t170 = 1;
						goto L33;
					}
				}
				if(_t76 != 1) {
					goto L38;
				}
				_t135 = ( *(_t192 + 0x10) & 0x0000ffff) - 1;
				if(_t135 == 0) {
					EnableWindow(GetDlgItem( *(_t192 + 8), 1), 0);
					ShowWindow(GetDlgItem( *(_t192 + 8), 0x12d), 5);
					_t140 =  *0x47e1d8; // 0x0
					_t191 = 6;
					__eflags = _t140[0x7c];
					if(_t140[0x7c] == 0) {
						_t140[0x66] = 1;
						 *(_t192 + 0x14) = 0;
						_t173 =  *0x47e1d8; // 0x0
						 *((intOrPtr*)(_t192 - 4)) = 4;
						_t143 = E004075CC(_t173, _t192 + 0x14);
						__eflags =  *(_t192 + 0x14);
						_t191 = _t143;
						if( *(_t192 + 0x14) != 0) {
							_push( *(_t192 + 0x14));
							L0042C8A6();
						}
						_t144 =  *0x47e1d8; // 0x0
						_t144[0x66] = 0;
					}
					_push(_t191);
					L15:
					EndDialog( *(_t192 + 8), ??);
					goto L16;
				}
				if(_t135 != 8) {
					goto L38;
				}
				_t174 =  *0x47e1d8; // 0x0
				if(_t174[0x66] == 0) {
					_push(9);
					goto L15;
				} else {
					if(_t174[0x66] == 0) {
						_push( *(_t192 + 8));
						E0040A4B6(_t174, __eflags);
					} else {
						 *0x47e1d0 = 1;
					}
					goto L16;
				}
			}

0x00406904
0x00406909
0x00406915
0x00406917
0x00406cf1
0x00406cf7
0x00406cf9
0x00406cff
0x00406d05
0x00406d05
0x00406d07
0x00406d0c
0x00406d15
0x00406d15
0x0040691d
0x00406922
0x004069fa
0x004069fd
0x00406a06
0x00406a30
0x00406a33
0x00406a38
0x00406a3e
0x00406a41
0x00406a44
0x00406a49
0x00406a4f
0x00406a52
0x00406a54
0x00406a57
0x00406a5d
0x00406a64
0x00406a66
0x00406a66
0x00406a6e
0x00406a6f
0x00406a70
0x00406a71
0x00406a76
0x00406a7a
0x00406a7f
0x00406a8e
0x00406aa4
0x00406aac
0x00406aad
0x00406ab6
0x00406ab9
0x00406abb
0x00406abd
0x00406abd
0x00406ac4
0x00406acd
0x00406ad2
0x00406ae3
0x00406af5
0x00406af7
0x00406b07
0x00406b0a
0x00406b18
0x00406b29
0x00406b3a
0x00406b4b
0x00406b5c
0x00406b6d
0x00406b7e
0x00406b8f
0x00406ba1
0x00406ba7
0x00406bb1
0x00406bb2
0x00406bb6
0x00406bbd
0x00406bc2
0x00406bce
0x00406bcf
0x00406bd8
0x00406bdb
0x00406bdf
0x00406be1
0x00406be8
0x00406bea
0x00406bea
0x00406bed
0x00406bf9
0x00406bfe
0x00406c04
0x00406c07
0x00406c0b
0x00406c0d
0x00406c0f
0x00406c0f
0x00406c14
0x00406c1c
0x00406c2a
0x00406c2e
0x00406c39
0x00406c3d
0x00406c42
0x00406c45
0x00406c47
0x00406c49
0x00406c49
0x00406c58
0x00406c5e
0x00406c64
0x00406c65
0x00406c6a
0x00406c6f
0x00406c75
0x00406c77
0x00406c7e
0x00406c7e
0x00406c84
0x00406c86
0x00406c8c
0x00406c8c
0x00406c84
0x00406c97
0x00406c97
0x00406c9d
0x00406c9d
0x00406c9f
0x00406cab
0x00406cb4
0x00406cba
0x00000000
0x00406ca1
0x00406ca2
0x00406ca3
0x00406cbf
0x00406cbf
0x00406cc5
0x00406cd5
0x00406cd5
0x00406cde
0x00406ce1
0x004069f2
0x004069f2
0x004069f4
0x00000000
0x004069f4
0x00406ca5
0x00000000
0x00406ca5
0x00406c9f
0x00406929
0x00000000
0x00000000
0x00406933
0x00406934
0x00406985
0x00406998
0x0040699e
0x004069a5
0x004069a6
0x004069ac
0x004069ae
0x004069b5
0x004069b8
0x004069c2
0x004069c9
0x004069ce
0x004069d1
0x004069d3
0x004069d5
0x004069d8
0x004069d8
0x004069dd
0x004069e2
0x004069e2
0x004069e8
0x004069e9
0x004069ec
0x00000000
0x004069ec
0x00406939
0x00000000
0x00000000
0x0040693f
0x0040694d
0x00406970
0x00000000
0x0040694f
0x00406955
0x00406963
0x00406966
0x00406957
0x00406957
0x00406957
0x00000000
0x00406955

APIs

__EH_prolog.LIBCMT ref: 00406904
GetDlgItem.USER32 ref: 00406982
EnableWindow.USER32(00000000), ref: 00406985
GetDlgItem.USER32 ref: 00406995
ShowWindow.USER32(00000000), ref: 00406998
EndDialog.USER32(?,00000006), ref: 004069EC
GetDlgItem.USER32 ref: 00406A19
GetDlgItem.USER32 ref: 00406A22
SetWindowTextW.USER32(?,?), ref: 00406AC4
SendDlgItemMessageW.USER32 ref: 00406AF5
SendDlgItemMessageW.USER32 ref: 00406B18
SendDlgItemMessageW.USER32 ref: 00406B29
SendDlgItemMessageW.USER32 ref: 00406B3A
SendDlgItemMessageW.USER32 ref: 00406B4B
SendDlgItemMessageW.USER32 ref: 00406B5C
SendDlgItemMessageW.USER32 ref: 00406B6D
SendDlgItemMessageW.USER32 ref: 00406B7E
SendDlgItemMessageW.USER32 ref: 00406B8F
GetDlgItem.USER32 ref: 00406B9E
ShowWindow.USER32(00000000), ref: 00406BA1
GetDlgItem.USER32 ref: 00406C55
SetWindowTextW.USER32(00000000), ref: 00406C58
PostMessageW.USER32(?,00000111,00000001,00000000), ref: 00406CB4
GetDlgItem.USER32 ref: 00406CD2
SendMessageW.USER32(00000000), ref: 00406CD5
DeleteObject.GDI32 ref: 00406CF1

Strings

PG, xrefs: 00406A66
tuF, xrefs: 00406A5D
puF, xrefs: 00406C0F
PrereqDialog, xrefs: 00406A44, 00406A70
puF, xrefs: 00406C14
uF, xrefs: 00406C49
puF, xrefs: 00406ABD

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: Item$Message$Send$Window$ShowText$DeleteDialogEnableH_prologObjectPost
String ID: PrereqDialog$PG$puF$puF$puF$tuF$uF
API String ID: 706423871-2956009368
Opcode ID: dbd84b1f636e293379719c9779c9d9cd015d7b69db3fed5d795ab33d2d982476
Instruction ID: d9561defcba5d4faabc57547103d5e861bc673a18999ec3eafc9e73c9b888f9d
Opcode Fuzzy Hash: dbd84b1f636e293379719c9779c9d9cd015d7b69db3fed5d795ab33d2d982476
Instruction Fuzzy Hash: 2DB1D670604204BFEB11DF55DC86FAE3B78EB08704F0141BAF509AB2E1D7795984CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00438A6C Relevance: 37.0, APIs: 13, Strings: 8, Instructions: 227
registryfileCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00438A6C() {
				void* _t93;
				void* _t97;
				void* _t101;
				int _t106;
				intOrPtr* _t117;
				char** _t118;
				WCHAR* _t127;
				int _t128;
				WCHAR* _t130;
				intOrPtr* _t133;
				char** _t134;
				long _t138;
				void* _t140;
				signed int _t142;
				void* _t149;
				void* _t151;
				WCHAR* _t161;
				int* _t167;
				signed int _t172;
				void* _t175;
				void* _t177;
				void* _t178;

				L0043B644(0x464c61, _t175);
				_t178 = _t177 - 0x110;
				_t167 = 0;
				_t142 = 0;
				 *(_t175 - 0x20) = 0;
				 *(_t175 - 0x30) = 0;
				 *((intOrPtr*)(_t175 - 4)) = 0;
				if(E00437791() != 0) {
					L2:
					_t93 = 0x80000002;
					L3:
					 *(_t175 - 0x14) = _t167;
					if(RegOpenKeyExW(_t93, L"Software", _t167, 0x20019, _t175 - 0x14) != _t167) {
						L33:
						_t172 = _t142;
						if( *(_t175 - 0x20) != _t167) {
							RegCloseKey( *(_t175 - 0x20));
						}
						 *[fs:0x0] =  *((intOrPtr*)(_t175 - 0xc));
						return _t172;
					}
					_t97 = L00409079(_t175 - 0x20);
					_t149 =  *(_t175 - 0x14);
					 *(_t175 - 0x20) = _t149;
					if(_t97 != _t167) {
						goto L33;
					}
					 *(_t175 - 0x1c) = _t167;
					 *((char*)(_t175 - 4)) = 1;
					 *(_t175 - 0x14) = _t167;
					if(RegOpenKeyExW(_t149, L"InstallShieldPendingOperation", _t167, 0xf003f, _t175 - 0x14) != _t167) {
						L29:
						if( *(_t175 - 0x1c) != _t167) {
							RegCloseKey( *(_t175 - 0x1c));
						}
						if(_t142 > _t167) {
							_t142 = _t142 & 0x0000ffff | 0x80070000;
						}
						goto L33;
					}
					_t101 = L00409079(_t175 - 0x1c);
					_t151 =  *(_t175 - 0x14);
					 *(_t175 - 0x1c) = _t151;
					if(_t101 != _t167) {
						goto L29;
					} else {
						 *(_t175 - 0x24) = _t167;
						 *(_t175 - 0x18) = 4;
						if(RegQueryValueExW(_t151, L"Count", _t167, _t175 - 0x24, _t175 - 0x14, _t175 - 0x18) != _t167) {
							 *(_t175 - 0x14) = _t167;
						}
						_t106 = 1;
						 *(_t175 - 0x18) = _t106;
						if( *(_t175 - 0x14) < _t106) {
							L28:
							_push(L"InstallShieldPendingOperation");
							L0042F266(_t175 - 0x20, 0);
							goto L29;
						}
						do {
							_push(0);
							_push(_t175 - 0x29);
							 *((intOrPtr*)(_t175 - 0x5c)) = 0x4675a0;
							 *((intOrPtr*)(_t175 - 0x3c)) = 0x467598;
							L00401C68(_t175 - 0x5c);
							_push(0);
							_push(_t175 - 0x2a);
							 *((char*)(_t175 - 4)) = 2;
							 *((intOrPtr*)(_t175 - 0x84)) = 0x4675a0;
							 *((intOrPtr*)(_t175 - 0x64)) = 0x467598;
							L00401C68(_t175 - 0x84);
							 *((char*)(_t175 - 4)) = 3;
							 *(_t175 - 0x34) = 0x104;
							 *(_t175 - 0x24) = 0x104;
							wsprintfW(_t175 - 0xdc, L"dest%d",  *(_t175 - 0x18));
							wsprintfW(_t175 - 0x11c, L"source%d",  *(_t175 - 0x18));
							_t178 = _t178 + 0x18;
							_t117 = L0042CD98(_t175 - 0x84, _t175 - 0x9c, 0x104);
							 *((char*)(_t175 - 4)) = 4;
							 *((char*)(_t117 + 4)) = 1;
							_t118 = L00401E6C(_t117,  *_t117);
							 *(_t175 - 0x28) =  *(_t175 - 0x28) & 0x00000000;
							if(RegQueryValueExW( *(_t175 - 0x1c), _t175 - 0xdc, 0, _t175 - 0x28,  *_t118, _t175 - 0x24) != 0) {
								L14:
								_t65 = _t175 - 0xd;
								 *_t65 =  *(_t175 - 0xd) & 0x00000000;
								__eflags =  *_t65;
								goto L15;
							}
							_t133 = L0042CD98(_t175 - 0x5c, _t175 - 0x90, 0x104);
							 *((char*)(_t175 - 4)) = 5;
							 *((char*)(_t133 + 4)) = 1;
							_t134 = L00401E6C(_t133,  *_t133);
							 *(_t175 - 0x28) =  *(_t175 - 0x28) & 0x00000000;
							_t138 = RegQueryValueExW( *(_t175 - 0x1c), _t175 - 0x11c, 0, _t175 - 0x28,  *_t134, _t175 - 0x34);
							 *((char*)(_t175 - 4)) = 4;
							 *(_t175 - 0xd) = _t138 == 0;
							L00438D56(_t175 - 0x90);
							if( *(_t175 - 0xd) == 0) {
								goto L14;
							}
							 *(_t175 - 0xd) = 1;
							L15:
							 *((char*)(_t175 - 4)) = 3;
							L00438D56(_t175 - 0x9c);
							if( *(_t175 - 0xd) != 0) {
								if( *((intOrPtr*)(_t175 - 0x78)) != 0) {
									_t161 =  *(_t175 - 0x7c);
									__eflags = _t161;
									if(_t161 == 0) {
										_t161 = 0x467570;
									}
									_t127 =  *(_t175 - 0x54);
									__eflags = _t127;
									if(_t127 == 0) {
										_t127 = 0x467570;
									}
									_t128 = MoveFileExW(_t127, _t161, 1);
									__eflags = _t128;
									if(_t128 == 0) {
										 *(_t175 - 0x30) = GetLastError();
									}
								} else {
									_t130 =  *(_t175 - 0x54);
									if(_t130 == 0) {
										_t130 = 0x467570;
									}
									DeleteFileW(_t130);
								}
							}
							 *((char*)(_t175 - 4)) = 2;
							L0040125C(_t175 - 0x84);
							 *((char*)(_t175 - 4)) = 1;
							L0040125C(_t175 - 0x5c);
							 *(_t175 - 0x18) =  *(_t175 - 0x18) + 1;
						} while ( *(_t175 - 0x18) <=  *(_t175 - 0x14));
						_t142 =  *(_t175 - 0x30);
						_t167 = 0;
						goto L28;
					}
				}
				_t140 = L004377AD();
				_t93 = 0x80000001;
				if(_t140 == 0) {
					goto L3;
				}
				goto L2;
			}

0x00438a71
0x00438a76
0x00438a7f
0x00438a81
0x00438a83
0x00438a86
0x00438a89
0x00438a93
0x00438aa3
0x00438aa3
0x00438aa8
0x00438abe
0x00438ac5
0x00438d35
0x00438d38
0x00438d3a
0x00438d3f
0x00438d3f
0x00438d4d
0x00438d55
0x00438d55
0x00438ace
0x00438ad3
0x00438ad8
0x00438adb
0x00000000
0x00000000
0x00438ae1
0x00438ae7
0x00438af8
0x00438aff
0x00438d17
0x00438d1a
0x00438d1f
0x00438d1f
0x00438d27
0x00438d2f
0x00438d2f
0x00000000
0x00438d27
0x00438b08
0x00438b0d
0x00438b12
0x00438b15
0x00000000
0x00438b1b
0x00438b1e
0x00438b31
0x00438b40
0x00438b42
0x00438b42
0x00438b47
0x00438b4b
0x00438b4e
0x00438d0a
0x00438d0a
0x00438d12
0x00000000
0x00438d12
0x00438b64
0x00438b67
0x00438b69
0x00438b6d
0x00438b74
0x00438b77
0x00438b7f
0x00438b81
0x00438b88
0x00438b8c
0x00438b96
0x00438b99
0x00438ba7
0x00438bab
0x00438bb4
0x00438bb7
0x00438bcb
0x00438bcd
0x00438bde
0x00438be5
0x00438be9
0x00438bed
0x00438bfc
0x00438c15
0x00438c78
0x00438c78
0x00438c78
0x00438c78
0x00000000
0x00438c78
0x00438c22
0x00438c29
0x00438c2d
0x00438c31
0x00438c40
0x00438c51
0x00438c5f
0x00438c63
0x00438c67
0x00438c70
0x00000000
0x00000000
0x00438c72
0x00438c7c
0x00438c82
0x00438c86
0x00438c8f
0x00438c95
0x00438cac
0x00438caf
0x00438cb1
0x00438cb3
0x00438cb3
0x00438cb8
0x00438cbb
0x00438cbd
0x00438cbf
0x00438cbf
0x00438cc8
0x00438cce
0x00438cd0
0x00438cd8
0x00438cd8
0x00438c97
0x00438c97
0x00438c9c
0x00438c9e
0x00438c9e
0x00438ca4
0x00438ca4
0x00438c95
0x00438ce1
0x00438ce5
0x00438ced
0x00438cf1
0x00438cf6
0x00438cfc
0x00438d05
0x00438d08
0x00000000
0x00438d08
0x00438b15
0x00438a95
0x00438a9c
0x00438aa1
0x00000000
0x00000000
0x00000000

APIs

__EH_prolog.LIBCMT ref: 00438A71

Part of subcall function 00437791: GetVersion.KERNEL32(004377CE,0040F1B3,?,?,C:\CodeBases\isdev\src\Runtime\InstallScript\SetupNew\setup.cpp,?,00000001,00467574,00000000,0046757C), ref: 00437791

RegOpenKeyExW.ADVAPI32(80000002,Software,00000000,00020019,?,?), ref: 00438AC1
RegOpenKeyExW.ADVAPI32(?,InstallShieldPendingOperation,00000000,000F003F,?), ref: 00438AFB
RegQueryValueExW.ADVAPI32(?,Count,00000000,?,?,?), ref: 00438B38
wsprintfW.USER32 ref: 00438BB7
wsprintfW.USER32 ref: 00438BCB

Part of subcall function 004377AD: GetVersion.KERNEL32(004377D7,0040F1B3,?,?,C:\CodeBases\isdev\src\Runtime\InstallScript\SetupNew\setup.cpp,?,00000001,00467574,00000000,0046757C), ref: 004377AD

RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?,?,00000104), ref: 00438C0D
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000104), ref: 00438C51
DeleteFileW.KERNEL32(?), ref: 00438CA4
MoveFileExW.KERNEL32(?,?,00000001), ref: 00438CC8
GetLastError.KERNEL32 ref: 00438CD2
RegCloseKey.ADVAPI32(?), ref: 00438D1F
RegCloseKey.ADVAPI32(?), ref: 00438D3F

Strings

dest%d, xrefs: 00438BAE
source%d, xrefs: 00438BC5
puF, xrefs: 00438CB3
Count, xrefs: 00438B2B
InstallShieldPendingOperation, xrefs: 00438AF2, 00438D0A
puF, xrefs: 00438C9E
Software, xrefs: 00438AB8
puF, xrefs: 00438CBF

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: QueryValue$CloseFileOpenVersionwsprintf$DeleteErrorH_prologLastMove
String ID: Count$InstallShieldPendingOperation$Software$dest%d$puF$puF$puF$source%d
API String ID: 134854471-3397105757
Opcode ID: d891cffe774f47ebd00f05a4e7ca069f77db32458df1fd6632401ff74089b73d
Instruction ID: be25b272438b37a4a2aee4e71f156aab1125f5f27a6d89d0dea4fa3ee5c0804a
Opcode Fuzzy Hash: d891cffe774f47ebd00f05a4e7ca069f77db32458df1fd6632401ff74089b73d
Instruction Fuzzy Hash: 87917170D00249AEDF11DB95C885BEEFBB8AF59304F2040AFF505B7291EB785A44CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0045A7D2 Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 165
windowfileCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0045A7D2(void* __esi) {
				struct HDC__* __edi;
				int _t61;
				int _t66;
				struct HDC__* _t76;
				void* _t78;
				void* _t81;

				_t78 = __esi;
				if( *((intOrPtr*)(__esi + 0x18)) != 0) {
					if( *((intOrPtr*)(_t81 + 0x10)) == 0) {
						goto L17;
					} else {
						_t66 =  *(__esi + 0x24);
						if( *(_t81 + 0x1c) != _t66) {
							L22:
							SetStretchBltMode(_t76, 3);
							StretchBlt(_t76,  *(_t81 + 0x4c),  *(_t81 + 0x4c),  *(_t81 + 0x28),  *(_t81 + 0x1c),  *(_t81 + 0x48), 0, 0,  *(_t78 + 0x24),  *(_t78 + 0x28), 0xcc0020);
						} else {
							_t61 =  *(__esi + 0x28);
							if( *((intOrPtr*)(_t81 + 0x14)) != _t61) {
								goto L22;
							} else {
								BitBlt(_t76,  *(_t81 + 0x48),  *(_t81 + 0x48), _t66, _t61,  *(_t81 + 0x48), 0, 0, 0xcc0020);
							}
						}
					}
				} else {
					__eax =  *(__esp + 0x10);
					if( *(__esp + 0x10) == 0) {
						L17:
						_push( *((intOrPtr*)(_t78 + 4)));
						PlayMetaFile(_t76, ??);
					} else {
						__ebp = 1;
						 *(__esi + 0x18) = 1;
						__ebx = CreateCompatibleDC(__edi);
						 *(__esp + 0x58) = __ebx;
						__eax = CreateCompatibleBitmap(__edi, 8, 8);
						 *(__esp + 0x28) = __eax;
						PatBlt(__ebx, 0, 0, 8, 8, 0x42) = GetTickCount();
						__eax = L0045DA72(__eax);
						while(1) {
							__eax = 0x66666667;
							__edx = 0x66666667 * __ebp >> 0x20;
							__eax = 0x66666667 * __ebp;
							__edx = 0x66666667 * __ebp >> 0x20 >> 1;
							__eax = __edx;
							__eax = __edx >> 0x1f;
							__edx = __edx + (__edx >> 0x1f) + 3;
							if(__edx <= 0) {
								goto L15;
							}
							 *(__esp + 0x44) = __edx;
							do {
								__eax = L0045DA7F();
								__eax = __eax & 0x8000003f;
								if(__eax < 0) {
									__eax = __eax - 1;
									__eax = __eax | 0xffffffc0;
									__eax = __eax + 1;
								}
								__ecx = __eax;
								_push(0xffffff);
								__ecx = __eax & 0x80000007;
								if(__ecx < 0) {
									__ecx = __ecx - 1;
									__ecx = __ecx | 0xfffffff8;
									__ecx = __ecx + 1;
								}
								asm("cdq");
								__edx = __edx & 0x00000007;
								__eax = __eax + __edx;
								__eax =  *(__esp + 0x44);
								__eax =  *(__esp + 0x44) - 1;
								 *(__esp + 0x44) = __eax;
							} while (__eax != 0);
							L15:
							__edx =  *(__esp + 0x20);
							__ebx = CreatePatternBrush( *(__esp + 0x20));
							__eax = SelectObject(__edi, __ebx);
							__ecx =  *(__esi + 0x28);
							__edx =  *(__esi + 0x24);
							 *(__esp + 0x44) = __eax;
							__eax =  *(__esp + 0x48);
							__eax =  *(__esp + 0x44);
							__ecx =  *(__esp + 0x44);
							__eax = BitBlt(__edi,  *(__esp + 0x44),  *(__esp + 0x44),  *(__esi + 0x24),  *(__esi + 0x28),  *(__esp + 0x44), 0, 0, 0xca0749);
							__edx =  *(__esp + 0x44);
							SelectObject(__edi,  *(__esp + 0x44)) = DeleteObject(__ebx);
							__ebp = __ebp + 1;
							if(__ebp < 0x14) {
								__ebx =  *(__esp + 0x4c);
								continue;
							}
							 *(__esp + 0x4c) = DeleteDC( *(__esp + 0x4c));
							__ecx =  *(__esp + 0x20);
							__eax = DeleteObject( *(__esp + 0x20));
							__edx =  *(__esp + 0x48);
							__eax =  *(__esi + 0x28);
							__ecx =  *(__esi + 0x24);
							__edx =  *(__esp + 0x44);
							 *(__esp + 0x44) = BitBlt(__edi,  *(__esp + 0x44),  *(__esp + 0x44),  *(__esi + 0x24),  *(__esi + 0x28),  *(__esp + 0x44), 0, 0, 0xcc0020);
							goto L19;
						}
					}
				}
				L19:
				DeleteDC( *(_t81 + 0x48));
				RestoreDC(_t76,  *(_t81 + 0x2c));
				return 1;
			}

0x0045a7d2
0x0045a7d7
0x0045a6b2
0x00000000
0x0045a6b8
0x0045a6b8
0x0045a6c1
0x0045b0b3
0x0045b0b6
0x0045b0e7
0x0045a6c7
0x0045a6c7
0x0045a6d0
0x00000000
0x0045a6d6
0x0045a6f1
0x0045a6f1
0x0045a6d0
0x0045a6c1
0x0045a7dd
0x0045a7dd
0x0045a7e3
0x0045aa79
0x0045aa7c
0x0045aa7e
0x0045a7e9
0x0045a7e9
0x0045a7ef
0x0045a7fa
0x0045a7ff
0x0045a803
0x0045a80b
0x0045a826
0x0045a82d
0x0045a83b
0x0045a83b
0x0045a840
0x0045a840
0x0045a842
0x0045a844
0x0045a846
0x0045a849
0x0045a84f
0x00000000
0x00000000
0x0045a851
0x0045a855
0x0045a855
0x0045a85a
0x0045a85f
0x0045a861
0x0045a862
0x0045a865
0x0045a865
0x0045a866
0x0045a868
0x0045a86d
0x0045a873
0x0045a875
0x0045a876
0x0045a879
0x0045a879
0x0045a87a
0x0045a87b
0x0045a87f
0x0045a88c
0x0045a890
0x0045a891
0x0045a891
0x0045a897
0x0045a897
0x0045a8a2
0x0045a8a6
0x0045a8ac
0x0045a8af
0x0045a8b2
0x0045a8b6
0x0045a8c4
0x0045a8c9
0x0045a8d1
0x0045a8d7
0x0045a8e4
0x0045a8ea
0x0045a8ee
0x0045a837
0x00000000
0x0045a837
0x0045a8f9
0x0045a8ff
0x0045a904
0x0045abab
0x0045abaf
0x0045abb2
0x0045abbf
0x0045abcc
0x00000000
0x0045abcc
0x0045a83b
0x0045a7e3
0x0045aa84
0x0045aa89
0x0045aa95
0x0045aaa7

APIs

BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,00CC0020), ref: 0045A6F1
CreateCompatibleDC.GDI32 ref: 0045A7F2
CreateCompatibleBitmap.GDI32(?,00000008,00000008), ref: 0045A803
SelectObject.GDI32(00000000,00000000), ref: 0045A80F
PatBlt.GDI32(00000000,00000000,00000000,00000008,00000008,00000042), ref: 0045A820
GetTickCount.KERNEL32 ref: 0045A826
_rand.LIBCMT ref: 0045A855
SetPixel.GDI32(?,00000000,00000000,00FFFFFF), ref: 0045A886
CreatePatternBrush.GDI32(?), ref: 0045A89C
SelectObject.GDI32(?,00000000), ref: 0045A8A6
BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,00CA0749), ref: 0045A8D1
SelectObject.GDI32(?,?), ref: 0045A8DD
DeleteObject.GDI32(00000000), ref: 0045A8E4
DeleteDC.GDI32(?), ref: 0045A8F9
DeleteObject.GDI32(?), ref: 0045A904
PlayMetaFile.GDI32(?,00000002), ref: 0045AA7E
DeleteDC.GDI32(?), ref: 0045AA89
RestoreDC.GDI32(?,?), ref: 0045AA95
BitBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 0045ABCC

Strings

gfff, xrefs: 0045A83B

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: Object$Delete$CreateSelect$Compatible$BitmapBrushCountFileMetaPatternPixelPlayRestoreTick_rand
String ID: gfff
API String ID: 3212705312-1553575800
Opcode ID: eaa86b31c9604e71066b55791b40cee1ae856a4c10493e26c46a2e776c20318e
Instruction ID: 0d71362f44e683720702ea013e4560fcfa566ae5cd7e33b0bfefb86646d3f647
Opcode Fuzzy Hash: eaa86b31c9604e71066b55791b40cee1ae856a4c10493e26c46a2e776c20318e
Instruction Fuzzy Hash: EB513D71208300AFD214DB64DD85F2BB7F9EB89B05F104A1DFA46C6291D675EC058B6A

Uniqueness

Uniqueness Score: -1.00%

Function 00420B4D Relevance: 33.7, APIs: 17, Strings: 2, Instructions: 454
windowCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00420B4D() {
				int _t160;
				signed int _t162;
				struct HWND__* _t167;
				long _t168;
				WCHAR* _t170;
				WCHAR* _t172;
				long _t181;
				long _t192;
				long _t203;
				int _t211;
				long _t225;
				int _t227;
				int _t231;
				long _t234;
				long _t235;
				long _t246;
				struct HWND__* _t250;
				signed int _t252;
				signed int _t253;
				signed int _t254;
				signed char _t256;
				long _t262;
				int _t269;
				long _t274;
				void* _t275;
				int _t301;
				signed int _t306;
				signed int _t308;
				signed char _t309;
				int _t320;
				long _t322;
				void* _t323;

				L0043B644(E004628B0, _t323);
				_t320 =  *(_t323 + 8);
				if(_t320 == 0) {
					L72:
					_t160 = 0;
					L102:
					 *[fs:0x0] =  *((intOrPtr*)(_t323 - 0xc));
					return _t160;
				}
				_t250 =  *(_t320 + 8);
				if(_t250 !=  *(_t320 + 4)) {
					_t308 =  *(_t323 + 0xc);
					_t162 = _t308 & 0xff000000;
					__eflags = _t162 - 0x1000000;
					if(_t162 == 0x1000000) {
						L92:
						_t309 = _t308 & 0x00ffffff;
						__eflags = _t309 & 0x000000f0;
						 *(_t323 + 0xc) = _t309;
						if((_t309 & 0x000000f0) == 0) {
							__eflags = _t162 - 0x1000000;
							if(_t162 == 0x1000000) {
								_t144 = _t323 + 0xc;
								 *_t144 =  *(_t323 + 0xc) | 0x00000010;
								__eflags =  *_t144;
							} else {
								__eflags = _t162 - 0x2000000;
								if(_t162 == 0x2000000) {
									 *(_t323 + 0xc) =  *(_t323 + 0xc) | 0x00000030;
								} else {
									__eflags = _t162 - 0x3000000;
									if(_t162 == 0x3000000) {
										 *(_t323 + 0xc) =  *(_t323 + 0xc) | 0x00000040;
									}
								}
							}
						}
						GetWindowTextW(GetParent( *(_t320 + 4)), _t323 - 0x224, 0x104);
						 *(_t323 + 8) =  *(_t323 + 0xc);
						_t167 = GetParent( *(_t320 + 4));
						__eflags =  *(_t320 + 0x48);
						if( *(_t320 + 0x48) != 0) {
							_t269 =  *(_t323 + 0xc) | 0x00180000;
							__eflags = _t269;
							 *(_t323 + 8) = _t269;
						}
						_t160 = MessageBoxW(_t167,  *(_t323 + 0x10), _t323 - 0x224,  *(_t323 + 8));
						goto L102;
					}
					__eflags = _t162 - 0x2000000;
					if(_t162 == 0x2000000) {
						goto L92;
					}
					__eflags = _t162 - 0x3000000;
					if(_t162 == 0x3000000) {
						goto L92;
					}
					__eflags = _t162 - 0x8000000;
					if(_t162 == 0x8000000) {
						_t168 = L0043B22A( *(_t323 + 0x10), 0x2e);
						__eflags = _t168;
						if(_t168 != 0) {
							_t170 = _t168 + 4;
							__eflags = _t170;
							SetWindowTextW( *(_t320 + 8), _t170);
						}
						 *(_t320 + 0x49) =  *(_t320 + 0x49) & 0x00000000;
						L87:
						L004211F6();
						L88:
						_t160 =  *(_t320 + 0x4c);
						goto L102;
					}
					__eflags = _t162 - 0x9000000;
					if(_t162 == 0x9000000) {
						__eflags =  *(_t320 + 0x44);
						if( *(_t320 + 0x44) == 0) {
							goto L88;
						}
						_t172 =  *(_t323 + 0x10);
						__eflags = _t172;
						if(_t172 != 0) {
							__eflags =  *_t172;
							if( *_t172 != 0) {
								SetWindowTextW(_t250, _t172);
							}
						}
						__eflags =  *(_t320 + 0x49);
						if( *(_t320 + 0x49) != 0) {
							_t129 = _t320 + 0x3c;
							 *_t129 =  *(_t320 + 0x3c) +  *(_t320 + 0x38);
							__eflags =  *_t129;
							SendMessageW( *(_t320 + 4), 0x405, 0, 0);
						}
						goto L87;
					}
					__eflags = _t162 - 0xa000000;
					if(_t162 != 0xa000000) {
						L71:
						L004211F6();
						goto L72;
					}
					 *(_t323 - 0x18) = 0;
					 *((char*)(_t323 - 0x1c)) =  *((intOrPtr*)(_t323 + 0x13));
					 *((intOrPtr*)(_t323 - 0x14)) = 0;
					 *((intOrPtr*)(_t323 - 0x10)) = 0;
					 *(_t323 - 4) = 1;
					_push(_t323 - 0x1c);
					_push( *(_t323 + 0x10));
					L0042107A();
					_t274 =  *(_t323 - 0x18);
					__eflags = _t274;
					if(_t274 == 0) {
						L75:
						L004211F6();
						_t181 =  *(_t320 + 0xc);
						__eflags = _t181;
						if(_t181 == 0) {
							L78:
							_t322 =  *(_t320 + 0x4c);
							L79:
							_t122 = _t323 - 4;
							 *_t122 =  *(_t323 - 4) | 0xffffffff;
							__eflags =  *_t122;
							_t275 = _t323 - 0x1c;
							L80:
							L0041D152(_t275);
							_t160 = _t322;
							goto L102;
						}
						__eflags =  *_t181;
						if( *_t181 == 0) {
							goto L78;
						}
						_t322 = 2;
						goto L79;
					}
					_t252 = 0x28;
					asm("cdq");
					__eflags = ( *((intOrPtr*)(_t323 - 0x14)) - _t274) / _t252 - 4;
					if(__eflags < 0) {
						L59:
						__eflags = _t274;
						if(_t274 == 0) {
							goto L75;
						}
						_t253 = 0x28;
						asm("cdq");
						__eflags = ( *((intOrPtr*)(_t323 - 0x14)) - _t274) / _t253 - 3;
						if(__eflags < 0) {
							L66:
							__eflags = _t274;
							if(_t274 == 0) {
								goto L75;
							}
							_t254 = 0x28;
							asm("cdq");
							__eflags = ( *((intOrPtr*)(_t323 - 0x14)) - _t274) / _t254 - 2;
							if(__eflags < 0) {
								goto L75;
							}
							_t192 = L00429816(__eflags, "2", _t274 + 4);
							__eflags = _t192;
							if(_t192 == 0) {
								goto L75;
							}
							__eflags =  *(_t320 + 0x44);
							if( *(_t320 + 0x44) != 0) {
								E004266CE( *(_t323 - 0x18) + 0x28, _t323 + 0x10, 0);
								_t114 = _t320 + 0x3c;
								 *_t114 =  *(_t320 + 0x3c) +  *(_t320 + 0x40) *  *(_t323 + 0x10);
								__eflags =  *_t114;
								SendMessageW( *(_t320 + 4), 0x402,  *(_t320 + 0x3c), 0);
								L74:
								 *((intOrPtr*)( *_t320))( *(_t320 + 0x3c),  *(_t320 + 0x44));
								goto L75;
							}
							_t106 = _t323 - 4;
							 *_t106 =  *(_t323 - 4) | 0xffffffff;
							__eflags =  *_t106;
							L0041D152(_t323 - 0x1c);
							goto L71;
						}
						_t203 = L00429816(__eflags, 0x477b1c, _t274 + 4);
						__eflags = _t203;
						if(_t203 == 0) {
							_t274 =  *(_t323 - 0x18);
							goto L66;
						}
						E004266CE( *(_t323 - 0x18) + 0x50, _t323 + 0x10, 0);
						__eflags =  *(_t323 + 0x10);
						if( *(_t323 + 0x10) == 0) {
							 *(_t320 + 0x49) =  *(_t320 + 0x49) & 0x00000000;
						} else {
							 *(_t320 + 0x49) = 1;
							E004266CE( *(_t323 - 0x18) + 0x28, _t323 + 0x10, 0);
							_t211 =  *(_t320 + 0x40) *  *(_t323 + 0x10);
							 *(_t320 + 0x38) = _t211;
							SendMessageW( *(_t320 + 4), 0x404, _t211, 0);
						}
						goto L75;
					}
					__eflags = L00429816(__eflags, 0x477b18, _t274 + 4);
					if(__eflags == 0) {
						_t274 =  *(_t323 - 0x18);
						goto L59;
					}
					asm("sbb ecx, ecx");
					_t256 = L00429816(__eflags, 0x477b18,  ~( *(_t323 - 0x18) + 0x50) &  *(_t323 - 0x18) + 0x54);
					asm("sbb ecx, ecx");
					 *((char*)(_t323 + 0x13)) = L00429816(__eflags, 0x477b1c,  ~( *(_t323 - 0x18) + 0x78) &  *(_t323 - 0x18) + 0x7c);
					E004266CE( *(_t323 - 0x18) + 0x28, _t323 + 0xc, 0);
					_t225 =  *(_t323 + 0xc);
					asm("sbb ecx, ecx");
					 *(_t320 + 0x44) = _t225;
					asm("sbb ebx, ebx");
					 *(_t320 + 0x40) = ( ~_t256 & 0x00000002) - 1;
					 *(_t320 + 0x3c) =  !( ~_t256) & _t225;
					SendMessageW( *(_t320 + 4), 0x406, 0, _t225);
					__eflags =  *((char*)(_t323 + 0x13));
					if( *((char*)(_t323 + 0x13)) == 0) {
						_t227 =  *(_t320 + 0x3c);
					} else {
						_t227 =  *(_t320 + 0x44);
					}
					SendMessageW( *(_t320 + 4), 0x402, _t227, 0);
					goto L74;
				}
				 *(_t323 - 0x18) = 0;
				 *((char*)(_t323 - 0x1c)) =  *((intOrPtr*)(_t323 + 0x13));
				 *((intOrPtr*)(_t323 - 0x14)) = 0;
				 *((intOrPtr*)(_t323 - 0x10)) = 0;
				 *(_t323 - 4) = 0;
				_t231 =  *(_t323 + 0xc) & 0xff000000;
				 *(_t323 + 8) = _t231;
				if(_t231 != 0xa000000) {
					__eflags = _t231 - 0x8000000;
					if(_t231 != 0x8000000) {
						SendMessageW(_t250, 0xc, 0,  *(_t323 + 0x10));
					} else {
						_t262 =  *(_t323 + 0x10);
						_t235 = L0043CCBB(_t262, L". ");
						__eflags = _t235;
						if(_t235 == 0) {
							 *(_t323 + 0x10) = _t262;
						} else {
							 *(_t323 + 0x10) = _t235 + 4;
						}
						SendMessageW( *(_t320 + 8), 0xc, 0,  *(_t323 + 0x10));
						SendMessageW( *(_t320 + 8), 0xc, 0,  *(_t323 + 0x10));
						SendMessageW( *(_t320 + 8), 0xc, 0,  *(_t323 + 0x10));
					}
					L16:
					_t301 =  *(_t323 + 8);
					__eflags = _t301 - 0x6000000;
					if(__eflags > 0) {
						__eflags = _t301 - 0x7000000;
						if(_t301 == 0x7000000) {
							_push(0x11);
							L43:
							_pop(0);
							L44:
							_t234 = SendMessageW( *(_t320 + 8), 0x111, 0, 0);
							 *(_t323 - 4) =  *(_t323 - 4) | 0xffffffff;
							_t322 = _t234;
							_t275 = _t323 - 0x1c;
							goto L80;
						}
						__eflags = _t301 - 0x8000000;
						if(_t301 == 0x8000000) {
							_push(0x12);
							goto L43;
						}
						__eflags = _t301 - 0x9000000;
						if(_t301 == 0x9000000) {
							_push(0x13);
							goto L43;
						}
						__eflags = _t301 - 0xa000000;
						if(_t301 == 0xa000000) {
							_push(0x14);
							goto L43;
						}
						__eflags = _t301 - 0xb000000;
						if(_t301 == 0xb000000) {
							_push(0x15);
							goto L43;
						}
						__eflags = _t301 - 0x19000000;
						if(_t301 != 0x19000000) {
							goto L44;
						}
						_push(0x10);
						goto L43;
					}
					if(__eflags == 0) {
						_push(0xf);
						goto L43;
					}
					__eflags = _t301;
					if(_t301 == 0) {
						_push(9);
						goto L43;
					}
					__eflags = _t301 - 0x1000000;
					if(_t301 == 0x1000000) {
						_push(0xa);
						goto L43;
					}
					__eflags = _t301 - 0x2000000;
					if(_t301 == 0x2000000) {
						_push(0xb);
						goto L43;
					}
					__eflags = _t301 - 0x3000000;
					if(_t301 == 0x3000000) {
						_push(0xc);
						goto L43;
					}
					__eflags = _t301 - 0x4000000;
					if(_t301 == 0x4000000) {
						_push(0xd);
						goto L43;
					}
					__eflags = _t301 - 0x5000000;
					if(_t301 != 0x5000000) {
						goto L44;
					}
					_push(0xe);
					goto L43;
				} else {
					_push(_t323 - 0x1c);
					_push( *(_t323 + 0x10));
					L0042107A();
					 *(_t323 + 0x10) = 0;
					 *(_t323 + 0xc) = 0;
					while( *(_t323 - 0x18) != 0) {
						_t306 = 0x28;
						asm("cdq");
						if( *(_t323 + 0x10) >= ( *((intOrPtr*)(_t323 - 0x14)) -  *(_t323 - 0x18)) / _t306) {
							goto L16;
						} else {
							_t246 =  *( *(_t323 - 0x18) +  *(_t323 + 0xc) + 4 + 4);
							if(_t246 == 0) {
								_t246 = 0x4675e4;
							}
							SendMessageW( *(_t320 + 8), 0xc, 0, _t246);
							 *(_t323 + 0x10) =  *(_t323 + 0x10) + 1;
							 *(_t323 + 0xc) =  *(_t323 + 0xc) + 0x28;
							continue;
						}
					}
					goto L16;
				}
			}

0x00420b52
0x00420b5f
0x00420b67
0x00420f18
0x00420f18
0x00421069
0x0042106f
0x00421077
0x00421077
0x00420b6d
0x00420b73
0x00420d12
0x00420d1c
0x00420d21
0x00420d23
0x00420fe9
0x00420fe9
0x00420fef
0x00420ff2
0x00420ff5
0x00420ff7
0x00420ff9
0x00421015
0x00421015
0x00421015
0x00420ffb
0x00420ffb
0x00421000
0x0042100f
0x00421002
0x00421002
0x00421007
0x00421009
0x00421009
0x00421007
0x00421000
0x00420ff9
0x00421031
0x00421040
0x00421043
0x00421045
0x00421047
0x0042104c
0x0042104c
0x00421052
0x00421052
0x00421063
0x00000000
0x00421063
0x00420d29
0x00420d2e
0x00000000
0x00000000
0x00420d34
0x00420d39
0x00000000
0x00000000
0x00420d3f
0x00420d44
0x00420fcb
0x00420fd1
0x00420fd4
0x00420fd6
0x00420fd6
0x00420fdd
0x00420fdd
0x00420fe3
0x00420fb9
0x00420fb9
0x00420fbe
0x00420fbe
0x00000000
0x00420fbe
0x00420d4a
0x00420d4f
0x00420f84
0x00420f87
0x00000000
0x00000000
0x00420f89
0x00420f8c
0x00420f8e
0x00420f90
0x00420f93
0x00420f97
0x00420f97
0x00420f93
0x00420f9d
0x00420fa1
0x00420fa7
0x00420fa7
0x00420fa7
0x00420fb3
0x00420fb3
0x00000000
0x00420fa1
0x00420d55
0x00420d5a
0x00420f13
0x00420f13
0x00000000
0x00420f13
0x00420d63
0x00420d66
0x00420d69
0x00420d6c
0x00420d72
0x00420d79
0x00420d7a
0x00420d7d
0x00420d84
0x00420d87
0x00420d89
0x00420f58
0x00420f58
0x00420f5d
0x00420f60
0x00420f62
0x00420f6e
0x00420f6e
0x00420f71
0x00420f71
0x00420f71
0x00420f71
0x00420f75
0x00420f78
0x00420f78
0x00420f7d
0x00000000
0x00420f7d
0x00420f64
0x00420f67
0x00000000
0x00000000
0x00420f6b
0x00000000
0x00420f6b
0x00420d96
0x00420d97
0x00420d9a
0x00420d9d
0x00420e5a
0x00420e5a
0x00420e5c
0x00000000
0x00000000
0x00420e69
0x00420e6a
0x00420e6d
0x00420e70
0x00420eda
0x00420eda
0x00420edc
0x00000000
0x00000000
0x00420ee5
0x00420ee6
0x00420ee9
0x00420eec
0x00000000
0x00000000
0x00420ef7
0x00420efd
0x00420f00
0x00000000
0x00000000
0x00420f02
0x00420f05
0x00420f2a
0x00420f37
0x00420f37
0x00420f37
0x00420f46
0x00420f4c
0x00420f56
0x00000000
0x00420f56
0x00420f07
0x00420f07
0x00420f07
0x00420f0e
0x00000000
0x00420f0e
0x00420e7b
0x00420e81
0x00420e84
0x00420ed7
0x00000000
0x00420ed7
0x00420e91
0x00420e96
0x00420e99
0x00420ece
0x00420e9b
0x00420ea3
0x00420eaa
0x00420eb3
0x00420ec0
0x00420ec3
0x00420ec3
0x00000000
0x00420e99
0x00420db3
0x00420db6
0x00420e57
0x00000000
0x00420e57
0x00420dc9
0x00420dd4
0x00420de3
0x00420df5
0x00420e03
0x00420e0a
0x00420e0f
0x00420e21
0x00420e24
0x00420e26
0x00420e2d
0x00420e36
0x00420e38
0x00420e3c
0x00420e43
0x00420e3e
0x00420e3e
0x00420e3e
0x00420e50
0x00000000
0x00420e50
0x00420b7c
0x00420b7f
0x00420b82
0x00420b85
0x00420b8b
0x00420b8e
0x00420b98
0x00420b9b
0x00420bfd
0x00420c02
0x00420c57
0x00420c04
0x00420c04
0x00420c0d
0x00420c13
0x00420c16
0x00420c20
0x00420c18
0x00420c1b
0x00420c1b
0x00420c32
0x00420c3d
0x00420c57
0x00420c57
0x00420c59
0x00420c59
0x00420c63
0x00420c65
0x00420cb1
0x00420cb7
0x00420cf5
0x00420cf7
0x00420cf7
0x00420cf8
0x00420d02
0x00420d04
0x00420d08
0x00420d0a
0x00000000
0x00420d0a
0x00420cb9
0x00420cbf
0x00420cf1
0x00000000
0x00420cf1
0x00420cc1
0x00420cc7
0x00420ced
0x00000000
0x00420ced
0x00420cc9
0x00420ccf
0x00420ce9
0x00000000
0x00420ce9
0x00420cd1
0x00420cd7
0x00420ce5
0x00000000
0x00420ce5
0x00420cd9
0x00420cdf
0x00000000
0x00000000
0x00420ce1
0x00000000
0x00420ce1
0x00420c67
0x00420cad
0x00000000
0x00420cad
0x00420c69
0x00420c6b
0x00420ca9
0x00000000
0x00420ca9
0x00420c6d
0x00420c73
0x00420ca5
0x00000000
0x00420ca5
0x00420c75
0x00420c7b
0x00420ca1
0x00000000
0x00420ca1
0x00420c7d
0x00420c83
0x00420c9d
0x00000000
0x00420c9d
0x00420c85
0x00420c8b
0x00420c99
0x00000000
0x00420c99
0x00420c8d
0x00420c93
0x00000000
0x00000000
0x00420c95
0x00000000
0x00420b9d
0x00420ba0
0x00420ba1
0x00420ba4
0x00420bb1
0x00420bb4
0x00420bb7
0x00420bc8
0x00420bc9
0x00420bcf
0x00000000
0x00420bd5
0x00420bdf
0x00420be4
0x00420be6
0x00420be6
0x00420bf2
0x00420bf4
0x00420bf7
0x00000000
0x00420bf7
0x00420bcf
0x00000000
0x00420bb7

APIs

__EH_prolog.LIBCMT ref: 00420B52
SendMessageW.USER32(?,0000000C,00000000,?), ref: 00420BF2
SendMessageW.USER32(?,0000000C,00000000,?), ref: 00420C32
SendMessageW.USER32(?,0000000C,00000000,?), ref: 00420C3D
SendMessageW.USER32(?,0000000C,00000000,?), ref: 00420C57
SendMessageW.USER32(?,00000111,00000011,00000000), ref: 00420D02

Part of subcall function 0042107A: __EH_prolog.LIBCMT ref: 0042107F

SendMessageW.USER32(00000001,00000406,00000000,?), ref: 00420E36
SendMessageW.USER32(00000001,00000402,?,00000000), ref: 00420E50
SendMessageW.USER32(00000001,00000404,?,00000000), ref: 00420EC3
SendMessageW.USER32(00000001,00000402,?,00000000), ref: 00420F46

Part of subcall function 004211F6: PeekMessageW.USER32 ref: 00421213
Part of subcall function 004211F6: PeekMessageW.USER32 ref: 00421225
Part of subcall function 004211F6: TranslateMessage.USER32(?), ref: 0042122F
Part of subcall function 004211F6: DispatchMessageW.USER32 ref: 00421239

SetWindowTextW.USER32(?,?), ref: 00420F97
SendMessageW.USER32(?,00000405,00000000,00000000), ref: 00420FB3
SetWindowTextW.USER32(?,-00000004), ref: 00420FDD
GetParent.USER32(?), ref: 0042102E
GetWindowTextW.USER32 ref: 00421031
GetParent.USER32(?), ref: 00421043
MessageBoxW.USER32(00000000,?,?,?), ref: 00421063

Strings

uF, xrefs: 00420BE6
0, xrefs: 0042100F

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: Message$Send$TextWindow$H_prologParentPeek$DispatchTranslate
String ID: 0$uF
API String ID: 2346189871-1188444059
Opcode ID: 117ad31103ca2b583b85ae438c6f92987ec34fd575204a9eab29b3ec982a2f6f
Instruction ID: 9a4977c9605eaa671fa543afb6bf9e54c65acfababd85364a0a8118aba4bcde9
Opcode Fuzzy Hash: 117ad31103ca2b583b85ae438c6f92987ec34fd575204a9eab29b3ec982a2f6f
Instruction Fuzzy Hash: D2F1E170740225AFDB28CF55ED85BBF7BF0EB04304FA4451FF552966A2D6B8A880CB19

Uniqueness

Uniqueness Score: -1.00%

Function 004087CC Relevance: 33.5, APIs: 12, Strings: 7, Instructions: 236
windowCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E004087CC(void* __ecx) {
				void* __ebx;
				long _t77;
				signed char _t83;
				char* _t88;
				long _t98;
				char* _t109;
				intOrPtr _t122;
				void* _t144;
				long* _t146;
				char* _t150;
				void* _t152;
				struct HWND__* _t158;
				void* _t160;

				_t77 = L0043B644(0x45fa37, _t152);
				_t158 =  *0x47e1cc; // 0x0
				_t144 = __ecx;
				if(_t158 != 0 ||  *0x47e1d1 != 0) {
					 *(_t152 - 0x1a8) = 0x114;
					GetVersionExW(_t152 - 0x1a8);
					L00408B99(_t144);
					 *(_t152 - 0xd) =  *(_t152 - 0xd) & 0x00000000;
					_t160 =  *((intOrPtr*)(_t152 - 0x1a4)) - 5;
					if(_t160 > 0 || _t160 == 0 &&  *((intOrPtr*)(_t152 - 0x1a0)) > 0) {
						if( *((intOrPtr*)(_t152 - 0x198)) == 2) {
							 *(_t152 - 0xd) = 1;
						}
					}
					if( *0x47e1d1 == 0) {
						__eflags =  *(_t152 + 8);
						if( *(_t152 + 8) == 0) {
							__eflags =  *(_t152 - 0xd);
							if( *(_t152 - 0xd) == 0) {
								L38:
								_push(0);
								_push(0);
								_push(0x402);
								L39:
								_t77 = SendMessageW( *0x47e1cc, ??, ??, ??);
								goto L40;
							}
							_t146 = _t144 + 0x164;
							__eflags =  *_t146;
							if( *_t146 == 0) {
								goto L38;
							}
							SendMessageW( *0x47e1cc, 0x40a, 0, 0);
							_t77 = SetWindowLongW( *0x47e1cc, 0xfffffff0,  *_t146);
							goto L40;
						}
						__eflags =  *(_t152 - 0xd);
						if( *(_t152 - 0xd) == 0) {
							_t77 = CreateThread(0, 0, E00408B15, _t144, 0, _t144 + 0x160);
							 *(_t144 + 0x15c) = _t77;
							goto L40;
						}
						_t83 = GetWindowLongW( *0x47e1cc, 0xfffffff0);
						 *(_t144 + 0x164) = _t83;
						SetWindowLongW( *0x47e1cc, 0xfffffff0, _t83 | 0x00000008);
						_push(0x64);
						_push(1);
						_push(0x40a);
						goto L39;
					} else {
						_t150 = "C:\\CodeBases\\isdev\\src\\Runtime\\Shared\\Setup\\IsPreReqDlg.cpp";
						if( *0x47df40 != 0 ||  *0x47e988 != 0) {
							_push(1);
							_push(_t152 - 0xe);
							_push(_t150);
							E0040A5F5(_t152 - 0x6c);
							 *(_t152 - 4) =  *(_t152 - 4) & 0x00000000;
							_t88 = L"StartStopProgress - Embedded";
							 *((intOrPtr*)(_t152 - 0x44)) = 0x4675d8;
							 *((intOrPtr*)(_t152 - 0x24)) = 0x4675d0;
							if(_t88 == 0) {
								_t88 = 0x47e150;
							}
							_push(0);
							_push(_t152 - 0xf);
							_push(_t88);
							L0040B34B(_t152 - 0x44);
							 *(_t152 - 4) = 1;
							L0045D600(_t152 - 0x44, _t152 - 0x6c, 0x334);
							 *(_t152 - 4) =  *(_t152 - 4) & 0x00000000;
							E004061C1(_t152 - 0x44);
							 *(_t152 - 4) =  *(_t152 - 4) | 0xffffffff;
							E004061C1(_t152 - 0x6c);
						}
						if( *((intOrPtr*)(_t152 - 0x1a4)) >= 6) {
							 *(_t152 - 0xd) =  *(_t152 - 0xd) & 0x00000000;
						}
						_t77 = E0040A374(_t144);
						 *(_t152 - 0x14) = _t77;
						if(_t77 == 0) {
							goto L40;
						} else {
							if( *(_t152 - 0xd) == 0) {
								__eflags =  *(_t152 + 8);
								if( *(_t152 + 8) == 0) {
									goto L40;
								}
								_push(1);
								_t122 =  *((intOrPtr*)( *((intOrPtr*)(_t144 + 0xc8)) + 0x14));
								_push(_t152 + 0xb);
								_push(_t150);
								_t98 =  *(E0040A5F5(_t152 - 0x94) + 8);
								 *(_t152 - 4) = 4;
								__eflags = _t98;
								if(_t98 == 0) {
									_t98 = 0x4675e4;
								}
								_push(_t122);
								 *(_t152 - 0x1c) = _t98;
								_push( *(_t144 + 0x16c));
								 *((intOrPtr*)(_t152 - 0x18)) = 0x344;
								_push(L"StartStopProgress - Fallback - %d of %d");
								_push(_t152 - 0x1c);
								E0040840D(_t122);
								 *(_t152 - 4) =  *(_t152 - 4) | 0xffffffff;
								E004061C1(_t152 - 0x94);
								__eflags = SendMessageW( *(_t152 - 0x14), 0x406, 1,  *((intOrPtr*)( *((intOrPtr*)(_t144 + 0xc8)) + 0x14)) + 1) - 2;
								if(__eflags == 0) {
									L24:
									_push( *(_t152 - 0x14));
									_t77 = E0040A4B6(_t144, _t177);
									goto L40;
								} else {
									__eflags = SendMessageW( *(_t152 - 0x14), 0x402, 0, 0) - 2;
									if(__eflags == 0) {
										goto L24;
									}
									_t77 = SendMessageW( *(_t152 - 0x14), 0x402,  *(_t144 + 0x16c), 0);
									L23:
									_t177 = _t77 - 2;
									if(_t77 != 2) {
										goto L40;
									}
									goto L24;
								}
							}
							if( *0x47df40 != 0 ||  *0x47e988 != 0) {
								_push(1);
								_push(_t152 - 0xf);
								_push(_t150);
								E0040A5F5(_t152 - 0x6c);
								_t109 = L"StartStopProgress - Embedded Looping";
								 *(_t152 - 4) = 2;
								 *((intOrPtr*)(_t152 - 0x44)) = 0x4675d8;
								 *((intOrPtr*)(_t152 - 0x24)) = 0x4675d0;
								if(_t109 == 0) {
									_t109 = 0x47e150;
								}
								_push(0);
								_push(_t152 - 0xe);
								_push(_t109);
								L0040B34B(_t152 - 0x44);
								 *(_t152 - 4) = 3;
								L0045D600(_t152 - 0x44, _t152 - 0x6c, 0x33c);
								 *(_t152 - 4) = 2;
								E004061C1(_t152 - 0x44);
								 *(_t152 - 4) =  *(_t152 - 4) | 0xffffffff;
								E004061C1(_t152 - 0x6c);
							}
							asm("sbb eax, eax");
							_t77 = SendMessageW( *(_t152 - 0x14), 0x111,  ~( *(_t152 + 8)) + 4, 0);
							goto L23;
						}
					}
				} else {
					L40:
					 *[fs:0x0] =  *((intOrPtr*)(_t152 - 0xc));
					return _t77;
				}
			}

0x004087d1
0x004087e1
0x004087e7
0x004087e9
0x004087fe
0x00408809
0x00408811
0x00408816
0x0040881a
0x00408821
0x00408834
0x00408836
0x00408836
0x00408834
0x00408841
0x00408a62
0x00408a66
0x00408abc
0x00408ac0
0x00408af1
0x00408af1
0x00408af2
0x00408af3
0x00408af8
0x00408afe
0x00000000
0x00408afe
0x00408ac2
0x00408ac8
0x00408aca
0x00000000
0x00000000
0x00408ad9
0x00408ae9
0x00000000
0x00408ae9
0x00408a68
0x00408a6c
0x00408aae
0x00408ab4
0x00000000
0x00408ab4
0x00408a76
0x00408a7c
0x00408a8d
0x00408a93
0x00408a95
0x00408a97
0x00000000
0x00408847
0x0040884e
0x00408858
0x00408866
0x00408868
0x00408869
0x0040886d
0x00408872
0x00408876
0x0040887d
0x00408886
0x00408889
0x0040888b
0x0040888b
0x00408893
0x00408895
0x00408896
0x0040889a
0x004088ac
0x004088b0
0x004088b5
0x004088bc
0x004088c1
0x004088c8
0x004088c8
0x004088d4
0x004088d6
0x004088d6
0x004088dc
0x004088e3
0x004088e6
0x00000000
0x004088ec
0x004088f0
0x004089a8
0x004089ac
0x00000000
0x00000000
0x004089b8
0x004089c0
0x004089c6
0x004089c7
0x004089cd
0x004089d0
0x004089d7
0x004089d9
0x004089db
0x004089db
0x004089e0
0x004089e1
0x004089e4
0x004089ed
0x004089f4
0x004089f9
0x004089fa
0x004089ff
0x00408a0c
0x00408a2e
0x00408a31
0x00408999
0x00408999
0x0040899e
0x00000000
0x00408a37
0x00408a46
0x00408a49
0x00000000
0x00000000
0x00408a5b
0x00408990
0x00408990
0x00408993
0x00000000
0x00000000
0x00000000
0x00408993
0x00408a31
0x004088fd
0x0040890b
0x0040890d
0x0040890e
0x00408912
0x00408917
0x0040891c
0x00408925
0x0040892e
0x00408931
0x00408933
0x00408933
0x0040893b
0x0040893d
0x0040893e
0x00408942
0x00408954
0x00408958
0x00408960
0x00408964
0x00408969
0x00408970
0x00408970
0x0040897c
0x0040898a
0x00000000
0x0040898a
0x004088e6
0x00408b04
0x00408b04
0x00408b0a
0x00408b12
0x00408b12

APIs

__EH_prolog.LIBCMT ref: 004087D1
GetVersionExW.KERNEL32(?,?,?,00000000), ref: 00408809

Part of subcall function 004061C1: __EH_prolog.LIBCMT ref: 004061C6
Part of subcall function 004061C1: GetLastError.KERNEL32(000004B1,00000000,?,0040C82E,004675D8,?,00000000,?,00000000,004675D0,?,004675D8), ref: 004061E9
Part of subcall function 004061C1: SysFreeString.OLEAUT32(?), ref: 00406207
Part of subcall function 004061C1: SetLastError.KERNEL32(?,00000001,?,0040C82E,004675D8,?,00000000,?,00000000,004675D0,?,004675D8), ref: 00406227

SendMessageW.USER32(?,00000111,?,00000000), ref: 0040898A

Part of subcall function 0040A4B6: __EH_prolog.LIBCMT ref: 0040A4BB

Strings

StartStopProgress - Embedded Looping, xrefs: 00408917, 0040893E
StartStopProgress - Fallback - %d of %d, xrefs: 004089F4
C:\CodeBases\isdev\src\Runtime\Shared\Setup\IsPreReqDlg.cpp, xrefs: 0040884E, 00408869, 0040890E, 004089C7
StartStopProgress - Embedded, xrefs: 00408876, 00408896
PG, xrefs: 00408933
uF, xrefs: 004089DB
PG, xrefs: 0040888B

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: H_prolog$ErrorLast$FreeMessageSendStringVersion
String ID: C:\CodeBases\isdev\src\Runtime\Shared\Setup\IsPreReqDlg.cpp$PG$PG$StartStopProgress - Embedded$StartStopProgress - Embedded Looping$StartStopProgress - Fallback - %d of %d$uF
API String ID: 1720556526-3329415812
Opcode ID: f01d05fa61a651d521978e0ed8af614075f434f45c64db2ebf078daa1b6f6cdd
Instruction ID: 46cdc1a0047a2fa329e55992af0b5e316b9c31e46d6b7ab94c29356009b378be
Opcode Fuzzy Hash: f01d05fa61a651d521978e0ed8af614075f434f45c64db2ebf078daa1b6f6cdd
Instruction Fuzzy Hash: 0C91C3B0900204BEEB25DB54CD45BEEBB78EB05318F1041BEF149B62E1DBB81E45CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00450290 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 221
windowCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00450290(struct HWND__* _a4, intOrPtr* _a8) {
				struct HWND__* _v32;
				void _v2066;
				struct tagRECT _v2072;
				short _v2076;
				intOrPtr _v2080;
				int _v2084;
				struct tagRECT _v2100;
				int _v2104;
				struct tagSIZE _v2112;
				int _v2116;
				struct HDC__* _v2120;
				intOrPtr _v2124;
				intOrPtr _v2128;
				void* _t89;
				void* _t90;
				struct HDC__* _t93;
				intOrPtr _t103;
				intOrPtr* _t104;
				int _t108;
				intOrPtr* _t131;
				signed char _t134;
				void* _t144;
				WCHAR* _t176;
				void* _t195;
				long _t196;
				intOrPtr _t197;
				intOrPtr _t198;
				intOrPtr* _t201;
				RECT* _t203;

				_t89 = GetPropW(_a4, L"PROP_PSKIN");
				_t201 = _a8;
				_t144 = _t89;
				if( *_t201 == 4) {
					_t90 = SendMessageW( *(_t201 + 0x14), 0x31, 0, 0);
					_t203 = _t201 + 0x1c;
					CopyRect( &_v2072, _t203);
					_v2076 =  *(_t201 + 0x18);
					_t93 = GetWindowDC( *(_t201 + 0x14));
					 *(_t201 + 0x18) = _t93;
					_v2084 = SaveDC(_t93);
					SelectObject( *(_t201 + 0x18), _t90);
					SetBkMode( *(_t201 + 0x18), 1);
					_v2072.top = 0;
					memset( &_v2066, 0, 0x1ff << 2);
					asm("stosw");
					GetWindowTextW( *(_t201 + 0x14),  &(_v2072.top), 0x400);
					_v2104 =  *(_t201 + 4);
					_t195 = L00451440(_t144);
					_t103 = L00457A10(_t195,  &_v2104);
					_t196 =  *(_t195 + 4);
					_v2080 = _t103;
					if(_t103 == _t196 || _v2104 <  *((intOrPtr*)(_t103 + 0xc))) {
						_v2112.cx = _t196;
						_t104 =  &_v2112;
					} else {
						_t104 =  &_v2076;
					}
					_t197 =  *_t104;
					if(_t197 !=  *((intOrPtr*)(L00451440(_t144) + 4))) {
						_t198 =  *((intOrPtr*)(_t197 + 0x10));
					} else {
						L00451440(_t144);
						_v2112.cx = 0;
						_v2112.cy.left = 0;
						_push( &_v2112);
						_push( &_v2076);
						L00454E50();
						_t198 =  *((intOrPtr*)(_v2084 + 0x10));
					}
					if(( *(_t201 + 0xc) & 0xfffffffb) != 0) {
						if(( *(_t201 + 0x10) & 0x00000001) == 0) {
							_t131 =  *((intOrPtr*)(_t198 + 0x6c));
						} else {
							_t131 =  *((intOrPtr*)(_t198 + 0x70));
						}
						_push( *((intOrPtr*)(_t131 + 4)));
						_push( *(_t201 + 0x18));
						_push( *_t131);
						E0045A0D0();
						_t134 =  *(_t201 + 0x10);
						if((_t134 & 0x00000001) != 0) {
							 *((intOrPtr*)(_t201 + 0x20)) =  *((intOrPtr*)(_t201 + 0x20)) + 2;
							_t203->left = _t203->left + 2;
						}
						if((_t134 & 0x00000004) == 0) {
							SetTextColor( *(_t201 + 0x18),  *(_t198 + 0x60));
						} else {
							SetTextColor( *(_t201 + 0x18),  *(_t198 + 0x64));
						}
						DrawTextW( *(_t201 + 0x18),  &_v2076, lstrlenW( &_v2076),  &_v2100, 0x25);
					}
					if(( *(_t201 + 0xc) & 0x00000004) != 0 || ( *(_t201 + 0x10) & 0x00000010) != 0) {
						_t108 = lstrlenW( &(_v2072.top));
						_t176 =  &(_v2072.top);
						GetTextExtentPoint32W( *(_t201 + 0x18), _t176, _t108,  &_v2112);
						asm("cdq");
						asm("cdq");
						InflateRect( &(_v2112.cy), 2 - (_v2100.left - _v2128 - _v2112.cy.left - _v2112.cy.left >> 1), 2 - (_v2100.top - _v2124 - _v2104 - _t176 >> 1));
						DrawFocusRect( *(_t201 + 0x18),  &(_v2112.cy));
						SendMessageW(_v32, 0x401,  *(_t201 + 4), 0);
					}
					RestoreDC( *(_t201 + 0x18), _v2116);
					ReleaseDC( *(_t201 + 0x14),  *(_t201 + 0x18));
					 *(_t201 + 0x18) = _v2120;
					return 1;
				} else {
					return 0;
				}
			}

0x004502a2
0x004502a8
0x004502af
0x004502b4
0x004502cf
0x004502d5
0x004502e0
0x004502ed
0x004502f1
0x004502f8
0x00450306
0x0045030a
0x00450316
0x0045032a
0x00450336
0x0045033e
0x00450340
0x0045034b
0x00450358
0x0045035d
0x00450362
0x00450365
0x0045036b
0x0045037e
0x00450382
0x00450378
0x00450378
0x00450378
0x00450386
0x00450392
0x004503bf
0x00450394
0x00450396
0x004503a1
0x004503a5
0x004503ad
0x004503ae
0x004503b1
0x004503ba
0x004503ba
0x004503d0
0x004503d6
0x004503dd
0x004503d8
0x004503d8
0x004503d8
0x004503e8
0x004503e9
0x004503ea
0x004503eb
0x004503f0
0x004503f8
0x00450406
0x00450409
0x00450409
0x0045040e
0x00450422
0x00450410
0x00450422
0x00450422
0x00450440
0x00450440
0x0045044a
0x00450460
0x00450466
0x0045046c
0x00450486
0x0045049f
0x004504b1
0x004504c0
0x004504d9
0x004504d9
0x004504e8
0x004504f6
0x00450501
0x0045050f
0x004502b7
0x004502c0
0x004502c0

APIs

GetPropW.USER32(?,PROP_PSKIN), ref: 004502A2
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 004502CF
CopyRect.USER32 ref: 004502E0
GetWindowDC.USER32(?), ref: 004502F1
SaveDC.GDI32(00000000), ref: 004502FB
SelectObject.GDI32(?,00000000), ref: 0045030A
SetBkMode.GDI32(?,00000001), ref: 00450316
GetWindowTextW.USER32 ref: 00450340

Strings

PROP_PSKIN, xrefs: 0045029C

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: Window$CopyMessageModeObjectPropRectSaveSelectSendText
String ID: PROP_PSKIN
API String ID: 1071262598-87134567
Opcode ID: 4551ec21fcff69cfd509df97fd92ff22e33de7d2c95c8a0ac5fb4ae7a633b1bc
Instruction ID: cc46258a9b349f8493ea05bb77a3f731fe766291fec40fba4257c401f8a5a041
Opcode Fuzzy Hash: 4551ec21fcff69cfd509df97fd92ff22e33de7d2c95c8a0ac5fb4ae7a633b1bc
Instruction Fuzzy Hash: D5812B75204701AFD324DF24C988A6BB7F9FB88704F048A1DF98683351E774E909CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 0042A26A Relevance: 33.5, APIs: 12, Strings: 7, Instructions: 215
stringCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E0042A26A(void* __ecx) {
				signed int _t96;
				signed int _t102;
				intOrPtr _t132;
				intOrPtr _t146;
				intOrPtr _t152;
				void* _t156;
				signed int _t162;
				signed int _t164;
				signed int _t171;
				signed int _t179;
				signed int _t181;
				signed int _t192;
				signed char _t194;
				WCHAR* _t204;
				intOrPtr* _t210;
				void* _t213;
				void* _t215;
				void* _t216;
				void* _t218;

				L0043B644(0x463527, _t213);
				_t216 = _t215 - 0x4a4;
				_t156 = __ecx;
				_t210 = __ecx + 4;
				_t96 =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 4)) + 0x2c))();
				if( *((char*)(_t96 + 0x12)) != 0) {
					_t96 = (GetTickCount() -  *((intOrPtr*)(_t156 + 0x39c))) / 0x3e8;
					 *(_t213 - 0x10) = _t96;
					if(_t96 != 0) {
						_t162 =  *(_t156 + 0x278);
						_t96 =  *(_t156 + 0x27c);
						_t224 = _t162 | _t96;
						if((_t162 | _t96) != 0) {
							 *(_t213 - 0x10) = E0043C750(_t162, _t96,  *(_t213 - 0x10), 0);
							asm("sbb ecx, [ebx+0x27c]");
							_t102 = E0043C750( *((intOrPtr*)(_t156 + 0x270)) -  *(_t156 + 0x278),  *((intOrPtr*)(_t156 + 0x274)),  *(_t213 - 0x10), 0);
							_t164 = 0x3c;
							 *(_t213 - 0x14) = _t102;
							 *(_t213 - 0x18) = _t102 / _t164;
							_t192 =  *(_t213 - 0x14) % _t164;
							 *(_t213 - 0x14) = _t192;
							E00403E82( *((intOrPtr*)( *_t210 + 0x2c))(_t213 - 0x88, 0x650), _t224);
							 *(_t213 - 4) = 0;
							E00403E82( *((intOrPtr*)( *_t210 + 0x2c))(_t213 - 0x60, 0x651), _t224);
							 *(_t213 - 4) = 1;
							E00403E82( *((intOrPtr*)( *_t210 + 0x2c))(_t213 - 0xb0, 0x758), _t224);
							 *(_t213 - 0x2b0) = 0;
							_t171 = 0x7f;
							memset(_t213 - 0x2ae, 0, _t171 << 2);
							_t218 = _t216 + 0xc;
							asm("stosw");
							_t204 = L"%ld %s";
							if( *(_t213 - 0x18) > 0) {
								_t152 =  *((intOrPtr*)(_t213 - 0x80));
								if(_t152 == 0) {
									_t152 = 0x467570;
								}
								wsprintfW(_t213 - 0x2b0, _t204,  *(_t213 - 0x18), _t152);
								_t218 = _t218 + 0x10;
							}
							if( *(_t213 - 0x14) > 0) {
								_t146 =  *((intOrPtr*)(_t213 - 0x58));
								if( *(_t213 - 0x18) <= 0) {
									__eflags = _t146;
									if(_t146 == 0) {
										_t146 = 0x467570;
									}
									wsprintfW(_t213 - 0x2b0, _t204,  *(_t213 - 0x14), _t146);
									_t218 = _t218 + 0x10;
								} else {
									if(_t146 == 0) {
										_t146 = 0x467570;
									}
									wsprintfW(_t213 - 0x2b0, L"%s %ld %s", _t213 - 0x2b0,  *(_t213 - 0x14), _t146);
									_t218 = _t218 + 0x14;
								}
							}
							if(lstrlenW(_t213 - 0x2b0) != 0) {
								SetDlgItemTextW( *(_t156 + 0x26c), 0x136, _t213 - 0x2b0);
							}
							_push(7);
							asm("sbb edx, edx");
							 *(_t213 - 0x38) =  *(_t213 - 0x38) & 0x00000000;
							_t194 = (_t192 & 0x0000000a) + 0xa;
							 *(_t213 - 0x10) =  *(_t213 - 0x10) +  *(_t213 - 0x10) * 4 << 1 >> _t194;
							memset(_t213 - 0x36, 0, 0x100000 << 2);
							asm("stosw");
							if(_t194 != 0x14) {
								_push(L"KB");
							} else {
								_push(L"MB");
							}
							wsprintfW(_t213 - 0x38, ??);
							 *(_t213 - 0x4b0) =  *(_t213 - 0x4b0) & 0x00000000;
							_t179 = 0x7f;
							memset(_t213 - 0x4ae, 0, _t179 << 2);
							asm("stosw");
							_t132 =  *((intOrPtr*)(_t213 - 0xa8));
							if(_t132 == 0) {
								_t132 = 0x467570;
							}
							_push(_t132);
							_push(_t213 - 0x38);
							_t181 = 0xa;
							_push( *(_t213 - 0x10) % _t181);
							_push( *(_t213 - 0x10) / _t181);
							wsprintfW(_t213 - 0x4b0, L"%01d.%01d %s%s");
							SetDlgItemTextW( *(_t156 + 0x26c), 0x134, _t213 - 0x4b0);
							L0040125C(_t213 - 0xb0);
							 *(_t213 - 4) =  *(_t213 - 4) & 0x00000000;
							L0040125C(_t213 - 0x60);
							 *(_t213 - 4) =  *(_t213 - 4) | 0xffffffff;
							_t96 = L0040125C(_t213 - 0x88);
						}
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t213 - 0xc));
				return _t96;
			}

0x0042a26f
0x0042a274
0x0042a27b
0x0042a282
0x0042a287
0x0042a28e
0x0042a2a9
0x0042a2ad
0x0042a2b0
0x0042a2b6
0x0042a2bc
0x0042a2c4
0x0042a2c6
0x0042a2dd
0x0042a2f0
0x0042a2f8
0x0042a301
0x0042a302
0x0042a30e
0x0042a314
0x0042a321
0x0042a329
0x0042a33b
0x0042a343
0x0042a358
0x0042a361
0x0042a368
0x0042a36f
0x0042a37c
0x0042a37c
0x0042a384
0x0042a386
0x0042a38b
0x0042a38d
0x0042a392
0x0042a394
0x0042a394
0x0042a3a5
0x0042a3a7
0x0042a3a7
0x0042a3ae
0x0042a3b4
0x0042a3b7
0x0042a3e0
0x0042a3e2
0x0042a3e4
0x0042a3e4
0x0042a3f5
0x0042a3f7
0x0042a3b9
0x0042a3bb
0x0042a3bd
0x0042a3bd
0x0042a3d9
0x0042a3db
0x0042a3db
0x0042a3b7
0x0042a409
0x0042a41d
0x0042a41d
0x0042a42d
0x0042a42f
0x0042a437
0x0042a43c
0x0042a449
0x0042a44e
0x0042a454
0x0042a456
0x0042a45f
0x0042a458
0x0042a458
0x0042a458
0x0042a468
0x0042a46a
0x0042a47e
0x0042a47f
0x0042a481
0x0042a483
0x0042a48b
0x0042a48d
0x0042a48d
0x0042a492
0x0042a496
0x0042a49e
0x0042a4a4
0x0042a4a9
0x0042a4b6
0x0042a4cd
0x0042a4d9
0x0042a4de
0x0042a4e5
0x0042a4ea
0x0042a4f4
0x0042a4f4
0x0042a2c6
0x0042a2b0
0x0042a4ff
0x0042a507

APIs

__EH_prolog.LIBCMT ref: 0042A26F
GetTickCount.KERNEL32 ref: 0042A294
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042A2D2
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042A2F8

Part of subcall function 00403E82: __EH_prolog.LIBCMT ref: 00403E87

wsprintfW.USER32 ref: 0042A3A5
wsprintfW.USER32 ref: 0042A3D9
wsprintfW.USER32 ref: 0042A3F5
lstrlenW.KERNEL32(?), ref: 0042A401
SetDlgItemTextW.USER32 ref: 0042A41D
wsprintfW.USER32 ref: 0042A468
wsprintfW.USER32 ref: 0042A4B6
SetDlgItemTextW.USER32 ref: 0042A4CD

Strings

puF, xrefs: 0042A394
%ld %s, xrefs: 0042A386, 0042A3A3, 0042A3F3
%01d.%01d %s%s, xrefs: 0042A4B0
%s %ld %s, xrefs: 0042A3D3
puF, xrefs: 0042A48D
puF, xrefs: 0042A3BD
puF, xrefs: 0042A3E4

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: wsprintf$H_prologItemTextUnothrow_t@std@@@__ehfuncinfo$??2@$CountTicklstrlen
String ID: %01d.%01d %s%s$%ld %s$%s %ld %s$puF$puF$puF$puF
API String ID: 4235049045-3779373900
Opcode ID: 73ed7401d005e28e766cbe78d14cc63239520b413741fea4af7b0edeadbad784
Instruction ID: 97b2686273820492dde93d22d895487911accac65f803cc1f3d6fee274512a29
Opcode Fuzzy Hash: 73ed7401d005e28e766cbe78d14cc63239520b413741fea4af7b0edeadbad784
Instruction Fuzzy Hash: 3771A571A002199BDF14DFA8CC88BEF77B9FF48304F1441AAE909E7241EB749A44CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0045A90F Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 172
filewindowCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E0045A90F(void* __esi, int _a4, int _a12, intOrPtr _a16, int _a20, int _a24, int _a28, int _a32, int _a36, int _a40, int _a44, int _a48, int _a52, struct HDC__* _a64, signed int _a68, struct HDC__* _a72, int _a76) {
				int _v0;
				void* _v4;
				int _v8;
				int _v32;
				struct HDC__* __edi;
				int _t72;
				int _t77;
				struct HDC__* _t87;
				void* _t89;

				_t89 = __esi;
				if( *((intOrPtr*)(__esi + 0x18)) != 0) {
					L1:
					if(_a16 == 0) {
						goto L17;
					} else {
						_t77 =  *(_t89 + 0x24);
						if(_a28 != _t77) {
							L21:
							SetStretchBltMode(_t87, 3);
							StretchBlt(_t87, _a40, _a44, _a20, _a12, _a64, 0, 0,  *(_t89 + 0x24),  *(_t89 + 0x28), 0xcc0020);
						} else {
							_t72 =  *(_t89 + 0x28);
							if(_a20 != _t72) {
								goto L21;
							} else {
								BitBlt(_t87, _a48, _a52, _t77, _t72, _a72, 0, 0, 0xcc0020);
							}
						}
					}
				} else {
					__ebx = GetTickCount;
					__eax = 1;
					 *(__esi + 0x18) = 1;
					_a68 = 1;
					do {
						__eax = GetTickCount();
						__ecx =  *(__esi + 0x28);
						_a36 = __eax;
						__eax = 0x66666667;
						__ebx =  *(__esi + 0x24);
						__edx = 0x66666667 * __ecx >> 0x20;
						__eax = 0x66666667 * __ecx;
						__edx = 0x66666667 * __ecx >> 0x20 >> 4;
						__edx = __edx >> 0x1f;
						__edx = __edx + (__edx >> 0x1f);
						__eax = __ecx;
						__ebp = __edx;
						asm("cdq");
						__ebp = __edx * _a68;
						__eax = __ecx - __edx;
						__ecx = __ecx - __edx;
						__eax = 0x66666667;
						__edx = 0x66666667 * __ebx >> 0x20;
						__eax = 0x66666667 * __ebx;
						__edx = 0x66666667 * __ebx >> 0x20 >> 4;
						__edx = __edx >> 0x1f;
						__edx = __edx + (__edx >> 0x1f);
						__eax = __ebx;
						__edx = __edx * _a68;
						__ebx = _a52;
						_a76 = __edx;
						asm("cdq");
						__ecx = __ecx >> 1;
						__eax = __eax - __edx;
						__edx = __ebp + __ecx;
						__ecx = __ecx - __ebp;
						__edx = __edx + _a52;
						__ebp = _a52;
						__edx = _a76;
						__eax = __eax >> 1;
						__ecx = __ecx + _a52;
						__ebx = __eax + _a76;
						__edx = _a48;
						__ebx = __eax + _a76 + __edx;
						__eax = __eax - _a76;
						__eax = __eax + __edx;
						__ebx = __eax;
						__ebp = SelectClipRgn(__edi, __ebx);
						__eax = _v8;
						if(_v8 == 0) {
							__edx =  *(__esi + 4);
							__eax = PlayMetaFile(__edi,  *(__esi + 4));
						} else {
							__eax = _a48;
							__ecx =  *(__esi + 0x28);
							__edx =  *(__esi + 0x24);
							__eax = _a28;
							__ecx = _a24;
							__eax = BitBlt(__edi, _a24, _a28,  *(__esi + 0x24),  *(__esi + 0x28), _a48, 0, 0, 0xcc0020);
						}
						__eax = SelectObject(__edi, __ebp);
						if(__ebx != 0) {
							__eax = DeleteObject(__ebx);
						}
						__ebx = GetTickCount;
						__eax = GetTickCount();
						__ebp = _v4;
						while(__eax < 0x19) {
							__eax = GetTickCount();
						}
						__eax = _a28;
						__eax = _a28 + 1;
						_a28 = __eax;
					} while (__eax < 0x14);
					SelectClipRgn(__edi, 0) = _v32;
					if(_v32 == 0) {
						__edx =  *(__esi + 4);
						__eax = PlayMetaFile(__edi,  *(__esi + 4));
						L17:
						_push( *((intOrPtr*)(_t89 + 4)));
						PlayMetaFile(_t87, ??);
					} else {
						__eax = _a24;
						__ecx =  *(__esi + 0x28);
						__edx =  *(__esi + 0x24);
						__eax = _a4;
						__ecx = _v0;
						__eax = BitBlt(__edi, _v0, _a4,  *(__esi + 0x24),  *(__esi + 0x28), _a24, 0, 0, 0xcc0020);
						goto L1;
					}
				}
				DeleteDC(_a64);
				RestoreDC(_t87, _a32);
				return 1;
			}

0x0045a90f
0x0045a914
0x0045a6ac
0x0045a6b2
0x00000000
0x0045a6b8
0x0045a6b8
0x0045a6c1
0x0045b0b3
0x0045b0b6
0x0045b0e7
0x0045a6c7
0x0045a6c7
0x0045a6d0
0x00000000
0x0045a6d6
0x0045a6f1
0x0045a6f1
0x0045a6d0
0x0045a6c1
0x0045a91a
0x0045a91a
0x0045a920
0x0045a925
0x0045a928
0x0045a92c
0x0045a92c
0x0045a92e
0x0045a931
0x0045a935
0x0045a93a
0x0045a93d
0x0045a93d
0x0045a93f
0x0045a944
0x0045a947
0x0045a949
0x0045a94b
0x0045a94d
0x0045a94e
0x0045a953
0x0045a955
0x0045a957
0x0045a95c
0x0045a95c
0x0045a95e
0x0045a963
0x0045a966
0x0045a968
0x0045a96a
0x0045a96f
0x0045a973
0x0045a977
0x0045a978
0x0045a97a
0x0045a97c
0x0045a97f
0x0045a981
0x0045a983
0x0045a988
0x0045a98c
0x0045a98e
0x0045a990
0x0045a993
0x0045a997
0x0045a99b
0x0045a99f
0x0045a9a8
0x0045a9b2
0x0045a9b4
0x0045a9ba
0x0045a9e5
0x0045a9ea
0x0045a9bc
0x0045a9bc
0x0045a9c0
0x0045a9c3
0x0045a9d0
0x0045a9d5
0x0045a9dd
0x0045a9dd
0x0045a9f2
0x0045a9fa
0x0045a9fd
0x0045a9fd
0x0045aa03
0x0045aa09
0x0045aa0b
0x0045aa14
0x0045aa16
0x0045aa1a
0x0045aa1f
0x0045aa23
0x0045aa27
0x0045aa27
0x0045aa3a
0x0045aa40
0x0045aa6e
0x0045aa73
0x0045aa79
0x0045aa7c
0x0045aa7e
0x0045aa42
0x0045aa42
0x0045aa46
0x0045aa49
0x0045aa56
0x0045aa5b
0x0045aa63
0x00000000
0x0045aa63
0x0045aa40
0x0045aa89
0x0045aa95
0x0045aaa7

APIs

BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,00CC0020), ref: 0045A6F1
GetTickCount.KERNEL32 ref: 0045A92C
CreateRectRgn.GDI32(?,?,?,?), ref: 0045A9A2
SelectClipRgn.GDI32(?,00000000), ref: 0045A9AC
BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,00CC0020), ref: 0045A9DD
PlayMetaFile.GDI32(?,?), ref: 0045A9EA
SelectObject.GDI32(?,00000000), ref: 0045A9F2
DeleteObject.GDI32(00000000), ref: 0045A9FD
GetTickCount.KERNEL32 ref: 0045AA09
GetTickCount.KERNEL32 ref: 0045AA16
SelectClipRgn.GDI32(?,00000000), ref: 0045AA34
BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,00CC0020), ref: 0045AA63
PlayMetaFile.GDI32(?,?), ref: 0045AA73
PlayMetaFile.GDI32(?,00000002), ref: 0045AA7E
DeleteDC.GDI32(?), ref: 0045AA89
RestoreDC.GDI32(?,?), ref: 0045AA95

Strings

gfff, xrefs: 0045A957
gfff, xrefs: 0045A935

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: CountFileMetaPlaySelectTick$ClipDeleteObject$CreateRectRestore
String ID: gfff$gfff
API String ID: 810619228-3084402119
Opcode ID: 2a9b5260db887c915ff9bc1d5b919f19ce4aa7face89f030a06f5a7eab4a8504
Instruction ID: e348f09a24d05c20dc7e26330d63cb0753aa065f6dddb53b5d0631eaf846c1bc
Opcode Fuzzy Hash: 2a9b5260db887c915ff9bc1d5b919f19ce4aa7face89f030a06f5a7eab4a8504
Instruction Fuzzy Hash: 2D510871208300AFD314CF69DD84A2BB7F9EBC9B05F144A2DFA85C7251E664EC458B6A

Uniqueness

Uniqueness Score: -1.00%

Function 00404339 Relevance: 30.0, APIs: 1, Strings: 16, Instructions: 299
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E00404339(intOrPtr __ecx) {
				void* _t123;
				char* _t134;
				char* _t141;
				char* _t169;
				void* _t175;
				void* _t176;
				char* _t181;
				void* _t184;
				void* _t188;
				intOrPtr* _t205;
				intOrPtr* _t209;
				intOrPtr* _t216;
				void* _t236;
				void* _t248;
				intOrPtr* _t257;
				void* _t260;
				void* _t261;
				void* _t263;
				void* _t264;
				intOrPtr _t266;
				intOrPtr _t267;
				intOrPtr* _t268;
				intOrPtr _t269;
				intOrPtr _t270;
				intOrPtr* _t271;
				intOrPtr _t272;
				intOrPtr _t273;
				intOrPtr _t274;
				intOrPtr _t275;
				intOrPtr* _t276;
				intOrPtr _t277;
				intOrPtr _t278;

				L0043B644(0x45f32a, _t261);
				_t264 = _t263 - 0x190;
				_t257 = __ecx + 4;
				 *((intOrPtr*)(_t261 - 0x18)) = __ecx;
				_t123 =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 4)) + 0x2c))();
				if( *((intOrPtr*)(_t123 + 1)) != 0) {
					E00404735( *((intOrPtr*)( *_t257 + 0x2c))(), _t261 - 0x70);
					 *(_t261 - 4) = 0;
					if( *((intOrPtr*)(_t261 - 0x64)) == 0) {
						if( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t261 - 0x18)) + 4)) + 0x2c))() + 0x12)) == 0) {
							_t169 = L"setup.log";
							 *((intOrPtr*)(_t261 - 0x48)) = 0x46757c;
							 *((intOrPtr*)(_t261 - 0x28)) = 0x467574;
							__eflags = _t169;
							if(_t169 == 0) {
								_t169 = 0x47e150;
							}
							L0040176A(_t261 - 0x48);
							 *(_t261 - 4) = 5;
							_t175 = E00404705( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t261 - 0x18)) + 4)) + 0x2c))(_t169, _t261 - 0xd, 0), _t261 - 0xe8);
							 *(_t261 - 4) = 6;
							_push(_t261 - 0x48);
							_push(_t261 - 0xc0);
							_t176 = L00405670(_t175, __eflags);
							 *(_t261 - 4) = 7;
							L00401A1E(_t261 - 0x70, _t176);
							 *(_t261 - 4) = 6;
							L0040125C(_t261 - 0xc0);
							 *(_t261 - 4) = 5;
							L0040125C(_t261 - 0xe8);
							 *(_t261 - 4) = 0;
							_t236 = _t261 - 0x48;
						} else {
							_t181 = L"setup.log";
							 *((intOrPtr*)(_t261 - 0x48)) = 0x46757c;
							 *((intOrPtr*)(_t261 - 0x28)) = 0x467574;
							_t283 = _t181;
							if(_t181 == 0) {
								_t181 = 0x47e150;
							}
							_push(0);
							_push(_t261 - 0xd);
							_push(_t181);
							L0040176A(_t261 - 0x48);
							_push(0);
							_push(_t261 - 0xc0);
							 *(_t261 - 4) = 1;
							_t184 = E00404765();
							_push(0);
							_push(_t184);
							 *(_t261 - 4) = 2;
							 *((intOrPtr*)(_t261 - 0x98)) = 0x46757c;
							 *((intOrPtr*)(_t261 - 0x78)) = 0x467574;
							L00401CDD(_t261 - 0x98);
							_push(_t261 - 0x48);
							_push(_t261 - 0xe8);
							 *(_t261 - 4) = 3;
							_t188 = L00405670(_t261 - 0x98, _t283);
							 *(_t261 - 4) = 4;
							L00401A1E(_t261 - 0x70, _t188);
							 *(_t261 - 4) = 3;
							L0040125C(_t261 - 0xe8);
							 *(_t261 - 4) = 2;
							L0040125C(_t261 - 0x98);
							 *(_t261 - 4) = 1;
							L0040125C(_t261 - 0xc0);
							 *(_t261 - 4) = 0;
							_t236 = _t261 - 0x48;
						}
						L0040125C(_t236);
					}
					L0043334B(_t261 - 0x19c, _t283);
					_push(0);
					_t266 = _t264 - 0x28;
					 *(_t261 - 4) = 8;
					 *((intOrPtr*)(_t261 - 0x20)) = _t266;
					L00401732(_t266, "=", _t261 - 0xd, 1);
					_t267 = _t266 - 0x28;
					 *((intOrPtr*)(_t261 - 0x1c)) = _t267;
					 *(_t261 - 4) = 9;
					L00401708(_t267, _t261 - 0x70, 1);
					 *(_t261 - 4) = 8;
					E004336A5(_t261 - 0x19c, _t248, _t283);
					_t268 = _t267 - 0x28;
					_t134 = L"Log File";
					_t205 = _t268;
					_t284 = _t134;
					 *((intOrPtr*)(_t261 - 0x1c)) = _t268;
					 *_t205 = 0x46757c;
					 *((intOrPtr*)(_t205 + 0x20)) = 0x467574;
					if(_t134 == 0) {
						_t134 = 0x47e150;
					}
					_push(0);
					_push(_t261 - 0xd);
					_push(_t134);
					L0040176A(_t205);
					_t269 = _t268 - 0x28;
					 *((intOrPtr*)(_t261 - 0x20)) = _t269;
					 *(_t261 - 4) = 0xa;
					L00401732(_t269, L"File", _t261 - 0xe, 1);
					_t270 = _t269 - 0x28;
					 *((intOrPtr*)(_t261 - 0x14)) = _t270;
					 *(_t261 - 4) = 0xb;
					L00401732(_t270, L"InstallShield Silent", _t261 - 0xf, 1);
					 *(_t261 - 4) = 8;
					E00434662(_t261 - 0x19c, _t261 - 0xd, _t284);
					_t271 = _t270 - 0x28;
					_t141 = L"v7.00";
					_t209 = _t271;
					_t285 = _t141;
					 *((intOrPtr*)(_t261 - 0x14)) = _t271;
					 *_t209 = 0x46757c;
					 *((intOrPtr*)(_t209 + 0x20)) = 0x467574;
					if(_t141 == 0) {
						_t141 = 0x47e150;
					}
					_t252 = _t261 - 0xf;
					_push(0);
					_push(_t261 - 0xf);
					_push(_t141);
					L0040176A(_t209);
					_t272 = _t271 - 0x28;
					 *((intOrPtr*)(_t261 - 0x1c)) = _t272;
					 *(_t261 - 4) = 0xc;
					L00401732(_t272, L"Version", _t261 - 0xe, 1);
					_t273 = _t272 - 0x28;
					 *((intOrPtr*)(_t261 - 0x20)) = _t273;
					 *(_t261 - 4) = 0xd;
					L00401732(_t273, L"InstallShield Silent", _t261 - 0xd, 1);
					 *(_t261 - 4) = 8;
					E00434662(_t261 - 0x19c, _t261 - 0xf, _t285);
					_push( *((intOrPtr*)( *((intOrPtr*)(_t261 - 0x18)) + 0x390)));
					_t274 = _t273 - 0x28;
					 *((intOrPtr*)(_t261 - 0x14)) = _t274;
					L00401732(_t274, L"ResultCode", _t261 - 0xf, 1);
					_t275 = _t274 - 0x28;
					 *((intOrPtr*)(_t261 - 0x1c)) = _t275;
					 *(_t261 - 4) = 0xe;
					L00401732(_t275, L"ResponseResult", _t261 - 0xe, 1);
					 *(_t261 - 4) = 8;
					E004346F8(_t261 - 0x19c, _t261 - 0xf, _t285);
					_t276 = _t275 - 0x28;
					 *((intOrPtr*)(_t261 - 0x14)) = _t276;
					_t216 = _t276;
					_push(0);
					_push( *((intOrPtr*)(_t261 - 0x18)) + 0x2c4);
					 *_t216 = 0x46757c;
					 *((intOrPtr*)(_t216 + 0x20)) = 0x467574;
					L00401CDD(_t216);
					_t277 = _t276 - 0x28;
					 *((intOrPtr*)(_t261 - 0x1c)) = _t277;
					 *(_t261 - 4) = 0xf;
					_t260 = 1;
					L00401732(_t277, L"ErrorInfo", _t261 - 0xf, _t260);
					_t278 = _t277 - 0x28;
					 *((intOrPtr*)(_t261 - 0x20)) = _t278;
					 *(_t261 - 4) = 0x10;
					L00401732(_t278, L"ExtendedError", _t261 - 0xe, _t260);
					 *(_t261 - 4) = 8;
					E00434662(_t261 - 0x19c, _t261 - 0xf, _t285);
					_push(_t260);
					_push(0);
					_push(0);
					 *((intOrPtr*)(_t261 - 0x14)) = _t278 - 0x28;
					L00401708(_t278 - 0x28, _t261 - 0x70, _t260);
					L00433C3E(_t261 - 0x19c, _t252);
					 *(_t261 - 4) = 0;
					L00433631(_t261 - 0x19c, _t285);
					 *(_t261 - 4) =  *(_t261 - 4) | 0xffffffff;
					_t123 = L0040125C(_t261 - 0x70);
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t261 - 0xc));
				return _t123;
			}

0x0040433e
0x00404343
0x0040434e
0x00404351
0x00404357
0x0040435f
0x00404372
0x0040437a
0x00404387
0x0040439c
0x00404452
0x00404457
0x0040445c
0x0040445f
0x00404461
0x00404463
0x00404463
0x00404471
0x0040447c
0x0040448f
0x00404497
0x0040449b
0x004044a2
0x004044a5
0x004044ae
0x004044b2
0x004044bd
0x004044c1
0x004044cc
0x004044d0
0x004044d5
0x004044d8
0x004043a2
0x004043a2
0x004043a7
0x004043ac
0x004043af
0x004043b1
0x004043b3
0x004043b3
0x004043bb
0x004043bc
0x004043bd
0x004043c1
0x004043cc
0x004043cd
0x004043ce
0x004043d2
0x004043d9
0x004043da
0x004043e1
0x004043e5
0x004043eb
0x004043ee
0x004043fc
0x00404403
0x00404404
0x00404408
0x00404411
0x00404415
0x00404420
0x00404424
0x0040442f
0x00404433
0x0040443e
0x00404442
0x00404447
0x0040444a
0x0040444a
0x004044db
0x004044db
0x004044e6
0x004044eb
0x004044ef
0x004044f2
0x004044f8
0x00404503
0x00404508
0x00404510
0x00404516
0x0040451a
0x00404525
0x00404529
0x0040452e
0x00404531
0x00404536
0x0040453a
0x0040453c
0x0040453f
0x00404541
0x00404544
0x00404546
0x00404546
0x0040454e
0x0040454f
0x00404550
0x00404551
0x00404556
0x0040455e
0x00404569
0x0040456d
0x00404572
0x0040457a
0x00404585
0x00404589
0x00404594
0x00404598
0x0040459d
0x004045a0
0x004045a5
0x004045a9
0x004045ab
0x004045ae
0x004045b0
0x004045b3
0x004045b5
0x004045b5
0x004045ba
0x004045bd
0x004045be
0x004045bf
0x004045c0
0x004045c5
0x004045cd
0x004045d8
0x004045dc
0x004045e1
0x004045e9
0x004045f4
0x004045f8
0x00404603
0x00404607
0x0040460f
0x00404618
0x0040461d
0x00404628
0x0040462d
0x00404635
0x00404640
0x00404644
0x0040464f
0x00404653
0x0040465b
0x0040465e
0x00404661
0x00404668
0x00404669
0x0040466a
0x0040466c
0x0040466f
0x00404674
0x0040467c
0x00404681
0x00404685
0x0040468d
0x00404692
0x0040469a
0x0040469e
0x004046a8
0x004046b3
0x004046b7
0x004046bc
0x004046bd
0x004046be
0x004046c7
0x004046cc
0x004046d7
0x004046e2
0x004046e5
0x004046ea
0x004046f1
0x004046f1
0x004046fb
0x00404704

APIs

__EH_prolog.LIBCMT ref: 0040433E

Strings

ExtendedError, xrefs: 004046A3
PG, xrefs: 004043B3
PG, xrefs: 00404546
PG, xrefs: 004045B5
v7.00, xrefs: 004045A0, 004045BF
|uF, xrefs: 0040437D
Log File, xrefs: 00404531, 00404550
PG, xrefs: 00404463
Version, xrefs: 004045D3
ErrorInfo, xrefs: 00404688
ResultCode, xrefs: 00404623
setup.log, xrefs: 004043A2, 004043BD, 00404452, 0040446D
InstallShield Silent, xrefs: 00404580, 004045EF
tuF, xrefs: 00404382
ResponseResult, xrefs: 0040463B
File, xrefs: 00404564

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: H_prolog
String ID: ErrorInfo$ExtendedError$File$InstallShield Silent$Log File$PG$PG$PG$PG$ResponseResult$ResultCode$Version$setup.log$tuF$v7.00$|uF
API String ID: 3519838083-55713287
Opcode ID: 3953d0e1e557fa30396655d6d3a683f65d9979ba23db35bda1fc852ec39e4b64
Instruction ID: 69df9049987981d53d622eaabcac4e0594b4232046d63e28a0513474bd2a6575
Opcode Fuzzy Hash: 3953d0e1e557fa30396655d6d3a683f65d9979ba23db35bda1fc852ec39e4b64
Instruction Fuzzy Hash: E3C1E870D01248EFDB14EBA9C956BEDBBB8AF45304F10809EE40977282DB785B48CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0045AAA8 Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 150
windowfileCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0045AAA8(void* __esi, int _a4, int _a12, intOrPtr _a16, int _a20, int _a24, int _a28, int _a32, int _a40, void* _a44, struct HDC__* _a48, int _a52, struct HDC__* _a64, signed int _a68, struct HDC__* _a72) {
				int _v0;
				int _v8;
				int _v32;
				struct HDC__* __edi;
				int _t63;
				int _t68;
				struct HDC__* _t78;
				void* _t80;

				_t80 = __esi;
				if( *((intOrPtr*)(__esi + 0x18)) == 0) {
					__eax = 1;
					 *(__esi + 0x18) = 1;
					_a68 = 1;
					do {
						__eax = GetTickCount();
						__ebx =  *(__esi + 0x24);
						__eax = 0x66666667;
						__edx = 0x66666667 * __ebx >> 0x20;
						__eax = 0x66666667 * __ebx;
						__edx = 0x66666667 * __ebx >> 0x20 >> 4;
						__edx = __edx >> 0x1f;
						__edx = __edx + (__edx >> 0x1f);
						__eax = __ebx;
						__ecx = __edx;
						__ecx = __edx * _a68;
						asm("cdq");
						__eax = __ebx - __edx;
						__edx = _a52;
						__edx = __edx +  *(__esi + 0x28);
						__eax = __eax >> 1;
						__ebx = __eax + __ecx;
						__eax = __eax - __ecx;
						__ebx = __ebx + _a48;
						__ecx = _a48;
						__eax = _a48 + __eax;
						__ebx = __eax;
						_a52 = SelectClipRgn(__edi, __ebx);
						__eax = _v8;
						if(_v8 == 0) {
							 *(__esi + 4) = PlayMetaFile(__edi,  *(__esi + 4));
						} else {
							__ecx = _a48;
							__edx =  *(__esi + 0x28);
							__eax =  *(__esi + 0x24);
							__ecx = _a28;
							__edx = _a24;
							__eax = BitBlt(__edi, _a24, _a28,  *(__esi + 0x24),  *(__esi + 0x28), _a48, 0, 0, 0xcc0020);
						}
						__ecx = _a44;
						__eax = SelectObject(__edi, _a44);
						if(__ebx != 0) {
							__eax = DeleteObject(__ebx);
						}
						__ebx = GetTickCount;
						__eax = GetTickCount();
						if(__eax >= 0x19) {
							goto L18;
						} else {
							goto L17;
						}
						do {
							L17:
							__eax = GetTickCount();
						} while (__eax < 0x19);
						L18:
						__eax = _a28;
						__eax = _a28 + 1;
						_a28 = __eax;
					} while (__eax < 0x14);
					SelectClipRgn(__edi, 0) = _v32;
					if(_v32 == 0) {
						__ecx =  *(__esi + 4);
						_push( *(__esi + 4));
						L7:
						PlayMetaFile(_t78, ??);
						L8:
						DeleteDC(_a64);
						RestoreDC(_t78, _a32);
						return 1;
					}
					__edx = _a24;
					__eax =  *(__esi + 0x28);
					__ecx =  *(__esi + 0x24);
					__edx = _a4;
					_v0 = BitBlt(__edi, _v0, _a4,  *(__esi + 0x24),  *(__esi + 0x28), _a24, 0, 0, 0xcc0020);
					goto L8;
				}
				if(_a16 == 0) {
					_push( *((intOrPtr*)(__esi + 4)));
					goto L7;
				}
				_t68 =  *(__esi + 0x24);
				if(_a28 != _t68) {
					L21:
					SetStretchBltMode(_t78, 3);
					StretchBlt(_t78, _a40, _a44, _a20, _a12, _a64, 0, 0,  *(_t80 + 0x24),  *(_t80 + 0x28), 0xcc0020);
					goto L8;
				}
				_t63 =  *(__esi + 0x28);
				if(_a20 != _t63) {
					goto L21;
				}
				BitBlt(_t78, _a48, _a52, _t68, _t63, _a72, 0, 0, 0xcc0020);
				goto L8;
			}

0x0045aaa8
0x0045aaad
0x0045aab3
0x0045aab8
0x0045aabb
0x0045aabf
0x0045aabf
0x0045aac5
0x0045aaca
0x0045aacf
0x0045aacf
0x0045aad1
0x0045aad6
0x0045aad9
0x0045aadb
0x0045aadd
0x0045aadf
0x0045aae4
0x0045aae5
0x0045aae7
0x0045aaed
0x0045aaf0
0x0045aaf3
0x0045aaf6
0x0045aaf8
0x0045aafc
0x0045ab00
0x0045ab0b
0x0045ab15
0x0045ab19
0x0045ab1f
0x0045ab4f
0x0045ab21
0x0045ab21
0x0045ab25
0x0045ab28
0x0045ab35
0x0045ab3a
0x0045ab42
0x0045ab42
0x0045ab55
0x0045ab5b
0x0045ab63
0x0045ab66
0x0045ab66
0x0045ab6c
0x0045ab72
0x0045ab79
0x00000000
0x00000000
0x00000000
0x00000000
0x0045ab7b
0x0045ab7b
0x0045ab7b
0x0045ab7f
0x0045ab84
0x0045ab84
0x0045ab88
0x0045ab8c
0x0045ab8c
0x0045ab9f
0x0045aba5
0x0045a7c9
0x0045a7cc
0x0045aa7d
0x0045aa7e
0x0045aa84
0x0045aa89
0x0045aa95
0x0045aaa7
0x0045aaa7
0x0045abab
0x0045abaf
0x0045abb2
0x0045abbf
0x0045abcc
0x00000000
0x0045abcc
0x0045a6b2
0x0045aa7c
0x00000000
0x0045aa7c
0x0045a6b8
0x0045a6c1
0x0045b0b3
0x0045b0b6
0x0045b0e7
0x00000000
0x0045b0e7
0x0045a6c7
0x0045a6d0
0x00000000
0x00000000
0x0045a6f1
0x00000000

APIs

BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,00CC0020), ref: 0045A6F1
DeleteDC.GDI32(?), ref: 0045AA89
RestoreDC.GDI32(?,?), ref: 0045AA95
GetTickCount.KERNEL32 ref: 0045AABF
CreateRectRgn.GDI32(?,?,?,?), ref: 0045AB05
SelectClipRgn.GDI32(?,00000000), ref: 0045AB0F
BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,00CC0020), ref: 0045AB42
PlayMetaFile.GDI32(?,?), ref: 0045AB4F
SelectObject.GDI32(?,?), ref: 0045AB5B
DeleteObject.GDI32(00000000), ref: 0045AB66
GetTickCount.KERNEL32 ref: 0045AB72
GetTickCount.KERNEL32 ref: 0045AB7B
SelectClipRgn.GDI32(?,00000000), ref: 0045AB99
BitBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 0045ABCC

Strings

gfff, xrefs: 0045AACA

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: CountSelectTick$ClipDeleteObject$CreateFileMetaPlayRectRestore
String ID: gfff
API String ID: 199450011-1553575800
Opcode ID: bf6c7b22d7d2d40a16f4dbcab0e9203f29752ae213d262cbd6c6f2db350ba64e
Instruction ID: 697086a72c3be43f3f9307e5d3bcd2985b8bb5c6eea17750a9ae523c7e99c66e
Opcode Fuzzy Hash: bf6c7b22d7d2d40a16f4dbcab0e9203f29752ae213d262cbd6c6f2db350ba64e
Instruction Fuzzy Hash: 3D512E74208301AFD314CB69DD84F2BB7F9EB89B05F104A2DFA46C7251D664FC458B6A

Uniqueness

Uniqueness Score: -1.00%

Function 0041E31C Relevance: 26.5, APIs: 3, Strings: 12, Instructions: 299
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E0041E31C(intOrPtr __ecx, void* __eflags) {
				intOrPtr* _t151;
				intOrPtr* _t152;
				intOrPtr _t171;
				struct _OSVERSIONINFOW* _t179;
				struct _OSVERSIONINFOW* _t181;
				char* _t183;
				char* _t188;
				char* _t193;
				char* _t198;
				char* _t203;
				intOrPtr* _t225;
				intOrPtr* _t226;
				intOrPtr* _t227;
				intOrPtr* _t228;
				intOrPtr* _t229;
				intOrPtr* _t230;
				intOrPtr* _t231;
				intOrPtr* _t232;
				intOrPtr* _t233;
				intOrPtr* _t234;
				intOrPtr _t274;
				void* _t276;

				L0043B644(E00462407, _t276);
				_t274 = __ecx;
				_t225 = __ecx + 4;
				_push(0);
				 *((intOrPtr*)(__ecx)) = 0x4680cc;
				_push(_t276 - 0xd);
				 *((intOrPtr*)(_t276 - 0x14)) = __ecx;
				 *_t225 = 0x4675d8;
				 *((intOrPtr*)(_t225 + 0x20)) = 0x4675d0;
				L0040B243(_t225);
				_t151 = __ecx + 0x264;
				 *(__ecx + 0x25c) =  *(__ecx + 0x25c) & 0;
				 *(__ecx + 0x25d) =  *(__ecx + 0x25d) & 0;
				 *(__ecx + 0x25e) =  *(__ecx + 0x25e) & 0;
				 *(__ecx + 0x25f) =  *(__ecx + 0x25f) & 0;
				 *(__ecx + 0x261) =  *(__ecx + 0x261) & 0;
				 *(__ecx + 0x262) =  *(__ecx + 0x262) & 0;
				 *((char*)(__ecx + 0x260)) = 1;
				 *((intOrPtr*)(_t276 - 4)) = 0;
				 *_t151 = 0;
				 *((intOrPtr*)(_t151 + 4)) = 0;
				 *((intOrPtr*)(_t151 + 8)) = 0;
				_t152 = __ecx + 0x270;
				 *_t152 = 0;
				 *((intOrPtr*)(_t152 + 4)) = 0;
				 *((intOrPtr*)(_t152 + 8)) = 0;
				_t226 = __ecx + 0x27c;
				_push(0);
				_push(_t276 - 0xd);
				 *((char*)(_t276 - 4)) = 2;
				 *_t226 = 0x4675d8;
				 *((intOrPtr*)(_t226 + 0x20)) = 0x4675d0;
				L0040B243(_t226);
				_t227 = __ecx + 0x2a4;
				_push(0);
				_push(_t276 - 0xe);
				 *((char*)(_t276 - 4)) = 3;
				 *_t227 = 0x4675d8;
				 *((intOrPtr*)(_t227 + 0x20)) = 0x4675d0;
				L0040B243(_t227);
				_t228 = __ecx + 0x2cc;
				_push(0);
				_push(_t276 - 0xd);
				 *((char*)(_t276 - 4)) = 4;
				 *_t228 = 0x4675d8;
				 *((intOrPtr*)(_t228 + 0x20)) = 0x4675d0;
				L0040B243(_t228);
				_t229 = __ecx + 0x2f4;
				_push(0);
				_push(_t276 - 0xe);
				 *((char*)(_t276 - 4)) = 5;
				 *_t229 = 0x4675d8;
				 *((intOrPtr*)(_t229 + 0x20)) = 0x4675d0;
				L0040B243(_t229);
				_t230 = __ecx + 0x31c;
				_push(0);
				_push(_t276 - 0xd);
				 *((char*)(_t276 - 4)) = 6;
				 *_t230 = 0x4675d8;
				 *((intOrPtr*)(_t230 + 0x20)) = 0x4675d0;
				L0040B243(_t230);
				 *((char*)(_t276 - 4)) = 7;
				_t231 = __ecx + 0x344;
				_push(0);
				_push(_t276 - 0xe);
				 *_t231 = 0x4675d8;
				 *((intOrPtr*)(_t231 + 0x20)) = 0x4675d0;
				L0040B243(_t231);
				_t232 = __ecx + 0x36c;
				_push(0);
				_push(_t276 - 0xd);
				 *((char*)(_t276 - 4)) = 8;
				 *_t232 = 0x4675d8;
				 *((intOrPtr*)(_t232 + 0x20)) = 0x4675d0;
				L0040B243(_t232);
				_t233 = __ecx + 0x394;
				_push(0);
				_push(_t276 - 0xe);
				 *((char*)(_t276 - 4)) = 9;
				 *_t233 = 0x4675d8;
				 *((intOrPtr*)(_t233 + 0x20)) = 0x4675d0;
				L0040B243(_t233);
				 *(__ecx + 0x3bc) =  *(__ecx + 0x3bc) & 0x00000000;
				_t234 = __ecx + 0x3c0;
				_push(0);
				_push(_t276 - 0xd);
				 *((char*)(_t276 - 4)) = 0xa;
				 *_t234 = 0x4675d8;
				 *((intOrPtr*)(_t234 + 0x20)) = 0x4675d0;
				L0040B243(_t234);
				 *(__ecx + 0x3e8) =  *(__ecx + 0x3e8) & 0x00000000;
				_t171 = 1;
				 *(__ecx + 0x3ee) =  *(__ecx + 0x3ee) & 0x00000000;
				 *(__ecx + 0x40c) =  *(__ecx + 0x40c) & 0x00000000;
				 *(__ecx + 0x40d) =  *(__ecx + 0x40d) & 0x00000000;
				 *((intOrPtr*)(__ecx + 0x404)) = _t171;
				 *((intOrPtr*)(__ecx + 0x408)) = _t171;
				 *((char*)(_t276 - 4)) = 0xb;
				E004267CC(__ecx + 0x410, _t276 - 0xf, 0, _t276 - 0xe);
				 *((char*)(_t276 - 4)) = 0xc;
				 *((intOrPtr*)(__ecx + 0x420)) =  *((intOrPtr*)(_t276 + 8));
				 *((intOrPtr*)(__ecx + 0x424)) =  *((intOrPtr*)(_t276 + 0xc));
				 *((intOrPtr*)(__ecx + 0x428)) =  *((intOrPtr*)(_t276 + 0x14));
				 *((intOrPtr*)(__ecx + 0x42c)) =  *((intOrPtr*)(_t276 + 0x10));
				_t179 = __ecx + 0x2c;
				 *((intOrPtr*)(__ecx)) = 0x4680ac;
				_t179->dwOSVersionInfoSize = 0x114;
				GetVersionExW(_t179);
				_t181 = _t274 + 0x140;
				_t181->dwOSVersionInfoSize = 0x11c;
				if(GetVersionExW(_t181) == 0) {
					E0043C5B0(_t274 + 0x140, _t182, 0x11c);
				}
				_t183 = L"HKEY_CLASSES_ROOT";
				 *((intOrPtr*)(_t276 - 0x3c)) = 0x4675d8;
				 *((intOrPtr*)(_t276 - 0x1c)) = 0x4675d0;
				_t284 = _t183;
				if(_t183 == 0) {
					_t183 = 0x47e150;
				}
				_push(0);
				_push(_t276 + 0xb);
				_push(_t183);
				L0040B34B(_t276 - 0x3c);
				_push(_t276 - 0x3c);
				 *((char*)(_t276 - 4)) = 0xd;
				 *((intOrPtr*)(L00425FF7(_t274 + 0x410, _t284))) = 0x80000000;
				 *((char*)(_t276 - 4)) = 0xc;
				E004061C1(_t276 - 0x3c);
				_t188 = L"HKEY_CURRENT_USER";
				 *((intOrPtr*)(_t276 - 0x3c)) = 0x4675d8;
				 *((intOrPtr*)(_t276 - 0x1c)) = 0x4675d0;
				_t285 = _t188;
				if(_t188 == 0) {
					_t188 = 0x47e150;
				}
				_push(0);
				_push(_t276 + 0xb);
				_push(_t188);
				L0040B34B(_t276 - 0x3c);
				_push(_t276 - 0x3c);
				 *((char*)(_t276 - 4)) = 0xe;
				 *((intOrPtr*)(L00425FF7(_t274 + 0x410, _t285))) = 0x80000001;
				 *((char*)(_t276 - 4)) = 0xc;
				E004061C1(_t276 - 0x3c);
				_t193 = L"HKEY_LOCAL_MACHINE";
				 *((intOrPtr*)(_t276 - 0x3c)) = 0x4675d8;
				 *((intOrPtr*)(_t276 - 0x1c)) = 0x4675d0;
				_t286 = _t193;
				if(_t193 == 0) {
					_t193 = 0x47e150;
				}
				_push(0);
				_push(_t276 + 0xb);
				_push(_t193);
				L0040B34B(_t276 - 0x3c);
				_push(_t276 - 0x3c);
				 *((char*)(_t276 - 4)) = 0xf;
				 *((intOrPtr*)(L00425FF7(_t274 + 0x410, _t286))) = 0x80000002;
				 *((char*)(_t276 - 4)) = 0xc;
				E004061C1(_t276 - 0x3c);
				_t198 = L"HKEY_USERS";
				 *((intOrPtr*)(_t276 - 0x3c)) = 0x4675d8;
				 *((intOrPtr*)(_t276 - 0x1c)) = 0x4675d0;
				_t287 = _t198;
				if(_t198 == 0) {
					_t198 = 0x47e150;
				}
				_push(0);
				_push(_t276 + 0xb);
				_push(_t198);
				L0040B34B(_t276 - 0x3c);
				_push(_t276 - 0x3c);
				 *((char*)(_t276 - 4)) = 0x10;
				 *((intOrPtr*)(L00425FF7(_t274 + 0x410, _t287))) = 0x80000003;
				 *((char*)(_t276 - 4)) = 0xc;
				E004061C1(_t276 - 0x3c);
				_t203 = L"HKEY_PERFORMANCE_DATA";
				 *((intOrPtr*)(_t276 - 0x3c)) = 0x4675d8;
				 *((intOrPtr*)(_t276 - 0x1c)) = 0x4675d0;
				_t288 = _t203;
				if(_t203 == 0) {
					_t203 = 0x47e150;
				}
				_push(0);
				_push(_t276 + 0xb);
				_push(_t203);
				L0040B34B(_t276 - 0x3c);
				_t271 = _t274 + 0x410;
				_push(_t276 - 0x3c);
				 *((char*)(_t276 - 4)) = 0x11;
				 *((intOrPtr*)(L00425FF7(_t274 + 0x410, _t288))) = 0x80000004;
				 *((char*)(_t276 - 4)) = 0xc;
				E004061C1(_t276 - 0x3c);
				E0040A9B2(_t276 - 0x3c, L"HKEY_CURRENT_CONFIG", _t276 + 0xb, 1);
				_push(_t276 - 0x3c);
				 *((char*)(_t276 - 4)) = 0x12;
				 *((intOrPtr*)(L00425FF7(_t274 + 0x410, _t288))) = 0x80000005;
				 *((char*)(_t276 - 4)) = 0xc;
				E004061C1(_t276 - 0x3c);
				E0040A9B2(_t276 - 0x3c, L"HKEY_DYN_DATA", _t276 + 0xb, 1);
				_push(_t276 - 0x3c);
				 *((char*)(_t276 - 4)) = 0x13;
				 *((intOrPtr*)(L00425FF7(_t271, _t288))) = 0x80000006;
				 *((char*)(_t276 - 4)) = 0xc;
				E004061C1(_t276 - 0x3c);
				 *[fs:0x0] =  *((intOrPtr*)(_t276 - 0xc));
				return _t274;
			}

0x0041e321
0x0041e32b
0x0041e336
0x0041e33e
0x0041e340
0x0041e346
0x0041e347
0x0041e34a
0x0041e34c
0x0041e34f
0x0041e356
0x0041e35c
0x0041e362
0x0041e368
0x0041e36e
0x0041e374
0x0041e37a
0x0041e380
0x0041e387
0x0041e38a
0x0041e38c
0x0041e38f
0x0041e392
0x0041e398
0x0041e39a
0x0041e39d
0x0041e3a0
0x0041e3a9
0x0041e3aa
0x0041e3ab
0x0041e3af
0x0041e3b1
0x0041e3b4
0x0041e3b9
0x0041e3c2
0x0041e3c4
0x0041e3c5
0x0041e3c9
0x0041e3cb
0x0041e3ce
0x0041e3d3
0x0041e3dc
0x0041e3de
0x0041e3df
0x0041e3e3
0x0041e3e5
0x0041e3e8
0x0041e3ed
0x0041e3f6
0x0041e3f8
0x0041e3f9
0x0041e3fd
0x0041e3ff
0x0041e402
0x0041e407
0x0041e410
0x0041e412
0x0041e413
0x0041e417
0x0041e419
0x0041e41c
0x0041e421
0x0041e425
0x0041e42e
0x0041e430
0x0041e431
0x0041e433
0x0041e436
0x0041e43b
0x0041e444
0x0041e446
0x0041e447
0x0041e44b
0x0041e44d
0x0041e450
0x0041e455
0x0041e45e
0x0041e460
0x0041e461
0x0041e465
0x0041e467
0x0041e46a
0x0041e46f
0x0041e476
0x0041e47f
0x0041e481
0x0041e482
0x0041e486
0x0041e488
0x0041e48b
0x0041e492
0x0041e499
0x0041e49a
0x0041e4a1
0x0041e4a8
0x0041e4af
0x0041e4b5
0x0041e4cb
0x0041e4cf
0x0041e4d7
0x0041e4db
0x0041e4e4
0x0041e4ed
0x0041e4f6
0x0041e4fc
0x0041e500
0x0041e506
0x0041e50c
0x0041e512
0x0041e519
0x0041e527
0x0041e536
0x0041e53b
0x0041e53e
0x0041e543
0x0041e548
0x0041e54b
0x0041e54d
0x0041e54f
0x0041e54f
0x0041e557
0x0041e559
0x0041e55a
0x0041e55e
0x0041e56c
0x0041e56d
0x0041e579
0x0041e57f
0x0041e583
0x0041e588
0x0041e58d
0x0041e592
0x0041e595
0x0041e597
0x0041e599
0x0041e599
0x0041e5a1
0x0041e5a3
0x0041e5a4
0x0041e5a8
0x0041e5b6
0x0041e5b7
0x0041e5c3
0x0041e5c9
0x0041e5cd
0x0041e5d2
0x0041e5d7
0x0041e5dc
0x0041e5df
0x0041e5e1
0x0041e5e3
0x0041e5e3
0x0041e5eb
0x0041e5ed
0x0041e5ee
0x0041e5f2
0x0041e600
0x0041e601
0x0041e60d
0x0041e613
0x0041e617
0x0041e61c
0x0041e621
0x0041e626
0x0041e629
0x0041e62b
0x0041e62d
0x0041e62d
0x0041e635
0x0041e637
0x0041e638
0x0041e63c
0x0041e64a
0x0041e64b
0x0041e657
0x0041e65d
0x0041e661
0x0041e666
0x0041e66b
0x0041e670
0x0041e673
0x0041e675
0x0041e677
0x0041e677
0x0041e67f
0x0041e681
0x0041e682
0x0041e686
0x0041e68e
0x0041e694
0x0041e697
0x0041e6a3
0x0041e6a9
0x0041e6ad
0x0041e6c0
0x0041e6ca
0x0041e6cb
0x0041e6d7
0x0041e6dd
0x0041e6e1
0x0041e6f4
0x0041e6fe
0x0041e6ff
0x0041e70b
0x0041e711
0x0041e715
0x0041e722
0x0041e72a

APIs

__EH_prolog.LIBCMT ref: 0041E321

Part of subcall function 0040B243: __EH_prolog.LIBCMT ref: 0040B248
Part of subcall function 0040B243: GetLastError.KERNEL32(?,?,00000000,?,0040A625,?,00000000,?,?,0040F157,C:\CodeBases\isdev\src\Runtime\InstallScript\SetupNew\setup.cpp,?,00000001,00467574,00000000,0046757C), ref: 0040B271
Part of subcall function 0040B243: SetLastError.KERNEL32(?,00000000,?,00000000,?,0040A625,?,00000000,?,?,0040F157,C:\CodeBases\isdev\src\Runtime\InstallScript\SetupNew\setup.cpp,?,00000001,00467574,00000000), ref: 0040B29F

GetVersionExW.KERNEL32(?,?,00000000,?,00000000,00000000,?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0041E50C
GetVersionExW.KERNEL32(?), ref: 0041E51F

Part of subcall function 0040B34B: __EH_prolog.LIBCMT ref: 0040B350
Part of subcall function 0040B34B: GetLastError.KERNEL32(?,00000001,00000001,?,0044B892,?,?,00000000), ref: 0040B379
Part of subcall function 0040B34B: SetLastError.KERNEL32(?,?,00000000,00000000,?,0044B892,?,?,00000000), ref: 0040B3CE

Part of subcall function 00425FF7: __EH_prolog.LIBCMT ref: 00425FFC

Part of subcall function 004061C1: __EH_prolog.LIBCMT ref: 004061C6
Part of subcall function 004061C1: GetLastError.KERNEL32(000004B1,00000000,?,0040C82E,004675D8,?,00000000,?,00000000,004675D0,?,004675D8), ref: 004061E9
Part of subcall function 004061C1: SysFreeString.OLEAUT32(?), ref: 00406207
Part of subcall function 004061C1: SetLastError.KERNEL32(?,00000001,?,0040C82E,004675D8,?,00000000,?,00000000,004675D0,?,004675D8), ref: 00406227

Strings

HKEY_CURRENT_CONFIG, xrefs: 0041E6B8
HKEY_DYN_DATA, xrefs: 0041E6EC
HKEY_USERS, xrefs: 0041E61C, 0041E638
PG, xrefs: 0041E5E3
HKEY_LOCAL_MACHINE, xrefs: 0041E5D2, 0041E5EE
PG, xrefs: 0041E677
HKEY_CURRENT_USER, xrefs: 0041E588, 0041E5A4
PG, xrefs: 0041E54F
HKEY_CLASSES_ROOT, xrefs: 0041E53E, 0041E55A
PG, xrefs: 0041E62D
HKEY_PERFORMANCE_DATA, xrefs: 0041E666, 0041E682
PG, xrefs: 0041E599

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorLast$H_prolog$Version$FreeString
String ID: HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_DYN_DATA$HKEY_LOCAL_MACHINE$HKEY_PERFORMANCE_DATA$HKEY_USERS$PG$PG$PG$PG$PG
API String ID: 2986675962-2507498041
Opcode ID: be3dd6285b182e3386336f14c06ec7d02cce269b77053c778aa4f0b057a6a3bd
Instruction ID: 7214c658a071201edfc746e1a8e791da6888ea720e1b3ea7d60c12b02f9edb95
Opcode Fuzzy Hash: be3dd6285b182e3386336f14c06ec7d02cce269b77053c778aa4f0b057a6a3bd
Instruction Fuzzy Hash: 50D1C6B0900348EFDB15DFA5C445BDEBBF8EF18308F5084AEE559AB281DBB46605CB19

Uniqueness

Uniqueness Score: -1.00%

Function 00406737 Relevance: 25.7, APIs: 17, Instructions: 152
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406737(void* __ecx) {
				int _v8;
				struct HWND__* _v12;
				struct HWND__* _v16;
				struct tagPOINT _v24;
				struct tagRECT _v40;
				struct tagRECT _v56;
				struct tagRECT _v72;
				struct tagRECT _v88;
				struct HWND__* _t60;
				struct HWND__* _t64;
				void* _t69;
				long _t70;
				struct HWND__* _t77;
				void* _t84;
				long _t85;
				struct HWND__* _t92;
				void* _t97;
				long _t98;
				int _t105;
				int _t107;
				intOrPtr _t112;
				intOrPtr _t114;
				intOrPtr _t116;
				int _t120;
				void* _t122;
				int _t126;

				_t122 = __ecx;
				if( *((char*)(__ecx + 0xce)) == 0) {
					_t60 =  *0x47e1c8; // 0x0
					if(_t60 != 0) {
						_t60 = IsWindow(_t60);
						if(_t60 != 0) {
							 *((char*)(_t122 + 0xce)) = 1;
							GetWindowRect(GetDlgItem( *0x47e1c8, 0x3ec),  &_v40);
							_t64 = GetDlgItem( *0x47e1c8, 0x12d);
							_v12 = _t64;
							GetWindowRect(_t64,  &_v56);
							_t112 =  *0x47e1d4; // 0x2380b70
							_t105 = _v56.bottom - _v56.top;
							_v8 = _v56.right - _v56.left;
							_t11 = _t112 + 0x48; // 0x409
							_t69 = L00403BE3(_t112,  *_t11);
							_t70 = _v40.right;
							if(_t69 == 0) {
								_t70 = _v40.left;
							}
							_v24.x = _t70;
							_v24.y = _v40.top - _t105 - 0xa;
							ScreenToClient( *0x47e1c8,  &_v24);
							SetWindowPos(_v12, 0, _v24.x, _v24.y, _v8, _t105, 4);
							_t77 = GetDlgItem( *0x47e1c8, 0x3eb);
							_v16 = _t77;
							GetWindowRect(_t77,  &_v72);
							_t107 = _v72.bottom - _v72.top;
							_v8 = _v72.right - _v72.left;
							GetWindowRect(_v12,  &_v56);
							_t114 =  *0x47e1d4; // 0x2380b70
							_t31 = _t114 + 0x48; // 0x409
							_t84 = L00403BE3(_t114,  *_t31);
							_t85 = _v40.right;
							if(_t84 == 0) {
								_t85 = _v40.left;
							}
							_v24.x = _t85;
							_v24.y = _v56.top - _t107 - 0xa;
							ScreenToClient( *0x47e1c8,  &_v24);
							SetWindowPos(_v16, 0, _v24.x, _v24.y, _v8, _t107, 4);
							_t92 = GetDlgItem( *0x47e1c8, 0x40b);
							_v12 = _t92;
							GetWindowRect(_t92,  &_v88);
							GetWindowRect(_v16,  &_v72);
							_t116 =  *0x47e1d4; // 0x2380b70
							_t49 = _t116 + 0x48; // 0x409
							_t120 = _v88.right - _v88.left;
							_t126 = _v72.top - _v88.top - 0xa;
							_t97 = L00403BE3(_t116,  *_t49);
							_t98 = _v40.right;
							if(_t97 == 0) {
								_t98 = _v40.left;
							}
							_v24.x = _t98;
							_v24.y = _v88.top;
							ScreenToClient( *0x47e1c8,  &_v24);
							return SetWindowPos(_v12, 0, _v24, _v24.y, _t120, _t126, 4);
						}
					}
				}
				return _t60;
			}

0x0040673e
0x00406747
0x0040674d
0x00406754
0x0040675b
0x00406763
0x0040677a
0x00406790
0x0040679d
0x004067a2
0x004067a7
0x004067ac
0x004067b8
0x004067bb
0x004067be
0x004067c3
0x004067ca
0x004067cd
0x004067cf
0x004067cf
0x004067d2
0x004067dd
0x004067ea
0x00406801
0x00406812
0x00406817
0x0040681c
0x00406827
0x0040682a
0x00406834
0x00406836
0x0040683c
0x00406841
0x00406848
0x0040684b
0x0040684d
0x0040684d
0x00406850
0x0040685b
0x00406868
0x00406885
0x00406892
0x00406897
0x0040689c
0x004068a5
0x004068a7
0x004068b6
0x004068ba
0x004068be
0x004068c1
0x004068c8
0x004068cb
0x004068cd
0x004068cd
0x004068d0
0x004068d6
0x004068e3
0x00000000
0x004068fb
0x00406763
0x00406754
0x004068fe

APIs

IsWindow.USER32(00000000), ref: 0040675B
GetDlgItem.USER32 ref: 00406787
GetWindowRect.USER32 ref: 00406790
GetDlgItem.USER32 ref: 0040679D
GetWindowRect.USER32 ref: 004067A7
ScreenToClient.USER32 ref: 004067EA
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00406801
GetDlgItem.USER32 ref: 00406812
GetWindowRect.USER32 ref: 0040681C
GetWindowRect.USER32 ref: 00406834
ScreenToClient.USER32 ref: 00406868
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00406885
GetDlgItem.USER32 ref: 00406892
GetWindowRect.USER32 ref: 0040689C
GetWindowRect.USER32 ref: 004068A5
ScreenToClient.USER32 ref: 004068E3
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 004068F8

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: Window$Rect$Item$ClientScreen
String ID:
API String ID: 1521148189-0
Opcode ID: 513460564171d0fbba7a3fb6e77f898ac6f73b8eb34244815720f6b242f31c85
Instruction ID: da889022872e38ddbdb91aa86c985a3a4caae8a3b65046fa0f8adf5f303b3787
Opcode Fuzzy Hash: 513460564171d0fbba7a3fb6e77f898ac6f73b8eb34244815720f6b242f31c85
Instruction Fuzzy Hash: 7551E476900219AFDF01DFE9DD84AAEBBB9EB08304F1001A5E901B7260D775AE45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00416819 Relevance: 25.0, APIs: 3, Strings: 11, Instructions: 474
stringCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00416819(intOrPtr __ecx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				WCHAR* _t187;
				char _t190;
				char* _t196;
				char* _t198;
				void* _t203;
				void* _t208;
				void* _t219;
				void* _t224;
				void* _t238;
				void* _t239;
				void* _t245;
				void* _t250;
				void* _t251;
				void* _t257;
				void* _t258;
				void* _t274;
				void* _t279;
				void* _t297;
				void* _t302;
				void* _t312;
				void* _t317;
				char _t324;
				intOrPtr _t442;
				intOrPtr _t444;
				char* _t447;
				intOrPtr* _t448;
				void* _t449;
				void* _t451;
				void* _t453;
				intOrPtr _t454;
				intOrPtr _t457;
				intOrPtr _t458;
				intOrPtr _t459;
				intOrPtr _t460;
				intOrPtr _t462;
				intOrPtr _t464;
				intOrPtr _t465;
				intOrPtr _t466;
				intOrPtr _t467;
				intOrPtr _t468;

				L0043B644(0x46171e, _t449);
				_t444 = __ecx;
				_t439 = __ecx + 8;
				 *((intOrPtr*)(_t449 - 0x1c)) = __ecx;
				 *((intOrPtr*)(_t449 - 0xe8)) = __ecx;
				L0043B670(_t449 - 0x128, __ecx + 8, 0x40);
				_t453 = _t451 - 0x4b4 + 0xc;
				_push(1);
				_t324 = 0;
				_push(_t449 - 0x15);
				_push("C:\\CodeBases\\isdev\\src\\Runtime\\InstallScript\\SetupNew\\setup.cpp");
				 *((intOrPtr*)(_t449 - 4)) = 0;
				_t187 =  *(E0040A5F5(_t449 - 0x4c0) + 8);
				if(_t187 == 0) {
					_t187 = 0x4675e4;
				}
				lstrcpyW(_t444 + 0x50, _t187);
				E004061C1(_t449 - 0x4c0);
				_t190 = E0043C804(_t324, _t439, _t444 + 0x50, _t449, _t439, 3, 0x43b31a,  *((intOrPtr*)(_t449 - 4)), 0x46cda8);
				_t454 = _t453 + 0x14;
				if(_t190 != _t324) {
					_t324 = _t190;
				} else {
					_t447 = L"layout.bin";
					_t196 = _t447;
					 *((intOrPtr*)(_t449 - 0x94)) = 0x46757c;
					 *((intOrPtr*)(_t449 - 0x74)) = 0x467574;
					if(_t196 == 0) {
						_t196 = 0x47e150;
					}
					_push(_t324);
					_push(_t449 - 0x14);
					_push(_t196);
					_t14 = _t449 - 0x94; // 0x46757c
					L0040176A(_t14);
					_t198 = _t447;
					 *((char*)(_t449 - 4)) = 1;
					_t473 = _t198;
					 *((intOrPtr*)(_t449 - 0x6c)) = 0x46757c;
					 *((intOrPtr*)(_t449 - 0x4c)) = 0x467574;
					if(_t198 == 0) {
						_t198 = 0x47e150;
					}
					_t19 = _t449 - 0x6c; // 0x46757c
					L0040176A(_t19);
					_t442 =  *((intOrPtr*)(_t449 - 0x1c));
					_t448 = _t442 + 4;
					 *((char*)(_t449 - 4)) = 2;
					_t203 = E004083DD( *((intOrPtr*)( *((intOrPtr*)(_t442 + 4)) + 0x2c))(0x477, _t198, _t449 - 0x13, _t324), _t449 - 0x3f8);
					_t457 = _t454 - 0x28;
					_t26 = _t449 - 0x94; // 0x46757c
					 *((intOrPtr*)(_t449 - 0x10)) = _t457;
					 *((char*)(_t449 - 4)) = 3;
					L00405670(_t203, _t473);
					 *((char*)(_t449 - 4)) = 4;
					_t208 = E00404705( *((intOrPtr*)( *_t448 + 0x2c))(_t457, _t26), _t449 - 0x150);
					_t458 = _t457 - 0x28;
					_t32 = _t449 - 0x6c; // 0x46757c
					_t435 = _t32;
					 *((intOrPtr*)(_t449 - 0x40)) = _t458;
					 *((char*)(_t449 - 4)) = 5;
					L00405670(_t208, _t473);
					 *((char*)(_t449 - 4)) = 6;
					L00415C13(_t442, E00416E73(_t442, _t32, _t473), _t458);
					 *((char*)(_t449 - 4)) = 3;
					L0040125C(_t449 - 0x150);
					 *((char*)(_t449 - 4)) = 2;
					L0040125C(_t449 - 0x3f8);
					_t40 = _t449 - 0x6c; // 0x46757c
					 *((char*)(_t449 - 4)) = 1;
					L0040125C(_t40);
					_t42 = _t449 - 0x94; // 0x46757c
					 *((char*)(_t449 - 4)) = _t324;
					L0040125C(_t42);
					_t219 = L00412DE1( *((intOrPtr*)( *_t448 + 0x2c))(_t32));
					 *((char*)(_t449 - 4)) = 7;
					 *((intOrPtr*)(_t449 - 0x10)) = L004056FB(_t219, _t448, _t473);
					 *((char*)(_t449 - 4)) = 8;
					_t224 = E004083DD( *((intOrPtr*)( *_t448 + 0x2c))(), _t449 - 0x1c8);
					_t459 = _t458 - 0x28;
					 *((char*)(_t449 - 4)) = 9;
					 *((intOrPtr*)(_t449 - 0x38)) = _t459;
					L00405670(_t224, _t473);
					_t460 = _t459 - 0x28;
					 *((intOrPtr*)(_t449 - 0x2c)) = _t460;
					 *((char*)(_t449 - 4)) = 0xa;
					L00412DE1( *((intOrPtr*)( *_t448 + 0x2c))());
					 *((char*)(_t449 - 4)) = 9;
					L00415C13(_t442, E00416E73(_t442, _t32, _t473), _t460);
					 *((char*)(_t449 - 4)) = 8;
					L0040125C(_t449 - 0x1c8);
					 *((char*)(_t449 - 4)) = 7;
					L0040125C(_t449 - 0x358);
					 *((char*)(_t449 - 4)) = _t324;
					L0040125C(_t449 - 0x218);
					_t238 = L00412DE1( *((intOrPtr*)( *_t448 + 0x2c))());
					 *((char*)(_t449 - 4)) = 0xb;
					_t239 = L004056FB(_t238, _t448, _t473);
					 *((char*)(_t449 - 4)) = 0xc;
					 *((intOrPtr*)(_t449 - 0x10)) = L00405EDE(_t473);
					 *((char*)(_t449 - 4)) = 0xd;
					_t245 = E004083DD( *((intOrPtr*)( *_t448 + 0x2c))(), _t449 - 0x308);
					 *((char*)(_t449 - 4)) = 0xe;
					_t462 = _t460 + 0xc - 0x28;
					 *((intOrPtr*)(_t449 - 0x20)) = _t462;
					L00405670(_t245, _t473);
					 *((char*)(_t449 - 4)) = 0xf;
					_t250 = L00412DE1( *((intOrPtr*)( *_t448 + 0x2c))());
					 *((char*)(_t449 - 4)) = 0x10;
					_t251 = L004056FB(_t250, _t448, _t473);
					 *((char*)(_t449 - 4)) = 0x11;
					 *((intOrPtr*)(_t449 - 0x10)) = L00405EDE(_t473);
					 *((char*)(_t449 - 4)) = 0x12;
					_t257 = L00412DE1( *((intOrPtr*)( *_t448 + 0x2c))());
					 *((char*)(_t449 - 4)) = 0x13;
					_t258 = L00401840(_t257, _t473);
					_t464 = _t462 + 0xc - 0x28;
					 *((char*)(_t449 - 4)) = 0x14;
					 *((intOrPtr*)(_t449 - 0x34)) = _t464;
					L00405670(_t258, _t473);
					 *((char*)(_t449 - 4)) = 0x19;
					L00415C13(_t442, E00416E73(_t442, _t435, _t473, _t464,  *((intOrPtr*)(_t449 - 0x10)), _t449 - 0x498, _t324, _t324, _t449 - 0x268, _t449 - 0x3a8, _t251, L".cab", _t449 - 0x2b8, 1, _t449 - 0x448, _t462,  *((intOrPtr*)(_t449 - 0x10)), _t449 - 0x178, _t239, L".cab", _t449 - 0x1a0, 1, _t449 - 0x1f0), 0x479);
					 *((char*)(_t449 - 4)) = 0x18;
					L0040125C(_t449 - 0x498);
					 *((char*)(_t449 - 4)) = 0x17;
					L0040125C(_t449 - 0x268);
					 *((char*)(_t449 - 4)) = 0x16;
					L0040125C(_t449 - 0x3a8);
					 *((char*)(_t449 - 4)) = 0x15;
					L0040125C(_t449 - 0x2b8);
					 *((char*)(_t449 - 4)) = 0xe;
					L0040125C(_t449 - 0x448);
					 *((char*)(_t449 - 4)) = 0xd;
					L0040125C(_t449 - 0x308);
					 *((char*)(_t449 - 4)) = 0xc;
					L0040125C(_t449 - 0x178);
					 *((char*)(_t449 - 4)) = 0xb;
					L0040125C(_t449 - 0x1a0);
					 *((char*)(_t449 - 4)) = _t324;
					L0040125C(_t449 - 0x1f0);
					_t274 = L00403789( *((intOrPtr*)( *_t448 + 0x2c))(), _t449 - 0x2e0);
					 *((char*)(_t449 - 4)) = 0x1a;
					 *((intOrPtr*)(_t449 - 0x10)) = L004056FB(_t274, _t448, _t473);
					 *((char*)(_t449 - 4)) = 0x1b;
					_t279 = E004083DD( *((intOrPtr*)( *_t448 + 0x2c))(), _t449 - 0x240);
					_t465 = _t464 - 0x28;
					 *((char*)(_t449 - 4)) = 0x1c;
					 *((intOrPtr*)(_t449 - 0x3c)) = _t465;
					L00405670(_t279, _t473);
					_t466 = _t465 - 0x28;
					 *((intOrPtr*)(_t449 - 0x44)) = _t466;
					 *((char*)(_t449 - 4)) = 0x1d;
					L00403789( *((intOrPtr*)( *_t448 + 0x2c))(), _t466);
					 *((char*)(_t449 - 4)) = 0x1c;
					L00415C13(_t442, E00416E73(_t442, _t435, _t473), _t465);
					 *((char*)(_t449 - 4)) = 0x1b;
					L0040125C(_t449 - 0x240);
					 *((char*)(_t449 - 4)) = 0x1a;
					L0040125C(_t449 - 0x290);
					 *((char*)(_t449 - 4)) = _t324;
					L0040125C(_t449 - 0x2e0);
					L00401B15(_t449 - 0xe4);
					 *((char*)(_t449 - 4)) = 0x1e;
					L00401B15(_t449 - 0xbc);
					 *((char*)(_t449 - 4)) = 0x1f;
					_t297 = E004083DD( *((intOrPtr*)( *_t448 + 0x2c))(), _t449 - 0x380);
					_t467 = _t466 - 0x28;
					 *((intOrPtr*)(_t449 - 0x24)) = _t467;
					 *((char*)(_t449 - 4)) = 0x20;
					L00405670(_t297, _t473);
					 *((char*)(_t449 - 4)) = 0x21;
					_t302 = E00404705( *((intOrPtr*)( *_t448 + 0x2c))(), _t449 - 0x330);
					_t468 = _t467 - 0x28;
					 *((intOrPtr*)(_t449 - 0x28)) = _t468;
					 *((char*)(_t449 - 4)) = 0x22;
					L00405670(_t302, _t473);
					 *((char*)(_t449 - 4)) = 0x23;
					E00416E73(_t442, _t449 - 0xbc, _t473, _t468, _t449 - 0xbc, _t467, _t449 - 0xe4, "setup.inx", _t449 - 0x12, 1, "setup.inx", _t449 - 0x11, 1,  *((intOrPtr*)(_t449 - 0x10)), _t449 - 0x290, _t324, 0x47a, _t459,  *((intOrPtr*)(_t449 - 0x10)), _t449 - 0x358, _t324, _t449 - 0x218, 0x478);
					 *((char*)(_t449 - 4)) = 0x20;
					L0040125C(_t449 - 0x330);
					 *((char*)(_t449 - 4)) = 0x1f;
					L0040125C(_t449 - 0x380);
					 *((char*)(_t449 - 4)) = 0x1e;
					L0040125C(_t449 - 0xbc);
					 *((char*)(_t449 - 4)) = _t324;
					L0040125C(_t449 - 0xe4);
					_t312 = L00412DE1( *((intOrPtr*)( *_t448 + 0x2c))(_t449 - 0x470));
					 *((char*)(_t449 - 4)) = 0x24;
					 *((intOrPtr*)(_t449 - 0x10)) = L004056FB(_t312, _t448, _t473);
					 *((char*)(_t449 - 4)) = 0x25;
					_t317 = E004083DD( *((intOrPtr*)( *_t448 + 0x2c))(_t449 - 0x420, _t324), _t449 - 0x3d0);
					_t454 = _t468 - 0x28;
					 *((char*)(_t449 - 4)) = 0x26;
					 *((intOrPtr*)(_t449 - 0x30)) = _t454;
					_push( *((intOrPtr*)(_t449 - 0x10)));
					_push(_t454);
					L00405670(_t317, _t473);
					L0040EF21( *((intOrPtr*)(_t442 + 0x3a4)));
					 *((char*)(_t449 - 4)) = 0x25;
					L0040125C(_t449 - 0x3d0);
					 *((char*)(_t449 - 4)) = 0x24;
					L0040125C(_t449 - 0x420);
					 *((char*)(_t449 - 4)) = _t324;
					L0040125C(_t449 - 0x470);
				}
				L0043B670( *((intOrPtr*)(_t449 - 0xe8)) + 8, _t449 - 0x128, 0x40);
				 *[fs:0x0] =  *((intOrPtr*)(_t449 - 0xc));
				return _t324;
			}

0x0041681e
0x0041682b
0x00416836
0x00416839
0x0041683e
0x00416844
0x00416849
0x0041684f
0x00416851
0x00416853
0x00416854
0x0041685f
0x00416867
0x0041686c
0x0041686e
0x0041686e
0x00416878
0x00416884
0x00416899
0x0041689e
0x004168a3
0x00416e45
0x004168a9
0x004168a9
0x004168b3
0x004168b5
0x004168c1
0x004168c4
0x004168c6
0x004168c6
0x004168ce
0x004168cf
0x004168d0
0x004168d1
0x004168d7
0x004168dc
0x004168de
0x004168e2
0x004168e4
0x004168eb
0x004168ee
0x004168f0
0x004168f0
0x004168fb
0x004168fe
0x00416903
0x00416915
0x0041691a
0x00416923
0x00416928
0x0041692b
0x00416933
0x0041693a
0x0041693e
0x0041694e
0x00416957
0x0041695c
0x0041695f
0x0041695f
0x00416964
0x0041696b
0x0041696f
0x00416976
0x00416982
0x0041698d
0x00416991
0x0041699c
0x004169a0
0x004169a5
0x004169a8
0x004169ac
0x004169b1
0x004169b7
0x004169ba
0x004169d4
0x004169e3
0x004169ec
0x004169fa
0x00416a03
0x00416a08
0x00416a0b
0x00416a11
0x00416a1a
0x00416a1f
0x00416a26
0x00416a2c
0x00416a35
0x00416a3c
0x00416a48
0x00416a53
0x00416a57
0x00416a62
0x00416a66
0x00416a71
0x00416a74
0x00416a8e
0x00416a9e
0x00416aa2
0x00416ab3
0x00416ac0
0x00416ace
0x00416ad7
0x00416adc
0x00416ae0
0x00416ae5
0x00416aee
0x00416afe
0x00416b07
0x00416b17
0x00416b1b
0x00416b2c
0x00416b39
0x00416b47
0x00416b50
0x00416b60
0x00416b64
0x00416b69
0x00416b6c
0x00416b72
0x00416b7b
0x00416b82
0x00416b8e
0x00416b99
0x00416b9d
0x00416ba8
0x00416bac
0x00416bb7
0x00416bbb
0x00416bc6
0x00416bca
0x00416bcf
0x00416bd9
0x00416be4
0x00416be8
0x00416bf3
0x00416bf7
0x00416c02
0x00416c06
0x00416c11
0x00416c14
0x00416c2e
0x00416c3d
0x00416c46
0x00416c54
0x00416c5d
0x00416c62
0x00416c65
0x00416c6b
0x00416c74
0x00416c79
0x00416c80
0x00416c86
0x00416c8f
0x00416c96
0x00416ca2
0x00416cad
0x00416cb1
0x00416cbc
0x00416cc0
0x00416ccb
0x00416cce
0x00416ce4
0x00416cfa
0x00416cfe
0x00416d0e
0x00416d17
0x00416d1c
0x00416d27
0x00416d2e
0x00416d32
0x00416d42
0x00416d4b
0x00416d50
0x00416d5b
0x00416d62
0x00416d66
0x00416d6d
0x00416d71
0x00416d7c
0x00416d80
0x00416d8b
0x00416d8f
0x00416d9a
0x00416d9e
0x00416da9
0x00416dac
0x00416dc1
0x00416dd0
0x00416dd9
0x00416de2
0x00416df0
0x00416df5
0x00416df8
0x00416dfe
0x00416e01
0x00416e04
0x00416e07
0x00416e12
0x00416e1d
0x00416e21
0x00416e2c
0x00416e30
0x00416e3b
0x00416e3e
0x00416e3e
0x00416e5a
0x00416e67
0x00416e72

APIs

__EH_prolog.LIBCMT ref: 0041681E

Part of subcall function 0040A5F5: __EH_prolog.LIBCMT ref: 0040A5FA
Part of subcall function 0040A5F5: SetLastError.KERNEL32(?,?,00000000,?,?,0040F157,C:\CodeBases\isdev\src\Runtime\InstallScript\SetupNew\setup.cpp,?,00000001,00467574,00000000,0046757C), ref: 0040A660

lstrcpyW.KERNEL32 ref: 00416878
__setjmp3.LIBCMT ref: 00416899

Part of subcall function 00412DE1: __EH_prolog.LIBCMT ref: 00412DE6

Part of subcall function 004056FB: __EH_prolog.LIBCMT ref: 00405700

Part of subcall function 00405670: __EH_prolog.LIBCMT ref: 00405675

Part of subcall function 00416E73: __EH_prolog.LIBCMT ref: 00416E78
Part of subcall function 00416E73: lstrcpyW.KERNEL32 ref: 00416ED8
Part of subcall function 00416E73: __setjmp3.LIBCMT ref: 00416EF9

Part of subcall function 0040125C: __EH_prolog.LIBCMT ref: 00401261
Part of subcall function 0040125C: GetLastError.KERNEL32(000004B1,00000000,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 00401284
Part of subcall function 0040125C: SysFreeString.OLEAUT32(?), ref: 004012A2
Part of subcall function 0040125C: SetLastError.KERNEL32(?,00000001,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 004012C2

Part of subcall function 00405EDE: __EH_prolog.LIBCMT ref: 00405EE3

Part of subcall function 00401840: __EH_prolog.LIBCMT ref: 00401845

Part of subcall function 00401B15: __EH_prolog.LIBCMT ref: 00401B1A
Part of subcall function 00401B15: SetLastError.KERNEL32(?,?,00000000,?,?,00401AE5,?,?,00000001), ref: 00401B80

Part of subcall function 0040EF21: __EH_prolog.LIBCMT ref: 0040EF26

Strings

|uF, xrefs: 004168FB
.cab, xrefs: 00416AA7, 00416B20
PG, xrefs: 004168F0
tuF, xrefs: 004168AE
setup.inx, xrefs: 00416CD9, 00416CEF
C:\CodeBases\isdev\src\Runtime\InstallScript\SetupNew\setup.cpp, xrefs: 00416854
PG, xrefs: 004168C6
uF, xrefs: 0041686E
$, xrefs: 00416E2C
|uF, xrefs: 004168D1
layout.bin, xrefs: 004168A9, 004168D0, 004168FA

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: H_prolog$ErrorLast$__setjmp3lstrcpy$FreeString
String ID: $$.cab$C:\CodeBases\isdev\src\Runtime\InstallScript\SetupNew\setup.cpp$PG$PG$layout.bin$setup.inx$tuF$|uF$|uF$uF
API String ID: 3796342028-1251504560
Opcode ID: 38cbc7dd51e63e4ce324f641212b56372809f3d0d4c4c669882c420b11e6fc6c
Instruction ID: a31243041c2a9a46f3527245d4c10e5469361d58698e0e4ae50472fbb6979460
Opcode Fuzzy Hash: 38cbc7dd51e63e4ce324f641212b56372809f3d0d4c4c669882c420b11e6fc6c
Instruction Fuzzy Hash: C8128270A00258EFDF15EBB9C959BEDBBB89F58304F0040DEE449B3282DB785B448B65

Uniqueness

Uniqueness Score: -1.00%

Function 0045CBE0 Relevance: 24.7, APIs: 8, Strings: 6, Instructions: 247
registryCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E0045CBE0(void* __ebx, void* __ebp, intOrPtr* _a4) {
				void* _v4;
				char _v12;
				intOrPtr* _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v60;
				char _v68;
				char _v80;
				char _v84;
				void* _v88;
				char _v92;
				char _v100;
				intOrPtr _v108;
				char _v112;
				char _v116;
				char _v120;
				int _v136;
				char _v140;
				char _v148;
				void* _v152;
				int _v156;
				int _v160;
				char _v162;
				void* _v164;
				char _v168;
				char _v169;
				char _v171;
				int _v172;
				void* _v176;
				char _v179;
				intOrPtr _v180;
				void* _v188;
				intOrPtr _t89;
				void* _t93;
				void* _t98;
				CHAR* _t104;
				void* _t108;
				void* _t110;
				void* _t111;
				char* _t120;
				void* _t125;
				void* _t132;
				void* _t134;
				char _t135;
				void* _t156;
				char _t176;
				intOrPtr _t177;
				void* _t190;
				intOrPtr* _t191;
				intOrPtr* _t193;
				long _t194;
				intOrPtr* _t195;
				long _t196;
				void* _t197;
				intOrPtr _t200;
				void* _t201;

				_t197 = __ebp;
				_t134 = __ebx;
				_push(0xffffffff);
				_push(E00466AD4);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t200;
				_t201 = _t200 - 0x98;
				_t89 =  *0x47e96c; // 0x0
				_v136 = 0;
				if(_t89 == 0) {
					_v160 = 0;
					_v4 = 1;
					_v156 = 0;
					_t190 = RegOpenKeyExA(0x80000001, "SOFTWARE\\InstallShield\\19.0\\Professional", 0, 0x20019,  &_v156);
					__eflags = _t190;
					if(_t190 == 0) {
						_t190 = L00409079( &_v160);
						_v160 = _v156;
					}
					_push(_t134);
					_push(_t197);
					_push(0);
					_t135 = 0x4675d8;
					_push( &_v162);
					_v92 = 0x4675d8;
					_v60 = 0x4675d0;
					L0040B243( &_v92);
					__eflags = _t190;
					_v12 = 2;
					if(_t190 == 0) {
						_v164 = 0x104;
						_t195 = L0040B799( &_v100,  &_v160, 0x104);
						_v20 = 3;
						_t120 = L00453100( *_t195);
						 *(_t195 + 8) = _t120;
						_v156 = 0;
						RegQueryValueExA(_v176, "VerboseLogPath", 0,  &_v156, _t120,  &_v172);
						_v20 = 2;
						_t196 = GetLastError();
						__eflags = _v164;
						if(_v164 != 0) {
							L00425DC2(_v160,  *((intOrPtr*)(_v160 + 0x1c)));
						}
						_t125 = _v152;
						__eflags = _t125;
						if(_t125 != 0) {
							_push(1);
							_push( &_v169);
							_push(_t125);
							E0040A5F5( &_v140);
							_v24 = 4;
							E004066ED(_v172,  &_v152);
							_v28 = 2;
							E004061C1( &_v156);
						}
						SetLastError(_t196);
					}
					__eflags = _v88;
					if(_v88 == 0) {
						_push(0);
						_push( &_v169);
						_v140 = _t135;
						_v108 = 0x4675d0;
						L0040B243( &_v140);
						_v20 = 5;
						_t193 = L0040B799( &_v148,  &_v168, 0x104);
						_v28 = 6;
						_t104 = L00453100( *_t193);
						 *(_t193 + 8) = _t104;
						GetModuleFileNameA(0, _t104, 0x104);
						_v28 = 5;
						_t194 = GetLastError();
						__eflags = _v172;
						if(_v172 != 0) {
							L00425DC2(_v168,  *((intOrPtr*)(_v168 + 0x1c)));
						}
						_t108 = _v160;
						__eflags = _t108;
						if(__eflags != 0) {
							_push(1);
							_push( &_v179);
							_push(_t108);
							E0040A5F5( &_v68);
							_v32 = 7;
							E004066ED(_v180,  &_v80);
							_v36 = 5;
							E004061C1( &_v84);
						}
						SetLastError(_t194);
						_push(0);
						_push(0);
						_push( &_v68);
						_t110 = E0040A9EA( &_v148, __eflags);
						_t176 = _v120;
						_v32 = 8;
						__eflags = _t176 - 0x4675d8;
						if(_t176 == 0x4675d8) {
							__eflags = _t110;
							if(_t110 != 0) {
								_t156 =  *((intOrPtr*)( *_t110 + 4)) + _t110;
								__eflags = _t156;
							} else {
								_t156 = 0;
							}
							_t65 = _t176 + 4; // 0x4
							 *(_t201 +  *_t65 + 0x58) =  *_t156;
						}
						__eflags = _t110;
						if(_t110 == 0) {
							_t111 = 0;
							__eflags = 0;
						} else {
							_t111 = _t110 + 4;
						}
						_t177 =  *0x4675e0; // 0xffffffff
						E0040C484( &_v116, _t111, 0, _t177);
						_v44 = 5;
						E004061C1( &_v92);
						_v44 = 2;
						E004061C1( &_v172);
						_t135 = 0x4675d8;
					}
					_t93 = L"InstallShield.log";
					_v140 = _t135;
					_v108 = 0x4675d0;
					__eflags = _t93;
					if(_t93 == 0) {
						_t93 = 0x47e150;
					}
					_push(0);
					_push( &_v171);
					_push(_t93);
					L0040B34B( &_v140);
					_t191 = _v16;
					_push( &_v152);
					_push(_t191);
					_v24 = 9;
					E0040C112( &_v112, __eflags);
					_v164 = 1;
					_v32 = 2;
					E004061C1( &_v160);
					_v32 = 1;
					E004061C1( &_v120);
					_t98 = _v188;
					__eflags = _t98;
					if(_t98 != 0) {
						RegCloseKey(_t98);
					}
				} else {
					_t132 =  *0x47e968; // 0x0
					if(_t132 == 0) {
						_t132 = 0x467570;
					}
					_t191 = _a4;
					 *_t191 = 0x4675d8;
					 *((intOrPtr*)(_t191 + 0x20)) = 0x4675d0;
					if(_t132 == 0) {
						_t132 = 0x47e150;
					}
					_push(0);
					_push( &_v162);
					_push(_t132);
					L0040B34B(_t191);
				}
				 *[fs:0x0] = _v40;
				return _t191;
			}

0x0045cbe0
0x0045cbe0
0x0045cbe0
0x0045cbe2
0x0045cbed
0x0045cbee
0x0045cbf5
0x0045cbfb
0x0045cc06
0x0045cc0a
0x0045cc4a
0x0045cc52
0x0045cc6e
0x0045cc78
0x0045cc7a
0x0045cc7c
0x0045cc87
0x0045cc8d
0x0045cc8d
0x0045cc91
0x0045cc92
0x0045cc97
0x0045cc98
0x0045cc9d
0x0045cca2
0x0045cca6
0x0045ccb1
0x0045ccbc
0x0045ccc4
0x0045cccc
0x0045cce0
0x0045cced
0x0045ccf1
0x0045ccf9
0x0045cd08
0x0045cd18
0x0045cd20
0x0045cd26
0x0045cd30
0x0045cd36
0x0045cd38
0x0045cd42
0x0045cd42
0x0045cd47
0x0045cd4b
0x0045cd4d
0x0045cd53
0x0045cd55
0x0045cd56
0x0045cd5b
0x0045cd69
0x0045cd71
0x0045cd7a
0x0045cd82
0x0045cd82
0x0045cd88
0x0045cd88
0x0045cd8e
0x0045cd90
0x0045cd9a
0x0045cd9c
0x0045cda1
0x0045cda5
0x0045cdad
0x0045cdc2
0x0045cdce
0x0045cdd2
0x0045cdda
0x0045cde7
0x0045cdea
0x0045cdf0
0x0045cdf9
0x0045cdff
0x0045ce01
0x0045ce0b
0x0045ce0b
0x0045ce10
0x0045ce14
0x0045ce16
0x0045ce1c
0x0045ce1e
0x0045ce1f
0x0045ce27
0x0045ce38
0x0045ce40
0x0045ce4c
0x0045ce53
0x0045ce53
0x0045ce59
0x0045ce5b
0x0045ce64
0x0045ce66
0x0045ce6b
0x0045ce70
0x0045ce74
0x0045ce7c
0x0045ce82
0x0045ce84
0x0045ce86
0x0045ce91
0x0045ce91
0x0045ce88
0x0045ce88
0x0045ce88
0x0045ce93
0x0045ce98
0x0045ce98
0x0045ce9c
0x0045ce9e
0x0045cea5
0x0045cea5
0x0045cea0
0x0045cea0
0x0045cea0
0x0045cea7
0x0045ceb5
0x0045cec1
0x0045cec8
0x0045ced1
0x0045ced9
0x0045cede
0x0045cede
0x0045cee3
0x0045cee8
0x0045ceed
0x0045cef5
0x0045cef8
0x0045cefa
0x0045cefa
0x0045cf03
0x0045cf05
0x0045cf06
0x0045cf0b
0x0045cf10
0x0045cf1b
0x0045cf1c
0x0045cf21
0x0045cf29
0x0045cf32
0x0045cf3a
0x0045cf42
0x0045cf4b
0x0045cf53
0x0045cf58
0x0045cf5c
0x0045cf5e
0x0045cf61
0x0045cf61
0x0045cc0c
0x0045cc0c
0x0045cc13
0x0045cc15
0x0045cc15
0x0045cc1a
0x0045cc23
0x0045cc29
0x0045cc30
0x0045cc32
0x0045cc32
0x0045cc3b
0x0045cc3c
0x0045cc3d
0x0045cc40
0x0045cc40
0x0045cf72
0x0045cf7f

APIs

RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\InstallShield\19.0\Professional,00000000,00020019,?), ref: 0045CC72
RegQueryValueExA.ADVAPI32(?,VerboseLogPath,00000000,?,00000000,?,?,00000104,?,00000000,?,00000000), ref: 0045CD20
GetLastError.KERNEL32 ref: 0045CD2E
SetLastError.KERNEL32(00000000), ref: 0045CD88

Part of subcall function 00453100: WideCharToMultiByte.KERNEL32(00000000,00000000,FFFFFFFF,00000001,00000004,00000000,00000000,00000000,?,00000000), ref: 0045315A

GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,?,00000104,?,00000000,?,00000000,?,00000000), ref: 0045CDEA
GetLastError.KERNEL32 ref: 0045CDF7
SetLastError.KERNEL32(00000000), ref: 0045CE59
RegCloseKey.ADVAPI32(?,00000002,?,InstallShield.log,?,00000000,?,00000000), ref: 0045CF61

Strings

PG, xrefs: 0045CC32
SOFTWARE\InstallShield\19.0\Professional, xrefs: 0045CC64
InstallShield.log, xrefs: 0045CEE3, 0045CF06
VerboseLogPath, xrefs: 0045CD12
PG, xrefs: 0045CEFA
puF, xrefs: 0045CC15

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorLast$ByteCharCloseFileModuleMultiNameOpenQueryValueWide
String ID: InstallShield.log$PG$PG$SOFTWARE\InstallShield\19.0\Professional$VerboseLogPath$puF
API String ID: 2965239668-1926988228
Opcode ID: 594674b9faf869ec9d0b53e5da1349c2eafc70c231d687e7755e0522fdce1d94
Instruction ID: 75d40ec296c65789d3889a3dcd8da44a20d878383561f2b0fc0ac5075a854fa9
Opcode Fuzzy Hash: 594674b9faf869ec9d0b53e5da1349c2eafc70c231d687e7755e0522fdce1d94
Instruction Fuzzy Hash: 77A16171108380AFD320DF15C885B9BB7E5BF95718F10895EF58A97382EB789908C75B

Uniqueness

Uniqueness Score: -1.00%

Function 0042E3CF Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 102
registrylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E0042E3CF() {
				void* _v8;
				void* _v12;
				int _v16;
				char _v28;
				struct HINSTANCE__* _t21;
				_Unknown_base(*)()* _t39;
				int* _t42;
				long _t44;
				void* _t45;
				void* _t47;

				_t21 = GetModuleHandleW(L"Kernel32.dll");
				if(_t21 == 0) {
					L3:
					_v8 = _v8 & 0x00000000;
					_v16 = 0xa;
					if(RegOpenKeyExW(0x80000003, L".Default\\Control Panel\\desktop\\ResourceLocale", 0, 0xf003f,  &_v8) != 0 || RegQueryValueExW(_v8, 0x47e150, 0, 0,  &_v28,  &_v16) != 0) {
						_v12 = _v12 & 0x00000000;
						_t44 = RegOpenKeyExW(0x80000003, L".DEFAULT\\Control Panel\\International", 0, 0xf003f,  &_v12);
						_t42 = 0;
						if(_t44 == 0) {
							_t44 = RegQueryValueExW(_v12, L"Locale", 0, 0,  &_v28,  &_v16);
						}
						_t47 = RegCloseKey;
						if(_v12 != _t42 && RegCloseKey != _t42) {
							RegCloseKey(_v12);
						}
						if(_t44 == _t42) {
							goto L16;
						} else {
							if(_v8 != _t42 && _t47 != _t42) {
								RegCloseKey(_v8);
							}
							return 0x409;
						}
					} else {
						_t47 = RegCloseKey;
						_t42 = 0;
						L16:
						_t45 = L0043D4C8( &_v28, _t42, 0x10);
						if(_v8 != _t42 && _t47 != _t42) {
							RegCloseKey(_v8);
						}
						return _t45;
					}
				}
				_t39 = GetProcAddress(_t21, "GetSystemDefaultUILanguage");
				if(_t39 == 0) {
					goto L3;
				}
				return  *_t39();
			}

0x0042e3dd
0x0042e3e5
0x0042e3fe
0x0042e404
0x0042e41f
0x0042e42a
0x0042e44a
0x0042e45d
0x0042e45f
0x0042e463
0x0042e47d
0x0042e47d
0x0042e482
0x0042e488
0x0042e491
0x0042e491
0x0042e495
0x00000000
0x0042e497
0x0042e49a
0x0042e4a3
0x0042e4a3
0x00000000
0x0042e4a5
0x0042e4ab
0x0042e4ab
0x0042e4b1
0x0042e4b3
0x0042e4c5
0x0042e4c7
0x0042e4d0
0x0042e4d0
0x00000000
0x0042e4d2
0x0042e42a
0x0042e3ed
0x0042e3f5
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleW.KERNEL32(Kernel32.dll,?,?,?,00410997,00000000,?,?,00000001,00000000), ref: 0042E3DD
GetProcAddress.KERNEL32(00000000,GetSystemDefaultUILanguage), ref: 0042E3ED
RegOpenKeyExW.ADVAPI32(80000003,.Default\Control Panel\desktop\ResourceLocale,00000000,000F003F,00000000,?,?,00410997,00000000,?), ref: 0042E426
RegQueryValueExW.ADVAPI32(00000000,0047E150,00000000,00000000,00410997,0000000A,?,?,00410997,00000000,?), ref: 0042E440
RegOpenKeyExW.ADVAPI32(80000003,.DEFAULT\Control Panel\International,00000000,000F003F,00000000,?,?,00410997,00000000,?), ref: 0042E45B
RegQueryValueExW.ADVAPI32(00000000,Locale,00000000,00000000,00410997,0000000A,?,?,00410997,00000000,?), ref: 0042E477
RegCloseKey.ADVAPI32(00000000,?,?,00410997,00000000,?), ref: 0042E491
RegCloseKey.ADVAPI32(00000000,?,?,00410997,00000000,?), ref: 0042E4A3
RegCloseKey.ADVAPI32(00000000,?,?,?,00410997,00000000,?), ref: 0042E4D0

Strings

.DEFAULT\Control Panel\International, xrefs: 0042E455
Kernel32.dll, xrefs: 0042E3D8
GetSystemDefaultUILanguage, xrefs: 0042E3E7
.Default\Control Panel\desktop\ResourceLocale, xrefs: 0042E419
Locale, xrefs: 0042E46F

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: Close$OpenQueryValue$AddressHandleModuleProc
String ID: .DEFAULT\Control Panel\International$.Default\Control Panel\desktop\ResourceLocale$GetSystemDefaultUILanguage$Kernel32.dll$Locale
API String ID: 3246654768-3798069133
Opcode ID: 926ba97ec38595db869f4c79c286d6777f1d9d73391e27eddbf7b8993fcdfbfc
Instruction ID: f9933424bf8e7a6a8cd4014166a85b18de87e7cdd4cc248b28e07c70d06ab6c3
Opcode Fuzzy Hash: 926ba97ec38595db869f4c79c286d6777f1d9d73391e27eddbf7b8993fcdfbfc
Instruction Fuzzy Hash: 3E317272B00229BBDF10EE92DC81BEF77BCDB04355F544077E604B3280E6B89E419A69

Uniqueness

Uniqueness Score: -1.00%

Function 0042E212 Relevance: 24.6, APIs: 1, Strings: 13, Instructions: 100
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E0042E212() {
				char* _t26;
				intOrPtr _t39;
				void* _t45;
				void* _t46;
				void* _t47;
				void* _t48;
				intOrPtr* _t57;
				void* _t59;
				void* _t66;

				L0043B644(0x463c37, _t59);
				 *(_t59 - 0x14) = 0;
				if( *((intOrPtr*)(_t59 + 0x10)) == 0 &&  *((intOrPtr*)(_t59 + 0xc)) == 0) {
					E0042E123(_t59 + 0xc, _t59 + 0x10);
				}
				_push(0);
				_push(_t59 - 0xd);
				 *((intOrPtr*)(_t59 - 0x3c)) = 0x46757c;
				 *((intOrPtr*)(_t59 - 0x1c)) = 0x467574;
				L00401C68(_t59 - 0x3c);
				_t39 =  *((intOrPtr*)(_t59 + 0x10));
				_t66 = _t39 - 0x400000;
				 *(_t59 - 4) = 1;
				if(_t66 > 0) {
					if(_t39 == 0x800000) {
						_t26 = L"Windows Server 2003";
						goto L25;
					} else {
						if(_t39 == 0x1000000) {
							_t26 = L"Windows Vista / Server 2008";
							goto L25;
						} else {
							if(_t39 == 0x2000000) {
								_t26 = L"Windows 7 / Server 2008 R2";
								goto L25;
							} else {
								if(_t39 == 0x4000000) {
									_t26 = L"Windows 8 / Server 2012";
									goto L25;
								} else {
									goto L20;
								}
							}
						}
					}
				} else {
					if(_t66 == 0) {
						_t26 = L"Windows XP";
						goto L25;
					} else {
						_t45 = _t39 - 0x10;
						if(_t45 == 0) {
							_t26 = L"Windows 95";
							goto L25;
						} else {
							_t46 = _t45 - 0x30;
							if(_t46 == 0) {
								_t26 = L"Windows 98";
								goto L25;
							} else {
								_t47 = _t46 - 0x40;
								if(_t47 == 0) {
									_t26 = L"Windows Me";
									goto L25;
								} else {
									_t48 = _t47 - 0xff80;
									if(_t48 == 0) {
										_t26 = L"Windows NT 4.0";
										goto L25;
									} else {
										if(_t48 != 0xf0000) {
											L20:
											_push(0x47e150);
										} else {
											_t26 = L"Windows 2000";
											L25:
											if(_t26 == 0) {
												_t26 = 0x47e150;
											}
											_push(_t26);
										}
									}
								}
							}
						}
					}
				}
				L00401E03(_t59 - 0x3c);
				_t57 =  *((intOrPtr*)(_t59 + 8));
				_push(0);
				_push(_t59 - 0x3c);
				 *_t57 = 0x46757c;
				 *((intOrPtr*)(_t57 + 0x20)) = 0x467574;
				L00401CDD(_t57);
				 *(_t59 - 0x14) = 1;
				 *(_t59 - 4) =  *(_t59 - 4) & 0x00000000;
				L0040125C(_t59 - 0x3c);
				 *[fs:0x0] =  *((intOrPtr*)(_t59 - 0xc));
				return _t57;
			}

0x0042e217
0x0042e227
0x0042e22a
0x0042e239
0x0042e23f
0x0042e24d
0x0042e24e
0x0042e252
0x0042e255
0x0042e258
0x0042e25d
0x0042e265
0x0042e267
0x0042e26e
0x0042e2c1
0x0042e2f7
0x00000000
0x0042e2c3
0x0042e2c9
0x0042e2f0
0x00000000
0x0042e2cb
0x0042e2d1
0x0042e2e9
0x00000000
0x0042e2d3
0x0042e2d9
0x0042e2e2
0x00000000
0x00000000
0x00000000
0x00000000
0x0042e2d9
0x0042e2d1
0x0042e2c9
0x0042e270
0x0042e270
0x0042e2b4
0x00000000
0x0042e272
0x0042e272
0x0042e275
0x0042e2ad
0x00000000
0x0042e277
0x0042e277
0x0042e27a
0x0042e2a6
0x00000000
0x0042e27c
0x0042e27c
0x0042e27f
0x0042e29f
0x00000000
0x0042e281
0x0042e281
0x0042e287
0x0042e298
0x00000000
0x0042e289
0x0042e28f
0x0042e2db
0x0042e2db
0x0042e291
0x0042e291
0x0042e2fc
0x0042e300
0x0042e302
0x0042e302
0x0042e307
0x0042e307
0x0042e28f
0x0042e287
0x0042e27f
0x0042e27a
0x0042e275
0x0042e270
0x0042e30b
0x0042e310
0x0042e316
0x0042e318
0x0042e31b
0x0042e31d
0x0042e320
0x0042e325
0x0042e32c
0x0042e333
0x0042e340
0x0042e348

APIs

__EH_prolog.LIBCMT ref: 0042E217

Part of subcall function 0042E123: GetVersionExW.KERNEL32(00000114,00000000), ref: 0042E14A

Strings

|uF, xrefs: 0042E243
Windows Server 2003, xrefs: 0042E2F7, 0042E307
Windows 7 / Server 2008 R2, xrefs: 0042E2E9
Windows Vista / Server 2008, xrefs: 0042E2F0
PG, xrefs: 0042E302
Windows XP, xrefs: 0042E2B4
Windows NT 4.0, xrefs: 0042E298
Windows 2000, xrefs: 0042E291
Windows 95, xrefs: 0042E2AD
Windows 8 / Server 2012, xrefs: 0042E2E2
tuF, xrefs: 0042E248
Windows Me, xrefs: 0042E29F
Windows 98, xrefs: 0042E2A6

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: H_prologVersion
String ID: PG$Windows 2000$Windows 7 / Server 2008 R2$Windows 8 / Server 2012$Windows 95$Windows 98$Windows Me$Windows NT 4.0$Windows Server 2003$Windows Vista / Server 2008$Windows XP$tuF$|uF
API String ID: 1836448879-3337479923
Opcode ID: 53e268302e6e7402f593eabb70ef24997f29f961c508e9e34b15b681241bacd3
Instruction ID: d38093d7ec99ff732690d8fb02f91a471c32273bd0382eb92cbb7d9a3b61b88c
Opcode Fuzzy Hash: 53e268302e6e7402f593eabb70ef24997f29f961c508e9e34b15b681241bacd3
Instruction Fuzzy Hash: 9231AD31B00128D6DB299AAAE4557FE7768EB00304FA0C4ABB507A6790CB7C8D00976E

Uniqueness

Uniqueness Score: -1.00%

Function 004148DF Relevance: 23.0, APIs: 5, Strings: 8, Instructions: 279
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E004148DF(intOrPtr __ecx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				WCHAR* _t113;
				intOrPtr* _t121;
				void* _t122;
				void* _t125;
				unsigned int _t133;
				intOrPtr* _t137;
				intOrPtr* _t140;
				intOrPtr* _t144;
				intOrPtr _t145;
				intOrPtr _t151;
				intOrPtr* _t153;
				intOrPtr* _t154;
				intOrPtr* _t159;
				intOrPtr _t169;
				signed int _t192;
				intOrPtr _t204;
				unsigned int _t220;
				unsigned int _t221;
				signed int _t227;
				intOrPtr _t230;
				void* _t232;
				intOrPtr _t234;
				void* _t235;
				void* _t237;
				void* _t239;
				void* _t240;
				void* _t243;
				void* _t250;

				L0043B644(0x4611f5, _t235);
				_t230 = __ecx;
				 *((intOrPtr*)(_t235 - 0x34)) = __ecx;
				 *((intOrPtr*)(_t235 - 0x10)) = 0;
				_t225 = __ecx + 8;
				 *(_t235 - 4) = 0;
				 *((intOrPtr*)(_t235 - 0x80)) = __ecx;
				L0043B670(_t235 - 0xc0, __ecx + 8, 0x40);
				_t239 = _t237 - 0x12c + 0xc;
				_push(1);
				_push(_t235 - 0x19);
				_push("C:\\CodeBases\\isdev\\src\\Runtime\\InstallScript\\SetupNew\\setup.cpp");
				 *(_t235 - 4) = 1;
				_t113 =  *(E0040A5F5(_t235 - 0x110) + 8);
				if(_t113 == 0) {
					_t113 = 0x4675e4;
				}
				lstrcpyW(_t230 + 0x50, _t113);
				E004061C1(_t235 - 0x110);
				_t232 = E0043C804(0, _t225, _t230 + 0x50, _t235, _t225, 3, 0x43b31a,  *(_t235 - 4), 0x46c8e8);
				_t240 = _t239 + 0x14;
				if(_t232 != 0) {
					L0043B670( *((intOrPtr*)(_t235 - 0x80)) + 8, _t235 - 0xc0, 0x40);
					_t121 =  *((intOrPtr*)(_t235 - 0x10));
					 *(_t235 - 4) =  *(_t235 - 4) | 0xffffffff;
					__eflags = _t121;
					if(_t121 != 0) {
						 *((intOrPtr*)( *_t121 + 8))(_t121);
					}
					_t122 = _t232;
					goto L22;
				} else {
					_t125 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t235 + 8)))) + 0xa4))(_t235 - 0x10, 0x292);
					_t234 =  *((intOrPtr*)(_t235 - 0x34));
					L00415C13(_t234, _t125,  *((intOrPtr*)(_t235 + 8)));
					L00415C13(_t234,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t235 - 0x10)))) + 0xc))(_t235 - 0x20, 0x295),  *((intOrPtr*)(_t235 - 0x10)));
					L00415C13(_t234,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t235 - 0x10)))) + 0x10))(_t235 - 0x24, 0x296),  *((intOrPtr*)(_t235 - 0x10)));
					_t220 =  *(_t235 - 0x24);
					_t133 =  *(_t235 - 0x20);
					 *(_t234 + 0x270) = _t133;
					 *(_t234 + 0x274) = 0;
					_t192 = _t220 << 0x00000016 | _t133 >> 0x0000000a;
					 *(_t234 + 0x274) = _t220;
					_t227 = _t192;
					_t221 = _t220 >> 0xa;
					 *(_t235 - 0x38) = 0;
					 *(_t235 - 0x20) = _t192;
					 *(_t235 - 0x24) = _t221;
					 *(_t235 - 0x3c) = _t227;
					 *(_t235 - 0x38) = _t221;
					 *((intOrPtr*)(_t235 - 0x18)) = 0;
					 *((intOrPtr*)(_t235 - 0x14)) = 0;
					 *(_t235 - 4) = 3;
					 *((intOrPtr*)(_t235 - 0x7c)) = 0x46757c;
					 *((intOrPtr*)(_t235 - 0x5c)) = 0x467574;
					L00401C68(_t235 - 0x7c);
					_t137 =  *((intOrPtr*)(_t234 + 0x280));
					 *(_t235 - 4) = 4;
					L00415C13(_t234,  *((intOrPtr*)( *_t137))(_t137, 0x476e10, _t235 - 0x18, _t235 - 0x1a, 0), 0x2a5);
					_t140 =  *((intOrPtr*)(_t235 - 0x18));
					L00415C13(_t234,  *((intOrPtr*)( *_t140 + 0xc))(_t140, 0x467bf0, 0x477b08, _t235 - 0x14), 0x2a6);
					_t47 = _t235 - 0x7c; // 0x46757c
					_t144 = L004197DF(_t47, _t235 - 0x54);
					 *(_t235 - 4) = 5;
					 *((char*)(_t144 + 4)) = 1;
					_t145 = L00401E6C(_t144,  *_t144);
					 *((intOrPtr*)(_t235 - 0x2c)) = _t145;
					__imp__#2(L"SUPPORTDIR");
					 *((intOrPtr*)(_t235 - 0x28)) = _t145;
					 *(_t235 - 4) = 6;
					L00415C13(_t234,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t235 - 0x14)))) + 0x1c))( *((intOrPtr*)(_t235 - 0x28)),  *((intOrPtr*)(_t235 - 0x2c)), 0x2a7),  *((intOrPtr*)(_t235 - 0x14)));
					__imp__#6( *((intOrPtr*)(_t235 - 0x28)));
					 *(_t235 - 4) = 4;
					if( *((intOrPtr*)(_t235 - 0x50)) != 0) {
						L00401E03( *((intOrPtr*)(_t235 - 0x54)),  *((intOrPtr*)( *((intOrPtr*)(_t235 - 0x54)) + 0x1c)));
					}
					_t149 =  *((intOrPtr*)(_t235 - 0x74));
					if( *((intOrPtr*)(_t235 - 0x74)) == 0) {
						_t149 = 0x467570;
					}
					E0040E22E(_t235 - 0x30, _t149, _t235 - 0x30, _t235 - 0x40, 0xa, 1);
					_t151 =  *((intOrPtr*)(_t235 - 0x30));
					_t204 =  *((intOrPtr*)(_t235 - 0x40));
					_t243 = _t240 + 0x14;
					_t250 = _t151 -  *(_t235 - 0x38);
					 *((intOrPtr*)(_t235 - 0x44)) = 0;
					 *((intOrPtr*)(_t235 - 0x48)) = _t204;
					 *((intOrPtr*)(_t235 - 0x44)) = _t151;
					if(_t250 > 0) {
						L15:
						_t86 = _t235 - 0x7c; // 0x46757c
						 *(_t235 - 4) = 3;
						L0040125C(_t86);
						_t153 =  *((intOrPtr*)(_t235 - 0x14));
						 *(_t235 - 4) = 2;
						if(_t153 != 0) {
							 *((intOrPtr*)( *_t153 + 8))(_t153);
						}
						_t154 =  *((intOrPtr*)(_t235 - 0x18));
						 *(_t235 - 4) = 1;
						if(_t154 != 0) {
							 *((intOrPtr*)( *_t154 + 8))(_t154);
						}
						L0043B670( *((intOrPtr*)(_t235 - 0x80)) + 8, _t235 - 0xc0, 0x40);
						_t159 =  *((intOrPtr*)(_t235 - 0x10));
						 *(_t235 - 4) =  *(_t235 - 4) | 0xffffffff;
						if(_t159 != 0) {
							 *((intOrPtr*)( *_t159 + 8))(_t159);
						}
						_t122 = 0;
						L22:
						 *[fs:0x0] =  *((intOrPtr*)(_t235 - 0xc));
						return _t122;
					} else {
						if(_t250 < 0) {
							L10:
							E00403E82( *((intOrPtr*)( *((intOrPtr*)(_t234 + 4)) + 0x2c))(_t235 - 0xe8, 0x7d8), _t251);
							_push(0);
							_push(_t235 - 0x138);
							_t75 = _t235 - 0x7c; // 0x46757c
							 *(_t235 - 4) = 7;
							_t169 =  *((intOrPtr*)(E00402243(_t75, _t251) + 8));
							 *(_t235 - 4) = 8;
							if(_t169 == 0) {
								_t169 = 0x467570;
							}
							_t212 =  *((intOrPtr*)(_t235 - 0xe0));
							if( *((intOrPtr*)(_t235 - 0xe0)) == 0) {
								_t212 = 0x467570;
							}
							_push(_t169);
							L004057E0(_t234 + 0x29c, _t212, _t227 -  *((intOrPtr*)(_t235 - 0x48)));
							_t243 = _t243 + 0x10;
							 *(_t235 - 4) = 7;
							L0040125C(_t235 - 0x138);
							L00415C13(_t234, 0x8004232b, 0x2b3);
							 *(_t235 - 4) = 4;
							L0040125C(_t235 - 0xe8);
							goto L15;
						}
						_t251 = _t204 - _t227;
						if(_t204 >= _t227) {
							goto L15;
						}
						goto L10;
					}
				}
			}

0x004148e4
0x004148f1
0x004148f6
0x004148f9
0x004148fc
0x00414909
0x0041490c
0x0041490f
0x00414914
0x0041491a
0x0041491c
0x0041491d
0x00414928
0x00414931
0x00414936
0x00414938
0x00414938
0x00414942
0x0041494e
0x00414968
0x0041496a
0x0041496f
0x00414c25
0x00414c2a
0x00414c2d
0x00414c34
0x00414c36
0x00414c3b
0x00414c3b
0x00414c3e
0x00000000
0x00414975
0x00414984
0x0041498a
0x00414990
0x004149aa
0x004149c4
0x004149c9
0x004149cc
0x004149d1
0x004149dd
0x004149e3
0x004149e5
0x004149eb
0x004149ed
0x004149f0
0x004149f3
0x004149f6
0x004149f9
0x004149fc
0x004149ff
0x00414a02
0x00414a0d
0x00414a11
0x00414a18
0x00414a1f
0x00414a24
0x00414a36
0x00414a44
0x00414a49
0x00414a68
0x00414a70
0x00414a74
0x00414a7b
0x00414a7f
0x00414a83
0x00414a8d
0x00414a90
0x00414a96
0x00414aa4
0x00414ab4
0x00414abc
0x00414ac5
0x00414ac9
0x00414ad1
0x00414ad1
0x00414ad6
0x00414adb
0x00414add
0x00414add
0x00414aef
0x00414af4
0x00414af7
0x00414afa
0x00414afd
0x00414b00
0x00414b03
0x00414b06
0x00414b09
0x00414bab
0x00414bab
0x00414bae
0x00414bb2
0x00414bb7
0x00414bba
0x00414bc0
0x00414bc5
0x00414bc5
0x00414bc8
0x00414bcb
0x00414bd1
0x00414bd6
0x00414bd6
0x00414be9
0x00414bee
0x00414bf1
0x00414bfa
0x00414bff
0x00414bff
0x00414c02
0x00414c04
0x00414c09
0x00414c12
0x00414b0f
0x00414b0f
0x00414b19
0x00414b2f
0x00414b3a
0x00414b3b
0x00414b3c
0x00414b3f
0x00414b48
0x00414b4b
0x00414b51
0x00414b53
0x00414b53
0x00414b58
0x00414b60
0x00414b62
0x00414b62
0x00414b6a
0x00414b74
0x00414b79
0x00414b82
0x00414b86
0x00414b97
0x00414ba2
0x00414ba6
0x00000000
0x00414ba6
0x00414b11
0x00414b13
0x00000000
0x00000000
0x00000000
0x00414b13
0x00414b09

APIs

__EH_prolog.LIBCMT ref: 004148E4

Part of subcall function 0040A5F5: __EH_prolog.LIBCMT ref: 0040A5FA
Part of subcall function 0040A5F5: SetLastError.KERNEL32(?,?,00000000,?,?,0040F157,C:\CodeBases\isdev\src\Runtime\InstallScript\SetupNew\setup.cpp,?,00000001,00467574,00000000,0046757C), ref: 0040A660

lstrcpyW.KERNEL32 ref: 00414942
__setjmp3.LIBCMT ref: 00414963

Part of subcall function 00401E6C: SysStringLen.OLEAUT32(?), ref: 00401E7A
Part of subcall function 00401E6C: SysReAllocStringLen.OLEAUT32(?,?,?), ref: 00401E96

SysAllocString.OLEAUT32(SUPPORTDIR), ref: 00414A90
SysFreeString.OLEAUT32(?), ref: 00414ABC

Strings

|uF, xrefs: 00414A70
uF, xrefs: 00414938
SUPPORTDIR, xrefs: 00414A88
tuF, xrefs: 00414A18
C:\CodeBases\isdev\src\Runtime\InstallScript\SetupNew\setup.cpp, xrefs: 0041491D
puF, xrefs: 00414B53
puF, xrefs: 00414ADD
puF, xrefs: 00414B62

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: String$AllocH_prolog$ErrorFreeLast__setjmp3lstrcpy
String ID: C:\CodeBases\isdev\src\Runtime\InstallScript\SetupNew\setup.cpp$SUPPORTDIR$puF$puF$puF$tuF$|uF$uF
API String ID: 2602270796-1709289212
Opcode ID: bc52b3eabc4c37f0dc565c810276be013f6c4914044a8e8e03aebb5370c7be49
Instruction ID: eb6bf67725573572c9fcc64d9ce03e46d86176c7548ed178184d54f0d48989bc
Opcode Fuzzy Hash: bc52b3eabc4c37f0dc565c810276be013f6c4914044a8e8e03aebb5370c7be49
Instruction Fuzzy Hash: CAB15271E00208EFCB14DFA4C885BDEB7B9AF48708F1444AEE50AF7291D7789A45CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00420489 Relevance: 23.0, APIs: 5, Strings: 8, Instructions: 254
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00420489() {
				intOrPtr _t78;
				intOrPtr _t79;
				void* _t87;
				void* _t88;
				intOrPtr _t92;
				signed int _t107;
				intOrPtr _t114;
				intOrPtr _t123;
				intOrPtr _t126;
				intOrPtr _t135;
				void* _t165;
				void* _t168;
				void* _t172;
				signed int _t174;
				intOrPtr _t179;
				intOrPtr _t180;
				void* _t181;
				void* _t190;
				void* _t197;
				void* _t212;
				void* _t214;
				void* _t216;

				L0043B644(E00462864, _t181);
				_t123 =  *((intOrPtr*)(_t181 + 8));
				 *(_t181 - 0x10) =  *(_t181 + 0xc);
				_t4 = _t123 + 0xc; // 0x0
				_t126 =  *_t4;
				_t5 = _t123 + 4; // 0x4675e8
				_t78 = _t5;
				 *((intOrPtr*)(_t181 - 0x14)) = _t78;
				_t7 = _t78 + 4; // 0x4
				_t79 =  *_t7;
				if(_t79 == 0) {
					_t79 = 0x4675e4;
				}
				 *((intOrPtr*)(_t181 - 0x3c)) = 0x46757c;
				 *((intOrPtr*)(_t181 - 0x1c)) = 0x467574;
				if(_t79 == 0) {
					_t79 = 0x47e150;
				}
				_push(0);
				_push(_t181 + 0xf);
				_push(_t126);
				_push(_t79);
				E004028AE(_t181 - 0x3c);
				 *(_t181 - 4) =  *(_t181 - 4) & 0x00000000;
				if(( *0x47e998 & 0x00000001) == 0) {
					_push(0);
					_push(_t181 + 0xb);
					L0040176A(0x47e9a0);
					L0043BD29(_t189, 0x421245);
				}
				_t165 = E0040248C(_t181 - 0x3c, 0x47e9a0, 0);
				_t190 = _t165 -  *0x467594; // 0xffffffff
				if(_t190 == 0) {
					L16:
					_t172 = E0040238F(_t181 - 0x38, L"/q", 0, L0043BA1F(L"/q"));
					_t197 = _t172 -  *0x467594; // 0xffffffff
					if(_t197 == 0) {
						L44:
						 *(_t181 - 4) =  *(_t181 - 4) | 0xffffffff;
						L0040125C(_t181 - 0x3c);
						 *[fs:0x0] =  *((intOrPtr*)(_t181 - 0xc));
						return  *(_t181 - 0x10);
					}
					if(_t172 == 0) {
						L19:
						_t87 = E0040238F(_t181 - 0x38, " ", _t172, L0043BA1F(" "));
						_t135 =  *0x467594; // 0xffffffff
						if(_t87 != _t135) {
							_t87 = _t87 - _t172;
						}
						_t168 = _t87;
						_t36 = _t168 - 2; // -2
						_t88 = _t36;
						if(_t168 == _t135) {
							_t88 = _t168;
						}
						_t37 = _t172 + 2; // 0x2
						E00401A68(_t181 - 0x3c, _t181 - 0x64, _t37, _t88);
						_t40 = _t123 + 0x1c; // 0x802d3c72
						_t92 =  *_t40;
						 *(_t181 - 4) = 1;
						if(_t92 != 0) {
							__imp__#6(_t92);
							 *(_t123 + 0x1c) =  *(_t123 + 0x1c) & 0x00000000;
						}
						E0040C91A( *((intOrPtr*)(_t181 - 0x14)), _t181, _t172, _t168);
						if( *(_t181 - 0x20) != 0) {
							__imp__#6( *(_t181 - 0x20));
							 *(_t181 - 0x20) = 0;
						}
						L00401F50(_t181 - 0x38, _t181, _t172, _t168);
						_t206 =  *((intOrPtr*)(_t181 - 0x58));
						_t174 = 2;
						 *(_t181 - 0x10) = _t174;
						if( *((intOrPtr*)(_t181 - 0x58)) > 0) {
							asm("sbb eax, eax");
							if(L0041B475(_t206,  ~(_t181 - 0x64) & _t181 - 0x00000060, L"uiet") == 0) {
								_t107 =  *(L00429839(_t181 - 0x64, 0)) & 0x0000ffff;
								if(_t107 == 0x62) {
									 *(_t181 - 0x10) = 3;
								} else {
									if(_t107 == 0x66) {
										 *(_t181 - 0x10) = 5;
									} else {
										if(_t107 == 0x6e) {
											 *(_t181 - 0x10) = _t174;
										} else {
											if(_t107 == 0x72) {
												 *(_t181 - 0x10) = 4;
											}
										}
									}
								}
							}
						}
						_t212 = E0040238F(_t181 - 0x60, 0x478fd0, 0, L0043BA1F(0x478fd0)) -  *0x4675e0; // 0xffffffff
						if(_t212 != 0) {
							 *(_t181 - 0x10) =  *(_t181 - 0x10) | 0x00000080;
						}
						_t214 = E0040238F(_t181 - 0x60, "!", 0, L0043BA1F("!")) -  *0x4675e0; // 0xffffffff
						if(_t214 != 0) {
							 *(_t181 - 0x10) =  *(_t181 - 0x10) | 0x00000020;
						}
						_t216 = E0040238F(_t181 - 0x60, 0x478fcc, 0, L0043BA1F(0x478fcc)) -  *0x4675e0; // 0xffffffff
						if(_t216 != 0) {
							 *(_t181 - 0x10) =  *(_t181 - 0x10) | 0x00000040;
						}
						 *(_t181 - 4) =  *(_t181 - 4) & 0x00000000;
						L0040125C(_t181 - 0x64);
						goto L44;
					}
					_t33 = _t172 - 1; // -1
					if( *((short*)(L00429839(_t181 - 0x3c, _t33))) != 0x20) {
						goto L44;
					}
					goto L19;
				} else {
					if(_t165 == 0) {
						L11:
						_t178 = L" REBOOTPROMPT=S";
						 *(_t181 - 0x10) = 0x23;
						L0040CCDC(L0043BA1F(L" REBOOTPROMPT=S"),  *((intOrPtr*)(_t181 - 0x14)), L" REBOOTPROMPT=S", _t110);
						L00405885(_t181 - 0x38, _t178, L0043BA1F(L" REBOOTPROMPT=S"));
						_t23 = _t123 + 0x1c; // 0x802d3c72
						_t114 =  *_t23;
						_t179 =  *0x47e9ac; // 0x0
						if(_t114 != 0) {
							__imp__#6(_t114);
							 *(_t123 + 0x1c) =  *(_t123 + 0x1c) & 0x00000000;
						}
						E0040C91A( *((intOrPtr*)(_t181 - 0x14)), _t181, _t165, _t179);
						_t180 =  *0x47e9ac; // 0x0
						if( *(_t181 - 0x20) != 0) {
							__imp__#6( *(_t181 - 0x20));
							 *(_t181 - 0x20) =  *(_t181 - 0x20) & 0x00000000;
						}
						L00401F50(_t181 - 0x38, _t181, _t165, _t180);
						goto L16;
					}
					_t18 = _t165 - 1; // -1
					if( *((short*)(L0040CC86(_t181 - 0x38, _t18))) != 0x20) {
						goto L16;
					}
					goto L11;
				}
			}

0x0042048e
0x0042049a
0x0042049d
0x004204a2
0x004204a2
0x004204a5
0x004204a5
0x004204a8
0x004204ab
0x004204ab
0x004204b0
0x004204b2
0x004204b2
0x004204c3
0x004204c6
0x004204c9
0x004204cb
0x004204cb
0x004204d3
0x004204d5
0x004204d6
0x004204d7
0x004204db
0x004204e0
0x004204eb
0x00420513
0x00420515
0x0042051c
0x00420526
0x0042052b
0x0042053b
0x0042053d
0x00420543
0x004205d2
0x004205ea
0x004205ec
0x004205f2
0x00420769
0x00420769
0x00420770
0x0042077e
0x00420786
0x00420786
0x004205fa
0x00420612
0x00420624
0x00420629
0x00420631
0x00420633
0x00420633
0x00420635
0x00420639
0x00420639
0x0042063c
0x0042063e
0x0042063e
0x00420641
0x0042064c
0x00420651
0x00420651
0x00420654
0x0042065a
0x0042065d
0x00420663
0x00420663
0x0042066c
0x00420676
0x0042067b
0x00420681
0x00420681
0x00420689
0x0042068e
0x00420693
0x00420694
0x00420697
0x004206a1
0x004206b4
0x004206bf
0x004206c5
0x004206ed
0x004206c7
0x004206ca
0x004206e4
0x004206cc
0x004206cf
0x004206df
0x004206d1
0x004206d4
0x004206d6
0x004206d6
0x004206d4
0x004206cf
0x004206ca
0x004206c5
0x004206b4
0x0042070b
0x00420711
0x00420713
0x00420713
0x0042072e
0x00420734
0x00420736
0x00420736
0x00420751
0x00420757
0x00420759
0x00420759
0x0042075d
0x00420764
0x00000000
0x00420764
0x004205fc
0x0042060c
0x00000000
0x00000000
0x00000000
0x00420549
0x0042054b
0x0042055f
0x0042055f
0x00420564
0x00420577
0x00420588
0x0042058d
0x0042058d
0x00420590
0x00420598
0x0042059b
0x004205a1
0x004205a1
0x004205aa
0x004205b3
0x004205b9
0x004205be
0x004205c4
0x004205c4
0x004205cd
0x00000000
0x004205cd
0x0042054d
0x0042055d
0x00000000
0x00000000
0x00000000
0x0042055d

APIs

__EH_prolog.LIBCMT ref: 0042048E
SysFreeString.OLEAUT32(802D3C72), ref: 0042059B
SysFreeString.OLEAUT32(00000000), ref: 004205BE
SysFreeString.OLEAUT32(802D3C72), ref: 0042065D
SysFreeString.OLEAUT32(?), ref: 0042067B

Part of subcall function 0040125C: __EH_prolog.LIBCMT ref: 00401261
Part of subcall function 0040125C: GetLastError.KERNEL32(000004B1,00000000,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 00401284
Part of subcall function 0040125C: SysFreeString.OLEAUT32(?), ref: 004012A2
Part of subcall function 0040125C: SetLastError.KERNEL32(?,00000001,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 004012C2

Strings

uiet, xrefs: 004206A3
PG, xrefs: 0042050B
PG, xrefs: 004204CB
REBOOTPROMPT=S, xrefs: 0042055F, 0042056B, 00420576, 0042057C, 00420584
tuF, xrefs: 004204BC
/passive, xrefs: 004204F4, 00420516
|uF, xrefs: 004204B7
uF, xrefs: 004204B2

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: FreeString$ErrorH_prologLast
String ID: REBOOTPROMPT=S$/passive$PG$PG$tuF$uiet$|uF$uF
API String ID: 179955378-1651205902
Opcode ID: f6b228c02df32358f505c5b7d479bbd8b3649da425d6ba361e6cc15b19d1a436
Instruction ID: 3f3e7d35b69e7bec215d79ea2140cd2d78191b1ffe92a0252de160a493a03e7c
Opcode Fuzzy Hash: f6b228c02df32358f505c5b7d479bbd8b3649da425d6ba361e6cc15b19d1a436
Instruction Fuzzy Hash: 6291B372A00225AFDB14EB51EC45AEF77B8EF44318F50416FF906A7292DB785E40CB68

Uniqueness

Uniqueness Score: -1.00%

Function 004381E0 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 159
stringCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E004381E0(void* __ecx, void* __eflags) {
				void* _t71;
				intOrPtr _t72;
				intOrPtr _t73;
				signed int _t83;
				signed int _t85;
				WCHAR* _t90;
				int _t92;
				void* _t95;
				void* _t96;
				long _t105;
				WCHAR* _t123;
				void* _t126;
				signed int _t127;
				void* _t129;

				L0043B644(0x464ba4, _t129);
				_t126 = __ecx;
				_t105 = 1;
				 *((intOrPtr*)(_t129 - 0x50)) = 0x3c;
				E004383BA(_t129 - 0x50, _t105);
				 *(_t129 - 4) = 0;
				if(E00438443(_t129 - 0x50,  *((intOrPtr*)(_t129 + 0xc)), 0) != 0) {
					 *0x47e0d8( *((intOrPtr*)(_t129 + 0xc)), 0, 0, _t129 - 0x50);
				}
				_t71 =  *((intOrPtr*)(_t129 - 0x44)) - 1;
				if(_t71 == 0) {
					 *(_t129 - 0x10) = _t105;
					L11:
					__eflags =  *(_t129 + 0x18) & 0x00800000;
					if(( *(_t129 + 0x18) & 0x00800000) != 0) {
						_t72 =  *((intOrPtr*)(_t126 + 0x94));
						__eflags =  *(_t72 + 4);
						if( *(_t72 + 4) != 0) {
							_t92 = lstrcmpiW( *(_t126 + 0x98),  *(_t129 - 0x40));
							__eflags = _t92;
							if(_t92 != 0) {
								L00413417(_t126);
							}
						}
						_t73 =  *((intOrPtr*)(_t126 + 0x94));
						__eflags =  *(_t73 + 4);
						if( *(_t73 + 4) == 0) {
							 *0x47e0d0( *((intOrPtr*)(_t129 + 8)),  *(_t129 - 0x40),  *((intOrPtr*)(_t129 - 0x38)),  *((intOrPtr*)(_t129 - 0x34)),  *((intOrPtr*)(_t129 - 0x2c)),  *(_t129 - 0x10), 0, _t73);
							_t90 = L0043BC14(lstrlenW( *(_t129 - 0x40)) + _t88 + 2);
							 *(_t126 + 0x98) = _t90;
							lstrcpyW(_t90,  *(_t129 - 0x40));
						}
						_t123 = L0043BC14(lstrlenW( *(_t129 - 0x24)) +  *(_t129 - 0x18) + lstrlenW( *(_t129 - 0x24)) +  *(_t129 - 0x18) + 2);
						lstrcpyW(_t123,  *(_t129 - 0x24));
						__eflags =  *(_t129 - 0x18);
						if( *(_t129 - 0x18) != 0) {
							lstrcatW(_t123,  *(_t129 - 0x1c));
						}
						_t127 =  *0x47e0e8( *((intOrPtr*)( *((intOrPtr*)(_t126 + 0x94)) + 4)), L"GET", _t123, 0, 0, 0,  *(_t129 + 0x18),  *((intOrPtr*)(_t129 + 0x1c)));
						E0043AE17(_t123);
						_t83 =  *0x47e0f4(_t127,  *((intOrPtr*)(_t129 + 0x10)),  *((intOrPtr*)(_t129 + 0x14)), 0, 0);
						__eflags = _t83;
						if(_t83 == 0) {
							_t127 = 0;
							__eflags = 0;
						}
					} else {
						_t127 =  *0x47e0d4( *((intOrPtr*)(_t129 + 8)),  *((intOrPtr*)(_t129 + 0xc)),  *((intOrPtr*)(_t129 + 0x10)),  *((intOrPtr*)(_t129 + 0x14)),  *(_t129 + 0x18),  *((intOrPtr*)(_t129 + 0x1c)));
					}
					_t62 = _t129 - 4;
					 *_t62 =  *(_t129 - 4) | 0xffffffff;
					__eflags =  *_t62;
					E004383EF(_t129 - 0x50,  *_t62);
					_t85 = _t127;
					L23:
					 *[fs:0x0] =  *((intOrPtr*)(_t129 - 0xc));
					return _t85;
				}
				_t95 = _t71 - 1;
				if(_t95 == 0) {
					 *(_t129 - 0x10) = 2;
					goto L11;
				}
				_t96 = _t95 - 1;
				if(_t96 == 0) {
					 *(_t129 - 0x10) = 3;
					goto L11;
				}
				_t139 = _t96 == 1;
				if(_t96 == 1) {
					 *(_t129 + 0x18) =  *(_t129 + 0x18) | 0x00800000;
					 *(_t129 - 0x10) = 3;
					goto L11;
				}
				 *((intOrPtr*)(_t129 - 0x14)) = 0;
				 *(_t129 - 0x10) = 0x2ee6;
				SetLastError(0x2ee6);
				_push(8);
				L00437A0C( *((intOrPtr*)(_t129 + 8)),  *((intOrPtr*)(_t129 + 0x1c)), 0x64, _t129 - 0x14);
				 *(_t129 - 4) =  *(_t129 - 4) | 0xffffffff;
				E004383EF(_t129 - 0x50, _t139);
				_t85 = 0;
				goto L23;
			}

0x004381e5
0x004381f2
0x004381f4
0x004381f9
0x00438200
0x0043820b
0x00438218
0x00438223
0x00438223
0x00438231
0x00438232
0x00438293
0x00438296
0x00438296
0x00438299
0x004382ba
0x004382c0
0x004382c3
0x004382ce
0x004382d4
0x004382d6
0x004382da
0x004382da
0x004382d6
0x004382df
0x004382eb
0x004382f4
0x0043830b
0x0043831b
0x00438321
0x0043832b
0x0043832b
0x00438340
0x00438346
0x0043834a
0x0043834d
0x00438353
0x00438353
0x00438379
0x0043837b
0x0043838a
0x00438390
0x00438392
0x00438394
0x00438394
0x00438394
0x0043829b
0x004382b3
0x004382b3
0x00438396
0x00438396
0x00438396
0x0043839d
0x004383a2
0x004383a4
0x004383aa
0x004383b2
0x004383b2
0x00438234
0x00438235
0x0043828a
0x00000000
0x0043828a
0x00438237
0x00438238
0x00438281
0x00000000
0x00438281
0x0043823a
0x0043823b
0x00438275
0x00438278
0x00000000
0x00438278
0x00438242
0x00438246
0x00438249
0x00438252
0x0043825d
0x00438262
0x00438269
0x0043826e
0x00000000

APIs

__EH_prolog.LIBCMT ref: 004381E5
SetLastError.KERNEL32(00002EE6,?,00000000,00000001), ref: 00438249
lstrcmpiW.KERNEL32(?,?,?,00000000,00000001), ref: 004382CE
lstrlenW.KERNEL32(?), ref: 00438314
lstrcpyW.KERNEL32 ref: 0043832B
lstrlenW.KERNEL32(?,?,00000000,00000001), ref: 00438330
lstrcpyW.KERNEL32 ref: 00438346
lstrcatW.KERNEL32(00000000,?), ref: 00438353

Strings

:RD, xrefs: 00438223
GET, xrefs: 0043836C
<, xrefs: 004381F9
(RD, xrefs: 004382AD

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: lstrcpylstrlen$ErrorH_prologLastlstrcatlstrcmpi
String ID: (RD$:RD$<$GET
API String ID: 1928812224-1230480373
Opcode ID: 399f26229fddfb69a80f91740f328beb53d654645c628e1ff7e46b5526950ee6
Instruction ID: e06bea45a46f3bb9c66d41d98a6c49209d47a580ed6d830d7aa9deb99e5d756f
Opcode Fuzzy Hash: 399f26229fddfb69a80f91740f328beb53d654645c628e1ff7e46b5526950ee6
Instruction Fuzzy Hash: C6518932800209EFDF119FA0DC45EAFBBB9FF48344F10406EFA15A2260DB758A11DB59

Uniqueness

Uniqueness Score: -1.00%

Function 004143BB Relevance: 19.6, APIs: 7, Strings: 4, Instructions: 331
stringCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E004143BB(intOrPtr __ecx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				WCHAR* _t85;
				intOrPtr* _t94;
				intOrPtr* _t95;
				void* _t96;
				intOrPtr* _t102;
				signed char _t108;
				signed char _t112;
				signed char _t115;
				intOrPtr* _t118;
				intOrPtr* _t119;
				intOrPtr* _t121;
				struct HWND__* _t158;
				intOrPtr* _t168;
				intOrPtr* _t173;
				intOrPtr* _t174;
				signed int _t189;
				intOrPtr* _t242;
				intOrPtr _t245;
				void* _t247;
				intOrPtr _t249;
				void* _t250;

				L0043B644(0x461170, _t250);
				_t245 = __ecx;
				 *((intOrPtr*)(_t250 - 0x1c)) = __ecx;
				 *((intOrPtr*)(_t250 - 0x20)) = 0;
				 *(_t250 - 4) = 0;
				 *((intOrPtr*)(_t250 - 0x14)) = 0;
				_t184 = __ecx + 8;
				 *((intOrPtr*)(_t250 - 0x28)) = __ecx;
				L0043B670(_t250 - 0x68, __ecx + 8, 0x40);
				_push(1);
				_push(_t250 - 0x15);
				_push("C:\\CodeBases\\isdev\\src\\Runtime\\InstallScript\\SetupNew\\setup.cpp");
				 *(_t250 - 4) = 2;
				_t85 =  *(E0040A5F5(_t250 - 0x90) + 8);
				if(_t85 == 0) {
					_t85 = 0x4675e4;
				}
				lstrcpyW(_t245 + 0x50, _t85);
				E004061C1(_t250 - 0x90);
				_t247 = E0043C804(_t184, 0, _t245 + 0x50, _t250, _t184, 3, 0x43b31a,  *(_t250 - 4), 0x46c870);
				_t261 = _t247;
				if(_t247 != 0) {
					 *((intOrPtr*)( *((intOrPtr*)(_t250 - 0x1c)) + 0x390)) = 0xffffec72;
					L0043B670( *((intOrPtr*)(_t250 - 0x28)) + 8, _t250 - 0x68, 0x40);
					_t94 =  *((intOrPtr*)(_t250 - 0x14));
					 *(_t250 - 4) =  *(_t250 - 4) & 0x00000000;
					__eflags = _t94;
					if(_t94 != 0) {
						 *((intOrPtr*)( *_t94 + 8))(_t94);
					}
					_t95 =  *((intOrPtr*)(_t250 - 0x20));
					 *(_t250 - 4) =  *(_t250 - 4) | 0xffffffff;
					__eflags = _t95;
					if(_t95 != 0) {
						 *((intOrPtr*)( *_t95 + 8))(_t95);
					}
					_t96 = _t247;
					goto L14;
				} else {
					_t249 =  *((intOrPtr*)(_t250 - 0x1c));
					L00415C13(_t249,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t249 + 0x28c)))) + 0x2c))(0, 0, 0x206),  *((intOrPtr*)(_t249 + 0x28c)));
					_t102 =  *((intOrPtr*)(_t249 + 0x28c));
					 *((intOrPtr*)(_t250 - 0x24)) = _t102;
					L00415C13(_t249,  *((intOrPtr*)( *_t102 + 0x2c))( *( *((intOrPtr*)( *((intOrPtr*)(_t249 + 4)) + 0x2c))(0xffffffff, 0x207) + 0x48) & 0x0000ffff),  *((intOrPtr*)(_t250 - 0x24)));
					_t108 = E0042E67F(_t261);
					asm("sbb eax, eax");
					_t112 = E0042E698();
					asm("sbb eax, eax");
					_t115 = E0042E6B4();
					asm("sbb eax, eax");
					 *((intOrPtr*)(_t250 - 0x10)) = 0;
					_t189 = ( ~_t108 & 0x0000f000) + 0x00001000 |  ~_t112 & 0x00000400 |  ~_t115 & 0x00000800;
					_t118 =  *((intOrPtr*)(_t249 + 0x28c));
					_t262 = _t118;
					if(_t118 != 0) {
						 *((intOrPtr*)( *_t118))(_t118, 0x477ad0, _t250 - 0x10);
					}
					_t119 =  *((intOrPtr*)(_t250 - 0x10));
					 *(_t250 - 4) = 3;
					 *((intOrPtr*)( *_t119 + 0x90))(_t119, 0, 0, 0);
					_t121 =  *((intOrPtr*)(_t250 - 0x10));
					 *((intOrPtr*)( *_t121 + 0x90))(_t121, _t189, 0, 0xffffffff);
					L00415C13(_t249,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t249 + 0x28c)))) + 0x1c))(_t249 + 0x284, 0x21d),  *((intOrPtr*)(_t249 + 0x28c)));
					_t242 = _t249 + 0x288;
					L00415C13(_t249, L00414C42(_t249, _t262),  *((intOrPtr*)(_t249 + 0x284)));
					L00415C13(_t249,  *((intOrPtr*)( *((intOrPtr*)( *_t242)) + 0x3c))(2, 0x222, L"<Support>", _t242, 0x21f),  *_t242);
					L00415C13(_t249,  *((intOrPtr*)( *((intOrPtr*)( *_t242)) + 0xb0))(0x225),  *_t242);
					L00415C13(_t249, E004148DF(_t249, _t262,  *_t242), 0x230);
					L00415C13(_t249, L00414C42(_t249, _t262),  *((intOrPtr*)(_t249 + 0x284)));
					L00415C13(_t249,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t250 - 0x14)))) + 0xac))(_t249, 0x234, L"<Support>\\Engine\\Log", _t250 - 0x14, 0x233),  *((intOrPtr*)(_t250 - 0x14)));
					L00415C13(_t249,  *((intOrPtr*)( *((intOrPtr*)( *_t242)) + 0x3c))(0, 0x237),  *_t242);
					L00415C13(_t249,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t249 + 0x28c)))) + 0x44))(0, 0x23a),  *((intOrPtr*)(_t249 + 0x28c)));
					L00415C13(_t249,  *((intOrPtr*)( *((intOrPtr*)( *_t242)) + 0x3c))(0, 0x23d),  *_t242);
					L00415C13(_t249,  *((intOrPtr*)( *((intOrPtr*)( *_t242)) + 0x3c))(2, 0x240),  *_t242);
					L00415C13(_t249, L00414FDC(_t249, _t262), 0x24c);
					_t158 =  *(_t249 + 0x26c);
					if(_t158 != 0) {
						EnableWindow(GetDlgItem(_t158, 9), 1);
						EnableWindow(GetDlgItem( *(_t249 + 0x26c), 2), 1);
					}
					L00415C13(_t249,  *((intOrPtr*)( *((intOrPtr*)( *_t242)) + 0xac))(_t249, 0x255),  *_t242);
					L00415C13(_t249,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t249 + 0x28c)))) + 0x2c))(0, 0xffffffff, 0x258),  *((intOrPtr*)(_t249 + 0x28c)));
					L00415C13(_t249,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t250 - 0x10)))) + 0x90))(0, 0, 0xffffffff, 0x25b),  *((intOrPtr*)(_t250 - 0x10)));
					_t168 =  *((intOrPtr*)(_t250 - 0x10));
					 *(_t250 - 4) = 2;
					if(_t168 != 0) {
						 *((intOrPtr*)( *_t168 + 8))(_t168);
					}
					L0043B670( *((intOrPtr*)(_t250 - 0x28)) + 8, _t250 - 0x68, 0x40);
					_t173 =  *((intOrPtr*)(_t250 - 0x14));
					 *(_t250 - 4) =  *(_t250 - 4) & 0x00000000;
					if(_t173 != 0) {
						 *((intOrPtr*)( *_t173 + 8))(_t173);
					}
					_t174 =  *((intOrPtr*)(_t250 - 0x20));
					 *(_t250 - 4) =  *(_t250 - 4) | 0xffffffff;
					if(_t174 != 0) {
						 *((intOrPtr*)( *_t174 + 8))(_t174);
					}
					_t96 = 0;
					L14:
					 *[fs:0x0] =  *((intOrPtr*)(_t250 - 0xc));
					return _t96;
				}
			}

0x004143c0
0x004143ce
0x004143d2
0x004143d5
0x004143d8
0x004143db
0x004143de
0x004143e8
0x004143eb
0x004143f6
0x004143f8
0x004143f9
0x00414404
0x0041440d
0x00414412
0x00414414
0x00414414
0x0041441e
0x0041442a
0x00414444
0x00414449
0x0041444b
0x00414727
0x0041473c
0x00414741
0x00414744
0x0041474b
0x0041474d
0x00414752
0x00414752
0x00414755
0x00414758
0x0041475c
0x0041475e
0x00414763
0x00414763
0x00414766
0x00000000
0x00414451
0x00414451
0x0041446a
0x0041446f
0x00414478
0x00414497
0x0041449c
0x004144a3
0x004144b0
0x004144b7
0x004144c0
0x004144c7
0x004144c9
0x004144d1
0x004144d3
0x004144d9
0x004144db
0x004144e9
0x004144e9
0x004144eb
0x004144f4
0x004144f8
0x004144fe
0x00414508
0x00414529
0x00414530
0x0041454c
0x00414563
0x0041457b
0x00414592
0x004145b2
0x004145cc
0x004145e4
0x004145fe
0x00414614
0x0041462b
0x0041463f
0x00414644
0x0041464c
0x0041465a
0x00414671
0x00414671
0x0041468b
0x004146a7
0x004146c4
0x004146c9
0x004146cc
0x004146d2
0x004146d7
0x004146d7
0x004146e7
0x004146ec
0x004146ef
0x004146f8
0x004146fd
0x004146fd
0x00414700
0x00414703
0x00414709
0x0041470e
0x0041470e
0x00414711
0x00414713
0x00414718
0x00414721
0x00414721

APIs

__EH_prolog.LIBCMT ref: 004143C0

Part of subcall function 0040A5F5: __EH_prolog.LIBCMT ref: 0040A5FA
Part of subcall function 0040A5F5: SetLastError.KERNEL32(?,?,00000000,?,?,0040F157,C:\CodeBases\isdev\src\Runtime\InstallScript\SetupNew\setup.cpp,?,00000001,00467574,00000000,0046757C), ref: 0040A660

lstrcpyW.KERNEL32 ref: 0041441E
__setjmp3.LIBCMT ref: 0041443F

Part of subcall function 00414C42: __EH_prolog.LIBCMT ref: 00414C47
Part of subcall function 00414C42: lstrcpyW.KERNEL32 ref: 00414CBC
Part of subcall function 00414C42: __setjmp3.LIBCMT ref: 00414CDD
Part of subcall function 00414C42: VariantClear.OLEAUT32(?), ref: 00414D42

Part of subcall function 004148DF: __EH_prolog.LIBCMT ref: 004148E4
Part of subcall function 004148DF: lstrcpyW.KERNEL32 ref: 00414942
Part of subcall function 004148DF: __setjmp3.LIBCMT ref: 00414963

Part of subcall function 00414FDC: __EH_prolog.LIBCMT ref: 00414FE1
Part of subcall function 00414FDC: SysAllocString.OLEAUT32(ENGINECOMMONDIR), ref: 0041506B
Part of subcall function 00414FDC: SysAllocString.OLEAUT32(ENGINEDIR), ref: 004150F0

GetDlgItem.USER32 ref: 00414653
EnableWindow.USER32(00000000), ref: 0041465A
GetDlgItem.USER32 ref: 0041466A
EnableWindow.USER32(00000000), ref: 00414671

Strings

<Support>\Engine\Log, xrefs: 004145A2
uF, xrefs: 00414414
<Support>, xrefs: 0041453C
C:\CodeBases\isdev\src\Runtime\InstallScript\SetupNew\setup.cpp, xrefs: 004143F9

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: H_prolog$__setjmp3lstrcpy$AllocEnableItemStringWindow$ClearErrorLastVariant
String ID: <Support>$<Support>\Engine\Log$C:\CodeBases\isdev\src\Runtime\InstallScript\SetupNew\setup.cpp$uF
API String ID: 1304325070-990527144
Opcode ID: 7758185b28505b544e5713531550a86f345c82583e0873fee4f2072a298970e8
Instruction ID: 5a8fd908553dc3096bc21f49fda491bbac7551347ef708388ac0887e736b829f
Opcode Fuzzy Hash: 7758185b28505b544e5713531550a86f345c82583e0873fee4f2072a298970e8
Instruction Fuzzy Hash: 14B17271600614EFDB10EBA8CC89FAE77A9EF89708F104059F219EB2D1DB789D41CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00420787 Relevance: 17.8, APIs: 6, Strings: 4, Instructions: 335
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00420787() {
				intOrPtr _t118;
				intOrPtr _t121;
				intOrPtr _t122;
				void* _t126;
				intOrPtr _t128;
				intOrPtr _t132;
				intOrPtr _t133;
				intOrPtr _t138;
				void* _t140;
				intOrPtr _t146;
				signed int _t157;
				signed char _t158;
				signed char* _t159;
				signed char _t160;
				signed char _t163;
				signed char _t165;
				signed char _t167;
				signed char _t169;
				signed int* _t173;
				signed char _t174;
				signed int* _t175;
				signed char _t176;
				signed char _t178;
				signed char _t179;
				signed char _t182;
				signed char _t185;
				void* _t193;
				void* _t199;
				intOrPtr _t205;
				void* _t207;
				void* _t209;
				intOrPtr _t211;
				intOrPtr _t219;
				intOrPtr _t250;
				intOrPtr _t256;
				signed int _t257;
				void* _t259;
				void* _t267;
				void* _t277;
				void* _t279;
				void* _t280;
				void* _t287;

				L0043B644(E00462896, _t259);
				 *( *(_t259 + 0x10)) = 0;
				_t250 =  *((intOrPtr*)(_t259 + 0x14));
				 *( *(_t259 + 0xc)) = 0;
				_t4 = _t250 + 0x1c; // 0x802d3c72
				_t118 =  *_t4;
				_t5 = _t250 + 0xc; // 0x0
				_t205 =  *_t5;
				if(_t118 != 0) {
					__imp__#6(_t118);
					 *((intOrPtr*)(_t250 + 0x1c)) = 0;
				}
				_t7 = _t250 + 4; // 0x4675e8
				L00401F50(_t7, _t259, 0, _t205);
				_t9 =  *((intOrPtr*)(_t259 + 8)) + 0xc; // 0x0
				_t211 =  *_t9;
				_t121 =  *((intOrPtr*)(_t259 + 8)) + 4;
				 *((intOrPtr*)(_t259 - 0x18)) = _t121;
				_t11 = _t121 + 4; // 0x0
				_t122 =  *_t11;
				if(_t122 == 0) {
					_t122 = 0x4675e4;
				}
				 *((intOrPtr*)(_t259 - 0x40)) = 0x46757c;
				 *((intOrPtr*)(_t259 - 0x20)) = 0x467574;
				if(_t122 == 0) {
					_t122 = 0x47e150;
				}
				_push(0);
				_push(_t259 + 0x17);
				_push(_t211);
				_push(_t122);
				E004028AE(_t259 - 0x40);
				 *(_t259 - 4) = 0;
				_t207 = E0040238F(_t259 - 0x3c, L"/l", 0, L0043BA1F(L"/l"));
				_t267 = _t207 -  *0x467594; // 0xffffffff
				if(_t267 == 0) {
					L71:
					 *(_t259 - 4) =  *(_t259 - 4) | 0xffffffff;
					_t126 = L0040125C(_t259 - 0x40);
					 *[fs:0x0] =  *((intOrPtr*)(_t259 - 0xc));
					return _t126;
				}
				if(_t207 == 0) {
					L9:
					_t255 = " ";
					_t128 = E0040238F(_t259 - 0x3c, " ", _t207, L0043BA1F(" "));
					_t219 =  *0x467594; // 0xffffffff
					 *((intOrPtr*)(_t259 - 0x14)) = _t128;
					if(_t128 == _t219) {
						 *((intOrPtr*)(_t259 - 0x10)) = _t128;
					} else {
						_t128 = _t128 - _t207;
						 *((intOrPtr*)(_t259 - 0x10)) = _t128;
					}
					if(_t128 != _t219) {
						_t128 = _t128 + 0xfffffffe;
					}
					_t24 = _t207 + 2; // 0x2
					E00401A68(_t259 - 0x40, _t259 - 0x68, _t24, _t128);
					_t132 =  *((intOrPtr*)(_t259 + 8));
					 *(_t259 - 4) = 1;
					_t29 = _t132 + 0x1c; // 0x802d3c72
					_t133 =  *_t29;
					if(_t133 != 0) {
						__imp__#6(_t133);
						 *( *((intOrPtr*)(_t259 + 8)) + 0x1c) =  *( *((intOrPtr*)(_t259 + 8)) + 0x1c) & 0x00000000;
					}
					E0040C91A( *((intOrPtr*)(_t259 - 0x18)), _t259, _t207,  *((intOrPtr*)(_t259 - 0x10)));
					if( *(_t259 - 0x24) != 0) {
						__imp__#6( *(_t259 - 0x24));
						 *(_t259 - 0x24) =  *(_t259 - 0x24) & 0x00000000;
					}
					L00401F50(_t259 - 0x3c, _t259, _t207,  *((intOrPtr*)(_t259 - 0x10)));
					_t209 = E0040C610(_t259 - 0x3c, _t255, _t207, L0043BA1F(_t255));
					_t277 = _t209 -  *0x467594; // 0xffffffff
					if(_t277 == 0) {
						L23:
						_t138 =  *((intOrPtr*)(_t259 - 0x14));
						L24:
						_t280 = _t138 -  *0x467594; // 0xffffffff
						if(_t280 != 0) {
							_t138 = _t138 - _t209;
						}
						 *((intOrPtr*)(_t259 - 0x10)) = _t138;
						_t140 = E00401A68(_t259 - 0x40, _t259 - 0x90, _t209, _t138);
						 *(_t259 - 4) = 2;
						L00401A1E(_t250, _t140);
						 *(_t259 - 4) = 1;
						L0040125C(_t259 - 0x90);
						L004197FA(_t250, _t259 - 0x90);
						L0040125C(_t259 - 0x90);
						_t256 =  *((intOrPtr*)(_t259 + 8));
						_t57 = _t256 + 0x1c; // 0x802d3c72
						_t146 =  *_t57;
						if(_t146 != 0) {
							__imp__#6(_t146);
							 *(_t256 + 0x1c) =  *(_t256 + 0x1c) & 0x00000000;
						}
						E0040C91A( *((intOrPtr*)(_t259 - 0x18)), _t259, _t209,  *((intOrPtr*)(_t259 - 0x10)));
						_t257 = 0;
						if( *(_t259 - 0x24) != 0) {
							__imp__#6( *(_t259 - 0x24));
							 *(_t259 - 0x24) = 0;
						}
						L00401F50(_t259 - 0x3c, _t259, _t209,  *((intOrPtr*)(_t259 - 0x10)));
						_t67 = _t250 + 0xc; // 0x0
						if( *_t67 != _t257 &&  *((short*)(L00429839(_t250, _t257))) == 0x22) {
							_t68 = _t250 + 0xc; // 0x0
							_t287 =  *_t68 + 0xfffffffe;
							_t193 = E00401A68(_t250, _t259 - 0x90, 1,  *_t68 + 0xfffffffe);
							 *(_t259 - 4) = 3;
							L00401A1E(_t250, _t193);
							 *(_t259 - 4) = 1;
							L0040125C(_t259 - 0x90);
						}
						asm("sbb eax, eax");
						if(L0041B475(_t287,  ~(_t259 - 0x68) & _t259 - 0x00000064, L"og") == 0) {
							L00425E79(_t259 - 0x68);
							__eflags =  *((intOrPtr*)(_t259 - 0x5c)) - _t257;
							if( *((intOrPtr*)(_t259 - 0x5c)) <= _t257) {
								goto L70;
							} else {
								goto L36;
							}
							do {
								L36:
								_t157 =  *(L00429839(_t259 - 0x68, _t257)) & 0x0000ffff;
								__eflags = _t157 - 0x6d;
								if(__eflags > 0) {
									_t158 = _t157 - 0x6f;
									__eflags = _t158;
									if(_t158 == 0) {
										_t159 =  *(_t259 + 0xc);
										 *_t159 =  *_t159 | 0x00000080;
										__eflags =  *_t159;
									} else {
										_t160 = _t158 - 1;
										__eflags = _t160;
										if(_t160 == 0) {
											( *(_t259 + 0xc))[0] = ( *(_t259 + 0xc))[0] | 0x00000004;
										} else {
											_t163 = _t160;
											__eflags = _t163;
											if(_t163 == 0) {
												( *(_t259 + 0xc))[0] = ( *(_t259 + 0xc))[0] | 0x00000002;
											} else {
												_t165 = _t163 - 3;
												__eflags = _t165;
												if(_t165 == 0) {
													 *( *(_t259 + 0xc)) =  *( *(_t259 + 0xc)) | 0x00000008;
												} else {
													_t167 = _t165 - 1;
													__eflags = _t167;
													if(_t167 == 0) {
														( *(_t259 + 0xc))[0] = ( *(_t259 + 0xc))[0] | 0x00000010;
													} else {
														_t169 = _t167 - 1;
														__eflags = _t169;
														if(_t169 == 0) {
															 *( *(_t259 + 0xc)) =  *( *(_t259 + 0xc)) | 0x00000004;
														} else {
															__eflags = _t169 == 1;
															if(_t169 == 1) {
																( *(_t259 + 0xc))[0] = ( *(_t259 + 0xc))[0] | 0x00000020;
															}
														}
													}
												}
											}
										}
									}
									goto L69;
								}
								if(__eflags == 0) {
									_t173 =  *(_t259 + 0xc);
									L50:
									 *_t173 =  *_t173 | 0x00000001;
									goto L69;
								}
								_t174 = _t157 - 0x21;
								__eflags = _t174;
								if(_t174 == 0) {
									_t175 =  *(_t259 + 0x10);
									L53:
									 *_t175 =  *_t175 | 0x00000002;
									goto L69;
								}
								_t176 = _t174 - 9;
								__eflags = _t176;
								if(_t176 == 0) {
									 *( *(_t259 + 0xc)) =  *( *(_t259 + 0xc)) | 0x00000fdf;
									goto L69;
								}
								_t178 = _t176 - 1;
								__eflags = _t178;
								if(_t178 == 0) {
									_t173 =  *(_t259 + 0x10);
									goto L50;
								}
								_t179 = _t178 - 0x36;
								__eflags = _t179;
								if(_t179 == 0) {
									( *(_t259 + 0xc))[0] = ( *(_t259 + 0xc))[0] | 0x00000001;
									goto L69;
								}
								_t182 = _t179;
								__eflags = _t182;
								if(_t182 == 0) {
									( *(_t259 + 0xc))[0] = ( *(_t259 + 0xc))[0] | 0x00000008;
									goto L69;
								}
								_t185 = _t182;
								__eflags = _t185;
								if(_t185 == 0) {
									_t175 =  *(_t259 + 0xc);
									goto L53;
								}
								__eflags = _t185 == 4;
								if(_t185 == 4) {
									 *( *(_t259 + 0xc)) =  *( *(_t259 + 0xc)) | 0x00000010;
								}
								L69:
								_t257 = _t257 + 1;
								__eflags = _t257 -  *((intOrPtr*)(_t259 - 0x5c));
							} while (_t257 <  *((intOrPtr*)(_t259 - 0x5c)));
							goto L70;
						} else {
							 *( *(_t259 + 0xc)) = 0xfdf;
							L70:
							 *(_t259 - 4) =  *(_t259 - 4) & 0x00000000;
							L0040125C(_t259 - 0x68);
							goto L71;
						}
					}
					if( *((short*)(L0040CC86(_t259 - 0x3c, _t209))) != 0x22) {
						 *((intOrPtr*)(_t259 - 0x14)) = E0040238F(_t259 - 0x3c, _t255, _t209, L0043BA1F(_t255));
						goto L23;
					}
					_t199 = L0043BA1F("\"");
					_t43 = _t209 + 1; // 0x1
					_t138 = E0040238F(_t259 - 0x3c, "\"", _t43, _t199);
					_t279 = _t138 -  *0x4675e0; // 0xffffffff
					if(_t279 != 0) {
						_t138 = _t138 + 1;
					}
					goto L24;
				}
				_t18 = _t207 - 1; // -1
				if( *((short*)(L0040CC86(_t259 - 0x3c, _t18))) != 0x20) {
					goto L71;
				}
				goto L9;
			}

0x0042078c
0x0042079e
0x004207a4
0x004207a7
0x004207a9
0x004207a9
0x004207ac
0x004207ac
0x004207b1
0x004207b4
0x004207ba
0x004207ba
0x004207bf
0x004207c2
0x004207ca
0x004207ca
0x004207cd
0x004207d0
0x004207d3
0x004207d3
0x004207d8
0x004207da
0x004207da
0x004207e1
0x004207e8
0x004207ef
0x004207f1
0x004207f1
0x004207f9
0x004207fa
0x004207fb
0x004207fc
0x00420800
0x0042080a
0x0042081f
0x00420821
0x00420827
0x00420b32
0x00420b32
0x00420b39
0x00420b44
0x00420b4c
0x00420b4c
0x0042082f
0x00420847
0x00420847
0x00420859
0x0042085e
0x00420864
0x00420869
0x00420872
0x0042086b
0x0042086b
0x0042086d
0x0042086d
0x00420877
0x00420879
0x00420879
0x0042087d
0x00420888
0x0042088d
0x00420890
0x00420894
0x00420894
0x00420899
0x0042089c
0x004208a5
0x004208a5
0x004208b0
0x004208b9
0x004208be
0x004208c4
0x004208c4
0x004208cf
0x004208e6
0x004208e8
0x004208ee
0x00420939
0x00420939
0x0042093c
0x0042093c
0x00420942
0x00420944
0x00420944
0x00420946
0x00420955
0x0042095d
0x00420961
0x0042096c
0x00420970
0x0042097e
0x00420989
0x0042098e
0x00420991
0x00420991
0x00420996
0x00420999
0x0042099f
0x0042099f
0x004209aa
0x004209af
0x004209b4
0x004209b9
0x004209bf
0x004209bf
0x004209c9
0x004209ce
0x004209d3
0x004209e3
0x004209e8
0x004209f5
0x004209fd
0x00420a01
0x00420a0c
0x00420a10
0x00420a10
0x00420a1d
0x00420a30
0x00420a43
0x00420a48
0x00420a4b
0x00000000
0x00000000
0x00000000
0x00000000
0x00420a51
0x00420a51
0x00420a5a
0x00420a5d
0x00420a60
0x00420ac8
0x00420ac8
0x00420acb
0x00420b16
0x00420b19
0x00420b19
0x00420acd
0x00420acd
0x00420acd
0x00420ace
0x00420b10
0x00420ad0
0x00420ad1
0x00420ad1
0x00420ad2
0x00420b07
0x00420ad4
0x00420ad4
0x00420ad4
0x00420ad7
0x00420aff
0x00420ad9
0x00420ad9
0x00420ad9
0x00420ada
0x00420af6
0x00420adc
0x00420adc
0x00420adc
0x00420add
0x00420aee
0x00420adf
0x00420adf
0x00420ae0
0x00420ae5
0x00420ae5
0x00420ae0
0x00420add
0x00420ada
0x00420ad7
0x00420ad2
0x00420ace
0x00000000
0x00420acb
0x00420a62
0x00420ac3
0x00420aac
0x00420aac
0x00000000
0x00420aac
0x00420a64
0x00420a64
0x00420a67
0x00420abb
0x00420abe
0x00420abe
0x00000000
0x00420abe
0x00420a69
0x00420a69
0x00420a6c
0x00420ab4
0x00000000
0x00420ab4
0x00420a6e
0x00420a6e
0x00420a6f
0x00420aa9
0x00000000
0x00420aa9
0x00420a71
0x00420a71
0x00420a74
0x00420aa3
0x00000000
0x00420aa3
0x00420a77
0x00420a77
0x00420a78
0x00420a9a
0x00000000
0x00420a9a
0x00420a7b
0x00420a7b
0x00420a7c
0x00420a92
0x00000000
0x00420a92
0x00420a7e
0x00420a81
0x00420a8a
0x00420a8a
0x00420b1c
0x00420b1c
0x00420b1d
0x00420b1d
0x00000000
0x00420a32
0x00420a35
0x00420b26
0x00420b26
0x00420b2d
0x00000000
0x00420b2d
0x00420a30
0x004208fd
0x00420936
0x00000000
0x00420936
0x00420905
0x0042090c
0x00420914
0x00420919
0x0042091f
0x00420921
0x00420921
0x00000000
0x0042091f
0x00420831
0x00420841
0x00000000
0x00000000
0x00000000

APIs

__EH_prolog.LIBCMT ref: 0042078C
SysFreeString.OLEAUT32(802D3C72), ref: 004207B4
SysFreeString.OLEAUT32(802D3C72), ref: 0042089C
SysFreeString.OLEAUT32(00000000), ref: 004208BE
SysFreeString.OLEAUT32(802D3C72), ref: 00420999
SysFreeString.OLEAUT32(00000000), ref: 004209B9

Strings

|uF, xrefs: 004207E1
tuF, xrefs: 004207E8
uF, xrefs: 004207DA
PG, xrefs: 004207F1

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: FreeString$H_prolog
String ID: PG$tuF$|uF$uF
API String ID: 1529728701-1194761365
Opcode ID: 41c5efe7f86606492e98f911b4cd033427a244e797ee736f567c31c87aec3fc1
Instruction ID: fa115c5de907edce3a27d55fb8456be7e892517bc1d6d2877d93eee81ff77b7f
Opcode Fuzzy Hash: 41c5efe7f86606492e98f911b4cd033427a244e797ee736f567c31c87aec3fc1
Instruction Fuzzy Hash: 5CC1C571B00229EFDB14EF64D885AAEB7F8EF04304F54405BF416A7292DB78AD44CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0042E737 Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 282
processCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0042E737() {
				WCHAR* _t118;
				intOrPtr* _t120;
				intOrPtr* _t125;
				intOrPtr* _t131;
				signed int _t136;
				intOrPtr _t138;
				signed int _t140;
				signed int _t145;
				intOrPtr _t153;
				void* _t156;
				intOrPtr* _t167;
				int _t170;
				void* _t184;
				void* _t186;
				signed int _t193;
				long _t211;
				signed int _t217;
				long _t225;
				signed int _t237;
				void* _t242;
				WCHAR* _t245;
				void* _t247;
				void* _t249;
				void* _t250;
				void* _t251;
				void* _t252;
				long _t254;
				long _t256;
				long _t259;

				L0043B644(0x463cf5, _t247);
				_t250 = _t249 - 0xa0;
				 *(_t247 - 4) = 2;
				 *0x47e3d4 = 0;
				if(( *(_t247 + 0x80) & 0x00000008) != 0) {
					_t193 = 0xe;
					memset(_t247 - 0x50, 0, _t193 << 2);
					_t251 = _t250 + 0xc;
					 *(_t247 - 0x54) = 0x3c;
					 *(_t247 - 0x48) = 0x467570;
					 *(_t247 - 0x50) =  *(_t247 + 0x8c) | 0x00000040;
					_t118 =  *( *((intOrPtr*)(_t247 + 0x90)) + 8);
					__eflags = _t118;
					if(_t118 != 0) {
						 *(_t247 - 0x48) = _t118;
					}
					_t120 = L00401813(_t247 + 8, _t247 - 0x18, 0);
					 *(_t247 - 4) = 6;
					 *((char*)(_t120 + 4)) = 1;
					 *((intOrPtr*)(_t247 - 0x44)) =  *((intOrPtr*)(L00401E6C(_t120,  *_t120)));
					 *(_t247 - 4) = 2;
					L00401A9C(_t247 - 0x18);
					_t125 = L00401813(_t247 + 0x30, _t247 - 0x18, 0);
					 *(_t247 - 4) = 7;
					 *((char*)(_t125 + 4)) = 1;
					 *((intOrPtr*)(_t247 - 0x40)) =  *((intOrPtr*)(L00401E6C(_t125,  *_t125)));
					 *(_t247 - 4) = 2;
					L00401A9C(_t247 - 0x18);
					 *((intOrPtr*)(_t247 - 0x38)) =  *((intOrPtr*)(_t247 + 0x88));
					_t131 = L00401813(_t247 + 0x58, _t247 - 0x18, 0);
					 *(_t247 - 4) = 8;
					 *((char*)(_t131 + 4)) = 1;
					 *((intOrPtr*)(_t247 - 0x3c)) =  *((intOrPtr*)(L00401E6C(_t131,  *_t131)));
					 *(_t247 - 4) = 2;
					L00401A9C(_t247 - 0x18);
					_t136 = ShellExecuteExW(_t247 - 0x54);
					_t136 = _t136 & 0xffffff00 | _t136 != 0x00000000;
					if((_t136 & 0xffffff00 | _t136 != 0x00000000) != 0) {
						L17:
						_t242 =  *(_t247 - 0x1c);
						0x47e3e0->hProcess = _t242;
						_t138 = E0042EB07(_t242);
						_t236 = _t138;
						 *0x47e3e8 = _t138;
						L18:
						WaitForInputIdle(_t242, 0x3e8);
						_t140 = E0042EB2C(_t236, _t242,  *(_t247 + 0x80),  *((intOrPtr*)(_t247 + 0x84)));
						_t252 = _t251 + 0x10;
						_t237 = _t140;
						GetExitCodeProcess(_t242, 0x47e3d8);
						__eflags = _t237;
						if(_t237 == 0) {
							__eflags = 0;
						} else {
							 *0x47e3d4 = GetLastError();
							L004197FA(_t247 + 0x30, _t247 - 0x84);
							L0040125C(_t247 - 0x84);
							_t254 = _t252 - 0x28;
							 *(_t247 + 0x8c) = _t254;
							_t211 = _t254;
							_push(0);
							_push(_t247 + 0x30);
							 *_t211 = 0x46757c;
							 *((intOrPtr*)(_t211 + 0x20)) = 0x467574;
							L00401CDD(_t211);
							L0042D43D(__eflags);
							__eflags = _t237 - 0x102;
							if(_t237 != 0x102) {
								_push(0xfffffffe);
							} else {
								_push(0xfffffffd);
							}
							_pop(0);
						}
						 *(_t247 - 4) = 1;
						L0040125C(_t247 + 8);
						 *(_t247 - 4) = 0;
						L0040125C(_t247 + 0x30);
						_t107 = _t247 - 4;
						 *_t107 =  *(_t247 - 4) | 0xffffffff;
						__eflags =  *_t107;
						L0040125C(_t247 + 0x58);
						_t145 = 0;
						goto L25;
					} else {
						_t153 =  *((intOrPtr*)(_t247 - 0x34));
						__eflags = _t153 - 0x20;
						if(__eflags >= 0) {
							goto L17;
						}
						 *0x47e3d4 = _t153;
						_push(" ");
						_push(_t247 + 8);
						_push(_t247 - 0xac);
						_t156 = L00405EDE(__eflags);
						_t256 = _t251 - 0x1c;
						 *(_t247 + 0x8c) = _t256;
						_push(_t247 + 0x30);
						_push(_t156);
						_push(_t256);
						 *(_t247 - 4) = 9;
						L0040DBA8(__eflags);
						L0042D43D(__eflags);
						 *(_t247 - 4) = 2;
						L0040125C(_t247 - 0xac);
						L16:
						 *(_t247 - 4) = 1;
						L0040125C(_t247 + 8);
						 *(_t247 - 4) = 0;
						L0040125C(_t247 + 0x30);
						 *(_t247 - 4) =  *(_t247 - 4) | 0xffffffff;
						_t145 = L0040125C(_t247 + 0x58) | 0xffffffff;
						L25:
						 *[fs:0x0] =  *((intOrPtr*)(_t247 - 0xc));
						return _t145;
					}
				}
				if( *((intOrPtr*)(_t247 + 0x14)) != 0) {
					_push(1);
					_push(_t247 - 0x84);
					E004303D9(_t247 + 8);
					L0040125C(_t247 - 0x84);
					_t263 =  *((intOrPtr*)(_t247 + 0x14));
					if( *((intOrPtr*)(_t247 + 0x14)) != 0) {
						_push(" ");
						_push(_t247 + 8);
						_push(_t247 - 0xac);
						_t184 = L00405EDE(_t263);
						 *(_t247 - 4) = 3;
						_push(_t247 + 0x30);
						_push(_t184);
						_push(_t247 - 0x84);
						_t186 = L0040DBA8(_t263);
						_t250 = _t250 + 0x18;
						 *(_t247 - 4) = 4;
						L00401A1E(_t247 + 0x30, _t186);
						 *(_t247 - 4) = 3;
						L0040125C(_t247 - 0x84);
						 *(_t247 - 4) = 2;
						L0040125C(_t247 - 0xac);
					}
				}
				_t217 = 0x10;
				memset(_t247 - 0x58, 0, _t217 << 2);
				_t251 = _t250 + 0xc;
				 *(_t247 - 0x30) =  *(_t247 - 0x30) | 0x00000001;
				 *(_t247 - 0x5c) = 0x44;
				 *((short*)(_t247 - 0x2c)) =  *((intOrPtr*)(_t247 + 0x88));
				if( *((intOrPtr*)(_t247 + 0x64)) == 0) {
					_t245 = 0;
					__eflags = 0;
				} else {
					_t245 =  *(_t247 + 0x60);
					if(_t245 == 0) {
						_t245 = 0x467570;
					}
				}
				_t167 = L00401813(_t247 + 0x30, _t247 - 0x18, 0);
				 *(_t247 - 4) = 5;
				 *((char*)(_t167 + 4)) = 1;
				_t170 = CreateProcessW(0,  *(L00401E6C(_t167,  *_t167)), 0, 0, 0,  *(_t247 + 0x8c), 0, _t245, _t247 - 0x5c, 0x47e3e0);
				 *(_t247 - 4) = 2;
				L00401A9C(_t247 - 0x18);
				_t266 = _t170;
				if(_t170 != 0) {
					_t242 = 0x47e3e0->hProcess; // 0x0
					_t236 =  *0x47e3e8; // 0x0
					goto L18;
				} else {
					 *0x47e3d4 = GetLastError();
					L004197FA(_t247 + 0x30, _t247 - 0xac);
					L0040125C(_t247 - 0xac);
					_t259 = _t251 - 0x28;
					 *(_t247 + 0x8c) = _t259;
					_t225 = _t259;
					_push(0);
					_push(_t247 + 0x30);
					 *_t225 = 0x46757c;
					 *((intOrPtr*)(_t225 + 0x20)) = 0x467574;
					L00401CDD(_t225);
					L0042D43D(_t266);
					goto L16;
				}
			}

0x0042e73c
0x0042e741
0x0042e74c
0x0042e75a
0x0042e760
0x0042e8ce
0x0042e8d2
0x0042e8d2
0x0042e8da
0x0042e8e3
0x0042e8ea
0x0042e8f3
0x0042e8f6
0x0042e8f8
0x0042e8fa
0x0042e8fa
0x0042e905
0x0042e90c
0x0042e910
0x0042e91e
0x0042e921
0x0042e925
0x0042e932
0x0042e939
0x0042e93d
0x0042e94b
0x0042e94e
0x0042e952
0x0042e95e
0x0042e968
0x0042e96f
0x0042e973
0x0042e981
0x0042e984
0x0042e988
0x0042e991
0x0042e99c
0x0042e99e
0x0042ea25
0x0042ea25
0x0042ea29
0x0042ea2f
0x0042ea34
0x0042ea37
0x0042ea3d
0x0042ea43
0x0042ea57
0x0042ea5c
0x0042ea5f
0x0042ea67
0x0042ea6d
0x0042ea6f
0x0042ead1
0x0042ea71
0x0042ea77
0x0042ea86
0x0042ea91
0x0042ea96
0x0042ea9c
0x0042eaa2
0x0042eaa4
0x0042eaa5
0x0042eaa6
0x0042eaac
0x0042eab3
0x0042eab8
0x0042eac0
0x0042eac6
0x0042eacd
0x0042eac8
0x0042eac8
0x0042eac8
0x0042eaca
0x0042eaca
0x0042ead6
0x0042eada
0x0042eae2
0x0042eae5
0x0042eaea
0x0042eaea
0x0042eaea
0x0042eaf1
0x0042eaf6
0x00000000
0x0042e9a4
0x0042e9a4
0x0042e9a7
0x0042e9aa
0x00000000
0x00000000
0x0042e9ac
0x0042e9b4
0x0042e9b9
0x0042e9c0
0x0042e9c1
0x0042e9c6
0x0042e9ce
0x0042e9d4
0x0042e9d5
0x0042e9d6
0x0042e9d7
0x0042e9db
0x0042e9e3
0x0042e9f1
0x0042e9f5
0x0042e9fa
0x0042e9fd
0x0042ea01
0x0042ea09
0x0042ea0c
0x0042ea11
0x0042ea1d
0x0042eaf8
0x0042eafd
0x0042eb06
0x0042eb06
0x0042e99e
0x0042e769
0x0042e771
0x0042e773
0x0042e777
0x0042e782
0x0042e787
0x0042e78a
0x0042e78f
0x0042e794
0x0042e79b
0x0042e79c
0x0042e7a4
0x0042e7a8
0x0042e7a9
0x0042e7b0
0x0042e7b1
0x0042e7b6
0x0042e7bd
0x0042e7c1
0x0042e7cc
0x0042e7d0
0x0042e7db
0x0042e7df
0x0042e7df
0x0042e78a
0x0042e7e8
0x0042e7ec
0x0042e7ec
0x0042e7ee
0x0042e7fc
0x0042e803
0x0042e807
0x0042e817
0x0042e817
0x0042e809
0x0042e809
0x0042e80e
0x0042e810
0x0042e810
0x0042e80e
0x0042e821
0x0042e828
0x0042e82c
0x0042e84d
0x0042e858
0x0042e85c
0x0042e861
0x0042e863
0x0042e8b9
0x0042e8bf
0x00000000
0x0042e865
0x0042e86b
0x0042e87a
0x0042e885
0x0042e88a
0x0042e890
0x0042e896
0x0042e898
0x0042e899
0x0042e89a
0x0042e8a0
0x0042e8a7
0x0042e8ac
0x00000000
0x0042e8b1

APIs

__EH_prolog.LIBCMT ref: 0042E73C
CreateProcessW.KERNEL32 ref: 0042E84D
GetLastError.KERNEL32 ref: 0042E865

Part of subcall function 004303D9: __EH_prolog.LIBCMT ref: 004303DE

Part of subcall function 0040125C: __EH_prolog.LIBCMT ref: 00401261
Part of subcall function 0040125C: GetLastError.KERNEL32(000004B1,00000000,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 00401284
Part of subcall function 0040125C: SysFreeString.OLEAUT32(?), ref: 004012A2
Part of subcall function 0040125C: SetLastError.KERNEL32(?,00000001,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 004012C2

ShellExecuteExW.SHELL32(0000003C), ref: 0042E991
WaitForInputIdle.USER32 ref: 0042EA43
GetExitCodeProcess.KERNEL32 ref: 0042EA67
GetLastError.KERNEL32 ref: 0042EA71

Part of subcall function 00405EDE: __EH_prolog.LIBCMT ref: 00405EE3

Part of subcall function 0040DBA8: __EH_prolog.LIBCMT ref: 0040DBAD

Part of subcall function 0042EB07: GetModuleHandleW.KERNEL32(kernel32.dll,GetProcessId,0042EA34,?), ref: 0042EB11
Part of subcall function 0042EB07: GetProcAddress.KERNEL32(00000000), ref: 0042EB18

Strings

puF, xrefs: 0042E8E3
tuF, xrefs: 0042EAAC
puF, xrefs: 0042E810

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: H_prolog$ErrorLast$Process$AddressCodeCreateExecuteExitFreeHandleIdleInputModuleProcShellStringWait
String ID: puF$puF$tuF
API String ID: 2307212272-2216348577
Opcode ID: 35116a3d31b8ddadc8de4d4d38c613e77f3b4f285773a5bf156dfae3dbc4080a
Instruction ID: 9ce2951f485469c9294b532c6338bd42c968ceddb2deaa9aa207dfa1ef209d96
Opcode Fuzzy Hash: 35116a3d31b8ddadc8de4d4d38c613e77f3b4f285773a5bf156dfae3dbc4080a
Instruction Fuzzy Hash: CBB1FA71900248EFDB10EFA5D885BDD7BB8BF05308F5041AFF846A7291EB785A44CB65

Uniqueness

Uniqueness Score: -1.00%

Function 004164A7 Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 265
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E004164A7(intOrPtr __ecx, void* __eflags) {
				char* _t123;
				void* _t127;
				void* _t133;
				char* _t134;
				void* _t138;
				void* _t139;
				char* _t146;
				char* _t147;
				void* _t151;
				char* _t157;
				char* _t164;
				void* _t168;
				char* _t174;
				void* _t179;
				signed char _t180;
				intOrPtr* _t184;
				intOrPtr* _t217;
				intOrPtr* _t230;
				void* _t231;
				void* _t234;
				void* _t237;
				void* _t239;
				void* _t241;
				intOrPtr _t242;
				void* _t243;
				intOrPtr _t244;
				void* _t245;
				intOrPtr _t246;
				void* _t247;

				L0043B644(0x4615c3, _t237);
				 *(_t237 - 0x18) =  *(_t237 - 0x18) & 0x00000000;
				 *((intOrPtr*)(_t237 - 0x14)) = __ecx;
				 *((intOrPtr*)(_t237 - 0x94)) = 0x46757c;
				 *((intOrPtr*)(_t237 - 0x74)) = 0x467574;
				L00401C68(_t237 - 0x94);
				_t180 = 1;
				_t184 =  *((intOrPtr*)(_t237 - 0x14)) + 4;
				 *(_t237 - 4) = _t180;
				 *((intOrPtr*)(_t237 - 0x14)) = _t184;
				L004057E0(_t237 - 0x94, L"setupdir\\%04x",  *( *((intOrPtr*)( *_t184 + 0x2c))(_t237 - 0x1a, 0, _t231, _t234, _t179) + 0x48) & 0x0000ffff);
				_t241 = _t239 - 0x150 + 0xc;
				E00404705( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x14)))) + 0x2c))(), _t237 - 0xbc);
				_t123 = L"setup.bmp";
				 *(_t237 - 4) = 2;
				 *((intOrPtr*)(_t237 - 0x10c)) = 0x46757c;
				_t252 = _t123;
				 *((intOrPtr*)(_t237 - 0xec)) = 0x467574;
				if(_t123 == 0) {
					_t123 = 0x47e150;
				}
				_push(0);
				_push(_t237 - 0x19);
				_push(_t123);
				L0040176A(_t237 - 0x10c);
				_push(_t237 - 0x94);
				_push(_t237 - 0x134);
				 *(_t237 - 4) = 3;
				_t127 = L00405670(_t237 - 0xbc, _t252);
				 *(_t237 - 4) = 4;
				_push(_t237 - 0x10c);
				_push(_t237 - 0x44);
				L00405670(_t127, _t252);
				 *(_t237 - 4) = 7;
				L0040125C(_t237 - 0x134);
				 *(_t237 - 4) = 6;
				L0040125C(_t237 - 0x10c);
				_push(0xc);
				_t242 = _t241 - 0x28;
				 *((intOrPtr*)(_t237 - 0x14)) = _t242;
				L00401708(_t242, _t237 - 0x44, _t180);
				_t133 = E0042CFBE();
				_t243 = _t242 + 0x2c;
				if(_t133 == 0) {
					_t134 = L"setup.gif";
					 *((intOrPtr*)(_t237 - 0x6c)) = 0x46757c;
					 *((intOrPtr*)(_t237 - 0x4c)) = 0x467574;
					__eflags = _t134;
					if(_t134 == 0) {
						_t134 = 0x47e150;
					}
					_push(0);
					_push(_t237 - 0xd);
					_push(_t134);
					L0040176A(_t237 - 0x6c);
					_push(_t237 - 0x94);
					_push(_t237 - 0xe4);
					 *(_t237 - 4) = 8;
					_t138 = L00405670(_t237 - 0xbc, __eflags);
					 *(_t237 - 4) = 9;
					_push(_t237 - 0x6c);
					_push(_t237 - 0x15c);
					_t139 = L00405670(_t138, __eflags);
					 *(_t237 - 4) = 0xa;
					L00401A1E(_t237 - 0x44, _t139);
					 *(_t237 - 4) = 9;
					L0040125C(_t237 - 0x15c);
					 *(_t237 - 4) = 8;
					L0040125C(_t237 - 0xe4);
					 *(_t237 - 4) = 6;
					L0040125C(_t237 - 0x6c);
					_push(0xc);
					_t244 = _t243 - 0x28;
					 *((intOrPtr*)(_t237 - 0x14)) = _t244;
					L00401708(_t244, _t237 - 0x44, _t180);
					_t146 = E0042CFBE();
					_t245 = _t244 + 0x2c;
					__eflags = _t146;
					if(_t146 == 0) {
						_t147 = L"setup.bmp";
						 *((intOrPtr*)(_t237 - 0x6c)) = 0x46757c;
						 *((intOrPtr*)(_t237 - 0x4c)) = 0x467574;
						__eflags = _t147;
						if(_t147 == 0) {
							_t147 = 0x47e150;
						}
						_push(0);
						_push(_t237 - 0xd);
						_push(_t147);
						L0040176A(_t237 - 0x6c);
						_push(_t237 - 0x6c);
						_push(_t237 - 0xe4);
						 *(_t237 - 4) = 0xb;
						_t151 = L00405670(_t237 - 0xbc, __eflags);
						 *(_t237 - 4) = 0xc;
						L00401A1E(_t237 - 0x44, _t151);
						 *(_t237 - 4) = 0xb;
						L0040125C(_t237 - 0xe4);
						 *(_t237 - 4) = 6;
						L0040125C(_t237 - 0x6c);
						_push(0xc);
						_t246 = _t245 - 0x28;
						 *((intOrPtr*)(_t237 - 0x14)) = _t246;
						L00401708(_t246, _t237 - 0x44, _t180);
						_t157 = E0042CFBE();
						_t247 = _t246 + 0x2c;
						__eflags = _t157;
						if(_t157 != 0) {
							goto L7;
						} else {
							_t164 = L"setup.gif";
							 *((intOrPtr*)(_t237 - 0x6c)) = 0x46757c;
							 *((intOrPtr*)(_t237 - 0x4c)) = 0x467574;
							__eflags = _t164;
							if(_t164 == 0) {
								_t164 = 0x47e150;
							}
							_push(0);
							_push(_t237 - 0xd);
							_push(_t164);
							L0040176A(_t237 - 0x6c);
							_push(_t237 - 0x6c);
							_push(_t237 - 0xe4);
							 *(_t237 - 4) = 0xd;
							_t168 = L00405670(_t237 - 0xbc, __eflags);
							 *(_t237 - 4) = 0xe;
							L00401A1E(_t237 - 0x44, _t168);
							 *(_t237 - 4) = 0xd;
							L0040125C(_t237 - 0xe4);
							 *(_t237 - 4) = 6;
							L0040125C(_t237 - 0x6c);
							_push(0xc);
							 *((intOrPtr*)(_t237 - 0x14)) = _t247 - 0x28;
							L00401708(_t247 - 0x28, _t237 - 0x44, _t180);
							_t174 = E0042CFBE();
							_t217 =  *((intOrPtr*)(_t237 + 8));
							__eflags = _t174;
							 *_t217 = 0x46757c;
							 *((intOrPtr*)(_t217 + 0x20)) = 0x467574;
							_push(0);
							if(_t174 == 0) {
								_push(_t237 - 0xd);
								_push(0x47e150);
								L0040176A(_t217);
							} else {
								goto L14;
							}
						}
					} else {
						L7:
						_t217 =  *((intOrPtr*)(_t237 + 8));
						_push(0);
						 *_t217 = 0x46757c;
						 *((intOrPtr*)(_t217 + 0x20)) = 0x467574;
						L14:
						_push(_t237 - 0x44);
						L00401CDD(_t217);
					}
					 *(_t237 - 0x18) = _t180;
				} else {
					_t230 =  *((intOrPtr*)(_t237 + 8));
					_push(0);
					_push(_t237 - 0x44);
					 *_t230 = 0x46757c;
					 *((intOrPtr*)(_t230 + 0x20)) = 0x467574;
					L00401CDD(_t230);
					 *(_t237 - 0x18) = _t180;
				}
				 *(_t237 - 4) = 2;
				L0040125C(_t237 - 0x44);
				 *(_t237 - 4) = _t180;
				L0040125C(_t237 - 0xbc);
				 *(_t237 - 4) =  *(_t237 - 4) & 0x00000000;
				L0040125C(_t237 - 0x94);
				 *[fs:0x0] =  *((intOrPtr*)(_t237 - 0xc));
				return  *((intOrPtr*)(_t237 + 8));
			}

0x004164ac
0x004164b7
0x004164be
0x004164d7
0x004164dd
0x004164e0
0x004164ea
0x004164eb
0x004164ee
0x004164f1
0x0041650a
0x00416512
0x00416523
0x00416528
0x0041652d
0x00416533
0x00416539
0x0041653b
0x00416541
0x00416543
0x00416543
0x0041654b
0x0041654d
0x0041654e
0x00416555
0x00416566
0x0041656d
0x0041656e
0x00416572
0x0041657d
0x00416581
0x00416585
0x00416588
0x00416593
0x00416597
0x004165a2
0x004165a6
0x004165ab
0x004165b0
0x004165b5
0x004165ba
0x004165bf
0x004165c4
0x004165c9
0x004165e6
0x004165eb
0x004165f0
0x004165f3
0x004165f5
0x004165f7
0x004165f7
0x004165ff
0x00416601
0x00416602
0x00416606
0x00416617
0x0041661e
0x0041661f
0x00416623
0x0041662b
0x0041662f
0x00416636
0x00416639
0x00416642
0x00416646
0x00416651
0x00416655
0x00416660
0x00416664
0x0041666c
0x00416670
0x00416675
0x0041667a
0x0041667f
0x00416684
0x00416689
0x0041668e
0x00416691
0x00416693
0x004166a4
0x004166a9
0x004166ae
0x004166b1
0x004166b3
0x004166b5
0x004166b5
0x004166bd
0x004166bf
0x004166c0
0x004166c4
0x004166d2
0x004166d9
0x004166da
0x004166de
0x004166e7
0x004166eb
0x004166f6
0x004166fa
0x00416702
0x00416706
0x0041670b
0x00416710
0x00416715
0x0041671a
0x0041671f
0x00416724
0x00416727
0x00416729
0x00000000
0x0041672f
0x0041672f
0x00416734
0x00416739
0x0041673c
0x0041673e
0x00416740
0x00416740
0x00416748
0x0041674a
0x0041674b
0x0041674f
0x0041675d
0x00416764
0x00416765
0x00416769
0x00416772
0x00416776
0x00416781
0x00416785
0x0041678d
0x00416791
0x00416796
0x004167a0
0x004167a5
0x004167aa
0x004167af
0x004167b5
0x004167b7
0x004167b9
0x004167bc
0x004167be
0x004167ce
0x004167cf
0x004167d4
0x00000000
0x00000000
0x00000000
0x004167be
0x00416695
0x00416695
0x00416695
0x00416698
0x0041669a
0x0041669c
0x004167c0
0x004167c3
0x004167c4
0x004167c4
0x004167d9
0x004165cb
0x004165cb
0x004165d1
0x004165d3
0x004165d4
0x004165d6
0x004165d9
0x004165de
0x004165de
0x004167df
0x004167e3
0x004167ee
0x004167f1
0x004167f6
0x00416800
0x0041680d
0x00416816

APIs

__EH_prolog.LIBCMT ref: 004164AC

Part of subcall function 00401C68: __EH_prolog.LIBCMT ref: 00401C6D
Part of subcall function 00401C68: GetLastError.KERNEL32(00467574,00000000,0046757C,?,0040E781,?,00000000,?,00000000), ref: 00401C96
Part of subcall function 00401C68: SetLastError.KERNEL32(?,00000000,?,0040E781,?,00000000,?,00000000), ref: 00401CC4

Strings

setup.gif, xrefs: 004165E6, 00416602, 0041672F, 0041674B
PG, xrefs: 00416543
tuF, xrefs: 004164C9
PG, xrefs: 00416740
PG, xrefs: 004165F7
PG, xrefs: 004166B5
|uF, xrefs: 004164C4
setupdir\%04x, xrefs: 00416504
setup.bmp, xrefs: 00416528, 0041654E, 004166A4, 004166C0

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorH_prologLast
String ID: PG$PG$PG$PG$setup.bmp$setup.gif$setupdir\%04x$tuF$|uF
API String ID: 1057991267-1792564199
Opcode ID: 99d578c3e2e7215ccb2482de3ad2d0bd065ac97d4bd8c99963a7d7d2d09a2e72
Instruction ID: 5e043af77eb341d1710815018cd6d9e7040ad9808212e8d27e6f147625ee7460
Opcode Fuzzy Hash: 99d578c3e2e7215ccb2482de3ad2d0bd065ac97d4bd8c99963a7d7d2d09a2e72
Instruction Fuzzy Hash: 2FB17171D00248DADB05EBA5C955BDEBBB89F14308F50409FE50AB72C1EB785B48CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0042CB52 Relevance: 17.7, APIs: 4, Strings: 6, Instructions: 180
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E0042CB52(void* __ebx, void* __edi) {
				intOrPtr* _t68;
				signed int _t71;
				intOrPtr* _t82;
				signed int _t85;
				char* _t87;
				intOrPtr* _t96;
				signed int _t99;
				char* _t101;
				intOrPtr* _t127;
				void* _t136;
				signed int _t147;
				intOrPtr* _t152;
				void* _t155;
				void* _t157;
				void* _t158;

				L0043B644(0x46390b, _t155);
				_t158 = _t157 - 0x64;
				 *(_t155 - 0x14) =  *(_t155 - 0x14) & 0x00000000;
				 *((intOrPtr*)(_t155 - 0x70)) = 0x4680fc;
				 *((intOrPtr*)(_t155 - 0x50)) = 0x4680f4;
				L0040B0AB(_t155 - 0x70, _t155 - 0xd, 0);
				_t147 = 1;
				 *(_t155 - 4) = _t147;
				if( *((intOrPtr*)(_t155 + 0xc)) != _t147) {
					__eflags =  *((intOrPtr*)(_t155 + 0xc)) - 2;
					_push(0x104);
					if( *((intOrPtr*)(_t155 + 0xc)) != 2) {
						_push(_t155 - 0x20);
						_t68 = L0042CD98(_t155 - 0x70);
						 *(_t155 - 4) = 6;
						 *((char*)(_t68 + 4)) = 1;
						_t71 = GetSystemDirectoryW( *(L00401E6C(_t68,  *_t68)), 0x104);
						asm("sbb bl, bl");
						 *(_t155 - 4) = 1;
						L00401A9C(_t155 - 0x20);
						__eflags =  ~_t71 + 1;
						if(__eflags == 0) {
							goto L7;
						} else {
							_t127 = _t155 - 0x3c;
							E00404959(_t127, __eflags);
							L0043BD6A(_t155 - 0x3c, 0x46a390);
							__eflags =  *(_t158 + 8);
							_push(0x104);
							_t152 = _t127;
							if( *(_t158 + 8) != 0) {
								 *_t152 = 0x4680fc;
								 *((intOrPtr*)(_t152 + 0x20)) = 0x4680f4;
							}
							_push(0);
							_push( *((intOrPtr*)(_t158 + 0xc)));
							L00401CDD(_t152);
							return _t152;
						}
					} else {
						_push(_t155 - 0x20);
						_t82 = L0042CD98(_t155 - 0x70);
						 *(_t155 - 4) = 4;
						 *((char*)(_t82 + 4)) = 1;
						_t85 = GetWindowsDirectoryW( *(L00401E6C(_t82,  *_t82)), 0x104);
						asm("sbb bl, bl");
						 *(_t155 - 4) = 1;
						L00401A9C(_t155 - 0x20);
						__eflags =  ~_t85 + 1;
						if(__eflags != 0) {
							E00404959(_t155 - 0x3c, __eflags);
							L0043BD6A(_t155 - 0x3c, 0x46a390);
						}
						_t87 = L"syswow64";
						 *((intOrPtr*)(_t155 - 0x48)) = 0x46757c;
						 *((intOrPtr*)(_t155 - 0x28)) = 0x467574;
						__eflags = _t87;
						if(_t87 == 0) {
							_t87 = 0x47e150;
						}
						_push(0);
						_push(_t155 + 0xf);
						_push(_t87);
						L0040176A(_t155 - 0x48);
						 *(_t155 - 4) = 5;
						E0043025D(_t155 - 0x70, _t155 - 0x48);
						 *(_t155 - 4) = 1;
						_t136 = _t155 - 0x48;
						goto L6;
					}
				} else {
					_t96 = L0042CD98(_t155 - 0x70, _t155 - 0x20, 0x104);
					 *(_t155 - 4) = 2;
					 *((char*)(_t96 + 4)) = 1;
					_t99 = GetWindowsDirectoryW( *(L00401E6C(_t96,  *_t96)), 0x104);
					asm("sbb bl, bl");
					 *(_t155 - 4) = 1;
					L00401A9C(_t155 - 0x20);
					_t161 =  ~_t99 + 1;
					if( ~_t99 + 1 != 0) {
						E00404959(_t155 - 0x3c, _t161);
						L0043BD6A(_t155 - 0x3c, 0x46a390);
					}
					_t101 = L"sysnative";
					 *((intOrPtr*)(_t155 - 0x48)) = 0x46757c;
					 *((intOrPtr*)(_t155 - 0x28)) = 0x467574;
					if(_t101 == 0) {
						_t101 = 0x47e150;
					}
					_push(0);
					_push(_t155 + 0xf);
					_push(_t101);
					L0040176A(_t155 - 0x48);
					 *(_t155 - 4) = 3;
					E0043025D(_t155 - 0x70, _t155 - 0x48);
					 *(_t155 - 4) = 1;
					_t136 = _t155 - 0x48;
					L6:
					L0040125C(_t136);
					L7:
					_push(_t147);
					_push(E004245CE(_t155 - 0x70, _t155, 0x4764fc));
					L16();
					 *(_t155 - 0x14) = _t147;
					 *(_t155 - 4) =  *(_t155 - 4) & 0x00000000;
					L0040125C(_t155 - 0x70);
					 *[fs:0x0] =  *((intOrPtr*)(_t155 - 0xc));
					return  *((intOrPtr*)(_t155 + 8));
				}
			}

0x0042cb57
0x0042cb5c
0x0042cb5f
0x0042cb6f
0x0042cb76
0x0042cb7d
0x0042cb84
0x0042cb88
0x0042cb8b
0x0042cc6b
0x0042cc74
0x0042cc75
0x0042cd1d
0x0042cd1e
0x0042cd25
0x0042cd29
0x0042cd36
0x0042cd43
0x0042cd45
0x0042cd4b
0x0042cd50
0x0042cd52
0x00000000
0x0042cd58
0x0042cd58
0x0042cd5b
0x0042cd69
0x0042cd6e
0x0042cd73
0x0042cd74
0x0042cd76
0x0042cd78
0x0042cd7e
0x0042cd7e
0x0042cd85
0x0042cd89
0x0042cd8d
0x0042cd95
0x0042cd95
0x0042cc7b
0x0042cc81
0x0042cc82
0x0042cc89
0x0042cc8d
0x0042cc9a
0x0042cca7
0x0042cca9
0x0042ccaf
0x0042ccb4
0x0042ccb6
0x0042ccbb
0x0042ccc9
0x0042ccc9
0x0042ccce
0x0042ccd3
0x0042ccdc
0x0042cce3
0x0042cce5
0x0042cce7
0x0042cce7
0x0042ccef
0x0042ccf1
0x0042ccf2
0x0042ccf6
0x0042cd02
0x0042cd06
0x0042cd0b
0x0042cd0f
0x00000000
0x0042cd0f
0x0042cb91
0x0042cb9e
0x0042cba5
0x0042cba9
0x0042cbb6
0x0042cbc3
0x0042cbc5
0x0042cbcb
0x0042cbd0
0x0042cbd2
0x0042cbd7
0x0042cbe5
0x0042cbe5
0x0042cbea
0x0042cbef
0x0042cbf8
0x0042cc01
0x0042cc03
0x0042cc03
0x0042cc0b
0x0042cc0d
0x0042cc0e
0x0042cc12
0x0042cc1e
0x0042cc22
0x0042cc27
0x0042cc2b
0x0042cc2e
0x0042cc2e
0x0042cc33
0x0042cc33
0x0042cc44
0x0042cc45
0x0042cc4a
0x0042cc4d
0x0042cc54
0x0042cc62
0x0042cc6a
0x0042cc6a

APIs

__EH_prolog.LIBCMT ref: 0042CB57
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0042CD36

Part of subcall function 00404959: __EH_prolog.LIBCMT ref: 0040495E
Part of subcall function 00404959: GetLastError.KERNEL32(?,?,004135BD,?,?,?,0041352E,?,00000001), ref: 00404973

Part of subcall function 0043BD6A: RaiseException.KERNEL32(0043B0A7,00000000,?,00468364,?,invalid string position,0043B0A7,00000000,00471E90,?,invalid string position), ref: 0043BD98

GetWindowsDirectoryW.KERNEL32(?,00000104,?,00000104,?,00000000,?,00000000,00000000), ref: 0042CBB6

Part of subcall function 00401A9C: __EH_prolog.LIBCMT ref: 00401AA1
Part of subcall function 00401A9C: GetLastError.KERNEL32(00467574,00000000), ref: 00401AAD
Part of subcall function 00401A9C: SetLastError.KERNEL32(00000000), ref: 00401B01

GetWindowsDirectoryW.KERNEL32(?,00000104,?,00000104,?,00000000,?,00000000,00000000), ref: 0042CC9A

Part of subcall function 00401E6C: SysStringLen.OLEAUT32(?), ref: 00401E7A
Part of subcall function 00401E6C: SysReAllocStringLen.OLEAUT32(?,?,?), ref: 00401E96

Strings

PG, xrefs: 0042CC03
syswow64, xrefs: 0042CCCE, 0042CCF2
tuF, xrefs: 0042CCDC
PG, xrefs: 0042CCE7
|uF, xrefs: 0042CCD3
sysnative, xrefs: 0042CBEA, 0042CC0E

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: DirectoryErrorH_prologLast$StringWindows$AllocExceptionRaiseSystem
String ID: PG$PG$sysnative$syswow64$tuF$|uF
API String ID: 2070711291-840557290
Opcode ID: d69d3829a497ac9129278710a6933b5550ef6d83901188b291d2786283403f6f
Instruction ID: d113ca320b090f20f680917c5259f395062e2bb96d27d74f83a9fb03d71ddb8e
Opcode Fuzzy Hash: d69d3829a497ac9129278710a6933b5550ef6d83901188b291d2786283403f6f
Instruction Fuzzy Hash: 7B61D870A00258EECB10EBA5C895BDE7BB8EF15308F54806EF545B7292EB7C5908CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00452AA0 Relevance: 17.7, APIs: 4, Strings: 6, Instructions: 163
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E00452AA0() {
				void* __ebp;
				intOrPtr _t49;
				intOrPtr _t51;
				signed int _t52;
				short* _t56;
				signed int _t58;
				short* _t73;
				short* _t74;
				short* _t75;
				signed int _t80;
				short* _t81;
				intOrPtr _t82;
				short* _t92;
				signed int _t93;
				intOrPtr _t94;
				short* _t96;
				intOrPtr _t97;
				intOrPtr* _t103;
				signed int _t105;
				signed int _t108;
				signed int _t113;
				signed int _t115;
				intOrPtr _t119;
				intOrPtr _t121;
				void* _t122;
				void* _t123;

				_push(0xffffffff);
				_push(E004667F7);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t121;
				_t122 = _t121 - 0x2c;
				_t49 =  *0x4675a4; // 0x24
				 *((intOrPtr*)(_t122 + 0xc)) = 0;
				 *(_t122 + 0x10) = 0x4675a0;
				 *(_t122 + 0x30) = 0x467598;
				 *((intOrPtr*)(_t122 + _t49 + 0x10)) = GetLastError();
				_t51 =  *((intOrPtr*)(_t122 + 0x4c));
				 *((intOrPtr*)(_t122 + 0x40)) = 1;
				if(_t51 == 0) {
					_t52 = 0;
				} else {
					_t52 = _t51 + 4;
				}
				L00452FC0(_t122 + 0x18, _t52);
				L00447D30(_t122 + 0x24);
				L00447D70(_t122 + 0x34, 0);
				_t119 =  *((intOrPtr*)(_t122 + 0x1c));
				 *((intOrPtr*)(_t122 + 0x40)) = 2;
				if(_t119 == 0) {
					_t80 = 0;
				} else {
					_t80 = _t119 - 1;
				}
				_t96 =  *((intOrPtr*)(_t122 + 0x18));
				_t56 = 0x467570;
				if(_t96 != 0) {
					_t56 = _t96;
				}
				if( *((intOrPtr*)(_t56 + _t80 * 2)) == 0x5c) {
					L24:
					_t58 =  *(_t122 + 0x50);
					_t81 =  *((intOrPtr*)(_t58 + 8));
					_t108 = _t58 + 4;
					if(_t81 == 0) {
						_t81 = 0x467570;
					}
					if( *_t81 == 0x5c) {
						L31:
						_t97 = 1;
						goto L32;
					} else {
						_t92 =  *((intOrPtr*)(_t108 + 4));
						if(_t92 == 0) {
							_t92 = 0x467570;
						}
						if( *_t92 == 0x2f) {
							goto L31;
						} else {
							_t97 = 0;
							L32:
							_t82 =  *0x467594; // 0xffffffff
							asm("sbb eax, eax");
							_push(_t82);
							_push(_t97);
							_push( ~_t58 & _t108);
							goto L33;
						}
					}
				} else {
					if(_t119 == 0) {
						_t93 = 0;
					} else {
						_t93 = _t119 - 1;
					}
					_t73 = 0x467570;
					if(_t96 != 0) {
						_t73 = _t96;
					}
					if( *((short*)(_t73 + _t93 * 2)) == 0x2f) {
						goto L24;
					} else {
						_t115 =  *(_t122 + 0x50);
						_t74 =  *((intOrPtr*)(_t115 + 8));
						_t105 = _t115 + 4;
						if(_t74 == 0) {
							_t74 = 0x467570;
						}
						if( *_t74 != 0x5c) {
							_t75 =  *((intOrPtr*)(_t105 + 4));
							if(_t75 == 0) {
								_t75 = 0x467570;
							}
							if( *_t75 != 0x2f && _t119 != 0) {
								L00401EE7(_t122 + 0x1c, _t119, 1, 0x5c);
							}
						}
						_t94 =  *0x467594; // 0xffffffff
						asm("sbb esi, esi");
						_push(_t94);
						_push(0);
						_push( ~_t115 & _t105);
						L33:
						L004057F3(_t122 + 0x20);
						_t103 =  *((intOrPtr*)(_t122 + 0x48));
						 *_t103 = 0x4675a0;
						 *((intOrPtr*)(_t103 + 0x20)) = 0x467598;
						L00401CDD(_t103);
						 *((intOrPtr*)(_t122 + 0xc)) = 1;
						asm("sbb eax, eax");
						 *((char*)(_t122 + 0x40)) = 0;
						_t65 =  ~(_t122 + 0x10) & _t122 + 0x00000030;
						 *((intOrPtr*)( *((intOrPtr*)( *( ~(_t122 + 0x10) & _t122 + 0x00000030) + 4)) + _t65)) = GetLastError();
						asm("sbb esi, esi");
						_t113 =  ~(_t122 + 0x10) & _t122 + 0x00000024;
						E0043AE17( *_t113);
						_t40 = _t113 + 8; // 0x468dd0
						_t123 = _t122 + 4;
						__imp__#6( *_t40, _t122 + 0x10, 0);
						asm("sbb ecx, ecx");
						E0040213C( ~(_t123 + 0x10) & _t123 + 0x00000014, 1);
						SetLastError( *(_t123 +  *((intOrPtr*)( *(_t123 + 0x10) + 4)) + 0x10));
						 *[fs:0x0] =  *((intOrPtr*)(_t123 + 0x38));
						return _t103;
					}
				}
			}

0x00452aa0
0x00452aa2
0x00452aad
0x00452aae
0x00452ab5
0x00452ab8
0x00452ac0
0x00452ac8
0x00452ad0
0x00452ae2
0x00452ae4
0x00452ae8
0x00452af2
0x00452af9
0x00452af4
0x00452af4
0x00452af4
0x00452b00
0x00452b09
0x00452b14
0x00452b19
0x00452b1d
0x00452b27
0x00452b2e
0x00452b29
0x00452b29
0x00452b29
0x00452b30
0x00452b34
0x00452b3b
0x00452b3d
0x00452b3d
0x00452b47
0x00452bb4
0x00452bb4
0x00452bb8
0x00452bbb
0x00452bc0
0x00452bc2
0x00452bc2
0x00452bcb
0x00452be3
0x00452be3
0x00000000
0x00452bcd
0x00452bcd
0x00452bd2
0x00452bd4
0x00452bd4
0x00452bdd
0x00000000
0x00452bdf
0x00452bdf
0x00452be8
0x00452be8
0x00452bf0
0x00452bf2
0x00452bf5
0x00452bf6
0x00000000
0x00452bf6
0x00452bdd
0x00452b49
0x00452b4b
0x00452b52
0x00452b4d
0x00452b4d
0x00452b4d
0x00452b56
0x00452b5b
0x00452b5d
0x00452b5d
0x00452b64
0x00000000
0x00452b66
0x00452b66
0x00452b6a
0x00452b6d
0x00452b72
0x00452b74
0x00452b74
0x00452b7d
0x00452b7f
0x00452b84
0x00452b86
0x00452b86
0x00452b8f
0x00452b9d
0x00452b9d
0x00452b8f
0x00452ba2
0x00452baa
0x00452bac
0x00452baf
0x00452bb1
0x00452bf7
0x00452bfb
0x00452c00
0x00452c0d
0x00452c13
0x00452c1a
0x00452c1f
0x00452c31
0x00452c33
0x00452c38
0x00452c47
0x00452c4f
0x00452c55
0x00452c5a
0x00452c5f
0x00452c62
0x00452c66
0x00452c76
0x00452c7c
0x00452c8d
0x00452c9c
0x00452ca6
0x00452ca6
0x00452b64

APIs

GetLastError.KERNEL32 ref: 00452ADC
GetLastError.KERNEL32(004675A0,00000000,?,00000001,FFFFFFFF,00000000,00000000), ref: 00452C41
SysFreeString.OLEAUT32(00468DD0), ref: 00452C66
SetLastError.KERNEL32(?,00000001,?,000000FF,004484CF,?,?,?,0047DC5C,?,00000000,?,?,00000000), ref: 00452C8D

Strings

puF, xrefs: 00452B74
puF, xrefs: 00452B86
puF, xrefs: 00452BC2
puF, xrefs: 00452B56
puF, xrefs: 00452B34
puF, xrefs: 00452BD4

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorLast$FreeString
String ID: puF$puF$puF$puF$puF$puF
API String ID: 2425351278-1759806011
Opcode ID: cc98876c134c8f76a7f25a5705638d6891de8296cf99716accbbecd6c8a33996
Instruction ID: 8d771378b9a2c05006e31bd4fec463a7095915ddbfbd8a29552fc9f082f0825b
Opcode Fuzzy Hash: cc98876c134c8f76a7f25a5705638d6891de8296cf99716accbbecd6c8a33996
Instruction Fuzzy Hash: 3451C1706183419FD718DF15C951B6BB7E0FB81709F00496FE84697292E7B8EC09CB8A

Uniqueness

Uniqueness Score: -1.00%

Function 00404765 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 148
fileCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E00404765() {
				long _t56;
				void* _t64;
				WCHAR* _t72;
				void* _t73;
				WCHAR* _t75;
				void* _t79;
				signed int _t80;
				intOrPtr* _t93;
				signed int _t95;
				void* _t100;
				void* _t126;

				L0043B644(0x45f36e, _t126);
				 *(_t126 - 0x14) = 0;
				_t56 = GetTempPathW(0x104, _t126 - 0x3b4);
				_t132 = _t56;
				if(_t56 == 0) {
					E00404959(_t126 - 0x58, _t132);
					L0043BD6A(_t126 - 0x58, 0x46a390);
				}
				_t95 = 0x44;
				memset(_t126 - 0x1a8, 0, _t95 << 2);
				 *(_t126 - 0x1ac) = 0x114;
				if(GetVersionExW(_t126 - 0x1ac) == 0 ||  *((intOrPtr*)(_t126 - 0x19c)) != 1) {
					L11:
					_push(0);
					_push(_t126 - 0xd);
					_push(_t126 - 0x3b4);
					 *((intOrPtr*)(_t126 - 0x64)) = 0x4675a0;
					 *((intOrPtr*)(_t126 - 0x44)) = 0x467598;
					L0040176A(_t126 - 0x64);
					 *(_t126 - 4) = 4;
					_t64 = L00404D3C(_t126 - 0x64, _t126, 0x4764fc);
					_t93 =  *((intOrPtr*)(_t126 + 8));
					_push(0);
					_push(_t64);
					 *_t93 = 0x4675a0;
					 *((intOrPtr*)(_t93 + 0x20)) = 0x467598;
					L00401CDD(_t93);
					_t48 = _t126 - 4;
					 *_t48 =  *(_t126 - 4) & 0x00000000;
					__eflags =  *_t48;
					 *(_t126 - 0x14) = 1;
					_t100 = _t126 - 0x64;
				} else {
					_push(0);
					_push(_t126 - 0xe);
					_push(_t126 - 0x3b4);
					 *((intOrPtr*)(_t126 - 0x3c)) = 0x4675a0;
					 *((intOrPtr*)(_t126 - 0x1c)) = 0x467598;
					L0040176A(_t126 - 0x3c);
					 *(_t126 - 4) = 1;
					L00404D3C(_t126 - 0x3c, _t126, L"123.tmp");
					_t72 =  *(_t126 - 0x34);
					if(_t72 == 0) {
						_t72 = 0x467570;
					}
					_t73 = CreateFileW(_t72, 0x40000000, 0, 0, 2, 0x80, 0);
					_t136 = _t73 - 0xffffffff;
					if(_t73 != 0xffffffff) {
						CloseHandle(_t73);
						_t75 =  *(_t126 - 0x34);
						__eflags = _t75;
						if(_t75 == 0) {
							_t75 = 0x467570;
						}
						DeleteFileW(_t75);
						_t36 = _t126 - 4;
						 *_t36 =  *(_t126 - 4) & 0x00000000;
						__eflags =  *_t36;
						L0040125C(_t126 - 0x3c);
						goto L11;
					} else {
						_push(0);
						_push(_t126 - 0x64);
						_t79 = E00404ADB();
						 *(_t126 - 4) = 2;
						_t80 = L00404C18(_t79, _t136, _t126 - 0x98);
						 *(_t126 - 4) = 3;
						asm("sbb ecx, ecx");
						E004024B9(_t126 - 0x38,  ~_t80 & _t80 + 0x00000004, 0,  *0x467594);
						 *(_t126 - 4) = 2;
						L0040125C(_t126 - 0x98);
						 *(_t126 - 4) = 1;
						L0040125C(_t126 - 0x64);
						L00404D3C(_t126 - 0x3c, _t126, L"temp");
						_t93 =  *((intOrPtr*)(_t126 + 8));
						_push(0);
						_push(_t126 - 0x3c);
						 *_t93 = 0x4675a0;
						 *((intOrPtr*)(_t93 + 0x20)) = 0x467598;
						L00401CDD(_t93);
						 *(_t126 - 0x14) = 1;
						 *(_t126 - 4) =  *(_t126 - 4) & 0x00000000;
						_t100 = _t126 - 0x3c;
					}
				}
				L0040125C(_t100);
				 *[fs:0x0] =  *((intOrPtr*)(_t126 - 0xc));
				return _t93;
			}

0x0040476a
0x00404786
0x00404789
0x0040478f
0x00404791
0x00404796
0x004047a4
0x004047a4
0x004047ad
0x004047b4
0x004047bc
0x004047d9
0x004048f5
0x004048f8
0x004048f9
0x00404900
0x00404904
0x00404907
0x0040490a
0x00404917
0x0040491e
0x00404923
0x00404926
0x00404928
0x0040492b
0x0040492d
0x00404930
0x00404935
0x00404935
0x00404935
0x00404939
0x00404940
0x004047ec
0x004047ef
0x004047f0
0x004047f7
0x004047fb
0x004047fe
0x00404801
0x0040480e
0x00404815
0x0040481a
0x0040481f
0x00404821
0x00404821
0x00404836
0x0040483c
0x0040483f
0x004048d0
0x004048d6
0x004048d9
0x004048db
0x004048dd
0x004048dd
0x004048e3
0x004048e9
0x004048e9
0x004048e9
0x004048f0
0x00000000
0x00404845
0x00404848
0x00404849
0x0040484a
0x00404857
0x0040485e
0x0040486e
0x00404874
0x0040487d
0x00404888
0x0040488c
0x00404894
0x00404898
0x004048a5
0x004048aa
0x004048b0
0x004048b2
0x004048b5
0x004048b7
0x004048ba
0x004048bf
0x004048c6
0x004048ca
0x004048ca
0x0040483f
0x00404943
0x00404950
0x00404958

APIs

__EH_prolog.LIBCMT ref: 0040476A
GetTempPathW.KERNEL32(00000104,?,0046757C,00467574,00000000), ref: 00404789
GetVersionExW.KERNEL32(?), ref: 004047C7
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,123.tmp,?,?,00000000), ref: 00404836

Part of subcall function 00404959: __EH_prolog.LIBCMT ref: 0040495E
Part of subcall function 00404959: GetLastError.KERNEL32(?,?,004135BD,?,?,?,0041352E,?,00000001), ref: 00404973

Part of subcall function 0043BD6A: RaiseException.KERNEL32(0043B0A7,00000000,?,00468364,?,invalid string position,0043B0A7,00000000,00471E90,?,invalid string position), ref: 0043BD98

CloseHandle.KERNEL32(00000000), ref: 004048D0
DeleteFileW.KERNEL32(?), ref: 004048E3

Strings

temp, xrefs: 0040489D
puF, xrefs: 004048DD
puF, xrefs: 00404821
123.tmp, xrefs: 00404806

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: FileH_prolog$CloseCreateDeleteErrorExceptionHandleLastPathRaiseTempVersion
String ID: 123.tmp$puF$puF$temp
API String ID: 2454535614-956315145
Opcode ID: 1d44638715f291e895e6ff85a4d67417b7c7b9c7ad09ce4a7d21e67d127b1e8e
Instruction ID: d7ac78f3f0a1a0d13740fa5500abbf2f3b0ee567ce34a7a3940de3f9d892bf58
Opcode Fuzzy Hash: 1d44638715f291e895e6ff85a4d67417b7c7b9c7ad09ce4a7d21e67d127b1e8e
Instruction Fuzzy Hash: 0F5161B1D00208AADB14EBA1D985BDDB7B8AF55308F1040AEF605B72D1EB785B48CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0042A697 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0042A697() {
				long _t58;
				WCHAR* _t65;
				WCHAR* _t73;
				WCHAR* _t82;
				signed char _t94;
				void* _t98;
				signed int _t105;
				intOrPtr* _t114;
				signed int _t118;
				signed int _t121;
				void* _t122;
				void* _t130;

				L0043B644(0x46356b, _t122);
				_t114 =  *((intOrPtr*)(_t122 + 8)) + 4;
				if( *((char*)( *((intOrPtr*)( *_t114 + 0x2c))() + 0x12)) != 0) {
					_t118 =  *(_t122 + 0xc);
					if(_t118 != 0) {
						_t130 =  *0x47e2b8 - _t118; // 0x0
						if(_t130 != 0) {
							 *0x47e2b8 = _t118;
							if(( *0x47e2b4 & 0x00000001) == 0) {
								 *0x47e2b4 =  *0x47e2b4 | 0x00000001;
								 *0x47e2b0 = GetTickCount();
							}
							_t58 = GetTickCount();
							_t98 = _t58 -  *0x47e2b0;
							 *0x47e2b0 = _t58;
							if( *0x479a64 != 0 || _t98 >= 0x64) {
								 *0x479a64 =  *0x479a64 & 0x00000000;
								_t94 = ((0 | _t118 - 0x00100000 <= 0x00000000) - 0x00000001 & 0x0000000a) + 0xa;
								 *((intOrPtr*)(_t122 - 0x38)) = 0x46757c;
								_t121 = _t118 + _t118 * 4 << 1 >> _t94;
								_t14 = _t122 - 0x38; // 0x46757c
								 *((intOrPtr*)(_t122 - 0x18)) = 0x467574;
								L00401C68(_t14);
								 *(_t122 - 4) =  *(_t122 - 4) & 0x00000000;
								_t65 =  *(E00403E82( *((intOrPtr*)( *_t114 + 0x2c))(_t122 - 0x88, 0x758, _t122 + 0xf, 0), _t118 - 0x100000) + 8);
								 *(_t122 - 4) = 1;
								 *(_t122 - 0x10) = 0x467570;
								if(_t65 != 0) {
									 *(_t122 - 0x10) = _t65;
								}
								_t73 =  *(E00403E82( *((intOrPtr*)( *_t114 + 0x2c))(_t122 - 0x60, (0 | _t94 != 0x00000014) + 0x652), _t94 - 0x14) + 8);
								 *(_t122 - 4) = 2;
								if(_t73 == 0) {
									_t73 = 0x467570;
								}
								_t30 = _t122 - 0x10; // 0x467570
								_push( *_t30);
								_push(_t73);
								_t105 = 0xa;
								_push(_t121 % _t105);
								L004057E0(_t122 - 0x38, L"%01d.%01d %s%s", _t121 / _t105);
								 *(_t122 - 4) = 1;
								L0040125C(_t122 - 0x60);
								 *(_t122 - 4) =  *(_t122 - 4) & 0x00000000;
								L0040125C(_t122 - 0x88);
								_t82 =  *(_t122 - 0x30);
								if(_t82 == 0) {
									_t82 = 0x467570;
								}
								SetDlgItemTextW( *( *((intOrPtr*)(_t122 + 8)) + 0x26c), 0x134, _t82);
								 *(_t122 - 4) =  *(_t122 - 4) | 0xffffffff;
								L0040125C(_t122 - 0x38);
							}
						}
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t122 - 0xc));
				return 0;
			}

0x0042a69c
0x0042a6aa
0x0042a6b8
0x0042a6be
0x0042a6c3
0x0042a6c9
0x0042a6cf
0x0042a6e2
0x0042a6e8
0x0042a6ea
0x0042a6f3
0x0042a6f3
0x0042a6f8
0x0042a6fc
0x0042a709
0x0042a70e
0x0042a719
0x0042a737
0x0042a73f
0x0042a746
0x0042a748
0x0042a74b
0x0042a752
0x0042a757
0x0042a775
0x0042a778
0x0042a77e
0x0042a785
0x0042a787
0x0042a787
0x0042a7ab
0x0042a7ae
0x0042a7b4
0x0042a7b6
0x0042a7b6
0x0042a7bb
0x0042a7bb
0x0042a7c0
0x0042a7c5
0x0042a7ca
0x0042a7d9
0x0042a7e4
0x0042a7e8
0x0042a7ed
0x0042a7f7
0x0042a7fc
0x0042a801
0x0042a803
0x0042a803
0x0042a817
0x0042a81d
0x0042a824
0x0042a824
0x0042a70e
0x0042a6cf
0x0042a6c3
0x0042a831
0x0042a839

APIs

__EH_prolog.LIBCMT ref: 0042A69C
GetTickCount.KERNEL32 ref: 0042A6F1
GetTickCount.KERNEL32 ref: 0042A6F8
SetDlgItemTextW.USER32 ref: 0042A817

Strings

tuF, xrefs: 0042A74B
puF, xrefs: 0042A803
%01d.%01d %s%s, xrefs: 0042A7D3
puF, xrefs: 0042A7BB
puF, xrefs: 0042A7B6
|uF, xrefs: 0042A748

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: CountTick$H_prologItemText
String ID: %01d.%01d %s%s$puF$puF$puF$tuF$|uF
API String ID: 2504462769-2669082390
Opcode ID: 3e4060217434de948618af2d42424a01ae050012d24d8f5c9823039cad0f65a4
Instruction ID: 550e5e3cc02379d2fdf7a8f9d8972ea1377f8fb1b568a4b00dc8a39c1446ffec
Opcode Fuzzy Hash: 3e4060217434de948618af2d42424a01ae050012d24d8f5c9823039cad0f65a4
Instruction Fuzzy Hash: 7441E871E042549FDB00DF65DC88BDD7BF8EB44308F4441AAE84AE7291EB789E44CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0043808B Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 133
stringCOMMON

Download Yara Rule

C-Code - Quality: 28%

			E0043808B(intOrPtr* __ecx, intOrPtr _a4) {
				signed char _v8;
				intOrPtr _t48;
				WCHAR* _t49;
				void* _t50;
				void* _t53;
				intOrPtr _t54;
				signed char _t61;
				signed char _t62;
				short _t70;
				void* _t85;
				intOrPtr* _t89;

				_push(__ecx);
				_t70 = 0;
				_push(0);
				_t89 = __ecx;
				_push( &_v8);
				_v8 = 0;
				if( *0x47e0ec() != 0 || (_v8 & 0x00000041) == 0) {
					L4:
					 *( *(_t89 + 0x44)) = _t70;
					_t48 =  *((intOrPtr*)(_t89 + 0x48));
					if(_t48 != _t70) {
						_push(_t48);
						if( *(_t89 + 0x40) == _t70) {
							_push(L"Range: bytes=%d-");
						} else {
							_push(L"Range: bytes=%d-\r\n");
						}
						wsprintfW( *(_t89 + 0x44), ??);
					}
					_t49 =  *(_t89 + 0x40);
					if(_t49 != _t70) {
						lstrcatW( *(_t89 + 0x44), _t49);
					}
					if( *((intOrPtr*)(_t89 + 4)) != _t70) {
						if(_a4 == _t70) {
							_t50 = 1;
						} else {
							_t38 = _t89 + 0xc; // 0xe
							_t85 = _t38;
							ResetEvent( *(_t89 + 0xc));
							_t53 =  *0x47e0f4( *((intOrPtr*)(_t89 + 4)),  *(_t89 + 0x44), L0043BA1F( *(_t89 + 0x44)), _t70, _t70);
							_t54 =  *_t89;
							if(_t53 == 0) {
								_t50 =  *((intOrPtr*)(_t54 + 8))( *((intOrPtr*)(_t89 + 0x28)), _t85, _t70);
							} else {
								goto L22;
							}
						}
					} else {
						ResetEvent( *(_t89 + 0xc));
						_push(_t89);
						_a4 =  *((intOrPtr*)(_t89 + 0x30));
						_push( *(_t89 + 0x50));
						_push(L0043BA1F( *(_t89 + 0x44)));
						_push( *(_t89 + 0x44));
						_push( *((intOrPtr*)(_t89 + 0x3c)));
						_push(_a4);
						if( *((intOrPtr*)( *_t89 + 0x2c))() != 0) {
							L18:
							_t54 =  *_t89;
							L22:
							_t50 =  *((intOrPtr*)(_t54 + 0x28))();
						} else {
							while(GetLastError() == 0x57) {
								_t61 =  *(_t89 + 0x50);
								if((_t61 & 0x00000001) == 0) {
									break;
								} else {
									_t62 = _t61 & 0x000000fe;
									_push(_t89);
									_push(_t62);
									 *(_t89 + 0x50) = _t62;
									_push(L0043BA1F( *(_t89 + 0x44)));
									_push( *(_t89 + 0x44));
									_push( *((intOrPtr*)(_t89 + 0x3c)));
									_push( *((intOrPtr*)(_t89 + 0x30)));
									if( *((intOrPtr*)( *_t89 + 0x2c))() == 0) {
										_t70 = 0;
										continue;
									} else {
										goto L18;
									}
								}
								goto L25;
							}
							_t33 = _t89 + 0xc; // 0xe
							_t50 =  *((intOrPtr*)( *_t89 + 8))( *((intOrPtr*)(_t89 + 0x28)), _t33, _t70);
						}
					}
				} else {
					_push(0);
					_push( *((intOrPtr*)(__ecx + 0x78)));
					if( *0x47e0f0() != 0) {
						goto L4;
					} else {
						 *((intOrPtr*)(_t89 + 8)) = GetLastError();
						_t50 = 0;
					}
				}
				L25:
				return _t50;
			}

0x0043808e
0x00438091
0x00438097
0x00438098
0x0043809a
0x0043809b
0x004380a6
0x004380cc
0x004380cf
0x004380d2
0x004380d7
0x004380dc
0x004380dd
0x004380e6
0x004380df
0x004380df
0x004380df
0x004380ee
0x004380f4
0x004380f7
0x004380fc
0x00438102
0x00438102
0x0043810b
0x00438198
0x004381d7
0x0043819a
0x0043819d
0x0043819d
0x004381a0
0x004381b8
0x004381c0
0x004381c2
0x004381d2
0x00000000
0x00000000
0x00000000
0x004381c2
0x00438111
0x00438114
0x0043811f
0x00438120
0x00438123
0x0043812f
0x00438132
0x00438135
0x00438138
0x00438140
0x00438180
0x00438180
0x004381c4
0x004381c6
0x00438142
0x00438146
0x00438151
0x00438157
0x00000000
0x00438159
0x0043815b
0x0043815e
0x0043815f
0x00438163
0x0043816f
0x00438172
0x00438175
0x00438178
0x0043817e
0x00438144
0x00000000
0x00000000
0x00000000
0x00000000
0x0043817e
0x00000000
0x00438157
0x00438186
0x00438190
0x00438190
0x00438140
0x004380ae
0x004380ae
0x004380af
0x004380ba
0x00000000
0x004380bc
0x004380c2
0x004380c5
0x004380c5
0x004380ba
0x004381d9
0x004381dd

APIs

GetLastError.KERNEL32(?,00437D4B,00000000,?,?,00000000,?,0041B4C0,?,?,?), ref: 004380BC
wsprintfW.USER32 ref: 004380EE
lstrcatW.KERNEL32(?,?), ref: 00438102
ResetEvent.KERNEL32(?,?,00437D4B,00000000,?,?,00000000,?,0041B4C0,?,?,?), ref: 00438114
GetLastError.KERNEL32(?,00437D4B,00000000,?,?,00000000,?,0041B4C0,?,?,?), ref: 00438146
ResetEvent.KERNEL32(?,?,00437D4B,00000000,?,?,00000000,?,0041B4C0,?,?,?), ref: 004381A0

Strings

Range: bytes=%d-, xrefs: 004380E6
Range: bytes=%d-, xrefs: 004380DF
QD, xrefs: 004380B2

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorEventLastReset$lstrcatwsprintf
String ID: Range: bytes=%d-$Range: bytes=%d-$QD
API String ID: 2894917480-2971879671
Opcode ID: 2dcefef0141d342105f1c4aa0857b7dbc296c70855f15fb5db9c30c857ad4ace
Instruction ID: b1066c7d9b83b24968f1d938737c3f2c3b1cbf5ed9be0caf2b8451a0ad5bea1d
Opcode Fuzzy Hash: 2dcefef0141d342105f1c4aa0857b7dbc296c70855f15fb5db9c30c857ad4ace
Instruction Fuzzy Hash: 88418E71100714EFDB219F61CC8492BBBF9FF08704B10992EF65682A60DB75EC41DB59

Uniqueness

Uniqueness Score: -1.00%

Function 00410501 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 128
memoryCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E00410501(intOrPtr __ecx, void* __eflags) {
				signed int _t55;
				signed int _t56;
				intOrPtr _t58;
				intOrPtr _t61;
				intOrPtr _t63;
				signed int _t69;
				intOrPtr _t73;
				intOrPtr _t75;
				intOrPtr _t77;
				intOrPtr* _t98;
				intOrPtr* _t107;
				intOrPtr _t109;
				intOrPtr _t110;
				void* _t111;

				L0043B644(E00460A48, _t111);
				_t77 = __ecx;
				 *((intOrPtr*)(_t111 - 0x1c)) = __ecx;
				_t55 = L0043BA1F( *((intOrPtr*)(_t111 + 8)));
				 *(_t111 - 0x14) =  *(_t111 - 0x14) & 0x00000000;
				 *(_t111 - 0x18) = _t55;
				if( *((intOrPtr*)(_t77 + 0xc)) <= 0) {
					L20:
					_t56 = 0;
				} else {
					while(1) {
						_t107 =  *((intOrPtr*)( *((intOrPtr*)(_t77 + 4)) +  *(_t111 - 0x14) * 4));
						_t58 =  *_t107;
						if(_t58 == 0x2d || _t58 == 0x2f) {
							goto L4;
						}
						L15:
						 *(_t111 - 0x14) =  *(_t111 - 0x14) + 1;
						if( *(_t111 - 0x14) >=  *((intOrPtr*)(_t77 + 0xc))) {
							goto L20;
						} else {
							continue;
						}
						goto L21;
						L4:
						_t109 = _t107 + 2;
						if(L0043BA1F(_t109) <  *(_t111 - 0x18)) {
							goto L15;
						} else {
							_t61 =  *((intOrPtr*)(_t111 + 8));
							 *(_t111 - 0x6c) = 0x46757c;
							 *((intOrPtr*)(_t111 - 0x4c)) = 0x467574;
							if(_t61 == 0) {
								_t61 = 0x47e150;
							}
							_push(0);
							_push(_t111 - 0xd);
							_push( *(_t111 - 0x18));
							_push(_t61);
							E004028AE(_t111 - 0x6c);
							 *(_t111 - 4) =  *(_t111 - 4) & 0x00000000;
							 *(_t111 - 0x44) = 0x46757c;
							 *((intOrPtr*)(_t111 - 0x24)) = 0x467574;
							_t63 = _t109;
							if(_t109 == 0) {
								_t63 = 0x47e150;
							}
							_push(0);
							_push(_t111 - 0xe);
							_push( *(_t111 - 0x18));
							_push(_t63);
							E004028AE(_t111 - 0x44);
							asm("sbb eax, eax");
							 *(_t111 - 4) = 1;
							asm("sbb ecx, ecx");
							_t69 = L00402DE6( ~(_t111 - 0x44) & _t111 - 0x00000040,  ~(_t111 - 0x6c) & _t111 - 0x00000068);
							asm("sbb bl, bl");
							 *(_t111 - 4) =  *(_t111 - 4) & 0x00000000;
							L0040125C(_t111 - 0x44);
							 *(_t111 - 4) =  *(_t111 - 4) | 0xffffffff;
							L0040125C(_t111 - 0x6c);
							if( ~_t69 + 1 == 0) {
								L14:
								_t77 =  *((intOrPtr*)(_t111 - 0x1c));
								goto L15;
							} else {
								_t73 = _t109 +  *(_t111 - 0x18) * 2;
								__imp__#2(_t73);
								_t110 = _t73;
								if( *((char*)(_t111 + 0x10)) == 0 || _t110 == 0) {
									L17:
									_t98 =  *((intOrPtr*)(_t111 + 0xc));
									if(_t98 != 0) {
										_t75 = _t110;
										_t110 = 0;
										 *_t98 = _t75;
									}
									 *( *((intOrPtr*)( *((intOrPtr*)(_t111 - 0x1c)) + 8)) +  *(_t111 - 0x14) * 4) =  *(_t111 + 0x14) & 0x000000ff;
									__imp__#6(_t110);
									_t56 = 1;
								} else {
									__imp__#7(_t110);
									if(_t73 == 0) {
										goto L17;
									} else {
										__imp__#6(_t110);
										goto L14;
									}
								}
							}
						}
						goto L21;
					}
				}
				L21:
				 *[fs:0x0] =  *((intOrPtr*)(_t111 - 0xc));
				return _t56;
			}

0x00410506
0x00410511
0x00410516
0x00410519
0x0041051e
0x00410527
0x0041052a
0x0041065f
0x0041065f
0x00410530
0x00410535
0x0041053b
0x0041053e
0x00410545
0x00000000
0x00000000
0x00410627
0x00410627
0x00410630
0x00000000
0x00410632
0x00000000
0x00410632
0x00000000
0x00410551
0x00410552
0x0041055d
0x00000000
0x00410563
0x00410563
0x0041056d
0x00410570
0x00410573
0x00410575
0x00410575
0x0041057d
0x0041057f
0x00410583
0x00410586
0x00410587
0x0041058c
0x00410590
0x00410595
0x00410598
0x0041059a
0x0041059c
0x0041059c
0x004105a4
0x004105a6
0x004105aa
0x004105ad
0x004105ae
0x004105bb
0x004105bd
0x004105cc
0x004105d0
0x004105dc
0x004105de
0x004105e4
0x004105e9
0x004105f0
0x004105f7
0x00410624
0x00410624
0x00000000
0x004105f9
0x004105fc
0x00410600
0x0041060a
0x0041060c
0x00410637
0x00410637
0x0041063c
0x0041063e
0x00410640
0x00410642
0x00410642
0x00410652
0x00410655
0x0041065b
0x00410612
0x00410613
0x0041061b
0x00000000
0x0041061d
0x0041061e
0x00000000
0x0041061e
0x0041061b
0x0041060c
0x004105f7
0x00000000
0x0041055d
0x00410535
0x00410661
0x00410667
0x0041066f

APIs

__EH_prolog.LIBCMT ref: 00410506
SysAllocString.OLEAUT32(?), ref: 00410600
SysStringLen.OLEAUT32(00000000), ref: 00410613
SysFreeString.OLEAUT32(00000000), ref: 0041061E
SysFreeString.OLEAUT32(00000000), ref: 00410655

Strings

PG, xrefs: 0041059C
PG, xrefs: 00410575
|uF, xrefs: 00410566
tuF, xrefs: 00410530

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: String$Free$AllocH_prolog
String ID: PG$PG$tuF$|uF
API String ID: 1127608971-938772490
Opcode ID: b77fca341ace7ffa66d9b341753237a21422a312803919de66a3910d7800d0bf
Instruction ID: 907080f13648bf983c3aa11108c1c0ce25a7ca1c875da0d203dd2d022ec7485e
Opcode Fuzzy Hash: b77fca341ace7ffa66d9b341753237a21422a312803919de66a3910d7800d0bf
Instruction Fuzzy Hash: 7441C331E00209DBCF14DFA4C545BEEB7B4EF54344F10406EE806A7281D7B89E86CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0043018C Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E0043018C(intOrPtr* __ecx) {
				char* _t54;
				short* _t55;
				intOrPtr* _t58;
				void* _t60;

				L0043B644(E00464035, _t60);
				_push(__ecx);
				_t58 = __ecx;
				 *((intOrPtr*)(_t60 - 0x10)) = __ecx;
				if( *(_t60 + 0x14) != 0) {
					 *__ecx = 0x46758c;
					 *((intOrPtr*)(__ecx + 0x20)) = 0x467584;
				}
				 *( *((intOrPtr*)( *_t58 + 4)) + _t58) = GetLastError();
				_t54 = _t58 + 4;
				 *((intOrPtr*)(_t60 - 4)) = 0;
				 *_t54 =  *((intOrPtr*)( *((intOrPtr*)(_t60 + 0x10))));
				E0040213C(_t54, 0);
				 *((intOrPtr*)(_t58 + 0x14)) = 0;
				 *((intOrPtr*)(_t58 + 0x18)) = 0;
				 *((intOrPtr*)(_t58 + 0x1c)) = 0;
				_t13 =  *((intOrPtr*)(_t58 + 0x20)) + 4; // 0x4
				SetLastError( *( *_t13 + _t58 + 0x20));
				 *((char*)(_t60 - 4)) = 3;
				if( *(_t60 + 8) == 0) {
					 *(_t60 + 8) = 0x47e154;
				}
				 *(_t60 + 0x14) = MultiByteToWideChar(0, 0,  *(_t60 + 8),  *(_t60 + 0xc), 0, 0);
				L00401EC1(_t54, _t37);
				_t55 =  *(_t54 + 4);
				if(_t55 == 0) {
					_t55 = 0x467570;
				}
				MultiByteToWideChar(0, 0,  *(_t60 + 8),  *(_t60 + 0xc), _t55,  *(_t60 + 0x14));
				SetLastError( *( *((intOrPtr*)( *_t58 + 4)) + _t58));
				 *[fs:0x0] =  *((intOrPtr*)(_t60 - 0xc));
				return _t58;
			}

0x00430191
0x00430196
0x0043019b
0x004301a1
0x004301a4
0x004301a6
0x004301ac
0x004301ac
0x004301c0
0x004301c5
0x004301cd
0x004301d0
0x004301d2
0x004301d7
0x004301da
0x004301dd
0x004301e6
0x004301ed
0x004301f6
0x004301fa
0x004301fc
0x004301fc
0x00430216
0x00430219
0x0043021e
0x00430223
0x00430225
0x00430225
0x00430236
0x00430244
0x00430252
0x0043025a

APIs

__EH_prolog.LIBCMT ref: 00430191
GetLastError.KERNEL32(761B4C30,?,00000000,?,00430147,?,00000000,?,00000001,?,0043247E,Fonts,?,00000001,00000001,00000000), ref: 004301BA
SetLastError.KERNEL32(00000001,00000000,?,00000000,?,00430147,?,00000000,?,00000001,?,0043247E,Fonts,?,00000001,00000001), ref: 004301ED
MultiByteToWideChar.KERNEL32(00000000,00000000,?,0000002B,00000000,00000000,?,00000000,?,00430147,?,00000000,?,00000001,?,0043247E), ref: 0043020D
MultiByteToWideChar.KERNEL32(00000000,00000000,?,0000002B,?,0043D41C,00000000,?,00000000,?,00430147,?,00000000,?,00000001), ref: 00430236
SetLastError.KERNEL32(?,?,00000000,?,00430147,?,00000000,?,00000001,?,0043247E,Fonts,?,00000001,00000001,00000000), ref: 00430244

Strings

TG, xrefs: 004301FC
puF, xrefs: 00430225

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorLast$ByteCharMultiWide$H_prolog
String ID: TG$puF
API String ID: 2853668335-3215700365
Opcode ID: 0c941483a4508d497a5cf639753836134cd547e7fdf31f8e43a79927bb2f7b9a
Instruction ID: 06f098f33e53d29f5bb4335c2b61dab389d73c18c29b62a812db4161b039c651
Opcode Fuzzy Hash: 0c941483a4508d497a5cf639753836134cd547e7fdf31f8e43a79927bb2f7b9a
Instruction Fuzzy Hash: 622178B5500209EFCB118F59C88499ABBF9FF48308B14856EF68A97321D7B4ED10CF99

Uniqueness

Uniqueness Score: -1.00%

Function 004127B8 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E004127B8(intOrPtr* __ecx) {
				char* _t26;
				char* _t31;
				intOrPtr* _t58;
				void* _t60;

				L0043B644(0x460e28, _t60);
				_t58 = __ecx;
				if( *((intOrPtr*)(_t60 + 0xc)) != 0 ||  *((intOrPtr*)( *__ecx + 0x18)) != 0) {
					_t26 = L" This setup was created with a BETA VERSION of %s";
					 *((intOrPtr*)(_t60 - 0x34)) = 0x46757c;
					 *((intOrPtr*)(_t60 - 0x14)) = 0x467574;
					if(_t26 == 0) {
						_t26 = 0x47e150;
					}
					_push(0);
					_push(_t60 + 0xf);
					_push(_t26);
					_t6 = _t60 - 0x34; // 0x46757c
					L0040176A(_t6);
					_t7 = _t60 - 0x34; // 0x46757c
					_push(0);
					_push(0x86a);
					 *(_t60 - 4) = 0;
					E00412890(_t58);
					 *(_t60 - 4) =  *(_t60 - 4) | 0xffffffff;
					_t11 = _t60 - 0x34; // 0x46757c
					L0040125C(_t11);
				}
				if( *((intOrPtr*)(_t60 + 8)) != 0 ||  *((intOrPtr*)( *_t58 + 0x17)) != 0) {
					_t31 = L" This setup was created with a EVALUATION VERSION of %s";
					 *((intOrPtr*)(_t60 - 0x5c)) = 0x46757c;
					 *((intOrPtr*)(_t60 - 0x3c)) = 0x467574;
					if(_t31 == 0) {
						_t31 = 0x47e150;
					}
					_push(0);
					_push(_t60 + 0xb);
					_push(_t31);
					_t17 = _t60 - 0x5c; // 0x46757c
					L0040176A(_t17);
					_t18 = _t60 - 0x5c; // 0x46757c
					_push(0);
					_push(0x86b);
					 *(_t60 - 4) = 1;
					E00412890(_t58);
					 *(_t60 - 4) =  *(_t60 - 4) | 0xffffffff;
					_t22 = _t60 - 0x5c; // 0x46757c
					L0040125C(_t22);
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t60 - 0xc));
				return 0;
			}

0x004127bd
0x004127cd
0x004127d4
0x004127dd
0x004127e2
0x004127eb
0x004127f0
0x004127f2
0x004127f2
0x004127fa
0x004127fb
0x004127fc
0x004127fd
0x00412800
0x00412805
0x00412808
0x0041280a
0x00412811
0x00412814
0x00412819
0x0041281d
0x00412820
0x00412820
0x00412828
0x00412831
0x00412836
0x0041283f
0x00412844
0x00412846
0x00412846
0x0041284e
0x0041284f
0x00412850
0x00412851
0x00412854
0x00412859
0x0041285c
0x0041285e
0x00412865
0x0041286c
0x00412871
0x00412875
0x00412878
0x00412878
0x00412885
0x0041288d

APIs

__EH_prolog.LIBCMT ref: 004127BD

Strings

This setup was created with a EVALUATION VERSION of %s, xrefs: 00412831, 00412850
|uF, xrefs: 00412851
tuF, xrefs: 004127CF
PG, xrefs: 004127F2
PG, xrefs: 00412846
This setup was created with a BETA VERSION of %s, xrefs: 004127DD, 004127FC
|uF, xrefs: 004127FD

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: H_prolog
String ID: This setup was created with a BETA VERSION of %s$ This setup was created with a EVALUATION VERSION of %s$PG$PG$tuF$|uF$|uF
API String ID: 3519838083-3533002141
Opcode ID: 609fd7c3ee6f0bc956c64a4d687c9024be93021805ae38dfcb0fe7d0cb7cfedf
Instruction ID: c717cd76cf0de801172dc74119ee3edadaf74e6253f2cc39b921659d446b203f
Opcode Fuzzy Hash: 609fd7c3ee6f0bc956c64a4d687c9024be93021805ae38dfcb0fe7d0cb7cfedf
Instruction Fuzzy Hash: A421D871D01148AFDB08EFA5C5919EEBB78EB44314F10826FB016E7291EB788E45CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0045ABD7 Relevance: 13.6, APIs: 9, Instructions: 133
windowfileCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E0045ABD7(void* __ecx, void* __edx, void* __esi) {
				struct HDC__* __edi;
				int _t54;
				int _t60;
				struct HDC__* _t71;
				void* _t73;
				void* _t76;

				_t73 = __esi;
				if( *((intOrPtr*)(__esi + 0x18)) == 0) {
					__eax =  *(__esp + 0x10);
					__eflags =  *(__esp + 0x10);
					if( *(__esp + 0x10) == 0) {
						L5:
						_push( *((intOrPtr*)(_t73 + 4)));
						PlayMetaFile(_t71, ??);
						L7:
						DeleteDC( *(_t76 + 0x48));
						RestoreDC(_t71,  *(_t76 + 0x2c));
						return 1;
					}
					__eax = __ecx;
					 *((intOrPtr*)(__esi + 0x18)) = 1;
					asm("cdq");
					__eax = __ecx + __edx;
					__edx = __ecx;
					__eax = __eax >> 2;
					__edx = __ecx & 0x80000003;
					__eflags = __edx;
					if(__eflags < 0) {
						__edx = __edx - 1;
						__edx = __edx | 0xfffffffc;
						__eflags = __edx;
					}
					if(__eflags == 0) {
						__eax = __eax & 0x80000001;
						__eflags = __eax;
						if(__eflags < 0) {
							__eax = __eax - 1;
							__eax = __eax | 0xfffffffe;
							__eflags = __eax;
						}
						__ebp = __ecx - 8;
						if(__eflags == 0) {
							__ebp = __ecx - 4;
						}
						goto L22;
					} else {
						__ecx = __eax;
						__ecx = __eax & 0x80000001;
						__eflags = __ecx;
						if(__eflags < 0) {
							__ecx = __ecx - 1;
							__ecx = __ecx | 0xfffffffe;
							__eflags = __ecx;
						}
						if(__eflags == 0) {
							__ebp = __eax * 4 - 4;
						} else {
							__ebp = __eax * 4;
						}
						L22:
						__ebx = 0;
						__eflags = 0;
						__eax = GetTickCount();
						while(1) {
							__eax = __eax + 0xf;
							__eflags = __ebp;
							 *(__esp + 0x44) = __eax;
							if(__ebp > 0) {
								goto L25;
							}
							__eflags = __ebx -  *((intOrPtr*)(__esp + 0x24));
							if(__ebx >=  *((intOrPtr*)(__esp + 0x24))) {
								goto L7;
							}
							L25:
							__edx =  *(__esp + 0x48);
							__eax =  *(__esi + 0x28);
							__ecx =  *(__esp + 0x34);
							__edx =  *(__esp + 0x40);
							__eax = __edx + __ebx;
							__eax = BitBlt(__edi, __edx + __ebx,  *(__esp + 0x34), 4,  *(__esi + 0x28), __edx, __ebx, 0, 0xcc0020);
							__eflags = __eax;
							if(__eax == 0) {
								goto L7;
							}
							__ecx =  *(__esp + 0x48);
							__edx =  *(__esi + 0x28);
							__eax =  *(__esp + 0x34);
							__ecx =  *(__esp + 0x40);
							__edx = __ecx + __ebp;
							__eax = BitBlt(__edi, __ecx + __ebp,  *(__esp + 0x34), 4,  *(__esi + 0x28), __ecx, __ebp, 0, 0xcc0020);
							__eflags = __eax;
							if(__eax == 0) {
								goto L7;
							}
							__ebx = __ebx + 8;
							__ebp = __ebp - 8;
							__eax = GetTickCount();
							__eflags = __eax -  *(__esp + 0x44);
							if(__eax >=  *(__esp + 0x44)) {
								L29:
								__eax =  *(__esp + 0x44);
								continue;
							} else {
								goto L28;
							}
							do {
								L28:
								__eax = GetTickCount();
								__eflags = __eax -  *(__esp + 0x44);
							} while (__eax <  *(__esp + 0x44));
							goto L29;
						}
					}
				}
				if( *((intOrPtr*)(_t76 + 0x10)) == 0) {
					goto L5;
				}
				_t60 =  *(__esi + 0x24);
				if( *(_t76 + 0x1c) != _t60) {
					L30:
					SetStretchBltMode(_t71, 3);
					StretchBlt(_t71,  *(_t76 + 0x4c),  *(_t76 + 0x4c),  *(_t76 + 0x28),  *(_t76 + 0x1c),  *(_t76 + 0x48), 0, 0,  *(_t73 + 0x24),  *(_t73 + 0x28), 0xcc0020);
					goto L7;
				}
				_t54 =  *(__esi + 0x28);
				if( *((intOrPtr*)(_t76 + 0x14)) != _t54) {
					goto L30;
				}
				BitBlt(_t71,  *(_t76 + 0x48),  *(_t76 + 0x48), _t60, _t54,  *(_t76 + 0x48), 0, 0, 0xcc0020);
				goto L7;
			}

0x0045abd7
0x0045abdc
0x0045abe2
0x0045abe6
0x0045abe8
0x0045aa79
0x0045aa7c
0x0045aa7e
0x0045aa84
0x0045aa89
0x0045aa95
0x0045aaa7
0x0045aaa7
0x0045abee
0x0045abf0
0x0045abf7
0x0045abfb
0x0045abfd
0x0045abff
0x0045ac02
0x0045ac02
0x0045ac08
0x0045ac0a
0x0045ac0b
0x0045ac0e
0x0045ac0e
0x0045ac0f
0x0045ac34
0x0045ac34
0x0045ac39
0x0045ac3b
0x0045ac3c
0x0045ac3f
0x0045ac3f
0x0045ac40
0x0045ac43
0x0045ac45
0x0045ac45
0x00000000
0x0045ac11
0x0045ac11
0x0045ac13
0x0045ac13
0x0045ac19
0x0045ac1b
0x0045ac1c
0x0045ac1f
0x0045ac1f
0x0045ac20
0x0045ac2b
0x0045ac22
0x0045ac22
0x0045ac22
0x0045ac48
0x0045ac48
0x0045ac48
0x0045ac4a
0x0045ac50
0x0045ac50
0x0045ac53
0x0045ac55
0x0045ac59
0x00000000
0x00000000
0x0045ac5b
0x0045ac5f
0x00000000
0x00000000
0x0045ac65
0x0045ac65
0x0045ac69
0x0045ac6c
0x0045ac79
0x0045ac80
0x0045ac86
0x0045ac8c
0x0045ac8e
0x00000000
0x00000000
0x0045ac94
0x0045ac98
0x0045ac9b
0x0045aca8
0x0045acaf
0x0045acb5
0x0045acbb
0x0045acbd
0x00000000
0x00000000
0x0045acc3
0x0045acc6
0x0045acc9
0x0045accf
0x0045acd3
0x0045ace1
0x0045ace1
0x00000000
0x00000000
0x00000000
0x00000000
0x0045acd5
0x0045acd5
0x0045acd5
0x0045acdb
0x0045acdb
0x00000000
0x0045acd5
0x0045ac50
0x0045ac0f
0x0045a6b2
0x00000000
0x00000000
0x0045a6b8
0x0045a6c1
0x0045b0b3
0x0045b0b6
0x0045b0e7
0x00000000
0x0045b0e7
0x0045a6c7
0x0045a6d0
0x00000000
0x00000000
0x0045a6f1
0x00000000

APIs

BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,00CC0020), ref: 0045A6F1
PlayMetaFile.GDI32(?,00000002), ref: 0045AA7E
DeleteDC.GDI32(?), ref: 0045AA89
RestoreDC.GDI32(?,?), ref: 0045AA95
GetTickCount.KERNEL32 ref: 0045AC4A
BitBlt.GDI32(?,?,?,00000004,?,?,00000000,00000000,00CC0020), ref: 0045AC86
BitBlt.GDI32(?,?,?,00000004,?,?,?,00000000,00CC0020), ref: 0045ACB5
GetTickCount.KERNEL32 ref: 0045ACC9
GetTickCount.KERNEL32 ref: 0045ACD5

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: CountTick$DeleteFileMetaPlayRestore
String ID:
API String ID: 718445662-0
Opcode ID: f7c35f60a5f58ae4db064fdfa499da09e45bcedbcc295600f057caca97a686a7
Instruction ID: 08ab18bdf8471257fb3c9ff1199ed2c9af16ec72b318ff806771288a0c71adb1
Opcode Fuzzy Hash: f7c35f60a5f58ae4db064fdfa499da09e45bcedbcc295600f057caca97a686a7
Instruction Fuzzy Hash: 214180702083009BD725CB28CD80B2BB3F9EB85716F104A1DFA51C6291E769EC59CB6B

Uniqueness

Uniqueness Score: -1.00%

Function 00412B0A Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 238
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E00412B0A(intOrPtr __ecx, void* __eflags) {
				void* _t96;
				signed int _t103;
				signed int _t105;
				intOrPtr _t106;
				signed int _t107;
				intOrPtr _t108;
				intOrPtr _t109;
				signed int _t110;
				void* _t111;
				signed int _t112;
				void* _t113;
				void* _t116;
				void* _t122;
				long _t125;
				void* _t130;
				long _t133;
				intOrPtr _t137;
				long _t140;
				intOrPtr _t144;
				signed int _t149;
				signed int _t150;
				intOrPtr _t152;
				intOrPtr _t153;
				signed int _t184;
				intOrPtr _t185;
				signed int _t189;
				intOrPtr _t190;
				void* _t197;
				intOrPtr* _t199;
				intOrPtr* _t200;
				intOrPtr* _t201;
				intOrPtr* _t202;
				intOrPtr* _t204;
				void* _t206;
				void* _t208;
				void* _t211;

				_t211 = __eflags;
				L0043B644(0x460eda, _t206);
				 *((intOrPtr*)(_t206 - 0x18)) = __ecx;
				_push(_t149);
				_t197 = 0;
				 *((intOrPtr*)(_t206 - 0x10)) = _t208 - 0xac;
				 *(_t206 - 4) = 0;
				_t96 =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 4)) + 0x2c))();
				_push(_t206 - 0x90);
				L00412DE1(_t96);
				 *(_t206 - 4) = 1;
				if(L00419852(_t206 - 0x90, _t211) != 0) {
					L00412E5D(_t206 - 0x68, __eflags);
					_push(0);
					_push(_t206 - 0x90);
					 *(_t206 - 4) = 2;
					 *((intOrPtr*)(_t206 - 0xb8)) = 0x4675a0;
					 *((intOrPtr*)(_t206 - 0x98)) = 0x467598;
					L00401CDD(_t206 - 0xb8);
					_push(0);
					_push(0);
					_push(3);
					_push(0x80);
					_push(1);
					_push(0x80000000);
					_push(_t206 - 0xb8);
					 *(_t206 - 4) = 3;
					_t103 = E00412F07(_t206 - 0x68, __eflags);
					__eflags = _t103;
					_t150 = _t149 & 0xffffff00 | _t103 != 0x00000000;
					 *(_t206 - 4) = 2;
					L0040125C(_t206 - 0xb8);
					__eflags = _t150;
					if(_t150 == 0) {
						_t105 =  *((intOrPtr*)(_t206 - 0x64));
						 *((intOrPtr*)(_t206 - 0x14)) = 0;
						__eflags = _t105;
						if(_t105 == 0) {
							_t106 =  *((intOrPtr*)(_t206 - 0x60));
						} else {
							_t106 =  *((intOrPtr*)(_t105 + 4));
						}
						_t204 =  *0x47e110; // 0x445130
						_t107 =  *_t204(_t106, 0x1c, _t197, _t206 - 0x14);
						__eflags = _t107;
						if(_t107 == 0) {
							_t140 = GetLastError();
							__eflags = _t140 - 0x7a;
							if(_t140 == 0x7a) {
								_t202 = L00401813( *((intOrPtr*)(_t206 - 0x18)) + 0x2ec, _t206 - 0x24,  *((intOrPtr*)(_t206 - 0x14)));
								 *(_t206 - 4) = 5;
								_t144 = L0040BC37( *_t202);
								 *((intOrPtr*)(_t202 + 8)) = _t144;
								_t189 =  *((intOrPtr*)(_t206 - 0x64));
								__eflags = _t189;
								if(_t189 == 0) {
									_t190 =  *((intOrPtr*)(_t206 - 0x60));
								} else {
									_t190 =  *((intOrPtr*)(_t189 + 4));
								}
								 *_t204(_t190, 0x1c, _t144, _t206 - 0x14);
								 *(_t206 - 4) = 2;
								L00401A9C(_t206 - 0x24);
								_t197 = 0;
								__eflags = 0;
							}
						}
						_t108 =  *((intOrPtr*)(_t206 - 0x64));
						 *((intOrPtr*)(_t206 - 0x14)) = _t197;
						__eflags = _t108 - _t197;
						if(_t108 == _t197) {
							_t109 =  *((intOrPtr*)(_t206 - 0x60));
						} else {
							_t109 =  *((intOrPtr*)(_t108 + 4));
						}
						_t110 =  *_t204(_t109, 0x1d, _t197, _t206 - 0x14);
						__eflags = _t110;
						if(_t110 == 0) {
							_t133 = GetLastError();
							__eflags = _t133 - 0x7a;
							if(_t133 == 0x7a) {
								_t201 = L00401813( *((intOrPtr*)(_t206 - 0x18)) + 0x314, _t206 - 0x24,  *((intOrPtr*)(_t206 - 0x14)));
								 *(_t206 - 4) = 6;
								_t137 = L0040BC37( *_t201);
								 *((intOrPtr*)(_t201 + 8)) = _t137;
								_t184 =  *((intOrPtr*)(_t206 - 0x64));
								__eflags = _t184;
								if(_t184 == 0) {
									_t185 =  *((intOrPtr*)(_t206 - 0x60));
								} else {
									_t185 =  *((intOrPtr*)(_t184 + 4));
								}
								 *_t204(_t185, 0x1d, _t137, _t206 - 0x14);
								 *(_t206 - 4) = 2;
								L00401A9C(_t206 - 0x24);
								_t197 = 0;
								__eflags = 0;
							}
						}
						 *((intOrPtr*)(_t206 - 0x14)) = _t197;
						_t111 = L00413646(_t206 - 0x68);
						_t112 =  *_t204(_t111, 0x2b, _t197, _t206 - 0x14);
						__eflags = _t112;
						if(_t112 == 0) {
							_t125 = GetLastError();
							__eflags = _t125 - 0x7a;
							if(_t125 == 0x7a) {
								_t200 = L00401813( *((intOrPtr*)(_t206 - 0x18)) + 0x33c, _t206 - 0x24,  *((intOrPtr*)(_t206 - 0x14)));
								 *(_t206 - 4) = 7;
								_t153 = L0040BC37( *_t200);
								 *((intOrPtr*)(_t200 + 8)) = _t153;
								_t130 = L00413646(_t206 - 0x68);
								 *_t204(_t130, 0x2b, _t153, _t206 - 0x14);
								 *(_t206 - 4) = 2;
								L00401A9C(_t206 - 0x24);
								_t197 = 0;
								__eflags = 0;
							}
						}
						 *((intOrPtr*)(_t206 - 0x14)) = _t197;
						_t113 = L00413646(_t206 - 0x68);
						__eflags =  *_t204(_t113, 0x2c, _t197, _t206 - 0x14);
						if(__eflags == 0) {
							__eflags = GetLastError() - 0x7a;
							if(__eflags == 0) {
								_t199 = L00401813( *((intOrPtr*)(_t206 - 0x18)) + 0x364, _t206 - 0x24,  *((intOrPtr*)(_t206 - 0x14)));
								 *(_t206 - 4) = 8;
								_t152 = L0040BC37( *_t199);
								 *((intOrPtr*)(_t199 + 8)) = _t152;
								_t122 = L00413646(_t206 - 0x68);
								 *_t204(_t122, 0x2c, _t152, _t206 - 0x14);
								 *(_t206 - 4) = 2;
								L00401A9C(_t206 - 0x24);
							}
						}
						 *(_t206 - 4) = 1;
						L00412ECE(_t206 - 0x68, __eflags);
					} else {
						 *((intOrPtr*)(_t206 - 0x68)) = 0x467ef8;
						 *(_t206 - 4) = 4;
						E004134DD(_t206 - 0x68);
						 *(_t206 - 4) = 1;
						L0040125C(_t206 - 0x5c);
					}
				}
				 *(_t206 - 4) =  *(_t206 - 4) & 0x00000000;
				_t116 = L0040125C(_t206 - 0x90);
				 *[fs:0x0] =  *((intOrPtr*)(_t206 - 0xc));
				return _t116;
			}

0x00412b0a
0x00412b0f
0x00412b1d
0x00412b20
0x00412b26
0x00412b28
0x00412b2b
0x00412b2e
0x00412b37
0x00412b3a
0x00412b45
0x00412b50
0x00412b73
0x00412b7e
0x00412b7f
0x00412b86
0x00412b8a
0x00412b94
0x00412b9e
0x00412ba3
0x00412ba4
0x00412ba5
0x00412ba7
0x00412bac
0x00412bb4
0x00412bb9
0x00412bbd
0x00412bc1
0x00412bc6
0x00412bce
0x00412bd1
0x00412bd5
0x00412bda
0x00412bdc
0x00412c02
0x00412c05
0x00412c08
0x00412c0a
0x00412c11
0x00412c0c
0x00412c0c
0x00412c0c
0x00412c14
0x00412c22
0x00412c24
0x00412c26
0x00412c28
0x00412c2e
0x00412c31
0x00412c48
0x00412c4c
0x00412c50
0x00412c55
0x00412c58
0x00412c5b
0x00412c5d
0x00412c64
0x00412c5f
0x00412c5f
0x00412c5f
0x00412c6f
0x00412c74
0x00412c78
0x00412c7d
0x00412c7d
0x00412c7d
0x00412c31
0x00412c7f
0x00412c82
0x00412c85
0x00412c87
0x00412c8e
0x00412c89
0x00412c89
0x00412c89
0x00412c99
0x00412c9b
0x00412c9d
0x00412c9f
0x00412ca5
0x00412ca8
0x00412cbf
0x00412cc3
0x00412cc7
0x00412ccc
0x00412ccf
0x00412cd2
0x00412cd4
0x00412cdb
0x00412cd6
0x00412cd6
0x00412cd6
0x00412ce6
0x00412ceb
0x00412cef
0x00412cf4
0x00412cf4
0x00412cf4
0x00412ca8
0x00412cf9
0x00412cfc
0x00412d09
0x00412d0b
0x00412d0d
0x00412d0f
0x00412d15
0x00412d18
0x00412d2f
0x00412d33
0x00412d3c
0x00412d41
0x00412d44
0x00412d51
0x00412d56
0x00412d5a
0x00412d5f
0x00412d5f
0x00412d5f
0x00412d18
0x00412d64
0x00412d67
0x00412d76
0x00412d78
0x00412d80
0x00412d83
0x00412d9a
0x00412d9e
0x00412da7
0x00412dac
0x00412daf
0x00412dbc
0x00412dc1
0x00412dc5
0x00412dc5
0x00412d83
0x00412dcd
0x00412dd1
0x00412bde
0x00412bde
0x00412be8
0x00412bec
0x00412bf4
0x00412bf8
0x00412bf8
0x00412bdc
0x00412b52
0x00412b5c
0x00412b66
0x00412b6f

APIs

__EH_prolog.LIBCMT ref: 00412B0F

Part of subcall function 00412DE1: __EH_prolog.LIBCMT ref: 00412DE6

GetLastError.KERNEL32 ref: 00412C28
GetLastError.KERNEL32 ref: 00412C9F
GetLastError.KERNEL32 ref: 00412D7A
GetLastError.KERNEL32 ref: 00412D0F

Part of subcall function 00401A9C: __EH_prolog.LIBCMT ref: 00401AA1
Part of subcall function 00401A9C: GetLastError.KERNEL32(00467574,00000000), ref: 00401AAD
Part of subcall function 00401A9C: SetLastError.KERNEL32(00000000), ref: 00401B01

Strings

_:A, xrefs: 00412BDE
0QD, xrefs: 00412C14

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorLast$H_prolog
String ID: 0QD$_:A
API String ID: 2881783280-862757228
Opcode ID: 32b20568ce08058406c7594e30409ab792e06e12769a05cffa1f1c9b3fa7192d
Instruction ID: 07c07ea37a6d5beea63cea12c747daa90200ff9d1045ba022e6254c7789588b8
Opcode Fuzzy Hash: 32b20568ce08058406c7594e30409ab792e06e12769a05cffa1f1c9b3fa7192d
Instruction Fuzzy Hash: 9491A570900249DEDB14DBA0CA85FEEBBB9EF55304F20405EE509B7281EB786F45CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0044AB60 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 222
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E0044AB60(intOrPtr* __ecx, void* __eflags, signed int* _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int* _v0;
				intOrPtr _v4;
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v24;
				void* _v52;
				void* _v64;
				char _v68;
				void* _v80;
				void* _v84;
				void* _v88;
				void* _v100;
				void* _v120;
				void* _v124;
				intOrPtr _v128;
				signed int _v138;
				intOrPtr _v140;
				signed int _v147;
				intOrPtr _v148;
				void* _t82;
				void* _t83;
				long _t88;
				void* _t94;
				signed int _t95;
				signed int _t97;
				signed int _t107;
				signed int _t118;
				intOrPtr _t123;
				signed int _t127;
				signed int _t129;
				signed int _t130;
				signed int _t146;
				intOrPtr* _t188;
				signed int _t191;
				signed int _t194;
				signed int _t199;
				signed int _t202;
				signed int _t203;
				intOrPtr _t205;
				void* _t206;
				void* _t207;
				void* _t208;
				void* _t209;
				void* _t210;
				void* _t214;

				_push(0xffffffff);
				_push(0x465c2e);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t205;
				_t206 = _t205 - 0x7c;
				_push(_t127);
				_t188 = __ecx;
				_t82 = E00452030(_a12, __eflags,  &_v68);
				_t202 = 0;
				_v8 = 0;
				if(_t82 == 0) {
					_t191 = 0;
					__eflags = 0;
				} else {
					_t4 = _t82 + 4; // 0x4
					_t191 = _t4;
				}
				_t83 = L0043BA1F(L".gif");
				_t207 = _t206 + 4;
				_t214 = L00402E08(_t191, _t202,  *((intOrPtr*)(_t191 + 8)), L".gif", _t83) - _t202;
				asm("sbb eax, eax");
				_v20 = 2;
				_t87 =  ~( &_v84) &  &_v52;
				_t88 = GetLastError();
				asm("sbb ecx, ecx");
				 *( *((intOrPtr*)( *( ~( &_v84) &  &_v52) + 4)) + _t87) = _t88;
				E00430164( ~( &_v84) &  &_v64);
				asm("sbb ecx, ecx");
				_v20 = 1;
				E0040213C( ~( &_v84) &  &_v80, 1);
				_v24 = 0xffffffff;
				SetLastError( *(_t207 +  *((intOrPtr*)(_v88 + 4)) + 0x54));
				_t215 = _t127 & 0xffffff00 | _t214 == 0x00000000;
				if((_t127 & 0xffffff00 | _t214 == 0x00000000) == 0) {
					_t94 = E00452030(_a12, __eflags,  &_v120);
					__eflags = _t94 - _t202;
					if(_t94 == _t202) {
						_t194 = 0;
						__eflags = 0;
					} else {
						_t39 = _t94 + 4; // 0x4
						_t194 = _t39;
					}
					_t95 = L0043BA1F(L".bmp");
					_t203 =  *(_t194 + 8);
					_t129 = _t95;
					_t208 = _t207 + 4;
					__eflags = _t203 - _t129;
					_t146 = _t203;
					if(_t203 >= _t129) {
						_t146 = _t129;
					}
					_t97 = E0043C2DF(_t146,  *((intOrPtr*)(_t194 + 4)), L".bmp", _t146);
					_t209 = _t208 + 0xc;
					__eflags = _t97;
					if(__eflags == 0) {
						__eflags = _t203 - _t129;
						if(_t203 >= _t129) {
							__eflags = _t203 - _t129;
							_t43 = _t203 != _t129;
							__eflags = _t43;
							_t118 = 0 | _t43;
						} else {
							_t118 = _t97 | 0xffffffff;
						}
						__eflags = _t118;
					}
					_t130 = _t129 & 0xffffff00 | __eflags == 0x00000000;
					asm("sbb eax, eax");
					_v4 = 4;
					_t100 =  ~( &_v120) &  &_v88;
					 *((intOrPtr*)( *((intOrPtr*)( *( ~( &_v120) &  &_v88) + 4)) + _t100)) = GetLastError();
					asm("sbb esi, esi");
					_t199 =  ~( &_v120) &  &_v100;
					E0043AE17( *_t199);
					_t210 = _t209 + 4;
					__imp__#6( *((intOrPtr*)(_t199 + 8)));
					asm("sbb ecx, ecx");
					E0040213C( ~( &_v124) &  &_v120, 1);
					_v12 = 0xffffffff;
					SetLastError( *(_t210 +  *((intOrPtr*)(_v128 + 4)) + 0x20));
					__eflags = _t130;
					if(_t130 == 0) {
						_t107 = 0;
						__eflags = 0;
					} else {
						L00459DE0( *_t188,  *((intOrPtr*)(_t188 + 4)), _a12);
						_t210 = _t210 + 0xc;
						_t202 = 0;
						__eflags = 0;
						 *( *_t188 + 0x10) =  *_v0;
						goto L17;
					}
				} else {
					_push(_t202);
					_push(_a20);
					_push(_a16);
					L00459550( *((intOrPtr*)(_t188 + 8)), _t215);
					_push( *((intOrPtr*)( *((intOrPtr*)(_t188 + 8)) + 0x14)));
					_push( *((intOrPtr*)(_t188 + 4)));
					_push( *_t188);
					E00459F80();
					_t210 = _t207 + 0xc;
					_t123 =  *((intOrPtr*)( *((intOrPtr*)(_t188 + 8)) + 4));
					_v140 = _t123;
					_v148 = _t123;
					 *( *_t188 + 0x10) = (_v147 & 0x000000ff) << 0x00000008 | _v138 & 0x000000ff;
					L17:
					 *((intOrPtr*)( *_t188 + 8)) = 1;
					 *((intOrPtr*)( *_t188 + 0x14)) = _t202;
					 *((intOrPtr*)( *_t188 + 0x18)) = 0x64;
					 *((intOrPtr*)( *_t188 + 0x1c)) = 0x64;
					 *((intOrPtr*)( *_t188 + 0x20)) = _t202;
					 *((intOrPtr*)( *((intOrPtr*)(_t188 + 4)) + 0x18)) = _t202;
					 *((intOrPtr*)( *((intOrPtr*)(_t188 + 4)) + 0x1c)) = 1;
					 *( *((intOrPtr*)(_t188 + 4)) + 0x30) =  *( *_t188 + 0x10);
					 *( *((intOrPtr*)(_t188 + 4)) + 0x34) =  *_a4 & 0x0010002f;
					_t107 = 1;
				}
				 *[fs:0x0] = _v16;
				return _t107;
			}

0x0044ab60
0x0044ab62
0x0044ab6d
0x0044ab6e
0x0044ab75
0x0044ab78
0x0044ab7c
0x0044ab8a
0x0044ab8f
0x0044ab93
0x0044ab9a
0x0044aba1
0x0044aba1
0x0044ab9c
0x0044ab9c
0x0044ab9c
0x0044ab9c
0x0044aba8
0x0044abb0
0x0044abc2
0x0044abd1
0x0044abd3
0x0044abde
0x0044abe7
0x0044abf7
0x0044abf9
0x0044abfd
0x0044ac0c
0x0044ac12
0x0044ac1a
0x0044ac23
0x0044ac3a
0x0044ac40
0x0044ac42
0x0044acb5
0x0044acba
0x0044acbc
0x0044acc3
0x0044acc3
0x0044acbe
0x0044acbe
0x0044acbe
0x0044acbe
0x0044acca
0x0044accf
0x0044acd2
0x0044acd4
0x0044acd7
0x0044acd9
0x0044acdb
0x0044acdd
0x0044acdd
0x0044ace9
0x0044acee
0x0044acf1
0x0044acf3
0x0044acf5
0x0044acf7
0x0044ad00
0x0044ad02
0x0044ad02
0x0044ad02
0x0044acf9
0x0044acf9
0x0044acf9
0x0044ad05
0x0044ad05
0x0044ad07
0x0044ad14
0x0044ad16
0x0044ad21
0x0044ad30
0x0044ad38
0x0044ad3e
0x0044ad43
0x0044ad4b
0x0044ad4f
0x0044ad5f
0x0044ad65
0x0044ad6e
0x0044ad81
0x0044ad87
0x0044ad89
0x0044ae05
0x0044ae05
0x0044ad8b
0x0044ad9a
0x0044ada8
0x0044adab
0x0044adab
0x0044adaf
0x00000000
0x0044adaf
0x0044ac44
0x0044ac52
0x0044ac53
0x0044ac57
0x0044ac58
0x0044ac68
0x0044ac69
0x0044ac6a
0x0044ac6b
0x0044ac75
0x0044ac78
0x0044ac7b
0x0044ac83
0x0044aca1
0x0044adb2
0x0044adb9
0x0044adc3
0x0044adc8
0x0044adcd
0x0044add2
0x0044add8
0x0044adde
0x0044adf0
0x0044adfe
0x0044ae01
0x0044ae01
0x0044ae12
0x0044ae1f

APIs

Part of subcall function 00452030: GetLastError.KERNEL32(?,?,0046758C,00000000,00000038,?,?,?,?,?,?,?,?,?,?,?), ref: 0045207A
Part of subcall function 00452030: SysFreeString.OLEAUT32(?), ref: 0045209F
Part of subcall function 00452030: SetLastError.KERNEL32(?), ref: 004520D2

GetLastError.KERNEL32 ref: 0044ABE7
SetLastError.KERNEL32(?,00000001), ref: 0044AC3A
GetLastError.KERNEL32 ref: 0044AD2A
SysFreeString.OLEAUT32(?), ref: 0044AD4F
SetLastError.KERNEL32(?), ref: 0044AD81

Strings

.bmp, xrefs: 0044ACC5, 0044ACE3
.gif, xrefs: 0044ABA3, 0044ABB4

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorLast$FreeString
String ID: .bmp$.gif
API String ID: 2425351278-4134359634
Opcode ID: 41ebba159b42abfa6bb241e50e94ad8e975d2d20146858c2e7e1fecf11e38447
Instruction ID: 01aefdf835fb7d53ec18838253cadb6b29c73e0f2b5cda978eda058b25e6d995
Opcode Fuzzy Hash: 41ebba159b42abfa6bb241e50e94ad8e975d2d20146858c2e7e1fecf11e38447
Instruction Fuzzy Hash: C381B0716483029FD728DF24C981E6BB7E1FF88704F108A2EE59987381D778E815CB86

Uniqueness

Uniqueness Score: -1.00%

Function 00404166 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 114
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00404166() {
				intOrPtr _t41;
				intOrPtr _t66;
				intOrPtr _t69;
				intOrPtr* _t70;
				void* _t75;
				void* _t77;

				L0043B644(0x45f283, _t75);
				_t69 =  *((intOrPtr*)(_t75 + 0xc));
				 *((intOrPtr*)(_t75 - 0x14)) = 0;
				 *((intOrPtr*)(_t75 - 0x10)) = _t77 - 0x30;
				if( *((intOrPtr*)(_t69 + 0xc)) != 0) {
					_push(0);
					_push(_t75 + 0xf);
					 *((intOrPtr*)(_t75 - 0x3c)) = 0x46757c;
					 *((intOrPtr*)(_t75 - 0x1c)) = 0x467574;
					L00401C68(_t75 - 0x3c);
					_t59 =  *((intOrPtr*)(_t75 + 0x10));
					_t66 = 1;
					 *((intOrPtr*)(_t75 - 4)) = _t66;
					 *((char*)(_t75 - 4)) = 2;
					if( *((intOrPtr*)(_t75 + 0x10)) != 0) {
						_t41 =  *((intOrPtr*)(_t75 + 0x14));
						if(_t41 != 0) {
							L12:
							if( *((intOrPtr*)(_t75 + 0x18)) != 0) {
								if(_t41 != 0 &&  *((intOrPtr*)(_t75 + 0x18)) != 0) {
									_t72 =  *((intOrPtr*)(_t69 + 8));
									if( *((intOrPtr*)(_t69 + 8)) == 0) {
										_t72 = 0x467570;
									}
									_push( *((intOrPtr*)(_t75 + 0x18)));
									_push(_t41);
									L004057E0(_t75 - 0x3c, _t72, _t59);
								}
							} else {
								_t73 =  *((intOrPtr*)(_t69 + 8));
								if( *((intOrPtr*)(_t69 + 8)) == 0) {
									_t73 = 0x467570;
								}
								_push(_t41);
								L004057E0(_t75 - 0x3c, _t73, _t59);
							}
							goto L21;
						}
						if( *((intOrPtr*)(_t75 + 0x18)) != 0) {
							if(_t41 == 0) {
								goto L21;
							}
							goto L12;
						}
						_t74 =  *((intOrPtr*)(_t69 + 8));
						if( *((intOrPtr*)(_t69 + 8)) == 0) {
							_t74 = 0x467570;
						}
						L004057E0(_t75 - 0x3c, _t74, _t59);
						goto L21;
					} else {
						if( *((intOrPtr*)(_t75 + 0x14)) == 0 &&  *((intOrPtr*)(_t75 + 0x18)) == 0) {
							L00401A1E(_t75 - 0x3c, _t69);
						}
						L21:
						_t70 =  *((intOrPtr*)(_t75 + 8));
						_push(0);
						_push(_t75 - 0x3c);
						 *((intOrPtr*)(_t75 - 4)) = _t66;
						 *_t70 = 0x46757c;
						 *((intOrPtr*)(_t70 + 0x20)) = 0x467574;
						L00401CDD(_t70);
						 *((intOrPtr*)(_t75 - 0x14)) = _t66;
						 *((char*)(_t75 - 4)) = 0;
						L0040125C(_t75 - 0x3c);
						goto L22;
					}
				} else {
					_t70 =  *((intOrPtr*)(_t75 + 8));
					_push(0);
					_push(_t75 + 0x1b);
					_push(0x47e150);
					 *_t70 = 0x46757c;
					 *((intOrPtr*)(_t70 + 0x20)) = 0x467574;
					L0040176A(_t70);
					L22:
					 *[fs:0x0] =  *((intOrPtr*)(_t75 - 0xc));
					return _t70;
				}
			}

0x0040416b
0x00404175
0x0040417b
0x00404181
0x00404184
0x004041af
0x004041b0
0x004041b4
0x004041bb
0x004041c2
0x004041c7
0x004041cc
0x004041cf
0x004041d2
0x004041d6
0x004041f8
0x004041fd
0x00404224
0x00404227
0x00404248
0x0040424f
0x00404254
0x00404256
0x00404256
0x0040425b
0x0040425e
0x00404265
0x0040426a
0x00404229
0x00404229
0x0040422e
0x00404230
0x00404230
0x00404235
0x0040423c
0x00404241
0x00000000
0x00404227
0x00404202
0x00404222
0x00000000
0x00000000
0x00000000
0x00404222
0x00404204
0x00404209
0x0040420b
0x0040420b
0x00404216
0x00000000
0x004041d8
0x004041db
0x004041ee
0x004041ee
0x0040427a
0x0040427a
0x00404280
0x00404281
0x00404284
0x00404287
0x0040428d
0x00404294
0x0040429c
0x0040429f
0x004042a2
0x00000000
0x004042a2
0x00404186
0x00404186
0x0040418c
0x0040418d
0x0040418e
0x00404195
0x0040419b
0x004041a2
0x004042a7
0x004042ae
0x004042b7
0x004042b7

APIs

__EH_prolog.LIBCMT ref: 0040416B

Part of subcall function 0040176A: __EH_prolog.LIBCMT ref: 0040176F
Part of subcall function 0040176A: GetLastError.KERNEL32(0046757C,00467574,ISlogit,?,00431B7C,ISlogit,?,00000000), ref: 00401798
Part of subcall function 0040176A: SetLastError.KERNEL32(?,00000000,00000000,00000000,?,00431B7C,ISlogit,?,00000000), ref: 004017ED

Strings

tuF, xrefs: 0040428D
puF, xrefs: 0040420B
puF, xrefs: 00404230
|uF, xrefs: 004041B4
tuF, xrefs: 004041BB
puF, xrefs: 00404256

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorH_prologLast
String ID: puF$puF$puF$tuF$tuF$|uF
API String ID: 1057991267-627584206
Opcode ID: 5ca6cd0f6d0d5834dfbdcf70c10d8b12134f6e7d13aaaf63bca0f904b2c37a64
Instruction ID: 7a6969f08a8ea200614a0b90726c249e4c28368bb7a4413395ea914fd8fedc56
Opcode Fuzzy Hash: 5ca6cd0f6d0d5834dfbdcf70c10d8b12134f6e7d13aaaf63bca0f904b2c37a64
Instruction Fuzzy Hash: 564166F1D00109EBCF10DF95D8819AFB7A8EB54358B1041BFF51573650E7785D448B99

Uniqueness

Uniqueness Score: -1.00%

Function 0042C5EE Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 93
windowCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E0042C5EE(void* __ecx) {
				intOrPtr _t40;
				struct HWND__* _t41;
				long _t42;
				void* _t51;
				struct HWND__* _t58;
				struct HWND__* _t65;
				void* _t71;
				void* _t73;
				void* _t75;
				void* _t76;
				struct HWND__* _t77;
				void* _t79;
				struct HWND__* _t80;

				L0043B644(0x463864, _t73);
				_t76 = _t75 - 0x3c;
				_t71 = __ecx;
				if(SendMessageW(GetDlgItem( *(__ecx + 4), 0x3f2), 0xf0, 0, 0) != 1) {
					_t77 = _t76 - 0x28;
					 *(_t73 - 0x14) = _t77;
					_t58 = _t77;
					_push(0);
					_push(_t73 - 0xd);
					_push(0x47e150);
					_t58->i = 0x46757c;
					 *((intOrPtr*)(_t58 + 0x20)) = 0x467574;
					L0040176A(_t58);
				} else {
					_t41 = GetDlgItem( *(_t71 + 4), 0x3ed);
					 *(_t73 - 0x14) = _t41;
					_t42 = SendMessageW(_t41, 0x100c, 0xffffffff, 2);
					E0043C5B0(_t73 - 0x48, 0, 0x34);
					_t79 = _t76 + 0xc;
					 *(_t73 - 0x44) = _t42;
					 *(_t73 - 0x48) = 4;
					SendMessageW( *(_t73 - 0x14), 0x104b, 0, _t73 - 0x48);
					_t66 =  *((intOrPtr*)(_t73 - 0x28));
					if( *((intOrPtr*)(_t73 - 0x28)) < 0) {
						_t66 = 0;
					}
					_t51 = E0042C7CC( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t71 + 0xc)) + 4)) + 4)) + 0x2c))() + 0x30, _t66);
					_t80 = _t79 - 0x28;
					 *(_t73 - 0x14) = _t80;
					_t65 = _t80;
					_push(0);
					_push(_t51);
					_t65->i = 0x46757c;
					 *((intOrPtr*)(_t65 + 0x20)) = 0x467574;
					L00401CDD(_t65);
				}
				 *(_t73 - 4) =  *(_t73 - 4) | 0xffffffff;
				E0042C706( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t71 + 0xc)) + 4)) + 4)) + 0x2c))(),  *(_t73 - 4));
				_t40 = 1;
				 *((intOrPtr*)(_t71 + 0x14)) = _t40;
				 *[fs:0x0] =  *((intOrPtr*)(_t73 - 0xc));
				return _t40;
			}

0x0042c5f3
0x0042c5f8
0x0042c604
0x0042c625
0x0042c6b2
0x0042c6b8
0x0042c6bb
0x0042c6bd
0x0042c6bf
0x0042c6c0
0x0042c6c5
0x0042c6cb
0x0042c6d2
0x0042c62b
0x0042c633
0x0042c63f
0x0042c642
0x0042c64e
0x0042c653
0x0042c659
0x0042c65c
0x0042c66e
0x0042c670
0x0042c675
0x0042c677
0x0042c677
0x0042c68e
0x0042c693
0x0042c696
0x0042c699
0x0042c69b
0x0042c69d
0x0042c69e
0x0042c6a4
0x0042c6ab
0x0042c6ab
0x0042c6da
0x0042c6ec
0x0042c6f6
0x0042c6f8
0x0042c6fc
0x0042c705

APIs

__EH_prolog.LIBCMT ref: 0042C5F3
GetDlgItem.USER32 ref: 0042C60E
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 0042C620
GetDlgItem.USER32 ref: 0042C633
SendMessageW.USER32(00000000,0000100C,000000FF,00000002), ref: 0042C642
SendMessageW.USER32(?,0000104B,00000000,?), ref: 0042C66E

Strings

tuF, xrefs: 0042C6CB

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: MessageSend$Item$H_prolog
String ID: tuF
API String ID: 1513258016-1632530568
Opcode ID: d8549e12ba4a41d173235579add27c3e07c88c19fa51d64fe935f18c8aff49fd
Instruction ID: f0153f2d223c15f786859c1d51e5f3795ed6c16c8c6af10891035a20b44b2c05
Opcode Fuzzy Hash: d8549e12ba4a41d173235579add27c3e07c88c19fa51d64fe935f18c8aff49fd
Instruction Fuzzy Hash: 20319070B40205AFD710EFA9CD86F5DBBF8EF48714F10815AF505AB2E1E7B4A9018B59

Uniqueness

Uniqueness Score: -1.00%

Function 004244AC Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 91
registryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E004244AC() {
				int _t38;
				void* _t41;
				void* _t43;
				short* _t49;
				intOrPtr _t68;
				intOrPtr* _t73;
				void* _t75;

				L0043B644(0x462f0f, _t75);
				 *(_t75 - 0x248) = 0;
				 *((intOrPtr*)(_t75 - 0x14)) = 0;
				memset(_t75 - 0x246, 0, 0x81 << 2);
				asm("stosw");
				 *(_t75 - 0x10) = 0;
				_t38 = 0x20019;
				_t68 = 1;
				 *((intOrPtr*)(_t75 - 4)) = _t68;
				if(( *(_t75 + 0xf) & 0x00000080) != 0) {
					 *(_t75 + 0xf) =  *(_t75 + 0xf) & 0x0000007f;
					_t38 = 0x20119;
				}
				if(RegOpenKeyExW(0x80000002, L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion", 0, _t38, _t75 - 0x10) == 0) {
					 *(_t75 - 0x18) = 0x208;
					_t49 = L"CommonFilesDir";
					if( *((intOrPtr*)(_t75 + 0xc)) != _t68) {
						_t49 = L"ProgramFilesDir";
					}
					RegQueryValueExW( *(_t75 - 0x10), _t49, 0, 0, _t75 - 0x248, _t75 - 0x18);
				}
				 *((intOrPtr*)(_t75 - 0x40)) = 0x4680fc;
				 *((intOrPtr*)(_t75 - 0x20)) = 0x4680f4;
				_t41 = _t75 - 0x248;
				if(_t75 == 0x248) {
					_t41 = 0x47e150;
				}
				_push(0);
				_push(_t75 + 0xf);
				_push(_t41);
				L0040176A(_t75 - 0x40);
				 *((char*)(_t75 - 4)) = 2;
				_t43 = E004245CE(_t75 - 0x40, _t75, 0x4764fc);
				_t73 =  *((intOrPtr*)(_t75 + 8));
				_push(0);
				_push(_t43);
				 *_t73 = 0x4680fc;
				 *((intOrPtr*)(_t73 + 0x20)) = 0x4680f4;
				L00401CDD(_t73);
				 *((intOrPtr*)(_t75 - 0x14)) = 1;
				 *((char*)(_t75 - 4)) = 1;
				L0040125C(_t75 - 0x40);
				if( *(_t75 - 0x10) != 0 && RegCloseKey != 0) {
					RegCloseKey( *(_t75 - 0x10));
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t75 - 0xc));
				return _t73;
			}

0x004244b1
0x004244cd
0x004244d4
0x004244d7
0x004244d9
0x004244db
0x004244e4
0x004244e9
0x004244ea
0x004244ed
0x004244ef
0x004244f3
0x004244f3
0x00424510
0x00424515
0x0042451c
0x00424521
0x00424523
0x00424523
0x00424539
0x00424539
0x00424552
0x00424555
0x00424558
0x0042455e
0x00424560
0x00424560
0x00424568
0x00424569
0x0042456a
0x0042456e
0x0042457b
0x0042457f
0x00424584
0x00424587
0x00424589
0x0042458c
0x0042458e
0x00424591
0x00424596
0x004245a0
0x004245a4
0x004245ae
0x004245bc
0x004245bc
0x004245c5
0x004245cd

APIs

__EH_prolog.LIBCMT ref: 004244B1
RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,00000000,00020019,?,004675D0,0047E150), ref: 00424508
RegQueryValueExW.ADVAPI32(?,CommonFilesDir,00000000,00000000,?,00000208), ref: 00424539

Strings

ProgramFilesDir, xrefs: 00424523, 00424535
PG, xrefs: 00424560
CommonFilesDir, xrefs: 0042451C
SOFTWARE\Microsoft\Windows\CurrentVersion, xrefs: 004244FE

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: H_prologOpenQueryValue
String ID: CommonFilesDir$ProgramFilesDir$PG$SOFTWARE\Microsoft\Windows\CurrentVersion
API String ID: 1417423480-2684266171
Opcode ID: a8665801f907deca958c4f4b752ffee4c1c7ca92c3ab1877fcc7c55879655027
Instruction ID: 655dbd02553b8872c1467857c1e3f49068076840b7fde9f6d42c8614ee0802c6
Opcode Fuzzy Hash: a8665801f907deca958c4f4b752ffee4c1c7ca92c3ab1877fcc7c55879655027
Instruction Fuzzy Hash: 5531A571A10228EBDB20DF95DC45BEEBBB8FF54304F00416EE909B3291DB785A44CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004142B9 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 88
librarystringloaderCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E004142B9(intOrPtr __ecx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				WCHAR* _t29;
				void* _t32;
				void* _t46;
				intOrPtr* _t48;
				intOrPtr _t62;
				void* _t64;
				intOrPtr _t66;
				void* _t67;

				L0043B644(0x461144, _t67);
				_push(_t46);
				_t62 = __ecx;
				_t58 = __ecx + 8;
				 *((intOrPtr*)(_t67 - 0x14)) = __ecx;
				 *((intOrPtr*)(_t67 - 0x40)) = __ecx;
				L0043B670(_t67 - 0x80, __ecx + 8, 0x40);
				 *(_t67 - 4) =  *(_t67 - 4) & 0x00000000;
				_push(1);
				_push(_t67 - 0xd);
				_push("C:\\CodeBases\\isdev\\src\\Runtime\\InstallScript\\SetupNew\\setup.cpp");
				_t29 =  *(E0040A5F5(_t67 - 0x3c) + 8);
				if(_t29 == 0) {
					_t29 = 0x4675e4;
				}
				lstrcpyW(_t62 + 0x50, _t29);
				E004061C1(_t67 - 0x3c);
				_t32 = E0043C804(_t46, _t58, _t62 + 0x50, _t67, _t58, 3, 0x43b31a,  *(_t67 - 4), 0x46c848);
				if(_t32 != 0) {
					_t64 = _t32;
					 *((intOrPtr*)( *((intOrPtr*)(_t67 - 0x14)) + 0x390)) = 0xffffec75;
				} else {
					_t66 =  *((intOrPtr*)(_t67 - 0x14));
					_t48 = GetProcAddress( *(_t66 + 0x3a0), "InstallEngineTypelib");
					if(_t48 == 0) {
						L00415C13(_t66, 0xffffec75, 0x1ec);
					}
					_push( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t66 + 4)) + 0x2c))() + 3)));
					if( *_t48() == 0) {
						L00415C13(_t66, 0xffffec75, 0x1f0);
					}
					_t64 = 0;
				}
				L0043B670( *((intOrPtr*)(_t67 - 0x40)) + 8, _t67 - 0x80, 0x40);
				 *[fs:0x0] =  *((intOrPtr*)(_t67 - 0xc));
				return _t64;
			}

0x004142be
0x004142c6
0x004142c8
0x004142d0
0x004142d3
0x004142d8
0x004142db
0x004142e3
0x004142ea
0x004142ec
0x004142ed
0x004142fa
0x004142ff
0x00414301
0x00414301
0x0041430b
0x00414314
0x00414329
0x00414333
0x004143ad
0x004143af
0x00414335
0x00414335
0x0041434a
0x00414353
0x0041435d
0x0041435d
0x0041436e
0x00414373
0x0041437d
0x0041437d
0x00414382
0x00414382
0x00414391
0x0041439e
0x004143a9

APIs

__EH_prolog.LIBCMT ref: 004142BE

Part of subcall function 0040A5F5: __EH_prolog.LIBCMT ref: 0040A5FA
Part of subcall function 0040A5F5: SetLastError.KERNEL32(?,?,00000000,?,?,0040F157,C:\CodeBases\isdev\src\Runtime\InstallScript\SetupNew\setup.cpp,?,00000001,00467574,00000000,0046757C), ref: 0040A660

lstrcpyW.KERNEL32 ref: 0041430B
__setjmp3.LIBCMT ref: 00414329
GetProcAddress.KERNEL32(?,InstallEngineTypelib), ref: 00414344

Strings

InstallEngineTypelib, xrefs: 00414338
C:\CodeBases\isdev\src\Runtime\InstallScript\SetupNew\setup.cpp, xrefs: 004142ED
uF, xrefs: 00414301

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: H_prolog$AddressErrorLastProc__setjmp3lstrcpy
String ID: C:\CodeBases\isdev\src\Runtime\InstallScript\SetupNew\setup.cpp$InstallEngineTypelib$uF
API String ID: 1516252886-4181388478
Opcode ID: c0d60ef795c092831e13d4d4de223bd6875ff7e48a9b8e8086d283b1682a6b1f
Instruction ID: ca5c0180428eb5e0da471363233860eef1d725308275607dcdf2dca3d5b7df0f
Opcode Fuzzy Hash: c0d60ef795c092831e13d4d4de223bd6875ff7e48a9b8e8086d283b1682a6b1f
Instruction Fuzzy Hash: DF21D971B40615ABDB10EB68CC46FDE777CEF84B08F10016AFA05B7291E7789E018799

Uniqueness

Uniqueness Score: -1.00%

Function 0042E02F Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E0042E02F(void* __eflags) {
				void* __edi;
				void* __esi;
				void* _t33;
				intOrPtr* _t39;
				void* _t57;
				intOrPtr* _t60;
				intOrPtr* _t63;
				void* _t65;

				L0043B644(0x463c0b, _t65);
				_push(_t57);
				 *((intOrPtr*)(_t65 - 0x10)) = 0;
				L0042DF6C(_t65 - 0x80);
				 *((intOrPtr*)(_t65 - 4)) = 1;
				_t31 =  *((intOrPtr*)( *((intOrPtr*)(_t65 + 0xc)) + 8));
				if( *((intOrPtr*)( *((intOrPtr*)(_t65 + 0xc)) + 8)) == 0) {
					_t31 = 0x467570;
				}
				if(L00439BD1(_t65 - 0x80, _t57, 0, _t31) != 0) {
					_t33 = L00439C8D(_t65 - 0x80, L"ISInternalVersion");
					 *((intOrPtr*)(_t65 - 0x38)) = 0x46757c;
					 *((intOrPtr*)(_t65 - 0x18)) = 0x467574;
					if(_t33 == 0) {
						_t33 = 0x47e150;
					}
					_push(0);
					_push(_t65 + 0xf);
					_push(_t33);
					L0040176A(_t65 - 0x38);
					_t63 =  *((intOrPtr*)(_t65 + 8));
					_push(0);
					_push(_t65 - 0x38);
					 *((char*)(_t65 - 4)) = 2;
					 *_t63 = 0x46757c;
					 *((intOrPtr*)(_t63 + 0x20)) = 0x467574;
					L00401CDD(_t63);
					 *((intOrPtr*)(_t65 - 0x10)) = 1;
					 *((char*)(_t65 - 4)) = 1;
					L0040125C(_t65 - 0x38);
					 *((intOrPtr*)(_t65 - 0x80)) = 0x46825c;
					L0042DFD4(_t65 - 0x80);
					_t39 = _t63;
				} else {
					_t60 =  *((intOrPtr*)(_t65 + 8));
					_push(0);
					_push(_t65 + 0xf);
					_push(0x47e150);
					 *_t60 = 0x46757c;
					 *((intOrPtr*)(_t60 + 0x20)) = 0x467574;
					L0040176A(_t60);
					 *((intOrPtr*)(_t65 - 0x80)) = 0x46825c;
					L0042DFD4(_t65 - 0x80);
					_t39 = _t60;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t65 - 0xc));
				return _t39;
			}

0x0042e034
0x0042e03f
0x0042e043
0x0042e046
0x0042e04e
0x0042e055
0x0042e05a
0x0042e05c
0x0042e05c
0x0042e06c
0x0042e0ab
0x0042e0bc
0x0042e0bf
0x0042e0c2
0x0042e0c4
0x0042e0c4
0x0042e0cc
0x0042e0cd
0x0042e0ce
0x0042e0d2
0x0042e0d7
0x0042e0dd
0x0042e0df
0x0042e0e2
0x0042e0e6
0x0042e0e8
0x0042e0eb
0x0042e0f3
0x0042e0fa
0x0042e0fe
0x0042e106
0x0042e10d
0x0042e112
0x0042e06e
0x0042e06e
0x0042e074
0x0042e075
0x0042e076
0x0042e07d
0x0042e083
0x0042e08a
0x0042e092
0x0042e099
0x0042e09e
0x0042e09e
0x0042e11a
0x0042e122

APIs

__EH_prolog.LIBCMT ref: 0042E034

Part of subcall function 00439C8D: wsprintfW.USER32 ref: 00439CDE
Part of subcall function 00439C8D: lstrlenW.KERNEL32(?,?,-00000004,-00000004,00000000), ref: 00439CEE

Strings

tuF, xrefs: 0042E083
|uF, xrefs: 0042E0B0
ISInternalVersion, xrefs: 0042E0A3
puF, xrefs: 0042E05C
PG, xrefs: 0042E0C4
tuF, xrefs: 0042E0B5

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: H_prologlstrlenwsprintf
String ID: ISInternalVersion$PG$puF$tuF$tuF$|uF
API String ID: 2237127700-3415886506
Opcode ID: 5dacc58976b0073bdf836eb9eac817ecc1b862a4095e3f656f33812150278631
Instruction ID: 3a72b8dabaed681f13857b2a706e55ec2617fd4b8bd997a7874710a7a68cee49
Opcode Fuzzy Hash: 5dacc58976b0073bdf836eb9eac817ecc1b862a4095e3f656f33812150278631
Instruction Fuzzy Hash: CD215671A00128ABCB04DF99D895ADDBBB4FF5470CF50415FF406A7241EBB85A44CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 0043E570 Relevance: 12.2, APIs: 8, Instructions: 170
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E0043E570(int _a4, int _a8, signed char _a9, short* _a12, int _a16, short* _a20, int _a24, int _a28) {
				signed int _v8;
				intOrPtr _v20;
				char* _v28;
				char* _v32;
				int _v36;
				char* _v40;
				int _v48;
				void* _v60;
				int _t55;
				int _t56;
				int _t57;
				int _t69;
				int _t71;
				int _t72;
				char* _t77;
				int _t78;
				void* _t79;
				int _t84;
				intOrPtr _t89;
				char* _t90;
				int _t93;

				_push(0xffffffff);
				_push(0x468668);
				_push(E0043EA78);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t89;
				_t90 = _t89 - 0x1c;
				_v28 = _t90;
				_t93 =  *0x47e518; // 0x0
				if(_t93 != 0) {
					L5:
					if(_a16 > 0) {
						_t72 = E0043E779(_a12, _a16);
						_pop(_t79);
						_a16 = _t72;
					}
					_t55 =  *0x47e518; // 0x0
					if(_t55 != 1) {
						if(_t55 != 2) {
							goto L30;
						} else {
							if(_a28 == 0) {
								_t71 =  *0x47e510; // 0x0
								_a28 = _t71;
							}
							_t57 = WideCharToMultiByte(_a28, 0x220, _a12, _a16, 0, 0, 0, 0);
							_v36 = _t57;
							if(_t57 == 0) {
								goto L30;
							} else {
								_v8 = 0;
								L0043B9F0(_t57 + 0x00000003 & 0x000000fc, _t79);
								_v28 = _t90;
								_v32 = _t90;
								_v8 = _v8 | 0xffffffff;
								if(_v32 == 0 || WideCharToMultiByte(_a28, 0x220, _a12, _a16, _v32, _v36, 0, 0) == 0) {
									goto L30;
								} else {
									_t84 = LCMapStringA(_a4, _a8, _v32, _v36, 0, 0);
									_v48 = _t84;
									if(_t84 == 0) {
										goto L30;
									} else {
										_v8 = 1;
										L0043B9F0(_t63 + 0x00000003 & 0x000000fc, _t79);
										_v28 = _t90;
										_t77 = _t90;
										_v40 = _t77;
										_v8 = _v8 | 0xffffffff;
										if(_t77 == 0 || LCMapStringA(_a4, _a8, _v32, _v36, _t77, _t84) == 0) {
											goto L30;
										} else {
											if((_a9 & 0x00000004) == 0) {
												if(_a24 != 0) {
													_push(_a24);
													_push(_a20);
												} else {
													_push(0);
													_push(0);
												}
												_t84 = MultiByteToWideChar(_a28, 1, _t77, _t84, ??, ??);
												if(_t84 == 0) {
													goto L30;
												} else {
													goto L29;
												}
											} else {
												_t69 = _a24;
												if(_t69 != 0) {
													if(_t69 >= _t84) {
														_t69 = _t84;
													}
													L0043D810(_a20, _t77, _t69);
												}
												L29:
												_t56 = _t84;
											}
										}
									}
								}
							}
						}
					} else {
						_t56 = LCMapStringW(_a4, _a8, _a12, _a16, _a20, _a24);
					}
				} else {
					_push(0);
					_push(0);
					_t78 = 1;
					if(LCMapStringW(0, 0x100, 0x468664, _t78, ??, ??) == 0) {
						if(LCMapStringA(0, 0x100, 0x468660, _t78, 0, 0) == 0) {
							L30:
							_t56 = 0;
						} else {
							 *0x47e518 = 2;
							goto L5;
						}
					} else {
						 *0x47e518 = _t78;
						goto L5;
					}
				}
				 *[fs:0x0] = _v20;
				return _t56;
			}

0x0043e573
0x0043e575
0x0043e57a
0x0043e585
0x0043e586
0x0043e58d
0x0043e593
0x0043e598
0x0043e59e
0x0043e5e6
0x0043e5e9
0x0043e5f1
0x0043e5f7
0x0043e5f8
0x0043e5f8
0x0043e5fb
0x0043e603
0x0043e625
0x00000000
0x0043e62b
0x0043e62e
0x0043e630
0x0043e635
0x0043e635
0x0043e64a
0x0043e650
0x0043e655
0x00000000
0x0043e65b
0x0043e65b
0x0043e663
0x0043e668
0x0043e66d
0x0043e67e
0x0043e685
0x00000000
0x0043e6af
0x0043e6c3
0x0043e6c5
0x0043e6ca
0x00000000
0x0043e6d0
0x0043e6d0
0x0043e6dc
0x0043e6e1
0x0043e6e4
0x0043e6e6
0x0043e6e9
0x0043e703
0x00000000
0x0043e71d
0x0043e721
0x0043e742
0x0043e748
0x0043e74b
0x0043e744
0x0043e744
0x0043e745
0x0043e745
0x0043e75b
0x0043e75f
0x00000000
0x00000000
0x00000000
0x00000000
0x0043e723
0x0043e723
0x0043e728
0x0043e72c
0x0043e72e
0x0043e72e
0x0043e735
0x0043e73a
0x0043e761
0x0043e761
0x0043e761
0x0043e721
0x0043e703
0x0043e6ca
0x0043e685
0x0043e655
0x0043e605
0x0043e617
0x0043e617
0x0043e5a0
0x0043e5a0
0x0043e5a1
0x0043e5a4
0x0043e5ba
0x0043e5d6
0x0043e765
0x0043e765
0x0043e5dc
0x0043e5dc
0x00000000
0x0043e5dc
0x0043e5bc
0x0043e5bc
0x00000000
0x0043e5bc
0x0043e5ba
0x0043e76d
0x0043e778

APIs

LCMapStringW.KERNEL32(00000000,00000100,00468664,00000001,00000000,00000000,761B70F0,0047FD5C,00000000,|uF,00000000,http://), ref: 0043E5B2
LCMapStringA.KERNEL32(00000000,00000100,00468660,00000001,00000000,00000000), ref: 0043E5CE
LCMapStringW.KERNEL32(?,00000000,00000000,?,00000000,?,761B70F0,0047FD5C,00000000,|uF,00000000,http://), ref: 0043E617
WideCharToMultiByte.KERNEL32(00000000,00000220,00000000,?,00000000,00000000,00000000,00000000,761B70F0,0047FD5C,00000000,|uF,00000000,http://), ref: 0043E64A
WideCharToMultiByte.KERNEL32(?,00000220,00000000,00000000,?,?,00000000,00000000), ref: 0043E6A1
LCMapStringA.KERNEL32(?,00000000,?,?,00000000,00000000), ref: 0043E6BD
LCMapStringA.KERNEL32(?,00000000,?,?,?,00000000), ref: 0043E713

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: String$ByteCharMultiWide
String ID:
API String ID: 352835431-0
Opcode ID: e1598366ca6553a5d6eb547c1cd990060739d66fe1dd0f914d2c4d76f169410f
Instruction ID: b12877698a560f311c55c06d83cf97959f3efec2f2d57d46d6131053ebf01af9
Opcode Fuzzy Hash: e1598366ca6553a5d6eb547c1cd990060739d66fe1dd0f914d2c4d76f169410f
Instruction Fuzzy Hash: 9E516C31902219FFDF229F92CC45ADF7F75FB08B98F10451AF904A12A0D7398951DB99

Uniqueness

Uniqueness Score: -1.00%

Function 004328C6 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 165
memoryCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E004328C6(intOrPtr __ecx, void* __esi) {
				intOrPtr* _t68;
				signed int _t79;
				intOrPtr* _t80;
				signed int _t83;
				intOrPtr* _t86;
				void* _t93;
				intOrPtr _t97;
				void* _t99;
				signed int _t121;
				signed int _t123;
				void* _t124;
				intOrPtr _t125;
				intOrPtr* _t127;
				intOrPtr* _t129;
				void* _t130;

				_t124 = __esi;
				L0043B644(E004642D2, _t130);
				 *(_t130 - 0x20) =  *(_t130 - 0x20) & 0x00000000;
				_t97 = __ecx;
				 *((intOrPtr*)(_t130 - 0x24)) = __ecx;
				 *((intOrPtr*)(_t130 - 0x1c)) =  *((intOrPtr*)(__ecx + 0xc));
				_t68 =  *((intOrPtr*)(__ecx + 8));
				if(_t68 == 0) {
					_t68 = 0x467570;
				}
				__imp__#2(_t68, _t124);
				 *(_t130 - 0xd) =  *(_t130 - 0xd) & 0x00000000;
				 *((intOrPtr*)(_t130 - 0x28)) = _t68;
				 *((intOrPtr*)(_t130 - 0x14)) = _t97;
				if( *((char*)(_t130 + 0x10)) == 0) {
					L12:
					_t121 = 0;
					if( *((intOrPtr*)(_t130 - 0x1c)) <= 0) {
						L31:
						_t125 =  *((intOrPtr*)(_t130 - 0x28));
						 *(_t125 +  *(_t130 - 0x20) * 2) =  *(_t125 +  *(_t130 - 0x20) * 2) & 0x00000000;
						L00401E03(_t97, _t125);
						_t155 =  *(_t130 - 0xd);
						if( *(_t130 - 0xd) != 0) {
							_push(_t130 - 0x78);
							E00432AB6(_t97, _t155);
							L0040125C(_t130 - 0x78);
						}
						__imp__#6(_t125);
						if( *((char*)(_t130 + 0x10)) != 0 &&  *((intOrPtr*)(_t130 - 0x14)) != 0) {
							L0040125C( *((intOrPtr*)(_t130 - 0x14)));
							E0043AE17( *((intOrPtr*)(_t130 - 0x14)));
						}
						 *[fs:0x0] =  *((intOrPtr*)(_t130 - 0xc));
						return _t97;
					}
					 *((intOrPtr*)(_t130 - 0x18)) =  *((intOrPtr*)(_t130 - 0x28));
					while( *((short*)(L00429839( *((intOrPtr*)(_t130 - 0x14)), _t121))) != 0) {
						_t99 = 0;
						_t79 = 0;
						if( *((intOrPtr*)(_t130 + 0xc)) <= 0) {
							L29:
							_t80 = L00429839( *((intOrPtr*)(_t130 - 0x14)), _t121);
							 *(_t130 - 0x20) =  *(_t130 - 0x20) + 1;
							 *((intOrPtr*)(_t130 - 0x18)) =  *((intOrPtr*)(_t130 - 0x18)) + 2;
							 *((short*)( *((intOrPtr*)(_t130 - 0x18)))) =  *_t80;
							L30:
							_t97 =  *((intOrPtr*)(_t130 - 0x24));
							_t121 = _t121 + 1;
							if(_t121 <  *((intOrPtr*)(_t130 - 0x1c))) {
								continue;
							}
							goto L31;
						}
						_t127 =  *((intOrPtr*)(_t130 + 8));
						while(_t79 == 0) {
							if( *((intOrPtr*)(_t130 + 0x10)) == _t79 ||  *_t127 != 0x3a ||  *((short*)(L00429839( *((intOrPtr*)(_t130 - 0x14)), _t121))) != 0x3a) {
								_t83 =  *((intOrPtr*)(L00429839( *((intOrPtr*)(_t130 - 0x14)), _t121)));
								__eflags = _t83 -  *_t127;
								_t41 = _t83 ==  *_t127;
								__eflags = _t41;
								_t79 = _t83 & 0xffffff00 | _t41;
							} else {
								if(_t121 <= 1 || _t121 >=  *((intOrPtr*)(_t130 - 0x1c))) {
									_t79 = 0;
								} else {
									_t79 = 1;
								}
							}
							_t99 = _t99 + 1;
							_t127 = _t127 + 2;
							if(_t99 <  *((intOrPtr*)(_t130 + 0xc))) {
								continue;
							} else {
								if(_t79 != 0) {
									goto L30;
								}
								goto L29;
							}
						}
						goto L30;
					}
					goto L31;
				} else {
					_t129 = L0043BC14(0x28);
					 *((intOrPtr*)(_t130 - 0x18)) = _t129;
					 *(_t130 - 4) =  *(_t130 - 4) & 0x00000000;
					if(_t129 == 0) {
						_t129 = 0;
						__eflags = 0;
					} else {
						_push(0);
						_push(_t97);
						 *_t129 = 0x4675a0;
						 *((intOrPtr*)(_t129 + 0x20)) = 0x467598;
						L00401CDD(_t129);
					}
					_t86 =  *((intOrPtr*)(_t129 + 8));
					 *(_t130 - 4) =  *(_t130 - 4) | 0xffffffff;
					 *((intOrPtr*)(_t130 - 0x14)) = _t129;
					if(_t86 == 0) {
						_t86 = 0x467570;
					}
					if( *_t86 != 0x22) {
						L24:
						 *(_t130 - 0xd) =  *(_t130 - 0xd) & 0x00000000;
						goto L11;
					} else {
						_t93 = L00405618(_t129);
						_t140 = _t93 - 0x22;
						if(_t93 != 0x22) {
							goto L24;
						}
						 *(_t130 - 0xd) = 1;
						E00432B74(_t129);
						L11:
						_t123 = 1;
						_push(_t123);
						_push(_t130 - 0xe);
						_push(L"\n\t ");
						L0040176A(_t130 - 0x50);
						 *(_t130 - 4) = _t123;
						E0040A5B2(_t129, _t130, _t140, _t130 - 0x50);
						 *(_t130 - 4) =  *(_t130 - 4) | 0xffffffff;
						L0040125C(_t130 - 0x50);
						goto L12;
					}
				}
			}

0x004328c6
0x004328cb
0x004328d4
0x004328d8
0x004328db
0x004328e6
0x004328e9
0x004328ee
0x004328f0
0x004328f0
0x004328f4
0x004328fa
0x00432902
0x00432905
0x00432908
0x004329a6
0x004329a6
0x004329ab
0x00432a53
0x00432a53
0x00432a5c
0x00432a61
0x00432a66
0x00432a6a
0x00432a71
0x00432a72
0x00432a7a
0x00432a7a
0x00432a80
0x00432a8b
0x00432a96
0x00432a9e
0x00432aa3
0x00432aab
0x00432ab3
0x00432ab3
0x004329b4
0x004329b7
0x004329ca
0x004329cc
0x004329d1
0x00432a2d
0x00432a31
0x00432a3c
0x00432a3f
0x00432a43
0x00432a46
0x00432a46
0x00432a49
0x00432a4d
0x00000000
0x00000000
0x00000000
0x00432a4d
0x004329d3
0x004329d6
0x004329dd
0x00432a18
0x00432a1b
0x00432a1e
0x00432a1e
0x00432a1e
0x004329f4
0x004329f7
0x00432a0b
0x004329fe
0x004329fe
0x004329fe
0x004329f7
0x00432a21
0x00432a23
0x00432a27
0x00000000
0x00432a29
0x00432a2b
0x00000000
0x00000000
0x00000000
0x00432a2b
0x00432a27
0x00000000
0x004329d6
0x00000000
0x0043290e
0x00432915
0x00432918
0x0043291b
0x00432921
0x0043293c
0x0043293c
0x00432923
0x00432923
0x00432925
0x00432928
0x0043292e
0x00432935
0x00432935
0x0043293e
0x00432941
0x00432947
0x0043294a
0x0043294c
0x0043294c
0x00432955
0x00432a02
0x00432a02
0x00000000
0x0043295b
0x0043295d
0x00432962
0x00432966
0x00000000
0x00000000
0x0043296e
0x00432972
0x00432977
0x0043297c
0x00432980
0x00432981
0x00432982
0x00432987
0x00432992
0x00432995
0x0043299a
0x004329a1
0x00000000
0x004329a1
0x00432955

APIs

__EH_prolog.LIBCMT ref: 004328CB
SysAllocString.OLEAUT32(?), ref: 004328F4
SysFreeString.OLEAUT32(?), ref: 00432A80

Strings

:*?"<>|, xrefs: 004328F2
puF, xrefs: 004328DE
, xrefs: 00432982

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: String$AllocFreeH_prolog
String ID: $:*?"<>|$puF
API String ID: 1061292655-3043319152
Opcode ID: 772cad83505cc7c6c608efab7b8c32cb59787cc5b1418da7ac69a670211b4104
Instruction ID: bdc3ea3b981b4bcc241983d99027032b3e38583c76c41153b3041be09a859f64
Opcode Fuzzy Hash: 772cad83505cc7c6c608efab7b8c32cb59787cc5b1418da7ac69a670211b4104
Instruction Fuzzy Hash: 17518A71E00255ABCF21EF98CA817AEB7B4BF49314F10505FE845B7281D7B85D41CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00458A20 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 158
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00458A20() {
				void* __ebp;
				intOrPtr _t55;
				intOrPtr _t57;
				intOrPtr _t61;
				intOrPtr _t62;
				intOrPtr _t94;
				void* _t109;
				intOrPtr _t110;
				intOrPtr _t111;
				intOrPtr _t112;
				intOrPtr* _t118;
				signed int _t120;
				intOrPtr* _t123;
				intOrPtr _t124;
				signed int _t133;
				intOrPtr* _t136;
				intOrPtr _t139;
				void* _t140;
				void* _t141;

				_push(0xffffffff);
				_push(E00466888);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t139;
				_t140 = _t139 - 0x2c;
				_t55 =  *0x467590; // 0x24
				 *((intOrPtr*)(_t140 + 0x10)) = 0;
				 *(_t140 + 0x14) = 0x46758c;
				 *(_t140 + 0x34) = 0x467584;
				 *((intOrPtr*)(_t140 + _t55 + 0x14)) = GetLastError();
				_t57 =  *((intOrPtr*)(_t140 + 0x50));
				 *((intOrPtr*)(_t140 + 0x44)) = 0;
				if(_t57 == 0) {
					_t123 = 0;
					__eflags = 0;
				} else {
					_t123 = _t57 + 4;
				}
				 *((char*)(_t140 + 0x1c)) =  *_t123;
				E0040213C(_t140 + 0x1c, 0);
				_t110 =  *0x467594; // 0xffffffff
				E004024B9(_t140 + 0x18, _t123, 0, _t110);
				 *(_t140 + 0x2c) = 0;
				 *((intOrPtr*)(_t140 + 0x30)) = 0;
				 *(_t140 + 0x34) = 0;
				L00447D70(_t140 + 0x38, 0);
				_t61 =  *((intOrPtr*)(_t140 + 0x54));
				 *((intOrPtr*)(_t140 + 0x44)) = 1;
				if(_t61 == 0) {
					_t136 = 0;
					__eflags = 0;
				} else {
					_t136 = _t61 + 4;
				}
				_t62 =  *0x467594; // 0xffffffff
				_t94 =  *((intOrPtr*)(_t136 + 8));
				_t124 = _t62;
				if(_t94 < _t124) {
					_t124 = _t94;
				}
				_t146 = _t62 -  *(_t140 + 0x20) - _t124;
				if(_t62 -  *(_t140 + 0x20) <= _t124) {
					L0043AE22(_t146);
				}
				if(_t124 > 0) {
					_t120 =  *(_t140 + 0x20) + _t124;
					if(E004020B3(_t140 + 0x1c, _t136, _t120, 0) != 0) {
						_t108 =  *((intOrPtr*)(_t136 + 4));
						if( *((intOrPtr*)(_t136 + 4)) == 0) {
							_t108 = 0x467570;
						}
						L00447180( *((intOrPtr*)(_t140 + 0x1c)) +  *(_t140 + 0x20) * 2, _t108, _t124);
						_t109 =  *(_t140 + 0x28);
						 *(_t140 + 0x2c) = _t120;
						_t140 = _t140 + 0xc;
						 *((short*)(_t109 + _t120 * 2)) = 0;
					}
				}
				_t118 =  *((intOrPtr*)(_t140 + 0x4c));
				 *_t118 = 0x46758c;
				 *((intOrPtr*)(_t118 + 0x20)) = 0x467584;
				_t111 =  *0x467590; // 0x24
				 *((intOrPtr*)(_t111 + _t118)) = GetLastError();
				asm("sbb esi, esi");
				 *((char*)(_t140 + 0x48)) = 2;
				 *((char*)(_t118 + 4)) =  *( ~(_t140 + 0x14) & _t140 + 0x00000018);
				E0040213C(_t118 + 4, 0);
				_t112 =  *0x467594; // 0xffffffff
				E004024B9(_t118 + 4,  ~(_t140 + 0x14) & _t140 + 0x00000018, 0, _t112);
				L00447D30(_t118 + 0x14);
				L00447D70(_t118 + 0x20, 0);
				asm("sbb eax, eax");
				 *((intOrPtr*)( *((intOrPtr*)( *( ~(_t140 + 0x14) & _t140 + 0x00000034) + 4)) + ( ~(_t140 + 0x14) & _t140 + 0x00000034))) = GetLastError();
				asm("sbb esi, esi");
				_t133 =  ~(_t140 + 0x14) & _t140 + 0x00000028;
				E0043AE17( *_t133);
				_t46 = _t133 + 8; // 0xffffffff
				_t141 = _t140 + 4;
				__imp__#6( *_t46);
				asm("sbb ecx, ecx");
				E0040213C( ~(_t141 + 0x14) & _t141 + 0x00000018, 1);
				SetLastError( *(_t141 +  *((intOrPtr*)( *(_t141 + 0x14) + 4)) + 0x14));
				 *[fs:0x0] =  *((intOrPtr*)(_t141 + 0x3c));
				return _t118;
			}

0x00458a20
0x00458a22
0x00458a2d
0x00458a2e
0x00458a35
0x00458a38
0x00458a43
0x00458a47
0x00458a4f
0x00458a61
0x00458a63
0x00458a67
0x00458a6d
0x00458a74
0x00458a74
0x00458a6f
0x00458a6f
0x00458a6f
0x00458a79
0x00458a81
0x00458a86
0x00458a93
0x00458a9d
0x00458aa1
0x00458aa5
0x00458aa9
0x00458aae
0x00458ab2
0x00458abc
0x00458ac3
0x00458ac3
0x00458abe
0x00458abe
0x00458abe
0x00458ac5
0x00458aca
0x00458acd
0x00458ad1
0x00458ad3
0x00458ad3
0x00458ad9
0x00458adb
0x00458add
0x00458add
0x00458ae4
0x00458aef
0x00458afa
0x00458afc
0x00458b01
0x00458b03
0x00458b03
0x00458b16
0x00458b1b
0x00458b1f
0x00458b23
0x00458b26
0x00458b26
0x00458afa
0x00458b2a
0x00458b31
0x00458b37
0x00458b3e
0x00458b4d
0x00458b59
0x00458b62
0x00458b69
0x00458b6d
0x00458b72
0x00458b7e
0x00458b86
0x00458b8f
0x00458b9e
0x00458baf
0x00458bb7
0x00458bbd
0x00458bc2
0x00458bc7
0x00458bca
0x00458bce
0x00458bde
0x00458be4
0x00458bf5
0x00458c05
0x00458c0f

APIs

GetLastError.KERNEL32 ref: 00458A5B
GetLastError.KERNEL32(00000000,00000000,00000000,FFFFFFFF,00000000), ref: 00458B47
GetLastError.KERNEL32(00000000,0046758C,00000000,FFFFFFFF,?,?,?,?,00000000), ref: 00458BA9
SysFreeString.OLEAUT32(FFFFFFFF), ref: 00458BCE
SetLastError.KERNEL32(?,00000001), ref: 00458BF5

Strings

puF, xrefs: 00458B03

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorLast$FreeString
String ID: puF
API String ID: 2425351278-1715984468
Opcode ID: d8b8b6e174d3a1e642e147f9380a520c34cf5dcc5d52f425d1e600582e2a4f66
Instruction ID: 7fa4728629c01f13b97fc580e9f66572df039ee493f9cd44b4e7f62d8df5b5a7
Opcode Fuzzy Hash: d8b8b6e174d3a1e642e147f9380a520c34cf5dcc5d52f425d1e600582e2a4f66
Instruction Fuzzy Hash: 4C5193716082519FC714DF24C98095BB7E4FF84708F10496EF986A7341EB78ED09CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00404ADB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 98
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E00404ADB() {
				void* _t43;
				struct HINSTANCE__* _t50;
				_Unknown_base(*)()* _t51;
				void* _t56;
				signed int _t59;
				intOrPtr* _t63;
				void* _t64;
				intOrPtr* _t70;
				void* _t80;

				L0043B644(0x45f3db, _t80);
				 *(_t80 - 0x14) =  *(_t80 - 0x14) & 0x00000000;
				_t59 = 1;
				if( *((intOrPtr*)(_t80 + 0xc)) != _t59) {
					L5:
					__eflags = GetWindowsDirectoryW(_t80 - 0x26c, 0x104);
					if(__eflags == 0) {
						E00404959(_t80 - 0x30, __eflags);
						L0043BD6A(_t80 - 0x30, 0x46a390);
					}
					_push(0);
					_push(_t80 - 0xd);
					_push(_t80 - 0x26c);
					 *((intOrPtr*)(_t80 - 0x3c)) = 0x4675a0;
					 *((intOrPtr*)(_t80 - 0x1c)) = 0x467598;
					L0040176A(_t80 - 0x3c);
					 *(_t80 - 4) = 2;
					_t43 = L00404D3C(_t80 - 0x3c, _t80, 0x4764fc);
					_t63 =  *((intOrPtr*)(_t80 + 8));
					_push(0);
					_push(_t43);
					 *_t63 = 0x4675a0;
					 *((intOrPtr*)(_t63 + 0x20)) = 0x467598;
					L00401CDD(_t63);
					_t30 = _t80 - 4;
					 *_t30 =  *(_t80 - 4) & 0x00000000;
					__eflags =  *_t30;
					 *(_t80 - 0x14) = _t59;
					_t64 = _t80 - 0x3c;
				} else {
					_t50 = GetModuleHandleW(L"KERNEL32.DLL");
					if(_t50 == 0) {
						goto L5;
					} else {
						_t51 = GetProcAddress(_t50, "GetSystemWindowsDirectoryW");
						 *0x47651c = _t51;
						if(_t51 == 0) {
							goto L5;
						} else {
							_push(0x104);
							_push(_t80 - 0x26c);
							if( *_t51() == 0) {
								goto L5;
							} else {
								_push(0);
								_push(_t80 + 0xf);
								_push(_t80 - 0x26c);
								 *((intOrPtr*)(_t80 - 0x64)) = 0x4675a0;
								 *((intOrPtr*)(_t80 - 0x44)) = 0x467598;
								L0040176A(_t80 - 0x64);
								 *(_t80 - 4) = _t59;
								_t56 = L00404D3C(_t80 - 0x64, _t80, 0x4764fc);
								_t70 =  *((intOrPtr*)(_t80 + 8));
								_push(0);
								_push(_t56);
								 *_t70 = 0x4675a0;
								 *((intOrPtr*)(_t70 + 0x20)) = 0x467598;
								L00401CDD(_t70);
								 *(_t80 - 0x14) = _t59;
								 *(_t80 - 4) =  *(_t80 - 4) & 0x00000000;
								_t64 = _t80 - 0x64;
							}
						}
					}
				}
				L0040125C(_t64);
				 *[fs:0x0] =  *((intOrPtr*)(_t80 - 0xc));
				return  *((intOrPtr*)(_t80 + 8));
			}

0x00404ae0
0x00404aeb
0x00404af9
0x00404afd
0x00404b86
0x00404b94
0x00404b96
0x00404b9b
0x00404ba9
0x00404ba9
0x00404bb1
0x00404bb3
0x00404bc4
0x00404bc8
0x00404bcb
0x00404bce
0x00404bdb
0x00404be2
0x00404be7
0x00404bea
0x00404bec
0x00404bed
0x00404bef
0x00404bf2
0x00404bf7
0x00404bf7
0x00404bf7
0x00404bfb
0x00404bfe
0x00404b03
0x00404b08
0x00404b10
0x00000000
0x00404b12
0x00404b18
0x00404b20
0x00404b25
0x00000000
0x00404b27
0x00404b2d
0x00404b2e
0x00404b33
0x00000000
0x00404b35
0x00404b38
0x00404b3a
0x00404b4b
0x00404b4f
0x00404b52
0x00404b55
0x00404b62
0x00404b65
0x00404b6a
0x00404b6d
0x00404b6f
0x00404b70
0x00404b72
0x00404b75
0x00404b7a
0x00404b7d
0x00404b81
0x00404b81
0x00404b33
0x00404b25
0x00404b10
0x00404c01
0x00404c0f
0x00404c17

APIs

__EH_prolog.LIBCMT ref: 00404AE0
GetModuleHandleW.KERNEL32(KERNEL32.DLL,004675A0,00467598,00000000), ref: 00404B08
GetProcAddress.KERNEL32(00000000,GetSystemWindowsDirectoryW), ref: 00404B18

Part of subcall function 0040176A: __EH_prolog.LIBCMT ref: 0040176F
Part of subcall function 0040176A: GetLastError.KERNEL32(0046757C,00467574,ISlogit,?,00431B7C,ISlogit,?,00000000), ref: 00401798
Part of subcall function 0040176A: SetLastError.KERNEL32(?,00000000,00000000,00000000,?,00431B7C,ISlogit,?,00000000), ref: 004017ED

Part of subcall function 00401CDD: __EH_prolog.LIBCMT ref: 00401CE2
Part of subcall function 00401CDD: GetLastError.KERNEL32(00467574,00000000,0046757C,?,004021DC,?,00000000,00000000,00000000,?,00000000), ref: 00401D0A
Part of subcall function 00401CDD: SetLastError.KERNEL32(?,00000000,00000000,00000000,?,004021DC,?,00000000,00000000,00000000,?,00000000), ref: 00401D57

GetWindowsDirectoryW.KERNEL32(?,00000104,004675A0,00467598,00000000), ref: 00404B8E

Strings

KERNEL32.DLL, xrefs: 00404B03
GetSystemWindowsDirectoryW, xrefs: 00404B12

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorLast$H_prolog$AddressDirectoryHandleModuleProcWindows
String ID: GetSystemWindowsDirectoryW$KERNEL32.DLL
API String ID: 2924604265-1259663462
Opcode ID: 6675b4d95a3e391d64bc5d684259bf850958cddcfff4a560b564c869c6e3ed7a
Instruction ID: 8d9058c2a68a93a63702d35f4bc34adc4d3560b31de895733e665967f7c410c9
Opcode Fuzzy Hash: 6675b4d95a3e391d64bc5d684259bf850958cddcfff4a560b564c869c6e3ed7a
Instruction Fuzzy Hash: 5B316FB1D05208ABDB10EFA1D845BDEB7B8AF44714F20406FE509B7291EB78AA04CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0042A556 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E0042A556() {
				void* __esi;
				signed int _t39;
				signed int _t42;
				signed int _t44;
				intOrPtr _t46;
				signed int _t47;
				signed int _t52;
				intOrPtr* _t67;
				intOrPtr _t78;
				void* _t80;
				void* _t82;
				void* _t83;
				intOrPtr* _t84;

				L0043B644(0x463544, _t80);
				_t83 = _t82 - 0x54;
				if( *((intOrPtr*)(_t80 + 0x10)) != 0) {
					_t39 =  *(_t80 + 0xc);
					__eflags = _t39;
					 *((intOrPtr*)(_t80 - 0x38)) = 0x46757c;
					 *((intOrPtr*)(_t80 - 0x18)) = 0x467574;
					if(_t39 == 0) {
						_t39 = 0x47e150;
					}
					_push(0);
					_push(_t80 - 0xd);
					_push(_t39);
					L0040176A(_t80 - 0x38);
					_push(0);
					_push(_t80 - 0x60);
					 *(_t80 - 4) = 0;
					_t42 = L004056FB(_t80 - 0x38, 0, __eflags);
					asm("sbb ecx, ecx");
					 *(_t80 - 4) = 1;
					_t44 = L0041B475(__eflags,  ~_t42 & _t42 + 0x00000004, L"ISBEW64.exe");
					_t78 =  *((intOrPtr*)(_t80 + 8));
					__eflags = _t44;
					if(_t44 == 0) {
						L7:
						_t16 = _t80 + 0xb;
						 *_t16 =  *(_t80 + 0xb) & 0x00000000;
						__eflags =  *_t16;
					} else {
						__eflags =  *(_t78 + 0x3ac) - 0xa;
						__eflags = _t44 & 0xffffff00 |  *(_t78 + 0x3ac) - 0x0000000a < 0x00000000;
						if((_t44 & 0xffffff00 |  *(_t78 + 0x3ac) - 0x0000000a < 0x00000000) == 0) {
							goto L7;
						} else {
							 *(_t80 + 0xb) = 1;
						}
					}
					 *(_t80 - 4) =  *(_t80 - 4) & 0x00000000;
					L0040125C(_t80 - 0x60);
					__eflags =  *(_t80 + 0xb);
					if( *(_t80 + 0xb) != 0) {
						_t23 = _t78 + 0x3ac;
						 *_t23 =  *(_t78 + 0x3ac) + 1;
						__eflags =  *_t23;
						 *((intOrPtr*)( *((intOrPtr*)(_t80 + 0x10)))) = 4;
					}
					_t46 =  *((intOrPtr*)(_t78 + 0x298));
					__eflags = _t46 - 5;
					if(_t46 == 5) {
						L12:
						_t47 =  *(_t80 + 0xc);
						_t84 = _t83 - 0x28;
						_t67 = _t84;
						 *((intOrPtr*)(_t80 + 8)) = _t84;
						__eflags = _t47;
						 *_t67 = 0x46757c;
						 *((intOrPtr*)(_t67 + 0x20)) = 0x467574;
						if(_t47 == 0) {
							_t47 = 0x47e150;
						}
						_push(0);
						_push(_t80 + 0xb);
						_push(_t47);
						L0040176A(_t67);
						L0040EF21( *((intOrPtr*)(_t78 + 0x3a4)));
					} else {
						__eflags = _t46 - 0x64;
						if(_t46 == 0x64) {
							goto L12;
						}
					}
					 *(_t80 - 4) =  *(_t80 - 4) | 0xffffffff;
					 *((intOrPtr*)( *((intOrPtr*)(_t80 + 0x10)))) =  *((intOrPtr*)(_t78 + 0x298));
					L0040125C(_t80 - 0x38);
					_t52 = 0;
					__eflags = 0;
				} else {
					_t52 = 0x80004003;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t80 - 0xc));
				return _t52;
			}

0x0042a55b
0x0042a560
0x0042a56b
0x0042a577
0x0042a584
0x0042a586
0x0042a589
0x0042a58c
0x0042a58e
0x0042a58e
0x0042a596
0x0042a597
0x0042a598
0x0042a59c
0x0042a5a4
0x0042a5a5
0x0042a5a9
0x0042a5ac
0x0042a5b8
0x0042a5c1
0x0042a5c6
0x0042a5cb
0x0042a5cf
0x0042a5d2
0x0042a5e8
0x0042a5e8
0x0042a5e8
0x0042a5e8
0x0042a5d4
0x0042a5d4
0x0042a5de
0x0042a5e0
0x00000000
0x0042a5e2
0x0042a5e2
0x0042a5e2
0x0042a5e0
0x0042a5ec
0x0042a5f3
0x0042a5f8
0x0042a5fc
0x0042a601
0x0042a601
0x0042a601
0x0042a607
0x0042a607
0x0042a60d
0x0042a613
0x0042a616
0x0042a61d
0x0042a61d
0x0042a620
0x0042a623
0x0042a625
0x0042a628
0x0042a62a
0x0042a62c
0x0042a62f
0x0042a631
0x0042a631
0x0042a639
0x0042a63b
0x0042a63c
0x0042a63d
0x0042a648
0x0042a618
0x0042a618
0x0042a61b
0x00000000
0x00000000
0x0042a61b
0x0042a656
0x0042a65a
0x0042a65f
0x0042a664
0x0042a664
0x0042a56d
0x0042a56d
0x0042a56d
0x0042a66b
0x0042a674

APIs

__EH_prolog.LIBCMT ref: 0042A55B

Strings

ISBEW64.exe, xrefs: 0042A5BA
|uF, xrefs: 0042A57A
tuF, xrefs: 0042A57F
PG, xrefs: 0042A58E
PG, xrefs: 0042A631

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: H_prolog
String ID: ISBEW64.exe$PG$PG$tuF$|uF
API String ID: 3519838083-3411886652
Opcode ID: 20084f015ab84b970a63eafb3894105fbae94c096ae675ec64f95b130fc73df9
Instruction ID: c11d68d4a8b6babe37134e79f5b1f6d48618352d81d3a5f433b200455ab2d00c
Opcode Fuzzy Hash: 20084f015ab84b970a63eafb3894105fbae94c096ae675ec64f95b130fc73df9
Instruction Fuzzy Hash: 7231D271A00254EFCB15DF68D841BDE7BA4EF05314F50856FF84AAB281D7789A41CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 0042A14A Relevance: 10.6, APIs: 7, Instructions: 92
windowCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E0042A14A(void* __ebx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				struct tagMSG _v32;
				void* __ebp;
				int _t31;
				intOrPtr* _t32;
				signed int _t37;
				void* _t52;
				void* _t55;
				signed int _t57;
				void* _t61;
				int _t66;
				intOrPtr _t67;

				_t61 = __edx;
				_t52 = __ebx;
				_t31 = PeekMessageW( &_v32, 0, 0, 0, 1);
				_t67 = _a4;
				if(_t31 != 0 && IsDialogMessageW( *(_t67 + 0x26c),  &_v32) == 0) {
					TranslateMessage( &_v32);
					DispatchMessageW( &_v32);
				}
				_t32 =  *((intOrPtr*)(_t67 + 0x264));
				if(_t32 == 0) {
					 *((intOrPtr*)(_t67 + 0x278)) =  *((intOrPtr*)(_t67 + 0x278)) + _a8;
					asm("adc [esi+0x27c], edi");
					if( *(_t67 + 0x26c) != 0) {
						_push(_t52);
						_t53 =  *((intOrPtr*)(_t67 + 0x394));
						_t37 = E0043C750(E0043CB70( *((intOrPtr*)(_t67 + 0x278)),  *((intOrPtr*)(_t67 + 0x27c)), 0x64, 0), _t61,  *((intOrPtr*)(_t67 + 0x270)),  *((intOrPtr*)(_t67 + 0x274)));
						_t55 = 0x5f;
						_t57 = 0x64;
						_t66 = _t37 * (_t55 -  *((intOrPtr*)(_t67 + 0x394))) / _t57 + _t53;
						if( *(_t67 + 0x398) != _t66) {
							SendMessageW(GetDlgItem( *(_t67 + 0x26c), 0x12d), 0x402, _t66, 0);
							 *(_t67 + 0x398) = _t66;
							if( *((char*)( *((intOrPtr*)( *((intOrPtr*)(_t67 + 4)) + 0x2c))() + 0x12)) != 0) {
								E0042A26A(_t67);
							}
						}
					}
					if( *0x47e1e0 == 0) {
						return 0;
					} else {
						 *0x47e1e0 =  *0x47e1e0 & 0x00000000;
						return 0x80042000;
					}
				}
				return  *((intOrPtr*)( *_t32 + 0x1c))(_t32, _a8);
			}

0x0042a14a
0x0042a14a
0x0042a15d
0x0042a163
0x0042a168
0x0042a182
0x0042a18c
0x0042a18c
0x0042a192
0x0042a19a
0x0042a1ad
0x0042a1b3
0x0042a1bf
0x0042a1c5
0x0042a1c6
0x0042a1ee
0x0042a1f7
0x0042a1ff
0x0042a204
0x0042a20d
0x0042a229
0x0042a235
0x0042a242
0x0042a246
0x0042a246
0x0042a242
0x0042a20d
0x0042a252
0x00000000
0x0042a254
0x0042a254
0x00000000
0x0042a25b
0x0042a252
0x00000000

APIs

PeekMessageW.USER32 ref: 0042A15D
IsDialogMessageW.USER32(?,?), ref: 0042A174
TranslateMessage.USER32(?), ref: 0042A182
DispatchMessageW.USER32 ref: 0042A18C
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042A1EE
GetDlgItem.USER32 ref: 0042A222
SendMessageW.USER32(00000000,?,?,?), ref: 0042A229

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekSendTranslateUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 3948106488-0
Opcode ID: 83899a892b683dc0eadbf6eaff9bbac9d0781c8783a6f2ecfd58532b8e265da9
Instruction ID: 8df5d801e70c81b3cccd6d9cc8faba48f658a8d6c6a01885ba217d94e809191c
Opcode Fuzzy Hash: 83899a892b683dc0eadbf6eaff9bbac9d0781c8783a6f2ecfd58532b8e265da9
Instruction Fuzzy Hash: 5B31F531608701ABDB219F70EC4CFA77BB9FB84704F50846EF55A82191DB7AA811CB19

Uniqueness

Uniqueness Score: -1.00%

Function 0042035D Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E0042035D(void* __eflags) {
				intOrPtr _t38;
				intOrPtr _t40;
				intOrPtr _t43;
				intOrPtr _t51;
				void* _t59;
				void* _t62;
				void* _t64;
				intOrPtr _t69;

				L0043B644(E00462848, _t62);
				 *((intOrPtr*)(_t62 - 0x10)) = _t64 - 0x3c;
				_push(2);
				_push(_t62 + 0xc);
				 *(_t62 - 4) = 0;
				_t59 = E00420489();
				_push(0);
				_push(_t62 - 0x11);
				 *((intOrPtr*)(_t62 - 0x44)) = 0x46757c;
				 *((intOrPtr*)(_t62 - 0x24)) = 0x467574;
				L00401C68(_t62 - 0x44);
				 *(_t62 - 4) = 1;
				_push(_t62 - 0x44);
				_push(_t62 - 0x18);
				_push(_t62 - 0x1c);
				_push(_t62 + 0xc);
				 *((intOrPtr*)(_t62 - 0x1c)) = 0;
				 *((intOrPtr*)(_t62 - 0x18)) = 0;
				E00420787();
				_t69 =  *0x47e284; // 0x0
				if(_t69 == 0) {
					 *0x47e284 = L0043CCA2(E0042025A);
				}
				_push(0);
				_push(_t59);
				L0042C8CA();
				_t38 =  *((intOrPtr*)(_t62 - 0x3c));
				if(_t38 == 0) {
					_t38 = 0x467570;
				}
				_push( *((intOrPtr*)(_t62 - 0x18)));
				_push(_t38);
				_push( *((intOrPtr*)(_t62 - 0x1c)));
				L0042C8DC();
				_t51 =  *((intOrPtr*)(_t62 + 0x14));
				if(_t51 == 0) {
					_t51 = 0x4675e4;
				}
				_t20 =  *((intOrPtr*)(_t62 + 8)) + 8; // 0x4
				_t40 =  *_t20;
				if(_t40 == 0) {
					_t40 = 0x4675e4;
				}
				_push(_t51);
				_push(_t40);
				L0042C8EE();
				 *(_t62 - 4) = 0;
				L0040125C(_t62 - 0x44);
				 *(_t62 - 4) =  *(_t62 - 4) | 0xffffffff;
				E004061C1(_t62 + 0xc);
				_t43 = _t40;
				 *[fs:0x0] =  *((intOrPtr*)(_t62 - 0xc));
				return _t43;
			}

0x00420362
0x0042036d
0x00420375
0x00420377
0x00420378
0x00420381
0x00420387
0x00420388
0x0042038c
0x00420393
0x0042039a
0x004203a2
0x004203a6
0x004203aa
0x004203ae
0x004203b2
0x004203b3
0x004203b6
0x004203b9
0x004203c1
0x004203c7
0x004203d4
0x004203d4
0x004203d9
0x004203da
0x004203db
0x004203e0
0x004203e5
0x004203e7
0x004203e7
0x004203ec
0x004203ef
0x004203f0
0x004203f3
0x004203f8
0x004203fd
0x004203ff
0x004203ff
0x00420407
0x00420407
0x0042040c
0x0042040e
0x0042040e
0x00420413
0x00420414
0x00420415
0x0042041f
0x00420422
0x00420427
0x0042042e
0x00420433
0x0042047d
0x00420486

APIs

__EH_prolog.LIBCMT ref: 00420362

Part of subcall function 00420489: __EH_prolog.LIBCMT ref: 0042048E
Part of subcall function 00420489: SysFreeString.OLEAUT32(802D3C72), ref: 0042059B
Part of subcall function 00420489: SysFreeString.OLEAUT32(00000000), ref: 004205BE

Part of subcall function 00401C68: __EH_prolog.LIBCMT ref: 00401C6D
Part of subcall function 00401C68: GetLastError.KERNEL32(00467574,00000000,0046757C,?,0040E781,?,00000000,?,00000000), ref: 00401C96
Part of subcall function 00401C68: SetLastError.KERNEL32(?,00000000,?,0040E781,?,00000000,?,00000000), ref: 00401CC4

Part of subcall function 00420787: __EH_prolog.LIBCMT ref: 0042078C
Part of subcall function 00420787: SysFreeString.OLEAUT32(802D3C72), ref: 004207B4
Part of subcall function 00420787: SysFreeString.OLEAUT32(802D3C72), ref: 0042089C

Strings

|uF, xrefs: 0042038C
uF, xrefs: 0042040E
uF, xrefs: 004203FF
tuF, xrefs: 00420393
puF, xrefs: 004203E7

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: FreeH_prologString$ErrorLast
String ID: puF$tuF$|uF$uF$uF
API String ID: 1007404185-3997484723
Opcode ID: 9d5e95a0e61812f4cbb1a79022a9d7adb23cec9d31ef5bb9fb141ffcc005dd7d
Instruction ID: e852d45eda65f67edbf7254fb5de9d08713f9160d8449552de0d5ad0c2a9548e
Opcode Fuzzy Hash: 9d5e95a0e61812f4cbb1a79022a9d7adb23cec9d31ef5bb9fb141ffcc005dd7d
Instruction Fuzzy Hash: 50215371A00119AFCB04EF95E8819EEB7B8EF44318F50816FF506E7252EB389E05CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004084D4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 81
windowCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E004084D4(intOrPtr __ecx) {
				void* _t25;
				struct HWND__* _t28;
				long _t32;
				struct HWND__* _t52;
				void* _t55;
				void* _t57;
				void* _t58;
				intOrPtr _t61;

				L0043B644(0x45f9d0, _t55);
				_t58 = _t57 - 0x2c;
				_t61 =  *0x47e1d1; // 0x0
				_t52 =  *(_t55 + 0x10);
				 *((intOrPtr*)(_t55 - 0x10)) = __ecx;
				if(_t61 == 0) {
					_push(0);
					_push(_t52);
					_push( *((intOrPtr*)(_t55 + 0xc)));
					 *((intOrPtr*)(_t55 + 0xc)) = _t58 - 0x28;
					L00401732(_t58 - 0x28,  *(_t55 + 8), _t55 + 0xf, 1);
					_t25 = L004037B9(_t55 + 8,  *0x47e1d4);
					_push( *0x47e1c8);
					 *((intOrPtr*)(_t55 - 4)) = 0;
					_t52 = L00403C38(_t25);
				} else {
					_t28 = E0040A374(__ecx);
					 *(_t55 + 0x10) = _t28;
					if(_t28 != 0) {
						SendMessageW(_t28, 0x111, 0, 0);
						SendMessageW( *(_t55 + 0x10), 0xc, 0,  *(_t55 + 8));
						_push(1);
						_push( *((intOrPtr*)(_t55 + 0xc)));
						_t32 =  *(E0040A677(_t55 - 0x38) + 8);
						if(_t32 == 0) {
							_t32 = 0x4675e4;
						}
						SendMessageW( *(_t55 + 0x10), 0xc, 0, _t32);
						E004061C1(_t55 - 0x38);
						_t52 = SendMessageW( *(_t55 + 0x10), 0x111, 1, 0);
						_t64 = _t52 - 2;
						if(_t52 == 2) {
							_push( *(_t55 + 0x10));
							E0040A4B6( *((intOrPtr*)(_t55 - 0x10)), _t64);
						}
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t55 - 0xc));
				return _t52;
			}

0x004084d9
0x004084de
0x004084e4
0x004084eb
0x004084ef
0x004084f2
0x00408567
0x00408568
0x00408569
0x00408574
0x0040857d
0x0040858b
0x00408590
0x00408598
0x004085a0
0x004084f4
0x004084f4
0x004084fb
0x004084fe
0x00408513
0x0040851e
0x00408520
0x00408525
0x0040852d
0x00408532
0x00408534
0x00408534
0x00408540
0x00408545
0x00408553
0x00408555
0x00408558
0x0040855a
0x00408560
0x00408560
0x00408558
0x004084fe
0x004085a9
0x004085b2

APIs

__EH_prolog.LIBCMT ref: 004084D9

Part of subcall function 0040A374: FindWindowExW.USER32 ref: 0040A3B6

SendMessageW.USER32(00000000,00000111,00000000,00000000), ref: 00408513
SendMessageW.USER32(?,0000000C,00000000,?), ref: 0040851E

Part of subcall function 0040A677: __EH_prolog.LIBCMT ref: 0040A67C
Part of subcall function 0040A677: SetLastError.KERNEL32(?,?,00000000,?,?,00000000,746ABB20), ref: 0040A6DD

SendMessageW.USER32(?,0000000C,00000000,?), ref: 00408540
SendMessageW.USER32(?,00000111,00000001,00000000), ref: 00408551

Strings

uF, xrefs: 00408534

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: MessageSend$H_prolog$ErrorFindLastWindow
String ID: uF
API String ID: 2929592357-700906890
Opcode ID: 5afd30fcfcfc67e2924a04515aadd9d30162d14bd7572ca52c2e285a86e7ee27
Instruction ID: 191a4509ef9f80cba5048fdc7b13de5bec117c849a37d9591c468afa0b9f30bf
Opcode Fuzzy Hash: 5afd30fcfcfc67e2924a04515aadd9d30162d14bd7572ca52c2e285a86e7ee27
Instruction Fuzzy Hash: 0B21AE71A00218BFDF10AF66CC82EAE7F69EB04358F00403AF905B72A1CA798D54CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0043410E Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0043410E(intOrPtr __ecx) {
				void* _t44;
				void* _t49;
				intOrPtr _t61;
				signed int _t68;
				void* _t84;
				void* _t87;
				void* _t89;
				intOrPtr _t90;
				void* _t92;
				void* _t94;

				L0043B644(E00464670, _t87);
				_t90 = _t89 - 0x38;
				 *((intOrPtr*)(_t87 - 0x18)) = __ecx;
				_t61 =  *((intOrPtr*)(_t87 + 8));
				 *(_t87 - 4) = 1;
				_t84 =  *(_t61 + 8);
				 *(_t87 - 0x10) = _t84;
				if(_t84 !=  *((intOrPtr*)(_t61 + 0xc))) {
					 *((intOrPtr*)(_t87 - 0x14)) = _t84 + 0x28;
					while(1) {
						_push(0);
						_push(_t87 + 0xb);
						 *((intOrPtr*)(_t87 - 0x44)) = 0x46757c;
						 *((intOrPtr*)(_t87 - 0x24)) = 0x467574;
						L00401C68(_t87 - 0x44);
						 *(_t87 - 4) = 2;
						if( *((intOrPtr*)(_t87 + 0x3c)) == 0) {
						}
						_t92 = _t90 - 0x28;
						_t68 = 0xa;
						_t49 = memcpy(_t92, _t84, _t68 << 2);
						_t94 = _t92 - 0x28 + 0xc;
						L004057E0(memcpy(_t94, _t87 + 0xc, 0 << 2), _t49, 0xa);
						_t90 = _t94 + 0x64 - 0x28;
						 *((intOrPtr*)(_t87 - 0x1c)) = _t90;
						L00401708(_t90, _t87 - 0x44, 1);
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t87 - 0x18)))) + 0x1c))( *((intOrPtr*)(_t87 - 0x14)));
						 *(_t87 - 4) = 1;
						L0040125C(_t87 - 0x44);
						 *(_t87 - 0x10) =  *(_t87 - 0x10) + 0x50;
						 *((intOrPtr*)(_t87 - 0x14)) =  *((intOrPtr*)(_t87 - 0x14)) + 0x50;
						if( *(_t87 - 0x10) ==  *((intOrPtr*)(_t61 + 0xc))) {
							goto L6;
						}
						_t84 =  *(_t87 - 0x10);
					}
				}
				L6:
				 *(_t87 - 4) =  *(_t87 - 4) & 0x00000000;
				L0040125C(_t87 + 0xc);
				 *(_t87 - 4) =  *(_t87 - 4) | 0xffffffff;
				_t44 = L0040125C(_t87 + 0x34);
				 *[fs:0x0] =  *((intOrPtr*)(_t87 - 0xc));
				return _t44;
			}

0x00434113
0x00434118
0x0043411e
0x00434121
0x00434124
0x0043412b
0x00434133
0x00434136
0x0043413f
0x00434147
0x0043414a
0x0043414c
0x00434150
0x00434157
0x0043415e
0x00434166
0x0043416c
0x0043416c
0x00434173
0x00434178
0x0043417e
0x0043417e
0x0043418f
0x0043419d
0x004341a2
0x004341a8
0x004341b2
0x004341b8
0x004341bc
0x004341c1
0x004341c5
0x004341cf
0x00000000
0x00000000
0x00434144
0x00434144
0x00434147
0x004341d5
0x004341d5
0x004341dc
0x004341e1
0x004341e8
0x004341f2
0x004341fb

APIs

__EH_prolog.LIBCMT ref: 00434113

Part of subcall function 00401C68: __EH_prolog.LIBCMT ref: 00401C6D
Part of subcall function 00401C68: GetLastError.KERNEL32(00467574,00000000,0046757C,?,0040E781,?,00000000,?,00000000), ref: 00401C96
Part of subcall function 00401C68: SetLastError.KERNEL32(?,00000000,?,0040E781,?,00000000,?,00000000), ref: 00401CC4

Strings

P, xrefs: 004341C1
puF, xrefs: 0043416E
P, xrefs: 004341C5
|uF, xrefs: 00434189, 0043418E
tuF, xrefs: 00434157

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorH_prologLast
String ID: P$P$puF$tuF$|uF
API String ID: 1057991267-2331953158
Opcode ID: c4602647ab5475b7609aed65be576348f90ce1a2d2676f58f87ee5d703679531
Instruction ID: c6058f03cc4799c6b3c1387626ce916295c856a28a34e692b90710955e401c59
Opcode Fuzzy Hash: c4602647ab5475b7609aed65be576348f90ce1a2d2676f58f87ee5d703679531
Instruction Fuzzy Hash: A031B175D00208EBCF00EF95C986ADEBBB4EF19324F20415AE805B7281E774AF45CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0042C4F5 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 76
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0042C4F5(void* __ecx, void* __eflags) {
				void* _t53;
				intOrPtr _t56;
				void* _t59;
				void* _t61;
				intOrPtr _t66;
				void* _t80;

				L0043B644(0x463847, _t80);
				_t61 = __ecx;
				 *(_t80 - 0x4c) = 7;
				E00403E82( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0xc)) + 4)) + 4)) + 0x2c))(), __eflags, _t80 - 0x74, 0x775);
				_t66 =  *((intOrPtr*)(_t80 - 0x6c));
				_t86 = _t66;
				 *(_t80 - 4) = 0;
				 *((intOrPtr*)(_t80 - 0x40)) = 0x467570;
				if(_t66 != 0) {
					 *((intOrPtr*)(_t80 - 0x40)) = _t66;
				}
				 *((intOrPtr*)(_t80 - 0x44)) = 0x64;
				 *((intOrPtr*)(_t80 - 0x48)) = 0;
				SendMessageW( *(_t80 + 8), 0x1061, 0, _t80 - 0x4c);
				 *(_t80 - 0x2c) = 7;
				_t53 = E00403E82( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t61 + 0xc)) + 4)) + 4)) + 0x2c))(), _t86, _t80 - 0x9c, 0x776);
				 *(_t80 - 4) = 1;
				L00401A1E(_t80 - 0x74, _t53);
				 *(_t80 - 4) =  *(_t80 - 4) & 0x00000000;
				L0040125C(_t80 - 0x9c);
				_t56 =  *((intOrPtr*)(_t80 - 0x6c));
				 *((intOrPtr*)(_t80 - 0x20)) = 0x467570;
				if(_t56 != 0) {
					 *((intOrPtr*)(_t80 - 0x20)) = _t56;
				}
				 *(_t80 - 0x28) =  *(_t80 - 0x28) & 0x00000000;
				 *((intOrPtr*)(_t80 - 0x24)) = 0x1c0;
				SendMessageW( *(_t80 + 8), 0x1061, 1, _t80 - 0x2c);
				 *(_t80 - 4) =  *(_t80 - 4) | 0xffffffff;
				_t59 = L0040125C(_t80 - 0x74);
				 *[fs:0x0] =  *((intOrPtr*)(_t80 - 0xc));
				return _t59;
			}

0x0042c4fa
0x0042c506
0x0042c508
0x0042c52a
0x0042c52f
0x0042c534
0x0042c536
0x0042c539
0x0042c540
0x0042c542
0x0042c542
0x0042c559
0x0042c560
0x0042c563
0x0042c568
0x0042c588
0x0042c591
0x0042c595
0x0042c59a
0x0042c5a4
0x0042c5a9
0x0042c5ac
0x0042c5b5
0x0042c5b7
0x0042c5b7
0x0042c5ba
0x0042c5c5
0x0042c5cf
0x0042c5d1
0x0042c5d8
0x0042c5e3
0x0042c5eb

APIs

__EH_prolog.LIBCMT ref: 0042C4FA

Part of subcall function 00403E82: __EH_prolog.LIBCMT ref: 00403E87

SendMessageW.USER32(?,00001061,00000000,00000007), ref: 0042C563
SendMessageW.USER32(?,00001061,00000001,00000007), ref: 0042C5CF

Strings

d, xrefs: 0042C559
puF, xrefs: 0042C539
puF, xrefs: 0042C5AC

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: H_prologMessageSend
String ID: d$puF$puF
API String ID: 2337391251-1289252917
Opcode ID: 8bf2b191ab404f0437438e06ac29502af160fef365319cfffb3c727ff1995666
Instruction ID: b869198e7b88ce8c4e3ee491ab5fade545e31e7c4196f17f2d02b2c71201dda7
Opcode Fuzzy Hash: 8bf2b191ab404f0437438e06ac29502af160fef365319cfffb3c727ff1995666
Instruction Fuzzy Hash: F5310A71E00218DFDB14DFA9C985ADDBBF8AF48318F10816EE509A7291E7789A05CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0045A6FC Relevance: 10.6, APIs: 7, Instructions: 57
filewindowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E0045A6FC(void* __esi) {
				struct HDC__* _t36;
				void* _t40;
				void* _t42;

				GetClientRect( *(_t40 + 4), _t42 + 0x30);
				if( *((intOrPtr*)(_t42 + 0x10)) == 0) {
					SetViewportOrgEx(_t36, 0, 0, 0);
					SetViewportExtEx(_t36,  *(_t42 + 0x38),  *(_t42 + 0x3c), 0);
					_push( *((intOrPtr*)(__esi + 4)));
					PlayMetaFile(_t36, ??);
				} else {
					StretchBlt(_t36, 0, 0,  *(_t42 + 0x44),  *(_t42 + 0x44),  *(_t42 + 0x48), 0, 0,  *(__esi + 0x24),  *(__esi + 0x28), 0xcc0020);
				}
				DeleteDC( *(_t42 + 0x48));
				RestoreDC(_t36,  *(_t42 + 0x2c));
				return 1;
			}

0x0045a705
0x0045a711
0x0045a74a
0x0045a75d
0x0045a766
0x0045aa7e
0x0045a713
0x0045a738
0x0045a738
0x0045aa89
0x0045aa95
0x0045aaa7

APIs

GetClientRect.USER32 ref: 0045A705
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,?,?,00CC0020), ref: 0045A738
SetViewportOrgEx.GDI32(?,00000000,00000000,00000000), ref: 0045A74A
SetViewportExtEx.GDI32(?,?,?,00000000), ref: 0045A75D
PlayMetaFile.GDI32(?,00000002), ref: 0045AA7E
DeleteDC.GDI32(?), ref: 0045AA89
RestoreDC.GDI32(?,?), ref: 0045AA95

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: Viewport$ClientDeleteFileMetaPlayRectRestoreStretch
String ID:
API String ID: 2402272484-0
Opcode ID: ee57d1e5d5093d7747d5a968f483e122fd789399e854a81633343141319a3b4b
Instruction ID: 502269b274b56775c1e71dab2eae1805fc8887ac941d6d79e09980b5b9f5a064
Opcode Fuzzy Hash: ee57d1e5d5093d7747d5a968f483e122fd789399e854a81633343141319a3b4b
Instruction Fuzzy Hash: 1A111C75208300AFE210CB14DD85F7B77B9EBC9B15F104A1DFA4596290D6B4E8018B2A

Uniqueness

Uniqueness Score: -1.00%

Function 0041A1C5 Relevance: 9.1, APIs: 6, Instructions: 55
memoryCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E0041A1C5(intOrPtr* __ecx) {
				intOrPtr _t30;
				signed int _t35;
				signed int _t36;
				intOrPtr* _t41;
				intOrPtr _t49;
				intOrPtr* _t53;
				void* _t55;

				L0043B644(0x461dd6, _t55);
				_push(__ecx);
				_t53 = __ecx;
				 *((intOrPtr*)(_t55 - 0x10)) = __ecx;
				if( *((intOrPtr*)(_t55 + 0xc)) != 0) {
					 *((intOrPtr*)(__ecx + 0xc)) = 0x46801c;
					 *((intOrPtr*)(__ecx + 0x14)) = 0x468014;
				}
				_t30 =  *((intOrPtr*)(_t53 + 0xc));
				_t41 = _t53 + 0xc;
				_t7 = _t30 + 4; // 0xc
				 *((intOrPtr*)( *_t7 + _t41)) = GetLastError();
				 *(_t55 - 4) =  *(_t55 - 4) & 0x00000000;
				 *(_t53 + 0x10) =  *(_t53 + 0x10) & 0x00000000;
				 *(_t55 - 4) = 1;
				_t49 = 1;
				 *((intOrPtr*)(_t53 + 4)) = L0043BC14(_t49);
				 *((intOrPtr*)(_t53 + 8)) = _t49;
				 *_t53 = 0x468010;
				_t16 =  *((intOrPtr*)(_t53 + 0x14)) + 4; // 0x4
				SetLastError( *( *_t16 + _t53 + 0x14));
				_t35 =  *(_t55 + 8);
				 *_t53 = 0x468008;
				__imp__#7( *((intOrPtr*)(_t35 + 0x10)));
				_t36 =  *(_t55 + 8);
				__imp__#4( *((intOrPtr*)(_t36 + 0x10)), _t35);
				 *(_t53 + 0x10) = _t36;
				SetLastError( *( *((intOrPtr*)( *_t41 + 4)) + _t53 + 0xc));
				 *[fs:0x0] =  *((intOrPtr*)(_t55 - 0xc));
				return _t53;
			}

0x0041a1ca
0x0041a1cf
0x0041a1d6
0x0041a1d9
0x0041a1dc
0x0041a1de
0x0041a1e5
0x0041a1e5
0x0041a1ec
0x0041a1ef
0x0041a1f2
0x0041a1fd
0x0041a1ff
0x0041a203
0x0041a209
0x0041a20d
0x0041a214
0x0041a217
0x0041a21a
0x0041a22a
0x0041a231
0x0041a233
0x0041a236
0x0041a23f
0x0041a246
0x0041a24c
0x0041a252
0x0041a25e
0x0041a268
0x0041a270

APIs

__EH_prolog.LIBCMT ref: 0041A1CA
GetLastError.KERNEL32(?,?,00000000,?,00418BA0,?,00000000,00000000,00000001,00418811,?,00000001,?,00000000,00000000,FFFFFFFF), ref: 0041A1F7
SetLastError.KERNEL32(?,?,00418BA0,?,00000000,00000000,00000001,00418811,?,00000001,?,00000000,00000000,FFFFFFFF,00476558,00000001), ref: 0041A231
SysStringLen.OLEAUT32(00000000), ref: 0041A23F
SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 0041A24C
SetLastError.KERNEL32(00000000,?,00418BA0,?,00000000,00000000,00000001,00418811,?,00000001,?,00000000,00000000,FFFFFFFF,00476558,00000001), ref: 0041A25E

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorLast$String$AllocH_prolog
String ID:
API String ID: 1014970518-0
Opcode ID: 75583460316c3e664fd691ff2175298be9d82b0c01d859039dd4aa1e9162f3ae
Instruction ID: ddb5e6692f344b2cbdaf3b1a8f1b661c1f1c9976a74c45c076d6e24d87d4d056
Opcode Fuzzy Hash: 75583460316c3e664fd691ff2175298be9d82b0c01d859039dd4aa1e9162f3ae
Instruction Fuzzy Hash: 3A213371500600EFC720CF58D844A8ABBF4FF48729F11896EE59597721DBB8E948CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0041A273 Relevance: 9.1, APIs: 6, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 47%

			E0041A273(signed int __ecx) {
				long _t17;
				intOrPtr _t29;
				signed int _t30;
				long* _t35;
				signed int _t38;
				signed int _t40;
				signed int _t41;

				_t38 = __ecx;
				_t30 = __ecx + 0xc;
				 *((intOrPtr*)(__ecx)) = 0x468008;
				_t35 =  *((intOrPtr*)( *(__ecx + 0xc) + 4)) + __ecx + 0xc;
				_t17 = GetLastError();
				_t41 = _t38 + 0x10;
				 *_t35 = _t17;
				__imp__#6( *_t41);
				 *_t41 =  *_t41 & 0x00000000;
				SetLastError( *( *((intOrPtr*)( *_t30 + 4)) + _t38 + 0xc));
				asm("sbb eax, eax");
				_t22 =  ~_t38 & _t38 + 0x00000014;
				 *((intOrPtr*)( *((intOrPtr*)( *( ~_t38 & _t38 + 0x00000014) + 4)) + _t22)) = GetLastError();
				 *_t38 = 0x468010;
				E0043AE17( *((intOrPtr*)(_t38 + 4)));
				asm("sbb eax, eax");
				__imp__#6( *( ~_t38 & _t41));
				asm("sbb esi, esi");
				_t40 =  ~_t38 & _t30;
				_t29 =  *((intOrPtr*)( *_t40 + 4));
				SetLastError( *(_t29 + _t40));
				return _t29;
			}

0x0041a276
0x0041a27c
0x0041a27f
0x0041a288
0x0041a28c
0x0041a292
0x0041a295
0x0041a29a
0x0041a2a2
0x0041a2ad
0x0041a2ba
0x0041a2bc
0x0041a2cb
0x0041a2d0
0x0041a2d6
0x0041a2e0
0x0041a2e6
0x0041a2ee
0x0041a2f0
0x0041a2f4
0x0041a2fa
0x0041a304

APIs

GetLastError.KERNEL32(00000000,00000001,?,00000000,004187C2,00000000,FFFFFFFF,00476558,00000001,?,?,00000000), ref: 0041A28C
SysFreeString.OLEAUT32(?), ref: 0041A29A
SetLastError.KERNEL32(?,?,00000000,004187C2,00000000,FFFFFFFF,00476558,00000001,?,?,00000000), ref: 0041A2AD
GetLastError.KERNEL32(?,00000000,004187C2,00000000,FFFFFFFF,00476558,00000001,?,?,00000000), ref: 0041A2C5
SysFreeString.OLEAUT32(?), ref: 0041A2E6
SetLastError.KERNEL32(?,?,00000000,004187C2,00000000,FFFFFFFF,00476558,00000001,?,?,00000000), ref: 0041A2FA

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorLast$FreeString
String ID:
API String ID: 2425351278-0
Opcode ID: 122165b11b8a9276888c4ccb0c05cb3d577113568807dfc46a3f76c9b28d9fc0
Instruction ID: 6c14ea7e3826cc04cbbefdd3e78a3c59077b53703e2aab87fbe1bcf3fe635083
Opcode Fuzzy Hash: 122165b11b8a9276888c4ccb0c05cb3d577113568807dfc46a3f76c9b28d9fc0
Instruction Fuzzy Hash: 4D115A36250616CFC7108F68DD48C51BBF0FF09719311856DE99ACB321EB75E819CB45

Uniqueness

Uniqueness Score: -1.00%

Function 0041A460 Relevance: 9.1, APIs: 6, Instructions: 52
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 47%

			E0041A460(signed int __ecx) {
				intOrPtr _t16;
				long _t17;
				intOrPtr _t29;
				signed int _t30;
				signed int _t38;
				signed int _t40;
				signed int _t41;

				_t38 = __ecx;
				_t30 = __ecx + 0xc;
				 *((intOrPtr*)(__ecx)) = 0x468028;
				_t16 =  *((intOrPtr*)( *(__ecx + 0xc) + 4));
				_t5 = _t38 + 0xc; // 0xd
				_t17 = GetLastError();
				_t41 = _t38 + 0x10;
				 *(_t16 + _t5) = _t17;
				__imp__#6( *_t41);
				 *_t41 =  *_t41 & 0x00000000;
				SetLastError( *( *((intOrPtr*)( *_t30 + 4)) + _t38 + 0xc));
				asm("sbb eax, eax");
				_t22 =  ~_t38 & _t38 + 0x00000014;
				 *((intOrPtr*)( *((intOrPtr*)( *( ~_t38 & _t38 + 0x00000014) + 4)) + _t22)) = GetLastError();
				 *_t38 = 0x468010;
				E0043AE17( *((intOrPtr*)(_t38 + 4)));
				asm("sbb eax, eax");
				__imp__#6( *( ~_t38 & _t41));
				asm("sbb esi, esi");
				_t40 =  ~_t38 & _t30;
				_t29 =  *((intOrPtr*)( *_t40 + 4));
				SetLastError( *(_t29 + _t40));
				return _t29;
			}

0x0041a463
0x0041a469
0x0041a46c
0x0041a472
0x0041a475
0x0041a479
0x0041a47f
0x0041a482
0x0041a487
0x0041a48f
0x0041a49a
0x0041a4a7
0x0041a4a9
0x0041a4b8
0x0041a4bd
0x0041a4c3
0x0041a4cd
0x0041a4d3
0x0041a4db
0x0041a4dd
0x0041a4e1
0x0041a4e7
0x0041a4f1

APIs

GetLastError.KERNEL32(00000001,?,?,?,0043944C,00000000,00000001,00000001,00000001,?,?,?), ref: 0041A479
SysFreeString.OLEAUT32(?), ref: 0041A487
SetLastError.KERNEL32(?,?,?,0043944C,00000000,00000001,00000001,00000001,?,?,?), ref: 0041A49A
GetLastError.KERNEL32(?,?,0043944C,00000000,00000001,00000001,00000001,?,?,?), ref: 0041A4B2
SysFreeString.OLEAUT32(?), ref: 0041A4D3
SetLastError.KERNEL32(?,?,?,0043944C,00000000,00000001,00000001,00000001,?,?,?), ref: 0041A4E7

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorLast$FreeString
String ID:
API String ID: 2425351278-0
Opcode ID: 2c4674f90fe0809d16968108a9dfa8cf1223d3670106c720b04e4c22d2c60b60
Instruction ID: 27a9abb32f1cbe3daaf07653dc1804918922d1de10f7a7c92eeb28f4c6c885ab
Opcode Fuzzy Hash: 2c4674f90fe0809d16968108a9dfa8cf1223d3670106c720b04e4c22d2c60b60
Instruction Fuzzy Hash: BE115A36250616CFC7108F68DD48C51BBF0FF09719311896DE99ACB321EB75E819CB45

Uniqueness

Uniqueness Score: -1.00%

Function 0042C49D Relevance: 9.0, APIs: 6, Instructions: 36
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0042C49D(void* __ecx, intOrPtr _a4) {
				void* _t6;
				void* _t16;

				_t16 = __ecx;
				if(_a4 == 0x3f3) {
					EnableWindow(GetDlgItem( *(__ecx + 4), 0x3ed), 0);
				}
				if(_a4 == 0x3f2) {
					EnableWindow(GetDlgItem( *(_t16 + 4), 0x3ed), 1);
					SetFocus(GetDlgItem( *(_t16 + 4), 0x3ed));
				}
				_t6 = 1;
				return _t6;
			}

0x0042c4b5
0x0042c4bc
0x0042c4c7
0x0042c4c7
0x0042c4d1
0x0042c4dc
0x0042c4e5
0x0042c4e5
0x0042c4ed
0x0042c4f2

APIs

GetDlgItem.USER32 ref: 0042C4C2
EnableWindow.USER32(00000000,00000000), ref: 0042C4C7
GetDlgItem.USER32 ref: 0042C4D7
EnableWindow.USER32(00000000,00000001), ref: 0042C4DC
GetDlgItem.USER32 ref: 0042C4E2
SetFocus.USER32(00000000), ref: 0042C4E5

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: Item$EnableWindow$Focus
String ID:
API String ID: 864471436-0
Opcode ID: 3c6c098bbcbaab1cdedc9343d84ad944d4f3ad1a36437bb522d51ca7c1d1ba02
Instruction ID: 78f260486b5203015d19fea9b844b8090569a2047f14917d566e0d74c1434ef5
Opcode Fuzzy Hash: 3c6c098bbcbaab1cdedc9343d84ad944d4f3ad1a36437bb522d51ca7c1d1ba02
Instruction Fuzzy Hash: F5F02772500308BBE6206751ED89F2BBB9CDB90724F004436F205920A0CBB59D00CA79

Uniqueness

Uniqueness Score: -1.00%

Function 0040A0F7 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144
fileCOMMON

Download Yara Rule

C-Code - Quality: 19%

			E0040A0F7(void* __ecx, void* __eflags) {
				WCHAR* _t60;
				long _t104;
				void* _t108;
				void* _t116;
				intOrPtr* _t117;
				void* _t120;
				void* _t122;

				L0043B644(0x45fcb7, _t120);
				L0043B9F0(0x10a0, __ecx);
				_push(0);
				_push(_t120 - 0x21);
				 *((intOrPtr*)(_t120 - 0x28)) = 0;
				 *((intOrPtr*)(_t120 - 0x54)) = 0x4675d8;
				 *((intOrPtr*)(_t120 - 0x34)) = 0x4675d0;
				L0040B243(_t120 - 0x54);
				 *(_t120 - 0x20) =  *(_t120 - 0x20) | 0xffffffff;
				_t104 = 1;
				 *(_t120 - 4) = _t104;
				 *(_t120 - 4) = 2;
				_t60 =  *( *((intOrPtr*)(_t120 + 0xc)) + 8);
				if(_t60 == 0) {
					_t60 = 0x4675e4;
				}
				_t116 = CreateFileW(_t60, 0x80000000, _t104, 0, 3, 0x80, 0);
				 *(_t120 - 0x2c) = _t116;
				if(_t116 != 0xffffffff) {
					 *(_t120 - 0x20) = _t116;
					E00436B48(_t120 - 0xac);
					_pop(_t108);
					_push(0);
					_push(_t120 + 0xc);
					_push(0x1000);
					_push(_t120 - 0x10ac);
					_push(_t116);
					while(ReadFile() != 0) {
						E00436B70(_t120 - 0xac, _t120 - 0x10ac,  *((intOrPtr*)(_t120 + 0xc)));
						_t122 = _t122 + 0xc;
						if( *((intOrPtr*)(_t120 + 0xc)) > 0) {
							_push(0);
							_push(_t120 + 0xc);
							_push(0x1000);
							_push(_t120 - 0x10ac);
							_push( *(_t120 - 0x2c));
							continue;
						}
						break;
					}
					L00436C0E(_t108, _t120 - 0x1c, _t120 - 0xac);
					_push( *(_t120 - 0xd) & 0x000000ff);
					_push( *(_t120 - 0xe) & 0x000000ff);
					_push( *(_t120 - 0xf) & 0x000000ff);
					_push( *(_t120 - 0x10) & 0x000000ff);
					_push( *(_t120 - 0x11) & 0x000000ff);
					_push( *(_t120 - 0x12) & 0x000000ff);
					_push( *(_t120 - 0x13) & 0x000000ff);
					_push( *(_t120 - 0x14) & 0x000000ff);
					_push( *(_t120 - 0x15) & 0x000000ff);
					_push( *(_t120 - 0x16) & 0x000000ff);
					_push( *(_t120 - 0x17) & 0x000000ff);
					_push( *(_t120 - 0x18) & 0x000000ff);
					_push( *(_t120 - 0x19) & 0x000000ff);
					_push( *(_t120 - 0x1a) & 0x000000ff);
					_push( *(_t120 - 0x1b) & 0x000000ff);
					L0040AF38(_t120 - 0x54, L"%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X",  *(_t120 - 0x1c) & 0x000000ff);
				}
				_t117 =  *((intOrPtr*)(_t120 + 8));
				_push(0);
				_push(_t120 - 0x54);
				 *_t117 = 0x4675d8;
				 *((intOrPtr*)(_t117 + 0x20)) = 0x4675d0;
				L0040B2B8(_t117);
				 *((intOrPtr*)(_t120 - 0x28)) = 1;
				if( *(_t120 - 0x20) != 0xffffffff && CloseHandle != 0) {
					CloseHandle( *(_t120 - 0x20));
				}
				 *(_t120 - 4) =  *(_t120 - 4) & 0x00000000;
				E004061C1(_t120 - 0x54);
				 *[fs:0x0] =  *((intOrPtr*)(_t120 - 0xc));
				return _t117;
			}

0x0040a0fc
0x0040a106
0x0040a11d
0x0040a11e
0x0040a122
0x0040a125
0x0040a128
0x0040a12b
0x0040a130
0x0040a136
0x0040a137
0x0040a13d
0x0040a141
0x0040a146
0x0040a148
0x0040a148
0x0040a163
0x0040a168
0x0040a16b
0x0040a177
0x0040a17b
0x0040a180
0x0040a184
0x0040a186
0x0040a18d
0x0040a192
0x0040a193
0x0040a19a
0x0040a1b1
0x0040a1b6
0x0040a1bd
0x0040a1c2
0x0040a1c4
0x0040a1cb
0x0040a1d0
0x0040a1d1
0x00000000
0x0040a1d1
0x00000000
0x0040a1bd
0x0040a1e1
0x0040a1ec
0x0040a1f1
0x0040a1f6
0x0040a1fb
0x0040a200
0x0040a205
0x0040a20a
0x0040a20f
0x0040a214
0x0040a219
0x0040a21e
0x0040a223
0x0040a228
0x0040a22d
0x0040a232
0x0040a241
0x0040a246
0x0040a249
0x0040a24f
0x0040a251
0x0040a254
0x0040a256
0x0040a259
0x0040a25e
0x0040a269
0x0040a277
0x0040a277
0x0040a279
0x0040a280
0x0040a28d
0x0040a295

APIs

__EH_prolog.LIBCMT ref: 0040A0FC

Part of subcall function 0040B243: __EH_prolog.LIBCMT ref: 0040B248
Part of subcall function 0040B243: GetLastError.KERNEL32(?,?,00000000,?,0040A625,?,00000000,?,?,0040F157,C:\CodeBases\isdev\src\Runtime\InstallScript\SetupNew\setup.cpp,?,00000001,00467574,00000000,0046757C), ref: 0040B271
Part of subcall function 0040B243: SetLastError.KERNEL32(?,00000000,?,00000000,?,0040A625,?,00000000,?,?,0040F157,C:\CodeBases\isdev\src\Runtime\InstallScript\SetupNew\setup.cpp,?,00000001,00467574,00000000), ref: 0040B29F

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,004675D8,004675D0,00000000,00409AB9,?,?,?), ref: 0040A15D
ReadFile.KERNEL32(00000000,?,00001000,?,00000000), ref: 0040A19A

Strings

%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X, xrefs: 0040A23B
uF, xrefs: 0040A148

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorFileH_prologLast$CreateRead
String ID: %02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X$uF
API String ID: 700090200-4147216722
Opcode ID: 7884843692ea5f439732e1c953c6f29899cf4ef28e6547d8ada4c270d0f74de6
Instruction ID: af9d06c66442e853da258d2ab92266a958ce061316c3c15d881ac7266b5b9612
Opcode Fuzzy Hash: 7884843692ea5f439732e1c953c6f29899cf4ef28e6547d8ada4c270d0f74de6
Instruction Fuzzy Hash: BD518EB2904269AECF21CBD58C01FEEBBBCAB09314F1081A7F595F6181D67C9A448B65

Uniqueness

Uniqueness Score: -1.00%

Function 0040C6A9 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 138
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E0040C6A9() {
				short* _t62;
				char* _t78;
				int _t80;
				short* _t101;
				unsigned int _t103;
				void* _t107;
				char _t118;

				L0043B644(E00460048, _t107);
				if( *(_t107 + 0x14) == 0x4b0 ||  *(_t107 + 0x14) == 0x4b1) {
					_t103 =  *(_t107 + 0x10);
					_t78 =  *(_t107 + 0xc);
					if(_t103 == 0xffffffff) {
						_t103 = L0043BA1F(_t78) << 1;
					}
					if( *(_t107 + 0x14) != 0x4b1) {
						 *((intOrPtr*)(_t107 - 0x3c)) = 0x4675d8;
						 *((intOrPtr*)(_t107 - 0x1c)) = 0x4675d0;
						if(_t78 == 0) {
							_t78 = 0x47e150;
						}
						_push(0);
						_push(_t107 + 0x13);
						_push(_t103 >> 1);
						_push(_t78);
						L0040BD48(_t107 - 0x3c);
						 *(_t107 - 4) = 2;
						E004066ED( *((intOrPtr*)(_t107 + 8)), _t107 - 0x3c);
						 *(_t107 - 4) =  *(_t107 - 4) | 0xffffffff;
						E004061C1(_t107 - 0x3c);
						goto L18;
					} else {
						_t22 = _t103 + 1; // 0x1
						_t101 = L0043BC14(_t22);
						 *((char*)(_t107 - 0x14)) = _t101 != 0;
						 *(_t107 - 0x10) = _t101;
						 *(_t107 - 4) =  *(_t107 - 4) & 0x00000000;
						L0043BBEA(_t78, _t101, _t103);
						 *((intOrPtr*)(_t107 - 0x3c)) = 0x4675d8;
						 *((intOrPtr*)(_t107 - 0x1c)) = 0x4675d0;
						_t62 = _t101;
						if(_t101 == 0) {
							_t62 = 0x47e150;
						}
						_push(0);
						_push(_t107 + 0x13);
						_push(_t103 >> 1);
						_push(_t62);
						L0040BD48(_t107 - 0x3c);
						 *(_t107 - 4) = 1;
						E004066ED( *((intOrPtr*)(_t107 + 8)), _t107 - 0x3c);
						 *(_t107 - 4) =  *(_t107 - 4) & 0x00000000;
						E004061C1(_t107 - 0x3c);
						goto L7;
					}
				} else {
					if( *(_t107 + 0x10) == 0xffffffff) {
						 *(_t107 + 0x10) = L0043BC30( *(_t107 + 0xc));
					}
					_t80 = MultiByteToWideChar( *(_t107 + 0x14), 0,  *(_t107 + 0xc),  *(_t107 + 0x10) + 1, 0, 0);
					_t101 = L0043BC14(_t80 + _t80);
					 *((char*)(_t107 - 0x14)) = _t101 != 0;
					 *(_t107 - 0x10) = _t101;
					 *(_t107 - 4) = 3;
					_t103 = MultiByteToWideChar( *(_t107 + 0x14), 0,  *(_t107 + 0xc),  *(_t107 + 0x10), _t101, _t80);
					if(_t103 > 0) {
						_t17 =  *((intOrPtr*)(_t107 + 8)) + 4; // 0x4
						L0040BF1A(_t17, _t101, _t103);
					}
					_t118 =  *((char*)(_t107 - 0x14));
					L7:
					if(_t118 != 0) {
						E0043AE17(_t101);
					}
					L18:
					 *[fs:0x0] =  *((intOrPtr*)(_t107 - 0xc));
					return _t103;
				}
			}

0x0040c6ae
0x0040c6c5
0x0040c754
0x0040c757
0x0040c75d
0x0040c768
0x0040c768
0x0040c76d
0x0040c7e6
0x0040c7ed
0x0040c7f4
0x0040c7f6
0x0040c7f6
0x0040c7fe
0x0040c800
0x0040c805
0x0040c806
0x0040c80a
0x0040c816
0x0040c81d
0x0040c822
0x0040c829
0x00000000
0x0040c76f
0x0040c76f
0x0040c778
0x0040c77c
0x0040c780
0x0040c783
0x0040c78a
0x0040c792
0x0040c79b
0x0040c7a2
0x0040c7a4
0x0040c7a6
0x0040c7a6
0x0040c7ae
0x0040c7b0
0x0040c7b5
0x0040c7b6
0x0040c7ba
0x0040c7c6
0x0040c7ca
0x0040c7cf
0x0040c7d6
0x00000000
0x0040c7db
0x0040c6d4
0x0040c6d8
0x0040c6e3
0x0040c6e3
0x0040c6fe
0x0040c709
0x0040c70e
0x0040c712
0x0040c71a
0x0040c72b
0x0040c72f
0x0040c736
0x0040c739
0x0040c739
0x0040c73e
0x0040c742
0x0040c742
0x0040c749
0x0040c74e
0x0040c82e
0x0040c836
0x0040c83e
0x0040c83e

APIs

__EH_prolog.LIBCMT ref: 0040C6AE
MultiByteToWideChar.KERNEL32(000004B0,00000000,?,00000100,00000000,00000000,004675D0,?,004675D8), ref: 0040C6FC
MultiByteToWideChar.KERNEL32(000004B0,00000000,?,000000FF,00000000,00000000,000004B0,?,004675D8), ref: 0040C729

Strings

PG, xrefs: 0040C7A6
PG, xrefs: 0040C7F6

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ByteCharMultiWide$H_prolog
String ID: PG$PG
API String ID: 2445107564-3551648151
Opcode ID: 0fed08893b069585bc853a46ac4859111f59518f5a5137741e501c1f77d9a008
Instruction ID: 49e27f076e1d16462b9dffecee3be55e8008d2cac4a5cb7b28c73c339d44b261
Opcode Fuzzy Hash: 0fed08893b069585bc853a46ac4859111f59518f5a5137741e501c1f77d9a008
Instruction Fuzzy Hash: 73419071900209ABCB14DF55D885BEF77A8EF44314F10822BF925B72D1DB789E14CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004422DB Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 135
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004422DB(long _a4, void* _a8, long _a12) {
				intOrPtr* _v8;
				long _v12;
				long _v16;
				signed int _v20;
				void _v1048;
				void** _t66;
				signed int _t67;
				intOrPtr _t69;
				signed int _t70;
				intOrPtr _t71;
				signed int _t73;
				signed int _t80;
				int _t85;
				long _t87;
				intOrPtr* _t91;
				intOrPtr _t97;
				struct _OVERLAPPED* _t101;
				long _t103;
				signed int _t105;
				struct _OVERLAPPED* _t106;

				_t101 = 0;
				_v12 = 0;
				_v20 = 0;
				if(_a12 != 0) {
					_t91 = 0x47fc20 + (_a4 >> 5) * 4;
					_t105 = (_a4 & 0x0000001f) + (_a4 & 0x0000001f) * 8 << 2;
					__eflags =  *( *_t91 + _t105 + 4) & 0x00000020;
					if(__eflags != 0) {
						E00442203(__eflags, _a4, 0, 2);
					}
					_t66 =  *_t91 + _t105;
					__eflags = _t66[1] & 0x00000080;
					if((_t66[1] & 0x00000080) == 0) {
						_t67 = WriteFile( *_t66, _a8, _a12,  &_v16, _t101);
						__eflags = _t67;
						if(_t67 == 0) {
							_a4 = GetLastError();
						} else {
							_a4 = _t101;
							_v12 = _v16;
						}
						L15:
						_t69 = _v12;
						__eflags = _t69 - _t101;
						if(_t69 != _t101) {
							_t70 = _t69 - _v20;
							__eflags = _t70;
							return _t70;
						}
						__eflags = _a4 - _t101;
						if(_a4 == _t101) {
							L25:
							_t71 =  *_t91;
							__eflags =  *(_t71 + _t105 + 4) & 0x00000040;
							if(( *(_t71 + _t105 + 4) & 0x00000040) == 0) {
								L27:
								 *((intOrPtr*)(L0043CC90())) = 0x1c;
								_t73 = L0043CC99();
								 *_t73 = _t101;
								L24:
								return _t73 | 0xffffffff;
							}
							__eflags =  *_a8 - 0x1a;
							if( *_a8 == 0x1a) {
								goto L1;
							}
							goto L27;
						}
						_t106 = 5;
						__eflags = _a4 - _t106;
						if(_a4 != _t106) {
							_t73 = L0043CC1D(_a4);
						} else {
							 *((intOrPtr*)(L0043CC90())) = 9;
							_t73 = L0043CC99();
							 *_t73 = _t106;
						}
						goto L24;
					}
					__eflags = _a12 - _t101;
					_v8 = _a8;
					_a4 = _t101;
					if(_a12 <= _t101) {
						goto L25;
					} else {
						goto L6;
					}
					do {
						L6:
						_t80 =  &_v1048;
						do {
							__eflags = _v8 - _a8 - _a12;
							if(_v8 - _a8 >= _a12) {
								break;
							}
							_v8 = _v8 + 1;
							_t97 =  *_v8;
							__eflags = _t97 - 0xa;
							if(_t97 == 0xa) {
								_v20 = _v20 + 1;
								 *_t80 = 0xd;
								_t80 = _t80 + 1;
								__eflags = _t80;
							}
							 *_t80 = _t97;
							_t80 = _t80 + 1;
							__eflags = _t80 -  &_v1048 - 0x400;
						} while (_t80 -  &_v1048 < 0x400);
						_t103 = _t80 -  &_v1048;
						_t85 = WriteFile( *( *_t91 + _t105),  &_v1048, _t103,  &_v16, 0);
						__eflags = _t85;
						if(_t85 == 0) {
							_a4 = GetLastError();
							break;
						}
						_t87 = _v16;
						_v12 = _v12 + _t87;
						__eflags = _t87 - _t103;
						if(_t87 < _t103) {
							break;
						}
						__eflags = _v8 - _a8 - _a12;
					} while (_v8 - _a8 < _a12);
					_t101 = 0;
					__eflags = 0;
					goto L15;
				}
				L1:
				return 0;
			}

0x004422e7
0x004422ec
0x004422ef
0x004422f2
0x00442301
0x00442313
0x00442316
0x0044231b
0x00442323
0x00442328
0x0044232d
0x0044232f
0x00442333
0x00442407
0x0044240d
0x0044240f
0x00442422
0x00442411
0x00442414
0x00442417
0x00442417
0x004423c3
0x004423c3
0x004423c6
0x004423c8
0x0044245e
0x0044245e
0x00000000
0x0044245e
0x004423ce
0x004423d1
0x00442435
0x00442435
0x00442437
0x0044243c
0x0044244a
0x0044244f
0x00442455
0x0044245a
0x00442430
0x00000000
0x00442430
0x00442441
0x00442444
0x00000000
0x00000000
0x00000000
0x00442444
0x004423d5
0x004423d6
0x004423d9
0x0044242a
0x004423db
0x004423e0
0x004423e6
0x004423eb
0x004423eb
0x00000000
0x004423d9
0x0044233c
0x0044233f
0x00442342
0x00442345
0x00000000
0x00000000
0x00000000
0x00000000
0x0044234b
0x0044234b
0x0044234b
0x00442351
0x00442357
0x0044235a
0x00000000
0x00000000
0x0044235f
0x00442362
0x00442364
0x00442367
0x00442369
0x0044236c
0x0044236f
0x0044236f
0x0044236f
0x00442370
0x00442372
0x0044237d
0x0044237d
0x0044238d
0x004423a2
0x004423a8
0x004423aa
0x004423f5
0x00000000
0x004423f5
0x004423ac
0x004423af
0x004423b2
0x004423b4
0x00000000
0x00000000
0x004423bc
0x004423bc
0x004423c1
0x004423c1
0x00000000
0x004423c1
0x004422f4
0x00000000

APIs

WriteFile.KERNEL32(?,?,?,00000108,00000000,00000002,?,?), ref: 004423A2

Strings

tuF, xrefs: 004422DB

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: FileWrite
String ID: tuF
API String ID: 3934441357-1632530568
Opcode ID: e024c3eff65c72f6b799a888244942dc869493d024c230c962df9d9910489da8
Instruction ID: 9043ef1ec6ad99200a703f5cdb9479b5e5b7b34d0a7b6e3128e3c015d22b0391
Opcode Fuzzy Hash: e024c3eff65c72f6b799a888244942dc869493d024c230c962df9d9910489da8
Instruction Fuzzy Hash: 0A51B331900108EFEB11CF69CA84A9E7BB0FF45344F5081A6F9199B251D7B8DA41DB69

Uniqueness

Uniqueness Score: -1.00%

Function 0041476A Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 122
stringCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E0041476A(intOrPtr __ecx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				WCHAR* _t47;
				char _t50;
				intOrPtr* _t56;
				intOrPtr* _t61;
				intOrPtr* _t62;
				intOrPtr* _t65;
				intOrPtr* _t67;
				char _t70;
				intOrPtr _t91;
				intOrPtr _t94;
				void* _t95;

				L0043B644(0x461197, _t95);
				_t91 = __ecx;
				_t88 = __ecx + 8;
				 *((intOrPtr*)(_t95 - 0x20)) = __ecx;
				 *((intOrPtr*)(_t95 - 0x4c)) = __ecx;
				L0043B670(_t95 - 0x8c, __ecx + 8, 0x40);
				_push(1);
				_t70 = 0;
				_push(_t95 - 0xd);
				_push("C:\\CodeBases\\isdev\\src\\Runtime\\InstallScript\\SetupNew\\setup.cpp");
				 *((intOrPtr*)(_t95 - 4)) = 0;
				_t47 =  *(E0040A5F5(_t95 - 0x48) + 8);
				if(_t47 == 0) {
					_t47 = 0x4675e4;
				}
				lstrcpyW(_t91 + 0x50, _t47);
				E004061C1(_t95 - 0x48);
				_t50 = E0043C804(_t70, _t88, _t91 + 0x50, _t95, _t88, 3, 0x43b31a,  *((intOrPtr*)(_t95 - 4)), 0x46c8b0);
				if(_t50 != _t70) {
					_t70 = _t50;
					 *((intOrPtr*)( *((intOrPtr*)(_t95 - 0x20)) + 0x390)) = 0xffffec6c;
					L13:
					L0043B670( *((intOrPtr*)(_t95 - 0x4c)) + 8, _t95 - 0x8c, 0x40);
					 *[fs:0x0] =  *((intOrPtr*)(_t95 - 0xc));
					return _t70;
				}
				_t94 =  *((intOrPtr*)(_t95 - 0x20));
				if( *((intOrPtr*)(_t94 + 0x288)) == _t70) {
					goto L13;
				}
				 *((intOrPtr*)(_t95 - 0x18)) = _t70;
				 *((intOrPtr*)(_t95 - 0x14)) = _t70;
				_t56 =  *((intOrPtr*)(_t94 + 0x280));
				 *((intOrPtr*)(_t95 - 0x1c)) = _t70;
				 *((intOrPtr*)(_t94 + 0x298)) = 5;
				_push(_t95 - 0x18);
				_push(0x476e10);
				_push(_t56);
				 *((char*)(_t95 - 4)) = 2;
				if( *((intOrPtr*)( *_t56))() >= _t70) {
					_t65 =  *((intOrPtr*)(_t95 - 0x18));
					_push(_t95 - 0x14);
					_push(0x477ae0);
					_push(0x46820c);
					_push(_t65);
					if( *((intOrPtr*)( *_t65 + 0xc))() >= _t70) {
						_t67 =  *((intOrPtr*)(_t95 - 0x14));
						 *((intOrPtr*)( *_t67 + 0x1c))(_t67, _t95 - 0x1c);
						if( *((intOrPtr*)(_t95 - 0x1c)) != _t70) {
							 *((intOrPtr*)(_t94 + 0x298)) = 0x64;
						}
					}
				}
				L00415C13(_t94,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t94 + 0x288)))) + 0xa8))(_t94, 0x27f),  *((intOrPtr*)(_t94 + 0x288)));
				_t61 =  *((intOrPtr*)(_t95 - 0x14));
				 *((char*)(_t95 - 4)) = 1;
				if(_t61 != _t70) {
					 *((intOrPtr*)( *_t61 + 8))(_t61);
				}
				_t62 =  *((intOrPtr*)(_t95 - 0x18));
				 *((char*)(_t95 - 4)) = _t70;
				if(_t62 != _t70) {
					 *((intOrPtr*)( *_t62 + 8))(_t62);
				}
				goto L13;
			}

0x0041476f
0x0041477c
0x00414787
0x0041478a
0x0041478f
0x00414792
0x0041479d
0x0041479f
0x004147a1
0x004147a2
0x004147aa
0x004147b2
0x004147b7
0x004147b9
0x004147b9
0x004147c3
0x004147cc
0x004147e1
0x004147eb
0x004148aa
0x004148ac
0x004148b6
0x004148c6
0x004148d3
0x004148de
0x004148de
0x004147f1
0x004147fa
0x00000000
0x00000000
0x00414800
0x00414803
0x00414806
0x0041480f
0x00414812
0x0041481e
0x0041481f
0x00414824
0x00414825
0x0041482d
0x0041482f
0x00414835
0x00414836
0x0041483d
0x00414842
0x00414848
0x0041484a
0x00414854
0x0041485b
0x0041485d
0x0041485d
0x0041485b
0x00414848
0x0041487f
0x00414884
0x00414887
0x0041488d
0x00414892
0x00414892
0x00414895
0x00414898
0x0041489d
0x004148a2
0x004148a2
0x00000000

APIs

__EH_prolog.LIBCMT ref: 0041476F

Part of subcall function 0040A5F5: __EH_prolog.LIBCMT ref: 0040A5FA
Part of subcall function 0040A5F5: SetLastError.KERNEL32(?,?,00000000,?,?,0040F157,C:\CodeBases\isdev\src\Runtime\InstallScript\SetupNew\setup.cpp,?,00000001,00467574,00000000,0046757C), ref: 0040A660

lstrcpyW.KERNEL32 ref: 004147C3
__setjmp3.LIBCMT ref: 004147E1

Strings

uF, xrefs: 004147B9
C:\CodeBases\isdev\src\Runtime\InstallScript\SetupNew\setup.cpp, xrefs: 004147A2

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: H_prolog$ErrorLast__setjmp3lstrcpy
String ID: C:\CodeBases\isdev\src\Runtime\InstallScript\SetupNew\setup.cpp$uF
API String ID: 746370007-983517006
Opcode ID: ce47f6837e26df93bff6a76087af60a804b7a0cbeac1b2364c0c0571691669c0
Instruction ID: 27d4d0a78503f87034f3469ffc7768ae20f1c5e25c4c16eff61491a5f3a278d4
Opcode Fuzzy Hash: ce47f6837e26df93bff6a76087af60a804b7a0cbeac1b2364c0c0571691669c0
Instruction Fuzzy Hash: 45419070A00245AFDB50EF94C885FEE77B8EF84708F10446EF209E7241DB785A45CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00402243 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 117
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00402243(void* __ecx, void* __eflags) {
				intOrPtr _t43;
				signed int _t44;
				void* _t53;
				intOrPtr _t56;
				signed int _t57;
				void* _t61;
				signed char _t87;
				intOrPtr _t89;
				void* _t91;
				intOrPtr* _t92;
				void* _t94;
				void* _t101;

				L0043B644(0x45eeb3, _t94);
				_t91 = __ecx;
				_push(0);
				_push(_t94 - 0xd);
				 *(_t94 - 0x18) = 0;
				 *((intOrPtr*)(_t94 - 0x40)) = 0x46757c;
				 *((intOrPtr*)(_t94 - 0x20)) = 0x467574;
				L00401C68(_t94 - 0x40);
				_t87 = 1;
				 *(_t94 - 4) = _t87;
				if(E00402456(__ecx) == 0) {
					_t43 =  *((intOrPtr*)(__ecx + 0xc));
					if(_t43 == 0 || _t43 <= _t87) {
						_t44 = 0;
					} else {
						_t56 =  *((intOrPtr*)(__ecx + 8));
						if(_t56 != 0) {
							_t57 = _t56 + 2;
						} else {
							_t57 = 0x467570;
						}
						_t44 = _t57 & 0xffffff00 |  *_t57 == 0x0000003a;
					}
					if(_t44 != 0) {
						_t53 = E00401A68(_t91, _t94 - 0x68, 0, 2);
						_t22 = _t94 - 0x40; // 0x46757c
						 *(_t94 - 4) = 3;
						L00401A1E(_t22, _t53);
						 *(_t94 - 4) = 1;
						L0040125C(_t94 - 0x68);
					}
				} else {
					_t69 = __ecx + 4;
					_t89 = 0x5c;
					 *((intOrPtr*)(_t94 - 0x14)) = _t89;
					_t101 = E0040238F(__ecx + 4, _t94 - 0x14, 2, 1) -  *0x467594; // 0xffffffff
					if(_t101 != 0) {
						 *((intOrPtr*)(_t94 - 0x14)) = _t89;
						_t59 = E0040238F(_t69, _t94 - 0x14, _t59 + 1, 1);
					}
					_t61 = E00401A68(_t91, _t94 - 0x68, 0, _t59);
					_t13 = _t94 - 0x40; // 0x46757c
					 *(_t94 - 4) = 2;
					L00401A1E(_t13, _t61);
					 *(_t94 - 4) = 1;
					L0040125C(_t94 - 0x68);
					_t87 = 1;
				}
				if( *((char*)(_t94 + 0xc)) != 0) {
					_t28 = _t94 - 0x40; // 0x46757c
					E00402943(_t28, _t94 - 0x68);
					L0040125C(_t94 - 0x68);
				}
				_t92 =  *((intOrPtr*)(_t94 + 8));
				_t31 = _t94 - 0x40; // 0x46757c
				_push(0);
				 *_t92 = 0x46757c;
				 *((intOrPtr*)(_t92 + 0x20)) = 0x467574;
				L00401CDD(_t92);
				 *(_t94 - 0x18) = _t87;
				 *(_t94 - 4) =  *(_t94 - 4) & 0x00000000;
				_t36 = _t94 - 0x40; // 0x46757c
				L0040125C(_t36);
				 *[fs:0x0] =  *((intOrPtr*)(_t94 - 0xc));
				return _t92;
			}

0x00402248
0x00402255
0x0040225a
0x0040225b
0x0040225f
0x00402262
0x00402269
0x00402270
0x00402279
0x0040227a
0x00402284
0x004022e4
0x004022e9
0x00402309
0x004022ef
0x004022ef
0x004022f4
0x004022fd
0x004022f6
0x004022f6
0x004022f6
0x00402304
0x00402304
0x0040230d
0x00402318
0x0040231e
0x00402321
0x00402325
0x0040232d
0x00402331
0x00402331
0x00402286
0x00402288
0x0040228b
0x00402296
0x0040229e
0x004022a4
0x004022b0
0x004022b3
0x004022b3
0x004022c1
0x004022c7
0x004022ca
0x004022ce
0x004022d6
0x004022da
0x004022e1
0x004022e1
0x0040233a
0x0040233f
0x00402343
0x0040234b
0x0040234b
0x00402350
0x00402353
0x00402356
0x0040235b
0x00402361
0x00402368
0x0040236d
0x00402370
0x00402374
0x00402377
0x00402384
0x0040238c

APIs

__EH_prolog.LIBCMT ref: 00402248

Part of subcall function 00401C68: __EH_prolog.LIBCMT ref: 00401C6D
Part of subcall function 00401C68: GetLastError.KERNEL32(00467574,00000000,0046757C,?,0040E781,?,00000000,?,00000000), ref: 00401C96
Part of subcall function 00401C68: SetLastError.KERNEL32(?,00000000,?,0040E781,?,00000000,?,00000000), ref: 00401CC4

Strings

|uF, xrefs: 004022C7
puF, xrefs: 004022F6
tuF, xrefs: 00402361
tuF, xrefs: 00402269

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorH_prologLast
String ID: puF$tuF$tuF$|uF
API String ID: 1057991267-470079222
Opcode ID: e10871ad9ed2f8140651231550cf3aaa2bfc7a4c2bb005527e505f9ce0c97e09
Instruction ID: 19ef8dc64543a560d058212fe0915cb8bc950248631bb34def88f0595e663f59
Opcode Fuzzy Hash: e10871ad9ed2f8140651231550cf3aaa2bfc7a4c2bb005527e505f9ce0c97e09
Instruction Fuzzy Hash: 18419771A00308AEDF11EB95C985BEEB7B8AB54308F10406FE506F72C1DBBC5A45CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00452980 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E00452980(void* __ecx, intOrPtr _a4) {
				intOrPtr _v4;
				intOrPtr _v12;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v36;
				char _v40;
				void* _v52;
				intOrPtr _v56;
				char _v64;
				void* _v72;
				void* _v76;
				intOrPtr _v80;
				intOrPtr _v88;
				intOrPtr _t31;
				intOrPtr _t33;
				void* _t34;
				signed int _t80;
				intOrPtr _t82;
				void* _t83;

				_push(0xffffffff);
				_push(E004667C0);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t82;
				_t83 = _t82 - 0x34;
				_t31 =  *0x4675f4; // 0x24
				_v56 = 0x4675f0;
				_v24 = 0x4675e8;
				 *((intOrPtr*)(_t83 + _t31 + 0x14)) = GetLastError();
				_t33 = _a4;
				_v4 = 0;
				if(_t33 == 0) {
					_t34 = 0;
				} else {
					_t34 = _t33 + 4;
				}
				L00452D50( &_v52, _t34);
				L00447D30( &_v40);
				L00447D70( &_v28, 0);
				_v24 = 0;
				_v12 = 1;
				E00456190();
				_t15 =  &_v40; // 0x4675e8
				asm("sbb eax, eax");
				_v20 = 0xffffffff;
				_t41 =  ~( &_v72) & _t15;
				 *((intOrPtr*)( *((intOrPtr*)( *( ~( &_v72) & _t15) + 4)) + _t41)) = GetLastError();
				asm("sbb esi, esi");
				_t80 =  ~( &_v72) &  &_v52;
				E0043AE17( *_t80);
				_t20 = _t80 + 8; // 0x468e68
				__imp__#6( *_t20,  &_v72,  &_v64);
				asm("sbb ecx, ecx");
				E0040213C( ~( &_v76) &  &_v72, 1);
				SetLastError( *(_t83 + 4 +  *((intOrPtr*)(_v80 + 4)) + 0x14));
				 *[fs:0x0] = _v36;
				return _v88 + 0x34;
			}

0x00452980
0x00452982
0x0045298d
0x0045298e
0x00452995
0x00452998
0x004529a8
0x004529b0
0x004529be
0x004529c0
0x004529c8
0x004529cc
0x004529d3
0x004529ce
0x004529ce
0x004529ce
0x004529da
0x004529e3
0x004529ed
0x004529f2
0x00452a02
0x00452a0a
0x00452a13
0x00452a19
0x00452a1b
0x00452a23
0x00452a2e
0x00452a36
0x00452a3c
0x00452a41
0x00452a46
0x00452a4d
0x00452a5d
0x00452a63
0x00452a74
0x00452a88
0x00452a92

APIs

GetLastError.KERNEL32 ref: 004529BC
GetLastError.KERNEL32(?,?,?,?,004675F0,00000000,00000000), ref: 00452A2C
SysFreeString.OLEAUT32(00468E68), ref: 00452A4D
SetLastError.KERNEL32(?,00000001), ref: 00452A74

Strings

uF, xrefs: 00452A13

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorLast$FreeString
String ID: uF
API String ID: 2425351278-700906890
Opcode ID: d8dde4c61ce43b07f0fe30c9af25a7168f0df0a945c503dcdfaecc5cc90ce43a
Instruction ID: 1016264e39e7d01b42e2148a0b576516c107721e59c4490010c648522944a42b
Opcode Fuzzy Hash: d8dde4c61ce43b07f0fe30c9af25a7168f0df0a945c503dcdfaecc5cc90ce43a
Instruction Fuzzy Hash: 7D3170B26083019FC304DF68D981A5BB7E4EF85718F104A2EF59693291E774E909CB97

Uniqueness

Uniqueness Score: -1.00%

Function 0042E4DA Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0042E4DA(void* __eflags) {
				void* _t39;
				signed char _t45;
				signed char _t52;
				signed char _t59;
				void* _t74;
				void* _t75;
				void* _t76;
				void* _t81;

				_t81 = __eflags;
				L0043B644(0x463c75, _t76);
				L0042DF6C(_t76 - 0x80);
				 *(_t76 - 4) =  *(_t76 - 4) & 0x00000000;
				_push(1);
				_push(_t76 - 0xd);
				_push("Kernel32.dll");
				L00401B15(_t76 - 0xa8);
				_push(1);
				_push(_t76 - 0xd0);
				 *(_t76 - 4) = 1;
				_t39 = E00404ADB();
				_push(0);
				_push(_t39);
				 *(_t76 - 4) = 2;
				 *((intOrPtr*)(_t76 - 0x38)) = 0x46757c;
				 *((intOrPtr*)(_t76 - 0x18)) = 0x467574;
				L00401CDD(_t76 - 0x38);
				_push(_t76 - 0xa8);
				_push(_t76 - 0xf8);
				 *(_t76 - 4) = 3;
				_t44 =  *((intOrPtr*)(L00405670(_t76 - 0x38, _t81) + 8));
				 *(_t76 - 4) = 4;
				if( *((intOrPtr*)(L00405670(_t76 - 0x38, _t81) + 8)) == 0) {
					_t44 = 0x467570;
				}
				_t45 = L00439BD1(_t76 - 0x80, _t74, _t75, _t44);
				asm("sbb bl, bl");
				 *(_t76 - 4) = 3;
				L0040125C(_t76 - 0xf8);
				 *(_t76 - 4) = 2;
				L0040125C(_t76 - 0x38);
				 *(_t76 - 4) = 1;
				L0040125C(_t76 - 0xd0);
				 *(_t76 - 4) =  *(_t76 - 4) & 0x00000000;
				L0040125C(_t76 - 0xa8);
				if( ~_t45 + 1 == 0) {
					__eflags =  *(_t76 - 0x74) >> 0x10 - 4;
					if( *(_t76 - 0x74) >> 0x10 != 4) {
						L7:
						_t52 = 0;
						__eflags = 0;
					} else {
						__eflags =  *(_t76 - 0x74) - 0x5a;
						if( *(_t76 - 0x74) != 0x5a) {
							goto L7;
						} else {
							_t52 = 1;
						}
					}
					_t59 = _t52;
				} else {
					_t59 = 0;
				}
				 *((intOrPtr*)(_t76 - 0x80)) = 0x46825c;
				L0042DFD4(_t76 - 0x80);
				 *[fs:0x0] =  *((intOrPtr*)(_t76 - 0xc));
				return _t59;
			}

0x0042e4da
0x0042e4df
0x0042e4ed
0x0042e4f2
0x0042e4f9
0x0042e4fb
0x0042e4fc
0x0042e507
0x0042e512
0x0042e514
0x0042e515
0x0042e519
0x0042e520
0x0042e522
0x0042e526
0x0042e52a
0x0042e531
0x0042e538
0x0042e546
0x0042e54d
0x0042e54e
0x0042e557
0x0042e55a
0x0042e560
0x0042e562
0x0042e562
0x0042e56c
0x0042e57b
0x0042e57d
0x0042e583
0x0042e58b
0x0042e58f
0x0042e59a
0x0042e59e
0x0042e5a3
0x0042e5ad
0x0042e5b4
0x0042e5c0
0x0042e5c4
0x0042e5d1
0x0042e5d1
0x0042e5d1
0x0042e5c6
0x0042e5c6
0x0042e5cb
0x00000000
0x0042e5cd
0x0042e5cd
0x0042e5cd
0x0042e5cb
0x0042e5d3
0x0042e5b6
0x0042e5b6
0x0042e5b6
0x0042e5d8
0x0042e5df
0x0042e5ea
0x0042e5f2

APIs

__EH_prolog.LIBCMT ref: 0042E4DF

Part of subcall function 00401B15: __EH_prolog.LIBCMT ref: 00401B1A
Part of subcall function 00401B15: SetLastError.KERNEL32(?,?,00000000,?,?,00401AE5,?,?,00000001), ref: 00401B80

Part of subcall function 00404ADB: __EH_prolog.LIBCMT ref: 00404AE0
Part of subcall function 00404ADB: GetModuleHandleW.KERNEL32(KERNEL32.DLL,004675A0,00467598,00000000), ref: 00404B08
Part of subcall function 00404ADB: GetProcAddress.KERNEL32(00000000,GetSystemWindowsDirectoryW), ref: 00404B18

Part of subcall function 00401CDD: __EH_prolog.LIBCMT ref: 00401CE2
Part of subcall function 00401CDD: GetLastError.KERNEL32(00467574,00000000,0046757C,?,004021DC,?,00000000,00000000,00000000,?,00000000), ref: 00401D0A
Part of subcall function 00401CDD: SetLastError.KERNEL32(?,00000000,00000000,00000000,?,004021DC,?,00000000,00000000,00000000,?,00000000), ref: 00401D57

Part of subcall function 00405670: __EH_prolog.LIBCMT ref: 00405675

Strings

|uF, xrefs: 0042E52A
Kernel32.dll, xrefs: 0042E4FC
tuF, xrefs: 0042E531
puF, xrefs: 0042E562

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: H_prolog$ErrorLast$AddressHandleModuleProc
String ID: Kernel32.dll$puF$tuF$|uF
API String ID: 211623515-3733994101
Opcode ID: 68170a934bd635c7d3ea206b82defd38511ff90615794fcf45a588e5bddaf7e9
Instruction ID: f78a0168724e43a2688cdfb4090a1d4ea827945dce951bf5d8380e27c16dec54
Opcode Fuzzy Hash: 68170a934bd635c7d3ea206b82defd38511ff90615794fcf45a588e5bddaf7e9
Instruction Fuzzy Hash: 0531A630D40258ADDF10DB95D585BDDBB78AB15308F50409EE045B3282EF785B88DB1A

Uniqueness

Uniqueness Score: -1.00%

Function 0040A4B6 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0040A4B6(intOrPtr __ecx, void* __eflags) {
				intOrPtr _t25;
				void* _t27;
				intOrPtr _t40;
				intOrPtr _t44;
				intOrPtr _t50;
				void* _t56;
				intOrPtr _t65;

				L0043B644(0x45fcfc, _t56);
				_push(0);
				_push(_t56 - 0xd);
				 *((intOrPtr*)(_t56 - 0x14)) = __ecx;
				 *((intOrPtr*)(_t56 - 0x3c)) = 0x4675d8;
				 *((intOrPtr*)(_t56 - 0x1c)) = 0x4675d0;
				L0040B243(_t56 - 0x3c);
				_t25 =  *((intOrPtr*)(__ecx + 0xd8));
				_t63 = _t25;
				 *(_t56 - 4) = 0;
				_t50 = 0x4675e4;
				if(_t25 != 0) {
					_t50 = _t25;
				}
				_t44 =  *0x47e1d4; // 0x2380b70
				_t27 = E00403E82(_t44, _t63, _t56 - 0x64, 0x676);
				_t28 =  *((intOrPtr*)(_t27 + 8));
				 *(_t56 - 4) = 1;
				if( *((intOrPtr*)(_t27 + 8)) == 0) {
					_t28 = 0x467570;
				}
				L0040AF38(_t56 - 0x3c, _t28, _t50);
				 *(_t56 - 4) = 0;
				L0040125C(_t56 - 0x64);
				_t65 =  *0x47e1d1; // 0x0
				if(_t65 != 0) {
					L9:
					 *0x47e1d0 = 1;
					EnableWindow(GetDlgItem( *(_t56 + 8), 9), 0);
				} else {
					_t36 =  *((intOrPtr*)(_t56 - 0x34));
					if( *((intOrPtr*)(_t56 - 0x34)) == 0) {
						_t36 = 0x4675e4;
					}
					if(E004084D4( *((intOrPtr*)(_t56 - 0x14)), _t36, 4, 6) == 6) {
						goto L9;
					} else {
						 *0x47e1d0 = 0;
					}
				}
				_t40 =  *0x47e1d0; // 0x0
				 *(_t56 - 4) =  *(_t56 - 4) | 0xffffffff;
				E004061C1(_t56 - 0x3c);
				 *[fs:0x0] =  *((intOrPtr*)(_t56 - 0xc));
				return _t40;
			}

0x0040a4bb
0x0040a4cd
0x0040a4ce
0x0040a4d2
0x0040a4d5
0x0040a4dc
0x0040a4e3
0x0040a4e8
0x0040a4f3
0x0040a4f5
0x0040a4f8
0x0040a4fa
0x0040a4fc
0x0040a4fc
0x0040a4fe
0x0040a50d
0x0040a512
0x0040a515
0x0040a51b
0x0040a51d
0x0040a51d
0x0040a528
0x0040a533
0x0040a536
0x0040a53b
0x0040a541
0x0040a566
0x0040a56c
0x0040a57a
0x0040a543
0x0040a543
0x0040a548
0x0040a54a
0x0040a54a
0x0040a55c
0x00000000
0x0040a55e
0x0040a55e
0x0040a55e
0x0040a55c
0x0040a580
0x0040a586
0x0040a58d
0x0040a59a
0x0040a5a2

APIs

__EH_prolog.LIBCMT ref: 0040A4BB

Part of subcall function 0040B243: __EH_prolog.LIBCMT ref: 0040B248
Part of subcall function 0040B243: GetLastError.KERNEL32(?,?,00000000,?,0040A625,?,00000000,?,?,0040F157,C:\CodeBases\isdev\src\Runtime\InstallScript\SetupNew\setup.cpp,?,00000001,00467574,00000000,0046757C), ref: 0040B271
Part of subcall function 0040B243: SetLastError.KERNEL32(?,00000000,?,00000000,?,0040A625,?,00000000,?,?,0040F157,C:\CodeBases\isdev\src\Runtime\InstallScript\SetupNew\setup.cpp,?,00000001,00467574,00000000), ref: 0040B29F

GetDlgItem.USER32 ref: 0040A573
EnableWindow.USER32(00000000), ref: 0040A57A

Strings

puF, xrefs: 0040A51D
uF, xrefs: 0040A4EE

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorH_prologLast$EnableItemWindow
String ID: puF$uF
API String ID: 2857171898-2786608507
Opcode ID: b7201ce2f5a893f84749e72fc6ccd3c67f8fd1fdb9746df9a32c1d3185276760
Instruction ID: 890b8da829defe3c35641f222f65b31e6b904468c3b14dd050efc7c03572c288
Opcode Fuzzy Hash: b7201ce2f5a893f84749e72fc6ccd3c67f8fd1fdb9746df9a32c1d3185276760
Instruction Fuzzy Hash: 9E21A871D00244BBCB14DBA5DC45A9DB7B8EB15308F1041BBF546F7291EB788E48C75A

Uniqueness

Uniqueness Score: -1.00%

Function 004141E3 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 74
stringCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E004141E3(void* __ebx, intOrPtr __ecx, void* __eflags) {
				void* __edi;
				void* __esi;
				WCHAR* _t24;
				void* _t27;
				void* _t38;
				intOrPtr _t51;
				void* _t53;
				intOrPtr _t55;
				void* _t56;

				_t38 = __ebx;
				L0043B644(0x461130, _t56);
				_t51 = __ecx;
				_t48 = __ecx + 8;
				 *((intOrPtr*)(_t56 - 0x14)) = __ecx;
				 *((intOrPtr*)(_t56 - 0x40)) = __ecx;
				L0043B670(_t56 - 0x80, __ecx + 8, 0x40);
				 *(_t56 - 4) =  *(_t56 - 4) & 0x00000000;
				_push(1);
				_push(_t56 - 0xd);
				_push("C:\\CodeBases\\isdev\\src\\Runtime\\InstallScript\\SetupNew\\setup.cpp");
				_t24 =  *(E0040A5F5(_t56 - 0x3c) + 8);
				if(_t24 == 0) {
					_t24 = 0x4675e4;
				}
				lstrcpyW(_t51 + 0x50, _t24);
				E004061C1(_t56 - 0x3c);
				_t27 = E0043C804(_t38, _t48, _t51 + 0x50, _t56, _t48, 3, 0x43b31a,  *(_t56 - 4), 0x46c820);
				_t66 = _t27;
				if(_t27 != 0) {
					_t53 = _t27;
				} else {
					_t55 =  *((intOrPtr*)(_t56 - 0x14));
					L00415C13(_t55, L0041575B(_t38, _t55, _t66), 0x1d7);
					L00415C13(_t55,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t55 + 0x294)))) + 0x10))(0x1d9),  *((intOrPtr*)(_t55 + 0x294)));
					_t53 = 0;
				}
				L0043B670( *((intOrPtr*)(_t56 - 0x40)) + 8, _t56 - 0x80, 0x40);
				 *[fs:0x0] =  *((intOrPtr*)(_t56 - 0xc));
				return _t53;
			}

0x004141e3
0x004141e8
0x004141f1
0x004141f6
0x004141fe
0x00414201
0x00414204
0x0041420c
0x00414213
0x00414215
0x00414216
0x00414223
0x00414228
0x0041422a
0x0041422a
0x00414234
0x0041423d
0x00414252
0x0041425a
0x0041425c
0x004142b5
0x0041425e
0x0041425e
0x00414270
0x00414289
0x0041428e
0x0041428e
0x0041429d
0x004142aa
0x004142b4

APIs

__EH_prolog.LIBCMT ref: 004141E8

Part of subcall function 0040A5F5: __EH_prolog.LIBCMT ref: 0040A5FA
Part of subcall function 0040A5F5: SetLastError.KERNEL32(?,?,00000000,?,?,0040F157,C:\CodeBases\isdev\src\Runtime\InstallScript\SetupNew\setup.cpp,?,00000001,00467574,00000000,0046757C), ref: 0040A660

lstrcpyW.KERNEL32 ref: 00414234
__setjmp3.LIBCMT ref: 00414252

Strings

uF, xrefs: 0041422A
C:\CodeBases\isdev\src\Runtime\InstallScript\SetupNew\setup.cpp, xrefs: 00414216

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: H_prolog$ErrorLast__setjmp3lstrcpy
String ID: C:\CodeBases\isdev\src\Runtime\InstallScript\SetupNew\setup.cpp$uF
API String ID: 746370007-983517006
Opcode ID: 94ac7b94be17b14e4e835e9ccfb3fad171da342fff7740afbde6ca93a8990bf1
Instruction ID: 19589a3641052e72120cacd840cbe38e0fab869edac53ce4d9d3ac0d94f3705e
Opcode Fuzzy Hash: 94ac7b94be17b14e4e835e9ccfb3fad171da342fff7740afbde6ca93a8990bf1
Instruction Fuzzy Hash: F8218771A00514FBDB10EB55DC42FEE73ACEF84B08F14006AFA05F7281EB789A45879A

Uniqueness

Uniqueness Score: -1.00%

Function 00414114 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 70
stringCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00414114(void* __ebx, intOrPtr __ecx, void* __eflags) {
				void* __edi;
				void* __esi;
				WCHAR* _t26;
				void* _t29;
				void* _t38;
				intOrPtr _t50;
				void* _t52;
				void* _t55;

				_t38 = __ebx;
				L0043B644(0x46111c, _t55);
				_t50 = __ecx;
				_t47 = __ecx + 8;
				 *((intOrPtr*)(_t55 - 0x14)) = __ecx;
				 *((intOrPtr*)(_t55 - 0x40)) = __ecx;
				L0043B670(_t55 - 0x80, __ecx + 8, 0x40);
				 *(_t55 - 4) =  *(_t55 - 4) & 0x00000000;
				_push(1);
				_push(_t55 - 0xd);
				_push("C:\\CodeBases\\isdev\\src\\Runtime\\InstallScript\\SetupNew\\setup.cpp");
				_t26 =  *(E0040A5F5(_t55 - 0x3c) + 8);
				if(_t26 == 0) {
					_t26 = 0x4675e4;
				}
				lstrcpyW(_t50 + 0x50, _t26);
				E004061C1(_t55 - 0x3c);
				_t29 = E0043C804(_t38, _t47, _t50 + 0x50, _t55, _t47, 3, 0x43b31a,  *(_t55 - 4), 0x46c7f8);
				if(_t29 != 0) {
					_t52 = _t29;
					 *((intOrPtr*)( *((intOrPtr*)(_t55 - 0x14)) + 0x390)) = 0xffffec6d;
				} else {
					L00415C13( *((intOrPtr*)(_t55 - 0x14)),  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t55 - 0x14)) + 0x294)))) + 0xc))(0x1c7),  *((intOrPtr*)( *((intOrPtr*)(_t55 - 0x14)) + 0x294)));
					_t52 = 0;
				}
				L0043B670( *((intOrPtr*)(_t55 - 0x40)) + 8, _t55 - 0x80, 0x40);
				 *[fs:0x0] =  *((intOrPtr*)(_t55 - 0xc));
				return _t52;
			}

0x00414114
0x00414119
0x00414122
0x00414127
0x0041412f
0x00414132
0x00414135
0x0041413d
0x00414144
0x00414146
0x00414147
0x00414154
0x00414159
0x0041415b
0x0041415b
0x00414165
0x0041416e
0x00414183
0x0041418d
0x004141d5
0x004141d7
0x0041418f
0x004141a6
0x004141ab
0x004141ab
0x004141ba
0x004141c7
0x004141d1

APIs

__EH_prolog.LIBCMT ref: 00414119

Part of subcall function 0040A5F5: __EH_prolog.LIBCMT ref: 0040A5FA
Part of subcall function 0040A5F5: SetLastError.KERNEL32(?,?,00000000,?,?,0040F157,C:\CodeBases\isdev\src\Runtime\InstallScript\SetupNew\setup.cpp,?,00000001,00467574,00000000,0046757C), ref: 0040A660

lstrcpyW.KERNEL32 ref: 00414165
__setjmp3.LIBCMT ref: 00414183

Strings

C:\CodeBases\isdev\src\Runtime\InstallScript\SetupNew\setup.cpp, xrefs: 00414147
uF, xrefs: 0041415B

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: H_prolog$ErrorLast__setjmp3lstrcpy
String ID: C:\CodeBases\isdev\src\Runtime\InstallScript\SetupNew\setup.cpp$uF
API String ID: 746370007-983517006
Opcode ID: a71309c8bc6c4f200b29201d49fd30cd08e9bab68f12fbff9433212bc3137c9e
Instruction ID: 6fa26325f0f0e989a2ea8b1a1185d8d00ca8c4b04aea055963ff1376607dcaeb
Opcode Fuzzy Hash: a71309c8bc6c4f200b29201d49fd30cd08e9bab68f12fbff9433212bc3137c9e
Instruction Fuzzy Hash: F92195B1A00114BBDB10DB54CC46FDE77B8EB44708F14006AFA05F7281EB789E05879A

Uniqueness

Uniqueness Score: -1.00%

Function 00402986 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E00402986(void* __ecx, char _a4, char _a8) {
				signed int _v8;
				void* __ebp;
				signed int _t17;
				signed int _t20;
				intOrPtr _t22;
				signed int* _t23;
				signed int _t26;
				intOrPtr _t30;
				intOrPtr* _t31;
				void* _t35;
				void* _t37;

				_push(__ecx);
				_v8 = _v8 & 0x00000000;
				_t35 = __ecx;
				_t30 =  *((intOrPtr*)(__ecx + 0xc));
				_t26 = _t30 - 1;
				if(_t30 == 0 || _t26 >= _t30) {
					_t17 = 0;
				} else {
					_t22 =  *((intOrPtr*)(__ecx + 8));
					if(_t22 != 0) {
						_t23 = _t22 + _t26 * 2;
					} else {
						_t23 = 0x467570;
					}
					_t24 =  *_t23;
					_t8 =  &_a8; // 0x5c
					_t17 =  *_t23 & 0xffffff00 | _t24 ==  *_t8;
				}
				if(_t17 != 0) {
					_t20 =  *(_t35 + 0x1c);
					if(_t20 != 0) {
						__imp__#6(_t20);
						 *(_t35 + 0x1c) =  *(_t35 + 0x1c) & 0x00000000;
					}
					L00401F50(_t35 + 4, _t37, _t30 - 1, 1);
				}
				_t15 =  &_a4; // 0x467574
				_t31 =  *_t15;
				_push(0);
				_push(_t35);
				 *_t31 = 0x46757c;
				 *((intOrPtr*)(_t31 + 0x20)) = 0x467574;
				L00401CDD(_t31);
				return _t31;
			}

0x00402989
0x0040298a
0x0040298f
0x00402992
0x00402997
0x0040299a
0x004029bd
0x004029a0
0x004029a0
0x004029a5
0x004029ae
0x004029a7
0x004029a7
0x004029a7
0x004029b1
0x004029b4
0x004029b8
0x004029b8
0x004029c1
0x004029c3
0x004029c8
0x004029cb
0x004029d1
0x004029d1
0x004029dc
0x004029dc
0x004029e1
0x004029e1
0x004029e4
0x004029e6
0x004029e9
0x004029ef
0x004029f6
0x00402a00

APIs

SysFreeString.OLEAUT32(?), ref: 004029CB

Strings

tuF, xrefs: 004029E1
tuF, xrefs: 004029EF
puF, xrefs: 004029A7
\tuF, xrefs: 004029B4

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: FreeString
String ID: \tuF$puF$tuF$tuF
API String ID: 3341692771-2090975921
Opcode ID: d11cb3e6a63da5f7f9fda28455b0316614356fd212ff254f8d319d616d8a4ccc
Instruction ID: aeb6824c45771695924bfeccdee7e655169803be1b822bd58814d2411f5e0506
Opcode Fuzzy Hash: d11cb3e6a63da5f7f9fda28455b0316614356fd212ff254f8d319d616d8a4ccc
Instruction Fuzzy Hash: 28019272314201ABCB209F19CA05BA6B3A8EF81714F14416FA846A77D0E7B8E905CB6D

Uniqueness

Uniqueness Score: -1.00%

Function 004129C7 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E004129C7(intOrPtr* __ecx, void* __edx) {
				char* _t18;
				void* _t21;
				void* _t24;
				void* _t33;
				intOrPtr* _t35;
				void* _t38;
				void* _t40;

				_t33 = __edx;
				L0043B644(0x460e74, _t40);
				_t35 = __ecx;
				_t18 = L" This setup was created with an EVALUATION VERSION of %s. Evaluation setups work for only %s hours after they were built. Please rebuild the setup to run it again. The setup will now exit.";
				 *((intOrPtr*)(_t40 - 0x38)) = 0x46757c;
				 *((intOrPtr*)(_t40 - 0x18)) = 0x467574;
				if(_t18 == 0) {
					_t18 = 0x47e150;
				}
				_push(0);
				_push(_t40 - 0xd);
				_push(_t18);
				_t4 = _t40 - 0x38; // 0x46757c
				L0040176A(_t4);
				_t5 = _t40 - 0x38; // 0x46757c
				 *(_t40 - 4) =  *(_t40 - 4) & 0x00000000;
				_push(0x86e);
				_push(5);
				_push( *((intOrPtr*)(_t40 + 0xc)));
				_push( *((intOrPtr*)(_t40 + 8)));
				_t21 = E00412A56(_t35, _t33);
				 *(_t40 - 4) =  *(_t40 - 4) | 0xffffffff;
				_t12 = _t40 - 0x38; // 0x46757c
				_t38 = _t21;
				L0040125C(_t12);
				if(_t38 == 0) {
					E004127B8(_t35,  *((intOrPtr*)(_t40 + 8)),  *((intOrPtr*)(_t40 + 0x10)));
					_t24 = 0;
				} else {
					_t24 = _t38;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t40 - 0xc));
				return _t24;
			}

0x004129c7
0x004129cc
0x004129d6
0x004129d8
0x004129df
0x004129e8
0x004129ef
0x004129f1
0x004129f1
0x004129f9
0x004129fb
0x004129fc
0x004129fd
0x00412a00
0x00412a05
0x00412a08
0x00412a0d
0x00412a12
0x00412a16
0x00412a19
0x00412a1c
0x00412a21
0x00412a25
0x00412a28
0x00412a2a
0x00412a31
0x00412a3f
0x00412a44
0x00412a33
0x00412a33
0x00412a33
0x00412a4b
0x00412a53

APIs

__EH_prolog.LIBCMT ref: 004129CC

Part of subcall function 004127B8: __EH_prolog.LIBCMT ref: 004127BD

Strings

PG, xrefs: 004129F1
This setup was created with an EVALUATION VERSION of %s. Evaluation setups work for only %s hours after they were built. Please r, xrefs: 004129D8, 004129FC
|uF, xrefs: 004129FD
tuF, xrefs: 004129E8

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: H_prolog
String ID: This setup was created with an EVALUATION VERSION of %s. Evaluation setups work for only %s hours after they were built. Please r$PG$tuF$|uF
API String ID: 3519838083-1983415454
Opcode ID: 69ef6f00d487749d6ee7d92e5ddb7af70564dd315585fdd2ca2a366e107ab4ac
Instruction ID: 2ec940a07a1d5a1dfe412328aa54c317d656f7c35e56f7dcb9c03d70ee4d112e
Opcode Fuzzy Hash: 69ef6f00d487749d6ee7d92e5ddb7af70564dd315585fdd2ca2a366e107ab4ac
Instruction Fuzzy Hash: 3C019235A00204BBCB15DB69C942BEFBF75EF44714F50822AF816E7291DBB88A50CB48

Uniqueness

Uniqueness Score: -1.00%

Function 0041A57D Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E0041A57D(void* __ecx) {
				char* _t16;
				signed int _t19;
				signed int _t24;
				void* _t34;
				void* _t36;

				L0043B644(0x461e08, _t36);
				_t34 = __ecx;
				_t16 = L"http://";
				 *((intOrPtr*)(_t36 - 0x38)) = 0x46757c;
				 *((intOrPtr*)(_t36 - 0x18)) = 0x467574;
				if(_t16 == 0) {
					_t16 = 0x47e150;
				}
				_t24 = 0;
				_push(0);
				_push(_t36 - 0xd);
				_push(_t16);
				_t4 = _t36 - 0x38; // 0x46757c
				L0040176A(_t4);
				_t5 = _t36 - 0x38; // 0x46757c
				 *(_t36 - 4) = 0;
				_t19 = E0040248C(_t34, _t5, 0);
				if(_t19 == 0 && (_t19 & 0xffffff00 |  *((intOrPtr*)(_t34 + 0xc)) - 0x00000007 > 0x00000000) != 0) {
					_t24 = 1;
				}
				 *(_t36 - 4) =  *(_t36 - 4) | 0xffffffff;
				_t12 = _t36 - 0x38; // 0x46757c
				L0040125C(_t12);
				 *[fs:0x0] =  *((intOrPtr*)(_t36 - 0xc));
				return _t24;
			}

0x0041a582
0x0041a58c
0x0041a58e
0x0041a595
0x0041a59e
0x0041a5a5
0x0041a5a7
0x0041a5a7
0x0041a5ac
0x0041a5b1
0x0041a5b2
0x0041a5b3
0x0041a5b4
0x0041a5b7
0x0041a5bc
0x0041a5c3
0x0041a5c6
0x0041a5cd
0x0041a5da
0x0041a5da
0x0041a5dc
0x0041a5e0
0x0041a5e3
0x0041a5ef
0x0041a5f7

APIs

__EH_prolog.LIBCMT ref: 0041A582

Strings

PG, xrefs: 0041A5A7
|uF, xrefs: 0041A5B4
http://, xrefs: 0041A58E, 0041A5B3
tuF, xrefs: 0041A59E

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: H_prolog
String ID: PG$http://$tuF$|uF
API String ID: 3519838083-3850368814
Opcode ID: 5d2348a1e15c5981cff63e5bacfa5599a212d769fc544de859e3ab79589fbcf5
Instruction ID: fcc78770edaa9560613f28ef547cf3cc5738fa1fcbad9bea13a76afa77639520
Opcode Fuzzy Hash: 5d2348a1e15c5981cff63e5bacfa5599a212d769fc544de859e3ab79589fbcf5
Instruction Fuzzy Hash: FA018B71A011087FCB14EBA9D5915EE77B9DB04358F00456FF416E3681EB784D448B5D

Uniqueness

Uniqueness Score: -1.00%

Function 0041A5F8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E0041A5F8(void* __ecx) {
				char* _t16;
				signed int _t19;
				signed int _t24;
				void* _t34;
				void* _t36;

				L0043B644(0x461e1c, _t36);
				_t34 = __ecx;
				_t16 = L"https://";
				 *((intOrPtr*)(_t36 - 0x38)) = 0x46757c;
				 *((intOrPtr*)(_t36 - 0x18)) = 0x467574;
				if(_t16 == 0) {
					_t16 = 0x47e150;
				}
				_t24 = 0;
				_push(0);
				_push(_t36 - 0xd);
				_push(_t16);
				_t4 = _t36 - 0x38; // 0x46757c
				L0040176A(_t4);
				_t5 = _t36 - 0x38; // 0x46757c
				 *(_t36 - 4) = 0;
				_t19 = E0040248C(_t34, _t5, 0);
				if(_t19 == 0 && (_t19 & 0xffffff00 |  *((intOrPtr*)(_t34 + 0xc)) - 0x00000008 > 0x00000000) != 0) {
					_t24 = 1;
				}
				 *(_t36 - 4) =  *(_t36 - 4) | 0xffffffff;
				_t12 = _t36 - 0x38; // 0x46757c
				L0040125C(_t12);
				 *[fs:0x0] =  *((intOrPtr*)(_t36 - 0xc));
				return _t24;
			}

0x0041a5fd
0x0041a607
0x0041a609
0x0041a610
0x0041a619
0x0041a620
0x0041a622
0x0041a622
0x0041a627
0x0041a62c
0x0041a62d
0x0041a62e
0x0041a62f
0x0041a632
0x0041a637
0x0041a63e
0x0041a641
0x0041a648
0x0041a655
0x0041a655
0x0041a657
0x0041a65b
0x0041a65e
0x0041a66a
0x0041a672

APIs

__EH_prolog.LIBCMT ref: 0041A5FD

Strings

|uF, xrefs: 0041A62F
tuF, xrefs: 0041A619
PG, xrefs: 0041A622
https://, xrefs: 0041A609, 0041A62E

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: H_prolog
String ID: PG$https://$tuF$|uF
API String ID: 3519838083-117363339
Opcode ID: d752c2b26ff7110bdc30e638b9d40d5764c91c8e8a62225a3b0e7629893cb005
Instruction ID: a3365e055311eebef901f7d01fb80b52d8270d25d5d75d2c257d0ff302d4ebd7
Opcode Fuzzy Hash: d752c2b26ff7110bdc30e638b9d40d5764c91c8e8a62225a3b0e7629893cb005
Instruction Fuzzy Hash: A301D671A01104AFCB04EBA9D982AEEB7B8DB18358F00817FF416E3680E77C4E44CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0041A673 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E0041A673(void* __ecx) {
				char* _t16;
				signed int _t19;
				signed int _t24;
				void* _t34;
				void* _t36;

				L0043B644(0x461e30, _t36);
				_t34 = __ecx;
				_t16 = L"ftp://";
				 *((intOrPtr*)(_t36 - 0x38)) = 0x46757c;
				 *((intOrPtr*)(_t36 - 0x18)) = 0x467574;
				if(_t16 == 0) {
					_t16 = 0x47e150;
				}
				_t24 = 0;
				_push(0);
				_push(_t36 - 0xd);
				_push(_t16);
				_t4 = _t36 - 0x38; // 0x46757c
				L0040176A(_t4);
				_t5 = _t36 - 0x38; // 0x46757c
				 *(_t36 - 4) = 0;
				_t19 = E0040248C(_t34, _t5, 0);
				if(_t19 == 0 && (_t19 & 0xffffff00 |  *((intOrPtr*)(_t34 + 0xc)) - 0x00000006 > 0x00000000) != 0) {
					_t24 = 1;
				}
				 *(_t36 - 4) =  *(_t36 - 4) | 0xffffffff;
				_t12 = _t36 - 0x38; // 0x46757c
				L0040125C(_t12);
				 *[fs:0x0] =  *((intOrPtr*)(_t36 - 0xc));
				return _t24;
			}

0x0041a678
0x0041a682
0x0041a684
0x0041a68b
0x0041a694
0x0041a69b
0x0041a69d
0x0041a69d
0x0041a6a2
0x0041a6a7
0x0041a6a8
0x0041a6a9
0x0041a6aa
0x0041a6ad
0x0041a6b2
0x0041a6b9
0x0041a6bc
0x0041a6c3
0x0041a6d0
0x0041a6d0
0x0041a6d2
0x0041a6d6
0x0041a6d9
0x0041a6e5
0x0041a6ed

APIs

__EH_prolog.LIBCMT ref: 0041A678

Strings

ftp://, xrefs: 0041A684, 0041A6A9
PG, xrefs: 0041A69D
tuF, xrefs: 0041A694
|uF, xrefs: 0041A6AA

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: H_prolog
String ID: PG$ftp://$tuF$|uF
API String ID: 3519838083-1445873752
Opcode ID: e22182a840d72d37f7bff17f2e40f8ef37a737b8b89363088eb9cbf92bca2105
Instruction ID: 8aeee821c98689f08c0f74b2c6effd62a0adf516e54d247b43d8adcc5c6e296f
Opcode Fuzzy Hash: e22182a840d72d37f7bff17f2e40f8ef37a737b8b89363088eb9cbf92bca2105
Instruction Fuzzy Hash: CF01DB719011046FCB14EBA9C9915EE77B8DF04358F04416FF446E3291EB384D548B5D

Uniqueness

Uniqueness Score: -1.00%

Function 00408742 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E00408742(void* __ecx) {
				char* _t22;
				void* _t25;
				char _t26;
				void* _t41;
				void* _t43;

				L0043B644(0x45fa00, _t43);
				_t41 = __ecx;
				_t22 = L".msi";
				 *((intOrPtr*)(_t43 - 0x38)) = 0x46757c;
				 *((intOrPtr*)(_t43 - 0x18)) = 0x467574;
				_t48 = _t22;
				if(_t22 == 0) {
					_t22 = 0x47e150;
				}
				_push(0);
				_push(_t43 - 0xe);
				_push(_t22);
				L0040176A(_t43 - 0x38);
				 *(_t43 - 4) =  *(_t43 - 4) & 0x00000000;
				_push(_t43 - 0x60);
				_t25 = E0040A6F4(_t41 + 0x2a4);
				 *(_t43 - 4) = 1;
				_t26 = L0040B211(_t25, _t48, _t43 - 0x38);
				 *(_t43 - 4) =  *(_t43 - 4) & 0x00000000;
				 *((char*)(_t43 - 0xd)) = _t26;
				L0040125C(_t43 - 0x60);
				 *(_t43 - 4) =  *(_t43 - 4) | 0xffffffff;
				L0040125C(_t43 - 0x38);
				 *[fs:0x0] =  *((intOrPtr*)(_t43 - 0xc));
				return  *((intOrPtr*)(_t43 - 0xd));
			}

0x00408747
0x00408750
0x00408752
0x00408757
0x00408760
0x00408767
0x00408769
0x0040876b
0x0040876b
0x00408773
0x00408775
0x00408776
0x0040877a
0x0040877f
0x00408786
0x0040878d
0x00408795
0x0040879c
0x004087a1
0x004087a8
0x004087ab
0x004087b0
0x004087b7
0x004087c3
0x004087cb

APIs

__EH_prolog.LIBCMT ref: 00408747

Strings

PG, xrefs: 0040876B
.msi, xrefs: 00408752, 00408776
tuF, xrefs: 00408760
|uF, xrefs: 00408757

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: H_prolog
String ID: .msi$PG$tuF$|uF
API String ID: 3519838083-1007228386
Opcode ID: 8999dc23c0dbf5ecb4f90ac2ccc718ce38680fc2119fc13fb637c52046ff060d
Instruction ID: 5871903da7cb0ccbb28bfce96b7bf8a40d415b14be9ea782b79dc4c40578c187
Opcode Fuzzy Hash: 8999dc23c0dbf5ecb4f90ac2ccc718ce38680fc2119fc13fb637c52046ff060d
Instruction Fuzzy Hash: C7019231D04248AACB08EBA4C9557EDBB789F54308F0081AEB017B32D1EF785A08CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0042E6F9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0042E6F9(void* __ecx) {
				signed int _v8;
				intOrPtr* _t16;

				_v8 = _v8 & 0x00000000;
				_t16 = GetProcAddress(GetModuleHandleW(L"kernel32"), "IsWow64Process");
				if(_t16 != 0) {
					 *_t16(GetCurrentProcess(),  &_v8);
				}
				return 0 | _v8 != 0x00000000;
			}

0x0042e6fd
0x0042e719
0x0042e71d
0x0042e72a
0x0042e72a
0x0042e736

APIs

GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 0042E70C
GetProcAddress.KERNEL32(00000000), ref: 0042E713
GetCurrentProcess.KERNEL32(00000000), ref: 0042E723

Strings

kernel32, xrefs: 0042E707
IsWow64Process, xrefs: 0042E702

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: AddressCurrentHandleModuleProcProcess
String ID: IsWow64Process$kernel32
API String ID: 4190356694-3789238822
Opcode ID: 7cfaf255bb3b8876612b3ac386314aad57ef68315cc7202a8567d42468c52609
Instruction ID: b17dd7e87c07eb5deb15951b31d52cb449fe1a1ed338857337db47cf76381064
Opcode Fuzzy Hash: 7cfaf255bb3b8876612b3ac386314aad57ef68315cc7202a8567d42468c52609
Instruction Fuzzy Hash: 13E08671D05318FBCF109BF09C0DBCF76AC9B06769B104566F400E3240EAB8DD0087A9

Uniqueness

Uniqueness Score: -1.00%

Function 0041A04F Relevance: 7.6, APIs: 5, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E0041A04F(intOrPtr* __ecx) {
				intOrPtr _t35;
				intOrPtr _t41;
				intOrPtr _t47;
				intOrPtr* _t49;
				intOrPtr _t63;
				intOrPtr* _t67;
				void* _t69;
				void* _t73;

				L0043B644(0x461d93, _t69);
				_push(__ecx);
				_t67 = __ecx;
				 *((intOrPtr*)(_t69 - 0x10)) = __ecx;
				if( *((intOrPtr*)(_t69 + 0x14)) != 0) {
					 *((intOrPtr*)(__ecx + 0xc)) = 0x46801c;
					 *((intOrPtr*)(__ecx + 0x14)) = 0x468014;
				}
				_t35 =  *((intOrPtr*)(_t67 + 0xc));
				_t49 = _t67 + 0xc;
				_t7 = _t35 + 4; // 0xc
				 *((intOrPtr*)( *_t7 + _t49)) = GetLastError();
				 *(_t69 - 4) =  *(_t69 - 4) & 0x00000000;
				 *(_t67 + 0x10) =  *(_t67 + 0x10) & 0x00000000;
				 *(_t69 - 4) = 1;
				_t63 = 1;
				 *((intOrPtr*)(_t67 + 4)) = L0043BC14(_t63);
				 *((intOrPtr*)(_t67 + 8)) = _t63;
				 *_t67 = 0x468010;
				_t17 =  *((intOrPtr*)(_t67 + 0x14)) + 4; // 0x4
				SetLastError( *( *_t17 + _t67 + 0x14));
				_t41 =  *((intOrPtr*)(_t69 + 0x10));
				 *_t67 = 0x468008;
				_t73 = _t41 -  *0x467fe8; // 0xffffffff
				if(_t73 == 0) {
					_t47 =  *((intOrPtr*)( *((intOrPtr*)(_t69 + 8)) + 0x10));
					if(_t47 != 0) {
						__imp__#7(_t47);
					}
					_t41 = _t47 -  *(_t69 + 0xc);
				}
				 *((intOrPtr*)(_t69 + 0x14)) = _t67;
				 *(_t69 - 4) = 4;
				if(_t67 != 0) {
					_push(1);
					_push( *((intOrPtr*)( *((intOrPtr*)(_t69 + 8)) + 0x10)) +  *(_t69 + 0xc) * 2);
					_push(_t41);
					E0041A135(_t67);
				}
				SetLastError( *( *((intOrPtr*)( *_t49 + 4)) + _t67 + 0xc));
				 *[fs:0x0] =  *((intOrPtr*)(_t69 - 0xc));
				return _t67;
			}

0x0041a054
0x0041a059
0x0041a060
0x0041a063
0x0041a066
0x0041a068
0x0041a06f
0x0041a06f
0x0041a076
0x0041a079
0x0041a07c
0x0041a087
0x0041a089
0x0041a08d
0x0041a093
0x0041a097
0x0041a09f
0x0041a0a2
0x0041a0a5
0x0041a0b7
0x0041a0be
0x0041a0c0
0x0041a0c3
0x0041a0c9
0x0041a0cf
0x0041a0d4
0x0041a0d9
0x0041a0dc
0x0041a0dc
0x0041a0e2
0x0041a0e2
0x0041a0e5
0x0041a0ea
0x0041a0ee
0x0041a0f6
0x0041a0fe
0x0041a0ff
0x0041a102
0x0041a102
0x0041a110
0x0041a11a
0x0041a122

APIs

__EH_prolog.LIBCMT ref: 0041A054
GetLastError.KERNEL32(0000005C,00000001,00000000,?,00419491,?,00000000,00000001,00000000,?,00000001,00000001), ref: 0041A081
SetLastError.KERNEL32(?,?,00419491,?,00000000,00000001,00000000,?,00000001,00000001), ref: 0041A0BE
SysStringLen.OLEAUT32(00000000), ref: 0041A0DC
SetLastError.KERNEL32(?,?,00419491,?,00000000,00000001,00000000,?,00000001,00000001), ref: 0041A110

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorLast$H_prologString
String ID:
API String ID: 3649329844-0
Opcode ID: aee24f9526ff0f5a4e4bfe0b34aef8a0794dd2f335a9586a5416bfdd361c97c5
Instruction ID: 226e31de53bc699c49ff19352ad0e180c0afbeb077abd5af6d4773a9a5854734
Opcode Fuzzy Hash: aee24f9526ff0f5a4e4bfe0b34aef8a0794dd2f335a9586a5416bfdd361c97c5
Instruction Fuzzy Hash: A2318771200605DFCB20CF58C984B9ABBF4EF44718F10895EE8958B361DBB8E945CB66

Uniqueness

Uniqueness Score: -1.00%

Function 0043E3B3 Relevance: 7.5, APIs: 5, Instructions: 38
threadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0043E3B3() {
				void _t10;
				long _t15;
				void* _t16;

				_t15 = GetLastError();
				_t16 = TlsGetValue( *0x47ae40);
				if(_t16 == 0) {
					_t16 = L00441E85(1, 0x74);
					if(_t16 == 0 || TlsSetValue( *0x47ae40, _t16) == 0) {
						L0043D444(0x10);
					} else {
						E0043E3A0(_t16);
						_t10 = GetCurrentThreadId();
						 *(_t16 + 4) =  *(_t16 + 4) | 0xffffffff;
						 *_t16 = _t10;
					}
				}
				SetLastError(_t15);
				return _t16;
			}

0x0043e3c1
0x0043e3c9
0x0043e3cd
0x0043e3d8
0x0043e3de
0x0043e408
0x0043e3f1
0x0043e3f2
0x0043e3f8
0x0043e3fe
0x0043e402
0x0043e402
0x0043e3de
0x0043e40f
0x0043e419

APIs

GetLastError.KERNEL32(00000103,7FFFFFFF,0043CC95,0043D696,00000000,?,?,00000000,00000001), ref: 0043E3B5
TlsGetValue.KERNEL32(?,?,00000000,00000001), ref: 0043E3C3
SetLastError.KERNEL32(00000000,?,?,00000000,00000001), ref: 0043E40F

Part of subcall function 00441E85: HeapAlloc.KERNEL32(00000008,?,00000000,00000000,00000001,0043E3D8,00000001,00000074,?,?,00000000,00000001), ref: 00441F7B

TlsSetValue.KERNEL32(00000000,?,?,00000000,00000001), ref: 0043E3E7
GetCurrentThreadId.KERNEL32 ref: 0043E3F8

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorLastValue$AllocCurrentHeapThread
String ID:
API String ID: 2020098873-0
Opcode ID: 09ed93aec1ecac221e4800ceaf663bf22c428b67361d5e97828b54ebb7298d0a
Instruction ID: 6065638d780b03f2f31162f291eb5573a12442795eef3eedaefe3d0bccea3b30
Opcode Fuzzy Hash: 09ed93aec1ecac221e4800ceaf663bf22c428b67361d5e97828b54ebb7298d0a
Instruction Fuzzy Hash: 68F02B315052115BD6312B32BC0D65A3A51AF49775F10013AFD46967E2EFA88C82D69E

Uniqueness

Uniqueness Score: -1.00%

Function 00452030 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 160
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00452030(signed int __ecx, void* __eflags) {
				intOrPtr* _v4;
				intOrPtr _v8;
				intOrPtr _v16;
				intOrPtr _v24;
				void* _v36;
				void* _v48;
				char _v64;
				void* _v68;
				void* _v72;
				intOrPtr _v76;
				intOrPtr _v84;
				char _v96;
				char _v97;
				char _v98;
				char _v100;
				char _v124;
				void* __ebp;
				intOrPtr _t68;
				intOrPtr _t71;
				void* _t77;
				void* _t86;
				void* _t88;
				intOrPtr _t89;
				intOrPtr _t106;
				char* _t108;
				intOrPtr _t115;
				void* _t122;
				signed int _t128;
				signed int _t129;
				intOrPtr* _t130;
				void* _t132;
				signed int _t133;
				void* _t138;
				intOrPtr _t139;
				signed int _t142;
				intOrPtr _t144;

				 *[fs:0x0] = _t144;
				_t133 = __ecx;
				_v84 = 0;
				_t89 =  *((intOrPtr*)(E0043266C(__ecx, __eflags) + 0xc));
				asm("sbb eax, eax");
				_v8 = 0;
				 *((intOrPtr*)( *((intOrPtr*)( *( ~( &_v68) &  &_v36) + 4)) + ( ~( &_v68) &  &_v36))) = GetLastError();
				asm("sbb edi, edi");
				_t128 =  ~( &_v68) &  &_v48;
				E0043AE17( *_t128);
				__imp__#6( *((intOrPtr*)(_t128 + 8)),  &_v64, _t122, _t132, _t138, _t88,  *[fs:0x0], E00466768, 0xffffffff);
				asm("sbb ecx, ecx");
				E0040213C( ~( &_v72) &  &_v68, 1);
				_v16 = 0xffffffff;
				SetLastError( *(_t144 - 0x4c + 4 +  *((intOrPtr*)(_v76 + 4)) + 0x28));
				_t68 =  *0x467594; // 0xffffffff
				_t129 = _t133 + 4;
				_v96 = 0x2e;
				_t139 = E0040202E(_t129,  &_v96, _t68, 1);
				_t71 =  *0x467594; // 0xffffffff
				if(_t139 == _t71 || _t139 < _t89) {
					asm("sbb ebp, ebp");
					_t142 =  ~_t133 & _t129;
					__eflags = _t142;
					_t130 = _v4;
					 *_t130 = 0x4675bc;
					 *((intOrPtr*)(_t130 + 0x20)) = 0x4675b4;
					L00447D40(_t130, 0);
					L00447B80(_t130 + 4,  &_v97);
					L00447D30(_t130 + 0x14);
					L00447D70(_t130 + 0x20, 0);
					_v24 = 3;
					 *((intOrPtr*)(_t130 + 0x24)) =  *((intOrPtr*)(_t133 + 0xc));
					 *((intOrPtr*)(_t130 + 0x28)) = _t71;
					 *(_t130 + 0x2c) = _t142;
					_t77 = L0040563D(_t142,  &_v100,  *((intOrPtr*)(_t133 + 0xc)), _t71);
					_t106 =  *0x467594; // 0xffffffff
					_v36 = 4;
					E004024B9(_t130 + 4, _t77, 0, _t106);
					_v48 = 3;
					_push(1);
					_t108 =  &_v124;
				} else {
					asm("sbb esi, esi");
					_t130 = _v4;
					 *_t130 = 0x4675bc;
					 *((intOrPtr*)(_t130 + 0x20)) = 0x4675b4;
					L00447D40(_t130, 0);
					L00447B80(_t130 + 4,  &_v98);
					L00447D30(_t130 + 0x14);
					L00447D70(_t130 + 0x20, 0);
					_v24 = 1;
					 *((intOrPtr*)(_t130 + 0x24)) = _t139;
					 *((intOrPtr*)(_t130 + 0x28)) = _t71;
					 *(_t130 + 0x2c) =  ~_t133 & _t129;
					_t86 = L0040563D( ~_t133 & _t129,  &_v100, _t139, _t71);
					_t115 =  *0x467594; // 0xffffffff
					_v36 = 2;
					E004024B9(_t130 + 4, _t86, 0, _t115);
					_v48 = 1;
					_push(1);
					_t108 =  &_v124;
				}
				E0040213C(_t108);
				 *[fs:0x0] = _v24;
				return _t130;
			}

0x0045203e
0x00452052
0x00452055
0x0045205e
0x0045206b
0x0045206d
0x00452080
0x00452088
0x0045208e
0x00452093
0x0045209f
0x004520af
0x004520b5
0x004520be
0x004520d2
0x004520d8
0x004520e0
0x004520ea
0x004520f7
0x004520f9
0x00452100
0x0045219c
0x004521a0
0x004521a0
0x004521a2
0x004521aa
0x004521b0
0x004521b7
0x004521c4
0x004521cc
0x004521d6
0x004521e4
0x004521ec
0x004521ef
0x004521f2
0x004521f5
0x004521fa
0x00452200
0x0045220c
0x00452211
0x00452216
0x00452218
0x0045210e
0x00452110
0x00452116
0x0045211e
0x00452124
0x0045212b
0x00452138
0x00452140
0x0045214a
0x00452158
0x00452160
0x00452163
0x00452166
0x00452169
0x0045216e
0x00452174
0x00452180
0x00452185
0x0045218a
0x0045218c
0x0045218c
0x0045221c
0x0045222b
0x00452235

APIs

Part of subcall function 0043266C: __EH_prolog.LIBCMT ref: 00432671

GetLastError.KERNEL32(?,?,0046758C,00000000,00000038,?,?,?,?,?,?,?,?,?,?,?), ref: 0045207A
SysFreeString.OLEAUT32(?), ref: 0045209F
SetLastError.KERNEL32(?), ref: 004520D2

Part of subcall function 00447D40: GetLastError.KERNEL32(?,?,004521BC,00000000,?,FFFFFFFF,00000001), ref: 00447D59

Part of subcall function 00447D70: SetLastError.KERNEL32(?,004675F0,0044C457,00000000,00467570,?), ref: 00447D8A

Strings

., xrefs: 004520EA

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorLast$FreeH_prologString
String ID: .
API String ID: 1156525562-248832578
Opcode ID: 008be679d9056496c88329d8f4f125141090bc54778729ce7d43678c9a0df037
Instruction ID: b8286aae95ee5c111187989465d30f13d797aef141f1191bdd1c2286c4144ce3
Opcode Fuzzy Hash: 008be679d9056496c88329d8f4f125141090bc54778729ce7d43678c9a0df037
Instruction Fuzzy Hash: 4151A4B1108701AFD304DF25C941F5AB7E9FF88718F004A1EF15997691EBB4A909CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0043439C Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E0043439C(intOrPtr* __ecx, void* __edx, void* __eflags) {
				void* __ebx;
				void* _t55;
				intOrPtr _t58;
				intOrPtr _t59;
				void* _t76;
				intOrPtr* _t79;
				intOrPtr* _t103;
				char* _t104;
				intOrPtr _t105;
				void* _t107;
				void* _t109;
				intOrPtr* _t111;

				L0043B644(E0046471F, _t107);
				_t103 = __ecx;
				_t111 = _t109 - 0x5c;
				 *((intOrPtr*)(_t107 - 0x18)) = _t111;
				_t79 = _t111;
				_push(0);
				_push(_t107 + 0x30);
				 *(_t107 - 4) = 1;
				 *_t79 = 0x46757c;
				 *((intOrPtr*)(_t79 + 0x20)) = 0x467574;
				L00401CDD(_t79);
				 *((intOrPtr*)(_t107 - 0x14)) = _t111 - 0x28;
				 *(_t107 - 4) = 2;
				L00401708(_t111 - 0x28, _t107 + 8, 1);
				 *(_t107 - 4) = 1;
				if( *((intOrPtr*)( *_t103 + 0x50))() != 0) {
					_push(_t107 + 0x30);
					_push(_t107 + 8);
					_t55 = L00435084(0x46757c, L004351E9(0x46757c, _t103 + 4, __eflags) + 4, __eflags);
					 *((intOrPtr*)(_t107 - 0x20)) = 0x467574;
					_push(0);
					_push(_t55);
					 *((intOrPtr*)(_t107 - 0x40)) = 0x46757c;
					L00401CDD(_t107 - 0x40);
					__eflags =  *((intOrPtr*)(_t107 - 0x34));
					 *(_t107 - 4) = 3;
					if( *((intOrPtr*)(_t107 - 0x34)) != 0) {
						_t104 = L"0x";
						_t76 = 0xa;
						_t58 = E0040238F(_t107 - 0x3c, _t104, 0, L0043BA1F(_t104));
						__eflags = _t58;
						if(_t58 == 0) {
							_t76 = 0x10;
							_push(1);
							_push(_t107 + 0x5b);
							_push(0x47e150);
							L0040176A(_t107 - 0x90);
							_push(1);
							_push(_t107 - 0xd);
							_push(_t104);
							 *(_t107 - 4) = 4;
							L0040176A(_t107 - 0x68);
							 *(_t107 - 4) = 5;
							L00401E2C(_t107 - 0x40, __eflags, _t107 - 0x68, _t107 - 0x90);
							 *(_t107 - 4) = 4;
							L0040125C(_t107 - 0x68);
							 *(_t107 - 4) = 3;
							L0040125C(_t107 - 0x90);
						}
						_t59 =  *((intOrPtr*)(_t107 - 0x38));
						__eflags = _t59;
						if(_t59 == 0) {
							_t59 = 0x467570;
						}
						_t105 = E0043C997(_t59, 0, _t76);
					} else {
						_t105 =  *((intOrPtr*)(_t107 + 0x58));
					}
					 *(_t107 - 4) = 1;
					L0040125C(_t107 - 0x40);
				} else {
					_t105 =  *((intOrPtr*)(_t107 + 0x58));
				}
				 *(_t107 - 4) =  *(_t107 - 4) & 0x00000000;
				L0040125C(_t107 + 8);
				 *(_t107 - 4) =  *(_t107 - 4) | 0xffffffff;
				L0040125C(_t107 + 0x30);
				 *[fs:0x0] =  *((intOrPtr*)(_t107 - 0xc));
				return _t105;
			}

0x004343a1
0x004343af
0x004343b1
0x004343b7
0x004343ba
0x004343c6
0x004343c8
0x004343c9
0x004343d0
0x004343d2
0x004343d5
0x004343e2
0x004343e8
0x004343ec
0x004343f5
0x004343fe
0x0043440e
0x00434412
0x0043441d
0x00434422
0x00434427
0x00434428
0x0043442c
0x0043442f
0x00434434
0x00434437
0x0043443b
0x00434447
0x0043444c
0x0043445a
0x0043445f
0x00434461
0x00434468
0x0043446f
0x00434471
0x00434472
0x00434477
0x0043447f
0x00434481
0x00434482
0x00434486
0x0043448a
0x0043449d
0x004344a1
0x004344a9
0x004344ad
0x004344b8
0x004344bc
0x004344bc
0x004344c1
0x004344c4
0x004344c6
0x004344c8
0x004344c8
0x004344d8
0x0043443d
0x0043443d
0x0043443d
0x004344dd
0x004344e1
0x00434400
0x00434400
0x00434400
0x004344e6
0x004344ed
0x004344f2
0x004344f9
0x00434505
0x0043450e

APIs

__EH_prolog.LIBCMT ref: 004343A1

Part of subcall function 00401CDD: __EH_prolog.LIBCMT ref: 00401CE2
Part of subcall function 00401CDD: GetLastError.KERNEL32(00467574,00000000,0046757C,?,004021DC,?,00000000,00000000,00000000,?,00000000), ref: 00401D0A
Part of subcall function 00401CDD: SetLastError.KERNEL32(?,00000000,00000000,00000000,?,004021DC,?,00000000,00000000,00000000,?,00000000), ref: 00401D57

Strings

|uF, xrefs: 004343BC
puF, xrefs: 004344C8
tuF, xrefs: 004343C1

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorH_prologLast
String ID: puF$tuF$|uF
API String ID: 1057991267-2118565386
Opcode ID: ad3a6d80fd102c06b025a483c820ec5679abbe9a2c4a95e50dcf15a09f317eba
Instruction ID: 8eac8e99a82762c33ea5ae67f7d100762e571f1eaa2dcd78d5e22ed957301ac0
Opcode Fuzzy Hash: ad3a6d80fd102c06b025a483c820ec5679abbe9a2c4a95e50dcf15a09f317eba
Instruction Fuzzy Hash: 91419371900248EBDF14EBA5C885BED7B78EF55318F1040AEF506B7281EB785B44C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 00434511 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00434511(intOrPtr* __ecx, void* __edx, void* __eflags) {
				void* __ebx;
				void* _t41;
				intOrPtr _t54;
				intOrPtr* _t57;
				intOrPtr* _t77;
				void* _t80;
				void* _t82;
				intOrPtr* _t84;

				L0043B644(E0046474C, _t80);
				_t77 = __ecx;
				_t84 = _t82 - 8;
				 *((intOrPtr*)(_t80 - 0x10)) = _t84;
				_t57 = _t84;
				_push(0);
				_push(_t80 + 0x30);
				 *(_t80 - 4) = 1;
				 *_t57 = 0x46757c;
				 *((intOrPtr*)(_t57 + 0x20)) = 0x467574;
				L00401CDD(_t57);
				 *((intOrPtr*)(_t80 - 0x14)) = _t84 - 0x28;
				 *(_t80 - 4) = 2;
				L00401708(_t84 - 0x28, _t80 + 8, 1);
				 *(_t80 - 4) = 1;
				if( *((intOrPtr*)( *_t77 + 0x50))() != 0) {
					_t78 = _t77 + 4;
					_push(_t80 + 0x30);
					_push(_t80 + 8);
					_t41 = L00435084(0x46757c, L004351E9(0x46757c, _t77 + 4, __eflags) + 4, __eflags);
					_push(0);
					_push(_t41);
					 *((intOrPtr*)(_t80 - 0x3c)) = 0x46757c;
					 *((intOrPtr*)(_t80 - 0x1c)) = 0x467574;
					L00401CDD(_t80 - 0x3c);
					__eflags =  *((intOrPtr*)(_t80 - 0x30));
					 *(_t80 - 4) = 3;
					if(__eflags != 0) {
						_push(_t80 + 0x30);
						_push(_t80 + 8);
						__eflags = L004351E9(0x46757c, _t78, __eflags) + 4;
						_t54 = E0043460C(L00435084(0x46757c, L004351E9(0x46757c, _t78, __eflags) + 4, __eflags), __eflags);
					} else {
						_t54 =  *((intOrPtr*)(_t80 + 0x58));
					}
					 *(_t80 - 4) = 1;
					L0040125C(_t80 - 0x3c);
				} else {
					_t54 =  *((intOrPtr*)(_t80 + 0x58));
				}
				 *(_t80 - 4) =  *(_t80 - 4) & 0x00000000;
				L0040125C(_t80 + 8);
				 *(_t80 - 4) =  *(_t80 - 4) | 0xffffffff;
				L0040125C(_t80 + 0x30);
				 *[fs:0x0] =  *((intOrPtr*)(_t80 - 0xc));
				return _t54;
			}

0x00434516
0x00434521
0x00434523
0x00434529
0x0043452c
0x00434538
0x0043453a
0x0043453b
0x00434542
0x00434544
0x00434547
0x00434554
0x0043455a
0x0043455e
0x00434567
0x00434570
0x0043457a
0x0043457d
0x00434581
0x0043458e
0x00434593
0x00434595
0x00434599
0x0043459c
0x0043459f
0x004345a4
0x004345a8
0x004345ac
0x004345b8
0x004345bc
0x004345c4
0x004345d3
0x004345ae
0x004345ae
0x004345ae
0x004345d8
0x004345dc
0x00434572
0x00434572
0x00434572
0x004345e1
0x004345e8
0x004345ed
0x004345f4
0x00434600
0x00434609

APIs

__EH_prolog.LIBCMT ref: 00434516

Part of subcall function 00401CDD: __EH_prolog.LIBCMT ref: 00401CE2
Part of subcall function 00401CDD: GetLastError.KERNEL32(00467574,00000000,0046757C,?,004021DC,?,00000000,00000000,00000000,?,00000000), ref: 00401D0A
Part of subcall function 00401CDD: SetLastError.KERNEL32(?,00000000,00000000,00000000,?,004021DC,?,00000000,00000000,00000000,?,00000000), ref: 00401D57

Strings

Startup, xrefs: 0043451F
tuF, xrefs: 00434533
|uF, xrefs: 0043452E

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorH_prologLast
String ID: Startup$tuF$|uF
API String ID: 1057991267-1490249854
Opcode ID: a16646168b9ab5ff5c34044231c9d944b77f3993c16f42f56dc650f13cf90a92
Instruction ID: 73acf4e110eaa50923954b553ab26b62710736029ffb4edfcf22a54f856be5d6
Opcode Fuzzy Hash: a16646168b9ab5ff5c34044231c9d944b77f3993c16f42f56dc650f13cf90a92
Instruction Fuzzy Hash: 3F31A770D01248EBDF05EFA5C856BED7BB8AF59308F00415FF402A7291DB789645C799

Uniqueness

Uniqueness Score: -1.00%

Function 0043A209 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0043A209(intOrPtr __ecx) {
				void* __ebx;
				intOrPtr _t35;
				void* _t40;
				void* _t42;
				intOrPtr* _t53;
				void* _t67;
				void* _t69;
				intOrPtr* _t70;

				L0043B644(0x464eec, _t67);
				_t70 = _t69 - 0x38;
				 *((intOrPtr*)(_t67 - 0x18)) = __ecx;
				 *(_t67 - 4) = 0;
				 *((intOrPtr*)(_t67 - 0x14)) = 0;
				do {
					_push(0);
					_push(_t67 - 0xd);
					 *((intOrPtr*)(_t67 - 0x44)) = 0x46757c;
					 *((intOrPtr*)(_t67 - 0x24)) = 0x467574;
					L00401C68(_t67 - 0x44);
					_t35 =  *((intOrPtr*)(_t67 + 0x14));
					 *(_t67 - 4) = 1;
					_t73 = _t35;
					if(_t35 == 0) {
						_t35 = 0x467570;
					}
					L004057E0(_t67 - 0x44, _t35,  *((intOrPtr*)(_t67 - 0x14)));
					_t70 = _t70 - 0x1c;
					 *((intOrPtr*)(_t67 - 0x1c)) = _t70;
					_t53 = _t70;
					_push(0);
					_push(_t67 - 0x44);
					 *_t53 = 0x46757c;
					 *((intOrPtr*)(_t53 + 0x20)) = 0x467574;
					L00401CDD(_t53);
					_t40 = L00439FFA( *((intOrPtr*)(_t67 - 0x18)), _t73);
					_t74 = _t40;
					if(_t40 == 0) {
						__eflags =  *((intOrPtr*)(_t67 - 0x14));
						if( *((intOrPtr*)(_t67 - 0x14)) != 0) {
							 *(_t67 - 4) = 0;
							L0040125C(_t67 - 0x44);
						} else {
							goto L6;
						}
					} else {
						_push(_t67 - 0x44);
						E00419C0E( *((intOrPtr*)(_t67 + 8)), L00435084(0,  *((intOrPtr*)(_t67 - 0x18)) + 4, _t74));
						goto L6;
					}
					L9:
					 *(_t67 - 4) =  *(_t67 - 4) | 0xffffffff;
					_t42 = L0040125C(_t67 + 0xc);
					 *[fs:0x0] =  *((intOrPtr*)(_t67 - 0xc));
					return _t42;
					L6:
					 *(_t67 - 4) = 0;
					L0040125C(_t67 - 0x44);
					_t23 = _t67 - 0x14;
					 *_t23 =  *((intOrPtr*)(_t67 - 0x14)) + 1;
				} while ( *_t23 >= 0);
				goto L9;
			}

0x0043a20e
0x0043a213
0x0043a219
0x0043a223
0x0043a226
0x0043a22e
0x0043a231
0x0043a232
0x0043a236
0x0043a239
0x0043a23c
0x0043a241
0x0043a244
0x0043a248
0x0043a24a
0x0043a24c
0x0043a24c
0x0043a259
0x0043a25e
0x0043a264
0x0043a267
0x0043a269
0x0043a26a
0x0043a26b
0x0043a26d
0x0043a270
0x0043a278
0x0043a27d
0x0043a27f
0x0043a29b
0x0043a29e
0x0043a2b9
0x0043a2bc
0x00000000
0x00000000
0x00000000
0x0043a281
0x0043a284
0x0043a294
0x00000000
0x0043a294
0x0043a2c1
0x0043a2c1
0x0043a2c8
0x0043a2d2
0x0043a2db
0x0043a2a0
0x0043a2a3
0x0043a2a6
0x0043a2ab
0x0043a2ab
0x0043a2ab
0x00000000

APIs

__EH_prolog.LIBCMT ref: 0043A20E

Part of subcall function 00401C68: __EH_prolog.LIBCMT ref: 00401C6D
Part of subcall function 00401C68: GetLastError.KERNEL32(00467574,00000000,0046757C,?,0040E781,?,00000000,?,00000000), ref: 00401C96
Part of subcall function 00401C68: SetLastError.KERNEL32(?,00000000,?,0040E781,?,00000000,?,00000000), ref: 00401CC4

Strings

tuF, xrefs: 0043A229
puF, xrefs: 0043A24C
|uF, xrefs: 0043A21E

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorH_prologLast
String ID: puF$tuF$|uF
API String ID: 1057991267-2118565386
Opcode ID: 661c1d3dfdf4b3a9e08d4ba69da8a62fcc40956418fdd913d566866fd3b6065c
Instruction ID: 84b77d060b9c87847c12d3edb915e9514d3a40d16cd8502cec85af5f4718b131
Opcode Fuzzy Hash: 661c1d3dfdf4b3a9e08d4ba69da8a62fcc40956418fdd913d566866fd3b6065c
Instruction Fuzzy Hash: 48212E75D40109EBCB00EF95C5819EEBBB8AF58304F6041AFE406B7251E7399F15CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0040C3ED Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040C3ED(void* __ecx, char* _a4, int _a8, int _a12) {
				signed int _t23;
				intOrPtr _t29;
				unsigned int _t32;
				void* _t33;
				short* _t35;
				signed int _t36;

				_t33 = __ecx;
				if(_a12 == 0x4b0 || _a12 == 0x4b1) {
					_t32 = _a8;
					if(_t32 != 0) {
						_t40 = _a4;
						_t23 = _t32 >> 1;
						_a4[_t23 * 2 - 2] = _a4[_t23 * 2 - 2] & 0x00000000;
						_t36 = _t23 - 1;
						if(_t36 < _t23) {
							_t23 = _t36;
						}
						_t34 =  *(_t33 + 8);
						if( *(_t33 + 8) == 0) {
							_t34 = 0x467570;
						}
						L0043B9A5(_t40, _t34, _t23);
						if(_a12 == 0x4b1) {
							L0043BBEA(_t40, _t40, _t32);
						}
						return _t32;
					}
					return  *((intOrPtr*)(_t33 + 0xc)) +  *((intOrPtr*)(_t33 + 0xc)) + 2;
				} else {
					_t29 =  *((intOrPtr*)(__ecx + 0xc));
					_t35 =  *(__ecx + 8);
					if(_t35 == 0) {
						_t35 = 0x467570;
					}
					return WideCharToMultiByte(_a12, 0, _t35, _t29 + 1, _a4, _a8, 0, 0);
				}
			}

0x0040c3ed
0x0040c3fe
0x0040c42d
0x0040c432
0x0040c440
0x0040c443
0x0040c445
0x0040c44b
0x0040c450
0x0040c452
0x0040c452
0x0040c454
0x0040c459
0x0040c45b
0x0040c45b
0x0040c463
0x0040c46e
0x0040c473
0x0040c478
0x00000000
0x0040c47d
0x00000000
0x0040c405
0x0040c405
0x0040c408
0x0040c40f
0x0040c411
0x0040c411
0x00000000
0x0040c425

APIs

WideCharToMultiByte.KERNEL32(000004B0,00000000,?,?,?,?,00000000,00000000,?,kernel32.dll,?,0040BC79,?,?,00000000,761B4EE0), ref: 0040C425

Strings

puF, xrefs: 0040C45B
kernel32.dll, xrefs: 0040C3F7
puF, xrefs: 0040C411

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: kernel32.dll$puF$puF
API String ID: 626452242-2252799361
Opcode ID: 5c81e7d8127926f9f16e62f830abeb984b50bc23c224edc855aff25b26594cd3
Instruction ID: f647241d03dd50b4c47066250e9347d0594074132e38aa0873ab4eca8509fdcc
Opcode Fuzzy Hash: 5c81e7d8127926f9f16e62f830abeb984b50bc23c224edc855aff25b26594cd3
Instruction Fuzzy Hash: 4F11B2B0610104EFEB148F04CCD0DBB73ADFF90318B14823EF9095A251E7769D168799

Uniqueness

Uniqueness Score: -1.00%

Function 00434B74 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00434B74(intOrPtr* __ecx) {
				intOrPtr _t37;
				void* _t39;
				intOrPtr* _t48;
				intOrPtr* _t54;
				intOrPtr* _t60;
				void* _t62;
				void* _t64;
				intOrPtr* _t66;

				L0043B644(E00464880, _t62);
				_t60 = __ecx;
				 *(_t62 - 4) = 0;
				 *((char*)(_t62 - 0x24)) =  *((intOrPtr*)(_t62 + 0x2f));
				 *((intOrPtr*)(_t62 - 0x20)) = 0;
				 *((intOrPtr*)(_t62 - 0x1c)) = 0;
				 *((intOrPtr*)(_t62 - 0x18)) = 0;
				_t66 = _t64 - 0xfffffffffffffff0;
				 *((intOrPtr*)(_t62 - 0x10)) = _t66;
				_t48 = _t66;
				_push(0);
				_push(_t62 + 8);
				 *(_t62 - 4) = 1;
				 *_t48 = 0x46757c;
				 *((intOrPtr*)(_t48 + 0x20)) = 0x467574;
				L00401CDD(_t48);
				_push(_t62 - 0x24);
				 *((intOrPtr*)( *__ecx + 0x5c))();
				_t37 =  *((intOrPtr*)(_t62 - 0x20));
				 *((intOrPtr*)(_t62 - 0x10)) = _t37;
				while(_t37 !=  *((intOrPtr*)(_t62 - 0x1c))) {
					_t66 = _t66 - 0x28;
					 *((intOrPtr*)(_t62 - 0x14)) = _t66;
					_t54 = _t66;
					 *_t54 = 0x46757c;
					 *((intOrPtr*)(_t54 + 0x20)) = 0x467574;
					L00401CDD(_t54);
					 *((intOrPtr*)( *_t60 + 0x70))( *((intOrPtr*)(_t62 - 0x10)), 0);
					 *((intOrPtr*)(_t62 - 0x10)) =  *((intOrPtr*)(_t62 - 0x10)) + 0x28;
					_t37 =  *((intOrPtr*)(_t62 - 0x10));
				}
				 *(_t62 - 4) =  *(_t62 - 4) & 0x00000000;
				L00401C2F(_t62 - 0x24);
				 *(_t62 - 4) =  *(_t62 - 4) | 0xffffffff;
				_t39 = L0040125C(_t62 + 8);
				 *[fs:0x0] =  *((intOrPtr*)(_t62 - 0xc));
				return _t39;
			}

0x00434b79
0x00434b84
0x00434b8b
0x00434b8e
0x00434b91
0x00434b94
0x00434b97
0x00434b9a
0x00434ba2
0x00434ba5
0x00434ba7
0x00434bb0
0x00434bb1
0x00434bb5
0x00434bb7
0x00434bba
0x00434bc4
0x00434bc7
0x00434bca
0x00434bcd
0x00434bd0
0x00434bd5
0x00434bd8
0x00434bdb
0x00434be2
0x00434be4
0x00434be7
0x00434bf0
0x00434bf3
0x00434bf7
0x00434bf7
0x00434bfc
0x00434c03
0x00434c08
0x00434c0f
0x00434c19
0x00434c22

APIs

__EH_prolog.LIBCMT ref: 00434B79

Part of subcall function 00401CDD: __EH_prolog.LIBCMT ref: 00401CE2
Part of subcall function 00401CDD: GetLastError.KERNEL32(00467574,00000000,0046757C,?,004021DC,?,00000000,00000000,00000000,?,00000000), ref: 00401D0A
Part of subcall function 00401CDD: SetLastError.KERNEL32(?,00000000,00000000,00000000,?,004021DC,?,00000000,00000000,00000000,?,00000000), ref: 00401D57

Strings

tuF, xrefs: 00434BAB
|uF, xrefs: 00434B9D
(, xrefs: 00434BF3

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorH_prologLast
String ID: ($tuF$|uF
API String ID: 1057991267-2301320529
Opcode ID: 2080b39100b66ec940ee63e17c6d8b7855712b469dc4fee56a3eba889a89b771
Instruction ID: f335184d28fd123cb829e6369a32bdc70890225a25c3156e3027341feec5f0a3
Opcode Fuzzy Hash: 2080b39100b66ec940ee63e17c6d8b7855712b469dc4fee56a3eba889a89b771
Instruction Fuzzy Hash: 8E214C71D052189FCB04EFA9C8816EDBBF4BF4D318F10469EE415B7291D7399A01CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00406005 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00406005() {
				intOrPtr _t20;
				signed char _t42;
				intOrPtr* _t46;
				void* _t48;

				L0043B644(0x45f62f, _t48);
				_t20 =  *((intOrPtr*)(_t48 + 0xc));
				 *(_t48 - 0x10) = 0;
				 *((intOrPtr*)(_t48 - 0x38)) = 0x46757c;
				 *((intOrPtr*)(_t48 - 0x18)) = 0x467574;
				if(_t20 == 0) {
					_t20 = 0x47e150;
				}
				_push(0);
				_push(_t48 + 0xf);
				_push(_t20);
				_t6 = _t48 - 0x38; // 0x46757c
				L0040176A(_t6);
				_t42 = 1;
				 *(_t48 - 4) = _t42;
				asm("sbb ecx, ecx");
				L004057F3(_t48 - 0x34,  ~( *(_t48 + 0x10)) &  *(_t48 + 0x10) + 0x00000004, 0,  *0x467594);
				_t46 =  *((intOrPtr*)(_t48 + 8));
				_t11 = _t48 - 0x38; // 0x46757c
				_push(0);
				 *_t46 = 0x46757c;
				 *((intOrPtr*)(_t46 + 0x20)) = 0x467574;
				L00401CDD(_t46);
				 *(_t48 - 0x10) = _t42;
				 *(_t48 - 4) =  *(_t48 - 4) & 0x00000000;
				_t16 = _t48 - 0x38; // 0x46757c
				L0040125C(_t16);
				 *[fs:0x0] =  *((intOrPtr*)(_t48 - 0xc));
				return _t46;
			}

0x0040600a
0x00406012
0x00406021
0x00406024
0x0040602b
0x0040602e
0x00406030
0x00406030
0x00406038
0x00406039
0x0040603a
0x0040603b
0x0040603e
0x0040604d
0x00406054
0x00406059
0x00406062
0x00406067
0x0040606a
0x0040606d
0x00406072
0x00406078
0x0040607b
0x00406080
0x00406083
0x00406087
0x0040608a
0x00406097
0x0040609f

APIs

__EH_prolog.LIBCMT ref: 0040600A

Strings

PG, xrefs: 00406030
|uF, xrefs: 0040603B
tuF, xrefs: 00406019

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: H_prolog
String ID: PG$tuF$|uF
API String ID: 3519838083-1736204332
Opcode ID: 51119693ac6bad35653a72689fcf376a8b2df94ea7811f803ee9bd2bb5ef7b67
Instruction ID: 2e0c505d9abc545c574100bc6477aabd5c588db9c57a80b7e5a493f1a4fb7418
Opcode Fuzzy Hash: 51119693ac6bad35653a72689fcf376a8b2df94ea7811f803ee9bd2bb5ef7b67
Instruction Fuzzy Hash: 34117371A00118ABCB04DF99D881AEEBBB8EF48718F00416FF502A7291E7B49944CB98

Uniqueness

Uniqueness Score: -1.00%

Function 004028AE Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E004028AE(intOrPtr* __ecx) {
				intOrPtr _t25;
				intOrPtr* _t46;
				void* _t48;

				L0043B644(0x45eef4, _t48);
				_push(__ecx);
				_t46 = __ecx;
				 *((intOrPtr*)(_t48 - 0x10)) = __ecx;
				if( *((intOrPtr*)(_t48 + 0x14)) != 0) {
					 *__ecx = 0x46758c;
					 *((intOrPtr*)(__ecx + 0x20)) = 0x467584;
				}
				 *((intOrPtr*)( *((intOrPtr*)( *_t46 + 4)) + _t46)) = GetLastError();
				_t25 =  *((intOrPtr*)(_t48 + 8));
				 *((intOrPtr*)(_t48 - 4)) = 0;
				 *((intOrPtr*)(_t48 + 0x14)) = _t25;
				if(_t25 == 0) {
					 *((intOrPtr*)(_t48 + 0x14)) = 0x47e150;
				}
				_t43 = _t46 + 4;
				 *((char*)(_t46 + 4)) =  *((intOrPtr*)( *((intOrPtr*)(_t48 + 0x10))));
				E0040213C(_t46 + 4, 0);
				_t12 = _t48 + 0x14; // 0x47e150
				L0040BF1A(_t43,  *_t12,  *((intOrPtr*)(_t48 + 0xc)));
				 *((intOrPtr*)(_t46 + 0x14)) = 0;
				 *((intOrPtr*)(_t46 + 0x18)) = 0;
				 *((intOrPtr*)(_t46 + 0x1c)) = 0;
				SetLastError( *( *((intOrPtr*)( *((intOrPtr*)(_t46 + 0x20)) + 4)) + _t46 + 0x20));
				 *[fs:0x0] =  *((intOrPtr*)(_t48 - 0xc));
				return _t46;
			}

0x004028b3
0x004028b8
0x004028bd
0x004028c3
0x004028c6
0x004028c8
0x004028ce
0x004028ce
0x004028e2
0x004028e4
0x004028e7
0x004028ec
0x004028ef
0x004028f1
0x004028f1
0x004028fb
0x00402903
0x00402905
0x0040290f
0x00402912
0x00402917
0x0040291a
0x0040291d
0x0040292a
0x00402938
0x00402940

APIs

__EH_prolog.LIBCMT ref: 004028B3
GetLastError.KERNEL32(000004B1,00000000,?,?,0040287E,?,00000000,?,00000000,00467574,?,0046757C), ref: 004028DC
SetLastError.KERNEL32(?,000004B0,?,00000000,?,0040287E,?,00000000,?,00000000,00467574,?,0046757C), ref: 0040292A

Strings

PG, xrefs: 0040290F

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorLast$H_prolog
String ID: PG
API String ID: 2881783280-134009939
Opcode ID: 77bd90e451b82f9d9df9e3bdbc7de8cd192d23f151d3a7fd0de03b02885f3393
Instruction ID: 30628e6db469868f43fefba820e14323f5a5650aad60b4ded696d247c2b09e12
Opcode Fuzzy Hash: 77bd90e451b82f9d9df9e3bdbc7de8cd192d23f151d3a7fd0de03b02885f3393
Instruction Fuzzy Hash: 391188756002069FCB10CF1AC98488AFBF0FF48308B00896FE89AA7752D774D904CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00438636 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41
timeCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E00438636(void* __ecx, void* __eflags, struct _FILETIME* _a4) {
				char _v8;
				struct _SYSTEMTIME _v24;
				void* _t9;
				long _t20;
				void* _t23;
				signed int _t24;

				_t23 = __ecx;
				_v8 = 0x10;
				_t24 = E0043804E(_t9, __ecx) & 0x000000ff;
				if(_t24 != 0) {
					_t24 =  *0x47e0dc( *((intOrPtr*)(_t23 + 4)), 0x4000000b,  &_v24,  &_v8, 0);
				}
				_t20 = GetLastError();
				if(_t24 != 0) {
					SystemTimeToFileTime( &_v24, _a4);
				}
				L004379BD(_t23);
				SetLastError(_t20);
				return 0 | _t24 == 0x00000001;
			}

0x0043863f
0x00438641
0x0043864d
0x00438652
0x0043866c
0x0043866c
0x00438676
0x00438678
0x00438681
0x00438681
0x00438689
0x0043868f
0x004386a1

APIs

GetLastError.KERNEL32 ref: 0043866E
SystemTimeToFileTime.KERNEL32(?,?), ref: 00438681
SetLastError.KERNEL32(00000000), ref: 0043868F

Strings

LRD, xrefs: 00438666

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorLastTime$FileSystem
String ID: LRD
API String ID: 1528435940-2147293161
Opcode ID: 3d9634f0dff463ad433c21d2504463f43144631bece3ccc06938127e0827b150
Instruction ID: 6c2cd338d7ee4f8460fc23432f508d6faac84bc156d9464e19837cee027c3274
Opcode Fuzzy Hash: 3d9634f0dff463ad433c21d2504463f43144631bece3ccc06938127e0827b150
Instruction Fuzzy Hash: E1F0C2B2900228ABCB10ABA49D49EDFB7ACAF08718F110137F905E7251DFB4CD0586A9

Uniqueness

Uniqueness Score: -1.00%

Function 0042EB07 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0042EB07(intOrPtr _a4) {
				_Unknown_base(*)()* _t3;

				_t3 = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "GetProcessId");
				if(_t3 == 0) {
					return 0;
				} else {
					return  *_t3(_a4);
				}
			}

0x0042eb18
0x0042eb20
0x0042eb2b
0x0042eb22
0x0042eb28
0x0042eb28

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,GetProcessId,0042EA34,?), ref: 0042EB11
GetProcAddress.KERNEL32(00000000), ref: 0042EB18

Strings

kernel32.dll, xrefs: 0042EB0C
GetProcessId, xrefs: 0042EB07

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetProcessId$kernel32.dll
API String ID: 1646373207-399901964
Opcode ID: cfd18c5229e2118b839dd4c183f38007748000b0ebb4617894fdc99373e1443b
Instruction ID: e45d47cca77043f5879fe6f4050294dfed87cf463d391ec8cdb90a2632673ab7
Opcode Fuzzy Hash: cfd18c5229e2118b839dd4c183f38007748000b0ebb4617894fdc99373e1443b
Instruction Fuzzy Hash: FCC04C7034920067CF142FB19C49E8B3A559EC7B06B148466F009D12A4EFB9DC00F61A

Uniqueness

Uniqueness Score: -1.00%

Function 00456450 Relevance: 6.4, APIs: 4, Instructions: 420
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E00456450(intOrPtr __ecx) {
				intOrPtr* _t199;
				intOrPtr _t202;
				intOrPtr* _t203;
				intOrPtr* _t204;
				intOrPtr* _t207;
				intOrPtr* _t215;
				intOrPtr _t216;
				intOrPtr* _t219;
				intOrPtr* _t222;
				intOrPtr _t226;
				intOrPtr _t229;
				intOrPtr* _t230;
				intOrPtr _t235;
				intOrPtr* _t236;
				intOrPtr* _t239;
				intOrPtr _t242;
				intOrPtr* _t243;
				intOrPtr _t248;
				intOrPtr _t251;
				intOrPtr* _t257;
				intOrPtr _t259;
				intOrPtr _t260;
				intOrPtr* _t263;
				intOrPtr* _t264;
				intOrPtr _t265;
				intOrPtr _t267;
				intOrPtr _t270;
				intOrPtr* _t271;
				intOrPtr* _t272;
				intOrPtr* _t273;
				intOrPtr* _t278;
				intOrPtr _t279;
				intOrPtr* _t280;
				intOrPtr _t282;
				intOrPtr _t288;
				intOrPtr _t290;
				intOrPtr* _t291;
				intOrPtr _t294;
				intOrPtr _t296;
				intOrPtr* _t297;
				intOrPtr _t298;
				intOrPtr _t300;
				intOrPtr _t302;
				intOrPtr* _t303;
				intOrPtr _t307;
				intOrPtr _t309;
				intOrPtr* _t310;
				intOrPtr _t313;
				intOrPtr _t315;
				intOrPtr* _t316;
				intOrPtr _t319;
				intOrPtr _t321;
				intOrPtr* _t322;
				intOrPtr* _t324;
				intOrPtr* _t327;
				intOrPtr _t328;
				intOrPtr _t330;
				intOrPtr* _t332;
				intOrPtr* _t333;
				intOrPtr* _t335;
				intOrPtr _t336;
				intOrPtr _t337;
				intOrPtr* _t338;
				intOrPtr _t339;
				void* _t340;
				void* _t341;
				void* _t342;
				void* _t352;

				 *((intOrPtr*)(_t340 + 8)) = __ecx;
				_t324 =  *((intOrPtr*)(_t340 + 0x28));
				E00458920(_t340 + 0x28);
				_t332 =  *_t324;
				_t279 =  *0x47e920; // 0x2221560
				_t239 = _t324 + 8;
				 *((intOrPtr*)(_t340 + 0x14)) = _t324;
				_t335 = _t239;
				if(_t332 != _t279) {
					_t199 =  *_t239;
					__eflags = _t199 - _t279;
					if(_t199 == _t279) {
						goto L6;
					}
					_t278 =  *_t199;
					__eflags = _t278 - _t279;
					if(_t278 == _t279) {
						L5:
						_t332 =  *((intOrPtr*)(_t199 + 8));
						_t7 = _t199 + 8; // 0x8
						_t335 = _t7;
						 *((intOrPtr*)(_t340 + 0x14)) = _t199;
						goto L6;
					} else {
						goto L4;
					}
					do {
						L4:
						_t199 = _t278;
						_t278 =  *_t199;
						__eflags = _t278 - _t279;
					} while (_t278 != _t279);
					goto L5;
				} else {
					_t332 =  *_t239;
					L6:
					L0043B179(_t340 + 0x1c);
					_t280 =  *((intOrPtr*)(_t340 + 0x14));
					if(_t280 == _t324) {
						_t248 =  *((intOrPtr*)(_t340 + 0x10));
						 *((intOrPtr*)(_t332 + 4)) =  *((intOrPtr*)(_t280 + 4));
						_t202 =  *((intOrPtr*)(_t248 + 4));
						__eflags =  *((intOrPtr*)(_t202 + 4)) - _t324;
						if( *((intOrPtr*)(_t202 + 4)) != _t324) {
							_t203 =  *((intOrPtr*)(_t324 + 4));
							__eflags =  *_t203 - _t324;
							if( *_t203 != _t324) {
								 *((intOrPtr*)(_t203 + 8)) = _t332;
							} else {
								 *_t203 = _t332;
							}
						} else {
							 *((intOrPtr*)(_t202 + 4)) = _t332;
						}
						_t204 =  *((intOrPtr*)(_t248 + 4));
						 *((intOrPtr*)(_t340 + 0x18)) = _t204;
						__eflags =  *_t204 - _t324;
						if( *_t204 != _t324) {
							L29:
							_t336 =  *((intOrPtr*)(_t248 + 4));
							__eflags =  *((intOrPtr*)(_t336 + 8)) - _t324;
							if( *((intOrPtr*)(_t336 + 8)) != _t324) {
								L35:
								_t337 =  *((intOrPtr*)(_t340 + 0x10));
								goto L36;
							}
							_t242 =  *0x47e920; // 0x2221560
							__eflags =  *_t324 - _t242;
							if( *_t324 != _t242) {
								_t229 =  *((intOrPtr*)(_t332 + 8));
								_t272 = _t332;
								__eflags = _t229 - _t242;
								if(_t229 == _t242) {
									L34:
									 *((intOrPtr*)(_t336 + 8)) = _t272;
									goto L35;
								} else {
									goto L33;
								}
								do {
									L33:
									_t272 = _t229;
									_t229 =  *((intOrPtr*)(_t272 + 8));
									__eflags = _t229 - _t242;
								} while (_t229 != _t242);
								goto L34;
							}
							_t272 =  *((intOrPtr*)(_t324 + 4));
							goto L34;
						} else {
							_t339 =  *0x47e920; // 0x2221560
							__eflags =  *_t239 - _t339;
							if( *_t239 != _t339) {
								_t243 =  *_t332;
								_t273 = _t332;
								__eflags = _t243 - _t339;
								if(_t243 == _t339) {
									L28:
									 *_t204 = _t273;
									_t248 =  *((intOrPtr*)(_t340 + 0x10));
									goto L29;
								}
								_t230 = _t243;
								do {
									_t273 = _t230;
									_t230 =  *_t273;
									__eflags = _t230 - _t339;
								} while (_t230 != _t339);
								_t204 =  *((intOrPtr*)(_t340 + 0x18));
								goto L28;
							}
							 *_t204 =  *((intOrPtr*)(_t324 + 4));
							goto L29;
						}
					} else {
						 *((intOrPtr*)( *_t324 + 4)) = _t280;
						 *_t280 =  *_t324;
						if(_t280 !=  *_t239) {
							 *((intOrPtr*)(_t332 + 4)) =  *((intOrPtr*)(_t280 + 4));
							 *((intOrPtr*)( *((intOrPtr*)(_t280 + 4)))) = _t332;
							 *_t335 =  *_t239;
							 *((intOrPtr*)( *_t239 + 4)) = _t280;
						} else {
							 *((intOrPtr*)(_t332 + 4)) = _t280;
						}
						_t337 =  *((intOrPtr*)(_t340 + 0x10));
						_t235 =  *((intOrPtr*)(_t337 + 4));
						if( *((intOrPtr*)(_t235 + 4)) != _t324) {
							_t236 =  *((intOrPtr*)(_t324 + 4));
							__eflags =  *_t236 - _t324;
							if( *_t236 != _t324) {
								 *((intOrPtr*)(_t236 + 8)) = _t280;
							} else {
								 *_t236 = _t280;
							}
						} else {
							 *((intOrPtr*)(_t235 + 4)) = _t280;
						}
						 *((intOrPtr*)(_t340 + 0x14)) = _t324;
						 *((intOrPtr*)(_t280 + 4)) =  *((intOrPtr*)(_t324 + 4));
						 *((intOrPtr*)(_t280 + 0x38)) =  *((intOrPtr*)(_t324 + 0x38));
						 *((intOrPtr*)(_t324 + 0x38)) =  *((intOrPtr*)(_t280 + 0x38));
						_t280 = _t324;
						L36:
						_t205 =  *((intOrPtr*)(_t280 + 0x38));
						if( *((intOrPtr*)(_t280 + 0x38)) != 1) {
							L100:
							L0043B215(_t205);
							_t241 =  *((intOrPtr*)(_t340 + 0x14));
							_t333 =  *((intOrPtr*)(_t340 + 0x14)) + 0xc;
							if(_t333 == 0) {
								_t207 = 0;
								__eflags = 0;
							} else {
								_t207 = _t333 + 0x20;
							}
							 *((intOrPtr*)( *((intOrPtr*)( *_t207 + 4)) + _t207)) = GetLastError();
							if(_t333 == 0) {
								_t327 = 0;
								__eflags = 0;
							} else {
								_t327 = _t333 + 0x14;
							}
							E0043AE17( *_t327);
							_t338 = __imp__#6;
							_t341 = _t340 + 4;
							 *_t338( *((intOrPtr*)(_t327 + 8)));
							_t282 = 0;
							if(_t333 == 0) {
								_t328 = 0;
								__eflags = 0;
							} else {
								_t328 = _t333 + 4;
							}
							_t251 =  *((intOrPtr*)(_t328 + 4));
							if(_t251 != _t282) {
								_t216 =  *((intOrPtr*)(_t251 - 1));
								if(_t216 == 0 || _t216 == 0xff) {
									 *_t338(_t251 + 0xfffffffe);
									_t282 = 0;
									__eflags = 0;
								} else {
									 *((char*)(_t251 - 1)) = _t216 - 1;
								}
							}
							 *((intOrPtr*)(_t328 + 4)) = _t282;
							 *((intOrPtr*)(_t328 + 8)) = _t282;
							 *((intOrPtr*)(_t328 + 0xc)) = _t282;
							SetLastError( *( *((intOrPtr*)( *_t333 + 4)) + _t333));
							E0043AE17(_t241);
							_t214 =  *((intOrPtr*)(_t341 + 0x14));
							_t342 = _t341 + 4;
							 *((intOrPtr*)(_t214 + 0xc)) =  *((intOrPtr*)( *((intOrPtr*)(_t341 + 0x14)) + 0xc)) - 1;
							_t215 =  *((intOrPtr*)(_t342 + 0x1c));
							 *_t215 =  *((intOrPtr*)(_t342 + 0x20));
							return _t215;
						}
						if(_t332 ==  *((intOrPtr*)( *((intOrPtr*)(_t337 + 4)) + 4))) {
							L99:
							 *((intOrPtr*)(_t332 + 0x38)) = 1;
							goto L100;
						}
						while( *((intOrPtr*)(_t332 + 0x38)) == 1) {
							_t257 =  *((intOrPtr*)(_t332 + 4));
							_t219 =  *_t257;
							if(_t332 != _t219) {
								_t330 = 0;
								__eflags =  *((intOrPtr*)(_t219 + 0x38));
								if( *((intOrPtr*)(_t219 + 0x38)) == 0) {
									 *((intOrPtr*)(_t219 + 0x38)) = 1;
									 *((intOrPtr*)( *((intOrPtr*)(_t332 + 4)) + 0x38)) = 0;
									_t222 =  *((intOrPtr*)(_t332 + 4));
									_t265 =  *_t222;
									 *_t222 =  *((intOrPtr*)(_t265 + 8));
									_t300 =  *((intOrPtr*)(_t265 + 8));
									__eflags = _t300 -  *0x47e920; // 0x2221560
									if(__eflags != 0) {
										 *((intOrPtr*)(_t300 + 4)) = _t222;
									}
									 *((intOrPtr*)(_t265 + 4)) =  *((intOrPtr*)(_t222 + 4));
									_t302 =  *((intOrPtr*)(_t337 + 4));
									__eflags = _t222 -  *((intOrPtr*)(_t302 + 4));
									if(_t222 !=  *((intOrPtr*)(_t302 + 4))) {
										_t303 =  *((intOrPtr*)(_t222 + 4));
										__eflags = _t222 -  *((intOrPtr*)(_t303 + 8));
										if(_t222 !=  *((intOrPtr*)(_t303 + 8))) {
											 *_t303 = _t265;
										} else {
											 *((intOrPtr*)(_t303 + 8)) = _t265;
										}
									} else {
										 *((intOrPtr*)(_t302 + 4)) = _t265;
									}
									 *((intOrPtr*)(_t265 + 8)) = _t222;
									 *((intOrPtr*)(_t222 + 4)) = _t265;
									_t219 =  *((intOrPtr*)( *((intOrPtr*)(_t332 + 4))));
								}
								_t259 =  *((intOrPtr*)(_t219 + 8));
								__eflags =  *((intOrPtr*)(_t259 + 0x38)) - 1;
								if( *((intOrPtr*)(_t259 + 0x38)) != 1) {
									L81:
									_t260 =  *_t219;
									__eflags =  *((intOrPtr*)(_t260 + 0x38)) - 1;
									if( *((intOrPtr*)(_t260 + 0x38)) == 1) {
										 *((intOrPtr*)( *((intOrPtr*)(_t219 + 8)) + 0x38)) = 1;
										_t264 =  *((intOrPtr*)(_t219 + 8));
										 *((intOrPtr*)(_t219 + 0x38)) = _t330;
										 *((intOrPtr*)(_t219 + 8)) =  *_t264;
										_t294 =  *_t264;
										__eflags = _t294 -  *0x47e920; // 0x2221560
										if(__eflags != 0) {
											 *((intOrPtr*)(_t294 + 4)) = _t219;
										}
										 *((intOrPtr*)(_t264 + 4)) =  *((intOrPtr*)(_t219 + 4));
										_t296 =  *((intOrPtr*)(_t337 + 4));
										__eflags = _t219 -  *((intOrPtr*)(_t296 + 4));
										if(_t219 !=  *((intOrPtr*)(_t296 + 4))) {
											_t297 =  *((intOrPtr*)(_t219 + 4));
											__eflags = _t219 -  *_t297;
											if(_t219 !=  *_t297) {
												 *((intOrPtr*)(_t297 + 8)) = _t264;
											} else {
												 *_t297 = _t264;
											}
										} else {
											 *((intOrPtr*)(_t296 + 4)) = _t264;
										}
										 *_t264 = _t219;
										 *((intOrPtr*)(_t219 + 4)) = _t264;
										_t219 =  *((intOrPtr*)( *((intOrPtr*)(_t332 + 4))));
									}
									 *((intOrPtr*)(_t219 + 0x38)) =  *((intOrPtr*)( *((intOrPtr*)(_t332 + 4)) + 0x38));
									 *((intOrPtr*)( *((intOrPtr*)(_t332 + 4)) + 0x38)) = 1;
									 *((intOrPtr*)( *_t219 + 0x38)) = 1;
									_t205 =  *((intOrPtr*)(_t332 + 4));
									_t263 =  *_t205;
									 *_t205 =  *((intOrPtr*)(_t263 + 8));
									_t288 =  *((intOrPtr*)(_t263 + 8));
									__eflags = _t288 -  *0x47e920; // 0x2221560
									if(__eflags != 0) {
										 *((intOrPtr*)(_t288 + 4)) = _t205;
									}
									 *((intOrPtr*)(_t263 + 4)) =  *((intOrPtr*)(_t205 + 4));
									_t290 =  *((intOrPtr*)(_t337 + 4));
									__eflags = _t205 -  *((intOrPtr*)(_t290 + 4));
									if(_t205 !=  *((intOrPtr*)(_t290 + 4))) {
										_t291 =  *((intOrPtr*)(_t205 + 4));
										__eflags = _t205 -  *((intOrPtr*)(_t291 + 8));
										if(_t205 !=  *((intOrPtr*)(_t291 + 8))) {
											 *_t291 = _t263;
										} else {
											 *((intOrPtr*)(_t291 + 8)) = _t263;
										}
									} else {
										 *((intOrPtr*)(_t290 + 4)) = _t263;
									}
									 *((intOrPtr*)(_t263 + 8)) = _t205;
									L98:
									 *((intOrPtr*)(_t205 + 4)) = _t263;
								} else {
									_t298 =  *_t219;
									__eflags =  *((intOrPtr*)(_t298 + 0x38)) - 1;
									if( *((intOrPtr*)(_t298 + 0x38)) != 1) {
										goto L81;
									}
									L63:
									 *((intOrPtr*)(_t219 + 0x38)) = _t330;
									_t205 =  *((intOrPtr*)(_t337 + 4));
									_t332 =  *((intOrPtr*)(_t332 + 4));
									if(_t332 !=  *((intOrPtr*)( *((intOrPtr*)(_t337 + 4)) + 4))) {
										continue;
									}
								}
								goto L99;
							}
							_t219 =  *((intOrPtr*)(_t257 + 8));
							_t330 = 0;
							if( *((intOrPtr*)(_t219 + 0x38)) == 0) {
								 *((intOrPtr*)(_t219 + 0x38)) = 1;
								 *((intOrPtr*)( *((intOrPtr*)(_t332 + 4)) + 0x38)) = 0;
								_t226 =  *((intOrPtr*)(_t332 + 4));
								_t271 =  *((intOrPtr*)(_t226 + 8));
								 *((intOrPtr*)(_t226 + 8)) =  *_t271;
								_t319 =  *_t271;
								_t352 = _t319 -  *0x47e920; // 0x2221560
								if(_t352 != 0) {
									 *((intOrPtr*)(_t319 + 4)) = _t226;
								}
								 *((intOrPtr*)(_t271 + 4)) =  *((intOrPtr*)(_t226 + 4));
								_t321 =  *((intOrPtr*)(_t337 + 4));
								if(_t226 !=  *((intOrPtr*)(_t321 + 4))) {
									_t322 =  *((intOrPtr*)(_t226 + 4));
									__eflags = _t226 -  *_t322;
									if(_t226 !=  *_t322) {
										 *((intOrPtr*)(_t322 + 8)) = _t271;
									} else {
										 *_t322 = _t271;
									}
								} else {
									 *((intOrPtr*)(_t321 + 4)) = _t271;
								}
								 *_t271 = _t226;
								 *((intOrPtr*)(_t226 + 4)) = _t271;
								_t219 =  *((intOrPtr*)( *((intOrPtr*)(_t332 + 4)) + 8));
							}
							if( *((intOrPtr*)( *_t219 + 0x38)) != 1 ||  *((intOrPtr*)( *((intOrPtr*)(_t219 + 8)) + 0x38)) != 1) {
								_t267 =  *((intOrPtr*)(_t219 + 8));
								__eflags =  *((intOrPtr*)(_t267 + 0x38)) - 1;
								if( *((intOrPtr*)(_t267 + 0x38)) == 1) {
									 *((intOrPtr*)( *_t219 + 0x38)) = 1;
									_t270 =  *_t219;
									 *((intOrPtr*)(_t219 + 0x38)) = _t330;
									 *_t219 =  *((intOrPtr*)(_t270 + 8));
									_t313 =  *((intOrPtr*)(_t270 + 8));
									__eflags = _t313 -  *0x47e920; // 0x2221560
									if(__eflags != 0) {
										 *((intOrPtr*)(_t313 + 4)) = _t219;
									}
									 *((intOrPtr*)(_t270 + 4)) =  *((intOrPtr*)(_t219 + 4));
									_t315 =  *((intOrPtr*)(_t337 + 4));
									__eflags = _t219 -  *((intOrPtr*)(_t315 + 4));
									if(_t219 !=  *((intOrPtr*)(_t315 + 4))) {
										_t316 =  *((intOrPtr*)(_t219 + 4));
										__eflags = _t219 -  *((intOrPtr*)(_t316 + 8));
										if(_t219 !=  *((intOrPtr*)(_t316 + 8))) {
											 *_t316 = _t270;
										} else {
											 *((intOrPtr*)(_t316 + 8)) = _t270;
										}
									} else {
										 *((intOrPtr*)(_t315 + 4)) = _t270;
									}
									 *((intOrPtr*)(_t270 + 8)) = _t219;
									 *((intOrPtr*)(_t219 + 4)) = _t270;
									_t219 =  *((intOrPtr*)( *((intOrPtr*)(_t332 + 4)) + 8));
								}
								 *((intOrPtr*)(_t219 + 0x38)) =  *((intOrPtr*)( *((intOrPtr*)(_t332 + 4)) + 0x38));
								 *((intOrPtr*)( *((intOrPtr*)(_t332 + 4)) + 0x38)) = 1;
								 *((intOrPtr*)( *((intOrPtr*)(_t219 + 8)) + 0x38)) = 1;
								_t205 =  *((intOrPtr*)(_t332 + 4));
								_t263 =  *((intOrPtr*)(_t205 + 8));
								 *((intOrPtr*)(_t205 + 8)) =  *_t263;
								_t307 =  *_t263;
								__eflags = _t307 -  *0x47e920; // 0x2221560
								if(__eflags != 0) {
									 *((intOrPtr*)(_t307 + 4)) = _t205;
								}
								 *((intOrPtr*)(_t263 + 4)) =  *((intOrPtr*)(_t205 + 4));
								_t309 =  *((intOrPtr*)(_t337 + 4));
								__eflags = _t205 -  *((intOrPtr*)(_t309 + 4));
								if(_t205 !=  *((intOrPtr*)(_t309 + 4))) {
									_t310 =  *((intOrPtr*)(_t205 + 4));
									__eflags = _t205 -  *_t310;
									if(_t205 !=  *_t310) {
										 *((intOrPtr*)(_t310 + 8)) = _t263;
										 *_t263 = _t205;
									} else {
										 *_t310 = _t263;
										 *_t263 = _t205;
									}
								} else {
									 *((intOrPtr*)(_t309 + 4)) = _t263;
									 *_t263 = _t205;
								}
								goto L98;
							} else {
								goto L63;
							}
						}
						goto L99;
					}
				}
			}

0x00456455
0x0045645b
0x00456463
0x00456468
0x0045646a
0x00456470
0x00456475
0x00456479
0x0045647b
0x00456481
0x00456483
0x00456485
0x00000000
0x00000000
0x00456487
0x00456489
0x0045648b
0x00456495
0x00456495
0x00456498
0x00456498
0x0045649b
0x00000000
0x00000000
0x00000000
0x00000000
0x0045648d
0x0045648d
0x0045648d
0x0045648f
0x00456491
0x00456491
0x00000000
0x0045647d
0x0045647d
0x0045649f
0x004564a3
0x004564a8
0x004564ae
0x00456518
0x0045651c
0x0045651f
0x00456522
0x00456525
0x0045652c
0x0045652f
0x00456531
0x00456537
0x00456533
0x00456533
0x00456533
0x00456527
0x00456527
0x00456527
0x0045653a
0x0045653d
0x00456541
0x00456543
0x00456572
0x00456572
0x00456575
0x00456578
0x004565a0
0x004565a0
0x00000000
0x004565a0
0x0045657a
0x00456582
0x00456584
0x0045658b
0x0045658e
0x00456590
0x00456592
0x0045659d
0x0045659d
0x00000000
0x00000000
0x00000000
0x00000000
0x00456594
0x00456594
0x00456594
0x00456596
0x00456599
0x00456599
0x00000000
0x00456594
0x00456586
0x00000000
0x00456545
0x00456545
0x0045654b
0x0045654d
0x00456556
0x00456558
0x0045655a
0x0045655c
0x0045656c
0x0045656c
0x0045656e
0x00000000
0x0045656e
0x0045655e
0x00456560
0x00456560
0x00456562
0x00456564
0x00456564
0x00456568
0x00000000
0x00456568
0x00456552
0x00000000
0x00456552
0x004564b0
0x004564b2
0x004564b7
0x004564bd
0x004564c7
0x004564cd
0x004564d1
0x004564d6
0x004564bf
0x004564bf
0x004564bf
0x004564d9
0x004564dd
0x004564e3
0x004564ea
0x004564ed
0x004564ef
0x004564f5
0x004564f1
0x004564f1
0x004564f1
0x004564e5
0x004564e5
0x004564e5
0x004564fb
0x004564ff
0x00456508
0x0045650b
0x0045650e
0x004565a4
0x004565a4
0x004565ae
0x00456820
0x00456824
0x00456829
0x0045682d
0x00456832
0x00456839
0x00456839
0x00456834
0x00456834
0x00456834
0x0045684a
0x0045684c
0x00456853
0x00456853
0x0045684e
0x0045684e
0x0045684e
0x00456858
0x00456860
0x00456866
0x0045686a
0x0045686c
0x00456870
0x00456877
0x00456877
0x00456872
0x00456872
0x00456872
0x00456879
0x0045687e
0x00456880
0x00456885
0x00456896
0x00456898
0x00456898
0x0045688b
0x0045688d
0x0045688d
0x00456885
0x0045689a
0x0045689d
0x004568a0
0x004568ac
0x004568b3
0x004568b8
0x004568bc
0x004568c5
0x004568c8
0x004568d1
0x004568d7
0x004568d7
0x004565ba
0x0045681d
0x0045681d
0x00000000
0x0045681d
0x004565c0
0x004565c9
0x004565cc
0x004565d0
0x00456645
0x00456647
0x00456649
0x0045664b
0x00456651
0x00456654
0x00456657
0x0045665c
0x0045665e
0x00456661
0x00456667
0x00456669
0x00456669
0x0045666f
0x00456672
0x00456675
0x00456678
0x0045667f
0x00456682
0x00456685
0x0045668c
0x00456687
0x00456687
0x00456687
0x0045667a
0x0045667a
0x0045667a
0x0045668e
0x00456691
0x00456697
0x00456697
0x00456699
0x0045669c
0x0045669f
0x00456779
0x00456779
0x0045677b
0x0045677e
0x00456783
0x00456786
0x00456789
0x0045678e
0x00456791
0x00456793
0x00456799
0x0045679b
0x0045679b
0x004567a1
0x004567a4
0x004567a7
0x004567aa
0x004567b1
0x004567b4
0x004567b6
0x004567bc
0x004567b8
0x004567b8
0x004567b8
0x004567ac
0x004567ac
0x004567ac
0x004567bf
0x004567c1
0x004567c7
0x004567c7
0x004567cf
0x004567d5
0x004567da
0x004567dd
0x004567e0
0x004567e5
0x004567e7
0x004567ea
0x004567f0
0x004567f2
0x004567f2
0x004567f8
0x004567fb
0x004567fe
0x00456801
0x00456808
0x0045680b
0x0045680e
0x00456815
0x00456810
0x00456810
0x00456810
0x00456803
0x00456803
0x00456803
0x00456817
0x0045681a
0x0045681a
0x004566a5
0x004566a5
0x004566a7
0x004566aa
0x00000000
0x00000000
0x004566b0
0x004566b0
0x004566b3
0x004566b6
0x004566bc
0x00000000
0x00000000
0x004566c2
0x00000000
0x0045669f
0x004565d2
0x004565d5
0x004565da
0x004565dc
0x004565e2
0x004565e5
0x004565e8
0x004565ed
0x004565f0
0x004565f2
0x004565f8
0x004565fa
0x004565fa
0x00456600
0x00456603
0x00456609
0x00456610
0x00456613
0x00456615
0x0045661b
0x00456617
0x00456617
0x00456617
0x0045660b
0x0045660b
0x0045660b
0x0045661e
0x00456620
0x00456626
0x00456626
0x0045662e
0x004566c7
0x004566ca
0x004566cd
0x004566d1
0x004566d4
0x004566d6
0x004566dc
0x004566de
0x004566e1
0x004566e7
0x004566e9
0x004566e9
0x004566ef
0x004566f2
0x004566f5
0x004566f8
0x004566ff
0x00456702
0x00456705
0x0045670c
0x00456707
0x00456707
0x00456707
0x004566fa
0x004566fa
0x004566fa
0x0045670e
0x00456711
0x00456717
0x00456717
0x00456720
0x00456726
0x0045672c
0x0045672f
0x00456732
0x00456737
0x0045673a
0x0045673c
0x00456742
0x00456744
0x00456744
0x0045674a
0x0045674d
0x00456750
0x00456753
0x0045675f
0x00456762
0x00456764
0x0045676f
0x00456772
0x00456766
0x00456766
0x00456768
0x00456768
0x00456755
0x00456755
0x00456758
0x00456758
0x00000000
0x00456640
0x00000000
0x00456640
0x0045662e
0x00000000
0x004565c0
0x004564ae

APIs

GetLastError.KERNEL32(?,?,00000000), ref: 00456842
SysFreeString.OLEAUT32(?), ref: 0045686A
SysFreeString.OLEAUT32(?), ref: 00456896
SetLastError.KERNEL32(00000000), ref: 004568AC

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorFreeLastString
String ID:
API String ID: 3822639702-0
Opcode ID: b2896d3e94e2ab054727a4b2d5f570ba70d6cae45077c452547e1c48942cb4e1
Instruction ID: 519459cdb198f5bf2f70f6d8dae12a34e24b81be94158ae1d38be78d04fd2c75
Opcode Fuzzy Hash: b2896d3e94e2ab054727a4b2d5f570ba70d6cae45077c452547e1c48942cb4e1
Instruction Fuzzy Hash: EA12C2B4601601CFC754CF09D180816FBE2FF893153A6C6AED85A8B326D735EC86CB89

Uniqueness

Uniqueness Score: -1.00%

Function 004569D0 Relevance: 6.4, APIs: 4, Instructions: 420
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E004569D0(intOrPtr __ecx) {
				intOrPtr* _t199;
				intOrPtr _t202;
				intOrPtr* _t203;
				intOrPtr* _t204;
				intOrPtr* _t207;
				intOrPtr* _t215;
				intOrPtr _t216;
				intOrPtr* _t219;
				intOrPtr* _t222;
				intOrPtr _t226;
				intOrPtr _t229;
				intOrPtr* _t230;
				intOrPtr _t235;
				intOrPtr* _t236;
				intOrPtr* _t239;
				intOrPtr _t242;
				intOrPtr* _t243;
				intOrPtr _t248;
				intOrPtr _t251;
				intOrPtr* _t257;
				intOrPtr _t259;
				intOrPtr _t260;
				intOrPtr* _t263;
				intOrPtr* _t264;
				intOrPtr _t265;
				intOrPtr _t267;
				intOrPtr _t270;
				intOrPtr* _t271;
				intOrPtr* _t272;
				intOrPtr* _t273;
				intOrPtr* _t278;
				intOrPtr _t279;
				intOrPtr* _t280;
				intOrPtr _t282;
				intOrPtr _t288;
				intOrPtr _t290;
				intOrPtr* _t291;
				intOrPtr _t294;
				intOrPtr _t296;
				intOrPtr* _t297;
				intOrPtr _t298;
				intOrPtr _t300;
				intOrPtr _t302;
				intOrPtr* _t303;
				intOrPtr _t307;
				intOrPtr _t309;
				intOrPtr* _t310;
				intOrPtr _t313;
				intOrPtr _t315;
				intOrPtr* _t316;
				intOrPtr _t319;
				intOrPtr _t321;
				intOrPtr* _t322;
				intOrPtr* _t324;
				intOrPtr* _t327;
				intOrPtr _t328;
				intOrPtr _t330;
				intOrPtr* _t332;
				intOrPtr* _t333;
				intOrPtr* _t335;
				intOrPtr _t336;
				intOrPtr _t337;
				intOrPtr* _t338;
				intOrPtr _t339;
				void* _t340;
				void* _t341;
				void* _t342;
				void* _t352;

				 *((intOrPtr*)(_t340 + 8)) = __ecx;
				_t324 =  *((intOrPtr*)(_t340 + 0x28));
				E004589D0(_t340 + 0x28);
				_t332 =  *_t324;
				_t279 =  *0x47e928; // 0x2221908
				_t239 = _t324 + 8;
				 *((intOrPtr*)(_t340 + 0x14)) = _t324;
				_t335 = _t239;
				if(_t332 != _t279) {
					_t199 =  *_t239;
					__eflags = _t199 - _t279;
					if(_t199 == _t279) {
						goto L6;
					}
					_t278 =  *_t199;
					__eflags = _t278 - _t279;
					if(_t278 == _t279) {
						L5:
						_t332 =  *((intOrPtr*)(_t199 + 8));
						_t7 = _t199 + 8; // 0x8
						_t335 = _t7;
						 *((intOrPtr*)(_t340 + 0x14)) = _t199;
						goto L6;
					} else {
						goto L4;
					}
					do {
						L4:
						_t199 = _t278;
						_t278 =  *_t199;
						__eflags = _t278 - _t279;
					} while (_t278 != _t279);
					goto L5;
				} else {
					_t332 =  *_t239;
					L6:
					L0043B179(_t340 + 0x1c);
					_t280 =  *((intOrPtr*)(_t340 + 0x14));
					if(_t280 == _t324) {
						_t248 =  *((intOrPtr*)(_t340 + 0x10));
						 *((intOrPtr*)(_t332 + 4)) =  *((intOrPtr*)(_t280 + 4));
						_t202 =  *((intOrPtr*)(_t248 + 4));
						__eflags =  *((intOrPtr*)(_t202 + 4)) - _t324;
						if( *((intOrPtr*)(_t202 + 4)) != _t324) {
							_t203 =  *((intOrPtr*)(_t324 + 4));
							__eflags =  *_t203 - _t324;
							if( *_t203 != _t324) {
								 *((intOrPtr*)(_t203 + 8)) = _t332;
							} else {
								 *_t203 = _t332;
							}
						} else {
							 *((intOrPtr*)(_t202 + 4)) = _t332;
						}
						_t204 =  *((intOrPtr*)(_t248 + 4));
						 *((intOrPtr*)(_t340 + 0x18)) = _t204;
						__eflags =  *_t204 - _t324;
						if( *_t204 != _t324) {
							L29:
							_t336 =  *((intOrPtr*)(_t248 + 4));
							__eflags =  *((intOrPtr*)(_t336 + 8)) - _t324;
							if( *((intOrPtr*)(_t336 + 8)) != _t324) {
								L35:
								_t337 =  *((intOrPtr*)(_t340 + 0x10));
								goto L36;
							}
							_t242 =  *0x47e928; // 0x2221908
							__eflags =  *_t324 - _t242;
							if( *_t324 != _t242) {
								_t229 =  *((intOrPtr*)(_t332 + 8));
								_t272 = _t332;
								__eflags = _t229 - _t242;
								if(_t229 == _t242) {
									L34:
									 *((intOrPtr*)(_t336 + 8)) = _t272;
									goto L35;
								} else {
									goto L33;
								}
								do {
									L33:
									_t272 = _t229;
									_t229 =  *((intOrPtr*)(_t272 + 8));
									__eflags = _t229 - _t242;
								} while (_t229 != _t242);
								goto L34;
							}
							_t272 =  *((intOrPtr*)(_t324 + 4));
							goto L34;
						} else {
							_t339 =  *0x47e928; // 0x2221908
							__eflags =  *_t239 - _t339;
							if( *_t239 != _t339) {
								_t243 =  *_t332;
								_t273 = _t332;
								__eflags = _t243 - _t339;
								if(_t243 == _t339) {
									L28:
									 *_t204 = _t273;
									_t248 =  *((intOrPtr*)(_t340 + 0x10));
									goto L29;
								}
								_t230 = _t243;
								do {
									_t273 = _t230;
									_t230 =  *_t273;
									__eflags = _t230 - _t339;
								} while (_t230 != _t339);
								_t204 =  *((intOrPtr*)(_t340 + 0x18));
								goto L28;
							}
							 *_t204 =  *((intOrPtr*)(_t324 + 4));
							goto L29;
						}
					} else {
						 *((intOrPtr*)( *_t324 + 4)) = _t280;
						 *_t280 =  *_t324;
						if(_t280 !=  *_t239) {
							 *((intOrPtr*)(_t332 + 4)) =  *((intOrPtr*)(_t280 + 4));
							 *((intOrPtr*)( *((intOrPtr*)(_t280 + 4)))) = _t332;
							 *_t335 =  *_t239;
							 *((intOrPtr*)( *_t239 + 4)) = _t280;
						} else {
							 *((intOrPtr*)(_t332 + 4)) = _t280;
						}
						_t337 =  *((intOrPtr*)(_t340 + 0x10));
						_t235 =  *((intOrPtr*)(_t337 + 4));
						if( *((intOrPtr*)(_t235 + 4)) != _t324) {
							_t236 =  *((intOrPtr*)(_t324 + 4));
							__eflags =  *_t236 - _t324;
							if( *_t236 != _t324) {
								 *((intOrPtr*)(_t236 + 8)) = _t280;
							} else {
								 *_t236 = _t280;
							}
						} else {
							 *((intOrPtr*)(_t235 + 4)) = _t280;
						}
						 *((intOrPtr*)(_t340 + 0x14)) = _t324;
						 *((intOrPtr*)(_t280 + 4)) =  *((intOrPtr*)(_t324 + 4));
						 *((intOrPtr*)(_t280 + 0x38)) =  *((intOrPtr*)(_t324 + 0x38));
						 *((intOrPtr*)(_t324 + 0x38)) =  *((intOrPtr*)(_t280 + 0x38));
						_t280 = _t324;
						L36:
						_t205 =  *((intOrPtr*)(_t280 + 0x38));
						if( *((intOrPtr*)(_t280 + 0x38)) != 1) {
							L100:
							L0043B215(_t205);
							_t241 =  *((intOrPtr*)(_t340 + 0x14));
							_t333 =  *((intOrPtr*)(_t340 + 0x14)) + 0xc;
							if(_t333 == 0) {
								_t207 = 0;
								__eflags = 0;
							} else {
								_t207 = _t333 + 0x20;
							}
							 *((intOrPtr*)( *((intOrPtr*)( *_t207 + 4)) + _t207)) = GetLastError();
							if(_t333 == 0) {
								_t327 = 0;
								__eflags = 0;
							} else {
								_t327 = _t333 + 0x14;
							}
							E0043AE17( *_t327);
							_t338 = __imp__#6;
							_t341 = _t340 + 4;
							 *_t338( *((intOrPtr*)(_t327 + 8)));
							_t282 = 0;
							if(_t333 == 0) {
								_t328 = 0;
								__eflags = 0;
							} else {
								_t328 = _t333 + 4;
							}
							_t251 =  *((intOrPtr*)(_t328 + 4));
							if(_t251 != _t282) {
								_t216 =  *((intOrPtr*)(_t251 - 1));
								if(_t216 == 0 || _t216 == 0xff) {
									 *_t338(_t251 + 0xfffffffe);
									_t282 = 0;
									__eflags = 0;
								} else {
									 *((char*)(_t251 - 1)) = _t216 - 1;
								}
							}
							 *((intOrPtr*)(_t328 + 4)) = _t282;
							 *((intOrPtr*)(_t328 + 8)) = _t282;
							 *((intOrPtr*)(_t328 + 0xc)) = _t282;
							SetLastError( *( *((intOrPtr*)( *_t333 + 4)) + _t333));
							E0043AE17(_t241);
							_t214 =  *((intOrPtr*)(_t341 + 0x14));
							_t342 = _t341 + 4;
							 *((intOrPtr*)(_t214 + 0xc)) =  *((intOrPtr*)( *((intOrPtr*)(_t341 + 0x14)) + 0xc)) - 1;
							_t215 =  *((intOrPtr*)(_t342 + 0x1c));
							 *_t215 =  *((intOrPtr*)(_t342 + 0x20));
							return _t215;
						}
						if(_t332 ==  *((intOrPtr*)( *((intOrPtr*)(_t337 + 4)) + 4))) {
							L99:
							 *((intOrPtr*)(_t332 + 0x38)) = 1;
							goto L100;
						}
						while( *((intOrPtr*)(_t332 + 0x38)) == 1) {
							_t257 =  *((intOrPtr*)(_t332 + 4));
							_t219 =  *_t257;
							if(_t332 != _t219) {
								_t330 = 0;
								__eflags =  *((intOrPtr*)(_t219 + 0x38));
								if( *((intOrPtr*)(_t219 + 0x38)) == 0) {
									 *((intOrPtr*)(_t219 + 0x38)) = 1;
									 *((intOrPtr*)( *((intOrPtr*)(_t332 + 4)) + 0x38)) = 0;
									_t222 =  *((intOrPtr*)(_t332 + 4));
									_t265 =  *_t222;
									 *_t222 =  *((intOrPtr*)(_t265 + 8));
									_t300 =  *((intOrPtr*)(_t265 + 8));
									__eflags = _t300 -  *0x47e928; // 0x2221908
									if(__eflags != 0) {
										 *((intOrPtr*)(_t300 + 4)) = _t222;
									}
									 *((intOrPtr*)(_t265 + 4)) =  *((intOrPtr*)(_t222 + 4));
									_t302 =  *((intOrPtr*)(_t337 + 4));
									__eflags = _t222 -  *((intOrPtr*)(_t302 + 4));
									if(_t222 !=  *((intOrPtr*)(_t302 + 4))) {
										_t303 =  *((intOrPtr*)(_t222 + 4));
										__eflags = _t222 -  *((intOrPtr*)(_t303 + 8));
										if(_t222 !=  *((intOrPtr*)(_t303 + 8))) {
											 *_t303 = _t265;
										} else {
											 *((intOrPtr*)(_t303 + 8)) = _t265;
										}
									} else {
										 *((intOrPtr*)(_t302 + 4)) = _t265;
									}
									 *((intOrPtr*)(_t265 + 8)) = _t222;
									 *((intOrPtr*)(_t222 + 4)) = _t265;
									_t219 =  *((intOrPtr*)( *((intOrPtr*)(_t332 + 4))));
								}
								_t259 =  *((intOrPtr*)(_t219 + 8));
								__eflags =  *((intOrPtr*)(_t259 + 0x38)) - 1;
								if( *((intOrPtr*)(_t259 + 0x38)) != 1) {
									L81:
									_t260 =  *_t219;
									__eflags =  *((intOrPtr*)(_t260 + 0x38)) - 1;
									if( *((intOrPtr*)(_t260 + 0x38)) == 1) {
										 *((intOrPtr*)( *((intOrPtr*)(_t219 + 8)) + 0x38)) = 1;
										_t264 =  *((intOrPtr*)(_t219 + 8));
										 *((intOrPtr*)(_t219 + 0x38)) = _t330;
										 *((intOrPtr*)(_t219 + 8)) =  *_t264;
										_t294 =  *_t264;
										__eflags = _t294 -  *0x47e928; // 0x2221908
										if(__eflags != 0) {
											 *((intOrPtr*)(_t294 + 4)) = _t219;
										}
										 *((intOrPtr*)(_t264 + 4)) =  *((intOrPtr*)(_t219 + 4));
										_t296 =  *((intOrPtr*)(_t337 + 4));
										__eflags = _t219 -  *((intOrPtr*)(_t296 + 4));
										if(_t219 !=  *((intOrPtr*)(_t296 + 4))) {
											_t297 =  *((intOrPtr*)(_t219 + 4));
											__eflags = _t219 -  *_t297;
											if(_t219 !=  *_t297) {
												 *((intOrPtr*)(_t297 + 8)) = _t264;
											} else {
												 *_t297 = _t264;
											}
										} else {
											 *((intOrPtr*)(_t296 + 4)) = _t264;
										}
										 *_t264 = _t219;
										 *((intOrPtr*)(_t219 + 4)) = _t264;
										_t219 =  *((intOrPtr*)( *((intOrPtr*)(_t332 + 4))));
									}
									 *((intOrPtr*)(_t219 + 0x38)) =  *((intOrPtr*)( *((intOrPtr*)(_t332 + 4)) + 0x38));
									 *((intOrPtr*)( *((intOrPtr*)(_t332 + 4)) + 0x38)) = 1;
									 *((intOrPtr*)( *_t219 + 0x38)) = 1;
									_t205 =  *((intOrPtr*)(_t332 + 4));
									_t263 =  *_t205;
									 *_t205 =  *((intOrPtr*)(_t263 + 8));
									_t288 =  *((intOrPtr*)(_t263 + 8));
									__eflags = _t288 -  *0x47e928; // 0x2221908
									if(__eflags != 0) {
										 *((intOrPtr*)(_t288 + 4)) = _t205;
									}
									 *((intOrPtr*)(_t263 + 4)) =  *((intOrPtr*)(_t205 + 4));
									_t290 =  *((intOrPtr*)(_t337 + 4));
									__eflags = _t205 -  *((intOrPtr*)(_t290 + 4));
									if(_t205 !=  *((intOrPtr*)(_t290 + 4))) {
										_t291 =  *((intOrPtr*)(_t205 + 4));
										__eflags = _t205 -  *((intOrPtr*)(_t291 + 8));
										if(_t205 !=  *((intOrPtr*)(_t291 + 8))) {
											 *_t291 = _t263;
										} else {
											 *((intOrPtr*)(_t291 + 8)) = _t263;
										}
									} else {
										 *((intOrPtr*)(_t290 + 4)) = _t263;
									}
									 *((intOrPtr*)(_t263 + 8)) = _t205;
									L98:
									 *((intOrPtr*)(_t205 + 4)) = _t263;
								} else {
									_t298 =  *_t219;
									__eflags =  *((intOrPtr*)(_t298 + 0x38)) - 1;
									if( *((intOrPtr*)(_t298 + 0x38)) != 1) {
										goto L81;
									}
									L63:
									 *((intOrPtr*)(_t219 + 0x38)) = _t330;
									_t205 =  *((intOrPtr*)(_t337 + 4));
									_t332 =  *((intOrPtr*)(_t332 + 4));
									if(_t332 !=  *((intOrPtr*)( *((intOrPtr*)(_t337 + 4)) + 4))) {
										continue;
									}
								}
								goto L99;
							}
							_t219 =  *((intOrPtr*)(_t257 + 8));
							_t330 = 0;
							if( *((intOrPtr*)(_t219 + 0x38)) == 0) {
								 *((intOrPtr*)(_t219 + 0x38)) = 1;
								 *((intOrPtr*)( *((intOrPtr*)(_t332 + 4)) + 0x38)) = 0;
								_t226 =  *((intOrPtr*)(_t332 + 4));
								_t271 =  *((intOrPtr*)(_t226 + 8));
								 *((intOrPtr*)(_t226 + 8)) =  *_t271;
								_t319 =  *_t271;
								_t352 = _t319 -  *0x47e928; // 0x2221908
								if(_t352 != 0) {
									 *((intOrPtr*)(_t319 + 4)) = _t226;
								}
								 *((intOrPtr*)(_t271 + 4)) =  *((intOrPtr*)(_t226 + 4));
								_t321 =  *((intOrPtr*)(_t337 + 4));
								if(_t226 !=  *((intOrPtr*)(_t321 + 4))) {
									_t322 =  *((intOrPtr*)(_t226 + 4));
									__eflags = _t226 -  *_t322;
									if(_t226 !=  *_t322) {
										 *((intOrPtr*)(_t322 + 8)) = _t271;
									} else {
										 *_t322 = _t271;
									}
								} else {
									 *((intOrPtr*)(_t321 + 4)) = _t271;
								}
								 *_t271 = _t226;
								 *((intOrPtr*)(_t226 + 4)) = _t271;
								_t219 =  *((intOrPtr*)( *((intOrPtr*)(_t332 + 4)) + 8));
							}
							if( *((intOrPtr*)( *_t219 + 0x38)) != 1 ||  *((intOrPtr*)( *((intOrPtr*)(_t219 + 8)) + 0x38)) != 1) {
								_t267 =  *((intOrPtr*)(_t219 + 8));
								__eflags =  *((intOrPtr*)(_t267 + 0x38)) - 1;
								if( *((intOrPtr*)(_t267 + 0x38)) == 1) {
									 *((intOrPtr*)( *_t219 + 0x38)) = 1;
									_t270 =  *_t219;
									 *((intOrPtr*)(_t219 + 0x38)) = _t330;
									 *_t219 =  *((intOrPtr*)(_t270 + 8));
									_t313 =  *((intOrPtr*)(_t270 + 8));
									__eflags = _t313 -  *0x47e928; // 0x2221908
									if(__eflags != 0) {
										 *((intOrPtr*)(_t313 + 4)) = _t219;
									}
									 *((intOrPtr*)(_t270 + 4)) =  *((intOrPtr*)(_t219 + 4));
									_t315 =  *((intOrPtr*)(_t337 + 4));
									__eflags = _t219 -  *((intOrPtr*)(_t315 + 4));
									if(_t219 !=  *((intOrPtr*)(_t315 + 4))) {
										_t316 =  *((intOrPtr*)(_t219 + 4));
										__eflags = _t219 -  *((intOrPtr*)(_t316 + 8));
										if(_t219 !=  *((intOrPtr*)(_t316 + 8))) {
											 *_t316 = _t270;
										} else {
											 *((intOrPtr*)(_t316 + 8)) = _t270;
										}
									} else {
										 *((intOrPtr*)(_t315 + 4)) = _t270;
									}
									 *((intOrPtr*)(_t270 + 8)) = _t219;
									 *((intOrPtr*)(_t219 + 4)) = _t270;
									_t219 =  *((intOrPtr*)( *((intOrPtr*)(_t332 + 4)) + 8));
								}
								 *((intOrPtr*)(_t219 + 0x38)) =  *((intOrPtr*)( *((intOrPtr*)(_t332 + 4)) + 0x38));
								 *((intOrPtr*)( *((intOrPtr*)(_t332 + 4)) + 0x38)) = 1;
								 *((intOrPtr*)( *((intOrPtr*)(_t219 + 8)) + 0x38)) = 1;
								_t205 =  *((intOrPtr*)(_t332 + 4));
								_t263 =  *((intOrPtr*)(_t205 + 8));
								 *((intOrPtr*)(_t205 + 8)) =  *_t263;
								_t307 =  *_t263;
								__eflags = _t307 -  *0x47e928; // 0x2221908
								if(__eflags != 0) {
									 *((intOrPtr*)(_t307 + 4)) = _t205;
								}
								 *((intOrPtr*)(_t263 + 4)) =  *((intOrPtr*)(_t205 + 4));
								_t309 =  *((intOrPtr*)(_t337 + 4));
								__eflags = _t205 -  *((intOrPtr*)(_t309 + 4));
								if(_t205 !=  *((intOrPtr*)(_t309 + 4))) {
									_t310 =  *((intOrPtr*)(_t205 + 4));
									__eflags = _t205 -  *_t310;
									if(_t205 !=  *_t310) {
										 *((intOrPtr*)(_t310 + 8)) = _t263;
										 *_t263 = _t205;
									} else {
										 *_t310 = _t263;
										 *_t263 = _t205;
									}
								} else {
									 *((intOrPtr*)(_t309 + 4)) = _t263;
									 *_t263 = _t205;
								}
								goto L98;
							} else {
								goto L63;
							}
						}
						goto L99;
					}
				}
			}

0x004569d5
0x004569db
0x004569e3
0x004569e8
0x004569ea
0x004569f0
0x004569f5
0x004569f9
0x004569fb
0x00456a01
0x00456a03
0x00456a05
0x00000000
0x00000000
0x00456a07
0x00456a09
0x00456a0b
0x00456a15
0x00456a15
0x00456a18
0x00456a18
0x00456a1b
0x00000000
0x00000000
0x00000000
0x00000000
0x00456a0d
0x00456a0d
0x00456a0d
0x00456a0f
0x00456a11
0x00456a11
0x00000000
0x004569fd
0x004569fd
0x00456a1f
0x00456a23
0x00456a28
0x00456a2e
0x00456a98
0x00456a9c
0x00456a9f
0x00456aa2
0x00456aa5
0x00456aac
0x00456aaf
0x00456ab1
0x00456ab7
0x00456ab3
0x00456ab3
0x00456ab3
0x00456aa7
0x00456aa7
0x00456aa7
0x00456aba
0x00456abd
0x00456ac1
0x00456ac3
0x00456af2
0x00456af2
0x00456af5
0x00456af8
0x00456b20
0x00456b20
0x00000000
0x00456b20
0x00456afa
0x00456b02
0x00456b04
0x00456b0b
0x00456b0e
0x00456b10
0x00456b12
0x00456b1d
0x00456b1d
0x00000000
0x00000000
0x00000000
0x00000000
0x00456b14
0x00456b14
0x00456b14
0x00456b16
0x00456b19
0x00456b19
0x00000000
0x00456b14
0x00456b06
0x00000000
0x00456ac5
0x00456ac5
0x00456acb
0x00456acd
0x00456ad6
0x00456ad8
0x00456ada
0x00456adc
0x00456aec
0x00456aec
0x00456aee
0x00000000
0x00456aee
0x00456ade
0x00456ae0
0x00456ae0
0x00456ae2
0x00456ae4
0x00456ae4
0x00456ae8
0x00000000
0x00456ae8
0x00456ad2
0x00000000
0x00456ad2
0x00456a30
0x00456a32
0x00456a37
0x00456a3d
0x00456a47
0x00456a4d
0x00456a51
0x00456a56
0x00456a3f
0x00456a3f
0x00456a3f
0x00456a59
0x00456a5d
0x00456a63
0x00456a6a
0x00456a6d
0x00456a6f
0x00456a75
0x00456a71
0x00456a71
0x00456a71
0x00456a65
0x00456a65
0x00456a65
0x00456a7b
0x00456a7f
0x00456a88
0x00456a8b
0x00456a8e
0x00456b24
0x00456b24
0x00456b2e
0x00456da0
0x00456da4
0x00456da9
0x00456dad
0x00456db2
0x00456db9
0x00456db9
0x00456db4
0x00456db4
0x00456db4
0x00456dca
0x00456dcc
0x00456dd3
0x00456dd3
0x00456dce
0x00456dce
0x00456dce
0x00456dd8
0x00456de0
0x00456de6
0x00456dea
0x00456dec
0x00456df0
0x00456df7
0x00456df7
0x00456df2
0x00456df2
0x00456df2
0x00456df9
0x00456dfe
0x00456e00
0x00456e05
0x00456e16
0x00456e18
0x00456e18
0x00456e0b
0x00456e0d
0x00456e0d
0x00456e05
0x00456e1a
0x00456e1d
0x00456e20
0x00456e2c
0x00456e33
0x00456e38
0x00456e3c
0x00456e45
0x00456e48
0x00456e51
0x00456e57
0x00456e57
0x00456b3a
0x00456d9d
0x00456d9d
0x00000000
0x00456d9d
0x00456b40
0x00456b49
0x00456b4c
0x00456b50
0x00456bc5
0x00456bc7
0x00456bc9
0x00456bcb
0x00456bd1
0x00456bd4
0x00456bd7
0x00456bdc
0x00456bde
0x00456be1
0x00456be7
0x00456be9
0x00456be9
0x00456bef
0x00456bf2
0x00456bf5
0x00456bf8
0x00456bff
0x00456c02
0x00456c05
0x00456c0c
0x00456c07
0x00456c07
0x00456c07
0x00456bfa
0x00456bfa
0x00456bfa
0x00456c0e
0x00456c11
0x00456c17
0x00456c17
0x00456c19
0x00456c1c
0x00456c1f
0x00456cf9
0x00456cf9
0x00456cfb
0x00456cfe
0x00456d03
0x00456d06
0x00456d09
0x00456d0e
0x00456d11
0x00456d13
0x00456d19
0x00456d1b
0x00456d1b
0x00456d21
0x00456d24
0x00456d27
0x00456d2a
0x00456d31
0x00456d34
0x00456d36
0x00456d3c
0x00456d38
0x00456d38
0x00456d38
0x00456d2c
0x00456d2c
0x00456d2c
0x00456d3f
0x00456d41
0x00456d47
0x00456d47
0x00456d4f
0x00456d55
0x00456d5a
0x00456d5d
0x00456d60
0x00456d65
0x00456d67
0x00456d6a
0x00456d70
0x00456d72
0x00456d72
0x00456d78
0x00456d7b
0x00456d7e
0x00456d81
0x00456d88
0x00456d8b
0x00456d8e
0x00456d95
0x00456d90
0x00456d90
0x00456d90
0x00456d83
0x00456d83
0x00456d83
0x00456d97
0x00456d9a
0x00456d9a
0x00456c25
0x00456c25
0x00456c27
0x00456c2a
0x00000000
0x00000000
0x00456c30
0x00456c30
0x00456c33
0x00456c36
0x00456c3c
0x00000000
0x00000000
0x00456c42
0x00000000
0x00456c1f
0x00456b52
0x00456b55
0x00456b5a
0x00456b5c
0x00456b62
0x00456b65
0x00456b68
0x00456b6d
0x00456b70
0x00456b72
0x00456b78
0x00456b7a
0x00456b7a
0x00456b80
0x00456b83
0x00456b89
0x00456b90
0x00456b93
0x00456b95
0x00456b9b
0x00456b97
0x00456b97
0x00456b97
0x00456b8b
0x00456b8b
0x00456b8b
0x00456b9e
0x00456ba0
0x00456ba6
0x00456ba6
0x00456bae
0x00456c47
0x00456c4a
0x00456c4d
0x00456c51
0x00456c54
0x00456c56
0x00456c5c
0x00456c5e
0x00456c61
0x00456c67
0x00456c69
0x00456c69
0x00456c6f
0x00456c72
0x00456c75
0x00456c78
0x00456c7f
0x00456c82
0x00456c85
0x00456c8c
0x00456c87
0x00456c87
0x00456c87
0x00456c7a
0x00456c7a
0x00456c7a
0x00456c8e
0x00456c91
0x00456c97
0x00456c97
0x00456ca0
0x00456ca6
0x00456cac
0x00456caf
0x00456cb2
0x00456cb7
0x00456cba
0x00456cbc
0x00456cc2
0x00456cc4
0x00456cc4
0x00456cca
0x00456ccd
0x00456cd0
0x00456cd3
0x00456cdf
0x00456ce2
0x00456ce4
0x00456cef
0x00456cf2
0x00456ce6
0x00456ce6
0x00456ce8
0x00456ce8
0x00456cd5
0x00456cd5
0x00456cd8
0x00456cd8
0x00000000
0x00456bc0
0x00000000
0x00456bc0
0x00456bae
0x00000000
0x00456b40
0x00456a2e

APIs

GetLastError.KERNEL32(?,?,00000000), ref: 00456DC2
SysFreeString.OLEAUT32(?), ref: 00456DEA
SysFreeString.OLEAUT32(?), ref: 00456E16
SetLastError.KERNEL32(00000000), ref: 00456E2C

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorFreeLastString
String ID:
API String ID: 3822639702-0
Opcode ID: 7347352e3968dfba5f646e48c5dfb719dd2fd715423a65dada13118714f31143
Instruction ID: 120846b57e2843f7e1950c222492ca8f5bd0c0f26ac425f730224e1b15cdc8d7
Opcode Fuzzy Hash: 7347352e3968dfba5f646e48c5dfb719dd2fd715423a65dada13118714f31143
Instruction Fuzzy Hash: 3212A0B4604601CF8715CF19C180816FBF2FF893157A6C6AED85A8B726D735EC8ACB85

Uniqueness

Uniqueness Score: -1.00%

Function 0044095D Relevance: 6.4, APIs: 5, Instructions: 102
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0044095D() {
				intOrPtr* _t28;
				void* _t42;
				void* _t43;
				void* _t45;
				void* _t55;

				if( *0x47b150 != 0xffffffff) {
					_t43 = HeapAlloc( *0x47fd40, 0, 0x2020);
					if(_t43 == 0) {
						goto L20;
					}
					goto L3;
				} else {
					_t43 = 0x47b140;
					L3:
					_t42 = VirtualAlloc(0, 0x400000, 0x2000, 4);
					if(_t42 == 0) {
						L18:
						if(_t43 != 0x47b140) {
							HeapFree( *0x47fd40, 0, _t43);
						}
						L20:
						return 0;
					}
					if(VirtualAlloc(_t42, 0x10000, 0x1000, 4) == 0) {
						VirtualFree(_t42, 0, 0x8000);
						goto L18;
					}
					if(_t43 != 0x47b140) {
						 *_t43 = 0x47b140;
						 *(_t43 + 4) =  *0x47b144;
						 *0x47b144 = _t43;
						 *( *(_t43 + 4)) = _t43;
					} else {
						if( *0x47b140 == 0) {
							 *0x47b140 = 0x47b140;
						}
						if( *0x47b144 == 0) {
							 *0x47b144 = 0x47b140;
						}
					}
					_t3 = _t42 + 0x400000; // 0x400000
					_t4 = _t43 + 0x98; // 0x98
					 *((intOrPtr*)(_t43 + 0x14)) = _t3;
					_t6 = _t43 + 0x18; // 0x18
					_t28 = _t6;
					 *((intOrPtr*)(_t43 + 0xc)) = _t4;
					 *(_t43 + 0x10) = _t42;
					 *((intOrPtr*)(_t43 + 8)) = _t28;
					_t45 = 0;
					do {
						_t55 = _t45 - 0x10;
						_t45 = _t45 + 1;
						 *_t28 = ((0 | _t55 >= 0x00000000) - 0x00000001 & 0x000000f1) - 1;
						 *((intOrPtr*)(_t28 + 4)) = 0xf1;
						_t28 = _t28 + 8;
					} while (_t45 < 0x400);
					E0043C5B0(_t42, 0, 0x10000);
					while(_t42 <  *(_t43 + 0x10) + 0x10000) {
						 *(_t42 + 0xf8) =  *(_t42 + 0xf8) | 0x000000ff;
						_t16 = _t42 + 8; // -4088
						 *_t42 = _t16;
						 *((intOrPtr*)(_t42 + 4)) = 0xf0;
						_t42 = _t42 + 0x1000;
					}
					return _t43;
				}
			}

0x00440968
0x00440984
0x00440988
0x00000000
0x00000000
0x00000000
0x0044096a
0x0044096a
0x0044098e
0x004409a4
0x004409a8
0x00440a83
0x00440a89
0x00440a94
0x00440a94
0x00440a9a
0x00000000
0x00440a9a
0x004409c0
0x00440a7d
0x00000000
0x00440a7d
0x004409cd
0x004409ed
0x004409f4
0x004409f7
0x00440a00
0x004409cf
0x004409d6
0x004409d8
0x004409d8
0x004409e4
0x004409e6
0x004409e6
0x004409e4
0x00440a02
0x00440a08
0x00440a0e
0x00440a11
0x00440a11
0x00440a14
0x00440a17
0x00440a1a
0x00440a1d
0x00440a24
0x00440a26
0x00440a30
0x00440a31
0x00440a33
0x00440a36
0x00440a39
0x00440a45
0x00440a4d
0x00440a56
0x00440a5d
0x00440a60
0x00440a62
0x00440a69
0x00440a69
0x00000000
0x00440a71

APIs

HeapAlloc.KERNEL32(00000000,00002020,?,?,?,?,00440E29,00000000,00000010,00000000,00000009,00000009,?,0043CECF,00000010,00000000), ref: 0044097E
VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,?,00440E29,00000000,00000010,00000000,00000009,00000009,?,0043CECF,00000010,00000000), ref: 004409A2
VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,?,00440E29,00000000,00000010,00000000,00000009,00000009,?,0043CECF,00000010,00000000), ref: 004409BC
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00440E29,00000000,00000010,00000000,00000009,00000009,?,0043CECF,00000010,00000000,?), ref: 00440A7D
HeapFree.KERNEL32(00000000,00000000,?,?,00440E29,00000000,00000010,00000000,00000009,00000009,?,0043CECF,00000010,00000000,?,00000000), ref: 00440A94

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: AllocVirtual$FreeHeap
String ID:
API String ID: 714016831-0
Opcode ID: 6fc3a2b0503e7f1570aa5bafee28b4fe22413e0133d4f692ebcd28f0c1bbd32b
Instruction ID: b023eae9f6a8551fabd52657db10bc085e8b9104289cba65dd6adf1f644e9fcc
Opcode Fuzzy Hash: 6fc3a2b0503e7f1570aa5bafee28b4fe22413e0133d4f692ebcd28f0c1bbd32b
Instruction Fuzzy Hash: 3231C3B16407059FE3308F24DC49B62BBE0FB54798F10863BE659A7391E778A854CB8C

Uniqueness

Uniqueness Score: -1.00%

Function 0045EADC Relevance: 6.2, APIs: 4, Instructions: 170
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0045EADC(signed int _a4, signed int _a8, long _a12) {
				void _v5;
				signed int _v12;
				long _v16;
				signed int _t75;
				void* _t78;
				intOrPtr _t82;
				signed char _t83;
				signed char _t85;
				long _t86;
				void* _t88;
				signed char _t90;
				signed char _t91;
				signed int _t95;
				intOrPtr _t96;
				char _t98;
				signed int _t99;
				long _t101;
				long _t102;
				signed int _t103;
				intOrPtr _t106;
				signed int _t108;
				signed int _t109;
				signed int _t111;
				signed char _t112;
				signed char* _t113;
				long _t115;
				void* _t119;
				signed int _t120;
				intOrPtr* _t121;
				signed int _t123;
				signed char* _t124;
				void* _t125;
				void* _t126;

				_v12 = _v12 & 0x00000000;
				_t108 = _a8;
				_t119 = _t108;
				if(_a12 == 0) {
					L42:
					__eflags = 0;
					return 0;
				}
				_t75 = _a4;
				_t111 = _t75 >> 5;
				_t121 = 0x47fc20 + _t111 * 4;
				_t123 = (_t75 & 0x0000001f) + (_t75 & 0x0000001f) * 8 << 2;
				_t78 =  *((intOrPtr*)(0x47fc20 + _t111 * 4)) + _t123;
				_t112 =  *((intOrPtr*)(_t78 + 4));
				if((_t112 & 0x00000002) != 0) {
					goto L42;
				}
				if((_t112 & 0x00000048) != 0) {
					_t106 =  *((intOrPtr*)(_t78 + 5));
					if(_t106 != 0xa) {
						_a12 = _a12 - 1;
						 *_t108 = _t106;
						_t20 = _t108 + 1; // 0x2
						_t119 = _t20;
						_v12 = 1;
						 *((char*)( *_t121 + _t123 + 5)) = 0xa;
					}
				}
				if(ReadFile( *( *_t121 + _t123), _t119, _a12,  &_v16, 0) != 0) {
					_t82 =  *_t121;
					_t120 = _v16;
					_v12 = _v12 + _t120;
					_t31 = _t123 + 4; // 0x4
					_t113 = _t82 + _t31;
					_t83 =  *((intOrPtr*)(_t82 + _t123 + 4));
					__eflags = _t83 & 0x00000080;
					if((_t83 & 0x00000080) == 0) {
						L41:
						return _v12;
					}
					__eflags = _t120;
					if(_t120 == 0) {
						L15:
						_t85 = _t83 & 0x000000fb;
						__eflags = _t85;
						L16:
						 *_t113 = _t85;
						_t86 = _a8;
						_a12 = _t86;
						_t115 = _v12 + _t86;
						__eflags = _t86 - _t115;
						_v12 = _t115;
						if(_t86 >= _t115) {
							L40:
							_t109 = _t108 - _a8;
							__eflags = _t109;
							_v12 = _t109;
							goto L41;
						} else {
							goto L17;
						}
						while(1) {
							L17:
							_t88 =  *_a12;
							__eflags = _t88 - 0x1a;
							if(_t88 == 0x1a) {
								break;
							}
							__eflags = _t88 - 0xd;
							if(_t88 == 0xd) {
								__eflags = _a12 - _t115 - 1;
								if(_a12 >= _t115 - 1) {
									_a12 = _a12 + 1;
									_t95 = ReadFile( *( *_t121 + _t123),  &_v5, 1,  &_v16, 0);
									__eflags = _t95;
									if(_t95 != 0) {
										L26:
										__eflags = _v16;
										if(_v16 == 0) {
											L34:
											 *_t108 = 0xd;
											L35:
											_t108 = _t108 + 1;
											__eflags = _t108;
											L36:
											_t115 = _v12;
											__eflags = _a12 - _t115;
											if(_a12 < _t115) {
												continue;
											}
											goto L40;
										}
										_t96 =  *_t121;
										__eflags =  *(_t96 + _t123 + 4) & 0x00000048;
										if(( *(_t96 + _t123 + 4) & 0x00000048) == 0) {
											__eflags = _t108 - _a8;
											if(__eflags != 0) {
												L33:
												E00442203(__eflags, _a4, 0xffffffff, 1);
												_t126 = _t126 + 0xc;
												__eflags = _v5 - 0xa;
												if(_v5 == 0xa) {
													goto L36;
												}
												goto L34;
											}
											__eflags = _v5 - 0xa;
											if(__eflags != 0) {
												goto L33;
											}
											L32:
											 *_t108 = 0xa;
											goto L35;
										}
										_t98 = _v5;
										__eflags = _t98 - 0xa;
										if(_t98 == 0xa) {
											goto L32;
										}
										 *_t108 = 0xd;
										_t108 = _t108 + 1;
										 *((char*)( *_t121 + _t123 + 5)) = _t98;
										goto L36;
									}
									_t99 = GetLastError();
									__eflags = _t99;
									if(_t99 != 0) {
										goto L34;
									}
									goto L26;
								}
								_t101 = _a12 + 1;
								__eflags =  *_t101 - 0xa;
								if( *_t101 != 0xa) {
									 *_t108 = 0xd;
									_t108 = _t108 + 1;
									_a12 = _t101;
									goto L36;
								}
								_a12 = _a12 + 2;
								goto L32;
							}
							 *_t108 = _t88;
							_t108 = _t108 + 1;
							_a12 = _a12 + 1;
							goto L36;
						}
						_t124 =  *_t121 + _t123 + 4;
						_t90 =  *_t124;
						__eflags = _t90 & 0x00000040;
						if((_t90 & 0x00000040) == 0) {
							_t91 = _t90 | 0x00000002;
							__eflags = _t91;
							 *_t124 = _t91;
						}
						goto L40;
					}
					__eflags =  *_t108 - 0xa;
					if( *_t108 != 0xa) {
						goto L15;
					}
					_t85 = _t83 | 0x00000004;
					goto L16;
				}
				_t102 = GetLastError();
				_t125 = 5;
				if(_t102 != _t125) {
					__eflags = _t102 - 0x6d;
					if(_t102 == 0x6d) {
						goto L42;
					}
					_t103 = L0043CC1D(_t102);
					L10:
					return _t103 | 0xffffffff;
				}
				 *((intOrPtr*)(L0043CC90())) = 9;
				_t103 = L0043CC99();
				 *_t103 = _t125;
				goto L10;
			}

0x0045eae2
0x0045eaeb
0x0045eaf0
0x0045eaf2
0x0045ecae
0x0045ecae
0x00000000
0x0045ecae
0x0045eaf8
0x0045eb00
0x0045eb0d
0x0045eb14
0x0045eb17
0x0045eb19
0x0045eb1f
0x00000000
0x00000000
0x0045eb28
0x0045eb2a
0x0045eb2f
0x0045eb31
0x0045eb34
0x0045eb38
0x0045eb38
0x0045eb3b
0x0045eb42
0x0045eb42
0x0045eb2f
0x0045eb5e
0x0045eb99
0x0045eb9b
0x0045eb9e
0x0045eba1
0x0045eba1
0x0045eba5
0x0045eba9
0x0045ebab
0x0045eca9
0x00000000
0x0045eca9
0x0045ebb1
0x0045ebb3
0x0045ebbe
0x0045ebbe
0x0045ebbe
0x0045ebc0
0x0045ebc0
0x0045ebc2
0x0045ebc8
0x0045ebcb
0x0045ebcd
0x0045ebcf
0x0045ebd2
0x0045eca3
0x0045eca3
0x0045eca3
0x0045eca6
0x00000000
0x00000000
0x00000000
0x00000000
0x0045ebd8
0x0045ebd8
0x0045ebdb
0x0045ebdd
0x0045ebdf
0x00000000
0x00000000
0x0045ebe5
0x0045ebe7
0x0045ebf5
0x0045ebf8
0x0045ec18
0x0045ec26
0x0045ec2c
0x0045ec2e
0x0045ec3a
0x0045ec3a
0x0045ec3e
0x0045ec81
0x0045ec81
0x0045ec84
0x0045ec84
0x0045ec84
0x0045ec85
0x0045ec85
0x0045ec88
0x0045ec8b
0x00000000
0x00000000
0x00000000
0x0045ec91
0x0045ec40
0x0045ec42
0x0045ec47
0x0045ec5c
0x0045ec5f
0x0045ec6c
0x0045ec73
0x0045ec78
0x0045ec7b
0x0045ec7f
0x00000000
0x00000000
0x00000000
0x0045ec7f
0x0045ec61
0x0045ec65
0x00000000
0x00000000
0x0045ec67
0x0045ec67
0x00000000
0x0045ec67
0x0045ec49
0x0045ec4c
0x0045ec4e
0x00000000
0x00000000
0x0045ec50
0x0045ec55
0x0045ec56
0x00000000
0x0045ec56
0x0045ec30
0x0045ec36
0x0045ec38
0x00000000
0x00000000
0x00000000
0x0045ec38
0x0045ebfd
0x0045ebfe
0x0045ec01
0x0045ec09
0x0045ec0c
0x0045ec0d
0x00000000
0x0045ec0d
0x0045ec03
0x00000000
0x0045ec03
0x0045ebe9
0x0045ebeb
0x0045ebec
0x00000000
0x0045ebec
0x0045ec95
0x0045ec99
0x0045ec9b
0x0045ec9d
0x0045ec9f
0x0045ec9f
0x0045eca1
0x0045eca1
0x00000000
0x0045ec9d
0x0045ebb5
0x0045ebb8
0x00000000
0x00000000
0x0045ebba
0x00000000
0x0045ebba
0x0045eb60
0x0045eb68
0x0045eb6b
0x0045eb81
0x0045eb84
0x00000000
0x00000000
0x0045eb8b
0x0045eb91
0x00000000
0x0045eb91
0x0045eb72
0x0045eb78
0x0045eb7d
0x00000000

APIs

ReadFile.KERNEL32(00000001,00000001,00000000,00000001,00000000,00000001,?,0045DA6D), ref: 0045EB56
GetLastError.KERNEL32 ref: 0045EB60
ReadFile.KERNEL32(?,?,00000001,00000001,00000000), ref: 0045EC26
GetLastError.KERNEL32 ref: 0045EC30

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorFileLastRead
String ID:
API String ID: 1948546556-0
Opcode ID: 5382e5a82fcdb0ac45de2dbed66f5fea29f2bddb7bc81b2a15d1d5b8a0183f2d
Instruction ID: 5b36f468bc8fbbb4de6051fdcc851ae74073f20978134a68f7cf722b117d26fd
Opcode Fuzzy Hash: 5382e5a82fcdb0ac45de2dbed66f5fea29f2bddb7bc81b2a15d1d5b8a0183f2d
Instruction Fuzzy Hash: F451B6345043859FDF2ACF59C884B9A7BB0AF06306F14449BEC558B353D378DA4ACB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00452860 Relevance: 6.1, APIs: 4, Instructions: 85
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E00452860(void* __ecx, intOrPtr _a4) {
				intOrPtr _v4;
				intOrPtr _v12;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v36;
				void* _v40;
				void* _v52;
				intOrPtr _v56;
				char _v64;
				void* _v72;
				void* _v76;
				intOrPtr _v80;
				intOrPtr _v88;
				intOrPtr _t31;
				intOrPtr _t33;
				void* _t34;
				signed int _t80;
				intOrPtr _t82;
				void* _t83;

				_push(0xffffffff);
				_push(E00466798);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t82;
				_t83 = _t82 - 0x34;
				_t31 =  *0x467590; // 0x24
				_v56 = 0x46758c;
				_v24 = 0x467584;
				 *((intOrPtr*)(_t83 + _t31 + 0x14)) = GetLastError();
				_t33 = _a4;
				_v4 = 0;
				if(_t33 == 0) {
					_t34 = 0;
				} else {
					_t34 = _t33 + 4;
				}
				L00452FC0( &_v52, _t34);
				L00447D30( &_v40);
				L00447D70( &_v28, 0);
				_v24 = 0;
				_v12 = 1;
				L00455950();
				asm("sbb eax, eax");
				_v20 = 2;
				_t41 =  ~( &_v72) &  &_v40;
				 *((intOrPtr*)( *((intOrPtr*)( *( ~( &_v72) &  &_v40) + 4)) + _t41)) = GetLastError();
				asm("sbb esi, esi");
				_t80 =  ~( &_v72) &  &_v52;
				E0043AE17( *_t80);
				_t20 = _t80 + 8; // 0xffffffff
				__imp__#6( *_t20,  &_v72,  &_v64);
				asm("sbb ecx, ecx");
				E0040213C( ~( &_v76) &  &_v72, 1);
				SetLastError( *(_t83 + 4 +  *((intOrPtr*)(_v80 + 4)) + 0x14));
				 *[fs:0x0] = _v36;
				return _v88 + 0x34;
			}

0x00452860
0x00452862
0x0045286d
0x0045286e
0x00452875
0x00452878
0x00452888
0x00452890
0x0045289e
0x004528a0
0x004528a8
0x004528ac
0x004528b3
0x004528ae
0x004528ae
0x004528ae
0x004528ba
0x004528c3
0x004528cd
0x004528d2
0x004528e2
0x004528ea
0x004528f9
0x004528fb
0x00452903
0x0045290e
0x00452916
0x0045291c
0x00452921
0x00452926
0x0045292d
0x0045293d
0x00452943
0x00452954
0x00452968
0x00452972

APIs

GetLastError.KERNEL32 ref: 0045289C
GetLastError.KERNEL32(?,?,?,?,0046758C,00000000,00000000), ref: 0045290C
SysFreeString.OLEAUT32(FFFFFFFF), ref: 0045292D
SetLastError.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00452954

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorLast$FreeString
String ID:
API String ID: 2425351278-0
Opcode ID: 288bb2d95bd1c2db790a8f4b144ed4c7dae768d022635a9d7f1d3de658881cf9
Instruction ID: 4b6602e625ba1c5dd8471a47c4c653f29da2e68668c7f53458093efe87eb0e19
Opcode Fuzzy Hash: 288bb2d95bd1c2db790a8f4b144ed4c7dae768d022635a9d7f1d3de658881cf9
Instruction Fuzzy Hash: 4A316FB26082119FC304DF64D985A5BB7E4EF85708F104A2EF58693291E778E809CB97

Uniqueness

Uniqueness Score: -1.00%

Function 004300B2 Relevance: 6.1, APIs: 4, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E004300B2(intOrPtr* __ecx) {
				void* _t36;
				intOrPtr* _t54;
				void* _t56;

				L0043B644(0x463fff, _t56);
				_push(__ecx);
				_t54 = __ecx;
				 *((intOrPtr*)(_t56 - 0x10)) = __ecx;
				if( *((intOrPtr*)(_t56 + 0x10)) != 0) {
					 *__ecx = 0x46758c;
					 *((intOrPtr*)(__ecx + 0x20)) = 0x467584;
				}
				 *( *((intOrPtr*)( *_t54 + 4)) + _t54) = GetLastError();
				 *((intOrPtr*)(_t56 - 4)) = 0;
				 *((char*)(_t54 + 4)) =  *((intOrPtr*)( *((intOrPtr*)(_t56 + 0xc))));
				E0040213C(_t54 + 4, 0);
				 *((intOrPtr*)(_t54 + 0x14)) = 0;
				 *((intOrPtr*)(_t54 + 0x18)) = 0;
				 *((intOrPtr*)(_t54 + 0x1c)) = 0;
				_t13 =  *((intOrPtr*)(_t54 + 0x20)) + 4; // 0x4
				SetLastError( *( *_t13 + _t54 + 0x20));
				 *((intOrPtr*)(_t56 + 0xc)) = _t54;
				 *((char*)(_t56 - 4)) = 4;
				if(_t54 != 0) {
					if( *((intOrPtr*)(_t56 + 8)) == 0) {
						_t36 = 0;
					} else {
						_t36 = L0043BC30( *((intOrPtr*)(_t56 + 8)));
					}
					E0043018C(_t54,  *((intOrPtr*)(_t56 + 8)), _t36, _t56 + 0x13, 1);
				}
				SetLastError( *( *((intOrPtr*)( *_t54 + 4)) + _t54));
				 *[fs:0x0] =  *((intOrPtr*)(_t56 - 0xc));
				return _t54;
			}

0x004300b7
0x004300bc
0x004300c1
0x004300c7
0x004300ca
0x004300cc
0x004300d2
0x004300d2
0x004300e6
0x004300ef
0x004300f4
0x004300f6
0x004300fb
0x004300fe
0x00430101
0x00430110
0x00430117
0x00430119
0x0043011e
0x00430122
0x00430127
0x00430134
0x00430129
0x0043012c
0x00430131
0x00430142
0x00430142
0x0043014f
0x00430159
0x00430161

APIs

__EH_prolog.LIBCMT ref: 004300B7
GetLastError.KERNEL32(004675A0,00467598,00000000,?,0043247E,Fonts,?,00000001,00000001,00000000,004764FC,?,?,00000000), ref: 004300E0
SetLastError.KERNEL32(00000001,00000000,?,0043247E,Fonts,?,00000001,00000001,00000000,004764FC,?,?,00000000), ref: 00430117
SetLastError.KERNEL32(?,?,0043247E,Fonts,?,00000001,00000001,00000000,004764FC,?,?,00000000), ref: 0043014F

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorLast$H_prolog
String ID:
API String ID: 2881783280-0
Opcode ID: 02f32d641f57773d6973181f62bf7c727d39858c2e1cc0f160092fe263803a48
Instruction ID: 23f0e0215504e764d40adde30153342282df8d25123ea85e054be51f2a76be46
Opcode Fuzzy Hash: 02f32d641f57773d6973181f62bf7c727d39858c2e1cc0f160092fe263803a48
Instruction Fuzzy Hash: 8C214771500608EFCB219F59C88099AFBF4FF18308B14866EE58A97321D779EA05CF99

Uniqueness

Uniqueness Score: -1.00%

Function 004085B5 Relevance: 6.1, APIs: 4, Instructions: 54
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E004085B5(intOrPtr __ecx, void* __esi, WCHAR* _a4) {
				intOrPtr _v8;
				void* __ebp;
				long _t10;
				struct HWND__* _t22;
				intOrPtr _t26;

				_push(__ecx);
				_t26 =  *0x47e1d1; // 0x0
				_v8 = __ecx;
				if(_t26 == 0) {
					__eflags =  *0x47e1d2; // 0x1
					if(__eflags == 0) {
						_t10 =  *0x47e1d4; // 0x2380b70
						__eflags =  *((intOrPtr*)(_t10 + 1));
						if( *((intOrPtr*)(_t10 + 1)) == 0) {
							__eflags =  *((intOrPtr*)(_t10 + 2));
							if( *((intOrPtr*)(_t10 + 2)) == 0) {
								_t10 = SetWindowTextW(GetDlgItem( *0x47e1c8, 0x3eb), _a4);
							}
						}
					} else {
						_push(_a4);
						_t10 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0xc8)))) + 0x54))();
					}
				} else {
					_t10 = E0040A374(__ecx);
					_t22 = _t10;
					if(_t22 != 0) {
						SendMessageW(_t22, 0xc, 0, _a4);
						_t10 = SendMessageW(_t22, 0x111, 2, 0);
						_t28 = _t10 - 9;
						if(_t10 == 9) {
							_t10 = E0040A4B6(_v8, _t28, _t22);
						}
					}
				}
				return _t10;
			}

0x004085b8
0x004085bc
0x004085c3
0x004085c6
0x004085ff
0x00408605
0x00408617
0x0040861c
0x0040861f
0x00408621
0x00408624
0x0040863b
0x0040863b
0x00408624
0x00408607
0x0040860d
0x00408612
0x00408612
0x004085c8
0x004085c8
0x004085cd
0x004085d1
0x004085e1
0x004085ec
0x004085ee
0x004085f2
0x004085f8
0x004085f8
0x004085f2
0x004085d1
0x00408644

APIs

Part of subcall function 0040A374: FindWindowExW.USER32 ref: 0040A3B6

SendMessageW.USER32(00000000,0000000C,00000000,?), ref: 004085E1
SendMessageW.USER32(00000000,00000111,00000002,00000000), ref: 004085EC

Part of subcall function 0040A4B6: __EH_prolog.LIBCMT ref: 0040A4BB

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: MessageSend$FindH_prologWindow
String ID:
API String ID: 3185295285-0
Opcode ID: 742905553a5eebc38eb8f58e0a65b186480df18e59c185fe751ccd905e45d10b
Instruction ID: 2f61490992a18e118f5eab89e00eae6bb0d843312cdc578e6f9056fd0dfff2dd
Opcode Fuzzy Hash: 742905553a5eebc38eb8f58e0a65b186480df18e59c185fe751ccd905e45d10b
Instruction Fuzzy Hash: E2012631144240BFDB11DB60DD86C6F7F29DB46304B0644BEF1456B1A2DA7A8C94DB19

Uniqueness

Uniqueness Score: -1.00%

Function 004061C1 Relevance: 6.0, APIs: 4, Instructions: 45
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 57%

			E004061C1(signed int __ecx) {
				signed int _t16;
				intOrPtr _t23;
				void* _t32;
				signed int _t33;
				void* _t35;
				signed int _t40;
				void* _t42;

				L0043B644(0x45f680, _t42);
				_t33 = __ecx;
				 *((intOrPtr*)(_t42 - 0x10)) = __ecx;
				 *(_t42 - 4) =  *(_t42 - 4) & 0x00000000;
				asm("sbb eax, eax");
				_t16 =  ~__ecx & __ecx + 0x00000020;
				 *((intOrPtr*)( *((intOrPtr*)( *_t16 + 4)) + _t16)) = GetLastError();
				asm("sbb esi, esi");
				_t40 =  ~_t33 & _t33 + 0x00000014;
				E0043AE17( *_t40);
				__imp__#6( *((intOrPtr*)(_t40 + 8)), _t32, _t35, __ecx);
				asm("sbb ecx, ecx");
				E0040213C( ~_t33 & _t33 + 0x00000004, 1);
				_t23 =  *((intOrPtr*)( *_t33 + 4));
				SetLastError( *(_t23 + _t33));
				 *[fs:0x0] =  *((intOrPtr*)(_t42 - 0xc));
				return _t23;
			}

0x004061c6
0x004061ce
0x004061d0
0x004061d3
0x004061de
0x004061e0
0x004061ef
0x004061f8
0x004061fa
0x004061fe
0x00406207
0x00406214
0x0040621a
0x00406221
0x00406227
0x00406232
0x0040623a

APIs

__EH_prolog.LIBCMT ref: 004061C6
GetLastError.KERNEL32(000004B1,00000000,?,0040C82E,004675D8,?,00000000,?,00000000,004675D0,?,004675D8), ref: 004061E9
SysFreeString.OLEAUT32(?), ref: 00406207
SetLastError.KERNEL32(?,00000001,?,0040C82E,004675D8,?,00000000,?,00000000,004675D0,?,004675D8), ref: 00406227

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorLast$FreeH_prologString
String ID:
API String ID: 1156525562-0
Opcode ID: 290a07d26414f73d4a38e4cff5e3497600924e15c2ba9dce5eae62a1e4f96747
Instruction ID: a2641ebcd69a7439d599127c5f5f49e6b752c199db8b3c8c71c56b81530866a3
Opcode Fuzzy Hash: 290a07d26414f73d4a38e4cff5e3497600924e15c2ba9dce5eae62a1e4f96747
Instruction Fuzzy Hash: EB01DF36A00411DFC7188F28E909A99B7F0FF48308B05427EE856D3361EBB4AD04CB84

Uniqueness

Uniqueness Score: -1.00%

Function 0040A2F9 Relevance: 6.0, APIs: 4, Instructions: 44
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A2F9() {
				struct tagMSG _v32;
				intOrPtr _t7;
				int _t11;
				int _t13;
				intOrPtr _t21;
				intOrPtr _t22;

				_t7 =  *0x47e1d4; // 0x2380b70
				if( *((intOrPtr*)(_t7 + 1)) != 0 ||  *((intOrPtr*)(_t7 + 2)) != 0) {
					L4:
					return 0;
				} else {
					_t21 =  *0x47e1d1; // 0x0
					if(_t21 != 0) {
						goto L4;
					}
					_t22 =  *0x47e1d2; // 0x1
					if(_t22 == 0) {
						while(1) {
							__eflags =  *0x47e1d0; // 0x0
							if(__eflags != 0) {
								break;
							}
							_t11 = PeekMessageW( &_v32, 0, 0, 0, 1);
							__eflags = _t11;
							if(_t11 == 0) {
								break;
							}
							_t13 = IsDialogMessageW( *0x47e1c8,  &_v32);
							__eflags = _t13;
							if(_t13 == 0) {
								TranslateMessage( &_v32);
								DispatchMessageW( &_v32);
							}
						}
						return  *0x47e1d0 & 0x000000ff;
					}
					goto L4;
				}
			}

0x0040a2ff
0x0040a30a
0x0040a321
0x00000000
0x0040a311
0x0040a311
0x0040a317
0x00000000
0x00000000
0x0040a319
0x0040a31f
0x0040a325
0x0040a325
0x0040a32b
0x00000000
0x00000000
0x0040a336
0x0040a33c
0x0040a33e
0x00000000
0x00000000
0x0040a34a
0x0040a350
0x0040a352
0x0040a358
0x0040a362
0x0040a362
0x0040a352
0x00000000
0x0040a36a
0x00000000
0x0040a31f

APIs

PeekMessageW.USER32 ref: 0040A336
IsDialogMessageW.USER32(?), ref: 0040A34A
TranslateMessage.USER32(?), ref: 0040A358
DispatchMessageW.USER32 ref: 0040A362

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: 0ebea518aacdd311ba29bf4faed5ed3ae4c139a613c6bb2462fc8d8a9c9e85d9
Instruction ID: 72b6fb165ba1d4ad80c4f2dc7b945f4c6745cf0d019beb09467c600a71d15b26
Opcode Fuzzy Hash: 0ebea518aacdd311ba29bf4faed5ed3ae4c139a613c6bb2462fc8d8a9c9e85d9
Instruction Fuzzy Hash: D501A271D08385AFEB21DBB6AC498673BBCA60430878481B2E845E31A1F63DD858871F

Uniqueness

Uniqueness Score: -1.00%

Function 0041A135 Relevance: 6.0, APIs: 4, Instructions: 41
memoryCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E0041A135(intOrPtr* __ecx) {
				long _t24;
				intOrPtr* _t38;
				void* _t40;

				L0043B644(0x461db6, _t40);
				_push(__ecx);
				_t38 = __ecx;
				 *((intOrPtr*)(_t40 - 0x10)) = __ecx;
				if( *((intOrPtr*)(_t40 + 0x10)) != 0) {
					 *((intOrPtr*)(__ecx + 0xc)) = 0x46801c;
					 *((intOrPtr*)(__ecx + 0x14)) = 0x468014;
				}
				_t7 =  *((intOrPtr*)(_t38 + 0xc)) + 4; // 0xc
				_t24 = GetLastError();
				 *( *_t7 + _t38 + 0xc) = _t24;
				 *(_t40 - 4) =  *(_t40 - 4) & 0x00000000;
				__imp__#4( *((intOrPtr*)(_t40 + 0xc)),  *((intOrPtr*)(_t40 + 8)));
				 *(_t38 + 0x10) = _t24;
				 *(_t40 - 4) = 1;
				 *((intOrPtr*)(_t38 + 4)) = L0043BC14(1);
				 *((intOrPtr*)(_t38 + 8)) = 1;
				 *_t38 = 0x468010;
				_t17 =  *((intOrPtr*)(_t38 + 0x14)) + 4; // 0x4
				SetLastError( *( *_t17 + _t38 + 0x14));
				 *_t38 = 0x468008;
				 *[fs:0x0] =  *((intOrPtr*)(_t40 - 0xc));
				return _t38;
			}

0x0041a13a
0x0041a13f
0x0041a145
0x0041a148
0x0041a14b
0x0041a14d
0x0041a154
0x0041a154
0x0041a161
0x0041a166
0x0041a16c
0x0041a171
0x0041a178
0x0041a17e
0x0041a183
0x0041a18c
0x0041a18f
0x0041a196
0x0041a1a0
0x0041a1a7
0x0041a1b0
0x0041a1ba
0x0041a1c2

APIs

__EH_prolog.LIBCMT ref: 0041A13A
GetLastError.KERNEL32(00000000,?,?,0041A3B9,?,?,00000001,?,?,?,00418B34,?), ref: 0041A166
SysAllocStringLen.OLEAUT32(?,00000000), ref: 0041A178
SetLastError.KERNEL32(00000000,?,0041A3B9,?,?,00000001,?,?,?,00418B34,?), ref: 0041A1A7

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorLast$AllocH_prologString
String ID:
API String ID: 1734030179-0
Opcode ID: 02b97e3c96d0f4de4986b044b3b3f29e25afab0af68d096c30637f16391cfc2b
Instruction ID: 36b8bbd43e052a4951c385474a900bb7325f54bc014c4663d39925d470783aab
Opcode Fuzzy Hash: 02b97e3c96d0f4de4986b044b3b3f29e25afab0af68d096c30637f16391cfc2b
Instruction Fuzzy Hash: CC113571500600DFC7208F54D904B8ABBF0FF05718F108A2EE99697751EBB9E948CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0040E1A9 Relevance: 6.0, APIs: 4, Instructions: 38
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040E1A9(void* __ecx) {
				struct tagMSG _v32;
				void* _t18;
				signed char _t20;

				_t18 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x26c)) == 0) {
					L5:
					return  *0x47e1e0 & 0x000000ff;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t20 =  *0x47e1e0; // 0x0
					if(_t20 != 0 || PeekMessageW( &_v32, 0, 0, 0, 1) == 0) {
						goto L5;
					}
					if(IsDialogMessageW( *(_t18 + 0x26c),  &_v32) == 0) {
						TranslateMessage( &_v32);
						DispatchMessageW( &_v32);
					}
				}
				goto L5;
			}

0x0040e1b1
0x0040e1bb
0x0040e202
0x0040e20c
0x00000000
0x00000000
0x00000000
0x0040e1bd
0x0040e1bd
0x0040e1bd
0x0040e1c3
0x00000000
0x00000000
0x0040e1ea
0x0040e1f0
0x0040e1fa
0x0040e1fa
0x0040e1ea
0x00000000

APIs

PeekMessageW.USER32 ref: 0040E1CE
IsDialogMessageW.USER32(?,?), ref: 0040E1E2
TranslateMessage.USER32(?), ref: 0040E1F0
DispatchMessageW.USER32 ref: 0040E1FA

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: 463eee2b51834f07e6506cdff049abf3cf83e6c6a28f518d284cf26a69c6650c
Instruction ID: e090fa8121ad5632e3101d1e18b8fcaf3c82bfeff054aa50ae37106edb2119cd
Opcode Fuzzy Hash: 463eee2b51834f07e6506cdff049abf3cf83e6c6a28f518d284cf26a69c6650c
Instruction Fuzzy Hash: 1CF09C72904109AFDB109FF59C4DDB77B6CE704349B044877F152E11D2E7789905C769

Uniqueness

Uniqueness Score: -1.00%

Function 0040A298 Relevance: 6.0, APIs: 4, Instructions: 34
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A298(int _a4) {
				int _t11;
				struct HWND__* _t14;

				if(IsWindow( *0x47e1c8) == 0) {
					return  *0x47e1d0 & 0x000000ff;
				} else {
					_t11 = 0;
					_t14 = GetDlgItem( *0x47e1c8, 0x12d);
					if(_a4 != SendMessageW(_t14, 0x408, 0, 0)) {
						_t11 = E0040A2F9();
						SendMessageW(_t14, 0x402, _a4, 0);
					}
					return _t11;
				}
			}

0x0040a2a6
0x0040a2f8
0x0040a2a8
0x0040a2b6
0x0040a2c5
0x0040a2d4
0x0040a2dd
0x0040a2e9
0x0040a2e9
0x0040a2f0
0x0040a2f0

APIs

IsWindow.USER32(0040A035), ref: 0040A29E
GetDlgItem.USER32 ref: 0040A2B8
SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 0040A2CE
SendMessageW.USER32(00000000,00000402,?,00000000), ref: 0040A2E9

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: MessageSend$ItemWindow
String ID:
API String ID: 591194657-0
Opcode ID: 8823358b7a475c5ba7aaecebce16f7fb008493eddcfced0863f2184f54b48035
Instruction ID: 5663f8fa032687e205dbd2e81ef76d1030b856827d14f447d8886a20020027fb
Opcode Fuzzy Hash: 8823358b7a475c5ba7aaecebce16f7fb008493eddcfced0863f2184f54b48035
Instruction Fuzzy Hash: 10F027702003107BEB005B726C81E3BBAA8EB48795F4001BEF300E56E0DBB68C519A6A

Uniqueness

Uniqueness Score: -1.00%

Function 0040EACB Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 169
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E0040EACB(intOrPtr __ecx) {
				void* __ebx;
				intOrPtr* _t73;
				intOrPtr* _t74;
				intOrPtr* _t75;
				intOrPtr* _t76;
				intOrPtr* _t77;
				intOrPtr* _t78;
				intOrPtr* _t79;
				struct HINSTANCE__* _t80;
				intOrPtr* _t90;
				intOrPtr* _t91;
				intOrPtr* _t92;
				intOrPtr* _t93;
				intOrPtr* _t94;
				intOrPtr* _t95;
				_Unknown_base(*)()* _t104;
				intOrPtr _t118;
				intOrPtr* _t144;
				intOrPtr* _t145;
				intOrPtr _t148;
				intOrPtr* _t149;
				void* _t151;

				L0043B644(E0046055A, _t151);
				_push(__ecx);
				_push(__ecx);
				_t148 = __ecx;
				 *((intOrPtr*)(_t151 - 0x14)) = __ecx;
				 *((intOrPtr*)(__ecx)) = 0x467e3c;
				 *((intOrPtr*)(__ecx + 4)) = 0x467dd4;
				_t73 =  *((intOrPtr*)(__ecx + 0x294));
				 *(_t151 - 4) = 0xe;
				if(_t73 != 0) {
					 *((intOrPtr*)(__ecx + 0x294)) = 0;
					 *((intOrPtr*)( *_t73 + 8))(_t73);
				}
				_t74 =  *((intOrPtr*)(_t148 + 0x290));
				if(_t74 != 0) {
					 *((intOrPtr*)(_t148 + 0x290)) = 0;
					 *((intOrPtr*)( *_t74 + 8))(_t74);
				}
				_t75 =  *((intOrPtr*)(_t148 + 0x28c));
				if(_t75 != 0) {
					 *((intOrPtr*)(_t148 + 0x28c)) = 0;
					 *((intOrPtr*)( *_t75 + 8))(_t75);
				}
				_t76 =  *((intOrPtr*)(_t148 + 0x288));
				if(_t76 != 0) {
					 *((intOrPtr*)(_t148 + 0x288)) = 0;
					 *((intOrPtr*)( *_t76 + 8))(_t76);
				}
				_t77 =  *((intOrPtr*)(_t148 + 0x284));
				if(_t77 != 0) {
					 *((intOrPtr*)(_t148 + 0x284)) = 0;
					 *((intOrPtr*)( *_t77 + 8))(_t77);
				}
				_t78 =  *((intOrPtr*)(_t148 + 0x280));
				if(_t78 != 0) {
					 *((intOrPtr*)(_t148 + 0x280)) = 0;
					 *((intOrPtr*)( *_t78 + 8))(_t78);
				}
				_t79 =  *((intOrPtr*)(_t148 + 0x264));
				if(_t79 != 0) {
					 *((intOrPtr*)(_t148 + 0x264)) = 0;
					 *((intOrPtr*)( *_t79 + 8))(_t79);
				}
				_t80 =  *(_t148 + 0x3a0);
				if(_t80 != 0) {
					_t104 = GetProcAddress(_t80, "RemoveEngineTypelib");
					if(_t104 != 0 &&  *((intOrPtr*)( *((intOrPtr*)(_t148 + 0x25c)) + 3)) == 0) {
						 *_t104();
					}
				}
				_t144 = _t148 + 0x260;
				E0043AE17( *_t144);
				 *_t144 = 0;
				_t145 = _t148 + 0x25c;
				_t118 =  *_t145;
				 *((intOrPtr*)(_t151 - 0x10)) = _t118;
				if(_t118 != 0) {
					L0040ECF7(0, _t118);
					E0043AE17( *((intOrPtr*)(_t151 - 0x10)));
				}
				 *_t145 = 0;
				 *(_t151 - 4) = 0xd;
				L00419EEE(_t148 + 0x3a0);
				 *(_t151 - 4) = 0xc;
				E0041A563(_t148 + 0x38c);
				 *(_t151 - 4) = 0xb;
				L0040125C(_t148 + 0x364);
				 *(_t151 - 4) = 0xa;
				L0040125C(_t148 + 0x33c);
				 *(_t151 - 4) = 9;
				L0040125C(_t148 + 0x314);
				 *(_t151 - 4) = 8;
				L0040125C(_t148 + 0x2ec);
				 *(_t151 - 4) = 7;
				L0040125C(_t148 + 0x2c4);
				 *(_t151 - 4) = 6;
				L0040125C(_t148 + 0x29c);
				_t90 =  *((intOrPtr*)(_t148 + 0x294));
				 *(_t151 - 4) = 5;
				if(_t90 != 0) {
					 *((intOrPtr*)( *_t90 + 8))(_t90);
				}
				_t91 =  *((intOrPtr*)(_t148 + 0x290));
				 *(_t151 - 4) = 4;
				if(_t91 != 0) {
					 *((intOrPtr*)( *_t91 + 8))(_t91);
				}
				_t92 =  *((intOrPtr*)(_t148 + 0x28c));
				 *(_t151 - 4) = 3;
				if(_t92 != 0) {
					 *((intOrPtr*)( *_t92 + 8))(_t92);
				}
				_t93 =  *((intOrPtr*)(_t148 + 0x288));
				 *(_t151 - 4) = 2;
				if(_t93 != 0) {
					 *((intOrPtr*)( *_t93 + 8))(_t93);
				}
				_t94 =  *((intOrPtr*)(_t148 + 0x284));
				 *(_t151 - 4) = 1;
				if(_t94 != 0) {
					 *((intOrPtr*)( *_t94 + 8))(_t94);
				}
				_t95 =  *((intOrPtr*)(_t148 + 0x280));
				 *(_t151 - 4) = 0;
				if(_t95 != 0) {
					_t95 =  *((intOrPtr*)( *_t95 + 8))(_t95);
				}
				_t149 =  *((intOrPtr*)(_t148 + 0x264));
				 *(_t151 - 4) =  *(_t151 - 4) | 0xffffffff;
				if(_t149 != 0) {
					_t95 =  *((intOrPtr*)( *_t149 + 8))(_t149);
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t151 - 0xc));
				return _t95;
			}

0x0040ead0
0x0040ead5
0x0040ead6
0x0040ead9
0x0040eadb
0x0040eade
0x0040eae4
0x0040eaeb
0x0040eaf5
0x0040eafc
0x0040eafe
0x0040eb07
0x0040eb07
0x0040eb0a
0x0040eb12
0x0040eb14
0x0040eb1d
0x0040eb1d
0x0040eb20
0x0040eb28
0x0040eb2a
0x0040eb33
0x0040eb33
0x0040eb36
0x0040eb3e
0x0040eb40
0x0040eb49
0x0040eb49
0x0040eb4c
0x0040eb54
0x0040eb56
0x0040eb5f
0x0040eb5f
0x0040eb62
0x0040eb6a
0x0040eb6c
0x0040eb75
0x0040eb75
0x0040eb78
0x0040eb80
0x0040eb82
0x0040eb8b
0x0040eb8b
0x0040eb8e
0x0040eb96
0x0040eb9e
0x0040eba6
0x0040ebb3
0x0040ebb3
0x0040eba6
0x0040ebb6
0x0040ebbe
0x0040ebc3
0x0040ebc5
0x0040ebcc
0x0040ebd0
0x0040ebd3
0x0040ebd5
0x0040ebdd
0x0040ebe2
0x0040ebe9
0x0040ebeb
0x0040ebef
0x0040ebfa
0x0040ebfe
0x0040ec09
0x0040ec0d
0x0040ec18
0x0040ec1c
0x0040ec27
0x0040ec2b
0x0040ec36
0x0040ec3a
0x0040ec45
0x0040ec49
0x0040ec54
0x0040ec58
0x0040ec5d
0x0040ec63
0x0040ec6a
0x0040ec6f
0x0040ec6f
0x0040ec72
0x0040ec78
0x0040ec7e
0x0040ec83
0x0040ec83
0x0040ec86
0x0040ec8c
0x0040ec92
0x0040ec97
0x0040ec97
0x0040ec9a
0x0040eca0
0x0040eca6
0x0040ecab
0x0040ecab
0x0040ecae
0x0040ecb4
0x0040ecba
0x0040ecbf
0x0040ecbf
0x0040ecc2
0x0040ecc8
0x0040eccd
0x0040ecd2
0x0040ecd2
0x0040ecd5
0x0040ecdb
0x0040ece1
0x0040ece6
0x0040ece6
0x0040ecee
0x0040ecf6

APIs

__EH_prolog.LIBCMT ref: 0040EAD0
GetProcAddress.KERNEL32(?,RemoveEngineTypelib), ref: 0040EB9E

Strings

RemoveEngineTypelib, xrefs: 0040EB98

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: AddressH_prologProc
String ID: RemoveEngineTypelib
API String ID: 3705524523-1749684603
Opcode ID: 73e30d6fb41f1aeb4eb3e303af8f8029479ce73f8331a42fbc835b02e58bb224
Instruction ID: 845ee7493d0d148d14f1953c2ffbb25454bba1ff7373ff8805f78140686b0e55
Opcode Fuzzy Hash: 73e30d6fb41f1aeb4eb3e303af8f8029479ce73f8331a42fbc835b02e58bb224
Instruction Fuzzy Hash: 27717A34501741DFDB20DFA5C488A9ABBF4AF49304F2488AEE49BE7381CB39AD45CB15

Uniqueness

Uniqueness Score: -1.00%

Function 0040A9EA Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0040A9EA(void* __ecx, void* __eflags) {
				intOrPtr _t71;
				intOrPtr _t73;
				void* _t76;
				intOrPtr _t78;
				intOrPtr _t80;
				void* _t91;
				void* _t102;
				intOrPtr _t117;
				signed int _t139;
				intOrPtr* _t140;
				void* _t142;
				void* _t152;

				L0043B644(0x45fe0b, _t142);
				 *(_t142 - 0x10) =  *(_t142 - 0x10) & 0x00000000;
				_push(0);
				_push(__ecx);
				_t3 = _t142 - 0x44; // 0x467594
				 *((intOrPtr*)(_t142 - 0x44)) = 0x4675d8;
				 *((intOrPtr*)(_t142 - 0x24)) = 0x4675d0;
				L0040B2B8(_t3);
				_t71 =  *0x4675e0; // 0xffffffff
				_t139 = 1;
				_t6 = _t142 - 0x40; // 0x467598
				_t7 = _t142 - 0x14; // 0x4675c4
				 *(_t142 - 4) = _t139;
				 *((intOrPtr*)(_t142 - 0x14)) = 0x5c;
				_t73 = L0040BF5C(_t6, _t7, _t71, _t139);
				_t10 = _t142 - 0x44; // 0x467594
				 *((intOrPtr*)(_t142 - 0x14)) = _t73;
				if(L0040BB88(_t10) == 0) {
					_t12 = _t142 - 0xbc; // 0x46751c
					_push(0);
					_t13 = _t142 - 0x44; // 0x467594
					_t76 = L0040B931(_t13, __eflags);
					 *(_t142 - 0x10) = _t139;
					 *(_t142 - 4) = 2;
					_t78 =  *((intOrPtr*)(L0040BE33(_t76, _t76)));
				} else {
					_t78 = 0x47e150;
				}
				 *((intOrPtr*)(_t142 - 0x94)) = 0x4675d8;
				 *((intOrPtr*)(_t142 - 0x74)) = 0x4675d0;
				if(_t78 == 0) {
					_t78 = 0x47e150;
				}
				_t18 = _t142 - 0x15; // 0x4675c3
				_push(0);
				_push(_t78);
				_t19 = _t142 - 0x94; // 0x467544
				L0040B34B(_t19);
				 *(_t142 - 4) = 4;
				if(( *(_t142 - 0x10) & 0x00000001) != 0) {
					 *(_t142 - 0x10) =  *(_t142 - 0x10) & 0xfffffffe;
					_t26 = _t142 - 0xbc; // 0x46751c
					E004061C1(_t26);
				}
				_t27 = _t142 - 0x14; // 0x4765f0
				_t80 =  *_t27;
				_t28 = _t142 - 0x88; // 0x0
				_t117 =  *_t28;
				_t152 = _t80 -  *0x4675e0; // 0xffffffff
				 *((intOrPtr*)(_t142 - 0x1c)) = _t117;
				if(_t152 == 0 || _t80 < _t117) {
					_t36 = _t142 - 0x94; // 0x467544
					_t37 = _t142 - 0x44; // 0x467594
					E004066ED(_t37, _t36);
				} else {
					_t30 = _t142 - 0x44; // 0x467594
					_t31 = _t142 - 0x6c; // 0x46756c
					_t102 = E0040A73B(_t30, _t31, 0, _t80 + 1);
					_t32 = _t142 - 0x44; // 0x467594
					 *(_t142 - 4) = 5;
					E004066ED(_t32, _t102);
					_t34 = _t142 - 0x6c; // 0x46756c
					 *(_t142 - 4) = 4;
					E004061C1(_t34);
				}
				if( *((char*)(_t142 + 0xc)) == 0) {
					_t39 = _t142 - 0x1c; // 0x0
					if( *((intOrPtr*)(_t142 - 0x38)) >  *_t39 + 1) {
						_t41 = _t142 - 0x6c; // 0x46756c
						_t42 = _t142 - 0x44; // 0x467594
						L0040B8EE(_t42, _t41);
						_t43 = _t142 - 0x6c; // 0x46756c
						E004061C1(_t43);
					}
				}
				_t156 =  *((char*)(_t142 + 0x10));
				if( *((char*)(_t142 + 0x10)) != 0) {
					_t45 = _t142 + 0xf; // 0x4675e7
					_push(_t139);
					_push(0x47e150);
					_t46 = _t142 - 0x6c; // 0x46756c
					L0040B34B(_t46);
					_t47 = _t142 - 0xe4; // 0x4674f4
					_push(0);
					_t48 = _t142 - 0x44; // 0x467594
					 *(_t142 - 4) = 6;
					_t91 = L0040B931(_t48, _t156);
					_t50 = _t142 - 0x6c; // 0x46756c
					 *(_t142 - 4) = 7;
					_t52 = _t142 - 0x44; // 0x467594
					L0040B3E7(_t52, _t156, _t91, _t50);
					_t53 = _t142 - 0xe4; // 0x4674f4
					 *(_t142 - 4) = 6;
					E004061C1(_t53);
					_t55 = _t142 - 0x6c; // 0x46756c
					 *(_t142 - 4) = 4;
					E004061C1(_t55);
				}
				_t57 = _t142 + 8; // 0xffffffff
				_t140 =  *_t57;
				_t58 = _t142 - 0x44; // 0x467594
				_push(0);
				 *_t140 = 0x4675d8;
				 *((intOrPtr*)(_t140 + 0x20)) = 0x4675d0;
				L0040B2B8(_t140);
				 *(_t142 - 0x10) =  *(_t142 - 0x10) | 0x00000002;
				_t62 = _t142 - 0x94; // 0x467544
				 *(_t142 - 4) = 1;
				E004061C1(_t62);
				 *(_t142 - 4) =  *(_t142 - 4) & 0x00000000;
				_t66 = _t142 - 0x44; // 0x467594
				E004061C1(_t66);
				_t67 = _t142 - 0xc; // 0x40623b
				 *[fs:0x0] =  *_t67;
				return _t140;
			}

0x0040a9ef
0x0040a9fa
0x0040aa01
0x0040aa0d
0x0040aa0e
0x0040aa11
0x0040aa14
0x0040aa17
0x0040aa1c
0x0040aa23
0x0040aa24
0x0040aa29
0x0040aa2c
0x0040aa30
0x0040aa37
0x0040aa3c
0x0040aa3f
0x0040aa49
0x0040aa52
0x0040aa58
0x0040aa5b
0x0040aa5e
0x0040aa63
0x0040aa68
0x0040aa71
0x0040aa4b
0x0040aa4b
0x0040aa4b
0x0040aa75
0x0040aa7b
0x0040aa7e
0x0040aa80
0x0040aa80
0x0040aa85
0x0040aa88
0x0040aa8b
0x0040aa8c
0x0040aa92
0x0040aa9b
0x0040aaa2
0x0040aaa4
0x0040aaa8
0x0040aaae
0x0040aaae
0x0040aab3
0x0040aab3
0x0040aab6
0x0040aab6
0x0040aabc
0x0040aac2
0x0040aac5
0x0040aaf6
0x0040aafc
0x0040ab00
0x0040aacb
0x0040aacc
0x0040aad0
0x0040aad6
0x0040aadc
0x0040aadf
0x0040aae3
0x0040aae8
0x0040aaeb
0x0040aaef
0x0040aaef
0x0040ab09
0x0040ab0b
0x0040ab12
0x0040ab14
0x0040ab17
0x0040ab1b
0x0040ab20
0x0040ab23
0x0040ab23
0x0040ab12
0x0040ab28
0x0040ab2c
0x0040ab2e
0x0040ab31
0x0040ab33
0x0040ab38
0x0040ab3b
0x0040ab40
0x0040ab46
0x0040ab49
0x0040ab4c
0x0040ab50
0x0040ab55
0x0040ab58
0x0040ab5e
0x0040ab61
0x0040ab66
0x0040ab6c
0x0040ab70
0x0040ab75
0x0040ab78
0x0040ab7c
0x0040ab7c
0x0040ab81
0x0040ab81
0x0040ab84
0x0040ab87
0x0040ab8c
0x0040ab8e
0x0040ab91
0x0040ab96
0x0040ab9a
0x0040aba0
0x0040aba4
0x0040aba9
0x0040abad
0x0040abb0
0x0040abb5
0x0040abbd
0x0040abc5

APIs

__EH_prolog.LIBCMT ref: 0040A9EF

Part of subcall function 0040B2B8: __EH_prolog.LIBCMT ref: 0040B2BD
Part of subcall function 0040B2B8: GetLastError.KERNEL32(004675D0,00000000,004675D8,?,0040C0EE,?,00000000,00000000,?,?,00000000), ref: 0040B2E5
Part of subcall function 0040B2B8: SetLastError.KERNEL32(?,00000000,00000000,00000000,?,0040C0EE,?,00000000,00000000,?,?,00000000), ref: 0040B332

Part of subcall function 004061C1: __EH_prolog.LIBCMT ref: 004061C6
Part of subcall function 004061C1: GetLastError.KERNEL32(000004B1,00000000,?,0040C82E,004675D8,?,00000000,?,00000000,004675D0,?,004675D8), ref: 004061E9
Part of subcall function 004061C1: SysFreeString.OLEAUT32(?), ref: 00406207
Part of subcall function 004061C1: SetLastError.KERNEL32(?,00000001,?,0040C82E,004675D8,?,00000000,?,00000000,004675D0,?,004675D8), ref: 00406227

Strings

PG, xrefs: 0040AA80
PG, xrefs: 0040AA4B

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorLast$H_prolog$FreeString
String ID: PG$PG
API String ID: 3800368667-3551648151
Opcode ID: f80885784fa5349718937918e4a0f1a1411436e22323c5e960c4c0d4355eaefc
Instruction ID: d11bbb7fd03b418af09c6ee343516b0ccb57f065b5bde37b84e2d840f27f94e2
Opcode Fuzzy Hash: f80885784fa5349718937918e4a0f1a1411436e22323c5e960c4c0d4355eaefc
Instruction Fuzzy Hash: 3E518471D00248DADB14DB95C945BEEB7B8EF14308F6041AFE50AB72C2DB786B09CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0042EB2C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0042EB2C(intOrPtr _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				void* __ecx;
				void* __ebp;
				intOrPtr _t29;
				intOrPtr _t32;
				intOrPtr _t34;
				unsigned int _t36;
				signed char _t39;
				void* _t40;
				long _t43;
				void* _t47;
				void* _t48;
				void* _t49;

				_push(_t40);
				_t36 = _a12;
				if((_t36 & 0x00000004) != 0) {
					_t36 = _t36 | 0x00000002;
					_a12 = _t36;
				}
				if((_t36 & 0x00000002) != 0) {
					_t36 = _t36 | 0x00000001;
					_a12 = _t36;
				}
				if((_t36 & 0x00000001) == 0 || _a16 == 0) {
					L20:
					_t29 = 0;
				} else {
					if(_a4 == 0 && (_t36 & 0x00000002) != 0) {
						_t34 = E0042EB07(_a8);
						_pop(_t40);
						_a4 = _t34;
					}
					_t29 = L0042EBF9(_t40, _a8, _t36, _a16);
					_t49 = _t48 + 0xc;
					_v8 = _t29;
					if(_t29 == 0) {
						if((_t36 & 0x00000002) == 0 || _a4 == 0) {
							goto L20;
						} else {
							_t39 = _t36 >> 0x00000002 & 0x00000001;
							while(1) {
								_push(_t39);
								_push(_a8);
								_push(_a4);
								_t43 = L0042EC7B();
								_t49 = _t49 + 0xc;
								if(_t43 == 0) {
									break;
								}
								_t47 = OpenProcess(0x1f0fff, 1, _t43);
								if(_t47 == 0) {
									_t43 = 0;
									goto L18;
								} else {
									_t32 = L0042EBF9(_t40, _t47, _a12, _a16);
									_t49 = _t49 + 0xc;
									_v8 = _t32;
									CloseHandle(_t47);
									_t29 = _v8;
									if(_t29 == 0) {
										L18:
										if(_t43 != 0) {
											continue;
										} else {
											break;
										}
									}
								}
								goto L21;
							}
							_t29 = _v8;
						}
					}
				}
				L21:
				return _t29;
			}

0x0042eb2f
0x0042eb31
0x0042eb39
0x0042eb3b
0x0042eb3e
0x0042eb3e
0x0042eb44
0x0042eb46
0x0042eb49
0x0042eb49
0x0042eb4f
0x0042ebf2
0x0042ebf2
0x0042eb60
0x0042eb63
0x0042eb6d
0x0042eb72
0x0042eb73
0x0042eb73
0x0042eb7d
0x0042eb82
0x0042eb87
0x0042eb8a
0x0042eb8f
0x00000000
0x0042eb96
0x0042eb99
0x0042eb9c
0x0042eb9c
0x0042eb9d
0x0042eba0
0x0042eba8
0x0042ebaa
0x0042ebaf
0x00000000
0x00000000
0x0042ebbf
0x0042ebc3
0x0042ebe7
0x00000000
0x0042ebc5
0x0042ebcc
0x0042ebd1
0x0042ebd4
0x0042ebd8
0x0042ebde
0x0042ebe3
0x0042ebe9
0x0042ebeb
0x00000000
0x00000000
0x00000000
0x00000000
0x0042ebeb
0x0042ebe3
0x00000000
0x0042ebc3
0x0042ebed
0x0042ebed
0x0042eb8f
0x0042eb8a
0x0042ebf4
0x0042ebf8

APIs

OpenProcess.KERNEL32(001F0FFF,00000001,00000000,?,?,?,?,00000008,?), ref: 0042EBB9
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000008,?), ref: 0042EBD8

Strings

puF, xrefs: 0042EB2C

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: CloseHandleOpenProcess
String ID: puF
API String ID: 39102293-3351151900
Opcode ID: 8bfa22cd526e1dd7fe635c8db8a9c64c4686716ea7b3432149bb77737a24ecef
Instruction ID: e7221ec011fd58f7382ce3627e5a64a0b69fd6be337d97dae14f5a3234752117
Opcode Fuzzy Hash: 8bfa22cd526e1dd7fe635c8db8a9c64c4686716ea7b3432149bb77737a24ecef
Instruction Fuzzy Hash: 9921B332B01239ABCB22CF56EC42BAB3F65EF44750F58402AFD0656211D3B9ED51C699

Uniqueness

Uniqueness Score: -1.00%

Function 0041E1F8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E0041E1F8() {
				signed int _t41;
				signed int _t57;
				signed int _t62;
				void* _t64;
				void* _t66;

				L0043B644(E004622FC, _t64);
				 *(_t64 - 4) =  *(_t64 - 4) & 0x00000000;
				_t57 =  *(_t64 + 0xc);
				_t41 =  *(_t64 + 8);
				asm("sbb esi, esi");
				_t62 =  ~(_t64 + 0x10) & _t64 + 0x00000014;
				while(1) {
					asm("sbb ecx, ecx");
					if(L0040CD59( ~_t41 & _t41 + 0x00000004, _t62) >= 0) {
						goto L4;
					}
					 *(_t64 + 0xc) = _t41 + 4;
					do {
						 *(_t64 + 0xc) =  *(_t64 + 0xc) + 0x28;
						_t41 = _t41 + 0x28;
						asm("sbb ecx, ecx");
					} while (L0040CD59( ~_t41 &  *(_t64 + 0xc), _t62) < 0);
					L4:
					_t57 = _t57 - 0x28;
					asm("sbb ecx, ecx");
					if(L0040CD59(_t62,  ~_t57 & _t57 + 0x00000004) < 0) {
						 *(_t64 + 0xc) = _t57 + 4;
						do {
							 *(_t64 + 0xc) =  *(_t64 + 0xc) - 0x28;
							_t57 = _t57 - 0x28;
							asm("sbb eax, eax");
						} while (L0040CD59(_t62,  ~_t57 &  *(_t64 + 0xc)) < 0);
					}
					_t73 = _t57 - _t41;
					if(_t57 > _t41) {
						_push(0);
						_push(_t57);
						_push(_t41);
						E0041E2C1(_t73);
						_t66 = _t66 + 0xc;
						_t41 = _t41 + 0x28;
						continue;
					}
					_t19 = _t64 - 4;
					 *_t19 =  *(_t64 - 4) | 0xffffffff;
					__eflags =  *_t19;
					E004061C1(_t64 + 0x10);
					 *[fs:0x0] =  *((intOrPtr*)(_t64 - 0xc));
					return _t41;
				}
			}

0x0041e1fd
0x0041e205
0x0041e209
0x0041e20c
0x0041e214
0x0041e219
0x0041e21b
0x0041e222
0x0041e22e
0x00000000
0x00000000
0x0041e233
0x0041e236
0x0041e236
0x0041e23a
0x0041e242
0x0041e24c
0x0041e250
0x0041e250
0x0041e25a
0x0041e268
0x0041e26d
0x0041e270
0x0041e270
0x0041e274
0x0041e27d
0x0041e288
0x0041e270
0x0041e28c
0x0041e28e
0x0041e290
0x0041e292
0x0041e293
0x0041e294
0x0041e299
0x0041e29c
0x00000000
0x0041e29c
0x0041e2a4
0x0041e2a4
0x0041e2a4
0x0041e2ab
0x0041e2b8
0x0041e2c0
0x0041e2c0

APIs

__EH_prolog.LIBCMT ref: 0041E1FD

Strings

(, xrefs: 0041E270
tuF, xrefs: 0041E204

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: H_prolog
String ID: ($tuF
API String ID: 3519838083-2261516843
Opcode ID: 6568866ac18e61a60dfe672ac16ee16cb2b98b65035eebd13a746464b7146d58
Instruction ID: d784cecf273e227423ed87896c39ebf6e19f62aa7d53da69df9eb221dd0d768d
Opcode Fuzzy Hash: 6568866ac18e61a60dfe672ac16ee16cb2b98b65035eebd13a746464b7146d58
Instruction Fuzzy Hash: CD21AF76650105EBCF08DF36DDA2AED77A8AF44318F00823EEC16D7281E738DA488B54

Uniqueness

Uniqueness Score: -1.00%

Function 004342AF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E004342AF(intOrPtr* __ecx, void* __edx, void* __eflags) {
				void* __ebx;
				void* _t41;
				intOrPtr* _t50;
				intOrPtr* _t51;
				intOrPtr* _t54;
				void* _t73;
				void* _t75;
				intOrPtr* _t77;

				L0043B644(E004646DF, _t73);
				 *(_t73 - 0x10) =  *(_t73 - 0x10) & 0x00000000;
				_t50 = __ecx;
				_t77 = _t75 - 0xffffffffffffffe4;
				 *((intOrPtr*)(_t73 - 0x14)) = _t77;
				_t54 = _t77;
				_push(0);
				_push(_t73 + 0x34);
				 *(_t73 - 4) = 3;
				 *_t54 = 0x46757c;
				 *((intOrPtr*)(_t54 + 0x20)) = 0x467574;
				L00401CDD(_t54);
				 *((intOrPtr*)(_t73 - 0x18)) = _t77 - 0x28;
				 *(_t73 - 4) = 4;
				L00401708(_t77 - 0x28, _t73 + 0xc, 1);
				 *(_t73 - 4) = 3;
				if( *((intOrPtr*)( *_t50 + 0x50))() != 0) {
					_push(_t73 + 0x34);
					_push(_t73 + 0xc);
					_t41 = L00435084(_t50, L004351E9(_t50, _t50 + 4, __eflags) + 4, L004351E9(_t50, _t50 + 4, __eflags) + 4);
					_t51 =  *((intOrPtr*)(_t73 + 8));
					_push(0);
					_push(_t41);
					 *_t51 = 0x46757c;
					 *((intOrPtr*)(_t51 + 0x20)) = 0x467574;
					L00401CDD(_t51);
					 *(_t73 - 0x10) = 1;
				} else {
					_t51 =  *((intOrPtr*)(_t73 + 8));
					_push(0);
					_push(_t73 + 0x5c);
					 *_t51 = 0x46757c;
					 *((intOrPtr*)(_t51 + 0x20)) = 0x467574;
					L00401CDD(_t51);
					 *(_t73 - 0x10) = 1;
				}
				 *(_t73 - 4) = 2;
				L0040125C(_t73 + 0xc);
				 *(_t73 - 4) = 1;
				L0040125C(_t73 + 0x34);
				 *(_t73 - 4) =  *(_t73 - 4) & 0x00000000;
				L0040125C(_t73 + 0x5c);
				 *[fs:0x0] =  *((intOrPtr*)(_t73 - 0xc));
				return _t51;
			}

0x004342b4
0x004342bc
0x004342c3
0x004342c5
0x004342cb
0x004342ce
0x004342da
0x004342dc
0x004342dd
0x004342e4
0x004342e6
0x004342e9
0x004342f6
0x004342fc
0x00434300
0x00434309
0x00434312
0x00434338
0x0043433c
0x00434347
0x0043434c
0x0043434f
0x00434351
0x00434354
0x00434356
0x00434359
0x0043435e
0x00434314
0x00434314
0x0043431a
0x0043431c
0x0043431f
0x00434321
0x00434324
0x00434329
0x00434329
0x00434368
0x0043436c
0x00434374
0x00434378
0x0043437d
0x00434384
0x00434390
0x00434399

APIs

__EH_prolog.LIBCMT ref: 004342B4

Part of subcall function 00401CDD: __EH_prolog.LIBCMT ref: 00401CE2
Part of subcall function 00401CDD: GetLastError.KERNEL32(00467574,00000000,0046757C,?,004021DC,?,00000000,00000000,00000000,?,00000000), ref: 00401D0A
Part of subcall function 00401CDD: SetLastError.KERNEL32(?,00000000,00000000,00000000,?,004021DC,?,00000000,00000000,00000000,?,00000000), ref: 00401D57

Strings

tuF, xrefs: 004342D5
|uF, xrefs: 004342D0

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorH_prologLast
String ID: tuF$|uF
API String ID: 1057991267-3059473046
Opcode ID: 88f1e9813601896a90352ffd3c6bf15591372222c5e4b2f3d0788b6749733877
Instruction ID: b75967e325d1a204be5f88fe8149e08ef3f280995c6634ab2b193c06f6b09f4b
Opcode Fuzzy Hash: 88f1e9813601896a90352ffd3c6bf15591372222c5e4b2f3d0788b6749733877
Instruction Fuzzy Hash: 25317570A04208EFDF05EF95C485BDDBBF8AF58308F10406EF505A7291D7B89A09C79A

Uniqueness

Uniqueness Score: -1.00%

Function 004126F3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E004126F3(void* __ecx, void* __edx) {
				_Unknown_base(*)()* _t33;
				intOrPtr _t40;
				signed int _t42;
				void* _t46;
				void* _t63;
				void* _t65;
				void* _t68;
				intOrPtr* _t69;
				void* _t71;

				_t63 = __edx;
				L0043B644(0x460e0c, _t71);
				_t68 = __ecx;
				_t33 = GetProcAddress( *(__ecx + 0x3a0), "GetProductSKU");
				if(_t33 != 0) {
					 *(_t71 - 0x20) = 0;
					 *((intOrPtr*)(_t71 - 0x1c)) = 0;
					_t65 =  *_t33(_t71 - 0x20);
					_t69 = _t68 + 4;
					 *((char*)(_t71 - 0xd)) =  *((intOrPtr*)(E004125E4( *((intOrPtr*)( *_t69 + 0x2c))(), _t71 - 0x48) + 0xc)) != 0;
					L0040125C(_t71 - 0x48);
					_t40 =  *_t69;
					if( *((intOrPtr*)(_t71 - 0xd)) == 0) {
						 *((intOrPtr*)(_t71 - 0x18)) =  *((intOrPtr*)(_t40 + 0x2c))();
						_t42 = 1;
						 *(_t71 - 4) = _t42;
						_t46 = E004129C7(_t71 - 0x18, _t63, _t71 - 0x00000020 & 0xffffff00 | _t65 == 0x00000002, _t71 - 0x20, _t42 & 0xffffff00 | _t65 == 0x00000002, _t71 - 0x20);
					} else {
						 *((intOrPtr*)(_t71 - 0x14)) =  *((intOrPtr*)(_t40 + 0x2c))();
						 *(_t71 - 4) = 0;
						_t46 = E004127B8(_t71 - 0x14, (_t47 & 0xffffff00 | _t65 == 0x00000001) & 0xffffff00 | _t65 == 0x00000002, _t47 & 0xffffff00 | _t65 == 0x00000001);
					}
				} else {
					_t46 = 0;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t71 - 0xc));
				return _t46;
			}

0x004126f3
0x004126f8
0x00412702
0x00412711
0x0041271b
0x00412727
0x0041272b
0x00412730
0x00412732
0x0041274d
0x00412751
0x00412759
0x0041275d
0x00412783
0x0041278b
0x0041278e
0x004127a4
0x0041275f
0x00412762
0x00412776
0x00412779
0x00412779
0x0041271d
0x0041271d
0x0041271d
0x004127af
0x004127b7

APIs

__EH_prolog.LIBCMT ref: 004126F8
GetProcAddress.KERNEL32(?,GetProductSKU), ref: 00412711

Strings

GetProductSKU, xrefs: 00412705

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: AddressH_prologProc
String ID: GetProductSKU
API String ID: 3705524523-665147802
Opcode ID: 296506d3ac740ee065d935c47bc27ed98e04df412309a19e2260957f45cbea2a
Instruction ID: cf3115a305f6bf17b5338464ccf7463738f6bd2ab1f3530429ca9b8b22525714
Opcode Fuzzy Hash: 296506d3ac740ee065d935c47bc27ed98e04df412309a19e2260957f45cbea2a
Instruction Fuzzy Hash: 51218EB6E10214AFCF14EFB8C9959EEBBB8EF48310B14442FE406E3241DB784A54CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0040A3D5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0040A3D5(intOrPtr __ecx, void* __eflags) {
				intOrPtr _t32;
				void* _t34;
				void* _t41;
				intOrPtr _t50;
				intOrPtr _t51;
				intOrPtr _t58;
				void* _t63;

				L0043B644(0x45fcdf, _t63);
				 *((intOrPtr*)(_t63 - 0x14)) = __ecx;
				_push(0);
				_push(_t63 - 0xd);
				 *((intOrPtr*)(_t63 - 0x3c)) = 0x4675d8;
				 *((intOrPtr*)(_t63 - 0x1c)) = 0x4675d0;
				L0040B243(_t63 - 0x3c);
				_t50 =  *0x47e1d4; // 0x2380b70
				 *(_t63 - 4) = 0;
				_t32 =  *((intOrPtr*)(L00403659(_t50, _t63 - 0x8c) + 8));
				_t70 = _t32;
				 *(_t63 - 4) = 1;
				_t58 = 0x467570;
				if(_t32 != 0) {
					_t58 = _t32;
				}
				_t51 =  *0x47e1d4; // 0x2380b70
				_t34 = E00403E82(_t51, _t70, _t63 - 0x64, 0x684);
				_t35 =  *((intOrPtr*)(_t34 + 8));
				 *(_t63 - 4) = 2;
				if( *((intOrPtr*)(_t34 + 8)) == 0) {
					_t35 = 0x467570;
				}
				L0040AF38(_t63 - 0x3c, _t35, _t58);
				 *(_t63 - 4) = 1;
				L0040125C(_t63 - 0x64);
				 *(_t63 - 4) = 0;
				L0040125C(_t63 - 0x8c);
				_t40 =  *((intOrPtr*)(_t63 - 0x34));
				if( *((intOrPtr*)(_t63 - 0x34)) == 0) {
					_t40 = 0x4675e4;
				}
				_t41 = E004084D4( *((intOrPtr*)(_t63 - 0x14)), _t40, 0x24, 6);
				 *(_t63 - 4) =  *(_t63 - 4) | 0xffffffff;
				E004061C1(_t63 - 0x3c);
				 *[fs:0x0] =  *((intOrPtr*)(_t63 - 0xc));
				return 0 | _t41 == 0x00000006;
			}

0x0040a3da
0x0040a3ea
0x0040a3f0
0x0040a3f1
0x0040a3f5
0x0040a3fc
0x0040a403
0x0040a408
0x0040a415
0x0040a41d
0x0040a425
0x0040a427
0x0040a42b
0x0040a42d
0x0040a42f
0x0040a42f
0x0040a431
0x0040a440
0x0040a445
0x0040a448
0x0040a44e
0x0040a450
0x0040a450
0x0040a458
0x0040a463
0x0040a467
0x0040a472
0x0040a475
0x0040a47a
0x0040a47f
0x0040a481
0x0040a481
0x0040a48e
0x0040a49c
0x0040a4a0
0x0040a4ad
0x0040a4b5

APIs

__EH_prolog.LIBCMT ref: 0040A3DA

Part of subcall function 0040B243: __EH_prolog.LIBCMT ref: 0040B248
Part of subcall function 0040B243: GetLastError.KERNEL32(?,?,00000000,?,0040A625,?,00000000,?,?,0040F157,C:\CodeBases\isdev\src\Runtime\InstallScript\SetupNew\setup.cpp,?,00000001,00467574,00000000,0046757C), ref: 0040B271
Part of subcall function 0040B243: SetLastError.KERNEL32(?,00000000,?,00000000,?,0040A625,?,00000000,?,?,0040F157,C:\CodeBases\isdev\src\Runtime\InstallScript\SetupNew\setup.cpp,?,00000001,00467574,00000000), ref: 0040B29F

Strings

uF, xrefs: 0040A481
puF, xrefs: 0040A420

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorH_prologLast
String ID: puF$uF
API String ID: 1057991267-2786608507
Opcode ID: 29c0ca0925bce158cfa1f97195a2d529711bbd49a4f8cf49d45ae9c7dc77c1ec
Instruction ID: 105727b3c49690488f1a9603941203695230d0042a35d2c82e8a0e3c8a099ddf
Opcode Fuzzy Hash: 29c0ca0925bce158cfa1f97195a2d529711bbd49a4f8cf49d45ae9c7dc77c1ec
Instruction Fuzzy Hash: DF217771D00248AACB14EB95D985ADDB7B8AB14308F1081BFE515F7291DB789E08CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 00432AB6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00432AB6(void* __ecx, void* __eflags) {
				void* _t35;
				signed int _t47;
				void* _t50;
				intOrPtr* _t52;
				void* _t53;
				void* _t54;
				void* _t60;

				L0043B644(E004642FB, _t54);
				 *(_t54 - 0x14) =  *(_t54 - 0x14) & 0x00000000;
				_t35 = __ecx;
				_push(0);
				_push(__ecx);
				 *((intOrPtr*)(_t54 - 0x3c)) = 0x4675a0;
				 *((intOrPtr*)(_t54 - 0x1c)) = 0x467598;
				L00401CDD(_t54 - 0x3c);
				_t50 = __ecx + 4;
				_t47 = 1;
				 *(_t54 - 4) = _t47;
				 *((intOrPtr*)(_t54 - 0x10)) = 0x20;
				_t60 =  *0x467594 - E0040238F(_t50, _t54 - 0x10, 0, _t47); // 0xffffffff
				if(_t60 != 0) {
					_t52 =  *((intOrPtr*)(_t50 + 4));
					if(_t52 == 0) {
						_t52 = 0x467570;
					}
					_t53 = 0x22;
					if( *_t52 != _t53) {
						L004331ED(_t54 - 0x38, 0, _t47, _t53);
					}
					if(L00405618(_t35) != _t53) {
						L00401EE7(_t54 - 0x38, _t54, _t47, _t53);
					}
				}
				_push(_t47);
				_push(_t54 - 0x3c);
				L00401CDD( *((intOrPtr*)(_t54 + 8)));
				 *(_t54 - 0x14) = _t47;
				 *(_t54 - 4) =  *(_t54 - 4) & 0x00000000;
				L0040125C(_t54 - 0x3c);
				 *[fs:0x0] =  *((intOrPtr*)(_t54 - 0xc));
				return  *((intOrPtr*)(_t54 + 8));
			}

0x00432abb
0x00432ac3
0x00432aca
0x00432acc
0x00432ace
0x00432ad2
0x00432ad9
0x00432ae0
0x00432ae7
0x00432aea
0x00432af4
0x00432af7
0x00432b03
0x00432b09
0x00432b0b
0x00432b10
0x00432b12
0x00432b12
0x00432b1c
0x00432b20
0x00432b29
0x00432b29
0x00432b38
0x00432b3f
0x00432b3f
0x00432b38
0x00432b4a
0x00432b4b
0x00432b4c
0x00432b51
0x00432b54
0x00432b5b
0x00432b69
0x00432b71

APIs

__EH_prolog.LIBCMT ref: 00432ABB

Part of subcall function 00401CDD: __EH_prolog.LIBCMT ref: 00401CE2
Part of subcall function 00401CDD: GetLastError.KERNEL32(00467574,00000000,0046757C,?,004021DC,?,00000000,00000000,00000000,?,00000000), ref: 00401D0A
Part of subcall function 00401CDD: SetLastError.KERNEL32(?,00000000,00000000,00000000,?,004021DC,?,00000000,00000000,00000000,?,00000000), ref: 00401D57

Strings

, xrefs: 00432AF7
puF, xrefs: 00432B12

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorH_prologLast
String ID: $puF
API String ID: 1057991267-2981486902
Opcode ID: 364c34b76b3899163e74e860a8448ae30a623d54118bdf4b2b1f9ef506ee362c
Instruction ID: 7accac319827065fe7de10e0176f3f8bef9fa462a6ec0309bd8881fd51b4a01d
Opcode Fuzzy Hash: 364c34b76b3899163e74e860a8448ae30a623d54118bdf4b2b1f9ef506ee362c
Instruction Fuzzy Hash: 97219235D00204ABDB24EF95D945BEEFB78EF44708F40402FB41677591DBB86904CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00412A56 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65
timeCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E00412A56(void* __ecx, void* __edx) {
				void* _t23;
				signed int* _t25;
				intOrPtr _t29;
				void* _t34;
				void* _t36;
				void* _t43;
				signed int _t46;
				signed int _t49;
				void* _t50;
				void* _t57;
				void* _t59;

				_t43 = __edx;
				L0043B644(0x460e88, _t50);
				_t36 = __ecx;
				if( *((char*)(_t50 + 8)) == 0) {
					L8:
					_t23 = 0;
				} else {
					GetSystemTimeAsFileTime(_t50 - 0x14);
					_t25 =  *(_t50 + 0xc);
					_t46 =  *_t25;
					_t49 = _t25[1];
					if((_t46 | _t49) == 0) {
						L9:
						_push(1);
						_push(0xa);
						_push( *((intOrPtr*)(_t50 + 0x10)));
						_t29 =  *((intOrPtr*)(L00419761(_t50 - 0x3c) + 8));
						 *(_t50 - 4) =  *(_t50 - 4) & 0x00000000;
						if(_t29 == 0) {
							_t29 = 0x4675e4;
						}
						_push(_t29);
						_push( *((intOrPtr*)(_t50 + 0x18)));
						_push( *((intOrPtr*)(_t50 + 0x14)));
						E00412890(_t36);
						 *(_t50 - 4) =  *(_t50 - 4) | 0xffffffff;
						E004061C1(_t50 - 0x3c);
						_t23 = 0x80042000;
					} else {
						_t57 =  *((intOrPtr*)(_t50 - 0x10)) - _t49;
						if(_t57 < 0 || _t57 <= 0 &&  *(_t50 - 0x14) < _t46) {
							goto L9;
						} else {
							asm("cdq");
							_t34 = E0043CB70( *((intOrPtr*)(_t50 + 0x10)), _t43, 0x2a69c000, 0xc9) + _t46;
							asm("adc edx, esi");
							_t59 =  *((intOrPtr*)(_t50 - 0x10)) - _t43;
							if(_t59 > 0 || _t59 >= 0 &&  *(_t50 - 0x14) > _t34) {
								goto L9;
							} else {
								goto L8;
							}
						}
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t50 - 0xc));
				return _t23;
			}

0x00412a56
0x00412a5b
0x00412a6a
0x00412a6c
0x00412ab7
0x00412ab7
0x00412a6e
0x00412a72
0x00412a78
0x00412a7b
0x00412a7d
0x00412a84
0x00412abb
0x00412abb
0x00412abd
0x00412abf
0x00412aca
0x00412acd
0x00412ad3
0x00412ad5
0x00412ad5
0x00412ada
0x00412add
0x00412ae0
0x00412ae3
0x00412ae8
0x00412aef
0x00412af4
0x00412a86
0x00412a86
0x00412a89
0x00000000
0x00412a92
0x00412a9a
0x00412aa7
0x00412aa9
0x00412aab
0x00412aae
0x00000000
0x00000000
0x00000000
0x00000000
0x00412aae
0x00412a89
0x00412a84
0x00412aff
0x00412b07

APIs

__EH_prolog.LIBCMT ref: 00412A5B
GetSystemTimeAsFileTime.KERNEL32(0043D41C,?,?,00000000), ref: 00412A72

Strings

uF, xrefs: 00412AD5

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: Time$FileH_prologSystem
String ID: uF
API String ID: 2940262298-700906890
Opcode ID: 139ff91c2c71e18011ee5a6a5346bbfd21b36aefbef81e278d6c4292bd894c5d
Instruction ID: af929b459a16659faaf37bb5f2812c003029620d2ee390f7c5b7b35b26500d30
Opcode Fuzzy Hash: 139ff91c2c71e18011ee5a6a5346bbfd21b36aefbef81e278d6c4292bd894c5d
Instruction Fuzzy Hash: 8F11C031A0020AABDF20DB90DE41BDEB765EF44794F14882BF911E7251E7B89DA0C65D

Uniqueness

Uniqueness Score: -1.00%

Function 00434AC8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E00434AC8(void* __ebx, void* __ecx) {
				intOrPtr _t29;
				signed int _t37;
				intOrPtr _t46;
				signed int _t47;
				intOrPtr _t56;
				void* _t59;
				signed int _t60;
				void* _t62;

				L0043B644(E00464864, _t62);
				_t59 = __ecx;
				_t56 =  *((intOrPtr*)(__ecx + 8));
				 *(_t62 - 4) =  *(_t62 - 4) & 0x00000000;
				if(_t56 !=  *((intOrPtr*)(__ecx + 0xc))) {
					do {
						_push(0);
						_push(_t56);
						 *((intOrPtr*)(_t62 - 0x34)) = 0x46757c;
						 *((intOrPtr*)(_t62 - 0x14)) = 0x467574;
						L00401CDD(_t62 - 0x34);
						_t9 = _t62 - 0x34; // 0x46757c
						 *(_t62 - 4) = 1;
						_t37 = E0040248C(_t9, _t62 + 0xc, 0);
						_t11 = _t62 - 0x34; // 0x46757c
						asm("sbb bl, bl");
						 *(_t62 - 4) =  *(_t62 - 4) & 0x00000000;
						L0040125C(_t11);
						if( ~_t37 + 1 != 0) {
							E00419C0E( *((intOrPtr*)(_t62 + 8)), _t56);
						}
						_t56 = _t56 + 0x50;
					} while (_t56 !=  *((intOrPtr*)(_t59 + 0xc)));
				}
				_t29 =  *((intOrPtr*)(_t62 + 8));
				_t46 =  *((intOrPtr*)(_t29 + 4));
				if(_t46 != 0) {
					_t47 = 0x28;
					asm("cdq");
					_t60 = ( *((intOrPtr*)(_t29 + 8)) - _t46) / _t47;
				} else {
					_t60 = 0;
				}
				 *(_t62 - 4) =  *(_t62 - 4) | 0xffffffff;
				L0040125C(_t62 + 0xc);
				 *[fs:0x0] =  *((intOrPtr*)(_t62 - 0xc));
				return _t60;
			}

0x00434acd
0x00434ad7
0x00434ad9
0x00434adc
0x00434ae3
0x00434ae6
0x00434ae6
0x00434ae8
0x00434aec
0x00434af3
0x00434afa
0x00434b05
0x00434b08
0x00434b0c
0x00434b13
0x00434b18
0x00434b1a
0x00434b20
0x00434b27
0x00434b2d
0x00434b2d
0x00434b32
0x00434b35
0x00434b3a
0x00434b3b
0x00434b3e
0x00434b43
0x00434b50
0x00434b51
0x00434b54
0x00434b45
0x00434b45
0x00434b45
0x00434b56
0x00434b5d
0x00434b69
0x00434b71

APIs

__EH_prolog.LIBCMT ref: 00434ACD

Part of subcall function 00401CDD: __EH_prolog.LIBCMT ref: 00401CE2
Part of subcall function 00401CDD: GetLastError.KERNEL32(00467574,00000000,0046757C,?,004021DC,?,00000000,00000000,00000000,?,00000000), ref: 00401D0A
Part of subcall function 00401CDD: SetLastError.KERNEL32(?,00000000,00000000,00000000,?,004021DC,?,00000000,00000000,00000000,?,00000000), ref: 00401D57

Part of subcall function 0040125C: __EH_prolog.LIBCMT ref: 00401261
Part of subcall function 0040125C: GetLastError.KERNEL32(000004B1,00000000,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 00401284
Part of subcall function 0040125C: SysFreeString.OLEAUT32(?), ref: 004012A2
Part of subcall function 0040125C: SetLastError.KERNEL32(?,00000001,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 004012C2

Strings

tuF, xrefs: 00434AF3
|uF, xrefs: 00434B05

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorLast$H_prolog$FreeString
String ID: tuF$|uF
API String ID: 3800368667-3059473046
Opcode ID: a5a3e519dce41145f4da774b084318a32219571610bfee830f3356aef3b7ed94
Instruction ID: 70beaec3f910b70b59b40f2411e5394718a95f670b7bb4a57643d418f5795ee6
Opcode Fuzzy Hash: a5a3e519dce41145f4da774b084318a32219571610bfee830f3356aef3b7ed94
Instruction Fuzzy Hash: DC110336646204AFCB14EBA5C581BDEF3B4AB88314F20815FE456A72C1D778BE04CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00434A14 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00434A14(intOrPtr* __ecx, void* __edx, void* __eflags) {
				void* __ebx;
				void* _t30;
				void* _t36;
				intOrPtr* _t39;
				intOrPtr* _t41;
				void* _t54;
				void* _t56;
				intOrPtr* _t57;
				intOrPtr* _t58;

				L0043B644(E00464848, _t54);
				_push(__ecx);
				_t57 = _t56 - 0x28;
				 *((intOrPtr*)(_t54 - 0x10)) = _t57;
				_t39 = _t57;
				_push(0);
				_push(_t54 + 8);
				 *(_t54 - 4) = 1;
				 *_t39 = 0x46757c;
				 *((intOrPtr*)(_t39 + 0x20)) = 0x467574;
				L00401CDD(_t39);
				if( *((intOrPtr*)( *__ecx + 0x4c))() != 0) {
					_t58 = _t57 - 0x28;
					 *((intOrPtr*)(_t54 - 0x10)) = _t58;
					_t41 = _t58;
					_push(0);
					_push(_t54 + 0x30);
					 *_t41 = 0x46757c;
					 *((intOrPtr*)(_t41 + 0x20)) = 0x467574;
					L00401CDD(_t41);
					_push(_t54 + 8);
					 *(_t54 - 4) = 1;
					_t30 = E0043A03C(L004351E9(0x46757c, __ecx + 4, __eflags), __eflags);
					__eflags = _t30;
					if(_t30 != 0) {
						 *((char*)(__ecx + 0x51)) = 1;
					}
					_t36 = _t30;
				} else {
					_t36 = 0;
				}
				 *(_t54 - 4) =  *(_t54 - 4) & 0x00000000;
				L0040125C(_t54 + 8);
				 *(_t54 - 4) =  *(_t54 - 4) | 0xffffffff;
				L0040125C(_t54 + 0x30);
				 *[fs:0x0] =  *((intOrPtr*)(_t54 - 0xc));
				return _t36;
			}

0x00434a19
0x00434a1e
0x00434a24
0x00434a2a
0x00434a2d
0x00434a39
0x00434a3b
0x00434a3c
0x00434a43
0x00434a45
0x00434a48
0x00434a56
0x00434a5c
0x00434a62
0x00434a65
0x00434a67
0x00434a69
0x00434a6a
0x00434a6c
0x00434a6f
0x00434a7a
0x00434a7b
0x00434a86
0x00434a8b
0x00434a8d
0x00434a8f
0x00434a8f
0x00434a93
0x00434a58
0x00434a58
0x00434a58
0x00434a95
0x00434a9c
0x00434aa1
0x00434aa8
0x00434ab4
0x00434abd

APIs

__EH_prolog.LIBCMT ref: 00434A19

Part of subcall function 00401CDD: __EH_prolog.LIBCMT ref: 00401CE2
Part of subcall function 00401CDD: GetLastError.KERNEL32(00467574,00000000,0046757C,?,004021DC,?,00000000,00000000,00000000,?,00000000), ref: 00401D0A
Part of subcall function 00401CDD: SetLastError.KERNEL32(?,00000000,00000000,00000000,?,004021DC,?,00000000,00000000,00000000,?,00000000), ref: 00401D57

Strings

tuF, xrefs: 00434A34
|uF, xrefs: 00434A2F

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorH_prologLast
String ID: tuF$|uF
API String ID: 1057991267-3059473046
Opcode ID: 9397bd1409ff8d6005d1e14073e96271019d216ab6a0e02faf6527578468b55f
Instruction ID: 07a3d897230bf9ac495bed5729cf4cd98644fe8b7c77b9d0f2593220a1e146f7
Opcode Fuzzy Hash: 9397bd1409ff8d6005d1e14073e96271019d216ab6a0e02faf6527578468b55f
Instruction Fuzzy Hash: 3911B670A40304EBDB04EF69C842BED7BB8AF49308F10419FE446973D2D779AA05CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0043A161 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E0043A161(void* __ecx, void* __edx, void* __eflags) {
				void* _t22;
				signed int _t34;
				intOrPtr* _t37;
				intOrPtr* _t42;
				void* _t52;
				void* _t54;
				intOrPtr* _t55;
				intOrPtr* _t57;
				void* _t58;

				_t58 = __eflags;
				L0043B644(0x464ed0, _t52);
				_push(__ecx);
				_t55 = _t54 - 0x28;
				 *((intOrPtr*)(_t52 - 0x10)) = _t55;
				_t37 = _t55;
				_push(0);
				_push(_t52 + 8);
				 *(_t52 - 4) = 1;
				 *_t37 = 0x46757c;
				 *((intOrPtr*)(_t37 + 0x20)) = 0x467574;
				L00401CDD(_t37);
				_t22 = L00439FFA(__ecx, _t58);
				_t59 = _t22;
				if(_t22 == 0) {
					L3:
					_t34 = 0;
					__eflags = 0;
				} else {
					_t57 = _t55 - 0x28;
					 *((intOrPtr*)(_t52 - 0x10)) = _t57;
					_t42 = _t57;
					_push(0);
					_push(_t52 + 0x30);
					 *_t42 = 0x46757c;
					 *((intOrPtr*)(_t42 + 0x20)) = 0x467574;
					L00401CDD(_t42);
					if(L00439FFA(__ecx, _t59) == 0) {
						goto L3;
					} else {
						_push(_t52 + 0x30);
						_push(_t52 + 8);
						E0043A3C3(__ecx + 4, __edx);
						_t34 = 1;
					}
				}
				 *(_t52 - 4) =  *(_t52 - 4) & 0x00000000;
				L0040125C(_t52 + 8);
				 *(_t52 - 4) =  *(_t52 - 4) | 0xffffffff;
				L0040125C(_t52 + 0x30);
				 *[fs:0x0] =  *((intOrPtr*)(_t52 - 0xc));
				return _t34;
			}

0x0043a161
0x0043a166
0x0043a16b
0x0043a171
0x0043a177
0x0043a17a
0x0043a186
0x0043a188
0x0043a189
0x0043a190
0x0043a192
0x0043a195
0x0043a19c
0x0043a1a1
0x0043a1a3
0x0043a1dc
0x0043a1dc
0x0043a1dc
0x0043a1a5
0x0043a1a5
0x0043a1ab
0x0043a1ae
0x0043a1b0
0x0043a1b2
0x0043a1b3
0x0043a1b5
0x0043a1b8
0x0043a1c6
0x00000000
0x0043a1c8
0x0043a1ce
0x0043a1d2
0x0043a1d3
0x0043a1d8
0x0043a1d8
0x0043a1c6
0x0043a1de
0x0043a1e5
0x0043a1ea
0x0043a1f1
0x0043a1fd
0x0043a206

APIs

__EH_prolog.LIBCMT ref: 0043A166

Part of subcall function 00401CDD: __EH_prolog.LIBCMT ref: 00401CE2
Part of subcall function 00401CDD: GetLastError.KERNEL32(00467574,00000000,0046757C,?,004021DC,?,00000000,00000000,00000000,?,00000000), ref: 00401D0A
Part of subcall function 00401CDD: SetLastError.KERNEL32(?,00000000,00000000,00000000,?,004021DC,?,00000000,00000000,00000000,?,00000000), ref: 00401D57

Part of subcall function 00439FFA: __EH_prolog.LIBCMT ref: 00439FFF

Part of subcall function 0043A3C3: __EH_prolog.LIBCMT ref: 0043A3C8

Strings

tuF, xrefs: 0043A181
|uF, xrefs: 0043A17C

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: H_prolog$ErrorLast
String ID: tuF$|uF
API String ID: 2901101390-3059473046
Opcode ID: 5d43bace1ceecd99a9a5aefc71afca27f9c44ec7145af0d6c166e4c43837e756
Instruction ID: c15ea726761f4a51da8956a3d0a73c4fe61b5abb6d13606511c1e967abdf9827
Opcode Fuzzy Hash: 5d43bace1ceecd99a9a5aefc71afca27f9c44ec7145af0d6c166e4c43837e756
Instruction Fuzzy Hash: B211EB70940208ABCF04EF65C882BDD7B68AF49708F10526FF842972D1D779DA06C79A

Uniqueness

Uniqueness Score: -1.00%

Function 0042CA53 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E0042CA53() {
				int _t24;
				void* _t26;
				void* _t28;
				signed int _t46;
				intOrPtr* _t49;
				void* _t51;

				L0043B644(0x4638b7, _t51);
				 *(_t51 - 0x14) =  *(_t51 - 0x14) & 0x00000000;
				_t24 = GetWindowsDirectoryW(_t51 - 0x260, 0x104);
				_t56 = _t24;
				if(_t24 == 0) {
					E00404959(_t51 - 0x58, _t56);
					L0043BD6A(_t51 - 0x58, 0x46a390);
				}
				 *((intOrPtr*)(_t51 - 0x3c)) = 0x4680fc;
				 *((intOrPtr*)(_t51 - 0x1c)) = 0x4680f4;
				_t26 = _t51 - 0x260;
				if(_t51 == 0x260) {
					_t26 = 0x47e150;
				}
				_push(0);
				_push(_t51 - 0xd);
				_push(_t26);
				L0040176A(_t51 - 0x3c);
				_t46 = 1;
				 *(_t51 - 4) = _t46;
				_t28 = E004245CE(_t51 - 0x3c, _t51, 0x4764fc);
				_t49 =  *((intOrPtr*)(_t51 + 8));
				_push(0);
				_push(_t28);
				 *_t49 = 0x4680fc;
				 *((intOrPtr*)(_t49 + 0x20)) = 0x4680f4;
				L00401CDD(_t49);
				 *(_t51 - 0x14) = _t46;
				 *(_t51 - 4) =  *(_t51 - 4) & 0x00000000;
				L0040125C(_t51 - 0x3c);
				 *[fs:0x0] =  *((intOrPtr*)(_t51 - 0xc));
				return _t49;
			}

0x0042ca58
0x0042ca63
0x0042ca73
0x0042ca79
0x0042ca7b
0x0042ca80
0x0042ca8e
0x0042ca8e
0x0042caa3
0x0042caaa
0x0042caad
0x0042cab3
0x0042cab5
0x0042cab5
0x0042cabd
0x0042cabf
0x0042cac0
0x0042cac4
0x0042cace
0x0042cad4
0x0042cad7
0x0042cadc
0x0042cadf
0x0042cae1
0x0042cae4
0x0042caea
0x0042caed
0x0042caf2
0x0042caf5
0x0042cafc
0x0042cb09
0x0042cb11

APIs

__EH_prolog.LIBCMT ref: 0042CA58
GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 0042CA73

Part of subcall function 00404959: __EH_prolog.LIBCMT ref: 0040495E
Part of subcall function 00404959: GetLastError.KERNEL32(?,?,004135BD,?,?,?,0041352E,?,00000001), ref: 00404973

Part of subcall function 0043BD6A: RaiseException.KERNEL32(0043B0A7,00000000,?,00468364,?,invalid string position,0043B0A7,00000000,00471E90,?,invalid string position), ref: 0043BD98

Strings

PG, xrefs: 0042CAB5

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: H_prolog$DirectoryErrorExceptionLastRaiseWindows
String ID: PG
API String ID: 1780030332-134009939
Opcode ID: c10a06c72279c01e6ad79b534ee1ea7c97f2f01020f92311d2e697dcdb4d031d
Instruction ID: 257de73a44baf7d4219df270168d701f46800863d13dfcd7c93b67d0a6ad76c8
Opcode Fuzzy Hash: c10a06c72279c01e6ad79b534ee1ea7c97f2f01020f92311d2e697dcdb4d031d
Instruction Fuzzy Hash: 3D118471E00218ABDB10EF95D885BDEB778EF54704F10846FF506B7191EB785A048B59

Uniqueness

Uniqueness Score: -1.00%

Function 0043483E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0043483E(intOrPtr* __ecx, void* __edx, void* __eflags) {
				void* __ebx;
				void* _t35;
				intOrPtr* _t38;
				intOrPtr* _t40;
				void* _t53;
				void* _t55;
				intOrPtr* _t56;
				intOrPtr* _t57;

				L0043B644(E004647E8, _t53);
				_push(__ecx);
				_t56 = _t55 - 0x28;
				 *((intOrPtr*)(_t53 - 0x10)) = _t56;
				_t38 = _t56;
				_push(0);
				_push(_t53 + 8);
				 *(_t53 - 4) = 1;
				 *_t38 = 0x46757c;
				 *((intOrPtr*)(_t38 + 0x20)) = 0x467574;
				L00401CDD(_t38);
				if( *((intOrPtr*)( *__ecx + 0x4c))() != 0) {
					_t57 = _t56 - 0x28;
					 *((intOrPtr*)(_t53 - 0x10)) = _t57;
					_t40 = _t57;
					_push(0);
					_push(_t53 + 0x30);
					 *_t40 = 0x46757c;
					 *((intOrPtr*)(_t40 + 0x20)) = 0x467574;
					L00401CDD(_t40);
					_push(_t53 + 8);
					 *(_t53 - 4) = 1;
					_t35 = L00439FFA(L004351E9(0x46757c, __ecx + 4, __eflags), __eflags);
				} else {
					_t35 = 0;
				}
				 *(_t53 - 4) =  *(_t53 - 4) & 0x00000000;
				L0040125C(_t53 + 8);
				 *(_t53 - 4) =  *(_t53 - 4) | 0xffffffff;
				L0040125C(_t53 + 0x30);
				 *[fs:0x0] =  *((intOrPtr*)(_t53 - 0xc));
				return _t35;
			}

0x00434843
0x00434848
0x0043484e
0x00434854
0x00434857
0x00434863
0x00434865
0x00434866
0x0043486d
0x0043486f
0x00434872
0x00434880
0x00434886
0x0043488c
0x0043488f
0x00434891
0x00434893
0x00434894
0x00434896
0x00434899
0x004348a4
0x004348a5
0x004348b5
0x00434882
0x00434882
0x00434882
0x004348b7
0x004348be
0x004348c3
0x004348ca
0x004348d6
0x004348df

APIs

__EH_prolog.LIBCMT ref: 00434843

Part of subcall function 00401CDD: __EH_prolog.LIBCMT ref: 00401CE2
Part of subcall function 00401CDD: GetLastError.KERNEL32(00467574,00000000,0046757C,?,004021DC,?,00000000,00000000,00000000,?,00000000), ref: 00401D0A
Part of subcall function 00401CDD: SetLastError.KERNEL32(?,00000000,00000000,00000000,?,004021DC,?,00000000,00000000,00000000,?,00000000), ref: 00401D57

Strings

|uF, xrefs: 00434859
tuF, xrefs: 0043485E

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorH_prologLast
String ID: tuF$|uF
API String ID: 1057991267-3059473046
Opcode ID: a3a44d0027f73fa9395dd686812780a69b091149d7ce631495b66815bb6fc86c
Instruction ID: b9c1e7058308a52eadd67b9fdfd46e25127bdf802190f0e784ec31c2d08c20c6
Opcode Fuzzy Hash: a3a44d0027f73fa9395dd686812780a69b091149d7ce631495b66815bb6fc86c
Instruction Fuzzy Hash: C511C870901204EFDB04EF69C842BED7BB8AF49318F10415FE446972D1D7799A05C759

Uniqueness

Uniqueness Score: -1.00%

Function 00418898 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 27%

			E00418898(void* __ecx, void* __eflags, intOrPtr _a4, char _a8) {
				char _v8;
				char _v48;
				void* __edi;
				void* __ebp;
				intOrPtr _t13;
				intOrPtr _t15;
				intOrPtr _t17;
				char _t21;
				intOrPtr _t25;
				intOrPtr* _t27;
				void* _t28;

				_t21 = 0;
				_t28 = __ecx;
				_push( &_v48);
				_v8 = 0;
				_t13 =  *((intOrPtr*)(E00418779(__ecx, __eflags) + 0x10));
				_t27 = __imp__#7;
				if(_t13 != 0) {
					_t21 =  *_t27(_t13);
				}
				E0041A273( &_v48);
				_t15 =  *0x467fe8; // 0xffffffff
				_v8 = 0x2e;
				_t17 = E0041A98E(_t28,  &_v8, 1, _t15);
				_t25 =  *0x467fe8; // 0xffffffff
				if(_t17 == _t25 || _t17 < _t21) {
					_t17 =  *((intOrPtr*)(_t28 + 0x10));
					__eflags = _t17;
					if(_t17 != 0) {
						_t17 =  *_t27(_t17);
					}
					_push(1);
					_push( *0x467fe8);
				} else {
					if(_a8 != 0) {
						_t17 = _t17 + 1;
					}
					_push(1);
					_push(_t25);
				}
				_push(_t17);
				_push(_t28);
				E00418ADD(_a4, _t27);
				return _a4;
			}

0x004188a4
0x004188a6
0x004188a8
0x004188a9
0x004188b1
0x004188b4
0x004188bc
0x004188c1
0x004188c1
0x004188c6
0x004188cb
0x004188d9
0x004188e0
0x004188e5
0x004188ed
0x004188ff
0x00418902
0x00418904
0x00418907
0x00418907
0x00418909
0x0041890b
0x004188f3
0x004188f7
0x004188f9
0x004188f9
0x004188fa
0x004188fc
0x004188fc
0x00418914
0x00418915
0x00418916
0x00418922

APIs

Part of subcall function 00418779: __EH_prolog.LIBCMT ref: 0041877E
Part of subcall function 00418779: SysStringLen.OLEAUT32(?), ref: 004187E6

SysStringLen.OLEAUT32(?), ref: 004188BF
SysStringLen.OLEAUT32(?), ref: 00418907

Strings

., xrefs: 004188D9

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: String$H_prolog
String ID: .
API String ID: 2395862998-248832578
Opcode ID: 0f68a520711ff1e22b964fd976ed5bffc313c1d7827a76f36527aa30be24c7fd
Instruction ID: 0a88755d19233361f5f68af0576b5f456c5db34024bcd36b92137b880e31834c
Opcode Fuzzy Hash: 0f68a520711ff1e22b964fd976ed5bffc313c1d7827a76f36527aa30be24c7fd
Instruction Fuzzy Hash: AB1161B5600208BBDB14EBA5DC85EDA77ADAB44314F10442FF501D7291DEB8DEC4CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00434069 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00434069(intOrPtr* __ecx) {
				void* _t28;
				intOrPtr* _t37;
				intOrPtr* _t42;
				intOrPtr _t47;
				intOrPtr _t50;
				void* _t52;
				void* _t54;
				intOrPtr _t55;
				intOrPtr* _t57;
				intOrPtr _t58;

				L0043B644(E0046464C, _t52);
				_t55 = _t54 - 0xc;
				_t37 = __ecx;
				_t50 =  *((intOrPtr*)(_t52 + 0x30));
				 *(_t52 - 4) =  *(_t52 - 4) & 0x00000000;
				_t47 =  *((intOrPtr*)(_t50 + 8));
				if(_t47 !=  *((intOrPtr*)(_t50 + 0xc))) {
					 *((intOrPtr*)(_t52 + 0x30)) = _t47 + 0x28;
					do {
						_t57 = _t55 - 0x28;
						 *((intOrPtr*)(_t52 - 0x10)) = _t57;
						_t42 = _t57;
						 *_t42 = 0x46757c;
						 *((intOrPtr*)(_t42 + 0x20)) = 0x467574;
						L00401CDD(_t42);
						_t58 = _t57 - 0x28;
						 *(_t52 - 4) = 1;
						 *((intOrPtr*)(_t52 - 0x14)) = _t58;
						L00401708(_t58, _t47, 1);
						_t55 = _t58 - 0x28;
						 *((intOrPtr*)(_t52 - 0x18)) = _t55;
						 *(_t52 - 4) = 2;
						L00401708(_t55, _t52 + 8, 1);
						 *(_t52 - 4) =  *(_t52 - 4) & 0x00000000;
						 *((intOrPtr*)( *_t37 + 0x30))( *((intOrPtr*)(_t52 + 0x30)), 0);
						 *((intOrPtr*)(_t52 + 0x30)) =  *((intOrPtr*)(_t52 + 0x30)) + 0x50;
						_t47 = _t47 + 0x50;
					} while (_t47 !=  *((intOrPtr*)(_t50 + 0xc)));
				}
				 *(_t52 - 4) =  *(_t52 - 4) | 0xffffffff;
				_t28 = L0040125C(_t52 + 8);
				 *[fs:0x0] =  *((intOrPtr*)(_t52 - 0xc));
				return _t28;
			}

0x0043406e
0x00434073
0x00434079
0x0043407b
0x0043407e
0x00434082
0x00434088
0x0043408d
0x00434090
0x00434090
0x00434093
0x00434096
0x0043409d
0x004340a3
0x004340aa
0x004340af
0x004340b2
0x004340b8
0x004340be
0x004340c3
0x004340cb
0x004340d1
0x004340d5
0x004340dc
0x004340e2
0x004340e5
0x004340e9
0x004340ec
0x00434090
0x004340f1
0x004340f8
0x00434102
0x0043410b

APIs

__EH_prolog.LIBCMT ref: 0043406E

Part of subcall function 00401CDD: __EH_prolog.LIBCMT ref: 00401CE2
Part of subcall function 00401CDD: GetLastError.KERNEL32(00467574,00000000,0046757C,?,004021DC,?,00000000,00000000,00000000,?,00000000), ref: 00401D0A
Part of subcall function 00401CDD: SetLastError.KERNEL32(?,00000000,00000000,00000000,?,004021DC,?,00000000,00000000,00000000,?,00000000), ref: 00401D57

Strings

tuF, xrefs: 004340A3
P, xrefs: 004340E5

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorH_prologLast
String ID: P$tuF
API String ID: 1057991267-1332652325
Opcode ID: e787dceebef6e8e74c77ebe062f76ae3b031bbe13264e3d27c66ff2454a663ea
Instruction ID: e558d99a562239c76710e23f1ab53e8725652b5a5441605e17c7e0a5470b470f
Opcode Fuzzy Hash: e787dceebef6e8e74c77ebe062f76ae3b031bbe13264e3d27c66ff2454a663ea
Instruction Fuzzy Hash: B911E631A10304EFCB04EFA9C882B9DBFB4EF45318F10415EF40167681D374AA448B96

Uniqueness

Uniqueness Score: -1.00%

Function 0040A050 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E0040A050(void* __ecx, void* __edx, void* __eflags) {
				void* _t29;
				void* _t47;
				void* _t49;
				intOrPtr _t51;
				void* _t55;

				_t55 = __eflags;
				L0043B644(0x45fc84, _t47);
				_push(0);
				_push( *((intOrPtr*)(_t47 + 0x10)));
				 *((intOrPtr*)(_t47 - 0x3c)) = 0x46757c;
				 *((intOrPtr*)(_t47 - 0x1c)) = 0x467574;
				L00401CDD(_t47 - 0x3c);
				 *(_t47 - 4) = 0;
				L0042DF59(0x409b9b, __ecx);
				_push(0x8000);
				_t51 = _t49 - 8;
				 *((intOrPtr*)(_t47 - 0x10)) = _t51;
				L00401708(_t51,  *((intOrPtr*)(_t47 + 0x10)), 1);
				 *((intOrPtr*)(_t47 - 0x14)) = _t51 - 0x28;
				 *(_t47 - 4) = 1;
				L00401732(_t51 - 0x28, E0040A5A5( *((intOrPtr*)(_t47 + 8)) + 4), _t47 + 0x13, 1);
				 *(_t47 - 4) = 0;
				E0042D8B5(__edx, _t55);
				L0042DF59(0, 0);
				 *(_t47 - 4) =  *(_t47 - 4) | 0xffffffff;
				_t16 = _t47 - 0x3c; // 0x46757c
				_t29 = L0040125C(_t16);
				 *[fs:0x0] =  *((intOrPtr*)(_t47 - 0xc));
				return _t29;
			}

0x0040a050
0x0040a055
0x0040a061
0x0040a062
0x0040a06a
0x0040a071
0x0040a078
0x0040a083
0x0040a086
0x0040a08d
0x0040a092
0x0040a097
0x0040a09f
0x0040a0ac
0x0040a0b5
0x0040a0c4
0x0040a0c9
0x0040a0cc
0x0040a0d3
0x0040a0d8
0x0040a0df
0x0040a0e2
0x0040a0eb
0x0040a0f4

APIs

__EH_prolog.LIBCMT ref: 0040A055

Part of subcall function 00401CDD: __EH_prolog.LIBCMT ref: 00401CE2
Part of subcall function 00401CDD: GetLastError.KERNEL32(00467574,00000000,0046757C,?,004021DC,?,00000000,00000000,00000000,?,00000000), ref: 00401D0A
Part of subcall function 00401CDD: SetLastError.KERNEL32(?,00000000,00000000,00000000,?,004021DC,?,00000000,00000000,00000000,?,00000000), ref: 00401D57

Part of subcall function 0042D8B5: __EH_prolog.LIBCMT ref: 0042D8BA
Part of subcall function 0042D8B5: GetLastError.KERNEL32 ref: 0042D907

Part of subcall function 0040125C: __EH_prolog.LIBCMT ref: 00401261
Part of subcall function 0040125C: GetLastError.KERNEL32(000004B1,00000000,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 00401284
Part of subcall function 0040125C: SysFreeString.OLEAUT32(?), ref: 004012A2
Part of subcall function 0040125C: SetLastError.KERNEL32(?,00000001,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 004012C2

Strings

|uF, xrefs: 0040A0DF
tuF, xrefs: 0040A071

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorLast$H_prolog$FreeString
String ID: tuF$|uF
API String ID: 3800368667-3059473046
Opcode ID: ce1de65975798e3af5922414e350b31de95b0262bf79067469d86496ae9f9063
Instruction ID: 9a6a5a9dbdced7f452f7b95584819c9af3d937ff48730099d610856af24fb35a
Opcode Fuzzy Hash: ce1de65975798e3af5922414e350b31de95b0262bf79067469d86496ae9f9063
Instruction Fuzzy Hash: C6119471D00208AFDB04EFA5D986A9DBB74EB04354F00416EF811731D1DB785A148B9A

Uniqueness

Uniqueness Score: -1.00%

Function 00402179 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00402179(void* __eflags) {
				intOrPtr* _t41;
				void* _t43;

				L0043B644(0x45ee77, _t43);
				 *(_t43 - 0x14) =  *(_t43 - 0x14) & 0x00000000;
				_push(0);
				_push(_t43 - 0xd);
				 *((intOrPtr*)(_t43 - 0x3c)) = 0x46757c;
				 *((intOrPtr*)(_t43 - 0x1c)) = 0x467574;
				L00401C68(_t43 - 0x3c);
				_push( *((intOrPtr*)(_t43 + 0x14)));
				 *(_t43 - 4) = 1;
				_push( *((intOrPtr*)(_t43 + 0x10)));
				_push( *((intOrPtr*)(_t43 + 0xc)));
				_push(_t43 - 0x3c);
				E00402718();
				_t41 =  *((intOrPtr*)(_t43 + 8));
				_push(0);
				_push(_t43 - 0x3c);
				 *_t41 = 0x46757c;
				 *((intOrPtr*)(_t41 + 0x20)) = 0x467574;
				L00401CDD(_t41);
				 *(_t43 - 0x14) = 1;
				 *(_t43 - 4) =  *(_t43 - 4) & 0x00000000;
				L0040125C(_t43 - 0x3c);
				 *[fs:0x0] =  *((intOrPtr*)(_t43 - 0xc));
				return _t41;
			}

0x0040217e
0x00402186
0x0040219a
0x0040219c
0x004021a0
0x004021a3
0x004021a6
0x004021ab
0x004021b1
0x004021b8
0x004021bb
0x004021be
0x004021bf
0x004021c4
0x004021cf
0x004021d1
0x004021d2
0x004021d4
0x004021d7
0x004021dc
0x004021e3
0x004021ea
0x004021f7
0x004021ff

APIs

__EH_prolog.LIBCMT ref: 0040217E

Part of subcall function 00401C68: __EH_prolog.LIBCMT ref: 00401C6D
Part of subcall function 00401C68: GetLastError.KERNEL32(00467574,00000000,0046757C,?,0040E781,?,00000000,?,00000000), ref: 00401C96
Part of subcall function 00401C68: SetLastError.KERNEL32(?,00000000,?,0040E781,?,00000000,?,00000000), ref: 00401CC4

Part of subcall function 00402718: __EH_prolog.LIBCMT ref: 0040271D
Part of subcall function 00402718: MultiByteToWideChar.KERNEL32(000004B0,00000000,?,00000100,00000000,00000000,00467574,?,0046757C), ref: 0040276B
Part of subcall function 00402718: MultiByteToWideChar.KERNEL32(000004B0,00000000,?,000000FF,00000000,00000000,000004B0,?,0046757C), ref: 00402798

Part of subcall function 00401CDD: __EH_prolog.LIBCMT ref: 00401CE2
Part of subcall function 00401CDD: GetLastError.KERNEL32(00467574,00000000,0046757C,?,004021DC,?,00000000,00000000,00000000,?,00000000), ref: 00401D0A
Part of subcall function 00401CDD: SetLastError.KERNEL32(?,00000000,00000000,00000000,?,004021DC,?,00000000,00000000,00000000,?,00000000), ref: 00401D57

Part of subcall function 0040125C: __EH_prolog.LIBCMT ref: 00401261
Part of subcall function 0040125C: GetLastError.KERNEL32(000004B1,00000000,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 00401284
Part of subcall function 0040125C: SysFreeString.OLEAUT32(?), ref: 004012A2
Part of subcall function 0040125C: SetLastError.KERNEL32(?,00000001,?,0040289D,|uF,?,00000000,?,00000000,00467574,?,0046757C), ref: 004012C2

Strings

tuF, xrefs: 00402195
|uF, xrefs: 00402190

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: ErrorLast$H_prolog$ByteCharMultiWide$FreeString
String ID: tuF$|uF
API String ID: 3513484322-3059473046
Opcode ID: d025e7752fd052262b097f1eb28f765046a1895b110f659d35d77e25da4c97a5
Instruction ID: d8502a9802dbc71841d66c0c2450ed015a9f826cc9ed6977148ce4dafa3cd938
Opcode Fuzzy Hash: d025e7752fd052262b097f1eb28f765046a1895b110f659d35d77e25da4c97a5
Instruction Fuzzy Hash: 76014C75E00208ABDB14DF95D985BEDFBB8EF44318F10806EF915B3291DB789A04CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0042AB7A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0042AB7A(intOrPtr* __ecx) {
				void* _t14;
				char _t18;
				signed char _t21;
				void* _t26;
				intOrPtr* _t32;
				void* _t34;

				L0043B644(0x463648, _t34);
				_push(__ecx);
				_t12 =  *((intOrPtr*)(_t34 + 8));
				_t18 =  *((intOrPtr*)(_t34 + 0xc));
				_t32 = __ecx;
				_t21 =  *((intOrPtr*)( *((intOrPtr*)(_t34 + 8)) + 0xd9));
				 *((intOrPtr*)(_t34 - 0x10)) = __ecx;
				_t37 = _t18;
				if(_t18 == 0) {
					asm("sbb ecx, ecx");
					_t24 = ( ~_t21 & 0x00000017) + 0x69;
					__eflags = ( ~_t21 & 0x00000017) + 0x69;
				} else {
					asm("sbb ecx, ecx");
					_t24 = ( ~_t21 & 0x00000004) + 0x7d;
				}
				E0042AAA8(_t32, _t37, _t24, _t12);
				 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
				_t14 = 0x479b9c;
				 *((char*)(_t32 + 0x6c)) = _t18;
				 *_t32 = 0x468198;
				_t26 = _t32 + 0x18;
				if(0x479b9c == 0) {
					_t14 = 0x47e150;
				}
				L00401E03(_t26, _t14);
				 *[fs:0x0] =  *((intOrPtr*)(_t34 - 0xc));
				return _t32;
			}

0x0042ab7f
0x0042ab84
0x0042ab85
0x0042ab89
0x0042ab8d
0x0042ab8f
0x0042ab95
0x0042ab98
0x0042ab9a
0x0042abaa
0x0042abaf
0x0042abaf
0x0042ab9c
0x0042ab9e
0x0042aba3
0x0042aba3
0x0042abb6
0x0042abbb
0x0042abbf
0x0042abc6
0x0042abcb
0x0042abd1
0x0042abd4
0x0042abd6
0x0042abd6
0x0042abdc
0x0042abe8
0x0042abf0

APIs

__EH_prolog.LIBCMT ref: 0042AB7F

Strings

PG, xrefs: 0042ABD6
sbs, xrefs: 0042ABBF, 0042ABDB

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: H_prolog
String ID: PG$sbs
API String ID: 3519838083-3006340717
Opcode ID: 84c68c0f5fc6f651a1c4b7d1e657d29d1c527dac77d1f75b408b150746bff7b2
Instruction ID: 1e1d4f7815dd3c0ab509c50f0b62394f44f5cac1d0548a1a4e29c31c7e42bc8f
Opcode Fuzzy Hash: 84c68c0f5fc6f651a1c4b7d1e657d29d1c527dac77d1f75b408b150746bff7b2
Instruction Fuzzy Hash: 0D014972B005106BC7088F58D421BAABBE4EB59304F48856FF946D3301C73C990087DD

Uniqueness

Uniqueness Score: -1.00%

Function 0042E5F3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0042E5F3(void* __edi) {
				void* _t32;
				void* _t34;
				signed int _t36;
				intOrPtr _t37;

				L0043B644(0x463c90, _t32);
				 *(_t32 - 0x14) =  *(_t32 - 0x14) & 0x00000000;
				_push(0x20019);
				_t36 = _t34 - 0xffffffffffffffe8;
				 *(_t32 - 0x14) = _t36;
				L00401732(_t36, 0x47e150, _t32 - 0xd, 1);
				 *(_t32 - 4) =  *(_t32 - 4) & 0x00000000;
				_t37 = _t36 - 0x28;
				 *((intOrPtr*)(_t32 - 0x18)) = _t37;
				L00401732(_t37, L"Version", _t32 - 0xe, 1);
				_t38 = _t37 - 0x28;
				 *((intOrPtr*)(_t32 - 0x1c)) = _t37 - 0x28;
				 *(_t32 - 4) = 1;
				L00401732(_t38, L"Software\\Microsoft\\Internet Explorer", _t32 - 0xf, 1);
				_t12 = _t32 - 4;
				 *(_t32 - 4) =  *(_t32 - 4) | 0xffffffff;
				_push(0x80000002);
				_push( *((intOrPtr*)(_t32 + 8)));
				E0042F45D(__edi,  *_t12);
				 *[fs:0x0] =  *((intOrPtr*)(_t32 - 0xc));
				return  *((intOrPtr*)(_t32 + 8));
			}

0x0042e5f8
0x0042e600
0x0042e604
0x0042e609
0x0042e611
0x0042e61c
0x0042e621
0x0042e625
0x0042e62a
0x0042e638
0x0042e63d
0x0042e645
0x0042e650
0x0042e654
0x0042e659
0x0042e659
0x0042e65d
0x0042e662
0x0042e665
0x0042e676
0x0042e67e

APIs

__EH_prolog.LIBCMT ref: 0042E5F8

Part of subcall function 0042F45D: __EH_prolog.LIBCMT ref: 0042F462
Part of subcall function 0042F45D: RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?,?,00000000,00467574,ISlogit), ref: 0042F4B8
Part of subcall function 0042F45D: RegQueryValueExW.KERNELBASE(0043D41C,?,00000000,?,00000000,?,0046757C), ref: 0042F4FA
Part of subcall function 0042F45D: RegQueryValueExW.ADVAPI32(0043D41C,?,00000000,?,?,?,?,?), ref: 0042F545

Strings

Version, xrefs: 0042E633
Software\Microsoft\Internet Explorer, xrefs: 0042E64B

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: H_prologQueryValue$Open
String ID: Software\Microsoft\Internet Explorer$Version
API String ID: 3487285757-2486530099
Opcode ID: 8f72de31ebda749d3b1e8d6a661fea79435650c051c45efcd5e14aa050e20f6b
Instruction ID: 865fd2a9500ed627824771c7796e14bfd49288dd2da49d08f58a66bc1baecc09
Opcode Fuzzy Hash: 8f72de31ebda749d3b1e8d6a661fea79435650c051c45efcd5e14aa050e20f6b
Instruction Fuzzy Hash: E201BC31E40208ABDB00EBA5C943BECBB74EB04708F50416AF815762C2D7B80B448B86

Uniqueness

Uniqueness Score: -1.00%

Function 0040A374 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E0040A374(void* __ecx) {
				signed char _v8;
				char _v48;
				void* __ebp;
				WCHAR* _t16;
				struct HWND__* _t22;

				_v8 = _v8 & 0x00000000;
				if( *0x47e1d1 == 0) {
					_t22 = 0;
				} else {
					_push(0x10);
					_push( &_v48);
					_t16 =  *( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0xc8)))) + 0x1c))() + 8);
					_v8 = 1;
					if(_t16 == 0) {
						_t16 = 0x467570;
					}
					_t22 = FindWindowExW(0xfffffffd, 0, L"IsPrqHook", _t16);
				}
				if((_v8 & 0x00000001) != 0) {
					L0040125C( &_v48);
				}
				return _t22;
			}

0x0040a37a
0x0040a386
0x0040a3c0
0x0040a388
0x0040a391
0x0040a393
0x0040a399
0x0040a39c
0x0040a3a5
0x0040a3a7
0x0040a3a7
0x0040a3bc
0x0040a3bc
0x0040a3c6
0x0040a3cb
0x0040a3cb
0x0040a3d4

APIs

FindWindowExW.USER32 ref: 0040A3B6

Strings

IsPrqHook, xrefs: 0040A3AD
puF, xrefs: 0040A3A7

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: FindWindow
String ID: IsPrqHook$puF
API String ID: 134000473-770897530
Opcode ID: a586498062291074ed82857683c55fc9f1fc9776452c65685094a74c92418dbf
Instruction ID: da9532b7dc3ce3d707ad47a03fe822b47584a7555c44d0f2fbf48a7b7dd944a7
Opcode Fuzzy Hash: a586498062291074ed82857683c55fc9f1fc9776452c65685094a74c92418dbf
Instruction Fuzzy Hash: 66F09631A14314ABD714D7A4CC09FD9B7A49F44718F1081A6EC06B72E1E6B49D58879E

Uniqueness

Uniqueness Score: -1.00%

Function 004404BB Relevance: 5.1, APIs: 4, Instructions: 53
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004404BB() {
				signed int _t15;
				void* _t17;
				void* _t19;
				void* _t25;
				signed int _t26;
				intOrPtr* _t29;

				_t15 =  *0x47fd34;
				_t26 =  *0x47fd24;
				if(_t15 != _t26) {
					L3:
					_t29 =  *0x47fd38 + (_t15 + _t15 * 4) * 4;
					_t17 = HeapAlloc( *0x47fd40, 8, 0x41c4);
					 *(_t29 + 0x10) = _t17;
					if(_t17 == 0) {
						L6:
						return 0;
					}
					_t19 = VirtualAlloc(0, 0x100000, 0x2000, 4);
					 *(_t29 + 0xc) = _t19;
					if(_t19 != 0) {
						 *(_t29 + 8) =  *(_t29 + 8) | 0xffffffff;
						 *_t29 = 0;
						 *((intOrPtr*)(_t29 + 4)) = 0;
						 *0x47fd34 =  *0x47fd34 + 1;
						 *( *(_t29 + 0x10)) =  *( *(_t29 + 0x10)) | 0xffffffff;
						return _t29;
					}
					HeapFree( *0x47fd40, 0,  *(_t29 + 0x10));
					goto L6;
				}
				_t25 = HeapReAlloc( *0x47fd40, 0,  *0x47fd38, _t26 + 0x50 + _t26 * 4 << 2);
				if(_t25 == 0) {
					goto L6;
				}
				 *0x47fd24 =  *0x47fd24 + 0x10;
				 *0x47fd38 = _t25;
				_t15 =  *0x47fd34;
				goto L3;
			}

0x004404bb
0x004404c0
0x004404cc
0x004404fe
0x00440514
0x00440517
0x0044051f
0x00440522
0x0044054e
0x00000000
0x0044054e
0x00440531
0x00440539
0x0044053c
0x00440552
0x00440556
0x00440558
0x0044055b
0x00440564
0x00000000
0x00440567
0x00440548
0x00000000
0x00440548
0x004404e3
0x004404eb
0x00000000
0x00000000
0x004404ed
0x004404f4
0x004404f9
0x00000000

APIs

HeapReAlloc.KERNEL32(00000000,?,00000000,00000000,00440283,00000000,00000000,00000000,0043CE71,00000000,00000000,?,00000000,00000000,00000000), ref: 004404E3
HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,00440283,00000000,00000000,00000000,0043CE71,00000000,00000000,?,00000000,00000000,00000000), ref: 00440517
VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 00440531
HeapFree.KERNEL32(00000000,?), ref: 00440548

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: AllocHeap$FreeVirtual
String ID:
API String ID: 3499195154-0
Opcode ID: a12daaf3859a7d4299f457c7aaa71c8d3c306f095523ff49a9fd0ea0bbacdf4e
Instruction ID: 81434b80fd03d25c52ea4816303e4b3a2877287693e2fdc1bfa4a679662eb0e5
Opcode Fuzzy Hash: a12daaf3859a7d4299f457c7aaa71c8d3c306f095523ff49a9fd0ea0bbacdf4e
Instruction Fuzzy Hash: C4112B71204200EFD730CF19ED499627BB5FB85714710493AF65AC66B0D378989ACF48

Uniqueness

Uniqueness Score: -1.00%

Function 0043E4D1 Relevance: 5.0, APIs: 4, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0043E4D1(void* __eax) {
				void* _t1;

				_t1 = __eax;
				InitializeCriticalSection( *0x47b098);
				InitializeCriticalSection( *0x47b088);
				InitializeCriticalSection( *0x47b078);
				InitializeCriticalSection( *0x47b058);
				return _t1;
			}

0x0043e4d1
0x0043e4de
0x0043e4e6
0x0043e4ee
0x0043e4f6
0x0043e4f9

APIs

InitializeCriticalSection.KERNEL32(?,0043E352,?,0043D3AD), ref: 0043E4DE
InitializeCriticalSection.KERNEL32(?,0043E352,?,0043D3AD), ref: 0043E4E6
InitializeCriticalSection.KERNEL32(?,0043E352,?,0043D3AD), ref: 0043E4EE
InitializeCriticalSection.KERNEL32(?,0043E352,?,0043D3AD), ref: 0043E4F6

Memory Dump Source

Source File: 00000021.00000002.1066448478.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000021.00000002.1066399747.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067115750.0000000000467000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067203545.0000000000476000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067243825.000000000047A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067272872.000000000047D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067298223.0000000000480000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067518123.00000000004AA000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000021.00000002.1067607637.00000000004BA000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_400000_OSC_Gaming_7.jbxd

Similarity

API ID: CriticalInitializeSection
String ID:
API String ID: 32694325-0
Opcode ID: d603fe545717beef6ab9e3d38202dd77d2e2dcf8b61acd4c6b4362e934f5d726
Instruction ID: e144e94750b2ae2d21f9417a8c9d1ba7d605a512b1591b5d578e6dd5a9e3ecf1
Opcode Fuzzy Hash: d603fe545717beef6ab9e3d38202dd77d2e2dcf8b61acd4c6b4362e934f5d726
Instruction Fuzzy Hash: 83C002318042B49BCE112B65FC0C94B7F26EB052A03010073E91C5153487611CD6EFC8

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: dotNetFx40_Full_x86_x64.exePID: 6568, Parent PID: 980COMMON

Execution Graph

Execution Coverage:	18.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.7%
Total number of Nodes:	2000
Total number of Limit Nodes:	75

Executed Functions

Function 0125774A Relevance: 38.7, APIs: 6, Strings: 16, Instructions: 244
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 62%

			E0125774A(WCHAR* _a4, WCHAR* _a8, intOrPtr _a12) {
				WCHAR* _v12;
				char _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				long _v36;
				union _ULARGE_INTEGER _v40;
				struct %anon54 _v48;
				struct %anon54 _v56;
				union _ULARGE_INTEGER _v64;
				union _ULARGE_INTEGER _v72;
				void* __ebx;
				void* __esi;
				void* _t66;
				signed int _t70;
				signed int _t78;
				signed int _t79;
				signed int _t80;
				signed int _t81;
				signed int _t86;
				WCHAR* _t87;
				intOrPtr _t90;
				long _t95;
				struct %anon54 _t110;
				short* _t113;
				signed int _t115;
				WCHAR* _t124;
				void* _t127;
				void* _t128;

				_t105 = 0;
				 *_a4 = 0;
				_v12 = 0;
				_v28 = 0;
				_v48.LowPart = 0;
				_v48.HighPart = 0;
				_v20 = 0;
				_v56.LowPart = 0;
				_v56.HighPart = 0;
				_v24 = 0;
				_v16 = 0;
				_t66 = E01257CD0( &_v16); // executed
				if(_t66 >= 0) {
					L3:
					E012584C7(_t105, _t113, 1, "Cluster drive map: \'%S\'", _v16); // executed
					_t128 = _t127 + 0xc;
					_t115 = E012587EB(0x9d,  &_v12);
					__eflags = _t115 - _t105;
					if(_t115 >= _t105) {
						_t105 = GetLogicalDriveStringsW;
						_t70 = GetLogicalDriveStringsW(0x9c, _v12); // executed
						_v36 = _t70;
						__eflags = _t70;
						if(_t70 != 0) {
							__eflags = _t70 - 0x9c;
							if(_t70 <= 0x9c) {
								L14:
								_t124 = _v12;
								__eflags =  *_t124;
								if( *_t124 == 0) {
									L41:
									_push("Failed to find any drive to extract to");
									L55:
									_t115 = 0x80070070;
									L56:
									_push(_t115);
									E0125854A(_t105, _t106, _t113);
									L57:
									_t105 = 0;
									__eflags = _v12;
									if(_v12 != 0) {
										E01258E6F(_v12);
									}
									L59:
									if(_v16 != _t105) {
										E01258E6F(_v16);
									}
									return _t115;
								} else {
									goto L15;
								}
								do {
									L15:
									CharUpperW(_t124);
									E012584C7(_t105, _t113, 1, "Considering drive: \'%S\'...", _t124); // executed
									_t128 = _t128 + 0xc;
									_t78 = E012695A3(_v16,  *_t124 & 0x0000ffff);
									_pop(_t106);
									_push(_t124);
									__eflags = _t78;
									if(_t78 == 0) {
										_t105 =  &_v28;
										_t79 = E01257A0A( &_v28); // executed
										_t115 = _t79;
										__eflags = _t115;
										if(_t115 < 0) {
											_push("Unable to get the drive type");
											goto L56;
										}
										__eflags = _v28;
										if(_v28 != 0) {
											_t106 = _t124; // executed
											_t80 = E0125768D( &_v28, _t124); // executed
											_push(_t124);
											__eflags = _t80;
											if(_t80 != 0) {
												_t81 = E01257AE7(_t113); // executed
												_t115 = _t81;
												__eflags = _t115;
												if(_t115 < 0) {
													_push("Failed to dtermine whether a drive can be written to");
													goto L56;
												}
												__eflags = _t115 - 1;
												if(_t115 != 1) {
													asm("stosd");
													asm("stosd");
													asm("stosd");
													_t86 = GetDiskFreeSpaceExW(_t124,  &_v40,  &_v72,  &_v64); // executed
													__eflags = _t86;
													if(_t86 == 0) {
														L36:
														_t87 = _t124;
														_t113 =  &(_t87[1]);
														__eflags = 0;
														do {
															_t106 =  *_t87;
															_t87 =  &(_t87[1]);
															__eflags = _t106;
														} while (_t106 != 0);
														goto L38;
													}
													__eflags = _v28 - 2;
													_t95 = _v36;
													_t110 = _v40.LowPart;
													if(_v28 != 2) {
														L32:
														__eflags = _t95 - _v48.HighPart;
														if(__eflags < 0) {
															goto L36;
														}
														if(__eflags > 0) {
															L35:
															_v48.LowPart = _t110;
															_v48.HighPart = _t95;
															_v20 = _t124;
															goto L36;
														}
														__eflags = _t110 - _v48.LowPart;
														if(_t110 <= _v48.LowPart) {
															goto L36;
														}
														goto L35;
													}
													__eflags = _t95 - _v56.HighPart;
													if(__eflags < 0) {
														goto L32;
													}
													if(__eflags > 0) {
														L31:
														_v56.LowPart = _t110;
														_v56.HighPart = _t95;
														_v24 = _t124;
														goto L36;
													}
													__eflags = _t110 - _v56.LowPart;
													if(_t110 <= _v56.LowPart) {
														goto L32;
													}
													goto L31;
												}
												_push(_t124);
												_push("Drive \'%S\' is rejected because it can\'t be written to");
												L17:
												_push(1); // executed
												E012584C7(_t105, _t113); // executed
												_t128 = _t128 + 0xc;
												goto L36;
											}
											_push("Drive \'%S\' is rejected because it\'s not a hard disk or RAM disk");
											goto L17;
										}
										_push(_t124);
										_push("Drive \'%S\' is rejected because of the unknown or unsuitable drive type");
										goto L17;
									}
									_push("Drive \'%S\' is rejected because it\'s a resource of a cluster");
									goto L17;
									L38:
									_t124 = _t124 + 2 + (_t87 - _t113 >> 1) * 2;
									__eflags =  *_t124;
								} while ( *_t124 != 0);
								__eflags = _v20;
								if(_v20 != 0) {
									L44:
									_t90 = _a12;
									_t106 = _a8;
									__eflags = _v48.HighPart - _t90;
									if(__eflags < 0) {
										L50:
										__eflags = _v56.HighPart - _t90;
										if(__eflags < 0) {
											L54:
											_push("Insufficient size on any available drives");
											goto L55;
										}
										if(__eflags > 0) {
											L53:
											E012584C7(_t105, _t113, 1, "Drive \'%S\' has been selected as the largest removable drive", _v24);
											_push(_v24);
											L48:
											_t106 = _a4;
											_t115 = E01258889(0, _a4);
											__eflags = _t115;
											if(_t115 >= 0) {
												goto L57;
											}
											_push("Unable to allocate a string for extracion drive");
											goto L56;
										}
										__eflags = _v56.LowPart - _t106;
										if(_v56.LowPart <= _t106) {
											goto L54;
										}
										goto L53;
									}
									if(__eflags > 0) {
										L47:
										E012584C7(_t105, _t113, 1, "Drive \'%S\' has been selected as the largest fixed drive", _v20); // executed
										_push(_v20);
										goto L48;
									}
									__eflags = _v48.LowPart - _t106;
									if(_v48.LowPart <= _t106) {
										goto L50;
									}
									goto L47;
								}
								__eflags = _v24;
								if(_v24 != 0) {
									goto L44;
								}
								goto L41;
							}
							_t115 = E012587EB(_t70 + 1,  &_v12);
							__eflags = _t115;
							if(_t115 < 0) {
								goto L4;
							}
							GetLogicalDriveStringsW(_v36, _v12);
							goto L14;
						}
						_t115 = GetLastError();
						__eflags = _t115;
						if(__eflags > 0) {
							_t115 = _t115 & 0x0000ffff | 0x80070000;
							__eflags = _t115;
						}
						if(__eflags >= 0) {
							_t115 = 0x80004005;
						}
						_push("Failed to get logical drives");
						goto L56;
					}
					L4:
					_push("Failed to allocate memory for logical drives");
					goto L56;
				}
				_t115 = E012587EB(1,  &_v16);
				if(_t115 >= 0) {
					goto L3;
				}
				_push("Unable to allocate the cluster drive map");
				_push(_t115);
				E0125854A(0, _t106, _t113);
				goto L59;
			}

0x01257756
0x01257759
0x01257760
0x01257763
0x01257766
0x01257769
0x0125776c
0x0125776f
0x01257772
0x01257775
0x01257778
0x0125777b
0x01257782
0x012577a7
0x012577b1
0x012577b6
0x012577c6
0x012577c8
0x012577ca
0x012577d9
0x012577e5
0x012577e7
0x012577ea
0x012577ec
0x01257819
0x0125781b
0x01257834
0x01257834
0x01257837
0x0125783b
0x01257958
0x01257958
0x012579d3
0x012579d3
0x012579d8
0x012579d8
0x012579d9
0x012579e0
0x012579e0
0x012579e2
0x012579e5
0x012579ea
0x012579ea
0x012579ef
0x012579f2
0x012579f7
0x012579f7
0x01257a02
0x00000000
0x00000000
0x00000000
0x01257841
0x01257841
0x01257842
0x01257850
0x01257858
0x0125785f
0x01257865
0x01257866
0x01257867
0x01257869
0x0125787f
0x01257882
0x01257887
0x01257889
0x0125788b
0x0125795f
0x00000000
0x0125795f
0x01257891
0x01257895
0x0125789f
0x012578a1
0x012578a6
0x012578a7
0x012578a9
0x012578b2
0x012578b7
0x012578b9
0x012578bb
0x01257966
0x00000000
0x01257966
0x012578c1
0x012578c4
0x012578d3
0x012578d7
0x012578db
0x012578e9
0x012578ef
0x012578f1
0x0125792b
0x0125792b
0x0125792d
0x01257930
0x01257932
0x01257932
0x01257935
0x01257938
0x01257938
0x00000000
0x01257932
0x012578f3
0x012578f7
0x012578fa
0x012578fd
0x01257916
0x01257916
0x01257919
0x00000000
0x00000000
0x0125791b
0x01257922
0x01257922
0x01257925
0x01257928
0x00000000
0x01257928
0x0125791d
0x01257920
0x00000000
0x00000000
0x00000000
0x01257920
0x012578ff
0x01257902
0x00000000
0x00000000
0x01257904
0x0125790b
0x0125790b
0x0125790e
0x01257911
0x00000000
0x01257911
0x01257906
0x01257909
0x00000000
0x00000000
0x00000000
0x01257909
0x012578c6
0x012578c7
0x01257870
0x01257870
0x01257872
0x01257877
0x00000000
0x01257877
0x012578ab
0x00000000
0x012578ab
0x01257897
0x01257898
0x00000000
0x01257898
0x0125786b
0x00000000
0x0125793d
0x01257941
0x01257945
0x01257945
0x0125794e
0x01257951
0x0125796d
0x0125796d
0x01257970
0x01257973
0x01257976
0x012579ab
0x012579ab
0x012579ae
0x012579ce
0x012579ce
0x00000000
0x012579ce
0x012579b0
0x012579b7
0x012579c1
0x012579c9
0x01257994
0x01257994
0x0125799e
0x012579a0
0x012579a2
0x00000000
0x00000000
0x012579a4
0x00000000
0x012579a4
0x012579b2
0x012579b5
0x00000000
0x00000000
0x00000000
0x012579b5
0x01257978
0x0125797f
0x01257989
0x01257991
0x00000000
0x01257991
0x0125797a
0x0125797d
0x00000000
0x00000000
0x00000000
0x0125797d
0x01257953
0x01257956
0x00000000
0x00000000
0x00000000
0x01257956
0x01257826
0x01257828
0x0125782a
0x00000000
0x00000000
0x01257832
0x00000000
0x01257832
0x012577f4
0x012577f6
0x012577f8
0x01257800
0x01257806
0x01257806
0x01257808
0x0125780a
0x0125780a
0x0125780f
0x00000000
0x0125780f
0x012577cc
0x012577cc
0x00000000
0x012577cc
0x0125778f
0x01257793
0x00000000
0x00000000
0x01257795
0x0125779a
0x0125779b
0x00000000

APIs

Part of subcall function 012587EB: GetProcessHeap.KERNEL32(00000000,?,00000104,00000104,012599E4,?,?,01256E7F), ref: 01258802
Part of subcall function 012587EB: HeapReAlloc.KERNEL32(00000000,?,00000104,00000104,012599E4,?,?,01256E7F), ref: 01258809

GetLogicalDriveStringsW.KERNELBASE(0000009C,?,00000000,00000000,0127BEF0,?,?,01256F09,?,?,00000000,?,?,01255B53,?,?), ref: 012577E5
GetLastError.KERNEL32(?,?,01256F09,?,?,00000000,?,?,01255B53,?,?,?,?,?,0127BEF0), ref: 012577EE

Strings

Drive '%S' is rejected because of the unknown or unsuitable drive type, xrefs: 01257898
Drive '%S' has been selected as the largest fixed drive, xrefs: 01257982
Failed to find any drive to extract to, xrefs: 01257958
Failed to allocate memory for logical drives, xrefs: 012577CC
Unable to allocate a string for extracion drive, xrefs: 012579A4
Drive '%S' has been selected as the largest removable drive, xrefs: 012579BA
Drive '%S' is rejected because it can't be written to, xrefs: 012578C7
Insufficient size on any available drives, xrefs: 012579CE
Drive '%S' is rejected because it's not a hard disk or RAM disk, xrefs: 012578AB
Cluster drive map: '%S', xrefs: 012577AA
Failed to get logical drives, xrefs: 0125780F
Failed to dtermine whether a drive can be written to, xrefs: 01257966
Drive '%S' is rejected because it's a resource of a cluster, xrefs: 0125786B
Unable to get the drive type, xrefs: 0125795F
Unable to allocate the cluster drive map, xrefs: 01257795
Considering drive: '%S'..., xrefs: 01257849

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: Heap$AllocDriveErrorLastLogicalProcessStrings
String ID: Cluster drive map: '%S'$Considering drive: '%S'...$Drive '%S' has been selected as the largest fixed drive$Drive '%S' has been selected as the largest removable drive$Drive '%S' is rejected because it can't be written to$Drive '%S' is rejected because it's a resource of a cluster$Drive '%S' is rejected because it's not a hard disk or RAM disk$Drive '%S' is rejected because of the unknown or unsuitable drive type$Failed to allocate memory for logical drives$Failed to dtermine whether a drive can be written to$Failed to find any drive to extract to$Failed to get logical drives$Insufficient size on any available drives$Unable to allocate a string for extracion drive$Unable to allocate the cluster drive map$Unable to get the drive type
API String ID: 3325457267-4228337169
Opcode ID: c06fee3e126ba6c5ed3fafe0f80b6f0e258e4c45cd0aac9ba1e5d72dab35166d
Instruction ID: bbe24f55de001b33df93bf5180542ae38e95a24b1a1e7c5d96d7528482130a41
Opcode Fuzzy Hash: c06fee3e126ba6c5ed3fafe0f80b6f0e258e4c45cd0aac9ba1e5d72dab35166d
Instruction Fuzzy Hash: 0881A471DB0206ABDF91AF99D8C19FEBBB5EF54650F91012AEE05B3100E7709A81CB71

Uniqueness

Uniqueness Score: -1.00%

Function 012592BB Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 213
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 97%

			E012592BB(void* __edx, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
				signed int _v12;
				intOrPtr _v560;
				intOrPtr _v562;
				struct _WIN32_FIND_DATAW _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t56;
				int _t63;
				signed int _t64;
				signed char _t68;
				void* _t74;
				void* _t75;
				int _t83;
				signed int _t84;
				signed int _t86;
				signed int _t88;
				signed int _t92;
				void* _t94;
				signed char _t100;
				void* _t105;
				signed int _t108;
				signed int _t114;
				signed int _t118;
				signed int _t120;
				signed int _t123;
				signed int _t130;
				signed int _t140;

				_t105 = __edx;
				_t56 =  *0x127a050; // 0xa41d0fe1
				_v12 = _t56 ^ _t114;
				_v616 = _v616 & 0x00000000;
				_t108 = E01259926( &_v616, _a4);
				if(_t108 < 0) {
					L47:
					if(_v620 != 0xffffffff) {
						FindClose(_v620); // executed
					}
					L49:
					if(_v612 != 0) {
						E01258E6F(_v612);
					}
					if(_t108 < 0) {
						L56:
						if(_v616 != 0) {
							E01258E6F(_v616);
						}
						return E012691D5(_t108, _t100, _v12 ^ _t114, _t105, 0x80070000, _t108);
					} else {
						L52:
						_t63 = RemoveDirectoryW(_v616); // executed
						if(_t63 == 0) {
							_t64 = GetLastError();
							if(_t64 > 0) {
								_t64 = _t64 & 0x0000ffff | 0x80070000;
							}
							_t108 = _t64;
						}
						goto L56;
					}
				}
				_v620 = _v620 | 0xffffffff;
				_v612 = _v612 & 0x00000000;
				_t68 = GetFileAttributesW(_v616); // executed
				_t100 = _t68;
				if(_t100 != 0xffffffff) {
					L5:
					if((_t100 & 0x00000010) == 0) {
						_t108 = 0x8000ffff;
						goto L47;
					}
					_t120 = _t100 & 0x00000001;
					_t100 = SetFileAttributesW;
					if(_t120 == 0 || SetFileAttributesW(_v616, 0x80) != 0) {
						L11:
						_t108 = 0;
						if(_a8 != 0 || _a12 != 0) {
							_t108 = E01258889(0,  &_v612, _v616);
							if(_t108 < 0) {
								goto L49;
							}
							_t108 = E01258ABB( &_v612,  &_v612, L"\\*.*", 0);
							if(_t108 < 0) {
								goto L49;
							}
							_t74 = FindFirstFileW(_v612,  &_v608); // executed
							_v620 = _t74;
							if(_t74 != 0xffffffff) {
								do {
									L19:
									_t75 = 0x2e;
									if(_t75 != _v608.cFileName) {
										L23:
										_t108 = E01258889(0,  &_v612, _v616);
										if(_t108 < 0) {
											goto L47;
										}
										_t108 = E01258ABB( &_v612,  &_v612,  &(_v608.cFileName), 0);
										if(_t108 < 0) {
											goto L47;
										}
										if(_a12 == 0 || (_v608.dwFileAttributes & 0x00000010) == 0) {
											__eflags = _a8;
											if(_a8 == 0) {
												goto L40;
											}
											__eflags = _v608.dwFileAttributes & 0x00000007;
											if((_v608.dwFileAttributes & 0x00000007) == 0) {
												L35:
												_t86 = DeleteFileW(_v612);
												__eflags = _t86;
												if(_t86 != 0) {
													goto L40;
												}
												_t108 = GetLastError();
												__eflags = _t108;
												if(_t108 <= 0) {
													goto L39;
												}
												_t108 = _t108 & 0x0000ffff | 0x80070000;
												__eflags = _t108;
												goto L38;
											}
											_t88 = SetFileAttributesW(_v612, 0x80);
											__eflags = _t88;
											if(_t88 != 0) {
												goto L35;
											}
											_t108 = GetLastError();
											__eflags = _t108;
											if(__eflags > 0) {
												_t108 = _t108 & 0x0000ffff | 0x80070000;
												__eflags = _t108;
											}
											if(__eflags < 0) {
												goto L47;
											} else {
												goto L35;
											}
										} else {
											_t108 = E01258ABB( &_v612,  &_v612, "\\", 0);
											if(_t108 < 0) {
												goto L47;
											}
											_t92 = E012592BB(_t105, _v612, _a8, _a12); // executed
											_t108 = _t92;
											L38:
											_t140 = _t108;
											L39:
											if(_t140 < 0) {
												goto L47;
											}
											goto L40;
										}
									}
									if(0 == _v562) {
										goto L40;
									}
									_t94 = 0x2e;
									if(_t94 != _v562 || 0 != _v560) {
										goto L23;
									}
									L40:
									_t83 = FindNextFileW(_v620,  &_v608); // executed
								} while (_t83 != 0);
								_t84 = GetLastError();
								if(_t84 != 0x12) {
									__eflags = _t84;
									if(_t84 > 0) {
										_t84 = _t84 & 0x0000ffff | 0x80070000;
										__eflags = _t84;
									}
									_t108 = _t84;
								} else {
									_t108 = 0;
								}
								goto L47;
							}
							_t108 = GetLastError();
							if(_t108 > 0) {
								_t108 = _t108 & 0x0000ffff | 0x80070000;
								_t130 = _t108;
							}
							if(_t130 < 0) {
								goto L49;
							} else {
								goto L19;
							}
						} else {
							goto L52;
						}
					} else {
						_t108 = GetLastError();
						if(_t108 > 0) {
							_t123 = _t108;
						}
						if(_t123 < 0) {
							goto L56;
						} else {
							goto L11;
						}
					}
				} else {
					_t108 = GetLastError();
					if(_t108 > 0) {
						_t118 = _t108;
					}
					if(_t118 < 0) {
						goto L56;
					}
					goto L5;
				}
			}

0x012592bb
0x012592c6
0x012592cd
0x012592d3
0x012592e9
0x012592f2
0x01259547
0x0125954e
0x01259556
0x01259556
0x0125955c
0x01259563
0x0125956b
0x0125956b
0x01259572
0x01259597
0x0125959e
0x012595a6
0x012595a6
0x012595bb
0x01259574
0x01259574
0x0125957a
0x01259582
0x01259584
0x0125958c
0x01259593
0x01259593
0x01259595
0x01259595
0x00000000
0x01259582
0x01259572
0x012592fe
0x01259305
0x0125930c
0x01259312
0x01259317
0x01259335
0x01259338
0x01259542
0x00000000
0x01259542
0x0125933e
0x01259341
0x01259347
0x01259376
0x01259376
0x0125937b
0x01259399
0x0125939d
0x00000000
0x00000000
0x012593b5
0x012593b9
0x00000000
0x00000000
0x012593cc
0x012593d2
0x012593db
0x012593f9
0x012593f9
0x012593fb
0x01259403
0x0125942f
0x01259442
0x01259446
0x00000000
0x00000000
0x01259460
0x01259466
0x00000000
0x00000000
0x0125946f
0x012594aa
0x012594ad
0x00000000
0x00000000
0x012594af
0x012594b6
0x012594e1
0x012594e7
0x012594ed
0x012594ef
0x00000000
0x00000000
0x012594f7
0x012594f9
0x012594fb
0x00000000
0x00000000
0x01259503
0x01259503
0x00000000
0x01259503
0x012594c3
0x012594c5
0x012594c7
0x00000000
0x00000000
0x012594cf
0x012594d1
0x012594d3
0x012594db
0x012594dd
0x012594dd
0x012594df
0x00000000
0x00000000
0x00000000
0x00000000
0x0125947a
0x0125948b
0x0125948f
0x00000000
0x00000000
0x012594a1
0x012594a6
0x01259505
0x01259505
0x01259507
0x01259507
0x00000000
0x00000000
0x00000000
0x01259507
0x0125946f
0x0125940e
0x00000000
0x00000000
0x01259416
0x0125941e
0x00000000
0x00000000
0x01259509
0x01259516
0x0125951c
0x01259524
0x0125952d
0x01259533
0x01259535
0x0125953c
0x0125953c
0x0125953c
0x0125953e
0x0125952f
0x0125952f
0x0125952f
0x00000000
0x0125952d
0x012593e3
0x012593e7
0x012593ef
0x012593f1
0x012593f1
0x012593f3
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0125935a
0x01259360
0x01259364
0x0125936e
0x0125936e
0x01259370
0x00000000
0x00000000
0x00000000
0x00000000
0x01259370
0x01259319
0x0125931f
0x01259323
0x0125932d
0x0125932d
0x0125932f
0x00000000
0x00000000
0x00000000
0x0125932f

APIs

GetFileAttributesW.KERNELBASE(00000000,?,00000000,00000000,0127BEF0), ref: 0125930C
GetLastError.KERNEL32 ref: 01259319
SetFileAttributesW.KERNEL32(00000000,00000080), ref: 01259354
GetLastError.KERNEL32 ref: 0125935A
FindFirstFileW.KERNELBASE(00000000,?,\*.*,00000000,00000000), ref: 012593CC
GetLastError.KERNEL32 ref: 012593DD
SetFileAttributesW.KERNEL32(00000000,00000080,?,00000000,00000000), ref: 012594C3
GetLastError.KERNEL32 ref: 012594C9
DeleteFileW.KERNEL32(00000000,?,00000000,00000000), ref: 012594E7
GetLastError.KERNEL32 ref: 012594F1
FindNextFileW.KERNELBASE(000000FF,?,?,00000000,00000000), ref: 01259516
GetLastError.KERNEL32 ref: 01259524
FindClose.KERNELBASE(000000FF,?,00000000,00000000,0127BEF0), ref: 01259556
RemoveDirectoryW.KERNELBASE(00000000,?,00000000,00000000,0127BEF0), ref: 0125957A
GetLastError.KERNEL32 ref: 01259584

Strings

\*.*, xrefs: 012593A5

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: ErrorLast$File$AttributesFind$CloseDeleteDirectoryFirstNextRemove
String ID: \*.*
API String ID: 2447602905-1173974218
Opcode ID: c65ca4dd0fd93fd985673426abeb8335564f1b9055214d83a2405447365fc003
Instruction ID: e51fbf063a2acdb8159f305d7d6e1ffec51318c9db6c02e0b90410e6c305696a
Opcode Fuzzy Hash: c65ca4dd0fd93fd985673426abeb8335564f1b9055214d83a2405447365fc003
Instruction Fuzzy Hash: 9B719432D2163BDBDFB15B28ECC87AD7A64AF04768F0502A09E05F6191D7718ED0DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0125A505 Relevance: 21.1, APIs: 14, Instructions: 135
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0125A505(void** __edi, void* __eflags) {
				signed int _v8;
				void* _v12;
				long _v16;
				long _v20;
				char _v24;
				long _v28;
				char _v32;
				long _v36;
				signed int _t50;
				long _t53;
				void* _t55;
				int _t62;
				signed int _t63;
				signed int _t70;
				void* _t72;
				void* _t75;
				void* _t80;
				intOrPtr _t82;
				void** _t85;

				_t85 = __edi;
				_v12 = 0;
				_v16 = 0;
				_v28 = 0;
				_v24 = 0;
				_v20 = 0;
				_v32 = 0;
				_t50 = E01259B6A( *__edi, 0, 0); // executed
				_v8 = _t50;
				if(_t50 < 0) {
					L21:
					return _v8;
				} else {
					do {
						_v8 = _v16;
						if(_v12 != 0) {
							_t53 = _v28;
							_v16 = _t53;
							_t55 = RtlReAllocateHeap(GetProcessHeap(), 0, _v12, _t53); // executed
							if(_t55 == 0) {
								L12:
								_v8 = 0x8007000e;
								L18:
								if(_v12 != 0 && HeapFree(GetProcessHeap(), 0, _v12) == 0) {
									E01259A29();
								}
								goto L21;
							}
							_v12 = _t55;
							L7:
							_v36 = _v36 & 0x00000000;
							_t62 = ReadFile( *_t85, _v12 + _v8, _v16 - _v8,  &_v36, 0); // executed
							if(_t62 == 0) {
								_t63 = GetLastError();
								_v8 = _t63;
								if(_t63 > 0) {
									_v8 = _t63 & 0x0000ffff | 0x80070000;
								}
								if(_v8 >= 0) {
									_v8 = 0x80004005;
								}
								goto L18;
							}
							goto L8;
						}
						_v16 = 0x20000;
						_t80 = RtlAllocateHeap(GetProcessHeap(), 8, 0x20000); // executed
						_v12 = _t80;
						if(_t80 != 0) {
							goto L7;
						}
						_v8 = 0x8007000e;
						goto L21;
						L8:
						_t70 = E0125A681(_v12, _v16,  &_v28,  &_v24,  &_v20,  &_v32);
						_v8 = _t70;
					} while (_t70 == 0x8007007a);
					if(_t70 < 0) {
						goto L18;
					}
					_t72 = HeapAlloc(GetProcessHeap(), 8, _v20);
					_t85[2] = _t72;
					if(_t72 == 0) {
						goto L12;
					}
					_t34 = _v24 + 0x20; // 0x8b000006
					_t75 = HeapAlloc(GetProcessHeap(), 8,  *_t34);
					_t85[3] = _t75;
					if(_t75 != 0) {
						_t82 = _v24;
						E01271150(_t85[2], _t82, _v20);
						_t44 = _t82 + 0x20; // 0x8b000006
						E01271150(_t85[3], _v32,  *_t44);
						goto L18;
					}
					goto L12;
				}
			}

0x0125a505
0x0125a515
0x0125a518
0x0125a51b
0x0125a51e
0x0125a521
0x0125a524
0x0125a527
0x0125a52c
0x0125a531
0x0125a675
0x0125a67b
0x0125a537
0x0125a543
0x0125a54a
0x0125a54d
0x0125a572
0x0125a579
0x0125a581
0x0125a589
0x0125a603
0x0125a603
0x0125a658
0x0125a65c
0x0125a670
0x0125a670
0x00000000
0x0125a65c
0x0125a58b
0x0125a58e
0x0125a591
0x0125a5a7
0x0125a5af
0x0125a60c
0x0125a612
0x0125a617
0x0125a623
0x0125a623
0x0125a62a
0x0125a62c
0x0125a62c
0x00000000
0x0125a62a
0x00000000
0x0125a5af
0x0125a557
0x0125a55d
0x0125a55f
0x0125a564
0x00000000
0x00000000
0x0125a566
0x00000000
0x0125a5b1
0x0125a5c7
0x0125a5cc
0x0125a5cf
0x0125a5dc
0x00000000
0x00000000
0x0125a5e6
0x0125a5e8
0x0125a5ed
0x00000000
0x00000000
0x0125a5f2
0x0125a5fa
0x0125a5fc
0x0125a601
0x0125a638
0x0125a63f
0x0125a647
0x0125a650
0x00000000
0x0125a655
0x00000000
0x0125a601

APIs

Part of subcall function 01259B6A: SetFilePointerEx.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0125A52C,00000000,00000000,00000000,00000000,00000000,00000000), ref: 01259B82
Part of subcall function 01259B6A: GetLastError.KERNEL32(?,?,?,0125A52C,00000000,00000000,00000000,00000000,00000000,00000000,?,?,01255AF6,0127BEF0), ref: 01259B8C

GetProcessHeap.KERNEL32(00000008,00020000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,01255AF6,0127BEF0), ref: 0125A55A
RtlAllocateHeap.NTDLL(00000000,?,?,01255AF6,0127BEF0), ref: 0125A55D
GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,01255AF6,0127BEF0), ref: 0125A57E
RtlReAllocateHeap.NTDLL(00000000,?,?,01255AF6,0127BEF0), ref: 0125A581
ReadFile.KERNELBASE(00000000,00000000,?,00000000,00000000), ref: 0125A5A7
GetProcessHeap.KERNEL32(00000008,0127BEF0,00000000,?,?,01255AF6,0127BEF0,?), ref: 0125A5E3
HeapAlloc.KERNEL32(00000000), ref: 0125A5E6
GetProcessHeap.KERNEL32(00000008,8B000006), ref: 0125A5F7
HeapAlloc.KERNEL32(00000000), ref: 0125A5FA
GetLastError.KERNEL32 ref: 0125A60C
GetProcessHeap.KERNEL32(00000000,00000000,?,?,01255AF6,0127BEF0), ref: 0125A663
HeapFree.KERNEL32(00000000,?,?,01255AF6,0127BEF0), ref: 0125A666

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: Heap$Process$AllocAllocateErrorFileLast$FreePointerRead
String ID:
API String ID: 15841721-0
Opcode ID: 17cee0b5aef08b35292330398b176f027c8b5b3a203505531bc27a8f62d73e1b
Instruction ID: af26ad742cecc78e35657f52566abe94e8bf2f9ed3b9bc3fea97ebafd6b80c79
Opcode Fuzzy Hash: 17cee0b5aef08b35292330398b176f027c8b5b3a203505531bc27a8f62d73e1b
Instruction Fuzzy Hash: 8D4127B1D1021AEFDF119FE5D889BAEBFB8FF08344F108156EA04E7250D7749A509BA0

Uniqueness

Uniqueness Score: -1.00%

Function 01257C12 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 56
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 28%

			E01257C12(intOrPtr _a4) {
				signed int _t2;
				signed int _t4;
				struct HINSTANCE__* _t7;
				void* _t10;
				void* _t11;
				void* _t14;
				signed int _t18;

				if( *0x127c118 != 0) {
					L13:
					__imp__DecryptFileW(_a4, 0); // executed
					__eflags = _t2;
					if(_t2 == 0) {
						_t4 = GetLastError();
						__eflags = _t4;
						if(__eflags > 0) {
							_t4 = _t4 & 0x0000ffff | 0x80070000;
							__eflags = _t4;
						}
						if(__eflags >= 0) {
							_t4 = 0x80004005;
						}
						_push("Failed to decrypt the extract directory");
						goto L19;
					}
				} else {
					_t7 = LoadLibraryW(L"advapi32.dll");
					if(_t7 != 0) {
						_t2 = GetProcAddress(_t7, "DecryptFileW");
						 *0x127c118 = _t2;
						__eflags = _t2;
						if(_t2 != 0) {
							goto L13;
						} else {
							_t4 = GetLastError();
							__eflags = _t4;
							if(__eflags > 0) {
								_t4 = _t4 & 0x0000ffff | 0x80070000;
								__eflags = _t4;
							}
							if(__eflags >= 0) {
								_t4 = 0x80004005;
							}
							_push("Failed to load DecryptFileW from advapi.dll");
							goto L19;
						}
					} else {
						_t4 = GetLastError();
						if(_t4 > 0) {
							_t4 = _t4 & 0x0000ffff | 0x80070000;
							_t18 = _t4;
						}
						if(_t18 >= 0) {
							_t4 = 0x80004005;
						}
						_push("Failed to load advapi32.dll");
						L19:
						_push(_t4);
						E0125854A(_t10, _t11, _t14);
					}
				}
				return 0;
			}

0x01257c1e
0x01257c8c
0x01257c91
0x01257c97
0x01257c99
0x01257c9b
0x01257ca1
0x01257ca3
0x01257caa
0x01257caf
0x01257caf
0x01257cb1
0x01257cb3
0x01257cb3
0x01257cb8
0x00000000
0x01257cb8
0x01257c20
0x01257c25
0x01257c2d
0x01257c59
0x01257c5f
0x01257c64
0x01257c66
0x00000000
0x01257c68
0x01257c68
0x01257c6e
0x01257c70
0x01257c77
0x01257c7c
0x01257c7c
0x01257c7e
0x01257c80
0x01257c80
0x01257c85
0x00000000
0x01257c85
0x01257c2f
0x01257c2f
0x01257c37
0x01257c3e
0x01257c43
0x01257c43
0x01257c45
0x01257c47
0x01257c47
0x01257c4c
0x01257cbd
0x01257cbd
0x01257cbe
0x01257cc4
0x01257c2d
0x01257cc8

APIs

LoadLibraryW.KERNEL32(advapi32.dll,?,01256F3D,00C874B0,00C874B0,00000000,?,?,00000000,?,?,01255B53,?,?,?,?), ref: 01257C25
GetLastError.KERNEL32(?,01256F3D,00C874B0,00C874B0,00000000,?,?,00000000,?,?,01255B53,?,?,?,?,?), ref: 01257C2F
GetProcAddress.KERNEL32(00000000,DecryptFileW), ref: 01257C59
GetLastError.KERNEL32(?,01256F3D,00C874B0,00C874B0,00000000,?,?,00000000,?,?,01255B53,?,?,?,?,?), ref: 01257C68
DecryptFileW.ADVAPI32(?,00000000), ref: 01257C91
GetLastError.KERNEL32(?,01256F3D,00C874B0,00C874B0,00000000,?,?,00000000,?,?,01255B53,?,?,?,?,?), ref: 01257C9B

Strings

Failed to load DecryptFileW from advapi.dll, xrefs: 01257C85
Failed to decrypt the extract directory, xrefs: 01257CB8
Failed to load advapi32.dll, xrefs: 01257C4C
DecryptFileW, xrefs: 01257C53
advapi32.dll, xrefs: 01257C20

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: ErrorLast$AddressDecryptFileLibraryLoadProc
String ID: DecryptFileW$Failed to decrypt the extract directory$Failed to load DecryptFileW from advapi.dll$Failed to load advapi32.dll$advapi32.dll
API String ID: 156776402-3428403797
Opcode ID: 29b3179bfa893cb321f11bc3292d9c0bc2be221e257c8bfaadab8a1f48e0462a
Instruction ID: e176b84acfba42a8b05217c0e13d9fd8170efb11d17cebca40a010d73264b4c4
Opcode Fuzzy Hash: 29b3179bfa893cb321f11bc3292d9c0bc2be221e257c8bfaadab8a1f48e0462a
Instruction Fuzzy Hash: C51157327F0343ABE3B42A7ABECDB227A885B11756F900038BF09D9154F6B8C4608754

Uniqueness

Uniqueness Score: -1.00%

Function 0125751D Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 128
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 70%

			E0125751D(void* __edx, signed int* _a4) {
				signed int _v8;
				char _v24;
				signed int _v25;
				signed int _v32;
				long* _v36;
				signed int* _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t33;
				int _t38;
				signed int _t40;
				signed int _t57;
				void* _t61;
				void* _t66;
				signed int* _t68;
				signed int _t70;
				signed int _t73;
				void* _t74;
				signed int _t77;

				_t66 = __edx;
				_t33 =  *0x127a050; // 0xa41d0fe1
				_v8 = _t33 ^ _t73;
				_v40 = _a4;
				asm("stosd");
				asm("stosd");
				_t57 = 0;
				asm("stosd");
				asm("stosd");
				_t70 = 0;
				_v36 = 0;
				_v32 = 0;
				_t38 = CryptAcquireContextA( &_v36, 0, 0, 1, 0xf0000000); // executed
				if(_t38 != 0) {
					_t40 = CryptGenRandom(_v36, 0x10,  &_v24);
					__eflags = _t40;
					if(_t40 != 0) {
						_t68 = _v40;
						_t57 = (_v24 & 0x00000007) + 9 + (_v24 & 0x00000007) + 9;
						__eflags = _t57;
						 *_t68 = 0;
						_v25 = 0;
						if(_t57 == 0) {
							L24:
							if(_v36 != 0) {
								CryptReleaseContext(_v36, 0);
							}
							if(_v32 != 0) {
								E01258E6F(_v32);
							}
							return E012691D5(_t70, _t57, _v8 ^ _t73, _t66, 0, _t70);
						} else {
							goto L13;
						}
						while(1) {
							L13:
							_v32 = _v32 & 0x00000000;
							_t70 = E01258B7E( &_v32, L"%02x",  *(_t73 + ((_v25 & 0x000000ff) >> 1) - 0x14) & 0x000000ff);
							_t74 = _t74 + 0xc;
							__eflags = _t70;
							if(_t70 < 0) {
								break;
							}
							__eflags =  *_t68;
							if( *_t68 != 0) {
								_t70 = E01258ABB(_t68, _t61, _v32, 0);
								__eflags = _t70;
								if(_t70 < 0) {
									_push("Failed to concatenate the formatted byte to the random string");
									L23:
									_push(_t70);
									E0125854A(_t57, _t61, _t66);
									goto L24;
								}
								__eflags = _v32;
								if(_v32 != 0) {
									E01258E6F(_v32);
								}
								L19:
								_v25 = _v25 + 2;
								_v32 = _v32 & 0x00000000;
								__eflags = _v25 - _t57;
								if(_v25 < _t57) {
									continue;
								}
								goto L24;
							}
							 *_t68 = _v32;
							goto L19;
						}
						_push("Failed to allocate formatted current byte for the random string");
						goto L23;
					}
					_t70 = GetLastError();
					__eflags = _t70;
					if(__eflags > 0) {
						_t70 = _t70 & 0x0000ffff | 0x80070000;
						__eflags = _t70;
					}
					if(__eflags >= 0) {
						_t70 = 0x80004005;
					}
					_push("Failed to generate a random value");
					goto L23;
				}
				_t70 = GetLastError();
				if(_t70 > 0) {
					_t70 = _t70 & 0x0000ffff | 0x80070000;
					_t77 = _t70;
				}
				if(_t77 >= 0) {
					_t70 = 0x80004005;
				}
				_push("Failed to acquire Crypto context");
				goto L23;
			}

0x0125751d
0x01257525
0x0125752c
0x01257535
0x0125753d
0x0125753e
0x01257544
0x01257546
0x0125754a
0x01257550
0x01257552
0x01257555
0x01257558
0x01257560
0x01257596
0x0125759c
0x0125759e
0x012575ce
0x012575d7
0x012575d7
0x012575d9
0x012575db
0x012575df
0x01257657
0x0125765c
0x01257662
0x01257662
0x0125766b
0x01257670
0x01257670
0x01257685
0x00000000
0x00000000
0x00000000
0x012575e1
0x012575e1
0x012575e5
0x012575ff
0x01257601
0x01257604
0x01257606
0x00000000
0x00000000
0x01257608
0x0125760b
0x01257620
0x01257622
0x01257624
0x0125764a
0x0125764f
0x0125764f
0x01257650
0x00000000
0x01257656
0x01257626
0x0125762a
0x0125762f
0x0125762f
0x01257634
0x01257634
0x01257638
0x0125763c
0x0125763f
0x00000000
0x00000000
0x00000000
0x01257641
0x01257610
0x00000000
0x01257610
0x01257643
0x00000000
0x01257643
0x012575a6
0x012575a8
0x012575aa
0x012575b2
0x012575b8
0x012575b8
0x012575ba
0x012575bc
0x012575bc
0x012575c1
0x00000000
0x012575c1
0x01257568
0x0125756c
0x01257574
0x0125757a
0x0125757a
0x0125757c
0x0125757e
0x0125757e
0x01257583
0x00000000

APIs

CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,00000000,0127BEF0,?,?,?,?,?,0127BEF0), ref: 01257558
GetLastError.KERNEL32 ref: 01257562
CryptGenRandom.ADVAPI32(?,00000010,?), ref: 01257596
GetLastError.KERNEL32 ref: 012575A0
CryptReleaseContext.ADVAPI32(?,00000000), ref: 01257662

Strings

Failed to allocate formatted current byte for the random string, xrefs: 01257643
%02x, xrefs: 012575F4
Failed to concatenate the formatted byte to the random string, xrefs: 0125764A
Failed to acquire Crypto context, xrefs: 01257583
Failed to generate a random value, xrefs: 012575C1

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: Crypt$ContextErrorLast$AcquireRandomRelease
String ID: %02x$Failed to acquire Crypto context$Failed to allocate formatted current byte for the random string$Failed to concatenate the formatted byte to the random string$Failed to generate a random value
API String ID: 236824231-4110481378
Opcode ID: 808af5e774ab324b5c52e7839e8bbb8b20c7560eda69394ba9504c922924f72b
Instruction ID: 56f4e752b0bb68c5756a39580382345bed3b99dd7d9993b44f76899bb6591471
Opcode Fuzzy Hash: 808af5e774ab324b5c52e7839e8bbb8b20c7560eda69394ba9504c922924f72b
Instruction Fuzzy Hash: EE41E972D60257AFDB619BADD8C5BFEFBB5AF14350F550029EE00B3141D7B849008BA5

Uniqueness

Uniqueness Score: -1.00%

Function 0125F9FE Relevance: 16.8, APIs: 7, Strings: 2, Instructions: 1051
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E0125F9FE(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, intOrPtr* _a16, signed int _a20) {
				signed int _v8;
				signed int _v16;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				struct _CRITICAL_SECTION _v64;
				signed int _v68;
				char _v72;
				intOrPtr* _v76;
				char _v80;
				void* _v84;
				intOrPtr* _v88;
				intOrPtr _v92;
				char _v96;
				void* _v100;
				char _v104;
				void* _v108;
				void* _v112;
				void* _v116;
				void* _v120;
				void* _v124;
				void* _v128;
				void* _v132;
				void* _v136;
				void* _v140;
				void* _v148;
				char _v204;
				void* _v208;
				char _v212;
				char _v220;
				void* _v228;
				char _v232;
				char _v236;
				void* _v240;
				char _v244;
				void* _v256;
				void* _v264;
				void* _v268;
				void* _v272;
				void* _v276;
				char _v280;
				char _v288;
				char _v292;
				signed int _v296;
				char _v300;
				signed int _v304;
				signed int _v308;
				char _v312;
				char _v316;
				signed int _v320;
				char _v324;
				signed int _v328;
				struct _CRITICAL_SECTION _v332;
				char _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				intOrPtr _v352;
				char _v356;
				char _v360;
				signed int _v364;
				signed int _v368;
				char _v372;
				char _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				struct _CRITICAL_SECTION _v392;
				char _v396;
				char _v400;
				signed int _v404;
				signed int _v408;
				char _v412;
				char _v416;
				signed int _v420;
				signed int _v424;
				signed int _v428;
				char _v436;
				void* _v444;
				void* _v452;
				char _v456;
				signed int _v460;
				signed int _v464;
				signed int _v468;
				signed int _v472;
				struct _CRITICAL_SECTION _v476;
				struct _CRITICAL_SECTION _v484;
				char _v500;
				intOrPtr _v504;
				struct _CRITICAL_SECTION _v516;
				struct _CRITICAL_SECTION _v520;
				struct _CRITICAL_SECTION _v524;
				signed int _v528;
				struct _CRITICAL_SECTION _v532;
				struct _CRITICAL_SECTION _v544;
				struct _CRITICAL_SECTION _v556;
				struct _CRITICAL_SECTION _v560;
				signed int _v564;
				struct _CRITICAL_SECTION _v568;
				struct _CRITICAL_SECTION _v572;
				struct _CRITICAL_SECTION _v576;
				struct _CRITICAL_SECTION _v580;
				struct _CRITICAL_SECTION _v584;
				struct _CRITICAL_SECTION _v588;
				struct _CRITICAL_SECTION _v592;
				intOrPtr* _v596;
				struct _CRITICAL_SECTION _v600;
				signed int _v604;
				signed int _v608;
				char _v612;
				intOrPtr* _v616;
				struct _CRITICAL_SECTION _v620;
				signed int _v624;
				signed int _v628;
				void* _v632;
				struct _CRITICAL_SECTION _v636;
				signed int _v640;
				struct _CRITICAL_SECTION _v644;
				struct _CRITICAL_SECTION _v648;
				struct _CRITICAL_SECTION _v652;
				signed int _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				intOrPtr* _v676;
				signed int _v680;
				struct _CRITICAL_SECTION _v684;
				intOrPtr _v688;
				intOrPtr* _v692;
				void* _v696;
				void* _v700;
				void* _v704;
				void* _v708;
				void* _v712;
				void* _v716;
				void* _v720;
				void* _v724;
				void* _v728;
				void* _v732;
				void* _v736;
				signed int _t591;
				signed int _t618;
				char _t620;
				void* _t621;
				intOrPtr _t626;
				signed int _t633;
				struct _CRITICAL_SECTION _t642;
				void* _t651;
				intOrPtr* _t666;
				intOrPtr* _t675;
				void* _t677;
				intOrPtr* _t691;
				signed int _t698;
				struct _CRITICAL_SECTION _t701;
				intOrPtr _t704;
				struct _CRITICAL_SECTION _t717;
				intOrPtr* _t726;
				intOrPtr* _t728;
				signed int _t737;
				signed int _t738;
				struct _CRITICAL_SECTION _t745;
				void* _t749;
				intOrPtr* _t751;
				struct _CRITICAL_SECTION _t763;
				intOrPtr* _t768;
				intOrPtr* _t773;
				intOrPtr* _t783;
				signed int _t784;
				intOrPtr* _t790;
				intOrPtr* _t799;
				intOrPtr* _t800;
				intOrPtr* _t801;
				intOrPtr* _t806;
				intOrPtr* _t811;
				signed int _t825;
				void* _t829;
				signed int _t830;
				signed int _t832;
				signed char _t836;
				struct _CRITICAL_SECTION _t839;
				intOrPtr* _t844;
				struct _CRITICAL_SECTION _t846;
				signed int _t866;
				struct _CRITICAL_SECTION _t868;
				void* _t874;
				char _t876;
				intOrPtr* _t877;
				signed int _t891;
				intOrPtr _t894;
				intOrPtr _t915;
				signed int _t925;
				signed int _t929;
				signed int _t930;
				signed int _t935;
				intOrPtr* _t969;
				signed int _t977;
				char _t980;
				struct _CRITICAL_SECTION _t985;
				struct _CRITICAL_SECTION _t987;
				struct _CRITICAL_SECTION _t988;
				signed int _t993;
				intOrPtr _t994;
				intOrPtr _t995;
				intOrPtr* _t998;
				signed int _t999;
				signed int _t1003;
				signed int _t1005;
				signed int _t1007;
				struct _CRITICAL_SECTION _t1008;
				struct _CRITICAL_SECTION _t1020;
				signed int _t1024;
				signed int _t1026;
				void* _t1028;

				_push(0xffffffff);
				_push(0x1276c8c);
				_push( *[fs:0x0]);
				_t1026 = (_t1024 & 0xfffffff8) - 0x278;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t591 =  *0x127a050; // 0xa41d0fe1
				_push(_t591 ^ _t1026);
				 *[fs:0x0] =  &_v16;
				_t868 = 0;
				_t980 = 8;
				_v424 = 0;
				_v420 = 0;
				_v416 = 0;
				_v412 = _t980;
				_v428 = 0x12552d4;
				_v8 = 0;
				_t972 = 0x12552d4;
				_v344 = 0;
				_v340 = 0;
				_v336 = 0;
				_v332 = 1;
				_v348 = 0x12552d4;
				_t876 = 4;
				_v384 = 0;
				_v380 = 0;
				_v376 = 0;
				_v372 = _t876;
				_v388 = 0x12552d4;
				_v468 = 0;
				_v464 = 0;
				_v460 = 0;
				_v456 = _t876;
				_v472 = 0x12552dc;
				_v304 = 0;
				_v300 = 0;
				_v296 = 0;
				_v292 = _t876;
				_v308 = 0x12552d4;
				_v324 = 0;
				_v320 = 0;
				_v316 = 0;
				_v312 = _t980;
				_v328 = 0x12552d4;
				_v404 = 0;
				_v400 = 0;
				_v396 = 0;
				_v392 = 1;
				_v408 = 0x12552d4;
				_v364 = 0;
				_v360 = 0;
				_v356 = 0;
				_v352 = _t876;
				_v368 = 0x12552d4;
				_t991 = _a4;
				_v8 = 7;
				E0125F833(0x12552d4, _a4, 0, _a16,  &_v428,  &_v348,  &_v388,  &_v472,  &_v308,  &_v328,  &_v408,  &_v368);
				_v604 = 0;
				E01264193( &_v204, _t1028);
				_t877 = _a16;
				_v648 = 0;
				_v644 =  *_t877 + _a8;
				asm("adc eax, [ebp+0x10]");
				_v640 =  *((intOrPtr*)(_t877 + 4));
				if(_v504 <= 0) {
					L139:
					_push(_t1026 + 0x1f4);
					_v8 = 7;
					L159(); // executed
					 *(_t1026 + 0x290) = 6;
					E01262BD6( &_v372);
					 *(_t1026 + 0x290) = 5;
					E01262BD6( &_v412);
					 *(_t1026 + 0x290) = 4;
					E01262BD6( &_v332);
					 *(_t1026 + 0x290) = 3;
					E01262BD6( &_v312);
					_push( &_v476);
					 *((char*)(_t1026 + 0x294)) = 2;
					E0125DAA7(_t991, _t1058);
					_v16 = 1;
					E01262BD6( &_v396);
					_v16 = _t868;
					E01262BD6( &_v356);
					_v16 = _v16 | 0xffffffff;
					E01262BD6( &_v436);
					_t618 = 0;
					goto L140;
				} else {
					 *((intOrPtr*)(_t1026 + 0x17c)) = 0;
					_v280 = 0;
					_v288 = 0x12552c8;
					do {
						_t983 =  *(_v460 + _v608 * 4);
						_v624 = _t983;
						_v8 = 9;
						_t620 = E012735E6(0xc);
						_v612 = _t620;
						_v8 = 0xa;
						if(_t620 == _t868) {
							_t621 = 0;
							__eflags = 0;
						} else {
							_t621 = E01261BE9(_t620,  &_v288);
							_t868 = 0;
						}
						_t993 = _a20;
						_v8 = 9;
						E01264F46(_t972, _t993, _t621);
						_push(_t868);
						 *((char*)(_t1026 + 0x294)) = 8;
						E01273539();
						_v620 =  *( *((intOrPtr*)(_t993 + 0xc)) +  *(_t993 + 8) * 4 - 4);
						_t626 =  *((intOrPtr*)(_t983 + 0x44));
						if(_t626 != _t868) {
							_t891 = _t626 - 1;
							while(1) {
								__eflags = _t891 - _t868;
								if(_t891 < _t868) {
									goto L158;
								}
								_t972 =  *(_t983 + 0x1c);
								__eflags = _t972 - _t868;
								if(_t972 <= _t868) {
									L13:
									_t993 = 0xffffffff;
									__eflags = 0xffffffff;
								} else {
									_t866 =  *((intOrPtr*)(_t983 + 0x20)) + 4;
									__eflags = _t866;
									while(1) {
										__eflags =  *_t866 - _t891;
										if( *_t866 == _t891) {
											goto L14;
										}
										_t993 = 1;
										_t866 = _t866 + 8;
										__eflags = 1 - _t972;
										if(1 < _t972) {
											continue;
										} else {
											goto L13;
										}
										goto L14;
									}
								}
								L14:
								__eflags = _t993 - _t868;
								if(_t993 < _t868) {
									_t983 =  *(_t983 + 0x48);
									_t894 =  *((intOrPtr*)(_t983 + 4 + _t891 * 8));
									_v556 =  *(_t983 + _t891 * 8);
									goto L17;
								} else {
									_t891 = _t891 - 1;
									continue;
								}
								goto L162;
							}
							goto L158;
						} else {
							_v556 = _t868;
							_t894 = 0;
							L17:
							_t639 = _v556;
							if(_v556 != _v556 || _t868 != _t894) {
								L157:
								E0125EA39(_t868, _t894);
								L158:
								_v560 = 1;
								E01273B07( &_v560, 0x12771d8);
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								_push(0);
								E01274DF4(0x1276215, _t868, _t983, _t993);
								_t994 = _a4;
								_push(_t994 + 0x78);
								_v8 = 1;
								E01264F70(_t868, _t983, _t994, __eflags);
								_v8 = 0;
								_t633 =  *(_t994 + 0x74);
								__eflags = _t633;
								if(_t633 != 0) {
									 *((intOrPtr*)( *_t633 + 8))(_t633);
								}
								_t995 = _t994 + 4;
								_a4 = _t995;
								_v8 = 2;
								E01262BD6(_t995 + 0x50);
								_t588 =  &_v8;
								 *_t588 = _v8 | 0xffffffff;
								__eflags =  *_t588;
								_push(_t995);
								return E01274EE0(E0125E618(_t995,  *_t588));
							} else {
								E012618E8(_t639, _v616);
								_t642 = E012735E6(0x14);
								if(_t642 == _t868) {
									_v620 = _t868;
									_t985 = _t868;
								} else {
									_t985 = _t642;
									 *(_t642 + 4) = _t868;
									 *_t642 = 0x12554a8;
									_v620 = _t985;
								}
								 *(_t1026 + 0x1f0) = _t985;
								_t1035 = _t985 - _t868;
								if(_t985 != _t868) {
									 *((intOrPtr*)( *_t985 + 4))(_t985);
								}
								_v8 = 0xb;
								 *((intOrPtr*)(_t985 + 8)) =  *((intOrPtr*)(_v616 + 8));
								 *(_t985 + 0xc) = _v556;
								 *(_t985 + 0x10) = _t868;
								_t897 = _v624;
								_v516 = _v416 + _v564 * 8;
								_t998 =  *_a4;
								_v592 = _v604;
								_v588 = _v600;
								_t651 = E0125E749(_t868, _v624, _t985, _t998, _t1035);
								_t1036 = _t651;
								if(_t651 == 0) {
									_t999 = 0x80004001;
									goto L149;
								} else {
									_v580 = _t868;
									_v576 = _t868;
									_v572 = _t868;
									_v568 = 4;
									_v584 = 0x125556c;
									_v544 = _t868;
									_push(_t1026 + 0x7c);
									_v8 = 0xd;
									E01267E82(_t1036);
									 *(_t1026 + 0x290) = 0xe;
									if(_t998 != _t868) {
										 *((intOrPtr*)( *_t998 + 4))(_t998);
									}
									_t666 =  *((intOrPtr*)(_t1026 + 0x78));
									if(_t666 != _t868) {
										_t897 =  *_t666;
										 *((intOrPtr*)( *_t666 + 8))(_t666);
									}
									 *((intOrPtr*)(_t1026 + 0x78)) = _t998;
									_v640 = _t868;
									if( *((intOrPtr*)(_v628 + 0x30)) > _t868) {
										do {
											_t839 = E012735E6(0x18);
											if(_t839 == _t868) {
												_t988 = 0;
												__eflags = 0;
											} else {
												 *(_t839 + 4) = _t868;
												 *_t839 = 0x1255550;
												_t988 = _t839;
											}
											_v644 = _t988;
											if(_t988 != _t868) {
												 *((intOrPtr*)( *_t988 + 4))(_t988);
											}
											 *(_t1026 + 0x290) = 0xf;
											 *((intOrPtr*)(_t988 + 8)) = _t1026 + 0x78;
											 *((intOrPtr*)(_t988 + 0x10)) = _v596;
											 *(_t988 + 0x14) = _v592;
											_t844 = _v520 + _v640 * 8;
											_v596 = _v596 +  *_t844;
											_v616 = _t844;
											asm("adc [esp+0x4c], eax");
											_t846 = E012735E6(0x28);
											if(_t846 == _t868) {
												_t846 = 0;
												__eflags = 0;
											} else {
												 *(_t846 + 4) = _t868;
												 *_t846 = 0x1255540;
												 *(_t846 + 8) = _t868;
											}
											_v648 = _t846;
											_v636 = _t846;
											_t1043 = _t846 - _t868;
											if(_t846 != _t868) {
												 *((intOrPtr*)( *_t846 + 4))(_t846);
											}
											 *(_t1026 + 0x290) = 0x10;
											E01262BB6(_t988, _v648 + 8);
											_t1020 = _v648;
											_t969 = _v616;
											 *((intOrPtr*)(_t1020 + 0x10)) =  *_t969;
											 *((intOrPtr*)(_t1020 + 0x14)) =  *((intOrPtr*)(_t969 + 4));
											 *(_t1020 + 0x18) = _t868;
											 *(_t1020 + 0x1c) = _t868;
											 *(_t1020 + 0x20) = _t868;
											E01268911(_t868, _t972, _t988, _t1020, _t1043);
											 *(_t1026 + 0x290) = 0xf;
											 *((intOrPtr*)( *_t1020 + 8))(_t1020,  &_v588,  &_v636);
											 *(_t1026 + 0x290) = 0xe;
											 *((intOrPtr*)( *_t988 + 8))(_t988);
											 *((intOrPtr*)(_t1026 + 0x1c)) =  *((intOrPtr*)(_t1026 + 0x1c)) + 1;
											_t897 =  *((intOrPtr*)(_t1026 + 0x1c));
										} while ( *((intOrPtr*)(_t1026 + 0x1c)) <  *((intOrPtr*)(_v644 + 0x30)));
									}
									_t983 = _v628;
									_v640 =  *((intOrPtr*)(_v628 + 8));
									E012641FA( &_v280);
									 *(_t1026 + 0x1d8) = _t868;
									 *(_t1026 + 0x1dc) = _t868;
									 *(_t1026 + 0x1e0) = _t868;
									 *((intOrPtr*)(_t1026 + 0x1e4)) = 8;
									 *(_t1026 + 0x1d4) = 0x12552d4;
									 *(_t1026 + 0x290) = 0x11;
									E01263F8A( &_v280, _v628);
									if( *((intOrPtr*)(_t1026 + 0x1f4)) == _t868) {
										L43:
										 *((intOrPtr*)(_v48 + 4))(_t868,  *((intOrPtr*)(_t1026 + 0x274)));
										_t675 = _v60;
										if(_t675 != _t868) {
											 *((intOrPtr*)( *_t675 + 8))(_t675);
											_v64 = _t868;
										}
										if(_v72 != _t868) {
											_t829 = E012735E6(0x88); // executed
											if(_t829 == _t868) {
												_t830 = 0;
												__eflags = 0;
											} else {
												_t830 = E01264E54(_t829);
											}
											_t983 = _t830;
											_v68 = _t830;
											E01262BB6(_t830,  &_v60);
											_t832 = _v68;
											if(_t832 == _t868) {
												_v64 = _t868;
											} else {
												_v64 = _t832 + 4;
											}
										}
										_t972 =  &_v288;
										_t677 =  *((intOrPtr*)( *_v64))( &_v288);
										_t1000 = _t677;
										_t1051 = _t677 - _t868;
										if(_t677 == _t868) {
											_v660 = _t868;
											__eflags = _v652 - _t868;
											if(__eflags <= 0) {
												L77:
												_t1001 = _t1026 + 0x1f8;
												E01264EBA( &_v292, _t1026 + 0x1f8, __eflags);
												 *((intOrPtr*)(_v96 + 4))(_t868, _v88);
												_t983 =  &_v220;
												E01261D0D( &_v104,  &_v96,  &_v220);
												 *((char*)(_t1026 + 0x1f4)) = 1;
												goto L78;
											} else {
												while(1) {
													_t1005 =  *((intOrPtr*)( *((intOrPtr*)(_v640 + 0xc)) + _v660 * 4));
													 *(_t1026 + 0x18) = _t868;
													_v644 = _t868;
													_push( &_v644);
													_push(_t1026 + 0x1c);
													 *((char*)(_t1026 + 0x298)) = 0x15;
													_push( *((intOrPtr*)(_t1005 + 4)));
													_push( *_t1005);
													_t983 = E01262B6C(_t868, _t983, _t1005, __eflags);
													__eflags = _t983 - _t868;
													if(_t983 != _t868) {
														break;
													}
													_v664 = _t868;
													 *(_t1026 + 0x290) = 0x18;
													__eflags =  *((intOrPtr*)(_t1005 + 0x14)) - 1;
													_t983 = _v672;
													if( *((intOrPtr*)(_t1005 + 0x14)) != 1) {
														L63:
														_t1005 = _v660;
														__eflags = _t1005 - _t868;
														if(_t1005 == _t868) {
															 *(_t1026 + 0x290) = 0x11;
															_t790 = _v672;
															__eflags = _t790 - _t868;
															if(_t790 != _t868) {
																 *((intOrPtr*)( *_t790 + 8))(_t790);
															}
															 *(_t1026 + 0x290) = 0x1b;
															E01262BD6( &_v228);
															_push( &_v308);
															 *((char*)(_t1026 + 0x294)) = 0xe;
															E0125E618(_t1005, __eflags);
															 *(_t1026 + 0x290) = 0x1c;
															goto L145;
														} else {
															 *((intOrPtr*)( *_t1005 + 4))(_t1005);
															_v668 = _t1005;
															__eflags = _v96 - _t868;
															if(__eflags != 0) {
																_t1010 = _v92;
																E01268513(_t868, _v92, _t972, _t983, _v92, __eflags);
																_t983 = _v664;
																E01262BB6(_v664,  *((intOrPtr*)( *((intOrPtr*)(_t1010 + 0x80)) +  *(_t1010 + 0x7c) * 4 - 4)) + 0x18);
															}
															goto L66;
														}
													} else {
														__eflags =  *(_t1005 + 0x18) - 1;
														if( *(_t1005 + 0x18) != 1) {
															goto L63;
														} else {
															__eflags = _t983 - _t868;
															if(_t983 == _t868) {
																 *(_t1026 + 0x290) = 0x14;
																_t811 = _v660;
																__eflags = _t811 - _t868;
																if(_t811 != _t868) {
																	 *((intOrPtr*)( *_t811 + 8))(_t811);
																}
																 *(_t1026 + 0x290) = 0x19;
																E01262BD6( &_v228);
																_push( &_v308);
																 *((char*)(_t1026 + 0x294)) = 0xe;
																E0125E618(_t1005, __eflags);
																 *(_t1026 + 0x290) = 0x1a;
																goto L145;
															} else {
																 *((intOrPtr*)( *_t983 + 4))(_t983);
																_v668 = _t983;
																__eflags = _v96 - _t868;
																if(__eflags != 0) {
																	_t1013 = _v92;
																	E01268513(_t868, _v92, _t972, _t983, _v92, __eflags);
																	E01262BB6(_t983,  *((intOrPtr*)( *((intOrPtr*)(_t1013 + 0x80)) +  *(_t1013 + 0x7c) * 4 - 4)) + 0x14);
																}
																L66:
																_t1008 = E012735E6(4);
																_v648 = _t1008;
																 *(_t1026 + 0x290) = 0x1d;
																__eflags = _t1008 - _t868;
																if(_t1008 == _t868) {
																	_t1008 = 0;
																	__eflags = 0;
																} else {
																	_t806 = _v668;
																	 *_t1008 = _t806;
																	__eflags = _t806 - _t868;
																	if(_t806 != _t868) {
																		 *((intOrPtr*)( *_t806 + 4))(_t806);
																	}
																}
																 *((char*)(_t1026 + 0x294)) = 0x18;
																E01264F46(_t972,  &_v80, _t1008);
																_v48 = 0x15;
																_t799 = _v672;
																__eflags = _t799 - _t868;
																if(_t799 != _t868) {
																	 *((intOrPtr*)( *_t799 + 8))(_t799);
																}
																 *(_t1026 + 0x290) = 0x14;
																_t800 = _v664;
																__eflags = _t800 - _t868;
																if(_t800 != _t868) {
																	 *((intOrPtr*)( *_t800 + 8))(_t800);
																}
																 *(_t1026 + 0x290) = 0x11;
																_t801 = _v676;
																__eflags = _t801 - _t868;
																if(_t801 != _t868) {
																	 *((intOrPtr*)( *_t801 + 8))(_t801);
																}
																_v680 = _v680 + 1;
																__eflags = _v680 - _v672;
																if(__eflags < 0) {
																	continue;
																} else {
																	goto L77;
																}
															}
														}
													}
													goto L162;
												}
												 *(_t1026 + 0x290) = 0x14;
												_t783 = _v660;
												__eflags = _t783 - _t868;
												if(_t783 != _t868) {
													 *((intOrPtr*)( *_t783 + 8))(_t783);
												}
												 *(_t1026 + 0x290) = 0x11;
												_t784 = _v672;
												__eflags = _t784 - _t868;
												if(_t784 != _t868) {
													 *((intOrPtr*)( *_t784 + 8))(_t784);
												}
												 *(_t1026 + 0x290) = 0x16;
												E01262BD6( &_v228);
												_push( &_v308);
												 *((char*)(_t1026 + 0x294)) = 0xe;
												E0125E618(_t1005, __eflags);
												 *(_t1026 + 0x290) = 0x17;
												goto L103;
											}
										} else {
											 *(_t1026 + 0x290) = 0x12;
											E01262BD6( &_v212);
											_push( &_v292);
											 *((char*)(_t1026 + 0x294)) = 0xe;
											E0125E618(_t1000, _t1051);
											 *((char*)(_t1026 + 0x294)) = 0x13;
											DeleteCriticalSection( &_v560);
											 *(_t1026 + 0x290) = 0xc;
											_t825 = _v564;
											_t1052 = _t825 - _t868;
											if(_t825 != _t868) {
												 *((intOrPtr*)( *_t825 + 8))(_t825);
											}
											_push( &_v604);
											 *((char*)(_t1026 + 0x294)) = 0xb;
											E01264F70(_t868, _t983, _t1000, _t1052);
											goto L131;
										}
									} else {
										_t1001 = _t1026 + 0x1f8;
										_t836 = E012640B0( &_v280, _t897, _t1026 + 0x1f8);
										asm("sbb al, al");
										if( ~_t836 + 1 == 0) {
											L78:
											 *((intOrPtr*)( *_v76 + 4))();
											_v636 = _t868;
											_v652 = _t868;
											_v664 = _t868;
											__eflags = _v660 - _t868;
											if(_v660 <= _t868) {
												L116:
												_t972 =  &_v300;
												E01263EAE( &_v456,  *_v228,  &_v300,  &_v636);
												__eflags = _v88 - _t868;
												if(_v88 != _t868) {
													 *((intOrPtr*)(_v80 + 0x70)) = _v456;
												}
												__eflags = _v660 - _t868;
												if(_v660 != _t868) {
													_v532 = _t868;
													_v528 = _t868;
													_v524 = _t868;
													_v520 = 4;
													 *(_t1026 + 0x98) = 0x12552d4;
													 *(_t1026 + 0x290) = 0x2c;
													E01262C43(_v600, _t1026 + 0x98);
													_t983 = 0;
													__eflags = _v600;
													if(_v600 > 0) {
														do {
															E01262C08(_t1026 + 0x98, _t972);
															 *((intOrPtr*)(_v524 + _v528 * 4)) =  *((intOrPtr*)( *((intOrPtr*)(_v596 + _t983 * 4))));
															_v528 = _v528 + 1;
															_t983 = _t983 + 1;
															__eflags = _t983 - _v600;
														} while (_t983 < _v600);
													}
													_t972 =  &_v584;
													_v584 = _v644;
													_t691 = _v72;
													_t999 =  *((intOrPtr*)( *_t691 + 0xc))(_t691, _v524, 0, _v600,  &_v584, 0, 1, 0);
													_v64 = 0x11;
													E01262BD6( &_v568);
													_v64 = 0x2d;
													E01262BD6(_t1026 + 0x1d4);
													_push( &_v332);
													_v64 = 0xe;
													E0125E618(_t999, __eflags);
													_v68 = 0x2e;
													DeleteCriticalSection( &_v600);
													_v68 = 0xc;
													_t698 = _v604;
													__eflags = _t698;
													if(__eflags != 0) {
														 *((intOrPtr*)( *_t698 + 8))(_t698);
													}
													_push( &_v644);
													_v68 = 0xb;
													E01264F70(0, _t983, _t999, __eflags);
													_t868 = 0;
													__eflags = 0;
													goto L131;
												} else {
													 *(_t1026 + 0x290) = 0x2a;
													E01262BD6( &_v220);
													_push( &_v300);
													 *((char*)(_t1026 + 0x294)) = 0xe;
													E0125E618(_t1001, __eflags);
													 *((char*)(_t1026 + 0x294)) = 0x2b;
													DeleteCriticalSection( &_v568);
													 *(_t1026 + 0x290) = 0xc;
													_t717 = _v572;
													__eflags = _t717 - _t868;
													if(__eflags != 0) {
														 *((intOrPtr*)( *_t717 + 8))(_t717);
													}
													_push( &_v612);
													 *((char*)(_t1026 + 0x294)) = 0xb;
													E01264F70(_t868, _t983, _t1001, __eflags);
													goto L132;
												}
											} else {
												 *(_t1026 + 0x20) = _t868;
												do {
													_t1005 =  *((intOrPtr*)( *((intOrPtr*)(_v648 + 0xc)) + _v664 * 4));
													_v668 = _t868;
													 *((char*)(_t1026 + 0x294)) = 0x1e;
													_t726 =  *((intOrPtr*)( *((intOrPtr*)( *(_t1026 + 0x20) + _v56))));
													 *((intOrPtr*)( *_t726))(_t726, 0x1255230,  &_v668);
													_t728 = _v680;
													__eflags = _t728 - _t868;
													if(_t728 == _t868) {
														L85:
														 *(_t1026 + 0x290) = 0x11;
														__eflags = _t728 - _t868;
														if(_t728 != _t868) {
															 *((intOrPtr*)( *_t728 + 8))(_t728);
														}
														_t976 =  *((intOrPtr*)(_t1005 + 0x14));
														_t983 =  *(_t1005 + 0x18);
														_t925 = 4;
														_v668 = _v668 + _t925;
														_v680 =  *((intOrPtr*)(_t1005 + 0x14));
														_v524 = _t868;
														_v520 = _t868;
														_v516 = _t868;
														 *(_t1026 + 0xbc) = _t925;
														_v528 = 0x12552d4;
														_v484 = _t868;
														 *(_t1026 + 0xdc) = _t868;
														_v476 = _t868;
														_v472 = _t925;
														 *(_t1026 + 0xd4) = 0x12552d4;
														 *(_t1026 + 0x290) = 0x27;
														E01262C43( *((intOrPtr*)(_t1005 + 0x14)),  &_v528);
														_t1001 = _t1026 + 0xd4;
														E01262C43(_t983, _t1026 + 0xd4);
														__eflags = _t983;
														if(_t983 != 0) {
															do {
																_t925 = _v664;
																_t1001 = _t1026 + 0xd8;
																E01264F46(_t976, _t1026 + 0xd8,  *((intOrPtr*)(_v660 + 0x48)) + _t925 * 8);
																_v668 = _v668 + 1;
																_t983 = _t983 - 1;
																__eflags = _t983;
															} while (_t983 != 0);
														}
														_t874 = 0;
														__eflags = _v680;
														if(_v680 > 0) {
															_t987 = _v648;
															do {
																_t737 = _v660;
																_t977 =  *(_t737 + 0x1c);
																_t1007 = 0;
																__eflags = _t977;
																if(_t977 <= 0) {
																	L95:
																	_t929 = _t925 | 0xffffffff;
																	__eflags = _t929;
																} else {
																	_t935 =  *(_t737 + 0x20);
																	while(1) {
																		__eflags =  *_t935 - _t987;
																		if( *_t935 == _t987) {
																			break;
																		}
																		_t1007 = _t1007 + 1;
																		_t935 = _t935 + 8;
																		__eflags = _t1007 - _t977;
																		if(_t1007 < _t977) {
																			continue;
																		} else {
																			goto L95;
																		}
																		goto L96;
																	}
																	_t929 = _t1007;
																}
																L96:
																__eflags = _t929;
																if(_t929 < 0) {
																	_t930 =  *(_t737 + 0x30);
																	_t978 = 0;
																	__eflags = _t930;
																	if(_t930 <= 0) {
																		L111:
																		_t738 = _t737 | 0xffffffff;
																		__eflags = _t738;
																	} else {
																		_t751 =  *((intOrPtr*)(_t737 + 0x34));
																		while(1) {
																			__eflags =  *_t751 - _t987;
																			if( *_t751 == _t987) {
																				break;
																			}
																			_t978 = _t978 + 1;
																			_t751 = _t751 + 4;
																			__eflags = _t978 - _t930;
																			if(_t978 < _t930) {
																				continue;
																			} else {
																				goto L111;
																			}
																			goto L112;
																		}
																		_t738 = _t978;
																	}
																	L112:
																	__eflags = _t738;
																	if(_t738 < 0) {
																		 *(_t1026 + 0x290) = 0x26;
																		E01262BD6(_t1026 + 0xd4);
																		 *(_t1026 + 0x290) = 0x11;
																		E01262BD6( &_v528);
																		 *(_t1026 + 0x290) = 0x28;
																		E01262BD6( &_v232);
																		_push( &_v312);
																		 *((char*)(_t1026 + 0x294)) = 0xe;
																		E0125E618(_t1007, __eflags);
																		_v48 = 0x29;
																		DeleteCriticalSection( &_v580);
																		_v48 = 0xc;
																		_t745 = _v584;
																		__eflags = _t745;
																		if(__eflags != 0) {
																			 *((intOrPtr*)( *_t745 + 8))(_t745);
																		}
																		_push( &_v624);
																		_v48 = 0xb;
																		E01264F70(_t874, _t987, _t1007, __eflags);
																		_t999 = 0x80004005;
																		_t868 = 0;
																		goto L148;
																	} else {
																		_t925 =  *(_t1026 + 0x94);
																		_t749 = _t925 + _t738 * 8;
																		goto L114;
																	}
																} else {
																	_t978 =  *(_t737 + 0x20);
																	_t925 =  *( *(_t737 + 0x20) + 4 + _t929 * 8);
																	_t749 =  *((intOrPtr*)(_t737 + 0x48)) + _t925 * 8;
																	goto L114;
																}
																goto L162;
																L114:
																_t1001 =  &_v528;
																E01264F46(_t978,  &_v528, _t749);
																_t874 = _t874 + 1;
																_t987 = _t987 + 1;
																_v652 = _t987;
																__eflags = _t874 - _v684;
															} while (_t874 < _v684);
														}
														goto L115;
													} else {
														_t972 =  *(_t1005 + 0xc);
														__eflags = _t972 - 0xffffffff;
														if(_t972 > 0xffffffff) {
															 *(_t1026 + 0x290) = 0x11;
															 *((intOrPtr*)( *_t728 + 8))(_t728);
															_v48 = 0x1f;
															E01262BD6( &_v236);
															_push( &_v316);
															_v48 = 0xe;
															E0125E618(_t1005, __eflags);
															_v52 = 0x20;
															L145:
															DeleteCriticalSection( &_v584);
															_v52 = 0xc;
															_t763 = _v588;
															__eflags = _t763 - _t868;
															if(__eflags != 0) {
																 *((intOrPtr*)( *_t763 + 8))(_t763);
															}
															_push( &_v628);
															_v52 = 0xb;
															E01264F70(_t868, _t983, _t1005, __eflags);
															_t999 = 0x80004001;
															goto L148;
														} else {
															__eflags = _t972 - _t868;
															if(_t972 <= _t868) {
																goto L85;
															} else {
																_t983 =  *((intOrPtr*)( *_t728 + 0xc))(_t728,  *((intOrPtr*)(_t1005 + 0x10)), _t972);
																__eflags = _t983 - _t868;
																if(_t983 != _t868) {
																	_v56 = 0x11;
																	_t768 = _v692;
																	__eflags = _t768 - _t868;
																	if(_t768 != _t868) {
																		 *((intOrPtr*)( *_t768 + 8))(_t768);
																	}
																	_v56 = 0x21;
																	E01262BD6( &_v244);
																	_push( &_v324);
																	_v56 = 0xe;
																	E0125E618(_t1005, __eflags);
																	_v60 = 0x22;
																	L103:
																	DeleteCriticalSection( &_v592);
																	_v60 = 0xc;
																	_t773 = _v596;
																	__eflags = _t773 - _t868;
																	if(__eflags != 0) {
																		 *((intOrPtr*)( *_t773 + 8))(_t773);
																	}
																	_push( &_v636);
																	_v60 = 0xb;
																	E01264F70(_t868, _t983, _t1005, __eflags);
																	_t999 = _t983;
																	L131:
																	if(_t999 != _t868) {
																		L148:
																		_t985 = _v684;
																		L149:
																		_v8 = 8;
																		 *((intOrPtr*)( *_t985 + 8))(_t985);
																		_push(_t1026 + 0x1f4);
																		 *((char*)(_t1026 + 0x294)) = 7;
																		L159();
																		_v16 = 6;
																		E01262BD6( &_v376);
																		_v16 = 5;
																		E01262BD6( &_v416);
																		_v16 = 4;
																		E01262BD6( &_v336);
																		_v16 = 3;
																		E01262BD6( &_v316);
																		_push(_t1026 + 0xc0);
																		_v16 = 2;
																		E0125DAA7(_t999, __eflags);
																		 *(_t1026 + 0x290) = 1;
																		E01262BD6( &_v400);
																		 *(_t1026 + 0x290) = _t868;
																		E01262BD6( &_v360);
																		 *(_t1026 + 0x290) =  *(_t1026 + 0x290) | 0xffffffff;
																		E01262BD6(_t1026 + 0xec);
																		_t618 = _t999;
																		L140:
																		 *[fs:0x0] =  *((intOrPtr*)(_t1026 + 0x288));
																		return _t618;
																	} else {
																		L132:
																		_t991 = _v688;
																		if( *((intOrPtr*)(_t991 + 0x54)) == _t868) {
																			L134:
																			_v680 = _t868;
																			if( *((intOrPtr*)(_t991 + 0x30)) > _t868) {
																				_t704 = _a4;
																				_t1003 = _v628;
																				do {
																					_t915 =  *((intOrPtr*)( *((intOrPtr*)(_t1026 + 0xf8)) + _t1003 * 8));
																					_t1003 = _t1003 + 1;
																					_v668 = _v668 + _t915;
																					asm("adc [esp+0x40], edx");
																					 *((intOrPtr*)(_t704 + 0x48)) =  *((intOrPtr*)(_t704 + 0x48)) + _t915;
																					asm("adc [eax+0x4c], edx");
																					_v680 = _v680 + 1;
																					_t972 = _v680;
																				} while (_v680 <  *((intOrPtr*)(_v688 + 0x30)));
																				_v628 = _t1003;
																			}
																			goto L138;
																		} else {
																			_t894 =  *((intOrPtr*)(_v680 + 8));
																			if(E0125E502(_v680, _v620) !=  *((intOrPtr*)(_t991 + 0x50))) {
																				goto L157;
																			} else {
																				goto L134;
																			}
																		}
																	}
																} else {
																	_t728 = _v692;
																	goto L85;
																}
															}
														}
													}
													goto L162;
													L115:
													 *((intOrPtr*)( *_v88 + 8))(_v676, _v516, _v476);
													_v56 = 0x26;
													E01262BD6( &_v500);
													_v56 = 0x11;
													E01262BD6(_t1026 + 0xac);
													_v688 = _v688 + 1;
													_t868 = 0;
													__eflags = _v688 - _v684;
												} while (_v688 < _v684);
												goto L116;
											}
										} else {
											goto L43;
										}
									}
								}
							}
						}
						goto L162;
						L138:
						_t701 = _v684;
						_v72 = 8;
						 *((intOrPtr*)( *_t701 + 8))(_t701);
						_v676 = _v676 + 1;
						_t1058 = _v676 - _v532;
					} while (_v676 < _v532);
					goto L139;
				}
				L162:
			}

0x0125fa06
0x0125fa08
0x0125fa13
0x0125fa14
0x0125fa1a
0x0125fa1b
0x0125fa1c
0x0125fa1d
0x0125fa24
0x0125fa2c
0x0125fa32
0x0125fa36
0x0125fa3c
0x0125fa43
0x0125fa4a
0x0125fa51
0x0125fa58
0x0125fa5f
0x0125fa66
0x0125fa6b
0x0125fa72
0x0125fa79
0x0125fa80
0x0125fa8b
0x0125fa94
0x0125fa9a
0x0125faa1
0x0125faa8
0x0125faaf
0x0125fab6
0x0125fabd
0x0125fac4
0x0125facb
0x0125fad2
0x0125fad9
0x0125fae4
0x0125faeb
0x0125faf2
0x0125faf9
0x0125fb00
0x0125fb07
0x0125fb0e
0x0125fb15
0x0125fb1c
0x0125fb23
0x0125fb2a
0x0125fb31
0x0125fb38
0x0125fb3f
0x0125fb4a
0x0125fb51
0x0125fb58
0x0125fb5f
0x0125fb66
0x0125fb6d
0x0125fb74
0x0125fbba
0x0125fbc3
0x0125fbcf
0x0125fbd3
0x0125fbd8
0x0125fbe0
0x0125fbe4
0x0125fbeb
0x0125fbee
0x0125fbf9
0x012607d2
0x012607d9
0x012607da
0x012607e2
0x012607ee
0x012607f6
0x01260802
0x0126080a
0x01260816
0x0126081e
0x0126082a
0x01260832
0x0126083e
0x0126083f
0x01260847
0x01260853
0x0126085b
0x01260867
0x0126086e
0x01260873
0x01260882
0x01260887
0x00000000
0x0125fbff
0x0125fbff
0x0125fc06
0x0125fc0d
0x0125fc18
0x0125fc23
0x0125fc26
0x0125fc2c
0x0125fc34
0x0125fc3a
0x0125fc3e
0x0125fc48
0x0125fc5a
0x0125fc5a
0x0125fc4a
0x0125fc51
0x0125fc56
0x0125fc56
0x0125fc5c
0x0125fc60
0x0125fc68
0x0125fc6d
0x0125fc6e
0x0125fc76
0x0125fc86
0x0125fc8a
0x0125fc8f
0x0125fc99
0x0125fc9c
0x0125fc9c
0x0125fc9e
0x00000000
0x00000000
0x0125fca4
0x0125fca9
0x0125fcab
0x0125fcbf
0x0125fcbf
0x0125fcbf
0x0125fcad
0x0125fcb0
0x0125fcb0
0x0125fcb3
0x0125fcb3
0x0125fcb5
0x00000000
0x00000000
0x0125fcb7
0x0125fcb8
0x0125fcbb
0x0125fcbd
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0125fcbd
0x0125fcb3
0x0125fcc2
0x0125fcc2
0x0125fcc4
0x0125fcc9
0x0125fccf
0x0125fcd3
0x00000000
0x0125fcc6
0x0125fcc6
0x00000000
0x0125fcc6
0x00000000
0x0125fcc4
0x00000000
0x0125fc91
0x0125fc91
0x0125fc95
0x0125fcd7
0x0125fcd7
0x0125fcdd
0x01260b20
0x01260b20
0x01260b25
0x01260b2f
0x01260b37
0x01260b3c
0x01260b3d
0x01260b3e
0x01260b3f
0x01260b40
0x01260b41
0x01260b42
0x01260b49
0x01260b4e
0x01260b54
0x01260b55
0x01260b5c
0x01260b61
0x01260b65
0x01260b68
0x01260b6a
0x01260b6f
0x01260b6f
0x01260b72
0x01260b75
0x01260b7b
0x01260b82
0x01260b87
0x01260b87
0x01260b87
0x01260b8b
0x01260b96
0x0125fceb
0x0125fcf1
0x0125fcf8
0x0125fd00
0x0125fd13
0x0125fd17
0x0125fd02
0x0125fd02
0x0125fd04
0x0125fd07
0x0125fd0d
0x0125fd0d
0x0125fd19
0x0125fd20
0x0125fd22
0x0125fd27
0x0125fd27
0x0125fd32
0x0125fd3d
0x0125fd44
0x0125fd47
0x0125fd54
0x0125fd58
0x0125fd62
0x0125fd68
0x0125fd70
0x0125fd74
0x0125fd79
0x0125fd7b
0x012608a1
0x00000000
0x0125fd81
0x0125fd81
0x0125fd85
0x0125fd89
0x0125fd8d
0x0125fd95
0x0125fd9d
0x0125fda5
0x0125fda6
0x0125fdae
0x0125fdb3
0x0125fdbd
0x0125fdc2
0x0125fdc2
0x0125fdc5
0x0125fdcb
0x0125fdcd
0x0125fdd0
0x0125fdd0
0x0125fdd7
0x0125fddb
0x0125fde2
0x0125fde8
0x0125fdea
0x0125fdf2
0x0125fe01
0x0125fe01
0x0125fdf4
0x0125fdf4
0x0125fdf7
0x0125fdfd
0x0125fdfd
0x0125fe03
0x0125fe09
0x0125fe0e
0x0125fe0e
0x0125fe15
0x0125fe21
0x0125fe28
0x0125fe2f
0x0125fe39
0x0125fe3e
0x0125fe42
0x0125fe49
0x0125fe4f
0x0125fe57
0x0125fe67
0x0125fe67
0x0125fe59
0x0125fe59
0x0125fe5c
0x0125fe62
0x0125fe62
0x0125fe69
0x0125fe6d
0x0125fe71
0x0125fe73
0x0125fe78
0x0125fe78
0x0125fe7b
0x0125fe8a
0x0125fe8f
0x0125fe93
0x0125fe9c
0x0125fea9
0x0125feac
0x0125feaf
0x0125feb2
0x0125feb5
0x0125feba
0x0125fec5
0x0125fec8
0x0125fed3
0x0125fed6
0x0125fede
0x0125fee2
0x0125fde8
0x0125feeb
0x0125fef2
0x0125fefd
0x0125ff02
0x0125ff09
0x0125ff10
0x0125ff17
0x0125ff22
0x0125ff34
0x0125ff3c
0x0125ff48
0x0125ff69
0x0125ff7f
0x0125ff82
0x0125ff8b
0x0125ff90
0x0125ff93
0x0125ff93
0x0125ffa1
0x0125ffa8
0x0125ffb0
0x0125ffbb
0x0125ffbb
0x0125ffb2
0x0125ffb4
0x0125ffb4
0x0125ffbd
0x0125ffc6
0x0125ffcd
0x0125ffd2
0x0125ffdb
0x0125ffe9
0x0125ffdd
0x0125ffe0
0x0125ffe0
0x0125ffdb
0x0125fff9
0x01260001
0x01260003
0x01260005
0x01260007
0x01260072
0x01260076
0x0126007a
0x012601f5
0x012601fc
0x01260203
0x0126021e
0x01260221
0x0126022f
0x01260234
0x00000000
0x01260080
0x01260080
0x0126008b
0x0126008e
0x01260092
0x0126009a
0x0126009f
0x012600a0
0x012600a8
0x012600ab
0x012600b2
0x012600b4
0x012600b6
0x00000000
0x00000000
0x012600bc
0x012600c0
0x012600c8
0x012600cc
0x012600d0
0x01260118
0x01260118
0x0126011c
0x0126011e
0x012609f8
0x01260a00
0x01260a04
0x01260a06
0x01260a0b
0x01260a0b
0x01260a15
0x01260a1d
0x01260a29
0x01260a2a
0x01260a32
0x01260a37
0x00000000
0x01260124
0x01260127
0x0126012a
0x0126012e
0x01260135
0x01260137
0x01260140
0x01260152
0x01260159
0x01260159
0x00000000
0x01260135
0x012600d2
0x012600d2
0x012600d6
0x00000000
0x012600d8
0x012600d8
0x012600da
0x012608ab
0x012608b3
0x012608b7
0x012608b9
0x012608be
0x012608be
0x012608c8
0x012608d0
0x012608dc
0x012608dd
0x012608e5
0x012608ea
0x00000000
0x012600e0
0x012600e3
0x012600e6
0x012600ea
0x012600f1
0x012600f3
0x012600fc
0x01260111
0x01260111
0x0126015e
0x01260165
0x01260168
0x0126016c
0x01260174
0x01260176
0x0126018a
0x0126018a
0x01260178
0x01260178
0x0126017c
0x0126017e
0x01260180
0x01260185
0x01260185
0x01260180
0x01260194
0x0126019c
0x012601a1
0x012601a9
0x012601ad
0x012601af
0x012601b4
0x012601b4
0x012601b7
0x012601bf
0x012601c3
0x012601c5
0x012601ca
0x012601ca
0x012601cd
0x012601d5
0x012601d9
0x012601db
0x012601e0
0x012601e0
0x012601e3
0x012601eb
0x012601ef
0x00000000
0x00000000
0x00000000
0x00000000
0x012601ef
0x012600da
0x012600d6
0x00000000
0x012600d0
0x012603d1
0x012603d9
0x012603dd
0x012603df
0x012603e4
0x012603e4
0x012603e7
0x012603ef
0x012603f3
0x012603f5
0x012603fa
0x012603fa
0x01260404
0x0126040c
0x01260418
0x01260419
0x01260421
0x01260426
0x00000000
0x01260426
0x01260009
0x01260010
0x01260018
0x01260024
0x01260025
0x0126002d
0x01260037
0x0126003f
0x01260045
0x0126004d
0x01260051
0x01260053
0x01260058
0x01260058
0x0126005f
0x01260060
0x01260068
0x00000000
0x01260068
0x0125ff4a
0x0125ff4a
0x0125ff58
0x0125ff5f
0x0125ff63
0x0126023c
0x01260245
0x01260248
0x0126024c
0x01260250
0x01260254
0x01260258
0x01260517
0x0126052c
0x01260533
0x01260538
0x0126053f
0x0126054f
0x0126054f
0x01260552
0x01260556
0x01260618
0x0126061f
0x01260626
0x0126062d
0x01260638
0x01260643
0x01260656
0x0126065d
0x0126065f
0x01260663
0x01260665
0x01260675
0x01260688
0x0126068b
0x01260692
0x01260693
0x01260693
0x01260665
0x012606a1
0x012606aa
0x012606ae
0x012606ca
0x012606cc
0x012606d4
0x012606e0
0x012606e8
0x012606f4
0x012606f5
0x012606fd
0x01260707
0x0126070f
0x01260715
0x0126071d
0x01260721
0x01260723
0x01260728
0x01260728
0x0126072f
0x01260730
0x01260738
0x0126073d
0x0126073d
0x00000000
0x0126055c
0x01260563
0x0126056b
0x01260577
0x01260578
0x01260580
0x0126058a
0x01260592
0x01260598
0x012605a0
0x012605a4
0x012605a6
0x012605ab
0x012605ab
0x012605b2
0x012605b3
0x012605bb
0x00000000
0x012605bb
0x0126025e
0x0126025e
0x01260262
0x0126026d
0x0126027e
0x01260287
0x0126028f
0x01260299
0x0126029b
0x0126029f
0x012602a1
0x012602cc
0x012602cc
0x012602d4
0x012602d6
0x012602db
0x012602db
0x012602de
0x012602e1
0x012602e6
0x012602e7
0x012602f0
0x012602f4
0x012602fb
0x01260302
0x01260309
0x01260310
0x01260317
0x0126031e
0x01260325
0x0126032c
0x01260333
0x01260343
0x0126034b
0x01260352
0x01260359
0x0126035e
0x01260360
0x01260362
0x01260369
0x01260371
0x01260378
0x0126037d
0x01260381
0x01260381
0x01260381
0x01260362
0x01260384
0x01260386
0x0126038a
0x01260390
0x01260394
0x01260394
0x01260398
0x0126039b
0x0126039d
0x0126039f
0x012603b4
0x012603b4
0x012603b4
0x012603a1
0x012603a1
0x012603a4
0x012603a4
0x012603a6
0x00000000
0x00000000
0x012603ac
0x012603ad
0x012603b0
0x012603b2
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x012603b2
0x01260468
0x01260468
0x012603b7
0x012603b7
0x012603b9
0x0126046f
0x01260472
0x01260474
0x01260476
0x0126048b
0x0126048b
0x0126048b
0x01260478
0x01260478
0x0126047b
0x0126047b
0x0126047d
0x00000000
0x00000000
0x01260483
0x01260484
0x01260487
0x01260489
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x01260489
0x012605c5
0x012605c5
0x0126048e
0x0126048e
0x01260490
0x01260a8f
0x01260a97
0x01260aa3
0x01260aab
0x01260ab7
0x01260abf
0x01260acb
0x01260acc
0x01260ad4
0x01260ade
0x01260ae6
0x01260aec
0x01260af4
0x01260af8
0x01260afa
0x01260aff
0x01260aff
0x01260b06
0x01260b07
0x01260b0f
0x01260b14
0x01260b19
0x00000000
0x01260496
0x01260496
0x0126049d
0x00000000
0x0126049d
0x012603bf
0x012603bf
0x012603c2
0x012603c9
0x00000000
0x012603c9
0x00000000
0x012604a0
0x012604a1
0x012604a8
0x012604ad
0x012604ae
0x012604af
0x012604b3
0x012604b3
0x01260394
0x00000000
0x012602a3
0x012602a3
0x012602a6
0x012602a9
0x01260a44
0x01260a4f
0x01260a59
0x01260a61
0x01260a6d
0x01260a6e
0x01260a76
0x01260a7b
0x012608f2
0x012608f7
0x012608fd
0x01260905
0x01260909
0x0126090b
0x01260910
0x01260910
0x01260917
0x01260918
0x01260920
0x01260925
0x00000000
0x012602af
0x012602af
0x012602b1
0x00000000
0x012602b3
0x012602be
0x012602c0
0x012602c2
0x012605cc
0x012605d4
0x012605d8
0x012605da
0x012605df
0x012605df
0x012605e9
0x012605f1
0x012605fd
0x012605fe
0x01260606
0x0126060b
0x0126042e
0x01260433
0x01260439
0x01260441
0x01260445
0x01260447
0x0126044c
0x0126044c
0x01260453
0x01260454
0x0126045c
0x01260461
0x0126073f
0x01260741
0x0126092a
0x0126092a
0x0126092e
0x0126092e
0x01260939
0x01260943
0x01260944
0x0126094c
0x01260958
0x01260960
0x0126096c
0x01260974
0x01260980
0x01260988
0x01260994
0x0126099c
0x012609a8
0x012609a9
0x012609b1
0x012609bd
0x012609c5
0x012609d1
0x012609d8
0x012609dd
0x012609ec
0x012609f1
0x01260889
0x01260890
0x0126089e
0x01260747
0x01260747
0x01260747
0x0126074e
0x01260769
0x01260769
0x01260770
0x01260772
0x01260775
0x01260779
0x01260780
0x01260787
0x01260788
0x0126078c
0x01260790
0x01260797
0x0126079a
0x0126079e
0x012607a2
0x012607a7
0x012607a7
0x00000000
0x01260750
0x01260758
0x01260763
0x00000000
0x00000000
0x00000000
0x00000000
0x01260763
0x0126074e
0x012602c8
0x012602c8
0x00000000
0x012602c8
0x012602c2
0x012602b1
0x012602a9
0x00000000
0x012604bd
0x012604d8
0x012604e2
0x012604ea
0x012604f6
0x012604fe
0x01260503
0x0126050b
0x0126050d
0x0126050d
0x00000000
0x01260262
0x00000000
0x00000000
0x00000000
0x0125ff63
0x0125ff48
0x0125fd7b
0x0125fcdd
0x00000000
0x012607ab
0x012607ab
0x012607af
0x012607ba
0x012607bd
0x012607c5
0x012607c5
0x00000000
0x0125fc18
0x00000000

APIs

Part of subcall function 012735E6: _malloc.LIBCMT ref: 01273600

DeleteCriticalSection.KERNEL32(?,?), ref: 0126003F
DeleteCriticalSection.KERNEL32(?,?,?), ref: 01260592

Part of subcall function 01262B6C: __EH_prolog3.LIBCMT ref: 01262B73

DeleteCriticalSection.KERNEL32(?,?,00000000,?,?,?), ref: 01260433
DeleteCriticalSection.KERNEL32(?,?), ref: 0126070F
DeleteCriticalSection.KERNEL32(?,?,00000000,?,?,?), ref: 012608F7
DeleteCriticalSection.KERNEL32(?,?), ref: 01260AE6

Part of subcall function 01268513: __EH_prolog3.LIBCMT ref: 0126851D

__CxxThrowException@8.LIBCMT ref: 01260B37

Strings

), xrefs: 01260ADE
(, xrefs: 01260AB7

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: CriticalDeleteSection$H_prolog3$Exception@8Throw_malloc
String ID: ($)
API String ID: 3630289165-2051389312
Opcode ID: 477ed8405e34c8ef5a7c4a248c7ea7949dbcf2b4e694486cc9a2789c3ee41f7c
Instruction ID: 2823c461986c75c6dd66bcb07781d50d996a07c77be3ada3547d9b3cdcd50cb3
Opcode Fuzzy Hash: 477ed8405e34c8ef5a7c4a248c7ea7949dbcf2b4e694486cc9a2789c3ee41f7c
Instruction Fuzzy Hash: 78B24971518386CFD370DF68C488B9EBBE8BF99304F04496DE98D87291DB71A885CB52

Uniqueness

Uniqueness Score: -1.00%

Function 01264252 Relevance: 14.8, APIs: 7, Strings: 1, Instructions: 792
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E01264252(struct _CRITICAL_SECTION __ecx, void* __edx, void* __eflags, char* _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16, signed int _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				struct _CRITICAL_SECTION _v36;
				struct _CRITICAL_SECTION _v40;
				struct _CRITICAL_SECTION _v44;
				struct _CRITICAL_SECTION _v48;
				char _v52;
				char _v56;
				char _v60;
				char _v64;
				signed int _v68;
				char _v76;
				char _v80;
				char _v84;
				char _v92;
				char _v100;
				char _v128;
				char _v136;
				char _v140;
				char _v148;
				char _v152;
				char _v156;
				char _v160;
				char _v164;
				signed int _v168;
				struct _CRITICAL_SECTION _v172;
				struct _CRITICAL_SECTION _v176;
				struct _CRITICAL_SECTION _v180;
				struct _CRITICAL_SECTION _v184;
				signed int _v188;
				struct _CRITICAL_SECTION _v192;
				struct _CRITICAL_SECTION _v196;
				struct _CRITICAL_SECTION _v200;
				struct _CRITICAL_SECTION _v204;
				struct _CRITICAL_SECTION _v216;
				struct _CRITICAL_SECTION _v220;
				signed int _v224;
				struct _CRITICAL_SECTION _v228;
				struct _CRITICAL_SECTION _v232;
				signed int _v236;
				struct _CRITICAL_SECTION _v240;
				char _v248;
				intOrPtr* _v252;
				struct _CRITICAL_SECTION _v256;
				struct _CRITICAL_SECTION _v260;
				struct _CRITICAL_SECTION _v264;
				struct _CRITICAL_SECTION _v268;
				struct _CRITICAL_SECTION _v272;
				struct _CRITICAL_SECTION _v276;
				struct _CRITICAL_SECTION _v280;
				struct _CRITICAL_SECTION _v284;
				struct _CRITICAL_SECTION _v288;
				struct _CRITICAL_SECTION _v292;
				struct _CRITICAL_SECTION _v296;
				signed int _v300;
				struct _CRITICAL_SECTION _v304;
				struct _CRITICAL_SECTION _v308;
				struct _CRITICAL_SECTION _v312;
				struct _CRITICAL_SECTION _v320;
				intOrPtr _v324;
				struct _CRITICAL_SECTION _v328;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t412;
				struct _CRITICAL_SECTION* _t418;
				struct _CRITICAL_SECTION _t426;
				struct _CRITICAL_SECTION _t428;
				char* _t435;
				intOrPtr* _t443;
				struct _CRITICAL_SECTION _t450;
				struct _CRITICAL_SECTION _t453;
				struct _CRITICAL_SECTION _t468;
				intOrPtr* _t469;
				struct _CRITICAL_SECTION _t471;
				signed int _t481;
				signed int _t482;
				struct _CRITICAL_SECTION _t489;
				void* _t491;
				intOrPtr* _t494;
				intOrPtr* _t501;
				struct _CRITICAL_SECTION _t503;
				intOrPtr _t505;
				struct _CRITICAL_SECTION _t506;
				struct _CRITICAL_SECTION _t511;
				struct _CRITICAL_SECTION _t520;
				struct _CRITICAL_SECTION _t522;
				struct _CRITICAL_SECTION _t523;
				struct _CRITICAL_SECTION _t528;
				struct _CRITICAL_SECTION _t535;
				struct _CRITICAL_SECTION _t536;
				struct _CRITICAL_SECTION _t537;
				struct _CRITICAL_SECTION _t542;
				struct _CRITICAL_SECTION _t546;
				struct _CRITICAL_SECTION _t555;
				struct _CRITICAL_SECTION _t556;
				struct _CRITICAL_SECTION _t567;
				struct _CRITICAL_SECTION _t580;
				intOrPtr _t581;
				struct _CRITICAL_SECTION _t583;
				intOrPtr _t584;
				signed char _t587;
				intOrPtr* _t590;
				struct _CRITICAL_SECTION _t595;
				struct _CRITICAL_SECTION _t597;
				struct _CRITICAL_SECTION _t607;
				struct _CRITICAL_SECTION _t616;
				struct _CRITICAL_SECTION _t617;
				struct _CRITICAL_SECTION _t623;
				signed int _t641;
				signed int _t645;
				struct _CRITICAL_SECTION _t646;
				signed int _t651;
				struct _CRITICAL_SECTION _t659;
				intOrPtr _t684;
				struct _CRITICAL_SECTION _t690;
				void* _t692;
				struct _CRITICAL_SECTION _t698;
				struct _CRITICAL_SECTION _t703;
				char* _t704;
				intOrPtr* _t712;
				void* _t713;
				struct _CRITICAL_SECTION _t714;
				void* _t716;
				struct _CRITICAL_SECTION _t717;
				intOrPtr _t721;
				signed int _t724;
				intOrPtr* _t727;
				struct _CRITICAL_SECTION _t728;
				signed int _t738;

				_t692 = __edx;
				_push(0xffffffff);
				_push(0x1276978);
				_push( *[fs:0x0]);
				_push(_t713);
				_t412 =  *0x127a050; // 0xa41d0fe1
				_push(_t412 ^ (_t738 & 0xfffffff8) - 0x00000108);
				 *[fs:0x0] =  &_v16;
				_t616 = __ecx;
				_t703 = _a20;
				_t622 = _t703;
				if(E0125E749(__ecx, _t703, _t703, _t713, __eflags) != 0) {
					_t714 = 0;
					_v184 = 0;
					_v180 = 0;
					_v176 = 0;
					_v172 = 4;
					_v188 = 0x125556c;
					_v8 = 0;
					_v236 = 0;
					_push( &_v232);
					_v8 = 1;
					E01267E82(__eflags);
					_v12 = 2;
					__eflags = _t616;
					if(_t616 != 0) {
						 *((intOrPtr*)( *_t616 + 4))(_t616);
					}
					_t418 = _v240;
					__eflags = _t418 - _t714;
					if(_t418 != _t714) {
						_t622 =  *_t418;
						 *((intOrPtr*)( *_t418 + 8))(_t418);
					}
					_v240 = _t616;
					_v268 = _t714;
					__eflags =  *((intOrPtr*)(_t703 + 0x30)) - _t714;
					if( *((intOrPtr*)(_t703 + 0x30)) <= _t714) {
						L20:
						_v268 =  *(_t703 + 8);
						E012641FA( &_v128);
						_v44 = _t714;
						_v40 = _t714;
						_v36 = _t714;
						_v32 = 8;
						_v48 = 0x12552d4;
						_v12 = 5;
						E01263F8A( &_v128, _t703);
						_t704 = _a4;
						__eflags =  *_t704;
						if( *_t704 == 0) {
							L22:
							_t623 = _t704 + 0x78;
							_v272 = _t623;
							 *((intOrPtr*)( *_t623 + 4))(0,  *((intOrPtr*)(_t623 + 8)));
							_t617 = _t704 + 0x74;
							_t426 =  *_t617;
							__eflags = _t426;
							if(_t426 != 0) {
								 *((intOrPtr*)( *_t426 + 8))(_t426);
								 *_t617 =  *_t617 & 0x00000000;
								__eflags =  *_t617;
							}
							__eflags =  *((char*)(_t704 + 0x68));
							if( *((char*)(_t704 + 0x68)) != 0) {
								_t580 = E012735E6(0x88);
								__eflags = _t580;
								if(_t580 == 0) {
									_t581 = 0;
									__eflags = 0;
								} else {
									_t581 = E01264E54(_t580);
								}
								 *((intOrPtr*)(_t704 + 0x6c)) = _t581;
								E01262BB6(_t581, _t617);
								_t684 = _a4;
								_t583 =  *(_t684 + 0x6c);
								__eflags = _t583;
								if(_t583 == 0) {
									_t584 = 0;
									__eflags = 0;
								} else {
									_t584 = _t583 + 4;
								}
								 *((intOrPtr*)(_t684 + 0x70)) = _t584;
								_t704 = _t684;
							}
							_t693 =  &_v136;
							_t428 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t704 + 0x70))))))( &_v136);
							_t715 = _t428;
							__eflags = _t428;
							if(_t428 == 0) {
								_v276 = _v276 & 0x00000000;
								__eflags = _v280;
								if(__eflags <= 0) {
									L60:
									_t716 = _t704 + 4;
									E01264EBA( &_v140, _t716, __eflags);
									 *((intOrPtr*)( *((intOrPtr*)(_t716 + 0x50)) + 4))(0,  *((intOrPtr*)(_t716 + 0x58)));
									E01261D0D(_t716 + 0x50, _t716 + 0x50,  &_v68);
									_t435 = _a4;
									 *_t435 = 1;
									_t704 = _t435;
									L61:
									 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t704 + 0x70)))) + 4))();
									_t717 = 0;
									_v276 = 0;
									_v272 = 0;
									_v300 = 0;
									__eflags = _v288;
									if(_v288 <= 0) {
										L114:
										_t694 =  &_v148;
										E01263EAE( &_v292,  *_v76,  &_v148,  &_v276);
										__eflags =  *((char*)(_t704 + 0x68));
										if( *((char*)(_t704 + 0x68)) != 0) {
											 *( *((intOrPtr*)(_t704 + 0x6c)) + 0x70) = _v292;
										}
										__eflags = _v288 - _t717;
										if(_v288 != _t717) {
											_v228 = _t717;
											_v224 = _t717;
											_v220 = _t717;
											_v216 = 4;
											_v232 = 0x12552d4;
											_v32 = 0x20;
											E01262C43(_v204,  &_v232);
											_t617 = 0;
											__eflags = _v204;
											if(_v204 <= 0) {
												L135:
												_v152 = _a24;
												_t443 =  *(_t704 + 0x74);
												_t717 =  *((intOrPtr*)( *_t443 + 0xc))(_t443, _v220, 0, _v204,  &_v152, 0, 1, _a28);
												_v64 = 5;
												E01262BD6( &_v264);
												_v64 = 0x21;
												E01262BD6( &_v100);
												_push( &_v180);
												_v64 = 2;
												E0125E618(_t717, __eflags);
												_v68 = 0x22;
												goto L34;
											} else {
												goto L134;
											}
											do {
												L134:
												E01262C08( &_v232, _t694);
												 *((intOrPtr*)(_v220 + _v224 * 4)) =  *((intOrPtr*)( *((intOrPtr*)(_v200 + _t617 * 4))));
												_v224 = _v224 + 1;
												_t617 = _t617 + 1;
												__eflags = _t617 - _v204;
											} while (_t617 < _v204);
											goto L135;
										} else {
											_v32 = 0x1e;
											E01262BD6( &_v68);
											_push( &_v148);
											_v32 = 2;
											E0125E618(_t717, __eflags);
											_v36 = 0x1f;
											DeleteCriticalSection( &_v260);
											_v36 = 0;
											_t450 = _v264;
											__eflags = _t450 - _t717;
											goto L35;
										}
									}
									_v264 = 0;
									do {
										_t721 =  *((intOrPtr*)( *((intOrPtr*)(_a20 + 0xc)) + _v300 * 4));
										_t468 =  *(_v264 +  *((intOrPtr*)(_t704 + 0x84)));
										_t617 = 0;
										_v292 = _t468;
										_v284 = 0;
										_v32 = 0x12;
										_t469 =  *_t468;
										 *((intOrPtr*)( *_t469))(_t469, 0x1255230,  &_v284);
										_t471 = _v296;
										__eflags = _t471;
										if(_t471 == 0) {
											L68:
											_v44 = 5;
											__eflags = _t471 - _t617;
											if(_t471 != _t617) {
												 *((intOrPtr*)( *_t471 + 8))(_t471);
											}
											__eflags = _a32;
											if(_a32 == 0) {
												L76:
												_t697 =  *(_t721 + 0x14);
												_t641 = 4;
												_v276 = _v276 + _t641;
												_v292 =  *(_t721 + 0x18);
												_v304 =  *(_t721 + 0x14);
												_v200 = _t617;
												_v196 = _t617;
												_v192 = _t617;
												_v188 = _t641;
												_v204 = 0x12552d4;
												_v180 = _t617;
												_v176 = _t617;
												_v172 = _t617;
												_v168 = _t641;
												_v184 = 0x12552d4;
												_v44 = 0x1b;
												E01262C43( *(_t721 + 0x14),  &_v204);
												_t617 = _v292;
												E01262C43(_t617,  &_v184);
												__eflags = _t617;
												if(_t617 <= 0) {
													L78:
													_v292 = _v292 & 0x00000000;
													__eflags = _v304;
													if(_v304 <= 0) {
														goto L112;
													}
													_t617 = _v288;
													do {
														_t481 = _a20;
														_t698 =  *(_t481 + 0x1c);
														_t724 = 0;
														__eflags = _t698;
														if(_t698 <= 0) {
															L84:
															_t645 = _t641 | 0xffffffff;
															__eflags = _t645;
															L85:
															__eflags = _t645;
															if(_t645 < 0) {
																_t646 =  *(_t481 + 0x30);
																_t699 = 0;
																__eflags = _t646;
																if(_t646 <= 0) {
																	L108:
																	_t482 = _t481 | 0xffffffff;
																	__eflags = _t482;
																	L109:
																	__eflags = _t482;
																	if(_t482 < 0) {
																		_v44 = 0x1a;
																		E01262BD6( &_v184);
																		_v44 = 5;
																		E01262BD6( &_v204);
																		_v44 = 0x1c;
																		E01262BD6( &_v80);
																		_push( &_v160);
																		_v44 = 2;
																		E0125E618(_t724, __eflags);
																		_v48 = 0x1d;
																		DeleteCriticalSection( &_v272);
																		_v48 = 0;
																		_t489 = _v276;
																		__eflags = _t489;
																		if(__eflags != 0) {
																			 *((intOrPtr*)( *_t489 + 8))(_t489);
																		}
																		_t717 = 0x80004005;
																		goto L37;
																	}
																	_t641 = _a16;
																	_t491 = _t641 + _t482 * 8;
																	goto L111;
																}
																_t494 =  *((intOrPtr*)(_t481 + 0x34));
																while(1) {
																	__eflags =  *_t494 - _t617;
																	if( *_t494 == _t617) {
																		break;
																	}
																	_t699 = _t699 + 1;
																	_t494 = _t494 + 4;
																	__eflags = _t699 - _t646;
																	if(_t699 < _t646) {
																		continue;
																	}
																	goto L108;
																}
																_t482 = _t699;
																goto L109;
															}
															_t699 =  *(_t481 + 0x20);
															_t641 =  *( *(_t481 + 0x20) + 4 + _t645 * 8);
															_t491 =  *((intOrPtr*)(_t481 + 0x48)) + _t641 * 8;
															goto L111;
														}
														_t651 =  *(_t481 + 0x20);
														while(1) {
															__eflags =  *_t651 - _t617;
															if( *_t651 == _t617) {
																break;
															}
															_t724 = _t724 + 1;
															_t651 = _t651 + 8;
															__eflags = _t724 - _t698;
															if(_t724 < _t698) {
																continue;
															}
															goto L84;
														}
														_t645 = _t724;
														goto L85;
														L111:
														E01264F46(_t699,  &_v204, _t491);
														_v296 = _v296 + 1;
														_t617 = _t617 + 1;
														_v292 = _t617;
														__eflags = _v296 - _v308;
													} while (_v296 < _v308);
													goto L112;
												} else {
													goto L77;
												}
												do {
													L77:
													_t641 = _v284;
													E01264F46(_t697,  &_v184,  *((intOrPtr*)(_a20 + 0x48)) + _t641 * 8);
													_v288 = _v288 + 1;
													_t617 = _t617 - 1;
													__eflags = _t617;
												} while (_t617 != 0);
												goto L78;
											} else {
												_v308 = _t617;
												_v44 = 0x17;
												_t501 =  *_v304;
												 *((intOrPtr*)( *_t501))(_t501, 0x1255250,  &_v308);
												_t503 = _v320;
												__eflags = _t503 - _t617;
												if(_t503 == _t617) {
													L74:
													_v56 = 5;
													__eflags = _t503 - _t617;
													if(_t503 != _t617) {
														 *((intOrPtr*)( *_t503 + 8))(_t503);
													}
													goto L76;
												}
												_t505 =  *((intOrPtr*)( *_t503 + 0xc))(_t503, _a36);
												_v324 = _t505;
												__eflags = _t505 - _t617;
												if(_t505 != _t617) {
													_v64 = 5;
													_t506 = _v328;
													__eflags = _t506 - _t617;
													if(_t506 != _t617) {
														 *((intOrPtr*)( *_t506 + 8))(_t506);
													}
													_v64 = 0x18;
													E01262BD6( &_v100);
													_push( &_v180);
													_v64 = 2;
													E0125E618(_t721, __eflags);
													_v68 = 0x19;
													DeleteCriticalSection( &_v292);
													_v68 = 0;
													_t511 = _v296;
													__eflags = _t511 - _t617;
													if(__eflags != 0) {
														 *((intOrPtr*)( *_t511 + 8))(_t511);
													}
													_t717 = _v328;
													goto L37;
												}
												_t503 = _v328;
												goto L74;
											}
										}
										_t659 =  *(_t721 + 0xc);
										__eflags = _t659 - 0xffffffff;
										if(_t659 > 0xffffffff) {
											_v44 = 5;
											 *((intOrPtr*)( *_t471 + 8))(_t471);
											_v48 = 0x13;
											E01262BD6( &_v84);
											_push( &_v164);
											_v48 = 2;
											E0125E618(_t721, __eflags);
											_v52 = 0x14;
											L97:
											DeleteCriticalSection( &_v276);
											_v52 = 0;
											_t520 = _v280;
											__eflags = _t520 - _t617;
											if(__eflags != 0) {
												 *((intOrPtr*)( *_t520 + 8))(_t520);
											}
											_t717 = 0x80004001;
											goto L37;
										}
										__eflags = _t659;
										if(_t659 <= 0) {
											goto L68;
										}
										_t522 =  *((intOrPtr*)( *_t471 + 0xc))(_t471,  *((intOrPtr*)(_t721 + 0x10)), _t659);
										_v304 = _t522;
										__eflags = _t522;
										if(_t522 != 0) {
											_v56 = 5;
											_t523 = _v308;
											__eflags = _t523;
											if(_t523 != 0) {
												 *((intOrPtr*)( *_t523 + 8))(_t523);
											}
											_v56 = 0x15;
											E01262BD6( &_v92);
											_push( &_v172);
											_v56 = 2;
											E0125E618(_t721, __eflags);
											_v60 = 0x16;
											DeleteCriticalSection( &_v284);
											_v60 = 0;
											_t528 = _v288;
											__eflags = _t528 - _t617;
											if(__eflags != 0) {
												 *((intOrPtr*)( *_t528 + 8))(_t528);
											}
											_t717 = _v308;
											goto L37;
										}
										_t471 = _v308;
										goto L68;
										L112:
										 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t704 + 0x70)))) + 8))(_v312, _v192, _v172);
										_v56 = 0x1a;
										E01262BD6( &_v196);
										_v56 = 5;
										E01262BD6( &_v216);
										_v324 = _v324 + 1;
										__eflags = _v324 - _v312;
									} while (_v324 < _v312);
									_t717 = 0;
									__eflags = 0;
									goto L114;
								} else {
									goto L39;
								}
								while(1) {
									L39:
									_t727 =  *((intOrPtr*)( *((intOrPtr*)(_a20 + 0xc)) + _v276 * 4));
									_t617 = 0;
									_v292 = 0;
									_v288 = 0;
									_push( &_v288);
									_push( &_v292);
									_v24 = 9;
									_push( *((intOrPtr*)(_t727 + 4)));
									_push( *_t727);
									_t535 = E01262B6C(0, _t704, _t727, __eflags);
									_v284 = _t535;
									__eflags = _t535;
									if(_t535 != 0) {
										break;
									}
									_v280 = 0;
									_v40 = 0xc;
									__eflags =  *((intOrPtr*)(_t727 + 0x14)) - 1;
									if( *((intOrPtr*)(_t727 + 0x14)) != 1) {
										L45:
										__eflags = _v304 - _t617;
										if(_v304 == _t617) {
											_v40 = 5;
											_t546 = _v308;
											__eflags = _t546 - _t617;
											if(_t546 != _t617) {
												 *((intOrPtr*)( *_t546 + 8))(_t546);
											}
											_v40 = 0xf;
											E01262BD6( &_v76);
											_push( &_v156);
											_v40 = 2;
											E0125E618(_t727, __eflags);
											_v44 = 0x10;
											goto L97;
										}
										_t617 = _v304;
										 *((intOrPtr*)( *_t617 + 4))(_t617);
										__eflags =  *((char*)(_t704 + 0x68));
										_v284 = _t617;
										if(__eflags == 0) {
											L49:
											_t728 = E012735E6(4);
											_v288 = _t728;
											_v44 = 0x11;
											__eflags = _t728;
											if(_t728 == 0) {
												_t728 = 0;
												__eflags = 0;
											} else {
												 *_t728 = _t617;
												__eflags = _t617;
												if(_t617 != 0) {
													 *((intOrPtr*)( *_t617 + 4))(_t617);
												}
											}
											_v44 = 0xc;
											E01264F46(_t693, _v304, _t728);
											_v48 = 9;
											__eflags = _t617;
											if(_t617 != 0) {
												 *((intOrPtr*)( *_t617 + 8))(_t617);
											}
											_v44 = 8;
											_t555 = _v308;
											__eflags = _t555;
											if(_t555 != 0) {
												 *((intOrPtr*)( *_t555 + 8))(_t555);
											}
											_v44 = 5;
											_t556 = _v312;
											__eflags = _t556;
											if(_t556 != 0) {
												 *((intOrPtr*)( *_t556 + 8))(_t556);
											}
											_v296 = _v296 + 1;
											__eflags = _v296 - _v300;
											if(__eflags < 0) {
												continue;
											} else {
												goto L60;
											}
										}
										E01268513(_t617,  *((intOrPtr*)(_t704 + 0x6c)), _t693,  *((intOrPtr*)(_t704 + 0x6c)), _t727, __eflags);
										E01262BB6(_t617,  *((intOrPtr*)( *((intOrPtr*)(_t707 + 0x80)) +  *(_t707 + 0x7c) * 4 - 4)) + 0x18);
										L48:
										_t704 = _a4;
										goto L49;
									}
									__eflags =  *((intOrPtr*)(_t727 + 0x18)) - 1;
									if( *((intOrPtr*)(_t727 + 0x18)) != 1) {
										goto L45;
									}
									__eflags = _v308;
									if(_v308 == 0) {
										_v40 = 8;
										_t567 = _v304;
										__eflags = _t567;
										if(_t567 != 0) {
											 *((intOrPtr*)( *_t567 + 8))(_t567);
										}
										_v40 = 0xd;
										E01262BD6( &_v76);
										_push( &_v156);
										_v40 = 2;
										E0125E618(_t727, __eflags);
										_v44 = 0xe;
										goto L97;
									}
									_t617 = _v308;
									 *((intOrPtr*)( *_t617 + 4))(_t617);
									__eflags =  *((char*)(_t704 + 0x68));
									_v284 = _t617;
									if(__eflags == 0) {
										goto L49;
									}
									E01268513(_t617,  *((intOrPtr*)(_t704 + 0x6c)), _t693,  *((intOrPtr*)(_t704 + 0x6c)), _t727, __eflags);
									E01262BB6(_t617,  *((intOrPtr*)( *((intOrPtr*)(_t709 + 0x80)) +  *(_t709 + 0x7c) * 4 - 4)) + 0x14);
									goto L48;
								}
								_v40 = 8;
								_t536 = _v304;
								__eflags = _t536;
								if(_t536 != 0) {
									 *((intOrPtr*)( *_t536 + 8))(_t536);
								}
								_v40 = 5;
								_t537 = _v308;
								__eflags = _t537 - _t617;
								if(_t537 != _t617) {
									 *((intOrPtr*)( *_t537 + 8))(_t537);
								}
								_v40 = 0xa;
								E01262BD6( &_v76);
								_push( &_v156);
								_v40 = 2;
								E0125E618(_t727, __eflags);
								_v44 = 0xb;
								DeleteCriticalSection( &_v268);
								_v44 = 0;
								_t542 = _v272;
								__eflags = _t542 - _t617;
								if(__eflags != 0) {
									 *((intOrPtr*)( *_t542 + 8))(_t542);
								}
								_t717 = _v288;
								goto L37;
							} else {
								_v24 = 6;
								E01262BD6( &_v60);
								_push( &_v140);
								_v24 = 2;
								E0125E618(_t715, __eflags);
								_v28 = 7;
								L34:
								DeleteCriticalSection( &_v292);
								_v68 = 0;
								_t450 = _v296;
								__eflags = _t450;
								L35:
								if(__eflags != 0) {
									 *((intOrPtr*)( *_t450 + 8))(_t450);
								}
								L37:
								_v68 = _v68 | 0xffffffff;
								_push( &_v248);
								E01264F70(_t617, _t704, _t717, __eflags);
								_t453 = _t717;
								goto L2;
							}
						}
						_t587 = E012640B0( &_v128, _t622, _t704 + 4);
						asm("sbb al, al");
						__eflags =  ~_t587 + 1;
						if( ~_t587 + 1 == 0) {
							goto L61;
						}
						goto L22;
					} else {
						do {
							_t590 = E012735E6(0x18);
							__eflags = _t590 - _t714;
							if(_t590 == _t714) {
								_t712 = 0;
								__eflags = 0;
							} else {
								 *(_t590 + 4) = _t714;
								 *_t590 = 0x1255550;
								_t712 = _t590;
							}
							_v252 = _t712;
							__eflags = _t712 - _t714;
							if(_t712 != _t714) {
								 *((intOrPtr*)( *_t712 + 4))(_t712);
							}
							_v12 = 3;
							 *((intOrPtr*)(_t712 + 8)) =  &_v240;
							 *((intOrPtr*)(_t712 + 0x10)) = _a8;
							 *((intOrPtr*)(_t712 + 0x14)) = _a12;
							_t595 = _a16 + _v268 * 8;
							_a8 = _a8 +  *_t595;
							_v272 = _t595;
							asm("adc [ebp+0x10], eax");
							_t597 = E012735E6(0x28);
							__eflags = _t597 - _t714;
							if(_t597 == _t714) {
								_t617 = 0;
								__eflags = 0;
							} else {
								 *(_t597 + 4) = _t714;
								 *_t597 = 0x1255540;
								 *(_t597 + 8) = _t714;
								_t617 = _t597;
							}
							_v256 = _t617;
							__eflags = _t617 - _t714;
							if(_t617 != _t714) {
								 *((intOrPtr*)( *_t617 + 4))(_t617);
							}
							_t42 = _t617 + 8; // 0x8
							_v12 = 4;
							E01262BB6(_t712, _t42);
							_t690 = _v272;
							 *(_t617 + 0x18) =  *(_t617 + 0x18) & 0x00000000;
							 *(_t617 + 0x1c) =  *(_t617 + 0x1c) & 0x00000000;
							 *((intOrPtr*)(_t617 + 0x10)) =  *_t690;
							 *((intOrPtr*)(_t617 + 0x14)) =  *((intOrPtr*)(_t690 + 4));
							 *((char*)(_t617 + 0x20)) = 0;
							E01268911(_t617, _t692, _t712, _t42, __eflags);
							_v20 = 3;
							 *((intOrPtr*)( *_t617 + 8))(_t617,  &_v192,  &_v256);
							_v24 = 2;
							 *((intOrPtr*)( *_t712 + 8))(_t712);
							_v284 = _v284 + 1;
							_t607 = _a20;
							_t622 = _v284;
							_t714 = 0;
							__eflags = _v284 -  *((intOrPtr*)(_t607 + 0x30));
						} while (_v284 <  *((intOrPtr*)(_t607 + 0x30)));
						_t703 = _t607;
						goto L20;
					}
				} else {
					_t453 = 0x80004001;
					L2:
					 *[fs:0x0] = _v80;
					return _t453;
				}
			}

0x01264252
0x0126425a
0x0126425c
0x01264267
0x0126426f
0x01264271
0x01264278
0x01264280
0x01264286
0x01264288
0x0126428b
0x01264294
0x012642b3
0x012642b5
0x012642b9
0x012642bd
0x012642c1
0x012642c9
0x012642d1
0x012642d8
0x012642e0
0x012642e1
0x012642e9
0x012642ee
0x012642f6
0x012642f8
0x012642fd
0x012642fd
0x01264300
0x01264304
0x01264306
0x01264308
0x0126430b
0x0126430b
0x0126430e
0x01264312
0x01264316
0x01264319
0x01264416
0x01264419
0x01264424
0x01264429
0x01264430
0x01264437
0x0126443e
0x01264449
0x0126445b
0x01264463
0x01264468
0x0126446b
0x0126446e
0x0126448b
0x0126448b
0x01264495
0x01264499
0x0126449c
0x0126449f
0x012644a1
0x012644a3
0x012644a8
0x012644ab
0x012644ab
0x012644ab
0x012644ae
0x012644b2
0x012644b9
0x012644bf
0x012644c1
0x012644cc
0x012644cc
0x012644c3
0x012644c5
0x012644c5
0x012644ce
0x012644d5
0x012644da
0x012644dd
0x012644e0
0x012644e2
0x012644e9
0x012644e9
0x012644e4
0x012644e4
0x012644e4
0x012644eb
0x012644ee
0x012644ee
0x012644f5
0x012644fd
0x012644ff
0x01264501
0x01264503
0x01264570
0x01264575
0x0126457a
0x012646e6
0x012646e6
0x012646f0
0x01264700
0x0126470d
0x01264712
0x01264715
0x01264718
0x0126471a
0x0126471f
0x01264722
0x01264724
0x01264728
0x0126472c
0x01264730
0x01264734
0x01264b04
0x01264b16
0x01264b1d
0x01264b22
0x01264b26
0x01264b2f
0x01264b2f
0x01264b32
0x01264b36
0x01264d3c
0x01264d40
0x01264d44
0x01264d48
0x01264d50
0x01264d58
0x01264d68
0x01264d6d
0x01264d6f
0x01264d73
0x01264d9d
0x01264db6
0x01264dbd
0x01264dd0
0x01264dd2
0x01264dda
0x01264de6
0x01264dee
0x01264dfa
0x01264dfb
0x01264e03
0x01264e08
0x00000000
0x00000000
0x00000000
0x00000000
0x01264d75
0x01264d75
0x01264d82
0x01264d8f
0x01264d92
0x01264d96
0x01264d97
0x01264d97
0x00000000
0x01264b3c
0x01264b43
0x01264b4b
0x01264b57
0x01264b58
0x01264b60
0x01264b6a
0x01264b72
0x01264b78
0x01264b80
0x01264b84
0x00000000
0x01264b84
0x01264b36
0x0126473a
0x0126473e
0x01264748
0x01264755
0x01264758
0x0126475a
0x0126475e
0x01264767
0x0126476f
0x01264779
0x0126477b
0x0126477f
0x01264781
0x012647ad
0x012647ad
0x012647b5
0x012647b7
0x012647bc
0x012647bc
0x012647bf
0x012647c3
0x01264819
0x0126481c
0x01264821
0x01264822
0x01264826
0x0126482f
0x01264833
0x0126483a
0x01264841
0x01264848
0x0126484f
0x01264856
0x0126485d
0x01264864
0x0126486b
0x01264872
0x01264882
0x0126488a
0x0126488f
0x0126489a
0x0126489f
0x012648a1
0x012648c4
0x012648c4
0x012648c9
0x012648ce
0x00000000
0x00000000
0x012648d4
0x012648d8
0x012648d8
0x012648db
0x012648de
0x012648e0
0x012648e2
0x012648f7
0x012648f7
0x012648f7
0x012648fa
0x012648fa
0x012648fc
0x01264a5d
0x01264a60
0x01264a62
0x01264a64
0x01264a79
0x01264a79
0x01264a79
0x01264a7c
0x01264a7c
0x01264a7e
0x01264cbf
0x01264cc7
0x01264cd3
0x01264cdb
0x01264ce7
0x01264cef
0x01264cfb
0x01264cfc
0x01264d04
0x01264d0e
0x01264d16
0x01264d1c
0x01264d24
0x01264d28
0x01264d2a
0x01264d2f
0x01264d2f
0x01264d32
0x00000000
0x01264d32
0x01264a84
0x01264a87
0x00000000
0x01264a87
0x01264a66
0x01264a69
0x01264a69
0x01264a6b
0x00000000
0x00000000
0x01264a71
0x01264a72
0x01264a75
0x01264a77
0x00000000
0x00000000
0x00000000
0x01264a77
0x01264b8b
0x00000000
0x01264b8b
0x01264902
0x01264905
0x0126490c
0x00000000
0x0126490c
0x012648e4
0x012648e7
0x012648e7
0x012648e9
0x00000000
0x00000000
0x012648ef
0x012648f0
0x012648f3
0x012648f5
0x00000000
0x00000000
0x00000000
0x012648f5
0x01264a56
0x00000000
0x01264a8a
0x01264a92
0x01264a97
0x01264a9f
0x01264aa0
0x01264aa4
0x01264aa4
0x00000000
0x00000000
0x00000000
0x00000000
0x012648a3
0x012648a3
0x012648a9
0x012648b8
0x012648bd
0x012648c1
0x012648c1
0x012648c1
0x00000000
0x012647c5
0x012647c5
0x012647c9
0x012647d5
0x012647e4
0x012647e6
0x012647ea
0x012647ec
0x01264807
0x01264807
0x0126480f
0x01264811
0x01264816
0x01264816
0x00000000
0x01264811
0x012647f4
0x012647f7
0x012647fb
0x012647fd
0x01264c47
0x01264c4f
0x01264c53
0x01264c55
0x01264c5a
0x01264c5a
0x01264c64
0x01264c6c
0x01264c78
0x01264c79
0x01264c81
0x01264c8b
0x01264c93
0x01264c99
0x01264ca1
0x01264ca5
0x01264ca7
0x01264cac
0x01264cac
0x01264caf
0x00000000
0x01264caf
0x01264803
0x00000000
0x01264803
0x012647c3
0x01264783
0x01264786
0x01264789
0x01264b92
0x01264b9d
0x01264ba7
0x01264baf
0x01264bbb
0x01264bbc
0x01264bc4
0x01264bc9
0x012649e2
0x012649e7
0x012649ed
0x012649f5
0x012649f9
0x012649fb
0x01264a00
0x01264a00
0x01264a03
0x00000000
0x01264a03
0x0126478f
0x01264791
0x00000000
0x00000000
0x0126479a
0x0126479d
0x012647a1
0x012647a3
0x01264bd6
0x01264bde
0x01264be2
0x01264be4
0x01264be9
0x01264be9
0x01264bf3
0x01264bfb
0x01264c07
0x01264c08
0x01264c10
0x01264c1a
0x01264c22
0x01264c28
0x01264c30
0x01264c34
0x01264c36
0x01264c3b
0x01264c3b
0x01264c3e
0x00000000
0x01264c3e
0x012647a9
0x00000000
0x01264aae
0x01264ac5
0x01264acf
0x01264ad7
0x01264ae3
0x01264aeb
0x01264af0
0x01264af8
0x01264af8
0x01264b02
0x01264b02
0x00000000
0x00000000
0x00000000
0x00000000
0x01264580
0x01264580
0x0126458a
0x0126458d
0x0126458f
0x01264593
0x0126459b
0x012645a0
0x012645a1
0x012645a9
0x012645ac
0x012645ae
0x012645b3
0x012645b7
0x012645b9
0x00000000
0x00000000
0x012645bf
0x012645c3
0x012645cb
0x012645cf
0x01264618
0x01264618
0x0126461c
0x01264a0d
0x01264a15
0x01264a19
0x01264a1b
0x01264a20
0x01264a20
0x01264a2a
0x01264a32
0x01264a3e
0x01264a3f
0x01264a47
0x01264a4c
0x00000000
0x01264a4c
0x01264622
0x01264629
0x0126462c
0x01264630
0x01264634
0x0126465a
0x01264661
0x01264664
0x01264668
0x01264670
0x01264672
0x01264682
0x01264682
0x01264674
0x01264674
0x01264676
0x01264678
0x0126467d
0x0126467d
0x01264678
0x01264684
0x01264691
0x01264696
0x0126469e
0x012646a0
0x012646a5
0x012646a5
0x012646a8
0x012646b0
0x012646b4
0x012646b6
0x012646bb
0x012646bb
0x012646be
0x012646c6
0x012646ca
0x012646cc
0x012646d1
0x012646d1
0x012646d4
0x012646dc
0x012646e0
0x00000000
0x00000000
0x00000000
0x00000000
0x012646e0
0x0126463b
0x01264652
0x01264657
0x01264657
0x00000000
0x01264657
0x012645d1
0x012645d5
0x00000000
0x00000000
0x012645d7
0x012645db
0x0126499b
0x012649a3
0x012649a7
0x012649a9
0x012649ae
0x012649ae
0x012649b8
0x012649c0
0x012649cc
0x012649cd
0x012649d5
0x012649da
0x00000000
0x012649da
0x012645e1
0x012645e8
0x012645eb
0x012645ef
0x012645f3
0x00000000
0x00000000
0x012645fa
0x01264611
0x00000000
0x01264611
0x01264914
0x0126491c
0x01264920
0x01264922
0x01264927
0x01264927
0x0126492a
0x01264932
0x01264936
0x01264938
0x0126493d
0x0126493d
0x01264947
0x0126494f
0x0126495b
0x0126495c
0x01264964
0x0126496e
0x01264976
0x0126497c
0x01264984
0x01264988
0x0126498a
0x0126498f
0x0126498f
0x01264992
0x00000000
0x01264505
0x0126450c
0x01264514
0x01264520
0x01264521
0x01264529
0x0126452e
0x01264536
0x0126453b
0x01264541
0x01264549
0x0126454d
0x0126454f
0x0126454f
0x01264554
0x01264554
0x01264557
0x01264557
0x01264563
0x01264564
0x01264569
0x00000000
0x01264569
0x01264503
0x0126447a
0x01264481
0x01264483
0x01264485
0x00000000
0x00000000
0x00000000
0x0126431f
0x0126431f
0x01264321
0x01264327
0x01264329
0x01264338
0x01264338
0x0126432b
0x0126432b
0x0126432e
0x01264334
0x01264334
0x0126433a
0x0126433e
0x01264340
0x01264345
0x01264345
0x0126434c
0x01264358
0x0126435e
0x01264364
0x0126436a
0x0126436f
0x01264372
0x01264379
0x0126437e
0x01264384
0x01264386
0x01264398
0x01264398
0x01264388
0x01264388
0x0126438b
0x01264391
0x01264394
0x01264394
0x0126439a
0x0126439e
0x012643a0
0x012643a5
0x012643a5
0x012643a8
0x012643ab
0x012643b3
0x012643b8
0x012643c1
0x012643c5
0x012643c9
0x012643d6
0x012643d9
0x012643dd
0x012643e2
0x012643ed
0x012643f0
0x012643fb
0x012643fe
0x01264402
0x01264405
0x01264409
0x0126440b
0x0126440b
0x01264414
0x00000000
0x01264414
0x01264296
0x01264296
0x0126429b
0x012642a2
0x012642b0
0x012642b0

Strings

", xrefs: 01264E08

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: H_prolog3_
String ID: "
API String ID: 2427045233-123907689
Opcode ID: d91ad1655ee9acfb9d8afaa22ee9b3376503fb4ef13c40dbaf0745b06071bfc0
Instruction ID: 1f294105fef7ae5330ef8876f8911645ebda914b99a7cbd49f7ea5849219101b
Opcode Fuzzy Hash: d91ad1655ee9acfb9d8afaa22ee9b3376503fb4ef13c40dbaf0745b06071bfc0
Instruction Fuzzy Hash: 3D726D705183C2DFD721DF68C484BAABBE8BF99304F044A5DE5C98B291D774E885CB62

Uniqueness

Uniqueness Score: -1.00%

Function 01257A0A Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 89
fileCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E01257A0A(long* __ebx, WCHAR* _a4) {
				signed int _v12;
				short _v20;
				short _v28;
				intOrPtr _v48;
				void _v56;
				void* _v60;
				int _v64;
				long _v68;
				void* __edi;
				void* __esi;
				signed int _t19;
				WCHAR* _t21;
				int _t22;
				signed int _t25;
				long _t30;
				void* _t34;
				void* _t40;
				signed int _t43;
				void* _t49;
				void* _t53;
				signed int _t56;

				_t42 = __ebx;
				_t19 =  *0x127a050; // 0xa41d0fe1
				_v12 = _t19 ^ _t56;
				_t21 = _a4;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v60 = _t21;
				asm("movsw"); // executed
				_t22 = GetDriveTypeW(_t21); // executed
				 *__ebx = _t22;
				_t43 = 6;
				memset( &_v56, 0, _t43 << 2);
				_t53 = SetErrorMode;
				_v68 = 0;
				_t25 = SetErrorMode(0); // executed
				_v64 = _t25;
				SetErrorMode(_t25 | 0x00000001); // executed
				_t30 =  *__ebx;
				if(_t30 == 0) {
					_v20 =  *_v60;
					_t34 = CreateFileW( &_v28, 0x80000000, 3, 0, 3, 0, 0);
					_v60 = _t34;
					if(_t34 != 0xffffffff) {
						if(DeviceIoControl(_t34, 0x70000, 0, 0,  &_v56, 0x18,  &_v68, 0) == 0 || _v48 != 0xb) {
							 *_t42 = 0;
							CloseHandle(_v60);
						}
						L9:
						SetErrorMode(_v64); // executed
						return E012691D5(0, _t42, _v12 ^ _t56, _t49, _t53, 0);
					}
					L5:
					 *_t42 = 0;
					goto L9;
				}
				_t40 = _t30 - 1;
				if(_t40 == 0) {
					goto L9;
				}
				if(_t40 != 3) {
					goto L5;
				}
				 *__ebx = 3;
				goto L9;
			}

0x01257a0a
0x01257a12
0x01257a19
0x01257a1c
0x01257a29
0x01257a2a
0x01257a2b
0x01257a2d
0x01257a30
0x01257a32
0x01257a3a
0x01257a3c
0x01257a44
0x01257a46
0x01257a4d
0x01257a50
0x01257a52
0x01257a59
0x01257a5e
0x01257a5f
0x01257a7e
0x01257a8b
0x01257a91
0x01257a97
0x01257ab8
0x01257ac3
0x01257ac5
0x01257ac5
0x01257acb
0x01257ace
0x01257adf
0x01257adf
0x01257a99
0x01257a99
0x00000000
0x01257a99
0x01257a61
0x01257a62
0x00000000
0x00000000
0x01257a67
0x00000000
0x00000000
0x01257a69
0x00000000

APIs

GetDriveTypeW.KERNELBASE(01257887,00000000,?), ref: 01257A32
SetErrorMode.KERNELBASE(00000000), ref: 01257A50
SetErrorMode.KERNELBASE(00000000), ref: 01257A59
CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 01257A8B
DeviceIoControl.KERNEL32 ref: 01257AB0
CloseHandle.KERNEL32(?), ref: 01257AC5
SetErrorMode.KERNELBASE(?), ref: 01257ACE

Strings

\\.\?:, xrefs: 01257A21

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: ErrorMode$CloseControlCreateDeviceDriveFileHandleType
String ID: \\.\?:
API String ID: 1714706890-2364848050
Opcode ID: ce6d468eb5fb3ea574717c397e9c7bab8062945f0546764d848f301c4bc5404c
Instruction ID: 8e4d6f13d384510250e90f1a6d332cd8d9b97a5cef235debf5424e48b0a36d19
Opcode Fuzzy Hash: ce6d468eb5fb3ea574717c397e9c7bab8062945f0546764d848f301c4bc5404c
Instruction Fuzzy Hash: F4212B71920219BBDB21DFA9E888BDEBFB9EF45320F004415FA05E7184D7719641CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01258E9C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41
timeCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E01258E9C(intOrPtr __ebx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi) {
				signed int _v8;
				struct _SYSTEMTIME _v24;
				struct _SYSTEMTIME _v40;
				struct _TIME_ZONE_INFORMATION _v212;
				signed int _t14;
				intOrPtr _t34;
				signed int _t37;

				_t34 = __edx;
				_t14 =  *0x127a050; // 0xa41d0fe1
				_v8 = _t14 ^ _t37;
				GetTimeZoneInformation( &_v212); // executed
				GetSystemTime( &_v40);
				SystemTimeToTzSpecificLocalTime( &_v212,  &_v40,  &_v24); // executed
				_push(_v24.wSecond & 0x0000ffff);
				_push(_v24.wMinute & 0x0000ffff);
				_push(_v24.wHour & 0x0000ffff);
				_push(_v24.wDay & 0x0000ffff);
				return E012691D5(E01258B7E(__esi, L"%04d/%02d/%02d %02d:%02d:%02d", _v24.wYear & 0x0000ffff), __ebx, _v8 ^ _t37, _t34, __edi, __esi, _v24.wMonth & 0x0000ffff);
			}

0x01258e9c
0x01258ea7
0x01258eae
0x01258eb8
0x01258ec2
0x01258ed7
0x01258ee1
0x01258ee6
0x01258eeb
0x01258ef0
0x01258f14

APIs

GetTimeZoneInformation.KERNELBASE(?), ref: 01258EB8
GetSystemTime.KERNEL32(?), ref: 01258EC2
SystemTimeToTzSpecificLocalTime.KERNELBASE(?,?,?), ref: 01258ED7

Strings

%04d/%02d/%02d %02d:%02d:%02d, xrefs: 01258EFB

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: Time$System$InformationLocalSpecificZone
String ID: %04d/%02d/%02d %02d:%02d:%02d
API String ID: 1716759327-2911751566
Opcode ID: 3c5073ccb224f5185fa0a6953e552454f013f7d43a54e761c606325fb7760012
Instruction ID: 73c01b49d7d61cb0d758c3da2cd2b68d0ba7135e6d8a0a13672ab29539ad3a29
Opcode Fuzzy Hash: 3c5073ccb224f5185fa0a6953e552454f013f7d43a54e761c606325fb7760012
Instruction Fuzzy Hash: 9101A87290021DAACB60DBE6D948FFFB7FCAF0C605F104496F945E2144EA38AA84D771

Uniqueness

Uniqueness Score: -1.00%

Function 01260BD0 Relevance: 3.6, APIs: 2, Instructions: 576
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E01260BD0(void* __ebx, void* __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t342;
				intOrPtr _t343;
				signed int _t356;
				intOrPtr _t358;
				signed int _t359;
				signed int _t360;
				intOrPtr _t362;
				void* _t377;
				signed int _t386;
				signed int* _t390;
				signed int _t397;
				signed int _t413;
				intOrPtr _t416;
				signed int _t423;
				signed int _t437;
				signed int _t440;
				signed int _t448;
				signed int _t453;
				signed int _t455;
				signed int _t462;
				signed int _t463;
				intOrPtr _t468;
				signed int _t474;
				signed int _t481;
				signed int _t490;
				signed int _t494;
				signed int* _t496;
				intOrPtr* _t498;
				signed int _t504;
				signed int _t508;
				signed int _t509;
				signed int _t513;
				void* _t520;

				_t481 = __edx;
				_push(0xec);
				E01274DF4(0x1276d2e, __ebx, __edi, __esi);
				_t503 =  *(_t520 + 8);
				_t342 = E0125EB62(__edx,  *((intOrPtr*)( *(_t520 + 8) + 0x18)));
				 *(_t520 - 0x24) = _t342;
				 *(_t520 - 0x20) = __edx;
				if(_t342 != 2 || __edx != 0) {
					L6:
					_t343 = 4;
					 *((intOrPtr*)(_t520 - 0x4c)) = 0;
					 *((intOrPtr*)(_t520 - 0x48)) = 0;
					 *((intOrPtr*)(_t520 - 0x44)) = 0;
					 *((intOrPtr*)(_t520 - 0x40)) = _t343;
					 *((intOrPtr*)(_t520 - 0x50)) = 0x12554b8;
					 *(_t520 - 4) = 0;
					if( *(_t520 - 0x24) != 3 ||  *(_t520 - 0x20) != 0) {
						_t448 =  *(_t520 + 0xc);
						goto L13;
					} else {
						_t448 =  *(_t520 + 0xc);
						_push(_t520 - 0x50);
						_t498 = _t448 + 0x150;
						_push(_t498);
						_push( *((intOrPtr*)(_t448 + 0x144)));
						_push( *((intOrPtr*)(_t448 + 0x140)));
						_t437 = E0125F9FE(_t448, _t498, _t503, _t503);
						_t527 = _t437;
						if(_t437 == 0) {
							 *_t498 =  *_t498 +  *((intOrPtr*)(_t448 + 0x140));
							asm("adc [edi+0x4], eax");
							_t440 = E0125EB62(_t481,  *((intOrPtr*)(_t503 + 0x18)));
							 *(_t520 - 0x24) = _t440;
							 *(_t520 - 0x20) = _t481;
							_t343 = 4;
							L13:
							_t504 = 0;
							 *((intOrPtr*)(_t520 - 0xbc)) = 0;
							 *((intOrPtr*)(_t520 - 0xb8)) = 0;
							 *((intOrPtr*)(_t520 - 0xb4)) = 0;
							 *((intOrPtr*)(_t520 - 0xb0)) = 8;
							 *(_t520 - 0xc0) = 0x12552d4;
							 *((intOrPtr*)(_t520 - 0xa8)) = 0;
							 *((intOrPtr*)(_t520 - 0xa4)) = 0;
							 *((intOrPtr*)(_t520 - 0xa0)) = 0;
							 *(_t520 - 0x9c) = 1;
							 *(_t520 - 0xac) = 0x12552d4;
							 *((intOrPtr*)(_t520 - 0x94)) = 0;
							 *((intOrPtr*)(_t520 - 0x90)) = 0;
							 *((intOrPtr*)(_t520 - 0x8c)) = 0;
							 *((intOrPtr*)(_t520 - 0x88)) = _t343;
							 *(_t520 - 0x98) = 0x12552d4;
							 *(_t520 - 4) = 3;
							__eflags =  *(_t520 - 0x24) - _t343;
							if( *(_t520 - 0x24) != _t343) {
								L19:
								 *(_t520 - 0x18) = _t504;
								__eflags =  *((intOrPtr*)(_t448 + 0x44)) - _t504;
								if( *((intOrPtr*)(_t448 + 0x44)) <= _t504) {
									L17:
									_t489 = _t448 + 0x64;
									_t453 = _t489;
									 *(_t520 - 0x28) = _t489;
									 *((intOrPtr*)( *_t489 + 4))(_t504,  *((intOrPtr*)(_t489 + 8)));
									__eflags =  *(_t520 - 0x24) |  *(_t520 - 0x20);
									if(( *(_t520 - 0x24) |  *(_t520 - 0x20)) != 0) {
										L35:
										__eflags =  *(_t520 - 0x24) - 5;
										if( *(_t520 - 0x24) != 5) {
											L37:
											E0125EA39(_t448, _t453);
											L38:
											 *(_t520 - 0x14) = E0125E6C6( *(_t520 + 8), _t448, _t481);
											E01262C43(_t350, _t489);
											_t448 = 0;
											__eflags =  *(_t520 - 0x14);
											if( *(_t520 - 0x14) <= 0) {
												L44:
												_t490 =  *(_t520 + 0xc);
												_t506 = _t490 + 0x158;
												 *(_t520 - 0x28) = _t490 + 0x158;
												E0126192F(_t490 + 0x158, 9, _t448);
												__eflags =  *((intOrPtr*)(_t490 + 8)) - _t448;
												if( *((intOrPtr*)(_t490 + 8)) != _t448) {
													E0126192F(_t506, 6, _t448);
												}
												__eflags =  *(_t520 - 0x14) - _t448;
												if( *(_t520 - 0x14) > _t448) {
													__eflags =  *((intOrPtr*)(_t520 - 0x90)) - _t448;
													if( *((intOrPtr*)(_t520 - 0x90)) != _t448) {
														E0126192F(_t506, 0xa, _t448);
													}
												}
												_t507 = 0x12552d4;
												 *(_t520 - 0x60) = _t448;
												 *(_t520 - 0x5c) = _t448;
												 *(_t520 - 0x58) = _t448;
												 *((intOrPtr*)(_t520 - 0x54)) = 1;
												 *(_t520 - 0x64) = 0x12552d4;
												 *(_t520 - 4) = 6;
												E0125E71C( *(_t520 - 0x14), _t520 - 0x64);
												 *(_t520 - 0xe4) = _t448;
												 *(_t520 - 0xe0) = _t448;
												 *(_t520 - 0xdc) = _t448;
												 *((intOrPtr*)(_t520 - 0xd8)) = 1;
												 *(_t520 - 0xe8) = 0x12552d4;
												 *(_t520 - 0xd0) = _t448;
												 *(_t520 - 0xcc) = _t448;
												 *(_t520 - 0xc8) = _t448;
												 *((intOrPtr*)(_t520 - 0xc4)) = 1;
												 *(_t520 - 0xd4) = 0x12552d4;
												 *(_t520 - 4) = 8;
												 *(_t520 - 0x1c) = _t448;
												while(1) {
													_t356 = E0125EB62(_t481,  *((intOrPtr*)( *(_t520 + 8) + 0x18)));
													 *(_t520 - 0x34) = _t356;
													__eflags = _t356 | _t481;
													 *(_t520 - 0x30) = _t481;
													if((_t356 | _t481) == 0) {
														break;
													}
													_t508 =  *(_t520 + 8);
													_t489 =  *(_t508 + 0x18);
													_t358 = E0125EB62(_t481,  *(_t508 + 0x18));
													_t453 =  *(_t508 + 0x18);
													 *(_t520 - 0x38) = _t481;
													 *((intOrPtr*)(_t520 - 0x3c)) = _t358;
													 *(_t520 - 0x20) =  *(_t453 + 8);
													__eflags =  *(_t520 - 0x30) - _t448;
													if(__eflags > 0) {
														L87:
														_t507 =  *(_t453 + 8);
														_t481 =  *((intOrPtr*)(_t453 + 4)) - _t507;
														__eflags =  *(_t520 - 0x38) - _t448;
														if(__eflags > 0) {
															goto L37;
														}
														if(__eflags < 0) {
															L90:
															_t359 = _t358 + _t507;
															__eflags = _t359;
															 *(_t453 + 8) = _t359;
															L91:
															_t360 =  *(_t520 + 0xc);
															__eflags =  *((intOrPtr*)(_t360 + 0x130)) - _t448;
															if( *((intOrPtr*)(_t360 + 0x130)) > _t448) {
																L93:
																_t362 =  *((intOrPtr*)( *(_t520 + 8) + 0x18));
																_t453 = 0;
																__eflags =  *((intOrPtr*)(_t362 + 8)) -  *(_t520 - 0x20) -  *((intOrPtr*)(_t520 - 0x3c));
																if( *((intOrPtr*)(_t362 + 8)) -  *(_t520 - 0x20) !=  *((intOrPtr*)(_t520 - 0x3c))) {
																	goto L37;
																}
																__eflags = 0 -  *(_t520 - 0x38);
																if(0 !=  *(_t520 - 0x38)) {
																	goto L37;
																}
																continue;
															}
															__eflags =  *((char*)(_t360 + 0x131)) - 2;
															if( *((char*)(_t360 + 0x131)) <= 2) {
																continue;
															}
															goto L93;
														}
														__eflags = _t358 - _t481;
														if(_t358 > _t481) {
															goto L37;
														}
														goto L90;
													}
													if(__eflags < 0) {
														L53:
														_t481 =  *(_t520 - 0x34) + 0xfffffff2;
														__eflags = _t481 - 0xb;
														if(__eflags > 0) {
															goto L87;
														}
														switch( *((intOrPtr*)(_t481 * 4 +  &M012613AC))) {
															case 0:
																__ecx =  *(__ebp - 0x14);
																__ebp - 0x64 = E0125F8B4(__ebp - 0x64,  *(__ebp - 0x14), __esi);
																__eax = 0;
																__eflags =  *((intOrPtr*)(__ebp - 0x5c)) - __ebx;
																if( *((intOrPtr*)(__ebp - 0x5c)) <= __ebx) {
																	L70:
																	__eax =  *(__ebp - 0x1c);
																	__ecx = __ebp - 0xe8;
																	__eax = E0125E71C( *(__ebp - 0x1c), __ebp - 0xe8);
																	__eax =  *(__ebp - 0x1c);
																	__ecx = __ebp - 0xd4;
																	__eax = E0125E71C( *(__ebp - 0x1c), __ebp - 0xd4);
																	goto L59;
																} else {
																	goto L67;
																}
																do {
																	L67:
																	__ecx =  *(__ebp - 0x58);
																	__eflags =  *((intOrPtr*)(__ecx + __eax)) - __bl;
																	if( *((intOrPtr*)(__ecx + __eax)) != __bl) {
																		_t234 = __ebp - 0x1c;
																		 *_t234 =  *(__ebp - 0x1c) + 1;
																		__eflags =  *_t234;
																	}
																	__eax = __eax + 1;
																	__eflags = __eax -  *((intOrPtr*)(__ebp - 0x5c));
																} while (__eax <  *((intOrPtr*)(__ebp - 0x5c)));
																goto L70;
															case 1:
																__eax = __ebp - 0xe8;
																goto L72;
															case 2:
																__eax = __ebp - 0xd4;
																L72:
																__ecx =  *(__ebp - 0x1c);
																__eax = E0125F8B4(__eax,  *(__ebp - 0x1c), __esi);
																goto L59;
															case 3:
																 *(_t520 - 0xf4) = _t448;
																 *(_t520 - 4) = 9;
																E0125EB19(_t520 - 0xf8, _t481, _t489, _t520 - 0x50,  *(_t520 + 8));
																_t367 =  *(_t520 + 0xc);
																_t512 = 0;
																__eflags =  *((intOrPtr*)(_t367 + 0x6c)) - _t448;
																if( *((intOrPtr*)(_t367 + 0x6c)) <= _t448) {
																	L57:
																	 *(_t520 - 4) = 8;
																	E0125EA6A(_t520 - 0xf8);
																	goto L58;
																} else {
																	goto L56;
																}
																do {
																	L56:
																	E0125EBFA( *((intOrPtr*)( *(_t520 + 8) + 0x18)), _t453,  *((intOrPtr*)( *((intOrPtr*)( *(_t520 + 0xc) + 0x70)) + _t512 * 4)) + 0x10);
																	_t376 =  *(_t520 + 0xc);
																	_t512 = _t512 + 1;
																	__eflags = _t512 -  *((intOrPtr*)(_t376 + 0x6c));
																} while (_t512 <  *((intOrPtr*)(_t376 + 0x6c)));
																goto L57;
															case 4:
																__edi =  *(__ebp + 0xc);
																__edi =  *(__ebp + 0xc) + 0x78;
																goto L75;
															case 5:
																__edi =  *(__ebp + 0xc);
																__edi =  *(__ebp + 0xc) + 0xa0;
																goto L75;
															case 6:
																__edi =  *(__ebp + 0xc);
																__edi =  *(__ebp + 0xc) + 0xc8;
																goto L75;
															case 7:
																 *((intOrPtr*)(__ebp - 0x74)) = __ebx;
																 *((intOrPtr*)(__ebp - 0x70)) = __ebx;
																 *((intOrPtr*)(__ebp - 0x6c)) = __ebx;
																 *(__ebp - 0x68) = 1;
																 *(__ebp - 0x78) = 0x12552d4;
																__eax =  *(__ebp + 0xc);
																 *((char*)(__ebp - 4)) = 0xa;
																__ecx =  *( *(__ebp + 0xc) + 0x6c);
																__ebp - 0x78 = E0125F90F(__ebp - 0x78,  *( *(__ebp + 0xc) + 0x6c),  *(__ebp + 8));
																 *((char*)(__ebp - 0xec)) = __bl;
																__esi = __ebp - 0x50;
																__eax = __ebp - 0xf0;
																 *((char*)(__ebp - 4)) = 0xb;
																__eax = E0125EB19(__ebp - 0xf0, __edx, __edi, __esi,  *(__ebp + 8));
																__eax = 0;
																 *(__ebp - 0x18) = 0;
																__eflags =  *(__ebp - 0x14) - __ebx;
																if( *(__ebp - 0x14) <= __ebx) {
																	L65:
																	__ebx = __ebp - 0xf0;
																	 *((char*)(__ebp - 4)) = 0xa;
																	__eax = E0125EA6A(__ebx);
																	__ecx = __ebp - 0x78;
																	 *((char*)(__ebp - 4)) = 8;
																	__eax = E01262BD6(__ebp - 0x78);
																	L58:
																	_t448 = 0;
																	__eflags = 0;
																	goto L59;
																} else {
																	goto L61;
																}
																do {
																	L61:
																	 *(__ebp + 0xc) =  *( *(__ebp + 0xc) + 0x70);
																	__edx =  *((intOrPtr*)(__ebp - 0x6c));
																	__ecx =  *( *( *(__ebp + 0xc) + 0x70) + __eax * 4);
																	__al =  *((intOrPtr*)( *((intOrPtr*)(__ebp - 0x6c)) + __eax));
																	 *((char*)(__ecx + 0x1f)) = __al;
																	__eflags = __al - __bl;
																	if(__al == __bl) {
																		goto L64;
																	}
																	__eax =  *(__ebp + 8);
																	__eax =  *( *(__ebp + 8) + 0x18);
																	__edx =  *((intOrPtr*)(__eax + 8));
																	__esi = __edx + 4;
																	__eflags = __esi -  *((intOrPtr*)(__eax + 4));
																	if(__esi >  *((intOrPtr*)(__eax + 4))) {
																		goto L37;
																	}
																	__edi =  *__eax;
																	__edx =  *((intOrPtr*)(__edx + __edi));
																	 *((intOrPtr*)(__eax + 8)) = __esi;
																	 *((intOrPtr*)(__ecx + 8)) = __edx;
																	L64:
																	__eax =  *(__ebp - 0x18);
																	__eax =  *(__ebp - 0x18) + 1;
																	 *(__ebp - 0x18) = __eax;
																	__eflags = __eax -  *(__ebp - 0x14);
																} while (__eax <  *(__ebp - 0x14));
																goto L65;
															case 8:
																goto L87;
															case 9:
																__edi =  *(__ebp + 0xc);
																__edi =  *(__ebp + 0xc) + 0xf0;
																__eflags = __edi;
																L75:
																_push( *(__ebp - 0x14));
																__eax = __ebp - 0x50;
																_push(__ebp - 0x50);
																_push(__esi);
																__eax = E0125F95E(__ebx, __edx, __edi, __esi, __eflags);
																L59:
																_t507 =  *(_t520 - 0x28);
																E0126192F( *(_t520 - 0x28),  *(_t520 - 0x34),  *(_t520 - 0x30));
																goto L91;
															case 0xa:
																__edi = 0;
																__esi = 0;
																__eflags =  *((intOrPtr*)(__ebp - 0x38)) - __ebx;
																if(__eflags < 0) {
																	goto L91;
																}
																if(__eflags > 0) {
																	while(1) {
																		L82:
																		 *(__ebp + 8) = E0125E6A7( *(__ebp + 8), __ebx);
																		__eflags = __al;
																		if(__al != 0) {
																			goto L37;
																		}
																		__edi = __edi + 1;
																		asm("adc esi, ebx");
																		__eflags = __esi -  *((intOrPtr*)(__ebp - 0x38));
																		if(__eflags < 0) {
																			continue;
																		}
																		if(__eflags > 0) {
																			goto L91;
																		}
																		__eflags = __edi -  *((intOrPtr*)(__ebp - 0x3c));
																		if(__edi <  *((intOrPtr*)(__ebp - 0x3c))) {
																			continue;
																		}
																		goto L91;
																	}
																	goto L37;
																}
																__eflags =  *((intOrPtr*)(__ebp - 0x3c)) - __ebx;
																if( *((intOrPtr*)(__ebp - 0x3c)) <= __ebx) {
																	goto L91;
																}
																goto L82;
														}
													}
													__eflags =  *(_t520 - 0x34) - 0x40000000;
													if( *(_t520 - 0x34) > 0x40000000) {
														goto L87;
													}
													goto L53;
												}
												_t494 = 0;
												_t377 = 0;
												 *(_t520 - 0x28) = _t448;
												 *(_t520 + 8) = _t448;
												__eflags =  *(_t520 - 0x1c) - _t448;
												if( *(_t520 - 0x1c) <= _t448) {
													L100:
													_t455 = 0;
													 *(_t520 - 0x18) = 0;
													__eflags =  *(_t520 - 0x14) - _t448;
													if( *(_t520 - 0x14) <= _t448) {
														L107:
														 *(_t520 - 4) = 7;
														E01262BD6(_t520 - 0xd4);
														 *(_t520 - 4) = 6;
														E01262BD6(_t520 - 0xe8);
														 *(_t520 - 4) = 3;
														E01262BD6(_t520 - 0x64);
														 *(_t520 - 4) = 2;
														E01262BD6(_t520 - 0x98);
														 *(_t520 - 4) = 1;
														E01262BD6(_t520 - 0xac);
														 *(_t520 - 4) = _t448;
														E01262BD6(_t520 - 0xc0);
														 *(_t520 - 4) =  *(_t520 - 4) | 0xffffffff;
														_push(_t520 - 0x50);
														E012619EA(_t507, __eflags);
														_t386 = 0;
														__eflags = 0;
														L108:
														return E01274EE0(_t386);
													} else {
														goto L101;
													}
													do {
														L101:
														__eflags =  *((intOrPtr*)( *(_t520 - 0x58) + _t455)) - _t448;
														_t390 =  *( *((intOrPtr*)( *(_t520 + 0xc) + 0x70)) + _t455 * 4);
														_t462 = _t455 & 0xffffff00 |  *((intOrPtr*)( *(_t520 - 0x58) + _t455)) == _t448;
														_t390[7] = _t462;
														__eflags = _t462 - _t448;
														if(_t462 == _t448) {
															_t463 =  *(_t520 - 0xdc);
															_t509 =  *(_t520 - 0x28);
															__eflags =  *((intOrPtr*)(_t463 + _t509)) - _t448;
															_t390[7] = _t463 & 0xffffff00 |  *((intOrPtr*)(_t463 + _t509)) == _t448;
															_t507 = _t509 + 1;
															__eflags = _t507;
															 *(_t520 - 0x1c) =  *((intOrPtr*)( *(_t520 - 0xc8) + _t509));
															 *(_t520 - 0x28) = _t507;
															 *_t390 = _t448;
															_t390[1] = _t448;
															_t390[7] = _t448;
														} else {
															_t390[7] = _t448;
															_t468 =  *((intOrPtr*)(_t520 - 0xb4));
															 *_t390 =  *(_t468 + _t494 * 8);
															_t390[1] =  *(_t468 + 4 + _t494 * 8);
															_t390[3] =  *( *((intOrPtr*)(_t520 - 0x8c)) + _t494 * 4);
															 *(_t520 - 0x1c) = _t448;
															_t390[7] =  *((intOrPtr*)( *((intOrPtr*)(_t520 - 0xa0)) + _t494));
															_t494 = _t494 + 1;
														}
														__eflags =  *(_t520 + 8) - _t448;
														if( *(_t520 + 8) != _t448) {
															_t507 =  *(_t520 + 0xc) + 0x118;
															__eflags =  *(_t520 + 0xc) + 0x118;
															E012619C0( *(_t520 + 0xc) + 0x118,  *(_t520 - 0x1c));
														}
														_t455 =  *(_t520 - 0x18) + 1;
														 *(_t520 - 0x18) = _t455;
														__eflags = _t455 -  *(_t520 - 0x14);
													} while (_t455 <  *(_t520 - 0x14));
													goto L107;
												} else {
													goto L97;
												}
												do {
													L97:
													_t474 =  *(_t520 - 0xc8);
													__eflags =  *((intOrPtr*)(_t474 + _t377)) - _t448;
													if( *((intOrPtr*)(_t474 + _t377)) != _t448) {
														_t277 = _t520 + 8;
														 *_t277 =  *(_t520 + 8) + 1;
														__eflags =  *_t277;
													}
													_t377 = _t377 + 1;
													__eflags = _t377 -  *(_t520 - 0x1c);
												} while (_t377 <  *(_t520 - 0x1c));
												goto L100;
											}
											 *(_t520 - 0x18) =  *(_t520 - 0x14);
											do {
												E0125C403(_t520 - 0x74);
												 *(_t520 - 0x68) = 1;
												 *(_t520 - 4) = 4;
												_t397 = E012735E6(0x20); // executed
												_t513 = _t397;
												 *(_t520 - 0x20) = _t513;
												 *(_t520 - 4) = 5;
												__eflags = _t513 - _t448;
												if(_t513 == _t448) {
													_t513 = 0;
													__eflags = 0;
												} else {
													 *_t513 =  *((intOrPtr*)(_t520 - 0x84));
													 *((intOrPtr*)(_t513 + 4)) =  *((intOrPtr*)(_t520 - 0x80));
													 *((intOrPtr*)(_t513 + 8)) =  *((intOrPtr*)(_t520 - 0x7c));
													 *((intOrPtr*)(_t513 + 0xc)) =  *((intOrPtr*)(_t520 - 0x78));
													_t123 = _t513 + 0x10; // 0x10
													E0125D91E(_t123, _t448, _t520 - 0x74);
													_t489 =  *(_t520 - 0x28);
													 *(_t513 + 0x1c) = 1;
												}
												 *(_t520 - 4) = 4;
												E01264F46(_t481, _t489, _t513);
												 *(_t520 - 4) = 3;
												_push( *((intOrPtr*)(_t520 - 0x74)));
												E01273539();
												_t130 = _t520 - 0x18;
												 *_t130 =  *(_t520 - 0x18) - 1;
												__eflags =  *_t130;
											} while ( *_t130 != 0);
											goto L44;
										}
										__eflags =  *(_t520 - 0x20) - _t504;
										if( *(_t520 - 0x20) == _t504) {
											goto L38;
										}
										goto L37;
									}
									 *(_t520 - 4) = 2;
									E01262BD6(_t520 - 0x98);
									 *(_t520 - 4) = 1;
									E01262BD6(_t520 - 0xac);
									 *(_t520 - 4) = 0;
									E01262BD6(_t520 - 0xc0);
									L10:
									 *(_t520 - 4) =  *(_t520 - 4) | 0xffffffff;
									_push(_t520 - 0x50);
									E012619EA(_t504, _t527);
									_t386 = _t504;
									goto L108;
								} else {
									goto L20;
								}
								do {
									L20:
									_t504 = _t448 + 0x50;
									E01264F46(_t481, _t504, 1);
									_t489 =  *( *((intOrPtr*)(_t448 + 0x48)) +  *(_t520 - 0x18) * 4);
									_t413 =  *(_t489 + 0x44);
									__eflags = _t413;
									if(_t413 != 0) {
										_t453 = _t413 - 1;
										while(1) {
											__eflags = _t453;
											if(_t453 < 0) {
												break;
											}
											_t481 =  *(_t489 + 0x1c);
											__eflags = _t481;
											if(_t481 <= 0) {
												L28:
												_t504 = 0xffffffff;
												__eflags = 0xffffffff;
												L29:
												__eflags = _t504;
												if(_t504 < 0) {
													_t416 =  *((intOrPtr*)(_t489 + 0x48));
													_t481 =  *(_t416 + _t453 * 8);
													_t413 =  *(_t416 + 4 + _t453 * 8);
													goto L32;
												}
												_t453 = _t453 - 1;
												continue;
											}
											_t423 =  *((intOrPtr*)(_t489 + 0x20)) + 4;
											__eflags = _t423;
											while(1) {
												__eflags =  *_t423 - _t453;
												if( *_t423 == _t453) {
													goto L29;
												}
												_t504 = 1;
												_t423 = _t423 + 8;
												__eflags = 1 - _t481;
												if(1 < _t481) {
													continue;
												}
												goto L28;
											}
											goto L29;
										}
										 *(_t520 - 0x28) = 1;
										E01273B07(_t520 - 0x28, 0x12771d8);
										goto L35;
									}
									_t481 = 0;
									L32:
									E0126192F(_t520 - 0xc0, _t481, _t413);
									E012619C0(_t520 - 0xac,  *(_t489 + 0x54) & 0x000000ff);
									E01264F46(_t481, _t520 - 0x98,  *((intOrPtr*)(_t489 + 0x50)));
									 *(_t520 - 0x18) =  *(_t520 - 0x18) + 1;
									__eflags =  *(_t520 - 0x18) -  *((intOrPtr*)(_t448 + 0x44));
								} while ( *(_t520 - 0x18) <  *((intOrPtr*)(_t448 + 0x44)));
								L16:
								_t504 = 0;
								__eflags = 0;
								goto L17;
							}
							__eflags =  *(_t520 - 0x20);
							if( *(_t520 - 0x20) != 0) {
								goto L19;
							}
							_t496 = _t448 + 0x148;
							E0125F833(_t481,  *(_t520 + 8), _t520 - 0x50, _t496, _t448, _t448 + 0x14, _t448 + 0x28, _t448 + 0x3c, _t448 + 0x50, _t520 - 0xc0, _t520 - 0xac, _t520 - 0x98);
							 *_t496 =  *_t496 +  *((intOrPtr*)(_t448 + 0x140));
							__eflags =  *_t496;
							asm("adc [edi+0x4], eax");
							 *(_t520 - 0x24) = E0125EB62(_t481,  *((intOrPtr*)( *(_t520 + 8) + 0x18)));
							 *(_t520 - 0x20) = _t481;
							goto L16;
						}
						_t504 = _t437;
						goto L10;
					}
				} else {
					while((E0125EB62(_t481,  *((intOrPtr*)(_t503 + 0x18))) | _t481) != 0) {
						E0125E6E8(_t503, _t481);
					}
					 *(_t520 - 0x24) = E0125EB62(_t481,  *((intOrPtr*)(_t503 + 0x18)));
					 *(_t520 - 0x20) = _t481;
					goto L6;
				}
			}

0x01260bd0
0x01260bd0
0x01260bda
0x01260bdf
0x01260be5
0x01260bec
0x01260bef
0x01260bf5
0x01260c1e
0x01260c20
0x01260c21
0x01260c24
0x01260c27
0x01260c2a
0x01260c2d
0x01260c34
0x01260c3b
0x01260ca0
0x00000000
0x01260c42
0x01260c42
0x01260c48
0x01260c49
0x01260c4f
0x01260c50
0x01260c56
0x01260c5d
0x01260c62
0x01260c64
0x01260c82
0x01260c8a
0x01260c90
0x01260c97
0x01260c9a
0x01260c9d
0x01260ca3
0x01260ca3
0x01260ca5
0x01260cab
0x01260cb1
0x01260cb7
0x01260cc1
0x01260ccb
0x01260cd1
0x01260cd7
0x01260cdd
0x01260ce7
0x01260cf1
0x01260cf7
0x01260cfd
0x01260d03
0x01260d09
0x01260d13
0x01260d17
0x01260d1a
0x01260dd2
0x01260dd2
0x01260dd5
0x01260dd8
0x01260d83
0x01260d83
0x01260d8c
0x01260d8e
0x01260d91
0x01260d97
0x01260d9a
0x01260e82
0x01260e82
0x01260e86
0x01260e8d
0x01260e8d
0x01260e92
0x01260e9e
0x01260ea1
0x01260ea6
0x01260ea8
0x01260eab
0x01260f2c
0x01260f2c
0x01260f30
0x01260f38
0x01260f3b
0x01260f40
0x01260f43
0x01260f48
0x01260f48
0x01260f4d
0x01260f50
0x01260f52
0x01260f58
0x01260f5d
0x01260f5d
0x01260f58
0x01260f65
0x01260f6a
0x01260f6d
0x01260f70
0x01260f73
0x01260f76
0x01260f7f
0x01260f83
0x01260f88
0x01260f8e
0x01260f94
0x01260f9a
0x01260fa0
0x01260fa6
0x01260fac
0x01260fb2
0x01260fb8
0x01260fbe
0x01260fc4
0x01260fc8
0x01261256
0x0126125c
0x01261261
0x01261264
0x01261266
0x01261269
0x00000000
0x00000000
0x01260fd0
0x01260fd3
0x01260fd6
0x01260fdb
0x01260fde
0x01260fe4
0x01260fe7
0x01260fea
0x01260fed
0x01261202
0x01261202
0x01261208
0x0126120a
0x0126120d
0x00000000
0x00000000
0x01261213
0x0126121d
0x0126121d
0x0126121d
0x0126121f
0x01261222
0x01261222
0x01261225
0x0126122b
0x01261236
0x01261239
0x01261242
0x01261244
0x01261247
0x00000000
0x00000000
0x0126124d
0x01261250
0x00000000
0x00000000
0x00000000
0x01261250
0x0126122d
0x01261234
0x00000000
0x00000000
0x00000000
0x01261234
0x01261215
0x01261217
0x00000000
0x00000000
0x00000000
0x01261217
0x01260ff3
0x01261002
0x01261005
0x01261008
0x0126100b
0x00000000
0x00000000
0x01261011
0x00000000
0x01261135
0x0126113c
0x01261141
0x01261143
0x01261146
0x01261159
0x01261159
0x0126115c
0x01261162
0x01261167
0x0126116a
0x01261170
0x00000000
0x00000000
0x00000000
0x00000000
0x01261148
0x01261148
0x01261148
0x0126114b
0x0126114e
0x01261150
0x01261150
0x01261150
0x01261150
0x01261153
0x01261154
0x01261154
0x00000000
0x00000000
0x0126117a
0x00000000
0x00000000
0x0126118e
0x01261180
0x01261180
0x01261184
0x00000000
0x00000000
0x01261018
0x0126102a
0x0126102e
0x01261033
0x01261036
0x01261038
0x0126103b
0x0126105e
0x01261064
0x01261068
0x00000000
0x00000000
0x00000000
0x00000000
0x0126103d
0x0126103d
0x01261050
0x01261055
0x01261058
0x01261059
0x01261059
0x00000000
0x00000000
0x012611b1
0x012611b4
0x00000000
0x00000000
0x012611b9
0x012611bc
0x00000000
0x00000000
0x012611c4
0x012611c7
0x00000000
0x00000000
0x01261082
0x01261085
0x01261088
0x0126108b
0x01261092
0x01261099
0x0126109f
0x012610a3
0x012610a9
0x012610ae
0x012610b7
0x012610ba
0x012610c0
0x012610c4
0x012610c9
0x012610cb
0x012610ce
0x012610d1
0x01261115
0x01261115
0x0126111b
0x0126111f
0x01261124
0x01261127
0x0126112b
0x0126106d
0x0126106d
0x0126106d
0x00000000
0x00000000
0x00000000
0x00000000
0x012610d3
0x012610d3
0x012610d6
0x012610d9
0x012610dc
0x012610df
0x012610e2
0x012610e5
0x012610e7
0x00000000
0x00000000
0x012610e9
0x012610ec
0x012610ef
0x012610f2
0x012610f5
0x012610f8
0x00000000
0x00000000
0x012610fe
0x01261100
0x01261103
0x01261106
0x01261109
0x01261109
0x0126110c
0x0126110d
0x01261110
0x01261110
0x00000000
0x00000000
0x00000000
0x00000000
0x01261196
0x01261199
0x01261199
0x0126119f
0x0126119f
0x012611a2
0x012611a5
0x012611a6
0x012611a7
0x0126106f
0x01261072
0x01261078
0x00000000
0x00000000
0x012611cf
0x012611d1
0x012611d3
0x012611d6
0x00000000
0x00000000
0x012611d8
0x012611df
0x012611df
0x012611e2
0x012611e7
0x012611e9
0x00000000
0x00000000
0x012611ef
0x012611f2
0x012611f4
0x012611f7
0x00000000
0x00000000
0x012611f9
0x00000000
0x00000000
0x012611fb
0x012611fe
0x00000000
0x00000000
0x00000000
0x01261200
0x00000000
0x012611df
0x012611da
0x012611dd
0x00000000
0x00000000
0x00000000
0x00000000
0x01261011
0x01260ff5
0x01260ffc
0x00000000
0x00000000
0x00000000
0x01260ffc
0x0126126f
0x01261271
0x01261273
0x01261276
0x01261279
0x0126127c
0x01261292
0x01261292
0x01261294
0x01261297
0x0126129a
0x0126133c
0x01261342
0x01261346
0x01261351
0x01261355
0x0126135d
0x01261361
0x0126136c
0x01261370
0x0126137b
0x0126137f
0x0126138a
0x0126138d
0x01261392
0x01261399
0x0126139a
0x0126139f
0x0126139f
0x012613a1
0x012613a6
0x00000000
0x00000000
0x00000000
0x012612a0
0x012612a0
0x012612a6
0x012612ac
0x012612af
0x012612b2
0x012612b5
0x012612b7
0x012612ec
0x012612f2
0x012612f5
0x012612fb
0x01261307
0x01261307
0x01261308
0x0126130b
0x0126130e
0x01261310
0x01261313
0x012612b9
0x012612b9
0x012612bc
0x012612c5
0x012612cb
0x012612d7
0x012612e3
0x012612e6
0x012612e9
0x012612e9
0x01261316
0x01261319
0x01261321
0x01261321
0x01261327
0x01261327
0x0126132f
0x01261330
0x01261333
0x01261333
0x00000000
0x00000000
0x00000000
0x00000000
0x0126127e
0x0126127e
0x0126127e
0x01261284
0x01261287
0x01261289
0x01261289
0x01261289
0x01261289
0x0126128c
0x0126128d
0x0126128d
0x00000000
0x0126127e
0x01260eb0
0x01260eb3
0x01260eb6
0x01260ebb
0x01260ec4
0x01260ec8
0x01260ecd
0x01260ed0
0x01260ed3
0x01260ed7
0x01260ed9
0x01260f0c
0x01260f0c
0x01260edb
0x01260ee1
0x01260ee6
0x01260eec
0x01260ef2
0x01260ef5
0x01260efb
0x01260f00
0x01260f03
0x01260f03
0x01260f11
0x01260f15
0x01260f1a
0x01260f1e
0x01260f21
0x01260f26
0x01260f26
0x01260f26
0x01260f29
0x00000000
0x01260eb3
0x01260e88
0x01260e8b
0x00000000
0x00000000
0x00000000
0x01260e8b
0x01260da6
0x01260daa
0x01260db5
0x01260db9
0x01260dc4
0x01260dc8
0x01260c68
0x01260c68
0x01260c6f
0x01260c70
0x01260c75
0x00000000
0x00000000
0x00000000
0x00000000
0x01260dda
0x01260dda
0x01260ddc
0x01260ddf
0x01260dea
0x01260ded
0x01260df0
0x01260df2
0x01260df8
0x01260dfb
0x01260dfb
0x01260dfd
0x00000000
0x00000000
0x01260dff
0x01260e04
0x01260e06
0x01260e1a
0x01260e1a
0x01260e1a
0x01260e1d
0x01260e1d
0x01260e1f
0x01260e24
0x01260e27
0x01260e2a
0x00000000
0x01260e2a
0x01260e21
0x00000000
0x01260e21
0x01260e0b
0x01260e0b
0x01260e0e
0x01260e0e
0x01260e10
0x00000000
0x00000000
0x01260e12
0x01260e13
0x01260e16
0x01260e18
0x00000000
0x00000000
0x00000000
0x01260e18
0x00000000
0x01260e0e
0x01260e76
0x01260e7d
0x00000000
0x01260e7d
0x01260df4
0x01260e2e
0x01260e36
0x01260e46
0x01260e54
0x01260e59
0x01260e5f
0x01260e5f
0x01260d81
0x01260d81
0x01260d81
0x00000000
0x01260d81
0x01260d20
0x01260d23
0x00000000
0x00000000
0x01260d52
0x01260d5d
0x01260d68
0x01260d68
0x01260d70
0x01260d7b
0x01260d7e
0x00000000
0x01260d7e
0x01260c66
0x00000000
0x01260c66
0x01260bfb
0x01260c04
0x01260bff
0x01260bff
0x01260c18
0x01260c1b
0x00000000
0x01260c1b

APIs

__EH_prolog3.LIBCMT ref: 01260BDA
__CxxThrowException@8.LIBCMT ref: 01260E7D

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: Exception@8H_prolog3Throw
String ID:
API String ID: 3670251406-0
Opcode ID: 3528c9245f82320c6e7a746566b61858f250c3e361ab01d07b80142a6ab3dee0
Instruction ID: 95d0201de0765bd1b2635bd2f70e6882a358e8d00de70718eccd4da68e304296
Opcode Fuzzy Hash: 3528c9245f82320c6e7a746566b61858f250c3e361ab01d07b80142a6ab3dee0
Instruction Fuzzy Hash: C4427271D2025ADFCF10DF98C880AEDBBB9FF54310F15819AD949AB281D730AA85CF95

Uniqueness

Uniqueness Score: -1.00%

Function 01255E0B Relevance: 59.7, APIs: 18, Strings: 16, Instructions: 220
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 78%

			E01255E0B(void* __ecx, long _a4, struct HWND__* _a8, DWORD* _a12) {
				WCHAR* _v12;
				WCHAR* _v16;
				char _v20;
				struct _PROCESS_INFORMATION _v36;
				struct _STARTUPINFOW _v112;
				void* __ebx;
				signed int _t44;
				signed int _t46;
				signed int _t47;
				signed int _t48;
				signed int _t49;
				signed int _t56;
				struct HWND__* _t57;
				signed int _t71;
				void* _t77;
				void* _t79;
				intOrPtr _t83;
				intOrPtr _t85;
				signed int _t90;
				struct HWND__* _t91;

				_t77 = __ecx;
				_push(0x44);
				_pop(0);
				_v12 = 0;
				_v16 = 0;
				_v20 = 0;
				E0126DE40( &_v112, 0, 0);
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				if(E012595C3(_t77,  &_v20) >= 0) {
					_t44 = E01259663(_t77,  *0x127bef8); // executed
					__eflags = _t44;
					if(_t44 >= 0) {
						_t46 = E012599D2( &_v16);
						__eflags = _t46;
						if(_t46 >= 0) {
							_t47 = SetEnvironmentVariableW(L"_SFX_CAB_EXE_PATH",  *0x127bef8); // executed
							__eflags = _t47;
							if(_t47 != 0) {
								_t48 = SetEnvironmentVariableW(L"_SFX_CAB_EXE_PACKAGE", _v16);
								__eflags = _t48;
								if(_t48 != 0) {
									_t49 = SetEnvironmentVariableW(L"_SFX_CAB_EXE_PARAMETERS",  *0x127befc);
									__eflags = _t49;
									if(_t49 != 0) {
										__eflags = _a8 - 1;
										if(_a8 != 1) {
											L31:
											_t90 = E01259779(_t77,  &_v12, _a4);
											__eflags = _t90;
											if(_t90 >= 0) {
												_v112.cb = 0;
												_v112.dwFlags = 1;
												_v112.wShowWindow = 1;
												E012584C7(0, _t79, 1, "Executing command line: \'%S\'", _v12); // executed
												_t56 = CreateProcessW(0, _v12, 0, 0, 0, 0x20, 0,  *0x127bef8,  &_v112,  &_v36); // executed
												__eflags = _t56;
												if(_t56 != 0) {
													_a8 = 0;
													do {
														_t83 = _v36.dwProcessId;
														_t57 = GetTopWindow(0);
														while(1) {
															_t91 = _t57;
															__eflags = _t91;
															if(_t91 == 0) {
																goto L40;
															}
															_a4 = _a4 | 0xffffffff;
															GetWindowThreadProcessId(_t91,  &_a4);
															__eflags = _t83 - _a4;
															if(_t83 != _a4) {
																_t57 = GetWindow(_t91, 2);
																continue;
															}
															goto L41;
														}
														L40:
														Sleep(0x64); // executed
														_a8 = _a8 + 1;
														__eflags = _a8 - 0x32;
													} while (_a8 < 0x32);
													L41:
													_t90 = E012568FB();
													__eflags = _t90;
													if(_t90 >= 0) {
														WaitForSingleObject(_v36.hProcess, 0xffffffff);
														GetExitCodeProcess(_v36.hProcess, _a12); // executed
														FindCloseChangeNotification(_v36.hThread); // executed
														CloseHandle(_v36);
													} else {
														_push("Failed to stop reporting progress");
														goto L43;
													}
												} else {
													_t90 = 0x80070667;
													_push("Failed to start the process");
													goto L43;
												}
											} else {
												_push("Unable to resolve the path of the exe");
												goto L43;
											}
										} else {
											_t71 = SetEnvironmentVariableW(L"__COMPAT_LAYER", 0x1253a30);
											__eflags = _t71;
											if(_t71 != 0) {
												goto L31;
											} else {
												_t90 = GetLastError();
												__eflags = _t90;
												if(__eflags > 0) {
													_t90 = _t90 & 0x0000ffff | 0x80070000;
													__eflags = _t90;
												}
												if(__eflags >= 0) {
													_t90 = 0x80004005;
												}
												_push("Failed to set __COMPAT_LAYER");
												goto L43;
											}
										}
									} else {
										_t90 = GetLastError();
										__eflags = _t90;
										if(__eflags > 0) {
											_t90 = _t90 & 0x0000ffff | 0x80070000;
											__eflags = _t90;
										}
										if(__eflags >= 0) {
											_t90 = 0x80004005;
										}
										_push("Failed to set _SFX_CAB_EXE_PARAMETERS");
										goto L43;
									}
								} else {
									_t90 = GetLastError();
									__eflags = _t90;
									if(__eflags > 0) {
										_t90 = _t90 & 0x0000ffff | 0x80070000;
										__eflags = _t90;
									}
									if(__eflags >= 0) {
										_t90 = 0x80004005;
									}
									_push("Failed to set _SFX_CAB_EXE_PACKAGE");
									goto L43;
								}
							} else {
								_t90 = GetLastError();
								__eflags = _t90;
								if(__eflags > 0) {
									_t90 = _t90 & 0x0000ffff | 0x80070000;
									__eflags = _t90;
								}
								if(__eflags >= 0) {
									_t90 = 0x80004005;
								}
								_push("Failed to set _SFX_CAB_EXE_PATH");
								goto L43;
							}
						} else {
							_push("Failed to get the name of the module");
							goto L43;
						}
					} else {
						_push("Failed to set target directory");
						goto L43;
					}
				} else {
					_push("Failed to get current directory");
					L43:
					E0125854A(0, _t77, _t79);
					_t77 = _t90;
				}
				_t85 = _v20;
				if(_t85 != 0) {
					E01259663(_t77, _t85); // executed
				}
				if(_v12 != 0) {
					E01258E6F(_v12);
				}
				if(_v16 != 0) {
					E01258E6F(_v16);
				}
				if(_t85 != 0) {
					E01258E6F(_t85);
				}
				return _t90;
			}

0x01255e0b
0x01255e16
0x01255e1a
0x01255e1d
0x01255e20
0x01255e23
0x01255e2a
0x01255e34
0x01255e35
0x01255e36
0x01255e37
0x01255e48
0x01255e5a
0x01255e61
0x01255e63
0x01255e72
0x01255e79
0x01255e7b
0x01255e98
0x01255e9a
0x01255e9c
0x01255ed1
0x01255ed3
0x01255ed5
0x01255f0d
0x01255f0f
0x01255f11
0x01255f41
0x01255f44
0x01255f81
0x01255f8d
0x01255f8f
0x01255f91
0x01255fa8
0x01255fab
0x01255fae
0x01255fb2
0x01255fd4
0x01255fda
0x01255fdc
0x01255fea
0x01255fed
0x01255fed
0x01255ff1
0x01256016
0x01256016
0x01256018
0x0125601a
0x00000000
0x00000000
0x01255ff9
0x01256002
0x01256008
0x0125600b
0x01256010
0x00000000
0x01256010
0x00000000
0x0125600b
0x0125601c
0x0125601e
0x01256024
0x01256027
0x01256027
0x0125602d
0x01256032
0x01256034
0x01256036
0x0125604c
0x01256058
0x01256067
0x0125606c
0x01256038
0x01256038
0x00000000
0x01256038
0x01255fde
0x01255fde
0x01255fe3
0x00000000
0x01255fe3
0x01255f93
0x01255f93
0x00000000
0x01255f93
0x01255f46
0x01255f50
0x01255f52
0x01255f54
0x00000000
0x01255f56
0x01255f5c
0x01255f5e
0x01255f60
0x01255f68
0x01255f6e
0x01255f6e
0x01255f70
0x01255f72
0x01255f72
0x01255f77
0x00000000
0x01255f77
0x01255f54
0x01255f13
0x01255f19
0x01255f1b
0x01255f1d
0x01255f25
0x01255f2b
0x01255f2b
0x01255f2d
0x01255f2f
0x01255f2f
0x01255f34
0x00000000
0x01255f34
0x01255ed7
0x01255edd
0x01255edf
0x01255ee1
0x01255ee9
0x01255eef
0x01255eef
0x01255ef1
0x01255ef3
0x01255ef3
0x01255ef8
0x00000000
0x01255ef8
0x01255e9e
0x01255ea4
0x01255ea6
0x01255ea8
0x01255eb0
0x01255eb6
0x01255eb6
0x01255eb8
0x01255eba
0x01255eba
0x01255ebf
0x00000000
0x01255ebf
0x01255e7d
0x01255e7d
0x00000000
0x01255e7d
0x01255e65
0x01255e65
0x00000000
0x01255e65
0x01255e4a
0x01255e4a
0x0125603d
0x0125603e
0x01256044
0x01256044
0x0125606e
0x01256073
0x01256076
0x01256076
0x0125607f
0x01256084
0x01256084
0x0125608d
0x01256092
0x01256092
0x01256099
0x0125609c
0x0125609c
0x012560a7

APIs

_memset.LIBCMT ref: 01255E2A

Part of subcall function 012595C3: GetCurrentDirectoryW.KERNEL32(00000040,00000000,00000000,00000000,0127BEF0,?,?,01256F89,0127BEF8,00000000,0127BEF0,?,?,?,01256F09,?), ref: 012595E8
Part of subcall function 012595C3: GetCurrentDirectoryW.KERNEL32(00000000,00000000,?,?,01256F89,0127BEF8,00000000,0127BEF0,?,?,?,01256F09,?,?,00000000), ref: 01259607
Part of subcall function 012595C3: GetLastError.KERNEL32(?,?,01256F89,0127BEF8,00000000,0127BEF0,?,?,?,01256F09,?,?,00000000,?,?,01255B53), ref: 0125960D

WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?), ref: 0125604C
GetExitCodeProcess.KERNELBASE ref: 01256058
FindCloseChangeNotification.KERNELBASE(01255BB4,?,?,?,?,?,?), ref: 01256067
CloseHandle.KERNEL32(?,?,?,?,?,?,?), ref: 0125606C

Strings

_SFX_CAB_EXE_PATH, xrefs: 01255E93
_SFX_CAB_EXE_PACKAGE, xrefs: 01255ECC
Failed to set _SFX_CAB_EXE_PACKAGE, xrefs: 01255EF8
Executing command line: '%S', xrefs: 01255FA2
__COMPAT_LAYER, xrefs: 01255F4B
Unable to resolve the path of the exe, xrefs: 01255F93
Failed to set target directory, xrefs: 01255E65
Failed to get current directory, xrefs: 01255E4A
Failed to set __COMPAT_LAYER, xrefs: 01255F77
Failed to get the name of the module, xrefs: 01255E7D
Failed to set _SFX_CAB_EXE_PARAMETERS, xrefs: 01255F34
Failed to start the process, xrefs: 01255FE3
Failed to set _SFX_CAB_EXE_PATH, xrefs: 01255EBF
2, xrefs: 01256027
Failed to stop reporting progress, xrefs: 01256038
_SFX_CAB_EXE_PARAMETERS, xrefs: 01255F08

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: CloseCurrentDirectory$ChangeCodeErrorExitFindHandleLastNotificationObjectProcessSingleWait_memset
String ID: 2$Executing command line: '%S'$Failed to get current directory$Failed to get the name of the module$Failed to set _SFX_CAB_EXE_PACKAGE$Failed to set _SFX_CAB_EXE_PARAMETERS$Failed to set _SFX_CAB_EXE_PATH$Failed to set __COMPAT_LAYER$Failed to set target directory$Failed to start the process$Failed to stop reporting progress$Unable to resolve the path of the exe$_SFX_CAB_EXE_PACKAGE$_SFX_CAB_EXE_PARAMETERS$_SFX_CAB_EXE_PATH$__COMPAT_LAYER
API String ID: 2731901335-3483177241
Opcode ID: 30c94de952e15a569685a2b95ec0c5aa24b903ed31aa64be0863df913cd2e48c
Instruction ID: 04c8e2d7a99a0ffa3900edac76be9a8dd2d485a0c69719e7e0367cbf61570f76
Opcode Fuzzy Hash: 30c94de952e15a569685a2b95ec0c5aa24b903ed31aa64be0863df913cd2e48c
Instruction Fuzzy Hash: 4861C572D7022ABFDBA29AA5DCC9EBEBA78BF04790F054125EE10F7150D7749C118B90

Uniqueness

Uniqueness Score: -1.00%

Function 0125805A Relevance: 50.9, APIs: 14, Strings: 15, Instructions: 161
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 72%

			E0125805A(void* __ebx, void* __esi) {
				signed int _v8;
				signed int _v12;
				int _t21;
				int _t24;
				signed int _t25;
				signed int _t28;
				signed int _t29;
				signed int _t30;
				signed int _t31;
				signed int _t32;
				signed int _t33;
				signed int _t34;
				signed int _t38;
				int _t41;
				void* _t43;
				void* _t46;
				signed int _t47;

				_v8 = _v8 & 0x00000000;
				_v12 = _v12 & 0x00000000;
				_t47 =  *0x127b14c; // 0x0
				if(_t47 == 1) {
					_push(__esi);
					_t41 = 0x104;
					if(E012587EB(0x104,  &_v8) >= 0) {
						_t21 = GetSystemDirectoryW(_v8, 0x104);
						__eflags = _t21;
						if(_t21 != 0) {
							__eflags = _t21 - 0x104;
							if(_t21 <= 0x104) {
								L13:
								_t47 = E01258B7E( &_v12,  &M01254B28, _v8);
								__eflags = _t47;
								if(_t47 >= 0) {
									_t24 = LoadLibraryW(_v12); // executed
									_t41 = _t24;
									__eflags = _t41;
									if(_t41 != 0) {
										_t25 = GetProcAddress(_t41, "OpenCluster");
										 *0x127bf44 = _t25;
										__eflags = _t25;
										if(_t25 == 0) {
											L30:
											_t47 = GetLastError();
											__eflags = _t47;
											if(__eflags > 0) {
												_t47 = _t47 & 0x0000ffff | 0x80070000;
												__eflags = _t47;
											}
											if(__eflags >= 0) {
												_t47 = 0x80004005;
											}
											_push("Failed to load all required functions from the clusapi.dll");
											goto L35;
										} else {
											_t28 = GetProcAddress(_t41, "CloseCluster");
											 *0x127bf40 = _t28;
											__eflags = _t28;
											if(_t28 == 0) {
												goto L30;
											} else {
												_t29 = GetProcAddress(_t41, "ClusterOpenEnum");
												 *0x127bf3c = _t29;
												__eflags = _t29;
												if(_t29 == 0) {
													goto L30;
												} else {
													_t30 = GetProcAddress(_t41, "ClusterCloseEnum");
													 *0x127bf38 = _t30;
													__eflags = _t30;
													if(_t30 == 0) {
														goto L30;
													} else {
														_t31 = GetProcAddress(_t41, "ClusterEnum");
														 *0x127bf34 = _t31;
														__eflags = _t31;
														if(_t31 == 0) {
															goto L30;
														} else {
															_t32 = GetProcAddress(_t41, "OpenClusterResource");
															 *0x127bf30 = _t32;
															__eflags = _t32;
															if(_t32 == 0) {
																goto L30;
															} else {
																_t33 = GetProcAddress(_t41, "CloseClusterResource");
																 *0x127bf2c = _t33;
																__eflags = _t33;
																if(_t33 == 0) {
																	goto L30;
																} else {
																	_t34 = GetProcAddress(_t41, "ClusterResourceControl");
																	 *0x127bf28 = _t34;
																	__eflags = _t34;
																	if(_t34 == 0) {
																		goto L30;
																	} else {
																		_push("Successfully bound to the ClusApi.dll");
																		_push(1); // executed
																		E012584C7(_t41, _t46); // executed
																	}
																}
															}
														}
													}
												}
											}
										}
									} else {
										_t47 = GetLastError();
										__eflags = _t47;
										if(__eflags > 0) {
											_t47 = _t47 & 0x0000ffff | 0x80070000;
											__eflags = _t47;
										}
										if(__eflags >= 0) {
											_t47 = 0x80004005;
										}
										_push("Failed to load clusapi.dll");
										goto L35;
									}
								} else {
									_push("Failed to allocate the path ro the clusapi.dll");
									goto L35;
								}
							} else {
								_t41 = _t21;
								_t47 = E012587EB(_t21,  &_v8);
								__eflags = _t47;
								if(_t47 < 0) {
									goto L2;
								} else {
									_t38 = GetSystemDirectoryW(_v8, _t41);
									__eflags = _t38;
									if(_t38 == 0) {
										goto L4;
									} else {
										__eflags = _t38 - _t41;
										if(_t38 > _t41) {
											goto L4;
										} else {
											goto L13;
										}
									}
								}
							}
						} else {
							L4:
							_t47 = GetLastError();
							__eflags = _t47;
							if(__eflags > 0) {
								_t47 = _t47 & 0x0000ffff | 0x80070000;
								__eflags = _t47;
							}
							if(__eflags >= 0) {
								_t47 = 0x80004005;
							}
							_push("Failed to get the system directory");
							goto L35;
						}
					} else {
						L2:
						_push("Failed to allocate the system directory");
						L35:
						_push(_t47);
						E0125854A(_t41, _t43, _t46);
					}
				}
				 *0x127b14c = _t47;
				if(_v8 != 0) {
					E01258E6F(_v8);
				}
				if(_v12 != 0) {
					E01258E6F(_v12);
				}
				return _t47;
			}

0x01258062
0x01258066
0x0125806b
0x01258074
0x0125807b
0x0125807c
0x0125808f
0x0125809f
0x012580a5
0x012580a7
0x012580d4
0x012580d6
0x012580fa
0x0125810b
0x01258110
0x01258112
0x01258121
0x01258127
0x01258129
0x0125812b
0x01258164
0x01258166
0x0125816b
0x0125816d
0x012581f8
0x012581fe
0x01258200
0x01258202
0x0125820a
0x01258210
0x01258210
0x01258212
0x01258214
0x01258214
0x01258219
0x00000000
0x01258173
0x01258179
0x0125817b
0x01258180
0x01258182
0x00000000
0x01258184
0x0125818a
0x0125818c
0x01258191
0x01258193
0x00000000
0x01258195
0x0125819b
0x0125819d
0x012581a2
0x012581a4
0x00000000
0x012581a6
0x012581ac
0x012581ae
0x012581b3
0x012581b5
0x00000000
0x012581b7
0x012581bd
0x012581bf
0x012581c4
0x012581c6
0x00000000
0x012581c8
0x012581ce
0x012581d0
0x012581d5
0x012581d7
0x00000000
0x012581d9
0x012581df
0x012581e1
0x012581e6
0x012581e8
0x00000000
0x012581ea
0x012581ea
0x012581ef
0x012581f1
0x012581f1
0x012581e8
0x012581d7
0x012581c6
0x012581b5
0x012581a4
0x01258193
0x01258182
0x0125812d
0x01258133
0x01258135
0x01258137
0x0125813f
0x01258145
0x01258145
0x01258147
0x01258149
0x01258149
0x0125814e
0x00000000
0x0125814e
0x01258114
0x01258114
0x00000000
0x01258114
0x012580d8
0x012580db
0x012580e2
0x012580e4
0x012580e6
0x00000000
0x012580e8
0x012580ec
0x012580f2
0x012580f4
0x00000000
0x012580f6
0x012580f6
0x012580f8
0x00000000
0x00000000
0x00000000
0x00000000
0x012580f8
0x012580f4
0x012580e6
0x012580a9
0x012580a9
0x012580af
0x012580b1
0x012580b3
0x012580bb
0x012580c1
0x012580c1
0x012580c3
0x012580c5
0x012580c5
0x012580ca
0x00000000
0x012580ca
0x01258091
0x01258091
0x01258091
0x0125821e
0x0125821e
0x0125821f
0x0125821f
0x01258227
0x0125822c
0x01258232
0x01258237
0x01258237
0x01258240
0x01258245
0x01258245
0x0125824e

APIs

Part of subcall function 012587EB: GetProcessHeap.KERNEL32(00000000,?,00000104,00000104,012599E4,?,?,01256E7F), ref: 01258802
Part of subcall function 012587EB: HeapReAlloc.KERNEL32(00000000,?,00000104,00000104,012599E4,?,?,01256E7F), ref: 01258809

GetSystemDirectoryW.KERNEL32(00000000,00000104), ref: 0125809F
GetLastError.KERNEL32 ref: 012580A9

Strings

Failed to load clusapi.dll, xrefs: 0125814E
Failed to load all required functions from the clusapi.dll, xrefs: 01258219
Failed to get the system directory, xrefs: 012580CA
CloseClusterResource, xrefs: 012581C8
OpenCluster, xrefs: 0125815E
Successfully bound to the ClusApi.dll, xrefs: 012581EA
Failed to allocate the system directory, xrefs: 01258091
ClusterEnum, xrefs: 012581A6
%s\clusapi.dll, xrefs: 01258100
OpenClusterResource, xrefs: 012581B7
ClusterResourceControl, xrefs: 012581D9
ClusterCloseEnum, xrefs: 01258195
CloseCluster, xrefs: 01258173
Failed to allocate the path ro the clusapi.dll, xrefs: 01258114
ClusterOpenEnum, xrefs: 01258184

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: Heap$AllocDirectoryErrorLastProcessSystem
String ID: %s\clusapi.dll$CloseCluster$CloseClusterResource$ClusterCloseEnum$ClusterEnum$ClusterOpenEnum$ClusterResourceControl$Failed to allocate the path ro the clusapi.dll$Failed to allocate the system directory$Failed to get the system directory$Failed to load all required functions from the clusapi.dll$Failed to load clusapi.dll$OpenCluster$OpenClusterResource$Successfully bound to the ClusApi.dll
API String ID: 1959106193-2729475906
Opcode ID: ee328a5ee6a02393a7f32ad18ed29f5e0209e394e6c53812315fe5788ca65524
Instruction ID: 2308687f0a2b90e5f2ee509f201533b31d7fbaf9329ba65051d740b01d67d70e
Opcode Fuzzy Hash: ee328a5ee6a02393a7f32ad18ed29f5e0209e394e6c53812315fe5788ca65524
Instruction Fuzzy Hash: 1A41F975EB0747ABE7A1677BADC5B6A7DA99F50650F210029AF04E3144FFF4C4408B11

Uniqueness

Uniqueness Score: -1.00%

Function 012559A6 Relevance: 38.7, APIs: 11, Strings: 11, Instructions: 239
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E012559A6(void* __edx) {
				signed int _v8;
				void* _v52;
				void* _v542;
				void* _v544;
				void* _v1070;
				intOrPtr _v1072;
				void _v1100;
				WCHAR* _v1104;
				char _v1108;
				signed int _v1112;
				signed int _v1116;
				void* _v1120;
				void* _v1124;
				void* _v1128;
				void* _v1132;
				void* _v1148;
				void* _v1156;
				void* _v1160;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t46;
				void* _t51;
				signed int _t54;
				signed int _t57;
				signed int _t58;
				signed int _t59;
				signed int _t62;
				void* _t69;
				void* _t70;
				intOrPtr _t72;
				intOrPtr _t73;
				signed int _t74;
				signed int _t88;
				signed int _t101;
				void* _t110;
				signed int _t113;
				void* _t120;
				signed int _t128;
				void* _t129;
				void* _t136;
				signed int _t139;
				signed int _t141;
				void* _t142;
				signed int _t143;
				void* _t144;
				void* _t145;
				void* _t146;

				_t120 = __edx;
				_t141 = (_t139 & 0xfffffff8) - 0x45c;
				_t46 =  *0x127a050; // 0xa41d0fe1
				_v8 = _t46 ^ _t141;
				_t113 = 8;
				_v1112 = 0;
				memset( &_v1100, 0, _t113 << 2);
				_t142 = _t141 + 0xc;
				_t114 = 0;
				_v1116 = 0;
				_v1108 = 0;
				_v1104 = 0;
				 *0x127c0e0 = GetModuleHandleW(0); // executed
				_t51 = E01256C5C(0x127bef0); // executed
				if(_t51 >= 0) {
					__eflags =  *0x127bef4; // 0xc91410
					if(__eflags != 0) {
						L6:
						E01258417(_t114, __eflags,  *0x127bef4); // executed
						goto L7;
					} else {
						_t8 = E012691E9( *0x127bef0, 0x5c) + 2; // 0x2
						 *((short*)(_t142 + 0x50)) = 0;
						E0126DE40(_t142 + 0x52, 0, 0x208);
						_t144 = _t142 + 0x14;
						E0126921C(_t144 + 0x44, 0x104, _t8);
						_t145 = _t144 + 0xc;
						PathRemoveExtensionW(_t145 + 0x40);
						 *((short*)(_t145 + 0x258)) = 0;
						E0126DE40(_t145 + 0x25a, 0, 0x208);
						_t146 = _t145 + 0xc;
						_t101 = GetEnvironmentVariableW(L"temp", _t146 + 0x254, 0x104);
						_t108 = 0x104 - _t101;
						swprintf(_t146 + 0x258 + _t101 * 2, 0x104, L"\\dd_%s_decompression_log.txt", _t146 + 0x40);
						_t142 = _t146 + 0x10;
						_t114 = 0x127bef4;
						_t128 = E01258889(0, 0x127bef4, _t142 + 0x250);
						__eflags = _t128;
						if(_t128 >= 0) {
							__eflags =  *0x127bef4;
							if(__eflags != 0) {
								goto L6;
							}
							L7:
							_t108 =  &_v1100;
							_t54 = E012560AF( &_v1116,  &_v1100, __eflags,  *0x127bef0); // executed
							__eflags = _t54;
							if(_t54 >= 0) {
								_t57 = E01256123(_v1116,  &_v1100,  &_v1108); // executed
								__eflags = _t57;
								if(_t57 >= 0) {
									_t58 =  *(_t142 + 0x38);
									__eflags = _t58;
									if(_t58 == 0) {
										L13:
										 *0x127bf04 = 1;
									} else {
										__eflags =  *_t58;
										if( *_t58 == 0) {
											goto L13;
										}
									}
									_t59 = E01256EF5(0x127bef0, _v1108, _v1104); // executed
									__eflags = _t59;
									if(_t59 >= 0) {
										__imp__#17();
										_t108 = GetTickCount();
										_t62 = E0125621F(0x127bef0, _v1116,  &_v1100); // executed
										_t128 = _t62;
										__eflags = _t128;
										if(_t128 >= 0) {
											E01255945(GetTickCount() - _t108, _t108);
											__eflags =  *0x127bf04;
											if( *0x127bf04 == 0) {
												_t88 = E01255E0B(_t114,  *((intOrPtr*)(_t142 + 0x40)), _v1072,  &_v1112); // executed
												_t128 = _t88;
												__eflags = _t128;
												if(_t128 < 0) {
													_push("Failed to execute file");
													goto L21;
												}
											}
										} else {
											_push("Failed to extract");
											goto L21;
										}
									} else {
										_push("Failed to select and/or prepare the directory for extraction");
										goto L21;
									}
								} else {
									_push("Unable to estimate the required size");
									goto L21;
								}
							} else {
								_push("Failed to open the box");
								goto L21;
							}
						} else {
							_push("Failed to allocate log");
							goto L21;
						}
					}
				} else {
					_push("Failed to initialize arguments");
					L21:
					_push(_t128);
					E0125854A(_t108, _t114, _t120);
				}
				E012568FB();
				_t109 = _v1116;
				if(_v1116 != 0) {
					E0125A414(_t109);
				}
				if(_v1112 != 0xcabf00d1) {
					_t109 = 0x127bef0;
					E01256463(0x127bef0);
				} else {
					_v1112 = _v1112 & 0x00000000;
				}
				if(_t128 < 0 && _t128 != 0x80070642) {
					E01255CDA(_t128, _t128);
				}
				E012584C7(_t109, _t120, 1, "Exiting with result code: 0x%x", _t128); // executed
				_v1116 = _v1116 & 0x00000000;
				_t143 = _t142 + 0xc;
				_t69 = E01258E9C(_t109, _t120, _t128,  &_v1116); // executed
				if(_t69 >= 0) {
					E012584C7(_t109, _t120, 1, "=== Logging stopped: %S ===", _v1116); // executed
					_t143 = _t143 + 0xc;
				}
				if(_v1116 != 0) {
					E01258E6F(_v1116);
				}
				_t70 =  *0x127b140; // 0xffffffff
				 *0x127c11c = 0;
				if(_t70 != 0xffffffff) {
					FindCloseChangeNotification(_t70); // executed
					 *0x127b140 =  *0x127b140 | 0xffffffff;
				}
				_t71 =  *0x127c120;
				if( *0x127c120 != 0) {
					E01258E6F(_t71);
					 *0x127c120 = 0;
				}
				_t72 =  *0x127bef8; // 0xc874b0
				if(_t72 != 0) {
					E01258E6F(_t72);
				}
				_t73 =  *0x127bef0; // 0xc941d0
				if(_t73 != 0) {
					E01258E6F(_t73);
				}
				_t74 =  *0x127bef4; // 0xc91410
				if(_t74 != 0) {
					E01258E6F(_t74);
				}
				if(_t128 < 0) {
					_t76 = _t128 & 0x0000ffff;
					__eflags = _t128 & 0x0000ffff;
				} else {
					_t76 = _v1112;
				}
				_pop(_t129);
				_pop(_t136);
				_pop(_t110);
				return E012691D5(_t76, _t110, _v8 ^ _t143, _t120, _t129, _t136);
			}

0x012559a6
0x012559ae
0x012559b4
0x012559bb
0x012559c9
0x012559d1
0x012559d5
0x012559d5
0x012559d5
0x012559d7
0x012559db
0x012559df
0x012559ee
0x012559f3
0x012559fc
0x01255a08
0x01255a0e
0x01255ad8
0x01255ade
0x00000000
0x01255a14
0x01255a21
0x01255a2d
0x01255a37
0x01255a3c
0x01255a4b
0x01255a50
0x01255a58
0x01255a62
0x01255a72
0x01255a77
0x01255a88
0x01255a93
0x01255aa3
0x01255aa8
0x01255ab5
0x01255abf
0x01255ac1
0x01255ac3
0x01255acf
0x01255ad6
0x00000000
0x00000000
0x01255ae3
0x01255aed
0x01255af1
0x01255af8
0x01255afa
0x01255b14
0x01255b1b
0x01255b1d
0x01255b29
0x01255b2d
0x01255b2f
0x01255b37
0x01255b37
0x01255b31
0x01255b31
0x01255b35
0x00000000
0x00000000
0x01255b35
0x01255b4e
0x01255b55
0x01255b57
0x01255b60
0x01255b6e
0x01255b7e
0x01255b83
0x01255b85
0x01255b87
0x01255b94
0x01255b99
0x01255ba0
0x01255baf
0x01255bb4
0x01255bb6
0x01255bb8
0x01255bba
0x00000000
0x01255bba
0x01255bb8
0x01255b89
0x01255b89
0x00000000
0x01255b89
0x01255b59
0x01255b59
0x00000000
0x01255b59
0x01255b1f
0x01255b1f
0x00000000
0x01255b1f
0x01255afc
0x01255afc
0x00000000
0x01255afc
0x01255ac5
0x01255ac5
0x00000000
0x01255ac5
0x01255ac3
0x012559fe
0x012559fe
0x01255bbf
0x01255bbf
0x01255bc0
0x01255bc6
0x01255bc7
0x01255bcc
0x01255bd2
0x01255bd4
0x01255bd4
0x01255be1
0x01255bea
0x01255bef
0x01255be3
0x01255be3
0x01255be3
0x01255bf6
0x01255c02
0x01255c02
0x01255c0f
0x01255c14
0x01255c19
0x01255c20
0x01255c27
0x01255c34
0x01255c39
0x01255c39
0x01255c42
0x01255c48
0x01255c48
0x01255c4d
0x01255c52
0x01255c5b
0x01255c5e
0x01255c64
0x01255c64
0x01255c6b
0x01255c72
0x01255c75
0x01255c7a
0x01255c7a
0x01255c80
0x01255c87
0x01255c8a
0x01255c8a
0x01255c8f
0x01255c96
0x01255c99
0x01255c99
0x01255c9e
0x01255ca5
0x01255ca8
0x01255ca8
0x01255caf
0x01255cb9
0x01255cb9
0x01255cb1
0x01255cb1
0x01255cb1
0x01255cc5
0x01255cc6
0x01255cc7
0x01255cd2

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 012559E3

Part of subcall function 01256C5C: GetCommandLineW.KERNEL32(?,00000000,0127BEF0), ref: 01256C76
Part of subcall function 01256C5C: CommandLineToArgvW.SHELL32(00000000,00000000), ref: 01256C84
Part of subcall function 01256C5C: GetLastError.KERNEL32 ref: 01256C91

_wcsrchr.LIBCMT ref: 01255A1C
_memset.LIBCMT ref: 01255A37
PathRemoveExtensionW.SHLWAPI(?), ref: 01255A58
_memset.LIBCMT ref: 01255A72
GetEnvironmentVariableW.KERNEL32(temp,?,00000104), ref: 01255A88
swprintf.LIBCMT ref: 01255AA3

Part of subcall function 01256463: GetProcessHeap.KERNEL32(00000000,00000000,7620EA30,?,01255BF4), ref: 012564A0
Part of subcall function 01256463: HeapFree.KERNEL32(00000000,?,01255BF4), ref: 012564A7

FindCloseChangeNotification.KERNELBASE(FFFFFFFF), ref: 01255C5E

Part of subcall function 01258E6F: GetProcessHeap.KERNEL32(00000000,00000000,?,012585A8,00000000,00000000,?,?,01256E90,00000000), ref: 01258E79
Part of subcall function 01258E6F: HeapFree.KERNEL32(00000000,?,012585A8,00000000,00000000,?,?,01256E90,00000000), ref: 01258E80

Strings

Failed to select and/or prepare the directory for extraction, xrefs: 01255B59
\dd_%s_decompression_log.txt, xrefs: 01255A95
Failed to initialize arguments, xrefs: 012559FE
temp, xrefs: 01255A83
Failed to open the box, xrefs: 01255AFC
Unable to estimate the required size, xrefs: 01255B1F
Failed to execute file, xrefs: 01255BBA
Failed to allocate log, xrefs: 01255AC5
Failed to extract, xrefs: 01255B89
Exiting with result code: 0x%x, xrefs: 01255C08
=== Logging stopped: %S ===, xrefs: 01255C2D

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: Heap$CommandFreeLineProcess_memset$ArgvChangeCloseEnvironmentErrorExtensionFindHandleLastModuleNotificationPathRemoveVariable_wcsrchrswprintf
String ID: === Logging stopped: %S ===$Exiting with result code: 0x%x$Failed to allocate log$Failed to execute file$Failed to extract$Failed to initialize arguments$Failed to open the box$Failed to select and/or prepare the directory for extraction$Unable to estimate the required size$\dd_%s_decompression_log.txt$temp
API String ID: 2418371052-1996636437
Opcode ID: 65cd301253a648f879c0d4b936bdcf1f7fa4e7ec8fa821688374c92a86657721
Instruction ID: 74fae282323642820742b778d23e99d3a0c743032da561f62ba3712ef0a83e5e
Opcode Fuzzy Hash: 65cd301253a648f879c0d4b936bdcf1f7fa4e7ec8fa821688374c92a86657721
Instruction Fuzzy Hash: 7181CE716343469FC7A2EB65ECC8E2B77E9BB94710F000929FE4493245EBB0D8448B92

Uniqueness

Uniqueness Score: -1.00%

Function 01256C5C Relevance: 37.0, APIs: 16, Strings: 5, Instructions: 242
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E01256C5C(void* _a4) {
				int _v8;
				signed int _v12;
				void* _v16;
				short* _v20;
				void* __ebx;
				short* _t37;
				PWCHAR* _t38;
				signed int _t39;
				signed int _t40;
				WCHAR* _t48;
				void* _t59;
				int _t65;
				void* _t77;
				void* _t89;
				signed int _t93;
				signed short* _t96;
				void* _t106;
				signed int _t107;
				void* _t111;
				signed int _t112;
				WCHAR** _t113;
				signed int _t119;

				_v8 = _v8 & 0x00000000;
				_t111 = _a4;
				_t93 = 8;
				memset(_t111, 0, _t93 << 2);
				_t37 = GetCommandLineW();
				_t95 =  &_v8;
				_v20 = _t37;
				_t38 = CommandLineToArgvW(_t37,  &_v8);
				_v16 = _t38;
				if(_t38 != 0) {
					_push(_t89);
					_t39 = 1;
					_v12 = 1;
					if(_v8 <= 1) {
						L34:
						if( *_t111 != 0) {
							L39:
							_t96 = _v20;
							_t107 = 0;
							do {
								_t40 =  *_t96 & 0x0000ffff;
								if(_t40 != 0x22) {
									_t96 =  &(_t96[1]);
									if(_t40 == 0) {
										 *(_t111 + 0xc) = " ";
									} else {
										goto L43;
									}
								} else {
									_t96 =  &(_t96[1]);
									_t107 = 0 | _t107 == 0x00000000;
									_t40 = 0x22;
									goto L43;
								}
								L48:
								_t112 = 0;
								goto L49;
								L43:
							} while (_t107 != 0 || _t40 != 0x20 && _t40 != 9);
							 *(_t111 + 0xc) =  &(_t96[0xffffffffffffffff]);
							goto L48;
						} else {
							_t112 = E012599D2(_t111);
							if(_t112 >= 0) {
								_t111 = _a4;
								goto L39;
							} else {
								_push("Failed to get path to executable.");
								goto L37;
							}
						}
					} else {
						do {
							_t113 = _v16 + _t39 * 4;
							_t48 =  *_t113;
							_t95 =  *_t48 & 0x0000ffff;
							if(_t95 == 0x2d || _t95 == 0x2f) {
								if(lstrlenW(_t48) <= 3 || CompareStringW(0x7f, 1,  &(( *_t113)[1]), 2, L"b:", 0xffffffff) != 2) {
									if(lstrlenW( *_t113) <= 3 || CompareStringW(0x7f, 1,  &(( *_t113)[1]), 2, L"x:", 0xffffffff) != 2) {
										if(lstrlenW( *_t113) <= 3 || CompareStringW(0x7f, 1,  &(( *_t113)[1]), 2, L"l:", 0xffffffff) != 2) {
											if(lstrlenW( *_t113) != 2) {
												L25:
												if(lstrlenW( *_t113) != 2 || CompareStringW(0x7f, 1,  &(( *_t113)[1]), 1, "u", 0xffffffff) != 2) {
													if(lstrlenW( *_t113) == 2 && CompareStringW(0x7f, 1,  &(( *_t113)[1]), 1, "q", 0xffffffff) == 2) {
														_t59 = _a4;
														 *((intOrPtr*)(_t59 + 0x18)) = 1;
														goto L31;
													}
												} else {
													_t59 = _a4;
													L31:
													 *((intOrPtr*)(_t59 + 0x1c)) = 1;
												}
											} else {
												_t65 = CompareStringW(0x7f, 1,  &(( *_t113)[1]), 1, "x", 0xffffffff); // executed
												if(_t65 != 2) {
													goto L25;
												} else {
													 *((intOrPtr*)(_a4 + 0x14)) = 1;
												}
											}
											goto L32;
										} else {
											_t95 = _a4 + 4;
											_t112 = E01258889(0, _a4 + 4,  &(( *_t113)[3]));
											if(_t112 >= 0) {
												goto L32;
											} else {
												_push("Failed to allocate log");
												goto L37;
											}
										}
									} else {
										_t77 = _a4;
										 *((intOrPtr*)(_t77 + 0x14)) = 1;
										_t95 = _t77 + 8;
										_t112 = E01258889(0, _t77 + 8,  &(( *_t113)[3]));
										if(_t112 >= 0) {
											goto L32;
										} else {
											_push("Failed to allocate extract directory");
											goto L37;
										}
									}
								} else {
									_t95 = _a4;
									_t112 = E01258889(0, _a4,  &(( *_t113)[3]));
									if(_t112 >= 0) {
										goto L32;
									} else {
										_push("Failed to allocate box path");
										L37:
										_push(_t112);
										E0125854A(1, _t95, _t106);
									}
								}
							} else {
								goto L32;
							}
							goto L49;
							L32:
							_t39 = _v12 + 1;
							_v12 = _t39;
						} while (_t39 < _v8);
						_t111 = _a4;
						goto L34;
					}
					L49:
					LocalFree(_v16);
				} else {
					_t112 = GetLastError();
					if(_t112 > 0) {
						_t112 = _t112 & 0x0000ffff | 0x80070000;
						_t119 = _t112;
					}
					if(_t119 >= 0) {
						_t112 = 0x80004005;
					}
					_push("Failed to get command line.");
					_push(_t112);
					E0125854A(_t89, _t95, _t106);
				}
				return _t112;
			}

0x01256c64
0x01256c69
0x01256c6f
0x01256c74
0x01256c76
0x01256c7c
0x01256c81
0x01256c84
0x01256c8a
0x01256c8f
0x01256cc4
0x01256cc8
0x01256cca
0x01256cd0
0x01256e73
0x01256e76
0x01256e97
0x01256e97
0x01256e9a
0x01256e9c
0x01256e9c
0x01256ea2
0x01256eb5
0x01256ebb
0x01256ed5
0x00000000
0x00000000
0x00000000
0x01256ea4
0x01256ead
0x01256eb0
0x01256eb2
0x00000000
0x01256eb2
0x01256edc
0x01256edc
0x00000000
0x01256ebd
0x01256ebd
0x01256ed0
0x00000000
0x01256e78
0x01256e7f
0x01256e83
0x01256e94
0x00000000
0x01256e85
0x01256e85
0x00000000
0x01256e85
0x01256e83
0x01256cd6
0x01256cdc
0x01256cdf
0x01256ce2
0x01256ce4
0x01256cea
0x01256cff
0x01256d49
0x01256d99
0x01256de6
0x01256e08
0x01256e13
0x01256e3d
0x01256e57
0x01256e5a
0x00000000
0x01256e5a
0x01256e2d
0x01256e2d
0x01256e5d
0x01256e5d
0x01256e5d
0x01256de8
0x01256df9
0x01256dfe
0x00000000
0x01256e00
0x01256e03
0x01256e03
0x01256dfe
0x00000000
0x01256db4
0x01256dbd
0x01256dc7
0x01256dcb
0x00000000
0x01256dd1
0x01256dd1
0x00000000
0x01256dd1
0x01256dcb
0x01256d64
0x01256d64
0x01256d67
0x01256d70
0x01256d7a
0x01256d7e
0x00000000
0x01256d84
0x01256d84
0x00000000
0x01256d84
0x01256d7e
0x01256d1a
0x01256d1c
0x01256d2a
0x01256d2e
0x00000000
0x01256d34
0x01256d34
0x01256e8a
0x01256e8a
0x01256e8b
0x01256e91
0x01256d2e
0x00000000
0x00000000
0x00000000
0x00000000
0x01256e60
0x01256e63
0x01256e64
0x01256e67
0x01256e70
0x00000000
0x01256e70
0x01256ede
0x01256ee1
0x01256c91
0x01256c97
0x01256c9b
0x01256ca3
0x01256ca9
0x01256ca9
0x01256cab
0x01256cad
0x01256cad
0x01256cb2
0x01256cb7
0x01256cb8
0x01256cbe
0x01256eed

APIs

GetCommandLineW.KERNEL32(?,00000000,0127BEF0), ref: 01256C76
CommandLineToArgvW.SHELL32(00000000,00000000), ref: 01256C84
GetLastError.KERNEL32 ref: 01256C91
lstrlenW.KERNEL32(00000001), ref: 01256CF6
CompareStringW.KERNEL32(0000007F,00000001,-00000002,00000002,01253E10,000000FF), ref: 01256D13
lstrlenW.KERNEL32(?), ref: 01256D40
CompareStringW.KERNEL32(0000007F,00000001,-00000002,00000002,01253E34,000000FF), ref: 01256D5D
lstrlenW.KERNEL32(?), ref: 01256D90
CompareStringW.KERNEL32(0000007F,00000001,-00000002,00000002,01253E64,000000FF), ref: 01256DAD
lstrlenW.KERNEL32(?), ref: 01256DDD
CompareStringW.KERNELBASE(0000007F,00000001,-00000002,00000001,01253E6C,000000FF), ref: 01256DF9
LocalFree.KERNEL32(?), ref: 01256EE1

Strings

Failed to allocate extract directory, xrefs: 01256D84
Failed to get command line., xrefs: 01256CB2
Failed to get path to executable., xrefs: 01256E85
Failed to allocate log, xrefs: 01256DD1
Failed to allocate box path, xrefs: 01256D34

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: CompareStringlstrlen$CommandLine$ArgvErrorFreeLastLocal
String ID: Failed to allocate box path$Failed to allocate extract directory$Failed to allocate log$Failed to get command line.$Failed to get path to executable.
API String ID: 881607980-1268566871
Opcode ID: 90a8aef313cf2b1634d64d15a853273bea7af9c6cde6fdb13158576380692509
Instruction ID: ec9055738a9877de032884678f25bd0695f40b556de019c7569cd19baef16149
Opcode Fuzzy Hash: 90a8aef313cf2b1634d64d15a853273bea7af9c6cde6fdb13158576380692509
Instruction Fuzzy Hash: 6B710372E61216ABDBB19F58DCCAE3A77A5EF00360BA04919FD51E7281D630EC41DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0125621F Relevance: 22.7, APIs: 6, Strings: 9, Instructions: 191
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 70%

			E0125621F(signed int _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v12;
				void* _v16;
				void* _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v40;
				intOrPtr _v48;
				char _v56;
				void* __ebx;
				void* __esi;
				void* _t58;
				void* _t69;
				void* _t78;
				void* _t85;
				void* _t86;
				signed int* _t94;
				signed int _t101;
				intOrPtr _t105;
				signed int _t106;
				intOrPtr _t107;
				signed int _t108;
				intOrPtr _t109;
				void* _t111;

				_v24 = _v24 | 0xffffffff;
				_t109 = _a12;
				_t106 = 2;
				_t58 = HeapAlloc(GetProcessHeap(), 8,  *(_t109 + 0x14) << 2);
				_v16 = _t58;
				if(_t58 != 0) {
					_v12 = _v12 & 0x00000000;
					if( *(_t109 + 0x14) <= 0) {
						L16:
						_t96 = _a4;
						if( *((intOrPtr*)(_a4 + 0x14)) != 0) {
							L21:
							_t111 = E0125676F(_t98, _t96, _t106);
							if(_t111 >= 0) {
								E012584C7(_t96, _t105, 1, "Extracting files to: %S",  *((intOrPtr*)(_t96 + 8))); // executed
								E012569B0();
								_t107 = _a12;
								_t96 = 0;
								if( *((intOrPtr*)(_t107 + 0x14)) <= 0) {
									L30:
									E012569B0();
									_t111 = E012569E3();
									if(_t111 >= 0) {
										L34:
										_t108 = 0;
										if(_v16 == 0) {
											L41:
											return _t111;
										}
										if( *((intOrPtr*)(_a12 + 0x14)) <= 0) {
											L39:
											if(HeapFree(GetProcessHeap(), 0, _v16) == 0) {
												E01259A29();
											}
											goto L41;
										} else {
											goto L36;
										}
										do {
											L36:
											_t69 = _v16;
											_t97 =  *((intOrPtr*)(_t69 + _t108 * 4));
											if( *((intOrPtr*)(_t69 + _t108 * 4)) != 0) {
												E0125A46E(_t97);
											}
											_t108 = _t108 + 1;
										} while (_t108 <  *((intOrPtr*)(_a12 + 0x14)));
										goto L39;
									}
									L31:
									_push("User canceled extraction...");
									L32:
									_push(_t111);
									E0125854A(_t96, _t98, _t105);
									L33:
									E012568FB();
									goto L34;
								} else {
									goto L24;
								}
								while(1) {
									L24:
									_t111 = E012569E3();
									if(_t111 < 0) {
										goto L31;
									}
									if(_t96 == _v24) {
										L27:
										_t111 = E012569E3();
										if(_t111 < 0) {
											goto L31;
										}
										_t78 = E0125A222(_t105,  *((intOrPtr*)(_v16 + _t96 * 4)),  *((intOrPtr*)(_a4 + 8))); // executed
										_t111 = _t78;
										if(_t111 < 0) {
											_push(_t96);
											_push("Failed to extract all files out of box container #%d.");
											L44:
											_push(_t111);
											E0125854A(_t96, _t98, _t105);
											goto L33;
										}
										_t96 = _t96 + 1;
										if(_t96 <  *((intOrPtr*)(_t107 + 0x14))) {
											continue;
										}
										goto L30;
									}
									_t98 =  *((intOrPtr*)(_v16 + _t96 * 4));
									_t111 = E0125A003( *((intOrPtr*)(_v16 + _t96 * 4)), _t105);
									if(_t111 < 0) {
										_push(_t96);
										_push("Failed to verify box container #%d.");
										goto L44;
									}
									goto L27;
								}
								goto L31;
							}
							_push("Failed to start reporting progress");
							goto L32;
						}
						 *0x127c0e8 = _t106;
						 *0x127c0ec = 0;
						_t85 = HeapAlloc(GetProcessHeap(), 0, _t106 << 2);
						 *0x127c0e4 = _t85;
						if(_t85 != 0) {
							goto L21;
						}
						_t111 = 0x8007000e;
						_push("Failed to alloc cleanup list buffer");
						goto L32;
					}
					_v20 = _t58;
					while(1) {
						_t86 = E01259DC6(_t98, _a8, _v12, _v20); // executed
						_t111 = _t86;
						if(_t111 < 0) {
							break;
						}
						_t96 =  &_v56;
						_t111 = E01259EF3( &_v56,  *_v20);
						if(_t111 < 0) {
							_push("Failed to read container header.");
							goto L32;
						}
						if(_v40 == 0) {
							_t106 = _t106 + (_v48 + 0xfffff >> 0x14);
						} else {
							_v24 = _v12;
						}
						_t105 = _v32;
						if(_t105 == 0) {
							L15:
							_v12 = _v12 + 1;
							_t98 = _v12;
							_v20 = _v20 + 4;
							if(_v12 <  *((intOrPtr*)(_a12 + 0x14))) {
								continue;
							}
							goto L16;
						} else {
							_t94 = _v28 + 0x10;
							do {
								_t101 =  *_t94;
								if(_t101 == 0) {
									_t23 =  &(_t94[2]); // 0x0
									_t106 = _t106 + ( *_t23 + 0x7ffff >> 0x13);
								} else {
									_t106 = _t106 + _t101 * 2;
								}
								_t94 =  &(_t94[8]);
								_t105 = _t105 - 1;
							} while (_t105 != 0);
							goto L15;
						}
					}
					_push("Failed to open container.");
					goto L32;
				}
				_t111 = 0x8007000e;
				_push("Failed to allocate memory to hold container handles.");
				goto L32;
			}

0x01256227
0x0125622d
0x01256236
0x01256244
0x0125624a
0x0125624f
0x01256260
0x01256268
0x012562fd
0x012562fd
0x01256305
0x01256353
0x0125635a
0x0125635e
0x01256374
0x0125637c
0x01256381
0x01256384
0x01256389
0x012563d8
0x012563d8
0x012563e2
0x012563e6
0x012563fa
0x012563fa
0x012563ff
0x0125643d
0x01256442
0x01256442
0x01256407
0x01256421
0x01256435
0x01256437
0x01256437
0x00000000
0x00000000
0x00000000
0x00000000
0x01256409
0x01256409
0x01256409
0x0125640c
0x01256411
0x01256413
0x01256413
0x0125641b
0x0125641c
0x00000000
0x01256409
0x012563e8
0x012563e8
0x012563ed
0x012563ed
0x012563ee
0x012563f5
0x012563f5
0x00000000
0x00000000
0x00000000
0x00000000
0x0125638b
0x0125638b
0x01256390
0x01256394
0x00000000
0x00000000
0x01256399
0x012563b0
0x012563b5
0x012563b9
0x00000000
0x00000000
0x012563c7
0x012563cc
0x012563d0
0x0125644d
0x0125644e
0x01256453
0x01256453
0x01256454
0x00000000
0x01256459
0x012563d2
0x012563d6
0x00000000
0x00000000
0x00000000
0x012563d6
0x0125639e
0x012563a6
0x012563aa
0x01256445
0x01256446
0x00000000
0x01256446
0x00000000
0x012563aa
0x00000000
0x0125638b
0x01256360
0x00000000
0x01256360
0x0125630e
0x01256314
0x01256321
0x01256327
0x0125632e
0x00000000
0x00000000
0x01256330
0x01256335
0x00000000
0x01256335
0x0125626e
0x01256271
0x0125627a
0x0125627f
0x01256283
0x00000000
0x00000000
0x0125628e
0x01256296
0x0125629a
0x01256349
0x00000000
0x01256349
0x012562a4
0x012562b9
0x012562a6
0x012562a9
0x012562a9
0x012562bb
0x012562c0
0x012562e7
0x012562e7
0x012562ed
0x012562f0
0x012562f7
0x00000000
0x00000000
0x00000000
0x012562c2
0x012562c5
0x012562c8
0x012562c8
0x012562cc
0x012562d3
0x012562df
0x012562ce
0x012562ce
0x012562ce
0x012562e1
0x012562e4
0x012562e4
0x00000000
0x012562c8
0x012562c0
0x0125633f
0x00000000
0x0125633f
0x01256251
0x01256256
0x00000000

APIs

GetProcessHeap.KERNEL32(00000008,?,00000000,7620EA30,00000000,?,?,?,?,?,?,?,01255B83,0127BEF0), ref: 0125623D
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,01255B83,0127BEF0), ref: 01256244
GetProcessHeap.KERNEL32(00000000,00000002,?,?,?,?,?,?,?,01255B83,0127BEF0), ref: 0125631A
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,01255B83,0127BEF0), ref: 01256321
GetProcessHeap.KERNEL32(00000000,?,?,00000000,00000002,?,?,?,?,?,?,?,01255B83,0127BEF0), ref: 01256426
HeapFree.KERNEL32(00000000,?,00000000,00000002,?,?,?,?,?,?,?,01255B83,0127BEF0), ref: 0125642D

Strings

Failed to extract all files out of box container #%d., xrefs: 0125644E
Failed to allocate memory to hold container handles., xrefs: 01256256
Extracting files to: %S, xrefs: 0125636D
Failed to read container header., xrefs: 01256349
Failed to verify box container #%d., xrefs: 01256446
Failed to open container., xrefs: 0125633F
Failed to start reporting progress, xrefs: 01256360
Failed to alloc cleanup list buffer, xrefs: 01256335
User canceled extraction..., xrefs: 012563E8

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: Heap$Process$Alloc$Free
String ID: Extracting files to: %S$Failed to alloc cleanup list buffer$Failed to allocate memory to hold container handles.$Failed to extract all files out of box container #%d.$Failed to open container.$Failed to read container header.$Failed to start reporting progress$Failed to verify box container #%d.$User canceled extraction...
API String ID: 1864747095-3704756192
Opcode ID: 25999a44390712ae645e9d44b2f8ffaf859c4add14ec8ee350f7ce678e1152cb
Instruction ID: 855df6584de2b8d99cc2c869bbef70a5b9482c082bed01d188705e5b226ec02d
Opcode Fuzzy Hash: 25999a44390712ae645e9d44b2f8ffaf859c4add14ec8ee350f7ce678e1152cb
Instruction Fuzzy Hash: 3761C431D20217ABDBA1DF98D8C5A6E7B71FF10B50F854169EE11AB201DB70DD50CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01257AE7 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 105
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E01257AE7(void* __edx, intOrPtr _a4) {
				void* _v8;
				void* _v12;
				WCHAR* _v16;
				WCHAR* _v20;
				int _v24;
				void* __ebx;
				void* __esi;
				signed int _t29;
				void* _t33;
				int _t42;
				int _t46;
				void* _t49;
				void* _t52;
				void* _t54;
				WCHAR* _t56;
				void* _t58;

				_t52 = __edx;
				_v8 = 0;
				_v12 = 0;
				_t29 = SetErrorMode(0);
				_v24 = _t29;
				SetErrorMode(_t29 | 0x00000001); // executed
				_v16 = 0;
				while(1) {
					_t33 = E0125746A(_t52,  &_v8); // executed
					_t54 = _t33;
					if(_t54 < 0) {
						break;
					}
					_push(_v8);
					_t54 = E01258B7E( &_v12, L"%s%s", _a4);
					_t58 = _t58 + 0x10;
					if(_t54 < 0) {
						_push("Unable to generate random directory name");
						L24:
						_push(_t54);
						E0125854A(0, _t49, _t52);
						L16:
						if(_v8 != 0) {
							E01258E6F(_v8);
						}
						if(_v12 != 0) {
							E01258E6F(_v12);
						}
						L20:
						SetErrorMode(_v24); // executed
						return _t54;
					}
					_v20 = 0;
					_t54 = E01259926( &_v20, _v12);
					if(_t54 < 0) {
						_push("Failed to allocate long path");
						goto L24;
					}
					_t56 = _v20;
					_t42 = CreateDirectoryW(_t56, 0); // executed
					_v20 = _t42;
					if(_t42 != 0) {
						_t46 = RemoveDirectoryW(_t56); // executed
						if(_t46 == 0) {
							MoveFileExW(_t56, 0, 4);
						}
					}
					if(_t56 != 0) {
						E01258E6F(_t56);
					}
					if(_v8 != 0) {
						E01258E6F(_v8);
					}
					if(_v12 != 0) {
						E01258E6F(_v12);
					}
					_v8 = 0;
					_v12 = 0;
					if(_v20 != 0) {
						_t54 = 0;
						goto L20;
					} else {
						_v16 = _v16 + 1;
						if(_v16 < 0x3e8) {
							continue;
						}
						_t54 = 1;
						goto L16;
					}
				}
				_push("Unable to generate random name");
				goto L24;
			}

0x01257ae7
0x01257afb
0x01257afe
0x01257b01
0x01257b03
0x01257b0a
0x01257b0c
0x01257b0f
0x01257b13
0x01257b18
0x01257b1c
0x00000000
0x00000000
0x01257b22
0x01257b36
0x01257b38
0x01257b3d
0x01257bf3
0x01257bff
0x01257bff
0x01257c00
0x01257bc4
0x01257bc7
0x01257bcc
0x01257bcc
0x01257bd4
0x01257bd9
0x01257bd9
0x01257bde
0x01257be1
0x01257be9
0x01257be9
0x01257b49
0x01257b51
0x01257b55
0x01257bfa
0x00000000
0x01257bfa
0x01257b5b
0x01257b60
0x01257b66
0x01257b6b
0x01257b6e
0x01257b76
0x01257b7c
0x01257b7c
0x01257b76
0x01257b84
0x01257b87
0x01257b87
0x01257b8f
0x01257b94
0x01257b94
0x01257b9c
0x01257ba1
0x01257ba1
0x01257ba6
0x01257ba9
0x01257baf
0x01257c09
0x00000000
0x01257bb1
0x01257bb1
0x01257bbb
0x00000000
0x00000000
0x01257bc3
0x00000000
0x01257bc3
0x01257baf
0x01257bec
0x00000000

APIs

SetErrorMode.KERNEL32(00000000,00000000,?,?,?,?,?,012578B7,?,?), ref: 01257B01
SetErrorMode.KERNELBASE(00000000,?,?,?,012578B7,?,?,?,?,?,?,?,?,?,?,01256F09), ref: 01257B0A

Part of subcall function 0125746A: UuidCreate.RPCRT4(?), ref: 01257496
Part of subcall function 0125746A: RpcStringFreeW.RPCRT4(00000000), ref: 012574FF

CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,012578B7,?,?), ref: 01257B60
RemoveDirectoryW.KERNELBASE(?,?,?,?,?,?,?,?,012578B7,?,?), ref: 01257B6E
MoveFileExW.KERNEL32(?,00000000,00000004,?,?,?,?,?,?,?,012578B7,?,?), ref: 01257B7C
SetErrorMode.KERNELBASE(?,?,?,?,?,012578B7,?,?), ref: 01257BE1

Strings

%s%s, xrefs: 01257B2B
Failed to allocate long path, xrefs: 01257BFA
Unable to generate random directory name, xrefs: 01257BF3
Unable to generate random name, xrefs: 01257BEC

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: ErrorMode$CreateDirectory$FileFreeMoveRemoveStringUuid
String ID: %s%s$Failed to allocate long path$Unable to generate random directory name$Unable to generate random name
API String ID: 1102146613-1274944306
Opcode ID: 28b7c88a0a7d2a0d4c389dfb6a09ed377b7bbbb4cf496df30597e8f0cdf95496
Instruction ID: 15f6d14a5161bff723e8d9657161848a2d2c0b0840f895338fd9baa0f41167c5
Opcode Fuzzy Hash: 28b7c88a0a7d2a0d4c389dfb6a09ed377b7bbbb4cf496df30597e8f0cdf95496
Instruction Fuzzy Hash: B1316D71D6026AFFCF91AFE99CC49AEFBB8AF10350B51446AEF01B2110E7704A419B91

Uniqueness

Uniqueness Score: -1.00%

Function 01257CD0 Relevance: 16.7, APIs: 2, Strings: 9, Instructions: 178
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 012587EB: GetProcessHeap.KERNEL32(00000000,?,00000104,00000104,012599E4,?,?,01256E7F), ref: 01258802
Part of subcall function 012587EB: HeapReAlloc.KERNEL32(00000000,?,00000104,00000104,012599E4,?,?,01256E7F), ref: 01258809

GetLastError.KERNEL32(?,?,?,01257780,?,00000000,00000000,0127BEF0,?,?,01256F09,?,?,00000000), ref: 01257D34
GetLastError.KERNEL32(?,?,?,01257780,?,00000000,00000000,0127BEF0,?,?,01256F09,?,?,00000000), ref: 01257D6C

Part of subcall function 012584C7: GetLocalTime.KERNEL32(?,?,00000000,?,?,01256E90,00000000), ref: 012584E2
Part of subcall function 012584C7: swprintf.LIBCMT ref: 01258513

Strings

Failed to concatenate to the cluster drive map, xrefs: 01257E66
Failed to allocate an empty drive map, xrefs: 01257D02
Failed to initialize the Cluster API, xrefs: 01257D1F
Failed to open the current cluster, xrefs: 01257D55
Failed to open the clsuter enumeration for resources, xrefs: 01257D8D
Considering cluster resource: '%S'..., xrefs: 01257DB5
Drive map for cluster resource '%S' : '%S', xrefs: 01257DEE
Failed to get the next resource in the cluster enum, xrefs: 01257E4B
Failed to get cluster drive map from resource, xrefs: 01257E5F

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: ErrorHeapLast$AllocLocalProcessTimeswprintf
String ID: Considering cluster resource: '%S'...$Drive map for cluster resource '%S' : '%S'$Failed to allocate an empty drive map$Failed to concatenate to the cluster drive map$Failed to get cluster drive map from resource$Failed to get the next resource in the cluster enum$Failed to initialize the Cluster API$Failed to open the clsuter enumeration for resources$Failed to open the current cluster
API String ID: 196121278-1807027133
Opcode ID: 9d6407bb39b1774403594a5465efd1839e750aaaa463d8707f4d9002e83c1036
Instruction ID: a87732d54cd7c637c6997f58b10d2e4ab90c3adf5f3be32ad8cabc714c2318e0
Opcode Fuzzy Hash: 9d6407bb39b1774403594a5465efd1839e750aaaa463d8707f4d9002e83c1036
Instruction Fuzzy Hash: 1C515C72C6026BEFCFA1AFE5DCC98BEBAB4AB04200F550579EE11B3110D7710E40AB91

Uniqueness

Uniqueness Score: -1.00%

Function 0125B07F Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 169
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 88%

			E0125B07F(void* __edx, void* _a4, long _a8) {
				long _v8;
				struct _FILETIME _v16;
				struct _FILETIME _v24;
				signed int _t42;
				signed int _t43;
				void* _t45;
				void* _t51;
				void* _t55;
				int _t60;
				int _t66;
				signed int _t69;
				void* _t70;
				signed int _t72;
				long* _t75;
				long _t76;
				signed short* _t77;

				_t69 = 0;
				_t42 = _a4 - 1;
				_t75 = _a8;
				_t76 = _t75[4];
				 *0x127c154 = 0;
				_v8 = 0;
				_a8 = 0;
				if(_t42 == 0) {
					L28:
					 *0x127c154 = _t69;
					if(_t69 != 0) {
						_t43 = _t42 | 0xffffffff;
						__eflags = _t43;
						return _t43;
					}
					return _v8;
				}
				_t45 = _t42 - 1;
				if(_t45 == 0) {
					_push(_t75[1]);
					_t42 = E01258B7E( &_a8, L"%s%S",  *_t76);
					_t69 = _t42;
					__eflags = _t69;
					if(_t69 < 0) {
						L26:
						__eflags = _a8;
						if(_a8 != 0) {
							_t42 = E01258E6F(_a8);
						}
						goto L28;
					}
					_t72 =  *(_t76 + 4);
					__eflags = _t72;
					if(_t72 == 0) {
						L16:
						_t73 = _a8;
						_t77 = E012596C7(_a8);
						_a4 =  *_t77 & 0x0000ffff;
						 *_t77 = 0; // executed
						_t42 = E012591D3(_t73, _t73, 0); // executed
						_t69 = _t42;
						__eflags = _t69;
						if(_t69 < 0) {
							goto L26;
						}
						 *_t77 = _a4; // executed
						_t51 = E01259CA3(_t73, _a8, 0x40000000, 1, 2, 0x8000080); // executed
						_t70 = _t51;
						__eflags = _t70 - 0xffffffff;
						if(_t70 != 0xffffffff) {
							_t42 = SetFilePointer(_t70,  *_t75, 0, 0); // executed
							__eflags = _t42;
							if(_t42 != 0) {
								SetEndOfFile(_t70); // executed
								__eflags = 0;
								_t42 = SetFilePointer(_t70, 0, 0, 0); // executed
							}
							_v8 = _t70;
							L25:
							_t69 = 0;
							__eflags = 0;
							goto L26;
						}
						_t42 = GetLastError();
						_t69 = _t42;
						__eflags = _t69;
						if(__eflags > 0) {
							_t69 = _t69 & 0x0000ffff | 0x80070000;
							__eflags = _t69;
						}
						if(__eflags >= 0) {
							_t69 = 0x80004005;
						}
						goto L26;
					}
					asm("cdq");
					_t42 =  *_t72(0, _a8,  *_t75, __edx,  *((intOrPtr*)(_t76 + 8)));
					_t69 = _t42;
					__eflags = _t69;
					if(_t69 != 0) {
						L11:
						 *(_t76 + 0xc) = _t69;
						goto L26;
					}
					goto L16;
				}
				_t55 = _t45 - 1;
				if(_t55 == 0) {
					_a4 = _t75[5];
					_t60 = DosDateTimeToFileTime(_t75[6] & 0x0000ffff, _t75[6] & 0x0000ffff,  &_v24);
					__eflags = _t60;
					if(_t60 != 0) {
						_t66 = LocalFileTimeToFileTime( &_v24,  &_v16);
						__eflags = _t66;
						if(_t66 != 0) {
							SetFileTime(_a4,  &_v16,  &_v16, _t67); // executed
						}
					}
					FindCloseChangeNotification(_a4); // executed
					_t75[5] = _t75[5] & _t69;
					__eflags =  *(_t76 + 4) - _t69;
					if( *(_t76 + 4) == _t69) {
						L12:
						__eflags = _t69;
						_t42 = 0 | _t69 == 0x00000000;
						_v8 = _t42;
						goto L25;
					}
					_push(_t75[1]);
					_t42 = E01258B7E( &_a8, L"%s%S",  *_t76);
					_t69 = _t42;
					__eflags = _t69;
					if(_t69 < 0) {
						goto L26;
					}
					_t42 =  *(_t76 + 4)(2, _a8, 0, 0,  *((intOrPtr*)(_t76 + 8)));
					_t69 = _t42;
					__eflags = _t69;
					if(_t69 == 0) {
						goto L12;
					}
					goto L11;
				}
				_t42 = _t55 - 1;
				if(_t42 == 0) {
					goto L26;
				} else {
					goto L28;
				}
			}

0x0125b08c
0x0125b08e
0x0125b090
0x0125b093
0x0125b096
0x0125b09c
0x0125b09f
0x0125b0a2
0x0125b234
0x0125b234
0x0125b23c
0x0125b243
0x0125b243
0x00000000
0x0125b243
0x00000000
0x0125b23e
0x0125b0a8
0x0125b0a9
0x0125b15a
0x0125b168
0x0125b16d
0x0125b172
0x0125b174
0x0125b226
0x0125b226
0x0125b22a
0x0125b22f
0x0125b22f
0x00000000
0x0125b22a
0x0125b17a
0x0125b17d
0x0125b17f
0x0125b196
0x0125b196
0x0125b19e
0x0125b1a3
0x0125b1aa
0x0125b1ad
0x0125b1b2
0x0125b1b4
0x0125b1b6
0x00000000
0x00000000
0x0125b1cd
0x0125b1d0
0x0125b1d5
0x0125b1d7
0x0125b1da
0x0125b20c
0x0125b20e
0x0125b210
0x0125b213
0x0125b219
0x0125b21f
0x0125b21f
0x0125b221
0x0125b224
0x0125b224
0x0125b224
0x00000000
0x0125b224
0x0125b1dc
0x0125b1e2
0x0125b1e4
0x0125b1e6
0x0125b1ee
0x0125b1f4
0x0125b1f4
0x0125b1f6
0x0125b1f8
0x0125b1f8
0x00000000
0x0125b1f6
0x0125b186
0x0125b18e
0x0125b190
0x0125b192
0x0125b194
0x0125b143
0x0125b143
0x00000000
0x0125b143
0x00000000
0x0125b194
0x0125b0af
0x0125b0b0
0x0125b0c1
0x0125b0d2
0x0125b0d8
0x0125b0da
0x0125b0e4
0x0125b0ea
0x0125b0ec
0x0125b0f7
0x0125b0f7
0x0125b0ec
0x0125b100
0x0125b106
0x0125b109
0x0125b10c
0x0125b14b
0x0125b14d
0x0125b14f
0x0125b152
0x00000000
0x0125b152
0x0125b10e
0x0125b11c
0x0125b121
0x0125b126
0x0125b128
0x00000000
0x00000000
0x0125b13a
0x0125b13d
0x0125b13f
0x0125b141
0x00000000
0x00000000
0x00000000
0x0125b141
0x0125b0b2
0x0125b0b3
0x00000000
0x0125b0b9
0x00000000
0x0125b0b9

APIs

DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 0125B0D2
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0125B0E4
SetFileTime.KERNELBASE(?,?,?,?), ref: 0125B0F7
FindCloseChangeNotification.KERNELBASE(?), ref: 0125B100
GetLastError.KERNEL32(?,40000000,00000001,00000002,08000080,?,00000000), ref: 0125B1DC

Strings

%s%S, xrefs: 0125B116, 0125B162

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: Time$File$ChangeCloseDateErrorFindLastLocalNotification
String ID: %s%S
API String ID: 604158762-4203644592
Opcode ID: 564b604404f499491ee231a5f0ac60efce32527d3bee97f48ac33669a65ff94b
Instruction ID: d487f9bd46e31831efaf0ec1973218bcef983265257b79ffcd2475c1b9ffdc68
Opcode Fuzzy Hash: 564b604404f499491ee231a5f0ac60efce32527d3bee97f48ac33669a65ff94b
Instruction Fuzzy Hash: D9518171A20707BBEB619FA9D8C4BBA7BA9EF08250F108529BF15D6140DBB0D950CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0125AB0C Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 115
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E0125AB0C(void** __ebx, void* __edx, void* __eflags) {
				signed int _v8;
				long _v20;
				void _v44;
				signed int _v48;
				long _v52;
				void* _v56;
				void* __edi;
				void* __esi;
				signed int _t39;
				signed int _t42;
				int _t47;
				signed int _t57;
				signed int _t64;
				void** _t67;
				signed int _t70;
				void* _t72;
				long _t73;
				long _t76;
				signed int _t78;

				_t72 = __edx;
				_t67 = __ebx;
				_t39 =  *0x127a050; // 0xa41d0fe1
				_v8 = _t39 ^ _t78;
				_t76 = 0;
				_v52 = 0;
				_t42 = E01259B6A( *__ebx,  *((intOrPtr*)(__ebx[4] + 8)),  *((intOrPtr*)(__ebx[4] + 0xc))); // executed
				_v48 = _t42;
				if(_t42 < 0) {
					L23:
					return E012691D5(_v48, _t67, _v8 ^ _t78, _t72, _t73, _t76);
				}
				_t47 = ReadFile( *__ebx,  &_v44, 0x24,  &_v52, 0); // executed
				if(_t47 != 0) {
					if(_v52 == 0x24) {
						_t73 = HeapAlloc(GetProcessHeap(), 0, _v20);
						_v56 = _t73;
						if(_t73 != 0) {
							_t70 = 9;
							memcpy(_t73,  &_v44, _t70 << 2);
							_t73 = 0;
							_t76 = 0x24;
							_v52 = 0;
							while(ReadFile( *_t67, _v56 + _t76, _v20 - _t76,  &_v52, _t73) != 0) {
								_t76 = _t76 + _v52;
								if(_v52 != _t73) {
									continue;
								}
								if(_t76 == _v20) {
									_t67[5] = _v56;
									_v56 = _t73;
								} else {
									_v48 = 0x8007001e;
								}
								L20:
								if(_v56 != _t73 && HeapFree(GetProcessHeap(), _t73, _v56) == 0) {
									E01259A29();
								}
								goto L23;
							}
							_t57 = GetLastError();
							_v48 = _t57;
							if(_t57 > _t73) {
								_v48 = _t57 & 0x0000ffff | 0x80070000;
							}
							if(_v48 >= _t73) {
								_v48 = 0x80004005;
							}
							goto L20;
						}
						_v48 = 0x8007000e;
						goto L23;
					}
					_v48 = 0x8007001e;
				} else {
					_t64 = GetLastError();
					_v48 = _t64;
					if(_t64 > 0) {
						_v48 = _t64 & 0x0000ffff | 0x80070000;
					}
					if(_v48 >= _t76) {
						_v48 = 0x80004005;
					}
				}
			}

0x0125ab0c
0x0125ab0c
0x0125ab14
0x0125ab1b
0x0125ab23
0x0125ab25
0x0125ab30
0x0125ab35
0x0125ab3a
0x0125ac51
0x0125ac61
0x0125ac61
0x0125ab4d
0x0125ab55
0x0125ab8a
0x0125aba9
0x0125abab
0x0125abb0
0x0125abc0
0x0125abc4
0x0125abc8
0x0125abca
0x0125abcb
0x0125abce
0x0125abeb
0x0125abf1
0x00000000
0x00000000
0x0125abf6
0x0125ac2c
0x0125ac2f
0x0125abf8
0x0125abf8
0x0125abf8
0x0125ac32
0x0125ac35
0x0125ac4c
0x0125ac4c
0x00000000
0x0125ac35
0x0125ac01
0x0125ac07
0x0125ac0c
0x0125ac18
0x0125ac18
0x0125ac1e
0x0125ac20
0x0125ac20
0x00000000
0x0125ac1e
0x0125abb2
0x00000000
0x0125abb2
0x0125ab8c
0x0125ab57
0x0125ab57
0x0125ab5d
0x0125ab62
0x0125ab6e
0x0125ab6e
0x0125ab74
0x0125ab7a
0x0125ab7a
0x0125ab74

APIs

Part of subcall function 01259B6A: SetFilePointerEx.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0125A52C,00000000,00000000,00000000,00000000,00000000,00000000), ref: 01259B82
Part of subcall function 01259B6A: GetLastError.KERNEL32(?,?,?,0125A52C,00000000,00000000,00000000,00000000,00000000,00000000,?,?,01255AF6,0127BEF0), ref: 01259B8C

ReadFile.KERNELBASE(00000000,01259ECF,00000024,?,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,01259ECF,?), ref: 0125AB4D
GetLastError.KERNEL32(?,?,?,?,01259ECF,?,?,01256163,?,?,?,00000000,00000000), ref: 0125AB57
GetProcessHeap.KERNEL32(00000000,?), ref: 0125AB9C
HeapAlloc.KERNEL32(00000000), ref: 0125ABA3
ReadFile.KERNEL32(00000000,?,?,00000024,00000000), ref: 0125ABE1
GetProcessHeap.KERNEL32(00000000,?), ref: 0125AC3B
HeapFree.KERNEL32(00000000), ref: 0125AC42

Strings

$, xrefs: 0125AB86

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: Heap$File$ErrorLastProcessRead$AllocFreePointer
String ID: $
API String ID: 1504513977-3993045852
Opcode ID: 6ff4fcb2ce1140fd5d41a74e603a93714f2227f157a16fcc0749f5a97df3cb5d
Instruction ID: 43e7206ff3e9bba70c11b9bc9bd661aa46be46be3d4910fc318ecf0b36312870
Opcode Fuzzy Hash: 6ff4fcb2ce1140fd5d41a74e603a93714f2227f157a16fcc0749f5a97df3cb5d
Instruction Fuzzy Hash: 93415B71D20219EFCF519FA9E989AEDBBB5FF08711F10861AEA11E7100E7758840DF64

Uniqueness

Uniqueness Score: -1.00%

Function 012585B2 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 104
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E012585B2(void* __ebx, void* __edx) {
				signed int _v8;
				short _v528;
				short _v1048;
				char _v1052;
				struct HINSTANCE__* _v1056;
				struct HINSTANCE__* _v1060;
				long _v1064;
				void* __edi;
				void* __esi;
				signed int _t22;
				void* _t33;
				int _t36;
				void* _t37;
				void* _t48;
				unsigned int _t49;
				void* _t53;
				unsigned int _t54;
				signed int _t60;
				void* _t61;

				_t53 = __edx;
				_t48 = __ebx;
				_t22 =  *0x127a050; // 0xa41d0fe1
				_v8 = _t22 ^ _t60;
				_t54 = 0;
				_v1064 = 0x104;
				_v1060 = 0;
				_v1056 = 0;
				_v1052 = 0;
				if( *0x127b140 == 0xffffffff ||  *0x127c120 == 0) {
					_t57 = 1;
				} else {
					if(GetModuleFileNameW(0,  &_v528, 0x104) == 0) {
						E0126DE40( &_v528, 0, 0x208);
						_t61 = _t61 + 0xc;
					}
					_push(_t48);
					_t33 = E01259A63(_t54,  &_v528,  &_v1060,  &_v1056); // executed
					if(_t33 >= 0) {
						_t54 = _v1060;
						_t49 = _v1056;
					} else {
						_t49 = 0;
					}
					_t36 = GetComputerNameW( &_v1048,  &_v1064); // executed
					if(_t36 == 0) {
						E0126DE40( &_v1048, _t36, 0x208);
						_t61 = _t61 + 0xc;
					}
					_t37 = E01258E9C(_t49, _t53, _t54,  &_v1052); // executed
					_t57 = _t37;
					if(_t37 >= 0) {
						E012584C7(_t49, _t53, 1, "=== Logging started: %S ===", _v1052); // executed
						_push(_t49 & 0x0000ffff);
						_push(_t49 >> 0x10);
						_push(_t54 & 0x0000ffff);
						_push(_t54 >> 0x10);
						E012584C7(_t49 >> 0x10, _t53, 1, "Executable: %S v%d.%d.%d.%d",  &_v528); // executed
						E012584C7(_t49 >> 0x10, _t53, 1, "--- logging level: %s ---", "standard"); // executed
					}
					_t54 = 0;
					_pop(_t48);
				}
				if(_v1052 != _t54) {
					E01258E6F(_v1052);
				}
				return E012691D5(_t57, _t48, _v8 ^ _t60, _t53, _t54, _t57);
			}

0x012585b2
0x012585b2
0x012585bd
0x012585c4
0x012585c9
0x012585d7
0x012585dd
0x012585e3
0x012585e9
0x012585ef
0x01258704
0x01258601
0x01258617
0x01258622
0x01258627
0x01258627
0x0125862a
0x01258640
0x01258647
0x0125864d
0x01258653
0x01258649
0x01258649
0x01258649
0x01258667
0x0125866f
0x0125867a
0x0125867f
0x0125867f
0x01258688
0x0125868d
0x01258691
0x012586a0
0x012586a8
0x012586af
0x012586b0
0x012586b4
0x012586c3
0x012586d4
0x012586d9
0x012586dc
0x012586de
0x012586de
0x012586e5
0x012586ed
0x012586ed
0x01258701

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,00000000), ref: 0125860A
_memset.LIBCMT ref: 01258622
GetComputerNameW.KERNEL32 ref: 01258667
_memset.LIBCMT ref: 0125867A

Strings

=== Logging started: %S ===, xrefs: 01258699
Executable: %S v%d.%d.%d.%d, xrefs: 012586BC
--- logging level: %s ---, xrefs: 012586CD
standard, xrefs: 012586C8

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: Name_memset$ComputerFileModule
String ID: --- logging level: %s ---$=== Logging started: %S ===$Executable: %S v%d.%d.%d.%d$standard
API String ID: 949451329-1073105773
Opcode ID: 2df9acf15dfb3f6f5f580112223d6c7700f8b1f9a16e6bee9e0a043837aa3661
Instruction ID: 31238c007ca890de24867e59cbfaa7dc0d29f2bfb0e8c10911e9508baaa635eb
Opcode Fuzzy Hash: 2df9acf15dfb3f6f5f580112223d6c7700f8b1f9a16e6bee9e0a043837aa3661
Instruction Fuzzy Hash: C031AAF191022D9FCB619A569CC4EEBB7BCEB54704F0041A5AF09E2141EAB09EC48FB4

Uniqueness

Uniqueness Score: -1.00%

Function 0125A46E Relevance: 13.6, APIs: 9, Instructions: 63
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0125A46E(void* __ebx) {
				void* _t7;
				void* _t8;
				void* _t9;
				int _t13;
				signed int _t14;
				void* _t25;

				_t25 = __ebx;
				if( *__ebx != 0xffffffff) {
					__eax = FindCloseChangeNotification(__eax); // executed
				}
				_t7 =  *(_t25 + 0x10);
				if(_t7 != 0 && HeapFree(GetProcessHeap(), 0, _t7) == 0) {
					L1();
				}
				_t8 =  *(_t25 + 0x14);
				if(_t8 != 0 && HeapFree(GetProcessHeap(), 0, _t8) == 0) {
					L1();
				}
				_t9 =  *(_t25 + 0x18);
				if(_t9 != 0 && HeapFree(GetProcessHeap(), 0, _t9) == 0) {
					L1();
				}
				_t10 =  *((intOrPtr*)(_t25 + 0xc));
				if( *((intOrPtr*)(_t25 + 0xc)) != 0) {
					E01258E6F(_t10);
				}
				_t11 =  *((intOrPtr*)(_t25 + 4));
				if( *((intOrPtr*)(_t25 + 4)) != 0) {
					E01258E6F(_t11);
				}
				_t13 = HeapFree(GetProcessHeap(), 0, _t25);
				if(_t13 != 0) {
					return _t13;
				} else {
					_t14 = GetLastError();
					if(_t14 > 0) {
						return _t14 & 0x0000ffff | 0x80070000;
					}
					return _t14;
				}
			}

0x0125a46e
0x0125a473
0x0125a476
0x0125a476
0x0125a47c
0x0125a48f
0x0125a49d
0x0125a49d
0x0125a4a2
0x0125a4a7
0x0125a4b5
0x0125a4b5
0x0125a4ba
0x0125a4bf
0x0125a4cd
0x0125a4cd
0x0125a4d2
0x0125a4d7
0x0125a4da
0x0125a4da
0x0125a4df
0x0125a4e4
0x0125a4e7
0x0125a4e7
0x0125a4f2
0x0125a4f8
0x0125a4ff
0x0125a4fa
0x01259a29
0x01259a31
0x00000000
0x01259a38
0x01259a3d
0x01259a3d

APIs

FindCloseChangeNotification.KERNELBASE(012796F0,012561FB,00000000,00000000,?,?,?,?,?,01255B19,?,?,?,0127BEF0), ref: 0125A476
GetProcessHeap.KERNEL32(00000000,?,00000000,00000000,012561FB,00000000,00000000,?,?,?,?,?,01255B19,?,?,?), ref: 0125A494
HeapFree.KERNEL32(00000000,?,?,?,?,01255B19,?,?,?,0127BEF0), ref: 0125A497
GetProcessHeap.KERNEL32(00000000,?,00000000,00000000,012561FB,00000000,00000000,?,?,?,?,?,01255B19,?,?,?), ref: 0125A4AC
HeapFree.KERNEL32(00000000,?,?,?,?,01255B19,?,?,?,0127BEF0), ref: 0125A4AF
GetProcessHeap.KERNEL32(00000000,?,00000000,00000000,012561FB,00000000,00000000,?,?,?,?,?,01255B19,?,?,?), ref: 0125A4C4
HeapFree.KERNEL32(00000000,?,?,?,?,01255B19,?,?,?,0127BEF0), ref: 0125A4C7
GetProcessHeap.KERNEL32(00000000,?,00000000,00000000,012561FB,00000000,00000000,?,?,?,?,?,01255B19,?,?,?), ref: 0125A4EF
HeapFree.KERNEL32(00000000,?,?,?,?,01255B19,?,?,?,0127BEF0), ref: 0125A4F2

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: Heap$FreeProcess$ChangeCloseFindNotification
String ID:
API String ID: 128005546-0
Opcode ID: a6fb9d212a5fd7b301e4186049a665b4c45046db74817c1c7f4f10570e5bdf10
Instruction ID: 4e5ac1e7ee6d49841e1c7d527ac109444b3e4c5e0253e16564fefe010538724f
Opcode Fuzzy Hash: a6fb9d212a5fd7b301e4186049a665b4c45046db74817c1c7f4f10570e5bdf10
Instruction Fuzzy Hash: A5014060720217A7EFA0BAFAADCDF273E9CDF80A94B444251FF04D7189DA74D8409A71

Uniqueness

Uniqueness Score: -1.00%

Function 01256F5C Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 41%

			E01256F5C(long __eax, intOrPtr _a4, intOrPtr _a8) {
				void* __ebx;
				void* __ecx;
				int _t10;
				long _t18;
				intOrPtr* _t19;
				void* _t24;
				int _t28;

				_t18 = __eax;
				_t1 = _t18 + 8; // 0x127bef8
				_t9 = _t1;
				_t19 =  *_t1;
				_t28 = 0;
				if(_t19 == 0 ||  *_t19 == 0) {
					if( *((intOrPtr*)(_t18 + 0x1c)) != 0 ||  *((intOrPtr*)(_t18 + 0x14)) == 0) {
						_t10 = E012573A1(_t18, _t19, _a4, _a8); // executed
						_t28 = _t10;
						if(_t28 >= 0) {
							goto L9;
						} else {
							_push("Failed to select temporary directory for extraction");
							goto L14;
						}
					} else {
						_t28 = E012595C3(_t19, _t9);
						if(_t28 >= 0) {
							goto L9;
						} else {
							_push("Failed to get current directory");
							E0125854A(_t18, _t19, _t24);
							_t19 = _t28;
							if(_t28 >= 0) {
								goto L9;
							} else {
								_push("Failed to select current directory for extraction");
								goto L14;
							}
						}
					}
				} else {
					L9:
					if( *((intOrPtr*)(_t18 + 0x1c)) == 0 &&  *((intOrPtr*)(_t18 + 0x14)) != 0) {
						_t28 = DialogBoxParamW(GetModuleHandleW(0), 0x82, 0, E01257016, _t18);
						if(_t28 < 0) {
							_push("Failed while running the extract directory selection dialog.");
							E0125854A(_t18, _t19, _t24);
							_t19 = _t28;
							if(_t28 < 0) {
								_push("Failed to select the user-specified directory for extraction");
								L14:
								_push(_t28);
								E0125854A(_t18, _t19, _t24);
							}
						}
					}
				}
				return _t28;
			}

0x01256f64
0x01256f66
0x01256f66
0x01256f69
0x01256f6e
0x01256f72
0x01256f7c
0x01256fad
0x01256fb2
0x01256fb6
0x00000000
0x01256fb8
0x01256fb8
0x00000000
0x01256fb8
0x01256f83
0x01256f89
0x01256f8d
0x00000000
0x01256f8f
0x01256f8f
0x01256f95
0x01256f9b
0x01256f9e
0x00000000
0x01256fa0
0x01256fa0
0x00000000
0x01256fa0
0x01256f9e
0x01256f8d
0x01256fbf
0x01256fbf
0x01256fc2
0x01256fe3
0x01256fe7
0x01256fe9
0x01256fef
0x01256ff5
0x01256ff8
0x01256ffa
0x01256fff
0x01256fff
0x01257000
0x01257006
0x01256ff8
0x01256fe7
0x01256fc2
0x0125700e

APIs

GetModuleHandleW.KERNEL32(00000000,00000082,00000000,01257016,0127BEF0,?,?,00000000,0127BEF0,?,?,?,01256F09,?,?,00000000), ref: 01256FD6
DialogBoxParamW.USER32 ref: 01256FDD

Strings

Failed to select current directory for extraction, xrefs: 01256FA0
Failed to get current directory, xrefs: 01256F8F
Failed to select temporary directory for extraction, xrefs: 01256FB8
Failed to select the user-specified directory for extraction, xrefs: 01256FFA
Failed while running the extract directory selection dialog., xrefs: 01256FE9

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: DialogHandleModuleParam
String ID: Failed to get current directory$Failed to select current directory for extraction$Failed to select temporary directory for extraction$Failed to select the user-specified directory for extraction$Failed while running the extract directory selection dialog.
API String ID: 3900296288-2402499859
Opcode ID: ec1382c7c7c2870cf72ea8c95ef8a1fe2700e12f9e45aa55ba52da29660adc06
Instruction ID: ec0f31b6ad69ffca066120fa533e6cec7e2a01b8ef752ccedc3bb62efffb0200
Opcode Fuzzy Hash: ec1382c7c7c2870cf72ea8c95ef8a1fe2700e12f9e45aa55ba52da29660adc06
Instruction Fuzzy Hash: AF115E329B4612BF4FF36915ACC5C7BB7D8EA807703D0011AED45A6115E97188414390

Uniqueness

Uniqueness Score: -1.00%

Function 012737AF Relevance: 12.1, APIs: 8, Instructions: 63
threadCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E012737AF(struct _SECURITY_ATTRIBUTES* _a4, long _a8, char _a12, intOrPtr _a16, long _a20, DWORD* _a24) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t16;
				DWORD* _t21;
				char _t33;
				void* _t35;

				_t33 = _a12;
				_t26 = 0;
				_t37 = _t33;
				if(_t33 != 0) {
					E0126A57F();
					_t35 = E0126DC24(1, 0x214);
					__eflags = _t35;
					if(__eflags == 0) {
						L7:
						E0126C318(_t35);
						__eflags = _t26;
						if(_t26 != 0) {
							E0126B089(_t26);
						}
						_t16 = 0;
						__eflags = 0;
						L10:
						return _t16;
					}
					_push( *((intOrPtr*)(E0126A753(0, __eflags) + 0x6c)));
					_push(_t35);
					E0126A61C(0, _t33, _t35, __eflags);
					 *(_t35 + 4) =  *(_t35 + 4) | 0xffffffff;
					 *((intOrPtr*)(_t35 + 0x58)) = _a16;
					_t21 = _a24;
					 *((intOrPtr*)(_t35 + 0x54)) = _t33;
					__eflags = _t21;
					if(_t21 == 0) {
						_t21 =  &_a12;
					}
					_t16 = CreateThread(_a4, _a8, E01273745, _t35, _a20, _t21); // executed
					__eflags = _t16;
					if(_t16 != 0) {
						goto L10;
					} else {
						_t26 = GetLastError();
						goto L7;
					}
				}
				 *((intOrPtr*)(E0126B059(_t37))) = 0x16;
				E0126AFFD();
				return 0;
			}

0x012737b6
0x012737b9
0x012737bb
0x012737bd
0x012737d4
0x012737e5
0x012737e9
0x012737eb
0x01273836
0x01273837
0x0127383d
0x0127383f
0x01273842
0x01273847
0x01273848
0x01273848
0x0127384a
0x00000000
0x0127384a
0x012737f2
0x012737f5
0x012737f6
0x012737fe
0x01273802
0x01273805
0x0127380a
0x0127380d
0x0127380f
0x01273811
0x01273811
0x01273824
0x0127382a
0x0127382c
0x00000000
0x0127382e
0x01273834
0x00000000
0x01273834
0x0127382c
0x012737c4
0x012737ca
0x00000000

APIs

___set_flsgetvalue.LIBCMT ref: 012737D4
__calloc_crt.LIBCMT ref: 012737E0
__getptd.LIBCMT ref: 012737ED
__initptd.LIBCMT ref: 012737F6
CreateThread.KERNELBASE(?,?,01273745,00000000,?,?), ref: 01273824
GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 0127382E
_free.LIBCMT ref: 01273837
__dosmaperr.LIBCMT ref: 01273842

Part of subcall function 0126B059: __getptd_noexit.LIBCMT ref: 0126B059

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit__initptd_free
String ID:
API String ID: 73303432-0
Opcode ID: 07e23f19546241d207a4a13d84b3e0d01ea62d7fb66570e7150329728bec1766
Instruction ID: ab93d5ec4a11ddac5885e441501f9f2d42b987f78204cff5b0696cc391b03591
Opcode Fuzzy Hash: 07e23f19546241d207a4a13d84b3e0d01ea62d7fb66570e7150329728bec1766
Instruction Fuzzy Hash: 2C11E57222434B6FEB21EFA9EC849AB7BDCEF146707000429FA15971D1DB71D8509761

Uniqueness

Uniqueness Score: -1.00%

Function 01259A63 Relevance: 10.6, APIs: 7, Instructions: 88
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01259A63(void* __edi, void* _a4, intOrPtr* _a8, intOrPtr* _a12) {
				int _v8;
				int _v12;
				void* _v16;
				int _v20;
				void* __esi;
				int _t27;
				void* _t28;
				signed int _t29;
				int _t34;
				void* _t35;
				int _t43;
				signed int _t46;
				signed int _t52;

				_v12 = 0;
				_v16 = 0;
				_v20 = 0;
				_v8 = 0;
				_t46 = E01259926( &_v8, _a4);
				if(_t46 < 0) {
					L17:
					if(_v8 != 0) {
						E01258E6F(_v8);
					}
					return _t46;
				}
				_t27 = GetFileVersionInfoSizeW(_v8,  &_v12); // executed
				_t43 = _t27;
				if(_t43 != 0) {
					_t28 = GlobalAlloc(0, _t43);
					_a4 = _t28;
					__eflags = _t28;
					if(_t28 != 0) {
						_t29 = GetFileVersionInfoW(_v8, _v12, _t43, _t28); // executed
						__eflags = _t29;
						if(_t29 == 0) {
							L10:
							_t46 = GetLastError();
							__eflags = _t46;
							if(__eflags > 0) {
								_t46 = _t46 & 0x0000ffff | 0x80070000;
								__eflags = _t46;
							}
							if(__eflags >= 0) {
								_t46 = 0x80004005;
							}
							L15:
							GlobalFree(_a4);
							L16:
							goto L17;
						}
						_t34 = VerQueryValueW(_a4, "\\",  &_v16,  &_v20);
						__eflags = _t34;
						if(_t34 != 0) {
							_t35 = _v16;
							 *_a8 =  *((intOrPtr*)(_t35 + 8));
							 *_a12 =  *((intOrPtr*)(_t35 + 0xc));
							goto L15;
						}
						goto L10;
					}
					_t46 = 0x8007000e;
					goto L16;
				}
				_t46 = GetLastError();
				if(_t46 > 0) {
					_t46 = _t46 & 0x0000ffff | 0x80070000;
					_t52 = _t46;
				}
				if(_t52 >= 0) {
					_t46 = 0x80004005;
				}
				goto L16;
			}

0x01259a75
0x01259a78
0x01259a7b
0x01259a7e
0x01259a86
0x01259a8a
0x01259b50
0x01259b53
0x01259b58
0x01259b58
0x01259b62
0x01259b62
0x01259a98
0x01259a9e
0x01259aa2
0x01259ad0
0x01259ad6
0x01259ad9
0x01259adb
0x01259aec
0x01259af2
0x01259af4
0x01259b10
0x01259b16
0x01259b18
0x01259b1a
0x01259b22
0x01259b28
0x01259b28
0x01259b2a
0x01259b2c
0x01259b2c
0x01259b46
0x01259b49
0x01259b4f
0x00000000
0x01259b4f
0x01259b06
0x01259b0c
0x01259b0e
0x01259b33
0x01259b3f
0x01259b44
0x00000000
0x01259b44
0x00000000
0x01259b0e
0x01259add
0x00000000
0x01259add
0x01259aaa
0x01259aae
0x01259ab6
0x01259abc
0x01259abc
0x01259abe
0x01259ac4
0x01259ac4
0x00000000

APIs

GetFileVersionInfoSizeW.KERNELBASE(?,?,00000000,?,00000208,?,?,?,?), ref: 01259A98
GetLastError.KERNEL32(?,?,?,?), ref: 01259AA4
GlobalAlloc.KERNEL32(00000000,00000000,?,?,?,?), ref: 01259AD0
GetFileVersionInfoW.KERNELBASE(?,?,00000000,00000000,?,?,?,?), ref: 01259AEC
VerQueryValueW.VERSION(?,012550AC,?,?,?,?,?,?), ref: 01259B06
GetLastError.KERNEL32(?,?,?,?), ref: 01259B10
GlobalFree.KERNEL32 ref: 01259B49

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: ErrorFileGlobalInfoLastVersion$AllocFreeQuerySizeValue
String ID:
API String ID: 2886811419-0
Opcode ID: 21b37dadbfefd78ebc5e18dfc9f9b5f0e82a50273058f24eeb05f7600167b807
Instruction ID: 6e8873cde9763578e67e446938815ca5b8b7f480420249390a4fd3d3d4e7e71e
Opcode Fuzzy Hash: 21b37dadbfefd78ebc5e18dfc9f9b5f0e82a50273058f24eeb05f7600167b807
Instruction Fuzzy Hash: E3315076D10116EFDF60EFA8D8C89ADBBB5EB04354B554179EE05E7201E3318E90DB90

Uniqueness

Uniqueness Score: -1.00%

Function 01259DC6 Relevance: 9.1, APIs: 6, Instructions: 112
memoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E01259DC6(void* __ecx, void** _a4, signed int _a8, HANDLE** _a12) {
				signed int _v8;
				void* __ebx;
				void* __edi;
				signed int _t32;
				void* _t36;
				void* _t38;
				void* _t39;
				void* _t40;
				signed int _t42;
				signed int _t44;
				signed int _t45;
				HANDLE* _t53;
				signed int _t57;
				long _t59;
				signed int _t64;
				signed int _t73;
				void** _t77;

				_push(__ecx);
				_push(__ecx);
				_v8 = _v8 & 0x00000000;
				_t73 = _a8;
				if(_t73 <  *((intOrPtr*)(_a4[2] + 0x1c))) {
					_t32 = E0125A3DC( &_v8);
					_t53 = _v8;
					_t64 = _t32;
					__eflags = _t64;
					if(_t64 < 0) {
						L19:
						__eflags = _t53;
						if(_t53 != 0) {
							E0125A46E(_t53);
						}
						goto L21;
					}
					_t53[2] = _t73;
					_t53[3] = _t53[3] & 0x00000000;
					_t36 = HeapAlloc(GetProcessHeap(), 8, 0x38);
					_t53[4] = _t36;
					__eflags = _t36;
					if(_t36 != 0) {
						_t57 = 0xe;
						memcpy(_t36, _a4[3] + _t73 * 0x38, _t57 << 2);
						_t38 = _t53[4];
						_t77 = _a4;
						_t59 = 0;
						__eflags =  *_t38;
						if( *_t38 == 0) {
							L8:
							_t39 = _t53[4];
							__eflags =  *((intOrPtr*)(_t39 + 8)) - _t59;
							if( *((intOrPtr*)(_t39 + 8)) != _t59) {
								L11:
								_t40 = GetCurrentProcess();
								_t42 = DuplicateHandle(GetCurrentProcess(),  *_t77, _t40, _t53, _t59, _t59, 2); // executed
								__eflags = _t42;
								if(_t42 != 0) {
									L15:
									_t27 =  &(_t53[1]); // 0x4
									__eflags = 0;
									_t44 = E01258889(0, _t27, _t77[1]);
									L16:
									_t64 = _t44;
									__eflags = _t64;
									if(__eflags >= 0) {
										_t45 = E0125AB0C(_t53, _t62, __eflags); // executed
										_t64 = _t45;
										__eflags = _t64;
										if(_t64 >= 0) {
											 *_a12 = _t53;
											_t53 = 0;
											__eflags = 0;
										}
									}
									goto L19;
								}
								_t64 = GetLastError();
								__eflags = _t64;
								if(__eflags > 0) {
									_t64 = _t64 & 0x0000ffff | 0x80070000;
									__eflags = _t64;
								}
								if(__eflags < 0) {
									goto L19;
								} else {
									goto L15;
								}
							}
							__eflags =  *((intOrPtr*)(_t39 + 0xc)) - _t59;
							if( *((intOrPtr*)(_t39 + 0xc)) != _t59) {
								goto L11;
							}
							_t62 = _t77[1];
							_t44 = E0125A7B1(_t59, _t77[1], _t53, _t77[2], _a8);
							goto L16;
						}
						_t19 =  &(_t53[3]); // 0xc
						_t64 = E01258889(0, _t19, _t77[3] +  *_t38);
						__eflags = _t64;
						if(_t64 < 0) {
							goto L19;
						}
						_t59 = 0;
						__eflags = 0;
						goto L8;
					} else {
						_t64 = 0x8007000e;
						goto L19;
					}
				} else {
					_t64 = 0x80070103;
					L21:
					return _t64;
				}
			}

0x01259dcb
0x01259dcc
0x01259dd3
0x01259dd9
0x01259de0
0x01259df0
0x01259df5
0x01259df8
0x01259dfa
0x01259dfc
0x01259edc
0x01259edc
0x01259ede
0x01259ee0
0x01259ee0
0x00000000
0x01259ede
0x01259e04
0x01259e07
0x01259e14
0x01259e1a
0x01259e1d
0x01259e1f
0x01259e38
0x01259e39
0x01259e3b
0x01259e3e
0x01259e41
0x01259e43
0x01259e45
0x01259e5f
0x01259e5f
0x01259e62
0x01259e65
0x01259e7e
0x01259e89
0x01259e91
0x01259e97
0x01259e99
0x01259eb7
0x01259eba
0x01259ebd
0x01259ebf
0x01259ec4
0x01259ec4
0x01259ec6
0x01259ec8
0x01259eca
0x01259ecf
0x01259ed1
0x01259ed3
0x01259ed8
0x01259eda
0x01259eda
0x01259eda
0x01259ed3
0x00000000
0x01259ec8
0x01259ea1
0x01259ea3
0x01259ea5
0x01259ead
0x01259eb3
0x01259eb3
0x01259eb5
0x00000000
0x00000000
0x00000000
0x00000000
0x01259eb5
0x01259e67
0x01259e6a
0x00000000
0x00000000
0x01259e6f
0x01259e77
0x00000000
0x01259e77
0x01259e4c
0x01259e57
0x01259e59
0x01259e5b
0x00000000
0x00000000
0x01259e5d
0x01259e5d
0x00000000
0x01259e21
0x01259e21
0x00000000
0x01259e21
0x01259de2
0x01259de2
0x01259ee5
0x01259eeb
0x01259eeb

APIs

GetProcessHeap.KERNEL32(00000008,00000038,00000000,?,00000000,?,00000008,00000008,?,01256163,?,?,?,00000000,00000000), ref: 01259E0D
HeapAlloc.KERNEL32(00000000,?,01256163,?,?,?,00000000,00000000), ref: 01259E14

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: ba48a665cba5382b4c66278676fbcff169743dcbe5d97dbf11bcef3dc55c412d
Instruction ID: 5acb64200668979df53ce2d0b6a2526aeb2e4ec3bb797946345443812b0e89cb
Opcode Fuzzy Hash: ba48a665cba5382b4c66278676fbcff169743dcbe5d97dbf11bcef3dc55c412d
Instruction Fuzzy Hash: 7A311636120306DFCF55DF68C8C4A1A7BAAEF80264B16846EEE099F241EB71EC41DB10

Uniqueness

Uniqueness Score: -1.00%

Function 0125B8D7 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 223
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E0125B8D7(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				short _v18;
				char _v20;
				intOrPtr _v28;
				char _v36;
				char _v52;
				char _v64;
				char _v68;
				struct _FILETIME _v76;
				short _v80;
				char _v84;
				intOrPtr _v88;
				signed short _v92;
				short _v100;
				intOrPtr _v108;
				intOrPtr _v112;
				struct _FILETIME _v124;
				short _v132;
				short _v136;
				signed int _v144;
				short _v148;
				short _v152;
				short _v156;
				void* __esi;
				intOrPtr* _t100;
				intOrPtr* _t111;
				intOrPtr* _t115;
				intOrPtr _t122;
				intOrPtr* _t126;
				short _t128;
				intOrPtr* _t132;
				intOrPtr* _t135;
				signed int _t137;
				short _t139;
				void* _t152;
				short _t153;
				intOrPtr _t155;
				void* _t166;
				void* _t181;
				intOrPtr _t185;
				char* _t187;
				void* _t194;
				intOrPtr _t195;
				void* _t197;
				void* _t198;

				_t195 = _a4;
				_t153 = 0;
				_v20 = 0;
				_v18 = 0;
				_v76.dwHighDateTime = 0;
				_v68 = 0;
				( *(_t195 + 0x14))[0xa] = 0;
				_t100 =  *((intOrPtr*)(_t195 + 0xc));
				_v76.dwLowDateTime = 0;
				_v64 = 0;
				_t198 =  *((intOrPtr*)( *_t100 + 0x18))(_t100, _a8, 6,  &_v20, _t194, _t197, _t152);
				if(_t198 != 0) {
					L23:
					 *((intOrPtr*)( *((intOrPtr*)(_t195 + 8)) + 4))(_v92);
					( *(_t195 + 0x14))[2] = _t153;
					L24:
					E0125C02B( &_v36);
					return _t198;
				}
				if(_v28 != 0) {
					L19:
					_t155 =  *((intOrPtr*)(_t195 + 8));
					_t185 =  *((intOrPtr*)(_t195 + 0x18));
					_v80 = ( *(_t195 + 0x14))[0xa];
					if(E0125B547(_t155) != 0) {
						 *((intOrPtr*)(_t185 + 8)) = _t155;
						 *(_t185 + 0xc) = _v80;
					}
					_t111 =  *((intOrPtr*)(_t195 + 0x18));
					 *((intOrPtr*)( *_t111 + 4))(_t111);
					 *_a12 =  *((intOrPtr*)(_t195 + 0x18));
					if(_t198 == 0) {
						goto L24;
					} else {
						_t153 = 0;
						goto L23;
					}
				}
				_t115 =  *((intOrPtr*)(_t195 + 0xc));
				_t198 =  *((intOrPtr*)( *_t115 + 0x18))(_t115, _a8, 3,  &_v36);
				if(_t198 != 0) {
					goto L23;
				}
				E0125E47C(E0125C2E3( &_v52,  &_v84),  &_v64);
				E01273539();
				_t201 = _v64 + 1;
				_t122 =  *((intOrPtr*)( *((intOrPtr*)(_t195 + 8))))(_v64 + 1, _v88);
				_pop(_t166);
				_v112 = _t122;
				if(_t122 != 0) {
					E0126DE40(_t122, 0, _t201);
					E0126DB76(_v108, _t201, _v64);
					E01273539();
					_t126 =  *((intOrPtr*)(_t195 + 0xc));
					_t187 =  &_v52;
					_t198 =  *((intOrPtr*)( *_t126 + 0x18))(_t126, _a8, 7, _t187, _v64);
					if(_t198 != 0) {
						goto L23;
					}
					_t169 =  &_v68;
					_t128 = E0125C3B5( &_v68);
					_v100 = _t128;
					if(_t187 > 0 || _t128 > 0x7fffffff) {
						E0125B580(_t169,  *((intOrPtr*)( *((intOrPtr*)(_t195 + 8)) + 0x1c)), 6);
						_t198 = 0x8007139f;
						goto L23;
					} else {
						E0125C02B( &_v68);
						_t132 =  *((intOrPtr*)(_t195 + 0xc));
						_t198 =  *((intOrPtr*)( *_t132 + 0x18))(_t132, _a8, 0xc,  &_v68);
						if(_t198 != 0) {
							goto L23;
						}
						if(_v84 == 0x40) {
							FileTimeToLocalFileTime( &_v76,  &_v124);
							FileTimeToDosDateTime( &_v124,  &_v136,  &_v132);
						}
						E0125C02B( &_v84);
						_t135 =  *((intOrPtr*)(_t195 + 0xc));
						_t198 =  *((intOrPtr*)( *_t135 + 0x18))(_t135, _a8, 9,  &_v84);
						if(_t198 != _t153) {
							goto L23;
						} else {
							_t137 = _v92 & 0x0000ffff;
							if(_v100 != 0x13) {
								_t137 = _v144;
							}
							( *(_t195 + 0x14))[2] = _v156;
							 *( *(_t195 + 0x14)) = _v132;
							( *(_t195 + 0x14))[0xc] = _v152;
							( *(_t195 + 0x14))[0xd] = _v148;
							( *(_t195 + 0x14))[0xe] = _t137;
							( *(_t195 + 0x14))[0x11] = 0;
							_t139 =  *((intOrPtr*)(_t195 + 0x10))( *(_t195 + 0x14));
							_t181 = 2;
							if(_t139 != _t153) {
								if(_t139 != 0xffffffff) {
									( *(_t195 + 0x14))[0xa] = _t139;
								} else {
									E0125B580(_t181,  *((intOrPtr*)( *((intOrPtr*)(_t195 + 8)) + 0x1c)), 0xb);
									_t198 = 0x80004004;
								}
							}
							goto L19;
						}
					}
				} else {
					E0125B580(_t166,  *((intOrPtr*)( *((intOrPtr*)(_t195 + 8)) + 0x1c)), 5);
					_push(_v68);
					_t198 = 0x8007000e;
					E01273539();
					goto L23;
				}
			}

0x0125b8e5
0x0125b8ea
0x0125b8ec
0x0125b8f1
0x0125b903
0x0125b907
0x0125b90b
0x0125b90e
0x0125b914
0x0125b918
0x0125b91f
0x0125b923
0x0125bb49
0x0125bb50
0x0125bb57
0x0125bb5a
0x0125bb5e
0x0125bb6b
0x0125bb6b
0x0125b92e
0x0125bb0d
0x0125bb13
0x0125bb16
0x0125bb19
0x0125bb26
0x0125bb2c
0x0125bb2f
0x0125bb2f
0x0125bb32
0x0125bb38
0x0125bb41
0x0125bb45
0x00000000
0x0125bb47
0x0125bb47
0x00000000
0x0125bb47
0x0125bb45
0x0125b934
0x0125b947
0x0125b94b
0x00000000
0x00000000
0x0125b965
0x0125b96e
0x0125b97b
0x0125b97d
0x0125b97f
0x0125b980
0x0125b986
0x0125b9ac
0x0125b9bd
0x0125b9c9
0x0125b9ce
0x0125b9d4
0x0125b9e2
0x0125b9e6
0x00000000
0x00000000
0x0125b9ec
0x0125b9f0
0x0125b9f5
0x0125b9fb
0x0125ba0c
0x0125ba11
0x00000000
0x0125ba1b
0x0125ba1f
0x0125ba24
0x0125ba37
0x0125ba3b
0x00000000
0x00000000
0x0125ba47
0x0125ba53
0x0125ba68
0x0125ba68
0x0125ba72
0x0125ba77
0x0125ba8a
0x0125ba8e
0x00000000
0x0125ba94
0x0125ba9a
0x0125ba9f
0x0125baa1
0x0125baa1
0x0125baac
0x0125bab6
0x0125bac0
0x0125bacc
0x0125bad3
0x0125badc
0x0125bae5
0x0125bae9
0x0125baec
0x0125baf1
0x0125bb0a
0x0125baf3
0x0125bafb
0x0125bb00
0x0125bb00
0x0125baf1
0x00000000
0x0125baec
0x0125ba8e
0x0125b988
0x0125b990
0x0125b995
0x0125b999
0x0125b99e
0x00000000
0x0125b9a3

APIs

_memset.LIBCMT ref: 0125B9AC
_strcpy_s.LIBCMT ref: 0125B9BD

Part of subcall function 0125B580: __get_errno.LIBCMT ref: 0125B58E

Strings

@, xrefs: 0125BA41

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: __get_errno_memset_strcpy_s
String ID: @
API String ID: 179418724-2766056989
Opcode ID: 33902db2d0cf6a1275cec0b41cc28a5a5df0c640de6b01d970c00a658cb087f6
Instruction ID: e2560c67722e2bbeef5b59c7b97dcf1d03bad0e15122ea10c489c9c52bdf7387
Opcode Fuzzy Hash: 33902db2d0cf6a1275cec0b41cc28a5a5df0c640de6b01d970c00a658cb087f6
Instruction Fuzzy Hash: B8819DB5514302AFC710EF68D48496AFBB5FF98324F108A1DFA4987260E771E991CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0125746A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

UuidCreate.RPCRT4(?), ref: 01257496
UuidToStringW.RPCRT4(?,00000000), ref: 012574C3
RpcStringFreeW.RPCRT4(00000000), ref: 012574FF

Strings

Failed to create a new GUID., xrefs: 012574B4
Failed to convert GUID to string., xrefs: 012574D7

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: StringUuid$CreateFree
String ID: Failed to convert GUID to string.$Failed to create a new GUID.
API String ID: 3044360575-1364151769
Opcode ID: 4ea0a8c3a5164ac19a87fb148e803527feee2602e2c8cc10361f8e1ad9dd409d
Instruction ID: cb3f173daa87fe5920c708e8a816bbe372e3865a54592fe2302e77307d28deaa
Opcode Fuzzy Hash: 4ea0a8c3a5164ac19a87fb148e803527feee2602e2c8cc10361f8e1ad9dd409d
Instruction Fuzzy Hash: E6115472B6031AABDB519EB9DCC9ABFBBF8AB48214F404435AA15E2140EA78D4458B50

Uniqueness

Uniqueness Score: -1.00%

Function 012735E6 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E012735E6(intOrPtr _a4) {
				char* _v8;
				char _v20;
				void* _t10;
				signed int _t11;
				void* _t23;
				void* _t24;
				void* _t26;

				L0:
				while(1) {
					L0:
					while(1) {
						L2:
						_t10 = E0126CDB5(_t23, _t24, _t26, _a4); // executed
						if(_t10 != 0) {
							break;
						}
						L1:
						_t11 = E0126D44A(_a4);
						__eflags = _t11;
						if(_t11 == 0) {
							L4:
							__eflags =  *0x127bea4 & 0x00000001;
							if(( *0x127bea4 & 0x00000001) == 0) {
								 *0x127bea4 =  *0x127bea4 | 0x00000001;
								__eflags =  *0x127bea4;
								_push(1);
								_v8 = "bad allocation";
								E0127399F(0x127be98,  &_v8);
								 *0x127be98 = 0x1252b6c;
								E0126D5A9( *0x127bea4, 0x1276e3b);
							}
							L6:
							E01273ADD( &_v20, 0x127be98);
							_v20 = 0x1252b6c;
							E01273B07( &_v20, 0x1277124);
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							L7:
							goto L0;
						}
					}
					L3:
					return _t10;
				}
			}

0x012735e6
0x012735e6
0x012735ee
0x012735fd
0x012735fd
0x01273600
0x01273608
0x00000000
0x00000000
0x012735f0
0x012735f3
0x012735f9
0x012735fb
0x0127360c
0x0127360c
0x0127361d
0x0127361f
0x0127361f
0x01273626
0x0127362e
0x01273635
0x0127363f
0x01273645
0x0127364a
0x0127364b
0x0127364f
0x0127365d
0x01273660
0x01273665
0x01273666
0x01273667
0x01273668
0x01273669
0x0127366a
0x0127366d
0x00000000
0x01273670
0x012735fb
0x0127360b
0x0127360b
0x0127360b

APIs

_malloc.LIBCMT ref: 01273600

Part of subcall function 0126CDB5: __FF_MSGBANNER.LIBCMT ref: 0126CDCE
Part of subcall function 0126CDB5: __NMSG_WRITE.LIBCMT ref: 0126CDD5
Part of subcall function 0126CDB5: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,0126DBEB,?,00000001,?,?,0126D143,00000018,01276FA0,0000000C,0126D1D8), ref: 0126CDFA

std::exception::exception.LIBCMT ref: 01273635
std::exception::exception.LIBCMT ref: 0127364F
__CxxThrowException@8.LIBCMT ref: 01273660

Strings

bad allocation, xrefs: 0127362E

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
String ID: bad allocation
API String ID: 615853336-2104205924
Opcode ID: 5f34e6c765280fbc6b4bd860cbec8d17ff4708b2a9f82e6c78fcc4860b1036c0
Instruction ID: f9975ec0adf6dfe640ef80155bb7b5b33fa5a69ec2c43c20580f6eeb05ce0acb
Opcode Fuzzy Hash: 5f34e6c765280fbc6b4bd860cbec8d17ff4708b2a9f82e6c78fcc4860b1036c0
Instruction Fuzzy Hash: 0D017B3293020F9BCB00FB54E80AD7F7BBCBF90210B480019D904962C4DBB09A459341

Uniqueness

Uniqueness Score: -1.00%

Function 012591D3 Relevance: 7.6, APIs: 5, Instructions: 84
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E012591D3(void* __ecx, intOrPtr _a4, struct _SECURITY_ATTRIBUTES* _a8) {
				signed int _v8;
				void* __esi;
				signed int _t11;
				signed char _t14;
				int _t15;
				signed int _t17;
				short _t20;
				signed int _t22;
				WCHAR* _t25;
				WCHAR* _t28;
				signed int _t30;
				WCHAR* _t36;

				_push(__ecx);
				_v8 = _v8 & 0x00000000;
				_t11 = E01259926( &_v8, _a4);
				_t25 = _v8;
				_t30 = _t11;
				if(_t30 < 0) {
					L19:
					if(_t25 != 0) {
						E01258E6F(_t25);
					}
					return _t30;
				}
				_t14 = GetFileAttributesW(_t25); // executed
				if(_t14 == 0xffffffff || (_t14 & 0x00000010) == 0) {
					_t15 = CreateDirectoryW(_t25, _a8); // executed
					if(_t15 != 0) {
						goto L19;
					}
					if(GetLastError() == 0xb7) {
						L18:
						_t30 = 0;
						goto L19;
					}
					_t17 =  *_t25 & 0x0000ffff;
					_t36 = 0;
					_t28 = _t25;
					if(_t17 == 0) {
						L10:
						_t30 = 0x80070003;
						goto L19;
					} else {
						goto L6;
					}
					do {
						L6:
						if(_t17 == 0x5c) {
							_t36 = _t28;
						}
						_t28 =  &(_t28[1]);
						_t17 =  *_t28 & 0x0000ffff;
					} while (_t17 != 0);
					if(_t36 != 0) {
						 *_t36 = 0;
						_t30 = E012591D3(_t28, _t25, _a8);
						_t20 = 0x5c;
						 *_t36 = _t20;
						if(_t30 < 0) {
							goto L19;
						}
						if(CreateDirectoryW(_t25, _a8) != 0) {
							goto L18;
						}
						_t22 = GetLastError();
						if(_t22 != 0xb7) {
							if(_t22 > 0) {
								_t22 = _t22 & 0x0000ffff | 0x80070000;
							}
							_t30 = _t22;
						} else {
							_t30 = 1;
						}
						goto L19;
					}
					goto L10;
				} else {
					goto L19;
				}
			}

0x012591d8
0x012591d9
0x012591e6
0x012591eb
0x012591ee
0x012591f2
0x012592a3
0x012592a5
0x012592a8
0x012592a8
0x012592b3
0x012592b3
0x012591f9
0x01259202
0x01259210
0x01259218
0x00000000
0x00000000
0x01259229
0x012592a1
0x012592a1
0x00000000
0x012592a1
0x0125922b
0x0125922e
0x01259230
0x01259235
0x0125924e
0x0125924e
0x00000000
0x00000000
0x00000000
0x00000000
0x01259237
0x01259237
0x0125923b
0x0125923d
0x0125923d
0x0125923f
0x01259242
0x01259245
0x0125924c
0x0125925b
0x01259263
0x01259267
0x01259268
0x0125926d
0x00000000
0x00000000
0x0125927b
0x00000000
0x00000000
0x0125927d
0x01259288
0x01259291
0x01259298
0x01259298
0x0125929d
0x0125928a
0x0125928c
0x0125928c
0x00000000
0x01259288
0x00000000
0x00000000
0x00000000
0x00000000

APIs

GetFileAttributesW.KERNELBASE(00000000,?,00000000,0127BEF0,?,?,?,01256F20,00C874B0,00000000,?,?,00000000,?,?,01255B53), ref: 012591F9
CreateDirectoryW.KERNELBASE(00000000,?,?,?,01256F20,00C874B0,00000000,?,?,00000000,?,?,01255B53,?,?,?), ref: 01259210
GetLastError.KERNEL32(?,?,01256F20,00C874B0,00000000,?,?,00000000,?,?,01255B53,?,?,?,?,?), ref: 0125921E

Part of subcall function 012591D3: CreateDirectoryW.KERNEL32(00000000,?,?,?,01256F20,00C874B0,00000000,?,?,00000000,?,?,01255B53,?,?,?), ref: 01259273
Part of subcall function 012591D3: GetLastError.KERNEL32(?,?,01256F20,00C874B0,00000000,?,?,00000000,?,?,01255B53,?,?,?,?,?), ref: 0125927D

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: CreateDirectoryErrorLast$AttributesFile
String ID:
API String ID: 925696554-0
Opcode ID: 4ae77e65b5ab2e16e9da61845ac8ad753fbca44e5a35d61fd081ed77cf0f63e4
Instruction ID: b2d1f8a16e3d50c72a86ae974c4b086a092935af6572075279e97e03289a0eb4
Opcode Fuzzy Hash: 4ae77e65b5ab2e16e9da61845ac8ad753fbca44e5a35d61fd081ed77cf0f63e4
Instruction Fuzzy Hash: 8A21D437520203EBFFA11A69DCC5B7A3A69DF802F8F240429EE49D6141DAB5C9828350

Uniqueness

Uniqueness Score: -1.00%

Function 0125870C Relevance: 7.6, APIs: 5, Instructions: 80
filestringCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E0125870C(void* __ebx, void* __ecx, void* __edi, void* __esi, int _a4, signed int _a8, intOrPtr _a12) {
				struct _OVERLAPPED* _v8;
				long _v12;
				signed int _t25;
				int _t28;
				int _t30;
				signed int _t31;
				int _t39;
				signed int _t40;
				void* _t52;

				_push(__ebx);
				_v8 = 0;
				_t52 = 0;
				_v12 = 0;
				_t25 = E01258C9A( &_v8, _a4, _a8);
				_a8 = _t25;
				if(_t25 < 0) {
					L8:
					if(_v8 != 0) {
						E01258E6F(_v8);
					}
					return _a8;
				}
				_t28 = lstrlenA(_v8);
				_a4 = _t28;
				if(_t28 <= 0) {
					L4:
					if(_a12 != 0) {
						_t30 = WriteFile( *0x127b140, "\r\n", 2,  &_v12, 0); // executed
						if(_t30 == 0) {
							_t31 = GetLastError();
							_a8 = _t31;
							if(_t31 > 0) {
								_a8 = _t31 & 0x0000ffff | 0x80070000;
							}
						}
					}
					goto L8;
				} else {
					goto L2;
				}
				while(1) {
					L2:
					_t39 = WriteFile( *0x127b140,  &(_v8[_t52]), _a4 - _t52,  &_v12, 0); // executed
					if(_t39 == 0) {
						_t40 = GetLastError();
						_a8 = _t40;
						if(_t40 > 0) {
							_a8 = _t40 & 0x0000ffff | 0x80070000;
						}
						if(_a8 >= 0) {
							_a8 = 0x80004005;
						}
						goto L8;
					}
					_t52 = _t52 + _v12;
					if(_t52 < _a4) {
						continue;
					}
					goto L4;
				}
				goto L8;
			}

0x01258713
0x01258721
0x01258724
0x01258726
0x01258729
0x0125872e
0x01258733
0x012587a7
0x012587ad
0x012587b2
0x012587b2
0x012587bb
0x012587bb
0x01258738
0x01258744
0x01258749
0x01258770
0x01258773
0x01258787
0x0125878b
0x0125878d
0x01258793
0x01258798
0x012587a4
0x012587a4
0x01258798
0x0125878b
0x00000000
0x00000000
0x00000000
0x00000000
0x0125874b
0x0125874b
0x01258762
0x01258766
0x012587be
0x012587c4
0x012587c9
0x012587d5
0x012587d5
0x012587db
0x012587dd
0x012587dd
0x00000000
0x012587db
0x01258768
0x0125876e
0x00000000
0x00000000
0x00000000
0x0125876e
0x00000000

APIs

lstrlenA.KERNEL32(00000000,00000004,01256E90,01256E90,0127C170,01256E90,?,?,?,012584C0,01256E90,?,00000000,?,01258526,00000000), ref: 01258738
WriteFile.KERNELBASE(00000000,00000004,00000004,00000000,?,?,?,012584C0,01256E90,?,00000000,?,01258526,00000000,[%s] ,0127C170), ref: 01258762
WriteFile.KERNELBASE(01254DA4,00000002,00000004,00000000,?,?,?,012584C0,01256E90,?,00000000,?,01258526,00000000,[%s] ,0127C170), ref: 01258787
GetLastError.KERNEL32(?,?,?,012584C0,01256E90,?,00000000,?,01258526,00000000,[%s] ,0127C170,0127C170,00000032,%u/%u/%u, %u:%u:%u,?), ref: 0125878D
GetLastError.KERNEL32(?,?,?,012584C0,01256E90,?,00000000,?,01258526,00000000,[%s] ,0127C170,0127C170,00000032,%u/%u/%u, %u:%u:%u,?), ref: 012587BE

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: ErrorFileLastWrite$lstrlen
String ID:
API String ID: 3048800281-0
Opcode ID: ad3f7f920468c01fa5c3e0c506a737d132550d826a53451281cf4140dcdab970
Instruction ID: 11a8f997a3b919c32911a62f8d9464cc089b8d6906b1267605c51f6f6b6a36d2
Opcode Fuzzy Hash: ad3f7f920468c01fa5c3e0c506a737d132550d826a53451281cf4140dcdab970
Instruction Fuzzy Hash: 53216B7591020AFFDB609F6ADCC8AAE7FB9EF44390F108465EE14D6100E3759A60DF50

Uniqueness

Uniqueness Score: -1.00%

Function 0125BC8E Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 254
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E0125BC8E(void* __esi, void* __eflags, intOrPtr* _a4, intOrPtr* _a8, intOrPtr* _a12, intOrPtr _a20, intOrPtr _a28) {
				intOrPtr* _v8;
				signed int _v12;
				intOrPtr* _v16;
				intOrPtr* _v20;
				intOrPtr* _v24;
				int _v28;
				int _v32;
				intOrPtr _v36;
				void* __ebx;
				intOrPtr* _t90;
				intOrPtr* _t91;
				intOrPtr* _t92;
				intOrPtr* _t93;
				intOrPtr* _t94;
				intOrPtr* _t95;
				intOrPtr* _t96;
				intOrPtr* _t97;
				intOrPtr* _t99;
				void* _t107;
				intOrPtr* _t112;
				intOrPtr* _t113;
				intOrPtr* _t114;
				void* _t122;
				intOrPtr _t124;
				intOrPtr* _t130;
				void* _t131;
				void* _t133;
				intOrPtr* _t134;
				intOrPtr _t140;
				intOrPtr* _t141;
				intOrPtr _t142;
				intOrPtr _t148;
				intOrPtr _t149;
				void* _t150;
				void* _t152;
				void* _t156;
				signed int _t157;
				void* _t165;
				void* _t166;
				void* _t169;
				intOrPtr _t170;
				intOrPtr* _t171;
				void* _t172;
				void* _t175;
				void* _t177;
				intOrPtr _t183;

				_t141 = _a4;
				if(E0125B547(_t141) == 0 || _a8 == 0 || _a12 == 0 || _a20 == 0) {
					__eflags = 0;
					return 0;
				} else {
					_push(__esi);
					_v12 = 0;
					_v32 = 0;
					_v28 = 0;
					if(E012735E6(0x200) == 0) {
						_v8 = 0;
					} else {
						_t140 = E0125CA78(_t89); // executed
						_v8 = _t140;
					}
					_t90 = _v8;
					if(_t90 != 0) {
						 *((intOrPtr*)( *_t90 + 4))(_t90);
					}
					_t91 = E012735E6(0x10);
					if(_t91 == 0) {
						_v20 = 0;
					} else {
						 *((intOrPtr*)(_t91 + 4)) = 0;
						 *_t91 = 0x1255140;
						_v20 = _t91;
					}
					_t92 = _v20;
					if(_t92 != 0) {
						 *((intOrPtr*)( *_t92 + 4))(_t92);
					}
					_t93 = E012735E6(8);
					if(_t93 == 0) {
						_v24 = 0;
					} else {
						 *((intOrPtr*)(_t93 + 4)) = 0;
						 *_t93 = 0x1255164;
						_v24 = _t93;
					}
					_t94 = _v24;
					if(_t94 != 0) {
						 *((intOrPtr*)( *_t94 + 4))(_t94);
					}
					_t95 = E012735E6(0x1c);
					if(_t95 == 0) {
						_v16 = 0;
					} else {
						 *((intOrPtr*)(_t95 + 4)) = 0;
						 *_t95 = 0x1255178;
						 *((intOrPtr*)(_t95 + 0xc)) = 0;
						 *((intOrPtr*)(_t95 + 0x18)) = 0;
						_v16 = _t95;
					}
					_t96 = _v16;
					if(_t96 != 0) {
						 *((intOrPtr*)( *_t96 + 4))(_t96);
					}
					_t97 = _a12;
					_t165 = _t97 + 1;
					do {
						_t148 =  *_t97;
						_t97 = _t97 + 1;
					} while (_t148 != 0);
					_t175 = _t97 - _t165;
					_t99 = _a8;
					_t169 = _t99 + 1;
					do {
						_t149 =  *_t99;
						_t99 = _t99 + 1;
					} while (_t149 != 0);
					_t176 = _t99 - _t169 + _t175 + 1;
					_t170 =  *_t141(_t99 - _t169 + _t175 + 1);
					_pop(_t150);
					_v36 = _t170;
					if(_t170 != 0) {
						E0126DE40(_t170, 0, _t176);
						E0126DB76(_t170, _t176, _a12);
						E01270FF0(_t170, _t176, _a8);
						_t166 =  *((intOrPtr*)(_t141 + 8))(_t170, 0x8020, 0);
						_v32 = _t166;
						__eflags = _t166 - 0xffffffff;
						if(_t166 != 0xffffffff) {
							_t107 = E0125B547(_t141);
							__eflags = _t107;
							if(_t107 == 0) {
								L45:
								_v12 = 0x80070057;
								L40:
								_t171 = _v8;
								 *((intOrPtr*)( *_t171 + 0x10))(_t171);
								 *((intOrPtr*)(_t141 + 4))(_v28);
								if(_v32 != 0) {
									_t122 =  *((intOrPtr*)(_t141 + 0x14))(_v32);
									_pop(_t156);
									if(_t122 == 0xffffffff) {
										E0125B580(_t156,  *((intOrPtr*)(_t141 + 0x1c)), 1);
									}
								}
								 *((intOrPtr*)(_t141 + 4))(_v36);
								_t142 =  *((intOrPtr*)(_t141 + 0x1c));
								_t177 = 0;
								_pop(_t152);
								if(_v12 != 0) {
									__eflags =  *(_t142 + 8);
									if( *(_t142 + 8) == 0) {
										E0125B580(_t152, _t142, 4);
										_t177 = 0;
										__eflags = 0;
									}
								} else {
									_t177 = 1;
								}
								_t112 = _v16;
								if(_t112 != 0) {
									 *((intOrPtr*)( *_t112 + 8))(_t112);
								}
								_t113 = _v24;
								if(_t113 != 0) {
									 *((intOrPtr*)( *_t113 + 8))(_t113);
								}
								_t114 = _v20;
								if(_t114 != 0) {
									 *((intOrPtr*)( *_t114 + 8))(_t114);
								}
								 *((intOrPtr*)( *_t171 + 8))(_t171);
								return _t177;
							}
							__eflags = _t166;
							if(_t166 <= 0) {
								goto L45;
							}
							_t124 = _v20;
							_v12 = _v12 & 0x00000000;
							 *((intOrPtr*)(_t124 + 8)) = _t141;
							 *(_t124 + 0xc) = _t166;
							_t172 =  *_t141();
							_t150 = 0x28;
							_v28 = _t172;
							__eflags = _t172;
							if(_t172 == 0) {
								goto L29;
							}
							_t182 = _v28;
							_t157 = 0xa;
							memset(_t172, 0, _t157 << 2);
							 *((intOrPtr*)(_v28 + 0x10)) = _a28;
							_t130 = _v8;
							_t131 =  *((intOrPtr*)( *_t130 + 0xc))(_t130, _v20, 0x1254ed8, _v24);
							_v12 = _t131;
							__eflags = _t131;
							if(__eflags == 0) {
								_t183 = _v16;
								_t133 = E0125B841(_v8, _t182, _a4, _t183, __eflags, _a20);
								_v12 = _t133;
								__eflags = _t133;
								if(_t133 == 0) {
									_t134 = _v8;
									_v12 =  *((intOrPtr*)( *_t134 + 0x1c))(_t134, 0, 0xffffffff, 0, _t183);
								}
								_t141 = _a4;
							}
							goto L40;
						}
						_push(1);
						L30:
						E0125B580(_t150,  *((intOrPtr*)(_t141 + 0x1c)));
						goto L40;
					}
					L29:
					_push(5);
					goto L30;
				}
			}

0x0125bc97
0x0125bca4
0x0125bf11
0x00000000
0x0125bcc7
0x0125bcc7
0x0125bccd
0x0125bcd0
0x0125bcd3
0x0125bcde
0x0125bcec
0x0125bce0
0x0125bce2
0x0125bce7
0x0125bce7
0x0125bcef
0x0125bcf4
0x0125bcf9
0x0125bcf9
0x0125bcfe
0x0125bd06
0x0125bd16
0x0125bd08
0x0125bd08
0x0125bd0b
0x0125bd11
0x0125bd11
0x0125bd19
0x0125bd1e
0x0125bd23
0x0125bd23
0x0125bd28
0x0125bd30
0x0125bd40
0x0125bd32
0x0125bd32
0x0125bd35
0x0125bd3b
0x0125bd3b
0x0125bd43
0x0125bd48
0x0125bd4d
0x0125bd4d
0x0125bd52
0x0125bd5a
0x0125bd70
0x0125bd5c
0x0125bd5c
0x0125bd5f
0x0125bd65
0x0125bd68
0x0125bd6b
0x0125bd6b
0x0125bd73
0x0125bd78
0x0125bd7d
0x0125bd7d
0x0125bd80
0x0125bd83
0x0125bd86
0x0125bd86
0x0125bd88
0x0125bd89
0x0125bd8f
0x0125bd91
0x0125bd94
0x0125bd97
0x0125bd97
0x0125bd99
0x0125bd9a
0x0125bda0
0x0125bda7
0x0125bda9
0x0125bdaa
0x0125bdaf
0x0125bdc4
0x0125bdce
0x0125bdd8
0x0125bde8
0x0125bded
0x0125bdf0
0x0125bdf3
0x0125bdfb
0x0125be00
0x0125be02
0x0125bec6
0x0125bec6
0x0125be86
0x0125be86
0x0125be8c
0x0125be92
0x0125be9a
0x0125be9f
0x0125bea2
0x0125bea6
0x0125bead
0x0125bead
0x0125bea6
0x0125beb5
0x0125beb8
0x0125bebb
0x0125bebd
0x0125bec1
0x0125becf
0x0125bed2
0x0125bed8
0x0125bedd
0x0125bedd
0x0125bedd
0x0125bec3
0x0125bec3
0x0125bec3
0x0125bedf
0x0125bee4
0x0125bee9
0x0125bee9
0x0125beec
0x0125bef1
0x0125bef6
0x0125bef6
0x0125bef9
0x0125befe
0x0125bf03
0x0125bf03
0x0125bf09
0x00000000
0x0125bf0e
0x0125be08
0x0125be0a
0x00000000
0x00000000
0x0125be10
0x0125be13
0x0125be19
0x0125be1c
0x0125be21
0x0125be23
0x0125be24
0x0125be27
0x0125be29
0x00000000
0x00000000
0x0125be2b
0x0125be30
0x0125be36
0x0125be43
0x0125be46
0x0125be4c
0x0125be4f
0x0125be52
0x0125be54
0x0125be61
0x0125be64
0x0125be69
0x0125be6c
0x0125be6e
0x0125be70
0x0125be80
0x0125be80
0x0125be83
0x0125be83
0x00000000
0x0125be54
0x0125bdf5
0x0125bdb3
0x0125bdb6
0x00000000
0x0125bdb6
0x0125bdb1
0x0125bdb1
0x00000000
0x0125bdb1

APIs

Part of subcall function 012735E6: _malloc.LIBCMT ref: 01273600

Part of subcall function 0125CA78: GetSystemInfo.KERNELBASE(?), ref: 0125CACB

_memset.LIBCMT ref: 0125BDC4
_strcpy_s.LIBCMT ref: 0125BDCE
_strcat_s.LIBCMT ref: 0125BDD8

Part of subcall function 0125B580: __get_errno.LIBCMT ref: 0125B58E

Strings

W, xrefs: 0125BEC6

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: InfoSystem__get_errno_malloc_memset_strcat_s_strcpy_s
String ID: W
API String ID: 3172754772-655174618
Opcode ID: b8034e1c2fdd14206e8361212787345af21ade94b9c39fc080e451b7f08474c7
Instruction ID: 14e062ed36d06e8aa76c853175d290e520699de7268f108373fce43407426ecb
Opcode Fuzzy Hash: b8034e1c2fdd14206e8361212787345af21ade94b9c39fc080e451b7f08474c7
Instruction Fuzzy Hash: 05918030A1020AEFDF51DFA8C8C4AAEBBB6BF45710F248559EA05EB251DB71D941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0125768D Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E0125768D(intOrPtr __ebx, intOrPtr* __ecx) {
				signed int _v8;
				short _v12;
				short _v14;
				short _v16;
				char _v2062;
				short _v2064;
				void* __edi;
				void* __esi;
				signed int _t14;
				short _t18;
				long _t24;
				intOrPtr _t29;
				intOrPtr _t33;
				intOrPtr _t39;
				char* _t40;
				signed int _t42;

				_t33 = __ebx;
				_t14 =  *0x127a050; // 0xa41d0fe1
				_v8 = _t14 ^ _t42;
				_t40 =  &_v14;
				asm("stosd");
				_v16 =  *((intOrPtr*)(__ecx));
				_t18 = 0x3a;
				_v14 = _t18;
				_v12 = 0;
				_v2064 = 0;
				E0126DE40( &_v2062, 0, 0x7fe);
				_t24 = QueryDosDeviceW( &_v16,  &_v2064, 0x400); // executed
				if(_t24 != 0) {
					E01269522( &_v2064, 0x400);
					if(E0126953E( &_v2064, L"harddisk") != 0 || E0126953E( &_v2064,  &M012543A4) != 0) {
						_t29 = 1;
					} else {
						goto L1;
					}
				} else {
					L1:
					_t29 = 0;
				}
				return E012691D5(_t29, _t33, _v8 ^ _t42, _t39, _t40, 0x400);
			}

0x0125768d
0x01257698
0x0125769f
0x012576a6
0x012576a9
0x012576af
0x012576b3
0x012576b4
0x012576c0
0x012576c4
0x012576d2
0x012576eb
0x012576f3
0x01257701
0x0125771c
0x01257735
0x00000000
0x00000000
0x00000000
0x012576f5
0x012576f5
0x012576f5
0x012576f5
0x01257744

APIs

_memset.LIBCMT ref: 012576D2
QueryDosDeviceW.KERNELBASE(?,?,00000400,?,00000000,?), ref: 012576EB

Strings

harddisk, xrefs: 0125770C
ramdisk, xrefs: 01257724

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: DeviceQuery_memset
String ID: harddisk$ramdisk
API String ID: 2562551966-3524468269
Opcode ID: 601d04513dc59d08deb3b7186f606bccee9c32ce72fc21216a8c2ccd730e1592
Instruction ID: c69ee054851a6500d1db07f01b0eea98967eb796732684acadb7d11571896637
Opcode Fuzzy Hash: 601d04513dc59d08deb3b7186f606bccee9c32ce72fc21216a8c2ccd730e1592
Instruction Fuzzy Hash: 3D119435E60219BADF50DFB5EC45AEE73BCAF44314F4084A6D904E3140FE349A898B94

Uniqueness

Uniqueness Score: -1.00%

Function 012584C7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 48
timeCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E012584C7(intOrPtr __ebx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, char _a12) {
				signed int _v8;
				struct _SYSTEMTIME _v24;
				void* __edi;
				void* __esi;
				signed int _t13;
				void* _t29;
				intOrPtr _t32;
				signed int _t35;

				_t32 = __edx;
				_t13 =  *0x127a050; // 0xa41d0fe1
				_v8 = _t13 ^ _t35;
				GetLocalTime( &_v24);
				swprintf(0x127c170, 0x32, "%u/%u/%u, %u:%u:%u", _v24.wMonth & 0x0000ffff, _v24.wDay & 0x0000ffff, _v24.wYear & 0x0000ffff, _v24.wHour & 0x0000ffff, _v24.wMinute & 0x0000ffff, _v24.wSecond & 0x0000ffff);
				E0125848D(_a4, "[%s] ", 0x127c170); // executed
				E0125870C(__ebx, _t29, _a8, 0x127c170, _a8,  &_a12, 1); // executed
				return E012691D5(0, __ebx, _v8 ^ _t35, _t32, _a8, 0x127c170);
			}

0x012584c7
0x012584cf
0x012584d6
0x012584e2
0x01258513
0x01258521
0x01258530
0x01258544

APIs

GetLocalTime.KERNEL32(?,?,00000000,?,?,01256E90,00000000), ref: 012584E2
swprintf.LIBCMT ref: 01258513

Part of subcall function 0125870C: lstrlenA.KERNEL32(00000000,00000004,01256E90,01256E90,0127C170,01256E90,?,?,?,012584C0,01256E90,?,00000000,?,01258526,00000000), ref: 01258738
Part of subcall function 0125870C: WriteFile.KERNELBASE(00000000,00000004,00000004,00000000,?,?,?,012584C0,01256E90,?,00000000,?,01258526,00000000,[%s] ,0127C170), ref: 01258762
Part of subcall function 0125870C: WriteFile.KERNELBASE(01254DA4,00000002,00000004,00000000,?,?,?,012584C0,01256E90,?,00000000,?,01258526,00000000,[%s] ,0127C170), ref: 01258787
Part of subcall function 0125870C: GetLastError.KERNEL32(?,?,?,012584C0,01256E90,?,00000000,?,01258526,00000000,[%s] ,0127C170,0127C170,00000032,%u/%u/%u, %u:%u:%u,?), ref: 0125878D

Strings

[%s] , xrefs: 01258519
%u/%u/%u, %u:%u:%u, xrefs: 01258506

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: FileWrite$ErrorLastLocalTimelstrlenswprintf
String ID: %u/%u/%u, %u:%u:%u$[%s]
API String ID: 4160318958-2469116371
Opcode ID: 0542b6a8ccce8270f3bc38c323778be5d2b2c9cdff20e3f34cc02f2344261466
Instruction ID: 65731fdb27a638f0d78760305fcb3bed7f3c5b15c2236f9a769810a2f1c510c2
Opcode Fuzzy Hash: 0542b6a8ccce8270f3bc38c323778be5d2b2c9cdff20e3f34cc02f2344261466
Instruction Fuzzy Hash: 85012C75910119BACB51EFA69C45EBFB7FCEF48614F000056FD04E2180E6789E91E765

Uniqueness

Uniqueness Score: -1.00%

Function 01259C21 Relevance: 6.0, APIs: 4, Instructions: 50
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01259C21(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				void* __esi;
				signed int _t6;
				int _t9;
				long _t10;
				WCHAR* _t14;
				signed int _t18;
				signed int _t31;

				_v8 = _v8 & 0x00000000;
				_t6 = E01259926( &_v8, _a4);
				_t14 = _v8;
				_t18 = _t6;
				if(_t18 >= 0) {
					_t9 = DeleteFileW(_t14); // executed
					if(_t9 == 0) {
						_t10 = GetLastError();
						if(_t10 != 2 && _t10 != 3 && MoveFileExW(_t14, 0, 4) == 0) {
							_t18 = GetLastError();
							if(_t18 > 0) {
								_t18 = _t18 & 0x0000ffff | 0x80070000;
								_t31 = _t18;
							}
							if(_t31 >= 0) {
								_t18 = 0x80004005;
							}
						}
					}
				}
				if(_t14 != 0) {
					E01258E6F(_t14);
				}
				return _t18;
			}

0x01259c27
0x01259c34
0x01259c39
0x01259c3c
0x01259c40
0x01259c43
0x01259c4b
0x01259c53
0x01259c58
0x01259c70
0x01259c74
0x01259c7c
0x01259c82
0x01259c82
0x01259c84
0x01259c86
0x01259c86
0x01259c84
0x01259c58
0x01259c4b
0x01259c8d
0x01259c90
0x01259c90
0x01259c9b

APIs

DeleteFileW.KERNELBASE(00000000,?,00000000,00000000,0127BEF0,?,?,01256488,00000000,00000000,7620EA30,?,01255BF4), ref: 01259C43
GetLastError.KERNEL32(?,?,01256488,00000000,00000000,7620EA30,?,01255BF4), ref: 01259C53
MoveFileExW.KERNEL32(00000000,00000000,00000004,?,?,01256488,00000000,00000000,7620EA30,?,01255BF4), ref: 01259C64
GetLastError.KERNEL32(?,?,01256488,00000000,00000000,7620EA30,?,01255BF4), ref: 01259C6E

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: ErrorFileLast$DeleteMove
String ID:
API String ID: 4226254011-0
Opcode ID: a3742933448deb65842a4d1e5a24266f24569b96fe390b6fa64ce35f41f8ceb1
Instruction ID: 73119ed5cbf4a385b092de89aa30474847d969f4caa13cefc90647220f4ed30d
Opcode Fuzzy Hash: a3742933448deb65842a4d1e5a24266f24569b96fe390b6fa64ce35f41f8ceb1
Instruction Fuzzy Hash: 7F012637620207E7EF7157699DC4B5A7EAD8FC427AF250034EF05E7104DA34D9428368

Uniqueness

Uniqueness Score: -1.00%

Function 0125ECDB Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 158
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E0125ECDB(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				signed int _t65;
				intOrPtr _t69;
				intOrPtr _t72;
				signed int _t77;
				signed int _t79;
				signed int _t81;
				signed int _t86;
				void* _t88;
				signed int _t89;
				signed int _t95;
				intOrPtr _t96;
				signed int _t102;
				void* _t104;
				signed int _t105;
				intOrPtr _t107;
				intOrPtr* _t108;
				signed int _t109;
				void* _t111;
				void* _t113;
				intOrPtr _t116;
				void* _t123;
				intOrPtr _t125;
				signed int _t126;
				void* _t131;
				void* _t132;
				void* _t133;

				_push(0x28);
				E01274DF4(0x1275d9a, __ebx, __edi, __esi);
				_t123 =  *((intOrPtr*)(_t131 + 8)) + 0x28;
				_push(_t123);
				_t113 = 0x20;
				 *(_t131 - 0x20) = _t123;
				_t65 = E0126534C(__ecx, _t113); // executed
				if(_t65 == 0) {
					if(E0125EC9D(_t123) == 0) {
						 *((intOrPtr*)(_t131 - 0x34)) = 0x12552c8;
						 *((intOrPtr*)(_t131 - 0x30)) = 0;
						 *((intOrPtr*)(_t131 - 0x2c)) = 0;
						 *(_t131 - 4) = 0;
						E012618E8(0x10000, _t131 - 0x34);
						_t125 =  *((intOrPtr*)(_t131 + 8));
						_t116 =  *((intOrPtr*)(_t131 - 0x2c));
						_t69 = 0x1f;
						 *((intOrPtr*)(_t131 - 0x10)) = _t69;
						E01271150(_t116, _t125 + 0x29, _t69);
						_t72 =  *((intOrPtr*)(_t125 + 0x24));
						_t133 = _t132 + 0xc;
						_t95 =  *((intOrPtr*)(_t125 + 0x20)) + 1;
						__eflags = _t95;
						asm("adc eax, 0x0");
						 *((intOrPtr*)(_t131 - 0x24)) = _t72;
						while(1) {
							L4:
							_t109 =  *(_t131 + 0x10);
							__eflags = _t109;
							if(_t109 == 0) {
								goto L8;
							}
							_t104 = _t95 -  *((intOrPtr*)(_t125 + 0x20));
							asm("sbb eax, [esi+0x24]");
							__eflags = _t72 -  *((intOrPtr*)(_t109 + 4));
							if(__eflags > 0) {
								L22:
								 *(_t131 - 4) =  *(_t131 - 4) | 0xffffffff;
								_push(_t116);
								E01273539();
								_t65 = 1;
							} else {
								if(__eflags < 0) {
									goto L8;
								} else {
									__eflags = _t104 -  *_t109;
									if(_t104 >  *_t109) {
										goto L22;
									} else {
										while(1) {
											L8:
											_t77 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t131 + 0xc)))) + 0xc))( *((intOrPtr*)(_t131 + 0xc)),  *((intOrPtr*)(_t131 - 0x10)) + _t116, 0x10000 -  *((intOrPtr*)(_t131 - 0x10)), _t131 - 0x1c);
											__eflags = _t77;
											if(_t77 != 0) {
												break;
											}
											_t79 =  *(_t131 - 0x1c);
											 *((intOrPtr*)(_t131 - 0x10)) =  *((intOrPtr*)(_t131 - 0x10)) + _t79;
											__eflags = _t79;
											if(_t79 == 0) {
												_t126 = 1;
												L24:
												 *(_t131 - 4) =  *(_t131 - 4) | 0xffffffff;
												_push(_t116);
												goto L27;
											} else {
												__eflags =  *((intOrPtr*)(_t131 - 0x10)) - 0x20;
												if( *((intOrPtr*)(_t131 - 0x10)) < 0x20) {
													continue;
												} else {
													_t81 =  *((intOrPtr*)(_t131 - 0x10)) + 0xffffffe1;
													_t102 = 0;
													 *(_t131 - 0x18) = _t81;
													 *(_t131 - 0x14) = 0;
													__eflags = _t81;
													if(_t81 == 0) {
														L21:
														_t95 = _t95 + _t81;
														asm("adc dword [ebp-0x24], 0x0");
														 *((intOrPtr*)(_t131 - 0x10)) =  *((intOrPtr*)(_t131 - 0x10)) - _t81;
														E01273100(_t116, _t81 + _t116,  *((intOrPtr*)(_t131 - 0x10)));
														_t72 =  *((intOrPtr*)(_t131 - 0x24));
														_t133 = _t133 + 0xc;
														goto L4;
													} else {
														while(1) {
															__eflags =  *((char*)(_t116 + _t102)) - 0x37;
															if( *((char*)(_t116 + _t102)) == 0x37) {
															}
															L17:
															__eflags = _t102 - _t81;
															L18:
															if(__eflags == 0) {
																goto L21;
															} else {
																_t86 = E0125EC9D(_t116 + _t102);
																__eflags = _t86;
																if(_t86 != 0) {
																	_t96 = _t95 +  *(_t131 - 0x14);
																	_t105 = 8;
																	_t111 = 0;
																	_t88 = memcpy( *(_t131 - 0x20),  *((intOrPtr*)(_t131 - 0x2c)) +  *(_t131 - 0x14), _t105 << 2);
																	_t107 =  *((intOrPtr*)(_t131 + 8));
																	asm("adc eax, edx");
																	 *((intOrPtr*)(_t107 + 0x20)) = _t96;
																	 *(_t107 + 0x24) = _t88;
																	_t108 =  *((intOrPtr*)(_t131 + 0xc));
																	asm("adc eax, edx");
																	_t89 =  *((intOrPtr*)( *_t108 + 0x10))(_t108, _t96 + 0x20, _t88, _t111, _t111);
																	_t60 = _t131 - 4;
																	 *_t60 =  *(_t131 - 4) | 0xffffffff;
																	__eflags =  *_t60;
																	_push( *((intOrPtr*)(_t131 - 0x2c)));
																	_t126 = _t89;
																	L27:
																	E01273539();
																	_t65 = _t126;
																} else {
																	 *(_t131 - 0x14) =  *(_t131 - 0x14) + 1;
																	__eflags =  *(_t131 - 0x14) -  *(_t131 - 0x18);
																	_t116 =  *((intOrPtr*)(_t131 - 0x2c));
																	_t81 =  *(_t131 - 0x18);
																	if( *(_t131 - 0x14) <  *(_t131 - 0x18)) {
																		_t102 =  *(_t131 - 0x14);
																		while(1) {
																			__eflags =  *((char*)(_t116 + _t102)) - 0x37;
																			if( *((char*)(_t116 + _t102)) == 0x37) {
																			}
																			goto L14;
																		}
																		goto L17;
																	} else {
																		goto L21;
																	}
																}
															}
															goto L28;
															L14:
															__eflags = _t102 - _t81;
															if(__eflags < 0) {
																_t102 = _t102 + 1;
																__eflags = _t102;
																 *(_t131 - 0x14) = _t102;
																continue;
															}
															goto L18;
														}
													}
												}
											}
											goto L28;
										}
										_t126 = _t77;
										goto L24;
									}
								}
							}
							L28:
							goto L29;
						}
					} else {
						_t65 = 0;
					}
				}
				L29:
				return E01274EE0(_t65);
			}

0x0125ecdb
0x0125ece2
0x0125eced
0x0125ecf0
0x0125ecf3
0x0125ecf4
0x0125ecf7
0x0125ed00
0x0125ed0f
0x0125ed18
0x0125ed1f
0x0125ed22
0x0125ed2d
0x0125ed30
0x0125ed35
0x0125ed38
0x0125ed3d
0x0125ed3f
0x0125ed47
0x0125ed4f
0x0125ed52
0x0125ed55
0x0125ed55
0x0125ed58
0x0125ed5b
0x0125ed5e
0x0125ed5e
0x0125ed5e
0x0125ed61
0x0125ed63
0x00000000
0x00000000
0x0125ed67
0x0125ed6a
0x0125ed6d
0x0125ed70
0x0125ee21
0x0125ee21
0x0125ee25
0x0125ee26
0x0125ee2d
0x0125ed76
0x0125ed76
0x00000000
0x0125ed78
0x0125ed78
0x0125ed7a
0x00000000
0x0125ed80
0x0125ed80
0x0125ed80
0x0125ed9b
0x0125ed9e
0x0125eda0
0x00000000
0x00000000
0x0125eda6
0x0125eda9
0x0125edac
0x0125edae
0x0125ee3b
0x0125ee32
0x0125ee32
0x0125ee36
0x00000000
0x0125edb4
0x0125edb4
0x0125edb8
0x00000000
0x0125edba
0x0125edbd
0x0125edc0
0x0125edc2
0x0125edc5
0x0125edc8
0x0125edca
0x0125ee01
0x0125ee01
0x0125ee03
0x0125ee07
0x0125ee11
0x0125ee16
0x0125ee19
0x00000000
0x0125edcc
0x0125eddb
0x0125eddb
0x0125eddf
0x0125eddf
0x0125ede1
0x0125ede1
0x0125ede3
0x0125ede3
0x00000000
0x0125ede5
0x0125ede7
0x0125edec
0x0125edee
0x0125ee47
0x0125ee4f
0x0125ee52
0x0125ee53
0x0125ee55
0x0125ee58
0x0125ee5a
0x0125ee5e
0x0125ee61
0x0125ee6a
0x0125ee6f
0x0125ee72
0x0125ee72
0x0125ee72
0x0125ee76
0x0125ee79
0x0125ee7b
0x0125ee7b
0x0125ee80
0x0125edf0
0x0125edf0
0x0125edf6
0x0125edf9
0x0125edfc
0x0125edff
0x0125edce
0x0125eddb
0x0125eddb
0x0125eddf
0x0125eddf
0x00000000
0x0125eddf
0x00000000
0x00000000
0x00000000
0x00000000
0x0125edff
0x0125edee
0x00000000
0x0125edd3
0x0125edd3
0x0125edd5
0x0125edd7
0x0125edd7
0x0125edd8
0x00000000
0x0125edd8
0x00000000
0x0125edd5
0x0125eddb
0x0125edca
0x0125edb8
0x00000000
0x0125edae
0x0125ee30
0x00000000
0x0125ee30
0x0125ed7a
0x0125ed76
0x0125ee82
0x00000000
0x0125ee82
0x0125ed11
0x0125ed11
0x0125ed11
0x0125ed0f
0x0125ee83
0x0125ee88

APIs

__EH_prolog3.LIBCMT ref: 0125ECE2
_memmove.LIBCMT ref: 0125ED47

Strings

, xrefs: 0125EDB4

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: H_prolog3_memmove
String ID:
API String ID: 1268875249-3916222277
Opcode ID: 6ef1d718add252027edd9b6a6a496b02d6c111252843d15e8b984d02be6ada6b
Instruction ID: 8e87e188f512b87ae918de969e2a27f6ce8245d53428abfd976182e91ee84cd5
Opcode Fuzzy Hash: 6ef1d718add252027edd9b6a6a496b02d6c111252843d15e8b984d02be6ada6b
Instruction Fuzzy Hash: 7A517C71A2021A9BDF50DFA8CC80ABEFBB5FF48324F154519ED15B7241D730AE018BA0

Uniqueness

Uniqueness Score: -1.00%

Function 012564D8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E012564D8(signed int _a4, WCHAR* _a8, signed int _a12, intOrPtr _a16) {
				signed int _t14;
				void* _t24;

				_t14 = _a4;
				if(_t14 > 8) {
					L20:
					_t24 = E012569E3();
					if(_t24 < 0) {
						_push("User canceled extraction...");
						goto L22;
					}
				} else {
					switch( *((intOrPtr*)(_t14 * 4 +  &M012565D0))) {
						case 0:
							E012565F9(__ecx, _a8) = E012569B0();
							goto L20;
						case 1:
							goto L20;
						case 2:
							E012569B0() = SetFileAttributesW(_a8, 0x80); // executed
							__eax = E012566AE(_a8);
							__esi = __eax;
							__eflags = __eax;
							if(__eax >= 0) {
								goto L20;
							} else {
								_push("Unable ro register file for clean-up");
								L22:
								_push(_t24);
								E0125854A(_t19, _t20, _t23);
							}
							goto L23;
						case 3:
							E012565F9(_t20, _a8);
							goto L3;
						case 4:
							__eax =  *0x127c16c;
							__ecx = 0;
							__eflags = 0 - _a16;
							if(__eflags <= 0) {
								__esi = _a12;
								if(__eflags < 0) {
									L7:
									__eax = E012569B0();
									 *0x127c16c =  *0x127c16c + 0x100000;
									__eax = 0;
									__eflags = 0 - _a16;
								} else {
									__eflags = __eax - __esi;
									if(__eax < __esi) {
										goto L7;
										do {
											do {
												goto L7;
											} while (__eflags < 0);
											if(__eflags <= 0) {
												goto L9;
											}
											goto L20;
											L9:
											__eflags =  *0x127c16c - __esi;
										} while ( *0x127c16c < __esi);
									}
								}
							}
							goto L20;
						case 5:
							L3:
							 *0x127c16c =  *0x127c16c & 0x00000000;
							goto L20;
						case 6:
							__eax =  *0x127c16c;
							__ecx = 0;
							__eflags = 0 - _a16;
							if(__eflags <= 0) {
								__esi = _a12;
								if(__eflags < 0) {
									L17:
									__eax = E012569B0();
									 *0x127c16c =  *0x127c16c + 0x80000;
									__eax = 0;
									__eflags = 0 - _a16;
								} else {
									__eflags = __eax - __esi;
									if(__eax < __esi) {
										goto L17;
										do {
											do {
												goto L17;
											} while (__eflags < 0);
											if(__eflags <= 0) {
												goto L19;
											}
											goto L20;
											L19:
											__eflags =  *0x127c16c - __esi;
										} while ( *0x127c16c < __esi);
									}
								}
							}
							goto L20;
					}
				}
				L23:
				return _t24;
			}

0x012564dd
0x012564e4
0x012565b0
0x012565b5
0x012565b9
0x012565bb
0x00000000
0x012565bb
0x012564ea
0x012564ea
0x00000000
0x0125654c
0x00000000
0x00000000
0x00000000
0x00000000
0x01256560
0x01256569
0x0125656e
0x01256570
0x01256572
0x00000000
0x01256574
0x01256574
0x012565c0
0x012565c0
0x012565c1
0x012565c7
0x00000000
0x00000000
0x012564f4
0x00000000
0x00000000
0x01256505
0x0125650a
0x0125650c
0x0125650f
0x01256515
0x01256518
0x01256522
0x01256522
0x01256527
0x01256531
0x01256533
0x0125651a
0x0125651a
0x0125651c
0x00000000
0x01256522
0x01256522
0x00000000
0x00000000
0x01256538
0x00000000
0x00000000
0x00000000
0x0125653a
0x0125653a
0x0125653a
0x01256542
0x0125651c
0x01256518
0x00000000
0x00000000
0x012564f9
0x012564f9
0x00000000
0x00000000
0x0125657b
0x01256580
0x01256582
0x01256585
0x01256587
0x0125658a
0x01256590
0x01256590
0x01256595
0x0125659f
0x012565a1
0x0125658c
0x0125658c
0x0125658e
0x00000000
0x01256590
0x01256590
0x00000000
0x00000000
0x012565a6
0x00000000
0x00000000
0x00000000
0x012565a8
0x012565a8
0x012565a8
0x01256590
0x0125658e
0x0125658a
0x00000000
0x00000000
0x012564ea
0x012565c8
0x012565cc

APIs

SetFileAttributesW.KERNELBASE(?,00000080,?,00000024,?,0125AFDF,00000007,?,?,00000000,00000000,?,?,?), ref: 01256560

Strings

User canceled extraction..., xrefs: 012565BB
Unable ro register file for clean-up, xrefs: 01256574

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: AttributesFile
String ID: Unable ro register file for clean-up$User canceled extraction...
API String ID: 3188754299-368570184
Opcode ID: 451e92668964888b9f46aa29893dbafea6d9c8f4d3cfc1fc2fac105da4d96624
Instruction ID: c497b3568b38ee713ab386a05c263692b4e4d7bd2b5b68abb37695bf963f2493
Opcode Fuzzy Hash: 451e92668964888b9f46aa29893dbafea6d9c8f4d3cfc1fc2fac105da4d96624
Instruction Fuzzy Hash: 1F21C6B15B41279BCBE1BE20F4C565F3760BB14B68BD48425FD02A612CEE70E850CB96

Uniqueness

Uniqueness Score: -1.00%

Function 01259CFE Relevance: 5.1, APIs: 4, Instructions: 72
memoryCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E01259CFE(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8) {
				signed int _v8;
				void* __ebx;
				void* __edi;
				signed int _t10;
				signed int _t12;
				signed int _t18;
				signed int _t22;
				signed int _t28;
				signed int _t31;
				signed int _t37;

				_push(__ecx);
				_t28 = 0; // executed
				_t10 = E01259CA3(__ecx, _a4, 0x80000000, 7, 3, 0x8000080); // executed
				_t22 = _t10;
				_v8 = _t22;
				if(_t22 != 0xffffffff) {
					_t31 = 0;
					_t12 = HeapAlloc(GetProcessHeap(), 8, 0x10);
					__eflags = _t12;
					if(_t12 != 0) {
						 *_t12 =  *_t12 | 0xffffffff;
						__eflags =  *_t12;
						_t28 = _t12;
					} else {
						_t31 = 0x8007000e;
					}
					__eflags = _t31;
					if(_t31 >= 0) {
						_v8 = _v8 | 0xffffffff;
						_t6 = _t28 + 4; // 0x4
						 *_t28 = _t22;
						_t31 = E01258889(0, _t6, _a4);
						__eflags = _t31;
						if(__eflags >= 0) {
							_t18 = E0125A505(_t28, __eflags); // executed
							_t31 = _t18;
							__eflags = _t31;
							if(_t31 >= 0) {
								 *_a8 = _t28;
								_t28 = 0;
								__eflags = 0;
							}
						}
					}
					__eflags = _t28;
					if(_t28 != 0) {
						E0125A414(_t28);
					}
					__eflags = _v8 - 0xffffffff;
					if(_v8 != 0xffffffff) {
						CloseHandle(_v8);
					}
				} else {
					_t31 = GetLastError();
					if(_t31 > 0) {
						_t31 = _t31 & 0x0000ffff | 0x80070000;
						_t37 = _t31;
					}
					if(_t37 >= 0) {
						_t31 = 0x80004005;
					}
				}
				return _t31;
			}

0x01259d03
0x01259d18
0x01259d1a
0x01259d1f
0x01259d21
0x01259d27
0x01259d50
0x01259d59
0x01259d5f
0x01259d61
0x01259d6a
0x01259d6a
0x01259d6d
0x01259d63
0x01259d63
0x01259d63
0x01259d6f
0x01259d71
0x01259d76
0x01259d7a
0x01259d7f
0x01259d86
0x01259d88
0x01259d8a
0x01259d8c
0x01259d91
0x01259d93
0x01259d95
0x01259d9a
0x01259d9c
0x01259d9c
0x01259d9c
0x01259d95
0x01259d8a
0x01259d9e
0x01259da0
0x01259da4
0x01259da4
0x01259da9
0x01259dad
0x01259db2
0x01259db2
0x01259d29
0x01259d2f
0x01259d33
0x01259d3b
0x01259d41
0x01259d41
0x01259d43
0x01259d45
0x01259d45
0x01259d43
0x01259dbe

APIs

Part of subcall function 01259CA3: CreateFileW.KERNELBASE(?,?,0127BEF0,00000000,01255AE3,?,00000000,?,00000000,?,?,?,0125843A,?,40000000,00000005), ref: 01259CD2

GetLastError.KERNEL32(?,80000000,00000007,00000003,08000080,00000000,?,?,?,?,012560C2,?,?,00000000,00000000), ref: 01259D29
GetProcessHeap.KERNEL32(00000008,00000010,?,80000000,00000007,00000003,08000080,00000000,?,?,?,?,012560C2,?,?,00000000), ref: 01259D52
HeapAlloc.KERNEL32(00000000,?,?,012560C2,?,?,00000000,00000000,?,?,01255AF6,0127BEF0), ref: 01259D59
CloseHandle.KERNEL32(000000FF,?,?,012560C2,?,?,00000000,00000000,?,?,01255AF6,0127BEF0), ref: 01259DB2

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: Heap$AllocCloseCreateErrorFileHandleLastProcess
String ID:
API String ID: 3300431839-0
Opcode ID: 59531f10c3eb95c951527636b24031e09b581c2c21b0af497236b8c7b44b8fb5
Instruction ID: eace2bb70983af5541c0151dfadaf18455d6d0ec8193135daa24d69c3468575e
Opcode Fuzzy Hash: 59531f10c3eb95c951527636b24031e09b581c2c21b0af497236b8c7b44b8fb5
Instruction Fuzzy Hash: B2112B32D61722EBDB712A68988579DBE50DF41774F114320EE24AB1C0C774CD4087D0

Uniqueness

Uniqueness Score: -1.00%

Function 012736DB Relevance: 4.5, APIs: 3, Instructions: 11
threadCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E012736DB(long _a4) {
				void* _t4;

				if(E0126A6D5(_t4) != 0) {
					E0126A8A6(_t2); // executed
				}
				ExitThread(_a4);
			}

0x012736e7
0x012736ea
0x012736ef
0x012736f3

APIs

__getptd_noexit.LIBCMT ref: 012736E0

Part of subcall function 0126A6D5: GetLastError.KERNEL32(00000001,00000000,0126B05E,0126CE3E,00000000,?,0126DBEB,?,00000001,?,?,0126D143,00000018,01276FA0,0000000C,0126D1D8), ref: 0126A6D9
Part of subcall function 0126A6D5: ___set_flsgetvalue.LIBCMT ref: 0126A6E7
Part of subcall function 0126A6D5: __calloc_crt.LIBCMT ref: 0126A6FB
Part of subcall function 0126A6D5: _DecodePointerInternal@4.DOTNETFX40_FULL_X86_X64(00000000,?,0126DBEB,?,00000001,?,?,0126D143,00000018,01276FA0,0000000C,0126D1D8,?,?,?,0126A803), ref: 0126A715
Part of subcall function 0126A6D5: __initptd.LIBCMT ref: 0126A724
Part of subcall function 0126A6D5: GetCurrentThreadId.KERNEL32 ref: 0126A72B
Part of subcall function 0126A6D5: SetLastError.KERNEL32(00000000,?,0126DBEB,?,00000001,?,?,0126D143,00000018,01276FA0,0000000C,0126D1D8,?,?,?,0126A803), ref: 0126A743

__freeptd.LIBCMT ref: 012736EA

Part of subcall function 0126A8A6: TlsGetValue.KERNEL32(?,?,012736EF,00000000,?,01273720,00000000), ref: 0126A8C7
Part of subcall function 0126A8A6: TlsGetValue.KERNEL32(?,?,012736EF,00000000,?,01273720,00000000), ref: 0126A8D9
Part of subcall function 0126A8A6: RtlDecodePointer.NTDLL(00000000,?,012736EF,00000000,?,01273720,00000000), ref: 0126A8EF
Part of subcall function 0126A8A6: __freefls@4.LIBCMT ref: 0126A8FA
Part of subcall function 0126A8A6: TlsSetValue.KERNEL32(0000001B,00000000,?,012736EF,00000000,?,01273720,00000000), ref: 0126A90C

ExitThread.KERNEL32 ref: 012736F3

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: Value$DecodeErrorLastPointerThread$CurrentExitInternal@4___set_flsgetvalue__calloc_crt__freefls@4__freeptd__getptd_noexit__initptd
String ID:
API String ID: 933223392-0
Opcode ID: 8361427e8d76918c8e18453ef1b215ffa79786b2ee3078803ab24e69d11e6bf7
Instruction ID: ebb8eac6dc6078d377fc12ac9183d1f7143ed82a3cd99fa1702754e64af37a9a
Opcode Fuzzy Hash: 8361427e8d76918c8e18453ef1b215ffa79786b2ee3078803ab24e69d11e6bf7
Instruction Fuzzy Hash: 06C08C300102076FDB203B2A980DE2A3A0D9A90160B044020AA04921C4DE70E8819168

Uniqueness

Uniqueness Score: -1.00%

Function 01267EC4 Relevance: 3.8, APIs: 3, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E01267EC4(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int* _a16) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr* _t25;
				intOrPtr _t26;
				intOrPtr _t28;
				intOrPtr _t29;
				void* _t30;
				struct _CRITICAL_SECTION* _t31;
				signed int _t35;
				signed int* _t36;
				void* _t37;
				intOrPtr* _t38;
				intOrPtr* _t39;
				void* _t42;
				intOrPtr _t43;

				_v8 = _v8 & 0x00000000;
				_t43 = _a4;
				_t38 =  *((intOrPtr*)(_t43 + 8));
				_v16 =  *((intOrPtr*)(_t43 + 0x10));
				_t31 = _t38 + 4;
				_v12 =  *((intOrPtr*)(_t43 + 0x14));
				EnterCriticalSection(_t31);
				_t25 =  *_t38;
				_t26 =  *((intOrPtr*)( *_t25 + 0x10))(_t25, _v16, _v12, 0, 0, _t37, _t42, _t30);
				_a4 = _t26;
				if(_t26 == 0) {
					_t39 =  *_t38;
					_t28 =  *((intOrPtr*)( *_t39 + 0xc))(_t39, _a8, _a12,  &_v8);
					LeaveCriticalSection(_t31);
					_t29 = _t28;
				} else {
					LeaveCriticalSection(_t31);
					_t29 = _a4;
				}
				_t35 = _v8;
				 *((intOrPtr*)(_t43 + 0x10)) =  *((intOrPtr*)(_t43 + 0x10)) + _t35;
				_t36 = _a16;
				asm("adc dword [esi+0x14], 0x0");
				if(_t36 != 0) {
					 *_t36 = _t35;
					return _t29;
				}
				return _t29;
			}

0x01267ecc
0x01267ed2
0x01267ed9
0x01267edc
0x01267ee2
0x01267ee6
0x01267ee9
0x01267eef
0x01267efe
0x01267f01
0x01267f06
0x01267f14
0x01267f23
0x01267f29
0x01267f2f
0x01267f08
0x01267f09
0x01267f0f
0x01267f0f
0x01267f31
0x01267f34
0x01267f37
0x01267f3b
0x01267f43
0x01267f45
0x00000000
0x01267f45
0x01267f48

APIs

EnterCriticalSection.KERNEL32(00000000), ref: 01267EE9
LeaveCriticalSection.KERNEL32(00000000), ref: 01267F09
LeaveCriticalSection.KERNEL32(00000000), ref: 01267F29

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: CriticalSection$Leave$Enter
String ID:
API String ID: 2978645861-0
Opcode ID: 849659e25d5360c579cc4f92908a0a7dd12b08275b361ee9c94ffe3d978d7059
Instruction ID: 1b841e228a2234824d14ae7173d70c65fa1e2ce037779e35cc489268d1e6cfe0
Opcode Fuzzy Hash: 849659e25d5360c579cc4f92908a0a7dd12b08275b361ee9c94ffe3d978d7059
Instruction Fuzzy Hash: 8E11FB75A00306EFCB10CF98D888F9ABBB9FF48354F254459FA1597240D774EA55CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0125F95E Relevance: 3.5, APIs: 2, Instructions: 504
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E0125F95E(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, struct _CRITICAL_SECTION** _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, signed int _a20) {
				intOrPtr _v0;
				signed int _v4;
				signed int _v8;
				char _v12;
				char _v16;
				signed int _v20;
				signed int _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				char _v64;
				struct _CRITICAL_SECTION _v68;
				signed int _v72;
				char _v76;
				intOrPtr* _v80;
				char _v84;
				void* _v88;
				intOrPtr _v96;
				char _v100;
				void* _v104;
				void* _v112;
				char _v168;
				struct _CRITICAL_SECTION _v172;
				void* _v176;
				void* _v184;
				struct _CRITICAL_SECTION _v192;
				struct _CRITICAL_SECTION _v196;
				struct _CRITICAL_SECTION _v200;
				signed int _v204;
				char _v208;
				void* _v220;
				void* _v228;
				char _v236;
				char _v240;
				void* _v244;
				void* _v252;
				void* _v260;
				char _v284;
				signed int _v288;
				char _v292;
				char _v296;
				signed int _v300;
				char _v304;
				signed int _v308;
				signed int _v312;
				char _v316;
				char _v320;
				signed int _v324;
				char _v328;
				signed int _v332;
				struct _CRITICAL_SECTION _v336;
				char _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				char _v360;
				char _v364;
				signed int _v368;
				signed int _v372;
				char _v376;
				char _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				struct _CRITICAL_SECTION _v396;
				char _v400;
				char _v404;
				signed int _v408;
				signed int _v412;
				char _v416;
				char _v420;
				signed int _v424;
				signed int _v428;
				signed int _v432;
				char _v440;
				void* _v448;
				char _v460;
				signed int _v464;
				signed int _v468;
				signed int _v472;
				signed int _v476;
				struct _CRITICAL_SECTION _v480;
				struct _CRITICAL_SECTION _v484;
				struct _CRITICAL_SECTION _v488;
				signed int _v492;
				void* _v496;
				signed int _v508;
				struct _CRITICAL_SECTION _v520;
				struct _CRITICAL_SECTION _v524;
				struct _CRITICAL_SECTION _v528;
				signed int _v532;
				struct _CRITICAL_SECTION _v536;
				signed int _v540;
				char _v544;
				struct _CRITICAL_SECTION _v548;
				struct _CRITICAL_SECTION* _v552;
				signed int _v556;
				struct _CRITICAL_SECTION _v560;
				struct _CRITICAL_SECTION _v564;
				signed int _v568;
				struct _CRITICAL_SECTION _v572;
				struct _CRITICAL_SECTION _v576;
				struct _CRITICAL_SECTION _v580;
				struct _CRITICAL_SECTION _v584;
				struct _CRITICAL_SECTION _v588;
				struct _CRITICAL_SECTION _v592;
				struct _CRITICAL_SECTION _v596;
				intOrPtr* _v600;
				struct _CRITICAL_SECTION _v604;
				signed int _v608;
				signed int _v612;
				char _v616;
				intOrPtr* _v620;
				struct _CRITICAL_SECTION _v624;
				signed int _v628;
				signed int _v632;
				void* _v636;
				signed int _v644;
				struct _CRITICAL_SECTION _v648;
				struct _CRITICAL_SECTION _v652;
				struct _CRITICAL_SECTION _v656;
				struct _CRITICAL_SECTION _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				signed int _v676;
				intOrPtr* _v680;
				signed int _v684;
				struct _CRITICAL_SECTION _v688;
				intOrPtr _v692;
				intOrPtr* _v696;
				void* _v700;
				intOrPtr* _t633;
				signed int _t636;
				signed int _t663;
				char _t665;
				void* _t666;
				intOrPtr _t671;
				signed int _t678;
				struct _CRITICAL_SECTION _t684;
				struct _CRITICAL_SECTION _t687;
				struct _CRITICAL_SECTION* _t711;
				signed int _t712;
				intOrPtr* _t720;
				void* _t722;
				intOrPtr* _t736;
				signed int _t743;
				struct _CRITICAL_SECTION _t746;
				struct _CRITICAL_SECTION** _t749;
				void* _t751;
				struct _CRITICAL_SECTION _t762;
				intOrPtr* _t771;
				intOrPtr* _t773;
				signed int _t782;
				signed int _t783;
				struct _CRITICAL_SECTION _t790;
				void* _t794;
				intOrPtr* _t796;
				struct _CRITICAL_SECTION _t808;
				intOrPtr* _t813;
				intOrPtr* _t818;
				intOrPtr* _t828;
				signed int _t829;
				intOrPtr* _t835;
				intOrPtr* _t844;
				intOrPtr* _t845;
				intOrPtr* _t846;
				intOrPtr* _t851;
				intOrPtr* _t856;
				signed int _t870;
				void* _t874;
				signed int _t875;
				signed int _t877;
				signed char _t881;
				struct _CRITICAL_SECTION _t884;
				intOrPtr* _t889;
				struct _CRITICAL_SECTION _t891;
				struct _CRITICAL_SECTION _t901;
				signed int _t911;
				intOrPtr _t913;
				struct _CRITICAL_SECTION _t916;
				void* _t922;
				intOrPtr* _t927;
				signed int _t941;
				intOrPtr _t944;
				intOrPtr _t965;
				intOrPtr _t966;
				signed int _t975;
				signed int _t979;
				signed int _t980;
				signed int _t985;
				intOrPtr* _t1019;
				intOrPtr _t1022;
				intOrPtr _t1025;
				signed int _t1031;
				void* _t1033;
				char _t1034;
				struct _CRITICAL_SECTION _t1039;
				struct _CRITICAL_SECTION _t1041;
				struct _CRITICAL_SECTION _t1042;
				intOrPtr _t1047;
				signed int _t1051;
				struct _CRITICAL_SECTION** _t1052;
				struct _CRITICAL_SECTION** _t1053;
				struct _CRITICAL_SECTION* _t1056;
				signed int _t1057;
				signed int _t1061;
				signed int _t1063;
				signed int _t1065;
				struct _CRITICAL_SECTION _t1066;
				struct _CRITICAL_SECTION _t1078;
				signed int _t1082;
				signed int _t1084;

				_t1033 = __edi;
				_push(8);
				E01274DF4(0x127678a, __ebx, __edi, __esi);
				_t913 = _a16;
				E0125F90F(__edi + 0x14, _t913, _a8);
				_v16 = 0;
				_v4 = _v4 & 0x00000000;
				E0125EB19( &_v20, __edx, __edi, _a12, _a8);
				E01262C43(_t913, __edi);
				_a12 = _a12 & 0x00000000;
				if(_t913 <= 0) {
					L5:
					_v4 = _v4 | 0xffffffff;
					return E01274EE0(E0125EA6A( &_v20));
				} else {
					do {
						_t925 = 0;
						_t915 = 0;
						if( *((intOrPtr*)(_a12 +  *((intOrPtr*)(_t1033 + 0x20)))) == 0) {
							goto L4;
						} else {
							_t633 =  *((intOrPtr*)(_a8 + 0x18));
							_t1025 =  *((intOrPtr*)(_t633 + 8));
							_t1047 = _t1025 + 8;
							if(_t1047 >  *((intOrPtr*)(_t633 + 4))) {
								E0125EA39(0, 0);
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								_push(0xffffffff);
								_push(0x1276c8c);
								_push( *[fs:0x0]);
								_t1084 = (_t1082 & 0xfffffff8) - 0x278;
								_push(0);
								_push(_t1047);
								_push(_t1033);
								_t636 =  *0x127a050; // 0xa41d0fe1
								_push(_t636 ^ _t1084);
								 *[fs:0x0] =  &_v20;
								_t916 = 0;
								_t1034 = 8;
								_v428 = 0;
								_v424 = 0;
								_v420 = 0;
								_v416 = _t1034;
								_v432 = 0x12552d4;
								_v12 = 0;
								_t1026 = 0x12552d4;
								_v348 = 0;
								_v344 = 0;
								_v340 = 0;
								_v336 = 1;
								_v352 = 0x12552d4;
								_push(4);
								_v388 = 0;
								_v384 = 0;
								_v380 = 0;
								_v376 = 0;
								_v392 = 0x12552d4;
								_v472 = 0;
								_v468 = 0;
								_v464 = 0;
								_v460 = 0;
								_v476 = 0x12552dc;
								_v308 = 0;
								_v304 = 0;
								_v300 = 0;
								_v296 = 0;
								_v312 = 0x12552d4;
								_v328 = 0;
								_v324 = 0;
								_v320 = 0;
								_v316 = _t1034;
								_v332 = 0x12552d4;
								_v408 = 0;
								_v404 = 0;
								_v400 = 0;
								_v396 = 1;
								_v412 = 0x12552d4;
								_v368 = 0;
								_v364 = 0;
								_v360 = 0;
								_v356 = 0;
								_v372 = 0x12552d4;
								_t1049 = _v0;
								_v12 = 7;
								E0125F833(0x12552d4, _v0, 0, _a12,  &_v432,  &_v352,  &_v392,  &_v476,  &_v312,  &_v332,  &_v412,  &_v372);
								_v608 = 0;
								E01264193( &_v208, __eflags);
								_t927 = _a12;
								_v652 = 0;
								_v648 =  *_t927 + _a4;
								asm("adc eax, [ebp+0x10]");
								_v644 =  *((intOrPtr*)(_t927 + 4));
								__eflags = _v508;
								if(_v508 <= 0) {
									L146:
									_push( &_v168);
									_v12 = 7;
									L166(); // executed
									_v16 = 6;
									E01262BD6( &_v376);
									_v16 = 5;
									E01262BD6( &_v416);
									_v16 = 4;
									E01262BD6( &_v336);
									_v16 = 3;
									E01262BD6( &_v316);
									_push( &_v480);
									_v16 = 2;
									E0125DAA7(_t1049, __eflags);
									_v20 = 1;
									E01262BD6( &_v400);
									_v20 = _t916;
									E01262BD6( &_v360);
									_v20 = _v20 | 0xffffffff;
									E01262BD6( &_v440);
									_t663 = 0;
									__eflags = 0;
									goto L147;
								} else {
									_v288 = 0;
									_v284 = 0;
									_v292 = 0x12552c8;
									do {
										_t1037 =  *(_v464 + _v612 * 4);
										_v628 = _t1037;
										_v12 = 9;
										_t665 = E012735E6(0xc);
										_v616 = _t665;
										_v12 = 0xa;
										__eflags = _t665 - _t916;
										if(_t665 == _t916) {
											_t666 = 0;
											__eflags = 0;
										} else {
											_t666 = E01261BE9(_t665,  &_v292);
											_t916 = 0;
										}
										_t1051 = _a20;
										_v12 = 9;
										E01264F46(_t1026, _t1051, _t666);
										_push(_t916);
										_v16 = 8;
										E01273539();
										_v624 =  *( *((intOrPtr*)(_t1051 + 0xc)) +  *(_t1051 + 8) * 4 - 4);
										_t671 =  *((intOrPtr*)(_t1037 + 0x44));
										__eflags = _t671 - _t916;
										if(_t671 != _t916) {
											_t941 = _t671 - 1;
											while(1) {
												__eflags = _t941 - _t916;
												if(_t941 < _t916) {
													goto L165;
												}
												_t1026 =  *(_t1037 + 0x1c);
												__eflags = _t1026 - _t916;
												if(_t1026 <= _t916) {
													L20:
													_t1051 = 0xffffffff;
													__eflags = 0xffffffff;
												} else {
													_t911 =  *((intOrPtr*)(_t1037 + 0x20)) + 4;
													__eflags = _t911;
													while(1) {
														__eflags =  *_t911 - _t941;
														if( *_t911 == _t941) {
															goto L21;
														}
														_t1051 = 1;
														_t911 = _t911 + 8;
														__eflags = 1 - _t1026;
														if(1 < _t1026) {
															continue;
														} else {
															goto L20;
														}
														goto L21;
													}
												}
												L21:
												__eflags = _t1051 - _t916;
												if(_t1051 < _t916) {
													_t1037 =  *(_t1037 + 0x48);
													_t944 =  *((intOrPtr*)(_t1037 + 4 + _t941 * 8));
													_v560 =  *(_t1037 + _t941 * 8);
													goto L24;
												} else {
													_t941 = _t941 - 1;
													continue;
												}
												goto L169;
											}
											goto L165;
										} else {
											_v560 = _t916;
											_t944 = 0;
											L24:
											_t684 = _v560;
											__eflags = _t684 - _t684;
											if(_t684 != _t684) {
												L164:
												E0125EA39(_t916, _t944);
												L165:
												_v564 = 1;
												E01273B07( &_v564, 0x12771d8);
												asm("int3");
												asm("int3");
												asm("int3");
												asm("int3");
												asm("int3");
												asm("int3");
												_push(0);
												E01274DF4(0x1276215, _t916, _t1037, _t1051);
												_t1052 = _a4;
												_push(_t1052 + 0x78);
												_v8 = 1;
												E01264F70(_t916, _t1037, _t1052, __eflags);
												_v8 = 0;
												_t678 =  *(_t1052 + 0x74);
												__eflags = _t678;
												if(_t678 != 0) {
													 *((intOrPtr*)( *_t678 + 8))(_t678);
												}
												_t1053 = _t1052 + 4;
												_a4 = _t1053;
												_v8 = 2;
												E01262BD6(_t1053 + 0x50);
												_t618 =  &_v8;
												 *_t618 = _v8 | 0xffffffff;
												__eflags =  *_t618;
												_push(_t1053);
												return E01274EE0(E0125E618(_t1053,  *_t618));
											} else {
												__eflags = _t916 - _t944;
												if(_t916 != _t944) {
													goto L164;
												} else {
													E012618E8(_t684, _v620);
													_t687 = E012735E6(0x14);
													__eflags = _t687 - _t916;
													if(_t687 == _t916) {
														_v624 = _t916;
														_t1039 = _t916;
													} else {
														_t1039 = _t687;
														 *(_t687 + 4) = _t916;
														 *_t687 = 0x12554a8;
														_v624 = _t1039;
													}
													_v172 = _t1039;
													__eflags = _t1039 - _t916;
													if(__eflags != 0) {
														 *((intOrPtr*)( *_t1039 + 4))(_t1039);
													}
													_v12 = 0xb;
													 *((intOrPtr*)(_t1039 + 8)) =  *((intOrPtr*)(_v620 + 8));
													 *(_t1039 + 0xc) = _v560;
													 *(_t1039 + 0x10) = _t916;
													_t947 = _v628;
													_v520 = _v420 + _v568 * 8;
													_t1056 =  *_a4;
													_v596 = _v608;
													_v592 = _v604;
													__eflags = E0125E749(_t916, _v628, _t1039, _t1056, __eflags);
													if(__eflags == 0) {
														_t1057 = 0x80004001;
														goto L156;
													} else {
														_v584 = _t916;
														_v580 = _t916;
														_v576 = _t916;
														_v572 = 4;
														_v588 = 0x125556c;
														_v548 = _t916;
														_push( &_v544);
														_v12 = 0xd;
														E01267E82(__eflags);
														_v16 = 0xe;
														__eflags = _t1056 - _t916;
														if(_t1056 != _t916) {
															 *((intOrPtr*)( *_t1056 + 4))(_t1056);
														}
														_t711 = _v552;
														__eflags = _t711 - _t916;
														if(_t711 != _t916) {
															_t947 =  *_t711;
															 *((intOrPtr*)( *_t711 + 8))(_t711);
														}
														_t712 = _v632;
														_v552 = _t1056;
														_v644 = _t916;
														__eflags =  *((intOrPtr*)(_t712 + 0x30)) - _t916;
														if( *((intOrPtr*)(_t712 + 0x30)) > _t916) {
															do {
																_t884 = E012735E6(0x18);
																__eflags = _t884 - _t916;
																if(_t884 == _t916) {
																	_t1042 = 0;
																	__eflags = 0;
																} else {
																	 *(_t884 + 4) = _t916;
																	 *_t884 = 0x1255550;
																	_t1042 = _t884;
																}
																_v648 = _t1042;
																__eflags = _t1042 - _t916;
																if(_t1042 != _t916) {
																	 *((intOrPtr*)( *_t1042 + 4))(_t1042);
																}
																_v16 = 0xf;
																 *((intOrPtr*)(_t1042 + 8)) =  &_v552;
																 *((intOrPtr*)(_t1042 + 0x10)) = _v600;
																 *(_t1042 + 0x14) = _v596;
																_t889 = _v524 + _v644 * 8;
																_v600 = _v600 +  *_t889;
																_v620 = _t889;
																asm("adc [esp+0x4c], eax");
																_t891 = E012735E6(0x28);
																__eflags = _t891 - _t916;
																if(_t891 == _t916) {
																	_t891 = 0;
																	__eflags = 0;
																} else {
																	 *(_t891 + 4) = _t916;
																	 *_t891 = 0x1255540;
																	 *(_t891 + 8) = _t916;
																}
																_v652 = _t891;
																 *(_t1084 + 0x20) = _t891;
																__eflags = _t891 - _t916;
																if(_t891 != _t916) {
																	 *((intOrPtr*)( *_t891 + 4))(_t891);
																}
																_v16 = 0x10;
																E01262BB6(_t1042, _v652 + 8);
																_t1078 = _v652;
																_t1019 = _v620;
																 *((intOrPtr*)(_t1078 + 0x10)) =  *_t1019;
																 *((intOrPtr*)(_t1078 + 0x14)) =  *((intOrPtr*)(_t1019 + 4));
																 *(_t1078 + 0x18) = _t916;
																 *(_t1078 + 0x1c) = _t916;
																 *(_t1078 + 0x20) = _t916;
																E01268911(_t916, _t1026, _t1042, _t1078, __eflags);
																_v24 = 0xf;
																 *((intOrPtr*)( *_t1078 + 8))(_t1078,  &_v592, _t1084 + 0x20);
																_v28 = 0xe;
																 *((intOrPtr*)( *_t1042 + 8))(_t1042);
																_v660 = _v660 + 1;
																_t901 = _v648;
																_t947 = _v660;
																__eflags = _v660 -  *((intOrPtr*)(_t901 + 0x30));
															} while (_v660 <  *((intOrPtr*)(_t901 + 0x30)));
														}
														_t1037 = _v632;
														_v644 =  *((intOrPtr*)(_v632 + 8));
														E012641FA( &_v284);
														_v200 = _t916;
														_v196 = _t916;
														_v192 = _t916;
														 *((intOrPtr*)(_t1084 + 0x1e4)) = 8;
														_v204 = 0x12552d4;
														_v16 = 0x11;
														E01263F8A( &_v284, _v632);
														__eflags = _v172 - _t916;
														if(_v172 == _t916) {
															L50:
															 *((intOrPtr*)(_v52 + 4))(_t916, _v44);
															_t720 = _v64;
															__eflags = _t720 - _t916;
															if(_t720 != _t916) {
																 *((intOrPtr*)( *_t720 + 8))(_t720);
																_v68 = _t916;
															}
															__eflags = _v76 - _t916;
															if(_v76 != _t916) {
																_t874 = E012735E6(0x88); // executed
																__eflags = _t874 - _t916;
																if(_t874 == _t916) {
																	_t875 = 0;
																	__eflags = 0;
																} else {
																	_t875 = E01264E54(_t874);
																}
																_t1037 = _t875;
																_v72 = _t875;
																E01262BB6(_t875,  &_v64);
																_t877 = _v72;
																__eflags = _t877 - _t916;
																if(_t877 == _t916) {
																	_v68 = _t916;
																} else {
																	_v68 = _t877 + 4;
																}
															}
															_t1026 =  &_v292;
															_t722 =  *((intOrPtr*)( *_v68))( &_v292);
															_t1058 = _t722;
															__eflags = _t722 - _t916;
															if(_t722 == _t916) {
																_v664 = _t916;
																__eflags = _v656 - _t916;
																if(__eflags <= 0) {
																	L84:
																	_t1059 = _t1084 + 0x1f8;
																	E01264EBA( &_v296, _t1084 + 0x1f8, __eflags);
																	 *((intOrPtr*)(_v100 + 4))(_t916,  *((intOrPtr*)(_t1084 + 0x250)));
																	_t1037 = _t1084 + 0x1d4;
																	E01261D0D(_t1084 + 0x248,  &_v100, _t1084 + 0x1d4);
																	_v192 = 1;
																	goto L85;
																} else {
																	while(1) {
																		_t1063 =  *((intOrPtr*)( *((intOrPtr*)(_v644 + 0xc)) + _v664 * 4));
																		_v660 = _t916;
																		_v648 = _t916;
																		_push( &_v648);
																		_push( &_v660);
																		_v28 = 0x15;
																		_push( *((intOrPtr*)(_t1063 + 4)));
																		_push( *_t1063);
																		_t1037 = E01262B6C(_t916, _t1037, _t1063, __eflags);
																		__eflags = _t1037 - _t916;
																		if(_t1037 != _t916) {
																			break;
																		}
																		_v668 = _t916;
																		_v44 = 0x18;
																		__eflags =  *((intOrPtr*)(_t1063 + 0x14)) - 1;
																		_t1037 = _v676;
																		if( *((intOrPtr*)(_t1063 + 0x14)) != 1) {
																			L70:
																			_t1063 = _v664;
																			__eflags = _t1063 - _t916;
																			if(_t1063 == _t916) {
																				_v44 = 0x11;
																				_t835 = _v676;
																				__eflags = _t835 - _t916;
																				if(_t835 != _t916) {
																					 *((intOrPtr*)( *_t835 + 8))(_t835);
																				}
																				_v44 = 0x1b;
																				E01262BD6(_t1084 + 0x1d4);
																				_push( &_v312);
																				_v44 = 0xe;
																				E0125E618(_t1063, __eflags);
																				_v48 = 0x1c;
																				goto L152;
																			} else {
																				 *((intOrPtr*)( *_t1063 + 4))(_t1063);
																				_v672 = _t1063;
																				__eflags = _v100 - _t916;
																				if(__eflags != 0) {
																					_t1068 = _v96;
																					E01268513(_t916, _v96, _t1026, _t1037, _v96, __eflags);
																					_t1037 = _v668;
																					E01262BB6(_v668,  *((intOrPtr*)( *((intOrPtr*)(_t1068 + 0x80)) +  *(_t1068 + 0x7c) * 4 - 4)) + 0x18);
																				}
																				goto L73;
																			}
																		} else {
																			__eflags =  *(_t1063 + 0x18) - 1;
																			if( *(_t1063 + 0x18) != 1) {
																				goto L70;
																			} else {
																				__eflags = _t1037 - _t916;
																				if(_t1037 == _t916) {
																					_v44 = 0x14;
																					_t856 = _v664;
																					__eflags = _t856 - _t916;
																					if(_t856 != _t916) {
																						 *((intOrPtr*)( *_t856 + 8))(_t856);
																					}
																					_v44 = 0x19;
																					E01262BD6(_t1084 + 0x1d4);
																					_push( &_v312);
																					_v44 = 0xe;
																					E0125E618(_t1063, __eflags);
																					_v48 = 0x1a;
																					goto L152;
																				} else {
																					 *((intOrPtr*)( *_t1037 + 4))(_t1037);
																					_v672 = _t1037;
																					__eflags = _v100 - _t916;
																					if(__eflags != 0) {
																						_t1071 = _v96;
																						E01268513(_t916, _v96, _t1026, _t1037, _v96, __eflags);
																						E01262BB6(_t1037,  *((intOrPtr*)( *((intOrPtr*)(_t1071 + 0x80)) +  *(_t1071 + 0x7c) * 4 - 4)) + 0x14);
																					}
																					L73:
																					_t1066 = E012735E6(4);
																					_v652 = _t1066;
																					_v48 = 0x1d;
																					__eflags = _t1066 - _t916;
																					if(_t1066 == _t916) {
																						_t1066 = 0;
																						__eflags = 0;
																					} else {
																						_t851 = _v672;
																						 *_t1066 = _t851;
																						__eflags = _t851 - _t916;
																						if(_t851 != _t916) {
																							 *((intOrPtr*)( *_t851 + 4))(_t851);
																						}
																					}
																					_v48 = 0x18;
																					E01264F46(_t1026,  &_v84, _t1066);
																					_v52 = 0x15;
																					_t844 = _v676;
																					__eflags = _t844 - _t916;
																					if(_t844 != _t916) {
																						 *((intOrPtr*)( *_t844 + 8))(_t844);
																					}
																					_v48 = 0x14;
																					_t845 = _v668;
																					__eflags = _t845 - _t916;
																					if(_t845 != _t916) {
																						 *((intOrPtr*)( *_t845 + 8))(_t845);
																					}
																					_v48 = 0x11;
																					_t846 = _v680;
																					__eflags = _t846 - _t916;
																					if(_t846 != _t916) {
																						 *((intOrPtr*)( *_t846 + 8))(_t846);
																					}
																					_v684 = _v684 + 1;
																					__eflags = _v684 - _v676;
																					if(__eflags < 0) {
																						continue;
																					} else {
																						goto L84;
																					}
																				}
																			}
																		}
																		goto L169;
																	}
																	_v44 = 0x14;
																	_t828 = _v664;
																	__eflags = _t828 - _t916;
																	if(_t828 != _t916) {
																		 *((intOrPtr*)( *_t828 + 8))(_t828);
																	}
																	_v44 = 0x11;
																	_t829 = _v676;
																	__eflags = _t829 - _t916;
																	if(_t829 != _t916) {
																		 *((intOrPtr*)( *_t829 + 8))(_t829);
																	}
																	_v44 = 0x16;
																	E01262BD6(_t1084 + 0x1d4);
																	_push( &_v312);
																	_v44 = 0xe;
																	E0125E618(_t1063, __eflags);
																	_v48 = 0x17;
																	goto L110;
																}
															} else {
																_v28 = 0x12;
																E01262BD6(_t1084 + 0x1d4);
																_push( &_v296);
																_v28 = 0xe;
																E0125E618(_t1058, __eflags);
																_v32 = 0x13;
																DeleteCriticalSection( &_v564);
																_v32 = 0xc;
																_t870 = _v568;
																__eflags = _t870 - _t916;
																if(__eflags != 0) {
																	 *((intOrPtr*)( *_t870 + 8))(_t870);
																}
																_push( &_v608);
																_v32 = 0xb;
																E01264F70(_t916, _t1037, _t1058, __eflags);
																goto L138;
															}
														} else {
															_t1059 =  &_v168;
															_t881 = E012640B0( &_v284, _t947,  &_v168);
															asm("sbb al, al");
															__eflags =  ~_t881 + 1;
															if( ~_t881 + 1 == 0) {
																L85:
																 *((intOrPtr*)( *_v80 + 4))();
																 *(_t1084 + 0x34) = _t916;
																_v656 = _t916;
																_v668 = _t916;
																__eflags = _v664 - _t916;
																if(_v664 <= _t916) {
																	L123:
																	_t1026 =  &_v304;
																	E01263EAE( &_v460,  *((intOrPtr*)( *((intOrPtr*)(_t1084 + 0x1cc)))),  &_v304, _t1084 + 0x34);
																	__eflags =  *((intOrPtr*)(_t1084 + 0x25c)) - _t916;
																	if( *((intOrPtr*)(_t1084 + 0x25c)) != _t916) {
																		 *((intOrPtr*)(_v84 + 0x70)) = _v460;
																	}
																	__eflags = _v664 - _t916;
																	if(_v664 != _t916) {
																		_v536 = _t916;
																		_v532 = _t916;
																		_v528 = _t916;
																		_v524 = 4;
																		_v540 = 0x12552d4;
																		_v36 = 0x2c;
																		E01262C43(_v604,  &_v540);
																		_t1037 = 0;
																		__eflags = _v604;
																		if(_v604 > 0) {
																			do {
																				E01262C08( &_v540, _t1026);
																				 *((intOrPtr*)(_v528 + _v532 * 4)) =  *((intOrPtr*)( *((intOrPtr*)(_v600 + _t1037 * 4))));
																				_v532 = _v532 + 1;
																				_t1037 = _t1037 + 1;
																				__eflags = _t1037 - _v604;
																			} while (_t1037 < _v604);
																		}
																		_t1026 =  &_v588;
																		_v588 = _v648;
																		_t736 = _v76;
																		_t1057 =  *((intOrPtr*)( *_t736 + 0xc))(_t736, _v528, 0, _v604,  &_v588, 0, 1, 0);
																		_v68 = 0x11;
																		E01262BD6( &_v572);
																		_v68 = 0x2d;
																		E01262BD6(_t1084 + 0x1d4);
																		_push( &_v336);
																		_v68 = 0xe;
																		E0125E618(_t1057, __eflags);
																		_v72 = 0x2e;
																		DeleteCriticalSection( &_v604);
																		_v72 = 0xc;
																		_t743 = _v608;
																		__eflags = _t743;
																		if(__eflags != 0) {
																			 *((intOrPtr*)( *_t743 + 8))(_t743);
																		}
																		_push( &_v648);
																		_v72 = 0xb;
																		E01264F70(0, _t1037, _t1057, __eflags);
																		_t916 = 0;
																		__eflags = 0;
																		goto L138;
																	} else {
																		_v36 = 0x2a;
																		E01262BD6(_t1084 + 0x1d4);
																		_push( &_v304);
																		_v36 = 0xe;
																		E0125E618(_t1059, __eflags);
																		_v40 = 0x2b;
																		DeleteCriticalSection( &_v572);
																		_v40 = 0xc;
																		_t762 = _v576;
																		__eflags = _t762 - _t916;
																		if(__eflags != 0) {
																			 *((intOrPtr*)( *_t762 + 8))(_t762);
																		}
																		_push( &_v616);
																		_v40 = 0xb;
																		E01264F70(_t916, _t1037, _t1059, __eflags);
																		goto L139;
																	}
																} else {
																	_v660 = _t916;
																	do {
																		_t1063 =  *((intOrPtr*)( *((intOrPtr*)(_v652 + 0xc)) + _v668 * 4));
																		_v672 = _t916;
																		_v36 = 0x1e;
																		_t771 =  *((intOrPtr*)( *((intOrPtr*)(_v660 + _v60))));
																		 *((intOrPtr*)( *_t771))(_t771, 0x1255230,  &_v672);
																		_t773 = _v684;
																		__eflags = _t773 - _t916;
																		if(_t773 == _t916) {
																			L92:
																			_v48 = 0x11;
																			__eflags = _t773 - _t916;
																			if(_t773 != _t916) {
																				 *((intOrPtr*)( *_t773 + 8))(_t773);
																			}
																			_t1030 =  *((intOrPtr*)(_t1063 + 0x14));
																			_t1037 =  *(_t1063 + 0x18);
																			_t975 = 4;
																			_v672 = _v672 + _t975;
																			_v684 =  *((intOrPtr*)(_t1063 + 0x14));
																			_v528 = _t916;
																			_v524 = _t916;
																			_v520 = _t916;
																			 *(_t1084 + 0xbc) = _t975;
																			_v532 = 0x12552d4;
																			_v488 = _t916;
																			_v484 = _t916;
																			_v480 = _t916;
																			_v476 = _t975;
																			_v492 = 0x12552d4;
																			_v48 = 0x27;
																			E01262C43( *((intOrPtr*)(_t1063 + 0x14)),  &_v532);
																			_t1059 =  &_v492;
																			E01262C43(_t1037,  &_v492);
																			__eflags = _t1037;
																			if(_t1037 != 0) {
																				do {
																					_t975 = _v668;
																					_t1059 =  &_v492;
																					E01264F46(_t1030,  &_v492,  *((intOrPtr*)(_v664 + 0x48)) + _t975 * 8);
																					_v672 = _v672 + 1;
																					_t1037 = _t1037 - 1;
																					__eflags = _t1037;
																				} while (_t1037 != 0);
																			}
																			_t922 = 0;
																			__eflags = _v684;
																			if(_v684 > 0) {
																				_t1041 = _v652;
																				do {
																					_t782 = _v664;
																					_t1031 =  *(_t782 + 0x1c);
																					_t1065 = 0;
																					__eflags = _t1031;
																					if(_t1031 <= 0) {
																						L102:
																						_t979 = _t975 | 0xffffffff;
																						__eflags = _t979;
																					} else {
																						_t985 =  *(_t782 + 0x20);
																						while(1) {
																							__eflags =  *_t985 - _t1041;
																							if( *_t985 == _t1041) {
																								break;
																							}
																							_t1065 = _t1065 + 1;
																							_t985 = _t985 + 8;
																							__eflags = _t1065 - _t1031;
																							if(_t1065 < _t1031) {
																								continue;
																							} else {
																								goto L102;
																							}
																							goto L103;
																						}
																						_t979 = _t1065;
																					}
																					L103:
																					__eflags = _t979;
																					if(_t979 < 0) {
																						_t980 =  *(_t782 + 0x30);
																						_t1032 = 0;
																						__eflags = _t980;
																						if(_t980 <= 0) {
																							L118:
																							_t783 = _t782 | 0xffffffff;
																							__eflags = _t783;
																						} else {
																							_t796 =  *((intOrPtr*)(_t782 + 0x34));
																							while(1) {
																								__eflags =  *_t796 - _t1041;
																								if( *_t796 == _t1041) {
																									break;
																								}
																								_t1032 = _t1032 + 1;
																								_t796 = _t796 + 4;
																								__eflags = _t1032 - _t980;
																								if(_t1032 < _t980) {
																									continue;
																								} else {
																									goto L118;
																								}
																								goto L119;
																							}
																							_t783 = _t1032;
																						}
																						L119:
																						__eflags = _t783;
																						if(_t783 < 0) {
																							_v48 = 0x26;
																							E01262BD6( &_v492);
																							_v48 = 0x11;
																							E01262BD6( &_v532);
																							_v48 = 0x28;
																							E01262BD6( &_v236);
																							_push( &_v316);
																							_v48 = 0xe;
																							E0125E618(_t1065, __eflags);
																							_v52 = 0x29;
																							DeleteCriticalSection( &_v584);
																							_v52 = 0xc;
																							_t790 = _v588;
																							__eflags = _t790;
																							if(__eflags != 0) {
																								 *((intOrPtr*)( *_t790 + 8))(_t790);
																							}
																							_push( &_v628);
																							_v52 = 0xb;
																							E01264F70(_t922, _t1041, _t1065, __eflags);
																							_t1057 = 0x80004005;
																							_t916 = 0;
																							goto L155;
																						} else {
																							_t975 = _v556;
																							_t794 = _t975 + _t783 * 8;
																							goto L121;
																						}
																					} else {
																						_t1032 =  *(_t782 + 0x20);
																						_t975 =  *( *(_t782 + 0x20) + 4 + _t979 * 8);
																						_t794 =  *((intOrPtr*)(_t782 + 0x48)) + _t975 * 8;
																						goto L121;
																					}
																					goto L169;
																					L121:
																					_t1059 =  &_v532;
																					E01264F46(_t1032,  &_v532, _t794);
																					_t922 = _t922 + 1;
																					_t1041 = _t1041 + 1;
																					_v656 = _t1041;
																					__eflags = _t922 - _v688;
																				} while (_t922 < _v688);
																			}
																			goto L122;
																		} else {
																			_t1026 =  *(_t1063 + 0xc);
																			__eflags = _t1026 - 0xffffffff;
																			if(_t1026 > 0xffffffff) {
																				_v48 = 0x11;
																				 *((intOrPtr*)( *_t773 + 8))(_t773);
																				_v52 = 0x1f;
																				E01262BD6( &_v240);
																				_push( &_v320);
																				_v52 = 0xe;
																				E0125E618(_t1063, __eflags);
																				_v56 = 0x20;
																				L152:
																				DeleteCriticalSection( &_v588);
																				_v56 = 0xc;
																				_t808 = _v592;
																				__eflags = _t808 - _t916;
																				if(__eflags != 0) {
																					 *((intOrPtr*)( *_t808 + 8))(_t808);
																				}
																				_push( &_v632);
																				_v56 = 0xb;
																				E01264F70(_t916, _t1037, _t1063, __eflags);
																				_t1057 = 0x80004001;
																				goto L155;
																			} else {
																				__eflags = _t1026 - _t916;
																				if(_t1026 <= _t916) {
																					goto L92;
																				} else {
																					_t1037 =  *((intOrPtr*)( *_t773 + 0xc))(_t773,  *((intOrPtr*)(_t1063 + 0x10)), _t1026);
																					__eflags = _t1037 - _t916;
																					if(_t1037 != _t916) {
																						_v60 = 0x11;
																						_t813 = _v696;
																						__eflags = _t813 - _t916;
																						if(_t813 != _t916) {
																							 *((intOrPtr*)( *_t813 + 8))(_t813);
																						}
																						_v60 = 0x21;
																						E01262BD6(_t1084 + 0x1d4);
																						_push( &_v328);
																						_v60 = 0xe;
																						E0125E618(_t1063, __eflags);
																						_v64 = 0x22;
																						L110:
																						DeleteCriticalSection( &_v596);
																						_v64 = 0xc;
																						_t818 = _v600;
																						__eflags = _t818 - _t916;
																						if(__eflags != 0) {
																							 *((intOrPtr*)( *_t818 + 8))(_t818);
																						}
																						_push(_t1084 + 0x50);
																						_v64 = 0xb;
																						E01264F70(_t916, _t1037, _t1063, __eflags);
																						_t1057 = _t1037;
																						L138:
																						__eflags = _t1057 - _t916;
																						if(_t1057 != _t916) {
																							L155:
																							_t1039 = _v688;
																							L156:
																							_v12 = 8;
																							 *((intOrPtr*)( *_t1039 + 8))(_t1039);
																							_push( &_v172);
																							_v16 = 7;
																							L166();
																							_v20 = 6;
																							E01262BD6( &_v380);
																							_v20 = 5;
																							E01262BD6( &_v420);
																							_v20 = 4;
																							E01262BD6( &_v340);
																							_v20 = 3;
																							E01262BD6( &_v320);
																							_push( &_v484);
																							_v20 = 2;
																							E0125DAA7(_t1057, __eflags);
																							_v24 = 1;
																							E01262BD6( &_v404);
																							_v24 = _t916;
																							E01262BD6( &_v364);
																							_v24 = _v24 | 0xffffffff;
																							E01262BD6(_t1084 + 0xec);
																							_t663 = _t1057;
																							L147:
																							 *[fs:0x0] = _v28;
																							return _t663;
																						} else {
																							L139:
																							_t1049 = _v692;
																							__eflags =  *((intOrPtr*)(_t1049 + 0x54)) - _t916;
																							if( *((intOrPtr*)(_t1049 + 0x54)) == _t916) {
																								L141:
																								_v684 = _t916;
																								__eflags =  *((intOrPtr*)(_t1049 + 0x30)) - _t916;
																								if( *((intOrPtr*)(_t1049 + 0x30)) > _t916) {
																									_t749 = _a4;
																									_t1061 = _v632;
																									do {
																										_t965 =  *((intOrPtr*)(_v484 + _t1061 * 8));
																										_t1061 = _t1061 + 1;
																										_v672 = _v672 + _t965;
																										asm("adc [esp+0x40], edx");
																										_t749[0x12] = _t749[0x12] + _t965;
																										_t966 = _v692;
																										asm("adc [eax+0x4c], edx");
																										_v684 = _v684 + 1;
																										_t1026 = _v684;
																										__eflags = _v684 -  *((intOrPtr*)(_t966 + 0x30));
																									} while (_v684 <  *((intOrPtr*)(_t966 + 0x30)));
																									_v632 = _t1061;
																								}
																								goto L145;
																							} else {
																								_t944 =  *((intOrPtr*)(_v684 + 8));
																								_t751 = E0125E502(_v684, _v624);
																								__eflags = _t751 -  *((intOrPtr*)(_t1049 + 0x50));
																								if(_t751 !=  *((intOrPtr*)(_t1049 + 0x50))) {
																									goto L164;
																								} else {
																									goto L141;
																								}
																							}
																						}
																					} else {
																						_t773 = _v696;
																						goto L92;
																					}
																				}
																			}
																		}
																		goto L169;
																		L122:
																		 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t1084 + 0x268)))) + 8))(_v680, _v520, _v480);
																		_v60 = 0x26;
																		E01262BD6(_t1084 + 0xd4);
																		_v60 = 0x11;
																		E01262BD6( &_v544);
																		_v692 = _v692 + 1;
																		_t916 = 0;
																		__eflags = _v692 - _v688;
																	} while (_v692 < _v688);
																	goto L123;
																}
															} else {
																goto L50;
															}
														}
													}
												}
											}
										}
										goto L169;
										L145:
										_t746 = _v688;
										_v76 = 8;
										 *((intOrPtr*)( *_t746 + 8))(_t746);
										_v680 = _v680 + 1;
										__eflags = _v680 - _v536;
									} while (_v680 < _v536);
									goto L146;
								}
							} else {
								_t1022 =  *_t633;
								_t915 =  *((intOrPtr*)(_t1025 + _t1022));
								_t925 =  *((intOrPtr*)(_t1025 + _t1022 + 4));
								 *((intOrPtr*)(_t633 + 8)) = _t1047;
								goto L4;
							}
						}
						goto L169;
						L4:
						E0126192F(_t1033, _t915, _t925);
						_a12 = _a12 + 1;
					} while (_a12 < _a16);
					goto L5;
				}
				L169:
			}

0x0125f95e
0x0125f95e
0x0125f965
0x0125f96a
0x0125f975
0x0125f97a
0x0125f984
0x0125f98b
0x0125f992
0x0125f997
0x0125f99d
0x0125f9df
0x0125f9df
0x0125f9f0
0x0125f99f
0x0125f99f
0x0125f9a5
0x0125f9a7
0x0125f9ac
0x00000000
0x0125f9ae
0x0125f9b1
0x0125f9b4
0x0125f9b7
0x0125f9bd
0x0125f9f3
0x0125f9f8
0x0125f9f9
0x0125f9fa
0x0125f9fb
0x0125f9fc
0x0125f9fd
0x0125fa06
0x0125fa08
0x0125fa13
0x0125fa14
0x0125fa1a
0x0125fa1b
0x0125fa1c
0x0125fa1d
0x0125fa24
0x0125fa2c
0x0125fa32
0x0125fa36
0x0125fa3c
0x0125fa43
0x0125fa4a
0x0125fa51
0x0125fa58
0x0125fa5f
0x0125fa66
0x0125fa6b
0x0125fa72
0x0125fa79
0x0125fa80
0x0125fa8b
0x0125fa92
0x0125fa9a
0x0125faa1
0x0125faa8
0x0125faaf
0x0125fab6
0x0125fabd
0x0125fac4
0x0125facb
0x0125fad2
0x0125fad9
0x0125fae4
0x0125faeb
0x0125faf2
0x0125faf9
0x0125fb00
0x0125fb07
0x0125fb0e
0x0125fb15
0x0125fb1c
0x0125fb23
0x0125fb2a
0x0125fb31
0x0125fb38
0x0125fb3f
0x0125fb4a
0x0125fb51
0x0125fb58
0x0125fb5f
0x0125fb66
0x0125fb6d
0x0125fb74
0x0125fbba
0x0125fbc3
0x0125fbcf
0x0125fbd3
0x0125fbd8
0x0125fbe0
0x0125fbe4
0x0125fbeb
0x0125fbee
0x0125fbf2
0x0125fbf9
0x012607d2
0x012607d9
0x012607da
0x012607e2
0x012607ee
0x012607f6
0x01260802
0x0126080a
0x01260816
0x0126081e
0x0126082a
0x01260832
0x0126083e
0x0126083f
0x01260847
0x01260853
0x0126085b
0x01260867
0x0126086e
0x01260873
0x01260882
0x01260887
0x01260887
0x00000000
0x0125fbff
0x0125fbff
0x0125fc06
0x0125fc0d
0x0125fc18
0x0125fc23
0x0125fc26
0x0125fc2c
0x0125fc34
0x0125fc3a
0x0125fc3e
0x0125fc46
0x0125fc48
0x0125fc5a
0x0125fc5a
0x0125fc4a
0x0125fc51
0x0125fc56
0x0125fc56
0x0125fc5c
0x0125fc60
0x0125fc68
0x0125fc6d
0x0125fc6e
0x0125fc76
0x0125fc86
0x0125fc8a
0x0125fc8d
0x0125fc8f
0x0125fc99
0x0125fc9c
0x0125fc9c
0x0125fc9e
0x00000000
0x00000000
0x0125fca4
0x0125fca9
0x0125fcab
0x0125fcbf
0x0125fcbf
0x0125fcbf
0x0125fcad
0x0125fcb0
0x0125fcb0
0x0125fcb3
0x0125fcb3
0x0125fcb5
0x00000000
0x00000000
0x0125fcb7
0x0125fcb8
0x0125fcbb
0x0125fcbd
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0125fcbd
0x0125fcb3
0x0125fcc2
0x0125fcc2
0x0125fcc4
0x0125fcc9
0x0125fccf
0x0125fcd3
0x00000000
0x0125fcc6
0x0125fcc6
0x00000000
0x0125fcc6
0x00000000
0x0125fcc4
0x00000000
0x0125fc91
0x0125fc91
0x0125fc95
0x0125fcd7
0x0125fcd7
0x0125fcdb
0x0125fcdd
0x01260b20
0x01260b20
0x01260b25
0x01260b2f
0x01260b37
0x01260b3c
0x01260b3d
0x01260b3e
0x01260b3f
0x01260b40
0x01260b41
0x01260b42
0x01260b49
0x01260b4e
0x01260b54
0x01260b55
0x01260b5c
0x01260b61
0x01260b65
0x01260b68
0x01260b6a
0x01260b6f
0x01260b6f
0x01260b72
0x01260b75
0x01260b7b
0x01260b82
0x01260b87
0x01260b87
0x01260b87
0x01260b8b
0x01260b96
0x0125fce3
0x0125fce3
0x0125fce5
0x00000000
0x0125fceb
0x0125fcf1
0x0125fcf8
0x0125fcfe
0x0125fd00
0x0125fd13
0x0125fd17
0x0125fd02
0x0125fd02
0x0125fd04
0x0125fd07
0x0125fd0d
0x0125fd0d
0x0125fd19
0x0125fd20
0x0125fd22
0x0125fd27
0x0125fd27
0x0125fd32
0x0125fd3d
0x0125fd44
0x0125fd47
0x0125fd54
0x0125fd58
0x0125fd62
0x0125fd68
0x0125fd70
0x0125fd79
0x0125fd7b
0x012608a1
0x00000000
0x0125fd81
0x0125fd81
0x0125fd85
0x0125fd89
0x0125fd8d
0x0125fd95
0x0125fd9d
0x0125fda5
0x0125fda6
0x0125fdae
0x0125fdb3
0x0125fdbb
0x0125fdbd
0x0125fdc2
0x0125fdc2
0x0125fdc5
0x0125fdc9
0x0125fdcb
0x0125fdcd
0x0125fdd0
0x0125fdd0
0x0125fdd3
0x0125fdd7
0x0125fddb
0x0125fddf
0x0125fde2
0x0125fde8
0x0125fdea
0x0125fdf0
0x0125fdf2
0x0125fe01
0x0125fe01
0x0125fdf4
0x0125fdf4
0x0125fdf7
0x0125fdfd
0x0125fdfd
0x0125fe03
0x0125fe07
0x0125fe09
0x0125fe0e
0x0125fe0e
0x0125fe15
0x0125fe21
0x0125fe28
0x0125fe2f
0x0125fe39
0x0125fe3e
0x0125fe42
0x0125fe49
0x0125fe4f
0x0125fe55
0x0125fe57
0x0125fe67
0x0125fe67
0x0125fe59
0x0125fe59
0x0125fe5c
0x0125fe62
0x0125fe62
0x0125fe69
0x0125fe6d
0x0125fe71
0x0125fe73
0x0125fe78
0x0125fe78
0x0125fe7b
0x0125fe8a
0x0125fe8f
0x0125fe93
0x0125fe9c
0x0125fea9
0x0125feac
0x0125feaf
0x0125feb2
0x0125feb5
0x0125feba
0x0125fec5
0x0125fec8
0x0125fed3
0x0125fed6
0x0125feda
0x0125fede
0x0125fee2
0x0125fee2
0x0125fde8
0x0125feeb
0x0125fef2
0x0125fefd
0x0125ff02
0x0125ff09
0x0125ff10
0x0125ff17
0x0125ff22
0x0125ff34
0x0125ff3c
0x0125ff41
0x0125ff48
0x0125ff69
0x0125ff7f
0x0125ff82
0x0125ff89
0x0125ff8b
0x0125ff90
0x0125ff93
0x0125ff93
0x0125ff9a
0x0125ffa1
0x0125ffa8
0x0125ffae
0x0125ffb0
0x0125ffbb
0x0125ffbb
0x0125ffb2
0x0125ffb4
0x0125ffb4
0x0125ffbd
0x0125ffc6
0x0125ffcd
0x0125ffd2
0x0125ffd9
0x0125ffdb
0x0125ffe9
0x0125ffdd
0x0125ffe0
0x0125ffe0
0x0125ffdb
0x0125fff9
0x01260001
0x01260003
0x01260005
0x01260007
0x01260072
0x01260076
0x0126007a
0x012601f5
0x012601fc
0x01260203
0x0126021e
0x01260221
0x0126022f
0x01260234
0x00000000
0x01260080
0x01260080
0x0126008b
0x0126008e
0x01260092
0x0126009a
0x0126009f
0x012600a0
0x012600a8
0x012600ab
0x012600b2
0x012600b4
0x012600b6
0x00000000
0x00000000
0x012600bc
0x012600c0
0x012600c8
0x012600cc
0x012600d0
0x01260118
0x01260118
0x0126011c
0x0126011e
0x012609f8
0x01260a00
0x01260a04
0x01260a06
0x01260a0b
0x01260a0b
0x01260a15
0x01260a1d
0x01260a29
0x01260a2a
0x01260a32
0x01260a37
0x00000000
0x01260124
0x01260127
0x0126012a
0x0126012e
0x01260135
0x01260137
0x01260140
0x01260152
0x01260159
0x01260159
0x00000000
0x01260135
0x012600d2
0x012600d2
0x012600d6
0x00000000
0x012600d8
0x012600d8
0x012600da
0x012608ab
0x012608b3
0x012608b7
0x012608b9
0x012608be
0x012608be
0x012608c8
0x012608d0
0x012608dc
0x012608dd
0x012608e5
0x012608ea
0x00000000
0x012600e0
0x012600e3
0x012600e6
0x012600ea
0x012600f1
0x012600f3
0x012600fc
0x01260111
0x01260111
0x0126015e
0x01260165
0x01260168
0x0126016c
0x01260174
0x01260176
0x0126018a
0x0126018a
0x01260178
0x01260178
0x0126017c
0x0126017e
0x01260180
0x01260185
0x01260185
0x01260180
0x01260194
0x0126019c
0x012601a1
0x012601a9
0x012601ad
0x012601af
0x012601b4
0x012601b4
0x012601b7
0x012601bf
0x012601c3
0x012601c5
0x012601ca
0x012601ca
0x012601cd
0x012601d5
0x012601d9
0x012601db
0x012601e0
0x012601e0
0x012601e3
0x012601eb
0x012601ef
0x00000000
0x00000000
0x00000000
0x00000000
0x012601ef
0x012600da
0x012600d6
0x00000000
0x012600d0
0x012603d1
0x012603d9
0x012603dd
0x012603df
0x012603e4
0x012603e4
0x012603e7
0x012603ef
0x012603f3
0x012603f5
0x012603fa
0x012603fa
0x01260404
0x0126040c
0x01260418
0x01260419
0x01260421
0x01260426
0x00000000
0x01260426
0x01260009
0x01260010
0x01260018
0x01260024
0x01260025
0x0126002d
0x01260037
0x0126003f
0x01260045
0x0126004d
0x01260051
0x01260053
0x01260058
0x01260058
0x0126005f
0x01260060
0x01260068
0x00000000
0x01260068
0x0125ff4a
0x0125ff4a
0x0125ff58
0x0125ff5f
0x0125ff61
0x0125ff63
0x0126023c
0x01260245
0x01260248
0x0126024c
0x01260250
0x01260254
0x01260258
0x01260517
0x0126052c
0x01260533
0x01260538
0x0126053f
0x0126054f
0x0126054f
0x01260552
0x01260556
0x01260618
0x0126061f
0x01260626
0x0126062d
0x01260638
0x01260643
0x01260656
0x0126065d
0x0126065f
0x01260663
0x01260665
0x01260675
0x01260688
0x0126068b
0x01260692
0x01260693
0x01260693
0x01260665
0x012606a1
0x012606aa
0x012606ae
0x012606ca
0x012606cc
0x012606d4
0x012606e0
0x012606e8
0x012606f4
0x012606f5
0x012606fd
0x01260707
0x0126070f
0x01260715
0x0126071d
0x01260721
0x01260723
0x01260728
0x01260728
0x0126072f
0x01260730
0x01260738
0x0126073d
0x0126073d
0x00000000
0x0126055c
0x01260563
0x0126056b
0x01260577
0x01260578
0x01260580
0x0126058a
0x01260592
0x01260598
0x012605a0
0x012605a4
0x012605a6
0x012605ab
0x012605ab
0x012605b2
0x012605b3
0x012605bb
0x00000000
0x012605bb
0x0126025e
0x0126025e
0x01260262
0x0126026d
0x0126027e
0x01260287
0x0126028f
0x01260299
0x0126029b
0x0126029f
0x012602a1
0x012602cc
0x012602cc
0x012602d4
0x012602d6
0x012602db
0x012602db
0x012602de
0x012602e1
0x012602e6
0x012602e7
0x012602f0
0x012602f4
0x012602fb
0x01260302
0x01260309
0x01260310
0x01260317
0x0126031e
0x01260325
0x0126032c
0x01260333
0x01260343
0x0126034b
0x01260352
0x01260359
0x0126035e
0x01260360
0x01260362
0x01260369
0x01260371
0x01260378
0x0126037d
0x01260381
0x01260381
0x01260381
0x01260362
0x01260384
0x01260386
0x0126038a
0x01260390
0x01260394
0x01260394
0x01260398
0x0126039b
0x0126039d
0x0126039f
0x012603b4
0x012603b4
0x012603b4
0x012603a1
0x012603a1
0x012603a4
0x012603a4
0x012603a6
0x00000000
0x00000000
0x012603ac
0x012603ad
0x012603b0
0x012603b2
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x012603b2
0x01260468
0x01260468
0x012603b7
0x012603b7
0x012603b9
0x0126046f
0x01260472
0x01260474
0x01260476
0x0126048b
0x0126048b
0x0126048b
0x01260478
0x01260478
0x0126047b
0x0126047b
0x0126047d
0x00000000
0x00000000
0x01260483
0x01260484
0x01260487
0x01260489
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x01260489
0x012605c5
0x012605c5
0x0126048e
0x0126048e
0x01260490
0x01260a8f
0x01260a97
0x01260aa3
0x01260aab
0x01260ab7
0x01260abf
0x01260acb
0x01260acc
0x01260ad4
0x01260ade
0x01260ae6
0x01260aec
0x01260af4
0x01260af8
0x01260afa
0x01260aff
0x01260aff
0x01260b06
0x01260b07
0x01260b0f
0x01260b14
0x01260b19
0x00000000
0x01260496
0x01260496
0x0126049d
0x00000000
0x0126049d
0x012603bf
0x012603bf
0x012603c2
0x012603c9
0x00000000
0x012603c9
0x00000000
0x012604a0
0x012604a1
0x012604a8
0x012604ad
0x012604ae
0x012604af
0x012604b3
0x012604b3
0x01260394
0x00000000
0x012602a3
0x012602a3
0x012602a6
0x012602a9
0x01260a44
0x01260a4f
0x01260a59
0x01260a61
0x01260a6d
0x01260a6e
0x01260a76
0x01260a7b
0x012608f2
0x012608f7
0x012608fd
0x01260905
0x01260909
0x0126090b
0x01260910
0x01260910
0x01260917
0x01260918
0x01260920
0x01260925
0x00000000
0x012602af
0x012602af
0x012602b1
0x00000000
0x012602b3
0x012602be
0x012602c0
0x012602c2
0x012605cc
0x012605d4
0x012605d8
0x012605da
0x012605df
0x012605df
0x012605e9
0x012605f1
0x012605fd
0x012605fe
0x01260606
0x0126060b
0x0126042e
0x01260433
0x01260439
0x01260441
0x01260445
0x01260447
0x0126044c
0x0126044c
0x01260453
0x01260454
0x0126045c
0x01260461
0x0126073f
0x0126073f
0x01260741
0x0126092a
0x0126092a
0x0126092e
0x0126092e
0x01260939
0x01260943
0x01260944
0x0126094c
0x01260958
0x01260960
0x0126096c
0x01260974
0x01260980
0x01260988
0x01260994
0x0126099c
0x012609a8
0x012609a9
0x012609b1
0x012609bd
0x012609c5
0x012609d1
0x012609d8
0x012609dd
0x012609ec
0x012609f1
0x01260889
0x01260890
0x0126089e
0x01260747
0x01260747
0x01260747
0x0126074b
0x0126074e
0x01260769
0x01260769
0x0126076d
0x01260770
0x01260772
0x01260775
0x01260779
0x01260780
0x01260787
0x01260788
0x0126078c
0x01260790
0x01260793
0x01260797
0x0126079a
0x0126079e
0x012607a2
0x012607a2
0x012607a7
0x012607a7
0x00000000
0x01260750
0x01260758
0x0126075b
0x01260760
0x01260763
0x00000000
0x00000000
0x00000000
0x00000000
0x01260763
0x0126074e
0x012602c8
0x012602c8
0x00000000
0x012602c8
0x012602c2
0x012602b1
0x012602a9
0x00000000
0x012604bd
0x012604d8
0x012604e2
0x012604ea
0x012604f6
0x012604fe
0x01260503
0x0126050b
0x0126050d
0x0126050d
0x00000000
0x01260262
0x00000000
0x00000000
0x00000000
0x0125ff63
0x0125ff48
0x0125fd7b
0x0125fce5
0x0125fcdd
0x00000000
0x012607ab
0x012607ab
0x012607af
0x012607ba
0x012607bd
0x012607c5
0x012607c5
0x00000000
0x0125fc18
0x0125f9bf
0x0125f9bf
0x0125f9c1
0x0125f9c4
0x0125f9c8
0x00000000
0x0125f9c8
0x0125f9bd
0x00000000
0x0125f9cb
0x0125f9cf
0x0125f9d4
0x0125f9da
0x00000000
0x0125f99f
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 0125F965

Part of subcall function 01262C43: __CxxThrowException@8.LIBCMT ref: 01262C6A
Part of subcall function 01262C43: _memmove.LIBCMT ref: 01262CBB

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: Exception@8H_prolog3Throw_memmove
String ID:
API String ID: 3426943727-0
Opcode ID: d1a7d3ff5b8327b90fbefa8f001760cc1f610fc099ab9f70bfaff7f83daaf354
Instruction ID: 721d685f26f1da6acb71bcf547e52fa969c7b069c148239eacc815d776e86d57
Opcode Fuzzy Hash: d1a7d3ff5b8327b90fbefa8f001760cc1f610fc099ab9f70bfaff7f83daaf354
Instruction Fuzzy Hash: 50322270518386CFD370DF68C5C4BAAFBE4BF88304F54492EE9898B251DB30A984CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0125A222 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 149
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0125A222(intOrPtr __edx, intOrPtr _a4, signed int _a8) {
				char _v8;
				WCHAR* _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				short* _t63;
				intOrPtr _t64;
				intOrPtr _t65;
				signed int _t70;
				signed int _t76;
				intOrPtr _t86;
				intOrPtr* _t87;
				intOrPtr _t91;
				intOrPtr _t92;
				intOrPtr _t100;
				void* _t101;
				signed int _t104;
				WCHAR* _t106;

				_t100 = __edx;
				_v8 = 0;
				_v12 = 0;
				if(_a8 == 0) {
					_t104 = E012599D2( &_v8);
					__eflags = _t104;
					if(_t104 < 0) {
						L35:
						if(_v8 != 0) {
							E01258E6F(_v8);
						}
						return _t104;
					}
					_t63 = E012596C7(_v8);
					__eflags = _t63;
					if(_t63 != 0) {
						__eflags = 0;
						 *_t63 = 0;
						L8:
						_t86 = _a4;
						_t64 =  *((intOrPtr*)(_t86 + 0x14));
						if( *((intOrPtr*)(_t64 + 0x1c)) == 0) {
							L11:
							_t65 =  *((intOrPtr*)(_t86 + 0x14));
							_v20 = _v20 & 0x00000000;
							if( *((intOrPtr*)(_t65 + 0x20)) <= 0) {
								goto L35;
							}
							_v16 = _v16 & 0x00000000;
							while(1) {
								_t23 = _t65 + 0x24; // 0x24
								_t87 = _v16 + _t23;
								_t91 =  *_t87;
								_t101 = 0;
								if(_t91 == 0) {
									_v24 = 0;
								} else {
									_v24 = _t91 + _t65;
								}
								_t92 =  *((intOrPtr*)(_t87 + 4));
								if(_t92 != _t101) {
									_t101 = _t65 + _t92;
								}
								_t93 =  &_v12;
								_a8 = 1;
								_t104 = E01258889(0,  &_v12, _v8);
								if(_t104 < 0) {
									break;
								}
								if(_t101 == 0) {
									L23:
									if( *((intOrPtr*)(_t87 + 0x10)) == 0) {
										__eflags = _a8;
										if(__eflags == 0) {
											L28:
											_t70 = E0125ADE5(_v12, _t100, _t87, __eflags, _a4);
											L29:
											_t104 = _t70;
											if(_t104 < 0) {
												break;
											}
											_v20 = _v20 + 1;
											_t65 =  *((intOrPtr*)(_a4 + 0x14));
											_v16 = _v16 + 0x28;
											if(_v20 <  *((intOrPtr*)(_t65 + 0x20))) {
												continue;
											}
											break;
										}
										_t104 = E01258ABB( &_v12, _t93, _v24, 0);
										__eflags = _t104;
										if(__eflags < 0) {
											break;
										}
										goto L28;
									}
									if(_a8 == 0) {
										_t104 = 0x80070057;
										break;
									}
									_t70 = E0125AC67(_t87, _a4, _v12); // executed
									goto L29;
								}
								_t104 = E01258ABB( &_v12,  &_v12, _t101, 0);
								if(_t104 < 0) {
									break;
								}
								_t106 = _v12;
								_t76 = lstrlenW(_t106);
								_t93 = 0x5c;
								if( &_v12 !=  *((intOrPtr*)(_t106 + _t76 * 2 - 2))) {
									_a8 = _a8 & 0x00000000;
								}
								goto L23;
							}
							if(_v12 != 0) {
								E01258E6F(_v12);
							}
							goto L35;
						}
						_t104 = E01258ABB( &_v8, _t64,  *((intOrPtr*)(_t64 + 0x1c)) + _t64, 0);
						if(_t104 < 0) {
							goto L35;
						}
						_t104 = E0125997E(_t98,  &_v8);
						if(_t104 < 0) {
							goto L35;
						}
						goto L11;
					}
					_t104 = 0x8000ffff;
					goto L35;
				}
				_t104 = E01258889(0,  &_v8, _a8);
				if(_t104 < 0) {
					goto L35;
				}
				_t104 = E0125997E( &_v8,  &_v8);
				if(_t104 < 0) {
					goto L35;
				} else {
					goto L8;
				}
			}

0x0125a222
0x0125a22f
0x0125a232
0x0125a238
0x0125a26d
0x0125a26f
0x0125a271
0x0125a3c0
0x0125a3c4
0x0125a3c9
0x0125a3c9
0x0125a3d4
0x0125a3d4
0x0125a27a
0x0125a27f
0x0125a281
0x0125a28d
0x0125a28f
0x0125a292
0x0125a292
0x0125a295
0x0125a29c
0x0125a2cc
0x0125a2cc
0x0125a2cf
0x0125a2d7
0x00000000
0x00000000
0x0125a2dd
0x0125a2e1
0x0125a2e4
0x0125a2e4
0x0125a2e8
0x0125a2ea
0x0125a2ee
0x0125a2f7
0x0125a2f0
0x0125a2f2
0x0125a2f2
0x0125a2fa
0x0125a2ff
0x0125a301
0x0125a301
0x0125a309
0x0125a30c
0x0125a318
0x0125a31c
0x00000000
0x00000000
0x0125a324
0x0125a34f
0x0125a354
0x0125a368
0x0125a36b
0x0125a37f
0x0125a387
0x0125a38c
0x0125a38c
0x0125a390
0x00000000
0x00000000
0x0125a392
0x0125a398
0x0125a39e
0x0125a3a5
0x00000000
0x00000000
0x00000000
0x0125a3ab
0x0125a379
0x0125a37b
0x0125a37d
0x00000000
0x00000000
0x00000000
0x0125a37d
0x0125a359
0x0125a3ad
0x00000000
0x0125a3ad
0x0125a361
0x00000000
0x0125a361
0x0125a331
0x0125a335
0x00000000
0x00000000
0x0125a337
0x0125a33b
0x0125a343
0x0125a349
0x0125a34b
0x0125a34b
0x00000000
0x0125a349
0x0125a3b6
0x0125a3bb
0x0125a3bb
0x00000000
0x0125a3b6
0x0125a2b0
0x0125a2b4
0x00000000
0x00000000
0x0125a2c2
0x0125a2c6
0x00000000
0x00000000
0x00000000
0x0125a2c6
0x0125a283
0x00000000
0x0125a283
0x0125a247
0x0125a24b
0x00000000
0x00000000
0x0125a259
0x0125a25d
0x00000000
0x0125a263
0x00000000
0x0125a263

APIs

lstrlenW.KERNEL32(?,00000000,00000000,?,?,00000000,000000FF), ref: 0125A33B

Strings

(, xrefs: 0125A39E

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: lstrlen
String ID: (
API String ID: 1659193697-3887548279
Opcode ID: 63ab264e9b82d6514d073f2733b62eb0b8b547493403ed9e7ec66dee2d5e26c6
Instruction ID: 25dfa3841b39590f539af6b61bb1d3a374a96839c5efe0c71688ed20fdbc344e
Opcode Fuzzy Hash: 63ab264e9b82d6514d073f2733b62eb0b8b547493403ed9e7ec66dee2d5e26c6
Instruction Fuzzy Hash: A551A731D2021AEFCF65DF98C8D26ADBBB1AF04354F1542A9DE01AB251D7B19E81CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0125B3F5 Relevance: 3.1, APIs: 2, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0125B3F5(void* _a4, long _a8, long _a12) {
				intOrPtr _t14;
				signed int _t15;
				LONG* _t21;
				intOrPtr _t23;
				intOrPtr _t24;
				void* _t26;
				void* _t27;
				LONG* _t33;

				_t14 =  *0x127c14c;
				_t21 = 0;
				_t27 = 0;
				 *0x127c154 = 0;
				if(_t14 != 0) {
					_t23 =  *0x127c150;
					_t24 =  *((intOrPtr*)(_t23 + 0x18));
					_t27 =  *((intOrPtr*)( *((intOrPtr*)(_t14 + 0x10)) + 8)) + _t24;
					if(_a12 != 0) {
						if(_a12 == 2) {
							_a8 = _a8 +  *((intOrPtr*)(_t23 + 0x20)) + _t24;
						}
					} else {
						_a8 = _a8 + _t27;
					}
				}
				_t15 = SetFilePointer(_a4, _a8, _t21, _a12); // executed
				_t26 = _t15 - _t27;
				if(_t26 == 0xffffffff) {
					_t15 = GetLastError();
					_t21 = _t15;
					if(_t21 > 0) {
						_t21 = _t21 & 0x0000ffff | 0x80070000;
						_t33 = _t21;
					}
					if(_t33 >= 0) {
						_t21 = 0x80004005;
					}
				}
				 *0x127c154 = _t21;
				if(_t21 >= 0) {
					return _t26;
				} else {
					return _t15 | 0xffffffff;
				}
			}

0x0125b3fa
0x0125b401
0x0125b403
0x0125b406
0x0125b40e
0x0125b410
0x0125b419
0x0125b41f
0x0125b424
0x0125b42f
0x0125b436
0x0125b436
0x0125b426
0x0125b426
0x0125b426
0x0125b424
0x0125b443
0x0125b44b
0x0125b450
0x0125b452
0x0125b458
0x0125b45c
0x0125b464
0x0125b46a
0x0125b46a
0x0125b46c
0x0125b46e
0x0125b46e
0x0125b46c
0x0125b473
0x0125b47b
0x00000000
0x0125b47d
0x00000000
0x0125b47d

APIs

SetFilePointer.KERNELBASE(?,?,00000000,?), ref: 0125B443
GetLastError.KERNEL32 ref: 0125B452

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 3df045ac41d4dd4623c849b87a7c15e0620dd12708c3ee775aef0e8b21b9bc14
Instruction ID: 753b1f8fa14d354b613622db898663da421abeccb18485025bb428098253a2bb
Opcode Fuzzy Hash: 3df045ac41d4dd4623c849b87a7c15e0620dd12708c3ee775aef0e8b21b9bc14
Instruction Fuzzy Hash: 3011AC72A203169FCB308EA9F8D856A7B66FB44338B144239EF2487242C770DC16CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0125B296 Relevance: 3.1, APIs: 2, Instructions: 54
fileCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E0125B296(CHAR* _a4) {
				void* _t6;
				signed int _t7;
				void* _t15;
				signed int _t16;
				signed int _t20;

				_t16 = 0;
				 *0x127c154 =  *0x127c154 & 0;
				_t6 = CreateFileA(_a4, 0x80000000, 1, 0, 3, 0x80, 0); // executed
				_t15 = _t6;
				if(_t15 != 0xffffffff) {
					_t7 =  *0x127c14c;
					if(_t7 != 0) {
						asm("adc ecx, [eax+0x1c]");
						_t7 = E01259B6A(_t15,  *((intOrPtr*)( *((intOrPtr*)(_t7 + 0x10)) + 8)) +  *((intOrPtr*)( *0x127c150 + 0x18)),  *((intOrPtr*)( *((intOrPtr*)(_t7 + 0x10)) + 0xc))); // executed
						_t16 = _t7;
					}
					L7:
					 *0x127c154 = _t16;
					if(_t16 >= 0) {
						return _t15;
					}
					return _t7 | 0xffffffff;
				}
				_t7 = GetLastError();
				_t16 = _t7;
				if(_t16 > 0) {
					_t16 = _t16 & 0x0000ffff | 0x80070000;
					_t20 = _t16;
				}
				if(_t20 >= 0) {
					_t16 = 0x80004005;
				}
				goto L7;
			}

0x0125b29e
0x0125b2a0
0x0125b2b9
0x0125b2bf
0x0125b2c4
0x0125b2e9
0x0125b2f0
0x0125b303
0x0125b309
0x0125b30e
0x0125b30e
0x0125b310
0x0125b310
0x0125b318
0x00000000
0x0125b31f
0x00000000
0x0125b31a
0x0125b2c6
0x0125b2cc
0x0125b2d0
0x0125b2d8
0x0125b2de
0x0125b2de
0x0125b2e0
0x0125b2e2
0x0125b2e2
0x00000000

APIs

CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0125B2B9
GetLastError.KERNEL32 ref: 0125B2C6

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: 017f34592139c178a1bb147fd4c744710e160fdccc59f97c34c707b3ff8a7baf
Instruction ID: 6e0b3e8c7b1221cc7dc7b8d2b8a6d12e945808288b198a9dc3e3d3feaabe0b05
Opcode Fuzzy Hash: 017f34592139c178a1bb147fd4c744710e160fdccc59f97c34c707b3ff8a7baf
Instruction Fuzzy Hash: 3B018836A611216FD3708B55F888F673B59EB41770F154264EE15AB3C1D671DC11C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 0125B32B Relevance: 3.0, APIs: 2, Instructions: 36
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0125B32B(void* __ecx, void* _a4, void* _a8, long _a12) {
				long _v8;
				signed int _t9;
				signed int _t14;
				signed int _t19;

				_t14 = 0;
				 *0x127c154 =  *0x127c154 & 0;
				_v8 = _v8 & 0;
				_t9 = ReadFile(_a4, _a8, _a12,  &_v8, 0); // executed
				if(_t9 != 0) {
					L5:
					 *0x127c154 = _t14;
					if(_t14 >= 0) {
						return _v8;
					} else {
						return _t9 | 0xffffffff;
					}
				}
				_t9 = GetLastError();
				_t14 = _t9;
				if(_t14 > 0) {
					_t14 = _t14 & 0x0000ffff | 0x80070000;
					_t19 = _t14;
				}
				if(_t19 >= 0) {
					_t14 = 0x80004005;
				}
				goto L5;
			}

0x0125b332
0x0125b334
0x0125b33a
0x0125b34b
0x0125b353
0x0125b376
0x0125b376
0x0125b37f
0x0125b38a
0x0125b381
0x0125b385
0x0125b385
0x0125b37f
0x0125b355
0x0125b35b
0x0125b35f
0x0125b367
0x0125b36d
0x0125b36d
0x0125b36f
0x0125b371
0x0125b371
0x00000000

APIs

ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0125B34B
GetLastError.KERNEL32 ref: 0125B355

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: ErrorFileLastRead
String ID:
API String ID: 1948546556-0
Opcode ID: a5bfc4245434784f3f38ac96d76a864ff05fa3c7615db0983dd08549742b3b31
Instruction ID: 900940cd898554cf7884b47ecd2e3037a6a0f1504cc090445a2c3b3ff78a2974
Opcode Fuzzy Hash: a5bfc4245434784f3f38ac96d76a864ff05fa3c7615db0983dd08549742b3b31
Instruction Fuzzy Hash: E3F09033D6127AFBCB218FA4E948AAA7E69AF007B4B114234BE10F6251D334DE1097D0

Uniqueness

Uniqueness Score: -1.00%

Function 0125B390 Relevance: 3.0, APIs: 2, Instructions: 36
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0125B390(void* __ecx, void* _a4, void* _a8, long _a12) {
				long _v8;
				signed int _t9;
				signed int _t14;
				signed int _t19;

				_t14 = 0;
				 *0x127c154 =  *0x127c154 & 0;
				_v8 = _v8 & 0;
				_t9 = WriteFile(_a4, _a8, _a12,  &_v8, 0); // executed
				if(_t9 != 0) {
					L5:
					 *0x127c154 = _t14;
					if(_t14 >= 0) {
						return _v8;
					} else {
						return _t9 | 0xffffffff;
					}
				}
				_t9 = GetLastError();
				_t14 = _t9;
				if(_t14 > 0) {
					_t14 = _t14 & 0x0000ffff | 0x80070000;
					_t19 = _t14;
				}
				if(_t19 >= 0) {
					_t14 = 0x80004005;
				}
				goto L5;
			}

0x0125b397
0x0125b399
0x0125b39f
0x0125b3b0
0x0125b3b8
0x0125b3db
0x0125b3db
0x0125b3e4
0x0125b3ef
0x0125b3e6
0x0125b3ea
0x0125b3ea
0x0125b3e4
0x0125b3ba
0x0125b3c0
0x0125b3c4
0x0125b3cc
0x0125b3d2
0x0125b3d2
0x0125b3d4
0x0125b3d6
0x0125b3d6
0x00000000

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 0125B3B0
GetLastError.KERNEL32 ref: 0125B3BA

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: 6187819997185fb25ee7f4be17133667d459756bbe57b5c0dfd57989cff68171
Instruction ID: 872eb8377271399bce62dc46980d246d727c7199efb4f4916b6a70b8ea7d9cf8
Opcode Fuzzy Hash: 6187819997185fb25ee7f4be17133667d459756bbe57b5c0dfd57989cff68171
Instruction Fuzzy Hash: 47F09633D5113ABBCB21CFA4E94859A7E65AF007B4B110264FE10F7141E370DD1097D0

Uniqueness

Uniqueness Score: -1.00%

Function 01259663 Relevance: 3.0, APIs: 2, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01259663(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				void* __esi;
				int _t11;
				signed int _t16;
				signed int _t22;

				_v8 = _v8 & 0x00000000;
				_t16 = E01259926( &_v8, _a4);
				if(_t16 >= 0) {
					_t11 = SetCurrentDirectoryW(_v8); // executed
					if(_t11 == 0) {
						_t16 = GetLastError();
						if(_t16 > 0) {
							_t16 = _t16 & 0x0000ffff | 0x80070000;
							_t22 = _t16;
						}
						if(_t22 >= 0) {
							_t16 = 0x80004005;
						}
					}
				}
				if(_v8 != 0) {
					E01258E6F(_v8);
				}
				return _t16;
			}

0x01259669
0x01259679
0x0125967d
0x01259682
0x0125968a
0x01259692
0x01259696
0x0125969e
0x012596a4
0x012596a4
0x012596a6
0x012596a8
0x012596a8
0x012596a6
0x0125968a
0x012596b1
0x012596b6
0x012596b6
0x012596bf

APIs

SetCurrentDirectoryW.KERNELBASE(00000000,01255E5F,00000000,?,?,01255E5F), ref: 01259682
GetLastError.KERNEL32(?,?,01255E5F), ref: 0125968C

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: CurrentDirectoryErrorLast
String ID:
API String ID: 152501406-0
Opcode ID: 37c26b76c59a8968b00de8ffc05d7acf7a0d0135a737c97b8e07ef99dfe5de4f
Instruction ID: 9be9cf6508024854bf2b038e84c17f843adb38d1a2db15bdedcf6b70c3956ca3
Opcode Fuzzy Hash: 37c26b76c59a8968b00de8ffc05d7acf7a0d0135a737c97b8e07ef99dfe5de4f
Instruction Fuzzy Hash: 55F0BE33C21127EFDF615696D948B9DBE749F00768F124170AE00B7150D735CE84E6E4

Uniqueness

Uniqueness Score: -1.00%

Function 01259B6A Relevance: 3.0, APIs: 2, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E01259B6A(void* _a4, void* _a8, union _LARGE_INTEGER* _a12) {
				int _t6;
				signed int _t8;
				signed int _t10;

				_t10 = 0;
				_push(0);
				_t6 = SetFilePointerEx(_a4, _a8, _a12,  &_a8); // executed
				if(_t6 == 0) {
					_t8 = GetLastError();
					if(_t8 > 0) {
						_t8 = _t8 & 0x0000ffff | 0x80070000;
					}
					_t10 = _t8;
				}
				return _t10;
			}

0x01259b72
0x01259b74
0x01259b82
0x01259b8a
0x01259b8c
0x01259b94
0x01259b9b
0x01259b9b
0x01259ba0
0x01259ba0
0x01259ba8

APIs

SetFilePointerEx.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0125A52C,00000000,00000000,00000000,00000000,00000000,00000000), ref: 01259B82
GetLastError.KERNEL32(?,?,?,0125A52C,00000000,00000000,00000000,00000000,00000000,00000000,?,?,01255AF6,0127BEF0), ref: 01259B8C

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: ab298780ba7fdd4acf9f57598839583b435f2635c9e25a1fb48660b465650933
Instruction ID: fc15dd45f1c2c6621ef3e3c103aeb0370828a3fff5adca86fd80664f98231778
Opcode Fuzzy Hash: ab298780ba7fdd4acf9f57598839583b435f2635c9e25a1fb48660b465650933
Instruction Fuzzy Hash: C6E09233610119BFAB204E85EC49EAB3B5DEB003A0B104129FE14C5040E632D92087D0

Uniqueness

Uniqueness Score: -1.00%

Function 012736FF Relevance: 3.0, APIs: 2, Instructions: 19
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E012736FF(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t8;
				void* _t19;
				void* _t20;

				_t20 = __eflags;
				E0126AAC0(__ebx, __edi, __esi);
				_t8 = E0126A753(__ebx, _t20);
				 *(_t19 - 4) =  *(_t19 - 4) & 0x00000000;
				E012736DB( *((intOrPtr*)(_t8 + 0x54))( *((intOrPtr*)(_t8 + 0x58)), 0x1277178, 0xc)); // executed
				 *((intOrPtr*)(_t19 - 0x1c)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t19 - 0x14))))));
				return E01269D0A( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t19 - 0x14)))))),  *((intOrPtr*)(_t19 - 0x14)));
			}

0x012736ff
0x01273706
0x0127370b
0x01273710
0x0127371b
0x01273727
0x01273733

APIs

__getptd.LIBCMT ref: 0127370B

Part of subcall function 0126A753: __getptd_noexit.LIBCMT ref: 0126A756
Part of subcall function 0126A753: __amsg_exit.LIBCMT ref: 0126A763

Part of subcall function 012736DB: __getptd_noexit.LIBCMT ref: 012736E0
Part of subcall function 012736DB: __freeptd.LIBCMT ref: 012736EA
Part of subcall function 012736DB: ExitThread.KERNEL32 ref: 012736F3

__XcptFilter.LIBCMT ref: 0127372C

Part of subcall function 01269D0A: __getptd_noexit.LIBCMT ref: 01269D10

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: __getptd_noexit$ExitFilterThreadXcpt__amsg_exit__freeptd__getptd
String ID:
API String ID: 418257734-0
Opcode ID: bee71f0b83772565d333143013dbbbc47bd7bc4ae33e77f26ada0cbef5b19bc4
Instruction ID: da97a0ec6bb50df4f3f3be545333bdd5a108ba19f212870380ece79f8cdea886
Opcode Fuzzy Hash: bee71f0b83772565d333143013dbbbc47bd7bc4ae33e77f26ada0cbef5b19bc4
Instruction Fuzzy Hash: 27E0ECB1960606EFEB08FBA1C949E3E7779AF54215F204059E1026B2A0CE759980DB20

Uniqueness

Uniqueness Score: -1.00%

Function 01267E1E Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01267E1E(void** __esi) {
				void* _t1;
				int _t3;
				long _t4;
				signed int* _t6;

				_t6 = __esi;
				_t1 =  *__esi;
				if(_t1 == 0) {
					L4:
					 *_t6 =  *_t6 & 0x00000000;
					return 0;
				}
				_t3 = FindCloseChangeNotification(_t1); // executed
				if(_t3 != 0) {
					goto L4;
				}
				_t4 = GetLastError();
				if(_t4 != 0) {
					return _t4;
				} else {
					return _t4 + 1;
				}
			}

0x01267e1e
0x01267e1e
0x01267e22
0x01267e3b
0x01267e3b
0x00000000
0x01267e3e
0x01267e25
0x01267e2d
0x00000000
0x00000000
0x01267e2f
0x01267e37
0x01267e40
0x01267e39
0x01267e3a
0x01267e3a

APIs

FindCloseChangeNotification.KERNELBASE(00000000,0126809D,00000000,01265279,?,?,?,00000000,01268585,?,00000000,?,?,000000CC,01260145), ref: 01267E25
GetLastError.KERNEL32 ref: 01267E2F

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification
String ID:
API String ID: 1687624791-0
Opcode ID: 750d3ad56ad47fc6b601aa132c2a3d473c7208cb8e9462d718cf4aa396267908
Instruction ID: 18e5a8cef1eb15479e6109a331f57c3fdf9b0a58752ed02cb10797f5ed949a64
Opcode Fuzzy Hash: 750d3ad56ad47fc6b601aa132c2a3d473c7208cb8e9462d718cf4aa396267908
Instruction Fuzzy Hash: B8D0C9707202038BEB700F39BD4C72236ECAF0065AF140869AA82C0089EB30C8849650

Uniqueness

Uniqueness Score: -1.00%

Function 0125B26E Relevance: 3.0, APIs: 2, Instructions: 14
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0125B26E(void* _a4) {
				char _t3;
				signed int _t4;

				_t3 = RtlFreeHeap(GetProcessHeap(), 0, _a4); // executed
				if(_t3 != 0) {
					return _t3;
				} else {
					_t4 = GetLastError();
					if(_t4 > 0) {
						return _t4 & 0x0000ffff | 0x80070000;
					}
					return _t4;
				}
			}

0x0125b27f
0x0125b287
0x0125b290
0x0125b289
0x01259a29
0x01259a31
0x00000000
0x01259a38
0x01259a3d
0x01259a3d

APIs

GetProcessHeap.KERNEL32(00000000,?), ref: 0125B278
RtlFreeHeap.NTDLL(00000000), ref: 0125B27F

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: e3ef30c8dba93d07a80a894914b8a14a8c42e854164e79a45401cd13439b263e
Instruction ID: c4dd9109a786ca1992f2b8ff3e4712568bc718b92480e935ffa2bd3a320db4d3
Opcode Fuzzy Hash: e3ef30c8dba93d07a80a894914b8a14a8c42e854164e79a45401cd13439b263e
Instruction Fuzzy Hash: 67C08032164309B7DF901EE1B88DF753F5DDB80AA6F444040FA0DC5005D971D4A08760

Uniqueness

Uniqueness Score: -1.00%

Function 0125B250 Relevance: 3.0, APIs: 2, Instructions: 10
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0125B250(long _a4) {
				void* _t3;

				_t3 = RtlAllocateHeap(GetProcessHeap(), 0, _a4); // executed
				return _t3;
			}

0x0125b261
0x0125b268

APIs

GetProcessHeap.KERNEL32(00000000,?), ref: 0125B25A
RtlAllocateHeap.NTDLL(00000000), ref: 0125B261

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 13fe8ba31479652171cc46174989ad35ab72917b603212f83e917109e54e9101
Instruction ID: 01a6b7ac1b3db95eab5c9940c8429ad6dc077802181055de798e5f6aa4be4c80
Opcode Fuzzy Hash: 13fe8ba31479652171cc46174989ad35ab72917b603212f83e917109e54e9101
Instruction Fuzzy Hash: 86C09B76044348B7CF101BD1F84DFD57F1DD785762F00C440F61DC6045CA7194208751

Uniqueness

Uniqueness Score: -1.00%

Function 012697F1 Relevance: 3.0, APIs: 2, Instructions: 8
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E012697F1(int _a4) {

				E012697C1(_a4);
				ExitProcess(_a4);
			}

0x012697f9
0x01269802

APIs

___crtCorExitProcess.LIBCMT ref: 012697F9

Part of subcall function 012697C1: GetModuleHandleW.KERNEL32(mscoree.dll,?,012697FE,?,?,0126CDE4,000000FF,0000001E,00000001,00000000,00000000,?,0126DBEB,?,00000001,?), ref: 012697CB
Part of subcall function 012697C1: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 012697DB

ExitProcess.KERNEL32 ref: 01269802

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID:
API String ID: 2427264223-0
Opcode ID: 1e4fa3cc654919b2af092d1c709b5b26b91b8b3510c38c8f4d8fe96e94fcce67
Instruction ID: b311f2c0d50f8c3db26fc0044ec9b63da450d5159620854662488316878e6972
Opcode Fuzzy Hash: 1e4fa3cc654919b2af092d1c709b5b26b91b8b3510c38c8f4d8fe96e94fcce67
Instruction Fuzzy Hash: 0EB09231000208FFEF162F12EC8D9693F6AEB917A1B208060F80809061DF72ADE2DA80

Uniqueness

Uniqueness Score: -1.00%

Function 01256463 Relevance: 2.5, APIs: 2, Instructions: 39
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01256463(void* __ebx) {
				void* __ecx;
				void* _t13;
				void* _t14;
				void* _t15;
				long _t17;

				_t13 = __ebx;
				_t17 = 0;
				if( *0x127c0e4 == 0) {
					L8:
					return 0;
				}
				if( *0x127c0ec <= 0) {
					L4:
					if(HeapFree(GetProcessHeap(), _t17,  *0x127c0e4) == 0) {
						E01259A29();
					}
					 *0x127c0e4 = _t17;
					if( *((intOrPtr*)(_t13 + 0x10)) != _t17) {
						_t4 = _t13 + 8; // 0xc874b0, executed
						E012592BB(_t15,  *_t4, 1, 1); // executed
					}
					goto L8;
				} else {
					goto L2;
				}
				do {
					L2:
					E01259C21(_t14,  *((intOrPtr*)( *0x127c0e4 + _t17 * 4))); // executed
					E01258E6F( *((intOrPtr*)( *0x127c0e4 + _t17 * 4)));
					_t17 = _t17 + 1;
				} while (_t17 <  *0x127c0ec);
				_t17 = 0;
				goto L4;
			}

0x01256463
0x01256467
0x01256470
0x012564ce
0x012564d2
0x012564d2
0x01256478
0x01256499
0x012564af
0x012564b1
0x012564b1
0x012564b6
0x012564bf
0x012564c5
0x012564c8
0x012564c8
0x00000000
0x00000000
0x00000000
0x00000000
0x0125647a
0x0125647a
0x01256483
0x01256489
0x0125648e
0x0125648f
0x01256497
0x00000000

APIs

GetProcessHeap.KERNEL32(00000000,00000000,7620EA30,?,01255BF4), ref: 012564A0
HeapFree.KERNEL32(00000000,?,01255BF4), ref: 012564A7

Part of subcall function 01259C21: DeleteFileW.KERNELBASE(00000000,?,00000000,00000000,0127BEF0,?,?,01256488,00000000,00000000,7620EA30,?,01255BF4), ref: 01259C43
Part of subcall function 01259C21: GetLastError.KERNEL32(?,?,01256488,00000000,00000000,7620EA30,?,01255BF4), ref: 01259C53
Part of subcall function 01259C21: MoveFileExW.KERNEL32(00000000,00000000,00000004,?,?,01256488,00000000,00000000,7620EA30,?,01255BF4), ref: 01259C64
Part of subcall function 01259C21: GetLastError.KERNEL32(?,?,01256488,00000000,00000000,7620EA30,?,01255BF4), ref: 01259C6E

Part of subcall function 01258E6F: GetProcessHeap.KERNEL32(00000000,00000000,?,012585A8,00000000,00000000,?,?,01256E90,00000000), ref: 01258E79
Part of subcall function 01258E6F: HeapFree.KERNEL32(00000000,?,012585A8,00000000,00000000,?,?,01256E90,00000000), ref: 01258E80

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: Heap$ErrorFileFreeLastProcess$DeleteMove
String ID:
API String ID: 2212845612-0
Opcode ID: e6e8a3e6a1d65f709c383f1380d824d299bad702dcdc3e83ce7663876de3001d
Instruction ID: dba64cf31aa0ca4342d0502fd66760f064438035d5eec12492f9f44d32868fbc
Opcode Fuzzy Hash: e6e8a3e6a1d65f709c383f1380d824d299bad702dcdc3e83ce7663876de3001d
Instruction Fuzzy Hash: DAF0AF71570122DBDB72BFF1B9C8A6B7A2AFB41B51704801AFE01D6108C7308492DBE0

Uniqueness

Uniqueness Score: -1.00%

Function 0125AC67 Relevance: 1.6, APIs: 1, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 17%

			E0125AC67(intOrPtr __ebx, intOrPtr __ecx, char _a4) {
				signed int _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				signed int _v28;
				void* _v32;
				signed int _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v48;
				signed int _v52;
				signed int _v56;
				void* _v60;
				char _v64;
				void* __edi;
				void* __esi;
				signed int _t42;
				void* _t48;
				signed int _t51;
				signed int _t61;
				signed int _t62;
				signed int _t64;
				intOrPtr _t67;
				intOrPtr _t68;
				signed int _t74;
				signed int _t77;

				_t68 = __ecx;
				_t67 = __ebx;
				_t42 =  *0x127a050; // 0xa41d0fe1
				_v12 = _t42 ^ _t77;
				_v44 = _a4;
				_v24 = 0;
				asm("stosd");
				asm("stosd");
				_v64 = 0;
				_t74 =  &_v60;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t48 =  *((intOrPtr*)(__ebx + 0xc)) - 1;
				_v48 = __ecx;
				_v32 = 0;
				if(_t48 == 0) {
					_t74 = __imp__#20;
					_v36 = __imp__#23;
					_v40 = __imp__#22;
					L5:
					_t51 = E012588ED( &_v32,  *((intOrPtr*)(_t68 + 4)));
					_v28 = _t51;
					__eflags = _t51;
					if(_t51 < 0) {
						L19:
						 *0x127c14c = 0;
						 *0x127c150 = 0;
						if(_v32 != 0) {
							E01258E6F(_v32);
						}
						return E012691D5(_v28, _t67, _v12 ^ _t77, 0, _t74, 0);
					}
					_v64 = _v44;
					 *0x127c14c = _v48;
					_v60 = E012564D8;
					_v56 = 0;
					_v52 = 0;
					 *0x127c150 = _t67;
					_t74 =  *_t74(E0125B250, E0125B26E, E0125B296, E0125B32B, E0125B390, E0125B48E, E0125B3F5, 0xffffffff,  &_v24);
					__eflags = _t74;
					if(_t74 != 0) {
						_t61 = _v40(_t74, _v32, 0x12550f5, 0, E0125B07F, 0,  &_v64);
						__eflags = _t61;
						if(_t61 == 0) {
							L10:
							_t62 = _v52;
							__eflags = _t62;
							if(_t62 < 0) {
								L14:
								_v28 = _t62;
								L17:
								__eflags = _v36;
								if(_v36 != 0) {
									_v36(_t74);
								}
								goto L19;
							}
							_t62 = _v20;
							__eflags = _t62;
							if(__eflags == 0) {
								_t64 =  *0x127c154;
								_v28 = _t64;
								__eflags = _t64;
								if(_t64 >= 0) {
									_v28 = 0x80004005;
								}
								goto L17;
							}
							if(__eflags > 0) {
								_t62 = _t62 & 0x0000ffff | 0x80070000;
								__eflags = _t62;
							}
							goto L14;
						}
						__eflags = _v16;
						if(_v16 == 0) {
							goto L17;
						}
						goto L10;
					}
					_v28 = 0x80004005;
					goto L19;
				}
				if(_t48 == 1) {
					_t74 = E0125BBEF;
					_v36 = E0125BF1C;
					_v40 = E0125BC8E;
					goto L5;
				} else {
					_v28 = 0x8000ffff;
					goto L19;
				}
			}

0x0125ac67
0x0125ac67
0x0125ac6f
0x0125ac76
0x0125ac7c
0x0125ac85
0x0125ac8b
0x0125ac8c
0x0125ac8f
0x0125ac92
0x0125ac95
0x0125ac96
0x0125ac97
0x0125ac9b
0x0125ac9c
0x0125ac9f
0x0125aca2
0x0125accd
0x0125acd3
0x0125acdb
0x0125acde
0x0125ace4
0x0125aceb
0x0125acee
0x0125acf0
0x0125adb3
0x0125adb5
0x0125adba
0x0125adc2
0x0125adc7
0x0125adc7
0x0125addc
0x0125addc
0x0125acf9
0x0125acff
0x0125ad2d
0x0125ad34
0x0125ad37
0x0125ad3a
0x0125ad42
0x0125ad47
0x0125ad49
0x0125ad68
0x0125ad6e
0x0125ad70
0x0125ad77
0x0125ad77
0x0125ad7a
0x0125ad7c
0x0125ad91
0x0125ad91
0x0125ada9
0x0125ada9
0x0125adac
0x0125adaf
0x0125adb2
0x00000000
0x0125adac
0x0125ad7e
0x0125ad81
0x0125ad83
0x0125ad96
0x0125ad9b
0x0125ad9e
0x0125ada0
0x0125ada2
0x0125ada2
0x00000000
0x0125ada0
0x0125ad85
0x0125ad8c
0x0125ad8c
0x0125ad8c
0x00000000
0x0125ad85
0x0125ad72
0x0125ad75
0x00000000
0x00000000
0x00000000
0x0125ad75
0x0125ad4b
0x00000000
0x0125ad4b
0x0125aca5
0x0125acb3
0x0125acb8
0x0125acbf
0x00000000
0x0125aca7
0x0125aca7
0x00000000
0x0125aca7

APIs

#20.CABINET(0125B250,0125B26E,0125B296,0125B32B,0125B390,0125B48E,0125B3F5,000000FF,?,?,00000000,00000000), ref: 0125AD40

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73209789efc456cb6d24bb2853c5a59823161fe5942ae9e97e875beae6990551
Instruction ID: f8014c9e9d625233812e0b67bd376468f405f5af6145953a7a33d5ce56e45893
Opcode Fuzzy Hash: 73209789efc456cb6d24bb2853c5a59823161fe5942ae9e97e875beae6990551
Instruction Fuzzy Hash: 15416A70D2121AAF8B90DFA9E8C69EEBFF1EB08710F10412AEE15F7204D77489408F90

Uniqueness

Uniqueness Score: -1.00%

Function 012687CE Relevance: 1.6, APIs: 1, Instructions: 113
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E012687CE(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a16, intOrPtr _a20, intOrPtr _a28, intOrPtr _a32) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t45;
				intOrPtr _t60;
				intOrPtr* _t61;
				void* _t62;
				void* _t67;
				intOrPtr* _t68;
				void* _t70;
				void* _t71;
				signed int _t72;
				void* _t74;
				signed int _t75;
				signed int _t76;
				intOrPtr _t77;

				_t62 = __ecx;
				_t60 = _a4;
				if(_a16 !=  *((intOrPtr*)(_t60 + 0x3c))) {
					L28:
					return 0x80070057;
				}
				_t80 = _a28 -  *((intOrPtr*)(_t60 + 0x50));
				if(_a28 !=  *((intOrPtr*)(_t60 + 0x50))) {
					goto L28;
				}
				E012685CB(_t60, __edx, _t71, _t74, _t80, _a8, _a20);
				_t72 = 0;
				if( *((intOrPtr*)(_t60 + 0x7c)) <= 0) {
					L6:
					_t75 = 0;
					if( *((intOrPtr*)(_t60 + 0x7c)) > 0) {
						do {
							if(_t75 !=  *(_t60 + 0x70)) {
								 *((char*)( *((intOrPtr*)( *((intOrPtr*)(_t60 + 0x80)) + _t75 * 4)) + 0x10)) = 0;
								E01267F50( *((intOrPtr*)( *((intOrPtr*)(_t60 + 0x80)) + _t75 * 4)) + 4);
							}
							_t75 = _t75 + 1;
						} while (_t75 <  *((intOrPtr*)(_t60 + 0x7c)));
					}
					E01268214( *((intOrPtr*)(_t60 + 0x80)),  *((intOrPtr*)( *((intOrPtr*)(_t60 + 0x80)) +  *(_t60 + 0x70) * 4)), _a32); // executed
					_t76 = 0;
					if( *((intOrPtr*)(_t60 + 0x7c)) > 0) {
						do {
							if(_t76 !=  *(_t60 + 0x70)) {
								WaitForSingleObject( *( *((intOrPtr*)( *((intOrPtr*)(_t60 + 0x80)) + _t76 * 4)) + 8), 0xffffffff);
							}
							_t76 = _t76 + 1;
						} while (_t76 <  *((intOrPtr*)(_t60 + 0x7c)));
					}
					_t45 = E012687A4(0x80004004, _t60);
					if(_t45 == 0) {
						_t45 = E012687A4(0x8007000e, _t60);
						if(_t45 == 0) {
							_t77 =  *((intOrPtr*)(_t60 + 0x7c));
							_t70 = 0;
							if(_t77 <= 0) {
								L22:
								_t45 = E012687A4(1, _t60);
								if(_t45 == 0) {
									_t67 = 0;
									if(_t77 <= 0) {
										L27:
										return 0;
									}
									_t61 =  *((intOrPtr*)(_t60 + 0x80));
									while(1) {
										_t45 =  *((intOrPtr*)( *_t61 + 0x74));
										if(_t45 != 0) {
											goto L29;
										}
										_t67 = _t67 + 1;
										_t61 = _t61 + 4;
										if(_t67 < _t77) {
											continue;
										} else {
											goto L27;
										}
										L30:
									}
								}
							} else {
								_t68 =  *((intOrPtr*)(_t60 + 0x80));
								while(1) {
									_t45 =  *((intOrPtr*)( *_t68 + 0x74));
									if(_t45 != 0 && _t45 != 0x80004005 && _t45 != 1) {
										goto L29;
									}
									_t70 = _t70 + 1;
									_t68 = _t68 + 4;
									if(_t70 < _t77) {
										continue;
									} else {
										goto L22;
									}
									goto L29;
								}
							}
						}
					}
				} else {
					do {
						if(_t72 ==  *(_t60 + 0x70)) {
							goto L5;
						} else {
							_t45 = E01267FD7(_t62,  *((intOrPtr*)( *((intOrPtr*)(_t60 + 0x80)) + _t72 * 4))); // executed
							if(_t45 == 0) {
								goto L5;
							}
						}
						goto L29;
						L5:
						_t72 = _t72 + 1;
					} while (_t72 <  *((intOrPtr*)(_t60 + 0x7c)));
					goto L6;
				}
				L29:
				return _t45;
				goto L30;
			}

0x012687ce
0x012687d7
0x012687df
0x01268900
0x00000000
0x01268900
0x012687e8
0x012687eb
0x00000000
0x00000000
0x012687f7
0x012687fc
0x01268801
0x01268824
0x01268824
0x01268829
0x0126882b
0x0126882e
0x01268839
0x01268840
0x01268840
0x01268845
0x01268846
0x0126882b
0x0126885a
0x0126885f
0x01268864
0x01268866
0x01268869
0x01268879
0x01268879
0x0126887f
0x01268880
0x01268866
0x0126888c
0x01268893
0x0126889c
0x012688a3
0x012688a5
0x012688a8
0x012688ac
0x012688d1
0x012688d6
0x012688dd
0x012688df
0x012688e3
0x012688fc
0x00000000
0x012688fc
0x012688e5
0x012688eb
0x012688ed
0x012688f2
0x00000000
0x00000000
0x012688f4
0x012688f5
0x012688fa
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x012688fa
0x012688eb
0x012688ae
0x012688ae
0x012688b4
0x012688b6
0x012688bb
0x00000000
0x00000000
0x012688c9
0x012688ca
0x012688cf
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x012688cf
0x012688b4
0x012688ac
0x012688a3
0x01268803
0x01268803
0x01268806
0x00000000
0x01268808
0x01268811
0x01268818
0x00000000
0x00000000
0x01268818
0x00000000
0x0126881e
0x0126881e
0x0126881f
0x00000000
0x01268803
0x01268909
0x01268909
0x00000000

APIs

Part of subcall function 012685CB: __EH_prolog3.LIBCMT ref: 012685D2

WaitForSingleObject.KERNEL32(?,000000FF,?,?), ref: 01268879

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: H_prolog3ObjectSingleWait
String ID:
API String ID: 2100491740-0
Opcode ID: e10522b474df8bb6452d3a4feda38183d46698e709d53e489fbcdc69aaad64a5
Instruction ID: 2a6086c331d4d32508bc7eda0898605718cbb832ff47b82bf1ed51993d7721dc
Opcode Fuzzy Hash: e10522b474df8bb6452d3a4feda38183d46698e709d53e489fbcdc69aaad64a5
Instruction Fuzzy Hash: 3741623162035A8BDF72DE2CD8C0B6937A9BF44644F154168DE65EF2A7DB30E8818B91

Uniqueness

Uniqueness Score: -1.00%

Function 01265453 Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E01265453(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				signed int _t58;
				void* _t59;
				intOrPtr _t61;
				void* _t63;
				signed int _t64;
				intOrPtr _t68;
				void* _t73;
				intOrPtr* _t74;
				intOrPtr _t76;
				intOrPtr* _t77;
				signed int _t80;
				intOrPtr _t83;
				void* _t94;
				signed int _t99;

				_push(0xc);
				E01274DF4(0x1276106, __ebx, __edi, __esi);
				_t73 = __ecx;
				_t76 =  *((intOrPtr*)(__ecx + 0x20));
				if( *((char*)(_t76 +  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x14)) + 0xc)))) == 0) {
					 *(_t94 - 0x10) = 2;
				} else {
					 *(_t94 - 0x10) = 0 |  *((intOrPtr*)(__ecx + 0x28)) != 0x00000000;
				}
				 *(_t94 - 0x14) =  *(_t94 - 0x14) & 0x00000000;
				 *(_t94 - 4) =  *(_t94 - 4) & 0x00000000;
				_t58 =  *((intOrPtr*)(_t73 + 0x18)) + _t76;
				_t77 =  *((intOrPtr*)(_t73 + 0x24));
				 *(_t94 - 0x18) = _t58;
				_t59 =  *((intOrPtr*)( *_t77 + 0x14))(_t77,  *((intOrPtr*)(_t73 + 0x1c)) + _t58, _t94 - 0x14,  *(_t94 - 0x10));
				_t91 = _t59;
				if(_t59 == 0) {
					E01262BB6( *(_t94 - 0x14),  *((intOrPtr*)(_t73 + 8)) + 8);
					_t61 =  *((intOrPtr*)(_t73 + 8));
					 *(_t61 + 0x18) =  *(_t61 + 0x18) | 0xffffffff;
					 *((intOrPtr*)(_t61 + 0x10)) = 0;
					 *((intOrPtr*)(_t61 + 0x14)) = 0;
					 *((char*)(_t61 + 0x1c)) =  *((intOrPtr*)(_t73 + 0x2a));
					if( *(_t94 - 0x10) == 0 &&  *(_t94 - 0x14) == 0) {
						_t68 =  *((intOrPtr*)(_t73 + 0x10));
						_t80 =  *(_t94 - 0x18);
						_t83 =  *((intOrPtr*)( *((intOrPtr*)(_t68 + 0x70)) + _t80 * 4));
						if(_t80 >=  *((intOrPtr*)(_t68 + 0x120)) ||  *((char*)(_t80 +  *((intOrPtr*)(_t68 + 0x124)))) == 0) {
							if( *((char*)(_t83 + 0x1d)) == 0) {
								 *(_t94 - 0x10) = 2;
							}
						}
					}
					_t74 =  *((intOrPtr*)(_t73 + 0x24));
					_t63 =  *((intOrPtr*)( *_t74 + 0x18))(_t74,  *(_t94 - 0x10));
					 *(_t94 - 4) =  *(_t94 - 4) | 0xffffffff;
					_t91 = _t63;
					_t64 =  *(_t94 - 0x14);
				} else {
					 *(_t94 - 4) =  *(_t94 - 4) | 0xffffffff;
					_t64 =  *(_t94 - 0x14);
					_t99 = _t64;
				}
				if(_t99 != 0) {
					 *((intOrPtr*)( *_t64 + 8))(_t64);
				}
				return E01274EE0(_t91);
			}

0x01265453
0x0126545a
0x0126545f
0x01265464
0x0126546e
0x0126547d
0x01265470
0x01265478
0x01265478
0x01265484
0x01265488
0x01265499
0x0126549b
0x012654a4
0x012654a7
0x012654aa
0x012654ae
0x012654c4
0x012654c9
0x012654cf
0x012654d5
0x012654d8
0x012654db
0x012654e1
0x012654e8
0x012654eb
0x012654f1
0x012654fa
0x0126550c
0x0126550e
0x0126550e
0x0126550c
0x012654fa
0x01265515
0x0126551e
0x01265521
0x01265525
0x01265527
0x012654b0
0x012654b0
0x012654b4
0x012654b7
0x012654b7
0x0126552c
0x01265531
0x01265531
0x0126553b

APIs

__EH_prolog3.LIBCMT ref: 0126545A

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 9789a9f673c8a37f96f3ed6539844690c18527f9cd71baf257500c095e73fa19
Instruction ID: fd4b2ff37ccc9eaac070be113b1b55f0aad7929b7b9825ef0bef5b6fcfad11e3
Opcode Fuzzy Hash: 9789a9f673c8a37f96f3ed6539844690c18527f9cd71baf257500c095e73fa19
Instruction Fuzzy Hash: E8312D71A20256CFDB15CF68C488AAABBF5FF49360F2506D4D954AB292C374ED81CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0125C49D Relevance: 1.6, APIs: 1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E0125C49D(signed int __eax, void* __ebx, void* __ecx, void* __edi, intOrPtr* __esi) {
				intOrPtr _v4;
				char _v8;
				char _v12;
				intOrPtr _v20;
				signed int _t41;
				signed short* _t43;
				void* _t46;
				intOrPtr _t50;
				signed int _t51;
				signed int _t54;
				signed int _t56;
				void* _t58;
				signed int _t59;
				void* _t73;
				signed int _t75;
				signed int _t76;
				intOrPtr _t79;
				intOrPtr _t81;
				intOrPtr* _t83;
				void* _t85;
				void* _t87;
				void* _t90;

				_t83 = __esi;
				_t78 = __edi;
				_t58 = __ecx;
				_t39 = __eax;
				_push(__ecx);
				_t1 = _t39 + 1; // 0x1
				_t54 = _t1;
				if(_t54 ==  *((intOrPtr*)(__esi + 8))) {
					L8:
					return _t39;
				} else {
					if(__eax > 0x20000000) {
						L9:
						_v8 = 0x100eb1;
						_t41 = E01273B07( &_v8, 0x12771d8);
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_t85 = _t87;
						_push(_t58);
						_push(_t54);
						_t23 = _t41 + 1; // 0x1
						_t56 = _t23;
						__eflags = _t56 -  *(_t83 + 8);
						if(_t56 ==  *(_t83 + 8)) {
							L18:
							return _t41;
						} else {
							__eflags = _t41 - 0x20000000;
							if(_t41 > 0x20000000) {
								L19:
								_v12 = 0x100eb1;
								_t43 = E01273B07( &_v12, 0x12771d8);
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								_push(_t85);
								_t75 = _v20 - _t43;
								__eflags = _t75;
								do {
									_t59 =  *_t43 & 0x0000ffff;
									 *(_t43 + _t75) = _t59;
									_t43 =  &(_t43[1]);
									__eflags = _t59;
								} while (_t59 != 0);
								return _v4;
							} else {
								__eflags = _t41 -  *(_t83 + 4);
								if(__eflags < 0) {
									goto L19;
								} else {
									_push(_t78);
									_push(_t56);
									_t79 = L0127366B(_t73, _t78, _t83, __eflags);
									_t46 = 0;
									__eflags =  *(_t83 + 8);
									if( *(_t83 + 8) > 0) {
										__eflags =  *(_t83 + 4);
										if( *(_t83 + 4) > 0) {
											do {
												 *((char*)(_t46 + _t79)) =  *((intOrPtr*)(_t46 +  *_t83));
												_t46 = _t46 + 1;
												__eflags = _t46 -  *(_t83 + 4);
											} while (_t46 <  *(_t83 + 4));
										}
										_push( *_t83);
										E01273539();
									}
									_t41 =  *(_t83 + 4);
									 *_t83 = _t79;
									 *((char*)(_t79 + _t41)) = 0;
									 *(_t83 + 8) = _t56;
									goto L18;
								}
							}
						}
					} else {
						_t90 = __eax -  *((intOrPtr*)(__esi + 4));
						if(_t90 < 0) {
							goto L9;
						} else {
							_push(__edi);
							_t76 = 2;
							_push( ~(0 | _t90 > 0x00000000) | _t54 * _t76); // executed
							_t50 = L0127366B(_t54 * _t76 >> 0x20, __edi, __esi, _t90); // executed
							_t81 = _t50;
							_t51 = 0;
							if( *((intOrPtr*)(__esi + 8)) > 0) {
								if( *((intOrPtr*)(__esi + 4)) > 0) {
									do {
										 *((short*)(_t81 + _t51 * 2)) =  *((intOrPtr*)( *__esi + _t51 * 2));
										_t51 = _t51 + 1;
									} while (_t51 <  *((intOrPtr*)(__esi + 4)));
								}
								_push( *_t83);
								E01273539();
							}
							_t39 =  *(_t83 + 4);
							 *_t83 = _t81;
							 *((short*)(_t81 + _t39 * 2)) = 0;
							 *(_t83 + 8) = _t54;
							goto L8;
						}
					}
				}
			}

0x0125c49d
0x0125c49d
0x0125c49d
0x0125c49d
0x0125c4a2
0x0125c4a4
0x0125c4a4
0x0125c4aa
0x0125c505
0x0125c507
0x0125c4ac
0x0125c4b1
0x0125c508
0x0125c511
0x0125c518
0x0125c51d
0x0125c51e
0x0125c51f
0x0125c520
0x0125c521
0x0125c522
0x0125c526
0x0125c528
0x0125c529
0x0125c52a
0x0125c52a
0x0125c52d
0x0125c530
0x0125c577
0x0125c579
0x0125c532
0x0125c532
0x0125c537
0x0125c57a
0x0125c583
0x0125c58a
0x0125c58f
0x0125c590
0x0125c591
0x0125c592
0x0125c593
0x0125c594
0x0125c597
0x0125c59d
0x0125c59d
0x0125c59f
0x0125c59f
0x0125c5a2
0x0125c5a6
0x0125c5a9
0x0125c5a9
0x0125c5b2
0x0125c539
0x0125c539
0x0125c53c
0x00000000
0x0125c53e
0x0125c53e
0x0125c53f
0x0125c545
0x0125c547
0x0125c54a
0x0125c54d
0x0125c54f
0x0125c552
0x0125c554
0x0125c559
0x0125c55c
0x0125c55d
0x0125c55d
0x0125c554
0x0125c562
0x0125c564
0x0125c569
0x0125c56a
0x0125c56d
0x0125c56f
0x0125c573
0x00000000
0x0125c576
0x0125c53c
0x0125c537
0x0125c4b3
0x0125c4b3
0x0125c4b6
0x00000000
0x0125c4b8
0x0125c4b8
0x0125c4bd
0x0125c4c9
0x0125c4ca
0x0125c4cf
0x0125c4d1
0x0125c4d7
0x0125c4dc
0x0125c4de
0x0125c4e4
0x0125c4e8
0x0125c4e9
0x0125c4de
0x0125c4ee
0x0125c4f0
0x0125c4f5
0x0125c4f6
0x0125c4f9
0x0125c4fd
0x0125c501
0x00000000
0x0125c504
0x0125c4b6
0x0125c4b1

APIs

__CxxThrowException@8.LIBCMT ref: 0125C518

Part of subcall function 012735E6: _malloc.LIBCMT ref: 01273600

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: Exception@8Throw_malloc
String ID:
API String ID: 3476970888-0
Opcode ID: 032b7ad1121c6f643b46a726ca20112e97fe889c34fd00e97cba8b1668f07cf2
Instruction ID: a948c1acba304a6fbdb1f592c94fb810f798f5e7ae168e23d34667a27e218678
Opcode Fuzzy Hash: 032b7ad1121c6f643b46a726ca20112e97fe889c34fd00e97cba8b1668f07cf2
Instruction Fuzzy Hash: 3801CC71120702AFC334DF6EE6C1D3BB7E8FB44714B20882EE586D3660EB31A4508710

Uniqueness

Uniqueness Score: -1.00%

Function 01271603 Relevance: 1.6, APIs: 1, Instructions: 52
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E01271603(signed int _a4, signed int _a8, long _a12) {
				void* _t10;
				long _t11;
				long _t12;
				signed int _t13;
				signed int _t17;
				long _t19;
				long _t24;

				_t17 = _a4;
				if(_t17 == 0) {
					L3:
					_t24 = _t17 * _a8;
					__eflags = _t24;
					if(_t24 == 0) {
						_t24 = _t24 + 1;
						__eflags = _t24;
					}
					goto L5;
					L6:
					_t10 = RtlAllocateHeap( *0x127b9a0, 8, _t24); // executed
					__eflags = 0;
					if(0 == 0) {
						goto L7;
					}
					L14:
					return _t10;
					goto L15;
					L7:
					__eflags =  *0x127be94;
					if( *0x127be94 == 0) {
						_t19 = _a12;
						__eflags = _t19;
						if(_t19 != 0) {
							 *_t19 = 0xc;
						}
					} else {
						_t11 = E0126D44A(_t24);
						__eflags = _t11;
						if(_t11 != 0) {
							L5:
							_t10 = 0;
							__eflags = _t24 - 0xffffffe0;
							if(_t24 > 0xffffffe0) {
								goto L7;
							} else {
								goto L6;
							}
						} else {
							_t12 = _a12;
							__eflags = _t12;
							if(_t12 != 0) {
								 *_t12 = 0xc;
							}
							_t10 = 0;
						}
					}
					goto L14;
				} else {
					_t13 = 0xffffffe0;
					_t27 = _t13 / _t17 - _a8;
					if(_t13 / _t17 >= _a8) {
						goto L3;
					} else {
						 *((intOrPtr*)(E0126B059(_t27))) = 0xc;
						return 0;
					}
				}
				L15:
			}

0x01271608
0x0127160d
0x0127162a
0x0127162f
0x01271631
0x01271633
0x01271635
0x01271635
0x01271635
0x00000000
0x0127163d
0x01271646
0x0127164c
0x0127164e
0x00000000
0x00000000
0x01271682
0x01271684
0x00000000
0x01271650
0x01271650
0x01271657
0x01271675
0x01271678
0x0127167a
0x0127167c
0x0127167c
0x01271659
0x0127165a
0x01271660
0x01271662
0x01271636
0x01271636
0x01271638
0x0127163b
0x00000000
0x00000000
0x00000000
0x00000000
0x01271664
0x01271664
0x01271667
0x01271669
0x0127166b
0x0127166b
0x01271671
0x01271671
0x01271662
0x00000000
0x0127160f
0x01271613
0x01271616
0x01271619
0x00000000
0x0127161b
0x01271620
0x01271629
0x01271629
0x01271619
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0126DC3A,?,?,00000000,00000000,00000000,?,0126A700,00000001,00000214,?,0126DBEB), ref: 01271646

Part of subcall function 0126B059: __getptd_noexit.LIBCMT ref: 0126B059

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: AllocateHeap__getptd_noexit
String ID:
API String ID: 328603210-0
Opcode ID: 0cf0be37ad7b9da3cf774c6296edbd93842683f43ab4fbb4df9d329ae7b032d8
Instruction ID: 2e2bda4ba55a95ad56a31a981504e4ce628150838ca21b6fc15846c666e94b6f
Opcode Fuzzy Hash: 0cf0be37ad7b9da3cf774c6296edbd93842683f43ab4fbb4df9d329ae7b032d8
Instruction Fuzzy Hash: 8F01D4313212179FFB399E29D818B673758FF81760F098529EA25CB1D0EB70D920CB40

Uniqueness

Uniqueness Score: -1.00%

Function 01262D7D Relevance: 1.5, APIs: 1, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E01262D7D(void* __ecx, void* __edi, intOrPtr* __esi) {
				char _v8;
				char _v12;
				intOrPtr* _t21;
				char _t22;
				intOrPtr _t23;
				signed int _t24;
				signed int _t25;
				intOrPtr _t31;
				intOrPtr _t32;
				intOrPtr* _t38;

				_t38 = __esi;
				if( *((char*)(__esi + 0x1c)) == 0) {
					_t31 =  *((intOrPtr*)(__esi + 8));
					asm("cdq");
					 *((intOrPtr*)(__esi + 0x10)) =  *((intOrPtr*)(__esi + 0x10)) +  *__esi - _t31;
					_t21 =  *((intOrPtr*)(__esi + 0xc));
					asm("adc [esi+0x14], edx");
					_t22 =  *((intOrPtr*)( *_t21 + 0xc))(_t21, _t31,  *((intOrPtr*)(__esi + 0x18)),  &_v12, __edi);
					if(_t22 != 0) {
						_v8 = _t22;
						E01273B07( &_v8, 0x1277260);
					}
					_t23 =  *((intOrPtr*)(_t38 + 8));
					_t32 = _v12;
					 *_t38 = _t23;
					_t24 = _t23 + _t32;
					 *(_t38 + 4) = _t24;
					_t25 = _t24 & 0xffffff00 | _t32 == 0x00000000;
					 *(_t38 + 0x1c) = _t25;
					return _t25 & 0xffffff00 | _t25 == 0x00000000;
				} else {
					return 0;
				}
			}

0x01262d7d
0x01262d88
0x01262d8e
0x01262d96
0x01262d97
0x01262d9a
0x01262da0
0x01262dab
0x01262db1
0x01262db3
0x01262dbf
0x01262dbf
0x01262dc4
0x01262dc7
0x01262dca
0x01262dcc
0x01262dd0
0x01262dd3
0x01262dda
0x01262de1
0x01262d8a
0x01262d8d
0x01262d8d

APIs

__CxxThrowException@8.LIBCMT ref: 01262DBF

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: Exception@8Throw
String ID:
API String ID: 2005118841-0
Opcode ID: 8385490fb8a996edb008a4e85e20f97170660a4ff360784232af0732f03b3d97
Instruction ID: 66fefa25782bb13c030d3fae051708e85af83ce9ee1dd6c83382a50d5855e35e
Opcode Fuzzy Hash: 8385490fb8a996edb008a4e85e20f97170660a4ff360784232af0732f03b3d97
Instruction Fuzzy Hash: B101BC70610702AFCB28CF69C804D5BBBF8EF856147048A5DA082C3640D770FA45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01259CA3 Relevance: 1.5, APIs: 1, Instructions: 36
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01259CA3(void* __ecx, intOrPtr _a4, long _a8, long _a12, long _a16, long _a20) {
				signed int _v8;
				void* __esi;
				signed int _t12;
				signed int _t13;
				signed int _t15;
				signed int _t20;

				_t15 = 0;
				_v8 = _v8 & 0;
				_t12 = E01259926( &_v8, _a4);
				_t20 = _t12;
				if(_t20 >= 0) {
					_t12 = CreateFileW(_v8, _a8, _a12, 0, _a16, _a20, 0); // executed
					_t15 = _t12;
				}
				if(_v8 != 0) {
					_t12 = E01258E6F(_v8);
				}
				if(_t20 < 0) {
					_t13 = _t12 | 0xffffffff;
				} else {
					_t13 = _t15;
				}
				return _t13;
			}

0x01259cae
0x01259cb0
0x01259cb6
0x01259cbb
0x01259cbf
0x01259cd2
0x01259cd8
0x01259cd8
0x01259cde
0x01259ce3
0x01259ce3
0x01259cea
0x01259cf0
0x01259cec
0x01259cec
0x01259cec
0x01259cf6

APIs

CreateFileW.KERNELBASE(?,?,0127BEF0,00000000,01255AE3,?,00000000,?,00000000,?,?,?,0125843A,?,40000000,00000005), ref: 01259CD2

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d00b39450be022ae2c7fed757409b2c278e76df24d4434488f815b302d8cbe5b
Instruction ID: dca83ff2506cce95ceda6c683e976ec1b3d4915128f7482339ece17114ba5c8c
Opcode Fuzzy Hash: d00b39450be022ae2c7fed757409b2c278e76df24d4434488f815b302d8cbe5b
Instruction Fuzzy Hash: F5F09032911119FFCF529E98DEC59DE7EB9EF083A9F104121BE1126160D3718E60E7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0126388C Relevance: 1.5, APIs: 1, Instructions: 34
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 79%

			E0126388C(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t23;
				intOrPtr _t26;
				intOrPtr _t31;
				intOrPtr* _t32;
				void* _t34;
				void* _t35;

				E01274DF4(0x1276131, __ebx, __edi, __esi);
				_t31 = __ecx;
				 *((intOrPtr*)(_t35 - 0x10)) = __ecx;
				 *((intOrPtr*)(__ecx)) = 0x12554d8;
				 *((intOrPtr*)(__ecx + 4)) = 0x12554ec;
				 *((intOrPtr*)(__ecx + 8)) = 0x12554fc;
				 *((intOrPtr*)(__ecx + 0xc)) = 0x125550c;
				 *((intOrPtr*)(__ecx + 0x10)) = 0x1255520;
				 *((intOrPtr*)(__ecx + 0x14)) = 0x1255530;
				 *(_t35 - 4) =  *(_t35 - 4) & 0x00000000;
				_t34 = __ecx + 0x2c;
				E01267CD5(_t34);
				 *0x127ae24(0x127ae20,  *(_t34 + 0x14), 4); // executed
				 *(_t34 + 0x14) =  *(_t34 + 0x14) & 0x00000000;
				_t23 =  *((intOrPtr*)(__ecx + 0x20));
				if(_t23 != 0) {
					_t26 =  *0x127bf58; // 0x0, executed
					_t23 =  *((intOrPtr*)(_t26 + 4))(_t23);
				}
				 *(_t35 - 4) =  *(_t35 - 4) | 0xffffffff;
				_t32 =  *((intOrPtr*)(_t31 + 0x1c));
				if(_t32 != 0) {
					_t23 =  *((intOrPtr*)( *_t32 + 8))(_t32);
				}
				return E01274EE0(_t23);
			}

0x01263893
0x01263898
0x0126389a
0x0126389d
0x012638a3
0x012638aa
0x012638b1
0x012638b8
0x012638bf
0x012638c6
0x012638ca
0x012638cd
0x012638da
0x012638e0
0x012638e4
0x012638e9
0x012638ec
0x012638f1
0x012638f4
0x012638f5
0x012638f9
0x012638fe
0x01263903
0x01263903
0x0126390b

APIs

__EH_prolog3.LIBCMT ref: 01263893

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 7ecbfe1508eaf4e9018e432c905876b440398712d422034ecc373b565f94b848
Instruction ID: 5709e9b8f9b6e5f209a7804e6fcba118e8b9e35dd630d27202e37e76c40506d7
Opcode Fuzzy Hash: 7ecbfe1508eaf4e9018e432c905876b440398712d422034ecc373b565f94b848
Instruction Fuzzy Hash: 51016D71221B42EFD714DF28E54CA1AFBF5FF00725B148608E5199B6A0DB70E954CF91

Uniqueness

Uniqueness Score: -1.00%

Function 01262F92 Relevance: 1.5, APIs: 1, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E01262F92(intOrPtr* __eax, void* __ecx, char __edx) {
				char _v8;
				void* __esi;
				char _t14;
				intOrPtr* _t21;

				_push(__ecx);
				_t21 = __eax;
				_t18 =  *((intOrPtr*)(__eax + 4));
				 *((char*)( *__eax +  *((intOrPtr*)(__eax + 4)))) = __edx;
				 *((intOrPtr*)(__eax + 4)) =  *((intOrPtr*)(__eax + 4)) + 1;
				_t14 =  *((intOrPtr*)(__eax + 4));
				if(_t14 ==  *((intOrPtr*)(__eax + 8))) {
					if( *((intOrPtr*)(__eax + 0xc)) == _t14) {
						L4:
						_t14 = 0;
						if(0 != 0) {
							goto L5;
						}
					} else {
						while(1) {
							_t14 = E01262DE7(_t18, _t21); // executed
							if(_t14 != 0) {
								break;
							}
							if( *((intOrPtr*)(_t21 + 0xc)) !=  *((intOrPtr*)(_t21 + 4))) {
								continue;
							} else {
								goto L4;
							}
							goto L6;
						}
						L5:
						_v8 = _t14;
						_t14 = E01273B07( &_v8, 0x1277298);
					}
				}
				L6:
				return _t14;
			}

0x01262f97
0x01262f99
0x01262f9d
0x01262fa0
0x01262fa3
0x01262fa6
0x01262fac
0x01262fb1
0x01262fc4
0x01262fc4
0x01262fc8
0x00000000
0x00000000
0x01262fb3
0x01262fb3
0x01262fb3
0x01262fba
0x00000000
0x00000000
0x01262fc2
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x01262fc2
0x01262fca
0x01262fca
0x01262fd6
0x01262fd6
0x01262fb1
0x01262fdb
0x01262fdd

APIs

__CxxThrowException@8.LIBCMT ref: 01262FD6

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: Exception@8Throw
String ID:
API String ID: 2005118841-0
Opcode ID: d4885de089c6e17fe311fc6d73550a7062a5bb86f0c396a9af2904b1089a1ebd
Instruction ID: 34efbcc2803d1b3ddd49cda2d2324de059155f7245c24bab27db6135535e7e36
Opcode Fuzzy Hash: d4885de089c6e17fe311fc6d73550a7062a5bb86f0c396a9af2904b1089a1ebd
Instruction Fuzzy Hash: 3FF0FE30620A06DF9B31DB69C581C67B7ECEF547503148D5DE996C3681E770F981CB61

Uniqueness

Uniqueness Score: -1.00%

Function 01265293 Relevance: 1.5, APIs: 1, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E01265293(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t22;
				intOrPtr* _t33;
				intOrPtr* _t34;
				void* _t35;

				_push(0);
				E01274DF4(0x1276062, __ebx, __edi, __esi);
				_t33 =  *((intOrPtr*)(_t35 + 8));
				 *(_t35 - 4) = 4;
				E01262BD6(_t33 + 0x4c);
				 *(_t35 - 4) = 3;
				E01262BD6(_t33 + 0x38);
				 *(_t35 - 4) = 2;
				E01262BD6(_t33 + 0x24);
				 *(_t35 - 4) = 1;
				E01262BD6(_t33 + 0x10);
				 *(_t35 - 4) = 0;
				_t22 =  *((intOrPtr*)(_t33 + 4));
				if(_t22 != 0) {
					_t22 =  *((intOrPtr*)( *_t22 + 8))(_t22);
				}
				 *(_t35 - 4) =  *(_t35 - 4) | 0xffffffff;
				_t34 =  *_t33;
				if(_t34 != 0) {
					_t22 =  *((intOrPtr*)( *_t34 + 8))(_t34);
				}
				return E01274EE0(_t22);
			}

0x01265293
0x0126529a
0x0126529f
0x012652a5
0x012652ac
0x012652b4
0x012652b8
0x012652c0
0x012652c4
0x012652cc
0x012652d0
0x012652d5
0x012652d9
0x012652de
0x012652e3
0x012652e3
0x012652e6
0x012652ea
0x012652ee
0x012652f3
0x012652f3
0x012652fb

APIs

__EH_prolog3.LIBCMT ref: 0126529A

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 5a20e90b4ce619c388bd59d89df1225cacbe75d8c28328f581f79a4c26b397f1
Instruction ID: 119c36e8882e661bd09d1a5dcd716fc503d4b9cd220bacb9c2d7546b1364aa29
Opcode Fuzzy Hash: 5a20e90b4ce619c388bd59d89df1225cacbe75d8c28328f581f79a4c26b397f1
Instruction Fuzzy Hash: 19018130411697DFD720EFA8C148BAEBBB8FF24300F14498CD9865B2C1DB35AA84CB61

Uniqueness

Uniqueness Score: -1.00%

Function 01265222 Relevance: 1.5, APIs: 1, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E01265222(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t22;
				intOrPtr _t29;
				void* _t31;
				void* _t32;

				_t32 = __eflags;
				_t27 = __edi;
				_t24 = __ebx;
				_push(0);
				E01274DF4(0x1276471, __ebx, __edi, __esi);
				_t29 =  *((intOrPtr*)(_t31 + 8));
				 *(_t31 - 4) = 4;
				E01262BD6(_t29 + 0xb4);
				 *(_t31 - 4) = 3;
				E01262BD6(_t29 + 0xa0);
				_push(_t29 + 0x8c);
				 *(_t31 - 4) = 2;
				E01264F70(__ebx, __edi, _t29, _t32);
				_push(_t29 + 0x78);
				 *(_t31 - 4) = 1;
				E01264F70(_t24, _t27, _t29, _t32);
				 *(_t31 - 4) = 0;
				E01268054(_t24, _t27, _t29, _t32, _t29);
				 *(_t31 - 4) =  *(_t31 - 4) | 0xffffffff;
				_t30 = _t29 + 0x14;
				_push(_t29 + 0x14); // executed
				_t22 = E01265293(_t24, _t27, _t30, _t30); // executed
				return E01274EE0(_t22);
			}

0x01265222
0x01265222
0x01265222
0x01265222
0x01265229
0x0126522e
0x01265237
0x0126523e
0x01265249
0x0126524d
0x01265258
0x01265259
0x0126525d
0x01265265
0x01265266
0x0126526a
0x01265270
0x01265274
0x01265279
0x0126527d
0x01265280
0x01265281
0x0126528b

APIs

__EH_prolog3.LIBCMT ref: 01265229

Part of subcall function 01264F70: __EH_prolog3.LIBCMT ref: 01264F77

Part of subcall function 01268054: __EH_prolog3.LIBCMT ref: 0126805B
Part of subcall function 01268054: WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,01265279,?,?,?,00000000,01268585,?,00000000,?,?,000000CC,01260145), ref: 0126808E

Part of subcall function 01265293: __EH_prolog3.LIBCMT ref: 0126529A

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: H_prolog3$ObjectSingleWait
String ID:
API String ID: 3802047751-0
Opcode ID: 87da398e600cc4d1f5fd82b7c04afc2c6b1020538816725ad6cf1bc81187bab5
Instruction ID: cc213fa0ae98667e1266933b491dd78572551537ba5456c9a46ab2bc73c9f1ee
Opcode Fuzzy Hash: 87da398e600cc4d1f5fd82b7c04afc2c6b1020538816725ad6cf1bc81187bab5
Instruction Fuzzy Hash: 90F0903041169BEEE711F7B4C504BDEBBBCAF32204F0445889199531C1CB7527888372

Uniqueness

Uniqueness Score: -1.00%

Function 0125CA78 Relevance: 1.5, APIs: 1, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0125CA78(intOrPtr* __esi) {
				struct _SYSTEM_INFO _v40;

				_t19 = __esi;
				 *((intOrPtr*)(__esi + 4)) = 0;
				 *__esi = 0x12552f4;
				_t2 = _t19 + 0x10; // 0x10
				 *((intOrPtr*)(__esi + 8)) = 0;
				E0125CAE4(_t2, 0);
				 *((intOrPtr*)(__esi + 0x1ec)) = 0;
				 *((intOrPtr*)(__esi + 0x1f0)) = 0;
				 *((intOrPtr*)(__esi + 0x1f4)) = 0;
				 *((intOrPtr*)(__esi + 0x1f8)) = 8;
				 *((intOrPtr*)(__esi + 0x1e8)) = 0x12552d4;
				 *((intOrPtr*)(__esi + 0x1e4)) = 4;
				GetSystemInfo( &_v40); // executed
				 *((intOrPtr*)(__esi + 0x1e0)) = _v40.dwNumberOfProcessors;
				return __esi;
			}

0x0125ca78
0x0125ca83
0x0125ca86
0x0125ca8c
0x0125ca8f
0x0125ca92
0x0125ca9a
0x0125caa0
0x0125caa6
0x0125caac
0x0125cab6
0x0125cac1
0x0125cacb
0x0125cad4
0x0125cade

APIs

GetSystemInfo.KERNELBASE(?), ref: 0125CACB

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: ec3f23d3be45e80140a668b7435adc9a6bcc0647bd275dcec35306b341e8c4b9
Instruction ID: 1baa8e41f47c15c632addd6f1ba66b16979c4131db76a858a91b607596ed179e
Opcode Fuzzy Hash: ec3f23d3be45e80140a668b7435adc9a6bcc0647bd275dcec35306b341e8c4b9
Instruction Fuzzy Hash: DFF067B45007468BC360DF6AD5846DBFBF8BF98348F50491ED8BAD3250D7B0A5498F50

Uniqueness

Uniqueness Score: -1.00%

Function 01260B42 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E01260B42() {
				intOrPtr* _t16;
				void* _t21;
				void* _t24;
				void* _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				void* _t28;
				void* _t29;

				_push(0);
				E01274DF4(0x1276215, _t21, _t24, _t25);
				_t26 =  *((intOrPtr*)(_t28 + 8));
				_push(_t26 + 0x78);
				 *(_t28 - 4) = 1;
				E01264F70(_t21, _t24, _t26, _t29);
				 *(_t28 - 4) = 0;
				_t16 =  *((intOrPtr*)(_t26 + 0x74));
				if(_t16 != 0) {
					 *((intOrPtr*)( *_t16 + 8))(_t16);
				}
				_t27 = _t26 + 4;
				 *((intOrPtr*)(_t28 + 8)) = _t27;
				 *(_t28 - 4) = 2;
				E01262BD6(_t27 + 0x50);
				 *(_t28 - 4) =  *(_t28 - 4) | 0xffffffff;
				_push(_t27);
				return E01274EE0(E0125E618(_t27,  *(_t28 - 4)));
			}

0x01260b42
0x01260b49
0x01260b4e
0x01260b54
0x01260b55
0x01260b5c
0x01260b61
0x01260b65
0x01260b6a
0x01260b6f
0x01260b6f
0x01260b72
0x01260b75
0x01260b7b
0x01260b82
0x01260b87
0x01260b8b
0x01260b96

APIs

__EH_prolog3.LIBCMT ref: 01260B49

Part of subcall function 01264F70: __EH_prolog3.LIBCMT ref: 01264F77

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 6588283beb7ee202f0b7376f48ab300a53897adf9c967a4939741344f9f91c17
Instruction ID: c1f657de51a525dfa80a7f50770d155e0e1805d4eb1e4ac347eebee1f80d335e
Opcode Fuzzy Hash: 6588283beb7ee202f0b7376f48ab300a53897adf9c967a4939741344f9f91c17
Instruction Fuzzy Hash: 78F0A770510656DFEB10EFA4C404B9EBBB8FF21358F104558E5559B2D0C771AB44CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0126501D Relevance: 1.5, APIs: 1, Instructions: 15
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 68%

			E0126501D(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t17;
				void* _t18;

				E01274DF4(0x1275cd0, __ebx, __edi, __esi);
				_t17 =  *((intOrPtr*)(_t18 + 8));
				 *_t17 = 0x1255590;
				 *(_t18 - 4) =  *(_t18 - 4) & 0x00000000;
				 *0x1255594(0,  *((intOrPtr*)(_t17 + 8)), 0); // executed
				 *(_t18 - 4) =  *(_t18 - 4) | 0xffffffff;
				return E01274EE0(E01262BD6(_t17));
			}

0x01265024
0x01265029
0x0126502c
0x01265032
0x0126503d
0x01265043
0x01265053

APIs

__EH_prolog3.LIBCMT ref: 01265024

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 853b9e7c2d861e3942436c63181a8a0a4f387793b35bff1960ad575f15ad4187
Instruction ID: dd52775a8401d76e3a5e1925bacd8d7490a416b640eec9054b1aa3aefd1ad5cf
Opcode Fuzzy Hash: 853b9e7c2d861e3942436c63181a8a0a4f387793b35bff1960ad575f15ad4187
Instruction Fuzzy Hash: AAE05E34620352DBEB25BF54E40976EBA72FF24732F204A08E4E5AB2D0DB341E40CB51

Uniqueness

Uniqueness Score: -1.00%

Function 012650C4 Relevance: 1.5, APIs: 1, Instructions: 15
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 68%

			E012650C4(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t17;
				void* _t18;

				E01274DF4(0x1275cd0, __ebx, __edi, __esi);
				_t17 =  *((intOrPtr*)(_t18 + 8));
				 *_t17 = 0x1255598;
				 *(_t18 - 4) =  *(_t18 - 4) & 0x00000000;
				 *0x125559c(0,  *((intOrPtr*)(_t17 + 8)), 0); // executed
				 *(_t18 - 4) =  *(_t18 - 4) | 0xffffffff;
				return E01274EE0(E01262BD6(_t17));
			}

0x012650cb
0x012650d0
0x012650d3
0x012650d9
0x012650e4
0x012650ea
0x012650fa

APIs

__EH_prolog3.LIBCMT ref: 012650CB

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 2bf0213ea395bbf991ce35db2c8061f95515e6a02debbaab4f74ea37eb081d24
Instruction ID: da3452d64612d5c6cd3ac68b1efc9b79fba559d6f09b2821439767b43db8f05c
Opcode Fuzzy Hash: 2bf0213ea395bbf991ce35db2c8061f95515e6a02debbaab4f74ea37eb081d24
Instruction Fuzzy Hash: D5E01734620352DBEB24BF54E40976EBA72FB24772F208608E4A5AB2D0CB341A40CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01269A6C Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 25%

			E01269A6C(intOrPtr _a4) {
				void* __ebp;
				void* _t2;
				void* _t3;
				void* _t4;
				void* _t5;
				void* _t8;

				_push(0);
				_push(0);
				_push(_a4);
				_t2 = E01269927(_t3, _t4, _t5, _t8); // executed
				return _t2;
			}

0x01269a71
0x01269a73
0x01269a75
0x01269a78
0x01269a81

APIs

_doexit.LIBCMT ref: 01269A78

Part of subcall function 01269927: __lock.LIBCMT ref: 01269935
Part of subcall function 01269927: RtlDecodePointer.NTDLL(01276E70,00000020,01269A98,?,00000001,00000000,?,01269AE7,000000FF,?,0126D1E4,00000011,?,?,0126A803,0000000D), ref: 01269971
Part of subcall function 01269927: _DecodePointerInternal@4.DOTNETFX40_FULL_X86_X64(?,01269AE7,000000FF,?,0126D1E4,00000011,?,?,0126A803,0000000D,01276EB8,00000008,012737A4,?,00000000), ref: 01269982
Part of subcall function 01269927: _DecodePointerInternal@4.DOTNETFX40_FULL_X86_X64(-00000004,?,01269AE7,000000FF,?,0126D1E4,00000011,?,?,0126A803,0000000D,01276EB8,00000008,012737A4,?,00000000), ref: 012699A8
Part of subcall function 01269927: _DecodePointerInternal@4.DOTNETFX40_FULL_X86_X64(?,01269AE7,000000FF,?,0126D1E4,00000011,?,?,0126A803,0000000D,01276EB8,00000008,012737A4,?,00000000), ref: 012699BB
Part of subcall function 01269927: _DecodePointerInternal@4.DOTNETFX40_FULL_X86_X64(?,01269AE7,000000FF,?,0126D1E4,00000011,?,?,0126A803,0000000D,01276EB8,00000008,012737A4,?,00000000), ref: 012699C5

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: DecodePointer$Internal@4$__lock_doexit
String ID:
API String ID: 665080380-0
Opcode ID: de040e4b3af3e3fd7ea996bf6568ec0e03965820b0d039836c69a1d868c49cad
Instruction ID: 4f33031d1b194cebc01324353d0f3e5976cea2ec6ba058ed18859fa079761d7f
Opcode Fuzzy Hash: de040e4b3af3e3fd7ea996bf6568ec0e03965820b0d039836c69a1d868c49cad
Instruction Fuzzy Hash: BDB0923259020937DE202542AC02F163A0D8BD0A64E240020BA0C291E1A9A3B9A18089

Uniqueness

Uniqueness Score: -1.00%

Function 0126A539 Relevance: 1.5, APIs: 1, Instructions: 3COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000,0126D806,0127B260,00000314,00000000,?,?,?,?,?,01269C55,0127B260,Microsoft Visual C++ Runtime Library,00012010), ref: 0126A53B

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 1e90b13659088d00b9e21cde607b7d4a04676fbc5c4c0ef1eeab48c1779a7e61
Instruction ID: 4891ffccd1b849118ad88e5826256db835ca43aaa69906bea697bc80754e962d
Opcode Fuzzy Hash: 1e90b13659088d00b9e21cde607b7d4a04676fbc5c4c0ef1eeab48c1779a7e61
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 01267FD7 Relevance: 1.3, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01267FD7(void* __ecx, intOrPtr __esi) {
				char _v8;
				intOrPtr _t14;
				long _t15;
				intOrPtr _t24;

				_t24 = __esi;
				_t8 = __esi + 4;
				if( *((intOrPtr*)(__esi + 4)) != 0) {
					L2:
					_t22 = _t24 + 8;
					if( *((intOrPtr*)(_t24 + 8)) != 0) {
						L4:
						E01267F70(_t24 + 4);
						E01267F70(_t22);
						 *((char*)(_t24 + 0x10)) = 0;
						if( *((intOrPtr*)(_t24 + 0xc)) == 0) {
							_t14 = E012737AF(0, 0, E01267F90, _t24, 0,  &_v8); // executed
							 *((intOrPtr*)(_t24 + 0xc)) = _t14;
							if(_t14 != 0) {
								goto L5;
							}
							_t15 = GetLastError();
							if(_t15 == 0) {
								_t15 = 1;
							}
							L9:
							L10:
							return _t15;
						}
						L5:
						_t15 = 0;
						goto L9;
					}
					_t15 = E01267E46(_t22, 0, 0);
					if(_t15 != 0) {
						goto L9;
					}
					goto L4;
				}
				_t15 = E01267E46(_t8, 0, 0);
				if(_t15 != 0) {
					goto L10;
				}
				goto L2;
			}

0x01267fd7
0x01267fde
0x01267fe5
0x01267ff3
0x01267ff4
0x01267ff9
0x01268007
0x0126800a
0x01268011
0x01268016
0x0126801c
0x0126802f
0x01268037
0x0126803c
0x00000000
0x00000000
0x0126803e
0x01268046
0x0126804a
0x0126804a
0x0126804b
0x0126804c
0x0126804e
0x0126804e
0x0126801e
0x0126801e
0x00000000
0x0126801e
0x01267ffe
0x01268005
0x00000000
0x00000000
0x00000000
0x01268005
0x01267fea
0x01267ff1
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 01267E46: CreateEventA.KERNEL32(00000000,?,00000000,00000000), ref: 01267E5B

GetLastError.KERNEL32 ref: 0126803E

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: CreateErrorEventLast
String ID:
API String ID: 545576003-0
Opcode ID: 7b83e873e182404d47d71977f6b4ce85870759a747af717fdb4243acd7b8e8b0
Instruction ID: 7a2b0ea9018ee15b991126b0179c94ece3b05bf757d35f1a64caa60a57190cde
Opcode Fuzzy Hash: 7b83e873e182404d47d71977f6b4ce85870759a747af717fdb4243acd7b8e8b0
Instruction Fuzzy Hash: 67014BB1630347AF9721AAA9ACC4C7B76ADDE5525C3404C3DE246D2081E774AD888661

Uniqueness

Uniqueness Score: -1.00%

Function 01258417 Relevance: 1.3, APIs: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01258417(void* __ecx, void* __eflags, WCHAR* _a4) {
				intOrPtr _t3;
				void* _t9;
				void* _t12;
				intOrPtr _t13;
				signed int _t14;
				signed int _t19;

				_t13 =  *0x127c0e0;
				_t3 = E01259CA3(__ecx, _a4, 0x40000000, 5, 2, 0x80); // executed
				 *0x127b140 = _t3;
				if(_t3 != 0xffffffff) {
					L4:
					_t14 = E01258889(0, 0x127c120, _a4);
					if(_t14 >= 0) {
						 *0x127c11c = _t13; // executed
						E012585B2(_t9, _t12); // executed
					}
					L6:
					return _t14;
				}
				_t14 = GetLastError();
				if(_t14 > 0) {
					_t14 = _t14 & 0x0000ffff | 0x80070000;
					_t19 = _t14;
				}
				if(_t19 < 0) {
					goto L6;
				} else {
					goto L4;
				}
			}

0x0125841e
0x01258435
0x0125843a
0x01258442
0x01258460
0x0125846f
0x01258473
0x01258475
0x0125847b
0x0125847b
0x01258481
0x01258485
0x01258485
0x0125844a
0x0125844e
0x01258456
0x0125845c
0x0125845c
0x0125845e
0x00000000
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 01259CA3: CreateFileW.KERNELBASE(?,?,0127BEF0,00000000,01255AE3,?,00000000,?,00000000,?,?,?,0125843A,?,40000000,00000005), ref: 01259CD2

GetLastError.KERNEL32(?,40000000,00000005,00000002,00000080,00000000,00000000,?,01255AE3,0127BEF0), ref: 01258444

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: 3f8b9900fc1f9f949f27f4a3826f4bcef382c327800c6b5626fe62dd408fa390
Instruction ID: 81777f5e64fb874401259af46232b792615aac939fd057be938c82dd27697957
Opcode Fuzzy Hash: 3f8b9900fc1f9f949f27f4a3826f4bcef382c327800c6b5626fe62dd408fa390
Instruction Fuzzy Hash: 3FF0B472E6152667C371167ABC48B7BBE94EF50774F064235EF00EB280D6B09C104BD0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0125B4B3 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 17
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0125B4B3() {
				void* _t1;
				struct HINSTANCE__* _t2;
				_Unknown_base(*)()* _t4;

				if( *0x127c158 == 0) {
					_t2 = LoadLibraryW(L"kernel32.dll");
					 *0x127c158 = _t2;
					 *0x127c15c = GetProcAddress(_t2, "EncodePointer");
					_t4 = GetProcAddress( *0x127c158, "DecodePointer");
					 *0x127c160 = _t4;
					return _t4;
				}
				return _t1;
			}

0x0125b4ba
0x0125b4c2
0x0125b4d4
0x0125b4e6
0x0125b4eb
0x0125b4ed
0x00000000
0x0125b4f2
0x0125b4f3

APIs

LoadLibraryW.KERNEL32(kernel32.dll,?,0125B503), ref: 0125B4C2
GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 0125B4D9
GetProcAddress.KERNEL32(DecodePointer), ref: 0125B4EB

Strings

DecodePointer, xrefs: 0125B4DB
EncodePointer, xrefs: 0125B4CE
kernel32.dll, xrefs: 0125B4BD

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: DecodePointer$EncodePointer$kernel32.dll
API String ID: 2238633743-1525541703
Opcode ID: 056382409647559f1728bc50ccebc2d3de135b7fdd10d47e5bed22c3633c1cb3
Instruction ID: f44145255b62677a43b18725483244c2f3dab412ed88d64ba83603f5800ac5f4
Opcode Fuzzy Hash: 056382409647559f1728bc50ccebc2d3de135b7fdd10d47e5bed22c3633c1cb3
Instruction Fuzzy Hash: 7FE062719603B69FDBB09F76B89D7573FA4E718610B01406ABD04A370CD7745464CF94

Uniqueness

Uniqueness Score: -1.00%

Function 012691D5 Relevance: 7.6, APIs: 5, Instructions: 58
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E012691D5(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v804;
				intOrPtr _v808;
				intOrPtr _v812;
				intOrPtr _t6;
				intOrPtr _t11;
				intOrPtr _t12;
				intOrPtr _t13;
				long _t17;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t31;
				void* _t34;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ecx;
				_t21 = __ebx;
				_t6 = __eax;
				_t34 = _t22 -  *0x127a050; // 0xa41d0fe1
				if(_t34 == 0) {
					asm("repe ret");
				}
				 *0x127bab0 = _t6;
				 *0x127baac = _t22;
				 *0x127baa8 = _t25;
				 *0x127baa4 = _t21;
				 *0x127baa0 = _t27;
				 *0x127ba9c = _t26;
				 *0x127bac8 = ss;
				 *0x127babc = cs;
				 *0x127ba98 = ds;
				 *0x127ba94 = es;
				 *0x127ba90 = fs;
				 *0x127ba8c = gs;
				asm("pushfd");
				_pop( *0x127bac0);
				 *0x127bab4 =  *_t31;
				 *0x127bab8 = _v0;
				 *0x127bac4 =  &_a4;
				 *0x127ba00 = 0x10001;
				_t11 =  *0x127bab8; // 0x0
				 *0x127b9b4 = _t11;
				 *0x127b9a8 = 0xc0000409;
				 *0x127b9ac = 1;
				_t12 =  *0x127a050; // 0xa41d0fe1
				_v812 = _t12;
				_t13 =  *0x127a054; // 0x5be2f01e
				_v808 = _t13;
				 *0x127b9f8 = IsDebuggerPresent();
				_push(1);
				E0126DE27(_t14);
				SetUnhandledExceptionFilter(0);
				_t17 = UnhandledExceptionFilter(0x1251e14);
				if( *0x127b9f8 == 0) {
					_push(1);
					E0126DE27(_t17);
				}
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x012691d5
0x012691d5
0x012691d5
0x012691d5
0x012691d5
0x012691d5
0x012691d5
0x012691db
0x012691dd
0x012691dd
0x0126ad5f
0x0126ad64
0x0126ad6a
0x0126ad70
0x0126ad76
0x0126ad7c
0x0126ad82
0x0126ad89
0x0126ad90
0x0126ad97
0x0126ad9e
0x0126ada5
0x0126adac
0x0126adad
0x0126adb6
0x0126adbe
0x0126adc6
0x0126add1
0x0126addb
0x0126ade0
0x0126ade5
0x0126adef
0x0126adf9
0x0126adfe
0x0126ae04
0x0126ae09
0x0126ae15
0x0126ae1a
0x0126ae1c
0x0126ae24
0x0126ae2f
0x0126ae3c
0x0126ae3e
0x0126ae40
0x0126ae45
0x0126ae59

APIs

IsDebuggerPresent.KERNEL32 ref: 0126AE0F
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0126AE24
UnhandledExceptionFilter.KERNEL32(01251E14), ref: 0126AE2F
GetCurrentProcess.KERNEL32(C0000409), ref: 0126AE4B
TerminateProcess.KERNEL32(00000000), ref: 0126AE52

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 0963a6e64ec26736dabe817374bc79d4c29e632235e30916671534a7bbbffecd
Instruction ID: ddcf3f685ccc55c33e739c4922b11b63cbed8ab22f64d6741ab9cd6905bff299
Opcode Fuzzy Hash: 0963a6e64ec26736dabe817374bc79d4c29e632235e30916671534a7bbbffecd
Instruction Fuzzy Hash: AB21CAB4811309DFC771FF29F48DA5B7BB4BB08316F10406AE52997B88EBB059848F15

Uniqueness

Uniqueness Score: -1.00%

Function 01258DAE Relevance: 4.6, APIs: 3, Instructions: 51
windowCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E01258DAE(void* __ecx, intOrPtr _a4, long _a8, void* _a12, char _a16) {
				short _v8;
				char* _v12;
				long _t14;
				long _t15;
				signed int _t26;
				signed int _t35;

				_push(__ecx);
				_push(__ecx);
				_t14 = 0x11ff;
				_v8 = 0;
				if(_a12 != 0) {
					_t14 = 0x19ff;
				}
				_v12 =  &_a16;
				_t15 = FormatMessageW(_t14, _a12, _a8, 0,  &_v8, 0,  &_v12);
				_v12 = 0;
				if(_t15 != 0) {
					_t26 = E01258889(_t15, _a4, _v8);
				} else {
					_t26 = GetLastError();
					if(_t26 > 0) {
						_t26 = _t26 & 0x0000ffff | 0x80070000;
						_t35 = _t26;
					}
					if(_t35 >= 0) {
						_t26 = 0x80004005;
					}
				}
				if(_v8 != 0) {
					LocalFree(_v8);
				}
				return _t26;
			}

0x01258db3
0x01258db4
0x01258db9
0x01258dbe
0x01258dc4
0x01258dc6
0x01258dc6
0x01258dce
0x01258de2
0x01258de8
0x01258ded
0x01258e1d
0x01258def
0x01258df5
0x01258df9
0x01258e01
0x01258e07
0x01258e07
0x01258e09
0x01258e0b
0x01258e0b
0x01258e09
0x01258e22
0x01258e27
0x01258e27
0x01258e32

APIs

FormatMessageW.KERNEL32(000011FF,00000000,00000000,00000000,00000000,00000000,0000000C,00000000,00000000,?,?,?,01255D40,?,00000000,00000000), ref: 01258DE2
GetLastError.KERNEL32(?,?,?,01255D40,?,00000000,00000000,0000000C,00000000), ref: 01258DEF
LocalFree.KERNEL32(00000000,00000000,?,?,?,01255D40,?,00000000,00000000,0000000C,00000000), ref: 01258E27

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: ErrorFormatFreeLastLocalMessage
String ID:
API String ID: 1365068426-0
Opcode ID: b29deec6e966d21e118fe8c5256e18b49c39de4098dd13ba43dbec50ffd6804c
Instruction ID: ca402350173b64b0e3752213f80947ba4f53f5e99ef4153a06b3a9a9fd52323e
Opcode Fuzzy Hash: b29deec6e966d21e118fe8c5256e18b49c39de4098dd13ba43dbec50ffd6804c
Instruction Fuzzy Hash: 19019276A10119FBDB159F96DC888EEBE7AEF84710F150479FE0297240D7B08E51DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01257016 Relevance: 59.8, APIs: 24, Strings: 10, Instructions: 271
windowCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E01257016(void _a4, int _a8, struct HWND__* _a12, long _a16) {
				int _v8;
				int _v12;
				int _v16;
				intOrPtr _v32;
				long _v36;
				int _v40;
				void _v48;
				void* __ebx;
				void* __esi;
				void* _t49;
				void* _t54;
				struct HWND__* _t55;
				void* _t62;
				struct HWND__* _t63;
				int _t64;
				int _t67;
				void* _t74;
				int _t75;
				struct HWND__* _t81;
				int _t82;
				int _t86;
				struct HWND__* _t88;
				long _t94;
				signed int _t100;
				void* _t101;
				int _t107;
				long _t108;

				_t94 = 0;
				_t107 = 0;
				_t49 = _a8 - 0x10;
				_v12 = 0;
				_v8 = 0;
				_v16 = 0;
				if(_t49 == 0) {
					_t107 = 0x80070642;
					L69:
					_v12 = 1;
					L70:
					if(_v8 != 0) {
						E01258E6F(_v8);
					}
					if(_v16 != 0) {
						E01258E6F(_v16);
					}
					L74:
					if(_t107 >= 0) {
						L76:
						return _v12;
					}
					L75:
					EndDialog(_a4, _t107);
					goto L76;
				}
				_t54 = _t49 - 0x100;
				if(_t54 == 0) {
					_t55 = GetDlgItem(_a4, 0x3f0);
					__eflags = _t55;
					if(_t55 != 0) {
						_t108 = _a16;
						SendMessageW(_t55, 0xc, 0,  *(_t108 + 8));
						SetWindowLongW(_a4, 0xffffffeb, _t108);
						_v12 = 1;
						goto L76;
					}
					_t107 = GetLastError();
					__eflags = _t107;
					if(__eflags > 0) {
						_t107 = _t107 & 0x0000ffff | 0x80070000;
						__eflags = _t107;
					}
					if(__eflags >= 0) {
						_t107 = 0x80004005;
					}
					_push("Failed to get the directory control.");
					L66:
					_push(_t107);
					E0125854A(_t94, 0, _t101);
					goto L74;
				}
				if(_t54 != 1) {
					goto L74;
				}
				_t62 = (_a12 & 0x0000ffff) - 1;
				if(_t62 == 0) {
					_t63 = GetDlgItem(_a4, 0x3f0);
					_a12 = _t63;
					__eflags = _t63;
					if(_t63 != 0) {
						_t64 = SendMessageW(_t63, 0xe, 0, 0);
						__eflags = _t64;
						if(_t64 != 0) {
							_a8 = _t64 + 1;
							_t107 = E012587EB(_t64 + 1,  &_v8);
							__eflags = _t107;
							if(_t107 >= 0) {
								_t94 = _v8;
								_t67 = SendMessageW(_a12, 0xd, _a8, _t94);
								__eflags = _t67;
								if(_t67 != 0) {
									 *(GetWindowLongW(_a4, 0xffffffeb) + 8) = _t94;
									EndDialog(_a4, 0);
									_v12 = 1;
									goto L74;
								}
								_t107 = GetLastError();
								__eflags = _t107;
								if(__eflags > 0) {
									_t107 = _t107 & 0x0000ffff | 0x80070000;
									__eflags = _t107;
								}
								if(__eflags >= 0) {
									_t107 = 0x80004005;
								}
								_push("Failed to get text from the directory control");
								L35:
								_push(_t107);
								E0125854A(_t94, 0, _t101);
								goto L70;
							}
							_push("Failed to allocate memory for the directory control value");
							goto L35;
						}
						_t107 = GetLastError();
						__eflags = _t107;
						if(__eflags > 0) {
							_t107 = _t107 & 0x0000ffff | 0x80070000;
							__eflags = _t107;
						}
						if(__eflags >= 0) {
							_t107 = 0x80004005;
						}
						_push("Failed to get text length from the directory control");
						goto L66;
					}
					_t107 = GetLastError();
					__eflags = _t107;
					if(__eflags > 0) {
						_t107 = _t107 & 0x0000ffff | 0x80070000;
						__eflags = _t107;
					}
					if(__eflags >= 0) {
						_t107 = 0x80004005;
					}
					_push("Failed to get the directory control");
					goto L66;
				}
				_t74 = _t62 - 1;
				if(_t74 == 0) {
					_t107 = 0x80070642;
					_v12 = 1;
					goto L75;
				}
				_t75 = _t74 - 0x3ef;
				if(_t75 != 0) {
					goto L74;
				}
				_t100 = 8;
				memset( &_v48, _t75, _t100 << 2);
				_t107 = E012587EB(0x105,  &_v8);
				if(_t107 >= 0) {
					_t107 = E012587EB(0x104,  &_v16);
					__eflags = _t107;
					if(_t107 >= 0) {
						_t94 = GetDlgItem;
						_t81 = GetDlgItem(_a4, 0x3f2);
						__eflags = _t81;
						if(_t81 != 0) {
							_t82 = SendMessageW(_t81, 0xd, 0x104, _v16);
							__eflags = _t82;
							if(_t82 != 0) {
								_v48 = _a4;
								_v40 = _v8;
								_v36 = _v16;
								_t86 =  &_v48;
								_v32 = 1;
								__imp__SHBrowseForFolderW(_t86);
								__eflags = _t86;
								if(_t86 == 0) {
									L37:
									SendMessageA(_a4, 0x28, 0, 0);
									goto L69;
								}
								__imp__SHGetPathFromIDListW(_t86, _v8);
								__eflags = _t86;
								if(_t86 != 0) {
									_t88 = GetDlgItem(_a4, 0x3f0);
									__eflags = _t88;
									if(_t88 != 0) {
										SendMessageW(_t88, 0xc, 0, _v8);
										goto L37;
									}
									_t107 = GetLastError();
									__eflags = _t107;
									if(__eflags > 0) {
										_t107 = _t107 & 0x0000ffff | 0x80070000;
										__eflags = _t107;
									}
									if(__eflags >= 0) {
										_t107 = 0x80004005;
									}
									_push("Failed to get the directory control");
									goto L35;
								}
								_t107 = GetLastError();
								__eflags = _t107;
								if(__eflags > 0) {
									_t107 = _t107 & 0x0000ffff | 0x80070000;
									__eflags = _t107;
								}
								if(__eflags >= 0) {
									_t107 = 0x80004005;
								}
								_push("Call to the SHGetPathFromIDListW failed");
								goto L35;
							}
							_t107 = GetLastError();
							__eflags = _t107;
							if(__eflags > 0) {
								_t107 = _t107 & 0x0000ffff | 0x80070000;
								__eflags = _t107;
							}
							if(__eflags >= 0) {
								_t107 = 0x80004005;
							}
							_push("Failed to get the text of the label");
							goto L35;
						}
						_t107 = GetLastError();
						__eflags = _t107;
						if(__eflags > 0) {
							_t107 = _t107 & 0x0000ffff | 0x80070000;
							__eflags = _t107;
						}
						if(__eflags >= 0) {
							_t107 = 0x80004005;
						}
						_push("Failed to get the label control");
						goto L35;
					}
					_push("Failed to allocate memory for the title");
					goto L35;
				}
				_push("Failed to allocate memory for the directory value");
				goto L35;
			}

0x01257022
0x01257025
0x01257027
0x0125702b
0x0125702e
0x01257031
0x01257034
0x0125735c
0x01257361
0x01257361
0x01257368
0x0125736c
0x01257371
0x01257371
0x0125737a
0x0125737f
0x0125737f
0x01257384
0x01257386
0x01257392
0x01257399
0x01257399
0x01257388
0x0125738c
0x00000000
0x0125738c
0x0125703a
0x0125703f
0x012572fd
0x01257303
0x01257305
0x01257337
0x01257341
0x0125734d
0x01257353
0x00000000
0x01257353
0x0125730d
0x0125730f
0x01257311
0x01257319
0x0125731f
0x0125731f
0x01257321
0x01257323
0x01257323
0x01257328
0x0125732d
0x0125732d
0x0125732e
0x00000000
0x01257334
0x01257046
0x00000000
0x00000000
0x01257050
0x01257051
0x01257203
0x01257209
0x0125720c
0x0125720e
0x01257246
0x01257248
0x0125724a
0x0125727b
0x01257283
0x01257285
0x01257287
0x01257293
0x0125729f
0x012572a1
0x012572a3
0x012572e0
0x012572e3
0x012572e9
0x00000000
0x012572e9
0x012572ab
0x012572ad
0x012572af
0x012572b7
0x012572bd
0x012572bd
0x012572bf
0x012572c1
0x012572c1
0x012572c6
0x012571bf
0x012571bf
0x012571c0
0x00000000
0x012571c6
0x01257289
0x00000000
0x01257289
0x01257252
0x01257254
0x01257256
0x0125725e
0x01257264
0x01257264
0x01257266
0x01257268
0x01257268
0x0125726d
0x00000000
0x0125726d
0x01257216
0x01257218
0x0125721a
0x01257222
0x01257228
0x01257228
0x0125722a
0x0125722c
0x0125722c
0x01257231
0x00000000
0x01257231
0x01257057
0x01257058
0x012571ea
0x012571ef
0x00000000
0x012571ef
0x0125705e
0x01257063
0x00000000
0x00000000
0x0125706b
0x0125706f
0x0125707e
0x01257082
0x0125709d
0x0125709f
0x012570a1
0x012570ad
0x012570bb
0x012570bd
0x012570bf
0x012570f9
0x012570fb
0x012570fd
0x0125712d
0x01257133
0x01257139
0x0125713c
0x01257140
0x01257147
0x0125714d
0x0125714f
0x012571d6
0x012571df
0x00000000
0x012571df
0x01257159
0x0125715f
0x01257161
0x01257193
0x01257195
0x01257197
0x012571d4
0x00000000
0x012571d4
0x0125719f
0x012571a1
0x012571a3
0x012571ab
0x012571b1
0x012571b1
0x012571b3
0x012571b5
0x012571b5
0x012571ba
0x00000000
0x012571ba
0x01257169
0x0125716b
0x0125716d
0x01257175
0x0125717b
0x0125717b
0x0125717d
0x0125717f
0x0125717f
0x01257184
0x00000000
0x01257184
0x01257105
0x01257107
0x01257109
0x01257111
0x01257117
0x01257117
0x01257119
0x0125711b
0x0125711b
0x01257120
0x00000000
0x01257120
0x012570c7
0x012570c9
0x012570cb
0x012570d3
0x012570d9
0x012570d9
0x012570db
0x012570dd
0x012570dd
0x012570e2
0x00000000
0x012570e2
0x012570a3
0x00000000
0x012570a3
0x01257084
0x00000000

APIs

SendMessageW.USER32(00000000,0000000C,00000000,?), ref: 012571D4
SendMessageA.USER32(?,00000028,00000000,00000000), ref: 012571DF
GetDlgItem.USER32 ref: 01257203
GetLastError.KERNEL32 ref: 01257210
GetDlgItem.USER32 ref: 012572FD
GetLastError.KERNEL32 ref: 01257307
SendMessageW.USER32(00000000,0000000C,00000000,?), ref: 01257341
SetWindowLongW.USER32(?,000000EB,?), ref: 0125734D

Part of subcall function 012587EB: GetProcessHeap.KERNEL32(00000000,?,00000104,00000104,012599E4,?,?,01256E7F), ref: 01258802
Part of subcall function 012587EB: HeapReAlloc.KERNEL32(00000000,?,00000104,00000104,012599E4,?,?,01256E7F), ref: 01258809

EndDialog.USER32(00000001,80070642), ref: 0125738C

Strings

Failed to get the text of the label, xrefs: 01257120
Call to the SHGetPathFromIDListW failed, xrefs: 01257184
Failed to get the label control, xrefs: 012570E2
Failed to get the directory control., xrefs: 01257328
Failed to allocate memory for the directory control value, xrefs: 01257289
Failed to get text from the directory control, xrefs: 012572C6
Failed to allocate memory for the directory value, xrefs: 01257084
Failed to allocate memory for the title, xrefs: 012570A3
Failed to get the directory control, xrefs: 012571BA, 01257231
Failed to get text length from the directory control, xrefs: 0125726D

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: MessageSend$ErrorHeapItemLast$AllocDialogLongProcessWindow
String ID: Call to the SHGetPathFromIDListW failed$Failed to allocate memory for the directory control value$Failed to allocate memory for the directory value$Failed to allocate memory for the title$Failed to get text from the directory control$Failed to get text length from the directory control$Failed to get the directory control$Failed to get the directory control.$Failed to get the label control$Failed to get the text of the label
API String ID: 2993860606-745645607
Opcode ID: 52c1f4e8d1b77087fcd7d15bfcb1c6edcbb4787afeb2cf6d22d159af087be637
Instruction ID: eeed1bc820e8b05c1e4ae46eaee47d0228f6d931898d307b5117a0ae4dedec12
Opcode Fuzzy Hash: 52c1f4e8d1b77087fcd7d15bfcb1c6edcbb4787afeb2cf6d22d159af087be637
Instruction Fuzzy Hash: B891D676DB0227ABDB715FA8DCC9BAD7A64AF00360F568134EE05FB281E6748D508790

Uniqueness

Uniqueness Score: -1.00%

Function 0125ADE5 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 188
fileCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0125ADE5(intOrPtr __ecx, intOrPtr __edx, void* __esi, void* __eflags, void** _a4) {
				signed int _v12;
				void _v65552;
				void* _v65556;
				char _v65560;
				struct _OVERLAPPED* _v65564;
				intOrPtr _v65568;
				char _v65572;
				long _v65576;
				void** _v65580;
				void* __ebx;
				void* __edi;
				signed int _t48;
				int _t54;
				int _t58;
				void* _t59;
				int _t62;
				long _t64;
				int _t72;
				intOrPtr _t76;
				int _t82;
				intOrPtr _t83;
				long _t93;
				int _t94;
				void* _t100;
				signed int _t101;
				int _t111;

				_t100 = __esi;
				_t97 = __edx;
				_t88 = __ecx;
				E01270FC0(0x1002c);
				_t48 =  *0x127a050; // 0xa41d0fe1
				_v12 = _t48 ^ _t101;
				_t83 = __ecx;
				_v65580 = _a4;
				_v65568 = __ecx;
				E012584C7(__ecx, __edx, 1, "Extracting file: %ws", __ecx);
				_v65560 = 0;
				_v65564 = 0;
				if(E012564D8 == 0) {
					L2:
					_t97 = _v65568;
					_t54 = E01259711( &_v65560, _t83, _v65568, 0,  &_v65560);
					_t84 = _t54;
					if(_t54 < 0) {
						L29:
						if(_v65560 != 0) {
							E01258E6F(_v65560);
						}
						L31:
						return E012691D5(_t84, _t84, _v12 ^ _t101, _t97, 0, _t100);
					}
					_t58 = E012591D3(_t88, _v65560, 0);
					_t84 = _t58;
					if(_t58 < 0) {
						goto L29;
					}
					_t59 = E01259CA3(_t88, _v65568, 0x40000000, 5, 2, 0x8000080);
					_v65556 = _t59;
					if(_t59 != 0xffffffff) {
						_t84 = E01259B6A(_t59,  *((intOrPtr*)(_t100 + 0x20)),  *(_t100 + 0x24));
						__eflags = _t84;
						if(_t84 < 0) {
							L28:
							CloseHandle(_v65556);
							goto L29;
						}
						_t62 = SetEndOfFile(_v65556);
						__eflags = _t62;
						if(_t62 == 0) {
							L32:
							_t84 = GetLastError();
							__eflags = _t84;
							if(__eflags > 0) {
								__eflags = _t84;
							}
							if(__eflags >= 0) {
								_t84 = 0x80004005;
							}
							goto L28;
						}
						_t64 = SetFilePointer(_v65556, 0, 0, 0);
						__eflags = _t64 - 0xffffffff;
						if(_t64 == 0xffffffff) {
							goto L32;
						}
						_t97 =  *((intOrPtr*)(_v65580[4] + 8)) +  *((intOrPtr*)(_t100 + 0x18));
						asm("adc eax, [esi+0x1c]");
						_t84 = E01259B6A( *_v65580,  *((intOrPtr*)(_v65580[4] + 8)) +  *((intOrPtr*)(_t100 + 0x18)),  *((intOrPtr*)(_v65580[4] + 0xc)));
						__eflags = _t84;
						if(_t84 < 0) {
							goto L28;
						} else {
							goto L13;
						}
						do {
							do {
								L13:
								_t97 = 0;
								_t93 =  *((intOrPtr*)(_t100 + 0x20)) - _v65564;
								asm("sbb eax, edx");
								__eflags =  *(_t100 + 0x24);
								if(__eflags < 0) {
									L17:
									_v65576 = 0;
									_t72 = ReadFile( *_v65580,  &_v65552, _t93,  &_v65576, 0);
									__eflags = _t72;
									if(_t72 == 0) {
										goto L32;
									}
									_v65572 = 0;
									_t84 = E01259BB0( &_v65572, _t93, _v65556,  &_v65552, _v65576);
									__eflags = _t84;
									if(_t84 < 0) {
										goto L28;
									}
									_t76 = _v65564 + _v65572;
									_t94 = E012564D8;
									_v65564 = _t76;
									__eflags = E012564D8;
									if(E012564D8 == 0) {
										L22:
										__eflags = 0 -  *(_t100 + 0x24);
										if(__eflags > 0) {
											goto L25;
										}
										goto L23;
									}
									_push(0);
									_t84 = E012564D8(7, _v65568, _t76, 0);
									__eflags = _t84;
									if(_t84 != 0) {
										goto L28;
									}
									_t76 = _v65564;
									goto L22;
								}
								if(__eflags > 0) {
									L16:
									_t93 = 0x10000;
									goto L17;
								}
								__eflags = _t93 - 0x10000;
								if(_t93 <= 0x10000) {
									goto L17;
								}
								goto L16;
								L23:
							} while (__eflags < 0);
							__eflags = _t76 -  *((intOrPtr*)(_t100 + 0x20));
						} while (_t76 <  *((intOrPtr*)(_t100 + 0x20)));
						L25:
						__eflags = E012564D8;
						if(E012564D8 != 0) {
							 *0x127c16c = 0;
							_t84 = E012569E3();
							__eflags = _t84;
							if(_t84 < 0) {
								_push("User canceled extraction...");
								_push(_t84);
								E0125854A(_t84, _t94, _t97);
							}
						}
						goto L28;
					} else {
						_t84 = GetLastError();
						if(_t84 > 0) {
							_t111 = _t84;
						}
						if(_t111 >= 0) {
							_t84 = 0x80004005;
						}
						goto L29;
					}
				}
				_push(0);
				_t82 = E012564D8(6, _t83,  *((intOrPtr*)(__esi + 0x20)),  *((intOrPtr*)(__esi + 0x24)));
				_t84 = _t82;
				if(_t82 != 0) {
					goto L31;
				}
				goto L2;
			}

0x0125ade5
0x0125ade5
0x0125ade5
0x0125adef
0x0125adf4
0x0125adfb
0x0125ae03
0x0125ae0d
0x0125ae13
0x0125ae19
0x0125ae28
0x0125ae2e
0x0125ae36
0x0125ae51
0x0125ae51
0x0125ae5e
0x0125ae63
0x0125ae67
0x0125b032
0x0125b038
0x0125b040
0x0125b040
0x0125b045
0x0125b054
0x0125b054
0x0125ae74
0x0125ae79
0x0125ae7d
0x00000000
0x00000000
0x0125ae97
0x0125ae9c
0x0125aea5
0x0125aedd
0x0125aedf
0x0125aee1
0x0125b026
0x0125b02c
0x00000000
0x0125b02c
0x0125aeed
0x0125aef3
0x0125aef5
0x0125b057
0x0125b05d
0x0125b05f
0x0125b061
0x0125b06f
0x0125b06f
0x0125b071
0x0125b073
0x0125b073
0x00000000
0x0125b071
0x0125af04
0x0125af0a
0x0125af0d
0x00000000
0x00000000
0x0125af1f
0x0125af25
0x0125af31
0x0125af33
0x0125af35
0x00000000
0x00000000
0x00000000
0x00000000
0x0125af3b
0x0125af3b
0x0125af3b
0x0125af41
0x0125af43
0x0125af49
0x0125af4b
0x0125af4d
0x0125af5e
0x0125af76
0x0125af7c
0x0125af82
0x0125af84
0x00000000
0x00000000
0x0125afa3
0x0125afae
0x0125afb0
0x0125afb2
0x00000000
0x00000000
0x0125afba
0x0125afc0
0x0125afc5
0x0125afcb
0x0125afcd
0x0125afeb
0x0125afeb
0x0125afee
0x00000000
0x00000000
0x00000000
0x0125afee
0x0125afcf
0x0125afdf
0x0125afe1
0x0125afe3
0x00000000
0x00000000
0x0125afe5
0x00000000
0x0125afe5
0x0125af4f
0x0125af59
0x0125af59
0x00000000
0x0125af59
0x0125af51
0x0125af57
0x00000000
0x00000000
0x00000000
0x0125aff0
0x0125aff0
0x0125aff6
0x0125aff6
0x0125afff
0x0125b004
0x0125b006
0x0125b008
0x0125b013
0x0125b015
0x0125b017
0x0125b019
0x0125b01e
0x0125b01f
0x0125b025
0x0125b017
0x00000000
0x0125aea7
0x0125aead
0x0125aeb1
0x0125aebf
0x0125aebf
0x0125aec1
0x0125aec7
0x0125aec7
0x00000000
0x0125aec1
0x0125aea5
0x0125ae38
0x0125ae42
0x0125ae47
0x0125ae4b
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 012584C7: GetLocalTime.KERNEL32(?,?,00000000,?,?,01256E90,00000000), ref: 012584E2
Part of subcall function 012584C7: swprintf.LIBCMT ref: 01258513

GetLastError.KERNEL32(?,40000000,00000005,00000002,08000080,?,00000000,?,?,00000000,000000FF), ref: 0125AEA7
SetEndOfFile.KERNEL32(?,00000000,?,?,?,40000000,00000005,00000002,08000080,?,00000000,?,?,00000000,000000FF), ref: 0125AEED
SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 0125AF04
ReadFile.KERNEL32(?,?,?,?,00000000,?,?,?), ref: 0125AF7C
CloseHandle.KERNEL32(?,00000000,?,?,?,40000000,00000005,00000002,08000080,?,00000000,?,?,00000000,000000FF), ref: 0125B02C
GetLastError.KERNEL32 ref: 0125B057

Part of subcall function 01259B6A: SetFilePointerEx.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0125A52C,00000000,00000000,00000000,00000000,00000000,00000000), ref: 01259B82
Part of subcall function 01259B6A: GetLastError.KERNEL32(?,?,?,0125A52C,00000000,00000000,00000000,00000000,00000000,00000000,?,?,01255AF6,0127BEF0), ref: 01259B8C

Strings

Extracting file: %ws, xrefs: 0125AE06
User canceled extraction..., xrefs: 0125B019

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: File$ErrorLast$Pointer$CloseHandleLocalReadTimeswprintf
String ID: Extracting file: %ws$User canceled extraction...
API String ID: 1889754113-1866894759
Opcode ID: 0336fa80bd35e0755231a1aac6a103ad172ffe495c9ee3990dd35ca7700de09d
Instruction ID: 8ede127f5fab4b0667ccd5197055ac82523c35fc5f5f55aaf339a6d76402666c
Opcode Fuzzy Hash: 0336fa80bd35e0755231a1aac6a103ad172ffe495c9ee3990dd35ca7700de09d
Instruction Fuzzy Hash: 34618670A203199FDBB29B64CCC8FBABBB6EB4C700F140595EA5997190D6B1D9C49F10

Uniqueness

Uniqueness Score: -1.00%

Function 012588ED Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 89
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E012588ED(char** __esi, short* _a4) {
				int _v8;
				int _v12;
				intOrPtr _v16;
				int _t20;
				signed int _t21;
				intOrPtr _t25;
				int _t26;
				void* _t29;
				char* _t31;
				int _t33;
				int _t36;
				char** _t40;

				_t40 = __esi;
				_t19 =  *__esi;
				_v8 = 0;
				_v12 = 0;
				if( *__esi == 0) {
					L3:
					_t20 = WideCharToMultiByte(0, 0, _a4, 0xffffffff, 0, 0, 0, 0);
					if(_t20 == 0) {
						L13:
						_t21 = GetLastError();
						_v8 = _t21;
						if(_t21 > 0) {
							_v8 = _t21 & 0x0000ffff | 0x80070000;
						}
						if(_v8 >= 0) {
							_v8 = 0x80004005;
						}
						L18:
						L19:
						return _v8;
					}
					_t25 = _t20 - 1;
					_v16 = _t25;
					_t26 = _t25 + 1;
					if(_v12 >= _t26) {
						L12:
						if(WideCharToMultiByte(0, 0, _a4, 0xffffffff,  *_t40, _v12, 0, 0) != 0) {
							 *((char*)(_v16 +  *_t40)) = 0;
							goto L18;
						}
						goto L13;
					}
					_t36 = _t26;
					_v12 = _t36;
					if(_t36 >= 0x7fffffff) {
						L10:
						_v8 = 0x8007000e;
						goto L18;
					}
					_t29 =  *_t40;
					_push(_t36);
					if(_t29 == 0) {
						_t31 = HeapAlloc(GetProcessHeap(), 8, ??);
					} else {
						_t31 = HeapReAlloc(GetProcessHeap(), 8, _t29, ??);
					}
					if(_t31 != 0) {
						 *_t40 = _t31;
						goto L12;
					} else {
						goto L10;
					}
				}
				_t33 = E01259A43(_t19);
				_v12 = _t33;
				if(_t33 != 0xffffffff) {
					goto L3;
				}
				_v8 = 0x80070057;
				goto L19;
			}

0x012588ed
0x012588f5
0x012588fa
0x012588fd
0x01258902
0x0125891e
0x01258930
0x01258934
0x01258998
0x01258998
0x0125899e
0x012589a3
0x012589af
0x012589af
0x012589b5
0x012589b7
0x012589b7
0x012589c8
0x012589c9
0x012589ce
0x012589ce
0x01258936
0x01258937
0x0125893a
0x0125893e
0x01258984
0x01258996
0x012589c5
0x00000000
0x012589c5
0x00000000
0x01258996
0x01258940
0x01258942
0x0125894b
0x01258979
0x01258979
0x00000000
0x01258979
0x0125894d
0x0125894f
0x01258952
0x0125896f
0x01258954
0x0125895e
0x0125895e
0x01258977
0x01258982
0x00000000
0x00000000
0x00000000
0x00000000
0x01258977
0x01258905
0x0125890a
0x01258910
0x00000000
0x00000000
0x01258912
0x00000000

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,73AD7870,00000024,?,00000000,00000000), ref: 01258930
GetProcessHeap.KERNEL32(00000008,00000000,00000000,?,?,?,?,?,?,?,?,?,0125A366,?,?,?), ref: 01258957
HeapReAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0125A366,?,?,?,00000000,000000FF), ref: 0125895E

Part of subcall function 01259A43: GetProcessHeap.KERNEL32(00000000,?,?,01258CCC,?,?,00000000,?,01256E90,00000000), ref: 01259A4D
Part of subcall function 01259A43: HeapSize.KERNEL32(00000000,?,01258CCC,?,?,00000000,?,01256E90,00000000), ref: 01259A54

GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,?,?,?,?,?,?,0125A366,?,?,?,00000000), ref: 01258968
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0125A366,?,?,?,00000000,000000FF), ref: 0125896F
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,?,00000000,00000000,00000000), ref: 01258992
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,0125A366,?,?,?,00000000,000000FF), ref: 01258998

Strings

W, xrefs: 01258912

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: Heap$Process$AllocByteCharMultiWide$ErrorLastSize
String ID: W
API String ID: 3423999398-655174618
Opcode ID: 00b6591772d699a4fc21c6874d387c096c808e8b74e7e1a8249dbb6d0bab74ce
Instruction ID: 1d117840d9e7e642c29f43d720cd94c5c28867211b8d572f9ef695e5a35f1801
Opcode Fuzzy Hash: 00b6591772d699a4fc21c6874d387c096c808e8b74e7e1a8249dbb6d0bab74ce
Instruction Fuzzy Hash: 6E2199B191024AFFDB509FA99CC49ADBBBCFF05354F208569EA51E7380C6B58E408B11

Uniqueness

Uniqueness Score: -1.00%

Function 0126C589 Relevance: 9.0, APIs: 6, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 80%

			E0126C589(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int _t15;
				LONG* _t21;
				long _t23;
				void* _t29;
				void* _t31;
				LONG* _t33;
				void* _t34;
				void* _t35;

				_t35 = __eflags;
				_t25 = __ebx;
				_push(0xc);
				_push(0x1276f00);
				E0126AAC0(__ebx, __edi, __esi);
				_t31 = E0126A753(__ebx, _t35);
				_t15 =  *0x127a968; // 0xfffffffe
				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
					E0126D1BD(_t25, _t29, _t31, 0xd);
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_t33 =  *(_t31 + 0x68);
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0x127a870; // 0x27e15f8
					if(__eflags != 0) {
						__eflags = _t33;
						if(_t33 != 0) {
							_t23 = InterlockedDecrement(_t33);
							__eflags = _t23;
							if(_t23 == 0) {
								__eflags = _t33 - 0x127a448;
								if(_t33 != 0x127a448) {
									E0126C318(_t33);
								}
							}
						}
						_t21 =  *0x127a870; // 0x27e15f8
						 *(_t31 + 0x68) = _t21;
						_t33 =  *0x127a870; // 0x27e15f8
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);
					}
					 *(_t34 - 4) = 0xfffffffe;
					E0126C624();
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				if(_t33 == 0) {
					_push(0x20);
					E01269ACA();
				}
				return E0126AB05(_t33);
			}

0x0126c589
0x0126c589
0x0126c589
0x0126c58b
0x0126c590
0x0126c59a
0x0126c59c
0x0126c5a4
0x0126c5c5
0x0126c5cb
0x0126c5cf
0x0126c5d2
0x0126c5d5
0x0126c5db
0x0126c5dd
0x0126c5df
0x0126c5e2
0x0126c5e8
0x0126c5ea
0x0126c5ec
0x0126c5f2
0x0126c5f5
0x0126c5fa
0x0126c5f2
0x0126c5ea
0x0126c5fb
0x0126c600
0x0126c603
0x0126c609
0x0126c60d
0x0126c60d
0x0126c613
0x0126c61a
0x0126c5ac
0x0126c5ac
0x0126c5ac
0x0126c5b1
0x0126c5b3
0x0126c5b5
0x0126c5ba
0x0126c5c2

APIs

__getptd.LIBCMT ref: 0126C595

Part of subcall function 0126A753: __getptd_noexit.LIBCMT ref: 0126A756
Part of subcall function 0126A753: __amsg_exit.LIBCMT ref: 0126A763

__amsg_exit.LIBCMT ref: 0126C5B5
__lock.LIBCMT ref: 0126C5C5
InterlockedDecrement.KERNEL32(?), ref: 0126C5E2
_free.LIBCMT ref: 0126C5F5
InterlockedIncrement.KERNEL32(027E15F8), ref: 0126C60D

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: e4edfd5355f2ca9fb249564f6de4cb7d2b4592b48dfe3544fc4ed6da40ed19f6
Instruction ID: 29effbe945baa7a1c4f63465c10f35efc64b957c1a32ddf9d92effdcef244ec6
Opcode Fuzzy Hash: e4edfd5355f2ca9fb249564f6de4cb7d2b4592b48dfe3544fc4ed6da40ed19f6
Instruction Fuzzy Hash: 7A01D671D20713DBDB21BB68A84876E77A8BF00720F090105D990772C0CB74A9E2CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 0125A9AE Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 118
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0125A9AE(void** __ecx, intOrPtr* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				intOrPtr _v24;
				char _v40;
				void _v44;
				struct _OVERLAPPED* _v48;
				long _v52;
				intOrPtr* _v56;
				void** _v60;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t32;
				void _t39;
				intOrPtr _t44;
				signed int _t47;
				signed int _t50;
				void* _t53;
				char* _t59;
				intOrPtr* _t60;
				signed int _t61;

				_t58 = __edx;
				_t32 =  *0x127a050; // 0xa41d0fe1
				_v8 = _t32 ^ _t61;
				_t60 = __edx;
				_t59 = 0;
				_v56 = __edx;
				_v60 = __ecx;
				_v48 = 0;
				_t53 = E01259CA3(__ecx, _a4, 0x80000000, 7, 3, 0x80);
				if(_t53 != 0xffffffff) {
					_v52 = 0;
					if(ReadFile(_t53,  &_v44, 0x24,  &_v52, 0) != 0) {
						if(_v52 == 0x24) {
							_t39 = _v44;
							if(_a8 == _t39 || _a8 == 0 && (_t39 == 0xb0c50000 || _t39 == 0xb0c50001 || _t39 == 0xb0c50002 || _t39 == 0xb0c50003)) {
								if(_a12 == _t59) {
									L24:
									if(_t60 == _t59) {
										L28:
										 *_v60 = _t53;
										_t53 = _t53 | 0xffffffff;
										goto L29;
									}
									_t44 =  *_t60;
									if(_t44 != 0xffffffff) {
										if(_t44 != _v24) {
											goto L18;
										}
										goto L28;
									}
									 *_t60 = _v24;
									goto L28;
								}
								_t60 = _a12;
								_push(0x10);
								_t59 =  &_v40;
								asm("repe cmpsb");
								if(0 != 0) {
									asm("sbb eax, eax");
									asm("sbb eax, 0xffffffff");
								}
								if(0 != 0) {
									goto L18;
								} else {
									_t60 = _v56;
									_t59 = 0;
									goto L24;
								}
							} else {
								L18:
								_v48 = 0x8007000d;
								L29:
								if(_t53 != 0xffffffff) {
									CloseHandle(_t53);
								}
								goto L31;
							}
						}
						_v48 = 0x8007001e;
						goto L29;
					}
					_t47 = GetLastError();
					_v48 = _t47;
					if(_t47 > 0) {
						_v48 = _t47 & 0x0000ffff | 0x80070000;
					}
					if(_v48 >= _t59) {
						_v48 = 0x80004005;
					}
					goto L29;
				} else {
					_t50 = GetLastError();
					_v48 = _t50;
					if(_t50 > 0) {
						_v48 = _t50 & 0x0000ffff | 0x80070000;
					}
					if(_v48 >= _t59) {
						_v48 = 0x80004005;
					}
					L31:
					return E012691D5(_v48, _t53, _v8 ^ _t61, _t58, _t59, _t60);
				}
			}

0x0125a9ae
0x0125a9b6
0x0125a9bd
0x0125a9d4
0x0125a9d6
0x0125a9d9
0x0125a9dc
0x0125a9df
0x0125a9e7
0x0125a9ec
0x0125aa29
0x0125aa34
0x0125aa69
0x0125aa74
0x0125aa7a
0x0125aaa9
0x0125aac8
0x0125aaca
0x0125aadf
0x0125aae2
0x0125aae4
0x00000000
0x0125aae4
0x0125aacc
0x0125aad1
0x0125aadd
0x00000000
0x00000000
0x00000000
0x0125aadd
0x0125aad6
0x00000000
0x0125aad6
0x0125aaab
0x0125aaae
0x0125aab1
0x0125aab6
0x0125aab8
0x0125aaba
0x0125aabc
0x0125aabc
0x0125aac1
0x00000000
0x0125aac3
0x0125aac3
0x0125aac6
0x00000000
0x0125aac6
0x0125aa9d
0x0125aa9d
0x0125aa9d
0x0125aae7
0x0125aaea
0x0125aaed
0x0125aaed
0x00000000
0x0125aaea
0x0125aa7a
0x0125aa6b
0x00000000
0x0125aa6b
0x0125aa36
0x0125aa3c
0x0125aa41
0x0125aa4d
0x0125aa4d
0x0125aa53
0x0125aa59
0x0125aa59
0x00000000
0x0125a9ee
0x0125a9ee
0x0125a9f4
0x0125a9f9
0x0125aa05
0x0125aa05
0x0125aa0b
0x0125aa11
0x0125aa11
0x0125aaf3
0x0125ab04
0x0125ab04

APIs

Part of subcall function 01259CA3: CreateFileW.KERNELBASE(?,?,0127BEF0,00000000,01255AE3,?,00000000,?,00000000,?,?,?,0125843A,?,40000000,00000005), ref: 01259CD2

GetLastError.KERNEL32(00000000,80000000,00000007,00000003,00000080,00000000,00000000,00000000,?,?,?,?,?,?,?,0125A8F1), ref: 0125A9EE
ReadFile.KERNEL32(00000000,?,00000024,?,00000000,00000000,80000000,00000007,00000003,00000080,00000000,00000000,00000000), ref: 0125AA2C
GetLastError.KERNEL32(?,?,?,?,?,?,?,0125A8F1,?,00000000,00000004,?,00000000,?), ref: 0125AA36
CloseHandle.KERNEL32(00000000), ref: 0125AAED

Strings

$, xrefs: 0125AA65

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: ErrorFileLast$CloseCreateHandleRead
String ID: $
API String ID: 3160720760-3993045852
Opcode ID: f64a3da1b479690a04cdd841adc0a9eb0f24bbaf85d595dd51a7b983fd34d7a5
Instruction ID: f3d24ade0165e03cbd0aba817eb900e896608b46ac83ed09d14e89c0f02713dd
Opcode Fuzzy Hash: f64a3da1b479690a04cdd841adc0a9eb0f24bbaf85d595dd51a7b983fd34d7a5
Instruction Fuzzy Hash: 87413071D2024A9FDB61CF6DDAC6AAD7BB4EF48320F248719EA21E7180D77495808F25

Uniqueness

Uniqueness Score: -1.00%

Function 0126CD37 Relevance: 7.5, APIs: 5, Instructions: 34
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 76%

			E0126CD37(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int _t12;
				void* _t25;
				void* _t28;
				intOrPtr _t29;
				void* _t30;
				void* _t31;

				_t31 = __eflags;
				_t26 = __edi;
				_t20 = __ebx;
				_push(0xc);
				_push(0x1276f40);
				E0126AAC0(__ebx, __edi, __esi);
				_t28 = E0126A753(__ebx, _t31);
				_t12 =  *0x127a968; // 0xfffffffe
				if(( *(_t28 + 0x70) & _t12) == 0) {
					L6:
					E0126D1BD(_t20, _t25, _t26, 0xc);
					 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
					_t29 = _t28 + 0x6c;
					 *((intOrPtr*)(_t30 - 0x1c)) = E0126CCE5(_t29,  *0x127abb0);
					 *(_t30 - 4) = 0xfffffffe;
					E0126CDA4();
				} else {
					_t33 =  *((intOrPtr*)(_t28 + 0x6c));
					if( *((intOrPtr*)(_t28 + 0x6c)) == 0) {
						goto L6;
					} else {
						_t29 =  *((intOrPtr*)(E0126A753(_t20, _t33) + 0x6c));
					}
				}
				if(_t29 == 0) {
					_push(0x20);
					E01269ACA();
				}
				return E0126AB05(_t29);
			}

0x0126cd37
0x0126cd37
0x0126cd37
0x0126cd37
0x0126cd39
0x0126cd3e
0x0126cd48
0x0126cd4a
0x0126cd52
0x0126cd76
0x0126cd78
0x0126cd7e
0x0126cd88
0x0126cd93
0x0126cd96
0x0126cd9d
0x0126cd54
0x0126cd54
0x0126cd58
0x00000000
0x0126cd5a
0x0126cd5f
0x0126cd5f
0x0126cd58
0x0126cd64
0x0126cd66
0x0126cd68
0x0126cd6d
0x0126cd75

APIs

__getptd.LIBCMT ref: 0126CD43

Part of subcall function 0126A753: __getptd_noexit.LIBCMT ref: 0126A756
Part of subcall function 0126A753: __amsg_exit.LIBCMT ref: 0126A763

__getptd.LIBCMT ref: 0126CD5A
__amsg_exit.LIBCMT ref: 0126CD68
__lock.LIBCMT ref: 0126CD78
__updatetlocinfoEx_nolock.LIBCMT ref: 0126CD8C

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 3645d3c4ff092958db3d5f97538c27b4971b14a71b8c99123397cc4fe90ef7b7
Instruction ID: 826f3f1378faf58e4bac01a1187b038ce4ca3668fe12e60225c68a6af9a10096
Opcode Fuzzy Hash: 3645d3c4ff092958db3d5f97538c27b4971b14a71b8c99123397cc4fe90ef7b7
Instruction Fuzzy Hash: 24F02432924702DBE725BB689406B3D7BA86F20720F148149D186B71C1CF7408D1CB99

Uniqueness

Uniqueness Score: -1.00%

Function 012565F9 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 57
windowCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E012565F9(void* __ecx, intOrPtr _a4) {
				int _v8;
				long _t13;
				void* _t16;
				void* _t20;

				_t17 = __ecx;
				_push(__ecx);
				_v8 = 0;
				if(( *0x127c1a8 & 0x00000001) == 0) {
					 *0x127c1a8 =  *0x127c1a8 | 0x00000001;
					 *0x127c1a4 = GetModuleHandleW(0);
				}
				_t13 = E01259166( &_v8,  *0x127c1a4, 0xa);
				if(_t13 < 0) {
					L11:
					if(_v8 != 0) {
						_t13 = E01258E6F(_v8);
					}
					L13:
					return _t13;
				}
				_t13 = _v8;
				if(_t13 == 0) {
					goto L13;
				}
				if( *_t13 != 0) {
					_t13 = E01258ABB( &_v8, _t17, _a4, 0);
					if(_t13 >= 0) {
						if( *0x127c108 != 0) {
							_push(_v8);
							if( *0x127c114 != 0) {
								_push(L"%s...\r\n");
								_t13 = E012692A7();
							} else {
								_t13 = SendMessageW( *0x127c0f8, 0x8001, 0, ??);
							}
						}
					} else {
						_t13 = E0125854A(_t16, _t17, _t20, _t13, "Failed to add file name on to status prefix: %S", _a4);
					}
				}
				goto L11;
			}

0x012565f9
0x012565fe
0x01256609
0x0125660c
0x0125660e
0x0125661c
0x0125661c
0x0125662c
0x01256633
0x01256697
0x0125669a
0x0125669f
0x0125669f
0x012566a4
0x012566a6
0x012566a6
0x01256635
0x0125663a
0x00000000
0x00000000
0x0125663f
0x01256648
0x0125664f
0x0125666a
0x0125666c
0x01256675
0x0125668b
0x01256690
0x01256677
0x01256683
0x01256683
0x01256675
0x01256651
0x0125665a
0x0125665f
0x0125664f
0x00000000

APIs

GetModuleHandleW.KERNEL32(00000000,00000024,012564D8,?,0125654C,?,00000024,?,0125AFDF,00000007,?,?,00000000,00000000,?,?), ref: 01256616
SendMessageW.USER32(00008001,00000000,00000000,00000000), ref: 01256683

Strings

Failed to add file name on to status prefix: %S, xrefs: 01256654
%s..., xrefs: 0125668B

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: HandleMessageModuleSend
String ID: %s...$Failed to add file name on to status prefix: %S
API String ID: 1379669478-1181359081
Opcode ID: af073a4cbca52a9150f544c8ab897dc2de5b62eeb37541e5d5174a5ece64eaab
Instruction ID: 9547d93d213e44e60b213d2ca615e03333043793f2c88f131cbc761a003ec6d2
Opcode Fuzzy Hash: af073a4cbca52a9150f544c8ab897dc2de5b62eeb37541e5d5174a5ece64eaab
Instruction Fuzzy Hash: 1511023092131AFFEFA29B21FDC9AAE7F35EF11B44B504025FD0461014D7769AA0DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0125A414 Relevance: 6.3, APIs: 5, Instructions: 36
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0125A414(void* __ebx) {
				void* _t4;
				int _t7;
				signed int _t8;
				void* _t14;

				_t14 = __ebx;
				if( *__ebx != 0xffffffff) {
					__eax = CloseHandle(__eax);
				}
				_t4 =  *(_t14 + 8);
				if(_t4 != 0 && HeapFree(GetProcessHeap(), 0, _t4) == 0) {
					L1();
				}
				_t5 =  *((intOrPtr*)(_t14 + 4));
				if( *((intOrPtr*)(_t14 + 4)) != 0) {
					E01258E6F(_t5);
				}
				_t7 = HeapFree(GetProcessHeap(), 0, _t14);
				if(_t7 != 0) {
					return _t7;
				} else {
					_t8 = GetLastError();
					if(_t8 > 0) {
						return _t8 & 0x0000ffff | 0x80070000;
					}
					return _t8;
				}
			}

0x0125a414
0x0125a419
0x0125a41c
0x0125a41c
0x0125a422
0x0125a435
0x0125a443
0x0125a443
0x0125a448
0x0125a44d
0x0125a450
0x0125a450
0x0125a45b
0x0125a461
0x0125a468
0x0125a463
0x01259a29
0x01259a31
0x00000000
0x01259a38
0x01259a3d
0x01259a3d

APIs

CloseHandle.KERNEL32(00000000,01259DA9,?,?,012560C2,?,?,00000000,00000000,?,?,01255AF6,0127BEF0), ref: 0125A41C
GetProcessHeap.KERNEL32(00000000,?,00000000,00000000,01259DA9,?,?,012560C2,?,?,00000000,00000000,?,?,01255AF6,0127BEF0), ref: 0125A43A
HeapFree.KERNEL32(00000000,?,?,012560C2,?,?,00000000,00000000,?,?,01255AF6,0127BEF0), ref: 0125A43D
GetProcessHeap.KERNEL32(00000000,00000000,00000000,00000000,01259DA9,?,?,012560C2,?,?,00000000,00000000,?,?,01255AF6,0127BEF0), ref: 0125A458
HeapFree.KERNEL32(00000000,?,?,012560C2,?,?,00000000,00000000,?,?,01255AF6,0127BEF0), ref: 0125A45B

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: Heap$FreeProcess$CloseHandle
String ID:
API String ID: 1236364404-0
Opcode ID: 49ab37e4295ccb31c0e42d82a030968ff6a1564d2b021313e37f5053e5116143
Instruction ID: 8ef88d15f71d0d03772e6413acb678537affe0cc6da3d1b968a4e6fdb21ec75d
Opcode Fuzzy Hash: 49ab37e4295ccb31c0e42d82a030968ff6a1564d2b021313e37f5053e5116143
Instruction Fuzzy Hash: D9F08C61720312AAEFA06AFEACCDF263E5CDF80691B444251BE04D7088DA70DC408A71

Uniqueness

Uniqueness Score: -1.00%

Function 01258C9A Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01258C9A(CHAR** __ebx, intOrPtr _a4, intOrPtr _a8) {
				CHAR* _v8;
				CHAR* _v12;
				CHAR* _v16;
				CHAR* _v20;
				void* __esi;
				CHAR* _t27;
				CHAR* _t33;
				CHAR* _t34;
				intOrPtr _t37;
				CHAR** _t40;
				intOrPtr _t41;
				CHAR* _t44;
				void* _t46;
				CHAR* _t48;
				CHAR* _t49;
				void* _t54;
				void* _t55;

				_t40 = __ebx;
				_t25 =  *__ebx;
				_t55 = _t54 - 0x10;
				_t44 = 0;
				if( *__ebx == 0) {
					_v8 = 0;
				} else {
					_v8 = E01259A43(_t25);
				}
				_t26 =  *_t40;
				_v12 = _t44;
				_v20 = _t44;
				if( *_t40 == _t44) {
					L7:
					__eflags = _v8 - _t44;
					if(_v8 != _t44) {
						do {
							L9:
							_t41 = _v8;
							_t48 =  *_t40;
							_t27 = 0;
							__eflags = _t41 - _t44;
							if(_t41 == _t44) {
								L11:
								_t27 = 0x80070057;
								L12:
								__eflags = _t27 - _t44;
								if(_t27 < _t44) {
									L20:
									_t49 = _t27;
									__eflags = _t27 - 0x8007007a;
									if(_t27 != 0x8007007a) {
										goto L25;
									}
									__eflags = _v12 - _t44;
									if(_v12 == _t44) {
										_t33 =  *_t40;
										_v12 = _t33;
										 *_t40 = _t44;
										_v20[_t33] = 0;
									}
									_v8 = _v8 + _v8;
									_t49 = E01258836(_t40, _v8 + _v8);
									__eflags = _t49 - _t44;
									if(_t49 < _t44) {
										break;
									} else {
										_t49 = 1;
										__eflags = 1;
										goto L25;
									}
								}
								_v16 = _t44;
								_t13 = _t41 - 1; // -1
								_t46 = _t13;
								_t34 = E01273517(_t48, _t46, _a4, _a8);
								_t55 = _t55 + 0x10;
								__eflags = _t34;
								if(_t34 < 0) {
									L17:
									_v16 = 0x8007007a;
									L18:
									 *((char*)(_t46 + _t48)) = 0;
									L19:
									_t27 = _v16;
									_t44 = 0;
									__eflags = 0;
									goto L20;
								}
								__eflags = _t34 - _t46;
								if(__eflags > 0) {
									goto L17;
								}
								if(__eflags != 0) {
									goto L19;
								}
								goto L18;
							}
							__eflags = _t41 - 0x7fffffff;
							if(_t41 <= 0x7fffffff) {
								goto L12;
							}
							goto L11;
							L25:
							__eflags = _t49 - 1;
						} while (_t49 == 1);
						__eflags = _v12 - _t44;
						if(_v12 != _t44) {
							E01258E6F(_v12);
						}
						goto L28;
					}
					_v8 = 0x100;
					_t49 = E01258836(_t40, 0x100);
					__eflags = _t49 - _t44;
					if(_t49 < _t44) {
						goto L28;
					}
					goto L9;
				} else {
					_t37 = E01259A43(_t26);
					_v8 = _t37;
					if(_t37 != 0xffffffff) {
						_v20 = lstrlenA( *_t40);
						goto L7;
					}
					_t49 = 0x80070057;
					L28:
					return _t49;
				}
			}

0x01258c9a
0x01258c9f
0x01258ca1
0x01258ca6
0x01258caa
0x01258cb7
0x01258cac
0x01258cb2
0x01258cb2
0x01258cba
0x01258cbc
0x01258cbf
0x01258cc4
0x01258ce9
0x01258ce9
0x01258cec
0x01258d08
0x01258d08
0x01258d08
0x01258d0b
0x01258d0d
0x01258d0f
0x01258d11
0x01258d1b
0x01258d1b
0x01258d20
0x01258d20
0x01258d22
0x01258d56
0x01258d56
0x01258d58
0x01258d5d
0x00000000
0x00000000
0x01258d5f
0x01258d62
0x01258d64
0x01258d69
0x01258d6c
0x01258d6e
0x01258d6e
0x01258d7a
0x01258d82
0x01258d84
0x01258d86
0x00000000
0x01258d88
0x01258d8a
0x01258d8a
0x00000000
0x01258d8a
0x01258d86
0x01258d27
0x01258d2d
0x01258d2d
0x01258d32
0x01258d37
0x01258d3a
0x01258d3c
0x01258d46
0x01258d46
0x01258d4d
0x01258d4d
0x01258d51
0x01258d51
0x01258d54
0x01258d54
0x00000000
0x01258d54
0x01258d3e
0x01258d40
0x00000000
0x00000000
0x01258d42
0x00000000
0x00000000
0x00000000
0x01258d44
0x01258d13
0x01258d19
0x00000000
0x00000000
0x00000000
0x01258d8b
0x01258d8b
0x01258d8b
0x01258d94
0x01258d97
0x01258d9c
0x01258d9c
0x00000000
0x01258d97
0x01258cf6
0x01258cfe
0x01258d00
0x01258d02
0x00000000
0x00000000
0x00000000
0x01258cc6
0x01258cc7
0x01258ccc
0x01258cd2
0x01258ce6
0x00000000
0x01258ce6
0x01258cd4
0x01258da1
0x01258da6
0x01258da6

APIs

Part of subcall function 01259A43: GetProcessHeap.KERNEL32(00000000,?,?,01258CCC,?,?,00000000,?,01256E90,00000000), ref: 01259A4D
Part of subcall function 01259A43: HeapSize.KERNEL32(00000000,?,01258CCC,?,?,00000000,?,01256E90,00000000), ref: 01259A54

lstrlenA.KERNEL32(00000000,?,?,00000000,?,01256E90,00000000), ref: 01258CE0
_vswprintf_s.LIBCMT ref: 01258D32

Part of subcall function 01258836: GetProcessHeap.KERNEL32(00000000,00000000,7FFFFFFF,00000000,?,01258D82,00000000), ref: 01258852
Part of subcall function 01258836: HeapReAlloc.KERNEL32(00000000,?,01258D82,00000000), ref: 01258859

Strings

z, xrefs: 01258D46

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: Heap$Process$AllocSize_vswprintf_slstrlen
String ID: z
API String ID: 1418926380-1657960367
Opcode ID: 2db4ff0eb138536aa36840574bca21e08deb66f0cebe2f8e26126f00fea8a70b
Instruction ID: ee7a3c36ea67b26d75563190329ad6b38e51da7ddaeb1e64d7d13a5514a1f419
Opcode Fuzzy Hash: 2db4ff0eb138536aa36840574bca21e08deb66f0cebe2f8e26126f00fea8a70b
Instruction Fuzzy Hash: 0B31C231D21126DBCFA1EB7E88C466DFBF4EF95210F244595DD11EB210E2B18A408B90

Uniqueness

Uniqueness Score: -1.00%

Function 01258836 Relevance: 5.0, APIs: 4, Instructions: 30
memoryCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E01258836(void** __esi, intOrPtr _a4) {
				void* _t4;
				void* _t6;
				long _t8;
				void** _t9;

				_t9 = __esi;
				_t8 = 0;
				if(_a4 >= 0x7fffffff) {
					L5:
					_t8 = 0x8007000e;
				} else {
					_t4 =  *__esi;
					_push(_a4);
					if(_t4 == 0) {
						_t6 = HeapAlloc(GetProcessHeap(), 8, ??);
					} else {
						_t6 = HeapReAlloc(GetProcessHeap(), 0, _t4, ??);
					}
					if(_t6 != _t8) {
						 *_t9 = _t6;
					} else {
						goto L5;
					}
				}
				return _t8;
			}

0x01258836
0x0125883c
0x01258845
0x01258874
0x01258874
0x01258847
0x01258847
0x01258849
0x0125884e
0x0125886a
0x01258850
0x01258859
0x01258859
0x01258872
0x0125887b
0x00000000
0x00000000
0x00000000
0x01258872
0x01258881

APIs

GetProcessHeap.KERNEL32(00000000,00000000,7FFFFFFF,00000000,?,01258D82,00000000), ref: 01258852
HeapReAlloc.KERNEL32(00000000,?,01258D82,00000000), ref: 01258859
GetProcessHeap.KERNEL32(00000008,7FFFFFFF,00000000,?,01258D82,00000000), ref: 01258863
HeapAlloc.KERNEL32(00000000,?,01258D82,00000000), ref: 0125886A

Memory Dump Source

Source File: 00000025.00000002.1056721631.0000000001251000.00000020.00000001.01000000.0000000E.sdmp, Offset: 01250000, based on PE: true

Associated: 00000025.00000002.1056713338.0000000001250000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056761514.000000000127A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056775668.000000000127D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000025.00000002.1056791508.000000000127E000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_1250000_dotNetFx40_Full_x86_x64.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 3eb65726709c4c93adf4126fe6699ec935b750a7aa18d81dc505f00521fdf470
Instruction ID: a4a4fc23765a507db66c13de0c59b24210972f9ec60d93d614c259d0749b9c3f
Opcode Fuzzy Hash: 3eb65726709c4c93adf4126fe6699ec935b750a7aa18d81dc505f00521fdf470
Instruction Fuzzy Hash: 51F0E575110208EBCB514E6BB8CCB393A7EF7C03A17248624FA55C6044C6B1C8918720

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use hidden users to mask the presence of user accounts they create. Every user account in macOS has a userID associated with it. When creating a user, you can specify the userID for that account.
Tactics:	Defense Evasion
Data Sources:	Authentication logs, File monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://gscs-b2c.lge.com/downloadFile?fileId=JCmfbdhuo6i4ujSC2MbC6Q

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\81cd3e1c31538730e132\1025\LocalizedData.xml

C:\81cd3e1c31538730e132\1025\SetupResources.dll

C:\81cd3e1c31538730e132\1025\eula.rtf

C:\81cd3e1c31538730e132\1028\LocalizedData.xml

C:\81cd3e1c31538730e132\1028\SetupResources.dll

C:\81cd3e1c31538730e132\1028\eula.rtf

C:\81cd3e1c31538730e132\1029\LocalizedData.xml

C:\81cd3e1c31538730e132\1029\SetupResources.dll

C:\81cd3e1c31538730e132\1029\eula.rtf

C:\81cd3e1c31538730e132\1030\LocalizedData.xml

C:\81cd3e1c31538730e132\1030\SetupResources.dll

C:\81cd3e1c31538730e132\1030\eula.rtf

C:\81cd3e1c31538730e132\1031\LocalizedData.xml

C:\81cd3e1c31538730e132\1031\SetupResources.dll

C:\81cd3e1c31538730e132\1031\eula.rtf

C:\81cd3e1c31538730e132\1032\LocalizedData.xml

C:\81cd3e1c31538730e132\1032\SetupResources.dll

C:\81cd3e1c31538730e132\1032\eula.rtf

C:\81cd3e1c31538730e132\1033\LocalizedData.xml

Windows Analysis Report
https://gscs-b2c.lge.com/downloadFile?fileId=JCmfbdhuo6i4ujSC2MbC6Q