Windows Analysis Report
ojSIQVSgby.exe

Overview

General Information

Sample Name: ojSIQVSgby.exe
Analysis ID: 757790
MD5: 09e9517e74ee5c16b4820c017dbc63bf
SHA1: 46d178d9f1de23936c1278d8e4e8677829dd3221
SHA256: 2e9a89f602c794e320b72b0e9f5766ff920843b02963b8f1d11f905a5b89d113
Tags: exe
Infos:

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Writes a notice file (html or txt) to demand a ransom
Sample is not signed and drops a device driver
Contains functionality to register a low level keyboard hook
Machine Learning detection for sample
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Drops files with a non-matching file extension (content does not match file extension)
PE file does not import any functions
Antivirus or Machine Learning detection for unpacked file
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Drops PE files
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Creates driver files
PE file contains sections with non-standard names
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded

Classification

  • System is w10x64
  • ojSIQVSgby.exe (PID: 4224 cmdline: C:\Users\user\Desktop\ojSIQVSgby.exe MD5: 09E9517E74EE5C16B4820C017DBC63BF)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: ojSIQVSgby.exe | ReversingLabs: Detection: 19%
Source: ojSIQVSgby.exe | Virustotal: Detection: 11%
Source: ojSIQVSgby.exe | Joe Sandbox ML: detected
Source: 0.3.ojSIQVSgby.exe.47b933e.16.unpackAvira: Label: TR/Patched.Ren.Gen
Source: 0.3.ojSIQVSgby.exe.482369a.20.unpackAvira: Label: TR/Patched.Ren.Gen
Source: 0.3.ojSIQVSgby.exe.46dec28.6.unpackAvira: Label: TR/Patched.Ren.Gen
Source: 0.3.ojSIQVSgby.exe.4794b92.12.unpackAvira: Label: TR/Patched.Ren.Gen
Source: ojSIQVSgby.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: f:\winddk\cglptnt64\objfre_wlh_AMD64\amd64\CGLptNt.pdb source: ojSIQVSgby.exe, 00000000.00000003.326522799.00000000046CA000.00000004.00000800.00020000.00000000.sdmp, CGLPT64.SYS.0.dr
Source: Binary string: d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb0#AD#A source: ojSIQVSgby.exe, 00000000.00000003.326169917.0000000006343000.00000004.00001000.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.326435604.00000000064D0000.00000004.00001000.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.332019569.00000000053FD000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb source: ojSIQVSgby.exe, 00000000.00000003.326169917.0000000006343000.00000004.00001000.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.326435604.00000000064D0000.00000004.00001000.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.332019569.00000000053FD000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: d:\Projects\WinRAR\rar\build\unrardll32\Release\unrar.pdb source: ojSIQVSgby.exe, 00000000.00000003.331029597.000000000521E000.00000004.00000800.00020000.00000000.sdmp, UNRAR.DLL.0.dr
Source: Binary string: cglptnt.pdb source: ojSIQVSgby.exe, 00000000.00000003.326522799.00000000046CA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: b\i386\cglptnt.pdb source: ojSIQVSgby.exe, 00000000.00000003.326522799.00000000046CA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: cglptnt.pdbb\i386\cglptnt.pdbh source: ojSIQVSgby.exe, 00000000.00000003.326522799.00000000046CA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: d:\Projects\WinRAR\rar\build\unrardll64\Release\unrar64.pdb source: ojSIQVSgby.exe, 00000000.00000003.331029597.000000000521E000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\ojSIQVSgby.exeCode function: 0_2_00409A19 ??2@YAPAXI@Z,FindFirstFileW,FindClose,0_2_00409A19
Source: C:\Users\user\Desktop\ojSIQVSgby.exeCode function: 0_2_004044EA FindFirstFileW,FindClose,SetLastError,CompareFileTime,0_2_004044EA
Source: C:\Users\user\Desktop\ojSIQVSgby.exeCode function: 0_2_0040340F FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetCurrentDirectoryW,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,0_2_0040340F
Source: C:\Users\user\Desktop\ojSIQVSgby.exeCode function: 0_2_0040352A FindFirstFileW,FindClose,SetFileAttributesW,DeleteFileW,0_2_0040352A
Source: ojSIQVSgby.exe, 00000000.00000003.318483127.00000000044AE000.00000004.00000800.00020000.00000000.sdmp, HISTORY.TXT.0.drString found in binary or memory: http://anso.da.ru
Source: ojSIQVSgby.exe, 00000000.00000003.318483127.00000000044AE000.00000004.00000800.00020000.00000000.sdmp, HISTORY.TXT.0.drString found in binary or memory: http://buglist.jrsoftware.org/generated/entry0686.htm
Source: ojSIQVSgby.exe, 00000000.00000003.318483127.00000000044AE000.00000004.00000800.00020000.00000000.sdmp, HISTORY.TXT.0.drString found in binary or memory: http://bugs.freepascal.org/view.php?id=17280
Source: ojSIQVSgby.exe, 00000000.00000003.331029597.000000000521E000.00000004.00000800.00020000.00000000.sdmp, UNRAR.DLL.0.drString found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: ojSIQVSgby.exe, 00000000.00000003.326169917.0000000006343000.00000004.00001000.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.326435604.00000000064D0000.00000004.00001000.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.332019569.00000000053FD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.thawte.com/ThawteCodeSigningCA.crl0
Source: ojSIQVSgby.exe, 00000000.00000003.326169917.0000000006343000.00000004.00001000.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.326435604.00000000064D0000.00000004.00001000.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.332019569.00000000053FD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.thawte.com/ThawtePremiumServerCA.crl0
Source: ojSIQVSgby.exe, 00000000.00000003.326914549.000000000481E000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.326743950.00000000047A1000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.331029597.000000000521E000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.326676130.0000000004761000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.326572971.00000000046E6000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.326830151.00000000047C7000.00000004.00000800.00020000.00000000.sdmp, TOTALCMD64.EXE.0.dr, TCUNZLIB.DLL.0.dr, TCUNZL64.DLL.0.dr, TC7ZIPIF.DLL.0.drString found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: ojSIQVSgby.exe, 00000000.00000003.331029597.000000000521E000.00000004.00000800.00020000.00000000.sdmp, UNRAR.DLL.0.drString found in binary or memory: http://ocsp.comodoca.com0
Source: ojSIQVSgby.exe, 00000000.00000003.326914549.000000000481E000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.326743950.00000000047A1000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.326169917.0000000006343000.00000004.00001000.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.331029597.000000000521E000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.326435604.00000000064D0000.00000004.00001000.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.332019569.00000000053FD000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.326676130.0000000004761000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.326572971.00000000046E6000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.326830151.00000000047C7000.00000004.00000800.00020000.00000000.sdmp, TOTALCMD64.EXE.0.dr, TCUNZLIB.DLL.0.dr, TCUNZL64.DLL.0.dr, TC7ZIPIF.DLL.0.drString found in binary or memory: http://ocsp.thawte.com0
Source: ojSIQVSgby.exe, 00000000.00000003.326914549.000000000481E000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.326743950.00000000047A1000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.331029597.000000000521E000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.326676130.0000000004761000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.326572971.00000000046E6000.00000004.00000800.00020000.00000000.sdmp, TOTALCMD64.EXE.0.drString found in binary or memory: http://sf.symcb.com/sf.crl0f
Source: ojSIQVSgby.exe, 00000000.00000003.326914549.000000000481E000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.326743950.00000000047A1000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.331029597.000000000521E000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.326676130.0000000004761000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.326572971.00000000046E6000.00000004.00000800.00020000.00000000.sdmp, TOTALCMD64.EXE.0.drString found in binary or memory: http://sf.symcb.com/sf.crt0
Source: ojSIQVSgby.exe, 00000000.00000003.326914549.000000000481E000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.326743950.00000000047A1000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.331029597.000000000521E000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.326676130.0000000004761000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.326572971.00000000046E6000.00000004.00000800.00020000.00000000.sdmp, TOTALCMD64.EXE.0.drString found in binary or memory: http://sf.symcd.com0&
Source: ojSIQVSgby.exe, 00000000.00000003.326914549.000000000481E000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.326743950.00000000047A1000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.331029597.000000000521E000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.326676130.0000000004761000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.326572971.00000000046E6000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.326830151.00000000047C7000.00000004.00000800.00020000.00000000.sdmp, TOTALCMD64.EXE.0.dr, TCUNZLIB.DLL.0.dr, TCUNZL64.DLL.0.dr, TC7ZIPIF.DLL.0.drString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: ojSIQVSgby.exe, 00000000.00000003.326914549.000000000481E000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.326743950.00000000047A1000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.331029597.000000000521E000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.326676130.0000000004761000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.326572971.00000000046E6000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.326830151.00000000047C7000.00000004.00000800.00020000.00000000.sdmp, TOTALCMD64.EXE.0.dr, TCUNZLIB.DLL.0.dr, TCUNZL64.DLL.0.dr, TC7ZIPIF.DLL.0.drString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: ojSIQVSgby.exe, 00000000.00000003.326914549.000000000481E000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.326743950.00000000047A1000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.331029597.000000000521E000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.326676130.0000000004761000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.326572971.00000000046E6000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.326830151.00000000047C7000.00000004.00000800.00020000.00000000.sdmp, TOTALCMD64.EXE.0.dr, TCUNZLIB.DLL.0.dr, TCUNZL64.DLL.0.dr, TC7ZIPIF.DLL.0.drString found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: ojSIQVSgby.exe, 00000000.00000003.318483127.00000000044AE000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.326914549.000000000481E000.00000004.00000800.00020000.00000000.sdmp, TOTALCMD64.EXE.0.drString found in binary or memory: http://www.ghisler.com
Source: ojSIQVSgby.exe, 00000000.00000003.326914549.000000000481E000.00000004.00000800.00020000.00000000.sdmp, TOTALCMD64.EXE.0.drString found in binary or memory: http://www.ghisler.com$SEARCH$.WC
Source: ojSIQVSgby.exe, 00000000.00000003.318483127.00000000044AE000.00000004.00000800.00020000.00000000.sdmp, WCMD_DUT.INC.0.dr, TOTALCMD.INC.0.dr, WCMD_ROM.INC.0.dr, WCMD_ITA.INC.0.drString found in binary or memory: http://www.ghisler.com/
Source: ojSIQVSgby.exe, 00000000.00000003.318483127.00000000044AE000.00000004.00000800.00020000.00000000.sdmp, WCMD_CZ.INC.0.drString found in binary or memory: http://www.ghisler.com/)
Source: ojSIQVSgby.exe, 00000000.00000003.326914549.000000000481E000.00000004.00000800.00020000.00000000.sdmp, TOTALCMD64.EXE.0.drString found in binary or memory: http://www.ghisler.com/languages.htm
Source: ojSIQVSgby.exe, 00000000.00000003.326914549.000000000481E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.ghisler.com/languages.htmU
Source: ojSIQVSgby.exe, 00000000.00000003.326914549.000000000481E000.00000004.00000800.00020000.00000000.sdmp, TOTALCMD64.EXE.0.drString found in binary or memory: http://www.ghisler.com/plugins.htm
Source: ojSIQVSgby.exe, 00000000.00000003.326914549.000000000481E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.ghisler.com/plugins.htmU
Source: ojSIQVSgby.exe, 00000000.00000003.326914549.000000000481E000.00000004.00000800.00020000.00000000.sdmp, TOTALCMD64.EXE.0.drString found in binary or memory: http://www.ghisler.com/plugins.htmhttp://www.ghisler.com/languages.htm
Source: ojSIQVSgby.exe, 00000000.00000003.326914549.000000000481E000.00000004.00000800.00020000.00000000.sdmp, TOTALCMD64.EXE.0.drString found in binary or memory: http://www.ghisler.com/reactivate.htm
Source: ojSIQVSgby.exe, 00000000.00000003.326914549.000000000481E000.00000004.00000800.00020000.00000000.sdmp, TOTALCMD64.EXE.0.drString found in binary or memory: http://www.ghisler.com/reactivate.htmhttp://www.ghisler.com/reaktivieren.htm
Source: ojSIQVSgby.exe, 00000000.00000003.326914549.000000000481E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.ghisler.com/reactivate.htmhttp://www.ghisler.com/reaktivieren.htmU
Source: ojSIQVSgby.exe, 00000000.00000003.326914549.000000000481E000.00000004.00000800.00020000.00000000.sdmp, TOTALCMD64.EXE.0.drString found in binary or memory: http://www.ghisler.com/reaktivieren.htm
Source: ojSIQVSgby.exe, 00000000.00000003.318483127.00000000044AE000.00000004.00000800.00020000.00000000.sdmp, HISTORY.TXT.0.drString found in binary or memory: http://www.ghisler.com/strace.zip
Source: ojSIQVSgby.exe, 00000000.00000003.326914549.000000000481E000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.326743950.00000000047A1000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.326169917.0000000006343000.00000004.00001000.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.331029597.000000000521E000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.326435604.00000000064D0000.00000004.00001000.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.332019569.00000000053FD000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.326676130.0000000004761000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.326572971.00000000046E6000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.326830151.00000000047C7000.00000004.00000800.00020000.00000000.sdmp, TCMDX64.EXE.0.dr, TcUsbRun.exe.0.dr, TOTALCMD64.EXE.0.dr, TCUNZLIB.DLL.0.dr, TCUNZL64.DLL.0.dr, TC7ZIPIF.DLL.0.drString found in binary or memory: http://www.ghisler.com0
Source: ojSIQVSgby.exe, 00000000.00000003.326914549.000000000481E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.ghisler.comU
Source: ojSIQVSgby.exe, 00000000.00000003.326914549.000000000481E000.00000004.00000800.00020000.00000000.sdmp, TOTALCMD64.EXE.0.drString found in binary or memory: http://www.google.com/search?q=%s
Source: ojSIQVSgby.exe, 00000000.00000003.318483127.00000000044AE000.00000004.00000800.00020000.00000000.sdmp, HISTORY.TXT.0.drString found in binary or memory: http://www.hardtoc.com/archives/198)
Source: ojSIQVSgby.exe, 00000000.00000003.318483127.00000000044AE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.totalcommander.hu/
Source: ojSIQVSgby.exe, 00000000.00000003.326914549.000000000481E000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.326743950.00000000047A1000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.331029597.000000000521E000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.326676130.0000000004761000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.326572971.00000000046E6000.00000004.00000800.00020000.00000000.sdmp, TOTALCMD64.EXE.0.drString found in binary or memory: https://d.symcb.com/cps0%
Source: ojSIQVSgby.exe, 00000000.00000003.326914549.000000000481E000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.326743950.00000000047A1000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.331029597.000000000521E000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.326676130.0000000004761000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.326572971.00000000046E6000.00000004.00000800.00020000.00000000.sdmp, TOTALCMD64.EXE.0.drString found in binary or memory: https://d.symcb.com/rpa0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\ojSIQVSgby.exeCode function: 0_2_00408E84 SetWindowsHookExW 00000002,Function_00008E56,00000000,000000000_2_00408E84
Source: ojSIQVSgby.exe, 00000000.00000002.334855872.000000000072A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\ojSIQVSgby.exe | File dropped: C:\Program Files (x86)\TotalCommander\HISTORY.TXT -> decrypt function which wasn't set) (32/64)16.04.13 fixed: closing "verify checksums" dialog while any file operation active -> file progress dialog not closed when file operation ended (32/64)14.04.13 fixed: compare by content, utf-8: lines with accented chars (one uppercase, one lowercase) were shown as different, but with no differences within the line (32/64)14.04.13 fixed: do not try to run 16-bit programs from 64-bit tc, they cause a segmentation fault in shellexecuteex (64)14.04.13 fixed: links in html files with utf-8 encoding not shown in different color with uniscribe=0 (32/64)12.04.13 fixed: right click on button bar button: "cd" command in menu incorrect if the command contained parameters and no start path was defined (32/64)12.04.13 fixed: main configuration dialog: tab in list on the left didn't switch to first item in right panel (bug in lazarus). unfortunately the same problem with shift+tab cannot be fixed (64)10.04.13 added: warn also in synchronize dirs when the esc key seems
Source: WCMICONS.DLL.0.drStatic PE information: No import functions for PE file found
Source: ojSIQVSgby.exe, 00000000.00000003.326914549.000000000481E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTotalcmdUsbHandler.EXET vs ojSIQVSgby.exe
Source: ojSIQVSgby.exe, 00000000.00000003.326914549.000000000481E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenametotalcmd.exe@ vs ojSIQVSgby.exe
Source: ojSIQVSgby.exe, 00000000.00000003.326743950.00000000047A1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTotalcmd-Admin.exe vs ojSIQVSgby.exe
Source: ojSIQVSgby.exe, 00000000.00000003.326522799.00000000046CA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCGLPTNT.SYST vs ojSIQVSgby.exe
Source: ojSIQVSgby.exe, 00000000.00000003.326522799.00000000046CA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCGLPTNT.SYSR vs ojSIQVSgby.exe
Source: ojSIQVSgby.exe, 00000000.00000003.326777925.00000000047B7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameLZMA.dll, vs ojSIQVSgby.exe
Source: ojSIQVSgby.exe, 00000000.00000003.331029597.000000000521E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenametotalcmd64.exe vs ojSIQVSgby.exe
Source: ojSIQVSgby.exe, 00000000.00000003.331029597.000000000521E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUnAceV2.Dllt* vs ojSIQVSgby.exe
Source: ojSIQVSgby.exe, 00000000.00000003.331029597.000000000521E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUnrar.dllD vs ojSIQVSgby.exe
Source: ojSIQVSgby.exe, 00000000.00000003.331029597.000000000521E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUnrar.dll vs ojSIQVSgby.exe
Source: ojSIQVSgby.exe, 00000000.00000000.310877360.0000000000423000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilename7ZSfxMod_x86.exe< vs ojSIQVSgby.exe
Source: ojSIQVSgby.exe, 00000000.00000003.326615411.0000000004721000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename7zxa.dll, vs ojSIQVSgby.exe
Source: ojSIQVSgby.exe, 00000000.00000003.326676130.0000000004761000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameLZMA.dll, vs ojSIQVSgby.exe
Source: ojSIQVSgby.exe, 00000000.00000003.326676130.0000000004761000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTotalcmd-Admin.exej% vs ojSIQVSgby.exe
Source: ojSIQVSgby.exe, 00000000.00000003.326830151.00000000047C7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenametcmdx64.exe vs ojSIQVSgby.exe
Source: ojSIQVSgby.exe, 00000000.00000003.326830151.00000000047C7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenametcmdx64.exef# vs ojSIQVSgby.exe
Source: ojSIQVSgby.exeBinary or memory string: OriginalFilename7ZSfxMod_x86.exe< vs ojSIQVSgby.exe
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | File created: C:\Program Files (x86)\TotalCommander\CGLPT64.SYS
Source: C:\Users\user\Desktop\ojSIQVSgby.exeCode function: String function: 00405041 appears 41 times
Source: CGLPTNT.SYS.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: WCMICONS.DLL.0.drStatic PE information: Section .rsrc
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | File read: C:\Users\user\Desktop\ojSIQVSgby.exe
Source: C:\Users\user\Desktop\ojSIQVSgby.exeCode function: 0_2_0040976C wvsprintfW,GetLastError,FormatMessageW,FormatMessageW,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,??2@YAPAXI@Z,lstrcpyW,lstrcpyW,lstrcpyW,??3@YAXPAX@Z,LocalFree,0_2_0040976C
Source: ojSIQVSgby.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\ojSIQVSgby.exeCode function: 0_2_004039F0 GetModuleHandleW,FindResourceExA,FindResourceExA,FindResourceExA,SizeofResource,LoadResource,LockResource,GetProcAddress,GetProcAddress,wsprintfW,GetProcAddress,0_2_004039F0
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | File created: C:\Program Files (x86)\TotalCommander
Source: CGLPT64.SYS.0.drBinary string: \Device\
Source: classification engineClassification label: mal64.rans.spyw.winEXE@1/93@0/0
Source: C:\Users\user\Desktop\ojSIQVSgby.exeCode function: 0_2_004048CC _wtol,_wtol,SHGetSpecialFolderPathW,_wtol,CoCreateInstance,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,0_2_004048CC
Source: C:\Users\user\Desktop\ojSIQVSgby.exeCode function: 0_2_00402446 GetDiskFreeSpaceExW,SendMessageW,0_2_00402446
Source: ojSIQVSgby.exeStatic file information: File size 5163027 > 1048576
Source: CABRK.DLL.0.drStatic PE information: real checksum: 0x0 should be: 0x18c5e
Source: TC7Z.DLL.0.drStatic PE information: real checksum: 0x0 should be: 0x321e3
Source: UNRAR9X.DLL.0.drStatic PE information: real checksum: 0x0 should be: 0x2c4a2
Source: ojSIQVSgby.exeStatic PE information: real checksum: 0x25f9f should be: 0x4f730d
Source: TCMDLZMA.DLL.0.drStatic PE information: real checksum: 0x0 should be: 0x21541
Source: SFXHEAD.SFX.0.drStatic PE information: real checksum: 0x0 should be: 0xc964
Source: TC7Z64.DLL.0.drStatic PE information: real checksum: 0x0 should be: 0x3b259
Source: UNACEV2.DLL.0.drStatic PE information: real checksum: 0x0 should be: 0x141ef
Source: WCMICONS.DLL.0.drStatic PE information: real checksum: 0x0 should be: 0xaa200
Source: FRERES32.DLL.0.drStatic PE information: real checksum: 0x0 should be: 0x9d85
Source: wincmd.exe.0.drStatic PE information: real checksum: 0x21337 should be: 0x250d6
Source: C:\Users\user\Desktop\ojSIQVSgby.exeCode function: 0_2_00419210 push eax; ret 0_2_0041923E
Source: C:\Users\user\Desktop\ojSIQVSgby.exeCode function: 0_2_00418F40 push ecx; mov dword ptr [esp], ecx0_2_00418F41
Source: CABRK.DLL.0.drStatic PE information: section name: BEGTEXT
Source: CABRK.DLL.0.drStatic PE information: section name: DGROUP
Source: TC7Z.DLL.0.drStatic PE information: section name: .sxdata
Source: TOTALCMD64.EXE.0.drStatic PE information: section name: /4
Source: UNACEV2.DLL.0.drStatic PE information: section name: AUTO
Source: UNACEV2.DLL.0.drStatic PE information: section name: DGROUP
Source: C:\Users\user\Desktop\ojSIQVSgby.exeCode function: 0_2_00407F31 LoadLibraryA,GetProcAddress,GetWindow,GetWindow,GetDlgItem,GetWindow,0_2_00407F31

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\ojSIQVSgby.exe | File created: C:\Program Files (x86)\TotalCommander\CGLPT64.SYS
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | File created: C:\Program Files (x86)\TotalCommander\CGLPTNT.SYS
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | File created: C:\Program Files (x86)\TotalCommander\CGLPT9X.VXD
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | File created: C:\Program Files (x86)\TotalCommander\SFXHEAD.SFX
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | File created: C:\Program Files (x86)\TotalCommander\TCMDX64.EXE
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | File created: C:\Program Files (x86)\TotalCommander\TC7ZIPIF.DLL
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | File created: C:\Program Files (x86)\TotalCommander\CGLPTNT.SYS
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | File created: C:\Program Files (x86)\TotalCommander\TOTALCMD64.EXE
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | File created: C:\Program Files (x86)\TotalCommander\UNRAR64.DLL
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | File created: C:\Program Files (x86)\TotalCommander\CGLPT64.SYS
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | File created: C:\Program Files (x86)\TotalCommander\SHARE_NT.EXE
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | File created: C:\Program Files (x86)\TotalCommander\TCLZMA64.DLL
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | File created: C:\Program Files (x86)\TotalCommander\WCMICONS.DLL
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | File created: C:\Program Files (x86)\TotalCommander\CGLPT9X.VXD
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | File created: C:\Program Files (x86)\TotalCommander\TCMDLZMA.DLL
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | File created: C:\Program Files (x86)\TotalCommander\wincmd.exe
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | File created: C:\Program Files (x86)\TotalCommander\WCMZIP32.DLL
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | File created: C:\Program Files (x86)\TotalCommander\TCMDX32.EXE
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | File created: C:\Program Files (x86)\TotalCommander\NOCLOSE64.EXE
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | File created: C:\Program Files (x86)\TotalCommander\TOTALCMD.EXE
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | File created: C:\Program Files (x86)\TotalCommander\NOCLOSE.EXE
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | File created: C:\Program Files (x86)\TotalCommander\TCMADM64.EXE
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | File created: C:\Program Files (x86)\TotalCommander\CABRK.DLL
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | File created: C:\Program Files (x86)\TotalCommander\UNRAR9X.DLL
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | File created: C:\Program Files (x86)\TotalCommander\TCUNZL64.DLL
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | File created: C:\Program Files (x86)\TotalCommander\UNACEV2.DLL
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | File created: C:\Program Files (x86)\TotalCommander\SFXHEAD.SFX
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | File created: C:\Program Files (x86)\TotalCommander\TC7Z.DLL
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | File created: C:\Program Files (x86)\TotalCommander\FRERES32.DLL
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | File created: C:\Program Files (x86)\TotalCommander\UNRAR.DLL
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | File created: C:\Program Files (x86)\TotalCommander\WC32TO16.EXE
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | File created: C:\Program Files (x86)\TotalCommander\TcUsbRun.exe
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | File created: C:\Program Files (x86)\TotalCommander\TC7Z64.DLL
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | File created: C:\Program Files (x86)\TotalCommander\TCMADMIN.EXE
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | File created: C:\Program Files (x86)\TotalCommander\WCMZIP64.DLL
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | File created: C:\Program Files (x86)\TotalCommander\TCUNZLIB.DLL
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | Dropped PE file which has not been started: C:\Program Files (x86)\TotalCommander\TCMDX64.EXE
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | Dropped PE file which has not been started: C:\Program Files (x86)\TotalCommander\TC7ZIPIF.DLL
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | Dropped PE file which has not been started: C:\Program Files (x86)\TotalCommander\CGLPTNT.SYS
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | Dropped PE file which has not been started: C:\Program Files (x86)\TotalCommander\TOTALCMD64.EXE
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | Dropped PE file which has not been started: C:\Program Files (x86)\TotalCommander\UNRAR64.DLL
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | Dropped PE file which has not been started: C:\Program Files (x86)\TotalCommander\CGLPT64.SYS
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | Dropped PE file which has not been started: C:\Program Files (x86)\TotalCommander\SHARE_NT.EXE
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | Dropped PE file which has not been started: C:\Program Files (x86)\TotalCommander\TCLZMA64.DLL
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | Dropped PE file which has not been started: C:\Program Files (x86)\TotalCommander\TCMDLZMA.DLL
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | Dropped PE file which has not been started: C:\Program Files (x86)\TotalCommander\WCMICONS.DLL
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | Dropped PE file which has not been started: C:\Program Files (x86)\TotalCommander\CGLPT9X.VXD
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | Dropped PE file which has not been started: C:\Program Files (x86)\TotalCommander\wincmd.exe
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | Dropped PE file which has not been started: C:\Program Files (x86)\TotalCommander\WCMZIP32.DLL
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | Dropped PE file which has not been started: C:\Program Files (x86)\TotalCommander\TCMDX32.EXE
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | Dropped PE file which has not been started: C:\Program Files (x86)\TotalCommander\NOCLOSE64.EXE
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | Dropped PE file which has not been started: C:\Program Files (x86)\TotalCommander\TOTALCMD.EXE
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | Dropped PE file which has not been started: C:\Program Files (x86)\TotalCommander\TCMADM64.EXE
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | Dropped PE file which has not been started: C:\Program Files (x86)\TotalCommander\NOCLOSE.EXE
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | Dropped PE file which has not been started: C:\Program Files (x86)\TotalCommander\CABRK.DLL
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | Dropped PE file which has not been started: C:\Program Files (x86)\TotalCommander\UNRAR9X.DLL
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | Dropped PE file which has not been started: C:\Program Files (x86)\TotalCommander\TCUNZL64.DLL
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | Dropped PE file which has not been started: C:\Program Files (x86)\TotalCommander\UNACEV2.DLL
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | Dropped PE file which has not been started: C:\Program Files (x86)\TotalCommander\TC7Z.DLL
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | Dropped PE file which has not been started: C:\Program Files (x86)\TotalCommander\SFXHEAD.SFX
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | Dropped PE file which has not been started: C:\Program Files (x86)\TotalCommander\FRERES32.DLL
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | Dropped PE file which has not been started: C:\Program Files (x86)\TotalCommander\UNRAR.DLL
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | Dropped PE file which has not been started: C:\Program Files (x86)\TotalCommander\WC32TO16.EXE
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | Dropped PE file which has not been started: C:\Program Files (x86)\TotalCommander\TcUsbRun.exe
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | Dropped PE file which has not been started: C:\Program Files (x86)\TotalCommander\TC7Z64.DLL
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | Dropped PE file which has not been started: C:\Program Files (x86)\TotalCommander\TCMADMIN.EXE
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | Dropped PE file which has not been started: C:\Program Files (x86)\TotalCommander\WCMZIP64.DLL
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | Dropped PE file which has not been started: C:\Program Files (x86)\TotalCommander\TCUNZLIB.DLL
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | Code function: 0_2_00409A19 ??2@YAPAXI@Z,FindFirstFileW,FindClose,0_2_00409A19
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | Code function: 0_2_004044EA FindFirstFileW,FindClose,SetLastError,CompareFileTime,0_2_004044EA
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | Code function: 0_2_0040340F FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetCurrentDirectoryW,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,0_2_0040340F
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | Code function: 0_2_0040352A FindFirstFileW,FindClose,SetFileAttributesW,DeleteFileW,0_2_0040352A
Source: HISTORY.TXT.0.dr | Binary or memory string: 28.04.10 Fixed: Crash when typing text in command line when packaged with Vmware ThinApp. Reason: auto-complete and auto-append (problem with thread local storage)
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | Code function: 0_2_00407F31 LoadLibraryA,GetProcAddress,GetWindow,GetWindow,GetDlgItem,GetWindow,0_2_00407F31
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | Code function: 0_2_00403FF2 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_00403FF2
Source: ojSIQVSgby.exe, 00000000.00000003.326914549.000000000481E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ^Shell_TrayWndU
Source: ojSIQVSgby.exe, 00000000.00000003.326914549.000000000481E000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.331029597.000000000521E000.00000004.00000800.00020000.00000000.sdmp, TOTALCMD64.EXE.0.dr | Binary or memory string: Program Manager
Source: ojSIQVSgby.exe, 00000000.00000003.326914549.000000000481E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program ManagerprogmanU
Source: ojSIQVSgby.exe, 00000000.00000003.326914549.000000000481E000.00000004.00000800.00020000.00000000.sdmp, TOTALCMD64.EXE.0.dr | Binary or memory string: Shell_TrayWnd
Source: ojSIQVSgby.exe, 00000000.00000003.326914549.000000000481E000.00000004.00000800.00020000.00000000.sdmp, TOTALCMD64.EXE.0.dr | Binary or memory string: ^Shell_TrayWndCLEANSWEEP_USEMON_CLASSU3_APP_DATA_PATH
Source: ojSIQVSgby.exe, 00000000.00000003.326914549.000000000481E000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.331029597.000000000521E000.00000004.00000800.00020000.00000000.sdmp, TOTALCMD64.EXE.0.dr | Binary or memory string: progman
Source: ojSIQVSgby.exe, 00000000.00000003.326914549.000000000481E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program ManagerprogmanTMySpeedButtonshell_traywndbuttonU
Source: ojSIQVSgby.exe, 00000000.00000003.326914549.000000000481E000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.331029597.000000000521E000.00000004.00000800.00020000.00000000.sdmp, TOTALCMD64.EXE.0.dr | Binary or memory string: shell_traywnd
Source: TOTALCMD64.EXE.0.dr | Binary or memory string: TabDragAcceptModeProgram ManagerprogmanTMySpeedButtonshell_traywndbuttonNT
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | Code function: GetLastError,GetLastError,wsprintfW,GetEnvironmentVariableW,GetEnvironmentVariableW,GetLastError,??2@YAPAXI@Z,GetEnvironmentVariableW,GetLastError,lstrcmpiW,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,lstrlenA,??2@YAPAXI@Z,GetLocaleInfoW,_wtol,MultiByteToWideChar,0_2_00403DC8
Source: C:\Users\user\Desktop\ojSIQVSgby.exeCode function: 0_2_00406128 ?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z,KiUserCallbackDispatcher,GetVersionExW,GetCommandLineW,GetCommandLineW,GetCommandLineW,wsprintfW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetModuleFileNameW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,wsprintfW,??3@YAXPAX@Z,lstrlenW,GetCommandLineW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetCurrentProcess,SetProcessWorkingSetSize,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,CoInitialize,_wtol,??3@YAXPAX@Z,GetKeyState,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetFileAttributesW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetCurrentDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,MessageBoxA,0_2_00406128
Source: C:\Users\user\Desktop\ojSIQVSgby.exe | Code function: 0_2_004029DA ??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLocalTime,SystemTimeToFileTime,??3@YAXPAX@Z,??2@YAPAXI@Z,??_U@YAPAXI@Z,GetLastError,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,0_2_004029DA
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Valid Accounts | 1 Native API | 1 Windows Service | 1 Windows Service | 11 Masquerading | 111 Input Capture | 1 System Time Discovery | Remote Services | 111 Input Capture | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 Data Encrypted for Impact |
| Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 Process Injection | 1 Process Injection | LSASS Memory | 1 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 2 Obfuscated Files or Information | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 2 Software Packing | LSA Secrets | 14 System Information Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
| Source | Detection | Scanner | Label |
| --- | --- | --- | --- |
| ojSIQVSgby.exe | 19% | ReversingLabs | Win32.Ransomware.Generic |
| ojSIQVSgby.exe | 12% | Virustotal | |
| ojSIQVSgby.exe | 100% | Joe Sandbox ML | |

| Source | Detection | Scanner | Label |
| --- | --- | --- | --- |
| C:\Program Files (x86)\TotalCommander\CABRK.DLL | 7% | ReversingLabs | |
| C:\Program Files (x86)\TotalCommander\CGLPT64.SYS | 0% | ReversingLabs | |
| C:\Program Files (x86)\TotalCommander\CGLPT9X.VXD | 0% | ReversingLabs | |
| C:\Program Files (x86)\TotalCommander\CGLPTNT.SYS | 0% | ReversingLabs | |
| C:\Program Files (x86)\TotalCommander\FRERES32.DLL | 0% | ReversingLabs | |
| C:\Program Files (x86)\TotalCommander\NOCLOSE.EXE | 0% | ReversingLabs | |
| C:\Program Files (x86)\TotalCommander\NOCLOSE64.EXE | 0% | ReversingLabs | |
| C:\Program Files (x86)\TotalCommander\SFXHEAD.SFX | 2% | ReversingLabs | |
| C:\Program Files (x86)\TotalCommander\SHARE_NT.EXE | 0% | ReversingLabs | |
| C:\Program Files (x86)\TotalCommander\TC7Z.DLL | 0% | ReversingLabs | |
| C:\Program Files (x86)\TotalCommander\TC7Z64.DLL | 0% | ReversingLabs | |
| C:\Program Files (x86)\TotalCommander\TC7ZIPIF.DLL | 0% | ReversingLabs | |
| C:\Program Files (x86)\TotalCommander\TCLZMA64.DLL | 0% | ReversingLabs | |
| C:\Program Files (x86)\TotalCommander\TCMADM64.EXE | 0% | ReversingLabs | |
| C:\Program Files (x86)\TotalCommander\TCMADMIN.EXE | 0% | ReversingLabs | |
| C:\Program Files (x86)\TotalCommander\TCMDLZMA.DLL | 0% | ReversingLabs | |
| C:\Program Files (x86)\TotalCommander\TCMDX32.EXE | 0% | ReversingLabs | |
| C:\Program Files (x86)\TotalCommander\TCMDX64.EXE | 0% | ReversingLabs | |
| C:\Program Files (x86)\TotalCommander\TCUNZL64.DLL | 0% | ReversingLabs | |
| C:\Program Files (x86)\TotalCommander\TCUNZLIB.DLL | 0% | ReversingLabs | |
| C:\Program Files (x86)\TotalCommander\TOTALCMD.EXE | 0% | ReversingLabs | |
| C:\Program Files (x86)\TotalCommander\TOTALCMD64.EXE | 0% | ReversingLabs | |
| C:\Program Files (x86)\TotalCommander\TcUsbRun.exe | 0% | ReversingLabs | |
| C:\Program Files (x86)\TotalCommander\UNACEV2.DLL | 0% | ReversingLabs | |
| C:\Program Files (x86)\TotalCommander\UNRAR.DLL | 0% | ReversingLabs | |
| C:\Program Files (x86)\TotalCommander\UNRAR64.DLL | 0% | ReversingLabs | |
| C:\Program Files (x86)\TotalCommander\UNRAR9X.DLL | 4% | ReversingLabs | |
| C:\Program Files (x86)\TotalCommander\WC32TO16.EXE | 0% | ReversingLabs | |
| C:\Program Files (x86)\TotalCommander\WCMICONS.DLL | 0% | ReversingLabs | |
| C:\Program Files (x86)\TotalCommander\WCMZIP32.DLL | 0% | ReversingLabs | |
| C:\Program Files (x86)\TotalCommander\WCMZIP64.DLL | 0% | ReversingLabs | |
| C:\Program Files (x86)\TotalCommander\wincmd.exe | 4% | ReversingLabs | |

| Source | Detection | Scanner | Label |
| --- | --- | --- | --- |
| 0.3.ojSIQVSgby.exe.47b933e.16.unpack | 100% | Avira | TR/Patched.Ren.Gen |
| 0.3.ojSIQVSgby.exe.482369a.20.unpack | 100% | Avira | TR/Patched.Ren.Gen |
| 0.3.ojSIQVSgby.exe.46dec28.6.unpack | 100% | Avira | TR/Patched.Ren.Gen |
| 0.3.ojSIQVSgby.exe.4794b92.12.unpack | 100% | Avira | TR/Patched.Ren.Gen |
No Antivirus matches
| Source | Detection | Scanner | Label |
| --- | --- | --- | --- |
| http://ocsp.thawte.com0 | 0% | URL Reputation | safe |
| http://www.ghisler.com$SEARCH$.WC | 0% | Avira URL Cloud | safe |
| http://www.totalcommander.hu/ | 0% | Avira URL Cloud | safe |
| http://www.hardtoc.com/archives/198) | 0% | Avira URL Cloud | safe |
| http://anso.da.ru | 0% | Avira URL Cloud | safe |
| http://www.totalcommander.hu/ | 0% | Virustotal | |
| http://www.ghisler.comU | 0% | Avira URL Cloud | safe |
| http://www.ghisler.com0 | 0% | Avira URL Cloud | safe |
No contacted domains info
Name: http://www.ghisler.com/plugins.htm
Source: ojSIQVSgby.exe, 00000000.00000003.326914549.000000000481E000.00000004.00000800.00020000.00000000.sdmp, TOTALCMD64.EXE.0.dr
Malicious: false
Reputation: high

Name: http://www.ghisler.com
Source: ojSIQVSgby.exe, 00000000.00000003.318483127.00000000044AE000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.326914549.000000000481E000.00000004.00000800.00020000.00000000.sdmp, TOTALCMD64.EXE.0.dr
Malicious: false
Reputation: high

Name: http://www.ghisler.com/reaktivieren.htm
Source: ojSIQVSgby.exe, 00000000.00000003.326914549.000000000481E000.00000004.00000800.00020000.00000000.sdmp, TOTALCMD64.EXE.0.dr
Malicious: false
Reputation: high

Name: http://ocsp.thawte.com0
Source: ojSIQVSgby.exe, 00000000.00000003.326914549.000000000481E000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.326743950.00000000047A1000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.326169917.0000000006343000.00000004.00001000.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.331029597.000000000521E000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.326435604.00000000064D0000.00000004.00001000.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.332019569.00000000053FD000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.326676130.0000000004761000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.326572971.00000000046E6000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.326830151.00000000047C7000.00000004.00000800.00020000.00000000.sdmp, TOTALCMD64.EXE.0.dr, TCUNZLIB.DLL.0.dr, TCUNZL64.DLL.0.dr, TC7ZIPIF.DLL.0.dr
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: http://www.ghisler.comU
Source: ojSIQVSgby.exe, 00000000.00000003.326914549.000000000481E000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: http://www.ghisler.com/languages.htm
Source: ojSIQVSgby.exe, 00000000.00000003.326914549.000000000481E000.00000004.00000800.00020000.00000000.sdmp, TOTALCMD64.EXE.0.dr
Malicious: false
Reputation: high

Name: http://www.google.com/search?q=%s
Source: ojSIQVSgby.exe, 00000000.00000003.326914549.000000000481E000.00000004.00000800.00020000.00000000.sdmp, TOTALCMD64.EXE.0.dr
Malicious: false
Reputation: high

Name: http://www.ghisler.com/plugins.htmU
Source: ojSIQVSgby.exe, 00000000.00000003.326914549.000000000481E000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://crl.thawte.com/ThawteCodeSigningCA.crl0
Source: ojSIQVSgby.exe, 00000000.00000003.326169917.0000000006343000.00000004.00001000.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.326435604.00000000064D0000.00000004.00001000.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.332019569.00000000053FD000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://buglist.jrsoftware.org/generated/entry0686.htm
Source: ojSIQVSgby.exe, 00000000.00000003.318483127.00000000044AE000.00000004.00000800.00020000.00000000.sdmp, HISTORY.TXT.0.dr
Malicious: false
Reputation: high

Name: http://www.hardtoc.com/archives/198)
Source: ojSIQVSgby.exe, 00000000.00000003.318483127.00000000044AE000.00000004.00000800.00020000.00000000.sdmp, HISTORY.TXT.0.dr
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: http://www.ghisler.com/
Source: ojSIQVSgby.exe, 00000000.00000003.318483127.00000000044AE000.00000004.00000800.00020000.00000000.sdmp, WCMD_DUT.INC.0.dr, TOTALCMD.INC.0.dr, WCMD_ROM.INC.0.dr, WCMD_ITA.INC.0.dr
Malicious: false
Reputation: high

Name: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: ojSIQVSgby.exe, 00000000.00000003.326914549.000000000481E000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.326743950.00000000047A1000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.331029597.000000000521E000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.326676130.0000000004761000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.326572971.00000000046E6000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.326830151.00000000047C7000.00000004.00000800.00020000.00000000.sdmp, TOTALCMD64.EXE.0.dr, TCUNZLIB.DLL.0.dr, TCUNZL64.DLL.0.dr, TC7ZIPIF.DLL.0.dr
Malicious: false
Reputation: high

Name: http://www.ghisler.com/strace.zip
Source: ojSIQVSgby.exe, 00000000.00000003.318483127.00000000044AE000.00000004.00000800.00020000.00000000.sdmp, HISTORY.TXT.0.dr
Malicious: false
Reputation: high

Name: http://www.ghisler.com/reactivate.htmhttp://www.ghisler.com/reaktivieren.htm
Source: ojSIQVSgby.exe, 00000000.00000003.326914549.000000000481E000.00000004.00000800.00020000.00000000.sdmp, TOTALCMD64.EXE.0.dr
Malicious: false
Reputation: high

Name: http://www.ghisler.com/reactivate.htmhttp://www.ghisler.com/reaktivieren.htmU
Source: ojSIQVSgby.exe, 00000000.00000003.326914549.000000000481E000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://www.ghisler.com0
Source: ojSIQVSgby.exe, 00000000.00000003.326914549.000000000481E000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.326743950.00000000047A1000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.326169917.0000000006343000.00000004.00001000.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.331029597.000000000521E000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.326435604.00000000064D0000.00000004.00001000.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.332019569.00000000053FD000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.326676130.0000000004761000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.326572971.00000000046E6000.00000004.00000800.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.326830151.00000000047C7000.00000004.00000800.00020000.00000000.sdmp, TCMDX64.EXE.0.dr, TcUsbRun.exe.0.dr, TOTALCMD64.EXE.0.dr, TCUNZLIB.DLL.0.dr, TCUNZL64.DLL.0.dr, TC7ZIPIF.DLL.0.dr
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: http://bugs.freepascal.org/view.php?id=17280
Source: ojSIQVSgby.exe, 00000000.00000003.318483127.00000000044AE000.00000004.00000800.00020000.00000000.sdmp, HISTORY.TXT.0.dr
Malicious: false
Reputation: high

Name: http://www.ghisler.com/reactivate.htm
Source: ojSIQVSgby.exe, 00000000.00000003.326914549.000000000481E000.00000004.00000800.00020000.00000000.sdmp, TOTALCMD64.EXE.0.dr
Malicious: false
Reputation: high

Name: http://www.ghisler.com$SEARCH$.WC
Source: ojSIQVSgby.exe, 00000000.00000003.326914549.000000000481E000.00000004.00000800.00020000.00000000.sdmp, TOTALCMD64.EXE.0.dr
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: low

Name: http://www.ghisler.com/)
Source: ojSIQVSgby.exe, 00000000.00000003.318483127.00000000044AE000.00000004.00000800.00020000.00000000.sdmp, WCMD_CZ.INC.0.dr
Malicious: false
Reputation: high

Name: http://crl.thawte.com/ThawtePremiumServerCA.crl0
Source: ojSIQVSgby.exe, 00000000.00000003.326169917.0000000006343000.00000004.00001000.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.326435604.00000000064D0000.00000004.00001000.00020000.00000000.sdmp, ojSIQVSgby.exe, 00000000.00000003.332019569.00000000053FD000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://www.totalcommander.hu/
Source: ojSIQVSgby.exe, 00000000.00000003.318483127.00000000044AE000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: 0%, Virustotal; Avira URL Cloud: safe
Reputation: unknown

Name: http://www.ghisler.com/languages.htmU
Source: ojSIQVSgby.exe, 00000000.00000003.326914549.000000000481E000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://www.ghisler.com/plugins.htmhttp://www.ghisler.com/languages.htm
Source: ojSIQVSgby.exe, 00000000.00000003.326914549.000000000481E000.00000004.00000800.00020000.00000000.sdmp, TOTALCMD64.EXE.0.dr
Malicious: false
Reputation: high

Name: http://anso.da.ru
Source: ojSIQVSgby.exe, 00000000.00000003.318483127.00000000044AE000.00000004.00000800.00020000.00000000.sdmp, HISTORY.TXT.0.dr
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

No contacted IP infos

Joe Sandbox Version: 36.0.0 Rainbow Opal
Analysis ID: 757790
Start date and time: 2022-12-01 08:56:45 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 6s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: ojSIQVSgby.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 1
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal64.rans.spyw.winEXE@1/93@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 99.7% (good quality ratio 93.3%)
  • Quality average: 85.4%
  • Quality standard deviation: 26.3%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 52
  • Number of non-executed functions: 87
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
  • Report size getting too big, too many NtQueryValueKey calls found.
No simulations
No context

Process: C:\Users\user\Desktop\ojSIQVSgby.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 43008
Entropy (8bit): 6.342075429771477
Encrypted: false
SSDEEP: 768:hxCyjTENKPb8y9RPSkOYwvc0mZTbZFxBYQ0bmDLlJtZED2unAsHLbDc:XRjwIPo4RqkxC++mP/EqcRY
MD5: 185BA4D8F2C49A0C2EBB6A368703DC1A
SHA1: 242EA2B2B8A6C0615947E0858D96A2F05CD2C1DA
SHA-256: C56DD54229FCD4244BF9222A6B06391F23620B05F82B65AFA1AFFC4622865FBC
SHA-512: 2B13CE027C56649699D7CBC08D971184FC1E52035EB0F3CC06A3571A8CC6DC5B0CD32520C4C820977B0BFA55136938BE5CD7A7E6B762358263D788269171236E
Malicious: false
Antivirus:
  • Antivirus: ReversingLabs, Detection: 7%
Reputation: low
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:PE32+ executable (native) x86-64, for MS Windows
                                        Category:dropped
                                        Size (bytes):23656
                                        Entropy (8bit):6.345306649357881
                                        Encrypted:false
                                        SSDEEP:384:GA7FnWcslGSRsy8WCL9T/SgcaWfQqVU4tCYJLu1M6jn4bC:Bn2lLCpm3Y4tLWMm4bC
                                        MD5:C6E5B7ECFB1AA7A104BC3C0C081E36E0
                                        SHA1:5490600BC334400B519401E961CD6EC1CBE30900
                                        SHA-256:0108B00762DE94C189224874DD064E6EC65EE8F3BFF65801A6FB8D25AF7DE617
                                        SHA-512:26DF27AD946E58469CBD19A8B85E4E6DD78B87DD51D5CE98382F1055AD470ACA60222831D8D851BCB9E3852A22CF2045821C52B69AEAAD437879971B5C50A9A8
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Reputation:low
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:MS-DOS executable, LE executable for MS Windows (VxD)
                                        Category:dropped
                                        Size (bytes):7259
                                        Entropy (8bit):3.5055883777083
                                        Encrypted:false
                                        SSDEEP:96:fX3N53RVs0y9dRYTeFxxKl/lBOWg1vzZy7TANzrvs:fX913gdRWYxQ57kc7TT
                                        MD5:7DF5AEB3ABF3762B75EC888819C53FB0
                                        SHA1:240E5590DFAB406E19C4AF7565DBF7ED39B53EF6
                                        SHA-256:1447FD7E408C368396F46466808399FFF3FF90B67D0FF7807DA4A746E0B77E6B
                                        SHA-512:909D69CA71F4D915FA2BEC9D4D42CDB2D5CB96CA03560212106311A2DA442ECBC813ADF476F75DD4F95B3955E548ACBCA39C41FBA81246EADE0EE59E6D6152FB
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Reputation:low
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:PE32 executable (native) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):14424
                                        Entropy (8bit):6.861955313232054
                                        Encrypted:false
                                        SSDEEP:384:KaMYS6sWi0Gydg/0ZL2l81YJLu1M6jn4bC:xsj7MNgZLWMm4bC
                                        MD5:C9503EED292DB41937C22F620FDAA39C
                                        SHA1:8C6EA207DDD385F63B2CD97B44921C26AFE9A7C1
                                        SHA-256:F39E2CD0F0A458E6012C97284BB636A785815353FF09E59DD5AB96C36E2EC5D0
                                        SHA-512:CC5BBA972DA5AC64040FAB8F24293AFF0CEEE691E728201A94BAD245BBC573F7B19755BEF07FF46A653B1CC9F73A2822CFD7D5983F76D58AB2409088438F6A98
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Reputation:low
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):977
                                        Entropy (8bit):4.920542620817799
                                        Encrypted:false
                                        SSDEEP:24:NWaub0ZgrTOJRFBkqapR04p59e2QoVnIcgj7:NWj0GrCDVIR0M59BQoRE7
                                        MD5:F103B23C658D801D5C31CB056BAFDC16
                                        SHA1:8DE136FC1DD6372B4EB357304C73EB55393BBA13
                                        SHA-256:8159C946398EEC59D8065342C06B957AE38165E664850FB57F5D9971CFFB7C21
                                        SHA-512:A4EDB8541EEA5FCB6411C59EE604304324AEA37E7D0CFC271FAF0F8BD044F93282D14C54168E355F59CCD81AD679C2F3CF4CD65DC5B22C6ED4CE6F160BEB1CD3
                                        Malicious:false
                                        Reputation:low
                                        Preview:[Buttonbar]..Buttoncount=26..button1=wcmicons.dll..cmd1=cm_Rereadsource..button2=..button3=wcmicons.dll,3..cmd3=cm_srcshort..button4=wcmicons.dll,4..cmd4=cm_srclong..button5=wcmicons.dll,26..cmd5=cm_SrcThumbs..button6=wcmicons.dll,51..cmd6=cm_SwitchSeparateTree..button7=..button8=wcmicons.dll,50..cmd8=cm_DirBranch..button9=..button10=wcmicons.dll,11..cmd10=cm_ExchangeSelection..button11=..button12=wcmicons.dll,18..cmd12=cm_GotoPreviousDir..button13=wcmicons.dll,19..cmd13=cm_GotoNextDir..button14=..button15=wcmicons.dll,30..cmd15=cm_PackFiles..button16=wcmicons.dll,31..cmd16=cm_UnpackFiles..button17=..button18=wcmicons.dll,16..cmd18=cm_FtpConnect..button19=wcmicons.dll,17..cmd19=cm_FtpNew..button20=..button21=wcmicons.dll,47..cmd21=cm_SearchFor..button22=wcmicons.dll,46..cmd22=cm_MultiRenameFiles..button23=wcmicons.dll,48..cmd23=cm_FileSync..button24=wcmicons.dll,45..cmd24=cm_CopyFullNamesToClip..button25=..button26=notepad.exe..cmd26=notepad.exe..menu26=Notepad..
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):7680
                                        Entropy (8bit):4.720607356753504
                                        Encrypted:false
                                        SSDEEP:96:nPnfoj5t8jc5pi1YRAdXHOtzg0D2M2STOBYlQ+KGthHNB:nPfoj5t82pi1YCdXHOtMeYwfKGthHN
                                        MD5:12EA15CEFC13310311727D9A036238E5
                                        SHA1:966F63824DBD4FDF5443CDF7275360C554FF6D57
                                        SHA-256:B1F4CE4B2B3E4C4A2F27FF3962AE20E8A556D904C33C9DA9B4E89C4771EA9A58
                                        SHA-512:990ACC8F3EFF8467C613E42E9AAE7DE7BAFCBF3B9F163AA21479C68BEFDBB355B17B9C973E0858BFE3DD0B3556A06D3D2F628F18701DC6FDF7E60FFAE73849D6
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Reputation:low
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:Unicode text, UTF-8 text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):541048
                                        Entropy (8bit):5.000068426363759
                                        Encrypted:false
                                        SSDEEP:6144:FxNcIz0YrgOFaMrsZ+bkR9AIlLZ0NnbQ9ctzTze:VGLZ0NbQ9Ee
                                        MD5:C6C7E250EA4F1E2B6E8B2D996909286D
                                        SHA1:1992820E6172A83123784AE4E1BAC86F00B5B60B
                                        SHA-256:FD25B5DB9CC85A26FF9478CAAC4D5B485869FD504A26E780D2FD97FF38D224C5
                                        SHA-512:B289DA769316E322CB947CFFF5DA67F15B9F35F4B14148356DFB203945CFAB5AE499E7AD9825C6E059E3E0698625233E8C5E4E44D9483AD75A53B7688A959E07
                                        Malicious:true
                                        Reputation:low
                                        Preview:26.08.15 Release Total Commander 8.52 final (32/64)..26.08.15 Fixed: 24x24 icon missing in 64-bit version (64)..26.08.15 Fixed: Crash caused by invalid TC start menu item OPENCUSTOMVIEW1 somename (note the '1' at the end) (32)..21.08.15 Fixed: Search function: Searching for UTF-8 byte order marker "." couldn't be stored in search history when using cyrillic or other non-latin locale (32/64)....19.08.15 Release Total Commander 8.52 release candidate 1 (32/64)..18.08.15 Fixed: Search function: Searching for UTF-8 byte order marker "." couldn't be stored in search history (32/64)..18.08.15 Fixed: drag&drop from file system plugin to archive subdirectory failed with error (32/64)..18.08.15 Fixed: F5 copy from file system plugin to archive subdirectory packed to root of ZIP (32/64)..18.08.15 Fixed: FTP download from list, http links, target already exists -> TC was hanging when "Rename" was chosen (32/64)..18.08.15 Fixed: Branch view, pack files to plugin with option "Create separate ar
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):10922
                                        Entropy (8bit):4.3227123740397975
                                        Encrypted:false
                                        SSDEEP:192:+V1c4p3LusvKn3nTC8NsYF0+FfoMIO16YhIO:WS4llO3Thb0Yz6YhIO
                                        MD5:DF2993D909B7511521FB2C1BDD21FD19
                                        SHA1:B6C6CE6DEA99A410F908AED458F23D6259C839B5
                                        SHA-256:FEEC1B2501A49EB61CA47472F51C52FCC23E4F01FE8FBEE2773C4CCC8D56929B
                                        SHA-512:B19C38F64E5ACA9D8CF5E17A051E6B9F3CC6080328BBFF965174CBAF8AB0DEA41F05E931B2333717F8F663E8B037CAD454F39DCC3AA0E35A60D2503609AF04E5
                                        Malicious:false
                                        Preview:Keyboard Layout of Total Commander..==================================....Key Action..~~~ ~~~~~~....F1 Help..F2 Reread source window..F3 List files..F4 Edit files..F5 Copy files..F6 Rename files..F7 Create directory..F8 or DEL Delete files to recycle bin /delete directly - according to configuration..F9 Activate menu above source window (left or right)..F10 Activate left menu or leave menu..ALT+F1 Change left drive..ALT+F2 Change right drive..ALT+F3 Use external viewer..ALT+SHIFT+F3 Start Lister and load file with internal viewer (no plugins or multimedia)..ALT+F4 Exit | Minimize (with option MinimizeOnClose, see help)..ALT+F5 Pack selected files..ALT+SHIFT+F5 M
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:ISO-8859 text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):10904
                                        Entropy (8bit):6.182565009350998
                                        Encrypted:false
                                        SSDEEP:192:dFDcIOgHUXsxHww/fPTeQ2+HjTMaa/4Fsd+APCimQUKlsyAACafIw+87q+W2UUxP:GIwgje0Fa/4FtAPVmEfCaRT7H
                                        MD5:64B6D9B59FCA534EC9192FF277074EDA
                                        SHA1:A39CEF0AE652BCDA648F374FEF527FC5B021E35B
                                        SHA-256:9415E613E00E845AF5AC5FF75FD32EBA2A7769A0B1BAE58801C5CBDE35808ADD
                                        SHA-512:905F7349A8BBEB1EFF941A296582072F15033B09221057C9A020C46329FBCA34AB32BABC301EFB040887C04A90A66AD7DDB8D3D5B7132EB79E144F2FAA5F4DEF
                                        Malicious:false
                                        Preview:All="..."..Source="......."..Left="...."..Right="....."..FileOperations="......."..Configuration="...."..Network="...."..Misc="...."..ParallelPort="...."..Print="..."..Mark="..."..Security="..."..Clipboard="......"..FTP="FTP"..Navigation="...."..Help="...."..Window="...."..CommandLine="......"..Tools="...."..View="..."..User="......"..Tabs="..."..Custom column views=".........."..Sorting="...."..Commands with parameters="............"....300=".......: ........."..301=".......: ..."..302=".......: ......"..303=".......: ......."..304=".......: ....."..305="............"..306=".......: .....(......)"..307=".......: ......."..311=".......: .........."..312=".......: ......."..313=".......: ..........."..314=".......: ............"..321=".......: ..........."..322=".......: ..........."..323=".......: ........."..324=".......: .........."..325=".......: ......"..330=".......: ........"..331=".......: ..........."..332="...
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:ISO-8859 text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):54818
                                        Entropy (8bit):6.593451845622405
                                        Encrypted:false
                                        SSDEEP:1536:56CiVIhkXJ8p3ZovD8ZKgOaUXPJxIuZNqRUfOeFxz6B7yphv5hFQgUCV:5niV5434cVOfXweF0lohvJnUCV
                                        MD5:E46763D046317842AC0F055E00316412
                                        SHA1:D403D4CDB5C21DF6E0BF856F1696E53C02F87DE3
                                        SHA-256:4EFDCC2FD95650B89CA357C33C7BDBA5776453660F085F40864294CF7B3EA9F8
                                        SHA-512:4A449DE3E2B7686CF5D0744E772B9389D2488D0322FEB563CD3B1400C99BA3C1F83145662C6A6C638A654E365D1C8BBB6063807FF6835A37CE598D21EB06617B
                                        Malicious:false
                                        Preview:........ (Simplified Chinese)..codepage=936..0="... %s\n.......!"..1=".............(..: *.doc;*.txt)"..2="........"..3="........."..4="...(&D);......(&A);....(&S);...(&C)"..5="..(&O);.....(&A);....(&S);...(&C)"..6=".......... %s ..?"..7="............ %s ..?"..8="......... %i .....(..)..?"..9="................... %s ..?"..10=".................. %i .......?"..11="..... %s ......!\r........................?"..12=".............:\r%s\r.......?"..13="..(&O);.....(&A);....(&S)\t...(&C);.......(&D);.......(&K)"..14="......!"..15="....(&S);...(&C)"..16="............(..: *.txt), ...........(.. '<' ..., ..: <(a|b))"..17="............!"..18="........."..19="........."..20="................:"..21=".....: "..22="...: "..23="...: "..24="........."..25=".....(&T)"..26="........(&F)"..27=".........(&M)"..28="............(&L)"..32="...........!"..33=" [........]"..34=" [..... %i ....., %i .......]".
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:ISO-8859 text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):4669
                                        Entropy (8bit):5.944894153367901
                                        Encrypted:false
                                        SSDEEP:96:4L9Rlm3erDZZHQNspOUrnptvZzqIMpuCsgvqAVc:yb1jrBGIJyCA+
                                        MD5:9A7337FB4A0D25062A0852512AA9C42B
                                        SHA1:C49704C6A6E3658FE843D9A6B8ECF947FACAB99F
                                        SHA-256:0DDDB1157DE22FF58D500FAB961D4F54C618FE9972015C8D06C7B055EAE0B9B4
                                        SHA-512:EFCEDFD94D20079BB49B7E1248A6E650809F88D7DDD619007BCE740D8733CF063C56D336D974B5020B6FB5ED5927FB9C2E5EFE6229C7D03921BE5816B18F2543
                                        Malicious:false
                                        Preview:POPUP "...(&F)".. MENUITEM "........(&C)...", 502.. MENUITEM "......(&P)...\tAlt+F5", 508.. MENUITEM "......(&U)...\tAlt+F9", 509.. MENUITEM ".........(&I)\tAlt+Shift+F9", 518.. MENUITEM "..........(&Y)", 2022.. MENUITEM ".......(&A)...", 507.. MENUITEM ".......(...... Total Commander)(&L)...", 519.. MENUITEM "....(&.)...\tAlt+Enter", 510.. MENUITEM ".........(&O)...\tCtrl+L", 503.. MENUITEM "..........(&R)...\tCtrl+M", 2400.. MENUITEM "........(&N)...\tCtrl+Z", 2700.. POPUP "...(&T)".. MENUITEM "......(&L)...", 2027.. MENUITEM "......(...........)(&S)...", 2028.. MENUITEM ".......(&T)\tCtrl+F9", 504.. END_POPUP.. MENUITEM SEPARATOR.. MENUITEM "......(&S)...", 560.. MENUITEM "......(&M)...", 561.. MENUITEM ".......(MIME/UUE/XXE ...)(&E)...", 562.. MENUITEM ".......(MIME/UUE/XXE/BinHex ...)(&D)...", 563.. MENUITEM "..........(CRC32/MD5/SHA1 ...)(&H)...", 564.. MENUITEM ".......(..........)(&V)", 565.. MENUITEM SEPARAT
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:Non-ISO extended-ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):17286
                                        Entropy (8bit):5.440077414628099
                                        Encrypted:false
                                        SSDEEP:384:FbSu0zBHN5ejXnulNVmATRy7hPXCmjjZ40IkIo59bNjf2467vZUUaMgOf:Fp0zBHN5ejXnulNVmATA7hPXCmXZDJxK
                                        MD5:4FECCAD019880F8933A0E117933AB0D0
                                        SHA1:ECEA2EEDEAA30C8E3998EF64D970BC2089A69982
                                        SHA-256:3F423A24049302E810839E8225C9F8BF5D9BA2EE7D2FADA0A0583C5D7BEF8BFE
                                        SHA-512:FA00CECCFF222CB4E01C0BE578AFDD8CB1D94D70B8E50F9A9D080A79DB23E8E4E99EAAFA74EE740D164CF9D680878ADE2112EFEFF4B72EA296644220B3B223A6
                                        Malicious:false
                                        Preview:All="V.e"..Source="Zdrojov. panel"..Left="Lev. panel"..Right="Prav. panel"..FileOperations="Pr.ce se soubory"..Configuration="Konfigurace"..Network="S."..Misc="R.zn."..ParallelPort="Paraleln. port"..Print="Tisk"..Mark="Vybrat"..Security="Zabezpe.en."..Clipboard="Schr.nka"..FTP="Protokol FTP"..Navigation="Navigace"..Help="N.pov.da"..Window="Okno"..CommandLine="P..kazov. ..dek"..Tools="N.stroje"..View="Vzhled"..User="Nab.dka Start"..Tabs="Z.lo.ky"..Custom column views="Vlastn. sloupce"..Sorting=".azen."..Commands with parameters="P..kazy s parametry"....300="Zdroj: Zobrazit - Koment..e Ctrl+Shift+F2"..301="Zdroj: Zobrazit - Seznam Ctrl+F1"..302="Zdroj: Zobrazit - Podrobnosti Ctrl+F2"..303="Zdroj: Stromov. struktura slo.ek Ctrl+F8"..304="Zdroj: N.hled Ctrl+Q"..305="Panely pod sebou nebo vedle sebe"..306="Zdroj: N.hled (bez dopl.k.)"..307="Zdroj: Vypnout n.hled"..311="Zdroj: Zobrazit - Programy Ctrl+F11"..312="Zdroj: Zobrazit - V.echny soubory Ctrl+F10"..313="Zdroj: Posledn. v.b.r"..314="
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:Non-ISO extended-ASCII text, with very long lines (429), with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):77077
                                        Entropy (8bit):5.600210001145553
                                        Encrypted:false
                                        SSDEEP:1536:yZoRjN7br8jKoq0cirByD50UcLzHYzdOD9l9x4yRXAFxLaw9ObOOWd2iGgWwmNGy:yZoHvr8jKfJ2i0UcLz4JOD9l9xHXAFVa
                                        MD5:FC4FA4462AD69DA72E08206D2D4F5A73
                                        SHA1:5120795BBE8EC9E507EE34F8B6505104ADAA15FE
                                        SHA-256:571F2BF238075A24F3A4121F768262FCD03C23841E191BD12B8EC94F9A1015BC
                                        SHA-512:08E8B0DA7A86C929187F15C74A4D8B0AAE41983D4B5A0F37991DE26DC3B33D7CBA65069EDE5BF0F5B2E32928E273BABE7BE118635FB71059F3D8E31D31377DCC
                                        Malicious:false
                                        Preview:.e.tina (Czech)..codepage=1250..0="P..stup k souboru %s byl odep.en."..1="Zadejte typ souboru (nap.. *.doc;*.txt):"..2="Zadejte n.zev nov. slo.ky:"..3="Parametry p..kazov.ho ..dku"..4="O&dstranit;&V.e;P.e&sko.it;S&torno"..5="&P.epsat;&V.e;P.e&sko.it;S&torno"..6="Opravdu chcete odstranit soubor %s?"..7="Opravdu chcete odstranit slo.ku %s?"..8="Opravdu chcete odstranit vybran. soubory a slo.ky (celkem %i)?"..9="Opravdu chcete z archivu odstranit polo.ku %s?"..10="Opravdu chcete z archivu odstranit vybran. soubory (celkem %i)?"..11="Slo.ka %s nen. pr.zdn..\rOpravdu ji chcete odstranit v.etn. v.ech soubor. a podslo.ek?"..12="C.l ji. existuje:\r%s\rChcete ho p.epsat?"..13="&P.epsat;P.epsat &v.e;P.e&sko.it\tS&torno;P.epsat pouze sta&r..;P.esko.it v.&e"..14="Akce byla zru.ena u.ivatelem."..15="P.&esko.it;S&torno"..16="Ur.ete typ soubor. (nap.. *.txt nebo regul.rn. v.raz se znakem '<' na za..tku), nap..: <(a|b)"..17="V.b.ru neodpov.d. ..dn. polo.ka."..18="Roz...en. v.b.ru"..19="Z..en. v.b.ru".
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:Non-ISO extended-ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):6257
                                        Entropy (8bit):5.465354226095325
                                        Encrypted:false
                                        SSDEEP:96:2ZaLZiW9wLX3fwTYoWTE99YDs69YSq1UATn/GtDY8K1:2Z89wLXITLWTEB69m1Ugnu5i
                                        MD5:9535F00EA81C589AE40EECA3C89EA0A4
                                        SHA1:DEC3351D428F83E483E7C5A9743892344DA1AD42
                                        SHA-256:F499C569F50594D436F3B3FE3F8B55E78D22719DE0BC557514332C815EF42593
                                        SHA-512:2B918C1A27A4E148A38B08AF6325F30DD7639327C58E9A8447869D1DDFB574C0BA0E2922C866EC74A4F8D81FB91C772C96BD5709AADAFA9A557C8F78ED462801
                                        Malicious:false
                                        Preview:POPUP "&Soubor".. MENUITEM "&Zm.na atribut....", cm_SetAttrib.. MENUITEM "&Komprimovat...\tAlt+F5", cm_PackFiles.. MENUITEM "E&xtrahovat...\tAlt+F9", cm_UnpackFiles.. MENUITEM "&Test archivu...\tAlt+Shift+F9", cm_TestArchive.. MENUITEM "Porovn&at podle obsahu...", cm_CompareFilesByContent.. MENUITEM "&P.idru.it...", cm_Associate.. MENUITEM "Vnit.n. p.idru.en. (jen program Tota&l Commander)...", cm_InternalAssociate.. MENUITEM "&Vlastnosti...\tAlt+Enter", cm_VersionInfo.. MENUITEM "&Obsazen. prostor...\tCtrl+L", cm_GetFileSpace.. MENUITEM "Hromadn. p.&ejmenov.n....\tCtrl+M", cm_MultiRenameFiles.. MENUITEM "Zm.&nit koment.....\tCtrl+Z", cm_EditComment.. POPUP "T&isk".. MENUITEM "&Seznam soubor....", cm_PrintDir.. MENUITEM "Seznam soubor. a &podslo.ek...", cm_PrintDirSub.. MENUITEM "&Obsah souboru\tCtrl+F9", cm_PrintFile.. END_POPUP.. MENUITEM SEPARATOR.. MENUITEM "&Rozd.lit soubor...", cm_Split.. MENUITEM "&Slou.it soubory...", cm_Combine.. MENUITEM "Zak.dovat s
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:ISO-8859 text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):14770
                                        Entropy (8bit):5.228837679831929
                                        Encrypted:false
                                        SSDEEP:384:4bQkWmzJi+rSPSmPptuGGdeCSUIN3Av4gGWHOugct67:4bQkWmBmPpsjdegC3qHwct67
                                        MD5:9DF944AA4C18DF04B7B6E0B0322E144F
                                        SHA1:43E04FDE0CAA7A5036F2B53B55592A352B49F6D1
                                        SHA-256:26537E532977B49B2D9E83016F2A7FA138D863D7F00A461E9463DB2728D00F13
                                        SHA-512:619E0D056A1C3C0A9C63F02EC4F7A44804C6EA56781CA65E6C685184E94EE61773415B7835B2AC5B381923408331D2812B37233F3E5A7E29F4F1D0397775D548
                                        Malicious:false
                                        Preview:All="Alle kommandoer"..Source="Kilde"..Left="Venstre"..Right="H.jre"..FileOperations="Fil-operationer"..Configuration="Ops.tning"..Network="Netv.rk"..Misc="Diverse"..ParallelPort="Parallelport"..Print="Udskriv"..Mark="Marker"..Security="Sikkerhed"..Clipboard="Udklipsholder"..FTP="FTP"..Navigation="Navigation"..Help="Hj.lp"..Window="Vindue"..CommandLine="Kommandolinje"..Tools="Redskaber"..View="Vis"..User="Bruger"..Tabs="Faneblade"..Custom column views="Brugerbestemt visning"..Sorting="Sortering"..Commands with parameters="Kommandoer med parametre"....300="Kilde: Vis kommentarer"..301="Kilde: Vis kun filnavne"..302="Kilde: Vis alle fildetaljer"..303="Kilde: Vis Mappeoversigt"..304="Kilde: Hurtigvisning"..305="Vertikal visning"..306="Kilde: Hurtigvisning, uden plugins"..307="Kilde: Hurtigvisning fra"..311="Kilde: Vis programmer"..312="Kilde: Vis alle filer"..313="Kilde: Sidst valgt"..314="Kilde: Maske"..321="Kilde: Navne-sortering"..322="Kilde: Type-sortering"..323="Kilde: St.rrelse-sort
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:ISO-8859 text, with very long lines (389), with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):71252
                                        Entropy (8bit):5.3521098446111095
                                        Encrypted:false
                                        SSDEEP:1536:tk1Vfev/0FobCtXOetCfZpzIU9SeLKUwlrPeDmIhBvQWRK:W2X0F1tXpCD80GUwCmIPK
                                        MD5:36E37A0500E8A26AABF10883FFBC70E6
                                        SHA1:2E7B5FF37FA85EDDC68C52725CDD61D7A55D5AEC
                                        SHA-256:C072303A6D855938A2B08EA9EAAA2C3406B9293871D8C1E9374AC49B7259850E
                                        SHA-512:41DE4493A2D338DA0BD47E574A8CD0B44814A5443CFCFC0D95F4077D1F89A2889EDBA3514CB2CF06EAA0BD73C93BF7A2C0579536BADD3C6BB5BBABF557C25CBF
                                        Malicious:false
                                        Preview:Dansk..codepage=1252..0="Adgang n.gtet til filen\n%s !"..1="Angiv filtyper (f.eks. *.doc;*.txt)"..2="Ny mappe (directory):"..3="Kommandolinje parametre"..4="&Slet;&Alle;Spring &over;Af&bryd"..5="&Overskriv;&Alle;&Spring over;Af&bryd"..6="Er du sikker p., at du vil slette den valgte fil %s ?"..7="Er du sikker p., at du vil slette den valgte mappe %s ?"..8="Er du sikker p., at du vil slette de %i valgte filer/mapper?"..9="Er du sikker p., at du vil fjerne den valgte fil %s fra arkivet?"..10="Er du sikker p., at du vil fjerne de %i valgte filer fra arkivet?"..11="Mappen %s er ikke tom!\rVil du slette den med alle filer og undermapper?"..12="Destination findes allerede:\r%s\rVil du overskrive?"..13="&Overskriv;Overskriv &alle;&Spring over\tAf&bryd;Overskriv &.ldre;S&pring over alle"..14="Brugerafbrydelse!"..15="&Spring over;Af&bryd"..16="Angiv filtype:\nf.eks. *.txt - eller RegEx med '<' foran - f.eks <(a|b)"..17="Ingen fundet!"..18="Udvid valg"..19="Indskr.nk valg"..20="Indtast navnet p.
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:ISO-8859 text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):5755
                                        Entropy (8bit):5.364912353381522
                                        Encrypted:false
                                        SSDEEP:96:YKivCaP9HYqtWS/iyxHSY0ltqQdWT8CPws1lrM:YKtaP1ES/iyxYXWT9os1lo
                                        MD5:4E72757EC5B96EA3837DA9C091671901
                                        SHA1:1EC49D831893439C2A9869C62BA7A29C3071655B
                                        SHA-256:A7FBB3B1D58E30F8ABAF844A0EA7AE562D99F0ABA47E51CEF24172C933F08C5D
                                        SHA-512:5B6DD65A5BD0EBA59A2772B53EBF3B43C20F072788A4F45C101253722CEACFA9B2493455ECDBB900C3DBC45A3C8F63D571C37BBC4234BB021BF9B84640D088C1
                                        Malicious:false
                                        Preview:POPUP "&Fil"... MENUITEM "&.ndre attributter...", cm_SetAttrib.. MENUITEM "&Pak filer...\tAlt+F5", cm_PackFiles.. MENUITEM "&Udpak filer...\tAlt+F9", cm_UnpackFiles.. MENUITEM "Ko&ntroller arkiv(er)\tSkift+Alt+F9", cm_TestArchive.. MENUITEM "Sammenlign &indhold...", cm_CompareFilesByContent.. MENUITEM "Asso&cier...", cm_Associate.. MENUITEM "&Associer internt (kun Total Commander)...", 519.. MENUITEM "E&genskaber...\tAlt+Enter", cm_VersionInfo.. MENUITEM "B&eregn brugt plads...\tCtrl+L", cm_GetFileSpace.. MENUITEM "Multi-omd&.bning...\tCtrl+M", cm_MultiRenameFiles.. MENUITEM "Rediger &filkommentar\tCtrl+Z", 2700.. POPUP "Udsk&riv".. MENUITEM "Fil&liste...", cm_PrintDir.. MENUITEM "Filliste med &undermapper...", cm_PrintDirSub.. MENUITEM "Fil&indhold\tCtrl+F9", cm_PrintFile.. END_POPUP.. MENUITEM SEPARATOR.. MENUITEM "&Opdel fil...", cm_Split.. MENUITEM "&Saml filer...", cm_Combine.. MENUITEM "&Kod fil (MIME, UUE, XXE)...", cm_Encode.. MENUITEM "&Dekod fil (
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:ISO-8859 text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):15506
                                        Entropy (8bit):5.187617079280539
                                        Encrypted:false
                                        SSDEEP:384:Rxk+8oIXY7H0KYM5soVkfa83poxrBcS7EExk9Qa31ei5xDqABnEsIkkV:RxD85S7GZ31zIABnzEV
                                        MD5:96242D4507EF46518AA5BC6A964567B6
                                        SHA1:02ECEFFF2DAD69F5A631105F7EDF0E561A8AC465
                                        SHA-256:11FBD28E8D58861A02CBD97A51F10D7B8BEE2CC7AE0A344973A0799937D899D9
                                        SHA-512:F8897B74A92B87EF0123AF5B3B524F8D382FECE53CCA8A70C8F3435AA2D2B8D7E73ECF8D5CCF9BEAD814DEB2A715D83824AC71FAE62BC142108D40D2CDA0709C
                                        Malicious:false
                                        Preview:All="Alle"..Source="Quelle"..Left="Links"..Right="Rechts"..FileOperations="DateiOperationen"..Configuration="Konfiguration"..Network="Netzwerk"..Misc="Diverses"..ParallelPort="ParallelPort"..Print="Drucken"..Mark="Markieren"..Security="Sicherheit"..Clipboard="Zwischenablage"..FTP="FTP"..Navigation="Navigation"..Help="Hilfe"..Window="Fenster"..CommandLine="Kommandozeile"..Tools="Tools"..View="Ansicht"..User="Benutzer"..Tabs="Tabs"..Custom column views="Benutzerdef. Ansichten"..Sorting="Sortieren"..Commands with parameters="Befehle mit Parametern"....300="Quelle: Zeige Kommentare"..301="Quelle: Nur Dateinamen"..302="Quelle: Alle Dateidetails"..303="Quelle: Verzeichnisbaum"..304="Quelle: Schnellansicht"..305="Dateifenster .bereinander"..306="Quelle: Schnellansicht, ohne Plugins"..307="Quelle: Schnellansicht aus"..311="Quelle: Nur Programme"..312="Quelle: Alle Dateien"..313="Quelle: Zuletzt gew.hlte"..314="Quelle: Benutzerdef. Typ"..321="Quelle: Sortiere nach Namen"..322="Quelle: Sortiere
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:ISO-8859 text, with very long lines (407), with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):77123
                                        Entropy (8bit):5.356992359209458
                                        Encrypted:false
                                        SSDEEP:1536:m3RUEKHfi8UoeVTHQwttLUdYWZFR4o82HY8ZkBlciEjmcL6uE6U8Xban/8WmvCyz:m3mE6KDUdioUNu5RvKjuRb
                                        MD5:4F78971CCE68ACC537623E04B13A8C29
                                        SHA1:DECFB83E1CFCC76E90C409DC9401CFA0D90F407D
                                        SHA-256:51FFC849F969630DD25F36A994A4D33B139B16688C7CCDA0012725D1FEDAC242
                                        SHA-512:D57BA528B453F0B2BA64FDC3F6E76E974ADB5BC4F5B63EACCA155546CDCB02CC02FD042E6C56E8FC8D4073880800C3DCDFB13BB15629BC42AAABCD30F4F73200
                                        Malicious:false
                                        Preview:Deutsch..codepage=1252..0="Zugriff verweigert auf Zieldatei\n%s!"..1="Dateiarten eingeben (z.B. *.doc;*.txt)"..2="Neuer Ordner (Verzeichnis)"..3="Kommandozeilenparameter"..4="&L.schen;&Alle;&.berspringen;A&bbrechen"..5=".ber&schreiben;&Alle;&.berspringen;A&bbrechen"..6="Soll die markierte Datei %s wirklich gel.scht werden?"..7="Soll das markierte Verzeichnis %s wirklich gel.scht werden?"..8="Sollen die %i markierten Dateien/Verzeichnisse wirklich gel.scht werden?"..9="Soll die markierte Datei %s wirklich aus der Archiv-Datei gel.scht werden?"..10="Sollen die %i markierten Dateien wirklich aus der Archiv-Datei gel.scht werden?"..11="Das Verzeichnis %s ist nicht leer!\nSoll es trotzdem inklusive Inhalt komplett gel.scht werden?"..12="Zieldatei existiert bereits:\r%s\rWollen Sie die Datei .berschreiben?"..13=".ber&schreiben;&Alle .berschreiben;&.berspringen\tA&bbrechen;Alle &.lteren .berschr.;Alle .bers&pringen"..14="Abbruch durch den Benutzer!"..15="&.berspringen;A&bbrechen"..16="Dateiar
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:ISO-8859 text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):5679
                                        Entropy (8bit):5.337353848017106
                                        Encrypted:false
                                        SSDEEP:96:hdHU+7t/czxPMWlCuxvDHTvOD/Lbpsr+FYdOB:/UG0xUkvXMnOr+FR
                                        MD5:7F2D92D2400E83BF2EC7A0FE024D81D2
                                        SHA1:CDE077338480FF59EDD1698A86470B40EA8A35E0
                                        SHA-256:CAB7BBEB88B12DF50C838096F6D4F5FC37B94EE5557E2909F398A9EF203A774F
                                        SHA-512:EE79A6239B5281E83E85B5A1DD35035BA5C86AD047227B04DB85D452D0D1B526CEE7F3F6641E566783494F7960CDE22EB0771B5D65CF80923DE7819E9E83F9B9
                                        Malicious:false
                                        Preview:POPUP "&Dateien".. MENUITEM "&Dateiattribute .ndern...", cm_SetAttrib.. MENUITEM "&Packen...\tAlt+F5", cm_PackFiles.. MENUITEM "&Entpacken...\tAlt+F9", cm_UnpackFiles.. MENUITEM "&Teste Archiv(e)...\tAlt+Umschalt+F9", 518.. MENUITEM "&Vergleich nach Inhalt...", 2022.. MENUITEM "Ver&kn.pfen...", cm_associate.. MENUITEM "&Interne Verkn.pfungen (nur in Total Commander)...", 519.. MENUITEM "Eigen&schaften...\tAlt+Enter", cm_versioninfo.. MENUITEM "Speicher&bedarf ermitteln...\tStrg+L", cm_GetFileSpace.. MENUITEM "&Mehrfach-Umbenenn-Tool...\tStrg+M", 2400.. MENUITEM "Komme&ntar bearbeiten...\tStrg+Z", 2700.. POPUP "Dr&ucken".. MENUITEM "Datei&liste...", 2027.. MENUITEM "Dateiliste mit &Unterverzeichnissen...", 2028.. MENUITEM "&Datei-Inhalt\tStrg+F9", cm_PrintFile.. END_POPUP.. MENUITEM SEPARATOR.. MENUITEM "Datei &aufspalten...", 560.. MENUITEM "Dateien &zusammenf.gen...", 561.. MENUITEM "Datei &codieren (MIME,UUE,XXE)...", 562.. MENUITEM "Datei dec&odieren (MIME
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:ISO-8859 text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):15564
                                        Entropy (8bit):5.113844238432258
                                        Encrypted:false
                                        SSDEEP:384:/tLL7Pk8C1IVz0g0+GYhF9l94F0xHGewqKkpt9zw8qcpuxy/8FtMc5HSYSvHhDfC:/ZLLI8hw8lpZDa
                                        MD5:14C6D0007687F8B1D33D14AAC8A57E4C
                                        SHA1:0D459BCB753D05A1EAA835399C97EFD60564A8CE
                                        SHA-256:526F706566148BFB9519F778DCBD7588843A1A6A91ED076E4665AE5CCB15918D
                                        SHA-512:6BE658518FF8C14202B6EFC35D4114A2852E3B668CF5789B5EB2E1A5A374931D21028CF4A7CD32DFCEDE3A37135D256B3B84F7E356BE576F6393FC27749FE515
                                        Malicious:false
                                        Preview:All="Alles"..Source="Bron"..Left="Links"..Right="Rechts"..FileOperations="BestandsBewerkingen"..Configuration="Configuratie"..Network="Netwerk"..Misc="Diversen"..ParallelPort="ParallellePoort"..Print="Afdrukken"..Mark="Markeren"..Security="Beveiliging"..Clipboard="Klembord"..FTP="FTP"..Navigation="Navigatie"..Help="Help"..Window="Venster"..CommandLine="OpdrachtRegel"..Tools="Gereedschappen"..View="Beeld"..User="Gebruiker"..Tabs="Tabs"..Custom column views="Aangepaste kolommen"..Sorting="Sorteren"..Commands with parameters="Opdracht met parameters"....300="Bron: Commentaren tonen"..301="Bron: Alleen bestandsnamen"..302="Bron: Alle bestandsdetails"..303="Bron: Directory boom"..304="Bron: Voorbeeldvenster"..305="Bestandsvensters boven elkaar"..306="Bron: Voorbeeld, geen plug-ins"..307="Bron: Snelweergave uit"..311="Bron: Alleen programma's"..312="Bron: Alle bestanden"..313="Bron: Laatst geselecteerd"..314="Bron: Gebruikerstype selecteren"..321="Bron: Sorteren op naam"..322="Bron: Sorteren
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:ISO-8859 text, with very long lines (422), with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):76539
                                        Entropy (8bit):5.302790660243932
                                        Encrypted:false
                                        SSDEEP:1536:/fh5wnDfRGUlp7iOZHtfX8PR5vUitN/aTm0Uwt/x3iU/nj:/knD4UlwEtfXi5nXl0Uqbj
                                        MD5:1E25BD8E5961647FE56F6498D02B13CD
                                        SHA1:2B7409D7391C92862FFAB54CFDDA098CD0E5D938
                                        SHA-256:93A67C2CD64F0A5AF362F3E716837AE5483C4C910628EBFDC3815AE9E440372C
                                        SHA-512:5F056A996E3FE00DE223BBA40FF03935995C6A4B4F4074CE20CE06C982D46C2E8A01CC81581F61B610DC65C476EC365071FBCF942877330FE445FEE26159DB38
                                        Malicious:false
                                        Preview:Nederlands..codepage=1252..0="Toegang geweigerd tot bestand\n%s!"..1="Voer bestandstypen in (bv. *.doc; *.txt)"..2="Nieuwe map (directory)"..3="Opdrachtregelparameters"..4="&Wissen;A&lles;&Overslaan;&Annuleren"..5="Over&schrijven;A&lles;&Overslaan;&Annuleren"..6="Wil je het geselecteerde bestand %s echt wissen?"..7="Wil je de geselecteerde directory %s echt wissen?"..8="Wil je de %i geselecteerde bestanden/directory's echt wissen?"..9="Wil je het bestand %s echt uit het archief wissen?"..10="Wil je de %i geselecteerde bestanden echt uit het archief wissen?"..11="De directory %s is niet leeg!\rWil je deze met alle bestanden en subdirectory's wissen?"..12="Het bestand bestaat reeds:\r%s\rWil je het overschrijven?"..13="Over&schrijven;Alles Overs&chrijven;&Overslaan\t&Annuleren;Ou&dere overschrijven;Alles ov&erslaan"..14="Geannuleerd door gebruiker!"..15="&Overslaan;&Annuleren"..16="Specificeer bestandstype, bv. *.txt, of RegEx startend met '<', zoals <(a|b)"..17="Geen overeenkomsten gevo
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:ISO-8859 text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):5653
                                        Entropy (8bit):5.344613884657912
                                        Encrypted:false
                                        SSDEEP:96:2yNERoIWjQ/yOxIlM2NDbl2m3BvYZ08F3dwvmzagnD5XLBXe1:2jRoIZ6OxzWtV5+wBgD5XLBXE
                                        MD5:648DDCFC17794926B74BCE47848ED22E
                                        SHA1:C5A22813EDAC0BF3F10A40C22EAAE241E5EFF267
                                        SHA-256:9B92F5859F417B2E63C5FB3674DBF738115E922838CBBA5F3E9A47083C54201C
                                        SHA-512:D065563E854F3FF803CC4928126C50F7AE0ACB3AD54E521BE62BDC30E01CD1D5FC1BD62943CAD6BA4DCD5283B8BD416C74C1961D64A59A63F1F92399C16EC08C
                                        Malicious:false
                                        Preview:POPUP "&Bestand".. MENUITEM "Attributen &wijzigen...", cm_SetAttrib.. MENUITEM "&Inpakken...\tAlt+F5", cm_PackFiles.. MENUITEM "&Uitpakken...\tAlt+F9", cm_UnpackFiles.. MENUITEM "Archief &testen\tAlt+Shift+F9",518.. MENUITEM "&Vergelijken op inhoud...", 2022.. MENUITEM "Verbi&nden...", cm_associate.. MENUITEM "Interne verbindingen (A&lleen voor Total Commander)...", 519.. MENUITEM "Ei&genschappen...\tAlt+Enter", cm_versioninfo.. MENUITEM "&Benodigde ruimte berekenen...\tCtrl+L", cm_GetFileSpace.. MENUITEM "Uitgebreid &hernoemen...\tCtrl+M", 2400.. MENUITEM "C&ommentaar bewerken...\tCtrl+Z", 2700.. POPUP "Afd&rukken".. MENUITEM "Bestands&lijst...", 2027.. MENUITEM "Bestandslijst met &subdirectory's...", 2028.. MENUITEM "Bestandsin&houd\tCtrl+F9", cm_PrintFile.. END_POPUP.. MENUITEM SEPARATOR.. MENUITEM "Bestand &splitsen...", 560.. MENUITEM "Bestanden co&mbineren...", 561.. MENUITEM "B&estand coderen (MIME, UUE, XXE)...", 562.. MENUITEM "Bestand &decoderen (MI
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:ISO-8859 text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):16115
                                        Entropy (8bit):5.077244066677247
                                        Encrypted:false
                                        SSDEEP:192:pi5QHilpRypnyjwrumFU5RYTCYZyXns1Eia4tEIr36rUrfArgrKJfFLJiRiPphWN:fCTOnZ36wrA8OVvhWQCj
                                        MD5:ACE2C9BABC27D5EFF0C85551E1A5F725
                                        SHA1:58346C170CA915269C977B8D57276C4E434E7E71
                                        SHA-256:9CD7C35D6049EC1E1131B0A8F3AEA5DA7B70FE07E6D2EBD3BA69591466889DAA
                                        SHA-512:801BA8F121BB817287CE32EFF7C8382DB23DAB62EA8077FED9B9FC5BD52D58AFDD48DE68B5805D7991E880E610286F5064F6DA37E96E466FC6564A2B1594AF7B
                                        Malicious:false
                                        Preview:All="Todo"..Source="Origen"..Left="Izquierda"..Right="Derecha"..FileOperations="Operaciones con Ficheros"..Configuration="Configuraci.n"..Network="Red"..Misc="Varios"..ParallelPort="Puerto Paralelo"..Print="Imprimir"..Mark="Seleccionar"..Security="Seguridad"..Clipboard="Portapapeles"..FTP="FTP"..Navigation="Navegaci.n"..Help="Ayuda"..Window="Ventana"..CommandLine="L.nea de Comandos"..Tools="Herramientas"..View="Ver"..User="Usuario"..Tabs="Pesta.as"..Custom column views="Vistas personalizadas"..Sorting="Orden"..Commands with parameters="Comandos con Par.metros"....300="Origen: Mostrar comentarios"..301="Origen: S.lo nombre de ficheros"..302="Origen: Todos los detalles"..303="Origen: .rbol de directorios"..304="Origen: Panel de vista r.pida"..305="Paneles uno sobre el otro"..306="Origen: Vista r.pida sin plug-ins"..307="Origen: Desactivar Vista R.pida"..311="Origen: S.lo programas"..312="Origen: Todos los ficheros"..313="Origen: .ltimo seleccionado"..314="Origen: Definido por el usuario"
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:ISO-8859 text, with very long lines (389), with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):73431
                                        Entropy (8bit):5.293501366727019
                                        Encrypted:false
                                        SSDEEP:1536:9EFac19Ya86VuFphkJKQkLqbxCPzvhVaAdB2h7joPkihB:c9Yb0MbGKQaVVXdrB
                                        MD5:13CE2746C2EF57A93D773B8BECBEF45E
                                        SHA1:7137274529AFE4016A1F092F2420280A98D2D22B
                                        SHA-256:56C45421BEC21100E128582D6D7583F2FE9810A754E7707D52B97D585BDEE668
                                        SHA-512:6136ACF88D5D49F962230C992AA37B64362AF9FDE48EAB201747959BFCB8A8D060A39261C5E935C979241F9FE3FBD9A791AEB5FE810E8606F782EDCA78F94ADC
                                        Malicious:false
                                        Preview:Espa.ol (tradicional)..codepage=1252..0="Acceso denegado al fichero\n%s!"..1="Introduzca el tipo de fichero (Ej.: *.doc;*.txt)"..2="Nuevo directorio"..3="Par.metros de l.nea de comandos"..4="&Eliminar;&Todos;&Saltar;&Cancelar" ..5="&Reemplazar;&Todos;&Saltar;&Cancelar"..6=".Realmente quiere eliminar el fichero seleccionado %s?"..7=".Realmente quiere eliminar el directorio seleccionado %s?"..8=".Realmente quiere eliminar los %i ficheros/directorios seleccionados?"..9=".Realmente quiere eliminar el fichero seleccionado %s del archivo?"..10=".Realmente quiere eliminar los %i ficheros seleccionados?"..11="El directorio %s no est. vac.o!\r.Quiere eliminarlo con sus ficheros y subdirectorios?"..12="El destino ya existe:\r%s\r.Quiere reemplazarlo?"..13="&Reemplazar;Reemplazar &Todos;&Saltar\t&Cancelar;Reemplazar &anteriores;Sa&ltar todos"..14=".Cancelado por el usuario!"..15="&Saltar;&Cancelar"..16="Indique el tipode fichero, p.e. *.txt, o una RegEx con extra '<' como <(a|b)"..17=".No se
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:ISO-8859 text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):6368
                                        Entropy (8bit):5.033131758660272
                                        Encrypted:false
                                        SSDEEP:48:gEhsBBDL1BYsy/R8aat5sT7w2erqyAwtPyl9GRjvuJOBNoRlwIh1bHuWwe1jXozy:gBBPEE2WjtaPQuMuwLmrdAvIivphM
                                        MD5:75F011F5B90B3F6F5C4FC2D11E16914C
                                        SHA1:4D4BF59FB6278E971C516A65AB0F866B66DF6275
                                        SHA-256:7CF467AAC00F55E142949B34654F6A6913FB0C7FFDC85F669E14B64FD6C43179
                                        SHA-512:A3EB11AB83007119E253A3B4154A49D742CAED953CC0F3A090B1ACEF4AE454DC34058DC53760FE7E6E746B122636DFE8A0B7B110B64185F45F79ED5C4000E8D9
                                        Malicious:false
                                        Preview:POPUP "&Archivo".. MENUITEM "Cambiar atribut&os...", cm_SetAttrib.. MENUITEM "Com&primir...\tAlt+F5", cm_PackFiles.. MENUITEM "&Descomprimir...\tAlt+F9", cm_UnpackFiles.. MENUITEM "Compro&bar fichero(s)\tAlt+May.s+F9",518.. MENUITEM "Comparar por cont&enido...", 2022.. MENUITEM "&Asociar con...", cm_associate...MENUITEM "Asociaciones Internas (s.lo &Total Commander)...", 519.. MENUITEM "Informaci.n sobre el &fichero...\tAlt+Entrar", cm_versioninfo.. MENUITEM "Calcular el espacio &usado...", cm_GetFileSpace.. MENUITEM "&Renombrar seleccionados...\tCtrl+M", 2400.. MENUITEM "Editar come&ntario...\tCtrl+Z", 2700.. POPUP "&Imprimir".. MENUITEM "&Lista de ficheros...", 2027.. MENUITEM "Ficheros y &subdirs...", 2028.. MENUITEM "...este fichero\tCtrl+F9", cm_PrintFile.. END_POPUP.. MENUITEM SEPARATOR.. MENUITEM "Di&vidir fichero...", 560.. MENUITEM "Co&mbinar f
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:Non-ISO extended-ASCII text, with CRLF, NEL line terminators
                                        Category:dropped
                                        Size (bytes):17675
                                        Entropy (8bit):5.125980818218572
                                        Encrypted:false
                                        SSDEEP:192:rN2BrLMvoScNUspVVLXHt9A9jUV7kTOa6a+ScwFuh0MWyF/hXO8Q7WNY2mT/fVu:GLMvovRVVB9A9joCWbhPWynXO+mU
                                        MD5:DC42FF8BA5E920E2EC14F9E27DF52DE8
                                        SHA1:ADD9B232ACCE006126E7FFA1A616366E6327A8C0
                                        SHA-256:8CBC8BEC00420117EB3A640B42498D158CDB2F11129B1E8B5CE690C937DF56C3
                                        SHA-512:D5942CC8BC1ACEF1852044FE172F9EB0F11F57F12E6B89D0DDD7E6DAE7828FA54A03C31F291B512F873925ABECAA186A12C49F973D43C90FAC54E7E864EF5792
                                        Malicious:false
                                        Preview:All="Tout"..Clipboard="Presse-papier"..CommandLine="Ligne de commande"..Configuration="Configuration"..Custom column views="Colonnes .Utilisateur."..FileOperations="Op.rations fichiers"..FTP="FTP"..Help="Aide"..Left="Gauche"..Mark="S.lection"..Misc="Divers"..Navigation="Navigation"..Network="R.seau"..ParallelPort="Port parall.le"..Print="Imprimer"..Right="Droite"..Security="S.curit."..Sorting="Tri"..Source="Source"..Tabs="Onglets"..Tools="Outils"..User="Utilisateur"..View="Affichage"..Window="Fen.tre"..Commands with parameters="Commandes . param.tres. N. interdits !"....-2="<R.pertoire> Aller au r.pertoire indiqu."..-3="<Nom_de_Fichier> Charger les onglets d'un fichier *.tab"..-4="<Nom_de_Fichier> Ajouter les onglets . ceux qui existent d.j."..-5="<Nom_de_la_connexion> Ouvrir une connexion FTP enregistr.e"..-6="<Nom_de_l'op.ration> Ouvrir une op.ration d'appariage enregistr.e"..-7="<Cha.ne_de_recherche> Ouvrir une op.ration de recherche stock.e"..-8="<Nom_de_Fichier> Ouvrir une barre
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):80972
                                        Entropy (8bit):5.338568807297442
                                        Encrypted:false
                                        SSDEEP:1536:LOwsUAke8/jozWqLaK5bImaUsshkVHBFTVJ2tIuSHCkH2b5aDdsn9bFSXiEKxXV7:AvQjsUXvSIuVIcQ7nP2
                                        MD5:C9E7289E07CD4D71B499D7D02D5FEEC5
                                        SHA1:96D5777CF1BDAE21861B59EF50A35B6A2D3F817A
                                        SHA-256:AC935A1DCDF6C86BB34CECA8BF0BEC356C65F2700BBF76F37FF8F7673907E4BF
                                        SHA-512:C4B6B1047A1C4732E094913EF6B55AE703B67CDE208F6B697F13FD06DCF626DD952985DD11C01D152851105B73A49C266175EC6A1F9EE30978E9157E7900C62C
                                        Malicious:false
                                        Preview:Fran.ais..codepage=1252..0="Acc.s refus. au fichier de destination\n%s!"..1="Types de fichiers (p. ex. *.doc;*.txt)"..2="Nouveau.x r.pertoire.s"..3="Param.tres en ligne de commande"..4="&Supprimer;&Tous;&NON;&Annuler"..5="&Remplacer;&Tous;&NON;&Annuler"..6="Voulez-vous vraiment supprimer le fichier choisi %s?"..7="Voulez-vous vraiment supprimer le r.pertoire choisi %s?"..8="Voulez-vous vraiment supprimer les %i fichiers/r.pertoires choisis?"..9="Voulez-vous vraiment supprimer le fichier choisi %s de l'archive?"..10="Voulez-vous vraiment supprimer les %i fichiers choisis de l'archive?"..11="Le r.pertoire %s n'est pas vide!\nVoulez-vous le supprimer enti.rement avec tous les fichiers?"..12="Fichier de destination existe d.j.:\r%s\rVoulez-vous .craser ce fichier?"..13="&Remplacer;Remplacer &tous;&Ignorer\t&Annuler;Remplacer ancie&n;I&gnorer tous"..14="Interruption par l'utilisateur!"..15="&Ignorer;&Annuler"..16="Indiquez le type de fichier (par exemple: *.txt)"..17="Pas de fichiers ad-hoc
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:Non-ISO extended-ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):6065
                                        Entropy (8bit):5.3281512624251395
                                        Encrypted:false
                                        SSDEEP:96:rjmei5bmH3MqaHq+TvOjhKehiA7W3j7eB43qB7qYX4f1:rjucLsK0zQ43WWYX49
                                        MD5:151BC53568D018375B80D4E32AE6B7D3
                                        SHA1:55303F49A1D9B38ACA5184F7E87E1EF8EF31CE05
                                        SHA-256:CD209203D2ED1F4C87AC23D17A6CA546649CCCF7D28E9782A1BB36E6C85EEB09
                                        SHA-512:160FEE5FC9AF0D6E67094719F6E02AFDDECC8B2CA5D73FF576C27820A93D97F5999C17017695878887E069F931B51BC3B0E455B127A8855EF07C4808B0A3385E
                                        Malicious:false
                                        Preview:POPUP "&Fichiers".. MENUITEM "Changer les a&ttributs", cm_SetAttrib.. MENUITEM "&Compresser les fichiers...\tALT+F5", cm_PackFiles.. MENUITEM "&D.compresser les fichiers...\tALT+F9", cm_UnpackFiles.. MENUITEM "Te&ster Archive(s)...\tALT+MAJ+F9", 518.. MENUITEM "C&omparer par contenu...", 2022.. MENUITEM "Associer &.... : Association de Windows", cm_associate.. MENUITEM "Association i&nterne dans Total Commander seulement...", cm_InternalAssociate.. MENUITEM "In&formations fichier...\tALT+Entr.e", cm_versioninfo.. MENUITEM "Calculer l'&Espace occup. par les fichiers...\tCtrl+L", cm_GetFileSpace.. MENUITEM "O&util Renommer (par lots)\tCtrl+M", 2400.. MENUITEM ".diter &1 commentaire\tCtrl+Z", 2700.. POPUP "&Imprimer".. MENUITEM "&Liste de fichiers...", 2027.. MENUITEM "Liste fichiers avec &s-r.pertoire...", 2028.. MENUITEM "Con&tenu d'un fichier\tCtrl+F9", cm_PrintFile.. END_POPUP.. MENUITEM SEPARATOR.. MENUITEM "Fr&actionner fichier...", 560.. MENUITEM "Re-co&mbi
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:ISO-8859 text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):14445
                                        Entropy (8bit):5.387802684915872
                                        Encrypted:false
                                        SSDEEP:192:ccvwyRecfYlfgWgh89UVPlr8PYmKI/3DeNf7rw/PN9zpX8++VW01vVrvC2Kud/Vy:TvdecQtz2l4gmKI/DeNcPp8RTaEE
                                        MD5:2C59CD0103D641B1849328E722047FEE
                                        SHA1:E1CB2700A7EC001F48519330A02272AE7BB71584
                                        SHA-256:53A555A6FBC1381C3ECDE6FD432F0ACF18C53875F0761688E44BE33693BAB620
                                        SHA-512:A6D5D8B86B132B2FE60B5C7614076BE691EFA725555D22F9634CBBCB06D45EB76595608F739D719119A96E68D80CBB92681F98C435F0ABE62CFCD32E94F7B7B8
                                        Malicious:false
                                        Preview:All=".sszes"..Source="Forr.s"..Left="Bal"..Right="Jobb"..FileOperations="F.jlm.veletek"..Configuration="Be.ll.t.s"..Network="H.l.zat"..Misc="Egy.b"..ParallelPort="P.rhuzamos port"..Print="Nyomtat.s"..Mark="Kijel.l.s"..Security="Biztons.g"..Clipboard="V.g.lap"..FTP="FTP"..Navigation="Navig.ci."..Help="S.g."..Window="Ablak"..CommandLine="Parancssor"..Tools="Eszk.z.k"..View="N.zet"..User="Felhaszn.l."..Tabs="F.lek"..Custom column views="Egyedi oszlopn.zetek"..Sorting="Sorbarendez.s"..Commands with parameters="Parancs param.terekkel"....300="Forr.s: Megjegyz.s megjelen.t.se"..301="Forr.s: Csak a f.jl neve"..302="Forr.s: Minden f.jl adat"..303="Forr.s: mappalista"..304="Forr.s: Gyorsn.z.ke"..305="F.jlablakok egym.s felett"..306="Forr.s: Gyorsn.z.ke be.p.l. n.lk.l"..307="Forr.s: Gyorsn.zet ablak ki"..311="Forr.s: Csak programok"..312="Forr.s: Minden f.jl"..313="Forr.s: Utolj.ra kiv.lasztott"..314="Forr.s: Felhaszn.l.i t.pus v.laszt.s"..321="Forr.s: Rendez.s n.v szerint"..322="Forr.s: Rendez.
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:Non-ISO extended-ASCII text, with very long lines (450), with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):69835
                                        Entropy (8bit):5.585683903512039
                                        Encrypted:false
                                        SSDEEP:1536:3ISusf7Poko8h1l7ulFoNAPYlj4g9jg31b25eEzWA5zy:4SusbPo8hnuOr9U3OeEKgzy
                                        MD5:9F5D3E7BE863B9EADD4712AA1E68ECBB
                                        SHA1:B2103FE7255A46B1517DB7E009788C66B787B537
                                        SHA-256:096F8C7203B6BD70265CE2EE0F1D3C754A063EB8ACCED5106B64C2B90AA9C693
                                        SHA-512:0C1495D2CE5F0D5ACC398D13F5FA83317210CC761967C3184F674E1EB983825EFEDE2949A895AB04E2B71E7F5838E49CAA7B1360C32B24F9C2C9C26B614860B0
                                        Malicious:false
                                        Preview:Magyar (tegez.s)..codepage=1250..0="A hozz.f.r.s le van tiltva\n%s."..1="A mutatand. f.jlt.pus (pl. *.doc; *.txt stb.):"..2=".j mappa"..3="Parancssor-param.terek"..4="&T.rli;M&indet;&Kihagyja;&M.gse"..5="&Fel.l.rja;M&indet;&Kihagyja;&M.gse"..6="T.nyleg t.rl.d a(z) %s f.jlt?"..7="T.nyleg t.rl.d a(z) %s mapp.t?"..8="T.nyleg t.rl.d a(z) %i kijel.lt f.jlt/mapp.t?"..9="T.nyleg t.rl.d a(z) %s f.jlt a t.m.r.tett f.jlb.l?"..10="T.nyleg t.rl.d a(z) %i kijel.lt f.jlt a t.m.r.tett f.jlb.l?"..11="A(z) %s almappa nem .res.\rT.nyleg t.rl.d a f.jlokat .s az almapp.kat?"..12="A c.lf.jl m.r l.tezik:\r%s\rFel.l.rod?"..13="&Fel.l.rja;M&indet fel.l.rja;&Kihagyja\t&M.gse;A &r.gebbit fel.l.rja;Mind ki&hagyja"..14="Felhaszn.l.i megszak.t.s"..15="&Kihagyja;&M.gse"..16="F.jlt.pus meghat.roz.sa, pl. *.txt, vagy RegEx kezdve '<' jellel, pl. <(a|b)"..17="Nincs ilyen!"..18="A kiv.laszt.s b.v.t.se"..19="A kiv.laszt.s sz.k.t.se"..20="A szerkesztend. f.jl neve:"..21="Fel.l.r: "..22=".j f.jl: "..23=".sszehasonl.t.s: "
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:Non-ISO extended-ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):5760
                                        Entropy (8bit):5.532667868313393
                                        Encrypted:false
                                        SSDEEP:96:H5MhZTUcr0bvoqwYyAToH0GB9CZcs+Rjz2SYDI8:CZAfoqwYyKy2SzODl
                                        MD5:7E96B6340683D324F863DE790C0A958F
                                        SHA1:118DA2467AF25A6BB3A11429224B0E666C416FF3
                                        SHA-256:335A5D3B42C5E57E2636182BDD26A7D7A88F09628B0BB04CACDCEED4C907E797
                                        SHA-512:ED8A13B599EEDD3BC73B0BDFCAB7F3FD3F3B2F6E6C915121A9A0DED449210B49DD10B2368EFD1BA05A3CA09D5BAF9F64B08DE24AD20B687D02BBFD8F50007528
                                        Malicious:false
                                        Preview:POPUP "&F.jl".. MENUITEM "&Attrib.tumok m.dos.t.sa...", cm_SetAttrib.. MENUITEM "&Becsomagol.s...\tALT+F5", cm_PackFiles.. MENUITEM "K&icsomagol.s...\tALT+F9", cm_UnpackFiles.. MENUITEM "Csomagolt f.j&l tesztel.se...\tALT+SHIFT+F9", 518.. MENUITEM ".ss&zehasonl.t.s tartalomra...", 2022.. MENUITEM "&Hozz.rendel.s...", cm_associate.. MENUITEM "Bels. hozz.rendel.s (csak a Total Commanderben)...", 519 .. MENUITEM "&Verzi.-inform.ci....\tALT+ENTER", cm_versioninfo.. MENUITEM "Elfoglalt ter.let &sz.m.t.sa...\tCtrl+L", cm_GetFileSpace.. MENUITEM "Csopo&rtos .tnevez.s...\tCtrl+M", 2400.. MENUITEM "Gy&orsfeljegyz.s a f.jlhoz...\tCtrl+Z", 2700.. POPUP "Nyom&tat.s".. MENUITEM "F.jln.v&lista...", 2027.. MENUITEM "F.jln.vli&sta almapp.kkal...", 2028.. MENUITEM "F.jl tartalma\tCtrl+F9", cm_PrintFile.. END_POPUP.. MENUITEM SEPARATOR.. MENUITEM "&F.jldarabol.s...", 560.. MENUITEM "F.jleg&yes.t.s...", 561.. MENUITEM "F.jlk&.dol.s (MIME,UUE,XXE)...", 562.. MENUITEM "F.jl&dek.
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:ISO-8859 text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):15918
                                        Entropy (8bit):4.992379526975483
                                        Encrypted:false
                                        SSDEEP:384:fIBMiupf/9pmyCpMqRi9MVbukn89QsUM6IBzjjJD7MACzvZ6:fIBMiupX9pZCpMqRXVbuk8pUM6IBzjjX
                                        MD5:3E9F8255F5847999A3BB54E98CEA5380
                                        SHA1:A4B0380D68E01159FA8B4B610CFCDCA2078EF8CC
                                        SHA-256:24B181C6347980541E00424D38E0EC2D2BC8F5C99DD05883098A0A86294685D1
                                        SHA-512:4E43C8731E71413CFAB6C7EB755A0C7F05BB24600A487CEBFE1D38234C95A943314A36EB6D3B8FB3E273168055B8C5DD75E7FBEBE7CD3751648C076FD89FF67C
                                        Malicious:false
                                        Preview:300="Sorgente: Visualizza commenti"..301="Sorgente: Solo nomi file"..302="Sorgente: Tutti i dettagli dei file"..303="Sorgente: Albero delle cartelle"..304="Sorgente: Pannello vista breve"..305="Finestra File sopra ogni altra"..306="Sorgente: Vista breve, nessun plugin"..307="Sorgente: pannello visualizzazione semplifice disabilitato"..311="Sorgente: Solo programmi"..312="Sorgente: Tutti i file"..313="Sorgente: Ultimo selezionato"..314="Sorgente: Seleziona tipo utente"..321="Sorgente: Ordina per nome"..322="Sorgente: Ordina per estensione"..323="Sorgente: Ordina per dimensione"..324="Sorgente: Ordina per data"..325="Sorgente: Non ordinare"..330="Sorgente: Ordine inverso"..331="Sorgente: Apri elenco unit."..332="Sorgente: focus sul percorso"..269="Sorgente: Visualizza anteprime"..270="Sorgente: Men. visualizzazione personalizzata"....100="Sinistra: Visualizza : Ordina per"..101="Sinistra: Solo nomi file"..102="Sinistra: Tutti dettagli dei file"..103="Sinistra: Albero cartelle"..104="Sini
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:ISO-8859 text, with very long lines (403), with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):76119
                                        Entropy (8bit):5.224691719795907
                                        Encrypted:false
                                        SSDEEP:1536:cV/EpfEGYfdP93dauH6ppq2/mmCtRcszx/r2sVEtEQucrBLRTd29KrXA9HNa7T0g:AGHYf5930uHYpq2/mZRcszx/r2yalTdP
                                        MD5:232AAFF09961E6C5AB7FD7A8541DA4E8
                                        SHA1:8931FF3B1B4B9CC939A6B86EA7DF8E3C4A12DF99
                                        SHA-256:8E71753A0A8EC8ED7E38C21D575AE69066728E213AA3CBBF85650E966FFDD778
                                        SHA-512:D897529B10ACD90C2A4C67A06306FCD38570E0E225D2E768FC673805E779A922DCF9F90666652CC0E2058C538C326F353467C25C9CE2A1A0AE76070763631838
                                        Malicious:false
                                        Preview:Italiano..codepage=1252..0="Accesso negato\n%s!"..1="Specifica il tipo di file (es. *.doc; *.txt)"..2="Nuova cartella"..3="Parametri linea di comando"..4="&Elimina;&Tutti;Tra&lascia;&Annulla"..5="&Sovrascrivi;&Tutti;Tra&lascia;&Annulla"..6="Eliminare il file selezionato %s ?"..7="Eliminare la cartella selezionata %s ?"..8="Eliminare %i file o le cartelle selezionati(e) ?"..9="Eliminare il file %s dall'archivio ?"..10="Eliminare i file %i selezionati dall'archivio?"..11="La cartella %s non . vuota !\rEliminarla con file e sottocartelle?"..12="Il file di destinazione esiste :\r%s\rSovrascrivere?"..13="&Sovrascrivi;Sovrascrivi &tutti;Tra&lascia\t&Annulla;Sovrascrivi &vecchi;T&ralascia tutti"..14="Stop utente!"..15="&Tralascia;&Annulla"..16="Specifica il tipo di file, es. *.txt, o RegEx con inizio '<', tipo <(a|b)"..17="Nessuna corrispondenza trovata!"..18="Espandi selezione"..19="Riduci selezione"..20="File da modificare:"..21="Sovrascrivi: "..22="Con il file: "..23="Confronta: "..24="Dis
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:ISO-8859 text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):5793
                                        Entropy (8bit):5.335146512715791
                                        Encrypted:false
                                        SSDEEP:96:D/5v9PDrKnJWbhbOoYNlA4ZX81iC5wtkdJ11:D/517eJmh6NXX+iPkjP
                                        MD5:0EBA629251279F2035FF456CF4E62871
                                        SHA1:25211376734E8F278C15DD95929044245434DC28
                                        SHA-256:A0AC2CC8CA8E8C5140213420737DABA7A6B7B056D5E7B0874788FBEC420EC656
                                        SHA-512:5A14568A0707FCE3975DD96F1F915950DB6ADCFAA42EBF07BEC138F77DE7641D90783BB66A85FA66D9F2BD44D7979930F464F82639188C5DD09D09FDC5B0653F
                                        Malicious:false
                                        Preview:POPUP "&File".. MENUITEM "&Cambia attributi...", cm_SetAttrib.. MENUITEM "Com&primi...\t<Alt>+F5", cm_PackFiles.. MENUITEM "&Decomprimi...\t<Alt>+<F6>", cm_UnpackFiles.. MENUITEM "Te&st archivio(i)...\t<Alt>+<Maiusc>+<F9>", 518.. MENUITEM "C&onfronta per contenuto...", 2022.. MENUITEM "&Associa...", cm_associate.. MENUITEM "Associazione interna (so&lo per Total Commander)...", 519.. MENUITEM "Informazioni sulla &versione...\t<Alt>+<Invio>", cm_versioninfo.. MENUITEM "Calcola lo spazio &richiesto...", cm_GetFileSpace.. MENUITEM "Strumento multi ri&nomina...\t<Ctrl>+M", 2400.. MENUITEM "Modi&fica commenti...\t<Ctrl>+Z", 2700.. POPUP "S&tampa".. MENUITEM "&Lista file...", 2027.. MENUITEM "Lista file e &sotto cartelle...", 2028.. MENUITEM "Con&tenuti file\t<Ctrl>+<F9>", cm_PrintFile.. END_POPUP.. MENUITEM SEPARATOR.. MENUITEM "D&ividi...", 560.. MENUITEM "&Unisci...", 561.. MENUITEM "Codifica (&MIME,UUE,XXE)...", 562.. MENUITEM "Decodifica (MIME,UUE,&XXE,BinHex).
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:ISO-8859 text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):12484
                                        Entropy (8bit):6.044964924220925
                                        Encrypted:false
                                        SSDEEP:192:XYrxc+6wjG8mRa3tAkpqaWr5nZ76iYtfBBqntaufpE1JazQ2sreGfvIP8Q+IqUk1:I3v5cH6iYtfqtamE1FAP8Q+IVH23
                                        MD5:EA1F339C14C70877DB25F1CFB4E90463
                                        SHA1:58F546A564ED0BD8F1D690222999E965B4D5E635
                                        SHA-256:E719960B618CF2870D504A7C2956B982B95D30629D7E3D825B44473EE7D87D24
                                        SHA-512:86361465743883DF20EF13D6EAB0CFC4B1D55D401247B83E9681FDAFF900387560F5DFFBC53D22C8BEBC55F2A55BF2A98630C15089FCB311DF17CB9FD0203C92
                                        Malicious:false
                                        Preview:All="..."..Source="...."..Left="....."..Right="......."..FileOperations=".... ...."..Configuration="... ...."..Network="......"..Misc="..."..ParallelPort="..... ..."..Print="..."..Mark="...."..Security="...."..Clipboard="......."..FTP="FTP"..Navigation="..."..Help="...."..Window="....."..CommandLine=".... ... .."..Tools="...."..View="...."..User="..... ..."..Tabs=".... .."..Custom column views="..... .. ...."..Sorting="...."..Commands with parameters="......... .... ..."....300="....: ... ...."..301="....: ......"..302="....: ....."..303="....: .... ..."..304="....: .... ...."..305=".... ...."..306="....: ....... .... .... ...."..307="....: ....... ..."..311="....: .... ...."..312="....: ... ...."..313="....: .... ..... ...."..314="....: ..... ...."..321="....: ....."..322="....: ......"..323="....: ...."..324="....: ....."..325="....: .... ...."..330="....: .... ...."..331="....: ...... ... ...."..332="...
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):66153
                                        Entropy (8bit):6.325287137993168
                                        Encrypted:false
                                        SSDEEP:1536:GemFAi4k/nClje7zrLnwrRiuT6nBKSu3wRUznm97npYx+T+H:FoAiX/nCVezMFiddjUznmRpgq+H
                                        MD5:B79F070B9839B131FFDD8D296128CF61
                                        SHA1:B52C5018FE4DE7A25794F1CFCC5D5E32EC7C766A
                                        SHA-256:F27029BC5C52EA78748D7568254085282C8FA2439AB4920A3971AC71FB93DB63
                                        SHA-512:E257207EF35500F5AA582B2128E78F65E05F5AF05466A121EA8371D2A2CF0A361DF711E9CE3CD3939423414EE5EE48021648862EE473D63FD8D8B593EF01D5C3
                                        Malicious:false
                                        Preview:Korean(..... for 8.5)..codepage=949..0=".... ...... ...........\n%s!"..1=".... ...... ........(..: *.doc;*.txt)"..2=".. .... (....)"..3="... .. ... ...."..4="....(&D);... ....(&A);.....(&S);...(&C)"..5="......(&O);... ......(&A);.....(&S);...(&C)"..6="...... %s ...... ...... .........?"..7="...... %s ...... ...... .........?"..8="...... %i.... ..../...... ...... .........?"..9="...... %s...... .... ....... ...... .........?"..10="...... %i.... ...... .... ....... ...... .........?"..11="[%s]...... .. ...... .....!\r..... ...... ...... ...... .........?"..12="......... ... ........:\r%s\r.... ........?"..13="......(&O);... ......(&A);.....(&S)\t...(&C);.. .... ....(&D);... .....(&K)"..14="...... .... ..........!"..15=".....(&S);...(&C)"..16=".... .... ....(..: *.txt ... <(a|b) ... '<' .. ....... .....)"..17="...... ....... ......!"..18="... ...."..19="... ...."..20="...... ..... ...:"..21="..
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:ISO-8859 text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):5398
                                        Entropy (8bit):6.045178251801465
                                        Encrypted:false
                                        SSDEEP:96:WqlG+k5ysHLgavEJGRrzFHbS1NnaosXQbKBqYS:FmysMGEmF17X2SbS
                                        MD5:1783AA19A1D39409009941592668D058
                                        SHA1:9FF7BC26568A0FD0DAAA88F78870270AA96CDFFB
                                        SHA-256:F203D6E0C37C308FD7C36A16442D6255B664E96B293D68B021EC3B2FD28E27BB
                                        SHA-512:D2D6C000ACD8EDA6BF4BD80D64CA6F53DBA088A77BEF5413315AE18A29F5B776F45B04EF000CB1153BB254CF0C5BF4C1C07D052381725D8EF113F74D8AAD35E0
                                        Malicious:false
                                        Preview:POPUP "....(&F)".. MENUITEM "... ....(&C)...", cm_SetAttrib.. MENUITEM ".... ....(&P)...\tALT+F5", cm_PackFiles.. MENUITEM ".... ....(&U)...\tALT+F9", cm_UnpackFiles.. MENUITEM ".... .... ...(&I)\tALT+SHIFT+F9",518.. MENUITEM "........ .... ..(&Y)...", 2022.. MENUITEM "...... ....(&A)...", cm_associate.. MENUITEM "... ...... ....(&L) (.............)...", 519.. MENUITEM "... ....&...\tALT+ENTER", cm_versioninfo.. MENUITEM ".... .... ...(&O)...", cm_GetFileSpace.. MENUITEM "..... ... ....(&R)...\tCtrl+M", 2400.. MENUITEM "... ....(&N)...\tCtrl+Z", 2700.. POPUP "...(&T)".. MENUITEM ".... .... ...(&L)...", 2027.. MENUITEM ".... ...... ...... .... .... ...(&S)...", 2028.. MENUITEM ".... ....(&T)\tCtrl+F9", cm_PrintFile.. END_POPUP.. MENUITEM SEPARATOR.. MENUITEM ".... ....(&S)...", 560.. MENUITEM ".... ....(&M)...", 561.. MENUITEM ".... ....(&E), .....(MIME,UUE,XXE)...", 562.. MENUITEM ".... ....(&D), .....(MIME,UUE,XXE,BinHex)...", 563..
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:ISO-8859 text, with very long lines (355), with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):68519
                                        Entropy (8bit):5.318301812208896
                                        Encrypted:false
                                        SSDEEP:1536:IpMqAWe1FY7bUQVysA2GHEWhGZjXunYdzGv/6PeUcdRZW5ef:5qAWe1OXbmboj+Yk6Pwf
                                        MD5:86D6628D06BC66F793DF44925E1847FC
                                        SHA1:EAFA3838B5CBBE5433DC963693319FEB08D690E4
                                        SHA-256:AF53B1982B745761ED4604D0108C8BADD89048016A10A120A696C1DEF538F1DD
                                        SHA-512:4E7E10F6EA2A29838903EE470D23537EC26801F11B34214F1AB193CBB911BA4D9478AD65E573F4F4E67411071F82221147D456AB798824CB052EEC60EE98568D
                                        Malicious:false
                                        Preview:Norsk (Bokm.l)..codepage=1252..0="filen\n%s er skrivebeskyttet!"..1="Angi filtyper (f.eks. *.doc;*.txt)"..2="Ny mappe (katalog)"..3="Kommandolinjeparametere"..4="&Slett;&Alle;Hopp &over;Av&bryt"..5="&Erstatt;Erstatt &alle;&Hopp over;Av&bryt"..6="Vil du virkelig slette filen %s?"..7="Vil du virkelig slette mappen %s?"..8="Vil du virkelig slette de %i valgte filene/mappene?"..9="Vil du virkelig slette filen %s fra arkivet?"..10="Vil du virkelig slette de %i valgte filene fra arkivet?"..11="Mappen %s er ikke tom!\rVil du slette alle dens filer og undermapper?"..12="Destinasjon eksisterer allerede:\r%s\rVil du erstatte?"..13="&Erstatt;Erstatt &alle;&Hopp over\tAv&bryt;Erstatt alle e&ldre;H&opp over alle"..14="Avbrutt av bruker!"..15="&Hopp over;Av&bryt"..16="Angi filtype, f.eks. *.txt, eller RegEx som starter med '<', like <(a|b)"..17="Ingen funnet!"..18="Utvid valg"..19="Innskrenk valg"..20="Filnavn som skal redigeres:"..21="Erstatt: "..22="Med fil: "..23="Sammenligning: "..24="Flyttbar d
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:ISO-8859 text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):5359
                                        Entropy (8bit):5.395475690971009
                                        Encrypted:false
                                        SSDEEP:96:KmNwUoZKNV8C8bP2jy5fxJmksCEk3Si9B:KmyZJC8bz5f+3w3SU
                                        MD5:074071CEA75488A1E8169100F7729002
                                        SHA1:ACD1FFFD60B1FFBA1095F9B72BAB655605034A18
                                        SHA-256:589E2E5F9A8BA3791E15FC52AC51D9518B76612F8DB35F0338646267A92267B2
                                        SHA-512:6931BF436179F12BE05A4440F7B12E832069C0526C2A92C0746A83F2C4B161A10518AF18321AB48FB7B9D9A5ADBFC2FFABFDEBBA32F97B513EAF04C46769099B
                                        Malicious:false
                                        Preview:POPUP "&Fil".. MENUITEM "Endre attri&butter...", cm_SetAttrib.. MENUITEM "&Komprimer...\tALT+F5", cm_PackFiles.. MENUITEM "&Dekomprimer alle filene...\tALT+F9", cm_UnpackFiles.. MENUITEM "Test arki&v\tALT+SHIFT+F9",518.. MENUITEM "Sammenli&gn etter innhold...", 2022.. MENUITEM "&Assosier med...", cm_associate.. MENUITEM "Interne a&ssosiasjoner (kun for Total Commander)...", 519.. MENUITEM "Ege&nskaper...\tALT+ENTER", cm_versioninfo.. MENUITEM "Beregn brukt p&lass...", cm_GetFileSpace.. MENUITEM "D.&p om flere filer..\tCtrl+M",2400.. MENUITEM "Rediger k&ommentar...\tCtrl+Z", 2700.. POPUP "Sk&riv ut".. MENUITEM "Fil&liste...", 2027.. MENUITEM "Filliste med &undermap...", 2028.. MENUITEM "Filinn&hold\tCtrl+F9", cm_PrintFile.. END_POPUP.. MENUITEM SEPARATOR.. MENUITEM "Del f&il...", 560.. MENUITEM "Ko&mbiner filer...", 561.. MENUITEM "Kode &fil(MIME,UUE,&XXC)...", 562.. MENUITEM "Dekod&e fil (MIME,&UUE,XXC,BinHex)...", 563.. MENUITEM "Opprett sjekksumfil(e
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:Non-ISO extended-ASCII text, with very long lines (419), with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):75226
                                        Entropy (8bit):5.572244367590967
                                        Encrypted:false
                                        SSDEEP:1536:eLg73NHZ4XyAZfwhVe9u6mIZBBdFk6Oj4xkXMeNJGlR2CVv14+rhZEPkT+u/8VR5:XkyyHZdWsWXP0L114inEPRuiwA
                                        MD5:9EF46DA2C0D3C16FBC9FAA0926BBA6C5
                                        SHA1:4841416D25D0B32C10812167D06FAEEC786E7799
                                        SHA-256:3722FBB826356DF8C69F61DFB2C122EAD261DFAB8871471381353ECBC0C9A3A6
                                        SHA-512:22B394FBEE442571C5BBFEE71DA024D7643505F96CFBAE2116BD957423C472ACA170730CF725EEB1179ECB3D988AF5285BD77E040614A7B36DBA7DD7D1ED13DF
                                        Malicious:false
                                        Preview:Polski..codepage=1250..0="Dost.p do pliku zabroniony \n%s!"..1="Wprowad. rodzaj plik.w (np. *.doc;*.txt)"..2="Nowy katalog (folder)"..3="Parametry wiersza polece."..4="&Usu.;&Wszystkie;&Pomi.;&Anuluj"..5="&Zast.p;&Wszystkie;&Pomi.;&Anuluj"..6="Czy rzeczywi.cie chcesz usun.. wybrany plik %s?"..7="Czy rzeczywi.cie chcesz usun.. wybrany katalog %s?"..8="Czy rzeczywi.cie chcesz usun.. %i wybranych plik.w/katalog.w?"..9="Czy rzeczywi.cie chcesz usun.. wybrany plik %s z archiwum?"..10="Czy rzeczywi.cie chcesz usun.. %i wybranych plik.w z archiwum?"..11="Katalog %s nie jest pusty!\rCzy chcesz usun.. go wraz ze wszystkimi jego plikami i podkatalogami?"..12="Docelowy element ju. istnieje:\r%s\rCzy chcesz go zast.pi.?"..13="&Zast.p;Zast.p &wszystkie;&Pomi.\t&Anuluj;Zast.p wszystkie &starsze;P&omi. wszystkie"..14="Przerwanie na .yczenie u.ytkownika"..15="&Pomi.;&Anuluj"..16="Wprowad. typ pliku, np. *.txt, lub wyra.enie regularne poprzedzone znakiem '<', np. <(a|b)"..17="Nie znaleziono pasuj.cych!
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:Non-ISO extended-ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):5596
                                        Entropy (8bit):5.495439166312857
                                        Encrypted:false
                                        SSDEEP:96:itxv3IcBgiDVUHRBH+jYn+9lWR4G+YMhf9lN6N:itxfIcBJ0RBHHq8bYTu
                                        MD5:4CAD6617346AF7214B2CFBE4544D6564
                                        SHA1:A05E0B6FA18BBF435E66D5DF079C068C81173F46
                                        SHA-256:4B06DA95FF23D7B87E23B519F53A71F0B33D43F2497BA50BEBAA8FF80522D17E
                                        SHA-512:7829B8AA3A9366C8E44DB7BBADB003A40CBC82FAC43F6552E3F0E34E9766D8C55DB2BD5731604BC028159427C272597B852E42B7A630AB944FF9E0E840203403
                                        Malicious:false
                                        Preview:POPUP "Pli&ki".. MENUITEM "&Zmie. atrybuty...", cm_SetAttrib.. MENUITEM "S&pakuj...\tAlt+F5", cm_PackFiles.. MENUITEM "&Rozpakuj...\tAlt+F9", cm_UnpackFiles.. MENUITEM "Testuj arc&hiwum(a)\tAlt+Shift+F9",518.. MENUITEM "Por.w&naj wg zawarto.ci...", 2022.. MENUITEM "&Skojarz z...", cm_associate.. MENUITEM "Wewn.trzne sko&jarzenia Total Commandera...", 519.. MENUITEM "&W.a.ciwo.ci...\tAlt+Enter", cm_versioninfo.. MENUITEM "&Oblicz zajmowan. przestrze.", cm_GetFileSpace.. MENUITEM "Narz.dzie wielokro&tnej zamiany...\tCtrl+M", 2400.. MENUITEM "Edytuj ko&mentarz...\tCtrl+Z", 2700.. POPUP "&Drukuj".. MENUITEM "&List. plik.w...",2027.. MENUITEM "List. plik.w z &podkatalogami...", 2028.. MENUITEM "&Zawarto.. pliku pod kursorem\tCtrl+F9", cm_PrintFile.. END_POPUP.. MENUITEM SEPARATOR.. MENUITEM "Podzie&l plik...", 560.. MENUITEM "Sc&alaj pliki...", 561.. MENUITEM "Za&koduj plik(i) (MIME, UUE, XXE)...", 562.. MENUITEM "D&ekoduj plik(i) (MIME, UUE, XXE, BinHex)...", 563
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:ISO-8859 text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):16349
                                        Entropy (8bit):5.122278658782224
                                        Encrypted:false
                                        SSDEEP:384:dY4peToNc7t/B8j/IjbQKYF+pT7BPqiO2W2mlnne+Y+3UYmXf016YnEdlEuUu:dYqooNc7t/aj/IjbQKYF+pT7BPqiO2WQ
                                        MD5:54C2B03138BC5CE43A51F1626D6B37D3
                                        SHA1:E52C87E9796A33F4D950DC08A22DFBD2DE0D3A6C
                                        SHA-256:6EFFD986E7698ACA186CE319826C37789960CD95EE3EB555A5916447C6659C91
                                        SHA-512:57EE408653C2C40582791558025E3A7432A679BD06A94CE4E353DCF9648068E86688ED206BC086CC3E6424B7776D7794C372894E12CF899E7995F5D650A6C019
                                        Malicious:false
                                        Preview:All="Afi.eaz._Tot"..Source="Sursa"..Left="St.nga"..Right="Dreapta"..FileOperations="Opera.ii_fi.iere"..Configuration="Configurare"..Network="Re.ea"..Misc="Alte_set.ri"..ParallelPort="Port_Paralel"..Print="Tip.rire"..Mark="Selec.ii"..Security="Securitate"..Clipboard="Clipboard"..FTP="FTP"..Navigation="Navigare"..Help="Ajutor"..Window="Fereastra"..CommandLine="Linia_de_Comand."..Tools="Instrumente"..View="Vizualizare"..User="Utilizator"..Tabs="File"..Custom column views="Coloane_personalizate"..Sorting="Sortare"..Commands with parameters="Comenzi_cu_parametri"....300="Sursa: Arat. comentariile"..301="Sursa: Doar numele fi.ierelor"..302="Sursa: Toate detaliile fi.ierelor"..303="Sursa: Arbore"..304="Sursa: Vizualizare rapid."..305="Ferestrele cu fi.iere una sub alta"..306="Sursa: Vizualizare rapid., f.r. module adi.ionale"..307="Sursa: .nchide fereastra 'Vizualizare rapid.'"..311="Sursa: Doar programele"..312="Sursa: Toate fi.ierele"..313="Sursa: Filtru personalizat, recent utilizat"..314=
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:Non-ISO extended-ASCII text, with very long lines (435), with CRLF, NEL line terminators
                                        Category:dropped
                                        Size (bytes):82260
                                        Entropy (8bit):5.3476611030628
                                        Encrypted:false
                                        SSDEEP:1536:SibIAhDrOnuRkcogwhO6/FkpXJmRTh29bGHJPhTJuBy1ixuJkNxR//2UcLoH0Uas:ityiXyyiuMx92RDY9w/Sc12xaUr/p+g9
                                        MD5:ADB614B20B168B097A6227C4DBFA49C5
                                        SHA1:76D7D7E70648636DED91E2736EB0DFE639307356
                                        SHA-256:5EB38A2A81C25E2F8DC7EA3A6A2A73EEBEDFD1C2D338D6B9880DB9C4A7C582D4
                                        SHA-512:2FDE5AC5D6BE690B83E0D367705E9CDA00DA7E87D2B19D8BF74320D6E5CF1EBBF56691CB918A6D0FC6DE3CC93B605860EA164DCF00C2F5ED57CE0DB958F21397
                                        Malicious:false
                                        Preview:Rom.n. ver.8.5..codepage=1250..0="Acces interzis la fi.ierul:\n[%s]"..1="Tipuri de fi.iere (Ex: *.doc ; *.txt)"..2="Creare folder cu numele: \r[.pentru mai multe foldere, separa.i numele lor cu: | ]"..3="Parametrii liniei de comand.:"..4=".&terge;To&ate;&Omite;&Renun.."..5="&Suprascrie;To&ate;&Omite;&Renun.."..6="Vre.i s. .terge.i fi.ierul selectat: \r[%s] ?"..7="Vre.i s. .terge.i folderul selectat: \r[%s] ?"..8="Vre.i s. .terge.i fi.ierele/folderele selectate? \rNum.r de fi.iere/foldere marcate: [%i]"..9="Vre.i s. .terge.i fi.ierul selectat: \r[%s] \rdin interiorul arhivei?"..10="Vre.i s. .terge.i fi.ierele selectate, din interiorul arhivei ? \rNum.r de fi.iere/foldere selectate:[%i]"..11="(Sub)folderul [%s] nu e gol!\rVre.i s. .terge.i acest folder .i din el toate fi.ierele .i (sub)folderele?"..12="Fi.ierul destina.ie exist. deja:\r[%s]\rSuprascrie.i ?"..13="&Suprascrie;Suprascrie To&ate;&Omite\t&Renun..;.nlocuire fi.iere &vechi;Omite &toate fi.ierele"..14=".ntrerupt de utilizator!"
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:ISO-8859 text, with CRLF, NEL line terminators
                                        Category:dropped
                                        Size (bytes):6894
                                        Entropy (8bit):5.230093837173768
                                        Encrypted:false
                                        SSDEEP:192:C/R02ai7RmIpajG/TGTjE5GATmTWOrcX+:C/R02J7Rrpa6J55m/gu
                                        MD5:624171DC46D82BAABC0263EF9CA2BD77
                                        SHA1:1C01AE540F25D70D56FDA9FD89DE3D2179E01E1E
                                        SHA-256:83C6FE894F93DE41DEF6DA3B3AC55531684CC20DE9A46A506343F8635BDDB15A
                                        SHA-512:5BA1EBEC196CD196CFF50FB62901BC977576A920D9138807EFAFADA059A2166E2B5D8B01B0AA8AFF8AC812ACD2414647F643F244AE7C5CCF41689887F541C9DD
                                        Malicious:false
                                        Preview:; Meniu actualizat pentru Versiunea TC 7.50 ..POPUP "&Fi.iere".. MENUITEM "Schimbare &atribute.", cm_SetAttrib.. MENUITEM "&Comprimare.\tAlt+F5", cm_PackFiles.. MENUITEM "&Decomprimare.\tAlt+F9", cm_UnpackFiles.. MENUITEM "Verificare arhiv.\tAlt+Shift+F9",518.. MENUITEM "C&omparare prin con.inut.", 2022.. MENUITEM "Asocieri &Sistem.", cm_Associate.. MENUITEM "Asocieri &Interne (doar .n Total Commander).", 519.. MENUITEM "&Propriet..i.\tAlt+Enter ", cm_VersionInfo.. MENUITEM "Calculea&z. spa.iul ocupat.\tCtrl+L", cm_GetFileSpace.. MENUITEM "Redenumire &multipl.\tCtrl+M", cm_MultiRenameFiles.. MENUITEM "Creare/Editare come&ntariu.\tCtrl+Z", cm_EditComment.. POPUP "&Tip.rirea.".. MENUITEM "&listei de fi.iere.", cm_PrintDir.. MENUITEM "listei de fi.iere inclusiv &sub-folderele", cm_PrintDirSub.. MENUITEM "&con.inutului fi.ierului\tCtrl+F9", cm_PrintFile.. END_POPUP.. MENUITEM SEPARATOR.. MENUITEM "&Frac.ionare fi.ier.", cm_Split.. MENUITEM "Recom&binare fi.iere
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:Non-ISO extended-ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):15817
                                        Entropy (8bit):5.422762252386551
                                        Encrypted:false
                                        SSDEEP:384:7tHiEOpsYwyLfa1Ugejn9nZ/boX5s4sOPtDIbFZb:7tPe5Z86d
                                        MD5:822459916862FA8ACC9961D63D22BB1F
                                        SHA1:113E7F0D60E3902F483F2B7BA6511FF536E5F1BA
                                        SHA-256:DFB0705F93C31CB492DAA2721B256318FA09A4311F447E86F445D25D2A65D177
                                        SHA-512:126D330FA480710DB881E40A1F00747104BF8A91D2A42352A56DACD275931CD6D31267429E7B9BA1E31609B627D5D9685FB1AD0E8F955EDF9D4F4D20523773CE
                                        Malicious:false
                                        Preview:All="..."..Source="........"..Left="....."..Right="......"..FileOperations="........ . ......."..Configuration="........."..Network="...."..Misc="......"..ParallelPort="LPT/USB-...."..Print="......"..Mark="........."..Security="............"..Clipboard="..... ......"..FTP="FTP"..Navigation="........."..Help="......"..Window=".... ........."..CommandLine="......... ......"..Tools="..........."..View="..."..User=".... ......."..Tabs="......."..Custom column views="...... ......."..Sorting=".........."..Commands with parameters="....... . ..........."....300="........: ........ ..........."..301="........: ...... ..... ......"..302="........: ........"..303="........: ...... ........."..304="........: ....... ........"..305="...... .... ... ......"..306="........: ....... ........ ... ........"..307="........: ......... ....... ........"..311="........: ...... ........."..312="........: ... ....."..313="........: ......... ......... ......"..314="........: ...... ......"..321="........:
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:ISO-8859 text, with very long lines (395), with CRLF, NEL line terminators
                                        Category:dropped
                                        Size (bytes):74989
                                        Entropy (8bit):5.695719447345472
                                        Encrypted:false
                                        SSDEEP:1536:AmHZh6RdZtO4FrFCt/Jxp/oVnzXHFLZyh/yFjVG8i01oVn55dwhQAp:AkZozrQ/NwN3hEh/Mvk5Yp
                                        MD5:644B7D5E0728C8102731EA89CC99D4A5
                                        SHA1:E978B960F73A4E4428C6AA446CA50F14D5DE5BA1
                                        SHA-256:A2926CF47F90151E26DDB7805090EB7B05F8573C78F029E675CCCC39476ABE7F
                                        SHA-512:9FC671947A32167E1EB8EA7424A1EBBF29F467DAEE98BFA4B0B0E4C64AFB1840739A51C9ED433B4A3BCACB40A5F0B825F4D26C558A51B526A4883A91DA325D86
                                        Malicious:false
                                        Preview:Russian (.......)..codepage=1251..0="... ......., ... ....\n%s\n... ............."..1="....... ..... ...... (......: s*.doc;*.tx?)"..2="....... ..... ....... (.....):"..3="......... ......... ......"..4="&.......;&...;&..........;&......"..5="&........;&...;&..........;&......"..6=".. ............. ...... .......\r.... \042%s\042 ?"..7=".. ............. ...... .......\r....... \042%s\042 ?"..8=".. ............. ...... .......\r......... ...../........ (%i ...)?"..9=".. ............. ...... .......\r.... \042%s\042 .. ......?"..10=".. ............. ...... .......\r......... ..... (%i ...) .. ......?"..11="....... \042%s\042\r........ ..... ./... ............\r.. ............. ...... ....... ... .......,\r.. ..... ....... . .............?"..12=".... \042%s\042\r... ........... ...... ... ........?"..13="&........;........ &...;&..........\t&......;........ ..... &......;.......... ..&."..14="........ .............."..15="&..........;&......"..16="....... ..... ...... (......: *.txt;*.doc
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:Non-ISO extended-ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):5565
                                        Entropy (8bit):5.5131385030637805
                                        Encrypted:false
                                        SSDEEP:96:0hJEdo9REP39vMW82T+iasT+iFcV43bbHjYVVQV2/TB/zp:7pPbRgiGoP0VVK2/TL
                                        MD5:69EBAC1C85BB30177DD02C4E0413A255
                                        SHA1:12A8FFC43D0CBDCBF87DB52973096BD007C5BA2D
                                        SHA-256:395ADD51ABA3679EEC227D0FBB2832EB0A21C9A64B0F64AB8704798805307B55
                                        SHA-512:F5A9B82BD60BEB77E16B2A0BDF816837927CE70D0D3C9FD58077B2520271C141F6B0CD2DBEC5E1043B62D487D11E876CC62B5F8B806AC1C97F7B0648B23E315E
                                        Malicious:false
                                        Preview:POPUP "&.....".. MENUITEM "&........ ...........", $1F6.. MENUITEM "&............\tAlt+F5", $1FC.. MENUITEM "&..............\tAlt+F9", $1FD.. MENUITEM ".............. &.....(.)\tAlt+Shift+F9", $206.. MENUITEM "........ &.. ..............", $7E6.. MENUITEM "&....... . ..........", $1FB.. MENUITEM ".&......... .......... (...... . TC)...", $207.. MENUITEM "........ ...... ...&....\tAlt+Enter", $1FE.. MENUITEM ".......... .......... &.....\tCtrl+L", $1F7.. MENUITEM "&......... .................\tCtrl+M", $960.. MENUITEM "&........... . ........\tCtrl+Z", $A8C.. POPUP "..&....".. MENUITEM "&...... .........", $7EB.. MENUITEM "...... ...... . &................", $7EC.. MENUITEM "&.... (..........)\tCtrl+F9", $1F8.. END_POPUP.. MENUITEM SEPARATOR.. MENUITEM ".....&.. .......", $230.. MENUITEM "..&..... ........", $231.. MENUITEM ".........&. (MIME, UUE, XXE)...", $232.. MENUITEM "&............ (MIME, UUE, XXE, BinHex)
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:Non-ISO extended-ASCII text, with very long lines (384), with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):74115
                                        Entropy (8bit):5.62130670813331
                                        Encrypted:false
                                        SSDEEP:1536:9Wk5aVfy19mrH9PQ4BktG7Cv/KNsc4hHt0LMIPA9NkRhssYGWsH+/+fmjeF3BJyV:9WcaVfyGT9ISk871sZhHlxXx/GXZ9pA1
                                        MD5:6B4633C918A823F7119657A58FA4C0C0
                                        SHA1:78A7CADEE54A65D980140EBE157FA4F90213A877
                                        SHA-256:E478E15F23217BCD4A85FC926B417476C8A83503C4615614E7AF7A606DEBAACA
                                        SHA-512:29E7D34FD227660353AA7FAC3C80D006D039F14AD901EE1138252A4F330D4E474B6366E176068D0E90174FE1598F4A69004CD658882A2C504F15F4F11F61A55D
                                        Malicious:false
                                        Preview:Slovensk. (Slovak)..codepage=1250..0="Na s.bor\n%s bol zak.zan. pr.stup."..1="Zadajte typ s.boru (napr. *.doc;*.txt)"..2="Nov. prie.inok:"..3="Parametre pr.kazov.ho riadku"..4="&Odstr.ni.;&V.etko;Vy&necha.;&Zru.i."..5="P&rep.sa.;&V.etko;Vy&necha.;&Zru.i."..6="Naozaj chcete odstr.ni. s.bor %s?"..7="Naozaj chcete odstr.ni. prie.inok %s?"..8="Naozaj chcete odstr.ni. %i ozna.en. s.bory/prie.inky?"..9="Naozaj chcete odstr.ni. %s z arch.vu?"..10="Naozaj chcete odstr.ni. %i ozna.en. s.bory z arch.vu?"..11="Prie.inok .%s. nie je pr.zdny.\rNaozaj ho chcete odstr.ni. vr.tane v.etk.ch podprie.inkov a s.borov?"..12="Cie. u. existuje:\r%s\rChcete ho prep.sa.?"..13="P&rep.sa.;Prep.sa. &v.etko;Vy&necha.\t&Zru.i.;Prep.sa. v.etko st&ar.ie;Vyn&echa. v.etko"..14="Preru.en. pou..vate.om."..15="&Vynecha.;&Zru.i."..16="Zadajte typ s.boru, napr. *.txt alebo regul.rny v.raz (RegEx) za..naj.ci s .<., ako napr.klad <(a|b)"..17="Nena.lo sa."..18="Roz..ren. v.ber"..19="Z..en. v.ber"..20="Zadajte n.zov s.boru, kto
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:Non-ISO extended-ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):5729
                                        Entropy (8bit):5.561376096835826
                                        Encrypted:false
                                        SSDEEP:96:MvxAjj2NnDO4fQ5+z+6WfPT0wu1t3gfL+0gI1:Oin2NDHP+6WHT7u1gLg6
                                        MD5:BF8026549A065638D3649A1C11305C08
                                        SHA1:494C51AF71A0E8C1FE1766960DA0FA0D7A13ADCC
                                        SHA-256:213B7B9ABA26B70FAE9E6C439591B9A7244D530CEE35D7F64D14F15A5E7BA0A2
                                        SHA-512:8ECEF3450ED56B8571207121DC4CE342F7AB92732DD0A346D4934B30B50A54DE99BA2D778BCBC91E4A6E7FE7E88D1149A89B862557C9DF61F48BB99CE05C800A
                                        Malicious:false
                                        Preview:POPUP "&S.bor".. MENUITEM "Zmeni. atrib.t&y...", cm_SetAttrib.. MENUITEM "&Komprimova....\tALT+F5", cm_PackFiles.. MENUITEM "&Extrahova....\tALT+F9", cm_UnpackFiles.. MENUITEM "Testova. &arch.v(y)\tALT+SHIFT+F9",518.. MENUITEM "Porovna. pod.a o&bsahu...", 2022.. MENUITEM "&Priradi. k...", cm_associate.. MENUITEM "Vn.torn. prira&denia (iba pre TC)...", 519.. MENUITEM "&Vlastnosti...\tALT+ENTER", cm_versioninfo.. MENUITEM "Spo..ta. obsaden. &miesto...", cm_GetFileSpace.. MENUITEM "P&remenova. s.bory...\tCTRL+M", 2400.. MENUITEM "Upravi. kome&nt.r...\tCTRL+Z", 2700.. POPUP "&Tla.i.".. MENUITEM "Zoznam &s.borov...", 2027.. MENUITEM "Zoznam s.borov s &podprie.inkami...", 2028.. MENUITEM "O&bsah s.borov\tCTRL+F9", cm_PrintFile.. END_POPUP.. MENUITEM SEPARATOR.. MENUITEM "Rozdel&i. s.bor...", 560.. MENUITEM "Spo&ji. s.bory...", 561.. MENUITEM "&Zak.dova. s.bor (MIME,UUE,XXE)...", 562.. MENUITEM "Dek.dova. s.bor (MIME,UUE,&XXE,BinHex)...", 563.. MENUITEM "Vytvori. k
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:Non-ISO extended-ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):14755
                                        Entropy (8bit):5.162573468839223
                                        Encrypted:false
                                        SSDEEP:384:sRXW7PmBf6RrgQQSmPNPpLojjx9ikX9fTDqm0aZnCkImhyUd5WpY31y4BQA7KYuz:sRX4ml6FgtHNhLoj19io9rDcB4Q7
                                        MD5:B643CA7FAC4FFC3A834565A3E6FE75AF
                                        SHA1:7783B56DDBB255CB94E6C7DE2EB2ACF02A05B498
                                        SHA-256:A5EA4B0DB553E218084CB10F270046B733258D9F25AF7442624988460B6F8701
                                        SHA-512:0B924B0C7DC976C173C441607A71E6058EF944A9AC803D4CF0AE42B19E6192CEEC733E300C54170898D0C9EDFE0228C3D986C7BCEED81D149A08007BA34AFCE1
                                        Malicious:false
                                        Preview:All="Vse"..Source="Vir"..Left="Levo"..Right="Desno"..FileOperations="Operacije z datotekami"..Configuration="Nastavitve"..Network="Omre.je"..Misc="Razno"..ParallelPort="Paralelna vrata"..Print="Natisni"..Mark="Ozna.i"..Security="Varnost"..Clipboard="Odlo.i..e"..FTP="FTP stre.nik"..Navigation="Navigacija"..Help="Pomo."..Window="Okno"..CommandLine="Ukazna vrstica"..Tools="Orodja"..View="Prikaz"..User="Uporabnik"..Tabs="Zavihki"..Custom column views="Prikaz stolpcev po meri"..Sorting="Razvr..anje"..Commands with parameters="Ukazi s parametri"....300="Vir: Prika.i komentarje"..301="Vir: Samo imena datotek"..302="Vir: Vse podrobnosti datoteke"..303="Vir: Drevo map"..304="Vir: Okno Hitri pogled"..305="Okna datotek drugo nad drugim"..306="Vir: Hitri pogled, brez vti.nikov"..307="Vir: Izklj. okno Hitri pogled"..311="Vir: Samo programi"..312="Vir: Vse datoteke"..313="Vir: Zadnje izbrano"..314="Vir: Izberi vrsto uporabnika"..321="Vir: Razvr..aj po imenih"..322="Vir: Razvr..aj po kon.nicah"..323=
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:Non-ISO extended-ASCII text, with very long lines (370), with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):72635
                                        Entropy (8bit):5.3432396187073055
                                        Encrypted:false
                                        SSDEEP:1536:HhjYqfS/s4mBNdwF2grQiAC1yoJKX7yBczDGHv1rhElY11udN2:ups4mXdw4XiJKOczDIhhZ1udN2
                                        MD5:A6874C1FF1CD84756795BAEAF4E57518
                                        SHA1:BE3C6913BC936CC66771C065C70415C1D8D48B8C
                                        SHA-256:ED5FDF04CE0995B5A8233D21D17F12D6244A9082720E3EAF991EDAD2452973B3
                                        SHA-512:9687C458579C92B8EE8ACD7049D4FDB211A8B9767F6F8AF91C7D82383BBCA81D2574104309F57650938D6D255A37D6EAAB9DC6CB6C267C54929324E73DAA07DC
                                        Malicious:false
                                        Preview:Slovenski (Slovenian)..codepage=1250..0="Do datoteke \n%s ni dovoljen dostop!"..1="Izberite vrste datotek (npr.: *.doc;*.txt)"..2="Nova mapa"..3="Parametri ukazne vrstice"..4="I&zbri.i;Izbri.i &vse;&Presko.i;P&rekli.i"..5="&Prepi.i;&Vse;Pr&esko.i;P&rekli.i"..6="Ali res .elite izbrisati izbrano datoteko %s?"..7="Ali res .elite izbrisati izbrano mapo %s?"..8="Ali res .elite izbrisati %i izbranih datotek/map?"..9="Ali res .elite odstraniti izbrano datoteko %s iz arhiva?"..10="Ali res .elite odstraniti %i izbranih datotek iz arhiva?"..11="Mapa %s ni prazna!\rAli zares .elite izbrisati vse njene datoteke in podmape?"..12="Cilj .e obstaja:\r%s\rAli ga .elite prepisati?"..13="&Prepi.i;Prepi.i &vse;Pre&sko.i\tP&rekli.i;Prepi.i vse st&arej.e;Pres&ko.i vse"..14="Spro.ili ste prekinitev!"..15="&Presko.i;P&rekli.i"..16="Izberite vrsto datoteke npr. *.txt, ali RegEx z vodilno '<', kot <(a|b)"..17="Ni najdenih ujemanj!"..18="Raz.irite izbor"..19="Zo.ite izbor"..20="Vpi.ite ime datoteke, ki jo .elite
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:Non-ISO extended-ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):5620
                                        Entropy (8bit):5.396682754868976
                                        Encrypted:false
                                        SSDEEP:96:cIIETCPRdsOm9wSrAVCKUaDmSE00hTHP7:nHWPPsh8CKUOaJFD
                                        MD5:893F015CE73029363E0CF9874EF050EF
                                        SHA1:9739736CE3F2E55802B864396DCC577C6F6B2206
                                        SHA-256:14ED35942AB63AE8C474CEF18842E6971CACA4A8B877A5349B02D57199B3E6FE
                                        SHA-512:111D680FE63BE4E900E7C180AA4B9D149E598A4CBB392E584379A7AF4191CB3DE803811EF9F717A56ECBD331EDFE83B054A4E8568F024A355B024DFF47C7C132
                                        Malicious:false
                                        Preview:POPUP "&Datoteka".. MENUITEM "&Spremeni atribute...", cm_SetAttrib.. MENUITEM "Pakiraj iz&brane datoteke...\tALT+F5", cm_PackFiles.. MENUITEM "Razpak&iraj izbrane datoteke...\tALT+F9", cm_UnpackFiles.. MENUITEM "&Testiraj pakiran arhiv...\tALT+SHIFT+F9", 518.. MENUITEM "Primerjaj p&o vsebini...", 2022.. MENUITEM "&Zdru.i kon.nico s programom...", cm_associate.. MENUITEM "Notran&je zdru.itve (samo za Total Commander)...", 519.. MENUITEM "&Lastnosti...\tALT+ENTER", cm_versioninfo.. MENUITEM "Izr&a.unaj zaseden prostor...", cm_GetFileSpace.. MENUITEM "So.asno p&reimenuj ve. datotek...\tCtrl+M", 2400.. MENUITEM "Uredi &pripombo...\tCtrl+Z", 2700.. POPUP "Natis&ni".. MENUITEM "Se&znam datotek...", 2027.. MENUITEM "Seznam datotek s pod&mapami...", 2028.. MENUITEM "Vsebina dato&teke\tCtrl+F9", cm_PrintFile.. END_POPUP.. MENUITEM SEPARATOR.. MENUITEM "Raz&deli datoteko", 560.. MENUITEM "Zdr&u.i datoteke", 561.. MENUITEM "Kodiraj datot&eko (MIME,UUE,XXE)...", 562.. MEN
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:ISO-8859 text, with very long lines (354), with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):69732
                                        Entropy (8bit):5.403000348186024
                                        Encrypted:false
                                        SSDEEP:1536:rkHrYcLnMQbYehqP9b3BCc3F1b6Oqds/3lmSCaeeSFG:rkH31bjsb3BCcV1WJS/tCpG
                                        MD5:3A656FE42364FF0C238585AE54B72888
                                        SHA1:D48419E6E96FB9FEB736BFA7289C240E98F520A1
                                        SHA-256:92734490A7F2CD6A8299F0E568DBB6007C34729079C22E377A12AE3CFE70F0A7
                                        SHA-512:9CF1233AC452C42B694CE83EF49E6AE8AE800EB7E0959D8D5D461FD5AD0A62977E4EED8EC5EAFE61D291F4385F556F9FB91AE89198F036388CD3DA321170F89E
                                        Malicious:false
                                        Preview:Svenska..codepage=1252..0=".tkomst nekad till filen\n%s!"..1="Ange filtyp (t.ex. *.doc; *.txt):"..2="Ny mapp:"..3="Kommandoradsparameter:"..4="&Ta bort;&Alla;&Hoppa .ver;Avbryt"..5="Skriv &.ver;&Alla;&Hoppa .ver;Avbryt"..6="Ska filen '%s' verkligen tas bort?"..7="Ska mappen %s verkligen tas bort?"..8="Ska de %i markerade filerna/mapparna verkligen tas bort?"..9="Ska '%s' verkligen tas bort ur arkivfilen?"..10="Ska de %i markerade filerna/mapparna verkligen tas bort ur arkivfilen?"..11="Mappen [%s] .r inte tom!\nVill du .nd. ta bort mappen med dess inneh.ll?"..12="Destinationsfilen\r'%s'\rfinns redan. Skriva .ver?"..13="&Skriv .ver;Skriv .ver &alla;&Hoppa .ver\tAvbryt;Skriv .ver &.ldre;Hoppa &.ver alla"..14="Anv.ndaravbrott!"..15="&Hoppa .ver;Avbryt"..16="Specificera filtypen (t.ex. *.txt, eller RegEx med inledande '<', som <(a|b)):"..17="Hittar ingen s.dan!"..18="Ut.ka urval"..19="Reducera urval"..20="Ange namnet p. den fil som ska redigeras:"..21="Skriva .ver: "..22="med filen: "..23=
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:ISO-8859 text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):5523
                                        Entropy (8bit):5.379853209280516
                                        Encrypted:false
                                        SSDEEP:96:E6nhcbLXgdtwucm8wMg0SLsmci8twxgfPooM827:lnkktwucm8w/mmcfwx0PjMN
                                        MD5:3BD9BD9D78D7982F09675B095598DFDD
                                        SHA1:3A828A1ED965B89E282CC328E961FED8509904F9
                                        SHA-256:E0117CA6654709E29AF019E4579FDB1C19F3986125C48BC5BA10CDE2BF651B71
                                        SHA-512:C4B330C42FC741B44D20C0E4795328B77122D3AD271202097279CE3055E9DD76E1CFBA0385BA02C66C944B8C9D45E4397A3113A9DBBAEB193A55C5AF62B5BF86
                                        Malicious:false
                                        Preview:POPUP "&Arkiv".. MENUITEM "&.ndra attribut ...", cm_SetAttrib.. MENUITEM "&Packa fil(er) ...\tAlt+F5", cm_PackFiles.. MENUITEM "Packa upp fi&l(er) ...\tAlt+F9", cm_UnpackFiles.. MENUITEM "&Kontrollera arkivfil(er)\tAlt+Skift+F9",518.. MENUITEM "&J.mf.r filinneh.ll ...", 2022.. MENUITEM "Asso&ciera ...", cm_associate.. MENUITEM "&Interna associationer (endast Total Commander) ...", 519.. MENUITEM "&Egenskaper ...\tAlt+Enter", cm_versioninfo.. MENUITEM "U&tnyttjat utrymme ...\tCtrl+L", cm_GetFileSpace.. MENUITEM "&Massomd.pningsverktyg ...\tCtrl+M", 2400.. MENUITEM "Redigera komme&ntar ...\tCtrl+Z", 2700.. POPUP "Skriv &ut".. MENUITEM "&Fillista ...", 2027.. MENUITEM "Fillista med &undermappar ...", 2028.. MENUITEM "F&ilinneh.ll\tCtrl+F9", cm_PrintFile.. END_POPUP.. MENUITEM SEPARATOR.. MENUITEM "&Dela upp fil ...", 560.. MENUITEM "S.tt i&hop filer ...", 561.. MENUITEM "K&oda fil (MIME, UUE, XXE) ...", 562.. MENUITEM "Avkoda &fil (MIME, UUE, XXE, BinHex) ...",
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):26
                                        Entropy (8bit):3.6283511419515837
                                        Encrypted:false
                                        SSDEEP:3:B15QCVn:B153V
                                        MD5:D64147E3E4553D005C6A665713240B59
                                        SHA1:1E4ECFA73444AE0C8D41728C39C60CCE103AEBE3
                                        SHA-256:DE15D713F0E44679D299748636456707E756C54DD005D93B1943B67F6E61A13E
                                        SHA-512:6429182EE0DB8A680D5744BDFAE3F0597C2B7894CF52111218B6C36EC7BA4ABEDCDBCE3EEA4358980E51889571533D77F4C5407DC4B603301AD1F4F4C38F2C24
                                        Malicious:false
                                        Preview:[Buttonbar]..Buttoncount=0
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):43312
                                        Entropy (8bit):4.661899653810805
                                        Encrypted:false
                                        SSDEEP:384:ji1oyzeQPLr6CtW0rqLzD6Lo9vyJlThr/6o/mnYPLg4eMs:u1oV6/NLgj6JZZ/6o/mB
                                        MD5:1701628DA46EFF04ACF8279D38AD8C2A
                                        SHA1:736A12D6CB57A1EC191D715202490A08BFB11644
                                        SHA-256:22C2AF4A996420682E57B978CED61E031F32B4E4EE7585382BDD531CA5C6CFA8
                                        SHA-512:8C8F9F68866153E78146778BE120D60BE5CEA57ED5B8ACA55F46A350167D42F71C477A9CF8158E2A99557C1597A56EAA40DF63C71B59A712A1809DA64CE0BC74
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                        Category:dropped
                                        Size (bytes):53040
                                        Entropy (8bit):6.211936198852823
                                        Encrypted:false
                                        SSDEEP:768:GHhs1xq6gUnQl/nY1SGy13mGNdVtEoF4b+2RlzeX7V7P/TiNLlLtW9D5X:GH+T45bmGzV+bFRlCLV7/+LFtWj
                                        MD5:A75B8057ECFDC2C9B8440696B280377F
                                        SHA1:37F7E36E3AC9367A0E114C9780C80DE6F266B013
                                        SHA-256:31D815048959CAC77421072DC1A3CC5BA792E5E206F8AE7806E1FBBFE6315B05
                                        SHA-512:AEC2F354ED96336B748AB2529BEC98526D3EE48C08E45A7FDBAD603D61B70ACDE5F8DB3BC6E41CDAEA4129AD5F9C4FB346408450707AF5FE5D2BAA2B96CC75B0
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:Rich Text Format data, version 1, ANSI, default language ID 1033
                                        Category:dropped
                                        Size (bytes):4755
                                        Entropy (8bit):5.181492976149537
                                        Encrypted:false
                                        SSDEEP:48:NBHi26fH2t9BQbLr07thtqt7tJtVtptIt7tvkMUPkDiYWqD3EklOLkmZk0FRIVqz:n/BQHqdi74T2FRIfaWJp2vqfzW8WAnS
                                        MD5:89BDC6AA4738763D422AE6F9DDD5A3AA
                                        SHA1:9507F65473F7A21BA0D02BBDFE0DAD30297FA815
                                        SHA-256:F011129DC7E9DBC25480DACD44E84098027884682D951E0336B254EC4A59D9B7
                                        SHA-512:4ECCEC88D369BE5B128EACCDC256077C9BBFD7F57EE450352BF55DA992102327C27ACBF85461BFAE07FE33CC0EBE7541706B4DA4CD7728723BD540F5188DC57F
                                        Malicious:false
                                        Preview:{\rtf1\ansi \deff4\deflang1033{\fonttbl{\f4\froman\fcharset0\fprq2 Times New Roman;}{\f5\fswiss\fcharset0\fprq2 Arial;}}{\colortbl;\red0\green0\blue0;\red0\green0\blue255;\red0\green255\blue255;\red0\green255\blue0;..\red255\green0\blue255;\red255\green0\blue0;\red255\green255\blue0;\red255\green255\blue255;\red0\green0\blue128;\red0\green128\blue128;\red0\green128\blue0;\red128\green0\blue128;\red128\green0\blue0;\red128\green128\blue0;\red128\green128\blue128;..\red192\green192\blue192;}{\stylesheet{\widctlpar \f4\fs20\lang1031 \snext0 Normal;}{\*\cs10 \additive Default Paragraph Font;}}{\info{\author Christian Ghisler}{\operator Christian Ghisler}{\creatim\yr2013\mo8\dy27\hr11\min34}..{\revtim\yr2015\mo8\dy7\hr13\min54}{\version2}{\edmins0}{\nofpages1}{\nofwords225}{\nofchars1287}{\*\company C. Ghisler & Co.}{\vern57431}}\margl1417\margr1417\margt1417\margb1134 \widowctrl\ftnbj\aenddoc\hyphhotz425\hyphcaps0 \fet0\sectd ..\linex0\headery709\footery709\colsx709 {\*\pnseclvl1\pnucrm\pn
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):40960
                                        Entropy (8bit):6.265264854861943
                                        Encrypted:false
                                        SSDEEP:768:uJpjqpvK620zUOO9fj3DFNEFOazaSrPlG6bWj7Do7WtLBocy6t:MjqpvKugOOp1NSvG+hWjn
                                        MD5:D979C67A7BBB229306A3211503AF1875
                                        SHA1:EBB798F6A16896C9219405DF0605A059700E2690
                                        SHA-256:4394138FA0B63AC1251C4ED0B1722F7A7BAAC92A67C50244562279FF5E3D8851
                                        SHA-512:EDF71D161251FC3D6F5628E53840CED9B5617913F1BAD5E84815C33A2DE24A6DFDEA9B3FC2DB5DBF9D168A574380D315993784FA2E341ECBF1EFAC443D053BB8
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 2%
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:MS-DOS executable, NE for MS Windows 3.x (EXE)
                                        Category:dropped
                                        Size (bytes):2106
                                        Entropy (8bit):5.693324320077475
                                        Encrypted:false
                                        SSDEEP:48:Q16bvdaK+OGkhap0Xeo7c1tHKquhQhcLyLG+OCXOdLoQ6ya:Q1S4jkYp0X/CtHKfMdGBfY
                                        MD5:E94764E624677F9B05DF8C9752254387
                                        SHA1:3E8292B30662EAB2EF74E91F96715AE069942BF6
                                        SHA-256:DCB90F420EB46D9E2E5E30736F4603D0FF1CAF6360672CECAD8243F8F407CE0E
                                        SHA-512:A8CD5C2996D4C036C47142AF5E0186373826E4E4635AAB81C25CA673CD72FF47FD63D844909F999C1C6112B9C1D5AB4389C15506FA20EB18064D3CEFE4B95C5A
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):602
                                        Entropy (8bit):4.742729948450531
                                        Encrypted:false
                                        SSDEEP:12:8IjUk9IjeTX24IjfaGlV58SU+1MrvinUEvUaeFlJdaqIjUkmWxIjUkh4BgzoiZz2:ZwkqKTX2Fh6MnUAU7jazwkmLwkyWoiZi
                                        MD5:9C46B722FA1FFAB6EAD573859ABB32BB
                                        SHA1:1EF031FDA4E902234D70D5967FC3CDC15B4FD35A
                                        SHA-256:2EA390F71ED637935463CFEB1E4B02BB83364A157E443644087E6D61DEAE12F7
                                        SHA-512:E8CE88E7DA343C4D1E5580511255AE69114D9BCAABC08279985B4B3C0178A53F59312B6CB625C5E31FAE94F3C3AD75A4826C4A6CE7E88BC6B48539BEBBD535B0
                                        Malicious:false
                                        Preview:Why is Total Commander >7.5 so much larger than Total Commander 7.0x?....Older versions of Total Commander were packed with the EXE packer UPX...This makes the program itself much smaller. Unfortunately some virus..scanners do not like packed executables. They either take an awful lot..of time to scan the program each time you try to start it, or they..report a suspicious file.....Therefore Total Commander >7.5 is no longer packed. If you need to run..Total Commander >7.5 from a floppy disk, you can get an UPX-packed EXE..(32-bit only) from our homepage:..http://www.ghisler.com/packed_download..
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):174080
                                        Entropy (8bit):6.279217790646268
                                        Encrypted:false
                                        SSDEEP:3072:xyljBP/VZjAISqyTFjoZAO1h7BTF1rJa//diUTTBXJxO8hlIhb0:xeBnVZ8w4toZAcLrJa/liSVHU
                                        MD5:31CAD6A3EDD1C32981AD6B565CBEAC94
                                        SHA1:9338978C85A9423EE2A38CBA027F79192D684F1B
                                        SHA-256:B8521ABDA09EC17DDAD36528C1BC50395DC8C5F7C11C026A5B3FF23110C54182
                                        SHA-512:02E198B8EF192DE55DB35AE00A16A80B3309A9373A596C20D617B43DD7159A635BC303F371859E704375521A1242D02754807E2E9DFEF63FFD06993B24C17D3D
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                        Category:dropped
                                        Size (bytes):197120
                                        Entropy (8bit):6.124884744709508
                                        Encrypted:false
                                        SSDEEP:3072:/adnxv3ZKfmTwqNdVZ9uD/hKBfOZhpbQ4nvuXdl76duMD/CtQXdGT:/aFZZ1+KBAQAuqEad
                                        MD5:61159886854E26AE3C60F8576181DBFE
                                        SHA1:95AAD7A1807C1B9FB20821F1D12F6E2CF9646F20
                                        SHA-256:D2F0F629BB87AFD838E891D750A0FA52C63F28457E34A05FFE1DEA7202A64B5D
                                        SHA-512:CA91ECAD1B84333BCEF9390ABD93ED880A13C0ECA5A4ECD2CF0F914626F59CEA0FA70091B28322FF2245278C425554E21A38171DC81E2A6C1939D57AFB25F302
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2...v..Mv..Mv..M.=.M...Mv..MF..M.=.M?..M.=.Me..M..?Mt..M.=.Mw..M.=.Mw..M.=.Mw..MRichv..M................PE..d....S.L.........." .........<...... ...............................................................................................@.......\...d....P....... .../...........p....................................................... ..@............................text............................... ..`.rdata..4.... ......................@..@.data....Q..........................@....pdata.../... ...0..................@..@.rsrc........P......................@..@.reloc..J....p......................@..B........................................................................................................................................................................................................................................................................
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):75776
                                        Entropy (8bit):5.0607150042966325
                                        Encrypted:false
                                        SSDEEP:768:7nTla0nWxzVGE058+buUGJTWr8Bo1s26F4obTBF/3Fo5tMoZ5m1Tk:bpaWewEpUMTg/1fo/Bo5ck
                                        MD5:4D7478BE9E1A2F0F25FAB9A7584B246A
                                        SHA1:B01D52B336F0C026F12FDF92232FAE5B58CE238F
                                        SHA-256:F7B6CA8413F47F8162EBB4C5CAFACE0543D2F5A36707C003BDE8C3671541E00C
                                        SHA-512:B4A3709FD0E6DC63BB41EE3812547F45A1B81743D6A5406AC5739EF8E29FCCB8074D048F105859E7000FD0011F0C21CE3FDFA3011D945BFACF7904F6DC128855
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}..t9.y'9.y'9.y'd.r'1.y'..w'..y'd.s'..y'9.y'8.y'o.j'?.y'[.j'<.y'9.x'..y'..H'7.y'..}'8.y'Rich9.y'........PE..L....<.R...........!.................I....................................... .................................................<.......................................................................................<............................text.............................. ..`.rdata..@........ ..................@..@.data...d3.......0..................@....reloc..V........ ..................@..B........................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                        Category:dropped
                                        Size (bytes):103424
                                        Entropy (8bit):6.2226768960489816
                                        Encrypted:false
                                        SSDEEP:1536:4MC7KlwU5QS9B79j4flt+U9/45N6zgpX/vwhTjZgWPEeRi6PltLb+aJRw:4/2xaMB7wlF+jkGXHAaWPNiUltLe
                                        MD5:18241B8F4A08604951B57265770729BA
                                        SHA1:303458CE8CA8A5CC8AD09C02EBAB772772FB4A71
                                        SHA-256:AF938701CAE25F8348F7EC582D57B54043A05EFB8BBC2715C2812447C7D9440A
                                        SHA-512:2124FFE45F920072A513E176CE066893C7C3729BE1674020532619FD26BB9066F1C54B8F8D9D5DEC2DAB607F5E3922D7416F7D0E57403A72ECA4879DBF7F0B5F
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......|..g8..48..48..4.].4>..4.].4!..4N..4;..48..4`..4.].4c..4.].49..4.].49..4.].49..4Rich8..4........PE..d.....hT.........." .....*...f...... ................................................Q...............................................v.......o..(....................................................................................@..P............................text....(.......*.................. ..`.rdata...8...@...:..................@..@.data....I...........h..............@....pdata...............z..............@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                        Category:dropped
                                        Size (bytes):100656
                                        Entropy (8bit):6.29003418764086
                                        Encrypted:false
                                        SSDEEP:3072:g2+v32XXC6XYCZd/HpgZOKfGlI+6gjISPZsOeLRRmFfnfJRc:AvwCmTRgZO2ah6kZhtxfs
                                        MD5:B2D0F0F05AD1ECB87CA79383CE0959E4
                                        SHA1:FF3FD2D46512C3C5D60843C1CF5B58A072842BB3
                                        SHA-256:5334DE5E821392D00556C602A84A7761E308FF3DE99AC24544915A66E012A1D1
                                        SHA-512:A623B7046D537858DBD6F8578883BD53B548A4FD621E83305F3DB72EDE0D9022F9CB411B790B7B6DFEA4C88717173CC14612322B27404D84043B01726DEDBA77
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-..Mi.t.i.t.i.t..A..k.t.NC..`.t.NC..3.t.....`.t.i.u...t.NC..J.t.NC..h.t.NC..h.t.Richi.t.........PE..d......T..........#.................PE.........@............................................................................................;..d....................p..0...............................................................h............................text...n........................... ..`.rdata...7.......8..................@..@.data....'...P.......2..............@....pdata...............H..............@..@.rsrc................T..............@..@........................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):76080
                                        Entropy (8bit):5.338620092587175
                                        Encrypted:false
                                        SSDEEP:768:qJhnyVT9dRdKbTpBAzl6oq82xZHaiB93BMjPq64cZVL3mOoXLnBBi6YRKSFb:+hnyVrRgbTiwxMbqxcfLNoXLBs6KK6
                                        MD5:761A3E40D40BCD15490772A98370AE63
                                        SHA1:9BBAA13B7ED543AB80590001E090E8C40867738C
                                        SHA-256:9E9CA41DDB3539F2DA986AA1F091857046CD707A03F41A165736E5EF0D4CADCD
                                        SHA-512:AAE6F98E88B39A33D45F8D8250D26A39D42A5820810198F15FB4AA09AFA324204D4C1D5C1EDF722EDB1DAEA3FA54967741A7F7235670FD789BF27CFDF75B6F64
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......]?k..^...^...^..bB...^..D|...^...B...^..D|..@^..{A...^...^..i^...|4..^...X...^..Rich.^..........................PE..L...%\.T.............................7............@.............................................................................d.......................0............................................................................................text............................... ..`.rdata........... ..................@..@.data....;.......@..................@....rsrc............ ..................@..@................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):79872
                                        Entropy (8bit):5.959922682160642
                                        Encrypted:false
                                        SSDEEP:1536:0YAFRFCFbkbrwZBXJx7HSqB+as3HkVUh6TkT4jl2Oo1EYN:0YADFCBkSXEas3HkVO6Z2Oo1E0
                                        MD5:550EB102AB3B300CEEC8008D1B1405BC
                                        SHA1:628F30E74316686D027353E1536767C8C0A3A979
                                        SHA-256:FFD5B4B3F7AE19F08E32612E499F4891EDF199C36E85966E3BE69E81FD34FE26
                                        SHA-512:470CDC66DF3A1715D68304C44D760D56EB408A3765AF1F3D4EF3783119CA51B46B94A3F612E3A1BF75BE8FB5800494A6C0543AD0379C998AF672B4054A384CC5
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Z...;.E.;.E.;.E...E.;.E.'.E.;.E...E.;.E.$.E.;.E.;.E.;.Eh..E.;.E@=.E.;.Ex..E.;.ERich.;.E................PE..L.....hT...........!.........~.............................................................................................@...(....p...............................................................................................................text............................... ..`.rdata..z...........................@..@.data...lY.......,..................@....rsrc........p.......$..............@..@.reloc...............(..............@..B................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):83840
                                        Entropy (8bit):5.238839726294346
                                        Encrypted:false
                                        SSDEEP:1536:VjhYKAWWQ8IdhyTHv6midnTlbKBx+6KKaC:V9NA/kM6muTlbyxZJn
                                        MD5:ACA2C5B784F0D402027042F24E5676FD
                                        SHA1:F61216B3A3B3BAA5C97C3B88B4D2B96E07D1152C
                                        SHA-256:2015B31CE5654FD86EA772A1562E7DE3052B29682ABFF7787C7BD8C13599D947
                                        SHA-512:2E7D020202CCF66CFAC3E42CDB90850FFC9C750F3D5B75F733A32F4A5652B768208C0C09B74578D57334735DB8FE0066C0407ABC93DED18C7ADC948FC7E1265C
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......4.."p.lqp.lqp.lq..`qr.lq-.gqs.lq..bqg.lq-.fq..lqp.lqs.lq..3qq.lq...qr.lq..1q}.lqp.mq..lq..]qr.lq..jqq.lqRichp.lq........................PE..L...D..N.............................J............@..........................P.......(...............................................0...............0...............................................................................................text...3........................... ..`.rdata........... ..................@..@.data....Q.......@..................@....rsrc........0... ..................@..@........................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                        Category:dropped
                                        Size (bytes):118368
                                        Entropy (8bit):6.1496894917425475
                                        Encrypted:false
                                        SSDEEP:3072:88fYfD5uPPei3QAwoAxuNAiDObZOC2vZoaL1Ovx1XJd:1gflS/1zQWabZO5Ovxd3
                                        MD5:EF463B8B075A6E3F3F01A84C92B54DA6
                                        SHA1:1D56DD74A80008123F8DBE49D0A21E7C7E196042
                                        SHA-256:681CA62C6C6AA7BB5C0FEE46BC37DAAE6D8779459DC37ADBCDC1D93D346C1DDB
                                        SHA-512:D0F53619C18F17AF022E627E041A6952F3E1EDC21C6423577A9D5863307C7833FE5BD2D165E9846A68EC6B0644F9564004929BC8C245BC2F8DB55B382445E833
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........rb8...k...k...k..rk...k..qk...k..bk...k..ak...k.ak...k.wk...k...k...k..~k...k..pk...k..tk...kRich...k................PE..d......O..........#......&...........].........@....................................].......................................................<z..........x...............`............................................................@...............................text....$.......&.................. ..`.rdata..(I...@...J...*..............@..@.data....D...........t..............@....pdata..............................@..@.rsrc...x...........................@..@................................................................................................................................................................................................................................................................................................
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                        Category:dropped
                                        Size (bytes):136704
                                        Entropy (8bit):6.497516667665815
                                        Encrypted:false
                                        SSDEEP:3072:KRFQ/AZniwigYK3mxxvursBddnT5WWQTBfR3W+b7LPg0xc:KRmIZBYK3GxvurcXTcJTB534L
                                        MD5:A5F0FBE9EB05BA397E9EA5EFF71842D6
                                        SHA1:E70829532A2A7E9E40C1394BADB75EDBA539515C
                                        SHA-256:454BCEC8141EBD1DCAB0EBF01C95251E26EB6D5002B61BB77FC1F10C8FDE9DD4
                                        SHA-512:F23927706E985FF7A23986E0FE77E911203062A4412367411D0436D60ACCBF7455CA0185E9C3481B31B7C2A1AB9D4FBAA8B6FD8A70CA7C5CB7BD8D19FB3D7645
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........lr$...w...w...w..bw...w..aw...w..gw...w...w...w..rw...w..qw...w..fw...w..dw...wRich...w........PE..d...,.mQ.........." .....F..........................................................................................................`.......T...(....`.......P...............p..H....................................................`..p............................text...zD.......F.................. ..`.rdata...v...`...x...J..............@..@.data...Pc.......$..................@....pdata.......P......................@..@.rsrc........`......................@..@.reloc..0....p......................@..B................................................................................................................................................................................................................................................................................
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):116736
                                        Entropy (8bit):5.925104416717389
                                        Encrypted:false
                                        SSDEEP:1536:LemwYFVadP2jYG82q1zXTJ5Z36AVK4emnToIfMIOp9oM08U6V:LpoujE2gBH3/eSTBfCp9oMn7V
                                        MD5:AC7EEC3677D40E05B2FDC5E91585CEB1
                                        SHA1:85ABBB380A83EA31DA726C6E8139C71989809969
                                        SHA-256:5A844C23B6A5CFCB2E94F2E41FC4F632D47F56F3183C85345AD5A5F5F7CBD81C
                                        SHA-512:0BAEDDB70CA456D10677723736094C99B3DE3B88CC0E06F071403F520419D191918F578F6BC68D167FC74948342F51CE36EB2055A0C1CC2B6C4EC51B4BFAF8F3
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........W.[.6...6...6...*...6.......6...*...6.......6...)...6...6...6..l....6..l....6..|....6..Rich.6..........PE..L...S.mQ...........!................................................................................................5.......0..(...............................|....................................................................................text............................... ..`.rdata...6.......@..................@..@.data....x...@...P...@..............@....reloc........... ..................@..B........................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:MS Windows HtmlHelp Data
                                        Category:dropped
                                        Size (bytes):450063
                                        Entropy (8bit):7.985234862398248
                                        Encrypted:false
                                        SSDEEP:6144:T9dX8mYPnJ76TmNY7fonV2W+v2BwzVozQh1FFidVDzs07GfTPzHYMU46w:Bq5q7g2WyIOVLzIDzb70Pz4k/
                                        MD5:54C20C255764BEDB18934EC31CF59FA7
                                        SHA1:A5B148D7738D6BC16668701085EDCDEE81761BE4
                                        SHA-256:9D6CAD11B04EE911DF419DD4208B9331AEE2D0F8119244619FB337FB7CEF3ACA
                                        SHA-512:61ACD144E7387742EF9E5DBC522F40082731F92CB29D9C81ED5FC17FF24B69145FE736FAC76229E5D3F516E28303EBA451136BAE3DA3CD1E1846DBB6877F3140
                                        Malicious:false
                                        Preview:ITSF....`.........E........|.{.......".....|.{......."..`...............x.......T0.......0..............................ITSP....T...........................................j..].!......."..T...............PMGLB................/..../#IDXHDR..;.../#ITBITS..../#IVB..3.D./#STRINGS....[./#SYSTEM....../#TOPICS..;.0./#URLSTR...o.../#URLTBL...k.../#WINDOWS..o.D./$FIftiMain......1./$OBJINST..w.../about_box.htm...E.g./add_btnbar.htm...t.../add_buttons.htm...5.S./add_cmdline.htm.....Z./add_curdir.htm.../.c./add_drive.htm...;.../add_drivebuttons.htm...w.D./add_filelist.htm...K.6./add_filemask.htm.....5./add_freemem.htm...}.V./add_hothist.htm...K.~./add_markedfiles.htm...%.7./add_menu.htm...A.../add_root.htm... .h./add_srcdir.htm....."./add_tabstopheader.htm...[.../add_trgpath.htm...z.q./additional_licences.htm...,.1./address.htm...{.:./address_dutch.htm...X.^./address_south_africa.htm...].}./aes_encryption_information.htm...H.&./asp.htm...n.W./ASPLOGO2.gif....f./BTNBAR8B.gif...M.M./BUTTON_E.
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):4072280
                                        Entropy (8bit):6.58277044060218
                                        Encrypted:false
                                        SSDEEP:98304:9q2i7V7i0/5VIVWFHEBxA34RkCDtKnUPgNl/k6AqM:9+7J9XIVWxEBxA3KkKtyVkXt
                                        MD5:82FEF1BEE2C9A878077E9F55A4D0DE04
                                        SHA1:3418116509212343032594B96AB2F37586E2AE06
                                        SHA-256:EE07012B945A2C318B678465A6200B48F990A913B3A8D5B872B823D9A297EE3B
                                        SHA-512:B2B792F6C21433A7483A2ABD85B65D320130E3FCC2B5E8A18F0A83F70BE710B97A49C7DAE77ACA2246853764F217F6B018CD545F0869A2C721E3FFFBFECBF239
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................Z0.........`d0......p0...@.......................... A......{>..........@............................3..@...06.............(.>.0....04.............................. 4.....................................................CODE.....Y0......Z0................. ..`DATA....|~...p0......^0.............@...BSS..........0.......0..................idata...@....3..B....0.............@....tls....(.....4...... 1..................rdata....... 4...... 1.............@..P.reloc.......04......"1.............@..P.rsrc........06...... 3.............@..P............. A.......>.............@..P........................................................................................................................................
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1530
                                        Entropy (8bit):5.277667479782908
                                        Encrypted:false
                                        SSDEEP:24:2dtYmvg9kjNtcyMPgVFKpzc3acBCMRA4+ANjO9N4s+brgg73z8:cO+g6ptN+6SFJ4s+bUg/8
                                        MD5:38AF5BA1863C528D1EDAAEB1366A7DBB
                                        SHA1:CB0D9E0BF7BF5C8FF1DFF92CD35D3DAFE6575141
                                        SHA-256:BA21ECDF036AC8FB458BB82D1D8073183DA622EE38BFDB8E659DE678F1B315F4
                                        SHA-512:1D41E82687B278B590AC4C68C121A7EE5ED9BE3755B86B60343E3C9D3E676548591FD40181B1797A5919A31925ECB3D3536B5555583AAFA5CA70E343BC10A7BE
                                        Malicious:false
                                        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?> ..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">..<assemblyIdentity processorArchitecture="x86" version="5.1.0.0" type="win32" name="Ghisler.Totalcmd.exe"/>.. <description>Total Commander 32</description>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">.. <security>.. <requestedPrivileges>.. <requestedExecutionLevel.. level="asInvoker".. uiAccess="false"/>.. </requestedPrivileges>.. </security>.. </trustInfo>.. <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">.. <application>.. <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>.. <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>.. <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>.. <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>.. <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> .. </application>.. </compat
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):22061
                                        Entropy (8bit):5.348885574457764
                                        Encrypted:false
                                        SSDEEP:384:q/7mXloZ91WnBGvx9f2gHmE3YhrWW3W+j4bTFsPZfo:E7mwcsvxtj3YvW+c1sPZg
                                        MD5:FFC01DFD690C92A4B6AA57ADAAB0B5CB
                                        SHA1:05C7C008DCBADC6B1BFE2D441560135C2C4A2E58
                                        SHA-256:EA30E956142DBE3F72067D7EFF33FA38DC03B76D2187C2ED46EF4882F2AADD8A
                                        SHA-512:B4B7410B0A93E197988249077901C53BADB68A381393B640E5BAEA2186625B6C944B6B6153CDAC9708C46E986FB2515ABD99097F435CCCD45C0AAD44D355BE90
                                        Malicious:false
                                        Preview:[________________Source________________]=0..cm_SrcComments=300;Source: Show comments..cm_SrcShort=301;Source: Only file names..cm_SrcLong=302;Source: All file details..cm_SrcTree=303;Source: Directory tree..cm_SrcQuickview=304;Source: Quick view panel..cm_VerticalPanels=305;File windows above each other..cm_SrcQuickInternalOnly=306;Source: Quick view, no plugins..cm_SrcHideQuickview=307;Source: Quick view panel off..cm_SrcExecs=311;Source: Only programs..cm_SrcAllFiles=312;Source: All files..cm_SrcUserSpec=313;Source: Last selected..cm_SrcUserDef=314;Source: Select user type..cm_SrcByName=321;Source: Sort by name..cm_SrcByExt=322;Source: Sort by extension..cm_SrcBySize=323;Source: Sort by size..cm_SrcByDateTime=324;Source: Sort by date..cm_SrcUnsorted=325;Source: Unsorted..cm_SrcNegOrder=330;Source: Reversed order..cm_SrcOpenDrives=331;Source: Open drive list..cm_SrcThumbs=269;Source: Thumbnail view..cm_SrcCustomViewMenu=270;Source: Custom view menu..cm_SrcPathFocus=332;Source: Put foc
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                        Category:dropped
                                        Size (bytes):8166760
                                        Entropy (8bit):5.935277134015903
                                        Encrypted:false
                                        SSDEEP:98304:SiRYx8zCkVKqpmwWQO49JC5rSD2BLpd+8h:PRbzCxqpU42ddth
                                        MD5:13D2C828C310116A68740CA0A26607F9
                                        SHA1:3B98508B0225B7636E31F42F8D01A0ACD95D76E3
                                        SHA-256:EA38EA2599565FB1D94D23199B87F873DD78E3A32E53BBCC2B2D3FD0C1C82143
                                        SHA-512:DE6082C99B6B5A9D6B426E367808E320696A54FE1A5C9B0C9D14E144C539D16872D45E2B0691B0C6B0248C13E32842A6CEFF5EEECB7B64A40012178C4FA95E5F
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1539
                                        Entropy (8bit):5.287445215369789
                                        Encrypted:false
                                        SSDEEP:24:JdtYmvg8jN3byMPgVFKpzc3acBCMRA4+ANjO9N4s+brggJ3z8:3O+g8p3++6SFJ4s+bUgp8
                                        MD5:BDB872737E222D3D28D922411EF7EF7D
                                        SHA1:42B1D3112598A125710D8ED418887ACA6BD6F484
                                        SHA-256:A68C07FD86ADEABB505354E44B1E846A5D5ABFFF0835046AD227E42C2D532573
                                        SHA-512:8772E793982DE2080B2B1A5E578D3F60D7C785821668ED46A24D99AEBD68240BC30397D41A084D7B7279F9A128BC7FD832D20796863EF5FF672FE1FE3F3DBD86
                                        Malicious:false
                                        Preview:.<?xml version="1.0" encoding="UTF-8" standalone="yes"?> ..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">..<assemblyIdentity processorArchitecture="amd64" version="5.1.0.0" type="win32" name="Ghisler.Totalcmd64.exe"/>.. <description>Total Commander 64</description>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">.. <security>.. <requestedPrivileges>.. <requestedExecutionLevel.. level="asInvoker".. uiAccess="false"/>.. </requestedPrivileges>.. </security>.. </trustInfo>.. <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">.. <application>.. <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>.. <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>.. <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>.. <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>.. <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> .. </application>.. <
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):42880
                                        Entropy (8bit):5.286913178010045
                                        Encrypted:false
                                        SSDEEP:384:UOCTCVAXT5qxkoxhsCSyilxIVDqDN3onoRmIP3cg1qmAfINHShcooooooooOggg+:avFqJx1S0V2DponoRmycwqmj2xqLmOc
                                        MD5:6DCF3209449C0F18C4D5EC7873C3A5FC
                                        SHA1:D8B684D0A3434B5052B26C7A205FDA695BB14452
                                        SHA-256:3DD70DB72FDB1D87F1554416CC7BE0FE963CDB4955022E54E20999DA59172909
                                        SHA-512:09811C0A1884BE3354241214CDB1FF4D227A5FC97ADF0E59F722FA9D442D2B8BA13B29FD3A6F1E783FD07FC4903AB6982C3D476A68BD349711AD57B316C2330B
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):77312
                                        Entropy (8bit):6.540049200957024
                                        Encrypted:false
                                        SSDEEP:1536:hZ7jJ13iy8Z781A9kJrVLaIYJqsghgRQquctDhyquYVuTXHze8I:i7OrUIeqZqu1TTex
                                        MD5:DE02C4D04088B69E64ECC30A3D9E22E5
                                        SHA1:A5F66D420B6A6EBB04242FB85CA462A99DBF89B6
                                        SHA-256:C9D28800E740A1569AEC8FE27DF10EF186D883F94CEC15A5C228826B45A24F9D
                                        SHA-512:32B22966ECEC433636F927DC7B27CF782271B36169A9FDD50AA99A4D8CF14496AC3948A3747B7B7680D2D472F6AF714E640B05C29194E8F2DB92B21619B09C11
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):218712
                                        Entropy (8bit):6.595663142848699
                                        Encrypted:false
                                        SSDEEP:6144:XVv9VpbSSsEVvEYrmodO6ENJ+MMpRO8n8:N99sEVByomeMMpRZ8
                                        MD5:F471628F879F60F4AA9C670F3426A6F0
                                        SHA1:2FC8952D250092212B400FB339C5774AB9675DC8
                                        SHA-256:3AF99EB7826E0E0072D669AED62516B11591E4F15617FC136F3EF6326D17219D
                                        SHA-512:F56330DCCB7620C630FED14594C882EFCA51F28154BD11948075823BAC9C755A5741BA6344AC4925E7D916BEEE1576A6A66CB7A21B9CD2DA59FFE3DBE7528629
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                        Category:dropped
                                        Size (bytes):260184
                                        Entropy (8bit):6.350424436485143
                                        Encrypted:false
                                        SSDEEP:6144:ArQIbpC0faQgGogVfUq6om+iPLpdqMMYTmyCV9CmPV8/46M1:ArQIbdyQgG8q6GiTGxYTa/jPVwM1
                                        MD5:7AC9AB7ECEA88E2326F04D8CA2C2FF6D
                                        SHA1:A82791A425416F355E6C3CD167F2B576BFEAE835
                                        SHA-256:448B3DE89BDF22690D8287A018921FBA80FBA91BBE0E8B599F693F7D9F35F348
                                        SHA-512:5AC5AD9301B24516DCBE8F8F0B6103AC9A1E211C62E696F1D9744348831258E08D9E8AB730AA18E785BA408DB1FB85659D95ADAF4DF32FF5E120C1267C8A2E7C
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):168448
                                        Entropy (8bit):6.4060014092194155
                                        Encrypted:false
                                        SSDEEP:3072:8K24vzk/R+xuK3HHIDwbC5lq62LEPVoK1F127oWmuFrkSQ6AG2L660zvW0Tp:83Ozk/R+xumbIqK9oKjjSQ612Ln0zvW0
                                        MD5:421FC844F5EBE260AF7B8E64DC9E8D62
                                        SHA1:60E295D69E2E6C0894B52C70CE6885551A549D84
                                        SHA-256:97D8E67484327FEB5F0F89E41C9E2AAE6D0FA38EE16F736A6059D58B4B5DA554
                                        SHA-512:2734E4DE8F35F96C8E099CE5F9D6BF0F5ADCE8368361CB0D35F010CA28791BF4CD8DE28D1A0B92AF139BB584123E515A56DDA00EE8A17B5DED5A7D029E1373A9
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 4%
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:MS-DOS executable, NE for MS Windows 3.x (EXE)
                                        Category:dropped
                                        Size (bytes):3328
                                        Entropy (8bit):5.021164170797693
                                        Encrypted:false
                                        SSDEEP:48:216tIIYrtr9p8wf8qvt4IpHNAkwpcTnHKquhQhcLyLG+OCXOdLB6Cb+EZC:21ZI69Cwfz4IpHipInHKfMdGBlHl
                                        MD5:552B40663B6F22377AF1809AF85711E3
                                        SHA1:DA36C67E744448D4E832E2A4C2040508BD8027EA
                                        SHA-256:7D29F43234520D06A8F90F5B1B016FC008E3916BA260A30AADACA20ADEDCBE88
                                        SHA-512:404E9087878DD995518318D5C1962BCB25AB14E0A110D4F2C7FB70E234F8E4EC0136302DF27189601CE1A39767A4E5715C121AE8785F305DB0DFE6AFC98865EF
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):639360
                                        Entropy (8bit):4.2991279378943785
                                        Encrypted:false
                                        SSDEEP:6144:GebCIaPaikwGBwx2RX8wUqWnYemiqW1AY2Ayq:1haC0dcX0pnYemiLAY
                                        MD5:326060071EF65A79744D1B813F244A05
                                        SHA1:4748A79CE0A930ED575B3503FDE4871B53103BC2
                                        SHA-256:C7927522743294CA3193DBA7AFB3786BA423E18230DB640084B24AAF21554C6F
                                        SHA-512:B3B1ED8C5027B362D9E923325B5AF1B8E8C773E0012F77CF19E933E796187CFC7B3C4A95A71BA7E94C18B1B0244BFCE712E319328022699B44AFD56E51DAB03F
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1659
                                        Entropy (8bit):3.756129544222574
                                        Encrypted:false
                                        SSDEEP:48:K2KHaxo7hEe64Q/H2OyZY9J8nCIRRv0GkesLM:nK62Ce64Q/H2xCz8CaZxIM
                                        MD5:26BD37D2477DB03E4BD9E46B58B2A02E
                                        SHA1:DEE38F26DC52C0BD281856BF50941548D8F53385
                                        SHA-256:016B67F1F6E126B1EC2DEF24721D5B7B570751B5BE689445EAD85437955341E6
                                        SHA-512:F6B273355DBF36678400AE90D9C1F07915BBBEC4369EE66D99F6DE179118761003BB0722B68D1BFA81AFB0220D94C64C144491B2586F429DD1F1AAC5EEC1E05C
                                        Malicious:false
                                        Preview:// mappings internal command -> icon index;..[mappings];..69=26..70=52..100=21..101=3..102=4..103=2..104=22..106=22..107=22..111=12..112=13..113=24..114=25..121=5..122=6..123=8..124=7..125=9..130=10..169=26..170=52..200=21..201=3..202=4..203=2..204=22..206=22..207=22..211=12..212=13..213=24..214=25..221=5..222=6..223=8..224=7..225=9..230=10..269=26..270=52..300=21..301=3..302=4..303=2..304=22..305=23..306=22..307=22..311=12..312=13..313=24..314=25..321=5..322=6..323=8..324=7..325=9..330=10..477=34..478=34..479=34..480=34..481=34..482=34..483=56..484=34..485=34..486=34..487=34..488=34..489=34..490=34..491=34..492=34..494=34..495=34..496=34..497=34..498=14..499=34..500=1..501=47..545=47..502=33..504=38..508=30..509=31..512=53..513=54..516=34..518=60..521=39..522=40..523=44..525=11..527=41..529=42..530=43..531=37..532=86..533=35..534=35..535=37..536=35..537=72..540=0..550=16..551=17..559=74..560=68..561=69..562=66..563=67..565=61..570=18..571=19..573=18..574=19..610=55..700=34..903=27..90
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):123536
                                        Entropy (8bit):5.858623217663188
                                        Encrypted:false
                                        SSDEEP:1536:FfB2BGKuXp7/lQCM06WkUxLZTZpTya23JqMqqU+2bbbAV2/S2KPokKNguA:FfB2BGKu5r7M0X9WJqMqqDL2/KPoBg1
                                        MD5:78AB27B9290E9CD1BC2D403F9981AA5B
                                        SHA1:25DDA95C5F6FAD4E050E37C1539D49D6BCBD7E17
                                        SHA-256:F72460EA1F8ACD8667690768AFA2171C95D1A92C6D897ECE78EBD148346A9FD2
                                        SHA-512:450F3C975B349BECFF32A23BAD7A9490965B782C92F5DEE84229E6B6ECDF8AB1E15FB116AACA03A715D33A9F480814A1310E3F7391901539AFF91C696EE35D73
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                        Category:dropped
                                        Size (bytes):150392
                                        Entropy (8bit):6.449746663369943
                                        Encrypted:false
                                        SSDEEP:3072:VdUiOJ8LuR7dNAfvoJUUS7pYF6qBtc0LBMqqDL2/cNVLM9Ew:VdUiOWKdNCgNK0ByWKqqDL6Yw
                                        MD5:D190C477218CA4F66C3C7200D1A22062
                                        SHA1:548C94D8BD8FE6953AD907472BF8A89EB102B00E
                                        SHA-256:A802BC27FF55E3207F0C697AAA4107ABB249A3117721B0309A7405C74D653EBF
                                        SHA-512:6F8A2E9B030F6AF037AFFB55E2BB130B6815314F47D9FE821A60ABE8264EF5A10A411F356948184E0D61C630B45CD34655B1DCEC3924585D100845EC7C43B37D
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):21262
                                        Entropy (8bit):4.182461596090079
                                        Encrypted:false
                                        SSDEEP:192:gEDus+N+r14ZIoBTxIzoBTxIU+wAxdHsyW2Vh9CscQzbLH:UsZNSAx3H9Csc
                                        MD5:7C8123708721BFFB0A7D85447053D352
                                        SHA1:28E5745B233EB3A274E04344F3FEEF249D19E1CE
                                        SHA-256:26F14F58D9BE815B2985F0369C4956FA430C5AC85DCEB218D493F5329FBB6732
                                        SHA-512:24107C58146D2B656046BFDEEEB2C7A92D190F2247E95DD7EC4DEA6412E839D05EDE5C353F842FFD4AE22A44BFB2C8ED70EC9F427DCF4FFA1B1D0D20B8D7AE4C
                                        Malicious:false
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):2576
                                        Entropy (8bit):5.298105467996054
                                        Encrypted:false
                                        SSDEEP:48:6s7f/6ckckiG1RB6qRa9Gs9SNGi1subtjIYyjIeHO74yKH0it:B7H6ckckhjB6qFb1dbtj9yjoFKHPt
                                        MD5:D237C369B5AB6CFC6ABCD7571FB8F15D
                                        SHA1:FDB74402E2408C0AA03927E433164046790F7AB1
                                        SHA-256:B50E07A37426C232BAFB4114B8A8A8C9239FA2D7D33E3928748F6F1D5AC2DD07
                                        SHA-512:96DB46D5083F4674AD201C92218283A774568261D4B5E38AFDF69DDBA0709CEB46CE8B57CFF568691FCA18BA727A9E2FCE05E32E960B9F183722FD8C1C47904B
                                        Malicious:false
                                        Preview:CABRK.DLL CAB unpacker DLL..CGLPT64.SYS Parallel port driver for Windows XP/Vista/7 X64..CGLPT9X.VXD Parallel port driver for Windows 9x/ME..CGLPTNT.SYS Parallel port driver for Windows NT/2000/XP..DEFAULT.BAR Default button bar file..FRERES32.DLL Library to get free system resources on Windows 9x/ME..HISTORY.TXT History of all changes..LANGUAGE Additional Totalcmd languages can be found on our addons page on www.ghisler.com..NO.BAR Empty button bar file..NOCLOSE.EXE Used when launching command line program with Shift+Enter to keep the console open..NOCLOSE64.EXE Used when launching command line program with Shift+Enter to keep the console open..SFXHEAD.SFX Self extracting header for ZIP..SHARE_NT.EXE Helper tool to show share/unshare dialog on Windows NT..SIZE!.TXT Information about changed program size..TC7Z64.DLL 7ZIP unpacker DLL (64-bit)..TC7Z.DLL 7ZIP unpacker DLL..TC7ZIPIF.DLL Interface DLL to access 7zip DLL..TCLZMA64.DLL 64-bit LZMA packer/unpacker..TCMADM64.EXE Tool to copy/d
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows, RAR self-extracting archive
                                        Category:dropped
                                        Size (bytes):93719
                                        Entropy (8bit):6.50406533822925
                                        Encrypted:false
                                        SSDEEP:1536:fLUBZ37C+sASQIPdhf9VUk5LWuAxi8EcmrwfItmLZPnp538gS9d:TUBZ36A3AhfmuJewyPnb8zz
                                        MD5:14C1195C8F58555B2A57408392B42572
                                        SHA1:5700060A5FC584A9D0AF7AFA20FC6D2510B2F919
                                        SHA-256:236F2F99163A93672EDF4D7EAD313E6972D4BC9D57645C87A3C1C37D50E6BFE6
                                        SHA-512:2B1F7CA368996BF5ECF442202DD2C764E7E785B94CAF4A722ECDAF30E61CF22CA067DCAB860CC2CBABEC3059A0743D12BCF39337AEDF226A585F2760DBDFB3EF
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 4%
                                        Process:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):1024
                                        Entropy (8bit):7.748405055323462
                                        Encrypted:false
                                        SSDEEP:24:tj13Ac2EiUp3PBPdLBswmJXmxSaUAdSBzop285:t53Acbp/BQJk7FdSg285
                                        MD5:B85313A8482C8EC839A3AD76CEB5EBDB
                                        SHA1:BC8F96BD28AEA59770390BFCF4401D03DCEBC6FD
                                        SHA-256:09F2F28259FA5B959C896258ABF7815D50C24B73F1574BE1714C70D2C0E5DC3B
                                        SHA-512:D4F6294C44572F01BA54554CA88C1BA2522F3E035E09E855185CE04CD6B45BF850D487C7A6DF0C2F4AE58DA1C0004F6D5E25797CA4139526A5E06CD487BDA633
                                        Malicious:false
                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Entropy (8bit):7.997216376048819
                                        TrID:
                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                        • DOS Executable Generic (2002/1) 0.02%
                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                        File name:ojSIQVSgby.exe
                                        File size:5163027
                                        MD5:09e9517e74ee5c16b4820c017dbc63bf
                                        SHA1:46d178d9f1de23936c1278d8e4e8677829dd3221
                                        SHA256:2e9a89f602c794e320b72b0e9f5766ff920843b02963b8f1d11f905a5b89d113
                                        SHA512:6cfbecf869d4ce8401ed6c3f43edd3f932576b936d2e88e4451a9a43015f5399cf6261a9c2a1337e4180f295a1214cab2591f3c788038d74d134d32a1cb690d3
                                        SSDEEP:98304:X1Edh9jh9Vgf7s3inttChwyaEoyGZSH8FAr3Rj7AS/xIgQSPyjMw65Z1bfm:X1EDcASnttmFaByx8OB7dagJZl5ZFm
                                        TLSH:3536332576E216FDCD625BB434D032905AFAF3001F20AAC7E7810B1E6F558D7A3B6792
                                        File Content Preview:MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L...(D.W..........................................@..........................P......._...............................................0.....................
                                        Icon Hash:d7b4a896f69a9a4a
                                        Entrypoint:0x4193af
                                        Entrypoint Section:.text
                                        Digitally signed:false
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                        DLL Characteristics:
                                        Time Stamp:0x57004428 [Sat Apr 2 22:14:00 2016 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:
                                        OS Version Major:4
                                        OS Version Minor:0
                                        File Version Major:4
                                        File Version Minor:0
                                        Subsystem Version Major:4
                                        Subsystem Version Minor:0
                                        Import Hash:a1a66d588dcf1394354ebf6ec400c223
                                        Instruction
                                        push ebp
                                        mov ebp, esp
                                        push FFFFFFFFh
                                        push 0041C878h
                                        push 00419540h
                                        mov eax, dword ptr fs:[00000000h]
                                        push eax
                                        mov dword ptr fs:[00000000h], esp
                                        sub esp, 68h
                                        push ebx
                                        push esi
                                        push edi
                                        mov dword ptr [ebp-18h], esp
                                        xor ebx, ebx
                                        mov dword ptr [ebp-04h], ebx
                                        push 00000002h
                                        call dword ptr [0041A1ECh]
                                        pop ecx
                                        or dword ptr [00422B88h], FFFFFFFFh
                                        or dword ptr [00422B8Ch], FFFFFFFFh
                                        call dword ptr [0041A1F0h]
                                        mov ecx, dword ptr [00420B6Ch]
                                        mov dword ptr [eax], ecx
                                        call dword ptr [0041A1F4h]
                                        mov ecx, dword ptr [00420B68h]
                                        mov dword ptr [eax], ecx
                                        mov eax, dword ptr [0041A1F8h]
                                        mov eax, dword ptr [eax]
                                        mov dword ptr [00422B84h], eax
                                        call 00007F66A8FB3672h
                                        cmp dword ptr [0041E6E0h], ebx
                                        jne 00007F66A8FB355Eh
                                        push 00419538h
                                        call dword ptr [0041A1FCh]
                                        pop ecx
                                        call 00007F66A8FB3644h
                                        push 0041E074h
                                        push 0041E070h
                                        call 00007F66A8FB362Fh
                                        mov eax, dword ptr [00420B64h]
                                        mov dword ptr [ebp-6Ch], eax
                                        lea eax, dword ptr [ebp-6Ch]
                                        push eax
                                        push dword ptr [00420B60h]
                                        lea eax, dword ptr [ebp-64h]
                                        push eax
                                        lea eax, dword ptr [ebp-70h]
                                        push eax
                                        lea eax, dword ptr [ebp-60h]
                                        push eax
                                        call dword ptr [0041A204h]
                                        push 0041E06Ch
                                        push 0041E000h
                                        call 00007F66A8FB35FCh
                                        Name | Virtual Address | Virtual Size | Is in Section
                                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1cca4 | 0xc8 | .rdata
                                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x23000 | 0x14c0 | .rsrc
                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_IAT | 0x1a000 | 0x390 | .rdata
                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                        Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                        .text | 0x1000 | 0x18d6a | 0x18e00 | False | 0.5999725188442211 | data | 6.690824618038753 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                        .rdata | 0x1a000 | 0x3fa0 | 0x4000 | False | 0.46051025390625 | data | 5.772102793505232 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                        .data | 0x1e000 | 0x4b90 | 0x800 | False | 0.41162109375 | data | 3.6363601156539818 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                        .rsrc | 0x23000 | 0x14c0 | 0x1600 | False | 0.341796875 | data | 3.510467585885568 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                        Name | RVA | Size | Type | Language | Country
                                        RT_ICON | 0x231c0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1536 | |
                                        RT_ICON | 0x23828 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512, 16 important colors | |
                                        RT_ICON | 0x23b10 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 384 | |
                                        RT_ICON | 0x23cf8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | |
                                        RT_GROUP_ICON | 0x23e20 | 0x3e | data | |
                                        RT_VERSION | 0x23e60 | 0x350 | data | |
                                        RT_MANIFEST | 0x241b0 | 0x309 | ASCII text | |
                                        DLL | Import
                                        COMCTL32.dll |
                                        SHELL32.dll | ShellExecuteExW, ShellExecuteW, SHGetMalloc, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHGetSpecialFolderPathW
                                        GDI32.dll | CreateCompatibleDC, CreateFontIndirectW, DeleteObject, DeleteDC, GetCurrentObject, StretchBlt, GetDeviceCaps, CreateCompatibleBitmap, SelectObject, SetStretchBltMode, GetObjectW
                                        ADVAPI32.dll | FreeSid, AllocateAndInitializeSid, CheckTokenMembership
                                        USER32.dll | GetParent, ScreenToClient, CreateWindowExW, GetDesktopWindow, GetWindowTextLengthW, SetWindowPos, SetTimer, GetMessageW, CopyImage, KillTimer, CharUpperW, SendMessageW, ShowWindow, BringWindowToTop, wsprintfW, MessageBoxW, EndDialog, ReleaseDC, GetWindowDC, GetMenu, GetWindowLongW, GetClassNameA, wsprintfA, DispatchMessageW, SetWindowTextW, GetSysColor, DestroyWindow, MessageBoxA, GetKeyState, IsWindow, GetDlgItem, GetClientRect, GetSystemMetrics, SetWindowLongW, UnhookWindowsHookEx, SetFocus, SystemParametersInfoW, DrawTextW, GetDC, ClientToScreen, GetWindow, DialogBoxIndirectParamW, DrawIconEx, CallWindowProcW, DefWindowProcW, CallNextHookEx, PtInRect, SetWindowsHookExW, LoadImageW, LoadIconW, MessageBeep, EnableWindow, EnableMenuItem, GetSystemMenu, CreateWindowExA, wvsprintfW, GetWindowTextW, GetWindowRect
                                        ole32.dll | CreateStreamOnHGlobal, CoCreateInstance, CoInitialize
                                        OLEAUT32.dll | SysAllocStringLen, VariantClear, SysFreeString, OleLoadPicture, SysAllocString
                                        KERNEL32.dll | SetFileTime, SetEndOfFile, GetFileInformationByHandle, VirtualFree, GetModuleHandleA, WaitForMultipleObjects, VirtualAlloc, ReadFile, SetFilePointer, GetFileSize, LeaveCriticalSection, EnterCriticalSection, DeleteCriticalSection, FormatMessageW, lstrcpyW, LocalFree, IsBadReadPtr, GetSystemDirectoryW, GetCurrentThreadId, SuspendThread, TerminateThread, InitializeCriticalSection, ResetEvent, SetEvent, CreateEventW, GetVersionExW, GetModuleFileNameW, GetCurrentProcess, SetProcessWorkingSetSize, SetEnvironmentVariableW, GetDriveTypeW, CreateFileW, LoadLibraryA, SetThreadLocale, GetSystemTimeAsFileTime, ExpandEnvironmentStringsW, CompareFileTime, WideCharToMultiByte, GetTempPathW, GetCurrentDirectoryW, GetEnvironmentVariableW, lstrcmpiW, GetLocaleInfoW, MultiByteToWideChar, GetUserDefaultUILanguage, GetSystemDefaultUILanguage, GetSystemDefaultLCID, lstrcmpiA, GlobalAlloc, GlobalFree, MulDiv, FindResourceExA, SizeofResource, LoadResource, LockResource, GetModuleHandleW, FindFirstFileW, lstrcmpW, DeleteFileW, FindNextFileW, FindClose, RemoveDirectoryW, GetStdHandle, WriteFile, lstrlenA, CreateDirectoryW, GetFileAttributesW, SetCurrentDirectoryW, GetLocalTime, SystemTimeToFileTime, CreateThread, GetExitCodeThread, Sleep, SetFileAttributesW, GetDiskFreeSpaceExW, SetLastError, GetTickCount, lstrlenW, ExitProcess, lstrcatW, GetProcAddress, CloseHandle, WaitForSingleObject, GetExitCodeProcess, GetQueuedCompletionStatus, ResumeThread, SetInformationJobObject, CreateIoCompletionPort, AssignProcessToJobObject, CreateJobObjectW, GetLastError, CreateProcessW, GetStartupInfoW, GetCommandLineW, GetStartupInfoA
                                        MSVCRT.dll | _purecall, ??2@YAPAXI@Z, _wtol, memset, memmove, memcpy, _wcsnicmp, _controlfp, _except_handler3, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, ??1type_info@@UAE@XZ, _onexit, __dllonexit, malloc, realloc, free, wcsstr, _CxxThrowException, _beginthreadex, _EH_prolog, ?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z, strncmp, wcsncmp, wcsncpy, strncpy, ??3@YAXPAX@Z
                                        No network behavior found

                                        Target ID:0
                                        Start time:08:57:44
                                        Start date:01/12/2022
                                        Path:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Users\user\Desktop\ojSIQVSgby.exe
                                        Imagebase:0x400000
                                        File size:5163027 bytes
                                        MD5 hash:09E9517E74EE5C16B4820C017DBC63BF
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:low

                                          Execution Graph

                                          Execution Coverage:13.3%
                                          Dynamic/Decrypted Code Coverage:0%
                                          Signature Coverage:24.5%
                                          Total number of Nodes:1789
                                          Total number of Limit Nodes:50
10658->10659 10660 4149cd 10658->10660 10659->10660 10754 41845f 10659->10754 10660->10558 10660->10562 10676 4160bb 10662->10676 10668 416c8a 10669 416cb0 10668->10669 10670 4160bb _CxxThrowException 10668->10670 10669->10596 10669->10597 10670->10668 10671 4160bb _CxxThrowException 10672 416af9 10671->10672 10672->10668 10672->10669 10672->10671 10679 415eda _CxxThrowException 10672->10679 10680 416a51 10672->10680 10686 40bcc0 10672->10686 10692 415f69 10672->10692 10697 40b7b0 10672->10697 10700 416147 10672->10700 10705 416187 10672->10705 10710 416087 10676->10710 10681 416a5e 10680->10681 10683 416ab5 10680->10683 10682 416a65 ??2@YAPAXI 10681->10682 10684 416a8c 10681->10684 10682->10684 10683->10672 10684->10683 10715 413ece 10684->10715 10687 40bcfb 10686->10687 10688 40bccd 10686->10688 10687->10672 10689 40bce2 10688->10689 10690 40bcd3 ??3@YAXPAX 10688->10690 10689->10687 10691 40bced ??2@YAPAXI 10689->10691 10690->10689 10691->10687 10693 415f75 10692->10693 10694 415f9b 10692->10694 10695 415f86 memcpy 10693->10695 10723 415eba _CxxThrowException 10693->10723 10694->10672 10695->10694 10698 40b7c8 10697->10698 10699 40b7b9 ??3@YAXPAX 10697->10699 10698->10672 10699->10698 10701 416182 10700->10701 10702 416154 10700->10702 10701->10672 10703 416174 ??3@YAXPAX 10702->10703 10704 41615b ??2@YAPAXI 10702->10704 10703->10701 10704->10703 10706 4161c2 10705->10706 10707 416194 10705->10707 10706->10672 10708 4161b4 ??3@YAXPAX 10707->10708 10709 41619b ??2@YAPAXI 10707->10709 10708->10706 10709->10708 10711 4160a5 10710->10711 10712 4160b1 10711->10712 10714 415eba _CxxThrowException 10711->10714 10712->10672 10716 413edb 10715->10716 10717 413f0f ??3@YAXPAX 10715->10717 10719 413efd 10716->10719 10720 413eef ??3@YAXPAX 10716->10720 10718 413f1d ??3@YAXPAX 10717->10718 10722 413f09 10717->10722 10718->10722 10721 413f02 ??3@YAXPAX 10719->10721 10719->10722 10720->10719 10720->10720 10721->10722 10722->10683 10725 412186 10724->10725 10726 41215b ??3@YAXPAX 
??2@YAPAXI 10724->10726 10725->10606 10726->10725 10732 4162d8 10727->10732 10730 41838d memset 10731 418399 10730->10731 10731->10616 10733 416304 10732->10733 10734 4162e9 ??3@YAXPAX ??2@YAPAXI 10732->10734 10733->10730 10733->10731 10734->10733 10736 413955 10735->10736 10737 4139a6 10735->10737 10738 41398d 10736->10738 10739 41395e ??3@YAXPAX ??2@YAPAXI 10736->10739 10737->10627 10738->10737 10740 413994 memcpy 10738->10740 10739->10738 10740->10737 10741->10649 10743 413a72 10742->10743 10744 413a86 10743->10744 10745 413a7f ??3@YAXPAX 10743->10745 10744->10651 10745->10744 10749 40261b 10746->10749 10750 402626 ??2@YAPAXI 10749->10750 10751 40266f 10749->10751 10752 402660 ??3@YAXPAX 10750->10752 10753 402651 memcpy 10750->10753 10751->10568 10752->10751 10753->10752 10756 418471 10754->10756 10755 418475 10755->10659 10756->10755 10757 418488 _CxxThrowException 10756->10757 10757->10755 12849 410c10 12850 410c17 12849->12850 12851 410c1f 12849->12851 12852 410c43 12851->12852 12856 418eb0 12851->12856 12857 410c7b 12856->12857 12858 418eb4 VirtualFree 12856->12858 12859 418e90 12857->12859 12858->12857 12860 418e94 12859->12860 12861 418e97 VirtualAlloc 12859->12861 12860->12852 12861->12852 10473 411222 ReadFile 13437 418630 13438 41863b 13437->13438 13439 41864c 13437->13439 13438->13439 13441 413384 13438->13441 13448 407201 ResetEvent 13441->13448 12525 40cd38 12527 40cd40 12525->12527 12526 41383a 132 API calls 12526->12527 12527->12526 12529 40cf86 12527->12529 12530 40cf77 12527->12530 12531 4131ad 6 API calls 12527->12531 12528 41383a 132 API calls 12528->12530 12529->12528 12529->12530 12531->12527 12942 40ccc0 12943 40d04b 12942->12943 12944 40ccce 12942->12944 12944->12943 12952 40c830 12944->12952 12946 41383a 132 API calls 12947 40cce9 12946->12947 12947->12946 12949 40cf77 12947->12949 12950 40cf86 12947->12950 12951 4131ad 6 API calls 12947->12951 12948 41383a 132 API calls 12948->12949 12950->12948 12950->12949 12951->12947 12954 40c84c 
12952->12954 12956 40c89c 12952->12956 12953 418e90 VirtualAlloc 12953->12954 12954->12953 12955 418eb0 VirtualFree 12954->12955 12954->12956 12955->12954 12956->12947 10472 4191c3 _onexit 10767 418acc 10776 418886 10767->10776 10769 4184fc 2 API calls 10771 418b37 10769->10771 10775 418b57 10771->10775 10795 407199 WaitForSingleObject 10771->10795 10772 418ae1 10773 418b08 10772->10773 10772->10775 10783 4138ba 10772->10783 10773->10769 10778 41889b 10776->10778 10782 418917 10776->10782 10777 418726 ??3@YAXPAX 10777->10778 10778->10777 10781 418703 ??2@YAPAXI memcpy ??3@YAXPAX ??2@YAPAXI 10778->10781 10778->10782 10780 418a3e 10780->10772 10781->10778 10782->10780 10796 413558 ??2@YAPAXI 10782->10796 10784 4138c4 10783->10784 10787 4138cc 10783->10787 10801 40721a 10784->10801 10786 4138df 10791 4138ff 10786->10791 10800 407201 ResetEvent 10786->10800 10787->10786 10789 40721a 2 API calls 10787->10789 10787->10791 10789->10786 10791->10772 10795->10771 10797 41357d ??2@YAPAXI 10796->10797 10799 4135ab 10797->10799 10799->10782 10804 4071cd CreateEventW 10801->10804 10807 40715e 10804->10807 10806 4071ee 10806->10787 10808 407162 10807->10808 10809 407165 GetLastError 10807->10809 10808->10806 10810 40716f 10809->10810 10810->10806 12516 418ed0 12517 418ed4 12516->12517 12518 418ed7 malloc 12516->12518 13524 405eeb 13525 411b84 ctype 2 API calls 13524->13525 13526 405efd 13525->13526 13546 40360e 13526->13546 13528 405f0c 13529 4036c8 18 API calls 13528->13529 13530 405f1b 13529->13530 13531 403782 18 API calls 13530->13531 13532 405f2a 13531->13532 13533 40383c 10 API calls 13532->13533 13543 405f32 13533->13543 13534 405fb0 13583 4048cc 13534->13583 13538 40455d 15 API calls 13538->13543 13539 40360e 18 API calls 13539->13543 13540 4036c8 18 API calls 13540->13543 13541 403782 18 API calls 13541->13543 13542 40383c 10 API calls 13542->13543 13543->13534 13543->13538 13543->13539 13543->13540 13543->13541 13543->13542 13569 404dcd GetEnvironmentVariableW 
13543->13569 13577 405732 13543->13577 13641 411b60 ??2@YAPAXI 13546->13641 13548 403622 13549 411c48 3 API calls 13548->13549 13550 40362b 13549->13550 13551 411ca3 ctype 5 API calls 13550->13551 13552 403638 13551->13552 13553 411b84 ctype 2 API calls 13552->13553 13554 403645 13553->13554 13555 411f27 7 API calls 13554->13555 13556 403654 ??3@YAXPAX 13555->13556 13557 411c48 3 API calls 13556->13557 13558 403666 13557->13558 13559 411ca3 ctype 5 API calls 13558->13559 13560 403673 13559->13560 13561 411b84 ctype 2 API calls 13560->13561 13562 403680 13561->13562 13563 411f27 7 API calls 13562->13563 13564 40368f ??3@YAXPAX 13563->13564 13565 411b84 ctype 2 API calls 13564->13565 13566 4036a6 13565->13566 13567 411f27 7 API calls 13566->13567 13568 4036b2 ??3@YAXPAX ??3@YAXPAX 13567->13568 13568->13528 13642 411b60 ??2@YAPAXI 13569->13642 13571 404df2 13572 4042f3 7 API calls 13571->13572 13573 404dfd 13572->13573 13574 4042f3 7 API calls 13573->13574 13575 404e07 GetEnvironmentVariableW 13574->13575 13576 404e15 13575->13576 13576->13543 13578 40579b ??3@YAXPAX 13577->13578 13581 405749 13577->13581 13578->13534 13578->13543 13579 40386e CharUpperW 13579->13581 13580 411e98 memmove 13580->13581 13581->13578 13581->13579 13581->13580 13582 411eec 6 API calls 13581->13582 13582->13581 13584 4048e7 13583->13584 13586 4048f5 13583->13586 13585 4048ec _wtol 13584->13585 13584->13586 13585->13586 13587 404993 SHGetSpecialFolderPathW 13586->13587 13588 404bd6 ??3@YAXPAX 13586->13588 13587->13588 13589 4049ab 13587->13589 13590 411b84 ctype 2 API calls 13589->13590 13591 4049ba 13590->13591 13643 411b60 ??2@YAPAXI 13591->13643 13593 4049c2 13644 411b60 ??2@YAPAXI 13593->13644 13595 4049ca 13645 411b60 ??2@YAPAXI 13595->13645 13597 4049d2 13646 411b60 ??2@YAPAXI 13597->13646 13599 4049da 13647 411b60 ??2@YAPAXI 13599->13647 13601 4049e2 13648 411b60 ??2@YAPAXI 13601->13648 13603 4049ea 13649 411b60 ??2@YAPAXI 13603->13649 13605 4049f2 13650 411b60 ??2@YAPAXI 13605->13650 
13607 4049fa 13651 40358b 13607->13651 13610 404b8b 9 API calls 13610->13588 13611 40358b 4 API calls 13612 404a17 13611->13612 13613 40358b 4 API calls 13612->13613 13614 404a21 13613->13614 13615 40358b 4 API calls 13614->13615 13616 404a2b 13615->13616 13617 40358b 4 API calls 13616->13617 13618 404a35 13617->13618 13619 40358b 4 API calls 13618->13619 13620 404a3f 13619->13620 13621 40358b 4 API calls 13620->13621 13622 404a49 13621->13622 13623 40358b 4 API calls 13622->13623 13624 404a53 _wtol 13623->13624 13625 404a60 13624->13625 13631 404a78 13624->13631 13628 411be5 ctype 3 API calls 13625->13628 13626 4015ec ctype 4 API calls 13627 404a9c 13626->13627 13629 404ab7 13627->13629 13632 411ce3 5 API calls 13627->13632 13628->13631 13630 404772 109 API calls 13629->13630 13634 404abf 13630->13634 13631->13626 13633 404aad 13632->13633 13635 4015ec ctype 4 API calls 13633->13635 13634->13610 13636 411ce3 5 API calls 13634->13636 13635->13629 13637 404ad3 13636->13637 13638 411ca3 ctype 5 API calls 13637->13638 13639 404ae0 CoCreateInstance 13638->13639 13639->13610 13640 404b02 13639->13640 13640->13610 13641->13548 13642->13571 13643->13593 13644->13595 13645->13597 13646->13599 13647->13601 13648->13603 13649->13605 13650->13607 13653 4035a2 13651->13653 13652 4035e4 13652->13610 13652->13611 13653->13652 13654 4015ec ctype 4 API calls 13653->13654 13654->13653 12496 418ef1 free 10450 413883 10457 407199 WaitForSingleObject 10450->10457 10452 413890 10455 4138b3 10452->10455 10458 41883f _EH_prolog 10452->10458 10461 4071f2 SetEvent 10452->10461 10462 407199 WaitForSingleObject 10452->10462 10457->10452 10463 4184fc 10458->10463 10460 41885f 10460->10452 10462->10452 10464 418511 10463->10464 10469 41824f 10464->10469 10467 41824f 2 API calls 10468 418541 10467->10468 10468->10460 10470 418260 ??3@YAXPAX ??2@YAPAXI 10469->10470 10471 41828b 10469->10471 10470->10471 10471->10467 14009 419b82 14014 401559 14009->14014 14011 419b8c 14012 4191ee 2 API calls 
14011->14012 14013 419b96 14012->14013 14028 411b60 ??2@YAPAXI 14014->14028 14016 40156f 14029 411b60 ??2@YAPAXI 14016->14029 14018 401577 14030 411b60 ??2@YAPAXI 14018->14030 14020 40157f 14031 401062 14020->14031 14023 401593 14024 4015b4 ??2@YAPAXI 14023->14024 14025 4015c3 14024->14025 14027 4015ca 14024->14027 14034 415d8b 14025->14034 14027->14011 14028->14016 14029->14018 14030->14020 14032 4076d3 3 API calls 14031->14032 14033 40106a ??2@YAPAXI 14032->14033 14033->14023 14035 415db2 14034->14035 14038 411b60 ??2@YAPAXI 14035->14038 14037 415dbd 14037->14027 14038->14037 12501 410d90 12502 410d9e 12501->12502 12508 410daa 12501->12508 12504 410f96 12505 41383a 132 API calls 12504->12505 12506 410fae 12505->12506 12507 41383a 132 API calls 12507->12508 12508->12504 12508->12507 12509 410f8c 12508->12509 12510 4131ad 6 API calls 12508->12510 12511 410780 12508->12511 12510->12508 12512 4107c3 12511->12512 12513 4107ad 12511->12513 12512->12513 12514 40f980 memcpy 12512->12514 12515 4108cb memcpy 12512->12515 12513->12508 12514->12512 12515->12512 12519 418e90 12520 418e94 12519->12520 12521 418e97 VirtualAlloc 12519->12521 10474 415aa4 12 API calls 13020 4134a8 13023 4133b2 13020->13023 13024 4133be 13023->13024 13025 413427 13024->13025 13026 4133d7 13024->13026 13033 407199 WaitForSingleObject 13024->13033 13026->13025 13028 4133eb memcpy 13026->13028 13029 41340d 13028->13029 13029->13025 13034 407201 ResetEvent 13029->13034 13033->13026 10811 4193af __set_app_type __p__fmode __p__commode 10812 41941e 10811->10812 10813 419432 10812->10813 10814 419426 __setusermatherr 10812->10814 10823 419526 _controlfp 10813->10823 10814->10813 10816 419437 _initterm __getmainargs _initterm 10817 41948b GetStartupInfoA 10816->10817 10819 4194bf GetModuleHandleA 10817->10819 10824 407118 _EH_prolog 10819->10824 10823->10816 10827 406128 ?_set_new_handler@@YAP6AHI@ZP6AHI@Z 10824->10827 11156 40391c GetModuleHandleW CreateWindowExW GetDesktopWindow GetWindowRect 
SetWindowPos 10827->11156 10830 406166 10831 4070f7 MessageBoxA 10830->10831 10833 406180 10830->10833 10832 40710e exit _XcptFilter 10831->10832 11159 411b60 ??2@YAPAXI 10833->11159 10835 406196 11160 411b60 ??2@YAPAXI 10835->11160 10837 40619e 11161 411b60 ??2@YAPAXI 10837->11161 10839 4061a6 11162 405502 LoadLibraryA #17 10839->11162 10844 411be5 ctype 3 API calls 10845 4061c6 10844->10845 11191 404666 10845->11191 10847 4061ce 11205 405051 10847->11205 10849 4061e4 11223 403fdd 10849->11223 10852 405051 19 API calls 10853 4061f6 GetCommandLineW 10852->10853 10854 405051 19 API calls 10853->10854 10855 406205 10854->10855 10856 4042f3 7 API calls 10855->10856 10857 40621c wsprintfW 10856->10857 10858 40622e 10857->10858 10859 405051 19 API calls 10858->10859 10860 40623c 10859->10860 11226 4057a2 10860->11226 10863 406268 10865 4057a2 3 API calls 10863->10865 10864 406252 _wtol 10864->10863 10866 406283 10865->10866 10867 4062b0 10866->10867 10868 406287 10866->10868 10870 4057a2 3 API calls 10867->10870 11408 405da5 10868->11408 10871 4062bc 10870->10871 10872 4062c0 10871->10872 10873 4062cb 10871->10873 11430 402013 10872->11430 10876 4057a2 3 API calls 10873->10876 10877 4062db 10876->10877 10878 4042f3 7 API calls 10877->10878 10879 4062f8 GetModuleFileNameW 10878->10879 10880 406305 10879->10880 10881 406317 10879->10881 10882 40976c 74 API calls 10880->10882 10883 4057a2 3 API calls 10881->10883 10885 40628c ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 10882->10885 10896 40632a 10883->10896 10884 4064bf 11231 411c48 10884->11231 10885->10832 10888 411c48 3 API calls 10893 4064dc 10888->10893 10889 4063ff 10891 406426 10889->10891 10892 40640f _wtol 10889->10892 10890 4057a2 3 API calls 10900 406476 10890->10900 10891->10890 10892->10891 10894 406561 10893->10894 10898 411be5 ctype 3 API calls 10893->10898 10897 403fdd 2 API calls 10894->10897 10895 4063f1 10895->10885 10895->10889 10896->10884 10896->10885 10896->10889 10896->10891 10896->10895 10905 4015ec ctype 4 
API calls 10896->10905 10901 406581 10897->10901 10899 406510 10898->10899 10903 411be5 ctype 3 API calls 10899->10903 10900->10884 10904 40310a 4 API calls 10900->10904 10902 411be5 ctype 3 API calls 10901->10902 10906 40658c 10902->10906 10912 406526 10903->10912 10907 4064a9 10904->10907 10905->10896 11236 40130d 10906->11236 10907->10884 10910 411c48 3 API calls 10907->10910 10910->10884 10911 4065b1 11240 411743 ??2@YAPAXI 10911->11240 10914 411c48 3 API calls 10912->10914 10913 40976c 74 API calls 10913->10911 10916 406551 10914->10916 10918 403dc8 19 API calls 10916->10918 10917 4065c3 11241 405fef 10917->11241 10920 406559 10918->10920 10922 411ca3 ctype 5 API calls 10920->10922 10922->10894 10924 4065de 10925 4065f1 10924->10925 10926 4065e4 ??3@YAXPAX 10924->10926 10928 4057a2 3 API calls 10925->10928 10935 406667 10925->10935 10926->10925 10927 406a35 ??3@YAXPAX 10929 406a43 CoInitialize 10927->10929 10939 406606 10928->10939 10936 405041 lstrcmpW 10929->10936 10930 406680 wsprintfW 10932 403dc8 19 API calls 10930->10932 10931 4066b5 11258 4054e3 10931->11258 10932->10935 10935->10927 10935->10930 10935->10931 10938 405051 19 API calls 10935->10938 10940 406a68 10936->10940 10938->10935 10939->10927 10939->10935 11438 406013 10939->11438 10942 406a79 10940->10942 10946 411be5 ctype 3 API calls 10940->10946 11399 4055ff 10942->11399 10943 4066c2 10947 4066d9 10943->10947 10948 4066c9 ??3@YAXPAX 10943->10948 10946->10942 11299 405811 10947->11299 10948->10947 10956 40976c 74 API calls 10957 406655 ??3@YAXPAX 10956->10957 10957->10935 10960 4066ea 10961 4067cc 10960->10961 10968 4066ff lstrlenW 10960->10968 11365 401341 10961->11365 11467 40b440 10968->11467 10969 4067df 10973 405fef 3 API calls 10969->10973 10975 4067e9 10973->10975 10977 405401 139 API calls 10975->10977 10979 4067f9 10977->10979 10981 405811 34 API calls 10979->10981 10982 4067fe 10981->10982 11373 4013a6 10982->11373 10988 401765 145 API calls 10991 40680a 10988->10991 10990 406716 
10994 411be5 ctype 3 API calls 10990->10994 10993 405811 34 API calls 10991->10993 10997 40680f 10993->10997 10994->10961 10999 406950 10997->10999 11474 403ff2 AllocateAndInitializeSid 10997->11474 11002 405041 lstrcmpW 10999->11002 11046 406962 11002->11046 11017 4069b5 11393 405e96 11017->11393 11018 406833 11477 411b60 ??2@YAPAXI 11018->11477 11024 411b84 ctype 2 API calls 11024->11046 11031 40683b 11478 411b60 ??2@YAPAXI 11031->11478 11040 406843 GetCommandLineW 11041 40310a 4 API calls 11040->11041 11047 406853 11041->11047 11045 4069b7 ??3@YAXPAX 11045->11017 11046->11017 11046->11024 11046->11045 11050 405051 19 API calls 11046->11050 11052 411b84 ctype 2 API calls 11047->11052 11048 405041 lstrcmpW 11053 4069e8 11048->11053 11051 406999 ??3@YAXPAX 11050->11051 11054 405041 lstrcmpW 11051->11054 11056 40685c 11052->11056 11057 4069f6 11053->11057 11061 403dc8 19 API calls 11053->11061 11054->11046 11479 411b32 11056->11479 11058 4076d3 3 API calls 11057->11058 11062 406a03 11058->11062 11061->11057 11065 407a45 39 API calls 11062->11065 11068 406a2a 11065->11068 11508 407734 ??3@YAXPAX 11068->11508 11072 411b08 3 API calls 11074 40688e 11072->11074 11487 411a62 11074->11487 11080 406899 11082 411aec 3 API calls 11080->11082 11085 4068a8 11082->11085 11089 411be5 ctype 3 API calls 11085->11089 11093 4068b2 7 API calls 11089->11093 11490 401cc0 11093->11490 11100 406904 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 11101 40692b ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 11100->11101 11101->10999 11157 403986 SetTimer GetMessageW DispatchMessageW KillTimer 11156->11157 11158 4039b8 GetVersionExW 11156->11158 11157->11158 11158->10830 11158->10831 11159->10835 11160->10837 11161->10839 11163 405529 11162->11163 11164 403d6d 3 API calls 11163->11164 11165 40552e 11164->11165 11166 403dc8 19 API calls 11165->11166 11167 405536 11166->11167 11168 403dc8 19 API calls 11167->11168 11169 405543 11168->11169 11170 403dc8 19 API calls 11169->11170 11171 405550 
11170->11171 11172 403dc8 19 API calls 11171->11172 11173 40555d 11172->11173 11174 403dc8 19 API calls 11173->11174 11175 40556a 11174->11175 11176 403dc8 19 API calls 11175->11176 11177 405577 11176->11177 11178 403dc8 19 API calls 11177->11178 11179 405584 11178->11179 11180 405599 SHGetSpecialFolderPathW 11179->11180 11183 4055fa GetCommandLineW 11179->11183 11184 405051 19 API calls 11179->11184 11180->11179 11181 4055ad wsprintfW 11180->11181 11182 405051 19 API calls 11181->11182 11182->11179 11185 40310a 11183->11185 11184->11179 11186 403144 11185->11186 11187 403118 11185->11187 11188 40313c 11186->11188 11189 4015ec ctype 4 API calls 11186->11189 11187->11188 11190 4015ec ctype 4 API calls 11187->11190 11188->10844 11189->11186 11190->11187 11509 411b60 ??2@YAPAXI 11191->11509 11193 411c48 3 API calls 11194 404765 ??3@YAXPAX 11193->11194 11194->10847 11195 4015ec ??2@YAPAXI memcpy ??3@YAXPAX _CxxThrowException ctype 11200 40467b 11195->11200 11196 404758 11196->11193 11200->11195 11200->11196 11201 411c48 3 API calls 11200->11201 11510 411765 11200->11510 11513 411b60 ??2@YAPAXI 11200->11513 11514 40442e 11200->11514 11202 4046d6 ??3@YAXPAX 11201->11202 11520 411ce3 11202->11520 11204 4046eb ??3@YAXPAX ??3@YAXPAX 11204->11200 11533 411b60 ??2@YAPAXI 11205->11533 11207 405065 11534 411b60 ??2@YAPAXI 11207->11534 11209 40506d 11210 411be5 ctype 3 API calls 11209->11210 11211 405076 11210->11211 11212 411be5 ctype 3 API calls 11211->11212 11213 40507f 11212->11213 11535 402963 ??2@YAPAXI 11213->11535 11216 4050be ??3@YAXPAX ??3@YAXPAX 11216->10849 11217 411b84 ctype 2 API calls 11218 4050a0 11217->11218 11219 411ca3 ctype 5 API calls 11218->11219 11220 4050a9 11219->11220 11221 405051 16 API calls 11220->11221 11222 4050b5 ??3@YAXPAX 11221->11222 11222->11216 11546 403fb2 GetProcAddress 11223->11546 11225 403fe2 11225->10852 11229 4057ab 11226->11229 11227 4057f5 11227->10863 11227->10864 11228 4057db lstrlenW lstrlenW 11549 40386e 11228->11549 11229->11227 
11229->11228 11232 411c54 11231->11232 11233 4064cf 11231->11233 11234 411c86 memcpy 11232->11234 11235 411c5d ??2@YAPAXI ??3@YAXPAX 11232->11235 11233->10888 11234->11233 11235->11234 11238 401315 11236->11238 11237 401337 11237->10911 11237->10913 11238->11237 11561 409eee 11238->11561 11240->10917 11242 405ff8 11241->11242 11243 40600d 11242->11243 11650 4025cc ??3@YAXPAX ??3@YAXPAX 11242->11650 11245 405401 11243->11245 11653 411743 ??2@YAPAXI 11245->11653 11247 405416 11654 404e67 11247->11654 11249 40542c 11250 405453 11249->11250 11252 405435 11249->11252 11251 405462 11250->11251 11685 405112 11250->11685 11254 405442 ??3@YAXPAX 11251->11254 11257 40543d 11251->11257 11712 4117fd 11251->11712 11255 40976c 74 API calls 11252->11255 11254->10924 11255->11257 11257->11254 11259 411be5 ctype 3 API calls 11258->11259 11260 4054f3 11259->11260 11261 411ca3 ctype 5 API calls 11260->11261 11262 4054fe 11261->11262 11263 401765 11262->11263 11823 411b60 ??2@YAPAXI 11263->11823 11265 40177b lstrlenW 11268 401790 11265->11268 11266 401a2f 11267 401a89 11266->11267 11269 411b84 ctype 2 API calls 11266->11269 11270 405051 19 API calls 11267->11270 11268->11266 11290 4030d4 lstrlenW lstrlenW _wcsnicmp 11268->11290 11292 401959 _wtol 11268->11292 11294 40310a 4 API calls 11268->11294 11295 411be5 ctype 3 API calls 11268->11295 11298 401a8e ??3@YAXPAX 11268->11298 11824 40170f 11268->11824 11835 40161a 11268->11835 11849 411b60 ??2@YAPAXI 11268->11849 11271 401a4a 11269->11271 11272 401ab0 11270->11272 11850 411a27 11271->11850 11274 411b84 ctype 2 API calls 11272->11274 11276 401ab9 11274->11276 11275 401a5c 11277 411be5 ctype 3 API calls 11275->11277 11278 411a27 2 API calls 11276->11278 11280 401a67 ??3@YAXPAX ??3@YAXPAX 11277->11280 11281 401acd 11278->11281 11282 401a81 11280->11282 11283 411be5 ctype 3 API calls 11281->11283 11854 411e26 11282->11854 11284 401ad8 ??3@YAXPAX ??3@YAXPAX 11283->11284 11286 401af2 11284->11286 11287 411e26 memmove 11286->11287 11288 
401afa 11287->11288 11289 405051 19 API calls 11288->11289 11289->11298 11290->11268 11292->11268 11294->11268 11296 401a1a ??3@YAXPAX 11295->11296 11296->11268 11298->10943 11300 405041 lstrcmpW 11299->11300 11301 405823 11300->11301 11302 40586d 11301->11302 11304 411be5 ctype 3 API calls 11301->11304 11303 405041 lstrcmpW 11302->11303 11305 405889 11303->11305 11306 405836 11304->11306 11308 405041 lstrcmpW 11305->11308 11307 403dc8 19 API calls 11306->11307 11309 40583e 11307->11309 11310 40589e 11308->11310 11311 411ca3 ctype 5 API calls 11309->11311 11313 405041 lstrcmpW 11310->11313 11312 405846 11311->11312 11314 411be5 ctype 3 API calls 11312->11314 11315 4058b3 11313->11315 11316 40585d 11314->11316 11318 405041 lstrcmpW 11315->11318 11317 403dc8 19 API calls 11316->11317 11319 405865 11317->11319 11320 4058c8 11318->11320 11321 411ca3 ctype 5 API calls 11319->11321 11322 4058dc 11320->11322 11323 4058cc lstrcmpiW 11320->11323 11321->11302 11324 405041 lstrcmpW 11322->11324 11323->11322 11325 4058f2 11324->11325 11326 405041 lstrcmpW 11325->11326 11327 405919 11326->11327 11330 405924 11327->11330 11879 4056e9 11327->11879 11329 405041 lstrcmpW 11329->11330 11330->11329 11333 405947 11330->11333 11883 4056a4 11330->11883 11332 405041 lstrcmpW 11332->11333 11333->11332 11334 405969 11333->11334 11887 4056cb 11333->11887 11336 405041 lstrcmpW 11334->11336 11337 405975 11336->11337 11338 405041 lstrcmpW 11337->11338 11339 405986 11338->11339 11340 405041 lstrcmpW 11339->11340 11341 405997 11340->11341 11342 4059a1 _wtol 11341->11342 11343 4059aa 11341->11343 11342->11343 11344 405041 lstrcmpW 11343->11344 11345 4059b6 11344->11345 11346 4059c3 11345->11346 11347 4059ba _wtol 11345->11347 11348 405041 lstrcmpW 11346->11348 11347->11346 11349 4059cf 11348->11349 11350 405041 lstrcmpW 11349->11350 11351 4059e4 11350->11351 11352 405041 lstrcmpW 11351->11352 11353 4059f9 11352->11353 11354 405041 lstrcmpW 11353->11354 11355 405a0e 11354->11355 11356 405041 
lstrcmpW 11355->11356 11357 405a28 11356->11357 11358 405a34 11357->11358 11359 403dc8 19 API calls 11357->11359 11360 405041 lstrcmpW 11358->11360 11359->11358 11361 405a45 11360->11361 11362 405041 11361->11362 11363 404ff9 lstrcmpW 11362->11363 11364 405046 11363->11364 11364->10960 11366 401349 11365->11366 11367 401351 ??2@YAPAXI 11366->11367 11368 40134d 11366->11368 11369 401360 11367->11369 11368->10969 11895 415be2 _EH_prolog 11369->11895 11901 416828 11369->11901 11370 40139d 11370->10969 11374 4014a1 11373->11374 11375 4013bd 11373->11375 11374->10988 11375->11374 11376 401341 152 API calls 11375->11376 11377 4013cf 11376->11377 11377->11374 11378 4013de ??2@YAPAXI 11377->11378 11379 401401 11378->11379 11380 401424 ??3@YAXPAX 11378->11380 11382 40141d 11379->11382 12359 407376 11379->12359 11380->11374 11382->11380 11383 40142f ??2@YAPAXI 11382->11383 11384 401442 11383->11384 11385 40143b 11383->11385 11387 401452 GetTickCount 11384->11387 11388 40144c 11384->11388 12364 401280 ??2@YAPAXI 11385->12364 11389 40146f 11387->11389 11388->11387 11390 40148e ??3@YAXPAX 11389->11390 11391 40147b ??3@YAXPAX 11389->11391 11390->11374 11392 40148a 11390->11392 11391->11392 11392->11374 11394 405ea7 11393->11394 11395 405ee8 11393->11395 11396 411bba 2 API calls 11394->11396 11397 40562e 37 API calls 11394->11397 11395->10929 11395->11048 11396->11394 11398 405ec3 SetEnvironmentVariableW ??3@YAXPAX 11397->11398 11398->11394 11398->11395 12396 40455d 11399->12396 11403 405613 12432 403782 11403->12432 11405 40561f 12455 40383c 11405->12455 11407 405626 11409 4076d3 3 API calls 11408->11409 11410 405dc1 11409->11410 11411 403dc8 19 API calls 11410->11411 11412 405dd0 11411->11412 11413 411b84 ctype 2 API calls 11412->11413 11417 405dd9 11413->11417 11414 405e1e 11415 411ca3 ctype 5 API calls 11414->11415 11416 405e2c wsprintfW 11415->11416 11418 411ca3 ctype 5 API calls 11416->11418 11417->11414 11419 411ca3 ctype 5 API calls 11417->11419 11423 405e11 11417->11423 
                                          C-Code - Quality: 82%
                                          			E00406128(void* __edx) {
                                          				void* __edi;
                                          				void* __esi;
                                          				signed int _t218;
                                          				short* _t237;
                                          				void* _t238;
                                          				signed int _t239;
                                          				signed int _t240;
                                          				WCHAR* _t242;
                                          				signed int _t243;
                                          				signed int _t248;
                                          				signed int _t251;
                                          				signed int _t255;
                                          				signed int _t256;
                                          				signed int _t262;
                                          				signed int _t272;
                                          				signed int _t274;
                                          				signed int _t276;
                                          				signed int _t278;
                                          				signed int _t281;
                                          				signed short _t283;
                                          				intOrPtr _t287;
                                          				signed short* _t289;
                                          				signed int _t292;
                                          				signed int _t293;
                                          				void* _t294;
                                          				short* _t299;
                                          				long _t315;
                                          				signed int _t322;
                                          				signed short* _t328;
                                          				signed int _t336;
                                          				signed int _t338;
                                          				signed int _t339;
                                          				signed int _t340;
                                          				signed int _t346;
                                          				signed int _t348;
                                          				signed int _t350;
                                          				signed int _t358;
                                          				signed int _t360;
                                          				signed int _t367;
                                          				signed int _t383;
                                          				short _t400;
                                          				signed short* _t401;
                                          				signed int _t402;
                                          				intOrPtr _t406;
                                          				intOrPtr _t409;
                                          				signed int _t412;
                                          				intOrPtr _t416;
                                          				signed int _t419;
                                          				signed int _t420;
                                          				signed int _t421;
                                          				signed int _t425;
                                          				signed int _t429;
                                          				signed int _t430;
                                          				signed short _t431;
                                          				signed int _t434;
                                          				signed int _t436;
                                          				signed int _t437;
                                          				signed int _t438;
                                          				signed int _t439;
                                          				signed short _t445;
                                          				void* _t446;
                                          				void* _t452;
                                          				signed int _t455;
                                          				signed int _t456;
                                          				intOrPtr _t484;
                                          				intOrPtr _t492;
                                          				signed int _t509;
                                          				signed int _t510;
                                          				intOrPtr _t546;
                                          				intOrPtr _t558;
                                          				void* _t573;
                                          				signed int _t592;
                                          				signed int _t594;
                                          				signed char _t596;
                                          				signed int _t598;
                                          				signed int _t603;
                                          				WCHAR* _t605;
                                          				void* _t610;
                                          				intOrPtr _t612;
                                          				signed int _t614;
                                          				signed int _t616;
                                          				void* _t641;
                                          				signed int _t647;
                                          				intOrPtr _t650;
                                          				intOrPtr _t658;
                                          				intOrPtr _t660;
                                          				intOrPtr _t665;
                                          				intOrPtr _t666;
                                          				void* _t676;
                                          				signed int _t679;
                                          				void* _t682;
                                          				signed int _t684;
                                          				signed int _t685;
                                          				intOrPtr _t689;
                                          				signed short* _t690;
                                          				signed int _t696;
                                          				signed int _t697;
                                          				void* _t698;
                                          				signed int _t701;
                                          				signed int _t703;
                                          				signed int _t704;
                                          				WCHAR* _t705;
                                          				unsigned int _t712;
                                          				signed int _t714;
                                          				void* _t720;
                                          				void* _t722;
                                          				void* _t723;
                                          				void* _t725;
                                          				void* _t728;
                                          
                                          				_t626 = __edx;
                                          				_t720 = _t722 - 0x68;
                                          				_t723 = _t722 - 0x2d4;
                                          				__imp__?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z(E00405B77, _t682, _t698, _t446);
                                          				E0040391C(__edx); // executed
                                          				 *(_t720 - 0x26c) = 0x114;
                                          				if(GetVersionExW(_t720 - 0x26c) == 0 ||  *((intOrPtr*)(_t720 - 0x25c)) != 2) {
                                          					L215:
                                          					MessageBoxA(0, "Sorry, this program requires Microsoft Windows 2000 or later.", "7-Zip SFX", 0x10);
                                          					_t218 = 0x14;
                                          					goto L216;
                                          				} else {
                                          					_t731 =  *((intOrPtr*)(_t720 - 0x268)) - 5;
                                          					if( *((intOrPtr*)(_t720 - 0x268)) < 5) {
                                          						goto L215;
                                          					}
                                          					";!@InstallEnd@!" = 0x3b;
                                          					";!@Install@!UTF-8!" = 0x3b;
                                          					E00411B60(E00411B60(E00411B60(_t216, _t720 + 0x24), _t720 - 0x48), _t720 - 8); // executed
                                          					E00405502(_t626); // executed
                                          					E00411BE5(_t720 - 8, E0040310A(GetCommandLineW(), _t720 + 0x24));
                                          					E00404666(_t720 - 8, _t682, _t731);
                                          					_t684 =  *(_t720 - 8);
                                          					E00405051(L"SfxVarModulePlatform", L"x86", _t731, 1);
                                          					E00405051(L"SfxVarSystemPlatform", E00403FDD(_t731), _t731, 1);
                                          					E00405051(L"SfxVarCmdLine0", GetCommandLineW(), _t731, 1);
                                          					wsprintfW(E004042F3(_t720 + 0x24, _t230, 0x20), L"%d",  *0x41e730 & 0x0000ffff);
                                          					_t725 = _t723 + 0xc;
                                          					E004042D8(_t720 + 0x24);
                                          					E00405051(L"SfxVarSystemLanguage",  *((intOrPtr*)(_t720 + 0x24)), _t731, 1);
                                          					_t237 = E004057A2(_t684, L"sfxlang");
                                          					if(_t237 == 0 ||  *_t237 != 0x3a) {
                                          						L8:
                                          						_t238 = E004057A2(_t684, L"sfxversion");
                                          						_t736 = _t238;
                                          						if(_t238 == 0) {
                                          							_t239 = E004057A2(_t684, L"sfxwaitall");
                                          							__eflags = _t239;
                                          							if(_t239 == 0) {
                                          								_t635 = L"sfxelevation";
                                          								 *((char*)(_t720 + 0x67)) = 0;
                                          								_t240 = E004057A2(_t684, L"sfxelevation");
                                          								__eflags = _t240;
                                          								if(_t240 != 0) {
                                          									 *((char*)(_t720 + 0x67)) = 1;
                                          									_t684 = _t240;
                                          								}
                                          								_t242 = E004042F3(0x41e844, _t635, 0x208); // executed
                                          								_t243 = GetModuleFileNameW(0, _t242, 0x208);
                                          								__eflags = _t243;
                                          								if(_t243 != 0) {
                                          									E004042D8(0x41e844);
                                          									_t636 = L"sfxtest";
                                          									_t701 = E004057A2(_t684, L"sfxtest");
                                          									__eflags = _t701;
                                          									if(_t701 == 0) {
                                          										L66:
                                          										E00411C48(0x41e794, 0x41e844);
                                          										E00411C48(0x41e7ac, 0x41e844);
                                          										_t248 = E004038FB(0x41e844, __eflags);
                                          										__eflags = _t248;
                                          										if(__eflags >= 0) {
                                          											_t605 =  *0x41e794; // 0x56ea60
                                          											 *0x41e798 = _t248;
                                          											 *((short*)(_t248 + _t248 + _t605)) = 0;
                                          											_t406 =  *0x41e844; // 0x2561c80
                                          											_t38 = _t406 + 2; // 0x41e846
                                          											E00411BE5(0x41e7ac, _t248 + _t248 + _t38);
                                          											_t409 =  *0x41e844; // 0x2561c80
                                          											_t40 = _t409 + 2; // 0x41e846
                                          											E00411BE5(0x41e890, _t248 + _t248 + _t40);
                                          											_t412 = E00411DFA(0x41e890, 0x2e);
                                          											__eflags = _t412;
                                          											if(_t412 > 0) {
                                          												_t636 =  *0x41e890; // 0x2560a38
                                          												__eflags = 0;
                                          												 *0x41e894 = _t412;
                                          												 *((short*)(_t636 + _t412 * 2)) = 0;
                                          											}
                                          											E00411C48(0x41e85c, 0x41e890);
                                          											_t610 = 4;
                                          											E00411CA3(0x41e85c, E00403DC8(_t610));
                                          											_t416 =  *0x41e890; // 0x2560a38
                                          											_t612 =  *0x41e85c; // 0x56edd8
                                          											 *0x41e738 = _t416;
                                          											 *0x41e760 = _t612;
                                          											 *0x41e764 = _t416;
                                          										}
                                          										E00411BE5(0x41e850, E00403FDD(__eflags));
                                          										_t452 = 0x41e7b8;
                                          										_t251 = E0040130D(0x41e7b8, __eflags,  *0x41e844);
                                          										__eflags = _t251;
                                          										if(_t251 != 0) {
                                          											E00405FEF(E00411743(_t251, _t720 + 0x58), 0x41e7a0);
                                          											_t484 =  *0x41e7bc; // 0x5625d8
                                          											_t637 = 0; // executed
                                          											_t255 = E00405401(_t484, 0, __eflags, _t720 + 0x58); // executed
                                          											_t703 = _t255;
                                          											__eflags = _t703;
                                          											if(_t703 == 0) {
                                          												__eflags =  *0x41e8d8;
                                          												if( *0x41e8d8 != 0) {
                                          													L84:
                                          													__eflags =  *0x41e8d8 - 4;
                                          													if( *0x41e8d8 == 4) {
                                          														L119:
                                          														_push( *((intOrPtr*)(_t720 + 0x58)));
                                          														L004191B0();
                                          														goto L10;
                                          													}
                                          													_t256 =  *0x41e148; // 0x1
                                          													_t704 = 0x41e148;
                                          													while(1) {
                                          														__eflags = _t256;
                                          														if(__eflags == 0) {
                                          															break;
                                          														}
                                          														wsprintfW(_t720 - 0xa0, L"SfxString%d", _t256);
                                          														_t725 = _t725 + 0xc;
                                          														_t637 = E00403DC8( *_t704);
                                          														E00405051(_t720 - 0xa0, _t259, __eflags, 0); // executed
                                          														_t704 = _t704 + 0x10;
                                          														__eflags = _t704;
                                          														_t256 =  *_t704;
                                          													}
                                          													_t488 = _t452;
                                          													E004054E3(_t452, _t637, _t684);
                                          													_t262 = E00401765(__eflags);
                                          													 *(_t720 + 0x10) = _t262;
                                          													__eflags = _t262;
                                          													if(_t262 != 0) {
                                          														E00405811(_t488);
                                          														_t705 = E00405041();
                                          														__eflags = _t705;
                                          														if(__eflags == 0) {
                                          															L101:
                                          															E00405FEF(E00401341(_t452, __eflags), 0x41e7a0);
                                          															_t492 =  *0x41e7bc; // 0x5625d8
                                          															E00405401(_t492, 0, __eflags, 0); // executed
                                          															E00405811(_t492);
                                          															E004013A6();
                                          															E00401765(__eflags);
                                          															E00405811(_t452);
                                          															__eflags =  *((char*)(_t720 + 0x67));
                                          															if( *((char*)(_t720 + 0x67)) != 0) {
                                          																L107:
                                          																 *(_t720 + 0x3c) = 0;
                                          																_t272 = E00405041();
                                          																while(1) {
                                          																	_t685 = _t272;
                                          																	__eflags = _t685;
                                          																	if(_t685 == 0) {
                                          																		break;
                                          																	}
                                          																	E00411B84(_t720 + 0x40, _t685);
                                          																	_t641 = 0x3d;
                                          																	_t274 = E0041158D( *((intOrPtr*)(_t720 + 0x40)), _t641);
                                          																	__eflags = _t274;
                                          																	if(__eflags <= 0) {
                                          																		_push( *((intOrPtr*)(_t720 + 0x40)));
                                          																		L004191B0();
                                          																		L113:
                                          																		E00405E96(); // executed
                                          																		__eflags =  *0x41e44c - 0xffffffff;
                                          																		if( *0x41e44c == 0xffffffff) {
                                          																			 *0x41e44c = 0;
                                          																		}
                                          																		__eflags =  *0x41e7cb; // 0x0
                                          																		if(__eflags == 0) {
                                          																			__eflags =  *0x41e7c9; // 0x0
                                          																			if(__eflags != 0) {
                                          																				 *0x41e44c =  *0x41e44c & 0xfffffeff;
                                          																				__eflags =  *0x41e44c;
                                          																			}
                                          																			__imp__CoInitialize(0);
                                          																			_t276 = E00405041();
                                          																			__eflags = _t276;
                                          																			if(_t276 != 0) {
                                          																				E00411BE5(0x41e89c, _t276);
                                          																				 *0x41e740 = 1;
                                          																			}
                                          																			E004055FF(0x41e89c);
                                          																			_t278 = E00405041();
                                          																			__eflags = _t278;
                                          																			if(_t278 != 0) {
                                          																				__imp___wtol(_t278);
                                          																				 *0x41e780 = _t278;
                                          																			}
                                          																			__eflags =  *0x41e8e0; // 0x0
                                          																			if(__eflags == 0) {
                                          																				__eflags =  *0x41e8d8 - 3;
                                          																				if(__eflags != 0) {
                                          																					_t709 = 0x41aa3c;
                                          																					E00405051(L"SfxVarApiPath", 0x41aa3c, __eflags, 0);
                                          																					E00405E96();
                                          																					_t281 = E00405041();
                                          																					__eflags = _t281;
                                          																					if(_t281 != 0) {
                                          																						__eflags =  *0x41e7ca;
                                          																						if( *0x41e7ca == 0) {
                                          																							E00407474(0x41e868, 0);
                                          																							_t665 =  *0x41e86c; // 0x5624f0
                                          																							E00405051(L"SfxVarApiPath", _t665, __eflags, 0);
                                          																							E00405E96();
                                          																							E00411B84(_t720 + 0x30, 0x41aa3c);
                                          																							E00407474(0x41e868, _t665);
                                          																							_t666 =  *0x41e86c; // 0x5624f0
                                          																							E0040235E(L"ExecuteOnLoad", _t666, 0x41aa3c, _t720 + 0x30, 0x41aa3c);
                                          																							_push( *((intOrPtr*)(_t720 + 0x30)));
                                          																							L004191B0();
                                          																						}
                                          																					}
                                          																					E00408410(0x41e7f0);
                                          																					while(1) {
                                          																						_t283 = E00405041();
                                          																						__eflags = _t283;
                                          																						if(_t283 == 0) {
                                          																							goto L142;
                                          																						}
                                          																						__eflags =  *0x41e7c9;
                                          																						if( *0x41e7c9 != 0) {
                                          																							goto L142;
                                          																						}
                                          																						_t558 =  *0x41e738; // 0x2560a38
                                          																						_t350 = E00408C28(_t558, _t283);
                                          																						__eflags = _t350;
                                          																						if(_t350 == 0) {
                                          																							_push( *((intOrPtr*)(_t720 + 0x58)));
                                          																							L004191B0();
                                          																							L165:
                                          																							_push(5);
                                          																							goto L22;
                                          																						}
                                          																						_t283 = GetKeyState(0x10);
                                          																						__eflags = 0x00008000 & _t283;
                                          																						if((0x00008000 & _t283) != 0) {
                                          																							 *0x41e7c8 = 0x101;
                                          																						}
                                          																						__eflags =  *0x41e8c0;
                                          																						if( *0x41e8c0 != 0) {
                                          																							 *0x41e44c =  *0x41e44c & 0xffffff7f;
                                          																							__eflags =  *0x41e44c;
                                          																						}
                                          																						L142:
                                          																						E00411B60(_t283, _t720 + 0x4c);
                                          																						__eflags =  *0x41e7c8;
                                          																						if( *0x41e7c8 == 0) {
                                          																							L152:
                                          																							__eflags =  *(_t720 + 0x50);
                                          																							 *((char*)(_t720 + 0x14)) = 0;
                                          																							if( *(_t720 + 0x50) == 0) {
                                          																								_t339 = E00405041();
                                          																								__eflags = _t339;
                                          																								if(_t339 != 0) {
                                          																									E00411BE5(_t720 + 0x4c, L"ExecuteFile");
                                          																									 *((char*)(_t720 + 0x14)) = 1;
                                          																								}
                                          																								__eflags =  *(_t720 + 0x50);
                                          																								if( *(_t720 + 0x50) == 0) {
                                          																									_t340 = E00405041();
                                          																									__eflags = _t340;
                                          																									if(_t340 != 0) {
                                          																										E00411BE5(_t720 + 0x4c, L"RunProgram");
                                          																									}
                                          																								}
                                          																							}
                                          																							__eflags =  *0x41e7c8;
                                          																							if( *0x41e7c8 != 0) {
                                          																								L168:
                                          																								__eflags =  *0x41e8a0;
                                          																								if(__eflags != 0) {
                                          																									E00411BBA(_t720 + 0x18, 0x41e89c);
                                          																									E004055FF(_t720 + 0x18);
                                          																									__eflags =  *(_t720 + 0x1c);
                                          																									if( *(_t720 + 0x1c) != 0) {
                                          																										E00411C48(0x41e89c, _t720 + 0x18);
                                          																									}
                                          																									_push( *((intOrPtr*)(_t720 + 0x18)));
                                          																									 *0x41e740 = 1;
                                          																									L004191B0();
                                          																								} else {
                                          																									E00411C48(0x41e89c, E0040439D(L"7ZipSfx.%03x", __eflags));
                                          																									_push( *((intOrPtr*)(_t720 - 0x14)));
                                          																									L004191B0();
                                          																									 *0x41e740 = 0;
                                          																								}
                                          																								_t287 =  *0x41e89c; // 0x56dc08
                                          																								_t509 =  *0x41e8a0; // 0x16
                                          																								_t647 =  *(_t287 + _t509 * 2 - 2) & 0x0000ffff;
                                          																								__eflags = _t647 - 0x5c;
                                          																								if(_t647 == 0x5c) {
                                          																									L175:
                                          																									_t510 = _t509 - 1;
                                          																									__eflags = 0;
                                          																									 *0x41e8a0 = _t510;
                                          																									 *((short*)(_t287 + _t510 * 2)) = 0;
                                          																									goto L176;
                                          																								} else {
                                          																									__eflags = _t647 - 0x2f;
                                          																									if(_t647 != 0x2f) {
                                          																										L176:
                                          																										__eflags =  *0x41e7c9;
                                          																										if( *0x41e7c9 != 0) {
                                          																											 *0x41e774 =  *0x41e774 | 0x00000003;
                                          																											__eflags =  *0x41e774;
                                          																										}
                                          																										E00411B84(_t720 - 0x20, L"PreExtract");
                                          																										_t289 =  *0x41e7c4; // 0x41a648
                                          																										E004015EC(_t720 - 0x20,  *_t289 & 0x0000ffff);
                                          																										_t649 = 0;
                                          																										_t292 = E00405041();
                                          																										__eflags = _t292;
                                          																										if(_t292 != 0) {
                                          																											__eflags =  *0x41e7ca;
                                          																											if( *0x41e7ca == 0) {
                                          																												E00407474(0x41e868, 0);
                                          																												_t658 =  *0x41e86c; // 0x5624f0
                                          																												E00405051(L"SfxVarApiPath", _t658, __eflags, 0);
                                          																												E00405E96();
                                          																												E00411B84(_t720 + 0x30, _t709);
                                          																												_t328 =  *0x41e7c4; // 0x41a648
                                          																												 *(_t720 - 0x24) = _t328;
                                          																												E00407474(0x41e868, _t658);
                                          																												_t649 =  *0x41e86c; // 0x5624f0
                                          																												E0040235E(L"PreExtract", _t649,  *(_t720 - 0x24), _t720 + 0x30, _t709);
                                          																												_push( *((intOrPtr*)(_t720 + 0x30)));
                                          																												L004191B0();
                                          																											}
                                          																										}
                                          																										__eflags =  *0x41e8d4;
                                          																										if(__eflags != 0) {
                                          																											_t293 = E00408D16(_t649);
                                          																											__eflags = _t293;
                                          																											if(_t293 != 0) {
                                          																												goto L187;
                                          																											}
                                          																											_t322 = 0x80004005;
                                          																											goto L185;
                                          																										} else {
                                          																											_t322 = E00402D99(0x41e89c, _t649, __eflags); // executed
                                          																											L185:
                                          																											__eflags = _t322;
                                          																											if(_t322 == 0) {
                                          																												L187:
                                          																												_t294 = E00405E96();
                                          																												__eflags =  *0x41e7ca;
                                          																												if( *0x41e7ca == 0) {
                                          																													L189:
                                          																													E00411B60(E00411B60(_t294, _t720 + 0x40), _t720 + 4);
                                          																													__eflags =  *0x41e7c8;
                                          																													if( *0x41e7c8 == 0) {
                                          																														E00401BE9(_t720 + 0x40);
                                          																													}
                                          																													_t455 = 0;
                                          																													__eflags =  *(_t720 + 0x50);
                                          																													if( *(_t720 + 0x50) != 0) {
                                          																														_t650 =  *0x41e89c; // 0x56dc08
                                          																														E0040235E( *((intOrPtr*)(_t720 + 0x4c)), _t650,  *0x41e7c4, _t720 + 0x40,  *(_t720 + 0x10));
                                          																														goto L197;
                                          																													} else {
                                          																														__eflags =  *0x41e740 - _t455; // 0x1
                                          																														if(__eflags != 0) {
                                          																															L197:
                                          																															__eflags =  *0x41e8d8 - _t455; // 0x0
                                          																															if(__eflags == 0) {
                                          																																E00405E96();
                                          																																E00405A8B(E00405EEB, L"Shortcut", __eflags,  *0x41e7c4, 0xffffffff);
                                          																																SetCurrentDirectoryW( *0x41e794);
                                          																																E00405A8B(E00405A61, L"Delete", __eflags,  *0x41e7c4, 0xffffffff);
                                          																																E00405B62();
                                          																															}
                                          																															_push( *(_t720 + 4));
                                          																															L004191B0();
                                          																															_push( *((intOrPtr*)(_t720 + 0x40)));
                                          																															L004191B0();
                                          																															L201:
                                          																															__eflags =  *0x41e458 - 0xffffffff;
                                          																															if( *0x41e458 != 0xffffffff) {
                                          																																L204:
                                          																																__eflags =  *0x41e458 - _t455; // 0x1
                                          																																if(__eflags > 0) {
                                          																																	_t709 = E00405041();
                                          																																	__eflags = _t709 - _t455;
                                          																																	if(_t709 != _t455) {
                                          																																		__eflags =  *0x41e458 - 0x3e7; // 0x1
                                          																																		if(__eflags > 0) {
                                          																																			 *0x41e458 = 0x3e7;
                                          																																		}
                                          																																		E004076D3(_t720 - 0x98, 0, __eflags);
                                          																																		 *((intOrPtr*)(_t720 - 0x98)) = "G]@";
                                          																																		 *((intOrPtr*)(_t720 - 0x60)) = 0x7d5;
                                          																																		E00407734(E00407A45(_t720 - 0x98, 0x11,  *0x41e738, _t709, _t455), _t720 - 0x98);
                                          																																	}
                                          																																}
                                          																																L209:
                                          																																__eflags =  *0x41e7ca;
                                          																																if( *0x41e7ca == 0) {
                                          																																	__eflags =  *0x41e8d8 - _t455; // 0x0
                                          																																	if(__eflags == 0) {
                                          																																		_t299 = E00405041();
                                          																																		__eflags = _t299 - _t455;
                                          																																		if(_t299 != _t455) {
                                          																																			__eflags =  *_t299 - 0x31;
                                          																																			if( *_t299 == 0x31) {
                                          																																				E00411BBA(_t725, 0x41e844);
                                          																																				E00405B8E(_t709);
                                          																																			}
                                          																																		}
                                          																																	}
                                          																																}
                                          																																_push( *((intOrPtr*)(_t720 - 0x20)));
                                          																																L004191B0();
                                          																																_push( *((intOrPtr*)(_t720 + 0x4c)));
                                          																																L004191B0();
                                          																																_push( *((intOrPtr*)(_t720 + 0x58)));
                                          																																L004191B0();
                                          																																_push( *(_t720 - 8));
                                          																																L004191B0();
                                          																																_push( *((intOrPtr*)(_t720 - 0x48)));
                                          																																L004191B0();
                                          																																_push( *((intOrPtr*)(_t720 + 0x24)));
                                          																																L004191B0();
                                          																																_t218 = 0;
                                          																																goto L216;
                                          																															}
                                          																															__eflags =  *0x41e7c9;
                                          																															if( *0x41e7c9 != 0) {
                                          																																goto L209;
                                          																															}
                                          																															 *0x41e458 = 1;
                                          																															goto L204;
                                          																														}
                                          																														_t709 = L"setup.exe";
                                          																														_t656 = E00411B08(_t720 - 0x3c, 0x41e89c, "\\");
                                          																														E00411BE5(_t720 + 4,  *((intOrPtr*)(E00411B08(_t720 - 0x14, _t312, L"setup.exe"))));
                                          																														_push( *((intOrPtr*)(_t720 - 0x14)));
                                          																														L004191B0();
                                          																														_push( *((intOrPtr*)(_t720 - 0x3c)));
                                          																														L004191B0();
                                          																														_t315 = GetFileAttributesW( *(_t720 + 4));
                                          																														__eflags = _t315 - 0xffffffff;
                                          																														if(_t315 != 0xffffffff) {
                                          																															_t689 =  *0x41e89c; // 0x56dc08
                                          																															E00411B84(_t720 + 0x30, L"setup.exe");
                                          																															E0040206F(_t720 + 0x30, _t689,  *((intOrPtr*)(_t720 + 0x14)), _t720 + 0x40,  *(_t720 + 0x10));
                                          																															_push( *((intOrPtr*)(_t720 + 0x30)));
                                          																															L004191B0();
                                          																															goto L197;
                                          																														}
                                          																														E00405B62();
                                          																														_push(0xf);
                                          																														_push(0);
                                          																														E0040976C(_t656);
                                          																														_push( *(_t720 + 4));
                                          																														L004191B0();
                                          																														_push( *((intOrPtr*)(_t720 + 0x40)));
                                          																														L004191B0();
                                          																														_push( *((intOrPtr*)(_t720 - 0x20)));
                                          																														L004191B0();
                                          																														_push( *((intOrPtr*)(_t720 + 0x4c)));
                                          																														L004191B0();
                                          																														_push( *((intOrPtr*)(_t720 + 0x58)));
                                          																														L004191B0();
                                          																														_t725 = _t725 + 0x1c;
                                          																														L35:
                                          																														_push(7);
                                          																														goto L22;
                                          																													}
                                          																												}
                                          																												__eflags =  *0x41e740;
                                          																												if( *0x41e740 != 0) {
                                          																													_t455 = 0;
                                          																													__eflags = 0;
                                          																													goto L201;
                                          																												}
                                          																												goto L189;
                                          																											}
                                          																											E00405B62();
                                          																											_push( *((intOrPtr*)(_t720 - 0x20)));
                                          																											L004191B0();
                                          																											_push( *((intOrPtr*)(_t720 + 0x4c)));
                                          																											L004191B0();
                                          																											_push( *((intOrPtr*)(_t720 + 0x58)));
                                          																											L004191B0();
                                          																											_t725 = _t725 + 0xc;
                                          																											_push(8);
                                          																											goto L22;
                                          																										}
                                          																									}
                                          																									goto L175;
                                          																								}
                                          																							} else {
                                          																								__eflags =  *0x41e7c9;
                                          																								if( *0x41e7c9 != 0) {
                                          																									goto L168;
                                          																								}
                                          																								_t336 =  *0x41e44c; // 0x0
                                          																								__eflags = (_t336 & 0x000000c0) - 0x80;
                                          																								if((_t336 & 0x000000c0) != 0x80) {
                                          																									goto L168;
                                          																								}
                                          																								_t660 =  *0x41e748; // 0x56bb10
                                          																								_t546 =  *0x41e754; // 0x56bae0
                                          																								_t338 = E00408CC3(_t546, _t660);
                                          																								__eflags = _t338;
                                          																								if(_t338 != 0) {
                                          																									goto L168;
                                          																								}
                                          																								_push( *((intOrPtr*)(_t720 + 0x4c)));
                                          																								__eflags =  *0x41e784 - _t338; // 0x0
                                          																								if(__eflags == 0) {
                                          																									L004191B0();
                                          																									_push( *((intOrPtr*)(_t720 + 0x58)));
                                          																									L004191B0();
                                          																									goto L165;
                                          																								}
                                          																								L004191B0();
                                          																								continue;
                                          																							}
                                          																						}
                                          																						_t690 =  *0x41e7c4; // 0x41a648
                                          																						while(1) {
                                          																							E00411BE5(_t720 + 0x4c, L"AutoInstall");
                                          																							E004015EC(_t720 + 0x4c,  *_t690 & 0x0000ffff);
                                          																							_t346 = E00405041();
                                          																							__eflags = _t346;
                                          																							if(_t346 == 0) {
                                          																								break;
                                          																							}
                                          																							_t690 =  &(_t690[1]);
                                          																							_t348 =  *_t690 & 0x0000ffff;
                                          																							__eflags = _t348 - 0x30;
                                          																							if(_t348 < 0x30) {
                                          																								L147:
                                          																								__eflags = _t348 - 0x61;
                                          																								if(_t348 < 0x61) {
                                          																									L149:
                                          																									__eflags = _t348 - 0x41;
                                          																									if(_t348 < 0x41) {
                                          																										L151:
                                          																										E00411BE5(_t720 + 0x4c, L"AutoInstall");
                                          																										goto L152;
                                          																									}
                                          																									__eflags = _t348 - 0x5a;
                                          																									if(_t348 <= 0x5a) {
                                          																										continue;
                                          																									}
                                          																									goto L151;
                                          																								}
                                          																								__eflags = _t348 - 0x7a;
                                          																								if(_t348 <= 0x7a) {
                                          																									continue;
                                          																								}
                                          																								goto L149;
                                          																							}
                                          																							__eflags = _t348 - 0x39;
                                          																							if(_t348 <= 0x39) {
                                          																								continue;
                                          																							}
                                          																							goto L147;
                                          																						}
                                          																						E0040976C(0, 0, 0xe,  *((intOrPtr*)(_t720 + 0x4c)));
                                          																						_push( *((intOrPtr*)(_t720 + 0x4c)));
                                          																						L004191B0();
                                          																						_push( *((intOrPtr*)(_t720 + 0x58)));
                                          																						L004191B0();
                                          																						_t725 = _t725 + 0x14;
                                          																						_push(6);
                                          																						goto L22;
                                          																					}
                                          																				}
                                          																				_t358 = E00409F6B();
                                          																				goto L128;
                                          																			} else {
                                          																				_t358 = E0040A049();
                                          																				L128:
                                          																				_t703 = _t358;
                                          																				goto L73;
                                          																			}
                                          																		} else {
                                          																			_t360 = E00405041();
                                          																			_t710 = _t360;
                                          																			__eflags = _t360;
                                          																			if(__eflags == 0) {
                                          																				_t573 = 0x18;
                                          																				_t710 = E00403DC8(_t573);
                                          																			}
                                          																			E004076D3(_t720 - 0x9c, 0, __eflags);
                                          																			 *((intOrPtr*)(_t720 - 0x9c)) = "G]@";
                                          																			 *((intOrPtr*)(_t720 - 0x64)) = 0x7d6;
                                          																			E00407734(E00407A45(_t720 - 0x9c, 0x11,  *0x41e738, _t710, 0), _t720 - 0x9c);
                                          																			goto L119;
                                          																		}
                                          																	}
                                          																	 *(_t720 + 0x44) = _t274;
                                          																	 *((short*)( *((intOrPtr*)(_t720 + 0x40)) + _t274 + _t274)) = 0;
                                          																	_t120 = _t685 + 2; // 0x2
                                          																	E00405051( *((intOrPtr*)(_t720 + 0x40)), _t274 + _t274 + _t120, __eflags, 0);
                                          																	_push( *((intOrPtr*)(_t720 + 0x40)));
                                          																	_t122 = _t720 + 0x3c;
                                          																	 *_t122 =  *(_t720 + 0x3c) + 1;
                                          																	__eflags =  *_t122;
                                          																	L004191B0();
                                          																	_t272 = E00405041();
                                          																}
                                          																goto L113;
                                          															}
                                          															__eflags =  *0x41e774 & 0x00000004;
                                          															if(( *0x41e774 & 0x00000004) == 0) {
                                          																goto L107;
                                          															}
                                          															_t367 = E00403FF2();
                                          															__eflags = _t367;
                                          															if(_t367 != 0) {
                                          																goto L107;
                                          															}
                                          															E00411B60(E00411B60(_t367, _t720 + 0x18), _t720 - 0x30);
                                          															E00411B84(_t720 + 0x30, E0040310A(GetCommandLineW(), _t720 + 0x18));
                                          															E00411A62(_t720 + 4, __eflags, E00411B08(_t720 - 0xac, E00411B08(_t720 - 0x3c, E00411B32(_t720 - 0x14, "\"", _t720 + 0x18), L"\" -"), L"sfxelevation"), 0x20);
                                          															E00411BE5(_t720 - 0x30,  *((intOrPtr*)(E00411AEC(_t720 + 0x40, _t720 + 4, _t720 + 0x30))));
                                          															_push( *((intOrPtr*)(_t720 + 0x40)));
                                          															L004191B0();
                                          															_push( *(_t720 + 4));
                                          															L004191B0();
                                          															_push( *((intOrPtr*)(_t720 - 0xac)));
                                          															L004191B0();
                                          															_push( *((intOrPtr*)(_t720 - 0x3c)));
                                          															L004191B0();
                                          															_push( *((intOrPtr*)(_t720 - 0x14)));
                                          															L004191B0();
                                          															_t728 = _t725 + 0x14;
                                          															SetProcessWorkingSetSize(GetCurrentProcess(), 0xffffffff, 0xffffffff);
                                          															_push(0);
                                          															_t676 = 2;
                                          															_t383 = E00401CC0( *((intOrPtr*)(_t720 - 0x30)), _t676, __eflags);
                                          															_push( *((intOrPtr*)(_t720 + 0x30)));
                                          															__eflags = _t383;
                                          															if(_t383 != 0) {
                                          																L004191B0();
                                          																_push( *((intOrPtr*)(_t720 - 0x30)));
                                          																L004191B0();
                                          																_push( *((intOrPtr*)(_t720 + 0x18)));
                                          																L004191B0();
                                          																_push( *((intOrPtr*)(_t720 + 0x58)));
                                          																L004191B0();
                                          																_t725 = _t728 + 0x10;
                                          																goto L10;
                                          															}
                                          															L004191B0();
                                          															_push( *((intOrPtr*)(_t720 - 0x30)));
                                          															L004191B0();
                                          															_push( *((intOrPtr*)(_t720 + 0x18)));
                                          															L004191B0();
                                          															_push( *((intOrPtr*)(_t720 + 0x58)));
                                          															L004191B0();
                                          															_t725 = _t728 + 0x10;
                                          															_push(0xb);
                                          															goto L22;
                                          														}
                                          														E0040B1F0(_t720 - 0x158);
                                          														E0040B440(_t720 - 0x158, _t705, lstrlenW(_t705) + _t385);
                                          														E0040B6F0(_t720 - 0x158, _t720 - 0xcc);
                                          														_t592 = 8;
                                          														memcpy(_t720 - 0xf0, "123456789ABCDEFGHJKMNPQRSTUVWXYZ", _t592 << 2);
                                          														_t725 = _t725 + 0xc;
                                          														asm("movsb");
                                          														_t594 = 0;
                                          														__eflags = 0;
                                          														do {
                                          															_t679 =  *(_t720 + _t594 * 4 - 0xbc);
                                          															 *(_t720 + _t594 * 4 - 0xcc) =  *(_t720 + _t594 * 4 - 0xcc) ^ _t679;
                                          															_t594 = _t594 + 1;
                                          															__eflags = _t594 - 4;
                                          														} while (_t594 < 4);
                                          														_t456 = 0;
                                          														_t696 = 0;
                                          														__eflags = 0;
                                          														do {
                                          															asm("cdq");
                                          															_t679 = _t679 & 0x00000007;
                                          															_t712 =  *(_t720 + (_t696 + _t679 >> 3) - 0xcc) & 0x000000ff;
                                          															_t596 = _t696 & 0x80000007;
                                          															__eflags = _t596;
                                          															if(_t596 < 0) {
                                          																_t596 = (_t596 - 0x00000001 | 0xfffffff8) + 1;
                                          																__eflags = _t596;
                                          															}
                                          															_t714 = _t712 >> _t596 & 0x0000001f;
                                          															__eflags = _t696;
                                          															if(_t696 != 0) {
                                          																asm("cdq");
                                          																_t598 = 0x19;
                                          																_t679 = _t696 % _t598;
                                          																__eflags = _t679;
                                          																if(_t679 == 0) {
                                          																	_t400 = 0x2d;
                                          																	 *((short*)(_t720 + _t456 * 2 - 0x88)) = _t400;
                                          																	_t456 = _t456 + 1;
                                          																	__eflags = _t456;
                                          																}
                                          															}
                                          															 *((short*)(_t720 + _t456 * 2 - 0x88)) =  *((char*)(_t720 + _t714 - 0xf0));
                                          															_t696 = _t696 + 5;
                                          															_t456 = _t456 + 1;
                                          															__eflags = _t696 - 0x7d;
                                          														} while (_t696 < 0x7d);
                                          														__eflags = 0;
                                          														 *((short*)(_t720 + _t456 * 2 - 0x88)) = 0;
                                          														E00411BE5(0x41e708, _t720 - 0x88);
                                          														 *0x41e700 = 1;
                                          														_t452 = 0x41e7b8;
                                          														goto L101;
                                          													}
                                          													_push( *((intOrPtr*)(_t720 + 0x58)));
                                          													L004191B0();
                                          													_push(0x20);
                                          													goto L22;
                                          												}
                                          												_t637 = L"sfxconfig";
                                          												_t401 = E004057A2(_t684, L"sfxconfig");
                                          												__eflags = _t401;
                                          												if(_t401 == 0) {
                                          													goto L84;
                                          												}
                                          												__eflags =  *_t401 - 0x3a;
                                          												if( *_t401 == 0x3a) {
                                          													_t401 =  &(_t401[1]);
                                          													__eflags = _t401;
                                          												}
                                          												_t603 =  *_t401 & 0x0000ffff;
                                          												__eflags = _t603;
                                          												if(_t603 == 0) {
                                          													goto L119;
                                          												} else {
                                          													while(1) {
                                          														__eflags = _t603 - 0x20;
                                          														if(_t603 > 0x20) {
                                          															break;
                                          														}
                                          														_t401 =  &(_t401[1]);
                                          														_t603 =  *_t401 & 0x0000ffff;
                                          														__eflags = _t603;
                                          														if(_t603 != 0) {
                                          															continue;
                                          														}
                                          														break;
                                          													}
                                          													__eflags =  *_t401;
                                          													if( *_t401 == 0) {
                                          														goto L119;
                                          													}
                                          													_t680 = _t720 + 0x58;
                                          													_t402 = E00406013(_t401, _t720 + 0x58);
                                          													__eflags = _t402;
                                          													if(_t402 != 0) {
                                          														goto L119;
                                          													}
                                          													_push(0xa);
                                          													_push(0);
                                          													E0040976C(_t680);
                                          													_push( *((intOrPtr*)(_t720 + 0x58)));
                                          													L004191B0();
                                          													_t725 = _t725 + 0xc;
                                          													_push(4);
                                          													goto L22;
                                          												}
                                          											}
                                          											L73:
                                          											_push( *((intOrPtr*)(_t720 + 0x58)));
                                          											L004191B0();
                                          											goto L18;
                                          										} else {
                                          											E0040976C(_t636, 1, 7,  *0x41e844);
                                          											_t725 = _t725 + 0xc;
                                          											_push(2);
                                          											L22:
                                          											_pop(_t703);
                                          											goto L11;
                                          										}
                                          									}
                                          									__eflags =  *_t701 - 0x3a;
                                          									if( *_t701 == 0x3a) {
                                          										_t614 =  *(_t701 + 2) & 0x0000ffff;
                                          										_t697 = 0x20;
                                          										_t419 = (_t614 | _t697) - 0x61;
                                          										__eflags = _t419;
                                          										if(_t419 == 0) {
                                          											 *0x41e8d8 = 2;
                                          											while(1) {
                                          												L57:
                                          												__eflags =  *_t701 - _t697;
                                          												if( *_t701 <= _t697) {
                                          													break;
                                          												}
                                          												_t701 = _t701 + 2;
                                          												__eflags = _t701;
                                          											}
                                          											_t636 = L"sfxconfig";
                                          											_t684 = _t701;
                                          											_t420 = E004057A2(_t701, L"sfxconfig");
                                          											__eflags = _t420;
                                          											if(_t420 == 0) {
                                          												goto L66;
                                          											}
                                          											__eflags =  *_t420 - 0x3a;
                                          											if( *_t420 != 0x3a) {
                                          												L63:
                                          												_t616 =  *_t420 & 0x0000ffff;
                                          												__eflags = _t616;
                                          												if(_t616 != 0) {
                                          													__eflags = _t616 - 0x20;
                                          													if(_t616 > 0x20) {
                                          														goto L64;
                                          													}
                                          													L62:
                                          													_t420 = _t420 + 2;
                                          													__eflags = _t420;
                                          													goto L63;
                                          												}
                                          												L64:
                                          												 *(_t720 + 0x28) =  *(_t720 + 0x28) & 0x00000000;
                                          												 *((short*)( *((intOrPtr*)(_t720 + 0x24)))) = 0;
                                          												_t636 = _t720 + 0x24;
                                          												_t421 = E0040310A(_t420, _t720 + 0x24);
                                          												__eflags =  *0x41e8d8 - 2;
                                          												_t684 = _t421;
                                          												if( *0x41e8d8 != 2) {
                                          													E00411C48(0x41e844, _t720 + 0x24);
                                          												}
                                          												goto L66;
                                          											}
                                          											goto L62;
                                          										}
                                          										_t425 = _t419;
                                          										__eflags = _t425;
                                          										if(_t425 == 0) {
                                          											__eflags =  *(_t701 + 4) - 0x63;
                                          											 *0x41e8d8 = (0 |  *(_t701 + 4) == 0x00000063) + 3;
                                          											goto L57;
                                          										}
                                          										_t429 = _t425 - 1;
                                          										__eflags = _t429;
                                          										if(_t429 == 0) {
                                          											__eflags = _t614 - 0x44;
                                          											if(_t614 != 0x44) {
                                          												_t701 = _t701 + 4;
                                          												__eflags = _t701;
                                          												L49:
                                          												 *0x41e8d4 =  *0x41e8d4 & 0x00000000;
                                          												__eflags =  *_t701 - 0x3a;
                                          												if( *_t701 != 0x3a) {
                                          													L52:
                                          													 *0x41e8d4 = 0xa;
                                          													L53:
                                          													 *0x41e8d8 = 1;
                                          													goto L57;
                                          												}
                                          												_t26 = _t701 + 2; // -2
                                          												_t430 = _t26;
                                          												__imp___wtol(_t430);
                                          												 *0x41e8d4 = _t430;
                                          												__eflags = _t430 - 0xe10;
                                          												if(_t430 > 0xe10) {
                                          													goto L52;
                                          												}
                                          												__eflags = _t430;
                                          												if(_t430 != 0) {
                                          													goto L53;
                                          												}
                                          												goto L52;
                                          											}
                                          											__eflags =  *(_t701 + 4) - 0x3a;
                                          											if( *(_t701 + 4) != 0x3a) {
                                          												goto L21;
                                          											}
                                          											_t701 = _t701 + 6;
                                          											while(1) {
                                          												_t431 =  *_t701 & 0x0000ffff;
                                          												__eflags = _t431 - _t697;
                                          												if(_t431 <= _t697) {
                                          													break;
                                          												}
                                          												__eflags = _t431 - 0x3a;
                                          												if(_t431 == 0x3a) {
                                          													break;
                                          												}
                                          												E004015EC(0x41e8dc, _t431 & 0x0000ffff);
                                          												_t701 = _t701 + 2;
                                          												__eflags = _t701;
                                          											}
                                          											__eflags =  *0x41e8e0;
                                          											if( *0x41e8e0 != 0) {
                                          												goto L49;
                                          											}
                                          											goto L21;
                                          										}
                                          										_t434 = _t429 - 0xb;
                                          										__eflags = _t434;
                                          										if(_t434 == 0) {
                                          											__eflags =  *(_t701 + 4) - 0x3a;
                                          											if( *(_t701 + 4) != 0x3a) {
                                          												goto L10;
                                          											}
                                          											_t436 = ( *(_t701 + 6) & 0x0000ffff) - 0x31;
                                          											__eflags = _t436;
                                          											if(_t436 == 0) {
                                          												_t703 = 1;
                                          												goto L11;
                                          											}
                                          											_t437 = _t436 - 1;
                                          											__eflags = _t437;
                                          											if(_t437 == 0) {
                                          												_t703 = 0x5b7;
                                          												goto L11;
                                          											}
                                          											_t438 = _t437 - 1;
                                          											__eflags = _t438;
                                          											if(_t438 == 0) {
                                          												_push(0x1f);
                                          												goto L22;
                                          											}
                                          											_t439 = _t438 - 1;
                                          											__eflags = _t439;
                                          											if(_t439 == 0) {
                                          												_t703 = 0x3fff;
                                          												goto L11;
                                          											}
                                          											__eflags = _t439 != 1;
                                          											if(_t439 != 1) {
                                          												goto L10;
                                          											}
                                          											goto L35;
                                          										}
                                          										__eflags = _t434 != 7;
                                          										if(_t434 != 7) {
                                          											goto L21;
                                          										} else {
                                          											_t703 = 0x4f3c;
                                          											goto L11;
                                          										}
                                          									}
                                          									L21:
                                          									_push(0x64);
                                          									goto L22;
                                          								} else {
                                          									_t703 = 1;
                                          									__eflags = 1;
                                          									_push(6);
                                          									_push(1);
                                          									E0040976C(_t635);
                                          									L18:
                                          									goto L11;
                                          								}
                                          							} else {
                                          								_t703 = E00402013(_t239, _t684);
                                          								goto L11;
                                          							}
                                          						} else {
                                          							E00405DA5(L"sfxversion", _t684, _t736);
                                          							L10:
                                          							_t703 = 0;
                                          							L11:
                                          							_push( *(_t720 - 8));
                                          							L004191B0();
                                          							_push( *((intOrPtr*)(_t720 - 0x48)));
                                          							L004191B0();
                                          							_push( *((intOrPtr*)(_t720 + 0x24)));
                                          							L004191B0();
                                          							_t218 = _t703;
                                          							L216:
                                          							return _t218;
                                          						}
                                          					} else {
                                          						_t445 = _t237 + 2;
                                          						__imp___wtol(_t445);
                                          						_t16 = _t445 - 1; // -1
                                          						if(_t16 <= 0xfffe) {
                                          							 *0x41e730 = _t445;
                                          						}
                                          						do {
                                          							_t684 = _t684 + 2;
                                          						} while ( *_t684 > 0x20);
                                          						goto L8;
                                          					}
                                          				}
                                          			}
                                          0x00406c1e
                                          0x00406c11
                                          0x00406c14
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00406c14
                                          0x00406c07
                                          0x00406c0a
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00406c0a
                                          0x00406bfd
                                          0x00406c00
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00406c00
                                          0x00406cd3
                                          0x00406cd8
                                          0x00406cdb
                                          0x00406ce0
                                          0x00406ce3
                                          0x00406ce8
                                          0x00406ceb
                                          0x00000000
                                          0x00406ceb
                                          0x00406b54
                                          0x00406ac1
                                          0x00000000
                                          0x00406aac
                                          0x00406aac
                                          0x00406ab1
                                          0x00406ab1
                                          0x00000000
                                          0x00406ab1
                                          0x004069dc
                                          0x004069e3
                                          0x004069e8
                                          0x004069ea
                                          0x004069ec
                                          0x004069f0
                                          0x004069f6
                                          0x004069f6
                                          0x004069fe
                                          0x00406a14
                                          0x00406a1e
                                          0x00406a30
                                          0x00000000
                                          0x00406a30
                                          0x004069da
                                          0x00406981
                                          0x00406988
                                          0x00406990
                                          0x00406994
                                          0x00406999
                                          0x0040699c
                                          0x0040699c
                                          0x0040699c
                                          0x0040699f
                                          0x004069aa
                                          0x004069aa
                                          0x00000000
                                          0x004069b5
                                          0x00406819
                                          0x00406820
                                          0x00000000
                                          0x00000000
                                          0x00406826
                                          0x0040682b
                                          0x0040682d
                                          0x00000000
                                          0x00000000
                                          0x0040683e
                                          0x00406857
                                          0x00406894
                                          0x004068ad
                                          0x004068b2
                                          0x004068b5
                                          0x004068ba
                                          0x004068bd
                                          0x004068c2
                                          0x004068c8
                                          0x004068cd
                                          0x004068d0
                                          0x004068d5
                                          0x004068d8
                                          0x004068dd
                                          0x004068eb
                                          0x004068f4
                                          0x004068f7
                                          0x004068f8
                                          0x004068fd
                                          0x00406900
                                          0x00406902
                                          0x0040692b
                                          0x00406930
                                          0x00406933
                                          0x00406938
                                          0x0040693b
                                          0x00406940
                                          0x00406943
                                          0x00406948
                                          0x00000000
                                          0x00406948
                                          0x00406904
                                          0x00406909
                                          0x0040690c
                                          0x00406911
                                          0x00406914
                                          0x00406919
                                          0x0040691c
                                          0x00406921
                                          0x00406924
                                          0x00000000
                                          0x00406924
                                          0x004066fa
                                          0x00406711
                                          0x00406722
                                          0x00406729
                                          0x00406735
                                          0x00406735
                                          0x00406737
                                          0x00406738
                                          0x00406738
                                          0x0040673a
                                          0x0040673a
                                          0x00406748
                                          0x0040674a
                                          0x0040674b
                                          0x0040674b
                                          0x00406750
                                          0x00406752
                                          0x00406752
                                          0x00406754
                                          0x00406756
                                          0x00406757
                                          0x0040675f
                                          0x00406769
                                          0x00406769
                                          0x0040676f
                                          0x00406775
                                          0x00406775
                                          0x00406775
                                          0x00406778
                                          0x0040677b
                                          0x0040677d
                                          0x00406783
                                          0x00406784
                                          0x00406785
                                          0x00406787
                                          0x00406789
                                          0x0040678d
                                          0x0040678e
                                          0x00406796
                                          0x00406796
                                          0x00406796
                                          0x00406789
                                          0x004067a0
                                          0x004067a8
                                          0x004067ab
                                          0x004067ac
                                          0x004067ac
                                          0x004067b1
                                          0x004067b3
                                          0x004067c7
                                          0x004067cc
                                          0x004067d3
                                          0x00000000
                                          0x004067d3
                                          0x004066c9
                                          0x004066cc
                                          0x004066d2
                                          0x00000000
                                          0x004066d2
                                          0x004065fa
                                          0x00406601
                                          0x00406606
                                          0x00406608
                                          0x00000000
                                          0x00000000
                                          0x0040660a
                                          0x0040660e
                                          0x00406610
                                          0x00406610
                                          0x00406610
                                          0x00406613
                                          0x00406616
                                          0x00406619
                                          0x00000000
                                          0x0040661f
                                          0x0040661f
                                          0x0040661f
                                          0x00406623
                                          0x00000000
                                          0x00000000
                                          0x00406625
                                          0x00406628
                                          0x0040662b
                                          0x0040662e
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x0040662e
                                          0x00406630
                                          0x00406634
                                          0x00000000
                                          0x00000000
                                          0x0040663a
                                          0x0040663f
                                          0x00406644
                                          0x00406646
                                          0x00000000
                                          0x00000000
                                          0x0040664c
                                          0x0040664e
                                          0x00406650
                                          0x00406655
                                          0x00406658
                                          0x0040665d
                                          0x00406660
                                          0x00000000
                                          0x00406660
                                          0x00406619
                                          0x004065e4
                                          0x004065e4
                                          0x004065e7
                                          0x00000000
                                          0x004065a2
                                          0x004065ac
                                          0x004065b1
                                          0x004065b4
                                          0x0040633c
                                          0x0040633c
                                          0x00000000
                                          0x0040633c
                                          0x004065a0
                                          0x00406334
                                          0x00406338
                                          0x00406342
                                          0x0040634a
                                          0x0040634d
                                          0x0040634d
                                          0x00406350
                                          0x00406454
                                          0x00406463
                                          0x00406463
                                          0x00406463
                                          0x00406466
                                          0x00000000
                                          0x00000000
                                          0x00406460
                                          0x00406460
                                          0x00406460
                                          0x00406468
                                          0x0040646f
                                          0x00406471
                                          0x00406476
                                          0x00406478
                                          0x00000000
                                          0x00000000
                                          0x0040647a
                                          0x0040647e
                                          0x0040648b
                                          0x0040648b
                                          0x0040648e
                                          0x00406491
                                          0x00406482
                                          0x00406486
                                          0x00000000
                                          0x00000000
                                          0x00406488
                                          0x00406488
                                          0x00406488
                                          0x00000000
                                          0x00406488
                                          0x00406493
                                          0x00406496
                                          0x0040649c
                                          0x0040649f
                                          0x004064a4
                                          0x004064a9
                                          0x004064b0
                                          0x004064b2
                                          0x004064ba
                                          0x004064ba
                                          0x00000000
                                          0x004064b2
                                          0x00000000
                                          0x00406480
                                          0x00406357
                                          0x00406357
                                          0x00406358
                                          0x00406442
                                          0x0040644d
                                          0x00000000
                                          0x0040644d
                                          0x0040635e
                                          0x0040635e
                                          0x0040635f
                                          0x004063bd
                                          0x004063c0
                                          0x004063ff
                                          0x004063ff
                                          0x00406402
                                          0x00406402
                                          0x00406409
                                          0x0040640d
                                          0x0040642a
                                          0x0040642a
                                          0x00406434
                                          0x00406434
                                          0x00000000
                                          0x00406434
                                          0x0040640f
                                          0x0040640f
                                          0x00406413
                                          0x0040641a
                                          0x0040641f
                                          0x00406424
                                          0x00000000
                                          0x00000000
                                          0x00406426
                                          0x00406428
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00406428
                                          0x004063c2
                                          0x004063c7
                                          0x00000000
                                          0x00000000
                                          0x004063cd
                                          0x004063e9
                                          0x004063e9
                                          0x004063ec
                                          0x004063ef
                                          0x00000000
                                          0x00000000
                                          0x004063d2
                                          0x004063d6
                                          0x00000000
                                          0x00000000
                                          0x004063e1
                                          0x004063e6
                                          0x004063e6
                                          0x004063e6
                                          0x004063f1
                                          0x004063f8
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x004063fa
                                          0x00406361
                                          0x00406361
                                          0x00406364
                                          0x00406375
                                          0x0040637a
                                          0x00000000
                                          0x00000000
                                          0x00406384
                                          0x00406384
                                          0x00406387
                                          0x004063b7
                                          0x00000000
                                          0x004063b7
                                          0x00406389
                                          0x00406389
                                          0x0040638a
                                          0x004063ab
                                          0x00000000
                                          0x004063ab
                                          0x0040638c
                                          0x0040638c
                                          0x0040638d
                                          0x004063a7
                                          0x00000000
                                          0x004063a7
                                          0x0040638f
                                          0x0040638f
                                          0x00406390
                                          0x0040639d
                                          0x00000000
                                          0x0040639d
                                          0x00406392
                                          0x00406393
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00406393
                                          0x00406366
                                          0x00406369
                                          0x00000000
                                          0x0040636b
                                          0x0040636b
                                          0x00000000
                                          0x0040636b
                                          0x00406369
                                          0x0040633a
                                          0x0040633a
                                          0x00000000
                                          0x00406305
                                          0x00406307
                                          0x00406307
                                          0x00406308
                                          0x0040630a
                                          0x0040630b
                                          0x00406311
                                          0x00000000
                                          0x00406311
                                          0x004062c0
                                          0x004062c7
                                          0x00000000
                                          0x004062c7
                                          0x00406287
                                          0x00406287
                                          0x0040628c
                                          0x0040628c
                                          0x0040628e
                                          0x0040628e
                                          0x00406291
                                          0x00406296
                                          0x00406299
                                          0x0040629e
                                          0x004062a1
                                          0x004062a9
                                          0x0040710e
                                          0x00407115
                                          0x00407115
                                          0x00406252
                                          0x00406252
                                          0x00406256
                                          0x0040625d
                                          0x00406266
                                          0x00406268
                                          0x00406268
                                          0x0040626e
                                          0x0040626e
                                          0x00406271
                                          0x00000000
                                          0x0040626e
                                          0x0040624a

                                          APIs
                                          • ?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z.MSVCRT ref: 0040613B
                                            • Part of subcall function 0040391C: GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,00406147,?,00000000), ref: 00403928
                                            • Part of subcall function 0040391C: CreateWindowExW.USER32 ref: 00403945
                                            • Part of subcall function 0040391C: GetDesktopWindow.USER32 ref: 00403951
                                            • Part of subcall function 0040391C: GetWindowRect.USER32 ref: 00403958
                                            • Part of subcall function 0040391C: SetWindowPos.USER32(00000000,00000000,?,00406147,00000000,00000000,00000004), ref: 0040397C
                                            • Part of subcall function 0040391C: SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 0040398C
                                            • Part of subcall function 0040391C: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00403999
                                            • Part of subcall function 0040391C: DispatchMessageW.USER32 ref: 004039A3
                                            • Part of subcall function 0040391C: KillTimer.USER32(00000000,00000001,?,?,?,?,?,?,?,?,?,?,00406147,?,00000000), ref: 004039AC
                                          • GetVersionExW.KERNEL32(?,?,00000000), ref: 00406158
                                          • MessageBoxA.USER32 ref: 00407105
                                            • Part of subcall function 00411B60: ??2@YAPAXI@Z.MSVCRT ref: 00411B68
                                            • Part of subcall function 00405502: LoadLibraryA.KERNEL32(kernel32,?,?,00000000), ref: 00405513
                                            • Part of subcall function 00405502: #17.COMCTL32(?,?,00000000), ref: 0040551E
                                            • Part of subcall function 00405502: SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000,?,?,00000000), ref: 004055A3
                                            • Part of subcall function 00405502: wsprintfW.USER32 ref: 004055B7
                                          • GetCommandLineW.KERNEL32(?,00000000), ref: 004061B1
                                            • Part of subcall function 00411BE5: ??2@YAPAXI@Z.MSVCRT ref: 00411C17
                                            • Part of subcall function 00411BE5: ??3@YAXPAX@Z.MSVCRT ref: 00411C20
                                            • Part of subcall function 00411BE5: memcpy.MSVCRT ref: 00411C38
                                            • Part of subcall function 00404666: ??3@YAXPAX@Z.MSVCRT ref: 004046D9
                                            • Part of subcall function 00404666: ??3@YAXPAX@Z.MSVCRT ref: 004046F5
                                            • Part of subcall function 00404666: ??3@YAXPAX@Z.MSVCRT ref: 004046FD
                                            • Part of subcall function 00404666: ??3@YAXPAX@Z.MSVCRT ref: 00404768
                                            • Part of subcall function 00405051: ??3@YAXPAX@Z.MSVCRT ref: 004050B8
                                            • Part of subcall function 00405051: ??3@YAXPAX@Z.MSVCRT ref: 004050C1
                                            • Part of subcall function 00405051: ??3@YAXPAX@Z.MSVCRT ref: 004050C9
                                          • GetCommandLineW.KERNEL32(00000001,00000001,00000001,00000000,?,00000000), ref: 004061F7
                                            • Part of subcall function 004042F3: wcsncpy.MSVCRT ref: 00404321
                                            • Part of subcall function 004042F3: ??3@YAXPAX@Z.MSVCRT ref: 0040432C
                                          • wsprintfW.USER32 ref: 0040621D
                                            • Part of subcall function 004057A2: lstrlenW.KERNEL32(sfxlang,?,747149F0,?,00000001,00406248,00000001), ref: 004057E3
                                            • Part of subcall function 004057A2: lstrlenW.KERNEL32(sfxlang), ref: 004057E8
                                          • _wtol.MSVCRT(-00000002,00000001), ref: 00406256
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00406291
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00406299
                                          • ??3@YAXPAX@Z.MSVCRT ref: 004062A1
                                          • GetModuleFileNameW.KERNEL32(00000000,00000000,00000208,00000208,00000001), ref: 004062FB
                                          • _wtol.MSVCRT(-00000002), ref: 00406413
                                            • Part of subcall function 00411743: ??2@YAPAXI@Z.MSVCRT ref: 0041174B
                                            • Part of subcall function 00405401: ??3@YAXPAX@Z.MSVCRT ref: 00405445
                                          • ??3@YAXPAX@Z.MSVCRT ref: 004065E7
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00406658
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: ??3@$Window$??2@Message$CommandLineModuleTimer_wtollstrlenwsprintf$?_set_new_handler@@CreateDesktopDispatchFileFolderHandleKillLibraryLoadNamePathRectSpecialVersionmemcpywcsncpy
                                          • String ID: " -$123456789ABCDEFGHJKMNPQRSTUVWXYZ$7-Zip SFX$7ZipSfx.%03x$@V$AutoInstall$BeginPrompt$BeginPromptTimeout$Delete$DA$DA$ExecuteFile$ExecuteOnLoad$FinishMessage$HelpText$HA$InstallPath$PreExtract$PA$RunProgram$SelfDelete$SetEnvironment$SfxAuthor$SfxString%d$SfxVarApiPath$SfxVarCmdLine0$SfxVarModulePlatform$SfxVarSystemLanguage$SfxVarSystemPlatform$Shortcut$Sorry, this program requires Microsoft Windows 2000 or later.$\A$`V$hA$setup.exe$sfxconfig$sfxelevation$sfxlang$sfxtest$sfxversion$sfxwaitall$x86
                                          • API String ID: 15977253-476106037
                                          • Opcode ID: 39a509271bc52836e8dc4654538a45f3584d5180c5ee5ccb76d01f5a4072b52b
                                          • Instruction ID: e0054388adb9e1051384cab39e182934ba2a11f09d439c537bece9ac8bb84f3b
                                          • Opcode Fuzzy Hash: 39a509271bc52836e8dc4654538a45f3584d5180c5ee5ccb76d01f5a4072b52b
                                          • Instruction Fuzzy Hash: 88929234A001059AEB15BB62DC55AEE3666EF40308F15803FFD06672E2DB3C9D91CB5E
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          [Control-flow graph of the function at 4029da-402d29; legend: Executed / Not Executed]
                                          C-Code - Quality: 92%
                                          			E004029DA(signed int* _a4, long _a8, signed int* _a12, signed int _a16) {
                                          				char _v16;
                                          				signed int _v24;
                                          				char _v28;
                                          				long _v32;
                                          				signed int _v36;
                                          				short _v42;
                                          				signed short _v44;
                                          				signed int _v52;
                                          				short _v58;
                                          				signed int _v60;
                                          				struct _SYSTEMTIME _v76;
                                          				signed int _t108;
                                          				intOrPtr* _t110;
                                          				signed int _t111;
                                          				signed int _t116;
                                          				intOrPtr* _t119;
                                          				intOrPtr* _t122;
                                          				signed int _t123;
                                          				intOrPtr* _t125;
                                          				signed int _t126;
                                          				intOrPtr* _t130;
                                          				signed int _t131;
                                          				signed int _t132;
                                          				signed int _t136;
                                          				signed int _t138;
                                          				signed int _t141;
                                          				signed int _t149;
                                          				signed int _t150;
                                          				signed int _t151;
                                          				signed int _t152;
                                          				signed int _t154;
                                          				signed int _t161;
                                          				signed int _t171;
                                          				intOrPtr _t184;
                                          				signed int* _t211;
                                          				intOrPtr* _t213;
                                          				intOrPtr* _t218;
                                          				signed int _t219;
                                          				intOrPtr _t221;
                                          
                                          				_t221 =  *0x41e8cc; // 0x0
                                          				if(_t221 == 0) {
                                          					 *_a12 = 0;
                                          					__eflags = _a16;
                                          					if(_a16 == 0) {
                                          						_t218 = _a4;
                                          						_t211 = _t218 + 0x20;
                                          						_t108 =  *_t211;
                                          						_a4 = _t211;
                                          						__eflags = _t108;
                                          						if(_t108 != 0) {
                                          							 *((intOrPtr*)( *_t108 + 8))(_t108);
                                          							 *_t211 = 0;
                                          						}
                                          						_v60 = 0;
                                          						_v58 = 0;
                                          						_t110 =  *0x41e7c0; // 0x562608
                                          						_v52 = 0;
                                          						_t111 =  *((intOrPtr*)( *_t110 + 0x18))(_t110, _a8, 3,  &_v60);
                                          						__eflags = _t111;
                                          						if(_t111 == 0) {
                                          							E00411B60(_t111,  &_v16);
                                          							__eflags = _v60;
                                          							if(_v60 == 0) {
                                          								L50:
                                          								_t219 =  *((intOrPtr*)( *_t218 + 0x1c))(_t218, 0x64);
                                          								L51:
                                          								_push(_v16);
                                          								L004191B0();
                                          								L52:
                                          								goto L53;
                                          							}
                                          							__eflags = _v60 - 8;
                                          							if(_v60 != 8) {
                                          								goto L50;
                                          							}
                                          							E00411BE5( &_v16, _v52);
                                          							_t119 = E00411AEC( &_v28, _t218 + 0xc,  &_v16);
                                          							_t213 = _t218 + 0x24;
                                          							E00411BE5(_t213,  *_t119);
                                          							L004191B0();
                                          							_v44 = 0;
                                          							_v42 = 0;
                                          							_t122 =  *0x41e7c0; // 0x562608
                                          							_v36 = 0;
                                          							_t123 =  *((intOrPtr*)( *_t122 + 0x18))(_t122, _a8, 9,  &_v44, _v28);
                                          							_a16 = _t123;
                                          							__eflags = _t123;
                                          							if(_t123 == 0) {
                                          								__eflags = _v44;
                                          								if(_v44 != 0) {
                                          									__eflags = _v44 - 0x13;
                                          									if(_v44 == 0x13) {
                                          										 *((intOrPtr*)(_t218 + 0x44)) = _v36;
                                          										L20:
                                          										_t125 =  *0x41e7c0; // 0x562608
                                          										_t126 =  *((intOrPtr*)( *_t125 + 0x18))(_t125, _a8, 6,  &_v44);
                                          										_a16 = _t126;
                                          										__eflags = _t126;
                                          										if(_t126 != 0) {
                                          											goto L11;
                                          										}
                                          										__eflags = _v36;
                                          										_t207 =  &_v44;
                                          										 *(_t218 + 0x40) = 0 | _v36 != 0x00000000;
                                          										_t130 =  *0x41e7c0; // 0x562608
                                          										_t131 =  *((intOrPtr*)( *_t130 + 0x18))(_t130, _a8, 0xc,  &_v44);
                                          										_a8 = _t131;
                                          										__eflags = _t131;
                                          										if(_t131 == 0) {
                                          											_t132 = _v44 & 0x0000ffff;
                                          											__eflags = _t132;
                                          											if(_t132 == 0) {
                                          												GetLocalTime( &_v76);
                                          												_t170 = _t218 + 0x38;
                                          												SystemTimeToFileTime( &_v76, _t218 + 0x38);
                                          												L28:
                                          												__eflags =  *(_t218 + 0x40);
                                          												_t184 =  *_t213;
                                          												if( *(_t218 + 0x40) == 0) {
                                          													_t136 = E004044EA(_t184, _t170); // executed
                                          													__eflags = _t136 - 0xffffffff;
                                          													if(_t136 == 0xffffffff) {
                                          														_t138 =  *((intOrPtr*)( *_t218 + 0x20))(_t218, 0x69, GetLastError());
                                          														L17:
                                          														_t219 = _t138;
                                          														L18:
                                          														E004114AA( &_v44);
                                          														goto L51;
                                          													}
                                          													__eflags = _t136 - 1;
                                          													if(_t136 == 1) {
                                          														L31:
                                          														E004114AA( &_v44);
                                          														_push(_v16);
                                          														L004191B0();
                                          														_t219 = 0;
                                          														goto L52;
                                          													}
                                          													_push(0x18); // executed
                                          													L004191BC(); // executed
                                          													_t171 = 0;
                                          													__eflags = _t136;
                                          													if(_t136 != 0) {
                                          														 *((intOrPtr*)(_t136 + 4)) = 0;
                                          														 *_t136 = 0x41ab9c;
                                          														_t67 = _t136 + 8;
                                          														 *_t67 =  *(_t136 + 8) | 0xffffffff;
                                          														__eflags =  *_t67;
                                          														_t171 = _t136;
                                          													}
                                          													 *(_t218 + 0x1c) = _t171;
                                          													__eflags = _t171;
                                          													if(_t171 != 0) {
                                          														 *((intOrPtr*)( *_t171 + 4))(_t171);
                                          													}
                                          													_t141 =  *(_t218 + 0x1c);
                                          													 *(_t141 + 0x10) =  *(_t141 + 0x10) & 0x00000000;
                                          													 *(_t141 + 0x14) =  *(_t141 + 0x14) & 0x00000000;
                                          													__eflags = E00411412( *_t213, 1);
                                          													if(__eflags != 0) {
                                          														L48:
                                          														E004010F2(_a4, _t171);
                                          														 *_a12 = _t171;
                                          														E004114AA( &_v44);
                                          														_push(_v16);
                                          														L004191B0();
                                          														E004114AA( &_v60);
                                          														_t116 = 0;
                                          														goto L54;
                                          													} else {
                                          														_a8 = GetLastError();
                                          														E00411BBA( &_v28, _t213);
                                          														_t149 = E004038FB( &_v28, __eflags);
                                          														__eflags = _t149;
                                          														if(_t149 >= 0) {
                                          															_v24 = _t149;
                                          															 *((short*)(_v28 + _t149 * 2)) = 0;
                                          															_t150 = E00404772(_v28, _v28);
                                          															__eflags = _t150;
                                          															if(_t150 != 0) {
                                          																_t151 =  *(_t218 + 0x1c);
                                          																 *(_t151 + 0x10) =  *(_t151 + 0x10) & 0x00000000;
                                          																 *(_t151 + 0x14) =  *(_t151 + 0x14) & 0x00000000;
                                          																_t152 = E00411412( *_t213, 1);
                                          																__eflags = _t152;
                                          																if(_t152 != 0) {
                                          																	_push(_v28);
                                          																	L004191B0();
                                          																	goto L48;
                                          																}
                                          																_t154 =  *((intOrPtr*)( *_t218 + 0x20))(_t218, 0x6a, GetLastError());
                                          																L41:
                                          																_push(_v28);
                                          																_t219 = _t154;
                                          																L004191B0();
                                          																__eflags = _t171;
                                          																if(_t171 != 0) {
                                          																	 *((intOrPtr*)( *_t171 + 8))(_t171);
                                          																}
                                          																goto L18;
                                          															}
                                          															_t154 =  *((intOrPtr*)( *_t218 + 0x1c))(_t218, 0x68);
                                          															goto L41;
                                          														}
                                          														_t154 =  *((intOrPtr*)( *_t218 + 0x20))(_t218, 0x6a, _a8);
                                          														goto L41;
                                          													}
                                          												}
                                          												_t161 = E00404772(_t184, _t207); // executed
                                          												__eflags = _t161;
                                          												if(_t161 != 0) {
                                          													goto L31;
                                          												}
                                          												_push(0x68);
                                          												L16:
                                          												_t138 =  *((intOrPtr*)( *_t218 + 0x1c))(_t218);
                                          												goto L17;
                                          											}
                                          											__eflags = _t132 - 0x40;
                                          											if(_t132 == 0x40) {
                                          												_t170 = _t218 + 0x38;
                                          												_t170->dwLowDateTime = _v36;
                                          												_t170->dwHighDateTime = _v32;
                                          												goto L28;
                                          											}
                                          											_push(0x66);
                                          											goto L16;
                                          										}
                                          										E004114AA( &_v44);
                                          										_push(_v16);
                                          										L004191B0();
                                          										_t219 = _a8;
                                          										goto L52;
                                          									}
                                          									_push(0x65);
                                          									goto L16;
                                          								}
                                          								 *((intOrPtr*)(_t218 + 0x44)) = 0;
                                          								goto L20;
                                          							}
                                          							L11:
                                          							E004114AA( &_v44);
                                          							_push(_v16);
                                          							L004191B0();
                                          							_t219 = _a16;
                                          							goto L52;
                                          						} else {
                                          							_t219 = _t111;
                                          							L53:
                                          							E004114AA( &_v60);
                                          							_t116 = _t219;
                                          							L54:
                                          							return _t116;
                                          						}
                                          					}
                                          					return 0;
                                          				}
                                          				return 0x80004004;
                                          			}











































                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6c00588021e254f98f184be71cdf85996bd3bc88c90d1d9bb6fd3d36593f32ba
                                          • Instruction ID: c1d5b1038281741182b59f060de7432f6867be05cbf439a176d126074f28f510
                                          • Opcode Fuzzy Hash: 6c00588021e254f98f184be71cdf85996bd3bc88c90d1d9bb6fd3d36593f32ba
                                          • Instruction Fuzzy Hash: A7B19271900205EFDB14DFA0D9889EE77B5BF08314F14846AF902BB2E1D778AD85DB58
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1000 4044ea-40450a FindFirstFileW 1001 404510-40451e FindClose 1000->1001 1002 40450c-40450e 1000->1002 1004 404520-40452b SetLastError 1001->1004 1005 40452d-404534 1001->1005 1003 404559-40455c 1002->1003 1004->1003 1006 404536-40453d call 4044bd 1005->1006 1007 40453f-404542 1005->1007 1006->1003 1009 404544-404554 CompareFileTime 1007->1009 1010 404556-404558 1007->1010 1009->1006 1009->1010 1010->1003
                                          C-Code - Quality: 100%
                                          			E004044EA(WCHAR* __ecx, FILETIME* __edx) {
                                          				struct _WIN32_FIND_DATAW _v596;
                                          				void* _t7;
                                          				signed int _t8;
                                          				intOrPtr _t9;
                                          				FILETIME* _t20;
                                          
                                          				_t20 = __edx; // executed
                                          				_t7 = FindFirstFileW(__ecx,  &_v596); // executed
                                          				if(_t7 != 0xffffffff) {
                                          					_t8 = FindClose(_t7);
                                          					if((_v596.dwFileAttributes & 0x00000010) == 0) {
                                          						_t9 =  *0x41e778; // 0x0
                                          						if(_t9 != 0) {
                                          							if(_t9 != 2 || CompareFileTime( &(_v596.ftLastWriteTime), _t20) >= 0) {
                                          								return 1;
                                          							} else {
                                          								goto L5;
                                          							}
                                          						}
                                          						L5:
                                          						return E004044BD();
                                          					}
                                          					SetLastError(0x10);
                                          					return _t8 | 0xffffffff;
                                          				}
                                          				return 0;
                                          			}









                                          APIs
                                          • FindFirstFileW.KERNELBASE(00000000,?,00000000,-00000001), ref: 00404501
                                          • FindClose.KERNEL32(00000000), ref: 00404511
                                          • SetLastError.KERNEL32(00000010), ref: 00404522
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: Find$CloseErrorFileFirstLast
                                          • String ID:
                                          • API String ID: 4020440971-0
                                          • Opcode ID: 2e532512729200e784fa90409b54c7fc6bc467fc79d1b687fbef4cf578feb42b
                                          • Instruction ID: 20dcc56be40bd9a2dd23ceebfaf1f9b55074e9165e79c80e0b63e8a94ab0599c
                                          • Opcode Fuzzy Hash: 2e532512729200e784fa90409b54c7fc6bc467fc79d1b687fbef4cf578feb42b
                                          • Instruction Fuzzy Hash: F1F081F1A00114B7DB206638AC49BA637A89BC1729F140A77EB26F11D0D77CC945955E
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 94%
                                          			E00409A19(void* __eax, WCHAR* _a4, intOrPtr _a8) {
                                          				struct _WIN32_FIND_DATAW _v596;
                                          				void* _t16;
                                          				void* _t18;
                                          				intOrPtr _t36;
                                          				intOrPtr* _t38;
                                          
                                          				_push(0x24);
                                          				L004191BC();
                                          				if(__eax == 0) {
                                          					_t38 = 0;
                                          				} else {
                                          					_t38 = E00412603(__eax);
                                          				}
                                          				if(E004113D0(_a4) != 0) {
                                          					_t36 = _a8;
                                          					E004010F2(_t36, _t38);
                                          					_t16 = FindFirstFileW(_a4,  &_v596); // executed
                                          					if(_t16 == 0xffffffff) {
                                          						if(_t38 != 0) {
                                          							 *((intOrPtr*)( *_t38 + 0x14))(1);
                                          						}
                                          						_t18 = 1;
                                          					} else {
                                          						 *((intOrPtr*)(_t36 + 8)) = _v596.nFileSizeLow;
                                          						 *((intOrPtr*)(_t36 + 0xc)) = _v596.nFileSizeHigh;
                                          						FindClose(_t16); // executed
                                          						_t18 = 0;
                                          					}
                                          					return _t18;
                                          				} else {
                                          					if(_t38 != 0) {
                                          						 *((intOrPtr*)( *_t38 + 0x14))(1);
                                          					}
                                          					return 1;
                                          				}
                                          			}









                                          APIs
                                          • ??2@YAPAXI@Z.MSVCRT ref: 00409A25
                                          • FindFirstFileW.KERNELBASE(0041E7B8,?,00000000,00000000,0041E7B8), ref: 00409A73
                                          • FindClose.KERNELBASE(00000000), ref: 00409A91
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: Find$??2@CloseFileFirst
                                          • String ID:
                                          • API String ID: 4002974997-0
                                          • Opcode ID: f8154f6a90c2cf80a953c36b8969c0cb3972aabed34ab7164f85348f10c42f5d
                                          • Instruction ID: 793d1416ce16d4dbbc7bac0da152af532d808b73086aa34ee1095b61dd29bce3
                                          • Opcode Fuzzy Hash: f8154f6a90c2cf80a953c36b8969c0cb3972aabed34ab7164f85348f10c42f5d
                                          • Instruction Fuzzy Hash: 2A110631700111ABCB20AF24DC08AAF77A4AF45714F00443AFC46EB2D1D738DC428FA9
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 90%
                                          			E00402446(void* __ecx, void* _a8, intOrPtr _a12) {
                                          				intOrPtr _v8;
                                          				union _ULARGE_INTEGER _v12;
                                          				int _t13;
                                          				WCHAR* _t20;
                                          				void* _t22;
                                          				void* _t25;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				if(( *0x41e774 & 0x00000001) != 0) {
                                          					L8:
                                          					SendMessageW( *0x41e8c4, 0x8001, 0,  &_a8);
                                          					__eflags = 0;
                                          					return 0;
                                          				}
                                          				_t13 = GetDiskFreeSpaceExW( *0x41e89c,  &_v12, 0, 0); // executed
                                          				if(_t13 == 0) {
                                          					goto L8;
                                          				}
                                          				_t25 = _v8 - _a12;
                                          				if(_t25 > 0) {
                                          					goto L8;
                                          				}
                                          				if(_t25 < 0) {
                                          					L5:
                                          					_t20 = 0x2a;
                                          					if(E004096FF(E00403DC8(_t20), _t22, _t26) == 1) {
                                          						 *0x41e774 =  *0x41e774 | 0x00000001;
                                          						__eflags =  *0x41e774;
                                          						goto L8;
                                          					}
                                          					 *0x41e728 = 0x6a;
                                          					return 0x80004005;
                                          				}
                                          				_t26 = _v12.LowPart - _a8;
                                          				if(_v12.LowPart >= _a8) {
                                          					goto L8;
                                          				}
                                          				goto L5;
                                          			}










                                          APIs
                                          • GetDiskFreeSpaceExW.KERNELBASE(?,00000000,00000000), ref: 00402462
                                          • SendMessageW.USER32(00008001,00000000,?), ref: 004024BB
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: DiskFreeMessageSendSpace
                                          • String ID:
                                          • API String ID: 696007252-0
                                          • Opcode ID: ab9cdcdd9b55208fec138a9dead6acff31393ca49536454abc1c7d8bd56cf985
                                          • Instruction ID: 8208958cd5f058e564b84d0c2d53d4d01197a59289713be1c569bcd397771c57
                                          • Opcode Fuzzy Hash: ab9cdcdd9b55208fec138a9dead6acff31393ca49536454abc1c7d8bd56cf985
                                          • Instruction Fuzzy Hash: EA014B34610204BAEB149B65DE4DF9A3BA9FB01724F108476F901EA1E0DABAE940CB1D
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 620 4193af-419424 __set_app_type __p__fmode __p__commode call 41953b 623 419432-419489 call 419526 _initterm __getmainargs _initterm 620->623 624 419426-419431 __setusermatherr 620->624 627 4194c5-4194c8 623->627 628 41948b-419493 623->628 624->623 629 4194a2-4194a6 627->629 630 4194ca-4194ce 627->630 631 419495-419497 628->631 632 419499-41949c 628->632 634 4194a8-4194aa 629->634 635 4194ac-4194bd GetStartupInfoA 629->635 630->627 631->628 631->632 632->629 633 41949e-41949f 632->633 633->629 634->633 634->635 636 4194d0-4194d2 635->636 637 4194bf-4194c3 635->637 638 4194d3-419500 GetModuleHandleA call 407118 exit _XcptFilter 636->638 637->638
                                          C-Code - Quality: 72%
                                          			_entry_(void* __ebx, void* __edi, void* __esi) {
                                          				CHAR* _v8;
                                          				intOrPtr* _v24;
                                          				intOrPtr _v28;
                                          				struct _STARTUPINFOA _v96;
                                          				int _v100;
                                          				char** _v104;
                                          				int _v108;
                                          				void _v112;
                                          				char _v116;
                                          				intOrPtr* _v120;
                                          				intOrPtr _v124;
                                          				intOrPtr* _t23;
                                          				intOrPtr* _t24;
                                          				void* _t27;
                                          				void _t29;
                                          				intOrPtr _t36;
                                          				signed int _t38;
                                          				int _t40;
                                          				intOrPtr* _t41;
                                          				intOrPtr _t42;
                                          				intOrPtr _t46;
                                          				intOrPtr _t47;
                                          				intOrPtr _t49;
                                          				intOrPtr* _t54;
                                          				intOrPtr _t57;
                                          				intOrPtr _t60;
                                          
                                          				_push(0xffffffff);
                                          				_push(0x41c878);
                                          				_push(0x419540);
                                          				_push( *[fs:0x0]);
                                          				 *[fs:0x0] = _t57;
                                          				_v28 = _t57 - 0x68;
                                          				_v8 = 0;
                                          				__set_app_type(2);
                                          				 *0x422b88 =  *0x422b88 | 0xffffffff;
                                          				 *0x422b8c =  *0x422b8c | 0xffffffff;
                                          				_t23 = __p__fmode();
                                          				_t46 =  *0x420b6c; // 0x0
                                          				 *_t23 = _t46;
                                          				_t24 = __p__commode();
                                          				_t47 =  *0x420b68; // 0x0
                                          				 *_t24 = _t47;
                                          				 *0x422b84 = _adjust_fdiv;
                                          				_t27 = E0041953B( *_adjust_fdiv);
                                          				_t60 =  *0x41e6e0; // 0x1
                                          				if(_t60 == 0) {
                                          					__setusermatherr(E00419538);
                                          					_pop(_t47);
                                          				}
                                          				E00419526(_t27);
                                          				_push(0x41e074);
                                          				_push(0x41e070);
                                          				L00419520();
                                          				_t29 =  *0x420b64; // 0x0
                                          				_v112 = _t29;
                                          				_t6 =  &_v116; // 0x41e074
                                          				__getmainargs( &_v100, _t6,  &_v104,  *0x420b60,  &_v112);
                                          				_push(0x41e06c);
                                          				_push(0x41e000); // executed
                                          				L00419520(); // executed
                                          				_t54 =  *_acmdln;
                                          				_v120 = _t54;
                                          				if( *_t54 != 0x22) {
                                          					while( *_t54 > 0x20) {
                                          						_t54 = _t54 + 1;
                                          						_v120 = _t54;
                                          					}
                                          				} else {
                                          					do {
                                          						_t54 = _t54 + 1;
                                          						_v120 = _t54;
                                          						_t42 =  *_t54;
                                          					} while (_t42 != 0 && _t42 != 0x22);
                                          					if( *_t54 == 0x22) {
                                          						L6:
                                          						_t54 = _t54 + 1;
                                          						_v120 = _t54;
                                          					}
                                          				}
                                          				_t36 =  *_t54;
                                          				if(_t36 != 0 && _t36 <= 0x20) {
                                          					goto L6;
                                          				}
                                          				_v96.dwFlags = 0;
                                          				GetStartupInfoA( &_v96);
                                          				if((_v96.dwFlags & 0x00000001) == 0) {
                                          					_t38 = 0xa;
                                          				} else {
                                          					_t38 = _v96.wShowWindow & 0x0000ffff;
                                          				}
                                          				_push(_t38);
                                          				_push(_t54);
                                          				_push(0);
                                          				_push(GetModuleHandleA(0));
                                          				_t40 = E00407118(_t47);
                                          				_v108 = _t40;
                                          				exit(_t40); // executed
                                          				_t41 = _v24;
                                          				_t49 =  *((intOrPtr*)( *_t41));
                                          				_v124 = _t49;
                                          				_push(_t41);
                                          				_push(_t49);
                                          				L0041951A();
                                          				return _t41;
                                          			}





























                                          0x004194f8
                                          0x004194f9
                                          0x00419500

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
                                          • String ID: tA
                                          • API String ID: 801014965-3672045730
                                          • Opcode ID: dc2780e643d3aa43d0ff02281ab66ad3744fe9223783811662e40d569e6ea4b7
                                          • Instruction ID: 2bf29183f708790e43ece5c4b13c67657fe3397540b73bc69793bae2ed7e9e0f
                                          • Opcode Fuzzy Hash: dc2780e643d3aa43d0ff02281ab66ad3744fe9223783811662e40d569e6ea4b7
                                          • Instruction Fuzzy Hash: 9D41AAB5D44308AFCB21DFA5DC55AEA7FB8EB09314F20412FE841A7291D7785C82CB59
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph
                                          [Figure: control-flow graph of the function starting at 0x402d99; legend: Executed / Not Executed]
                                          C-Code - Quality: 83%
                                          			E00402D99(intOrPtr* __ecx, void* __edx, void* __eflags) {
                                          				char _v5;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				char* _v20;
                                          				signed int _v24;
                                          				char* _v28;
                                          				signed int _v32;
                                          				short _v36;
                                          				short _v40;
                                          				intOrPtr* _v44;
                                          				char _v56;
                                          				char _v68;
                                          				char _v80;
                                          				signed int _v88;
                                          				char _v92;
                                          				short _v94;
                                          				char _v96;
                                          				char _v104;
                                          				signed int _t93;
                                          				signed int _t96;
                                          				signed int _t97;
                                          				signed int _t98;
                                          				intOrPtr _t100;
                                          				intOrPtr _t102;
                                          				intOrPtr* _t104;
                                          				signed int _t105;
                                          				signed int _t108;
                                          				signed int _t109;
                                          				signed int _t110;
                                          				signed int _t111;
                                          				signed int _t114;
                                          				signed int _t115;
                                          				signed int _t118;
                                          				signed int _t119;
                                          				char* _t132;
                                          				intOrPtr _t147;
                                          				void* _t175;
                                          				signed int _t177;
                                          				char* _t181;
                                          				intOrPtr _t182;
                                          				signed int _t186;
                                          				intOrPtr _t190;
                                          				intOrPtr _t191;
                                          
                                          				_t175 = __edx;
                                          				 *0x41e774 =  *0x41e774 & 0xfffffff7;
                                          				_v44 = __ecx;
                                          				_v40 = 0;
                                          				_t93 = E00401341(0x41e7b8, __eflags);
                                          				if(_t93 != 0) {
                                          					__eflags =  *0x41e8d8 - 2;
                                          					if( *0x41e8d8 == 2) {
                                          						L9:
                                          						_push(0x48);
                                          						L004191BC();
                                          						__eflags = _t93;
                                          						if(_t93 == 0) {
                                          							_v36 = 0;
                                          						} else {
                                          							_v36 = E00402671(_t93);
                                          						}
                                          						_t181 = L"ExtractMaskInclude";
                                          						E00402D2C(_t181);
                                          						_t132 = L"ExtractMaskExclude";
                                          						E00402D2C(_t132);
                                          						__eflags =  *0x41e774 & 0x00000020;
                                          						_v28 = _t132;
                                          						_v20 = _t181;
                                          						if(( *0x41e774 & 0x00000020) != 0) {
                                          							_v28 = _t181;
                                          							_v20 = _t132;
                                          						}
                                          						_t96 = E00405041();
                                          						__eflags = _t96;
                                          						if(_t96 == 0) {
                                          							E00411B60(E00411B60(_t96,  &_v104),  &_v92);
                                          							E00411BE5( &_v104, _v20);
                                          							E00411BE5( &_v92, 0x41abb8);
                                          							E00402963( &_v104, 0x41e7a0, 0,  &_v104);
                                          							_push(_v92);
                                          							L004191B0();
                                          							_push(_v104);
                                          							L004191B0();
                                          						}
                                          						_t97 = E004011CA(0x41e7b8);
                                          						_t177 = 4;
                                          						_v32 = _t97;
                                          						_t178 = _t97 * _t177 >> 0x20;
                                          						_t98 = _t97 * _t177;
                                          						_push( ~(0 | __eflags > 0x00000000) | _t98);
                                          						L004191BC();
                                          						_t182 = 0;
                                          						_t186 = 0;
                                          						_v24 = _t98;
                                          						__eflags = _v32;
                                          						if(_v32 <= 0) {
                                          							L39:
                                          							_t147 = _v36;
                                          							 *((intOrPtr*)(_t147 + 0x30)) = _v24;
                                          							 *(_t147 + 0x34) = _t186;
                                          							__eflags = _t186;
                                          							if(_t186 != 0) {
                                          								_t102 = E0040284E(_t147, _t178,  *_v44); // executed
                                          								_v40 = _t102;
                                          							}
                                          							_push(_v24);
                                          							L004191B0();
                                          							_t100 = _v40;
                                          							L42:
                                          							L43:
                                          							return _t100;
                                          						} else {
                                          							do {
                                          								_v88 = _v88 & 0;
                                          								_t178 =  &_v96;
                                          								_v96 = 0;
                                          								_v94 = 0;
                                          								_t104 =  *0x41e7c0; // 0x562608
                                          								_t105 =  *((intOrPtr*)( *_t104 + 0x18))(_t104, _t182, 3,  &_v96);
                                          								__eflags = _t105;
                                          								if(_t105 != 0) {
                                          									goto L38;
                                          								}
                                          								__eflags = _v96 - 8;
                                          								if(_v96 != 8) {
                                          									goto L38;
                                          								}
                                          								E00411B84( &_v56, _v88);
                                          								_v16 = _v16 & 0x00000000;
                                          								_t40 =  &_v12;
                                          								 *_t40 = _v12 & 0x00000000;
                                          								__eflags =  *_t40;
                                          								do {
                                          									_t178 =  &_v12;
                                          									_t108 = E00405041();
                                          									__eflags = _t108;
                                          									if(_t108 == 0) {
                                          										break;
                                          									}
                                          									_v12 = _v12 + 1;
                                          									E00411B84( &_v68, _t108);
                                          									_t178 =  &_v56;
                                          									_t118 = E0041200B( &_v68,  &_v56);
                                          									_push(_v68);
                                          									__eflags = _t118;
                                          									_v5 = _t118 != 0;
                                          									L004191B0();
                                          									__eflags = _v5;
                                          									if(_v5 != 0) {
                                          										_t178 = _v28;
                                          										_t119 = E00402577(_t182, _v28);
                                          										__eflags = _t119;
                                          										if(_t119 != 0) {
                                          											 *((intOrPtr*)(_v24 + _t186 * 4)) = _t182;
                                          											_t186 = _t186 + 1;
                                          											__eflags = _t186;
                                          										}
                                          										_v16 = 1;
                                          									}
                                          									__eflags = _v16;
                                          								} while (_v16 == 0);
                                          								_v12 = _v12 & 0x00000000;
                                          								__eflags = _v16;
                                          								if(_v16 != 0) {
                                          									L37:
                                          									_push(_v56);
                                          									L004191B0();
                                          									goto L38;
                                          								} else {
                                          									goto L27;
                                          								}
                                          								do {
                                          									L27:
                                          									_t178 =  &_v12;
                                          									_t109 = E00405041();
                                          									__eflags = _t109;
                                          									if(_t109 == 0) {
                                          										break;
                                          									}
                                          									_v12 = _v12 + 1;
                                          									E00411B84( &_v80, _t109);
                                          									_t178 =  &_v56;
                                          									_t114 = E0041200B( &_v80,  &_v56);
                                          									_push(_v80);
                                          									__eflags = _t114;
                                          									L004191B0();
                                          									__eflags = _t132 & 0xffffff00 | _t114 != 0x00000000;
                                          									if((_t132 & 0xffffff00 | _t114 != 0x00000000) != 0) {
                                          										_t178 = _v20;
                                          										_t115 = E00402577(_t182, _v20);
                                          										__eflags = _t115;
                                          										if(_t115 != 0) {
                                          											 *((intOrPtr*)(_v24 + _t186 * 4)) = _t182;
                                          											_t186 = _t186 + 1;
                                          											__eflags = _t186;
                                          										}
                                          										_v16 = 1;
                                          									}
                                          									__eflags = _v16;
                                          									_t132 = L"ExtractMaskExclude";
                                          								} while (_v16 == 0);
                                          								__eflags = _v16;
                                          								if(_v16 == 0) {
                                          									_t178 = _t132;
                                          									_t110 = E004115B0(_t132);
                                          									__eflags = _t110;
                                          									if(_t110 == 0) {
                                          										_t178 = L"ExtractMaskInclude";
                                          										_t111 = E00402577(_t182, L"ExtractMaskInclude");
                                          										__eflags = _t111;
                                          										if(_t111 != 0) {
                                          											 *((intOrPtr*)(_v24 + _t186 * 4)) = _t182;
                                          											_t186 = _t186 + 1;
                                          											__eflags = _t186;
                                          										}
                                          									}
                                          								}
                                          								goto L37;
                                          								L38:
                                          								E004114AA( &_v96);
                                          								_t182 = _t182 + 1;
                                          								__eflags = _t182 - _v32;
                                          							} while (_t182 < _v32);
                                          							goto L39;
                                          						}
                                          					}
                                          					_t93 = E00404772( *__ecx, _t175); // executed
                                          					__eflags = _t93;
                                          					if(_t93 != 0) {
                                          						goto L9;
                                          					} else {
                                          						_t100 = 0x80004005;
                                          						goto L43;
                                          					}
                                          				}
                                          				_t190 =  *0x41e700; // 0x0
                                          				if(_t190 != 0) {
                                          					L4:
                                          					_push(0x13);
                                          					L5:
                                          					_pop(_t128);
                                          					_push(0);
                                          					E0040976C(_t175);
                                          					_t100 = 0x80004005;
                                          					goto L42;
                                          				}
                                          				_t191 =  *0x41e704; // 0x0
                                          				if(_t191 != 0) {
                                          					goto L4;
                                          				} else {
                                          					_push(8);
                                          					goto L5;
                                          				}
                                          			}
                                          0x00402dd3
                                          0x00402dd3
                                          0x00000000
                                          0x00402dd3

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: ??3@$??2@
                                          • String ID: ExtractMaskExclude$ExtractMaskInclude$PreExtract
                                          • API String ID: 4113381792-1386291556
                                          • Opcode ID: 8f858b53243f22e6ec3a451f02c0319cfefc6a0783070d4974822e09e98280d7
                                          • Instruction ID: 7269ace4ee49ce545d33163e420a246a4dc032d25f4e3fe66d88e93700a2274f
                                          • Opcode Fuzzy Hash: 8f858b53243f22e6ec3a451f02c0319cfefc6a0783070d4974822e09e98280d7
                                          • Instruction Fuzzy Hash: E1816B70E002099BDF14EFA2C955AEEBBB5AF44314F10406FE902BB2D1EB785D85CB49
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          C-Code - Quality: 83%
                                          			E0040391C(void* __edx) {
                                          				struct tagRECT _v20;
                                          				struct tagMSG _v48;
                                          				struct HWND__* _t9;
                                          				int _t21;
                                          				int _t27;
                                          				void* _t28;
                                          				struct HWND__* _t29;
                                          
                                          				_t28 = __edx;
                                          				_t9 = CreateWindowExW(0x80, L"tooltips_class32", L"sfx", 0, 0, 0, 0, 0, 0, 0, GetModuleHandleW(0), 0); // executed
                                          				_t29 = _t9;
                                          				GetWindowRect(GetDesktopWindow(),  &_v20);
                                          				asm("cdq");
                                          				asm("cdq");
                                          				_t21 = SetWindowPos(_t29, 0, _v20.right - _v20.left - _t28 >> 1, _v20.bottom - _v20.top - _t28 >> 1, 0, 0, 4);
                                          				if(_t29 != 0) {
                                          					SetTimer(_t29, 1, 1, 0); // executed
                                          					GetMessageW( &_v48, 0, 0, 0);
                                          					DispatchMessageW( &_v48);
                                          					_t27 = KillTimer(_t29, 1);
                                          					 *0x41e72c = _t29;
                                          					return _t27;
                                          				}
                                          				return _t21;
                                          			}











                                          APIs
                                          • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,00406147,?,00000000), ref: 00403928
                                          • CreateWindowExW.USER32 ref: 00403945
                                          • GetDesktopWindow.USER32 ref: 00403951
                                          • GetWindowRect.USER32 ref: 00403958
                                          • SetWindowPos.USER32(00000000,00000000,?,00406147,00000000,00000000,00000004), ref: 0040397C
                                          • SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 0040398C
                                          • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00403999
                                          • DispatchMessageW.USER32 ref: 004039A3
                                          • KillTimer.USER32(00000000,00000001,?,?,?,?,?,?,?,?,?,?,00406147,?,00000000), ref: 004039AC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: Window$MessageTimer$CreateDesktopDispatchHandleKillModuleRect
                                          • String ID: sfx$tooltips_class32
                                          • API String ID: 3184818434-2224206080
                                          • Opcode ID: 1e623c50025d9644a4636d0dfc4539322a9a884a8d1c9db3723c20974edf1361
                                          • Instruction ID: bab660aaf1360166561ca95da768f7ace0d5693b3f23dfe4253bd0ab20d9046d
                                          • Opcode Fuzzy Hash: 1e623c50025d9644a4636d0dfc4539322a9a884a8d1c9db3723c20974edf1361
                                          • Instruction Fuzzy Hash: E411AC72902224BFCB109BB99C4CEEF3F7DEB49721F008020F605E2290CA749040CBBA
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph 741 415aa4-415b26 ??3@YAXPAX@Z * 12
                                          C-Code - Quality: 37%
                                          			E00415AA4(void* __ecx) {
                                          				void* _t24;
                                          
                                          				_push( *((intOrPtr*)(__ecx + 0xd8)));
                                          				L004191B0();
                                          				_push( *((intOrPtr*)(__ecx + 0xd0)));
                                          				L004191B0();
                                          				_push( *((intOrPtr*)(__ecx + 0xc4)));
                                          				L004191B0();
                                          				_push( *((intOrPtr*)(__ecx + 0xb8)));
                                          				L004191B0();
                                          				_push( *((intOrPtr*)(__ecx + 0xac)));
                                          				L004191B0();
                                          				_push( *((intOrPtr*)(__ecx + 0xa0)));
                                          				L004191B0(); // executed
                                          				_push( *((intOrPtr*)(__ecx + 0x94)));
                                          				L004191B0();
                                          				_push( *((intOrPtr*)(__ecx + 0x88)));
                                          				L004191B0();
                                          				_push( *((intOrPtr*)(__ecx + 0x7c)));
                                          				L004191B0();
                                          				_push( *((intOrPtr*)(__ecx + 0x70)));
                                          				L004191B0();
                                          				_push( *((intOrPtr*)(__ecx + 0x64)));
                                          				L004191B0();
                                          				_push( *((intOrPtr*)(__ecx + 0x58)));
                                          				L004191B0(); // executed
                                          				_pop(_t30);
                                          				_push( *((intOrPtr*)(__ecx + 0x4c)));
                                          				L004191B0();
                                          				_push( *((intOrPtr*)(__ecx + 0x3c)));
                                          				L004191B0();
                                          				_push( *((intOrPtr*)(__ecx + 0x38)));
                                          				L004191B0();
                                          				_push( *((intOrPtr*)(__ecx + 0x34)));
                                          				L004191B0();
                                          				_push( *((intOrPtr*)(__ecx + 0x30)));
                                          				L004191B0();
                                          				_push( *((intOrPtr*)(__ecx + 0x2c)));
                                          				L004191B0();
                                          				_push( *((intOrPtr*)(__ecx + 0x28)));
                                          				L004191B0();
                                          				_push( *((intOrPtr*)(__ecx + 0x24)));
                                          				L004191B0();
                                          				_push( *((intOrPtr*)(__ecx + 0x18)));
                                          				L004191B0();
                                          				_push( *((intOrPtr*)(__ecx + 0xc)));
                                          				L004191B0();
                                          				_push( *((intOrPtr*)(__ecx + 8)));
                                          				L004191B0();
                                          				return _t24;
                                          			}





                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: ??3@
                                          • String ID:
                                          • API String ID: 613200358-0
                                          • Opcode ID: ee5c647a9145366ad475bcc1a3065cb9f7a0338d0e16d6b021501088ffa184b4
                                          • Instruction ID: aedf86548abd3be3b1bfa100c5c76d75fd36fa784b4736098e5a7a93d74d5829
                                          • Opcode Fuzzy Hash: ee5c647a9145366ad475bcc1a3065cb9f7a0338d0e16d6b021501088ffa184b4
                                          • Instruction Fuzzy Hash: 29F05930110A11BAE6123732DC1ABDAB6B7AF40304F04442FF59B50435CB557CD1D75D
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          C-Code - Quality: 90%
                                          			E00414E08() {
                                          				void* __esi;
                                          				signed int _t244;
                                          				signed int _t248;
                                          				signed int _t253;
                                          				signed int _t257;
                                          				signed int _t259;
                                          				signed int _t260;
                                          				signed int _t261;
                                          				signed int _t267;
                                          				signed int _t268;
                                          				signed int _t270;
                                          				signed int _t272;
                                          				signed int _t273;
                                          				signed int _t274;
                                          				signed int _t276;
                                          				signed int _t277;
                                          				signed int _t278;
                                          				signed int _t284;
                                          				signed int _t285;
                                          				signed int _t286;
                                          				signed int _t288;
                                          				signed int _t289;
                                          				intOrPtr _t296;
                                          				signed int _t298;
                                          				signed int _t299;
                                          				signed int _t304;
                                          				signed int _t306;
                                          				signed int _t307;
                                          				signed int _t313;
                                          				signed int _t315;
                                          				signed int _t316;
                                          				signed int _t331;
                                          				signed int _t341;
                                          				signed int _t342;
                                          				signed int _t343;
                                          				signed int _t344;
                                          				signed int _t376;
                                          				intOrPtr _t398;
                                          				signed int _t404;
                                          				signed int _t416;
                                          				signed int _t423;
                                          				intOrPtr _t425;
                                          				signed int _t426;
                                          				signed int _t428;
                                          				signed int _t429;
                                          				signed int _t431;
                                          				signed int _t432;
                                          				signed int _t433;
                                          				signed int _t434;
                                          				signed int _t436;
                                          				void* _t437;
                                          				signed int _t439;
                                          				signed int _t443;
                                          				intOrPtr* _t445;
                                          				void* _t447;
                                          
                                          				L00419240();
                                          				 *((intOrPtr*)(_t445 - 0x10)) = _t447 - 0xfffffffffffffff0;
                                          				 *(_t445 - 4) = 0;
                                          				_t428 =  *(_t445 + 0x7c);
                                          				_t341 = _t428;
                                          				 *(_t445 + 0x60) = _t341;
                                          				if(_t428 != 0) {
                                          					 *((intOrPtr*)( *_t428 + 4))(_t428);
                                          				}
                                          				 *((intOrPtr*)(_t445 + 0x24)) = 0;
                                          				 *((intOrPtr*)(_t445 + 0x28)) = 0;
                                          				 *(_t445 + 0x7f) =  *((intOrPtr*)(_t445 + 0x74)) == 0xffffffff;
                                          				_t443 =  *(_t445 + 0x6c);
                                          				if( *(_t445 + 0x7f) != 0) {
                                          					 *((intOrPtr*)(_t445 + 0x74)) =  *((intOrPtr*)(_t443 + 0x6c));
                                          				}
                                          				if( *((intOrPtr*)(_t445 + 0x74)) != 0) {
                                          					 *(_t445 + 0x1c) =  *(_t445 + 0x1c) | 0xffffffff;
                                          					 *(_t445 + 0x18) = 0;
                                          					_t429 = 0;
                                          					__eflags = 0;
                                          					while(1) {
                                          						 *(_t445 + 0xc) = _t429;
                                          						__eflags = _t429 -  *((intOrPtr*)(_t445 + 0x74));
                                          						if(_t429 >=  *((intOrPtr*)(_t445 + 0x74))) {
                                          							break;
                                          						}
                                          						__eflags =  *(_t445 + 0x7f);
                                          						if( *(_t445 + 0x7f) == 0) {
                                          							_t426 =  *( *((intOrPtr*)(_t445 + 0x70)) + _t429 * 4);
                                          						} else {
                                          							_t426 = _t429;
                                          						}
                                          						_t331 =  *( *((intOrPtr*)(_t443 + 0x12c)) + _t426 * 4);
                                          						 *(_t445 + 0x6c) = _t331;
                                          						__eflags = _t331 - 0xffffffff;
                                          						if(_t331 == 0xffffffff) {
                                          							L21:
                                          							_t429 = _t429 + 1;
                                          							continue;
                                          						} else {
                                          							__eflags = _t331 -  *(_t445 + 0x1c);
                                          							if(_t331 !=  *(_t445 + 0x1c)) {
                                          								L16:
                                          								_t416 =  *( *((intOrPtr*)(_t443 + 0x128)) + _t331 * 4);
                                          								 *(_t445 + 0x18) = _t416;
                                          								L17:
                                          								 *(_t445 + 0x38) = _t416;
                                          								while(1) {
                                          									__eflags =  *(_t445 + 0x38) - _t426;
                                          									if( *(_t445 + 0x38) > _t426) {
                                          										break;
                                          									}
                                          									 *((intOrPtr*)(_t445 + 0x24)) =  *((intOrPtr*)(_t445 + 0x24)) +  *((intOrPtr*)( *(_t445 + 0x38) * 0x18 +  *((intOrPtr*)(_t443 + 0x68))));
                                          									asm("adc [ebp+0x28], eax");
                                          									 *(_t445 + 0x38) =  *(_t445 + 0x38) + 1;
                                          									_t341 =  *(_t445 + 0x60);
                                          									_t331 =  *(_t445 + 0x6c);
                                          								}
                                          								_t416 = _t426 + 1;
                                          								 *(_t445 + 0x18) = _t416;
                                          								 *(_t445 + 0x1c) = _t331;
                                          								_t429 =  *(_t445 + 0xc);
                                          								goto L21;
                                          							}
                                          							__eflags = _t426 - _t416;
                                          							if(_t426 >= _t416) {
                                          								goto L17;
                                          							}
                                          							goto L16;
                                          						}
                                          					}
                                          					_t244 =  *((intOrPtr*)( *_t341 + 0xc))(_t341,  *((intOrPtr*)(_t445 + 0x24)),  *((intOrPtr*)(_t445 + 0x28)));
                                          					__eflags = _t244;
                                          					if(_t244 == 0) {
                                          						_push(0x38);
                                          						L004191BC();
                                          						__eflags = _t244;
                                          						if(_t244 == 0) {
                                          							_t342 = 0;
                                          							__eflags = 0;
                                          						} else {
                                          							_t342 = E004132F1(_t244);
                                          						}
                                          						 *(_t445 + 0x2c) = _t342;
                                          						 *(_t445 + 0x54) = _t342;
                                          						__eflags = _t342;
                                          						if(_t342 != 0) {
                                          							 *((intOrPtr*)( *_t342 + 4))(_t342);
                                          						}
                                          						_t431 =  *(_t445 + 0x60);
                                          						E00413217(_t342, _t431);
                                          						E004140DA(_t445 - 0x7c, __eflags, 1);
                                          						 *(_t445 + 0x5c) =  *(_t445 + 0x5c) & 0x00000000;
                                          						_t248 =  *((intOrPtr*)( *_t431))(_t431, 0x41a500, _t445 + 0x5c, 0);
                                          						_push(0x38);
                                          						L004191BC();
                                          						__eflags = _t248;
                                          						if(_t248 == 0) {
                                          							_t248 = 0;
                                          							__eflags = 0;
                                          						} else {
                                          							 *_t248 = 0x41c250;
                                          							 *((intOrPtr*)(_t248 + 4)) = 0;
                                          							 *_t248 = 0x41c75c;
                                          							 *((intOrPtr*)(_t248 + 8)) = 0;
                                          							 *((short*)(_t248 + 0xc)) = 0x100;
                                          							 *((intOrPtr*)(_t248 + 0x30)) = 0;
                                          						}
                                          						_t432 = _t248;
                                          						 *(_t445 + 0x3c) = _t432;
                                          						 *(_t445 + 0x50) = _t432;
                                          						__eflags = _t432;
                                          						if(_t432 != 0) {
                                          							 *((intOrPtr*)( *_t432 + 4))(_t432);
                                          						}
                                          						 *((intOrPtr*)(_t432 + 0x2c)) = _t443 + 0x10;
                                          						_t73 = _t432 + 0x30; // 0x30
                                          						E004010F2(_t73,  *(_t445 + 0x60));
                                          						__eflags =  *(_t445 + 0x78);
                                          						 *((char*)(_t432 + 0xc)) = 0 |  *(_t445 + 0x78) != 0x00000000;
                                          						__eflags =  *(_t443 + 0x158);
                                          						_t80 =  *(_t443 + 0x158) != 0;
                                          						__eflags = _t80;
                                          						 *((char*)(_t432 + 0xd)) = 0 | _t80;
                                          						 *(_t445 + 0x44) = 0;
                                          						while(1) {
                                          							_t433 =  *(_t445 + 0x50);
                                          							_t343 = E0041320C(_t342);
                                          							__eflags = _t343;
                                          							if(_t343 != 0) {
                                          								break;
                                          							}
                                          							_t253 =  *(_t445 + 0x44);
                                          							__eflags = _t253 -  *((intOrPtr*)(_t445 + 0x74));
                                          							if(_t253 <  *((intOrPtr*)(_t445 + 0x74))) {
                                          								 *((intOrPtr*)(_t445 + 0x30)) = 0;
                                          								 *((intOrPtr*)(_t445 + 0x34)) = 0;
                                          								 *((intOrPtr*)(_t445 + 0x10)) = 0;
                                          								 *((intOrPtr*)(_t445 + 0x14)) = 0;
                                          								__eflags =  *(_t445 + 0x7f);
                                          								if( *(_t445 + 0x7f) == 0) {
                                          									_t434 =  *( *((intOrPtr*)(_t445 + 0x70)) + _t253 * 4);
                                          								} else {
                                          									_t434 = _t253;
                                          								}
                                          								_t344 =  *( *((intOrPtr*)(_t443 + 0x12c)) + _t434 * 4);
                                          								 *(_t445 - 0x14) = _t344;
                                          								 *(_t445 + 0x40) = 1;
                                          								__eflags = _t344 - 0xffffffff;
                                          								if(_t344 == 0xffffffff) {
                                          									L70:
                                          									asm("sbb ecx, ecx");
                                          									_t257 = E00414DE3( *(_t445 + 0x3c), _t434,  !( ~( *(_t445 + 0x7f) & 0x000000ff)) &  *((intOrPtr*)(_t445 + 0x70)) +  *(_t445 + 0x44) * 0x00000004,  *(_t445 + 0x40));
                                          									 *(_t445 + 0x44) =  *(_t445 + 0x44) +  *(_t445 + 0x40);
                                          									__eflags = _t257;
                                          									if(_t257 == 0) {
                                          										_t259 =  *(_t445 + 0x3c);
                                          										__eflags =  *(_t259 + 0x24);
                                          										if( *(_t259 + 0x24) == 0) {
                                          											L109:
                                          											_t260 =  *(_t445 + 0x2c);
                                          											 *((intOrPtr*)(_t260 + 0x28)) =  *((intOrPtr*)(_t260 + 0x28)) +  *((intOrPtr*)(_t445 + 0x30));
                                          											asm("adc [eax+0x2c], ecx");
                                          											 *((intOrPtr*)(_t260 + 0x20)) =  *((intOrPtr*)(_t260 + 0x20)) +  *((intOrPtr*)(_t445 + 0x10));
                                          											asm("adc [eax+0x24], ecx");
                                          											_t342 = _t260;
                                          											continue;
                                          										}
                                          										 *(_t445 + 0x58) =  *(_t445 + 0x58) & 0x00000000;
                                          										_t261 =  *(_t445 + 0x60);
                                          										__eflags = _t261;
                                          										if(_t261 != 0) {
                                          											_t261 =  *((intOrPtr*)( *_t261))(_t261, 0x41a530, _t445 + 0x58);
                                          										}
                                          										 *(_t445 - 4) = 1;
                                          										 *((char*)(_t445 + 0x7b)) = 0;
                                          										 *((char*)(_t445 + 0x6f)) = 0;
                                          										E00411B60(_t261, _t445);
                                          										_t436 = E004142CC(_t445 - 0x7c, _t445 + 0x30, _t443, __eflags,  *((intOrPtr*)(_t443 + 0xc)),  *((intOrPtr*)(_t443 + 0x108)),  *((intOrPtr*)(_t443 + 0x10c)), _t443 + 0x10, _t344, _t445 + 0x30,  *(_t445 + 0x50),  *(_t445 + 0x54), 0,  *(_t445 + 0x58), _t445 + 0x7b, _t445 + 0x6f, _t445);
                                          										__eflags = _t436 - 1;
                                          										if(_t436 == 1) {
                                          											L87:
                                          											_t376 =  *(_t445 + 0x3c);
                                          											__eflags =  *(_t376 + 0x24);
                                          											 *((char*)(_t445 + 0x4f)) =  *(_t376 + 0x24) == 0;
                                          											__eflags = _t436 - 1;
                                          											_t209 = (0 | _t436 == 0x00000001) + 1; // 0x1
                                          											_t437 = _t209;
                                          											_t267 = E00414D71(_t376, _t437);
                                          											 *(_t445 + 0x40) = _t267;
                                          											__eflags = _t267;
                                          											if(_t267 == 0) {
                                          												__eflags =  *((char*)(_t445 + 0x4f));
                                          												if( *((char*)(_t445 + 0x4f)) == 0) {
                                          													L105:
                                          													_push( *_t445);
                                          													L004191B0();
                                          													_t268 =  *(_t445 + 0x58);
                                          													goto L106;
                                          												}
                                          												_t270 =  *(_t445 + 0x5c);
                                          												__eflags = _t270;
                                          												if(_t270 == 0) {
                                          													goto L105;
                                          												}
                                          												_t436 =  *((intOrPtr*)( *_t270 + 0x14))(_t270, 2, _t344, _t437);
                                          												__eflags = _t436;
                                          												if(_t436 == 0) {
                                          													goto L105;
                                          												}
                                          												goto L102;
                                          											}
                                          											_push( *_t445);
                                          											L004191B0();
                                          											_t284 =  *(_t445 + 0x58);
                                          											__eflags = _t284;
                                          											if(_t284 != 0) {
                                          												 *((intOrPtr*)( *_t284 + 8))(_t284);
                                          											}
                                          											_t285 =  *(_t445 + 0x50);
                                          											__eflags = _t285;
                                          											if(_t285 != 0) {
                                          												 *((intOrPtr*)( *_t285 + 8))(_t285);
                                          											}
                                          											_t286 =  *(_t445 + 0x5c);
                                          											__eflags = _t286;
                                          											if(_t286 != 0) {
                                          												 *((intOrPtr*)( *_t286 + 8))(_t286);
                                          											}
                                          											E00414DA0(_t445 - 0x7c);
                                          											_t288 =  *(_t445 + 0x54);
                                          											__eflags = _t288;
                                          											if(_t288 != 0) {
                                          												 *((intOrPtr*)( *_t288 + 8))(_t288);
                                          											}
                                          											_t289 =  *(_t445 + 0x60);
                                          											__eflags = _t289;
                                          											if(_t289 != 0) {
                                          												 *((intOrPtr*)( *_t289 + 8))(_t289);
                                          											}
                                          											_t278 =  *(_t445 + 0x40);
                                          											goto L110;
                                          										} else {
                                          											__eflags = _t436 - 0x80004001;
                                          											if(_t436 == 0x80004001) {
                                          												goto L87;
                                          											}
                                          											__eflags = _t436;
                                          											if(_t436 != 0) {
                                          												L102:
                                          												_push( *_t445);
                                          												L004191B0();
                                          												_t272 =  *(_t445 + 0x58);
                                          												L103:
                                          												__eflags = _t272;
                                          												if(_t272 != 0) {
                                          													 *((intOrPtr*)( *_t272 + 8))(_t272);
                                          												}
                                          												goto L71;
                                          											}
                                          											_t436 = E00414D71( *(_t445 + 0x3c), 2);
                                          											_push( *_t445);
                                          											L004191B0();
                                          											_t268 =  *(_t445 + 0x58);
                                          											__eflags = _t436;
                                          											if(_t436 == 0) {
                                          												L106:
                                          												__eflags = _t268;
                                          												if(_t268 != 0) {
                                          													 *((intOrPtr*)( *_t268 + 8))(_t268);
                                          												}
                                          												_t230 = _t445 - 4;
                                          												 *_t230 =  *(_t445 - 4) & 0x00000000;
                                          												__eflags =  *_t230;
                                          												goto L109;
                                          											}
                                          											goto L103;
                                          										}
                                          									}
                                          									L71:
                                          									_t273 =  *(_t445 + 0x50);
                                          									__eflags = _t273;
                                          									if(_t273 != 0) {
                                          										 *((intOrPtr*)( *_t273 + 8))(_t273);
                                          									}
                                          									_t274 =  *(_t445 + 0x5c);
                                          									__eflags = _t274;
                                          									if(_t274 != 0) {
                                          										 *((intOrPtr*)( *_t274 + 8))(_t274);
                                          									}
                                          									E00414DA0(_t445 - 0x7c);
                                          									_t276 =  *(_t445 + 0x54);
                                          									__eflags = _t276;
                                          									if(_t276 != 0) {
                                          										 *((intOrPtr*)( *_t276 + 8))(_t276);
                                          									}
                                          									_t277 =  *(_t445 + 0x60);
                                          									__eflags = _t277;
                                          									if(_t277 != 0) {
                                          										 *((intOrPtr*)( *_t277 + 8))(_t277);
                                          									}
                                          									L24:
                                          									_t278 = _t436;
                                          									goto L110;
                                          								} else {
                                          									_t296 =  *((intOrPtr*)(_t443 + 0x18));
                                          									_t398 =  *((intOrPtr*)(_t443 + 0x40));
                                          									_t423 =  *(_t398 + 4 + _t344 * 4);
                                          									 *((intOrPtr*)(_t445 + 0x10)) =  *((intOrPtr*)(_t296 + _t423 * 8)) -  *((intOrPtr*)(_t296 +  *(_t398 + _t344 * 4) * 8));
                                          									asm("sbb edx, [eax+ecx*8+0x4]");
                                          									 *((intOrPtr*)(_t445 + 0x14)) =  *((intOrPtr*)(_t296 + 4 + _t423 * 8));
                                          									_t439 = _t434 + 1;
                                          									__eflags = _t439;
                                          									 *(_t445 + 0x20) = _t439;
                                          									_t344 =  *(_t445 - 0x14);
                                          									_t434 =  *( *((intOrPtr*)(_t443 + 0x128)) + _t344 * 4);
                                          									_t298 =  *(_t445 + 0x44);
                                          									while(1) {
                                          										_t298 = _t298 + 1;
                                          										 *(_t445 + 0x48) = _t298;
                                          										__eflags = _t298 -  *((intOrPtr*)(_t445 + 0x74));
                                          										if(_t298 >=  *((intOrPtr*)(_t445 + 0x74))) {
                                          											break;
                                          										}
                                          										__eflags =  *(_t445 + 0x7f);
                                          										if( *(_t445 + 0x7f) == 0) {
                                          											_t404 =  *( *((intOrPtr*)(_t445 + 0x70)) + _t298 * 4);
                                          										} else {
                                          											_t404 = _t298;
                                          										}
                                          										_t425 =  *((intOrPtr*)(_t443 + 0x12c));
                                          										__eflags =  *((intOrPtr*)(_t425 + _t404 * 4)) - _t344;
                                          										if( *((intOrPtr*)(_t425 + _t404 * 4)) != _t344) {
                                          											break;
                                          										} else {
                                          											__eflags = _t404 -  *(_t445 + 0x20);
                                          											if(_t404 <  *(_t445 + 0x20)) {
                                          												break;
                                          											}
                                          											 *(_t445 + 0x20) = _t404 + 1;
                                          											continue;
                                          										}
                                          									}
                                          									_t299 = _t298 -  *(_t445 + 0x44);
                                          									__eflags = _t299;
                                          									 *(_t445 + 0x40) = _t299;
                                          									 *(_t445 + 0x48) = _t434;
                                          									while(1) {
                                          										__eflags =  *(_t445 + 0x48) -  *(_t445 + 0x20);
                                          										if( *(_t445 + 0x48) >=  *(_t445 + 0x20)) {
                                          											goto L70;
                                          										}
                                          										 *((intOrPtr*)(_t445 + 0x30)) =  *((intOrPtr*)(_t445 + 0x30)) +  *((intOrPtr*)( *(_t445 + 0x48) * 0x18 +  *((intOrPtr*)(_t443 + 0x68))));
                                          										asm("adc [ebp+0x34], eax");
                                          										 *(_t445 + 0x48) =  *(_t445 + 0x48) + 1;
                                          									}
                                          									goto L70;
                                          								}
                                          							}
                                          							__eflags = _t433;
                                          							if(_t433 != 0) {
                                          								 *((intOrPtr*)( *_t433 + 8))(_t433);
                                          							}
                                          							_t304 =  *(_t445 + 0x5c);
                                          							__eflags = _t304;
                                          							if(_t304 != 0) {
                                          								 *((intOrPtr*)( *_t304 + 8))(_t304);
                                          							}
                                          							E00414DA0(_t445 - 0x7c);
                                          							_t306 =  *(_t445 + 0x54);
                                          							__eflags = _t306;
                                          							if(_t306 != 0) {
                                          								 *((intOrPtr*)( *_t306 + 8))(_t306);
                                          							}
                                          							_t307 =  *(_t445 + 0x60);
                                          							__eflags = _t307;
                                          							if(_t307 != 0) {
                                          								 *((intOrPtr*)( *_t307 + 8))(_t307);
                                          							}
                                          							goto L7;
                                          						}
                                          						__eflags = _t433;
                                          						if(_t433 != 0) {
                                          							 *((intOrPtr*)( *_t433 + 8))(_t433);
                                          						}
                                          						_t313 =  *(_t445 + 0x5c);
                                          						__eflags = _t313;
                                          						if(_t313 != 0) {
                                          							 *((intOrPtr*)( *_t313 + 8))(_t313);
                                          						}
                                          						E00414DA0(_t445 - 0x7c);
                                          						_t315 =  *(_t445 + 0x54);
                                          						__eflags = _t315;
                                          						if(_t315 != 0) {
                                          							 *((intOrPtr*)( *_t315 + 8))(_t315);
                                          						}
                                          						_t316 =  *(_t445 + 0x60);
                                          						__eflags = _t316;
                                          						if(_t316 != 0) {
                                          							 *((intOrPtr*)( *_t316 + 8))(_t316);
                                          						}
                                          						_t278 = _t343;
                                          						goto L110;
                                          					}
                                          					 *((intOrPtr*)( *_t341 + 8))(_t341);
                                          					goto L24;
                                          				} else {
                                          					if(_t428 != 0) {
                                          						 *((intOrPtr*)( *_t428 + 8))(_t428);
                                          					}
                                          					L7:
                                          					_t278 = 0;
                                          					L110:
                                          					 *[fs:0x0] =  *((intOrPtr*)(_t445 - 0xc));
                                          					return _t278;
                                          				}
                                          			}
                                          0x0041533a
                                          0x0041533d
                                          0x00000000
                                          0x0041533d
                                          0x004151ae
                                          0x004151b2
                                          0x004151b5
                                          0x004151b7
                                          0x004151c5
                                          0x004151c5
                                          0x004151c7
                                          0x004151cb
                                          0x004151cf
                                          0x004151d6
                                          0x00415213
                                          0x00415215
                                          0x00415218
                                          0x0041524f
                                          0x0041524f
                                          0x00415252
                                          0x00415256
                                          0x0041525c
                                          0x00415262
                                          0x00415262
                                          0x00415266
                                          0x0041526b
                                          0x0041526e
                                          0x00415270
                                          0x004152cc
                                          0x004152d0
                                          0x00415308
                                          0x00415308
                                          0x0041530b
                                          0x00415311
                                          0x00000000
                                          0x00415311
                                          0x004152d2
                                          0x004152d5
                                          0x004152d7
                                          0x00000000
                                          0x00000000
                                          0x004152e3
                                          0x004152e5
                                          0x004152e7
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x004152e7
                                          0x00415272
                                          0x00415275
                                          0x0041527b
                                          0x0041527e
                                          0x00415280
                                          0x00415285
                                          0x00415285
                                          0x00415288
                                          0x0041528b
                                          0x0041528d
                                          0x00415292
                                          0x00415292
                                          0x00415295
                                          0x00415298
                                          0x0041529a
                                          0x0041529f
                                          0x0041529f
                                          0x004152a5
                                          0x004152aa
                                          0x004152ad
                                          0x004152af
                                          0x004152b4
                                          0x004152b4
                                          0x004152b7
                                          0x004152ba
                                          0x004152bc
                                          0x004152c1
                                          0x004152c1
                                          0x004152c4
                                          0x00000000
                                          0x0041521a
                                          0x0041521a
                                          0x00415220
                                          0x00000000
                                          0x00000000
                                          0x00415222
                                          0x00415224
                                          0x004152e9
                                          0x004152e9
                                          0x004152ec
                                          0x004152f1
                                          0x004152f5
                                          0x004152f5
                                          0x004152f7
                                          0x00415300
                                          0x00415300
                                          0x00000000
                                          0x004152f7
                                          0x00415234
                                          0x00415236
                                          0x00415239
                                          0x0041523f
                                          0x00415242
                                          0x00415244
                                          0x00415314
                                          0x00415314
                                          0x00415316
                                          0x0041531b
                                          0x0041531b
                                          0x0041531e
                                          0x0041531e
                                          0x0041531e
                                          0x00000000
                                          0x0041531e
                                          0x00000000
                                          0x0041524a
                                          0x00415218
                                          0x0041515c
                                          0x0041515c
                                          0x0041515f
                                          0x00415161
                                          0x00415166
                                          0x00415166
                                          0x00415169
                                          0x0041516c
                                          0x0041516e
                                          0x00415173
                                          0x00415173
                                          0x00415179
                                          0x0041517e
                                          0x00415181
                                          0x00415183
                                          0x00415188
                                          0x00415188
                                          0x0041518b
                                          0x0041518e
                                          0x00415190
                                          0x00415199
                                          0x00415199
                                          0x00414f02
                                          0x00414f02
                                          0x00000000
                                          0x0041509c
                                          0x0041509c
                                          0x0041509f
                                          0x004150a2
                                          0x004150af
                                          0x004150b6
                                          0x004150ba
                                          0x004150bd
                                          0x004150bd
                                          0x004150be
                                          0x004150c7
                                          0x004150ca
                                          0x004150cd
                                          0x004150d0
                                          0x004150d0
                                          0x004150d1
                                          0x004150d4
                                          0x004150d7
                                          0x00000000
                                          0x00000000
                                          0x004150d9
                                          0x004150dd
                                          0x004150e6
                                          0x004150df
                                          0x004150df
                                          0x004150df
                                          0x004150e9
                                          0x004150ef
                                          0x004150f2
                                          0x00000000
                                          0x004150f4
                                          0x004150f4
                                          0x004150f7
                                          0x00000000
                                          0x00000000
                                          0x004150fa
                                          0x00000000
                                          0x004150fa
                                          0x004150f2
                                          0x004150ff
                                          0x004150ff
                                          0x00415102
                                          0x00415105
                                          0x00415108
                                          0x0041510b
                                          0x0041510e
                                          0x00000000
                                          0x00000000
                                          0x0041511c
                                          0x00415126
                                          0x00415129
                                          0x00415129
                                          0x00000000
                                          0x00415108
                                          0x00415096
                                          0x00415021
                                          0x00415023
                                          0x00415028
                                          0x00415028
                                          0x0041502b
                                          0x0041502e
                                          0x00415030
                                          0x00415035
                                          0x00415035
                                          0x0041503b
                                          0x00415040
                                          0x00415043
                                          0x00415045
                                          0x0041504a
                                          0x0041504a
                                          0x0041504d
                                          0x00415050
                                          0x00415052
                                          0x0041505b
                                          0x0041505b
                                          0x00000000
                                          0x00415052
                                          0x00414fd9
                                          0x00414fdb
                                          0x00414fe0
                                          0x00414fe0
                                          0x00414fe3
                                          0x00414fe6
                                          0x00414fe8
                                          0x00414fed
                                          0x00414fed
                                          0x00414ff3
                                          0x00414ff8
                                          0x00414ffb
                                          0x00414ffd
                                          0x00415002
                                          0x00415002
                                          0x00415005
                                          0x00415008
                                          0x0041500a
                                          0x0041500f
                                          0x0041500f
                                          0x00415012
                                          0x00000000
                                          0x00415012
                                          0x00414eff
                                          0x00000000
                                          0x00414e5a
                                          0x00414e5c
                                          0x00414e61
                                          0x00414e61
                                          0x00414e64
                                          0x00414e64
                                          0x00415420
                                          0x00415423
                                          0x00415431
                                          0x00415431

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: ??3@$??2@$H_prolog
                                          • String ID:
                                          • API String ID: 417953191-0
                                          • Opcode ID: 5ae6475f3b5dae213934e1d90e18f3baad429a0926ac66236314a053213b9912
                                          • Instruction ID: e5ac9cdd0bbed24d41e0b9fd9aa7c31187e14acbe242ba4463aa1c93b9762be3
                                          • Opcode Fuzzy Hash: 5ae6475f3b5dae213934e1d90e18f3baad429a0926ac66236314a053213b9912
                                          • Instruction Fuzzy Hash: 64123B75600649DFCB14DF68C894AEA7BB5BF89304F24416EF81A8B351DB39EC81CB58
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 888 404772-4047a9 lstrlenW call 411b84 call 4042f3 893 4047b0-4047bb 888->893 894 4047ab-4047ae 888->894 895 4047de-4047e7 call 40317a 893->895 894->893 894->895 898 4047e9-4047fc GetSystemTimeAsFileTime GetFileAttributesW 895->898 899 4047cc-4047ce 895->899 902 404813-40481c call 40317a 898->902 903 4047fe-40480a call 4044ea 898->903 900 4047d0-4047d2 899->900 901 4047bd-4047c4 899->901 904 404880-404884 900->904 905 4047d8-4047da 900->905 901->900 908 4047c6-4047c9 901->908 917 40486d-404870 902->917 918 40481e-40482b call 40976c 902->918 903->902 915 40480c-40480e 903->915 910 4048b0-4048c5 call 40976c ??3@YAXPAX@Z 904->910 911 404886-404891 904->911 905->895 908->900 913 4047cb 908->913 927 4048c7-4048cb 910->927 911->910 916 404893-404897 911->916 913->899 922 4048a3-4048ae ??3@YAXPAX@Z 915->922 916->910 923 404899-40489e 916->923 920 404872-40487e ??3@YAXPAX@Z 917->920 921 40482d-40484c memcpy 917->921 918->915 920->927 925 40484e 921->925 926 40485f-404863 921->926 922->927 923->910 928 4048a0-4048a2 923->928 930 40485e 925->930 931 404850-404857 926->931 932 404865-40486b 926->932 928->922 930->926 931->932 933 404859-40485c 931->933 932->902 933->930 933->932
                                          C-Code - Quality: 94%
                                          			E00404772(WCHAR* __ecx, struct _FILETIME* __edx) {
                                          				signed int _v8;
                                          				WCHAR* _v12;
                                          				struct _FILETIME _v20;
                                          				char _v32;
                                          				signed int _t38;
                                          				signed int _t41;
                                          				signed int _t44;
                                          				signed short _t48;
                                          				signed char _t52;
                                          				signed int _t60;
                                          				signed int* _t66;
                                          				void* _t67;
                                          				WCHAR* _t78;
                                          				signed int _t79;
                                          				void* _t81;
                                          				void* _t82;
                                          
                                          				_t77 = __edx;
                                          				_t66 = __ecx;
                                          				_v12 = __ecx;
                                          				_t38 = lstrlenW(__ecx);
                                          				_t79 = _t38;
                                          				_v8 = _t38;
                                          				E00411B84( &_v32, _t66);
                                          				_t78 = E004042F3( &_v32, _t77, 0);
                                          				_t41 =  *(_t66 + _t79 * 2 - 2) & 0x0000ffff;
                                          				if(_t41 == 0x5c || _t41 == 0x2f) {
                                          					 *((short*)(_t78 + _t79 * 2 - 2)) = 0;
                                          					_t79 = _t79 - 1;
                                          					_v8 = _t79;
                                          				}
                                          				while(E0040317A(_t78) == 0) {
                                          					while(_t79 > 0) {
                                          						_t44 = _t78[_t79] & 0x0000ffff;
                                          						if(_t44 == 0x2f || _t44 == 0x5c) {
                                          							break;
                                          						} else {
                                          							_t79 = _t79 - 1;
                                          							continue;
                                          						}
                                          					}
                                          					if(_t79 == 0) {
                                          						if(_v8 != 2) {
                                          							L30:
                                          							E0040976C(_t77, 1, 0xc, _t66);
                                          							_push(_v32);
                                          							L004191B0();
                                          							return 0;
                                          						}
                                          						_t48 =  *_t66 | 0x00000020;
                                          						if(_t48 < 0x61 || _t48 > 0x7a || _t66[0] != 0x3a) {
                                          							goto L30;
                                          						} else {
                                          							_t81 = 1;
                                          							L29:
                                          							_push(_v32);
                                          							L004191B0();
                                          							return _t81;
                                          						}
                                          					}
                                          					_t78[_t79] = 0;
                                          				}
                                          				GetSystemTimeAsFileTime( &_v20);
                                          				_t52 = GetFileAttributesW(_t78); // executed
                                          				if((_t52 & 0x00000010) != 0) {
                                          					L13:
                                          					while(E0040317A(_t78) != 0) {
                                          						if(_t79 < _v8) {
                                          							_t67 =  &(_t78[_t79]);
                                          							memcpy(_t67, _v12 + _t79 * 2, _v8 - _t79 + 1);
                                          							_t82 = _t82 + 0xc;
                                          							if( *_t67 == 0) {
                                          								L20:
                                          								if(_t78[_t79] != 0) {
                                          									_t60 = _t78[_t79] & 0x0000ffff;
                                          									if(_t60 == 0x5c || _t60 == 0x2f) {
                                          										goto L21;
                                          									} else {
                                          										L19:
                                          										_t79 = _t79 + 1;
                                          										goto L20;
                                          									}
                                          								}
                                          								L21:
                                          								_t78[_t79] = 0;
                                          								continue;
                                          							}
                                          							goto L19;
                                          						}
                                          						_push(_v32);
                                          						L004191B0();
                                          						return 1;
                                          					}
                                          					E0040976C(_t77, 1, 0xc, _t78);
                                          					L12:
                                          					_t81 = 0;
                                          					goto L29;
                                          				}
                                          				_t77 =  &_v20;
                                          				if(E004044EA(_t78,  &_v20) == 0) {
                                          					goto L13;
                                          				}
                                          				goto L12;
                                          			}




















                                          APIs
                                          • lstrlenW.KERNEL32(?,0041E89C,0041E7B8,00000000,?,?,?,00402DFC,PreExtract,0041AA3C,0041E868), ref: 00404781
                                            • Part of subcall function 00411B84: memcpy.MSVCRT ref: 00411BAA
                                            • Part of subcall function 004042F3: wcsncpy.MSVCRT ref: 00404321
                                            • Part of subcall function 004042F3: ??3@YAXPAX@Z.MSVCRT ref: 0040432C
                                          • GetSystemTimeAsFileTime.KERNEL32(00402DFC,00000000,?,?,0041E89C,0041E7B8,00000000,?,?,?,00402DFC,PreExtract,0041AA3C,0041E868), ref: 004047ED
                                          • GetFileAttributesW.KERNELBASE(00000000,?,?,0041E89C,0041E7B8,00000000,?,?,?,00402DFC,PreExtract,0041AA3C,0041E868), ref: 004047F4
                                          • memcpy.MSVCRT ref: 0040483F
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00404875
                                          • ??3@YAXPAX@Z.MSVCRT ref: 004048A6
                                          • ??3@YAXPAX@Z.MSVCRT ref: 004048BD
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: ??3@$FileTimememcpy$AttributesSystemlstrlenwcsncpy
                                          • String ID:
                                          • API String ID: 1217483450-0
                                          • Opcode ID: e8824e7337aa9ce3abd5236e3cb95cf7dcc064ec73295d4693e6b313caead59d
                                          • Instruction ID: 89c85a9677983eca3fd09eb0c7f4f9a8a3de002ff802481e92c4df94bfbc2cfd
                                          • Opcode Fuzzy Hash: e8824e7337aa9ce3abd5236e3cb95cf7dcc064ec73295d4693e6b313caead59d
                                          • Instruction Fuzzy Hash: F5411ABA900151EADB207BA59841ABF76B4EF85704F548837EA02F32C1E73C8D4283DD
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph 934 405502-405597 LoadLibraryA #17 call 418d50 call 403d6d call 403dc8 * 7 953 405599-4055ab SHGetSpecialFolderPathW 934->953 954 4055f4-4055f8 953->954 955 4055ad-4055cb wsprintfW call 405051 953->955 954->953 957 4055fa-4055fe 954->957 958 4055d0 955->958 959 4055d2-4055d8 958->959 960 4055da-4055e7 call 405051 959->960 961 4055ec-4055f2 959->961 960->961 961->954 961->959
                                          C-Code - Quality: 83%
                                          			E00405502(void* __edx) {
                                          				short _v96;
                                          				char _v620;
                                          				intOrPtr _t11;
                                          				intOrPtr _t12;
                                          				intOrPtr _t13;
                                          				intOrPtr _t14;
                                          				intOrPtr _t15;
                                          				intOrPtr _t16;
                                          				char* _t18;
                                          				WCHAR* _t22;
                                          				WCHAR* _t23;
                                          				WCHAR* _t24;
                                          				WCHAR* _t25;
                                          				WCHAR* _t26;
                                          				WCHAR* _t27;
                                          				WCHAR* _t28;
                                          				void* _t34;
                                          				void* _t35;
                                          				void* _t36;
                                          
                                          				 *0x41e75c = LoadLibraryA("kernel32");
                                          				__imp__#17();
                                          				E00403D6D(E00418D50());
                                          				_t22 = 3;
                                          				_t11 = E00403DC8(_t22);
                                          				_t23 = 0x28;
                                          				 *0x41e760 = _t11;
                                          				_t12 = E00403DC8(_t23);
                                          				_t24 = 2;
                                          				 *0x41e74c = _t12;
                                          				_t13 = E00403DC8(_t24);
                                          				_t25 = 5;
                                          				 *0x41e738 = _t13;
                                          				_t14 = E00403DC8(_t25);
                                          				_t26 = 0x15;
                                          				 *0x41e73c = _t14;
                                          				_t15 = E00403DC8(_t26);
                                          				_t27 = 0x16;
                                          				 *0x41e754 = _t15;
                                          				_t16 = E00403DC8(_t27);
                                          				_t28 = 0x17;
                                          				 *0x41e748 = _t16;
                                          				 *0x41e744 = E00403DC8(_t28);
                                          				 *0x41e758 = 0;
                                          				 *0x41e750 = 0;
                                          				_t34 = 0;
                                          				do {
                                          					_t18 =  &_v620;
                                          					__imp__SHGetSpecialFolderPathW(0, _t18, _t34, 0); // executed
                                          					_t38 = _t18;
                                          					if(_t18 != 0) {
                                          						wsprintfW( &_v96, L"SfxFolder%02d", _t34);
                                          						_t36 = _t36 + 0xc;
                                          						_t18 = E00405051( &_v96,  &_v620, _t38, 1); // executed
                                          						_t35 = 0;
                                          						do {
                                          							_t40 =  *((intOrPtr*)(_t35 + 0x41e45c)) - _t34;
                                          							if( *((intOrPtr*)(_t35 + 0x41e45c)) == _t34) {
                                          								_t6 = _t35 + 0x41e460; // 0x41ba7c
                                          								_t18 = E00405051( *_t6,  &_v620, _t40, 0);
                                          							}
                                          							_t35 = _t35 + 8;
                                          						} while (_t35 < 0x28);
                                          					}
                                          					_t34 = _t34 + 1;
                                          				} while (_t34 < 0x40);
                                          				return _t18;
                                          			}























                                          APIs
                                          • LoadLibraryA.KERNEL32(kernel32,?,?,00000000), ref: 00405513
                                          • #17.COMCTL32(?,?,00000000), ref: 0040551E
                                            • Part of subcall function 00403D6D: GetUserDefaultUILanguage.KERNEL32(0040552E,?,?,00000000), ref: 00403D77
                                            • Part of subcall function 00403DC8: GetLastError.KERNEL32(?,?,00000000), ref: 00403E17
                                            • Part of subcall function 00403DC8: wsprintfW.USER32 ref: 00403E28
                                            • Part of subcall function 00403DC8: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00403E3D
                                            • Part of subcall function 00403DC8: GetLastError.KERNEL32 ref: 00403E42
                                            • Part of subcall function 00403DC8: ??2@YAPAXI@Z.MSVCRT ref: 00403E5D
                                            • Part of subcall function 00403DC8: GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00403E70
                                            • Part of subcall function 00403DC8: GetLastError.KERNEL32 ref: 00403E77
                                            • Part of subcall function 00403DC8: lstrcmpiW.KERNEL32(00000000,00000000), ref: 00403E8C
                                            • Part of subcall function 00403DC8: ??3@YAXPAX@Z.MSVCRT ref: 00403E9C
                                            • Part of subcall function 00403DC8: SetLastError.KERNEL32(?), ref: 00403EC3
                                            • Part of subcall function 00403DC8: lstrlenA.KERNEL32(0041B930), ref: 00403EF9
                                            • Part of subcall function 00403DC8: ??2@YAPAXI@Z.MSVCRT ref: 00403F14
                                            • Part of subcall function 00403DC8: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00403F46
                                            • Part of subcall function 00403DC8: ??3@YAXPAX@Z.MSVCRT ref: 00403EBA
                                            • Part of subcall function 00403DC8: _wtol.MSVCRT(?), ref: 00403F57
                                            • Part of subcall function 00403DC8: MultiByteToWideChar.KERNEL32(00000000,0041B930,00000001,00000000,00000002), ref: 00403F77
                                          • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000,?,?,00000000), ref: 004055A3
                                          • wsprintfW.USER32 ref: 004055B7
                                            • Part of subcall function 00405051: ??3@YAXPAX@Z.MSVCRT ref: 004050B8
                                            • Part of subcall function 00405051: ??3@YAXPAX@Z.MSVCRT ref: 004050C1
                                            • Part of subcall function 00405051: ??3@YAXPAX@Z.MSVCRT ref: 004050C9
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: ??3@$ErrorLast$??2@EnvironmentVariablewsprintf$ByteCharDefaultFolderInfoLanguageLibraryLoadLocaleMultiPathSpecialUserWide_wtollstrcmpilstrlen
                                          • String ID: SfxFolder%02d$kernel32
                                          • API String ID: 2610933736-229743753
                                          • Opcode ID: f4dae4404625ef9a2948513a0aa761a6c12f33f3973d9d946afd58ea3797b650
                                          • Instruction ID: fb37d50bbeb3418e991456411a156af5b0a8a8317b04918dd84ef7d62563be16
                                          • Opcode Fuzzy Hash: f4dae4404625ef9a2948513a0aa761a6c12f33f3973d9d946afd58ea3797b650
                                          • Instruction Fuzzy Hash: 02219076950304AAE720AF77BC4AECA7BA8EF44705F10853FF415A61D0DA384984CF5C
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph 963 40284e-402886 call 40242a CreateThread 966 402888-40288f 963->966 967 4028a9-4028b7 963->967 968 402891-402896 call 408d16 966->968 969 40289b-4028a4 WaitForSingleObject 966->969 970 4028b9-4028bc 967->970 971 4028ef-4028f8 967->971 968->969 969->967 975 4028e3 970->975 976 4028be-4028c1 970->976 973 402958 971->973 974 4028fa-4028fc 971->974 978 40295d-402960 973->978 980 402916-402922 974->980 981 4028fe-40290b GetExitCodeThread 974->981 977 4028e5-4028ed call 40976c 975->977 982 4028c3-4028c6 976->982 983 4028df-4028e1 976->983 977->973 986 402924-402927 980->986 987 40292c-402937 980->987 981->980 985 40290d-402910 981->985 988 4028c8-4028cb 982->988 989 4028db-4028dd 982->989 983->977 985->980 993 402912-402914 985->993 994 402929-40292a 986->994 990 402942-40294e SetLastError 987->990 991 402939-402940 987->991 995 4028d6-4028d9 988->995 996 4028cd-4028d0 988->996 989->977 997 402950-402955 call 40976c 990->997 991->973 991->990 993->978 994->997 995->994 996->973 996->995 997->973
                                          C-Code - Quality: 43%
                                          			E0040284E(void* __ecx, void* __edx, long _a4) {
                                          				long _v8;
                                          				void* _t12;
                                          				void* _t13;
                                          				long _t16;
                                          				int _t18;
                                          				intOrPtr _t23;
                                          				void* _t29;
                                          				void* _t34;
                                          
                                          				_t29 = __edx;
                                          				_push(__ecx);
                                          				_t34 = __ecx;
                                          				E0040242A(__ecx, _a4);
                                          				 *0x41e724 = _t34;
                                          				 *0x41e728 = 0; // executed
                                          				_t12 = CreateThread(0, 0, E00402734, _t34, 0,  &_v8); // executed
                                          				 *0x41e720 = _t12;
                                          				if(_t12 != 0) {
                                          					if( *0x41e770 != 2) {
                                          						E00408D16(_t29);
                                          						_t12 =  *0x41e720; // 0x330
                                          					}
                                          					WaitForSingleObject(_t12, 0xffffffff);
                                          					_t12 =  *0x41e720; // 0x330
                                          				}
                                          				_t23 =  *0x41e728; // 0x0
                                          				 *0x41e8c4 = 0;
                                          				if(_t23 == 0) {
                                          					_a4 = 0;
                                          					__eflags =  *0x41e8cc; // 0x0
                                          					if(__eflags != 0) {
                                          						goto L27;
                                          					} else {
                                          						__eflags = _t12;
                                          						if(_t12 == 0) {
                                          							L20:
                                          							__eflags = (_a4 & 0x80070000) - 0x80070000;
                                          							if((_a4 & 0x80070000) == 0x80070000) {
                                          								_t16 = _a4 & 0x0000ffff;
                                          								__eflags = _t16 - 0xe;
                                          								if(_t16 != 0xe) {
                                          									L25:
                                          									SetLastError(_t16);
                                          									_push(_a4);
                                          									_push(0x22);
                                          									_push(1);
                                          									goto L26;
                                          								} else {
                                          									__eflags =  *0x41e774 - 0xffffffff;
                                          									if( *0x41e774 != 0xffffffff) {
                                          										goto L25;
                                          									}
                                          								}
                                          							} else {
                                          								_push(_a4);
                                          								_push(0x21);
                                          								goto L22;
                                          							}
                                          							goto L27;
                                          						} else {
                                          							_t18 = GetExitCodeThread(_t12,  &_a4); // executed
                                          							__eflags = _t18;
                                          							if(_t18 == 0) {
                                          								goto L20;
                                          							} else {
                                          								__eflags = _a4;
                                          								if(_a4 != 0) {
                                          									goto L20;
                                          								} else {
                                          									_t13 = 0;
                                          								}
                                          							}
                                          						}
                                          					}
                                          				} else {
                                          					if(_t23 == 1) {
                                          						_push(0x11);
                                          						goto L14;
                                          					} else {
                                          						if(_t23 == 2) {
                                          							_push(0x13);
                                          							goto L14;
                                          						} else {
                                          							if(_t23 == 3) {
                                          								_push(0x12);
                                          								L14:
                                          								_push(0);
                                          								E0040976C(_t29);
                                          							} else {
                                          								if(_t23 <= 0x67 || _t23 > 0x6b) {
                                          									_push(_t23);
                                          									_push(0x14);
                                          									L22:
                                          									_push(0);
                                          									L26:
                                          									E0040976C(_t29);
                                          								}
                                          							}
                                          						}
                                          					}
                                          					L27:
                                          					_t13 = 0x80004005;
                                          				}
                                          				return _t13;
                                          			}












                                          APIs
                                          • CreateThread.KERNELBASE ref: 00402879
                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00403046,?,PreExtract,0041AA3C,0041E868), ref: 0040289E
                                          • GetExitCodeThread.KERNELBASE(00000000,0041AA3C,?,00403046,?,PreExtract,0041AA3C,0041E868), ref: 00402903
                                          • SetLastError.KERNEL32(0041AA3C,?,00403046,?,PreExtract,0041AA3C,0041E868), ref: 00402943
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: Thread$CodeCreateErrorExitLastObjectSingleWait
                                          • String ID:
                                          • API String ID: 2732711357-0
                                          • Opcode ID: 84fee42053e057f3378805e89464497ff8e350c1136537873458d8e55eef0d4b
                                          • Instruction ID: 8b2ec0040d8b5e9cc765cc96d666c658be7f578e6807eca23fde730058974b68
                                          • Opcode Fuzzy Hash: 84fee42053e057f3378805e89464497ff8e350c1136537873458d8e55eef0d4b
                                          • Instruction Fuzzy Hash: 8C31277A300201BADF356B11DE4DABB3B58FB85350F24823BF911B62D0D6B88881D71E
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph 1012 411604-411612 1013 411614-41161a 1012->1013 1014 41164a-41165f _CxxThrowException 1012->1014 1013->1014 1015 41161c-411647 ??2@YAPAXI@Z memcpy ??3@YAXPAX@Z 1013->1015
                                          C-Code - Quality: 64%
                                          			E00411604(void** __ecx, void* _a4) {
                                          				void* _v0;
                                          				void* _v20;
                                          				void* _t14;
                                          				void* _t16;
                                          				void* _t19;
                                          				void* _t21;
                                          				void* _t22;
                                          				void** _t23;
                                          				void* _t26;
                                          				void* _t27;
                                          				void** _t28;
                                          				void** _t29;
                                          
                                          				_t23 = __ecx;
                                          				_t26 = _a4;
                                          				_t28 = __ecx;
                                          				if(_t26 < __ecx[1] || _t26 >= 0x40000000) {
                                          					_push(0x41c9d4);
                                          					_push( &_a4);
                                          					_a4 = 0x13329ac;
                                          					L00419360();
                                          					asm("int3");
                                          					_t21 = _v20;
                                          					_push(_t28);
                                          					_push(_t26);
                                          					_t29 = _t23;
                                          					if(_t21 >= 0x40000000) {
                                          						_push(0x41c9d4);
                                          						_push( &_v0);
                                          						_v0 = 0x13329ac;
                                          						L00419360();
                                          					}
                                          					_t11 = _t21 + 1; // 0x13329ad
                                          					_t14 = _t11;
                                          					_push(_t14);
                                          					L004191BC();
                                          					_t27 = _t14;
                                          					 *_t27 = 0;
                                          					_push( *_t29);
                                          					L004191B0();
                                          					 *_t29 = _t27;
                                          					_t29[2] = _t21;
                                          					return _t14;
                                          				} else {
                                          					_t16 = _t26 + 1;
                                          					_push(_t16); // executed
                                          					L004191BC(); // executed
                                          					_t22 = _t16;
                                          					_t19 = memcpy(_t22,  *__ecx, __ecx[1] + 1);
                                          					_push( *_t28);
                                          					L004191B0();
                                          					_t28[2] = _t26;
                                          					 *_t28 = _t22;
                                          					return _t19;
                                          				}
                                          			}
















                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: ??2@??3@ExceptionThrowmemcpy
                                          • String ID:
                                          • API String ID: 3462485524-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          [Figure: control-flow graph; legend: Executed, Not Executed]
                                          C-Code - Quality: 100%
                                          			E0040317A(WCHAR* __ecx) {
                                          				int _t2;
                                          				long _t5;
                                          				signed char _t6;
                                          				WCHAR* _t9;
                                          
                                          				_t9 = __ecx;
                                          				_t2 = CreateDirectoryW(__ecx, 0); // executed
                                          				if(_t2 != 0) {
                                          					L7:
                                          					return 1;
                                          				}
                                          				_t5 = GetLastError();
                                          				if(_t5 == 0xb7) {
                                          					_t6 = GetFileAttributesW(_t9); // executed
                                          					if(_t6 == 0xffffffff || (_t6 & 0x00000010) != 0) {
                                          						goto L7;
                                          					} else {
                                          						SetLastError(0xb7);
                                          						L3:
                                          						return 0;
                                          					}
                                          				}
                                          				SetLastError(_t5);
                                          				goto L3;
                                          			}








                                          APIs
                                          • CreateDirectoryW.KERNELBASE(00000000,00000000,00000000,-00000001,004047E5,00000000,?,?,0041E89C,0041E7B8,00000000,?,?,?,00402DFC,PreExtract), ref: 00403181
                                          • GetLastError.KERNEL32(?,?,0041E89C,0041E7B8,00000000,?,?,?,00402DFC,PreExtract,0041AA3C,0041E868), ref: 0040318B
                                          • SetLastError.KERNEL32(000000B7,?,?,0041E89C,0041E7B8,00000000,?,?,?,00402DFC,PreExtract,0041AA3C,0041E868), ref: 0040319B
                                          • GetFileAttributesW.KERNELBASE(00000000,?,?,0041E89C,0041E7B8,00000000,?,?,?,00402DFC,PreExtract,0041AA3C,0041E868), ref: 004031A6
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: ErrorLast$AttributesCreateDirectoryFile
                                          • String ID:
                                          • API String ID: 635176117-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          [Figure: control-flow graph; legend: Executed, Not Executed]
                                          C-Code - Quality: 91%
                                          			E00405E96() {
                                          				WCHAR* _v16;
                                          				int _t9;
                                          				intOrPtr _t10;
                                          				intOrPtr _t15;
                                          				signed int _t20;
                                          				void* _t21;
                                          				void* _t22;
                                          
                                          				_t20 = 0;
                                          				_t21 =  *0x41e78c - _t20; // 0xa0
                                          				if(_t21 > 0) {
                                          					do {
                                          						_t10 =  *0x41e788; // 0x2565d78
                                          						E00411BBA( &_v16,  *((intOrPtr*)(_t10 + _t20 * 4)) + 0xc);
                                          						E0040562E( &_v16, _t21);
                                          						_t15 =  *0x41e788; // 0x2565d78
                                          						_t9 = SetEnvironmentVariableW( *( *(_t15 + _t20 * 4)), _v16); // executed
                                          						_push(_v16);
                                          						L004191B0();
                                          						_t20 = _t20 + 1;
                                          						_t22 = _t20 -  *0x41e78c; // 0xa0
                                          					} while (_t22 < 0);
                                          				}
                                          				return _t9;
                                          			}











                                          APIs
                                            • Part of subcall function 00411BBA: memcpy.MSVCRT ref: 00411BD6
                                          • SetEnvironmentVariableW.KERNELBASE(?,00000000,?,SetEnvironment,00000000,?,00000000), ref: 00405ED0
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00405ED9
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: ??3@EnvironmentVariablememcpy
                                          • String ID: SetEnvironment
                                          • API String ID: 357128876-360490078
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          [Figure: control-flow graph; legend: Executed, Not Executed]
                                          C-Code - Quality: 37%
                                          			E00403FB2() {
                                          				signed short _v40;
                                          				_Unknown_base(*)()* _t3;
                                          
                                          				_t3 = GetProcAddress( *0x41e75c, "GetNativeSystemInfo");
                                          				if(_t3 == 0) {
                                          					return 0;
                                          				} else {
                                          					 *_t3( &_v40); // executed
                                          					return _v40 & 0x0000ffff;
                                          				}
                                          			}






                                          APIs
                                          • GetProcAddress.KERNEL32(GetNativeSystemInfo), ref: 00403FC3
                                          • GetNativeSystemInfo.KERNELBASE(?,?,?,00403FE2,004061EA,00000001,00000001,00000000,?,00000000), ref: 00403FD1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: AddressInfoNativeProcSystem
                                          • String ID: GetNativeSystemInfo
                                          • API String ID: 2220751540-3949249589
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          [Figure: control-flow graph; legend: Executed, Not Executed]
                                          C-Code - Quality: 75%
                                          			E00417EA2(void* __ecx, intOrPtr* _a4, void* _a8, void* _a12, void* _a16, void* _a20) {
                                          				void* _v8;
                                          				void* _v12;
                                          				void* _v16;
                                          				void* _v20;
                                          				void* _v24;
                                          				void* _v32;
                                          				intOrPtr* _t106;
                                          				void* _t148;
                                          				char _t151;
                                          				intOrPtr _t152;
                                          				intOrPtr* _t179;
                                          				void* _t181;
                                          
                                          				_t179 = _a4;
                                          				E0041563D(_t179);
                                          				 *((intOrPtr*)(_t179 + 0xe8)) =  *((intOrPtr*)(__ecx + 0x40));
                                          				_t106 =  *((intOrPtr*)(__ecx + 0x44));
                                          				 *((intOrPtr*)(_t179 + 0xec)) = _t106;
                                          				_t151 =  *((intOrPtr*)(__ecx + 0x56));
                                          				_t181 = __ecx - 1;
                                          				_push(_t181);
                                          				 *((char*)(_t179 + 0xe0)) = _t151;
                                          				_t152 =  *((intOrPtr*)(_t181 + 0x57));
                                          				_t148 = 0;
                                          				asm("fisttp dword [eax+0xe18f]");
                                          				 *_t106 =  *_t106 + _t106;
                                          				 *_t106 =  *_t106;
                                          				asm("lahf");
                                          				asm("loopne 0x2");
                                          				 *_t106 =  *_t106 + _t106;
                                          				 *_t179 =  *_t179 + _t152;
                                          				 *_t106 =  *_t106 + _t106;
                                          				 *0x4E8B6046 =  *((intOrPtr*)(0x4e8b6046)) + _t152;
                                          			}
















                                          APIs
                                            • Part of subcall function 0041563D: ??3@YAXPAX@Z.MSVCRT ref: 0041566D
                                            • Part of subcall function 0041563D: ??3@YAXPAX@Z.MSVCRT ref: 0041567E
                                          • ??2@YAPAXI@Z.MSVCRT ref: 0041800B
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00418029
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00418170
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: ??3@$??2@
                                          • String ID:
                                          • API String ID: 4113381792-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 93%
                                          			E004163FE(void* __ecx, void* __eflags, intOrPtr* _a4, signed int _a8) {
                                          				signed int _v8;
                                          				void* _v12;
                                          				intOrPtr _v16;
                                          				signed int _v20;
                                          				signed int _v24;
                                          				void* __esi;
                                          				signed int _t44;
                                          				void* _t46;
                                          				intOrPtr* _t48;
                                          				signed int _t49;
                                          				void* _t50;
                                          				signed int _t53;
                                          				signed int _t54;
                                          				void* _t56;
                                          				intOrPtr* _t58;
                                          				void* _t60;
                                          				signed int _t64;
                                          				signed int _t66;
                                          				signed int _t69;
                                          				signed int _t73;
                                          				signed int _t81;
                                          				signed int _t84;
                                          				void* _t85;
                                          				void* _t88;
                                          				void* _t98;
                                          				signed int _t101;
                                          				void* _t103;
                                          				signed int _t105;
                                          				void* _t106;
                                          				void* _t107;
                                          
                                          				_t60 = __ecx;
                                          				_t98 = __ecx + 0x50;
                                          				_t44 = E00413818(0x20); // executed
                                          				if(_t44 == 0) {
                                          					if(E0041610D(_t98) == 0) {
                                          						_t46 = _a8;
                                          						__eflags = _t46;
                                          						if(_t46 == 0) {
                                          							L7:
                                          							_push(0x8000); // executed
                                          							L004191BC(); // executed
                                          							_v24 = _v24 & 0x00000000;
                                          							_t7 =  &_v20;
                                          							 *_t7 = _v20 & 0x00000000;
                                          							__eflags =  *_t7;
                                          							_t88 = _t46;
                                          							_v12 = _t88;
                                          							_t64 = 8;
                                          							memcpy(_t88, _t98, _t64 << 2);
                                          							_t107 = _t106 + 0xc;
                                          							while(1) {
                                          								_t66 = _a8;
                                          								_t81 = 0x7fe0;
                                          								__eflags = _t66;
                                          								if(_t66 == 0) {
                                          									goto L13;
                                          								}
                                          								_t53 =  *_t66 - _v24;
                                          								asm("sbb ecx, [ebp-0x10]");
                                          								__eflags =  *(_t66 + 4);
                                          								if(__eflags > 0) {
                                          									goto L13;
                                          								} else {
                                          									if(__eflags < 0) {
                                          										L12:
                                          										_t81 = _t53;
                                          										__eflags = _t53;
                                          										if(_t53 == 0) {
                                          											L30:
                                          											_t101 = 1;
                                          											__eflags = 1;
                                          										} else {
                                          											goto L13;
                                          										}
                                          									} else {
                                          										__eflags = _t53 - 0x7fe0;
                                          										if(_t53 >= 0x7fe0) {
                                          											goto L13;
                                          										} else {
                                          											goto L12;
                                          										}
                                          									}
                                          								}
                                          								L31:
                                          								_push(_v12);
                                          								L004191B0();
                                          								_t44 = _t101;
                                          								goto L3;
                                          								L13:
                                          								_t48 = _a4;
                                          								_v8 = _v8 & 0x00000000;
                                          								_t49 =  *((intOrPtr*)( *_t48 + 0xc))(_t48, _v12 + 0x20, _t81,  &_v8);
                                          								__eflags = _t49;
                                          								if(_t49 != 0) {
                                          									L33:
                                          									_t101 = _t49;
                                          								} else {
                                          									_t69 = _v8;
                                          									__eflags = _t69;
                                          									if(_t69 == 0) {
                                          										goto L30;
                                          									} else {
                                          										_t84 = 0;
                                          										__eflags = 0;
                                          										while(1) {
                                          											_t50 = _v12;
                                          											_t103 = _t50 + _t84 + 1;
                                          											_t85 = _t50 + _t69;
                                          											__eflags = _t103 - _t85;
                                          											if(_t103 > _t85) {
                                          												break;
                                          											} else {
                                          												goto L17;
                                          											}
                                          											while(1) {
                                          												L17:
                                          												__eflags =  *_t103 - 0x37;
                                          												if( *_t103 == 0x37) {
                                          													break;
                                          												}
                                          												__eflags =  *(_t103 + 1) - 0x37;
                                          												if( *(_t103 + 1) == 0x37) {
                                          													_t103 = _t103 + 1;
                                          												} else {
                                          													__eflags =  *(_t103 + 2) - 0x37;
                                          													if( *(_t103 + 2) == 0x37) {
                                          														_t103 = _t103 + 2;
                                          													} else {
                                          														__eflags =  *(_t103 + 3) - 0x37;
                                          														if( *(_t103 + 3) == 0x37) {
                                          															_t103 = _t103 + 3;
                                          															__eflags = _t103;
                                          														} else {
                                          															_t103 = _t103 + 4;
                                          															__eflags = _t103 - _t85;
                                          															if(_t103 <= _t85) {
                                          																continue;
                                          															} else {
                                          															}
                                          														}
                                          													}
                                          												}
                                          												break;
                                          											}
                                          											__eflags = _t103 - _t85;
                                          											if(_t103 > _t85) {
                                          												break;
                                          											} else {
                                          												_v16 = _t103 - _t50;
                                          												_t54 = E0041610D(_t103);
                                          												__eflags = _t54;
                                          												if(_t54 != 0) {
                                          													_t73 = 8;
                                          													_t56 = memcpy(_t60 + 0x50, _t103, _t73 << 2);
                                          													asm("adc ecx, [ebp-0x10]");
                                          													 *((intOrPtr*)(_t60 + 0x40)) =  *((intOrPtr*)(_t60 + 0x40)) + _t56 + _v24;
                                          													_t58 = _a4;
                                          													asm("adc [ebx+0x44], ecx");
                                          													_t105 =  *((intOrPtr*)(_t60 + 0x40)) + 0x20;
                                          													__eflags = _t105;
                                          													asm("adc edi, ecx");
                                          													_t49 =  *((intOrPtr*)( *_t58 + 0x10))(_t58, _t105,  *((intOrPtr*)(_t60 + 0x44)), 0, 0);
                                          													goto L33;
                                          												} else {
                                          													_t69 = _v8;
                                          													_t84 = _v16;
                                          													continue;
                                          												}
                                          											}
                                          											goto L31;
                                          										}
                                          										_v24 = _v24 + _t69;
                                          										asm("adc dword [ebp-0x10], 0x0");
                                          										memmove(_t50, _t50 + _t69, 0x20);
                                          										_t107 = _t107 + 0xc;
                                          										continue;
                                          									}
                                          								}
                                          								goto L31;
                                          							}
                                          						} else {
                                          							__eflags =  *_t46 |  *(_t46 + 4);
                                          							if(( *_t46 |  *(_t46 + 4)) != 0) {
                                          								goto L7;
                                          							} else {
                                          								_t44 = 1;
                                          							}
                                          						}
                                          					} else {
                                          						_t44 = 0;
                                          					}
                                          				}
                                          				L3:
                                          				return _t44;
                                          			}

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: ??2@??3@memmove
                                          • String ID:
                                          • API String ID: 3828600508-0
                                          • Opcode ID: 05b4c57d5140810a10383e9374dc27765931f05c1586b926c1ce6de0da5761ff
                                          • Instruction ID: e46483b1e26eb5a1fabff0b355717e6b670c62617ced1e5d33f235f132d045da
                                          • Opcode Fuzzy Hash: 05b4c57d5140810a10383e9374dc27765931f05c1586b926c1ce6de0da5761ff
                                          • Instruction Fuzzy Hash: 2351B372A00111ABDF28CE58D944AEF77B5EB44344F26805EEC0AA7245D778ED81C79C
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 82%
                                          			E00404E67(intOrPtr __ecx, void* __edx, void* __eflags) {
                                          				intOrPtr _v8;
                                          				char* _v12;
                                          				char* _v16;
                                          				char* _v20;
                                          				char _v32;
                                          				char _v44;
                                          				char _v56;
                                          				void* _t46;
                                          				void* _t54;
                                          				char** _t61;
                                          				void* _t67;
                                          				char** _t74;
                                          				void* _t79;
                                          				char* _t102;
                                          				char* _t105;
                                          				void* _t107;
                                          				char** _t108;
                                          				char** _t109;
                                          
                                          				_t107 = __edx;
                                          				_v8 = __ecx;
                                          				_t46 = E00403FB2(); // executed
                                          				if(_t46 == 0) {
                                          					_v20 = "x86";
                                          					_v16 = "i386";
                                          					goto L5;
                                          				} else {
                                          					_t114 = _t46 - 9;
                                          					if(_t46 == 9) {
                                          						_v20 = "x64";
                                          						_v16 = "amd64";
                                          						L5:
                                          						_v12 = 0;
                                          					} else {
                                          						_v20 = 0;
                                          					}
                                          				}
                                          				E00411743(E00411743(E00411743(_t46,  &_v56),  &_v44),  &_v32);
                                          				_t79 = 0;
                                          				E00404048(0, 0,  &_v56,  &_v44);
                                          				_t54 = E004031BE(_v8, _v56, _t114, _v44,  &_v32); // executed
                                          				if(_t54 != 0) {
                                          					_t79 = 1;
                                          				}
                                          				E004117FD(_t107,  &_v32);
                                          				_t102 = _v20;
                                          				_t108 =  &_v20;
                                          				while(1) {
                                          					_push( &_v44);
                                          					_push( &_v56);
                                          					_t117 = _t102;
                                          					if(_t102 == 0) {
                                          						break;
                                          					}
                                          					E00404048(0, _t102);
                                          					_t61 = E004031BE(_v8, _v56, __eflags, _v44,  &_v32); // executed
                                          					__eflags = _t61;
                                          					if(_t61 != 0) {
                                          						__eflags =  *(_t107 + 4);
                                          						if(__eflags != 0) {
                                          							E00411846(_t107, "\r\n");
                                          						}
                                          						E0041187C(_t107, __eflags,  &_v32);
                                          						_t79 = 1;
                                          					}
                                          					_t108 =  &(_t108[1]);
                                          					__eflags = _t108;
                                          					_t102 =  *_t108;
                                          				}
                                          				E00404048( *0x41e730 & 0x0000ffff, _t102);
                                          				_t67 = E004031BE(_v8, _v56, _t117, _v44,  &_v32); // executed
                                          				_t118 = _t67;
                                          				if(_t67 != 0) {
                                          					_t79 = 1;
                                          				}
                                          				E0041187C(_t107, _t118,  &_v32);
                                          				_t105 = _v20;
                                          				_t109 =  &_v20;
                                          				while(_t105 != 0) {
                                          					E00404048( *0x41e730 & 0x0000ffff, _t105,  &_v56,  &_v44);
                                          					_t74 = E004031BE(_v8, _v56, __eflags, _v44,  &_v32); // executed
                                          					__eflags = _t74;
                                          					if(_t74 != 0) {
                                          						__eflags =  *(_t107 + 4);
                                          						if(__eflags != 0) {
                                          							E00411846(_t107, "\r\n");
                                          						}
                                          						E0041187C(_t107, __eflags,  &_v32);
                                          						_t79 = 1;
                                          					}
                                          					_t109 =  &(_t109[1]);
                                          					__eflags = _t109;
                                          					_t105 =  *_t109;
                                          				}
                                          				_push(_v32);
                                          				L004191B0();
                                          				_push(_v44);
                                          				L004191B0();
                                          				_push(_v56);
                                          				L004191B0();
                                          				return _t79;
                                          			}

                                          APIs
                                            • Part of subcall function 00403FB2: GetProcAddress.KERNEL32(GetNativeSystemInfo), ref: 00403FC3
                                            • Part of subcall function 00403FB2: GetNativeSystemInfo.KERNELBASE(?,?,?,00403FE2,004061EA,00000001,00000001,00000000,?,00000000), ref: 00403FD1
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00404FDA
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00404FE2
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00404FEA
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: ??3@$AddressInfoNativeProcSystem
                                          • String ID:
                                          • API String ID: 3731959171-0
                                          • Opcode ID: e33e23fc289f79d23e08bae7f67791b5ba76fbc04eab8e4b74e67f056a4a3a19
                                          • Instruction ID: 186da13b794c0488880814f39f9d3c8b5d3938503a91300c0f4d7e9b813a1536
                                          • Opcode Fuzzy Hash: e33e23fc289f79d23e08bae7f67791b5ba76fbc04eab8e4b74e67f056a4a3a19
                                          • Instruction Fuzzy Hash: D8411EB1D0100AABCF05EF91D9519EEB77AAF84308B14802BE61177291DB3D9E46CB59
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 88%
                                          			E0040261B(void** __ecx) {
                                          				unsigned int _t13;
                                          				void* _t15;
                                          				signed int _t16;
                                          				void* _t19;
                                          				signed int _t30;
                                          				signed int _t33;
                                          				void** _t35;
                                          				void* _t38;
                                          
                                          				_t35 = __ecx;
                                          				_t1 =  &(_t35[2]); // 0xb8
                                          				_t13 =  *_t1;
                                          				_t38 = __ecx[1] - _t13;
                                          				if(_t38 == 0) {
                                          					_t4 = _t13 + 1; // 0xb9
                                          					_t33 = (_t13 >> 2) + _t4;
                                          					_t30 = 4;
                                          					_t15 = _t33 * _t30;
                                          					_push( ~(0 | _t38 > 0x00000000) | _t15); // executed
                                          					L004191BC(); // executed
                                          					_t19 = _t15;
                                          					_t11 =  &(_t35[1]); // 0xa0
                                          					_t16 =  *_t11;
                                          					if(_t16 != 0) {
                                          						_t16 = memcpy(_t19,  *__ecx, _t16 << 2);
                                          					}
                                          					_push( *_t35);
                                          					L004191B0();
                                          					_t35[2] = _t33;
                                          					 *_t35 = _t19;
                                          					return _t16;
                                          				}
                                          				return _t13;
                                          			}












                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: ??2@??3@memcpy
                                          • String ID:
                                          • API String ID: 1695611338-0
                                          • Opcode ID: b63e4eb1c4a93b9b0a09f8d85fb1a8228d141093d194b50108ce7310c666aaab
                                          • Instruction ID: 3128898482240f30860ec0696dad7cac5071265099a7425bdad65f2bee3c1790
                                          • Opcode Fuzzy Hash: b63e4eb1c4a93b9b0a09f8d85fb1a8228d141093d194b50108ce7310c666aaab
                                          • Instruction Fuzzy Hash: 27F0B4722002016BE7345A2DEC5A867F3D9EF88314714493FF58BD66D5DA759C808618
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 75%
                                          			E00411917(signed int* __ecx, signed int _a4) {
                                          				signed int _t13;
                                          				signed int _t16;
                                          				signed int _t24;
                                          				signed int _t26;
                                          				signed int* _t27;
                                          				void* _t28;
                                          
                                          				_t16 = _a4;
                                          				_t27 = __ecx;
                                          				_t28 = _t16 - 0x40000000;
                                          				if(_t28 >= 0) {
                                          					_push(0x41c9d4);
                                          					_push( &_a4);
                                          					_a4 = 0x13329ad;
                                          					L00419360();
                                          				}
                                          				_t24 = 2;
                                          				_t4 = _t16 + 1; // 0x13329ae
                                          				_t13 = _t4 * _t24;
                                          				_push( ~(0 | _t28 > 0x00000000) | _t13); // executed
                                          				L004191BC(); // executed
                                          				_t26 = _t13;
                                          				 *_t26 = 0;
                                          				_push( *_t27);
                                          				L004191B0();
                                          				 *_t27 = _t26;
                                          				_t27[2] = _t16;
                                          				return 0;
                                          			}










                                          APIs
                                          • _CxxThrowException.MSVCRT(013329AD,0041C9D4), ref: 0041193A
                                          • ??2@YAPAXI@Z.MSVCRT ref: 00411951
                                          • ??3@YAXPAX@Z.MSVCRT ref: 0041195F
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: ??2@??3@ExceptionThrow
                                          • String ID:
                                          • API String ID: 414134242-0
                                          • Opcode ID: d5e9e71626710055a40bb0868ba1c42c4ff7af0dbc0a279177b6b2bf64096602
                                          • Instruction ID: c621846103c8ddcb65026c60fb07db005e1f9199828ea9e7cb675591bcc0e13e
                                          • Opcode Fuzzy Hash: d5e9e71626710055a40bb0868ba1c42c4ff7af0dbc0a279177b6b2bf64096602
                                          • Instruction Fuzzy Hash: 0EF0E9731102057FD7049F2AD8869DAF7EDEF44354B20803FF549C6150D63198C0876C
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 36%
                                          			E00415D30(void* __eax, void* __ecx) {
                                          
                                          				_push( *((intOrPtr*)(__ecx + 0x11c)));
                                          				L004191B0(); // executed
                                          				_push( *((intOrPtr*)(__ecx + 0x118)));
                                          				L004191B0();
                                          				_push( *((intOrPtr*)(__ecx + 0x108)));
                                          				L004191B0();
                                          				_pop(_t34);
                                          				_push( *((intOrPtr*)(__ecx + 0xd8)));
                                          				L004191B0();
                                          				_push( *((intOrPtr*)(__ecx + 0xd0)));
                                          				L004191B0();
                                          				_push( *((intOrPtr*)(__ecx + 0xc4)));
                                          				L004191B0();
                                          				_push( *((intOrPtr*)(__ecx + 0xb8)));
                                          				L004191B0();
                                          				_push( *((intOrPtr*)(__ecx + 0xac)));
                                          				L004191B0();
                                          				_push( *((intOrPtr*)(__ecx + 0xa0)));
                                          				L004191B0(); // executed
                                          				_push( *((intOrPtr*)(__ecx + 0x94)));
                                          				L004191B0();
                                          				_push( *((intOrPtr*)(__ecx + 0x88)));
                                          				L004191B0();
                                          				_push( *((intOrPtr*)(__ecx + 0x7c)));
                                          				L004191B0();
                                          				_push( *((intOrPtr*)(__ecx + 0x70)));
                                          				L004191B0();
                                          				_push( *((intOrPtr*)(__ecx + 0x64)));
                                          				L004191B0();
                                          				_push( *((intOrPtr*)(__ecx + 0x58)));
                                          				L004191B0(); // executed
                                          				_pop(_t36);
                                          				_push( *((intOrPtr*)(__ecx + 0x4c)));
                                          				L004191B0();
                                          				_push( *((intOrPtr*)(__ecx + 0x3c)));
                                          				L004191B0();
                                          				_push( *((intOrPtr*)(__ecx + 0x38)));
                                          				L004191B0();
                                          				_push( *((intOrPtr*)(__ecx + 0x34)));
                                          				L004191B0();
                                          				_push( *((intOrPtr*)(__ecx + 0x30)));
                                          				L004191B0();
                                          				_push( *((intOrPtr*)(__ecx + 0x2c)));
                                          				L004191B0();
                                          				_push( *((intOrPtr*)(__ecx + 0x28)));
                                          				L004191B0();
                                          				_push( *((intOrPtr*)(__ecx + 0x24)));
                                          				L004191B0();
                                          				_push( *((intOrPtr*)(__ecx + 0x18)));
                                          				L004191B0();
                                          				_push( *((intOrPtr*)(__ecx + 0xc)));
                                          				L004191B0();
                                          				_push( *((intOrPtr*)(__ecx + 8)));
                                          				L004191B0();
                                          				return __eax;
                                          			}




                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: ??3@
                                          • String ID:
                                          • API String ID: 613200358-0
                                          • Opcode ID: 8a3a0fc4c3cea85da8b42a7490f166ff463695d42afaefd4c1fb1d8e787c7585
                                          • Instruction ID: 746a3b8063290cb8a27dd3b0efd85bc8f020a2dfa1b48a4722d0d1985bc733d5
                                          • Opcode Fuzzy Hash: 8a3a0fc4c3cea85da8b42a7490f166ff463695d42afaefd4c1fb1d8e787c7585
                                          • Instruction Fuzzy Hash: A3D01231540511A7D6163621DC176D9B6739F40304F08043FF59B51165DF952CD197CC
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 52%
                                          			E004031BE(intOrPtr* __ecx, CHAR* __edx, void* __eflags, CHAR* _a4, intOrPtr* _a8) {
                                          				char _v5;
                                          				intOrPtr* _v12;
                                          				char _v16;
                                          				int _v20;
                                          				char _v24;
                                          				char _v28;
                                          				CHAR* _v32;
                                          				int _v36;
                                          				char _v40;
                                          				intOrPtr _v44;
                                          				char _v48;
                                          				intOrPtr* _v52;
                                          				void _v4148;
                                          				intOrPtr* _t66;
                                          				intOrPtr _t73;
                                          				intOrPtr _t74;
                                          				intOrPtr* _t81;
                                          				char _t83;
                                          				intOrPtr* _t86;
                                          				intOrPtr _t92;
                                          				intOrPtr _t95;
                                          				intOrPtr _t99;
                                          				intOrPtr* _t104;
                                          				int _t108;
                                          				void* _t111;
                                          				void* _t112;
                                          
                                          				_t86 = __ecx;
                                          				E00419210(0x1030, __ecx);
                                          				_t104 = _t86;
                                          				_v32 = __edx;
                                          				_v52 = _t104;
                                          				 *((intOrPtr*)( *_t104 + 0x10))(_t104, 0, 0, 0, 0);
                                          				_t66 = _a8;
                                          				 *((intOrPtr*)(_t66 + 4)) = 0;
                                          				 *((char*)( *_t66)) = 0;
                                          				_v20 = lstrlenA(_v32);
                                          				_v36 = lstrlenA(_a4);
                                          				_t108 = 0;
                                          				_v5 = 0;
                                          				_v28 = 0;
                                          				_v24 = 0;
                                          				while(1) {
                                          					L2:
                                          					_push( &_v48);
                                          					_push(0x1000 - _t108);
                                          					_push(_t111 + _t108 - 0x1030);
                                          					_push(_t104); // executed
                                          					if( *((intOrPtr*)( *_t104 + 0xc))() != 0) {
                                          						break;
                                          					}
                                          					_t73 = _v48;
                                          					if(_t73 == 0) {
                                          						break;
                                          					}
                                          					_t74 = _t73 + _t108;
                                          					_v44 = _t74;
                                          					_v16 = 0;
                                          					_v12 =  &_v4148;
                                          					while(1) {
                                          						L5:
                                          						_t92 = _v16;
                                          						_t99 = _t74;
                                          						if(_v5 == 0) {
                                          							break;
                                          						}
                                          						if(_t92 > _t99 - _v36) {
                                          							L14:
                                          							_v28 = _v28 + _t92;
                                          							_t108 = _t74 - _t92;
                                          							asm("adc [ebp-0x14], ebx");
                                          							memmove( &_v4148, _t111 + _t92 - 0x1030, _t108);
                                          							_t112 = _t112 + 0xc;
                                          							if(_v24 > 0 || _v28 > 0x100000) {
                                          								return 0 |  *((intOrPtr*)(_a8 + 4)) != 0x00000000;
                                          							} else {
                                          								_t104 = _v52;
                                          								goto L2;
                                          							}
                                          						}
                                          						_t81 = _v12;
                                          						asm("repe cmpsb");
                                          						if(0 == 0) {
                                          							return 1;
                                          						}
                                          						_t83 =  *_t81;
                                          						_v40 = _t83;
                                          						if(_t83 == 0) {
                                          							goto L18;
                                          						}
                                          						E00403087(_a8, _v40);
                                          						_v16 = _v16 + 1;
                                          						_v12 = _v12 + 1;
                                          						_t74 = _v44;
                                          					}
                                          					if(_t92 > _t99 - _v20) {
                                          						goto L14;
                                          					}
                                          					asm("repe cmpsb");
                                          					if(0 != 0) {
                                          						_v16 = _v16 + 1;
                                          						_v12 = _v12 + 1;
                                          					} else {
                                          						_t95 = _v20;
                                          						_v16 = _v16 + _t95;
                                          						_v12 = _v12 + _t95;
                                          						_v5 = 1;
                                          					}
                                          					goto L5;
                                          				}
                                          				L18:
                                          				return 0;
                                          			}






























                                          APIs
                                          • lstrlenA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,005625D8,00000000,?,00404EE8,?,?,?,?,?), ref: 004031F5
                                          • lstrlenA.KERNEL32(005625D8,?,00000000,00000000,00000000,00000000,?,005625D8,00000000,?,00404EE8,?,?,?,?,?), ref: 004031FD
                                          • memmove.MSVCRT ref: 004032E0
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: lstrlen$memmove
                                          • String ID:
                                          • API String ID: 1832346882-0
                                          • Opcode ID: d3b4572a5035ea254cd94ab5b5b1443f4ae13b851958d648fafb26d562424527
                                          • Instruction ID: 6402f2dcb6e7945984cbe825a7499a6737a03c255d7b5dcfc401763690269d5e
                                          • Opcode Fuzzy Hash: d3b4572a5035ea254cd94ab5b5b1443f4ae13b851958d648fafb26d562424527
                                          • Instruction Fuzzy Hash: 48410371D00258AFCB14DFA9C8948EEBFB9FF48351F1480AAE815B7245D7389E85CB64
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 79%
                                          			E004111BB(void** __ecx, long _a4, long _a8, long _a12, intOrPtr* _a16) {
                                          				long _v8;
                                          				long _t11;
                                          				intOrPtr* _t13;
                                          				void* _t14;
                                          				long _t23;
                                          
                                          				_push(__ecx);
                                          				_v8 = _a8;
                                          				_t11 = SetFilePointer( *__ecx, _a4,  &_v8, _a12); // executed
                                          				_t23 = _t11;
                                          				if(_t23 != 0xffffffff || GetLastError() == 0) {
                                          					asm("adc edx, eax");
                                          					_t13 = _a16;
                                          					 *_t13 = 0 + _t23;
                                          					 *((intOrPtr*)(_t13 + 4)) = _v8;
                                          					_t14 = 1;
                                          				} else {
                                          					_t14 = 0;
                                          				}
                                          				return _t14;
                                          			}









                                          APIs
                                          • SetFilePointer.KERNELBASE(?,?,?,?), ref: 004111D7
                                          • GetLastError.KERNEL32(?,?,?,?), ref: 004111E4
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: ErrorFileLastPointer
                                          • String ID:
                                          • API String ID: 2976181284-0
                                          • Opcode ID: 30d92e823d37ce749e0f7cd4d34f4784bcb9e104199bba823438aa63f853fc4d
                                          • Instruction ID: cdad48c5939bcc49fa85d80ef965e6b95473a265ce0d2249c6c6cde8a06b51fe
                                          • Opcode Fuzzy Hash: 30d92e823d37ce749e0f7cd4d34f4784bcb9e104199bba823438aa63f853fc4d
                                          • Instruction Fuzzy Hash: 1BF09A71600218AF8F00CF68DC049DB7BE9AF09324B148269E91AD7360E630DE55EB65
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 88%
                                          			E004076D3(char** __ecx, void* __edx, void* __eflags) {
                                          				void* _t8;
                                          				int _t15;
                                          				void* _t20;
                                          				char** _t24;
                                          				signed int _t26;
                                          				signed int _t27;
                                          
                                          				_t20 = __edx;
                                          				_t24 = __ecx;
                                          				 *__ecx = "G]@";
                                          				E00411B60(_t8,  &(__ecx[0xf]));
                                          				__ecx[1] = 0;
                                          				__ecx[2] = 0;
                                          				__ecx[4] = 0;
                                          				__ecx[3] = 0;
                                          				__ecx[7] = 0x18;
                                          				__ecx[0xe] = 0;
                                          				_t26 =  *0x41e8ac; // 0x280
                                          				if(_t26 == 0) {
                                          					_t27 =  *0x41e8b0; // 0x1e0
                                          					if(_t27 == 0) {
                                          						GetSystemMetrics(0x10); // executed
                                          						asm("cdq");
                                          						 *0x41e8ac = 0 - _t20 >> 1;
                                          						_t15 = GetSystemMetrics(0x11);
                                          						asm("cdq");
                                          						 *0x41e8b0 = _t15 - _t20 >> 1;
                                          					}
                                          				}
                                          				return _t24;
                                          			}










                                          APIs
                                            • Part of subcall function 00411B60: ??2@YAPAXI@Z.MSVCRT ref: 00411B68
                                          • KiUserCallbackDispatcher.NTDLL ref: 00407715
                                          • GetSystemMetrics.USER32 ref: 00407723
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: ??2@CallbackDispatcherMetricsSystemUser
                                          • String ID:
                                          • API String ID: 145748454-0
                                          • Opcode ID: 479bd63978f28fe7566e90bf22cf9ab23cd4c2d010775e76fc726262a7908e22
                                          • Instruction ID: 717b70004c9186839aecef00c0b16e534ce711e486b0d128d54a4644bfe03861
                                          • Opcode Fuzzy Hash: 479bd63978f28fe7566e90bf22cf9ab23cd4c2d010775e76fc726262a7908e22
                                          • Instruction Fuzzy Hash: A6F017B4A047058FD3A4EF7AA9402C6BAE5BB58300705C93FD986C7690E7B4B445DF89
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 88%
                                          			E004042F3(signed int* __ecx, void* __edx, signed int _a4) {
                                          				int _v12;
                                          				wchar_t* _v16;
                                          				wchar_t* _t12;
                                          				int _t17;
                                          				wchar_t** _t18;
                                          
                                          				_t18 = __ecx;
                                          				E00411BBA( &_v16, __ecx);
                                          				_t8 = _a4;
                                          				_t17 = _v12;
                                          				_t12 = _v16;
                                          				if(_a4 >  *((intOrPtr*)(__ecx + 8))) {
                                          					E00411917(__ecx, _t8); // executed
                                          				}
                                          				wcsncpy( *_t18, _t12, _t17);
                                          				_push(_v16);
                                          				L004191B0();
                                          				return  *_t18;
                                          			}









                                          APIs
                                            • Part of subcall function 00411BBA: memcpy.MSVCRT ref: 00411BD6
                                          • wcsncpy.MSVCRT ref: 00404321
                                          • ??3@YAXPAX@Z.MSVCRT ref: 0040432C
                                            • Part of subcall function 00411917: _CxxThrowException.MSVCRT(013329AD,0041C9D4), ref: 0041193A
                                            • Part of subcall function 00411917: ??2@YAPAXI@Z.MSVCRT ref: 00411951
                                            • Part of subcall function 00411917: ??3@YAXPAX@Z.MSVCRT ref: 0041195F
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: ??3@$??2@ExceptionThrowmemcpywcsncpy
                                          • String ID:
                                          • API String ID: 3798114178-0
                                          • Opcode ID: fb98cf7c81c7f830505253552c246850b8fcb6ef4328eadea5089d1272178010
                                          • Instruction ID: e4b503d843455e4c7bed93abd486b9fcfac02a85a0f9d020e70ade58da263fc1
                                          • Opcode Fuzzy Hash: fb98cf7c81c7f830505253552c246850b8fcb6ef4328eadea5089d1272178010
                                          • Instruction Fuzzy Hash: 0CF0A076E00014BBDB10AB59DC45C9EB7BDDF85354B10406AF991A3322D731BE90CBA8
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00407171(void** __ecx) {
                                          				void* _t1;
                                          				int _t3;
                                          				long _t4;
                                          				signed int* _t7;
                                          
                                          				_t7 = __ecx;
                                          				_t1 =  *__ecx;
                                          				if(_t1 == 0) {
                                          					L4:
                                          					 *_t7 =  *_t7 & 0x00000000;
                                          					return 0;
                                          				}
                                          				_t3 = FindCloseChangeNotification(_t1); // executed
                                          				if(_t3 != 0) {
                                          					goto L4;
                                          				}
                                          				_t4 = GetLastError();
                                          				if(_t4 != 0) {
                                          					return _t4;
                                          				} else {
                                          					return _t4 + 1;
                                          				}
                                          			}








                                          APIs
                                          • FindCloseChangeNotification.KERNELBASE ref: 0040717B
                                          • GetLastError.KERNEL32 ref: 00407185
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: ChangeCloseErrorFindLastNotification
                                          • String ID:
                                          • API String ID: 1687624791-0
                                          • Opcode ID: ead0b55b2ff90a578750a1408e92beac7d58b39fc771555b91704b17d1c49430
                                          • Instruction ID: 7524d8466beb45fe17ee677bdba99b749b9283a1bf838bd9c5283ef0b8d4f745
                                          • Opcode Fuzzy Hash: ead0b55b2ff90a578750a1408e92beac7d58b39fc771555b91704b17d1c49430
                                          • Instruction Fuzzy Hash: 07D09E316192116BEB605E79B8087A726D8BF00761B15C47AA441D63C5EA78DC42465A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: __dllonexit_onexit
                                          • String ID:
                                          • API String ID: 2384194067-0
                                          • Opcode ID: 857932782fbfd3e5608b86d36b9e9192911267ae5c294eb4983a1bf46a2caa49
                                          • Instruction ID: 1a651b6f8714b1f0f7d6ab7df4158665d5e0780d4d4d26085a3012ed1205fa6f
                                          • Opcode Fuzzy Hash: 857932782fbfd3e5608b86d36b9e9192911267ae5c294eb4983a1bf46a2caa49
                                          • Instruction Fuzzy Hash: DFC022B0242202BBCA001F10BD0A8A53F11A750733FF0C32AF069100F0C3B91820BA0B
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 95%
                                          			E00413D81(signed int _a4, intOrPtr _a8, intOrPtr _a12, signed int* _a16) {
                                          				intOrPtr _t33;
                                          				intOrPtr* _t34;
                                          				void* _t35;
                                          				intOrPtr _t36;
                                          				intOrPtr* _t38;
                                          				void* _t40;
                                          				intOrPtr _t43;
                                          				intOrPtr _t48;
                                          				signed int* _t49;
                                          				intOrPtr _t50;
                                          				struct _CRITICAL_SECTION* _t56;
                                          				signed int _t57;
                                          
                                          				_t57 = _a4;
                                          				_t56 =  *((intOrPtr*)(_t57 + 8)) + 0x18;
                                          				EnterCriticalSection(_t56);
                                          				_t33 =  *((intOrPtr*)(_t57 + 8));
                                          				_t43 =  *((intOrPtr*)(_t57 + 0x10));
                                          				_t50 =  *((intOrPtr*)(_t57 + 0x14));
                                          				if(_t43 !=  *((intOrPtr*)(_t33 + 0x10)) || _t50 !=  *((intOrPtr*)(_t33 + 0x14))) {
                                          					_t34 =  *((intOrPtr*)(_t33 + 8));
                                          					_t35 =  *((intOrPtr*)( *_t34 + 0x10))(_t34, _t43, _t50, 0, 0, _t40);
                                          					if(_t35 == 0) {
                                          						_t36 =  *((intOrPtr*)(_t57 + 8));
                                          						 *((intOrPtr*)(_t36 + 0x10)) =  *((intOrPtr*)(_t57 + 0x10));
                                          						 *((intOrPtr*)(_t36 + 0x14)) =  *((intOrPtr*)(_t57 + 0x14));
                                          						goto L5;
                                          					}
                                          					goto L3;
                                          				} else {
                                          					L5:
                                          					_a4 = _a4 & 0x00000000;
                                          					_t38 =  *((intOrPtr*)( *((intOrPtr*)(_t57 + 8)) + 8));
                                          					_t35 =  *((intOrPtr*)( *_t38 + 0xc))(_t38, _a8, _a12,  &_a4);
                                          					 *((intOrPtr*)(_t57 + 0x10)) =  *((intOrPtr*)(_t57 + 0x10)) + _a4;
                                          					_t48 =  *((intOrPtr*)(_t57 + 8));
                                          					asm("adc dword [esi+0x14], 0x0");
                                          					 *((intOrPtr*)(_t48 + 0x10)) =  *((intOrPtr*)(_t57 + 0x10));
                                          					 *((intOrPtr*)(_t48 + 0x14)) =  *((intOrPtr*)(_t57 + 0x14));
                                          					_t49 = _a16;
                                          					if(_t49 != 0) {
                                          						 *_t49 = _a4;
                                          					}
                                          					L3:
                                          					LeaveCriticalSection(_t56);
                                          					return _t35;
                                          				}
                                          			}
















                                          APIs
                                          • EnterCriticalSection.KERNEL32(?), ref: 00413D90
                                          • LeaveCriticalSection.KERNEL32(?), ref: 00413DC1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: CriticalSection$EnterLeave
                                          • String ID:
                                          • API String ID: 3168844106-0
                                          • Opcode ID: 896c1087cd7bbb7dc627c9ffcc443e77ad22d141fa8ddf54c665425f9ae04d73
                                          • Instruction ID: 574acab8dc6da0f92556d3d590f48fbb046e393e5bca8a27cda65f89530e78df
                                          • Opcode Fuzzy Hash: 896c1087cd7bbb7dc627c9ffcc443e77ad22d141fa8ddf54c665425f9ae04d73
                                          • Instruction Fuzzy Hash: ED2116752007049FCB28CF55E884AA7B7B9FF88711B148A5DE85A8B761C371F941CBA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 77%
                                          			E00415BE2() {
                                          				intOrPtr* _t47;
                                          				intOrPtr* _t48;
                                          				intOrPtr* _t49;
                                          				intOrPtr* _t50;
                                          				intOrPtr* _t56;
                                          				intOrPtr* _t57;
                                          				void* _t66;
                                          				intOrPtr* _t67;
                                          				void* _t78;
                                          				intOrPtr* _t80;
                                          				void* _t82;
                                          				intOrPtr* _t83;
                                          				void* _t85;
                                          				void* _t87;
                                          
                                          				L00419240();
                                          				 *((intOrPtr*)(_t85 - 0x10)) = _t87 - 0x88;
                                          				 *(_t85 - 4) = 0;
                                          				_t83 =  *((intOrPtr*)(_t85 + 8));
                                          				 *((intOrPtr*)( *_t83 + 0x10))(_t83, _t78, _t82, _t66);
                                          				 *(_t85 - 4) = 1;
                                          				_t67 =  *((intOrPtr*)(_t85 + 0x14));
                                          				if(_t67 != 0) {
                                          					 *((intOrPtr*)( *_t67 + 4))(_t67);
                                          				}
                                          				 *((intOrPtr*)(_t85 + 0x14)) = 0;
                                          				_t91 = _t67;
                                          				if(_t67 != 0) {
                                          					 *((intOrPtr*)( *_t67))(_t67, 0x41a530, _t85 + 0x14);
                                          				}
                                          				 *((intOrPtr*)(_t85 - 0x94)) = 0;
                                          				 *((intOrPtr*)(_t85 - 0x90)) = 0;
                                          				 *((char*)(_t85 - 0x1c)) = 1;
                                          				 *((char*)(_t83 + 0x140)) = 0;
                                          				_push( *((intOrPtr*)(_t85 + 0x10)));
                                          				_t80 = E00416828(_t85 - 0x94, _t91,  *((intOrPtr*)(_t85 + 0xc)));
                                          				if(_t80 == 0) {
                                          					 *((char*)(_t83 + 0x140)) = 1;
                                          					_push(_t83 + 0x14c);
                                          					_push(_t83 + 0x149);
                                          					_push(_t83 + 0x148);
                                          					_push( *((intOrPtr*)(_t85 + 0x14)));
                                          					_push(_t83 + 0x10);
                                          					_t47 = E0041817D(_t85 - 0x94); // executed
                                          					_t80 = _t47;
                                          					__eflags = _t80;
                                          					if(_t80 != 0) {
                                          						goto L5;
                                          					} else {
                                          						E004010F2(_t83 + 0xc,  *((intOrPtr*)(_t85 + 0xc)));
                                          						_t56 =  *((intOrPtr*)(_t85 - 0x94));
                                          						__eflags = _t56;
                                          						if(_t56 != 0) {
                                          							 *((intOrPtr*)( *_t56 + 8))(_t56);
                                          						}
                                          						_t57 =  *((intOrPtr*)(_t85 + 0x14));
                                          						__eflags = _t57;
                                          						if(_t57 != 0) {
                                          							 *((intOrPtr*)( *_t57 + 8))(_t57);
                                          						}
                                          						__eflags = _t67;
                                          						if(_t67 != 0) {
                                          							 *((intOrPtr*)( *_t67 + 8))(_t67);
                                          						}
                                          						 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
                                          						_t50 = 0;
                                          					}
                                          				} else {
                                          					L5:
                                          					_t48 =  *((intOrPtr*)(_t85 - 0x94));
                                          					if(_t48 != 0) {
                                          						 *((intOrPtr*)( *_t48 + 8))(_t48);
                                          					}
                                          					_t49 =  *((intOrPtr*)(_t85 + 0x14));
                                          					if(_t49 != 0) {
                                          						 *((intOrPtr*)( *_t49 + 8))(_t49);
                                          					}
                                          					if(_t67 != 0) {
                                          						 *((intOrPtr*)( *_t67 + 8))(_t67);
                                          					}
                                          					_t50 = _t80;
                                          				}
                                          				 *[fs:0x0] =  *((intOrPtr*)(_t85 - 0xc));
                                          				return _t50;
                                          			}


















                                          APIs
                                          • _EH_prolog.MSVCRT ref: 00415BE7
                                            • Part of subcall function 0041817D: _EH_prolog.MSVCRT ref: 00418182
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID:
                                          • API String ID: 3519838083-0
                                          • Opcode ID: 9b468c4666b132781755553e503f48ddc8162a130e10772a6baf9a03058fb964
                                          • Instruction ID: f396f6b083a0fa58f5464e9653f63b5c42f30b53b93fa251e57ee2b7c9474d42
                                          • Opcode Fuzzy Hash: 9b468c4666b132781755553e503f48ddc8162a130e10772a6baf9a03058fb964
                                          • Instruction Fuzzy Hash: A7417B31600709DFCB21DF64C884BDAB7A8AF84304F14449AE40ADB211EB79ED85CB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 33%
                                          			E00405401(intOrPtr __ecx, char __edx, void* __eflags, intOrPtr* _a4) {
                                          				char _v8;
                                          				intOrPtr* _v16;
                                          				char _v20;
                                          				void* _t11;
                                          				void* _t15;
                                          				intOrPtr _t19;
                                          				void* _t34;
                                          
                                          				_t34 = __eflags;
                                          				_v8 = __edx;
                                          				E00411743(_t11,  &_v20);
                                          				_push(0);
                                          				_push(0);
                                          				_push(0);
                                          				_push(0);
                                          				_push(__ecx);
                                          				 *((intOrPtr*)( *((intOrPtr*)(__ecx)) + 0x10))();
                                          				_t15 = E00404E67(__ecx,  &_v20, _t34); // executed
                                          				if(_t15 != 0 || _v8 != 0) {
                                          					__eflags = _v16;
                                          					if(__eflags == 0) {
                                          						L8:
                                          						_t25 = _a4;
                                          						__eflags = _a4;
                                          						if(_a4 != 0) {
                                          							E004117FD(_t25,  &_v20);
                                          						}
                                          						goto L4;
                                          					}
                                          					_t19 = E00405112( &_v20, 0, __eflags);
                                          					__eflags = _t19;
                                          					if(_t19 != 0) {
                                          						goto L8;
                                          					}
                                          					_push(4);
                                          					goto L3;
                                          				} else {
                                          					_push(9);
                                          					_push(0);
                                          					E0040976C( &_v20);
                                          					_push(3);
                                          					L3:
                                          					_pop(0);
                                          					L4:
                                          					_push(_v20);
                                          					L004191B0();
                                          					return 0;
                                          				}
                                          			}











                                          APIs
                                            • Part of subcall function 00411743: ??2@YAPAXI@Z.MSVCRT ref: 0041174B
                                            • Part of subcall function 00404E67: ??3@YAXPAX@Z.MSVCRT ref: 00404FDA
                                            • Part of subcall function 00404E67: ??3@YAXPAX@Z.MSVCRT ref: 00404FE2
                                            • Part of subcall function 00404E67: ??3@YAXPAX@Z.MSVCRT ref: 00404FEA
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00405445
                                            • Part of subcall function 0040976C: wvsprintfW.USER32(?,00000000,?), ref: 0040978F
                                            • Part of subcall function 0040976C: GetLastError.KERNEL32 ref: 004097A0
                                            • Part of subcall function 0040976C: FormatMessageW.KERNEL32(00001100,00000000,00000000,?,?,00000000,005625D8), ref: 004097C8
                                            • Part of subcall function 0040976C: FormatMessageW.KERNEL32(00001100,00000000,?,00000000,?,00000000,005625D8), ref: 004097DD
                                            • Part of subcall function 0040976C: lstrlenW.KERNEL32(?), ref: 004097F0
                                            • Part of subcall function 0040976C: lstrlenW.KERNEL32(?), ref: 004097F7
                                            • Part of subcall function 0040976C: ??2@YAPAXI@Z.MSVCRT ref: 0040980C
                                            • Part of subcall function 0040976C: lstrcpyW.KERNEL32 ref: 00409822
                                            • Part of subcall function 0040976C: lstrcpyW.KERNEL32 ref: 00409834
                                            • Part of subcall function 0040976C: ??3@YAXPAX@Z.MSVCRT ref: 0040983E
                                            • Part of subcall function 0040976C: LocalFree.KERNEL32(?), ref: 00409847
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: ??3@$??2@FormatMessagelstrcpylstrlen$ErrorFreeLastLocalwvsprintf
                                          • String ID:
                                          • API String ID: 3247304187-0
                                          • Opcode ID: cd8bd020aafe0a279b7ff26cb5164b8360062cd19d23274223983880e3c8463f
                                          • Instruction ID: c8cfcf64f4d727165aa460a5e60b04b55843b987d0c6720e9ddf697575640f7a
                                          • Opcode Fuzzy Hash: cd8bd020aafe0a279b7ff26cb5164b8360062cd19d23274223983880e3c8463f
                                          • Instruction Fuzzy Hash: CD019271504619AEEF10AA6598C1AFF7368EB0034CF10447FF612372C2DA795D898E5A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 92%
                                          			E0041817D(void* __ecx) {
                                          				void* _t17;
                                          				intOrPtr _t26;
                                          				void* _t31;
                                          				intOrPtr _t33;
                                          
                                          				_t23 = __ecx;
                                          				L00419240();
                                          				_push(__ecx);
                                          				 *((intOrPtr*)(_t31 - 0x10)) = _t33;
                                          				 *(_t31 - 4) =  *(_t31 - 4) & 0x00000000;
                                          				_t26 =  *((intOrPtr*)(_t31 + 8));
                                          				_t17 = E00417EA2(__ecx, _t26,  *((intOrPtr*)(_t31 + 0xc)),  *((intOrPtr*)(_t31 + 0x10)),  *((intOrPtr*)(_t31 + 0x14)),  *((intOrPtr*)(_t31 + 0x18))); // executed
                                          				if( *((char*)(__ecx + 0x3c)) != 0) {
                                          					 *((char*)(_t26 + 0x132)) = 1;
                                          				}
                                          				if(_t17 != 0x80004001) {
                                          					 *[fs:0x0] =  *((intOrPtr*)(_t31 - 0xc));
                                          					return _t17;
                                          				} else {
                                          					E00415EDA(_t23);
                                          					 *((char*)( *((intOrPtr*)(_t31 + 8)) + 0x136)) = 1;
                                          					 *(_t31 - 4) =  *(_t31 - 4) | 0xffffffff;
                                          					return E004181D6;
                                          				}
                                          			}








                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID:
                                          • API String ID: 3519838083-0
                                          • Opcode ID: afbb77ebcebef81e2cf385e1134c7783f6bd7d92ebd3f59a0857a247aa1f2ec6
                                          • Instruction ID: 41c31309152594a5cdc9a94e22e8fdd470941a79d1f82a5d583071a5725c450b
                                          • Opcode Fuzzy Hash: afbb77ebcebef81e2cf385e1134c7783f6bd7d92ebd3f59a0857a247aa1f2ec6
                                          • Instruction Fuzzy Hash: 77F0FF32400248FFDB21CF88C845BDEBBB1EF40324F04865EF80562250C3BDAA90CBA9
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E004026DD(intOrPtr _a4, intOrPtr _a8) {
                                          				intOrPtr _t13;
                                          				signed int _t14;
                                          				intOrPtr _t25;
                                          
                                          				_t13 = _a8;
                                          				if(_t13 == 0) {
                                          					_t25 = _a4;
                                          					if( *(_t25 + 0x20) != 0) {
                                          						E00411282(_t25 + 0x38);
                                          					}
                                          					_t14 =  *(_t25 + 0x20);
                                          					if(_t14 != 0) {
                                          						 *((intOrPtr*)( *_t14 + 8))(_t14);
                                          						 *(_t25 + 0x20) =  *(_t25 + 0x20) & 0x00000000;
                                          					}
                                          					if( *((intOrPtr*)(_t25 + 0x18)) != 0) {
                                          						SetFileAttributesW( *(_t25 + 0x24),  *(_t25 + 0x44)); // executed
                                          					}
                                          					return 0;
                                          				}
                                          				 *0x41e728 = _t13;
                                          				return 0x80004005;
                                          			}







                                          APIs
                                          • SetFileAttributesW.KERNELBASE(?,?), ref: 00402728
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: AttributesFile
                                          • String ID:
                                          • API String ID: 3188754299-0
                                          • Opcode ID: e30c021431c8dc767e28d2db58534a27e2d4e67a42e3bcdc1a5b57926e33b774
                                          • Instruction ID: bda90a93fc5a79562ae67f98b1e8df01e77ba5ebef7748c498c118ca2824b36e
                                          • Opcode Fuzzy Hash: e30c021431c8dc767e28d2db58534a27e2d4e67a42e3bcdc1a5b57926e33b774
                                          • Instruction Fuzzy Hash: C4F01731100601DBDB61DF69C988B97B7F4BF48345F04492EE48AE76E0D7B9E885CB19
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 86%
                                          			E00411292(void** __ecx, void* _a4, long _a8, intOrPtr* _a12) {
                                          				long _v8;
                                          				long _t12;
                                          				signed int _t14;
                                          				void** _t16;
                                          
                                          				_t16 = __ecx;
                                          				_push(__ecx);
                                          				_t12 =  *0x41e628; // 0x400000
                                          				if(_a8 > _t12) {
                                          					_a8 = _t12;
                                          				}
                                          				_v8 = _v8 & 0x00000000;
                                          				_t14 = WriteFile( *_t16, _a4, _a8,  &_v8, 0); // executed
                                          				 *_a12 = _v8;
                                          				return _t14 & 0xffffff00 | _t14 != 0x00000000;
                                          			}








                                          APIs
                                          • WriteFile.KERNELBASE(00000008,00000000,?,00000000,00000000,00000008,?,004112EE,00000000,?,00000000,00000000,00000000,?,004124B8,?), ref: 004112B5
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: FileWrite
                                          • String ID:
                                          • API String ID: 3934441357-0
                                          • Opcode ID: 3823a46a90e705b780842d9b9d1914895d37d3d957bde1875c21ce7738ae9c40
                                          • Instruction ID: 0023b8de25620b55143802bd0f89cc8c2b593093c471a7488b0b9917581c8630
                                          • Opcode Fuzzy Hash: 3823a46a90e705b780842d9b9d1914895d37d3d957bde1875c21ce7738ae9c40
                                          • Instruction Fuzzy Hash: F0E0E575A41209FFDB00CF95D801BDE7BF9EB48354F50C069F9189A260D379AA50DF54
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00411359(signed int* __ecx, void* __eflags, WCHAR* _a4, long _a8, long _a12, long _a16, long _a20) {
                                          				void* _t8;
                                          				signed int _t9;
                                          				signed int* _t13;
                                          
                                          				_t13 = __ecx;
                                          				_t8 = E0041115B(__ecx);
                                          				if(_t8 != 0) {
                                          					_t9 = CreateFileW(_a4, _a8, _a12, 0, _a16, _a20, 0); // executed
                                          					 *_t13 = _t9;
                                          					return _t9 & 0xffffff00 | _t9 != 0xffffffff;
                                          				}
                                          				return _t8;
                                          			}







                                          APIs
                                            • Part of subcall function 0041115B: FindCloseChangeNotification.KERNELBASE(0041E7B8,00000014,00411364,00000000,?,004113AA,0041E7B8,80000000,00000000,00000000,00000000,004113CD,00000000,0041E7B8,00000003,00000080), ref: 00411166
                                          • CreateFileW.KERNELBASE(0041E7B8,00409A47,00000000,00000000,0041E7B8,004113DB,00000000,00000000,?,004113AA,0041E7B8,80000000,00000000,00000000,00000000,004113CD), ref: 0041137B
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: ChangeCloseCreateFileFindNotification
                                          • String ID:
                                          • API String ID: 727422849-0
                                          • Opcode ID: 80b8b5df33a30570d28e0a343dc471cf771b25124c2d66bbf4d53c6fd93a2205
                                          • Instruction ID: 7f7215a53688679663676b47c899f3015bbad9dd6bad72367c24d06892668cc0
                                          • Opcode Fuzzy Hash: 80b8b5df33a30570d28e0a343dc471cf771b25124c2d66bbf4d53c6fd93a2205
                                          • Instruction Fuzzy Hash: 70E08632000219BBCF111FA49C02BCA3F66AF09360F104626FB11561F1C776C4B0AB94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 75%
                                          			E0041883F(intOrPtr __ecx) {
                                          				void* _t9;
                                          				void* _t14;
                                          				void* _t19;
                                          				intOrPtr _t21;
                                          
                                          				L00419240();
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				 *((intOrPtr*)(_t19 - 0x10)) = _t21;
                                          				 *((intOrPtr*)(_t19 - 0x14)) = __ecx;
                                          				 *(_t19 - 4) =  *(_t19 - 4) & 0x00000000;
                                          				_t9 = E004184FC(__ecx, _t14, 0); // executed
                                          				 *(_t19 - 4) =  *(_t19 - 4) | 0xffffffff;
                                          				 *[fs:0x0] =  *((intOrPtr*)(_t19 - 0xc));
                                          				return _t9;
                                          			}








                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID:
                                          • API String ID: 3519838083-0
                                          • Opcode ID: 6dcfb0b3f8ff67c5fe89e3e4baa8ae41fa6805a61c95a6512c09056436acd5ff
                                          • Instruction ID: 85b5f634bb3876c881f9a369785aad2c034a51649cb27cc2246a7d4990ba049a
                                          • Opcode Fuzzy Hash: 6dcfb0b3f8ff67c5fe89e3e4baa8ae41fa6805a61c95a6512c09056436acd5ff
                                          • Instruction Fuzzy Hash: 7BE08671900214ABD7149B8AC8077DEBB78EB40765F10425FF01162280D7782E008568
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 37%
                                          			E004071A3(intOrPtr* __ecx, void* __edx, char _a4) {
                                          
                                          				__imp___beginthreadex(0, 0, __edx, _a4, 0,  &_a4); // executed
                                          				 *__ecx = 0;
                                          				return E0040715E(0);
                                          			}



                                          0x004071b6
                                          0x004071c1
                                          0x004071ca

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: _beginthreadex
                                          • String ID:
                                          • API String ID: 3014514943-0
                                          • Opcode ID: 0249f964b4c06bf6ddaf9ed2643bfe3927903dc7b70e5f300a9eb7fd59aeab1f
                                          • Instruction ID: 2aa1260f39b219495775a5a96dce83a8c9144485e5dc473d2f94c266e6d0d9a7
                                          • Opcode Fuzzy Hash: 0249f964b4c06bf6ddaf9ed2643bfe3927903dc7b70e5f300a9eb7fd59aeab1f
                                          • Instruction Fuzzy Hash: 73D05EB29002087FDB00AFA4DC05CBB7A9CDA45260700843ABD48CB301E5729E6087E5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 75%
                                          			E00411222(void** __ecx, void* _a4, long _a8, intOrPtr* _a12) {
                                          				long _v8;
                                          				signed int _t11;
                                          
                                          				_push(__ecx);
                                          				_v8 = _v8 & 0x00000000;
                                          				_t11 = ReadFile( *__ecx, _a4, _a8,  &_v8, 0); // executed
                                          				 *_a12 = _v8;
                                          				return _t11 & 0xffffff00 | _t11 != 0x00000000;
                                          			}






                                          APIs
                                          • ReadFile.KERNELBASE(?,?,?,00000000,00000000), ref: 00411238
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: FileRead
                                          • String ID:
                                          • API String ID: 2738559852-0
                                          • Opcode ID: 39bbe8b1e9019e7b2d5fad33dac547c7575ae00130540e2fd0b68d00fb51dad4
                                          • Instruction ID: 592777a0cbf9ed61c554e453f95aac0b5ff3b8d945bf09df7fedf92081e1879d
                                          • Opcode Fuzzy Hash: 39bbe8b1e9019e7b2d5fad33dac547c7575ae00130540e2fd0b68d00fb51dad4
                                          • Instruction Fuzzy Hash: 14E0EC75201208FFDB01CF90CD01FDE7BBEEB49758F208058E90496160C7769A20EB55
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0041115B(void** __ecx) {
                                          				void* _t1;
                                          				int _t3;
                                          				signed int* _t6;
                                          
                                          				_t6 = __ecx;
                                          				_t1 =  *__ecx;
                                          				if(_t1 == 0xffffffff) {
                                          					L4:
                                          					return 1;
                                          				} else {
                                          					_t3 = FindCloseChangeNotification(_t1); // executed
                                          					if(_t3 != 0) {
                                          						 *_t6 =  *_t6 | 0xffffffff;
                                          						goto L4;
                                          					} else {
                                          						return 0;
                                          					}
                                          				}
                                          			}







                                          APIs
                                          • FindCloseChangeNotification.KERNELBASE(0041E7B8,00000014,00411364,00000000,?,004113AA,0041E7B8,80000000,00000000,00000000,00000000,004113CD,00000000,0041E7B8,00000003,00000080), ref: 00411166
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: ChangeCloseFindNotification
                                          • String ID:
                                          • API String ID: 2591292051-0
                                          • Opcode ID: 07fcbf98cd6418257f68abd7a88b9ae89250d8f7ef7824f403ab4521d4148bf0
                                          • Instruction ID: 054d9df42e2342d198a541279ff18f785dd1647d9572a3c5038800ec3afc9341
                                          • Opcode Fuzzy Hash: 07fcbf98cd6418257f68abd7a88b9ae89250d8f7ef7824f403ab4521d4148bf0
                                          • Instruction Fuzzy Hash: 0FD01231144521668A641F3C78485D273D86E07330731175AF1B0C33F0D3648CC34654
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E00411265(void** __ecx, FILETIME* _a4, FILETIME* _a8, FILETIME* _a12) {
                                          				signed int _t4;
                                          
                                          				_t4 = SetFileTime( *__ecx, _a4, _a8, _a12); // executed
                                          				asm("sbb eax, eax");
                                          				return  ~( ~_t4);
                                          			}




                                          0x00411273
                                          0x0041127b
                                          0x0041127f

                                          APIs
                                          • SetFileTime.KERNELBASE(?,?,?,?,0041128F,00000000,00000000,?,0040270B,?), ref: 00411273
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: FileTime
                                          • String ID:
                                          • API String ID: 1425588814-0
                                          • Opcode ID: 5e2c3f4fd95572551ce7389ed7a8d0418e4bf28c6d4fd737443a5967939eb4fb
                                          • Instruction ID: 14e9d413570242a207ede0755a0e187765c1d7efe63821fc46ad5d1f7ad43643
                                          • Opcode Fuzzy Hash: 5e2c3f4fd95572551ce7389ed7a8d0418e4bf28c6d4fd737443a5967939eb4fb
                                          • Instruction Fuzzy Hash: 23C04C36159105FFCF020FB0CC04C1ABFA2BB99311F10C918B159C4070C7328038EB02
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: _onexit
                                          • String ID:
                                          • API String ID: 572287377-0
                                          • Opcode ID: 48837c0521fbecc17d6ee07b3f6a267320efd1aba5eb5955c623cdeff6951d1a
                                          • Instruction ID: 778c79cf90d092554f1cb830e8a390e88a3e661b3811335a0444426046a09963
                                          • Opcode Fuzzy Hash: 48837c0521fbecc17d6ee07b3f6a267320efd1aba5eb5955c623cdeff6951d1a
                                          • Instruction Fuzzy Hash: E1B01275003000FBCF051F40ED0888D7F21EB44322B20C465F00A81031C7328430BB06
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 88%
                                          			E00401341(void* __ecx, void* __eflags) {
                                          				intOrPtr* _t9;
                                          				intOrPtr* _t10;
                                          				intOrPtr* _t12;
                                          				signed int _t13;
                                          				intOrPtr* _t23;
                                          				void* _t25;
                                          
                                          				_t25 = __ecx;
                                          				_t9 = E004011CA(__ecx);
                                          				if(_t9 == 0) {
                                          					_push(0xc);
                                          					L004191BC();
                                          					if(_t9 == 0) {
                                          						_t23 = 0;
                                          					} else {
                                          						 *((intOrPtr*)(_t9 + 4)) = 0x41c250;
                                          						 *((intOrPtr*)(_t9 + 8)) = 0;
                                          						 *_t9 = 0x41a5f0;
                                          						 *((intOrPtr*)(_t9 + 4)) = 0x41a5e0;
                                          						_t23 = _t9;
                                          					}
                                          					_t4 = _t25 + 4; // 0x5625d8
                                          					_t10 =  *_t4;
                                          					 *((intOrPtr*)( *_t10 + 0x10))(_t10, 0, 0, 0, 0);
                                          					_t6 = _t25 + 8; // 0x562608
                                          					_t12 =  *_t6;
                                          					_t7 = _t25 + 4; // 0x5625d8
                                          					_t13 =  *((intOrPtr*)( *_t12 + 0xc))(_t12,  *_t7, 0x41ba98, _t23);
                                          					asm("sbb al, al");
                                          					return  ~_t13 + 1;
                                          				} else {
                                          					return 1;
                                          				}
                                          			}










                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: ??2@
                                          • String ID:
                                          • API String ID: 1033339047-0
                                          • Opcode ID: cc3bab8da8374e2612e1de8916ac955e32d0819bb3d2e40bab94f9b8b3e489fa
                                          • Instruction ID: 9b740768f600bbd434f173913778787e3c0435d902e00cab9e4412b019abca16
                                          • Opcode Fuzzy Hash: cc3bab8da8374e2612e1de8916ac955e32d0819bb3d2e40bab94f9b8b3e489fa
                                          • Instruction Fuzzy Hash: 7FF02270104210AFD7188B65D84EC97B7E8EF85320305C4AEF81ACB3A1D778EC82C6A4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 62%
                                          			E004122B3(void* __eflags, intOrPtr _a4, intOrPtr _a8, char _a12, intOrPtr* _a16) {
                                          				void* _t12;
                                          				signed int _t13;
                                          				signed int _t15;
                                          				intOrPtr* _t20;
                                          				intOrPtr _t24;
                                          
                                          				_t24 = _a4;
                                          				_push( &_a12);
                                          				_t12 = E0041124F(_t24 + 0x14, _a8, _a12); // executed
                                          				_t20 = _a16;
                                          				if(_t20 != 0) {
                                          					 *_t20 = _a12;
                                          				}
                                          				if(_t12 != 0) {
                                          					return 0;
                                          				}
                                          				_t13 = GetLastError();
                                          				__eflags =  *(_t24 + 0x1c);
                                          				if( *(_t24 + 0x1c) != 0) {
                                          					return  *((intOrPtr*)( *( *(_t24 + 0x1c))))( *((intOrPtr*)(_t24 + 0x20)), _t13);
                                          				}
                                          				__eflags = _t13;
                                          				if(__eflags == 0) {
                                          					return 0x80004005;
                                          				}
                                          				if(__eflags > 0) {
                                          					_t15 = _t13 & 0x0000ffff | 0x80070000;
                                          					__eflags = _t15;
                                          					return _t15;
                                          				}
                                          				return _t13;
                                          			}









                                          APIs
                                          • GetLastError.KERNEL32(?,?,?), ref: 004122E0
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: ErrorLast
                                          • String ID:
                                          • API String ID: 1452528299-0
                                          • Opcode ID: d509e3b73838843a45d009e079e0ca887772c46ed55d806236c8cbc1e203ec92
                                          • Instruction ID: 6d5529d2897140aadd979f9f6666313ec97981f96f3cf44ff7ecc7f719b31ebf
                                          • Opcode Fuzzy Hash: d509e3b73838843a45d009e079e0ca887772c46ed55d806236c8cbc1e203ec92
                                          • Instruction Fuzzy Hash: 3AF06D7120020ADBCB248E64C900AFB7765FF00314F10496AED16D6660D3BDE8A6DB59
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 87%
                                          			E00411972(signed int* __ecx, void* __eflags, signed int _a4) {
                                          				signed int _t12;
                                          				signed int _t19;
                                          				signed int _t21;
                                          
                                          				_t21 = _a4;
                                          				 *__ecx =  *__ecx & 0x00000000;
                                          				_t19 = 2;
                                          				_t12 = (_t21 + 1) * _t19;
                                          				_push( ~(0 | __eflags > 0x00000000) | _t12); // executed
                                          				L004191BC(); // executed
                                          				__ecx[1] = _t21;
                                          				__ecx[2] = _t21;
                                          				 *__ecx = _t12;
                                          				return _t12;
                                          			}







                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: ??2@
                                          • String ID:
                                          • API String ID: 1033339047-0
                                          • Opcode ID: e76ca8283bca056c9e11813ba6639715687bfc46d2aaafc1486a8ae111247908
                                          • Instruction ID: c6dd757af0c1ba279d4dea7c6a80b7e4f73fa27ff16b3e9179e8d8f42dc612cd
                                          • Opcode Fuzzy Hash: e76ca8283bca056c9e11813ba6639715687bfc46d2aaafc1486a8ae111247908
                                          • Instruction Fuzzy Hash: ABE01D735052015FD3248F2DD507657F7E9DFD0320F14C52FD596C7290DB74A4818554
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 84%
                                          			E00402963(void* __eax, void* __ecx, void* __edx, intOrPtr _a4) {
                                          				void* _t3;
                                          				void* _t9;
                                          				void* _t10;
                                          
                                          				_t9 = __edx;
                                          				_push(0x18);
                                          				_t10 = __ecx; // executed
                                          				L004191BC(); // executed
                                          				if(__eax == 0) {
                                          					_t3 = 0;
                                          				} else {
                                          					_t3 = E004025AB(__eax, _a4);
                                          				}
                                          				return E004027AC(_t10, _t9, _t3);
                                          			}







                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: ??2@
                                          • String ID:
                                          • API String ID: 1033339047-0
                                          • Opcode ID: 0ff7525446d3e4eb81a6196f1d1764e26671874c856a9aad507146e1b99962d7
                                          • Instruction ID: 3c4924e632bf8de9284e3dfcfd8e31cb7db5e3eb6efac072798042e24d92b66a
                                          • Opcode Fuzzy Hash: 0ff7525446d3e4eb81a6196f1d1764e26671874c856a9aad507146e1b99962d7
                                          • Instruction Fuzzy Hash: 26D0A96270421232DA542136192A9AF04850BA1324B04083FBC09BA2D0DDBCCC82929D
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00418E90(long __ecx) {
                                          				void* _t1;
                                          
                                          				if(__ecx != 0) {
                                          					_t1 = VirtualAlloc(0, __ecx, 0x1000, 4); // executed
                                          					return _t1;
                                          				} else {
                                          					return 0;
                                          				}
                                          			}





                                          APIs
                                          • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,004126A3), ref: 00418EA1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          • Opcode ID: cfd591f57166502c3996eeb52ba497cf8e1c0d4e19f98a0caefb48489f851d59
                                          • Instruction ID: 571c065075a9a1381f58638ba6fca5ee0bdf2100e8ed77eb0067926671c236e0
                                          • Opcode Fuzzy Hash: cfd591f57166502c3996eeb52ba497cf8e1c0d4e19f98a0caefb48489f851d59
                                          • Instruction Fuzzy Hash: C3B012B07E234035FE684F204C0BFE729106344B5BF10806CB305E80C4EBD45440501D
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00418E60(int __ecx) {
                                          				void* _t1;
                                          
                                          				if(__ecx != 0) {
                                          					_t1 = malloc(__ecx); // executed
                                          					return _t1;
                                          				} else {
                                          					return 0;
                                          				}
                                          			}





                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: malloc
                                          • String ID:
                                          • API String ID: 2803490479-0
                                          • Opcode ID: e711c72adcf938b8c65d85f746aed726eb56a957d15baed71f8ebda879dc1b73
                                          • Instruction ID: e2a553e11ccdc75bfd9e09a2a759721d75f2ab5807daf84bd34e7484f2f3f46e
                                          • Opcode Fuzzy Hash: e711c72adcf938b8c65d85f746aed726eb56a957d15baed71f8ebda879dc1b73
                                          • Instruction Fuzzy Hash: 47B012B011210106DE1C03343C040973150274070BBC049BDB402C0211FB2EC024500F
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00418ED0(int __edx) {
                                          				void* _t1;
                                          
                                          				if(__edx != 0) {
                                          					_t1 = malloc(__edx); // executed
                                          					return _t1;
                                          				} else {
                                          					return 0;
                                          				}
                                          			}





                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: malloc
                                          • String ID:
                                          • API String ID: 2803490479-0
                                          • Opcode ID: 5141d728e474e7521a368291e8f18d83c3acb210d46f4bca5788423dd7cb6c14
                                          • Instruction ID: 93b00212a99b6a082cadc79a1e30e4f7e8762bb5dbef7d3919aab0975435a3d9
                                          • Opcode Fuzzy Hash: 5141d728e474e7521a368291e8f18d83c3acb210d46f4bca5788423dd7cb6c14
                                          • Instruction Fuzzy Hash: DCB012A890118102DA0403343C04093317277D070B7C4C8F9A401C0215FF3DC038600E
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00418EB0(void* __ecx) {
                                          				void* _t1;
                                          				int _t2;
                                          
                                          				if(__ecx != 0) {
                                          					_t2 = VirtualFree(__ecx, 0, 0x8000); // executed
                                          					return _t2;
                                          				}
                                          				return _t1;
                                          			}






                                          APIs
                                          • VirtualFree.KERNELBASE(00000000,00000000,00008000,0041269C), ref: 00418EBC
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: FreeVirtual
                                          • String ID:
                                          • API String ID: 1263568516-0
                                          • Opcode ID: 98c2aa6179cb7425aeb67d4f545a5e2afc36e1fc0ccae7b31786c0746bb73036
                                          • Instruction ID: 0e3cf457c684582be7836cc479f2286583ff41d20b64db86ad3597c1f4fbeca2
                                          • Opcode Fuzzy Hash: 98c2aa6179cb7425aeb67d4f545a5e2afc36e1fc0ccae7b31786c0746bb73036
                                          • Instruction Fuzzy Hash: D2B0127074230022ED3807110D05B9716001700702F10801C3205A40C08B9DA404450C
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: free
                                          • String ID:
                                          • API String ID: 1294909896-0
                                          • Opcode ID: e67894145b99b58128abb99e60c4f0f8425ba21e255e0df04cc2fc7601b1b592
                                          • Instruction ID: 274342a45a8081fe27f7bdb5d6c884acc69a6842209db99ac87ec0640da087f0
                                          • Opcode Fuzzy Hash: e67894145b99b58128abb99e60c4f0f8425ba21e255e0df04cc2fc7601b1b592
                                          • Instruction Fuzzy Hash:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: free
                                          • String ID:
                                          • API String ID: 1294909896-0
                                          • Opcode ID: e74c70c6999e5317b9509654f16dd5251969b965aacf69294b6ffea9f9e2b663
                                          • Instruction ID: 1f3b28ff6c5a90f3ca056b026900e47eaa4da2a5162f9c1f96bfe5ec7c3f15e6
                                          • Opcode Fuzzy Hash: e74c70c6999e5317b9509654f16dd5251969b965aacf69294b6ffea9f9e2b663
                                          • Instruction Fuzzy Hash:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 90%
                                          			E00405811(void* __ecx) {
                                          				signed int _v8;
                                          				intOrPtr _t12;
                                          				intOrPtr _t13;
                                          				intOrPtr _t14;
                                          				WCHAR* _t15;
                                          				signed short* _t16;
                                          				signed int _t18;
                                          				void* _t24;
                                          				void* _t25;
                                          				intOrPtr _t26;
                                          				intOrPtr _t27;
                                          				intOrPtr _t28;
                                          				intOrPtr _t29;
                                          				intOrPtr _t30;
                                          				signed int _t31;
                                          				signed int _t35;
                                          				intOrPtr _t41;
                                          				intOrPtr _t45;
                                          				void* _t68;
                                          				void* _t73;
                                          				void* _t76;
                                          				intOrPtr _t98;
                                          				void* _t99;
                                          				intOrPtr* _t104;
                                          
                                          				_push(__ecx);
                                          				_t98 = E00405041();
                                          				if(_t98 != 0) {
                                          					E00411BE5(0x41e85c, _t98);
                                          					_t73 = 4;
                                          					E00411CA3(0x41e85c, E00403DC8(_t73));
                                          					_t41 =  *0x41e85c; // 0x56edd8
                                          					 *0x41e760 = _t41;
                                          					E00411BE5(0x41e884, _t98);
                                          					_t76 = 0x29;
                                          					E00411CA3(0x41e884, E00403DC8(_t76));
                                          					_t45 =  *0x41e884; // 0x561218
                                          					 *0x41e74c = _t45;
                                          					 *0x41e738 = _t98;
                                          				}
                                          				_t12 = E00405041();
                                          				if(_t12 != 0) {
                                          					 *0x41e760 = _t12;
                                          				}
                                          				_t13 = E00405041();
                                          				if(_t13 != 0) {
                                          					 *0x41e74c = _t13;
                                          				}
                                          				_t14 = E00405041();
                                          				if(_t14 != 0) {
                                          					 *0x41e73c = _t14;
                                          				}
                                          				_t15 = E00405041();
                                          				if(_t15 != 0 && lstrcmpiW(_t15, L"no") == 0) {
                                          					 *0x41e770 = 2;
                                          				}
                                          				_t16 = E00405041();
                                          				_t99 = 0x30;
                                          				if(_t16 != 0) {
                                          					_t35 =  *_t16 & 0x0000ffff;
                                          					if(_t35 >= _t99 && _t35 <= 0x32) {
                                          						 *0x41e770 = _t35 - _t99;
                                          					}
                                          				}
                                          				if(E00405041() != 0) {
                                          					E004056E9(_t17);
                                          				}
                                          				_v8 = _v8 & 0x00000000;
                                          				while(1) {
                                          					_t18 = E00405041();
                                          					if(_t18 == 0) {
                                          						break;
                                          					}
                                          					_v8 = _v8 + 1;
                                          					E004056A4(_t18);
                                          				}
                                          				_v8 = _v8 & _t18;
                                          				while(E00405041() != 0) {
                                          					_v8 = _v8 + 1;
                                          					E004056CB(_t20);
                                          				}
                                          				 *0x41e750 = E00405041();
                                          				 *0x41e758 = E00405041();
                                          				_t24 = E00405041();
                                          				_t104 = __imp___wtol;
                                          				if(_t24 != 0) {
                                          					 *0x41e450 =  *_t104(_t24);
                                          				}
                                          				_t25 = E00405041();
                                          				if(_t25 != 0) {
                                          					 *0x41e454 =  *_t104(_t25);
                                          				}
                                          				_t26 = E00405041();
                                          				if(_t26 != 0) {
                                          					 *0x41e754 = _t26;
                                          				}
                                          				_t27 = E00405041();
                                          				if(_t27 != 0) {
                                          					 *0x41e748 = _t27;
                                          				}
                                          				_t28 = E00405041();
                                          				if(_t28 != 0) {
                                          					 *0x41e744 = _t28;
                                          				}
                                          				_t29 = E00405041();
                                          				if(_t29 == 0) {
                                          					_t29 =  *0x41e738; // 0x2560a38
                                          				}
                                          				 *0x41e764 = _t29;
                                          				_t30 = E00405041();
                                          				if(_t30 == 0) {
                                          					_t68 = 0x2c;
                                          					_t30 = E00403DC8(_t68);
                                          				}
                                          				 *0x41e768 = _t30;
                                          				_t31 = E00405041();
                                          				if(_t31 != 0) {
                                          					_t31 =  *_t31 & 0x0000ffff;
                                          					if(_t31 >= _t99 && _t31 <= 0x39) {
                                          						_t31 = _t31 - _t99;
                                          						 *0x41e76c = _t31;
                                          					}
                                          				}
                                          				return _t31;
                                          			}




























                                          APIs
                                          • lstrcmpiW.KERNEL32(00000000,0041BACC,?,0041E138,?,?,004066DE,?,00000000), ref: 004058D2
                                          • _wtol.MSVCRT(00000000,?,0041E138,?,?,004066DE,?), ref: 004059A2
                                          • _wtol.MSVCRT(00000000,?,0041E138,?,?,004066DE,?), ref: 004059BB
                                            • Part of subcall function 00411BE5: ??2@YAPAXI@Z.MSVCRT ref: 00411C17
                                            • Part of subcall function 00411BE5: ??3@YAXPAX@Z.MSVCRT ref: 00411C20
                                            • Part of subcall function 00411BE5: memcpy.MSVCRT ref: 00411C38
                                            • Part of subcall function 00411CA3: memcpy.MSVCRT ref: 00411CD0
                                            • Part of subcall function 00403DC8: GetLastError.KERNEL32(?,?,00000000), ref: 00403E17
                                            • Part of subcall function 00403DC8: wsprintfW.USER32 ref: 00403E28
                                            • Part of subcall function 00403DC8: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00403E3D
                                            • Part of subcall function 00403DC8: GetLastError.KERNEL32 ref: 00403E42
                                            • Part of subcall function 00403DC8: ??2@YAPAXI@Z.MSVCRT ref: 00403E5D
                                            • Part of subcall function 00403DC8: GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00403E70
                                            • Part of subcall function 00403DC8: GetLastError.KERNEL32 ref: 00403E77
                                            • Part of subcall function 00403DC8: lstrcmpiW.KERNEL32(00000000,00000000), ref: 00403E8C
                                            • Part of subcall function 00403DC8: ??3@YAXPAX@Z.MSVCRT ref: 00403E9C
                                            • Part of subcall function 00403DC8: SetLastError.KERNEL32(?), ref: 00403EC3
                                            • Part of subcall function 00403DC8: lstrlenA.KERNEL32(0041B930), ref: 00403EF9
                                            • Part of subcall function 00403DC8: ??2@YAPAXI@Z.MSVCRT ref: 00403F14
                                            • Part of subcall function 00403DC8: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00403F46
                                            • Part of subcall function 004056CB: _wtol.MSVCRT(00000000,00000030,GUIFlags,00405939,?,0041E138,?,?,004066DE,?), ref: 00405668
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: ErrorLast$??2@_wtol$??3@EnvironmentVariablelstrcmpimemcpy$InfoLocalelstrlenwsprintf
                                          • String ID: CancelPrompt$ErrorTitle$ExtractCancelText$ExtractDialogText$ExtractDialogWidth$ExtractPathText$ExtractPathTitle$ExtractPathWidth$ExtractTitle$GUIFlags$GUIMode$MiscFlags$OverwriteMode$PasswordText$PasswordTitle$Progress$Title$VolumeNameStyle$WarningTitle$\A
                                          • API String ID: 730802180-3281108388
                                          • Opcode ID: 4833a71524584f7b56f0bf71057d22a1d3a203c273a0d2e7db0efd1fbdcbf9ec
                                          • Instruction ID: b5e5bdf9c584833b01f0c934a091df39086854388a50827319ec31f510801f87
                                          • Opcode Fuzzy Hash: 4833a71524584f7b56f0bf71057d22a1d3a203c273a0d2e7db0efd1fbdcbf9ec
                                          • Instruction Fuzzy Hash: 68514DB5B01A0087FB18EB7799115AB66DADF84358704C43B9815E73D2FF3C89818E5D
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 86%
                                          			E00403DC8(WCHAR* __ecx) {
                                          				WCHAR* _v8;
                                          				long _v12;
                                          				long _v16;
                                          				short _v104;
                                          				short _v168;
                                          				WCHAR* _t52;
                                          				short* _t55;
                                          				WCHAR* _t60;
                                          				int _t61;
                                          				WCHAR* _t65;
                                          				long _t67;
                                          				WCHAR* _t68;
                                          				WCHAR* _t69;
                                          				int _t71;
                                          				intOrPtr* _t73;
                                          				char* _t78;
                                          				WCHAR* _t79;
                                          				signed int _t94;
                                          				signed int _t96;
                                          				int _t101;
                                          				WCHAR* _t102;
                                          				signed int _t103;
                                          				signed int _t104;
                                          				intOrPtr _t107;
                                          
                                          				_t79 = __ecx;
                                          				_t103 = 0;
                                          				_v8 = __ecx;
                                          				_t107 =  *0x41e148; // 0x1
                                          				if(_t107 == 0) {
                                          					L4:
                                          					_t104 = _t103 << 4;
                                          					if( *((intOrPtr*)(_t104 + 0x41e148)) != 0) {
                                          						_v16 = GetLastError();
                                          						wsprintfW( &_v104, L"SfxString%d", _v8);
                                          						_v12 = GetEnvironmentVariableW( &_v104, 0, 0);
                                          						__eflags = GetLastError();
                                          						if(__eflags != 0) {
                                          							L17:
                                          							SetLastError(_v16);
                                          							_t28 = _t104 + 0x41e154; // 0x0
                                          							_t52 =  *_t28;
                                          							__eflags = _t52;
                                          							if(_t52 == 0) {
                                          								_t29 = _t104 + 0x41e14c; // 0x41b930
                                          								_t78 =  *_t29;
                                          								__eflags =  *(_t104 + 0x41e150) - _t52;
                                          								if(__eflags != 0) {
                                          									__eflags = E00403D6D(_t52) -  *0x41ba18; // 0x419
                                          									if(__eflags == 0) {
                                          										_t31 = _t104 + 0x41e150; // 0x41b848
                                          										_t78 =  *_t31;
                                          									}
                                          								}
                                          								_t32 = lstrlenA(_t78) + 1; // 0x1
                                          								_t101 = _t32;
                                          								_t94 = 2;
                                          								_t33 = _t101 + 2; // 0x3
                                          								_t55 = _t33 * _t94;
                                          								_push( ~(0 | __eflags > 0x00000000) | _t55);
                                          								L004191BC();
                                          								__eflags =  *0x41e10c - 0xffffffff;
                                          								 *(_t104 + 0x41e154) = _t55;
                                          								if( *0x41e10c == 0xffffffff) {
                                          									 *0x41e10c =  *0x41e10c & 0x00000000;
                                          									_t60 = GetLocaleInfoW( *0x41e730 & 0x0000ffff, 0x1004,  &_v168, 0x1f);
                                          									__eflags = _t60;
                                          									if(_t60 > 0) {
                                          										_t61 =  &_v168;
                                          										__imp___wtol(_t61);
                                          										 *0x41e10c = _t61;
                                          									}
                                          								}
                                          								_t43 = _t101 + 1; // 0x2
                                          								_t44 = _t104 + 0x41e154; // 0x0
                                          								MultiByteToWideChar( *0x41e10c, 0, _t78, _t101,  *_t44, _t43);
                                          								_t45 = _t104 + 0x41e154; // 0x0
                                          								_t52 =  *_t45;
                                          							}
                                          							return _t52;
                                          						}
                                          						_t96 = 2;
                                          						_t65 = (_v12 + 2) * _t96;
                                          						_push( ~(0 | __eflags > 0x00000000) | _t65);
                                          						L004191BC();
                                          						_v8 = _t65;
                                          						_t67 = GetEnvironmentVariableW( &_v104, _t65, _v12 + 1);
                                          						__eflags = _t67 - _v12;
                                          						if(_t67 > _v12) {
                                          							L14:
                                          							_push(_v8);
                                          							L15:
                                          							L004191B0();
                                          							L16:
                                          							goto L17;
                                          						}
                                          						_t68 = GetLastError();
                                          						__eflags = _t68;
                                          						if(_t68 != 0) {
                                          							goto L14;
                                          						}
                                          						_t20 = _t104 + 0x41e154; // 0x0
                                          						_t69 =  *_t20;
                                          						__eflags = _t69;
                                          						if(_t69 == 0) {
                                          							 *(_t104 + 0x41e154) = _v8;
                                          							goto L17;
                                          						}
                                          						_t102 = _v8;
                                          						_t71 = lstrcmpiW(_t69, _t102);
                                          						__eflags = _t71;
                                          						if(_t71 == 0) {
                                          							_push(_t102);
                                          							goto L15;
                                          						}
                                          						_t22 = _t104 + 0x41e154; // 0x0
                                          						_push( *_t22);
                                          						L004191B0();
                                          						 *(_t104 + 0x41e154) = _t102;
                                          						goto L16;
                                          					}
                                          					return 0x41aa3c;
                                          				} else {
                                          					_t73 = 0x41e148;
                                          					while( *_t73 != _t79) {
                                          						_t103 = _t103 + 1;
                                          						_t2 = (_t103 << 4) + 0x41e148; // 0x30000000
                                          						_t73 = _t2;
                                          						if( *_t73 != 0) {
                                          							continue;
                                          						}
                                          						goto L4;
                                          					}
                                          					goto L4;
                                          				}
                                          			}




























                                          APIs
                                          • GetLastError.KERNEL32(?,?,00000000), ref: 00403E17
                                          • wsprintfW.USER32 ref: 00403E28
                                          • GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00403E3D
                                          • GetLastError.KERNEL32 ref: 00403E42
                                          • ??2@YAPAXI@Z.MSVCRT ref: 00403E5D
                                          • GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00403E70
                                          • GetLastError.KERNEL32 ref: 00403E77
                                          • lstrcmpiW.KERNEL32(00000000,00000000), ref: 00403E8C
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00403E9C
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00403EBA
                                          • SetLastError.KERNEL32(?), ref: 00403EC3
                                          • lstrlenA.KERNEL32(0041B930), ref: 00403EF9
                                          • ??2@YAPAXI@Z.MSVCRT ref: 00403F14
                                          • GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00403F46
                                          • _wtol.MSVCRT(?), ref: 00403F57
                                          • MultiByteToWideChar.KERNEL32(00000000,0041B930,00000001,00000000,00000002), ref: 00403F77
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: ErrorLast$??2@??3@EnvironmentVariable$ByteCharInfoLocaleMultiWide_wtollstrcmpilstrlenwsprintf
                                          • String ID: HA$SfxString%d
                                          • API String ID: 2117570002-4175495882
                                          • Opcode ID: 53473d18f83b3e9ee352ae200f21e549cb759a1ec37be7ee9584cc68109366a3
                                          • Instruction ID: 826b4a115549d6cfa4e8bf1551a429c7e3dac2c77e478b686eb9c33c06818d2c
                                          • Opcode Fuzzy Hash: 53473d18f83b3e9ee352ae200f21e549cb759a1ec37be7ee9584cc68109366a3
                                          • Instruction Fuzzy Hash: E0518F75A00205BFDB209F65DD499ABBBBCEF44301B10853BE906E6290E738AE54CB59
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 74%
                                          			E004048CC(signed short* __ecx) {
                                          				void* _v8;
                                          				void* _v12;
                                          				signed int _v20;
                                          				char _v24;
                                          				char _v36;
                                          				intOrPtr _v44;
                                          				char _v48;
                                          				intOrPtr _v56;
                                          				char _v60;
                                          				intOrPtr _v68;
                                          				char _v72;
                                          				intOrPtr _v80;
                                          				char _v84;
                                          				intOrPtr _v92;
                                          				char _v96;
                                          				intOrPtr _v104;
                                          				char _v108;
                                          				char _v120;
                                          				char _v644;
                                          				signed int _t99;
                                          				signed short* _t101;
                                          				signed short* _t106;
                                          				char* _t108;
                                          				void* _t119;
                                          				void* _t125;
                                          				void* _t129;
                                          				char* _t133;
                                          				intOrPtr* _t134;
                                          				intOrPtr* _t136;
                                          				intOrPtr* _t138;
                                          				intOrPtr* _t140;
                                          				intOrPtr* _t142;
                                          				intOrPtr* _t144;
                                          				intOrPtr* _t146;
                                          				intOrPtr* _t148;
                                          				intOrPtr* _t150;
                                          				signed int _t158;
                                          				signed short* _t159;
                                          				signed short* _t164;
                                          				intOrPtr* _t174;
                                          				signed short _t176;
                                          				signed int _t179;
                                          				signed short* _t237;
                                          				void* _t238;
                                          
                                          				_t174 = __imp___wtol;
                                          				_t237 = __ecx;
                                          				_t99 =  *__ecx & 0x0000ffff;
                                          				if(_t99 < 0x30 || _t99 > 0x39) {
                                          					_t176 = 0x20;
                                          					_t101 = (_t99 | _t176) - 0x64;
                                          					__eflags = _t101;
                                          					if(_t101 == 0) {
                                          						__eflags = (_t237[1] | _t176) - 0x75;
                                          						_t16 = (0 | (_t237[1] | _t176) != 0x00000075) - 1; // -1
                                          						_t106 = (_t16 & 0xfffffff7) + 0x19;
                                          						__eflags = _t106;
                                          						goto L11;
                                          					}
                                          					_t159 = _t101 - 0xc;
                                          					__eflags = _t159;
                                          					if(_t159 == 0) {
                                          						__eflags = (_t237[1] | _t176) - 0x75;
                                          						_t12 = (0 | (_t237[1] | _t176) != 0x00000075) - 1; // -1
                                          						_t106 = (_t12 & 0xffffffeb) + 0x17;
                                          						goto L11;
                                          					}
                                          					_t164 = _t159 - 3;
                                          					__eflags = _t164;
                                          					if(_t164 == 0) {
                                          						__eflags = (_t237[1] | _t176) - 0x75;
                                          						_t8 = (0 | (_t237[1] | _t176) != 0x00000075) - 1; // -1
                                          						_t106 = (_t8 & 0xfffffff5) + 0x16;
                                          						goto L11;
                                          					}
                                          					__eflags = _t164 != 1;
                                          					if(_t164 != 1) {
                                          						goto L37;
                                          					} else {
                                          						__eflags = (_t237[1] | _t176) - 0x75;
                                          						_t4 = (0 | (_t237[1] | _t176) != 0x00000075) - 1; // -1
                                          						_t106 = (_t4 & 0xffffffef) + 0x18;
                                          						goto L11;
                                          					}
                                          				} else {
                                          					_t106 =  *_t174(__ecx);
                                          					L11:
                                          					while(1) {
                                          						_t179 =  *_t237 & 0x0000ffff;
                                          						if(_t179 == 0x2c) {
                                          							break;
                                          						}
                                          						__eflags = _t179;
                                          						if(_t179 == 0) {
                                          							L36:
                                          							L37:
                                          							return 0;
                                          						}
                                          						_t237 =  &(_t237[1]);
                                          						__eflags = _t237;
                                          					}
                                          					_t108 =  &_v644;
                                          					__imp__SHGetSpecialFolderPathW(0, _t108, _t106, 0);
                                          					if(_t108 != 0) {
                                          						E00411B60(E00411B60(E00411B60(E00411B60(E00411B60(E00411B60(E00411B60(E00411B60(E00411B84( &_v36,  &_v644),  &_v48),  &_v84),  &_v72),  &_v96),  &_v24),  &_v108),  &_v60),  &_v120);
                                          						_t119 = E0040358B(_t237,  &_v48);
                                          						if(_v44 != 0) {
                                          							_t125 = E0040358B(E0040358B(E0040358B(E0040358B(E0040358B(E0040358B(_t119,  &_v84),  &_v72),  &_v96),  &_v24),  &_v108),  &_v60);
                                          							_t232 =  &_v120;
                                          							E0040358B(_t125,  &_v120);
                                          							_t238 =  *_t174(_v120);
                                          							_t246 = _v20;
                                          							if(_v20 == 0) {
                                          								E00411BE5( &_v24, _v48 + 2 + E004038FB( &_v48, _t246) * 2);
                                          								_t158 = E00411DFA( &_v24, 0x2e);
                                          								if(_t158 >= 0) {
                                          									_t232 = _v24;
                                          									_v20 = _t158;
                                          									 *((short*)(_v24 + _t158 * 2)) = 0;
                                          								}
                                          							}
                                          							E004015EC( &_v36, 0x5c);
                                          							_t249 = _v68;
                                          							if(_v68 != 0) {
                                          								E00411CE3( &_v36, _t249,  &_v72);
                                          								E004015EC( &_v36, 0x5c);
                                          							}
                                          							_t129 = E00404772(_v36, _t232);
                                          							_t250 = _t129;
                                          							if(_t129 != 0) {
                                          								E00411CE3( &_v36, _t250,  &_v24);
                                          								E00411CA3( &_v36, L".lnk");
                                          								_t133 =  &_v8;
                                          								_v8 = 0;
                                          								__imp__CoCreateInstance(0x41c85c, 0, 1, 0x41c80c, _t133);
                                          								if(_t133 >= 0) {
                                          									_t134 = _v8;
                                          									_v12 = 0;
                                          									 *((intOrPtr*)( *_t134 + 0x50))(_t134, _v48);
                                          									if(_v92 != 0) {
                                          										_t150 = _v8;
                                          										 *((intOrPtr*)( *_t150 + 0x1c))(_t150, _v96);
                                          									}
                                          									if(_v80 != 0) {
                                          										_t148 = _v8;
                                          										 *((intOrPtr*)( *_t148 + 0x2c))(_t148, _v84);
                                          									}
                                          									if(_v104 != 0) {
                                          										_t146 = _v8;
                                          										 *((intOrPtr*)( *_t146 + 0x24))(_t146, _v108);
                                          									}
                                          									if(_v56 != 0) {
                                          										_t144 = _v8;
                                          										 *((intOrPtr*)( *_t144 + 0x44))(_t144, _v60, _t238);
                                          									}
                                          									_t136 = _v8;
                                          									_push( &_v12);
                                          									_push(0x41c83c);
                                          									_push(_t136);
                                          									if( *((intOrPtr*)( *_t136))() >= 0) {
                                          										_t140 = _v12;
                                          										 *((intOrPtr*)( *_t140 + 0x18))(_t140, _v36, 1);
                                          										_t142 = _v12;
                                          										 *((intOrPtr*)( *_t142 + 8))(_t142);
                                          									}
                                          									_t138 = _v8;
                                          									 *((intOrPtr*)( *_t138 + 8))(_t138);
                                          								}
                                          							}
                                          						}
                                          						_push(_v120);
                                          						L004191B0();
                                          						_push(_v60);
                                          						L004191B0();
                                          						_push(_v108);
                                          						L004191B0();
                                          						_push(_v24);
                                          						L004191B0();
                                          						_push(_v96);
                                          						L004191B0();
                                          						_push(_v72);
                                          						L004191B0();
                                          						_push(_v84);
                                          						L004191B0();
                                          						_push(_v48);
                                          						L004191B0();
                                          						_push(_v36);
                                          						L004191B0();
                                          					}
                                          					goto L36;
                                          				}
                                          			}
















































                                          APIs
                                          • _wtol.MSVCRT ref: 004048ED
                                          • SHGetSpecialFolderPathW.SHELL32(00000000,?,-0000001A,00000000), ref: 0040499D
                                          • _wtol.MSVCRT(?,?), ref: 00404A56
                                          • CoCreateInstance.OLE32(0041C85C,00000000,00000001,0041C80C,?,.lnk,?,0000005C), ref: 00404AF4
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00404B8E
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00404B96
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00404B9E
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00404BA6
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00404BAE
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00404BB6
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00404BBE
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00404BC6
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00404BCE
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: ??3@$_wtol$CreateFolderInstancePathSpecial
                                          • String ID: .lnk
                                          • API String ID: 408529070-24824748
                                          • Opcode ID: c721ed3c7db78f09b0b39f967557b55226c4473dfce0b9a6e1cdd11550fe16c3
                                          • Instruction ID: 83a2d305c882314969b83a1368edb940d706b9a9cbb686142cff4198cf257129
                                          • Opcode Fuzzy Hash: c721ed3c7db78f09b0b39f967557b55226c4473dfce0b9a6e1cdd11550fe16c3
                                          • Instruction Fuzzy Hash: 8891B375900109ABCF04EFA5CC959EEB779BF84304B60457EF502B71A1EB39AE85CB18
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 86%
                                          			E004142CC(signed int __ecx, void* __edx, void* __esi, void* __eflags) {
                                          				void* __edi;
                                          				signed int _t328;
                                          				signed int _t340;
                                          				signed int _t343;
                                          				intOrPtr _t344;
                                          				signed int _t345;
                                          				signed int _t346;
                                          				signed int _t348;
                                          				signed int _t350;
                                          				signed int _t358;
                                          				signed int _t359;
                                          				signed int _t361;
                                          				signed int _t365;
                                          				signed int _t367;
                                          				signed int _t370;
                                          				signed int _t374;
                                          				signed int _t375;
                                          				signed int _t377;
                                          				signed int _t378;
                                          				signed int _t380;
                                          				signed int _t384;
                                          				signed int _t386;
                                          				signed int _t388;
                                          				signed int _t392;
                                          				signed int _t396;
                                          				signed int _t400;
                                          				signed int* _t403;
                                          				signed int _t406;
                                          				signed int _t409;
                                          				signed int _t411;
                                          				signed int _t415;
                                          				signed int _t419;
                                          				signed int _t420;
                                          				intOrPtr* _t421;
                                          				signed int _t426;
                                          				signed int _t430;
                                          				short* _t435;
                                          				signed int _t436;
                                          				signed int _t437;
                                          				signed int _t438;
                                          				unsigned int _t442;
                                          				signed int _t447;
                                          				signed int _t456;
                                          				signed int _t459;
                                          				signed int _t460;
                                          				signed int _t462;
                                          				intOrPtr _t465;
                                          				signed int _t466;
                                          				signed int _t467;
                                          				intOrPtr _t468;
                                          				void* _t469;
                                          				intOrPtr _t477;
                                          				signed int _t478;
                                          				intOrPtr* _t481;
                                          				signed int _t503;
                                          				signed int _t526;
                                          				signed int _t529;
                                          				signed int _t544;
                                          				signed int _t554;
                                          				intOrPtr _t560;
                                          				void* _t571;
                                          				intOrPtr _t573;
                                          				signed int _t574;
                                          				signed int _t576;
                                          				signed int _t589;
                                          				signed int _t590;
                                          				signed int _t591;
                                          				signed int _t592;
                                          				intOrPtr* _t594;
                                          				signed int _t595;
                                          				signed int _t596;
                                          				signed int _t597;
                                          				signed int _t598;
                                          				signed int _t601;
                                          				signed int _t602;
                                          				void* _t605;
                                          				signed int _t606;
                                          				signed int _t608;
                                          				signed int _t609;
                                          				signed int _t610;
                                          				signed int _t611;
                                          				short* _t612;
                                          				intOrPtr _t614;
                                          				intOrPtr _t615;
                                          				void* _t616;
                                          				signed int* _t617;
                                          				void* _t619;
                                          
                                          				_t571 = __edx;
                                          				_t617 = _t619 - 0x44;
                                          				_t459 = _t617[0x16];
                                          				_t589 = _t617[0x17];
                                          				_t617[0xf] = __ecx;
                                          				_t328 = _t589 << 2;
                                          				_t617[0xc] = _t328;
                                          				_t617[8] =  *((intOrPtr*)(_t459 + 8)) +  *( *((intOrPtr*)(_t459 + 0x30)) + _t328) * 8;
                                          				 *((intOrPtr*)(_t617 - 0x18)) = 0;
                                          				 *(_t617 - 0x14) = 0;
                                          				 *((intOrPtr*)(_t617 - 0x10)) = 0;
                                          				 *((intOrPtr*)(_t617 - 0xc)) = 0;
                                          				 *((intOrPtr*)(_t617 - 8)) = 0;
                                          				 *((intOrPtr*)(_t617 - 4)) = 0;
                                          				E00416CB7(_t459, __eflags, _t589, _t617 - 0x18);
                                          				 *_t617 =  *( *((intOrPtr*)(_t459 + 0x34)) + _t589) & 0x000000ff;
                                          				if( *(_t617 - 0x14) <= 0x20) {
                                          					_push(__esi);
                                          					E00413A8C(_t617 - 0x7c);
                                          					 *((intOrPtr*)(_t617 - 0x3c)) = 0;
                                          					 *((intOrPtr*)(_t617 - 0x38)) = 0;
                                          					 *((intOrPtr*)(_t617 - 0x34)) = 0;
                                          					E00414008(_t617 - 0x7c, _t617 - 0x7c, _t571, _t617 - 0x18, __eflags);
                                          					_t340 = E004183C8(_t617 - 0x7c, _t571, _t589);
                                          					__eflags = _t340;
                                          					if(_t340 != 0) {
                                          						_t343 = ( *( *((intOrPtr*)(_t459 + 0x34)) + _t589) & 0x000000ff) +  *(_t617[0xc] +  *((intOrPtr*)(_t459 + 0x2c)));
                                          						_t477 =  *((intOrPtr*)(_t459 + 0x28));
                                          						_t573 =  *((intOrPtr*)(_t477 + _t343 * 8));
                                          						_t344 =  *((intOrPtr*)(_t477 + 4 + _t343 * 8));
                                          						_t478 = _t617[0x18];
                                          						_t617[0x17] = 1;
                                          						__eflags = _t478;
                                          						if(_t478 == 0) {
                                          							L15:
                                          							_t601 = _t617[0xf];
                                          							__eflags =  *_t601;
                                          							if( *_t601 == 0) {
                                          								L17:
                                          								_t345 =  *(_t601 + 0x5c);
                                          								__eflags = _t345;
                                          								if(_t345 != 0) {
                                          									_t345 =  *((intOrPtr*)( *_t345 + 8))(_t345);
                                          									_t54 = _t601 + 0x5c;
                                          									 *_t54 =  *(_t601 + 0x5c) & 0x00000000;
                                          									__eflags =  *_t54;
                                          								}
                                          								_push(0x84);
                                          								L004191BC();
                                          								__eflags = _t345;
                                          								if(__eflags == 0) {
                                          									_t346 = 0;
                                          									__eflags = 0;
                                          								} else {
                                          									_t346 = E00414215(_t345, __eflags, 0);
                                          								}
                                          								 *(_t601 + 0x54) = _t346;
                                          								E004010F2(_t601 + 0x5c, _t346);
                                          								_t348 =  *(_t601 + 0x54);
                                          								__eflags = _t348;
                                          								if(_t348 == 0) {
                                          									_t481 = 0;
                                          									__eflags = 0;
                                          								} else {
                                          									_t481 = _t348 + 4;
                                          								}
                                          								_t574 = _t617 - 0x7c;
                                          								 *((intOrPtr*)(_t601 + 0x58)) = _t481;
                                          								_t350 =  *((intOrPtr*)( *_t481))(_t574);
                                          								_t590 = 0;
                                          								__eflags = _t350;
                                          								if(_t350 == 0) {
                                          									_t617[0x10] = 0;
                                          									__eflags =  *(_t617 - 0x14);
                                          									if(__eflags <= 0) {
                                          										L36:
                                          										E00413AEC(_t601 + 4, __eflags, _t617 - 0x7c);
                                          										E004139AE(_t601 + 0x44, _t617 - 0x3c);
                                          										 *_t601 = 1;
                                          										L37:
                                          										 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t601 + 0x58)))) + 0x10))();
                                          										_t358 =  *(_t617[0xc] +  *((intOrPtr*)(_t459 + 0x2c)));
                                          										_t591 = 0;
                                          										_t617[0xa] = 0;
                                          										 *(_t617 - 0x2c) = _t358;
                                          										_t617[0xd] = 0;
                                          										__eflags =  *(_t617 - 0x14);
                                          										if( *(_t617 - 0x14) <= 0) {
                                          											L76:
                                          											__eflags = _t617[0x19] - _t591;
                                          											if(_t617[0x19] != _t591) {
                                          												__eflags = _t617[0x17];
                                          												_t223 = _t617[0x17] == 0;
                                          												__eflags = _t223;
                                          												_t358 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t601 + 0x58)))) + 0xc))((_t574 & 0xffffff00 | _t223) & 0x000000ff);
                                          											}
                                          											_push(0x30);
                                          											_t617[2] = _t591;
                                          											_t617[3] = _t591;
                                          											_t617[4] = _t591;
                                          											L004191BC();
                                          											__eflags = _t358 - _t591;
                                          											if(_t358 == _t591) {
                                          												_t359 = 0;
                                          												__eflags = 0;
                                          											} else {
                                          												_t359 = E00413E1F(_t358);
                                          											}
                                          											_t617[0x16] = _t359;
                                          											__eflags = _t359 - _t591;
                                          											if(_t359 != _t591) {
                                          												 *((intOrPtr*)( *_t359 + 4))(_t359);
                                          											}
                                          											__eflags =  *((intOrPtr*)(_t617 - 4)) - 1;
                                          											_t460 = _t617[0x13];
                                          											if( *((intOrPtr*)(_t617 - 4)) <= 1) {
                                          												L99:
                                          												_t617[0x1d] = _t591;
                                          												__eflags =  *((intOrPtr*)(_t617 - 4)) - _t591;
                                          												if( *((intOrPtr*)(_t617 - 4)) <= _t591) {
                                          													L113:
                                          													E00413A3E( &(_t617[0x13]), _t617[3]);
                                          													__eflags = _t617[3];
                                          													_t592 = _t617[0x13];
                                          													if(_t617[3] <= 0) {
                                          														L116:
                                          														__eflags = _t617[0x19];
                                          														if(_t617[0x19] == 0) {
                                          															_push(_t592);
                                          															L004191B0();
                                          															_t361 = _t617[0x16];
                                          															__eflags = _t361;
                                          															if(_t361 != 0) {
                                          																_t361 =  *((intOrPtr*)( *_t361 + 8))(_t361);
                                          															}
                                          															E004014A8(_t361,  &(_t617[2]));
                                          															L10:
                                          															_t602 = 0x80004005;
                                          															goto L5;
                                          														}
                                          														_t462 = 0;
                                          														_t617[0x13] = 0;
                                          														__eflags = _t617[0x1a];
                                          														if(_t617[0x1a] != 0) {
                                          															_push( *((intOrPtr*)( *((intOrPtr*)(_t601 + 0x58)) + 0x60)));
                                          															_t374 = E004184BF( *((intOrPtr*)(_t601 + 0x58)));
                                          															__eflags = _t374;
                                          															if(_t374 == 0) {
                                          																_push(0xc);
                                          																L004191BC();
                                          																__eflags = _t374;
                                          																if(_t374 == 0) {
                                          																	_t375 = 0;
                                          																	__eflags = 0;
                                          																} else {
                                          																	_t375 = E00413BE7(_t374, _t617[0x1a]);
                                          																}
                                          																E004010F2( &(_t617[0x13]), _t375);
                                          																_t462 = _t617[0x13];
                                          															}
                                          														}
                                          														_t617[0x18] = _t617[0x19];
                                          														_t367 = _t462;
                                          														__eflags = _t462;
                                          														if(_t462 == 0) {
                                          															_t367 = _t617[0x1a];
                                          														}
                                          														_t602 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t601 + 0x58)))) + 0x18))(_t592,  &(_t617[0x18]), _t367);
                                          														__eflags = _t462;
                                          														if(_t462 != 0) {
                                          															 *((intOrPtr*)( *_t462 + 8))(_t462);
                                          														}
                                          														_push(_t592);
                                          														L004191B0();
                                          														L121:
                                          														_t370 = _t617[0x16];
                                          														__eflags = _t370;
                                          														if(_t370 != 0) {
                                          															_t370 =  *((intOrPtr*)( *_t370 + 8))(_t370);
                                          														}
                                          														E004014A8(_t370,  &(_t617[2]));
                                          														goto L5;
                                          													}
                                          													_t576 = _t617[3];
                                          													_t377 = _t592;
                                          													_t503 = _t617[2] - _t592;
                                          													__eflags = _t503;
                                          													do {
                                          														 *_t377 =  *((intOrPtr*)( *((intOrPtr*)(_t503 + _t377))));
                                          														_t377 = _t377 + 4;
                                          														_t576 = _t576 - 1;
                                          														__eflags = _t576;
                                          													} while (_t576 != 0);
                                          													goto L116;
                                          												} else {
                                          													goto L100;
                                          												}
                                          												do {
                                          													L100:
                                          													_t378 = _t617[8];
                                          													_t617[0x18] = _t617[0x18] & 0x00000000;
                                          													_t594 = _t378 + _t617[0x1d] * 8;
                                          													_t605 =  *_t594 + _t617[0x14];
                                          													_t465 =  *((intOrPtr*)(_t594 + 4));
                                          													asm("adc ebx, [ebp+0x54]");
                                          													__eflags =  *((intOrPtr*)(_t617 - 4)) - 1;
                                          													if( *((intOrPtr*)(_t617 - 4)) != 1) {
                                          														_push(0x20);
                                          														L004191BC();
                                          														__eflags = _t378;
                                          														if(_t378 == 0) {
                                          															_t268 =  &(_t617[0x17]);
                                          															 *_t268 = _t617[0x17] & 0x00000000;
                                          															__eflags =  *_t268;
                                          														} else {
                                          															 *(_t378 + 4) =  *(_t378 + 4) & 0x00000000;
                                          															 *_t378 = 0x41c6e8;
                                          															 *(_t378 + 0x18) =  *(_t378 + 0x18) & 0x00000000;
                                          															_t617[0x17] = _t378;
                                          														}
                                          														E0040CBC0( &(_t617[0x18]), _t617[0x17]);
                                          														_push(_t465);
                                          														_t380 = E00413D5A(_t617[0x17], _t617[0x16], _t605);
                                          														goto L107;
                                          													}
                                          													_t388 = _t617[0x13];
                                          													_t602 =  *((intOrPtr*)( *_t388 + 0x10))(_t388, _t605, _t465, 0, 0);
                                          													__eflags = _t602;
                                          													if(_t602 != 0) {
                                          														goto L121;
                                          													}
                                          													_t380 = E0040CBC0( &(_t617[0x18]), _t617[0x13]);
                                          													L107:
                                          													_push(0x28);
                                          													L004191BC();
                                          													_t606 = 0;
                                          													__eflags = _t380;
                                          													if(_t380 != 0) {
                                          														 *((intOrPtr*)(_t380 + 4)) = 0;
                                          														 *_t380 = 0x41c6f8;
                                          														 *((intOrPtr*)(_t380 + 8)) = 0;
                                          														_t606 = _t380;
                                          													}
                                          													E0040CBC0(E00418703(_t380,  &(_t617[2])), _t606);
                                          													_t278 = _t606 + 8; // 0x8
                                          													E0040CBC0(_t278, _t617[0x18]);
                                          													_t384 = _t617[8];
                                          													_t466 = _t617[0x1d];
                                          													asm("sbb eax, [edi+0x4]");
                                          													 *(_t606 + 0x18) =  *(_t606 + 0x18) & 0x00000000;
                                          													 *(_t606 + 0x1c) =  *(_t606 + 0x1c) & 0x00000000;
                                          													 *((intOrPtr*)(_t606 + 0x14)) =  *((intOrPtr*)(_t384 + 0xc + _t466 * 8));
                                          													_t386 = _t617[0x18];
                                          													 *((intOrPtr*)(_t606 + 0x10)) =  *((intOrPtr*)(_t384 + 8 + _t466 * 8)) -  *_t594;
                                          													 *((char*)(_t606 + 0x20)) = 0;
                                          													__eflags = _t386;
                                          													if(_t386 != 0) {
                                          														 *((intOrPtr*)( *_t386 + 8))(_t386);
                                          													}
                                          													_t467 = _t466 + 1;
                                          													_t617[0x1d] = _t467;
                                          													__eflags = _t467 -  *((intOrPtr*)(_t617 - 4));
                                          												} while (_t467 <  *((intOrPtr*)(_t617 - 4)));
                                          												_t601 = _t617[0xf];
                                          												goto L113;
                                          											} else {
                                          												_t392 = _t617[8];
                                          												asm("adc eax, [ebp+0x54]");
                                          												_t595 =  *((intOrPtr*)( *_t460 + 0x10))(_t460,  *_t392 + _t617[0x14],  *((intOrPtr*)(_t392 + 4)), 0, _t617[0x16] + 0x10);
                                          												__eflags = _t595;
                                          												if(_t595 == 0) {
                                          													E004010F2(_t617[0x16] + 8, _t460);
                                          													_t591 = 0;
                                          													__eflags = 0;
                                          													goto L99;
                                          												}
                                          												_t396 = _t617[0x16];
                                          												__eflags = _t396;
                                          												if(_t396 != 0) {
                                          													_t396 =  *((intOrPtr*)( *_t396 + 8))(_t396);
                                          												}
                                          												E004014A8(_t396,  &(_t617[2]));
                                          												L88:
                                          												_t602 = _t595;
                                          												goto L5;
                                          											}
                                          										}
                                          										_t400 = _t358 << 3;
                                          										__eflags = _t400;
                                          										_t617[6] = 0;
                                          										_t617[5] = _t400;
                                          										do {
                                          											_t608 =  *((intOrPtr*)(_t617 - 0x18)) + _t617[6];
                                          											_t617[1] = _t608;
                                          											_t403 =  *((intOrPtr*)( *( *(_t617[0xf] + 0x58)) + 8))(_t617[0xd]);
                                          											_t526 =  *_t403;
                                          											__eflags = _t526;
                                          											if(_t526 == 0) {
                                          												_t596 = _t403[1];
                                          												_t617[7] = _t596;
                                          											} else {
                                          												_t596 = _t526;
                                          												_t617[7] = _t526;
                                          											}
                                          											_t617[9] = _t617[9] & 0x00000000;
                                          											 *((intOrPtr*)( *_t596))(_t596, 0x41a450,  &(_t617[9]));
                                          											_t406 = _t617[9];
                                          											__eflags = _t406;
                                          											if(_t406 == 0) {
                                          												L50:
                                          												_t617[0xb] = _t617[0xb] & 0x00000000;
                                          												 *((intOrPtr*)( *_t596))(_t596, 0x41a4f0,  &(_t617[0xb]));
                                          												_t529 = _t617[0xb];
                                          												__eflags = _t529;
                                          												if(_t529 == 0) {
                                          													L60:
                                          													_t409 = _t617[7];
                                          													_t617[0x10] = _t617[0x10] & 0x00000000;
                                          													 *((intOrPtr*)( *_t409))(_t409, 0x41a470,  &(_t617[0x10]));
                                          													_t411 = _t617[0x10];
                                          													__eflags = _t411;
                                          													if(_t411 == 0) {
                                          														L64:
                                          														_t609 =  *(_t617[1] + 0x10);
                                          														_t617[1] = _t609;
                                          														E00413A13( &(_t617[0xc]), _t609);
                                          														E00413A3E(_t617 - 0x30, _t609);
                                          														_t468 =  *((intOrPtr*)(_t617 - 0x30));
                                          														_t597 = 0;
                                          														__eflags = _t609;
                                          														if(_t609 == 0) {
                                          															L71:
                                          															_t415 = _t617[0x18];
                                          															__eflags = _t415;
                                          															if(_t415 == 0) {
                                          																L73:
                                          																_t415 =  *((intOrPtr*)(_t617[0x16] + 0x28)) + _t617[5];
                                          																__eflags = _t415;
                                          																goto L74;
                                          															}
                                          															__eflags = _t617[0xd] -  *((intOrPtr*)(_t617 - 0x58));
                                          															if(_t617[0xd] ==  *((intOrPtr*)(_t617 - 0x58))) {
                                          																goto L74;
                                          															}
                                          															goto L73;
                                          														}
                                          														_t610 = _t617[0xc];
                                          														do {
                                          															_t419 = E00413BA9(_t617 - 0x18, _t617[0xa]);
                                          															__eflags = _t419;
                                          															if(_t419 < 0) {
                                          																_t420 = E00413B85(_t617 - 0x18, _t617[0xa]);
                                          																__eflags = _t420;
                                          																if(_t420 < 0) {
                                          																	_push(_t468);
                                          																	L004191B0();
                                          																	_push(_t617[0xc]);
                                          																	L004191B0();
                                          																	goto L4;
                                          																}
                                          																_t421 = _t617[8] + _t420 * 8;
                                          																_t544 =  *((intOrPtr*)(_t421 + 8)) -  *_t421;
                                          																__eflags = _t544;
                                          																asm("sbb edx, [eax+0x4]");
                                          																 *_t610 = _t544;
                                          																 *((intOrPtr*)(_t610 + 4)) =  *((intOrPtr*)(_t421 + 0xc));
                                          																 *(_t468 + _t597 * 4) = _t610;
                                          																goto L70;
                                          															}
                                          															 *(_t468 + _t597 * 4) =  *((intOrPtr*)(_t617[0x16] + 0x28)) + ( *((intOrPtr*)( *((intOrPtr*)(_t617 - 0x10)) + 4 + _t419 * 8)) +  *(_t617 - 0x2c)) * 8;
                                          															L70:
                                          															_t597 = _t597 + 1;
                                          															_t610 = _t610 + 8;
                                          															_t617[0xa] = _t617[0xa] + 1;
                                          															__eflags = _t597 - _t617[1];
                                          														} while (_t597 < _t617[1]);
                                          														goto L71;
                                          													}
                                          													__eflags = _t617[0x17];
                                          													_t602 =  *((intOrPtr*)( *_t411 + 0xc))(_t411, 0 | _t617[0x17] != 0x00000000);
                                          													_t426 = _t617[0x10];
                                          													__eflags = _t602;
                                          													if(_t602 != 0) {
                                          														goto L81;
                                          													}
                                          													__eflags = _t426;
                                          													if(_t426 != 0) {
                                          														 *((intOrPtr*)( *_t426 + 8))(_t426);
                                          													}
                                          													goto L64;
                                          												}
                                          												 *(_t617[0x1d]) = 1;
                                          												_t430 = _t617[0x1c];
                                          												_t598 = 0;
                                          												__eflags = _t430;
                                          												if(_t430 == 0) {
                                          													 *((intOrPtr*)( *_t529 + 8))(_t529);
                                          													goto L4;
                                          												}
                                          												_t617[0xe] = 0;
                                          												_t602 =  *((intOrPtr*)( *_t430 + 0xc))(_t430,  &(_t617[0xe]));
                                          												__eflags = _t602;
                                          												if(_t602 != 0) {
                                          													__imp__#6(_t617[0xe]);
                                          													_t426 = _t617[0xb];
                                          													__eflags = _t426;
                                          													goto L82;
                                          												}
                                          												_t611 = _t617[0x1f];
                                          												 *(_t617[0x1e]) = 1;
                                          												_t435 =  *_t611;
                                          												 *(_t611 + 4) = 0;
                                          												 *_t435 = 0;
                                          												__eflags = _t617[0xe];
                                          												if(_t617[0xe] != 0) {
                                          													_t435 = E00411BE5(_t611, _t617[0xe]);
                                          													_t598 =  *(_t611 + 4);
                                          												}
                                          												_t469 = _t598 + _t598;
                                          												_push(_t469);
                                          												L004191BC();
                                          												_t554 = 0;
                                          												_t612 = _t435;
                                          												__eflags = _t598;
                                          												if(_t598 == 0) {
                                          													L57:
                                          													_t436 = _t617[0xb];
                                          													_t437 =  *((intOrPtr*)( *_t436 + 0xc))(_t436, _t612, _t469);
                                          													_t595 = _t437;
                                          													L004191B0();
                                          													__imp__#6(_t617[0xe], _t612);
                                          													_t438 = _t617[0xb];
                                          													__eflags = _t595;
                                          													if(_t595 != 0) {
                                          														__eflags = _t438;
                                          														if(_t438 != 0) {
                                          															 *((intOrPtr*)( *_t438 + 8))(_t438);
                                          														}
                                          														goto L88;
                                          													}
                                          													__eflags = _t438;
                                          													if(_t438 != 0) {
                                          														 *((intOrPtr*)( *_t438 + 8))(_t438);
                                          													}
                                          													goto L60;
                                          												} else {
                                          													do {
                                          														_t442 =  *(_t617[0xe] + _t554 * 2) & 0x0000ffff;
                                          														 *(_t612 + _t554 * 2) = _t442;
                                          														 *((char*)(_t612 + 1 + _t554 * 2)) = _t442 >> 8;
                                          														_t554 = _t554 + 1;
                                          														__eflags = _t554 - _t598;
                                          													} while (_t554 < _t598);
                                          													goto L57;
                                          												}
                                          											} else {
                                          												_t560 =  *((intOrPtr*)(_t608 + 0xc));
                                          												__eflags = _t560 - 0xffffffff;
                                          												if(_t560 > 0xffffffff) {
                                          													 *((intOrPtr*)( *_t406 + 8))(_t406);
                                          													goto L4;
                                          												}
                                          												_t602 =  *((intOrPtr*)( *_t406 + 0xc))(_t406,  *((intOrPtr*)(_t608 + 8)), _t560);
                                          												__eflags = _t602 - 0x80070057;
                                          												if(_t602 == 0x80070057) {
                                          													_t602 = 0x80004001;
                                          												}
                                          												_t426 = _t617[9];
                                          												__eflags = _t602;
                                          												if(_t602 != 0) {
                                          													L81:
                                          													__eflags = _t426;
                                          													L82:
                                          													if(__eflags != 0) {
                                          														 *((intOrPtr*)( *_t426 + 8))(_t426);
                                          													}
                                          													goto L5;
                                          												} else {
                                          													__eflags = _t426;
                                          													if(_t426 != 0) {
                                          														 *((intOrPtr*)( *_t426 + 8))(_t426);
                                          													}
                                          													goto L50;
                                          												}
                                          											}
                                          											L74:
                                          											_t574 =  *( *(_t617[0xf] + 0x58));
                                          											 *((intOrPtr*)(_t574 + 0x14))(_t617[0xd], _t415, _t468);
                                          											_push(_t468);
                                          											L004191B0();
                                          											_push(_t617[0xc]);
                                          											L004191B0();
                                          											_t617[0xd] = _t617[0xd] + 1;
                                          											_t358 = _t617[0xd];
                                          											_t617[5] = _t617[5] + 8;
                                          											_t617[6] = _t617[6] + 0x18;
                                          											__eflags = _t358 -  *(_t617 - 0x14);
                                          										} while (_t358 <  *(_t617 - 0x14));
                                          										_t601 = _t617[0xf];
                                          										_t591 = 0;
                                          										__eflags = 0;
                                          										goto L76;
                                          									} else {
                                          										goto L28;
                                          									}
                                          									while(1) {
                                          										L28:
                                          										_t614 =  *((intOrPtr*)(_t617 - 0x18));
                                          										 *(_t617 - 0x28) =  *(_t617 - 0x28) & 0x00000000;
                                          										 *(_t617 - 0x24) =  *(_t617 - 0x24) & 0x00000000;
                                          										_t447 = E004120C1(0, _t617 - 0x28, __eflags,  *((intOrPtr*)(_t614 + _t590)),  *((intOrPtr*)(_t614 + _t590 + 4)));
                                          										_t617[7] = _t447;
                                          										__eflags = _t447;
                                          										if(_t447 != 0) {
                                          											break;
                                          										}
                                          										_t615 =  *((intOrPtr*)(_t614 + _t590 + 0x10));
                                          										__eflags = _t615 - 1;
                                          										if(_t615 != 1) {
                                          											__eflags =  *(_t617 - 0x24);
                                          											if( *(_t617 - 0x24) == 0) {
                                          												L31:
                                          												E0041212C(_t617 - 0x28);
                                          												goto L4;
                                          											}
                                          											__eflags =  *((intOrPtr*)(_t617 - 0x1c)) - _t615;
                                          											if( *((intOrPtr*)(_t617 - 0x1c)) != _t615) {
                                          												goto L31;
                                          											}
                                          											L34:
                                          											_t574 = _t617 - 0x28;
                                          											 *((intOrPtr*)( *( *(_t617[0xf] + 0x58)) + 4))(_t574);
                                          											E0041212C(_t617 - 0x28);
                                          											_t617[0x10] = _t617[0x10] + 1;
                                          											_t590 = _t590 + 0x18;
                                          											__eflags = _t617[0x10] -  *(_t617 - 0x14);
                                          											if(__eflags < 0) {
                                          												continue;
                                          											} else {
                                          												_t601 = _t617[0xf];
                                          												goto L36;
                                          											}
                                          										}
                                          										__eflags =  *(_t617 - 0x28) - _t447;
                                          										if( *(_t617 - 0x28) != _t447) {
                                          											goto L34;
                                          										}
                                          										goto L31;
                                          									}
                                          									E0041212C(_t617 - 0x28);
                                          									_t602 = _t617[7];
                                          									goto L5;
                                          								} else {
                                          									_t602 = _t350;
                                          									L5:
                                          									_push( *((intOrPtr*)(_t617 - 0x3c)));
                                          									L004191B0();
                                          									E00413ABD(_t617 - 0x7c);
                                          									E00414189(_t617 - 0x18, _t602);
                                          									_t365 = _t602;
                                          									goto L2;
                                          								}
                                          							}
                                          							_t574 = _t601 + 4;
                                          							_t456 = E00413C65(_t617 - 0x7c, _t478, _t574);
                                          							__eflags = _t456;
                                          							if(_t456 != 0) {
                                          								goto L37;
                                          							}
                                          							goto L17;
                                          						}
                                          						_t616 =  *_t478;
                                          						_t478 =  *(_t478 + 4);
                                          						__eflags = _t478 - _t344;
                                          						if(__eflags < 0) {
                                          							__eflags = _t616 - _t573;
                                          							L12:
                                          							if(__eflags != 0) {
                                          								L14:
                                          								_t617[0x17] = 0;
                                          								goto L15;
                                          							}
                                          							_t617[0x17] = 1;
                                          							__eflags = _t478 - _t344;
                                          							if(_t478 == _t344) {
                                          								goto L15;
                                          							}
                                          							goto L14;
                                          						}
                                          						if(__eflags > 0) {
                                          							goto L10;
                                          						}
                                          						__eflags = _t616 - _t573;
                                          						if(__eflags <= 0) {
                                          							goto L12;
                                          						}
                                          						goto L10;
                                          					}
                                          					L4:
                                          					_t602 = 0x80004001;
                                          					goto L5;
                                          				} else {
                                          					E00414189(_t617 - 0x18, __esi);
                                          					_t365 = 0x80004001;
                                          					L2:
                                          					return _t365;
                                          				}
                                          			}
                                          0x00414648
                                          0x00414651
                                          0x00414657
                                          0x0041465a
                                          0x0041465c
                                          0x004147f7
                                          0x004147f9
                                          0x004147fe
                                          0x004147fe
                                          0x00000000
                                          0x004147f9
                                          0x00414662
                                          0x00414664
                                          0x00414669
                                          0x00414669
                                          0x00000000
                                          0x00414624
                                          0x00414624
                                          0x00414627
                                          0x0041462b
                                          0x00414631
                                          0x00414635
                                          0x00414636
                                          0x00414636
                                          0x00000000
                                          0x00414624
                                          0x0041456b
                                          0x0041456b
                                          0x0041456e
                                          0x00414571
                                          0x004147c1
                                          0x00000000
                                          0x004147c1
                                          0x00414582
                                          0x00414584
                                          0x0041458a
                                          0x0041458c
                                          0x0041458c
                                          0x00414591
                                          0x00414594
                                          0x00414596
                                          0x004147c9
                                          0x004147c9
                                          0x004147cb
                                          0x004147cb
                                          0x004147d4
                                          0x004147d4
                                          0x00000000
                                          0x0041459c
                                          0x0041459c
                                          0x0041459e
                                          0x004145a3
                                          0x004145a3
                                          0x00000000
                                          0x0041459e
                                          0x00414596
                                          0x0041474c
                                          0x00414752
                                          0x00414759
                                          0x0041475c
                                          0x0041475d
                                          0x00414762
                                          0x00414765
                                          0x0041476a
                                          0x0041476d
                                          0x00414770
                                          0x00414774
                                          0x0041477a
                                          0x0041477a
                                          0x00414783
                                          0x00414786
                                          0x00414786
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x0041445a
                                          0x0041445a
                                          0x0041445a
                                          0x0041445d
                                          0x00414461
                                          0x00414471
                                          0x00414476
                                          0x00414479
                                          0x0041447b
                                          0x00000000
                                          0x00000000
                                          0x00414481
                                          0x00414485
                                          0x00414488
                                          0x0041449c
                                          0x004144a0
                                          0x0041448f
                                          0x00414492
                                          0x00000000
                                          0x00414492
                                          0x004144a2
                                          0x004144a5
                                          0x00000000
                                          0x00000000
                                          0x004144a7
                                          0x004144af
                                          0x004144b3
                                          0x004144b9
                                          0x004144be
                                          0x004144c4
                                          0x004144c7
                                          0x004144ca
                                          0x00000000
                                          0x004144cc
                                          0x004144cc
                                          0x00000000
                                          0x004144cc
                                          0x004144ca
                                          0x0041448a
                                          0x0041448d
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x0041448d
                                          0x0041453f
                                          0x00414544
                                          0x00000000
                                          0x0041444b
                                          0x0041444b
                                          0x0041436f
                                          0x0041436f
                                          0x00414372
                                          0x0041437b
                                          0x00414383
                                          0x00414388
                                          0x00000000
                                          0x0041438a
                                          0x00414449
                                          0x004143e0
                                          0x004143e6
                                          0x004143eb
                                          0x004143ed
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x004143ed
                                          0x004143b2
                                          0x004143b4
                                          0x004143b7
                                          0x004143b9
                                          0x004143c8
                                          0x004143ca
                                          0x004143ca
                                          0x004143d4
                                          0x004143d4
                                          0x00000000
                                          0x004143d4
                                          0x004143cc
                                          0x004143d0
                                          0x004143d2
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x004143d2
                                          0x004143bb
                                          0x00000000
                                          0x00000000
                                          0x004143bd
                                          0x004143bf
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x004143bf
                                          0x0041436a
                                          0x0041436a
                                          0x00000000
                                          0x00414329
                                          0x0041432c
                                          0x00414331
                                          0x00414336
                                          0x0041433c
                                          0x0041433c

                                          APIs
                                            • Part of subcall function 00416CB7: _CxxThrowException.MSVCRT(?,0041C9D4), ref: 00416CFF
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00414372
                                            • Part of subcall function 00414189: ??3@YAXPAX@Z.MSVCRT ref: 0041418F
                                            • Part of subcall function 00414189: ??3@YAXPAX@Z.MSVCRT ref: 00414197
                                          • ??2@YAPAXI@Z.MSVCRT ref: 00414409
                                          • ??2@YAPAXI@Z.MSVCRT ref: 00414616
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00414648
                                          • SysFreeString.OLEAUT32(?), ref: 00414651
                                          • ??3@YAXPAX@Z.MSVCRT ref: 0041475D
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00414765
                                          • ??2@YAPAXI@Z.MSVCRT ref: 004147AB
                                          • SysFreeString.OLEAUT32(?), ref: 004147EA
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: ??3@$??2@$FreeString$ExceptionThrow
                                          • String ID:
                                          • API String ID: 3050852170-0
                                          • Opcode ID: df0634a2fd8873a05269928fc73e1080aacfbae2404e68989a71398f861edbf4
                                          • Instruction ID: 63c1d7170cb7f9ccbcc5f7ed3098d04a866bf1aea97f2543f5bdc1a1635b749d
                                          • Opcode Fuzzy Hash: df0634a2fd8873a05269928fc73e1080aacfbae2404e68989a71398f861edbf4
                                          • Instruction Fuzzy Hash: 82525671A00209DFCB14DF64C894AEE7BB5BF88318F25415AF8169B351DB39ED81CB98
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 87%
                                          			E004039F0(CHAR* __ecx, CHAR* __edx, intOrPtr* _a4) {
                                          				struct HINSTANCE__* _v8;
                                          				CHAR* _v12;
                                          				CHAR* _v16;
                                          				short _v80;
                                          				struct HINSTANCE__* _t14;
                                          				void* _t16;
                                          				struct HRSRC__* _t28;
                                          				_Unknown_base(*)()* _t29;
                                          				intOrPtr* _t35;
                                          
                                          				_v12 = __edx;
                                          				_v16 = __ecx;
                                          				_t14 = GetModuleHandleW(0);
                                          				_v8 = _t14;
                                          				_t28 = FindResourceExA(_t14, _v16, _v12,  *0x41e730 & 0x0000ffff);
                                          				if(_t28 != 0) {
                                          					L2:
                                          					_t35 = _a4;
                                          					if(_t35 != 0) {
                                          						 *_t35 = SizeofResource(_v8, _t28);
                                          					}
                                          					_t16 = LoadResource(_v8, _t28);
                                          					if(_t16 == 0) {
                                          						L6:
                                          						if( *0x41e734 != 0) {
                                          							L10:
                                          							return 0;
                                          						}
                                          						 *0x41e734 = 1;
                                          						_t29 = GetProcAddress( *0x41e75c, "SetProcessPreferredUILanguages");
                                          						wsprintfW( &_v80, L"%04X%c%04X%c",  *0x41e730 & 0x0000ffff, 0, 0x409, 0);
                                          						if(_t29 != 0) {
                                          							L9:
                                          							 *_t29(4,  &_v80, 0);
                                          							goto L10;
                                          						}
                                          						_t29 = GetProcAddress( *0x41e75c, "SetThreadPreferredUILanguages");
                                          						if(_t29 == 0) {
                                          							goto L10;
                                          						}
                                          						goto L9;
                                          					} else {
                                          						return LockResource(_t16);
                                          					}
                                          				}
                                          				_t28 = FindResourceExA(_v8, _v16, _v12, 0x409);
                                          				if(_t28 == 0) {
                                          					goto L6;
                                          				}
                                          				goto L2;
                                          			}













                                          APIs
                                          • GetModuleHandleW.KERNEL32(00000000), ref: 00403A01
                                          • FindResourceExA.KERNEL32(00000000,?,?), ref: 00403A1F
                                          • FindResourceExA.KERNEL32(?,?,?,00000409), ref: 00403A36
                                          • SizeofResource.KERNEL32(?,00000000), ref: 00403A49
                                          • LoadResource.KERNEL32(?,00000000), ref: 00403A55
                                          • LockResource.KERNEL32(00000000), ref: 00403A60
                                          • GetProcAddress.KERNEL32(SetProcessPreferredUILanguages), ref: 00403A8C
                                          • wsprintfW.USER32 ref: 00403AA6
                                          • GetProcAddress.KERNEL32(SetThreadPreferredUILanguages), ref: 00403ABE
                                          Strings
                                          • %04X%c%04X%c, xrefs: 00403AA0
                                          • SetThreadPreferredUILanguages, xrefs: 00403AB3
                                          • SetProcessPreferredUILanguages, xrefs: 00403A77
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: Resource$AddressFindProc$HandleLoadLockModuleSizeofwsprintf
                                          • String ID: %04X%c%04X%c$SetProcessPreferredUILanguages$SetThreadPreferredUILanguages
                                          • API String ID: 2090077119-3413765421
                                          • Opcode ID: 8f248b3f3ccdae2e627c25948350bafec117c70763480a7fd32ce54566ccef8a
                                          • Instruction ID: ed0741534da578f5e66d3de38586fa322f1091544de9e69cad048277579e345e
                                          • Opcode Fuzzy Hash: 8f248b3f3ccdae2e627c25948350bafec117c70763480a7fd32ce54566ccef8a
                                          • Instruction Fuzzy Hash: C2214175A01308BBDB119FA5DD45BAE7FBCEB04701F108036FA40A22A1E7B59E50DB59
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 94%
                                          			E0040340F(WCHAR* __ecx, void* __edx, void* __eflags) {
                                          				WCHAR* _v16;
                                          				void* _v20;
                                          				struct _WIN32_FIND_DATAW _v612;
                                          				void* _t26;
                                          				int _t29;
                                          				int _t36;
                                          				int _t37;
                                          				int _t44;
                                          				WCHAR* _t45;
                                          				void* _t54;
                                          
                                          				_t54 = __edx;
                                          				_t45 = __ecx;
                                          				E00411B84( &_v16, __ecx);
                                          				E00411CA3( &_v16, 0x41abcc);
                                          				_t26 = FindFirstFileW(_v16,  &_v612);
                                          				_v20 = _t26;
                                          				if(_t26 == 0xffffffff) {
                                          					L11:
                                          					SetCurrentDirectoryW( *0x41e794);
                                          					if(SetFileAttributesW(_t45, 0) == 0 || RemoveDirectoryW(_t45) == 0) {
                                          						goto L14;
                                          					} else {
                                          						_push(_v16);
                                          						L004191B0();
                                          						_t29 = 1;
                                          					}
                                          				} else {
                                          					do {
                                          						E00411BE5( &_v16, _t45);
                                          						E004015EC( &_v16, 0x5c);
                                          						E00411CA3( &_v16,  &(_v612.cFileName));
                                          						if((_v612.dwFileAttributes & 0x00000010) == 0) {
                                          							_t36 = SetFileAttributesW(_v16, 0);
                                          							__eflags = _t36;
                                          							if(_t36 == 0) {
                                          								goto L14;
                                          							} else {
                                          								_t37 = DeleteFileW(_v16);
                                          								goto L8;
                                          							}
                                          						} else {
                                          							if(lstrcmpW( &(_v612.cFileName), 0x41abc8) == 0) {
                                          								goto L9;
                                          							} else {
                                          								_t44 = lstrcmpW( &(_v612.cFileName), 0x41abc0);
                                          								_t61 = _t44;
                                          								if(_t44 == 0) {
                                          									goto L9;
                                          								} else {
                                          									_t37 = E0040340F(_v16, _t54, _t61);
                                          									L8:
                                          									if(_t37 == 0) {
                                          										L14:
                                          										_push(_v16);
                                          										L004191B0();
                                          										_t29 = 0;
                                          										__eflags = 0;
                                          									} else {
                                          										goto L9;
                                          									}
                                          								}
                                          							}
                                          						}
                                          						goto L15;
                                          						L9:
                                          					} while (FindNextFileW(_v20,  &_v612) != 0);
                                          					FindClose(_v20);
                                          					goto L11;
                                          				}
                                          				L15:
                                          				return _t29;
                                          			}














                                          APIs
                                            • Part of subcall function 00411B84: memcpy.MSVCRT ref: 00411BAA
                                            • Part of subcall function 00411CA3: memcpy.MSVCRT ref: 00411CD0
                                          • FindFirstFileW.KERNEL32(?,?,0041ABCC,?,00000000,?,00000000), ref: 0040343D
                                          • lstrcmpW.KERNEL32(?,0041ABC8,?,0000005C,?), ref: 00403492
                                          • lstrcmpW.KERNEL32(?,0041ABC0), ref: 004034A4
                                          • SetFileAttributesW.KERNEL32(?,00000000,?,0000005C,?), ref: 004034B9
                                          • DeleteFileW.KERNEL32(?), ref: 004034C2
                                          • FindNextFileW.KERNEL32(?,00000010), ref: 004034D6
                                          • FindClose.KERNEL32(?), ref: 004034E7
                                          • SetCurrentDirectoryW.KERNEL32 ref: 004034F3
                                          • SetFileAttributesW.KERNEL32(?,00000000), ref: 004034FC
                                          • RemoveDirectoryW.KERNEL32(?), ref: 00403503
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00403510
                                            • Part of subcall function 00411BE5: ??2@YAPAXI@Z.MSVCRT ref: 00411C17
                                            • Part of subcall function 00411BE5: ??3@YAXPAX@Z.MSVCRT ref: 00411C20
                                            • Part of subcall function 00411BE5: memcpy.MSVCRT ref: 00411C38
                                          • ??3@YAXPAX@Z.MSVCRT ref: 0040351D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: File$??3@Findmemcpy$AttributesDirectorylstrcmp$??2@CloseCurrentDeleteFirstNextRemove
                                          • String ID:
                                          • API String ID: 1254520193-0
                                          • Opcode ID: 7a0cc52987e10b306273168bc7b1450918bc92346f95d027ca190b23946f7533
                                          • Instruction ID: 184ccade124785ef3e2e24a1a723902e2d1148a2b40179e28e9aacba309f937e
                                          • Opcode Fuzzy Hash: 7a0cc52987e10b306273168bc7b1450918bc92346f95d027ca190b23946f7533
                                          • Instruction Fuzzy Hash: BC31AE31A05109BADB12AFB1ED49FEE7B7CAF00315F1041B7A512B11E1EB78AF50CA18
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 92%
                                          			E0040976C(void* __edx, short _a4, WCHAR* _a8, char _a12) {
                                          				char* _v8;
                                          				long _v12;
                                          				short _v2060;
                                          				WCHAR* _t28;
                                          				long _t32;
                                          				int _t36;
                                          				WCHAR* _t38;
                                          				WCHAR* _t41;
                                          				WCHAR* _t50;
                                          				char* _t52;
                                          				short _t62;
                                          				void* _t65;
                                          				signed int _t66;
                                          				signed int _t69;
                                          				long _t75;
                                          
                                          				_t65 = __edx;
                                          				_t28 = E00403DC8(_a8);
                                          				_t52 =  &_a12;
                                          				_v8 = _t52;
                                          				wvsprintfW( &_v2060, _t28, _t52);
                                          				if(_a4 == 0) {
                                          					L4:
                                          					return E00409686( &_v2060, _t65);
                                          				}
                                          				_t32 = GetLastError();
                                          				_v12 = _t32;
                                          				if(FormatMessageW(0x1100, 0, _t32,  *0x41e730 & 0x0000ffff,  &_a4, 0,  &_v8) != 0) {
                                          					L3:
                                          					_t69 = lstrlenW( &_v2060);
                                          					_t36 = lstrlenW(_a4);
                                          					_t37 = _t36 + _t69 + 2;
                                          					_t66 = 2;
                                          					_t38 = (_t36 + _t69 + 2) * _t66;
                                          					_push( ~(0 | _t75 > 0x00000000) | _t38);
                                          					L004191BC();
                                          					_t50 = _t38;
                                          					lstrcpyW(_t50,  &_v2060);
                                          					_t62 = 0xa;
                                          					_t41 =  &(_t50[_t69]);
                                          					 *_t41 = _t62;
                                          					lstrcpyW( &(_t41[1]), _a4);
                                          					E00409686(_t50, _t37 * _t66 >> 0x20);
                                          					_push(_t50);
                                          					L004191B0();
                                          					return LocalFree(_a4);
                                          				}
                                          				_t75 = FormatMessageW(0x1100, 0, _v12, 0,  &_a4, 0,  &_v8);
                                          				if(_t75 == 0) {
                                          					goto L4;
                                          				}
                                          				goto L3;
                                          			}



















                                          APIs
                                          • wvsprintfW.USER32(?,00000000,?), ref: 0040978F
                                          • GetLastError.KERNEL32 ref: 004097A0
                                          • FormatMessageW.KERNEL32(00001100,00000000,00000000,?,?,00000000,005625D8), ref: 004097C8
                                          • FormatMessageW.KERNEL32(00001100,00000000,?,00000000,?,00000000,005625D8), ref: 004097DD
                                          • lstrlenW.KERNEL32(?), ref: 004097F0
                                          • lstrlenW.KERNEL32(?), ref: 004097F7
                                          • ??2@YAPAXI@Z.MSVCRT ref: 0040980C
                                          • lstrcpyW.KERNEL32 ref: 00409822
                                          • lstrcpyW.KERNEL32 ref: 00409834
                                          • ??3@YAXPAX@Z.MSVCRT ref: 0040983E
                                          • LocalFree.KERNEL32(?), ref: 00409847
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: FormatMessagelstrcpylstrlen$??2@??3@ErrorFreeLastLocalwvsprintf
                                          • String ID:
                                          • API String ID: 829399097-0
                                          • Opcode ID: b2030270bde81b4daa43bdf2f577ff0132095ed7036c45623ff638920c9a2ac7
                                          • Instruction ID: ce60ff98e11a79a3a696769abfe051056d5f9fd39bbc67ce90a5294729797a98
                                          • Opcode Fuzzy Hash: b2030270bde81b4daa43bdf2f577ff0132095ed7036c45623ff638920c9a2ac7
                                          • Instruction Fuzzy Hash: 22216476900118FFDB14AFA1DC85DEE7BBCEF08354F00847AF90597191EA349E848BA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 51%
                                          			E004178D6(signed int __ecx, signed int __edx, signed int _a4, signed int _a8, short _a12, signed int _a16, intOrPtr _a20, char _a24, signed int _a28, signed int _a32, signed int _a36, signed int _a40, signed int _a44, void* _a48, signed int _a52, signed int _a56, signed int _a60, signed int _a64, signed int _a68, signed int _a72, signed int _a76, signed int _a80, intOrPtr _a84, signed int _a88, signed int _a92, signed int _a96, void* _a100, signed int _a108, signed int _a112, unsigned int _a116, signed int _a120, signed int _a124) {
                                          				signed int _v4;
                                          				signed int _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed int _v24;
                                          				signed int _v28;
                                          				signed int _v32;
                                          				signed int _v36;
                                          				signed int _v40;
                                          				signed int _v44;
                                          				char _v104;
                                          				char _v117;
                                          				void* _v176;
                                          				char _v1308606084;
                                          				void* __ebx;
                                          				signed int __edi;
                                          				signed int* __esi;
                                          				void* __ebp;
                                          				void* _t373;
                                          				signed int _t376;
                                          				signed int _t386;
                                          				signed int _t390;
                                          				signed int _t395;
                                          				signed int _t396;
                                          				signed int _t401;
                                          				intOrPtr* _t404;
                                          				signed int _t405;
                                          				signed int _t406;
                                          				void* _t407;
                                          				void* _t409;
                                          				signed int _t413;
                                          				void* _t417;
                                          				signed int _t420;
                                          				signed int _t434;
                                          				void* _t452;
                                          				signed int _t454;
                                          				signed int _t455;
                                          				signed int _t456;
                                          				intOrPtr* _t457;
                                          				signed int _t458;
                                          				signed int _t461;
                                          				signed int _t463;
                                          				signed int _t475;
                                          				signed int _t482;
                                          				signed int _t494;
                                          				unsigned int _t496;
                                          				void* _t500;
                                          				signed int _t517;
                                          				signed int _t537;
                                          				signed int _t552;
                                          				signed int _t554;
                                          				signed int _t556;
                                          				signed int _t557;
                                          				signed int _t560;
                                          				signed int _t563;
                                          				signed int _t565;
                                          				signed int _t567;
                                          				intOrPtr* _t569;
                                          				intOrPtr* _t570;
                                          				signed int _t572;
                                          				intOrPtr* _t577;
                                          				signed int _t578;
                                          				void* _t580;
                                          				signed int _t581;
                                          
                                          				_t551 = __edx;
                                          				_t578 =  &_v104;
                                          				_t581 = _t580 - 0x90;
                                          				_t572 = __ecx;
                                          				_t373 = E00416087( *((intOrPtr*)(__ecx + 0x38)));
                                          				_t482 = _a108;
                                          				if(_t373 != 2) {
                                          					_t563 = 0;
                                          					__eflags = 0;
                                          				} else {
                                          					_t563 = 0;
                                          					_t587 = __edx;
                                          					if(__edx == 0) {
                                          						E00416899(__ecx, __edx, _t587, _t482 + 0xe0);
                                          						_t373 = E00416087( *(_t572 + 0x38));
                                          					}
                                          				}
                                          				_a72 = _t563;
                                          				_a76 = _t563;
                                          				_a80 = _t563;
                                          				if(_t373 != 3) {
                                          					L9:
                                          					_a36 = _t563;
                                          					_a40 = _t563;
                                          					_a44 = _t563;
                                          					_v44 = _t563;
                                          					_v40 = _t563;
                                          					_v36 = _t563;
                                          					_v32 = _t563;
                                          					_v28 = _t563;
                                          					_v24 = _t563;
                                          					__eflags = _t373 - 4;
                                          					if(_t373 == 4) {
                                          						__eflags = _t551 - _t563;
                                          						if(__eflags == 0) {
                                          							_t569 = _t482 + 0xf8;
                                          							E004175D3(_t482, _t572, _t551, _t572, __eflags,  &_a72, _t569, _t482,  &_a36,  &_v44);
                                          							 *_t569 =  *_t569 +  *((intOrPtr*)(_t482 + 0xf0));
                                          							asm("adc [edi+0x4], eax");
                                          							_t373 = E00416087( *(_t572 + 0x38));
                                          							_t563 = 0;
                                          							__eflags = 0;
                                          						}
                                          					}
                                          					 *(_t482 + 0x5c) = _t563;
                                          					__eflags = _t373 - 5;
                                          					if(__eflags != 0) {
                                          						L85:
                                          						E00416630(_t482, _t482, _t551, __eflags);
                                          						_push(_v32);
                                          						L004191B0();
                                          						_push(_v44);
                                          						L004191B0();
                                          						_push(_a36);
                                          						L004191B0();
                                          						E0041673C( &_a72);
                                          						_t376 = 0;
                                          						__eflags = 0;
                                          						goto L86;
                                          					} else {
                                          						__eflags = _t551 - _t563;
                                          						if(__eflags == 0) {
                                          							_a108 = E004160BB( *(_t572 + 0x38), _t551, _t572, __eflags);
                                          							E00416309(_t482 + 0x58, _t377);
                                          							 *(_t482 + 0x5c) = _a108;
                                          							E004166F2(_t482 + 0x108, _t551, 9, _t563);
                                          							E004166F2(_t482 + 0x108, _t551, 6, _t563);
                                          							__eflags = _a108 - _t563;
                                          							if(__eflags > 0) {
                                          								__eflags = _v40 - _t563;
                                          								if(__eflags != 0) {
                                          									E004166F2(_t482 + 0x108, _t551, 0xa, _t563);
                                          								}
                                          							}
                                          							_t565 = _a108;
                                          							_a60 = 0;
                                          							_a64 = 0;
                                          							_a68 = 0;
                                          							E004167C5( &_a60, _t565, __eflags);
                                          							_a24 = 0;
                                          							_a28 = 0;
                                          							_a32 = 0;
                                          							_a48 = 0;
                                          							_a52 = 0;
                                          							_a56 = 0;
                                          							_a124 = 0;
                                          							while(1) {
                                          								L67:
                                          								_t386 = E00416087( *(_t572 + 0x38));
                                          								_t494 =  *(_t572 + 0x38);
                                          								_a92 = _t386;
                                          								__eflags = _t386 | _t551;
                                          								_a96 = _t551;
                                          								if((_t386 | _t551) == 0) {
                                          									break;
                                          								}
                                          								_a84 = E00416087(_t494);
                                          								_t389 =  *(_t572 + 0x38);
                                          								_t496 =  *((intOrPtr*)( *(_t572 + 0x38) + 4)) -  *((intOrPtr*)( *(_t572 + 0x38) + 8));
                                          								_a88 = _t551;
                                          								_t551 = 0;
                                          								__eflags = _a88;
                                          								if(__eflags > 0) {
                                          									L87:
                                          									_t390 = E00415EBA(_t496, _t565);
                                          									__eflags =  *((intOrPtr*)(_t496 + _t390 * 2)) - _t565;
                                          									if( *((intOrPtr*)(_t496 + _t390 * 2)) != _t565) {
                                          										asm("lock mov eax, [esi+0x64]");
                                          										_v8 = _t390;
                                          										_v4 =  *((intOrPtr*)(_t572 + 0x68));
                                          										_a8 =  *((intOrPtr*)(_t572 + 0x6c));
                                          										asm("adc ecx, ebx");
                                          										_v20 = _t551;
                                          										 *((intOrPtr*)(_t565 + 0xf0)) =  *((intOrPtr*)(_t572 + 0x40)) + 0x20;
                                          										 *(_t565 + 0xf4) = _t496;
                                          										 *((intOrPtr*)(_t565 + 0x128)) = 0x20;
                                          										 *(_t565 + 0x12c) = _t482;
                                          										 *(_t565 + 0x130) = _t482;
                                          										__eflags = _v16 - _t482;
                                          										if(__eflags < 0) {
                                          											L118:
                                          											_t395 = 0;
                                          											__eflags = 0;
                                          											goto L119;
                                          										} else {
                                          											if(__eflags > 0) {
                                          												L106:
                                          												__eflags = _v4 - 0x40000000;
                                          												if(__eflags > 0) {
                                          													goto L118;
                                          												} else {
                                          													if(__eflags < 0) {
                                          														L109:
                                          														_t395 = _v8 | _v4;
                                          														__eflags = _t395;
                                          														if(_t395 != 0) {
                                          															__eflags =  *((intOrPtr*)(_t565 + 0x134)) - _t482;
                                          															if( *((intOrPtr*)(_t565 + 0x134)) == _t482) {
                                          																 *(_t565 + 0x130) = 1;
                                          															}
                                          															asm("adc ecx, ebx");
                                          															 *((intOrPtr*)(_t572 + 0x70)) =  *((intOrPtr*)(_t572 + 0x70)) + _v8 + 0x20;
                                          															asm("adc [esi+0x74], ecx");
                                          															_t401 = _v8 + _t551;
                                          															_t552 = _v4;
                                          															asm("adc edx, [ebp-0x10]");
                                          															_v28 = _t401;
                                          															asm("adc ecx, ebx");
                                          															 *((intOrPtr*)(_t565 + 0x128)) = _t401 + 0x20;
                                          															 *(_t565 + 0x12c) = _t552;
                                          															_t500 =  *((intOrPtr*)(_t572 + 0x48)) -  *((intOrPtr*)(_t565 + 0xf0));
                                          															asm("sbb eax, [edi+0xf4]");
                                          															__eflags =  *((intOrPtr*)(_t572 + 0x4c)) - _t552;
                                          															if(__eflags > 0) {
                                          																L121:
                                          																_t404 =  *_t572;
                                          																_t396 =  *((intOrPtr*)( *_t404 + 0x10))(_t404, _v20, _v16, 1, _t482);
                                          																__eflags = _t396 - _t482;
                                          																if(_t396 == _t482) {
                                          																	_t405 = _v8;
                                          																	__eflags = _t405 - _t405;
                                          																	if(_t405 != _t405) {
                                          																		L124:
                                          																		_t396 = 0x8007000e;
                                          																	} else {
                                          																		__eflags = _t482 - _v4;
                                          																		if(_t482 == _v4) {
                                          																			_push(_v8);
                                          																			L004191BC();
                                          																			_v28 = _t405;
                                          																			_t406 = E00413818(_v8); // executed
                                          																			__eflags = _t406 - _t482;
                                          																			if(_t406 == _t482) {
                                          																				_t554 = _v8;
                                          																				_t504 = _v28;
                                          																				_t407 = E00418D30(_v28, _t554);
                                          																				__eflags = _t407 - _a8;
                                          																				if(_t407 != _a8) {
                                          																					L129:
                                          																					E00415EBA(_t504, _t565);
                                          																				}
                                          																				__eflags =  *((intOrPtr*)(_t565 + 0x134)) - _t482;
                                          																				if( *((intOrPtr*)(_t565 + 0x134)) == _t482) {
                                          																					 *((char*)(_t565 + 0x131)) = 1;
                                          																				}
                                          																				_push(_t482);
                                          																				_v16 = _t482;
                                          																				E004163AA( &_v20, _t572, _v28, _v8);
                                          																				_t504 =  *(_t572 + 0x38);
                                          																				_v12 = _t482;
                                          																				_v8 = _t482;
                                          																				_v4 = _t482;
                                          																				_t409 = E00416087( *(_t572 + 0x38));
                                          																				__eflags = _t409 - 1;
                                          																				if(_t409 != 1) {
                                          																					L134:
                                          																					__eflags = _t409 - 0x17;
                                          																					if(_t409 != 0x17) {
                                          																						goto L129;
                                          																					} else {
                                          																						__eflags = _t554 - _t482;
                                          																						if(__eflags != 0) {
                                          																							goto L129;
                                          																						} else {
                                          																							_push(_a24);
                                          																							_push(_a20);
                                          																							_t504 = _t572;
                                          																							_push(_a16);
                                          																							_t413 = E004176DE(_t572, _t554, __eflags,  *((intOrPtr*)(_t565 + 0xf0)),  *(_t565 + 0xf4), _t565 + 0x100,  &_v12, _a12);
                                          																							_a8 = _t413;
                                          																							__eflags = _t413 - _t482;
                                          																							if(_t413 == _t482) {
                                          																								__eflags = _v8 - _t482;
                                          																								if(_v8 != _t482) {
                                          																									__eflags = _v8 - 1;
                                          																									if(_v8 > 1) {
                                          																										goto L129;
                                          																									} else {
                                          																										E00415EF3( &_v20);
                                          																										E004163D4(_t572,  *_v12);
                                          																										_t504 =  *(_t572 + 0x38);
                                          																										_t417 = E00416087( *(_t572 + 0x38));
                                          																										__eflags = _t417 - 1;
                                          																										if(_t417 != 1) {
                                          																											goto L129;
                                          																										} else {
                                          																											__eflags = _t554 - _t482;
                                          																											if(_t554 != _t482) {
                                          																												goto L129;
                                          																											} else {
                                          																												goto L143;
                                          																											}
                                          																										}
                                          																									}
                                          																								} else {
                                          																									E0041673C( &_v12);
                                          																									E00415EF3( &_v20);
                                          																									goto L127;
                                          																								}
                                          																							} else {
                                          																								E0041673C( &_v12);
                                          																								E00415EF3( &_v20);
                                          																								_t482 = _a8;
                                          																								goto L127;
                                          																							}
                                          																						}
                                          																					}
                                          																				} else {
                                          																					__eflags = _t554 - _t482;
                                          																					if(_t554 == _t482) {
                                          																						L143:
                                          																						 *(_t565 + 0x130) = 1;
                                          																						 *((intOrPtr*)(_t565 + 0x120)) =  *((intOrPtr*)(_t572 + 0x70));
                                          																						 *((intOrPtr*)(_t565 + 0x124)) =  *((intOrPtr*)(_t572 + 0x74));
                                          																						_t420 = E004178D6(_t572, _t554, _t565, _a12, _a16, _a20, _a24);
                                          																						E0041673C( &_v12);
                                          																						E00415EF3( &_v20);
                                          																						_push(_v28);
                                          																						L004191B0();
                                          																						_t396 = _t420;
                                          																					} else {
                                          																						goto L134;
                                          																					}
                                          																				}
                                          																			} else {
                                          																				_t482 = _t406;
                                          																				L127:
                                          																				_push(_v28);
                                          																				L004191B0();
                                          																				_t396 = _t482;
                                          																			}
                                          																		} else {
                                          																			goto L124;
                                          																		}
                                          																	}
                                          																}
                                          															} else {
                                          																if(__eflags < 0) {
                                          																	L117:
                                          																	 *((char*)(_t565 + 0x133)) = 1;
                                          																	goto L118;
                                          																} else {
                                          																	__eflags = _t500 - _v28;
                                          																	if(_t500 >= _v28) {
                                          																		goto L121;
                                          																	} else {
                                          																		goto L117;
                                          																	}
                                          																}
                                          															}
                                          														} else {
                                          															__eflags = _t551 | _v16;
                                          															if((_t551 | _v16) != 0) {
                                          																L119:
                                          																_t396 = _t395 + 1;
                                          																__eflags = _t396;
                                          															} else {
                                          																 *(_t565 + 0x130) = 1;
                                          															}
                                          														}
                                          													} else {
                                          														__eflags = _v8 - _t482;
                                          														if(_v8 > _t482) {
                                          															goto L118;
                                          														} else {
                                          															goto L109;
                                          														}
                                          													}
                                          												}
                                          											} else {
                                          												__eflags = _t551 - _t482;
                                          												if(_t551 < _t482) {
                                          													goto L118;
                                          												} else {
                                          													goto L106;
                                          												}
                                          											}
                                          										}
                                          									} else {
                                          										_t517 = _t496 + 1;
                                          										_t260 = _t572 - 0x1bffbe84;
                                          										 *_t260 =  *(_t572 - 0x1bffbe84) + _t517;
                                          										__eflags =  *_t260;
                                          										if( *_t260 != 0) {
                                          											L96:
                                          											 *(_t565 + 0xec) = _t390;
                                          											_t517 =  *((intOrPtr*)(_t572 + 0x56));
                                          											goto L97;
                                          										} else {
                                          											_t262 =  &_v1308606084;
                                          											 *_t262 = _v1308606084 + _t517;
                                          											__eflags =  *_t262;
                                          											if( *_t262 < 0) {
                                          												L97:
                                          												_t572 = _t572 - 1;
                                          												__eflags = _t572;
                                          												_push(_t572);
                                          												 *(_t565 + 0xe0) = _t517;
                                          												goto L98;
                                          											} else {
                                          												_t264 = _t565 - 0x3fffbe84;
                                          												 *_t264 =  *(_t565 - 0x3fffbe84) + _t551;
                                          												__eflags =  *_t264;
                                          												if( *_t264 != 0) {
                                          													L98:
                                          													_t517 =  *((intOrPtr*)(_t572 + 0x57));
                                          													_t482 = 0;
                                          													__eflags = 0;
                                          													goto L99;
                                          												} else {
                                          													_t556 = _t551 + _t551;
                                          													__eflags = _t556;
                                          													if(_t556 < 0) {
                                          														L99:
                                          														asm("fisttp dword [eax+0xe18f]");
                                          														goto L100;
                                          													} else {
                                          														_t557 = _t556 + _t556;
                                          														__eflags = _t557;
                                          														if(_t557 < 0) {
                                          															L100:
                                          															 *_t390 =  *_t390 + _t390;
                                          															 *_t390 =  *_t390 + _t482;
                                          															asm("lahf");
                                          															asm("loopne 0x2");
                                          															 *_t390 =  *_t390 + _t390;
                                          															__eflags =  *_t390;
                                          														} else {
                                          															_t266 = _t482 - 0x40ffbe84;
                                          															 *_t266 =  *(_t482 - 0x40ffbe84) + _t557;
                                          															__eflags =  *_t266;
                                          															if( *_t266 >= 0) {
                                          																_t268 =  &_v117;
                                          																 *_t268 = _v117 + _t557;
                                          																__eflags =  *_t268;
                                          																_push(_t578);
                                          																_t578 = _t581;
                                          																_t581 = _t581 - 0x1c;
                                          																_push(_t482);
                                          																_push(_t572);
                                          																_push(_t565);
                                          																_t565 =  *(_t578 + 8);
                                          																_t572 = _t517;
                                          																E0041563D(_t565);
                                          																 *((intOrPtr*)(_t565 + 0xe8)) =  *((intOrPtr*)(_t572 + 0x40));
                                          																_t390 =  *(_t572 + 0x44);
                                          																goto L96;
                                          															}
                                          														}
                                          													}
                                          												}
                                          											}
                                          										}
                                          										 *_t565 =  *_t565 + _t517;
                                          										__eflags = _t578;
                                          										 *_t390 =  *_t390 + _t390;
                                          										_t278 = _t482 + 0x4e8b6046;
                                          										 *_t278 =  *(_t482 + 0x4e8b6046) + _t517;
                                          										__eflags =  *_t278;
                                          									}
                                          									return _t396;
                                          								} else {
                                          									if(__eflags < 0) {
                                          										L21:
                                          										_push(1);
                                          										_a4 = _t551;
                                          										E004163AA(_t578, _t572,  *((intOrPtr*)(_t389 + 8)) +  *_t389, _a84);
                                          										_t565 = 0;
                                          										__eflags = _a96;
                                          										if(__eflags > 0) {
                                          											L64:
                                          											 *((char*)(_t482 + 0x135)) = 1;
                                          											 *((intOrPtr*)( *(_t572 + 0x38) + 8)) =  *((intOrPtr*)( *(_t572 + 0x38) + 4));
                                          											goto L65;
                                          										} else {
                                          											if(__eflags < 0) {
                                          												L24:
                                          												_t434 = _a92 + 0xfffffff2;
                                          												__eflags = _t434 - 0xb;
                                          												if(__eflags > 0) {
                                          													goto L64;
                                          												} else {
                                          													switch( *((intOrPtr*)(_t434 * 4 +  &M00417E72))) {
                                          														case 0:
                                          															__eax =  &_a60;
                                          															__ecx = __esi;
                                          															__eax = E004168E5(__esi, __edx, _a108,  &_a60);
                                          															__eax = 0;
                                          															_a124 = __edi;
                                          															__eflags = _a64 - __edi;
                                          															if(__eflags > 0) {
                                          																do {
                                          																	__ecx = _a60;
                                          																	__eflags =  *((char*)(__ecx + __eax));
                                          																	if( *((char*)(__ecx + __eax)) != 0) {
                                          																		_t156 =  &_a124;
                                          																		 *_t156 = _a124 + 1;
                                          																		__eflags =  *_t156;
                                          																	}
                                          																	__eax = __eax + 1;
                                          																	__eflags = __eax - _a64;
                                          																} while (__eflags < 0);
                                          															}
                                          															__edi = _a124;
                                          															 &_a24 = E004167C5( &_a24, __edi, __eflags);
                                          															 &_a48 = E004167C5( &_a48, __edi, __eflags);
                                          															goto L35;
                                          														case 1:
                                          															__eax =  &_a24;
                                          															goto L48;
                                          														case 2:
                                          															__eax =  &_a48;
                                          															L48:
                                          															__ecx = __esi;
                                          															__eax = E004168E5(__ecx, __edx, _a124, __eax);
                                          															goto L35;
                                          														case 3:
                                          															_v16 = _t565;
                                          															E004167E7( &_v20, _t551, _t578, __eflags, _t572,  &_a72);
                                          															_t565 =  *((intOrPtr*)( *(_t572 + 0x38) + 4)) -  *((intOrPtr*)( *(_t572 + 0x38) + 8));
                                          															E0040BCC0(_t482 + 0xd0, _t565);
                                          															E00415F69( *(_t572 + 0x38),  *((intOrPtr*)(_t482 + 0xd0)), _t565);
                                          															E004161F4(_t482 + 0xd8, __eflags,  *(_t482 + 0x5c) + 1);
                                          															_t551 = 0;
                                          															_t443 = 0;
                                          															_a116 = 0;
                                          															_a112 = 0;
                                          															__eflags =  *(_t482 + 0x5c);
                                          															if( *(_t482 + 0x5c) <= 0) {
                                          																L32:
                                          																_t551 = _t551 >> 1;
                                          																 *( *((intOrPtr*)(_t482 + 0xd8)) + _t443 * 4) = _t551;
                                          																__eflags = _a116 - _t565;
                                          																if(_a116 != _t565) {
                                          																	 *((char*)(_t572 + 0x3c)) = 1;
                                          																}
                                          																E00415EF3( &_v20);
                                          																goto L35;
                                          															} else {
                                          																do {
                                          																	_a120 = _a120 & 0x00000000;
                                          																	_t447 =  *((intOrPtr*)(_t482 + 0xd0)) + _t551;
                                          																	_t496 = _t565 - _t551 >> 1;
                                          																	__eflags = _t496;
                                          																	if(_t496 != 0) {
                                          																		while(1) {
                                          																			_t551 = _a120;
                                          																			__eflags =  *((short*)(_t447 + _t551 * 2));
                                          																			if( *((short*)(_t447 + _t551 * 2)) == 0) {
                                          																				goto L30;
                                          																			}
                                          																			_a120 = _a120 + 1;
                                          																			__eflags = _a120 - _t496;
                                          																			if(_a120 < _t496) {
                                          																				continue;
                                          																			}
                                          																			goto L30;
                                          																		}
                                          																	}
                                          																	L30:
                                          																	__eflags = _a120 - _t496;
                                          																	if(_a120 == _t496) {
                                          																		goto L87;
                                          																	} else {
                                          																		goto L31;
                                          																	}
                                          																	goto L144;
                                          																	L31:
                                          																	_t448 = _a112;
                                          																	 *( *((intOrPtr*)(_t482 + 0xd8)) + _t448 * 4) = _a116 >> 1;
                                          																	_t443 = _t448 + 1;
                                          																	_t551 = _a116 + 2 + _a120 * 2;
                                          																	_a116 = _t551;
                                          																	_a112 = _t443;
                                          																	__eflags = _t443 -  *(_t482 + 0x5c);
                                          																} while (_t443 <  *(_t482 + 0x5c));
                                          																goto L32;
                                          															}
                                          															goto L144;
                                          														case 4:
                                          															__eax = __ebx + 0x64;
                                          															goto L51;
                                          														case 5:
                                          															__eax = __ebx + 0x7c;
                                          															goto L51;
                                          														case 6:
                                          															__eax = __ebx + 0x94;
                                          															goto L51;
                                          														case 7:
                                          															__eax =  &_v12;
                                          															__ecx = __esi;
                                          															_v12 = __edi;
                                          															_v8 = __edi;
                                          															_v4 = __edi;
                                          															E00416933(__esi, __edx, __edi, __ebp, __eflags,  *((intOrPtr*)(__ebx + 0x5c)),  &_v12) =  &_a72;
                                          															__ecx =  &_a8;
                                          															_a12 = __di;
                                          															__eax = E004167E7( &_a8, __edx, __ebp, __eflags, __esi,  &_a72);
                                          															_a120 = __edi;
                                          															__eflags = _a108 - __edi;
                                          															if(_a108 > __edi) {
                                          																_a116 = __edi;
                                          																do {
                                          																	__edi =  *(__ebx + 0x58);
                                          																	__eax = _v12;
                                          																	__ecx = _a120;
                                          																	__edi =  *(__ebx + 0x58) + _a116;
                                          																	__al =  *((intOrPtr*)(_v12 + _a120));
                                          																	 *((char*)(__edi + 0x13)) = __al;
                                          																	__eflags = __al;
                                          																	if(__al != 0) {
                                          																		__ecx =  *((intOrPtr*)(__esi + 0x38));
                                          																		 *((intOrPtr*)(__edi + 8)) = E004160D1( *((intOrPtr*)(__esi + 0x38)));
                                          																	}
                                          																	_a120 = _a120 + 1;
                                          																	__eax = _a120;
                                          																	_a116 = _a116 + 0x18;
                                          																	__eflags = _a120 - _a108;
                                          																} while (_a120 < _a108);
                                          															}
                                          															__ecx =  &_a8;
                                          															__eax = E00415EF3( &_a8);
                                          															_push(_v12);
                                          															L004191B0();
                                          															_pop(__ecx);
                                          															goto L35;
                                          														case 8:
                                          															goto L64;
                                          														case 9:
                                          															__eax = __ebx + 0xac;
                                          															L51:
                                          															__ecx = __esi;
                                          															 &_a72 = E0041697E(__ecx, __edx, __eflags,  &_a72,  &_a72, _a108);
                                          															L35:
                                          															E004166F2(_t482 + 0x108, _t551, _a92, _a96);
                                          															goto L65;
                                          														case 0xa:
                                          															_a16 = __edi;
                                          															__eflags = _a88 - __edi;
                                          															if(__eflags >= 0) {
                                          																if(__eflags > 0) {
                                          																	L58:
                                          																	__ecx =  *((intOrPtr*)(__esi + 0x38));
                                          																	__eax = E00415F52(__ecx, __edi);
                                          																	__eflags = __al;
                                          																	if(__al != 0) {
                                          																		 *((char*)(__esi + 0x3c)) = 1;
                                          																	}
                                          																	_a16 = _a16 + 1;
                                          																	asm("adc edi, 0x0");
                                          																	__eflags = __edi - _a88;
                                          																} else {
                                          																	__eflags = _a84 - __edi;
                                          																	if(_a84 > __edi) {
                                          																		goto L58;
                                          																		do {
                                          																			do {
                                          																				goto L58;
                                          																			} while (__eflags < 0);
                                          																			if(__eflags <= 0) {
                                          																				goto L62;
                                          																			}
                                          																			goto L65;
                                          																			L62:
                                          																			__eax = _a84;
                                          																			__eflags = _a16 - _a84;
                                          																		} while (_a16 < _a84);
                                          																	}
                                          																}
                                          															}
                                          															L65:
                                          															_t496 =  *((intOrPtr*)( *(_t572 + 0x38) + 4)) -  *((intOrPtr*)( *(_t572 + 0x38) + 8));
                                          															__eflags = _t496;
                                          															if(_t496 != 0) {
                                          																goto L87;
                                          															} else {
                                          																E00415EF3(_t578);
                                          																goto L67;
                                          															}
                                          															goto L144;
                                          													}
                                          												}
                                          											} else {
                                          												__eflags = _a92 - 0x40000000;
                                          												if(_a92 > 0x40000000) {
                                          													goto L64;
                                          												} else {
                                          													goto L24;
                                          												}
                                          											}
                                          										}
                                          									} else {
                                          										__eflags = _a84 - _t496;
                                          										if(_a84 > _t496) {
                                          											goto L87;
                                          										} else {
                                          											goto L21;
                                          										}
                                          									}
                                          								}
                                          								goto L144;
                                          							}
                                          							E00416087(_t494);
                                          							__eflags = _a108 - _a124 - _a40;
                                          							if(_a108 - _a124 != _a40) {
                                          								E00415EDA(_t494);
                                          							}
                                          							_t537 = _a48;
                                          							_t567 = 0;
                                          							_t452 = 0;
                                          							_a116 = 0;
                                          							__eflags = _a124;
                                          							if(_a124 > 0) {
                                          								do {
                                          									__eflags =  *((char*)(_t537 + _t452));
                                          									if( *((char*)(_t537 + _t452)) != 0) {
                                          										_t199 =  &_a116;
                                          										 *_t199 = _a116 + 1;
                                          										__eflags =  *_t199;
                                          									}
                                          									_t452 = _t452 + 1;
                                          									__eflags = _t452 - _a124;
                                          								} while (_t452 < _a124);
                                          							}
                                          							_a120 = _t567;
                                          							__eflags = _a108 - _t567;
                                          							if(__eflags > 0) {
                                          								_t454 = _a24 - _t537;
                                          								__eflags = _t454;
                                          								_a112 = _t537;
                                          								_a124 = _t567;
                                          								_a88 = _t454;
                                          								do {
                                          									_t577 =  *((intOrPtr*)(_t482 + 0x58)) + _a124;
                                          									_t455 = _a60;
                                          									__eflags =  *((char*)(_t455 + _a120));
                                          									_t456 = _t455 & 0xffffff00 |  *((char*)(_t455 + _a120)) == 0x00000000;
                                          									 *(_t577 + 0x10) = _t456;
                                          									 *((intOrPtr*)(_t577 + 0xc)) = 0;
                                          									__eflags = _t456;
                                          									if(_t456 == 0) {
                                          										_t457 = _a112;
                                          										_t560 = _a88;
                                          										__eflags =  *(_t560 + _t457);
                                          										 *((char*)(_t577 + 0x11)) = _t560 & 0xffffff00 |  *(_t560 + _t457) == 0x00000000;
                                          										_t551 =  *_t457;
                                          										_t458 = _t457 + 1;
                                          										__eflags = _t458;
                                          										_a96 =  *_t457;
                                          										_a112 = _t458;
                                          										 *_t577 = 0;
                                          										 *((intOrPtr*)(_t577 + 4)) = 0;
                                          										 *((char*)(_t577 + 0x12)) = 0;
                                          									} else {
                                          										_t461 = _a36;
                                          										 *((char*)(_t577 + 0x11)) = 0;
                                          										_a96 = 0;
                                          										 *_t577 =  *((intOrPtr*)(_t461 + _t567 * 8));
                                          										 *((intOrPtr*)(_t577 + 4)) =  *((intOrPtr*)(_t461 + 4 + _t567 * 8));
                                          										_t463 = E0041638F( &_v44, _t567);
                                          										 *((char*)(_t577 + 0x12)) = _t463;
                                          										__eflags = _t463;
                                          										if(_t463 != 0) {
                                          											 *((intOrPtr*)(_t577 + 0xc)) =  *((intOrPtr*)(_v32 + _t567 * 4));
                                          										}
                                          										_t567 = _t567 + 1;
                                          									}
                                          									__eflags = _a116;
                                          									if(_a116 != 0) {
                                          										E0041671B(_t482 + 0xc4, _a96);
                                          									}
                                          									_a120 = _a120 + 1;
                                          									_a124 = _a124 + 0x18;
                                          									__eflags = _a120 - _a108;
                                          								} while (__eflags < 0);
                                          							}
                                          							_push(_a48);
                                          							L004191B0();
                                          							_push(_a24);
                                          							L004191B0();
                                          							_push(_a60);
                                          							L004191B0();
                                          							_t581 = _t581 + 0xc;
                                          						}
                                          						goto L85;
                                          					}
                                          				} else {
                                          					_t589 = _t551 - _t563;
                                          					if(_t551 != _t563) {
                                          						goto L9;
                                          					} else {
                                          						_push(_a124);
                                          						_push(_a120);
                                          						_t570 = _t482 + 0x100;
                                          						_push(_a116);
                                          						_t475 = E004176DE(_t572, _t551, _t589,  *((intOrPtr*)(_t482 + 0xf0)),  *((intOrPtr*)(_t482 + 0xf4)), _t570,  &_a72, _a112);
                                          						_a108 = _t475;
                                          						if(_t475 == 0) {
                                          							 *_t570 =  *_t570 +  *((intOrPtr*)(_t482 + 0xf0));
                                          							asm("adc [edi+0x4], eax");
                                          							_t373 = E00416087( *(_t572 + 0x38));
                                          							_t563 = 0;
                                          							__eflags = 0;
                                          							goto L9;
                                          						} else {
                                          							E0041673C( &_a72);
                                          							_t376 = _a108;
                                          							L86:
                                          							return _t376;
                                          						}
                                          					}
                                          				}
                                          				L144:
                                          			}
                                          0x00417b46
                                          0x00417b48
                                          0x00417b48
                                          0x00417b4a
                                          0x00417b4c
                                          0x00417b4c
                                          0x00417b4f
                                          0x00417b54
                                          0x00000000
                                          0x00000000
                                          0x00417b56
                                          0x00417b59
                                          0x00417b5c
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00417b5c
                                          0x00417b4c
                                          0x00417b5e
                                          0x00417b5e
                                          0x00417b61
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00417b67
                                          0x00417b6a
                                          0x00417b75
                                          0x00417b7e
                                          0x00417b7f
                                          0x00417b83
                                          0x00417b86
                                          0x00417b89
                                          0x00417b89
                                          0x00000000
                                          0x00417b38
                                          0x00000000
                                          0x00000000
                                          0x00417cad
                                          0x00000000
                                          0x00000000
                                          0x00417cb2
                                          0x00000000
                                          0x00000000
                                          0x00417cb7
                                          0x00000000
                                          0x00000000
                                          0x00417bc0
                                          0x00417bc7
                                          0x00417bc9
                                          0x00417bcc
                                          0x00417bcf
                                          0x00417bd7
                                          0x00417bdc
                                          0x00417bdf
                                          0x00417be3
                                          0x00417be8
                                          0x00417beb
                                          0x00417bee
                                          0x00417bf0
                                          0x00417bf3
                                          0x00417bf3
                                          0x00417bf6
                                          0x00417bf9
                                          0x00417bfc
                                          0x00417bff
                                          0x00417c02
                                          0x00417c05
                                          0x00417c07
                                          0x00417c09
                                          0x00417c11
                                          0x00417c11
                                          0x00417c14
                                          0x00417c17
                                          0x00417c1a
                                          0x00417c1e
                                          0x00417c1e
                                          0x00417bf3
                                          0x00417c23
                                          0x00417c26
                                          0x00417c2b
                                          0x00417c2e
                                          0x00417c33
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00417c93
                                          0x00417c99
                                          0x00417c9c
                                          0x00417ca3
                                          0x00417baa
                                          0x00417bb6
                                          0x00000000
                                          0x00000000
                                          0x00417cbf
                                          0x00417cc2
                                          0x00417cc5
                                          0x00417cc7
                                          0x00417cce
                                          0x00417cce
                                          0x00417cd1
                                          0x00417cd6
                                          0x00417cd8
                                          0x00417cda
                                          0x00417cda
                                          0x00417cde
                                          0x00417ce2
                                          0x00417ce5
                                          0x00417cc9
                                          0x00417cc9
                                          0x00417ccc
                                          0x00000000
                                          0x00417cce
                                          0x00417cce
                                          0x00000000
                                          0x00000000
                                          0x00417cea
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00417cec
                                          0x00417cec
                                          0x00417cef
                                          0x00417cef
                                          0x00417cf4
                                          0x00417ccc
                                          0x00417cc7
                                          0x00417d06
                                          0x00417d0c
                                          0x00417d0c
                                          0x00417d0f
                                          0x00000000
                                          0x00417d15
                                          0x00417d18
                                          0x00000000
                                          0x00417d18
                                          0x00000000
                                          0x00000000
                                          0x00417add
                                          0x00417ac1
                                          0x00417ac1
                                          0x00417ac8
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00417ac8
                                          0x00417abf
                                          0x00417a93
                                          0x00417a93
                                          0x00417a96
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00417a96
                                          0x00417a91
                                          0x00000000
                                          0x00417a8b
                                          0x00417d36
                                          0x00417d41
                                          0x00417d44
                                          0x00417d46
                                          0x00417d46
                                          0x00417d4b
                                          0x00417d4e
                                          0x00417d50
                                          0x00417d52
                                          0x00417d55
                                          0x00417d58
                                          0x00417d5a
                                          0x00417d5a
                                          0x00417d5e
                                          0x00417d60
                                          0x00417d60
                                          0x00417d60
                                          0x00417d60
                                          0x00417d63
                                          0x00417d64
                                          0x00417d64
                                          0x00417d5a
                                          0x00417d69
                                          0x00417d6c
                                          0x00417d6f
                                          0x00417d78
                                          0x00417d78
                                          0x00417d7a
                                          0x00417d7d
                                          0x00417d80
                                          0x00417d83
                                          0x00417d86
                                          0x00417d89
                                          0x00417d8f
                                          0x00417d93
                                          0x00417d98
                                          0x00417d9b
                                          0x00417d9e
                                          0x00417da0
                                          0x00417dd3
                                          0x00417dd6
                                          0x00417dd9
                                          0x00417ddf
                                          0x00417de2
                                          0x00417de4
                                          0x00417de4
                                          0x00417de5
                                          0x00417de8
                                          0x00417deb
                                          0x00417ded
                                          0x00417df0
                                          0x00417da2
                                          0x00417da2
                                          0x00417da5
                                          0x00417da8
                                          0x00417dae
                                          0x00417db8
                                          0x00417dbb
                                          0x00417dc0
                                          0x00417dc3
                                          0x00417dc5
                                          0x00417dcd
                                          0x00417dcd
                                          0x00417dd0
                                          0x00417dd0
                                          0x00417df3
                                          0x00417df7
                                          0x00417e02
                                          0x00417e02
                                          0x00417e07
                                          0x00417e0d
                                          0x00417e11
                                          0x00417e11
                                          0x00417d83
                                          0x00417e1a
                                          0x00417e1d
                                          0x00417e22
                                          0x00417e25
                                          0x00417e2a
                                          0x00417e2d
                                          0x00417e32
                                          0x00417e32
                                          0x00000000
                                          0x004179ec
                                          0x00417924
                                          0x00417924
                                          0x00417926
                                          0x00000000
                                          0x00417928
                                          0x00417928
                                          0x0041792e
                                          0x00417931
                                          0x00417937
                                          0x0041794d
                                          0x00417952
                                          0x00417957
                                          0x0041796f
                                          0x00417977
                                          0x0041797d
                                          0x00417982
                                          0x00417982
                                          0x00000000
                                          0x00417959
                                          0x0041795c
                                          0x00417961
                                          0x00417e61
                                          0x00417e68
                                          0x00417e68
                                          0x00417957
                                          0x00417926
                                          0x00000000

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 314d70a19d0831455035ad50c8cc50dccd0fa0e07e1c2c14f708c3b4a5277d31
                                          • Instruction ID: ebec2df155031d12abf2e074bfb409115379ff2ce8712d3ba73aff140c7f857e
                                          • Opcode Fuzzy Hash: 314d70a19d0831455035ad50c8cc50dccd0fa0e07e1c2c14f708c3b4a5277d31
                                          • Instruction Fuzzy Hash: 9B122871904248DFCF25DF69C9809ED7BF5BF48304F24816AF81687262DB39E985CB98
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00407F31(void* __ecx) {
                                          				struct HINSTANCE__* _t2;
                                          				struct HWND__* _t3;
                                          				CHAR* _t11;
                                          				void* _t13;
                                          				struct HWND__* _t14;
                                          				struct HWND__* _t16;
                                          
                                          				_t13 = __ecx;
                                          				_t2 = LoadLibraryA("uxtheme");
                                          				if(_t2 != 0) {
                                          					_t3 = GetProcAddress(_t2, "SetWindowTheme");
                                          					_t16 = _t3;
                                          					if(_t16 == 0) {
                                          						L7:
                                          						return _t3;
                                          					}
                                          					_t3 = GetWindow( *(_t13 + 4), 5);
                                          					_t14 = _t3;
                                          					if(_t14 == 0) {
                                          						L6:
                                          						goto L7;
                                          					}
                                          					_t11 = " ";
                                          					do {
                                          						_t16->i(_t14, _t11, _t11);
                                          						_t3 = GetWindow(_t14, 2);
                                          						_t14 = _t3;
                                          					} while (_t14 != 0);
                                          					goto L6;
                                          				}
                                          				return _t2;
                                          			}










                                          APIs
                                          • LoadLibraryA.KERNEL32(uxtheme,?,00409204,000004B1,00000000,?,?,?,?,?,0040932F), ref: 00407F39
                                          • GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 00407F4A
                                          • GetWindow.USER32(?,00000005), ref: 00407F63
                                          • GetWindow.USER32(00000000,00000002), ref: 00407F79
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: Window$AddressLibraryLoadProc
                                          • String ID: SetWindowTheme$uxtheme
                                          • API String ID: 324724604-1369271589
                                          • Opcode ID: bbf6c28a0305b89c0b96370cc3dca5fcce94809b387f971642420f3a6618e0a6
                                          • Instruction ID: 0bc065bbacf3197a1a27c387b1263c95b7af90742e8dbe1cc94099e7c33b47a7
                                          • Opcode Fuzzy Hash: bbf6c28a0305b89c0b96370cc3dca5fcce94809b387f971642420f3a6618e0a6
                                          • Instruction Fuzzy Hash: 7AF0A732F4A72633C232176A6C48F9B6A5CDF46B61B054176FD04F7281DA6DEC4041EE
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 80%
                                          			E00408E84(void* __ecx, void* __edx) {
                                          				char _v16;
                                          				short _v528;
                                          				void* _t23;
                                          				WCHAR* _t42;
                                          				void* _t50;
                                          				void* _t51;
                                          				long _t63;
                                          
                                          				_t38 = __ecx;
                                          				_t50 = __ecx;
                                          				 *((intOrPtr*)(__ecx + 0x48)) =  *((intOrPtr*)(__ecx + 0x48)) - 1;
                                          				_t63 =  *0x41e8b8; // 0x0
                                          				if(_t63 == 0) {
                                          					__eax = GetCurrentThreadId();
                                          					 *0x41e8b8 = __eax;
                                          				}
                                          				__eflags =  *0x41e8bc; // 0x0
                                          				if(__eflags == 0) {
                                          					 *0x41e8bc = SetWindowsHookExW(2, E00408E56, 0, GetCurrentThreadId());
                                          				}
                                          				__eflags =  *(_t50 + 0x48);
                                          				if( *(_t50 + 0x48) != 0) {
                                          					_t38 = _t50;
                                          					_pop(_t50);
                                          					_pop(0);
                                          					_push(0);
                                          					_push(_t50);
                                          					_t51 = _t38;
                                          					E00411BBA( &_v16, _t51 + 0x3c);
                                          					if( *((intOrPtr*)(_t51 + 0x48)) > 0) {
                                          						_t42 = 0x1d;
                                          						wsprintfW( &_v528, L" (%d%s)",  *((intOrPtr*)(_t51 + 0x48)), E00403DC8(_t42));
                                          						E00411CA3( &_v16,  &_v528);
                                          					}
                                          					_t23 = E00407A0F(GetDlgItem( *(_t51 + 4),  *(_t51 + 0x4c)), _v16);
                                          					_push(_v16);
                                          					L004191B0();
                                          					return _t23;
                                          				} else {
                                          					 *0x41e8c0 = 1;
                                          					__eflags =  *((intOrPtr*)(_t50 + 0x4c)) - 0x4b4;
                                          					_t17 =  *((intOrPtr*)(_t50 + 0x4c)) != 0x4b4;
                                          					__eflags = _t17;
                                          					return EndDialog( *(_t50 + 4), 0 | _t17);
                                          				}
                                          			}











                                          APIs
                                          • GetCurrentThreadId.KERNEL32 ref: 00408EA3
                                          • SetWindowsHookExW.USER32(00000007,Function_00008DCA,00000000,00000000), ref: 00408EAE
                                          • GetCurrentThreadId.KERNEL32 ref: 00408EBD
                                          • SetWindowsHookExW.USER32(00000002,Function_00008E56,00000000,00000000), ref: 00408EC8
                                          • EndDialog.USER32(?,00000000), ref: 00408EEE
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: CurrentHookThreadWindows$Dialog
                                          • String ID:
                                          • API String ID: 1967849563-0
                                          • Opcode ID: 3691de3e333e7b092baece99aba207316cf4cb990635e7b2a6dbd410fbca133d
                                          • Instruction ID: cda5ca9ca78aa2d930f050b6f2645aeb07f6ea8f0f9f92c422e756f156d8528b
                                          • Opcode Fuzzy Hash: 3691de3e333e7b092baece99aba207316cf4cb990635e7b2a6dbd410fbca133d
                                          • Instruction Fuzzy Hash: 7F01ADB1600228DFE2107F5BEC44AB2F7ECEB55362B11803FE645D21E1CBB658409B6D
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0040352A(WCHAR* __ecx) {
                                          				struct _WIN32_FIND_DATAW _v596;
                                          				void* _t5;
                                          				int _t10;
                                          				void* _t15;
                                          				WCHAR* _t16;
                                          
                                          				_t16 = __ecx;
                                          				if( *0x41e8d8 == 0) {
                                          					_t5 = FindFirstFileW(__ecx,  &_v596);
                                          					__eflags = _t5 - 0xffffffff;
                                          					if(_t5 == 0xffffffff) {
                                          						goto L1;
                                          					}
                                          					FindClose(_t5);
                                          					__eflags = _v596.dwFileAttributes & 0x00000010;
                                          					if(__eflags != 0) {
                                          						return E0040340F(_t16, _t15, __eflags);
                                          					}
                                          					_t10 = SetFileAttributesW(_t16, 0);
                                          					__eflags = _t10;
                                          					if(_t10 == 0) {
                                          						return 0;
                                          					}
                                          					return DeleteFileW(_t16);
                                          				}
                                          				L1:
                                          				return 1;
                                          			}









                                          APIs
                                          • FindFirstFileW.KERNEL32(?,?), ref: 0040354C
                                          • FindClose.KERNEL32(00000000), ref: 00403558
                                          • SetFileAttributesW.KERNEL32(?,00000000), ref: 0040356A
                                          • DeleteFileW.KERNEL32(?), ref: 00403575
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: File$Find$AttributesCloseDeleteFirst
                                          • String ID:
                                          • API String ID: 3319113142-0
                                          • Opcode ID: 6a61d0b2e63efd2324cefb0b8d0b17696f742564a21834292023f6db47524a43
                                          • Instruction ID: c6e9444eb262c84b595320cc7ffe2d3aedaf421e5fcd45af1c9d17f800727631
                                          • Opcode Fuzzy Hash: 6a61d0b2e63efd2324cefb0b8d0b17696f742564a21834292023f6db47524a43
                                          • Instruction Fuzzy Hash: 01F05E30901564B6DB212F315C48BAA3EACAF01327F54497AE842F11E0D7788B47869E
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E00403FF2() {
                                          				void* _v8;
                                          				char _v12;
                                          				short _v16;
                                          				struct _SID_IDENTIFIER_AUTHORITY _v20;
                                          				int _t13;
                                          
                                          				_v12 = 0;
                                          				_v8 = 0;
                                          				_v20.Value = 0;
                                          				_v16 = 0x500;
                                          				_t13 = AllocateAndInitializeSid( &_v20, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v8);
                                          				if(_t13 != 0) {
                                          					__imp__CheckTokenMembership(0, _v8,  &_v12);
                                          					FreeSid(_v8);
                                          					return _v12;
                                          				}
                                          				return _t13;
                                          			}









                                          APIs
                                          • AllocateAndInitializeSid.ADVAPI32(0040682B,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,0041E7B8,0040682B), ref: 00404021
                                          • CheckTokenMembership.ADVAPI32(00000000,00000000,?), ref: 00404033
                                          • FreeSid.ADVAPI32(00000000), ref: 0040403C
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: AllocateCheckFreeInitializeMembershipToken
                                          • String ID:
                                          • API String ID: 3429775523-0
                                          • Opcode ID: b1a85781bd9880e8be0b06bd7447c5e118f4662a7265e0280068f0d854aaaee3
                                          • Instruction ID: 897e3d853c979f7ca1e9d36a2150445fe5287065c6dcae09f62a90d6d31b286d
                                          • Opcode Fuzzy Hash: b1a85781bd9880e8be0b06bd7447c5e118f4662a7265e0280068f0d854aaaee3
                                          • Instruction Fuzzy Hash: 35F0DAB5900208FBDB00DFD5DD89ADEBBBCFB08344F504469A605E2191D3709A149B15
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 82%
                                          			E0040B440(intOrPtr* __ecx, void* __edx, int _a4) {
                                          				char _v64;
                                          				intOrPtr _v68;
                                          				intOrPtr _v72;
                                          				intOrPtr _v76;
                                          				intOrPtr _v80;
                                          				intOrPtr _v84;
                                          				intOrPtr _v88;
                                          				intOrPtr _v92;
                                          				intOrPtr _v96;
                                          				intOrPtr* _v100;
                                          				char _v104;
                                          				intOrPtr* _v108;
                                          				signed int _v112;
                                          				void* _v116;
                                          				signed int _v120;
                                          				intOrPtr* _v124;
                                          				int _t140;
                                          				signed int _t142;
                                          				signed int _t144;
                                          				signed int _t148;
                                          				void* _t155;
                                          				intOrPtr* _t158;
                                          				int _t177;
                                          				intOrPtr* _t180;
                                          				intOrPtr* _t184;
                                          				intOrPtr* _t191;
                                          				signed int _t205;
                                          				signed int _t225;
                                          				void* _t240;
                                          				void* _t275;
                                          
                                          				_t158 = __ecx;
                                          				_t177 = _a4;
                                          				_t222 = __edx;
                                          				_v100 = __ecx;
                                          				if(_t177 == 0) {
                                          					L17:
                                          					return _t140;
                                          				} else {
                                          					_t142 =  *(__ecx + 0x20) & 0x0000003f;
                                          					 *(__ecx + 0x20) =  *(__ecx + 0x20) + _t177;
                                          					asm("adc dword [ebx+0x24], 0x0");
                                          					_t240 = 0x40 - _t142;
                                          					if(0x40 <= _t177) {
                                          						_a4 = _t177 - 0x40;
                                          						memcpy(_t142 + __ecx + 0x28, __edx, 0x40);
                                          						_t275 =  &_v124 + 0xc;
                                          						_v116 = _t222 + _t240;
                                          						while(1) {
                                          							_t144 = 0;
                                          							_t180 = _t158 + 0x30;
                                          							do {
                                          								asm("bswap edx");
                                          								 *((intOrPtr*)(_t275 + 0x4c + _t144 * 4)) =  *((intOrPtr*)(_t180 - 8));
                                          								asm("bswap edx");
                                          								 *((intOrPtr*)(_t275 + 0x50 + _t144 * 4)) =  *((intOrPtr*)(_t180 - 4));
                                          								asm("bswap edx");
                                          								 *((intOrPtr*)(_t275 + 0x54 + _t144 * 4)) =  *_t180;
                                          								asm("bswap edx");
                                          								 *((intOrPtr*)(_t275 + 0x58 + _t144 * 4)) =  *((intOrPtr*)(_t180 + 4));
                                          								_t144 = _t144 + 4;
                                          								_t180 = _t180 + 0x10;
                                          							} while (_t144 < 0x10);
                                          							_v96 =  *_t158;
                                          							_v92 =  *((intOrPtr*)(_t158 + 4));
                                          							_v88 =  *((intOrPtr*)(_t158 + 8));
                                          							_v84 =  *((intOrPtr*)(_t158 + 0xc));
                                          							_v80 =  *((intOrPtr*)(_t158 + 0x10));
                                          							_v76 =  *((intOrPtr*)(_t158 + 0x14));
                                          							_t205 = 0;
                                          							_v72 =  *((intOrPtr*)(_t158 + 0x18));
                                          							_v68 =  *((intOrPtr*)(_t158 + 0x1c));
                                          							_v120 = 0;
                                          							do {
                                          								_t225 = 1;
                                          								_t184 =  &_v64;
                                          								_v112 = 1;
                                          								_t48 = _t225 - 5; // -4
                                          								_t148 = _t48;
                                          								_v108 = _t184;
                                          								_v124 = 0x41c150 + _t205 * 4;
                                          								_v104 = 0x10;
                                          								do {
                                          									if(_t205 != 0) {
                                          										_t55 = _t225 - 3; // -2
                                          										asm("ror ebx, 0x12");
                                          										asm("ror ebp, 0x7");
                                          										asm("ror esi, 0x13");
                                          										asm("ror ebp, 0x11");
                                          										 *_t184 =  *_t184 + ( *(_t275 + 0x4c + (_t225 & 0x0000000f) * 4) ^  *(_t275 + 0x4c + (_t225 & 0x0000000f) * 4) ^  *(_t275 + 0x4c + (_t225 & 0x0000000f) * 4) >> 0x00000003) + ( *(_t275 + 0x4c + (_t55 & 0x0000000f) * 4) ^  *(_t275 + 0x4c + (_t55 & 0x0000000f) * 4) ^  *(_t275 + 0x4c + (_t55 & 0x0000000f) * 4) >> 0x0000000a) +  *((intOrPtr*)(_t275 + 0x4c + (_t225 + 0xfffffff8 & 0x0000000f) * 4));
                                          									}
                                          									_t65 = _t148 + 2; // -2
                                          									_t69 = _t148 + 3; // -1
                                          									asm("ror ebx, 0x19");
                                          									asm("ror ebp, 0xb");
                                          									asm("ror ebp, 0x6");
                                          									_t70 = _t148 + 1; // -3
                                          									_t191 = _t275 + 0x2c + (_t69 & 0x00000007) * 4;
                                          									 *_t191 =  *_t191 + (( *(_t275 + 0x2c + (_t70 & 0x00000007) * 4) ^  *(_t275 + 0x2c + (_t65 & 0x00000007) * 4)) &  *(_t275 + 0x2c + (_t148 & 0x00000007) * 4) ^  *(_t275 + 0x2c + (_t65 & 0x00000007) * 4)) + ( *(_t275 + 0x2c + (_t148 & 0x00000007) * 4) ^  *(_t275 + 0x2c + (_t148 & 0x00000007) * 4) ^  *(_t275 + 0x2c + (_t148 & 0x00000007) * 4)) +  *_t184 +  *_v124;
                                          									_t78 = _t148 - 1; // -5
                                          									 *((intOrPtr*)(_t275 + 0x2c + (_t78 & 0x00000007) * 4)) =  *((intOrPtr*)(_t275 + 0x2c + (_t78 & 0x00000007) * 4)) +  *_t191;
                                          									_t88 = _t148 - 4; // -8
                                          									_v124 = _v124 + 4;
                                          									_t94 = _t148 - 3; // -7
                                          									asm("ror edi, 0x16");
                                          									asm("ror ebx, 0xd");
                                          									asm("ror ebx, 0x2");
                                          									_t98 = _t148 - 2; // -6
                                          									_t205 = _v120;
                                          									 *_t191 =  *_t191 + ( *(_t275 + 0x2c + (_t88 & 0x00000007) * 4) ^  *(_t275 + 0x2c + (_t88 & 0x00000007) * 4) ^  *(_t275 + 0x2c + (_t88 & 0x00000007) * 4)) + ( *(_t275 + 0x2c + (_t98 & 0x00000007) * 4) & ( *(_t275 + 0x2c + (_t94 & 0x00000007) * 4) |  *(_t275 + 0x2c + (_t88 & 0x00000007) * 4)) |  *(_t275 + 0x2c + (_t94 & 0x00000007) * 4) &  *(_t275 + 0x2c + (_t88 & 0x00000007) * 4));
                                          									_t225 = _v112 + 1;
                                          									_t184 = _v108 + 4;
                                          									_t148 = _t148 - 1;
                                          									_t105 =  &_v104;
                                          									 *_t105 = _v104 - 1;
                                          									_v112 = _t225;
                                          									_v108 = _t184;
                                          								} while ( *_t105 != 0);
                                          								_t205 = _t205 + 0x10;
                                          								_v120 = _t205;
                                          							} while (_t205 < 0x40);
                                          							_t158 = _v100;
                                          							 *_t158 =  *_t158 + _v96;
                                          							 *((intOrPtr*)(_t158 + 4)) =  *((intOrPtr*)(_t158 + 4)) + _v92;
                                          							 *((intOrPtr*)(_t158 + 0xc)) =  *((intOrPtr*)(_t158 + 0xc)) + _v84;
                                          							 *((intOrPtr*)(_t158 + 8)) =  *((intOrPtr*)(_t158 + 8)) + _v88;
                                          							 *((intOrPtr*)(_t158 + 0x10)) =  *((intOrPtr*)(_t158 + 0x10)) + _v80;
                                          							 *((intOrPtr*)(_t158 + 0x18)) =  *((intOrPtr*)(_t158 + 0x18)) + _v72;
                                          							_t140 = _a4;
                                          							 *((intOrPtr*)(_t158 + 0x14)) =  *((intOrPtr*)(_t158 + 0x14)) + _v76;
                                          							 *((intOrPtr*)(_t158 + 0x1c)) =  *((intOrPtr*)(_t158 + 0x1c)) + _v68;
                                          							if(_t140 >= 0x40) {
                                          								_a4 = _t140 - 0x40;
                                          								_t155 = memcpy(_t158 + 0x28, _v116, 0x10 << 2);
                                          								_t275 = _t275 + 0xc;
                                          								_v116 = _t155;
                                          								continue;
                                          							}
                                          							if(_t140 != 0) {
                                          								_t140 = memcpy(_t158 + 0x28, _v116, _t140);
                                          							}
                                          							goto L17;
                                          						}
                                          					} else {
                                          						return memcpy(_t142 + __ecx + 0x28, __edx, _t177);
                                          					}
                                          				}
                                          			}


































                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: memcpy
                                          • String ID:
                                          • API String ID: 3510742995-0
                                          • Opcode ID: bc90ae24330184fdc1e542b8686ee53d0af4dcd7369474ae96014b3e614f3809
                                          • Instruction ID: 4ae693c08babda449d8f98831bc38807ceb3bc3cdeca2b2b28de7c60d0623c83
                                          • Opcode Fuzzy Hash: bc90ae24330184fdc1e542b8686ee53d0af4dcd7369474ae96014b3e614f3809
                                          • Instruction Fuzzy Hash: 9F916DB29043008FC318DF59D88498BB7E1FFC8314F1A8A6EE9489B355E375E955CB86
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0040F320(void* __eax, signed int* __ecx) {
                                          				intOrPtr _t149;
                                          				unsigned int _t153;
                                          				signed int _t157;
                                          				signed int _t158;
                                          				intOrPtr _t159;
                                          				signed int _t160;
                                          				signed int _t161;
                                          				signed char* _t162;
                                          				signed int _t164;
                                          				signed int _t168;
                                          				signed char* _t169;
                                          				signed int _t171;
                                          				signed char* _t179;
                                          				signed int _t190;
                                          				signed int _t192;
                                          				signed int _t196;
                                          				signed char* _t197;
                                          				signed char* _t199;
                                          				signed int _t204;
                                          				signed short* _t205;
                                          				void* _t206;
                                          				signed int _t207;
                                          				signed int _t215;
                                          				signed int _t216;
                                          				signed char* _t225;
                                          				signed int _t228;
                                          				signed int _t232;
                                          				signed int _t235;
                                          				signed int _t238;
                                          				signed int _t241;
                                          				signed int _t244;
                                          				signed int _t247;
                                          				signed char _t251;
                                          				void* _t252;
                                          				signed int _t265;
                                          				signed int _t270;
                                          				signed int _t271;
                                          				signed int _t272;
                                          				signed int _t278;
                                          				signed char* _t279;
                                          				signed int _t281;
                                          				signed int _t283;
                                          				signed int _t284;
                                          				signed int _t285;
                                          				signed int _t286;
                                          				signed int _t287;
                                          				signed int _t288;
                                          				signed int _t289;
                                          				signed int _t290;
                                          				unsigned int _t291;
                                          				signed int* _t292;
                                          				intOrPtr _t293;
                                          				signed char* _t294;
                                          				signed short* _t296;
                                          				signed int _t297;
                                          				signed int _t298;
                                          				signed int _t300;
                                          				signed int _t301;
                                          				signed int _t310;
                                          				signed int _t314;
                                          				signed int _t319;
                                          				signed int _t320;
                                          				signed int _t321;
                                          				signed int _t322;
                                          				signed int _t323;
                                          				signed int _t324;
                                          				signed int _t325;
                                          				signed int _t340;
                                          				signed int _t341;
                                          				signed int _t342;
                                          				signed char* _t344;
                                          				void* _t351;
                                          
                                          				_t292 = __ecx;
                                          				_t340 =  *(__ecx + 0x34);
                                          				_t283 =  *(__ecx + 0x1c);
                                          				_t321 =  *(__ecx + 0x20);
                                          				_t149 =  *((intOrPtr*)(__ecx + 0x10));
                                          				 *(_t351 + 0x10) =  &(( *(_t351 + 0x28))[__eax]);
                                          				 *((intOrPtr*)(_t351 + 0x14)) = _t149;
                                          				_t204 = (0x00000001 <<  *(__ecx + 8)) - 0x00000001 &  *(__ecx + 0x2c);
                                          				 *(_t351 + 0x18) =  *(_t149 + ((_t340 << 4) + 1) * 2) & 0x0000ffff;
                                          				if(_t283 >= 0x1000000) {
                                          					L4:
                                          					_t153 = (_t283 >> 0xb) *  *(_t351 + 0x18);
                                          					if(_t321 >= _t153) {
                                          						_t293 =  *((intOrPtr*)(_t351 + 0x14));
                                          						_t225 =  *(_t351 + 0x28);
                                          						_t284 = _t283 - _t153;
                                          						_t322 = _t321 - _t153;
                                          						 *(_t351 + 0x18) =  *(_t293 + 0x180 + _t340 * 2) & 0x0000ffff;
                                          						if(_t284 >= 0x1000000) {
                                          							L39:
                                          							_t157 = (_t284 >> 0xb) *  *(_t351 + 0x18);
                                          							if(_t322 >= _t157) {
                                          								_t285 = _t284 - _t157;
                                          								_t323 = _t322 - _t157;
                                          								_t158 =  *(_t293 + 0x198 + _t340 * 2) & 0x0000ffff;
                                          								 *(_t351 + 0x1c) = 3;
                                          								if(_t285 >= 0x1000000) {
                                          									L44:
                                          									_t228 = (_t285 >> 0xb) * _t158;
                                          									_t159 =  *((intOrPtr*)(_t351 + 0x14));
                                          									if(_t323 >= _t228) {
                                          										_t294 =  *(_t351 + 0x28);
                                          										_t286 = _t285 - _t228;
                                          										_t324 = _t323 - _t228;
                                          										 *(_t351 + 0x18) =  *(_t159 + 0x1b0 + _t340 * 2) & 0x0000ffff;
                                          										if(_t286 >= 0x1000000) {
                                          											L55:
                                          											_t232 = (_t286 >> 0xb) *  *(_t351 + 0x18);
                                          											if(_t324 >= _t232) {
                                          												_t160 =  *(_t159 + 0x1c8 + _t340 * 2) & 0x0000ffff;
                                          												_t287 = _t286 - _t232;
                                          												_t323 = _t324 - _t232;
                                          												if(_t287 >= 0x1000000) {
                                          													L60:
                                          													_t235 = (_t287 >> 0xb) * _t160;
                                          													if(_t323 >= _t235) {
                                          														goto L62;
                                          													} else {
                                          														_t288 = _t235;
                                          													}
                                          													goto L63;
                                          												} else {
                                          													if(_t294 >=  *(_t351 + 0x10)) {
                                          														goto L2;
                                          													} else {
                                          														_t287 = _t287 << 8;
                                          														_t323 = _t323 << 0x00000008 |  *_t294 & 0x000000ff;
                                          														 *(_t351 + 0x28) =  &(_t294[1]);
                                          														goto L60;
                                          													}
                                          												}
                                          											} else {
                                          												_t288 = _t232;
                                          												goto L63;
                                          											}
                                          										} else {
                                          											if(_t294 >=  *(_t351 + 0x10)) {
                                          												goto L2;
                                          											} else {
                                          												_t286 = _t286 << 8;
                                          												_t324 = _t324 << 0x00000008 |  *_t294 & 0x000000ff;
                                          												_t294 =  &(_t294[1]);
                                          												 *(_t351 + 0x28) = _t294;
                                          												goto L55;
                                          											}
                                          										}
                                          									} else {
                                          										_t314 =  *(_t159 + ((_t340 + 0xf << 4) + _t204) * 2) & 0x0000ffff;
                                          										_t179 =  *(_t351 + 0x28);
                                          										_t287 = _t228;
                                          										if(_t228 >= 0x1000000) {
                                          											L48:
                                          											_t235 = (_t287 >> 0xb) * _t314;
                                          											if(_t323 >= _t235) {
                                          												L62:
                                          												_t288 = _t287 - _t235;
                                          												_t323 = _t323 - _t235;
                                          												L63:
                                          												_t225 =  *(_t351 + 0x28);
                                          												 *(_t351 + 0x20) = 0xc;
                                          												_t296 =  *((intOrPtr*)(_t351 + 0x14)) + 0xa68;
                                          												goto L64;
                                          											} else {
                                          												if(_t235 >= 0x1000000 || _t179 <  *(_t351 + 0x10)) {
                                          													return 3;
                                          												} else {
                                          													goto L2;
                                          												}
                                          											}
                                          										} else {
                                          											if(_t179 >=  *(_t351 + 0x10)) {
                                          												goto L2;
                                          											} else {
                                          												_t287 = _t228 << 8;
                                          												_t323 = _t323 << 0x00000008 |  *_t179 & 0x000000ff;
                                          												_t179 =  &(_t179[1]);
                                          												 *(_t351 + 0x28) = _t179;
                                          												goto L48;
                                          											}
                                          										}
                                          									}
                                          								} else {
                                          									if(_t225 >=  *(_t351 + 0x10)) {
                                          										goto L2;
                                          									} else {
                                          										_t285 = _t285 << 8;
                                          										_t323 = _t323 << 0x00000008 |  *_t225 & 0x000000ff;
                                          										 *(_t351 + 0x28) =  &(_t225[1]);
                                          										goto L44;
                                          									}
                                          								}
                                          							} else {
                                          								_t288 = _t157;
                                          								 *(_t351 + 0x20) = 0;
                                          								_t296 = _t293 + 0x664;
                                          								 *(_t351 + 0x1c) = 2;
                                          								L64:
                                          								_t161 =  *_t296 & 0x0000ffff;
                                          								if(_t288 >= 0x1000000) {
                                          									L67:
                                          									_t238 = (_t288 >> 0xb) * _t161;
                                          									_t162 =  *(_t351 + 0x28);
                                          									if(_t323 >= _t238) {
                                          										_t341 = _t296[1] & 0x0000ffff;
                                          										_t289 = _t288 - _t238;
                                          										_t325 = _t323 - _t238;
                                          										if(_t289 >= 0x1000000) {
                                          											L72:
                                          											_t241 = (_t289 >> 0xb) * _t341;
                                          											if(_t325 >= _t241) {
                                          												_t290 = _t289 - _t241;
                                          												_t325 = _t325 - _t241;
                                          												_t205 =  &(_t296[0x102]);
                                          												_t342 = 0x10;
                                          												 *(_t351 + 0x18) = 0x100;
                                          											} else {
                                          												_t342 = 8;
                                          												_t290 = _t241;
                                          												_t205 = _t296 + 0x104 + (_t204 + _t204) * 8;
                                          												 *(_t351 + 0x18) = 8;
                                          											}
                                          											goto L75;
                                          										} else {
                                          											if(_t162 >=  *(_t351 + 0x10)) {
                                          												goto L2;
                                          											} else {
                                          												_t289 = _t289 << 8;
                                          												_t325 = _t325 << 0x00000008 |  *_t162 & 0x000000ff;
                                          												_t162 =  &(_t162[1]);
                                          												 *(_t351 + 0x28) = _t162;
                                          												goto L72;
                                          											}
                                          										}
                                          									} else {
                                          										_t290 = _t238;
                                          										_t205 = _t296 + 4 + (_t204 + _t204) * 8;
                                          										_t342 = 0;
                                          										 *(_t351 + 0x18) = 8;
                                          										L75:
                                          										_t297 = 1;
                                          										L76:
                                          										while(1) {
                                          											if(_t290 >= 0x1000000) {
                                          												L79:
                                          												_t244 = (_t290 >> 0xb) * (_t205[_t297] & 0x0000ffff);
                                          												if(_t325 >= _t244) {
                                          													_t290 = _t290 - _t244;
                                          													_t325 = _t325 - _t244;
                                          													_t297 = _t297 + _t297 + 1;
                                          												} else {
                                          													_t290 = _t244;
                                          													_t297 = _t297 + _t297;
                                          												}
                                          												_t164 =  *(_t351 + 0x18);
                                          												if(_t297 >= _t164) {
                                          													_t298 = _t297 + _t342 - _t164;
                                          													if( *(_t351 + 0x20) >= 4) {
                                          														goto L20;
                                          													} else {
                                          														if(_t298 >= 4) {
                                          															_t298 = 3;
                                          														}
                                          														_t344 =  *(_t351 + 0x28);
                                          														_t206 = (_t298 << 7) +  *((intOrPtr*)(_t351 + 0x14)) + 0x360;
                                          														_t300 = 1;
                                          														do {
                                          															_t168 =  *(_t206 + _t300 * 2) & 0x0000ffff;
                                          															if(_t290 >= 0x1000000) {
                                          																goto L91;
                                          															} else {
                                          																if(_t344 >=  *(_t351 + 0x10)) {
                                          																	goto L2;
                                          																} else {
                                          																	_t290 = _t290 << 8;
                                          																	_t325 = _t325 << 0x00000008 |  *_t344 & 0x000000ff;
                                          																	_t344 =  &(_t344[1]);
                                          																	goto L91;
                                          																}
                                          															}
                                          															goto L113;
                                          															L91:
                                          															_t247 = (_t290 >> 0xb) * _t168;
                                          															if(_t325 >= _t247) {
                                          																_t290 = _t290 - _t247;
                                          																_t325 = _t325 - _t247;
                                          																_t300 = _t300 + _t300 + 1;
                                          															} else {
                                          																_t290 = _t247;
                                          																_t300 = _t300 + _t300;
                                          															}
                                          														} while (_t300 < 0x40);
                                          														_t301 = _t300 - 0x40;
                                          														if(_t301 < 4) {
                                          															goto L21;
                                          														} else {
                                          															_t251 = (_t301 >> 1) - 1;
                                          															if(_t301 >= 0xe) {
                                          																_t169 =  *(_t351 + 0x10);
                                          																_t252 = _t251 - 4;
                                          																do {
                                          																	if(_t290 >= 0x1000000) {
                                          																		goto L102;
                                          																	} else {
                                          																		if(_t344 >= _t169) {
                                          																			goto L2;
                                          																		} else {
                                          																			_t290 = _t290 << 8;
                                          																			_t325 = _t325 << 0x00000008 |  *_t344 & 0x000000ff;
                                          																			_t344 =  &(_t344[1]);
                                          																			goto L102;
                                          																		}
                                          																	}
                                          																	goto L113;
                                          																	L102:
                                          																	_t290 = _t290 >> 1;
                                          																	_t325 = _t325 - ((_t325 - _t290 >> 0x0000001f) - 0x00000001 & _t290);
                                          																	_t252 = _t252 - 1;
                                          																} while (_t252 != 0);
                                          																 *((intOrPtr*)(_t351 + 0x14)) =  *((intOrPtr*)(_t351 + 0x14)) + 0x644;
                                          																_t251 = 4;
                                          																goto L104;
                                          															} else {
                                          																 *((intOrPtr*)(_t351 + 0x14)) =  *((intOrPtr*)(_t351 + 0x14)) + 0x55e + (((_t301 & 0x00000001 | 0x00000002) << _t251) - _t301) * 2;
                                          																L104:
                                          																_t207 = 1;
                                          																do {
                                          																	_t171 =  *( *((intOrPtr*)(_t351 + 0x14)) + _t207 * 2) & 0x0000ffff;
                                          																	if(_t290 >= 0x1000000) {
                                          																		goto L108;
                                          																	} else {
                                          																		if(_t344 >=  *(_t351 + 0x10)) {
                                          																			goto L2;
                                          																		} else {
                                          																			_t290 = _t290 << 8;
                                          																			_t325 = _t325 << 0x00000008 |  *_t344 & 0x000000ff;
                                          																			_t344 =  &(_t344[1]);
                                          																			goto L108;
                                          																		}
                                          																	}
                                          																	goto L113;
                                          																	L108:
                                          																	_t310 = (_t290 >> 0xb) * _t171;
                                          																	if(_t325 >= _t310) {
                                          																		_t290 = _t290 - _t310;
                                          																		_t325 = _t325 - _t310;
                                          																		_t207 = _t207 + _t207 + 1;
                                          																	} else {
                                          																		_t290 = _t310;
                                          																		_t207 = _t207 + _t207;
                                          																	}
                                          																	_t251 = _t251 - 1;
                                          																} while (_t251 != 0);
                                          																goto L21;
                                          															}
                                          														}
                                          													}
                                          												} else {
                                          													_t162 =  *(_t351 + 0x28);
                                          													continue;
                                          												}
                                          											} else {
                                          												if(_t162 >=  *(_t351 + 0x10)) {
                                          													goto L2;
                                          												} else {
                                          													_t290 = _t290 << 8;
                                          													_t325 = _t325 << 0x00000008 |  *_t162 & 0x000000ff;
                                          													 *(_t351 + 0x28) =  &(_t162[1]);
                                          													goto L79;
                                          												}
                                          											}
                                          											goto L113;
                                          										}
                                          									}
                                          								} else {
                                          									if(_t225 >=  *(_t351 + 0x10)) {
                                          										goto L2;
                                          									} else {
                                          										_t288 = _t288 << 8;
                                          										_t323 = _t323 << 0x00000008 |  *_t225 & 0x000000ff;
                                          										 *(_t351 + 0x28) =  &(_t225[1]);
                                          										goto L67;
                                          									}
                                          								}
                                          							}
                                          						} else {
                                          							if(_t225 >=  *(_t351 + 0x10)) {
                                          								goto L2;
                                          							} else {
                                          								_t284 = _t284 << 8;
                                          								_t322 = _t322 << 0x00000008 |  *_t225 & 0x000000ff;
                                          								_t225 =  &(_t225[1]);
                                          								 *(_t351 + 0x28) = _t225;
                                          								goto L39;
                                          							}
                                          						}
                                          					} else {
                                          						_t291 = _t153;
                                          						 *((intOrPtr*)(_t351 + 0x14)) =  *((intOrPtr*)(_t351 + 0x14)) + 0xe6c;
                                          						if(_t292[0xc] != 0 || _t292[0xb] != 0) {
                                          							_t265 = _t292[9];
                                          							if(_t265 == 0) {
                                          								_t265 = _t292[0xa];
                                          							}
                                          							 *((intOrPtr*)(_t351 + 0x14)) =  *((intOrPtr*)(_t351 + 0x14)) + ((( *(_t292[5] + _t265 - 1) & 0x000000ff) >> 8 -  *_t292) + (((0x00000001 << _t292[1]) - 0x00000001 & _t292[0xb]) <<  *_t292)) * 0x600;
                                          						}
                                          						if(_t340 >= 7) {
                                          							_t270 = _t292[9];
                                          							_t215 = _t292[0xe];
                                          							if(_t270 >= _t215) {
                                          								_t190 = 0;
                                          							} else {
                                          								_t190 = _t292[0xa];
                                          							}
                                          							_t271 =  *(_t292[5] - _t215 + _t270 + _t190) & 0x000000ff;
                                          							_t216 = 0x100;
                                          							_t319 = 1;
                                          							while(1) {
                                          								_t272 = _t271 + _t271;
                                          								_t192 = _t216 & _t272;
                                          								 *(_t351 + 0x20) = _t272;
                                          								 *(_t351 + 0x18) =  *( *((intOrPtr*)(_t351 + 0x14)) + (_t192 + _t319 + _t216) * 2) & 0x0000ffff;
                                          								if(_t291 >= 0x1000000) {
                                          									goto L31;
                                          								}
                                          								_t279 =  *(_t351 + 0x28);
                                          								if(_t279 >=  *(_t351 + 0x10)) {
                                          									goto L2;
                                          								} else {
                                          									_t291 = _t291 << 8;
                                          									_t321 = _t321 << 0x00000008 |  *_t279 & 0x000000ff;
                                          									 *(_t351 + 0x28) =  &(_t279[1]);
                                          									goto L31;
                                          								}
                                          								goto L113;
                                          								L31:
                                          								_t278 = (_t291 >> 0xb) *  *(_t351 + 0x18);
                                          								if(_t321 >= _t278) {
                                          									_t290 = _t291 - _t278;
                                          									_t321 = _t321 - _t278;
                                          									_t319 = _t319 + _t319 + 1;
                                          								} else {
                                          									_t290 = _t278;
                                          									_t319 = _t319 + _t319;
                                          									_t192 =  !_t192;
                                          								}
                                          								_t216 = _t216 & _t192;
                                          								if(_t319 >= 0x100) {
                                          									goto L19;
                                          								} else {
                                          									_t271 =  *(_t351 + 0x20);
                                          									continue;
                                          								}
                                          								goto L113;
                                          							}
                                          						} else {
                                          							_t281 = 1;
                                          							do {
                                          								_t320 =  *( *((intOrPtr*)(_t351 + 0x14)) + _t281 * 2) & 0x0000ffff;
                                          								if(_t291 >= 0x1000000) {
                                          									goto L15;
                                          								} else {
                                          									_t197 =  *(_t351 + 0x28);
                                          									if(_t197 >=  *(_t351 + 0x10)) {
                                          										goto L2;
                                          									} else {
                                          										_t291 = _t291 << 8;
                                          										_t321 = _t321 << 0x00000008 |  *_t197 & 0x000000ff;
                                          										 *(_t351 + 0x28) =  &(_t197[1]);
                                          										goto L15;
                                          									}
                                          								}
                                          								goto L113;
                                          								L15:
                                          								_t196 = (_t291 >> 0xb) * _t320;
                                          								if(_t321 >= _t196) {
                                          									_t291 = _t291 - _t196;
                                          									_t321 = _t321 - _t196;
                                          									_t281 = _t281 + _t281 + 1;
                                          								} else {
                                          									_t291 = _t196;
                                          									_t281 = _t281 + _t281;
                                          								}
                                          							} while (_t281 < 0x100);
                                          							L19:
                                          							 *(_t351 + 0x1c) = 1;
                                          							L20:
                                          							_t344 =  *(_t351 + 0x28);
                                          							L21:
                                          							if(_t290 >= 0x1000000 || _t344 <  *(_t351 + 0x10)) {
                                          								return  *(_t351 + 0x1c);
                                          							} else {
                                          								goto L2;
                                          							}
                                          						}
                                          					}
                                          				} else {
                                          					_t199 =  *(_t351 + 0x28);
                                          					if(_t199 <  *(_t351 + 0x10)) {
                                          						_t283 = _t283 << 8;
                                          						_t321 = _t321 << 0x00000008 |  *_t199 & 0x000000ff;
                                          						 *(_t351 + 0x28) =  &(_t199[1]);
                                          						goto L4;
                                          					} else {
                                          						L2:
                                          						return 0;
                                          					}
                                          				}
                                          				L113:
                                          			}

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 27156ca4970ad7a14cafdd4d0f561c0251ce2efe8b7cb58f4bb8e0a1a151ff8a
                                          • Instruction ID: 462305fb0b224e09127741abaf40dbbd09e9997c9276ae30905a80483bc5e455
                                          • Opcode Fuzzy Hash: 27156ca4970ad7a14cafdd4d0f561c0251ce2efe8b7cb58f4bb8e0a1a151ff8a
                                          • Instruction Fuzzy Hash: AD020772A042114BD728CE28C580279BBE2FBC5350F110A3FE896A7AD4D778994DCB99
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0040A6A0(intOrPtr* __eax, signed int* __ecx) {
                                          				signed int* _t167;
                                          				unsigned int _t169;
                                          				unsigned int _t176;
                                          				unsigned int _t209;
                                          				unsigned int _t216;
                                          				unsigned int _t230;
                                          				unsigned int _t234;
                                          				signed int* _t275;
                                          				unsigned int _t290;
                                          				unsigned int _t306;
                                          				unsigned int _t316;
                                          				unsigned int _t319;
                                          				signed int _t326;
                                          				signed int _t335;
                                          				void* _t432;
                                          
                                          				_t319 =  *(__eax + 0x14) ^ __ecx[1];
                                          				_t169 =  *(__eax + 0x1c) ^ __ecx[3];
                                          				_t234 =  *(__eax + 0x10) ^  *__ecx;
                                          				 *((intOrPtr*)(_t432 + 0x10)) =  *__eax;
                                          				_t209 =  *(__eax + 0x18) ^ __ecx[2];
                                          				 *(_t432 + 0x30) = _t209;
                                          				 *(_t432 + 0x14) = _t209 >> 0x00000008 & 0x000000ff;
                                          				 *(_t432 + 0x34) = _t169;
                                          				_t216 =  *(0x4201f0 + (_t169 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41fdf0 +  *(_t432 + 0x14) * 4) ^  *(0x4205f0 + (_t234 >> 0x18) * 4) ^  *(0x41f9f0 + (_t319 & 0x000000ff) * 4) ^  *(__eax + 0x24);
                                          				_t306 =  *(0x4201f0 + (_t209 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41fdf0 + (_t319 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4205f0 + (_t169 >> 0x18) * 4) ^  *(0x41f9f0 + (_t234 & 0x000000ff) * 4) ^  *(__eax + 0x20);
                                          				_t167 = __eax + 0x20;
                                          				_t326 =  *(0x4201f0 + (_t319 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41fdf0 + (_t234 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4205f0 + ( *(_t432 + 0x30) >> 0x18) * 4) ^  *(0x41f9f0 + ( *(_t432 + 0x34) & 0x000000ff) * 4) ^ _t167[3];
                                          				_t176 =  *(0x41fdf0 + (_t169 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4201f0 + (_t234 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4205f0 + (_t319 >> 0x18) * 4) ^  *(0x41f9f0 + ( *(_t432 + 0x30) & 0x000000ff) * 4) ^ _t167[2];
                                          				_t52 = _t432 + 0x10;
                                          				 *_t52 =  *((intOrPtr*)(_t432 + 0x10)) - 1;
                                          				 *(_t432 + 0x1c) = _t216;
                                          				 *(_t432 + 0x24) = _t326;
                                          				if( *_t52 != 0) {
                                          					do {
                                          						_t290 =  *(0x4201f0 + (_t326 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41fdf0 + (_t176 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4205f0 + (_t306 >> 0x18) * 4) ^  *(0x41f9f0 + ( *(_t432 + 0x1c) & 0x000000ff) * 4) ^ _t167[5];
                                          						_t335 =  *(0x41fdf0 + (_t326 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4201f0 + (_t306 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4205f0 + ( *(_t432 + 0x1c) >> 0x18) * 4) ^  *(0x41f9f0 + (_t176 & 0x000000ff) * 4) ^ _t167[6];
                                          						_t230 =  *(0x4201f0 + (_t176 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41fdf0 + (_t216 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4205f0 + (_t326 >> 0x18) * 4) ^  *(0x41f9f0 + (_t306 & 0x000000ff) * 4) ^ _t167[4];
                                          						 *(_t432 + 0x14) = _t306 >> 0x00000008 & 0x000000ff;
                                          						_t316 =  *(0x4201f0 + ( *(_t432 + 0x1c) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41fdf0 +  *(_t432 + 0x14) * 4) ^  *(0x4205f0 + (_t176 >> 0x18) * 4) ^  *(0x41f9f0 + ( *(_t432 + 0x24) & 0x000000ff) * 4) ^ _t167[7];
                                          						_t167 =  &(_t167[8]);
                                          						 *(_t432 + 0x18) =  *(0x4201f0 + (_t335 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41fdf0 + (_t290 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4205f0 + (_t316 >> 0x18) * 4) ^  *(0x41f9f0 + (_t230 & 0x000000ff) * 4) ^  *_t167;
                                          						 *(_t432 + 0x1c) =  *(0x4201f0 + (_t316 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41fdf0 + (_t335 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4205f0 + (_t230 >> 0x18) * 4) ^  *(0x41f9f0 + (_t290 & 0x000000ff) * 4) ^ _t167[1];
                                          						_t216 =  *(_t432 + 0x1c);
                                          						_t306 =  *(_t432 + 0x18);
                                          						_t326 =  *(0x4201f0 + (_t290 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41fdf0 + (_t230 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4205f0 + (_t335 >> 0x18) * 4) ^  *(0x41f9f0 + (_t316 & 0x000000ff) * 4) ^ _t167[3];
                                          						_t176 =  *(0x41fdf0 + (_t316 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4201f0 + (_t230 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4205f0 + (_t290 >> 0x18) * 4) ^  *(0x41f9f0 + (_t335 & 0x000000ff) * 4) ^ _t167[2];
                                          						_t137 = _t432 + 0x10;
                                          						 *_t137 =  *((intOrPtr*)(_t432 + 0x10)) - 1;
                                          						 *(_t432 + 0x24) = _t326;
                                          					} while ( *_t137 != 0);
                                          				}
                                          				 *( *(_t432 + 0x3c)) = ((( *((_t176 >> 0x00000010 & 0x000000ff) + 0x41c040) & 0x000000ff | ( *((_t326 >> 0x18) + 0x41c040) & 0x000000ff) << 0x00000008) << 0x00000008 |  *((_t216 >> 0x00000008 & 0x000000ff) + 0x41c040) & 0x000000ff) << 0x00000008 |  *((_t306 & 0x000000ff) + 0x41c040) & 0x000000ff) ^ _t167[4];
                                          				( *(_t432 + 0x3c))[1] = ((( *((_t326 >> 0x00000010 & 0x000000ff) + 0x41c040) & 0x000000ff | ( *((_t306 >> 0x18) + 0x41c040) & 0x000000ff) << 0x00000008) << 0x00000008 |  *((_t176 >> 0x00000008 & 0x000000ff) + 0x41c040) & 0x000000ff) << 0x00000008 |  *((_t216 & 0x000000ff) + 0x41c040) & 0x000000ff) ^ _t167[5];
                                          				_t275 =  *(_t432 + 0x3c);
                                          				_t275[2] = ((( *((_t306 >> 0x00000010 & 0x000000ff) + 0x41c040) & 0x000000ff | ( *((_t216 >> 0x18) + 0x41c040) & 0x000000ff) << 0x00000008) << 0x00000008 |  *((_t326 >> 0x00000008 & 0x000000ff) + 0x41c040) & 0x000000ff) << 0x00000008 |  *((_t176 & 0x000000ff) + 0x41c040) & 0x000000ff) ^ _t167[6];
                                          				_t275[3] = ((( *((_t216 >> 0x00000010 & 0x000000ff) + 0x41c040) & 0x000000ff | ( *((_t176 >> 0x18) + 0x41c040) & 0x000000ff) << 0x00000008) << 0x00000008 |  *((_t306 >> 0x00000008 & 0x000000ff) + 0x41c040) & 0x000000ff) << 0x00000008 |  *((_t326 & 0x000000ff) + 0x41c040) & 0x000000ff) ^ _t167[7];
                                          				return _t167;
                                          			}



















                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 84f162616a20772e74dd71631627c3c9c1bca9b9439662ba305608b213246b3c
                                          • Instruction ID: 83bfa8493028414e067c23257a90e250144b075ccba9c150ccd2a674e287ec71
                                          • Opcode Fuzzy Hash: 84f162616a20772e74dd71631627c3c9c1bca9b9439662ba305608b213246b3c
                                          • Instruction Fuzzy Hash: 9CD1F77199436B4FD354EF8DEC8163677A2AF88300F4A8234CA541B363D6387917DB94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 99%
                                          			E0040EBB8(unsigned int __eax, void* __ebx, signed int __edx, signed int __esi) {
                                          				unsigned int _t502;
                                          				unsigned int _t503;
                                          				unsigned int _t504;
                                          				unsigned int _t505;
                                          				unsigned int _t506;
                                          				unsigned int _t507;
                                          				unsigned int _t508;
                                          				unsigned int _t509;
                                          				unsigned int _t516;
                                          				unsigned int _t517;
                                          				unsigned int _t518;
                                          				unsigned int _t519;
                                          				unsigned int _t520;
                                          				unsigned int _t525;
                                          				unsigned int _t526;
                                          				unsigned int _t527;
                                          				unsigned int _t528;
                                          				unsigned int _t529;
                                          				unsigned int _t530;
                                          				unsigned int _t531;
                                          				unsigned int _t532;
                                          				unsigned int _t533;
                                          				unsigned int _t534;
                                          				unsigned int _t535;
                                          				unsigned int _t536;
                                          				unsigned int _t537;
                                          				unsigned int _t538;
                                          				unsigned int _t539;
                                          				unsigned int _t540;
                                          				unsigned int _t541;
                                          				unsigned int _t542;
                                          				unsigned int _t543;
                                          				unsigned int _t544;
                                          				unsigned int _t545;
                                          				unsigned int _t546;
                                          				unsigned int _t547;
                                          				unsigned int _t548;
                                          				unsigned int _t549;
                                          				signed int _t552;
                                          				signed char* _t553;
                                          				signed int _t554;
                                          				signed int _t555;
                                          				intOrPtr _t562;
                                          				void* _t563;
                                          				signed int _t565;
                                          				signed int _t567;
                                          				signed int _t577;
                                          				unsigned int _t581;
                                          				signed int _t584;
                                          				signed short* _t587;
                                          				unsigned int _t588;
                                          				signed int _t591;
                                          				signed short* _t594;
                                          				unsigned int _t595;
                                          				signed int _t598;
                                          				signed short* _t601;
                                          				unsigned int _t602;
                                          				signed int _t605;
                                          				signed short* _t608;
                                          				unsigned int _t609;
                                          				signed int _t612;
                                          				signed short* _t615;
                                          				unsigned int _t616;
                                          				signed int _t619;
                                          				signed short* _t622;
                                          				unsigned int _t623;
                                          				unsigned int _t648;
                                          				unsigned int _t651;
                                          				signed int _t655;
                                          				unsigned int _t658;
                                          				unsigned int _t660;
                                          				signed int _t662;
                                          				signed int _t667;
                                          				signed int _t672;
                                          				unsigned int _t675;
                                          				void* _t679;
                                          				intOrPtr _t681;
                                          				void* _t684;
                                          				signed int _t685;
                                          				void* _t687;
                                          				signed int _t690;
                                          				signed char _t695;
                                          				void* _t696;
                                          				unsigned int _t697;
                                          				signed int _t699;
                                          				unsigned int _t700;
                                          				unsigned int _t702;
                                          				unsigned int _t704;
                                          				unsigned int _t710;
                                          				unsigned int _t721;
                                          				signed int _t724;
                                          				unsigned int _t725;
                                          				signed char* _t732;
                                          				signed char* _t734;
                                          				unsigned int _t738;
                                          				signed int _t741;
                                          				unsigned int _t742;
                                          				signed char* _t749;
                                          				signed char* _t751;
                                          				unsigned int _t755;
                                          				signed int _t761;
                                          				signed int _t762;
                                          				signed int _t770;
                                          				signed int _t774;
                                          				signed int _t780;
                                          				signed int _t781;
                                          				signed int _t782;
                                          				signed int _t783;
                                          				signed int _t784;
                                          				signed int _t785;
                                          				signed int _t786;
                                          				signed int _t787;
                                          				unsigned int _t788;
                                          				unsigned int _t793;
                                          				signed int _t795;
                                          				unsigned int _t796;
                                          				unsigned int _t798;
                                          				unsigned int _t800;
                                          				unsigned int _t802;
                                          				unsigned int _t804;
                                          				unsigned int _t806;
                                          				unsigned int _t808;
                                          				signed int _t812;
                                          				signed int _t814;
                                          				unsigned int _t817;
                                          				unsigned int _t820;
                                          				unsigned int _t824;
                                          				unsigned int _t829;
                                          				signed short* _t836;
                                          				signed char* _t840;
                                          				char* _t847;
                                          				unsigned int _t849;
                                          				signed int _t851;
                                          				unsigned int _t852;
                                          				unsigned int _t854;
                                          				unsigned int _t856;
                                          				unsigned int _t858;
                                          				unsigned int _t860;
                                          				signed int _t865;
                                          				signed int _t868;
                                          				unsigned int _t873;
                                          				unsigned int _t878;
                                          				unsigned int _t883;
                                          				unsigned int _t888;
                                          				signed char* _t913;
                                          				unsigned int _t916;
                                          				void* _t918;
                                          				void* _t919;
                                          				unsigned int _t936;
                                          				intOrPtr _t940;
                                          				signed char* _t941;
                                          				signed int _t951;
                                          				signed int _t952;
                                          				signed int _t953;
                                          				signed int _t954;
                                          				signed int _t955;
                                          				signed int _t956;
                                          				signed int _t957;
                                          				signed int _t961;
                                          				unsigned int _t964;
                                          				signed int _t967;
                                          				signed int _t973;
                                          				signed char* _t975;
                                          				signed int _t977;
                                          				unsigned int _t980;
                                          				unsigned int _t985;
                                          				unsigned int _t990;
                                          				unsigned int _t995;
                                          				unsigned int _t1000;
                                          				unsigned int _t1005;
                                          				unsigned int _t1010;
                                          				unsigned int _t1015;
                                          				signed int _t1018;
                                          				signed int _t1024;
                                          				signed int _t1062;
                                          				unsigned int _t1063;
                                          				unsigned int _t1065;
                                          				signed int _t1069;
                                          				void* _t1074;
                                          				unsigned int _t1079;
                                          				unsigned int _t1084;
                                          				unsigned int _t1089;
                                          				unsigned int _t1094;
                                          				unsigned int _t1099;
                                          				unsigned int _t1104;
                                          				signed char* _t1109;
                                          				void* _t1110;
                                          				signed int _t1111;
                                          				signed int _t1113;
                                          				unsigned int _t1148;
                                          				unsigned int _t1152;
                                          				unsigned int _t1157;
                                          				unsigned int _t1170;
                                          				unsigned int _t1174;
                                          				unsigned int _t1179;
                                          				signed char* _t1186;
                                          				signed char* _t1192;
                                          				intOrPtr _t1198;
                                          				signed short* _t1199;
                                          				void* _t1207;
                                          				short* _t1208;
                                          				signed int _t1213;
                                          				signed int _t1214;
                                          				signed int _t1215;
                                          				signed int _t1216;
                                          				signed int _t1217;
                                          				unsigned int _t1225;
                                          				signed int _t1269;
                                          				intOrPtr _t1272;
                                          				signed int _t1273;
                                          				signed int _t1274;
                                          				void* _t1275;
                                          				signed int _t1276;
                                          				void* _t1277;
                                          				intOrPtr _t1280;
                                          				void* _t1284;
                                          				void* _t1285;
                                          				void* _t1286;
                                          				void* _t1287;
                                          				void* _t1288;
                                          				void* _t1289;
                                          				signed int _t1290;
                                          				signed int _t1294;
                                          				signed int _t1295;
                                          				void* _t1300;
                                          				void* _t1306;
                                          				void* _t1307;
                                          				unsigned int _t1317;
                                          				signed int _t1320;
                                          				unsigned int _t1323;
                                          				signed int _t1328;
                                          				unsigned int _t1331;
                                          				signed int _t1336;
                                          				unsigned int _t1339;
                                          				signed int _t1344;
                                          				unsigned int _t1347;
                                          				signed int _t1352;
                                          				unsigned int _t1355;
                                          				signed int _t1360;
                                          				unsigned int _t1363;
                                          				void* _t1368;
                                          				void* _t1418;
                                          				void* _t1419;
                                          				void* _t1420;
                                          				void* _t1421;
                                          				void* _t1422;
                                          				void* _t1423;
                                          				char _t1424;
                                          				void* _t1426;
                                          
                                          				_t1213 = __esi;
                                          				_t812 = __edx;
                                          				_t502 = __eax;
                                          				while(1) {
                                          					L155:
                                          					_t1275 = _t1274 + _t1274;
                                          					_t675 =  *(_t836 + _t1275 + 0x204) & 0x0000ffff;
                                          					if(_t509 < 0x1000000) {
                                          						_t509 = _t509 << 8;
                                          						_t1213 = _t1213 << 0x00000008 |  *_t553 & 0x000000ff;
                                          						_t553 =  &(_t553[1]);
                                          					}
                                          					_t1069 = (_t509 >> 0xb) * _t675;
                                          					if(_t1213 >= _t1069) {
                                          						_t509 = _t509 - _t1069;
                                          						_t1213 = _t1213 - _t1069;
                                          						_t675 = _t675 - (_t675 >> 5);
                                          						 *(_t836 + _t1275 + 0x204) = _t675;
                                          						_t1274 = _t1275 + 1;
                                          					} else {
                                          						_t509 = _t1069;
                                          						 *(_t836 + _t1275 + 0x204) = (0x800 - _t675 >> 5) + _t675;
                                          					}
                                          					if(_t1274 < 0x100) {
                                          						continue;
                                          					}
                                          					L161:
                                          					 *(_t1426 + 0x10) = _t553;
                                          					_t1276 = _t1274 - 0xf0;
                                          					while(1) {
                                          						_t554 =  *(_t1426 + 0x10);
                                          						while(1) {
                                          							L163:
                                          							 *(_t1426 + 0x30) = _t1276;
                                          							if( *(_t1426 + 0x20) < 0xc) {
                                          								goto L237;
                                          							}
                                          							L164:
                                          							_t685 = _t1276;
                                          							if(_t1276 >= 4) {
                                          								_t685 = 3;
                                          							}
                                          							_t687 = (_t685 << 7) +  *((intOrPtr*)(_t1426 + 0x2c)) + 0x360;
                                          							_t849 =  *(_t687 + 2) & 0x0000ffff;
                                          							if(_t509 < 0x1000000) {
                                          								_t509 = _t509 << 8;
                                          								_t1213 = _t1213 << 0x00000008 |  *_t554 & 0x000000ff;
                                          								_t554 = _t554 + 1;
                                          								 *(_t1426 + 0x10) = _t554;
                                          							}
                                          							_t1079 = (_t509 >> 0xb) * _t849;
                                          							if(_t1213 >= _t1079) {
                                          								_t516 = _t509 - _t1079;
                                          								_t1213 = _t1213 - _t1079;
                                          								 *(_t687 + 2) = _t849 - (_t849 >> 5);
                                          								_t851 = 3;
                                          							} else {
                                          								_t516 = _t1079;
                                          								 *(_t687 + 2) = (0x800 - _t849 >> 5) + _t849;
                                          								_t851 = 2;
                                          							}
                                          							_t1285 = _t851 + _t851;
                                          							_t852 =  *(_t687 + _t1285) & 0x0000ffff;
                                          							if(_t516 < 0x1000000) {
                                          								_t516 = _t516 << 8;
                                          								_t1213 = _t1213 << 0x00000008 |  *_t554 & 0x000000ff;
                                          								_t554 = _t554 + 1;
                                          								 *(_t1426 + 0x10) = _t554;
                                          							}
                                          							_t1084 = (_t516 >> 0xb) * _t852;
                                          							if(_t1213 >= _t1084) {
                                          								_t517 = _t516 - _t1084;
                                          								_t1213 = _t1213 - _t1084;
                                          								 *(_t687 + _t1285) = _t852 - (_t852 >> 5);
                                          								_t1285 = _t1285 + 1;
                                          							} else {
                                          								_t517 = _t1084;
                                          								 *(_t687 + _t1285) = (0x800 - _t852 >> 5) + _t852;
                                          							}
                                          							_t1286 = _t1285 + _t1285;
                                          							_t854 =  *(_t687 + _t1286) & 0x0000ffff;
                                          							if(_t517 < 0x1000000) {
                                          								_t517 = _t517 << 8;
                                          								_t1213 = _t1213 << 0x00000008 |  *_t554 & 0x000000ff;
                                          								_t554 = _t554 + 1;
                                          								 *(_t1426 + 0x10) = _t554;
                                          							}
                                          							_t1089 = (_t517 >> 0xb) * _t854;
                                          							if(_t1213 >= _t1089) {
                                          								_t518 = _t517 - _t1089;
                                          								_t1213 = _t1213 - _t1089;
                                          								 *(_t687 + _t1286) = _t854 - (_t854 >> 5);
                                          								_t1286 = _t1286 + 1;
                                          							} else {
                                          								_t518 = _t1089;
                                          								 *(_t687 + _t1286) = (0x800 - _t854 >> 5) + _t854;
                                          							}
                                          							_t1287 = _t1286 + _t1286;
                                          							_t856 =  *(_t687 + _t1287) & 0x0000ffff;
                                          							if(_t518 < 0x1000000) {
                                          								_t518 = _t518 << 8;
                                          								_t1213 = _t1213 << 0x00000008 |  *_t554 & 0x000000ff;
                                          								_t554 = _t554 + 1;
                                          								 *(_t1426 + 0x10) = _t554;
                                          							}
                                          							_t1094 = (_t518 >> 0xb) * _t856;
                                          							if(_t1213 >= _t1094) {
                                          								_t519 = _t518 - _t1094;
                                          								_t1213 = _t1213 - _t1094;
                                          								 *(_t687 + _t1287) = _t856 - (_t856 >> 5);
                                          								_t1287 = _t1287 + 1;
                                          							} else {
                                          								_t519 = _t1094;
                                          								 *(_t687 + _t1287) = (0x800 - _t856 >> 5) + _t856;
                                          							}
                                          							_t1288 = _t1287 + _t1287;
                                          							_t858 =  *(_t687 + _t1288) & 0x0000ffff;
                                          							if(_t519 < 0x1000000) {
                                          								_t519 = _t519 << 8;
                                          								_t1213 = _t1213 << 0x00000008 |  *_t554 & 0x000000ff;
                                          								_t554 = _t554 + 1;
                                          								 *(_t1426 + 0x10) = _t554;
                                          							}
                                          							_t1099 = (_t519 >> 0xb) * _t858;
                                          							if(_t1213 >= _t1099) {
                                          								_t520 = _t519 - _t1099;
                                          								_t1213 = _t1213 - _t1099;
                                          								 *(_t687 + _t1288) = _t858 - (_t858 >> 5);
                                          								_t1288 = _t1288 + 1;
                                          							} else {
                                          								_t520 = _t1099;
                                          								 *(_t687 + _t1288) = (0x800 - _t858 >> 5) + _t858;
                                          							}
                                          							_t1289 = _t1288 + _t1288;
                                          							_t860 =  *(_t687 + _t1289) & 0x0000ffff;
                                          							if(_t520 < 0x1000000) {
                                          								_t520 = _t520 << 8;
                                          								_t1213 = _t1213 << 0x00000008 |  *_t554 & 0x000000ff;
                                          								 *(_t1426 + 0x10) = _t554 + 1;
                                          							}
                                          							_t1104 = (_t520 >> 0xb) * _t860;
                                          							if(_t1213 >= _t1104) {
                                          								_t509 = _t520 - _t1104;
                                          								_t1213 = _t1213 - _t1104;
                                          								 *(_t687 + _t1289) = _t860 - (_t860 >> 5);
                                          								_t1289 = _t1289 + 1;
                                          							} else {
                                          								_t509 = _t1104;
                                          								 *(_t687 + _t1289) = (0x800 - _t860 >> 5) + _t860;
                                          							}
                                          							_t1290 = _t1289 - 0x40;
                                          							if(_t1290 < 4) {
                                          								L231:
                                          								 *(_t1426 + 0x48) =  *(_t1426 + 0x44);
                                          								 *(_t1426 + 0x40) =  *(_t1426 + 0x34);
                                          								_t690 =  *(_t1426 + 0x4c);
                                          								 *(_t1426 + 0x44) =  *(_t1426 + 0x40);
                                          								_t439 = _t1290 + 1; // -296
                                          								 *(_t1426 + 0x34) = _t439;
                                          								if(_t690 != 0) {
                                          									if(_t1290 >= _t690) {
                                          										 *( *((intOrPtr*)(_t1426 + 0x60)) + 0x24) =  *(_t1426 + 0x24);
                                          										return 1;
                                          									} else {
                                          										goto L236;
                                          									}
                                          								} else {
                                          									if(_t1290 <  *(_t1426 + 0x28)) {
                                          										L236:
                                          										_t1276 =  *(_t1426 + 0x30);
                                          										asm("sbb ecx, ecx");
                                          										_t675 = (_t690 & 0xfffffffd) + 0xa;
                                          										 *(_t1426 + 0x20) = _t675;
                                          										goto L237;
                                          									} else {
                                          										 *( *((intOrPtr*)(_t1426 + 0x60)) + 0x24) =  *(_t1426 + 0x24);
                                          										L234:
                                          										return 1;
                                          									}
                                          								}
                                          							} else {
                                          								_t865 = _t1290;
                                          								_t695 = (_t1290 >> 1) - 1;
                                          								_t1294 = _t1290 & 0x00000001 | 0x00000002;
                                          								 *(_t1426 + 0x1c) = _t695;
                                          								if(_t865 >= 0xe) {
                                          									_t1109 =  *(_t1426 + 0x10);
                                          									_t696 = _t695 - 4;
                                          									do {
                                          										if(_t509 < 0x1000000) {
                                          											_t509 = _t509 << 8;
                                          											_t1213 = _t1213 << 0x00000008 |  *_t1109 & 0x000000ff;
                                          											_t1109 =  &(_t1109[1]);
                                          										}
                                          										_t509 = _t509 >> 1;
                                          										_t1225 = _t1213 - _t509;
                                          										_t868 =  ~(_t1225 >> 0x1f);
                                          										_t1294 = _t868 + 1 + _t1294 * 2;
                                          										_t1213 = _t1225 + (_t868 & _t509);
                                          										_t696 = _t696 - 1;
                                          									} while (_t696 != 0);
                                          									_t562 =  *((intOrPtr*)(_t1426 + 0x2c));
                                          									_t697 =  *(_t562 + 0x646) & 0x0000ffff;
                                          									_t1295 = _t1294 << 4;
                                          									 *(_t1426 + 0x10) = _t1109;
                                          									if(_t509 < 0x1000000) {
                                          										_t913 = _t1109;
                                          										_t509 = _t509 << 8;
                                          										_t1213 = _t1213 << 0x00000008 |  *_t913 & 0x000000ff;
                                          										 *(_t1426 + 0x10) =  &(_t913[1]);
                                          									}
                                          									_t873 = (_t509 >> 0xb) * _t697;
                                          									if(_t1213 >= _t873) {
                                          										_t525 = _t509 - _t873;
                                          										_t1213 = _t1213 - _t873;
                                          										 *(_t562 + 0x646) = _t697 - (_t697 >> 5);
                                          										_t699 = 3;
                                          										_t1295 = _t1295 | 0x00000001;
                                          									} else {
                                          										_t525 = _t873;
                                          										 *(_t562 + 0x646) = (0x800 - _t697 >> 5) + _t697;
                                          										_t699 = 2;
                                          									}
                                          									_t1110 = _t699 + _t699;
                                          									_t700 =  *(_t1110 + _t562 + 0x644) & 0x0000ffff;
                                          									if(_t525 < 0x1000000) {
                                          										_t525 = _t525 << 8;
                                          										_t1213 = _t1213 << 0x00000008 |  *( *(_t1426 + 0x10)) & 0x000000ff;
                                          										 *(_t1426 + 0x10) =  *(_t1426 + 0x10) + 1;
                                          									}
                                          									_t878 = (_t525 >> 0xb) * _t700;
                                          									if(_t1213 >= _t878) {
                                          										_t526 = _t525 - _t878;
                                          										_t1213 = _t1213 - _t878;
                                          										 *(_t1110 + _t562 + 0x644) = _t700 - (_t700 >> 5);
                                          										_t1110 = _t1110 + 1;
                                          										_t1295 = _t1295 | 0x00000002;
                                          									} else {
                                          										_t526 = _t878;
                                          										 *(_t1110 + _t562 + 0x644) = (0x800 - _t700 >> 5) + _t700;
                                          									}
                                          									_t1111 = _t1110 + _t1110;
                                          									_t702 =  *(_t1111 + _t562 + 0x644) & 0x0000ffff;
                                          									if(_t526 < 0x1000000) {
                                          										_t526 = _t526 << 8;
                                          										_t1213 = _t1213 << 0x00000008 |  *( *(_t1426 + 0x10)) & 0x000000ff;
                                          										 *(_t1426 + 0x10) =  *(_t1426 + 0x10) + 1;
                                          									}
                                          									_t883 = (_t526 >> 0xb) * _t702;
                                          									if(_t1213 >= _t883) {
                                          										_t527 = _t526 - _t883;
                                          										_t1213 = _t1213 - _t883;
                                          										 *(_t1111 + _t562 + 0x644) = _t702 - (_t702 >> 5);
                                          										_t1111 = _t1111 + 1;
                                          										_t1295 = _t1295 | 0x00000004;
                                          									} else {
                                          										_t527 = _t883;
                                          										 *(_t1111 + _t562 + 0x644) = (0x800 - _t702 >> 5) + _t702;
                                          									}
                                          									_t704 =  *(_t562 + 0x644 + _t1111 * 2) & 0x0000ffff;
                                          									if(_t527 < 0x1000000) {
                                          										_t527 = _t527 << 8;
                                          										_t1213 = _t1213 << 0x00000008 |  *( *(_t1426 + 0x10)) & 0x000000ff;
                                          										 *(_t1426 + 0x10) =  *(_t1426 + 0x10) + 1;
                                          									}
                                          									_t888 = (_t527 >> 0xb) * _t704;
                                          									if(_t1213 >= _t888) {
                                          										_t509 = _t527 - _t888;
                                          										_t1213 = _t1213 - _t888;
                                          										 *(_t562 + 0x644 + _t1111 * 2) = _t704 - (_t704 >> 5);
                                          										_t1290 = _t1295 | 0x00000008;
                                          									} else {
                                          										_t509 = _t888;
                                          										 *(_t562 + 0x644 + _t1111 * 2) = (0x800 - _t704 >> 5) + _t704;
                                          									}
                                          									if(_t1290 == 0xffffffff) {
                                          										 *(_t1426 + 0x30) =  *(_t1426 + 0x30) + 0x112;
                                          										 *(_t1426 + 0x20) =  *(_t1426 + 0x20) - 0xc;
                                          										L253:
                                          										_t840 =  *(_t1426 + 0x10);
                                          										if(_t509 < 0x1000000) {
                                          											_t509 = _t509 << 8;
                                          											_t1213 = _t1213 << 0x00000008 |  *_t840 & 0x000000ff;
                                          											_t840 =  &(_t840[1]);
                                          										}
                                          										_t681 =  *((intOrPtr*)(_t1426 + 0x60));
                                          										 *(_t681 + 0x1c) = _t509;
                                          										 *(_t681 + 0x18) = _t840;
                                          										 *(_t681 + 0x24) =  *(_t1426 + 0x24);
                                          										 *(_t681 + 0x48) =  *(_t1426 + 0x30);
                                          										 *(_t681 + 0x38) =  *(_t1426 + 0x34);
                                          										 *(_t681 + 0x2c) =  *(_t1426 + 0x28);
                                          										 *(_t681 + 0x20) = _t1213;
                                          										 *(_t681 + 0x40) =  *(_t1426 + 0x44);
                                          										 *(_t681 + 0x3c) =  *(_t1426 + 0x3c);
                                          										 *(_t681 + 0x34) =  *(_t1426 + 0x1c);
                                          										 *(_t681 + 0x44) =  *(_t1426 + 0x40);
                                          										return 0;
                                          									} else {
                                          										goto L231;
                                          									}
                                          								} else {
                                          									_t1290 = _t1294 << _t695;
                                          									_t1113 = 1;
                                          									 *(_t1426 + 0x48) = 1;
                                          									_t563 =  *((intOrPtr*)(_t1426 + 0x2c)) + 0x55e + (_t1290 - _t865) * 2;
                                          									do {
                                          										_t916 =  *(_t563 + _t1113 * 2) & 0x0000ffff;
                                          										if(_t509 < 0x1000000) {
                                          											_t509 = _t509 << 8;
                                          											_t1213 = _t1213 << 0x00000008 |  *( *(_t1426 + 0x10)) & 0x000000ff;
                                          											 *(_t1426 + 0x10) =  *(_t1426 + 0x10) + 1;
                                          										}
                                          										_t710 = (_t509 >> 0xb) * _t916;
                                          										if(_t1213 >= _t710) {
                                          											_t509 = _t509 - _t710;
                                          											_t1213 = _t1213 - _t710;
                                          											_t1290 = _t1290 |  *(_t1426 + 0x48);
                                          											 *(_t563 + _t1113 * 2) = _t916 - (_t916 >> 5);
                                          											_t1113 = _t1113 + _t1113 + 1;
                                          										} else {
                                          											_t509 = _t710;
                                          											 *(_t563 + _t1113 * 2) = (0x800 - _t916 >> 5) + _t916;
                                          											_t1113 = _t1113 + _t1113;
                                          										}
                                          										 *(_t1426 + 0x48) =  *(_t1426 + 0x48) << 1;
                                          										_t389 = _t1426 + 0x1c;
                                          										 *_t389 =  *(_t1426 + 0x1c) - 1;
                                          									} while ( *_t389 != 0);
                                          									goto L231;
                                          								}
                                          							}
                                          							L258:
                                          							L237:
                                          							_t555 =  *(_t1426 + 0x24);
                                          							_t1277 = _t1276 + 2;
                                          							_t1074 =  *((intOrPtr*)(_t1426 + 0x64)) - _t555;
                                          							if(_t1074 == 0) {
                                          								 *( *((intOrPtr*)(_t1426 + 0x60)) + 0x24) = _t555;
                                          								return 1;
                                          							} else {
                                          								if(_t1074 >= _t1277) {
                                          									_t1074 = _t1277;
                                          								}
                                          								asm("sbb ecx, ecx");
                                          								 *(_t1426 + 0x28) =  *(_t1426 + 0x28) + _t1074;
                                          								_t679 = (_t675 &  *(_t1426 + 0x3c)) -  *(_t1426 + 0x34) + _t555;
                                          								 *(_t1426 + 0x30) = _t1277 - _t1074;
                                          								if(_t1074 >  *(_t1426 + 0x3c) - _t679) {
                                          									_t1280 =  *((intOrPtr*)(_t1426 + 0x38));
                                          									do {
                                          										 *((char*)(_t555 + _t1280)) =  *((intOrPtr*)(_t679 + _t1280));
                                          										_t679 = _t679 + 1;
                                          										_t555 = _t555 + 1;
                                          										if(_t679 ==  *(_t1426 + 0x3c)) {
                                          											_t679 = 0;
                                          										}
                                          										_t1074 = _t1074 - 1;
                                          									} while (_t1074 != 0);
                                          									 *(_t1426 + 0x24) = _t555;
                                          								} else {
                                          									_t847 =  *((intOrPtr*)(_t1426 + 0x38)) + _t555;
                                          									_t1284 = _t679 - _t555;
                                          									_t684 = _t847 + _t1074;
                                          									 *(_t1426 + 0x24) = _t555 + _t1074;
                                          									do {
                                          										 *_t847 =  *((intOrPtr*)(_t847 + _t1284));
                                          										_t847 = _t847 + 1;
                                          									} while (_t847 != _t684);
                                          									L249:
                                          									while( *(_t1426 + 0x24) <  *((intOrPtr*)(_t1426 + 0x64)) &&  *(_t1426 + 0x10) <  *((intOrPtr*)(_t1426 + 0x68))) {
                                          										_t1062 =  *(_t1426 + 0x20);
                                          										_t812 =  *(_t1426 + 0x58);
                                          										_t552 =  *(_t1426 + 0x28) & _t812;
                                          										_t814 =  *((intOrPtr*)(_t1426 + 0x2c)) + ((_t1062 << 4) + _t552) * 2;
                                          										_t648 =  *_t814 & 0x0000ffff;
                                          										if(_t502 < 0x1000000) {
                                          											_t502 = _t502 << 8;
                                          											_t1213 = _t1213 << 0x00000008 |  *( *(_t1426 + 0x10)) & 0x000000ff;
                                          											 *(_t1426 + 0x10) =  *(_t1426 + 0x10) + 1;
                                          										}
                                          										_t1269 = (_t502 >> 0xb) * _t648;
                                          										if(_t1213 >= _t1269) {
                                          											_t503 = _t502 - _t1269;
                                          											_t1214 = _t1213 - _t1269;
                                          											 *_t814 = _t648 - (_t648 >> 5);
                                          											_t651 =  *( *((intOrPtr*)(_t1426 + 0x2c)) + 0x180 + _t1062 * 2) & 0x0000ffff;
                                          											if(_t503 < 0x1000000) {
                                          												_t941 =  *(_t1426 + 0x10);
                                          												_t503 = _t503 << 8;
                                          												_t1214 = _t1214 << 0x00000008 |  *_t941 & 0x000000ff;
                                          												 *(_t1426 + 0x10) =  &(_t941[1]);
                                          											}
                                          											_t817 = (_t503 >> 0xb) * _t651;
                                          											if(_t1214 >= _t817) {
                                          												_t1272 =  *((intOrPtr*)(_t1426 + 0x2c));
                                          												_t504 = _t503 - _t817;
                                          												_t1213 = _t1214 - _t817;
                                          												 *((short*)(_t1272 + 0x180 + _t1062 * 2)) = _t651 - (_t651 >> 5);
                                          												if( *(_t1426 + 0x4c) != 0 ||  *(_t1426 + 0x28) != 0) {
                                          													_t820 =  *(_t1272 + 0x198 + _t1062 * 2) & 0x0000ffff;
                                          													if(_t504 < 0x1000000) {
                                          														_t504 = _t504 << 8;
                                          														_t1213 = _t1213 << 0x00000008 |  *( *(_t1426 + 0x10)) & 0x000000ff;
                                          														 *(_t1426 + 0x10) =  *(_t1426 + 0x10) + 1;
                                          													}
                                          													_t655 = (_t504 >> 0xb) * _t820;
                                          													if(_t1213 >= _t655) {
                                          														_t505 = _t504 - _t655;
                                          														_t1215 = _t1213 - _t655;
                                          														 *(_t1272 + 0x198 + _t1062 * 2) = _t820 - (_t820 >> 5);
                                          														_t658 =  *(_t1272 + 0x1b0 + _t1062 * 2) & 0x0000ffff;
                                          														if(_t505 < 0x1000000) {
                                          															_t505 = _t505 << 8;
                                          															_t1215 = _t1215 << 0x00000008 |  *( *(_t1426 + 0x10)) & 0x000000ff;
                                          															 *(_t1426 + 0x10) =  *(_t1426 + 0x10) + 1;
                                          														}
                                          														_t824 = (_t505 >> 0xb) * _t658;
                                          														if(_t1215 >= _t824) {
                                          															_t506 = _t505 - _t824;
                                          															_t1216 = _t1215 - _t824;
                                          															 *(_t1272 + 0x1b0 + _t1062 * 2) = _t658 - (_t658 >> 5);
                                          															_t660 =  *(_t1272 + 0x1c8 + _t1062 * 2) & 0x0000ffff;
                                          															if(_t506 < 0x1000000) {
                                          																_t506 = _t506 << 8;
                                          																_t1216 = _t1216 << 0x00000008 |  *( *(_t1426 + 0x10)) & 0x000000ff;
                                          																 *(_t1426 + 0x10) =  *(_t1426 + 0x10) + 1;
                                          															}
                                          															_t829 = (_t506 >> 0xb) * _t660;
                                          															if(_t1216 >= _t829) {
                                          																_t507 = _t506 - _t829;
                                          																_t1216 = _t1216 - _t829;
                                          																 *(_t1272 + 0x1c8 + _t1062 * 2) = _t660 - (_t660 >> 5);
                                          																_t662 =  *(_t1426 + 0x48);
                                          																 *(_t1426 + 0x48) =  *(_t1426 + 0x44);
                                          															} else {
                                          																_t507 = _t829;
                                          																_t662 =  *(_t1426 + 0x44);
                                          																 *(_t1272 + 0x1c8 + _t1062 * 2) = (0x800 - _t660 >> 5) + _t660;
                                          															}
                                          															 *(_t1426 + 0x44) =  *(_t1426 + 0x40);
                                          														} else {
                                          															_t507 = _t824;
                                          															_t662 =  *(_t1426 + 0x40);
                                          															 *(_t1272 + 0x1b0 + _t1062 * 2) = (0x800 - _t658 >> 5) + _t658;
                                          														}
                                          														_t1273 =  *(_t1426 + 0x20);
                                          														 *(_t1426 + 0x40) =  *(_t1426 + 0x34);
                                          														 *(_t1426 + 0x34) = _t662;
                                          														goto L117;
                                          													} else {
                                          														_t1198 = _t1272;
                                          														_t1273 =  *(_t1426 + 0x20);
                                          														 *((short*)(_t1198 + 0x198 + _t1273 * 2)) = (0x800 - _t820 >> 5) + _t820;
                                          														_t1199 = _t1198 + ((_t1273 + 0xf << 4) + _t552) * 2;
                                          														_t936 =  *_t1199 & 0x0000ffff;
                                          														_t534 = _t655;
                                          														if(_t655 < 0x1000000) {
                                          															_t534 = _t655 << 8;
                                          															_t1213 = _t1213 << 0x00000008 |  *( *(_t1426 + 0x10)) & 0x000000ff;
                                          															 *(_t1426 + 0x10) =  *(_t1426 + 0x10) + 1;
                                          														}
                                          														_t755 = (_t534 >> 0xb) * _t936;
                                          														if(_t1213 >= _t755) {
                                          															_t507 = _t534 - _t755;
                                          															_t1216 = _t1213 - _t755;
                                          															_t662 = _t936 >> 5;
                                          															 *_t1199 = _t936 - _t662;
                                          															L117:
                                          															asm("sbb ecx, ecx");
                                          															 *(_t1426 + 0x20) = (_t662 & 0xfffffffd) + 0xb;
                                          															_t836 =  *((intOrPtr*)(_t1426 + 0x2c)) + 0xa68;
                                          															goto L118;
                                          														} else {
                                          															_t509 = _t755;
                                          															 *_t1199 = (0x800 - _t936 >> 5) + _t936;
                                          															_t761 =  *(_t1426 + 0x24);
                                          															asm("sbb ebx, ebx");
                                          															 *(_t1426 + 0x28) =  *(_t1426 + 0x28) + 1;
                                          															 *((char*)(_t761 +  *((intOrPtr*)(_t1426 + 0x38)))) =  *((intOrPtr*)((_t552 &  *(_t1426 + 0x3c)) -  *(_t1426 + 0x34) + _t761 +  *((intOrPtr*)(_t1426 + 0x38))));
                                          															_t762 = _t761 + 1;
                                          															 *(_t1426 + 0x24) = _t762;
                                          															asm("sbb ecx, ecx");
                                          															 *(_t1426 + 0x20) = (_t762 & 0xfffffffe) + 0xb;
                                          															continue;
                                          														}
                                          													}
                                          												} else {
                                          													goto L234;
                                          												}
                                          											} else {
                                          												_t507 = _t817;
                                          												_t940 =  *((intOrPtr*)(_t1426 + 0x2c));
                                          												 *((short*)(_t940 + 0x180 + _t1062 * 2)) = (0x800 - _t651 >> 5) + _t651;
                                          												 *(_t1426 + 0x20) = _t1062 + 0xc;
                                          												_t836 = _t940 + 0x664;
                                          												L118:
                                          												_t1063 =  *_t836 & 0x0000ffff;
                                          												if(_t507 < 0x1000000) {
                                          													_t751 =  *(_t1426 + 0x10);
                                          													_t507 = _t507 << 8;
                                          													_t1216 = _t1216 << 0x00000008 |  *_t751 & 0x000000ff;
                                          													 *(_t1426 + 0x10) =  &(_t751[1]);
                                          												}
                                          												_t667 = (_t507 >> 0xb) * _t1063;
                                          												if(_t1216 >= _t667) {
                                          													_t508 = _t507 - _t667;
                                          													_t1217 = _t1216 - _t667;
                                          													 *_t836 = _t1063 - (_t1063 >> 5);
                                          													_t1065 = _t836[1] & 0x0000ffff;
                                          													if(_t508 < 0x1000000) {
                                          														_t734 =  *(_t1426 + 0x10);
                                          														_t508 = _t508 << 8;
                                          														_t1217 = _t1217 << 0x00000008 |  *_t734 & 0x000000ff;
                                          														 *(_t1426 + 0x10) =  &(_t734[1]);
                                          													}
                                          													_t672 = (_t508 >> 0xb) * _t1065;
                                          													if(_t1217 >= _t672) {
                                          														_t553 =  *(_t1426 + 0x10);
                                          														_t509 = _t508 - _t672;
                                          														_t1213 = _t1217 - _t672;
                                          														_t836[1] = _t1065 - (_t1065 >> 5);
                                          														_t1274 = 1;
                                          														do {
                                          															goto L155;
                                          														} while (_t1274 < 0x100);
                                          														goto L161;
                                          													} else {
                                          														_t565 = _t552 + _t552;
                                          														_t836[1] = (0x800 - _t1065 >> 5) + _t1065;
                                          														_t1148 =  *(_t836 + 0x106 + _t565 * 8) & 0x0000ffff;
                                          														_t918 = _t836 + 0x104 + _t565 * 8;
                                          														_t528 = _t672;
                                          														if(_t672 < 0x1000000) {
                                          															_t528 = _t672 << 8;
                                          															_t732 =  *(_t1426 + 0x10);
                                          															_t1217 = _t1217 << 0x00000008 |  *_t732 & 0x000000ff;
                                          															 *(_t1426 + 0x10) =  &(_t732[1]);
                                          														}
                                          														_t721 = (_t528 >> 0xb) * _t1148;
                                          														if(_t1217 >= _t721) {
                                          															_t529 = _t528 - _t721;
                                          															_t1217 = _t1217 - _t721;
                                          															 *((short*)(_t918 + 2)) = _t1148 - (_t1148 >> 5);
                                          															_t724 = 3;
                                          														} else {
                                          															_t529 = _t721;
                                          															 *((short*)(_t918 + 2)) = (0x800 - _t1148 >> 5) + _t1148;
                                          															_t724 = 2;
                                          														}
                                          														_t554 =  *(_t1426 + 0x10);
                                          														_t1300 = _t724 + _t724;
                                          														_t725 =  *(_t918 + _t1300) & 0x0000ffff;
                                          														if(_t529 < 0x1000000) {
                                          															_t529 = _t529 << 8;
                                          															_t1217 = _t1217 << 0x00000008 |  *_t554 & 0x000000ff;
                                          															_t554 = _t554 + 1;
                                          															 *(_t1426 + 0x10) = _t554;
                                          														}
                                          														_t1152 = (_t529 >> 0xb) * _t725;
                                          														if(_t1217 >= _t1152) {
                                          															_t530 = _t529 - _t1152;
                                          															_t1213 = _t1217 - _t1152;
                                          															 *(_t918 + _t1300) = _t725 - (_t725 >> 5);
                                          															_t1300 = _t1300 + 1;
                                          														} else {
                                          															_t530 = _t1152;
                                          															 *(_t918 + _t1300) = (0x800 - _t725 >> 5) + _t725;
                                          														}
                                          														_t1276 = _t1300 + _t1300;
                                          														_t675 =  *(_t918 + _t1276) & 0x0000ffff;
                                          														if(_t530 < 0x1000000) {
                                          															_t530 = _t530 << 8;
                                          															_t1213 = _t1213 << 0x00000008 |  *_t554 & 0x000000ff;
                                          															_t554 = _t554 + 1;
                                          															 *(_t1426 + 0x10) = _t554;
                                          														}
                                          														_t1157 = (_t530 >> 0xb) * _t675;
                                          														if(_t1213 >= _t1157) {
                                          															_t509 = _t530 - _t1157;
                                          															_t1213 = _t1213 - _t1157;
                                          															_t675 = _t675 - (_t675 >> 5);
                                          															 *(_t918 + _t1276) = _t675;
                                          															_t1276 = _t1276 + 1;
                                          														} else {
                                          															_t509 = _t1157;
                                          															 *(_t918 + _t1276) = (0x800 - _t675 >> 5) + _t675;
                                          														}
                                          													}
                                          												} else {
                                          													_t567 = _t552 + _t552;
                                          													 *_t836 = (0x800 - _t1063 >> 5) + _t1063;
                                          													_t1170 =  *(_t836 + 6 + _t567 * 8) & 0x0000ffff;
                                          													_t919 = _t836 + 4 + _t567 * 8;
                                          													_t531 = _t667;
                                          													if(_t667 < 0x1000000) {
                                          														_t531 = _t667 << 8;
                                          														_t749 =  *(_t1426 + 0x10);
                                          														_t1216 = _t1216 << 0x00000008 |  *_t749 & 0x000000ff;
                                          														 *(_t1426 + 0x10) =  &(_t749[1]);
                                          													}
                                          													_t738 = (_t531 >> 0xb) * _t1170;
                                          													if(_t1216 >= _t738) {
                                          														_t532 = _t531 - _t738;
                                          														_t1216 = _t1216 - _t738;
                                          														 *((short*)(_t919 + 2)) = _t1170 - (_t1170 >> 5);
                                          														_t741 = 3;
                                          													} else {
                                          														_t532 = _t738;
                                          														 *((short*)(_t919 + 2)) = (0x800 - _t1170 >> 5) + _t1170;
                                          														_t741 = 2;
                                          													}
                                          													_t1306 = _t741 + _t741;
                                          													_t742 =  *(_t919 + _t1306) & 0x0000ffff;
                                          													if(_t532 < 0x1000000) {
                                          														_t1192 =  *(_t1426 + 0x10);
                                          														_t532 = _t532 << 8;
                                          														_t1216 = _t1216 << 0x00000008 |  *_t1192 & 0x000000ff;
                                          														 *(_t1426 + 0x10) =  &(_t1192[1]);
                                          													}
                                          													_t1174 = (_t532 >> 0xb) * _t742;
                                          													if(_t1216 >= _t1174) {
                                          														_t533 = _t532 - _t1174;
                                          														_t1213 = _t1216 - _t1174;
                                          														 *(_t919 + _t1306) = _t742 - (_t742 >> 5);
                                          														_t1306 = _t1306 + 1;
                                          													} else {
                                          														_t533 = _t1174;
                                          														 *(_t919 + _t1306) = (0x800 - _t742 >> 5) + _t742;
                                          													}
                                          													_t1307 = _t1306 + _t1306;
                                          													_t675 =  *(_t919 + _t1307) & 0x0000ffff;
                                          													if(_t533 < 0x1000000) {
                                          														_t1186 =  *(_t1426 + 0x10);
                                          														_t533 = _t533 << 8;
                                          														_t1213 = _t1213 << 0x00000008 |  *_t1186 & 0x000000ff;
                                          														 *(_t1426 + 0x10) =  &(_t1186[1]);
                                          													}
                                          													_t1179 = (_t533 >> 0xb) * _t675;
                                          													if(_t1213 >= _t1179) {
                                          														_t509 = _t533 - _t1179;
                                          														_t1213 = _t1213 - _t1179;
                                          														_t675 = _t675 - (_t675 >> 5);
                                          														 *(_t919 + _t1307) = _t675;
                                          														_t1276 = _t1307 + 1 - 8;
                                          													} else {
                                          														_t509 = _t1179;
                                          														 *(_t919 + _t1307) = (0x800 - _t675 >> 5) + _t675;
                                          														_t1276 = _t1307 - 8;
                                          													}
                                          													_t554 =  *(_t1426 + 0x10);
                                          												}
                                          												L163:
                                          												 *(_t1426 + 0x30) = _t1276;
                                          												if( *(_t1426 + 0x20) < 0xc) {
                                          													goto L237;
                                          												}
                                          											}
                                          										} else {
                                          											 *_t814 = (0x800 - _t648 >> 5) + _t648;
                                          											_t1207 =  *((intOrPtr*)(_t1426 + 0x2c)) + 0xe6c;
                                          											_t535 = _t1269;
                                          											if( *(_t1426 + 0x28) != 0 ||  *(_t1426 + 0x4c) != 0) {
                                          												_t770 =  *(_t1426 + 0x24);
                                          												if(_t770 == 0) {
                                          													_t770 =  *(_t1426 + 0x3c);
                                          												}
                                          												_t814 = ((( *(_t770 +  *((intOrPtr*)(_t1426 + 0x38)) - 1) & 0x000000ff) >> 8 -  *(_t1426 + 0x50)) + (( *(_t1426 + 0x28) &  *(_t1426 + 0x54)) <<  *(_t1426 + 0x50))) * 0x600;
                                          												_t1207 = _t1207 + _t814;
                                          											}
                                          											_t774 =  *(_t1426 + 0x20);
                                          											 *(_t1426 + 0x28) =  *(_t1426 + 0x28) + 1;
                                          											_t577 =  *(_t1426 + 0x10);
                                          											if(_t774 >= 7) {
                                          												asm("sbb edx, edx");
                                          												 *(_t1426 + 0x20) =  *(_t1426 + 0x20) - (_t814 & 0xfffffffd) + 6;
                                          												asm("sbb ebx, ebx");
                                          												_t951 = ( *((_t577 &  *(_t1426 + 0x3c)) -  *(_t1426 + 0x34) +  *(_t1426 + 0x24) +  *((intOrPtr*)(_t1426 + 0x38))) & 0x000000ff) + ( *((_t577 &  *(_t1426 + 0x3c)) -  *(_t1426 + 0x34) +  *(_t1426 + 0x24) +  *((intOrPtr*)(_t1426 + 0x38))) & 0x000000ff);
                                          												_t780 = _t951 & 0x00000100;
                                          												_t581 =  *(_t1207 + 0x202 + _t780 * 2) & 0x0000ffff;
                                          												if(_t1269 < 0x1000000) {
                                          													_t535 = _t1269 << 8;
                                          													_t1213 = _t1213 << 0x00000008 |  *( *(_t1426 + 0x10)) & 0x000000ff;
                                          													 *(_t1426 + 0x10) =  *(_t1426 + 0x10) + 1;
                                          												}
                                          												_t1317 = (_t535 >> 0xb) * _t581;
                                          												if(_t1213 >= _t1317) {
                                          													_t536 = _t535 - _t1317;
                                          													_t1213 = _t1213 - _t1317;
                                          													 *(_t1207 + 0x202 + _t780 * 2) = _t581 - (_t581 >> 5);
                                          													_t1320 = 3;
                                          												} else {
                                          													_t536 = _t1317;
                                          													 *(_t1207 + 0x202 + _t780 * 2) = (0x800 - _t581 >> 5) + _t581;
                                          													_t1320 = 2;
                                          													_t780 =  !_t780;
                                          												}
                                          												_t781 = _t780 & 0x00000100;
                                          												_t952 = _t951 + _t951;
                                          												_t584 = _t781 & _t952;
                                          												 *(_t1426 + 0x1c) = _t584;
                                          												_t587 = _t1207 + (_t584 + _t781 + _t1320) * 2;
                                          												 *(_t1426 + 0x18) = _t587;
                                          												_t588 =  *_t587 & 0x0000ffff;
                                          												 *(_t1426 + 0x14) = _t1320;
                                          												if(_t536 < 0x1000000) {
                                          													_t536 = _t536 << 8;
                                          													_t1213 = _t1213 << 0x00000008 |  *( *(_t1426 + 0x10)) & 0x000000ff;
                                          													 *(_t1426 + 0x10) =  *(_t1426 + 0x10) + 1;
                                          												}
                                          												_t1323 = (_t536 >> 0xb) * _t588;
                                          												if(_t1213 >= _t1323) {
                                          													_t537 = _t536 - _t1323;
                                          													_t1213 = _t1213 - _t1323;
                                          													_t782 = _t781 &  *(_t1426 + 0x1c);
                                          													 *( *(_t1426 + 0x18)) = _t588 - (_t588 >> 5);
                                          													_t1328 =  *(_t1426 + 0x14) +  *(_t1426 + 0x14) + 1;
                                          												} else {
                                          													_t537 = _t1323;
                                          													 *( *(_t1426 + 0x18)) = (0x800 - _t588 >> 5) + _t588;
                                          													_t1328 =  *(_t1426 + 0x14) +  *(_t1426 + 0x14);
                                          													_t782 = _t781 &  !( *(_t1426 + 0x1c));
                                          												}
                                          												_t953 = _t952 + _t952;
                                          												_t591 = _t782 & _t953;
                                          												 *(_t1426 + 0x1c) = _t591;
                                          												_t594 = _t1207 + (_t591 + _t782 + _t1328) * 2;
                                          												 *(_t1426 + 0x18) = _t594;
                                          												_t595 =  *_t594 & 0x0000ffff;
                                          												 *(_t1426 + 0x14) = _t1328;
                                          												if(_t537 < 0x1000000) {
                                          													_t537 = _t537 << 8;
                                          													_t1213 = _t1213 << 0x00000008 |  *( *(_t1426 + 0x10)) & 0x000000ff;
                                          													 *(_t1426 + 0x10) =  *(_t1426 + 0x10) + 1;
                                          												}
                                          												_t1331 = (_t537 >> 0xb) * _t595;
                                          												if(_t1213 >= _t1331) {
                                          													_t538 = _t537 - _t1331;
                                          													_t1213 = _t1213 - _t1331;
                                          													_t783 = _t782 &  *(_t1426 + 0x1c);
                                          													 *( *(_t1426 + 0x18)) = _t595 - (_t595 >> 5);
                                          													_t1336 =  *(_t1426 + 0x14) +  *(_t1426 + 0x14) + 1;
                                          												} else {
                                          													_t538 = _t1331;
                                          													 *( *(_t1426 + 0x18)) = (0x800 - _t595 >> 5) + _t595;
                                          													_t1336 =  *(_t1426 + 0x14) +  *(_t1426 + 0x14);
                                          													_t783 = _t782 &  !( *(_t1426 + 0x1c));
                                          												}
                                          												_t954 = _t953 + _t953;
                                          												_t598 = _t783 & _t954;
                                          												 *(_t1426 + 0x1c) = _t598;
                                          												_t601 = _t1207 + (_t598 + _t783 + _t1336) * 2;
                                          												 *(_t1426 + 0x18) = _t601;
                                          												_t602 =  *_t601 & 0x0000ffff;
                                          												 *(_t1426 + 0x14) = _t1336;
                                          												if(_t538 < 0x1000000) {
                                          													_t538 = _t538 << 8;
                                          													_t1213 = _t1213 << 0x00000008 |  *( *(_t1426 + 0x10)) & 0x000000ff;
                                          													 *(_t1426 + 0x10) =  *(_t1426 + 0x10) + 1;
                                          												}
                                          												_t1339 = (_t538 >> 0xb) * _t602;
                                          												if(_t1213 >= _t1339) {
                                          													_t539 = _t538 - _t1339;
                                          													_t1213 = _t1213 - _t1339;
                                          													_t784 = _t783 &  *(_t1426 + 0x1c);
                                          													 *( *(_t1426 + 0x18)) = _t602 - (_t602 >> 5);
                                          													_t1344 =  *(_t1426 + 0x14) +  *(_t1426 + 0x14) + 1;
                                          												} else {
                                          													_t539 = _t1339;
                                          													 *( *(_t1426 + 0x18)) = (0x800 - _t602 >> 5) + _t602;
                                          													_t1344 =  *(_t1426 + 0x14) +  *(_t1426 + 0x14);
                                          													_t784 = _t783 &  !( *(_t1426 + 0x1c));
                                          												}
                                          												_t955 = _t954 + _t954;
                                          												_t605 = _t784 & _t955;
                                          												 *(_t1426 + 0x1c) = _t605;
                                          												_t608 = _t1207 + (_t605 + _t784 + _t1344) * 2;
                                          												 *(_t1426 + 0x18) = _t608;
                                          												_t609 =  *_t608 & 0x0000ffff;
                                          												 *(_t1426 + 0x14) = _t1344;
                                          												if(_t539 < 0x1000000) {
                                          													_t539 = _t539 << 8;
                                          													_t1213 = _t1213 << 0x00000008 |  *( *(_t1426 + 0x10)) & 0x000000ff;
                                          													 *(_t1426 + 0x10) =  *(_t1426 + 0x10) + 1;
                                          												}
                                          												_t1347 = (_t539 >> 0xb) * _t609;
                                          												if(_t1213 >= _t1347) {
                                          													_t540 = _t539 - _t1347;
                                          													_t1213 = _t1213 - _t1347;
                                          													_t785 = _t784 &  *(_t1426 + 0x1c);
                                          													 *( *(_t1426 + 0x18)) = _t609 - (_t609 >> 5);
                                          													_t1352 =  *(_t1426 + 0x14) +  *(_t1426 + 0x14) + 1;
                                          												} else {
                                          													_t540 = _t1347;
                                          													 *( *(_t1426 + 0x18)) = (0x800 - _t609 >> 5) + _t609;
                                          													_t1352 =  *(_t1426 + 0x14) +  *(_t1426 + 0x14);
                                          													_t785 = _t784 &  !( *(_t1426 + 0x1c));
                                          												}
                                          												_t956 = _t955 + _t955;
                                          												_t612 = _t785 & _t956;
                                          												 *(_t1426 + 0x1c) = _t612;
                                          												_t615 = _t1207 + (_t612 + _t785 + _t1352) * 2;
                                          												 *(_t1426 + 0x18) = _t615;
                                          												_t616 =  *_t615 & 0x0000ffff;
                                          												 *(_t1426 + 0x14) = _t1352;
                                          												if(_t540 < 0x1000000) {
                                          													_t540 = _t540 << 8;
                                          													_t1213 = _t1213 << 0x00000008 |  *( *(_t1426 + 0x10)) & 0x000000ff;
                                          													 *(_t1426 + 0x10) =  *(_t1426 + 0x10) + 1;
                                          												}
                                          												_t1355 = (_t540 >> 0xb) * _t616;
                                          												if(_t1213 >= _t1355) {
                                          													_t541 = _t540 - _t1355;
                                          													_t1213 = _t1213 - _t1355;
                                          													_t786 = _t785 &  *(_t1426 + 0x1c);
                                          													 *( *(_t1426 + 0x18)) = _t616 - (_t616 >> 5);
                                          													_t1360 =  *(_t1426 + 0x14) +  *(_t1426 + 0x14) + 1;
                                          												} else {
                                          													_t541 = _t1355;
                                          													 *( *(_t1426 + 0x18)) = (0x800 - _t616 >> 5) + _t616;
                                          													_t1360 =  *(_t1426 + 0x14) +  *(_t1426 + 0x14);
                                          													_t786 = _t785 &  !( *(_t1426 + 0x1c));
                                          												}
                                          												_t957 = _t956 + _t956;
                                          												_t619 = _t786 & _t957;
                                          												 *(_t1426 + 0x1c) = _t619;
                                          												_t622 = _t1207 + (_t619 + _t786 + _t1360) * 2;
                                          												 *(_t1426 + 0x18) = _t622;
                                          												_t623 =  *_t622 & 0x0000ffff;
                                          												 *(_t1426 + 0x14) = _t1360;
                                          												if(_t541 < 0x1000000) {
                                          													_t541 = _t541 << 8;
                                          													_t1213 = _t1213 << 0x00000008 |  *( *(_t1426 + 0x10)) & 0x000000ff;
                                          													 *(_t1426 + 0x10) =  *(_t1426 + 0x10) + 1;
                                          												}
                                          												_t1363 = (_t541 >> 0xb) * _t623;
                                          												if(_t1213 >= _t1363) {
                                          													_t542 = _t541 - _t1363;
                                          													_t1213 = _t1213 - _t1363;
                                          													_t787 = _t786 &  *(_t1426 + 0x1c);
                                          													 *( *(_t1426 + 0x18)) = _t623 - (_t623 >> 5);
                                          													_t1368 =  *(_t1426 + 0x14) +  *(_t1426 + 0x14) + 1;
                                          												} else {
                                          													_t542 = _t1363;
                                          													 *( *(_t1426 + 0x18)) = (0x800 - _t623 >> 5) + _t623;
                                          													_t1368 =  *(_t1426 + 0x14) +  *(_t1426 + 0x14);
                                          													_t787 = _t786 &  !( *(_t1426 + 0x1c));
                                          												}
                                          												_t961 = (_t957 + _t957 & _t787) + _t787 + _t1368;
                                          												_t788 =  *(_t1207 + _t961 * 2) & 0x0000ffff;
                                          												_t1208 = _t1207 + _t961 * 2;
                                          												if(_t542 < 0x1000000) {
                                          													_t975 =  *(_t1426 + 0x10);
                                          													_t542 = _t542 << 8;
                                          													_t1213 = _t1213 << 0x00000008 |  *_t975 & 0x000000ff;
                                          													 *(_t1426 + 0x10) =  &(_t975[1]);
                                          												}
                                          												_t964 = (_t542 >> 0xb) * _t788;
                                          												if(_t1213 >= _t964) {
                                          													_t509 = _t542 - _t964;
                                          													_t1213 = _t1213 - _t964;
                                          													_t967 =  *(_t1426 + 0x24);
                                          													 *_t1208 = _t788 - (_t788 >> 5);
                                          													 *((char*)(_t967 +  *((intOrPtr*)(_t1426 + 0x38)))) = _t1368 + _t1368 + 1;
                                          													 *(_t1426 + 0x24) = _t967 + 1;
                                          												} else {
                                          													_t509 = _t964;
                                          													 *_t1208 = (0x800 - _t788 >> 5) + _t788;
                                          													_t973 =  *(_t1426 + 0x24);
                                          													 *((char*)(_t973 +  *((intOrPtr*)(_t1426 + 0x38)))) = _t1368 + _t1368;
                                          													 *(_t1426 + 0x24) = _t973 + 1;
                                          												}
                                          											} else {
                                          												_t977 = _t774;
                                          												if(_t774 >= 4) {
                                          													_t977 = 3;
                                          												}
                                          												 *(_t1426 + 0x20) = _t774 - _t977;
                                          												_t793 =  *(_t1207 + 2) & 0x0000ffff;
                                          												if(_t1269 < 0x1000000) {
                                          													_t1213 = _t1213 << 0x00000008 |  *_t577 & 0x000000ff;
                                          													_t577 = _t577 + 1;
                                          													_t535 = _t1269 << 8;
                                          													 *(_t1426 + 0x10) = _t577;
                                          												}
                                          												_t980 = (_t535 >> 0xb) * _t793;
                                          												if(_t1213 >= _t980) {
                                          													_t543 = _t535 - _t980;
                                          													_t1213 = _t1213 - _t980;
                                          													 *(_t1207 + 2) = _t793 - (_t793 >> 5);
                                          													_t795 = 3;
                                          												} else {
                                          													_t543 = _t980;
                                          													 *(_t1207 + 2) = (0x800 - _t793 >> 5) + _t793;
                                          													_t795 = 2;
                                          												}
                                          												_t1418 = _t795 + _t795;
                                          												_t796 =  *(_t1207 + _t1418) & 0x0000ffff;
                                          												if(_t543 < 0x1000000) {
                                          													_t543 = _t543 << 8;
                                          													_t1213 = _t1213 << 0x00000008 |  *_t577 & 0x000000ff;
                                          													_t577 = _t577 + 1;
                                          													 *(_t1426 + 0x10) = _t577;
                                          												}
                                          												_t985 = (_t543 >> 0xb) * _t796;
                                          												if(_t1213 >= _t985) {
                                          													_t544 = _t543 - _t985;
                                          													_t1213 = _t1213 - _t985;
                                          													 *(_t1207 + _t1418) = _t796 - (_t796 >> 5);
                                          													_t1418 = _t1418 + 1;
                                          												} else {
                                          													_t544 = _t985;
                                          													 *(_t1207 + _t1418) = (0x800 - _t796 >> 5) + _t796;
                                          												}
                                          												_t1419 = _t1418 + _t1418;
                                          												_t798 =  *(_t1207 + _t1419) & 0x0000ffff;
                                          												if(_t544 < 0x1000000) {
                                          													_t544 = _t544 << 8;
                                          													_t1213 = _t1213 << 0x00000008 |  *_t577 & 0x000000ff;
                                          													_t577 = _t577 + 1;
                                          													 *(_t1426 + 0x10) = _t577;
                                          												}
                                          												_t990 = (_t544 >> 0xb) * _t798;
                                          												if(_t1213 >= _t990) {
                                          													_t545 = _t544 - _t990;
                                          													_t1213 = _t1213 - _t990;
                                          													 *(_t1207 + _t1419) = _t798 - (_t798 >> 5);
                                          													_t1419 = _t1419 + 1;
                                          												} else {
                                          													_t545 = _t990;
                                          													 *(_t1207 + _t1419) = (0x800 - _t798 >> 5) + _t798;
                                          												}
                                          												_t1420 = _t1419 + _t1419;
                                          												_t800 =  *(_t1207 + _t1420) & 0x0000ffff;
                                          												if(_t545 < 0x1000000) {
                                          													_t545 = _t545 << 8;
                                          													_t1213 = _t1213 << 0x00000008 |  *_t577 & 0x000000ff;
                                          													_t577 = _t577 + 1;
                                          													 *(_t1426 + 0x10) = _t577;
                                          												}
                                          												_t995 = (_t545 >> 0xb) * _t800;
                                          												if(_t1213 >= _t995) {
                                          													_t546 = _t545 - _t995;
                                          													_t1213 = _t1213 - _t995;
                                          													 *(_t1207 + _t1420) = _t800 - (_t800 >> 5);
                                          													_t1420 = _t1420 + 1;
                                          												} else {
                                          													_t546 = _t995;
                                          													 *(_t1207 + _t1420) = (0x800 - _t800 >> 5) + _t800;
                                          												}
                                          												_t1421 = _t1420 + _t1420;
                                          												_t802 =  *(_t1207 + _t1421) & 0x0000ffff;
                                          												if(_t546 < 0x1000000) {
                                          													_t546 = _t546 << 8;
                                          													_t1213 = _t1213 << 0x00000008 |  *_t577 & 0x000000ff;
                                          													_t577 = _t577 + 1;
                                          													 *(_t1426 + 0x10) = _t577;
                                          												}
                                          												_t1000 = (_t546 >> 0xb) * _t802;
                                          												if(_t1213 >= _t1000) {
                                          													_t547 = _t546 - _t1000;
                                          													_t1213 = _t1213 - _t1000;
                                          													 *(_t1207 + _t1421) = _t802 - (_t802 >> 5);
                                          													_t1421 = _t1421 + 1;
                                          												} else {
                                          													_t547 = _t1000;
                                          													 *(_t1207 + _t1421) = (0x800 - _t802 >> 5) + _t802;
                                          												}
                                          												_t1422 = _t1421 + _t1421;
                                          												_t804 =  *(_t1207 + _t1422) & 0x0000ffff;
                                          												if(_t547 < 0x1000000) {
                                          													_t547 = _t547 << 8;
                                          													_t1213 = _t1213 << 0x00000008 |  *_t577 & 0x000000ff;
                                          													_t577 = _t577 + 1;
                                          													 *(_t1426 + 0x10) = _t577;
                                          												}
                                          												_t1005 = (_t547 >> 0xb) * _t804;
                                          												if(_t1213 >= _t1005) {
                                          													_t548 = _t547 - _t1005;
                                          													_t1213 = _t1213 - _t1005;
                                          													 *(_t1207 + _t1422) = _t804 - (_t804 >> 5);
                                          													_t1422 = _t1422 + 1;
                                          												} else {
                                          													_t548 = _t1005;
                                          													 *(_t1207 + _t1422) = (0x800 - _t804 >> 5) + _t804;
                                          												}
                                          												_t1423 = _t1422 + _t1422;
                                          												_t806 =  *(_t1207 + _t1423) & 0x0000ffff;
                                          												if(_t548 < 0x1000000) {
                                          													_t548 = _t548 << 8;
                                          													_t1213 = _t1213 << 0x00000008 |  *_t577 & 0x000000ff;
                                          													_t577 = _t577 + 1;
                                          													 *(_t1426 + 0x10) = _t577;
                                          												}
                                          												_t1010 = (_t548 >> 0xb) * _t806;
                                          												if(_t1213 >= _t1010) {
                                          													_t549 = _t548 - _t1010;
                                          													_t1213 = _t1213 - _t1010;
                                          													 *(_t1207 + _t1423) = _t806 - (_t806 >> 5);
                                          													_t1423 = _t1423 + 1;
                                          												} else {
                                          													_t549 = _t1010;
                                          													 *(_t1207 + _t1423) = (0x800 - _t806 >> 5) + _t806;
                                          												}
                                          												_t1424 = _t1423 + _t1423;
                                          												_t808 =  *(_t1207 + _t1424) & 0x0000ffff;
                                          												if(_t549 < 0x1000000) {
                                          													_t549 = _t549 << 8;
                                          													_t1213 = _t1213 << 0x00000008 |  *_t577 & 0x000000ff;
                                          													 *(_t1426 + 0x10) = _t577 + 1;
                                          												}
                                          												_t1015 = (_t549 >> 0xb) * _t808;
                                          												if(_t1213 >= _t1015) {
                                          													_t509 = _t549 - _t1015;
                                          													_t1213 = _t1213 - _t1015;
                                          													_t1018 =  *(_t1426 + 0x24);
                                          													 *(_t1207 + _t1424) = _t808 - (_t808 >> 5);
                                          													 *((char*)(_t1018 +  *((intOrPtr*)(_t1426 + 0x38)))) = _t1424 + 1;
                                          													 *(_t1426 + 0x24) = _t1018 + 1;
                                          												} else {
                                          													_t509 = _t1015;
                                          													 *(_t1207 + _t1424) = (0x800 - _t808 >> 5) + _t808;
                                          													_t1024 =  *(_t1426 + 0x24);
                                          													 *((char*)(_t1024 +  *((intOrPtr*)(_t1426 + 0x38)))) = _t1424;
                                          													 *(_t1426 + 0x24) = _t1024 + 1;
                                          												}
                                          											}
                                          											continue;
                                          										}
                                          										goto L258;
                                          									}
                                          									goto L253;
                                          								}
                                          								goto L249;
                                          							}
                                          							goto L258;
                                          						}
                                          					}
                                          					L155:
                                          					_t1275 = _t1274 + _t1274;
                                          					_t675 =  *(_t836 + _t1275 + 0x204) & 0x0000ffff;
                                          					if(_t509 < 0x1000000) {
                                          						_t509 = _t509 << 8;
                                          						_t1213 = _t1213 << 0x00000008 |  *_t553 & 0x000000ff;
                                          						_t553 =  &(_t553[1]);
                                          					}
                                          					_t1069 = (_t509 >> 0xb) * _t675;
                                          					if(_t1213 >= _t1069) {
                                          						_t509 = _t509 - _t1069;
                                          						_t1213 = _t1213 - _t1069;
                                          						_t675 = _t675 - (_t675 >> 5);
                                          						 *(_t836 + _t1275 + 0x204) = _t675;
                                          						_t1274 = _t1275 + 1;
                                          					} else {
                                          						_t509 = _t1069;
                                          						 *(_t836 + _t1275 + 0x204) = (0x800 - _t675 >> 5) + _t675;
                                          					}
                                          				}
                                          			}
                                          0x0040e7e1
                                          0x0040e7e3
                                          0x0040e7ec
                                          0x0040e7f4
                                          0x0040e801
                                          0x0040e80d
                                          0x0040e810
                                          0x0040e812
                                          0x0040e812
                                          0x0040e81b
                                          0x0040e820
                                          0x0040e841
                                          0x0040e843
                                          0x0040e84c
                                          0x0040e854
                                          0x0040e861
                                          0x0040e86d
                                          0x0040e870
                                          0x0040e872
                                          0x0040e872
                                          0x0040e87b
                                          0x0040e880
                                          0x0040e89e
                                          0x0040e8a0
                                          0x0040e8ad
                                          0x0040e8b5
                                          0x0040e8b9
                                          0x0040e882
                                          0x0040e882
                                          0x0040e890
                                          0x0040e894
                                          0x0040e894
                                          0x0040e8c1
                                          0x0040e822
                                          0x0040e822
                                          0x0040e830
                                          0x0040e834
                                          0x0040e834
                                          0x0040e8c9
                                          0x0040e8cd
                                          0x0040e8d1
                                          0x00000000
                                          0x0040e72d
                                          0x0040e73b
                                          0x0040e73d
                                          0x0040e741
                                          0x0040e751
                                          0x0040e754
                                          0x0040e757
                                          0x0040e75f
                                          0x0040e764
                                          0x0040e770
                                          0x0040e772
                                          0x0040e772
                                          0x0040e77b
                                          0x0040e780
                                          0x0040e7ce
                                          0x0040e7d0
                                          0x0040e7d4
                                          0x0040e7d9
                                          0x0040e8d5
                                          0x0040e8dc
                                          0x0040e8e4
                                          0x0040e8e8
                                          0x00000000
                                          0x0040e782
                                          0x0040e782
                                          0x0040e794
                                          0x0040e797
                                          0x0040e7a1
                                          0x0040e7a7
                                          0x0040e7b2
                                          0x0040e7b5
                                          0x0040e7b6
                                          0x0040e7bd
                                          0x0040e7c5
                                          0x00000000
                                          0x0040e7c5
                                          0x0040e780
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x0040e6a6
                                          0x0040e6b0
                                          0x0040e6b2
                                          0x0040e6b8
                                          0x0040e6c3
                                          0x0040e6c7
                                          0x0040e8ee
                                          0x0040e8ee
                                          0x0040e8f6
                                          0x0040e8f8
                                          0x0040e902
                                          0x0040e905
                                          0x0040e908
                                          0x0040e908
                                          0x0040e911
                                          0x0040e916
                                          0x0040ea40
                                          0x0040ea42
                                          0x0040ea4b
                                          0x0040ea4e
                                          0x0040ea57
                                          0x0040ea59
                                          0x0040ea63
                                          0x0040ea66
                                          0x0040ea69
                                          0x0040ea69
                                          0x0040ea72
                                          0x0040ea77
                                          0x0040eb9e
                                          0x0040eba2
                                          0x0040eba4
                                          0x0040ebad
                                          0x0040ebb1
                                          0x0040ebc0
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x0040ea7d
                                          0x0040ea89
                                          0x0040ea8b
                                          0x0040ea8f
                                          0x0040ea97
                                          0x0040ea9e
                                          0x0040eaa6
                                          0x0040eaab
                                          0x0040eaad
                                          0x0040eab7
                                          0x0040eaba
                                          0x0040eaba
                                          0x0040eac3
                                          0x0040eac8
                                          0x0040eae3
                                          0x0040eae5
                                          0x0040eaee
                                          0x0040eaf2
                                          0x0040eaca
                                          0x0040eaca
                                          0x0040ead8
                                          0x0040eadc
                                          0x0040eadc
                                          0x0040eaf7
                                          0x0040eafb
                                          0x0040eafe
                                          0x0040eb07
                                          0x0040eb0f
                                          0x0040eb12
                                          0x0040eb14
                                          0x0040eb15
                                          0x0040eb15
                                          0x0040eb1e
                                          0x0040eb23
                                          0x0040eb39
                                          0x0040eb3b
                                          0x0040eb44
                                          0x0040eb48
                                          0x0040eb25
                                          0x0040eb25
                                          0x0040eb33
                                          0x0040eb33
                                          0x0040eb49
                                          0x0040eb4b
                                          0x0040eb54
                                          0x0040eb5c
                                          0x0040eb5f
                                          0x0040eb61
                                          0x0040eb62
                                          0x0040eb62
                                          0x0040eb6b
                                          0x0040eb70
                                          0x0040eb89
                                          0x0040eb8b
                                          0x0040eb92
                                          0x0040eb94
                                          0x0040eb98
                                          0x0040eb72
                                          0x0040eb72
                                          0x0040eb80
                                          0x0040eb80
                                          0x0040eb70
                                          0x0040e91c
                                          0x0040e928
                                          0x0040e92a
                                          0x0040e92d
                                          0x0040e932
                                          0x0040e936
                                          0x0040e93e
                                          0x0040e943
                                          0x0040e945
                                          0x0040e94f
                                          0x0040e952
                                          0x0040e952
                                          0x0040e95b
                                          0x0040e960
                                          0x0040e97b
                                          0x0040e97d
                                          0x0040e986
                                          0x0040e98a
                                          0x0040e962
                                          0x0040e962
                                          0x0040e970
                                          0x0040e974
                                          0x0040e974
                                          0x0040e98f
                                          0x0040e992
                                          0x0040e99b
                                          0x0040e99d
                                          0x0040e9a7
                                          0x0040e9aa
                                          0x0040e9ad
                                          0x0040e9ad
                                          0x0040e9b6
                                          0x0040e9bb
                                          0x0040e9d1
                                          0x0040e9d3
                                          0x0040e9dc
                                          0x0040e9e0
                                          0x0040e9bd
                                          0x0040e9bd
                                          0x0040e9cb
                                          0x0040e9cb
                                          0x0040e9e1
                                          0x0040e9e3
                                          0x0040e9ec
                                          0x0040e9ee
                                          0x0040e9f8
                                          0x0040e9fb
                                          0x0040e9fe
                                          0x0040e9fe
                                          0x0040ea07
                                          0x0040ea0c
                                          0x0040ea28
                                          0x0040ea2a
                                          0x0040ea31
                                          0x0040ea33
                                          0x0040ea38
                                          0x0040ea0e
                                          0x0040ea0e
                                          0x0040ea1c
                                          0x0040ea20
                                          0x0040ea20
                                          0x0040ec27
                                          0x0040ec27
                                          0x0040ec2b
                                          0x0040ec30
                                          0x0040ec34
                                          0x00000000
                                          0x00000000
                                          0x0040ec34
                                          0x0040dee3
                                          0x0040deef
                                          0x0040def6
                                          0x0040df01
                                          0x0040df03
                                          0x0040df0c
                                          0x0040df12
                                          0x0040df14
                                          0x0040df14
                                          0x0040df3c
                                          0x0040df42
                                          0x0040df42
                                          0x0040df44
                                          0x0040df48
                                          0x0040df4c
                                          0x0040df53
                                          0x0040e211
                                          0x0040e21f
                                          0x0040e229
                                          0x0040e23b
                                          0x0040e23f
                                          0x0040e245
                                          0x0040e253
                                          0x0040e258
                                          0x0040e265
                                          0x0040e267
                                          0x0040e267
                                          0x0040e270
                                          0x0040e275
                                          0x0040e296
                                          0x0040e298
                                          0x0040e2a1
                                          0x0040e2a9
                                          0x0040e277
                                          0x0040e277
                                          0x0040e285
                                          0x0040e28d
                                          0x0040e292
                                          0x0040e292
                                          0x0040e2ae
                                          0x0040e2b4
                                          0x0040e2b8
                                          0x0040e2ba
                                          0x0040e2c2
                                          0x0040e2c5
                                          0x0040e2c9
                                          0x0040e2cc
                                          0x0040e2d5
                                          0x0040e2e2
                                          0x0040e2e5
                                          0x0040e2e7
                                          0x0040e2e7
                                          0x0040e2f0
                                          0x0040e2f5
                                          0x0040e31c
                                          0x0040e31e
                                          0x0040e32b
                                          0x0040e32f
                                          0x0040e337
                                          0x0040e2f7
                                          0x0040e2f7
                                          0x0040e309
                                          0x0040e316
                                          0x0040e318
                                          0x0040e318
                                          0x0040e33b
                                          0x0040e33f
                                          0x0040e341
                                          0x0040e349
                                          0x0040e34c
                                          0x0040e350
                                          0x0040e353
                                          0x0040e35c
                                          0x0040e369
                                          0x0040e36c
                                          0x0040e36e
                                          0x0040e36e
                                          0x0040e377
                                          0x0040e37c
                                          0x0040e3a3
                                          0x0040e3a5
                                          0x0040e3b2
                                          0x0040e3b6
                                          0x0040e3be
                                          0x0040e37e
                                          0x0040e37e
                                          0x0040e390
                                          0x0040e39d
                                          0x0040e39f
                                          0x0040e39f
                                          0x0040e3c2
                                          0x0040e3c6
                                          0x0040e3c8
                                          0x0040e3d0
                                          0x0040e3d3
                                          0x0040e3d7
                                          0x0040e3da
                                          0x0040e3e3
                                          0x0040e3f0
                                          0x0040e3f3
                                          0x0040e3f5
                                          0x0040e3f5
                                          0x0040e3fe
                                          0x0040e403
                                          0x0040e42a
                                          0x0040e42c
                                          0x0040e439
                                          0x0040e43d
                                          0x0040e445
                                          0x0040e405
                                          0x0040e405
                                          0x0040e417
                                          0x0040e424
                                          0x0040e426
                                          0x0040e426
                                          0x0040e449
                                          0x0040e44d
                                          0x0040e44f
                                          0x0040e457
                                          0x0040e45a
                                          0x0040e45e
                                          0x0040e461
                                          0x0040e46a
                                          0x0040e477
                                          0x0040e47a
                                          0x0040e47c
                                          0x0040e47c
                                          0x0040e485
                                          0x0040e48a
                                          0x0040e4b1
                                          0x0040e4b3
                                          0x0040e4c0
                                          0x0040e4c4
                                          0x0040e4cc
                                          0x0040e48c
                                          0x0040e48c
                                          0x0040e49e
                                          0x0040e4ab
                                          0x0040e4ad
                                          0x0040e4ad
                                          0x0040e4d0
                                          0x0040e4d4
                                          0x0040e4d6
                                          0x0040e4de
                                          0x0040e4e1
                                          0x0040e4e5
                                          0x0040e4e8
                                          0x0040e4f1
                                          0x0040e4fe
                                          0x0040e501
                                          0x0040e503
                                          0x0040e503
                                          0x0040e50c
                                          0x0040e511
                                          0x0040e538
                                          0x0040e53a
                                          0x0040e547
                                          0x0040e54b
                                          0x0040e553
                                          0x0040e513
                                          0x0040e513
                                          0x0040e525
                                          0x0040e532
                                          0x0040e534
                                          0x0040e534
                                          0x0040e557
                                          0x0040e55b
                                          0x0040e55d
                                          0x0040e565
                                          0x0040e568
                                          0x0040e56c
                                          0x0040e56f
                                          0x0040e578
                                          0x0040e585
                                          0x0040e588
                                          0x0040e58a
                                          0x0040e58a
                                          0x0040e593
                                          0x0040e598
                                          0x0040e5bf
                                          0x0040e5c1
                                          0x0040e5ce
                                          0x0040e5d2
                                          0x0040e5da
                                          0x0040e59a
                                          0x0040e59a
                                          0x0040e5ac
                                          0x0040e5b9
                                          0x0040e5bb
                                          0x0040e5bb
                                          0x0040e5e4
                                          0x0040e5e6
                                          0x0040e5ea
                                          0x0040e5f2
                                          0x0040e5f4
                                          0x0040e5fe
                                          0x0040e601
                                          0x0040e604
                                          0x0040e604
                                          0x0040e60d
                                          0x0040e612
                                          0x0040e63e
                                          0x0040e640
                                          0x0040e649
                                          0x0040e64d
                                          0x0040e658
                                          0x0040e65c
                                          0x0040e614
                                          0x0040e614
                                          0x0040e622
                                          0x0040e625
                                          0x0040e631
                                          0x0040e635
                                          0x0040e635
                                          0x0040df59
                                          0x0040df59
                                          0x0040df5e
                                          0x0040df60
                                          0x0040df60
                                          0x0040df67
                                          0x0040df6b
                                          0x0040df75
                                          0x0040df80
                                          0x0040df82
                                          0x0040df83
                                          0x0040df85
                                          0x0040df85
                                          0x0040df8e
                                          0x0040df93
                                          0x0040dfae
                                          0x0040dfb0
                                          0x0040dfb9
                                          0x0040dfbd
                                          0x0040df95
                                          0x0040df95
                                          0x0040dfa3
                                          0x0040dfa7
                                          0x0040dfa7
                                          0x0040dfc2
                                          0x0040dfc5
                                          0x0040dfce
                                          0x0040dfd6
                                          0x0040dfd9
                                          0x0040dfdb
                                          0x0040dfdc
                                          0x0040dfdc
                                          0x0040dfe5
                                          0x0040dfea
                                          0x0040e000
                                          0x0040e002
                                          0x0040e00b
                                          0x0040e00f
                                          0x0040dfec
                                          0x0040dfec
                                          0x0040dffa
                                          0x0040dffa
                                          0x0040e010
                                          0x0040e012
                                          0x0040e01b
                                          0x0040e023
                                          0x0040e026
                                          0x0040e028
                                          0x0040e029
                                          0x0040e029
                                          0x0040e032
                                          0x0040e037
                                          0x0040e04d
                                          0x0040e04f
                                          0x0040e058
                                          0x0040e05c
                                          0x0040e039
                                          0x0040e039
                                          0x0040e047
                                          0x0040e047
                                          0x0040e05d
                                          0x0040e05f
                                          0x0040e068
                                          0x0040e070

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1ef3a85183e3002fe42a0a148796e2a0343b3df6179ef6736291ebe652a2f59b
                                          • Instruction ID: 8b43415f725c52400ea32066e58f3de959199fbb7ac6094870e9ab37e3e6cffc
                                          • Opcode Fuzzy Hash: 1ef3a85183e3002fe42a0a148796e2a0343b3df6179ef6736291ebe652a2f59b
                                          • Instruction Fuzzy Hash: 2481DA73A0C32547D7288A1AC980225B6E3FBD1340F174A3FE4A99B3C0E6798956C789
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 123209dfbf82470405aa8cb44f036b459c122f4087a2a39e6df564f031e137c1
                                          • Instruction ID: 1df73540e4c2d79fb10e79e5b8cb1a3a58f6520a6752a808dce565b5e6951a96
                                          • Opcode Fuzzy Hash: 123209dfbf82470405aa8cb44f036b459c122f4087a2a39e6df564f031e137c1
                                          • Instruction Fuzzy Hash: CC51D872B006189F8F24CE5582405E773E5AB84764B1A857ED949DF310E3B4FCE297D8
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 78%
                                          			E0040B230(intOrPtr* _a4) {
                                          				char _v64;
                                          				intOrPtr _v68;
                                          				intOrPtr _v72;
                                          				intOrPtr _v76;
                                          				intOrPtr _v80;
                                          				intOrPtr _v84;
                                          				intOrPtr _v88;
                                          				intOrPtr _v92;
                                          				intOrPtr _v96;
                                          				char _v100;
                                          				intOrPtr* _v104;
                                          				signed int _v108;
                                          				signed int _v112;
                                          				intOrPtr* _v116;
                                          				signed int _t123;
                                          				signed int _t128;
                                          				intOrPtr* _t129;
                                          				intOrPtr* _t148;
                                          				intOrPtr* _t153;
                                          				intOrPtr* _t160;
                                          				intOrPtr* _t166;
                                          				signed int _t167;
                                          				signed int _t187;
                                          				void* _t223;
                                          
                                          				_t223 =  &_v116;
                                          				_t166 = _a4;
                                          				_t123 = 0;
                                          				_t2 = _t166 + 0x30; // 0x30
                                          				_t148 = _t2;
                                          				do {
                                          					asm("bswap esi");
                                          					 *((intOrPtr*)(_t223 + 0x44 + _t123 * 4)) =  *((intOrPtr*)(_t148 - 8));
                                          					asm("bswap esi");
                                          					 *((intOrPtr*)(_t223 + 0x48 + _t123 * 4)) =  *((intOrPtr*)(_t148 - 4));
                                          					asm("bswap esi");
                                          					 *((intOrPtr*)(_t223 + 0x4c + _t123 * 4)) =  *_t148;
                                          					asm("bswap esi");
                                          					 *((intOrPtr*)(_t223 + 0x50 + _t123 * 4)) =  *((intOrPtr*)(_t148 + 4));
                                          					_t123 = _t123 + 4;
                                          					_t148 = _t148 + 0x10;
                                          				} while (_t123 < 0x10);
                                          				_v96 =  *_t166;
                                          				_v92 =  *((intOrPtr*)(_t166 + 4));
                                          				_v88 =  *((intOrPtr*)(_t166 + 8));
                                          				_v84 =  *((intOrPtr*)(_t166 + 0xc));
                                          				_v80 =  *((intOrPtr*)(_t166 + 0x10));
                                          				_v76 =  *((intOrPtr*)(_t166 + 0x14));
                                          				_t167 = 0;
                                          				_v72 =  *((intOrPtr*)(_t166 + 0x18));
                                          				_v68 =  *((intOrPtr*)(_t166 + 0x1c));
                                          				_v112 = 0;
                                          				do {
                                          					_t187 = 1;
                                          					_t153 =  &_v64;
                                          					_v108 = 1;
                                          					_t38 = _t187 - 5; // -4
                                          					_t128 = _t38;
                                          					_v104 = _t153;
                                          					_v116 = 0x41c150 + _t167 * 4;
                                          					_v100 = 0x10;
                                          					do {
                                          						if(_t167 != 0) {
                                          							_t42 = _t187 - 3; // -2
                                          							asm("ror ebx, 0x13");
                                          							asm("ror ebp, 0x11");
                                          							asm("ror edx, 0x12");
                                          							asm("ror ebp, 0x7");
                                          							 *_t153 =  *_t153 + ( *(_t223 + 0x44 + (_t42 & 0x0000000f) * 4) ^  *(_t223 + 0x44 + (_t42 & 0x0000000f) * 4) ^  *(_t223 + 0x44 + (_t42 & 0x0000000f) * 4) >> 0x0000000a) + ( *(_t223 + 0x44 + (_t187 & 0x0000000f) * 4) ^  *(_t223 + 0x44 + (_t187 & 0x0000000f) * 4) ^  *(_t223 + 0x44 + (_t187 & 0x0000000f) * 4) >> 0x00000003) +  *((intOrPtr*)(_t223 + 0x44 + (_t187 + 0xfffffff8 & 0x0000000f) * 4));
                                          						}
                                          						_t55 = _t128 + 2; // -2
                                          						_t59 = _t128 + 3; // -1
                                          						asm("ror ebx, 0x19");
                                          						asm("ror ebp, 0xb");
                                          						asm("ror ebp, 0x6");
                                          						_t60 = _t128 + 1; // -3
                                          						_t160 = _t223 + 0x24 + (_t59 & 0x00000007) * 4;
                                          						 *_t160 =  *_t160 + ( *(_t223 + 0x24 + (_t128 & 0x00000007) * 4) ^  *(_t223 + 0x24 + (_t128 & 0x00000007) * 4) ^  *(_t223 + 0x24 + (_t128 & 0x00000007) * 4)) + (( *(_t223 + 0x24 + (_t60 & 0x00000007) * 4) ^  *(_t223 + 0x24 + (_t55 & 0x00000007) * 4)) &  *(_t223 + 0x24 + (_t128 & 0x00000007) * 4) ^  *(_t223 + 0x24 + (_t55 & 0x00000007) * 4)) +  *_v116 +  *_t153;
                                          						_t68 = _t128 - 1; // -5
                                          						 *((intOrPtr*)(_t223 + 0x24 + (_t68 & 0x00000007) * 4)) =  *((intOrPtr*)(_t223 + 0x24 + (_t68 & 0x00000007) * 4)) +  *_t160;
                                          						_t78 = _t128 - 4; // -8
                                          						_v116 = _v116 + 4;
                                          						_t84 = _t128 - 3; // -7
                                          						asm("ror edi, 0x16");
                                          						asm("ror ebx, 0xd");
                                          						asm("ror ebx, 0x2");
                                          						_t88 = _t128 - 2; // -6
                                          						_t167 = _v112;
                                          						 *_t160 =  *_t160 + ( *(_t223 + 0x24 + (_t78 & 0x00000007) * 4) ^  *(_t223 + 0x24 + (_t78 & 0x00000007) * 4) ^  *(_t223 + 0x24 + (_t78 & 0x00000007) * 4)) + ( *(_t223 + 0x24 + (_t88 & 0x00000007) * 4) & ( *(_t223 + 0x24 + (_t84 & 0x00000007) * 4) |  *(_t223 + 0x24 + (_t78 & 0x00000007) * 4)) |  *(_t223 + 0x24 + (_t84 & 0x00000007) * 4) &  *(_t223 + 0x24 + (_t78 & 0x00000007) * 4));
                                          						_t187 = _v108 + 1;
                                          						_t153 = _v104 + 4;
                                          						_t128 = _t128 - 1;
                                          						_t95 =  &_v100;
                                          						 *_t95 = _v100 - 1;
                                          						_v108 = _t187;
                                          						_v104 = _t153;
                                          					} while ( *_t95 != 0);
                                          					_t167 = _t167 + 0x10;
                                          					_v112 = _t167;
                                          				} while (_t167 < 0x40);
                                          				_t129 = _a4;
                                          				 *_t129 =  *_t129 + _v96;
                                          				 *((intOrPtr*)(_t129 + 4)) =  *((intOrPtr*)(_t129 + 4)) + _v92;
                                          				 *((intOrPtr*)(_t129 + 8)) =  *((intOrPtr*)(_t129 + 8)) + _v88;
                                          				 *((intOrPtr*)(_t129 + 0xc)) =  *((intOrPtr*)(_t129 + 0xc)) + _v84;
                                          				 *((intOrPtr*)(_t129 + 0x10)) =  *((intOrPtr*)(_t129 + 0x10)) + _v80;
                                          				 *((intOrPtr*)(_t129 + 0x14)) =  *((intOrPtr*)(_t129 + 0x14)) + _v76;
                                          				 *((intOrPtr*)(_t129 + 0x18)) =  *((intOrPtr*)(_t129 + 0x18)) + _v72;
                                          				 *((intOrPtr*)(_t129 + 0x1c)) =  *((intOrPtr*)(_t129 + 0x1c)) + _v68;
                                          				return _t129;
                                          			}


                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fd5b2c6ed38590160cc8fb173a0877a6425f0538a0edd97a68ed25e58d07123f
                                          • Instruction ID: e58164fe841b3d27413a749a66db9a62c92b149f99bc5724522e02b37cf73634
                                          • Opcode Fuzzy Hash: fd5b2c6ed38590160cc8fb173a0877a6425f0538a0edd97a68ed25e58d07123f
                                          • Instruction Fuzzy Hash: 447139B1A083058FC348DF49D48895AF3E1FFC8318F198A6DE9889B351D771E955CB86
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0040C5F0(intOrPtr __ecx, void* __edx, intOrPtr _a4, unsigned int* _a8, intOrPtr _a12) {
                                          				intOrPtr _v4;
                                          				intOrPtr _v8;
                                          				signed int _t43;
                                          				unsigned int _t44;
                                          				signed int _t48;
                                          				intOrPtr _t52;
                                          				signed char _t63;
                                          				signed int _t64;
                                          				signed char _t77;
                                          				signed int* _t81;
                                          				unsigned int _t84;
                                          				void* _t86;
                                          				unsigned int _t88;
                                          				signed int _t91;
                                          				intOrPtr _t97;
                                          				void* _t98;
                                          
                                          				_t97 = __ecx;
                                          				_t84 = 0;
                                          				_t88 =  *_a8 & 0x00000007;
                                          				_v8 = __ecx;
                                          				if(__edx >= 5) {
                                          					_a4 = _a4 + 5;
                                          					_t52 = __edx - 4 + __ecx;
                                          					_v4 = _t52;
                                          					while(1) {
                                          						_t81 = _t84 + _t97;
                                          						if(_t81 >= _t52) {
                                          							goto L7;
                                          						}
                                          						L5:
                                          						while(( *_t81 & 0x000000fe) != 0xe8) {
                                          							_t81 =  &(_t81[0]);
                                          							if(_t81 < _t52) {
                                          								continue;
                                          							}
                                          							goto L7;
                                          						}
                                          						L7:
                                          						_t63 = _t81 - _t84 - _t97;
                                          						_t86 = _t81 - _t97;
                                          						if(_t81 < _t52) {
                                          							if(_t63 <= 2) {
                                          								_t91 = _t88 >> _t63;
                                          								if(_t91 == 0 || _t91 <= 4 && _t91 != 3 && ((( &(_t81[0]))[_t91 >> 1] & 0x000000ff) + 0x00000001 & 0x000000fe) != 0) {
                                          									goto L10;
                                          								} else {
                                          									_t88 = (_t91 | 0x00000008) >> 1;
                                          									_t84 = _t86 + 1;
                                          									continue;
                                          								}
                                          							} else {
                                          								_t91 = 0;
                                          								L10:
                                          								_t64 = _t81[1] & 0x000000ff;
                                          								if((_t64 + 0x00000001 & 0x000000fe) != 0) {
                                          									_t97 = _v8;
                                          									_t88 = (_t91 | 0x00000008) >> 1;
                                          									_t84 = _t86 + 1;
                                          								} else {
                                          									_t43 = _t81[0] & 0x000000ff | ((_t64 << 0x00000008 | _t81[0] & 0x000000ff) << 0x00000008 | _t81[0] & 0x000000ff) << 0x00000008;
                                          									_t98 = _t86 + _a4;
                                          									_t84 = _t86 + 5;
                                          									if(_a12 == 0) {
                                          										_t44 = _t43 - _t98;
                                          									} else {
                                          										_t44 = _t43 + _t98;
                                          									}
                                          									if(_t91 != 0) {
                                          										_t77 = (_t91 & 0x00000006) + (_t91 & 0x00000006) + (_t91 & 0x00000006) + (_t91 & 0x00000006);
                                          										if(((_t44 >> _t77) + 0x00000001 & 0x000000fe) == 0) {
                                          											_t48 = _t44 ^ (0x00000100 << _t77) - 0x00000001;
                                          											if(_a12 == 0) {
                                          												_t44 = _t48 - _t98;
                                          											} else {
                                          												_t44 = _t48 + _t98;
                                          											}
                                          										}
                                          										_t52 = _v4;
                                          										_t88 = 0;
                                          									}
                                          									_t97 = _v8;
                                          									_t81[0] = _t44;
                                          									_t81[0] = _t44 >> 8;
                                          									_t81[0] = _t44 >> 0x10;
                                          									_t81[1] =  ~(_t44 >> 0x00000018 & 0x00000001);
                                          								}
                                          								while(1) {
                                          									_t81 = _t84 + _t97;
                                          									if(_t81 >= _t52) {
                                          										goto L7;
                                          									}
                                          									goto L5;
                                          								}
                                          							}
                                          						}
                                          						if(_t63 <= 2) {
                                          							 *_a8 = _t88 >> _t63;
                                          							return _t86;
                                          						} else {
                                          							 *_a8 = 0;
                                          							return _t86;
                                          						}
                                          						goto L30;
                                          					}
                                          				} else {
                                          					return 0;
                                          				}
                                          				L30:
                                          			}


                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b31d452cf4fc038398579975b7917bb1ff375609163340ad82824380036c8528
                                          • Instruction ID: 2512ae077ffb6cc5c0a98d06df2ad874ef365c90d639dd9bc8b4382b2321abdd
                                          • Opcode Fuzzy Hash: b31d452cf4fc038398579975b7917bb1ff375609163340ad82824380036c8528
                                          • Instruction Fuzzy Hash: 36413633A04266CBC7248F2C88D417AF790ABD5214F094B7FD996A73C2D2369D49C7D9
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 88%
                                          			E0040BA90() {
                                          				char _t25;
                                          				signed int _t30;
                                          				signed int _t43;
                                          				signed int _t44;
                                          				void* _t51;
                                          				signed int _t60;
                                          				signed int _t63;
                                          				signed int _t69;
                                          				signed int _t71;
                                          				signed int _t83;
                                          				signed int _t98;
                                          				signed int _t99;
                                          				signed int _t123;
                                          				signed int _t127;
                                          				signed int _t130;
                                          				signed int _t133;
                                          
                                          				_t25 = 0;
                                          				do {
                                          					_t1 = _t25 + 0x41c040; // 0x7b777c63
                                          					 *((char*)(( *_t1 & 0x000000ff) + 0x41e8e8)) = _t25;
                                          					_t25 = _t25 + 1;
                                          				} while (_t25 < 0x100);
                                          				_t130 = 0;
                                          				do {
                                          					_t3 = _t130 + 0x41c040; // 0x7b777c63
                                          					_t63 =  *_t3 & 0x000000ff;
                                          					asm("sbb eax, eax");
                                          					_t30 = ( ~(_t63 & 0x80) & 0x0000001b ^ _t63 + _t63) & 0x000000ff;
                                          					_t123 = _t30 ^ _t63;
                                          					 *(0x41f9f0 + _t130 * 4) = ((_t123 << 0x00000008 | _t63) << 0x00000008 | _t63) << 0x00000008 | _t30;
                                          					_t7 = _t130 + 0x41e8e8; // 0xd56a0952
                                          					_t133 =  *_t7 & 0x000000ff;
                                          					_t83 = _t63 << 8;
                                          					 *(0x4205f0 + _t130 * 4) = ((_t30 << 0x00000008 | _t123) << 0x00000008 | _t63) << 0x00000008 | _t63;
                                          					asm("sbb eax, eax");
                                          					 *(0x4201f0 + _t130 * 4) = ((_t83 | _t30) << 0x00000008 | _t123) << 0x00000008 | _t63;
                                          					_t43 = ( ~(_t133 & 0x80) & 0x0000001b ^ _t133 + _t133) & 0x000000ff;
                                          					asm("sbb ecx, ecx");
                                          					_t69 = ( ~(_t43 & 0x80) & 0x0000001b ^ _t43 + _t43) & 0x000000ff;
                                          					asm("sbb edx, edx");
                                          					_t98 = ( ~(_t69 & 0x80) & 0x0000001b ^ _t69 + _t69) & 0x000000ff;
                                          					 *(0x41fdf0 + _t130 * 4) = ((_t83 | _t63) << 0x00000008 | _t30) << 0x00000008 | _t123;
                                          					_t99 = _t98 ^ _t69;
                                          					_t127 = _t98 ^ _t43 ^ _t133;
                                          					_t44 = _t43 ^ _t99;
                                          					_t60 = _t98 ^ _t133;
                                          					_t71 = _t99 ^ _t133;
                                          					 *(0x41e9e8 + _t130 * 4) = ((_t127 << 0x00000008 | _t71) << 0x00000008 | _t60) << 0x00000008 | _t44;
                                          					 *(0x41ede8 + _t130 * 4) = ((_t71 << 0x00000008 | _t60) << 0x00000008 | _t44) << 0x00000008 | _t127;
                                          					 *(0x41f1e8 + _t130 * 4) = ((_t60 << 0x00000008 | _t44) << 0x00000008 | _t127) << 0x00000008 | _t71;
                                          					 *(0x41f5e8 + _t130 * 4) = ((_t44 << 0x00000008 | _t127) << 0x00000008 | _t71) << 0x00000008 | _t60;
                                          					_t130 = _t130 + 1;
                                          				} while (_t130 < 0x100);
                                          				 *0x4209f0 = 0x40b070;
                                          				 *0x41f9ec = E0040B0D0;
                                          				 *0x41f9e8 = E0040B160;
                                          				_t51 = E00419160();
                                          				if(_t51 != 0) {
                                          					 *0x4209f0 = 0x419860;
                                          					 *0x41f9ec = E00419710;
                                          					 *0x41f9e8 = 0x4198d0;
                                          					return _t51;
                                          				}
                                          				return _t51;
                                          			}


                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 73730e3d9151fbadbdc16631f016a2ea510cfbdbc37b2b029a2882c1c2214c2e
                                          • Instruction ID: dd20adac85c5117443e66756b5ec49ccb88ee33e59fa4e887385627a91a44c63
                                          • Opcode Fuzzy Hash: 73730e3d9151fbadbdc16631f016a2ea510cfbdbc37b2b029a2882c1c2214c2e
                                          • Instruction Fuzzy Hash: 2A41F771B609200AF308CF678C891A67FC3D7C9346744C23DD565CA6D9DABDC447C698
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0040A4E0(signed int* __edx) {
                                          				signed int _t35;
                                          				signed int _t37;
                                          				signed int _t38;
                                          				signed int* _t39;
                                          				signed int* _t40;
                                          				unsigned int _t47;
                                          				signed int _t48;
                                          				signed int* _t49;
                                          				signed int* _t50;
                                          				signed int _t54;
                                          				signed int _t77;
                                          				signed int _t85;
                                          				unsigned int _t86;
                                          				void* _t94;
                                          
                                          				_t50 = __edx;
                                          				_t47 =  *(_t94 + 0xc);
                                          				_t86 = _t47 + 0x1c;
                                          				_t48 = _t47 >> 2;
                                          				_t35 = (_t48 >> 1) + 3;
                                          				_t85 = 0;
                                          				 *(_t94 + 0xc) = _t86;
                                          				 *_t49 = _t35;
                                          				if(_t48 == 0) {
                                          					L2:
                                          					if(_t85 >= _t86) {
                                          						return _t35;
                                          					}
                                          					 *((intOrPtr*)(_t94 + 0x14)) = _t49 + 0x10 + (_t85 - _t48) * 4;
                                          					do {
                                          						_t37 = _t85;
                                          						_t38 = _t37 / _t48;
                                          						_t54 = _t37 % _t48;
                                          						_t77 =  *(_t49 + 0xc + _t85 * 4);
                                          						if(_t54 != 0) {
                                          							if(_t48 > 6 && _t54 == 4) {
                                          								_t77 =  *((_t77 & 0x000000ff) + 0x41c040) & 0x000000ff | (( *((_t77 >> 0x00000010 & 0x000000ff) + 0x41c040) & 0x000000ff | ( *((_t77 >> 0x18) + 0x41c040) & 0x000000ff) << 0x00000008) << 0x00000008 |  *((_t77 >> 0x00000008 & 0x000000ff) + 0x41c040) & 0x000000ff) << 0x00000008;
                                          							}
                                          						} else {
                                          							_t18 = _t38 + 0x41c140; // 0x4020100
                                          							_t86 =  *(_t94 + 0x10);
                                          							_t77 =  *((_t77 >> 0x00000008 & 0x000000ff) + 0x41c040) & 0x000000ff ^  *_t18 & 0x000000ff | ((( *((_t77 & 0x000000ff) + 0x41c040) & 0x000000ff) << 0x00000008 |  *((_t77 >> 0x18) + 0x41c040) & 0x000000ff) << 0x00000008 |  *((_t77 >> 0x00000010 & 0x000000ff) + 0x41c040) & 0x000000ff) << 0x00000008;
                                          						}
                                          						_t39 =  *(_t94 + 0x18);
                                          						 *(_t49 + 0x10 + _t85 * 4) =  *_t39 ^ _t77;
                                          						_t85 = _t85 + 1;
                                          						_t40 =  &(_t39[1]);
                                          						 *(_t94 + 0x18) = _t40;
                                          					} while (_t85 < _t86);
                                          					return _t40;
                                          				} else {
                                          					goto L1;
                                          				}
                                          				do {
                                          					L1:
                                          					_t35 =  *_t50;
                                          					 *(_t49 + 0x10 + _t85 * 4) = _t35;
                                          					_t85 = _t85 + 1;
                                          					_t50 =  &(_t50[1]);
                                          				} while (_t85 < _t48);
                                          				goto L2;
                                          			}


                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6d6b9b754f9b189d92509bd9194e6262c08822d317c9229910bcc5669ef11d2d
                                          • Instruction ID: 8f6eb64d06b658f293c5b46dbe98da55d8e186e99a2fb9da9eaca93df92f0056
                                          • Opcode Fuzzy Hash: 6d6b9b754f9b189d92509bd9194e6262c08822d317c9229910bcc5669ef11d2d
                                          • Instruction Fuzzy Hash: A7316872A047A646E310DE1ECC80263BBD3BFC5205F088276D4945B78BD539D4128295
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 15%
                                          			E004198C3(void* __ecx, void* __edx, intOrPtr _a4) {
                                          				intOrPtr _v0;
                                          				intOrPtr _v4;
                                          				intOrPtr _v8;
                                          				void* _v13;
                                          				intOrPtr _t6;
                                          				void* _t7;
                                          				void* _t8;
                                          				void* _t9;
                                          				void* _t13;
                                          				void* _t17;
                                          
                                          				_t13 = __edx;
                                          				_t6 = _a4;
                                          				asm("movdqa xmm6, [ecx]");
                                          				 *( &_v13 << 4) = 1;
                                          				_v8 = 0;
                                          				_v4 = 0;
                                          				_v0 = 0;
                                          				_t17 =  ~( *(__ecx + 0x10) << 5) + 0x20;
                                          				while(1) {
                                          					_t6 = _t6 - 4;
                                          					if(_t6 < 0) {
                                          						break;
                                          					}
                                          					asm("movdqa xmm7, [ebp]");
                                          					asm("paddq xmm6, xmm7");
                                          					asm("movdqa xmm0, xmm6");
                                          					asm("paddq xmm6, xmm7");
                                          					asm("movdqa xmm1, xmm6");
                                          					asm("paddq xmm6, xmm7");
                                          					asm("movdqa xmm2, xmm6");
                                          					asm("paddq xmm6, xmm7");
                                          					asm("movdqa xmm3, xmm6");
                                          					_t8 = _t17;
                                          					asm("movdqa xmm7, [ebx+ecx-0x20]");
                                          					asm("pxor xmm0, xmm7");
                                          					asm("pxor xmm1, xmm7");
                                          					asm("pxor xmm2, xmm7");
                                          					asm("pxor xmm3, xmm7");
                                          					asm("movdqa xmm7, [ebx+ecx-0x10]");
                                          					asm("aesenc xmm0, xmm7");
                                          					asm("aesenc xmm1, xmm7");
                                          					asm("aesenc xmm2, xmm7");
                                          					asm("aesenc xmm3, xmm7");
                                          					do {
                                          						asm("movdqa xmm7, [ebx+ecx]");
                                          						asm("aesenc xmm0, xmm7");
                                          						asm("aesenc xmm1, xmm7");
                                          						asm("aesenc xmm2, xmm7");
                                          						asm("aesenc xmm3, xmm7");
                                          						asm("movdqa xmm7, [ebx+ecx+0x10]");
                                          						asm("aesenc xmm0, xmm7");
                                          						asm("aesenc xmm1, xmm7");
                                          						asm("aesenc xmm2, xmm7");
                                          						asm("aesenc xmm3, xmm7");
                                          						_t8 = _t8 + 0x20;
                                          					} while (_t8 != 0);
                                          					asm("movdqa xmm7, [ebx+ecx]");
                                          					asm("aesenclast xmm0, xmm7");
                                          					asm("aesenclast xmm1, xmm7");
                                          					asm("aesenclast xmm2, xmm7");
                                          					asm("aesenclast xmm3, xmm7");
                                          					asm("pxor xmm0, [edx]");
                                          					asm("pxor xmm1, [edx+0x10]");
                                          					asm("pxor xmm2, [edx+0x20]");
                                          					asm("pxor xmm3, [edx+0x30]");
                                          					asm("movdqa [edx], xmm0");
                                          					asm("movdqa [edx+0x10], xmm1");
                                          					asm("movdqa [edx+0x20], xmm2");
                                          					asm("movdqa [edx+0x30], xmm3");
                                          					_t13 = _t13 + 0x40;
                                          				}
                                          				_t7 = _t6 + 4;
                                          				while(1) {
                                          					_t7 = _t7 - 1;
                                          					if(_t7 < 0) {
                                          						break;
                                          					}
                                          					asm("paddq xmm6, [ebp]");
                                          					_t9 = _t17;
                                          					asm("movdqa xmm0, [ebx+ecx-0x20]");
                                          					asm("pxor xmm0, xmm6");
                                          					asm("aesenc xmm0, [ebx+ecx-0x10]");
                                          					do {
                                          						asm("aesenc xmm0, [ebx+ecx]");
                                          						asm("aesenc xmm0, [ebx+ecx+0x10]");
                                          						_t9 = _t9 + 0x20;
                                          					} while (_t9 != 0);
                                          					asm("aesenclast xmm0, [ebx+ecx]");
                                          					asm("pxor xmm0, [edx]");
                                          					asm("movdqa [edx], xmm0");
                                          					_t13 = _t13 + 0x10;
                                          				}
                                          				asm("movdqa [esi+ecx-0x40], xmm6");
                                          				return _t7;
                                          			}


                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e781e73348b070714efe4b9f1f387dbcbf5b044bf6c7f23a7a0004d2e0ca769a
                                          • Instruction ID: 0c79d8c59d00a78f9440f3aa51eedcdd78ab10b5fc93e450dee24b4d7cd4d7bf
                                          • Opcode Fuzzy Hash: e781e73348b070714efe4b9f1f387dbcbf5b044bf6c7f23a7a0004d2e0ca769a
                                          • Instruction Fuzzy Hash: 1341A561C14B9652EB224F7CC842272B320BFAB244F00D75AFDD179963FB3269846655
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00418D50() {
                                          				void* _t38;
                                          				signed int _t39;
                                          				signed int _t73;
                                          
                                          				_t73 = 0;
                                          				do {
                                          					 *(0x420b80 + _t73 * 4) =  !((( !((( !((( !((( !((( !((( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((( !((_t73 & 0x00000001) 
- 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 
0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ 
_t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((( !((( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 
0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t73 & 0x00000001) 
- 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 
0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ 
_t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t73 & 0x00000001) - 1) & 0xedb88320 ^ _t73 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001;
                                          					_t73 = _t73 + 1;
                                          				} while (_t73 < 0x100);
                                          				while(_t73 < 0x800) {
                                          					_t39 =  *(0x420780 + _t73 * 4);
                                          					_t73 = _t73 + 1;
                                          					 *(0x420b7c + _t73 * 4) = _t39 >> 0x00000008 ^  *(0x420b80 + (_t39 & 0x000000ff) * 4);
                                          				}
                                          				 *0x420b74 = 0x419630;
                                          				 *0x422b80 = 0x419630;
                                          				 *0x420b70 = 0x419550;
                                          				_t38 = E00419060();
                                          				if(_t38 == 0) {
                                          					 *0x422b80 = 0x419550;
                                          					return _t38;
                                          				}
                                          				return _t38;
                                          			}







                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4f676c29db07d748d27b39d428b6e09ec32336efd2a80984568a862303c1556d
                                          • Instruction ID: 51037b27fab7abe5882109eaafdaafd36d1536c3e678e8b13c54931181ec04f6
                                          • Opcode Fuzzy Hash: 4f676c29db07d748d27b39d428b6e09ec32336efd2a80984568a862303c1556d
                                          • Instruction Fuzzy Hash: D9211D7E370D0607A76C8B6DAD336B925C2E344348BC8A53DE14BC62D1EF6C9895C64D
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00419551(signed char __ecx, signed int __edx, intOrPtr _a8, intOrPtr _a12) {
                                          				signed char _t42;
                                          				signed int _t44;
                                          				signed int _t50;
                                          				signed int _t51;
                                          				unsigned int _t59;
                                          				signed char _t60;
                                          				signed int _t62;
                                          				void* _t63;
                                          				intOrPtr _t65;
                                          				intOrPtr _t67;
                                          				signed int _t69;
                                          				signed int _t73;
                                          				signed int _t83;
                                          				intOrPtr _t86;
                                          
                                          				_t62 = __edx;
                                          				_t42 = __ecx;
                                          				_t65 = _a8;
                                          				_t86 = _a12;
                                          				if(_t65 != 0) {
                                          					while((_t62 & 0x00000007) != 0) {
                                          						_t83 =  *_t62 & 0x000000ff;
                                          						_t62 = _t62 + 1;
                                          						_t42 = _t42 >> 0x00000008 ^  *(_t86 + (_t83 ^ _t42 & 0x000000ff) * 4);
                                          						_t65 = _t65 - 1;
                                          						if(_t65 != 0) {
                                          							continue;
                                          						}
                                          						break;
                                          					}
                                          					if(_t65 >= 0x10) {
                                          						_t67 = _t65 + _t62;
                                          						_a8 = _t67;
                                          						_t69 = _t67 - 0x00000008 & 0xfffffff8;
                                          						_t63 = _t62 - _t69;
                                          						_t44 = _t42 ^  *(_t63 + _t69);
                                          						_t59 =  *(_t63 + _t69 + 4);
                                          						do {
                                          							_t50 = _t59 & 0x000000ff;
                                          							_t51 = _t59 & 0x000000ff;
                                          							_t60 = _t59 >> 0x10;
                                          							_t59 =  *(_t63 + _t69 + 0xc);
                                          							_t44 =  *(_t86 + 0x1000 + (_t44 >> 0x00000010 & 0x000000ff) * 4) ^  *(_t63 + _t69 + 8) ^  *(_t86 + 0xc00 + _t50 * 4) ^  *(_t86 + 0x800 + _t51 * 4) ^  *(_t86 + 0x400 + (_t60 & 0x000000ff) * 4) ^  *(_t86 + (_t60 & 0x000000ff) * 4) ^  *(_t86 + 0x1c00 + (_t44 & 0x000000ff) * 4) ^  *(_t86 + 0x1800 + (_t44 & 0x000000ff) * 4) ^  *(_t86 + 0x1400 + (_t44 >> 0x00000010 & 0x000000ff) * 4);
                                          							_t63 = _t63 + 8;
                                          						} while (_t63 != 0);
                                          						_t42 = _t44 ^  *(_t63 + _t69);
                                          						_t62 = _t69;
                                          						_t65 = _a8 - _t62;
                                          						L7:
                                          						while(_t65 != 0) {
                                          							_t73 =  *_t62 & 0x000000ff;
                                          							_t62 = _t62 + 1;
                                          							_t42 = _t42 >> 0x00000008 ^  *(_t86 + (_t73 ^ _t42 & 0x000000ff) * 4);
                                          							_t65 = _t65 - 1;
                                          						}
                                          						return _t42;
                                          					}
                                          				}
                                          				goto L7;
                                          			}


















                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
                                          • Instruction ID: a7cdcc9f98ce9dbc60a73427d99236a85b447d866e4190eca6a24d33d7e231e4
                                          • Opcode Fuzzy Hash: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
                                          • Instruction Fuzzy Hash: E421D33290062557CB02CE6EE4945A7F3A2FBD436AF174727ED8463290C628AC54C6A0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0041962B(signed char __ecx, signed int __edx, intOrPtr _a4, intOrPtr _a8) {
                                          				signed char _t39;
                                          				signed int _t41;
                                          				signed int _t63;
                                          				void* _t64;
                                          				intOrPtr _t65;
                                          				intOrPtr _t66;
                                          				signed int _t68;
                                          				signed int _t70;
                                          				signed int _t74;
                                          				intOrPtr _t76;
                                          
                                          				_t63 = __edx;
                                          				_t39 = __ecx;
                                          				_t65 = _a4;
                                          				_t76 = _a8;
                                          				if(_t65 != 0) {
                                          					while((_t63 & 0x00000007) != 0) {
                                          						_t74 =  *_t63 & 0x000000ff;
                                          						_t63 = _t63 + 1;
                                          						_t39 = _t39 >> 0x00000008 ^  *(_t76 + (_t74 ^ _t39 & 0x000000ff) * 4);
                                          						_t65 = _t65 - 1;
                                          						if(_t65 != 0) {
                                          							continue;
                                          						}
                                          						break;
                                          					}
                                          					if(_t65 >= 0x10) {
                                          						_t66 = _t65 + _t63;
                                          						_a4 = _t66;
                                          						_t68 = _t66 - 0x00000008 & 0xfffffff8;
                                          						_t64 = _t63 - _t68;
                                          						_t41 = _t39 ^  *(_t64 + _t68);
                                          						do {
                                          							_t41 =  *(_t76 + 0xc00 + (( *(_t76 + 0xc00 + (_t41 & 0x000000ff) * 4) ^  *(_t64 + _t68 + 4) ^  *(_t76 + 0x800 + (_t41 & 0x000000ff) * 4) ^  *(_t76 + (_t41 >> 0x00000010 & 0x000000ff) * 4) ^  *(_t76 + 0x400 + (_t41 >> 0x00000010 & 0x000000ff) * 4)) & 0x000000ff) * 4) ^  *(_t64 + _t68 + 8) ^  *(_t76 + 0x800 + (( *(_t76 + 0xc00 + (_t41 & 0x000000ff) * 4) ^  *(_t64 + _t68 + 4) ^  *(_t76 + 0x800 + (_t41 & 0x000000ff) * 4) ^  *(_t76 + (_t41 >> 0x00000010 & 0x000000ff) * 4) ^  *(_t76 + 0x400 + (_t41 >> 0x00000010 & 0x000000ff) * 4)) & 0x000000ff) * 4) ^  *(_t76 + (( *(_t76 + 0xc00 + (_t41 & 0x000000ff) * 4) ^  *(_t64 + _t68 + 4) ^  *(_t76 + 0x800 + (_t41 & 0x000000ff) * 4) ^  *(_t76 + (_t41 >> 0x00000010 & 0x000000ff) * 4) ^  *(_t76 + 0x400 + (_t41 >> 0x00000010 & 0x000000ff) * 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(_t76 + 0x400 + (( *(_t76 + 0xc00 + (_t41 & 0x000000ff) * 4) ^  *(_t64 + _t68 + 4) ^  *(_t76 + 0x800 + (_t41 & 0x000000ff) * 4) ^  *(_t76 + (_t41 >> 0x00000010 & 0x000000ff) * 4) ^  *(_t76 + 0x400 + (_t41 >> 0x00000010 & 0x000000ff) * 4)) >> 0x00000010 & 0x000000ff) * 4);
                                          							_t64 = _t64 + 8;
                                          						} while (_t64 != 0);
                                          						_t39 = _t41 ^  *(_t64 + _t68);
                                          						_t63 = _t68;
                                          						_t65 = _a4 - _t63;
                                          						L8:
                                          						while(_t65 != 0) {
                                          							_t70 =  *_t63 & 0x000000ff;
                                          							_t63 = _t63 + 1;
                                          							_t39 = _t39 >> 0x00000008 ^  *(_t76 + (_t70 ^ _t39 & 0x000000ff) * 4);
                                          							_t65 = _t65 - 1;
                                          						}
                                          						return _t39;
                                          					}
                                          				}
                                          				goto L8;
                                          			}



                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d88b4545622fc2f48369f3988b55fed1d0241348448e0d26e09a3dd7181b3030
                                          • Instruction ID: 97b97acb8ff96b1b4e43437944a1cf665e1ec4585e0b194a145c9dbb8504525b
                                          • Opcode Fuzzy Hash: d88b4545622fc2f48369f3988b55fed1d0241348448e0d26e09a3dd7181b3030
                                          • Instruction Fuzzy Hash: 6F21297251442587C701DF5DE4986B7B3E1FFD4319F678A37D9818B180C638DC85D6A4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 74%
                                          			E00401DCA(void* __ecx, void* __edx, void* __eflags) {
                                          				void* _t58;
                                          				void* _t83;
                                          				void* _t88;
                                          				int _t100;
                                          				void* _t131;
                                          				void* _t138;
                                          				void* _t139;
                                          				long _t140;
                                          				intOrPtr* _t142;
                                          				void* _t144;
                                          				void* _t148;
                                          
                                          				_t148 = __eflags;
                                          				_t142 = _t144 - 0x74;
                                          				_t131 = __ecx;
                                          				_t138 = __edx;
                                          				E00411B60(E00411B60(_t58, _t142 + 0x30), _t142 + 0x3c);
                                          				E0040310A(GetCommandLineW(), _t142 + 0x30);
                                          				E00411A62(_t142 + 0xc, _t148, E00411B08(_t142, E00411B08(_t142 - 0xc, E00411B32(_t142 - 0x18, "\"", _t142 + 0x30), L"\" -"), L"sfxwaitall"), 0x3a);
                                          				E00411A62(_t142 + 0x24, _t148, _t142 + 0xc,  *(_t142 + 0x7c) + 0x30);
                                          				E00411A62(_t142 + 0x18, _t148, _t142 + 0x24, 0x20);
                                          				E00411A62(_t142 + 0x5c, _t148, _t142 + 0x18, 0x22);
                                          				E00411BE5(_t142 + 0x3c,  *((intOrPtr*)(E00411B08(_t142 - 0x24, E00411B08(_t142 - 0x30, E00411B08(_t142 - 0x3c, _t142 + 0x5c, _t131), L"\" "), _t138))));
                                          				_push( *((intOrPtr*)(_t142 - 0x24)));
                                          				L004191B0();
                                          				_push( *((intOrPtr*)(_t142 - 0x30)));
                                          				L004191B0();
                                          				_push( *((intOrPtr*)(_t142 - 0x3c)));
                                          				L004191B0();
                                          				_push( *((intOrPtr*)(_t142 + 0x5c)));
                                          				L004191B0();
                                          				_push( *((intOrPtr*)(_t142 + 0x18)));
                                          				L004191B0();
                                          				_push( *((intOrPtr*)(_t142 + 0x24)));
                                          				L004191B0();
                                          				_push( *((intOrPtr*)(_t142 + 0xc)));
                                          				L004191B0();
                                          				_push( *_t142);
                                          				L004191B0();
                                          				_push( *((intOrPtr*)(_t142 - 0xc)));
                                          				L004191B0();
                                          				_push( *((intOrPtr*)(_t142 - 0x18)));
                                          				L004191B0();
                                          				 *(_t142 - 0x80) = 0x44;
                                          				GetStartupInfoW(_t142 - 0x80);
                                          				_t83 = CreateProcessW(0,  *(_t142 + 0x3c), 0, 0, 1, 0x1000004, 0,  *0x41e89c, _t142 - 0x80, _t142 + 0x48);
                                          				if(_t83 != 0) {
                                          					_t139 = 0;
                                          					__imp__CreateJobObjectW(0, 0);
                                          					 *(_t142 + 0x7c) = _t83;
                                          					__eflags = _t83;
                                          					if(_t83 == 0) {
                                          						L9:
                                          						ResumeThread( *(_t142 + 0x4c));
                                          						WaitForSingleObject( *(_t142 + 0x48), 0xffffffff);
                                          						L10:
                                          						CloseHandle( *(_t142 + 0x4c));
                                          						_t88 = GetExitCodeProcess( *(_t142 + 0x48), _t142 + 0x6c);
                                          						__eflags = _t88;
                                          						if(_t88 == 0) {
                                          							 *(_t142 + 0x6c) = GetLastError();
                                          						}
                                          						CloseHandle( *(_t142 + 0x48));
                                          						__eflags = _t139;
                                          						if(_t139 != 0) {
                                          							CloseHandle(_t139);
                                          						}
                                          						__eflags =  *(_t142 + 0x7c);
                                          						if( *(_t142 + 0x7c) != 0) {
                                          							CloseHandle( *(_t142 + 0x7c));
                                          						}
                                          						_t140 =  *(_t142 + 0x6c);
                                          						L2:
                                          						_push( *(_t142 + 0x3c));
                                          						L004191B0();
                                          						_push( *((intOrPtr*)(_t142 + 0x30)));
                                          						L004191B0();
                                          						return _t140;
                                          					}
                                          					__imp__AssignProcessToJobObject(_t83,  *(_t142 + 0x48));
                                          					__eflags = _t83;
                                          					if(_t83 == 0) {
                                          						goto L9;
                                          					}
                                          					_t139 = CreateIoCompletionPort(0xffffffff, 0, 1, 0);
                                          					__eflags = _t139;
                                          					if(_t139 == 0) {
                                          						goto L9;
                                          					}
                                          					 *((intOrPtr*)(_t142 + 0x60)) = 1;
                                          					 *(_t142 + 0x64) = _t139;
                                          					__imp__SetInformationJobObject( *(_t142 + 0x7c), 7, _t142 + 0x60, 8);
                                          					ResumeThread( *(_t142 + 0x4c));
                                          					while(1) {
                                          						_t100 = GetQueuedCompletionStatus(_t139, _t142 + 0x70, _t142 + 0x68, _t142 + 0x58, 0xffffffff);
                                          						__eflags = _t100;
                                          						if(_t100 == 0) {
                                          							goto L9;
                                          						}
                                          						__eflags =  *(_t142 + 0x70) - 4;
                                          						if( *(_t142 + 0x70) == 4) {
                                          							goto L10;
                                          						}
                                          					}
                                          					goto L9;
                                          				}
                                          				_t140 = GetLastError();
                                          				goto L2;
                                          			}



                                          APIs
                                            • Part of subcall function 00411B60: ??2@YAPAXI@Z.MSVCRT ref: 00411B68
                                          • GetCommandLineW.KERNEL32(0041A9F0,00000000,00000000), ref: 00401DEC
                                            • Part of subcall function 00411A62: memcpy.MSVCRT ref: 00411A87
                                            • Part of subcall function 00411BE5: ??2@YAPAXI@Z.MSVCRT ref: 00411C17
                                            • Part of subcall function 00411BE5: ??3@YAXPAX@Z.MSVCRT ref: 00411C20
                                            • Part of subcall function 00411BE5: memcpy.MSVCRT ref: 00411C38
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00401E98
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00401EA0
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00401EA8
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00401EB0
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00401EB8
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00401EC0
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00401EC8
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00401ED0
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00401ED8
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00401EE0
                                          • GetStartupInfoW.KERNEL32(?,00000022,?,00000020,?,?,00000000,0000003A,?," -,sfxwaitall), ref: 00401EF3
                                          • CreateProcessW.KERNEL32 ref: 00401F19
                                          • GetLastError.KERNEL32 ref: 00401F23
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00401F2E
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00401F36
                                          • CreateJobObjectW.KERNEL32 ref: 00401F4D
                                          • AssignProcessToJobObject.KERNEL32 ref: 00401F5E
                                          • CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000001,00000000), ref: 00401F6D
                                          • SetInformationJobObject.KERNEL32 ref: 00401F8A
                                          • ResumeThread.KERNEL32(?), ref: 00401F93
                                          • GetQueuedCompletionStatus.KERNEL32(00000000,?,?,?,000000FF), ref: 00401FB6
                                          • ResumeThread.KERNEL32(?), ref: 00401FBF
                                          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00401FCA
                                          • CloseHandle.KERNEL32(?), ref: 00401FD9
                                          • GetExitCodeProcess.KERNEL32 ref: 00401FE2
                                          • GetLastError.KERNEL32 ref: 00401FEC
                                          • CloseHandle.KERNEL32(?), ref: 00401FF8
                                          • CloseHandle.KERNEL32(00000000), ref: 00401FFF
                                          • CloseHandle.KERNEL32(?), ref: 00402009
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: ??3@$CloseHandleObject$CreateProcess$??2@CompletionErrorLastResumeThreadmemcpy$AssignCodeCommandExitInfoInformationLinePortQueuedSingleStartupStatusWait
                                          • String ID: " -$sfxwaitall
                                          • API String ID: 1989023053-3991362806
                                          • Opcode ID: e566511f3f1244429912e64f5e11129c17e8f6d4cb8a3e64d9f7237c38a092ff
                                          • Instruction ID: 5297b6db97987cb25ecf0bcc30189225a2ece590cb556cf519fd76e88c7d76d0
                                          • Opcode Fuzzy Hash: e566511f3f1244429912e64f5e11129c17e8f6d4cb8a3e64d9f7237c38a092ff
                                          • Instruction Fuzzy Hash: 21615A32500109BFDF11AF61DC45DEE7BB9AF04348F14813AFA12A21B1EB39AD95CB59
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 81%
                                          			E00405B8E(void* __esi, WCHAR* _a4) {
                                          				long _v8;
                                          				short _v10;
                                          				short _v12;
                                          				short _v14;
                                          				short _v16;
                                          				long _v24;
                                          				char _v28;
                                          				WCHAR* _v40;
                                          				char _v52;
                                          				void* _t42;
                                          				short _t44;
                                          				short _t45;
                                          				int _t66;
                                          				void* _t72;
                                          				signed int _t74;
                                          				void* _t99;
                                          
                                          				_t99 = __esi;
                                          				_t42 = _a4;
                                          				if( *((short*)(_t42 + 2)) != 0x3a) {
                                          					L11:
                                          					_push(_t42);
                                          					goto L12;
                                          				} else {
                                          					_t3 = _t42 + 4; // 0x120e8
                                          					_t74 =  *_t3 & 0x0000ffff;
                                          					if(_t74 == 0x5c || _t74 == 0x2f) {
                                          						_v16 =  *_t42;
                                          						_t44 = 0x3a;
                                          						_v14 = _t44;
                                          						_t45 = 0x5c;
                                          						_v12 = _t45;
                                          						_v10 = 0;
                                          						_t42 = GetDriveTypeW( &_v16);
                                          						if(_t42 == 3) {
                                          							E0040439D(L"7ZSfx%03x.cmd", __eflags);
                                          							_t42 = CreateFileW(_v40, 0x40000000, 0, 0, 2, 0x80, 0);
                                          							_t72 = _t42;
                                          							__eflags = _t72 - 0xffffffff;
                                          							if(_t72 == 0xffffffff) {
                                          								L9:
                                          								_push(_v40);
                                          								L004191B0();
                                          								_push(_a4);
                                          								L004191B0();
                                          								goto L13;
                                          							} else {
                                          								_push(_t99);
                                          								E00411B60(_t42,  &_v28);
                                          								E00411BE5( &_v28, L":Repeat\r\n");
                                          								E00411CA3( &_v28, L"del \"");
                                          								E00411CE3( &_v28, __eflags,  &_a4);
                                          								E00411CA3( &_v28, L"\"\r\n");
                                          								E00411CA3( &_v28, L"if exist \"");
                                          								E00411CE3( &_v28, __eflags,  &_a4);
                                          								E00411CA3( &_v28, L"\" goto Repeat\r\n");
                                          								E00411CA3( &_v28, L"del \"");
                                          								E00411CE3( &_v28, __eflags,  &_v40);
                                          								E00411CA3( &_v28, L"\"\r\n");
                                          								_t66 = WriteFile(_t72,  *(E00404473( &_v52,  &_v28, __eflags, 1)), _v24,  &_v8, 0);
                                          								_push(_v52);
                                          								L004191B0();
                                          								CloseHandle(_t72);
                                          								__eflags = _t66;
                                          								if(_t66 == 0) {
                                          									L10:
                                          									_t42 = E0040352A(_v40);
                                          									_push(_v28);
                                          									L004191B0();
                                          									_push(_v40);
                                          									L004191B0();
                                          									_push(_a4);
                                          									L004191B0();
                                          								} else {
                                          									__eflags = _v8 - _v24;
                                          									if(_v8 != _v24) {
                                          										goto L10;
                                          									} else {
                                          										SetFileAttributesW(_a4, 0);
                                          										_t42 = ShellExecuteW(0, L"open", _v40, 0, 0, 0);
                                          										_push(_v28);
                                          										L004191B0();
                                          										goto L9;
                                          									}
                                          								}
                                          							}
                                          						} else {
                                          							_push(_a4);
                                          							L12:
                                          							L004191B0();
                                          							L13:
                                          						}
                                          					} else {
                                          						goto L11;
                                          					}
                                          				}
                                          				return _t42;
                                          			}

                                          APIs
                                          • GetDriveTypeW.KERNEL32(?,PreExtract,00000000,?,?,?,?,?,?,?,?,?,?,004070C0,0041E844,PreExtract), ref: 00405BD5
                                            • Part of subcall function 0040439D: GetTempPathW.KERNEL32(00000001,00000000,00000002,PreExtract,0041AA3C,?,00000000,?,00405BF5), ref: 004043BF
                                            • Part of subcall function 0040439D: GetTempPathW.KERNEL32(00000001,00000000,00000001,?,00000000,?,00405BF5), ref: 004043DE
                                            • Part of subcall function 0040439D: wsprintfW.USER32 ref: 00404400
                                            • Part of subcall function 0040439D: GetFileAttributesW.KERNEL32(?,?,?,00405BF5,?,?,?,?,?,?,?,?,?,?,004070C0,0041E844), ref: 00404412
                                          • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00405C09
                                          • WriteFile.KERNEL32(00000000,?,?,0041E844,00000000,00000001,",?,del "," goto Repeat,004070C0,if exist ",",004070C0,del ",:Repeat), ref: 00405CB8
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00405CC3
                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,004070C0,0041E844,PreExtract,0041E89C,00000000), ref: 00405CCA
                                          • SetFileAttributesW.KERNEL32(004070C0,00000000,?,?,?,?,?,?,?,?,?,004070C0,0041E844,PreExtract,0041E89C,00000000), ref: 00405CE1
                                          • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00405CF3
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00405CFC
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00405D05
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00405D0D
                                            • Part of subcall function 00411B60: ??2@YAPAXI@Z.MSVCRT ref: 00411B68
                                            • Part of subcall function 00411BE5: ??2@YAPAXI@Z.MSVCRT ref: 00411C17
                                            • Part of subcall function 00411BE5: ??3@YAXPAX@Z.MSVCRT ref: 00411C20
                                            • Part of subcall function 00411BE5: memcpy.MSVCRT ref: 00411C38
                                            • Part of subcall function 00411CA3: memcpy.MSVCRT ref: 00411CD0
                                            • Part of subcall function 00411CE3: memcpy.MSVCRT ref: 00411D06
                                            • Part of subcall function 00404473: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000001,00000000,00000000,?,00000000,0041E080,00562510,004016D0,0000FDE9,00562510), ref: 004044A6
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00405D20
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00405D28
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00405D30
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00405D3B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: ??3@$File$memcpy$??2@AttributesPathTemp$ByteCharCloseCreateDriveExecuteHandleMultiShellTypeWideWritewsprintf
                                          • String ID: "$" goto Repeat$7ZSfx%03x.cmd$:Repeat$PreExtract$del "$if exist "$open
                                          • API String ID: 1368565367-2062918900
                                          • Opcode ID: 0c86575d6fb5ae679da9a41abb2e0f71b1a769f89626936326f29099c5335130
                                          • Instruction ID: e7338ad49e5ec867d94482016769a831fa3651e0b874e5bd32b93c107b1fbaea
                                          • Opcode Fuzzy Hash: 0c86575d6fb5ae679da9a41abb2e0f71b1a769f89626936326f29099c5335130
                                          • Instruction Fuzzy Hash: BE415031904004BADB05EBA1DC5ADEF7B75EF45304F10806BF602B61A5EB786EC5CB98
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 86%
                                          			E00408F3F(void* __edx) {
                                          				struct HWND__* _v4;
                                          				struct HWND__* _v8;
                                          				void* __ecx;
                                          				signed int _t45;
                                          				signed int _t51;
                                          				long _t53;
                                          				signed int _t67;
                                          				void* _t71;
                                          				void* _t75;
                                          				long _t91;
                                          				int _t95;
                                          				int _t96;
                                          				struct HWND__* _t102;
                                          				struct HWND__* _t103;
                                          				struct HWND__* _t104;
                                          				long _t107;
                                          				intOrPtr* _t108;
                                          				void* _t111;
                                          				void* _t113;
                                          				void* _t126;
                                          				void* _t129;
                                          				void* _t133;
                                          				void* _t135;
                                          				intOrPtr* _t140;
                                          				int _t143;
                                          				long _t147;
                                          
                                          				_t135 = __edx;
                                          				_t140 = _t108;
                                          				 *0x41e784 = 0;
                                          				if(( *0x41e44c & 0x00000200) == 0) {
                                          					_v8 = LoadIconW(GetModuleHandleW(0), 0x65);
                                          					_t95 = GetSystemMetrics(0x32);
                                          					_t96 = GetSystemMetrics(0x31);
                                          					_t107 = LoadImageW(GetModuleHandleW(0), 0x65, 1, _t96, _t95, 0);
                                          					if(_t107 == 0) {
                                          						_t107 = _v8;
                                          					}
                                          					SendMessageW( *(_t140 + 4), 0x80, 1, _v8);
                                          					SendMessageW( *(_t140 + 4), 0x80, 0, _t107);
                                          				}
                                          				if(( *0x41e44c & 0x00004000) != 0) {
                                          					_v8 = GetDlgItem( *(_t140 + 4), 0x4b2);
                                          					_v4 = GetDlgItem( *(_t140 + 4), 0x4b2);
                                          					SetWindowLongW(_v4, 0xfffffff0, GetWindowLongW(_v8, 0xfffffff0) | 0x00000080);
                                          					_v4 = GetDlgItem( *(_t140 + 4), 0x4b5);
                                          					_v8 = GetDlgItem( *(_t140 + 4), 0x4b5);
                                          					_t91 = GetWindowLongW(_v4, 0xfffffff0) | 0x00000080;
                                          					_t147 = _t91;
                                          					SetWindowLongW(_v8, 0xfffffff0, _t91);
                                          				}
                                          				E00407A0F(GetDlgItem( *(_t140 + 4), 0x4b2),  *((intOrPtr*)(_t140 + 0x10)));
                                          				E00408056(_t140, _t147,  *((intOrPtr*)(_t140 + 0xc)));
                                          				_t45 =  *(_t140 + 8) & 0x00000003;
                                          				if(_t45 == 0) {
                                          					_t111 = 0x1b;
                                          					E00408618(_t140, 0x4b3, E00403DC8(_t111));
                                          					_push(0x1c);
                                          					goto L14;
                                          				} else {
                                          					_t71 = _t45 - 1;
                                          					if(_t71 == 0) {
                                          						_t126 = 0x19;
                                          						E00408618(_t140, 0x4b3, E00403DC8(_t126));
                                          						E00407ABB(_t140, 0x4b4, 0);
                                          						L15:
                                          						if( *((intOrPtr*)(_t140 + 0x38)) == 0) {
                                          							_t51 =  *(_t140 + 8) & 0x0000001c;
                                          							__eflags = _t51 - 4;
                                          							if(_t51 == 4) {
                                          								_push(0x65);
                                          								_push(GetModuleHandleW(0));
                                          								L39:
                                          								_t53 = LoadIconW();
                                          								__eflags = _t53;
                                          								if(_t53 == 0) {
                                          									L41:
                                          									 *((intOrPtr*)(_t140 + 0x30)) = 0;
                                          									E00407ABB(_t140, 0x4b1, 0);
                                          									L42:
                                          									__eflags =  *0x41e44c & 0x00000008;
                                          									if(( *0x41e44c & 0x00000008) == 0) {
                                          										E00407F31(_t140);
                                          									}
                                          									 *((intOrPtr*)( *_t140 + 0x28))();
                                          									 *((intOrPtr*)( *_t140 + 0x24))();
                                          									L45:
                                          									E004079B1(_t140, _t135);
                                          									return 0;
                                          								}
                                          								 *((intOrPtr*)(_t140 + 0x30)) = 1;
                                          								SendMessageW(GetDlgItem( *(_t140 + 4), 0x4b1), 0x172, 1, _t53);
                                          								goto L42;
                                          							}
                                          							__eflags = _t51 - 8;
                                          							if(_t51 == 8) {
                                          								_push(0x7f02);
                                          								L34:
                                          								_push(0);
                                          								goto L39;
                                          							}
                                          							__eflags = _t51 - 0xc;
                                          							if(_t51 == 0xc) {
                                          								_push(0x7f01);
                                          								goto L34;
                                          							}
                                          							__eflags = _t51 - 0x10;
                                          							if(_t51 == 0x10) {
                                          								_push(0x7f04);
                                          								goto L34;
                                          							}
                                          							__eflags = _t51 - 0x14;
                                          							if(_t51 != 0x14) {
                                          								goto L41;
                                          							}
                                          							_push(0x7f03);
                                          							goto L34;
                                          						}
                                          						_t143 = 5;
                                          						_t102 = GetWindow( *(_t140 + 4), _t143);
                                          						while(_t102 != 0) {
                                          							E00404C1B(_t102);
                                          							_t102 = GetWindow(_t102, 2);
                                          						}
                                          						while(1) {
                                          							L19:
                                          							_t103 = GetWindow( *(_t140 + 4), _t143);
                                          							while(_t103 != 0) {
                                          								_t67 = E00404C8C(_t103);
                                          								__eflags = _t67;
                                          								if(_t67 != 0) {
                                          									goto L19;
                                          								}
                                          								_t103 = GetWindow(_t103, 2);
                                          							}
                                          							_t104 = GetWindow( *(_t140 + 4), _t143);
                                          							while(_t104 != 0) {
                                          								E00403C19(_t104);
                                          								_t104 = GetWindow(_t104, 2);
                                          							}
                                          							if(( *0x41e44c & 0x00000008) == 0) {
                                          								E00407F31(_t140);
                                          							}
                                          							goto L45;
                                          						}
                                          					}
                                          					_t75 = _t71 - 1;
                                          					if(_t75 == 0) {
                                          						_t129 = 0x1a;
                                          						E00408618(_t140, 0x4b4, E00403DC8(_t129));
                                          						E00407ABB(_t140, 0x4b3, 0);
                                          						E00407894(_t140, 0x4b4);
                                          						goto L15;
                                          					}
                                          					if(_t75 != 1) {
                                          						goto L15;
                                          					}
                                          					_t133 = 0x19;
                                          					E00408618(_t140, 0x4b3, E00403DC8(_t133));
                                          					_push(0x1a);
                                          					L14:
                                          					_pop(_t113);
                                          					E00408618(_t140, 0x4b4, E00403DC8(_t113));
                                          					goto L15;
                                          				}
                                          			}

                                          APIs
                                          • GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040932F), ref: 00408F69
                                          • LoadIconW.USER32 ref: 00408F6C
                                          • GetSystemMetrics.USER32 ref: 00408F80
                                          • GetSystemMetrics.USER32 ref: 00408F85
                                          • GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040932F), ref: 00408F8E
                                          • LoadImageW.USER32 ref: 00408F91
                                          • SendMessageW.USER32(?,00000080,00000001,?), ref: 00408FB1
                                          • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00408FBA
                                            • Part of subcall function 00408618: GetDlgItem.USER32 ref: 00408629
                                            • Part of subcall function 00408618: GetWindowTextLengthW.USER32(00000000), ref: 0040862C
                                            • Part of subcall function 00408618: GetDlgItem.USER32 ref: 00408641
                                            • Part of subcall function 00407ABB: GetDlgItem.USER32 ref: 00407AC8
                                            • Part of subcall function 00407ABB: ShowWindow.USER32(00000000,?), ref: 00407ADF
                                          • GetDlgItem.USER32 ref: 00408FD7
                                          • GetDlgItem.USER32 ref: 00408FE1
                                          • GetWindowLongW.USER32(?,000000F0), ref: 00408FED
                                          • SetWindowLongW.USER32 ref: 00408FFC
                                          • GetDlgItem.USER32 ref: 0040900A
                                          • GetDlgItem.USER32 ref: 00409018
                                          • GetWindowLongW.USER32(000000F0,000000F0), ref: 00409024
                                          • SetWindowLongW.USER32 ref: 00409033
                                          • GetDlgItem.USER32 ref: 00409040
                                          • GetWindow.USER32(?,00000005), ref: 0040911F
                                          • GetWindow.USER32(?,00000005), ref: 0040913B
                                          • GetWindow.USER32(?,00000005), ref: 00409153
                                          • GetModuleHandleW.KERNEL32(00000000,00000065,000004B4,00000000,000004B3,00000000,00000000,?,?,?,?,?,0040932F), ref: 004091B3
                                          • LoadIconW.USER32 ref: 004091BA
                                          • GetDlgItem.USER32 ref: 004091D9
                                          • SendMessageW.USER32(00000000), ref: 004091DC
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: ItemWindow$Long$HandleLoadMessageModuleSend$IconMetricsSystem$ImageLengthShowText
                                          • String ID:
                                          • API String ID: 4137352925-0
                                          • Opcode ID: ce9f75e029d06e7367fd13abbf1c97b27e9b6aa4c7e0128f4e9ec34cf0a6066f
                                          • Instruction ID: 55e12659e9cef202b758582d1d7e0fb50da9d044521ae722c1703057fdaec8c6
                                          • Opcode Fuzzy Hash: ce9f75e029d06e7367fd13abbf1c97b27e9b6aa4c7e0128f4e9ec34cf0a6066f
                                          • Instruction Fuzzy Hash: DD71D5703447067BEA256B218D4AF2F3A99DB84704F10483EF652BA2D3CB7DDC019A5E
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 90%
                                          			E00404C8C(struct HWND__* __ecx) {
                                          				struct HWND__* _v8;
                                          				intOrPtr _v12;
                                          				void* _v16;
                                          				char _v28;
                                          				long _v40;
                                          				intOrPtr _v44;
                                          				intOrPtr _v48;
                                          				int _v52;
                                          				int _v56;
                                          				char _v120;
                                          				signed char _t30;
                                          				struct HWND__* _t33;
                                          				struct HMENU__* _t36;
                                          				struct HWND__* _t53;
                                          				struct HWND__* _t67;
                                          
                                          				_t67 = __ecx;
                                          				if(GetClassNameA(__ecx,  &_v120, 0x40) == 0 || lstrcmpiA( &_v120, "STATIC") != 0) {
                                          					L5:
                                          					return 0;
                                          				} else {
                                          					_t30 = GetWindowLongW(_t67, 0xfffffff0);
                                          					_t71 = _t30 & 0x0000000e;
                                          					if((_t30 & 0x0000000e) != 0) {
                                          						goto L5;
                                          					}
                                          					E00404BDD( &_v28, _t67, _t71);
                                          					if(E0040386E(_v28, L"{\\rtf", 5) == 0) {
                                          						_t33 = GetParent(_t67);
                                          						_v8 = _t33;
                                          						__eflags = _t33;
                                          						if(_t33 == 0) {
                                          							goto L4;
                                          						}
                                          						LoadLibraryA("riched20");
                                          						E004039BC(_t67,  &_v56);
                                          						_t36 = GetMenu(_t67);
                                          						SetThreadLocale(0x419);
                                          						_t53 = CreateWindowExW(0, L"RichEdit20W", 0x41aa3c, 0x50000804, _v56, _v52, _v48 - _v56, _v44 - _v52, _v8, _t36, 0, 0);
                                          						__eflags = _t53;
                                          						if(__eflags == 0) {
                                          							goto L4;
                                          						}
                                          						DestroyWindow(_t67);
                                          						SendMessageW(_t53, 0x459, 0x22, 0);
                                          						SendMessageW(_t53, 0x443, 0, GetSysColor(0xf));
                                          						_v12 = 0xfde9;
                                          						_v16 = 0;
                                          						E00404473( &_v40,  &_v28, __eflags, 0xfde9);
                                          						SendMessageW(_t53, 0x461,  &_v16, _v40);
                                          						_push(_v40);
                                          						L004191B0();
                                          						_push(_v28);
                                          						L004191B0();
                                          						return _t53;
                                          					}
                                          					L4:
                                          					_push(_v28);
                                          					L004191B0();
                                          					goto L5;
                                          				}
                                          			}



















                                          APIs
                                          • GetClassNameA.USER32(?,?,00000040), ref: 00404C9E
                                          • lstrcmpiA.KERNEL32(?,STATIC,?,?,00000040), ref: 00404CB1
                                          • GetWindowLongW.USER32(?,000000F0), ref: 00404CBE
                                            • Part of subcall function 00404BDD: GetWindowTextLengthW.USER32(?), ref: 00404BEA
                                            • Part of subcall function 00404BDD: GetWindowTextW.USER32 ref: 00404C04
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00404CE8
                                          • GetParent.USER32 ref: 00404CF6
                                          • LoadLibraryA.KERNEL32(riched20,?,00000005,?,000000F0,?,?,00000040), ref: 00404D0A
                                          • GetMenu.USER32 ref: 00404D1B
                                          • SetThreadLocale.KERNEL32(00000419,?,?,00000005,?,000000F0,?,?,00000040), ref: 00404D28
                                          • CreateWindowExW.USER32 ref: 00404D58
                                          • DestroyWindow.USER32(?,?,?,00000005,?,000000F0,?,?,00000040), ref: 00404D65
                                          • SendMessageW.USER32(00000000,00000459,00000022,00000000), ref: 00404D7A
                                          • GetSysColor.USER32(0000000F), ref: 00404D7E
                                          • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00404D8C
                                          • SendMessageW.USER32(00000000,00000461,?,?), ref: 00404DB2
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00404DB7
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00404DBF
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: Window$??3@MessageSend$Text$ClassColorCreateDestroyLengthLibraryLoadLocaleLongMenuNameParentThreadlstrcmpi
                                          • String ID: RichEdit20W$STATIC$riched20${\rtf
                                          • API String ID: 3514532227-2281146334
                                          • Opcode ID: e72aaa8312c17fcdb26c405245bda3f747dc04445d0e783caa9bb71e4a574178
                                          • Instruction ID: 47a03a17b0e693a7b9506e1f1950c79874d349430206e003879b4e45598c68c3
                                          • Opcode Fuzzy Hash: e72aaa8312c17fcdb26c405245bda3f747dc04445d0e783caa9bb71e4a574178
                                          • Instruction Fuzzy Hash: 4131C271A02119BFDB01ABA1DD49EEF7B7DEF44704F10402AF601B2291DB794E508B6D
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 90%
                                          			E0040206F(signed int* __ecx, intOrPtr __edx, signed int _a4, intOrPtr _a8, signed int _a12) {
                                          				signed int _v5;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				intOrPtr _v20;
                                          				char _v32;
                                          				char _v44;
                                          				char _v56;
                                          				char _v68;
                                          				char _v80;
                                          				char _v92;
                                          				char _v104;
                                          				char _v120;
                                          				void* _t55;
                                          				signed int _t59;
                                          				signed int _t60;
                                          				signed int _t61;
                                          				signed int _t62;
                                          				signed int _t63;
                                          				signed int _t64;
                                          				signed int _t65;
                                          				signed int _t66;
                                          				signed int _t75;
                                          				long _t77;
                                          				long _t80;
                                          				signed int _t88;
                                          				signed int _t149;
                                          				signed int* _t151;
                                          				signed int _t152;
                                          				signed int _t155;
                                          				signed int _t156;
                                          				void* _t157;
                                          
                                          				_t151 = __ecx;
                                          				_t159 = 0;
                                          				_v20 = __edx;
                                          				_v12 = 0;
                                          				E00411B60(_t55,  &_v32);
                                          				E0040433D( &_v120, __edx, 0, _v20);
                                          				_v16 = 0;
                                          				_v5 = 0;
                                          				E0040562E(_t151, 0);
                                          				_t152 =  *_t151;
                                          				while(1) {
                                          					L1:
                                          					_t59 = E00404139(_t152, _t159, 0);
                                          					_t159 = _t59;
                                          					if(_t59 != 0) {
                                          						break;
                                          					}
                                          					_t60 = E00404139(_t152, __eflags, 0);
                                          					__eflags = _t60;
                                          					if(__eflags != 0) {
                                          						_v12 = _v12 | 0x00000001;
                                          						_t152 = _t60;
                                          						continue;
                                          					}
                                          					_t61 = E00404139(_t152, __eflags, 0);
                                          					__eflags = _t61;
                                          					if(__eflags != 0) {
                                          						_t152 = _t61;
                                          						__eflags =  *0x41e740; // 0x1
                                          						if(__eflags != 0) {
                                          							L10:
                                          							_v12 = _v12 | 0x00010000;
                                          						}
                                          						continue;
                                          						L11:
                                          						_t63 = E00404139(_t152, __eflags, 2);
                                          						_t149 = _t63;
                                          						__eflags = _t149;
                                          						if(__eflags != 0) {
                                          							__eflags =  *0x41e458 - 0xffffffff;
                                          							if(__eflags == 0) {
                                          								_t156 = _t152 + 4;
                                          								__eflags = _t156;
                                          								__imp___wtol(_t156);
                                          								 *0x41e458 = _t63;
                                          							}
                                          							_t152 = _t149;
                                          							continue;
                                          						}
                                          						_t64 = E00404139(_t152, __eflags, 3);
                                          						__eflags = _t64;
                                          						if(__eflags != 0) {
                                          							L17:
                                          							_t152 = _t64;
                                          							continue;
                                          						}
                                          						_t64 = E00404139(_t152, __eflags, 3);
                                          						__eflags = _t64;
                                          						if(__eflags != 0) {
                                          							goto L17;
                                          						}
                                          						_t65 = E004041BE(_t152, __eflags);
                                          						__eflags = _t65;
                                          						if(__eflags != 0) {
                                          							_t152 = _t65;
                                          							_v16 = 1;
                                          							continue;
                                          						}
                                          						_t66 = E00404226(_t152, __eflags);
                                          						__eflags = _t66;
                                          						if(__eflags != 0) {
                                          							_t152 = _t66;
                                          							_v16 = 2;
                                          							continue;
                                          						}
                                          						_t150 = "\"";
                                          						__eflags = _a4;
                                          						if(_a4 == 0) {
                                          							E00411C48( &_v32, _a8);
                                          							goto L29;
                                          						} else {
                                          							__eflags =  *_t152 - 0x22;
                                          							if( *_t152 == 0x22) {
                                          								E00411BE5( &_v32, _t152);
                                          							} else {
                                          								E00411BE5( &_v32, "\"");
                                          								E00411CA3( &_v32, _t152);
                                          								E00411CA3( &_v32, "\"");
                                          							}
                                          							_t152 = E00405041();
                                          							__eflags = _t152;
                                          							if(_t152 != 0) {
                                          								E00411CA3( &_v32, " ");
                                          								L29:
                                          								_t68 = E00411CA3( &_v32, _t152);
                                          							}
                                          						}
                                          						E00411B60(_t68,  &_v56);
                                          						E00411B84( &_v44, E0040310A(_v32,  &_v56));
                                          						E0040562E( &_v56, __eflags);
                                          						__eflags =  *0x41e8d8; // 0x0
                                          						if(__eflags == 0) {
                                          							_t75 = E00401C91(_v16);
                                          							__eflags = _t75;
                                          							if(_t75 == 0) {
                                          								goto L42;
                                          							} else {
                                          								_t155 = _a12;
                                          								__eflags =  *_t155;
                                          								if(__eflags != 0) {
                                          									E00411CA3( &_v44, _t155);
                                          									while(1) {
                                          										__eflags =  *_t155;
                                          										if(__eflags == 0) {
                                          											goto L36;
                                          										}
                                          										_t155 = _t155 + 2;
                                          										__eflags = _t155;
                                          									}
                                          								}
                                          								L36:
                                          								E0040562E( &_v44, __eflags);
                                          								__eflags = _v5;
                                          								if(__eflags != 0) {
                                          									_t144 = _v44;
                                          									_t77 = E00401DCA(_v56, _v44, __eflags, _v12);
                                          									__eflags = _t77;
                                          									if(_t77 != 0) {
                                          										SetLastError(_t77);
                                          										goto L44;
                                          									} else {
                                          										goto L41;
                                          									}
                                          								} else {
                                          									E00411B84( &_v68,  *((intOrPtr*)(E00411AEC( &_v80, E00411B08( &_v92, E00411B32( &_v104, _t150,  &_v56), L"\" "),  &_v44))));
                                          									_push(_v80);
                                          									L004191B0();
                                          									_push(_v92);
                                          									L004191B0();
                                          									_push(_v104);
                                          									L004191B0();
                                          									_t144 = _v12;
                                          									_t157 = _t157 + 0xc;
                                          									_t88 = E00401CC0(_v68, _v12, __eflags, _v20);
                                          									_push(_v68);
                                          									__eflags = _t88;
                                          									if(_t88 == 0) {
                                          										L004191B0();
                                          										L44:
                                          										__eflags =  *0x41e774 & 0x00000010;
                                          										if(( *0x41e774 & 0x00000010) == 0) {
                                          											L46:
                                          											E0040976C(_t144, 1, 0x10, _v32);
                                          										} else {
                                          											_t80 = GetLastError();
                                          											__eflags = _t80 - 0x4c7;
                                          											if(_t80 != 0x4c7) {
                                          												goto L46;
                                          											}
                                          										}
                                          										E00405B62();
                                          										_push(9);
                                          										_pop(1);
                                          									} else {
                                          										L004191B0();
                                          										L41:
                                          										E00401C35();
                                          										goto L42;
                                          									}
                                          								}
                                          							}
                                          						}
                                          						_push(_v44);
                                          						L004191B0();
                                          						_push(_v56);
                                          						L004191B0();
                                          						E004030B1( &_v120);
                                          						_push(_v32);
                                          						L004191B0();
                                          						return 1;
                                          					}
                                          					_t62 = E00404139(_t152, __eflags, 0);
                                          					__eflags = _t62;
                                          					if(__eflags != 0) {
                                          						_t152 = _t62;
                                          						goto L10;
                                          					}
                                          					goto L11;
                                          				}
                                          				_t152 = _t59;
                                          				_v5 = 1;
                                          				goto L1;
                                          			}


































                                          0x004021ab
                                          0x004021f7
                                          0x00000000
                                          0x004021ad
                                          0x004021ad
                                          0x004021b1
                                          0x004021ce
                                          0x004021b3
                                          0x004021b4
                                          0x004021bd
                                          0x004021c6
                                          0x004021c6
                                          0x004021df
                                          0x004021e1
                                          0x004021e3
                                          0x004021ed
                                          0x004021fc
                                          0x00402200
                                          0x00402200
                                          0x004021e3
                                          0x00402208
                                          0x0040221c
                                          0x00402224
                                          0x00402229
                                          0x0040222f
                                          0x00402238
                                          0x0040223d
                                          0x0040223f
                                          0x00000000
                                          0x00402245
                                          0x00402245
                                          0x00402248
                                          0x0040224b
                                          0x00402251
                                          0x0040225b
                                          0x0040225b
                                          0x0040225e
                                          0x00000000
                                          0x00000000
                                          0x00402258
                                          0x00402258
                                          0x00402258
                                          0x0040225b
                                          0x00402260
                                          0x00402263
                                          0x00402268
                                          0x0040226b
                                          0x004022e5
                                          0x004022eb
                                          0x004022f0
                                          0x004022f2
                                          0x004022ff
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x0040226d
                                          0x0040229d
                                          0x004022a2
                                          0x004022a5
                                          0x004022aa
                                          0x004022ad
                                          0x004022b2
                                          0x004022b5
                                          0x004022ba
                                          0x004022c0
                                          0x004022c6
                                          0x004022cb
                                          0x004022ce
                                          0x004022d0
                                          0x004022da
                                          0x00402305
                                          0x00402305
                                          0x0040230c
                                          0x0040231b
                                          0x00402322
                                          0x0040230e
                                          0x0040230e
                                          0x00402314
                                          0x00402319
                                          0x00000000
                                          0x00000000
                                          0x00402319
                                          0x0040232a
                                          0x0040232f
                                          0x00402331
                                          0x004022d2
                                          0x004022d2
                                          0x004022f4
                                          0x004022f4
                                          0x00000000
                                          0x004022f4
                                          0x004022d0
                                          0x0040226b
                                          0x0040223f
                                          0x00402332
                                          0x00402335
                                          0x0040233a
                                          0x0040233d
                                          0x00402347
                                          0x0040234c
                                          0x0040234f
                                          0x0040235b
                                          0x0040235b
                                          0x004020fb
                                          0x00402100
                                          0x00402102
                                          0x00402104
                                          0x00000000
                                          0x00402104
                                          0x00000000
                                          0x00402102
                                          0x004020b5
                                          0x004020b7
                                          0x00000000

                                          APIs
                                            • Part of subcall function 00411B60: ??2@YAPAXI@Z.MSVCRT ref: 00411B68
                                            • Part of subcall function 0040433D: GetCurrentDirectoryW.KERNEL32(00000000,00000000,0041E89C,?,?,00000000,00402095,00000000,0041E89C,?,00000000), ref: 0040435B
                                            • Part of subcall function 0040433D: GetCurrentDirectoryW.KERNEL32(00000000,00000000,00000000,?,00000000,00402095,00000000,0041E89C,?,00000000), ref: 0040436E
                                          • _wtol.MSVCRT(?,00000002,00000000,00000000,00000000,00000000,00000000,0041E89C,?,00000000), ref: 00402130
                                            • Part of subcall function 00411BE5: ??2@YAPAXI@Z.MSVCRT ref: 00411C17
                                            • Part of subcall function 00411BE5: ??3@YAXPAX@Z.MSVCRT ref: 00411C20
                                            • Part of subcall function 00411BE5: memcpy.MSVCRT ref: 00411C38
                                            • Part of subcall function 00411C48: ??2@YAPAXI@Z.MSVCRT ref: 00411C70
                                            • Part of subcall function 00411C48: ??3@YAXPAX@Z.MSVCRT ref: 00411C79
                                            • Part of subcall function 00411C48: memcpy.MSVCRT ref: 00411C93
                                            • Part of subcall function 00411CA3: memcpy.MSVCRT ref: 00411CD0
                                            • Part of subcall function 00411B84: memcpy.MSVCRT ref: 00411BAA
                                          • ??3@YAXPAX@Z.MSVCRT ref: 004022A5
                                          • ??3@YAXPAX@Z.MSVCRT ref: 004022AD
                                          • ??3@YAXPAX@Z.MSVCRT ref: 004022B5
                                          • ??3@YAXPAX@Z.MSVCRT ref: 004022D2
                                          • ??3@YAXPAX@Z.MSVCRT ref: 004022DA
                                            • Part of subcall function 00401DCA: GetCommandLineW.KERNEL32(0041A9F0,00000000,00000000), ref: 00401DEC
                                            • Part of subcall function 00401DCA: ??3@YAXPAX@Z.MSVCRT ref: 00401E98
                                            • Part of subcall function 00401DCA: ??3@YAXPAX@Z.MSVCRT ref: 00401EA0
                                            • Part of subcall function 00401DCA: ??3@YAXPAX@Z.MSVCRT ref: 00401EA8
                                            • Part of subcall function 00401DCA: ??3@YAXPAX@Z.MSVCRT ref: 00401EB0
                                            • Part of subcall function 00401DCA: ??3@YAXPAX@Z.MSVCRT ref: 00401EB8
                                            • Part of subcall function 00401DCA: ??3@YAXPAX@Z.MSVCRT ref: 00401EC0
                                            • Part of subcall function 00401DCA: ??3@YAXPAX@Z.MSVCRT ref: 00401EC8
                                            • Part of subcall function 00401DCA: ??3@YAXPAX@Z.MSVCRT ref: 00401ED0
                                            • Part of subcall function 00401DCA: ??3@YAXPAX@Z.MSVCRT ref: 00401ED8
                                            • Part of subcall function 00401DCA: ??3@YAXPAX@Z.MSVCRT ref: 00401EE0
                                            • Part of subcall function 00401DCA: GetStartupInfoW.KERNEL32(?,00000022,?,00000020,?,?,00000000,0000003A,?," -,sfxwaitall), ref: 00401EF3
                                          • SetLastError.KERNEL32(00000000,?,00000000,?,?,00000003,00000003,00000002,00000000,00000000,00000000,00000000,00000000,0041E89C,?,00000000), ref: 004022FF
                                          • GetLastError.KERNEL32(00000000,0041E89C,?,00000000), ref: 0040230E
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00402335
                                          • ??3@YAXPAX@Z.MSVCRT ref: 0040233D
                                          • ??3@YAXPAX@Z.MSVCRT ref: 0040234F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: ??3@$memcpy$??2@$CurrentDirectoryErrorLast$CommandInfoLineStartup_wtol
                                          • String ID: ExecuteParameters$del$forcenowait$hidcon$nowait$shc$waitall
                                          • API String ID: 3919891259-4019298132
                                          • Opcode ID: ab93e4e1c81fb8d04f5218336e0690b5fd4563398a4e50450c9fbd8beacf1c30
                                          • Instruction ID: bb106943ed3ca53a05403cb5435deaebd1a3063295b86531880bb6a0f43f7546
                                          • Opcode Fuzzy Hash: ab93e4e1c81fb8d04f5218336e0690b5fd4563398a4e50450c9fbd8beacf1c30
                                          • Instruction Fuzzy Hash: 2381C171E04115ABCB15BBA1D9595EE77B5AF40308F24403FE602772E1EABC1D82D78E
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 89%
                                          			E00403AD9(void* __ecx) {
                                          				struct HDC__* _v8;
                                          				struct HDC__* _v12;
                                          				void* _v16;
                                          				int _v20;
                                          				void* _v24;
                                          				void* _v28;
                                          				int _v44;
                                          				int _v48;
                                          				void _v52;
                                          				struct HDC__* _t37;
                                          				int _t38;
                                          				int _t39;
                                          				int _t62;
                                          				struct HDC__* _t63;
                                          
                                          				_v16 = __ecx;
                                          				_t37 = GetWindowDC(0);
                                          				_v8 = _t37;
                                          				_t38 = GetDeviceCaps(_t37, 0x58);
                                          				if(_t38 < 1) {
                                          					_t38 = 0x60;
                                          				}
                                          				_t39 = MulDiv(_t38, 0x64, 0x60);
                                          				if(_t39 < 0x76) {
                                          					if(_t39 <= 0x91) {
                                          						ReleaseDC(0, _v8);
                                          						return CopyImage(_v16, 0, 0, 0, 0);
                                          					}
                                          					goto L6;
                                          				} else {
                                          					if(_t39 > 0x91) {
                                          						L6:
                                          						_push(3);
                                          						_v12 = 2;
                                          						L7:
                                          						_pop(_t62);
                                          						GetObjectW(_v16, 0x18,  &_v52);
                                          						_v24 = MulDiv(_v48, _t62, _v12);
                                          						_v20 = MulDiv(_v44, _t62, _v12);
                                          						_v12 = CreateCompatibleDC(_v8);
                                          						_t63 = CreateCompatibleDC(_v8);
                                          						_v16 = SelectObject(_v12, _v16);
                                          						_v28 = SelectObject(_t63, CreateCompatibleBitmap(_v8, _v24, _v20));
                                          						SetStretchBltMode(_t63, 4);
                                          						StretchBlt(_t63, 0, 0, _v24, _v20, _v12, 0, 0, _v48, _v44, 0xcc0020);
                                          						_v24 = GetCurrentObject(_t63, 7);
                                          						SelectObject(_v12, _v16);
                                          						SelectObject(_t63, _v28);
                                          						DeleteDC(_v12);
                                          						DeleteDC(_t63);
                                          						ReleaseDC(0, _v8);
                                          						return _v24;
                                          					}
                                          					_push(4);
                                          					_v12 = 3;
                                          					goto L7;
                                          				}
                                          			}


















                                          APIs
                                          • GetWindowDC.USER32(00000000), ref: 00403AE8
                                          • GetDeviceCaps.GDI32(00000000,00000058), ref: 00403AF4
                                          • MulDiv.KERNEL32(00000000,00000064,00000060), ref: 00403B0D
                                          • GetObjectW.GDI32(?,00000018,?), ref: 00403B44
                                          • MulDiv.KERNEL32(?,00000003,00000002), ref: 00403B51
                                          • MulDiv.KERNEL32(?,00000003,00000002), ref: 00403B5D
                                          • CreateCompatibleDC.GDI32(?), ref: 00403B6B
                                          • CreateCompatibleDC.GDI32(?), ref: 00403B73
                                          • SelectObject.GDI32(00000002,?), ref: 00403B83
                                          • CreateCompatibleBitmap.GDI32(?,?,?), ref: 00403B91
                                          • SelectObject.GDI32(00000000,00000000), ref: 00403B99
                                          • SetStretchBltMode.GDI32(00000000,00000004), ref: 00403BA1
                                          • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000002,00000000,00000000,?,?,00CC0020), ref: 00403BC0
                                          • GetCurrentObject.GDI32(00000000,00000007), ref: 00403BC9
                                          • SelectObject.GDI32(00000002,?), ref: 00403BD8
                                          • SelectObject.GDI32(00000000,?), ref: 00403BDE
                                          • DeleteDC.GDI32(00000002), ref: 00403BE9
                                          • DeleteDC.GDI32(00000000), ref: 00403BEC
                                          • ReleaseDC.USER32 ref: 00403BF2
                                          • ReleaseDC.USER32 ref: 00403C01
                                          • CopyImage.USER32 ref: 00403C0E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: Object$Select$CompatibleCreate$DeleteReleaseStretch$BitmapCapsCopyCurrentDeviceImageModeWindow
                                          • String ID:
                                          • API String ID: 3462224810-0
                                          • Opcode ID: 82980da23295317485c8058d9f32326a8285abc7e5f11a3e30116cecc0f103df
                                          • Instruction ID: a0072e5f292db19c94c8224914de7ba953a02d223df6358cf2059d22beae88df
                                          • Opcode Fuzzy Hash: 82980da23295317485c8058d9f32326a8285abc7e5f11a3e30116cecc0f103df
                                          • Instruction Fuzzy Hash: AE410675C01218BFDF129FE1DC49EEEBF79EB08365F108066F600B2161C7764A60AB65
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 93%
                                          			E00401765(void* __eflags) {
                                          				signed short* _v8;
                                          				WCHAR* _v12;
                                          				char _v24;
                                          				char _v36;
                                          				char _v48;
                                          				char _v60;
                                          				void* _t65;
                                          				signed int _t69;
                                          				signed int _t70;
                                          				signed int _t71;
                                          				WCHAR* _t92;
                                          				WCHAR* _t95;
                                          				WCHAR* _t96;
                                          				WCHAR* _t97;
                                          				signed int _t99;
                                          				WCHAR* _t103;
                                          				signed short* _t105;
                                          				signed int _t106;
                                          				signed int _t107;
                                          				signed short* _t108;
                                          				signed int _t143;
                                          				signed int _t150;
                                          				char _t151;
                                          				WCHAR* _t164;
                                          				WCHAR* _t167;
                                          
                                          				_t167 =  *0x41e7cc; // 0x562510
                                          				E00411B60(_t65,  &_v24);
                                          				_v8 = _t167;
                                          				_v12 =  &(_t167[lstrlenW(_t167)]);
                                          				_t69 =  *_t167 & 0x0000ffff;
                                          				while(_t69 != 0) {
                                          					__eflags = _t69 - 0x20;
                                          					if(_t69 <= 0x20) {
                                          						_t6 =  &_v8;
                                          						 *_t6 =  &(_v8[1]);
                                          						__eflags =  *_t6;
                                          						_t69 =  *_v8 & 0x0000ffff;
                                          						continue;
                                          					}
                                          					L6:
                                          					while( *_t167 <= 0x20) {
                                          						while(1) {
                                          							_t70 =  *_t167 & 0x0000ffff;
                                          							if(_t70 == 0) {
                                          								break;
                                          							}
                                          							__eflags = _t70 - 0x20;
                                          							if(_t70 <= 0x20) {
                                          								_t167 =  &(_t167[1]);
                                          								__eflags = _t167;
                                          								continue;
                                          							}
                                          							break;
                                          						}
                                          						_t71 =  *_t167 & 0x0000ffff;
                                          						if(_t71 == 0x2f || _t71 == 0x2d) {
                                          							if(_t167[1] == 0x21) {
                                          								_t164 = _t167;
                                          								_t167 =  &(_t167[2]);
                                          								__eflags = _t164;
                                          								if(_t164 == 0) {
                                          									goto L67;
                                          								}
                                          								goto L68;
                                          							} else {
                                          								_t10 =  &(_t167[1]); // 0x562510
                                          								if(E004030D4(_t10, L"ai") == 0) {
                                          									_t12 =  &(_t167[1]); // 0x562510
                                          									__eflags = E004030D4(_t12, L"om");
                                          									if(__eflags == 0) {
                                          										_t14 =  &(_t167[1]); // 0x562510
                                          										_t92 = E004030D4(_t14, L"gm");
                                          										__eflags = _t92;
                                          										if(_t92 == 0) {
                                          											_t17 =  &(_t167[1]); // 0x562510
                                          											__eflags = E004030D4(_t17, L"gf");
                                          											if(__eflags == 0) {
                                          												_t19 =  &(_t167[1]); // 0x562510
                                          												__eflags = E004030D4(_t19, L"mf");
                                          												if(__eflags == 0) {
                                          													_t21 =  &(_t167[1]); // 0x562510
                                          													_t95 = E004030D4(_t21, L"sd");
                                          													__eflags = _t95;
                                          													if(_t95 == 0) {
                                          														_t24 =  &(_t167[1]); // 0x562510
                                          														_t96 = E004030D4(_t24, L"nr");
                                          														__eflags = _t96;
                                          														if(_t96 == 0) {
                                          															_t26 =  &(_t167[1]); // 0x562510
                                          															_t97 = E004030D4(_t26, L"fm");
                                          															__eflags = _t97;
                                          															if(_t97 == 0) {
                                          																_t28 =  &(_t167[1]); // 0x562510
                                          																__eflags = E004030D4(_t28, L"bpt");
                                          																if(__eflags == 0) {
                                          																	_t99 = _t167[1] & 0x0000ffff;
                                          																	__eflags = _t99 - 0x70;
                                          																	if(_t99 == 0x70) {
                                          																		L65:
                                          																		E00411B60(_t99,  &_v36);
                                          																		_t35 =  &(_t167[2]); // 0x562512
                                          																		_t38 = E0040310A(_t35,  &_v36) - 2; // -2
                                          																		_t167 = _t38;
                                          																		E00411BE5(0x41e708, _v36);
                                          																		_push(_v36);
                                          																		 *0x41e700 = 1;
                                          																		L004191B0();
                                          																		continue;
                                          																	} else {
                                          																		__eflags = _t99 - 0x50;
                                          																		if(_t99 == 0x50) {
                                          																			goto L65;
                                          																		} else {
                                          																			__eflags = _t99 - 0x79;
                                          																			if(_t99 == 0x79) {
                                          																				L55:
                                          																				__eflags = _t167[2] - 0x20;
                                          																				if(_t167[2] > 0x20) {
                                          																					goto L57;
                                          																				} else {
                                          																					 *0x41e7c9 = 1;
                                          																					continue;
                                          																				}
                                          																			} else {
                                          																				__eflags = _t99 - 0x59;
                                          																				if(_t99 != 0x59) {
                                          																					L57:
                                          																					__eflags = _t99 - 0x3f;
                                          																					if(_t99 == 0x3f) {
                                          																						L60:
                                          																						__eflags = _t167[2] - 0x20;
                                          																						if(_t167[2] > 0x20) {
                                          																							goto L62;
                                          																						} else {
                                          																							 *0x41e7cb = 1;
                                          																							continue;
                                          																						}
                                          																					} else {
                                          																						__eflags = _t99 - 0x68;
                                          																						if(_t99 == 0x68) {
                                          																							goto L60;
                                          																						} else {
                                          																							__eflags = _t99 - 0x48;
                                          																							if(_t99 != 0x48) {
                                          																								L62:
                                          																								_t33 =  &(_t167[1]); // 0x562510
                                          																								_t103 = E0040161A(_t33);
                                          																								__eflags = _t103;
                                          																								if(_t103 == 0) {
                                          																									goto L67;
                                          																								} else {
                                          																									__eflags = _t103 - 1;
                                          																									if(_t103 == 1) {
                                          																										_t167 = 0;
                                          																										__eflags = 0;
                                          																									} else {
                                          																										_t167 = _t103;
                                          																										continue;
                                          																									}
                                          																								}
                                          																							} else {
                                          																								goto L60;
                                          																							}
                                          																						}
                                          																					}
                                          																				} else {
                                          																					goto L55;
                                          																				}
                                          																			}
                                          																		}
                                          																	}
                                          																} else {
                                          																	_t29 =  &(_t167[4]); // 0x562516
                                          																	_t163 = _t29;
                                          																	goto L50;
                                          																}
                                          															} else {
                                          																_t27 =  &(_t167[3]); // 0x562514
                                          																_t105 = _t27;
                                          																_t143 =  *_t105 & 0x0000ffff;
                                          																__eflags = _t143 - 0x30;
                                          																if(_t143 < 0x30) {
                                          																	goto L67;
                                          																} else {
                                          																	__eflags = _t143 - 0x39;
                                          																	if(_t143 > 0x39) {
                                          																		goto L67;
                                          																	} else {
                                          																		__imp___wtol(_t105);
                                          																		 *0x41e458 = _t105;
                                          																		continue;
                                          																	}
                                          																}
                                          															}
                                          														} else {
                                          															__eflags = _t167[3] - 0x20;
                                          															if(_t167[3] > 0x20) {
                                          																goto L67;
                                          															} else {
                                          																 *0x41e7ca = 1;
                                          																continue;
                                          															}
                                          														}
                                          													} else {
                                          														_t22 =  &(_t167[3]); // 0x562514
                                          														_t163 = _t22;
                                          														_t106 =  *_t22 & 0x0000ffff;
                                          														__eflags = _t106 - 0x30;
                                          														if(_t106 == 0x30) {
                                          															L39:
                                          															__eflags = _t167[4] - 0x20;
                                          															if(__eflags > 0) {
                                          																goto L67;
                                          															} else {
                                          																goto L50;
                                          															}
                                          														} else {
                                          															__eflags = _t106 - 0x31;
                                          															if(_t106 != 0x31) {
                                          																goto L67;
                                          															} else {
                                          																goto L39;
                                          															}
                                          														}
                                          													}
                                          												} else {
                                          													_t20 =  &(_t167[3]); // 0x562514
                                          													_t163 = _t20;
                                          													goto L50;
                                          												}
                                          											} else {
                                          												_t18 =  &(_t167[3]); // 0x562514
                                          												_t163 = _t18;
                                          												goto L50;
                                          											}
                                          										} else {
                                          											_t15 =  &(_t167[3]); // 0x562514
                                          											_t163 = _t15;
                                          											_t107 =  *_t15 & 0x0000ffff;
                                          											__eflags = _t107 - 0x30;
                                          											if(_t107 < 0x30) {
                                          												goto L67;
                                          											} else {
                                          												__eflags = _t107 - 0x32;
                                          												if(_t107 > 0x32) {
                                          													goto L67;
                                          												} else {
                                          													__eflags = _t167[4] - 0x20;
                                          													if(__eflags > 0) {
                                          														goto L67;
                                          													} else {
                                          														goto L50;
                                          													}
                                          												}
                                          											}
                                          										}
                                          									} else {
                                          										_t13 =  &(_t167[3]); // 0x562514
                                          										_t163 = _t13;
                                          										L50:
                                          										E0040170F(_t163, __eflags);
                                          										continue;
                                          									}
                                          								} else {
                                          									_t11 =  &(_t167[3]); // 0x562514
                                          									_t108 = _t11;
                                          									_t150 =  *_t108 & 0x0000ffff;
                                          									if(_t150 < 0x30 || _t150 > 0x39) {
                                          										if(_t150 < 0x61 || _t150 > 0x7a) {
                                          											if(_t150 < 0x41 || _t150 > 0x5a) {
                                          												__eflags = _t150 - 0x20;
                                          												if(_t150 > 0x20) {
                                          													goto L67;
                                          												} else {
                                          													 *0x41e7c4 = 0x41a648;
                                          													goto L22;
                                          												}
                                          											} else {
                                          												goto L21;
                                          											}
                                          										} else {
                                          											goto L21;
                                          										}
                                          									} else {
                                          										L21:
                                          										 *0x41e7c4 = _t108;
                                          										L22:
                                          										 *0x41e7c8 = 0x101;
                                          										continue;
                                          									}
                                          								}
                                          							}
                                          						} else {
                                          							L67:
                                          							_t164 = _t167;
                                          							L68:
                                          							__eflags = _v8 - _t164;
                                          							if(__eflags == 0) {
                                          								_t151 = 0x41aa3c;
                                          							} else {
                                          								E00411B84( &_v60, _v8);
                                          								E00411A27( &_v48, _t164 - _v8 >> 1,  &_v60);
                                          								E00411BE5( &_v24, _v48);
                                          								_push(_v48);
                                          								L004191B0();
                                          								_push(_v60);
                                          								L004191B0();
                                          								E00411E5D( &_v24);
                                          								E00411E26( &_v24);
                                          								_t151 = _v24;
                                          							}
                                          							E00405051(L"SfxVarCmdLine1", _t151, __eflags, 1);
                                          							E00411B84( &_v48, _t167);
                                          							E00411A27( &_v60, _v12 - _t167 >> 1,  &_v48);
                                          							E00411BE5( &_v24, _v60);
                                          							_push(_v60);
                                          							L004191B0();
                                          							_push(_v48);
                                          							L004191B0();
                                          							E00411E5D( &_v24);
                                          							E00411E26( &_v24);
                                          							E00405051(L"SfxVarCmdLine2", _v24, __eflags, 1);
                                          						}
                                          						_push(_v24);
                                          						L004191B0();
                                          						return _t167;
                                          					}
                                          					_t167 =  &(_t167[1]);
                                          					__eflags = _t167;
                                          					goto L6;
                                          				}
                                          				goto L6;
                                          			}


                                          APIs
                                            • Part of subcall function 00411B60: ??2@YAPAXI@Z.MSVCRT ref: 00411B68
                                          • lstrlenW.KERNEL32(00562510,?,0041E138,?,?,?,?,?,?,?,?,?,?,?,004066C2,?), ref: 0040177F
                                            • Part of subcall function 004030D4: lstrlenW.KERNEL32(0041AA80,?,0056250E,?,0041E7B8,004017EC), ref: 004030E3
                                            • Part of subcall function 004030D4: lstrlenW.KERNEL32(00562510,?,0041E7B8,004017EC,?,?,?,?,?,?,?,?,?,?,?,004066C2), ref: 004030E8
                                            • Part of subcall function 004030D4: _wcsnicmp.MSVCRT ref: 004030F1
                                          • _wtol.MSVCRT(00562514,?,?,?,?,?,?,?,?,?,?,?,004066C2,?,00000000), ref: 0040195A
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00401A24
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00401A6A
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00401A93
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00401A72
                                            • Part of subcall function 00405051: ??3@YAXPAX@Z.MSVCRT ref: 004050B8
                                            • Part of subcall function 00405051: ??3@YAXPAX@Z.MSVCRT ref: 004050C1
                                            • Part of subcall function 00405051: ??3@YAXPAX@Z.MSVCRT ref: 004050C9
                                            • Part of subcall function 00411B84: memcpy.MSVCRT ref: 00411BAA
                                            • Part of subcall function 00411A27: memcpy.MSVCRT ref: 00411A4A
                                            • Part of subcall function 00411BE5: ??2@YAPAXI@Z.MSVCRT ref: 00411C17
                                            • Part of subcall function 00411BE5: ??3@YAXPAX@Z.MSVCRT ref: 00411C20
                                            • Part of subcall function 00411BE5: memcpy.MSVCRT ref: 00411C38
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00401ADB
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00401AE3
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: ??3@$lstrlenmemcpy$??2@$_wcsnicmp_wtol
                                          • String ID: BeginPromptTimeout$GUIFlags$GUIMode$MiscFlags$OverwriteMode$SelfDelete$SfxVarCmdLine1$SfxVarCmdLine2$bpt
                                          • API String ID: 2996597252-1537130225
                                          • Opcode ID: d5b0f9fab561e24eddb431938d2a50c2d68c525f52e00fe27273dd9bf14e2848
                                          • Instruction ID: 802da4c3352fe68454c51109ac8192462bb21426cb5da7d8071438425f36007c
                                          • Opcode Fuzzy Hash: d5b0f9fab561e24eddb431938d2a50c2d68c525f52e00fe27273dd9bf14e2848
                                          • Instruction Fuzzy Hash: 2FA19231A012018ADB28EB52C5555FEB7B5AF41344B64C43FE842B32F5EB3CAA85C75E
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 95%
                                          			E0040941A(void* __edx, void* __eflags) {
                                          				int _v4;
                                          				char _v8;
                                          				void* __ecx;
                                          				intOrPtr _t30;
                                          				intOrPtr* _t33;
                                          				signed int _t44;
                                          				struct HMENU__* _t49;
                                          				signed int _t53;
                                          				intOrPtr _t62;
                                          				void* _t71;
                                          				intOrPtr _t74;
                                          				signed int _t83;
                                          
                                          				_t71 = __edx;
                                          				_t74 = _t62;
                                          				 *0x41e8c4 =  *(_t74 + 4);
                                          				 *0x41e8c8 = _t74;
                                          				E00407ABB(_t62, 0x4b8, 1);
                                          				SendMessageW(GetDlgItem( *(_t74 + 4), 0x4b8), 0x401, 0, 0x75300000);
                                          				_t30 =  *0x41e750; // 0x0
                                          				if(_t30 != 0) {
                                          					E00407EBB(_t74, _t71, 0x4b4, _t30);
                                          					E00407A0F(GetDlgItem( *(_t74 + 4), 0x4b4),  *0x41e750);
                                          				}
                                          				if(( *0x41e44c & 0x00000004) != 0) {
                                          					E00407ABB(_t74, 0x4b5, 1);
                                          					_t53 = GetWindowLongW(GetDlgItem( *(_t74 + 4), 0x4b5), 0xfffffff0);
                                          					SetWindowLongW(GetDlgItem( *(_t74 + 4), 0x4b5), 0xfffffff0, _t53 | 0x00000001);
                                          					E00408287(_t74);
                                          				}
                                          				if( *0x41e770 == 1) {
                                          					E00407ABB(_t74, 0x4b4, 0);
                                          					_t49 = GetSystemMenu( *(_t74 + 4), 0);
                                          					if(_t49 != 0) {
                                          						EnableMenuItem(_t49, 0xf060, 1);
                                          					}
                                          				}
                                          				SetFocus(GetDlgItem( *(_t74 + 4), 0x4b4));
                                          				_t83 =  *0x41e8d4; // 0x0
                                          				if(_t83 != 0) {
                                          					 *((intOrPtr*)(_t74 + 0x68)) = 0;
                                          					 *((intOrPtr*)(_t74 + 0x6c)) = 0;
                                          					 *((intOrPtr*)(_t74 + 0x60)) = 0x64;
                                          					 *((intOrPtr*)(_t74 + 0x64)) = 0;
                                          					_t44 =  *0x41e8d4; // 0x0
                                          					SetTimer( *(_t74 + 4), 1, _t44 * 0xa, 0);
                                          				}
                                          				_t33 = _t74 + 0x70;
                                          				 *_t33 = 0;
                                          				if(( *0x41e44c & 0x00002000) == 0) {
                                          					__imp__CoCreateInstance(0x41c84c, 0, 1, 0x41bfe4, _t33);
                                          					if(_t33 == 0) {
                                          						E0040826E(_t74, 1);
                                          					}
                                          				}
                                          				if( *0x41e770 == 1 && IsWindow(GetDlgItem( *(_t74 + 4), 2)) != 0) {
                                          					EnableWindow(GetDlgItem( *(_t74 + 4), 2), 0);
                                          				}
                                          				_t89 =  *0x41e44c & 0x00000004;
                                          				if(( *0x41e44c & 0x00000004) == 0) {
                                          					ShowWindow(GetDlgItem( *(_t74 + 4), 0x4b5), 0);
                                          				}
                                          				_v8 = 0;
                                          				_v4 = 0;
                                          				E00408946(_t74, _t71, _t89,  &_v8);
                                          				return E00408F3F(_t71);
                                          			}
















                                          APIs
                                            • Part of subcall function 00407ABB: GetDlgItem.USER32 ref: 00407AC8
                                            • Part of subcall function 00407ABB: ShowWindow.USER32(00000000,?), ref: 00407ADF
                                          • GetDlgItem.USER32 ref: 00409447
                                          • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00409456
                                          • GetDlgItem.USER32 ref: 0040947D
                                            • Part of subcall function 00407A0F: SetWindowTextW.USER32(00000000,00000000), ref: 00407A17
                                            • Part of subcall function 00408946: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0040897E
                                            • Part of subcall function 00408946: GetDlgItem.USER32 ref: 004089A2
                                            • Part of subcall function 00408946: SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 004089AF
                                            • Part of subcall function 00408946: wsprintfW.USER32 ref: 004089CF
                                            • Part of subcall function 00408946: GetDlgItem.USER32 ref: 004089ED
                                            • Part of subcall function 00408946: ??3@YAXPAX@Z.MSVCRT ref: 00408A7B
                                            • Part of subcall function 00408F3F: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040932F), ref: 00408F69
                                            • Part of subcall function 00408F3F: LoadIconW.USER32 ref: 00408F6C
                                            • Part of subcall function 00408F3F: GetSystemMetrics.USER32 ref: 00408F80
                                            • Part of subcall function 00408F3F: GetSystemMetrics.USER32 ref: 00408F85
                                            • Part of subcall function 00408F3F: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040932F), ref: 00408F8E
                                            • Part of subcall function 00408F3F: LoadImageW.USER32 ref: 00408F91
                                            • Part of subcall function 00408F3F: SendMessageW.USER32(?,00000080,00000001,?), ref: 00408FB1
                                            • Part of subcall function 00408F3F: SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00408FBA
                                            • Part of subcall function 00408F3F: GetDlgItem.USER32 ref: 00408FD7
                                            • Part of subcall function 00408F3F: GetDlgItem.USER32 ref: 00408FE1
                                            • Part of subcall function 00408F3F: GetWindowLongW.USER32(?,000000F0), ref: 00408FED
                                            • Part of subcall function 00408F3F: SetWindowLongW.USER32 ref: 00408FFC
                                            • Part of subcall function 00408F3F: GetDlgItem.USER32 ref: 0040900A
                                            • Part of subcall function 00408F3F: GetDlgItem.USER32 ref: 00409018
                                            • Part of subcall function 00408F3F: GetWindowLongW.USER32(000000F0,000000F0), ref: 00409024
                                            • Part of subcall function 00408F3F: SetWindowLongW.USER32 ref: 00409033
                                            • Part of subcall function 00408F3F: GetDlgItem.USER32 ref: 00409040
                                          • GetDlgItem.USER32 ref: 004094A3
                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 004094A8
                                          • GetDlgItem.USER32 ref: 004094B8
                                          • SetWindowLongW.USER32 ref: 004094BB
                                          • GetSystemMenu.USER32(?,00000000,000004B4,00000000), ref: 004094E1
                                          • EnableMenuItem.USER32 ref: 004094F3
                                          • GetDlgItem.USER32 ref: 004094FD
                                          • SetFocus.USER32(00000000), ref: 00409500
                                          • SetTimer.USER32(?,00000001,00000000,00000000), ref: 0040952F
                                          • CoCreateInstance.OLE32(0041C84C,00000000,00000001,0041BFE4,?), ref: 00409554
                                          • GetDlgItem.USER32 ref: 00409575
                                          • IsWindow.USER32(00000000), ref: 00409578
                                          • GetDlgItem.USER32 ref: 00409588
                                          • EnableWindow.USER32(00000000), ref: 0040958B
                                          • GetDlgItem.USER32 ref: 0040959F
                                          • ShowWindow.USER32(00000000), ref: 004095A2
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: Item$Window$Long$MessageSend$System$EnableHandleLoadMenuMetricsModuleShow$??3@CreateFocusIconImageInstanceTextTimerUnothrow_t@std@@@__ehfuncinfo$??2@wsprintf
                                          • String ID:
                                          • API String ID: 957878288-0
                                          • Opcode ID: 7faac37edcd208d7f3d635246ce9092851c04d018622aa74b3308d040a587b32
                                          • Instruction ID: 91ef2c87c7f5044bd2a8179c9000c8a4a1c30ad634a6280c3a66f42eddf6a5f2
                                          • Opcode Fuzzy Hash: 7faac37edcd208d7f3d635246ce9092851c04d018622aa74b3308d040a587b32
                                          • Instruction Fuzzy Hash: 794175B4604708BBEA216F26DD49F5B7B9DEB40B04F04843DF955A22E1CB79AC10CB2D
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 88%
                                          			E00405112(intOrPtr* __ecx, intOrPtr __edx, void* __eflags) {
                                          				signed int _v8;
                                          				intOrPtr _v12;
                                          				intOrPtr _v16;
                                          				char _v20;
                                          				char _v24;
                                          				char _v28;
                                          				signed int _v36;
                                          				char _v40;
                                          				char _v52;
                                          				char _v64;
                                          				char _v76;
                                          				char _v88;
                                          				wchar_t* _v100;
                                          				void* __edi;
                                          				void* _t76;
                                          				void* _t86;
                                          				WCHAR* _t88;
                                          				intOrPtr _t89;
                                          				WCHAR* _t90;
                                          				intOrPtr _t92;
                                          				WCHAR* _t96;
                                          				WCHAR* _t99;
                                          				intOrPtr _t100;
                                          				WCHAR* _t104;
                                          				WCHAR* _t105;
                                          				WCHAR* _t110;
                                          				WCHAR* _t111;
                                          				char _t113;
                                          				intOrPtr _t115;
                                          				signed int _t117;
                                          				WCHAR* _t122;
                                          				char _t133;
                                          				signed int _t140;
                                          				char _t142;
                                          				WCHAR* _t154;
                                          				signed int _t162;
                                          				intOrPtr* _t165;
                                          				void* _t167;
                                          				signed int _t168;
                                          				WCHAR* _t169;
                                          				WCHAR** _t170;
                                          				WCHAR* _t171;
                                          				void* _t173;
                                          
                                          				_v8 = _v8 & 0x00000000;
                                          				_t165 = __ecx;
                                          				_v12 = __edx;
                                          				E00411743(_t76,  &_v40);
                                          				L49:
                                          				while(E00403339( &_v8, _t165) != 0) {
                                          					while(1) {
                                          						_v20 = _t133;
                                          						__eflags = E00403315(_t133);
                                          						if(__eflags != 0) {
                                          							break;
                                          						}
                                          						__eflags = _t133 - 0x3d;
                                          						if(__eflags == 0) {
                                          							break;
                                          						}
                                          						E00403087( &_v52, _v20);
                                          						_t122 =  &(_t122[0]);
                                          						__eflags = _t122;
                                          						_t133 =  *((intOrPtr*)(_t167 + _t122));
                                          					}
                                          					E00411C48( &_v100, E0040442E( &_v64,  &_v52, __eflags, 0xfde9));
                                          					_push(_v64);
                                          					L004191B0();
                                          					_push(_v52);
                                          					L004191B0();
                                          					__eflags = _t122;
                                          					if(_t122 == 0) {
                                          						_t162 = _v8;
                                          						L53:
                                          						_t86 = E004045C9(_t165, _t162, _v12);
                                          						_push(_v88);
                                          						L004191B0();
                                          						_push(_v100);
                                          						L004191B0();
                                          						_push(_v40);
                                          						L004191B0();
                                          						return _t86;
                                          					}
                                          					_v8 = _t122 + _v8;
                                          					_t163 = _t165;
                                          					_t88 = E00403339( &_v8, _t165);
                                          					__eflags = _t88;
                                          					if(_t88 == 0) {
                                          						L52:
                                          						_t162 = _v16;
                                          						goto L53;
                                          					}
                                          					_t89 =  *_t165;
                                          					_t140 = _v8;
                                          					__eflags =  *((char*)(_t140 + _t89)) - 0x3d;
                                          					if( *((char*)(_t140 + _t89)) != 0x3d) {
                                          						goto L52;
                                          					}
                                          					_v8 = _v8 + 1;
                                          					_t90 = E00403339( &_v8, _t163);
                                          					__eflags = _t90;
                                          					if(_t90 == 0) {
                                          						goto L52;
                                          					}
                                          					_t168 = _v8;
                                          					_t92 =  *((intOrPtr*)(_t168 +  *_t165));
                                          					__eflags = _t92 - 0x22;
                                          					if(_t92 == 0x22) {
                                          						_t169 = _t168 + 1;
                                          						_v36 = _v36 & 0x00000000;
                                          						_v8 = _t169;
                                          						 *_v40 = 0;
                                          						while(1) {
                                          							L29:
                                          							_t96 = strncmp( *_t165 + _t169, "{\\rtf", 5);
                                          							_t173 = _t173 + 0xc;
                                          							__eflags = _t96;
                                          							if(_t96 != 0) {
                                          								goto L28;
                                          							} else {
                                          								break;
                                          							}
                                          							while(1) {
                                          								L28:
                                          								_t99 = strncmp( *_t165 + _t169, "{\\rtf", 5);
                                          								_t173 = _t173 + 0xc;
                                          								__eflags = _t99;
                                          								if(_t99 == 0) {
                                          									goto L29;
                                          								}
                                          								__eflags = _t169 -  *((intOrPtr*)(_t165 + 4));
                                          								if(_t169 >=  *((intOrPtr*)(_t165 + 4))) {
                                          									goto L52;
                                          								}
                                          								_t100 =  *_t165;
                                          								_t142 =  *((intOrPtr*)(_t100 + _t169));
                                          								_t169 =  &(_t169[0]);
                                          								_v28 = _t142;
                                          								_v8 = _t169;
                                          								__eflags = _t142 - 0x22;
                                          								if(__eflags == 0) {
                                          									L39:
                                          									_t164 =  &_v40;
                                          									E00411C48( &_v88, E0040442E( &_v76,  &_v40, __eflags, 0xfde9));
                                          									_push(_v76);
                                          									L004191B0();
                                          									E00404666( &_v88, _t165, __eflags);
                                          									_t104 = lstrcmpW(_v100, L"SetEnvironment");
                                          									__eflags = _t104;
                                          									if(_t104 != 0) {
                                          										L41:
                                          										__eflags =  *0x41e110;
                                          										_t170 = 0x41e110;
                                          										if( *0x41e110 == 0) {
                                          											L45:
                                          											_t164 = 0;
                                          											_t105 = E00404FF9(_v100, 0);
                                          											__eflags = _t105;
                                          											if(_t105 == 0) {
                                          												L47:
                                          												E00402963( &_v100, 0x41e7a0, _t164,  &_v100);
                                          												L48:
                                          												_push(_v88);
                                          												L004191B0();
                                          												_push(_v100);
                                          												L004191B0();
                                          												goto L49;
                                          											}
                                          											_t64 =  &(_t105[6]); // 0xc
                                          											E00411BE5(_t64, _v88);
                                          											goto L48;
                                          										} else {
                                          											goto L42;
                                          										}
                                          										while(1) {
                                          											L42:
                                          											_t110 = wcsncmp(_v100,  *_t170, lstrlenW( *_t170));
                                          											_t173 = _t173 + 0xc;
                                          											__eflags = _t110;
                                          											if(_t110 == 0) {
                                          												break;
                                          											}
                                          											_t170 =  &(_t170[1]);
                                          											__eflags =  *_t170;
                                          											if( *_t170 != 0) {
                                          												continue;
                                          											}
                                          											break;
                                          										}
                                          										__eflags =  *_t170;
                                          										if( *_t170 != 0) {
                                          											goto L47;
                                          										}
                                          										goto L45;
                                          									}
                                          									_t164 = 0x3d;
                                          									_t111 = E0041158D(_v88,  &_v40);
                                          									__eflags = _t111;
                                          									if(_t111 <= 0) {
                                          										goto L52;
                                          									}
                                          									goto L41;
                                          								}
                                          								__eflags = _t142 - 0x5c;
                                          								if(_t142 != 0x5c) {
                                          									_push(_v28);
                                          									L26:
                                          									_t153 =  &_v40;
                                          									L27:
                                          									E00403087(_t153);
                                          									continue;
                                          								}
                                          								_t113 =  *((intOrPtr*)(_t100 + _t169));
                                          								_t169 =  &(_t169[0]);
                                          								_v24 = _t113;
                                          								_v8 = _t169;
                                          								__eflags = _t113 - 0x22;
                                          								if(_t113 == 0x22) {
                                          									_push(0x22);
                                          									goto L26;
                                          								}
                                          								__eflags = _t113 - _t142;
                                          								if(_t113 == _t142) {
                                          									_push(0x5c);
                                          									goto L26;
                                          								}
                                          								__eflags = _t113 - 0x6e;
                                          								if(_t113 == 0x6e) {
                                          									_push(0xa);
                                          									goto L26;
                                          								}
                                          								_t153 =  &_v40;
                                          								__eflags = _t113 - 0x74;
                                          								if(_t113 == 0x74) {
                                          									_push(9);
                                          									goto L27;
                                          								}
                                          								E00403087( &_v40, 0x5c);
                                          								_push(_v24);
                                          								goto L26;
                                          							}
                                          						}
                                          						while(1) {
                                          							_t115 =  *_t165;
                                          							_t154 =  *(_t115 + _t169);
                                          							__eflags = _t154;
                                          							if(_t154 == 0) {
                                          								break;
                                          							}
                                          							__eflags = _t154 - 0x22;
                                          							if(_t154 == 0x22) {
                                          								break;
                                          							}
                                          							__eflags = _t154 - 0x5c;
                                          							if(_t154 == 0x5c) {
                                          								__eflags =  *((char*)(_t115 +  &(_t169[0]))) - 0x22;
                                          								if( *((char*)(_t115 +  &(_t169[0]))) == 0x22) {
                                          									_t169 =  &(_t169[0]);
                                          									__eflags = _t169;
                                          								}
                                          							}
                                          							_t117 =  *(_t115 + _t169) & 0x000000ff;
                                          							_t169 =  &(_t169[0]);
                                          							__eflags = _t169;
                                          							_v8 = _t169;
                                          							E00403087( &_v40, _t117);
                                          						}
                                          						__eflags =  *((char*)(_t169 +  *_t165));
                                          						if(__eflags != 0) {
                                          							_t171 =  &(_t169[0]);
                                          							__eflags = _t171;
                                          							_v8 = _t171;
                                          						}
                                          						goto L39;
                                          					}
                                          					__eflags = _t92 - 0x2d;
                                          					if(_t92 != 0x2d) {
                                          						goto L52;
                                          					}
                                          					E004050D6(_v100);
                                          					_v8 = _t168 + 1;
                                          					goto L48;
                                          				}
                                          				_push(_v40);
                                          				L004191B0();
                                          				return 1;
                                          			}

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: ??3@$??2@
                                          • String ID: SetEnvironment${\rtf
                                          • API String ID: 4113381792-318139784
                                          • Opcode ID: f10d3ac46c504be4cd3bf0c813f21dde7811faca3e73dbb4176365e72b4ad94b
                                          • Instruction ID: 77d8a904bf1d7ff1cd0baf4dd30aa615c8c5e0bf9e93a58920d719d6b3547280
                                          • Opcode Fuzzy Hash: f10d3ac46c504be4cd3bf0c813f21dde7811faca3e73dbb4176365e72b4ad94b
                                          • Instruction Fuzzy Hash: 1C91BC30900609ABDB15DBA1C855BEFBBB1EF14304F2400ABE942772D2DB785E45DF99
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 80%
                                          			E00403C19(struct HWND__* __ecx) {
                                          				int _v8;
                                          				long _v12;
                                          				void* _v16;
                                          				struct HWND__* _v20;
                                          				void* _v24;
                                          				int _v40;
                                          				int _v44;
                                          				void _v48;
                                          				char _v112;
                                          				char* _t41;
                                          				intOrPtr* _t44;
                                          				intOrPtr* _t47;
                                          				intOrPtr* _t49;
                                          				void* _t53;
                                          				void* _t57;
                                          				void* _t67;
                                          				struct HWND__* _t68;
                                          
                                          				_t68 = __ecx;
                                          				_v20 = __ecx;
                                          				if(GetClassNameA(__ecx,  &_v112, 0x40) == 0 || lstrcmpiA( &_v112, "STATIC") != 0 || (GetWindowLongW(_t68, 0xfffffff0) & 0x0000000e) == 0) {
                                          					L13:
                                          					return 0;
                                          				} else {
                                          					_t57 = E004039F0("IMAGES", GetMenu(_t68),  &_v12);
                                          					if(_t57 == 0 || _v12 < 0x10) {
                                          						goto L13;
                                          					} else {
                                          						_t67 = GlobalAlloc(0x40, _v12);
                                          						if(_t67 == 0) {
                                          							goto L13;
                                          						}
                                          						memcpy(_t67, _t57, _v12);
                                          						__imp__CoInitialize(0);
                                          						_t41 =  &_v16;
                                          						__imp__CreateStreamOnHGlobal(_t67, 0, _t41);
                                          						if(_t41 != 0 || _v16 == 0) {
                                          							GlobalFree(_t67);
                                          							goto L13;
                                          						} else {
                                          							__imp__#418(_v16, 0, 0, 0x41c82c,  &_v24);
                                          							_t44 = _v16;
                                          							 *((intOrPtr*)( *_t44 + 8))(_t44);
                                          							GlobalFree(_t67);
                                          							_t47 = _v24;
                                          							if(_t47 == 0) {
                                          								goto L13;
                                          							}
                                          							_v8 = 0;
                                          							 *((intOrPtr*)( *_t47 + 0xc))(_t47,  &_v8);
                                          							_t62 = _v8;
                                          							if(_v8 != 0) {
                                          								_t53 = E00403AD9(_t62);
                                          								_v8 = _t53;
                                          								GetObjectW(_t53, 0x18,  &_v48);
                                          								SetWindowPos(_v20, 0, 0, 0, _v44, _v40, 6);
                                          								SendMessageW(_v20, 0x172, 0, _v8);
                                          							}
                                          							_t49 = _v24;
                                          							 *((intOrPtr*)( *_t49 + 8))(_t49);
                                          							return 1;
                                          						}
                                          					}
                                          				}
                                          			}

                                          APIs
                                          • GetClassNameA.USER32(?,?,00000040), ref: 00403C2E
                                          • lstrcmpiA.KERNEL32(?,STATIC,?,?,00000040), ref: 00403C45
                                          • GetWindowLongW.USER32(?,000000F0), ref: 00403C56
                                          • GetMenu.USER32 ref: 00403C69
                                            • Part of subcall function 004039F0: GetModuleHandleW.KERNEL32(00000000), ref: 00403A01
                                            • Part of subcall function 004039F0: FindResourceExA.KERNEL32(00000000,?,?), ref: 00403A1F
                                            • Part of subcall function 004039F0: FindResourceExA.KERNEL32(?,?,?,00000409), ref: 00403A36
                                            • Part of subcall function 004039F0: SizeofResource.KERNEL32(?,00000000), ref: 00403A49
                                            • Part of subcall function 004039F0: LoadResource.KERNEL32(?,00000000), ref: 00403A55
                                            • Part of subcall function 004039F0: LockResource.KERNEL32(00000000), ref: 00403A60
                                          • GlobalAlloc.KERNEL32(00000040,00000010,?,?,000000F0,?,?,00000040), ref: 00403C96
                                          • memcpy.MSVCRT ref: 00403CAB
                                          • CoInitialize.OLE32(00000000), ref: 00403CB4
                                          • CreateStreamOnHGlobal.OLE32(00000000,00000000,?), ref: 00403CC0
                                          • OleLoadPicture.OLEAUT32(?,00000000,00000000,0041C82C,?), ref: 00403CE5
                                          • GlobalFree.KERNEL32 ref: 00403CF5
                                            • Part of subcall function 00403AD9: GetWindowDC.USER32(00000000), ref: 00403AE8
                                            • Part of subcall function 00403AD9: GetDeviceCaps.GDI32(00000000,00000058), ref: 00403AF4
                                            • Part of subcall function 00403AD9: MulDiv.KERNEL32(00000000,00000064,00000060), ref: 00403B0D
                                            • Part of subcall function 00403AD9: GetObjectW.GDI32(?,00000018,?), ref: 00403B44
                                            • Part of subcall function 00403AD9: MulDiv.KERNEL32(?,00000003,00000002), ref: 00403B51
                                            • Part of subcall function 00403AD9: MulDiv.KERNEL32(?,00000003,00000002), ref: 00403B5D
                                            • Part of subcall function 00403AD9: CreateCompatibleDC.GDI32(?), ref: 00403B6B
                                            • Part of subcall function 00403AD9: CreateCompatibleDC.GDI32(?), ref: 00403B73
                                            • Part of subcall function 00403AD9: SelectObject.GDI32(00000002,?), ref: 00403B83
                                            • Part of subcall function 00403AD9: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00403B91
                                            • Part of subcall function 00403AD9: SelectObject.GDI32(00000000,00000000), ref: 00403B99
                                            • Part of subcall function 00403AD9: SetStretchBltMode.GDI32(00000000,00000004), ref: 00403BA1
                                            • Part of subcall function 00403AD9: StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000002,00000000,00000000,?,?,00CC0020), ref: 00403BC0
                                            • Part of subcall function 00403AD9: GetCurrentObject.GDI32(00000000,00000007), ref: 00403BC9
                                            • Part of subcall function 00403AD9: SelectObject.GDI32(00000002,?), ref: 00403BD8
                                            • Part of subcall function 00403AD9: SelectObject.GDI32(00000000,?), ref: 00403BDE
                                            • Part of subcall function 00403AD9: DeleteDC.GDI32(00000002), ref: 00403BE9
                                            • Part of subcall function 00403AD9: DeleteDC.GDI32(00000000), ref: 00403BEC
                                            • Part of subcall function 00403AD9: ReleaseDC.USER32 ref: 00403BF2
                                          • GetObjectW.GDI32(00000000,00000018,?), ref: 00403D25
                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000006), ref: 00403D39
                                          • SendMessageW.USER32(?,00000172,00000000,?), ref: 00403D4B
                                          • GlobalFree.KERNEL32 ref: 00403D60
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: Object$Resource$CreateGlobalSelect$CompatibleWindow$DeleteFindFreeLoadStretch$AllocBitmapCapsClassCurrentDeviceHandleInitializeLockLongMenuMessageModeModuleNamePictureReleaseSendSizeofStreamlstrcmpimemcpy
                                          • String ID: IMAGES$STATIC
                                          • API String ID: 4202116410-1168396491
                                          • Opcode ID: e5ee765c26b043088857a6b86632b5a939f6bbfc1f2247f6f7eb73e9a60df1c7
                                          • Instruction ID: 960f2b80fa602a6c7041f941df52aa7033470e9d81684b1270c43c97e0f3439f
                                          • Opcode Fuzzy Hash: e5ee765c26b043088857a6b86632b5a939f6bbfc1f2247f6f7eb73e9a60df1c7
                                          • Instruction Fuzzy Hash: 28416D71A01218BBCB219FA4CC48DEFBF7DEF09751F108066F515B2290D7398A51DB6A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 67%
                                          			E00407BD3(void* __ecx, int __edx) {
                                          				struct HWND__* _v8;
                                          				struct HWND__* _v12;
                                          				struct HWND__* _v16;
                                          				int _v20;
                                          				intOrPtr _v24;
                                          				struct HWND__* _v28;
                                          				int _v32;
                                          				struct tagRECT _v48;
                                          				intOrPtr _t116;
                                          				int _t118;
                                          				int _t120;
                                          				struct HWND__* _t131;
                                          				int _t139;
                                          				void* _t166;
                                          				signed int _t168;
                                          				int _t210;
                                          				struct HWND__* _t211;
                                          				long _t215;
                                          				intOrPtr _t219;
                                          				intOrPtr _t225;
                                          				int _t231;
                                          				int _t234;
                                          				int _t235;
                                          				void* _t239;
                                          
                                          				_t234 = __edx;
                                          				_t239 = __ecx;
                                          				_v28 = 0;
                                          				_v12 = 0;
                                          				_v8 = 0;
                                          				_v16 = 0;
                                          				if((GetWindowLongW(GetDlgItem( *(__ecx + 4), 0x4b3), 0xfffffff0) & 0x10000000) != 0) {
                                          					E00407A29(_t239, 0x4b3,  &_v48);
                                          					_v28 = 0x4b3;
                                          					_v16 = _v48.right.x - _v48.left;
                                          					_v24 = _v48.bottom - _v48.top;
                                          				}
                                          				if((GetWindowLongW(GetDlgItem( *(_t239 + 4), 0x4b4), 0xfffffff0) & 0x10000000) != 0) {
                                          					E00407A29(_t239, 0x4b4,  &_v48);
                                          					_v28 = 0x4b4;
                                          					_v8 = _v48.right.x - _v48.left;
                                          					_v24 = _v48.bottom - _v48.top;
                                          				}
                                          				_t219 = _v16;
                                          				_t116 = _v8;
                                          				if(_t219 > 0 && _t116 > 0) {
                                          					if(_t116 <= _t219) {
                                          						_v8 = _t219;
                                          						_t116 = _t219;
                                          					} else {
                                          						_v16 = _t116;
                                          						_t219 = _t116;
                                          					}
                                          				}
                                          				if(_v28 == 0) {
                                          					L15:
                                          					_t118 = _v12 + 0x1a;
                                          					if(_t118 >  *(_t239 + 0x14)) {
                                          						 *(_t239 + 0x14) = _t118;
                                          					}
                                          					_v12 = _t118 - 0x1a;
                                          					_t120 = GetSystemMetrics(0x10);
                                          					_v32 = GetSystemMetrics(0x11);
                                          					 *(_t239 + 0x14) =  *(_t239 + 0x14) + GetSystemMetrics(8);
                                          					 *(_t239 + 0x18) =  *(_t239 + 0x18) + GetSystemMetrics(7);
                                          					asm("cdq");
                                          					_t210 = _t120 -  *(_t239 + 0x14) - _t234 >> 1;
                                          					asm("cdq");
                                          					_v20 = _v32 -  *(_t239 + 0x18) - _t234 >> 1;
                                          					_t131 = GetParent( *(_t239 + 4));
                                          					_v32 = _t131;
                                          					if(_t131 != 0) {
                                          						GetClientRect(_t131,  &_v48);
                                          						ClientToScreen(_v32,  &_v48);
                                          						ClientToScreen(_v32,  &(_v48.right));
                                          						_t215 = _v48.left;
                                          						_t235 =  *(_t239 + 0x14);
                                          						_t231 = _v48.top;
                                          						_v20 = _t231;
                                          						if(_v48.right.x - _t215 > _t235) {
                                          							asm("cdq");
                                          							_t215 = (_v48.right.x - _t235 - _t215 - _t235 >> 1) + _v48.left;
                                          						}
                                          						_t234 =  *(_t239 + 0x18);
                                          						if(_v48.bottom - _t231 > _t234) {
                                          							asm("cdq");
                                          							_v20 = (_v48.bottom - _t234 - _t231 - _t234 >> 1) + _t231;
                                          						}
                                          						_t210 = _t215 + 0xa;
                                          						_v20 = _v20 + 0xa;
                                          					}
                                          					SetWindowPos( *(_t239 + 4), 0, _t210, _v20,  *(_t239 + 0x14),  *(_t239 + 0x18), 4);
                                          					_t211 = 0;
                                          					if( *((intOrPtr*)(_t239 + 0x30)) == 0) {
                                          						E00407BA4(_t239, 0x4b2, 0xc, 0xa,  *((intOrPtr*)(_t239 + 0x28)) + 1,  *((intOrPtr*)(_t239 + 0x2c)) + 1, 0);
                                          					} else {
                                          						SetWindowPos(GetDlgItem( *(_t239 + 4), 0x4b1), 0, 0xc, 0xc, 0, 0, 5);
                                          						E00407A29(_t239, 0x4b1,  &_v48);
                                          						_t225 =  *((intOrPtr*)(_t239 + 0x2c));
                                          						_t166 = 2;
                                          						_v48.bottom = _v48.bottom + _t166 - _v48.top;
                                          						if(_t225 >= _v48.bottom) {
                                          							_t168 = 0;
                                          						} else {
                                          							asm("cdq");
                                          							_t168 = _v48.bottom - _t225 - _t234 >> 1;
                                          						}
                                          						E00407BA4(_t239, 0x4b2, _v48.right.x + 0xb, _t168 + 0xa,  *((intOrPtr*)(_t239 + 0x28)) + 1, _t225 + 1, 0);
                                          						_t211 = 0;
                                          					}
                                          					if(_v28 != _t211) {
                                          						GetClientRect( *(_t239 + 4),  &_v48);
                                          						if(_v16 == _t211 || _v8 == _t211) {
                                          							_push(1);
                                          							_push(_t211);
                                          							_push(_t211);
                                          							_push(_v48.bottom - _v24 - 0xa);
                                          							asm("cdq");
                                          							_push(_v48.right.x - _v12 - _t234 >> 1);
                                          							_push(_v28);
                                          						} else {
                                          							asm("cdq");
                                          							E00407BA4(_t239, 0x4b3, _v48.right.x - _v12 - _t234 >> 1, _v48.bottom - _v24 - 0xa, _v16, _v24, _t211);
                                          							E00407A29(_t239, 0x4b3,  &_v48);
                                          							_push(0);
                                          							_push(_v24);
                                          							_push(_v8);
                                          							_push(_v48.top);
                                          							_push(_v48.right.x + 0xa);
                                          							_push(0x4b4);
                                          						}
                                          						E00407BA4(_t239);
                                          					}
                                          					 *(_t239 + 0x14) =  *(_t239 + 0x14) - GetSystemMetrics(8);
                                          					_t139 = GetSystemMetrics(7);
                                          					 *(_t239 + 0x18) =  *(_t239 + 0x18) - _t139;
                                          					return _t139;
                                          				} else {
                                          					if(_t219 == 0) {
                                          						L13:
                                          						_v12 = _t116;
                                          						goto L15;
                                          					}
                                          					if(_t116 == 0) {
                                          						_v12 = _t219;
                                          						goto L15;
                                          					}
                                          					_t116 = _t116 + _t219 + 0xa;
                                          					goto L13;
                                          				}
                                          			}


                                          APIs
                                          • GetDlgItem.USER32 ref: 00407BFB
                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 00407C00
                                          • GetDlgItem.USER32 ref: 00407C37
                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 00407C3C
                                          • GetSystemMetrics.USER32 ref: 00407CBE
                                          • GetSystemMetrics.USER32 ref: 00407CC4
                                          • GetSystemMetrics.USER32 ref: 00407CCB
                                          • GetSystemMetrics.USER32 ref: 00407CD2
                                          • GetParent.USER32(?), ref: 00407CF4
                                          • GetClientRect.USER32 ref: 00407D06
                                          • ClientToScreen.USER32(?,?), ref: 00407D19
                                          • SetWindowPos.USER32(?,00000000,?,?,?,00000000,00000004), ref: 00407D7F
                                          • GetDlgItem.USER32 ref: 00407D9E
                                          • SetWindowPos.USER32(00000000), ref: 00407DA5
                                          • GetClientRect.USER32 ref: 00407E25
                                            • Part of subcall function 00407BA4: GetDlgItem.USER32 ref: 00407BC2
                                            • Part of subcall function 00407BA4: SetWindowPos.USER32(00000000), ref: 00407BC9
                                          • ClientToScreen.USER32(?,?), ref: 00407D22
                                            • Part of subcall function 00407A29: GetDlgItem.USER32 ref: 00407A31
                                          • GetSystemMetrics.USER32 ref: 00407EAA
                                          • GetSystemMetrics.USER32 ref: 00407EB1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: MetricsSystem$ItemWindow$Client$LongRectScreen$Parent
                                          • String ID:
                                          • API String ID: 2671006076-0
                                          • Opcode ID: 4741c276581009abfc9ca523c20e9ec6d8d94d55c1504a4e144b8b0e00fc264d
                                          • Instruction ID: 7001ee707cf972b195794562609621f769ecf2f41514bcadc40e6201da9538ee
                                          • Opcode Fuzzy Hash: 4741c276581009abfc9ca523c20e9ec6d8d94d55c1504a4e144b8b0e00fc264d
                                          • Instruction Fuzzy Hash: 3CA11A71E04209AFDB10CFBDCD85AAEBBF9EF48704F148529E505F2291D778E9008B65
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 62%
                                          			E004176DE(signed int __ecx, void* __edx, void* __eflags, signed int _a4, signed int _a8, short _a12, signed int _a16, intOrPtr _a20, char _a24, signed int _a28, signed int _a32, unsigned int _a36, unsigned int _a40, unsigned int _a44, void* _a48, signed int _a52, signed int _a56, unsigned int _a60, unsigned int _a64, unsigned int _a68, signed int _a72, signed int _a76, signed int _a80, signed int _a84, signed int _a88, signed int _a92, signed int _a96, char _a100, intOrPtr* _a104, signed int _a108, signed int _a112, unsigned int _a116, signed int _a120, signed int _a124) {
                                          				signed int _v4;
                                          				signed int _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed int _v24;
                                          				signed int _v28;
                                          				signed int _v32;
                                          				signed int _v36;
                                          				signed int _v40;
                                          				signed int _v44;
                                          				intOrPtr _v48;
                                          				signed int _v52;
                                          				char _v92;
                                          				char _v117;
                                          				char _v148;
                                          				signed int _v408;
                                          				void* _v460;
                                          				char _v1308606084;
                                          				void* __ebx;
                                          				signed int __edi;
                                          				signed int* __esi;
                                          				void* __ebp;
                                          				signed int _t471;
                                          				intOrPtr _t472;
                                          				signed int _t478;
                                          				signed int _t479;
                                          				signed int _t484;
                                          				signed int _t485;
                                          				void* _t495;
                                          				void* _t497;
                                          				signed int _t500;
                                          				signed int _t510;
                                          				signed int _t514;
                                          				signed int _t519;
                                          				signed int _t520;
                                          				signed int _t525;
                                          				intOrPtr* _t528;
                                          				signed int _t529;
                                          				signed int _t530;
                                          				void* _t531;
                                          				void* _t533;
                                          				signed int _t537;
                                          				void* _t541;
                                          				signed int _t543;
                                          				signed int _t557;
                                          				void* _t575;
                                          				signed int _t577;
                                          				signed int _t578;
                                          				signed int _t579;
                                          				intOrPtr* _t580;
                                          				signed int _t581;
                                          				unsigned int _t584;
                                          				signed int _t586;
                                          				signed int _t598;
                                          				signed int _t609;
                                          				signed int _t618;
                                          				signed int _t632;
                                          				signed int _t641;
                                          				unsigned int _t643;
                                          				void* _t647;
                                          				signed int _t664;
                                          				signed int _t684;
                                          				signed int _t704;
                                          				signed int _t706;
                                          				signed int _t708;
                                          				signed int _t709;
                                          				signed int _t712;
                                          				signed int _t715;
                                          				signed int _t716;
                                          				signed int _t718;
                                          				signed int _t720;
                                          				signed int _t722;
                                          				intOrPtr* _t724;
                                          				intOrPtr* _t725;
                                          				void* _t726;
                                          				signed int _t727;
                                          				signed int _t729;
                                          				intOrPtr* _t734;
                                          				intOrPtr* _t735;
                                          				signed int _t737;
                                          				void* _t739;
                                          				void* _t740;
                                          				signed int _t743;
                                          				void* _t749;
                                          
                                          				_t749 = __eflags;
                                          				_t735 =  &_v92;
                                          				_t740 = _t739 - 0xec;
                                          				_push(_t726);
                                          				_t715 = __ecx;
                                          				_a76 = __ecx;
                                          				E00415A5E( &_v52);
                                          				_a60 = 0;
                                          				_a64 = 0;
                                          				_a68 = 0;
                                          				_a36 = 0;
                                          				_a40 = 0;
                                          				_a44 = 0;
                                          				_a48 = 0;
                                          				_a52 = 0;
                                          				_a56 = 0;
                                          				E004175D3(0, __ecx, __edx, _t726, _t749, 0, _a104,  &_v52,  &_a60,  &_a36);
                                          				_t467 = E004140DA( &_v148, _t749,  *(_t715 + 0x78) & 0x000000ff);
                                          				_t727 = 0;
                                          				_a84 = 0;
                                          				if(_v48 > 0) {
                                          					while(1) {
                                          						_a80 = E00416AC0(_t467, _a108);
                                          						_t471 = ( *( *_t735 + _t727) & 0x000000ff) +  *((intOrPtr*)(_v8 + _t727 * 4));
                                          						_t618 = _v12;
                                          						_t716 =  *(_t618 + _t471 * 8);
                                          						_t472 =  *((intOrPtr*)(_t618 + 4 + _t471 * 8));
                                          						__eflags = _t716 - _t716;
                                          						if(_t716 != _t716) {
                                          							break;
                                          						}
                                          						__eflags = 0 - _t472;
                                          						if(0 != _t472) {
                                          							break;
                                          						} else {
                                          							_t479 = E0040BCC0(_a80, _t716);
                                          							_push(0x14);
                                          							L004191BC();
                                          							__eflags = _t479;
                                          							if(_t479 == 0) {
                                          								_t727 = 0;
                                          								__eflags = 0;
                                          							} else {
                                          								 *((intOrPtr*)(_t479 + 4)) = 0;
                                          								 *_t479 = 0x41c7d8;
                                          								_t727 = _t479;
                                          							}
                                          							__eflags = _t727;
                                          							if(__eflags != 0) {
                                          								 *((intOrPtr*)( *_t727 + 4))(_t727);
                                          							}
                                          							 *((intOrPtr*)(_t727 + 8)) =  *_a80;
                                          							 *((intOrPtr*)(_t727 + 0x10)) = 0;
                                          							 *(_t727 + 0xc) = _t716;
                                          							asm("adc ecx, [ebp+0x64]");
                                          							_t484 = E004142CC( &_v148,  *_a104 + _a96, _t727, __eflags,  *_a76,  *_a104 + _a96,  *((intOrPtr*)(_a104 + 4)),  &_v52, _a84, 0, _t727, 0, 0, _a112, _a116, _a120, _a124);
                                          							_a72 = _t484;
                                          							__eflags = _t484;
                                          							if(_t484 != 0) {
                                          								L17:
                                          								 *((intOrPtr*)( *_t727 + 8))(_t727);
                                          								E00414DA0( &_v148);
                                          								_push(_a48);
                                          								L004191B0();
                                          								_push(_a36);
                                          								L004191B0();
                                          								_push(_a60);
                                          								L004191B0();
                                          								E004156A7( &_v52);
                                          								_t478 = _a72;
                                          								goto L2;
                                          							} else {
                                          								_t485 = E0041638F( &_v40, _a84);
                                          								__eflags = _t485;
                                          								if(_t485 == 0) {
                                          									L14:
                                          									 *((intOrPtr*)( *_t727 + 8))(_t727);
                                          									_a84 = _a84 + 1;
                                          									_t467 = _a84;
                                          									__eflags = _a84 - _v48;
                                          									if(_a84 < _v48) {
                                          										_t727 = _a84;
                                          										continue;
                                          									} else {
                                          										_t715 = _a76;
                                          										goto L1;
                                          									}
                                          								} else {
                                          									_t703 = _t716;
                                          									_a80 = _v28 + _a84 * 4;
                                          									_t495 = E00418D30( *_a80, _t703);
                                          									_t632 = _a80;
                                          									__eflags = _t495 -  *_t632;
                                          									if(_t495 !=  *_t632) {
                                          										E00415EBA(_t632, _t716);
                                          										asm("int3");
                                          										_push(_t735);
                                          										_t737 = _t740 - 0x64;
                                          										_t743 = _t740 - 0x90;
                                          										_push(0);
                                          										_push(_t727);
                                          										_t729 = _t632;
                                          										_push(_t716);
                                          										_t497 = E00416087( *(_t729 + 0x38));
                                          										_t609 = _a108;
                                          										__eflags = _t497 - 2;
                                          										if(_t497 != 2) {
                                          											_t718 = 0;
                                          											__eflags = 0;
                                          										} else {
                                          											_t718 = 0;
                                          											__eflags = _t703;
                                          											if(__eflags == 0) {
                                          												E00416899(_t729, _t703, __eflags, _t609 + 0xe0);
                                          												_t497 = E00416087( *(_t729 + 0x38));
                                          											}
                                          										}
                                          										_a72 = _t718;
                                          										_a76 = _t718;
                                          										_a80 = _t718;
                                          										__eflags = _t497 - 3;
                                          										if(_t497 != 3) {
                                          											L28:
                                          											_a36 = _t718;
                                          											_a40 = _t718;
                                          											_a44 = _t718;
                                          											_v44 = _t718;
                                          											_v40 = _t718;
                                          											_v36 = _t718;
                                          											_v32 = _t718;
                                          											_v28 = _t718;
                                          											_v24 = _t718;
                                          											__eflags = _t497 - 4;
                                          											if(_t497 == 4) {
                                          												__eflags = _t703 - _t718;
                                          												if(__eflags == 0) {
                                          													_t724 = _t609 + 0xf8;
                                          													E004175D3(_t609, _t729, _t703, _t729, __eflags,  &_a72, _t724, _t609,  &_a36,  &_v44);
                                          													 *_t724 =  *_t724 +  *((intOrPtr*)(_t609 + 0xf0));
                                          													asm("adc [edi+0x4], eax");
                                          													_t497 = E00416087( *(_t729 + 0x38));
                                          													_t718 = 0;
                                          													__eflags = 0;
                                          												}
                                          											}
                                          											 *(_t609 + 0x5c) = _t718;
                                          											__eflags = _t497 - 5;
                                          											if(__eflags != 0) {
                                          												L104:
                                          												E00416630(_t609, _t609, _t703, __eflags);
                                          												_push(_v32);
                                          												L004191B0();
                                          												_push(_v44);
                                          												L004191B0();
                                          												_push(_a36);
                                          												L004191B0();
                                          												E0041673C( &_a72);
                                          												_t500 = 0;
                                          												__eflags = 0;
                                          												goto L105;
                                          											} else {
                                          												__eflags = _t703 - _t718;
                                          												if(__eflags == 0) {
                                          													_a108 = E004160BB( *(_t729 + 0x38), _t703, _t729, __eflags);
                                          													E00416309(_t609 + 0x58, _t501);
                                          													 *(_t609 + 0x5c) = _a108;
                                          													E004166F2(_t609 + 0x108, _t703, 9, _t718);
                                          													E004166F2(_t609 + 0x108, _t703, 6, _t718);
                                          													__eflags = _a108 - _t718;
                                          													if(__eflags > 0) {
                                          														__eflags = _v40 - _t718;
                                          														if(__eflags != 0) {
                                          															E004166F2(_t609 + 0x108, _t703, 0xa, _t718);
                                          														}
                                          													}
                                          													_t720 = _a108;
                                          													_a60 = 0;
                                          													_a64 = 0;
                                          													_a68 = 0;
                                          													E004167C5( &_a60, _t720, __eflags);
                                          													_a24 = 0;
                                          													_a28 = 0;
                                          													_a32 = 0;
                                          													_a48 = 0;
                                          													_a52 = 0;
                                          													_a56 = 0;
                                          													_a124 = 0;
                                          													while(1) {
                                          														L86:
                                          														_t510 = E00416087( *(_t729 + 0x38));
                                          														_t641 =  *(_t729 + 0x38);
                                          														_a92 = _t510;
                                          														__eflags = _t510 | _t703;
                                          														_a96 = _t703;
                                          														if((_t510 | _t703) == 0) {
                                          															break;
                                          														}
                                          														_a84 = E00416087(_t641);
                                          														_t513 =  *(_t729 + 0x38);
                                          														_t643 =  *((intOrPtr*)( *(_t729 + 0x38) + 4)) -  *((intOrPtr*)( *(_t729 + 0x38) + 8));
                                          														_a88 = _t703;
                                          														_t703 = 0;
                                          														__eflags = _a88;
                                          														if(__eflags > 0) {
                                          															L106:
                                          															_t514 = E00415EBA(_t643, _t720);
                                          															__eflags =  *((intOrPtr*)(_t643 + _t514 * 2)) - _t720;
                                          															if( *((intOrPtr*)(_t643 + _t514 * 2)) != _t720) {
                                          																asm("lock mov eax, [esi+0x64]");
                                          																_v8 = _t514;
                                          																_v4 =  *((intOrPtr*)(_t729 + 0x68));
                                          																_a8 =  *((intOrPtr*)(_t729 + 0x6c));
                                          																asm("adc ecx, ebx");
                                          																_v20 = _t703;
                                          																 *((intOrPtr*)(_t720 + 0xf0)) =  *((intOrPtr*)(_t729 + 0x40)) + 0x20;
                                          																 *(_t720 + 0xf4) = _t643;
                                          																 *((intOrPtr*)(_t720 + 0x128)) = 0x20;
                                          																 *(_t720 + 0x12c) = _t609;
                                          																 *(_t720 + 0x130) = _t609;
                                          																__eflags = _v16 - _t609;
                                          																if(__eflags < 0) {
                                          																	L137:
                                          																	_t519 = 0;
                                          																	__eflags = 0;
                                          																	goto L138;
                                          																} else {
                                          																	if(__eflags > 0) {
                                          																		L125:
                                          																		__eflags = _v4 - 0x40000000;
                                          																		if(__eflags > 0) {
                                          																			goto L137;
                                          																		} else {
                                          																			if(__eflags < 0) {
                                          																				L128:
                                          																				_t519 = _v8 | _v4;
                                          																				__eflags = _t519;
                                          																				if(_t519 != 0) {
                                          																					__eflags =  *((intOrPtr*)(_t720 + 0x134)) - _t609;
                                          																					if( *((intOrPtr*)(_t720 + 0x134)) == _t609) {
                                          																						 *(_t720 + 0x130) = 1;
                                          																					}
                                          																					asm("adc ecx, ebx");
                                          																					 *((intOrPtr*)(_t729 + 0x70)) =  *((intOrPtr*)(_t729 + 0x70)) + _v8 + 0x20;
                                          																					asm("adc [esi+0x74], ecx");
                                          																					_t525 = _v8 + _t703;
                                          																					_t704 = _v4;
                                          																					asm("adc edx, [ebp-0x10]");
                                          																					_v28 = _t525;
                                          																					asm("adc ecx, ebx");
                                          																					 *((intOrPtr*)(_t720 + 0x128)) = _t525 + 0x20;
                                          																					 *(_t720 + 0x12c) = _t704;
                                          																					_t647 =  *((intOrPtr*)(_t729 + 0x48)) -  *((intOrPtr*)(_t720 + 0xf0));
                                          																					asm("sbb eax, [edi+0xf4]");
                                          																					__eflags =  *((intOrPtr*)(_t729 + 0x4c)) - _t704;
                                          																					if(__eflags > 0) {
                                          																						L140:
                                          																						_t528 =  *_t729;
                                          																						_t520 =  *((intOrPtr*)( *_t528 + 0x10))(_t528, _v20, _v16, 1, _t609);
                                          																						__eflags = _t520 - _t609;
                                          																						if(_t520 == _t609) {
                                          																							_t529 = _v8;
                                          																							__eflags = _t529 - _t529;
                                          																							if(_t529 != _t529) {
                                          																								L143:
                                          																								_t520 = 0x8007000e;
                                          																							} else {
                                          																								__eflags = _t609 - _v4;
                                          																								if(_t609 == _v4) {
                                          																									_push(_v8);
                                          																									L004191BC();
                                          																									_v28 = _t529;
                                          																									_t530 = E00413818(_v8); // executed
                                          																									__eflags = _t530 - _t609;
                                          																									if(_t530 == _t609) {
                                          																										_t706 = _v8;
                                          																										_t651 = _v28;
                                          																										_t531 = E00418D30(_v28, _t706);
                                          																										__eflags = _t531 - _a8;
                                          																										if(_t531 != _a8) {
                                          																											L148:
                                          																											E00415EBA(_t651, _t720);
                                          																										}
                                          																										__eflags =  *((intOrPtr*)(_t720 + 0x134)) - _t609;
                                          																										if( *((intOrPtr*)(_t720 + 0x134)) == _t609) {
                                          																											 *((char*)(_t720 + 0x131)) = 1;
                                          																										}
                                          																										_push(_t609);
                                          																										_v16 = _t609;
                                          																										E004163AA( &_v20, _t729, _v28, _v8);
                                          																										_t651 =  *(_t729 + 0x38);
                                          																										_v12 = _t609;
                                          																										_v8 = _t609;
                                          																										_v4 = _t609;
                                          																										_t533 = E00416087( *(_t729 + 0x38));
                                          																										__eflags = _t533 - 1;
                                          																										if(_t533 != 1) {
                                          																											L153:
                                          																											__eflags = _t533 - 0x17;
                                          																											if(_t533 != 0x17) {
                                          																												goto L148;
                                          																											} else {
                                          																												__eflags = _t706 - _t609;
                                          																												if(__eflags != 0) {
                                          																													goto L148;
                                          																												} else {
                                          																													_push(_a24);
                                          																													_push(_a20);
                                          																													_t651 = _t729;
                                          																													_push(_a16);
                                          																													_t537 = E004176DE(_t729, _t706, __eflags,  *((intOrPtr*)(_t720 + 0xf0)),  *(_t720 + 0xf4), _t720 + 0x100,  &_v12, _a12);
                                          																													_a8 = _t537;
                                          																													__eflags = _t537 - _t609;
                                          																													if(_t537 == _t609) {
                                          																														__eflags = _v8 - _t609;
                                          																														if(_v8 != _t609) {
                                          																															__eflags = _v8 - 1;
                                          																															if(_v8 > 1) {
                                          																																goto L148;
                                          																															} else {
                                          																																E00415EF3( &_v20);
                                          																																E004163D4(_t729,  *_v12);
                                          																																_t651 =  *(_t729 + 0x38);
                                          																																_t541 = E00416087( *(_t729 + 0x38));
                                          																																__eflags = _t541 - 1;
                                          																																if(_t541 != 1) {
                                          																																	goto L148;
                                          																																} else {
                                          																																	__eflags = _t706 - _t609;
                                          																																	if(_t706 != _t609) {
                                          																																		goto L148;
                                          																																	} else {
                                          																																		goto L162;
                                          																																	}
                                          																																}
                                          																															}
                                          																														} else {
                                          																															E0041673C( &_v12);
                                          																															E00415EF3( &_v20);
                                          																															goto L146;
                                          																														}
                                          																													} else {
                                          																														E0041673C( &_v12);
                                          																														E00415EF3( &_v20);
                                          																														_t609 = _a8;
                                          																														goto L146;
                                          																													}
                                          																												}
                                          																											}
                                          																										} else {
                                          																											__eflags = _t706 - _t609;
                                          																											if(_t706 == _t609) {
                                          																												L162:
                                          																												_push(_a24);
                                          																												 *(_t720 + 0x130) = 1;
                                          																												_push(_a20);
                                          																												_push(_a16);
                                          																												 *((intOrPtr*)(_t720 + 0x120)) =  *((intOrPtr*)(_t729 + 0x70));
                                          																												_push(_a12);
                                          																												_t543 =  *(_t729 + 0x74);
                                          																												_push(_t720);
                                          																												 *(_t720 + 0x124) = _t543;
                                          																												L19();
                                          																												E0041673C( &_v12);
                                          																												E00415EF3( &_v20);
                                          																												_push(_v28);
                                          																												L004191B0();
                                          																												_t520 = _t543;
                                          																											} else {
                                          																												goto L153;
                                          																											}
                                          																										}
                                          																									} else {
                                          																										_t609 = _t530;
                                          																										L146:
                                          																										_push(_v28);
                                          																										L004191B0();
                                          																										_t520 = _t609;
                                          																									}
                                          																								} else {
                                          																									goto L143;
                                          																								}
                                          																							}
                                          																						}
                                          																					} else {
                                          																						if(__eflags < 0) {
                                          																							L136:
                                          																							 *((char*)(_t720 + 0x133)) = 1;
                                          																							goto L137;
                                          																						} else {
                                          																							__eflags = _t647 - _v28;
                                          																							if(_t647 >= _v28) {
                                          																								goto L140;
                                          																							} else {
                                          																								goto L136;
                                          																							}
                                          																						}
                                          																					}
                                          																				} else {
                                          																					__eflags = _t703 | _v16;
                                          																					if((_t703 | _v16) != 0) {
                                          																						L138:
                                          																						_t520 = _t519 + 1;
                                          																						__eflags = _t520;
                                          																					} else {
                                          																						 *(_t720 + 0x130) = 1;
                                          																					}
                                          																				}
                                          																			} else {
                                          																				__eflags = _v8 - _t609;
                                          																				if(_v8 > _t609) {
                                          																					goto L137;
                                          																				} else {
                                          																					goto L128;
                                          																				}
                                          																			}
                                          																		}
                                          																	} else {
                                          																		__eflags = _t703 - _t609;
                                          																		if(_t703 < _t609) {
                                          																			goto L137;
                                          																		} else {
                                          																			goto L125;
                                          																		}
                                          																	}
                                          																}
                                          															} else {
                                          																_t664 = _t643 + 1;
                                          																_t348 = _t729 - 0x1bffbe84;
                                          																 *_t348 =  *(_t729 - 0x1bffbe84) + _t664;
                                          																__eflags =  *_t348;
                                          																if( *_t348 != 0) {
                                          																	L115:
                                          																	 *(_t720 + 0xec) = _t514;
                                          																	_t664 =  *((intOrPtr*)(_t729 + 0x56));
                                          																	goto L116;
                                          																} else {
                                          																	_t350 =  &_v1308606084;
                                          																	 *_t350 = _v1308606084 + _t664;
                                          																	__eflags =  *_t350;
                                          																	if( *_t350 < 0) {
                                          																		L116:
                                          																		_t729 = _t729 - 1;
                                          																		__eflags = _t729;
                                          																		_push(_t729);
                                          																		 *(_t720 + 0xe0) = _t664;
                                          																		goto L117;
                                          																	} else {
                                          																		_t352 = _t720 - 0x3fffbe84;
                                          																		 *_t352 =  *(_t720 - 0x3fffbe84) + _t703;
                                          																		__eflags =  *_t352;
                                          																		if( *_t352 != 0) {
                                          																			L117:
                                          																			_t664 =  *((intOrPtr*)(_t729 + 0x57));
                                          																			_t609 = 0;
                                          																			__eflags = 0;
                                          																			goto L118;
                                          																		} else {
                                          																			_t708 = _t703 + _t703;
                                          																			__eflags = _t708;
                                          																			if(_t708 < 0) {
                                          																				L118:
                                          																				asm("fisttp dword [eax+0xe18f]");
                                          																				goto L119;
                                          																			} else {
                                          																				_t709 = _t708 + _t708;
                                          																				__eflags = _t709;
                                          																				if(_t709 < 0) {
                                          																					L119:
                                          																					 *_t514 =  *_t514 + _t514;
                                          																					 *_t514 =  *_t514 + _t609;
                                          																					asm("lahf");
                                          																					asm("loopne 0x2");
                                          																					 *_t514 =  *_t514 + _t514;
                                          																					__eflags =  *_t514;
                                          																				} else {
                                          																					_t354 = _t609 - 0x40ffbe84;
                                          																					 *_t354 =  *(_t609 - 0x40ffbe84) + _t709;
                                          																					__eflags =  *_t354;
                                          																					if( *_t354 >= 0) {
                                          																						_t356 =  &_v117;
                                          																						 *_t356 = _v117 + _t709;
                                          																						__eflags =  *_t356;
                                          																						_push(_t737);
                                          																						_t737 = _t743;
                                          																						_t743 = _t743 - 0x1c;
                                          																						_push(_t609);
                                          																						_push(_t729);
                                          																						_push(_t720);
                                          																						_t720 = _v408;
                                          																						_t729 = _t664;
                                          																						E0041563D(_t720);
                                          																						 *((intOrPtr*)(_t720 + 0xe8)) =  *((intOrPtr*)(_t729 + 0x40));
                                          																						_t514 =  *(_t729 + 0x44);
                                          																						goto L115;
                                          																					}
                                          																				}
                                          																			}
                                          																		}
                                          																	}
                                          																}
                                          																 *_t720 =  *_t720 + _t664;
                                          																__eflags = _t737;
                                          																 *_t514 =  *_t514 + _t514;
                                          																_t366 = _t609 + 0x4e8b6046;
                                          																 *_t366 =  *(_t609 + 0x4e8b6046) + _t664;
                                          																__eflags =  *_t366;
                                          															}
                                          															return _t520;
                                          														} else {
                                          															if(__eflags < 0) {
                                          																L40:
                                          																_push(1);
                                          																_a4 = _t703;
                                          																E004163AA(_t737, _t729,  *((intOrPtr*)(_t513 + 8)) +  *_t513, _a84);
                                          																_t720 = 0;
                                          																__eflags = _a96;
                                          																if(__eflags > 0) {
                                          																	L83:
                                          																	 *((char*)(_t609 + 0x135)) = 1;
                                          																	 *((intOrPtr*)( *(_t729 + 0x38) + 8)) =  *((intOrPtr*)( *(_t729 + 0x38) + 4));
                                          																	goto L84;
                                          																} else {
                                          																	if(__eflags < 0) {
                                          																		L43:
                                          																		_t557 = _a92 + 0xfffffff2;
                                          																		__eflags = _t557 - 0xb;
                                          																		if(__eflags > 0) {
                                          																			goto L83;
                                          																		} else {
                                          																			switch( *((intOrPtr*)(_t557 * 4 +  &M00417E72))) {
                                          																				case 0:
                                          																					__eax =  &_a60;
                                          																					__ecx = __esi;
                                          																					__eax = E004168E5(__esi, __edx, _a108,  &_a60);
                                          																					__eax = 0;
                                          																					_a124 = __edi;
                                          																					__eflags = _a64 - __edi;
                                          																					if(__eflags > 0) {
                                          																						do {
                                          																							__ecx = _a60;
                                          																							__eflags =  *((char*)(__ecx + __eax));
                                          																							if( *((char*)(__ecx + __eax)) != 0) {
                                          																								_t244 =  &_a124;
                                          																								 *_t244 = _a124 + 1;
                                          																								__eflags =  *_t244;
                                          																							}
                                          																							__eax = __eax + 1;
                                          																							__eflags = __eax - _a64;
                                          																						} while (__eflags < 0);
                                          																					}
                                          																					__edi = _a124;
                                          																					 &_a24 = E004167C5( &_a24, __edi, __eflags);
                                          																					 &_a48 = E004167C5( &_a48, __edi, __eflags);
                                          																					goto L54;
                                          																				case 1:
                                          																					__eax =  &_a24;
                                          																					goto L67;
                                          																				case 2:
                                          																					__eax =  &_a48;
                                          																					L67:
                                          																					__ecx = __esi;
                                          																					__eax = E004168E5(__ecx, __edx, _a124, __eax);
                                          																					goto L54;
                                          																				case 3:
                                          																					_v16 = _t720;
                                          																					E004167E7( &_v20, _t703, _t737, __eflags, _t729,  &_a72);
                                          																					_t720 =  *((intOrPtr*)( *(_t729 + 0x38) + 4)) -  *((intOrPtr*)( *(_t729 + 0x38) + 8));
                                          																					E0040BCC0(_t609 + 0xd0, _t720);
                                          																					E00415F69( *(_t729 + 0x38),  *((intOrPtr*)(_t609 + 0xd0)), _t720);
                                          																					E004161F4(_t609 + 0xd8, __eflags,  *(_t609 + 0x5c) + 1);
                                          																					_t703 = 0;
                                          																					_t566 = 0;
                                          																					_a116 = 0;
                                          																					_a112 = 0;
                                          																					__eflags =  *(_t609 + 0x5c);
                                          																					if( *(_t609 + 0x5c) <= 0) {
                                          																						L51:
                                          																						_t703 = _t703 >> 1;
                                          																						 *( *((intOrPtr*)(_t609 + 0xd8)) + _t566 * 4) = _t703;
                                          																						__eflags = _a116 - _t720;
                                          																						if(_a116 != _t720) {
                                          																							 *((char*)(_t729 + 0x3c)) = 1;
                                          																						}
                                          																						E00415EF3( &_v20);
                                          																						goto L54;
                                          																					} else {
                                          																						do {
                                          																							_a120 = _a120 & 0x00000000;
                                          																							_t570 =  *((intOrPtr*)(_t609 + 0xd0)) + _t703;
                                          																							_t643 = _t720 - _t703 >> 1;
                                          																							__eflags = _t643;
                                          																							if(_t643 != 0) {
                                          																								while(1) {
                                          																									_t703 = _a120;
                                          																									__eflags =  *((short*)(_t570 + _t703 * 2));
                                          																									if( *((short*)(_t570 + _t703 * 2)) == 0) {
                                          																										goto L49;
                                          																									}
                                          																									_a120 = _a120 + 1;
                                          																									__eflags = _a120 - _t643;
                                          																									if(_a120 < _t643) {
                                          																										continue;
                                          																									}
                                          																									goto L49;
                                          																								}
                                          																							}
                                          																							L49:
                                          																							__eflags = _a120 - _t643;
                                          																							if(_a120 == _t643) {
                                          																								goto L106;
                                          																							} else {
                                          																								goto L50;
                                          																							}
                                          																							goto L163;
                                          																							L50:
                                          																							_t571 = _a112;
                                          																							 *( *((intOrPtr*)(_t609 + 0xd8)) + _t571 * 4) = _a116 >> 1;
                                          																							_t566 = _t571 + 1;
                                          																							_t703 = _a116 + 2 + _a120 * 2;
                                          																							_a116 = _t703;
                                          																							_a112 = _t566;
                                          																							__eflags = _t566 -  *(_t609 + 0x5c);
                                          																						} while (_t566 <  *(_t609 + 0x5c));
                                          																						goto L51;
                                          																					}
                                          																					goto L163;
                                          																				case 4:
                                          																					__eax = __ebx + 0x64;
                                          																					goto L70;
                                          																				case 5:
                                          																					__eax = __ebx + 0x7c;
                                          																					goto L70;
                                          																				case 6:
                                          																					__eax = __ebx + 0x94;
                                          																					goto L70;
                                          																				case 7:
                                          																					__eax =  &_v12;
                                          																					__ecx = __esi;
                                          																					_v12 = __edi;
                                          																					_v8 = __edi;
                                          																					_v4 = __edi;
                                          																					E00416933(__esi, __edx, __edi, __ebp, __eflags,  *((intOrPtr*)(__ebx + 0x5c)),  &_v12) =  &_a72;
                                          																					__ecx =  &_a8;
                                          																					_a12 = __di;
                                          																					__eax = E004167E7( &_a8, __edx, __ebp, __eflags, __esi,  &_a72);
                                          																					_a120 = __edi;
                                          																					__eflags = _a108 - __edi;
                                          																					if(_a108 > __edi) {
                                          																						_a116 = __edi;
                                          																						do {
                                          																							__edi =  *(__ebx + 0x58);
                                          																							__eax = _v12;
                                          																							__ecx = _a120;
                                          																							__edi =  *(__ebx + 0x58) + _a116;
                                          																							__al =  *((intOrPtr*)(_v12 + _a120));
                                          																							 *((char*)(__edi + 0x13)) = __al;
                                          																							__eflags = __al;
                                          																							if(__al != 0) {
                                          																								__ecx =  *((intOrPtr*)(__esi + 0x38));
                                          																								 *((intOrPtr*)(__edi + 8)) = E004160D1( *((intOrPtr*)(__esi + 0x38)));
                                          																							}
                                          																							_a120 = _a120 + 1;
                                          																							__eax = _a120;
                                          																							_a116 = _a116 + 0x18;
                                          																							__eflags = _a120 - _a108;
                                          																						} while (_a120 < _a108);
                                          																					}
                                          																					__ecx =  &_a8;
                                          																					__eax = E00415EF3( &_a8);
                                          																					_push(_v12);
                                          																					L004191B0();
                                          																					_pop(__ecx);
                                          																					goto L54;
                                          																				case 8:
                                          																					goto L83;
                                          																				case 9:
                                          																					__eax = __ebx + 0xac;
                                          																					L70:
                                          																					__ecx = __esi;
                                          																					 &_a72 = E0041697E(__ecx, __edx, __eflags,  &_a72,  &_a72, _a108);
                                          																					L54:
                                          																					E004166F2(_t609 + 0x108, _t703, _a92, _a96);
                                          																					goto L84;
                                          																				case 0xa:
                                          																					_a16 = __edi;
                                          																					__eflags = _a88 - __edi;
                                          																					if(__eflags >= 0) {
                                          																						if(__eflags > 0) {
                                          																							L77:
                                          																							__ecx =  *((intOrPtr*)(__esi + 0x38));
                                          																							__eax = E00415F52(__ecx, __edi);
                                          																							__eflags = __al;
                                          																							if(__al != 0) {
                                          																								 *((char*)(__esi + 0x3c)) = 1;
                                          																							}
                                          																							_a16 = _a16 + 1;
                                          																							asm("adc edi, 0x0");
                                          																							__eflags = __edi - _a88;
                                          																						} else {
                                          																							__eflags = _a84 - __edi;
                                          																							if(_a84 > __edi) {
                                          																								goto L77;
                                          																								do {
                                          																									do {
                                          																										goto L77;
                                          																									} while (__eflags < 0);
                                          																									if(__eflags <= 0) {
                                          																										goto L81;
                                          																									}
                                          																									goto L84;
                                          																									L81:
                                          																									__eax = _a84;
                                          																									__eflags = _a16 - _a84;
                                          																								} while (_a16 < _a84);
                                          																							}
                                          																						}
                                          																					}
                                          																					L84:
                                          																					_t643 =  *((intOrPtr*)( *(_t729 + 0x38) + 4)) -  *((intOrPtr*)( *(_t729 + 0x38) + 8));
                                          																					__eflags = _t643;
                                          																					if(_t643 != 0) {
                                          																						goto L106;
                                          																					} else {
                                          																						E00415EF3(_t737);
                                          																						goto L86;
                                          																					}
                                          																					goto L163;
                                          																			}
                                          																		}
                                          																	} else {
                                          																		__eflags = _a92 - 0x40000000;
                                          																		if(_a92 > 0x40000000) {
                                          																			goto L83;
                                          																		} else {
                                          																			goto L43;
                                          																		}
                                          																	}
                                          																}
                                          															} else {
                                          																__eflags = _a84 - _t643;
                                          																if(_a84 > _t643) {
                                          																	goto L106;
                                          																} else {
                                          																	goto L40;
                                          																}
                                          															}
                                          														}
                                          														goto L163;
                                          													}
                                          													E00416087(_t641);
                                          													__eflags = _a108 - _a124 - _a40;
                                          													if(_a108 - _a124 != _a40) {
                                          														E00415EDA(_t641);
                                          													}
                                          													_t684 = _a48;
                                          													_t722 = 0;
                                          													_t575 = 0;
                                          													_a116 = 0;
                                          													__eflags = _a124;
                                          													if(_a124 > 0) {
                                          														do {
                                          															__eflags =  *((char*)(_t684 + _t575));
                                          															if( *((char*)(_t684 + _t575)) != 0) {
                                          																_t287 =  &_a116;
                                          																 *_t287 = _a116 + 1;
                                          																__eflags =  *_t287;
                                          															}
                                          															_t575 = _t575 + 1;
                                          															__eflags = _t575 - _a124;
                                          														} while (_t575 < _a124);
                                          													}
                                          													_a120 = _t722;
                                          													__eflags = _a108 - _t722;
                                          													if(__eflags > 0) {
                                          														_t577 = _a24 - _t684;
                                          														__eflags = _t577;
                                          														_a112 = _t684;
                                          														_a124 = _t722;
                                          														_a88 = _t577;
                                          														do {
                                          															_t734 =  *((intOrPtr*)(_t609 + 0x58)) + _a124;
                                          															_t578 = _a60;
                                          															__eflags =  *((char*)(_t578 + _a120));
                                          															_t579 = _t578 & 0xffffff00 |  *((char*)(_t578 + _a120)) == 0x00000000;
                                          															 *(_t734 + 0x10) = _t579;
                                          															 *((intOrPtr*)(_t734 + 0xc)) = 0;
                                          															__eflags = _t579;
                                          															if(_t579 == 0) {
                                          																_t580 = _a112;
                                          																_t712 = _a88;
                                          																__eflags =  *(_t712 + _t580);
                                          																 *((char*)(_t734 + 0x11)) = _t712 & 0xffffff00 |  *(_t712 + _t580) == 0x00000000;
                                          																_t703 =  *_t580;
                                          																_t581 = _t580 + 1;
                                          																__eflags = _t581;
                                          																_a96 =  *_t580;
                                          																_a112 = _t581;
                                          																 *_t734 = 0;
                                          																 *((intOrPtr*)(_t734 + 4)) = 0;
                                          																 *((char*)(_t734 + 0x12)) = 0;
                                          															} else {
                                          																_t584 = _a36;
                                          																 *((char*)(_t734 + 0x11)) = 0;
                                          																_a96 = 0;
                                          																 *_t734 =  *((intOrPtr*)(_t584 + _t722 * 8));
                                          																 *((intOrPtr*)(_t734 + 4)) =  *((intOrPtr*)(_t584 + 4 + _t722 * 8));
                                          																_t586 = E0041638F( &_v44, _t722);
                                          																 *((char*)(_t734 + 0x12)) = _t586;
                                          																__eflags = _t586;
                                          																if(_t586 != 0) {
                                          																	 *((intOrPtr*)(_t734 + 0xc)) =  *((intOrPtr*)(_v32 + _t722 * 4));
                                          																}
                                          																_t722 = _t722 + 1;
                                          															}
                                          															__eflags = _a116;
                                          															if(_a116 != 0) {
                                          																E0041671B(_t609 + 0xc4, _a96);
                                          															}
                                          															_a120 = _a120 + 1;
                                          															_a124 = _a124 + 0x18;
                                          															__eflags = _a120 - _a108;
                                          														} while (__eflags < 0);
                                          													}
                                          													_push(_a48);
                                          													L004191B0();
                                          													_push(_a24);
                                          													L004191B0();
                                          													_push(_a60);
                                          													L004191B0();
                                          													_t743 = _t743 + 0xc;
                                          												}
                                          												goto L104;
                                          											}
                                          										} else {
                                          											__eflags = _t703 - _t718;
                                          											if(__eflags != 0) {
                                          												goto L28;
                                          											} else {
                                          												_push(_a124);
                                          												_push(_a120);
                                          												_t725 = _t609 + 0x100;
                                          												_push(_a116);
                                          												_t598 = E004176DE(_t729, _t703, __eflags,  *((intOrPtr*)(_t609 + 0xf0)),  *((intOrPtr*)(_t609 + 0xf4)), _t725,  &_a72, _a112);
                                          												_a108 = _t598;
                                          												__eflags = _t598;
                                          												if(_t598 == 0) {
                                          													 *_t725 =  *_t725 +  *((intOrPtr*)(_t609 + 0xf0));
                                          													asm("adc [edi+0x4], eax");
                                          													_t497 = E00416087( *(_t729 + 0x38));
                                          													_t718 = 0;
                                          													__eflags = 0;
                                          													goto L28;
                                          												} else {
                                          													E0041673C( &_a72);
                                          													_t500 = _a108;
                                          													L105:
                                          													__eflags =  &_a100;
                                          													return _t500;
                                          												}
                                          											}
                                          										}
                                          									} else {
                                          										goto L14;
                                          									}
                                          								}
                                          							}
                                          						}
                                          						goto L163;
                                          					}
                                          					E00415EDA(_t618);
                                          					goto L17;
                                          				} else {
                                          					L1:
                                          					 *((intOrPtr*)(_t715 + 0x70)) =  *((intOrPtr*)(_t715 + 0x70)) +  *((intOrPtr*)(_v44 + _v52 * 8));
                                          					asm("adc [edi+0x74], eax");
                                          					E00414DA0( &_v148);
                                          					_push(_a48);
                                          					L004191B0();
                                          					_push(_a36);
                                          					L004191B0();
                                          					_push(_a60);
                                          					L004191B0();
                                          					E004156A7( &_v52);
                                          					_t478 = 0;
                                          					L2:
                                          					return _t478;
                                          				}
                                          				L163:
                                          			}
                                          0x00417b2d
                                          0x00417b30
                                          0x00417b33
                                          0x00417b36
                                          0x00417b8e
                                          0x00417b94
                                          0x00417b96
                                          0x00417b99
                                          0x00417b9c
                                          0x00417b9e
                                          0x00417b9e
                                          0x00417ba5
                                          0x00000000
                                          0x00417b38
                                          0x00417b38
                                          0x00417b3e
                                          0x00417b46
                                          0x00417b48
                                          0x00417b48
                                          0x00417b4a
                                          0x00417b4c
                                          0x00417b4c
                                          0x00417b4f
                                          0x00417b54
                                          0x00000000
                                          0x00000000
                                          0x00417b56
                                          0x00417b59
                                          0x00417b5c
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00417b5c
                                          0x00417b4c
                                          0x00417b5e
                                          0x00417b5e
                                          0x00417b61
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00417b67
                                          0x00417b6a
                                          0x00417b75
                                          0x00417b7e
                                          0x00417b7f
                                          0x00417b83
                                          0x00417b86
                                          0x00417b89
                                          0x00417b89
                                          0x00000000
                                          0x00417b38
                                          0x00000000
                                          0x00000000
                                          0x00417cad
                                          0x00000000
                                          0x00000000
                                          0x00417cb2
                                          0x00000000
                                          0x00000000
                                          0x00417cb7
                                          0x00000000
                                          0x00000000
                                          0x00417bc0
                                          0x00417bc7
                                          0x00417bc9
                                          0x00417bcc
                                          0x00417bcf
                                          0x00417bd7
                                          0x00417bdc
                                          0x00417bdf
                                          0x00417be3
                                          0x00417be8
                                          0x00417beb
                                          0x00417bee
                                          0x00417bf0
                                          0x00417bf3
                                          0x00417bf3
                                          0x00417bf6
                                          0x00417bf9
                                          0x00417bfc
                                          0x00417bff
                                          0x00417c02
                                          0x00417c05
                                          0x00417c07
                                          0x00417c09
                                          0x00417c11
                                          0x00417c11
                                          0x00417c14
                                          0x00417c17
                                          0x00417c1a
                                          0x00417c1e
                                          0x00417c1e
                                          0x00417bf3
                                          0x00417c23
                                          0x00417c26
                                          0x00417c2b
                                          0x00417c2e
                                          0x00417c33
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00417c93
                                          0x00417c99
                                          0x00417c9c
                                          0x00417ca3
                                          0x00417baa
                                          0x00417bb6
                                          0x00000000
                                          0x00000000
                                          0x00417cbf
                                          0x00417cc2
                                          0x00417cc5
                                          0x00417cc7
                                          0x00417cce
                                          0x00417cce
                                          0x00417cd1
                                          0x00417cd6
                                          0x00417cd8
                                          0x00417cda
                                          0x00417cda
                                          0x00417cde
                                          0x00417ce2
                                          0x00417ce5
                                          0x00417cc9
                                          0x00417cc9
                                          0x00417ccc
                                          0x00000000
                                          0x00417cce
                                          0x00417cce
                                          0x00000000
                                          0x00000000
                                          0x00417cea
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00417cec
                                          0x00417cec
                                          0x00417cef
                                          0x00417cef
                                          0x00417cf4
                                          0x00417ccc
                                          0x00417cc7
                                          0x00417d06
                                          0x00417d0c
                                          0x00417d0c
                                          0x00417d0f
                                          0x00000000
                                          0x00417d15
                                          0x00417d18
                                          0x00000000
                                          0x00417d18
                                          0x00000000
                                          0x00000000
                                          0x00417add
                                          0x00417ac1
                                          0x00417ac1
                                          0x00417ac8
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00417ac8
                                          0x00417abf
                                          0x00417a93
                                          0x00417a93
                                          0x00417a96
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00417a96
                                          0x00417a91
                                          0x00000000
                                          0x00417a8b
                                          0x00417d36
                                          0x00417d41
                                          0x00417d44
                                          0x00417d46
                                          0x00417d46
                                          0x00417d4b
                                          0x00417d4e
                                          0x00417d50
                                          0x00417d52
                                          0x00417d55
                                          0x00417d58
                                          0x00417d5a
                                          0x00417d5a
                                          0x00417d5e
                                          0x00417d60
                                          0x00417d60
                                          0x00417d60
                                          0x00417d60
                                          0x00417d63
                                          0x00417d64
                                          0x00417d64
                                          0x00417d5a
                                          0x00417d69
                                          0x00417d6c
                                          0x00417d6f
                                          0x00417d78
                                          0x00417d78
                                          0x00417d7a
                                          0x00417d7d
                                          0x00417d80
                                          0x00417d83
                                          0x00417d86
                                          0x00417d89
                                          0x00417d8f
                                          0x00417d93
                                          0x00417d98
                                          0x00417d9b
                                          0x00417d9e
                                          0x00417da0
                                          0x00417dd3
                                          0x00417dd6
                                          0x00417dd9
                                          0x00417ddf
                                          0x00417de2
                                          0x00417de4
                                          0x00417de4
                                          0x00417de5
                                          0x00417de8
                                          0x00417deb
                                          0x00417ded
                                          0x00417df0
                                          0x00417da2
                                          0x00417da2
                                          0x00417da5
                                          0x00417da8
                                          0x00417dae
                                          0x00417db8
                                          0x00417dbb
                                          0x00417dc0
                                          0x00417dc3
                                          0x00417dc5
                                          0x00417dcd
                                          0x00417dcd
                                          0x00417dd0
                                          0x00417dd0
                                          0x00417df3
                                          0x00417df7
                                          0x00417e02
                                          0x00417e02
                                          0x00417e07
                                          0x00417e0d
                                          0x00417e11
                                          0x00417e11
                                          0x00417d83
                                          0x00417e1a
                                          0x00417e1d
                                          0x00417e22
                                          0x00417e25
                                          0x00417e2a
                                          0x00417e2d
                                          0x00417e32
                                          0x00417e32
                                          0x00000000
                                          0x004179ec
                                          0x00417924
                                          0x00417924
                                          0x00417926
                                          0x00000000
                                          0x00417928
                                          0x00417928
                                          0x0041792e
                                          0x00417931
                                          0x00417937
                                          0x0041794d
                                          0x00417952
                                          0x00417955
                                          0x00417957
                                          0x0041796f
                                          0x00417977
                                          0x0041797d
                                          0x00417982
                                          0x00417982
                                          0x00000000
                                          0x00417959
                                          0x0041795c
                                          0x00417961
                                          0x00417e61
                                          0x00417e64
                                          0x00417e68
                                          0x00417e68
                                          0x00417957
                                          0x00417926
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00417870
                                          0x00417851
                                          0x00417842
                                          0x00000000
                                          0x004177c3
                                          0x0041788f
                                          0x00000000
                                          0x00417747
                                          0x00417747
                                          0x00417750
                                          0x0041775d
                                          0x00417760
                                          0x00417765
                                          0x00417768
                                          0x0041776d
                                          0x00417770
                                          0x00417775
                                          0x00417778
                                          0x00417783
                                          0x00417788
                                          0x0041778a
                                          0x00417791
                                          0x00417791
                                          0x00000000

                                          APIs
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00417768
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00417770
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00417778
                                            • Part of subcall function 004156A7: ??3@YAXPAX@Z.MSVCRT ref: 004156AD
                                            • Part of subcall function 004156A7: ??3@YAXPAX@Z.MSVCRT ref: 004156B5
                                            • Part of subcall function 004156A7: ??3@YAXPAX@Z.MSVCRT ref: 004156BD
                                            • Part of subcall function 004156A7: ??3@YAXPAX@Z.MSVCRT ref: 004156C5
                                            • Part of subcall function 004156A7: ??3@YAXPAX@Z.MSVCRT ref: 004156CD
                                            • Part of subcall function 004156A7: ??3@YAXPAX@Z.MSVCRT ref: 004156D5
                                            • Part of subcall function 004156A7: ??3@YAXPAX@Z.MSVCRT ref: 004156DD
                                            • Part of subcall function 004156A7: ??3@YAXPAX@Z.MSVCRT ref: 004156E5
                                            • Part of subcall function 004156A7: ??3@YAXPAX@Z.MSVCRT ref: 004156ED
                                            • Part of subcall function 004156A7: ??3@YAXPAX@Z.MSVCRT ref: 004156F5
                                            • Part of subcall function 004156A7: ??3@YAXPAX@Z.MSVCRT ref: 004156FD
                                          • ??2@YAPAXI@Z.MSVCRT ref: 004177D4
                                            • Part of subcall function 00414DA0: ??3@YAXPAX@Z.MSVCRT ref: 00414DB3
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: ??3@$??2@
                                          • String ID:
                                          • API String ID: 4113381792-0
                                          • Opcode ID: b1fa7e244e0e6645b5d3477a7d4a882caf3b46f8ddbbb2e402a5d42addf932cd
                                          • Instruction ID: e009749836a5b8c521700d779fd130da81b0f30b20586917bece67503c0bf7cf
                                          • Opcode Fuzzy Hash: b1fa7e244e0e6645b5d3477a7d4a882caf3b46f8ddbbb2e402a5d42addf932cd
                                          • Instruction Fuzzy Hash: 91F117719002499FCB25DF69C8809EE7BF6BF48344F14406EF81997262DB39E985CF58
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 88%
                                          			E00408190(void* __edx, long _a4, int _a8, int _a12, int _a16) {
                                          				struct tagRECT _v20;
                                          				_Unknown_base(*)()* _t29;
                                          				int _t34;
                                          				struct HWND__* _t55;
                                          				void* _t56;
                                          				long _t57;
                                          				struct HDC__* _t61;
                                          
                                          				_t56 = __edx;
                                          				_t55 = _a4;
                                          				_t57 = GetWindowLongW(GetParent(_t55), 0xffffffeb);
                                          				if(_t57 != 0) {
                                          					_t29 =  *(_t57 + 0x54);
                                          					_a4 = _a4 & 0x00000000;
                                          					if(_t29 != 0) {
                                          						_a4 = CallWindowProcW(_t29, _t55, _a8, _a12, _a16);
                                          					}
                                          					_a12 = GetSystemMetrics(0x31);
                                          					_a16 = GetSystemMetrics(0x32);
                                          					_t34 = _a8;
                                          					if(_t34 == 0) {
                                          						SetWindowLongW(_t55, 0xfffffffc,  *(_t57 + 0x54));
                                          					} else {
                                          						if(_t34 == 0xd) {
                                          							_t61 = GetWindowDC(_t55);
                                          							GetWindowRect(_t55,  &_v20);
                                          							asm("cdq");
                                          							asm("cdq");
                                          							DrawIconEx(_t61, _v20.right - _v20.left - _a12 - _t56 >> 1, _v20.bottom - _v20.top - _a16 - _t56 >> 1,  *(_t57 + 0x50), _a12, _a16, 0, 0, 3);
                                          							ReleaseDC(_t55, _t61);
                                          						}
                                          					}
                                          					return _a4;
                                          				}
                                          				return DefWindowProcW(_t55, _a8, _a12, _a16);
                                          			}











                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: Window$MetricsProcSystem$CallDrawIconLongParentRectRelease
                                          • String ID:
                                          • API String ID: 2586545124-0
                                          • Opcode ID: 83057c79f2c88d391f1805632dc92285a4e3022d2fadc16537eed77f9a906b47
                                          • Instruction ID: f279ad638593bb0c02c28414326814beda2d9d37ba4553b1ab7b6853af478c25
                                          • Opcode Fuzzy Hash: 83057c79f2c88d391f1805632dc92285a4e3022d2fadc16537eed77f9a906b47
                                          • Instruction Fuzzy Hash: 08310A7650120ABFDB019FB8DE48EEF3B69FB08351F008525FA11E6291CB75D920DB65
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 40%
                                          			E004156A7(void* __ecx) {
                                          				void* _t12;
                                          
                                          				_push( *((intOrPtr*)(__ecx + 0x4c)));
                                          				L004191B0();
                                          				_push( *((intOrPtr*)(__ecx + 0x3c)));
                                          				L004191B0();
                                          				_push( *((intOrPtr*)(__ecx + 0x38)));
                                          				L004191B0();
                                          				_push( *((intOrPtr*)(__ecx + 0x34)));
                                          				L004191B0();
                                          				_push( *((intOrPtr*)(__ecx + 0x30)));
                                          				L004191B0();
                                          				_push( *((intOrPtr*)(__ecx + 0x2c)));
                                          				L004191B0();
                                          				_push( *((intOrPtr*)(__ecx + 0x28)));
                                          				L004191B0();
                                          				_push( *((intOrPtr*)(__ecx + 0x24)));
                                          				L004191B0();
                                          				_push( *((intOrPtr*)(__ecx + 0x18)));
                                          				L004191B0();
                                          				_push( *((intOrPtr*)(__ecx + 0xc)));
                                          				L004191B0();
                                          				_push( *((intOrPtr*)(__ecx + 8)));
                                          				L004191B0();
                                          				return _t12;
                                          			}





                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: ??3@
                                          • String ID:
                                          • API String ID: 613200358-0
                                          • Opcode ID: 56f2017fb21b6fe6cec828308e1c2387824303fbe1ce4d12887c109082f89c99
                                          • Instruction ID: 89fa2ea9e7dfd86616dbeeb867654c6fb378e0e89a7fbb9e23d32919dde88c48
                                          • Opcode Fuzzy Hash: 56f2017fb21b6fe6cec828308e1c2387824303fbe1ce4d12887c109082f89c99
                                          • Instruction Fuzzy Hash: 66F0EE314115127EEB623B23DD1B9867AB3BF04718358552EF84710C3ADB567CE1DA4C
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E004095CA(void* __ecx, void* __edx, void* __eflags) {
                                          				long _v8;
                                          				intOrPtr _v12;
                                          				int _v20;
                                          				int _v24;
                                          				intOrPtr _v32;
                                          				char _v40;
                                          				void* _t44;
                                          
                                          				_t44 = __ecx;
                                          				E00409278(__ecx, __edx, __eflags);
                                          				E00407ABB(_t44, 0x4b7, 0);
                                          				E00407A29(_t44, 0x4b7,  &_v40);
                                          				E00407A29(_t44, 0x4b7,  &_v24);
                                          				DestroyWindow(GetDlgItem( *(_t44 + 4), 0x4b7));
                                          				CreateWindowExA(0x200, "Edit", 0x41ae2a, 0x500100a0, _v24, _v20, _v32 - _v24, _v12 - _v20,  *(_t44 + 4), 0x4b7, 0, 0);
                                          				_v8 = SendMessageW( *(_t44 + 4), 0x31, 0, 0);
                                          				SendMessageW(GetDlgItem( *(_t44 + 4), 0x4b7), 0x30, _v8, 1);
                                          				SetFocus(GetDlgItem( *(_t44 + 4), 0x4b6));
                                          				return 0;
                                          			}











                                          APIs
                                            • Part of subcall function 00409278: memset.MSVCRT ref: 004092CA
                                            • Part of subcall function 00409278: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004092DE
                                            • Part of subcall function 00409278: SHGetFileInfoW.SHELL32(?,00000000,00000000,000002B4,00000103), ref: 004092FE
                                            • Part of subcall function 00409278: GetDlgItem.USER32 ref: 00409311
                                            • Part of subcall function 00409278: SetWindowLongW.USER32 ref: 0040931F
                                            • Part of subcall function 00407ABB: GetDlgItem.USER32 ref: 00407AC8
                                            • Part of subcall function 00407ABB: ShowWindow.USER32(00000000,?), ref: 00407ADF
                                            • Part of subcall function 00407A29: GetDlgItem.USER32 ref: 00407A31
                                          • GetDlgItem.USER32 ref: 0040960C
                                          • DestroyWindow.USER32(00000000), ref: 0040960F
                                          • CreateWindowExA.USER32 ref: 00409645
                                          • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00409655
                                          • GetDlgItem.USER32 ref: 00409662
                                          • SendMessageW.USER32(00000000,00000030,?,00000001), ref: 0040966C
                                          • GetDlgItem.USER32 ref: 00409676
                                          • SetFocus.USER32(00000000), ref: 00409679
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: Item$Window$MessageSend$CreateDestroyDirectoryFileFocusInfoLongShowSystemmemset
                                          • String ID: Edit
                                          • API String ID: 1904772019-554135844
                                          • Opcode ID: 0be7facc3e4f8ba872de67d6a079024a8f22cb4c18f1c79b82132ec26fa154f1
                                          • Instruction ID: 8a86f020cb998119f4c04dc0e8788b762e1a6262d45705b8329d94c27ff92963
                                          • Opcode Fuzzy Hash: 0be7facc3e4f8ba872de67d6a079024a8f22cb4c18f1c79b82132ec26fa154f1
                                          • Instruction Fuzzy Hash: EB115171A40208BBDB119BE5CD49FAFBBBDEF89B04F10442AF611F6190C675AD108B29
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0040985F(void* __ecx, void* __edx, void* __eflags) {
                                          				struct HWND__* _v8;
                                          				intOrPtr _v12;
                                          				struct tagPOINT _v20;
                                          				struct tagRECT _v36;
                                          				struct HWND__* _t55;
                                          				void* _t71;
                                          
                                          				_t71 = __ecx;
                                          				_v12 = E00408F3F(__edx);
                                          				E00407ABB(__ecx, 0x4b3, 0);
                                          				E00407ABB(__ecx, 0x4b4, 0);
                                          				E00407A29(__ecx, 0x4b3,  &_v36);
                                          				_v20.x = _v36.left;
                                          				_v20.y = _v36.top;
                                          				ClientToScreen( *(_t71 + 4),  &_v20);
                                          				GetWindowRect( *(_t71 + 4),  &_v36);
                                          				SetWindowPos( *(_t71 + 4), 0, 0, 0, _v36.right - _v36.left, _v20.y - _v36.top, 6);
                                          				SetWindowLongW( *(_t71 + 4), 0xfffffff0, 0x800000);
                                          				SetWindowLongW( *(_t71 + 4), 0xffffffec, 8);
                                          				GetWindowRect( *(_t71 + 4),  &_v36);
                                          				E00407BA4(_t71, 0x4b2, 0, 0, _v36.right - _v36.left, _v36.bottom - _v36.top, 4);
                                          				_v8 = GetDlgItem( *(_t71 + 4), 0x4b2);
                                          				_t55 = GetDlgItem( *(_t71 + 4), 0x4b2);
                                          				SetWindowLongW(_t55, 0xfffffff0, GetWindowLongW(_v8, 0xfffffff0) | 0x10000201);
                                          				return _v12;
                                          			}










                                          APIs
                                            • Part of subcall function 00408F3F: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040932F), ref: 00408F69
                                            • Part of subcall function 00408F3F: LoadIconW.USER32 ref: 00408F6C
                                            • Part of subcall function 00408F3F: GetSystemMetrics.USER32 ref: 00408F80
                                            • Part of subcall function 00408F3F: GetSystemMetrics.USER32 ref: 00408F85
                                            • Part of subcall function 00408F3F: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040932F), ref: 00408F8E
                                            • Part of subcall function 00408F3F: LoadImageW.USER32 ref: 00408F91
                                            • Part of subcall function 00408F3F: SendMessageW.USER32(?,00000080,00000001,?), ref: 00408FB1
                                            • Part of subcall function 00408F3F: SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00408FBA
                                            • Part of subcall function 00408F3F: GetDlgItem.USER32 ref: 00408FD7
                                            • Part of subcall function 00408F3F: GetDlgItem.USER32 ref: 00408FE1
                                            • Part of subcall function 00408F3F: GetWindowLongW.USER32(?,000000F0), ref: 00408FED
                                            • Part of subcall function 00408F3F: SetWindowLongW.USER32 ref: 00408FFC
                                            • Part of subcall function 00408F3F: GetDlgItem.USER32 ref: 0040900A
                                            • Part of subcall function 00408F3F: GetDlgItem.USER32 ref: 00409018
                                            • Part of subcall function 00408F3F: GetWindowLongW.USER32(000000F0,000000F0), ref: 00409024
                                            • Part of subcall function 00408F3F: SetWindowLongW.USER32 ref: 00409033
                                            • Part of subcall function 00408F3F: GetDlgItem.USER32 ref: 00409040
                                            • Part of subcall function 00407ABB: GetDlgItem.USER32 ref: 00407AC8
                                            • Part of subcall function 00407ABB: ShowWindow.USER32(00000000,?), ref: 00407ADF
                                            • Part of subcall function 00407A29: GetDlgItem.USER32 ref: 00407A31
                                          • ClientToScreen.USER32(?,?), ref: 004098AE
                                          • GetWindowRect.USER32 ref: 004098C1
                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000006), ref: 004098D9
                                          • SetWindowLongW.USER32 ref: 004098EF
                                          • SetWindowLongW.USER32 ref: 004098F8
                                          • GetWindowRect.USER32 ref: 00409901
                                            • Part of subcall function 00407BA4: GetDlgItem.USER32 ref: 00407BC2
                                            • Part of subcall function 00407BA4: SetWindowPos.USER32(00000000), ref: 00407BC9
                                          • GetDlgItem.USER32 ref: 00409928
                                          • GetDlgItem.USER32 ref: 00409935
                                          • GetWindowLongW.USER32(?,000000F0), ref: 00409942
                                          • SetWindowLongW.USER32 ref: 00409951
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: Window$Item$Long$HandleLoadMessageMetricsModuleRectSendSystem$ClientIconImageScreenShow
                                          • String ID:
                                          • API String ID: 1121484998-0
                                          • Opcode ID: 896a1083596387c429694cdeec32fa87b02d5184d92bc3279f9fd5c98c9e356b
                                          • Instruction ID: 9fdbf200746135bab5730a4dafb3ad07ec8a2d1c31f6c6808a3a3c7848768d2e
                                          • Opcode Fuzzy Hash: 896a1083596387c429694cdeec32fa87b02d5184d92bc3279f9fd5c98c9e356b
                                          • Instruction Fuzzy Hash: 45310171A00219BFDB11DBA9CD45EAFBBBDFF48710F104129F525F22A1CB74A9108B69
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 87%
                                          			E00401CC0(intOrPtr __ecx, signed int __edx, void* __eflags, intOrPtr _a4) {
                                          				intOrPtr _v8;
                                          				intOrPtr _v16;
                                          				char _v20;
                                          				char _v32;
                                          				struct _SHELLEXECUTEINFOW _v92;
                                          				void* _t36;
                                          				struct HWND__* _t42;
                                          				int _t51;
                                          				signed int _t55;
                                          				signed int _t56;
                                          				int _t66;
                                          
                                          				_v8 = __ecx;
                                          				_t55 = __edx;
                                          				E00411B60(E00411B60(_t36,  &_v20),  &_v32);
                                          				_t66 = 0;
                                          				memset( &_v92, 0, 0x3c);
                                          				_v92.cbSize = 0x3c;
                                          				_v92.lpDirectory = _a4;
                                          				_v92.fMask = 0x740;
                                          				_v92.nShow = 0xa;
                                          				if((_t55 & 0x00000001) != 0) {
                                          					_v92.nShow = 0;
                                          					_v92.fMask = 0x8740;
                                          				}
                                          				if((_t55 & 0x00000002) != 0) {
                                          					_v92.lpVerb = L"runas";
                                          				}
                                          				_t56 = _t55 & 0x00010000;
                                          				if(_t56 == 0) {
                                          					_v92.fMask = _v92.fMask | 0x00000100;
                                          				}
                                          				_t42 =  *0x41e72c; // 0x501be
                                          				_v92.hwnd = _t42;
                                          				ShowWindow(_t42, 5);
                                          				BringWindowToTop(_v92.hwnd);
                                          				E00411BE5( &_v32, E0040310A(_v8,  &_v20));
                                          				if(_v16 != _t66) {
                                          					_v92.lpFile = _v20;
                                          					_v92.lpParameters = _v32;
                                          					if(ShellExecuteExW( &_v92) != 0) {
                                          						if(_t56 == _t66) {
                                          							WaitForSingleObject(_v92.hProcess, 0xffffffff);
                                          						}
                                          						CloseHandle(_v92.hProcess);
                                          						_t66 = 1;
                                          					}
                                          					_push(_v32);
                                          					L004191B0();
                                          					_push(_v20);
                                          					L004191B0();
                                          					_t51 = _t66;
                                          				} else {
                                          					_push(_v32);
                                          					L004191B0();
                                          					_push(_v20);
                                          					L004191B0();
                                          					_t51 = 1;
                                          				}
                                          				return _t51;
                                          			}















                                          APIs
                                            • Part of subcall function 00411B60: ??2@YAPAXI@Z.MSVCRT ref: 00411B68
                                          • memset.MSVCRT ref: 00401CE6
                                          • ShowWindow.USER32(000501BE,00000005,?,0041A9F0,00000000), ref: 00401D3E
                                          • BringWindowToTop.USER32(?), ref: 00401D47
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00401D69
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00401D71
                                          • ShellExecuteExW.SHELL32(0000003C), ref: 00401D8B
                                          • WaitForSingleObject.KERNEL32(?,000000FF,?,0041A9F0,00000000), ref: 00401D9E
                                          • CloseHandle.KERNEL32(?,?,0041A9F0,00000000), ref: 00401DA7
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00401DB3
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00401DBB
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: ??3@$Window$??2@BringCloseExecuteHandleObjectShellShowSingleWaitmemset
                                          • String ID:
                                          • API String ID: 1117119541-0
                                          • Opcode ID: f9bb73938863ab3e83ccdc08ac60133ddf5792fba4b5c5c85adfd1578530b248
                                          • Instruction ID: 93afddeaf3da2945c8596fa82df557d0c9d3bebd8f4b061b1b635e28d7e4d180
                                          • Opcode Fuzzy Hash: f9bb73938863ab3e83ccdc08ac60133ddf5792fba4b5c5c85adfd1578530b248
                                          • Instruction Fuzzy Hash: 35316971E00209ABDF11DFE5DC49ADEBBB5FF44304F10802AE512B62A4EB7C6994CB18
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 60%
                                          			E00409AB1(intOrPtr* __eax, void* __edx, void* __eflags) {
                                          				signed int _v8;
                                          				char _v20;
                                          				char _v32;
                                          				char _v44;
                                          				char _v56;
                                          				signed int _t34;
                                          				intOrPtr _t37;
                                          				void* _t50;
                                          				signed int _t57;
                                          				signed int _t58;
                                          				short* _t61;
                                          				void* _t82;
                                          				void* _t83;
                                          				intOrPtr* _t84;
                                          				void* _t86;
                                          
                                          				_t84 = __eax;
                                          				E00411C48(__eax, 0x41e844);
                                          				_t34 = E004099F4(0x41c004, _t84);
                                          				_v8 = _t34;
                                          				if(_t34 <= 0) {
                                          					L8:
                                          					return _t34 | 0xffffffff;
                                          				}
                                          				_t61 =  *_t84 + _t34 * 2;
                                          				if( *_t61 != 0x2e) {
                                          					goto L8;
                                          				}
                                          				 *(_t84 + 4) = _t34;
                                          				 *_t61 = 0;
                                          				_t37 =  *0x41e76c; // 0x0
                                          				_push(_t84);
                                          				if(_t37 == 1) {
                                          					_t57 = E004099F4(0x41c004);
                                          					if(_t57 < 0) {
                                          						L17:
                                          						return 1;
                                          					}
                                          					_t82 = _t57 + _t57;
                                          					_t44 =  *_t84 + _t82;
                                          					if( *((short*)( *_t84 + _t82)) != 0x2e || _v8 - _t57 != 4) {
                                          						goto L17;
                                          					} else {
                                          						E004119E1( &_v56, 2, _t44 + 2);
                                          						E00411B84( &_v32, _v56);
                                          						_push(_v56);
                                          						L004191B0();
                                          						if(E0040995B( &_v32, 0x41bffc) == 0) {
                                          							_push(_v32);
                                          							L004191B0();
                                          							goto L17;
                                          						}
                                          						 *(_t84 + 4) = _t57;
                                          						 *((short*)(_t82 +  *_t84)) = 0;
                                          						_t50 = _t82 +  *_t84 + 2;
                                          						__imp___wtol(_t50);
                                          						_push(_v32);
                                          						L15:
                                          						_t86 = _t50;
                                          						L004191B0();
                                          						_t29 = _t86 + 1; // 0x1
                                          						return _t29;
                                          					}
                                          				}
                                          				_t34 = E004099F4(0x41c004);
                                          				_t58 = _t34;
                                          				if(_t58 <= 0) {
                                          					goto L8;
                                          				}
                                          				_t83 = _t58 + _t58;
                                          				_t34 =  *_t84 + _t83;
                                          				if( *_t34 != 0x2e) {
                                          					goto L8;
                                          				}
                                          				E004119E1( &_v44, 2, _t34 + 2);
                                          				E00411B84( &_v20, _v44);
                                          				_push(_v44);
                                          				L004191B0();
                                          				_t34 = E0040995B( &_v20, 0x41bffc);
                                          				if(_t34 == 0) {
                                          					_push(_v20);
                                          					L004191B0();
                                          					goto L8;
                                          				}
                                          				 *(_t84 + 4) = _t58;
                                          				 *((short*)(_t83 +  *_t84)) = 0;
                                          				_t50 = _t83 +  *_t84 + 2;
                                          				__imp___wtol(_t50);
                                          				_push(_v20);
                                          				goto L15;
                                          			}



















                                          APIs
                                            • Part of subcall function 00411C48: ??2@YAPAXI@Z.MSVCRT ref: 00411C70
                                            • Part of subcall function 00411C48: ??3@YAXPAX@Z.MSVCRT ref: 00411C79
                                            • Part of subcall function 00411C48: memcpy.MSVCRT ref: 00411C93
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00409B36
                                          • _wtol.MSVCRT(?,?,00000002,-00000002,?,?,0041E844,00000000), ref: 00409B5F
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00409B70
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00409BBC
                                          • _wtol.MSVCRT(?,?,00000002,-00000002,?,?,0041E844,00000000), ref: 00409BE5
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00409BF0
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00409C02
                                            • Part of subcall function 004119E1: memcpy.MSVCRT ref: 00411A0F
                                            • Part of subcall function 00411B84: memcpy.MSVCRT ref: 00411BAA
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: ??3@$memcpy$_wtol$??2@
                                          • String ID: .\/
                                          • API String ID: 211236615-1884134905
                                          • Opcode ID: 76076f61dae968f9017a61391940d4b7d187bd359ac5bc1a6c444d705f0d0ebd
                                          • Instruction ID: 0b6a9690c019190aaa6ec8925b5ba1fe496bdf8c1da3795196df282918bb7362
                                          • Opcode Fuzzy Hash: 76076f61dae968f9017a61391940d4b7d187bd359ac5bc1a6c444d705f0d0ebd
                                          • Instruction Fuzzy Hash: 1C41A331A04106ABCB15EF69DC919EEB7B5FF14318B14843EE512B72E2EB78AC41C748
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 91%
                                          			E00404048(intOrPtr __ecx, char* __edx, intOrPtr _a4, intOrPtr _a8) {
                                          				char* _v8;
                                          				intOrPtr _v12;
                                          				char _v24;
                                          				char _v124;
                                          				char* _t41;
                                          				void* _t68;
                                          
                                          				_t67 = _a4;
                                          				_v12 = __ecx;
                                          				_v8 = __edx;
                                          				E004117A8(_a4, ";!@Install@!UTF-8!");
                                          				_t66 = _a8;
                                          				E004117A8(_a8, ";!@InstallEnd@!");
                                          				E0041170C( &_v24,  *((intOrPtr*)(_t67 + 4)) - 1, _t67);
                                          				E004117A8(_t67, _v24);
                                          				_push(_v24);
                                          				L004191B0();
                                          				E0041170C( &_v24,  *((intOrPtr*)(_t66 + 4)) - 1, _t66);
                                          				E004117A8(_t66, _v24);
                                          				_push(_v24);
                                          				L004191B0();
                                          				if(_v8 != 0) {
                                          					_t41 = _v8;
                                          					if( *_t41 != 0) {
                                          						wsprintfA( &_v124, ":%hs", _t41);
                                          						_t68 = _t68 + 0xc;
                                          						E00411846(_t67,  &_v124);
                                          						E00411846(_t66,  &_v124);
                                          					}
                                          				}
                                          				if(_v12 != 0) {
                                          					wsprintfA( &_v124, ":Language:%u", _v12);
                                          					E00411846(_t67,  &_v124);
                                          					E00411846(_t66,  &_v124);
                                          				}
                                          				_t49 = "!";
                                          				E00411846(_t67, "!");
                                          				return E00411846(_t66, _t49);
                                          			}










                                          APIs
                                            • Part of subcall function 004117A8: ??2@YAPAXI@Z.MSVCRT ref: 004117CA
                                            • Part of subcall function 004117A8: ??3@YAXPAX@Z.MSVCRT ref: 004117D4
                                            • Part of subcall function 0041170C: memcpy.MSVCRT ref: 0041172D
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00404090
                                          • ??3@YAXPAX@Z.MSVCRT ref: 004040B1
                                          • wsprintfA.USER32 ref: 004040D5
                                          • wsprintfA.USER32 ref: 00404102
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: ??3@$wsprintf$??2@memcpy
                                          • String ID: :%hs$:Language:%u$;!@Install@!UTF-8!$;!@InstallEnd@!
                                          • API String ID: 1376779256-695273242
                                          • Opcode ID: 6a02b744bc7d80d0513a6681fafc61890acde3536361d0bade6587cda85f6079
                                          • Instruction ID: f21a7fe07a8f386c91366acc762034fd49372255a28dee344885964aedd3aa00
                                          • Opcode Fuzzy Hash: 6a02b744bc7d80d0513a6681fafc61890acde3536361d0bade6587cda85f6079
                                          • Instruction Fuzzy Hash: 83218775A00109ABDB05F7A5D882AFE77BE9F44305F24402BF601B3292CF385E8497A9
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00407894(void* __ecx, int _a4) {
                                          				void* _t21;
                                          
                                          				_t21 = __ecx;
                                          				SendMessageW(GetDlgItem( *(__ecx + 4), 0x4b3), 0xf4, 0, 1);
                                          				SendMessageW(GetDlgItem( *(_t21 + 4), 0x4b4), 0xf4, 0, 1);
                                          				SendMessageW( *(_t21 + 4), 0x401, _a4, 0);
                                          				SendMessageW(GetDlgItem( *(_t21 + 4), _a4), 0xf4, 1, 1);
                                          				return SetFocus(GetDlgItem( *(_t21 + 4), _a4));
                                          			}





                                          APIs
                                          • GetDlgItem.USER32 ref: 004078A8
                                          • SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 004078BB
                                          • GetDlgItem.USER32 ref: 004078C5
                                          • SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 004078CD
                                          • SendMessageW.USER32(?,00000401,00000000,00000000), ref: 004078DD
                                          • GetDlgItem.USER32 ref: 004078E6
                                          • SendMessageW.USER32(00000000,000000F4,00000001,00000001), ref: 004078EE
                                          • GetDlgItem.USER32 ref: 004078F7
                                          • SetFocus.USER32(00000000,?,?,00000000,0040851A,000004B3,00000000,?,000004B3), ref: 004078FA
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: ItemMessageSend$Focus
                                          • String ID:
                                          • API String ID: 3946207451-0
                                          • Opcode ID: 6496da3c9c0f305d28eaa89951ba916d2429e6ba680465666632d837b6b77d3e
                                          • Instruction ID: 223abb1aad09d6feda2c47f27d25d20709fdb3fcd92210378734137cee04cabe
                                          • Opcode Fuzzy Hash: 6496da3c9c0f305d28eaa89951ba916d2429e6ba680465666632d837b6b77d3e
                                          • Instruction Fuzzy Hash: 37F04F712403087BEA212B61DD86F5BBB5EEF85B54F018425F750650F0CBB7EC209A29
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 82%
                                          			E00408946(void* __ecx, void* __edx, void* __eflags, signed int _a4) {
                                          				char _v16;
                                          				short _v40;
                                          				void* _t47;
                                          				signed char _t58;
                                          				intOrPtr* _t59;
                                          				intOrPtr* _t61;
                                          				void* _t88;
                                          				intOrPtr* _t90;
                                          				void* _t91;
                                          
                                          				_t88 = __edx;
                                          				_t91 = __ecx;
                                          				E00411B60(_t47,  &_v16);
                                          				_t90 = _a4;
                                          				if(( *(__ecx + 0x60) |  *(__ecx + 0x64)) == 0) {
                                          					_t9 =  &_a4;
                                          					 *_t9 = _a4 & 0x00000000;
                                          					__eflags =  *_t9;
                                          				} else {
                                          					_a4 = E00419250(E00419300( *_t90,  *((intOrPtr*)(_t90 + 4)), 0x7530, 0), _t88,  *((intOrPtr*)(_t91 + 0x60)),  *((intOrPtr*)(_t91 + 0x64)));
                                          				}
                                          				if(_a4 > 0x7530) {
                                          					_a4 = 0x7530;
                                          				}
                                          				SendMessageW(GetDlgItem( *(_t91 + 4), 0x4b8), 0x402, _a4, 0);
                                          				asm("cdq");
                                          				wsprintfW( &_v40, L"%d%%", (_a4 + 0x12b) / 0x12c);
                                          				if(( *0x41e44c & 0x00000004) != 0) {
                                          					E00407A0F(GetDlgItem( *(_t91 + 4), 0x4b5),  &_v40);
                                          				}
                                          				_t58 =  *0x41e44c; // 0x0
                                          				if((_t58 & 0x00000002) == 0) {
                                          					_t99 = _t58 & 0x00000001;
                                          					if((_t58 & 0x00000001) == 0) {
                                          						E00411BE5( &_v16,  &_v40);
                                          						E004015EC( &_v16, 0x20);
                                          						_push( *0x41e73c);
                                          					} else {
                                          						E00411BE5( &_v16,  *0x41e73c);
                                          						E004015EC( &_v16, 0x20);
                                          						_push( &_v40);
                                          					}
                                          					E00411CA3( &_v16);
                                          					_t58 = E00408056(_t91, _t99, _v16);
                                          				}
                                          				if( *((intOrPtr*)(_t91 + 0x70)) != 0) {
                                          					_t59 =  *((intOrPtr*)(_t91 + 0x70));
                                          					 *((intOrPtr*)( *_t59 + 0x28))(_t59,  *(_t91 + 4), 2);
                                          					_t61 =  *((intOrPtr*)(_t91 + 0x70));
                                          					_t58 =  *((intOrPtr*)( *_t61 + 0x24))(_t61,  *(_t91 + 4),  *_t90,  *((intOrPtr*)(_t90 + 4)),  *((intOrPtr*)(_t91 + 0x60)),  *((intOrPtr*)(_t91 + 0x64)));
                                          				}
                                          				_push(_v16);
                                          				L004191B0();
                                          				return _t58;
                                          			}













                                          APIs
                                            • Part of subcall function 00411B60: ??2@YAPAXI@Z.MSVCRT ref: 00411B68
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0040897E
                                            • Part of subcall function 00411BE5: ??2@YAPAXI@Z.MSVCRT ref: 00411C17
                                            • Part of subcall function 00411BE5: ??3@YAXPAX@Z.MSVCRT ref: 00411C20
                                            • Part of subcall function 00411BE5: memcpy.MSVCRT ref: 00411C38
                                          • GetDlgItem.USER32 ref: 004089A2
                                          • SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 004089AF
                                          • wsprintfW.USER32 ref: 004089CF
                                          • GetDlgItem.USER32 ref: 004089ED
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00408A7B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: ??2@??3@Item$MessageSendUnothrow_t@std@@@__ehfuncinfo$??2@memcpywsprintf
                                          • String ID: %d%%
                                          • API String ID: 3036602612-1518462796
                                          • Opcode ID: cc2156a1dbd376bf078a3937079c515b0febf8ca54c72ff010180aa3c1e48a0a
                                          • Instruction ID: 897cffd7501da61c07280fb0c04fd43b1710295bd97e9baaaef8b47ade3b7e37
                                          • Opcode Fuzzy Hash: cc2156a1dbd376bf078a3937079c515b0febf8ca54c72ff010180aa3c1e48a0a
                                          • Instruction Fuzzy Hash: 8341A375900704BFDB15ABA1CD45EDAB7B9FF08304F10842EFA42662E1DB39E950CB58
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 82%
                                          			E00409DFD(void* __ecx, void* __edx, void* __eflags) {
                                          				intOrPtr* _t44;
                                          				void* _t46;
                                          				intOrPtr* _t48;
                                          				void* _t49;
                                          				void* _t52;
                                          				WCHAR* _t71;
                                          				intOrPtr _t74;
                                          				void* _t77;
                                          				void* _t79;
                                          				void* _t80;
                                          				void* _t82;
                                          
                                          				_t82 = __eflags;
                                          				_t77 = _t79 - 0x78;
                                          				_t80 = _t79 - 0x88;
                                          				_t52 = __ecx;
                                          				 *((intOrPtr*)(_t77 + 0x3c)) = 0;
                                          				 *((intOrPtr*)(_t77 + 0x44)) = 0;
                                          				 *((intOrPtr*)(_t77 + 0x48)) = 0;
                                          				 *((intOrPtr*)(_t77 + 0x4c)) = 0;
                                          				 *((intOrPtr*)(_t77 + 0x50)) = 0;
                                          				 *((intOrPtr*)(_t77 + 0x54)) = 0;
                                          				 *((intOrPtr*)(_t77 + 0x58)) = 0;
                                          				E00411B60(0, _t77 + 0x5c);
                                          				_t74 = E00409AB1(_t77 + 0x5c, __edx, _t82);
                                          				if(_t74 != 0xffffffff) {
                                          					 *((intOrPtr*)(_t77 + 0x74)) = _t74;
                                          					E00411B60(_t36, _t77 + 0x68);
                                          					_push(_t74);
                                          					_t71 = L".%03u";
                                          					while(1) {
                                          						wsprintfW(_t77 - 0x10, _t71);
                                          						_t80 = _t80 + 0xc;
                                          						_t69 = _t77 + 0x5c;
                                          						E00411BE5(_t77 + 0x68,  *((intOrPtr*)(E00411B08(_t77 + 0x30, _t77 + 0x5c, _t77 - 0x10))));
                                          						_push( *((intOrPtr*)(_t77 + 0x30)));
                                          						L004191B0();
                                          						_t44 = E00409A19(_t77 + 0x3c,  *((intOrPtr*)(_t77 + 0x68)), _t77 + 0x3c);
                                          						__eflags = _t44;
                                          						if(_t44 != 0) {
                                          							break;
                                          						}
                                          						_t46 = E00409DD3(_t77 + 0x3c, _t52 + 0x1c, _t69, _t77 + 0x3c);
                                          						_push( *((intOrPtr*)(_t77 + 0x68)));
                                          						L004191B0();
                                          						_t17 = _t77 + 0x74;
                                          						 *_t17 =  *((intOrPtr*)(_t77 + 0x74)) + 1;
                                          						__eflags =  *_t17;
                                          						E00411B60(_t46, _t77 + 0x68);
                                          						_push( *((intOrPtr*)(_t77 + 0x74)));
                                          					}
                                          					_push( *((intOrPtr*)(_t77 + 0x68)));
                                          					L004191B0();
                                          					_push( *((intOrPtr*)(_t77 + 0x5c)));
                                          					L004191B0();
                                          					_t48 =  *((intOrPtr*)(_t77 + 0x3c));
                                          					__eflags = _t48;
                                          					if(_t48 != 0) {
                                          						 *((intOrPtr*)( *_t48 + 8))(_t48);
                                          					}
                                          					_t49 = 1;
                                          				} else {
                                          					_push( *((intOrPtr*)(_t77 + 0x5c)));
                                          					L004191B0();
                                          					_t49 = 0;
                                          				}
                                          				return _t49;
                                          			}














                                          APIs
                                            • Part of subcall function 00411B60: ??2@YAPAXI@Z.MSVCRT ref: 00411B68
                                            • Part of subcall function 00409AB1: ??3@YAXPAX@Z.MSVCRT ref: 00409B36
                                            • Part of subcall function 00409AB1: _wtol.MSVCRT(?,?,00000002,-00000002,?,?,0041E844,00000000), ref: 00409B5F
                                            • Part of subcall function 00409AB1: ??3@YAXPAX@Z.MSVCRT ref: 00409BF0
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00409E3D
                                          • wsprintfW.USER32 ref: 00409E8C
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00409EAD
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00409EC8
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00409ED0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: ??3@$??2@_wtolwsprintf
                                          • String ID: .%03u
                                          • API String ID: 2619731350-3746577511
                                          • Opcode ID: aee8325995449cb21eb21f699a5c5bd25a94ee3b3b11cdc4a6253a9314ba322a
                                          • Instruction ID: 700b262c2caaefa25544a4da0f9a64c534e6180d5fa040a2be027d4297a76f61
                                          • Opcode Fuzzy Hash: aee8325995449cb21eb21f699a5c5bd25a94ee3b3b11cdc4a6253a9314ba322a
                                          • Instruction Fuzzy Hash: 0C311A71504209AFCF04EF65D8518EE3BB9EF04354B14402BFD15922A2EB39ED85CB98
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 82%
                                          			E004036C8(void* __ecx, void* __edx) {
                                          				char _v16;
                                          				char _v28;
                                          				void* _t18;
                                          				void* _t34;
                                          				void* _t51;
                                          				void* _t52;
                                          				intOrPtr* _t53;
                                          
                                          				_t51 = __ecx;
                                          				_t52 = __edx;
                                          				E00411B60(_t18,  &_v16);
                                          				E00411C48( &_v16, __edx);
                                          				E00411CA3( &_v16, "\\");
                                          				E00411B84( &_v28, L"%%S\\");
                                          				E00411F27(__ecx,  &_v28,  &_v16);
                                          				_push(_v28);
                                          				L004191B0();
                                          				E00411C48( &_v16, _t52);
                                          				E00411CA3( &_v16, "/");
                                          				E00411B84( &_v28, L"%%S/");
                                          				E00411F27(_t51,  &_v28,  &_v16);
                                          				L004191B0();
                                          				 *_t53 = L"%%S";
                                          				E00411B84( &_v28, _v28);
                                          				_t34 = E00411F27(_t51,  &_v28, _t52);
                                          				_push(_v28);
                                          				L004191B0();
                                          				_push(_v16);
                                          				L004191B0();
                                          				return _t34;
                                          			}










                                          APIs
                                            • Part of subcall function 00411B60: ??2@YAPAXI@Z.MSVCRT ref: 00411B68
                                            • Part of subcall function 00411C48: ??2@YAPAXI@Z.MSVCRT ref: 00411C70
                                            • Part of subcall function 00411C48: ??3@YAXPAX@Z.MSVCRT ref: 00411C79
                                            • Part of subcall function 00411C48: memcpy.MSVCRT ref: 00411C93
                                            • Part of subcall function 00411CA3: memcpy.MSVCRT ref: 00411CD0
                                            • Part of subcall function 00411B84: memcpy.MSVCRT ref: 00411BAA
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00403711
                                          • ??3@YAXPAX@Z.MSVCRT ref: 0040374C
                                          • ??3@YAXPAX@Z.MSVCRT ref: 0040376F
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00403777
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: ??3@$memcpy$??2@
                                          • String ID: %%S/$%%S\$`V
                                          • API String ID: 3447362686-88797856
                                          • Opcode ID: 1681c57c38f83b6f319beb82b4b77a736cd4652b77870a8b14d6a0dcba04e2ca
                                          • Instruction ID: 8a838fedbf1cd3f57b408fd45307b2668bf9ac3bef67c8916e08563063fd3bd5
                                          • Opcode Fuzzy Hash: 1681c57c38f83b6f319beb82b4b77a736cd4652b77870a8b14d6a0dcba04e2ca
                                          • Instruction Fuzzy Hash: 13112B319480096ACB05F792DC53DFEB7799E54314F10016FF712A21A1EF686AC6C699
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 82%
                                          			E00403782(void* __ecx, void* __edx) {
                                          				char _v16;
                                          				char _v28;
                                          				void* _t18;
                                          				void* _t34;
                                          				void* _t51;
                                          				void* _t52;
                                          				intOrPtr* _t53;
                                          
                                          				_t51 = __ecx;
                                          				_t52 = __edx;
                                          				E00411B60(_t18,  &_v16);
                                          				E00411C48( &_v16, __edx);
                                          				E00411CA3( &_v16, "\\");
                                          				E00411B84( &_v28, L"%%M\\");
                                          				E00411F27(__ecx,  &_v28,  &_v16);
                                          				_push(_v28);
                                          				L004191B0();
                                          				E00411C48( &_v16, _t52);
                                          				E00411CA3( &_v16, "/");
                                          				E00411B84( &_v28, L"%%M/");
                                          				E00411F27(_t51,  &_v28,  &_v16);
                                          				L004191B0();
                                          				 *_t53 = L"%%M";
                                          				E00411B84( &_v28, _v28);
                                          				_t34 = E00411F27(_t51,  &_v28, _t52);
                                          				_push(_v28);
                                          				L004191B0();
                                          				_push(_v16);
                                          				L004191B0();
                                          				return _t34;
                                          			}










                                          APIs
                                            • Part of subcall function 00411B60: ??2@YAPAXI@Z.MSVCRT ref: 00411B68
                                            • Part of subcall function 00411C48: ??2@YAPAXI@Z.MSVCRT ref: 00411C70
                                            • Part of subcall function 00411C48: ??3@YAXPAX@Z.MSVCRT ref: 00411C79
                                            • Part of subcall function 00411C48: memcpy.MSVCRT ref: 00411C93
                                            • Part of subcall function 00411CA3: memcpy.MSVCRT ref: 00411CD0
                                            • Part of subcall function 00411B84: memcpy.MSVCRT ref: 00411BAA
                                          • ??3@YAXPAX@Z.MSVCRT ref: 004037CB
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00403806
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00403829
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00403831
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: ??3@$memcpy$??2@
                                          • String ID: %%M/$%%M\$@V
                                          • API String ID: 3447362686-3814413527
                                          • Opcode ID: 588c370c0f1c2f451554cef3d8baf4e9667b6e0329825f2c43b22c15ef3818ef
                                          • Instruction ID: 030220e8798e44c826c8ca556ead690550140fee0cdfed357d3ace2c4a35e24d
                                          • Opcode Fuzzy Hash: 588c370c0f1c2f451554cef3d8baf4e9667b6e0329825f2c43b22c15ef3818ef
                                          • Instruction Fuzzy Hash: E2112B329480096ACB05F792DC53DFEB7799E54314F10016FF612A21A1EF686AC6C699
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00407AED(intOrPtr __ecx, WCHAR* _a4, void* _a8, void* _a12, signed int _a16) {
                                          				struct HDC__* _v8;
                                          				signed int _v12;
                                          				intOrPtr _v16;
                                          				struct HDC__* _t31;
                                          				int _t33;
                                          				int _t35;
                                          				void* _t45;
                                          				long _t47;
                                          				long _t53;
                                          				struct tagRECT* _t57;
                                          
                                          				_v12 = _v12 & 0x00000000;
                                          				_v16 = __ecx;
                                          				_t31 = GetDC( *(__ecx + 4));
                                          				_v8 = _t31;
                                          				if(_t31 != 0) {
                                          					_t33 = GetSystemMetrics(0xb);
                                          					_t45 = 0xffffffc4;
                                          					_t53 = _t45 - _t33 + GetSystemMetrics(0x3d);
                                          					_t35 = GetSystemMetrics(0x3e);
                                          					_t57 = _a8;
                                          					_t10 = _t35 - 0x78; // -120
                                          					_t47 = _t10;
                                          					_t57->bottom = 0;
                                          					_t57->top = 0;
                                          					_t57->left = 0;
                                          					_t57->right = _t53;
                                          					_a8 = SelectObject(_v8, _a12);
                                          					_v12 = 0 | DrawTextW(_v8, _a4, 0xffffffff, _t57, _a16 | 0x00000400) > 0x00000000;
                                          					if(_t53 < _t57->right) {
                                          						_t57->right = _t53;
                                          					}
                                          					if(_t47 < _t57->bottom) {
                                          						_t57->bottom = _t47;
                                          					}
                                          					SelectObject(_v8, _a8);
                                          					ReleaseDC( *(_v16 + 4), _v8);
                                          				}
                                          				return _v12;
                                          			}













                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: MetricsSystem$ObjectSelect$DrawReleaseText
                                          • String ID:
                                          • API String ID: 2466489532-0
                                          • Opcode ID: 2de4bb473bfb4b8f909a57e36c0b108e7016f7be85cc3fde936b1bc80fa66e5b
                                          • Instruction ID: c6efab504cd997bbd87537fcada5a97682737a4c05f62cea40a671b0dd12ad2f
                                          • Opcode Fuzzy Hash: 2de4bb473bfb4b8f909a57e36c0b108e7016f7be85cc3fde936b1bc80fa66e5b
                                          • Instruction Fuzzy Hash: 53213871900209EFCB11DFA5DD44A9EBFF4EF08364F10C46AE829A62A0C731AA54DF51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 94%
                                          			E0040B900(intOrPtr* __ecx) {
                                          				void* _t48;
                                          				void* _t58;
                                          				signed int _t59;
                                          				void* _t60;
                                          				void* _t61;
                                          				void* _t64;
                                          				void* _t73;
                                          				intOrPtr* _t90;
                                          				intOrPtr* _t92;
                                          				signed int _t95;
                                          				void* _t97;
                                          				void* _t98;
                                          
                                          				_t92 = __ecx;
                                          				if( *__ecx != 0x3f) {
                                          					_t48 =  *((intOrPtr*)(__ecx + 4)) +  *((intOrPtr*)(__ecx + 0x1c)) + 8;
                                          					_t64 = 0;
                                          					 *(_t97 + 0x10) = _t48;
                                          					if(_t48 != 0) {
                                          						_push(_t48);
                                          						L004191BC();
                                          						_t97 = _t97 + 4;
                                          						_t64 = _t48;
                                          					}
                                          					memcpy(_t64, _t92 + 8,  *(_t92 + 4));
                                          					memcpy(_t64 +  *(_t92 + 4),  *(_t92 + 0x18),  *(_t92 + 0x1c));
                                          					_t90 = _t64 +  *(_t92 + 4) +  *(_t92 + 0x1c);
                                          					 *_t90 = 0;
                                          					 *((intOrPtr*)(_t90 + 4)) = 0;
                                          					_t98 = _t97 + 0x18;
                                          					 *((intOrPtr*)(_t98 + 0x1c)) = 0x6a09e667;
                                          					 *((intOrPtr*)(_t98 + 0x20)) = 0xbb67ae85;
                                          					 *((intOrPtr*)(_t98 + 0x24)) = 0x3c6ef372;
                                          					 *((intOrPtr*)(_t98 + 0x28)) = 0xa54ff53a;
                                          					 *((intOrPtr*)(_t98 + 0x2c)) = 0x510e527f;
                                          					 *((intOrPtr*)(_t98 + 0x30)) = 0x9b05688c;
                                          					 *((intOrPtr*)(_t98 + 0x34)) = 0x1f83d9ab;
                                          					 *((intOrPtr*)(_t98 + 0x38)) = 0x5be0cd19;
                                          					 *((intOrPtr*)(_t98 + 0x3c)) = 0;
                                          					 *((intOrPtr*)(_t98 + 0x40)) = 0;
                                          					_t95 = E00419340(1,  *_t92, 0);
                                          					 *(_t98 + 0x18) = 0;
                                          					do {
                                          						E0040B440(_t98 + 0x20, _t64,  *((intOrPtr*)(_t98 + 0x10)));
                                          						_t58 = 0;
                                          						while(1) {
                                          							_t41 = _t58 + _t90;
                                          							 *_t41 =  *((char*)(_t58 + _t90)) + 1;
                                          							if( *_t41 != 0) {
                                          								goto L14;
                                          							}
                                          							_t58 = _t58 + 1;
                                          							if(_t58 < 8) {
                                          								continue;
                                          							}
                                          							goto L14;
                                          						}
                                          						L14:
                                          						_t59 =  *(_t98 + 0x18);
                                          						_t95 = _t95 + 0xffffffff;
                                          						asm("adc eax, 0xffffffff");
                                          						 *(_t98 + 0x18) = _t59;
                                          					} while ((_t95 | _t59) != 0);
                                          					_t46 = _t98 + 0x1c; // 0x6a09e667
                                          					_t60 = E0040B6F0(_t46, _t92 + 0x20);
                                          					_push(_t64);
                                          					L004191B0();
                                          					return _t60;
                                          				}
                                          				_t61 = 0;
                                          				if( *((intOrPtr*)(__ecx + 4)) > 0) {
                                          					do {
                                          						 *((char*)(__ecx + _t61 + 0x20)) =  *((intOrPtr*)(__ecx + _t61 + 8));
                                          						_t61 = _t61 + 1;
                                          					} while (_t61 <  *((intOrPtr*)(__ecx + 4)));
                                          				}
                                          				_t73 = 0;
                                          				if( *(_t92 + 0x1c) <= 0) {
                                          					L6:
                                          					if(_t61 >= 0x20) {
                                          						goto L16;
                                          					} else {
                                          						_t14 = _t92 + 0x20; // 0x21
                                          						return memset(_t61 + _t14, 0, 0x20 - _t61);
                                          					}
                                          				} else {
                                          					while(_t61 < 0x20) {
                                          						 *((char*)(_t61 + _t92 + 0x20)) =  *((intOrPtr*)(_t73 +  *(_t92 + 0x18)));
                                          						_t73 = _t73 + 1;
                                          						_t61 = _t61 + 1;
                                          						if(_t73 <  *(_t92 + 0x1c)) {
                                          							continue;
                                          						} else {
                                          							goto L6;
                                          						}
                                          						goto L17;
                                          					}
                                          					L16:
                                          					return _t61;
                                          				}
                                          				L17:
                                          			}

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: memcpy$??2@??3@memset
                                          • String ID: gj
                                          • API String ID: 1510051167-4203073231
                                          • Opcode ID: 43e91e779c1f4a61919552a6ba70e54c31c19546ad12069bfcf5aceab843841f
                                          • Instruction ID: d88508602b6957b794b8bf8d319cc32ba67a487d5ed6ee7fd98696191516abac
                                          • Opcode Fuzzy Hash: 43e91e779c1f4a61919552a6ba70e54c31c19546ad12069bfcf5aceab843841f
                                          • Instruction Fuzzy Hash: 34418CB1A043009FC320EF65C88096BB7E5FB99718F144E2EE4D697752E734E949CB89
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 88%
                                          			E00401B0B() {
                                          				struct HWND__* _v8;
                                          				short _v264;
                                          				short _v2312;
                                          				WCHAR* _t15;
                                          				struct HWND__* _t32;
                                          				intOrPtr* _t33;
                                          				intOrPtr* _t34;
                                          				WCHAR* _t35;
                                          				WCHAR* _t36;
                                          				WCHAR* _t37;
                                          				void* _t39;
                                          				intOrPtr* _t43;
                                          				void* _t44;
                                          				void* _t45;
                                          				void* _t46;
                                          				void* _t48;
                                          
                                          				_t15 =  *0x41e714; // 0x0
                                          				_t45 = _t44 - 0x904;
                                          				_t32 = 0;
                                          				_t43 = _t34;
                                          				if(_t15 == 0) {
                                          					_t35 = 0x27;
                                          					wsprintfW( &_v2312, E00403DC8(_t35),  *_t43,  *((intOrPtr*)(_t43 + 0xc)));
                                          					_t46 = _t45 + 0x10;
                                          					_v8 = 0;
                                          					if( *((intOrPtr*)(_t43 + 0x10)) <= 0) {
                                          						L8:
                                          						if(";!@Install@!UTF-8!" == 0x3b) {
                                          							_t36 =  &_v2312;
                                          							L11:
                                          							E00409686(_t36, _t39);
                                          							L12:
                                          							E00405B62();
                                          							ExitProcess(0xa);
                                          						}
                                          						_push(_t32);
                                          						_t37 = 3;
                                          						MessageBoxW(_t32,  &_v2312, E00403DC8(_t37), ??);
                                          						goto L12;
                                          					}
                                          					_t33 = _t43 + 0x14;
                                          					do {
                                          						wsprintfW( &_v264, L"\t0x%p\n",  *_t33);
                                          						_t46 = _t46 + 0xc;
                                          						lstrcatW( &_v2312,  &_v264);
                                          						_v8 = _v8 + 1;
                                          						_t33 = _t33 + 4;
                                          					} while (_v8 <  *((intOrPtr*)(_t43 + 0x10)));
                                          					_t32 = 0;
                                          					goto L8;
                                          				}
                                          				_t48 =  *0x41e716 - _t32; // 0x0
                                          				if(_t48 != 0) {
                                          					 *0x41e714 = _t15;
                                          				}
                                          				_t36 = E00403DC8(_t15);
                                          				goto L11;
                                          			}

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: wsprintf$ExitMessageProcesslstrcat
                                          • String ID: 0x%p
                                          • API String ID: 1920160435-1745605757
                                          • Opcode ID: de6fc8d45903a09760ad9a5220580b1c83e0b5bb66eb900d9d32d6c52b165c1f
                                          • Instruction ID: 21ff27a6a0f5ea301036ba6721b670bc4eb5db3d4988dc935fe7745def954242
                                          • Opcode Fuzzy Hash: de6fc8d45903a09760ad9a5220580b1c83e0b5bb66eb900d9d32d6c52b165c1f
                                          • Instruction Fuzzy Hash: 7F219975901208AFD720DFB4DD85EDA77BCEF04304F0044BAE611A21D1EB78BE548B6A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 89%
                                          			E00407F86(long __ecx, struct HWND__* _a4) {
                                          				struct HDC__* _v8;
                                          				char _v324;
                                          				short _v326;
                                          				short _v328;
                                          				void _v360;
                                          				char _v432;
                                          				short _v436;
                                          				int _v452;
                                          				void _v860;
                                          				DLGTEMPLATE* _t22;
                                          				struct HDC__* _t24;
                                          				signed int _t26;
                                          				long _t30;
                                          				signed int _t32;
                                          				CHAR* _t34;
                                          				struct HINSTANCE__* _t41;
                                          
                                          				_t30 = __ecx;
                                          				_t32 = 0x58;
                                          				memcpy( &_v360, 0x41e490, _t32 << 2);
                                          				_v860 = 0x1f4;
                                          				if(SystemParametersInfoW(0x29, 0,  &_v860, 0) != 0) {
                                          					_t24 = GetDC(0);
                                          					_v8 = _t24;
                                          					_t26 = MulDiv(_v452, 0x48, GetDeviceCaps(_t24, 0x5a));
                                          					ReleaseDC(0, _v8);
                                          					_v326 = _v436;
                                          					_v328 =  ~_t26;
                                          					_v324 = _v432;
                                          				}
                                          				_t41 = GetModuleHandleW(0);
                                          				if( *(_t30 + 0x38) == 0) {
                                          					L4:
                                          					_t22 =  &_v360;
                                          					 *(_t30 + 0x38) = 0;
                                          				} else {
                                          					_push(0);
                                          					_t34 = 5;
                                          					_t22 = E004039F0(_t34,  *(_t30 + 0x38) & 0x0000ffff);
                                          					if(_t22 == 0) {
                                          						goto L4;
                                          					}
                                          				}
                                          				return DialogBoxIndirectParamW(_t41, _t22, _a4, E00407744, _t30);
                                          			}

                                          APIs
                                          • SystemParametersInfoW.USER32 ref: 00407FBB
                                          • GetDC.USER32(00000000), ref: 00407FC6
                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00407FD2
                                          • MulDiv.KERNEL32(?,00000048,00000000), ref: 00407FE1
                                          • ReleaseDC.USER32 ref: 00407FEF
                                          • GetModuleHandleW.KERNEL32(00000000), ref: 00408017
                                          • DialogBoxIndirectParamW.USER32 ref: 00408049
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: CapsDeviceDialogHandleIndirectInfoModuleParamParametersReleaseSystem
                                          • String ID:
                                          • API String ID: 3212456201-0
                                          • Opcode ID: d52d7d66d1777c6683a19ab09cc34ad267647d5eb631a79ac1977f9ea0d9fe45
                                          • Instruction ID: 0d6cfd111af944fba9a3d93ccc4bb6b201ee0ba3342a1467b8569908ac4f5c69
                                          • Opcode Fuzzy Hash: d52d7d66d1777c6683a19ab09cc34ad267647d5eb631a79ac1977f9ea0d9fe45
                                          • Instruction Fuzzy Hash: 8921C331901258AFDB319F61DC48FEB7BBCEB89751F0040AAF909B2291DB344E80CB65
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00408B72(void* __ecx) {
                                          				int _t10;
                                          				signed int _t18;
                                          				void* _t21;
                                          				void* _t25;
                                          				void* _t27;
                                          				intOrPtr _t30;
                                          				signed int _t31;
                                          				void* _t35;
                                          
                                          				_t27 = __ecx;
                                          				_t30 =  *0x41e8e0; // 0x0
                                          				if(_t30 != 0) {
                                          					_t10 = EndDialog( *(__ecx + 4), 0);
                                          				}
                                          				_t31 =  *0x41e8d4; // 0x0
                                          				if(_t31 != 0) {
                                          					KillTimer( *(_t27 + 4), 1);
                                          					_t32 =  *0x41e44c & 0x00000100;
                                          					if(( *0x41e44c & 0x00000100) == 0 || E00408B2E(_t27, _t25, _t32) != 0) {
                                          						return EndDialog( *(_t27 + 4), 0);
                                          						L13:
                                          					}
                                          					_t18 =  *0x41e8d4; // 0x0
                                          					_t10 = SetTimer( *(_t27 + 4), 1, _t18 * 0xa, 0);
                                          				}
                                          				_t35 =  *0x41e770 - 1; // 0x2
                                          				if(_t35 != 0) {
                                          					_t21 =  *0x41e720; // 0x330
                                          					if(_t21 != 0) {
                                          						SuspendThread(_t21);
                                          						_t37 =  *0x41e44c & 0x00000100;
                                          						if(( *0x41e44c & 0x00000100) == 0 || E00408B2E(_t27, _t25, _t37) != 0) {
                                          							 *0x41e8cc = 1;
                                          							TerminateThread(_t21, 0x16);
                                          							return EndDialog( *(_t27 + 4), 0);
                                          							goto L13;
                                          						} else {
                                          							return ResumeThread(_t21);
                                          						}
                                          					}
                                          				}
                                          				return _t10;
                                          			}

                                          APIs
                                          • EndDialog.USER32(?,00000000), ref: 00408B8C
                                          • KillTimer.USER32(?,00000001), ref: 00408B9D
                                          • SetTimer.USER32(?,00000001,00000000,00000000), ref: 00408BC8
                                          • SuspendThread.KERNEL32(00000330), ref: 00408BE1
                                          • ResumeThread.KERNEL32(00000330), ref: 00408BFF
                                          • EndDialog.USER32(?,00000000), ref: 00408C21
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: DialogThreadTimer$KillResumeSuspend
                                          • String ID:
                                          • API String ID: 4151135813-0
                                          • Opcode ID: b8d07711118b6918d21d1c8eaca0c7ddfc869e85b997711a11a4ac529ea7d2d4
                                          • Instruction ID: f920c74330c8bea86978497107333c2b8e7ef69701de9f597e4ce46cb6d114b0
                                          • Opcode Fuzzy Hash: b8d07711118b6918d21d1c8eaca0c7ddfc869e85b997711a11a4ac529ea7d2d4
                                          • Instruction Fuzzy Hash: 401186752012089FE7155F62EF84AA776BCF704745B04843EF586612B1CB79AC10DF2D
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 82%
                                          			E0040360E(void* __ecx, void* __edx) {
                                          				char _v16;
                                          				char _v28;
                                          				void* _t18;
                                          				void* _t34;
                                          				void* _t51;
                                          				void* _t52;
                                          				intOrPtr* _t53;
                                          
                                          				_t51 = __ecx;
                                          				_t52 = __edx;
                                          				E00411B60(_t18,  &_v16);
                                          				E00411C48( &_v16, __edx);
                                          				E00411CA3( &_v16, "\\");
                                          				E00411B84( &_v28, L"%%T\\");
                                          				E00411F27(__ecx,  &_v28,  &_v16);
                                          				_push(_v28);
                                          				L004191B0();
                                          				E00411C48( &_v16, _t52);
                                          				E00411CA3( &_v16, "/");
                                          				E00411B84( &_v28, L"%%T/");
                                          				E00411F27(_t51,  &_v28,  &_v16);
                                          				L004191B0();
                                          				 *_t53 = 0x41abd4;
                                          				E00411B84( &_v28, _v28);
                                          				_t34 = E00411F27(_t51,  &_v28, _t52);
                                          				_push(_v28);
                                          				L004191B0();
                                          				_push(_v16);
                                          				L004191B0();
                                          				return _t34;
                                          			}

                                          APIs
                                            • Part of subcall function 00411B60: ??2@YAPAXI@Z.MSVCRT ref: 00411B68
                                            • Part of subcall function 00411C48: ??2@YAPAXI@Z.MSVCRT ref: 00411C70
                                            • Part of subcall function 00411C48: ??3@YAXPAX@Z.MSVCRT ref: 00411C79
                                            • Part of subcall function 00411C48: memcpy.MSVCRT ref: 00411C93
                                            • Part of subcall function 00411CA3: memcpy.MSVCRT ref: 00411CD0
                                            • Part of subcall function 00411B84: memcpy.MSVCRT ref: 00411BAA
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00403657
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00403692
                                          • ??3@YAXPAX@Z.MSVCRT ref: 004036B5
                                          • ??3@YAXPAX@Z.MSVCRT ref: 004036BD
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: ??3@$memcpy$??2@
                                          • String ID: %%T/$%%T\
                                          • API String ID: 3447362686-2679640699
                                          • Opcode ID: 04fbe8f642e626939d5ded048618951192fd7906010909b1d7a42e49d815b11e
                                          • Instruction ID: 051198a5a84e8eab651e9532c73f3d1e84a216c654f8844b6e35c77aa68833ba
                                          • Opcode Fuzzy Hash: 04fbe8f642e626939d5ded048618951192fd7906010909b1d7a42e49d815b11e
                                          • Instruction Fuzzy Hash: 17112B319481096ACB05F792EC53DFEB77A9E54318F10016FF712A20A1EF686AC6C699
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 67%
                                          			E00415556(intOrPtr* __ecx) {
                                          				intOrPtr _t20;
                                          				intOrPtr* _t22;
                                          				intOrPtr* _t28;
                                          
                                          				 *__ecx = 0;
                                          				_push( *((intOrPtr*)(__ecx + 8)));
                                          				L004191B0();
                                          				 *((intOrPtr*)(__ecx + 8)) = 0;
                                          				 *((intOrPtr*)(__ecx + 4)) = 0;
                                          				 *((intOrPtr*)(__ecx + 0x10)) = 0;
                                          				 *((intOrPtr*)(__ecx + 0x1c)) = 0;
                                          				_push( *((intOrPtr*)(__ecx + 0x24)));
                                          				L004191B0();
                                          				 *((intOrPtr*)(__ecx + 0x24)) = 0;
                                          				_push( *((intOrPtr*)(__ecx + 0x28)));
                                          				L004191B0();
                                          				 *((intOrPtr*)(__ecx + 0x28)) = 0;
                                          				_push( *((intOrPtr*)(__ecx + 0x2c)));
                                          				L004191B0();
                                          				 *((intOrPtr*)(__ecx + 0x2c)) = 0;
                                          				_push( *((intOrPtr*)(__ecx + 0x30)));
                                          				L004191B0();
                                          				 *((intOrPtr*)(__ecx + 0x30)) = 0;
                                          				_push( *((intOrPtr*)(__ecx + 0x34)));
                                          				L004191B0();
                                          				 *((intOrPtr*)(__ecx + 0x34)) = 0;
                                          				_push( *((intOrPtr*)(__ecx + 0x38)));
                                          				L004191B0();
                                          				 *((intOrPtr*)(__ecx + 0x38)) = 0;
                                          				_t22 = __ecx + 0x3c;
                                          				_pop(_t27);
                                          				_t28 = _t22;
                                          				_t20 =  *_t28;
                                          				if(_t20 != 0) {
                                          					_push(_t20);
                                          					L004191B0();
                                          					 *_t28 = 0;
                                          				}
                                          				 *((intOrPtr*)(_t28 + 4)) = 0;
                                          				return _t20;
                                          			}







                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: ??3@
                                          • String ID:
                                          • API String ID: 613200358-0
                                          • Opcode ID: 7c9371a914b57f19ce79c954a967c76c214296d55059a56f4cebc56dc326127b
                                          • Instruction ID: 4fa50ddcceeb69e8f72710d2ea5ebf37512df2501741efa383495b0307b540d7
                                          • Opcode Fuzzy Hash: 7c9371a914b57f19ce79c954a967c76c214296d55059a56f4cebc56dc326127b
                                          • Instruction Fuzzy Hash: E701C0B1800B41ABD231AF27C919887FEF2FF94304344592FE08702A25CB75B891DF88
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 85%
                                          			E0040A049() {
                                          				signed int _v8;
                                          				intOrPtr _v32;
                                          				intOrPtr _v36;
                                          				char* _v88;
                                          				char* _v92;
                                          				signed int _t25;
                                          				signed int _t30;
                                          				void* _t33;
                                          				signed short* _t39;
                                          
                                          				_v8 = _v8 & 0x00000000;
                                          				_t39 =  *0x41e8dc; // 0x562790
                                          				_t25 =  *_t39 & 0x0000ffff;
                                          				if(_t25 == 0) {
                                          					L46:
                                          					return _v8;
                                          				} else {
                                          					_t30 = 0x64;
                                          					do {
                                          						_t33 = (_t25 & 0x0000ffff) + 0xffffffbe;
                                          						if(_t33 > 0x38) {
                                          							goto L44;
                                          						}
                                          						switch( *((intOrPtr*)(( *(_t33 + 0x40a2c9) & 0x000000ff) * 4 +  &M0040A29D))) {
                                          							case 0:
                                          								if(E00405041() == 0) {
                                          									if( *_t39 != 0x42) {
                                          										_v8 = _t30;
                                          									} else {
                                          										_t27 = L"BeginPrompt";
                                          									}
                                          								}
                                          								_t36 =  *0x41e738; // 0x2560a38
                                          								E00408C28(_t36, _t27);
                                          								goto L44;
                                          							case 1:
                                          								__eflags =  *0x41e44c & 0x00000100;
                                          								if(__eflags != 0) {
                                          									L12:
                                          									__ecx =  &_v88;
                                          									__eax = E004076D3( &_v88, __edx, __eflags);
                                          									__ecx =  &_v88;
                                          									_v88 = 0x41bfb4;
                                          									__eax = E004080A7(0);
                                          									goto L13;
                                          								}
                                          								__eflags = __ax - 0x43;
                                          								if(__eflags == 0) {
                                          									goto L12;
                                          								}
                                          								goto L11;
                                          							case 2:
                                          								__eflags =  *0x41e770 - 2;
                                          								if( *0x41e770 != 2) {
                                          									L20:
                                          									__eax = E00408D16(__edx);
                                          									goto L44;
                                          								}
                                          								__eflags = __ax - 0x45;
                                          								if(__eflags != 0) {
                                          									goto L11;
                                          								}
                                          								goto L20;
                                          							case 3:
                                          								__edx = 0;
                                          								__ecx = L"FinishMessage";
                                          								__esi = E00405041();
                                          								__eflags = __esi;
                                          								if(__esi == 0) {
                                          									__eflags =  *__edi - 0x46;
                                          									if( *__edi == 0x46) {
                                          										__esi = L"FinishMessage";
                                          									}
                                          								}
                                          								__eflags =  *0x41e458;
                                          								if(__eflags < 0) {
                                          									 *0x41e458 = 1;
                                          									__eflags =  *0x41e458;
                                          								}
                                          								if(__eflags > 0) {
                                          									L31:
                                          									__ecx =  &_v88;
                                          									__eax = E004076D3( &_v88, __edx, __eflags);
                                          									__ecx =  &_v88;
                                          									_v88 = "G]@";
                                          									_v32 = 0x7d5;
                                          									__eax = E00407A45( &_v88, 0x11,  *0x41e738, __esi, 0);
                                          									L13:
                                          									__ecx =  &_v88;
                                          									goto L14;
                                          								} else {
                                          									__eflags =  *__edi - 0x46;
                                          									if(__eflags != 0) {
                                          										goto L11;
                                          									}
                                          									goto L31;
                                          								}
                                          							case 4:
                                          								__edx = 0;
                                          								__ecx = L"HelpText";
                                          								__eax = E00405041();
                                          								__esi = __eax;
                                          								__eflags = __eax;
                                          								if(__eflags != 0) {
                                          									L36:
                                          									__ecx =  &_v92;
                                          									__eax = E004076D3( &_v92, __edx, __eflags);
                                          									__ecx =  &_v92;
                                          									_v92 = "G]@";
                                          									_v36 = 0x7d6;
                                          									__eax = E00407A45( &_v92, 0x11,  *0x41e738, __esi, 0);
                                          									__ecx =  &_v92;
                                          									L14:
                                          									__eax = E00407734(__eax, __ecx);
                                          									goto L44;
                                          								}
                                          								__eflags =  *__edi - 0x48;
                                          								if(__eflags != 0) {
                                          									L35:
                                          									_v8 = __ebx;
                                          									goto L36;
                                          								}
                                          								_push(0x18);
                                          								_pop(__ecx);
                                          								__eax = E00403DC8(L"HelpText");
                                          								__esi = __eax;
                                          								__eflags = __eax;
                                          								if(__eflags != 0) {
                                          									goto L36;
                                          								}
                                          								goto L35;
                                          							case 5:
                                          								__ecx =  *0x41e44c;
                                          								__ecx =  *0x41e44c & 0x000000c0;
                                          								__eflags = __cl - 0x80;
                                          								if(__cl == 0x80) {
                                          									L17:
                                          									__edx =  *0x41e748; // 0x56bb10
                                          									__ecx =  *0x41e754; // 0x56bae0
                                          									__eax = E00408CC3(__ecx, __edx);
                                          									goto L44;
                                          								}
                                          								__eflags = __ax - 0x50;
                                          								if(__eflags != 0) {
                                          									goto L11;
                                          								}
                                          								goto L17;
                                          							case 6:
                                          								__esi = 0x41e7f0;
                                          								__ecx = 0x41e7f0;
                                          								__eax = E00408D7B(0x41e7f0, __edx, __eflags);
                                          								do {
                                          									Sleep(__ebx);
                                          									__ecx = 0x41e7f0;
                                          									__eflags = E0040769B(0x41e7f0);
                                          								} while (__eflags != 0);
                                          								goto L44;
                                          							case 7:
                                          								__edx = 0;
                                          								__ecx = L"WarningTitle";
                                          								__eax = E00405041();
                                          								__eflags = __eax;
                                          								if(__eax != 0) {
                                          									L42:
                                          									_push(0x2a);
                                          									_pop(__ecx);
                                          									__ecx = E00403DC8(__ecx);
                                          									__eax = E004096FF(__ecx, __edx, __eflags);
                                          									goto L44;
                                          								}
                                          								__eflags =  *__edi - 0x57;
                                          								if(__eflags != 0) {
                                          									goto L11;
                                          								}
                                          								goto L42;
                                          							case 8:
                                          								__eax = E00401080(__edx, __eflags);
                                          								goto L44;
                                          							case 9:
                                          								__edx = 0;
                                          								__ecx = L"ErrorTitle";
                                          								__eax = E00405041();
                                          								__eflags = __eax;
                                          								if(__eax != 0) {
                                          									L23:
                                          									_push(0xf);
                                          									_push(0);
                                          									__eax = E0040976C(__edx);
                                          									_pop(__ecx);
                                          									_pop(__ecx);
                                          									goto L44;
                                          								}
                                          								__eflags =  *__edi - 0x5a;
                                          								if(__eflags != 0) {
                                          									L11:
                                          									_v8 = __ebx;
                                          									goto L44;
                                          								}
                                          								goto L23;
                                          							case 0xa:
                                          								goto L44;
                                          						}
                                          						L44:
                                          						_t39 =  &(_t39[1]);
                                          						_t25 =  *_t39 & 0x0000ffff;
                                          					} while (_t25 != 0);
                                          					goto L46;
                                          				}
                                          			}












                                          0x0040a14f
                                          0x0040a153
                                          0x0040a0cb
                                          0x0040a0cb
                                          0x00000000
                                          0x0040a0cb
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x0040a284
                                          0x0040a284
                                          0x0040a287
                                          0x0040a28a
                                          0x00000000
                                          0x0040a294

                                          APIs
                                          • Sleep.KERNEL32(00000064,0041E89C,00000000,00000000), ref: 0040A241
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: Sleep
                                          • String ID: BeginPrompt$ErrorTitle$FinishMessage$HelpText$WarningTitle
                                          • API String ID: 3472027048-1960609661
                                          • Opcode ID: cf9250849fedc6f67974e0ceab6cd0c6a5807e8a287a7b517c2b9e144e56b559
                                          • Instruction ID: 6ded7748b71ab9f5b936a386d8eac6af1666c8eea906bb290fcf471db964143e
                                          • Opcode Fuzzy Hash: cf9250849fedc6f67974e0ceab6cd0c6a5807e8a287a7b517c2b9e144e56b559
                                          • Instruction Fuzzy Hash: 6151B134E0174587EB24ABA689117AE73A1AF50318F14807FE8023B3D1EB7D59A5D64F
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 98%
                                          			E00416E4A(void* __ecx, void* __edx, void* __eflags, signed int _a4, signed int _a7, signed int _a8) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed int _v24;
                                          				intOrPtr _v28;
                                          				intOrPtr _v32;
                                          				signed int _v36;
                                          				signed int _v40;
                                          				signed int _v44;
                                          				intOrPtr _v48;
                                          				signed int _v52;
                                          				signed int _v56;
                                          				signed int _v60;
                                          				signed int _v64;
                                          				char _v68;
                                          				signed int _v72;
                                          				signed int _v76;
                                          				signed int _v80;
                                          				signed int _v84;
                                          				signed int _v88;
                                          				signed int _v92;
                                          				void* __edi;
                                          				void* __esi;
                                          				void* __ebp;
                                          				intOrPtr _t223;
                                          				signed int _t233;
                                          				signed int _t234;
                                          				signed int _t236;
                                          				signed int _t245;
                                          				signed int _t246;
                                          				signed int _t247;
                                          				signed int _t249;
                                          				intOrPtr _t254;
                                          				void* _t256;
                                          				void* _t257;
                                          				void* _t258;
                                          				signed char _t260;
                                          				intOrPtr _t264;
                                          				void* _t269;
                                          				signed int _t270;
                                          				void* _t271;
                                          				signed int _t275;
                                          				signed int _t295;
                                          				intOrPtr _t297;
                                          				intOrPtr _t310;
                                          				signed int _t314;
                                          				intOrPtr _t316;
                                          				signed int _t317;
                                          				char _t319;
                                          				signed int _t321;
                                          				signed int _t326;
                                          				signed int _t333;
                                          				void* _t334;
                                          				intOrPtr _t335;
                                          				intOrPtr* _t336;
                                          				signed int _t338;
                                          				void* _t347;
                                          				void* _t348;
                                          
                                          				_t349 = __eflags;
                                          				_t347 = __ecx;
                                          				E004168B6(__ecx, __edx, _t334, __eflags, 0xb, 0);
                                          				_t223 = E004160BB( *((intOrPtr*)(__ecx + 0x38)), __edx, __ecx, __eflags);
                                          				_v12 = _v12 & 0x00000000;
                                          				_t335 = _t223;
                                          				_v32 = _t335;
                                          				_v64 = 0;
                                          				E004167E7( &_v68, __edx, _t348, __eflags, _t347, _a4);
                                          				_t275 = _a8;
                                          				_t11 = _t335 + 1; // 0x1
                                          				_v28 =  *((intOrPtr*)( *(_t347 + 0x38) + 8)) +  *( *(_t347 + 0x38));
                                          				 *((intOrPtr*)(_t275 + 4)) = _t335;
                                          				_a4 = _t11;
                                          				E00416221(E004161F4(_t275 + 0x30, __eflags, _t11), _t275 + 0x34, _t335);
                                          				E004161F4(_t275 + 0x38, _t349, _a4);
                                          				_t336 = _t275 + 0x2c;
                                          				E004161F4(_t336, _t349, _v32 + 1);
                                          				_t233 = 0;
                                          				_v92 = 0;
                                          				_v88 = 0;
                                          				_v84 = 0;
                                          				_v80 = 0;
                                          				_v76 = 0;
                                          				_v72 = 0;
                                          				_v44 = 0;
                                          				_v20 =  *(_t347 + 0x38);
                                          				_v24 = 0;
                                          				_t350 = _v32;
                                          				if(_v32 > 0) {
                                          					while(1) {
                                          						_t337 = _v24;
                                          						_t326 =  *((intOrPtr*)( *(_t347 + 0x38) + 8)) - _v28 +  *( *(_t347 + 0x38));
                                          						 *( *(_t275 + 0x38) + _v24 * 4) = _t326;
                                          						_t288 = _v20;
                                          						_v40 = _t233;
                                          						_a8 = _t233;
                                          						_t234 = E004160BB(_v20, _t326, _t347, __eflags);
                                          						_v8 = _t234;
                                          						__eflags = _t234;
                                          						if(_t234 == 0) {
                                          							break;
                                          						}
                                          						__eflags = _t234 - 0x40;
                                          						if(_t234 > 0x40) {
                                          							break;
                                          						}
                                          						_v36 = _v36 & 0x00000000;
                                          						__eflags = _t234;
                                          						if(_t234 == 0) {
                                          							L37:
                                          							_t288 = 1;
                                          							__eflags = _t234 - 1;
                                          							if(_t234 != 1) {
                                          								L40:
                                          								_t337 = _a8;
                                          								__eflags = _a8 - _t234 - 1;
                                          								if(__eflags < 0) {
                                          									break;
                                          								}
                                          								E004167C5( &_v92, _t337, __eflags);
                                          								_t338 = _v8;
                                          								E004167C5( &_v80, _t338, __eflags);
                                          								_a4 = _a4 & 0x00000000;
                                          								_t337 = _t338 - 1;
                                          								__eflags = _t337;
                                          								_v36 = _t337;
                                          								if(__eflags == 0) {
                                          									L47:
                                          									_t337 = _a8 - _v36;
                                          									_v36 = _t337;
                                          									__eflags = _t337 - 1;
                                          									if(_t337 == 1) {
                                          										L52:
                                          										_t245 = 0;
                                          										__eflags = 0 - _v8;
                                          										if(__eflags >= 0) {
                                          											L58:
                                          											if(__eflags == 0) {
                                          												break;
                                          											}
                                          											L59:
                                          											_t246 = _v24;
                                          											_t295 = _v12;
                                          											_t336 = _t275 + 0x2c;
                                          											 *((intOrPtr*)( *_t336 + _t246 * 4)) = _t295;
                                          											_v12 = _t295 + _v8;
                                          											_t297 = _v44;
                                          											 *((intOrPtr*)( *((intOrPtr*)(_t275 + 0x30)) + _t246 * 4)) = _t297;
                                          											_v44 = _t297 + _v36;
                                          											 *((char*)(_t246 +  *((intOrPtr*)(_t275 + 0x34)))) = _v40;
                                          											_t247 = _t246 + 1;
                                          											_v24 = _t247;
                                          											__eflags = _t247 - _v32;
                                          											if(_t247 < _v32) {
                                          												_t233 = 0;
                                          												__eflags = 0;
                                          												continue;
                                          											}
                                          											goto L1;
                                          										} else {
                                          											goto L53;
                                          										}
                                          										while(1) {
                                          											L53:
                                          											_t288 = _v80;
                                          											__eflags =  *((char*)(_t288 + _t245));
                                          											if( *((char*)(_t288 + _t245)) == 0) {
                                          												break;
                                          											}
                                          											_t245 = _t245 + 1;
                                          											__eflags = _t245 - _v8;
                                          											if(_t245 < _v8) {
                                          												continue;
                                          											}
                                          											L57:
                                          											__eflags = _t245 - _v8;
                                          											goto L58;
                                          										}
                                          										_v40 = _t245;
                                          										goto L57;
                                          									}
                                          									_a4 = _a4 & 0x00000000;
                                          									__eflags = _t337;
                                          									if(__eflags == 0) {
                                          										goto L52;
                                          									} else {
                                          										goto L49;
                                          									}
                                          									while(1) {
                                          										L49:
                                          										_t288 = _v20;
                                          										_t256 = E004160BB(_v20, _t326, _t347, __eflags);
                                          										__eflags = _t256 - _a8;
                                          										if(_t256 >= _a8) {
                                          											goto L61;
                                          										}
                                          										_t288 = _v92;
                                          										__eflags =  *((char*)(_t256 + _t288));
                                          										if( *((char*)(_t256 + _t288)) != 0) {
                                          											goto L61;
                                          										}
                                          										_a4 = _a4 + 1;
                                          										 *((char*)(_t256 + _t288)) = 1;
                                          										__eflags = _a4 - _t337;
                                          										if(__eflags < 0) {
                                          											continue;
                                          										}
                                          										goto L52;
                                          									}
                                          									break;
                                          								} else {
                                          									goto L42;
                                          								}
                                          								while(1) {
                                          									L42:
                                          									_t288 =  *(_t347 + 0x38);
                                          									_t257 = E004160BB( *(_t347 + 0x38), _t326, _t347, __eflags);
                                          									__eflags = _t257 - _a8;
                                          									if(_t257 >= _a8) {
                                          										goto L61;
                                          									}
                                          									_t288 = _v92;
                                          									__eflags =  *((char*)(_t257 + _t288));
                                          									if(__eflags != 0) {
                                          										goto L61;
                                          									}
                                          									 *((char*)(_t257 + _t288)) = 1;
                                          									_t288 =  *(_t347 + 0x38);
                                          									_t258 = E004160BB( *(_t347 + 0x38), _t326, _t347, __eflags);
                                          									__eflags = _t258 - _v8;
                                          									if(_t258 >= _v8) {
                                          										goto L61;
                                          									}
                                          									_t288 = _v80;
                                          									__eflags =  *((char*)(_t258 + _t288));
                                          									if( *((char*)(_t258 + _t288)) != 0) {
                                          										goto L61;
                                          									}
                                          									_a4 = _a4 + 1;
                                          									 *((char*)(_t258 + _t288)) = 1;
                                          									__eflags = _a4 - _v36;
                                          									if(__eflags < 0) {
                                          										continue;
                                          									}
                                          									goto L47;
                                          								}
                                          								break;
                                          							}
                                          							__eflags = _a8 - 1;
                                          							if(_a8 != 1) {
                                          								goto L40;
                                          							}
                                          							_v40 = _v40 & 0x00000000;
                                          							_v36 = 1;
                                          							goto L59;
                                          						} else {
                                          							goto L8;
                                          						}
                                          						while(1) {
                                          							L8:
                                          							_t337 = _v20;
                                          							_t288 = _t337;
                                          							_t260 = E00415F52(_t337, _t337);
                                          							_a7 = _t260;
                                          							__eflags = _t260 & 0x000000c0;
                                          							if((_t260 & 0x000000c0) != 0) {
                                          								goto L61;
                                          							}
                                          							_t288 = _t260 & 0xf;
                                          							_v52 = _t288;
                                          							__eflags = _t288 - 8;
                                          							if(_t288 > 8) {
                                          								goto L61;
                                          							}
                                          							_t326 =  *(_t337 + 8);
                                          							__eflags = _t288 -  *((intOrPtr*)(_t337 + 4)) - _t326;
                                          							if(_t288 >  *((intOrPtr*)(_t337 + 4)) - _t326) {
                                          								L62:
                                          								_t236 = E00415EBA(_t288, _t337);
                                          								L63:
                                          								__eflags = _t236 - 0xa;
                                          								if(_t236 != 0xa) {
                                          									L66:
                                          									E004163EB( *(_t347 + 0x38), _t326);
                                          									L67:
                                          									_t236 = E00416087( *(_t347 + 0x38));
                                          									if((_t236 | _t326) != 0) {
                                          										goto L63;
                                          									}
                                          									return _t236;
                                          								}
                                          								__eflags = _t326;
                                          								if(__eflags != 0) {
                                          									goto L66;
                                          								}
                                          								E00416D08(_t347, __eflags, _v32, _t275 + 0xc);
                                          								goto L67;
                                          							}
                                          							_v60 = _v60 & 0x00000000;
                                          							_v56 = _v56 & 0x00000000;
                                          							_v16 = _v16 & 0x00000000;
                                          							_t264 =  *_t337 + _t326;
                                          							_v48 = _t264;
                                          							__eflags = _t288;
                                          							if(_t288 == 0) {
                                          								L16:
                                          								 *(_t337 + 8) =  *(_t337 + 8) + _t288;
                                          								__eflags =  *((intOrPtr*)(_t275 + 0x50)) - 0x80;
                                          								if( *((intOrPtr*)(_t275 + 0x50)) < 0x80) {
                                          									_t288 = _t275 + 0x4c;
                                          									E004169F7(_t275 + 0x4c, _v60, _v56);
                                          								}
                                          								__eflags = _a7 & 0x00000010;
                                          								_v16 = 1;
                                          								if(__eflags == 0) {
                                          									L21:
                                          									_a8 = _a8 + _v16;
                                          									__eflags = _a8 - 0x40;
                                          									if(_a8 > 0x40) {
                                          										goto L61;
                                          									}
                                          									__eflags = _a7 & 0x00000020;
                                          									if(__eflags == 0) {
                                          										L35:
                                          										_v36 = _v36 + 1;
                                          										__eflags = _v36 - _v8;
                                          										if(_v36 < _v8) {
                                          											continue;
                                          										}
                                          										_t234 = _v8;
                                          										goto L37;
                                          									}
                                          									_t269 = E004160BB(_t337, _t326, _t347, __eflags);
                                          									_t288 =  *((intOrPtr*)(_t337 + 4)) -  *(_t337 + 8);
                                          									__eflags = _t269 -  *((intOrPtr*)(_t337 + 4)) -  *(_t337 + 8);
                                          									if(_t269 >  *((intOrPtr*)(_t337 + 4)) -  *(_t337 + 8)) {
                                          										goto L62;
                                          									}
                                          									__eflags = _v60 - 0x21;
                                          									if(_v60 != 0x21) {
                                          										L29:
                                          										__eflags = _v60 - 0x30101;
                                          										if(_v60 == 0x30101) {
                                          											__eflags = _v56;
                                          											if(_v56 == 0) {
                                          												__eflags = _t269 - 5;
                                          												if(_t269 == 5) {
                                          													_t314 =  *(_t347 + 0x38);
                                          													_t326 =  *(_t314 + 8);
                                          													_t316 =  *((intOrPtr*)(_t326 +  *_t314 + 1));
                                          													__eflags =  *((intOrPtr*)(_t275 + 0x48)) - _t316;
                                          													if( *((intOrPtr*)(_t275 + 0x48)) < _t316) {
                                          														 *((intOrPtr*)(_t275 + 0x48)) = _t316;
                                          													}
                                          												}
                                          											}
                                          										}
                                          										L34:
                                          										_t149 = _t337 + 8;
                                          										 *_t149 =  *(_t337 + 8) + _t269;
                                          										__eflags =  *_t149;
                                          										goto L35;
                                          									}
                                          									__eflags = _v56;
                                          									if(_v56 != 0) {
                                          										goto L29;
                                          									}
                                          									__eflags = _t269 - 1;
                                          									if(_t269 == 1) {
                                          										_t317 =  *(_t347 + 0x38);
                                          										_t326 =  *(_t317 + 8);
                                          										_t319 =  *((intOrPtr*)(_t326 +  *_t317));
                                          										__eflags =  *((intOrPtr*)(_t275 + 0x44)) - _t319;
                                          										if( *((intOrPtr*)(_t275 + 0x44)) < _t319) {
                                          											 *((char*)(_t275 + 0x44)) = _t319;
                                          										}
                                          									}
                                          									goto L34;
                                          								} else {
                                          									_t288 = _t337;
                                          									_t270 = E004160BB(_t337, _t326, _t347, __eflags);
                                          									_v16 = _t270;
                                          									__eflags = _t270 - 0x40;
                                          									if(__eflags > 0) {
                                          										goto L61;
                                          									}
                                          									_t288 = _t337;
                                          									_t271 = E004160BB(_t337, _t326, _t347, __eflags);
                                          									__eflags = _t271 - 1;
                                          									if(_t271 != 1) {
                                          										goto L61;
                                          									}
                                          									goto L21;
                                          								}
                                          							} else {
                                          								goto L14;
                                          								L14:
                                          								_t321 = _v60;
                                          								asm("cdq");
                                          								_t288 = _v52;
                                          								_t326 = _t326 | (_v56 << 0x00000020 | _t321) << 0x8;
                                          								_v16 = _v16 + 1;
                                          								_v60 =  *(_v16 + _t264) & 0x000000ff | _t321 << 0x00000008;
                                          								_v56 = _t326;
                                          								__eflags = _v16 - _t288;
                                          								if(_v16 < _t288) {
                                          									_t264 = _v48;
                                          									goto L14;
                                          								} else {
                                          									_t337 = _v20;
                                          									goto L16;
                                          								}
                                          							}
                                          						}
                                          						break;
                                          					}
                                          					L61:
                                          					E00415EDA(_t288);
                                          					goto L62;
                                          				}
                                          				L1:
                                          				_t249 = _v24;
                                          				 *((intOrPtr*)( *_t336 + _t249 * 4)) = _v12;
                                          				 *((intOrPtr*)( *((intOrPtr*)(_t275 + 0x30)) + _t249 * 4)) = _v44;
                                          				_t326 =  *(_t275 + 0x38);
                                          				 *((intOrPtr*)(_t326 + _t249 * 4)) =  *((intOrPtr*)( *(_t347 + 0x38) + 8)) - _v28 +  *( *(_t347 + 0x38));
                                          				E0040C020(_t275 + 0x3c, _v28,  *((intOrPtr*)( *(_t347 + 0x38) + 8)) - _v28 +  *( *(_t347 + 0x38)));
                                          				_push(_v80);
                                          				L004191B0();
                                          				_push(_v92);
                                          				L004191B0();
                                          				E00415EF3( &_v68);
                                          				E004168B6(_t347, _t326,  *((intOrPtr*)( *(_t347 + 0x38) + 8)) - _v28 +  *( *(_t347 + 0x38)), _t350, 0xc, 0);
                                          				E004161C7(_t275 + 0x28, _t350, _v12);
                                          				_a4 = _a4 & 0x00000000;
                                          				if(_v12 <= 0) {
                                          					goto L67;
                                          				} else {
                                          					goto L2;
                                          				}
                                          				do {
                                          					L2:
                                          					_t254 = E00416087( *(_t347 + 0x38));
                                          					_t310 =  *((intOrPtr*)(_t275 + 0x28));
                                          					_v64 = _t326;
                                          					_t333 = _a4;
                                          					 *((intOrPtr*)(_t310 + _t333 * 8)) = _t254;
                                          					 *(_t310 + 4 + _t333 * 8) = _v64;
                                          					_t326 = _t333 + 1;
                                          					_a4 = _t326;
                                          				} while (_t326 < _v12);
                                          				goto L67;
                                          			}

                                          APIs
                                            • Part of subcall function 004161F4: ??3@YAXPAX@Z.MSVCRT ref: 004161F9
                                            • Part of subcall function 004161F4: ??2@YAPAXI@Z.MSVCRT ref: 00416214
                                            • Part of subcall function 00416221: ??3@YAXPAX@Z.MSVCRT ref: 00416226
                                            • Part of subcall function 00416221: ??2@YAPAXI@Z.MSVCRT ref: 00416232
                                            • Part of subcall function 0040C020: ??3@YAXPAX@Z.MSVCRT ref: 0040C034
                                            • Part of subcall function 0040C020: ??2@YAPAXI@Z.MSVCRT ref: 0040C04E
                                            • Part of subcall function 0040C020: memcpy.MSVCRT ref: 0040C068
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00416F2C
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00416F34
                                            • Part of subcall function 004161C7: ??3@YAXPAX@Z.MSVCRT ref: 004161CC
                                            • Part of subcall function 004161C7: ??2@YAPAXI@Z.MSVCRT ref: 004161E7
                                            • Part of subcall function 004167C5: memset.MSVCRT ref: 004167DD
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: ??3@$??2@$memcpymemset
                                          • String ID: $!$@
                                          • API String ID: 1807930983-2517134481
                                          • Opcode ID: 2e028c5046e16f84e286dfab5e01026ea567286e3fcc8e8ae10bc411d946f500
                                          • Instruction ID: f55dd101b204f21da1f631f5c3487a3bc2704fd2e33f175c23863e5c7b78e8a3
                                          • Opcode Fuzzy Hash: 2e028c5046e16f84e286dfab5e01026ea567286e3fcc8e8ae10bc411d946f500
                                          • Instruction Fuzzy Hash: C0E13D70904249DFCF14DF95C580AEDBBB2BF49314F25849EE806AB352D739A9C2CB58
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 89%
                                          			E004013A6() {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* __ecx;
                                          				signed int _t31;
                                          				signed int _t33;
                                          				signed int _t34;
                                          				intOrPtr* _t35;
                                          				long _t36;
                                          				intOrPtr* _t37;
                                          				intOrPtr* _t38;
                                          				intOrPtr _t41;
                                          				signed int _t49;
                                          				void* _t51;
                                          				signed int _t66;
                                          				void* _t69;
                                          				signed int _t73;
                                          				intOrPtr* _t74;
                                          				void* _t77;
                                          
                                          				_push(_t51);
                                          				_push(_t51);
                                          				_t69 = _t51;
                                          				if(( *0x41e774 & 0x00000040) != 0) {
                                          					L19:
                                          					_t31 = 0;
                                          					L20:
                                          					return _t31;
                                          				}
                                          				_t76 =  *0x41e704;
                                          				if( *0x41e704 > 0) {
                                          					goto L19;
                                          				}
                                          				_t77 = E00401341(_t51, _t76);
                                          				if(_t77 == 0) {
                                          					goto L19;
                                          				}
                                          				_t33 = E004011CA(_t69);
                                          				_t66 = 4;
                                          				_t49 = _t33;
                                          				_t34 = _t33 * _t66;
                                          				_push( ~(0 | _t77 > 0x00000000) | _t34);
                                          				L004191BC();
                                          				_t73 = 0;
                                          				_v12 = _t34;
                                          				_v8 = 0;
                                          				if(_t49 <= 0) {
                                          					L8:
                                          					_push(_v12);
                                          					L004191B0();
                                          					goto L19;
                                          				} else {
                                          					goto L4;
                                          				}
                                          				do {
                                          					L4:
                                          					_t35 = E00407376(_t73);
                                          					if(_t35 != 0) {
                                          						_t35 = _v12;
                                          						_v8 = _v8 + 1;
                                          						 *((intOrPtr*)(_t35 + _v8 * 4)) = _t73;
                                          					}
                                          					_t73 = _t73 + 1;
                                          				} while (_t73 < _t49);
                                          				if(_v8 != 0) {
                                          					_push(0x14);
                                          					L004191BC();
                                          					__eflags = _t35;
                                          					if(_t35 == 0) {
                                          						_t74 = 0;
                                          						__eflags = 0;
                                          					} else {
                                          						_t74 = E00401280(_t35, _t35);
                                          					}
                                          					__eflags = _t74;
                                          					if(_t74 != 0) {
                                          						 *((intOrPtr*)( *_t74 + 4))(_t74);
                                          					}
                                          					_t36 = GetTickCount();
                                          					 *(_t69 + 0x88) = _t36;
                                          					_t22 = _t69 + 8; // 0x562608
                                          					_t37 =  *_t22;
                                          					_t38 =  *((intOrPtr*)( *_t37 + 0x1c))(_t37, _v12, _v8, 0, _t74);
                                          					__eflags = _t38;
                                          					if(_t38 != 0) {
                                          						L17:
                                          						_push(_v12);
                                          						L004191B0();
                                          						__eflags = _t74;
                                          						if(_t74 != 0) {
                                          							 *((intOrPtr*)( *_t74 + 8))(_t74);
                                          						}
                                          						goto L19;
                                          					} else {
                                          						_t41 =  *((intOrPtr*)(_t74 + 0xc));
                                          						__eflags =  *((intOrPtr*)(_t41 + 0x10));
                                          						if( *((intOrPtr*)(_t41 + 0x10)) == 0) {
                                          							goto L17;
                                          						}
                                          						L004191B0();
                                          						 *((intOrPtr*)( *_t74 + 8))(_t74, _v12);
                                          						_t31 = 1;
                                          						goto L20;
                                          					}
                                          				}
                                          				goto L8;
                                          			}






















                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: ??3@$??2@$CountTick
                                          • String ID:
                                          • API String ID: 590505967-0
                                          • Opcode ID: 4699d905c8759a55064c140dd67c413f7b2118ce164f0ad64860b0f17ea45ef9
                                          • Instruction ID: a6903403f5f4fcf2204198b93a2ae2fd4058f2025a7845204c1723fd466c5d3b
                                          • Opcode Fuzzy Hash: 4699d905c8759a55064c140dd67c413f7b2118ce164f0ad64860b0f17ea45ef9
                                          • Instruction Fuzzy Hash: F531D331A00111AFCF25AFA5C8899AEB7A5AF05314F14407FF942B72B1DB388D81D798
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 91%
                                          			E00406013(void* __ecx, intOrPtr* __edx) {
                                          				intOrPtr* _v8;
                                          				char _v12;
                                          				intOrPtr _v20;
                                          				char _v24;
                                          				signed int _v32;
                                          				void* _v36;
                                          				short _v40;
                                          				short _v44;
                                          				signed int _v52;
                                          				short _v56;
                                          				char _v60;
                                          				void* __esi;
                                          				void* _t39;
                                          				void* _t48;
                                          				signed int _t55;
                                          				void* _t56;
                                          				void* _t57;
                                          
                                          				_v52 = _v52 | 0xffffffff;
                                          				_t57 = __ecx;
                                          				_v8 = __edx;
                                          				_v56 = 0;
                                          				_v60 = 0x41ab9c;
                                          				_v44 = 0;
                                          				_v40 = 0;
                                          				_t39 = E00411412(__ecx, 1);
                                          				_t79 = _t39;
                                          				if(_t39 != 0) {
                                          					L6:
                                          					E00411743(_t39,  &_v24);
                                          					E004117A8( &_v24, 0x41e484);
                                          					E00411846( &_v24, ";!@Install@!UTF-8!");
                                          					E00411846( &_v24,  *_v8);
                                          					E00411846( &_v24, ";!@InstallEnd@!");
                                          					_t48 = E0041249F(0x41ab9c,  &_v60, _v24, _v20,  &_v12);
                                          					__eflags = _t48;
                                          					if(_t48 != 0) {
                                          						L9:
                                          						_push(_v24);
                                          						L10:
                                          						L004191B0();
                                          						_v60 = 0x41ab9c;
                                          						E0041115B( &_v52);
                                          						return 0;
                                          					}
                                          					__eflags = _v12 - _v20;
                                          					if(_v12 != _v20) {
                                          						goto L9;
                                          					}
                                          					_push(_v24);
                                          					L004191B0();
                                          					_v60 = 0x41ab9c;
                                          					E0041115B( &_v52);
                                          					return 1;
                                          				}
                                          				E00411B84( &_v36, __ecx);
                                          				_t55 = E004038FB( &_v36, _t79);
                                          				if(_t55 >= 0) {
                                          					_t76 = _v36;
                                          					_v32 = _t55;
                                          					 *((short*)(_v36 + _t55 * 2)) = 0;
                                          					_t56 = E00404772(_v36, _t76);
                                          					__eflags = _t56;
                                          					if(_t56 == 0) {
                                          						goto L2;
                                          					}
                                          					_v44 = 0;
                                          					_v40 = 0;
                                          					_t39 = E00411412(_t57, 1);
                                          					__eflags = _t39;
                                          					if(_t39 == 0) {
                                          						goto L2;
                                          					}
                                          					_push(_v36);
                                          					L004191B0();
                                          					goto L6;
                                          				}
                                          				L2:
                                          				_push(_v36);
                                          				goto L10;
                                          			}





















                                          APIs
                                          • ??3@YAXPAX@Z.MSVCRT ref: 004060F8
                                            • Part of subcall function 00411B84: memcpy.MSVCRT ref: 00411BAA
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00406094
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00406110
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: ??3@$memcpy
                                          • String ID: ;!@Install@!UTF-8!$;!@InstallEnd@!
                                          • API String ID: 750647942-372238525
                                          • Opcode ID: 102760258bb57b0453f08181b6363c86a14e2b67dcb9ddf4d16648d83637f981
                                          • Instruction ID: 6115e21da8c550f7c259bf06f757151a7c4d16b5fd4a7f66b5d549820aeda24a
                                          • Opcode Fuzzy Hash: 102760258bb57b0453f08181b6363c86a14e2b67dcb9ddf4d16648d83637f981
                                          • Instruction Fuzzy Hash: 69315271D00219ABCF05EF95DD929EEBB75BF54314F20002BF512B22E2DB381A95CB29
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0040439D(intOrPtr __edx, void* __eflags) {
                                          				void* __ecx;
                                          				void* _t8;
                                          				long _t11;
                                          				WCHAR* _t12;
                                          				short* _t22;
                                          				long _t23;
                                          				WCHAR** _t24;
                                          				void* _t34;
                                          				WCHAR** _t35;
                                          				short _t36;
                                          				void* _t37;
                                          
                                          				 *((intOrPtr*)(_t37 + 0x10)) = __edx;
                                          				_t35 = _t24;
                                          				E00411B60(_t8, _t24);
                                          				_t11 = GetTempPathW(1, E004042F3(_t35, __edx, 2));
                                          				_t36 = 0;
                                          				_t35[1] = 0;
                                          				 *( *_t35) = 0;
                                          				if(_t11 > 0) {
                                          					_t3 = _t11 + 1; // 0x1
                                          					_t23 = _t3;
                                          					GetTempPathW(_t23, E004042F3(_t35, 0, _t23));
                                          					E004042D8(_t35);
                                          				}
                                          				_t12 = _t35[1];
                                          				_t22 =  &(_t12[7]);
                                          				_t34 = _t12 + _t12;
                                          				while(1) {
                                          					wsprintfW(E004042F3(_t35, 0, _t22) + _t34,  *(_t37 + 0x14), _t36);
                                          					_t37 = _t37 + 0xc;
                                          					E004042D8(_t35);
                                          					if(GetFileAttributesW( *_t35) == 0xffffffff) {
                                          						break;
                                          					}
                                          					_t36 = _t36 + 1;
                                          					if(_t36 < 0xfff) {
                                          						continue;
                                          					}
                                          					break;
                                          				}
                                          				return _t35;
                                          			}















                                          APIs
                                            • Part of subcall function 00411B60: ??2@YAPAXI@Z.MSVCRT ref: 00411B68
                                            • Part of subcall function 004042F3: wcsncpy.MSVCRT ref: 00404321
                                            • Part of subcall function 004042F3: ??3@YAXPAX@Z.MSVCRT ref: 0040432C
                                          • GetTempPathW.KERNEL32(00000001,00000000,00000002,PreExtract,0041AA3C,?,00000000,?,00405BF5), ref: 004043BF
                                          • GetTempPathW.KERNEL32(00000001,00000000,00000001,?,00000000,?,00405BF5), ref: 004043DE
                                          • wsprintfW.USER32 ref: 00404400
                                          • GetFileAttributesW.KERNEL32(?,?,?,00405BF5,?,?,?,?,?,?,?,?,?,?,004070C0,0041E844), ref: 00404412
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: PathTemp$??2@??3@AttributesFilewcsncpywsprintf
                                          • String ID: PreExtract
                                          • API String ID: 342973707-1883995278
                                          • Opcode ID: 3caa998f6f9b15566bfd3027daf281284352955ee3439a0eb514e667720d2acc
                                          • Instruction ID: 87ce6a64adcde4581c58fbcd89a197d799c86788f89504f70527ff8ba021350e
                                          • Opcode Fuzzy Hash: 3caa998f6f9b15566bfd3027daf281284352955ee3439a0eb514e667720d2acc
                                          • Instruction Fuzzy Hash: EE0100B07012086BC214AF6ADC4492EF399EFC0758B01457EF206A76E2CF79991587A9
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 94%
                                          			E00407474(void* __ecx, void* __edx) {
                                          				intOrPtr _v16;
                                          				void* _t10;
                                          				signed int _t12;
                                          				void* _t15;
                                          				void* _t30;
                                          
                                          				_t30 = __ecx;
                                          				if( *((intOrPtr*)(__ecx + 8)) == 0) {
                                          					__eflags =  *0x41e774 & 0x00000080;
                                          					if(__eflags == 0) {
                                          						_t28 = L"7ZipSfx.%03x";
                                          						_t10 = E0040439D(L"7ZipSfx.%03x", __eflags);
                                          						_t6 = _t30 + 4; // 0x41e86c
                                          						E00411C48(_t6, _t10);
                                          						_push(_v16);
                                          						L004191B0();
                                          						_t8 = _t30 + 4; // 0x5624f0
                                          						_t12 = E00404772( *_t8, L"7ZipSfx.%03x");
                                          						__eflags = _t12;
                                          						if(_t12 != 0) {
                                          							E00407474(_t30, _t28);
                                          							_t9 = _t30 + 4; // 0x5624f0
                                          							E00405051(L"SfxVarApiPath",  *_t9, __eflags, 0);
                                          							_t15 = E0040758D();
                                          						} else {
                                          							_t15 = 0;
                                          						}
                                          						return _t15;
                                          					}
                                          					_t4 = _t30 + 4; // 0x41e86c
                                          					E00411C48(_t4, "`\xef\xbf				}
                                          				return 1;
                                          			}









                                          APIs
                                            • Part of subcall function 0040439D: GetTempPathW.KERNEL32(00000001,00000000,00000002,PreExtract,0041AA3C,?,00000000,?,00405BF5), ref: 004043BF
                                            • Part of subcall function 0040439D: GetTempPathW.KERNEL32(00000001,00000000,00000001,?,00000000,?,00405BF5), ref: 004043DE
                                            • Part of subcall function 0040439D: wsprintfW.USER32 ref: 00404400
                                            • Part of subcall function 0040439D: GetFileAttributesW.KERNEL32(?,?,?,00405BF5,?,?,?,?,?,?,?,?,?,?,004070C0,0041E844), ref: 00404412
                                            • Part of subcall function 00411C48: ??2@YAPAXI@Z.MSVCRT ref: 00411C70
                                            • Part of subcall function 00411C48: ??3@YAXPAX@Z.MSVCRT ref: 00411C79
                                            • Part of subcall function 00411C48: memcpy.MSVCRT ref: 00411C93
                                          • ??3@YAXPAX@Z.MSVCRT ref: 004074B9
                                            • Part of subcall function 00404772: lstrlenW.KERNEL32(?,0041E89C,0041E7B8,00000000,?,?,?,00402DFC,PreExtract,0041AA3C,0041E868), ref: 00404781
                                            • Part of subcall function 00404772: GetSystemTimeAsFileTime.KERNEL32(00402DFC,00000000,?,?,0041E89C,0041E7B8,00000000,?,?,?,00402DFC,PreExtract,0041AA3C,0041E868), ref: 004047ED
                                            • Part of subcall function 00404772: GetFileAttributesW.KERNELBASE(00000000,?,?,0041E89C,0041E7B8,00000000,?,?,?,00402DFC,PreExtract,0041AA3C,0041E868), ref: 004047F4
                                            • Part of subcall function 00404772: ??3@YAXPAX@Z.MSVCRT ref: 004048A6
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: ??3@File$AttributesPathTempTime$??2@Systemlstrlenmemcpywsprintf
                                          • String ID: 7ZipSfx.%03x$PreExtract$SfxVarApiPath$`V
                                          • API String ID: 1986220984-1835358673
                                          • Opcode ID: b650f4d05546b6de96449c7a266caf08ec487d924668627aae34cb48e3baaff6
                                          • Instruction ID: 2ce7c900065db82cd6f53f7d938477cc4679eae404a7dae147fc4add6962fe21
                                          • Opcode Fuzzy Hash: b650f4d05546b6de96449c7a266caf08ec487d924668627aae34cb48e3baaff6
                                          • Instruction Fuzzy Hash: 65F0D670A0810063C704B765D952AEEB7555F81308B10823FE926325E2EF3CA985C6CF
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 89%
                                          			E0040758D() {
                                          				signed int _v8;
                                          				intOrPtr _v12;
                                          				void* __ecx;
                                          				intOrPtr* _t23;
                                          				signed int _t25;
                                          				signed int _t26;
                                          				intOrPtr* _t27;
                                          				intOrPtr* _t30;
                                          				intOrPtr* _t31;
                                          				signed int _t41;
                                          				intOrPtr _t42;
                                          				signed int _t59;
                                          				signed int _t60;
                                          				signed int _t63;
                                          				intOrPtr _t64;
                                          				intOrPtr _t68;
                                          				intOrPtr* _t69;
                                          				void* _t71;
                                          				void* _t72;
                                          
                                          				_push(_t42);
                                          				_push(_t42);
                                          				_v12 = _t42;
                                          				if(( *0x41e774 & 0x00000080) == 0) {
                                          					L9:
                                          					_t23 = 0;
                                          					L10:
                                          					return _t23;
                                          				}
                                          				_t41 = 0;
                                          				_t71 =  *0x41e704 - _t41; // 0x0
                                          				if(_t71 > 0) {
                                          					goto L9;
                                          				}
                                          				_t72 = E00401341(0x41e7b8, _t71);
                                          				if(_t72 == 0) {
                                          					goto L9;
                                          				}
                                          				_t25 = E004011CA(0x41e7b8);
                                          				_t59 = 4;
                                          				_t63 = _t25;
                                          				_t60 = _t25 * _t59 >> 0x20;
                                          				_t26 = _t25 * _t59;
                                          				_push( ~(0 | _t72 > 0x00000000) | _t26);
                                          				L004191BC();
                                          				_t68 = 0;
                                          				_v8 = _t26;
                                          				if(_t63 == 0) {
                                          					L8:
                                          					_push(_v8);
                                          					L004191B0();
                                          					goto L9;
                                          				} else {
                                          					goto L4;
                                          				}
                                          				do {
                                          					L4:
                                          					_t27 = E0040742F(_t68);
                                          					if(_t27 != 0) {
                                          						_t27 = _v8;
                                          						 *((intOrPtr*)(_t27 + _t41 * 4)) = _t68;
                                          						_t41 = _t41 + 1;
                                          					}
                                          					_t68 = _t68 + 1;
                                          				} while (_t68 < _t63);
                                          				if(_t41 != 0) {
                                          					_push(0x48);
                                          					L004191BC();
                                          					__eflags = _t27;
                                          					if(_t27 == 0) {
                                          						_t69 = 0;
                                          						__eflags = 0;
                                          					} else {
                                          						_t69 = E00402671(_t27);
                                          					}
                                          					__eflags = _t69;
                                          					if(_t69 != 0) {
                                          						 *((intOrPtr*)( *_t69 + 4))(_t69);
                                          					}
                                          					_t64 = _v12;
                                          					E00407474(_t64, _t60);
                                          					_t17 = _t64 + 4; // 0x700062
                                          					E0040242A(_t69,  *_t17);
                                          					_t30 =  *0x41e7c0; // 0x562608
                                          					_t31 =  *((intOrPtr*)( *_t30 + 0x1c))(_t30, _v8, _t41, 0, _t69);
                                          					_push(_v8);
                                          					__eflags = _t31;
                                          					if(_t31 == 0) {
                                          						L004191B0();
                                          						__eflags = _t69;
                                          						if(_t69 != 0) {
                                          							 *((intOrPtr*)( *_t69 + 8))(_t69);
                                          						}
                                          						_t23 = 1;
                                          						goto L10;
                                          					} else {
                                          						L004191B0();
                                          						__eflags = _t69;
                                          						if(_t69 != 0) {
                                          							 *((intOrPtr*)( *_t69 + 8))(_t69);
                                          						}
                                          						goto L9;
                                          					}
                                          				}
                                          				goto L8;
                                          			}























                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: ??3@$??2@
                                          • String ID:
                                          • API String ID: 4113381792-0
                                          • Opcode ID: 357e7423da9001a941ef515e4cbd3ce3f2d2227d142375a73323132d154b3f2a
                                          • Instruction ID: a987b35fad98e116647973f19acdcfb235c3ad9f5bac28a4ad03e7c43b89f24f
                                          • Opcode Fuzzy Hash: 357e7423da9001a941ef515e4cbd3ce3f2d2227d142375a73323132d154b3f2a
                                          • Instruction Fuzzy Hash: B2315531E04A116BDB266BA9C8159AFB7A58F01724B14047FFD037B3D1DB39AC42C68E
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 94%
                                          			E0040161A(void* __ecx) {
                                          				signed int _v5;
                                          				signed int _v16;
                                          				signed short* _v20;
                                          				char _v32;
                                          				signed int _t23;
                                          				signed short* _t26;
                                          				signed int _t28;
                                          				signed short* _t31;
                                          				void* _t35;
                                          				signed short* _t39;
                                          				signed int _t46;
                                          				signed int _t49;
                                          				WCHAR** _t50;
                                          				void* _t51;
                                          				signed int _t52;
                                          
                                          				_t35 = __ecx;
                                          				_t50 = 0x41e080;
                                          				if( *0x41e080 == 0) {
                                          					L4:
                                          					return 0;
                                          				} else {
                                          					goto L1;
                                          				}
                                          				while(1) {
                                          					L1:
                                          					_t23 = lstrlenW( *_t50);
                                          					_t46 =  *_t50;
                                          					_t49 = _t23;
                                          					if(E0040386E(_t35, _t46, _t49) == 0 &&  *((short*)(_t35 + _t49 * 2)) == 0x3d) {
                                          						break;
                                          					}
                                          					_t50 =  &(_t50[1]);
                                          					if( *_t50 != 0) {
                                          						continue;
                                          					}
                                          					goto L4;
                                          				}
                                          				E00411B84( &_v20, _t35);
                                          				_t39 = _v20;
                                          				__eflags =  *_t39;
                                          				_t26 = _t39;
                                          				_v5 = 0;
                                          				if(__eflags == 0) {
                                          					L15:
                                          					_t28 = _t26 - _t39 >> 1;
                                          					_v16 = _t28;
                                          					_t51 = _t28 + _t28;
                                          					 *((short*)(_t51 + _t39)) = 0;
                                          					E00404473( &_v32,  &_v20, __eflags, 0xfde9);
                                          					_t31 = E00405112( &_v32, 1, __eflags);
                                          					_push(_v32);
                                          					__eflags = _t31;
                                          					if(_t31 != 0) {
                                          						L004191B0();
                                          						_push(_v20);
                                          						L004191B0();
                                          						return _t51 + _t35;
                                          					}
                                          					L004191B0();
                                          					_push(_v20);
                                          					L004191B0();
                                          					return 1;
                                          				} else {
                                          					goto L7;
                                          				}
                                          				do {
                                          					L7:
                                          					_t52 =  *_t26 & 0x0000ffff;
                                          					__eflags = _t52 - 0x20;
                                          					if(_t52 > 0x20) {
                                          						goto L9;
                                          					}
                                          					__eflags = _v5;
                                          					if(__eflags == 0) {
                                          						goto L15;
                                          					}
                                          					L9:
                                          					__eflags = _t52 - 0x22;
                                          					if(_t52 != 0x22) {
                                          						__eflags = _t52 - 0x5c;
                                          						if(_t52 == 0x5c) {
                                          							__eflags = _t26[1] - 0x22;
                                          							if(_t26[1] == 0x22) {
                                          								_t26 =  &(_t26[1]);
                                          								__eflags = _t26;
                                          							}
                                          						}
                                          					} else {
                                          						__eflags = _v5;
                                          						_t46 = _t46 & 0xffffff00 | _v5 == 0x00000000;
                                          						_v5 = _t46;
                                          					}
                                          					_t26 =  &(_t26[1]);
                                          					__eflags =  *_t26;
                                          				} while (__eflags != 0);
                                          				goto L15;
                                          			}



















                                          APIs
                                          • lstrlenW.KERNEL32(0041E080,?,0056250E,0041E7B8,?,?,?,?,?,?,004019E3), ref: 00401635
                                          • ??3@YAXPAX@Z.MSVCRT ref: 004016E1
                                          • ??3@YAXPAX@Z.MSVCRT ref: 004016E9
                                          • ??3@YAXPAX@Z.MSVCRT ref: 004016F8
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00401700
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: ??3@$lstrlen
                                          • String ID:
                                          • API String ID: 2031685711-0
                                          • Opcode ID: 4f1ed68b5695a5c14c76e622988fd2752a5896fb646f3d393ec15c852c9451e5
                                          • Instruction ID: 3b55230dadd2a4d047f6e8a8713cbcc3279512281016c63c74d99a53e3c26446
                                          • Opcode Fuzzy Hash: 4f1ed68b5695a5c14c76e622988fd2752a5896fb646f3d393ec15c852c9451e5
                                          • Instruction Fuzzy Hash: 8D21C232D042159BDB20AB65CC457EAB7B5AF11304F08487BE842B32E1E77A5C85CA4D
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00409278(void* __ecx, void* __edx, void* __eflags) {
                                          				intOrPtr _v8;
                                          				intOrPtr _v16;
                                          				char _v20;
                                          				struct _SHFILEINFOW _v712;
                                          				short _v1236;
                                          				void* _t32;
                                          				void* _t40;
                                          				void* _t44;
                                          
                                          				_t40 = __edx;
                                          				_t44 = __ecx;
                                          				E00407A29(__ecx, 0x4b6,  &_v20);
                                          				 *((intOrPtr*)(_t44 + 0x58)) = _v8 - _v16 + 2;
                                          				E00407ABB(_t44, 0x4b6, 1);
                                          				E00407ABB(_t44, 0x4b6, 1);
                                          				_v712.hIcon = _v712.hIcon & 0x00000000;
                                          				memset( &(_v712.iIcon), 0, 0x2b0);
                                          				GetSystemDirectoryW( &_v1236, 0x104);
                                          				SHGetFileInfoW( &_v1236, 0,  &_v712, 0x2b4, 0x103);
                                          				 *(_t44 + 0x50) = _v712.hIcon;
                                          				 *((intOrPtr*)(_t44 + 0x54)) = SetWindowLongW(GetDlgItem( *(_t44 + 4), 0x4b7), 0xfffffffc, E00408190);
                                          				_t32 = E00408F3F(_t40);
                                          				E004086A5();
                                          				return _t32;
                                          			}












                                          APIs
                                            • Part of subcall function 00407A29: GetDlgItem.USER32 ref: 00407A31
                                            • Part of subcall function 00407ABB: GetDlgItem.USER32 ref: 00407AC8
                                            • Part of subcall function 00407ABB: ShowWindow.USER32(00000000,?), ref: 00407ADF
                                          • memset.MSVCRT ref: 004092CA
                                          • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004092DE
                                          • SHGetFileInfoW.SHELL32(?,00000000,00000000,000002B4,00000103), ref: 004092FE
                                          • GetDlgItem.USER32 ref: 00409311
                                          • SetWindowLongW.USER32 ref: 0040931F
                                            • Part of subcall function 00408F3F: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040932F), ref: 00408F69
                                            • Part of subcall function 00408F3F: LoadIconW.USER32 ref: 00408F6C
                                            • Part of subcall function 00408F3F: GetSystemMetrics.USER32 ref: 00408F80
                                            • Part of subcall function 00408F3F: GetSystemMetrics.USER32 ref: 00408F85
                                            • Part of subcall function 00408F3F: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040932F), ref: 00408F8E
                                            • Part of subcall function 00408F3F: LoadImageW.USER32 ref: 00408F91
                                            • Part of subcall function 00408F3F: SendMessageW.USER32(?,00000080,00000001,?), ref: 00408FB1
                                            • Part of subcall function 00408F3F: SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00408FBA
                                            • Part of subcall function 00408F3F: GetDlgItem.USER32 ref: 00408FD7
                                            • Part of subcall function 00408F3F: GetDlgItem.USER32 ref: 00408FE1
                                            • Part of subcall function 00408F3F: GetWindowLongW.USER32(?,000000F0), ref: 00408FED
                                            • Part of subcall function 00408F3F: SetWindowLongW.USER32 ref: 00408FFC
                                            • Part of subcall function 00408F3F: GetDlgItem.USER32 ref: 0040900A
                                            • Part of subcall function 00408F3F: GetDlgItem.USER32 ref: 00409018
                                            • Part of subcall function 00408F3F: GetWindowLongW.USER32(000000F0,000000F0), ref: 00409024
                                            • Part of subcall function 00408F3F: SetWindowLongW.USER32 ref: 00409033
                                            • Part of subcall function 00408F3F: GetDlgItem.USER32 ref: 00409040
                                            • Part of subcall function 004086A5: GetDlgItem.USER32 ref: 004086BB
                                            • Part of subcall function 004086A5: SetFocus.USER32(00000000,?,?,?,?,00408760,?), ref: 004086BE
                                            • Part of subcall function 004086A5: GetDlgItem.USER32 ref: 004086CE
                                            • Part of subcall function 004086A5: GetDlgItem.USER32 ref: 004086E3
                                            • Part of subcall function 004086A5: SendMessageW.USER32(00000000,000000B1,00000016,00000016), ref: 004086ED
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: Item$Window$Long$MessageSendSystem$HandleLoadMetricsModule$DirectoryFileFocusIconImageInfoShowmemset
                                          • String ID:
                                          • API String ID: 358862773-0
                                          • Opcode ID: 1bf49a831eb8ff5c5ec00c495e72c7c0aa245b25d53b34aa7426faeff0649c07
                                          • Instruction ID: 03ccca4f95bb87f70630d4e99c8394251a1916bed47e60b30c1cc3b52240f206
                                          • Opcode Fuzzy Hash: 1bf49a831eb8ff5c5ec00c495e72c7c0aa245b25d53b34aa7426faeff0649c07
                                          • Instruction Fuzzy Hash: 5A1186B1E0031467DB10EBA5DD4DF9E77BCAB44B04F00446EB611F32C1DBB8AA448B69
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E004086A5() {
                                          				int _t8;
                                          				void* _t12;
                                          				void* _t15;
                                          
                                          				_t15 = _t12;
                                          				SetFocus(GetDlgItem( *(_t15 + 4), 0x4b6));
                                          				E00407A0F(GetDlgItem( *(_t15 + 4), 0x4b6),  *0x41e89c);
                                          				_t8 =  *0x41e8a0; // 0x16
                                          				_t16 = _t8;
                                          				return SendMessageW(GetDlgItem( *(_t15 + 4), 0x4b6), 0xb1, _t8, _t16);
                                          			}







                                          APIs
                                          • GetDlgItem.USER32 ref: 004086BB
                                          • SetFocus.USER32(00000000,?,?,?,?,00408760,?), ref: 004086BE
                                          • GetDlgItem.USER32 ref: 004086CE
                                            • Part of subcall function 00407A0F: SetWindowTextW.USER32(00000000,00000000), ref: 00407A17
                                          • GetDlgItem.USER32 ref: 004086E3
                                          • SendMessageW.USER32(00000000,000000B1,00000016,00000016), ref: 004086ED
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: Item$FocusMessageSendTextWindow
                                          • String ID:
                                          • API String ID: 3590784419-0
                                          • Opcode ID: fad516354ac438f4a26c589cea41e0691f814e4d079acfbf6477a805b15347a8
                                          • Instruction ID: e481abceb184fc0549e30438c3999ed73e1b8a385c7d6d0c75719509d1fab071
                                          • Opcode Fuzzy Hash: fad516354ac438f4a26c589cea41e0691f814e4d079acfbf6477a805b15347a8
                                          • Instruction Fuzzy Hash: 3EF0EC7110120C7FDB103752DC48D6B7F9DEBC53543014439FA0583120CB766C108B74
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 43%
                                          			E00413ABD(intOrPtr* __ecx) {
                                          				void* _t5;
                                          
                                          				_push( *((intOrPtr*)(__ecx + 0x34)));
                                          				L004191B0();
                                          				_push( *((intOrPtr*)(__ecx + 0x28)));
                                          				L004191B0();
                                          				_push( *((intOrPtr*)(__ecx + 0x18)));
                                          				L004191B0();
                                          				_push( *((intOrPtr*)(__ecx + 0xc)));
                                          				L004191B0();
                                          				_push( *__ecx);
                                          				L004191B0();
                                          				return _t5;
                                          			}





                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: ??3@
                                          • String ID:
                                          • API String ID: 613200358-0
                                          • Opcode ID: c0cea427df70b318329de58a8d27c9361eb8e571d9d2fae283ae5dc4bbe5d3f1
                                          • Instruction ID: 781d56d26fbb2de701dc3dac839f3b2d883cb9d7cd57b29d0df98cb94b4adf54
                                          • Opcode Fuzzy Hash: c0cea427df70b318329de58a8d27c9361eb8e571d9d2fae283ae5dc4bbe5d3f1
                                          • Instruction Fuzzy Hash: 29D0C731400511BAEA223B16EC1B9C67AB3AF0031830D056FF8871143BDB567CE1DA4C
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 83%
                                          			E0040884D(intOrPtr* __ecx, void* __edx, void* __eflags) {
                                          				char _v12;
                                          				char _v24;
                                          				intOrPtr _v28;
                                          				intOrPtr _v36;
                                          				char _v40;
                                          				int _t39;
                                          				intOrPtr _t48;
                                          				intOrPtr _t49;
                                          				intOrPtr _t56;
                                          				int _t58;
                                          				intOrPtr _t60;
                                          				intOrPtr _t70;
                                          				char* _t74;
                                          				intOrPtr* _t75;
                                          
                                          				_t75 = __ecx;
                                          				E00408579(__ecx);
                                          				_t39 = GetSystemMetrics(7);
                                          				_t60 =  *0x41e450; // 0x12c
                                          				if( *((intOrPtr*)(_t75 + 0x14)) < _t60 - _t39) {
                                          					_t58 = GetSystemMetrics(7);
                                          					_t70 =  *0x41e450; // 0x12c
                                          					 *((intOrPtr*)(_t75 + 0x14)) = _t70 - _t58;
                                          				}
                                          				E00411B84( &_v24,  *((intOrPtr*)(_t75 + 0xc)));
                                          				_t74 = L" 100%% ";
                                          				if(( *0x41e44c & 0x00000002) == 0) {
                                          					E00411CA3( &_v24, _t74);
                                          				}
                                          				if(E00407907(_t75, _v24,  &_v12) != 0) {
                                          					_t56 = _v12;
                                          					if(_t56 >  *((intOrPtr*)(_t75 + 0x14))) {
                                          						 *((intOrPtr*)(_t75 + 0x14)) = _t56;
                                          					}
                                          				}
                                          				E00407A29(_t75, 0x4b8,  &_v40);
                                          				 *((intOrPtr*)(_t75 + 0x18)) =  *((intOrPtr*)(_t75 + 0x18)) + _v28 - _v36 + 0xe;
                                          				if(( *0x41e44c & 0x00000004) != 0) {
                                          					_push(0x820);
                                          					_push( *((intOrPtr*)(_t75 + 0x34)));
                                          					_push(_t75 + 0x50);
                                          					_push(_t74);
                                          					if( *((intOrPtr*)( *_t75 + 8))() != 0) {
                                          						 *((intOrPtr*)(_t75 + 0x18)) =  *((intOrPtr*)(_t75 + 0x18)) +  *((intOrPtr*)(_t75 + 0x5c));
                                          					}
                                          					 *((intOrPtr*)(_t75 + 0x18)) =  *((intOrPtr*)(_t75 + 0x18)) + 5;
                                          				}
                                          				 *((intOrPtr*)(_t75 + 0x18)) =  *((intOrPtr*)(_t75 + 0x18)) + 0xffffffee;
                                          				_t48 =  *((intOrPtr*)(_t75 + 0x18));
                                          				if( *0x41e770 != 1) {
                                          					_t49 = _t48 + 0xa;
                                          					 *((intOrPtr*)(_t75 + 0x18)) = _t49;
                                          				} else {
                                          					E00407A29(_t75, 0x4b4,  &_v40);
                                          					_t49 = _v36 - _v28;
                                          					 *((intOrPtr*)(_t75 + 0x18)) =  *((intOrPtr*)(_t75 + 0x18)) + _t49;
                                          				}
                                          				_push(_v24);
                                          				L004191B0();
                                          				return _t49;
                                          			}


















                                          APIs
                                            • Part of subcall function 00408579: GetSystemMetrics.USER32 ref: 004085A1
                                            • Part of subcall function 00408579: GetSystemMetrics.USER32 ref: 004085A8
                                          • GetSystemMetrics.USER32 ref: 00408864
                                          • GetSystemMetrics.USER32 ref: 00408875
                                          • ??3@YAXPAX@Z.MSVCRT ref: 0040893C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: MetricsSystem$??3@
                                          • String ID: 100%%
                                          • API String ID: 2562992111-568723177
                                          • Opcode ID: ef96bf9ae5c6826a7c8ae1886ba178aa49efd390282e60bbbb129ddedf62f90a
                                          • Instruction ID: 3e0dd225468330a220e365205065e92fc94ece49804654ab909baed5dde81f9a
                                          • Opcode Fuzzy Hash: ef96bf9ae5c6826a7c8ae1886ba178aa49efd390282e60bbbb129ddedf62f90a
                                          • Instruction Fuzzy Hash: 8C31B471A007059FDB24EFAAD9459AEB7F4EF10708B00452ED582A22E1DB78FD44CB99
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 94%
                                          			E00405DA5(void* __edx, void* __edi, void* __eflags) {
                                          				char _v16;
                                          				char _v100;
                                          				short _v356;
                                          				void* _t28;
                                          				WCHAR* _t49;
                                          				signed int _t51;
                                          				void* _t55;
                                          				void* _t57;
                                          
                                          				 *0x41e44c = 8;
                                          				E004076D3( &_v100, __edx, __eflags);
                                          				_v100 = "G]@";
                                          				E00411B84( &_v16, E00403DC8(1));
                                          				_t51 = 0;
                                          				_t55 =  *0x420b58 - _t51; // 0x7
                                          				if(_t55 > 0) {
                                          					_t49 = L", ";
                                          					do {
                                          						if(_t51 != 0) {
                                          							E00411CA3( &_v16, _t49);
                                          						}
                                          						E00411D89( &_v16,  *((intOrPtr*)( *((intOrPtr*)(0x420a18 + _t51 * 4)) + 0x10)));
                                          						_t51 = _t51 + 1;
                                          						_t57 = _t51 -  *0x420b58; // 0x7
                                          					} while (_t57 < 0);
                                          					if(_t51 != 0) {
                                          						E00411CA3( &_v16, _t49);
                                          					}
                                          				}
                                          				E00411CA3( &_v16, L"Volumes");
                                          				wsprintfW( &_v356, L" \n\t%X - %03X - %03X - %03X - %03X", 1, 0x5b7, 0x1f, 0x3fff, 7);
                                          				E00411CA3( &_v16,  &_v356);
                                          				E00411CA3( &_v16, 0x41bbe4);
                                          				_t28 = E00407A45( &_v100, 0x11,  *0x41e738, _v16, 0);
                                          				_push(_v16);
                                          				L004191B0();
                                          				return E00407734(_t28,  &_v100);
                                          			}












                                          APIs
                                            • Part of subcall function 004076D3: KiUserCallbackDispatcher.NTDLL ref: 00407715
                                            • Part of subcall function 004076D3: GetSystemMetrics.USER32 ref: 00407723
                                            • Part of subcall function 00411B84: memcpy.MSVCRT ref: 00411BAA
                                          • wsprintfW.USER32 ref: 00405E48
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00405E85
                                            • Part of subcall function 00411CA3: memcpy.MSVCRT ref: 00411CD0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: memcpy$??3@CallbackDispatcherMetricsSystemUserwsprintf
                                          • String ID: %X - %03X - %03X - %03X - %03X$Volumes
                                          • API String ID: 2991351368-1890733987
                                          • Opcode ID: afc941ad2b4f6454c10dab7bc2b2609a1d5b1b6615d08056b88ec4f84c856272
                                          • Instruction ID: ab41b2b7a044f4dbafe54773f7122e0ca5258214a4a67c8b0ba5fddcbcc6d2b4
                                          • Opcode Fuzzy Hash: afc941ad2b4f6454c10dab7bc2b2609a1d5b1b6615d08056b88ec4f84c856272
                                          • Instruction Fuzzy Hash: 5821A131D44618AACB15AB91EC16EEEB774EF40704F00417FB516361E6EBB86A84CBC8
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 84%
                                          			E00405EEB() {
                                          				signed int _v8;
                                          				char _v20;
                                          				void* _v32;
                                          				void* __ecx;
                                          				void* _t33;
                                          				intOrPtr _t34;
                                          				intOrPtr _t43;
                                          				void* _t74;
                                          
                                          				E00411B84( &_v32);
                                          				E0040360E( &_v32, 0x41e89c);
                                          				E004036C8( &_v32, 0x41e794);
                                          				E00403782( &_v32, 0x41e7ac);
                                          				E0040383C( &_v32);
                                          				_v8 = _v8 & 0x00000000;
                                          				_t73 =  *0x41e78c;
                                          				if( *0x41e78c > 0) {
                                          					do {
                                          						_t34 =  *0x41e788; // 0x2565d78
                                          						E00404DCD( *((intOrPtr*)( *((intOrPtr*)(_t34 + _v8 * 4)))), _t73);
                                          						E0040455D( &_v20);
                                          						E0040360E( &_v20, 0x41e89c);
                                          						E004036C8( &_v20, 0x41e794);
                                          						E00403782( &_v20, 0x41e7ac);
                                          						E0040383C( &_v20);
                                          						_t43 =  *0x41e788; // 0x2565d78
                                          						E00405732( &_v32,  *((intOrPtr*)(_t43 + _v8 * 4)),  &_v20);
                                          						_push(_v20);
                                          						L004191B0();
                                          						_v8 = _v8 + 1;
                                          						_t74 = _v8 -  *0x41e78c; // 0xa0
                                          					} while (_t74 < 0);
                                          				}
                                          				_t33 = E004048CC(_v32);
                                          				_push(_v32);
                                          				L004191B0();
                                          				return _t33;
                                          			}












                                          APIs
                                            • Part of subcall function 00411B84: memcpy.MSVCRT ref: 00411BAA
                                            • Part of subcall function 0040360E: ??3@YAXPAX@Z.MSVCRT ref: 00403657
                                            • Part of subcall function 0040360E: ??3@YAXPAX@Z.MSVCRT ref: 00403692
                                            • Part of subcall function 0040360E: ??3@YAXPAX@Z.MSVCRT ref: 004036B5
                                            • Part of subcall function 0040360E: ??3@YAXPAX@Z.MSVCRT ref: 004036BD
                                            • Part of subcall function 004036C8: ??3@YAXPAX@Z.MSVCRT ref: 00403711
                                            • Part of subcall function 004036C8: ??3@YAXPAX@Z.MSVCRT ref: 0040374C
                                            • Part of subcall function 004036C8: ??3@YAXPAX@Z.MSVCRT ref: 0040376F
                                            • Part of subcall function 004036C8: ??3@YAXPAX@Z.MSVCRT ref: 00403777
                                            • Part of subcall function 00403782: ??3@YAXPAX@Z.MSVCRT ref: 004037CB
                                            • Part of subcall function 00403782: ??3@YAXPAX@Z.MSVCRT ref: 00403806
                                            • Part of subcall function 00403782: ??3@YAXPAX@Z.MSVCRT ref: 00403829
                                            • Part of subcall function 00403782: ??3@YAXPAX@Z.MSVCRT ref: 00403831
                                            • Part of subcall function 0040383C: ??3@YAXPAX@Z.MSVCRT ref: 00403865
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00405FBB
                                            • Part of subcall function 00404DCD: GetEnvironmentVariableW.KERNEL32(?,?,00000001,`V,@V,?,0041E89C,?,?,00405F54), ref: 00404DE7
                                            • Part of subcall function 00404DCD: GetEnvironmentVariableW.KERNEL32(?,00000000,00000002,00000001,00000002,?,?,00000001,`V,@V,?,0041E89C,?,?,00405F54), ref: 00404E0C
                                            • Part of subcall function 0040455D: ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000001,00000001,00000000,?,00000000,00000000,?), ref: 00404585
                                            • Part of subcall function 0040455D: ??3@YAXPAX@Z.MSVCRT ref: 0040458E
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00405F9C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: ??3@$Environment$Variable$ExpandStringsmemcpy
                                          • String ID: @V$`V
                                          • API String ID: 3543874045-2004816466
                                          • Opcode ID: 04a9d1964aa71dc1f1619b95f164e1ddf557ebe2a34761bc58a6e27d71a63c4a
                                          • Instruction ID: 5d0342e9ba764d8212d47e143ee0c1c35a57ae36c89550e9fe9688e6325dba5e
                                          • Opcode Fuzzy Hash: 04a9d1964aa71dc1f1619b95f164e1ddf557ebe2a34761bc58a6e27d71a63c4a
                                          • Instruction Fuzzy Hash: C9213035E1011A9BDB14FF96D8918EE7775EF90319B10883EE412772E6DE386E06CB08
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 53%
                                          			E004086F9(void* __ecx) {
                                          				signed int _v8;
                                          				intOrPtr _v24;
                                          				void _v40;
                                          				char _v564;
                                          				intOrPtr* _t20;
                                          				char* _t22;
                                          				signed int _t24;
                                          				signed int _t30;
                                          				intOrPtr* _t38;
                                          				void* _t39;
                                          
                                          				_t39 = __ecx;
                                          				_t30 = 8;
                                          				memset( &_v40, 0, _t30 << 2);
                                          				_v40 =  *((intOrPtr*)(_t39 + 4));
                                          				_t20 =  &_v40;
                                          				_v24 = 0x41;
                                          				__imp__SHBrowseForFolderW(_t20);
                                          				_t38 = _t20;
                                          				if(_t38 != 0) {
                                          					_v564 = 0;
                                          					_t22 =  &_v564;
                                          					__imp__SHGetPathFromIDListW(_t38, _t22);
                                          					if(_t22 != 0) {
                                          						E00411BE5(0x41e89c,  &_v564);
                                          						E004086A5();
                                          					}
                                          					_v8 = _v8 & 0x00000000;
                                          					_t20 =  &_v8;
                                          					__imp__SHGetMalloc(_t20);
                                          					if(_t20 == 0) {
                                          						_t20 = _v8;
                                          						if(_t20 != 0) {
                                          							 *((intOrPtr*)( *_t20 + 0x14))(_t20, _t38);
                                          							_t24 = _v8;
                                          							return  *((intOrPtr*)( *_t24 + 8))(_t24);
                                          						}
                                          					}
                                          				}
                                          				return _t20;
                                          			}

                                          APIs
                                          • SHBrowseForFolderW.SHELL32(?), ref: 00408721
                                          • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0040873E
                                          • SHGetMalloc.SHELL32(00000000), ref: 00408768
                                            • Part of subcall function 00411BE5: ??2@YAPAXI@Z.MSVCRT ref: 00411C17
                                            • Part of subcall function 00411BE5: ??3@YAXPAX@Z.MSVCRT ref: 00411C20
                                            • Part of subcall function 00411BE5: memcpy.MSVCRT ref: 00411C38
                                            • Part of subcall function 004086A5: GetDlgItem.USER32 ref: 004086BB
                                            • Part of subcall function 004086A5: SetFocus.USER32(00000000,?,?,?,?,00408760,?), ref: 004086BE
                                            • Part of subcall function 004086A5: GetDlgItem.USER32 ref: 004086CE
                                            • Part of subcall function 004086A5: GetDlgItem.USER32 ref: 004086E3
                                            • Part of subcall function 004086A5: SendMessageW.USER32(00000000,000000B1,00000016,00000016), ref: 004086ED
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: Item$??2@??3@BrowseFocusFolderFromListMallocMessagePathSendmemcpy
                                          • String ID: A
                                          • API String ID: 593732027-3554254475
                                          • Opcode ID: 3aef01d46d1d784e5e29d610c3657d02adb904ff4126155760b37b46b3dd5f1b
                                          • Instruction ID: f71166d28af5d16d10e8ce64d0ac3497a8bafdc94a68efcedc6b2873967d7f2a
                                          • Opcode Fuzzy Hash: 3aef01d46d1d784e5e29d610c3657d02adb904ff4126155760b37b46b3dd5f1b
                                          • Instruction Fuzzy Hash: 1E1124756101089BDB10DBA5D958BEE77FCAF44700F1440AEE505E7240EF79DE04CB65
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 87%
                                          			E0040842D(void* __ecx) {
                                          				char _v16;
                                          				short _v528;
                                          				void* _t16;
                                          				WCHAR* _t26;
                                          				void* _t28;
                                          
                                          				_t28 = __ecx;
                                          				E00411BBA( &_v16, __ecx + 0x3c);
                                          				if( *((intOrPtr*)(__ecx + 0x48)) > 0) {
                                          					_t26 = 0x1d;
                                          					wsprintfW( &_v528, L" (%d%s)",  *((intOrPtr*)(__ecx + 0x48)), E00403DC8(_t26));
                                          					E00411CA3( &_v16,  &_v528);
                                          				}
                                          				_t16 = E00407A0F(GetDlgItem( *(_t28 + 4),  *(_t28 + 0x4c)), _v16);
                                          				_push(_v16);
                                          				L004191B0();
                                          				return _t16;
                                          			}

                                          APIs
                                            • Part of subcall function 00411BBA: memcpy.MSVCRT ref: 00411BD6
                                          • wsprintfW.USER32 ref: 00408463
                                            • Part of subcall function 00411CA3: memcpy.MSVCRT ref: 00411CD0
                                          • GetDlgItem.USER32 ref: 00408485
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00408496
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: memcpy$??3@Itemwsprintf
                                          • String ID: (%d%s)
                                          • API String ID: 1424909225-2087557067
                                          • Opcode ID: ba6a791d805c9db7788c2d9af21d26917ab2f2c02abcccd907ebcb2f8242930e
                                          • Instruction ID: 9e5063b97f59bed1c8fd24a2ad4692a97a2054891322a5ccd9956e41115b1732
                                          • Opcode Fuzzy Hash: ba6a791d805c9db7788c2d9af21d26917ab2f2c02abcccd907ebcb2f8242930e
                                          • Instruction Fuzzy Hash: 61F0CD71800218BFCB21B755DC05EDE77BCDF04304F10856BF512A11A1DB75AA548F98
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00404DCD(WCHAR* __edx, void* __eflags) {
                                          				short _v4;
                                          				WCHAR* _v8;
                                          				WCHAR* _v16;
                                          				void* __ecx;
                                          				long _t6;
                                          				void* _t14;
                                          				void* _t22;
                                          
                                          				_t19 = __edx;
                                          				_v8 = __edx;
                                          				_t22 = _t14;
                                          				_t6 = GetEnvironmentVariableW(__edx,  &_v4, 1);
                                          				_t20 = _t6;
                                          				E00411B60(_t6, _t22);
                                          				_t3 = _t20 + 2; // 0x2
                                          				E004042F3(_t22, _t19, _t3);
                                          				GetEnvironmentVariableW(_v16, E004042F3(_t22, _t19, _t3), _t6 + 1);
                                          				E004042D8(_t22);
                                          				return _t22;
                                          			}

                                          APIs
                                          • GetEnvironmentVariableW.KERNEL32(?,?,00000001,`V,@V,?,0041E89C,?,?,00405F54), ref: 00404DE7
                                            • Part of subcall function 00411B60: ??2@YAPAXI@Z.MSVCRT ref: 00411B68
                                            • Part of subcall function 004042F3: wcsncpy.MSVCRT ref: 00404321
                                            • Part of subcall function 004042F3: ??3@YAXPAX@Z.MSVCRT ref: 0040432C
                                          • GetEnvironmentVariableW.KERNEL32(?,00000000,00000002,00000001,00000002,?,?,00000001,`V,@V,?,0041E89C,?,?,00405F54), ref: 00404E0C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: EnvironmentVariable$??2@??3@wcsncpy
                                          • String ID: @V$`V
                                          • API String ID: 579573637-2004816466
                                          • Opcode ID: cd34e60aee2f2d32d4124acdf6d70a8ed6fd9b914a5c845a88df21b85932c597
                                          • Instruction ID: 80525576cb8e9b6dc9faabac3cd7908046377e0fd1f4f241bd6b80fff7ee7a8f
                                          • Opcode Fuzzy Hash: cd34e60aee2f2d32d4124acdf6d70a8ed6fd9b914a5c845a88df21b85932c597
                                          • Instruction Fuzzy Hash: AAF0A0B23042143AD518EB1B9C55CAFFBDCEBC8A90B80016FF205C3291EE65AD4586B9
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 90%
                                          			E00404666(signed short** __ecx, void* __edi, void* __eflags) {
                                          				signed short* _v8;
                                          				signed short** _v12;
                                          				char _v24;
                                          				char _v36;
                                          				char _v48;
                                          				char _v60;
                                          				void* _t30;
                                          				void* _t33;
                                          				signed int _t37;
                                          				void* _t39;
                                          				signed int _t46;
                                          				signed int _t66;
                                          				signed short* _t72;
                                          
                                          				_v12 = __ecx;
                                          				E00411B60(_t30,  &_v24);
                                          				_t72 =  *__ecx;
                                          				_t46 =  *_t72 & 0x0000ffff;
                                          				if(_t46 != 0) {
                                          					_v8 =  &(_t72[2]);
                                          					do {
                                          						if(_t46 != 0x7e) {
                                          							L10:
                                          							E004015EC( &_v24, _t46);
                                          							_t72 =  &(_t72[1]);
                                          							_t25 =  &_v8;
                                          							 *_t25 =  &(_v8[1]);
                                          							__eflags =  *_t25;
                                          						} else {
                                          							_t66 = _t72[1] & 0x0000ffff;
                                          							_t76 = _t66 - 0x78;
                                          							if(_t66 != 0x78) {
                                          								L6:
                                          								__eflags = _t66 - 0x58;
                                          								if(__eflags != 0) {
                                          									goto L10;
                                          								} else {
                                          									_t68 = E004033E5(_v8, __eflags);
                                          									__eflags = _t36;
                                          									if(__eflags < 0) {
                                          										goto L10;
                                          									} else {
                                          										_t37 = E004033E5( &(_t72[4]), __eflags);
                                          										__eflags = _t37;
                                          										if(_t37 < 0) {
                                          											goto L10;
                                          										} else {
                                          											E004015EC( &_v24, _t68 << 0x00000008 | _t37);
                                          											_t72 =  &(_t72[6]);
                                          											_v8 =  &(_v8[6]);
                                          										}
                                          									}
                                          								}
                                          							} else {
                                          								_t39 = E004033E5(_v8, _t76);
                                          								_t77 = _t39;
                                          								if(_t39 < 0) {
                                          									goto L6;
                                          								} else {
                                          									E00411B60(E00411765( &_v48, _t39),  &_v36);
                                          									E00411C48( &_v36, E0040442E( &_v60,  &_v48, _t77, 0));
                                          									_push(_v60);
                                          									L004191B0();
                                          									E00411CE3( &_v24, _t77,  &_v36);
                                          									_push(_v36);
                                          									_v8 =  &(_v8[4]);
                                          									_t72 =  &(_t72[4]);
                                          									L004191B0();
                                          									_push(_v48);
                                          									L004191B0();
                                          								}
                                          							}
                                          						}
                                          						_t46 =  *_t72 & 0x0000ffff;
                                          					} while (_t46 != 0);
                                          				}
                                          				_t33 = E00411C48(_v12,  &_v24);
                                          				_push(_v24);
                                          				L004191B0();
                                          				return _t33;
                                          			}

                                          APIs
                                            • Part of subcall function 00411B60: ??2@YAPAXI@Z.MSVCRT ref: 00411B68
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00404768
                                            • Part of subcall function 0040442E: MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,00000000,004046CD,00000000,00000000,?,747149F0,00000000), ref: 0040445A
                                            • Part of subcall function 00411C48: ??2@YAPAXI@Z.MSVCRT ref: 00411C70
                                            • Part of subcall function 00411C48: ??3@YAXPAX@Z.MSVCRT ref: 00411C79
                                            • Part of subcall function 00411C48: memcpy.MSVCRT ref: 00411C93
                                          • ??3@YAXPAX@Z.MSVCRT ref: 004046D9
                                            • Part of subcall function 00411CE3: memcpy.MSVCRT ref: 00411D06
                                          • ??3@YAXPAX@Z.MSVCRT ref: 004046F5
                                          • ??3@YAXPAX@Z.MSVCRT ref: 004046FD
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: ??3@$??2@memcpy$ByteCharMultiWide
                                          • String ID:
                                          • API String ID: 1626065140-0
                                          • Opcode ID: cfed7c3fc70475f93a7ec959c63c5169fa12933b3c7c731bcc2497a2fe8158e7
                                          • Instruction ID: 1758fece63184e570d04f9e3611b3a9f4be235bc0ae71469d74a11a45544da14
                                          • Opcode Fuzzy Hash: cfed7c3fc70475f93a7ec959c63c5169fa12933b3c7c731bcc2497a2fe8158e7
                                          • Instruction Fuzzy Hash: 123175B3D001199BDB15EBD5CD929EEB7B9AE51315B10003FE902731D1EF386E44D668
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 76%
                                          			E00407907(intOrPtr* __ecx, intOrPtr _a4, intOrPtr* _a8) {
                                          				signed int _v8;
                                          				intOrPtr _v16;
                                          				char _v24;
                                          				struct tagLOGFONTW _v500;
                                          				intOrPtr _v504;
                                          				intOrPtr _v508;
                                          				void _v524;
                                          				intOrPtr* _t27;
                                          				void* _t33;
                                          				intOrPtr* _t41;
                                          				intOrPtr _t43;
                                          
                                          				_v8 = _v8 & 0x00000000;
                                          				_t41 = __ecx;
                                          				_v524 = 0x1f4;
                                          				if(SystemParametersInfoW(0x29, 0x1f4,  &_v524, 0) != 0) {
                                          					_t43 =  *((intOrPtr*)(_t41 + 0x1c)) + _v508 - 0x1a;
                                          					if(( *0x41e44c & 0x00000200) == 0) {
                                          						_t43 = _t43 + GetSystemMetrics(0x31);
                                          					}
                                          					_t33 = CreateFontIndirectW( &_v500);
                                          					if(_t33 != 0) {
                                          						_push(0x860);
                                          						_push(_t33);
                                          						_push( &_v24);
                                          						_push(_a4);
                                          						if( *((intOrPtr*)( *_t41 + 8))() != 0) {
                                          							_t43 = _t43 + _v16;
                                          							_v8 = 1;
                                          						}
                                          						DeleteObject(_t33);
                                          					}
                                          					_t27 = _a8;
                                          					 *_t27 = _t43;
                                          					 *((intOrPtr*)(_t27 + 4)) = _v504;
                                          				}
                                          				return _v8;
                                          			}















                                          APIs
                                          • SystemParametersInfoW.USER32 ref: 0040792E
                                          • GetSystemMetrics.USER32 ref: 00407955
                                          • CreateFontIndirectW.GDI32(?), ref: 00407964
                                          • DeleteObject.GDI32(00000000), ref: 00407993
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: System$CreateDeleteFontIndirectInfoMetricsObjectParameters
                                          • String ID:
                                          • API String ID: 1900162674-0
                                          • Opcode ID: 3aa07e0a7f1af689ece96d308e0d97d5d4d1cf2e54ab12650ba7b2974e37ea09
                                          • Instruction ID: 552ae8ed6ee0fcd442ad2df4779f82c6782e58800ccef47fbdddea08636dacf5
                                          • Opcode Fuzzy Hash: 3aa07e0a7f1af689ece96d308e0d97d5d4d1cf2e54ab12650ba7b2974e37ea09
                                          • Instruction Fuzzy Hash: 471163B5A00209AFEB10DF54DC88FEAB7B8EB08304F04806AED15A7291DB74ED44CF55
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 87%
                                          			E0040C0C0(intOrPtr* __ecx, intOrPtr _a4) {
                                          				signed int _t16;
                                          				intOrPtr* _t21;
                                          				intOrPtr _t32;
                                          				intOrPtr _t33;
                                          				intOrPtr* _t34;
                                          				void* _t35;
                                          
                                          				_t34 = __ecx;
                                          				_t1 = _t34 + 8; // 0x0
                                          				_t16 =  *_t1;
                                          				if(_t16 >=  *__ecx) {
                                          					_t2 = _t34 + 4; // 0x0
                                          					_t33 =  *((intOrPtr*)( *_t2 + _t16 * 4 - 4));
                                          					if(_t33 != 0) {
                                          						_t16 =  *(_t33 + 0x18);
                                          						_push(_t16);
                                          						L004191B0();
                                          						_push(_t33);
                                          						L004191B0();
                                          						_t35 = _t35 + 8;
                                          					}
                                          					 *(_t34 + 8) =  *(_t34 + 8) - 1;
                                          				}
                                          				_push(0x40);
                                          				L004191BC();
                                          				if(_t16 == 0) {
                                          					_t32 = 0;
                                          				} else {
                                          					_t32 = E0040BC50(_t16, _a4);
                                          				}
                                          				_t10 = _t34 + 4; // 0x41e61c
                                          				E0040261B(_t10);
                                          				_t11 = _t34 + 8; // 0x0
                                          				_t12 = _t34 + 4; // 0x0
                                          				memmove( *_t12 + 4,  *_t12,  *_t11 +  *_t11 +  *_t11 +  *_t11);
                                          				_t13 = _t34 + 4; // 0x0
                                          				_t21 =  *_t13;
                                          				 *_t21 = _t32;
                                          				 *(_t34 + 8) =  *(_t34 + 8) + 1;
                                          				return _t21;
                                          			}










                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: ??3@$??2@memmove
                                          • String ID:
                                          • API String ID: 1826340609-0
                                          • Opcode ID: a955ddf8db9c5227398b46aae6552bba3d960cc894cfc919d0fdf54bb8bf9af8
                                          • Instruction ID: d72a3ecf45b14767aacc25f0edad6bbd2b7de6c552061b2cfde35ae26a62c5f5
                                          • Opcode Fuzzy Hash: a955ddf8db9c5227398b46aae6552bba3d960cc894cfc919d0fdf54bb8bf9af8
                                          • Instruction Fuzzy Hash: 67019E76600601ABD210AB59D8859A773F6EBC4314708893EE85BD7741DB38E892CB68
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 83%
                                          			E0040455D(WCHAR** __ecx) {
                                          				char _v16;
                                          				void* _t8;
                                          				long _t11;
                                          				long _t12;
                                          				void* _t17;
                                          				void* _t29;
                                          				WCHAR* _t30;
                                          				WCHAR** _t32;
                                          
                                          				_t32 = __ecx;
                                          				E00411B60(_t8,  &_v16);
                                          				_t30 =  *__ecx;
                                          				_t11 = ExpandEnvironmentStringsW(_t30, E004042F3( &_v16, _t29, 1), 1);
                                          				if(_t11 != 0) {
                                          					_t12 = _t11 + 1;
                                          					ExpandEnvironmentStringsW( *_t32, E004042F3( &_v16, _t29, _t12), _t12);
                                          					E004042D8( &_v16);
                                          					_t17 = E00411C48(_t32,  &_v16);
                                          					_push(_v16);
                                          					L004191B0();
                                          					return _t17;
                                          				}
                                          				_push(_v16);
                                          				L004191B0();
                                          				return _t11;
                                          			}












                                          APIs
                                            • Part of subcall function 00411B60: ??2@YAPAXI@Z.MSVCRT ref: 00411B68
                                            • Part of subcall function 004042F3: wcsncpy.MSVCRT ref: 00404321
                                            • Part of subcall function 004042F3: ??3@YAXPAX@Z.MSVCRT ref: 0040432C
                                          • ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000001,00000001,00000000,?,00000000,00000000,?), ref: 00404585
                                          • ??3@YAXPAX@Z.MSVCRT ref: 0040458E
                                          • ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000001,00000001,00000000), ref: 004045A6
                                          • ??3@YAXPAX@Z.MSVCRT ref: 004045BE
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: ??3@$EnvironmentExpandStrings$??2@wcsncpy
                                          • String ID:
                                          • API String ID: 3034541985-0
                                          • Opcode ID: 18d44fbca89cdad137d92f9d55577433105cb68edfb4229effb418910c7e4fe8
                                          • Instruction ID: 2e5778dcc9210aa7dd5b0ff30e3ff33adc1733fc5fdfc97d9385700bbc9d95d0
                                          • Opcode Fuzzy Hash: 18d44fbca89cdad137d92f9d55577433105cb68edfb4229effb418910c7e4fe8
                                          • Instruction Fuzzy Hash: E6F086B29001047ED714B755EC52DEE737CDF80704B10027EFA12B2195EF756E45C668
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 94%
                                          			E00408DCA(int _a4, int _a8, struct tagPOINT* _a12) {
                                          				struct tagRECT _v20;
                                          				intOrPtr _t11;
                                          				intOrPtr _t16;
                                          				intOrPtr _t21;
                                          				intOrPtr _t22;
                                          				intOrPtr* _t23;
                                          				struct tagPOINT* _t25;
                                          
                                          				_t11 =  *0x41e8b4; // 0x0
                                          				if(_t11 == 0) {
                                          					return 0;
                                          				}
                                          				_t25 = _a12;
                                          				if( *((intOrPtr*)(_t11 + 0x48)) <= 0) {
                                          					L9:
                                          					return CallNextHookEx( *0x41e8b8, _a4, _a8, _t25);
                                          				}
                                          				_t21 =  *0x41e5f0; // 0x202
                                          				_t23 = 0x41e5f0;
                                          				while(_t21 != 0) {
                                          					if(_t21 == _a8) {
                                          						ScreenToClient( *(_t11 + 4), _t25);
                                          						_t16 =  *0x41e8b4; // 0x0
                                          						GetClientRect( *(_t16 + 4),  &_v20);
                                          						_push(_t25->y);
                                          						if(PtInRect( &_v20,  *_t25) != 0) {
                                          							_t22 =  *0x41e8b4; // 0x0
                                          							E00408557(_t22);
                                          						}
                                          						goto L9;
                                          					}
                                          					_t23 = _t23 + 4;
                                          					_t21 =  *_t23;
                                          				}
                                          				goto L9;
                                          			}











                                          APIs
                                          • ScreenToClient.USER32 ref: 00408E04
                                          • GetClientRect.USER32 ref: 00408E16
                                          • PtInRect.USER32(?,?,?), ref: 00408E25
                                            • Part of subcall function 00408557: KillTimer.USER32(?,00000001,?,00408E3A), ref: 00408565
                                          • CallNextHookEx.USER32(?,?,?), ref: 00408E47
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: ClientRect$CallHookKillNextScreenTimer
                                          • String ID:
                                          • API String ID: 3015594791-0
                                          • Opcode ID: 5d011e402e72c6a9b9df993ad098a0545963fe571f3a7749bf0a2aad1169c23d
                                          • Instruction ID: 8fcd255104d3cefc2dd881faf99252f3ba0547ec7e41450095debebf42560e69
                                          • Opcode Fuzzy Hash: 5d011e402e72c6a9b9df993ad098a0545963fe571f3a7749bf0a2aad1169c23d
                                          • Instruction Fuzzy Hash: 80015B35100115EBDB11AF55DE09EAA7BA6FB04304B08843AE956E32A1EB34E851DB99
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 70%
                                          			E004118AA(void** __ecx, void* _a4) {
                                          				void* _v0;
                                          				void* _v20;
                                          				signed int _t29;
                                          				void* _t33;
                                          				void* _t36;
                                          				void* _t38;
                                          				void* _t39;
                                          				void** _t40;
                                          				signed int _t51;
                                          				signed int _t53;
                                          				void* _t55;
                                          				signed int _t56;
                                          				void** _t57;
                                          				void** _t58;
                                          				void* _t64;
                                          
                                          				_t40 = __ecx;
                                          				_t55 = _a4;
                                          				_t57 = __ecx;
                                          				if(_t55 < __ecx[1]) {
                                          					L3:
                                          					_push(0x41c9d4);
                                          					_push( &_a4);
                                          					_a4 = 0x13329ad;
                                          					L00419360();
                                          					asm("int3");
                                          					_t38 = _v20;
                                          					_push(_t57);
                                          					_push(_t55);
                                          					_t58 = _t40;
                                          					__eflags = _t38 - 0x40000000;
                                          					if(__eflags >= 0) {
                                          						_push(0x41c9d4);
                                          						_push( &_v0);
                                          						_v0 = 0x13329ad;
                                          						L00419360();
                                          					}
                                          					_t51 = 2;
                                          					_t19 = _t38 + 1; // 0x13329ae
                                          					_t29 = _t19 * _t51;
                                          					_push( ~(0 | __eflags > 0x00000000) | _t29); // executed
                                          					L004191BC(); // executed
                                          					_t56 = _t29;
                                          					__eflags = 0;
                                          					 *_t56 = 0;
                                          					_push( *_t58);
                                          					L004191B0();
                                          					 *_t58 = _t56;
                                          					_t58[2] = _t38;
                                          					return 0;
                                          				} else {
                                          					_t64 = _t55 - 0x40000000;
                                          					if(_t64 >= 0) {
                                          						goto L3;
                                          					} else {
                                          						_t53 = 2;
                                          						_t33 = (_t55 + 1) * _t53;
                                          						_push( ~(0 | _t64 > 0x00000000) | _t33);
                                          						L004191BC();
                                          						_t39 = _t33;
                                          						_t36 = memcpy(_t39,  *__ecx, __ecx[1] + __ecx[1] + 2);
                                          						_push( *_t57);
                                          						L004191B0();
                                          						_t57[2] = _t55;
                                          						 *_t57 = _t39;
                                          						return _t36;
                                          					}
                                          				}
                                          			}



















                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: ??2@??3@ExceptionThrowmemcpy
                                          • String ID:
                                          • API String ID: 3462485524-0
                                          • Opcode ID: a39656c9a0f29b0d75ec611e6129199ab4c4917e9e022243eb1b5d227c67b478
                                          • Instruction ID: 5ee8940816b856f5d356b0442bc385a37373ddd71d54f703b79fddb5c0f671e4
                                          • Opcode Fuzzy Hash: a39656c9a0f29b0d75ec611e6129199ab4c4917e9e022243eb1b5d227c67b478
                                          • Instruction Fuzzy Hash: 37F0A4B22002097FD7249F29C886D9AF7EDEF44358B15853FF55A87111D635E9808768
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 81%
                                          			E00413ECE(void* __ecx, signed char _a4) {
                                          				signed int _t13;
                                          				signed char _t15;
                                          				signed int _t22;
                                          				void* _t23;
                                          				void* _t25;
                                          				intOrPtr* _t26;
                                          				signed int* _t28;
                                          
                                          				_t15 = _a4;
                                          				_t25 = __ecx;
                                          				if((_t15 & 0x00000002) == 0) {
                                          					_push( *((intOrPtr*)(__ecx + 8)));
                                          					L004191B0();
                                          					if((_t15 & 0x00000001) != 0) {
                                          						_push(__ecx);
                                          						L004191B0();
                                          					}
                                          					return _t25;
                                          				}
                                          				_t28 = __ecx - 4;
                                          				_t22 =  *_t28;
                                          				_t13 = _t22 * 0x18;
                                          				_t23 = _t22 - 1;
                                          				if(_t23 < 0) {
                                          					L4:
                                          					if((_t15 & 0x00000001) != 0) {
                                          						_push(_t28);
                                          						L004191B0();
                                          					}
                                          					return _t28;
                                          				}
                                          				_t6 = _t25 + 8; // 0x8
                                          				_t26 = _t13 + _t6;
                                          				do {
                                          					_t26 = _t26 - 0x18;
                                          					_push( *_t26);
                                          					L004191B0();
                                          					_t23 = _t23 - 1;
                                          				} while (_t23 >= 0);
                                          				goto L4;
                                          			}











                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: ??3@
                                          • String ID:
                                          • API String ID: 613200358-0
                                          • Opcode ID: 7fccf2b7c1636fd1299c0db7dfc47fac562344475ca437e22bde4de8f4bb3f90
                                          • Instruction ID: df1d0de5d1faf2a4a63eb667afbff75c77527abce675b50cc2a020710efc852e
                                          • Opcode Fuzzy Hash: 7fccf2b7c1636fd1299c0db7dfc47fac562344475ca437e22bde4de8f4bb3f90
                                          • Instruction Fuzzy Hash: 7CF084323042022AD2111F0DDC0A7CABBFA9F41362F08001FFA41A2362CA1ADEC2C18C
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 73%
                                          			E00404C1B(struct HWND__* __ecx) {
                                          				WCHAR* _v16;
                                          				char _v28;
                                          				char _v40;
                                          				int _t19;
                                          				struct HWND__* _t31;
                                          				void* _t33;
                                          
                                          				_t31 = __ecx;
                                          				E00404BDD( &_v16, __ecx, _t33);
                                          				E0040562E( &_v16, _t33);
                                          				E00411B84( &_v40, "%");
                                          				E00411B84( &_v28, L"%^");
                                          				E00411F27( &_v16,  &_v28,  &_v40);
                                          				_push(_v28);
                                          				L004191B0();
                                          				_push(_v40);
                                          				L004191B0();
                                          				_t19 = SetWindowTextW(_t31, _v16);
                                          				_push(_v16);
                                          				L004191B0();
                                          				return _t19;
                                          			}










                                          APIs
                                            • Part of subcall function 00404BDD: GetWindowTextLengthW.USER32(?), ref: 00404BEA
                                            • Part of subcall function 00404BDD: GetWindowTextW.USER32 ref: 00404C04
                                            • Part of subcall function 00411B84: memcpy.MSVCRT ref: 00411BAA
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00404C63
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00404C6B
                                          • SetWindowTextW.USER32(?,?), ref: 00404C76
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00404C81
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: ??3@TextWindow$Lengthmemcpy
                                          • String ID:
                                          • API String ID: 396479319-0
                                          • Opcode ID: 3cf949a69a2d52a294484a280f02737cfc4412afb37bed1c8fd29356e531d02e
                                          • Instruction ID: 647b8b2bf9eadde8599631ea9265a657a51aafb4ceea6ad50fefe68966c78ca3
                                          • Opcode Fuzzy Hash: 3cf949a69a2d52a294484a280f02737cfc4412afb37bed1c8fd29356e531d02e
                                          • Instruction Fuzzy Hash: 63F04432D044096ACB05F7D1EC578DDB779DE08318B1001ABF602B21A1EF796ED5C69C
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00408287(void* __ecx) {
                                          				struct tagLOGFONTW _v96;
                                          				int _t8;
                                          				long _t11;
                                          				int _t15;
                                          
                                          				if(( *0x41e44c & 0x00000010) != 0) {
                                          					_t8 = GetObjectW( *(__ecx + 0x34), 0x5c,  &_v96);
                                          					if(_t8 != 0) {
                                          						_v96.lfWeight = 0x2bc;
                                          						_t11 = CreateFontIndirectW( &_v96);
                                          						_t15 = _t11;
                                          						if(_t15 != 0) {
                                          							_t11 = SendMessageW(GetDlgItem( *(__ecx + 4), 0x4b5), 0x30, _t15, 0);
                                          						}
                                          						return _t11;
                                          					}
                                          				}
                                          				return _t8;
                                          			}








                                          APIs
                                          • GetObjectW.GDI32(?,0000005C,?), ref: 004082A2
                                          • CreateFontIndirectW.GDI32(?), ref: 004082B8
                                          • GetDlgItem.USER32 ref: 004082CC
                                          • SendMessageW.USER32(00000000,00000030,00000000,00000000), ref: 004082D8
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: CreateFontIndirectItemMessageObjectSend
                                          • String ID:
                                          • API String ID: 2001801573-0
                                          • Opcode ID: 5b90f754ead787c82706a5892f36a112a510cb736c9de123742b44b620c41e27
                                          • Instruction ID: a857720c60cc7c4988bb0c271694e7fb1085ae67bc77bdb5017f4508090161c8
                                          • Opcode Fuzzy Hash: 5b90f754ead787c82706a5892f36a112a510cb736c9de123742b44b620c41e27
                                          • Instruction Fuzzy Hash: BAF0BE75501708ABD7205BA4DE09FCB7FACAB48B00F048039AE42E21D4DBB4D8108B29
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E004039BC(struct HWND__* __ecx, struct tagPOINT* __edx) {
                                          				struct HWND__* _t1;
                                          				struct HWND__* _t7;
                                          				struct HWND__* _t10;
                                          				struct tagPOINT* _t12;
                                          
                                          				_t10 = __ecx;
                                          				_t12 = __edx;
                                          				_t1 = GetParent(__ecx);
                                          				_t7 = _t1;
                                          				if(_t7 != 0) {
                                          					GetWindowRect(_t10, _t12);
                                          					ScreenToClient(_t7, _t12);
                                          					ScreenToClient(_t7, _t12 + 8);
                                          					return 1;
                                          				}
                                          				return _t1;
                                          			}








                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: ClientScreen$ParentRectWindow
                                          • String ID:
                                          • API String ID: 2099118873-0
                                          • Opcode ID: 2d4f567ce59a15c9bff0a5a7b1bdb7657322f25b8406bf3dc624692a176b5e82
                                          • Instruction ID: 05e44d1457520c43b4422ecb6510286d39cbf22b8ad041ba1dad1a8fa24c712d
                                          • Opcode Fuzzy Hash: 2d4f567ce59a15c9bff0a5a7b1bdb7657322f25b8406bf3dc624692a176b5e82
                                          • Instruction Fuzzy Hash: 06E0C2732022206B931127B66C88CEB5E5CCDC25723060036F909D2311C9B5CC0185B0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 73%
                                          			E00405A8B(intOrPtr __ecx, void* __edx, void* __eflags, signed short* _a4, char _a7, signed int _a8) {
                                          				signed int _v8;
                                          				intOrPtr _v12;
                                          				char _v24;
                                          				void* _t23;
                                          				signed int _t25;
                                          				signed int _t27;
                                          				void* _t34;
                                          				signed short* _t48;
                                          				signed short* _t49;
                                          
                                          				_v12 = __ecx;
                                          				_t34 = __edx;
                                          				E00411B60(_t23,  &_v24);
                                          				_t48 = _a4;
                                          				_t49 = _t48;
                                          				_a7 = 0;
                                          				while(1) {
                                          					L1:
                                          					_t25 =  *_t49 & 0x0000ffff;
                                          					if(_t25 >= 0x30 && _t25 <= 0x39) {
                                          					}
                                          					L9:
                                          					E00411BE5( &_v24, _t34);
                                          					E004015EC( &_v24,  *_t49 & 0x0000ffff);
                                          					_v8 = _v8 & 0x00000000;
                                          					_t49 =  &(_t49[1]);
                                          					if(E00405041() == 0) {
                                          						L1:
                                          						_t25 =  *_t49 & 0x0000ffff;
                                          						if(_t25 >= 0x30 && _t25 <= 0x39) {
                                          						}
                                          						goto L3;
                                          					} else {
                                          						L10:
                                          						_a7 = 1;
                                          						do {
                                          							_v12();
                                          							_v8 = _v8 + 1;
                                          						} while (E00405041() != 0);
                                          						do {
                                          							goto L1;
                                          						} while (E00405041() == 0);
                                          						goto L10;
                                          					}
                                          					L13:
                                          					_t27 = _a8;
                                          					__eflags = _t27;
                                          					if(_t27 != 0) {
                                          						__eflags = _t27 - 1;
                                          						if(__eflags == 0) {
                                          							L19:
                                          							_t27 = E00405A8B(_v12, _t34, __eflags, 0x41a648, 0xffffffff);
                                          						} else {
                                          							_t27 =  *_t48 & 0x0000ffff;
                                          							__eflags = _t27;
                                          							if(_t27 != 0) {
                                          								L17:
                                          								__eflags = _a7;
                                          								if(_a7 == 0) {
                                          									__eflags = _t27;
                                          									if(__eflags != 0) {
                                          										goto L19;
                                          									}
                                          								}
                                          							} else {
                                          								__eflags = _a8 - 0xffffffff;
                                          								if(_a8 != 0xffffffff) {
                                          									goto L17;
                                          								}
                                          							}
                                          						}
                                          					}
                                          					_push(_v24);
                                          					L004191B0();
                                          					return _t27;
                                          					L3:
                                          					if(_t25 >= 0x61 && _t25 <= 0x7a) {
                                          						goto L9;
                                          					}
                                          					if(_t25 >= 0x41 && _t25 <= 0x5a) {
                                          						goto L9;
                                          					}
                                          					if(_t48 == _t49 && _a8 == 0xffffffff) {
                                          						goto L9;
                                          					}
                                          					goto L13;
                                          				}
                                          			}













                                          APIs
                                            • Part of subcall function 00411B60: ??2@YAPAXI@Z.MSVCRT ref: 00411B68
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00405B55
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: ??2@??3@
                                          • String ID: PreExtract$Shortcut
                                          • API String ID: 1936579350-2482910946
                                          • Opcode ID: 5532fbaefb99878067c42e5bd4bd80982b79f70872013abf3470e71f46453904
                                          • Instruction ID: 315cf4f10766d584262b92d033bb85e5ff693b0b03308dd198ea8ef753a083d6
                                          • Opcode Fuzzy Hash: 5532fbaefb99878067c42e5bd4bd80982b79f70872013abf3470e71f46453904
                                          • Instruction Fuzzy Hash: 6B21A634A005099ADF24EB55C5856FFB374DF51324F24423BE861BA2C1EA7CAE81CF69
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 92%
                                          			E0040235E(intOrPtr __ecx, intOrPtr __edx, signed short* _a4, intOrPtr* _a8, signed int _a12) {
                                          				signed int _v8;
                                          				intOrPtr _v12;
                                          				intOrPtr _v16;
                                          				char _v28;
                                          				char _v40;
                                          				signed int _t34;
                                          				signed short* _t55;
                                          				intOrPtr* _t58;
                                          
                                          				_v8 = _v8 & 0x00000000;
                                          				_v12 = __ecx;
                                          				_v16 = __edx;
                                          				E00411B84( &_v28, __ecx);
                                          				_t55 = _a4;
                                          				E004015EC( &_v28,  *_t55 & 0x0000ffff);
                                          				_t58 = _a8;
                                          				L1:
                                          				while(E00405041() == 0) {
                                          					_t55 =  &(_t55[1]);
                                          					_t34 =  *_t55 & 0x0000ffff;
                                          					if(_t34 >= 0x30 && _t34 <= 0x39) {
                                          						L8:
                                          						E00411BE5( &_v28, _v12);
                                          						E004015EC( &_v28,  *_t55 & 0x0000ffff);
                                          						_v8 = _v8 & 0x00000000;
                                          						continue;
                                          					}
                                          					if(_t34 >= 0x61 && _t34 <= 0x7a) {
                                          						goto L8;
                                          					}
                                          					if(_t34 >= 0x41 && _t34 <= 0x5a) {
                                          						goto L8;
                                          					}
                                          					_push(_v28);
                                          					L004191B0();
                                          					return 1;
                                          				}
                                          				E00411B84( &_v40, _t30);
                                          				E0040206F( &_v40, _v16, 0, _t58, _a12);
                                          				_push(_v40);
                                          				L004191B0();
                                          				 *(_t58 + 4) =  *(_t58 + 4) & 0x00000000;
                                          				 *((short*)( *_t58)) = 0;
                                          				_v8 = _v8 + 1;
                                          				_a12 = 0x41aa3c;
                                          				goto L1;
                                          			}












                                          APIs
                                            • Part of subcall function 00411B84: memcpy.MSVCRT ref: 00411BAA
                                          • ??3@YAXPAX@Z.MSVCRT ref: 004023F8
                                          • ??3@YAXPAX@Z.MSVCRT ref: 0040241B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: ??3@$memcpy
                                          • String ID: PreExtract
                                          • API String ID: 750647942-1883995278
                                          • Opcode ID: 77baf2faadcb435e653529079c3a4f7fe71d575bcd91ad8a0804a3742f5a500f
                                          • Instruction ID: 45d7e0e5023832e0b8c8538628168a0a11dddb05f7aa8aa784a61664bfc27f9f
                                          • Opcode Fuzzy Hash: 77baf2faadcb435e653529079c3a4f7fe71d575bcd91ad8a0804a3742f5a500f
                                          • Instruction Fuzzy Hash: F8218671804106EBDF14EF91C986AEEB775EF11314F20442BE902B61E1E77C9E85CB98
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • _wtol.MSVCRT(00000000,00000030,GUIFlags,00405939,?,0041E138,?,?,004066DE,?), ref: 00405668
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: _wtol
                                          • String ID: MiscFlags$tA
                                          • API String ID: 2131799477-2718850419
                                          • Opcode ID: 2afad0e8fec61067b3716dfa9b106afa26c29772baddf64e22fdb0a12229e978
                                          • Instruction ID: c8600267b0de4b6b736e5ffddf797ee874a7f0c572f21ec5a04ec4b3cd89c438
                                          • Opcode Fuzzy Hash: 2afad0e8fec61067b3716dfa9b106afa26c29772baddf64e22fdb0a12229e978
                                          • Instruction Fuzzy Hash: 30F0306180082042DB38161554C857BA696DA1B761FB94E3BE85EF12E0D33F8CC19D6F
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00405B77() {
                                          
                                          				MessageBoxA(0, "Could not allocate memory", "7-Zip SFX", 0x10);
                                          				return 0;
                                          			}




                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.334302673.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.334288806.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334353728.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334410007.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.334426169.0000000000423000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_ojSIQVSgby.jbxd
                                          Similarity
                                          • API ID: Message
                                          • String ID: 7-Zip SFX$Could not allocate memory
                                          • API String ID: 2030045667-3806377612
                                          • Opcode ID: c7186cdcb0c566b5a5a438bceff3b0e8cdd749d374d7577f2b3fc30ec3787668
                                          • Instruction ID: 2fd3f133cd00b8be6539cc3c82b36fa91af98800b418d3be2fc451a6c5964550
                                          • Opcode Fuzzy Hash: c7186cdcb0c566b5a5a438bceff3b0e8cdd749d374d7577f2b3fc30ec3787668
                                          • Instruction Fuzzy Hash: BEB012303C930821D10003200C0BFD41160D70CF16F5044517100A8CC9C7C87090914D
                                          Uniqueness

                                          Uniqueness Score: -1.00%